From e591bfce09ad46abeb7c6a16844d255a44ef7d07 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Wed, 4 Oct 2023 23:33:00 +0100
Subject: [PATCH 001/178] Fixed small issues of readme generation script (#4047)

---
 modules/key-vault/vault/README.md | 2 ++
 modules/sql/managed-instance/README.md | 2 ++
 modules/sql/server/README.md | 2 ++
 utilities/tools/Get-CrossReferencedModuleList.ps1 | 2 +-
 utilities/tools/Set-ModuleReadMe.ps1 | 4 ++--
 5 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 0d85932c61..4772b0c08f 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -473,7 +473,9 @@ module vault './key-vault/vault/main.bicep' = {
 module vault './key-vault/vault/main.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-kvvcom'
 params: {
+ // Required parameters
 name: 'kvvcom002'
+ // Non-required parameters
 diagnosticEventHubAuthorizationRuleId: ''
 diagnosticEventHubName: ''
 diagnosticStorageAccountId: ''
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index a0b62dd2ee..ee0e5c1ca3 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -297,10 +297,12 @@ The following module usage examples are retrieved from the content of the files
 module managedInstance './sql/managed-instance/main.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-sqlmicom'
 params: {
+ // Required parameters
 administratorLogin: 'adminUserName'
 administratorLoginPassword: ''
 name: 'sqlmicom'
 subnetId: ''
+ // Non-required parameters
 collation: 'SQL_Latin1_General_CP1_CI_AS'
 databases: [
 {
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 067199f099..18c05a8ea2 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -442,7 +442,9 @@ module server './sql/server/main.bicep' = {
 module server './sql/server/main.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-sqlscom'
 params: {
+ // Required parameters
 name: 'sqlscom'
+ // Non-required parameters
 administratorLogin: 'adminUserName'
 administratorLoginPassword: ''
 databases: [
diff --git a/utilities/tools/Get-CrossReferencedModuleList.ps1 b/utilities/tools/Get-CrossReferencedModuleList.ps1
index 49460c61fc..8153fffce8 100644
--- a/utilities/tools/Get-CrossReferencedModuleList.ps1
+++ b/utilities/tools/Get-CrossReferencedModuleList.ps1
@@ -82,7 +82,7 @@ function Get-ReferenceObject {
 }
 }

- foreach ($involvedFilePath in $involvedFilePaths) {
+ foreach ($involvedFilePath in (@($ModuleTemplateFilePath) + @($involvedFilePaths))) {
 $moduleContent = Get-Content -Path $involvedFilePath
 $resultSet.resourceReferences += @() + $moduleContent | Where-Object { $_ -match "^resource .+ '(.+)' .+$" } | ForEach-Object { $matches[1] }
diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/tools/Set-ModuleReadMe.ps1
index 582a3ea3db..bf3476da05 100644
--- a/utilities/tools/Set-ModuleReadMe.ps1
+++ b/utilities/tools/Set-ModuleReadMe.ps1
@@ -822,7 +822,7 @@ function ConvertTo-FormattedBicep {
 }

 # [1/5] Order parameters recursively
- if ($JSONParametersWithoutValue.Keys.Count -gt 0) {
+ if ($JSONParametersWithoutValue.psbase.Keys.Count -gt 0) {
 $orderedJSONParameters = Get-OrderedParametersJSON -ParametersJSON ($JSONParametersWithoutValue | ConvertTo-Json -Depth 99) -RequiredParametersList $RequiredParametersList
 } else {
 $orderedJSONParameters = @{}
@@ -858,7 +858,7 @@ function ConvertTo-FormattedBicep {
 $splitInputObject = @{
 BicepParams = $bicepParams
 RequiredParametersList = $RequiredParametersList
- AllParametersList = $JSONParameters.Keys
+ AllParametersList = $JSONParameters.psbase.Keys
 }
 $commentedBicepParams = Add-BicepParameterTypeComment @splitInputObject
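Review bot: The new loop set `(@($ModuleTemplateFilePath) + @($involvedFilePaths))` can visit the module's own template twice if `$involvedFilePaths` already contains that path (how that list is built is outside the hunk), and `$resultSet.resourceReferences` is appended without deduplication, so the same resource type would then be reported twice. If nothing downstream filters duplicates, `foreach ($involvedFilePath in ((@($ModuleTemplateFilePath) + @($involvedFilePaths)) | Select-Object -Unique)) {` avoids that. Why the template itself is now part of the set is not obvious from the loop; a comment such as `# Include the module's own template so its direct resource references are captured, not only those of the referenced child modules` would help (presumably that was the missed case). Get-ReferenceObject starts and ends outside the hunk.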
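Review bot: The switch to `.psbase.Keys` in this hunk and in the one at `@@ -858,7 +858,7 @@` needs a why-comment, because without one the next contributor will read `.psbase` as noise and simplify it back to `.Keys`. On a PowerShell hashtable, member access resolves an entry named `Keys` (or `Count`) before the hashtable's own property, so a template with a parameter literally called `keys` — presumably the key-vault module whose README this commit also touches — would yield that parameter's value instead of the key list. Suggested comment above the `if`: `# .psbase forces the hashtable's own Keys property; a template parameter named 'keys' would otherwise shadow it`. Any other `$JSONParameters.Keys` / `.Count` accesses in this function outside the two hunks would need the same treatment. ConvertTo-FormattedBicep starts and ends outside both hunks.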
From 3a2431db4dc305c2a61128785b1ebba84b3ca63f Mon Sep 17 00:00:00 2001
From: Preston Alvarado <700740+coolhome@users.noreply.github.com>
Date: Thu, 5 Oct 2023 09:18:54 +0000
Subject: [PATCH 002/178] Parameter Usage: Service endpoints fix (#4048)

* Fix Azure/ResourceModules#3007

* Set-ModuleReadMe run
---
 .../network/virtual-network/subnet/README.md | 415 +++++++++---------
 1 file changed, 215 insertions(+), 200 deletions(-)

diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md
index 4ce9842e69..2fcd6f1dff 100644
--- a/modules/network/virtual-network/subnet/README.md
+++ b/modules/network/virtual-network/subnet/README.md
@@ -1,200 +1,215 @@ -# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]` - -This module deploys a Virtual Network Subnet. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Considerations](#Considerations) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | - -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `addressPrefix` | string | The address prefix for the subnet. | - -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `virtualNetworkName` | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `addressPrefixes` | array | `[]` | | List of address prefixes for the subnet. | -| `applicationGatewayIPConfigurations` | array | `[]` | | Application gateway IP configurations of virtual network resource. | -| `delegations` | array | `[]` | | The delegations to enable on the subnet. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipAllocations` | array | `[]` | | Array of IpAllocation which reference this subnet. | -| `name` | string | | | The Name of the subnet resource. | -| `natGatewayId` | string | `''` | | The resource ID of the NAT Gateway to use for the subnet. 
| -| `networkSecurityGroupId` | string | `''` | | The resource ID of the network security group to assign to the subnet. | -| `privateEndpointNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private endpoint in the subnet. | -| `privateLinkServiceNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private link service in the subnet. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `routeTableId` | string | `''` | | The resource ID of the route table to assign to the subnet. | -| `serviceEndpointPolicies` | array | `[]` | | An array of service endpoint policies. | -| `serviceEndpoints` | array | `[]` | | The service endpoints to enable on the subnet. | - - -### Parameter Usage: `delegations` - -
- -Parameter JSON format - -```json -"delegations": [ - { - "name": "sqlMiDel", - "properties": { - "serviceName": "Microsoft.Sql/managedInstances" - } - } -] -``` - -
- -
- -Bicep format - -```bicep -delegations: [ - { - name: 'sqlMiDel' - properties: { - serviceName: 'Microsoft.Sql/managedInstances' - } - } -] -``` - -
-

- -### Parameter Usage: `serviceEndpoints` - -

- -Parameter JSON format - -```json -"serviceEndpoints": [ - "Microsoft.EventHub", - "Microsoft.Sql", - "Microsoft.Storage", - "Microsoft.KeyVault" -] -``` - -
- - -
- -Bicep format - -```bicep -serviceEndpoints: [ - 'Microsoft.EventHub' - 'Microsoft.Sql' - 'Microsoft.Storage' - 'Microsoft.KeyVault' -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -## Considerations - -The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled". - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual network peering. | -| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | -| `resourceId` | string | The resource ID of the virtual network peering. | -| `subnetAddressPrefix` | string | The address prefix for the subnet. | -| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | - -## Cross-referenced modules - -_None_ +# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]` + +This module deploys a Virtual Network Subnet. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Considerations](#Considerations) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `addressPrefix` | string | The address prefix for the subnet. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `virtualNetworkName` | string | The name of the parent virtual network. 
Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `addressPrefixes` | array | `[]` | | List of address prefixes for the subnet. | +| `applicationGatewayIPConfigurations` | array | `[]` | | Application gateway IP configurations of virtual network resource. | +| `delegations` | array | `[]` | | The delegations to enable on the subnet. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `ipAllocations` | array | `[]` | | Array of IpAllocation which reference this subnet. | +| `name` | string | | | The Name of the subnet resource. | +| `natGatewayId` | string | `''` | | The resource ID of the NAT Gateway to use for the subnet. | +| `networkSecurityGroupId` | string | `''` | | The resource ID of the network security group to assign to the subnet. | +| `privateEndpointNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private endpoint in the subnet. | +| `privateLinkServiceNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private link service in the subnet. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `routeTableId` | string | `''` | | The resource ID of the route table to assign to the subnet. | +| `serviceEndpointPolicies` | array | `[]` | | An array of service endpoint policies. 
| +| `serviceEndpoints` | array | `[]` | | The service endpoints to enable on the subnet. | + + +### Parameter Usage: `delegations` + +

+ +Parameter JSON format + +```json +"delegations": [ + { + "name": "sqlMiDel", + "properties": { + "serviceName": "Microsoft.Sql/managedInstances" + } + } +] +``` + +
+ +
+ +Bicep format + +```bicep +delegations: [ + { + name: 'sqlMiDel' + properties: { + serviceName: 'Microsoft.Sql/managedInstances' + } + } +] +``` + +
+

+ +### Parameter Usage: `serviceEndpoints` + +

+ +Parameter JSON format + +```json +"serviceEndpoints": [ + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.KeyVault" + } +] +``` + +
+ +
+ +Bicep format + +```bicep +serviceEndpoints: [ + { + name: 'Microsoft.EventHub' + } + { + name: 'Microsoft.Sql' + } + { + name: 'Microsoft.Storage' + } + { + name: 'Microsoft.KeyVault' + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +## Considerations + +The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled". + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the virtual network peering. | +| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | +| `resourceId` | string | The resource ID of the virtual network peering. | +| `subnetAddressPrefix` | string | The address prefix for the subnet. | +| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | + +## Cross-referenced modules + +_None_ From 23397cbbba7fb59bb3a5261b1dbb9e3f68ad3681 Mon Sep 17 00:00:00 2001 
From: Luke Snoddy <37806411+lsnoddy@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:43:48 +0000
Subject: [PATCH 003/178] [Modules] sql/managed-instance - Fixed bug with vulnerability assessment using storage acct. behind firewall/vnet (#4033)

* Updated settings

* Updated settings

* Updated settings

* Updated version

* test

* test

* test

* Updated settings file

* Added parameter to handle scenario where vulnerability assessment storage accounts are behind firewall or vnet

* Updated parameter description and readme

* Re-complied arm template

* Updated arm template file

* Merge branch 'main' of https://github.com/lsnoddy/ResourceModules into users/lsnoddy/sqlMI

* Updated arm template build

* Simplified vulnerabilityAssessmentProperties var

* Re-complied arm templates

* Undo settings.yml file changes

* Changed storageAccountFirewallOrVnet to useStorageAccountAccessKey

* Fixed role name

* Added vulnerability assessment rbac test case

* Moved nested_storageRoleAssignment to main .bicep folder

* Added createStorageRoleAssignment param and systemAssignedIdentity condition for va deployment

* Updated readme and json files

* Added param note and updated readme and json files

* custom settings

* Updated test case

* Updated test case, moved nested rbac file under va .bicep, updated readme

* Revert settings.yml file changes

* revert settings.yml
---
 .../.test/vulnAssm/dependencies.bicep | 386 ++++++++++++++++++
 .../.test/vulnAssm/main.test.bicep | 87 ++++
 modules/sql/managed-instance/README.md | 109 +++++
 modules/sql/managed-instance/main.bicep | 6 +-
 modules/sql/managed-instance/main.json | 123 ++++--
 .../.bicep/nested_storageRoleAssignment.bicep | 17 +
 .../vulnerability-assessment/README.md | 5 +-
 .../vulnerability-assessment/main.bicep | 24 +-
 .../vulnerability-assessment/main.json | 77 +++-
 9 files changed, 799 insertions(+), 35 deletions(-)
 create mode 100644 modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep
 create mode 100644 modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
 create mode 100644 modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep

diff --git a/modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep b/modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep
new file mode 100644
index 0000000000..d06ccfa76e
--- /dev/null
+++ b/modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep
@@ -0,0 +1,386 @@ +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Route Table to create.') +param routeTableName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' +var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-') + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: { + securityRules: [ + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI provisioning Control Plane Deployment and Authentication Service' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'SqlManagement' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 100 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1438' + '1440' + '1452' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetSaw' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 101 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1440' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability through Corpnet ranges' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetPublic' + destinationAddressPrefix: 
addressPrefix + access: 'Allow' + priority: 102 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10' + properties: { + description: 'Allow Azure Load Balancer inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'AzureLoadBalancer' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 103 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 104 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-aad-out-${addressPrefixString}-v11' + properties: { + description: 'Allow communication with Azure Active Directory over https' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'AzureActiveDirectory' + access: 'Allow' + priority: 101 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-onedsc-out-${addressPrefixString}-v11' + properties: { + description: 'Allow communication with the One DS Collector over https' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'OneDsCollector' + access: 'Allow' + priority: 102 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI services outbound traffic over https' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'AzureCloud' + 
access: 'Allow' + priority: 100 + direction: 'Outbound' + destinationPortRanges: [ + '443' + '12000' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal outbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 103 + direction: 'Outbound' + } + } + { + name: 'mi-strg-p-out-${addressPrefixString}-v11' + properties: { + description: 'Allow outbound communication with storage over HTTPS' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'Storage.eastus' + access: 'Allow' + priority: 104 + direction: 'Outbound' + } + } + { + name: 'mi-strg-s-out-${addressPrefixString}-v11' + properties: { + description: 'Allow outbound communication with storage over HTTPS' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'Storage.westus' + access: 'Allow' + priority: 105 + direction: 'Outbound' + } + } + ] + } +} + +resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = { + name: routeTableName + location: location + properties: { + disableBgpRoutePropagation: false + routes: [ + { + name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal' + properties: { + addressPrefix: addressPrefix + nextHopType: 'VnetLocal' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage' + properties: { + addressPrefix: 'Storage' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.eastus' + properties: { + addressPrefix: 'Storage.eastus' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 
'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westus' + properties: { + addressPrefix: 'Storage.westus' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement' + properties: { + addressPrefix: 'SqlManagement' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor' + properties: { + addressPrefix: 'AzureMonitor' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw' + properties: { + addressPrefix: 'CorpNetSaw' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic' + properties: { + addressPrefix: 'CorpNetPublic' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory' + properties: { + addressPrefix: 'AzureActiveDirectory' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-OneDsCollector' + properties: { + addressPrefix: 'OneDsCollector' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope' + properties: { + addressPrefix: 'AzureCloud.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope' + properties: { + addressPrefix: 'AzureCloud.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope' + properties: { + addressPrefix: 'Storage.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope' + properties: { + addressPrefix: 'Storage.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + 
} + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope' + properties: { + addressPrefix: 'EventHub.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope' + properties: { + addressPrefix: 'EventHub.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + ] + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'ManagedInstance' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + routeTable: { + id: routeTable.id + } + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'managedInstanceDelegation' + properties: { + serviceName: 'Microsoft.Sql/managedInstances' + } + } + ] + } + } + ] + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id diff --git a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep new file mode 100644 index 0000000000..1238ce7a47 --- /dev/null +++ b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep 
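Review bot: The `storageAccount` resource at the end of the hunk is created with only `allowBlobPublicAccess: false`, so the fixture does not reproduce the scenario the commit subject names — a storage account behind a firewall/VNet — and the test (which sets `useStorageAccountAccessKey: false` in main.test.bicep) runs the identity-based path against an account that is still reachable with shared keys from any network. If the intent is to prove the fix, the account should deny public network access with the trusted-services bypass (the path a system-assigned identity plus a blob data role is meant to use), and `allowSharedKeyAccess: false` plus `minimumTlsVersion: 'TLS1_2'` would turn a silent fallback to keys into a visible failure; whether the vulnerability-assessment deployment tolerates `allowSharedKeyAccess: false` should be confirmed in a test run, so treat that line as the first one to drop if the deployment fails. Separately, the regional service tags (`Storage.eastus` / `Storage.westus` in the NSG, `AzureCloud.westeurope` etc. in the route table) are hard-coded while `location` is a parameter, so the fixture presumably only behaves as intended in those regions; a comment stating the assumed region above the NSG would help.
```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  // … unchanged: name, location, kind, sku …
  properties: {
    allowBlobPublicAccess: false
    // Identity-only access: the scan results are meant to be written via the managed instance's system-assigned identity
    allowSharedKeyAccess: false
    minimumTlsVersion: 'TLS1_2'
    // Reproduce the "behind firewall" scenario the test is for; trusted services still reach the account
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
    }
  }
}
```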
@@ -0,0 +1,87 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.sql.managedinstances-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sqlmivln'
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
+ routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
+ location: location
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}'
+ administratorLogin: 'adminUserName'
+ administratorLoginPassword: password
+ subnetId: nestedDependencies.outputs.subnetResourceId
+ systemAssignedIdentity: true
+ securityAlertPoliciesObj: {
+ emailAccountAdmins: true
+ name: 'default'
+ state: 'Enabled'
+ }
+ vulnerabilityAssessmentsObj: {
+ emailSubscriptionAdmins: true
+ name: 'default'
+ recurringScansEmails: [
+ 'test1@contoso.com'
+ 'test2@contoso.com'
+ ]
+ recurringScansIsEnabled: true
+ storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
+ useStorageAccountAccessKey: false
+ createStorageRoleAssignment: true
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ }
+}
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index ee0e5c1ca3..9ed0a0f15f 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -594,3 +594,112 @@ module managedInstance './sql/managed-instance/main.bicep' = {
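Review bot: The test only exercises the managed-identity path (`useStorageAccountAccessKey: false`, `createStorageRoleAssignment: true`); the access-key branch, which is the one that calls `listKeys` on the storage account in the vulnerability-assessment module, gets no coverage from this file. With `createStorageRoleAssignment: true` the pipeline principal must be allowed to write role assignments on the dependency storage account, a prerequisite that is not stated anywhere in the test. A comment above `vulnerabilityAssessmentsObj`, e.g. `// Requires the deploying principal to have Microsoft.Authorization/roleAssignments/write on the dependency storage account (Owner / User Access Administrator)`, would turn an opaque authorization failure into an expected one.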

+ +

Example 3: Vulnassm

+ +
+ +via Bicep module + +```bicep +module managedInstance './sql/managed-instance/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlmivln' + params: { + // Required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + name: 'sqlmivln' + subnetId: '' + // Non-required parameters + enableDefaultTelemetry: '' + securityAlertPoliciesObj: { + emailAccountAdmins: true + name: 'default' + state: 'Enabled' + } + systemAssignedIdentity: true + vulnerabilityAssessmentsObj: { + createStorageRoleAssignment: true + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + useStorageAccountAccessKey: false + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "name": { + "value": "sqlmivln" + }, + "subnetId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "securityAlertPoliciesObj": { + "value": { + "emailAccountAdmins": true, + "name": "default", + "state": "Enabled" + } + }, + "systemAssignedIdentity": { + "value": true + }, + "vulnerabilityAssessmentsObj": { + "value": { + "createStorageRoleAssignment": true, + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + }, + "useStorageAccountAccessKey": false + } + } + } +} +``` + +
+

diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep
index 4a134086db..ac87614828 100644
--- a/modules/sql/managed-instance/main.bicep
+++ b/modules/sql/managed-instance/main.bicep
@@ -331,7 +331,7 @@ module managedInstance_securityAlertPolicy 'security-alert-policy/main.bicep' =
 }
 }
 
-module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj)) {
+module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj) && systemAssignedIdentity) {
 name: '${uniqueString(deployment().name, location)}-SqlMi-VulnAssessm'
 params: {
 managedInstanceName: managedInstance.name
@@ -339,7 +339,9 @@ module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bi
 recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : []
 recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false
 recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false
- storageAccountResourceId: contains(vulnerabilityAssessmentsObj, 'storageAccountResourceId') ? vulnerabilityAssessmentsObj.storageAccountResourceId : ''
+ storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId
+ useStorageAccountAccessKey: contains(vulnerabilityAssessmentsObj, 'useStorageAccountAccessKey') ? vulnerabilityAssessmentsObj.useStorageAccountAccessKey : false
+ createStorageRoleAssignment: contains(vulnerabilityAssessmentsObj, 'createStorageRoleAssignment') ? vulnerabilityAssessmentsObj.createStorageRoleAssignment : true
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 dependsOn: [
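Review bot: Gating the module on `systemAssignedIdentity` silently drops the vulnerability assessment in two cases the caller would not expect: when they chose the access-key path (`useStorageAccountAccessKey: true`), which per the sub-module description does not need the identity at all, and when they supplied `vulnerabilityAssessmentsObj` but forgot the identity, where a skipped security control is worse than a failed deployment. The condition should only require the identity when the identity path is actually used, e.g. `= if (!empty(vulnerabilityAssessmentsObj) && (systemAssignedIdentity || (contains(vulnerabilityAssessmentsObj, 'useStorageAccountAccessKey') && vulnerabilityAssessmentsObj.useStorageAccountAccessKey))) {`. If the intent is to keep the simpler guard, the `vulnerabilityAssessmentsObj` parameter description (outside this hunk) should say that the assessment is not deployed unless `systemAssignedIdentity` is true, since nothing in the module reports the skip.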
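Review bot: `createStorageRoleAssignment` defaults to `true` here (and in the sub-module), so every caller that passes `vulnerabilityAssessmentsObj` now gets a Storage Blob Data Contributor assignment written onto their storage account unless they opt out, and the deploying principal needs role-assignment write rights on that account's resource group; neither the new grant nor the new permission requirement is visible from this wiring. A comment on the `createStorageRoleAssignment` line such as `// Default true: grants the MI system identity Storage Blob Data Contributor on the storage account; the deployer needs Microsoft.Authorization/roleAssignments/write there` would make the privilege change explicit at the point callers read. `storageAccountResourceId` is also read unconditionally now, which is consistent with it becoming required downstream, but a caller omitting it will get a generic property error rather than the "Required" message from the sub-module's description.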
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 6dfc341577..b4e266703d 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17715240433467527898" + "version": "0.20.4.51522", + "templateHash": "15067027960339653100" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -507,8 +507,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18305177688296262732" + "version": "0.20.4.51522", + "templateHash": "10149117624574107754" } }, "parameters": { @@ -677,8 +677,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12439489569253043438" + "version": "0.20.4.51522", + "templateHash": "7819487658736647657" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -984,8 +984,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8451378478264821514" + "version": "0.20.4.51522", + "templateHash": "6931213919610871740" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -1112,8 +1112,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2590589748306696562" + "version": "0.20.4.51522", + "templateHash": "18038719600656297152" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", 
@@ -1296,8 +1296,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5862626500667784950" + "version": "0.20.4.51522", + "templateHash": "15021129035939475675" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", @@ -1397,7 +1397,7 @@ ] }, { - "condition": "[not(empty(parameters('vulnerabilityAssessmentsObj')))]", + "condition": "[and(not(empty(parameters('vulnerabilityAssessmentsObj'))), parameters('systemAssignedIdentity'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-SqlMi-VulnAssessm', uniqueString(deployment().name, parameters('location')))]", 
@@ -1416,7 +1416,11 @@ "recurringScansEmails": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmails'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmails), createObject('value', createArray()))]", "recurringScansEmailSubscriptionAdmins": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmailSubscriptionAdmins'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmailSubscriptionAdmins), createObject('value', false()))]", "recurringScansIsEnabled": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansIsEnabled'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansIsEnabled), createObject('value', false()))]", - "storageAccountResourceId": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'storageAccountResourceId'), createObject('value', parameters('vulnerabilityAssessmentsObj').storageAccountResourceId), createObject('value', ''))]", + "storageAccountResourceId": { + "value": "[parameters('vulnerabilityAssessmentsObj').storageAccountResourceId]" + }, + "useStorageAccountAccessKey": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'useStorageAccountAccessKey'), createObject('value', parameters('vulnerabilityAssessmentsObj').useStorageAccountAccessKey), createObject('value', false()))]", + "createStorageRoleAssignment": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'createStorageRoleAssignment'), createObject('value', parameters('vulnerabilityAssessmentsObj').createStorageRoleAssignment), createObject('value', true()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } 
@@ -1427,8 +1431,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11796941454379555787" + "version": "0.20.4.51522", + "templateHash": "16824260265514306931" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -1470,9 +1474,22 @@ }, "storageAccountResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. A blob storage to hold the scan results." + "description": "Required. A blob storage to hold the scan results." + } + }, + "useStorageAccountAccessKey": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." + } + }, + "createStorageRoleAssignment": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." } }, "enableDefaultTelemetry": { @@ -1483,6 +1500,9 @@ } } }, + "variables": { + "splitStorageAccountResourceId": "[split(parameters('storageAccountResourceId'), '/')]" + }, "resources": [ { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -1504,13 +1524,66 @@ "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value]", + "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", "recurringScans": { "isEnabled": "[parameters('recurringScansIsEnabled')]", "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", "emails": "[parameters('recurringScansEmails')]" } } + }, + { + "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-sbdc-rbac', parameters('managedInstanceName'))]", + "resourceGroup": "[variables('splitStorageAccountResourceId')[4]]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "storageAccountName": { + "value": "[last(variables('splitStorageAccountResourceId'))]" + }, + "managedInstanceIdentityPrincipalId": { + "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-02-01-preview', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "5906561113326922902" + } + }, + "parameters": { + "storageAccountName": { + "type": "string" + }, + "managedInstanceIdentityPrincipalId": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", + "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", + "principalType": "ServicePrincipal" + } + } + ] + } + } } ], "outputs": { @@ -1575,8 +1648,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3183276214939752427" + "version": "0.20.4.51522", + "templateHash": "12303930012308222652" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", @@ -1708,8 +1781,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2261010047023688229" + "version": "0.20.4.51522", + "templateHash": "3596420230929102349" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.", @@ -1841,8 +1914,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12390588638319517954" + "version": "0.20.4.51522", + "templateHash": "94742246961044490" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.", diff --git a/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep b/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep new file mode 100644 index 0000000000..a6f133a27a --- /dev/null 
+++ b/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep
@@ -0,0 +1,17 @@
+param storageAccountName string
+param managedInstanceIdentityPrincipalId string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
+ name: storageAccountName
+}
+
+// Assign Storage Blob Data Contributor RBAC role
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor')
+ scope: storageAccount
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+ principalId: managedInstanceIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+}
diff --git a/modules/sql/managed-instance/vulnerability-assessment/README.md b/modules/sql/managed-instance/vulnerability-assessment/README.md
index 1347418f63..84442a1c08 100644
--- a/modules/sql/managed-instance/vulnerability-assessment/README.md
+++ b/modules/sql/managed-instance/vulnerability-assessment/README.md
@@ -13,6 +13,7 @@ This module deploys a SQL Managed Instance Vulnerability Assessment.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) |
 
 ## Parameters
@@ -22,6 +23,7 @@ This module deploys a SQL Managed Instance Vulnerability Assessment.
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the vulnerability assessment. |
+| `storageAccountResourceId` | string | A blob storage to hold the scan results. |
 
 **Conditional parameters**
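Review bot: The assignment is scoped to the whole storage account, while the parent module only writes under the `vulnerability-assessment/` container, so the managed-instance identity receives read/write/delete on every container in that account. If the container is guaranteed to exist before this module runs (not visible in the diff; the service may create it on first scan), declaring an `existing` `Microsoft.Storage/storageAccounts/blobServices/containers` resource and using it as `scope` would confine the grant to that path; otherwise the comment should at least state the width of the grant, e.g. `// Grants Storage Blob Data Contributor on the entire storage account (all containers), not only vulnerability-assessment/`. The `guid()` name is derived from the account id and principal, so re-deploying is idempotent, but an assignment for the same principal and role created under another name makes ARM return RoleAssignmentExists, which is what the parameter's "must not already exist" note is really about and is worth spelling out here.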
@@ -33,11 +35,12 @@ This module deploys a SQL Managed Instance Vulnerability Assessment. | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `createStorageRoleAssignment` | bool | `True` | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | | `recurringScansEmails` | array | `[]` | Specifies an array of email addresses to which the scan notification is sent. | | `recurringScansEmailSubscriptionAdmins` | bool | `False` | Specifies that the schedule scan notification will be is sent to the subscription administrators. | | `recurringScansIsEnabled` | bool | `False` | Recurring scans state. | -| `storageAccountResourceId` | string | `''` | A blob storage to hold the scan results. | +| `useStorageAccountAccessKey` | bool | `False` | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | ## Outputs diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.bicep b/modules/sql/managed-instance/vulnerability-assessment/main.bicep index 323e0acb3a..61d6360335 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.bicep +++ b/modules/sql/managed-instance/vulnerability-assessment/main.bicep 
@@ -17,12 +17,20 @@ param recurringScansEmailSubscriptionAdmins bool = false
 @description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
 param recurringScansEmails array = []
 
-@description('Optional. A blob storage to hold the scan results.')
-param storageAccountResourceId string = ''
+@description('Required. A blob storage to hold the scan results.')
+param storageAccountResourceId string
+
+@description('Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.')
+param useStorageAccountAccessKey bool = false
+
+@description('Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.')
+param createStorageRoleAssignment bool = true
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var splitStorageAccountResourceId = split (storageAccountResourceId, '/')
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
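Review bot: `splitStorageAccountResourceId` is consumed positionally later in the file (`[4]` for the resource group, `last()` for the account name) with nothing stating that a fully qualified resource ID is expected, so a caller who passes a bare account name or a malformed ID hits an index error far from the parameter. A comment on the variable documenting the layout would anchor those indexes, e.g. `// Expected: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name} -> [2] subscription, [4] resource group, last() account name`; the space in `split (` is also inconsistent with the rest of the file. The `createStorageRoleAssignment` description should add that the deploying principal needs `Microsoft.Authorization/roleAssignments/write` on the storage account, since that is the permission this option introduces.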
@@ -39,12 +47,22 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' exi
 name: managedInstanceName
 }
 
+// Assign SQL MI MSI access to storage account
+module storageAccount_sbdc_rbac '.bicep/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) {
+ name: '${managedInstance.name}-sbdc-rbac'
+ scope: resourceGroup(splitStorageAccountResourceId[4])
+ params: {
+ storageAccountName: last(splitStorageAccountResourceId)
+ managedInstanceIdentityPrincipalId: managedInstance.identity.principalId
+ }
+}
+
 resource vulnerabilityAssessment 'Microsoft.Sql/managedInstances/vulnerabilityAssessments@2022-02-01-preview' = {
 name: name
 parent: managedInstance
 properties: {
 storageContainerPath: 'https://${last(split(storageAccountResourceId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
- storageAccountAccessKey: listKeys(storageAccountResourceId, '2019-06-01').keys[0].value
+ storageAccountAccessKey: useStorageAccountAccessKey ? listKeys(storageAccountResourceId, '2019-06-01').keys[0].value : any(null)
 recurringScans: {
 isEnabled: recurringScansIsEnabled
 emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins
diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json
index 8ee0066897..dd8317e70d 100644
--- a/modules/sql/managed-instance/vulnerability-assessment/main.json
+++ b/modules/sql/managed-instance/vulnerability-assessment/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.20.4.51522",
- "templateHash": "6142359620217113835"
+ "templateHash": "16824260265514306931"
 },
 "name": "SQL Managed Instance Vulnerability Assessments",
 "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.",
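Review bot: `scope: resourceGroup(splitStorageAccountResourceId[4])` resolves the resource group in the deployment's own subscription, but the storage account ID carries its subscription at index 2, so a storage account in another subscription gets the role assignment aimed at a same-named group in the wrong subscription (or fails with a missing resource group). Use the two-argument form, `scope: resourceGroup(splitStorageAccountResourceId[2], splitStorageAccountResourceId[4])`, so the grant lands where the account lives. The `vulnerabilityAssessment` resource declares no dependency on `storageAccount_sbdc_rbac`; if the service checks write access to the container at creation time (not visible here), `dependsOn: [ storageAccount_sbdc_rbac ]` avoids a race against the grant. `managedInstance.identity.principalId` will also error on an instance without a system identity, which is the case this sub-module's description asks callers to avoid but does not guard against.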
@@ -47,9 +47,22 @@ }, "storageAccountResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. A blob storage to hold the scan results." + "description": "Required. A blob storage to hold the scan results." + } + }, + "useStorageAccountAccessKey": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." + } + }, + "createStorageRoleAssignment": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." } }, "enableDefaultTelemetry": { @@ -60,6 +73,9 @@ } } }, + "variables": { + "splitStorageAccountResourceId": "[split(parameters('storageAccountResourceId'), '/')]" + }, "resources": [ { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -81,13 +97,66 @@ "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value]", + "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", "recurringScans": { "isEnabled": "[parameters('recurringScansIsEnabled')]", "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", "emails": "[parameters('recurringScansEmails')]" } } + }, + { + "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-sbdc-rbac', parameters('managedInstanceName'))]", + "resourceGroup": "[variables('splitStorageAccountResourceId')[4]]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "storageAccountName": { + "value": "[last(variables('splitStorageAccountResourceId'))]" + }, + "managedInstanceIdentityPrincipalId": { + "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-02-01-preview', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "5906561113326922902" + } + }, + "parameters": { + "storageAccountName": { + "type": "string" + }, + "managedInstanceIdentityPrincipalId": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", + "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", + "principalType": "ServicePrincipal" + } + } + ] + } + } } ], "outputs": { From 3a7230e04ff049fc72bc9573ea3b553ae89d3f7d Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 5 Oct 2023 17:44:25 +0000 Subject: [PATCH 004/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index b450a27459..f6233d4647 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -137,7 +137,7 @@ This section provides an overview of the library's feature set. | 122 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | | 123 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 189 | | 124 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 159 | -| 125 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 334 | +| 125 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 336 | | 126 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 304 | | 127 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 425 | | 128 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 93 | @@ -148,7 +148,7 @@ This section provides an overview of the library's feature set. | 133 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | | 134 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | | 135 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 226 | 24235 | +| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 226 | 24237 | ## Legend From ceb060d2a725dbc45c01f83e761fb47ba9f3bc09 Mon Sep 17 00:00:00 2001 
From: Praveen Potturi Date: Sun, 8 Oct 2023 12:25:34 +0100 Subject: [PATCH 005/178] [Modules] CDN Profile afd resources (#4051) * Added afd endpoint and route * Added custom domains * Added origin groups and origins * Added rule sets and rules * Added secrets * Updated profile template * Added tests for afd resources * Update ARM template and Readme * Profile readme update * Afd ruleSets value updated for tests * Resloved PR comments * Updated ARM and Readme --------- Co-authored-by: Praveen Potturi --- .../cdn/profile/.test/afd/dependencies.bicep | 38 + modules/cdn/profile/.test/afd/main.test.bicep | 130 ++ modules/cdn/profile/README.md | 239 ++- modules/cdn/profile/afdEndpoint/README.md | 97 ++ modules/cdn/profile/afdEndpoint/main.bicep | 98 ++ modules/cdn/profile/afdEndpoint/main.json | 388 +++++ .../cdn/profile/afdEndpoint/route/README.md | 56 + .../cdn/profile/afdEndpoint/route/main.bicep | 131 ++ .../cdn/profile/afdEndpoint/route/main.json | 205 +++ .../profile/afdEndpoint/route/version.json | 7 + modules/cdn/profile/afdEndpoint/version.json | 7 + modules/cdn/profile/customdomain/README.md | 56 + modules/cdn/profile/customdomain/main.bicep | 92 + modules/cdn/profile/customdomain/main.json | 145 ++ modules/cdn/profile/customdomain/version.json | 7 + modules/cdn/profile/endpoint/main.json | 10 +- modules/cdn/profile/endpoint/origin/README.md | 2 +- .../cdn/profile/endpoint/origin/main.bicep | 2 +- modules/cdn/profile/endpoint/origin/main.json | 6 +- modules/cdn/profile/main.bicep | 117 +- modules/cdn/profile/main.json | 1512 ++++++++++++++++- modules/cdn/profile/origingroup/README.md | 51 + modules/cdn/profile/origingroup/main.bicep | 91 + modules/cdn/profile/origingroup/main.json | 338 ++++ .../cdn/profile/origingroup/origin/README.md | 54 + .../cdn/profile/origingroup/origin/main.bicep | 91 + .../cdn/profile/origingroup/origin/main.json | 162 ++ .../profile/origingroup/origin/version.json | 7 + modules/cdn/profile/origingroup/version.json | 7 + 
modules/cdn/profile/ruleset/README.md | 51 + modules/cdn/profile/ruleset/main.bicep | 60 + modules/cdn/profile/ruleset/main.json | 247 +++ modules/cdn/profile/ruleset/rule/README.md | 49 + modules/cdn/profile/ruleset/rule/main.bicep | 71 + modules/cdn/profile/ruleset/rule/main.json | 121 ++ modules/cdn/profile/ruleset/rule/version.json | 7 + modules/cdn/profile/ruleset/version.json | 7 + modules/cdn/profile/secret/README.md | 54 + modules/cdn/profile/secret/main.bicep | 74 + modules/cdn/profile/secret/main.json | 123 ++ modules/cdn/profile/secret/version.json | 7 + 41 files changed, 4964 insertions(+), 53 deletions(-) create mode 100644 modules/cdn/profile/.test/afd/dependencies.bicep create mode 100644 modules/cdn/profile/.test/afd/main.test.bicep create mode 100644 modules/cdn/profile/afdEndpoint/README.md create mode 100644 modules/cdn/profile/afdEndpoint/main.bicep create mode 100644 modules/cdn/profile/afdEndpoint/main.json create mode 100644 modules/cdn/profile/afdEndpoint/route/README.md create mode 100644 modules/cdn/profile/afdEndpoint/route/main.bicep create mode 100644 modules/cdn/profile/afdEndpoint/route/main.json create mode 100644 modules/cdn/profile/afdEndpoint/route/version.json create mode 100644 modules/cdn/profile/afdEndpoint/version.json create mode 100644 modules/cdn/profile/customdomain/README.md create mode 100644 modules/cdn/profile/customdomain/main.bicep create mode 100644 modules/cdn/profile/customdomain/main.json create mode 100644 modules/cdn/profile/customdomain/version.json create mode 100644 modules/cdn/profile/origingroup/README.md create mode 100644 modules/cdn/profile/origingroup/main.bicep create mode 100644 modules/cdn/profile/origingroup/main.json create mode 100644 modules/cdn/profile/origingroup/origin/README.md create mode 100644 modules/cdn/profile/origingroup/origin/main.bicep create mode 100644 modules/cdn/profile/origingroup/origin/main.json create mode 100644 modules/cdn/profile/origingroup/origin/version.json create 
mode 100644 modules/cdn/profile/origingroup/version.json create mode 100644 modules/cdn/profile/ruleset/README.md create mode 100644 modules/cdn/profile/ruleset/main.bicep create mode 100644 modules/cdn/profile/ruleset/main.json create mode 100644 modules/cdn/profile/ruleset/rule/README.md create mode 100644 modules/cdn/profile/ruleset/rule/main.bicep create mode 100644 modules/cdn/profile/ruleset/rule/main.json create mode 100644 modules/cdn/profile/ruleset/rule/version.json create mode 100644 modules/cdn/profile/ruleset/version.json create mode 100644 modules/cdn/profile/secret/README.md create mode 100644 modules/cdn/profile/secret/main.bicep create mode 100644 modules/cdn/profile/secret/main.json create mode 100644 modules/cdn/profile/secret/version.json diff --git a/modules/cdn/profile/.test/afd/dependencies.bicep b/modules/cdn/profile/.test/afd/dependencies.bicep new file mode 100644 index 0000000000..48a1bc4be0 --- /dev/null +++ b/modules/cdn/profile/.test/afd/dependencies.bicep 
@@ -0,0 +1,38 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+ properties: {
+ allowBlobPublicAccess: false
+ networkAcls: {
+ defaultAction: 'Deny'
+ bypass: 'AzureServices'
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
+
+@description('The name of the created Storage Account.')
+output storageAccountName string = storageAccount.name
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/.test/afd/main.test.bicep
new file mode 100644
index 0000000000..a8eec32f82
--- /dev/null
+++ b/modules/cdn/profile/.test/afd/main.test.bicep
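Review bot: The storage account created here, together with its `storageAccountResourceId` and `storageAccountName` outputs, is never consumed by main.test.bicep in this commit, which reads only `nestedDependencies.outputs.managedIdentityPrincipalId`; either drop the unused resource or wire it into the AFD test as an origin so the dependency file only provisions what the test exercises. If it stays, `allowBlobPublicAccess: false` with `defaultAction: 'Deny'` are the right defaults for a throwaway test resource and need no change. A short comment above the resource stating what the test uses it for, e.g. `// Origin target for the AFD route test`, would make the intent clear to the next maintainer.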
@@ -0,0 +1,130 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdnpafd'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ name: 'dep-${namePrefix}-test-${serviceShort}'
+ location: 'global'
+ lock: 'CanNotDelete'
+ originResponseTimeoutSeconds: 60
+ sku: 'Standard_AzureFrontDoor'
+ enableDefaultTelemetry: enableDefaultTelemetry
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ customDomains: [
+ {
+ name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain'
+ hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net'
+ certificateType: 'ManagedCertificate'
+ }
+ ]
+ origionGroups: [
+ {
+ name: 'dep-${namePrefix}-test-${serviceShort}-origin-group'
+ loadBalancingSettings: {
+ additionalLatencyInMilliseconds: 50
+ sampleSize: 4
+ successfulSamplesRequired: 3
+ }
+ origins: [
+ {
+ name: 'dep-${namePrefix}-test-${serviceShort}-origin'
+ hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net'
+ }
+ ]
+ }
+ ]
+ ruleSets: [
+ {
+ name: 'dep${namePrefix}test${serviceShort}ruleset'
+ rules: [
+ {
+ name: 'dep${namePrefix}test${serviceShort}rule'
+ order: 1
+ actions: [
+ {
+ name: 'UrlRedirect'
+ parameters: {
+ typeName: 'DeliveryRuleUrlRedirectActionParameters'
+ redirectType: 'PermanentRedirect'
+ destinationProtocol: 'Https'
+ customPath: '/test123'
+ customHostname: 'dev-etradefd.trade.azure.defra.cloud'
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ afdEndpoints: [
+ {
+ name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint'
+ routes: [
+ {
+ name: 'dep-${namePrefix}-test-${serviceShort}-afd-route'
+ originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group'
+ customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain'
+ ruleSets: [
+ {
+ name: 'dep${namePrefix}test${serviceShort}ruleset'
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md
index cdb4f0247b..b056f35b4b 100644
--- a/modules/cdn/profile/README.md
+++ b/modules/cdn/profile/README.md
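Review bot: The parameter name `origionGroups` is misspelled ("origion" for "origin") and it is the profile module's public interface: the README hunk in this commit documents it under the same spelling while the route object in the same test uses `originGroupName`, so renaming it to `originGroups` before the interface ships avoids a breaking rename later. The defining `param` presumably lives in modules/cdn/profile/main.bicep, whose hunk is not in this view, so the rename would need to be applied there and in the generated README/main.json as well. Separately, `customHostname: 'dev-etradefd.trade.azure.defra.cloud'` in the UrlRedirect rule looks like a real environment hostname rather than synthetic test data, and the generated README example repeats it; a self-contained value such as `customHostname: 'dep-${namePrefix}-test-${serviceShort}-redirect.azurewebsites.net'` (constructed) keeps the repository's published examples free of third-party hosts.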
@@ -16,9 +16,17 @@ This module deploys a CDN Profile. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Cdn/profiles` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles) | +| `Microsoft.Cdn/profiles` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles) | +| `Microsoft.Cdn/profiles/afdEndpoints` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/afdEndpoints) | +| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/afdEndpoints/routes) | +| `Microsoft.Cdn/profiles/customDomains` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/customDomains) | | `Microsoft.Cdn/profiles/endpoints` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints) | | `Microsoft.Cdn/profiles/endpoints/origins` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2021-06-01/profiles/endpoints/origins) | +| `Microsoft.Cdn/profiles/originGroups` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/originGroups) | +| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/originGroups/origins) | +| `Microsoft.Cdn/profiles/ruleSets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets) | +| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets/rules) | +| 
`Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/secrets) | ## Parameters 
@@ -27,12 +35,20 @@ This module deploys a CDN Profile. | Parameter Name | Type | Allowed Values | Description | | :-- | :-- | :-- | :-- | | `name` | string | | Name of the CDN profile. | -| `sku` | string | `[Custom_Akamai, Custom_ChinaCdn, Custom_Microsoft, Custom_Microsoft_AzureFrontDoor, Custom_Verizon, Premium_Akamai, Premium_AzureFrontDoor, Premium_ChinaCdn, Premium_Microsoft, Premium_Microsoft_AzureFrontDoor, Premium_Verizon, Standard_Akamai, Standard_AzureFrontDoor, Standard_ChinaCdn, Standard_Microsoft, Standard_Microsoft_AzureFrontDoor, Standard_Verizon]` | The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. | +| `sku` | string | `[Custom_Verizon, Premium_AzureFrontDoor, Premium_Verizon, Standard_955BandWidth_ChinaCdn, Standard_Akamai, Standard_AvgBandWidth_ChinaCdn, Standard_AzureFrontDoor, Standard_ChinaCdn, Standard_Microsoft, Standard_Verizon, StandardPlus_955BandWidth_ChinaCdn, StandardPlus_AvgBandWidth_ChinaCdn, StandardPlus_ChinaCdn]` | The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `origionGroups` | array | Array of origin group objects. Required if the afdEndpoints is specified. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `afdEndpoints` | array | `[]` | | Array of AFD endpoint objects. | +| `customDomains` | array | `[]` | | Array of custom domain objects. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `endpointName` | string | `''` | | Name of the endpoint under the profile which is unique globally. | | `endpointProperties` | object | `{object}` | | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). | 
@@ -40,6 +56,8 @@ This module deploys a CDN Profile. | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `originResponseTimeoutSeconds` | int | `60` | | Send and receive timeout on forwarding request to the origin. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `ruleSets` | array | `[]` | | Array of rule set objects. | +| `secrets` | array | `[]` | | Array of secret objects. | | `tags` | object | `{object}` | | Endpoint tags. | @@ -164,7 +182,222 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Common

+

Example 1: Afd

+ +
+ +via Bicep module + +```bicep +module profile './cdn/profile/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cdnpafd' + params: { + // Required parameters + name: 'dep-test-cdnpafd' + sku: 'Standard_AzureFrontDoor' + // Non-required parameters + afdEndpoints: [ + { + name: 'dep-test-cdnpafd-afd-endpoint' + routes: [ + { + customDomainName: 'dep-test-cdnpafd-custom-domain' + name: 'dep-test-cdnpafd-afd-route' + originGroupName: 'dep-test-cdnpafd-origin-group' + ruleSets: [ + { + name: 'deptestcdnpafdruleset' + } + ] + } + ] + } + ] + customDomains: [ + { + certificateType: 'ManagedCertificate' + hostName: 'dep-test-cdnpafd-custom-domain.azurewebsites.net' + name: 'dep-test-cdnpafd-custom-domain' + } + ] + enableDefaultTelemetry: '' + location: 'global' + lock: 'CanNotDelete' + originResponseTimeoutSeconds: 60 + origionGroups: [ + { + loadBalancingSettings: { + additionalLatencyInMilliseconds: 50 + sampleSize: 4 + successfulSamplesRequired: 3 + } + name: 'dep-test-cdnpafd-origin-group' + origins: [ + { + hostName: 'dep-test-cdnpafd-origin.azurewebsites.net' + name: 'dep-test-cdnpafd-origin' + } + ] + } + ] + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ruleSets: [ + { + name: 'deptestcdnpafdruleset' + rules: [ + { + actions: [ + { + name: 'UrlRedirect' + parameters: { + customHostname: 'dev-etradefd.trade.azure.defra.cloud' + customPath: '/test123' + destinationProtocol: 'Https' + redirectType: 'PermanentRedirect' + typeName: 'DeliveryRuleUrlRedirectActionParameters' + } + } + ] + name: 'deptestcdnpafdrule' + order: 1 + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dep-test-cdnpafd" + }, + "sku": { + "value": "Standard_AzureFrontDoor" + }, + // Non-required parameters + "afdEndpoints": { + "value": [ + { + "name": "dep-test-cdnpafd-afd-endpoint", + "routes": [ + { + "customDomainName": "dep-test-cdnpafd-custom-domain", + "name": "dep-test-cdnpafd-afd-route", + "originGroupName": "dep-test-cdnpafd-origin-group", + "ruleSets": [ + { + "name": "deptestcdnpafdruleset" + } + ] + } + ] + } + ] + }, + "customDomains": { + "value": [ + { + "certificateType": "ManagedCertificate", + "hostName": "dep-test-cdnpafd-custom-domain.azurewebsites.net", + "name": "dep-test-cdnpafd-custom-domain" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "global" + }, + "lock": { + "value": "CanNotDelete" + }, + "originResponseTimeoutSeconds": { + "value": 60 + }, + "origionGroups": { + "value": [ + { + "loadBalancingSettings": { + "additionalLatencyInMilliseconds": 50, + "sampleSize": 4, + "successfulSamplesRequired": 3 + }, + "name": "dep-test-cdnpafd-origin-group", + "origins": [ + { + "hostName": "dep-test-cdnpafd-origin.azurewebsites.net", + "name": "dep-test-cdnpafd-origin" + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "ruleSets": { + "value": [ + { + "name": "deptestcdnpafdruleset", + "rules": [ + { + "actions": [ + { + "name": "UrlRedirect", + "parameters": { + "customHostname": "dev-etradefd.trade.azure.defra.cloud", + "customPath": "/test123", + "destinationProtocol": "Https", + "redirectType": "PermanentRedirect", + "typeName": "DeliveryRuleUrlRedirectActionParameters" + } + } + ], + "name": "deptestcdnpafdrule", + "order": 1 + } + ] + } 
+ ] + } + } +} +``` + +
+

+ +

Example 2: Common

diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md new file mode 100644 index 0000000000..792ede4cc6 --- /dev/null +++ b/modules/cdn/profile/afdEndpoint/README.md 
@@ -0,0 +1,97 @@ +# CDN Profiles AFD Endpoints `[Microsoft.Cdn/profiles/afdEndpoints]` + +This module deploys a CDN Profile AFD Endpoint. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/afdEndpoints` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/afdEndpoints) | +| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/afdEndpoints/routes) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the AFD Endpoint. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `profileName` | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `autoGeneratedDomainNameLabelScope` | string | `'TenantReuse'` | `[NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]` | Indicates the endpoint name reuse scope. The default value is TenantReuse. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Indicates whether the AFD Endpoint is enabled. The default value is Enabled. | +| `location` | string | `[resourceGroup().location]` | | The location of the AFD Endpoint. | +| `routes` | array | `[]` | | The list of routes for this AFD Endpoint. | +| `tags` | object | `{object}` | | The tags of the AFD Endpoint. | + + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. 
A tag can be left without a value. + +
+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the AFD Endpoint. | +| `resourceGroupName` | string | The name of the resource group the endpoint was created in. | +| `resourceId` | string | The resource id of the AFD Endpoint. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/afdEndpoint/main.bicep b/modules/cdn/profile/afdEndpoint/main.bicep new file mode 100644 index 0000000000..83c9d667e0 --- /dev/null +++ b/modules/cdn/profile/afdEndpoint/main.bicep 
@@ -0,0 +1,98 @@
+metadata name = 'CDN Profiles AFD Endpoints'
+metadata description = 'This module deploys a CDN Profile AFD Endpoint.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the AFD Endpoint.')
+param name string
+
+@description('Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment.')
+param profileName string
+
+@description('Optional. The location of the AFD Endpoint.')
+param location string = resourceGroup().location
+
+@description('Optional. The tags of the AFD Endpoint.')
+param tags object = {}
+
+@description('Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse.')
+@allowed([
+ 'NoReuse'
+ 'ResourceGroupReuse'
+ 'SubscriptionReuse'
+ 'TenantReuse'
+])
+param autoGeneratedDomainNameLabelScope string = 'TenantReuse'
+
+@description('Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+param enabledState string = 'Enabled'
+
+@description('Optional. The list of routes for this AFD Endpoint.')
+param routes array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+}
+
+resource afd_endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
+ name: name
+ parent: profile
+ location: location
+ tags: tags
+ properties: {
+ autoGeneratedDomainNameLabelScope: autoGeneratedDomainNameLabelScope
+ enabledState: enabledState
+ }
+}
+
+module afd_endpoint_route 'route/main.bicep' = [for route in routes: {
+ name: '${uniqueString(deployment().name, route.name)}-Profile-AfdEndpoint-Route'
+ params: {
+ name: route.name
+ profileName: profile.name
+ afdEndpointName: afd_endpoint.name
+ cacheConfiguration: contains(route, 'cacheConfiguration') ? route.cacheConfiguration : null
+ customDomainName: contains(route, 'customDomainName') ? route.customDomainName : ''
+ enabledState: contains(route, 'enabledState') ? route.enabledState : 'Enabled'
+ forwardingProtocol: contains(route, 'forwardingProtocol') ? route.forwardingProtocol : 'MatchRequest'
+ httpsRedirect: contains(route, 'httpsRedirect') ? route.httpsRedirect : 'Enabled'
+ linkToDefaultDomain: contains(route, 'linkToDefaultDomain') ? route.linkToDefaultDomain : 'Enabled'
+ originGroupName: contains(route, 'originGroupName') ? route.originGroupName : ''
+ originPath: contains(route, 'originPath') ? route.originPath : ''
+ patternsToMatch: contains(route, 'patternsToMatch') ? route.patternsToMatch : []
+ ruleSets: contains(route, 'ruleSets') ? route.ruleSets : []
+ supportedProtocols: contains(route, 'supportedProtocols') ? route.supportedProtocols : []
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+@description('The name of the AFD Endpoint.')
+output name string = afd_endpoint.name
+
+@description('The resource id of the AFD Endpoint.')
+output resourceId string = afd_endpoint.id
+
+@description('The name of the resource group the endpoint was created in.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The location the resource was deployed into.')
+output location string = afd_endpoint.location
diff --git a/modules/cdn/profile/afdEndpoint/main.json b/modules/cdn/profile/afdEndpoint/main.json
new file mode 100644
index 0000000000..e7cc491a6c
--- /dev/null
+++ b/modules/cdn/profile/afdEndpoint/main.json
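Review bot: In the `afd_endpoint_route` loop, `originGroupName` silently falls back to `''` when a route object omits or mis-keys it, so the empty value is forwarded to route/main.bicep (not in this view) and the problem only surfaces deep in the deployment; reading it directly, `originGroupName: route.originGroupName`, makes a missing key fail at this call site with an error that names the property, which is the better place to catch a malformed route. The `routes` parameter description should also state the object shape the loop reads — `name` (required) plus the optional keys `originGroupName`, `customDomainName`, `cacheConfiguration`, `enabledState`, `forwardingProtocol`, `httpsRedirect`, `linkToDefaultDomain`, `originPath`, `patternsToMatch`, `ruleSets` and `supportedProtocols` — since the README generated from `@description` currently says only "The list of routes for this AFD Endpoint." The `httpsRedirect: 'Enabled'` and `forwardingProtocol: 'MatchRequest'` defaults are sound for an edge route and worth keeping.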
@@ -0,0 +1,388 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "11941850826145778575" + }, + "name": "CDN Profiles AFD Endpoints", + "description": "This module deploys a CDN Profile AFD Endpoint.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the AFD Endpoint." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The location of the AFD Endpoint." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The tags of the AFD Endpoint." + } + }, + "autoGeneratedDomainNameLabelScope": { + "type": "string", + "defaultValue": "TenantReuse", + "allowedValues": [ + "NoReuse", + "ResourceGroupReuse", + "SubscriptionReuse", + "TenantReuse" + ], + "metadata": { + "description": "Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled." + } + }, + "routes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The list of routes for this AFD Endpoint." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/afdEndpoints", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", + "enabledState": "[parameters('enabledState')]" + } + }, + { + "copy": { + "name": "afd_endpoint_route", + "count": "[length(parameters('routes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-AfdEndpoint-Route', uniqueString(deployment().name, parameters('routes')[copyIndex()].name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('routes')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "afdEndpointName": { + "value": "[parameters('name')]" + }, + "cacheConfiguration": "[if(contains(parameters('routes')[copyIndex()], 'cacheConfiguration'), createObject('value', parameters('routes')[copyIndex()].cacheConfiguration), createObject('value', null()))]", + "customDomainName": "[if(contains(parameters('routes')[copyIndex()], 'customDomainName'), createObject('value', parameters('routes')[copyIndex()].customDomainName), createObject('value', ''))]", + "enabledState": 
"[if(contains(parameters('routes')[copyIndex()], 'enabledState'), createObject('value', parameters('routes')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", + "forwardingProtocol": "[if(contains(parameters('routes')[copyIndex()], 'forwardingProtocol'), createObject('value', parameters('routes')[copyIndex()].forwardingProtocol), createObject('value', 'MatchRequest'))]", + "httpsRedirect": "[if(contains(parameters('routes')[copyIndex()], 'httpsRedirect'), createObject('value', parameters('routes')[copyIndex()].httpsRedirect), createObject('value', 'Enabled'))]", + "linkToDefaultDomain": "[if(contains(parameters('routes')[copyIndex()], 'linkToDefaultDomain'), createObject('value', parameters('routes')[copyIndex()].linkToDefaultDomain), createObject('value', 'Enabled'))]", + "originGroupName": "[if(contains(parameters('routes')[copyIndex()], 'originGroupName'), createObject('value', parameters('routes')[copyIndex()].originGroupName), createObject('value', ''))]", + "originPath": "[if(contains(parameters('routes')[copyIndex()], 'originPath'), createObject('value', parameters('routes')[copyIndex()].originPath), createObject('value', ''))]", + "patternsToMatch": "[if(contains(parameters('routes')[copyIndex()], 'patternsToMatch'), createObject('value', parameters('routes')[copyIndex()].patternsToMatch), createObject('value', createArray()))]", + "ruleSets": "[if(contains(parameters('routes')[copyIndex()], 'ruleSets'), createObject('value', parameters('routes')[copyIndex()].ruleSets), createObject('value', createArray()))]", + "supportedProtocols": "[if(contains(parameters('routes')[copyIndex()], 'supportedProtocols'), createObject('value', parameters('routes')[copyIndex()].supportedProtocols), createObject('value', createArray()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "13253134886056545686" + }, + "name": "CDN Profiles AFD Endpoint Route", + "description": "This module deploys a CDN Profile AFD Endpoint route.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the route." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the parent CDN profile." + } + }, + "afdEndpointName": { + "type": "string", + "metadata": { + "description": "Required. The name of the AFD endpoint." + } + }, + "cacheConfiguration": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." + } + }, + "customDomainName": { + "type": "string", + "metadata": { + "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." + } + }, + "forwardingProtocol": { + "type": "string", + "defaultValue": "MatchRequest", + "allowedValues": [ + "HttpOnly", + "HttpsOnly", + "MatchRequest" + ], + "metadata": { + "description": "Optional. The protocol this rule will use when forwarding traffic to backends." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route is enabled." + } + }, + "httpsRedirect": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." 
+ } + }, + "linkToDefaultDomain": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route will be linked to the default endpoint domain." + } + }, + "originGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." + } + }, + "originPath": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." + } + }, + "patternsToMatch": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The route patterns of the rule." + } + }, + "ruleSets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." + } + }, + "supportedProtocols": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Http", + "Https" + ], + "metadata": { + "description": "Optional. The supported protocols of the rule." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", + "properties": { + "copy": [ + { + "name": "ruleSets", + "count": "[length(parameters('ruleSets'))]", + "input": { + "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" + } + } + ], + "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", + "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", + "enabledState": "[parameters('enabledState')]", + "forwardingProtocol": "[parameters('forwardingProtocol')]", + "httpsRedirect": "[parameters('httpsRedirect')]", + "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", + "originGroup": { + "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" + }, + "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", + "patternsToMatch": "[parameters('patternsToMatch')]", + "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" + } + } + ], + "outputs": { + "name": { + "type": 
"string", + "metadata": { + "description": "The name of the route." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The ID of the route." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the route was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AFD Endpoint." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the AFD Endpoint." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the endpoint was created in." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name')), '2023-05-01', 'full').location]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/afdEndpoint/route/README.md b/modules/cdn/profile/afdEndpoint/route/README.md new file mode 100644 index 0000000000..ee07973325 --- /dev/null +++ b/modules/cdn/profile/afdEndpoint/route/README.md 
@@ -0,0 +1,56 @@
+# CDN Profiles AFD Endpoint Route `[Microsoft.Cdn/profiles/afdEndpoints/routes]`
+
+This module deploys a CDN Profile AFD Endpoint route.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Cdn/profiles/afdEndpoints/routes` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/afdEndpoints/routes) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `afdEndpointName` | string | | The name of the AFD endpoint. |
+| `name` | string | | The name of the route. |
+| `originGroupName` | string | `''` | The name of the origin group. The origin group must be defined in the profile originGroups. |
+| `profileName` | string | | The name of the parent CDN profile. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `cacheConfiguration` | object | `{object}` | | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
+| `customDomainName` | string | | | The name of the custom domain. The custom domain must be defined in the profile customDomains. |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether this route is enabled. |
+| `forwardingProtocol` | string | `'MatchRequest'` | `[HttpOnly, HttpsOnly, MatchRequest]` | The protocol this rule will use when forwarding traffic to backends. |
+| `httpsRedirect` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether to automatically redirect HTTP traffic to HTTPS traffic. |
+| `linkToDefaultDomain` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether this route will be linked to the default endpoint domain. |
+| `originPath` | string | `''` | | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
+| `patternsToMatch` | array | `[]` | | The route patterns of the rule. |
+| `ruleSets` | array | `[]` | | The rule sets of the rule. The rule sets must be defined in the profile ruleSets. |
+| `supportedProtocols` | array | `[]` | `[Http, Https]` | The supported protocols of the rule. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the route. |
+| `resourceGroupName` | string | The name of the resource group the route was created in. |
+| `resourceId` | string | The ID of the route. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/cdn/profile/afdEndpoint/route/main.bicep b/modules/cdn/profile/afdEndpoint/route/main.bicep
new file mode 100644
index 0000000000..8d919e4a00
--- /dev/null
+++ b/modules/cdn/profile/afdEndpoint/route/main.bicep
@@ -0,0 +1,131 @@
+metadata name = 'CDN Profiles AFD Endpoint Route'
+metadata description = 'This module deploys a CDN Profile AFD Endpoint route.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the route.')
+param name string
+
+@description('Required. The name of the parent CDN profile.')
+param profileName string
+
+@description('Required. The name of the AFD endpoint.')
+param afdEndpointName string
+
+@description('Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.')
+param cacheConfiguration object = {}
+
+@description('Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains.')
+param customDomainName string
+
+@allowed([
+ 'HttpOnly'
+ 'HttpsOnly'
+ 'MatchRequest'
+])
+@description('Optional. The protocol this rule will use when forwarding traffic to backends.')
+param forwardingProtocol string = 'MatchRequest'
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether this route is enabled.')
+param enabledState string = 'Enabled'
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic.')
+param httpsRedirect string = 'Enabled'
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether this route will be linked to the default endpoint domain.')
+param linkToDefaultDomain string = 'Enabled'
+
+@description('Required. The name of the origin group. The origin group must be defined in the profile originGroups.')
+param originGroupName string = ''
+
+@description('Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.')
+param originPath string = ''
+
+@description('Optional. The route patterns of the rule.')
+param patternsToMatch array = []
+
+@description('Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets.')
+param ruleSets array = []
+
+@allowed([ 'Http', 'Https' ])
+@description('Optional. The supported protocols of the rule.')
+param supportedProtocols array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+
+ resource afd_endpoint 'afdEndpoints@2023-05-01' existing = {
+ name: afdEndpointName
+ }
+
+ resource custom_domain 'customDomains@2023-05-01' existing = if (!empty(customDomainName)) {
+ name: customDomainName
+ }
+
+ resource originGroup 'originGroups@2023-05-01' existing = {
+ name: originGroupName
+ }
+
+ resource rule_set 'ruleSets@2023-05-01' existing = [for ruleSet in ruleSets: {
+ name: ruleSet.name
+ }]
+}
+
+resource afd_endpoint_route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
+ name: name
+ parent: profile::afd_endpoint
+ properties: {
+ cacheConfiguration: !empty(cacheConfiguration) ? cacheConfiguration : null
+ customDomains: !empty(customDomainName) ? [ {
+ id: profile::custom_domain.id
+ } ] : []
+ enabledState: enabledState
+ forwardingProtocol: forwardingProtocol
+ httpsRedirect: httpsRedirect
+ linkToDefaultDomain: linkToDefaultDomain
+ originGroup: {
+ id: profile::originGroup.id
+ }
+ originPath: !empty(originPath) ? originPath : null
+ patternsToMatch: patternsToMatch
+ ruleSets: [for (item, index) in ruleSets: {
+ id: profile::rule_set[index].id
+ }]
+ supportedProtocols: !empty(supportedProtocols) ? supportedProtocols : null
+ }
+}
+
+@description('The name of the route.')
+output name string = afd_endpoint_route.name
+
+@description('The ID of the route.')
+output resourceId string = afd_endpoint_route.id
+
+@description('The name of the resource group the route was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/afdEndpoint/route/main.json b/modules/cdn/profile/afdEndpoint/route/main.json
new file mode 100644
index 0000000000..31b11ea4a0
--- /dev/null
+++ b/modules/cdn/profile/afdEndpoint/route/main.json
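Review bot: `originGroupName` is described as `Required.` but declared `param originGroupName string = ''`, while `customDomainName` is described as `Optional.` yet has no default, so a standalone caller must pass the custom domain name and may silently omit the origin group; the generated README in this commit reproduces the mismatch (`originGroupName` under required parameters with default `''`). With the default left in, an omitted origin group is presumably only caught when `profile::originGroup.id` is resolved against an empty name at deployment time rather than at template validation. I would change the two declarations to `param originGroupName string` and `param customDomainName string = ''`, which also matches the parent module passing `''` when a route has no `customDomainName`. The one-line `@allowed([ 'Http', 'Https' ])` on `supportedProtocols` is also formatted differently from every other `@allowed` decorator in the file.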
@@ -0,0 +1,205 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "13253134886056545686" + }, + "name": "CDN Profiles AFD Endpoint Route", + "description": "This module deploys a CDN Profile AFD Endpoint route.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the route." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the parent CDN profile." + } + }, + "afdEndpointName": { + "type": "string", + "metadata": { + "description": "Required. The name of the AFD endpoint." + } + }, + "cacheConfiguration": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." + } + }, + "customDomainName": { + "type": "string", + "metadata": { + "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." + } + }, + "forwardingProtocol": { + "type": "string", + "defaultValue": "MatchRequest", + "allowedValues": [ + "HttpOnly", + "HttpsOnly", + "MatchRequest" + ], + "metadata": { + "description": "Optional. The protocol this rule will use when forwarding traffic to backends." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route is enabled." + } + }, + "httpsRedirect": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." 
+ } + }, + "linkToDefaultDomain": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route will be linked to the default endpoint domain." + } + }, + "originGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." + } + }, + "originPath": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." + } + }, + "patternsToMatch": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The route patterns of the rule." + } + }, + "ruleSets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." + } + }, + "supportedProtocols": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Http", + "Https" + ], + "metadata": { + "description": "Optional. The supported protocols of the rule." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", + "properties": { + "copy": [ + { + "name": "ruleSets", + "count": "[length(parameters('ruleSets'))]", + "input": { + "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" + } + } + ], + "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", + "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", + "enabledState": "[parameters('enabledState')]", + "forwardingProtocol": "[parameters('forwardingProtocol')]", + "httpsRedirect": "[parameters('httpsRedirect')]", + "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", + "originGroup": { + "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" + }, + "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", + "patternsToMatch": "[parameters('patternsToMatch')]", + "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" + } + } + ], + "outputs": { + "name": { + "type": 
"string", + "metadata": { + "description": "The name of the route." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The ID of the route." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the route was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/afdEndpoint/route/version.json b/modules/cdn/profile/afdEndpoint/route/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/afdEndpoint/route/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/afdEndpoint/version.json b/modules/cdn/profile/afdEndpoint/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/afdEndpoint/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/customdomain/README.md b/modules/cdn/profile/customdomain/README.md new file mode 100644 index 0000000000..87399b9693 --- /dev/null +++ b/modules/cdn/profile/customdomain/README.md 
@@ -0,0 +1,56 @@
+# CDN Profiles Custom Domains `[Microsoft.Cdn/profiles/customDomains]`
+
+This module deploys a CDN Profile Custom Domains.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Cdn/profiles/customDomains` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/customDomains) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Allowed Values | Description |
+| :-- | :-- | :-- | :-- |
+| `certificateType` | string | `[CustomerCertificate, ManagedCertificate]` | The type of the certificate used for secure delivery. |
+| `hostName` | string | | The host name of the domain. Must be a domain name. |
+| `name` | string | | The name of the custom domain. |
+| `profileName` | string | | The name of the CDN profile. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `extendedProperties` | object | `{object}` | | Key-Value pair representing migration properties for domains. |
+| `minimumTlsVersion` | string | `'TLS12'` | `[TLS10, TLS12]` | The minimum TLS version required for the custom domain. Default value: TLS12. |
+| `preValidatedCustomDomainResourceId` | string | `''` | | Resource reference to the Azure resource where custom domain ownership was prevalidated. |
+| `secretName` | string | `''` | | The name of the secret. ie. subs/rg/profile/secret. |
+
+**Optonal parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `azureDnsZoneResourceId` | string | `''` | Resource reference to the Azure DNS zone. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the custom domain. |
+| `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
+| `resourceId` | string | The resource id of the custom domain. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/cdn/profile/customdomain/main.bicep b/modules/cdn/profile/customdomain/main.bicep
new file mode 100644
index 0000000000..63be21a3bb
--- /dev/null
+++ b/modules/cdn/profile/customdomain/main.bicep
@@ -0,0 +1,92 @@
+metadata name = 'CDN Profiles Custom Domains'
+metadata description = 'This module deploys a CDN Profile Custom Domains.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the custom domain.')
+param name string
+
+@description('Required. The name of the CDN profile.')
+param profileName string
+
+@description('Required. The host name of the domain. Must be a domain name.')
+param hostName string
+
+@description('Optonal. Resource reference to the Azure DNS zone.')
+param azureDnsZoneResourceId string = ''
+
+@description('Optional. Key-Value pair representing migration properties for domains.')
+param extendedProperties object = {}
+
+@description('Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated.')
+param preValidatedCustomDomainResourceId string = ''
+
+@allowed([
+ 'CustomerCertificate'
+ 'ManagedCertificate'
+])
+@description('Required. The type of the certificate used for secure delivery.')
+param certificateType string
+
+@allowed([
+ 'TLS10'
+ 'TLS12'
+])
+@description('Optional. The minimum TLS version required for the custom domain. Default value: TLS12.')
+param minimumTlsVersion string = 'TLS12'
+
+@description('Optional. The name of the secret. ie. subs/rg/profile/secret.')
+param secretName string = ''
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+
+ resource profile_secrect 'secrets@2023-05-01' existing = if (!empty(secretName)) {
+ name: secretName
+ }
+}
+
+resource profile_custom_domain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
+ name: name
+ parent: profile
+ properties: {
+ azureDnsZone: !empty(azureDnsZoneResourceId) ? {
+ id: azureDnsZoneResourceId
+ } : null
+ extendedProperties: !empty(extendedProperties) ? extendedProperties : null
+ hostName: hostName
+ preValidatedCustomDomainResourceId: !empty(preValidatedCustomDomainResourceId) ? {
+ id: preValidatedCustomDomainResourceId
+ } : null
+ tlsSettings: {
+ certificateType: certificateType
+ minimumTlsVersion: minimumTlsVersion
+ secret: !(empty(secretName)) ? {
+ id: profile::profile_secrect.id
+ } : null
+ }
+ }
+}
+
+@description('The name of the custom domain.')
+output name string = profile_custom_domain.name
+
+@description('The resource id of the custom domain.')
+output resourceId string = profile_custom_domain.id
+
+@description('The name of the resource group the custom domain was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/customdomain/main.json b/modules/cdn/profile/customdomain/main.json
new file mode 100644
index 0000000000..cc466d0cea
--- /dev/null
+++ b/modules/cdn/profile/customdomain/main.json
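Review bot: The decorator `@description('Optonal. Resource reference to the Azure DNS zone.')` on `azureDnsZoneResourceId` misspells the category prefix, and because the README generator appears to group parameters by that prefix, the README added in this same commit carries a separate `**Optonal parameters**` table holding only that parameter; `@description('Optional. Resource reference to the Azure DNS zone.')` fixes both the source and the regenerated README. The nested existing resource `profile_secrect`, declared under `profile` and referenced as `profile::profile_secrect.id`, is also misspelt and would read better as `profile_secret`. `tlsSettings.secret` becomes `null` whenever `secretName` is empty regardless of `certificateType`, so a `CustomerCertificate` deployment without a secret is not rejected by the template itself; if the service requires a secret in that case, a comment on `certificateType` stating the pairing would help callers. `minimumTlsVersion` keeps `TLS10` as an allowed value with `TLS12` as the default, which is reasonable for compatibility, but a one-line comment noting that `TLS10` is deprecated and only there for legacy clients would make the trade-off explicit to anyone lowering it.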
@@ -0,0 +1,145 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "1547160911539181378" + }, + "name": "CDN Profiles Custom Domains", + "description": "This module deploys a CDN Profile Custom Domains.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the custom domain." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "hostName": { + "type": "string", + "metadata": { + "description": "Required. The host name of the domain. Must be a domain name." + } + }, + "azureDnsZoneResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optonal. Resource reference to the Azure DNS zone." + } + }, + "extendedProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Key-Value pair representing migration properties for domains." + } + }, + "preValidatedCustomDomainResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated." + } + }, + "certificateType": { + "type": "string", + "allowedValues": [ + "CustomerCertificate", + "ManagedCertificate" + ], + "metadata": { + "description": "Required. The type of the certificate used for secure delivery." + } + }, + "minimumTlsVersion": { + "type": "string", + "defaultValue": "TLS12", + "allowedValues": [ + "TLS10", + "TLS12" + ], + "metadata": { + "description": "Optional. The minimum TLS version required for the custom domain. Default value: TLS12." + } + }, + "secretName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. 
The name of the secret. ie. subs/rg/profile/secret." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/customDomains", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "azureDnsZone": "[if(not(empty(parameters('azureDnsZoneResourceId'))), createObject('id', parameters('azureDnsZoneResourceId')), null())]", + "extendedProperties": "[if(not(empty(parameters('extendedProperties'))), parameters('extendedProperties'), null())]", + "hostName": "[parameters('hostName')]", + "preValidatedCustomDomainResourceId": "[if(not(empty(parameters('preValidatedCustomDomainResourceId'))), createObject('id', parameters('preValidatedCustomDomainResourceId')), null())]", + "tlsSettings": { + "certificateType": "[parameters('certificateType')]", + "minimumTlsVersion": "[parameters('minimumTlsVersion')]", + "secret": "[if(not(empty(parameters('secretName'))), createObject('id', resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('secretName'))), null())]" + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the custom domain." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the custom domain." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/customdomain/version.json b/modules/cdn/profile/customdomain/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/customdomain/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/endpoint/main.json b/modules/cdn/profile/endpoint/main.json index c2ea25941e..d9184500e2 100644 --- a/modules/cdn/profile/endpoint/main.json +++ b/modules/cdn/profile/endpoint/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17735453478116875585" + "version": "0.22.6.54827", + "templateHash": "66122595863754952" }, "name": "CDN Profiles Endpoints", "description": "This module deploys a CDN Profile Endpoint.", @@ -125,8 +125,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16752439019054773130" + "version": "0.22.6.54827", + "templateHash": "5759722302271159823" }, "name": "CDN Profiles Endpoints Origins", "description": "This module deploys a CDN Profile Endpoint Origin.", 
@@ -190,7 +190,7 @@ "type": "int", "defaultValue": -1, "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided.." + "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." } }, "privateLinkAlias": { diff --git a/modules/cdn/profile/endpoint/origin/README.md b/modules/cdn/profile/endpoint/origin/README.md index 99224d9456..c4e00f6ddd 100644 --- a/modules/cdn/profile/endpoint/origin/README.md +++ b/modules/cdn/profile/endpoint/origin/README.md @@ -32,7 +32,7 @@ This module deploys a CDN Profile Endpoint Origin. | `priority` | int | `-1` | The priority of origin in given origin group for load balancing. Required if `weight` is provided. | | `privateLinkAlias` | string | | The private link alias of the origin. Required if privateLinkLocation is provided. | | `privateLinkLocation` | string | | The private link location of the origin. Required if privateLinkAlias is provided. | -| `weight` | int | `-1` | The weight of the origin used for load balancing. Required if `priority` is provided.. | +| `weight` | int | `-1` | The weight of the origin used for load balancing. Required if `priority` is provided. | **Optional parameters** diff --git a/modules/cdn/profile/endpoint/origin/main.bicep b/modules/cdn/profile/endpoint/origin/main.bicep index 1461c6b2cc..e0ab14c064 100644 --- a/modules/cdn/profile/endpoint/origin/main.bicep +++ b/modules/cdn/profile/endpoint/origin/main.bicep 
@@ -26,7 +26,7 @@ param httpsPort int = 443 @description('Conditional. The priority of origin in given origin group for load balancing. Required if `weight` is provided.') param priority int = -1 -@description('Conditional. The weight of the origin used for load balancing. Required if `priority` is provided..') +@description('Conditional. The weight of the origin used for load balancing. Required if `priority` is provided.') param weight int = -1 @description('Conditional. The private link alias of the origin. Required if privateLinkLocation is provided.') diff --git a/modules/cdn/profile/endpoint/origin/main.json b/modules/cdn/profile/endpoint/origin/main.json index 8e4d8bf0e5..00fd4df753 100644 --- a/modules/cdn/profile/endpoint/origin/main.json +++ b/modules/cdn/profile/endpoint/origin/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16752439019054773130" + "version": "0.22.6.54827", + "templateHash": "5759722302271159823" }, "name": "CDN Profiles Endpoints Origins", "description": "This module deploys a CDN Profile Endpoint Origin.", @@ -69,7 +69,7 @@ "type": "int", "defaultValue": -1, "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided.." + "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." } }, "privateLinkAlias": { diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index d85c0584b2..072f1ddba5 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep 
@@ -9,23 +9,19 @@ param name string param location string = resourceGroup().location @allowed([ - 'Standard_Verizon' + 'Custom_Verizon' + 'Premium_AzureFrontDoor' + 'Premium_Verizon' + 'StandardPlus_955BandWidth_ChinaCdn' + 'StandardPlus_AvgBandWidth_ChinaCdn' + 'StandardPlus_ChinaCdn' + 'Standard_955BandWidth_ChinaCdn' 'Standard_Akamai' + 'Standard_AvgBandWidth_ChinaCdn' + 'Standard_AzureFrontDoor' 'Standard_ChinaCdn' 'Standard_Microsoft' - 'Premium_Verizon' - 'Premium_Akamai' - 'Premium_ChinaCdn' - 'Premium_Microsoft' - 'Custom_Verizon' - 'Custom_Akamai' - 'Custom_ChinaCdn' - 'Custom_Microsoft' - 'Standard_Microsoft_AzureFrontDoor' - 'Premium_Microsoft_AzureFrontDoor' - 'Custom_Microsoft_AzureFrontDoor' - 'Standard_AzureFrontDoor' - 'Premium_AzureFrontDoor' + 'Standard_Verizon' ]) @description('Required. The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile.') param sku string @@ -39,6 +35,21 @@ param endpointName string = '' @description('Optional. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).') param endpointProperties object = {} +@description('Optional. Array of secret objects.') +param secrets array = [] + +@description('Optional. Array of custom domain objects.') +param customDomains array = [] + +@description('Conditional. Array of origin group objects. Required if the afdEndpoints is specified.') +param origionGroups array = [] + +@description('Optional. Array of rule set objects.') +param ruleSets array = [] + +@description('Optional. Array of AFD endpoint objects.') +param afdEndpoints array = [] + @description('Optional. Endpoint tags.') param tags object = {} 
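Review bot: The rewritten `sku` allowed list drops values the previous version accepted (`Premium_Akamai`, `Premium_ChinaCdn`, `Premium_Microsoft`, `Custom_Akamai`, `Custom_ChinaCdn`, `Custom_Microsoft` and the three `*_Microsoft_AzureFrontDoor` entries), so any existing deployment passing one of them fails template validation after this change. That makes the hunk a breaking interface change rather than a reorder, and it deserves an explicit mention in the module's version bump and changelog; if the removed values are no longer valid for the `2023-05-01` API, saying so in the `sku` description would explain the removal to consumers.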
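Review bot: The new parameter `origionGroups` misspells "origin", and since the name is part of the module's public parameter interface, correcting it later is itself a breaking change; renaming it to `originGroups` now is the cheapest option, and the same spelling recurs in the `profile_origionGroup` module loop in this file's last hunk. Its description states it is required when `afdEndpoints` is specified, but nothing in the visible hunks enforces that, so a short addition such as `Required if afdEndpoints is specified; the dependency is not validated by this template.` would set expectations.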
@@ -70,7 +81,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource profile 'Microsoft.Cdn/profiles@2021-06-01' = { +resource profile 'Microsoft.Cdn/profiles@2023-05-01' = { name: name location: location sku: { 
@@ -115,6 +126,82 @@ module profile_endpoint 'endpoint/main.bicep' = if (!empty(endpointProperties)) } } +module profile_secret 'secret/main.bicep' = [for (secret, index) in secrets: { + name: '${uniqueString(deployment().name)}-Profile-Secret-${index}' + params: { + name: secret.name + profileName: profile.name + type: secret.type + secretSourceResourceId: secret.secretSourceResourceId + subjectAlternativeNames: contains(secret, 'subjectAlternativeNames') ? secret.subjectAlternativeNames : [] + useLatestVersion: contains(secret, 'useLatestVersion') ? secret.useLatestVersion : false + secretVersion: secret.secretVersion + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + +module profile_custom_domain 'customdomain/main.bicep' = [for (customDomain, index) in customDomains: { + name: '${uniqueString(deployment().name)}-CustomDomain-${index}' + dependsOn: [ + profile_secret + ] + params: { + name: customDomain.name + profileName: profile.name + hostName: customDomain.hostName + azureDnsZoneResourceId: contains(customDomain, 'azureDnsZoneResourceId') ? customDomain.azureDnsZoneResourceId : '' + extendedProperties: contains(customDomain, 'extendedProperties') ? customDomain.extendedProperties : {} + certificateType: customDomain.certificateType + minimumTlsVersion: contains(customDomain, 'minimumTlsVersion') ? customDomain.minimumTlsVersion : 'TLS12' + preValidatedCustomDomainResourceId: contains(customDomain, 'preValidatedCustomDomainResourceId') ? customDomain.preValidatedCustomDomainResourceId : '' + secretName: contains(customDomain, 'secretName') ? 
customDomain.secretName : '' + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + +module profile_origionGroup 'origingroup/main.bicep' = [for (origingroup, index) in origionGroups: { + name: '${uniqueString(deployment().name)}-Profile-OrigionGroup-${index}' + params: { + name: origingroup.name + profileName: profile.name + healthProbeSettings: contains(origingroup, 'healthProbeSettings') ? origingroup.healthProbeSettings : {} + loadBalancingSettings: origingroup.loadBalancingSettings + sessionAffinityState: contains(origingroup, 'sessionAffinityState') ? origingroup.sessionAffinityState : 'Disabled' + trafficRestorationTimeToHealedOrNewEndpointsInMinutes: contains(origingroup, 'trafficRestorationTimeToHealedOrNewEndpointsInMinutes') ? origingroup.trafficRestorationTimeToHealedOrNewEndpointsInMinutes : 10 + origins: origingroup.origins + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + +module profile_ruleSet 'ruleset/main.bicep' = [for (ruleSet, index) in ruleSets: { + name: '${uniqueString(deployment().name)}-Profile-RuleSet-${index}' + params: { + name: ruleSet.name + profileName: profile.name + rules: ruleSet.rules + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + +module profile_afdEndpoint 'afdEndpoint/main.bicep' = [for (afdEndpoint, index) in afdEndpoints: { + name: '${uniqueString(deployment().name)}-Profile-AfdEndpoint-${index}' + dependsOn: [ + profile_origionGroup + profile_custom_domain + profile_ruleSet + ] + params: { + name: afdEndpoint.name + location: location + profileName: profile.name + autoGeneratedDomainNameLabelScope: contains(afdEndpoint, 'autoGeneratedDomainNameLabelScope') ? afdEndpoint.autoGeneratedDomainNameLabelScope : 'TenantReuse' + enabledState: contains(afdEndpoint, 'enabledState') ? afdEndpoint.enabledState : 'Enabled' + enableDefaultTelemetry: enableReferencedModulesTelemetry + routes: contains(afdEndpoint, 'routes') ? 
afdEndpoint.routes : [] + tags: contains(afdEndpoint, 'tags') ? afdEndpoint.tags : {} + } +}] + @description('The name of the CDN profile.') output name string = profile.name diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json index 52d888f2a3..b46a4cdf8d 100644 --- a/modules/cdn/profile/main.json +++ b/modules/cdn/profile/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16014718915315898764" + "version": "0.22.6.54827", + "templateHash": "14280184708897109589" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", @@ -28,23 +28,19 @@ "sku": { "type": "string", "allowedValues": [ - "Standard_Verizon", + "Custom_Verizon", + "Premium_AzureFrontDoor", + "Premium_Verizon", + "StandardPlus_955BandWidth_ChinaCdn", + "StandardPlus_AvgBandWidth_ChinaCdn", + "StandardPlus_ChinaCdn", + "Standard_955BandWidth_ChinaCdn", "Standard_Akamai", + "Standard_AvgBandWidth_ChinaCdn", + "Standard_AzureFrontDoor", "Standard_ChinaCdn", "Standard_Microsoft", - "Premium_Verizon", - "Premium_Akamai", - "Premium_ChinaCdn", - "Premium_Microsoft", - "Custom_Verizon", - "Custom_Akamai", - "Custom_ChinaCdn", - "Custom_Microsoft", - "Standard_Microsoft_AzureFrontDoor", - "Premium_Microsoft_AzureFrontDoor", - "Custom_Microsoft_AzureFrontDoor", - "Standard_AzureFrontDoor", - "Premium_AzureFrontDoor" + "Standard_Verizon" ], "metadata": { "description": "Required. The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile." 
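Review bot: `profile_secret` reads `secret.secretSourceResourceId` and `secret.secretVersion` unconditionally, while the neighbouring properties use `contains(secret, …)` guards and the compiled secret template in the main.json hunk below declares both with `"defaultValue": ""` and marks `secretSourceResourceId` as conditional; a secret object that omits either key therefore fails with a property-not-found error at evaluation instead of falling back to the child default. Guard them like the others: `secretSourceResourceId: contains(secret, 'secretSourceResourceId') ? secret.secretSourceResourceId : ''` and `secretVersion: contains(secret, 'secretVersion') ? secret.secretVersion : ''`. The same applies to `secret.type`, which the child template defaults to `AzureFirstPartyManagedCertificate` despite its description saying "Required."; either guard it here or drop the default in the child so the contract is consistent.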
@@ -71,6 +67,41 @@ "description": "Optional. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details)." } }, + "secrets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of secret objects." + } + }, + "customDomains": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of custom domain objects." + } + }, + "origionGroups": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Conditional. Array of origin group objects. Required if the afdEndpoints is specified." + } + }, + "ruleSets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of rule set objects." + } + }, + "afdEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of AFD endpoint objects." + } + }, "tags": { "type": "object", "defaultValue": {}, @@ -125,7 +156,7 @@ }, { "type": "Microsoft.Cdn/profiles", - "apiVersion": "2021-06-01", + "apiVersion": "2023-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { @@ -184,8 +215,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16078911369309632762" + "version": "0.22.6.54827", + "templateHash": "6345074970145673737" } }, "parameters": { @@ -337,8 +368,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2600455439338835043" + "version": "0.22.6.54827", + "templateHash": "66122595863754952" }, "name": "CDN Profiles Endpoints", "description": "This module deploys a CDN Profile Endpoint.", 
@@ -458,8 +489,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11143120787552046432" + "version": "0.22.6.54827", + "templateHash": "5759722302271159823" }, "name": "CDN Profiles Endpoints Origins", "description": "This module deploys a CDN Profile Endpoint Origin.", @@ -523,7 +554,7 @@ "type": "int", "defaultValue": -1, "metadata": { - "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided.." + "description": "Conditional. The weight of the origin used for load balancing. Required if `priority` is provided." } }, "privateLinkAlias": { 
@@ -656,6 +687,1437 @@ "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" ] + }, + { + "copy": { + "name": "profile_secret", + "count": "[length(parameters('secrets'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-Secret-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('secrets')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('name')]" + }, + "type": { + "value": "[parameters('secrets')[copyIndex()].type]" + }, + "secretSourceResourceId": { + "value": "[parameters('secrets')[copyIndex()].secretSourceResourceId]" + }, + "subjectAlternativeNames": "[if(contains(parameters('secrets')[copyIndex()], 'subjectAlternativeNames'), createObject('value', parameters('secrets')[copyIndex()].subjectAlternativeNames), createObject('value', createArray()))]", + "useLatestVersion": "[if(contains(parameters('secrets')[copyIndex()], 'useLatestVersion'), createObject('value', parameters('secrets')[copyIndex()].useLatestVersion), createObject('value', false()))]", + "secretVersion": { + "value": "[parameters('secrets')[copyIndex()].secretVersion]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "10634340039151667854" + }, + "name": "CDN Profiles Secret", + "description": "This module deploys a CDN Profile Secret.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the secrect." 
+ } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." + } + }, + "type": { + "type": "string", + "defaultValue": "AzureFirstPartyManagedCertificate", + "allowedValues": [ + "AzureFirstPartyManagedCertificate", + "CustomerCertificate", + "ManagedCertificate", + "UrlSigningKey" + ], + "metadata": { + "description": "Required. The type of the secrect." + } + }, + "secretSourceResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. The resource ID of the secrect source. Required if the type is CustomerCertificate." + } + }, + "secretVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The version of the secret." + } + }, + "subjectAlternativeNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The subject alternative names of the secrect." + } + }, + "useLatestVersion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Indicates whether to use the latest version of the secrect." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/secrets", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "parameters": "[if(equals(parameters('type'), 'CustomerCertificate'), createObject('type', parameters('type'), 'secretSource', createObject('id', parameters('secretSourceResourceId')), 'secretVersion', parameters('secretVersion'), 'subjectAlternativeNames', parameters('subjectAlternativeNames'), 'useLatestVersion', parameters('useLatestVersion')), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the secrect." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the secrect." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the secret was created in." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + ] + }, + { + "copy": { + "name": "profile_custom_domain", + "count": "[length(parameters('customDomains'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-CustomDomain-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('customDomains')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('name')]" + }, + "hostName": { + "value": "[parameters('customDomains')[copyIndex()].hostName]" + }, + "azureDnsZoneResourceId": "[if(contains(parameters('customDomains')[copyIndex()], 'azureDnsZoneResourceId'), createObject('value', parameters('customDomains')[copyIndex()].azureDnsZoneResourceId), createObject('value', ''))]", + "extendedProperties": "[if(contains(parameters('customDomains')[copyIndex()], 'extendedProperties'), createObject('value', parameters('customDomains')[copyIndex()].extendedProperties), createObject('value', createObject()))]", + "certificateType": { + "value": "[parameters('customDomains')[copyIndex()].certificateType]" + }, + "minimumTlsVersion": "[if(contains(parameters('customDomains')[copyIndex()], 'minimumTlsVersion'), createObject('value', parameters('customDomains')[copyIndex()].minimumTlsVersion), createObject('value', 'TLS12'))]", + "preValidatedCustomDomainResourceId": "[if(contains(parameters('customDomains')[copyIndex()], 'preValidatedCustomDomainResourceId'), createObject('value', parameters('customDomains')[copyIndex()].preValidatedCustomDomainResourceId), createObject('value', ''))]", + "secretName": "[if(contains(parameters('customDomains')[copyIndex()], 'secretName'), createObject('value', parameters('customDomains')[copyIndex()].secretName), createObject('value', ''))]", + 
"enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "1547160911539181378" + }, + "name": "CDN Profiles Custom Domains", + "description": "This module deploys a CDN Profile Custom Domains.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the custom domain." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "hostName": { + "type": "string", + "metadata": { + "description": "Required. The host name of the domain. Must be a domain name." + } + }, + "azureDnsZoneResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optonal. Resource reference to the Azure DNS zone." + } + }, + "extendedProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Key-Value pair representing migration properties for domains." + } + }, + "preValidatedCustomDomainResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource reference to the Azure resource where custom domain ownership was prevalidated." + } + }, + "certificateType": { + "type": "string", + "allowedValues": [ + "CustomerCertificate", + "ManagedCertificate" + ], + "metadata": { + "description": "Required. The type of the certificate used for secure delivery." + } + }, + "minimumTlsVersion": { + "type": "string", + "defaultValue": "TLS12", + "allowedValues": [ + "TLS10", + "TLS12" + ], + "metadata": { + "description": "Optional. The minimum TLS version required for the custom domain. Default value: TLS12." 
+ } + }, + "secretName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the secret. ie. subs/rg/profile/secret." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/customDomains", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "azureDnsZone": "[if(not(empty(parameters('azureDnsZoneResourceId'))), createObject('id', parameters('azureDnsZoneResourceId')), null())]", + "extendedProperties": "[if(not(empty(parameters('extendedProperties'))), parameters('extendedProperties'), null())]", + "hostName": "[parameters('hostName')]", + "preValidatedCustomDomainResourceId": "[if(not(empty(parameters('preValidatedCustomDomainResourceId'))), createObject('id', parameters('preValidatedCustomDomainResourceId')), null())]", + "tlsSettings": { + "certificateType": "[parameters('certificateType')]", + "minimumTlsVersion": "[parameters('minimumTlsVersion')]", + "secret": "[if(not(empty(parameters('secretName'))), createObject('id', resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('secretName'))), null())]" + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the custom domain." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the custom domain." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]", + "profile_secret" + ] + }, + { + "copy": { + "name": "profile_origionGroup", + "count": "[length(parameters('origionGroups'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-OrigionGroup-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('origionGroups')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('name')]" + }, + "healthProbeSettings": "[if(contains(parameters('origionGroups')[copyIndex()], 'healthProbeSettings'), createObject('value', parameters('origionGroups')[copyIndex()].healthProbeSettings), createObject('value', createObject()))]", + "loadBalancingSettings": { + "value": "[parameters('origionGroups')[copyIndex()].loadBalancingSettings]" + }, + "sessionAffinityState": "[if(contains(parameters('origionGroups')[copyIndex()], 'sessionAffinityState'), createObject('value', parameters('origionGroups')[copyIndex()].sessionAffinityState), createObject('value', 'Disabled'))]", + "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[if(contains(parameters('origionGroups')[copyIndex()], 'trafficRestorationTimeToHealedOrNewEndpointsInMinutes'), createObject('value', parameters('origionGroups')[copyIndex()].trafficRestorationTimeToHealedOrNewEndpointsInMinutes), 
createObject('value', 10))]", + "origins": { + "value": "[parameters('origionGroups')[copyIndex()].origins]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "5730470112775090005" + }, + "name": "CDN Profiles Origin Group", + "description": "This module deploys a CDN Profile Origin Group.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the origin group." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "healthProbeSettings": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin." + } + }, + "loadBalancingSettings": { + "type": "object", + "metadata": { + "description": "Required. Load balancing settings for a backend pool." + } + }, + "sessionAffinityState": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to allow session affinity on this host." + } + }, + "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins." + } + }, + "origins": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Required. The list of origins within the origin group." 
+ } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/originGroups", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "healthProbeSettings": "[if(not(empty(parameters('healthProbeSettings'))), parameters('healthProbeSettings'), null())]", + "loadBalancingSettings": "[parameters('loadBalancingSettings')]", + "sessionAffinityState": "[parameters('sessionAffinityState')]", + "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]" + } + }, + { + "copy": { + "name": "origin", + "count": "[length(parameters('origins'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-OriginGroup-Origin-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('origins')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "hostName": { + "value": "[parameters('origins')[copyIndex()].hostName]" + }, + "originGroupName": { + "value": "[parameters('name')]" + }, + "enabledState": 
"[if(contains(parameters('origins')[copyIndex()], 'enabledState'), createObject('value', parameters('origins')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", + "enforceCertificateNameCheck": "[if(contains(parameters('origins')[copyIndex()], 'enforceCertificateNameCheck'), createObject('value', parameters('origins')[copyIndex()].enforceCertificateNameCheck), createObject('value', true()))]", + "httpPort": "[if(contains(parameters('origins')[copyIndex()], 'httpPort'), createObject('value', parameters('origins')[copyIndex()].httpPort), createObject('value', 80))]", + "httpsPort": "[if(contains(parameters('origins')[copyIndex()], 'httpsPort'), createObject('value', parameters('origins')[copyIndex()].httpsPort), createObject('value', 443))]", + "originHostHeader": "[if(contains(parameters('origins')[copyIndex()], 'originHostHeader'), createObject('value', parameters('origins')[copyIndex()].originHostHeader), createObject('value', parameters('origins')[copyIndex()].hostName))]", + "priority": "[if(contains(parameters('origins')[copyIndex()], 'priority'), createObject('value', parameters('origins')[copyIndex()].priority), createObject('value', 1))]", + "weight": "[if(contains(parameters('origins')[copyIndex()], 'weight'), createObject('value', parameters('origins')[copyIndex()].weight), createObject('value', 1000))]", + "sharedPrivateLinkResource": "[if(contains(parameters('origins')[copyIndex()], 'sharedPrivateLinkResource'), createObject('value', parameters('origins')[copyIndex()].sharedPrivateLinkResource), createObject('value', null()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "6401260748375374430" + }, + "name": "CDN Profiles Origin", + 
"description": "This module deploys a CDN Profile Origin.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the origion." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "originGroupName": { + "type": "string", + "metadata": { + "description": "Required. The name of the group." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." + } + }, + "enforceCertificateNameCheck": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Whether to enable certificate name check at origin level." + } + }, + "hostName": { + "type": "string", + "metadata": { + "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." + } + }, + "httpPort": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." + } + }, + "httpsPort": { + "type": "int", + "defaultValue": 443, + "metadata": { + "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." + } + }, + "originHostHeader": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. 
This overrides the host header defined at Endpoint." + } + }, + "priority": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." + } + }, + "sharedPrivateLinkResource": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The properties of the private link resource for private origin." + } + }, + "weight": { + "type": "int", + "defaultValue": 1000, + "metadata": { + "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/originGroups/origins", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", + "properties": { + "enabledState": "[parameters('enabledState')]", + "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", + "hostName": "[parameters('hostName')]", + "httpPort": "[parameters('httpPort')]", + "httpsPort": "[parameters('httpsPort')]", + "originHostHeader": "[parameters('originHostHeader')]", + "priority": "[parameters('priority')]", + 
"sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", + "weight": "[parameters('weight')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the origin." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the origin." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the origin was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the origin group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the origin group." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the origin group was created in." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('profileName')), '2023-05-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + ] + }, + { + "copy": { + "name": "profile_ruleSet", + "count": "[length(parameters('ruleSets'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-RuleSet-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('ruleSets')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('name')]" + }, + "rules": { + "value": "[parameters('ruleSets')[copyIndex()].rules]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "2165712570349315066" + }, + "name": "CDN Profiles Rule Sets", + "description": "This module deploys a CDN Profile rule set.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule set." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "rules": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optinal. The rules to apply to the rule set." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/ruleSets", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]" + }, + { + "copy": { + "name": "rule", + "count": "[length(parameters('rules'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RuleSet-Rule-{1}-{2}', uniqueString(deployment().name), parameters('rules')[copyIndex()].name, copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "profileName": { + "value": "[parameters('profileName')]" + }, + "ruleSetName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('rules')[copyIndex()].name]" + }, + "order": { + "value": "[parameters('rules')[copyIndex()].order]" + }, + "actions": { + "value": "[parameters('rules')[copyIndex()].actions]" + }, + "conditions": "[if(contains(parameters('rules')[copyIndex()], 'conditions'), createObject('value', parameters('rules')[copyIndex()].conditions), createObject('value', createArray()))]", + "matchProcessingBehavior": "[if(contains(parameters('rules')[copyIndex()], 'matchProcessingBehavior'), createObject('value', parameters('rules')[copyIndex()].matchProcessingBehavior), createObject('value', 'Continue'))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "17627422900186578144" + }, + "name": "CDN Profiles Rules", + "description": "This module deploys a CDN Profile rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the profile." + } + }, + "ruleSetName": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule set." + } + }, + "order": { + "type": "int", + "metadata": { + "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." + } + }, + "actions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." + } + }, + "conditions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of conditions that must be matched for the actions to be executed." + } + }, + "matchProcessingBehavior": { + "type": "string", + "allowedValues": [ + "Continue", + "Stop" + ], + "metadata": { + "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/ruleSets/rules", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", + "properties": { + "order": "[parameters('order')]", + "actions": "[parameters('actions')]", + "conditions": "[parameters('conditions')]", + "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the rule." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the rule set." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the rule set." 
+ }, + "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + ] + }, + { + "copy": { + "name": "profile_afdEndpoint", + "count": "[length(parameters('afdEndpoints'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-AfdEndpoint-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('afdEndpoints')[copyIndex()].name]" + }, + "location": { + "value": "[parameters('location')]" + }, + "profileName": { + "value": "[parameters('name')]" + }, + "autoGeneratedDomainNameLabelScope": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'autoGeneratedDomainNameLabelScope'), createObject('value', parameters('afdEndpoints')[copyIndex()].autoGeneratedDomainNameLabelScope), createObject('value', 'TenantReuse'))]", + "enabledState": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'enabledState'), createObject('value', parameters('afdEndpoints')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + }, + "routes": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'routes'), createObject('value', parameters('afdEndpoints')[copyIndex()].routes), createObject('value', createArray()))]", + "tags": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('afdEndpoints')[copyIndex()].tags), createObject('value', createObject()))]" + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "11941850826145778575" + }, + "name": "CDN Profiles AFD Endpoints", + "description": "This module deploys a CDN Profile AFD Endpoint.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the AFD Endpoint." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The location of the AFD Endpoint." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The tags of the AFD Endpoint." + } + }, + "autoGeneratedDomainNameLabelScope": { + "type": "string", + "defaultValue": "TenantReuse", + "allowedValues": [ + "NoReuse", + "ResourceGroupReuse", + "SubscriptionReuse", + "TenantReuse" + ], + "metadata": { + "description": "Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], + "metadata": { + "description": "Optional. Indicates whether the AFD Endpoint is enabled. The default value is Enabled." + } + }, + "routes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The list of routes for this AFD Endpoint." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/afdEndpoints", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", + "enabledState": "[parameters('enabledState')]" + } + }, + { + "copy": { + "name": "afd_endpoint_route", + "count": "[length(parameters('routes'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Profile-AfdEndpoint-Route', uniqueString(deployment().name, parameters('routes')[copyIndex()].name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('routes')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "afdEndpointName": { + "value": "[parameters('name')]" + }, + "cacheConfiguration": "[if(contains(parameters('routes')[copyIndex()], 'cacheConfiguration'), createObject('value', parameters('routes')[copyIndex()].cacheConfiguration), createObject('value', null()))]", + "customDomainName": "[if(contains(parameters('routes')[copyIndex()], 'customDomainName'), createObject('value', parameters('routes')[copyIndex()].customDomainName), createObject('value', ''))]", + "enabledState": 
"[if(contains(parameters('routes')[copyIndex()], 'enabledState'), createObject('value', parameters('routes')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", + "forwardingProtocol": "[if(contains(parameters('routes')[copyIndex()], 'forwardingProtocol'), createObject('value', parameters('routes')[copyIndex()].forwardingProtocol), createObject('value', 'MatchRequest'))]", + "httpsRedirect": "[if(contains(parameters('routes')[copyIndex()], 'httpsRedirect'), createObject('value', parameters('routes')[copyIndex()].httpsRedirect), createObject('value', 'Enabled'))]", + "linkToDefaultDomain": "[if(contains(parameters('routes')[copyIndex()], 'linkToDefaultDomain'), createObject('value', parameters('routes')[copyIndex()].linkToDefaultDomain), createObject('value', 'Enabled'))]", + "originGroupName": "[if(contains(parameters('routes')[copyIndex()], 'originGroupName'), createObject('value', parameters('routes')[copyIndex()].originGroupName), createObject('value', ''))]", + "originPath": "[if(contains(parameters('routes')[copyIndex()], 'originPath'), createObject('value', parameters('routes')[copyIndex()].originPath), createObject('value', ''))]", + "patternsToMatch": "[if(contains(parameters('routes')[copyIndex()], 'patternsToMatch'), createObject('value', parameters('routes')[copyIndex()].patternsToMatch), createObject('value', createArray()))]", + "ruleSets": "[if(contains(parameters('routes')[copyIndex()], 'ruleSets'), createObject('value', parameters('routes')[copyIndex()].ruleSets), createObject('value', createArray()))]", + "supportedProtocols": "[if(contains(parameters('routes')[copyIndex()], 'supportedProtocols'), createObject('value', parameters('routes')[copyIndex()].supportedProtocols), createObject('value', createArray()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "13253134886056545686" + }, + "name": "CDN Profiles AFD Endpoint Route", + "description": "This module deploys a CDN Profile AFD Endpoint route.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the route." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the parent CDN profile." + } + }, + "afdEndpointName": { + "type": "string", + "metadata": { + "description": "Required. The name of the AFD endpoint." + } + }, + "cacheConfiguration": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object." + } + }, + "customDomainName": { + "type": "string", + "metadata": { + "description": "Optional. The name of the custom domain. The custom domain must be defined in the profile customDomains." + } + }, + "forwardingProtocol": { + "type": "string", + "defaultValue": "MatchRequest", + "allowedValues": [ + "HttpOnly", + "HttpsOnly", + "MatchRequest" + ], + "metadata": { + "description": "Optional. The protocol this rule will use when forwarding traffic to backends." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route is enabled." + } + }, + "httpsRedirect": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic." 
+ } + }, + "linkToDefaultDomain": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether this route will be linked to the default endpoint domain." + } + }, + "originGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Required. The name of the origin group. The origin group must be defined in the profile originGroups." + } + }, + "originPath": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." + } + }, + "patternsToMatch": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The route patterns of the rule." + } + }, + "ruleSets": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The rule sets of the rule. The rule sets must be defined in the profile ruleSets." + } + }, + "supportedProtocols": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "Http", + "Https" + ], + "metadata": { + "description": "Optional. The supported protocols of the rule." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]", + "properties": { + "copy": [ + { + "name": "ruleSets", + "count": "[length(parameters('ruleSets'))]", + "input": { + "id": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('ruleSets')[copyIndex('ruleSets')].name)]" + } + } + ], + "cacheConfiguration": "[if(not(empty(parameters('cacheConfiguration'))), parameters('cacheConfiguration'), null())]", + "customDomains": "[if(not(empty(parameters('customDomainName'))), createArray(createObject('id', resourceId('Microsoft.Cdn/profiles/customDomains', parameters('profileName'), parameters('customDomainName')))), createArray())]", + "enabledState": "[parameters('enabledState')]", + "forwardingProtocol": "[parameters('forwardingProtocol')]", + "httpsRedirect": "[parameters('httpsRedirect')]", + "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", + "originGroup": { + "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('originGroupName'))]" + }, + "originPath": "[if(not(empty(parameters('originPath'))), parameters('originPath'), null())]", + "patternsToMatch": "[parameters('patternsToMatch')]", + "supportedProtocols": "[if(not(empty(parameters('supportedProtocols'))), parameters('supportedProtocols'), null())]" + } + } + ], + "outputs": { + "name": { + "type": 
"string", + "metadata": { + "description": "The name of the route." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The ID of the route." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints/routes', parameters('profileName'), parameters('afdEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the route was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AFD Endpoint." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the AFD Endpoint." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the endpoint was created in." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name')), '2023-05-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]", + "profile_custom_domain", + "profile_origionGroup", + "profile_ruleSet" + ] } ], "outputs": { 
@@ -692,7 +2154,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('name')), '2023-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cdn/profile/origingroup/README.md b/modules/cdn/profile/origingroup/README.md new file mode 100644 index 0000000000..fd8396cd17 --- /dev/null +++ b/modules/cdn/profile/origingroup/README.md 
@@ -0,0 +1,51 @@ +# CDN Profiles Origin Group `[Microsoft.Cdn/profiles/originGroups]` + +This module deploys a CDN Profile Origin Group. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/originGroups` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/originGroups) | +| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/originGroups/origins) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `loadBalancingSettings` | object | Load balancing settings for a backend pool. | +| `name` | string | The name of the origin group. | +| `origins` | array | The list of origins within the origin group. | +| `profileName` | string | The name of the CDN profile. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `healthProbeSettings` | object | `{object}` | | Health probe settings to the origin that is used to determine the health of the origin. | +| `sessionAffinityState` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether to allow session affinity on this host. | +| `trafficRestorationTimeToHealedOrNewEndpointsInMinutes` | int | `10` | | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the origin group. 
| +| `resourceGroupName` | string | The name of the resource group the origin group was created in. | +| `resourceId` | string | The resource id of the origin group. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/origingroup/main.bicep b/modules/cdn/profile/origingroup/main.bicep new file mode 100644 index 0000000000..e394dcb042 --- /dev/null +++ b/modules/cdn/profile/origingroup/main.bicep 
@@ -0,0 +1,91 @@
+metadata name = 'CDN Profiles Origin Group'
+metadata description = 'This module deploys a CDN Profile Origin Group.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the origin group.')
+param name string
+
+@description('Required. The name of the CDN profile.')
+param profileName string
+
+@description('Optional. Health probe settings to the origin that is used to determine the health of the origin.')
+param healthProbeSettings object = {}
+
+@description('Required. Load balancing settings for a backend pool.')
+param loadBalancingSettings object
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether to allow session affinity on this host.')
+param sessionAffinityState string = 'Disabled'
+
+@description('Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.')
+param trafficRestorationTimeToHealedOrNewEndpointsInMinutes int = 10
+
+@description('Required. The list of origins within the origin group.')
+param origins array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+}
+
+resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
+ name: name
+ parent: profile
+ properties: {
+ healthProbeSettings: !empty(healthProbeSettings) ?
healthProbeSettings : null
+ loadBalancingSettings: loadBalancingSettings
+ sessionAffinityState: sessionAffinityState
+ trafficRestorationTimeToHealedOrNewEndpointsInMinutes: trafficRestorationTimeToHealedOrNewEndpointsInMinutes
+ }
+}
+
+module origin 'origin/main.bicep' = [for (origion, index) in origins: {
+ name: '${uniqueString(deployment().name)}-OriginGroup-Origin-${index}'
+ params: {
+ name: origion.name
+ profileName: profileName
+ hostName: origion.hostName
+ originGroupName: originGroup.name
+ enabledState: contains(origion, 'enabledState') ? origion.enabledState : 'Enabled'
+ enforceCertificateNameCheck: contains(origion, 'enforceCertificateNameCheck') ? origion.enforceCertificateNameCheck : true
+ httpPort: contains(origion, 'httpPort') ? origion.httpPort : 80
+ httpsPort: contains(origion, 'httpsPort') ? origion.httpsPort : 443
+ originHostHeader: contains(origion, 'originHostHeader') ? origion.originHostHeader : origion.hostName
+ priority: contains(origion, 'priority') ? origion.priority : 1
+ weight: contains(origion, 'weight') ? origion.weight : 1000
+ sharedPrivateLinkResource: contains(origion, 'sharedPrivateLinkResource') ? origion.sharedPrivateLinkResource : null
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+@description('The name of the origin group.')
+output name string = originGroup.name
+
+@description('The resource id of the origin group.')
+output resourceId string = originGroup.id
+
+@description('The name of the resource group the origin group was created in.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The location the resource was deployed into.')
+output location string = profile.location
diff --git a/modules/cdn/profile/origingroup/main.json b/modules/cdn/profile/origingroup/main.json
new file mode 100644
index 0000000000..529935e7f3
--- /dev/null
+++ b/modules/cdn/profile/origingroup/main.json
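Review bot: `origins` is annotated `@description('Required. ...')` but is given a default of `[]`, so the module happily deploys an origin group with no origins, and the generated README in this same patch lists the parameter under required while the compiled main.json carries `"defaultValue": []`; either drop the default (`param origins array`) or relabel the description `Optional.` so the docs and the template agree. Each loop entry is handed to the origin module as-is, and the defaults chosen there (`enforceCertificateNameCheck: true`, `enabledState: 'Enabled'`) are the safe ones, but a caller can still switch the certificate name check off per origin; the parameter description should say that `enforceCertificateNameCheck` is honoured per entry so reviewers of parameter files know to look for it. The loop variable is spelled `origion` throughout the `module origin` block; since `origin` is already the module's symbolic name, a rename such as `originConfig` would fix the typo without shadowing it.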
@@ -0,0 +1,338 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "5730470112775090005" + }, + "name": "CDN Profiles Origin Group", + "description": "This module deploys a CDN Profile Origin Group.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the origin group." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "healthProbeSettings": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin." + } + }, + "loadBalancingSettings": { + "type": "object", + "metadata": { + "description": "Required. Load balancing settings for a backend pool." + } + }, + "sessionAffinityState": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to allow session affinity on this host." + } + }, + "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins." + } + }, + "origins": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Required. The list of origins within the origin group." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/originGroups", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "healthProbeSettings": "[if(not(empty(parameters('healthProbeSettings'))), parameters('healthProbeSettings'), null())]", + "loadBalancingSettings": "[parameters('loadBalancingSettings')]", + "sessionAffinityState": "[parameters('sessionAffinityState')]", + "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]" + } + }, + { + "copy": { + "name": "origin", + "count": "[length(parameters('origins'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-OriginGroup-Origin-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('origins')[copyIndex()].name]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "hostName": { + "value": "[parameters('origins')[copyIndex()].hostName]" + }, + "originGroupName": { + "value": "[parameters('name')]" + }, + "enabledState": "[if(contains(parameters('origins')[copyIndex()], 'enabledState'), createObject('value', parameters('origins')[copyIndex()].enabledState), createObject('value', 'Enabled'))]", + 
"enforceCertificateNameCheck": "[if(contains(parameters('origins')[copyIndex()], 'enforceCertificateNameCheck'), createObject('value', parameters('origins')[copyIndex()].enforceCertificateNameCheck), createObject('value', true()))]", + "httpPort": "[if(contains(parameters('origins')[copyIndex()], 'httpPort'), createObject('value', parameters('origins')[copyIndex()].httpPort), createObject('value', 80))]", + "httpsPort": "[if(contains(parameters('origins')[copyIndex()], 'httpsPort'), createObject('value', parameters('origins')[copyIndex()].httpsPort), createObject('value', 443))]", + "originHostHeader": "[if(contains(parameters('origins')[copyIndex()], 'originHostHeader'), createObject('value', parameters('origins')[copyIndex()].originHostHeader), createObject('value', parameters('origins')[copyIndex()].hostName))]", + "priority": "[if(contains(parameters('origins')[copyIndex()], 'priority'), createObject('value', parameters('origins')[copyIndex()].priority), createObject('value', 1))]", + "weight": "[if(contains(parameters('origins')[copyIndex()], 'weight'), createObject('value', parameters('origins')[copyIndex()].weight), createObject('value', 1000))]", + "sharedPrivateLinkResource": "[if(contains(parameters('origins')[copyIndex()], 'sharedPrivateLinkResource'), createObject('value', parameters('origins')[copyIndex()].sharedPrivateLinkResource), createObject('value', null()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "6401260748375374430" + }, + "name": "CDN Profiles Origin", + "description": "This module deploys a CDN Profile Origin.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": 
"Required. The name of the origion." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "originGroupName": { + "type": "string", + "metadata": { + "description": "Required. The name of the group." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." + } + }, + "enforceCertificateNameCheck": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Whether to enable certificate name check at origin level." + } + }, + "hostName": { + "type": "string", + "metadata": { + "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." + } + }, + "httpPort": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." + } + }, + "httpsPort": { + "type": "int", + "defaultValue": 443, + "metadata": { + "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." + } + }, + "originHostHeader": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint." + } + }, + "priority": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. 
Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." + } + }, + "sharedPrivateLinkResource": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The properties of the private link resource for private origin." + } + }, + "weight": { + "type": "int", + "defaultValue": 1000, + "metadata": { + "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/originGroups/origins", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", + "properties": { + "enabledState": "[parameters('enabledState')]", + "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", + "hostName": "[parameters('hostName')]", + "httpPort": "[parameters('httpPort')]", + "httpsPort": "[parameters('httpsPort')]", + "originHostHeader": "[parameters('originHostHeader')]", + "priority": "[parameters('priority')]", + "sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", + "weight": 
"[parameters('weight')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the origin." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the origin." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the origin was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the origin group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the origin group." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the origin group was created in." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('profileName')), '2023-05-01', 'full').location]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/origingroup/origin/README.md b/modules/cdn/profile/origingroup/origin/README.md new file mode 100644 index 0000000000..260e7846fb --- /dev/null +++ b/modules/cdn/profile/origingroup/origin/README.md 
@@ -0,0 +1,54 @@ +# CDN Profiles Origin `[Microsoft.Cdn/profiles/originGroups/origins]` + +This module deploys a CDN Profile Origin. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/originGroups/origins` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/originGroups/origins) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `hostName` | string | The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. | +| `name` | string | The name of the origion. | +| `originGroupName` | string | The name of the group. | +| `profileName` | string | The name of the CDN profile. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. | +| `enforceCertificateNameCheck` | bool | `True` | | Whether to enable certificate name check at origin level. | +| `httpPort` | int | `80` | | The value of the HTTP port. Must be between 1 and 65535. | +| `httpsPort` | int | `443` | | The value of the HTTPS port. Must be between 1 and 65535. | +| `originHostHeader` | string | `''` | | The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. 
Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. | +| `priority` | int | `1` | | Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. | +| `sharedPrivateLinkResource` | object | `{object}` | | The properties of the private link resource for private origin. | +| `weight` | int | `1000` | | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the origin. | +| `resourceGroupName` | string | The name of the resource group the origin was created in. | +| `resourceId` | string | The resource id of the origin. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/origingroup/origin/main.bicep b/modules/cdn/profile/origingroup/origin/main.bicep new file mode 100644 index 0000000000..c93522b4cc --- /dev/null +++ b/modules/cdn/profile/origingroup/origin/main.bicep 
@@ -0,0 +1,91 @@
+metadata name = 'CDN Profiles Origin'
+metadata description = 'This module deploys a CDN Profile Origin.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the origion.')
+param name string
+
+@description('Required. The name of the CDN profile.')
+param profileName string
+
+@description('Required. The name of the group.')
+param originGroupName string
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.')
+param enabledState string = 'Enabled'
+
+@description('Optional. Whether to enable certificate name check at origin level.')
+param enforceCertificateNameCheck bool = true
+
+@description('Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.')
+param hostName string
+
+@description('Optional. The value of the HTTP port. Must be between 1 and 65535.')
+param httpPort int = 80
+
+@description('Optional. The value of the HTTPS port. Must be between 1 and 65535.')
+param httpsPort int = 443
+
+@description('Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.')
+param originHostHeader string = ''
+
+@description('Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.')
+param priority int = 1
+
+@description('Optional.
The properties of the private link resource for private origin.')
+param sharedPrivateLinkResource object = {}
+
+@description('Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.')
+param weight int = 1000
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+
+ resource originGroup 'originGroups@2023-05-01' existing = {
+ name: originGroupName
+ }
+}
+
+resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
+ name: name
+ parent: profile::originGroup
+ properties: {
+ enabledState: enabledState
+ enforceCertificateNameCheck: enforceCertificateNameCheck
+ hostName: hostName
+ httpPort: httpPort
+ httpsPort: httpsPort
+ originHostHeader: originHostHeader
+ priority: priority
+ sharedPrivateLinkResource: !empty(sharedPrivateLinkResource) ? sharedPrivateLinkResource : null
+ weight: weight
+ }
+}
+
+@description('The name of the origin.')
+output name string = origin.name
+
+@description('The resource id of the origin.')
+output resourceId string = origin.id
+
+@description('The name of the resource group the origin was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/origingroup/origin/main.json b/modules/cdn/profile/origingroup/origin/main.json
new file mode 100644
index 0000000000..4715abbae8
--- /dev/null
+++ b/modules/cdn/profile/origingroup/origin/main.json
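Review bot: The descriptions of `httpPort`, `httpsPort`, `priority` and `weight` each state a numeric range ("Must be between 1 and 65535", "1 and 5", "1 and 1000") but nothing enforces it, so an out-of-range value is only rejected by the resource provider at deployment time, if at all; Bicep's `@minValue`/`@maxValue` decorators make the stated contract part of the template and surface the error at validation. The `enabledState` description is copied from the Front Door health-probe setting ("Whether to enable health probes to be made against backends…") and does not describe this property, which on an origin controls whether the origin participates in load balancing at all; suggest `@description('Optional. Whether to enable this origin. A disabled origin receives no traffic from the origin group.')`, hedged as my reading of the property name. Keeping `enforceCertificateNameCheck` defaulted to `true` is the right call and worth a one-line comment saying it is deliberate. The `name` description also carries the `origion` typo.

```bicep
@description('Optional. The value of the HTTP port. Must be between 1 and 65535.')
@minValue(1)
@maxValue(65535)
param httpPort int = 80

@description('Optional. The value of the HTTPS port. Must be between 1 and 65535.')
@minValue(1)
@maxValue(65535)
param httpsPort int = 443

// … unchanged: originHostHeader …

@description('Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.')
@minValue(1)
@maxValue(5)
param priority int = 1

// … unchanged: sharedPrivateLinkResource …

@description('Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.')
@minValue(1)
@maxValue(1000)
param weight int = 1000
```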
@@ -0,0 +1,162 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "6401260748375374430" + }, + "name": "CDN Profiles Origin", + "description": "This module deploys a CDN Profile Origin.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the origion." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "originGroupName": { + "type": "string", + "metadata": { + "description": "Required. The name of the group." + } + }, + "enabledState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool." + } + }, + "enforceCertificateNameCheck": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Whether to enable certificate name check at origin level." + } + }, + "hostName": { + "type": "string", + "metadata": { + "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." + } + }, + "httpPort": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Optional. The value of the HTTP port. Must be between 1 and 65535." + } + }, + "httpsPort": { + "type": "int", + "defaultValue": 443, + "metadata": { + "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535." 
+ } + }, + "originHostHeader": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint." + } + }, + "priority": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5." + } + }, + "sharedPrivateLinkResource": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The properties of the private link resource for private origin." + } + }, + "weight": { + "type": "int", + "defaultValue": 1000, + "metadata": { + "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/originGroups/origins", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('originGroupName'), parameters('name'))]", + "properties": { + "enabledState": "[parameters('enabledState')]", + "enforceCertificateNameCheck": "[parameters('enforceCertificateNameCheck')]", + "hostName": "[parameters('hostName')]", + "httpPort": "[parameters('httpPort')]", + "httpsPort": "[parameters('httpsPort')]", + "originHostHeader": "[parameters('originHostHeader')]", + "priority": "[parameters('priority')]", + "sharedPrivateLinkResource": "[if(not(empty(parameters('sharedPrivateLinkResource'))), parameters('sharedPrivateLinkResource'), null())]", + "weight": "[parameters('weight')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the origin." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the origin." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('profileName'), parameters('originGroupName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the origin was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file 
diff --git a/modules/cdn/profile/origingroup/origin/version.json b/modules/cdn/profile/origingroup/origin/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/origingroup/origin/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/origingroup/version.json b/modules/cdn/profile/origingroup/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/origingroup/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/ruleset/README.md b/modules/cdn/profile/ruleset/README.md new file mode 100644 index 0000000000..de4783b188 --- /dev/null +++ b/modules/cdn/profile/ruleset/README.md 
@@ -0,0 +1,51 @@ +# CDN Profiles Rule Sets `[Microsoft.Cdn/profiles/ruleSets]` + +This module deploys a CDN Profile rule set. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/ruleSets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets) | +| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets/rules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the rule set. | +| `profileName` | string | The name of the CDN profile. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | + +**Optinal parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `rules` | array | The rules to apply to the rule set. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the rule set. | +| `resourceGroupName` | string | The name of the resource group the custom domain was created in. | +| `resourceId` | string | The resource id of the rule set. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/ruleset/main.bicep b/modules/cdn/profile/ruleset/main.bicep new file mode 100644 index 0000000000..634a391120 --- /dev/null +++ b/modules/cdn/profile/ruleset/main.bicep 
@@ -0,0 +1,60 @@
+metadata name = 'CDN Profiles Rule Sets'
+metadata description = 'This module deploys a CDN Profile rule set.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the rule set.')
+param name string
+
+@description('Required. The name of the CDN profile.')
+param profileName string
+
+@description('Optinal. The rules to apply to the rule set.')
+param rules array = []
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+}
+
+resource rule_set 'Microsoft.Cdn/profiles/ruleSets@2023-05-01' = {
+ name: name
+ parent: profile
+}
+
+module rule 'rule/main.bicep' = [for (rule, index) in rules: {
+ name: '${uniqueString(deployment().name)}-RuleSet-Rule-${rule.name}-${index}'
+ params: {
+ profileName: profileName
+ ruleSetName: name
+ name: rule.name
+ order: rule.order
+ actions: rule.actions
+ conditions: contains(rule, 'conditions') ? rule.conditions : []
+ matchProcessingBehavior: contains(rule, 'matchProcessingBehavior') ? rule.matchProcessingBehavior : 'Continue'
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
+@description('The name of the rule set.')
+output name string = rule_set.name
+
+@description('The resource id of the rule set.')
+output resourceId string = rule_set.id
+
+@description('The name of the resource group the custom domain was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/ruleset/main.json b/modules/cdn/profile/ruleset/main.json
new file mode 100644
index 0000000000..cfe7060568
--- /dev/null
+++ b/modules/cdn/profile/ruleset/main.json
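Review bot: The `rules` parameter description starts with `Optinal.` instead of `Optional.`; the README generator categorises parameters by that leading keyword, and the README added in this same commit already shows a stray `**Optinal parameters**` table as a result. Change the line to `@description('Optional. The rules to apply to the rule set.')` and regenerate the README so `rules` lands in the optional table with its `[]` default. The `resourceGroupName` output is described as `the resource group the custom domain was created in`, a leftover from the custom-domain module; it should say `the rule set was created in`. The nested deployment name interpolates `rule.name` unchecked; ARM deployment names are limited in length (64 characters, as far as I recall), so a long rule name will fail at deployment time rather than at validation — worth a sentence in the `rules` description or a `take()` on the name.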
@@ -0,0 +1,247 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "2165712570349315066" + }, + "name": "CDN Profiles Rule Sets", + "description": "This module deploys a CDN Profile rule set.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule set." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the CDN profile." + } + }, + "rules": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optinal. The rules to apply to the rule set." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/ruleSets", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]" + }, + { + "copy": { + "name": "rule", + "count": "[length(parameters('rules'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RuleSet-Rule-{1}-{2}', uniqueString(deployment().name), parameters('rules')[copyIndex()].name, copyIndex())]", + 
"properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "profileName": { + "value": "[parameters('profileName')]" + }, + "ruleSetName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('rules')[copyIndex()].name]" + }, + "order": { + "value": "[parameters('rules')[copyIndex()].order]" + }, + "actions": { + "value": "[parameters('rules')[copyIndex()].actions]" + }, + "conditions": "[if(contains(parameters('rules')[copyIndex()], 'conditions'), createObject('value', parameters('rules')[copyIndex()].conditions), createObject('value', createArray()))]", + "matchProcessingBehavior": "[if(contains(parameters('rules')[copyIndex()], 'matchProcessingBehavior'), createObject('value', parameters('rules')[copyIndex()].matchProcessingBehavior), createObject('value', 'Continue'))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "17627422900186578144" + }, + "name": "CDN Profiles Rules", + "description": "This module deploys a CDN Profile rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the profile." + } + }, + "ruleSetName": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule set." + } + }, + "order": { + "type": "int", + "metadata": { + "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." 
+ } + }, + "actions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." + } + }, + "conditions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of conditions that must be matched for the actions to be executed." + } + }, + "matchProcessingBehavior": { + "type": "string", + "allowedValues": [ + "Continue", + "Stop" + ], + "metadata": { + "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/ruleSets/rules", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", + "properties": { + "order": "[parameters('order')]", + "actions": "[parameters('actions')]", + "conditions": "[parameters('conditions')]", + "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the rule." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the rule." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the rule set." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the rule set." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/ruleset/rule/README.md b/modules/cdn/profile/ruleset/rule/README.md new file mode 100644 index 0000000000..9fbaa502eb --- /dev/null +++ b/modules/cdn/profile/ruleset/rule/README.md 
@@ -0,0 +1,49 @@ +# CDN Profiles Rules `[Microsoft.Cdn/profiles/ruleSets/rules]` + +This module deploys a CDN Profile rule. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets/rules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `matchProcessingBehavior` | string | `[Continue, Stop]` | If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. | +| `name` | string | | The name of the rule. | +| `order` | int | | The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order. | +| `profileName` | string | | The name of the profile. | +| `ruleSetName` | string | | The name of the rule set. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `actions` | array | `[]` | A list of actions that are executed when all the conditions of a rule are satisfied. | +| `conditions` | array | `[]` | A list of conditions that must be matched for the actions to be executed. | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the rule. | +| `resourceGroupName` | string | The name of the resource group the custom domain was created in. | +| `resourceId` | string | The resource id of the rule. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/cdn/profile/ruleset/rule/main.bicep b/modules/cdn/profile/ruleset/rule/main.bicep new file mode 100644 index 0000000000..ac839dd91a --- /dev/null +++ b/modules/cdn/profile/ruleset/rule/main.bicep 
@@ -0,0 +1,71 @@
+metadata name = 'CDN Profiles Rules'
+metadata description = 'This module deploys a CDN Profile rule.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the rule.')
+param name string
+
+@description('Required. The name of the profile.')
+param profileName string
+
+@description('Required. The name of the rule set.')
+param ruleSetName string
+
+@description('Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order.')
+param order int
+
+@description('Optional. A list of actions that are executed when all the conditions of a rule are satisfied.')
+param actions array = []
+
+@description('Optional. A list of conditions that must be matched for the actions to be executed.')
+param conditions array = []
+
+@allowed([
+ 'Continue'
+ 'Stop'
+])
+@description('Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.')
+param matchProcessingBehavior string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+
+ resource rule_set 'ruleSets@2023-05-01' existing = {
+ name: ruleSetName
+ }
+}
+
+resource rule_set_rule 'Microsoft.Cdn/profiles/ruleSets/rules@2023-05-01' = {
+ name: name
+ parent: profile::rule_set
+ properties: {
+ order: order
+ actions: actions
+ conditions: conditions
+ matchProcessingBehavior: matchProcessingBehavior
+ }
+}
+
+@description('The name of the rule.')
+output name string = rule_set_rule.name
+
+@description('The resource id of the rule.')
+output resourceId string = rule_set_rule.id
+
+@description('The name of the resource group the custom domain was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/ruleset/rule/main.json b/modules/cdn/profile/ruleset/rule/main.json
new file mode 100644
index 0000000000..bd8539a656
--- /dev/null
+++ b/modules/cdn/profile/ruleset/rule/main.json
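Review bot: `matchProcessingBehavior` is declared without a default and labelled `Required.`, yet the same description promises `If not present, defaults to Continue.` — a caller using this module standalone cannot omit it, so the promise is false and the generated README files it under required parameters. Either give it the default the parent module already supplies, `@description('Optional. ...') param matchProcessingBehavior string = 'Continue'`, or drop the "defaults to Continue" clause. `actions` defaults to `[]`, so a rule with conditions but nothing to do can be submitted; whether the service accepts an empty action list I cannot tell from here, but the description should say what an empty list means. The `resourceGroupName` output description still talks about `the custom domain`, copied from another module; it should read `the rule was created in`.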
@@ -0,0 +1,121 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "17627422900186578144" + }, + "name": "CDN Profiles Rules", + "description": "This module deploys a CDN Profile rule.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Required. The name of the profile." + } + }, + "ruleSetName": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule set." + } + }, + "order": { + "type": "int", + "metadata": { + "description": "Required. The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order." + } + }, + "actions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied." + } + }, + "conditions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of conditions that must be matched for the actions to be executed." + } + }, + "matchProcessingBehavior": { + "type": "string", + "allowedValues": [ + "Continue", + "Stop" + ], + "metadata": { + "description": "Required. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/ruleSets/rules", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]", + "properties": { + "order": "[parameters('order')]", + "actions": "[parameters('actions')]", + "conditions": "[parameters('conditions')]", + "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the rule." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/ruleSets/rules', parameters('profileName'), parameters('ruleSetName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the custom domain was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/ruleset/rule/version.json b/modules/cdn/profile/ruleset/rule/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/ruleset/rule/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} 
diff --git a/modules/cdn/profile/ruleset/version.json b/modules/cdn/profile/ruleset/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/ruleset/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} diff --git a/modules/cdn/profile/secret/README.md b/modules/cdn/profile/secret/README.md new file mode 100644 index 0000000000..4f1a1f6161 --- /dev/null +++ b/modules/cdn/profile/secret/README.md 
@@ -0,0 +1,54 @@ +# CDN Profiles Secret `[Microsoft.Cdn/profiles/secrets]` + +This module deploys a CDN Profile Secret. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/secrets) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `name` | string | | | The name of the secrect. | +| `type` | string | `'AzureFirstPartyManagedCertificate'` | `[AzureFirstPartyManagedCertificate, CustomerCertificate, ManagedCertificate, UrlSigningKey]` | The type of the secrect. | + +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `profileName` | string | | The name of the parent CDN profile. Required if the template is used in a standalone deployment. | +| `secretSourceResourceId` | string | `''` | The resource ID of the secrect source. Required if the type is CustomerCertificate. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| `secretVersion` | string | `''` | The version of the secret. | +| `subjectAlternativeNames` | array | `[]` | The subject alternative names of the secrect. | +| `useLatestVersion` | bool | `False` | Indicates whether to use the latest version of the secrect. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the secrect. | +| `resourceGroupName` | string | The name of the resource group the secret was created in. 
| +| `resourceId` | string | The resource ID of the secrect. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/secret/main.bicep b/modules/cdn/profile/secret/main.bicep new file mode 100644 index 0000000000..b4ea189c45 --- /dev/null +++ b/modules/cdn/profile/secret/main.bicep 
@@ -0,0 +1,74 @@
+metadata name = 'CDN Profiles Secret'
+metadata description = 'This module deploys a CDN Profile Secret.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the secrect.')
+param name string
+
+@description('Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment.')
+param profileName string
+
+@allowed([
+ 'AzureFirstPartyManagedCertificate'
+ 'CustomerCertificate'
+ 'ManagedCertificate'
+ 'UrlSigningKey'
+])
+@description('Required. The type of the secrect.')
+param type string = 'AzureFirstPartyManagedCertificate'
+
+@description('Conditional. The resource ID of the secrect source. Required if the type is CustomerCertificate.')
+param secretSourceResourceId string = ''
+
+@description('Optional. The version of the secret.')
+param secretVersion string = ''
+
+@description('Optional. The subject alternative names of the secrect.')
+param subjectAlternativeNames array = []
+
+@description('Optional. Indicates whether to use the latest version of the secrect.')
+param useLatestVersion bool = false
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
+ name: profileName
+}
+
+resource profile_secrect 'Microsoft.Cdn/profiles/secrets@2023-05-01' = {
+ name: name
+ parent: profile
+ properties: {
+ parameters: (type == 'CustomerCertificate') ? {
+ type: type
+ secretSource: {
+ id: secretSourceResourceId
+ }
+ secretVersion: secretVersion
+ subjectAlternativeNames: subjectAlternativeNames
+ useLatestVersion: useLatestVersion
+ } : null
+ }
+}
+
+@description('The name of the secrect.')
+output name string = profile_secrect.name
+
+@description('The resource ID of the secrect.')
+output resourceId string = profile_secrect.id
+
+@description('The name of the resource group the secret was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/cdn/profile/secret/main.json b/modules/cdn/profile/secret/main.json
new file mode 100644
index 0000000000..b285eceb11
--- /dev/null
+++ b/modules/cdn/profile/secret/main.json
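Review bot: The `@allowed` list advertises four secret types, but the `parameters` expression only builds a payload for `CustomerCertificate` and submits `parameters: null` for the other three — including the default `AzureFirstPartyManagedCertificate` — so a deployment that leaves `type` at its default most likely fails at the service rather than creating a managed certificate, since `parameters` is the type-discriminated body of the secret. Until the other variants are modelled, restrict the decorator to `@allowed([ 'CustomerCertificate' ])` and make that the default, or document that only `CustomerCertificate` is supported. For that variant, `secretSourceResourceId` defaults to `''` and is passed straight into `secretSource.id`, and `useLatestVersion = false` combined with `secretVersion = ''` pins no version at all; the descriptions should state that `secretVersion` is required when `useLatestVersion` is false, since nothing here validates either. Presumably the profile's service identity also needs read access to the referenced Key Vault certificate for the secret to resolve — this module neither grants nor mentions that, and a one-line note on `secretSourceResourceId` would save callers a failed deployment. Finally, `secrect` is misspelled in nearly every description and flows into the generated README, and `profileName` is labelled `Conditional` while having no default, so it is in fact required.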
@@ -0,0 +1,123 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "10634340039151667854" + }, + "name": "CDN Profiles Secret", + "description": "This module deploys a CDN Profile Secret.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the secrect." + } + }, + "profileName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent CDN profile. Required if the template is used in a standalone deployment." + } + }, + "type": { + "type": "string", + "defaultValue": "AzureFirstPartyManagedCertificate", + "allowedValues": [ + "AzureFirstPartyManagedCertificate", + "CustomerCertificate", + "ManagedCertificate", + "UrlSigningKey" + ], + "metadata": { + "description": "Required. The type of the secrect." + } + }, + "secretSourceResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. The resource ID of the secrect source. Required if the type is CustomerCertificate." + } + }, + "secretVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The version of the secret." + } + }, + "subjectAlternativeNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The subject alternative names of the secrect." + } + }, + "useLatestVersion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Indicates whether to use the latest version of the secrect." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Cdn/profiles/secrets", + "apiVersion": "2023-05-01", + "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", + "properties": { + "parameters": "[if(equals(parameters('type'), 'CustomerCertificate'), createObject('type', parameters('type'), 'secretSource', createObject('id', parameters('secretSourceResourceId')), 'secretVersion', parameters('secretVersion'), 'subjectAlternativeNames', parameters('subjectAlternativeNames'), 'useLatestVersion', parameters('useLatestVersion')), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the secrect." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the secrect." + }, + "value": "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('profileName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the secret was created in." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/modules/cdn/profile/secret/version.json b/modules/cdn/profile/secret/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/cdn/profile/secret/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} 
From ae5d0ac570b86189681037a0ee9676a4220c6563 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 8 Oct 2023 11:26:17 +0000 Subject: [PATCH 006/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index f6233d4647..ff0c423784 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -30,7 +30,7 @@ This section provides an overview of the library's feature set. | 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 227 | | 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 240 | | 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 197 | -| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1, L2:1] | 111 | +| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:4] | 188 | | 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 282 | | 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | | 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 185 | @@ -148,7 +148,7 @@ This section provides an overview of the library's feature set. | 133 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | | 134 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | | 135 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 226 | 24237 | +| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24314 | ## Legend From 509fd0fc2f6aec1e08ed624df11c8d940bf9014f Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 8 Oct 2023 12:06:06 +0000 Subject: [PATCH 007/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 1294 ++++++++++++++++++++++--------- 1 file changed, 919 insertions(+), 375 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 0a2e19af63..34fc76b78b 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -8,7 +8,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "getMarketplaceSaaSResourceDetails": [ "2021-09-01", @@ -18,7 +19,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "locations": [ "2021-09-01", @@ -28,7 +30,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "locations/operationStatuses": [ "2021-09-01", @@ -38,7 +41,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "monitors": [ "2021-09-01", @@ -48,7 +52,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "monitors/singleSignOnConfigurations": [ "2021-09-01", 
@@ -58,7 +63,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "monitors/tagRules": [ "2021-09-01", @@ -68,7 +74,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "operations": [ "2021-09-01", @@ -78,7 +85,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ], "registeredSubscriptions": [ "2021-09-01", @@ -88,7 +96,8 @@ "2023-04-20-preview", "2023-04-27", "2023-08-14-preview", - "2023-08-22-preview" + "2023-08-22-preview", + "2023-09-12-preview" ] }, "GitHub.Network": { @@ -534,7 +543,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "checkNameAvailability": [ "2014-02-14", @@ -556,7 +566,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "checkServiceNameAvailability": [ "2014-02-14", @@ -572,7 +583,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "getDomainOwnershipIdentifier": [ "2020-12-01", @@ -583,7 +595,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "locations": [ "2020-06-01-preview", @@ -595,7 +608,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "locations/deletedServices": [ "2020-06-01-preview", @@ -607,7 +621,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "operations": [ "2014-02-14", 
@@ -629,7 +644,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "reportFeedback": [ "2014-02-14", @@ -651,7 +667,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service": [ "2014-02-14", @@ -673,7 +690,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/api-version-sets": [ "2017-03-01", @@ -1113,7 +1131,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/gateways": [ "2019-12-01", @@ -3980,7 +3999,8 @@ "2023-03-01", "2023-06-01", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01" ], "locations/operationstatuses": [ "2020-10-01", @@ -4001,7 +4021,9 @@ "2023-03-01", "2023-06-01", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01", + "2023-08-01-preview", + "2023-09-01" ], "marketplaceGalleryImages": [ "2021-09-01-preview", @@ -4035,7 +4057,8 @@ "2023-03-01", "2023-06-01", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01" ], "registeredSubscriptions": [ "2022-09-01", @@ -6836,14 +6859,22 @@ "2022-07-01-preview", "2022-10-01-preview", "2023-04-01-preview", - "2023-04-15-preview" + "2023-04-15-preview", + "2023-09-01-preview" + ], + "locations/operationResults": [ + "2023-09-01-preview" + ], + "locations/operationStatuses": [ + "2023-09-01-preview" ], "locations/targetTypes": [ "2021-09-15-preview", "2022-07-01-preview", "2022-10-01-preview", "2023-04-01-preview", - "2023-04-15-preview" + "2023-04-15-preview", + "2023-09-01-preview" ], "operations": [ "2021-07-01-preview", 
@@ -6853,7 +6884,8 @@ "2022-07-01-preview", "2022-10-01-preview", "2023-04-01-preview", - "2023-04-15-preview" + "2023-04-15-preview", + "2023-09-01-preview" ], "targets": [ "2021-09-15-preview", @@ -7279,6 +7311,17 @@ "2022-12-31-preview" ] }, + "Microsoft.CloudHealth": { + "Locations": [ + "2023-10-01-preview" + ], + "Locations/operationstatuses": [ + "2023-10-01-preview" + ], + "Operations": [ + "2023-10-01-preview" + ] + }, "Microsoft.CloudShell": { "operations": [ "2017-01-01-preview", @@ -11533,50 +11576,59 @@ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "grafana": [ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "grafana/managedPrivateEndpoints": [ - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "grafana/privateEndpointConnections": [ "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "grafana/privateLinkResources": [ "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "locations": [ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "locations/checkNameAvailability": [ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "locations/operationStatuses": [ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ], "operations": [ "2021-09-01-preview", "2022-05-01-preview", "2022-08-01", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-10-01-preview" ] }, "Microsoft.DatabaseWatcher": { 
@@ -14251,7 +14303,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters": [ "2022-08-01-preview", @@ -14261,7 +14315,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/attachednetworks": [ "2022-08-01-preview", @@ -14271,7 +14327,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/catalogs": [ "2022-08-01-preview", @@ -14281,17 +14339,25 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/catalogs/devboxdefinitions": [ "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/catalogs/environmentdefinitions": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/catalogs/tasks": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/devboxdefinitions": [ "2022-08-01-preview", @@ -14301,7 +14367,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/environmentTypes": [ "2022-08-01-preview", @@ -14311,7 +14379,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/galleries": [ "2022-08-01-preview", 
@@ -14321,7 +14391,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/galleries/images": [ "2022-08-01-preview", @@ -14331,7 +14403,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/galleries/images/versions": [ "2022-08-01-preview", @@ -14341,7 +14415,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "devcenters/images": [ "2022-08-01-preview", @@ -14351,7 +14427,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "Locations": [ "2022-08-01-preview", @@ -14361,7 +14439,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "Locations/OperationStatuses": [ "2022-08-01-preview", @@ -14371,12 +14451,16 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "Locations/usages": [ "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "networkConnections": [ "2022-08-01-preview", @@ -14386,7 +14470,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "networkconnections/healthchecks": [ "2022-08-01-preview", 
@@ -14396,13 +14482,17 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "networkconnections/outboundNetworkDependenciesEndpoints": [ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "operations": [ "2022-08-01-preview", @@ -14412,7 +14502,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects": [ "2022-08-01-preview", @@ -14422,7 +14514,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/allowedEnvironmentTypes": [ "2022-09-01-preview", @@ -14431,7 +14525,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/attachednetworks": [ "2022-08-01-preview", @@ -14441,7 +14537,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/devboxdefinitions": [ "2022-08-01-preview", @@ -14451,7 +14549,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/environmentTypes": [ "2022-08-01-preview", @@ -14461,7 +14561,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/pools": [ "2022-08-01-preview", 
@@ -14471,7 +14573,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ], "projects/pools/schedules": [ "2022-08-01-preview", @@ -14481,7 +14585,9 @@ "2023-01-01-preview", "2023-04-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview" ] }, "Microsoft.DevHub": { @@ -16893,6 +16999,13 @@ "2023-04-01-preview" ] }, + "Microsoft.EdgeMarketPlace": { + "operations": [ + "2023-04-01-preview", + "2023-06-01-preview", + "2023-08-01" + ] + }, "Microsoft.EdgeOrder": { "addresses": [ "2020-12-01-preview", @@ -17009,7 +17122,8 @@ "2023-07-01-preview" ], "getElasticOrganizationToAzureSubscriptionMapping": [ - "2023-06-15-preview" + "2023-06-15-preview", + "2023-07-01-preview" ], "getOrganizationApiKey": [ "2023-02-01-preview", @@ -17764,6 +17878,12 @@ "2017-04-01" ] }, + "Microsoft.Experimentation": { + "Operations": [ + "2021-11-01-preview", + "2023-09-30-preview" + ] + }, "Microsoft.ExtendedLocation": { "customLocations": [ "2021-03-15-preview", @@ -17992,9 +18112,23 @@ }, "Microsoft.HDInsight": { "clusterpools": [ + "2021-09-15-preview", "2023-06-01-preview" ], "clusterpools/clusters": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], + "clusterPools/clusters/instanceViews": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], + "clusterPools/clusters/jobs": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], + "clusterPools/clusters/serviceConfigs": [ + "2021-09-15-preview", "2023-06-01-preview" ], "clusters": [ @@ -18035,6 +18169,14 @@ "2021-06-01", "2023-04-15-preview" ], + "locations/availableClusterPoolVersions": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], + "locations/availableClusterVersions": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], "locations/azureasyncoperations": [ "2015-03-01-preview", "2018-06-01-preview", 
@@ -18059,6 +18201,10 @@ "2021-06-01", "2023-04-15-preview" ], + "locations/clusterOfferingVersions": [ + "2021-09-15-preview", + "2023-06-01-preview" + ], "locations/operationresults": [ "2015-03-01-preview", "2018-06-01-preview", @@ -18353,6 +18499,9 @@ "2023-06-01", "2023-09-01-preview" ], + "discoverSolutions": [ + "2023-08-01-preview" + ], "discoverySolutions": [ "2023-01-01-preview", "2023-06-01", @@ -20648,6 +20797,9 @@ ] }, "Microsoft.MachineLearningServices": { + "capacityReserverationGroups": [ + "2023-08-01-preview" + ], "locations": [ "2018-03-01-preview", "2018-11-19", @@ -20680,7 +20832,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/computeOperationsStatus": [ "2018-03-01-preview", @@ -20714,7 +20868,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/mfeOperationResults": [ "2020-12-01-preview", @@ -20729,7 +20885,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/mfeOperationsStatus": [ "2020-12-01-preview", @@ -20744,7 +20902,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/quotas": [ "2019-06-01", @@ -20775,7 +20935,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/registryOperationsStatus": [ "2022-05-01-privatepreview", @@ -20784,7 +20946,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/updatequotas": [ "2019-06-01", 
@@ -20815,7 +20979,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/usages": [ "2018-11-19", @@ -20848,7 +21014,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/vmsizes": [ "2018-11-19", @@ -20881,7 +21049,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "locations/workspaceOperationsStatus": [ "2018-03-01-preview", @@ -20917,7 +21087,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "operations": [ "2018-03-01-preview", @@ -20951,7 +21123,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries": [ "2022-05-01-privatepreview", @@ -20960,7 +21134,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/codes": [ "2022-10-01-preview", @@ -20968,7 +21144,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/codes/versions": [ "2022-10-01-preview", @@ -20976,7 +21154,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/components": [ "2022-10-01-preview", @@ -20984,7 +21164,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/components/versions": [ "2022-10-01-preview", 
@@ -20992,19 +21174,25 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/data": [ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/data/versions": [ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/environments": [ "2022-10-01-preview", @@ -21012,7 +21200,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/environments/versions": [ "2022-10-01-preview", @@ -21020,7 +21210,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/models": [ "2022-10-01-preview", @@ -21028,7 +21220,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "registries/models/versions": [ "2022-10-01-preview", @@ -21036,7 +21230,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces": [ "2018-03-01-preview", @@ -21071,7 +21267,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/batchEndpoints": [ "2021-03-01-preview", @@ -21085,7 +21283,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/batchEndpoints/deployments": [ "2021-03-01-preview", 
@@ -21099,7 +21299,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/codes": [ "2021-03-01-preview", @@ -21113,7 +21315,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/codes/versions": [ "2021-03-01-preview", @@ -21127,7 +21331,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/components": [ "2021-10-01", @@ -21140,7 +21346,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/components/versions": [ "2021-10-01", @@ -21153,7 +21361,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/computes": [ "2018-03-01-preview", @@ -21187,7 +21397,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/connections": [ "2020-06-01", @@ -21207,7 +21419,8 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "workspaces/data": [ "2021-03-01-preview", @@ -21220,7 +21433,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/data/versions": [ "2021-03-01-preview", @@ -21233,7 +21448,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/datasets": [ "2020-05-01-preview", 
@@ -21252,7 +21469,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/environments": [ "2021-03-01-preview", @@ -21266,7 +21485,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/environments/versions": [ "2021-03-01-preview", @@ -21280,7 +21501,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/eventGridFilters": [ "2018-03-01-preview", @@ -21312,27 +21535,46 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/featuresets": [ "2023-02-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/featuresets/versions": [ "2023-02-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/featurestoreEntities": [ "2023-02-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/featurestoreEntities/versions": [ "2023-02-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" + ], + "workspaces/inferencePools": [ + "2023-08-01-preview" + ], + "workspaces/inferencePools/endpoints": [ + "2023-08-01-preview" + ], + "workspaces/inferencePools/groups": [ + "2023-08-01-preview" ], "workspaces/jobs": [ "2021-03-01-preview", @@ -21346,7 +21588,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/labelingJobs": [ "2020-09-01-preview", 
@@ -21356,7 +21600,8 @@ "2022-12-01-preview", "2023-02-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "workspaces/linkedServices": [ "2020-04-01-preview", @@ -21380,7 +21625,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/models/versions": [ "2021-03-01-preview", @@ -21394,7 +21641,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/onlineEndpoints": [ "2020-12-01-preview", @@ -21409,7 +21658,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/onlineEndpoints/deployments": [ "2020-12-01-preview", @@ -21424,7 +21675,9 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/onlineEndpoints/deployments/skus": [ "2020-12-01-preview", @@ -21439,11 +21692,14 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" ], "workspaces/outboundRules": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "workspaces/privateEndpointConnections": [ "2020-01-01", @@ -21470,7 +21726,8 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "workspaces/schedules": [ "2022-06-01-preview", @@ -21480,7 +21737,12 @@ "2023-02-01-preview", "2023-04-01", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview", + "2023-10-01" + ], + "workspaces/serverlessEndpoints": [ + "2023-08-01-preview" ], "workspaces/services": [ "2020-05-01-preview", 
@@ -31934,7 +32196,8 @@ "2022-10-01", "2022-10-01-preview", "2023-07-01-preview", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ], "childAvailabilityStatuses": [ "2015-01-01-preview", @@ -31952,7 +32215,8 @@ "2022-10-01", "2023-07-01-beta", "2023-07-01-preview", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ], "childResources": [ "2015-01-01-preview", @@ -31968,7 +32232,8 @@ "2018-08-01-rc", "2018-11-06-beta", "2022-10-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "emergingissues": [ "2017-07-01-beta", @@ -31986,7 +32251,8 @@ "2023-07-01-alpha", "2023-07-01-beta", "2023-07-01-preview", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ], "events": [ "2018-07-01", @@ -31996,7 +32262,8 @@ "2022-05-01-rc", "2022-10-01", "2022-10-01-rc", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ], "metadata": [ "2018-07-01", @@ -32012,7 +32279,8 @@ "2023-07-01-alpha", "2023-07-01-beta", "2023-07-01-preview", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ], "operations": [ "2015-01-01", @@ -32033,7 +32301,8 @@ "2023-07-01-alpha", "2023-07-01-beta", "2023-07-01-preview", - "2023-07-01-rc" + "2023-07-01-rc", + "2023-10-01-preview" ] }, "Microsoft.ResourceNotifications": { @@ -33532,7 +33801,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "automationRules": [ "2019-01-01-preview", @@ -33565,7 +33835,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "bookmarks": [ "2019-01-01-preview", @@ -33641,7 +33912,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "contentPackages": [ "2022-11-01-preview", 
@@ -33660,14 +33932,16 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "contentProductTemplates": [ "2023-04-01-preview", "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "contentTemplates": [ "2022-11-01-preview", @@ -33744,7 +34018,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "dynamicSummaries": [ "2023-03-01-preview", @@ -33752,7 +34027,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "enrichment": [ "2019-01-01-preview", @@ -33774,7 +34050,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "entities": [ "2019-01-01-preview", @@ -33796,7 +34073,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "entityQueries": [ "2019-01-01-preview", @@ -33843,7 +34121,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "exportConnections": [ "2023-03-01-preview", @@ -33851,7 +34130,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "fileImports": [ "2022-08-01-preview", @@ -33903,7 +34183,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "incidents": [ "2019-01-01-preview", 
@@ -34025,7 +34306,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "metadata": [ "2021-03-01-preview", @@ -34068,7 +34350,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "officeConsents": [ "2019-01-01-preview", @@ -34090,7 +34373,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "onboardingStates": [ "2021-03-01-preview", @@ -34146,7 +34430,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "overview": [ "2022-09-01-preview", @@ -34159,7 +34444,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "recommendations": [ "2022-11-01-preview", @@ -34170,7 +34456,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "securityMLAnalyticsSettings": [ "2022-05-01-preview", @@ -34264,7 +34551,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "threatIntelligence/indicators": [ "2019-01-01-preview", @@ -34301,7 +34589,8 @@ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "watchlists": [ "2019-01-01-preview", @@ -34803,7 +35092,8 @@ "2022-10-01-preview", "2023-02-01-preview", "2023-03-01-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations/managedClusterOperationResults": [ "2020-01-01-preview", 
@@ -34818,7 +35108,8 @@ "2022-10-01-preview", "2023-02-01-preview", "2023-03-01-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations/managedClusterOperations": [ "2020-01-01-preview", @@ -34833,7 +35124,8 @@ "2022-10-01-preview", "2023-02-01-preview", "2023-03-01-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations/managedClusterVersions": [ "2020-01-01-preview", @@ -34848,7 +35140,8 @@ "2022-10-01-preview", "2023-02-01-preview", "2023-03-01-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations/managedUnsupportedVMSizes": [ "2020-01-01-preview", @@ -34863,7 +35156,8 @@ "2022-10-01-preview", "2023-02-01-preview", "2023-03-01-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations/operationResults": [ "2016-03-01", @@ -35584,6 +35878,26 @@ "2021-07-01" ] }, + "Microsoft.Sovereign": { + "checkNameAvailability": [ + "2023-09-28-preview" + ], + "landingZoneConfigurations": [ + "2023-09-28-preview" + ], + "landingZoneRegistrations": [ + "2023-09-28-preview" + ], + "Locations": [ + "2023-09-28-preview" + ], + "Locations/OperationStatuses": [ + "2023-09-28-preview" + ], + "Operations": [ + "2023-09-28-preview" + ] + }, "Microsoft.Sql": { "checkNameAvailability": [ "2014-01-01", @@ -35606,7 +35920,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "instancePools": [ "2018-06-01-preview", @@ -35623,7 +35938,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations": [ "2014-01-01", @@ -35647,7 +35963,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/administratorOperationResults": [ "2017-03-01-preview", 
@@ -35666,7 +35983,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/advancedThreatProtectionAzureAsyncOperation": [ "2021-11-01", @@ -35675,7 +35993,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/advancedThreatProtectionOperationResults": [ "2021-11-01", @@ -35684,7 +36003,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/auditingSettingsAzureAsyncOperation": [ "2017-03-01-preview", @@ -35703,7 +36023,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/auditingSettingsOperationResults": [ "2017-03-01-preview", @@ -35722,7 +36043,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/capabilities": [ "2014-01-01", @@ -35767,7 +36089,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/connectionPoliciesOperationResults": [ "2015-05-01-preview", @@ -35787,7 +36110,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseAzureAsyncOperation": [ "2017-03-01-preview", @@ -35806,7 +36130,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseEncryptionProtectorRevalidateAzureAsyncOperation": [ "2021-11-01", 
@@ -35815,7 +36140,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseEncryptionProtectorRevalidateOperationResults": [ "2021-11-01", @@ -35824,21 +36150,24 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseEncryptionProtectorRevertAzureAsyncOperation": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseEncryptionProtectorRevertOperationResults": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseOperationResults": [ "2017-03-01-preview", @@ -35857,7 +36186,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/databaseRestoreAzureAsyncOperation": [ "2017-03-01-preview", @@ -35876,7 +36206,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/deleteVirtualNetworkOrSubnets": [ "2015-05-01", @@ -35897,7 +36228,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/deleteVirtualNetworkOrSubnetsAzureAsyncOperation": [ "2015-05-01", @@ -35918,7 +36250,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/deleteVirtualNetworkOrSubnetsOperationResults": [ "2015-05-01", 
@@ -35939,7 +36272,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/devOpsAuditingSettingsAzureAsyncOperation": [ "2020-02-02-preview", @@ -35954,7 +36288,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/devOpsAuditingSettingsOperationResults": [ "2020-02-02-preview", @@ -35969,7 +36304,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/distributedAvailabilityGroupsAzureAsyncOperation": [ "2021-05-01-preview", @@ -35980,7 +36316,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/distributedAvailabilityGroupsOperationResults": [ "2021-05-01-preview", @@ -35991,7 +36328,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/dnsAliasAsyncOperation": [ "2017-03-01-preview", @@ -36010,7 +36348,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/dnsAliasOperationResults": [ "2017-03-01-preview", @@ -36029,7 +36368,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/elasticPoolAzureAsyncOperation": [ "2015-05-01", @@ -36050,7 +36390,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/elasticPoolOperationResults": [ "2015-05-01", 
@@ -36071,7 +36412,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/encryptionProtectorAzureAsyncOperation": [ "2015-05-01-preview", @@ -36091,7 +36433,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/encryptionProtectorOperationResults": [ "2015-05-01-preview", @@ -36111,7 +36454,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/extendedAuditingSettingsAzureAsyncOperation": [ "2017-03-01-preview", @@ -36130,7 +36474,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/extendedAuditingSettingsOperationResults": [ "2017-03-01-preview", @@ -36149,7 +36494,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/externalPolicyBasedAuthorizationsAzureAsycOperation": [ "2021-11-01", @@ -36158,7 +36504,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/externalPolicyBasedAuthorizationsOperationResults": [ "2021-11-01", @@ -36167,7 +36514,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/failoverGroupAzureAsyncOperation": [ "2015-05-01-preview", @@ -36227,7 +36575,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/firewallRulesOperationResults": [ "2015-05-01-preview", 
@@ -36247,7 +36596,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/importExportAzureAsyncOperation": [ "2020-02-02-preview", @@ -36263,7 +36613,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/importExportOperationResults": [ "2020-02-02-preview", @@ -36279,7 +36630,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/instanceFailoverGroupAzureAsyncOperation": [ "2017-10-01-preview", @@ -36297,7 +36649,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/instanceFailoverGroupOperationResults": [ "2017-10-01-preview", @@ -36315,7 +36668,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/instanceFailoverGroups": [ "2017-10-01-preview", @@ -36333,7 +36687,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/instancePoolAzureAsyncOperation": [ "2018-06-01-preview", @@ -36350,7 +36705,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/instancePoolOperationResults": [ "2018-06-01-preview", @@ -36367,7 +36723,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/ipv6FirewallRulesAzureAsyncOperation": [ "2021-11-01", 
@@ -36376,7 +36733,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/ipv6FirewallRulesOperationResults": [ "2021-11-01", @@ -36385,7 +36743,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/jobAgentAzureAsyncOperation": [ "2017-03-01-preview", @@ -36443,7 +36802,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/ledgerDigestUploadsOperationResults": [ "2021-02-01-preview", @@ -36455,7 +36815,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionBackupAzureAsyncOperation": [ "2017-03-01-preview", @@ -36474,7 +36835,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionBackupOperationResults": [ "2017-03-01-preview", @@ -36493,7 +36855,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionBackups": [ "2017-03-01-preview", @@ -36512,7 +36875,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionManagedInstanceBackupAzureAsyncOperation": [ "2018-06-01-preview", @@ -36529,7 +36893,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionManagedInstanceBackupOperationResults": [ "2018-06-01-preview", 
@@ -36546,7 +36911,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionManagedInstanceBackups": [ "2018-06-01-preview", @@ -36563,7 +36929,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionManagedInstances": [ "2018-06-01-preview", @@ -36580,7 +36947,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionPolicyAzureAsyncOperation": [ "2017-03-01-preview", @@ -36599,7 +36967,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionPolicyOperationResults": [ "2017-03-01-preview", @@ -36618,7 +36987,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/longTermRetentionServers": [ "2017-03-01-preview", @@ -36637,7 +37007,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseAzureAsyncOperation": [ "2017-03-01-preview", @@ -36656,7 +37027,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseCompleteRestoreAzureAsyncOperation": [ "2018-06-01-preview", @@ -36673,7 +37045,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseCompleteRestoreOperationResults": [ "2018-06-01-preview", 
@@ -36690,7 +37063,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseMoveAzureAsyncOperation": [ "2021-02-01-preview", @@ -36702,7 +37076,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseMoveOperationResults": [ "2021-02-01-preview", @@ -36714,7 +37089,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseOperationResults": [ "2017-03-01-preview", @@ -36733,7 +37109,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseRestoreAzureAsyncOperation": [ "2017-03-01-preview", @@ -36752,7 +37129,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDatabaseRestoreOperationResults": [ "2017-03-01-preview", @@ -36771,7 +37149,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDnsAliasAsyncOperation": [ "2021-11-01", @@ -36780,7 +37159,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedDnsAliasOperationResults": [ "2021-11-01", 
@@ -36789,21 +37169,24 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceAdvancedThreatProtectionAzureAsyncOperation": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceAdvancedThreatProtectionOperationResults": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceAzureAsyncOperation": [ "2015-05-01-preview", @@ -36823,14 +37206,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceDtcAzureAsyncOperation": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceEncryptionProtectorAzureAsyncOperation": [ "2017-10-01-preview", @@ -36848,7 +37233,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceEncryptionProtectorOperationResults": [ "2017-10-01-preview", @@ -36866,7 +37252,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceKeyAzureAsyncOperation": [ "2017-10-01-preview", @@ -36884,7 +37271,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceKeyOperationResults": [ "2017-10-01-preview", 
@@ -36902,7 +37290,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceLongTermRetentionPolicyAzureAsyncOperation": [ "2018-06-01-preview", @@ -36919,7 +37308,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceLongTermRetentionPolicyOperationResults": [ "2018-06-01-preview", @@ -36936,7 +37326,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceOperationResults": [ "2015-05-01-preview", @@ -36956,7 +37347,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstancePrivateEndpointConnectionAzureAsyncOperation": [ "2019-06-01-preview", @@ -36972,7 +37364,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstancePrivateEndpointConnectionOperationResults": [ "2019-06-01-preview", @@ -36988,7 +37381,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstancePrivateEndpointConnectionProxyAzureAsyncOperation": [ "2019-06-01-preview", @@ -37004,7 +37398,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstancePrivateEndpointConnectionProxyOperationResults": [ "2019-06-01-preview", 
@@ -37020,7 +37415,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceTdeCertAzureAsyncOperation": [ "2017-10-01-preview", @@ -37038,7 +37434,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedInstanceTdeCertOperationResults": [ "2017-10-01-preview", @@ -37056,17 +37453,20 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedLedgerDigestUploadsAzureAsyncOperation": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedLedgerDigestUploadsOperationResults": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedServerSecurityAlertPoliciesAzureAsyncOperation": [ "2017-03-01-preview", @@ -37085,7 +37485,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedServerSecurityAlertPoliciesOperationResults": [ "2017-03-01-preview", @@ -37104,7 +37505,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedShortTermRetentionPolicyAzureAsyncOperation": [ "2017-03-01-preview", @@ -37123,7 +37525,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedShortTermRetentionPolicyOperationResults": [ "2017-03-01-preview", 
@@ -37142,7 +37545,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedtransparentDataEncryptionAzureAsyncOperation": [ "2019-06-01-preview", @@ -37158,7 +37562,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/managedtransparentDataEncryptionOperationResults": [ "2019-06-01-preview", @@ -37174,7 +37579,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/notifyAzureAsyncOperation": [ "2015-05-01-preview", @@ -37194,7 +37600,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2021-02-01-preview", @@ -37206,7 +37613,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/outboundFirewallRulesAzureAsyncOperation": [ "2021-02-01-preview", @@ -37218,7 +37626,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/outboundFirewallRulesOperationResults": [ "2021-02-01-preview", @@ -37230,7 +37639,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/privateEndpointConnectionAzureAsyncOperation": [ "2018-06-01-preview", @@ -37247,7 +37657,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/privateEndpointConnectionOperationResults": [ "2018-06-01-preview", 
@@ -37264,7 +37675,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/privateEndpointConnectionProxyAzureAsyncOperation": [ "2018-06-01-preview", @@ -37281,7 +37693,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/privateEndpointConnectionProxyOperationResults": [ "2018-06-01-preview", @@ -37298,23 +37711,28 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/refreshExternalGovernanceStatusAzureAsyncOperation": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/refreshExternalGovernanceStatusMIAzureAsyncOperation": [ - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/refreshExternalGovernanceStatusMIOperationResults": [ - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/refreshExternalGovernanceStatusOperationResults": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/replicationLinksAzureAsyncOperation": [ "2015-05-01-preview", @@ -37334,7 +37752,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/replicationLinksOperationResults": [ "2015-05-01-preview", @@ -37354,7 +37773,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/securityAlertPoliciesAzureAsyncOperation": [ "2017-03-01-preview", 
@@ -37373,7 +37793,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/securityAlertPoliciesOperationResults": [ "2017-03-01-preview", @@ -37392,7 +37813,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverAdministratorAzureAsyncOperation": [ "2018-06-01-preview", @@ -37409,7 +37831,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverAdministratorOperationResults": [ "2018-06-01-preview", @@ -37426,7 +37849,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverAzureAsyncOperation": [ "2015-05-01-preview", @@ -37446,12 +37870,14 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverConfigurationOptionAzureAsyncOperation": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverKeyAzureAsyncOperation": [ "2015-05-01-preview", @@ -37471,7 +37897,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverKeyOperationResults": [ "2015-05-01-preview", @@ -37491,7 +37918,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverOperationResults": [ "2015-05-01-preview", 
@@ -37511,7 +37939,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverTrustCertificatesAzureAsyncOperation": [ "2021-05-01-preview", @@ -37522,7 +37951,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverTrustCertificatesOperationResults": [ "2021-05-01-preview", @@ -37533,7 +37963,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverTrustGroupAzureAsyncOperation": [ "2020-02-02-preview", @@ -37548,7 +37979,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverTrustGroupOperationResults": [ "2020-02-02-preview", @@ -37563,7 +37995,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/serverTrustGroups": [ "2020-02-02-preview", @@ -37578,7 +38011,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/shortTermRetentionPolicyAzureAsyncOperation": [ "2017-10-01-preview", @@ -37596,7 +38030,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/shortTermRetentionPolicyOperationResults": [ "2017-10-01-preview", 
@@ -37614,21 +38049,24 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/sqlVulnerabilityAssessmentAzureAsyncOperation": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/sqlVulnerabilityAssessmentOperationResults": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/startManagedInstanceAzureAsyncOperation": [ "2021-05-01-preview", @@ -37639,7 +38077,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/startManagedInstanceOperationResults": [ "2021-05-01-preview", @@ -37650,7 +38089,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/stopManagedInstanceAzureAsyncOperation": [ "2021-05-01-preview", @@ -37661,7 +38101,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/stopManagedInstanceOperationResults": [ "2021-05-01-preview", @@ -37672,7 +38113,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/syncAgentOperationResults": [ "2015-05-01-preview", @@ -37692,7 +38134,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/syncDatabaseIds": [ "2015-05-01-preview", 
@@ -37712,7 +38155,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/syncGroupAzureAsyncOperation": [ "2015-05-01-preview", @@ -37732,7 +38176,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/syncGroupOperationResults": [ "2015-05-01-preview", @@ -37752,7 +38197,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/syncMemberOperationResults": [ "2015-05-01-preview", @@ -37772,7 +38218,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/tdeCertAzureAsyncOperation": [ "2017-10-01-preview", @@ -37790,7 +38237,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/tdeCertOperationResults": [ "2017-10-01-preview", @@ -37808,7 +38256,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/transparentDataEncryptionAzureAsyncOperation": [ "2019-06-01-preview", @@ -37824,7 +38273,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/transparentDataEncryptionOperationResults": [ "2019-06-01-preview", 
@@ -37840,19 +38290,22 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/updateManagedInstanceDnsServersAzureAsyncOperation": [ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/updateManagedInstanceDnsServersOperationResults": [ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/usages": [ "2014-04-01-preview", @@ -37874,7 +38327,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/virtualClusterAzureAsyncOperation": [ "2015-05-01-preview", @@ -37894,7 +38348,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/virtualClusterOperationResults": [ "2015-05-01-preview", @@ -37914,7 +38369,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/virtualNetworkRulesAzureAsyncOperation": [ "2015-05-01", @@ -37935,7 +38391,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/virtualNetworkRulesOperationResults": [ "2015-05-01", @@ -37956,7 +38413,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/vulnerabilityAssessmentScanAzureAsyncOperation": [ "2017-10-01-preview", 
@@ -37974,7 +38432,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/vulnerabilityAssessmentScanOperationResults": [ "2017-10-01-preview", @@ -37992,7 +38451,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances": [ "2015-05-01-preview", @@ -38012,7 +38472,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/administrators": [ "2017-03-01-preview", @@ -38031,14 +38492,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/advancedThreatProtectionSettings": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/azureADOnlyAuthentications": [ "2020-02-02-preview", @@ -38072,14 +38535,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/advancedThreatProtectionSettings": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/backupLongTermRetentionPolicies": [ "2018-06-01-preview", @@ -38096,7 +38561,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/backupShortTermRetentionPolicies": [ "2017-03-01-preview", 
@@ -38117,7 +38583,8 @@ "managedInstances/databases/ledgerDigestUploads": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/schemas/tables/columns/sensitivityLabels": [ "2018-06-01-preview", @@ -38183,7 +38650,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/vulnerabilityAssessments/rules/baselines": [ "2017-10-01-preview", @@ -38219,7 +38687,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/dtc": [ "2022-02-01-preview", @@ -38277,7 +38746,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/metrics": [ "2017-03-01-preview", @@ -38296,7 +38766,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/privateEndpointConnections": [ "2020-02-02-preview", @@ -38329,7 +38800,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/restorableDroppedDatabases/backupShortTermRetentionPolicies": [ "2017-03-01-preview", @@ -38395,7 +38867,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/startStopSchedules": [ "2021-05-01-preview", @@ -38406,7 +38879,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/tdeCertificates": [ "2017-10-01-preview", 
@@ -38424,7 +38898,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/vulnerabilityAssessments": [ "2018-06-01-preview", @@ -38441,7 +38916,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "operations": [ "2014-01-01", @@ -38465,7 +38941,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers": [ "2014-01-01", @@ -38488,7 +38965,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/administratorOperationResults": [ "2014-01-01", @@ -38513,7 +38991,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/advancedThreatProtectionSettings": [ "2021-11-01", @@ -38522,7 +39001,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/advisors": [ "2014-01-01", @@ -38545,7 +39025,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/aggregatedDatabaseMetrics": [ "2014-01-01", @@ -38573,7 +39054,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/automaticTuning": [ "2017-03-01-preview", @@ -38592,7 +39074,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/azureADOnlyAuthentications": [ "2020-02-02-preview", 
@@ -38635,7 +39118,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases": [ "2014-01-01", @@ -38659,7 +39143,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/advancedThreatProtectionSettings": [ "2021-11-01", @@ -38668,7 +39153,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/advisors": [ "2014-01-01", @@ -38691,7 +39177,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/auditingPolicies": [ "2014-04-01" @@ -38714,7 +39201,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/auditRecords": [ "2015-05-01-preview", @@ -38734,7 +39222,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/automaticTuning": [ "2015-05-01-preview", @@ -38754,7 +39243,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/backupLongTermRetentionPolicies": [ "2017-03-01-preview", @@ -38773,7 +39263,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/backupShortTermRetentionPolicies": [ "2017-10-01-preview", 
@@ -38791,7 +39282,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/connectionPolicies": [ "2014-04-01" @@ -38817,7 +39309,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/dataMaskingPolicies/rules": [ "2014-01-01", @@ -38840,7 +39333,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/extendedAuditingSettings": [ "2017-03-01-preview", @@ -38896,7 +39390,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/ledgerDigestUploads": [ "2021-02-01-preview", @@ -38908,7 +39403,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/maintenanceWindows": [ "2020-02-02-preview", @@ -38952,7 +39448,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/schemas/tables/columns/sensitivityLabels": [ "2017-03-01-preview", @@ -38988,14 +39485,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/sqlvulnerabilityassessments": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/sqlVulnerabilityAssessments/baselines": [ "2022-02-01-preview", 
@@ -39029,7 +39528,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/syncGroups/syncMembers": [ "2015-05-01-preview", @@ -39049,7 +39549,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/topQueries": [ "2014-01-01", @@ -39079,7 +39580,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/VulnerabilityAssessment": [ "2017-03-01-preview", @@ -39095,7 +39597,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/vulnerabilityAssessments": [ "2017-03-01-preview", @@ -39114,7 +39617,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/vulnerabilityAssessments/rules/baselines": [ "2017-03-01-preview", @@ -39150,7 +39654,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/VulnerabilityAssessmentSettings": [ "2015-05-01-preview", @@ -39170,7 +39675,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/workloadGroups": [ "2019-06-01-preview", @@ -39186,7 +39692,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/workloadGroups/workloadClassifiers": [ "2019-06-01-preview", 
@@ -39222,7 +39729,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/disasterRecoveryConfiguration": [ "2014-01-01", @@ -39246,7 +39754,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/elasticPoolEstimates": [ "2015-05-01-preview", @@ -39266,7 +39775,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/elasticPools": [ "2014-01-01", @@ -39291,7 +39801,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/elasticPools/advisors": [ "2015-05-01-preview", @@ -39311,7 +39822,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/elasticpools/metricdefinitions": [ "2014-01-01", @@ -39341,7 +39853,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/extendedAuditingSettings": [ "2017-03-01-preview", @@ -39360,7 +39873,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/failoverGroups": [ "2015-05-01-preview", @@ -39419,7 +39933,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/importExportOperationResults": [ "2014-01-01", @@ -39572,7 +40087,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/operationResults": [ "2014-01-01", 
@@ -39633,7 +40149,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/restorableDroppedDatabases": [ "2014-01-01", @@ -39648,7 +40165,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/securityAlertPolicies": [ "2015-05-01-preview", @@ -39668,7 +40186,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/serviceObjectives": [ "2014-01-01", @@ -39680,7 +40199,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/sqlVulnerabilityAssessments/baselines": [ "2022-02-01-preview", @@ -39714,7 +40234,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/tdeCertificates": [ "2017-10-01-preview", @@ -39732,7 +40253,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/usages": [ "2014-01-01", @@ -39755,7 +40277,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/virtualNetworkRules": [ "2015-05-01-preview", @@ -39775,7 +40298,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/vulnerabilityAssessments": [ "2018-06-01-preview", @@ -39792,7 +40316,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "virtualClusters": [ "2015-05-01-preview", 
@@ -39812,7 +40337,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ] }, "Microsoft.SqlVirtualMachine": { @@ -40626,17 +41152,20 @@ "locations": [ "2022-07-01-preview", "2023-03-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01" ], "locations/operationStatuses": [ "2022-07-01-preview", "2023-03-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01" ], "operations": [ "2022-07-01-preview", "2023-03-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01" ], "storageMovers": [ "2022-07-01-preview", @@ -40671,7 +41200,8 @@ "storageMovers/projects/jobDefinitions/jobRuns": [ "2022-07-01-preview", "2023-03-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01" ] }, "Microsoft.StoragePool": { @@ -41126,22 +41656,27 @@ "checkNameAvailability": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "fileWorkspaces": [ - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "fileWorkspaces/files": [ - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "lookUpResourceId": [ "2021-06-01-preview", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "operationresults": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "operations": [ "2015-03-01", 
@@ -41149,32 +41684,38 @@ "2019-05-01-preview", "2020-04-01", "2021-06-01-preview", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "operationsstatus": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "services": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "services/problemclassifications": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "supportTickets": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ], "supportTickets/communications": [ "2019-05-01-preview", "2020-04-01", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-06-01-preview" ] }, "Microsoft.Synapse": { @@ -42157,17 +42698,20 @@ "locations": [ "2023-01-31", "2023-04-03", - "2023-07-13-preview" + "2023-07-13-preview", + "2023-09-01" ], "locations/checkNameAvailability": [ "2023-01-31", "2023-04-03", - "2023-07-13-preview" + "2023-07-13-preview", + "2023-09-01" ], "Operations": [ "2023-01-31", "2023-04-03", - "2023-07-13-preview" + "2023-07-13-preview", + "2023-09-01" ] }, "Microsoft.VSOnline": { From 29293497fcdd069fc8e82ea49fca589bdc37d8a6 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 10 Oct 2023 06:52:40 +1100 Subject: [PATCH 008/178] [Modules] Uplift the Event Hub Module API Version, add support for Retention and additional test cases (#4065) --- .../.bicep/nested_roleAssignments.bicep | 2 +- .../namespace/.test/common/main.test.bicep | 15 +++- .../namespace/.test/pe/main.test.bicep | 3 + modules/event-hub/namespace/README.md | 70 +++++++++++++-- .../namespace/authorization-rule/README.md | 2 +- .../namespace/authorization-rule/main.bicep | 4 +- .../namespace/authorization-rule/main.json | 6 +- .../disaster-recovery-config/README.md | 2 +- .../disaster-recovery-config/main.bicep | 4 +- .../disaster-recovery-config/main.json | 6 +- .../.bicep/nested_roleAssignments.bicep | 2 +- .../event-hub/namespace/eventhub/README.md | 11 ++- .../eventhub/authorization-rule/README.md | 2 +- .../eventhub/authorization-rule/main.bicep | 6 +- .../eventhub/authorization-rule/main.json | 6 +- .../eventhub/consumergroup/README.md | 2 +- .../eventhub/consumergroup/main.bicep | 6 +- .../eventhub/consumergroup/main.json | 6 +- .../event-hub/namespace/eventhub/main.bicep | 38 ++++++-- .../event-hub/namespace/eventhub/main.json | 69 +++++++++++---- modules/event-hub/namespace/main.bicep | 9 +- modules/event-hub/namespace/main.json | 86 +++++++++++++------ .../namespace/network-rule-set/README.md | 2 +- .../namespace/network-rule-set/main.bicep | 4 +- .../namespace/network-rule-set/main.json | 6 +- 25 files changed, 265 insertions(+), 104 deletions(-) diff --git a/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep b/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep index ce3d1715c5..43c8aaffa3 100644 --- a/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep +++ b/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep 
@@ -54,7 +54,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: last(split(resourceId, '/'))! } diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index acaefc8e5c..171a1bad4f 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep @@ -65,7 +65,9 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - + zoneRedundant: true + skuName: 'Standard' + skuCapacity: 2 authorizationRules: [ { name: 'RootManageSharedAccessKey' @@ -146,6 +148,13 @@ module testDeployment '../../main.bicep' = { } ] status: 'Active' + retentionDescriptionCleanupPolicy: 'Delete' + retentionDescriptionRetentionTimeInHours: 3 + } + { + name: '${namePrefix}-az-evh-x-003' + retentionDescriptionCleanupPolicy: 'Compact' + retentionDescriptionTombstoneRetentionTimeInHours: 24 } ] lock: 'CanNotDelete' @@ -201,5 +210,9 @@ module testDeployment '../../main.bicep' = { } kafkaEnabled: true disableLocalAuth: true + isAutoInflateEnabled: true + minimumTlsVersion: '1.2' + maximumThroughputUnits: 4 + publicNetworkAccess: 'Disabled' } } diff --git a/modules/event-hub/namespace/.test/pe/main.test.bicep b/modules/event-hub/namespace/.test/pe/main.test.bicep index 35f8a4c0e5..a335175c6e 100644 --- a/modules/event-hub/namespace/.test/pe/main.test.bicep +++ b/modules/event-hub/namespace/.test/pe/main.test.bicep 
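Review bot: The new `publicNetworkAccess: 'Disabled'` in the last hunk of the common main.test.bicep case sits on the same namespace that this test also configures with a deny-by-default network rule set (the README example generated from it shows `networkRuleSets` with `defaultAction: 'Deny'` plus `ipRules`), so with the public endpoint closed the IP/VNet rule path is presumably no longer what is being exercised by this case. If the intent is to validate both locked-down models, consider keeping this case on the rule-set model and moving `publicNetworkAccess: 'Disabled'` to the pe case, where private endpoints are the only intended ingress. Either way, a short comment next to the property would prevent a later reader from assuming the IP rules are still load-bearing, e.g. `// Public endpoint closed; the networkRuleSets above only matter when public access is enabled`. The `minimumTlsVersion: '1.2'` pin is a good addition; the parameter's default in main.bicep is outside this diff, so I could not confirm whether the module already defaults to 1.2. The enclosing `params` object starts and ends outside these hunks.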
@@ -49,6 +49,9 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
+ skuName: 'Premium'
+ skuCapacity: 2
+ zoneRedundant: true
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index 5f014b5f27..672ff83305 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
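Review bot: The pe test case gains the Premium SKU and zone redundancy but still does not set `publicNetworkAccess` or `minimumTlsVersion`, so whatever the module defaults are is what the private-endpoint scenario deploys, and that is exactly the case where the public endpoint should be closed. Consider adding `publicNetworkAccess: 'Disabled'` and `minimumTlsVersion: '1.2'` next to the new SKU lines so this case validates the private-only configuration the README in this same commit shows for the common example. The enclosing `params` object continues past the end of the hunk.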
@@ -16,13 +16,13 @@ This module deploys an Event Hub Namespace. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventHub/namespaces` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces) | -| `Microsoft.EventHub/namespaces/authorizationRules` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/authorizationRules) | -| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/disasterRecoveryConfigs) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/consumergroups) | -| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/networkRuleSets) | +| `Microsoft.EventHub/namespaces` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces) | +| `Microsoft.EventHub/namespaces/authorizationRules` | 
[2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/authorizationRules) | +| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | +| `Microsoft.EventHub/namespaces/eventhubs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/networkRuleSets) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -60,7 +60,7 @@ This module deploys an Event Hub Namespace. | `disasterRecoveryConfig` | _[disasterRecoveryConfig](disaster-recovery-config/README.md)_ object | `{object}` | | The disaster recovery config for this namespace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `eventhubs` | array | `[]` | | The event hubs to deploy into this namespace. | -| `isAutoInflateEnabled` | bool | `False` | | Switch to enable the Auto Inflate feature of Event Hub. | +| `isAutoInflateEnabled` | bool | `False` | | Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. | | `kafkaEnabled` | bool | `False` | | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | @@ -422,6 +422,8 @@ module namespace './event-hub/namespace/main.bicep' = { messageRetentionInDays: 1 name: 'az-evh-x-002' partitionCount: 2 + retentionDescriptionCleanupPolicy: 'Delete' + retentionDescriptionRetentionTimeInHours: 3 roleAssignments: [ { principalIds: [ @@ -433,9 +435,17 @@ module namespace './event-hub/namespace/main.bicep' = { ] status: 'Active' } + { + name: 'az-evh-x-003' + retentionDescriptionCleanupPolicy: 'Compact' + retentionDescriptionTombstoneRetentionTimeInHours: 24 + } ] + isAutoInflateEnabled: true kafkaEnabled: true lock: 'CanNotDelete' + maximumThroughputUnits: 4 + minimumTlsVersion: '1.2' networkRuleSets: { defaultAction: 'Deny' ipRules: [ @@ -468,6 +478,7 @@ module namespace './event-hub/namespace/main.bicep' = { } } ] + publicNetworkAccess: 'Disabled' roleAssignments: [ { principalIds: [ 
@@ -477,6 +488,8 @@ module namespace './event-hub/namespace/main.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + skuCapacity: 2 + skuName: 'Standard' systemAssignedIdentity: true tags: { Environment: 'Non-Prod' @@ -486,6 +499,7 @@ module namespace './event-hub/namespace/main.bicep' = { userAssignedIdentities: { '': {} } + zoneRedundant: true } } ``` @@ -594,6 +608,8 @@ module namespace './event-hub/namespace/main.bicep' = { "messageRetentionInDays": 1, "name": "az-evh-x-002", "partitionCount": 2, + "retentionDescriptionCleanupPolicy": "Delete", + "retentionDescriptionRetentionTimeInHours": 3, "roleAssignments": [ { "principalIds": [ @@ -604,15 +620,29 @@ module namespace './event-hub/namespace/main.bicep' = { } ], "status": "Active" + }, + { + "name": "az-evh-x-003", + "retentionDescriptionCleanupPolicy": "Compact", + "retentionDescriptionTombstoneRetentionTimeInHours": 24 } ] }, + "isAutoInflateEnabled": { + "value": true + }, "kafkaEnabled": { "value": true }, "lock": { "value": "CanNotDelete" }, + "maximumThroughputUnits": { + "value": 4 + }, + "minimumTlsVersion": { + "value": "1.2" + }, "networkRuleSets": { "value": { "defaultAction": "Deny", @@ -649,6 +679,9 @@ module namespace './event-hub/namespace/main.bicep' = { } ] }, + "publicNetworkAccess": { + "value": "Disabled" + }, "roleAssignments": { "value": [ { @@ -660,6 +693,12 @@ module namespace './event-hub/namespace/main.bicep' = { } ] }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Standard" + }, "systemAssignedIdentity": { "value": true }, @@ -674,6 +713,9 @@ module namespace './event-hub/namespace/main.bicep' = { "value": { "": {} } + }, + "zoneRedundant": { + "value": true } } } @@ -850,11 +892,14 @@ module namespace './event-hub/namespace/main.bicep' = { } } ] + skuCapacity: 2 + skuName: 'Premium' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } + zoneRedundant: true } } ``` 
@@ -897,12 +942,21 @@ module namespace './event-hub/namespace/main.bicep' = { } ] }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Premium" + }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } + }, + "zoneRedundant": { + "value": true } } } diff --git a/modules/event-hub/namespace/authorization-rule/README.md b/modules/event-hub/namespace/authorization-rule/README.md index c0091b7ce9..b9ccc45325 100644 --- a/modules/event-hub/namespace/authorization-rule/README.md +++ b/modules/event-hub/namespace/authorization-rule/README.md @@ -13,7 +13,7 @@ This module deploys an Event Hub Namespace Authorization Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/authorizationRules` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/authorizationRules) | +| `Microsoft.EventHub/namespaces/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/authorizationRules) | ## Parameters diff --git a/modules/event-hub/namespace/authorization-rule/main.bicep b/modules/event-hub/namespace/authorization-rule/main.bicep index 16f4d6fc7f..18c7df3449 100644 --- a/modules/event-hub/namespace/authorization-rule/main.bicep +++ b/modules/event-hub/namespace/authorization-rule/main.bicep 
@@ -31,11 +31,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource authorizationRule 'Microsoft.EventHub/namespaces/authorizationRules@2022-01-01-preview' = { +resource authorizationRule 'Microsoft.EventHub/namespaces/authorizationRules@2022-10-01-preview' = { name: name parent: namespace properties: { diff --git a/modules/event-hub/namespace/authorization-rule/main.json b/modules/event-hub/namespace/authorization-rule/main.json index edf5ee0c75..7facc14895 100644 --- a/modules/event-hub/namespace/authorization-rule/main.json +++ b/modules/event-hub/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "689013755293429510" + "version": "0.21.1.54444", + "templateHash": "16751252701811556931" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", @@ -61,7 +61,7 @@ }, { "type": "Microsoft.EventHub/namespaces/authorizationRules", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" diff --git a/modules/event-hub/namespace/disaster-recovery-config/README.md b/modules/event-hub/namespace/disaster-recovery-config/README.md index e296417a77..fdd92ebc09 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/README.md +++ b/modules/event-hub/namespace/disaster-recovery-config/README.md 
@@ -13,7 +13,7 @@ This module deploys an Event Hub Namespace Disaster Recovery Config. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/disasterRecoveryConfigs) | +| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | ## Parameters diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.bicep b/modules/event-hub/namespace/disaster-recovery-config/main.bicep index 3edde585c9..1cc93c8e67 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/main.bicep +++ b/modules/event-hub/namespace/disaster-recovery-config/main.bicep @@ -26,11 +26,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2022-01-01-preview' = { +resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2022-10-01-preview' = { name: name parent: namespace properties: { diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.json b/modules/event-hub/namespace/disaster-recovery-config/main.json index b0f147b649..26b24be750 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/main.json +++ b/modules/event-hub/namespace/disaster-recovery-config/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6638470700293836073" + "version": "0.21.1.54444", + "templateHash": "17596363769961747539" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", @@ -56,7 +56,7 @@ }, { "type": "Microsoft.EventHub/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "partnerNamespace": "[parameters('partnerNamespaceId')]" diff --git a/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep b/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep index cc3c235e25..0689bff486 100644 --- a/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep +++ b/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep @@ -54,7 +54,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' existing = { +resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' existing = { name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' } diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index 81b77b1a28..d1a867d4c1 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md 
@@ -15,9 +15,9 @@ This module deploys an Event Hub Namespace Event Hub. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/eventhubs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) | ## Parameters 
@@ -50,8 +50,11 @@ This module deploys an Event Hub Namespace Event Hub. | `consumergroups` | array | `[System.Management.Automation.OrderedHashtable]` | | The consumer groups to create in this event hub instance. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `messageRetentionInDays` | int | `1` | | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. | +| `messageRetentionInDays` | int | `1` | | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". | | `partitionCount` | int | `2` | | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. | +| `retentionDescriptionCleanupPolicy` | string | `'Delete'` | `[Compact, Delete]` | Retention cleanup policy. Enumerates the possible values for cleanup policy. | +| `retentionDescriptionRetentionTimeInHours` | int | `1` | | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. | +| `retentionDescriptionTombstoneRetentionTimeInHours` | int | `1` | | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of the Event Hub. | diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/README.md b/modules/event-hub/namespace/eventhub/authorization-rule/README.md index 66568d2cd1..eef9d6b375 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/README.md +++ b/modules/event-hub/namespace/eventhub/authorization-rule/README.md @@ -13,7 +13,7 @@ This module deploys an Event Hub Namespace Event Hub Authorization Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/authorizationRules) | ## Parameters diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep b/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep index da370a248a..81c703399c 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep +++ b/modules/event-hub/namespace/eventhub/authorization-rule/main.bicep 
@@ -34,15 +34,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName - resource eventhub 'eventhubs@2022-01-01-preview' existing = { + resource eventhub 'eventhubs@2022-10-01-preview' existing = { name: eventHubName } } -resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2022-01-01-preview' = { +resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2022-10-01-preview' = { name: name parent: namespace::eventhub properties: { diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.json b/modules/event-hub/namespace/eventhub/authorization-rule/main.json index 52cd823720..6a12c8409a 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/main.json +++ b/modules/event-hub/namespace/eventhub/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12984183065402367529" + "version": "0.21.1.54444", + "templateHash": "6269095332062865528" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", @@ -67,7 +67,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" diff --git a/modules/event-hub/namespace/eventhub/consumergroup/README.md b/modules/event-hub/namespace/eventhub/consumergroup/README.md index af9ba3f689..4749095254 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/README.md 
+++ b/modules/event-hub/namespace/eventhub/consumergroup/README.md @@ -13,7 +13,7 @@ This module deploys an Event Hub Namespace Event Hub Consumer Group. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/eventhubs/consumergroups) | ## Parameters diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.bicep b/modules/event-hub/namespace/eventhub/consumergroup/main.bicep index fc0f0f05d4..debfe0b56d 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/main.bicep +++ b/modules/event-hub/namespace/eventhub/consumergroup/main.bicep @@ -29,15 +29,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName - resource eventhub 'eventhubs@2022-01-01-preview' existing = { + resource eventhub 'eventhubs@2022-10-01-preview' existing = { name: eventHubName } } -resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2022-01-01-preview' = { +resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2022-10-01-preview' = { name: name parent: namespace::eventhub properties: { diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.json b/modules/event-hub/namespace/eventhub/consumergroup/main.json index 4da93ab1ab..47f1a4c32f 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/main.json +++ b/modules/event-hub/namespace/eventhub/consumergroup/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4223870259264150873" + "version": "0.21.1.54444", + "templateHash": "4574999956856176990" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -62,7 +62,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep index 50ffeba337..1a7d5a2e74 100644 --- a/modules/event-hub/namespace/eventhub/main.bicep +++ b/modules/event-hub/namespace/eventhub/main.bicep @@ -20,7 +20,7 @@ param authorizationRules array = [ } ] -@description('Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days.') +@description('Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact".') @minValue(1) @maxValue(7) param messageRetentionInDays int = 1 
@@ -97,20 +97,40 @@ param captureDescriptionSizeLimitInBytes int = 314572800 @description('Optional. A value that indicates whether to Skip Empty Archives.') param captureDescriptionSkipEmptyArchives bool = false +@allowed([ + 'Compact' + 'Delete' +]) +@description('Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy.') +param retentionDescriptionCleanupPolicy string = 'Delete' + +@minValue(1) +@maxValue(168) +@description('Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue.') +param retentionDescriptionRetentionTimeInHours int = 1 + +@minValue(1) +@maxValue(168) +@description('Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub.') +param retentionDescriptionTombstoneRetentionTimeInHours int = 1 + @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var eventHubPropertiesSimple = { +var eventHubProperties = { messageRetentionInDays: messageRetentionInDays partitionCount: partitionCount status: status + retentionDescription: { + cleanupPolicy: retentionDescriptionCleanupPolicy + retentionTimeInHours: retentionDescriptionCleanupPolicy == 'Delete' ? retentionDescriptionRetentionTimeInHours : null + tombstoneRetentionTimeInHours: retentionDescriptionCleanupPolicy == 'Compact' ? 
retentionDescriptionTombstoneRetentionTimeInHours : null + } } -var eventHubPropertiesWithCapture = { - messageRetentionInDays: messageRetentionInDays - partitionCount: partitionCount - status: status + +var eventHubPropertiesCapture = { captureDescription: { destination: { name: captureDescriptionDestinationName @@ -140,14 +160,14 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' = { +resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' = { name: name parent: namespace - properties: captureDescriptionEnabled ? eventHubPropertiesWithCapture : eventHubPropertiesSimple + properties: captureDescriptionEnabled ? union(eventHubProperties, eventHubPropertiesCapture) : eventHubProperties } resource eventHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json index 623ef00653..cf4b190d94 100644 --- a/modules/event-hub/namespace/eventhub/main.json +++ b/modules/event-hub/namespace/eventhub/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "443948940379129513" + "version": "0.21.1.54444", + "templateHash": "16089237218391136247" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", 
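Review bot: With the defaults introduced here, every event hub created under the Delete policy now sends both `messageRetentionInDays: 1` (24 h) and `retentionDescription.retentionTimeInHours: 1` (1 h), so an unchanged caller could see its retention window shrink by a factor of 24 if the service prefers the hour-based field, or hit a validation error if it rejects the disagreement — which of the two applies is not visible in the hunk and is worth confirming against the 2022-10-01-preview API before merging. Deriving the default from the day-based parameter keeps the two consistent without changing the interface: `param retentionDescriptionRetentionTimeInHours int = messageRetentionInDays * 24` (Bicep permits parameter defaults that reference earlier parameters, and with `messageRetentionInDays` capped at 7 the result still satisfies `@maxValue(168)`). The `@maxValue(168)` on both hour parameters pins retention to 7 days regardless of SKU; if Premium namespaces allow longer retention (the README example in this commit deploys with `skuName: 'Premium'`), that bound would block it — hedged, since the SKU limits are not visible here. The description of `retentionDescriptionTombstoneRetentionTimeInHours` opens with `Retention cleanup policy.`, copied from the policy parameter; `Tombstone retention time in hours.` describes what it actually controls.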
@@ -46,7 +46,7 @@ "minValue": 1, "maxValue": 7, "metadata": { - "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days." + "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to \"Compact\"." } }, "partitionCount": { @@ -177,6 +177,35 @@ "description": "Optional. A value that indicates whether to Skip Empty Archives." } }, + "retentionDescriptionCleanupPolicy": { + "type": "string", + "defaultValue": "Delete", + "allowedValues": [ + "Compact", + "Delete" + ], + "metadata": { + "description": "Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy." + } + }, + "retentionDescriptionRetentionTimeInHours": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 168, + "metadata": { + "description": "Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue." + } + }, + "retentionDescriptionTombstoneRetentionTimeInHours": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 168, + "metadata": { + "description": "Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, 
@@ -187,15 +216,17 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "eventHubPropertiesSimple": { - "messageRetentionInDays": "[parameters('messageRetentionInDays')]", - "partitionCount": "[parameters('partitionCount')]", - "status": "[parameters('status')]" - }, - "eventHubPropertiesWithCapture": { + "eventHubProperties": { "messageRetentionInDays": "[parameters('messageRetentionInDays')]", "partitionCount": "[parameters('partitionCount')]", "status": "[parameters('status')]", + "retentionDescription": { + "cleanupPolicy": "[parameters('retentionDescriptionCleanupPolicy')]", + "retentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Delete'), parameters('retentionDescriptionRetentionTimeInHours'), null())]", + "tombstoneRetentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Compact'), parameters('retentionDescriptionTombstoneRetentionTimeInHours'), null())]" + } + }, + "eventHubPropertiesCapture": { "captureDescription": { "destination": { "name": "[parameters('captureDescriptionDestinationName')]", @@ -230,9 +261,9 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": "[if(parameters('captureDescriptionEnabled'), variables('eventHubPropertiesWithCapture'), variables('eventHubPropertiesSimple'))]" + "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]" }, { "condition": "[not(empty(parameters('lock')))]", 
@@ -282,8 +313,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4223870259264150873" + "version": "0.21.1.54444", + "templateHash": "4574999956856176990" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -340,7 +371,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" @@ -410,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12984183065402367529" + "version": "0.21.1.54444", + "templateHash": "6269095332062865528" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", @@ -473,7 +504,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -543,8 +574,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14745150939607150150" + "version": "0.21.1.54444", + "templateHash": "13315777836788317981" } }, "parameters": { diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index b0221fac79..891c0c92d9 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep 
@@ -25,7 +25,7 @@ param skuCapacity int = 1 @description('Optional. Switch to make the Event Hub Namespace zone redundant.') param zoneRedundant bool = false -@description('Optional. Switch to enable the Auto Inflate feature of Event Hub.') +@description('Optional. Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub.') param isAutoInflateEnabled bool = false @description('Optional. Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units.') @@ -192,7 +192,7 @@ resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empt name: last(split(cMKKeyVaultResourceId, '/'))! scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) - resource cMKKey 'keys@2022-07-01' existing = if (!empty(cMKKeyName)) { + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { name: cMKKeyName } } @@ -209,7 +209,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' = { +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = { name: name location: location tags: tags 
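Review bot: The new description states that Auto Inflate is unsupported on the Premium SKU, but nothing in the template enforces it — the compiled output in this same commit still forwards `"isAutoInflateEnabled": "[parameters('isAutoInflateEnabled')]"` unconditionally — so `skuName: 'Premium'` combined with `isAutoInflateEnabled: true` is rejected only by the service at deployment time rather than by the module. If `skuName` is a parameter of this module (the README example passes it, but it is not visible in this hunk), a one-line guard where the property is set would make the documented rule effective, e.g. `isAutoInflateEnabled: skuName == 'Premium' ? false : isAutoInflateEnabled`, mirroring how `maximumThroughputUnits` is already computed through `maximumThroughputUnitsVar`; the resource body that sets the property lies outside this hunk. Failing that, extend the description so callers know the combination is not validated here: `The module does not validate this against skuName; the deployment fails if both are set.`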
@@ -294,6 +294,9 @@ module eventHubNamespace_eventhubs 'eventhub/main.bicep' = [for (eventHub, index partitionCount: contains(eventHub, 'partitionCount') ? eventHub.partitionCount : 2 roleAssignments: contains(eventHub, 'roleAssignments') ? eventHub.roleAssignments : [] status: contains(eventHub, 'status') ? eventHub.status : 'Active' + retentionDescriptionCleanupPolicy: contains(eventHub, 'retentionDescriptionCleanupPolicy') ? eventHub.retentionDescriptionCleanupPolicy : 'Delete' + retentionDescriptionRetentionTimeInHours: contains(eventHub, 'retentionDescriptionRetentionTimeInHours') ? eventHub.retentionDescriptionRetentionTimeInHours : 1 + retentionDescriptionTombstoneRetentionTimeInHours: contains(eventHub, 'retentionDescriptionTombstoneRetentionTimeInHours') ? eventHub.retentionDescriptionTombstoneRetentionTimeInHours : 1 enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index e0c0dac2b6..7e9e3029bd 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "3045292130498142319" + "templateHash": "894531966017959267" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -58,7 +58,7 @@ "type": "bool", "defaultValue": false, "metadata": { - "description": "Optional. Switch to enable the Auto Inflate feature of Event Hub." + "description": "Optional. Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub." } }, "maximumThroughputUnits": { @@ -348,7 +348,7 @@ }, { "type": "Microsoft.EventHub/namespaces", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", 
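Review bot: The three fallback values `'Delete'`, `1` and `1` restate the child module's parameter defaults a second time, so any later change in `eventhub/main.bicep` (for instance aligning the hour default with `messageRetentionInDays`) will silently diverge from what this loop passes for event hubs declared through the `eventhubs` array. The surrounding lines already follow the same pattern for `partitionCount` and `status`, so a short marker above the new lines keeps the coupling discoverable: `// Fallbacks mirror the parameter defaults in eventhub/main.bicep; keep both in sync`. The `eventHubNamespace_eventhubs` module declaration starts before this hunk.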
@@ -360,7 +360,7 @@ }, "properties": { "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyVersion', 
if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2023-02-01').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", "isAutoInflateEnabled": "[parameters('isAutoInflateEnabled')]", "kafkaEnabled": "[parameters('kafkaEnabled')]", "maximumThroughputUnits": "[variables('maximumThroughputUnitsVar')]", @@ -433,7 +433,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "9802650659747695182" + "templateHash": "16751252701811556931" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", @@ -489,7 +489,7 @@ }, { "type": "Microsoft.EventHub/namespaces/authorizationRules", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -554,7 +554,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "3858700494028099639" + "templateHash": "17596363769961747539" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", @@ -605,7 +605,7 @@ }, { "type": "Microsoft.EventHub/namespaces/disasterRecoveryConfigs", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "partnerNamespace": "[parameters('partnerNamespaceId')]" 
@@ -677,6 +677,9 @@ "partitionCount": "[if(contains(parameters('eventhubs')[copyIndex()], 'partitionCount'), createObject('value', parameters('eventhubs')[copyIndex()].partitionCount), createObject('value', 2))]", "roleAssignments": "[if(contains(parameters('eventhubs')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventhubs')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "status": "[if(contains(parameters('eventhubs')[copyIndex()], 'status'), createObject('value', parameters('eventhubs')[copyIndex()].status), createObject('value', 'Active'))]", + "retentionDescriptionCleanupPolicy": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionCleanupPolicy'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionCleanupPolicy), createObject('value', 'Delete'))]", + "retentionDescriptionRetentionTimeInHours": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionRetentionTimeInHours'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionRetentionTimeInHours), createObject('value', 1))]", + "retentionDescriptionTombstoneRetentionTimeInHours": "[if(contains(parameters('eventhubs')[copyIndex()], 'retentionDescriptionTombstoneRetentionTimeInHours'), createObject('value', parameters('eventhubs')[copyIndex()].retentionDescriptionTombstoneRetentionTimeInHours), createObject('value', 1))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -688,7 +691,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "17109803643850718131" + "templateHash": "16089237218391136247" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", 
@@ -729,7 +732,7 @@ "minValue": 1, "maxValue": 7, "metadata": { - "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days." + "description": "Optional. Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to \"Compact\"." } }, "partitionCount": { @@ -860,6 +863,35 @@ "description": "Optional. A value that indicates whether to Skip Empty Archives." } }, + "retentionDescriptionCleanupPolicy": { + "type": "string", + "defaultValue": "Delete", + "allowedValues": [ + "Compact", + "Delete" + ], + "metadata": { + "description": "Optional. Retention cleanup policy. Enumerates the possible values for cleanup policy." + } + }, + "retentionDescriptionRetentionTimeInHours": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 168, + "metadata": { + "description": "Optional. Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue." + } + }, + "retentionDescriptionTombstoneRetentionTimeInHours": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 168, + "metadata": { + "description": "Optional. Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, 
@@ -870,15 +902,17 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "eventHubPropertiesSimple": { - "messageRetentionInDays": "[parameters('messageRetentionInDays')]", - "partitionCount": "[parameters('partitionCount')]", - "status": "[parameters('status')]" - }, - "eventHubPropertiesWithCapture": { + "eventHubProperties": { "messageRetentionInDays": "[parameters('messageRetentionInDays')]", "partitionCount": "[parameters('partitionCount')]", "status": "[parameters('status')]", + "retentionDescription": { + "cleanupPolicy": "[parameters('retentionDescriptionCleanupPolicy')]", + "retentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Delete'), parameters('retentionDescriptionRetentionTimeInHours'), null())]", + "tombstoneRetentionTimeInHours": "[if(equals(parameters('retentionDescriptionCleanupPolicy'), 'Compact'), parameters('retentionDescriptionTombstoneRetentionTimeInHours'), null())]" + } + }, + "eventHubPropertiesCapture": { "captureDescription": { "destination": { "name": "[parameters('captureDescriptionDestinationName')]", @@ -913,9 +947,9 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": "[if(parameters('captureDescriptionEnabled'), variables('eventHubPropertiesWithCapture'), variables('eventHubPropertiesSimple'))]" + "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]" }, { "condition": "[not(empty(parameters('lock')))]", 
@@ -966,7 +1000,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "4820896845674383243" + "templateHash": "4574999956856176990" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -1023,7 +1057,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" @@ -1094,7 +1128,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "11306315890463346417" + "templateHash": "6269095332062865528" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", @@ -1156,7 +1190,7 @@ }, { "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('eventHubName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -1412,7 +1446,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "1176983594768207243" + "templateHash": "7109134385195243655" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", @@ -1505,7 +1539,7 @@ }, { "type": "Microsoft.EventHub/namespaces/networkRuleSets", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", "properties": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]", 
@@ -2290,14 +2324,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-01-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-01-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-01-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md index b0adf9de11..4be4872512 100644 --- a/modules/event-hub/namespace/network-rule-set/README.md +++ b/modules/event-hub/namespace/network-rule-set/README.md @@ -13,7 +13,7 @@ This module deploys an Event Hub Namespace Network Rule Set. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-01-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-01-01-preview/namespaces/networkRuleSets) | +| `Microsoft.EventHub/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2022-10-01-preview/namespaces/networkRuleSets) | ## Parameters 
diff --git a/modules/event-hub/namespace/network-rule-set/main.bicep b/modules/event-hub/namespace/network-rule-set/main.bicep index fa1f75b9b6..c36bd58609 100644 --- a/modules/event-hub/namespace/network-rule-set/main.bicep +++ b/modules/event-hub/namespace/network-rule-set/main.bicep @@ -50,11 +50,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-01-01-preview' = { +resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2022-10-01-preview' = { name: 'default' parent: namespace properties: { diff --git a/modules/event-hub/namespace/network-rule-set/main.json b/modules/event-hub/namespace/network-rule-set/main.json index a83b70e250..1c3f921460 100644 --- a/modules/event-hub/namespace/network-rule-set/main.json +++ b/modules/event-hub/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2572752048492506478" + "version": "0.21.1.54444", + "templateHash": "7109134385195243655" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", @@ -98,7 +98,7 @@ }, { "type": "Microsoft.EventHub/namespaces/networkRuleSets", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", "properties": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]", From 92f8c3dd7079bb98e0fc569ccbcf0d60cb82e6ab Mon Sep 17 00:00:00 2001 
From: CARMLPipelinePrincipal Date: Mon, 9 Oct 2023 19:53:20 +0000 Subject: [PATCH 009/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index ff0c423784..2c5289d0f4 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -60,7 +60,7 @@ This section provides an overview of the library's feature set. | 45 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 174 | | 46 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 159 | | 47 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 178 | -| 48 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 328 | +| 48 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 331 | | 49 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 84 | | 50 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:3, L2:1] | 175 | | 51 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | @@ -148,7 +148,7 @@ This section provides an overview of the library's feature set. | 133 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | | 134 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | | 135 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24314 | +| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24317 | ## Legend From d649ff29e8aa8d4b7bca05952baf990269049ada Mon Sep 17 00:00:00 2001 From: Preston Alvarado <700740+coolhome@users.noreply.github.com> Date: Wed, 11 Oct 2023 18:07:07 -0400 Subject: [PATCH 010/178] [Modules] Update the PostgreSQL - Configurations child module deployment to be sequential (#4071) --- modules/db-for-postgre-sql/flexible-server/main.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index 477adf769a..af23c95f5a 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -342,6 +342,7 @@ module flexibleServer_firewallRules 'firewall-rule/main.bicep' = [for (firewallR ] }] +@batchSize(1) module flexibleServer_configurations 'configuration/main.bicep' = [for (configuration, index) in configurations: { name: '${uniqueString(deployment().name, location)}-PostgreSQL-Configurations-${index}' params: { From 411f3647c35da8ca910c7ec073b5778c29ad5400 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Wed, 11 Oct 2023 22:07:52 +0000 Subject: [PATCH 011/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 2c5289d0f4..fe14b20403 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md 
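Review bot: The `@batchSize(1)` added in front of `flexibleServer_configurations` carries no comment explaining why the configuration child deployments must run one at a time, so a later maintainer may read it as an accidental slowdown and remove it. I would annotate the decorator, e.g. `@batchSize(1) // Configurations must be applied sequentially; parallel child deployments failed (see #4071)`, with the exact cause (presumably the server rejecting concurrent configuration updates) confirmed from the linked issue. The module definition this decorator applies to continues past the end of the hunk.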
@@ -49,7 +49,7 @@ This section provides an overview of the library's feature set. | 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 125 | | 35 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 315 | | 36 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:3] | 340 | -| 37 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 335 | +| 37 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 336 | | 38 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 148 | | 39 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 241 | | 40 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | @@ -148,7 +148,7 @@ This section provides an overview of the library's feature set. | 133 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | | 134 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | | 135 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24317 | +| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24318 | ## Legend From 18efbaa878f8d635b7a1e3187947bca0dfa66beb Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 Oct 2023 04:59:21 +1100 Subject: [PATCH 012/178] [Modules] New Module - Azure Databricks Access Connectors (#4066) --- .../ms.databricks.accessconnectors.yml | 50 +++ .../ms.databricks.accessconnectors.yml | 84 +++++ .../.bicep/nested_roleAssignments.bicep | 70 ++++ .../.test/common/dependencies.bicep | 16 + .../.test/common/main.test.bicep | 73 ++++ .../.test/min/main.test.bicep | 45 +++ modules/databricks/access-connector/README.md | 335 ++++++++++++++++++ .../databricks/access-connector/main.bicep | 93 +++++ modules/databricks/access-connector/main.json | 299 ++++++++++++++++ .../databricks/access-connector/version.json | 7 + 10 files changed, 1072 insertions(+) create mode 100644 .azuredevops/modulePipelines/ms.databricks.accessconnectors.yml create mode 100644 .github/workflows/ms.databricks.accessconnectors.yml create mode 100644 modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep create mode 100644 modules/databricks/access-connector/.test/common/dependencies.bicep create mode 100644 modules/databricks/access-connector/.test/common/main.test.bicep create mode 100644 modules/databricks/access-connector/.test/min/main.test.bicep create mode 100644 modules/databricks/access-connector/README.md create mode 100644 modules/databricks/access-connector/main.bicep create mode 100644 modules/databricks/access-connector/main.json create mode 100644 modules/databricks/access-connector/version.json diff --git a/.azuredevops/modulePipelines/ms.databricks.accessconnectors.yml b/.azuredevops/modulePipelines/ms.databricks.accessconnectors.yml new file mode 100644 index 0000000000..1fde021f59 --- /dev/null +++ b/.azuredevops/modulePipelines/ms.databricks.accessconnectors.yml 
@@ -0,0 +1,50 @@ +name: 'Databricks - Access Connectors' + +parameters: + - name: staticValidation + displayName: Execute static validation + type: boolean + default: true + - name: deploymentValidation + displayName: Execute deployment validation + type: boolean + default: true + - name: removeDeployment + displayName: Remove deployed module + type: boolean + default: true + - name: prerelease + displayName: Publish prerelease module + type: boolean + default: false + +pr: none + +trigger: + batch: true + branches: + include: + - main + paths: + include: + - '/.azuredevops/modulePipelines/ms.databricks.accessconnectors.yml' + - '/.azuredevops/pipelineTemplates/*.yml' + - '/modules/databricks/access-connector/*' + - '/utilities/pipelines/*' + exclude: + - '/utilities/pipelines/deploymentRemoval/*' + - '/**/*.md' + +variables: + - template: '../../settings.yml' + - group: 'PLATFORM_VARIABLES' + - name: modulePath + value: '/modules/databricks/access-connector' + +stages: + - template: /.azuredevops/pipelineTemplates/stages.module.yml + parameters: + staticValidation: '${{ parameters.staticValidation }}' + deploymentValidation: '${{ parameters.deploymentValidation }}' + removeDeployment: '${{ parameters.removeDeployment }}' + prerelease: '${{ parameters.prerelease }}' diff --git a/.github/workflows/ms.databricks.accessconnectors.yml b/.github/workflows/ms.databricks.accessconnectors.yml new file mode 100644 index 0000000000..8a6c4d076d --- /dev/null +++ b/.github/workflows/ms.databricks.accessconnectors.yml 
@@ -0,0 +1,84 @@ +name: 'Databricks - Access Connectors' + +on: + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: 'Execute static validation' + required: false + default: true + deploymentValidation: + type: boolean + description: 'Execute deployment validation' + required: false + default: true + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: true + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: false + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/template.module.yml' + - '.github/workflows/ms.databricks.accessconnectors.yml' + - 'modules/databricks/access-connector/**' + - 'utilities/pipelines/**' + - '!utilities/pipelines/deploymentRemoval/**' + - '!*/**/README.md' + +env: + modulePath: 'modules/databricks/access-connector' + workflowPath: '.github/workflows/ms.databricks.accessconnectors.yml' + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: 'Initialize pipeline' + steps: + - name: 'Checkout' + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: 'Set input parameters to output variables' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + - name: 'Get parameter file paths' + id: get-module-test-file-paths + uses: ./.github/actions/templates/getModuleTestFiles + with: + modulePath: '${{ env.modulePath }}' + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + modulePath: '${{ env.modulePath }}' + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + 
name: 'Module' + needs: + - job_initialize_pipeline + uses: ./.github/workflows/template.module.yml + with: + workflowInput: '${{ needs.job_initialize_pipeline.outputs.workflowInput }}' + moduleTestFilePaths: '${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}' + modulePath: '${{ needs.job_initialize_pipeline.outputs.modulePath}}' + secrets: inherit diff --git a/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep b/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep new file mode 100644 index 0000000000..772322584b --- /dev/null +++ b/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep 
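Review bot: The new workflow pins `actions/checkout@v4` by a mutable tag while handing the reusable workflow every repository secret through `secrets: inherit`, so a retagged or compromised action release would run with access to the deployment credentials; the sibling workflows likely follow the same pattern, but a freshly added file is the natural place to start pinning, e.g. `uses: actions/checkout@<full-commit-sha> # v4` with the SHA taken from the tagged release. Separately, `'${{ env.workflowPath}}'` and `'${{ needs.job_initialize_pipeline.outputs.modulePath}}'` lack the space before the closing braces that the neighbouring expressions have; the expression syntax tolerates it, but it reads as a typo next to `'${{ env.modulePath }}'`.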
@@ -0,0 +1,70 @@ +@sys.description('Required. The IDs of the principals to assign the role to.') +param principalIds array + +@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') +param roleDefinitionIdOrName string + +@sys.description('Required. The resource ID of the resource to apply the role assignment to.') +param resourceId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of the role assignment.') +param description string = '' + +@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') +param condition string = '' + +@sys.description('Optional. Version of the condition.') +@allowed([ + '2.0' +]) +param conditionVersion string = '2.0' + +@sys.description('Optional. 
Id of the delegated managed identity resource.') +param delegatedManagedIdentityResourceId string = '' + +var builtInRoleNames = { + 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') + 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + +resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-10-01-preview' existing = { + name: last(split(resourceId, '/'))! +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { + name: guid(accessConnector.id, principalId, roleDefinitionIdOrName) + properties: { + description: description + roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName + principalId: principalId + principalType: !empty(principalType) ? any(principalType) : null + condition: !empty(condition) ? condition : null + conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null + delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null + } + scope: accessConnector +}] diff --git a/modules/databricks/access-connector/.test/common/dependencies.bicep b/modules/databricks/access-connector/.test/common/dependencies.bicep new file mode 100644 index 0000000000..b20bc53e8f --- /dev/null +++ b/modules/databricks/access-connector/.test/common/dependencies.bicep 
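Review bot: The role assignment name is hashed from the raw `roleDefinitionIdOrName` rather than the resolved definition ID, so the same role passed once as `'Reader'` and once as its full ID yields two different assignment names for what Azure treats as one principal/role/scope combination, and I would expect the second deployment to fail with a conflict instead of being idempotent. Resolving first, `var roleDefinitionId = contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName`, then `name: guid(accessConnector.id, principalId, roleDefinitionId)` and `roleDefinitionId: roleDefinitionId`, also removes the duplicated lookup on the `roleDefinitionId` property line. This file mirrors the nested role-assignment template used by the other modules, so the fix probably belongs in that shared pattern rather than only here.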
@@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep new file mode 100644 index 0000000000..e6854b68ae --- /dev/null +++ b/modules/databricks/access-connector/.test/common/main.test.bicep 
@@ -0,0 +1,73 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'daccom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: 'CanNotDelete'
+ systemAssignedIdentity: true
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ location: resourceGroup.location
+ }
+}
diff --git a/modules/databricks/access-connector/.test/min/main.test.bicep b/modules/databricks/access-connector/.test/min/main.test.bicep
new file mode 100644
index 0000000000..3a950aaa5f
--- /dev/null
+++ b/modules/databricks/access-connector/.test/min/main.test.bicep
@@ -0,0 +1,45 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dacmin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ }
+}
diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md
new file mode 100644
index 0000000000..65400d0299
--- /dev/null
+++ b/modules/databricks/access-connector/README.md 
@@ -0,0 +1,335 @@ +# Azure Databricks Access Connectors `[Microsoft.Databricks/accessConnectors]` + +This module deploys an Azure Databricks Access Connector. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Deployment examples](#Deployment-examples) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Databricks/accessConnectors` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2022-10-01-preview/accessConnectors) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the Azure Databricks access connector to create. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Tags of the resource. | +| `userAssignedIdentities` | object | `{object}` | | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed access connector. | +| `resourceGroupName` | string | The resource group of the deployed access connector. | +| `resourceId` | string | The resource ID of the deployed access connector. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module accessConnector './databricks/access-connector/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-daccom' + params: { + // Required parameters + name: 'daccom001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: 'CanNotDelete' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "daccom001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ +

Example 2: Min

+ +
+ +via Bicep module + +```bicep +module accessConnector './databricks/access-connector/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-dacmin' + params: { + // Required parameters + name: 'dacmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dacmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep new file mode 100644 index 0000000000..249e53593b --- /dev/null +++ b/modules/databricks/access-connector/main.bicep 
@@ -0,0 +1,93 @@
+metadata name = 'Azure Databricks Access Connectors'
+metadata description = 'This module deploys an Azure Databricks Access Connector.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. The name of the Azure Databricks access connector to create.')
+param name string
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Enables system assigned managed identity on the resource.')
+param systemAssignedIdentity bool = false
+
+@description('Optional. The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests.')
+param userAssignedIdentities object = {}
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+
+var identity = identityType != 'None' ? {
+ type: identityType
+ userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+} : null
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-10-01-preview' = {
+ name: name
+ location: location
+ tags: tags
+ identity: identity
+ properties: {}
+}
+
+resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+ name: '${accessConnector.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: accessConnector
+}
+
+module accessConnector_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-Databricks-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: accessConnector.id
+ }
+}]
+
+@description('The name of the deployed access connector.')
+output name string = accessConnector.name
+
+@description('The resource ID of the deployed access connector.')
+output resourceId string = accessConnector.id
+
+@description('The resource group of the deployed access connector.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The location the resource was deployed into.')
+output location string = accessConnector.location
diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json
new file mode 100644
index 0000000000..0dff655dda
--- /dev/null
+++ b/modules/databricks/access-connector/main.json
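Review bot: The `roleAssignments` description documents each object as carrying `'principalId'`, but the loop forwards `roleAssignment.principalIds` (an array) to the nested module, so the stated contract does not match the shape the template actually reads; change the description to `... contain the \'roleDefinitionIdOrName\' and \'principalIds\' ...` so the README and main.json derived from it stop advertising the wrong key. Because `principalType` is forwarded as `''` whenever the caller omits it, a principal created in the same deployment may not have propagated when the assignment is written; a one-line comment on the `principalType:` line, `// set to 'ServicePrincipal' for identities created in the same deployment so the assignment waits for propagation`, would surface what the README's usage section already says. The `Microsoft.Databricks/accessConnectors` resource is pinned to the `2022-10-01-preview` API version; for a published module a preview version carries breaking-change risk, so moving to a GA version if one is available, or recording why the preview is required, is worth a follow-up.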
@@ -0,0 +1,299 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "18141386081798006601" + }, + "name": "Azure Databricks Access Connectors", + "description": "This module deploys an Azure Databricks Access Connector.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the Azure Databricks access connector to create." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "lock": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "systemAssignedIdentity": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedIdentities": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. 
The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "variables": { + "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Databricks/accessConnectors", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": "[variables('identity')]", + "properties": {} + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": 
"[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + ] + }, + { + "copy": { + "name": "accessConnector_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Databricks-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "8744521398620405286" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed access connector." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed access connector." 
+ }, + "value": "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed access connector." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Databricks/accessConnectors', parameters('name')), '2022-10-01-preview', 'full').location]" + } + } +} \ No newline at end of file diff --git a/modules/databricks/access-connector/version.json b/modules/databricks/access-connector/version.json new file mode 100644 index 0000000000..96236a61ba --- /dev/null +++ b/modules/databricks/access-connector/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.4", + "pathFilters": [ + "./main.json" + ] +} From 5d110a686c9c28120682e93e14a3f222a5143c55 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 12 Oct 2023 18:00:04 +0000 Subject: [PATCH 013/178] Push updated Readme file(s) --- README.md | 3 +- docs/wiki/The library - Module overview.md | 205 +++++++++++---------- 2 files changed, 105 insertions(+), 103 deletions(-) diff --git a/README.md b/README.md index dbf9a38f9f..da7b2a5b24 100644 --- a/README.md +++ b/README.md 
@@ -69,7 +69,8 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub
 | `Microsoft.ContainerService` | [managedClusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | [Azure Kubernetes Service (AKS) Managed Clusters](https://github.com/Azure/ResourceModules/tree/main/modules/container-service/managed-cluster) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.DataFactory` | [factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | [Data Factories](https://github.com/Azure/ResourceModules/tree/main/modules/data-factory/factory) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.DataProtection` | [backupVaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | [Data Protection Backup Vaults](https://github.com/Azure/ResourceModules/tree/main/modules/data-protection/backup-vault) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| `Microsoft.Databricks` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [Azure Databricks Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
+| `Microsoft.Databricks` | [accessConnectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | [Azure Databricks Access Connectors](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/access-connector) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
+| | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [Azure Databricks Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/databricks/workspace) | [![Deploy to
Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.DBforMySQL` | [flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | [DBforMySQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-my-sql/flexible-server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.DBforPostgreSQL` | [flexibleServers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | [DBforPostgreSQL Flexible Servers](https://github.com/Azure/ResourceModules/tree/main/modules/db-for-postgre-sql/flexible-server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.DesktopVirtualization` | [applicationGroups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | [Azure Virtual Desktop (AVD) Application Groups](https://github.com/Azure/ResourceModules/tree/main/modules/desktop-virtualization/application-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index fe14b20403..e62ecb44ec 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -47,108 +47,109 @@ This section provides an overview of the library's feature set.
 | 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 624 | | 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 254 | | 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 125 | -| 35 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 315 | -| 36 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:3] | 340 | -| 37 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 336 | -| 38 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 148 | -| 39 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 241 | -| 40 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | -| 41 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 119 | -| 42 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:1] | 265 | -| 43 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 221 | -| 44 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 332 | -| 45 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 174 | -| 46 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 159 | -| 47 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 178 | -| 48 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 331 | -| 49 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 84 | -| 50 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:3, L2:1] | 175 | -| 51 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | -| 52 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | -| 53 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 165 | -| 54 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 92 | -| 55 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 101 | -| 56 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | -| 57 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 125 | -| 58 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:1] | 103 | -| 59 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 109 | -| 60 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | :white_check_mark: | | | | | | 124 | -| 61 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 268 | -| 62 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | -| 63 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 64 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 195 | -| 65 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 275 | -| 66 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 107 | -| 67 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 83 | -| 68 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | -| 69 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 70 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1, L2:1] | 119 | -| 71 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 347 | -| 72 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | -| 73 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 66 | -| 74 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 330 | -| 75 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 209 | -| 76 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | :white_check_mark: | :white_check_mark: | | | | | 143 | -| 77 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 67 | -| 78 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 94 | -| 79 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 103 | -| 80 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:10] | 214 | -| 81 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 197 | -| 82 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | -| 83 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | -| 84 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 149 | -| 85 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 124 | -| 86 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 71 | -| 87 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 234 | -| 88 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | -| 89 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 156 | -| 90 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 160 | -| 91 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 136 | -| 92 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 157 | -| 93 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 100 | -| 94 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:9] | 192 | -| 95 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 111 | -| 96 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | -| 97 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 185 | -| 98 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 80 | -| 99 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | -| 100 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | -| 101 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 163 | -| 102 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 147 | -| 103 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 247 | -| 104 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 394 | -| 105 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | -| 106 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 110 | -| 107 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | -| 108 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:7] | 309 | -| 109 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | -| 110 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 111 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 99 | -| 112 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 278 | -| 113 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 287 | -| 114 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 258 | -| 115 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | -| 116 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | :white_check_mark: | :white_check_mark: | | | | | 124 | -| 117 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 69 | -| 118 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 119 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 | -| 120 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 220 | -| 121 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 327 | -| 122 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | -| 123 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 189 | -| 124 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 159 | -| 125 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 336 | -| 126 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 304 | -| 127 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 425 | -| 128 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 93 | -| 129 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 286 | -| 130 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 188 | -| 131 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 90 | -| 132 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 227 | -| 133 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | -| 134 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | -| 135 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24318 | +| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 315 | +| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:3] | 340 | +| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 336 | +| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 148 | +| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 241 | +| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | +| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 119 | +| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:1] | 265 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 221 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 332 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 174 | +| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 159 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 178 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 331 | +| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 84 | +| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:3, L2:1] | 175 | +| 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | +| 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | +| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 165 | +| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 92 | +| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 101 | +| 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | +| 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 125 | +| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:1] | 103 | +| 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 109 | +| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | :white_check_mark: | | | | | | 124 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 268 | +| 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | +| 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | +| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 195 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 275 | +| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 107 | +| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 83 | +| 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | +| 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | +| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1, L2:1] | 119 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 347 | +| 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | +| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 66 | +| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 330 | +| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 209 | +| 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | :white_check_mark: | :white_check_mark: | | | | | 143 | +| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 67 | +| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 94 | +| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 103 | +| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:10] | 214 | +| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 197 | +| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | +| 84 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | +| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 149 | +| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 124 | +| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 71 | +| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 234 | +| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | +| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 156 | +| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 160 | +| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 136 | +| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 157 | +| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 100 | +| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:9] | 192 | +| 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 111 | +| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | +| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 185 | +| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 80 | +| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | +| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | +| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 163 | +| 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 147 | +| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 247 | +| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 394 | +| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | +| 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 110 | +| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | +| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:7] | 309 | +| 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | +| 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | +| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 99 | +| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 278 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 287 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 258 | +| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | +| 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | :white_check_mark: | :white_check_mark: | | | | | 124 | +| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 69 | +| 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 | +| 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 220 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 327 | +| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | +| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 189 | +| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 159 | +| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 336 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 304 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 425 | +| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 93 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 286 | +| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 188 | +| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 90 | +| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 227 | +| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | +| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | +| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | +| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24394 | ## Legend From f2448b2ac4437f254c01a2e58a780ca4ff157324 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Thu, 12 Oct 2023 21:09:50 +0200 Subject: [PATCH 014/178] Fixed param description (#4076) --- .../web/static-site/custom-domain/README.md | 7 +++- .../web/static-site/custom-domain/main.bicep | 2 +- .../web/static-site/custom-domain/main.json | 6 +-- modules/web/static-site/main.json | 38 +++++++++---------- 4 files changed, 29 insertions(+), 24 deletions(-) diff --git a/modules/web/static-site/custom-domain/README.md b/modules/web/static-site/custom-domain/README.md index 7f5142d327..cd8472bbfe 100644 --- a/modules/web/static-site/custom-domain/README.md +++ b/modules/web/static-site/custom-domain/README.md @@ -17,11 +17,16 @@ This module deploys a Static Web App Site Custom Domain. ## Parameters +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The custom domain name. | + **Conditional parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The custom domain name. Required if the template is used in a standalone deployment. | | `staticSiteName` | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | **Optional parameters** diff --git a/modules/web/static-site/custom-domain/main.bicep b/modules/web/static-site/custom-domain/main.bicep index fee71250fd..b392892704 100644 --- a/modules/web/static-site/custom-domain/main.bicep +++ b/modules/web/static-site/custom-domain/main.bicep 
@@ -2,7 +2,7 @@ metadata name = 'Static Web App Site Custom Domains' metadata description = 'This module deploys a Static Web App Site Custom Domain.' metadata owner = 'Azure/module-maintainers' -@description('Conditional. The custom domain name. Required if the template is used in a standalone deployment.') +@description('Required. The custom domain name.') param name string @description('Conditional. The name of the parent Static Web App. Required if the template is used in a standalone deployment.') diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index df87e1cfb4..6613ffb610 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12334533883169216576" + "version": "0.22.6.54827", + "templateHash": "13208835708722733896" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -15,7 +15,7 @@ "name": { "type": "string", "metadata": { - "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." + "description": "Required. The custom domain name." } }, "staticSiteName": { diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 3cdbd085fd..b37f808c2f 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18252581681683363361" + "version": "0.22.6.54827", + "templateHash": "12872096460250206815" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
@@ -279,8 +279,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16239200301217299333" + "version": "0.22.6.54827", + "templateHash": "13553590806488370796" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", @@ -412,8 +412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14542116541399181875" + "version": "0.22.6.54827", + "templateHash": "8340850851413090940" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -538,8 +538,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14542116541399181875" + "version": "0.22.6.54827", + "templateHash": "8340850851413090940" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -665,8 +665,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8695148534740362749" + "version": "0.22.6.54827", + "templateHash": "13208835708722733896" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -676,7 +676,7 @@ "name": { "type": "string", "metadata": { - "description": "Conditional. The custom domain name. Required if the template is used in a standalone deployment." + "description": "Required. The custom domain name." } }, "staticSiteName": { @@ -790,8 +790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10006606949676096242" + "version": "0.22.6.54827", + "templateHash": "3353684850635934919" } }, "parameters": { 
@@ -901,8 +901,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1101,8 +1101,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1239,8 +1239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { From 4b4aa1f59773224eef568807d69059d3ce0bbdf0 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 Oct 2023 08:19:52 +1100 Subject: [PATCH 015/178] [Modules] Updated Service Bus to latest API and introduced new parameters (#4069) --- .../.bicep/nested_roleAssignments.bicep | 2 +- .../namespace/.test/common/main.test.bicep | 8 + .../namespace/.test/pe/main.test.bicep | 1 + modules/service-bus/namespace/README.md | 56 ++++- .../namespace/authorization-rule/README.md | 2 +- .../namespace/authorization-rule/main.bicep | 4 +- .../namespace/authorization-rule/main.json | 6 +- .../disaster-recovery-config/README.md | 2 +- .../disaster-recovery-config/main.bicep | 4 +- .../disaster-recovery-config/main.json | 6 +- modules/service-bus/namespace/main.bicep | 49 ++++- modules/service-bus/namespace/main.json | 203 +++++++++++++----- .../migration-configuration/README.md | 2 +- .../migration-configuration/main.bicep | 4 +- .../migration-configuration/main.json | 6 +- .../namespace/network-rule-set/README.md | 2 +- .../namespace/network-rule-set/main.bicep | 4 +- .../namespace/network-rule-set/main.json | 6 +- .../queue/.bicep/nested_roleAssignments.bicep | 2 +- modules/service-bus/namespace/queue/README.md | 8 +- .../queue/authorization-rule/README.md | 2 +- .../queue/authorization-rule/main.bicep | 6 +- .../queue/authorization-rule/main.json | 6 +- .../service-bus/namespace/queue/main.bicep | 34 ++- modules/service-bus/namespace/queue/main.json | 64 ++++-- .../topic/.bicep/nested_roleAssignments.bicep | 2 +- modules/service-bus/namespace/topic/README.md | 4 +- .../topic/authorization-rule/README.md | 2 +- .../topic/authorization-rule/main.bicep | 6 +- .../topic/authorization-rule/main.json | 6 +- .../service-bus/namespace/topic/main.bicep | 4 +- modules/service-bus/namespace/topic/main.json | 16 +- 32 files changed, 389 insertions(+), 140 deletions(-) 
diff --git a/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep index 113b9ea501..0735266fe0 100644 --- a/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep +++ b/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep @@ -52,7 +52,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: last(split(resourceId, '/'))! } diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index ff78623745..e0ad9fc570 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep @@ -66,6 +66,9 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' lock: 'CanNotDelete' skuName: 'Premium' + skuCapacity: 2 + premiumMessagingPartitions: 1 + zoneRedundant: true tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' @@ -146,6 +149,8 @@ module testDeployment '../../main.bicep' = { ] } ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 } ] topics: [ @@ -203,5 +208,8 @@ module testDeployment '../../main.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } + disableLocalAuth: true + publicNetworkAccess: 'Enabled' + minimumTlsVersion: '1.2' } } diff --git a/modules/service-bus/namespace/.test/pe/main.test.bicep b/modules/service-bus/namespace/.test/pe/main.test.bicep index 270922fec3..6d1ab9dcc2 100644 --- a/modules/service-bus/namespace/.test/pe/main.test.bicep +++ b/modules/service-bus/namespace/.test/pe/main.test.bicep 
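Review bot: The last hunk of the common test adds `publicNetworkAccess: 'Enabled'` next to `disableLocalAuth: true` and `minimumTlsVersion: '1.2'` without saying why public access is deliberately opened on a deployment that, judging by the README example this commit regenerates from it, also configures private endpoints and a `networkRuleSets.defaultAction: 'Deny'`. Because the README documents that an empty value resolves to disabled when private endpoints are set, this line overrides the restrictive default and a reader may mistake it for the recommended configuration. A comment on the line would make the intent explicit, e.g. `// Intentionally 'Enabled' so the networkRuleSets Deny path is exercised; the module defaults to disabled when privateEndpoints are set`. The enclosing `testDeployment` module declaration starts outside the hunk.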
@@ -50,6 +50,7 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' skuName: 'Premium' + publicNetworkAccess: 'Disabled' privateEndpoints: [ { service: 'namespace' diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 4781e805c0..c84e9b9ed5 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md 
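Review bot: `publicNetworkAccess: 'Disabled'` is added to the private-endpoint test although the README in this same commit describes disabled as the default whenever `privateEndpoints` are set, so the line reads as a behaviour change rather than a deliberate pin. A short comment would remove the ambiguity: `// Pinned explicitly so this test stays closed to public access even if the module default changes`. The enclosing `testDeployment` module declaration starts and ends outside the hunk.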
@@ -19,15 +19,15 @@ This module deploys a Service Bus Namespace. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.ServiceBus/namespaces` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces) | -| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/AuthorizationRules) | -| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/disasterRecoveryConfigs) | -| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/migrationConfigurations) | -| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) | -| `Microsoft.ServiceBus/namespaces/queues` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/queues) | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) | -| `Microsoft.ServiceBus/namespaces/topics` | 
[2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics) | -| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics/authorizationRules) | +| `Microsoft.ServiceBus/namespaces` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces) | +| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/AuthorizationRules) | +| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | +| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/migrationConfigurations) | +| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/networkRuleSets) | +| `Microsoft.ServiceBus/namespaces/queues` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues) | +| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | +| `Microsoft.ServiceBus/namespaces/topics` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics) | +| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | 
[2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | ## Parameters @@ -47,6 +47,7 @@ This module deploys a Service Bus Namespace. | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `alternateName` | string | `''` | | Alternate name for namespace. | | `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus namespace. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | 
@@ -58,16 +59,21 @@ This module deploys a Service Bus Namespace. | `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `disableLocalAuth` | bool | `True` | | This property disables SAS authentication for the Service Bus namespace. | | `disasterRecoveryConfigs` | object | `{object}` | | The disaster recovery configuration. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | object | `{object}` | | The migration configuration. | +| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | The minimum TLS version for the cluster to support. | | `networkRuleSets` | object | `{object}` | | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| `premiumMessagingPartitions` | int | `1` | | The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled, SecuredByPerimeter]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. 
If not specified, it will be disabled by default if private endpoints are set. | | `queues` | array | `[]` | | The queues to create in the service bus namespace. | | `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `skuCapacity` | int | `1` | `[1, 2, 4, 8, 16, 32]` | The specified messaging units for the tier. Only used for Premium Sku tier. | | `skuName` | string | `'Basic'` | `[Basic, Premium, Standard]` | Name of this SKU. - Basic, Standard, Premium. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -404,8 +410,10 @@ module namespace './service-bus/namespace/main.bicep' = { diagnosticEventHubName: '' diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' + disableLocalAuth: true enableDefaultTelemetry: '' lock: 'CanNotDelete' + minimumTlsVersion: '1.2' networkRuleSets: { defaultAction: 'Deny' ipRules: [ @@ -426,6 +434,7 @@ module namespace './service-bus/namespace/main.bicep' = { } ] } + premiumMessagingPartitions: 1 privateEndpoints: [ { privateDnsZoneGroup: { @@ -442,6 +451,7 @@ module namespace './service-bus/namespace/main.bicep' = { } } ] + publicNetworkAccess: 'Enabled' queues: [ { authorizationRules: [ 
@@ -461,6 +471,8 @@ module namespace './service-bus/namespace/main.bicep' = { ] } ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 name: 'sbncomq001' roleAssignments: [ { @@ -482,6 +494,7 @@ module namespace './service-bus/namespace/main.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + skuCapacity: 2 skuName: 'Premium' systemAssignedIdentity: true tags: { @@ -523,6 +536,7 @@ module namespace './service-bus/namespace/main.bicep' = { userAssignedIdentities: { '': {} } + zoneRedundant: true } } ``` @@ -575,12 +589,18 @@ module namespace './service-bus/namespace/main.bicep' = { "diagnosticWorkspaceId": { "value": "" }, + "disableLocalAuth": { + "value": true + }, "enableDefaultTelemetry": { "value": "" }, "lock": { "value": "CanNotDelete" }, + "minimumTlsVersion": { + "value": "1.2" + }, "networkRuleSets": { "value": { "defaultAction": "Deny", @@ -603,6 +623,9 @@ module namespace './service-bus/namespace/main.bicep' = { ] } }, + "premiumMessagingPartitions": { + "value": 1 + }, "privateEndpoints": { "value": [ { @@ -621,6 +644,9 @@ module namespace './service-bus/namespace/main.bicep' = { } ] }, + "publicNetworkAccess": { + "value": "Enabled" + }, "queues": { "value": [ { @@ -641,6 +667,8 @@ module namespace './service-bus/namespace/main.bicep' = { ] } ], + "autoDeleteOnIdle": "PT5M", + "maxMessageSizeInKilobytes": 2048, "name": "sbncomq001", "roleAssignments": [ { @@ -665,6 +693,9 @@ module namespace './service-bus/namespace/main.bicep' = { } ] }, + "skuCapacity": { + "value": 2 + }, "skuName": { "value": "Premium" }, @@ -715,6 +746,9 @@ module namespace './service-bus/namespace/main.bicep' = { "value": { "": {} } + }, + "zoneRedundant": { + "value": true } } } @@ -981,6 +1015,7 @@ module namespace './service-bus/namespace/main.bicep' = { } } ] + publicNetworkAccess: 'Disabled' skuName: 'Premium' tags: { Environment: 'Non-Prod' 
@@ -1029,6 +1064,9 @@ module namespace './service-bus/namespace/main.bicep' = { } ] }, + "publicNetworkAccess": { + "value": "Disabled" + }, "skuName": { "value": "Premium" }, diff --git a/modules/service-bus/namespace/authorization-rule/README.md b/modules/service-bus/namespace/authorization-rule/README.md index e09a56d3d5..04226f8184 100644 --- a/modules/service-bus/namespace/authorization-rule/README.md +++ b/modules/service-bus/namespace/authorization-rule/README.md @@ -13,7 +13,7 @@ This module deploys a Service Bus Namespace Authorization Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/AuthorizationRules) | +| `Microsoft.ServiceBus/namespaces/AuthorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/AuthorizationRules) | ## Parameters diff --git a/modules/service-bus/namespace/authorization-rule/main.bicep b/modules/service-bus/namespace/authorization-rule/main.bicep index 56beb00d21..0ade3c677e 100644 --- a/modules/service-bus/namespace/authorization-rule/main.bicep +++ b/modules/service-bus/namespace/authorization-rule/main.bicep @@ -33,11 +33,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource authorizationRule 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2017-04-01' = { +resource authorizationRule 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2022-10-01-preview' = { name: name parent: namespace properties: { 
diff --git a/modules/service-bus/namespace/authorization-rule/main.json b/modules/service-bus/namespace/authorization-rule/main.json index dbc2c2b79c..5515b8c667 100644 --- a/modules/service-bus/namespace/authorization-rule/main.json +++ b/modules/service-bus/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15235435585316551051" + "version": "0.22.6.54827", + "templateHash": "4747986299110708591" }, "name": "Service Bus Namespace Authorization Rules", "description": "This module deploys a Service Bus Namespace Authorization Rule.", @@ -63,7 +63,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" diff --git a/modules/service-bus/namespace/disaster-recovery-config/README.md b/modules/service-bus/namespace/disaster-recovery-config/README.md index a1852a356e..117b394910 100644 --- a/modules/service-bus/namespace/disaster-recovery-config/README.md +++ b/modules/service-bus/namespace/disaster-recovery-config/README.md @@ -13,7 +13,7 @@ This module deploys a Service Bus Namespace Disaster Recovery Config | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/disasterRecoveryConfigs) | +| `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/disasterRecoveryConfigs) | ## Parameters diff --git a/modules/service-bus/namespace/disaster-recovery-config/main.bicep b/modules/service-bus/namespace/disaster-recovery-config/main.bicep index c7998b87e2..2d949345a7 100644 
--- a/modules/service-bus/namespace/disaster-recovery-config/main.bicep +++ b/modules/service-bus/namespace/disaster-recovery-config/main.bicep @@ -31,11 +31,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource disasterRecoveryConfig 'Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs@2017-04-01' = { +resource disasterRecoveryConfig 'Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs@2022-10-01-preview' = { name: name parent: namespace properties: { diff --git a/modules/service-bus/namespace/disaster-recovery-config/main.json b/modules/service-bus/namespace/disaster-recovery-config/main.json index 7dc2c03b14..e36745c3ff 100644 --- a/modules/service-bus/namespace/disaster-recovery-config/main.json +++ b/modules/service-bus/namespace/disaster-recovery-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13563716064472285794" + "version": "0.22.6.54827", + "templateHash": "3706608794197885431" }, "name": "Service Bus Namespace Disaster Recovery Configs", "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", @@ -66,7 +66,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "alternateName": "[parameters('alternateName')]", diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index aac98d2c31..df6693bb49 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep 
@@ -17,9 +17,34 @@ param location string = resourceGroup().location
 ])
 param skuName string = 'Basic'
 
+@description('Optional. The specified messaging units for the tier. Only used for Premium Sku tier.')
+@allowed([
+  1
+  2
+  4
+  8
+  16
+  32
+])
+param skuCapacity int = 1
+
 @description('Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones.')
 param zoneRedundant bool = false
 
+@allowed([
+  '1.0'
+  '1.1'
+  '1.2'
+])
+@description('Optional. The minimum TLS version for the cluster to support.')
+param minimumTlsVersion string = '1.2'
+
+@description('Optional. Alternate name for namespace.')
+param alternateName string = ''
+
+@description('Optional. The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4.')
+param premiumMessagingPartitions int = 1
+
 @description('Optional. Authorization Rules for the Service Bus namespace.')
 param authorizationRules array = [
   {
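Review bot: `premiumMessagingPartitions` lists its valid values (1, 2 and 4) only in the description, while `skuCapacity` a few lines above enforces its set with `@allowed`; the partition count should get the same guard so an out-of-range value is rejected at template validation instead of at deployment, i.e. an `@allowed([...])` decorator listing `1`, `2` and `4` in the same multi-line form used for `skuCapacity`, placed before `param premiumMessagingPartitions int = 1`. The `@allowed` list for `minimumTlsVersion` also admits '1.0' and '1.1' and its description gives no hint that these are legacy protocol versions; I would extend it to `'Optional. The minimum TLS version for the cluster to support. 1.0 and 1.1 are deprecated and should only be selected for legacy clients that cannot negotiate 1.2.'`. As a point of style, `minimumTlsVersion` puts `@allowed` before `@description` whereas `skuCapacity` in this hunk and `publicNetworkAccess` in the next put `@description` first; the new parameters should agree on one order.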
@@ -67,12 +92,24 @@ param userAssignedIdentities object = {}
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
+@allowed([
+  ''
+  'Disabled'
+  'Enabled'
+  'SecuredByPerimeter'
+])
+param publicNetworkAccess string = ''
+
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
 @description('Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
 param networkRuleSets object = {}
 
+@description('Optional. This property disables SAS authentication for the Service Bus namespace.')
+param disableLocalAuth bool = true
+
 @description('Optional. Tags of the resource.')
 param tags object = {}
 
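Review bot: `disableLocalAuth` defaults to `true`, which is the right secure default but silently changes behaviour for every existing consumer of this module that authenticates with SAS, and the SAS authorization rules the module still deploys by default (the `authorizationRules` parameter above and the `RootManageSharedAccessKey` rule the queue module falls back to in a later hunk) become unusable without any hint in the description. I would make that explicit: `@description('Optional. Disables SAS (local) authentication for the Service Bus namespace so that clients must authenticate with Azure AD. Defaults to true; any rules deployed via \'authorizationRules\' cannot be used while this is enabled.')`. It is also worth a line in the module README or changelog, since a default of `true` is a breaking change for SAS-based clients on upgrade.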
@@ -170,16 +207,22 @@ resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = i
   scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
 }
 
-resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-11-01' = {
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
   name: name
   location: location
   tags: empty(tags) ? null : tags
   sku: {
     name: skuName
+    capacity: skuName == 'Premium' ? skuCapacity : null
   }
   identity: identity
   properties: {
+    publicNetworkAccess: !empty(publicNetworkAccess) ? publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled')
+    minimumTlsVersion: minimumTlsVersion
+    alternateName: !empty(alternateName) ? alternateName : null
     zoneRedundant: zoneRedundant
+    disableLocalAuth: disableLocalAuth
+    premiumMessagingPartitions: skuName == 'Premium' ? premiumMessagingPartitions : 0
     encryption: !empty(cMKKeyName) ? {
       keySource: 'Microsoft.KeyVault'
       keyVaultProperties: [
@@ -246,6 +289,10 @@ module serviceBusNamespace_queues 'queue/main.bicep' = [for (queue, index) in qu
   params: {
     namespaceName: serviceBusNamespace.name
     name: queue.name
+    autoDeleteOnIdle: contains(queue, 'autoDeleteOnIdle') ? queue.autoDeleteOnIdle : ''
+    forwardDeadLetteredMessagesTo: contains(queue, 'forwardDeadLetteredMessagesTo') ? queue.forwardDeadLetteredMessagesTo : ''
+    forwardTo: contains(queue, 'forwardTo') ? queue.forwardTo : ''
+    maxMessageSizeInKilobytes: contains(queue, 'maxMessageSizeInKilobytes') ? queue.maxMessageSizeInKilobytes : 1024
     authorizationRules: contains(queue, 'authorizationRules') ? queue.authorizationRules : [
       {
         name: 'RootManageSharedAccessKey'
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index 89e24c2467..974d711c69 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
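Review bot: The `publicNetworkAccess` fallback in the `properties` block only yields 'Disabled' when private endpoints are configured AND `networkRuleSets` is empty, but the parameter description in the previous hunk promises it is disabled whenever private endpoints are set, so the extra condition reads like a mistake and the two should be reconciled. Presumably the exception exists because the network-rule-set sub-module writes its own `publicNetworkAccess` onto the `networkRuleSets` child resource and the namespace-level value must not contradict it; if so, a comment above that line would spare the next reader the same question, e.g. `// A configured network rule set carries its own publicNetworkAccess, so only the private-endpoint-only case is forced to 'Disabled' here`, and the description should read 'disabled by default if private endpoints are set and no network rule set is configured'. With neither an explicit value nor private endpoints the namespace ends up 'Enabled', which sits oddly next to the same description's "it should be disabled"; since changing that default would break existing deployments, stating the effective default in the description is the minimum. The `maxMessageSizeInKilobytes` default of 1024 passed in the queue hunk is always forwarded regardless of SKU; that is fine only because the queue module gates it on the namespace SKU, which is worth a one-line comment at the call site.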
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2445849782386973691" + "version": "0.22.6.54827", + "templateHash": "2912791825816834309" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", @@ -38,6 +38,21 @@ "description": "Optional. Name of this SKU. - Basic, Standard, Premium." } }, + "skuCapacity": { + "type": "int", + "defaultValue": 1, + "allowedValues": [ + 1, + 2, + 4, + 8, + 16, + 32 + ], + "metadata": { + "description": "Optional. The specified messaging units for the tier. Only used for Premium Sku tier." + } + }, "zoneRedundant": { "type": "bool", "defaultValue": false, @@ -45,6 +60,32 @@ "description": "Optional. Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones." } }, + "minimumTlsVersion": { + "type": "string", + "defaultValue": "1.2", + "allowedValues": [ + "1.0", + "1.1", + "1.2" + ], + "metadata": { + "description": "Optional. The minimum TLS version for the cluster to support." + } + }, + "alternateName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Alternate name for namespace." + } + }, + "premiumMessagingPartitions": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4." + } + }, "authorizationRules": { "type": "array", "defaultValue": [ 
@@ -136,6 +177,19 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "Disabled", + "Enabled", + "SecuredByPerimeter" + ], + "metadata": { + "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." + } + }, "privateEndpoints": { "type": "array", "defaultValue": [], @@ -150,6 +204,13 @@ "description": "Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." } }, + "disableLocalAuth": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. This property disables SAS authentication for the Service Bus namespace." + } + }, "tags": { "type": "object", "defaultValue": {}, 
@@ -289,16 +350,22 @@ }, { "type": "Microsoft.ServiceBus/namespaces", - "apiVersion": "2021-11-01", + "apiVersion": "2022-10-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[if(empty(parameters('tags')), null(), parameters('tags'))]", "sku": { - "name": "[parameters('skuName')]" + "name": "[parameters('skuName')]", + "capacity": "[if(equals(parameters('skuName'), 'Premium'), parameters('skuCapacity'), null())]" }, "identity": "[variables('identity')]", "properties": { + "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', 'Enabled'))]", + "minimumTlsVersion": "[parameters('minimumTlsVersion')]", + "alternateName": "[if(not(empty(parameters('alternateName'))), parameters('alternateName'), null())]", "zoneRedundant": "[parameters('zoneRedundant')]", + "disableLocalAuth": "[parameters('disableLocalAuth')]", + "premiumMessagingPartitions": "[if(equals(parameters('skuName'), 'Premium'), parameters('premiumMessagingPartitions'), 0)]", "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', 
split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" } }, @@ -365,8 +432,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5822650086672206249" + "version": "0.22.6.54827", + "templateHash": "4747986299110708591" }, "name": "Service Bus Namespace Authorization Rules", "description": "This module deploys a Service Bus Namespace Authorization Rule.", @@ -424,7 +491,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -487,8 +554,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14546614417320888231" + "version": "0.22.6.54827", + "templateHash": "3706608794197885431" }, "name": "Service Bus Namespace Disaster Recovery Configs", "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", @@ -549,7 +616,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "alternateName": "[parameters('alternateName')]", 
@@ -616,8 +683,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11354056165002886498" + "version": "0.22.6.54827", + "templateHash": "11329412672781710568" }, "name": "Service Bus Namespace Migration Configuration", "description": "This module deploys a Service Bus Namespace Migration Configuration.", @@ -669,7 +736,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), '$default')]", "properties": { "targetNamespace": "[parameters('targetNamespaceResourceId')]", @@ -735,8 +802,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13262837949069466625" + "version": "0.22.6.54827", + "templateHash": "533952694982260366" }, "name": "Service Bus Namespace Network Rule Sets", "description": "This module deploys a ServiceBus Namespace Network Rule Set.", @@ -831,7 +898,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/networkRuleSets", - "apiVersion": "2021-11-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", "properties": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]", 
@@ -891,6 +958,10 @@ "name": { "value": "[parameters('queues')[copyIndex()].name]" }, + "autoDeleteOnIdle": "[if(contains(parameters('queues')[copyIndex()], 'autoDeleteOnIdle'), createObject('value', parameters('queues')[copyIndex()].autoDeleteOnIdle), createObject('value', ''))]", + "forwardDeadLetteredMessagesTo": "[if(contains(parameters('queues')[copyIndex()], 'forwardDeadLetteredMessagesTo'), createObject('value', parameters('queues')[copyIndex()].forwardDeadLetteredMessagesTo), createObject('value', ''))]", + "forwardTo": "[if(contains(parameters('queues')[copyIndex()], 'forwardTo'), createObject('value', parameters('queues')[copyIndex()].forwardTo), createObject('value', ''))]", + "maxMessageSizeInKilobytes": "[if(contains(parameters('queues')[copyIndex()], 'maxMessageSizeInKilobytes'), createObject('value', parameters('queues')[copyIndex()].maxMessageSizeInKilobytes), createObject('value', 1024))]", "authorizationRules": "[if(contains(parameters('queues')[copyIndex()], 'authorizationRules'), createObject('value', parameters('queues')[copyIndex()].authorizationRules), createObject('value', createArray(createObject('name', 'RootManageSharedAccessKey', 'rights', createArray('Listen', 'Manage', 'Send')))))]", "deadLetteringOnMessageExpiration": "[if(contains(parameters('queues')[copyIndex()], 'deadLetteringOnMessageExpiration'), createObject('value', parameters('queues')[copyIndex()].deadLetteringOnMessageExpiration), createObject('value', true()))]", "defaultMessageTimeToLive": "[if(contains(parameters('queues')[copyIndex()], 'defaultMessageTimeToLive'), createObject('value', parameters('queues')[copyIndex()].defaultMessageTimeToLive), createObject('value', 'P14D'))]", 
@@ -916,8 +987,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1821948784445884676" + "version": "0.22.6.54827", + "templateHash": "14235495639787970719" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", @@ -940,6 +1011,27 @@ "description": "Required. Name of the Service Bus Queue." } }, + "autoDeleteOnIdle": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." + } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Queue/Topic name to forward the Dead Letter message." + } + }, + "forwardTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Queue/Topic name to forward the messages." + } + }, "lockDuration": { "type": "string", "defaultValue": "PT1M", @@ -1003,6 +1095,13 @@ "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." } }, + "maxMessageSizeInKilobytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." + } + }, "status": { "type": "string", "defaultValue": "Active", 
@@ -1100,21 +1199,25 @@ }, { "type": "Microsoft.ServiceBus/namespaces/queues", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { - "lockDuration": "[parameters('lockDuration')]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "requiresSession": "[parameters('requiresSession')]", + "autoDeleteOnIdle": "[if(not(empty(parameters('autoDeleteOnIdle'))), parameters('autoDeleteOnIdle'), null())]", "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", "deadLetteringOnMessageExpiration": "[parameters('deadLetteringOnMessageExpiration')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "status": "[parameters('status')]", + "enableBatchedOperations": "[parameters('enableBatchedOperations')]", + "enableExpress": "[parameters('enableExpress')]", "enablePartitioning": "[parameters('enablePartitioning')]", - "enableExpress": "[parameters('enableExpress')]" + "forwardDeadLetteredMessagesTo": "[if(not(empty(parameters('forwardDeadLetteredMessagesTo'))), parameters('forwardDeadLetteredMessagesTo'), null())]", + "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", + "lockDuration": "[parameters('lockDuration')]", + "maxDeliveryCount": "[parameters('maxDeliveryCount')]", + "maxMessageSizeInKilobytes": "[if(equals(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('namespaceName')), '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", + "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", + "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", + 
"requiresSession": "[parameters('requiresSession')]", + "status": "[parameters('status')]" } }, { @@ -1165,8 +1268,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6101237367074313867" + "version": "0.22.6.54827", + "templateHash": "4578845431207793137" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", @@ -1228,7 +1331,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -1298,8 +1401,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2208902932187886569" + "version": "0.22.6.54827", + "templateHash": "17304766651287695230" } }, "parameters": { @@ -1489,8 +1592,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17697996851366655443" + "version": "0.22.6.54827", + "templateHash": "7517242660485501194" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", @@ -1666,7 +1769,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/topics", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "autoDeleteOnIdle": "[parameters('autoDeleteOnIdle')]", @@ -1730,8 +1833,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3386119899926443117" + "version": "0.22.6.54827", + "templateHash": "3590235297575239025" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", 
@@ -1793,7 +1896,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -1863,8 +1966,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1700456831485668715" + "version": "0.22.6.54827", + "templateHash": "13096307217253704125" } }, "parameters": { @@ -2056,8 +2159,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2256,8 +2359,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2394,8 +2497,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2608,8 +2711,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18287242022549990964" + "version": "0.22.6.54827", + "templateHash": "9664927518119461996" } }, "parameters": { 
@@ -2753,14 +2856,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2021-11-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2021-11-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2021-11-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/service-bus/namespace/migration-configuration/README.md b/modules/service-bus/namespace/migration-configuration/README.md index 6c1aa5f13c..445edd7e6a 100644 --- a/modules/service-bus/namespace/migration-configuration/README.md +++ b/modules/service-bus/namespace/migration-configuration/README.md 
@@ -13,7 +13,7 @@ This module deploys a Service Bus Namespace Migration Configuration. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/migrationConfigurations) | +| `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/migrationConfigurations) | ## Parameters diff --git a/modules/service-bus/namespace/migration-configuration/main.bicep b/modules/service-bus/namespace/migration-configuration/main.bicep index a7f90c5fc9..1d7ed788cb 100644 --- a/modules/service-bus/namespace/migration-configuration/main.bicep +++ b/modules/service-bus/namespace/migration-configuration/main.bicep @@ -28,11 +28,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource migrationConfiguration 'Microsoft.ServiceBus/namespaces/migrationConfigurations@2017-04-01' = { +resource migrationConfiguration 'Microsoft.ServiceBus/namespaces/migrationConfigurations@2022-10-01-preview' = { name: '$default' parent: namespace properties: { diff --git a/modules/service-bus/namespace/migration-configuration/main.json b/modules/service-bus/namespace/migration-configuration/main.json index 7227e9c794..67c9a0e7ca 100644 --- a/modules/service-bus/namespace/migration-configuration/main.json +++ b/modules/service-bus/namespace/migration-configuration/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15978046556546709106" + "version": "0.22.6.54827", + "templateHash": "11329412672781710568" }, "name": "Service Bus Namespace Migration Configuration", "description": "This module deploys a Service Bus Namespace Migration Configuration.", @@ -57,7 +57,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/migrationConfigurations", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), '$default')]", "properties": { "targetNamespace": "[parameters('targetNamespaceResourceId')]", diff --git a/modules/service-bus/namespace/network-rule-set/README.md b/modules/service-bus/namespace/network-rule-set/README.md index 1bb7d755b2..2ee50b770c 100644 --- a/modules/service-bus/namespace/network-rule-set/README.md +++ b/modules/service-bus/namespace/network-rule-set/README.md @@ -13,7 +13,7 @@ This module deploys a ServiceBus Namespace Network Rule Set. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) | +| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/networkRuleSets) | ## Parameters diff --git a/modules/service-bus/namespace/network-rule-set/main.bicep b/modules/service-bus/namespace/network-rule-set/main.bicep index 9f026053fe..f15d24ad9e 100644 --- a/modules/service-bus/namespace/network-rule-set/main.bicep +++ b/modules/service-bus/namespace/network-rule-set/main.bicep 
@@ -52,11 +52,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { +resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2022-10-01-preview' = { name: 'default' parent: namespace properties: { diff --git a/modules/service-bus/namespace/network-rule-set/main.json b/modules/service-bus/namespace/network-rule-set/main.json index c998091cf1..c859479f4b 100644 --- a/modules/service-bus/namespace/network-rule-set/main.json +++ b/modules/service-bus/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16662631854898993961" + "version": "0.22.6.54827", + "templateHash": "533952694982260366" }, "name": "Service Bus Namespace Network Rule Sets", "description": "This module deploys a ServiceBus Namespace Network Rule Set.", @@ -100,7 +100,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/networkRuleSets", - "apiVersion": "2021-11-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), 'default')]", "properties": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]", diff --git a/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep index c8bf6aa9ef..e4fc9c7bc2 100644 --- a/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep +++ b/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep 
@@ -52,7 +52,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource queue 'Microsoft.ServiceBus/namespaces/queues@2021-06-01-preview' existing = { +resource queue 'Microsoft.ServiceBus/namespaces/queues@2022-10-01-preview' existing = { name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' } diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index d819c6b7bb..4da81c9733 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md @@ -15,8 +15,8 @@ This module deploys a Service Bus Namespace Queue. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ServiceBus/namespaces/queues` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/queues) | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) | +| `Microsoft.ServiceBus/namespaces/queues` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues) | +| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | ## Parameters 
@@ -37,6 +37,7 @@ This module deploys a Service Bus Namespace Queue. | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus Queue. | +| `autoDeleteOnIdle` | string | `''` | | ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). | | `deadLetteringOnMessageExpiration` | bool | `True` | | A value that indicates whether this queue has dead letter support when a message expires. | | `defaultMessageTimeToLive` | string | `'P14D'` | | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. | | `duplicateDetectionHistoryTimeWindow` | string | `'PT10M'` | | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. | 
@@ -44,9 +45,12 @@ This module deploys a Service Bus Namespace Queue. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enableExpress` | bool | `False` | | A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. | | `enablePartitioning` | bool | `False` | | A value that indicates whether the queue is to be partitioned across multiple message brokers. | +| `forwardDeadLetteredMessagesTo` | string | `''` | | Queue/Topic name to forward the Dead Letter message. | +| `forwardTo` | string | `''` | | Queue/Topic name to forward the messages. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `lockDuration` | string | `'PT1M'` | | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | | `maxDeliveryCount` | int | `10` | | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | +| `maxMessageSizeInKilobytes` | int | `1024` | | Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. | | `maxSizeInMegabytes` | int | `1024` | | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | | `requiresDuplicateDetection` | bool | `False` | | A value indicating if this queue requires duplicate detection. | | `requiresSession` | bool | `False` | | A value that indicates whether the queue supports the concept of sessions. | diff --git a/modules/service-bus/namespace/queue/authorization-rule/README.md b/modules/service-bus/namespace/queue/authorization-rule/README.md index 8f5e346cba..9d3235856b 100644 
--- a/modules/service-bus/namespace/queue/authorization-rule/README.md +++ b/modules/service-bus/namespace/queue/authorization-rule/README.md @@ -13,7 +13,7 @@ This module deploys a Service Bus Namespace Queue Authorization Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) | +| `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/queues/authorizationRules) | ## Parameters diff --git a/modules/service-bus/namespace/queue/authorization-rule/main.bicep b/modules/service-bus/namespace/queue/authorization-rule/main.bicep index f18e2917cd..1c246c1650 100644 --- a/modules/service-bus/namespace/queue/authorization-rule/main.bicep +++ b/modules/service-bus/namespace/queue/authorization-rule/main.bicep @@ -34,15 +34,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName - resource queue 'queues@2021-06-01-preview' existing = { + resource queue 'queues@2022-10-01-preview' existing = { name: queueName } } -resource authorizationRule 'Microsoft.ServiceBus/namespaces/queues/authorizationRules@2017-04-01' = { +resource authorizationRule 'Microsoft.ServiceBus/namespaces/queues/authorizationRules@2022-10-01-preview' = { name: name parent: namespace::queue properties: { diff --git a/modules/service-bus/namespace/queue/authorization-rule/main.json b/modules/service-bus/namespace/queue/authorization-rule/main.json index 02d33f18fd..3610d204e0 100644 --- a/modules/service-bus/namespace/queue/authorization-rule/main.json 
+++ b/modules/service-bus/namespace/queue/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18039866213861972678" + "version": "0.22.6.54827", + "templateHash": "4578845431207793137" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", @@ -67,7 +67,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index cd75b97337..fc7f3276ec 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep @@ -12,6 +12,15 @@ param namespaceName string @maxLength(50) param name string +@description('Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M).') +param autoDeleteOnIdle string = '' + +@description('Optional. Queue/Topic name to forward the Dead Letter message.') +param forwardDeadLetteredMessagesTo string = '' + +@description('Optional. Queue/Topic name to forward the messages.') +param forwardTo string = '' + @description('Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute.') param lockDuration string = 'PT1M' 
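Review bot: The new `autoDeleteOnIdle` description in the queue `main.bicep` hunk says "ISO 8061 timeSpan", which is a typo for the ISO 8601 duration format that the neighbouring `lockDuration` description already uses; the same text is mirrored into the README and `main.json`, so fixing it at the source fixes all three. The description should also say what the empty default does, since the resource maps `''` to `null` and the service default then applies, e.g. `@description('Optional. ISO 8601 timespan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). Leave empty to keep the service default (no automatic deletion).')`. For `forwardTo` and `forwardDeadLetteredMessagesTo` it would help callers to state that the value is an entity name within the same namespace and that the target presumably has to exist before this queue is deployed — confirm against the provider, as nothing in the module validates or depends on it.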
@@ -39,6 +48,9 @@ param duplicateDetectionHistoryTimeWindow string = 'PT10M' @description('Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10.') param maxDeliveryCount int = 10 +@description('Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024.') +param maxMessageSizeInKilobytes int = 1024 + @description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.') @allowed([ 'Active' 
@@ -101,26 +113,30 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = {
+resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
 name: namespaceName
 }
 
-resource queue 'Microsoft.ServiceBus/namespaces/queues@2021-06-01-preview' = {
+resource queue 'Microsoft.ServiceBus/namespaces/queues@2022-10-01-preview' = {
 name: name
 parent: namespace
 properties: {
- lockDuration: lockDuration
- maxSizeInMegabytes: maxSizeInMegabytes
- requiresDuplicateDetection: requiresDuplicateDetection
- requiresSession: requiresSession
+ autoDeleteOnIdle: !empty(autoDeleteOnIdle) ? autoDeleteOnIdle : null
 defaultMessageTimeToLive: defaultMessageTimeToLive
 deadLetteringOnMessageExpiration: deadLetteringOnMessageExpiration
- enableBatchedOperations: enableBatchedOperations
 duplicateDetectionHistoryTimeWindow: duplicateDetectionHistoryTimeWindow
+ enableBatchedOperations: enableBatchedOperations
+ enableExpress: enableExpress
+ enablePartitioning: enablePartitioning
+ forwardDeadLetteredMessagesTo: !empty(forwardDeadLetteredMessagesTo) ? forwardDeadLetteredMessagesTo : null
+ forwardTo: !empty(forwardTo) ? forwardTo : null
+ lockDuration: lockDuration
 maxDeliveryCount: maxDeliveryCount
+ maxMessageSizeInKilobytes: namespace.sku.name == 'Premium' ? maxMessageSizeInKilobytes : null
+ maxSizeInMegabytes: maxSizeInMegabytes
+ requiresDuplicateDetection: requiresDuplicateDetection
+ requiresSession: requiresSession
 status: status
- enablePartitioning: enablePartitioning
- enableExpress: enableExpress
 }
 }
 
diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json
index a2d25f0d38..db9c7d315a 100644
--- a/modules/service-bus/namespace/queue/main.json
+++ b/modules/service-bus/namespace/queue/main.json
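Review bot: The new `forwardTo` and `forwardDeadLetteredMessagesTo` properties move messages out of this queue into another entity, so the queue-scoped authorization rules and role assignments this module also deploys (see `authorizationRules` and the `roleAssignments` nested template in the same module) no longer bound who can read those messages — access is governed by the destination entity's rules instead, which nothing here checks. A short comment above those two lines would keep that visible to callers, e.g. `// Forwarding hands messages to another entity; its access rules, not this queue's, govern who can read them.` Similarly `autoDeleteOnIdle`, once set, presumably deletes the queue together with any messages still in it after the idle period — worth a note such as `// Auto-delete removes the queue and its remaining messages; leave empty unless loss on idle is acceptable.` (confirm exact semantics against the provider). The `maxMessageSizeInKilobytes` line now reads `namespace.sku.name` from the existing namespace at deployment time; that is reasonable, but the `main.json` compiled from it will carry a `reference(...)` call, so the deploying identity needs read access on the namespace for the queue deployment to succeed.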
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12881561992595458775" + "version": "0.22.6.54827", + "templateHash": "14235495639787970719" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", @@ -28,6 +28,27 @@ "description": "Required. Name of the Service Bus Queue." } }, + "autoDeleteOnIdle": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)." + } + }, + "forwardDeadLetteredMessagesTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Queue/Topic name to forward the Dead Letter message." + } + }, + "forwardTo": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Queue/Topic name to forward the messages." + } + }, "lockDuration": { "type": "string", "defaultValue": "PT1M", @@ -91,6 +112,13 @@ "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10." } }, + "maxMessageSizeInKilobytes": { + "type": "int", + "defaultValue": 1024, + "metadata": { + "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024." + } + }, "status": { "type": "string", "defaultValue": "Active", 
@@ -188,21 +216,25 @@ }, { "type": "Microsoft.ServiceBus/namespaces/queues", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { - "lockDuration": "[parameters('lockDuration')]", - "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", - "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", - "requiresSession": "[parameters('requiresSession')]", + "autoDeleteOnIdle": "[if(not(empty(parameters('autoDeleteOnIdle'))), parameters('autoDeleteOnIdle'), null())]", "defaultMessageTimeToLive": "[parameters('defaultMessageTimeToLive')]", "deadLetteringOnMessageExpiration": "[parameters('deadLetteringOnMessageExpiration')]", - "enableBatchedOperations": "[parameters('enableBatchedOperations')]", "duplicateDetectionHistoryTimeWindow": "[parameters('duplicateDetectionHistoryTimeWindow')]", - "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "status": "[parameters('status')]", + "enableBatchedOperations": "[parameters('enableBatchedOperations')]", + "enableExpress": "[parameters('enableExpress')]", "enablePartitioning": "[parameters('enablePartitioning')]", - "enableExpress": "[parameters('enableExpress')]" + "forwardDeadLetteredMessagesTo": "[if(not(empty(parameters('forwardDeadLetteredMessagesTo'))), parameters('forwardDeadLetteredMessagesTo'), null())]", + "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", + "lockDuration": "[parameters('lockDuration')]", + "maxDeliveryCount": "[parameters('maxDeliveryCount')]", + "maxMessageSizeInKilobytes": "[if(equals(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('namespaceName')), '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", + "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", + "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", + 
"requiresSession": "[parameters('requiresSession')]", + "status": "[parameters('status')]" } }, { @@ -253,8 +285,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18039866213861972678" + "version": "0.22.6.54827", + "templateHash": "4578845431207793137" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", @@ -316,7 +348,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/queues/authorizationRules", - "apiVersion": "2017-04-01", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('queueName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -386,8 +418,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18045820924353327609" + "version": "0.22.6.54827", + "templateHash": "17304766651287695230" } }, "parameters": { diff --git a/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep index 4f961068fe..306121abd9 100644 --- a/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep +++ b/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep @@ -52,7 +52,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource topic 'Microsoft.ServiceBus/namespaces/topics@2021-06-01-preview' existing = { +resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = { name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' } diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index a79f39f841..3e408a2f86 100644 --- a/modules/service-bus/namespace/topic/README.md 
+++ b/modules/service-bus/namespace/topic/README.md @@ -15,8 +15,8 @@ This module deploys a Service Bus Namespace Topic. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ServiceBus/namespaces/topics` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics) | -| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics/authorizationRules) | +| `Microsoft.ServiceBus/namespaces/topics` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics) | +| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | ## Parameters diff --git a/modules/service-bus/namespace/topic/authorization-rule/README.md b/modules/service-bus/namespace/topic/authorization-rule/README.md index 97a2359e33..42f6aa3e9b 100644 --- a/modules/service-bus/namespace/topic/authorization-rule/README.md +++ b/modules/service-bus/namespace/topic/authorization-rule/README.md 
@@ -13,7 +13,7 @@ This module deploys a Service Bus Namespace Topic Authorization Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2021-06-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics/authorizationRules) | +| `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | ## Parameters diff --git a/modules/service-bus/namespace/topic/authorization-rule/main.bicep b/modules/service-bus/namespace/topic/authorization-rule/main.bicep index 47748fa303..fb60f6c92d 100644 --- a/modules/service-bus/namespace/topic/authorization-rule/main.bicep +++ b/modules/service-bus/namespace/topic/authorization-rule/main.bicep @@ -34,15 +34,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName - resource topic 'topics@2021-06-01-preview' existing = { + resource topic 'topics@2022-10-01-preview' existing = { name: topicName } } -resource authorizationRule 'Microsoft.ServiceBus/namespaces/topics/authorizationRules@2021-06-01-preview' = { +resource authorizationRule 'Microsoft.ServiceBus/namespaces/topics/authorizationRules@2022-10-01-preview' = { name: name parent: namespace::topic properties: { diff --git a/modules/service-bus/namespace/topic/authorization-rule/main.json b/modules/service-bus/namespace/topic/authorization-rule/main.json index 7d2537e9c0..d7f9be9512 100644 --- a/modules/service-bus/namespace/topic/authorization-rule/main.json +++ b/modules/service-bus/namespace/topic/authorization-rule/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12912382339345981506" + "version": "0.22.6.54827", + "templateHash": "3590235297575239025" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", @@ -67,7 +67,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 84036320fb..25140d0269 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep @@ -98,11 +98,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { +resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: namespaceName } -resource topic 'Microsoft.ServiceBus/namespaces/topics@2021-06-01-preview' = { +resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' = { name: name parent: namespace properties: { diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json index e5786cdfc5..52d011eb5d 100644 --- a/modules/service-bus/namespace/topic/main.json +++ b/modules/service-bus/namespace/topic/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "921300981514456809" + "version": "0.22.6.54827", + "templateHash": "7517242660485501194" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", 
@@ -181,7 +181,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/topics", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "autoDeleteOnIdle": "[parameters('autoDeleteOnIdle')]", @@ -245,8 +245,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12912382339345981506" + "version": "0.22.6.54827", + "templateHash": "3590235297575239025" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", @@ -308,7 +308,7 @@ }, { "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules", - "apiVersion": "2021-06-01-preview", + "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}/{2}', parameters('namespaceName'), parameters('topicName'), parameters('name'))]", "properties": { "rights": "[parameters('rights')]" @@ -378,8 +378,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11124682842627815351" + "version": "0.22.6.54827", + "templateHash": "13096307217253704125" } }, "parameters": { From 86bd5a9e01f86576773244b869457577373da8bc Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 12 Oct 2023 21:20:30 +0000 Subject: [PATCH 016/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index e62ecb44ec..24415b24a1 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -134,7 +134,7 @@ This section provides an overview of the library's feature set. | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | | 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 | | 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 220 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 327 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 368 | | 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | | 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 189 | | 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 159 | @@ -149,7 +149,7 @@ This section provides an overview of the library's feature set. | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24394 | +| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24435 | ## Legend From 95af53a03a9c97e72b238cd84b1691381ec243c8 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 Oct 2023 07:05:49 +1100 Subject: [PATCH 017/178] [AVM] Updated Readme's to support AVM transition - Part (2) (#4073) --- .../container-group/README.md | 290 ++++++++--------- modules/container-registry/registry/README.md | 35 -- .../managed-cluster/README.md | 200 ++++-------- modules/data-factory/factory/README.md | 103 +++--- .../factory/integration-runtime/README.md | 29 +- .../factory/managed-virtual-network/README.md | 27 +- .../data-protection/backup-vault/README.md | 298 +++++++++--------- .../backup-vault/backup-policy/README.md | 27 +- modules/databricks/workspace/README.md | 134 ++++---- .../.test/public/main.test.bicep | 4 - .../flexible-server/README.md | 143 --------- 11 files changed, 520 insertions(+), 770 deletions(-) diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 3e31dd66c8..2e9d0bbfcd 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md 
@@ -9,10 +9,7 @@ This module deploys a Container Instance Container Group.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
-
-### Container groups in Azure Container Instances
-
-The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes.
+- [Notes](#Notes)
 ## Resource types
@@ -64,43 +61,6 @@ The top-level resource in Azure Container Instances is the container group. A co
 | `volumes` | array | `[]` | | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. |
-### Parameter Usage: `imageRegistryCredentials`
-
-The image registry credentials by which the container group is created from.
-
-

- -Parameter JSON format - -```json -"imageRegistryCredentials": { - "value": [ - { - "server": "sxxazacrx001.azurecr.io", - "username": "sxxazacrx001" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -imageRegistryCredentials: [ - { - server: 'sxxazacrx001.azurecr.io' - username: 'sxxazacrx001' - } -] -``` - -
-

-
 ### Parameter Usage: `tags`
 Tag names and tag values can be provided as needed. A tag can be left without a value.
@@ -142,110 +102,6 @@ tags: {

-### Parameter Usage: `autoGeneratedDomainNameLabelScope` - -DNS name reuse is convenient for DevOps within any modern company. The idea of redeploying an application by reusing the DNS name fulfills an on-demand philosophy that secures cloud development. Therefore, it's important to note that DNS names that are available to anyone become a problem when one customer releases a name only to have that same name taken by another customer. This is called subdomain takeover. A customer releases a resource using a particular name, and another customer creates a new resource with that same DNS name. If there were any records pointing to the old resource, they now also point to the new resource. - -This field can only be used when the `ipAddressType` is set to `Public`. - -Allowed values are: -| Policy name | Policy definition | | | | -|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|---| -| unsecure | Hash will be generated based on only the DNS name. Avoiding subdomain takeover is not guaranteed if another customer uses the same DNS name. | | | | -| tenantReuse | Default Hash will be generated based on the DNS name and the tenant ID. Object's domain name label can be reused within the same tenant. | | | | -| subscriptionReuse | Hash will be generated based on the DNS name and the tenant ID and subscription ID. Object's domain name label can be reused within the same subscription. | | | | -| resourceGroupReuse | Hash will be generated based on the DNS name and the tenant ID, subscription ID, and resource group name. Object's domain name label can be reused within the same resource group. | | | | -| noReuse | Hash will not be generated. Object's domain label can't be reused within resource group, subscription, or tenant. | | | | - -

- -Parameter JSON format - -```json -"autoGeneratedDomainNameLabelScope": { - "value": "Unsecure" - }, -``` - -
- -
- -Bicep format - -```bicep -autoGeneratedDomainNameLabelScope: 'Unsecure' -``` - -
-

- -### Parameter Usage: `volumes` - -By default, Azure Container Instances are stateless. If the container is restarted, crashes, or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. Currently, Azure volume mounting is only supported on a linux based image. - -You can mount: - -- an Azure File Share (make sure the storage account has a service endpoint when running the container in private mode!) -- a secret -- a GitHub Repository -- an empty local directory - -

- -Parameter JSON format - -```json -"volumes": [ - { - "azureFile": { - "readOnly": "bool", - "shareName": "string", - "storageAccountKey": "string", - "storageAccountName": "string" - }, - "emptyDir": {}, - "gitRepo": { - "directory": "string", - "repository": "string", - "revision": "string" - }, - "name": "string", - "secret": {} - } - ] -``` - -
- -
- -Bicep format - -```bicep -volumes: [ - { - azureFile: { - readOnly: bool - shareName: 'string' - storageAccountKey: 'string' - storageAccountName: 'string' - } - emptyDir: any() - gitRepo: { - directory: 'string' - repository: 'string' - revision: 'string' - } - name: 'string' - secret: {} - } - ] -``` - -
-

-
 ### Parameter Usage: `userAssignedIdentities`
 You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
@@ -1022,3 +878,147 @@ module containerGroup './container-instance/container-group/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `imageRegistryCredentials` + +The image registry credentials by which the container group is created from. + +

+ +Parameter JSON format + +```json +"imageRegistryCredentials": { + "value": [ + { + "server": "sxxazacrx001.azurecr.io", + "username": "sxxazacrx001" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +imageRegistryCredentials: [ + { + server: 'sxxazacrx001.azurecr.io' + username: 'sxxazacrx001' + } +] +``` + +
+

+ +### Parameter Usage: `autoGeneratedDomainNameLabelScope` + +DNS name reuse is convenient for DevOps within any modern company. The idea of redeploying an application by reusing the DNS name fulfills an on-demand philosophy that secures cloud development. Therefore, it's important to note that DNS names that are available to anyone become a problem when one customer releases a name only to have that same name taken by another customer. This is called subdomain takeover. A customer releases a resource using a particular name, and another customer creates a new resource with that same DNS name. If there were any records pointing to the old resource, they now also point to the new resource. + +This field can only be used when the `ipAddressType` is set to `Public`. + +Allowed values are: +| Policy name | Policy definition | | | | +|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---|---| +| unsecure | Hash will be generated based on only the DNS name. Avoiding subdomain takeover is not guaranteed if another customer uses the same DNS name. | | | | +| tenantReuse | Default Hash will be generated based on the DNS name and the tenant ID. Object's domain name label can be reused within the same tenant. | | | | +| subscriptionReuse | Hash will be generated based on the DNS name and the tenant ID and subscription ID. Object's domain name label can be reused within the same subscription. | | | | +| resourceGroupReuse | Hash will be generated based on the DNS name and the tenant ID, subscription ID, and resource group name. Object's domain name label can be reused within the same resource group. | | | | +| noReuse | Hash will not be generated. Object's domain label can't be reused within resource group, subscription, or tenant. | | | | + +

+ +Parameter JSON format + +```json +"autoGeneratedDomainNameLabelScope": { + "value": "Unsecure" + }, +``` + +
+ +
+ +Bicep format + +```bicep +autoGeneratedDomainNameLabelScope: 'Unsecure' +``` + +
+

+ +### Parameter Usage: `volumes` + +By default, Azure Container Instances are stateless. If the container is restarted, crashes, or stops, all of its state is lost. To persist state beyond the lifetime of the container, you must mount a volume from an external store. Currently, Azure volume mounting is only supported on a linux based image. + +You can mount: + +- an Azure File Share (make sure the storage account has a service endpoint when running the container in private mode!) +- a secret +- a GitHub Repository +- an empty local directory + +

+ +Parameter JSON format + +```json +"volumes": [ + { + "azureFile": { + "readOnly": "bool", + "shareName": "string", + "storageAccountKey": "string", + "storageAccountName": "string" + }, + "emptyDir": {}, + "gitRepo": { + "directory": "string", + "repository": "string", + "revision": "string" + }, + "name": "string", + "secret": {} + } + ] +``` + +
+ +
+ +Bicep format + +```bicep +volumes: [ + { + azureFile: { + readOnly: bool + shareName: 'string' + storageAccountKey: 'string' + storageAccountName: 'string' + } + emptyDir: any() + gitRepo: { + directory: 'string' + repository: 'string' + revision: 'string' + } + name: 'string' + secret: {} + } + ] +``` + +
+

diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md
index 39286f8f94..e18522cf96 100644
--- a/modules/container-registry/registry/README.md
+++ b/modules/container-registry/registry/README.md
@@ -141,41 +141,6 @@ roleAssignments: [

-### Parameter Usage: `imageRegistryCredentials` - -The image registry credentials by which the container group is created from. - -

- -Parameter JSON format - -```json -"acrName": { - "value": { - "server": "acrx001", - } -}, -"acrAdminUserEnabled": { - "value": false -} -``` - -
- -
- -Bicep format - -```bicep -acrName: { - server: 'acrx001' -} -acrAdminUserEnabled: false -``` - -
-

-
 ### Parameter Usage: `privateEndpoints`
 To use Private Endpoint the following dependencies must be deployed:
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index 402d82e6fb..1e231622d5 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -9,6 +9,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
+- [Notes](#Notes)
 ## Resource types
@@ -239,100 +240,6 @@ tags: {

-### Parameter Usage: `primaryAgentPoolProfile` - -Provide values for primary agent pool as needed. -For available properties check - -

- -Parameter JSON format - -```json -"primaryAgentPoolProfile": { - "value": [ - { - "name": "poolname", - "vmSize": "Standard_DS3_v2", - "osDiskSizeGB": 128, - "count": 2, - "osType": "Linux", - "maxCount": 5, - "minCount": 1, - "enableAutoScaling": true, - "scaleSetPriority": "Regular", - "scaleSetEvictionPolicy": "Delete", - "nodeLabels": {}, - "nodeTaints": [ - "CriticalAddonsOnly=true:NoSchedule" - ], - "type": "VirtualMachineScaleSets", - "availabilityZones": [ - "1", - "2", - "3" - ], - "maxPods": 30, - "storageProfile": "ManagedDisks", - "mode": "System", - "vnetSubnetID": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet", - "tags": { - "Owner": "test.user@testcompany.com", - "BusinessUnit": "IaCs", - "Environment": "PROD", - "Region": "USEast" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -primaryAgentPoolProfile: [ - { - name: 'poolname' - vmSize: 'Standard_DS3_v2' - osDiskSizeGB: 128 - count: 2 - osType: 'Linux' - maxCount: 5 - minCount: 1 - enableAutoScaling: true - scaleSetPriority: 'Regular' - scaleSetEvictionPolicy: 'Delete' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - type: 'VirtualMachineScaleSets' - availabilityZones: [ - '1' - '2' - '3' - ] - maxPods: 30 - storageProfile: 'ManagedDisks' - mode: 'System' - vnetSubnetID: '/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet' - tags: { - Owner: 'test.user@testcompany.com' - BusinessUnit: 'IaCs' - Environment: 'PROD' - Region: 'USEast' - } - } -] -``` - -
-

-
 ### Parameter Usage: `userAssignedIdentities`
 You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
@@ -366,57 +273,6 @@ userAssignedIdentities: {

-### Parameter Usage: `httpProxyConfig` - -Configurations for provisioning the cluster with HTTP proxy servers. You can specify in the following format: - -

- -Parameter JSON format - -```json -"httpProxyConfig": { - "value": { - "httpProxy": "http://proxy.contoso.com:8080/", - "httpsProxy": "http://proxy.contoso.com:8080/", - "noProxy": [ - "10.0.0.0/8", - "127.0.0.1", - "168.63.129.16", - "169.254.169.254", - "azurecr.io", - "konnectivity", - "localhost" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -httpProxyConfig: { - httpProxy: 'http://proxy.contoso.com:8080/' - httpsProxy: 'http://proxy.contoso.com:8080/' - noProxy: [ - '10.0.0.0/8' - '127.0.0.1' - '168.63.129.16' - '169.254.169.254' - 'azurecr.io' - 'konnectivity' - 'localhost' - ] -} -``` - -
-

-
 ## Outputs
 | Output Name | Type | Description |
@@ -1469,3 +1325,57 @@ module managedCluster './container-service/managed-cluster/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `httpProxyConfig` + +Configurations for provisioning the cluster with HTTP proxy servers. You can specify in the following format: + +

+ +Parameter JSON format + +```json +"httpProxyConfig": { + "value": { + "httpProxy": "http://proxy.contoso.com:8080/", + "httpsProxy": "http://proxy.contoso.com:8080/", + "noProxy": [ + "10.0.0.0/8", + "127.0.0.1", + "168.63.129.16", + "169.254.169.254", + "azurecr.io", + "konnectivity", + "localhost" + ] + } +} +``` + +
+ +
+ +Bicep format + +```bicep +httpProxyConfig: { + httpProxy: 'http://proxy.contoso.com:8080/' + httpsProxy: 'http://proxy.contoso.com:8080/' + noProxy: [ + '10.0.0.0/8' + '127.0.0.1' + '168.63.129.16' + '169.254.169.254' + 'azurecr.io' + 'konnectivity' + 'localhost' + ] +} +``` + +
+

diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index e6f1df293c..a1c42758cf 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -9,6 +9,7 @@ This module deploys a Data Factory.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
+- [Notes](#Notes)
 ## Resource types
@@ -309,56 +310,7 @@ privateEndpoints: [

-### Parameter Usage: `managedPrivateEndpoints` - -To use Managed Private Endpoints the following dependencies must be deployed: - -- The `managedVirtualNetworkName` property must be set to allow provisioning of a managed virtual network in Azure Data Factory. -- Destination private link resource must be created before and permissions allow requesting a private link connection to that resource. - -

- -Parameter JSON format - -```json -"managedPrivateEndpoints": { - "value": [ - { - "name": "mystorageaccount-managed-privateEndpoint", // Required: The managed private endpoint resource name - "groupId": "blob", // Required: The groupId to which the managed private endpoint is created - "fqdns": [ - "mystorageaccount.blob.core.windows.net" // Required: Fully qualified domain names - ], - "privateLinkResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount" - // Required: The ARM resource ID of the resource to which the managed private endpoint is created. - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -managedPrivateEndpoints: [ - // Example showing all available fields - { - name: 'mystorageaccount-managed-privateEndpoint' // Required: The managed private endpoint resource name - groupId: 'blob' // Required: The groupId to which the managed private endpoint is created - fqdns: [ - 'mystorageaccount.blob.core.windows.net' // Required: Fully qualified domain names - ] - privateLinkResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount' - } // Required: The ARM resource ID of the resource to which the managed private endpoint is created. -] -``` - -

-
 ## Outputs
 | Output Name | Type | Description |
@@ -659,3 +611,56 @@ module factory './data-factory/factory/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `managedPrivateEndpoints` + +To use Managed Private Endpoints the following dependencies must be deployed: + +- The `managedVirtualNetworkName` property must be set to allow provisioning of a managed virtual network in Azure Data Factory. +- Destination private link resource must be created before and permissions allow requesting a private link connection to that resource. + +

+ +Parameter JSON format + +```json +"managedPrivateEndpoints": { + "value": [ + { + "name": "mystorageaccount-managed-privateEndpoint", // Required: The managed private endpoint resource name + "groupId": "blob", // Required: The groupId to which the managed private endpoint is created + "fqdns": [ + "mystorageaccount.blob.core.windows.net" // Required: Fully qualified domain names + ], + "privateLinkResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount" + // Required: The ARM resource ID of the resource to which the managed private endpoint is created. + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +managedPrivateEndpoints: [ + // Example showing all available fields + { + name: 'mystorageaccount-managed-privateEndpoint' // Required: The managed private endpoint resource name + groupId: 'blob' // Required: The groupId to which the managed private endpoint is created + fqdns: [ + 'mystorageaccount.blob.core.windows.net' // Required: Fully qualified domain names + ] + privateLinkResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount' + } // Required: The ARM resource ID of the resource to which the managed private endpoint is created. +] +``` + +
+

diff --git a/modules/data-factory/factory/integration-runtime/README.md b/modules/data-factory/factory/integration-runtime/README.md
index 8d15a01a4e..420d090782 100644
--- a/modules/data-factory/factory/integration-runtime/README.md
+++ b/modules/data-factory/factory/integration-runtime/README.md
@@ -8,6 +8,7 @@ This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
+- [Notes](#Notes)
 ## Resource types
@@ -39,7 +40,21 @@ This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.
 | `typeProperties` | object | `{object}` | Integration Runtime type properties. Required if type is "Managed". |
-### Parameter Usage: [`typeProperties`](https://learn.microsoft.com/en-us/azure/templates/microsoft.datafactory/factories/integrationruntimes?tabs=bicep#integrationruntime-objects)
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the Integration Runtime. |
+| `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. |
+| `resourceId` | string | The resource ID of the Integration Runtime. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
+
+### Parameter Usage: `typeProperties`

@@ -69,15 +84,3 @@ typeProperties: {

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Integration Runtime. |
-| `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. |
-| `resourceId` | string | The resource ID of the Integration Runtime. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/data-factory/factory/managed-virtual-network/README.md b/modules/data-factory/factory/managed-virtual-network/README.md
index d1da00c980..cda18555b9 100644
--- a/modules/data-factory/factory/managed-virtual-network/README.md
+++ b/modules/data-factory/factory/managed-virtual-network/README.md
@@ -8,6 +8,7 @@ This module deploys a Data Factory Managed Virtual Network.
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
+- [Notes](#Notes)
 ## Resource types
@@ -38,6 +39,20 @@ This module deploys a Data Factory Managed Virtual Network.
 | `managedPrivateEndpoints` | array | `[]` | An array of managed private endpoints objects created in the Data Factory managed virtual network. |
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the Managed Virtual Network. |
+| `resourceGroupName` | string | The name of the Resource Group the Managed Virtual Network was created in. |
+| `resourceId` | string | The resource ID of the Managed Virtual Network. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
+
 ### Parameter Usage: `managedPrivateEndpoints`
 To use Managed Private Endpoints the following dependencies must be deployed:
@@ -86,15 +101,3 @@ managedPrivateEndpoints: [

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Managed Virtual Network. |
-| `resourceGroupName` | string | The name of the Resource Group the Managed Virtual Network was created in. |
-| `resourceId` | string | The resource ID of the Managed Virtual Network. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md
index e25728aafc..e12e916acc 100644
--- a/modules/data-protection/backup-vault/README.md
+++ b/modules/data-protection/backup-vault/README.md
@@ -9,6 +9,7 @@ This module deploys a Data Protection Backup Vault.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
+- [Notes](#Notes)
 ## Resource Types
@@ -45,153 +46,6 @@ This module deploys a Data Protection Backup Vault.
 | `type` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ZoneRedundant]` | The vault redundancy level to use. |
-### Parameter Usage: `backupPolicies`
-
-Create backup policies in the backupvault.
-
-

- -Parameter JSON format -```json - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - } - } -] -``` - -
-
 ### Parameter Usage: `roleAssignments`
 Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
@@ -605,3 +459,153 @@ module backupVault './data-protection/backup-vault/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `backupPolicies` + +Create backup policies in the backupvault. + +

+ +Parameter JSON format +```json + "backupPolicies": { + "value": [ + { + "name": "DefaultPolicy", + "properties": { + "policyRules": [ + { + "backupParameters": { + "backupType": "Incremental", + "objectType": "AzureBackupParams" + }, + "trigger": { + "schedule": { + "repeatingTimeIntervals": [ + "R/2022-05-31T23:30:00+01:00/P1D" + ], + "timeZone": "W. Europe Standard Time" + }, + "taggingCriteria": [ + { + "tagInfo": { + "tagName": "Default", + "id": "Default_" + }, + "taggingPriority": 99, + "isDefault": true + } + ], + "objectType": "ScheduleBasedTriggerContext" + }, + "dataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + }, + "name": "BackupDaily", + "objectType": "AzureBackupRule" + }, + { + "lifecycles": [ + { + "deleteAfter": { + "objectType": "AbsoluteDeleteOption", + "duration": "P7D" + }, + "targetDataStoreCopySettings": [], + "sourceDataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + } + } + ], + "isDefault": true, + "name": "Default", + "objectType": "AzureRetentionRule" + } + ], + "datasourceTypes": [ + "Microsoft.Compute/disks" + ], + "objectType": "BackupPolicy" + } + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + trigger: { + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. Europe Standard Time' + } + taggingCriteria: [ + { + tagInfo: { + tagName: 'Default' + id: 'Default_' + } + taggingPriority: 99 + isDefault: true + } + ] + objectType: 'ScheduleBasedTriggerContext' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + } + { + lifecycles: [ + { + deleteAfter: { + objectType: 'AbsoluteDeleteOption' + duration: 'P7D' + } + targetDataStoreCopySettings: [] + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + } + ] + isDefault: true + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + } + } +] +``` + +
diff --git a/modules/data-protection/backup-vault/backup-policy/README.md b/modules/data-protection/backup-vault/backup-policy/README.md
index 619bef79af..dea9657139 100644
--- a/modules/data-protection/backup-vault/backup-policy/README.md
+++ b/modules/data-protection/backup-vault/backup-policy/README.md
@@ -8,6 +8,7 @@ This module deploys a Data Protection Backup Vault Backup Policy.
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
+- [Notes](#Notes)
 ## Resource Types
@@ -32,6 +33,20 @@ This module deploys a Data Protection Backup Vault Backup Policy.
 | `properties` | object | `{object}` | The properties of the backup policy. |
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the backup policy. |
+| `resourceGroupName` | string | The name of the resource group the backup policy was created in. |
+| `resourceId` | string | The resource ID of the backup policy. |
+
+## Cross-referenced modules
+
+_None_
+
+## Notes
+
 ### Parameter Usage: `properties`
 Create a backup policy.
@@ -169,15 +184,3 @@ properties: {
 ```
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the backup policy. |
-| `resourceGroupName` | string | The name of the resource group the backup policy was created in. |
-| `resourceId` | string | The resource ID of the backup policy. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index 5f1ba4b232..13d48b4502 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -9,6 +9,7 @@ This module deploys an Azure Databricks Workspace.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
+- [Notes](#Notes)
 ## Resource types
@@ -136,71 +137,6 @@ roleAssignments: [

-### Parameter Usage: `customPublicSubnetName` and `customPrivateSubnetName` - -- Require Network Security Groups attached to the subnets (Note: Rule don't have to be set, they are set through the deployment) - -- The two subnets also need the delegation to service `Microsoft.Databricks/workspaces` - -### Parameter Usage: `parameters` - -- Include only those elements (e.g. amlWorkspaceId) as object if specified, otherwise remove it - -

- -Parameter JSON format - -```json -"parameters": { - "value": { - "amlWorkspaceId": { - "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx" - }, - "customVirtualNetworkId": { - "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx" - }, - "customPublicSubnetName": { - "value": "xxx" - }, - "customPrivateSubnetName": { - "value": "xxx" - }, - "enableNoPublicIp": { - "value": true - } - } -} -``` - -
- -
- -Bicep format - -```bicep -parameters: { - amlWorkspaceId: { - value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx' - } - customVirtualNetworkId: { - value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx' - } - customPublicSubnetName: { - value: 'xxx' - } - customPrivateSubnetName: { - value: 'xxx' - } - enableNoPublicIp: { - value: true - } -} -``` - -
-

-
 ### Parameter Usage: `tags`
 Tag names and tag values can be provided as needed. A tag can be left without a value.
@@ -649,3 +585,71 @@ module workspace './databricks/workspace/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `customPublicSubnetName` and `customPrivateSubnetName` + +- Require Network Security Groups attached to the subnets (Note: Rule don't have to be set, they are set through the deployment) + +- The two subnets also need the delegation to service `Microsoft.Databricks/workspaces` + +### Parameter Usage: `parameters` + +- Include only those elements (e.g. amlWorkspaceId) as object if specified, otherwise remove it. + +

+ +Parameter JSON format + +```json +"parameters": { + "value": { + "amlWorkspaceId": { + "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx" + }, + "customVirtualNetworkId": { + "value": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx" + }, + "customPublicSubnetName": { + "value": "xxx" + }, + "customPrivateSubnetName": { + "value": "xxx" + }, + "enableNoPublicIp": { + "value": true + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +parameters: { + amlWorkspaceId: { + value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.MachineLearningServices/workspaces/xxx' + } + customVirtualNetworkId: { + value: '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/xxx' + } + customPublicSubnetName: { + value: 'xxx' + } + customPrivateSubnetName: { + value: 'xxx' + } + enableNoPublicIp: { + value: true + } +} +``` + +
+

diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep
index 5fd5a4da99..93fdbb9416 100644
--- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep
@@ -14,10 +14,6 @@ param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dfpsfsp'
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
 @description('Generated. Used as a basis for unique resource names.')
 param baseTime string = utcNow('u')
diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md
index 6215497fed..e4d2eb18d5 100644
--- a/modules/db-for-postgre-sql/flexible-server/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/README.md
@@ -182,149 +182,6 @@ tags: {

-### Parameter Usage: `firewallRules` - -To enable firewall rules on the PostgreSQL flexible server: - -- Used when the desired connectivity mode is "Public Access" only. - -

- -Parameter JSON format - -```json -"firewallRules": { - // Example showing all available fields - "value": [ - { - "name": "AllowAllWindowsAzureIps", //Use this rule to allow Trusted Azure services to access the server - "endIpAddress": "0.0.0.0", - "startIpAddress": "0.0.0.0" - }, - { - "name": "test-rule1", - "startIpAddress": "10.10.10.1", //Start IP address for the firewall rule. Must be IPv4 format - "endIpAddress": "10.10.10.10" //End IP address for the firewall rule. Must be IPv4 format - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -firewallRules: [ - // Example showing all available fields - { - name: 'AllowAllWindowsAzureIps', //Use this rule to allow Trusted Azure services to access the server - endIpAddress: '0.0.0.0' - startIpAddress: '0.0.0.0' - } - { - name: "test-rule1", - startIpAddress: '10.10.10.1' //Start IP address for the firewall rule. Must be IPv4 format - endIpAddress: '10.10.10.10' //End IP address for the firewall rule. Must be IPv4 format - } -] -``` - -
-

- -### Parameter Usage: `configurations` - -To override default server configurations on the PostgreSQL flexible server: - -- Use the following documentation as guidance for the available configurations: [PostgreSQL Server Configurations](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-server-parameters-using-cli). - -

- -Parameter JSON format - -```json -"configurations": { - // Example showing all available fields - "value": [ - { - "name": "log_min_messages", // Name of the configuration - "source": "user-override", // user-override, dynamic, system-default - "value": "INFO" // Value of the configuration - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -configurations: [ - // Example showing all available fields - { - name: 'log_min_messages' // Name of the configuration - source: 'user-override' // user-override, dynamic, system-default - value: 'INFO' // Value of the configuration - } -] -``` - -
-

- -### Parameter Usage: `databases` - -To create databases on the PostgreSQL flexible server: - -

- -Parameter JSON format - -```json -"databases": { - // Example showing all available fields - "value": [ - { - "name": "testdb1", // Name of the database - "collation": "en_US.utf8", // Collation of the database - "charset": "UTF8" // Character set of the database - }, - { - "name": "testdb2" // Name of the database only which implements the default collation and charset - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -databases: [ - // Example showing all available fields - { - name: 'testdb1' // Name of the database - collation: 'en_US.utf8' // Collation of the database - charset: 'UTF8' // Character set of the database - } - { - name: 'testdb2' // Name of the database only which implements the default collation and charset - } -] -``` - -
-

- ### Parameter Usage: `userAssignedIdentities` You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
From e30dea558faf348b58cb9afff567649544d02757 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Sat, 14 Oct 2023 07:07:05 +1100
Subject: [PATCH 018/178] [AVM] Updated Readme's to support AVM transition - Part (1) (#4072)
---
 modules/aad/domain-service/README.md | 69 +-
 modules/api-management/service/README.md | 71 +-
 .../service/authorization-server/README.md | 6 -
 .../api-management/service/backend/README.md | 38 +-
 .../service/named-value/README.md | 65 +-
 .../authorization/policy-assignment/README.md | 229 +-
 .../authorization/policy-definition/README.md | 161 +-
 .../authorization/policy-exemption/README.md | 298 +-
 .../policy-set-definition/README.md | 170 +-
 .../authorization/role-assignment/README.md | 236 +-
 .../authorization/role-definition/README.md | 240 +-
 .../automation/automation-account/README.md | 55 -
 .../software-update-configuration/README.md | 27 +-
 .../automation-account/variable/README.md | 28 +-
 .../cache/redis-enterprise/database/README.md | 27 +-
 modules/cache/redis/README.md | 70 +-
 modules/cognitive-services/account/README.md | 219 +-
 modules/compute/gallery/application/README.md | 30 +-
 .../virtual-machine-scale-set/README.md | 2756 ++++++------
 modules/compute/virtual-machine/README.md | 3773 +++++++++-------
 20 files changed, 4206 insertions(+), 4362 deletions(-)
diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md
index 6c3685fe16..2351a4557e 100644
--- a/modules/aad/domain-service/README.md
+++ b/modules/aad/domain-service/README.md
@@ -6,10 +6,10 @@ This module deploys an Azure Active Directory Domain Services (AADDS). - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -167,38 +167,6 @@ tags: {

-## Considerations - -- A network security group has to be created and assigned to the designated AADDS subnet before deploying this module - - The following inbound rules should be allowed on the network security group - | Name | Protocol | Source Port Range | Source Address Prefix | Destination Port Range | Destination Address Prefix | - | - | - | - | - | - | - | - | AllowSyncWithAzureAD | TCP | `*` | `AzureActiveDirectoryDomainServices` | `443` | `*` | - | AllowPSRemoting | TCP | `*` | `AzureActiveDirectoryDomainServices` | `5986` | `*` | -- Associating a route table to the AADDS subnet is not recommended -- The network used for AADDS must have its DNS Servers [configured](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-networking#configure-dns-servers-in-the-peered-virtual-network) (e.g. with IPs `10.0.1.4` & `10.0.1.5`) -- Your Azure Active Directory must have the 'Domain Controller Services' service principal registered. If that's not the case, you can register it by executing the command `New-AzADServicePrincipal -ApplicationId '2565bd9d-da50-47d4-8b85-4c97f669dc36'` with an eligible user. 
- -### Create self-signed certificate for secure LDAP -Follow the below PowerShell commands to get base64 encoded string of a self-signed certificate (with a `pfxCertificatePassword`) - -```PowerShell -$pfxCertificatePassword = ConvertTo-SecureString '[[YourPfxCertificatePassword]]' -AsPlainText -Force -$certInputObject = @{ - Subject = 'CN=*.[[YourDomainName]]' - DnsName = '*.[[YourDomainName]]' - CertStoreLocation = 'cert:\LocalMachine\My' - KeyExportPolicy = 'Exportable' - Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider' - NotAfter = (Get-Date).AddMonths(3) - HashAlgorithm = 'SHA256' -} -$rawCert = New-SelfSignedCertificate @certInputObject -Export-PfxCertificate -Cert ('Cert:\localmachine\my\' + $rawCert.Thumbprint) -FilePath "$home/aadds.pfx" -Password $pfxCertificatePassword -Force -$rawCertByteStream = Get-Content "$home/aadds.pfx" -AsByteStream -$pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream) -``` - ## Outputs | Output Name | Type | Description | @@ -333,3 +301,38 @@ module domainService './aad/domain-service/main.bicep' = {

+ + +## Notes + +### Network Security Group (NSG) requirements for AADDS + +- A network security group has to be created and assigned to the designated AADDS subnet before deploying this module + - The following inbound rules should be allowed on the network security group + | Name | Protocol | Source Port Range | Source Address Prefix | Destination Port Range | Destination Address Prefix | + | - | - | - | - | - | - | + | AllowSyncWithAzureAD | TCP | `*` | `AzureActiveDirectoryDomainServices` | `443` | `*` | + | AllowPSRemoting | TCP | `*` | `AzureActiveDirectoryDomainServices` | `5986` | `*` | +- Associating a route table to the AADDS subnet is not recommended +- The network used for AADDS must have its DNS Servers [configured](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-networking#configure-dns-servers-in-the-peered-virtual-network) (e.g. with IPs `10.0.1.4` & `10.0.1.5`) +- Your Azure Active Directory must have the 'Domain Controller Services' service principal registered. If that's not the case, you can register it by executing the command `New-AzADServicePrincipal -ApplicationId '2565bd9d-da50-47d4-8b85-4c97f669dc36'` with an eligible user. 
+ +### Create self-signed certificate for secure LDAP +Follow the below PowerShell commands to get base64 encoded string of a self-signed certificate (with a `pfxCertificatePassword`) + +```PowerShell +$pfxCertificatePassword = ConvertTo-SecureString '[[YourPfxCertificatePassword]]' -AsPlainText -Force +$certInputObject = @{ + Subject = 'CN=*.[[YourDomainName]]' + DnsName = '*.[[YourDomainName]]' + CertStoreLocation = 'cert:\LocalMachine\My' + KeyExportPolicy = 'Exportable' + Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider' + NotAfter = (Get-Date).AddMonths(3) + HashAlgorithm = 'SHA256' +} +$rawCert = New-SelfSignedCertificate @certInputObject +Export-PfxCertificate -Cert ('Cert:\localmachine\my\' + $rawCert.Thumbprint) -FilePath "$home/aadds.pfx" -Password $pfxCertificatePassword -Force +$rawCertByteStream = Get-Content "$home/aadds.pfx" -AsByteStream +$pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream) +``` diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 89711df531..59632276e1 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -7,9 +7,9 @@ This module deploys an API Management Service. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -190,37 +190,6 @@ tags: {

-### Parameter Usage: `apiManagementServicePolicy` - -

- -Parameter JSON format - -```json -"apiManagementServicePolicy": { - "value": { - "value":" ", - "format":"xml" - } -} -``` - -
- -
- -Bicep format - -```bicep -apiManagementServicePolicy: { - value:' ' - format:'xml' -} -``` - -
-

- ### Parameter Usage: `userAssignedIdentities` You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: @@ -264,10 +233,6 @@ userAssignedIdentities: { | `resourceId` | string | The resource ID of the API management service. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -## Considerations - -- _None_ - ## Cross-referenced modules _None_ @@ -821,3 +786,37 @@ module service './api-management/service/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `apiManagementServicePolicy` + +

+ +Parameter JSON format + +```json +"apiManagementServicePolicy": { + "value": { + "value":" ", + "format":"xml" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +apiManagementServicePolicy: { + value:' ' + format:'xml' +} +``` + +
+

diff --git a/modules/api-management/service/authorization-server/README.md b/modules/api-management/service/authorization-server/README.md index 8d4c1f4610..a875ea1259 100644 --- a/modules/api-management/service/authorization-server/README.md +++ b/modules/api-management/service/authorization-server/README.md @@ -15,12 +15,6 @@ This module deploys an API Management Service Authorization Server. | :-- | :-- | | `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) | -### Resource dependency - -The following resources are required to be able to deploy this resource. - -- `Microsoft.ApiManagement/service` - ## Parameters **Required parameters** diff --git a/modules/api-management/service/backend/README.md b/modules/api-management/service/backend/README.md index bb8c3379c8..90025fec0f 100644 --- a/modules/api-management/service/backend/README.md +++ b/modules/api-management/service/backend/README.md @@ -8,6 +8,7 @@ This module deploys an API Management Service Backend. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -15,12 +16,6 @@ This module deploys an API Management Service Backend. | :-- | :-- | | `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) | -### Resource dependency - -The following resources are required to be able to deploy this resource. - -- `Microsoft.ApiManagement/service` - ## Parameters **Required parameters** 
@@ -51,14 +46,19 @@ The following resources are required to be able to deploy this resource. | `tls` | object | `{object}` | Backend TLS Properties. | -### Parameter Usage: Credentials +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the API management service backend. | +| `resourceGroupName` | string | The resource group the API management service backend was deployed into. | +| `resourceId` | string | The resource ID of the API management service backend. | + +## Cross-referenced modules + +_None_ -| Parameter Name| Type | Default Value | Possible values | Description | -| :-- | :-- | :--- | :-- | :- | -| `certificate` | array | | | Optional. List of Client Certificate Thumbprint. - string | -| `query` | object | | | Optional. Query Parameter description. | -| `header` | object | | | Optional. Header Parameter description. | -| `authorization` | object | | | Optional. Authorization header authentication | +## Notes ### Parameter Usage: `credentials` @@ -135,15 +135,3 @@ tls: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API management service backend. | -| `resourceGroupName` | string | The resource group the API management service backend was deployed into. | -| `resourceId` | string | The resource ID of the API management service backend. | - -## Cross-referenced modules - -_None_ diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md index 09b2c6bb57..87f55ace0e 100644 --- a/modules/api-management/service/named-value/README.md +++ b/modules/api-management/service/named-value/README.md @@ -8,6 +8,7 @@ This module deploys an API Management Service Named Value. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -41,37 +42,6 @@ This module deploys an API Management Service Named Value. | `value` | string | `[newGuid()]` | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | -### Parameter Usage: `keyVault` - -

- -Parameter JSON format - -```json -"keyVault": { - "value":{ - "secretIdentifier":"Key vault secret identifier for fetching secret.", - "identityClientId":"SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret." - } -} -``` - -
- -
- -Bicep format - -```bicep -keyVault: { - secretIdentifier:'Key vault secret identifier for fetching secret.' - identityClientId:'SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret.' -} -``` - -
-

- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -124,3 +94,36 @@ tags: { ## Cross-referenced modules _None_ + +## Notes + +### Parameter Usage: `keyVault` + +

+ +Parameter JSON format + +```json +"keyVault": { + "value":{ + "secretIdentifier":"Key vault secret identifier for fetching secret.", + "identityClientId":"SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret." + } +} +``` + +
+ +
+ +Bicep format + +```bicep +keyVault: { + secretIdentifier:'Key vault secret identifier for fetching secret.' + identityClientId:'SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret.' +} +``` + +
+

diff --git a/modules/authorization/policy-assignment/README.md b/modules/authorization/policy-assignment/README.md index 5063e771be..ff0ddb908a 100644 --- a/modules/authorization/policy-assignment/README.md +++ b/modules/authorization/policy-assignment/README.md @@ -6,10 +6,10 @@ This module deploys a Policy Assignment at a Management Group, Subscription or R - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -50,118 +50,6 @@ This module deploys a Policy Assignment at a Management Group, Subscription or R | `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

- -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). - -## Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policyassignments.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policyassignment 'yourpath/module/Authorization.policyAssignments/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -985,3 +873,118 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

+ + +## Notes + +### Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-assignment.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module policyassignment 'yourpath/module/authorization/policy-assignment/subscription/main.bicep' = {} +``` + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+ +> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

+ +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` + +
+ + +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +resourceGroupName: 'target-resourceGroup' +``` + +
+

+ +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). diff --git a/modules/authorization/policy-definition/README.md b/modules/authorization/policy-definition/README.md index 8c284accfb..eea97f4ec3 100644 --- a/modules/authorization/policy-definition/README.md +++ b/modules/authorization/policy-definition/README.md @@ -6,10 +6,10 @@ This module deploys a Policy Definition at a Management Group or Subscription sc - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -41,84 +41,6 @@ This module deploys a Policy Definition at a Management Group or Subscription sc | `subscriptionId` | string | `''` | | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -## Module Usage Guidance - -In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policydefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policydefinitions.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policydefinition 'yourpath/module/Authorization.policyDefinitions/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -633,3 +555,84 @@ module policyDefinition './authorization/policy-definition/main.bicep' = {

+ + +## Notes + +### Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following:
+
+**Bicep Registry Reference**
+```bicep
+module policydefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-definition.subscription:version' = {}
+```
+**Local Path Reference**
+```bicep
+module policydefinition 'yourpath/module/authorization/policy-definition/subscription/main.bicep' = {}
+```
+
+### Parameter Usage: `managementGroupId`
+
+To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
+
+

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
+
+### Parameter Usage: `subscriptionId`
+
+To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
+
+

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

diff --git a/modules/authorization/policy-exemption/README.md b/modules/authorization/policy-exemption/README.md index b37f665b6f..50aeb359a3 100644 --- a/modules/authorization/policy-exemption/README.md +++ b/modules/authorization/policy-exemption/README.md @@ -6,11 +6,10 @@ This module deploys a Policy Exemption at a Management Group, Subscription or Re - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -46,150 +45,6 @@ This module deploys a Policy Exemption at a Management Group, Subscription or Re | `subscriptionId` | string | `''` | | The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

-
-> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
-
-### Parameter Usage: `subscriptionId`
-
-To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
-
-

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). - -### Parameter Usage: `resourceSelectors` - -To deploy Resource Selectors, you can apply the following syntax - - -

- -Parameter JSON format - -```json -"resourceSelectors": [ - { - "name": "TemporaryMitigation", - "selectors": [ - { - "kind": "resourceLocation", - "in": [ - "westcentralus" - ] - } - ] - } -] -``` - -
- -
- -Bicep format - -```bicep -resourceSelectors: [ - { - name: 'TemporaryMitigation' - selectors: [ - { - kind: 'resourceLocation' - in: [ - 'westcentralus' - ] - } - ] - } -] -``` - -
-

-
-## Module Usage Guidance
-
-In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
-
-The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
-
-```bicep
-Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
-```
-
-The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry.
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policyexemption 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policyexemptions.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policyexemption 'yourpath/module/Authorization.policyExemptions/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -198,10 +53,6 @@ module policyexemption 'yourpath/module/Authorization.policyExemptions/subscript | `resourceId` | string | Policy Exemption resource ID. | | `scope` | string | Policy Exemption Scope. | -## Considerations - -- Policy Exemptions have a dependency on Policy Assignments being applied before creating an exemption. You can use the Policy Assignment [Module](../policy-assignment/main.bicep) to deploy a Policy Assignment and then create the exemption for it on the required scope. - ## Cross-referenced modules _None_ @@ -698,3 +549,150 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

+
+
+## Notes
+
+### Module Usage Guidance
+
+In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
+
+The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
+
+```bicep
+Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
+```
+
+The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry.
CARML also published the sub-modules so you would be able to reference it like the following:
+
+**Bicep Registry Reference**
+```bicep
+module policyexemption 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-exemption.subscription:version' = {}
+```
+**Local Path Reference**
+```bicep
+module policyexemption 'yourpath/module/authorization/policy-exemption/subscription/main.bicep' = {}
+```
+
+### Parameter Usage: `managementGroupId`
+
+To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
+
+
+

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
+
+### Parameter Usage: `subscriptionId`
+
+To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
+
+

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

+ +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` + +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). + +### Parameter Usage: `resourceSelectors` + +To deploy Resource Selectors, you can apply the following syntax + + +

+ +Parameter JSON format + +```json +"resourceSelectors": [ + { + "name": "TemporaryMitigation", + "selectors": [ + { + "kind": "resourceLocation", + "in": [ + "westcentralus" + ] + } + ] + } +] +``` + +
+ +
+ +Bicep format + +```bicep +resourceSelectors: [ + { + name: 'TemporaryMitigation' + selectors: [ + { + kind: 'resourceLocation' + in: [ + 'westcentralus' + ] + } + ] + } +] +``` + +
+

diff --git a/modules/authorization/policy-set-definition/README.md b/modules/authorization/policy-set-definition/README.md index 9ec90f0cee..aba3a1620c 100644 --- a/modules/authorization/policy-set-definition/README.md +++ b/modules/authorization/policy-set-definition/README.md @@ -6,11 +6,10 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group o - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -42,86 +41,6 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group o | `subscriptionId` | string | `''` | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

-
-> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
-
-### Parameter Usage: `subscriptionId`
-
-To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
-
-

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

-
-## Module Usage Guidance
-
-In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
-
-The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
-
-```bicep
-Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
-```
-
-The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry.
CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module policysetdefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policysetdefinitions.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module policysetdefinition 'yourpath/module/Authorization.policySetDefinitions/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -129,10 +48,6 @@ module policysetdefinition 'yourpath/module/Authorization.policySetDefinitions/s | `name` | string | Policy Set Definition Name. | | `resourceId` | string | Policy Set Definition resource ID. | -## Considerations - -- Policy Set Definitions (Initiatives) have a dependency on Policy Assignments being applied before creating an initiative. You can use the Policy Assignment [Module](../policy-definition/main.bicep) to deploy a Policy Definition and then create an initiative for it on the required scope. - ## Cross-referenced modules _None_ @@ -571,3 +486,86 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =

+
+
+## Notes
+
+### Module Usage Guidance
+
+In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
+
+The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
+
+```bicep
+Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
+```
+
+The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry.
CARML also published the sub-modules so you would be able to reference it like the following:
+
+**Bicep Registry Reference**
+```bicep
+module policysetdefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.policy-set-definition.subscription:version' = {}
+```
+**Local Path Reference**
+```bicep
+module policysetdefinition 'yourpath/module/authorization/policy-set-definition/subscription/main.bicep' = {}
+```
+
+### Parameter Usage: `managementGroupId`
+
+To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
+
+
+

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
+
+### Parameter Usage: `subscriptionId`
+
+To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
+
+

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ + +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

diff --git a/modules/authorization/role-assignment/README.md b/modules/authorization/role-assignment/README.md index bfeb9d4da4..005701544c 100644 --- a/modules/authorization/role-assignment/README.md +++ b/modules/authorization/role-assignment/README.md @@ -6,11 +6,10 @@ This module deploys a Role Assignment at a Management Group, Subscription or Res - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -43,119 +42,6 @@ This module deploys a Role Assignment at a Management Group, Subscription or Res | `subscriptionId` | string | `''` | | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

-
-> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
-
-### Parameter Usage: `subscriptionId`
-
-To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
-
-

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

-
-> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
-
-## Module Usage Guidance
-
-In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
-
-The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
-
-```bicep
-Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
-```
-
-The solution is to have the option of directly targeting the sub-module that achieves the required scope.
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module roleassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.roleassignments.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module roleassignment 'yourpath/module/Authorization.roleAssignments/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -164,10 +50,6 @@ module roleassignment 'yourpath/module/Authorization.roleAssignments/subscriptio | `resourceId` | string | The resource ID of the Role Assignment. | | `scope` | string | The scope this Role Assignment applies to. | -## Considerations - -This module can be deployed at the management group, subscription or resource group level - ## Cross-referenced modules _None_ @@ -536,3 +418,119 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

+
+
+## Notes
+
+### Module Usage Guidance
+
+In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
+
+The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
+
+```bicep
+Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
+```
+
+The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry.
CARML also published the sub-modules so you would be able to reference it like the following:
+
+**Bicep Registry Reference**
+```bicep
+module roleassignment 'br:bicepregistry.azurecr.io/bicep/modules/authorization.role-assignment.subscription:version' = {}
+```
+**Local Path Reference**
+```bicep
+module roleassignment 'yourpath/module/authorization/role-assignment/subscription/main.bicep' = {}
+```
+
+### Parameter Usage: `managementGroupId`
+
+To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
+
+
+

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
+
+### Parameter Usage: `subscriptionId`
+
+To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
+
+

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

+ +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` + +
+ + +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +resourceGroupName: 'target-resourceGroup' +``` + +
+

+ +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). diff --git a/modules/authorization/role-definition/README.md b/modules/authorization/role-definition/README.md index ba94584af6..35163be1ba 100644 --- a/modules/authorization/role-definition/README.md +++ b/modules/authorization/role-definition/README.md @@ -6,11 +6,10 @@ This module deploys a Role Definition at a Management Group, Subscription or Res - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -43,119 +42,6 @@ This module deploys a Role Definition at a Management Group, Subscription or Res | `subscriptionId` | string | `''` | The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

-
-> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
-
-### Parameter Usage: `subscriptionId`
-
-To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
-
-
-

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

-
-> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
-
-## Module Usage Guidance
-
-In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
-
-The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
-
-```bicep
-Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
-```
-
-The solution is to have the option of directly targeting the sub-module that achieves the required scope.
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module roledefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.roledefinitions.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module roledefinition 'yourpath/module/Authorization.roleDefinitions/subscription/main.bicep' = {} -``` - ## Outputs | Output Name | Type | Description | @@ -164,14 +50,6 @@ module roledefinition 'yourpath/module/Authorization.roleDefinitions/subscriptio | `resourceId` | string | The resource ID of the Role Definition. | | `scope` | string | The scope this Role Definition applies to. | -## Considerations - -This module can be deployed both at subscription or resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription ID in the `subscriptionId` parameter. -- To deploy the module at the subscription level, provide an existing subscription ID in the `subscriptionId` parameter. -- To deploy the module at the management group level, provide an existing management group ID in the `managementGroupId` parameter. - ## Cross-referenced modules _None_ @@ -620,3 +498,119 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

+ + +## Notes + +### Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. 
CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module roledefinition 'br:bicepregistry.azurecr.io/bicep/modules/authorization.role-definition.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module roledefinition 'yourpath/module/authorization/role-definition/subscription/main.bicep' = {} +``` + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+ +> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

+ +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` + +
+ + +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +resourceGroupName: 'target-resourceGroup' +``` + +
+

+ +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 269eb05810..e2574eea05 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -78,61 +78,6 @@ This module deploys an Azure Automation Account. | `variables` | array | `[]` | | List of variables to be created in the automation account. | -### Parameter Usage: `encryption` - -Prerequisites: - -- User Assigned Identity for Encryption needs `Get`, `List`, `Wrap` and `Unwrap` permissions on the key. -- User Assigned Identity have to be one of the defined identities in userAssignedIdentities parameter block. -- To use Azure Automation with customer managed keys, both `Soft Delete` and `Do Not Purge` features must be turned on to allow for recovery of keys in case of accidental deletion. - -

- -Parameter JSON format - -```json -"encryptionKeySource" : { - "value" : "Microsoft.KeyVault" -}, -"encryptionUserAssignedIdentity": { - "value": "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001" // this identity needs to be one of the identities defined in userAssignedIdentities section -}, -"keyName" : { - "value" : "keyEncryptionKey" -}, -"keyvaultUri" : { - "value" : "https://[[keyValutName]].vault.azure.net/" -}, -"keyVersion" : { - "value" : "aa11b22c1234567890c3608c657cd5a2" -}, -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {}, // same value as 'encryptionUserAssignedIdentity' parameter - } -} -``` - -
- -
- -Bicep format - -```bicep -encryptionKeySource: 'Microsoft.KeyVault' -encryptionUserAssignedIdentity: '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001' // this identity needs to be one of the identities defined in userAssignedIdentities section -keyName : 'keyEncryptionKey' -keyvaultUri: 'https://[[keyValutName]].vault.azure.net/' -keyVersion: 'aa11b22c1234567890c3608c657cd5a2' -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} // same value as 'encryptionUserAssignedIdentity' parameter -} -``` - -
-

- ### Parameter Usage: `privateEndpoints` To use Private Endpoint the following dependencies must be deployed: diff --git a/modules/automation/automation-account/software-update-configuration/README.md b/modules/automation/automation-account/software-update-configuration/README.md index 522e7a220b..4504591720 100644 --- a/modules/automation/automation-account/software-update-configuration/README.md +++ b/modules/automation/automation-account/software-update-configuration/README.md @@ -8,6 +8,7 @@ This module deploys an Azure Automation Account Software Update Configuration. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -72,6 +73,20 @@ This module deploys an Azure Automation Account Software Update Configuration. | `baseTime` | string | `[utcNow('u')]` | Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed softwareUpdateConfiguration. | +| `resourceGroupName` | string | The resource group of the deployed softwareUpdateConfiguration. | +| `resourceId` | string | The resource ID of the deployed softwareUpdateConfiguration. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `scopeByTags` Provide tag keys, with an array of values, filtering in machines that should be included in the deployment schedule. @@ -167,15 +182,3 @@ monthlyOccurrences: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed softwareUpdateConfiguration. | -| `resourceGroupName` | string | The resource group of the deployed softwareUpdateConfiguration. | -| `resourceId` | string | The resource ID of the deployed softwareUpdateConfiguration. | - -## Cross-referenced modules - -_None_ diff --git a/modules/automation/automation-account/variable/README.md b/modules/automation/automation-account/variable/README.md index d042bc9ef9..a3356c0f6a 100644 --- a/modules/automation/automation-account/variable/README.md +++ b/modules/automation/automation-account/variable/README.md @@ -8,6 +8,7 @@ This module deploys an Azure Automation Account Variable. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -39,6 +40,21 @@ This module deploys an Azure Automation Account Variable. | `isEncrypted` | bool | `True` | If the variable should be encrypted. For security reasons encryption of variables should be enabled. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed variable. | +| `resourceGroupName` | string | The resource group of the deployed variable. | +| `resourceId` | string | The resource ID of the deployed variable. | + +## Cross-referenced modules + +_None_ + +## Notes + + ### Parameter Usage: `value`

@@ -89,15 +105,3 @@ value: '\'TestString\''

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed variable. | -| `resourceGroupName` | string | The resource group of the deployed variable. | -| `resourceId` | string | The resource ID of the deployed variable. | - -## Cross-referenced modules - -_None_ diff --git a/modules/cache/redis-enterprise/database/README.md b/modules/cache/redis-enterprise/database/README.md index b4cfcd3cb1..b685df1716 100644 --- a/modules/cache/redis-enterprise/database/README.md +++ b/modules/cache/redis-enterprise/database/README.md @@ -8,6 +8,7 @@ This module deploys a Redis Cache Enterprise Database. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -41,6 +42,20 @@ This module deploys a Redis Cache Enterprise Database. | `port` | int | `-1` | | TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed database. | +| `resourceGroupName` | string | The resource group of the deployed database. | +| `resourceId` | string | The resource ID of the deployed database. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `modules` Optional set of Redis modules to enable in this database. Modules can only be added at creation time. Each module requires a name (e.g. 'RedisBloom', 'RediSearch', 'RedisTimeSeries') and optionally an argument (e.g. 'ERROR_RATE 0.01 INITIAL_SIZE 400'). See [Redis Cache modules documentation](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-redis-modules) for more information. @@ -91,15 +106,3 @@ modules: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group of the deployed database. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index a9732cb76c..78bcbee51a 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -9,6 +9,7 @@ This module deploys a Redis Cache. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -198,39 +199,6 @@ userAssignedIdentities: {

-### Parameter Usage: `redisConfiguration` - -All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.. - -Name | Description | Value ----------|----------|--------- -aof-storage-connection-string-0 | First storage account connection string | string -aof-storage-connection-string-1 | Second storage account connection string | string -maxfragmentationmemory-reserved | Value in megabytes reserved for fragmentation per shard | string -maxmemory-delta | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string -maxmemory-policy | The eviction strategy used when your data won't fit within its memory limit. | string -maxmemory-reserved | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string -rdb-backup-enabled | Specifies whether the rdb backup is enabled | string -rdb-backup-frequency | Specifies the frequency for creating rdb backup | string -rdb-backup-max-snapshot-count | Specifies the maximum number of snapshots for rdb backup | string -rdb-storage-connection-string | The storage account connection string for storing rdb file | string - -For more details visit [Microsoft.Cache redis reference](https://learn.microsoft.com/en-us/azure/templates/microsoft.cache/redis?tabs=bicep) - -

- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ### Parameter Usage: `privateEndpoints` To use Private Endpoint the following dependencies must be deployed: @@ -561,3 +529,39 @@ module redis './cache/redis/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `redisConfiguration` + +All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.. + +Name | Description | Value +---------|----------|--------- +aof-storage-connection-string-0 | First storage account connection string | string +aof-storage-connection-string-1 | Second storage account connection string | string +maxfragmentationmemory-reserved | Value in megabytes reserved for fragmentation per shard | string +maxmemory-delta | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string +maxmemory-policy | The eviction strategy used when your data won't fit within its memory limit. | string +maxmemory-reserved | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string +rdb-backup-enabled | Specifies whether the rdb backup is enabled | string +rdb-backup-frequency | Specifies the frequency for creating rdb backup | string +rdb-backup-max-snapshot-count | Specifies the maximum number of snapshots for rdb backup | string +rdb-storage-connection-string | The storage account connection string for storing rdb file | string + +For more details visit [Microsoft.Cache redis reference](https://learn.microsoft.com/en-us/azure/templates/microsoft.cache/redis?tabs=bicep) + +

+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index cf27832adf..cd6965fa0d 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -7,9 +7,9 @@ This module deploys a Cognitive Service. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -173,117 +173,6 @@ privateEndpoints: [

-### Parameter Usage: `encryption` - -

- -Parameter JSON format - -```json -// With customer-managed key -"encryption": { - "value": { - "keySource": "Microsoft.KeyVault", - "keyVaultProperties": { - "identityClientId": "12345678-1234-1234-1234-123456789012", // ID must be updated for new identity - "keyVaultUri": "https://adp-[[namePrefix]]-az-kv-nopr-002.vault.azure.net/", - "keyName": "keyEncryptionKey", - "keyversion": "1111111111111111111111111111111" // Version must be updated for new keys - } - } -} -// With service-managed key -"encryption": { - "value": { - "keySource": "Microsoft.CognitiveServices" - } -} -``` - -
- -
- -Bicep format - -```bicep -// With customer managed key -encryption: { - keySource: 'Microsoft.KeyVault' - keyVaultProperties: { - identityClientId: '12345678-1234-1234-1234-123456789012' // ID must be updated for new identity - keyVaultUri: 'https://adp-[[namePrefix]]-az-kv-nopr-002.vault.azure.net/' - keyName: 'keyEncryptionKey' - keyversion: '1111111111111111111111111111111' // Version must be updated for new keys - } -} -// With service-managed key -encryption: { - keySource: 'Microsoft.CognitiveServices' -} -``` - -
-

-### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -325,31 +214,20 @@ tags: {

-### Parameter Usage: `networkAcls` +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:

Parameter JSON format ```json -"networkAcls": { - "value": { - "defaultAction": "Deny", - "virtualNetworkRules": [ - { - "id": "/subscriptions//resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks//subnets/", - "ignoreMissingVnetServiceEndpoint": false - } - ], - "ipRules": [ - { - "value": "1.1.1.1" - }, - { - "value": "" - } - ] - } +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } } ``` @@ -360,42 +238,42 @@ tags: { Bicep format ```bicep -networkAcls: { - defaultAction: 'Deny' - virtualNetworkRules: [ - { - id: '/subscriptions//resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks//subnets/' - ignoreMissingVnetServiceEndpoint: false - } - ] - ipRules: [ - { - value: '1.1.1.1' - } - { - value: '' - } - ] +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ```

-### Parameter Usage: `userAssignedIdentities` +### Parameter Usage: `roleAssignments` -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.

Parameter JSON format ```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] } ``` @@ -406,10 +284,23 @@ You can specify multiple user assigned identities to a resource by providing add Bicep format ```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] ```
@@ -426,11 +317,6 @@ userAssignedIdentities: { | `resourceId` | string | The resource ID of the cognitive services account. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -## Considerations - -- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. -- Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services. - ## Cross-referenced modules This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). @@ -875,3 +761,10 @@ module account './cognitive-services/account/main.bicep' = {

+ + +## Notes + +### Module Usage Guidance + +- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md index 5c5b203c60..1ce801893c 100644 --- a/modules/compute/gallery/application/README.md +++ b/modules/compute/gallery/application/README.md @@ -8,6 +8,7 @@ This module deploys an Azure Compute Gallery Application. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -147,7 +148,21 @@ tags: {

-

+## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the image. | +| `resourceGroupName` | string | The resource group the image was deployed into. | +| `resourceId` | string | The resource ID of the image. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `customActions` Create a list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. @@ -246,16 +261,3 @@ customActions: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the image. | -| `resourceGroupName` | string | The resource group the image was deployed into. | -| `resourceId` | string | The resource ID of the image. | - -## Cross-referenced modules - -_None_ diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 58083f1794..aeb6d239cf 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Machine Scale Set. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -119,51 +120,82 @@ The following resources are required to be able to deploy this resource. | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | -#### Marketplace images +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.

Parameter JSON format ```json -"imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] } ```
-
Bicep format ```bicep -imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' -} +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] ```
+

-#### Custom images +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value.

Parameter JSON format ```json -"imageReference": { +"tags": { "value": { - "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" } } ``` @@ -175,26 +207,32 @@ imageReference: { Bicep format ```bicep -imageReference: { - id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' } ```

-### Parameter Usage: `plan` +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:

Parameter JSON format ```json -"plan": { +"userAssignedIdentities": { "value": { - "name": "qvsa-25", - "product": "qualys-virtual-scanner", - "publisher": "qualysguard" + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} } } ``` @@ -206,839 +244,842 @@ imageReference: { Bicep format ```bicep -plan: { - name: 'qvsa-25' - product: 'qualys-virtual-scanner' - publisher: 'qualysguard' +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ```

-### Parameter Usage: `osDisk` - -

- -Parameter JSON format - -```json -"osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } -} -``` - -
- -
- -Bicep format +## Outputs -```bicep -osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } -} -``` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the virtual machine scale set. | +| `resourceGroupName` | string | The resource group of the virtual machine scale set. | +| `resourceId` | string | The resource ID of the virtual machine scale set. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -
-

+## Cross-referenced modules -### Parameter Usage: `dataDisks` +_None_ -

+## Deployment examples -Parameter JSON format +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -```json -"dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "256", - "writeAcceleratorEnabled": true, - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "writeAcceleratorEnabled": true, - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } - ] -} -``` + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -
+

Example 1: Linux

-Bicep format +via Bicep module ```bicep -dataDisks: [ - { +module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsslin' + params: { + // Required parameters + adminUsername: 'scaleSetAdmin' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + name: 'cvmsslin001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + skuName: 'Standard_B12ms' + // Non-required parameters + availabilityZones: [ + '2' + ] + bootDiagnosticStorageAccountName: '' + dataDisks: [ + { caching: 'ReadOnly' createOption: 'Empty' diskSizeGB: '256' - writeAcceleratorEnabled: true managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } + storageAccountType: 'Premium_LRS' } - } - { + } + { caching: 'ReadOnly' createOption: 'Empty' diskSizeGB: '128' - writeAcceleratorEnabled: true managedDisk: { - storageAccountType: 'Premium_LRS'diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. 
- id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } + storageAccountType: 'Premium_LRS' } + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + VolumeType: 'All' + } } -] -``` - -
-

- -### Parameter Usage: `nicConfigurations` - -Comments: -- The field `nicSuffix` is mandatory. -- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VMSS to be deployed with a supported OS and VM size. - -

- -Parameter JSON format - -```json -"nicConfigurations": { - "value": [ + extensionCustomScriptConfig: { + enabled: true + fileData: [ { - "nicSuffix": "-nic01", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux" - } - } - } - ] + storageAccountId: '' + uri: '' } - ] -} -``` - -
- -
- -Bicep format - -```bicep -nicConfigurations: [ - { - nicSuffix: '-nic01' + ] + protectedSettings: { + commandToExecute: 'sudo apt-get update' + } + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + lock: 'CanNotDelete' + nicConfigurations: [ + { ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux' - } - } + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ + { + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] + roleAssignments: [ + { + principalIds: [ + '' ] + roleDefinitionIdOrName: 'Reader' + } + ] + scaleSetFaultDomain: 1 + skuCapacity: 1 + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } -] -``` - -
-

- -### Parameter Usage: `extensionDomainJoinConfig` - -

- -Parameter JSON format - -```json -"extensionDomainJoinConfig": { - "value": { - "enabled": true, - "settings": { - "name": "contoso.com", - "user": "test.user@testcompany.com", - "ouPath": "OU=testOU; DC=contoso; DC=com", - "restart": true, - "options": 3 + upgradePolicyMode: 'Manual' + userAssignedIdentities: { + '': {} } + vmNamePrefix: 'vmsslinvm' + vmPriority: 'Regular' } -}, -"extensionDomainJoinPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" - }, - "secretName": "domainJoinUser02-Password" - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionDomainJoinConfig: { - enabled: true - settings: { - name: 'contoso.com' - user: 'test.user@testcompany.com' - ouPath: 'OU=testOU; DC=contoso; DC=com' - restart: true - options: 3 - } -} - -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-[[namePrefix]]-az-kv-x-001' - scope: resourceGroup('[[subscriptionId]]','validation-rg') -} - -extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') -``` - -
-

- -### Parameter Usage: `extensionNetworkWatcherAgentConfig` - -

- -Parameter JSON format - -```json -"extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionNetworkWatcherAgentConfig: { - enabled: true } ```

-### Parameter Usage: `extensionAntiMalwareConfig` - -Only for OSType Windows -

-Parameter JSON format +via JSON Parameter file ```json -"extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "isEnabled": "true", - "scanType": "Quick", - "day": "7", - "time": "120" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "scaleSetAdmin" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" } - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' + }, + "name": { + "value": "cvmsslin001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - isEnabled: 'true' - scanType: 'Quick' - day: '7' - time: '120' + } + }, + "osType": { + "value": "Linux" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "availabilityZones": { + "value": [ + "2" + ] + }, + "bootDiagnosticStorageAccountName": { + "value": "" + }, + "dataDisks": { + "value": [ + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "256", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionAtHost": { + "value": false + }, + "extensionAzureDiskEncryptionConfig": { + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KekVaultResourceId": "", + "KeyEncryptionAlgorithm": "RSA-OAEP", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", + "ResizeOSDisk": "false", + "VolumeType": "All" + } + } + }, + "extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + { + "storageAccountId": "", + "uri": "" + } + ], + "protectedSettings": { + "commandToExecute": "sudo 
apt-get update" + } + } + }, + "extensionDependencyAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionMonitoringAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionNetworkWatcherAgentConfig": { + "value": { + "enabled": true + } + }, + "lock": { + "value": "CanNotDelete" + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" + } + ] + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "roleDefinitionIdOrName": "Reader" } + ] + }, + "scaleSetFaultDomain": { + "value": 1 + }, + "skuCapacity": { + "value": 1 + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "upgradePolicyMode": { + "value": "Manual" + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "vmNamePrefix": { + "value": "vmsslinvm" + }, + "vmPriority": { + "value": "Regular" } + } } ```

-### Parameter Usage: `extensionAzureDiskEncryptionConfig` +

Example 2: Linux.Min

-Parameter JSON format +via Bicep module -```json -"extensionAzureDiskEncryptionConfig": { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://mykeyvault.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - "VolumeType": "All", //'OS'/'Data'/'All' - "ResizeOSDisk": "false" - } +```bicep +module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' + params: { + // Required parameters + adminUsername: 'scaleSetAdmin' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + name: 'cvmsslinmin001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } } + osType: 'Linux' + skuName: 'Standard_B12ms' + // Non-required parameters + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ + { + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] + } } ```
+

-Bicep format +via JSON Parameter file -```bicep -extensionAzureDiskEncryptionConfig: { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KeyVaultURL: 'https://mykeyvault.vault.azure.net/' - KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys - KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - VolumeType: 'All' //'OS'/'Data'/'All' - ResizeOSDisk: 'false' - } +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "scaleSetAdmin" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "name": { + "value": "cvmsslinmin001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" + } + ] + }, + 
"publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" + } + ] + } + } } ```

-### Parameter Usage: `extensionCustomScriptConfig` +

Example 3: Linux.Ssecmk

-Parameter JSON format +via Bicep module -```json -"extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - //storage accounts with SAS token requirement +```bicep +module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' + params: { + // Required parameters + adminUsername: 'scaleSetAdmin' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + name: 'cvmsslcmk001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + diskEncryptionSet: { + id: '' + } + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + skuName: 'Standard_B12ms' + // Non-required parameters + dataDisks: [ { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '128' + managedDisk: { + diskEncryptionSet: { + id: '' + } + storageAccountType: 'Premium_LRS' + } + } + ] + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + location: '' + nicConfigurations: [ { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ { - "uri": "https://github.com/myProject/File3.ps1", - "storageAccountId": "" + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' } - ], - 
"settings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } } } ```
+

-Bicep format +via JSON Parameter file -```bicep -extensionCustomScriptConfig: { - enabled: true - fileData: [ - //storage accounts with SAS token requirement +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "scaleSetAdmin" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "name": { + "value": "cvmsslcmk001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "dataDisks": { + "value": [ { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } } + ] + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "nicConfigurations": { + "value": [ { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" } - //storage account with public container (no SAS token is required) OR other 
public URL (not a storage account) + ] + }, + "publicKeys": { + "value": [ { - uri: 'https://github.com/myProject/File3.ps1' - storageAccountId: '' - } - ] - settings: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' - } -} -``` - -
-

- -### Parameter Usage: `extensionDSCConfig` - -

- -Parameter JSON format - -```json -"extensionDSCConfig": { - "value": { - "enabled": true, - "settings": { - "wmfVersion": "latest", - "configuration": { - "url": "http://validURLToConfigLocation", - "script": "ConfigurationScript.ps1", - "function": "ConfigurationFunction" - }, - "configurationArguments": { - "argument1": "Value1", - "argument2": "Value2" - }, - "configurationData": { - "url": "https://foo.psd1" - }, - "privacy": { - "dataCollection": "enable" - }, - "advancedOptions": { - "forcePullAndApply": false, - "downloadMappings": { - "specificDependencyKey": "https://myCustomDependencyLocation" - } - } - }, - "protectedSettings": { - "configurationArguments": { - "mySecret": "MyPlaceholder" - }, - "configurationUrlSasToken": "MyPlaceholder", - "configurationDataUrlSasToken": "MyPlaceholder" + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } + } } ```
+

+ +

Example 4: Windows

-Bicep format +via Bicep module ```bicep -extensionDSCConfig: { - enabled: true - settings: { - wmfVersion: 'latest' - configuration: { - url: 'http://validURLToConfigLocation' - script: 'ConfigurationScript.ps1' - function: 'ConfigurationFunction' - } - configurationArguments: { - argument1: 'Value1' - argument2: 'Value2' - } - configurationData: { - url: 'https://foo.psd1' - } - privacy: { - dataCollection: 'enable' +module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsswin' + params: { + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2022-datacenter-azure-edition' + version: 'latest' + } + name: 'cvmsswin001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + skuName: 'Standard_B12ms' + // Non-required parameters + adminPassword: '' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: true + Exclusions: { + Extensions: '.log;.ldf' + Paths: 'D:\\IISlogs;D:\\DatabaseLogs' + Processes: 'mssence.svc' } - advancedOptions: { - forcePullAndApply: false - downloadMappings: { - specificDependencyKey: 'https://myCustomDependencyLocation' - } + RealtimeProtectionEnabled: true + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' } + } } - protectedSettings: { - configurationArguments: { - mySecret: 'MyPlaceholder' - } - configurationUrlSasToken: 'MyPlaceholder' - configurationDataUrlSasToken: 'MyPlaceholder' + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: 
'' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + VolumeType: 'All' + } } -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, + extensionCustomScriptConfig: { + enabled: true + fileData: [ { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" + storageAccountId: '' + uri: '' } + ] + protectedSettings: { + commandToExecute: '' + } + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionDSCConfig: { + enabled: true + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + lock: 'CanNotDelete' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 + '' ] + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 1 + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' + upgradePolicyMode: 'Manual' + userAssignedIdentities: { + '': {} } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual machine scale set. | -| `resourceGroupName` | string | The resource group of the virtual machine scale set. | -| `resourceId` | string | The resource ID of the virtual machine scale set. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Linux

- -
- -via Bicep module - -```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslin' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - availabilityZones: [ - '2' - ] - bootDiagnosticStorageAccountName: '' - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '256' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - protectedSettings: { - commandToExecute: 'sudo apt-get update' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: 'CanNotDelete' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: 
'-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalIds: [ - '' - ] - roleDefinitionIdOrName: 'Reader' - } - ] - scaleSetFaultDomain: 1 - skuCapacity: 1 - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '': {} - } - vmNamePrefix: 'vmsslinvm' - vmPriority: 'Regular' - } -} + vmNamePrefix: 'vmsswinvm' + vmPriority: 'Regular' + } +} ```
@@ -1055,18 +1096,18 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = "parameters": { // Required parameters "adminUsername": { - "value": "scaleSetAdmin" + "value": "localAdminUser" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" } }, "name": { - "value": "cvmsslin001" + "value": "cvmsswin001" }, "osDisk": { "value": { @@ -1078,42 +1119,17 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } }, "osType": { - "value": "Linux" + "value": "Windows" }, "skuName": { "value": "Standard_B12ms" }, // Non-required parameters - "availabilityZones": { - "value": [ - "2" - ] + "adminPassword": { + "value": "" }, - "bootDiagnosticStorageAccountName": { - "value": "" - }, - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "256", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" + "diagnosticEventHubAuthorizationRuleId": { + "value": "" }, "diagnosticEventHubName": { "value": "" 
@@ -1124,15 +1140,32 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = "diagnosticWorkspaceId": { "value": "" }, - "disablePasswordAuthentication": { - "value": true - }, "enableDefaultTelemetry": { "value": "" }, "encryptionAtHost": { "value": false }, + "extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": true, + "Exclusions": { + "Extensions": ".log;.ldf", + "Paths": "D:\\IISlogs;D:\\DatabaseLogs", + "Processes": "mssence.svc" + }, + "RealtimeProtectionEnabled": true, + "ScheduledScanSettings": { + "day": "7", + "isEnabled": "true", + "scanType": "Quick", + "time": "120" + } + } + } + }, "extensionAzureDiskEncryptionConfig": { "value": { "enabled": true, @@ -1158,7 +1191,7 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } ], "protectedSettings": { - "commandToExecute": "sudo apt-get update" + "commandToExecute": "" } } }, @@ -1167,6 +1200,11 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = "enabled": true } }, + "extensionDSCConfig": { + "value": { + "enabled": true + } + }, "extensionMonitoringAgentConfig": { "value": { "enabled": true @@ -1197,13 +1235,8 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } ] }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] + "proximityPlacementGroupResourceId": { + "value": "" }, "roleAssignments": { "value": [ @@ -1215,9 +1248,6 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } ] }, - "scaleSetFaultDomain": { - "value": 1 - }, "skuCapacity": { "value": 1 }, @@ -1240,7 +1270,7 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } }, "vmNamePrefix": { - "value": "vmsslinvm" + "value": "vmsswinvm" }, "vmPriority": { "value": "Regular" 
@@ -1252,7 +1282,7 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 2: Linux.Min

+

Example 5: Windows.Min

@@ -1260,17 +1290,17 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = ```bicep module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' + name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' params: { // Required parameters - adminUsername: 'scaleSetAdmin' + adminUsername: 'localAdminUser' imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2022-datacenter-azure-edition' version: 'latest' } - name: 'cvmsslinmin001' + name: 'cvmsswinmin001' osDisk: { createOption: 'fromImage' diskSizeGB: '128' @@ -1278,10 +1308,10 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = storageAccountType: 'Premium_LRS' } } - osType: 'Linux' + osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - disablePasswordAuthentication: true + adminPassword: '' enableDefaultTelemetry: '' nicConfigurations: [ { @@ -1298,12 +1328,6 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = nicSuffix: '-nic01' } ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] } } ``` @@ -1322,18 +1346,18 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = "parameters": { // Required parameters "adminUsername": { - "value": "scaleSetAdmin" + "value": "localAdminUser" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" } }, "name": { - "value": "cvmsslinmin001" + "value": "cvmsswinmin001" }, "osDisk": { "value": { 
@@ -1345,14 +1369,14 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = } }, "osType": { - "value": "Linux" + "value": "Windows" }, "skuName": { "value": "Standard_B12ms" }, // Non-required parameters - "disablePasswordAuthentication": { - "value": true + "adminPassword": { + "value": "" }, "enableDefaultTelemetry": { "value": "" @@ -1373,14 +1397,6 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = "nicSuffix": "-nic01" } ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] } } } @@ -1389,643 +1405,633 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 3: Linux.Ssecmk

+ +## Notes + +### Parameter Usage: `imageReference` + +#### Marketplace images
-via Bicep module +Parameter JSON format -```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslcmk001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } +```json +"imageReference": { + "value": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2022-datacenter-azure-edition", + "version": "latest" } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } - } - ] - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - location: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +} +``` + +
+ + +
+ +Bicep format + +```bicep +imageReference: { + publisher: 'MicrosoftWindowsServer' + offer: 'WindowsServer' + sku: '2022-datacenter-azure-edition' + version: 'latest' +} +``` + +
+ +#### Custom images + +
+ +Parameter JSON format + +```json +"imageReference": { + "value": { + "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" } - } +} +``` + +
+ +
+ +Bicep format + +```bicep +imageReference: { + id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' } ```

+### Parameter Usage: `plan` +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "name": { - "value": "cvmsslcmk001" - }, - "osDisk": { - "value": { +"plan": { + "value": { + "name": "qvsa-25", + "product": "qualys-virtual-scanner", + "publisher": "qualysguard" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +plan: { + name: 'qvsa-25' + product: 'qualys-virtual-scanner' + publisher: 'qualysguard' +} +``` + +
+

+ +### Parameter Usage: `osDisk` + +

+ +Parameter JSON format + +```json +"osDisk": { + "value": { "createOption": "fromImage", "diskSizeGB": "128", "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } - } } ```
-

- -

Example 4: Windows

-via Bicep module +Bicep format ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsswin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - name: 'cvmsswin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { +osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' + diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. 
+ id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' } - ] - protectedSettings: { - commandToExecute: '' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionDSCConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: 'CanNotDelete' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalIds: [ - '' - ] - roleDefinitionIdOrName: 'Reader' - } - ] - skuCapacity: 1 - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '': {} } - vmNamePrefix: 'vmsswinvm' - vmPriority: 'Regular' - } } ```

+### Parameter Usage: `dataDisks` +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "name": { - "value": "cvmsswin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" +"dataDisks": { + "value": [ + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "256", + "writeAcceleratorEnabled": true, + "managedDisk": { + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" + } + } + }, + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "writeAcceleratorEnabled": true, + "managedDisk": { + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. 
+ "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" + } + } } - } - }, - "osType": { - "value": "Windows" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "day": "7", - "isEnabled": "true", - "scanType": "Quick", - "time": "120" - } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +dataDisks: [ + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '256' + writeAcceleratorEnabled: true + managedDisk: { + storageAccountType: 'Premium_LRS' + diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' + } } - } - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" + } + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '128' + writeAcceleratorEnabled: true + managedDisk: { + storageAccountType: 'Premium_LRS'diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' + } } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" - } - ], - "protectedSettings": { - "commandToExecute": "" + } +] +``` + +
+

+ +### Parameter Usage: `nicConfigurations` + +Comments: +- The field `nicSuffix` is mandatory. +- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VMSS to be deployed with a supported OS and VM size. + +

+ +Parameter JSON format + +```json +"nicConfigurations": { + "value": [ + { + "nicSuffix": "-nic01", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux" + } + } + } + ] } - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDSCConfig": { - "value": { - "enabled": true - } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +nicConfigurations: [ + { + nicSuffix: '-nic01' + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '/subscriptions/[[subscriptionId]]/resourceGroups/agents-vmss-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-scaleset/subnets/sxx-az-subnet-scaleset-linux' + } + } + } + ] + } +] +``` + +
+

+ +### Parameter Usage: `extensionDomainJoinConfig` + +

+ +Parameter JSON format + +```json +"extensionDomainJoinConfig": { + "value": { + "enabled": true, + "settings": { + "name": "contoso.com", + "user": "test.user@testcompany.com", + "ouPath": "OU=testOU; DC=contoso; DC=com", + "restart": true, + "options": 3 + } + } +}, +"extensionDomainJoinPassword": { + "reference": { + "keyVault": { + "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" }, - "extensionMonitoringAgentConfig": { - "value": { + "secretName": "domainJoinUser02-Password" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionDomainJoinConfig: { + enabled: true + settings: { + name: 'contoso.com' + user: 'test.user@testcompany.com' + ouPath: 'OU=testOU; DC=contoso; DC=com' + restart: true + options: 3 + } +} + +resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { + name: 'adp-[[namePrefix]]-az-kv-x-001' + scope: resourceGroup('[[subscriptionId]]','validation-rg') +} + +extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') +``` + +
+

+ +### Parameter Usage: `extensionNetworkWatcherAgentConfig` + +

+ +Parameter JSON format + +```json +"extensionNetworkWatcherAgentConfig": { + "value": { "enabled": true + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionNetworkWatcherAgentConfig: { + enabled: true +} +``` + +
+

+ +### Parameter Usage: `extensionAntiMalwareConfig` + +Only for OSType Windows + +

+ +Parameter JSON format + +```json +"extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": true, + "Exclusions": { + "Extensions": ".log;.ldf", + "Paths": "D:\\IISlogs;D:\\DatabaseLogs", + "Processes": "mssence.svc" + }, + "RealtimeProtectionEnabled": true, + "ScheduledScanSettings": { + "isEnabled": "true", + "scanType": "Quick", + "day": "7", + "time": "120" } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: true + Exclusions: { + Extensions: '.log;.ldf' + Paths: 'D:\\IISlogs;D:\\DatabaseLogs' + Processes: 'mssence.svc' + } + RealtimeProtectionEnabled: true + ScheduledScanSettings: { + isEnabled: 'true' + scanType: 'Quick' + day: '7' + time: '120' + } + } +} +``` + +
+

+ +### Parameter Usage: `extensionAzureDiskEncryptionConfig` + +

+ +Parameter JSON format + +```json +"extensionAzureDiskEncryptionConfig": { + // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "https://mykeyvault.vault.azure.net/", + "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", + "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys + "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", + "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' + "VolumeType": "All", //'OS'/'Data'/'All' + "ResizeOSDisk": "false" + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionAzureDiskEncryptionConfig: { + // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KeyVaultURL: 'https://mykeyvault.vault.azure.net/' + KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' + KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys + KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' + KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' + VolumeType: 'All' //'OS'/'Data'/'All' + ResizeOSDisk: 'false' + } +} +``` + +
+

+ +### Parameter Usage: `extensionCustomScriptConfig` + +

+ +Parameter JSON format + +```json +"extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + //storage accounts with SAS token requirement + { + "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + { + "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + { + "uri": "https://github.com/myProject/File3.ps1", + "storageAccountId": "" } - }, - "lock": { - "value": "CanNotDelete" - }, - "nicConfigurations": { - "value": [ + ], + "settings": { + "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionCustomScriptConfig: { + enabled: true + fileData: [ + //storage accounts with SAS token requirement { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" + uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' + storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' } - ] - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ { - "principalIds": [ - "" - ], - "roleDefinitionIdOrName": "Reader" + uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' + storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' } - ] - }, - "skuCapacity": { - "value": 1 - }, - "systemAssignedIdentity": { - "value": true - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, - "vmNamePrefix": { - "value": "vmsswinvm" - }, - "vmPriority": { - "value": "Regular" + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + { + uri: 'https://github.com/myProject/File3.ps1' + storageAccountId: '' + } + ] + settings: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' } - } } ```

-

Example 5: Windows.Min

+### Parameter Usage: `extensionDSCConfig`
-via Bicep module +Parameter JSON format -```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - name: 'cvmsswinmin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - enableDefaultTelemetry: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } +```json +"extensionDSCConfig": { + "value": { + "enabled": true, + "settings": { + "wmfVersion": "latest", + "configuration": { + "url": "http://validURLToConfigLocation", + "script": "ConfigurationScript.ps1", + "function": "ConfigurationFunction" + }, + "configurationArguments": { + "argument1": "Value1", + "argument2": "Value2" + }, + "configurationData": { + "url": "https://foo.psd1" + }, + "privacy": { + "dataCollection": "enable" + }, + "advancedOptions": { + "forcePullAndApply": false, + "downloadMappings": { + "specificDependencyKey": "https://myCustomDependencyLocation" + } } - } - ] - nicSuffix: '-nic01' - } - ] - } + }, + "protectedSettings": { + "configurationArguments": { + "mySecret": "MyPlaceholder" + }, + "configurationUrlSasToken": "MyPlaceholder", + "configurationDataUrlSasToken": "MyPlaceholder" + } + } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "name": { - "value": "cvmsswinmin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" +```bicep +extensionDSCConfig: { + enabled: true + settings: { + wmfVersion: 'latest' + configuration: { + url: 'http://validURLToConfigLocation' + script: 'ConfigurationScript.ps1' + function: 'ConfigurationFunction' } - } - }, - "osType": { - "value": "Windows" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } + configurationArguments: { + argument1: 'Value1' + argument2: 'Value2' + } + configurationData: { + url: 'https://foo.psd1' + } + privacy: { + dataCollection: 'enable' + } + advancedOptions: { + forcePullAndApply: false + downloadMappings: { + specificDependencyKey: 'https://myCustomDependencyLocation' } - ], - "nicSuffix": "-nic01" } - ] } - } + protectedSettings: { + configurationArguments: { + mySecret: 'MyPlaceholder' + } + configurationUrlSasToken: 'MyPlaceholder' + configurationDataUrlSasToken: 'MyPlaceholder' + } } ``` diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 68a796c604..a7ec515bda 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md 
@@ -6,10 +6,10 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o - [Resource Types](#Resource-Types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -116,52 +116,82 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | -### Parameter Usage: `imageReference` +### Parameter Usage: `roleAssignments` -#### Marketplace images +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
Parameter JSON format ```json -"imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] } ```
+
Bicep format ```bicep -imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' -} +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] ```

-#### Custom images +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value.

Parameter JSON format ```json -"imageReference": { +"tags": { "value": { - "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" } } ``` @@ -173,26 +203,32 @@ imageReference: { Bicep format ```bicep -imageReference: { - id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' } ```

-### Parameter Usage: `plan` +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:

Parameter JSON format ```json -"plan": { +"userAssignedIdentities": { "value": { - "name": "qvsa-25", - "product": "qualys-virtual-scanner", - "publisher": "qualysguard" + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} } } ``` @@ -204,1063 +240,1124 @@ imageReference: { Bicep format ```bicep -plan: { - name: 'qvsa-25' - product: 'qualys-virtual-scanner' - publisher: 'qualysguard' +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ```

-### Parameter Usage: `osDisk`
-
-

- -Parameter JSON format - -```json -"osDisk": { - "value": { - "createOption": "fromImage", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } -} -``` - -
- -
+## Outputs -Bicep format +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the VM. | +| `resourceGroupName` | string | The name of the resource group the VM was created in. | +| `resourceId` | string | The resource ID of the VM. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -```bicep -osDisk: { - createOption: 'fromImage' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } -} -``` +## Cross-referenced modules -
-

+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-### Parameter Usage: `dataDisks`
+| Reference | Type |
+| :-- | :-- |
+| `network/network-interface` | Local reference |
+| `network/public-ip-address` | Local reference |
+| `recovery-services/vault/backup-fabric/protection-container/protected-item` | Local reference |
-

+## Deployment examples -Parameter JSON format +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -```json -"dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "diskSizeGB": "256", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS", - "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" - } - } - } - ] -} -``` + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -
+

Example 1: Linux

-Bicep format +via Bicep module ```bicep -dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - diskSizeGB: '256' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' - } - } +module virtualMachine './compute/virtual-machine/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmlincom' + params: { + // Required parameters + adminUsername: 'localAdministrator' + imageReference: { + offer: '0001-com-ubuntu-server-focal' + publisher: 'Canonical' + sku: '' + version: 'latest' } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. - id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] } - } - } -] -``` - -
-

-
-### Parameter Usage: `nicConfigurations`
-
-Comments:
-- The field `nicSuffix` and `subnetResourceId` are mandatory.
-- If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory.
-- Each IP config needs to have the mandatory field `name`.
-- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VM to be deployed with a supported OS and VM size.
-
-

- -Parameter JSON format - -```json -"nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' - "ipConfigurations": [ - { - "name": "ipconfig1", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } + subnetResourceId: '' + zones: [ + '1' + '2' + '3' ] } - }, - { - "name": "ipconfig2", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + osDisk: { + caching: 'ReadOnly' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + vmSize: 'Standard_DS2_v2' + // Non-required parameters + availabilityZone: 1 + backupPolicyName: '' + backupVaultName: '' + backupVaultResourceGroup: '' + computerName: 'linvm1' + dataDisks: [ + { + caching: 'ReadWrite' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' } - ], - "nsgId": "/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] + } + { + caching: 'ReadWrite' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' } - ] - }, - { - "nicSuffix": "-nic-02", - "ipConfigurations": [ - { - "name": "ipconfig1", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-02" - 
} - }, + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + disablePasswordAuthentication: true + enableAutomaticUpdates: true + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAadJoinConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + VolumeType: 'All' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ { - "name": "ipconfig2", - "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", - "privateIPAllocationMethod": "Static", - "privateIPAddress": "10.0.0.9" + storageAccountId: '' + uri: '' } ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } - ] + extensionCustomScriptProtectedSetting: { + commandToExecute: '' + } + extensionDependencyAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionDSCConfig: { + enabled: false + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionMonitoringAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionNetworkWatcherAgentConfig: { + enabled: true + tags: { + 
Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + location: '' + lock: 'CanNotDelete' + monitoringWorkspaceId: '' + name: 'cvmlincom' + patchMode: 'AutomaticByPlatform' + publicKeys: [ + { + keyData: '' + path: '/home/localAdministrator/.ssh/authorized_keys' + } + ] + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + } } ```
+

-Bicep format +via JSON Parameter file -```bicep -nicConfigurations: { - value: [ - { - nicSuffix: '-nic-01' - deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' - ipConfigurations: [ +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdministrator" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-focal", + "publisher": "Canonical", + "sku": "", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ { - name: 'ipconfig1' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' + "deleteOption": "Delete", + "ipConfigurations": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } ] - } - ] - } - } - { - name: 'ipconfig2' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' + }, + "subnetResourceId": "", + "zones": [ + "1", + "2", + "3" + ] + } + ], + "nicSuffix": "-nic-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] } ] - nsgId: '/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/' - roleAssignments: [ + }, + "osDisk": { + "value": { + "caching": "ReadOnly", + "createOption": "fromImage", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" 
+ } + } + }, + "osType": { + "value": "Linux" + }, + "vmSize": { + "value": "Standard_DS2_v2" + }, + // Non-required parameters + "availabilityZone": { + "value": 1 + }, + "backupPolicyName": { + "value": "" + }, + "backupVaultName": { + "value": "" + }, + "backupVaultResourceGroup": { + "value": "" + }, + "computerName": { + "value": "linvm1" + }, + "dataDisks": { + "value": [ { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] + "caching": "ReadWrite", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "ReadWrite", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } } ] - } - { - nicSuffix: '-nic-02' - ipConfigurations: [ - { - name: 'ipconfig1' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - pipConfiguration: { - publicIpNameSuffix: '-pip-02' + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableAutomaticUpdates": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionAtHost": { + "value": false + }, + "extensionAadJoinConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionAzureDiskEncryptionConfig": { + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KekVaultResourceId": "", + "KeyEncryptionAlgorithm": "RSA-OAEP", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", + "ResizeOSDisk": "false", + "VolumeType": "All" + }, + 
"tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + { + "storageAccountId": "", + "uri": "" } + ], + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionCustomScriptProtectedSetting": { + "value": { + "commandToExecute": "" + } + }, + "extensionDependencyAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionDSCConfig": { + "value": { + "enabled": false, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionMonitoringAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionNetworkWatcherAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" } + } + }, + "location": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "monitoringWorkspaceId": { + "value": "" + }, + "name": { + "value": "cvmlincom" + }, + "patchMode": { + "value": "AutomaticByPlatform" + }, + "publicKeys": { + "value": [ { - name: 'ipconfig2' - subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' - privateIPAllocationMethod: 'Static' - privateIPAddress: '10.0.0.9' + "keyData": "", + "path": "/home/localAdministrator/.ssh/authorized_keys" } ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": 
"ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } } - ] + } } ```

-### Parameter Usage: `configurationProfileAssignments` +

Example 2: Linux.Atmg

-Parameter JSON format +via Bicep module -```json -"configurationProfileAssignments": { - "value": [ - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction", - "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest" +```bicep +module virtualMachine './compute/virtual-machine/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg' + params: { + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + subnetResourceId: '' + zones: [ + '1' + '2' + '3' + ] + } + ] + nicSuffix: '-nic-01' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + osDisk: { + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + vmSize: 'Standard_DS2_v2' + // Non-required parameters + configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + location: '' + name: 'cvmlinatmg' + publicKeys: [ + { + keyData: '' + path: '/home/localAdminUser/.ssh/authorized_keys' + } ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } } ``` -
- -
- -Bicep format - -```bicep -configurationProfileAssignments: [ - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' -] -``` -

-### Parameter Usage: `extensionDomainJoinConfig`
-

-Parameter JSON format +via JSON Parameter file ```json -"extensionDomainJoinConfig": { - "value": { - "enabled": true, - "settings": { - "name": "contoso.com", - "user": "test.user@testcompany.com", - "ouPath": "OU=testOU; DC=contoso; DC=com", - "restart": true, - "options": 3 - } - } -}, -"extensionDomainJoinPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdminUser" }, - "secretName": "domainJoinUser02-Password" + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "subnetResourceId": "", + "zones": [ + "1", + "2", + "3" + ] + } + ], + "nicSuffix": "-nic-01", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "osDisk": { + "value": { + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "vmSize": { + "value": "Standard_DS2_v2" + }, + // Non-required parameters + "configurationProfile": { + "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "name": { + "value": "cvmlinatmg" + }, + "publicKeys": { + "value": [ + { + 
"keyData": "", + "path": "/home/localAdminUser/.ssh/authorized_keys" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } } } ```
+

+ +

Example 3: Linux.Min

-Bicep format +via Bicep module ```bicep -extensionDomainJoinConfig: { - enabled: true - settings: { - name: 'contoso.com' - user: 'test.user@testcompany.com' - ouPath: 'OU=testOU; DC=contoso; DC=com' - restart: true - options: 3 +module virtualMachine './compute/virtual-machine/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmlinmin' + params: { + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' } -} - -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-[[namePrefix]]-az-kv-x-001' - scope: resourceGroup('[[subscriptionId]]','validation-rg') -} - -extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') -``` - -
-

-
-### Parameter Usage: `extensionAntiMalwareConfig`
-
-Only for OSType Windows
-
-

- -Parameter JSON format - -```json -"extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "isEnabled": "true", - "scanType": "Quick", - "day": "7", - "time": "120" + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + } + subnetResourceId: '' + } + ] + nicSuffix: '-nic-01' + } + ] + osDisk: { + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' } } + osType: 'Linux' + vmSize: 'Standard_DS2_v2' + // Non-required parameters + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + location: '' + name: 'cvmlinmin' + publicKeys: [ + { + keyData: '' + path: '/home/localAdminUser/.ssh/authorized_keys' + } + ] } } ``` -
- -
- -Bicep format - -```bicep -extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - isEnabled: 'true' - scanType: 'Quick' - day: '7' - time: '120' - } - } -} -``` - -
-

-
-### Parameter Usage: `extensionAzureDiskEncryptionConfig`
-
-

- -Parameter JSON format - -```json -"extensionAzureDiskEncryptionConfig": { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://mykeyvault.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - "VolumeType": "All", //'OS'/'Data'/'All' - "ResizeOSDisk": "false" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAzureDiskEncryptionConfig: { - // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KeyVaultURL: 'https://mykeyvault.vault.azure.net/' - KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys - KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' - KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' - VolumeType: 'All' //'OS'/'Data'/'All' - ResizeOSDisk: 'false' - } -} -``` -

-### Parameter Usage: `extensionDSCConfig`
-

-Parameter JSON format +via JSON Parameter file ```json -"extensionDSCConfig": { - "value": { - { - "enabled": true, - "settings": { - "wmfVersion": "latest", - "configuration": { - "url": "http://validURLToConfigLocation", - "script": "ConfigurationScript.ps1", - "function": "ConfigurationFunction" - }, - "configurationArguments": { - "argument1": "Value1", - "argument2": "Value2" - }, - "configurationData": { - "url": "https://foo.psd1" - }, - "privacy": { - "dataCollection": "enable" - }, - "advancedOptions": { - "forcePullAndApply": false, - "downloadMappings": { - "specificDependencyKey": "https://myCustomDependencyLocation" - } +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdminUser" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01" + }, + "subnetResourceId": "" + } + ], + "nicSuffix": "-nic-01" + } + ] + }, + "osDisk": { + "value": { + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" } - }, - "protectedSettings": { - "configurationArguments": { - "mySecret": "MyPlaceholder" - }, - "configurationUrlSasToken": "MyPlaceholder", - "configurationDataUrlSasToken": "MyPlaceholder" } + }, + "osType": { + "value": "Linux" + }, + "vmSize": { + "value": "Standard_DS2_v2" + }, + // Non-required parameters + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "name": { + "value": "cvmlinmin" + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/localAdminUser/.ssh/authorized_keys" + } + ] } } } ```
+

+ +

Example 4: Windows

-Bicep format +via Bicep module ```bicep -extensionDSCConfig: { - { - enabled: true - settings: { - wmfVersion: 'latest' - configuration: { - url: 'http://validURLToConfigLocation' - script: 'ConfigurationScript.ps1' - function: 'ConfigurationFunction' - } - configurationArguments: { - argument1: 'Value1' - argument2: 'Value2' - } - configurationData: { - url: 'https://foo.psd1' - } - privacy: { - dataCollection: 'enable' - } - advancedOptions: { - forcePullAndApply: false - downloadMappings: { - specificDependencyKey: 'https://myCustomDependencyLocation' +module virtualMachine './compute/virtual-machine/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-cvmwincom' + params: { + // Required parameters + adminUsername: 'VMAdmin' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2019-datacenter' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] } + subnetResourceId: '' + zones: [ + '1' + '2' + '3' + ] } - } - protectedSettings: { - configurationArguments: { - mySecret: 'MyPlaceholder' + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' } - configurationUrlSasToken: 'MyPlaceholder' - configurationDataUrlSasToken: 'MyPlaceholder' + ] + } + ] + osDisk: { + caching: 'None' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_DS2_v2' + // Non-required parameters + adminPassword: '' + availabilityZone: 2 + backupPolicyName: '' + 
backupVaultName: '' + backupVaultResourceGroup: '' + computerName: 'winvm1' + dataDisks: [ + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableAutomaticUpdates: true + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAadJoinConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: 'true' + Exclusions: { + Extensions: '.ext1;.ext2' + Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' + Processes: 'excludedproc1.exe;excludedproc2.exe' + } + RealtimeProtectionEnabled: 'true' + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + VolumeType: 'All' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: '' + uri: '' } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + 
extensionCustomScriptProtectedSetting: { + commandToExecute: '' + } + extensionDependencyAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionDSCConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionMonitoringAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionNetworkWatcherAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + location: '' + lock: 'CanNotDelete' + monitoringWorkspaceId: '' + name: 'cvmwincom' + patchMode: 'AutomaticByPlatform' + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } + userAssignedIdentities: { + '': {} + } + } } ```

-### Parameter Usage: `extensionCustomScriptConfig` -

-Parameter JSON format - -```json -"extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - //storage accounts with SAS token requirement - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - { - "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", - "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" - }, - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - "uri": "https://github.com/myProject/File3.ps1", - "storageAccountId": "" - } - ], - "settings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionCustomScriptConfig: { - enabled: true - fileData: [ - //storage accounts with SAS token requirement - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - { - uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' - storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' - } - //storage account with public container (no SAS token is required) OR other public URL (not a storage account) - { - uri: 'https://github.com/myProject/File3.ps1' - storageAccountId: '' - } - ] - settings: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' - } -} -``` - -
-

- -### Parameter Usage: `extensionCustomScriptProtectedSetting` - -This is used if you are going to use secrets or other sensitive information that you don't want to be visible in the deployment and logs. - -

- -Parameter JSON format - -```json -"extensionCustomScriptProtectedSetting": { - "value": [ - { - "commandToExecute": "mycommandToRun -someParam MYSECRET" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -extensionCustomScriptProtectedSetting: [ - { - commandToExecute: 'mycommandToRun -someParam MYSECRET' - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Considerations - -Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: -- an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. -- a `DefaultResourceGroup-` rg hosting a recovery services vault `DefaultBackupVault-` where vm backups are stored -For further details on automanage please refer to [Automanage virtual machines](https://learn.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VM. | -| `resourceGroupName` | string | The name of the resource group the VM was created in. | -| `resourceId` | string | The resource ID of the VM. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/network-interface` | Local reference | -| `network/public-ip-address` | Local reference | -| `recovery-services/vault/backup-fabric/protection-container/protected-item` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Linux

- -
- -via Bicep module - -```bicep -module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlincom' - params: { - // Required parameters - adminUsername: 'localAdministrator' - imageReference: { - offer: '0001-com-ubuntu-server-focal' - publisher: 'Canonical' - sku: '' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - subnetResourceId: '' - zones: [ - '1' - '2' - '3' - ] - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - ] - osDisk: { - caching: 'ReadOnly' - createOption: 'fromImage' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - availabilityZone: 1 - backupPolicyName: '' - backupVaultName: '' - backupVaultResourceGroup: '' - computerName: 'linvm1' - dataDisks: [ - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - disablePasswordAuthentication: true - enableAutomaticUpdates: true - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAadJoinConfig: { - enabled: true - tags: { - 
Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: '' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - location: '' - lock: 'CanNotDelete' - monitoringWorkspaceId: '' - name: 'cvmlincom' - patchMode: 'AutomaticByPlatform' - publicKeys: [ - { - keyData: '' - path: '/home/localAdministrator/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' 
- 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - } -} -``` - -
-

- -

- -via JSON Parameter file +via JSON Parameter file ```json { @@ -1269,13 +1366,13 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "parameters": { // Required parameters "adminUsername": { - "value": "localAdministrator" + "value": "VMAdmin" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-focal", - "publisher": "Canonical", - "sku": "", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2019-datacenter", "version": "latest" } }, @@ -1331,7 +1428,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { }, "osDisk": { "value": { - "caching": "ReadOnly", + "caching": "None", "createOption": "fromImage", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1341,14 +1438,17 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } }, "osType": { - "value": "Linux" + "value": "Windows" }, "vmSize": { "value": "Standard_DS2_v2" }, // Non-required parameters + "adminPassword": { + "value": "" + }, "availabilityZone": { - "value": 1 + "value": 2 }, "backupPolicyName": { "value": "" @@ -1360,12 +1460,12 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "value": "" }, "computerName": { - "value": "linvm1" + "value": "winvm1" }, "dataDisks": { "value": [ { - "caching": "ReadWrite", + "caching": "None", "createOption": "Empty", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1374,7 +1474,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } }, { - "caching": "ReadWrite", + "caching": "None", "createOption": "Empty", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1396,9 +1496,6 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "diagnosticWorkspaceId": { "value": "" }, - "disablePasswordAuthentication": { - "value": true - }, "enableAutomaticUpdates": { "value": true }, 
@@ -1418,6 +1515,31 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } } }, + "extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": "true", + "Exclusions": { + "Extensions": ".ext1;.ext2", + "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", + "Processes": "excludedproc1.exe;excludedproc2.exe" + }, + "RealtimeProtectionEnabled": "true", + "ScheduledScanSettings": { + "day": "7", + "isEnabled": "true", + "scanType": "Quick", + "time": "120" + } + }, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, "extensionAzureDiskEncryptionConfig": { "value": { "enabled": true, @@ -1429,12 +1551,12 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "KeyVaultResourceId": "", "KeyVaultURL": "", "ResizeOSDisk": "false", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + }, "VolumeType": "All" - }, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" } } }, @@ -1471,7 +1593,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { }, "extensionDSCConfig": { "value": { - "enabled": false, + "enabled": true, "tags": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", @@ -1509,18 +1631,13 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "value": "" }, "name": { - "value": "cvmlincom" + "value": "cvmwincom" }, "patchMode": { "value": "AutomaticByPlatform" }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdministrator/.ssh/authorized_keys" - } - ] + "proximityPlacementGroupResourceId": { + "value": "" }, "roleAssignments": { "value": [ @@ -1555,7 +1672,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 2: Linux.Atmg

+

Example 5: Windows.Atmg

@@ -1563,14 +1680,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ```bicep module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg' + name: '${uniqueString(deployment().name, location)}-test-cvmwinatmg' params: { // Required parameters - adminUsername: 'localAdminUser' + adminUsername: 'localAdministrator' imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2022-datacenter-azure-edition' version: 'latest' } nicConfigurations: [ @@ -1578,28 +1695,10 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ipConfigurations: [ { name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } subnetResourceId: '' - zones: [ - '1' - '2' - '3' - ] } ] nicSuffix: '-nic-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } ] osDisk: { @@ -1608,20 +1707,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { storageAccountType: 'Premium_LRS' } } - osType: 'Linux' + osType: 'Windows' vmSize: 'Standard_DS2_v2' // Non-required parameters + adminPassword: '' configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - disablePasswordAuthentication: true enableDefaultTelemetry: '' location: '' - name: 'cvmlinatmg' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] + name: 'cvmwinatmg' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -1645,13 +1738,13 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "parameters": { // Required parameters "adminUsername": { - "value": "localAdminUser" + "value": "localAdministrator" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" } }, @@ -1661,28 +1754,10 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "ipConfigurations": [ { "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "subnetResourceId": "", - "zones": [ - "1", - "2", - "3" - ] + "subnetResourceId": "" } ], - "nicSuffix": "-nic-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + "nicSuffix": "-nic-01" } ] }, @@ -1695,18 +1770,18 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } }, "osType": { - "value": "Linux" + "value": "Windows" }, "vmSize": { "value": "Standard_DS2_v2" }, // Non-required parameters + "adminPassword": { + "value": "" + }, "configurationProfile": { "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" }, - "disablePasswordAuthentication": { - "value": true - }, "enableDefaultTelemetry": { "value": "" }, @@ -1714,15 +1789,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "value": "" }, "name": { - "value": "cvmlinatmg" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] + "value": "cvmwinatmg" }, "tags": { "value": { @@ -1738,7 +1805,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 3: Linux.Min

+

Example 6: Windows.Min

@@ -1746,14 +1813,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ```bicep module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinmin' + name: '${uniqueString(deployment().name, location)}-test-cvmwinmin' params: { // Required parameters adminUsername: 'localAdminUser' imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2022-datacenter-azure-edition' version: 'latest' } nicConfigurations: [ @@ -1761,9 +1828,6 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ipConfigurations: [ { name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - } subnetResourceId: '' } ] @@ -1776,19 +1840,13 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { storageAccountType: 'Premium_LRS' } } - osType: 'Linux' + osType: 'Windows' vmSize: 'Standard_DS2_v2' // Non-required parameters - disablePasswordAuthentication: true + adminPassword: '' enableDefaultTelemetry: '' location: '' - name: 'cvmlinmin' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] + name: 'cvmwinmin' } } ``` @@ -1811,9 +1869,9 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" } }, @@ -1823,9 +1881,6 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { "ipConfigurations": [ { "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01" - }, "subnetResourceId": "" } ], 
@@ -1842,31 +1897,23 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } }, "osType": { - "value": "Linux" + "value": "Windows" }, "vmSize": { "value": "Standard_DS2_v2" }, // Non-required parameters - "disablePasswordAuthentication": { - "value": true + "adminPassword": { + "value": "" }, "enableDefaultTelemetry": { "value": "" }, "location": { "value": "" - }, - "name": { - "value": "cvmlinmin" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] + }, + "name": { + "value": "cvmwinmin" } } } @@ -1875,7 +1922,7 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 4: Windows

+

Example 7: Windows.Ssecmk

@@ -1883,10 +1930,10 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ```bicep module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmwincom' + name: '${uniqueString(deployment().name, location)}-test-cvmwincmk' params: { // Required parameters - adminUsername: 'VMAdmin' + adminUsername: 'VMAdministrator' imageReference: { offer: 'WindowsServer' publisher: 'MicrosoftWindowsServer' @@ -1895,58 +1942,21 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { } nicConfigurations: [ { - deleteOption: 'Delete' ipConfigurations: [ { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } subnetResourceId: '' - zones: [ - '1' - '2' - '3' - ] } ] nicSuffix: '-nic-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] } ] osDisk: { - caching: 'None' - createOption: 'fromImage' - deleteOption: 'Delete' diskSizeGB: '128' managedDisk: { + diskEncryptionSet: { + id: '' + } storageAccountType: 'Premium_LRS' } } 
@@ -1954,159 +1964,115 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { vmSize: 'Standard_DS2_v2' // Non-required parameters adminPassword: '' - availabilityZone: 2 - backupPolicyName: '' - backupVaultName: '' - backupVaultResourceGroup: '' - computerName: 'winvm1' dataDisks: [ { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' diskSizeGB: '128' managedDisk: { + diskEncryptionSet: { + id: '' + } storageAccountType: 'Premium_LRS' } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableAutomaticUpdates: true enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAadJoinConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } + location: '' + name: 'cvmwincmk' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - tags: { - Environment: 'Non-Prod' - 
'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - VolumeType: 'All' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "VMAdministrator" + }, + "imageReference": { + "value": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2019-datacenter", + "version": "latest" } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ + }, + "nicConfigurations": { + "value": [ { - storageAccountId: '' - uri: '' + "ipConfigurations": [ + { + "name": "ipconfig01", + "subnetResourceId": "" + } + ], + "nicSuffix": "-nic-01" } ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: '' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' + }, + "osDisk": { + "value": { + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } } - } - location: '' - lock: 'CanNotDelete' - monitoringWorkspaceId: '' - name: 'cvmwincom' - patchMode: 'AutomaticByPlatform' - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 
'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + }, + "osType": { + "value": "Windows" + }, + "vmSize": { + "value": "Standard_DS2_v2" + }, + // Non-required parameters + "adminPassword": { + "value": "" + }, + "dataDisks": { + "value": [ + { + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "name": { + "value": "cvmwincmk" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" } - ] - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} } } } @@ -2115,447 +2081,613 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

+ +## Notes + +### Automanage considerations + +Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: +- an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. +- a `DefaultResourceGroup-` resource group hosting a recovery services vault `DefaultBackupVault-` where virtual machine backups are stored +For further details on automanage please refer to [Automanage virtual machines](https://learn.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). + +### Parameter Usage: `imageReference` + +#### Marketplace images +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "VMAdmin" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", +"imageReference": { + "value": { "publisher": "MicrosoftWindowsServer", - "sku": "2019-datacenter", + "offer": "WindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" - } - }, - "nicConfigurations": { - "value": [ + } +} +``` + +
+
+ +Bicep format + +```bicep +imageReference: { + publisher: 'MicrosoftWindowsServer' + offer: 'WindowsServer' + sku: '2022-datacenter-azure-edition' + version: 'latest' +} +``` + +
+

+ +#### Custom images + +

+ +Parameter JSON format + +```json +"imageReference": { + "value": { + "id": "/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +imageReference: { + id: '/subscriptions/12345-6789-1011-1213-15161718/resourceGroups/rg-name/providers/Microsoft.Compute/images/imagename' +} +``` + +
+

+ +### Parameter Usage: `plan` + +

+ +Parameter JSON format + +```json +"plan": { + "value": { + "name": "qvsa-25", + "product": "qualys-virtual-scanner", + "publisher": "qualysguard" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +plan: { + name: 'qvsa-25' + product: 'qualys-virtual-scanner' + publisher: 'qualysguard' +} +``` + +
+

+ +### Parameter Usage: `osDisk` + +

+ +Parameter JSON format + +```json +"osDisk": { + "value": { + "createOption": "fromImage", + "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" + } + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +osDisk: { + createOption: 'fromImage' + deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' + } + } +} +``` + +
+

+ +### Parameter Usage: `dataDisks` + +

+ +Parameter JSON format + +```json +"dataDisks": { + "value": [ { - "deleteOption": "Delete", - "ipConfigurations": [ - { - "applicationSecurityGroups": [ - { - "id": "" + "caching": "ReadOnly", + "createOption": "Empty", + "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' + "diskSizeGB": "256", + "managedDisk": { + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" + } + }, + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS", + "diskEncryptionSet": { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + "id": "/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/" } - ], - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "subnetResourceId": "", - "zones": [ - "1", - "2", - "3" - ] } - ], - "nicSuffix": "-nic-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +dataDisks: [ + { + caching: 'ReadOnly' + createOption: 'Empty' + deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' + diskSizeGB: '256' + managedDisk: { + storageAccountType: 'Premium_LRS' + diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' } - ] } - ] - }, - "osDisk": { - "value": { - "caching": "None", - "createOption": "fromImage", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" + } + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + diskEncryptionSet: { // Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + id: '/subscriptions//resourceGroups//providers/Microsoft.Compute/diskEncryptionSets/' + } } - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "availabilityZone": { - "value": 2 - }, - "backupPolicyName": { - "value": "" - }, - "backupVaultName": { - "value": "" - }, - "backupVaultResourceGroup": { - "value": "" - }, - "computerName": { - "value": "winvm1" - }, - "dataDisks": { - "value": [ + } +] +``` + +
+

+ +### Parameter Usage: `nicConfigurations` + +Comments: +- The field `nicSuffix` and `subnetResourceId` are mandatory. +- If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory. +- Each IP config needs to have the mandatory field `name`. +- If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VM to be deployed with a supported OS and VM size. + +

+ +Parameter JSON format + +```json +"nicConfigurations": { + "value": [ + { + "nicSuffix": "-nic-01", + "deleteOption": "Delete", // Optional. Can be 'Delete' or 'Detach' + "ipConfigurations": [ { - "caching": "None", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" + "name": "ipconfig1", + "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "" + ] + } + ] } }, { - "caching": "None", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } + "name": "ipconfig2", + "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", } - ] - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableAutomaticUpdates": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAadJoinConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + ], + "nsgId": "/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/", + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "" + ] } - } + ] }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": "true", - "Exclusions": { - "Extensions": ".ext1;.ext2", - "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", - "Processes": "excludedproc1.exe;excludedproc2.exe" - }, 
- "RealtimeProtectionEnabled": "true", - "ScheduledScanSettings": { - "day": "7", - "isEnabled": "true", - "scanType": "Quick", - "time": "120" + { + "nicSuffix": "-nic-02", + "ipConfigurations": [ + { + "name": "ipconfig1", + "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-02" } }, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - }, - "VolumeType": "All" + { + "name": "ipconfig2", + "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", + "privateIPAllocationMethod": "Static", + "privateIPAddress": "10.0.0.9" } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" + ] + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +nicConfigurations: { + value: [ + { + nicSuffix: '-nic-01' + deleteOption: 'Delete' // Optional. Can be 'Delete' or 'Detach' + ipConfigurations: [ + { + name: 'ipconfig1' + subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + '' + ] + } + ] } - ], - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionCustomScriptProtectedSetting": { - "value": { - "commandToExecute": "" - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" } - } - }, - "extensionDSCConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + { + name: 'ipconfig2' + subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' } - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + ] + nsgId: '/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + '' + ] } - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + ] + } + { + nicSuffix: '-nic-02' + ipConfigurations: [ + { + name: 'ipconfig1' + subnetResourceId: 
'/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' + pipConfiguration: { + publicIpNameSuffix: '-pip-02' + } } - } - }, - "location": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "monitoringWorkspaceId": { - "value": "" - }, - "name": { - "value": "cvmwincom" - }, - "patchMode": { - "value": "AutomaticByPlatform" - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + name: 'ipconfig2' + subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/' + privateIPAllocationMethod: 'Static' + privateIPAddress: '10.0.0.9' } ] + } + ] +} +``` + +
+

+ +### Parameter Usage: `configurationProfileAssignments` + +

+ +Parameter JSON format + +```json +"configurationProfileAssignments": { + "value": [ + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction", + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest" + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +configurationProfileAssignments: [ + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' +] +``` + +
+

+ +### Parameter Usage: `extensionDomainJoinConfig` + +

+ +Parameter JSON format + +```json +"extensionDomainJoinConfig": { + "value": { + "enabled": true, + "settings": { + "name": "contoso.com", + "user": "test.user@testcompany.com", + "ouPath": "OU=testOU; DC=contoso; DC=com", + "restart": true, + "options": 3 + } + } +}, +"extensionDomainJoinPassword": { + "reference": { + "keyVault": { + "id": "/subscriptions/</resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKvlt" }, - "systemAssignedIdentity": { - "value": true - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "userAssignedIdentities": { - "value": { - "": {} + "secretName": "domainJoinUser02-Password" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionDomainJoinConfig: { + enabled: true + settings: { + name: 'contoso.com' + user: 'test.user@testcompany.com' + ouPath: 'OU=testOU; DC=contoso; DC=com' + restart: true + options: 3 + } +} + +resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { + name: 'adp-[[namePrefix]]-az-kv-x-001' + scope: resourceGroup('[[subscriptionId]]','validation-rg') +} + +extensionDomainJoinPassword: kv1.getSecret('domainJoinUser02-Password') +``` + +
+

+ +### Parameter Usage: `extensionAntiMalwareConfig` + +Only for OSType Windows + +

+ +Parameter JSON format + +```json +"extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": true, + "Exclusions": { + "Extensions": ".log;.ldf", + "Paths": "D:\\IISlogs;D:\\DatabaseLogs", + "Processes": "mssence.svc" + }, + "RealtimeProtectionEnabled": true, + "ScheduledScanSettings": { + "isEnabled": "true", + "scanType": "Quick", + "day": "7", + "time": "120" } } - } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: true + Exclusions: { + Extensions: '.log;.ldf' + Paths: 'D:\\IISlogs;D:\\DatabaseLogs' + Processes: 'mssence.svc' + } + RealtimeProtectionEnabled: true + ScheduledScanSettings: { + isEnabled: 'true' + scanType: 'Quick' + day: '7' + time: '120' + } + } } ```

-

Example 5: Windows.Atmg

+### Parameter Usage: `extensionAzureDiskEncryptionConfig`
-via Bicep module +Parameter JSON format -```bicep -module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmwinatmg' - params: { - // Required parameters - adminUsername: 'localAdministrator' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - adminPassword: '' - configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - enableDefaultTelemetry: '' - location: '' - name: 'cvmwinatmg' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +```json +"extensionAzureDiskEncryptionConfig": { + // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. 
+ "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KeyVaultURL": "https://mykeyvault.vault.azure.net/", + "KeyVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", + "KeyEncryptionKeyURL": "https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys + "KekVaultResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001", + "KeyEncryptionAlgorithm": "RSA-OAEP", //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' + "VolumeType": "All", //'OS'/'Data'/'All' + "ResizeOSDisk": "false" } } } ``` +
+ +
+ +Bicep format + +```bicep +extensionAzureDiskEncryptionConfig: { + // Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KeyVaultURL: 'https://mykeyvault.vault.azure.net/' + KeyVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' + KeyEncryptionKeyURL: 'https://mykeyvault.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' // ID must be updated for new keys + KekVaultResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001' + KeyEncryptionAlgorithm: 'RSA-OAEP' //'RSA-OAEP'/'RSA-OAEP-256'/'RSA1_5' + VolumeType: 'All' //'OS'/'Data'/'All' + ResizeOSDisk: 'false' + } +} +``` +

+### Parameter Usage: `extensionDSCConfig` +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdministrator" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01" - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" +"extensionDSCConfig": { + "value": { + { + "enabled": true, + "settings": { + "wmfVersion": "latest", + "configuration": { + "url": "http://validURLToConfigLocation", + "script": "ConfigurationScript.ps1", + "function": "ConfigurationFunction" + }, + "configurationArguments": { + "argument1": "Value1", + "argument2": "Value2" + }, + "configurationData": { + "url": "https://foo.psd1" + }, + "privacy": { + "dataCollection": "enable" + }, + "advancedOptions": { + "forcePullAndApply": false, + "downloadMappings": { + "specificDependencyKey": "https://myCustomDependencyLocation" + } } - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmwinatmg" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + }, + "protectedSettings": { + "configurationArguments": { + "mySecret": "MyPlaceholder" + }, + 
"configurationUrlSasToken": "MyPlaceholder", + "configurationDataUrlSasToken": "MyPlaceholder" } } } @@ -2563,280 +2695,151 @@ module virtualMachine './compute/virtual-machine/main.bicep' = { ```
-

- -

Example 6: Windows.Min

-via Bicep module +Bicep format ```bicep -module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmwinmin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: '' +extensionDSCConfig: { + { + enabled: true + settings: { + wmfVersion: 'latest' + configuration: { + url: 'http://validURLToConfigLocation' + script: 'ConfigurationScript.ps1' + function: 'ConfigurationFunction' } - ] - nicSuffix: '-nic-01' - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - adminPassword: '' - enableDefaultTelemetry: '' - location: '' - name: 'cvmwinmin' - } + configurationArguments: { + argument1: 'Value1' + argument2: 'Value2' + } + configurationData: { + url: 'https://foo.psd1' + } + privacy: { + dataCollection: 'enable' + } + advancedOptions: { + forcePullAndApply: false + downloadMappings: { + specificDependencyKey: 'https://myCustomDependencyLocation' + } + } + } + protectedSettings: { + configurationArguments: { + mySecret: 'MyPlaceholder' + } + configurationUrlSasToken: 'MyPlaceholder' + configurationDataUrlSasToken: 'MyPlaceholder' + } + } } ```

+### Parameter Usage: `extensionCustomScriptConfig` +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01" - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } +"extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + //storage accounts with SAS token requirement + { + "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + { + "uri": "https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1", + "storageAccountId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName" + }, + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) + { + "uri": "https://github.com/myProject/File3.ps1", + "storageAccountId": "" } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmwinmin" + ], + "settings": { + "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File testscript.ps1" } } } ```
-

- -

Example 7: Windows.Ssecmk

-via Bicep module +Bicep format ```bicep -module virtualMachine './compute/virtual-machine/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-cvmwincmk' - params: { - // Required parameters - adminUsername: 'VMAdministrator' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ +extensionCustomScriptConfig: { + enabled: true + fileData: [ + //storage accounts with SAS token requirement { - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' + uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File1.ps1' + storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' + { + uri: 'https://mystorageaccount.blob.core.windows.net/avdscripts/File2.ps1' + storageAccountId: '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rgName/providers/Microsoft.Storage/storageAccounts/storageAccountName' } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - adminPassword: '' - dataDisks: [ + //storage account with public container (no SAS token is required) OR other public URL (not a storage account) { - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } + uri: 'https://github.com/myProject/File3.ps1' + storageAccountId: '' } ] - enableDefaultTelemetry: '' - location: '' - name: 'cvmwincmk' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' + settings: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File testscript.ps1' } - } } ```

+### Parameter Usage: `extensionCustomScriptProtectedSetting` + +This is used if you are going to use secrets or other sensitive information that you don't want to be visible in the deployment and logs. +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "VMAdministrator" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2019-datacenter", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01" - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "dataDisks": { - "value": [ - { - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmwincmk" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } +"extensionCustomScriptProtectedSetting": { + "value": [ + { + "commandToExecute": "mycommandToRun -someParam MYSECRET" } - } + ] } ``` +
+ +
+ +Bicep format + +```bicep +extensionCustomScriptProtectedSetting: [ + { + commandToExecute: 'mycommandToRun -someParam MYSECRET' + } +] +``` +

From 70b1184b40c80a096169c0067749abb2e3cd28f0 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 Oct 2023 07:53:34 +1100 Subject: [PATCH 019/178] [AVM] Updated Readme's to support AVM transition - Part (3) (#4080) * Updated desktop virtualization host and scaling plan * Updated Digital Twins * Updated event grid * Updated event hubs * Healthcare APIs * Updated healthcare APIs * updated action groups * activity log alert * insights activity log attempt v2 * Updated metric Alert * document db 1 * Updated cosmos db --- .../host-pool/README.md | 86 +---- .../host-pool/main.bicep | 2 +- .../host-pool/main.json | 10 +- .../scaling-plan/.test/common/main.test.bicep | 39 +++ .../scaling-plan/README.md | 183 +++++------ .../scaling-plan/main.json | 8 +- .../digital-twins-instance/README.md | 127 -------- .../endpoint--event-grid/main.json | 4 +- .../endpoint--event-hub/README.md | 4 +- .../endpoint--event-hub/main.bicep | 4 +- .../endpoint--event-hub/main.json | 8 +- .../endpoint--service-bus/README.md | 4 +- .../endpoint--service-bus/main.bicep | 4 +- .../endpoint--service-bus/main.json | 8 +- .../digital-twins-instance/main.json | 40 +-- .../document-db/database-account/README.md | 208 ------------ .../gremlin-database/README.md | 115 +++---- .../gremlin-database/graph/README.md | 27 +- .../mongodb-database/README.md | 4 - .../mongodb-database/collection/README.md | 27 +- .../sql-database/container/README.md | 27 +- modules/event-grid/system-topic/README.md | 73 ----- modules/event-grid/topic/README.md | 73 ----- modules/event-hub/namespace/main.json | 52 +-- .../namespace/network-rule-set/README.md | 46 +-- .../namespace/network-rule-set/main.bicep | 4 +- .../namespace/network-rule-set/main.json | 8 +- modules/healthcare-apis/workspace/README.md | 235 +++++--------- .../workspace/fhirservice/README.md | 83 ++--- .../workspace/iotconnector/README.md | 181 ++++++----- .../iotconnector/fhirdestination/README.md | 31 +- .../action-group/.test/common/main.test.bicep | 14 +- 
modules/insights/action-group/README.md | 94 +----- modules/insights/action-group/main.json | 8 +- .../.test/common/main.test.bicep | 29 +- modules/insights/activity-log-alert/README.md | 304 +++--------------- .../insights/activity-log-alert/main.bicep | 2 +- modules/insights/activity-log-alert/main.json | 10 +- modules/insights/metric-alert/README.md | 218 +------------ modules/insights/metric-alert/main.bicep | 2 +- modules/insights/metric-alert/main.json | 10 +- 41 files changed, 656 insertions(+), 1760 deletions(-) diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 95799c2de3..81a5599f0a 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -65,7 +65,7 @@ This module deploys an Azure Virtual Desktop (AVD) Host Pool. | `tokenValidityLength` | string | `'PT8H'` | | Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | | `type` | string | `'Pooled'` | `[Personal, Pooled]` | Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | | `validationEnvironment` | bool | `False` | | Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. | -| `vmTemplate` | object | `{object}` | | The necessary information for adding more VMs to this Host Pool. | +| `vmTemplate` | object | `{object}` | | The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. | **Generated parameters** 
@@ -133,90 +133,6 @@ roleAssignments: [

-### Parameter Usage: `vmTemplate` - -The below parameter object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. - -

- -Parameter JSON format - -```json -"vmTemplate": { - "value": { - "domain": ".com", - "galleryImageOffer": "office-365", - "galleryImagePublisher": "microsoftwindowsdesktop", - "galleryImageSKU": "19h2-evd-o365pp", - "imageType": "Gallery", - "imageUri": null, - "customImageId": null, - "namePrefix": "AVDv2", - "osDiskType": "StandardSSD_LRS", - "useManagedDisks": true, - "vmSize": { - "id": "Standard_D2s_v3", - "cores": 2, - "ram": 8 - } - } -} -``` - -
- -
- -Bicep format - -```bicep -vmTemplate: { - domain: '.com' - galleryImageOffer: 'office-365' - galleryImagePublisher: 'microsoftwindowsdesktop' - galleryImageSKU: '19h2-evd-o365pp' - imageType: 'Gallery' - imageUri: null - customImageId: null - namePrefix: 'AVDv2' - osDiskType: 'StandardSSD_LRS' - useManagedDisks: true - vmSize: { - id: 'Standard_D2s_v3' - cores: 2 - ram: 8 - } -} -``` - -
-

- -### Parameter Usage: `customRdpProperty` - -

- -Parameter JSON format - -```json -"customRdpProperty": { - "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode ID:i:2;" -} -``` - -
- -
- -Bicep format - -```bicep -customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode ID:i:2;' -``` - -
-

- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 483e0faa44..79ea1e7407 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep @@ -47,7 +47,7 @@ param customRdpProperty string = 'audiocapturemode:i:1;audiomode:i:0;drivestored @sys.description('Optional. Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation \'ring\' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment.') param validationEnvironment bool = false -@sys.description('Optional. The necessary information for adding more VMs to this Host Pool.') +@sys.description('Optional. The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings.') param vmTemplate object = {} @sys.description('Optional. Host Pool token validity length. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the token will be valid for 8 hours.') diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index c986ba58ae..9f61db2a23 100644 --- a/modules/desktop-virtualization/host-pool/main.json +++ b/modules/desktop-virtualization/host-pool/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14979820932920385091" + "version": "0.22.6.54827", + "templateHash": "15971169028304265471" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", @@ -100,7 +100,7 @@ "type": "object", "defaultValue": {}, "metadata": { - "description": "Optional. The necessary information for adding more VMs to this Host Pool." + "description": "Optional. The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings." } }, "tokenValidityLength": { @@ -465,8 +465,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15758203474913146406" + "version": "0.22.6.54827", + "templateHash": "11172902539120316456" } }, "parameters": { diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep index 0a6f49d2c5..5423566864 100644 --- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep 
@@ -84,5 +84,44 @@ module testDeployment '../../main.bicep' = { hostPoolType: 'Pooled' friendlyName: 'My Scaling Plan' description: 'My Scaling Plan Description' + schedules: [ { + rampUpStartTime: { + hour: 7 + minute: 0 + } + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownStartTime: { + hour: 18 + minute: 0 + } + offPeakStartTime: { + hour: 20 + minute: 0 + } + name: 'weekdays_schedule' + daysOfWeek: [ + 'Monday' + 'Tuesday' + 'Wednesday' + 'Thursday' + 'Friday' + ] + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpCapacityThresholdPct: 60 + peakLoadBalancingAlgorithm: 'DepthFirst' + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownWaitTimeMinutes: 30 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStopHostsWhen: 'ZeroSessions' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + } + ] } } diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 93eb2d7557..25b485d144 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md 
@@ -48,107 +48,6 @@ This module deploys an Azure Virtual Desktop (AVD) Scaling Plan. | `timeZone` | string | `'W. Europe Standard Time'` | | Timezone to be used for the scaling plan. | -### Parameter Usage: `schedules` - -Multiple schedules can be provided as needed. If a schedule is not provided, a default schedule will be created. - -```json -"schedules" : { - "value": [ - { - "rampUpStartTime": { - "hour": 7, - "minute": 0 - }, - "peakStartTime": { - "hour": 9, - "minute": 0 - }, - "rampDownStartTime": { - "hour": 18, - "minute": 0 - }, - "offPeakStartTime": { - "hour": 20, - "minute": 0 - }, - "name": "weekdays_schedule", - "daysOfWeek": [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday" - ], - "rampUpLoadBalancingAlgorithm": "DepthFirst", - "rampUpMinimumHostsPct": 20, - "rampUpCapacityThresholdPct": 60, - "peakLoadBalancingAlgorithm": "DepthFirst", - "rampDownLoadBalancingAlgorithm": "DepthFirst", - "rampDownMinimumHostsPct": 10, - "rampDownCapacityThresholdPct": 90, - "rampDownForceLogoffUsers": true, - "rampDownWaitTimeMinutes": 30, - "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", - "rampDownStopHostsWhen": "ZeroSessions", - "offPeakLoadBalancingAlgorithm": "DepthFirst" - } - ] -} -``` - - - -

- -Bicep format - -```bicep -'schedules': [ - { - rampUpStartTime: { - hour: 7 - minute: 0 - } - peakStartTime: { - hour: 9 - minute: 0 - } - rampDownStartTime: { - hour: 18 - minute: 0 - } - offPeakStartTime: { - hour: 20 - minute: 0 - } - name: 'weekdays_schedule' - daysOfWeek: [ - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - ] - rampUpLoadBalancingAlgorithm: 'DepthFirst' - rampUpMinimumHostsPct: 20 - rampUpCapacityThresholdPct: 60 - peakLoadBalancingAlgorithm: 'DepthFirst' - rampDownLoadBalancingAlgorithm: 'DepthFirst' - rampDownMinimumHostsPct: 10 - rampDownCapacityThresholdPct: 90 - rampDownForceLogoffUsers: true - rampDownWaitTimeMinutes: 30 - rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' - rampDownStopHostsWhen: 'ZeroSessions' - offPeakLoadBalancingAlgorithm: 'DepthFirst' - } -] -``` - -
-

- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -299,6 +198,46 @@ module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + schedules: [ + { + daysOfWeek: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + name: 'weekdays_schedule' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + offPeakStartTime: { + hour: 20 + minute: 0 + } + peakLoadBalancingAlgorithm: 'DepthFirst' + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStartTime: { + hour: 18 + minute: 0 + } + rampDownStopHostsWhen: 'ZeroSessions' + rampDownWaitTimeMinutes: 30 + rampUpCapacityThresholdPct: 60 + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpStartTime: { + hour: 7 + minute: 0 + } + } + ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -360,6 +299,48 @@ module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = { } ] }, + "schedules": { + "value": [ + { + "daysOfWeek": [ + "Friday", + "Monday", + "Thursday", + "Tuesday", + "Wednesday" + ], + "name": "weekdays_schedule", + "offPeakLoadBalancingAlgorithm": "DepthFirst", + "offPeakStartTime": { + "hour": 20, + "minute": 0 + }, + "peakLoadBalancingAlgorithm": "DepthFirst", + "peakStartTime": { + "hour": 9, + "minute": 0 + }, + "rampDownCapacityThresholdPct": 90, + "rampDownForceLogoffUsers": true, + "rampDownLoadBalancingAlgorithm": "DepthFirst", + "rampDownMinimumHostsPct": 10, + "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", + "rampDownStartTime": { + "hour": 18, + "minute": 0 + }, + "rampDownStopHostsWhen": "ZeroSessions", + "rampDownWaitTimeMinutes": 30, + "rampUpCapacityThresholdPct": 60, + "rampUpLoadBalancingAlgorithm": "DepthFirst", + "rampUpMinimumHostsPct": 20, + "rampUpStartTime": { + "hour": 7, + "minute": 0 + } + } + ] + }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index 0d39c715ee..ce7aa1ec9b 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6944405808593930056" + "version": "0.22.6.54827", + "templateHash": "2358392324334042734" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", @@ -276,8 +276,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5284850760210698082" + "version": "0.22.6.54827", + "templateHash": "919506430332723114" } }, "parameters": { 
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 4be6c79af6..512bd242ac 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -289,134 +289,7 @@ userAssignedIdentities: {

-### Parameter Usage: `eventhubEndpoint` - -

- -Parameter JSON format - -```json -"eventhubEndpoint": { - "value": { - "authenticationType": "IdentityBased", // IdentityBased or KeyBased - "name": "", - "entityPath": "evh1", // Event Hub Name - "endpointUri": "sb://xyz.servicebus.windows.net", //Event Hub namespace, including sb:// - "deadLetterUri": "", - "deadLetterSecret": "", - "connectionStringPrimaryKey": "", //Keybased Auth - "connectionStringSecondaryKey": "" //Keybased Auth - } -} -``` - -
-

- -

- -Bicep format - -```bicep -eventhubEndpoint: { - authenticationType: 'IdentityBased' // IdentityBased or KeyBased - name: '' - entityPath: 'evh1' // Event Hub Name - endpointUri: 'sb://xyz.servicebus.windows.net' //Event Hub namespace, including sb:// - deadLetterUri: '' - deadLetterSecret: '' - connectionStringPrimaryKey: '' //Keybased Auth - connectionStringSecondaryKey: '' //Keybased Auth -} - ``` - -
-

- -### Parameter Usage: `eventGridEndpoint` - -

- -Parameter JSON format - -```json -"eventGridEndpoint": { - "value": { - "name": "", - "accessKey1": "", - "accessKey2": "", - "TopicEndpoint": "", - "deadLetterUri": "", - "deadLetterSecret": "" - } -} -``` - -

- -

- -Bicep format - -```bicep -eventGridEndpoint: { - name: '' - accessKey1: '' - accessKey2: '' - TopicEndpoint: '' - deadLetterSecret: '' - deadLetterSecret: '' -} - ``` - -
-

- -### Parameter Usage: `serviceBusEndpoint` - -

- -Parameter JSON format - -```json -"serviceBusEndpoint": { - "value": { - "authenticationType": "IdentityBased", // IdentityBased or KeyBased - "name": "", - "entityPath": "sb1", // Event Hub Name - "endpointUri": "sb://xyz.servicebus.windows.net", //Event Hub namespace, including sb:// - "deadLetterUri": "", - "deadLetterSecret": "", - "connectionStringPrimaryKey": "", //Keybased Auth - "connectionStringSecondaryKey": "" //Keybased Auth - } -} -``` - -
-

- -

- -Bicep format - -```bicep -serviceBusEndpoint: { - authenticationType: 'IdentityBased' // IdentityBased or KeyBased - name: '' - entityPath: 'evh1' // Event Hub Name - endpointUri: 'sb://xyz.servicebus.windows.net' //Event Hub namespace, including sb:// - deadLetterUri: '' - deadLetterSecret: '' - connectionStringPrimaryKey: '' //Keybased Auth - connectionStringSecondaryKey: '' //Keybased Auth -} - ``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json index a1978b3907..27b52f1b55 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7115177198919820190" + "version": "0.22.6.54827", + "templateHash": "15429197908359098698" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md index acdd791423..89cb8b96b9 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md 
@@ -29,11 +29,11 @@ This module deploys a Digital Twins Instance EventHub Endpoint. | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `authenticationType` | string | `'IdentityBased'` | `[IdentityBased, KeyBased]` | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | -| `connectionStringSecondaryKey` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. | +| `connectionStringSecondaryKey` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | | `deadLetterSecret` | securestring | `''` | | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | | `deadLetterUri` | string | `''` | | Dead letter storage URL for identity-based authentication. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `endpointUri` | string | `''` | | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://'. | +| `endpointUri` | string | `''` | | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | | `entityPath` | string | `''` | | The EventHub name in the EventHub namespace for identity-based authentication. | | `name` | string | `'EventHubEndpoint'` | | The name of the Digital Twin Endpoint. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | 
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep index bcb41b28e8..bde961d9e6 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep @@ -26,14 +26,14 @@ param deadLetterUri string = '' @secure() param connectionStringPrimaryKey string = '' -@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read.') +@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".') @secure() param connectionStringSecondaryKey string = '' @description('Optional. The EventHub name in the EventHub namespace for identity-based authentication.') param entityPath string = '' -@description('Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol \'sb://\'.') +@description('Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol \'sb://\' (i.e. sb://xyz.servicebus.windows.net).') param endpointUri string = '' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json index a964a1f125..3ef4af7bb3 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json 
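Review bot: The example appended to the `endpointUri` description uses "i.e." where an illustrative sample is meant, and the parallel Service Bus endpoint module changed in this same patch writes "(e.g. sb://xyz.servicebus.windows.net)"; for consistency the line should read `@description('Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol \'sb://\' (e.g. sb://xyz.servicebus.windows.net).')`. The "Only used if the `authenticationType` is "KeyBased"" qualifier is added to `connectionStringSecondaryKey` only; `connectionStringPrimaryKey` appears in the hunk's context lines but its `@description` sits above the hunk and presumably still lacks the qualifier, which is the more important one to state since the README in this patch says KeyBased requires at least the primary connection string. Keeping both secure-string descriptions aligned makes it clear to callers which secrets are actually consumed for a given `authenticationType`.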
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10898754622351027742" + "version": "0.22.6.54827", + "templateHash": "1200386987193874100" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", @@ -61,7 +61,7 @@ "type": "securestring", "defaultValue": "", "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read." + "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." } }, "entityPath": { @@ -75,7 +75,7 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://'." + "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." } }, "enableDefaultTelemetry": { diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md index d782e9bca2..3f448d3791 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md 
@@ -32,10 +32,10 @@ This module deploys a Digital Twins Instance ServiceBus Endpoint. | `deadLetterSecret` | securestring | `''` | | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | | `deadLetterUri` | string | `''` | | Dead letter storage URL for identity-based authentication. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `endpointUri` | string | `''` | | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://'. | +| `endpointUri` | string | `''` | | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). | | `entityPath` | string | `''` | | The ServiceBus Topic name for identity-based authentication. | | `name` | string | `'ServiceBusEndpoint'` | | The name of the Digital Twin Endpoint. | -| `secondaryConnectionString` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. | +| `secondaryConnectionString` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `userAssignedIdentity` | string | `''` | | The ID to assign to the resource. | diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep index 91050fff39..25e6eb0ae7 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep 
@@ -22,7 +22,7 @@ param deadLetterSecret string = '' @description('Optional. Dead letter storage URL for identity-based authentication.') param deadLetterUri string = '' -@description('Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol \'sb://\'.') +@description('Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol \'sb://\' (e.g. sb://xyz.servicebus.windows.net).') param endpointUri string = '' @description('Optional. The ServiceBus Topic name for identity-based authentication.') @@ -32,7 +32,7 @@ param entityPath string = '' @secure() param primaryConnectionString string = '' -@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read.') +@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".') @secure() param secondaryConnectionString string = '' diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json index b1513fcf98..31056e282d 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13127448885590640743" + "version": "0.22.6.54827", + "templateHash": "2168121049050485718" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", 
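Review bot: The new qualifier on `secondaryConnectionString` documents the KeyBased side, but the `endpointUri` description changed in the first hunk still does not state the mirror condition; adding `Only used if the \`authenticationType\` is "IdentityBased".` to it (and presumably to `entityPath`, whose description is outside the hunk) would make the two authentication modes symmetrically documented. `primaryConnectionString` is visible as a context line in the second hunk with its `@description` above the hunk, so it likely still lacks the KeyBased qualifier that the secondary now carries; since KeyBased needs the primary string, that is the one callers most need to see. The parameter block continues outside both hunks, so the `authenticationType` declaration these descriptions refer to is not visible here.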
@@ -54,7 +54,7 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://'." + "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." } }, "entityPath": { @@ -75,7 +75,7 @@ "type": "securestring", "defaultValue": "", "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read." + "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." } }, "enableDefaultTelemetry": { diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index d4bae9acbc..5f9ecd3472 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16548186733986998903" + "version": "0.22.6.54827", + "templateHash": "4594245496875399302" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", @@ -298,8 +298,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14898430327900380970" + "version": "0.22.6.54827", + "templateHash": "1200386987193874100" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", 
@@ -355,7 +355,7 @@ "type": "securestring", "defaultValue": "", "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read." + "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." } }, "entityPath": { @@ -369,7 +369,7 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://'." + "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." } }, "enableDefaultTelemetry": { @@ -488,8 +488,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5050137596110044755" + "version": "0.22.6.54827", + "templateHash": "15429197908359098698" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", @@ -636,8 +636,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9533801539124134426" + "version": "0.22.6.54827", + "templateHash": "2168121049050485718" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", @@ -686,7 +686,7 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://'." + "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." } }, "entityPath": { 
@@ -707,7 +707,7 @@ "type": "securestring", "defaultValue": "", "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read." + "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." } }, "enableDefaultTelemetry": { @@ -840,8 +840,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1040,8 +1040,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1178,8 +1178,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1392,8 +1392,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2921285895718977549" + "version": "0.22.6.54827", + "templateHash": "4249531612554442902" } }, "parameters": { diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index ee70f0bac0..a1b836499f 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -173,214 +173,6 @@ tags: {

-### Parameter Usage: `locations` - -

- -Parameter JSON format - -```json -"locations": { - "value": [ - { - "failoverPriority": 1, - "locationName": "East US", - "isZoneRedundant": false - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -locations: [ - { - failoverPriority: 1 - locationName: 'East US' - isZoneRedundant: false - } -] -``` - -
-

- -### Parameter Usage: `sqlDatabases` - -

- -Parameter JSON format - -```json -"sqlDatabases": { - "value": [ - { - "name": "sxx-az-sql-x-001", - "containers": [ - "container-001", - "container-002" - ] - }, - { - "name": "sxx-az-sql-x-002", - "containers": [] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -sqlDatabases: { - value: [ - { - name: 'sxx-az-sql-x-001' - containers: [ - 'container-001' - 'container-002' - ] - } - { - name: 'sxx-az-sql-x-002' - containers: [] - } - ] -} -``` - -
-

- -### Parameter Usage: `mongodbDatabases` - -

- -Parameter JSON format - -```json -"mongodbDatabases": { - "value": [ - { - "name": "sxx-az-mdb-x-001", - "collections": [ - <...> - ] - }, - { - "name": "sxx-az-mdb-x-002", - "collections": [ - <...> - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -mongodbDatabases: [ - { - name: 'sxx-az-mdb-x-001' - collections: [ - <...> - ] - } - { - name: 'sxx-az-mdb-x-002' - collections: [ - <...> - ] - } -] -``` - -
-

- -Please reference the documentation for [mongodbDatabase](./mongodb-database/README.md) - -### Parameter Usage: `gremlinDatabases` - -

- -Parameter JSON format - -```json -"mongodbDatabases": { - "value": [ - { - "name": "graphDb01", - "graphs": [ - { - "name": "graph01", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - }, - { - "name": "graph02", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -gremlinDatabases: [ - { - name: 'graphDb01' - graphs: [ - { - name: 'graph01' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } - { - name: 'graph02' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } - ] - } -] -``` - -
-

- -Please reference the documentation for [gremlinDatabase](./gremlin-database/README.md) - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to 'ServicePrincipal'. This will ensure the role assignment waits for the principal's propagation in Azure. diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md index 4e531443bb..cd4b13532a 100644 --- a/modules/document-db/database-account/gremlin-database/README.md +++ b/modules/document-db/database-account/gremlin-database/README.md @@ -8,6 +8,7 @@ This module deploys a Gremlin Database within a CosmosDB Account. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -43,62 +44,6 @@ This module deploys a Gremlin Database within a CosmosDB Account. | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. | -### Parameter Usage: `graphs` - -List of graph databaseAccounts - -

- -Parameter JSON format - -```json -"graphs": { - "value": [ - { - "name": "graph01", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - }, - { - "name": "graph02", - "automaticIndexing": true, - "partitionKeyPaths": [ - "/name" - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -graphs: [ - { - name: 'graph01' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } - { - name: 'graph02' - automaticIndexing: true - partitionKeyPaths: [ - '/name' - ] - } -] -``` - -
- ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -184,3 +129,61 @@ userAssignedIdentities: { ## Cross-referenced modules _None_ + +## Notes + +### Parameter Usage: `graphs` + +List of graph databaseAccounts. + +
+ +Parameter JSON format + +```json +"graphs": { + "value": [ + { + "name": "graph01", + "automaticIndexing": true, + "partitionKeyPaths": [ + "/name" + ] + }, + { + "name": "graph02", + "automaticIndexing": true, + "partitionKeyPaths": [ + "/name" + ] + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +graphs: [ + { + name: 'graph01' + automaticIndexing: true + partitionKeyPaths: [ + '/name' + ] + } + { + name: 'graph02' + automaticIndexing: true + partitionKeyPaths: [ + '/name' + ] + } +] +``` + +
diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md index 0254cb0940..46669ea63c 100644 --- a/modules/document-db/database-account/gremlin-database/graph/README.md +++ b/modules/document-db/database-account/gremlin-database/graph/README.md @@ -8,6 +8,7 @@ This module deploys a DocumentDB Database Accounts Gremlin Database Graph. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -81,6 +82,20 @@ tags: {

+## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the graph. | +| `resourceGroupName` | string | The name of the resource group the graph was created in. | +| `resourceId` | string | The resource ID of the graph. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `partitionKeyPaths`, `uniqueKeyPaths` Different kinds of paths can be provided as array of strings: @@ -111,15 +126,3 @@ graphs: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the graph. | -| `resourceGroupName` | string | The name of the resource group the graph was created in. | -| `resourceId` | string | The resource ID of the graph. | - -## Cross-referenced modules - -_None_ diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md index db3dbf1e40..21d0be5f7e 100644 --- a/modules/document-db/database-account/mongodb-database/README.md +++ b/modules/document-db/database-account/mongodb-database/README.md @@ -81,10 +81,6 @@ tags: {

-### Parameter Usage: `collections` - -Please reference the documentation for [collection](./collection/README.md) - ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/mongodb-database/collection/README.md b/modules/document-db/database-account/mongodb-database/collection/README.md index 4092da7d8d..c29b48e614 100644 --- a/modules/document-db/database-account/mongodb-database/collection/README.md +++ b/modules/document-db/database-account/mongodb-database/collection/README.md @@ -8,6 +8,7 @@ This module deploys a MongoDB Database Collection. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -40,6 +41,20 @@ This module deploys a MongoDB Database Collection. | `throughput` | int | `400` | Name of the mongodb database. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the mongodb database. | +| `resourceGroupName` | string | The name of the resource group the mongodb database was created in. | +| `resourceId` | string | The resource ID of the mongodb database. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `indexes` Array of index keys as MongoIndex. The array contains keys for each MongoDB collection in the Azure Cosmos DB service with a collection resource object (as `key`) and collection index options (as `options`). @@ -169,15 +184,3 @@ shardKey: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the mongodb database. | -| `resourceGroupName` | string | The name of the resource group the mongodb database was created in. | -| `resourceId` | string | The resource ID of the mongodb database. | - -## Cross-referenced modules - -_None_ diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md index c30d0050f1..d1f36ece5d 100644 --- a/modules/document-db/database-account/sql-database/container/README.md +++ b/modules/document-db/database-account/sql-database/container/README.md @@ -8,6 +8,7 @@ This module deploys a SQL Database Container in a CosmosDB Account. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -88,6 +89,20 @@ tags: {

+## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the container. | +| `resourceGroupName` | string | The name of the resource group the container was created in. | +| `resourceId` | string | The resource ID of the container. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `indexingPolicy` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -129,15 +144,3 @@ indexingPolicy: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the container. | -| `resourceGroupName` | string | The name of the resource group the container was created in. | -| `resourceId` | string | The resource ID of the container. | - -## Cross-referenced modules - -_None_ diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index a6aa00839d..4d00048638 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -51,79 +51,6 @@ This module deploys an Event Grid System Topic. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `eventSubscriptions` - -You can specify multiple event subscriptions using the following format: - -

- -Parameter JSON format - -```json -"eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "[[namePrefix]]egstcom001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: '[[namePrefix]]egstcom001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] -``` - -
-

- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 4710dcd36a..8e5edbc4b1 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -52,79 +52,6 @@ This module deploys an Event Grid Topic. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `eventSubscriptions` - -You can specify multiple event subscriptions using the following format: - -

- -Parameter JSON format - -```json -"eventSubscriptions": { - "value": [ - { - "destination": { - "endpointType": "StorageQueue", - "properties": { - "queueMessageTimeToLiveInSeconds": 86400, - "queueName": "", - "resourceId": "" - } - }, - "enableDefaultTelemetry": "", - "eventDeliverySchema": "CloudEventSchemaV1_0", - "expirationTimeUtc": "2099-01-01T11:00:21.715Z", - "filter": { - "enableAdvancedFilteringOnArrays": true, - "isSubjectCaseSensitive": false - }, - "name": "[[namePrefix]]egstcom001", - "retryPolicy": { - "eventTimeToLive": "120", - "maxDeliveryAttempts": 10 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -eventSubscriptions: [ - { - destination: { - endpointType: 'StorageQueue' - properties: { - queueMessageTimeToLiveInSeconds: 86400 - queueName: '' - resourceId: '' - } - } - enableDefaultTelemetry: '' - eventDeliverySchema: 'CloudEventSchemaV1_0' - expirationTimeUtc: '2099-01-01T11:00:21.715Z' - filter: { - enableAdvancedFilteringOnArrays: true - isSubjectCaseSensitive: false - } - name: '[[namePrefix]]egstcom001' - retryPolicy: { - eventTimeToLive: '120' - maxDeliveryAttempts: 10 - } - } - ] -``` - -
-

- ### Parameter Usage: `privateEndpoints` To use Private Endpoint the following dependencies must be deployed: diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index 7e9e3029bd..10bb99aa07 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "894531966017959267" + "version": "0.22.6.54827", + "templateHash": "16009659029865974325" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -432,8 +432,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16751252701811556931" + "version": "0.22.6.54827", + "templateHash": "3063860457313937367" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", @@ -553,8 +553,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17596363769961747539" + "version": "0.22.6.54827", + "templateHash": "7624585689136088815" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", @@ -690,8 +690,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16089237218391136247" + "version": "0.22.6.54827", + "templateHash": "11568505658717744379" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", @@ -999,8 +999,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4574999956856176990" + "version": "0.22.6.54827", + "templateHash": "3522913919009222120" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", 
@@ -1127,8 +1127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6269095332062865528" + "version": "0.22.6.54827", + "templateHash": "12245634232079362340" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", @@ -1260,8 +1260,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13315777836788317981" + "version": "0.22.6.54827", + "templateHash": "5794309156960386834" } }, "parameters": { @@ -1445,8 +1445,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7109134385195243655" + "version": "0.22.6.54827", + "templateHash": "17411238681152908216" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", 
@@ -1492,14 +1492,14 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. Contains an array of objects of subnet resource IDs that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "ipRules": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "enableDefaultTelemetry": { @@ -1625,8 +1625,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1825,8 +1825,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1963,8 +1963,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2177,8 +2177,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1887246320785357809" + "version": "0.22.6.54827", + "templateHash": "3195673782424292860" } }, "parameters": { diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md index 4be4872512..4d10778ca7 100644 --- a/modules/event-hub/namespace/network-rule-set/README.md +++ b/modules/event-hub/namespace/network-rule-set/README.md 
@@ -29,54 +29,12 @@ This module deploys an Event Hub Namespace Network Rule Set. | :-- | :-- | :-- | :-- | :-- | | `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| `ipRules` | array | `[]` | | An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | | `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | -| `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| `virtualNetworkRules` | array | `[]` | | An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". 
Otherwise, when used, defaultAction will be set to "Deny". | -### Parameter Usage: `` - -Contains an array of subnets that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. - -```json -"virtualNetworkRules": { - "value": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourcegroups/[[resourceGroupName]]/providers/Microsoft.Network/virtualNetworks/[[virtualNetworkName]]/subnets/[[subnetName1]]" - } - }, - { - "ignoreMissingVnetServiceEndpoint": false, - "subnet": { - "id": "/subscriptions/[[subscriptionId]]/resourcegroups/[[resourceGroupName]]/providers/Microsoft.Network/virtualNetworks/[[virtualNetworkName]]/subnets/[[subnetName2]]" - } - } - ] -} -``` - -### Parameter Usage: `` - -Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. - -```json -"ipRules": { - "value": [ - { - "action": "Allow", - "ipMask": "a.b.c.d/e" - }, - { - "action": "Allow", - "ipMask": "x.x.x.x/x" - } - ] -} -``` - ## Outputs | Output Name | Type | Description | diff --git a/modules/event-hub/namespace/network-rule-set/main.bicep b/modules/event-hub/namespace/network-rule-set/main.bicep index c36bd58609..c84fe076bd 100644 --- a/modules/event-hub/namespace/network-rule-set/main.bicep +++ b/modules/event-hub/namespace/network-rule-set/main.bicep 
@@ -22,10 +22,10 @@ param defaultAction string = 'Allow'
 @description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".')
 param trustedServiceAccessEnabled bool = true
 
-@description('Optional. List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
+@description('Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
 param virtualNetworkRules array = []
 
-@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
+@description('Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')
 param ipRules array = []
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
diff --git a/modules/event-hub/namespace/network-rule-set/main.json b/modules/event-hub/namespace/network-rule-set/main.json
index 1c3f921460..ec22360d6f 100644
--- a/modules/event-hub/namespace/network-rule-set/main.json
+++ b/modules/event-hub/namespace/network-rule-set/main.json
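Review bot: The new `@description` text on `virtualNetworkRules` and `ipRules` does not match the compiled `main.json` committed alongside it — the JSON hunks for this module (and the same parameters embedded in `event-hub/namespace/main.json`) read `Contains an array of objects of subnet resource IDs …` and `Contains an array of objects for the public IP ranges …`, while the Bicep reads `An array of subnet resource ID objects …` and `An array of objects for the public IP ranges …`, so the ARM template and its `templateHash` appear to have been built from an intermediate revision and should be regenerated from this `.bicep`. The README hunk for this module also removes the only place that showed the shape of these allow-list entries (`{ subnet: { id: '<subnetResourceId>' }, ignoreMissingVnetServiceEndpoint: bool }` and `{ action: 'Allow', ipMask: '<ipv4 or cidr>' }`), and the new description names `ignoreMissingVnetServiceEndpoint` without saying it is a property of each rule object; restoring that shape in the descriptions or in a README Notes section keeps the firewall allow-list format discoverable for callers. A small wording fix while here: `this virtual network` should be `the subnet` since the rule is subnet-scoped.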
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7109134385195243655" + "version": "0.22.6.54827", + "templateHash": "17411238681152908216" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", @@ -51,14 +51,14 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. Contains an array of objects of subnet resource IDs that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "ipRules": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "enableDefaultTelemetry": { diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index a0803593be..a27a82037a 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md 
@@ -9,6 +9,7 @@ This module deploys a Healthcare API Workspace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -143,156 +144,6 @@ fhirServices: [

-### Parameter Usage: `dicomservices` - -Create a DICOM service with the workspace. - -

- -Parameter JSON format - -```json -"dicomServices": { - "value": [ - { - "name": "[[namePrefix]]-az-dicom-x-001", - "workspaceName": "[[namePrefix]]001", - "corsOrigins": [ "*" ], - "corsHeaders": [ "*" ], - "corsMethods": [ "GET" ], - "corsMaxAge": 600, - "corsAllowCredentials": false, - "location": "[[location]]", - "diagnosticStorageAccountId": "[[storageAccountResourceId]]", - "diagnosticWorkspaceId": "[[logAnalyticsWorkspaceResourceId]]", - "diagnosticEventHubAuthorizationRuleId": "[[eventHubAuthorizationRuleId]]", - "diagnosticEventHubName": "[[eventHubNamespaceEventHubName]]", - "publicNetworkAccess": "Enabled", - "enableDefaultTelemetry": false, - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "[[managedIdentityResourceId]]": {} - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -dicomServices: [ - { - name: '[[namePrefix]]-az-dicom-x-001' - workspaceName: '[[namePrefix]]001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - publicNetworkAccess: 'Enabled' - enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: true - userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} - } - } -] -``` - -
-

- -### Parameter Usage: `iotconnectors` - -Create an IOT Connector (MedTech) service with the workspace. - -

- -Parameter JSON format - -```json -"iotConnectors": { - "value": [ - { - "name": "[[namePrefix]]-az-iomt-x-001", - "workspaceName": "[[namePrefix]]001", - "corsOrigins": [ "*" ], - "corsHeaders": [ "*" ], - "corsMethods": [ "GET" ], - "corsMaxAge": 600, - "corsAllowCredentials": false, - "location": "[[location]]", - "diagnosticStorageAccountId": "[[storageAccountResourceId]]", - "diagnosticWorkspaceId": "[[logAnalyticsWorkspaceResourceId]]", - "diagnosticEventHubAuthorizationRuleId": "[[eventHubAuthorizationRuleId]]", - "diagnosticEventHubName": "[[eventHubNamespaceEventHubName]]", - "publicNetworkAccess": "Enabled", - "enableDefaultTelemetry": false, - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "[[managedIdentityResourceId]]": {} - }, - "eventHubName": "[[eventHubName]]", - "consumerGroup": "[[consumerGroup]]", - "eventHubNamespaceName": "[[eventHubNamespaceName]]", - "deviceMapping": "[[deviceMapping]]", - "destinationMapping": "[[destinationMapping]]", - "fhirServiceResourceId": "[[fhirServiceResourceId]]", - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -iotConnectors: [ - { - name: '[[namePrefix]]-az-iomt-x-001' - workspaceName: '[[namePrefix]]001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - publicNetworkAccess: 'Enabled' - enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: true - userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} - } - eventHubName: '[[eventHubName]]' - consumerGroup: '[[consumerGroup]]' - eventHubNamespaceName: '[[eventHubNamespaceName]]' - deviceMapping: '[[deviceMapping]]' - destinationMapping: '[[destinationMapping]]' - fhirServiceResourceId: '[[fhirServiceResourceId]]' - } -] -``` - -
-

- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -678,3 +529,87 @@ module workspace './healthcare-apis/workspace/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `iotconnectors` + +Create an IOT Connector (MedTech) service with the workspace. + +

+ +Parameter JSON format + +```json +"iotConnectors": { + "value": [ + { + "name": "[[namePrefix]]-az-iomt-x-001", + "workspaceName": "[[namePrefix]]001", + "corsOrigins": [ "*" ], + "corsHeaders": [ "*" ], + "corsMethods": [ "GET" ], + "corsMaxAge": 600, + "corsAllowCredentials": false, + "location": "[[location]]", + "diagnosticStorageAccountId": "[[storageAccountResourceId]]", + "diagnosticWorkspaceId": "[[logAnalyticsWorkspaceResourceId]]", + "diagnosticEventHubAuthorizationRuleId": "[[eventHubAuthorizationRuleId]]", + "diagnosticEventHubName": "[[eventHubNamespaceEventHubName]]", + "publicNetworkAccess": "Enabled", + "enableDefaultTelemetry": false, + "systemAssignedIdentity": true, + "userAssignedIdentities": { + "[[managedIdentityResourceId]]": {} + }, + "eventHubName": "[[eventHubName]]", + "consumerGroup": "[[consumerGroup]]", + "eventHubNamespaceName": "[[eventHubNamespaceName]]", + "deviceMapping": "[[deviceMapping]]", + "destinationMapping": "[[destinationMapping]]", + "fhirServiceResourceId": "[[fhirServiceResourceId]]", + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +iotConnectors: [ + { + name: '[[namePrefix]]-az-iomt-x-001' + workspaceName: '[[namePrefix]]001' + corsOrigins: [ '*' ] + corsHeaders: [ '*' ] + corsMethods: [ 'GET' ] + corsMaxAge: 600 + corsAllowCredentials: false + location: location + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + publicNetworkAccess: 'Enabled' + enableDefaultTelemetry: enableDefaultTelemetry + systemAssignedIdentity: true + userAssignedIdentities: { + '${resourceGroupResources.outputs.managedIdentityResourceId}': {} + } + eventHubName: '[[eventHubName]]' + consumerGroup: '[[consumerGroup]]' + eventHubNamespaceName: '[[eventHubNamespaceName]]' + deviceMapping: '[[deviceMapping]]' + destinationMapping: '[[destinationMapping]]' + fhirServiceResourceId: '[[fhirServiceResourceId]]' + } +] +``` + +
+

diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 894e8c400c..511faf3271 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md @@ -8,6 +8,7 @@ This module deploys a Healthcare API Workspace FHIR Service. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -71,46 +72,6 @@ This module deploys a Healthcare API Workspace FHIR Service. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `acrOciArtifacts` - -You can specify multiple Azure Container OCI artifacts using the following format: - -

- -Parameter JSON format - -```json -"acrOciArtifacts": { - "value": { - [{ - "digest": "sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108", - "imageName": "myimage:v1", - "loginServer": "myregistry.azurecr.io" - }] - } -} -``` - -
- -
- -Bicep format - -```bicep -acrOciArtifacts: [ - { - digest: 'sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108' - imageName: 'myimage:v1' - loginServer: 'myregistry.azurecr.io' - } -] -``` - -
- -

- ### Parameter Usage: `userAssignedIdentities` You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: @@ -291,3 +252,45 @@ userAssignedIdentities: { ## Cross-referenced modules _None_ + +## Notes + +### Parameter Usage: `acrOciArtifacts` + +You can specify multiple Azure Container OCI artifacts using the following format: + +

+ +Parameter JSON format + +```json +"acrOciArtifacts": { + "value": { + [{ + "digest": "sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108", + "imageName": "myimage:v1", + "loginServer": "myregistry.azurecr.io" + }] + } +} +``` + +
+ +
+ +Bicep format + +```bicep +acrOciArtifacts: [ + { + digest: 'sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108' + imageName: 'myimage:v1' + loginServer: 'myregistry.azurecr.io' + } +] +``` + +
+ +

diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index 81f646817d..2537a702dc 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md @@ -8,6 +8,7 @@ This module deploys a Healthcare API Workspace IoT Connector. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -56,6 +57,97 @@ This module deploys a Healthcare API Workspace IoT Connector. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the medtech service. | +| `resourceGroupName` | string | The resource group where the namespace is deployed. | +| `resourceId` | string | The resource ID of the medtech service. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `workspaceName` | string | The name of the medtech workspace. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `deviceMapping` You can specify a collection of device mapping using the following format: @@ -192,92 +284,3 @@ destinationMapping: {

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the medtech service. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the medtech service. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -| `workspaceName` | string | The name of the medtech workspace. | - -## Cross-referenced modules - -_None_ diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md index 7064bfd1b7..9a81a65c63 100644 --- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md @@ -8,6 +8,7 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types 
@@ -41,6 +42,22 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination. | `resourceIdentityResolutionType` | string | `'Lookup'` | `[Create, Lookup]` | Determines how resource identity is resolved on the destination. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `iotConnectorName` | string | The name of the medtech service. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the FHIR destination. | +| `resourceGroupName` | string | The resource group where the namespace is deployed. | +| `resourceId` | string | The resource ID of the FHIR destination. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `destinationMapping` You can specify a collection of destination mapping using the following format: @@ -106,17 +123,3 @@ destinationMapping: { ``` - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `iotConnectorName` | string | The name of the medtech service. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the FHIR destination. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the FHIR destination. | - -## Cross-referenced modules - -_None_ diff --git a/modules/insights/action-group/.test/common/main.test.bicep b/modules/insights/action-group/.test/common/main.test.bicep index e9130942bf..cbc7e3e4f2 100644 --- a/modules/insights/action-group/.test/common/main.test.bicep +++ b/modules/insights/action-group/.test/common/main.test.bicep @@ -62,6 +62,13 @@ module testDeployment '../../main.bicep' = { useCommonAlertSchema: true } ] + smsReceivers: [ + { + countryCode: '1' + name: 'TestUser_-SMSAction-' + phoneNumber: '2345678901' + } + ] roleAssignments: [ { principalIds: [ 
@@ -70,13 +77,6 @@ module testDeployment '../../main.bicep' = { roleDefinitionIdOrName: 'Reader' } ] - smsReceivers: [ - { - countryCode: '1' - name: 'TestUser_-SMSAction-' - phoneNumber: '2345678901' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index 0d64d6ac5e..1d1dadea2f 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -9,6 +9,7 @@ This module deploys an Action Group. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -47,71 +48,6 @@ This module deploys an Action Group. | `webhookReceivers` | array | `[]` | The list of webhook receivers that are part of this action group. | -### Parameter Usage: receivers - -See [Documentation](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2019-06-01/actiongroups) for description of parameters usage and syntax. - -

- -Parameter JSON file - -```json -"emailReceivers": { - "value": [ - { - "name": "TestUser_-EmailAction-", - "emailAddress": "test.user@testcompany.com", - "useCommonAlertSchema": true - }, - { - "name": "TestUser2", - "emailAddress": "test.user2@testcompany.com", - "useCommonAlertSchema": true - } - ] -}, -"smsReceivers": { - "value": [ - { - "name": "TestUser_-SMSAction-", - "countryCode": "1", - "phoneNumber": "2345678901" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -emailReceivers: [ - { - name: 'TestUser_-EmailAction-' - emailAddress: 'test.user@testcompany.com' - useCommonAlertSchema: true - } - { - name: 'TestUser2' - emailAddress: 'test.user2@testcompany.com' - useCommonAlertSchema: true - } -] -smsReceivers: [ - { - name: 'TestUser_-SMSAction-' - countryCode: '1' - phoneNumber: '2345678901' - } -] -``` - -
-

- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -212,18 +148,6 @@ tags: {

-### Additional notes on parameters - -- Receiver name must be unique across the ActionGroup -- Email, SMS, Azure App push and Voice can be grouped in the same Action. To do so, the `name` field of the receivers must be in the `RecName_-ActionType-` format where: - - _RecName_ is the name you want to give to the Action - - _ActionType_ is one of the action types that can be grouped together. Possible values are: - - EmailAction - - SMSAction - - AzureAppAction - - VoiceAction -- To understand the impact of the `useCommonAlertSchema` field, see [here](https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-common-schema) - ## Outputs | Output Name | Type | Description | @@ -413,3 +337,19 @@ module actionGroup './insights/action-group/main.bicep' = {

+ + +## Notes + +### Module Usage Considerations + +- Receiver name must be unique across the ActionGroup. +- Email, SMS, Azure App push and Voice can be grouped in the same Action. To do so, the `name` field of the receivers must be in the `RecName_-ActionType-` format where: + - _RecName_ is the name you want to give to the Action + - _ActionType_ is one of the action types that can be grouped together. Possible values are: + - EmailAction + - SMSAction + - AzureAppAction + - VoiceAction + +- To understand the impact of the `useCommonAlertSchema` field, see [documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-common-schema). diff --git a/modules/insights/action-group/main.json b/modules/insights/action-group/main.json index 172be30385..2a88b67d97 100644 --- a/modules/insights/action-group/main.json +++ b/modules/insights/action-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13796806533868847082" + "version": "0.22.6.54827", + "templateHash": "11117499491590178682" }, "name": "Action Groups", "description": "This module deploys an Action Group.", @@ -200,8 +200,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2628891413283540922" + "version": "0.22.6.54827", + "templateHash": "3593800460322974765" } }, "parameters": { diff --git a/modules/insights/activity-log-alert/.test/common/main.test.bicep b/modules/insights/activity-log-alert/.test/common/main.test.bicep index f61430c448..f95e1529af 100644 --- a/modules/insights/activity-log-alert/.test/common/main.test.bicep +++ b/modules/insights/activity-log-alert/.test/common/main.test.bicep 
@@ -50,19 +50,36 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - conditions: [ { - equals: 'Administrative' field: 'category' + equals: 'ServiceHealth' + } + { + anyOf: [ + { + field: 'properties.incidentType' + equals: 'Incident' + } + { + field: 'properties.incidentType' + equals: 'Maintenance' + } + ] } { - equals: 'microsoft.compute/virtualmachines' - field: 'resourceType' + field: 'properties.impactedServices[*].ServiceName' + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] } { - equals: 'Microsoft.Compute/virtualMachines/performMaintenance/action' - field: 'operationName' + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' + containsAny: [ + 'West Europe' + 'Global' + ] } ] actions: [ diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 46d8a409c5..caa33005cc 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -23,7 +23,7 @@ This module deploys an Activity Log Alert. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `conditions` | array | The condition that will cause this alert to activate. Array of objects. | +| `conditions` | array | An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). | | `name` | string | The name of the alert. | **Optional parameters** @@ -40,252 +40,6 @@ This module deploys an Activity Log Alert. | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: actions - -

- -Parameter JSON format - -```json -"actions": { - "value": [ - { - "actionGroupId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/actionGroupName", - "webhookProperties": {} - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -actions: [ - { - actionGroupId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/actionGroupName' - webhookProperties: {} - } -] -``` - -
-

- -`webhookProperties` is optional. - -If you do only want to provide actionGroupIds, a shorthand use of the parameter is available. - -

- -Parameter JSON format - -```json -"actions": { - "value": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/actionGroupName" - ] -} -``` - -
- -
- -Bicep format - -```bicep -actions: [ - '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/actionGroupName' -] -``` - -
-

- -### Parameter Usage: conditions - -**Conditions can also be combined with logical operators `allOf` and `anyOf`** - - -

- -Parameter JSON format - -```json -{ - "field": "string", - "equals": "string", - "containsAny": "array" -} -``` - -
- -
- -Bicep format - -```bicep -{ - field: 'string' - equals: 'string' - containsAny: 'array' -} -``` - -
-

- -Each condition can specify only one field between `equals` and `containsAny`. - -| Parameter Name | Type | Possible values | Description | -| :------------- | :--------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------- | -| `field` | string | `resourceId`,
`category`,
`caller`,
`level`,
`operationName`,
`resourceGroup`,
`resourceProvider`,
`status`,
`subStatus`,
`resourceType`,
or anything beginning with `properties.` | Required. The name of the field that this condition will examine. | -| `equals` | string | | Optional (Alternative to `containsAny`). The value to confront with. | -| `containsAny` | array of strings | | Optional (Alternative to `equals`). Condition will be satisfied if value of the field in the event is within one of the specified here. | - -**Sample** - -
- -Parameter JSON format - -```json -"conditions": { - "value": [ - { - "field": "category", - "equals": "Administrative" - }, - { - "field": "resourceType", - "equals": "microsoft.compute/virtualmachines" - }, - { - "field": "operationName", - "equals": "Microsoft.Compute/virtualMachines/performMaintenance/action" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -conditions: [ - { - field: 'category' - equals: 'Administrative' - } - { - field: 'resourceType' - equals: 'microsoft.compute/virtualmachines' - } - { - field: 'operationName' - equals: 'Microsoft.Compute/virtualMachines/performMaintenance/action' - } -] -``` - -
-

- -**Sample 2** - -

- -Parameter JSON format - -```json -"conditions":{ - "value": [ - { - "field": "category", - "equals": "ServiceHealth" - }, - { - "anyOf": [ - { - "field": "properties.incidentType", - "equals": "Incident" - }, - { - "field": "properties.incidentType", - "equals": "Maintenance" - } - ] - }, - { - "field": "properties.impactedServices[*].ServiceName", - "containsAny": [ - "Action Groups", - "Activity Logs & Alerts" - ] - }, - { - "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName", - "containsAny": [ - "West Europe", - "Global" - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -conditions: [ - { - field: 'category' - equals: 'ServiceHealth' - } - { - anyOf: [ - { - field: 'properties.incidentType' - equals: 'Incident' - } - { - field: 'properties.incidentType' - equals: 'Maintenance' - } - ] - } - { - field: 'properties.impactedServices[*].ServiceName' - containsAny: [ - 'Action Groups' - 'Activity Logs & Alerts' - ] - } - { - field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' - containsAny: [ - 'West Europe' - 'Global' - ] - } -] -``` - -
-

- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -419,16 +173,34 @@ module activityLogAlert './insights/activity-log-alert/main.bicep' = { // Required parameters conditions: [ { - equals: 'Administrative' + equals: 'ServiceHealth' field: 'category' } { - equals: 'microsoft.compute/virtualmachines' - field: 'resourceType' + anyOf: [ + { + equals: 'Incident' + field: 'properties.incidentType' + } + { + equals: 'Maintenance' + field: 'properties.incidentType' + } + ] + } + { + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] + field: 'properties.impactedServices[*].ServiceName' } { - equals: 'Microsoft.Compute/virtualMachines/performMaintenance/action' - field: 'operationName' + containsAny: [ + 'Global' + 'West Europe' + ] + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' } ] name: 'ialacom001' @@ -476,16 +248,34 @@ module activityLogAlert './insights/activity-log-alert/main.bicep' = { "conditions": { "value": [ { - "equals": "Administrative", + "equals": "ServiceHealth", "field": "category" }, { - "equals": "microsoft.compute/virtualmachines", - "field": "resourceType" + "anyOf": [ + { + "equals": "Incident", + "field": "properties.incidentType" + }, + { + "equals": "Maintenance", + "field": "properties.incidentType" + } + ] + }, + { + "containsAny": [ + "Action Groups", + "Activity Logs & Alerts" + ], + "field": "properties.impactedServices[*].ServiceName" }, { - "equals": "Microsoft.Compute/virtualMachines/performMaintenance/action", - "field": "operationName" + "containsAny": [ + "Global", + "West Europe" + ], + "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName" } ] }, 
diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep index c9aa792869..b31bb74665 100644 --- a/modules/insights/activity-log-alert/main.bicep +++ b/modules/insights/activity-log-alert/main.bicep @@ -22,7 +22,7 @@ param scopes array = [ @description('Optional. The list of actions to take when alert triggers.') param actions array = [] -@description('Required. The condition that will cause this alert to activate. Array of objects.') +@description('Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy).') param conditions array @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json index 3ad64ea733..b3d35d5ff4 100644 --- a/modules/insights/activity-log-alert/main.json +++ b/modules/insights/activity-log-alert/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16456832175233219235" + "version": "0.22.6.54827", + "templateHash": "7845044983132371204" }, "name": "Activity Log Alerts", "description": "This module deploys an Activity Log Alert.", 
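Review bot: The new `conditions` description in main.bicep does not say which `field` names a condition may examine, although the same commit deletes the README reference table that listed them (`resourceId`, `category`, `caller`, `level`, `operationName`, `resourceGroup`, `resourceProvider`, `status`, `subStatus`, `resourceType`, or anything beginning with `properties.`). If the README is now generated from this `@description`, as the rest of the change suggests, that list is lost to users unless it is folded into the string, e.g. appending `The field of a condition must be one of resourceId, category, caller, level, operationName, resourceGroup, resourceProvider, status, subStatus, resourceType, or a name beginning with properties.`. Minor wording: `An Array of objects` should read `An array of objects`. The identical text in main.json presumably comes from regenerating the template rather than from a hand edit, so only this file needs the change.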
@@ -58,7 +58,7 @@ "conditions": { "type": "array", "metadata": { - "description": "Required. The condition that will cause this alert to activate. Array of objects." + "description": "Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy)." } }, "roleAssignments": { @@ -162,8 +162,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "441111163887526316" + "version": "0.22.6.54827", + "templateHash": "9472664752100118667" } }, "parameters": { diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 505b63e93f..47d2e0958f 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -23,7 +23,7 @@ This module deploys a Metric Alert. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `criterias` | array | Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. | +| `criterias` | array | Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. | | `name` | string | The name of the alert. | **Conditional parameters** 
@@ -52,216 +52,6 @@ This module deploys a Metric Alert. | `windowSize` | string | `'PT15M'` | `[P1D, PT12H, PT15M, PT1H, PT1M, PT30M, PT5M, PT6H]` | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | -### Parameter Usage: actions - -

- -Parameter JSON format - -```json -"actions": { - "value": [ - { - "actionGroupId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/ActionGroupName", - "webhookProperties": {} - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -actions: [ - { - actionGroupId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/ActionGroupName' - webhookProperties: {} - } -] -``` - -
-

- -`webhookProperties` is optional. - -If you do only want to provide actionGroupIds, a shorthand use of the parameter is available. - -

- -Parameter JSON format - -```json -"actions": { - "value": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgName/providers/Microsoft.Insights/actiongroups/actionGroupName" - ] -} -``` - -
- - -
- -Bicep format - -```bicep - - -``` - -
- -### Parameter Usage: `criteria` - -**SingleResourceMultipleMetricCriteria** - - -
- -Parameter JSON format - -```json -{ - "criterionType": "string", - "dimensions": [], - "metricName": "string", - "metricNamespace": "string", - "name": "string", - "operator": "string", - "threshold": "integer", - "timeAggregation": "string" -} -``` - -
- - -
- -Bicep format - -```bicep -{ - criterionType: 'string' - dimensions: [] - metricName: 'string' - metricNamespace: 'string' - name: 'string' - operator: 'string' - threshold: 'integer' - timeAggregation: 'string' -} -``` - -
-

- -**MultipleResourceMultipleMetricCriteria** - -

- -Parameter JSON format - -```json -{ - "criterionType": "string", - "dimensions": [], - "metricName": "string", - "metricNamespace": "string", - "name": "string", - "operator": "string", - "threshold": "integer", - "timeAggregation": "string", - "alertSensitivity": "string", - "failingPeriods": { - "minFailingPeriodsToAlert": "integer", - "numberOfEvaluationPeriods": "integer" - }, - "ignoreDataBefore": "string" -} -``` - -
- - -
- -Bicep format - -```bicep -{ - criterionType: 'string' - dimensions: [] - metricName: 'string' - metricNamespace: 'string' - name: 'string' - operator: 'string' - threshold: 'integer' - timeAggregation: 'string' - alertSensitivity: 'string' - failingPeriods: { - minFailingPeriodsToAlert: 'integer' - numberOfEvaluationPeriods: 'integer' - } - ignoreDataBefore: 'string' -} -``` - -
-

- -**Sample** -The following sample can be use both for Single and Multiple criteria. The other parameters are optional. - -

- -Parameter JSON format - -```json -"criterias":{ - "value": [ - { - "criterionType": "StaticThresholdCriterion", - "metricName": "Percentage CPU", - "metricNamespace": "microsoft.compute/virtualmachines", - "name": "HighCPU", - "operator": "GreaterThan", - "threshold": "90", - "timeAggregation": "Average" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -criterias: [ - { - criterionType: 'StaticThresholdCriterion' - metricName: 'Percentage CPU' - metricNamespace: 'microsoft.compute/virtualmachines' - name: 'HighCPU' - operator: 'GreaterThan' - threshold: '90' - timeAggregation: 'Average' - } -] -``` - -
-

- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -362,12 +152,6 @@ tags: {

-### Additional notes on parameters - -- When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory (see above) -- MultipleResourceMultipleMetricCriteria is suggested, as additional scopes can be added later -- It's not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. Delete and re-create the alert. - ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep index 2cf20873d3..978e41e69e 100644 --- a/modules/insights/metric-alert/main.bicep +++ b/modules/insights/metric-alert/main.bicep @@ -72,7 +72,7 @@ param actions array = [] ]) param alertCriteriaType string = 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' -@description('Required. Criterias to trigger the alert. Array of \'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria\' or \'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria\' objects.') +@description('Required. Criterias to trigger the alert. Array of \'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria\' or \'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria\' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated.') param criterias array @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') 
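Review bot: The replacement `criterias` description states that with MultipleResourceMultipleMetricCriteria "some parameters becomes mandatory" without naming them, while the removed README note pointed at the schema block that this commit also removes, which listed the extra fields `alertSensitivity`, `failingPeriods` (`minFailingPeriodsToAlert`, `numberOfEvaluationPeriods`) and `ignoreDataBefore`. A reader of the generated README now has no way to discover which fields those are; naming them in the string, e.g. `... some parameters become mandatory (presumably alertSensitivity, failingPeriods and ignoreDataBefore) ...`, would close the gap and also fixes the verb agreement. The dropped guidance that MultipleResourceMultipleMetricCriteria is preferable because additional scopes can be added later is advice rather than schema and seems worth keeping in the description too. The same string is mirrored in main.json, which presumably should be regenerated from this file rather than edited by hand.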
diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json
index bb45999b4b..dd0d30a3f6 100644
--- a/modules/insights/metric-alert/main.json
+++ b/modules/insights/metric-alert/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13551710672251370699"
+ "version": "0.22.6.54827",
+ "templateHash": "15731967065620351074"
 },
 "name": "Metric Alerts",
 "description": "This module deploys a Metric Alert.",
@@ -136,7 +136,7 @@
 "criterias": {
 "type": "array",
 "metadata": {
- "description": "Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects."
+ "description": "Required. Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated."
 }
 },
 "roleAssignments": {
@@ -245,8 +245,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8947238026152055709"
+ "version": "0.22.6.54827",
+ "templateHash": "14564060617945907933"
 }
 },
 "parameters": {
From aeea6054668c3ce6dd2fa287ca96e942ad13a955 Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Fri, 13 Oct 2023 23:29:45 +0200 Subject: [PATCH 020/178] [AVM] Updated Readme's to support AVM transition - Part (-1) (#4077) * Rollback of unrelated changes * Rollback of unrelated changes * Update to latest * Update to latest * Update to latest * Serverfarm * host env * IT * Synapse key * Storage ManagePolicy * Storage * Update to latest * SQL * SQL MI * Web pub sub * Update to latest * Namepsace * Security * Update to latest * Regen readmes --- .../security/azure-security-center/README.md | 35 - modules/service-bus/namespace/README.md | 506 +++---- modules/service-fabric/cluster/README.md | 310 ++-- .../signal-r-service/web-pub-sub/README.md | 543 +++---- modules/sql/managed-instance/README.md | 358 ++--- .../sql/managed-instance/database/README.md | 33 +- modules/sql/server/README.md | 1308 +++++++++-------- modules/storage/storage-account/README.md | 536 +++---- .../management-policy/README.md | 81 - modules/synapse/workspace/key/README.md | 5 - .../image-template/README.md | 690 ++++----- modules/web/hosting-environment/README.md | 305 ++-- modules/web/serverfarm/README.md | 241 ++- modules/web/site/README.md | 793 +++++----- .../web/site/config--appsettings/README.md | 27 +- .../web/site/config--authsettingsv2/README.md | 31 - modules/web/site/slot/README.md | 126 +- .../site/slot/config--appsettings/README.md | 60 +- .../slot/config--authsettingsv2/README.md | 31 - modules/web/static-site/README.md | 503 +++---- 20 files changed, 2994 insertions(+), 3528 deletions(-) diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index d132f0662b..98bd54bdda 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md 
@@ -55,41 +55,6 @@ This module deploys an Azure Security Center (Defender for Cloud) Configuration. | `virtualMachinesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -### Parameter Usage: `securityContactProperties` - -

- -Parameter JSON format - -```json -"securityContactProperties": { - "value": { - "email": "test@contoso.com", - "phone": "+12345678", - "alertNotifications": "On", - "alertsToAdmins": "Off" - } -} -``` - -
- -
- -Bicep format - -```bicep -securityContactProperties: { - email: 'test@contoso.com' - phone: '+12345678' - alertNotifications: 'On' - alertsToAdmins: 'Off' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index c84e9b9ed5..65c1ff3a6b 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -9,6 +9,7 @@ This module deploys a Service Bus Namespace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -82,275 +83,6 @@ This module deploys a Service Bus Namespace. | `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `networkAcl` - -Configure networing options on premium SKU only. - -

- -Parameter JSON format - -```json -"networkAclConfig": { - "value" : { - "publicNetworkAccess": "Disabled", - "allowTrustedServices": true - } -} - - -``` - -
- -
- -Bicep format - -```bicep -networkingAclConfig: { - publicNetworkAccess: "Disabled" - allowTrustedServices: true -} - -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1083,3 +815,239 @@ module namespace './service-bus/namespace/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 8c91416501..6a3174bddd 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -9,6 +9,7 @@ This module deploys a Service Fabric Cluster. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -66,159 +67,6 @@ This module deploys a Service Fabric Cluster. | `waveUpgradePaused` | bool | `False` | | Boolean to pause automatic runtime version upgrades to the cluster. | -### Parameter Usage: `notifications` - -

- -Parameter JSON format - -```json -"notifications": { - "value": [ - { - "isEnabled": true, // Required. Indicates if the notification is enabled. - "notificationCategory": "WaveProgress", // Required. The category of notification. Possible values include: "WaveProgress". - "notificationLevel": "Critical", // Required. The level of notification. Possible values include: "Critical", "All". - "notificationTargets": [ - { - "notificationChannel": "EmailUser", // Required. The notification channel indicates the type of receivers subscribed to the notification, either user or subscription. Possible values include: "EmailUser", "EmailSubscription". - "receivers": [ - "SomeReceiver" // Required. List of targets that subscribe to the notification. - ] - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -notifications: [ - { - isEnabled: true // Required. Indicates if the notification is enabled. - notificationCategory: 'WaveProgress' // Required. The category of notification. Possible values include: 'WaveProgress'. - notificationLevel: 'Critical' // Required. The level of notification. Possible values include: 'Critical' 'All'. - notificationTargets: [ - { - notificationChannel: 'EmailUser' // Required. The notification channel indicates the type of receivers subscribed to the notification either user or subscription. Possible values include: 'EmailUser' 'EmailSubscription'. - receivers: [ - 'SomeReceiver' // Required. List of targets that subscribe to the notification. - ] - } - ] - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -848,3 +696,159 @@ module cluster './service-fabric/cluster/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `notifications` + +

+ +Parameter JSON format + +```json +"notifications": { + "value": [ + { + "isEnabled": true, // Required. Indicates if the notification is enabled. + "notificationCategory": "WaveProgress", // Required. The category of notification. Possible values include: "WaveProgress". + "notificationLevel": "Critical", // Required. The level of notification. Possible values include: "Critical", "All". + "notificationTargets": [ + { + "notificationChannel": "EmailUser", // Required. The notification channel indicates the type of receivers subscribed to the notification, either user or subscription. Possible values include: "EmailUser", "EmailSubscription". + "receivers": [ + "SomeReceiver" // Required. List of targets that subscribe to the notification. + ] + } + ] + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +notifications: [ + { + isEnabled: true // Required. Indicates if the notification is enabled. + notificationCategory: 'WaveProgress' // Required. The category of notification. Possible values include: 'WaveProgress'. + notificationLevel: 'Critical' // Required. The level of notification. Possible values include: 'Critical' 'All'. + notificationTargets: [ + { + notificationChannel: 'EmailUser' // Required. The notification channel indicates the type of receivers subscribed to the notification either user or subscription. Possible values include: 'EmailUser' 'EmailSubscription'. + receivers: [ + 'SomeReceiver' // Required. List of targets that subscribe to the notification. + ] + } + ] + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index e0cc720580..d595076366 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -9,6 +9,7 @@ This module deploys a SignalR Web PubSub Service. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -50,311 +51,6 @@ This module deploys a SignalR Web PubSub Service. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `networkAcls` - -Using this object you can configure the service's firewall. Note, that the `defaultAction` either allows all / denies all communication via the `publicNetwork` and `privateEndpoints`. You can subsequently allow/deny individual actions using the corresponding arrays. - -Either block supports any array of values: - -- 'ClientConnection' -- 'RESTAPI' -- 'ServerConnection' -- 'Trace' - -

- -Parameter JSON format - -```json -"networkAcls": { - "value": { - "defaultAction": "Deny", - "privateEndpoints": [ - { - "name": "pe-[[namePrefix]]-az-pubsub-x-001-webpubsub-0", - "allow": [ - "ServerConnection", - "Trace" - ], - "deny": [] - } - ], - "publicNetwork": { - "allow": [ - "RESTAPI", - "Trace" - ], - "deny": [] - } - } -} -``` - -
- -
- -Bicep format - -```bicep -networkAcls: { - defaultAction: 'Deny' - privateEndpoints: [ - { - name: 'pe-[[namePrefix]]-az-pubsub-x-001-webpubsub-0' - allow: [ - 'ServerConnection' - 'Trace' - ], - deny: [] - } - ] - publicNetwork: { - allow: [ - 'RESTAPI' - 'Trace' - ] - deny: [] - } -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -713,3 +409,240 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

+ + +## Notes + + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index 9ed0a0f15f..f4585d78dc 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -9,6 +9,7 @@ This module deploys a SQL Managed Instance.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
+- [Notes](#Notes)
 ## Resource types 
@@ -27,18 +28,6 @@ This module deploys a SQL Managed Instance. | `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/securityAlertPolicies) | | `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) | -### Deployment prerequisites - -#### Networking - -SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql#network-requirements). - -SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail. - -#### Azure AD Authentication - -SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed. - ## Parameters **Required parameters** 
@@ -101,171 +90,6 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn. | `zoneRedundant` | bool | `False` | | Whether or not multi-az is enabled. | -### Parameter Usage : `userAssignedIdentities` - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- - -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -703,3 +527,183 @@ module managedInstance './sql/managed-instance/main.bicep' = {

+ + +## Notes + +### Considerations + +#### Networking + +SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql#network-requirements). + +SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail. + +#### Azure AD Authentication + +SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed. + +### Parameter Usage : `userAssignedIdentities` + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ + +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index b347af31a0..4feb82d887 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -8,6 +8,7 @@ This module deploys a SQL Managed Instance Database. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -19,10 +20,6 @@ This module deploys a SQL Managed Instance Database. | `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) | | `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) | -### Deployment prerequisites - -The SQL Managed Instance Database is deployed on a SQL Managed Instance. - ## Parameters **Required parameters** @@ -65,6 +62,21 @@ The SQL Managed Instance Database is deployed on a SQL Managed Instance. | `tags` | object | `{object}` | | Tags of the resource. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed database. | +| `resourceGroupName` | string | The resource group the database was deployed into. | +| `resourceId` | string | The resource ID of the deployed database. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -105,16 +117,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed database. | -| `resourceGroupName` | string | The resource group the database was deployed into. | -| `resourceId` | string | The resource ID of the deployed database. | - -## Cross-referenced modules - -_None_ diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 18c05a8ea2..b6a4646090 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -9,6 +9,7 @@ This module deploys an Azure SQL Server. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -73,502 +74,229 @@ This module deploys an Azure SQL Server. | `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | -### Parameter Usage: `roleAssignments` +## Outputs -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed SQL server. | +| `resourceGroupName` | string | The resource group of the deployed SQL server. | +| `resourceId` | string | The resource ID of the deployed SQL server. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -

+## Cross-referenced modules -Parameter JSON format +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -
+## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Admin

-Bicep format +via Bicep module ```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' + params: { + // Required parameters + name: 'sqlsadmin' + // Non-required parameters + administrators: { + azureADOnlyAuthentication: true + login: 'myspn' + principalType: 'Application' + sid: '' + tenantId: '' } -] + enableDefaultTelemetry: '' + } +} ```

-### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. -

-Parameter JSON format +via JSON Parameter file ```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlsadmin" + }, + // Non-required parameters + "administrators": { + "value": { + "azureADOnlyAuthentication": true, + "login": "myspn", + "principalType": "Application", + "sid": "", + "tenantId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" } + } } ```
+

+ +

Example 2: Common

-Bicep format +via Bicep module ```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlscom' + params: { + // Required parameters + name: 'sqlscom' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + backupLongTermRetentionPolicy: { + monthlyRetention: 'P6M' + } + backupShortTermRetentionPolicy: { + retentionDays: 14 + } + capacity: 0 + collation: 'SQL_Latin1_General_CP1_CI_AS' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + elasticPoolId: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + licenseType: 'LicenseIncluded' + maxSizeBytes: 34359738368 + name: 'sqlscomdb-001' + skuName: 'ElasticPool' + skuTier: 'GeneralPurpose' + } + ] + elasticPools: [ + { + maintenanceConfigurationId: '' + name: 'sqlscom-ep-001' + skuCapacity: 10 + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + } + ] + enableDefaultTelemetry: '' + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + ] + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + location: '' + lock: 'CanNotDelete' + primaryUserAssignedIdentityId: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + restrictOutboundNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + 
securityAlertPolicies: [ + { + emailAccountAdmins: true + name: 'Default' + state: 'Enabled' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + name: 'newVnetRule1' + virtualNetworkSubnetId: '' + } + ] + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + } + } } ```

-### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: -

-Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `administrators` - -Configure Azure Active Directory Authentication method for server administrator. - - -

- -Parameter JSON format - -```json -"administrators": { - "value": { - "azureADOnlyAuthentication": true - "login": "John Doe", // if application can be anything - "sid": "[[objectId]]", // if application, the object ID - "principalType" : "User", // options: "User", "Group", "Application" - "tenantId": "[[tenantId]]" - } -} -``` - -
- -
- -Bicep format - -```bicep -administrators: { - azureADOnlyAuthentication: true - login: 'John Doe' // if application can be anything - sid: '[[objectId]]' // if application the object ID - 'principalType' : 'User' // options: 'User' 'Group' 'Application' - tenantId: '[[tenantId]]' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed SQL server. | -| `resourceGroupName` | string | The resource group of the deployed SQL server. | -| `resourceId` | string | The resource ID of the deployed SQL server. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Admin

- -
- -via Bicep module - -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' - params: { - // Required parameters - name: 'sqlsadmin' - // Non-required parameters - administrators: { - azureADOnlyAuthentication: true - login: 'myspn' - principalType: 'Application' - sid: '' - tenantId: '' - } - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsadmin" - }, - // Non-required parameters - "administrators": { - "value": { - "azureADOnlyAuthentication": true, - "login": "myspn", - "principalType": "Application", - "sid": "", - "tenantId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -

Example 2: Common

- -
- -via Bicep module - -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlscom' - params: { - // Required parameters - name: 'sqlscom' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - backupLongTermRetentionPolicy: { - monthlyRetention: 'P6M' - } - backupShortTermRetentionPolicy: { - retentionDays: 14 - } - capacity: 0 - collation: 'SQL_Latin1_General_CP1_CI_AS' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - elasticPoolId: '' - encryptionProtectorObj: { - serverKeyName: '' - serverKeyType: 'AzureKeyVault' - } - licenseType: 'LicenseIncluded' - maxSizeBytes: 34359738368 - name: 'sqlscomdb-001' - skuName: 'ElasticPool' - skuTier: 'GeneralPurpose' - } - ] - elasticPools: [ - { - maintenanceConfigurationId: '' - name: 'sqlscom-ep-001' - skuCapacity: 10 - skuName: 'GP_Gen5' - skuTier: 'GeneralPurpose' - } - ] - enableDefaultTelemetry: '' - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - ] - keys: [ - { - name: '' - serverKeyType: 'AzureKeyVault' - uri: '' - } - ] - location: '' - lock: 'CanNotDelete' - primaryUserAssignedIdentityId: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - restrictOutboundNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - securityAlertPolicies: [ - { - emailAccountAdmins: true - name: 'Default' - state: 'Enabled' - } - ] - systemAssignedIdentity: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the 
resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - name: 'newVnetRule1' - virtualNetworkSubnetId: '' - } - ] - vulnerabilityAssessmentsObj: { - emailSubscriptionAdmins: true - name: 'default' - recurringScansEmails: [ - 'test1@contoso.com' - 'test2@contoso.com' - ] - recurringScansIsEnabled: true - storageAccountResourceId: '' - } - } -} -``` - -
-

- -

- -via JSON Parameter file +via JSON Parameter file ```json { @@ -647,11 +375,162 @@ module server './sql/server/main.bicep' = { "location": { "value": "" }, - "lock": { - "value": "CanNotDelete" + "lock": { + "value": "CanNotDelete" + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "sqlServer", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "restrictOutboundNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPolicies": { + "value": [ + { + "emailAccountAdmins": true, + "name": "Default", + "state": "Enabled" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "virtualNetworkRules": { + "value": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "name": "newVnetRule1", + "virtualNetworkSubnetId": "" + } + ] + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "" + } + } + } +} +``` + +
+

+ +

Example 3: Pe

+ +
+ +via Bicep module + +```bicep +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlspe' + params: { + // Required parameters + name: 'sqlspe' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + enableDefaultTelemetry: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] + } + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlspe" + }, + // Non-required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" }, - "primaryUserAssignedIdentityId": { - "value": "" + "enableDefaultTelemetry": { + "value": "" }, "privateEndpoints": { "value": [ @@ -671,63 +550,98 @@ module server './sql/server/main.bicep' = { } ] }, - "restrictOutboundNetworkAccess": { - "value": "Disabled" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "securityAlertPolicies": { - "value": [ - { - "emailAccountAdmins": true, - "name": "Default", - "state": "Enabled" - } - ] - }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} + } + } +} +``` + +
+

+ +

Example 4: Secondary

+ +
+ +via Bicep module + +```bicep +module server './sql/server/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-sqlsec' + params: { + // Required parameters + name: 'sqlsec-sec' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + createMode: 'Secondary' + maxSizeBytes: 2147483648 + name: '' + skuName: 'Basic' + skuTier: 'Basic' + sourceDatabaseResourceId: '' } + ] + enableDefaultTelemetry: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlsec-sec" }, - "virtualNetworkRules": { + // Non-required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "databases": { "value": [ { - "ignoreMissingVnetServiceEndpoint": true, - "name": "newVnetRule1", - "virtualNetworkSubnetId": "" + "createMode": "Secondary", + "maxSizeBytes": 2147483648, + "name": "", + "skuName": "Basic", + "skuTier": "Basic", + "sourceDatabaseResourceId": "" } ] }, - "vulnerabilityAssessmentsObj": { + "enableDefaultTelemetry": { + "value": "" + }, + "tags": { "value": { - "emailSubscriptionAdmins": true, - "name": "default", - "recurringScansEmails": [ - "test1@contoso.com", - "test2@contoso.com" - ], - "recurringScansIsEnabled": true, - "storageAccountResourceId": "" + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" } } } @@ -737,187 +651,277 @@ module server './sql/server/main.bicep' = {

-

Example 3: Pe

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `administrators` + +Configure Azure Active Directory Authentication method for server administrator. +

-via Bicep module +Parameter JSON format -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlspe' - params: { - // Required parameters - name: 'sqlspe' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - enableDefaultTelemetry: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'sqlServer' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +```json +"administrators": { + "value": { + "azureADOnlyAuthentication": true, + "login": "John Doe", // if application can be anything + "sid": "[[objectId]]", // if application, the object ID + "principalType" : "User", // options: "User", "Group", "Application" + "tenantId": "[[tenantId]]" } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlspe" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, - "service": "sqlServer", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } +```bicep +administrators: { + azureADOnlyAuthentication: true + login: 'John Doe' // if application can be anything + sid: '[[objectId]]' // if application the object ID + 'principalType' : 'User' // options: 'User' 'Group' 'Application' + tenantId: '[[tenantId]]' } ```

-

Example 4: Secondary

+### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-via Bicep module +Parameter JSON format -```bicep -module server './sql/server/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-sqlsec' - params: { - // Required parameters - name: 'sqlsec-sec' - // Non-required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - databases: [ - { - createMode: 'Secondary' - maxSizeBytes: 2147483648 - name: '' - skuName: 'Basic' - skuTier: 'Basic' - sourceDatabaseResourceId: '' - } +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } ] - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sqlsec-sec" - }, - // Non-required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "databases": { - "value": [ - { - "createMode": "Secondary", - "maxSizeBytes": 2147483648, - "name": "", - "skuName": "Basic", - "skuTier": "Basic", - "sourceDatabaseResourceId": "" +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] } - } -} + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] ```
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index a32a026482..9222dae86d 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -7,9 +7,9 @@ This module deploys a Storage Account. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -99,294 +99,6 @@ This module deploys a Storage Account. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `networkAcls` - -

- -Parameter JSON format - -```json -"networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "Deny", - "virtualNetworkRules": [ - { - "action": "Allow", - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001" - } - ], - "ipRules": [ - { - "action": "Allow", - "value": "1.1.1.1" - } - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -networkAcls: { - bypass: 'AzureServices' - defaultAction: 'Deny' - virtualNetworkRules: [ - { - action: 'Allow' - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - } - ] - ipRules: [ - { - action: 'Allow' - value: '1.1.1.1' - } - ] -} -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -398,11 +110,6 @@ userAssignedIdentities: { | `resourceId` | string | The resource ID of the deployed storage account. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -## Considerations - -This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. -The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. - ## Cross-referenced modules This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). @@ -1374,3 +1081,244 @@ module storageAccount './storage/storage-account/main.bicep' = {

+ + +## Notes + +### Considerations + +This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. +The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md index 471cefa283..063b8d60fa 100644 --- a/modules/storage/storage-account/management-policy/README.md +++ b/modules/storage/storage-account/management-policy/README.md @@ -36,87 +36,6 @@ This module deploys a Storage Account Management Policy. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter Usage: `rules` - -

- -Parameter JSON format - -```json -"rules": { - "value": [ - { - "enabled": true, - "name": "retention-policy", - "type": "Lifecycle", - "definition": { - "actions": { - "baseBlob": { - "tierToArchive": { - "daysAfterModificationGreaterThan": 30 - }, - "delete": { - "daysAfterModificationGreaterThan": 1096 - } - }, - "snapshot": { - "delete": { - "daysAfterCreationGreaterThan": 1096 - } - } - }, - "filters": { - "blobTypes": [ - "blockBlob" - ] - } - } - } - ] -} -``` -
- - -
- -Bicep format - -```bicep -rules: [ - { - enabled: true - name: 'retention-policy' - type: 'Lifecycle' - definition: { - actions: { - baseBlob: { - tierToArchive: { - daysAfterModificationGreaterThan: 30 - } - delete: { - daysAfterModificationGreaterThan: 1096 - } - } - snapshot: { - delete: { - daysAfterCreationGreaterThan: 1096 - } - } - } - filters: { - blobTypes: [ - 'blockBlob' - ] - } - } - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index eb2930be2a..f540c885ba 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md @@ -7,7 +7,6 @@ This module deploys a Synapse Workspaces Key. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) - [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types @@ -48,10 +47,6 @@ This module deploys a Synapse Workspaces Key. | `resourceGroupName` | string | The resource group of the deployed key. | | `resourceId` | string | The resource ID of the deployed key. | -## Template references - -- [Workspaces/Keys](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) - ## Cross-referenced modules _None_ diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 03c7dc9eb8..f0c979df4b 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types 
@@ -60,115 +61,394 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu | `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to generate a unique image template name. | -### Parameter Usage: `imageSource` +## Outputs -Tag names and tag values can be provided as needed. A tag can be left without a value. +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The full name of the deployed image template. | +| `namePrefix` | string | The prefix of the image template name provided as input. | +| `resourceGroupName` | string | The resource group the image template was deployed into. | +| `resourceId` | string | The resource ID of the image template. | +| `runThisCommand` | string | The command to run in order to trigger the image build. | -#### Platform Image +## Cross-referenced modules -

+_None_ -Parameter JSON format +## Deployment examples -```json -"source": { - "type": "PlatformImage", - "publisher": "MicrosoftWindowsDesktop", - "offer": "Windows-10", - "sku": "19h2-evd", - "version": "latest" -} -``` +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -
+ >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

-Bicep format +via Bicep module ```bicep -source: { - type: 'PlatformImage' - publisher: 'MicrosoftWindowsDesktop' - offer: 'Windows-10' - sku: '19h2-evd' - version: 'latest' +module imageTemplate './virtual-machine-images/image-template/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitcom' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '10m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win11-22h2-avd' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitcom001' + userMsiName: '' + // Non-required parameters + buildTimeoutInMinutes: 60 + enableDefaultTelemetry: '' + imageReplicationRegions: [] + lock: 'CanNotDelete' + managedImageName: 'mi-vmiitcom-001' + osDiskSizeGB: 127 + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sigImageDefinitionId: '' + sigImageVersion: '' + stagingResourceGroup: '' + subnetId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + unManagedImageName: 'umi-vmiitcom-001' + userAssignedIdentities: [ + '' + ] + userMsiResourceGroup: '' + vmSize: 'Standard_D2s_v3' + } } ```

-#### Managed Image -

-Parameter JSON format +via JSON Parameter file ```json -"source": { - "type": "ManagedImage", - "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" -} -``` - -
- -
- -Bicep format - -```bicep -source: { - type: 'ManagedImage' - imageId: '/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/' +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "10m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-11", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win11-22h2-avd", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitcom001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "buildTimeoutInMinutes": { + "value": 60 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageReplicationRegions": { + "value": [] + }, + "lock": { + "value": "CanNotDelete" + }, + "managedImageName": { + "value": "mi-vmiitcom-001" + }, + "osDiskSizeGB": { + "value": 127 + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sigImageDefinitionId": { + "value": "" + }, + "sigImageVersion": { + "value": "" + }, + "stagingResourceGroup": { + "value": "" + }, + "subnetId": { + "value": "" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "unManagedImageName": { + "value": "umi-vmiitcom-001" + }, + "userAssignedIdentities": { + "value": [ + "" + ] + }, + "userMsiResourceGroup": { + "value": "" + }, + "vmSize": { + "value": "Standard_D2s_v3" + } + } } ```

-#### Shared Image - -

- -Parameter JSON format - -```json -"source": { - "type": "SharedImageVersion", - "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" -} -``` - -
+

Example 2: Min

-Bicep format +via Bicep module ```bicep -source: { - type: 'SharedImageVersion' - imageVersionID: '/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/' +module imageTemplate './virtual-machine-images/image-template/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitmin' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '30m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-10' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win10-22h2-ent' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitmin001' + userMsiName: '' + // Non-required parameters + enableDefaultTelemetry: '' + managedImageName: 'mi-vmiitmin-001' + userMsiResourceGroup: '' + } } ```

-### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. -

-Parameter JSON format +via JSON Parameter file ```json -"tags": { - "value": { - "Environment": "Non-Prod", +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "30m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-10", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win10-22h2-ent", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitmin001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedImageName": { + "value": "mi-vmiitmin-001" + }, + "userMsiResourceGroup": { + "value": "" + } + } +} +``` + +
+

+ + +## Notes + +### Parameter Usage: `imageSource` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +#### Platform Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "PlatformImage", + "publisher": "MicrosoftWindowsDesktop", + "offer": "Windows-10", + "sku": "19h2-evd", + "version": "latest" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'PlatformImage' + publisher: 'MicrosoftWindowsDesktop' + offer: 'Windows-10' + sku: '19h2-evd' + version: 'latest' +} +``` + +
+

+ +#### Managed Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "ManagedImage", + "imageId": "/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'ManagedImage' + imageId: '/subscriptions//resourceGroups/{destinationResourceGroupName}/providers/Microsoft.Compute/images/' +} +``` + +
+

+ +#### Shared Image + +

+ +Parameter JSON format + +```json +"source": { + "type": "SharedImageVersion", + "imageVersionID": "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/" +} +``` + +
+ +
+ +Bicep format + +```bicep +source: { + type: 'SharedImageVersion' + imageVersionID: '/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/' +} +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", "Contact": "test.user@testcompany.com", "PurchaseOrder": "1234", "CostCenter": "7890", @@ -322,279 +602,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The full name of the deployed image template. | -| `namePrefix` | string | The prefix of the image template name provided as input. | -| `resourceGroupName` | string | The resource group the image template was deployed into. | -| `resourceId` | string | The resource ID of the image template. | -| `runThisCommand` | string | The command to run in order to trigger the image build. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitcom' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '10m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-11' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win11-22h2-avd' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitcom001' - userMsiName: '' - // Non-required parameters - buildTimeoutInMinutes: 60 - enableDefaultTelemetry: '' - imageReplicationRegions: [] - lock: 'CanNotDelete' - managedImageName: 'mi-vmiitcom-001' - osDiskSizeGB: 127 - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sigImageDefinitionId: '' - sigImageVersion: '' - stagingResourceGroup: '' - subnetId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - unManagedImageName: 'umi-vmiitcom-001' - userAssignedIdentities: [ - '' - ] - userMsiResourceGroup: '' - vmSize: 'Standard_D2s_v3' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "10m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-11", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win11-22h2-avd", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitcom001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "buildTimeoutInMinutes": { - "value": 60 - }, - "enableDefaultTelemetry": { - "value": "" - }, - "imageReplicationRegions": { - "value": [] - }, - "lock": { - "value": "CanNotDelete" - }, - "managedImageName": { - "value": "mi-vmiitcom-001" - }, - "osDiskSizeGB": { - "value": 127 - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sigImageDefinitionId": { - "value": "" - }, - "sigImageVersion": { - "value": "" - }, - "stagingResourceGroup": { - "value": "" - }, - "subnetId": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "unManagedImageName": { - "value": "umi-vmiitcom-001" - }, - "userAssignedIdentities": { - "value": [ - "" - ] - }, - "userMsiResourceGroup": { - "value": "" - }, - "vmSize": { - "value": "Standard_D2s_v3" - } - } -} -``` - -
-

- -

Example 2: Min

- -
- -via Bicep module - -```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitmin' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-10' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win10-22h2-ent' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitmin001' - userMsiName: '' - // Non-required parameters - enableDefaultTelemetry: '' - managedImageName: 'mi-vmiitmin-001' - userMsiResourceGroup: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "30m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-10", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win10-22h2-ent", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitmin001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedImageName": { - "value": "mi-vmiitmin-001" - }, - "userMsiResourceGroup": { - "value": "" - } - } -} -``` - -
-

diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 54a3e74821..bcaf7288a6 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -9,6 +9,7 @@ This module deploys an App Service Environment. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -71,174 +72,6 @@ This module deploys an App Service Environment. | `zoneRedundant` | bool | `False` | | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | -### Parameter Usage: `clusterSettings` - -

- -Parameter JSON format - -```json -"clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] -} -``` - -
- - -
- -Bicep format - -```bicep -clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } -] -``` - -
- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -568,3 +401,139 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 21bd28da66..c3fa426a14 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -9,6 +9,7 @@ This module deploys an App Service Plan. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -53,143 +54,6 @@ This module deploys an App Service Plan. | `zoneRedundant` | bool | `False` | | When true, this App Service Plan will perform availability zone balancing. | -### Parameter Usage: `sku` - -

- -Parameter JSON format - -```json -"sku": { - "value": { - "name": "P1v2", - "tier": "PremiumV2", - "size": "P1v2", - "family": "Pv2", - "capacity": 1 - } -} -``` - -
- -
- -Bicep format - -```bicep -sku: { - name: 'P1v2' - tier: 'PremiumV2' - size: 'P1v2' - family: 'Pv2' - capacity: 1 -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -322,3 +186,106 @@ module serverfarm './web/serverfarm/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 089772fd28..0591052d17 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -9,6 +9,7 @@ This module deploys a Web or Function App. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -91,339 +92,6 @@ This module deploys a Web or Function App. | `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -

- -Parameter JSON format - -```json -"appSettingsKeyValuePairs": { - "value": { - "AzureFunctionsJobHost__logging__logLevel__default": "Trace", - "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "dotnet" - } -} -``` - -
- -
- -Bicep format - -```bicep -appSettingsKeyValuePairs: { - AzureFunctionsJobHost__logging__logLevel__default: 'Trace' - EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' - FUNCTIONS_EXTENSION_VERSION: '~4' - FUNCTIONS_WORKER_RUNTIME: 'dotnet' -} -``` - -
-

- -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- -### Parameter Usage: `siteConfig` - -The site config. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1075,128 +743,403 @@ module site './web/site/main.bicep' = { "slots": { "value": [ { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", - "hybridConnectionRelays": [ - { - "resourceId": "", - "sendKeyName": "defaultSender" - } - ], - "name": "slot1", - "privateEndpoints": [ + "diagnosticEventHubAuthorizationRuleId": "", + "diagnosticEventHubName": "", + "diagnosticStorageAccountId": "", + "diagnosticWorkspaceId": "", + "hybridConnectionRelays": [ + { + "resourceId": "", + "sendKeyName": "defaultSender" + } + ], + "name": "slot1", + "privateEndpoints": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" + ] + }, + "service": "sites", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ], + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "siteConfig": { + "alwaysOn": true, + "metadata": [ + { + "name": "CURRENT_STACK", + "value": "dotnetcore" + } + ] + } + }, + { + "name": "slot2" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "vnetContentShareEnabled": { + "value": true + }, + "vnetImagePullEnabled": { + "value": true + }, + "vnetRouteAllEnabled": { + "value": true + } + } +} +``` + + +

+ +

Example 4: Webappmin

+ +
+ +via Bicep module + +```bicep +module site './web/site/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-wswamin' + params: { + // Required parameters + kind: 'app' + name: 'wswamin001' + serverFarmResourceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "app" + }, + "name": { + "value": "wswamin001" + }, + "serverFarmResourceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ + +## Notes + + +### Parameter Usage: `appSettingsKeyValuePairs` + +AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). +For all other app settings key-value pairs use this object. + +

+ +Parameter JSON format + +```json +"appSettingsKeyValuePairs": { + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' ] - }, - "service": "sites", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } - ], - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' } - ], - "siteConfig": { - "alwaysOn": true, - "metadata": [ - { - "name": "CURRENT_STACK", - "value": "dotnetcore" - } - ] } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] }, { - "name": "slot2" + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" } - ] - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, - "vnetContentShareEnabled": { - "value": true - }, - "vnetImagePullEnabled": { - "value": true - }, - "vnetRouteAllEnabled": { - "value": true - } - } + ] } ``` +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` +

-

Example 4: Webappmin

+### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value.
-via Bicep module +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format ```bicep -module site './web/site/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-wswamin' - params: { - // Required parameters - kind: 'app' - name: 'wswamin001' - serverFarmResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' } ```

+### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: +

-via JSON Parameter file +Parameter JSON format ```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "app" - }, - "name": { - "value": "wswamin001" - }, - "serverFarmResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} } - } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ``` diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md index 7400841fc1..3be5e82252 100644 --- a/modules/web/site/config--appsettings/README.md +++ b/modules/web/site/config--appsettings/README.md @@ -8,6 +8,7 @@ This module deploys a Site App Setting. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -40,6 +41,20 @@ This module deploys a Site App Setting. | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the site config. | +| `resourceGroupName` | string | The resource group the site config was deployed into. | +| `resourceId` | string | The resource ID of the site config. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `appSettingsKeyValuePairs` AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). @@ -85,15 +100,3 @@ appSettingsKeyValuePairs: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the site config. | -| `resourceGroupName` | string | The resource group the site config was deployed into. | -| `resourceId` | string | The resource ID of the site config. | - -## Cross-referenced modules - -_None_ diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md index 827a7b7b85..94dad58be5 100644 --- a/modules/web/site/config--authsettingsv2/README.md +++ b/modules/web/site/config--authsettingsv2/README.md @@ -37,37 +37,6 @@ This module deploys a Site Auth Settings V2 Configuration. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 3e3340731a..abfd53c9aa 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -8,6 +8,7 @@ This module deploys a Web or Function App Deployment Slot. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource types @@ -89,65 +90,44 @@ This module deploys a Web or Function App Deployment Slot. | `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | -### Parameter Usage: `appSettingsKeyValuePairs` - -AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). -For all other app settings key-value pairs use this object. - -

- -Parameter JSON format +## Outputs -```json -"appSettingsKeyValuePairs": { - "value": [ - { - "name": "key1", - "value": "val1" - }, - { - "name": "key2", - "value": "val2" - } - ] -} -``` +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the slot. | +| `resourceGroupName` | string | The resource group the slot was deployed into. | +| `resourceId` | string | The resource ID of the slot. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -
+## Cross-referenced modules -
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -Bicep format +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -```bicep -appSettingsKeyValuePairs: [ - { - name: 'key1' - value: 'val1' - } - { - name: 'key2' - value: 'val2' - } -] -``` +## Notes -
-

-### Parameter Usage: `authSettingV2Configuration` +### Parameter Usage: `appSettingsKeyValuePairs` -The auth settings V2 configuration. +AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). +For all other app settings key-value pairs use this object.

Parameter JSON format ```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] +"appSettingsKeyValuePairs": { + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } } ``` @@ -158,42 +138,14 @@ The auth settings V2 configuration. Bicep format ```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- -### Parameter Usage: `siteConfig` - -The site config. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties - ] +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' } ``` -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites?tabs=bicep#siteconfig for possible properties -] -``` -

@@ -429,21 +381,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the slot. | -| `resourceGroupName` | string | The resource group the slot was deployed into. | -| `resourceId` | string | The resource ID of the slot. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index 1b098e1a68..e41825e801 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md @@ -8,6 +8,7 @@ This module deploys a Site Slot App Setting. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types 
@@ -41,6 +42,20 @@ This module deploys a Site Slot App Setting. | `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the slot config. | +| `resourceGroupName` | string | The resource group the slot config was deployed into. | +| `resourceId` | string | The resource ID of the slot config. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `appSettingsKeyValuePairs` AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). @@ -52,16 +67,12 @@ For all other app settings key-value pairs use this object. ```json "appSettingsKeyValuePairs": { - "value": [ - { - "name": "key1", - "value": "val1" - }, - { - "name": "key2", - "value": "val2" - } - ] + "value": { + "AzureFunctionsJobHost__logging__logLevel__default": "Trace", + "EASYAUTH_SECRET": "https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password", + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "dotnet" + } } ``` @@ -72,29 +83,16 @@ For all other app settings key-value pairs use this object.

Bicep format ```bicep -appSettingsKeyValuePairs: [ - { - name: 'key1' - value: 'val1' - } - { - name: 'key2' - value: 'val2' - } -] +appSettingsKeyValuePairs: { + AzureFunctionsJobHost__logging__logLevel__default: 'Trace' + EASYAUTH_SECRET: 'https://adp-[[namePrefix]]-az-kv-x-001.vault.azure.net/secrets/Modules-Test-SP-Password' + FUNCTIONS_EXTENSION_VERSION: '~4' + FUNCTIONS_WORKER_RUNTIME: 'dotnet' +} ```

-## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the slot config. | -| `resourceGroupName` | string | The resource group the slot config was deployed into. | -| `resourceId` | string | The resource ID of the slot config. | - -## Cross-referenced modules - -_None_ + +

diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index 1af48618ea..ecd2214ba4 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md @@ -38,37 +38,6 @@ This module deploys a Site Auth Settings V2 Configuration. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -### Parameter Usage: `authSettingV2Configuration` - -The auth settings V2 configuration. - -

- -Parameter JSON format - -```json -"siteConfig": { - "value": [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties - ] -} -``` - -
- -
- -Bicep format - -```bicep -siteConfig: [ - // Check out https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep#siteauthsettingsv2properties for possible properties -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index b58b5ceebf..b471b37790 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -9,6 +9,7 @@ This module deploys a Static Web App. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -59,272 +60,6 @@ This module deploys a Static Web App. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `customDomains` - -

- -Parameter JSON format - -```json -"customDomains": { - "value": [ - "[[namePrefix]]domain1.domain", - "[[namePrefix]]domain2.domain.domain", - "[[namePrefix]]domain3.domain.domain.domain" - ] -} -``` - -
- -
- -Bicep format - -```bicep -customDomains: [ - 'carmldomain1.domain' - 'carmldomain2.domain.domain' - 'carmldomain3.domain.domain.domain' -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -566,3 +301,239 @@ module staticSite './web/static-site/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

From 364ea6aa2f5022442a931cd206a93962bbb76967 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Fri, 13 Oct 2023 23:30:01 +0200 Subject: [PATCH 021/178] [AVM] Updated Readme's to support AVM transition - Part (-2) (#4078) * rg * ds * Recovery Vault * policy * Workspace * von * vpn gw * vn gw * Update to latest * VNET * Hub connection * traffigmanager * Routes * Private Link Service * Regen readmes * Compiled template --- .../network/private-link-service/README.md | 636 ++++------ .../network/private-link-service/main.bicep | 6 +- .../network/private-link-service/main.json | 14 +- modules/network/route-table/README.md | 293 ++--- .../network/trafficmanagerprofile/README.md | 342 +++--- .../hub-virtual-network-connection/README.md | 4 - .../network/virtual-network-gateway/README.md | 270 ++--- modules/network/virtual-network/README.md | 408 ++----- .../network/virtual-network/subnet/README.md | 110 +- .../virtual-network-peering/README.md | 7 - modules/network/vpn-gateway/README.md | 240 ++-- .../vpn-gateway/vpn-connection/README.md | 27 +- modules/network/vpn-site/README.md | 403 +++--- .../operational-insights/workspace/README.md | 539 +++------ modules/policy-insights/remediation/README.md | 229 ++-- modules/recovery-services/vault/README.md | 1078 ++++------------- .../vault/backup-policy/README.md | 182 --- .../vault/replication-fabric/README.md | 51 - .../README.md | 47 - modules/resources/deployment-script/README.md | 157 ++- modules/resources/resource-group/README.md | 209 ++-- 21 files changed, 1737 insertions(+), 3515 deletions(-) diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 9709de3864..ad8c02cae2 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md 
@@ -9,6 +9,7 @@ This module deploys a Private Link Service. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types 
@@ -32,18 +33,275 @@ This module deploys a Private Link Service. | :-- | :-- | :-- | :-- | :-- | | `autoApproval` | object | `{object}` | | The auto-approval list of the private link service. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableProxyProtocol` | bool | `False` | | Whether the private link service is enabled for proxy protocol or not. | +| `enableProxyProtocol` | bool | `False` | | Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. | | `extendedLocation` | object | `{object}` | | The extended location of the load balancer. | | `fqdns` | array | `[]` | | The list of Fqdn. | | `ipConfigurations` | array | `[]` | | An array of private link service IP configurations. | -| `loadBalancerFrontendIpConfigurations` | array | `[]` | | An array of references to the load balancer IP configurations. | +| `loadBalancerFrontendIpConfigurations` | array | `[]` | | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | -| `visibility` | object | `{object}` | | The visibility list of the private link service. | +| `visibility` | object | `{object}` | | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the private link service. | +| `resourceGroupName` | string | The resource group the private link service was deployed into. | +| `resourceId` | string | The resource ID of the private link service. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module privateLinkService './network/private-link-service/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-nplscom' + params: { + // Required parameters + name: 'nplscom001' + // Non-required parameters + autoApproval: { + subscriptions: [ + '*' + ] + } + enableDefaultTelemetry: '' + enableProxyProtocol: true + fqdns: [ + 'nplscom.plsfqdn01.azure.privatelinkservice' + 'nplscom.plsfqdn02.azure.privatelinkservice' + ] + ipConfigurations: [ + { + name: 'nplscom01' + properties: { + primary: true + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: '' + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: '' + } + ] + lock: 'CanNotDelete' + roleAssignments: [ + { + principalIds: [ + '' + ] + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + visibility: { + subscriptions: [ + '' + ] + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nplscom001" + }, + // Non-required parameters + "autoApproval": { + "value": { + "subscriptions": [ + "*" + ] + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableProxyProtocol": { + "value": true + }, + "fqdns": { + "value": [ + "nplscom.plsfqdn01.azure.privatelinkservice", + "nplscom.plsfqdn02.azure.privatelinkservice" + ] + }, + "ipConfigurations": { + "value": [ + { + "name": "nplscom01", + "properties": { + "primary": true, + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "" + } + } + } + ] + }, + "loadBalancerFrontendIpConfigurations": { + "value": [ + { + "id": "" + } + ] + }, + "lock": { + "value": "CanNotDelete" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "visibility": { + "value": { + "subscriptions": [ + "" + ] + } + } + } +} +``` + +
+

+ +

Example 2: Min

+ +
+ +via Bicep module + +```bicep +module privateLinkService './network/private-link-service/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-nplsmin' + params: { + // Required parameters + name: 'nplsmin001' + // Non-required parameters + enableDefaultTelemetry: '' + ipConfigurations: [ + { + name: 'nplsmin01' + properties: { + subnet: { + id: '' + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: '' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nplsmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipConfigurations": { + "value": [ + { + "name": "nplsmin01", + "properties": { + "subnet": { + "id": "" + } + } + } + ] + }, + "loadBalancerFrontendIpConfigurations": { + "value": [ + { + "id": "" + } + ] + } + } +} +``` + +
+

+ + +## Notes + ### Parameter Usage: `ipConfigurations` This property refers to the NAT (Network Address Translation) IP configuration for the Private Link service. The NAT IP can be chosen from any subnet in a service provider's virtual network. Private Link service performs destination side NAT-ing on the Private Link traffic. This ensures that there is no IP conflict between source (consumer side) and destination (service provider) address space. On the destination side (service provider side), the NAT IP address will show up as Source IP for all packets received by your service and destination IP for all packets sent by your service. @@ -117,43 +375,6 @@ ipConfigurations: [

-### Parameter Usage: `loadBalancerFrontendIpConfigurations` - -Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. - -

- -Parameter JSON format - -```json -"loadBalancerFrontendIpConfigurations": { - "value": [ - // Example showing reference to the font end IP configuration of the load balancer - { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/loadBalancers/adp-[[namePrefix]]-az-lb-internal-001/frontendIPConfigurations/privateIPConfig1" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -loadBalancerFrontendIpConfigurations: [ - // Example showing reference to the font end IP configuration of the load balancer - { - id: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/loadBalancers/adp-[[namePrefix]]-az-lb-internal-001/frontendIPConfigurations/privateIPConfig1' - } -] -``` - -
-

- ### Parameter Usage: `extendedLocation` This is the Edge Zone ID of the Edge Zone corresponding to the region in which the resource is deployed. More information is available here: [Azure Edge Zone ID](https://learn.microsoft.com/en-us/azure/public-multi-access-edge-compute-mec/key-concepts#azure-edge-zone-id). @@ -228,85 +449,8 @@ autoApproval: [ // Example to auto-approve a specific set of subscriptions. This should always be a subset of the subscriptions provided under "visibility" autoApproval: [ - '12345678-1234-1234-1234-123456781234' // Subscription 1 - '87654321-1234-1234-1234-123456781234' // Subscription 2 -] -``` - - -

- -### Parameter Usage: `visibility` - -Visibility is the property that controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. - -

- -Parameter JSON format - -```json -"visibility": { - "value" - // Example showing usage of visibility param - "subscriptions": [ - "12345678-1234-1234-1234-123456781234", // Subscription 1 - "87654321-1234-1234-1234-123456781234", // Subscription 2 - "12341234-1234-1234-1234-123456781234" // Subscription 3 - ] -} -``` - -
- -
- -Bicep format - -```bicep -visibility: { - subscriptions: [ - '12345678-1234-1234-1234-123456781234' // Subscription 1 - '87654321-1234-1234-1234-123456781234' // Subscription 2 - '12341234-1234-1234-1234-123456781234' // Subscription 3 - ] -} -``` - -
-

- -### Parameter Usage: `enableProxyProtocol` - -This property lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. - -### Parameter Usage: `fqdns` - -This property lets you set the fqdn(s) to access the Private Link service. -

- -Parameter JSON format - -```json -"fqdns": { - // Example to set FQDNs for the Private Link service - "value": [ - "pls01.azure.privatelinkservice", // FQDN 1 - "pls01-duplicate.azure.privatelinkserivce" // FQDN 2 - ] -} -``` - -
- -
- -Bicep format - -```bicep -fqdns: [ - // Example to set FQDNs for the Private Link service - 'pls01.azure.privatelinkservice' - 'pls01-duplicate.azure.privatelinkservice' + '12345678-1234-1234-1234-123456781234' // Subscription 1 + '87654321-1234-1234-1234-123456781234' // Subscription 2 ] ``` @@ -412,257 +556,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private link service. | -| `resourceGroupName` | string | The resource group the private link service was deployed into. | -| `resourceId` | string | The resource ID of the private link service. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module privateLinkService './network/private-link-service/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-nplscom' - params: { - // Required parameters - name: 'nplscom001' - // Non-required parameters - autoApproval: { - subscriptions: [ - '*' - ] - } - enableDefaultTelemetry: '' - enableProxyProtocol: true - fqdns: [ - 'nplscom.plsfqdn01.azure.privatelinkservice' - 'nplscom.plsfqdn02.azure.privatelinkservice' - ] - ipConfigurations: [ - { - name: 'nplscom01' - properties: { - primary: true - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - lock: 'CanNotDelete' - roleAssignments: [ - { - principalIds: [ - '' - ] - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - visibility: { - subscriptions: [ - '' - ] - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplscom001" - }, - // Non-required parameters - "autoApproval": { - "value": { - "subscriptions": [ - "*" - ] - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableProxyProtocol": { - "value": true - }, - "fqdns": { - "value": [ - "nplscom.plsfqdn01.azure.privatelinkservice", - "nplscom.plsfqdn02.azure.privatelinkservice" - ] - }, - "ipConfigurations": { - "value": [ - { - "name": "nplscom01", - "properties": { - "primary": true, - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - }, - "lock": { - "value": "CanNotDelete" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "visibility": { - "value": { - "subscriptions": [ - "" - ] - } - } - } -} -``` - -
-

- -

Example 2: Min

- -
- -via Bicep module - -```bicep -module privateLinkService './network/private-link-service/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-nplsmin' - params: { - // Required parameters - name: 'nplsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipConfigurations: [ - { - name: 'nplsmin01' - properties: { - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipConfigurations": { - "value": [ - { - "name": "nplsmin01", - "properties": { - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - } - } -} -``` - -
-

diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep
index cc1f2dccdc..e9f91ecae5 100644
--- a/modules/network/private-link-service/main.bicep
+++ b/modules/network/private-link-service/main.bicep
@@ -25,7 +25,7 @@ param extendedLocation object = {}
 @description('Optional. The auto-approval list of the private link service.')
 param autoApproval object = {}
-@description('Optional. Whether the private link service is enabled for proxy protocol or not.')
+@description('Optional. Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header.')
 param enableProxyProtocol bool = false
 @description('Optional. The list of Fqdn.')
@@ -34,10 +34,10 @@ param fqdns array = []
 @description('Optional. An array of private link service IP configurations.')
 param ipConfigurations array = []
-@description('Optional. An array of references to the load balancer IP configurations.')
+@description('Optional. An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations.')
 param loadBalancerFrontendIpConfigurations array = []
-@description('Optional. The visibility list of the private link service.')
+@description('Optional. Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions.')
 param visibility object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json
index d355611b6c..fedfe30695 100644
--- a/modules/network/private-link-service/main.json
+++ b/modules/network/private-link-service/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5269294083779286611"
+ "version": "0.22.6.54827",
+ "templateHash": "15026904267969319263"
 },
 "name": "Private Link Services",
 "description": "This module deploys a Private Link Service.",
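Review bot: The new `visibility` description on the `-@description`/`+@description` pair before `param visibility object = {}` explains the three exposure modes but does not say which one the module's own default, an empty object, results in, nor that `subscriptions: ['*']` makes the service discoverable by every Azure subscription. I would append to the description: `Leave empty to keep the platform default; use subscriptions: ['*'] only when the service must be discoverable by all Azure subscriptions, and keep the autoApproval list a subset of this list.` The subset rule is already stated in this module's README note for autoApproval, so carrying it on the parameter keeps the two in step. If I read the platform behaviour correctly, an empty visibility object yields RBAC-only exposure, which is the restrictive choice; confirm that before stating it as the default in the description.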
@@ -62,7 +62,7 @@
 "type": "bool",
 "defaultValue": false,
 "metadata": {
- "description": "Optional. Whether the private link service is enabled for proxy protocol or not."
+ "description": "Optional. Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header."
 }
 },
 "fqdns": {
@@ -83,14 +83,14 @@
 "type": "array",
 "defaultValue": [],
 "metadata": {
- "description": "Optional. An array of references to the load balancer IP configurations."
+ "description": "Optional. An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations."
 }
 },
 "visibility": {
 "type": "object",
 "defaultValue": {},
 "metadata": {
- "description": "Optional. The visibility list of the private link service."
+ "description": "Optional. Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions."
 }
 },
 "enableDefaultTelemetry": {
@@ -187,8 +187,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5533654870046410263"
+ "version": "0.22.6.54827",
+ "templateHash": "535852805558824015"
 }
 },
 "parameters": {
diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md
index 0d634f3add..345da52329 100644
--- a/modules/network/route-table/README.md
+++ b/modules/network/route-table/README.md
@@ -9,6 +9,7 @@ This module deploys a User Defined Route Table (UDR). - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -39,195 +40,6 @@ This module deploys a User Defined Route Table (UDR). | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `routes` - -The `routes` parameter accepts a JSON Array of Route objects to deploy to the Route Table. - -Here's an example of specifying a few routes: - -

- -Parameter JSON format - -```json -"routes": { - "value": [ - { - "name": "tojumpboxes", - "properties": { - "addressPrefix": "172.16.0.48/28", - "nextHopType": "VnetLocal" - } - }, - { - "name": "tosharedservices", - "properties": { - "addressPrefix": "172.16.0.64/27", - "nextHopType": "VnetLocal" - } - }, - { - "name": "toonprem", - "properties": { - "addressPrefix": "10.0.0.0/8", - "nextHopType": "VirtualNetworkGateway" - } - }, - { - "name": "tonva", - "properties": { - "addressPrefix": "172.16.0.0/18", - "nextHopType": "VirtualAppliance", - "nextHopIpAddress": "172.16.0.20" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -routes: [ - { - name: 'tojumpboxes' - properties: { - addressPrefix: '172.16.0.48/28' - nextHopType: 'VnetLocal' - } - } - { - name: 'tosharedservices' - properties: { - addressPrefix: '172.16.0.64/27' - nextHopType: 'VnetLocal' - } - } - { - name: 'toonprem' - properties: { - addressPrefix: '10.0.0.0/8' - nextHopType: 'VirtualNetworkGateway' - } - } - { - name: 'tonva' - properties: { - addressPrefix: '172.16.0.0/18' - nextHopType: 'VirtualAppliance' - nextHopIpAddress: '172.16.0.20' - } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -395,3 +207,106 @@ module routeTable './network/route-table/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 3511923eee..592e9cd99b 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -9,6 +9,7 @@ This module deploys a Traffic Manager Profile. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -52,6 +53,178 @@ This module deploys a Traffic Manager Profile. | `ttl` | int | `60` | | The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the traffic manager was deployed into. | +| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | +| `resourceId` | string | The resource ID of the traffic manager. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ntmpcom' + params: { + // Required parameters + name: '' + relativeName: '' + // Non-required parameters + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + lock: 'CanNotDelete' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "relativeName": { + "value": "" + }, + // Non-required parameters + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +

Example 2: Min

+ +
+ +via Bicep module + +```bicep +module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ntmpmin' + params: { + // Required parameters + name: '' + relativeName: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "relativeName": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ + +## Notes + ### Parameter Usage: `monitorConfig`

@@ -241,172 +414,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the traffic manager was deployed into. | -| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | -| `resourceId` | string | The resource ID of the traffic manager. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpcom' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -

Example 2: Min

- -
- -via Bicep module - -```bicep -module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpmin' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/README.md b/modules/network/virtual-hub/hub-virtual-network-connection/README.md index 6039a55267..bd663aeb43 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/README.md +++ b/modules/network/virtual-hub/hub-virtual-network-connection/README.md @@ -39,10 +39,6 @@ This module deploys a Virtual Hub Virtual Network Connection. | `routingConfiguration` | object | `{object}` | Routing Configuration indicating the associated and propagated route tables for this connection. | -### Parameter Usage: `hubVirtualNetworkConnections` - -... - ## Outputs | Output Name | Type | Description | diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 8eaf06c0d0..f40b952857 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Network Gateway. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -74,173 +75,6 @@ This module deploys a Virtual Network Gateway. | `vpnType` | string | `'RouteBased'` | `[PolicyBased, RouteBased]` | Specifies the VPN type. | -### Parameter Usage: `subnets` - -The `subnets` parameter accepts a JSON Array of `subnet` objects to deploy to the Virtual Network. - -Here's an example of specifying a couple Subnets to deploy: - -

- -Parameter JSON format - -```json -"subnets": { - "value": [ - { - "name": "app", - "properties": { - "addressPrefix": "10.1.0.0/24", - "networkSecurityGroup": { - "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'app-nsg')]" - }, - "routeTable": { - "id": "[resourceId('Microsoft.Network/routeTables', 'app-udr')]" - } - } - }, - { - "name": "data", - "properties": { - "addressPrefix": "10.1.1.0/24" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -subnets: [ - { - name: 'app' - properties: { - addressPrefix: '10.1.0.0/24' - networkSecurityGroup: { - id: '[resourceId('Microsoft.Network/networkSecurityGroups' 'app-nsg')]' - } - routeTable: { - id: '[resourceId('Microsoft.Network/routeTables' 'app-udr')]' - } - } - } - { - name: 'data' - properties: { - addressPrefix: '10.1.1.0/24' - } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -790,3 +624,105 @@ module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = {

+ + +## Notes +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 2664550387..420481c523 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -6,10 +6,10 @@ This module deploys a Virtual Network (vNet). - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -56,290 +56,6 @@ This module deploys a Virtual Network (vNet). | `vnetEncryptionEnforcement` | string | `'AllowUnencrypted'` | `[AllowUnencrypted, DropUnencrypted]` | If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. | -### Parameter Usage: `subnets` - -Below you can find an example for the subnet property's usage. For all remaining properties, please refer to the _[subnet](subnet/README.md)_ readme. - -

- -Template JSON format - -```json -"subnets": { - "value": [ - { - "name": "GatewaySubnet", - "addressPrefix": "10.0.255.0/24" - }, - { - "name": "[[namePrefix]]-az-subnet-x-001", - "addressPrefix": "10.0.0.0/24", - "networkSecurityGroupId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-[[namePrefix]]-az-nsg-x-001", - "serviceEndpoints": [ - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.Sql" - } - ], - "routeTableId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-[[namePrefix]]-az-udr-x-001", - "delegations": [ - { - "name": "netappDel", - "properties": { - "serviceName": "Microsoft.Netapp/volumes" - } - } - ], - "privateEndpointNetworkPolicies": "Disabled", - "privateLinkServiceNetworkPolicies": "Enabled" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -subnets: [ - { - name: 'GatewaySubnet' - addressPrefix: '10.0.255.0/24' - } - { - name: '[[namePrefix]]-az-subnet-x-001' - addressPrefix: '10.0.0.0/24' - networkSecurityGroupId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-[[namePrefix]]-az-nsg-x-001' - serviceEndpoints: [ - { - service: 'Microsoft.Storage' - } - { - service: 'Microsoft.Sql' - } - ] - routeTableId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-[[namePrefix]]-az-udr-x-001' - delegations: [ - { - name: 'netappDel' - properties: { - serviceName: 'Microsoft.Netapp/volumes' - } - } - ] - privateEndpointNetworkPolicies: 'Disabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } -] -``` - -
-

- -### Parameter Usage: `virtualNetworkPeerings` - -As the virtual network peering array allows you to deploy not only a one-way but also two-way peering (i.e reverse), you can use the following ***additional*** properties on top of what is documented in _[virtualNetworkPeering](virtual-network-peering/README.md)_. - -| Parameter Name | Type | Default Value | Possible Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `remotePeeringEnabled` | bool | `false` | | Optional. Set to true to also deploy the reverse peering for the configured remote virtual networks to the local network | -| `remotePeeringName` | string | `'${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}'` | | Optional. The Name of Vnet Peering resource. If not provided, default value will be - | -| `remotePeeringAllowForwardedTraffic` | bool | `true` | | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | -| `remotePeeringAllowGatewayTransit` | bool | `false` | | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. | -| `remotePeeringAllowVirtualNetworkAccess` | bool | `true` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | -| `remotePeeringDoNotVerifyRemoteGateways` | bool | `true` | | Optional. If we need to verify the provisioning state of the remote gateway. | -| `remotePeeringUseRemoteGateways` | bool | `false` | | Optional. If remote gateways can be used on this virtual network. If the flag is set to `true`, and allowGatewayTransit on local peering is also `true`, virtual network will use gateways of local virtual network for transit. Only one peering can have this flag set to `true`. This flag cannot be set if virtual network already has a gateway. | - -

- -Parameter JSON format - -```json -"virtualNetworkPeerings": { - "value": [ - { - "remoteVirtualNetworkId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-peer01", - "allowForwardedTraffic": true, - "allowGatewayTransit": false, - "allowVirtualNetworkAccess": true, - "useRemoteGateways": false, - "remotePeeringEnabled": true, - "remotePeeringName": "customName", - "remotePeeringAllowVirtualNetworkAccess": true, - "remotePeeringAllowForwardedTraffic": true - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -virtualNetworkPeerings: [ - { - remoteVirtualNetworkId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-peer01' - allowForwardedTraffic: true - allowGatewayTransit: false - allowVirtualNetworkAccess: true - useRemoteGateways: false - remotePeeringEnabled: true - remotePeeringName: 'customName' - remotePeeringAllowVirtualNetworkAccess: true - remotePeeringAllowForwardedTraffic: true - } -] -``` - -
-

- -### Parameter Usage: `addressPrefixes` - -The `addressPrefixes` parameter accepts a JSON Array of string values containing the IP Address Prefixes for the Virtual Network (vNet). - -Here's an example of specifying a single Address Prefix: - - -

- -Parameter JSON format - -```json -"addressPrefixes": { - "value": [ - "10.1.0.0/16" - ] -} -``` - -
- -
- -Bicep format - -```bicep -addressPrefixes: [ - '10.1.0.0/16' -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -## Considerations - -The network security group and route table resources must reside in the same resource group as the virtual network. - ## Outputs | Output Name | Type | Description | @@ -737,3 +453,125 @@ module virtualNetwork './network/virtual-network/main.bicep' = {

+ + +## Notes + +### Considerations + +The network security group and route table resources must reside in the same resource group as the virtual network. + +### Parameter Usage: `peerings` + +As the virtual network peering array allows you to deploy not only a one-way but also two-way peering (i.e reverse), you can use the following ***additional*** properties on top of what is documented in _[virtualNetworkPeering](virtual-network-peering/README.md)_. + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `remotePeeringEnabled` | bool | `false` | | Optional. Set to true to also deploy the reverse peering for the configured remote virtual networks to the local network | +| `remotePeeringName` | string | `'${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}'` | | Optional. The Name of Vnet Peering resource. If not provided, default value will be - | +| `remotePeeringAllowForwardedTraffic` | bool | `true` | | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | +| `remotePeeringAllowGatewayTransit` | bool | `false` | | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. | +| `remotePeeringAllowVirtualNetworkAccess` | bool | `true` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | +| `remotePeeringDoNotVerifyRemoteGateways` | bool | `true` | | Optional. If we need to verify the provisioning state of the remote gateway. | +| `remotePeeringUseRemoteGateways` | bool | `false` | | Optional. If remote gateways can be used on this virtual network. If the flag is set to `true`, and allowGatewayTransit on local peering is also `true`, virtual network will use gateways of local virtual network for transit. Only one peering can have this flag set to `true`. 
This flag cannot be set if virtual network already has a gateway. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index 2fcd6f1dff..1d0e363cf6 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -6,9 +6,9 @@ This module deploys a Virtual Network Subnet. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -51,91 +51,21 @@ This module deploys a Virtual Network Subnet. | `serviceEndpoints` | array | `[]` | | The service endpoints to enable on the subnet. | -### Parameter Usage: `delegations` - -

- -Parameter JSON format - -```json -"delegations": [ - { - "name": "sqlMiDel", - "properties": { - "serviceName": "Microsoft.Sql/managedInstances" - } - } -] -``` - -
- -
- -Bicep format - -```bicep -delegations: [ - { - name: 'sqlMiDel' - properties: { - serviceName: 'Microsoft.Sql/managedInstances' - } - } -] -``` - -
-

- -### Parameter Usage: `serviceEndpoints` - -

- -Parameter JSON format - -```json -"serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } -] -``` - -
+## Outputs -
+| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the virtual network peering. | +| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | +| `resourceId` | string | The resource ID of the virtual network peering. | +| `subnetAddressPrefix` | string | The address prefix for the subnet. | +| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | -Bicep format +## Cross-referenced modules -```bicep -serviceEndpoints: [ - { - name: 'Microsoft.EventHub' - } - { - name: 'Microsoft.Sql' - } - { - name: 'Microsoft.Storage' - } - { - name: 'Microsoft.KeyVault' - } -] -``` +_None_ -
-

+## Notes ### Parameter Usage: `roleAssignments` @@ -196,20 +126,6 @@ roleAssignments: [

-## Considerations +### Considerations The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled". - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual network peering. | -| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | -| `resourceId` | string | The resource ID of the virtual network peering. | -| `subnetAddressPrefix` | string | The address prefix for the subnet. | -| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/virtual-network/virtual-network-peering/README.md b/modules/network/virtual-network/virtual-network-peering/README.md index 059f1d9ef1..f5dd0935e8 100644 --- a/modules/network/virtual-network/virtual-network-peering/README.md +++ b/modules/network/virtual-network/virtual-network-peering/README.md @@ -15,13 +15,6 @@ This module deploys a Virtual Network Peering. | :-- | :-- | | `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/virtualNetworkPeerings) | -### Resource dependency - -The following resources are required to be able to deploy this resource. - -- Local Virtual Network (Identified by the `localVnetName` parameter). -- Remote Virtual Network (Identified by the `remoteVirtualNetworkId` parameter) - ## Parameters **Required parameters** diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 283bbfe3cd..dae2760dda 100644 --- a/modules/network/vpn-gateway/README.md 
+++ b/modules/network/vpn-gateway/README.md @@ -9,6 +9,7 @@ This module deploys a VPN Gateway. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -44,124 +45,6 @@ This module deploys a VPN Gateway. | `vpnGatewayScaleUnit` | int | `2` | | The scale unit for this VPN gateway. | -### Parameter Usage: `bgpSettings` - -

- -Parameter JSON format - -```json -"bgpSettings": { - "asn": 65515, - "peerWeight": 0, - "bgpPeeringAddresses": [ - { - "ipconfigurationId": "Instance0", - "defaultBgpIpAddresses": [ - "10.0.0.12" - ], - "customBgpIpAddresses": [], - "tunnelIpAddresses": [ - "20.84.35.53", - "10.0.0.4" - ] - }, - { - "ipconfigurationId": "Instance1", - "defaultBgpIpAddresses": [ - "10.0.0.13" - ], - "customBgpIpAddresses": [], - "tunnelIpAddresses": [ - "20.84.34.225", - "10.0.0.5" - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -bgpSettings: { - asn: 65515 - peerWeight: 0 - bgpPeeringAddresses: [ - { - ipconfigurationId: 'Instance0' - defaultBgpIpAddresses: [ - '10.0.0.12' - ] - customBgpIpAddresses: [] - tunnelIpAddresses: [ - '20.84.35.53' - '10.0.0.4' - ] - } - { - ipconfigurationId: 'Instance1' - defaultBgpIpAddresses: [ - '10.0.0.13' - ] - customBgpIpAddresses: [] - tunnelIpAddresses: [ - '20.84.34.225' - '10.0.0.5' - ] - } - ] -} -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -371,3 +254,124 @@ module vpnGateway './network/vpn-gateway/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `bgpSettings` + +

+ +Parameter JSON format + +```json +"bgpSettings": { + "asn": 65515, + "peerWeight": 0, + "bgpPeeringAddresses": [ + { + "ipconfigurationId": "Instance0", + "defaultBgpIpAddresses": [ + "10.0.0.12" + ], + "customBgpIpAddresses": [], + "tunnelIpAddresses": [ + "20.84.35.53", + "10.0.0.4" + ] + }, + { + "ipconfigurationId": "Instance1", + "defaultBgpIpAddresses": [ + "10.0.0.13" + ], + "customBgpIpAddresses": [], + "tunnelIpAddresses": [ + "20.84.34.225", + "10.0.0.5" + ] + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +bgpSettings: { + asn: 65515 + peerWeight: 0 + bgpPeeringAddresses: [ + { + ipconfigurationId: 'Instance0' + defaultBgpIpAddresses: [ + '10.0.0.12' + ] + customBgpIpAddresses: [] + tunnelIpAddresses: [ + '20.84.35.53' + '10.0.0.4' + ] + } + { + ipconfigurationId: 'Instance1' + defaultBgpIpAddresses: [ + '10.0.0.13' + ] + customBgpIpAddresses: [] + tunnelIpAddresses: [ + '20.84.34.225' + '10.0.0.5' + ] + } + ] +} +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/vpn-gateway/vpn-connection/README.md b/modules/network/vpn-gateway/vpn-connection/README.md index fd46c20e02..624aacd235 100644 --- a/modules/network/vpn-gateway/vpn-connection/README.md +++ b/modules/network/vpn-gateway/vpn-connection/README.md @@ -8,6 +8,7 @@ This module deploys a VPN Gateway VPN Connection. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -50,6 +51,20 @@ This module deploys a VPN Gateway VPN Connection. | `vpnLinkConnections` | array | `[]` | | List of all VPN site link connections to the gateway. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the VPN connection. | +| `resourceGroupName` | string | The name of the resource group the VPN connection was deployed into. | +| `resourceId` | string | The resource ID of the VPN connection. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `routingConfiguration`

@@ -106,15 +121,3 @@ routingConfiguration: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the VPN connection. | -| `resourceGroupName` | string | The name of the resource group the VPN connection was deployed into. | -| `resourceId` | string | The resource ID of the VPN connection. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 36cd83eb33..885dd54c32 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -9,6 +9,7 @@ This module deploys a VPN Site. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -50,271 +51,6 @@ This module deploys a VPN Site. | `vpnSiteLinks` | array | `[]` | | List of all VPN site links. | -### Parameter Usage `o365Policy` - -

- -Parameter JSON format - -```json -"o365Policy": { - "value": { - "breakOutCategories": { - "optimize": true, - "allow": true, - "default": true - } - } -} -``` - -
- - -
- -Bicep format - -```bicep -o365Policy: { - breakOutCategories: { - optimize: true - allow: true - default: true - } -} -``` - -
-

- -### Parameter Usage `deviceProperties` - -

- -Parameter JSON format - -```json -"deviceProperties": { - "value": { - "deviceModel": "morty", - "deviceVendor": "contoso", - "linkSpeedInMbps": 0 - } -} -``` - -
- - -
- -Bicep format - -```bicep -deviceProperties: { - deviceModel: 'morty' - deviceVendor: 'contoso' - linkSpeedInMbps: 0 -} -``` - -
-

- -### Parameter Usage `bgpProperties` - -The BGP properties. Note: This is a deprecated property, please use the corresponding `VpnSiteLinks` property instead. - -

- -Parameter JSON format - -```json -"bgpProperties": { - "value": { - "asn": 65010, - "bgpPeeringAddress": "1.1.1.1", - "peerWeight": 0 - } -} -``` - -
- - -
- -Bicep format - -```bicep -bgpProperties: { - asn: 65010 - bgpPeeringAddress: '1.1.1.1' - peerWeight: 0 -} -``` - -
-

- -### Parameter Usage `vpnSiteLinks` - -An array of links. Should be used instead of the top-level `ipAddress` & `bgpProperties` properties. If using links, one default link with same name and properties as VpnSite itself is mandatory. - -

- -Parameter JSON format - -```json -"vpnSiteLinks": { - "value": [ - { - "name": "[[namePrefix]]-az-vSite-x-001", - "properties": { - "bgpProperties": { - "asn": 65010, - "bgpPeeringAddress": "1.1.1.1" - }, - "ipAddress": "1.2.3.4", - "linkProperties": { - "linkProviderName": "contoso", - "linkSpeedInMbps": 5 - } - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -vpnSiteLinks: [ - { - name: '[[namePrefix]]-az-vSite-x-001' - properties: { - bgpProperties: { - asn: 65010 - bgpPeeringAddress: '1.1.1.1' - } - ipAddress: '1.2.3.4' - linkProperties: { - linkProviderName: 'contoso' - linkSpeedInMbps: 5 - } - } - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -566,3 +302,140 @@ module vpnSite './network/vpn-site/main.bicep' = {

+ + +## Notes + +### Parameter Usage `deviceProperties` + +

+ +Parameter JSON format + +```json +"deviceProperties": { + "value": { + "deviceModel": "morty", + "deviceVendor": "contoso", + "linkSpeedInMbps": 0 + } +} +``` + +
+ + +
+ +Bicep format + +```bicep +deviceProperties: { + deviceModel: 'morty' + deviceVendor: 'contoso' + linkSpeedInMbps: 0 +} +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 6c7f72648d..ef62355818 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -9,6 +9,7 @@ This module deploys a Log Analytics Workspace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -76,408 +77,6 @@ This module deploys a Log Analytics Workspace. | `useResourcePermissions` | bool | `False` | | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | -### Parameter Usage: `gallerySolutions` - -Ref cross-referenced _[solution](../../operations-management/solution/README.md)_ - -

- -Parameter JSON format - -```json -"gallerySolutions": { - "value": [ - { - "name": "AgentHealthAssessment", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AlertManagement", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AntiMalware", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureActivity", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureAutomation", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureCdnCoreAnalytics", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureDataFactoryAnalytics", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureNSGAnalytics", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "AzureSQLAnalytics", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "ChangeTracking", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "Containers", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "InfrastructureInsights", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "KeyVaultAnalytics", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "LogicAppsManagement", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "NetworkMonitoring", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "Security", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "SecurityCenterFree", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "ServiceFabric", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "ServiceMap", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "SQLAssessment", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "Updates", - "product": "OMSGallery", - "publisher": 
"Microsoft" - }, - { - "name": "VMInsights", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "WireData2", - "product": "OMSGallery", - "publisher": "Microsoft" - }, - { - "name": "WaaSUpdateInsights", - "product": "OMSGallery", - "publisher": "Microsoft" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -gallerySolutions: [ - { - name: 'AgentHealthAssessment' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AlertManagement' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AntiMalware' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureActivity' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureAutomation' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureCdnCoreAnalytics' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureDataFactoryAnalytics' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureNSGAnalytics' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'AzureSQLAnalytics' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'ChangeTracking' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'Containers' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'InfrastructureInsights' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'KeyVaultAnalytics' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'LogicAppsManagement' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'NetworkMonitoring' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'Security' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'SecurityCenterFree' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'ServiceFabric' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'ServiceMap' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'SQLAssessment' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'VMInsights' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'WireData2' - product: 'OMSGallery' - publisher: 'Microsoft' - } - { - name: 'WaaSUpdateInsights' - product: 
'OMSGallery' - publisher: 'Microsoft' - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1462,3 +1061,139 @@ module workspace './operational-insights/workspace/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md index b99ddb0e37..cb7a763830 100644 --- a/modules/policy-insights/remediation/README.md +++ b/modules/policy-insights/remediation/README.md @@ -6,10 +6,10 @@ This module deploys a Policy Insights Remediation. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) -- [Module Usage Guidance](#Module-Usage-Guidance) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -43,117 +43,6 @@ This module deploys a Policy Insights Remediation. | `subscriptionId` | string | `''` | | The target scope for the remediation. The subscription ID of the subscription for the policy assignment. | -### Parameter Usage: `managementGroupId` - -To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. - -

- -Parameter JSON format - -```json -"managementGroupId": { - "value": "contoso-group" -} -``` - -
- - -
- -Bicep format - -```bicep -managementGroupId: 'contoso-group' -``` - -
-

- -> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). - -### Parameter Usage: `subscriptionId` - -To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -} -``` - -
- -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -``` - -
-

- -### Parameter Usage: `resourceGroupName` - -To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -

- -Parameter JSON format - -```json -"subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" -}, -"resourceGroupName": { - "value": "target-resourceGroup" -} -``` - -
- - -
- -Bicep format - -```bicep -subscriptionId: '12345678-b049-471c-95af-123456789012' -resourceGroupName: 'target-resourceGroup' -``` - -
-

- -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). - -## Module Usage Guidance - -In general, resources under the `Microsoft.PolicyInsights` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. - -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: - -```bicep -Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" -``` - -The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.PolicyInsights` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: - -**Bicep Registry Reference** -```bicep -module remediation 'br:bicepregistry.azurecr.io/bicep/modules/policyinsights.remediations.subscription:version' = {} -``` -**Local Path Reference** -```bicep -module remediation 'yourpath/module/Authorization.policyinsights/subscription/main.bicep' = {} - ## Outputs | Output Name | Type | Description | @@ -562,3 +451,119 @@ module remediation './policy-insights/remediation/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +

+ +Parameter JSON format + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +
+ + +
+ +Bicep format + +```bicep +managementGroupId: 'contoso-group' +``` + +
+

+ +> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`). + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +
+ +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +``` + +
+

+ +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +

+ +Parameter JSON format + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` + +
+ + +
+ +Bicep format + +```bicep +subscriptionId: '12345678-b049-471c-95af-123456789012' +resourceGroupName: 'target-resourceGroup' +``` + +
+

+ +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). + + +### Module Usage Guidance + +In general, resources under the `Microsoft.PolicyInsights` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.PolicyInsights` namespace, then you can directly use the sub-module ['/subscription/main.bicep'](./subscription/main.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module remediation 'br:bicepregistry.azurecr.io/bicep/modules/policyinsights.remediations.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module remediation 'yourpath/module/Authorization.policyinsights/subscription/main.bicep' = {} +``` diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 3bf4b14d20..fdb0a41276 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -9,6 +9,7 @@ This module deploys a Recovery Services Vault. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -70,847 +71,6 @@ This module deploys a Recovery Services Vault. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `backupStorageConfig` - -

- -Parameter JSON format - -```json -"backupStorageConfig": { - "value": { - "storageModelType": "GeoRedundant", - "crossRegionRestoreFlag": true - } -} -``` - -
- -
- -Bicep format - -```bicep -backupStorageConfig: { - value: { - storageModelType: 'GeoRedundant' - crossRegionRestoreFlag: true - } -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `backupPolicies` - -Array of backup policies. They need to be properly formatted and can be VM backup policies, SQL on VM backup policies or fileshare policies. The following example shows all three types of backup policies. - -

- -Parameter JSON format - -```json -"backupPolicies": { - "value": [ - { - "name": "VMpolicy", - "type": "Microsoft.RecoveryServices/vaults/backupPolicies", - "properties": { - "backupManagementType": "AzureIaasVM", - "instantRPDetails": {}, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T07:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "retentionPolicy": { - "retentionPolicyType": "LongTermRetentionPolicy", - "dailySchedule": { - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 180, - "durationType": "Days" - } - }, - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 12, - "durationType": "Weeks" - } - }, - "monthlySchedule": { - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 60, - "durationType": "Months" - } - }, - "yearlySchedule": { - "retentionScheduleFormatType": "Weekly", - "monthsOfYear": [ - "January" - ], - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - } - } - }, - "instantRpRetentionRangeInDays": 2, - "timeZone": "UTC", - "protectedItemsCount": 0 - } - }, - { - "name": "sqlpolicy", - "type": "Microsoft.RecoveryServices/vaults/backupPolicies", - "properties": { - "backupManagementType": "AzureWorkload", - "workLoadType": "SQLDataBase", - "settings": { - "timeZone": "UTC", - "issqlcompression": true, - "isCompression": true - }, - "subProtectionPolicy": [ - { - "policyType": "Full", - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - 
"scheduleRunFrequency": "Weekly", - "scheduleRunDays": [ - "Sunday" - ], - "scheduleRunTimes": [ - "2019-11-07T22:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "retentionPolicy": { - "retentionPolicyType": "LongTermRetentionPolicy", - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ], - "retentionDuration": { - "count": 104, - "durationType": "Weeks" - } - }, - "monthlySchedule": { - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ], - "retentionDuration": { - "count": 60, - "durationType": "Months" - } - }, - "yearlySchedule": { - "retentionScheduleFormatType": "Weekly", - "monthsOfYear": [ - "January" - ], - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T22:00:00Z" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - } - } - } - }, - { - "policyType": "Differential", - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Weekly", - "scheduleRunDays": [ - "Monday" - ], - "scheduleRunTimes": [ - "2017-03-07T02:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "retentionPolicy": { - "retentionPolicyType": "SimpleRetentionPolicy", - "retentionDuration": { - "count": 30, - "durationType": "Days" - } - } - }, - { - "policyType": "Log", - "schedulePolicy": { - "schedulePolicyType": "LogSchedulePolicy", - "scheduleFrequencyInMins": 120 - }, - "retentionPolicy": { - "retentionPolicyType": "SimpleRetentionPolicy", - "retentionDuration": { - "count": 15, - "durationType": "Days" - } - } - } - ], - "protectedItemsCount": 0 - } - }, - { - "name": "filesharepolicy", - "type": "Microsoft.RecoveryServices/vaults/backupPolicies", - "properties": { - "backupManagementType": "AzureStorage", - "workloadType": 
"AzureFileShare", - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T04:30:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "retentionPolicy": { - "retentionPolicyType": "LongTermRetentionPolicy", - "dailySchedule": { - "retentionTimes": [ - "2019-11-07T04:30:00Z" - ], - "retentionDuration": { - "count": 30, - "durationType": "Days" - } - } - }, - "timeZone": "UTC", - "protectedItemsCount": 0 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backupPolicies: [ - { - name: 'VMpolicy' - type: 'Microsoft.RecoveryServices/vaults/backupPolicies' - properties: { - backupManagementType: 'AzureIaasVM' - instantRPDetails: {} - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T07:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - retentionPolicyType: 'LongTermRetentionPolicy' - dailySchedule: { - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 180 - durationType: 'Days' - } - } - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 12 - durationType: 'Weeks' - } - } - monthlySchedule: { - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 60 - durationType: 'Months' - } - } - yearlySchedule: { - retentionScheduleFormatType: 'Weekly' - monthsOfYear: [ - 'January' - ] - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - } - } - instantRpRetentionRangeInDays: 2 - timeZone: 'UTC' - protectedItemsCount: 0 - } - } - { - name: 'sqlpolicy' - type: 'Microsoft.RecoveryServices/vaults/backupPolicies' - properties: { - backupManagementType: 'AzureWorkload' - workLoadType: 'SQLDataBase' - settings: { - timeZone: 'UTC' - issqlcompression: true - isCompression: true - } - subProtectionPolicy: [ - { - policyType: 'Full' - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Weekly' - scheduleRunDays: [ - 'Sunday' - ] - scheduleRunTimes: [ - '2019-11-07T22:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - 
retentionPolicyType: 'LongTermRetentionPolicy' - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - retentionDuration: { - count: 104 - durationType: 'Weeks' - } - } - monthlySchedule: { - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - retentionDuration: { - count: 60 - durationType: 'Months' - } - } - yearlySchedule: { - retentionScheduleFormatType: 'Weekly' - monthsOfYear: [ - 'January' - ] - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T22:00:00Z' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - } - } - } - { - policyType: 'Differential' - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Weekly' - scheduleRunDays: [ - 'Monday' - ] - scheduleRunTimes: [ - '2017-03-07T02:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - retentionPolicyType: 'SimpleRetentionPolicy' - retentionDuration: { - count: 30 - durationType: 'Days' - } - } - } - { - policyType: 'Log' - schedulePolicy: { - schedulePolicyType: 'LogSchedulePolicy' - scheduleFrequencyInMins: 120 - } - retentionPolicy: { - retentionPolicyType: 'SimpleRetentionPolicy' - retentionDuration: { - count: 15 - durationType: 'Days' - } - } - } - ] - protectedItemsCount: 0 - } - } - { - name: 'filesharepolicy' - type: 'Microsoft.RecoveryServices/vaults/backupPolicies' - properties: { - backupManagementType: 'AzureStorage' - workloadType: 'AzureFileShare' - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T04:30:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - retentionPolicyType: 'LongTermRetentionPolicy' - dailySchedule: { - retentionTimes: [ - '2019-11-07T04:30:00Z' - ] 
- retentionDuration: { - count: 30 - durationType: 'Days' - } - } - } - timeZone: 'UTC' - protectedItemsCount: 0 - } - } -] -``` - -
-

- -### Parameter Usage: `replicationFabrics` - -

-
-Parameter JSON format
-
-```json
-"replicationFabrics": {
- "value": [
- {
- "location": "NorthEurope",
- "replicationContainers": [
- {
- "name": "ne-container1",
- "replicationContainerMappings": [
- {
- "policyName": "Default_values",
- "targetContainerFabricName": "WestEurope-Fabric",
- "targetContainerName": "we-conainer2"
- }
- ]
- }
- ]
- },
- {
- "name": "WestEurope-Fabric", //Optional
- "location": "WestEurope",
- "replicationContainers": [
- {
- "name": "we-conainer2"
- }
- ]
- }
- ]
-},
-```
-
-### Parameter Usage: `replicationPolicies`
-
-
-
-Parameter JSON format
-
-```json
-"replicationPolicies": {
- "value": [
- {
- "name": "Default_values"
- },
- {
- "name": "Custom_values",
- "appConsistentFrequencyInMinutes": 240,
- "crashConsistentFrequencyInMinutes": 7,
- "multiVmSyncStatus": "Disable",
- "recoveryPointHistory": 2880
- }
- ]
-}
-```
-
-
- -
-
-Bicep format
-
-```bicep
-replicationPolicies: [
- {
- name: 'Default_values'
- }
- {
- name: 'Custom_values'
- appConsistentFrequencyInMinutes: 240
- crashConsistentFrequencyInMinutes: 7
- multiVmSyncStatus: 'Disable'
- recoveryPointHistory: 2880
- }
-]
-```
-
-
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1810,3 +970,239 @@ module vault './recovery-services/vault/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +

+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] +``` + +
+

diff --git a/modules/recovery-services/vault/backup-policy/README.md b/modules/recovery-services/vault/backup-policy/README.md index 619df0c550..8490913844 100644 --- a/modules/recovery-services/vault/backup-policy/README.md +++ b/modules/recovery-services/vault/backup-policy/README.md @@ -37,188 +37,6 @@ This module deploys a Recovery Services Vault Backup Policy. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter Usage: `backupPolicyProperties` - -Object continaining the configuration for backup policies. It needs to be properly formatted and can be VM backup policies, SQL on VM backup policies or fileshare policies. The following example shows a VM backup policy. - -

- -Parameter JSON format - -```json -"backupPolicyProperties": { - "value": { - "backupManagementType": "AzureIaasVM", - "instantRPDetails": {}, - "schedulePolicy": { - "schedulePolicyType": "SimpleSchedulePolicy", - "scheduleRunFrequency": "Daily", - "scheduleRunTimes": [ - "2019-11-07T07:00:00Z" - ], - "scheduleWeeklyFrequency": 0 - }, - "retentionPolicy": { - "retentionPolicyType": "LongTermRetentionPolicy", - "dailySchedule": { - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 180, - "durationType": "Days" - } - }, - "weeklySchedule": { - "daysOfTheWeek": [ - "Sunday" - ], - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 12, - "durationType": "Weeks" - } - }, - "monthlySchedule": { - "retentionScheduleFormatType": "Weekly", - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 60, - "durationType": "Months" - } - }, - "yearlySchedule": { - "retentionScheduleFormatType": "Weekly", - "monthsOfYear": [ - "January" - ], - "retentionScheduleWeekly": { - "daysOfTheWeek": [ - "Sunday" - ], - "weeksOfTheMonth": [ - "First" - ] - }, - "retentionTimes": [ - "2019-11-07T07:00:00Z" - ], - "retentionDuration": { - "count": 10, - "durationType": "Years" - } - } - }, - "instantRpRetentionRangeInDays": 2, - "timeZone": "UTC", - "protectedItemsCount": 0 - } -} -``` - -
- - -
- -Bicep format - -```bicep -backupPolicyProperties: { - backupManagementType: 'AzureIaasVM' - instantRPDetails: {} - schedulePolicy: { - schedulePolicyType: 'SimpleSchedulePolicy' - scheduleRunFrequency: 'Daily' - scheduleRunTimes: [ - '2019-11-07T07:00:00Z' - ] - scheduleWeeklyFrequency: 0 - } - retentionPolicy: { - retentionPolicyType: 'LongTermRetentionPolicy' - dailySchedule: { - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 180 - durationType: 'Days' - } - } - weeklySchedule: { - daysOfTheWeek: [ - 'Sunday' - ] - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 12 - durationType: 'Weeks' - } - } - monthlySchedule: { - retentionScheduleFormatType: 'Weekly' - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 60 - durationType: 'Months' - } - } - yearlySchedule: { - retentionScheduleFormatType: 'Weekly' - monthsOfYear: [ - 'January' - ] - retentionScheduleWeekly: { - daysOfTheWeek: [ - 'Sunday' - ] - weeksOfTheMonth: [ - 'First' - ] - } - retentionTimes: [ - '2019-11-07T07:00:00Z' - ] - retentionDuration: { - count: 10 - durationType: 'Years' - } - } - } - instantRpRetentionRangeInDays: 2 - timeZone: 'UTC' - protectedItemsCount: 0 -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/recovery-services/vault/replication-fabric/README.md b/modules/recovery-services/vault/replication-fabric/README.md index 8ffb07971f..e11ecc23d5 100644 --- a/modules/recovery-services/vault/replication-fabric/README.md +++ b/modules/recovery-services/vault/replication-fabric/README.md @@ -42,57 +42,6 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc | `replicationContainers` | array | `[]` | Replication containers to create. | -### Parameter Usage: `replicationContainers` - -

-
-Parameter JSON format
-
-```json
-"replicationContainers": {
- "value": [
- {
- "name": "we-container1",
- "replicationContainerMappings": [ //optional
- {
- "policyName": "Default_values",
- "targetContainerName": "we-container2"
- }
- ]
- },
- {
- "name": "we-container2"
- },
- ]
-}
-```
-
-
- -
-
-Bicep format
-
-```bicep
-replicationContainers: [
- {
- name: 'we-container1'
- replicationContainerMappings: [ //optional
- {
- policyName: 'Default_values'
- targetContainerName: 'we-container2'
- }
- ]
- }
- {
- name: 'we-container2'
- }
-]
-```
-
-
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md index 13b7cc85d3..23b6656e50 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md @@ -41,53 +41,6 @@ This module deploys a Recovery Services Vault Replication Protection Container. | `replicationContainerMappings` | array | `[]` | Replication containers mappings to create. | -### Parameter Usage: `replicationContainerMappings` - -

-
-Parameter JSON format
-
-```json
-"replicationContainerMappings": {
- "value": [
- {
- "targetProtectionContainerId": "/Subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.RecoveryServices/vaults/[[namePrefix]]-az-rsv-dr-001/replicationFabrics/NorthEurope/replicationProtectionContainers/ne-container1",
- "policyId": "/Subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.RecoveryServices/vaults/[[namePrefix]]-az-rsv-dr-001/replicationPolicies/Default_values"
- },
- {
- "name": null, //Optional
- "policyName": "Default_values",
- "targetContainerFabricName": "WestEurope",
- "targetContainerName": "we-container"
- }
- ]
-}
-```
-
-
- -
-
-Bicep format
-
-```bicep
-replicationContainerMappings: [
- {
- targetProtectionContainerId: '/Subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.RecoveryServices/vaults/[[namePrefix]]-az-rsv-dr-001/replicationFabrics/NorthEurope/replicationProtectionContainers/ne-container1'
- policyId: '/Subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.RecoveryServices/vaults/[[namePrefix]]-az-rsv-dr-001/replicationPolicies/Default_values'
- }
- {
- name: null //Optional
- policyName: 'Default_values'
- targetContainerFabricName: 'WestEurope'
- targetContainerName: 'we-container'
- }
-]
-```
-
-
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 2e02259112..78a07ec984 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -7,9 +7,9 @@ This module deploys a Deployment Script. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -57,80 +57,6 @@ This module deploys a Deployment Script. | `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -141,10 +67,6 @@ userAssignedIdentities: { | `resourceGroupName` | string | The resource group the deployment script was deployed into. | | `resourceId` | string | The resource ID of the deployment script. | -## Considerations - -This module requires a User Assigned Identity (MSI, managed service identity) to exist, and this MSI has to have contributor rights on the subscription - that allows the Deployment Script to create the required Storage Account and the Azure Container Instance. - ## Cross-referenced modules _None_ @@ -379,3 +301,80 @@ module deploymentScript './resources/deployment-script/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 66370e303a..f0f88d7331 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -6,10 +6,10 @@ This module deploys a Resource Group. - [Resource types](#Resource-types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -39,110 +39,6 @@ This module deploys a Resource Group. | `tags` | object | `{object}` | | Tags of the storage account resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -## Considerations - -This module requires a User Assigned Identity (MSI, managed service identity) to exist, and this MSI has to have contributor rights on the subscription - that allows the Deployment Script to create the required Storage Account and the Azure Container Instance. - ## Outputs | Output Name | Type | Description | @@ -291,3 +187,106 @@ module resourceGroup './resources/resource-group/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

From 6be9b6f5a1b5855a20e95b4d9a06bb19ad0e2476 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Fri, 13 Oct 2023 23:30:11 +0200 Subject: [PATCH 022/178] [AVM] Updated Readme's to support AVM transition - Part (-3) (#4079) * PE * dns zone * network manager * network manager * NIC * LB * dns resolver * connection * Bastion Host * Firewall * MgmtGroup * Lighthouse * Maintenance Config * ML * LA * kube * Secret * kvlt * Regen readmes * Compiled templates --- .../key-vault/vault/access-policy/README.md | 59 - modules/key-vault/vault/key/README.md | 28 +- modules/key-vault/vault/secret/README.md | 27 +- .../extension/README.md | 41 +- .../flux-configuration/README.md | 41 +- modules/logic/workflow/README.md | 397 +++--- .../workspace/README.md | 1262 +++++++++-------- .../workspace/compute/README.md | 55 +- .../workspace/compute/main.bicep | 2 +- .../workspace/compute/main.json | 6 +- .../workspace/main.json | 26 +- .../maintenance-configuration/README.md | 240 ++-- .../registration-definition/README.md | 160 +-- modules/management/management-group/README.md | 159 ++- modules/network/azure-firewall/README.md | 329 ++--- modules/network/bastion-host/README.md | 325 ++--- modules/network/connection/README.md | 228 ++- modules/network/dns-resolver/README.md | 240 ++-- modules/network/load-balancer/README.md | 576 +++----- modules/network/network-interface/README.md | 224 ++- modules/network/network-manager/README.md | 622 ++------ modules/network/network-manager/main.bicep | 6 +- .../network/private-dns-zone/txt/README.md | 50 +- modules/network/private-endpoint/README.md | 326 ++--- 24 files changed, 2086 insertions(+), 3343 deletions(-) diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md index 6adabd23d8..02445788a0 100644 --- a/modules/key-vault/vault/access-policy/README.md +++ b/modules/key-vault/vault/access-policy/README.md 
@@ -31,65 +31,6 @@ This module deploys a Key Vault Access Policy. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter Usage: `accessPolicies` - -

- -Parameter JSON format - -```json -"accessPolicies": { - "value": [ - { - "tenantId": null, // Optional - "applicationId": null, // Optional - "objectId": null, - "permissions": { - "certificates": [ - "All" - ], - "keys": [ - "All" - ], - "secrets": [ - "All" - ] - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -accessPolicies: [ - { - tenantId: null // Optional - applicationId: null // Optional - objectId: null - permissions: { - certificates: [ - 'All' - ] - keys: [ - 'All' - ] - secrets: [ - 'All' - ] - } - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index 8b892d702b..b32023c755 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -8,6 +8,7 @@ This module deploys a Key Vault Key. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -47,6 +48,21 @@ This module deploys a Key Vault Key. | `tags` | object | `{object}` | | Resource tags. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the key. | +| `resourceGroupName` | string | The name of the resource group the key was created in. | +| `resourceId` | string | The resource ID of the key. | + +## Cross-referenced modules + +_None_ + +## Notes + + ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -223,15 +239,3 @@ rotationPolicy: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the key. | -| `resourceGroupName` | string | The name of the resource group the key was created in. | -| `resourceId` | string | The resource ID of the key. | - -## Cross-referenced modules - -_None_ diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index bb5b627773..6ee8eaf639 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md @@ -8,6 +8,7 @@ This module deploys a Key Vault Secret. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types @@ -44,6 +45,20 @@ This module deploys a Key Vault Secret. | `tags` | object | `{object}` | Resource tags. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the secret. | +| `resourceGroupName` | string | The name of the resource group the secret was created in. | +| `resourceId` | string | The resource ID of the secret. | + +## Cross-referenced modules + +_None_ + +## Notes + ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -143,15 +158,3 @@ roleAssignments: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the secret. | -| `resourceGroupName` | string | The name of the resource group the secret was created in. | -| `resourceId` | string | The resource ID of the secret. | - -## Cross-referenced modules - -_None_ diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index d5718433e2..996e27802e 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -4,30 +4,12 @@ This module deploys a Kubernetes Configuration Extension. ## Navigation -- [Prerequisites](#Prerequisites) - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) - -## Prerequisites - -Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: - -```powershell -az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager -``` - -Registration of the following Azure service providers. (It's OK to re-register an existing provider.) - -```powershell -az provider register --namespace Microsoft.Kubernetes -az provider register --namespace Microsoft.ContainerService -az provider register --namespace Microsoft.KubernetesConfiguration -``` - -For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) +- [Notes](#Notes) ## Resource Types @@ -255,3 +237,24 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

+ + +## Notes + +### Prerequisites + +Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: + +```powershell +az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager +``` + +Registration of the following Azure service providers. (It's OK to re-register an existing provider.) + +```powershell +az provider register --namespace Microsoft.Kubernetes +az provider register --namespace Microsoft.ContainerService +az provider register --namespace Microsoft.KubernetesConfiguration +``` + +For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index ab26af9c42..dec2c843cf 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md 
@@ -4,30 +4,12 @@ This module deploys a Kubernetes Configuration Flux Configuration. ## Navigation -- [Prerequisites](#Prerequisites) - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) - -## Prerequisites - -Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: - -```powershell -az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager -``` - -Registration of the following Azure service providers. (It's OK to re-register an existing provider.) - -```powershell -az provider register --namespace Microsoft.Kubernetes -az provider register --namespace Microsoft.ContainerService -az provider register --namespace Microsoft.KubernetesConfiguration -``` - -For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) +- [Notes](#Notes) ## Resource Types @@ -254,3 +236,24 @@ module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bic

+ + +## Notes + +### Prerequisites + +Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: + +```powershell +az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager +``` + +Registration of the following Azure service providers. (It's OK to re-register an existing provider.) + +```powershell +az provider register --namespace Microsoft.Kubernetes +az provider register --namespace Microsoft.ContainerService +az provider register --namespace Microsoft.KubernetesConfiguration +``` + +For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 8b84f01653..5429ff8eab 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -9,6 +9,7 @@ This module deploys a Logic App (Workflow). - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types 
@@ -62,6 +63,201 @@ This module deploys a Logic App (Workflow). | `workflowTriggers` | object | `{object}` | | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the logic app. | +| `resourceGroupName` | string | The resource group the logic app was deployed into. | +| `resourceId` | string | The resource ID of the logic app. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

+ +
+ +via Bicep module + +```bicep +module workflow './logic/workflow/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-lwcom' + params: { + // Required parameters + name: 'lwcom001' + // Non-required parameters + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + lock: 'CanNotDelete' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + workflowActions: { + HTTP: { + inputs: { + body: { + BeginPeakTime: '' + EndPeakTime: '' + HostPoolName: '' + LAWorkspaceName: '' + LimitSecondsToForceLogOffUser: '' + LogOffMessageBody: '' + LogOffMessageTitle: '' + MinimumNumberOfRDSH: 1 + ResourceGroupName: '' + SessionThresholdPerCPU: 1 + UtcOffset: '' + } + method: 'POST' + uri: 'https://testStringForValidation.com' + } + type: 'Http' + } + } + workflowTriggers: { + Recurrence: { + recurrence: { + frequency: 'Minute' + interval: 15 + } + type: 'Recurrence' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "lwcom001" + }, + // Non-required parameters + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "workflowActions": { + "value": { + "HTTP": { + "inputs": { + "body": { + "BeginPeakTime": "", + "EndPeakTime": "", + "HostPoolName": "", + "LAWorkspaceName": "", + "LimitSecondsToForceLogOffUser": "", + "LogOffMessageBody": "", + "LogOffMessageTitle": "", + "MinimumNumberOfRDSH": 1, + "ResourceGroupName": "", + "SessionThresholdPerCPU": 1, + "UtcOffset": "" + }, + "method": "POST", + "uri": "https://testStringForValidation.com" + }, + "type": "Http" + } + } + }, + "workflowTriggers": { + "value": { + "Recurrence": { + "recurrence": { + "frequency": "Minute", + "interval": 15 + }, + "type": "Recurrence" + } + } + } + } +} +``` + +
+

+ + +## Notes + ### Parameter Usage `AccessControlConfiguration` - `actionsAccessControlConfiguration` @@ -160,15 +356,6 @@ This module deploys a Logic App (Workflow).

-### Parameter Usage `workflow*` - -- To use the below parameters, see the following [documentation.](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-workflow-definition-language) - - `workflowActions` - - `workflowOutputs` - - `workflowParameters` - - `workflowStaticResults` - - `workflowTriggers` - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -301,195 +488,3 @@ userAssignedIdentities: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the logic app. | -| `resourceGroupName` | string | The resource group the logic app was deployed into. | -| `resourceId` | string | The resource ID of the logic app. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module workflow './logic/workflow/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-lwcom' - params: { - // Required parameters - name: 'lwcom001' - // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - workflowActions: { - HTTP: { - inputs: { - body: { - BeginPeakTime: '' - EndPeakTime: '' - HostPoolName: '' - LAWorkspaceName: '' - LimitSecondsToForceLogOffUser: '' - LogOffMessageBody: '' - LogOffMessageTitle: '' - MinimumNumberOfRDSH: 1 - ResourceGroupName: '' - SessionThresholdPerCPU: 1 - UtcOffset: '' - } - method: 'POST' - uri: 'https://testStringForValidation.com' - } - type: 'Http' - } - } - workflowTriggers: { - Recurrence: { - recurrence: { - frequency: 'Minute' - interval: 15 - } - type: 'Recurrence' - } - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "lwcom001" - }, - // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, - "workflowActions": { - "value": { - "HTTP": { - "inputs": { - "body": { - "BeginPeakTime": "", - "EndPeakTime": "", - "HostPoolName": "", - "LAWorkspaceName": "", - "LimitSecondsToForceLogOffUser": "", - "LogOffMessageBody": "", - "LogOffMessageTitle": "", - "MinimumNumberOfRDSH": 1, - "ResourceGroupName": "", - "SessionThresholdPerCPU": 1, - "UtcOffset": "" - }, - "method": "POST", - "uri": "https://testStringForValidation.com" - }, - "type": "Http" - } - } - }, - "workflowTriggers": { - "value": { - "Recurrence": { - "recurrence": { - "frequency": "Minute", - "interval": 15 - }, - "type": "Recurrence" - } - } - } - } -} -``` - -
-

diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 97b9351d56..7dcc69e3b8 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -9,6 +9,7 @@ This module deploys a Machine Learning Services Workspace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -75,461 +76,313 @@ This module deploys a Machine Learning Services Workspace. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `computes` +## Outputs -Array to specify the compute resources to create respectively attach. -In case you provide a resource ID, it will attach the resource and ignore "properties". In this case "computeLocation", "sku", "systemAssignedIdentity", "userAssignedIdentities" as well as "tags" don't need to be provided respectively are being ignored. -Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML. I.e. for the first run set "deploy" to true, and after successful deployment to false. -For more information see https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the machine learning service. | +| `principalId` | string | The principal ID of the system assigned identity. | +| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | +| `resourceId` | string | The resource ID of the machine learning service. | -

+## Cross-referenced modules -Parameter JSON format +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). -```json -"computes": { - "value": [ - // Attach existing resources - { - "name": "DefaultAKS", - "location": "westeurope", - "description": "Default AKS Cluster", - "disableLocalAuth": false, - "deployCompute": true, - "computeType": "AKS", - "resourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx" - }, - // Create new compute resource - { - "name": "DefaultCPU", - "location": "westeurope", - "computeLocation": "westeurope", - "sku": "Basic", - "systemAssignedIdentity": true, - "userAssignedIdentities": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {} - }, - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "computeType": "AmlCompute", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - } - } - ] -} -``` +| Reference | Type | +| :-- | :-- | +| `network/private-endpoint` | Local reference | -
+## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

-Bicep format +via Bicep module ```bicep -computes: [ - // Attach existing resources - { - name: 'DefaultAKS' - location: 'westeurope' - description: 'Default AKS Cluster' +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswcom' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswcom001' + sku: 'Premium' + // Non-required parameters + computes: [ + { + computeLocation: 'westeurope' + computeType: 'AmlCompute' + description: 'Default CPU Cluster' disableLocalAuth: false - deployCompute: true - computeType: 'AKS' - resourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx' - } - // Create new compute resource - { - name: 'DefaultCPU' location: 'westeurope' - computeLocation: 'westeurope' + name: 'DefaultCPU' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } sku: 'Basic' - systemAssignedIdentity: true + systemAssignedIdentity: false userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} + '': {} } - description: 'Default CPU Cluster' - disableLocalAuth: false - computeType: 'AmlCompute' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' + } + ] + description: 'The cake is a lie.' 
+ diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + discoveryUrl: 'http://example.com' + enableDefaultTelemetry: '' + imageBuildCompute: 'testcompute' + lock: 'CanNotDelete' + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + '' + ] } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" + service: 'amlworkspace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } + } ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleAssignments: [ + { principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 + '' ] principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: false + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" + userAssignedIdentities: { + '': {} } + } } ```
+

-Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format +via JSON Parameter file ```json -"privateEndpoints": { - "value": [ - // Example showing all available fields +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswcom001" + }, + "sku": { + "value": "Premium" + }, + // Non-required parameters + "computes": { + "value": [ { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] + "computeLocation": "westeurope", + "computeType": "AmlCompute", + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "location": "westeurope", + "name": "DefaultCPU", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + }, + "sku": "Basic", + "systemAssignedIdentity": false, + "userAssignedIdentities": { + "": {} + } + } + ] + }, + "description": { + "value": "The cake is a lie." 
+ }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "discoveryUrl": { + "value": "http://example.com" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageBuildCompute": { + "value": "testcompute" + }, + "lock": { + "value": "CanNotDelete" + }, + "primaryUserAssignedIdentity": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ + "" ] - }, - // Example showing only mandatory fields + }, + "service": "amlworkspace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" } - ] + ] + }, + "systemAssignedIdentity": { + "value": false + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } } ```
+

+ +

Example 2: Encr

-Bicep format +via Bicep module ```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswecr' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswecr001' + sku: 'Basic' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' + enableDefaultTelemetry: '' + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] + privateDNSResourceIds: [ + '' + ] } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] + service: 'amlworkspace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + systemAssignedIdentity: false + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob + userAssignedIdentities: { + '': {} } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the machine learning service. | -| `principalId` | string | The principal ID of the system assigned identity. | -| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | -| `resourceId` | string | The resource ID of the machine learning service. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswcom' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswcom001' - sku: 'Premium' - // Non-required parameters - computes: [ - { - computeLocation: 'westeurope' - computeType: 'AmlCompute' - description: 'Default CPU Cluster' - disableLocalAuth: false - location: 'westeurope' - name: 'DefaultCPU' - properties: { - enableNodePublicIp: true - isolatedNetwork: false - osType: 'Linux' - remoteLoginPortPublicAccess: 'Disabled' - scaleSettings: { - maxNodeCount: 3 - minNodeCount: 0 - nodeIdleTimeBeforeScaleDown: 'PT5M' - } - vmPriority: 'Dedicated' - vmSize: 'STANDARD_DS11_V2' - } - sku: 'Basic' - systemAssignedIdentity: false - userAssignedIdentities: { - '': {} - } - } - ] - description: 'The cake is a lie.' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - discoveryUrl: 'http://example.com' - enableDefaultTelemetry: '' - imageBuildCompute: 'testcompute' - lock: 'CanNotDelete' - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - systemAssignedIdentity: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - } -} + } +} ```
@@ -555,69 +408,24 @@ module workspace './machine-learning-services/workspace/main.bicep' = { "value": "" }, "name": { - "value": "mlswcom001" + "value": "mlswecr001" }, "sku": { - "value": "Premium" + "value": "Basic" }, // Non-required parameters - "computes": { - "value": [ - { - "computeLocation": "westeurope", - "computeType": "AmlCompute", - "description": "Default CPU Cluster", - "disableLocalAuth": false, - "location": "westeurope", - "name": "DefaultCPU", - "properties": { - "enableNodePublicIp": true, - "isolatedNetwork": false, - "osType": "Linux", - "remoteLoginPortPublicAccess": "Disabled", - "scaleSettings": { - "maxNodeCount": 3, - "minNodeCount": 0, - "nodeIdleTimeBeforeScaleDown": "PT5M" - }, - "vmPriority": "Dedicated", - "vmSize": "STANDARD_DS11_V2" - }, - "sku": "Basic", - "systemAssignedIdentity": false, - "userAssignedIdentities": { - "": {} - } - } - ] - }, - "description": { - "value": "The cake is a lie." - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" + "cMKKeyName": { + "value": "" }, - "diagnosticWorkspaceId": { - "value": "" + "cMKKeyVaultResourceId": { + "value": "" }, - "discoveryUrl": { - "value": "http://example.com" + "cMKUserAssignedIdentityResourceId": { + "value": "" }, "enableDefaultTelemetry": { "value": "" }, - "imageBuildCompute": { - "value": "testcompute" - }, - "lock": { - "value": "CanNotDelete" - }, "primaryUserAssignedIdentity": { "value": "" }, @@ -639,17 +447,6 @@ module workspace './machine-learning-services/workspace/main.bicep' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "systemAssignedIdentity": { "value": false }, @@ -672,200 +469,407 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

-

Example 2: Encr

+

Example 3: Min

+ +
+ +via Bicep module + +```bicep +module workspace './machine-learning-services/workspace/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-mlswmin' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswmin001' + sku: 'Basic' + // Non-required parameters + enableDefaultTelemetry: '' + systemAssignedIdentity: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswmin001" + }, + "sku": { + "value": "Basic" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "systemAssignedIdentity": { + "value": true + } + } +} +``` + +
+

+ + +## Notes + +### Parameter Usage: `computes` + +Array to specify the compute resources to create respectively attach. +In case you provide a resource ID, it will attach the resource and ignore "properties". In this case "computeLocation", "sku", "systemAssignedIdentity", "userAssignedIdentities" as well as "tags" don't need to be provided respectively are being ignored. +Attaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML. I.e. for the first run set "deploy" to true, and after successful deployment to false. +For more information see https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep + +

+ +Parameter JSON format + +```json +"computes": { + "value": [ + // Attach existing resources + { + "name": "DefaultAKS", + "location": "westeurope", + "description": "Default AKS Cluster", + "disableLocalAuth": false, + "deployCompute": true, + "computeType": "AKS", + "resourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx" + }, + // Create new compute resource + { + "name": "DefaultCPU", + "location": "westeurope", + "computeLocation": "westeurope", + "sku": "Basic", + "systemAssignedIdentity": true, + "userAssignedIdentities": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {} + }, + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "computeType": "AmlCompute", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" + }, + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + } + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +computes: [ + // Attach existing resources + { + name: 'DefaultAKS' + location: 'westeurope' + description: 'Default AKS Cluster' + disableLocalAuth: false + deployCompute: true + computeType: 'AKS' + resourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.ContainerService/managedClusters/xxx' + } + // Create new compute resource + { + name: 'DefaultCPU' + location: 'westeurope' + computeLocation: 'westeurope' + sku: 'Basic' + systemAssignedIdentity: true + userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} + } + description: 'Default CPU Cluster' + disableLocalAuth: false + computeType: 'AmlCompute' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.

-via Bicep module +Parameter JSON format -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswecr' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswecr001' - sku: 'Basic' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' - enableDefaultTelemetry: '' - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "", // e.g. vault, registry, blob + "privateDnsZoneGroup": { + "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net + ] + }, + "ipConfigurations":[ + { + "name": "myIPconfigTest02", + "properties": { + "groupId": "blob", + "memberName": "blob", + "privateIPAddress": "10.0.0.30" + } + } + ], + "customDnsConfigs": [ + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "" // e.g. vault, registry, blob } - } ] - systemAssignedIdentity: false - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - userAssignedIdentities: { - '': {} - } - } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswecr001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + privateDnsZoneGroup: { + privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. 
privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net ] - }, - "service": "amlworkspace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } - ] - }, - "systemAssignedIdentity": { - "value": false - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "userAssignedIdentities": { - "value": { - "": {} - } + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + ipConfigurations:[ + { + name: 'myIPconfigTest02' + properties: { + groupId: 'blob' + memberName: 'blob' + privateIPAddress: '10.0.0.30' + } + } + ] } - } -} + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '' // e.g. vault, registry, blob + } +] ```

-

Example 3: Min

+### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
-via Bicep module +Parameter JSON format -```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmin' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmin001' - sku: 'Basic' - // Non-required parameters - enableDefaultTelemetry: '' - systemAssignedIdentity: true - } +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } } ```
-

-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmin001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "systemAssignedIdentity": { - "value": true - } - } +```bicep +userAssignedIdentities: { + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} } ``` diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index d9f5d29a21..3cd9156a16 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md @@ -10,6 +10,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) ## Resource Types 
@@ -37,7 +38,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `computeLocation` | string | `[resourceGroup().location]` | | Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| `deployCompute` | bool | `True` | | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | +| `deployCompute` | bool | `True` | | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | | `description` | string | `''` | | The description of the Machine Learning compute. | | `disableLocalAuth` | bool | `False` | | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | @@ -50,37 +51,21 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -### Parameter Usage: `properties` - -Properties for the compute resource to create. -Will be ignored in case a resource ID is provided. - -
- -Parameter JSON format - -```json -"properties": { - "value": { - // See https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep#compute for the properties for the difference compute types - } -} -``` - -
+## Outputs -
+| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the compute. | +| `resourceGroupName` | string | The resource group the compute was deployed into. | +| `resourceId` | string | The resource ID of the compute. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID. | -Bicep format +## Cross-referenced modules -```bicep -properties: { - // See https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/workspaces/computes?tabs=bicep#compute for the properties for the difference compute types -} -``` +_None_ -
-

+## Notes ### Parameter Usage: `tags` @@ -155,17 +140,3 @@ userAssignedIdentities: {

-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the compute. |
-| `resourceGroupName` | string | The resource group the compute was deployed into. |
-| `resourceId` | string | The resource ID of the compute. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID. |
-
-## Cross-referenced modules
-
-_None_
diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep
index c28eeab57e..9d401399fa 100644
--- a/modules/machine-learning-services/workspace/compute/main.bicep
+++ b/modules/machine-learning-services/workspace/compute/main.bicep
@@ -31,7 +31,7 @@ param sku string = ''
 @sys.description('Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
 param tags object = {}
 
-@sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.')
+@sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.')
 param deployCompute bool = true
 
 @sys.description('Optional. Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json index 6a6d90b340..16e519cbef 100644 --- a/modules/machine-learning-services/workspace/compute/main.json +++ b/modules/machine-learning-services/workspace/compute/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1887700101020083718" + "version": "0.22.6.54827", + "templateHash": "12652944532720556326" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", @@ -58,7 +58,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." + "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." } }, "computeLocation": { diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index 1cda09efa3..85a28a93ad 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11591223647718164676" + "version": "0.22.6.54827", + "templateHash": "15135710804774691863" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -431,8 +431,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3258553383268163778" + "version": "0.22.6.54827", + "templateHash": "12652944532720556326" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", @@ -485,7 +485,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempontent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." + "description": "Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to \"false\" as long as the compute resource exists." } }, "computeLocation": { @@ -681,8 +681,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -881,8 +881,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1019,8 +1019,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1233,8 +1233,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12944726350528933504" + "version": "0.22.6.54827", + "templateHash": "4724282348303599635" } }, "parameters": { diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 0b52632072..7747774f22 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -9,6 +9,7 @@ This module deploys a Maintenance Configuration. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -43,142 +44,6 @@ This module deploys a Maintenance Configuration. | `visibility` | string | `''` | `['', Custom, Public]` | Gets or sets the visibility of the configuration. The default value is 'Custom'. | -### Parameter Usage: `maintenanceWindow` - -

- -Parameter JSON format - -```JSON -"maintenanceWindow": { - "value": { - "duration": "05:00", - "expirationDateTime": "9999-12-31 23:59:59", - "recurEvery": "Day", - "startDateTime": "2022-12-31 13:00", - "timeZone": "W. Europe Standard Time" - } -} -``` - -
- -
- -Bicep format - -```bicep -maintenanceWindow: { - duration: '05:00' - expirationDateTime: '9999-12-31 23:59:59' - recurEvery: 'Day' - startDateTime: '2022-12-31 13:00' - timeZone: 'W. Europe Standard Time' -} -``` - -
- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -390,3 +255,106 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index ce0bce2b75..690c4c3720 100644 --- a/modules/managed-services/registration-definition/README.md +++ b/modules/managed-services/registration-definition/README.md @@ -11,9 +11,9 @@ remote/managing tenant. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -42,73 +42,6 @@ remote/managing tenant. | `resourceGroupName` | string | `''` | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | -### Parameter Usage: `authorizations` - -| Parameter Name | Type | Default Value | Possible values | Description | -| :----------------------- | :----- | :------------ | :-------------- | :------------------------------------------------------------------------------------------ | -| `principalId` | string | | GUID | Required. The object ID of the principal in the managing tenant to delegate permissions to. | -| `principalIdDisplayName` | string | `principalId` | | Optional. A display name of the principal that is delegated permissions to. | -| `roleDefinitionId` | string | | GUID | Required. The role definition ID to delegate to the principal in the managing tenant. | - -

- -Parameter JSON format - -```json -"authorizations": { - "value": [ - // Delegates 'Reader' to a group in managing tenant (managedByTenantId) - { - "principalId": "9d949eef-00d5-45d9-8586-56be91a13398", - "principalIdDisplayName": "Reader-Group", - "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" - }, - // Delegates 'Contributor' to a group in managing tenant (managedByTenantId) - { - "principalId": "06eb144f-1a10-4935-881b-757efd1d0b58", - "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - // Delegates 'Managed Services Registration assignment Delete Role' to a group in managing tenant (managedByTenantId) - { - "principalId": "9cd792b0-dc7c-4551-84f8-dd87388030fb", - "principalIdDisplayName": "LighthouseManagement-Group", - "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -authorizations: [ - // Delegates 'Reader' to a group in managing tenant (managedByTenantId) - { - principalId: '9d949eef-00d5-45d9-8586-56be91a13398' - principalIdDisplayName: 'Reader-Group' - roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - } - // Delegates 'Contributor' to a group in managing tenant (managedByTenantId) - { - principalId: '06eb144f-1a10-4935-881b-757efd1d0b58' - roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - // Delegates 'Managed Services Registration assignment Delete Role' to a group in managing tenant (managedByTenantId) - { - principalId: '9cd792b0-dc7c-4551-84f8-dd87388030fb' - principalIdDisplayName: 'LighthouseManagement-Group' - roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | 
@@ -118,54 +51,6 @@ authorizations: [ | `resourceId` | string | The resource ID of the registration definition. | | `subscriptionName` | string | The subscription the registration definition was deployed into. | -## Considerations - -This module can be deployed both at subscription and resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. - -### Permissions required to create delegations - -This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, -such as [`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). - -If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. - -**More info on this topic:** - - -### Permissions required to remove delegations - -#### From customer side - -Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as -[`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider -access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers -page of the Azure portal and delete the delegation. 
- -#### From managing tenant side - -Users in a managing tenant can remove access to delegated resources if they were granted the -[`Managed Services Registration Assignment Delete Role`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) -for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be -removed by a user in the customer's tenant. - -**More info on this topic:** - - -### Limitations with Lighthouse and resource delegation - -There are a couple of limitations that you should be aware of with Lighthouse: - -- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365. -- Only supports delegation of control plane permissions. Excludes data plane access. -- Only supports subscription and resource group scopes. Excludes tenant and management group delegations. -- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles. - -**More info on this topic:** - - ## Cross-referenced modules _None_ @@ -358,3 +243,46 @@ module registrationDefinition './managed-services/registration-definition/main.b

+ + +## Notes + +### Considerations + +This module can be deployed both at subscription and resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. + +#### Permissions required to create delegations + +This deployment must be done by a non-guest account in the customer's tenant which has a role with the `Microsoft.Authorization/roleAssignments/write` permission, +such as [`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). + +If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the AdminAgent role in your service provider tenant can perform the deployment. + + +#### Permissions required to remove delegations + +##### From customer side + +Users in the customer's tenant who have a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as +[`Owner`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) can remove service provider +access to that subscription (or to resource groups in that subscription). To do so, the user can go to the Service providers +page of the Azure portal and delete the delegation. + +##### From managing tenant side + +Users in a managing tenant can remove access to delegated resources if they were granted the +[`Managed Services Registration Assignment Delete Role`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-services-registration-assignment-delete-role) +for the customer's resources. If this role was not assigned to any service provider users, the delegation can **only** be +removed by a user in the customer's tenant. 
+ +#### Limitations with Lighthouse and resource delegation + +There are a couple of limitations that you should be aware of with Lighthouse: + +- Only allows resource delegation within Azure Resource Manager. Excludes Azure Active Directory, Microsoft 365 and Dynamics 365. +- Only supports delegation of control plane permissions. Excludes data plane access. +- Only supports subscription and resource group scopes. Excludes tenant and management group delegations. +- Only supports built-in roles, with the exception of `Owner`. Excludes the use of custom roles. diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index 998c5b341b..1ca85fae64 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -11,9 +11,9 @@ This module has some known **limitations**: - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -39,65 +39,6 @@ This module has some known **limitations**: | `parentId` | string | `[last(split(managementGroup().id, '/'))]` | The management group parent ID. Defaults to current scope. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -105,24 +46,6 @@ roleAssignments: [ | `name` | string | The name of the management group. | | `resourceId` | string | The resource ID of the management group. | -## Considerations - -This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) - -If owner access is excessive, the following rights roles will grant enough rights: - -- **Automation Job Operator** at **tenant** level (scope '/') -- **Management Group Contributor** at the top management group that needs to be managed - -Consider using the following script: - -```powershell -$PrincipalID = "" -$TopMGID = "" -New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator" -New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor" -``` - ## Cross-referenced modules _None_ @@ -231,3 +154,83 @@ module managementGroup './management/management-group/main.bicep' = {

+ + +## Notes + +### Considerations + +This template is using a **Tenant level deployment**, meaning the user/principal deploying it needs to have the [proper access](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-tenant#required-access) + +If owner access is excessive, the following rights roles will grant enough rights: + +- **Automation Job Operator** at **tenant** level (scope '/') +- **Management Group Contributor** at the top management group that needs to be managed + +Consider using the following script: + +```powershell +$PrincipalID = "" +$TopMGID = "" +New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator" +New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor" +``` + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 76a8aec9bb..2b03642400 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -7,9 +7,9 @@ This module deploys an Azure Firewall. - [Resource types](#Resource-types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Considerations](#Considerations) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -68,226 +68,6 @@ This module deploys an Azure Firewall. | `zones` | array | `[1, 2, 3]` | | Zone numbers e.g. 1,2,3. | -### Parameter Usage: `additionalPublicIpConfigurations` - -Create additional public ip configurations from existing public ips - -

- -Parameter JSON format - -```json -"additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01" - }, - { - "name": "ipConfig02", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01' - } - { - name: 'ipConfig02' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02' - } -] -``` - -
- - -### Parameter Usage: `publicIPAddressObject` - -The Public IP Address object to create as part of the module. This will be created if `isCreateDefaultPublicIP` is true (which it is by default). If not provided, the name and other configurations will be set by default. - - -
- -Parameter JSON format - -```json -"publicIPAddressObject": { - "value": { - "name": "adp-[[namePrefix]]-az-pip-custom-x-fw", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } -} -``` - -
- - - -
- -Bicep format - - -```bicep -publicIPAddressObject: { - name: 'mypip' - publicIPPrefixResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPPrefixes/myprefix' - publicIPAllocationMethod: 'Dynamic' - skuName: 'Basic' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] -} -``` - -
- - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -302,10 +82,6 @@ tags: { | `resourceGroupName` | string | The resource group the Azure firewall was deployed into. | | `resourceId` | string | The resource ID of the Azure Firewall. | -## Considerations - -The `applicationRuleCollections` parameter accepts a JSON Array of AzureFirewallApplicationRule objects. -The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetworkRuleCollection objects. ## Cross-referenced modules @@ -1007,3 +783,106 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index f98ebf07f8..8cf520a554 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -9,6 +9,7 @@ This module deploys a Bastion Host. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -56,227 +57,6 @@ This module deploys a Bastion Host. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `additionalPublicIpConfigurations` - -Create additional public ip configurations from existing public ips - -

- -Parameter JSON format - -```json -"additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01" - }, - { - "name": "ipConfig02", - "publicIPAddressResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-01' - } - { - name: 'ipConfig02' - publicIPAddressResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-[[namePrefix]]-az-pip-x-fw-02' - } -] -``` - -
- - -### Parameter Usage: `publicIPAddressObject` - -The Public IP Address object to create as part of the module. This will be created if `isCreateDefaultPublicIP` is true (which it is by default). If not provided, the name and other configurations will be set by default. - - -
- -Parameter JSON format - -```json -"publicIPAddressObject": { - "value": { - "name": "adp-[[namePrefix]]-az-pip-custom-x-fw", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } -} -``` - -
- - - -
- -Bicep format - - -```bicep -publicIPAddressObject: { - name: 'mypip' - publicIPPrefixResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPPrefixes/myprefix' - publicIPAllocationMethod: 'Dynamic' - skuName: 'Basic' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] -} -``` - -
- - - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -
- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -600,3 +380,106 @@ module bastionHost './network/bastion-host/main.bicep' = {

+ + +## Notes + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index ce27fefeab..ca5e4810ad 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -9,6 +9,7 @@ This module deploys a Virtual Network Gateway Connection. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -52,67 +53,117 @@ This module deploys a Virtual Network Gateway Connection. | `vpnSharedKey` | securestring | `''` | | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | -### Parameter Usage: `virtualNetworkGateway1` +## Outputs -The primary virtual network gateway object. +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the remote connection. | +| `resourceGroupName` | string | The resource group the remote connection was deployed into. | +| `resourceId` | string | The resource ID of the remote connection. | -

+## Cross-referenced modules -Parameter JSON format +_None_ -```json -"virtualNetworkGateway1": { - "value": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway01" - } -} -``` +## Deployment examples -
+The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Vnet2vnet

-Bicep format +via Bicep module ```bicep -virtualNetworkGateway1: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway01' +module connection './network/connection/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ncvtv' + params: { + // Required parameters + name: 'ncvtv001' + virtualNetworkGateway1: { + id: '' + } + // Non-required parameters + connectionType: 'Vnet2Vnet' + enableBgp: false + enableDefaultTelemetry: '' + lock: 'CanNotDelete' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + virtualNetworkGateway2: { + id: '' + } + vpnSharedKey: '' + } } ```

-### Parameter Usage: `virtualNetworkGateway2` - -The secondary virtual network gateway used for VNET to VNET connections. -

-Parameter JSON format +via JSON Parameter file ```json -"virtualNetworkGateway2" : { - "value": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway02" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ncvtv001" + }, + "virtualNetworkGateway1": { + "value": { + "id": "" + } + }, + // Non-required parameters + "connectionType": { + "value": "Vnet2Vnet" + }, + "enableBgp": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "virtualNetworkGateway2": { + "value": { + "id": "" + } + }, + "vpnSharedKey": { + "value": "" } + } } ```
+

-

-Bicep format - -```bicep -virtualNetworkGateway2 : { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworkGateways/myGateway02' -} -``` - -
-

+## Notes ### Parameter Usage: `localNetworkGateway2` @@ -302,112 +353,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remote connection. | -| `resourceGroupName` | string | The resource group the remote connection was deployed into. | -| `resourceId` | string | The resource ID of the remote connection. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Vnet2vnet

- -
- -via Bicep module - -```bicep -module connection './network/connection/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ncvtv' - params: { - // Required parameters - name: 'ncvtv001' - virtualNetworkGateway1: { - id: '' - } - // Non-required parameters - connectionType: 'Vnet2Vnet' - enableBgp: false - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualNetworkGateway2: { - id: '' - } - vpnSharedKey: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ncvtv001" - }, - "virtualNetworkGateway1": { - "value": { - "id": "" - } - }, - // Non-required parameters - "connectionType": { - "value": "Vnet2Vnet" - }, - "enableBgp": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualNetworkGateway2": { - "value": { - "id": "" - } - }, - "vpnSharedKey": { - "value": "" - } - } -} -``` - -
-

diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 183db3d0ee..48e410e323 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -9,6 +9,7 @@ This module deploys a DNS Resolver. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -42,88 +43,118 @@ This module deploys a DNS Resolver. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `inboundEndpoints` +## Outputs -Create a inbound endpoint for Azure DNS Private Resolver +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Private DNS Resolver. | +| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | +| `resourceId` | string | The resource ID of the Private DNS Resolver. | -

+## Cross-referenced modules -Parameter JSON format +_None_ -```json - "inboundEndpoints": { - "value": [ - { - "name": "[[namePrefix]]-az-pdnsin-x-001", - "subnetId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001" - } - ] - }, -``` +## Deployment examples -
+The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Common

-Bicep format +via Bicep module ```bicep -inboundEndpoints: [ - { - name: '[[namePrefix]]-az-pdnsin-x-001' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001' - } - { - name: '[[namePrefix]]-az-pdnsin-x-002' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-002' +module dnsResolver './network/dns-resolver/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-ndrcom' + params: { + // Required parameters + name: 'ndrcom001' + virtualNetworkId: '' + // Non-required parameters + enableDefaultTelemetry: '' + inboundEndpoints: [ + { + name: 'az-pdnsin-x-001' + subnetId: '' + } + ] + outboundEndpoints: [ + { + name: 'az-pdnsout-x-001' + subnetId: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' } -] + } +} ```

-### Parameter Usage: `outboundEndpoints` - -Create a inbound endpoint for Azure DNS Private Resolver -

-Parameter JSON format +via JSON Parameter file ```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndrcom001" + }, + "virtualNetworkId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "inboundEndpoints": { + "value": [ + { + "name": "az-pdnsin-x-001", + "subnetId": "" + } + ] + }, "outboundEndpoints": { "value": [ { - "name": "[[namePrefix]]-az-pdnsout-x-001", - "subnetId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001" + "name": "az-pdnsout-x-001", + "subnetId": "" } ] }, -``` - -
- -
- -Bicep format - -```bicep -outboundEndpoints: [ - { - name: '[[namePrefix]]-az-pdnsout-x-001' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-001' - } - { - name: '[[namePrefix]]-az-pdnsout-x-002' - subnetId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-002/subnets/[[namePrefix]]-az-subnet-x-002' + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } -] + } +} ```

+ +## Notes + ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -223,112 +254,3 @@ tags: {

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Private DNS Resolver. | -| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | -| `resourceId` | string | The resource ID of the Private DNS Resolver. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module dnsResolver './network/dns-resolver/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ndrcom' - params: { - // Required parameters - name: 'ndrcom001' - virtualNetworkId: '' - // Non-required parameters - enableDefaultTelemetry: '' - inboundEndpoints: [ - { - name: 'az-pdnsin-x-001' - subnetId: '' - } - ] - outboundEndpoints: [ - { - name: 'az-pdnsout-x-001' - subnetId: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndrcom001" - }, - "virtualNetworkId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "inboundEndpoints": { - "value": [ - { - "name": "az-pdnsin-x-001", - "subnetId": "" - } - ] - }, - "outboundEndpoints": { - "value": [ - { - "name": "az-pdnsout-x-001", - "subnetId": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 0f720fc744..493d0397fd 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -52,403 +52,6 @@ This module deploys a Load Balancer. | `skuName` | string | `'Standard'` | `[Basic, Standard]` | Name of a load balancer SKU. | | `tags` | object | `{object}` | | Tags of the resource. | - -### Parameter Usage: `frontendIPConfigurations` - -

- -Parameter JSON format - -```json -"frontendIPConfigurations": { - "value": [ - { - "name": "p_hub-bfw-server-feip", - "properties": { - "publicIPAddressId": "[reference(variables('deploymentPIP-VPN')).outputs.publicIPAddressResourceId.value]", - "subnetId": "", - "privateIPAddress": "" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -frontendIPConfigurations: [ - { - name: 'p_hub-bfw-server-feip' - properties: { - publicIPAddressId: '[reference(variables('deploymentPIP-VPN')).outputs.publicIPAddressResourceId.value]' - subnetId: '' - privateIPAddress: '' - } - } -] -``` - -
-

- -### Parameter Usage: `backendAddressPools` - -

- -Parameter JSON format - -```json -"backendAddressPools": { - "value": [ - { - "name": "p_hub-bfw-server-bepool", - "properties": { - "loadBalancerBackendAddresses": [ - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.5" - } - }, - { - "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", - "properties": { - "virtualNetwork": { - "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" - }, - "ipAddress": "172.22.232.6" - } - } - ] - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backendAddressPools: [ - { - name: 'p_hub-bfw-server-bepool' - properties: { - loadBalancerBackendAddresses: [ - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.5' - } - } - { - name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal' - properties: { - virtualNetwork: { - id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' - } - ipAddress: '172.22.232.6' - } - } - ] - } - } -] -``` - -
-

- -### Parameter Usage: `loadBalancingRules` - -

- -Parameter JSON format - -```json -"loadBalancingRules": { - "value": [ - { - "name": "p_hub-bfw-server-IPSEC-IKE-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 500, - "backendPort": 500, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-IPSEC-NATT-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 4500, - "backendPort": 4500, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-TINA-UDP-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Udp", - "frontendPort": 691, - "backendPort": 691, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - }, - { - "name": "p_hub-bfw-server-TINA-TCP-lbrule", - "properties": { - "frontendIPConfigurationName": "p_hub-bfw-server-feip", - "backendAddressPoolName": "p_hub-bfw-server-bepool", - "protocol": "Tcp", - "frontendPort": 691, - "backendPort": 691, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 5, - "probeName": "p_hub-bfw-server-tcp-65001-probe" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -loadBalancingRules: [ - { - name: 'p_hub-bfw-server-IPSEC-IKE-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 500 - backendPort: 500 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-IPSEC-NATT-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 4500 - backendPort: 4500 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-TINA-UDP-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Udp' - frontendPort: 691 - backendPort: 691 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } - { - name: 'p_hub-bfw-server-TINA-TCP-lbrule' - properties: { - frontendIPConfigurationName: 'p_hub-bfw-server-feip' - backendAddressPoolName: 'p_hub-bfw-server-bepool' - protocol: 'Tcp' - frontendPort: 691 - backendPort: 691 - enableFloatingIP: false - idleTimeoutInMinutes: 5 - probeName: 'p_hub-bfw-server-tcp-65001-probe' - } - } -] -``` - -
-

- -### Parameter Usage: `probes` - -

- -Parameter JSON format - -```json -"probes": { - "value": [ - { - "name": "p_hub-bfw-server-tcp-65001-probe", - "properties": { - "protocol": "Tcp", - "port": 65001, - "intervalInSeconds": 5, - "numberOfProbes": 2 - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -probes: [ - { - name: 'p_hub-bfw-server-tcp-65001-probe' - properties: { - protocol: 'Tcp' - port: 65001 - intervalInSeconds: 5 - numberOfProbes: 2 - } - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -1012,3 +615,182 @@ module loadBalancer './network/load-balancer/main.bicep' = {

+ +## Notes + +### Parameter Usage: `backendAddressPools` + +

+ +Parameter JSON format + +```json +"backendAddressPools": { + "value": [ + { + "name": "p_hub-bfw-server-bepool", + "properties": { + "loadBalancerBackendAddresses": [ + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.5" + } + }, + { + "name": "iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal", + "properties": { + "virtualNetwork": { + "id": "[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]" + }, + "ipAddress": "172.22.232.6" + } + } + ] + } + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +backendAddressPools: [ + { + name: 'p_hub-bfw-server-bepool' + properties: { + loadBalancerBackendAddresses: [ + { + name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-nic-int-01ipconfig-internal' + properties: { + virtualNetwork: { + id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' + } + ipAddress: '172.22.232.5' + } + } + { + name: 'iacs-sh-main-pd-01-euw-rg-network_awefwa01p-ha-nic-int-01ipconfig-internal' + properties: { + virtualNetwork: { + id: '[reference(variables('deploymentVNET')).outputs.vNetResourceId.value]' + } + ipAddress: '172.22.232.6' + } + } + ] + } + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 24748b8d68..ab8a22386d 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -51,128 +51,6 @@ This module deploys a Network Interface. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | - -### Parameter Usage: `ipConfigurations` - -The IP configurations to apply to the network interface. - -```json -{ - "name": "ipconfig01", - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-[[namePrefix]]-az-vnet-x-001/subnets/[[namePrefix]]-az-subnet-x-001", - "loadBalancerBackendAddressPools": [ - { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/loadBalancers/adp-[[namePrefix]]-az-lb-internal-001/backendAddressPools/servers" - } - ], - "applicationSecurityGroups": [ - { - "id": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/applicationSecurityGroups/adp-[[namePrefix]]-az-asg-x-001" - } - ] -} -``` - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -398,3 +276,105 @@ module networkInterface './network/network-interface/main.bicep' = {

+ +## Notes + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index ff90c8fbf9..5d0079d172 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -10,6 +10,7 @@ This module deploys a Network Manager. - [Cross-referenced modules](#Cross-referenced-modules) - [Considerations](#Considerations) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource Types @@ -40,7 +41,7 @@ This module deploys a Network Manager. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `networkGroups` | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. | +| `networkGroups` | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. | **Optional parameters** 
@@ -52,472 +53,11 @@ This module deploys a Network Manager. | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `scopeConnections` | array | `[]` | | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. | -| `securityAdminConfigurations` | array | `[]` | | Security Admin Configurations, Rule Collections and Rules to create for the network manager. | +| `scopeConnections` | array | `[]` | | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. | +| `securityAdminConfigurations` | array | `[]` | | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `` - -Features are scope access that you allow the Azure Virtual Network Manager to manage. 
Azure Virtual Network Manager currently has two feature scopes, which are `Connectivity` and `SecurityAdmin`. You can enable both feature scopes on the same Virtual Network Manager instance. - -

- -Parameter JSON format - -```json -"networkManagerScopeAccesses": { - "value": [ - "Connectivity" - "SecurityAdmin" - ] -} -``` - -
- -
- -Bicep format - -```bicep -networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' -] -``` - -
-

- -### Parameter Usage: `` - -Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. - -**Note**: You can't create multiple Azure Virtual Network Manager instances with an overlapping scope of the same hierarchy and the same features selected. - -

- -Parameter JSON format - -```json -"networkManagerScopes": { - "value": { - "subscriptions": [ - "/subscriptions/" - ], - "managementGroups": [ - "/providers/Microsoft.Management/managementGroups/" - ] - } -} -``` - -
- -
- -Bicep format - -```bicep -networkManagerScopes: { - subscriptions: [ - '/subscriptions/' - ] - managementGroups: [ - '/providers/Microsoft.Management/managementGroups/[[managementGroupId]]' - ] -} -``` - -
-

- -### Parameter Usage: `` - -A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. - -

- -Parameter JSON format - -```json -"networkGroups": { - "value": [ - { - "name": "network-group-test", - "description": "network-group-test description", - "staticMembers": [ - { - "name": "vnet1", - "resourceId": "" - }, - { - "name": "vnet2", - "resourceId": "" - } - ] - } - ] -}, -``` - -
- -
- -Bicep format - -```bicep -networkGroups: [ - { - name: 'network-group-test' - description: 'network-group-test description' - staticMembers: [ - { - name: 'vnet1' - resourceId: '' - } - { - name: 'vnet2' - resourceId: '' - } - ] - } -] -``` - -
-

- -### Parameter Usage: `` - -Connectivity configurations allow you to create different network topologies based on your network needs. You have two topologies to choose from, a mesh network and a hub and spoke. Connectivities between virtual networks are defined within the configuration settings. - -

- -Parameter JSON format - -```json -"connectivityConfigurations": { - "value": [ - { - "name": "hubSpokeConnectivity", - "description": "hubSpokeConnectivity description", - "connectivityTopology": "HubAndSpoke", - "hubs": [ - { - "resourceId": "", - "resourceType": "Microsoft.Network/virtualNetworks" - } - ], - "deleteExistingPeering": "True", - "isGlobal": "True", - "appliesToGroups": [ - { - "networkGroupId": "", - "useHubGateway": "False", - "groupConnectivity": "None", - "isGlobal": "False" - } - ] - }, - { - "name": "MeshConnectivity", - "description": "MeshConnectivity description", - "connectivityTopology": "Mesh", - "deleteExistingPeering": "True", - "isGlobal": "True", - "appliesToGroups": [ - { - "networkGroupId": "", - "useHubGateway": "False", - "groupConnectivity": "None", - "isGlobal": "False" - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -connectivityConfigurations: [ - { - name: 'hubSpokeConnectivity' - description: 'hubSpokeConnectivity description' - connectivityTopology: 'HubAndSpoke' - hubs: [ - { - resourceId: '' - resourceType: 'Microsoft.Network/virtualNetworks' - } - ] - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } - { - name: 'MeshConnectivity' - description: 'MeshConnectivity description' - connectivityTopology: 'Mesh' - deleteExistingPeering: 'True' - isGlobal: 'True' - appliesToGroups: [ - { - networkGroupId: '' - useHubGateway: 'False' - groupConnectivity: 'None' - isGlobal: 'False' - } - ] - } -] -``` - -
-

- -### Parameter Usage: `` - -Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. - -

- -Parameter JSON format - -```json -"scopeConnections": { - "value": [ - { - "name": "scope-connection-test", - "description": "description of the scope connection", - "resourceId": "/subscriptions/", // or "/providers/Microsoft.Management/managementGroups/" - "tenantid": "" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -scopeConnections: [ - { - name: 'scope-connection-test' - description: 'description of the scope connection' - resourceId: '/subscriptions/', // or '/providers/Microsoft.Management/managementGroups/' - tenantid: t'' - } -] -``` - -
-

- -### Parameter Usage: `` - -Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. - -

- -Parameter JSON format - -```json -"securityAdminConfigurations": { - "value": [ - { - "name": "test-security-admin-config", - "description": "description of the security admin config", - "applyOnNetworkIntentPolicyBasedServices": [ - "AllowRulesOnly" - ], - "ruleCollections": [ - { - "name": "test-rule-collection-1", - "description": "test-rule-collection-description", - "appliesToGroups": [ - { - "networkGroupId": "" - } - ], - "rules": [ - { - "name": "test-inbound-allow-rule-1", - "description": "test-inbound-allow-rule-1-description", - "access": "Allow", - "direction": "Inbound", - "priority": 150, - "protocol": "Tcp" - } - ] - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -securityAdminConfigurations: [ - { - name: 'test-security-admin-config' - description: 'description of the security admin config' - applyOnNetworkIntentPolicyBasedServices: [ - 'AllowRulesOnly' - ] - ruleCollections: [ - { - name: 'test-rule-collection-1' - description: 'test-rule-collection-description' - appliesToGroups: [ - { - networkGroupId: '' - } - ] - rules: [ - { - name: 'test-inbound-allow-rule-1' - description: 'test-inbound-allow-rule-1-description' - access: 'Allow' - direction: 'Inbound' - priority: 150 - protocol: 'Tcp' - } - ] - } - ] - } -] -``` - -
-

- - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -531,10 +71,6 @@ tags: { _None_ -## Considerations - -In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). - ## Deployment examples The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. @@ -986,3 +522,153 @@ module networkManager './network/network-manager/main.bicep' = {

+ + +## Notes + +### Considerations + +In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). + +### Parameter Usage: `networkManagerScopes` + +Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this virtual network manager instance can manage. + +**Note**: You can't create multiple Azure Virtual Network Manager instances with an overlapping scope of the same hierarchy and the same features selected. + +

+ +Parameter JSON format + +```json +"networkManagerScopes": { + "value": { + "subscriptions": [ + "/subscriptions/" + ], + "managementGroups": [ + "/providers/Microsoft.Management/managementGroups/" + ] + } +} +``` + +
+ +
+ +Bicep format + +```bicep +networkManagerScopes: { + subscriptions: [ + '/subscriptions/' + ] + managementGroups: [ + '/providers/Microsoft.Management/managementGroups/[[managementGroupId]]' + ] +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 3a1164faca..21c5a261c0 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep 
@@ -34,16 +34,16 @@ param networkManagerScopeAccesses array
 @sys.description('Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.')
 param networkManagerScopes object
-@sys.description('Conditional. Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters.')
+@sys.description('Conditional. Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.')
 param networkGroups array = []
 @sys.description('Optional. Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations.')
 param connectivityConfigurations array = []
-@sys.description('Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant.')
+@sys.description('Optional. 
Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.') param scopeConnections array = [] -@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager.') +@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.') param securityAdminConfigurations array = [] @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 55635b80c9..18f4ab62b2 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md @@ -40,39 +40,19 @@ This module deploys a Private DNS Zone TXT record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | | `txtRecords` | array | `[]` | The list of TXT records in the record set. | +## Outputs -### Parameter Usage: `txtRecords` - -
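Review bot: The new `networkGroups` description string carries two grammatical slips that the readme generator will copy verbatim into the parameter table: "A network group is global container" should read `A network group is a global container`, and "The two types are group memberships are static and dynamic memberships" should read `The two types of group membership are static and dynamic`. The same sentences already appear in the `networkGroups` row of the network-manager README hunk earlier in this patch, which looks generated from these `@sys.description` values, so the `main.bicep` string is the one place to correct them. The expanded `scopeConnections` and `securityAdminConfigurations` descriptions read cleanly and match the parameter types they annotate.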

- -Parameter JSON format - -```json -"txtRecords": { - "value": [ - { - "value": [ "string" ] - } - ] -} -``` - -
- -
+| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed TXT record. | +| `resourceGroupName` | string | The resource group of the deployed TXT record. | +| `resourceId` | string | The resource ID of the deployed TXT record. | -Bicep format +## Cross-referenced modules -```bicep -txtRecords: [ - { - value: [ 'string' ] - } -] -``` +_None_ -
-

+## Notes ### Parameter Usage: `roleAssignments` @@ -132,15 +112,3 @@ roleAssignments: [

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the deployed TXT record. | -| `resourceGroupName` | string | The resource group of the deployed TXT record. | -| `resourceId` | string | The resource ID of the deployed TXT record. | - -## Cross-referenced modules - -_None_ diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 585231b095..51569056bc 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -19,16 +19,6 @@ This module deploys a Private Endpoint. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -### Resource dependency - -The following resources are required to be able to deploy this resource: - -- `PrivateDNSZone` -- `VirtualNetwork/subnet` -- The service that needs to be connected through private endpoint - -**Important**: Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). - ## Parameters **Required parameters** 
@@ -56,220 +46,6 @@ The following resources are required to be able to deploy this resource: | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `applicationSecurityGroups` - -You can attach multiple Application Security Groups to a private endpoint resource. - -

- -Parameter JSON format - -```json -"applicationSecurityGroups": { - "value": [ - { - "id": "" - }, - { - "id": "" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -applicationSecurityGroups: [ - { - id: '' - } - { - id: '' - } -] -``` - -
-

- -### Parameter Usage: `customNetworkInterfaceName` - -You can customize the name of the private endpoint network interface instead of the default one that contains the string 'nic.GUID'. This helps with having consistent naming standards across all resources. Existing private endpoints cannot be renamed. See [documentation](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#network-interface-rename) for more details. - -

- -Parameter JSON format - -```json -"customNetworkInterfaceName": { - "value": "myPrivateEndpointName-Nic" -} -``` - -
- -
- -Bicep format - -```bicep -customNetworkInterfaceName: 'myPrivateEndpointName-Nic' -``` - -
-

- -### Parameter Usage: `ipConfigurations` - -You can use this property to define a static IP address for the private endpoint instead of the default dynamic one. To do that, first extract the `memberName` and `groupId` for the resource type you are creating the private endpoint for. See [documentation](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#determine-groupid-and-membername) for guidance on how to do that. Also provide the `privateIPAddress` for the private endpoint from the subnet range you are creating the private endpoint in. Note that static IP addresses [can be applied](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#custom-properties) when the private endpoint is created. - -

- -Parameter JSON format - -```json -"customNetworkInterfaceName": { - "value": [ - { - "name": "myIPconfig", - "properties": { - "memberName": "", // e.g. default, sites, blob - "groupId": "", // e.g. vault, registry, blob - "privateIPAddress": "10.10.10.10" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -ipConfigurations: [ - { - name: 'myIPconfig' - properties: { - memberName: '' // e.g. default, sites, blob - groupId: '' // e.g. vault, registry, blob - privateIPAddress: '10.10.10.10' - } - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -497,3 +273,105 @@ module privateEndpoint './network/private-endpoint/main.bicep' = {

+ +## Notes + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

From cfd9906eb1c5bfedd5bce937d261f3e84fc73202 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 Oct 2023 08:34:24 +1100 Subject: [PATCH 023/178] [Modules] Updated Event Hub - Recompiled JSON files (#4081) --- .../namespace/authorization-rule/main.json | 4 ++-- .../namespace/disaster-recovery-config/main.json | 4 ++-- .../eventhub/authorization-rule/main.json | 4 ++-- .../namespace/eventhub/consumergroup/main.json | 4 ++-- modules/event-hub/namespace/eventhub/main.json | 16 ++++++++-------- modules/event-hub/namespace/main.json | 8 ++++---- .../namespace/network-rule-set/main.json | 6 +++--- 7 files changed, 23 insertions(+), 23 deletions(-) diff --git a/modules/event-hub/namespace/authorization-rule/main.json b/modules/event-hub/namespace/authorization-rule/main.json index 7facc14895..d9f8dc98a7 100644 --- a/modules/event-hub/namespace/authorization-rule/main.json +++ b/modules/event-hub/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16751252701811556931" + "version": "0.22.6.54827", + "templateHash": "3063860457313937367" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.json b/modules/event-hub/namespace/disaster-recovery-config/main.json index 26b24be750..65b8246881 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/main.json +++ b/modules/event-hub/namespace/disaster-recovery-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17596363769961747539" + "version": "0.22.6.54827", + "templateHash": "7624585689136088815" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", 
diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.json b/modules/event-hub/namespace/eventhub/authorization-rule/main.json index 6a12c8409a..7b2d55d760 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/main.json +++ b/modules/event-hub/namespace/eventhub/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6269095332062865528" + "version": "0.22.6.54827", + "templateHash": "12245634232079362340" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.json b/modules/event-hub/namespace/eventhub/consumergroup/main.json index 47f1a4c32f..e64fa652a1 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/main.json +++ b/modules/event-hub/namespace/eventhub/consumergroup/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4574999956856176990" + "version": "0.22.6.54827", + "templateHash": "3522913919009222120" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json index cf4b190d94..9ce1247a9f 100644 --- a/modules/event-hub/namespace/eventhub/main.json +++ b/modules/event-hub/namespace/eventhub/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16089237218391136247" + "version": "0.22.6.54827", + "templateHash": "11568505658717744379" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", 
@@ -313,8 +313,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4574999956856176990" + "version": "0.22.6.54827", + "templateHash": "3522913919009222120" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -441,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6269095332062865528" + "version": "0.22.6.54827", + "templateHash": "12245634232079362340" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", @@ -574,8 +574,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13315777836788317981" + "version": "0.22.6.54827", + "templateHash": "5794309156960386834" } }, "parameters": { diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index 10bb99aa07..f95385acf9 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16009659029865974325" + "templateHash": "1995710596888287584" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -1446,7 +1446,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17411238681152908216" + "templateHash": "2605359643798084834" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", 
@@ -1492,14 +1492,14 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Contains an array of objects of subnet resource IDs that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "ipRules": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "enableDefaultTelemetry": { diff --git a/modules/event-hub/namespace/network-rule-set/main.json b/modules/event-hub/namespace/network-rule-set/main.json index ec22360d6f..f4eab5a4ca 100644 --- a/modules/event-hub/namespace/network-rule-set/main.json +++ b/modules/event-hub/namespace/network-rule-set/main.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17411238681152908216" + "templateHash": "2605359643798084834" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", @@ -51,14 +51,14 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Contains an array of objects of subnet resource IDs that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "ipRules": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." + "description": "Optional. An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"." } }, "enableDefaultTelemetry": { From 56c94e011f600bb7902d08627a143c0abd07ae36 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 Oct 2023 08:42:06 +1100 Subject: [PATCH 024/178] [Modules] Updated Network Manager JSON Files and Readmes (#4082) --- modules/network/network-manager/README.md | 1 - .../connectivity-configuration/main.json | 4 +- modules/network/network-manager/main.json | 42 +++++++++---------- .../network-manager/network-group/main.json | 8 ++-- .../network-group/static-member/main.json | 4 +- .../scope-connection/main.json | 4 +- .../security-admin-configuration/main.json | 12 +++--- .../rule-collection/main.json | 8 ++-- .../rule-collection/rule/main.json | 4 +- 9 files changed, 43 insertions(+), 44 deletions(-) diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 5d0079d172..7a1979c20f 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -8,7 +8,6 @@ This module deploys a Network Manager. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Considerations](#Considerations) - [Deployment examples](#Deployment-examples) - [Notes](#Notes) diff --git a/modules/network/network-manager/connectivity-configuration/main.json b/modules/network/network-manager/connectivity-configuration/main.json index f93f38ee52..9d92ba9227 100644 --- a/modules/network/network-manager/connectivity-configuration/main.json +++ b/modules/network/network-manager/connectivity-configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13738709959380835083" + "version": "0.22.6.54827", + "templateHash": "5280310149581848411" }, "name": "Network Manager Connectivity Configurations", "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", 
diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 7e9c9b752f..be5b31c5ee 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17085331643244384133" + "version": "0.22.6.54827", + "templateHash": "17206951315494060900" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", @@ -77,7 +77,7 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Conditional. Network Groups and static members to create for the network manager. Required if using \"connectivityConfigurations\" or \"securityAdminConfigurations\" parameters." + "description": "Conditional. Network Groups and static members to create for the network manager. Required if using \"connectivityConfigurations\" or \"securityAdminConfigurations\" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details." } }, "connectivityConfigurations": { 
@@ -91,14 +91,14 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant." + "description": "Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant." } }, "securityAdminConfigurations": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager." + "description": "Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to." } }, "enableDefaultTelemetry": { @@ -185,8 +185,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16574504470456645773" + "version": "0.22.6.54827", + "templateHash": "15734624931109113465" }, "name": "Network Manager Network Groups", "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", 
@@ -291,8 +291,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5572467876932888883" + "version": "0.22.6.54827", + "templateHash": "13400290933908034947" }, "name": "Network Manager Network Group Static Members", "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", @@ -454,8 +454,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1935694739815489166" + "version": "0.22.6.54827", + "templateHash": "5280310149581848411" }, "name": "Network Manager Connectivity Configurations", "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", @@ -633,8 +633,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3939307521553261907" + "version": "0.22.6.54827", + "templateHash": "9309301917607746358" }, "name": "Network Manager Scope Connections", "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", @@ -772,8 +772,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5810096593595124606" + "version": "0.22.6.54827", + "templateHash": "14740794033127814314" }, "name": "Network Manager Security Admin Configurations", "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", 
@@ -894,8 +894,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8641931937337579552" + "version": "0.22.6.54827", + "templateHash": "11695176114935586913" }, "name": "Network Manager Security Admin Configuration Rule Collections", "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", @@ -1029,8 +1029,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "128171619204085449" + "version": "0.22.6.54827", + "templateHash": "8150493920671936292" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", @@ -1306,8 +1306,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12627653750285812361" + "version": "0.22.6.54827", + "templateHash": "11211131176904314262" } }, "parameters": { diff --git a/modules/network/network-manager/network-group/main.json b/modules/network/network-manager/network-group/main.json index f5db35d400..8073af7494 100644 --- a/modules/network/network-manager/network-group/main.json +++ b/modules/network/network-manager/network-group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1182394296109740179" + "version": "0.22.6.54827", + "templateHash": "15734624931109113465" }, "name": "Network Manager Network Groups", "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", @@ -110,8 +110,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12393286614459840374" + "version": "0.22.6.54827", + "templateHash": "13400290933908034947" }, "name": "Network Manager Network Group Static Members", "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", diff --git a/modules/network/network-manager/network-group/static-member/main.json b/modules/network/network-manager/network-group/static-member/main.json index 1150de3107..cc511c69ae 100644 --- a/modules/network/network-manager/network-group/static-member/main.json +++ b/modules/network/network-manager/network-group/static-member/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12393286614459840374" + "version": "0.22.6.54827", + "templateHash": "13400290933908034947" }, "name": "Network Manager Network Group Static Members", "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", diff --git a/modules/network/network-manager/scope-connection/main.json b/modules/network/network-manager/scope-connection/main.json index 6f876db365..91c4436a36 100644 
--- a/modules/network/network-manager/scope-connection/main.json +++ b/modules/network/network-manager/scope-connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10403692977342355689" + "version": "0.22.6.54827", + "templateHash": "9309301917607746358" }, "name": "Network Manager Scope Connections", "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", diff --git a/modules/network/network-manager/security-admin-configuration/main.json b/modules/network/network-manager/security-admin-configuration/main.json index b74075fe1a..7cc19444ba 100644 --- a/modules/network/network-manager/security-admin-configuration/main.json +++ b/modules/network/network-manager/security-admin-configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "509040400222226150" + "version": "0.22.6.54827", + "templateHash": "14740794033127814314" }, "name": "Network Manager Security Admin Configurations", "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", 
@@ -126,8 +126,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3922899062083147081" + "version": "0.22.6.54827", + "templateHash": "11695176114935586913" }, "name": "Network Manager Security Admin Configuration Rule Collections", "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", @@ -261,8 +261,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "493168310843879218" + "version": "0.22.6.54827", + "templateHash": "8150493920671936292" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/main.json index 76c720676e..936667268a 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3922899062083147081" + "version": "0.22.6.54827", + "templateHash": "11695176114935586913" }, "name": "Network Manager Security Admin Configuration Rule Collections", "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", @@ -139,8 +139,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "493168310843879218" + "version": "0.22.6.54827", + "templateHash": "8150493920671936292" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json index d78574bf06..5a3dc77879 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "493168310843879218" + "version": "0.22.6.54827", + "templateHash": "8150493920671936292" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", From 08b86f03f0a9454b43f2197c06204482ceb3156c Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 14 Oct 2023 11:35:12 +0200 Subject: [PATCH 025/178] [Modules] Removed auto-generated parameter usage sections (#4083) * Removed readme sources * Removed role assignments * Removed tags * Removed PE * Removed managed identity * excess newlines * Removed remaining occurrences * Cleanup notes * Finalizing touches --- .../README.md | 59 --- .../Compute/virtualMachinesMultiple/README.md | 131 ------- .../managementGroupStructure/README.md | 36 -- ...ribution guide - Generate module readme.md | 21 -- docs/wiki/The library - Module design.md | 1 - modules/aad/domain-service/README.md | 100 ----- modules/analysis-services/server/README.md | 100 ----- modules/api-management/service/README.md | 133 ------- .../service/named-value/README.md | 41 --- .../configuration-store/README.md | 233 ------------ .../configuration-store/key-value/README.md | 133 ------- modules/app/container-app/README.md | 133 ------- modules/app/managed-environment/README.md | 100 ----- .../automation/automation-account/README.md | 233 ------------ .../automation-account/module/README.md | 41 --- .../automation-account/runbook/README.md | 41 --- modules/batch/batch-account/README.md | 174 --------- modules/cache/redis-enterprise/README.md | 200 ---------- modules/cache/redis/README.md | 233 ------------ modules/cdn/profile/README.md | 100 ----- modules/cdn/profile/afdEndpoint/README.md | 41 --- modules/cdn/profile/endpoint/README.md | 41 --- modules/cognitive-services/account/README.md | 237 +----------- modules/compute/availability-set/README.md | 100 ----- modules/compute/disk-encryption-set/README.md | 133 ------- modules/compute/disk/README.md | 100 ----- modules/compute/gallery/README.md | 100 ----- modules/compute/gallery/application/README.md | 100 ----- modules/compute/gallery/image/README.md | 100 ----- modules/compute/image/README.md | 100 ----- .../proximity-placement-group/README.md | 100 ----- modules/compute/ssh-public-key/README.md | 100 ----- 
.../virtual-machine-scale-set/README.md | 133 ------- modules/compute/virtual-machine/README.md | 133 ------- .../virtual-machine/extension/README.md | 41 --- .../container-group/README.md | 74 ---- modules/container-registry/registry/README.md | 233 ------------ .../registry/replication/README.md | 41 --- .../registry/webhook/README.md | 41 --- .../managed-cluster/README.md | 133 ------- .../managed-cluster/agent-pool/README.md | 41 --- modules/data-factory/factory/README.md | 234 ------------ .../data-protection/backup-vault/README.md | 133 ------- modules/databricks/access-connector/README.md | 133 ------- modules/databricks/workspace/README.md | 200 ---------- .../db-for-my-sql/flexible-server/README.md | 133 ------- .../flexible-server/README.md | 133 ------- .../application-group/README.md | 100 ----- .../host-pool/README.md | 100 ----- .../scaling-plan/README.md | 100 ----- .../workspace/README.md | 100 ----- modules/dev-test-lab/lab/README.md | 133 ------- .../dev-test-lab/lab/artifactsource/README.md | 41 --- modules/dev-test-lab/lab/cost/README.md | 41 --- .../lab/notificationchannel/README.md | 41 --- .../lab/policyset/policy/README.md | 41 --- modules/dev-test-lab/lab/schedule/README.md | 41 --- .../dev-test-lab/lab/virtualnetwork/README.md | 41 --- .../digital-twins-instance/README.md | 234 ------------ .../document-db/database-account/README.md | 345 ------------------ .../gremlin-database/README.md | 74 ---- .../gremlin-database/graph/README.md | 41 --- .../mongodb-database/README.md | 41 --- .../database-account/sql-database/README.md | 41 --- .../sql-database/container/README.md | 41 --- modules/event-grid/domain/README.md | 200 ---------- modules/event-grid/system-topic/README.md | 133 ------- modules/event-grid/topic/README.md | 200 ---------- modules/event-hub/namespace/README.md | 233 ------------ .../event-hub/namespace/eventhub/README.md | 59 --- modules/health-bot/health-bot/README.md | 133 ------- modules/healthcare-apis/workspace/README.md 
| 99 ----- .../workspace/dicomservice/README.md | 74 ---- .../workspace/fhirservice/README.md | 166 --------- .../workspace/iotconnector/README.md | 74 ---- modules/insights/action-group/README.md | 102 ------ modules/insights/activity-log-alert/README.md | 100 ----- modules/insights/component/README.md | 100 ----- .../data-collection-endpoint/README.md | 100 ----- .../insights/data-collection-rule/README.md | 100 ----- modules/insights/metric-alert/README.md | 100 ----- modules/insights/private-link-scope/README.md | 200 ---------- .../insights/scheduled-query-rule/README.md | 100 ----- modules/insights/webtest/README.md | 100 ----- modules/key-vault/vault/README.md | 200 ---------- modules/key-vault/vault/key/README.md | 101 ----- modules/key-vault/vault/secret/README.md | 103 ------ .../extension/README.md | 22 -- modules/logic/workflow/README.md | 133 ------- .../workspace/README.md | 233 ------------ .../workspace/compute/README.md | 77 ---- .../maintenance-configuration/README.md | 104 ------ .../user-assigned-identity/README.md | 100 ----- modules/management/management-group/README.md | 59 --- modules/net-app/net-app-account/README.md | 133 ------- .../net-app-account/capacity-pool/README.md | 100 ----- .../capacity-pool/volume/README.md | 59 --- .../README.md | 41 --- modules/network/application-gateway/README.md | 233 ------------ .../application-security-group/README.md | 100 ----- modules/network/azure-firewall/README.md | 104 ------ modules/network/bastion-host/README.md | 104 ------ modules/network/connection/README.md | 41 --- .../network/ddos-protection-plan/README.md | 100 ----- .../network/dns-forwarding-ruleset/README.md | 100 ----- .../forwarding-rule/README.md | 100 ----- modules/network/dns-resolver/README.md | 104 ------ modules/network/dns-zone/README.md | 100 ----- modules/network/dns-zone/a/README.md | 59 --- modules/network/dns-zone/aaaa/README.md | 59 --- modules/network/dns-zone/caa/README.md | 59 --- 
modules/network/dns-zone/cname/README.md | 59 --- modules/network/dns-zone/mx/README.md | 59 --- modules/network/dns-zone/ns/README.md | 59 --- modules/network/dns-zone/ptr/README.md | 59 --- modules/network/dns-zone/soa/README.md | 59 --- modules/network/dns-zone/srv/README.md | 59 --- modules/network/dns-zone/txt/README.md | 59 --- .../network/express-route-circuit/README.md | 100 ----- .../network/express-route-gateway/README.md | 133 ------- modules/network/firewall-policy/README.md | 74 ---- .../README.md | 100 ----- modules/network/front-door/README.md | 100 ----- modules/network/ip-group/README.md | 100 ----- modules/network/load-balancer/README.md | 103 +----- .../network/local-network-gateway/README.md | 100 ----- modules/network/nat-gateway/README.md | 100 ----- modules/network/network-interface/README.md | 103 +----- modules/network/network-manager/README.md | 100 ----- .../network/network-security-group/README.md | 100 ----- modules/network/network-watcher/README.md | 100 ----- .../connection-monitor/README.md | 41 --- .../network-watcher/flow-log/README.md | 41 --- modules/network/private-dns-zone/README.md | 100 ----- modules/network/private-dns-zone/a/README.md | 59 --- .../network/private-dns-zone/aaaa/README.md | 59 --- .../network/private-dns-zone/cname/README.md | 59 --- modules/network/private-dns-zone/mx/README.md | 59 --- .../network/private-dns-zone/ptr/README.md | 59 --- .../network/private-dns-zone/soa/README.md | 59 --- .../network/private-dns-zone/srv/README.md | 59 --- .../network/private-dns-zone/txt/README.md | 62 +--- .../virtual-network-link/README.md | 41 --- modules/network/private-endpoint/README.md | 103 +----- .../network/private-link-service/README.md | 100 ----- modules/network/public-ip-address/README.md | 100 ----- modules/network/public-ip-prefix/README.md | 100 ----- modules/network/route-table/README.md | 104 ------ .../network/service-endpoint-policy/README.md | 100 ----- .../network/trafficmanagerprofile/README.md | 100 
----- modules/network/virtual-hub/README.md | 41 --- .../network/virtual-network-gateway/README.md | 103 ------ modules/network/virtual-network/README.md | 101 ----- .../network/virtual-network/subnet/README.md | 61 ---- modules/network/virtual-wan/README.md | 100 ----- modules/network/vpn-gateway/README.md | 41 --- modules/network/vpn-site/README.md | 100 ----- .../operational-insights/workspace/README.md | 137 ------- .../workspace/data-source/README.md | 41 --- .../workspace/linked-service/README.md | 41 --- .../workspace/saved-search/README.md | 41 --- .../storage-insight-config/README.md | 41 --- modules/power-bi-dedicated/capacity/README.md | 100 ----- modules/purview/account/README.md | 133 ------- modules/recovery-services/vault/README.md | 237 ------------ modules/relay/namespace/README.md | 200 ---------- .../namespace/hybrid-connection/README.md | 59 --- modules/relay/namespace/wcf-relay/README.md | 59 --- modules/resource-graph/query/README.md | 100 ----- modules/resources/deployment-script/README.md | 78 ---- modules/resources/resource-group/README.md | 104 ------ modules/resources/tags/README.md | 41 --- .../resources/tags/resource-group/README.md | 41 --- modules/resources/tags/subscription/README.md | 41 --- modules/search/search-service/README.md | 200 ---------- modules/service-bus/namespace/README.md | 237 ------------ modules/service-bus/namespace/queue/README.md | 59 --- modules/service-bus/namespace/topic/README.md | 59 --- modules/service-fabric/cluster/README.md | 100 ----- .../cluster/application-type/README.md | 41 --- modules/signal-r-service/signal-r/README.md | 200 ---------- .../signal-r-service/web-pub-sub/README.md | 238 ------------ modules/sql/managed-instance/README.md | 165 --------- .../sql/managed-instance/database/README.md | 44 --- modules/sql/server/README.md | 233 ------------ modules/sql/server/database/README.md | 41 --- modules/sql/server/elastic-pool/README.md | 41 --- modules/storage/storage-account/README.md | 235 
------------ .../blob-service/container/README.md | 59 --- .../file-service/share/README.md | 59 --- .../queue-service/queue/README.md | 59 --- modules/synapse/private-link-hub/README.md | 200 ---------- modules/synapse/workspace/README.md | 233 ------------ .../image-template/README.md | 166 --------- modules/web/connection/README.md | 100 ----- modules/web/hosting-environment/README.md | 137 ------- modules/web/serverfarm/README.md | 104 ------ modules/web/site/README.md | 234 ------------ modules/web/site/slot/README.md | 234 ------------ modules/web/static-site/README.md | 237 ------------ utilities/tools/Set-ModuleReadMe.ps1 | 29 -- .../resourceUsage-privateEndpoints.md | 97 ----- .../resourceUsage-roleAssignments.md | 56 --- .../moduleReadMeSource/resourceUsage-tags.md | 38 -- .../resourceUsage-userAssignedIdentities.md | 30 -- 205 files changed, 7 insertions(+), 21158 deletions(-) delete mode 100644 utilities/tools/moduleReadMeSource/resourceUsage-privateEndpoints.md delete mode 100644 utilities/tools/moduleReadMeSource/resourceUsage-roleAssignments.md delete mode 100644 utilities/tools/moduleReadMeSource/resourceUsage-tags.md delete mode 100644 utilities/tools/moduleReadMeSource/resourceUsage-userAssignedIdentities.md diff --git a/constructs/Authorization/roleAssignmentsMultiRolesMultiPrincipals/README.md b/constructs/Authorization/roleAssignmentsMultiRolesMultiPrincipals/README.md index 32358e3b5a..ca376774c5 100644 --- a/constructs/Authorization/roleAssignmentsMultiRolesMultiPrincipals/README.md +++ b/constructs/Authorization/roleAssignmentsMultiRolesMultiPrincipals/README.md 
@@ -31,65 +31,6 @@ This module deploys Role Assignments. | `subscriptionId` | string | `''` | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ### Parameter Usage: `managementGroupId` To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. diff --git a/constructs/Compute/virtualMachinesMultiple/README.md b/constructs/Compute/virtualMachinesMultiple/README.md index 81b6f034e7..914c75fc91 100644 --- a/constructs/Compute/virtualMachinesMultiple/README.md +++ b/constructs/Compute/virtualMachinesMultiple/README.md @@ -133,138 +133,7 @@ Name(s) of the virtual machine(s). If no explicit names are provided, VM name(s) } ``` -### Parameter Usage: `roleAssignments` -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

## Outputs diff --git a/constructs/Management/managementGroupStructure/README.md b/constructs/Management/managementGroupStructure/README.md index b786eaeba3..4dcc4e7383 100644 --- a/constructs/Management/managementGroupStructure/README.md +++ b/constructs/Management/managementGroupStructure/README.md @@ -68,42 +68,6 @@ Describes the Management groups to be created. Each management group is represen | `parentNotManagedInThisTemplate` | bool | `false` | | Optional. `true` if the parent management group is existing and defined elsewhere, `false` if the parent MG is also managed in this template. This parameter is used to define the deployment sequence | | `roleAssignments` | array | | | Optional. Array of role assignment objects | -### Parameter Usage: `roleAssignments` - -

- -Parameter JSON format - -```json -"roleAssignments": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ] - } -] -``` - -| Parameter Name | Type | Default Value | Possible values | Description | -| :- | :- | :- | :- | :- | -| `roleDefinitionIdOrName` | string | | | Mandatory. The name or the ID of the role to assign to the management group | -| `principalIds` | array | | | Mandatory. An array of principal IDs | - ## Outputs | Output Name | Type | Description | diff --git a/docs/wiki/Contribution guide - Generate module readme.md b/docs/wiki/Contribution guide - Generate module readme.md index 9d76819235..0a03ffc600 100644 --- a/docs/wiki/Contribution guide - Generate module readme.md +++ b/docs/wiki/Contribution guide - Generate module readme.md @@ -8,7 +8,6 @@ The ReadMe generator utility aims to simplify contributing to the CARML library, - [Location](#location) - [How it works](#how-it-works) - - [Special case: 'Parameter Usage' section](#special-case-parameter-usage-section) - [How to use it](#how-to-use-it) --- 
@@ -23,26 +22,6 @@ You can find the script under [`/utilities/tools/Set-ModuleReadMe.ps1`](https:// 1. The script then goes through all sections defined as `SectionsToRefresh` (by default all) and refreshes the sections' content (for example, for the `Parameters`) based on the values in the ARM/JSON Template. It detects sections by their header and always regenerates the full section. 1. Once all are refreshed, the current ReadMe file is overwritten. **Note:** The script can be invoked combining the `WhatIf` and `Verbose` switches to just receive an console-output of the updated content. -## Special case: 'Parameter Usage' section - -The `Parameter Usage` examples are located just beneath the `Parameters` table. They are intended to show how to use complex objects/arrays that can be leveraged as parameters, excluding the child resources' parameters, since they have their own readMe files. - -**For the most part, this section is to be populated manually**. However, for a specific set of common parameters, we automatically add their example to the readMe if the parameter exists in the template. At the time of this writing these are: -- Private Endpoints -- Role Assignments -- Tags -- User Assigned Identities - -To change this list with minimum effort, the script reads the content from markdown files in the folder of `utilities/tools/moduleReadMeSource`, and matches their title to the parameters of the template file. If a match is found, it's content is added to the readme alongside the generated header. This means, if you want to add another case, you just need to add a new file to the `moduleReadMeSource` folder and follow the naming pattern `resourceUsage-.md`. - -For example, the content of the `resourceUsage-roleAssignments.md` file in the `moduleReadMeSource` folder is added to a template's readMe if it contains a `roleAssignments` parameter. 
The combined result is: - -```markdown -### Parameter Usage: `roleAssignments` - -<[resourceUsage-roleAssignments.md] file content> -``` - # How to use it For details on how to use the function, please refer to the script's local documentation. diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index de43468cd3..9cbb357cc0 100644 --- a/docs/wiki/The library - Module design.md +++ b/docs/wiki/The library - Module design.md @@ -583,7 +583,6 @@ Its primary components are in order: - A short description - A **Resource types** section with a table that outlines all resources that can be deployed as part of the module. - A **Parameters** section with a table containing all parameters, their type, default and allowed values if any, and their description. -- Optionally, a **Parameter Usage** section that shows how to use complex structures such as parameter objects or array of objects, e.g., roleAssignments, tags, privateEndpoints. - An **Outputs** section with a table that describes all outputs the module template returns. - A **Template references** section listing relevant resources [Azure resource reference](https://learn.microsoft.com/en-us/azure/templates). diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 2351a4557e..fca50dcd19 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md 
@@ -67,106 +67,6 @@ This module deploys an Azure Active Directory Domain Services (AADDS). | `tlsV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using TLSv1. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 5655dfe807..02f71b089c 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -48,106 +48,6 @@ This module deploys an Analysis Services Server. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 59632276e1..d9d56c5b77 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -90,139 +90,6 @@ This module deploys an API Management Service. | `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md index 87f55ace0e..2920b62283 100644 --- a/modules/api-management/service/named-value/README.md +++ b/modules/api-management/service/named-value/README.md @@ -42,47 +42,6 @@ This module deploys an API Management Service Named Value. | `value` | string | `[newGuid()]` | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 1cdae7dca1..c29bc1d5bd 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -58,239 +58,6 @@ This module deploys an App Configuration Store. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md index 3ee2236fad..4d8a0cc029 100644 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ b/modules/app-configuration/configuration-store/key-value/README.md @@ -39,139 +39,6 @@ This module deploys an App Configuration Store Key Value. | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index e41716ecbd..941fff342b 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -64,139 +64,6 @@ This module deploys a Container App. | `workloadProfileType` | string | `''` | | Workload profile type to pin for container app execution. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 693ccbad41..e432404e3a 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -57,106 +57,6 @@ This module deploys an App Managed Environment (also known as a Container App En | `zoneRedundant` | bool | `False` | | Whether or not this Managed Environment is zone-redundant. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index e2574eea05..92619970e8 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -78,239 +78,6 @@ This module deploys an Azure Automation Account. | `variables` | array | `[]` | | List of variables to be created in the automation account. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/automation/automation-account/module/README.md b/modules/automation/automation-account/module/README.md index 2c40209702..21ea5e81c4 100644 --- a/modules/automation/automation-account/module/README.md +++ b/modules/automation/automation-account/module/README.md @@ -40,47 +40,6 @@ This module deploys an Azure Automation Account Module. | `version` | string | `'latest'` | Module version or specify latest to get the latest version. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/automation/automation-account/runbook/README.md b/modules/automation/automation-account/runbook/README.md index d00bc8f5e9..5712d4182b 100644 --- a/modules/automation/automation-account/runbook/README.md +++ b/modules/automation/automation-account/runbook/README.md @@ -50,47 +50,6 @@ This module deploys an Azure Automation Account Runbook. | `baseTime` | string | `[utcNow('u')]` | Time used as a basis for e.g. the schedule start date. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 3351c6cfc8..cf3dd26a6c 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -66,180 +66,6 @@ This module deploys a Batch Account. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index d80f2d8857..4421956599 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -54,206 +54,6 @@ This module deploys a Redis Cache Enterprise. | `zoneRedundant` | bool | `True` | | When true, the cluster will be deployed across availability zones. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 78bcbee51a..721d612132 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -66,239 +66,6 @@ This module deploys a Redis Cache. | `zones` | array | `[]` | | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index b056f35b4b..e3f4d453f2 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -61,106 +61,6 @@ This module deploys a CDN Profile. | `tags` | object | `{object}` | | Endpoint tags. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md index 792ede4cc6..92b71cb16f 100644 --- a/modules/cdn/profile/afdEndpoint/README.md +++ b/modules/cdn/profile/afdEndpoint/README.md @@ -42,47 +42,6 @@ This module deploys a CDN Profile AFD Endpoint. | `tags` | object | `{object}` | | The tags of the AFD Endpoint. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cdn/profile/endpoint/README.md b/modules/cdn/profile/endpoint/README.md index cc5e5689f6..688a86025a 100644 --- a/modules/cdn/profile/endpoint/README.md +++ b/modules/cdn/profile/endpoint/README.md @@ -40,47 +40,6 @@ This module deploys a CDN Profile Endpoint. | `tags` | object | `{object}` | Endpoint tags. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index cd6965fa0d..93f229c9e9 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -73,239 +73,6 @@ This module deploys a Cognitive Service. | `userOwnedStorage` | array | `[]` | | The storage accounts for this resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -765,6 +532,4 @@ module account './cognitive-services/account/main.bicep' = { ## Notes -### Module Usage Guidance - -- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. +Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 62c7f649ff..795e47aef4 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -41,106 +41,6 @@ This module deploys an Availability Set. | `tags` | object | `{object}` | | Tags of the availability set resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index 77400143c9..beee32ad5d 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -52,139 +52,6 @@ This module deploys a Disk Encryption Set. | `tags` | object | `{object}` | | Tags of the disk encryption resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 7e52c52e77..1c03c30837 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -64,106 +64,6 @@ This module deploys a Compute Disk | `uploadSizeBytes` | int | `20972032` | | If create option is Upload, this is the size of the contents of the upload including the VHD footer. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 78b64b460c..361dfefa38 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -42,106 +42,6 @@ This module deploys an Azure Compute Gallery (formerly known as Shared Image Gal | `tags` | object | `{object}` | | Tags for all resources. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md index 1ce801893c..ad83eb42dc 100644 --- a/modules/compute/gallery/application/README.md +++ b/modules/compute/gallery/application/README.md @@ -48,106 +48,6 @@ This module deploys an Azure Compute Gallery Application. | `tags` | object | `{object}` | | Tags for all resources. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md index 2feab7d26a..51ccbb2e93 100644 --- a/modules/compute/gallery/image/README.md +++ b/modules/compute/gallery/image/README.md @@ -62,106 +62,6 @@ This module deploys an Azure Compute Gallery Image Definition. | `tags` | object | `{object}` | | Tags for all resources. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 6023fb8469..bfe1ab68d0 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -49,106 +49,6 @@ This module deploys a Compute Image. | `zoneResilient` | bool | `False` | | Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index a11ceb4175..42bb92577b 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -41,106 +41,6 @@ This module deploys a Proximity Placement Group. | `zones` | array | `[]` | | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index ff38ea2ad3..ae6fc16917 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -40,106 +40,6 @@ This module deploys a Public SSH Key. | `tags` | object | `{object}` | | Tags of the availability set resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index aeb6d239cf..9c7583c1c4 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -120,139 +120,6 @@ The following resources are required to be able to deploy this resource. | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index a7ec515bda..0a3195f2ef 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -116,139 +116,6 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md index c32abb8770..7823c9766b 100644 --- a/modules/compute/virtual-machine/extension/README.md +++ b/modules/compute/virtual-machine/extension/README.md @@ -47,47 +47,6 @@ This module deploys a Virtual Machine Extension. | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 2e9d0bbfcd..9e02a54f3c 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -61,80 +61,6 @@ This module deploys a Container Instance Container Group. | `volumes` | array | `[]` | | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index e18522cf96..0a5487152b 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -82,239 +82,6 @@ This module deploys an Azure Container Registry (ACR). | `zoneRedundancy` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not zone redundancy is enabled for this container registry. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md
index d750fa7ba6..1c164a9f05 100644
--- a/modules/container-registry/registry/replication/README.md
+++ b/modules/container-registry/registry/replication/README.md
@@ -40,47 +40,6 @@ This module deploys an Azure Container Registry (ACR) Replication.
 | `zoneRedundancy` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not zone redundancy is enabled for this container registry. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md
index 571aa87073..34a74af6cc 100644
--- a/modules/container-registry/registry/webhook/README.md
+++ b/modules/container-registry/registry/webhook/README.md
@@ -43,47 +43,6 @@ This module deploys an Azure Container Registry (ACR) Webhook.
 | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index 1e231622d5..fb3247fc75 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -140,139 +140,6 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 | `webApplicationRoutingEnabled` | bool | `False` | | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md
index 7c0c4666bd..56fd616524 100644
--- a/modules/container-service/managed-cluster/agent-pool/README.md
+++ b/modules/container-service/managed-cluster/agent-pool/README.md
@@ -70,47 +70,6 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool
 | `workloadRuntime` | string | `''` | | Determines the type of workload a node can run. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index a1c42758cf..02ca57084e 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -77,240 +77,6 @@ This module deploys a Data Factory.
 | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -

## Outputs | Output Name | Type | Description |
diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md
index e12e916acc..f0e7d4caee 100644
--- a/modules/data-protection/backup-vault/README.md
+++ b/modules/data-protection/backup-vault/README.md
@@ -46,139 +46,6 @@ This module deploys a Data Protection Backup Vault.
 | `type` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ZoneRedundant]` | The vault redundancy level to use. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md
index 65400d0299..d530fdb979 100644
--- a/modules/databricks/access-connector/README.md
+++ b/modules/databricks/access-connector/README.md
@@ -39,139 +39,6 @@ This module deploys an Azure Databricks Access Connector.
 | `userAssignedIdentities` | object | `{object}` | | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index 13d48b4502..064f045a46 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -78,206 +78,6 @@ This module deploys an Azure Databricks Workspace.
 | `vnetAddressPrefix` | string | `'10.139'` | | Address prefix for Managed virtual network. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md
index 58abc4eb43..613aacfd8d 100644
--- a/modules/db-for-my-sql/flexible-server/README.md
+++ b/modules/db-for-my-sql/flexible-server/README.md
@@ -85,139 +85,6 @@ This module deploys a DBforMySQL Flexible Server.
 | `version` | string | `'5.7'` | `[5.7, 8.0.21]` | MySQL Server version. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description |
diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md
index e4d2eb18d5..bb12fbcf62 100644
--- a/modules/db-for-postgre-sql/flexible-server/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/README.md
@@ -82,139 +82,6 @@ This module deploys a DBforPostgreSQL Flexible Server.
 | `version` | string | `'15'` | `[11, 12, 13, 14, 15]` | PostgreSQL Server version. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 3ad409cb29..696349103d 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -50,106 +50,6 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 81a5599f0a..9d96667dba 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -74,106 +74,6 @@ This module deploys an Azure Virtual Desktop (AVD) Host Pool. | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 25b485d144..3476b8e9f1 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -48,106 +48,6 @@ This module deploys an Azure Virtual Desktop (AVD) Scaling Plan. | `timeZone` | string | `'W. Europe Standard Time'` | | Timezone to be used for the scaling plan. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 7bdbd363f3..6512110609 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -47,106 +47,6 @@ This module deploys an Azure Virtual Desktop (AVD) Workspace. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index b7a1b79f6a..9b21814ef3 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -71,139 +71,6 @@ This module deploys a DevTest Lab. | `vmCreationResourceGroupId` | string | `[resourceGroup().id]` | | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md index 98deaaf041..0318c83d13 100644 --- a/modules/dev-test-lab/lab/artifactsource/README.md +++ b/modules/dev-test-lab/lab/artifactsource/README.md @@ -47,47 +47,6 @@ An artifact source allows you to create custom artifacts for the VMs in the lab, | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md index 273b7ca1dd..7ad70ef322 100644 --- a/modules/dev-test-lab/lab/cost/README.md +++ b/modules/dev-test-lab/lab/cost/README.md @@ -54,47 +54,6 @@ Manage lab costs by setting a spending target that can be viewed in the Monthly | `thresholdValue75SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md index f887cae58a..432c8b1d1b 100644 --- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ b/modules/dev-test-lab/lab/notificationchannel/README.md @@ -44,47 +44,6 @@ Notification channels are used by the schedule resource type in order to send no | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/policyset/policy/README.md b/modules/dev-test-lab/lab/policyset/policy/README.md index 618d84c1e5..fcf05efe7c 100644 --- a/modules/dev-test-lab/lab/policyset/policy/README.md +++ b/modules/dev-test-lab/lab/policyset/policy/README.md @@ -46,47 +46,6 @@ DevTest lab policies are used to modify the lab settings such as only allowing c | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md index 323515efcc..181ecedd78 100644 --- a/modules/dev-test-lab/lab/schedule/README.md +++ b/modules/dev-test-lab/lab/schedule/README.md @@ -48,47 +48,6 @@ Lab schedules are used to modify the settings for auto-shutdown, auto-start for | `weeklyRecurrence` | object | `{object}` | | If the schedule will occur only some days of the week, specify the weekly recurrence. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/dev-test-lab/lab/virtualnetwork/README.md b/modules/dev-test-lab/lab/virtualnetwork/README.md index 2f6be68cc7..cb4f24b6dd 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/README.md +++ b/modules/dev-test-lab/lab/virtualnetwork/README.md @@ -43,47 +43,6 @@ Lab virtual machines must be deployed into a virtual network. This resource type | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 512bd242ac..b7fd3b5123 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -56,240 +56,6 @@ This module deploys an Azure Digital Twins Instance. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -

## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index a1b836499f..3eea1daa41 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -73,351 +73,6 @@ This module deploys a DocumentDB Database Account. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to 'ServicePrincipal'. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Desktop Virtualization User' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md index cd4b13532a..bd2d6e6b59 100644 --- a/modules/document-db/database-account/gremlin-database/README.md +++ b/modules/document-db/database-account/gremlin-database/README.md @@ -44,80 +44,6 @@ This module deploys a Gremlin Database within a CosmosDB Account. | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md index 46669ea63c..9ef2885821 100644 --- a/modules/document-db/database-account/gremlin-database/graph/README.md +++ b/modules/document-db/database-account/gremlin-database/graph/README.md @@ -41,47 +41,6 @@ This module deploys a DocumentDB Database Accounts Gremlin Database Graph. | `tags` | object | `{object}` | Tags of the Gremlin graph resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md index 21d0be5f7e..d9c2501383 100644 --- a/modules/document-db/database-account/mongodb-database/README.md +++ b/modules/document-db/database-account/mongodb-database/README.md @@ -40,47 +40,6 @@ This module deploys a MongoDB Database within a CosmosDB Account. | `throughput` | int | `400` | Name of the mongodb database. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/sql-database/README.md b/modules/document-db/database-account/sql-database/README.md index fa35dfa962..2d6e69f472 100644 --- a/modules/document-db/database-account/sql-database/README.md +++ b/modules/document-db/database-account/sql-database/README.md @@ -41,47 +41,6 @@ This module deploys a SQL Database in a CosmosDB Account. | `throughput` | int | `400` | Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md index d1f36ece5d..1e14de9526 100644 --- a/modules/document-db/database-account/sql-database/container/README.md +++ b/modules/document-db/database-account/sql-database/container/README.md @@ -48,47 +48,6 @@ This module deploys a SQL Database Container in a CosmosDB Account. | `uniqueKeyPolicyKeys` | array | `[]` | | The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 6c0b803a00..4da7b333e7 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -54,206 +54,6 @@ This module deploys an Event Grid Domain. | `topics` | array | `[]` | | The topic names which are associated with the domain. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 4d00048638..a1fbd8ae6d 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -51,139 +51,6 @@ This module deploys an Event Grid System Topic. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 8e5edbc4b1..2bf435446a 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -52,206 +52,6 @@ This module deploys an Event Grid Topic. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 672ff83305..51e0ddece9 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -79,239 +79,6 @@ This module deploys an Event Hub Namespace. | `zoneRedundant` | bool | `False` | | Switch to make the Event Hub Namespace zone redundant. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index d1a867d4c1..de5de70349 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md @@ -59,65 +59,6 @@ This module deploys an Event Hub Namespace Event Hub. | `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of the Event Hub. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 1964a2bea7..f56a72df16 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md @@ -39,139 +39,6 @@ This module deploys an Azure Health Bot. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index a27a82037a..8e99abc232 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -144,105 +144,6 @@ fhirServices: [

-### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

## Outputs diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index c0ae746aa9..f335d27de0 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md +++ b/modules/healthcare-apis/workspace/dicomservice/README.md @@ -55,80 +55,6 @@ This module deploys a Healthcare API Workspace DICOM Service. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 511faf3271..a4b3d407cf 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md @@ -72,172 +72,6 @@ This module deploys a Healthcare API Workspace FHIR Service. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index 2537a702dc..e23cdfb648 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md @@ -57,80 +57,6 @@ This module deploys a Healthcare API Workspace IoT Connector. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index 1d1dadea2f..65ef94f1ad 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -48,106 +48,6 @@ This module deploys an Action Group. | `webhookReceivers` | array | `[]` | The list of webhook receivers that are part of this action group. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | @@ -341,8 +241,6 @@ module actionGroup './insights/action-group/main.bicep' = { ## Notes -### Module Usage Considerations - - Receiver name must be unique across the ActionGroup. - Email, SMS, Azure App push and Voice can be grouped in the same Action. To do so, the `name` field of the receivers must be in the `RecName_-ActionType-` format where: - _RecName_ is the name you want to give to the Action diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index caa33005cc..4e9a5b012e 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -40,106 +40,6 @@ This module deploys an Activity Log Alert. | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 77b596d5a9..815a655d02 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -50,106 +50,6 @@ This component deploys an Application Insights instance. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 2ee2e7c77f..73a632031b 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -39,106 +39,6 @@ This module deploys a Data Collection Endpoint. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md index 99d6c905b3..aa4038af07 100644 --- a/modules/insights/data-collection-rule/README.md +++ b/modules/insights/data-collection-rule/README.md @@ -44,106 +44,6 @@ This module deploys a Data Collection Rule. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 47d2e0958f..b2ffecb0f5 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -52,106 +52,6 @@ This module deploys a Metric Alert. | `windowSize` | string | `'PT15M'` | `[P1D, PT12H, PT15M, PT1H, PT1M, PT30M, PT5M, PT6H]` | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 9104b7f967..44b66f32bb 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -42,206 +42,6 @@ This module deploys an Azure Monitor Private Link Scope. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index c0342e5576..ac0722d263 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -49,106 +49,6 @@ This module deploys a Scheduled Query Rule. | `windowSize` | string | `''` | | The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index ad8243714e..a46e16f64a 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -49,106 +49,6 @@ This module deploys a Web Test. | `validationRules` | object | `{object}` | | The collection of validation rule properties. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 4772b0c08f..abd7378c73 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -65,206 +65,6 @@ This module deploys a Key Vault. | `vaultSku` | string | `'premium'` | `[premium, standard]` | Specifies the SKU for the vault. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index b32023c755..fa6e94dc7b 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -62,107 +62,6 @@ _None_ ## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ### Parameter Usage: `rotationPolicy` Configures a [auto-rotation policy](https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation) for the key. diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index 6ee8eaf639..80f7173e8e 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md @@ -8,7 +8,6 @@ This module deploys a Key Vault Secret. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) ## Resource Types @@ -56,105 +55,3 @@ This module deploys a Key Vault Secret. ## Cross-referenced modules _None_ - -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 996e27802e..5ea39db7e9 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -9,7 +9,6 @@ This module deploys a Kubernetes Configuration Extension. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -237,24 +236,3 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

- - -## Notes - -### Prerequisites - -Registration of your subscription with the AKS-ExtensionManager feature flag. Use the following command: - -```powershell -az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager -``` - -Registration of the following Azure service providers. (It's OK to re-register an existing provider.) - -```powershell -az provider register --namespace Microsoft.Kubernetes -az provider register --namespace Microsoft.ContainerService -az provider register --namespace Microsoft.KubernetesConfiguration -``` - -For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-flux2) diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 5429ff8eab..fcf3c02ae4 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -355,136 +355,3 @@ module workflow './logic/workflow/main.bicep' = {

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 7dcc69e3b8..78eb3c9e54 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -642,236 +642,3 @@ computes: [

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 3cd9156a16..2c65c0486b 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md @@ -10,7 +10,6 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) ## Resource Types @@ -64,79 +63,3 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy ## Cross-referenced modules _None_ - -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 7747774f22..550d69eb48 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -9,7 +9,6 @@ This module deploys a Maintenance Configuration. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -255,106 +254,3 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index 27e00e865e..5a4b75c1b9 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -34,106 +34,6 @@ This module deploys a User Assigned Identity. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index 1ca85fae64..ff8276cec7 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -175,62 +175,3 @@ $TopMGID = "" New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/" -RoleDefinitionName "Automation Job Operator" New-AzRoleAssignment -ObjectId $PrincipalID -Scope "/providers/Microsoft.Management/managementGroups/$TopMGID" -RoleDefinitionName "Management Group Contributor" ``` - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index 9afcdf63b6..61958f1328 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -47,139 +47,6 @@ This module deploys an Azure NetApp File. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index b6a7594c8d..c614fe1313 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md @@ -47,106 +47,6 @@ This module deploys an Azure NetApp Files Capacity Pool. | `volumes` | array | `[]` | | List of volumnes to create in the capacity pool. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index 20851da1db..1996ecba95 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md @@ -46,65 +46,6 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | `serviceLevel` | string | `'Standard'` | `[Premium, Standard, StandardZRS, Ultra]` | The pool service level. Must match the one of the parent capacity pool. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index c2888af3b8..ecc3fd56fa 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -36,47 +36,6 @@ This module deploys an Application Gateway Web Application Firewall (WAF) Policy | `tags` | object | `{object}` | Resource tags. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index be66413289..b8e66e159f 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -86,239 +86,6 @@ This module deploys a Network Application Gateway. | `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 5bbabf47d1..6b5150d961 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -37,106 +37,6 @@ This module deploys an Application Security Group (ASG). | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 2b03642400..58c2d46f73 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -9,7 +9,6 @@ This module deploys an Azure Firewall. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -783,106 +782,3 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 8cf520a554..b68e8d4c80 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -9,7 +9,6 @@ This module deploys a Bastion Host. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -380,106 +379,3 @@ module bastionHost './network/bastion-host/main.bicep' = {

- - -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index ca5e4810ad..a8e9cf6573 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -312,44 +312,3 @@ customIPSecPolicy: {

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 1a88aaec59..d41f975e6c 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -37,106 +37,6 @@ This module deploys a DDoS Protection Plan. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 6d72792bbe..c391b29ada 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -42,106 +42,6 @@ This template deploys an dns forwarding ruleset. | `vNetLinks` | array | `[]` | | Array of virtual network links. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md index e47e07ead8..b99f308ee7 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md @@ -42,106 +42,6 @@ This template deploys Forwarding Rule in a Dns Forwarding Ruleset. | `metadata` | object | `{object}` | | Metadata attached to the forwarding rule. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 48e410e323..cc337017bd 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -9,7 +9,6 @@ This module deploys a DNS Resolver. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -151,106 +150,3 @@ module dnsResolver './network/dns-resolver/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index c8ce60021e..4e03141daa 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -57,106 +57,6 @@ This module deploys a Public DNS zone. | `txt` | _[txt](txt/README.md)_ array | `[]` | | Array of TXT records. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md index 2232f5da8e..243741caa9 100644 --- a/modules/network/dns-zone/a/README.md +++ b/modules/network/dns-zone/a/README.md @@ -42,65 +42,6 @@ This module deploys a Public DNS Zone A record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md index fb791b89c7..3ced8d13c1 100644 --- a/modules/network/dns-zone/aaaa/README.md +++ b/modules/network/dns-zone/aaaa/README.md @@ -42,65 +42,6 @@ This module deploys a Public DNS Zone AAAA record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md index 80ecc6de2c..790b850ff9 100644 --- a/modules/network/dns-zone/caa/README.md +++ b/modules/network/dns-zone/caa/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone CAA record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md index b2364ef261..761f346b01 100644 --- a/modules/network/dns-zone/cname/README.md +++ b/modules/network/dns-zone/cname/README.md @@ -42,65 +42,6 @@ This module deploys a Public DNS Zone CNAME record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md index 255f4581a1..e6b6a99d5a 100644 --- a/modules/network/dns-zone/mx/README.md +++ b/modules/network/dns-zone/mx/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone MX record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md index 391818abdd..411d63a495 100644 --- a/modules/network/dns-zone/ns/README.md +++ b/modules/network/dns-zone/ns/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone NS record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md index 96bdd843ca..caf2ea722a 100644 --- a/modules/network/dns-zone/ptr/README.md +++ b/modules/network/dns-zone/ptr/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone PTR record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md index ed10646af7..83c0fa4654 100644 --- a/modules/network/dns-zone/soa/README.md +++ b/modules/network/dns-zone/soa/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone SOA record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md index 89f86d9e0a..fb1f8c35f6 100644 --- a/modules/network/dns-zone/srv/README.md +++ b/modules/network/dns-zone/srv/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone SRV record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md index 7a304d3cd6..9db5f6f73e 100644 --- a/modules/network/dns-zone/txt/README.md +++ b/modules/network/dns-zone/txt/README.md @@ -41,65 +41,6 @@ This module deploys a Public DNS Zone TXT record. | `txtRecords` | array | `[]` | The list of TXT records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index cdf0893e28..679f0b7aa6 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -61,106 +61,6 @@ This module deploys an Express Route Circuit. | `vlanId` | int | `0` | | Specifies the identifier that is used to identify the customer. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index b6797dc37c..f7160b91ba 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -42,139 +42,6 @@ This module deploys an Express Route Gateway. | `tags` | object | `{object}` | | Tags of the Firewall policy resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 21269645d2..28a24d3072 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -55,80 +55,6 @@ This module deploys a Firewall Policy. | `workspaces` | array | `[]` | | List of workspaces for Firewall Policy Insights. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index 2b7e1b8d81..41570c94cd 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -41,106 +41,6 @@ This module deploys a Front Door Web Application Firewall (WAF) Policy. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 90dfa5731d..64e78ae5f3 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -53,106 +53,6 @@ This module deploys an Azure Front Door. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index 74704e8132..d6481e255f 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -38,106 +38,6 @@ This module deploys an IP Group. | `tags` | object | `{object}` | | Resource tags. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 493d0397fd..5c8c51a3b7 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -9,6 +9,7 @@ This module deploys a Load Balancer. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) +- [Notes](#Notes) ## Resource types @@ -52,6 +53,7 @@ This module deploys a Load Balancer. | `skuName` | string | `'Standard'` | `[Basic, Standard]` | Name of a load balancer SKU. | | `tags` | object | `{object}` | | Tags of the resource. | + ## Outputs | Output Name | Type | Description | @@ -616,6 +618,7 @@ module loadBalancer './network/load-balancer/main.bicep' = {

+ ## Notes ### Parameter Usage: `backendAddressPools` @@ -694,103 +697,3 @@ backendAddressPools: [

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index 0b3677e963..6cbde10008 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md @@ -43,106 +43,6 @@ This module deploys a Local Network Gateway. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 79c5d19990..2ae5f1ad5c 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -54,106 +54,6 @@ This module deploys a NAT Gateway. | `zones` | array | `[]` | | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index ab8a22386d..ed14946f06 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -51,6 +51,7 @@ This module deploys a Network Interface. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | + ## Outputs | Output Name | Type | Description | @@ -276,105 +277,3 @@ module networkInterface './network/network-interface/main.bicep' = {

- -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 7a1979c20f..656930cdc9 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -571,103 +571,3 @@ networkManagerScopes: {

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index ef735d9bf3..306ed08855 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -47,106 +47,6 @@ This module deploys a Network security Group (NSG). | `tags` | object | `{object}` | | Tags of the NSG resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index f6f07d744e..d41d90b40b 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -36,106 +36,6 @@ This module deploys a Network Watcher. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/network-watcher/connection-monitor/README.md b/modules/network/network-watcher/connection-monitor/README.md index db814f4700..d066d55387 100644 --- a/modules/network/network-watcher/connection-monitor/README.md +++ b/modules/network/network-watcher/connection-monitor/README.md @@ -37,47 +37,6 @@ This module deploys a Network Watcher Connection Monitor. | `workspaceResourceId` | string | `''` | Specify the Log Analytics Workspace Resource ID. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md index e0f8e669df..0dacbbb823 100644 --- a/modules/network/network-watcher/flow-log/README.md +++ b/modules/network/network-watcher/flow-log/README.md @@ -41,47 +41,6 @@ This module controls the Network Security Group Flow Logs and analytics settings | `workspaceResourceId` | string | `''` | | Specify the Log Analytics Workspace Resource ID. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index c3c0c2f400..a6d1f62e04 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -55,106 +55,6 @@ This module deploys a Private DNS zone. | `virtualNetworkLinks` | array | `[]` | | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md index 01c4538788..54ae836063 100644 --- a/modules/network/private-dns-zone/a/README.md +++ b/modules/network/private-dns-zone/a/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone A record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md index 05822f5841..10dbc0d92d 100644 --- a/modules/network/private-dns-zone/aaaa/README.md +++ b/modules/network/private-dns-zone/aaaa/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone AAAA record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md index 314938dbe3..274c08ff98 100644 --- a/modules/network/private-dns-zone/cname/README.md +++ b/modules/network/private-dns-zone/cname/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone CNAME record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md index b18d99bcad..2e235dc3a0 100644 --- a/modules/network/private-dns-zone/mx/README.md +++ b/modules/network/private-dns-zone/mx/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone MX record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md index 76398f1922..1af2199b1e 100644 --- a/modules/network/private-dns-zone/ptr/README.md +++ b/modules/network/private-dns-zone/ptr/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone PTR record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md index 7f92d51241..d67c893c38 100644 --- a/modules/network/private-dns-zone/soa/README.md +++ b/modules/network/private-dns-zone/soa/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone SOA record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md index 21c5992e70..fbddcefda1 100644 --- a/modules/network/private-dns-zone/srv/README.md +++ b/modules/network/private-dns-zone/srv/README.md @@ -41,65 +41,6 @@ This module deploys a Private DNS Zone SRV record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 18f4ab62b2..62fe57a009 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md @@ -40,6 +40,7 @@ This module deploys a Private DNS Zone TXT record. | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | | `txtRecords` | array | `[]` | The list of TXT records in the record set. | + ## Outputs | Output Name | Type | Description | @@ -51,64 +52,3 @@ This module deploys a Private DNS Zone TXT record. ## Cross-referenced modules _None_ - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/network/private-dns-zone/virtual-network-link/README.md b/modules/network/private-dns-zone/virtual-network-link/README.md index 57675f1db9..44f61227f6 100644 --- a/modules/network/private-dns-zone/virtual-network-link/README.md +++ b/modules/network/private-dns-zone/virtual-network-link/README.md @@ -40,47 +40,6 @@ This module deploys a Private DNS Zone Virtual Network Link. | `tags` | object | `{object}` | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 51569056bc..86ea2dc1c5 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -46,6 +46,7 @@ This module deploys a Private Endpoint. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | + ## Outputs | Output Name | Type | Description | @@ -273,105 +274,3 @@ module privateEndpoint './network/private-endpoint/main.bicep' = {

- -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index ad8c02cae2..779847dd62 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -456,103 +456,3 @@ autoApproval: [

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 75cbcfd8cf..f9fbb64201 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -55,106 +55,6 @@ This module deploys a Public IP Address. | `zones` | array | `[]` | | A list of availability zones denoting the IP allocated for the resource needs to come from. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index df1d3f6b4d..4c46286757 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -39,106 +39,6 @@ This module deploys a Public IP Prefix. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index 345da52329..cc9d1fc7b2 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -9,7 +9,6 @@ This module deploys a User Defined Route Table (UDR). - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -207,106 +206,3 @@ module routeTable './network/route-table/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index 4f4efd992a..38a9157321 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -40,106 +40,6 @@ This module deploys a Service Endpoint Policy. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 592e9cd99b..d9db9a5dbe 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -314,103 +314,3 @@ endpoints: [

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 8de50dc12d..d40c79d5e8 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -54,47 +54,6 @@ If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integ | `vpnGatewayId` | string | `''` | | Resource ID of the VPN Gateway to link to. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index f40b952857..31e33bd461 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -9,7 +9,6 @@ This module deploys a Virtual Network Gateway. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -624,105 +623,3 @@ module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = {

- - -## Notes -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 420481c523..17c45fe91e 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -474,104 +474,3 @@ As the virtual network peering array allows you to deploy not only a one-way but | `remotePeeringAllowVirtualNetworkAccess` | bool | `true` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | | `remotePeeringDoNotVerifyRemoteGateways` | bool | `true` | | Optional. If we need to verify the provisioning state of the remote gateway. | | `remotePeeringUseRemoteGateways` | bool | `false` | | Optional. If remote gateways can be used on this virtual network. If the flag is set to `true`, and allowGatewayTransit on local peering is also `true`, virtual network will use gateways of local virtual network for transit. Only one peering can have this flag set to `true`. This flag cannot be set if virtual network already has a gateway. | - - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index 1d0e363cf6..8a9dfc4089 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -67,65 +67,4 @@ _None_ ## Notes -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Considerations - The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled". diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 053e5982aa..8039719c7c 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -41,106 +41,6 @@ This module deploys a Virtual WAN. | `type` | string | `'Standard'` | `[Basic, Standard]` | The type of the Virtual WAN. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index dae2760dda..8fd26e019d 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -334,44 +334,3 @@ bgpSettings: {

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 885dd54c32..ea575095be 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -339,103 +339,3 @@ deviceProperties: {

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index ef62355818..1d36c0d1b3 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -9,7 +9,6 @@ This module deploys a Log Analytics Workspace. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -1061,139 +1060,3 @@ module workspace './operational-insights/workspace/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md index 85d6a4f784..e0d5f9f875 100644 --- a/modules/operational-insights/workspace/data-source/README.md +++ b/modules/operational-insights/workspace/data-source/README.md @@ -49,47 +49,6 @@ This module deploys a Log Analytics Workspace Data Source. | `tags` | object | `{object}` | Tags to configure in the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/operational-insights/workspace/linked-service/README.md b/modules/operational-insights/workspace/linked-service/README.md index 48c495aac5..57b5316e53 100644 --- a/modules/operational-insights/workspace/linked-service/README.md +++ b/modules/operational-insights/workspace/linked-service/README.md @@ -39,47 +39,6 @@ This module deploys a Log Analytics Workspace Linked Service. | `writeAccessResourceId` | string | `''` | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/operational-insights/workspace/saved-search/README.md b/modules/operational-insights/workspace/saved-search/README.md index 3e6be0fc0e..1db2ca47d5 100644 --- a/modules/operational-insights/workspace/saved-search/README.md +++ b/modules/operational-insights/workspace/saved-search/README.md @@ -44,47 +44,6 @@ This module deploys a Log Analytics Workspace Saved Search. | `version` | int | `2` | The version number of the query language. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/operational-insights/workspace/storage-insight-config/README.md b/modules/operational-insights/workspace/storage-insight-config/README.md index 3bef2a8a5c..032ee4b2c8 100644 --- a/modules/operational-insights/workspace/storage-insight-config/README.md +++ b/modules/operational-insights/workspace/storage-insight-config/README.md @@ -40,47 +40,6 @@ This module deploys a Log Analytics Workspace Storage Insight Config. | `tags` | object | `{object}` | Tags to configure in the resource. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 5c6d290f44..a5f670d0ad 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -42,106 +42,6 @@ This module deploys a Power BI Dedicated Capacity. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index ebd680590e..ea412e85c2 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -55,139 +55,6 @@ This module deploys a Purview Account. | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index fdb0a41276..9adaee17b2 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -9,7 +9,6 @@ This module deploys a Recovery Services Vault. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -970,239 +969,3 @@ module vault './recovery-services/vault/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 9c8752244e..4d6c984338 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -59,206 +59,6 @@ This module deploys a Relay Namespace | `wcfRelays` | array | `[]` | | The wcf relays to create in the relay namespace. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index a45ba19aae..03ee068530 100644 --- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md @@ -44,65 +44,6 @@ This module deploys a Relay Namespace Hybrid Connection. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index 07ca91cea0..3a4b841219 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md @@ -46,65 +46,6 @@ This module deploys a Relay Namespace WCF Relay. | `userMetadata` | string | `''` | | User-defined string data for the WCF Relay. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index 28de6f414e..9cec40305f 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -39,106 +39,6 @@ This module deploys a Resource Graph Query. | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 78a07ec984..98aca51078 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -9,7 +9,6 @@ This module deploys a Deployment Script. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -301,80 +300,3 @@ module deploymentScript './resources/deployment-script/main.bicep' = {

- - -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index f0f88d7331..4c341910e3 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -9,7 +9,6 @@ This module deploys a Resource Group. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -187,106 +186,3 @@ module resourceGroup './resources/resource-group/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/resources/tags/README.md b/modules/resources/tags/README.md
index 36ae3d1b23..8c84394fa8 100644
--- a/modules/resources/tags/README.md
+++ b/modules/resources/tags/README.md
@@ -30,47 +30,6 @@ This module deploys a Resource Tag at a Subscription or Resource Group scope.
 | `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. |
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/resources/tags/resource-group/README.md b/modules/resources/tags/resource-group/README.md
index 3deb2a74cf..b01512e657 100644
--- a/modules/resources/tags/resource-group/README.md
+++ b/modules/resources/tags/resource-group/README.md
@@ -26,47 +26,6 @@ This module deploys a Resource Tag on a Resource Group scope.
 | `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. |
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/resources/tags/subscription/README.md b/modules/resources/tags/subscription/README.md
index ab74b2d81c..384fb2c7e9 100644
--- a/modules/resources/tags/subscription/README.md
+++ b/modules/resources/tags/subscription/README.md
@@ -27,47 +27,6 @@ This module deploys a Resource Tag on a Subscription scope.
 | `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. |
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md
index 6841ec89c8..ab526edefb 100644
--- a/modules/search/search-service/README.md
+++ b/modules/search/search-service/README.md
@@ -60,206 +60,6 @@ This module deploys a Search Service.
 | `tags` | object | `{object}` | | Tags to help categorize the resource in the Azure portal. |
-### Parameter Usage: `privateEndpoints`
-
-To use Private Endpoint the following dependencies must be deployed:
-
-- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
-- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-
-

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index 65c1ff3a6b..eb97303df4 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -9,7 +9,6 @@ This module deploys a Service Bus Namespace.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
-- [Notes](#Notes)
 
 ## Resource types
 
@@ -815,239 +814,3 @@ module namespace './service-bus/namespace/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md
index 4da81c9733..23a86f0b78 100644
--- a/modules/service-bus/namespace/queue/README.md
+++ b/modules/service-bus/namespace/queue/README.md
@@ -58,65 +58,6 @@ This module deploys a Service Bus Namespace Queue.
 | `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md
index 3e408a2f86..51fe952267 100644
--- a/modules/service-bus/namespace/topic/README.md
+++ b/modules/service-bus/namespace/topic/README.md
@@ -53,65 +53,6 @@ This module deploys a Service Bus Namespace Topic.
 | `supportOrdering` | bool | `False` | | Value that indicates whether the topic supports ordering. |
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md
index 6a3174bddd..1d92aa0629 100644
--- a/modules/service-fabric/cluster/README.md
+++ b/modules/service-fabric/cluster/README.md
@@ -752,103 +752,3 @@ notifications: [

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/service-fabric/cluster/application-type/README.md b/modules/service-fabric/cluster/application-type/README.md
index 0d5f757531..5694135918 100644
--- a/modules/service-fabric/cluster/application-type/README.md
+++ b/modules/service-fabric/cluster/application-type/README.md
@@ -32,47 +32,6 @@ This module deploys a Service Fabric Cluster Application Type.
 | `tags` | object | `{object}` | Tags of the resource. |
-### Parameter Usage: `tags`
-
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index d34bbb4be5..2f25ef7491 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -53,206 +53,6 @@ This module deploys a SignalR Service SignalR.
 | `upstreamTemplatesToEnable` | array | `[]` | | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. |
-### Parameter Usage: `privateEndpoints`
-
-To use Private Endpoint the following dependencies must be deployed:
-
-- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
-- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-
-

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

-
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md
index d595076366..2fdf5cb244 100644
--- a/modules/signal-r-service/web-pub-sub/README.md
+++ b/modules/signal-r-service/web-pub-sub/README.md
@@ -9,7 +9,6 @@ This module deploys a SignalR Web PubSub Service.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
-- [Notes](#Notes)
 
 ## Resource Types
 
@@ -409,240 +408,3 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

- - -## Notes - - -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index f4585d78dc..cb696de727 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -542,168 +542,3 @@ SQL MI requires that the subnet have a Route Table and NSG assigned to it. The S #### Azure AD Authentication SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed. - -### Parameter Usage : `userAssignedIdentities` - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- - -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index 4feb82d887..c052ef6853 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -8,7 +8,6 @@ This module deploys a SQL Managed Instance Database. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) ## Resource types @@ -74,46 +73,3 @@ This module deploys a SQL Managed Instance Database. ## Cross-referenced modules _None_ - -## Notes - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index b6a4646090..e93c03a27a 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -654,139 +654,6 @@ module server './sql/server/main.bicep' = { ## Notes -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ### Parameter Usage: `administrators` Configure Azure Active Directory Authentication method for server administrator. @@ -826,103 +693,3 @@ administrators: {

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md index 6a7202d179..772edc8f0e 100644 --- a/modules/sql/server/database/README.md +++ b/modules/sql/server/database/README.md @@ -73,47 +73,6 @@ This module deploys an Azure SQL Server Database. | `zoneRedundant` | bool | `False` | | Whether or not this database is zone redundant. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md index 69009aee29..97d38ea3bc 100644 --- a/modules/sql/server/elastic-pool/README.md +++ b/modules/sql/server/elastic-pool/README.md @@ -49,47 +49,6 @@ This module deploys an Azure SQL Server Elastic Pool. | `zoneRedundant` | bool | `False` | | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. | -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 9222dae86d..571fa9e6d7 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -1085,240 +1085,5 @@ module storageAccount './storage/storage-account/main.bicep' = { ## Notes -### Considerations - This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype. The hierarchical namespace of the storage account (see parameter `enableHierarchicalNamespace`), can be only set at creation time. - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md index fdd219e185..bd2bac4f1e 100644 --- a/modules/storage/storage-account/blob-service/container/README.md +++ b/modules/storage/storage-account/blob-service/container/README.md @@ -48,65 +48,6 @@ This module deploys a Storage Account Blob Container. | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index db06e991f9..5513c20483 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md @@ -43,65 +43,6 @@ This module deploys a Storage Account File Share. | `shareQuota` | int | `5120` | | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 51328da37f..e166adc84f 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md @@ -39,65 +39,6 @@ This module deploys a Storage Account Queue. | `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 0edae4ac65..bdf83ecdca 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md @@ -40,206 +40,6 @@ This module deploys an Azure Synapse Analytics (Private Link Hub). | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 391fcd8e22..3446019c20 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -78,239 +78,6 @@ This module deploys a Synapse Workspace. | `workspaceRepositoryConfiguration` | object | `{object}` | | Git integration settings. | -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index f0c979df4b..727825a17e 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -436,169 +436,3 @@ source: {

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `vmUserAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"vmUserAssignedIdentities": { - "value": [ - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001", - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002" - ] -} -``` - -
- -
- -Bicep format - -```bicep -vmUserAssignedIdentities: [ - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001' - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002' -] -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 15c8ff3c0b..4353443b6b 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -44,106 +44,6 @@ This module deploys an Azure API Connection. | `testLinks` | array | `[]` | | Links to test the API connection. | -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- ## Outputs | Output Name | Type | Description | diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index bcaf7288a6..dd8fac9921 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -9,7 +9,6 @@ This module deploys an App Service Environment. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource types @@ -401,139 +400,3 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index c3fa426a14..52b2606816 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -9,7 +9,6 @@ This module deploys an App Service Plan. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types @@ -186,106 +185,3 @@ module serverfarm './web/serverfarm/main.bicep' = {

- - -## Notes - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 0591052d17..7abafc3801 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -874,7 +874,6 @@ module site './web/site/main.bicep' = { ## Notes - ### Parameter Usage: `appSettingsKeyValuePairs` AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId). @@ -912,236 +911,3 @@ appSettingsKeyValuePairs: {

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md
index abfd53c9aa..a2c44834f2 100644
--- a/modules/web/site/slot/README.md
+++ b/modules/web/site/slot/README.md
@@ -110,7 +110,6 @@ This section gives you an overview of all local-referenced module files (i.e., o ## Notes - ### Parameter Usage: `appSettingsKeyValuePairs` AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING are set separately (check parameters storageAccountId, setAzureWebJobsDashboard, appInsightId).
@@ -148,236 +147,3 @@ appSettingsKeyValuePairs: {

- -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index b471b37790..0e40acc22d 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -9,7 +9,6 @@ This module deploys a Static Web App. - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Deployment examples](#Deployment-examples) -- [Notes](#Notes) ## Resource Types
@@ -301,239 +300,3 @@ module staticSite './web/static-site/main.bicep' = {

- - -## Notes - -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/tools/Set-ModuleReadMe.ps1
index bf3476da05..fc1ca2f07c 100644
--- a/utilities/tools/Set-ModuleReadMe.ps1
+++ b/utilities/tools/Set-ModuleReadMe.ps1
@@ -224,30 +224,6 @@ function Set-ParametersSection { $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'none' } - # Build sub-section 'ParameterUsage' - if (Test-Path (Join-Path $PSScriptRoot 'moduleReadMeSource')) { - if ($resourceUsageSourceFiles = Get-ChildItem (Join-Path $PSScriptRoot 'moduleReadMeSource') -Recurse -Filter 'resourceUsage-*') { - foreach ($sourceFile in $resourceUsageSourceFiles.FullName) { - $parameterName = (Split-Path $sourceFile -LeafBase).Replace('resourceUsage-', '') - if ($templateFileContent.parameters.Keys -contains $parameterName) { - $subSectionStartIdentifier = '### Parameter Usage: `{0}`' -f $ParameterName - - # Build result - $updateParameterUsageInputObject = @{ - OldContent = $updatedFileContent - NewContent = (Get-Content $sourceFile -Raw).Trim() - SectionStartIdentifier = $subSectionStartIdentifier - ParentStartIdentifier = $SectionStartIdentifier - ContentType = 'none' - } - if ($PSCmdlet.ShouldProcess(('Original file with new parameter usage [{0}] content' -f $parameterName), 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent @updateParameterUsageInputObject - } - } - } - } - } - return $updatedFileContent } 
@@ -1534,11 +1510,6 @@ $templatePaths = (Get-ChildItem 'C:/network' -Filter 'main.bicep' -Recurse).Full $templatePaths | ForEach-Object -Parallel { . '/utilities/tools/Set-ModuleReadMe.ps1' ; Set-ModuleReadMe -TemplateFilePath $_ } Generate the Module ReadMe for any template in a folder path - -.NOTES -The script autopopulates the Parameter Usage section of the ReadMe with the matching content in path './moduleReadMeSource'. -The content is added in case the given template has a parameter that matches the suffix of one of the files in that path. -To account for more parameter, just add another markdown file with the naming pattern 'resourceUsage-' #> function Set-ModuleReadMe {
diff --git a/utilities/tools/moduleReadMeSource/resourceUsage-privateEndpoints.md b/utilities/tools/moduleReadMeSource/resourceUsage-privateEndpoints.md
deleted file mode 100644
index 934d52cf04..0000000000
--- a/utilities/tools/moduleReadMeSource/resourceUsage-privateEndpoints.md
+++ /dev/null
@@ -1,97 +0,0 @@
-To use Private Endpoint the following dependencies must be deployed:
-
-- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
-- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-
-

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "", // e.g. vault, registry, blob - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - }, - "ipConfigurations":[ - { - "name": "myIPconfigTest02", - "properties": { - "groupId": "blob", - "memberName": "blob", - "privateIPAddress": "10.0.0.30" - } - } - ], - "customDnsConfigs": [ - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "" // e.g. vault, registry, blob - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - privateDnsZoneGroup: { - privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net - ] - } - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - ipConfigurations:[ - { - name: 'myIPconfigTest02' - properties: { - groupId: 'blob' - memberName: 'blob' - privateIPAddress: '10.0.0.30' - } - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/[[subscriptionId]]/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '' // e.g. vault, registry, blob - } -] -``` - -
-

diff --git a/utilities/tools/moduleReadMeSource/resourceUsage-roleAssignments.md b/utilities/tools/moduleReadMeSource/resourceUsage-roleAssignments.md
deleted file mode 100644
index ea2d34c044..0000000000
--- a/utilities/tools/moduleReadMeSource/resourceUsage-roleAssignments.md
+++ /dev/null
@@ -1,56 +0,0 @@
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

diff --git a/utilities/tools/moduleReadMeSource/resourceUsage-tags.md b/utilities/tools/moduleReadMeSource/resourceUsage-tags.md
deleted file mode 100644
index f39b518472..0000000000
--- a/utilities/tools/moduleReadMeSource/resourceUsage-tags.md
+++ /dev/null
@@ -1,38 +0,0 @@
-Tag names and tag values can be provided as needed. A tag can be left without a value.
-
-

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

diff --git a/utilities/tools/moduleReadMeSource/resourceUsage-userAssignedIdentities.md b/utilities/tools/moduleReadMeSource/resourceUsage-userAssignedIdentities.md
deleted file mode 100644
index 6ce203e0b7..0000000000
--- a/utilities/tools/moduleReadMeSource/resourceUsage-userAssignedIdentities.md
+++ /dev/null
@@ -1,30 +0,0 @@
-You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
-
-

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

From ffa263a907ea58b235cd1fdaf1b91e0bc8766c9c Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Sun, 15 Oct 2023 12:05:57 +0000
Subject: [PATCH 026/178] Push updated API Specs file
---
utilities/src/apiSpecsList.json | 588 +++++++++++++++++++++++---------
1 file changed, 419 insertions(+), 169 deletions(-)
diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json
index 34fc76b78b..d017fc29d5 100644
--- a/utilities/src/apiSpecsList.json
+++ b/utilities/src/apiSpecsList.json
@@ -102,15 +102,20 @@ }, "GitHub.Network": { "networkSettings": [ - "2023-03-15-beta" + "2023-03-15-beta", + "2023-11-01-preview" ], "Operations": [ "2023-03-15-alpha", - "2023-03-15-beta" + "2023-03-15-beta", + "2023-11-01-preview", + "2023-11-01-rc" ], "registeredSubscriptions": [ "2023-03-15-alpha", - "2023-03-15-beta" + "2023-03-15-beta", + "2023-11-01-preview", + "2023-11-01-rc" ] }, "Microsoft.AAD": {
@@ -394,6 +399,11 @@ "2023-06-01-preview" ] }, + "Microsoft.AksHybrid": { + "locations": [ + "2023-09-01-preview" + ] + }, "Microsoft.AlertsManagement": { "actionRules": [ "2018-11-02-privatepreview",
@@ -3758,6 +3768,23 @@ "2019-07-24-preview" ] }, + "Microsoft.AzureLargeInstance": { + "azureLargeInstances": [ + "2023-07-20-preview" + ], + "azureLargeStorageInstances": [ + "2023-07-20-preview" + ], + "locations": [ + "2023-07-20-preview" + ], + "locations/operationsStatus": [ + "2023-07-20-preview" + ], + "operations": [ + "2023-07-20-preview" + ] + }, "Microsoft.AzurePercept": { "checkNameAvailability": [ "2021-09-01-preview",
@@ -3902,7 +3929,8 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "clusters/arcSettings": [ "2021-01-01-preview",
@@ -3917,7 +3945,8 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "clusters/arcSettings/extensions": [ "2021-01-01-preview", 
@@ -3932,7 +3961,8 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "clusters/offers": [ "2022-04-01-preview" @@ -3953,7 +3983,8 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "clusters/updates/updateRuns": [ "2022-08-01-preview", @@ -3962,7 +3993,8 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "clusters/updateSummaries": [ "2022-08-01-preview", @@ -3971,14 +4003,16 @@ "2022-12-15-preview", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "galleryImages": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", "2022-12-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "locations": [ "2020-10-01", @@ -4025,17 +4059,22 @@ "2023-08-01-preview", "2023-09-01" ], + "logicalNetworks": [ + "2023-09-01-preview" + ], "marketplaceGalleryImages": [ "2021-09-01-preview", "2022-12-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "networkInterfaces": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", "2022-12-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "operations": [ "2020-03-01-preview", @@ -4071,20 +4110,24 @@ "storageContainers": [ "2021-09-01-preview", "2022-12-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "virtualHardDisks": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", "2022-12-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "virtualMachineInstances": [ - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "virtualMachineInstances/guestAgents": [ - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-01-preview" ], "virtualMachines": [ "2020-11-01-preview", 
@@ -5140,13 +5183,9 @@ "2023-11-01-preview" ], "maccs": [ - "2023-11-01-beta", "2023-11-01-preview" ], "maccs/contributors": [ - "2023-07-01-beta", - "2023-07-01-preview", - "2023-11-01-beta", "2023-11-01-preview" ], "operationResults": [ @@ -5195,6 +5234,10 @@ "2023-07-01-beta", "2023-07-01-preview" ], + "savingsPlanOrders/return": [ + "2023-07-01-beta", + "2023-07-01-preview" + ], "savingsPlanOrders/savingsPlans": [ "2021-07-01-beta", "2021-07-01-privatepreview", @@ -5222,6 +5265,8 @@ "2022-06-02-privatepreview", "2022-11-01", "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview", "2023-11-01-beta", "2023-11-01-preview" ] @@ -5316,7 +5361,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "botServices/channels": [ "2017-12-01", @@ -5325,7 +5371,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "botServices/Connections": [ "2017-12-01", @@ -5334,7 +5381,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "botServices/privateEndpointConnectionProxies": [ "2021-03-01", @@ -5346,7 +5394,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "botServices/privateLinkResources": [ "2021-03-01", @@ -5687,7 +5736,8 @@ "2022-11-01-preview", "2023-03-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01-preview" ], "redisEnterprise/databases": [ "2020-04-01-preview", @@ -5699,7 +5749,8 @@ "2022-11-01-preview", "2023-03-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01-preview" ], "RedisEnterprise/privateEndpointConnectionProxies": [ "2020-04-01-preview", 
@@ -5744,7 +5795,8 @@ "2022-11-01-preview", "2023-03-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01-preview" ], "RedisEnterprise/privateEndpointConnections/operationresults": [ "2020-04-01-preview", @@ -7391,21 +7443,27 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "accounts/commitmentPlans": [ "2021-10-01", "2022-03-01", "2022-10-01", "2022-12-01", - "2023-05-01" + "2023-05-01", + "2023-10-01-preview" ], "accounts/deployments": [ "2021-10-01", "2022-03-01", "2022-10-01", "2022-12-01", - "2023-05-01" + "2023-05-01", + "2023-10-01-preview" + ], + "accounts/encryptionScopes": [ + "2023-10-01-preview" ], "accounts/networkSecurityPerimeterAssociationProxies": [ "2021-10-01" @@ -7418,7 +7476,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "accounts/privateEndpointConnections": [ "2017-04-18", @@ -7428,7 +7487,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "accounts/privateLinkResources": [ "2017-04-18", @@ -7438,7 +7498,17 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" + ], + "accounts/raiBlocklists": [ + "2023-10-01-preview" + ], + "accounts/raiBlocklists/raiBlocklistItems": [ + "2023-10-01-preview" + ], + "accounts/raiPolicies": [ + "2023-10-01-preview" ], "checkDomainAvailability": [ "2016-02-01-preview", @@ -7449,16 +7519,19 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "commitmentPlans": [ "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "commitmentPlans/accountAssociations": [ "2022-12-01", - "2023-05-01" + "2023-05-01", + "2023-10-01-preview" ], "deletedAccounts": [ "2021-04-30", 
@@ -7467,7 +7540,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations": [ "2016-02-01-preview", @@ -7478,7 +7552,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/checkSkuAvailability": [ "2016-02-01-preview", @@ -7489,7 +7564,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/commitmentTiers": [ "2021-10-01", @@ -7497,7 +7573,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/deleteVirtualNetworkOrSubnets": [ "2016-02-01-preview", @@ -7508,11 +7585,13 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/models": [ "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2021-10-01" @@ -7526,10 +7605,12 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/raiContentFilters": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/resourceGroups": [ "2021-04-30", @@ -7538,7 +7619,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/resourceGroups/deletedAccounts": [ "2021-04-30", @@ -7547,11 +7629,13 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "locations/usages": [ "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ], "operations": [ "2016-02-01-preview", 
@@ -7562,7 +7646,8 @@ "2022-10-01", "2022-12-01", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-10-01-preview" ] }, "Microsoft.Commerce": { @@ -7599,7 +7684,8 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "CommunicationServices/eventGridFilters": [ "2020-08-20", @@ -7611,7 +7697,8 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "emailServices/domains": [ "2021-10-01-preview", @@ -7619,12 +7706,20 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "emailServices/domains/senderUsernames": [ "2023-03-01-preview", "2023-03-31", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" + ], + "emailServices/domains/suppressionLists": [ + "2023-06-01-preview" + ], + "emailServices/domains/suppressionLists/suppressionListAddresses": [ + "2023-06-01-preview" ], "Locations": [ "2020-08-20", @@ -10306,7 +10401,8 @@ "2022-09-02-preview", "2023-03-15-preview", "2023-06-15-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-10-15" ], "fleets": [ "2022-06-02-preview", @@ -10314,7 +10410,8 @@ "2022-09-02-preview", "2023-03-15-preview", "2023-06-15-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-10-15" ], "fleets/members": [ "2022-06-02-preview", @@ -10322,15 +10419,18 @@ "2022-09-02-preview", "2023-03-15-preview", "2023-06-15-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-10-15" ], "fleets/updateRuns": [ "2023-03-15-preview", "2023-06-15-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-10-15" ], "fleets/updateStrategies": [ - "2023-08-15-preview" + "2023-08-15-preview", + "2023-10-15" ], "locations": [ "2015-11-01-preview", 
@@ -10341,7 +10441,8 @@ ], "locations/guardrailsVersions": [ "2023-07-02-preview", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-02-preview" ], "locations/kubernetesVersions": [ "2023-03-01", @@ -10355,7 +10456,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2022-03-01", @@ -10372,7 +10475,8 @@ "2023-05-02-preview", "2023-06-02-preview", "2023-07-02-preview", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-02-preview" ], "locations/operationresults": [ "2016-03-30", @@ -10435,7 +10539,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "locations/operations": [ "2016-03-30", @@ -10498,7 +10604,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "locations/orchestrators": [ "2017-09-30", @@ -10558,7 +10666,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "locations/osOptions": [ "2021-03-01", @@ -10602,7 +10712,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "managedClusters": [ "2017-08-31", @@ -10667,7 +10779,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "managedClusters/agentPools": [ "2019-02-01", @@ -10773,7 +10887,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "managedClusters/maintenanceConfigurations": [ "2020-12-01", 
@@ -10911,7 +11027,8 @@ "2023-05-02-preview", "2023-06-02-preview", "2023-07-02-preview", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-02-preview" ], "openShiftManagedClusters": [ "2018-09-30-preview", @@ -10985,7 +11102,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ], "snapshots": [ "2021-08-01", @@ -11028,7 +11147,9 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview" ] }, "Microsoft.ContainerStorage": { @@ -12086,31 +12207,36 @@ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "locations/getNetworkPolicies": [ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "locations/operationstatuses": [ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "operations": [ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "workspaces": [ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "workspaces/dbWorkspaces": [ "2018-04-01" @@ -12124,7 +12250,8 @@ "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ] }, "Microsoft.DataCatalog": { @@ -12351,6 +12478,10 @@ "2017-09-01-preview", "2018-06-01" ], + "factories/privateEndpointConnectionProxies": [ + "2017-09-01-preview", + "2018-06-01" + ], "factories/privateEndpointConnections": [ "2018-06-01" ], @@ -13291,6 +13422,10 @@ "2023-06-01-preview", "2023-06-30" ], + "locations/capabilitySets": [ + "2023-06-01-preview", + "2023-06-30" + ], "locations/checkNameAvailability": [ "2021-05-01", "2021-05-01-preview", 
@@ -14593,22 +14728,27 @@ "Microsoft.DevHub": { "locations": [ "2022-04-01-preview", - "2022-10-11-preview" + "2022-10-11-preview", + "2023-08-01" ], "locations/generatePreviewArtifacts": [ - "2022-10-11-preview" + "2022-10-11-preview", + "2023-08-01" ], "locations/githuboauth": [ "2022-04-01-preview", - "2022-10-11-preview" + "2022-10-11-preview", + "2023-08-01" ], "operations": [ "2022-04-01-preview", - "2022-10-11-preview" + "2022-10-11-preview", + "2023-08-01" ], "workflows": [ "2022-04-01-preview", - "2022-10-11-preview" + "2022-10-11-preview", + "2023-08-01" ] }, "Microsoft.Devices": { @@ -17112,25 +17252,29 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "elasticVersions": [ "2023-02-01-preview", "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "getElasticOrganizationToAzureSubscriptionMapping": [ "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "getOrganizationApiKey": [ "2023-02-01-preview", "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "locations": [ "2020-07-01", @@ -17144,7 +17288,8 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "locations/operationStatuses": [ "2020-07-01", @@ -17158,7 +17303,8 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "monitors": [ "2020-07-01", @@ -17172,7 +17318,8 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "monitors/tagRules": [ "2020-07-01", 
@@ -17186,7 +17333,8 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ], "operations": [ "2020-07-01", @@ -17200,7 +17348,8 @@ "2023-05-01-preview", "2023-06-01", "2023-06-15-preview", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-10-01-preview" ] }, "Microsoft.ElasticSan": { @@ -19562,8 +19711,7 @@ ], "tenantActionGroups": [ "2023-03-01-preview", - "2023-05-01-preview", - "2023-08-01-preview" + "2023-05-01-preview" ], "topology": [ "2019-10-17-preview" @@ -19601,6 +19749,17 @@ "2020-11-20" ] }, + "Microsoft.IntegrationSpaces": { + "locations": [ + "2023-11-14-preview" + ], + "locations/OperationStatuses": [ + "2023-11-14-preview" + ], + "operations": [ + "2023-11-14-preview" + ] + }, "Microsoft.Intune": { "locations/androidPolicies": [ "2015-01-14-preview", @@ -19904,11 +20063,13 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "managedHSMs/keys": [ "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "managedHSMs/keys/versions": [ @@ -19924,7 +20085,8 @@ "2022-02-01-preview", "2022-07-01", "2022-11-01", - "2023-02-01" + "2023-02-01", + "2023-07-01" ], "operations": [ "2014-12-19-preview", @@ -19959,6 +20121,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults/accessPolicies": [ @@ -19976,6 +20139,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults/eventGridFilters": [ @@ -20004,6 +20168,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults/keys/versions": [ @@ -20030,7 +20195,8 @@ "2022-02-01-preview", "2022-07-01", "2022-11-01", - "2023-02-01" + "2023-02-01", + "2023-07-01" ], "vaults/secrets": [ "2015-06-01", @@ -20047,6 +20213,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ] }, 
@@ -23067,37 +23234,43 @@ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "mobileNetworks/dataNetworks": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "mobileNetworks/services": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "mobileNetworks/simPolicies": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "mobileNetworks/sites": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "mobileNetworks/slices": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "Operations": [ "2022-04-01-preview", @@ -23111,25 +23284,30 @@ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "packetCoreControlPlanes/diagnosticsPackages": [ - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "packetCoreControlPlanes/packetCaptures": [ - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "packetCoreControlPlanes/packetCoreDataPlanes": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks": [ "2022-03-01-preview", "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "packetCoreControlPlaneVersions": [ "2022-04-01-preview", @@ -23142,12 +23320,14 @@ "simGroups": [ "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "simGroups/sims": [ "2022-04-01-preview", "2022-11-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "sims": [ "2022-03-01-preview" 
@@ -23164,6 +23344,10 @@ ], "networkFunctions": [ "2023-05-15-preview" + ], + "Operations": [ + "2023-04-15-preview", + "2023-05-15-preview" ] }, "Microsoft.ModSimWorkbench": { @@ -29546,7 +29730,8 @@ "2022-11-15-preview" ], "Locations/OperationStatuses": [ - "2022-11-15-preview" + "2022-11-15-preview", + "2023-11-15" ], "Operations": [ "2022-11-15-preview" @@ -32139,13 +32324,17 @@ ] }, "Microsoft.ResourceGraph": { + "generateQuery": [ + "2023-09-01-preview" + ], "operations": [ "2018-09-01-preview", "2019-04-01", "2020-04-01-preview", "2021-03-01", "2021-06-01-preview", - "2022-10-01" + "2022-10-01", + "2023-09-01-preview" ], "queries": [ "2018-09-01-preview", @@ -32167,7 +32356,8 @@ "2020-04-01-preview", "2021-03-01", "2021-06-01-preview", - "2022-10-01" + "2022-10-01", + "2023-09-01-preview" ], "resourcesHistory": [ "2018-09-01-preview", @@ -33191,7 +33381,8 @@ "2020-08-01-preview", "2021-04-01-preview", "2021-06-06-Preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ], "searchServices/privateEndpointConnections": [ "2019-10-01-preview", @@ -33199,13 +33390,15 @@ "2020-08-01", "2020-08-01-preview", "2021-04-01-preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ], "searchServices/sharedPrivateLinkResources": [ "2020-08-01", "2020-08-01-preview", "2021-04-01-preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ] }, "Microsoft.Security": { @@ -33744,7 +33937,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "alertRules/actions": [ "2019-01-01-preview", @@ -33802,7 +33996,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "automationRules": [ "2019-01-01-preview", 
@@ -33829,14 +34024,16 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "billingStatistics": [ "2023-05-01-preview", "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "bookmarks": [ "2019-01-01-preview", @@ -33864,7 +34061,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "bookmarks/relations": [ "2019-01-01-preview", @@ -33913,7 +34111,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "contentPackages": [ "2022-11-01-preview", @@ -33925,7 +34124,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "contentProductPackages": [ "2023-04-01-preview", @@ -33933,7 +34133,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "contentProductTemplates": [ "2023-04-01-preview", @@ -33941,7 +34142,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "contentTemplates": [ "2022-11-01-preview", @@ -33953,7 +34155,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "dataConnectorDefinitions": [ "2022-09-01-preview", @@ -33967,7 +34170,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "dataConnectors": [ "2019-01-01-preview", 
@@ -33996,7 +34200,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "dataConnectorsCheckRequirements": [ "2019-01-01-preview", @@ -34019,7 +34224,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "dynamicSummaries": [ "2023-03-01-preview", @@ -34028,7 +34234,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "enrichment": [ "2019-01-01-preview", @@ -34051,7 +34258,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "entities": [ "2019-01-01-preview", @@ -34074,7 +34282,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "entityQueries": [ "2019-01-01-preview", @@ -34098,7 +34307,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "entityQueryTemplates": [ "2019-01-01-preview", @@ -34122,7 +34332,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "exportConnections": [ "2023-03-01-preview", @@ -34131,7 +34342,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "fileImports": [ "2022-08-01-preview", @@ -34146,7 +34358,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "hunts": [ "2023-04-01-preview", 
@@ -34154,7 +34367,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "hunts/comments": [ "2023-04-01-preview", @@ -34184,7 +34398,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "incidents": [ "2019-01-01-preview", @@ -34214,7 +34429,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "incidents/comments": [ "2019-01-01-preview", @@ -34307,7 +34523,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "metadata": [ "2021-03-01-preview", @@ -34331,7 +34548,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "MitreCoverageRecords": [ "2022-01-01-preview", @@ -34351,7 +34569,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "officeConsents": [ "2019-01-01-preview", @@ -34374,7 +34593,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "onboardingStates": [ "2021-03-01-preview", @@ -34401,7 +34621,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "operations": [ "2019-01-01-preview", @@ -34431,7 +34652,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "overview": [ "2022-09-01-preview", 
@@ -34445,7 +34667,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "recommendations": [ "2022-11-01-preview", @@ -34457,7 +34680,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "securityMLAnalyticsSettings": [ "2022-05-01-preview", @@ -34477,7 +34701,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "settings": [ "2019-01-01-preview", @@ -34501,7 +34726,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "sourcecontrols": [ "2021-03-01-preview", @@ -34524,7 +34750,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "threatIntelligence": [ "2019-01-01-preview", @@ -34552,7 +34779,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "threatIntelligence/indicators": [ "2019-01-01-preview", @@ -34590,7 +34818,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "watchlists": [ "2019-01-01-preview", @@ -34619,7 +34848,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "watchlists/watchlistItems": [ "2019-01-01-preview", @@ -34657,7 +34887,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "workspaceManagerConfigurations": [ "2023-03-01-preview", 
@@ -34666,7 +34897,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "workspaceManagerGroups": [ "2023-03-01-preview", @@ -34675,7 +34907,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "workspaceManagerMembers": [ "2023-03-01-preview", @@ -34684,7 +34917,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ] }, "Microsoft.SerialConsole": { @@ -41286,12 +41520,14 @@ "2019-10-01", "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/privateEndpointConnections": [ "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/registeredServers": [ "2017-06-05-preview", @@ -41304,7 +41540,8 @@ "2019-10-01", "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/syncGroups": [ "2017-06-05-preview", @@ -41317,7 +41554,8 @@ "2019-10-01", "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/syncGroups/cloudEndpoints": [ "2017-06-05-preview", @@ -41330,7 +41568,8 @@ "2019-10-01", "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/syncGroups/serverEndpoints": [ "2017-06-05-preview", @@ -41343,7 +41582,8 @@ "2019-10-01", "2020-03-01", "2020-09-01", - "2022-06-01" + "2022-06-01", + "2022-09-01" ], "storageSyncServices/workflows": [ "2018-04-02", 
@@ -44938,22 +45178,26 @@ "sapVirtualInstances": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "sapVirtualInstances/applicationInstances": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "sapVirtualInstances/centralInstances": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "sapVirtualInstances/databaseInstances": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ] }, "NewRelic.Observability": { @@ -45126,32 +45370,38 @@ "checkNameAvailability": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ], "fileSystems": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ], "locations": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ], "locations/operationStatuses": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ], "operations": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ], "registeredSubscriptions": [ "2022-06-27-preview", "2022-10-12", - "2022-10-12-preview" + "2022-10-12-preview", + "2023-08-29-preview" ] }, "SolarWinds.Observability": { From 948838bd768bbe1436ab3db262ec1b02d9a8939a Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Sun, 15 Oct 2023 16:41:44 +0200 Subject: [PATCH 027/178] Made metadata removal ready for UDT (#4090) --- .../staticValidation/helper/helper.psm1 | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/utilities/pipelines/staticValidation/helper/helper.psm1 b/utilities/pipelines/staticValidation/helper/helper.psm1 index 3c5e9a087f..1afedb79fb 100644 
--- a/utilities/pipelines/staticValidation/helper/helper.psm1 +++ b/utilities/pipelines/staticValidation/helper/helper.psm1 @@ -155,9 +155,22 @@ function Remove-JSONMetadata { [hashtable] $TemplateObject ) $TemplateObject.Remove('metadata') - for ($index = 0; $index -lt $TemplateObject.resources.Count; $index++) { - if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments') { - $TemplateObject.resources[$index] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$index].properties.template + + # Differantiate case: With user defined types (resources property is hashtable) vs without user defined types (resources property is array) + if ($TemplateObject.resources.GetType().BaseType.Name -eq 'Hashtable') { + # Case: Hashtable + $resourceIdentifiers = $TemplateObject.resources.Keys + for ($index = 0; $index -lt $resourceIdentifiers.Count; $index++) { + if ($TemplateObject.resources[$resourceIdentifiers[$index]].type -eq 'Microsoft.Resources/deployments') { + $TemplateObject.resources[$resourceIdentifiers[$index]] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template + } + } + } else { + # Case: Array + for ($index = 0; $index -lt $TemplateObject.resources.Count; $index++) { + if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments') { + $TemplateObject.resources[$index] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$index].properties.template + } } } From 9e97fec2b856f5913e9d855a2dfa5ebb2f9e27bd Mon Sep 17 00:00:00 2001 
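Review bot: The dispatch `$TemplateObject.resources.GetType().BaseType.Name -eq 'Hashtable'` in the new branch only matches types derived from Hashtable (such as the ordered hashtable newer PowerShell releases return from `ConvertFrom-Json -AsHashtable`), so a plain `[hashtable]` — whose base type is `Object`, which older PowerShell versions produce if I recall correctly — falls through to the array branch, where integer indexing of a dictionary yields `$null` and nested `Microsoft.Resources/deployments` templates silently keep their metadata. The call to `GetType()` also throws when a template has no `resources` property or it is `$null`, a case the replaced `.Count` loop tolerated. Writing the test as `if ($TemplateObject.resources -is [System.Collections.IDictionary]) {` covers both dictionary shapes, and a preceding `$null -ne $TemplateObject.resources` guard keeps the previous null-tolerance; both branches still replace the deployment resource with its inner template, which the old code did as well and which is worth a comment explaining why. The comment typo `Differantiate` should read `Differentiate`, and the parameter block and the function's return value lie outside the hunk.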
From: Alexander Sehr Date: Mon, 16 Oct 2023 18:47:03 +0200 Subject: [PATCH 028/178] [Modules] Updated banner & added `MOVED-TO-AVM.md` files (#4097) * Updated banner * Updated banner and added moved files * Updated link * Update README.md Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> * Added moved to SSH --------- Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- README.md | 5 +++++ modules/compute/ssh-public-key/MOVED-TO-AVM.md | 1 + modules/key-vault/vault/MOVED-TO-AVM.md | 1 + modules/kubernetes-configuration/extension/MOVED-TO-AVM.md | 1 + .../flux-configuration/MOVED-TO-AVM.md | 1 + modules/network/private-endpoint/MOVED-TO-AVM.md | 1 + modules/network/public-ip-address/MOVED-TO-AVM.md | 1 + 7 files changed, 11 insertions(+) create mode 100644 modules/compute/ssh-public-key/MOVED-TO-AVM.md create mode 100644 modules/key-vault/vault/MOVED-TO-AVM.md create mode 100644 modules/kubernetes-configuration/extension/MOVED-TO-AVM.md create mode 100644 modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md create mode 100644 modules/network/private-endpoint/MOVED-TO-AVM.md create mode 100644 modules/network/public-ip-address/MOVED-TO-AVM.md diff --git a/README.md b/README.md index da7b2a5b24..b23a99af1d 100644 --- a/README.md +++ b/README.md 
@@ -2,6 +2,8 @@ Following the recent release of [`0.11.0`](https://github.com/Azure/ResourceModules/releases/tag/v0.11.0), the upcoming period will focus on implementing the remaining changes required to align CARML's modules to the specifications of [Azure Verified Modules](https://aka.ms/avm) (currently in development). This will enable us to move & publish the modules of the CARML library to the official [Public Bicep Registry](https://github.com/Azure/bicep-registry-modules). You can read more about CARML's future in AVM [here](https://azure.github.io/Azure-Verified-Modules/faq/#what-is-happening-to-existing-initiatives-like-carml-and-tfvm). +> You can find details on the status of the migration in this [issue](https://github.com/Azure/ResourceModules/issues/4020). + Please note that these changes will affect many interfaces (e.g., the diagnostic settings). We intend to keep this period as short as possible, but are limited by our own available capacity. As we want to avoid one 'big bang' migration, we will incrementally align & move modules, and keep a copy in this repository until the move is concluded. For modules that were already published, we will redirect the proposed changes to the `AVM` folder of the new [repository](https://github.com/Azure/bicep-registry-modules). In its final state, this `AVM` folder will contain all modules you can currently find in the `modules` folder of this repository. Possible changes include (but are not limited to): 
@@ -10,6 +12,9 @@ Possible changes include (but are not limited to):
 - An update to individual folder names
 - The addition of several user defined types (requiring Bicep version `0.21.1`)
 
+Modules that are already migrated to AVM will contain a file `MOVED-TO-AVM.md` to indicate that further contributions to the module should be done in the Public Bicep Registry's [repository](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res).
+**Therefore, further contributions to those modules will not be integrated in the CARML repository.**
+
 Once the move concluded, the library & CI environment is planned to be maintained. However, several changes to the CARML CI environment will become necessary to ensure a low entry barrier when onboarding both (for example, as per the AVM specs we will need to be less restrictive in our tests).
 
 # ![AzureIcon] Common Azure Resource Modules Library
diff --git a/modules/compute/ssh-public-key/MOVED-TO-AVM.md b/modules/compute/ssh-public-key/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/compute/ssh-public-key/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/key-vault/vault/MOVED-TO-AVM.md b/modules/key-vault/vault/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/key-vault/vault/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md b/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/kubernetes-configuration/extension/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md b/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/kubernetes-configuration/flux-configuration/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/private-endpoint/MOVED-TO-AVM.md b/modules/network/private-endpoint/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/network/private-endpoint/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/network/public-ip-address/MOVED-TO-AVM.md b/modules/network/public-ip-address/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/network/public-ip-address/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
From 5b43f91a3dbfbb0968341545cc5e9bb9c04c45d4 Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Tue, 17 Oct 2023 13:33:33 +0200 Subject: [PATCH 029/178] [Utilities] Introduced `Set-Module` script (#4067) * Moved diverse scripts around and updated them to latest AVM * Moved further scripts * Small fix * Further fixes * Several improvements and fixes * Private registry specific updates * Updated docs * Updated path * Renamed function * Ran generation for KVLT to enable testing of pipeline * Updated & reduced tests where it made sense * Fixed pester tests * Moved cross-ref script back to tools * Moved local-ref script back to pipes * Fixed ref * Fixed ref * Fixed ref * Fixed ref * Push updated Readme file(s) * Rollback test changes * Updated test file overview markdown via script * Roll KVLT back post updates * Updated AAD considerations * Removed default headers * Update to latest * Enabled notes * Update to latest * Update to latest * Update to latest * Update to latest * Removed notes feature * ReadMe rollback (as handled in different PR) * Added latest improvements * Updated readme script to ONLY allow notes and delete all else * Added support for top-level diff * Updated logic that detects notes * Update to latest * Added should process * Added cross ref cache * Small fix * Fixed script refs * Another fix * Improve Cross ref runtime * Update to latest * Update docs/wiki/Contribution guide - Generate module readme.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> * Update docs/wiki/Contribution guide - Generate module readme.md Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> * Added docs * Adjusted usage examples header * Renamed header * Regenerated modules 1-60 (#4084) * Regenerated first 60 files * Small fixes * Fixed templates * Regen * Renamed header * Regenerated modules 61-120 (#4085) * Regen readmes 2 * Fixed script refs * Fixed templates * Regen * Renamed header * Regenerated modules 121-180 (#4086) * Regen readmes 3 * Fixed templates * Regen * Renamed header *
Regenerated modules 181-240 (#4087) * Regen readmes 4 * Fixed templates * Regen * Renamed header * Regenerated modules 300-366 (#4089) * Regen readmes 6 * Fixed templates * Small update * Regen * Renamed header * Regenerated modules 241-300 (#4088) * Regen readmes 5 * Fixed templates * Regen * Renamed header * Updated readme script * Updated usage example description * [Utilities] Enabled progress bar on module update & depth param (#4098) * Tested logic & added depth param * Added finally block * Enabled cancel * ReadMe fallback * Added docs * Added silent continue on finally for non-cancel * Update utilities/tools/Set-Module.ps1 Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --------- Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> * Cross ref fix * Update to latest * Added verbosity * Added verbosity * Update to latest * Adjusted syntax * Adjusted syntax * Adjusted verbosity * Added force * Cleanup --------- Co-authored-by: CARMLPipelinePrincipal Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- ...ribution guide - Generate module readme.md | 23 +- ...eroperability - Bicep to ARM conversion.md | 2 +- .../The CI environment - Static validation.md | 9 - docs/wiki/The library - Module design.md | 2 +- .../.test/common/main.test.bicep | 3 + modules/aad/domain-service/README.md | 352 ++++-- modules/aad/domain-service/main.json | 8 +- .../server/.test/common/main.test.bicep | 3 + .../server/.test/min/main.test.bicep | 3 + modules/analysis-services/server/README.md | 224 +++- modules/analysis-services/server/main.json | 8 +- .../service/.test/common/main.test.bicep | 3 + .../service/.test/min/main.test.bicep | 3 + modules/api-management/service/README.md | 473 ++++++-- .../service/api-version-set/README.md | 43 +- .../service/api-version-set/main.json | 4 +- modules/api-management/service/api/README.md | 229 +++- modules/api-management/service/api/main.json | 8 +- 
.../service/api/policy/README.md | 62 +- .../service/api/policy/main.json | 4 +- .../service/authorization-server/README.md | 170 ++- .../service/authorization-server/main.json | 4 +- .../api-management/service/backend/README.md | 119 +- .../api-management/service/backend/main.json | 4 +- .../api-management/service/cache/README.md | 73 +- .../api-management/service/cache/main.json | 4 +- .../service/identity-provider/README.md | 137 ++- .../service/identity-provider/main.json | 4 +- modules/api-management/service/main.json | 64 +- .../service/named-value/README.md | 83 +- .../service/named-value/main.json | 4 +- .../api-management/service/policy/README.md | 54 +- .../api-management/service/policy/main.json | 4 +- .../service/portalsetting/README.md | 47 +- .../service/portalsetting/main.json | 4 +- .../api-management/service/product/README.md | 111 +- .../service/product/api/README.md | 43 +- .../service/product/api/main.json | 4 +- .../service/product/group/README.md | 43 +- .../service/product/group/main.json | 4 +- .../api-management/service/product/main.json | 12 +- .../service/subscription/README.md | 93 +- .../service/subscription/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../configuration-store/README.md | 304 ++++- .../configuration-store/key-value/README.md | 65 +- .../configuration-store/key-value/main.json | 4 +- .../configuration-store/main.json | 24 +- .../.test/common/main.test.bicep | 3 + .../container-app/.test/min/main.test.bicep | 3 + modules/app/container-app/README.md | 370 +++++- modules/app/container-app/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/app/managed-environment/README.md | 271 ++++- modules/app/managed-environment/main.json | 8 +- .../lock/.test/common/main.test.bicep | 3 + modules/authorization/lock/README.md | 117 +- modules/authorization/lock/main.json | 12 +- .../lock/resource-group/README.md | 46 +- 
.../lock/resource-group/main.json | 4 +- .../authorization/lock/subscription/README.md | 46 +- .../authorization/lock/subscription/main.json | 4 +- .../authorization/policy-assignment/README.md | 265 ++++- .../authorization/policy-assignment/main.json | 16 +- .../management-group/README.md | 161 ++- .../management-group/main.json | 4 +- .../resource-group/README.md | 170 ++- .../resource-group/main.json | 4 +- .../policy-assignment/subscription/README.md | 161 ++- .../policy-assignment/subscription/main.json | 4 +- .../authorization/policy-definition/README.md | 180 ++- .../authorization/policy-definition/main.json | 12 +- .../management-group/README.md | 88 +- .../management-group/main.json | 4 +- .../policy-definition/subscription/README.md | 88 +- .../policy-definition/subscription/main.json | 4 +- .../authorization/policy-exemption/README.md | 227 +++- .../authorization/policy-exemption/main.json | 16 +- .../management-group/README.md | 116 +- .../management-group/main.json | 4 +- .../policy-exemption/resource-group/README.md | 107 +- .../policy-exemption/resource-group/main.json | 4 +- .../policy-exemption/subscription/README.md | 116 +- .../policy-exemption/subscription/main.json | 4 +- .../policy-set-definition/README.md | 177 ++- .../policy-set-definition/main.json | 12 +- .../management-group/README.md | 87 +- .../management-group/main.json | 4 +- .../subscription/README.md | 87 +- .../subscription/main.json | 4 +- .../authorization/role-assignment/README.md | 200 +++- .../authorization/role-assignment/main.json | 16 +- .../management-group/README.md | 98 +- .../management-group/main.json | 4 +- .../role-assignment/resource-group/README.md | 98 +- .../role-assignment/resource-group/main.json | 4 +- .../role-assignment/subscription/README.md | 98 +- .../role-assignment/subscription/main.json | 4 +- .../authorization/role-definition/README.md | 199 +++- .../authorization/role-definition/main.json | 16 +- .../management-group/README.md | 79 +- 
.../management-group/main.json | 4 +- .../role-definition/resource-group/README.md | 97 +- .../role-definition/resource-group/main.json | 4 +- .../role-definition/subscription/README.md | 97 +- .../role-definition/subscription/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../automation/automation-account/README.md | 385 ++++-- .../automation-account/job-schedule/README.md | 74 +- .../automation-account/job-schedule/main.json | 4 +- .../automation/automation-account/main.json | 52 +- .../automation-account/module/README.md | 70 +- .../automation-account/module/main.json | 4 +- .../automation-account/runbook/README.md | 122 +- .../automation-account/runbook/main.json | 4 +- .../automation-account/schedule/README.md | 112 +- .../automation-account/schedule/main.json | 4 +- .../software-update-configuration/README.md | 324 +++++- .../software-update-configuration/main.json | 4 +- .../automation-account/variable/README.md | 61 +- .../automation-account/variable/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../batch-account/.test/min/main.test.bicep | 3 + modules/batch/batch-account/README.md | 349 ++++-- modules/batch/batch-account/main.json | 16 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/cache/redis-enterprise/README.md | 263 ++++- .../cache/redis-enterprise/database/README.md | 131 ++- .../cache/redis-enterprise/database/main.json | 4 +- modules/cache/redis-enterprise/main.json | 24 +- .../cache/redis/.test/common/main.test.bicep | 3 + modules/cache/redis/.test/min/main.test.bicep | 3 + modules/cache/redis/README.md | 372 ++++-- modules/cache/redis/main.json | 20 +- .../cdn/profile/.test/common/main.test.bicep | 3 + modules/cdn/profile/README.md | 221 +++- modules/cdn/profile/afdEndpoint/README.md | 82 +- .../cdn/profile/afdEndpoint/route/README.md | 146 ++- modules/cdn/profile/customdomain/README.md | 102 +- modules/cdn/profile/endpoint/README.md | 61 +- 
modules/cdn/profile/endpoint/origin/README.md | 131 ++- modules/cdn/profile/origingroup/README.md | 78 +- .../cdn/profile/origingroup/origin/README.md | 122 +- modules/cdn/profile/ruleset/README.md | 44 +- modules/cdn/profile/ruleset/rule/README.md | 78 +- modules/cdn/profile/secret/README.md | 85 +- .../account/.test/common/main.test.bicep | 3 + .../account/.test/min/main.test.bicep | 3 + modules/cognitive-services/account/README.md | 409 +++++-- modules/cognitive-services/account/main.json | 20 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/compute/availability-set/README.md | 167 ++- modules/compute/availability-set/main.json | 8 +- .../.test/common/main.test.bicep | 3 + modules/compute/disk-encryption-set/README.md | 227 +++- modules/compute/disk-encryption-set/main.json | 20 +- .../compute/disk/.test/common/main.test.bicep | 3 + .../compute/disk/.test/min/main.test.bicep | 3 + modules/compute/disk/README.md | 351 ++++-- modules/compute/disk/main.json | 8 +- .../gallery/.test/common/main.test.bicep | 3 + .../compute/gallery/.test/min/main.test.bicep | 3 + modules/compute/gallery/README.md | 154 ++- modules/compute/gallery/application/README.md | 130 ++- modules/compute/gallery/application/main.json | 8 +- modules/compute/gallery/image/README.md | 270 ++++- modules/compute/gallery/image/main.json | 8 +- modules/compute/gallery/main.json | 24 +- .../image/.test/common/main.test.bicep | 3 + modules/compute/image/README.md | 236 +++- modules/compute/image/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../proximity-placement-group/README.md | 168 ++- .../proximity-placement-group/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../ssh-public-key/.test/min/main.test.bicep | 3 + modules/compute/ssh-public-key/README.md | 136 ++- modules/compute/ssh-public-key/main.json | 8 +- .../virtual-machine-scale-set/README.md | 782 +++++++++++-- .../extension/README.md | 111 +- 
.../extension/main.json | 4 +- .../virtual-machine-scale-set/main.json | 40 +- modules/compute/virtual-machine/README.md | 781 +++++++++++-- .../virtual-machine/extension/README.md | 129 ++- .../virtual-machine/extension/main.json | 4 +- modules/compute/virtual-machine/main.json | 68 +- .../budget/.test/common/main.test.bicep | 3 + .../budget/.test/min/main.test.bicep | 3 + modules/consumption/budget/README.md | 193 +++- modules/consumption/budget/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../container-group/.test/min/main.test.bicep | 3 + .../container-group/README.md | 328 ++++-- .../container-group/main.json | 4 +- .../registry/.test/common/main.test.bicep | 3 + .../registry/.test/min/main.test.bicep | 3 + modules/container-registry/registry/README.md | 482 ++++++-- .../registry/cache-rules/README.md | 60 +- .../registry/cache-rules/main.json | 4 +- modules/container-registry/registry/main.json | 32 +- .../registry/replication/README.md | 72 +- .../registry/replication/main.json | 4 +- .../registry/webhook/README.md | 99 +- .../registry/webhook/main.json | 4 +- .../managed-cluster/.test/min/main.test.bicep | 3 + .../managed-cluster/README.md | 1029 ++++++++++++++--- .../managed-cluster/agent-pool/README.md | 352 +++++- .../managed-cluster/agent-pool/main.json | 4 +- .../managed-cluster/main.json | 20 +- .../factory/.test/common/main.test.bicep | 3 + .../factory/.test/min/main.test.bicep | 3 + modules/data-factory/factory/README.md | 405 +++++-- .../factory/integration-runtime/README.md | 68 +- .../factory/integration-runtime/main.json | 4 +- modules/data-factory/factory/main.json | 32 +- .../factory/managed-virtual-network/README.md | 48 +- .../factory/managed-virtual-network/main.json | 8 +- .../managed-private-endpoint/README.md | 67 +- .../managed-private-endpoint/main.json | 4 +- .../backup-vault/.test/common/main.test.bicep | 3 + .../backup-vault/.test/min/main.test.bicep | 3 + .../data-protection/backup-vault/README.md | 194 +++- 
.../backup-vault/backup-policy/README.md | 43 +- .../backup-vault/backup-policy/main.json | 4 +- .../data-protection/backup-vault/main.json | 12 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/databricks/access-connector/README.md | 145 ++- modules/databricks/access-connector/main.json | 8 +- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + modules/databricks/workspace/README.md | 440 +++++-- modules/databricks/workspace/main.json | 20 +- .../flexible-server/.test/min/main.test.bicep | 3 + .../db-for-my-sql/flexible-server/README.md | 500 ++++++-- .../flexible-server/administrator/README.md | 69 +- .../flexible-server/administrator/main.json | 4 +- .../flexible-server/database/README.md | 62 +- .../flexible-server/database/main.json | 4 +- .../flexible-server/firewall-rule/README.md | 51 +- .../flexible-server/firewall-rule/main.json | 4 +- .../db-for-my-sql/flexible-server/main.json | 20 +- .../flexible-server/.test/min/main.test.bicep | 3 + .../flexible-server/README.md | 463 ++++++-- .../flexible-server/administrator/README.md | 72 +- .../flexible-server/administrator/main.json | 4 +- .../flexible-server/configuration/README.md | 62 +- .../flexible-server/configuration/main.json | 4 +- .../flexible-server/database/README.md | 62 +- .../flexible-server/database/main.json | 4 +- .../flexible-server/firewall-rule/README.md | 51 +- .../flexible-server/firewall-rule/main.json | 4 +- .../flexible-server/main.json | 28 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../application-group/README.md | 230 +++- .../application-group/application/README.md | 110 +- .../application-group/application/main.json | 4 +- .../application-group/main.json | 12 +- .../host-pool/.test/common/main.test.bicep | 3 + .../host-pool/.test/min/main.test.bicep | 3 + .../host-pool/README.md | 430 +++++-- .../scaling-plan/.test/common/main.test.bicep | 3 + 
.../scaling-plan/.test/min/main.test.bicep | 3 + .../scaling-plan/README.md | 227 +++- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + .../workspace/README.md | 213 +++- .../workspace/main.json | 8 +- .../lab/.test/common/main.test.bicep | 3 + .../lab/.test/min/main.test.bicep | 3 + modules/dev-test-lab/lab/README.md | 354 ++++-- .../dev-test-lab/lab/artifactsource/README.md | 119 +- .../dev-test-lab/lab/artifactsource/main.json | 4 +- modules/dev-test-lab/lab/cost/README.md | 195 +++- modules/dev-test-lab/lab/cost/main.json | 4 +- modules/dev-test-lab/lab/main.json | 32 +- .../lab/notificationchannel/README.md | 94 +- .../lab/notificationchannel/main.json | 4 +- .../lab/policyset/policy/README.md | 109 +- .../lab/policyset/policy/main.json | 4 +- modules/dev-test-lab/lab/schedule/README.md | 130 ++- modules/dev-test-lab/lab/schedule/main.json | 4 +- .../dev-test-lab/lab/virtualnetwork/README.md | 79 +- .../dev-test-lab/lab/virtualnetwork/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../digital-twins-instance/README.md | 266 ++++- .../endpoint--event-grid/README.md | 70 +- .../endpoint--event-hub/README.md | 118 +- .../endpoint--service-bus/README.md | 118 +- .../document-db/database-account/README.md | 396 +++++-- .../gremlin-database/README.md | 89 +- .../gremlin-database/graph/README.md | 70 +- .../gremlin-database/graph/main.json | 4 +- .../gremlin-database/main.json | 8 +- .../document-db/database-account/main.json | 44 +- .../mongodb-database/README.md | 62 +- .../mongodb-database/collection/README.md | 68 +- .../mongodb-database/collection/main.json | 4 +- .../mongodb-database/main.json | 8 +- .../database-account/sql-database/README.md | 71 +- .../sql-database/container/README.md | 134 ++- .../sql-database/container/main.json | 4 +- .../database-account/sql-database/main.json | 8 +- .../domain/.test/common/main.test.bicep | 3 + .../domain/.test/min/main.test.bicep 
| 3 + modules/event-grid/domain/README.md | 260 ++++- modules/event-grid/domain/main.json | 24 +- modules/event-grid/domain/topic/README.md | 44 +- modules/event-grid/domain/topic/main.json | 4 +- .../system-topic/.test/common/main.test.bicep | 3 + .../system-topic/.test/min/main.test.bicep | 3 + modules/event-grid/system-topic/README.md | 237 +++- .../system-topic/event-subscription/README.md | 123 +- .../system-topic/event-subscription/main.json | 4 +- modules/event-grid/system-topic/main.json | 12 +- .../topic/.test/common/main.test.bicep | 3 + .../topic/.test/min/main.test.bicep | 3 + modules/event-grid/topic/README.md | 242 +++- .../topic/event-subscription/README.md | 123 +- .../topic/event-subscription/main.json | 4 +- modules/event-grid/topic/main.json | 24 +- .../namespace/.test/common/main.test.bicep | 3 + .../namespace/.test/min/main.test.bicep | 3 + modules/event-hub/namespace/README.md | 414 +++++-- .../namespace/authorization-rule/README.md | 45 +- .../disaster-recovery-config/README.md | 44 +- .../event-hub/namespace/eventhub/README.md | 214 +++- .../eventhub/authorization-rule/README.md | 53 +- .../eventhub/consumergroup/README.md | 52 +- .../namespace/network-rule-set/README.md | 72 +- .../health-bot/.test/common/main.test.bicep | 3 + .../health-bot/.test/min/main.test.bicep | 3 + modules/health-bot/health-bot/README.md | 145 ++- modules/health-bot/health-bot/main.json | 8 +- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + modules/healthcare-apis/workspace/README.md | 261 ++--- .../workspace/dicomservice/README.md | 192 ++- .../workspace/dicomservice/main.json | 4 +- .../workspace/fhirservice/README.md | 330 +++++- .../workspace/fhirservice/main.json | 8 +- .../workspace/iotconnector/README.md | 191 ++- .../iotconnector/fhirdestination/README.md | 81 +- .../iotconnector/fhirdestination/main.json | 4 +- .../workspace/iotconnector/main.json | 8 +- modules/healthcare-apis/workspace/main.json | 28 +- 
.../action-group/.test/common/main.test.bicep | 3 + .../action-group/.test/min/main.test.bicep | 3 + modules/insights/action-group/README.md | 223 +++- .../.test/common/main.test.bicep | 3 + modules/insights/activity-log-alert/README.md | 153 ++- .../component/.test/common/main.test.bicep | 3 + .../component/.test/min/main.test.bicep | 3 + modules/insights/component/README.md | 252 +++- modules/insights/component/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../data-collection-endpoint/README.md | 147 ++- .../data-collection-endpoint/main.json | 8 +- .../.test/min/main.test.bicep | 3 + .../insights/data-collection-rule/README.md | 209 +++- .../insights/data-collection-rule/main.json | 8 +- .../.test/common/main.test.bicep | 3 + modules/insights/diagnostic-setting/README.md | 126 +- modules/insights/diagnostic-setting/main.json | 4 +- .../metric-alert/.test/common/main.test.bicep | 3 + modules/insights/metric-alert/README.md | 234 +++- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/insights/private-link-scope/README.md | 155 ++- modules/insights/private-link-scope/main.json | 24 +- .../scoped-resource/README.md | 43 +- .../scoped-resource/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../insights/scheduled-query-rule/README.md | 239 +++- .../insights/scheduled-query-rule/main.json | 8 +- .../webtest/.test/common/main.test.bicep | 3 + .../webtest/.test/min/main.test.bicep | 3 + modules/insights/webtest/README.md | 233 +++- modules/insights/webtest/main.json | 8 +- .../vault/.test/common/main.test.bicep | 3 + .../key-vault/vault/.test/min/main.test.bicep | 3 + modules/key-vault/vault/README.md | 353 ++++-- .../key-vault/vault/access-policy/README.md | 34 +- .../key-vault/vault/access-policy/main.json | 4 +- modules/key-vault/vault/key/README.md | 128 +- modules/key-vault/vault/key/main.json | 8 +- modules/key-vault/vault/main.json | 40 +- 
modules/key-vault/vault/secret/README.md | 97 +- modules/key-vault/vault/secret/main.json | 8 +- .../extension/.test/common/main.test.bicep | 3 + .../extension/.test/min/main.test.bicep | 3 + .../extension/README.md | 184 ++- .../extension/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../flux-configuration/README.md | 175 ++- .../flux-configuration/main.json | 4 +- .../workflow/.test/common/main.test.bicep | 3 + modules/logic/workflow/README.md | 343 +++++- modules/logic/workflow/main.json | 8 +- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + .../workspace/README.md | 416 +++++-- .../workspace/compute/README.md | 146 ++- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../maintenance-configuration/README.md | 183 ++- .../maintenance-configuration/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../user-assigned-identity/README.md | 135 ++- .../federated-identity-credential/README.md | 59 +- .../federated-identity-credential/main.json | 4 +- .../user-assigned-identity/main.json | 12 +- .../.test/common/main.test.bicep | 3 + .../registration-definition/README.md | 132 ++- .../registration-definition/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/management/management-group/README.md | 116 +- modules/management/management-group/main.json | 4 +- .../net-app-account/.test/min/main.test.bicep | 3 + modules/net-app/net-app-account/README.md | 205 +++- .../net-app-account/capacity-pool/README.md | 118 +- .../net-app-account/capacity-pool/main.json | 16 +- .../capacity-pool/volume/README.md | 114 +- .../capacity-pool/volume/main.json | 8 +- modules/net-app/net-app-account/main.json | 24 +- .../.test/common/main.test.bicep | 3 + .../README.md | 127 +- .../main.json | 4 +- .../.test/common/main.test.bicep | 3 + modules/network/application-gateway/README.md | 
548 +++++++-- modules/network/application-gateway/main.json | 20 +- .../.test/common/main.test.bicep | 3 + .../application-security-group/README.md | 119 +- .../application-security-group/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../azure-firewall/.test/min/main.test.bicep | 3 + modules/network/azure-firewall/README.md | 395 +++++-- modules/network/azure-firewall/main.json | 24 +- .../bastion-host/.test/common/main.test.bicep | 3 + .../bastion-host/.test/min/main.test.bicep | 3 + modules/network/bastion-host/README.md | 296 ++++- modules/network/bastion-host/main.json | 16 +- modules/network/connection/README.md | 269 ++++- modules/network/connection/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/ddos-protection-plan/README.md | 131 ++- .../network/ddos-protection-plan/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/dns-forwarding-ruleset/README.md | 153 ++- .../forwarding-rule/README.md | 146 ++- .../forwarding-rule/main.json | 4 +- .../network/dns-forwarding-ruleset/main.json | 16 +- .../virtual-network-link/README.md | 53 +- .../virtual-network-link/main.json | 4 +- .../dns-resolver/.test/common/main.test.bicep | 3 + modules/network/dns-resolver/README.md | 145 ++- modules/network/dns-resolver/main.json | 8 +- .../dns-zone/.test/common/main.test.bicep | 3 + .../dns-zone/.test/min/main.test.bicep | 3 + modules/network/dns-zone/README.md | 221 +++- modules/network/dns-zone/a/README.md | 80 +- modules/network/dns-zone/a/main.json | 8 +- modules/network/dns-zone/aaaa/README.md | 80 +- modules/network/dns-zone/aaaa/main.json | 8 +- modules/network/dns-zone/caa/README.md | 71 +- modules/network/dns-zone/caa/main.json | 8 +- modules/network/dns-zone/cname/README.md | 80 +- modules/network/dns-zone/cname/main.json | 8 +- modules/network/dns-zone/main.json | 88 +- modules/network/dns-zone/mx/README.md | 71 +- 
modules/network/dns-zone/mx/main.json | 8 +- modules/network/dns-zone/ns/README.md | 71 +- modules/network/dns-zone/ns/main.json | 8 +- modules/network/dns-zone/ptr/README.md | 71 +- modules/network/dns-zone/ptr/main.json | 8 +- modules/network/dns-zone/soa/README.md | 71 +- modules/network/dns-zone/soa/main.json | 8 +- modules/network/dns-zone/srv/README.md | 71 +- modules/network/dns-zone/srv/main.json | 8 +- modules/network/dns-zone/txt/README.md | 71 +- modules/network/dns-zone/txt/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/express-route-circuit/README.md | 342 +++++- .../network/express-route-circuit/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/express-route-gateway/README.md | 171 ++- .../network/express-route-gateway/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../firewall-policy/.test/min/main.test.bicep | 3 + modules/network/firewall-policy/README.md | 301 ++++- modules/network/firewall-policy/main.json | 8 +- .../rule-collection-group/README.md | 52 +- .../rule-collection-group/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../README.md | 164 ++- .../main.json | 8 +- .../front-door/.test/common/main.test.bicep | 3 + .../front-door/.test/min/main.test.bicep | 3 + modules/network/front-door/README.md | 257 +++- modules/network/front-door/main.json | 8 +- .../ip-group/.test/common/main.test.bicep | 3 + .../ip-group/.test/min/main.test.bicep | 3 + modules/network/ip-group/README.md | 140 ++- modules/network/ip-group/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../load-balancer/.test/min/main.test.bicep | 3 + modules/network/load-balancer/README.md | 255 +++- .../backend-address-pool/README.md | 72 +- .../backend-address-pool/main.json | 4 +- .../load-balancer/inbound-nat-rule/README.md | 124 +- .../load-balancer/inbound-nat-rule/main.json | 4 +- 
modules/network/load-balancer/main.json | 16 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/local-network-gateway/README.md | 183 ++- .../network/local-network-gateway/main.json | 8 +- .../nat-gateway/.test/common/main.test.bicep | 3 + modules/network/nat-gateway/README.md | 268 ++++- modules/network/nat-gateway/main.json | 16 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/network/network-interface/README.md | 255 +++- modules/network/network-interface/main.json | 8 +- .../.test/common/main.test.bicep | 3 + modules/network/network-manager/README.md | 189 ++- .../connectivity-configuration/README.md | 93 +- .../network-manager/network-group/README.md | 53 +- .../network-group/static-member/README.md | 51 +- .../scope-connection/README.md | 60 +- .../security-admin-configuration/README.md | 65 +- .../rule-collection/README.md | 68 +- .../rule-collection/rule/README.md | 133 ++- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/network-security-group/README.md | 200 +++- .../network/network-security-group/main.json | 12 +- .../security-rule/README.md | 172 ++- .../security-rule/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../network-watcher/.test/min/main.test.bicep | 3 + modules/network/network-watcher/README.md | 140 ++- .../connection-monitor/README.md | 88 +- .../connection-monitor/main.json | 4 +- .../network-watcher/flow-log/README.md | 120 +- .../network-watcher/flow-log/main.json | 4 +- modules/network/network-watcher/main.json | 16 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/network/private-dns-zone/README.md | 212 +++- modules/network/private-dns-zone/a/README.md | 71 +- modules/network/private-dns-zone/a/main.json | 8 +- .../network/private-dns-zone/aaaa/README.md | 71 +- .../network/private-dns-zone/aaaa/main.json | 8 +- .../network/private-dns-zone/cname/README.md | 71 +- 
.../network/private-dns-zone/cname/main.json | 8 +- modules/network/private-dns-zone/main.json | 76 +- modules/network/private-dns-zone/mx/README.md | 71 +- modules/network/private-dns-zone/mx/main.json | 8 +- .../network/private-dns-zone/ptr/README.md | 71 +- .../network/private-dns-zone/ptr/main.json | 8 +- .../network/private-dns-zone/soa/README.md | 71 +- .../network/private-dns-zone/soa/main.json | 8 +- .../network/private-dns-zone/srv/README.md | 71 +- .../network/private-dns-zone/srv/main.json | 8 +- .../network/private-dns-zone/txt/README.md | 71 +- .../network/private-dns-zone/txt/main.json | 8 +- .../virtual-network-link/README.md | 71 +- .../virtual-network-link/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/network/private-endpoint/README.md | 209 +++- modules/network/private-endpoint/main.json | 12 +- .../private-dns-zone-group/README.md | 44 +- .../private-dns-zone-group/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/private-link-service/README.md | 193 +++- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/network/public-ip-address/README.md | 293 ++++- modules/network/public-ip-address/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/network/public-ip-prefix/README.md | 148 ++- modules/network/public-ip-prefix/main.json | 8 +- .../route-table/.test/common/main.test.bicep | 3 + .../route-table/.test/min/main.test.bicep | 3 + modules/network/route-table/README.md | 149 ++- modules/network/route-table/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/service-endpoint-policy/README.md | 154 ++- .../network/service-endpoint-policy/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + .../network/trafficmanagerprofile/README.md | 258 ++++- 
.../network/trafficmanagerprofile/main.json | 8 +- .../virtual-hub/.test/common/main.test.bicep | 3 + .../virtual-hub/.test/min/main.test.bicep | 3 + modules/network/virtual-hub/README.md | 262 ++++- .../virtual-hub/hub-route-table/README.md | 53 +- .../virtual-hub/hub-route-table/main.json | 4 +- .../hub-virtual-network-connection/README.md | 61 +- .../hub-virtual-network-connection/main.json | 4 +- modules/network/virtual-hub/main.json | 12 +- .../network/virtual-network-gateway/README.md | 454 ++++++-- .../network/virtual-network-gateway/main.json | 20 +- .../nat-rule/README.md | 82 +- .../nat-rule/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../virtual-network/.test/min/main.test.bicep | 3 + modules/network/virtual-network/README.md | 278 ++++- modules/network/virtual-network/main.json | 24 +- .../network/virtual-network/subnet/README.md | 153 ++- .../network/virtual-network/subnet/main.json | 8 +- .../virtual-network-peering/README.md | 93 +- .../virtual-network-peering/main.json | 4 +- .../virtual-wan/.test/common/main.test.bicep | 3 + .../virtual-wan/.test/min/main.test.bicep | 3 + modules/network/virtual-wan/README.md | 168 ++- modules/network/virtual-wan/main.json | 8 +- .../vpn-gateway/.test/common/main.test.bicep | 3 + .../vpn-gateway/.test/min/main.test.bicep | 3 + modules/network/vpn-gateway/README.md | 179 ++- modules/network/vpn-gateway/main.json | 12 +- .../network/vpn-gateway/nat-rule/README.md | 82 +- .../network/vpn-gateway/nat-rule/main.json | 4 +- .../vpn-gateway/vpn-connection/README.md | 162 ++- .../vpn-gateway/vpn-connection/main.json | 4 +- .../vpn-site/.test/common/main.test.bicep | 3 + .../vpn-site/.test/min/main.test.bicep | 3 + modules/network/vpn-site/README.md | 207 +++- modules/network/vpn-site/main.json | 8 +- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + .../operational-insights/workspace/README.md | 392 +++++-- .../workspace/data-export/README.md | 62 +- 
.../workspace/data-export/main.json | 4 +- .../workspace/data-source/README.md | 155 ++- .../workspace/data-source/main.json | 4 +- .../workspace/linked-service/README.md | 64 +- .../workspace/linked-service/main.json | 4 +- .../linked-storage-account/README.md | 46 +- .../linked-storage-account/main.json | 4 +- .../operational-insights/workspace/main.json | 40 +- .../workspace/saved-search/README.md | 104 +- .../workspace/saved-search/main.json | 4 +- .../storage-insight-config/README.md | 71 +- .../storage-insight-config/main.json | 4 +- .../workspace/table/README.md | 90 +- .../workspace/table/main.json | 4 +- .../solution/.test/min/main.test.bicep | 3 + .../operations-management/solution/README.md | 127 +- .../operations-management/solution/main.json | 4 +- modules/policy-insights/remediation/README.md | 204 +++- modules/policy-insights/remediation/main.json | 16 +- .../remediation/management-group/README.md | 97 +- .../remediation/management-group/main.json | 4 +- .../remediation/resource-group/README.md | 97 +- .../remediation/resource-group/main.json | 4 +- .../remediation/subscription/README.md | 97 +- .../remediation/subscription/main.json | 4 +- .../capacity/.test/common/main.test.bicep | 3 + .../capacity/.test/min/main.test.bicep | 3 + modules/power-bi-dedicated/capacity/README.md | 173 ++- modules/power-bi-dedicated/capacity/main.json | 8 +- .../account/.test/common/main.test.bicep | 3 + .../purview/account/.test/min/main.test.bicep | 3 + modules/purview/account/README.md | 283 ++++- modules/purview/account/main.json | 68 +- .../vault/.test/common/main.test.bicep | 3 + .../vault/.test/min/main.test.bicep | 3 + modules/recovery-services/vault/README.md | 325 +++++- .../vault/backup-config/README.md | 102 +- .../vault/backup-config/main.json | 4 +- .../protection-container/README.md | 95 +- .../protection-container/main.json | 8 +- .../protected-item/README.md | 83 +- .../protected-item/main.json | 4 +- .../vault/backup-policy/README.md | 47 +- 
.../vault/backup-policy/main.json | 4 +- .../vault/backup-storage-config/README.md | 57 +- .../vault/backup-storage-config/main.json | 4 +- modules/recovery-services/vault/main.json | 60 +- .../vault/replication-alert-setting/README.md | 62 +- .../vault/replication-alert-setting/main.json | 4 +- .../vault/replication-fabric/README.md | 56 +- .../vault/replication-fabric/main.json | 12 +- .../README.md | 52 +- .../main.json | 8 +- .../README.md | 95 +- .../main.json | 4 +- .../vault/replication-policy/README.md | 72 +- .../vault/replication-policy/main.json | 4 +- .../namespace/.test/common/main.test.bicep | 3 + .../relay/namespace/.test/min/main.test.bicep | 3 + modules/relay/namespace/README.md | 264 ++++- .../namespace/authorization-rule/README.md | 45 +- .../namespace/authorization-rule/main.json | 4 +- .../namespace/hybrid-connection/README.md | 84 +- .../authorization-rule/README.md | 53 +- .../authorization-rule/main.json | 4 +- .../namespace/hybrid-connection/main.json | 12 +- modules/relay/namespace/main.json | 52 +- .../namespace/network-rule-set/README.md | 54 +- .../namespace/network-rule-set/main.json | 4 +- modules/relay/namespace/wcf-relay/README.md | 105 +- .../wcf-relay/authorization-rule/README.md | 53 +- .../wcf-relay/authorization-rule/main.json | 4 +- modules/relay/namespace/wcf-relay/main.json | 12 +- .../query/.test/common/main.test.bicep | 3 + .../query/.test/min/main.test.bicep | 3 + modules/resource-graph/query/README.md | 148 ++- modules/resource-graph/query/main.json | 8 +- modules/resources/deployment-script/README.md | 278 ++++- modules/resources/deployment-script/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../resource-group/.test/min/main.test.bicep | 3 + modules/resources/resource-group/README.md | 146 ++- modules/resources/resource-group/main.json | 12 +- .../resources/tags/.test/min/main.test.bicep | 3 + modules/resources/tags/README.md | 117 +- modules/resources/tags/main.json | 20 +- 
.../resources/tags/resource-group/README.md | 33 +- .../resources/tags/resource-group/main.json | 8 +- modules/resources/tags/subscription/README.md | 42 +- modules/resources/tags/subscription/main.json | 8 +- .../.test/common/main.test.bicep | 3 + .../search-service/.test/min/main.test.bicep | 3 + modules/search/search-service/README.md | 317 ++++- modules/search/search-service/main.json | 24 +- .../shared-private-link-resource/README.md | 68 +- .../shared-private-link-resource/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../security/azure-security-center/README.md | 266 ++++- .../security/azure-security-center/main.json | 8 +- .../namespace/.test/common/main.test.bicep | 3 + .../namespace/.test/min/main.test.bicep | 3 + modules/service-bus/namespace/README.md | 428 +++++-- .../namespace/authorization-rule/README.md | 45 +- .../disaster-recovery-config/README.md | 52 +- .../migration-configuration/README.md | 43 +- .../namespace/network-rule-set/README.md | 72 +- modules/service-bus/namespace/queue/README.md | 212 +++- .../queue/authorization-rule/README.md | 53 +- modules/service-bus/namespace/topic/README.md | 163 ++- .../topic/authorization-rule/README.md | 53 +- .../cluster/.test/common/main.test.bicep | 3 + .../cluster/.test/min/main.test.bicep | 3 + modules/service-fabric/cluster/README.md | 392 +++++-- .../cluster/application-type/README.md | 43 +- .../cluster/application-type/main.json | 4 +- modules/service-fabric/cluster/main.json | 12 +- .../signal-r/.test/common/main.test.bicep | 3 + .../signal-r/.test/min/main.test.bicep | 3 + modules/signal-r-service/signal-r/README.md | 266 ++++- modules/signal-r-service/signal-r/main.json | 20 +- .../web-pub-sub/.test/common/main.test.bicep | 3 + .../web-pub-sub/.test/min/main.test.bicep | 3 + .../signal-r-service/web-pub-sub/README.md | 250 +++- .../signal-r-service/web-pub-sub/main.json | 20 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + 
modules/sql/managed-instance/README.md | 494 ++++++-- .../managed-instance/administrator/README.md | 52 +- .../managed-instance/administrator/main.json | 4 +- .../sql/managed-instance/database/README.md | 233 +++- .../README.md | 79 +- .../main.json | 4 +- .../README.md | 52 +- .../main.json | 4 +- .../sql/managed-instance/database/main.json | 12 +- .../encryption-protector/README.md | 54 +- .../encryption-protector/main.json | 4 +- modules/sql/managed-instance/key/README.md | 54 +- modules/sql/managed-instance/key/main.json | 4 +- modules/sql/managed-instance/main.json | 44 +- .../security-alert-policy/README.md | 54 +- .../security-alert-policy/main.json | 4 +- .../vulnerability-assessment/README.md | 88 +- .../vulnerability-assessment/main.json | 8 +- .../sql/server/.test/common/main.test.bicep | 3 + modules/sql/server/README.md | 322 ++++-- modules/sql/server/database/README.md | 350 +++++- .../README.md | 69 +- .../main.json | 4 +- .../README.md | 51 +- .../main.json | 4 +- modules/sql/server/database/main.json | 12 +- modules/sql/server/elastic-pool/README.md | 153 ++- modules/sql/server/elastic-pool/main.json | 4 +- .../sql/server/encryption-protector/README.md | 54 +- .../sql/server/encryption-protector/main.json | 4 +- modules/sql/server/firewall-rule/README.md | 53 +- modules/sql/server/firewall-rule/main.json | 4 +- modules/sql/server/key/README.md | 54 +- modules/sql/server/key/main.json | 4 +- modules/sql/server/main.json | 60 +- .../server/security-alert-policy/README.md | 99 +- .../server/security-alert-policy/main.json | 4 +- .../sql/server/virtual-network-rule/README.md | 52 +- .../sql/server/virtual-network-rule/main.json | 4 +- .../server/vulnerability-assessment/README.md | 69 +- .../server/vulnerability-assessment/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../storage-account/.test/min/main.test.bicep | 3 + modules/storage/storage-account/README.md | 554 +++++++-- .../storage-account/blob-service/README.md | 234 +++- 
.../blob-service/container/README.md | 126 +- .../container/immutability-policy/README.md | 60 +- .../container/immutability-policy/main.json | 4 +- .../blob-service/container/main.json | 12 +- .../storage-account/blob-service/main.json | 16 +- .../storage-account/file-service/README.md | 126 +- .../storage-account/file-service/main.json | 12 +- .../file-service/share/README.md | 94 +- .../file-service/share/main.json | 8 +- .../storage-account/local-user/README.md | 86 +- .../storage-account/local-user/main.json | 4 +- modules/storage/storage-account/main.json | 76 +- .../management-policy/README.md | 35 +- .../management-policy/main.json | 4 +- .../storage-account/queue-service/README.md | 99 +- .../storage-account/queue-service/main.json | 12 +- .../queue-service/queue/README.md | 53 +- .../queue-service/queue/main.json | 8 +- .../storage-account/table-service/README.md | 99 +- .../storage-account/table-service/main.json | 8 +- .../table-service/table/README.md | 35 +- .../table-service/table/main.json | 4 +- .../.test/common/main.test.bicep | 3 + .../.test/min/main.test.bicep | 3 + modules/synapse/private-link-hub/README.md | 144 ++- modules/synapse/private-link-hub/main.json | 20 +- .../workspace/.test/common/main.test.bicep | 3 + .../workspace/.test/min/main.test.bicep | 3 + modules/synapse/workspace/README.md | 433 +++++-- .../workspace/integration-runtime/README.md | 55 +- .../workspace/integration-runtime/main.json | 4 +- modules/synapse/workspace/key/README.md | 61 +- modules/synapse/workspace/key/main.json | 4 +- modules/synapse/workspace/main.json | 32 +- .../.test/common/main.test.bicep | 3 + .../image-template/.test/min/main.test.bicep | 3 + .../image-template/README.md | 304 ++++- .../image-template/main.json | 8 +- .../connection/.test/common/main.test.bicep | 3 + modules/web/connection/README.md | 185 ++- modules/web/connection/main.json | 8 +- modules/web/hosting-environment/README.md | 386 +++++-- .../configuration--customdnssuffix/README.md | 51 
+- .../configuration--customdnssuffix/main.json | 4 +- .../configuration--networking/README.md | 61 +- .../configuration--networking/main.json | 4 +- modules/web/hosting-environment/main.json | 16 +- .../serverfarm/.test/common/main.test.bicep | 3 + modules/web/serverfarm/README.md | 256 +++- modules/web/serverfarm/main.json | 8 +- modules/web/site/README.md | 547 +++++++-- .../README.md | 47 +- .../main.json | 4 +- .../web/site/config--appsettings/README.md | 74 +- .../web/site/config--appsettings/main.json | 4 +- .../web/site/config--authsettingsv2/README.md | 46 +- .../web/site/config--authsettingsv2/main.json | 4 +- .../relay/README.md | 53 +- .../relay/main.json | 4 +- modules/web/site/main.json | 68 +- modules/web/site/slot/README.md | 445 ++++++- .../site/slot/config--appsettings/README.md | 82 +- .../site/slot/config--appsettings/main.json | 4 +- .../slot/config--authsettingsv2/README.md | 54 +- .../slot/config--authsettingsv2/main.json | 4 +- .../relay/README.md | 61 +- .../relay/main.json | 4 +- modules/web/site/slot/main.json | 32 +- .../static-site/.test/common/main.test.bicep | 3 + .../web/static-site/.test/min/main.test.bicep | 3 + modules/web/static-site/README.md | 295 ++++- modules/web/static-site/config/README.md | 55 +- modules/web/static-site/config/main.json | 4 +- .../web/static-site/custom-domain/README.md | 53 +- .../web/static-site/linked-backend/README.md | 62 +- .../web/static-site/linked-backend/main.json | 4 +- .../Get-PrivateRegistryRepositoryName.ps1 | 2 +- .../resourcePublish/Get-TemplateSpecsName.ps1 | 2 +- .../Get-UniversalArtifactsName.ps1 | 2 +- .../Get-LocallyReferencedFileList.ps1 | 14 +- .../sharedScripts}/Set-ModuleReadMe.ps1 | 543 ++++++--- .../helper/ConvertTo-OrderedHashtable.ps1 | 0 .../helper/Get-SpecsAlignedResourceName.ps1 | 2 +- .../helper/Merge-FileWithNewContent.ps1 | 14 +- .../staticValidation/helper/helper.psm1 | 2 +- .../staticValidation/module.tests.ps1 | 293 +---- .../tools/Get-CrossReferencedModuleList.ps1 | 
44 +- utilities/tools/Get-ModulesFeatureOutline.ps1 | 2 +- utilities/tools/Set-Module.ps1 | 168 +++ .../helper/Get-ModulesAsMarkdownTable.ps1 | 5 +- .../tools/helper/Get-PipelineFileName.ps1 | 3 +- .../platform/Set-ModuleOverviewTable.ps1 | 6 +- .../tools/platform/Set-ReadMeModuleTable.ps1 | 6 +- .../platform/Set-ReadMePlatformTable.ps1 | 5 +- .../platform/Set-StaticTestDocumentation.ps1 | 4 +- 920 files changed, 50052 insertions(+), 13465 deletions(-) rename utilities/{tools => pipelines/sharedScripts}/Set-ModuleReadMe.ps1 (78%) rename utilities/{tools => pipelines/sharedScripts}/helper/ConvertTo-OrderedHashtable.ps1 (100%) rename utilities/{tools => pipelines/sharedScripts}/helper/Get-SpecsAlignedResourceName.ps1 (97%) rename utilities/{tools => pipelines/sharedScripts}/helper/Merge-FileWithNewContent.ps1 (94%) create mode 100644 utilities/tools/Set-Module.ps1
diff --git a/docs/wiki/Contribution guide - Generate module readme.md b/docs/wiki/Contribution guide - Generate module readme.md
index 0a03ffc600..346dea5fc5 100644
--- a/docs/wiki/Contribution guide - Generate module readme.md
+++ b/docs/wiki/Contribution guide - Generate module readme.md
@@ -1,6 +1,13 @@
 As per the module design structure, every module in the CARML library requires a ReadMe markdown file documenting the set of deployable resource types, input and output parameters and a set of relevant template references from the official Azure Resource Reference documentation.
-The ReadMe generator utility aims to simplify contributing to the CARML library, as it supports creating the module ReadMe markdown file from scratch or updating it.
+The `Set-Module` utility aims to simplify contributing to the AVM library, as it supports
+- idempotently generating the AVM folder structure for a module (including any child resource)
+- generating the module's ReadMe file from scratch or updating it
+- compiling/building the module template
+
+To ease maintenance, you can run the utility with a `Recurse` flag from the root of your folder to update all files automatically.
+
+> **Note:** If you want to add any non-generated content to the Readme you can do so by adding it to a `## Notes` section at the bottom of the corresponding readme.
 ---
@@ -13,14 +20,18 @@ The ReadMe generator utility aims to simplify contributing to the CARML library,
 ---
 # Location
-You can find the script under [`/utilities/tools/Set-ModuleReadMe.ps1`](https://github.com/Azure/ResourceModules/blob/main/utilities/tools/Set-ModuleReadMe.ps1)
+You can find the script under [`/utilities/tools/Set-Module.ps1`](https://github.com/Azure/ResourceModules/blob/main/utilities/tools/Set-Module.ps1)
 # How it works
-1. Using the provided template path, the script first converts it to ARM/JSON if necessary (i.e., if a path to a Bicep file was provided)
-1. If the intended readMe file does not yet exist in the expected path, it is generated with a skeleton (with e.g., a generated header name)
-1. The script then goes through all sections defined as `SectionsToRefresh` (by default all) and refreshes the sections' content (for example, for the `Parameters`) based on the values in the ARM/JSON Template. It detects sections by their header and always regenerates the full section.
-1. Once all are refreshed, the current ReadMe file is overwritten. **Note:** The script can be invoked combining the `WhatIf` and `Verbose` switches to just receive an console-output of the updated content.
+Using the provided template path, the script
+1. validates the module's folder structure
+ - To do so, it searches for any required folder path / file missing and adds them. For several files, it will also provide some default content to get you started. The sources files for this action can be found [here](https://github.com/Azure/ResourceModules/tree/main/utilities/tools/helper/src)
+1. compiles its bicep template
+1. updates the readme (recursively, specified)
+ 1. If the intended ReadMe file does not yet exist in the expected path, it is generated with a skeleton (with e.g., a generated header name)
+ 1. The script then goes through all sections defined as `SectionsToRefresh` (by default all) and refreshes the sections' content (for example, for the `Parameters`) based on the values in the ARM/JSON Template. It detects sections by their header and always regenerates the full section.
+ 1. Once all sections are refreshed, the current ReadMe file is overwritten. **Note:** The script can be invoked combining the `WhatIf` and `Verbose` switches to just receive an console-output of the updated content.
 # How to use it
diff --git a/docs/wiki/Interoperability - Bicep to ARM conversion.md b/docs/wiki/Interoperability - Bicep to ARM conversion.md
index e19fd5116b..6c8690b8ee 100644
--- a/docs/wiki/Interoperability - Bicep to ARM conversion.md
+++ b/docs/wiki/Interoperability - Bicep to ARM conversion.md
@@ -5,7 +5,7 @@ However, for users who still prefer using ARM templates over Bicep, the CARML li
 This page documents the conversion utility and how to use it.
-> **NOTE:** As Bicep & ARM template files work slightly different (e.g., references as specified differently), the ReadMe we generate out of them using the [`/utilities/tools/Set-ModuleReadMe.ps1`](https://github.com/Azure/ResourceModules/blob/main/utilities/tools/Set-ModuleReadMe.ps1) utility may look differently. To this end, make sure to regenerate all ReadMEs after you converted the repository from Bicep to ARM. If you don't, the Pester tests in the pipeline may fail when reviewing the ReadMEs.
+> **NOTE:** As Bicep & ARM template files work slightly different (e.g., references as specified differently), the ReadMe we generate out of them using the [`/utilities/tools/Set-Module.ps1`](https://github.com/Azure/ResourceModules/blob/main/utilities/tools/Set-Module.ps1) utility may look differently. To this end, make sure to regenerate all ReadMEs after you converted the repository from Bicep to ARM. If you don't, the Pester tests in the pipeline may fail when reviewing the ReadMEs.
 ---
diff --git a/docs/wiki/The CI environment - Static validation.md b/docs/wiki/The CI environment - Static validation.md
index 6a89edeb5d..483660f8c2 100644
--- a/docs/wiki/The CI environment - Static validation.md
+++ b/docs/wiki/The CI environment - Static validation.md
@@ -35,15 +35,6 @@ The following activities are performed by the [`utilities/pipelines/staticValida
 - **Module tests**
 - **Readme content tests**
 1. `README.md` file should not be empty.
- 1. `README.md` file should contain these sections in order: Navigation, Resource Types, Parameters, Outputs, Cross-referenced modules, Deployment examples.
- 1. Resources section should contain all resources from the template file.
- 1. Resources section should not contain more resources than the template file.
- 1. Parameters section should contain a table for each existing parameter category in the following order: Required, Conditional, Optional, Generated.
- 1. Parameter tables should provide columns in the following order: Parameter Name, Type, Default Value, Allowed Values, Description. Each column should be present unless empty for all the rows.
- 1. Parameters section should contain all parameters from the template file.
- 1. Outputs section should contain a table with these column names in order: Output Name, Type.
- 1. Output section should contain all outputs defined in the template file.
- 1. Dependencies section should contain all cross-references defined in the template file.
 1. `Set-ModuleReadMe` script should not apply any updates.
 - **Compiled ARM template tests**
 1. Compiled ARM template should be latest.
diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md
index 9cbb357cc0..09691d5115 100644
--- a/docs/wiki/The library - Module design.md
+++ b/docs/wiki/The library - Module design.md
@@ -88,7 +88,7 @@ Microsoft.Sql
 └─ databases [child-module/resource]
 ```
-In this folder, we recommend to place the child resource-template alongside a ReadMe (that can be generated via the [Set-ModuleReadMe](./Contribution%20guide%20-%20Generate%20module%20Readme) script) and optionally further nest additional folders for it's child resources.
+In this folder, we recommend to place the child resource-template alongside a ReadMe (that can be generated via the [Set-Module](./Contribution%20guide%20-%20Generate%20module%20Readme) script) and optionally further nest additional folders for it's child resources.
 The parent template should reference all it's direct child-templates to allow for an end-to-end deployment experience while allowing any user to also reference 'just' the child resource itself. In case of the SQL server example, the server template would reference the database module and encapsulate it in a loop to allow for the deployment of multiple databases. For example
diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/.test/common/main.test.bicep
index 45310e5723..6df70643ed 100644
--- a/modules/aad/domain-service/.test/common/main.test.bicep
+++ b/modules/aad/domain-service/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md
index fca50dcd19..89ea3e1a49 100644
--- a/modules/aad/domain-service/README.md
+++ b/modules/aad/domain-service/README.md
@@ -4,14 +4,14 @@ This module deploys an Azure Active Directory Domain Services (AADDS).
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -20,81 +20,27 @@ This module deploys an Azure Active Directory Domain Services (AADDS). | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `domainName` | string | The domain name specific to the Azure ADDS service. | - -**Conditional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `pfxCertificate` | securestring | `''` | The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. | -| `pfxCertificatePassword` | securestring | `''` | The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `additionalRecipients` | array | `[]` | | The email recipient value to receive alerts. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', AccountLogon, AccountManagement, allLogs, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `domainConfigurationType` | string | `'FullySynced'` | `[FullySynced, ResourceTrusting]` | The value is to provide domain configuration type. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `externalAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable the Secure LDAP for external services of Azure ADDS Services. | -| `filteredSync` | string | `'Enabled'` | | The value is to synchronize scoped users and groups. | -| `kerberosArmoring` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable to provide a protected channel between the Kerberos client and the KDC. | -| `kerberosRc4Encryption` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable Kerberos requests that use RC4 encryption. | -| `ldaps` | string | `'Enabled'` | `[Disabled, Enabled]` | A flag to determine whether or not Secure LDAP is enabled or disabled. | -| `location` | string | `[resourceGroup().location]` | | The location to deploy the Azure ADDS Services. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `name` | string | `[parameters('domainName')]` | | The name of the AADDS resource. 
Defaults to the domain name specific to the Azure ADDS service. | -| `notifyDcAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the DC Admins. | -| `notifyGlobalAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the Global Admins. | -| `ntlmV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using NTLM v1. | -| `replicaSets` | array | `[]` | | Additional replica set for the managed domain. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Standard'` | `[Enterprise, Premium, Standard]` | The name of the SKU specific to Azure ADDS Services. | -| `syncNtlmPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable synchronized users to use NTLM authentication. | -| `syncOnPremPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable on-premises users to authenticate against managed domain. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `tlsV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using TLSv1. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The domain name of the Azure Active Directory Domain Services(Azure ADDS). | -| `resourceGroupName` | string | The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in. 
| -| `resourceId` | string | The resource ID of the Azure Active Directory Domain Services(Azure ADDS). | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/aad.domain-service:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module domainService './aad/domain-service/main.bicep' = { +module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-aaddscom' params: { // Required parameters @@ -203,6 +149,282 @@ module domainService './aad/domain-service/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`domainName`](#parameter-domainname) | string | The domain name specific to the Azure ADDS service. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`pfxCertificate`](#parameter-pfxcertificate) | securestring | The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. | +| [`pfxCertificatePassword`](#parameter-pfxcertificatepassword) | securestring | The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`additionalRecipients`](#parameter-additionalrecipients) | array | The email recipient value to receive alerts. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`domainConfigurationType`](#parameter-domainconfigurationtype) | string | The value is to provide domain configuration type. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`externalAccess`](#parameter-externalaccess) | string | The value is to enable the Secure LDAP for external services of Azure ADDS Services. | +| [`filteredSync`](#parameter-filteredsync) | string | The value is to synchronize scoped users and groups. | +| [`kerberosArmoring`](#parameter-kerberosarmoring) | string | The value is to enable to provide a protected channel between the Kerberos client and the KDC. | +| [`kerberosRc4Encryption`](#parameter-kerberosrc4encryption) | string | The value is to enable Kerberos requests that use RC4 encryption. | +| [`ldaps`](#parameter-ldaps) | string | A flag to determine whether or not Secure LDAP is enabled or disabled. | +| [`location`](#parameter-location) | string | The location to deploy the Azure ADDS Services. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`name`](#parameter-name) | string | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. | +| [`notifyDcAdmins`](#parameter-notifydcadmins) | string | The value is to notify the DC Admins. | +| [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. | +| [`ntlmV1`](#parameter-ntlmv1) | string | The value is to enable clients making request using NTLM v1. | +| [`replicaSets`](#parameter-replicasets) | array | Additional replica set for the managed domain. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | The name of the SKU specific to Azure ADDS Services. | +| [`syncNtlmPasswords`](#parameter-syncntlmpasswords) | string | The value is to enable synchronized users to use NTLM authentication. | +| [`syncOnPremPasswords`](#parameter-synconprempasswords) | string | The value is to enable on-premises users to authenticate against managed domain. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`tlsV1`](#parameter-tlsv1) | string | The value is to enable clients making request using TLSv1. | + +### Parameter: `additionalRecipients` + +The email recipient value to receive alerts. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', AccountLogon, AccountManagement, allLogs, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainConfigurationType` + +The value is to provide domain configuration type. +- Required: No +- Type: string +- Default: `'FullySynced'` +- Allowed: `[FullySynced, ResourceTrusting]` + +### Parameter: `domainName` + +The domain name specific to the Azure ADDS service. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `externalAccess` + +The value is to enable the Secure LDAP for external services of Azure ADDS Services. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `filteredSync` + +The value is to synchronize scoped users and groups. +- Required: No +- Type: string +- Default: `'Enabled'` + +### Parameter: `kerberosArmoring` + +The value is to enable to provide a protected channel between the Kerberos client and the KDC. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `kerberosRc4Encryption` + +The value is to enable Kerberos requests that use RC4 encryption. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `ldaps` + +A flag to determine whether or not Secure LDAP is enabled or disabled. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `location` + +The location to deploy the Azure ADDS Services. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. +- Required: No +- Type: string +- Default: `[parameters('domainName')]` + +### Parameter: `notifyDcAdmins` + +The value is to notify the DC Admins. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `notifyGlobalAdmins` + +The value is to notify the Global Admins. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `ntlmV1` + +The value is to enable clients making request using NTLM v1. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `pfxCertificate` + +The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `pfxCertificatePassword` + +The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `replicaSets` + +Additional replica set for the managed domain. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The name of the SKU specific to Azure ADDS Services. 
+- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Enterprise, Premium, Standard]` + +### Parameter: `syncNtlmPasswords` + +The value is to enable synchronized users to use NTLM authentication. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `syncOnPremPasswords` + +The value is to enable on-premises users to authenticate against managed domain. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tlsV1` + +The value is to enable clients making request using TLSv1. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The domain name of the Azure Active Directory Domain Services(Azure ADDS). | +| `resourceGroupName` | string | The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in. | +| `resourceId` | string | The resource ID of the Azure Active Directory Domain Services(Azure ADDS). | + +## Cross-referenced modules + +_None_ + ## Notes ### Network Security Group (NSG) requirements for AADDS diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index 3070f9df0a..0f206dd1ce 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5043907679276521852" + "version": "0.22.6.54827", + "templateHash": "10694057578652449276" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", 
@@ -410,8 +410,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4015790044658504688" + "version": "0.22.6.54827", + "templateHash": "4984019978971427023" } }, "parameters": { diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 0dcc74191b..527c3c1c71 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/analysis-services/server/.test/min/main.test.bicep b/modules/analysis-services/server/.test/min/main.test.bicep index 3c210ec288..e89ac48c07 100644 --- a/modules/analysis-services/server/.test/min/main.test.bicep +++ b/modules/analysis-services/server/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 02f71b089c..bd06d1cc84 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -5,10 +5,10 @@ This module deploys an Analysis Services Server. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -19,63 +19,29 @@ This module deploys an Analysis Services Server. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Azure Analysis Services server to create. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/analysis-services.server:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Engine, Service]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
| -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `firewallSettings` | object | `{object}` | | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuCapacity` | int | `1` | | The total number of query replica scale-out instances. | -| `skuName` | string | `'S0'` | | The SKU name of the Azure Analysis Services server to create. | -| `tags` | object | `{object}` | | Tags of the resource. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Max](#example-2-max) +- [Using only defaults](#example-3-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the analysis service. 
| -| `resourceGroupName` | string | The resource group the analysis service was deployed into. | -| `resourceId` | string | The resource ID of the analysis service. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module server './analysis-services/server/main.bicep' = { +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-asscom' params: { // Required parameters @@ -169,14 +135,14 @@ module server './analysis-services/server/main.bicep' = {

-

Example 2: Max

+### Example 2: _Max_
via Bicep module ```bicep -module server './analysis-services/server/main.bicep' = { +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { name: '${uniqueString(deployment().name)}-test-assmax' params: { // Required parameters @@ -302,14 +268,17 @@ module server './analysis-services/server/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module server './analysis-services/server/main.bicep' = { +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-assmin' params: { // Required parameters @@ -346,3 +315,160 @@ module server './analysis-services/server/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Azure Analysis Services server to create. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuCapacity`](#parameter-skucapacity) | int | The total number of query replica scale-out instances. | +| [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Engine, Service]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. 
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `firewallSettings`
+
+The inbound firewall rules to define on the server. If not specified, firewall is disabled.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+The name of the Azure Analysis Services server to create.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `skuCapacity`
+
+The total number of query replica scale-out instances.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `skuName`
+
+The SKU name of the Azure Analysis Services server to create.
+- Required: No
+- Type: string
+- Default: `'S0'`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the analysis service. |
+| `resourceGroupName` | string | The resource group the analysis service was deployed into. |
+| `resourceId` | string | The resource ID of the analysis service. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
index c54bb4c44b..9855c786cd 100644
--- a/modules/analysis-services/server/main.json
+++ b/modules/analysis-services/server/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.21.1.54444",
-"templateHash": "1234109873215342159"
+"version": "0.22.6.54827",
+"templateHash": "5443858044342002150"
 },
 "name": "Analysis Services Servers",
 "description": "This module deploys an Analysis Services Server.",
@@ -268,8 +268,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.21.1.54444",
-"templateHash": "5938154849701330874"
+"version": "0.22.6.54827",
+"templateHash": "7231657665941581698"
 }
 },
 "parameters": {
diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep
index 7431d43d99..d00d8943f8 100644
--- a/modules/api-management/service/.test/common/main.test.bicep
+++ b/modules/api-management/service/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/api-management/service/.test/min/main.test.bicep b/modules/api-management/service/.test/min/main.test.bicep
index b45bd98469..f4e9fd87a5 100644
--- a/modules/api-management/service/.test/min/main.test.bicep
+++ b/modules/api-management/service/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md
index d9d56c5b77..9d2bea3e8d 100644
--- a/modules/api-management/service/README.md
+++ b/modules/api-management/service/README.md
@@ -4,14 +4,14 @@ This module deploys an API Management Service.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -34,91 +34,29 @@ This module deploys an API Management Service. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the API Management service. | -| `publisherEmail` | string | The email address of the owner of the service. | -| `publisherName` | string | The name of the owner of the service. | - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `additionalLocations` | array | `[]` | | Additional datacenter locations of the API Management service. | -| `apis` | array | `[]` | | APIs. | -| `apiVersionSets` | array | `[]` | | API Version Sets. | -| `authorizationServers` | secureObject | `{object}` | | Authorization servers. | -| `backends` | array | `[]` | | Backends. | -| `caches` | array | `[]` | | Caches. | -| `certificates` | array | `[]` | | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. | -| `customProperties` | object | `{object}` | | Custom properties of the API Management service. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, GatewayLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableGateway` | bool | `False` | | Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. | -| `enableClientCertificate` | bool | `False` | | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hostnameConfigurations` | array | `[]` | | Custom hostname configuration of the API Management service. | -| `identityProviders` | array | `[]` | | Identity providers. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `minApiVersion` | string | `''` | | Limit control plane API calls to API Management service with version equal to or newer than this value. | -| `namedValues` | array | `[]` | | Named values. | -| `newGuidValue` | string | `[newGuid()]` | | Necessary to create a new GUID. 
| -| `notificationSenderEmail` | string | `'apimgmt-noreply@mail.windowsazure.com'` | | The notification sender email address for the service. | -| `policies` | array | `[]` | | Policies. | -| `portalsettings` | array | `[]` | | Portal settings. | -| `products` | array | `[]` | | Products. | -| `restore` | bool | `False` | | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Developer'` | `[Basic, Consumption, Developer, Premium, Standard]` | The pricing tier of this API Management service. | -| `skuCount` | int | `1` | `[1, 2]` | The instance size of this API Management service. | -| `subnetResourceId` | string | `''` | | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | -| `subscriptions` | array | `[]` | | Subscriptions. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `virtualNetworkType` | string | `'None'` | `[External, Internal, None]` | The type of VPN in which API Management service needs to be configured in. 
None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. | -| `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the API management service. | -| `resourceGroupName` | string | The resource group the API management service was deployed into. | -| `resourceId` | string | The resource ID of the API management service. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/api-management.service:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Max](#example-2-max) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
+This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module service './api-management/service/main.bicep' = { +module service 'br:bicep/modules/api-management.service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-apiscom' params: { // Required parameters @@ -252,14 +190,14 @@ module service './api-management/service/main.bicep' = {

-

Example 2: Max

+### Example 2: _Max_
via Bicep module ```bicep -module service './api-management/service/main.bicep' = { +module service 'br:bicep/modules/api-management.service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-apismax' params: { // Required parameters @@ -601,14 +539,17 @@ module service './api-management/service/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module service './api-management/service/main.bicep' = { +module service 'br:bicep/modules/api-management.service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-apismin' params: { // Required parameters @@ -655,6 +596,380 @@ module service './api-management/service/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the API Management service. | +| [`publisherEmail`](#parameter-publisheremail) | string | The email address of the owner of the service. | +| [`publisherName`](#parameter-publishername) | string | The name of the owner of the service. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`additionalLocations`](#parameter-additionallocations) | array | Additional datacenter locations of the API Management service. | +| [`apis`](#parameter-apis) | array | APIs. | +| [`apiVersionSets`](#parameter-apiversionsets) | array | API Version Sets. | +| [`authorizationServers`](#parameter-authorizationservers) | secureObject | Authorization servers. | +| [`backends`](#parameter-backends) | array | Backends. | +| [`caches`](#parameter-caches) | array | Caches. | +| [`certificates`](#parameter-certificates) | array | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. | +| [`customProperties`](#parameter-customproperties) | object | Custom properties of the API Management service. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableGateway`](#parameter-disablegateway) | bool | Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. | +| [`enableClientCertificate`](#parameter-enableclientcertificate) | bool | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hostnameConfigurations`](#parameter-hostnameconfigurations) | array | Custom hostname configuration of the API Management service. | +| [`identityProviders`](#parameter-identityproviders) | array | Identity providers. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. | +| [`namedValues`](#parameter-namedvalues) | array | Named values. | +| [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. 
| +| [`notificationSenderEmail`](#parameter-notificationsenderemail) | string | The notification sender email address for the service. | +| [`policies`](#parameter-policies) | array | Policies. | +| [`portalsettings`](#parameter-portalsettings) | array | Portal settings. | +| [`products`](#parameter-products) | array | Products. | +| [`restore`](#parameter-restore) | bool | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | The pricing tier of this API Management service. | +| [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. | +| [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | +| [`subscriptions`](#parameter-subscriptions) | array | Subscriptions. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`virtualNetworkType`](#parameter-virtualnetworktype) | string | The type of VPN in which API Management service needs to be configured in. 
None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. | +| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | + +### Parameter: `additionalLocations` + +Additional datacenter locations of the API Management service. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `apis` + +APIs. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `apiVersionSets` + +API Version Sets. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `authorizationServers` + +Authorization servers. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `backends` + +Backends. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `caches` + +Caches. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `certificates` + +List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `customProperties` + +Custom properties of the API Management service. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, GatewayLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableGateway` + +Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableClientCertificate` + +Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hostnameConfigurations` + +Custom hostname configuration of the API Management service. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `identityProviders` + +Identity providers. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `minApiVersion` + +Limit control plane API calls to API Management service with version equal to or newer than this value. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the API Management service. +- Required: Yes +- Type: string + +### Parameter: `namedValues` + +Named values. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `newGuidValue` + +Necessary to create a new GUID. +- Required: No +- Type: string +- Default: `[newGuid()]` + +### Parameter: `notificationSenderEmail` + +The notification sender email address for the service. +- Required: No +- Type: string +- Default: `'apimgmt-noreply@mail.windowsazure.com'` + +### Parameter: `policies` + +Policies. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `portalsettings` + +Portal settings. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `products` + +Products. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publisherEmail` + +The email address of the owner of the service. +- Required: Yes +- Type: string + +### Parameter: `publisherName` + +The name of the owner of the service. +- Required: Yes +- Type: string + +### Parameter: `restore` + +Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The pricing tier of this API Management service. +- Required: No +- Type: string +- Default: `'Developer'` +- Allowed: `[Basic, Consumption, Developer, Premium, Standard]` + +### Parameter: `skuCount` + +The instance size of this API Management service. +- Required: No +- Type: int +- Default: `1` +- Allowed: `[1, 2]` + +### Parameter: `subnetResourceId` + +The full resource ID of a subnet in a virtual network to deploy the API Management service in. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptions` + +Subscriptions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkType` + +The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[External, Internal, None]` + +### Parameter: `zones` + +A list of availability zones denoting where the resource needs to come from. 
+- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the API management service. | +| `resourceGroupName` | string | The resource group the API management service was deployed into. | +| `resourceId` | string | The resource ID of the API management service. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `apiManagementServicePolicy` diff --git a/modules/api-management/service/api-version-set/README.md b/modules/api-management/service/api-version-set/README.md index 675ca80d79..3be54ecd44 100644 --- a/modules/api-management/service/api-version-set/README.md +++ b/modules/api-management/service/api-version-set/README.md 
@@ -19,22 +19,49 @@ This module deploys an API Management Service API Version Set. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'default'` | API Version set name. | -| `properties` | object | `{object}` | API Version set properties. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | API Version set name. | +| [`properties`](#parameter-properties) | object | API Version set properties. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +API Version set name. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `properties` + +API Version set properties. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API Version set. 
| | `resourceGroupName` | string | The resource group the API Version set was deployed into. | diff --git a/modules/api-management/service/api-version-set/main.json b/modules/api-management/service/api-version-set/main.json index f09d56ff92..1f27892ce2 100644 --- a/modules/api-management/service/api-version-set/main.json +++ b/modules/api-management/service/api-version-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9352626903654043411" + "version": "0.22.6.54827", + "templateHash": "12233980723609740158" }, "name": "API Management Service API Version Sets", "description": "This module deploys an API Management Service API Version Set.", diff --git a/modules/api-management/service/api/README.md b/modules/api-management/service/api/README.md index 2390fc6a17..a9cd300c66 100644 --- a/modules/api-management/service/api/README.md +++ b/modules/api-management/service/api/README.md @@ -4,12 +4,12 @@ This module deploys an API Management Service API. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,47 +20,214 @@ This module deploys an API Management Service API. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `displayName` | string | API name. Must be 1 to 300 characters long. | -| `name` | string | API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. | -| `path` | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. | +| [`displayName`](#parameter-displayname) | string | API name. Must be 1 to 300 characters long. | +| [`name`](#parameter-name) | string | API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. | +| [`path`](#parameter-path) | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `apiDescription` | string | `''` | | Description of the API. 
May include HTML formatting tags. | -| `apiRevision` | string | `''` | | Describes the Revision of the API. If no value is provided, default revision 1 is created. | -| `apiRevisionDescription` | string | `''` | | Description of the API Revision. | -| `apiType` | string | `'http'` | `[graphql, http, soap, websocket]` | Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API. | -| `apiVersion` | string | `''` | | Indicates the Version identifier of the API if the API is versioned. | -| `apiVersionDescription` | string | `''` | | Description of the API Version. | -| `apiVersionSetId` | string | `''` | | Indicates the Version identifier of the API version set. | -| `authenticationSettings` | object | `{object}` | | Collection of authentication settings included into this API. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `format` | string | `'openapi'` | `[openapi, openapi-link, openapi+json, openapi+json-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link]` | Format of the Content in which the API is getting imported. | -| `isCurrent` | bool | `True` | | Indicates if API revision is current API revision. | -| `policies` | array | `[]` | | Array of Policies to apply to the Service API. | -| `protocols` | array | `[https]` | | Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. | -| `serviceUrl` | string | `''` | | Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. | -| `sourceApiId` | string | `''` | | API identifier of the source API. | -| `subscriptionKeyParameterNames` | object | `{object}` | | Protocols over which API is made available. | -| `subscriptionRequired` | bool | `False` | | Specifies whether an API or Product subscription is required for accessing the API. 
| -| `type` | string | `'http'` | `[graphql, http, soap, websocket]` | Type of API. | -| `value` | string | `''` | | Content value when Importing an API. | -| `wsdlSelector` | object | `{object}` | | Criteria to limit import of WSDL to a subset of the document. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`apiDescription`](#parameter-apidescription) | string | Description of the API. May include HTML formatting tags. | +| [`apiRevision`](#parameter-apirevision) | string | Describes the Revision of the API. If no value is provided, default revision 1 is created. | +| [`apiRevisionDescription`](#parameter-apirevisiondescription) | string | Description of the API Revision. | +| [`apiType`](#parameter-apitype) | string | Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API. | +| [`apiVersion`](#parameter-apiversion) | string | Indicates the Version identifier of the API if the API is versioned. | +| [`apiVersionDescription`](#parameter-apiversiondescription) | string | Description of the API Version. | +| [`apiVersionSetId`](#parameter-apiversionsetid) | string | Indicates the Version identifier of the API version set. | +| [`authenticationSettings`](#parameter-authenticationsettings) | object | Collection of authentication settings included into this API. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`format`](#parameter-format) | string | Format of the Content in which the API is getting imported. | +| [`isCurrent`](#parameter-iscurrent) | bool | Indicates if API revision is current API revision. | +| [`policies`](#parameter-policies) | array | Array of Policies to apply to the Service API. | +| [`protocols`](#parameter-protocols) | array | Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. 
| +| [`serviceUrl`](#parameter-serviceurl) | string | Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. | +| [`sourceApiId`](#parameter-sourceapiid) | string | API identifier of the source API. | +| [`subscriptionKeyParameterNames`](#parameter-subscriptionkeyparameternames) | object | Protocols over which API is made available. | +| [`subscriptionRequired`](#parameter-subscriptionrequired) | bool | Specifies whether an API or Product subscription is required for accessing the API. | +| [`type`](#parameter-type) | string | Type of API. | +| [`value`](#parameter-value) | string | Content value when Importing an API. | +| [`wsdlSelector`](#parameter-wsdlselector) | object | Criteria to limit import of WSDL to a subset of the document. | + +### Parameter: `apiDescription` + +Description of the API. May include HTML formatting tags. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `apiRevision` + +Describes the Revision of the API. If no value is provided, default revision 1 is created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `apiRevisionDescription` + +Description of the API Revision. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `apiType` + +Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API. +- Required: No +- Type: string +- Default: `'http'` +- Allowed: `[graphql, http, soap, websocket]` + +### Parameter: `apiVersion` + +Indicates the Version identifier of the API if the API is versioned. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `apiVersionDescription` + +Description of the API Version. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `apiVersionSetId` + +Indicates the Version identifier of the API version set. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `authenticationSettings` + +Collection of authentication settings included into this API. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `displayName` + +API name. Must be 1 to 300 characters long. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `format` + +Format of the Content in which the API is getting imported. +- Required: No +- Type: string +- Default: `'openapi'` +- Allowed: `[openapi, openapi-link, openapi+json, openapi+json-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link]` + +### Parameter: `isCurrent` + +Indicates if API revision is current API revision. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. +- Required: Yes +- Type: string + +### Parameter: `path` + +Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. +- Required: Yes +- Type: string + +### Parameter: `policies` + +Array of Policies to apply to the Service API. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `protocols` + +Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. +- Required: No +- Type: array +- Default: `[https]` + +### Parameter: `serviceUrl` + +Absolute URL of the backend service implementing this API. 
Cannot be more than 2000 characters long. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceApiId` + +API identifier of the source API. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptionKeyParameterNames` + +Protocols over which API is made available. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `subscriptionRequired` + +Specifies whether an API or Product subscription is required for accessing the API. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `type` + +Type of API. +- Required: No +- Type: string +- Default: `'http'` +- Allowed: `[graphql, http, soap, websocket]` + +### Parameter: `value` + +Content value when Importing an API. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `wsdlSelector` + +Criteria to limit import of WSDL to a subset of the document. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service API. | | `resourceGroupName` | string | The resource group the API management service API was deployed to. | diff --git a/modules/api-management/service/api/main.json b/modules/api-management/service/api/main.json index 08c998bf80..f150d2bcb8 100644 --- a/modules/api-management/service/api/main.json +++ b/modules/api-management/service/api/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9074052005199170712" + "version": "0.22.6.54827", + "templateHash": "17340528539230351720" }, "name": "API Management Service APIs", "description": "This module deploys an API Management Service API.", 
@@ -284,8 +284,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "5031714372762112092"
+ "version": "0.22.6.54827",
+ "templateHash": "14571499926134179860"
 },
 "name": "API Management Service APIs Policies",
 "description": "This module deploys an API Management Service API Policy.",
diff --git a/modules/api-management/service/api/policy/README.md b/modules/api-management/service/api/policy/README.md
index 3696e336ba..969678d876 100644
--- a/modules/api-management/service/api/policy/README.md
+++ b/modules/api-management/service/api/policy/README.md
@@ -19,29 +19,69 @@ This module deploys an API Management Service API Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `value` | string | Contents of the Policy as defined by the format. | +| [`value`](#parameter-value) | string | Contents of the Policy as defined by the format. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| `apiName` | string | The name of the parent API. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiName`](#parameter-apiname) | string | The name of the parent API. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. | -| `name` | string | `'policy'` | | The name of the policy. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`format`](#parameter-format) | string | Format of the policyContent. | +| [`name`](#parameter-name) | string | The name of the policy. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `apiName` + +The name of the parent API. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `format` + +Format of the policyContent. +- Required: No +- Type: string +- Default: `'xml'` +- Allowed: `[rawxml, rawxml-link, xml, xml-link]` + +### Parameter: `name` + +The name of the policy. +- Required: No +- Type: string +- Default: `'policy'` + +### Parameter: `value` + +Contents of the Policy as defined by the format. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API policy. | | `resourceGroupName` | string | The resource group the API policy was deployed into. | diff --git a/modules/api-management/service/api/policy/main.json b/modules/api-management/service/api/policy/main.json index 76457b0c2f..02322fa340 100644 --- a/modules/api-management/service/api/policy/main.json +++ b/modules/api-management/service/api/policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5031714372762112092" + "version": "0.22.6.54827", + "templateHash": "14571499926134179860" }, "name": "API Management Service APIs Policies", "description": "This module deploys an API Management Service API Policy.", diff --git a/modules/api-management/service/authorization-server/README.md b/modules/api-management/service/authorization-server/README.md index a875ea1259..f10abac911 100644 --- a/modules/api-management/service/authorization-server/README.md +++ b/modules/api-management/service/authorization-server/README.md 
@@ -4,12 +4,12 @@ This module deploys an API Management Service Authorization Server. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,41 +19,161 @@ This module deploys an API Management Service Authorization Server. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `authorizationEndpoint` | string | OAuth authorization endpoint. See . | -| `clientId` | securestring | Client or app ID registered with this authorization server. | -| `clientSecret` | securestring | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | -| `grantTypes` | array | Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. | -| `name` | string | Identifier of the authorization server. | +| [`authorizationEndpoint`](#parameter-authorizationendpoint) | string | OAuth authorization endpoint. See . | +| [`clientId`](#parameter-clientid) | securestring | Client or app ID registered with this authorization server. | +| [`clientSecret`](#parameter-clientsecret) | securestring | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | +| [`grantTypes`](#parameter-granttypes) | array | Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. | +| [`name`](#parameter-name) | string | Identifier of the authorization server. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. 
Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `authorizationMethods` | array | `[GET]` | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. | -| `bearerTokenSendingMethods` | array | `[authorizationHeader]` | Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. | -| `clientAuthenticationMethod` | array | `[Basic]` | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. | -| `clientRegistrationEndpoint` | string | `''` | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. | -| `defaultScope` | string | `''` | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `resourceOwnerPassword` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. | -| `resourceOwnerUsername` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. | -| `serverDescription` | string | `''` | Description of the authorization server. Can contain HTML formatting tags. 
| -| `supportState` | bool | `False` | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. | -| `tokenBodyParameters` | array | `[]` | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. | -| `tokenEndpoint` | string | `''` | OAuth token endpoint. Contains absolute URI to entity being referenced. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizationMethods`](#parameter-authorizationmethods) | array | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. | +| [`bearerTokenSendingMethods`](#parameter-bearertokensendingmethods) | array | Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. | +| [`clientAuthenticationMethod`](#parameter-clientauthenticationmethod) | array | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. | +| [`clientRegistrationEndpoint`](#parameter-clientregistrationendpoint) | string | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. | +| [`defaultScope`](#parameter-defaultscope) | string | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`resourceOwnerPassword`](#parameter-resourceownerpassword) | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. | +| [`resourceOwnerUsername`](#parameter-resourceownerusername) | string | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. | +| [`serverDescription`](#parameter-serverdescription) | string | Description of the authorization server. Can contain HTML formatting tags. | +| [`supportState`](#parameter-supportstate) | bool | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. | +| [`tokenBodyParameters`](#parameter-tokenbodyparameters) | array | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. | +| [`tokenEndpoint`](#parameter-tokenendpoint) | string | OAuth token endpoint. Contains absolute URI to entity being referenced. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `authorizationEndpoint` + +OAuth authorization endpoint. See . +- Required: Yes +- Type: string + +### Parameter: `authorizationMethods` + +HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. 
+- Required: No +- Type: array +- Default: `[GET]` + +### Parameter: `bearerTokenSendingMethods` + +Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. +- Required: No +- Type: array +- Default: `[authorizationHeader]` + +### Parameter: `clientAuthenticationMethod` + +Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. +- Required: No +- Type: array +- Default: `[Basic]` + +### Parameter: `clientId` + +Client or app ID registered with this authorization server. +- Required: Yes +- Type: securestring + +### Parameter: `clientRegistrationEndpoint` + +Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `clientSecret` + +Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. +- Required: Yes +- Type: securestring + +### Parameter: `defaultScope` + +Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `grantTypes` + +Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. +- Required: Yes +- Type: array + +### Parameter: `name` + +Identifier of the authorization server. 
+- Required: Yes +- Type: string + +### Parameter: `resourceOwnerPassword` + +Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceOwnerUsername` + +Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serverDescription` + +Description of the authorization server. Can contain HTML formatting tags. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `supportState` + +If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tokenBodyParameters` + +Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tokenEndpoint` + +OAuth token endpoint. Contains absolute URI to entity being referenced. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service authorization server. | | `resourceGroupName` | string | The resource group the API management service authorization server was deployed into. | diff --git a/modules/api-management/service/authorization-server/main.json b/modules/api-management/service/authorization-server/main.json index d956cf25f5..09fc98f3c1 100644 --- a/modules/api-management/service/authorization-server/main.json 
+++ b/modules/api-management/service/authorization-server/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8155815469027179886" + "version": "0.22.6.54827", + "templateHash": "7988688467600216709" }, "name": "API Management Service Authorization Servers", "description": "This module deploys an API Management Service Authorization Server.", diff --git a/modules/api-management/service/backend/README.md b/modules/api-management/service/backend/README.md index 90025fec0f..a94b3f65e9 100644 --- a/modules/api-management/service/backend/README.md +++ b/modules/api-management/service/backend/README.md @@ -4,13 +4,13 @@ This module deploys an API Management Service Backend. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,35 +20,116 @@ This module deploys an API Management Service Backend. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Backend Name. | -| `url` | string | Runtime URL of the Backend. | +| [`name`](#parameter-name) | string | Backend Name. | +| [`url`](#parameter-url) | string | Runtime URL of the Backend. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `credentials` | object | `{object}` | Backend Credentials Contract Properties. | -| `description` | string | `''` | Backend Description. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `protocol` | string | `'http'` | Backend communication protocol. - http or soap. | -| `proxy` | object | `{object}` | Backend Proxy Contract Properties. | -| `resourceId` | string | `''` | Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. | -| `serviceFabricCluster` | object | `{object}` | Backend Service Fabric Cluster Properties. | -| `title` | string | `''` | Backend Title. | -| `tls` | object | `{object}` | Backend TLS Properties. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`credentials`](#parameter-credentials) | object | Backend Credentials Contract Properties. | +| [`description`](#parameter-description) | string | Backend Description. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`protocol`](#parameter-protocol) | string | Backend communication protocol. - http or soap. | +| [`proxy`](#parameter-proxy) | object | Backend Proxy Contract Properties. | +| [`resourceId`](#parameter-resourceid) | string | Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. | +| [`serviceFabricCluster`](#parameter-servicefabriccluster) | object | Backend Service Fabric Cluster Properties. | +| [`title`](#parameter-title) | string | Backend Title. | +| [`tls`](#parameter-tls) | object | Backend TLS Properties. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `credentials` + +Backend Credentials Contract Properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `description` + +Backend Description. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Backend Name. +- Required: Yes +- Type: string + +### Parameter: `protocol` + +Backend communication protocol. - http or soap. +- Required: No +- Type: string +- Default: `'http'` + +### Parameter: `proxy` + +Backend Proxy Contract Properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `resourceId` + +Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serviceFabricCluster` + +Backend Service Fabric Cluster Properties. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `title` + +Backend Title. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tls` + +Backend TLS Properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `url` + +Runtime URL of the Backend. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service backend. | | `resourceGroupName` | string | The resource group the API management service backend was deployed into. | diff --git a/modules/api-management/service/backend/main.json b/modules/api-management/service/backend/main.json index 17c351e22a..e10f1c81ee 100644 --- a/modules/api-management/service/backend/main.json +++ b/modules/api-management/service/backend/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1669725941639871055" + "version": "0.22.6.54827", + "templateHash": "3713166604792624713" }, "name": "API Management Service Backends", "description": "This module deploys an API Management Service Backend.", diff --git a/modules/api-management/service/cache/README.md b/modules/api-management/service/cache/README.md index d6c9712e8e..3bc84b82c2 100644 --- a/modules/api-management/service/cache/README.md +++ b/modules/api-management/service/cache/README.md @@ -4,12 +4,12 @@ This module deploys an API Management Service Cache. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,30 +19,75 @@ This module deploys an API Management Service Cache. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `connectionString` | string | Runtime connection string to cache. Can be referenced by a named value like so, {{}}. | -| `name` | string | Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). | -| `useFromLocation` | string | Location identifier to use cache from (should be either 'default' or valid Azure region identifier). | +| [`connectionString`](#parameter-connectionstring) | string | Runtime connection string to cache. Can be referenced by a named value like so, {{}}. | +| [`name`](#parameter-name) | string | Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). | +| [`useFromLocation`](#parameter-usefromlocation) | string | Location identifier to use cache from (should be either 'default' or valid Azure region identifier). | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | Cache description. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `resourceId` | string | `''` | Original uri of entity in external system cache points to. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | Cache description. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`resourceId`](#parameter-resourceid) | string | Original uri of entity in external system cache points to. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `connectionString` + +Runtime connection string to cache. Can be referenced by a named value like so, {{}}. +- Required: Yes +- Type: string + +### Parameter: `description` + +Cache description. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +Original uri of entity in external system cache points to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `useFromLocation` + +Location identifier to use cache from (should be either 'default' or valid Azure region identifier). +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service cache. | | `resourceGroupName` | string | The resource group the API management service cache was deployed into. | diff --git a/modules/api-management/service/cache/main.json b/modules/api-management/service/cache/main.json index 662943675f..80972f2881 100644 --- a/modules/api-management/service/cache/main.json +++ b/modules/api-management/service/cache/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17031319637382778576" + "version": "0.22.6.54827", + "templateHash": "4933923478377534151" }, "name": "API Management Service Caches", "description": "This module deploys an API Management Service Cache.", diff --git a/modules/api-management/service/identity-provider/README.md b/modules/api-management/service/identity-provider/README.md index ee17802cdf..9246273650 100644 --- a/modules/api-management/service/identity-provider/README.md +++ b/modules/api-management/service/identity-provider/README.md 
@@ -19,37 +19,134 @@ This module deploys an API Management Service Identity Provider. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Identity provider name. | +| [`name`](#parameter-name) | string | Identity provider name. | **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `apiManagementServiceName` | string | | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| `clientId` | string | `''` | Client ID of the Application in the external Identity Provider. Required if identity provider is used. | -| `clientSecret` | securestring | `''` | Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`clientId`](#parameter-clientid) | string | Client ID of the Application in the external Identity Provider. Required if identity provider is used. | +| [`clientSecret`](#parameter-clientsecret) | securestring | Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowedTenants` | array | `[]` | | List of Allowed Tenants when configuring Azure Active Directory login. - string. | -| `authority` | string | `''` | | OpenID Connect discovery endpoint hostname for AAD or AAD B2C. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `enableIdentityProviders` | bool | `False` | | Used to enable the deployment of the identityProviders child resource. | -| `passwordResetPolicyName` | string | `''` | | Password Reset Policy Name. Only applies to AAD B2C Identity Provider. | -| `profileEditingPolicyName` | string | `''` | | Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. | -| `signInPolicyName` | string | `''` | | Signin Policy Name. Only applies to AAD B2C Identity Provider. | -| `signInTenant` | string | `''` | | The TenantId to use instead of Common when logging into Active Directory. | -| `signUpPolicyName` | string | `''` | | Signup Policy Name. Only applies to AAD B2C Identity Provider. | -| `type` | string | `'aad'` | `[aad, aadB2C, facebook, google, microsoft, twitter]` | Identity Provider Type identifier. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowedTenants`](#parameter-allowedtenants) | array | List of Allowed Tenants when configuring Azure Active Directory login. - string. | +| [`authority`](#parameter-authority) | string | OpenID Connect discovery endpoint hostname for AAD or AAD B2C. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableIdentityProviders`](#parameter-enableidentityproviders) | bool | Used to enable the deployment of the identityProviders child resource. | +| [`passwordResetPolicyName`](#parameter-passwordresetpolicyname) | string | Password Reset Policy Name. Only applies to AAD B2C Identity Provider. | +| [`profileEditingPolicyName`](#parameter-profileeditingpolicyname) | string | Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. | +| [`signInPolicyName`](#parameter-signinpolicyname) | string | Signin Policy Name. Only applies to AAD B2C Identity Provider. | +| [`signInTenant`](#parameter-signintenant) | string | The TenantId to use instead of Common when logging into Active Directory. 
| +| [`signUpPolicyName`](#parameter-signuppolicyname) | string | Signup Policy Name. Only applies to AAD B2C Identity Provider. | +| [`type`](#parameter-type) | string | Identity Provider Type identifier. | + +### Parameter: `allowedTenants` + +List of Allowed Tenants when configuring Azure Active Directory login. - string. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `authority` + +OpenID Connect discovery endpoint hostname for AAD or AAD B2C. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `clientId` + +Client ID of the Application in the external Identity Provider. Required if identity provider is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `clientSecret` + +Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableIdentityProviders` + +Used to enable the deployment of the identityProviders child resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `name` + +Identity provider name. +- Required: Yes +- Type: string + +### Parameter: `passwordResetPolicyName` + +Password Reset Policy Name. Only applies to AAD B2C Identity Provider. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `profileEditingPolicyName` + +Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `signInPolicyName` + +Signin Policy Name. Only applies to AAD B2C Identity Provider. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `signInTenant` + +The TenantId to use instead of Common when logging into Active Directory. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `signUpPolicyName` + +Signup Policy Name. Only applies to AAD B2C Identity Provider. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `type` + +Identity Provider Type identifier. +- Required: No +- Type: string +- Default: `'aad'` +- Allowed: `[aad, aadB2C, facebook, google, microsoft, twitter]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service identity provider. | | `resourceGroupName` | string | The resource group the API management service identity provider was deployed into. | diff --git a/modules/api-management/service/identity-provider/main.json b/modules/api-management/service/identity-provider/main.json index 12777acfdc..a5131f7311 100644 --- a/modules/api-management/service/identity-provider/main.json +++ b/modules/api-management/service/identity-provider/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17041253664250888675" + "version": "0.22.6.54827", + "templateHash": "13822474427587974385" }, "name": "API Management Service Identity Providers", "description": "This module deploys an API Management Service Identity Provider.", diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json index e6a0293d07..0eca3efbe5 100644 --- a/modules/api-management/service/main.json +++ b/modules/api-management/service/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16139014256674828272" + "version": "0.22.6.54827", + "templateHash": "12476936893104821390" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", @@ -501,8 +501,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13643970540915525806" + "version": "0.22.6.54827", + "templateHash": "17340528539230351720" }, "name": "API Management Service APIs", "description": "This module deploys an API Management Service API.", @@ -781,8 +781,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6059606679416480431" + "version": "0.22.6.54827", + "templateHash": "14571499926134179860" }, "name": "API Management Service APIs Policies", "description": "This module deploys an API Management Service API Policy.", @@ -951,8 +951,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17009588020697963791" + "version": "0.22.6.54827", + "templateHash": "12233980723609740158" }, "name": "API Management Service API Version Sets", "description": "This module deploys an API Management Service API Version Set.", @@ -1091,8 +1091,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10093092890891107320" + "version": "0.22.6.54827", + "templateHash": "7988688467600216709" }, "name": "API Management Service Authorization Servers", "description": "This module deploys an API Management Service Authorization Server.", @@ -1339,8 +1339,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15587770490550622003" + "version": "0.22.6.54827", + "templateHash": "3713166604792624713" }, "name": "API Management Service Backends", "description": "This module deploys an API Management Service Backend.", 
@@ -1533,8 +1533,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12512964555569038583" + "version": "0.22.6.54827", + "templateHash": "4933923478377534151" }, "name": "API Management Service Caches", "description": "This module deploys an API Management Service Cache.", @@ -1684,8 +1684,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5821693072491820871" + "version": "0.22.6.54827", + "templateHash": "13822474427587974385" }, "name": "API Management Service Identity Providers", "description": "This module deploys an API Management Service Identity Provider.", @@ -1900,8 +1900,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3922343729155718081" + "version": "0.22.6.54827", + "templateHash": "3581707708141744852" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", @@ -2053,8 +2053,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "869969373482543080" + "version": "0.22.6.54827", + "templateHash": "1124223085084988655" }, "name": "API Management Service Portal Settings", "description": "This module deploys an API Management Service Portal Setting.", @@ -2176,8 +2176,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13858171935263007479" + "version": "0.22.6.54827", + "templateHash": "3650757020022888901" }, "name": "API Management Service Policies", "description": "This module deploys an API Management Service Policy.", @@ -2316,8 +2316,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6198741217819703348" + "version": "0.22.6.54827", + "templateHash": "2758822676627115160" }, "name": "API Management Service Products", "description": "This module deploys an API Management Service Product.", 
@@ -2465,8 +2465,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4854177138271927700" + "version": "0.22.6.54827", + "templateHash": "16488730655399972556" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", @@ -2579,8 +2579,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8500094107587576986" + "version": "0.22.6.54827", + "templateHash": "14085709622188800883" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", @@ -2745,8 +2745,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5104726614398406453" + "version": "0.22.6.54827", + "templateHash": "10733141744485121232" }, "name": "API Management Service Subscriptions", "description": "This module deploys an API Management Service Subscription.", @@ -2908,8 +2908,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15706860856976307419" + "version": "0.22.6.54827", + "templateHash": "1194193235287598548" } }, "parameters": { diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md index 2920b62283..d73832ca82 100644 --- a/modules/api-management/service/named-value/README.md +++ b/modules/api-management/service/named-value/README.md @@ -4,13 +4,13 @@ This module deploys an API Management Service Named Value. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,31 +20,84 @@ This module deploys an API Management Service Named Value. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `displayName` | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. | -| `name` | string | Named value Name. | +| [`displayName`](#parameter-displayname) | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. | +| [`name`](#parameter-name) | string | Named value Name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `keyVault` | object | `{object}` | KeyVault location details of the namedValue. | -| `secret` | bool | `False` | Determines whether the value is a secret and should be encrypted or not. Default value is false. | -| `tags` | array | `[]` | Tags that when provided can be used to filter the NamedValue list. - string. | -| `value` | string | `[newGuid()]` | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`keyVault`](#parameter-keyvault) | object | KeyVault location details of the namedValue. | +| [`secret`](#parameter-secret) | bool | Determines whether the value is a secret and should be encrypted or not. Default value is false. | +| [`tags`](#parameter-tags) | array | Tags that when provided can be used to filter the NamedValue list. - string. | +| [`value`](#parameter-value) | string | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `displayName` + +Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `keyVault` + +KeyVault location details of the namedValue. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Named value Name. +- Required: Yes +- Type: string + +### Parameter: `secret` + +Determines whether the value is a secret and should be encrypted or not. Default value is false. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags that when provided can be used to filter the NamedValue list. - string. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `value` + +Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. 
This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. +- Required: No +- Type: string +- Default: `[newGuid()]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the named value. | | `resourceGroupName` | string | The resource group the named value was deployed into. | diff --git a/modules/api-management/service/named-value/main.json b/modules/api-management/service/named-value/main.json index c75a4a3928..f47f644953 100644 --- a/modules/api-management/service/named-value/main.json +++ b/modules/api-management/service/named-value/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7537918735725646871" + "version": "0.22.6.54827", + "templateHash": "3581707708141744852" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", diff --git a/modules/api-management/service/policy/README.md b/modules/api-management/service/policy/README.md index 1e48186bc5..c9ca730024 100644 --- a/modules/api-management/service/policy/README.md +++ b/modules/api-management/service/policy/README.md 
@@ -19,28 +19,62 @@ This module deploys an API Management Service Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `value` | string | Contents of the Policy as defined by the format. | +| [`value`](#parameter-value) | string | Contents of the Policy as defined by the format. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. | -| `name` | string | `'policy'` | | The name of the policy. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`format`](#parameter-format) | string | Format of the policyContent. | +| [`name`](#parameter-name) | string | The name of the policy. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `format` + +Format of the policyContent. 
+- Required: No +- Type: string +- Default: `'xml'` +- Allowed: `[rawxml, rawxml-link, xml, xml-link]` + +### Parameter: `name` + +The name of the policy. +- Required: No +- Type: string +- Default: `'policy'` + +### Parameter: `value` + +Contents of the Policy as defined by the format. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service policy. | | `resourceGroupName` | string | The resource group the API management service policy was deployed into. | diff --git a/modules/api-management/service/policy/main.json b/modules/api-management/service/policy/main.json index 65580b17b4..32bd1ce4bc 100644 --- a/modules/api-management/service/policy/main.json +++ b/modules/api-management/service/policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8348924989076719813" + "version": "0.22.6.54827", + "templateHash": "3650757020022888901" }, "name": "API Management Service Policies", "description": "This module deploys an API Management Service Policy.", diff --git a/modules/api-management/service/portalsetting/README.md b/modules/api-management/service/portalsetting/README.md index e9c2e989a7..92c67fce9e 100644 --- a/modules/api-management/service/portalsetting/README.md +++ b/modules/api-management/service/portalsetting/README.md 
@@ -19,27 +19,54 @@ This module deploys an API Management Service Portal Setting. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | `[delegation, signin, signup]` | Portal setting name. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Portal setting name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `properties` | object | `{object}` | Portal setting properties. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`properties`](#parameter-properties) | object | Portal setting properties. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Portal setting name. +- Required: Yes +- Type: string +- Allowed: `[delegation, signin, signup]` + +### Parameter: `properties` + +Portal setting properties. 
+- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service portal setting. | | `resourceGroupName` | string | The resource group the API management service portal setting was deployed into. | diff --git a/modules/api-management/service/portalsetting/main.json b/modules/api-management/service/portalsetting/main.json index 174392d0e0..01f872a8e5 100644 --- a/modules/api-management/service/portalsetting/main.json +++ b/modules/api-management/service/portalsetting/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11909172258549553650" + "version": "0.22.6.54827", + "templateHash": "1124223085084988655" }, "name": "API Management Service Portal Settings", "description": "This module deploys an API Management Service Portal Setting.", diff --git a/modules/api-management/service/product/README.md b/modules/api-management/service/product/README.md index e5b15b55f4..03ba03cf8b 100644 --- a/modules/api-management/service/product/README.md +++ b/modules/api-management/service/product/README.md @@ -4,12 +4,12 @@ This module deploys an API Management Service Product. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,34 +21,109 @@ This module deploys an API Management Service Product. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Product Name. | +| [`name`](#parameter-name) | string | Product Name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `apis` | array | `[]` | Array of Product APIs. | -| `approvalRequired` | bool | `False` | Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. | -| `description` | string | `''` | Product description. May include HTML formatting tags. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `groups` | array | `[]` | Array of Product Groups. | -| `state` | string | `'published'` | whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. 
| -| `subscriptionRequired` | bool | `False` | Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. | -| `subscriptionsLimit` | int | `1` | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. | -| `terms` | string | `''` | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`apis`](#parameter-apis) | array | Array of Product APIs. | +| [`approvalRequired`](#parameter-approvalrequired) | bool | Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. | +| [`description`](#parameter-description) | string | Product description. May include HTML formatting tags. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`groups`](#parameter-groups) | array | Array of Product Groups. | +| [`state`](#parameter-state) | string | whether product is published or not. 
Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. | +| [`subscriptionRequired`](#parameter-subscriptionrequired) | bool | Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. | +| [`subscriptionsLimit`](#parameter-subscriptionslimit) | int | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. | +| [`terms`](#parameter-terms) | string | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `apis` + +Array of Product APIs. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `approvalRequired` + +Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `description` + +Product description. May include HTML formatting tags. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `groups` + +Array of Product Groups. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +Product Name. +- Required: Yes +- Type: string + +### Parameter: `state` + +whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. +- Required: No +- Type: string +- Default: `'published'` + +### Parameter: `subscriptionRequired` + +Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `subscriptionsLimit` + +Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `terms` + +Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. 
+- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `apiResourceIds` | array | The Resources IDs of the API management service product APIs. | | `groupResourceIds` | array | The Resources IDs of the API management service product groups. | diff --git a/modules/api-management/service/product/api/README.md b/modules/api-management/service/product/api/README.md index fb2a3bcac8..3ae7df516b 100644 --- a/modules/api-management/service/product/api/README.md +++ b/modules/api-management/service/product/api/README.md 
@@ -19,27 +19,52 @@ This module deploys an API Management Service Product API. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the product API. | +| [`name`](#parameter-name) | string | Name of the product API. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`productName`](#parameter-productname) | string | The name of the parent Product. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the product API. +- Required: Yes +- Type: string + +### Parameter: `productName` + +The name of the parent Product. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the product API. | | `resourceGroupName` | string | The resource group the product API was deployed into. | diff --git a/modules/api-management/service/product/api/main.json b/modules/api-management/service/product/api/main.json index 157c8181f7..0ecf6ebe3a 100644 --- a/modules/api-management/service/product/api/main.json +++ b/modules/api-management/service/product/api/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13243242177616383868" + "version": "0.22.6.54827", + "templateHash": "16488730655399972556" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", diff --git a/modules/api-management/service/product/group/README.md b/modules/api-management/service/product/group/README.md index e58f9a3739..943378da28 100644 --- a/modules/api-management/service/product/group/README.md +++ b/modules/api-management/service/product/group/README.md 
@@ -19,27 +19,52 @@ This module deploys an API Management Service Product Group. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the product group. | +| [`name`](#parameter-name) | string | Name of the product group. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | -| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`productName`](#parameter-productname) | string | The name of the parent Product. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the product group. +- Required: Yes +- Type: string + +### Parameter: `productName` + +The name of the parent Product. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the product group. | | `resourceGroupName` | string | The resource group the product group was deployed into. | diff --git a/modules/api-management/service/product/group/main.json b/modules/api-management/service/product/group/main.json index de5f8ef5c8..209c9c33d6 100644 --- a/modules/api-management/service/product/group/main.json +++ b/modules/api-management/service/product/group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11867976378445976169" + "version": "0.22.6.54827", + "templateHash": "14085709622188800883" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", diff --git a/modules/api-management/service/product/main.json b/modules/api-management/service/product/main.json index 172a816f4f..94a2143e2a 100644 --- a/modules/api-management/service/product/main.json +++ b/modules/api-management/service/product/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11659142408016307537" + "version": "0.22.6.54827", + "templateHash": "2758822676627115160" }, "name": "API Management Service Products", "description": "This module deploys an API Management Service Product.", @@ -153,8 +153,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13243242177616383868" + "version": "0.22.6.54827", + "templateHash": "16488730655399972556" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", 
@@ -267,8 +267,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11867976378445976169" + "version": "0.22.6.54827", + "templateHash": "14085709622188800883" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", diff --git a/modules/api-management/service/subscription/README.md b/modules/api-management/service/subscription/README.md index 0195b16bfb..81c7f5c71b 100644 --- a/modules/api-management/service/subscription/README.md +++ b/modules/api-management/service/subscription/README.md @@ -4,12 +4,12 @@ This module deploys an API Management Service Subscription. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,32 +19,93 @@ This module deploys an API Management Service Subscription. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Subscription name. | +| [`name`](#parameter-name) | string | Subscription name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | +| [`apiManagementServiceName`](#parameter-apimanagementservicename) | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `allowTracing` | bool | `True` | Determines whether tracing can be enabled. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ownerId` | string | `''` | User (user ID path) for whom subscription is being created in form /users/{userId}. | -| `primaryKey` | string | `''` | Primary subscription key. If not specified during request key will be generated automatically. | -| `scope` | string | `'/apis'` | Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". | -| `secondaryKey` | string | `''` | Secondary subscription key. If not specified during request key will be generated automatically. | -| `state` | string | `''` | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? 
the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowTracing`](#parameter-allowtracing) | bool | Determines whether tracing can be enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ownerId`](#parameter-ownerid) | string | User (user ID path) for whom subscription is being created in form /users/{userId}. | +| [`primaryKey`](#parameter-primarykey) | string | Primary subscription key. If not specified during request key will be generated automatically. | +| [`scope`](#parameter-scope) | string | Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". | +| [`secondaryKey`](#parameter-secondarykey) | string | Secondary subscription key. If not specified during request key will be generated automatically. | +| [`state`](#parameter-state) | string | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. 
- suspended, active, expired, submitted, rejected, cancelled. | + +### Parameter: `allowTracing` + +Determines whether tracing can be enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Subscription name. +- Required: Yes +- Type: string + +### Parameter: `ownerId` + +User (user ID path) for whom subscription is being created in form /users/{userId}. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `primaryKey` + +Primary subscription key. If not specified during request key will be generated automatically. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `scope` + +Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". +- Required: No +- Type: string +- Default: `'/apis'` + +### Parameter: `secondaryKey` + +Secondary subscription key. If not specified during request key will be generated automatically. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `state` + +Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? 
the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the API management service subscription. | | `resourceGroupName` | string | The resource group the API management service subscription was deployed into. | diff --git a/modules/api-management/service/subscription/main.json b/modules/api-management/service/subscription/main.json index 2ca7d5862e..faefcb8783 100644 --- a/modules/api-management/service/subscription/main.json +++ b/modules/api-management/service/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15277659663277232184" + "version": "0.22.6.54827", + "templateHash": "10733141744485121232" }, "name": "API Management Service Subscriptions", "description": "This module deploys an API Management Service Subscription.", diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index f7bf489277..9c5e54e5f8 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/app-configuration/configuration-store/.test/min/main.test.bicep b/modules/app-configuration/configuration-store/.test/min/main.test.bicep index 141cbc3ee0..8770a7a8ca 100644 --- a/modules/app-configuration/configuration-store/.test/min/main.test.bicep 
+++ b/modules/app-configuration/configuration-store/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index c29bc1d5bd..fbbd683f2b 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -4,13 +4,13 @@ This module deploys an App Configuration Store. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,75 +22,29 @@ This module deploys an App Configuration Store. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Azure App Configuration. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `createMode` | string | `'Default'` | `[Default, Recover]` | Indicates whether the configuration store need to be recovered. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Audit, HttpRequest]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. 
| -| `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enablePurgeProtection` | bool | `False` | | Property specifying whether protection against purge is enabled for this configuration store. | -| `keyValues` | array | `[]` | | All Key / Values to create. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Standard'` | `[Free, Standard]` | Pricing tier of App Configuration. | -| `softDeleteRetentionInDays` | int | `1` | | The amount of time in days that the configuration store will be retained when it is soft deleted. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. 
| - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the app configuration. | -| `resourceGroupName` | string | The resource group the app configuration store was deployed into. | -| `resourceId` | string | The resource ID of the app configuration. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/app-configuration.configuration-store:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module configurationStore './app-configuration/configuration-store/main.bicep' = { +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-acccom' params: { // Required parameters @@ -234,14 +188,17 @@ module configurationStore './app-configuration/configuration-store/main.bicep' =

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module configurationStore './app-configuration/configuration-store/main.bicep' = { +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-accmin' params: { // Required parameters @@ -279,14 +236,14 @@ module configurationStore './app-configuration/configuration-store/main.bicep' =

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module configurationStore './app-configuration/configuration-store/main.bicep' = { +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-accpe' params: { // Required parameters @@ -385,3 +342,224 @@ module configurationStore './app-configuration/configuration-store/main.bicep' =

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Azure App Configuration. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`createMode`](#parameter-createmode) | string | Indicates whether the configuration store need to be recovered. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Property specifying whether protection against purge is enabled for this configuration store. | +| [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | Pricing tier of App Configuration. | +| [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `createMode` + +Indicates whether the configuration store need to be recovered. 
+- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, Recover]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Audit, HttpRequest]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +Disables all authentication methods other than AAD authentication. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enablePurgeProtection` + +Property specifying whether protection against purge is enabled for this configuration store. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `keyValues` + +All Key / Values to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Azure App Configuration. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +Pricing tier of App Configuration. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Free, Standard]` + +### Parameter: `softDeleteRetentionInDays` + +The amount of time in days that the configuration store will be retained when it is soft deleted. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the app configuration. | +| `resourceGroupName` | string | The resource group the app configuration store was deployed into. | +| `resourceId` | string | The resource ID of the app configuration. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md index 4d8a0cc029..7aba86936e 100644 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ b/modules/app-configuration/configuration-store/key-value/README.md @@ -4,12 +4,12 @@ This module deploys an App Configuration Store Key Value. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,29 +19,68 @@ This module deploys an App Configuration Store Key Value. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the key. | -| `value` | string | Name of the value. | +| [`name`](#parameter-name) | string | Name of the key. | +| [`value`](#parameter-value) | string | Name of the value. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appConfigurationName` | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. | +| [`appConfigurationName`](#parameter-appconfigurationname) | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `contentType` | string | `''` | The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tags` | object | `{object}` | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`contentType`](#parameter-contenttype) | string | The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `appConfigurationName` + +The name of the parent app configuration store. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `contentType` + +The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the key. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `value` + +Name of the value. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the key values. | | `resourceGroupName` | string | The resource group the batch account was deployed into. | diff --git a/modules/app-configuration/configuration-store/key-value/main.json b/modules/app-configuration/configuration-store/key-value/main.json index 69e7caf120..bd6ba98307 100644 --- a/modules/app-configuration/configuration-store/key-value/main.json +++ b/modules/app-configuration/configuration-store/key-value/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18125120019454222929" + "version": "0.22.6.54827", + "templateHash": "16698134952769248111" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index 1442aabb14..9864464e86 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11782317267764138408" + "version": "0.22.6.54827", + "templateHash": "10110269901043104603" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", @@ -334,8 +334,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12355291254193028960" + "version": "0.22.6.54827", + "templateHash": "16698134952769248111" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -471,8 +471,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3406373389314015592" + "version": "0.22.6.54827", + "templateHash": "17212866457936326905" } }, "parameters": { @@ -633,8 +633,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -833,8 +833,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -971,8 +971,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/app/container-app/.test/common/main.test.bicep b/modules/app/container-app/.test/common/main.test.bicep index 3f215031b9..9667da2fbe 100644 --- a/modules/app/container-app/.test/common/main.test.bicep 
+++ b/modules/app/container-app/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/app/container-app/.test/min/main.test.bicep b/modules/app/container-app/.test/min/main.test.bicep index 66ba9c9e91..8969d7e6e3 100644 --- a/modules/app/container-app/.test/min/main.test.bicep +++ b/modules/app/container-app/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index 941fff342b..870012dd19 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -5,10 +5,10 @@ This module deploys a Container App. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,80 +18,28 @@ This module deploys a Container App. | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `containers` | array | List of container definitions for the Container App. | -| `environmentId` | string | Resource ID of environment. | -| `name` | string | Name of the Container App. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `activeRevisionsMode` | string | `'Single'` | `[Multiple, Single]` | ActiveRevisionsMode controls how active revisions are handled for the Container app. | -| `customDomains` | array | `[]` | | Custom domain bindings for Container App hostnames. | -| `dapr` | object | `{object}` | | Dapr configuration for the Container App. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exposedPort` | int | `0` | | Exposed Port in containers for TCP traffic from ingress. | -| `ingressAllowInsecure` | bool | `True` | | Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. | -| `ingressExternal` | bool | `True` | | Bool indicating if app exposes an external http endpoint. 
| -| `ingressTargetPort` | int | `80` | | Target Port in containers for traffic from ingress. | -| `ingressTransport` | string | `'auto'` | `[auto, http, http2, tcp]` | Ingress transport protocol. | -| `initContainersTemplate` | array | `[]` | | List of specialized containers that run before app containers. | -| `ipSecurityRestrictions` | array | `[]` | | Rules to restrict incoming IP address. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxInactiveRevisions` | int | `0` | | Max inactive revisions a Container App can have. | -| `registries` | array | `[]` | | Collection of private container registry credentials for containers used by the Container app. | -| `revisionSuffix` | string | `''` | | User friendly suffix that is appended to the revision name. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. | -| `scaleMaxReplicas` | int | `1` | | Maximum number of container replicas. Defaults to 10 if not set. | -| `scaleMinReplicas` | int | `0` | | Minimum number of container replicas. | -| `scaleRules` | array | `[]` | | Scaling rules. | -| `secrets` | secureObject | `{object}` | | The secrets of the Container App. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `trafficLabel` | string | `'label-1'` | | Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. | -| `trafficLatestRevision` | bool | `True` | | Indicates that the traffic weight belongs to a latest stable revision. | -| `trafficRevisionName` | string | `''` | | Name of a revision. 
| -| `trafficWeight` | int | `100` | | Traffic weight assigned to a revision. | -| `userAssignedIdentities` | object | `{object}` | | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | -| `volumes` | array | `[]` | | List of volume definitions for the Container App. | -| `workloadProfileType` | string | `''` | | Workload profile type to pin for container app execution. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.container-app:1.0.0`. +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -## Outputs +### Example 1: _Using large parameter set_ -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Container App. | -| `resourceGroupName` | string | The name of the resource group the Container App was deployed into. | -| `resourceId` | string | The resource ID of the Container App. | +This instance deploys the module with most of its features enabled. -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module containerApp './app/container-app/main.bicep' = { +module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mcappcom' params: { // Required parameters @@ -233,14 +181,17 @@ module containerApp './app/container-app/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module containerApp './app/container-app/main.bicep' = { +module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mcappmin' params: { // Required parameters @@ -317,3 +268,294 @@ module containerApp './app/container-app/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | +| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | +| [`name`](#parameter-name) | string | Name of the Container App. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`activeRevisionsMode`](#parameter-activerevisionsmode) | string | ActiveRevisionsMode controls how active revisions are handled for the Container app. | +| [`customDomains`](#parameter-customdomains) | array | Custom domain bindings for Container App hostnames. | +| [`dapr`](#parameter-dapr) | object | Dapr configuration for the Container App. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`exposedPort`](#parameter-exposedport) | int | Exposed Port in containers for TCP traffic from ingress. | +| [`ingressAllowInsecure`](#parameter-ingressallowinsecure) | bool | Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. | +| [`ingressExternal`](#parameter-ingressexternal) | bool | Bool indicating if app exposes an external http endpoint. | +| [`ingressTargetPort`](#parameter-ingresstargetport) | int | Target Port in containers for traffic from ingress. | +| [`ingressTransport`](#parameter-ingresstransport) | string | Ingress transport protocol. | +| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | +| [`ipSecurityRestrictions`](#parameter-ipsecurityrestrictions) | array | Rules to restrict incoming IP address. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. 
| +| [`maxInactiveRevisions`](#parameter-maxinactiverevisions) | int | Max inactive revisions a Container App can have. | +| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | +| [`revisionSuffix`](#parameter-revisionsuffix) | string | User friendly suffix that is appended to the revision name. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. | +| [`scaleMaxReplicas`](#parameter-scalemaxreplicas) | int | Maximum number of container replicas. Defaults to 10 if not set. | +| [`scaleMinReplicas`](#parameter-scaleminreplicas) | int | Minimum number of container replicas. | +| [`scaleRules`](#parameter-scalerules) | array | Scaling rules. | +| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`trafficLabel`](#parameter-trafficlabel) | string | Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. | +| [`trafficLatestRevision`](#parameter-trafficlatestrevision) | bool | Indicates that the traffic weight belongs to a latest stable revision. | +| [`trafficRevisionName`](#parameter-trafficrevisionname) | string | Name of a revision. | +| [`trafficWeight`](#parameter-trafficweight) | int | Traffic weight assigned to a revision. 
| +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | +| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | +| [`workloadProfileType`](#parameter-workloadprofiletype) | string | Workload profile type to pin for container app execution. | + +### Parameter: `activeRevisionsMode` + +ActiveRevisionsMode controls how active revisions are handled for the Container app. +- Required: No +- Type: string +- Default: `'Single'` +- Allowed: `[Multiple, Single]` + +### Parameter: `containers` + +List of container definitions for the Container App. +- Required: Yes +- Type: array + +### Parameter: `customDomains` + +Custom domain bindings for Container App hostnames. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dapr` + +Dapr configuration for the Container App. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `environmentId` + +Resource ID of environment. +- Required: Yes +- Type: string + +### Parameter: `exposedPort` + +Exposed Port in containers for TCP traffic from ingress. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `ingressAllowInsecure` + +Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ingressExternal` + +Bool indicating if app exposes an external http endpoint. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ingressTargetPort` + +Target Port in containers for traffic from ingress. 
+- Required: No +- Type: int +- Default: `80` + +### Parameter: `ingressTransport` + +Ingress transport protocol. +- Required: No +- Type: string +- Default: `'auto'` +- Allowed: `[auto, http, http2, tcp]` + +### Parameter: `initContainersTemplate` + +List of specialized containers that run before app containers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipSecurityRestrictions` + +Rules to restrict incoming IP address. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maxInactiveRevisions` + +Max inactive revisions a Container App can have. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `name` + +Name of the Container App. +- Required: Yes +- Type: string + +### Parameter: `registries` + +Collection of private container registry credentials for containers used by the Container app. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `revisionSuffix` + +User friendly suffix that is appended to the revision name. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `scaleMaxReplicas` + +Maximum number of container replicas. Defaults to 10 if not set. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `scaleMinReplicas` + +Minimum number of container replicas. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `scaleRules` + +Scaling rules. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `secrets` + +The secrets of the Container App. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `trafficLabel` + +Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. +- Required: No +- Type: string +- Default: `'label-1'` + +### Parameter: `trafficLatestRevision` + +Indicates that the traffic weight belongs to a latest stable revision. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `trafficRevisionName` + +Name of a revision. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `trafficWeight` + +Traffic weight assigned to a revision. +- Required: No +- Type: int +- Default: `100` + +### Parameter: `userAssignedIdentities` + +The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `volumes` + +List of volume definitions for the Container App. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `workloadProfileType` + +Workload profile type to pin for container app execution. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Container App. | +| `resourceGroupName` | string | The name of the resource group the Container App was deployed into. | +| `resourceId` | string | The resource ID of the Container App. 
| + +## Cross-referenced modules + +_None_ diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json index e2de42de12..1d501046a4 100644 --- a/modules/app/container-app/main.json +++ b/modules/app/container-app/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16754480041180669063" + "version": "0.22.6.54827", + "templateHash": "2221038631504030167" }, "name": "Container Apps", "description": "This module deploys a Container App.", @@ -371,8 +371,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9188415638960634445" + "version": "0.22.6.54827", + "templateHash": "6133741258710054291" } }, "parameters": { diff --git a/modules/app/managed-environment/.test/common/main.test.bicep b/modules/app/managed-environment/.test/common/main.test.bicep index 076aa920a4..6a3a769e96 100644 --- a/modules/app/managed-environment/.test/common/main.test.bicep +++ b/modules/app/managed-environment/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/app/managed-environment/.test/min/main.test.bicep b/modules/app/managed-environment/.test/min/main.test.bicep index 6692258b4d..ceab992425 100644 --- a/modules/app/managed-environment/.test/min/main.test.bicep +++ b/modules/app/managed-environment/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index e432404e3a..19638dbf5b 100644 
--- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -5,10 +5,10 @@ This module deploys an App Managed Environment (also known as a Container App En ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,73 +18,28 @@ This module deploys an App Managed Environment (also known as a Container App En | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `logAnalyticsWorkspaceResourceId` | string | Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). | -| `name` | string | Name of the Container Apps Managed Environment. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `infrastructureSubnetId` | string | `''` | Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `certificatePassword` | securestring | `''` | | Password of the certificate used by the custom domain. | -| `certificateValue` | securestring | `''` | | Certificate to use for the custom domain. PFX or PEM. | -| `daprAIConnectionString` | securestring | `''` | | Application Insights connection string used by Dapr to export Service to Service communication telemetry. | -| `daprAIInstrumentationKey` | securestring | `''` | | Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. | -| `dnsSuffix` | string | `''` | | DNS suffix for the environment domain. 
| -| `dockerBridgeCidr` | string | `''` | | CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| `enableDefaultTelemetry` | bool | | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `internal` | bool | `False` | | Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `logsDestination` | string | `'log-analytics'` | | Logs destination. | -| `platformReservedCidr` | string | `''` | | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| `platformReservedDnsIP` | string | `''` | | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuName` | string | `'Consumption'` | `[Consumption, Premium]` | Managed environment SKU. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `workloadProfiles` | array | `[]` | | Workload profiles configured for the Managed Environment. | -| `zoneRedundant` | bool | `False` | | Whether or not this Managed Environment is zone-redundant. | - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Managed Environment. | -| `resourceGroupName` | string | The name of the resource group the Managed Environment was deployed into. | -| `resourceId` | string | The resource ID of the Managed Environment. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.managed-environment:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module managedEnvironment './app/managed-environment/main.bicep' = { +module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-amecom' params: { // Required parameters @@ -168,14 +123,17 @@ module managedEnvironment './app/managed-environment/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module managedEnvironment './app/managed-environment/main.bicep' = { +module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-amemin' params: { // Required parameters @@ -214,3 +172,202 @@ module managedEnvironment './app/managed-environment/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`logAnalyticsWorkspaceResourceId`](#parameter-loganalyticsworkspaceresourceid) | string | Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). | +| [`name`](#parameter-name) | string | Name of the Container Apps Managed Environment. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`infrastructureSubnetId`](#parameter-infrastructuresubnetid) | string | Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`certificatePassword`](#parameter-certificatepassword) | securestring | Password of the certificate used by the custom domain. | +| [`certificateValue`](#parameter-certificatevalue) | securestring | Certificate to use for the custom domain. PFX or PEM. | +| [`daprAIConnectionString`](#parameter-dapraiconnectionstring) | securestring | Application Insights connection string used by Dapr to export Service to Service communication telemetry. | +| [`daprAIInstrumentationKey`](#parameter-dapraiinstrumentationkey) | securestring | Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. | +| [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix for the environment domain. | +| [`dockerBridgeCidr`](#parameter-dockerbridgecidr) | string | CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. 
If not provided, it will be set with a default value by the platform. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`internal`](#parameter-internal) | bool | Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`logsDestination`](#parameter-logsdestination) | string | Logs destination. | +| [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | +| [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | Managed environment SKU. 
| +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this Managed Environment is zone-redundant. | + +### Parameter: `certificatePassword` + +Password of the certificate used by the custom domain. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `certificateValue` + +Certificate to use for the custom domain. PFX or PEM. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `daprAIConnectionString` + +Application Insights connection string used by Dapr to export Service to Service communication telemetry. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `daprAIInstrumentationKey` + +Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `dnsSuffix` + +DNS suffix for the environment domain. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dockerBridgeCidr` + +CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: Yes +- Type: bool + +### Parameter: `infrastructureSubnetId` + +Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `internal` + +Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `logAnalyticsWorkspaceResourceId` + +Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). +- Required: Yes +- Type: string + +### Parameter: `logsDestination` + +Logs destination. +- Required: No +- Type: string +- Default: `'log-analytics'` + +### Parameter: `name` + +Name of the Container Apps Managed Environment. +- Required: Yes +- Type: string + +### Parameter: `platformReservedCidr` + +IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `platformReservedDnsIP` + +An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +Managed environment SKU. +- Required: No +- Type: string +- Default: `'Consumption'` +- Allowed: `[Consumption, Premium]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workloadProfiles` + +Workload profiles configured for the Managed Environment. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `zoneRedundant` + +Whether or not this Managed Environment is zone-redundant. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Managed Environment. | +| `resourceGroupName` | string | The name of the resource group the Managed Environment was deployed into. | +| `resourceId` | string | The resource ID of the Managed Environment. | + +## Cross-referenced modules + +_None_ diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json index a958ca3a6e..71407f0d6d 100644 --- a/modules/app/managed-environment/main.json +++ b/modules/app/managed-environment/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14963884189492658840" + "version": "0.22.6.54827", + "templateHash": "3480452524372003572" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", @@ -264,8 +264,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10028072894056989627" + "version": "0.22.6.54827", + "templateHash": "18101859194273235473" } }, "parameters": { diff --git a/modules/authorization/lock/.test/common/main.test.bicep b/modules/authorization/lock/.test/common/main.test.bicep index 197c3e06aa..aa9099f4a9 100644 --- a/modules/authorization/lock/.test/common/main.test.bicep +++ b/modules/authorization/lock/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md index 1555dae44e..6a17288433 100644 --- a/modules/authorization/lock/README.md +++ b/modules/authorization/lock/README.md @@ -5,10 +5,10 @@ This module deploys an Authorization Lock at a Subscription or Resource Group sc ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -16,52 +16,27 @@ This module deploys an Authorization Lock at a Subscription or Resource Group sc | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location for all resources. | -| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | -| `resourceGroupName` | string | `''` | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. | -| `subscriptionId` | string | `[subscription().id]` | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the lock. | -| `resourceId` | string | The resource ID of the lock. 
| -| `scope` | string | The scope this lock applies to. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.lock:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module lock './authorization/lock/main.bicep' = { +module lock 'br:bicep/modules/authorization.lock:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-alcom' params: { // Required parameters @@ -106,3 +81,77 @@ module lock './authorization/lock/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`level`](#parameter-level) | string | Set lock level. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`notes`](#parameter-notes) | string | The decription attached to the lock. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `level` + +Set lock level. +- Required: Yes +- Type: string +- Allowed: `[CanNotDelete, ReadOnly]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `notes` + +The decription attached to the lock. +- Required: No +- Type: string +- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the lock to. 
If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. +- Required: No +- Type: string +- Default: `[subscription().id]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the lock. | +| `resourceId` | string | The resource ID of the lock. | +| `scope` | string | The scope this lock applies to. | + +## Cross-referenced modules + +_None_ diff --git a/modules/authorization/lock/main.json b/modules/authorization/lock/main.json index a6018e68bc..927dc1ae2c 100644 --- a/modules/authorization/lock/main.json +++ b/modules/authorization/lock/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15010949072500473441" + "version": "0.22.6.54827", + "templateHash": "15385346851879884120" }, "name": "Authorization Locks (All scopes)", "description": "This module deploys an Authorization Lock at a Subscription or Resource Group scope.", @@ -109,8 +109,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15362884032350876286" + "version": "0.22.6.54827", + "templateHash": "876321567657394219" }, "name": "Authorization Locks (Subscription scope)", "description": "This module deploys an Authorization Lock at a Subscription scope.", 
@@ -239,8 +239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10420976827552614779" + "version": "0.22.6.54827", + "templateHash": "8961143332409950444" }, "name": "Authorization Locks (Resource Group scope)", "description": "This module deploys an Authorization Lock at a Resource Group scope.", diff --git a/modules/authorization/lock/resource-group/README.md b/modules/authorization/lock/resource-group/README.md index 146e48ed25..9fff1df214 100644 --- a/modules/authorization/lock/resource-group/README.md +++ b/modules/authorization/lock/resource-group/README.md 
@@ -19,22 +19,50 @@ This module deploys an Authorization Lock at a Resource Group scope. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`level`](#parameter-level) | string | Set lock level. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. | -| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the lock. | +| [`notes`](#parameter-notes) | string | The decription attached to the lock. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `level` + +Set lock level. +- Required: Yes +- Type: string +- Allowed: `[CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the lock. +- Required: No +- Type: string +- Default: `[format('{0}-lock', parameters('level'))]` + +### Parameter: `notes` + +The decription attached to the lock. 
+- Required: No +- Type: string +- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the lock. | | `resourceGroupName` | string | The name of the resource group name the lock was applied to. | diff --git a/modules/authorization/lock/resource-group/main.json b/modules/authorization/lock/resource-group/main.json index 25b2ec1b99..903530da93 100644 --- a/modules/authorization/lock/resource-group/main.json +++ b/modules/authorization/lock/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7885747985110001606" + "version": "0.22.6.54827", + "templateHash": "8961143332409950444" }, "name": "Authorization Locks (Resource Group scope)", "description": "This module deploys an Authorization Lock at a Resource Group scope.", diff --git a/modules/authorization/lock/subscription/README.md b/modules/authorization/lock/subscription/README.md index 35fe0fd8ca..56454213bb 100644 --- a/modules/authorization/lock/subscription/README.md +++ b/modules/authorization/lock/subscription/README.md 
@@ -19,22 +19,50 @@ This module deploys an Authorization Lock at a Subscription scope. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`level`](#parameter-level) | string | Set lock level. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. | -| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the lock. | +| [`notes`](#parameter-notes) | string | The decription attached to the lock. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `level` + +Set lock level. +- Required: Yes +- Type: string +- Allowed: `[CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the lock. +- Required: No +- Type: string +- Default: `[format('{0}-lock', parameters('level'))]` + +### Parameter: `notes` + +The decription attached to the lock. 
+- Required: No +- Type: string +- Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the lock. | | `resourceId` | string | The resource ID of the lock. | diff --git a/modules/authorization/lock/subscription/main.json b/modules/authorization/lock/subscription/main.json index 5664616784..19ec31903c 100644 --- a/modules/authorization/lock/subscription/main.json +++ b/modules/authorization/lock/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10927394621764774821" + "version": "0.22.6.54827", + "templateHash": "876321567657394219" }, "name": "Authorization Locks (Subscription scope)", "description": "This module deploys an Authorization Lock at a Subscription scope.", diff --git a/modules/authorization/policy-assignment/README.md b/modules/authorization/policy-assignment/README.md index ff0ddb908a..d2906fcd0a 100644 --- a/modules/authorization/policy-assignment/README.md +++ b/modules/authorization/policy-assignment/README.md 
@@ -4,80 +4,43 @@ This module deploys a Policy Assignment at a Management Group, Subscription or R ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/policyAssignments` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-06-01/policyAssignments) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | -| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | This message will be part of response in case of policy violation. | -| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| `location` | string | `[deployment().location]` | | Location for all resources. | -| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | -| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. | -| `notScopes` | array | `[]` | | The policy excluded scopes. | -| `overrides` | array | `[]` | | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. | -| `resourceGroupName` | string | `''` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. 
| -| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| `subscriptionId` | string | `''` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. | -| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-assignment:1.0.0`. +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | Policy Assignment Name. | -| `principalId` | string | Policy Assignment principal ID. | -| `resourceId` | string | Policy Assignment resource ID. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-apamgcom' params: { // Required parameters @@ -273,14 +236,14 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apamgmin' params: { // Required parameters @@ -330,14 +293,14 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

-

Example 3: Rg.Common

+### Example 3: _Rg.Common_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apargcom' params: { // Required parameters @@ -541,14 +504,14 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

-

Example 4: Rg.Min

+### Example 4: _Rg.Min_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apargmin' params: { // Required parameters @@ -602,14 +565,14 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

-

Example 5: Sub.Common

+### Example 5: _Sub.Common_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apasubcom' params: { // Required parameters @@ -809,14 +772,14 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

-

Example 6: Sub.Min

+### Example 6: _Sub.Min_
via Bicep module ```bicep -module policyAssignment './authorization/policy-assignment/main.bicep' = { +module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apasubmin' params: { // Required parameters @@ -875,6 +838,184 @@ module policyAssignment './authorization/policy-assignment/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | +| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | +| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | +| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. 
| +| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | +| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | +| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy assignment. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | +| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. | +| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | + +### Parameter: `description` + +This message will be part of response in case of policy violation. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy assignment. Maximum length is 128 characters. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enforcementMode` + +The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, DoNotEnforce]` + +### Parameter: `identity` + +The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. +- Required: No +- Type: string +- Default: `'SystemAssigned'` +- Allowed: `[None, SystemAssigned, UserAssigned]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `metadata` + +The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. +- Required: Yes +- Type: string + +### Parameter: `nonComplianceMessages` + +The messages that describe why a resource is non-compliant with the policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notScopes` + +The policy excluded scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `overrides` + +The policy property value override. 
Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `parameters` + +Parameters for the policy assignment if needed. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. +- Required: Yes +- Type: string + +### Parameter: `resourceGroupName` + +The Target Scope for the Policy. The name of the resource group for the policy assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleDefinitionIds` + +The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subscriptionId` + +The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `userAssignedIdentityId` + +The Resource ID for the user assigned identity to assign to the policy assignment. 
+- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | Policy Assignment Name. | +| `principalId` | string | Policy Assignment principal ID. | +| `resourceId` | string | Policy Assignment resource ID. | + +## Cross-referenced modules + +_None_ + ## Notes ### Module Usage Guidance diff --git a/modules/authorization/policy-assignment/main.json b/modules/authorization/policy-assignment/main.json index 66bced0521..4b15a7c3ee 100644 --- a/modules/authorization/policy-assignment/main.json +++ b/modules/authorization/policy-assignment/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13477192333915886863" + "version": "0.22.6.54827", + "templateHash": "10579624444479342334" }, "name": "Policy Assignments (All scopes)", "description": "This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope.", @@ -226,8 +226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15108071880274736880" + "version": "0.22.6.54827", + "templateHash": "14811948404877688716" }, "name": "Policy Assignments (Management Group scope)", "description": "This module deploys a Policy Assignment at a Management Group scope.", @@ -506,8 +506,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15303635224407962753" + "version": "0.22.6.54827", + "templateHash": "1296030047986147440" }, "name": "Policy Assignments (Subscription scope)", "description": "This module deploys a Policy Assignment at a Subscription scope.", 
@@ -786,8 +786,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17736185251366823136" + "version": "0.22.6.54827", + "templateHash": "15032410491892224041" }, "name": "Policy Assignments (Resource Group scope)", "description": "This module deploys a Policy Assignment at a Resource Group scope.", diff --git a/modules/authorization/policy-assignment/management-group/README.md b/modules/authorization/policy-assignment/management-group/README.md index 086b1d38ea..5bdeb7fe3c 100644 --- a/modules/authorization/policy-assignment/management-group/README.md +++ b/modules/authorization/policy-assignment/management-group/README.md 
@@ -20,35 +20,154 @@ This module deploys a Policy Assignment at a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. | -| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. | +| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. | +| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | This message will be part of response in case of policy violation. | -| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| `location` | string | `[deployment().location]` | | Location for all resources. | -| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. 
| -| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. | -| `notScopes` | array | `[]` | | The policy excluded scopes. | -| `overrides` | array | `[]` | | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | +| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | +| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | +| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | +| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | +| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. 
| +| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | +| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | + +### Parameter: `description` + +This message will be part of response in case of policy violation. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy assignment. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enforcementMode` + +The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, DoNotEnforce]` + +### Parameter: `identity` + +The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. +- Required: No +- Type: string +- Default: `'SystemAssigned'` +- Allowed: `[None, SystemAssigned, UserAssigned]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The Target Scope for the Policy. The name of the management group for the policy assignment. 
If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `metadata` + +The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. +- Required: Yes +- Type: string + +### Parameter: `nonComplianceMessages` + +The messages that describe why a resource is non-compliant with the policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notScopes` + +The policy excluded scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `overrides` + +The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `parameters` + +Parameters for the policy assignment if needed. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. +- Required: Yes +- Type: string + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleDefinitionIds` + +The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. 
See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `userAssignedIdentityId` + +The Resource ID for the user assigned identity to assign to the policy assignment. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | Policy Assignment Name. | diff --git a/modules/authorization/policy-assignment/management-group/main.json b/modules/authorization/policy-assignment/management-group/main.json index 1f346ad116..5041a99c35 100644 --- a/modules/authorization/policy-assignment/management-group/main.json +++ b/modules/authorization/policy-assignment/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8902545451587564927" + "version": "0.22.6.54827", + "templateHash": "14811948404877688716" }, "name": "Policy Assignments (Management Group scope)", "description": "This module deploys a Policy Assignment at a Management Group scope.", diff --git a/modules/authorization/policy-assignment/resource-group/README.md b/modules/authorization/policy-assignment/resource-group/README.md index 6ed90b07ac..fa03fd32ea 100644 --- a/modules/authorization/policy-assignment/resource-group/README.md +++ b/modules/authorization/policy-assignment/resource-group/README.md 
@@ -20,36 +20,162 @@ This module deploys a Policy Assignment at a Resource Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. | -| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. | +| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. | +| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | This message will be part of response in case of policy violation. | -| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. | -| `notScopes` | array | `[]` | | The policy excluded scopes. | -| `overrides` | array | `[]` | | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. | -| `resourceGroupName` | string | `[resourceGroup().name]` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | -| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | +| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | +| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | +| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | +| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. 
| +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | +| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | +| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | + +### Parameter: `description` + +This message will be part of response in case of policy violation. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy assignment. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enforcementMode` + +The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. 
+- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, DoNotEnforce]` + +### Parameter: `identity` + +The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. +- Required: No +- Type: string +- Default: `'SystemAssigned'` +- Allowed: `[None, SystemAssigned, UserAssigned]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `metadata` + +The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. +- Required: Yes +- Type: string + +### Parameter: `nonComplianceMessages` + +The messages that describe why a resource is non-compliant with the policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notScopes` + +The policy excluded scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `overrides` + +The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `parameters` + +Parameters for the policy assignment if needed. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. +- Required: Yes +- Type: string + +### Parameter: `resourceGroupName` + +The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. 
+- Required: No +- Type: string +- Default: `[resourceGroup().name]` + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleDefinitionIds` + +The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subscriptionId` + +The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` + +### Parameter: `userAssignedIdentityId` + +The Resource ID for the user assigned identity to assign to the policy assignment. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | Policy Assignment Name. | diff --git a/modules/authorization/policy-assignment/resource-group/main.json b/modules/authorization/policy-assignment/resource-group/main.json index 91b95356eb..65912a4b91 100644 --- a/modules/authorization/policy-assignment/resource-group/main.json +++ b/modules/authorization/policy-assignment/resource-group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18205418867751406787" + "version": "0.22.6.54827", + "templateHash": "15032410491892224041" }, "name": "Policy Assignments (Resource Group scope)", "description": "This module deploys a Policy Assignment at a Resource Group scope.", diff --git a/modules/authorization/policy-assignment/subscription/README.md b/modules/authorization/policy-assignment/subscription/README.md index 26810db431..c861c6e6c7 100644 --- a/modules/authorization/policy-assignment/subscription/README.md +++ b/modules/authorization/policy-assignment/subscription/README.md 
@@ -20,35 +20,154 @@ This module deploys a Policy Assignment at a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. | -| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. | +| [`name`](#parameter-name) | string | Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. | +| [`policyDefinitionId`](#parameter-policydefinitionid) | string | Specifies the ID of the policy definition or policy set definition being assigned. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | This message will be part of response in case of policy violation. | -| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | -| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | -| `location` | string | `[deployment().location]` | | Location for all resources. | -| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. | -| `notScopes` | array | `[]` | | The policy excluded scopes. | -| `overrides` | array | `[]` | | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | -| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | -| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | -| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enforcementMode`](#parameter-enforcementmode) | string | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. | +| [`identity`](#parameter-identity) | string | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`metadata`](#parameter-metadata) | object | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`nonComplianceMessages`](#parameter-noncompliancemessages) | array | The messages that describe why a resource is non-compliant with the policy. | +| [`notScopes`](#parameter-notscopes) | array | The policy excluded scopes. | +| [`overrides`](#parameter-overrides) | array | The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. | +| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. | +| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. 
See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | +| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | + +### Parameter: `description` + +This message will be part of response in case of policy violation. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy assignment. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enforcementMode` + +The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, DoNotEnforce]` + +### Parameter: `identity` + +The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. +- Required: No +- Type: string +- Default: `'SystemAssigned'` +- Allowed: `[None, SystemAssigned, UserAssigned]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `metadata` + +The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy assignment. 
Maximum length is 64 characters for subscription scope. +- Required: Yes +- Type: string + +### Parameter: `nonComplianceMessages` + +The messages that describe why a resource is non-compliant with the policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notScopes` + +The policy excluded scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `overrides` + +The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `parameters` + +Parameters for the policy assignment if needed. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. +- Required: Yes +- Type: string + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleDefinitionIds` + +The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subscriptionId` + +The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. 
If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` + +### Parameter: `userAssignedIdentityId` + +The Resource ID for the user assigned identity to assign to the policy assignment. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | Policy Assignment Name. | diff --git a/modules/authorization/policy-assignment/subscription/main.json b/modules/authorization/policy-assignment/subscription/main.json index 24a4662eca..5d6deb533a 100644 --- a/modules/authorization/policy-assignment/subscription/main.json +++ b/modules/authorization/policy-assignment/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13568773713405945676" + "version": "0.22.6.54827", + "templateHash": "1296030047986147440" }, "name": "Policy Assignments (Subscription scope)", "description": "This module deploys a Policy Assignment at a Subscription scope.", diff --git a/modules/authorization/policy-definition/README.md b/modules/authorization/policy-definition/README.md index eea97f4ec3..97138d3db8 100644 --- a/modules/authorization/policy-definition/README.md +++ b/modules/authorization/policy-definition/README.md 
@@ -4,70 +4,40 @@ This module deploys a Policy Definition at a Management Group or Subscription sc ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/policyDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. | -| `policyRule` | object | The Policy Rule details for the Policy Definition. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | The policy definition description. | -| `displayName` | string | `''` | | The display name of the policy definition. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | -| `metadata` | object | `{object}` | | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| `mode` | string | `'All'` | `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `parameters` | object | `{object}` | | The policy definition parameters that can be used in policy definition references. | -| `subscriptionId` | string | `''` | | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Definition Name. | -| `resourceId` | string | Policy Definition resource ID. | -| `roleDefinitionIds` | array | Policy Definition Role Definition IDs. | +## Usage examples -## Cross-referenced modules - -_None_ +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-definition:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Sub.Common](#example-3-subcommon) +- [Sub.Min](#example-4-submin) -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module policyDefinition './authorization/policy-definition/main.bicep' = { +module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apdmgcom' params: { // Required parameters @@ -215,14 +185,14 @@ module policyDefinition './authorization/policy-definition/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module policyDefinition './authorization/policy-definition/main.bicep' = { +module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apdmgmin' params: { // Required parameters @@ -308,14 +278,14 @@ module policyDefinition './authorization/policy-definition/main.bicep' = {

-

Example 3: Sub.Common

+### Example 3: _Sub.Common_
via Bicep module ```bicep -module policyDefinition './authorization/policy-definition/main.bicep' = { +module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apdsubcom' params: { // Required parameters @@ -463,14 +433,14 @@ module policyDefinition './authorization/policy-definition/main.bicep' = {

-

Example 4: Sub.Min

+### Example 4: _Sub.Min_
via Bicep module ```bicep -module policyDefinition './authorization/policy-definition/main.bicep' = { +module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apdsubmin' params: { // Required parameters @@ -557,6 +527,118 @@ module policyDefinition './authorization/policy-definition/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. | +| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The policy definition description. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | +| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | +| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | + +### Parameter: `description` + +The policy definition description. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy definition. Maximum length is 128 characters. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `metadata` + +The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mode` + +The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. +- Required: No +- Type: string +- Default: `'All'` +- Allowed: `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` + +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. +- Required: Yes +- Type: string + +### Parameter: `parameters` + +The policy definition parameters that can be used in policy definition references. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyRule` + +The Policy Rule details for the Policy Definition. +- Required: Yes +- Type: object + +### Parameter: `subscriptionId` + +The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | Policy Definition Name. | +| `resourceId` | string | Policy Definition resource ID. | +| `roleDefinitionIds` | array | Policy Definition Role Definition IDs. 
| + +## Cross-referenced modules + +_None_ + ## Notes ### Module Usage Guidance diff --git a/modules/authorization/policy-definition/main.json b/modules/authorization/policy-definition/main.json index 2d366af87f..0667382c4a 100644 --- a/modules/authorization/policy-definition/main.json +++ b/modules/authorization/policy-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15749498802750084340" + "version": "0.22.6.54827", + "templateHash": "12398926446776214850" }, "name": "Policy Definitions (All scopes)", "description": "This module deploys a Policy Definition at a Management Group or Subscription scope.", @@ -156,8 +156,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17859945353406314149" + "version": "0.22.6.54827", + "templateHash": "3632302304949681871" }, "name": "Policy Definitions (Management Group scope)", "description": "This module deploys a Policy Definition at a Management Group scope.", @@ -332,8 +332,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7453988849629465072" + "version": "0.22.6.54827", + "templateHash": "15610043692526006499" }, "name": "Policy Definitions (Subscription scope)", "description": "This module deploys a Policy Definition at a Subscription scope.", diff --git a/modules/authorization/policy-definition/management-group/README.md b/modules/authorization/policy-definition/management-group/README.md index 01780427c6..d09b6aad3e 100644 --- a/modules/authorization/policy-definition/management-group/README.md +++ b/modules/authorization/policy-definition/management-group/README.md 
@@ -19,27 +19,89 @@ This module deploys a Policy Definition at a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy definition. Maximum length is 64 characters. | -| `policyRule` | object | The Policy Rule details for the Policy Definition. | +| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters. | +| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | The policy definition description. | -| `displayName` | string | `''` | | The display name of the policy definition. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `metadata` | object | `{object}` | | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `mode` | string | `'All'` | `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `parameters` | object | `{object}` | | The policy definition parameters that can be used in policy definition references. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The policy definition description. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | +| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | + +### Parameter: `description` + +The policy definition description. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy definition. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `metadata` + +The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mode` + +The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. +- Required: No +- Type: string +- Default: `'All'` +- Allowed: `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` + +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters. 
+- Required: Yes
+- Type: string
+
+### Parameter: `parameters`
+
+The policy definition parameters that can be used in policy definition references.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `policyRule`
+
+The Policy Rule details for the Policy Definition.
+- Required: Yes
+- Type: object
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Definition Name. |
 | `resourceId` | string | Policy Definition resource ID. |
diff --git a/modules/authorization/policy-definition/management-group/main.json b/modules/authorization/policy-definition/management-group/main.json
index c1d82a9803..0c99261e72 100644
--- a/modules/authorization/policy-definition/management-group/main.json
+++ b/modules/authorization/policy-definition/management-group/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "14890815799488372081"
+ "version": "0.22.6.54827",
+ "templateHash": "3632302304949681871"
 },
 "name": "Policy Definitions (Management Group scope)",
 "description": "This module deploys a Policy Definition at a Management Group scope.",
diff --git a/modules/authorization/policy-definition/subscription/README.md b/modules/authorization/policy-definition/subscription/README.md
index 2557236387..acb2ee448d 100644
--- a/modules/authorization/policy-definition/subscription/README.md
+++ b/modules/authorization/policy-definition/subscription/README.md
@@ -19,27 +19,89 @@ This module deploys a Policy Definition at a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy definition. Maximum length is 64 characters. | -| `policyRule` | object | The Policy Rule details for the Policy Definition. | +| [`name`](#parameter-name) | string | Specifies the name of the policy definition. Maximum length is 64 characters. | +| [`policyRule`](#parameter-policyrule) | object | The Policy Rule details for the Policy Definition. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | The policy definition description. | -| `displayName` | string | `''` | | The display name of the policy definition. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `metadata` | object | `{object}` | | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `mode` | string | `'All'` | `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `parameters` | object | `{object}` | | The policy definition parameters that can be used in policy definition references. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The policy definition description. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy definition. Maximum length is 128 characters. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`metadata`](#parameter-metadata) | object | The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | +| [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | + +### Parameter: `description` + +The policy definition description. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy definition. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `metadata` + +The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mode` + +The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. +- Required: No +- Type: string +- Default: `'All'` +- Allowed: `[All, Indexed, Microsoft.ContainerService.Data, Microsoft.KeyVault.Data, Microsoft.Kubernetes.Data, Microsoft.Network.Data]` + +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters. 
+- Required: Yes
+- Type: string
+
+### Parameter: `parameters`
+
+The policy definition parameters that can be used in policy definition references.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `policyRule`
+
+The Policy Rule details for the Policy Definition.
+- Required: Yes
+- Type: object
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Definition Name. |
 | `resourceId` | string | Policy Definition resource ID. |
diff --git a/modules/authorization/policy-definition/subscription/main.json b/modules/authorization/policy-definition/subscription/main.json
index 9d45f6df13..d765d1b498 100644
--- a/modules/authorization/policy-definition/subscription/main.json
+++ b/modules/authorization/policy-definition/subscription/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "14434059777291440353"
+ "version": "0.22.6.54827",
+ "templateHash": "15610043692526006499"
 },
 "name": "Policy Definitions (Subscription scope)",
 "description": "This module deploys a Policy Definition at a Subscription scope.",
diff --git a/modules/authorization/policy-exemption/README.md b/modules/authorization/policy-exemption/README.md
index 50aeb359a3..c7ed13229a 100644
--- a/modules/authorization/policy-exemption/README.md
+++ b/modules/authorization/policy-exemption/README.md
@@ -4,74 +4,42 @@ This module deploys a Policy Exemption at a Management Group, Subscription or Re ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that is being exempted. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `assignmentScopeValidation` | string | `''` | `['', Default, DoNotValidate]` | The option whether validate the exemption is at or under the assignment scope. | -| `description` | string | `''` | | The description of the policy exemption. | -| `displayName` | string | `''` | | The display name of the policy exemption. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exemptionCategory` | string | `'Mitigated'` | `[Mitigated, Waiver]` | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | -| `expiresOn` | string | `''` | | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. 
| -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | | The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | -| `metadata` | object | `{object}` | | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `policyDefinitionReferenceIds` | array | `[]` | | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | -| `resourceGroupName` | string | `''` | | The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. | -| `subscriptionId` | string | `''` | | The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Exemption Name. | -| `resourceId` | string | Policy Exemption resource ID. | -| `scope` | string | Policy Exemption Scope. | - -## Cross-referenced modules +## Usage examples -_None_ +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-exemption:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apemgcom' params: { // Required parameters @@ -177,14 +145,14 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apemgmin' params: { // Required parameters @@ -226,14 +194,14 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

-

Example 3: Rg.Common

+### Example 3: _Rg.Common_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apergcom' params: { // Required parameters @@ -339,14 +307,14 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

-

Example 4: Rg.Min

+### Example 4: _Rg.Min_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apergmin' params: { // Required parameters @@ -388,14 +356,14 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

-

Example 5: Sub.Common

+### Example 5: _Sub.Common_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apesubcom' params: { // Required parameters @@ -501,14 +469,14 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

-

Example 6: Sub.Min

+### Example 6: _Sub.Min_
via Bicep module ```bicep -module policyExemption './authorization/policy-exemption/main.bicep' = { +module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apesubmin' params: { // Required parameters @@ -551,6 +519,151 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. | +| [`description`](#parameter-description) | string | The description of the policy exemption. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | +| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | +| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| +| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. | + +### Parameter: `assignmentScopeValidation` + +The option whether validate the exemption is at or under the assignment scope. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Default, DoNotValidate]` + +### Parameter: `description` + +The description of the policy exemption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy exemption. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exemptionCategory` + +The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. +- Required: No +- Type: string +- Default: `'Mitigated'` +- Allowed: `[Mitigated, Waiver]` + +### Parameter: `expiresOn` + +The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location deployment metadata. 
+- Required: No
+- Type: string
+- Default: `[deployment().location]`
+
+### Parameter: `managementGroupId`
+
+The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment.
+- Required: No
+- Type: string
+- Default: `[managementGroup().name]`
+
+### Parameter: `metadata`
+
+The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes.
+- Required: Yes
+- Type: string
+
+### Parameter: `policyAssignmentId`
+
+The resource ID of the policy assignment that is being exempted.
+- Required: Yes
+- Type: string
+
+### Parameter: `policyDefinitionReferenceIds`
+
+The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `resourceGroupName`
+
+The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `resourceSelectors`
+
+The resource selector list to filter policies by resource properties.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `subscriptionId`
+
+The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter.
+- Required: No
+- Type: string
+- Default: `''`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Exemption Name. |
+| `resourceId` | string | Policy Exemption resource ID. |
+| `scope` | string | Policy Exemption Scope. |
+
+## Cross-referenced modules
+
+_None_
+
 ## Notes
 ### Module Usage Guidance
diff --git a/modules/authorization/policy-exemption/main.json b/modules/authorization/policy-exemption/main.json
index a870d46d9b..37bb291bf4 100644
--- a/modules/authorization/policy-exemption/main.json
+++ b/modules/authorization/policy-exemption/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7537469788100455482"
+ "version": "0.22.6.54827",
+ "templateHash": "5596643679633132129"
 },
 "name": "Policy Exemptions (All scopes)",
 "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.",
@@ -202,8 +202,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5811278633353778987"
+ "version": "0.22.6.54827",
+ "templateHash": "5606667569084267633"
 },
 "name": "Policy Exemptions (Management Group scope)",
 "description": "This module deploys a Policy Exemption at a Management Group scope.",
@@ -413,8 +413,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16790622898117117515"
+ "version": "0.22.6.54827",
+ "templateHash": "10613705515536903891"
 },
 "name": "Policy Exemptions (Subscription scope)",
 "description": "This module deploys a Policy Exemption at a Subscription scope.",
@@ -621,8 +621,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15066914920145194393"
+ "version": "0.22.6.54827",
+ "templateHash": "17689607806582642174"
 },
 "name": "Policy Exemptions (Resource Group scope)",
 "description": "This module deploys a Policy Exemption at a Resource Group scope.",
diff --git a/modules/authorization/policy-exemption/management-group/README.md b/modules/authorization/policy-exemption/management-group/README.md
index 1bfb787eab..7cca1936a3 100644
--- a/modules/authorization/policy-exemption/management-group/README.md
+++ b/modules/authorization/policy-exemption/management-group/README.md
@@ -19,30 +19,114 @@ This module deploys a Policy Exemption at a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that is being exempted. | +| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `assignmentScopeValidation` | string | `''` | `['', Default, DoNotValidate]` | The option whether validate the exemption is at or under the assignment scope. | -| `description` | string | `''` | | The description of the policy exemption. | -| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exemptionCategory` | string | `'Mitigated'` | `[Mitigated, Waiver]` | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | -| `expiresOn` | string | `''` | | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `metadata` | object | `{object}` | | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| `policyDefinitionReferenceIds` | array | `[]` | | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | -| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. | +| [`description`](#parameter-description) | string | The description of the policy exemption. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | +| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | + +### Parameter: `assignmentScopeValidation` + +The option whether validate the exemption is at or under the assignment scope. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Default, DoNotValidate]` + +### Parameter: `description` + +The description of the policy exemption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy assignment. Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exemptionCategory` + +The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. +- Required: No +- Type: string +- Default: `'Mitigated'` +- Allowed: `[Mitigated, Waiver]` + +### Parameter: `expiresOn` + +The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `metadata` + +The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceIds` + +The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. 
+- Required: No
+- Type: array
+- Default: `[]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Exemption Name. |
 | `resourceId` | string | Policy Exemption resource ID. |
diff --git a/modules/authorization/policy-exemption/management-group/main.json b/modules/authorization/policy-exemption/management-group/main.json
index 9d9e463ba8..8271a1ee56 100644
--- a/modules/authorization/policy-exemption/management-group/main.json
+++ b/modules/authorization/policy-exemption/management-group/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "17592627855612646241"
+ "version": "0.22.6.54827",
+ "templateHash": "5606667569084267633"
 },
 "name": "Policy Exemptions (Management Group scope)",
 "description": "This module deploys a Policy Exemption at a Management Group scope.",
diff --git a/modules/authorization/policy-exemption/resource-group/README.md b/modules/authorization/policy-exemption/resource-group/README.md
index 7fd6faa68a..cc3f54c9b9 100644
--- a/modules/authorization/policy-exemption/resource-group/README.md
+++ b/modules/authorization/policy-exemption/resource-group/README.md
@@ -19,29 +19,106 @@ This module deploys a Policy Exemption at a Resource Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that is being exempted. | +| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `assignmentScopeValidation` | string | `''` | `['', Default, DoNotValidate]` | The option whether validate the exemption is at or under the assignment scope. | -| `description` | string | `''` | | The description of the policy exemption. | -| `displayName` | string | `''` | | The display name of the policy exemption. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exemptionCategory` | string | `'Mitigated'` | `[Mitigated, Waiver]` | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | -| `expiresOn` | string | `''` | | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | -| `metadata` | object | `{object}` | | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `policyDefinitionReferenceIds` | array | `[]` | | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. 
|
-| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. |
+| [`description`](#parameter-description) | string | The description of the policy exemption. |
+| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. |
+| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. |
+| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. |
+
+### Parameter: `assignmentScopeValidation`
+
+The option whether validate the exemption is at or under the assignment scope.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Default, DoNotValidate]`
+
+### Parameter: `description`
+
+The description of the policy exemption.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `displayName`
+
+The display name of the policy exemption. 
Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exemptionCategory` + +The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. +- Required: No +- Type: string +- Default: `'Mitigated'` +- Allowed: `[Mitigated, Waiver]` + +### Parameter: `expiresOn` + +The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `metadata` + +The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceIds` + +The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Exemption Name. | | `resourceGroupName` | string | The name of the resource group the policy exemption was applied at. | diff --git a/modules/authorization/policy-exemption/resource-group/main.json b/modules/authorization/policy-exemption/resource-group/main.json index f9d5590f54..8672a1ff5d 100644 
--- a/modules/authorization/policy-exemption/resource-group/main.json +++ b/modules/authorization/policy-exemption/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13048294777047698866" + "version": "0.22.6.54827", + "templateHash": "17689607806582642174" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a Policy Exemption at a Resource Group scope.", diff --git a/modules/authorization/policy-exemption/subscription/README.md b/modules/authorization/policy-exemption/subscription/README.md index 82e45d2349..8094b8371f 100644 --- a/modules/authorization/policy-exemption/subscription/README.md +++ b/modules/authorization/policy-exemption/subscription/README.md 
@@ -19,30 +19,114 @@ This module deploys a Policy Exemption at a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that is being exempted. | +| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that is being exempted. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `assignmentScopeValidation` | string | `''` | `['', Default, DoNotValidate]` | The option whether validate the exemption is at or under the assignment scope. | -| `description` | string | `''` | | The description of the policy exemption. | -| `displayName` | string | `''` | | The display name of the policy exemption. Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exemptionCategory` | string | `'Mitigated'` | `[Mitigated, Waiver]` | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. | -| `expiresOn` | string | `''` | | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `metadata` | object | `{object}` | | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
|
-| `policyDefinitionReferenceIds` | array | `[]` | | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| `resourceSelectors` | array | `[]` | | The resource selector list to filter policies by resource properties. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option whether validate the exemption is at or under the assignment scope. |
+| [`description`](#parameter-description) | string | The description of the policy exemption. |
+| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. |
+| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. |
+| [`location`](#parameter-location) | string | Location deployment metadata. |
+| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. |
+
+### Parameter: `assignmentScopeValidation`
+
+The option whether validate the exemption is at or under the assignment scope.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Default, DoNotValidate]`
+
+### Parameter: `description`
+
+The description of the policy exemption.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `displayName`
+
+The display name of the policy exemption. Maximum length is 128 characters.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `exemptionCategory`
+
+The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated.
+- Required: No
+- Type: string
+- Default: `'Mitigated'`
+- Allowed: `[Mitigated, Waiver]`
+
+### Parameter: `expiresOn`
+
+The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+Location deployment metadata.
+- Required: No
+- Type: string
+- Default: `[deployment().location]`
+
+### Parameter: `metadata`
+
+The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.
+- Required: Yes
+- Type: string
+
+### Parameter: `policyAssignmentId`
+
+The resource ID of the policy assignment that is being exempted.
+- Required: Yes
+- Type: string
+
+### Parameter: `policyDefinitionReferenceIds`
+
+The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `resourceSelectors`
+
+The resource selector list to filter policies by resource properties.
+- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Exemption Name. | | `resourceId` | string | Policy Exemption resource ID. | diff --git a/modules/authorization/policy-exemption/subscription/main.json b/modules/authorization/policy-exemption/subscription/main.json index 2418e1af36..b9bce72b18 100644 --- a/modules/authorization/policy-exemption/subscription/main.json +++ b/modules/authorization/policy-exemption/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5067037150154630010" + "version": "0.22.6.54827", + "templateHash": "10613705515536903891" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a Policy Exemption at a Subscription scope.", diff --git a/modules/authorization/policy-set-definition/README.md b/modules/authorization/policy-set-definition/README.md index aba3a1620c..89f2a0fba8 100644 --- a/modules/authorization/policy-set-definition/README.md +++ b/modules/authorization/policy-set-definition/README.md 
@@ -4,69 +4,40 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group o ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/policySetDefinitions` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy Set Definition (Initiative). | -| `policyDefinitions` | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | The description name of the Set Definition (Initiative). | -| `displayName` | string | `''` | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | -| `metadata` | object | `{object}` | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. 
| -| `parameters` | object | `{object}` | The Set Definition (Initiative) parameters that can be used in policy definition references. | -| `policyDefinitionGroups` | array | `[]` | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | -| `subscriptionId` | string | `''` | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Policy Set Definition Name. | -| `resourceId` | string | Policy Set Definition resource ID. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.policy-set-definition:1.0.0`. -## Deployment examples +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Sub.Common](#example-3-subcommon) +- [Sub.Min](#example-4-submin) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module policySetDefinition './authorization/policy-set-definition/main.bicep' = { +module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apsdmgcom' params: { // Required parameters @@ -202,14 +173,14 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module policySetDefinition './authorization/policy-set-definition/main.bicep' = { +module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apsdmgmin' params: { // Required parameters @@ -273,14 +244,14 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =

-

Example 3: Sub.Common

+### Example 3: _Sub.Common_
via Bicep module ```bicep -module policySetDefinition './authorization/policy-set-definition/main.bicep' = { +module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apsdsubcom' params: { // Required parameters @@ -416,14 +387,14 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =

-

Example 4: Sub.Min

+### Example 4: _Sub.Min_
via Bicep module ```bicep -module policySetDefinition './authorization/policy-set-definition/main.bicep' = { +module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-apsdsubmin' params: { // Required parameters @@ -488,6 +459,116 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =

+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). |
+| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). |
+| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location deployment metadata. |
+| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. |
+| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. |
+| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
+| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. |
+
+### Parameter: `description`
+
+The description name of the Set Definition (Initiative).
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `displayName`
+
+The display name of the Set Definition (Initiative). Maximum length is 128 characters.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location deployment metadata.
+- Required: No
+- Type: string
+- Default: `[deployment().location]`
+
+### Parameter: `managementGroupId`
+
+The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.
+- Required: No
+- Type: string
+- Default: `[managementGroup().name]`
+
+### Parameter: `metadata`
+
+The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Specifies the name of the policy Set Definition (Initiative).
+- Required: Yes
+- Type: string
+
+### Parameter: `parameters`
+
+The Set Definition (Initiative) parameters that can be used in policy definition references.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `policyDefinitionGroups`
+
+The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `policyDefinitions`
+
+The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
+- Required: Yes
+- Type: array
+
+### Parameter: `subscriptionId`
+
+The subscription ID of the subscription (Scope). Cannot be used with managementGroupId.
+- Required: No
+- Type: string
+- Default: `''`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Set Definition Name. 
| +| `resourceId` | string | Policy Set Definition resource ID. | + +## Cross-referenced modules + +_None_ + ## Notes ### Module Usage Guidance diff --git a/modules/authorization/policy-set-definition/main.json b/modules/authorization/policy-set-definition/main.json index 4416cb72bf..d0051bf41a 100644 --- a/modules/authorization/policy-set-definition/main.json +++ b/modules/authorization/policy-set-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1831706179623308969" + "version": "0.22.6.54827", + "templateHash": "9153336425223705834" }, "name": "Policy Set Definitions (Initiatives) (All scopes)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group or Subscription scope.", @@ -146,8 +146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9278231745561513332" + "version": "0.22.6.54827", + "templateHash": "13574874097410910980" }, "name": "Policy Set Definitions (Initiatives) (Management Group scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", @@ -305,8 +305,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3357776167220688626" + "version": "0.22.6.54827", + "templateHash": "566743094418434146" }, "name": "Policy Set Definitions (Initiatives) (Subscription scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", diff --git a/modules/authorization/policy-set-definition/management-group/README.md b/modules/authorization/policy-set-definition/management-group/README.md index 40de7bcd60..6e0a971597 100644 --- a/modules/authorization/policy-set-definition/management-group/README.md +++ b/modules/authorization/policy-set-definition/management-group/README.md 
@@ -19,27 +19,88 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group s **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy Set Definition (Initiative). | -| `policyDefinitions` | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | +| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). | +| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | The description name of the Set Definition (Initiative). | -| `displayName` | string | `''` | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `metadata` | object | `{object}` | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `parameters` | object | `{object}` | The Set Definition (Initiative) parameters that can be used in policy definition references. | -| `policyDefinitionGroups` | array | `[]` | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). 
|
+| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location deployment metadata. |
+| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. |
+| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
+
+### Parameter: `description`
+
+The description name of the Set Definition (Initiative).
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `displayName`
+
+The display name of the Set Definition (Initiative). Maximum length is 128 characters.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location deployment metadata.
+- Required: No
+- Type: string
+- Default: `[deployment().location]`
+
+### Parameter: `metadata`
+
+The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Specifies the name of the policy Set Definition (Initiative).
+- Required: Yes
+- Type: string
+
+### Parameter: `parameters`
+
+The Set Definition (Initiative) parameters that can be used in policy definition references.
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionGroups` + +The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `policyDefinitions` + +The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. +- Required: Yes +- Type: array ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Set Definition Name. | | `resourceId` | string | Policy Set Definition resource ID. | diff --git a/modules/authorization/policy-set-definition/management-group/main.json b/modules/authorization/policy-set-definition/management-group/main.json index baa439be6e..9b627357b6 100644 --- a/modules/authorization/policy-set-definition/management-group/main.json +++ b/modules/authorization/policy-set-definition/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1638152228410583836" + "version": "0.22.6.54827", + "templateHash": "13574874097410910980" }, "name": "Policy Set Definitions (Initiatives) (Management Group scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", diff --git a/modules/authorization/policy-set-definition/subscription/README.md b/modules/authorization/policy-set-definition/subscription/README.md index 64b2597fe0..8b0f87ad46 100644 --- a/modules/authorization/policy-set-definition/subscription/README.md +++ b/modules/authorization/policy-set-definition/subscription/README.md 
@@ -19,27 +19,88 @@ This module deploys a Policy Set Definition (Initiative) at a Subscription scope **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. | -| `policyDefinitions` | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | +| [`name`](#parameter-name) | string | Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. | +| [`policyDefinitions`](#parameter-policydefinitions) | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | The description name of the Set Definition (Initiative). | -| `displayName` | string | `''` | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `metadata` | object | `{object}` | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `parameters` | object | `{object}` | The Set Definition (Initiative) parameters that can be used in policy definition references. | -| `policyDefinitionGroups` | array | `[]` | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The description name of the Set Definition (Initiative). | +| [`displayName`](#parameter-displayname) | string | The display name of the Set Definition (Initiative). Maximum length is 128 characters. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`metadata`](#parameter-metadata) | object | The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. | +| [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | + +### Parameter: `description` + +The description name of the Set Definition (Initiative). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the Set Definition (Initiative). Maximum length is 128 characters. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `metadata` + +The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. 
+- Required: Yes +- Type: string + +### Parameter: `parameters` + +The Set Definition (Initiative) parameters that can be used in policy definition references. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `policyDefinitionGroups` + +The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `policyDefinitions` + +The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. +- Required: Yes +- Type: array ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Set Definition Name. | | `resourceId` | string | Policy Set Definition resource ID. | diff --git a/modules/authorization/policy-set-definition/subscription/main.json b/modules/authorization/policy-set-definition/subscription/main.json index 430128e583..4f8ea43907 100644 --- a/modules/authorization/policy-set-definition/subscription/main.json +++ b/modules/authorization/policy-set-definition/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8864751360907211482" + "version": "0.22.6.54827", + "templateHash": "566743094418434146" }, "name": "Policy Set Definitions (Initiatives) (Subscription scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", diff --git a/modules/authorization/role-assignment/README.md b/modules/authorization/role-assignment/README.md index 005701544c..6f4fc01610 100644 --- a/modules/authorization/role-assignment/README.md +++ b/modules/authorization/role-assignment/README.md 
@@ -4,71 +4,42 @@ This module deploys a Role Assignment at a Management Group, Subscription or Res ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `principalId` | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| `roleDefinitionIdOrName` | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `condition` | string | `''` | | The conditions on the role assignment. This limits the resources it can be assigned to. | -| `conditionVersion` | string | `'2.0'` | `[2.0]` | Version of the condition. Currently accepted value is "2.0". | -| `delegatedManagedIdentityResourceId` | string | `''` | | ID of the delegated managed identity resource. | -| `description` | string | `''` | | The description of the role assignment. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | -| `principalType` | string | `''` | `['', Device, ForeignGroup, Group, ServicePrincipal, User]` | The principal type of the assigned principal ID. | -| `resourceGroupName` | string | `''` | | Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. | -| `subscriptionId` | string | `''` | | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | - - -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. | -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.role-assignment:1.0.0`. -## Deployment examples +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. 
- >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-aramgcom' params: { // Required parameters @@ -122,14 +93,14 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-aramgmin' params: { // Required parameters @@ -175,14 +146,14 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

-

Example 3: Rg.Common

+### Example 3: _Rg.Common_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-arargcom' params: { // Required parameters @@ -240,14 +211,14 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

-

Example 4: Rg.Min

+### Example 4: _Rg.Min_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-arargmin' params: { // Required parameters @@ -301,14 +272,14 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

-

Example 5: Sub.Common

+### Example 5: _Sub.Common_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-arasubcom' params: { // Required parameters @@ -362,14 +333,14 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

-

Example 6: Sub.Min

+### Example 6: _Sub.Min_
via Bicep module ```bicep -module roleAssignment './authorization/role-assignment/main.bicep' = { +module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = { name: '${uniqueString(deployment().name)}-test-arasubmin' params: { // Required parameters @@ -420,6 +391,127 @@ module roleAssignment './authorization/role-assignment/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. 
| +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: `[2.0]` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). +- Required: Yes +- Type: string + +### Parameter: `principalType` + +The principal type of the assigned principal ID. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the RBAC role to. 
If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `scope` | string | The scope this Role Assignment applies to. | + +## Cross-referenced modules + +_None_ + ## Notes ### Module Usage Guidance diff --git a/modules/authorization/role-assignment/main.json b/modules/authorization/role-assignment/main.json index 23f3d4897d..0cf8880ab7 100644 --- a/modules/authorization/role-assignment/main.json +++ b/modules/authorization/role-assignment/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14335081108343042206" + "version": "0.22.6.54827", + "templateHash": "807341397297135440" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", 
@@ -167,8 +167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6412111068130570787" + "version": "0.22.6.54827", + "templateHash": "3058280694250439865" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", @@ -756,8 +756,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15330444935750176887" + "version": "0.22.6.54827", + "templateHash": "1741591761510469286" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", @@ -1345,8 +1345,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11095586144343595797" + "version": "0.22.6.54827", + "templateHash": "13714993030578518060" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", diff --git a/modules/authorization/role-assignment/management-group/README.md b/modules/authorization/role-assignment/management-group/README.md index 911ac2c8e6..2166992af8 100644 --- a/modules/authorization/role-assignment/management-group/README.md +++ b/modules/authorization/role-assignment/management-group/README.md 
@@ -19,28 +19,98 @@ This module deploys a Role Assignment at a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `principalId` | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| `roleDefinitionIdOrName` | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `condition` | string | `''` | | The conditions on the role assignment. This limits the resources it can be assigned to. | -| `conditionVersion` | string | `'2.0'` | `[2.0]` | Version of the condition. Currently accepted value is "2.0". | -| `delegatedManagedIdentityResourceId` | string | `''` | | ID of the delegated managed identity resource. | -| `description` | string | `''` | | The description of the role assignment. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. 
| -| `principalType` | string | `''` | `['', Device, ForeignGroup, Group, ServicePrincipal, User]` | The principal type of the assigned principal ID. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: `[2.0]` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). +- Required: Yes +- Type: string + +### Parameter: `principalType` + +The principal type of the assigned principal ID. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment. | | `resourceId` | string | The resource ID of the Role Assignment. | diff --git a/modules/authorization/role-assignment/management-group/main.json b/modules/authorization/role-assignment/management-group/main.json index 5356f24b6f..c7695ece43 100644 --- a/modules/authorization/role-assignment/management-group/main.json +++ b/modules/authorization/role-assignment/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5116103670131987468" + "version": "0.22.6.54827", + "templateHash": "3058280694250439865" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", 
diff --git a/modules/authorization/role-assignment/resource-group/README.md b/modules/authorization/role-assignment/resource-group/README.md index a2cd0959a5..3699890e4a 100644 --- a/modules/authorization/role-assignment/resource-group/README.md +++ b/modules/authorization/role-assignment/resource-group/README.md 
@@ -19,28 +19,98 @@ This module deploys a Role Assignment at a Resource Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `principalId` | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| `roleDefinitionIdOrName` | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `condition` | string | `''` | | The conditions on the role assignment. This limits the resources it can be assigned to. | -| `conditionVersion` | string | `'2.0'` | `[2.0]` | Version of the condition. Currently accepted value is "2.0". | -| `delegatedManagedIdentityResourceId` | string | `''` | | ID of the delegated managed identity resource. | -| `description` | string | `''` | | The description of the role assignment. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `principalType` | string | `''` | `['', Device, ForeignGroup, Group, ServicePrincipal, User]` | The principal type of the assigned principal ID. | -| `resourceGroupName` | string | `[resourceGroup().name]` | | Name of the Resource Group to assign the RBAC role to. 
If not provided, will use the current scope for deployment. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: `[2.0]` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). +- Required: Yes +- Type: string + +### Parameter: `principalType` + +The principal type of the assigned principal ID. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[resourceGroup().name]` + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment. | | `resourceGroupName` | string | The name of the resource group the role assignment was applied at. | diff --git a/modules/authorization/role-assignment/resource-group/main.json b/modules/authorization/role-assignment/resource-group/main.json index 056f28f034..3ce0469854 100644 --- a/modules/authorization/role-assignment/resource-group/main.json 
+++ b/modules/authorization/role-assignment/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1439450089488966223" + "version": "0.22.6.54827", + "templateHash": "13714993030578518060" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", diff --git a/modules/authorization/role-assignment/subscription/README.md b/modules/authorization/role-assignment/subscription/README.md index 58b5d059a4..cf374e9f4d 100644 --- a/modules/authorization/role-assignment/subscription/README.md +++ b/modules/authorization/role-assignment/subscription/README.md 
@@ -19,28 +19,98 @@ This module deploys a Role Assignment at a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `principalId` | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| `roleDefinitionIdOrName` | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `condition` | string | `''` | | The conditions on the role assignment. This limits the resources it can be assigned to. | -| `conditionVersion` | string | `'2.0'` | `[2.0]` | Version of the condition. Currently accepted value is "2.0". | -| `delegatedManagedIdentityResourceId` | string | `''` | | ID of the delegated managed identity resource. | -| `description` | string | `''` | | The description of the role assignment. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `principalType` | string | `''` | `['', Device, ForeignGroup, Group, ServicePrincipal, User]` | The principal type of the assigned principal ID. 
| -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: `[2.0]` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). +- Required: Yes +- Type: string + +### Parameter: `principalType` + +The principal type of the assigned principal ID. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment. | | `resourceId` | string | The resource ID of the Role Assignment. | diff --git a/modules/authorization/role-assignment/subscription/main.json b/modules/authorization/role-assignment/subscription/main.json index 751db130ed..12889ef5e5 100644 --- a/modules/authorization/role-assignment/subscription/main.json +++ b/modules/authorization/role-assignment/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "318736480892502738" + "version": "0.22.6.54827", + "templateHash": "1741591761510469286" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", 
diff --git a/modules/authorization/role-definition/README.md b/modules/authorization/role-definition/README.md
index 35163be1ba..0008ff66c4 100644
--- a/modules/authorization/role-definition/README.md
+++ b/modules/authorization/role-definition/README.md
@@ -4,71 +4,42 @@ This module deploys a Role Definition at a Management Group, Subscription or Res ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleDefinitions` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleDefinitions) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `roleName` | string | Name of the custom RBAC role to be created. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | List of allowed actions. | -| `assignableScopes` | array | `[]` | Role definition assignable scopes. If not provided, will use the current scope provided. | -| `dataActions` | array | `[]` | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `description` | string | `''` | Description of the custom RBAC role to be created. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. 
| -| `notActions` | array | `[]` | List of denied actions. | -| `notDataActions` | array | `[]` | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `resourceGroupName` | string | `''` | The name of the Resource Group where the Role Definition and Target Scope will be applied to. | -| `subscriptionId` | string | `''` | The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | - - -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Definition. | -| `resourceId` | string | The resource ID of the Role Definition. | -| `scope` | string | The scope this Role Definition applies to. | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.role-definition:1.0.0`. -## Deployment examples +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardmgcom' params: { // Required parameters @@ -140,14 +111,14 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardmgmin' params: { // Required parameters @@ -195,14 +166,14 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

-

Example 3: Rg.Common

+### Example 3: _Rg.Common_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardrgcom' params: { // Required parameters @@ -290,14 +261,14 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

-

Example 4: Rg.Min

+### Example 4: _Rg.Min_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardrgmin' params: { // Required parameters @@ -345,14 +316,14 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

-

Example 5: Sub.Common

+### Example 5: _Sub.Common_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardsubcom' params: { // Required parameters @@ -440,14 +411,14 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

-

Example 6: Sub.Min

+### Example 6: _Sub.Min_
via Bicep module ```bicep -module roleDefinition './authorization/role-definition/main.bicep' = { +module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-ardsubmin' params: { // Required parameters @@ -500,6 +471,126 @@ module roleDefinition './authorization/role-definition/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | List of allowed actions. | +| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. | +| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | +| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +| [`notActions`](#parameter-notactions) | array | List of denied actions. | +| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | + +### Parameter: `actions` + +List of allowed actions. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `assignableScopes` + +Role definition assignable scopes. If not provided, will use the current scope provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dataActions` + +List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +Description of the custom RBAC role to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `notActions` + +List of denied actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notDataActions` + +List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `resourceGroupName` + +The name of the Resource Group where the Role Definition and Target Scope will be applied to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleName` + +Name of the custom RBAC role to be created. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. 
+- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Definition. | +| `resourceId` | string | The resource ID of the Role Definition. | +| `scope` | string | The scope this Role Definition applies to. | + +## Cross-referenced modules + +_None_ + ## Notes ### Module Usage Guidance diff --git a/modules/authorization/role-definition/main.json b/modules/authorization/role-definition/main.json index cf31e78348..51ac23254d 100644 --- a/modules/authorization/role-definition/main.json +++ b/modules/authorization/role-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18292113724809460809" + "version": "0.22.6.54827", + "templateHash": "16702773762135222765" }, "name": "Role Definitions (All scopes)", "description": "This module deploys a Role Definition at a Management Group, Subscription or Resource Group scope.", @@ -151,8 +151,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1388091612585738122" + "version": "0.22.6.54827", + "templateHash": "5277764931156995532" }, "name": "Role Definitions (Management Group scope)", "description": "This module deploys a Role Definition at a Management Group scope.", @@ -313,8 +313,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11994641933581262080" + "version": "0.22.6.54827", + "templateHash": "5911596219403447648" }, "name": "Role Definitions (Subscription scope)", "description": "This module deploys a Role Definition at a Subscription scope.", 
@@ -491,8 +491,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "51591651981484766" + "version": "0.22.6.54827", + "templateHash": "15123790149450958610" }, "name": "Role Definitions (Resource Group scope)", "description": "This module deploys a Role Definition at a Resource Group scope.", diff --git a/modules/authorization/role-definition/management-group/README.md b/modules/authorization/role-definition/management-group/README.md index 02a11b45bc..e892466ced 100644 --- a/modules/authorization/role-definition/management-group/README.md +++ b/modules/authorization/role-definition/management-group/README.md 
@@ -19,26 +19,81 @@ This module deploys a Role Definition at a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `roleName` | string | Name of the custom RBAC role to be created. | +| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | List of allowed actions. | -| `assignableScopes` | array | `[]` | Role definition assignable scopes. If not provided, will use the current scope provided. | -| `description` | string | `''` | Description of the custom RBAC role to be created. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | -| `notActions` | array | `[]` | List of denied actions. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | List of allowed actions. | +| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. | +| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. 
| +| [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +| [`notActions`](#parameter-notactions) | array | List of denied actions. | + +### Parameter: `actions` + +List of allowed actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `assignableScopes` + +Role definition assignable scopes. If not provided, will use the current scope provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +Description of the custom RBAC role to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `notActions` + +List of denied actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleName` + +Name of the custom RBAC role to be created. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition. | | `resourceId` | string | The resource ID of the Role Definition. | diff --git a/modules/authorization/role-definition/management-group/main.json b/modules/authorization/role-definition/management-group/main.json index cc28a185f9..00d197b4e8 100644 --- a/modules/authorization/role-definition/management-group/main.json 
+++ b/modules/authorization/role-definition/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15321014984642305644" + "version": "0.22.6.54827", + "templateHash": "5277764931156995532" }, "name": "Role Definitions (Management Group scope)", "description": "This module deploys a Role Definition at a Management Group scope.", diff --git a/modules/authorization/role-definition/resource-group/README.md b/modules/authorization/role-definition/resource-group/README.md index 924c4eb112..1e5da9a0d7 100644 --- a/modules/authorization/role-definition/resource-group/README.md +++ b/modules/authorization/role-definition/resource-group/README.md 
@@ -19,28 +19,97 @@ This module deploys a Role Definition at a Resource Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `roleName` | string | Name of the custom RBAC role to be created. | +| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | List of allowed actions. | -| `assignableScopes` | array | `[]` | Role definition assignable scopes. If not provided, will use the current scope provided. | -| `dataActions` | array | `[]` | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `description` | string | `''` | Description of the custom RBAC role to be created. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `notActions` | array | `[]` | List of denied actions. | -| `notDataActions` | array | `[]` | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `resourceGroupName` | string | `[resourceGroup().name]` | The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | List of allowed actions. | +| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. 
| +| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | +| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`notActions`](#parameter-notactions) | array | List of denied actions. | +| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | + +### Parameter: `actions` + +List of allowed actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `assignableScopes` + +Role definition assignable scopes. If not provided, will use the current scope provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dataActions` + +List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +Description of the custom RBAC role to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `notActions` + +List of denied actions. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notDataActions` + +List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `resourceGroupName` + +The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[resourceGroup().name]` + +### Parameter: `roleName` + +Name of the custom RBAC role to be created. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition. | | `resourceGroupName` | string | The name of the resource group the role definition was created at. | diff --git a/modules/authorization/role-definition/resource-group/main.json b/modules/authorization/role-definition/resource-group/main.json index 734ae5e18c..c10d685cc7 100644 --- a/modules/authorization/role-definition/resource-group/main.json +++ b/modules/authorization/role-definition/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13735806028928031798" + "version": "0.22.6.54827", + "templateHash": "15123790149450958610" }, "name": "Role Definitions (Resource Group scope)", "description": "This module deploys a Role Definition at a Resource Group scope.", diff --git a/modules/authorization/role-definition/subscription/README.md b/modules/authorization/role-definition/subscription/README.md index 3bbd9894b0..e0f96a3894 100644 
--- a/modules/authorization/role-definition/subscription/README.md
+++ b/modules/authorization/role-definition/subscription/README.md
@@ -19,28 +19,97 @@ This module deploys a Role Definition at a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `roleName` | string | Name of the custom RBAC role to be created. | +| [`roleName`](#parameter-rolename) | string | Name of the custom RBAC role to be created. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | List of allowed actions. | -| `assignableScopes` | array | `[]` | Role definition assignable scopes. If not provided, will use the current scope provided. | -| `dataActions` | array | `[]` | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `description` | string | `''` | Description of the custom RBAC role to be created. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `notActions` | array | `[]` | List of denied actions. | -| `notDataActions` | array | `[]` | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | List of allowed actions. | +| [`assignableScopes`](#parameter-assignablescopes) | array | Role definition assignable scopes. If not provided, will use the current scope provided. | +| [`dataActions`](#parameter-dataactions) | array | List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. 
| +| [`description`](#parameter-description) | string | Description of the custom RBAC role to be created. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`notActions`](#parameter-notactions) | array | List of denied actions. | +| [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | + +### Parameter: `actions` + +List of allowed actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `assignableScopes` + +Role definition assignable scopes. If not provided, will use the current scope provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dataActions` + +List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +Description of the custom RBAC role to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `notActions` + +List of denied actions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `notDataActions` + +List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleName` + +Name of the custom RBAC role to be created. +- Required: Yes +- Type: string + +### Parameter: `subscriptionId` + +The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition. | | `resourceId` | string | The resource ID of the Role Definition. | diff --git a/modules/authorization/role-definition/subscription/main.json b/modules/authorization/role-definition/subscription/main.json index 13af925166..ab79f1d69a 100644 --- a/modules/authorization/role-definition/subscription/main.json +++ b/modules/authorization/role-definition/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9532889033437004469" + "version": "0.22.6.54827", + "templateHash": "5911596219403447648" }, "name": "Role Definitions (Subscription scope)", "description": "This module deploys a Role Definition at a Subscription scope.", diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index 2efb5d1f6e..7bfe9ab16b 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/automation/automation-account/.test/min/main.test.bicep b/modules/automation/automation-account/.test/min/main.test.bicep index 85372aede7..3156e8971b 100644 --- a/modules/automation/automation-account/.test/min/main.test.bicep +++ b/modules/automation/automation-account/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 92619970e8..52e1318985 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -5,10 +5,10 @@ This module deploys an Azure Automation Account. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
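Review bot: The `encr` test of this module is left without the `metadata name` / `metadata description` lines that this hunk and the sibling `common` hunk add, so the README regenerated in the same commit renders `### Example 2: _Encr_` with no description while Examples 1 and 3 get a title and a sentence each. Adding the same two lines to `modules/automation/automation-account/.test/encr/main.test.bicep` — `metadata name = '<descriptive name>'` and `metadata description = '<what the example exercises>'` — would make the three usage examples consistent; the example presumably covers the customer-managed-key parameters, but its content is not visible in this diff. The gap is visible in the automation-account README hunk further down in this patch.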
@@ -29,90 +29,29 @@ This module deploys an Azure Automation Account. | `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) | | `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Automation Account. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. 
| -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DscNodeStatus, JobLogs, JobStreams]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableLocalAuth` | bool | `True` | | Disable local authentication profile used within the resource. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `gallerySolutions` | array | `[]` | | List of gallerySolutions to be created in the linked log analytics workspace. | -| `jobSchedules` | array | `[]` | | List of jobSchedules to be created in the automation account. | -| `linkedWorkspaceResourceId` | string | `''` | | ID of the log analytics workspace to be linked to the deployed automation account. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `modules` | array | `[]` | | List of modules to be created in the automation account. 
| -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `runbooks` | array | `[]` | | List of runbooks to be created in the automation account. | -| `schedules` | array | `[]` | | List of schedules to be created in the automation account. | -| `skuName` | string | `'Basic'` | `[Basic, Free]` | SKU name of the account. | -| `softwareUpdateConfigurations` | array | `[]` | | List of softwareUpdateConfigurations to be created in the automation account. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the Automation Account resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `variables` | array | `[]` | | List of variables to be created in the automation account. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed automation account. | -| `resourceGroupName` | string | The resource group of the deployed automation account. 
| -| `resourceId` | string | The resource ID of the deployed automation account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | -| `operational-insights/workspace/linked-service` | Local reference | -| `operations-management/solution` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/automation.automation-account:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module automationAccount './automation/automation-account/main.bicep' = { +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-aacom' params: { // Required parameters @@ -548,14 +487,14 @@ module automationAccount './automation/automation-account/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module automationAccount './automation/automation-account/main.bicep' = { +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-aaencr' params: { // Required parameters @@ -613,14 +552,17 @@ module automationAccount './automation/automation-account/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module automationAccount './automation/automation-account/main.bicep' = { +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-aamin' params: { // Required parameters @@ -657,3 +599,294 @@ module automationAccount './automation/automation-account/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Automation Account. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. 
| +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disable local authentication profile used within the resource. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the linked log analytics workspace. | +| [`jobSchedules`](#parameter-jobschedules) | array | List of jobSchedules to be created in the automation account. | +| [`linkedWorkspaceResourceId`](#parameter-linkedworkspaceresourceid) | string | ID of the log analytics workspace to be linked to the deployed automation account. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`runbooks`](#parameter-runbooks) | array | List of runbooks to be created in the automation account. | +| [`schedules`](#parameter-schedules) | array | List of schedules to be created in the automation account. | +| [`skuName`](#parameter-skuname) | string | SKU name of the account. | +| [`softwareUpdateConfigurations`](#parameter-softwareupdateconfigurations) | array | List of softwareUpdateConfigurations to be created in the automation account. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`variables`](#parameter-variables) | array | List of variables to be created in the automation account. | + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DscNodeStatus, JobLogs, JobStreams]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +Disable local authentication profile used within the resource. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gallerySolutions` + +List of gallerySolutions to be created in the linked log analytics workspace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `jobSchedules` + +List of jobSchedules to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `linkedWorkspaceResourceId` + +ID of the log analytics workspace to be linked to the deployed automation account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `modules` + +List of modules to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +Name of the Automation Account. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `runbooks` + +List of runbooks to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `schedules` + +List of schedules to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +SKU name of the account. +- Required: No +- Type: string +- Default: `'Basic'` +- Allowed: `[Basic, Free]` + +### Parameter: `softwareUpdateConfigurations` + +List of softwareUpdateConfigurations to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the Automation Account resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `variables` + +List of variables to be created in the automation account. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed automation account. | +| `resourceGroupName` | string | The resource group of the deployed automation account. | +| `resourceId` | string | The resource ID of the deployed automation account. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | +| `modules/operational-insights/workspace/linked-service` | Local reference | +| `modules/operations-management/solution` | Local reference | diff --git a/modules/automation/automation-account/job-schedule/README.md b/modules/automation/automation-account/job-schedule/README.md index d5f88fc047..57460c8123 100644 --- a/modules/automation/automation-account/job-schedule/README.md +++ b/modules/automation/automation-account/job-schedule/README.md 
@@ -19,35 +19,81 @@ This module deploys an Azure Automation Account Job Schedule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `runbookName` | string | The runbook property associated with the entity. | -| `scheduleName` | string | The schedule property associated with the entity. | +| [`runbookName`](#parameter-runbookname) | string | The runbook property associated with the entity. | +| [`scheduleName`](#parameter-schedulename) | string | The schedule property associated with the entity. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | +| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `parameters` | object | `{object}` | List of job properties. | -| `runOn` | string | `''` | The hybrid worker group that the scheduled job should run on. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`parameters`](#parameter-parameters) | object | List of job properties. | +| [`runOn`](#parameter-runon) | string | The hybrid worker group that the scheduled job should run on. | **Generated parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | `[newGuid()]` | Name of the Automation Account job schedule. Must be a GUID and is autogenerated. 
No need to provide this value. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value. | + +### Parameter: `automationAccountName` + +The name of the parent Automation Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value. +- Required: No +- Type: string +- Default: `[newGuid()]` + +### Parameter: `parameters` + +List of job properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `runbookName` + +The runbook property associated with the entity. +- Required: Yes +- Type: string + +### Parameter: `runOn` + +The hybrid worker group that the scheduled job should run on. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `scheduleName` + +The schedule property associated with the entity. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed job schedule. | | `resourceGroupName` | string | The resource group of the deployed job schedule. | diff --git a/modules/automation/automation-account/job-schedule/main.json b/modules/automation/automation-account/job-schedule/main.json index 5fee90a026..bb8ec2e35b 100644 --- a/modules/automation/automation-account/job-schedule/main.json +++ b/modules/automation/automation-account/job-schedule/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12038142052110102548" + "version": "0.22.6.54827", + "templateHash": "7560418296837405700" }, "name": "Automation Account Job Schedules", "description": "This module deploys an Azure Automation Account Job Schedule.", diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 413b25d49a..e99ac28588 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "715583337826412599" + "version": "0.22.6.54827", + "templateHash": "14616774767362362836" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", @@ -387,8 +387,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6993581259043167782" + "version": "0.22.6.54827", + "templateHash": "15709477569881004771" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.", @@ -544,8 +544,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14615504958276169101" + "version": "0.22.6.54827", + "templateHash": "4119330639685982378" }, "name": "Automation Account Schedules", "description": "This module deploys an Azure Automation Account Schedule.", @@ -740,8 +740,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14475542689236047442" + "version": "0.22.6.54827", + "templateHash": "18248893160569507204" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.", 
@@ -945,8 +945,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12703294720660038691" + "version": "0.22.6.54827", + "templateHash": "7560418296837405700" }, "name": "Automation Account Job Schedules", "description": "This module deploys an Azure Automation Account Job Schedule.", @@ -1097,8 +1097,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10724020478275741370" + "version": "0.22.6.54827", + "templateHash": "17400819380217562013" }, "name": "Automation Account Variables", "description": "This module deploys an Azure Automation Account Variable.", @@ -1235,8 +1235,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7090165993767697446" + "version": "0.22.6.54827", + "templateHash": "15022791045507209174" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -1377,8 +1377,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9052763253522380709" + "version": "0.22.6.54827", + "templateHash": "2318608107759137473" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", @@ -1563,8 +1563,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17973053005173772952" + "version": "0.22.6.54827", + "templateHash": "10775503419002427646" }, "name": "Automation Account Software Update Configurations", "description": "This module deploys an Azure Automation Account Software Update Configuration.", @@ -2035,8 +2035,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2235,8 +2235,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2373,8 +2373,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2587,8 +2587,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10676519467876912979" + "version": "0.22.6.54827", + "templateHash": "10195514445399502357" } }, "parameters": { diff --git a/modules/automation/automation-account/module/README.md b/modules/automation/automation-account/module/README.md index 21ea5e81c4..bba5a2892b 100644 --- a/modules/automation/automation-account/module/README.md +++ b/modules/automation/automation-account/module/README.md 
@@ -19,30 +19,76 @@ This module deploys an Azure Automation Account Module.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Automation Account module. |
-| `uri` | string | Module package URI, e.g. https://www.powershellgallery.com/api/v2/package. |
+| [`name`](#parameter-name) | string | Name of the Automation Account module. |
+| [`uri`](#parameter-uri) | string | Module package URI, e.g. https://www.powershellgallery.com/api/v2/package. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
+| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | Location for all resources. |
-| `tags` | object | `{object}` | Tags of the Automation Account resource. |
-| `version` | string | `'latest'` | Module version or specify latest to get the latest version. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. |
+| [`version`](#parameter-version) | string | Module version or specify latest to get the latest version. |
+
+### Parameter: `automationAccountName`
+
+The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+Name of the Automation Account module.
+- Required: Yes
+- Type: string
+
+### Parameter: `tags`
+
+Tags of the Automation Account resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `uri`
+
+Module package URI, e.g. https://www.powershellgallery.com/api/v2/package.
+- Required: Yes
+- Type: string
+
+### Parameter: `version`
+
+Module version or specify latest to get the latest version.
+- Required: No
+- Type: string
+- Default: `'latest'`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the deployed module. |
diff --git a/modules/automation/automation-account/module/main.json b/modules/automation/automation-account/module/main.json
index 92e1b857bf..bf3c18c30b 100644
--- a/modules/automation/automation-account/module/main.json
+++ b/modules/automation/automation-account/module/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12776439865232935886" + "version": "0.22.6.54827", + "templateHash": "15709477569881004771" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.",
diff --git a/modules/automation/automation-account/runbook/README.md b/modules/automation/automation-account/runbook/README.md
index 5712d4182b..8cb4f7f0c8 100644
--- a/modules/automation/automation-account/runbook/README.md
+++ b/modules/automation/automation-account/runbook/README.md
@@ -19,40 +19,122 @@ This module deploys an Azure Automation Account Runbook.
 **Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `name` | string | | Name of the Automation Account runbook. |
-| `type` | string | `[Graph, GraphPowerShell, GraphPowerShellWorkflow, PowerShell, PowerShellWorkflow]` | The type of the runbook. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Automation Account runbook. |
+| [`type`](#parameter-type) | string | The type of the runbook. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
+| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `description` | string | `''` | The description of the runbook. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | Location for all resources. |
-| `sasTokenValidityLength` | string | `'PT8H'` | SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
-| `scriptStorageAccountId` | string | `''` | ID of the runbook storage account. |
-| `tags` | object | `{object}` | Tags of the Automation Account resource. |
-| `uri` | string | `''` | The uri of the runbook content. |
-| `version` | string | `''` | The version of the runbook content. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`description`](#parameter-description) | string | The description of the runbook. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
+| [`scriptStorageAccountId`](#parameter-scriptstorageaccountid) | string | ID of the runbook storage account. |
+| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. |
+| [`uri`](#parameter-uri) | string | The uri of the runbook content. |
+| [`version`](#parameter-version) | string | The version of the runbook content. |
 **Generated parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `baseTime` | string | `[utcNow('u')]` | Time used as a basis for e.g. the schedule start date. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
+
+### Parameter: `automationAccountName`
+
+The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `baseTime`
+
+Time used as a basis for e.g. the schedule start date.
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
+### Parameter: `description`
+
+The description of the runbook.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+Name of the Automation Account runbook.
+- Required: Yes
+- Type: string
+
+### Parameter: `sasTokenValidityLength`
+
+SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.
+- Required: No
+- Type: string
+- Default: `'PT8H'`
+
+### Parameter: `scriptStorageAccountId`
+
+ID of the runbook storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `tags`
+
+Tags of the Automation Account resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `type`
+
+The type of the runbook.
+- Required: Yes
+- Type: string
+- Allowed: `[Graph, GraphPowerShell, GraphPowerShellWorkflow, PowerShell, PowerShellWorkflow]`
+
+### Parameter: `uri`
+
+The uri of the runbook content.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `version`
+
+The version of the runbook content.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the deployed runbook. |
diff --git a/modules/automation/automation-account/runbook/main.json b/modules/automation/automation-account/runbook/main.json
index 21cabe276d..3a2f126c75 100644
--- a/modules/automation/automation-account/runbook/main.json
+++ b/modules/automation/automation-account/runbook/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "123190998372280958" + "version": "0.22.6.54827", + "templateHash": "18248893160569507204" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.",
diff --git a/modules/automation/automation-account/schedule/README.md b/modules/automation/automation-account/schedule/README.md
index c337d0a7a1..df92b24d03 100644
--- a/modules/automation/automation-account/schedule/README.md
+++ b/modules/automation/automation-account/schedule/README.md
@@ -19,39 +19,115 @@ This module deploys an Azure Automation Account Schedule.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Automation Account schedule. |
+| [`name`](#parameter-name) | string | Name of the Automation Account schedule. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
+| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `advancedSchedule` | object | `{object}` | | The properties of the create Advanced Schedule. |
-| `description` | string | `''` | | The description of the schedule. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `expiryTime` | string | `''` | | The end time of the schedule. |
-| `frequency` | string | `'OneTime'` | `[Day, Hour, Minute, Month, OneTime, Week]` | The frequency of the schedule. |
-| `interval` | int | `0` | | Anything. |
-| `startTime` | string | `''` | | The start time of the schedule. |
-| `timeZone` | string | `''` | | The time zone of the schedule. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`advancedSchedule`](#parameter-advancedschedule) | object | The properties of the create Advanced Schedule. |
+| [`description`](#parameter-description) | string | The description of the schedule. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`expiryTime`](#parameter-expirytime) | string | The end time of the schedule. |
+| [`frequency`](#parameter-frequency) | string | The frequency of the schedule. |
+| [`interval`](#parameter-interval) | int | Anything. |
+| [`startTime`](#parameter-starttime) | string | The start time of the schedule. |
+| [`timeZone`](#parameter-timezone) | string | The time zone of the schedule. |
 **Generated parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `baseTime` | string | `[utcNow('u')]` | Time used as a basis for e.g. the schedule start date. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
+
+### Parameter: `advancedSchedule`
+
+The properties of the create Advanced Schedule.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `automationAccountName`
+
+The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `baseTime`
+
+Time used as a basis for e.g. the schedule start date.
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
+### Parameter: `description`
+
+The description of the schedule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `expiryTime`
+
+The end time of the schedule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `frequency`
+
+The frequency of the schedule.
+- Required: No
+- Type: string
+- Default: `'OneTime'`
+- Allowed: `[Day, Hour, Minute, Month, OneTime, Week]`
+
+### Parameter: `interval`
+
+Anything.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `name`
+
+Name of the Automation Account schedule.
+- Required: Yes
+- Type: string
+
+### Parameter: `startTime`
+
+The start time of the schedule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `timeZone`
+
+The time zone of the schedule.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed schedule. |
 | `resourceGroupName` | string | The resource group of the deployed schedule. |
diff --git a/modules/automation/automation-account/schedule/main.json b/modules/automation/automation-account/schedule/main.json
index b76ec06a61..4183686e3a 100644
--- a/modules/automation/automation-account/schedule/main.json
+++ b/modules/automation/automation-account/schedule/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5807574740331814274" + "version": "0.22.6.54827", + "templateHash": "4119330639685982378" }, "name": "Automation Account Schedules", "description": "This module deploys an Azure Automation Account Schedule.",
diff --git a/modules/automation/automation-account/software-update-configuration/README.md b/modules/automation/automation-account/software-update-configuration/README.md
index 4504591720..97acf050e6 100644
--- a/modules/automation/automation-account/software-update-configuration/README.md
+++ b/modules/automation/automation-account/software-update-configuration/README.md
@@ -20,62 +20,302 @@ This module deploys an Azure Automation Account Software Update Configuration. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `frequency` | string | `[Day, Hour, Month, OneTime, Week]` | The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | -| `name` | string | | The name of the Deployment schedule. | -| `operatingSystem` | string | `[Linux, Windows]` | The operating system to be configured by the deployment schedule. | -| `rebootSetting` | string | `[Always, IfRequired, Never, RebootOnly]` | Reboot setting for the deployment schedule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`frequency`](#parameter-frequency) | string | The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided. | +| [`name`](#parameter-name) | string | The name of the Deployment schedule. | +| [`operatingSystem`](#parameter-operatingsystem) | string | The operating system to be configured by the deployment schedule. | +| [`rebootSetting`](#parameter-rebootsetting) | string | Reboot setting for the deployment schedule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | +| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `azureVirtualMachines` | array | `[]` | | List of azure resource IDs for azure virtual machines in scope for the deployment schedule. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `excludeUpdates` | array | `[]` | | KB numbers or Linux packages excluded in the deployment schedule. | -| `expiryTime` | string | `''` | | The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | -| `expiryTimeOffsetMinutes` | int | `0` | | The expiry time's offset in minutes. | -| `includeUpdates` | array | `[]` | | KB numbers or Linux packages included in the deployment schedule. | -| `interval` | int | `1` | | The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | -| `isEnabled` | bool | `True` | | Enables the deployment schedule. | -| `maintenanceWindow` | string | `'PT2H'` | | Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. | -| `monthDays` | array | `[]` | `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]` | Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. | -| `monthlyOccurrences` | array | `[]` | | Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | -| `nextRun` | string | `''` | | The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | -| `nextRunOffsetMinutes` | int | `0` | | The next run's offset in minutes. | -| `nonAzureComputerNames` | array | `[]` | | List of names of non-azure machines in scope for the deployment schedule. 
| -| `nonAzureQueries` | array | `[]` | | Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | -| `postTaskParameters` | object | `{object}` | | Parameters provided to the task running after the deployment schedule. | -| `postTaskSource` | string | `''` | | The source of the task running after the deployment schedule. | -| `preTaskParameters` | object | `{object}` | | Parameters provided to the task running before the deployment schedule. | -| `preTaskSource` | string | `''` | | The source of the task running before the deployment schedule. | -| `scheduleDescription` | string | `''` | | The schedules description. | -| `scopeByLocations` | array | `[]` | | Specify locations to which to scope the deployment schedule to. | -| `scopeByResources` | array | `[[subscription().id]]` | | Specify the resources to scope the deployment schedule to. | -| `scopeByTags` | object | `{object}` | | Specify tags to which to scope the deployment schedule to. | -| `scopeByTagsOperation` | string | `'All'` | `[All, Any]` | Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). | -| `startTime` | string | `''` | | The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. | -| `timeZone` | string | `'UTC'` | | Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | -| `updateClassifications` | array | `[Critical, Security]` | `[Critical, Definition, FeaturePack, Other, Security, ServicePack, Tools, UpdateRollup, Updates]` | Update classification included in the deployment schedule. | -| `weekDays` | array | `[]` | `[Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday]` | Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`azureVirtualMachines`](#parameter-azurevirtualmachines) | array | List of azure resource IDs for azure virtual machines in scope for the deployment schedule. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`excludeUpdates`](#parameter-excludeupdates) | array | KB numbers or Linux packages excluded in the deployment schedule. | +| [`expiryTime`](#parameter-expirytime) | string | The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | +| [`expiryTimeOffsetMinutes`](#parameter-expirytimeoffsetminutes) | int | The expiry time's offset in minutes. | +| [`includeUpdates`](#parameter-includeupdates) | array | KB numbers or Linux packages included in the deployment schedule. | +| [`interval`](#parameter-interval) | int | The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc. | +| [`isEnabled`](#parameter-isenabled) | bool | Enables the deployment schedule. | +| [`maintenanceWindow`](#parameter-maintenancewindow) | string | Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. | +| [`monthDays`](#parameter-monthdays) | array | Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule. | +| [`monthlyOccurrences`](#parameter-monthlyoccurrences) | array | Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule. | +| [`nextRun`](#parameter-nextrun) | string | The next time the deployment schedule runs in ISO 8601 format. 
YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. | +| [`nextRunOffsetMinutes`](#parameter-nextrunoffsetminutes) | int | The next run's offset in minutes. | +| [`nonAzureComputerNames`](#parameter-nonazurecomputernames) | array | List of names of non-azure machines in scope for the deployment schedule. | +| [`nonAzureQueries`](#parameter-nonazurequeries) | array | Array of functions from a Log Analytics workspace, used to scope the deployment schedule. | +| [`postTaskParameters`](#parameter-posttaskparameters) | object | Parameters provided to the task running after the deployment schedule. | +| [`postTaskSource`](#parameter-posttasksource) | string | The source of the task running after the deployment schedule. | +| [`preTaskParameters`](#parameter-pretaskparameters) | object | Parameters provided to the task running before the deployment schedule. | +| [`preTaskSource`](#parameter-pretasksource) | string | The source of the task running before the deployment schedule. | +| [`scheduleDescription`](#parameter-scheduledescription) | string | The schedules description. | +| [`scopeByLocations`](#parameter-scopebylocations) | array | Specify locations to which to scope the deployment schedule to. | +| [`scopeByResources`](#parameter-scopebyresources) | array | Specify the resources to scope the deployment schedule to. | +| [`scopeByTags`](#parameter-scopebytags) | object | Specify tags to which to scope the deployment schedule to. | +| [`scopeByTagsOperation`](#parameter-scopebytagsoperation) | string | Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B). | +| [`startTime`](#parameter-starttime) | string | The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00. 
| +| [`timeZone`](#parameter-timezone) | string | Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID. | +| [`updateClassifications`](#parameter-updateclassifications) | array | Update classification included in the deployment schedule. | +| [`weekDays`](#parameter-weekdays) | array | Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule. | **Generated parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('u')]` | Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`baseTime`](#parameter-basetime) | string | Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. | + +### Parameter: `automationAccountName` + +The name of the parent Automation Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `azureVirtualMachines` + +List of azure resource IDs for azure virtual machines in scope for the deployment schedule. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `baseTime` + +Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. +- Required: No +- Type: string +- Default: `[utcNow('u')]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `excludeUpdates`
+
+KB numbers or Linux packages excluded in the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `expiryTime`
+
+The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `expiryTimeOffsetMinutes`
+
+The expiry time's offset in minutes.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `frequency`
+
+The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided.
+- Required: Yes
+- Type: string
+- Allowed: `[Day, Hour, Month, OneTime, Week]`
+
+### Parameter: `includeUpdates`
+
+KB numbers or Linux packages included in the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `interval`
+
+The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `isEnabled`
+
+Enables the deployment schedule.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `maintenanceWindow`
+
+Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601.
+- Required: No
+- Type: string
+- Default: `'PT2H'`
+
+### Parameter: `monthDays`
+
+Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]`
+
+### Parameter: `monthlyOccurrences`
+
+Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `name`
+
+The name of the Deployment schedule.
+- Required: Yes
+- Type: string
+
+### Parameter: `nextRun`
+
+The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `nextRunOffsetMinutes`
+
+The next run's offset in minutes.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `nonAzureComputerNames`
+
+List of names of non-azure machines in scope for the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `nonAzureQueries`
+
+Array of functions from a Log Analytics workspace, used to scope the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `operatingSystem`
+
+The operating system to be configured by the deployment schedule.
+- Required: Yes
+- Type: string
+- Allowed: `[Linux, Windows]`
+
+### Parameter: `postTaskParameters`
+
+Parameters provided to the task running after the deployment schedule.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `postTaskSource`
+
+The source of the task running after the deployment schedule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `preTaskParameters`
+
+Parameters provided to the task running before the deployment schedule.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `preTaskSource`
+
+The source of the task running before the deployment schedule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `rebootSetting`
+
+Reboot setting for the deployment schedule.
+- Required: Yes
+- Type: string
+- Allowed: `[Always, IfRequired, Never, RebootOnly]`
+
+### Parameter: `scheduleDescription`
+
+The schedules description.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `scopeByLocations`
+
+Specify locations to which to scope the deployment schedule to.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `scopeByResources`
+
+Specify the resources to scope the deployment schedule to.
+- Required: No
+- Type: array
+- Default: `[[subscription().id]]`
+
+### Parameter: `scopeByTags`
+
+Specify tags to which to scope the deployment schedule to.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `scopeByTagsOperation`
+
+Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B).
+- Required: No
+- Type: string
+- Default: `'All'`
+- Allowed: `[All, Any]`
+
+### Parameter: `startTime`
+
+The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `timeZone`
+
+Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID.
+- Required: No
+- Type: string
+- Default: `'UTC'`
+
+### Parameter: `updateClassifications`
+
+Update classification included in the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[Critical, Security]`
+- Allowed: `[Critical, Definition, FeaturePack, Other, Security, ServicePack, Tools, UpdateRollup, Updates]`
+
+### Parameter: `weekDays`
+
+Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed softwareUpdateConfiguration. |
 | `resourceGroupName` | string | The resource group of the deployed softwareUpdateConfiguration. |
diff --git a/modules/automation/automation-account/software-update-configuration/main.json b/modules/automation/automation-account/software-update-configuration/main.json
index f4305ddbf8..14b2d33ac1 100644
--- a/modules/automation/automation-account/software-update-configuration/main.json
+++ b/modules/automation/automation-account/software-update-configuration/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "11844327136869535634"
+ "version": "0.22.6.54827",
+ "templateHash": "10775503419002427646"
 },
 "name": "Automation Account Software Update Configurations",
 "description": "This module deploys an Azure Automation Account Software Update Configuration.",
diff --git a/modules/automation/automation-account/variable/README.md b/modules/automation/automation-account/variable/README.md
index a3356c0f6a..99ec5a4985 100644
--- a/modules/automation/automation-account/variable/README.md
+++ b/modules/automation/automation-account/variable/README.md
@@ -20,29 +20,68 @@ This module deploys an Azure Automation Account Variable.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the variable. |
-| `value` | securestring | The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true. |
+| [`name`](#parameter-name) | string | The name of the variable. |
+| [`value`](#parameter-value) | securestring | The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `automationAccountName` | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
+| [`automationAccountName`](#parameter-automationaccountname) | string | The name of the parent Automation Account. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `description` | string | `''` | The description of the variable. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `isEncrypted` | bool | `True` | If the variable should be encrypted. For security reasons encryption of variables should be enabled. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`description`](#parameter-description) | string | The description of the variable. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`isEncrypted`](#parameter-isencrypted) | bool | If the variable should be encrypted. For security reasons encryption of variables should be enabled. |
+
+### Parameter: `automationAccountName`
+
+The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `description`
+
+The description of the variable.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `isEncrypted`
+
+If the variable should be encrypted. For security reasons encryption of variables should be enabled.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the variable.
+- Required: Yes
+- Type: string
+
+### Parameter: `value`
+
+The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true.
+- Required: Yes
+- Type: securestring
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed variable. |
 | `resourceGroupName` | string | The resource group of the deployed variable. |
diff --git a/modules/automation/automation-account/variable/main.json b/modules/automation/automation-account/variable/main.json
index e0ffc7ec3a..333cb278b4 100644
--- a/modules/automation/automation-account/variable/main.json
+++ b/modules/automation/automation-account/variable/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "17684191295648041474"
+ "version": "0.22.6.54827",
+ "templateHash": "17400819380217562013"
 },
 "name": "Automation Account Variables",
 "description": "This module deploys an Azure Automation Account Variable.",
diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep
index d90c14f14e..b81a0e4036 100644
--- a/modules/batch/batch-account/.test/common/main.test.bicep
+++ b/modules/batch/batch-account/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/batch/batch-account/.test/min/main.test.bicep b/modules/batch/batch-account/.test/min/main.test.bicep
index c92b18d8ab..8d213101ab 100644
--- a/modules/batch/batch-account/.test/min/main.test.bicep
+++ b/modules/batch/batch-account/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index cf3dd26a6c..17cd685691 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -4,13 +4,13 @@ This module deploys a Batch Account.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -21,83 +21,29 @@ This module deploys a Batch Account.
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Azure Batch. |
-| `storageAccountId` | string | The resource ID of the storage account to be used for auto-storage account. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
-| `keyVaultReferenceResourceId` | string | `''` | The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `allowedAuthenticationModes` | array | `[]` | `[AAD, SharedKey, TaskAuthenticationToken]` | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. |
-| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ServiceLog]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `networkProfileAllowedIpRanges` | array | `[]` | | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. |
-| `networkProfileDefaultAction` | string | `'Deny'` | `[Allow, Deny]` | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. |
-| `poolAllocationMode` | string | `'BatchService'` | `[BatchService, UserSubscription]` | The allocation mode for creating pools in the Batch account. Determines which quota will be used. |
-| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. |
-| `storageAccessIdentity` | string | `''` | | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. |
-| `storageAuthenticationMode` | string | `'StorageKeys'` | `[BatchAccountManagedIdentity, StorageKeys]` | The authentication mode which the Batch service will use to manage the auto-storage account. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
+## Usage examples
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-## Outputs
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the batch account. |
-| `resourceGroupName` | string | The resource group the batch account was deployed into. |
-| `resourceId` | string | The resource ID of the batch account. |
-
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `network/private-endpoint` | Local reference |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/batch.batch-account:1.0.0`.
-## Deployment examples
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Encr](#example-2-encr)
+- [Using only defaults](#example-3-using-only-defaults)
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+### Example 1: _Using large parameter set_
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module ```bicep -module batchAccount './batch/batch-account/main.bicep' = { +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-bbacom' params: { // Required parameters @@ -239,14 +185,14 @@ module batchAccount './batch/batch-account/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module batchAccount './batch/batch-account/main.bicep' = { +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-bbaencr' params: { // Required parameters @@ -362,14 +308,17 @@ module batchAccount './batch/batch-account/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module batchAccount './batch/batch-account/main.bicep' = { +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-bbamin' params: { // Required parameters @@ -410,3 +359,261 @@ module batchAccount './batch/batch-account/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Azure Batch. |
+| [`storageAccountId`](#parameter-storageaccountid) | string | The resource ID of the storage account to be used for auto-storage account. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| [`keyVaultReferenceResourceId`](#parameter-keyvaultreferenceresourceid) | string | The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`allowedAuthenticationModes`](#parameter-allowedauthenticationmodes) | array | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. |
+| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. |
+| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all Resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`networkProfileAllowedIpRanges`](#parameter-networkprofileallowedipranges) | array | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. |
+| [`networkProfileDefaultAction`](#parameter-networkprofiledefaultaction) | string | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. |
+| [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. |
+| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. |
+| [`storageAccessIdentity`](#parameter-storageaccessidentity) | string | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. |
+| [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+
+### Parameter: `allowedAuthenticationModes`
+
+List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[AAD, SharedKey, TaskAuthenticationToken]`
+
+### Parameter: `cMKKeyName`
+
+The name of the customer managed key to use for encryption.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, ServiceLog]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `keyVaultReferenceResourceId`
+
+The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Azure Batch.
+- Required: Yes
+- Type: string
+
+### Parameter: `networkProfileAllowedIpRanges`
+
+Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `networkProfileDefaultAction`
+
+The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled.
+- Required: No
+- Type: string
+- Default: `'Deny'`
+- Allowed: `[Allow, Deny]`
+
+### Parameter: `poolAllocationMode`
+
+The allocation mode for creating pools in the Batch account. Determines which quota will be used.
+- Required: No
+- Type: string
+- Default: `'BatchService'`
+- Allowed: `[BatchService, UserSubscription]`
+
+### Parameter: `privateEndpoints`
+
+Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicNetworkAccess`
+
+Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Disabled, Enabled]`
+
+### Parameter: `storageAccessIdentity`
+
+The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `storageAccountId`
+
+The resource ID of the storage account to be used for auto-storage account.
+- Required: Yes
+- Type: string
+
+### Parameter: `storageAuthenticationMode`
+
+The authentication mode which the Batch service will use to manage the auto-storage account.
+- Required: No
+- Type: string
+- Default: `'StorageKeys'`
+- Allowed: `[BatchAccountManagedIdentity, StorageKeys]`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the batch account. |
+| `resourceGroupName` | string | The resource group the batch account was deployed into. |
+| `resourceId` | string | The resource ID of the batch account. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json
index a114631351..0253e6c50b 100644
--- a/modules/batch/batch-account/main.json
+++ b/modules/batch/batch-account/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8956575251332566079"
+ "version": "0.22.6.54827",
+ "templateHash": "12201052807403978225"
 },
 "name": "Batch Accounts",
 "description": "This module deploys a Batch Account.",
@@ -391,8 +391,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -591,8 +591,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -729,8 +729,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep
index fe85adb34b..70adc46f2c 100644
--- a/modules/cache/redis-enterprise/.test/common/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cache/redis-enterprise/.test/min/main.test.bicep b/modules/cache/redis-enterprise/.test/min/main.test.bicep
index dfe3f24c13..19ab84407e 100644
--- a/modules/cache/redis-enterprise/.test/min/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md
index 4421956599..79e8069cff 100644
--- a/modules/cache/redis-enterprise/README.md
+++ b/modules/cache/redis-enterprise/README.md
@@ -5,10 +5,10 @@ This module deploys a Redis Cache Enterprise.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -22,71 +22,29 @@ This module deploys a Redis Cache Enterprise. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Redis Cache Enterprise resource. | - -**Optional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `capacity` | int | `2` | | The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. | -| `databases` | array | `[]` | | The databases to create in the Redis Cache Enterprise Cluster. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[]` | `['', audit, ConnectionEvents]` | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | The geo-location where the resource lives. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Requires clients to use a specified TLS version (or higher) to connect. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| `skuName` | string | `'Enterprise_E10'` | `[Enterprise_E10, Enterprise_E100, Enterprise_E20, Enterprise_E50, EnterpriseFlash_F1500, EnterpriseFlash_F300, EnterpriseFlash_F700]` | The type of Redis Enterprise Cluster to deploy. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `zoneRedundant` | bool | `True` | | When true, the cluster will be deployed across availability zones. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis-enterprise:1.0.0`. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `hostName` | string | Redis hostname. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the redis cache enterprise. | -| `resourceGroupName` | string | The name of the resource group the redis cache enterprise was created in. | -| `resourceId` | string | The resource ID of the redis cache enterprise. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Geo](#example-2-geo) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module redisEnterprise './cache/redis-enterprise/main.bicep' = { +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-crecom' params: { // Required parameters @@ -264,14 +222,14 @@ module redisEnterprise './cache/redis-enterprise/main.bicep' = {

-

Example 2: Geo

+### Example 2: _Geo_
via Bicep module ```bicep -module redisEnterprise './cache/redis-enterprise/main.bicep' = { +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cregeo' params: { // Required parameters @@ -385,14 +343,17 @@ module redisEnterprise './cache/redis-enterprise/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module redisEnterprise './cache/redis-enterprise/main.bicep' = { +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cremin' params: { // Required parameters @@ -429,3 +390,191 @@ module redisEnterprise './cache/redis-enterprise/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Redis Cache Enterprise resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`capacity`](#parameter-capacity) | int | The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. | +| [`databases`](#parameter-databases) | array | The databases to create in the Redis Cache Enterprise Cluster. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The geo-location where the resource lives. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | The type of Redis Enterprise Cluster to deploy. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, the cluster will be deployed across availability zones. | + +### Parameter: `capacity` + +The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. 
+- Required: No +- Type: int +- Default: `2` + +### Parameter: `databases` + +The databases to create in the Redis Cache Enterprise Cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `['', audit, ConnectionEvents]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The geo-location where the resource lives. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `minimumTlsVersion` + +Requires clients to use a specified TLS version (or higher) to connect. +- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2]` + +### Parameter: `name` + +The name of the Redis Cache Enterprise resource. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +The type of Redis Enterprise Cluster to deploy. +- Required: No +- Type: string +- Default: `'Enterprise_E10'` +- Allowed: `[Enterprise_E10, Enterprise_E100, Enterprise_E20, Enterprise_E50, EnterpriseFlash_F1500, EnterpriseFlash_F300, EnterpriseFlash_F700]` + +### Parameter: `tags` + +Tags of the resource. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +When true, the cluster will be deployed across availability zones. +- Required: No +- Type: bool +- Default: `True` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `hostName` | string | Redis hostname. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the redis cache enterprise. | +| `resourceGroupName` | string | The name of the resource group the redis cache enterprise was created in. | +| `resourceId` | string | The resource ID of the redis cache enterprise. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/cache/redis-enterprise/database/README.md b/modules/cache/redis-enterprise/database/README.md index b685df1716..7f0d3120d2 100644 --- a/modules/cache/redis-enterprise/database/README.md +++ b/modules/cache/redis-enterprise/database/README.md 
@@ -20,31 +20,126 @@ This module deploys a Redis Cache Enterprise Database. **Conditional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `persistenceAofFrequency` | string | `''` | `['', 1s, always]` | Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. | -| `persistenceRdbFrequency` | string | `''` | `['', 12h, 1h, 6h]` | Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. | -| `redisCacheEnterpriseName` | string | | | The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`persistenceAofFrequency`](#parameter-persistenceaoffrequency) | string | Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. | +| [`persistenceRdbFrequency`](#parameter-persistencerdbfrequency) | string | Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. | +| [`redisCacheEnterpriseName`](#parameter-rediscacheenterprisename) | string | The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `clientProtocol` | string | `'Encrypted'` | `[Encrypted, Plaintext]` | Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted. | -| `clusteringPolicy` | string | `'OSSCluster'` | `[EnterpriseCluster, OSSCluster]` | Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `evictionPolicy` | string | `'VolatileLRU'` | `[AllKeysLFU, AllKeysLRU, AllKeysRandom, NoEviction, VolatileLFU, VolatileLRU, VolatileRandom, VolatileTTL]` | Redis eviction policy - default is VolatileLRU. | -| `geoReplication` | object | `{object}` | | Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `modules` | array | `[]` | | Optional set of redis modules to enable in this database - modules can only be added at creation time. | -| `persistenceAofEnabled` | bool | `False` | | Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. | -| `persistenceRdbEnabled` | bool | `False` | | Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. | -| `port` | int | `-1` | | TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`clientProtocol`](#parameter-clientprotocol) | string | Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted. | +| [`clusteringPolicy`](#parameter-clusteringpolicy) | string | Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`evictionPolicy`](#parameter-evictionpolicy) | string | Redis eviction policy - default is VolatileLRU. 
| +| [`geoReplication`](#parameter-georeplication) | object | Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`modules`](#parameter-modules) | array | Optional set of redis modules to enable in this database - modules can only be added at creation time. | +| [`persistenceAofEnabled`](#parameter-persistenceaofenabled) | bool | Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. | +| [`persistenceRdbEnabled`](#parameter-persistencerdbenabled) | bool | Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. | +| [`port`](#parameter-port) | int | TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. | + +### Parameter: `clientProtocol` + +Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted. +- Required: No +- Type: string +- Default: `'Encrypted'` +- Allowed: `[Encrypted, Plaintext]` + +### Parameter: `clusteringPolicy` + +Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. +- Required: No +- Type: string +- Default: `'OSSCluster'` +- Allowed: `[EnterpriseCluster, OSSCluster]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `evictionPolicy` + +Redis eviction policy - default is VolatileLRU. 
+- Required: No +- Type: string +- Default: `'VolatileLRU'` +- Allowed: `[AllKeysLFU, AllKeysLRU, AllKeysRandom, NoEviction, VolatileLFU, VolatileLRU, VolatileRandom, VolatileTTL]` + +### Parameter: `geoReplication` + +Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `modules` + +Optional set of redis modules to enable in this database - modules can only be added at creation time. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `persistenceAofEnabled` + +Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `persistenceAofFrequency` + +Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', 1s, always]` + +### Parameter: `persistenceRdbEnabled` + +Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `persistenceRdbFrequency` + +Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', 12h, 1h, 6h]` + +### Parameter: `port` + +TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. 
+- Required: No +- Type: int +- Default: `-1` + +### Parameter: `redisCacheEnterpriseName` + +The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed database. | | `resourceGroupName` | string | The resource group of the deployed database. | diff --git a/modules/cache/redis-enterprise/database/main.json b/modules/cache/redis-enterprise/database/main.json index 27d234923b..d5698a412b 100644 --- a/modules/cache/redis-enterprise/database/main.json +++ b/modules/cache/redis-enterprise/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16731424701559883139" + "version": "0.22.6.54827", + "templateHash": "8155705065039005753" }, "name": "Redis Cache Enterprise Databases", "description": "This module deploys a Redis Cache Enterprise Database.", diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index acdc3aa903..0dae10b9b6 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8401793883308983497" + "version": "0.22.6.54827", + "templateHash": "15719841187562389936" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", @@ -296,8 +296,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2462654739530119148" + "version": "0.22.6.54827", + "templateHash": "12607572296541142934" } }, "parameters": { 
@@ -451,8 +451,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16731424701559883139"
+ "version": "0.22.6.54827",
+ "templateHash": "8155705065039005753"
 },
 "name": "Redis Cache Enterprise Databases",
 "description": "This module deploys a Redis Cache Enterprise Database.",
@@ -689,8 +689,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -889,8 +889,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -1027,8 +1027,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep
index 27cba7a79e..5428f2e9cb 100644
--- a/modules/cache/redis/.test/common/main.test.bicep
+++ b/modules/cache/redis/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cache/redis/.test/min/main.test.bicep b/modules/cache/redis/.test/min/main.test.bicep
index 21c9108e8a..4ab171428a 100644
--- a/modules/cache/redis/.test/min/main.test.bicep
+++ b/modules/cache/redis/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md
index 721d612132..8360ae347a 100644
--- a/modules/cache/redis/README.md
+++ b/modules/cache/redis/README.md
@@ -5,10 +5,10 @@ This module deploys a Redis Cache.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 
 ## Resource Types
@@ -22,85 +22,28 @@ This module deploys a Redis Cache. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Redis cache resource. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `capacity` | int | `1` | `[0, 1, 2, 3, 4, 5, 6]` | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ConnectedClientList]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableNonSslPort` | bool | `False` | | Specifies whether the non-ssl Redis server port (6379) is enabled. | -| `location` | string | `[resourceGroup().location]` | | The location to deploy the Redis cache service. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Requires clients to use a specified TLS version (or higher) to connect. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `redisConfiguration` | object | `{object}` | | All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. | -| `redisVersion` | string | `'6'` | `[4, 6]` | Redis version. 
Only major version will be used in PUT/PATCH request with current valid values: (4, 6). | -| `replicasPerMaster` | int | `1` | | The number of replicas to be created per primary. | -| `replicasPerPrimary` | int | `1` | | The number of replicas to be created per primary. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `shardCount` | int | `1` | | The number of shards to be created on a Premium Cluster Cache. | -| `skuName` | string | `'Basic'` | `[Basic, Premium, Standard]` | The type of Redis cache to deploy. | -| `staticIP` | string | `''` | | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | -| `subnetId` | string | `''` | | The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `tenantSettings` | object | `{object}` | | A dictionary of tenant settings. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `zoneRedundant` | bool | `True` | | When true, replicas will be provisioned in availability zones specified in the zones parameter. | -| `zones` | array | `[]` | | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. 
Otherwise, the service will choose where replicas are deployed. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `hostName` | string | Redis hostname. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Redis Cache. | -| `resourceGroupName` | string | The name of the resource group the Redis Cache was created in. | -| `resourceId` | string | The resource ID of the Redis Cache. | -| `sslPort` | int | Redis SSL port. | -| `subnetId` | string | The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
+This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module redis './cache/redis/main.bicep' = { +module redis 'br:bicep/modules/cache.redis:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-crcom' params: { // Required parameters @@ -252,14 +195,17 @@ module redis './cache/redis/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module redis './cache/redis/main.bicep' = { +module redis 'br:bicep/modules/cache.redis:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-crmin' params: { // Required parameters @@ -298,6 +244,294 @@ module redis './cache/redis/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Redis cache resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`capacity`](#parameter-capacity) | int | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableNonSslPort`](#parameter-enablenonsslport) | bool | Specifies whether the non-ssl Redis server port (6379) is enabled. | +| [`location`](#parameter-location) | string | The location to deploy the Redis cache service. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`redisConfiguration`](#parameter-redisconfiguration) | object | All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. | +| [`redisVersion`](#parameter-redisversion) | string | Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). 
| +| [`replicasPerMaster`](#parameter-replicaspermaster) | int | The number of replicas to be created per primary. | +| [`replicasPerPrimary`](#parameter-replicasperprimary) | int | The number of replicas to be created per primary. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`shardCount`](#parameter-shardcount) | int | The number of shards to be created on a Premium Cluster Cache. | +| [`skuName`](#parameter-skuname) | string | The type of Redis cache to deploy. | +| [`staticIP`](#parameter-staticip) | string | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | +| [`subnetId`](#parameter-subnetid) | string | The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`tenantSettings`](#parameter-tenantsettings) | object | A dictionary of tenant settings. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, replicas will be provisioned in availability zones specified in the zones parameter. 
| +| [`zones`](#parameter-zones) | array | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. | + +### Parameter: `capacity` + +The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). +- Required: No +- Type: int +- Default: `1` +- Allowed: `[0, 1, 2, 3, 4, 5, 6]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, ConnectedClientList]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableNonSslPort` + +Specifies whether the non-ssl Redis server port (6379) is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +The location to deploy the Redis cache service. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `minimumTlsVersion` + +Requires clients to use a specified TLS version (or higher) to connect. +- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2]` + +### Parameter: `name` + +The name of the Redis cache resource. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `redisConfiguration` + +All Redis Settings. 
Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `redisVersion` + +Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). +- Required: No +- Type: string +- Default: `'6'` +- Allowed: `[4, 6]` + +### Parameter: `replicasPerMaster` + +The number of replicas to be created per primary. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `replicasPerPrimary` + +The number of replicas to be created per primary. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `shardCount` + +The number of shards to be created on a Premium Cluster Cache. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `skuName` + +The type of Redis cache to deploy. +- Required: No +- Type: string +- Default: `'Basic'` +- Allowed: `[Basic, Premium, Standard]` + +### Parameter: `staticIP` + +Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `subnetId` + +The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tenantSettings` + +A dictionary of tenant settings. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +When true, replicas will be provisioned in availability zones specified in the zones parameter. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `zones` + +If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `hostName` | string | Redis hostname. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Redis Cache. | +| `resourceGroupName` | string | The name of the resource group the Redis Cache was created in. | +| `resourceId` | string | The resource ID of the Redis Cache. | +| `sslPort` | int | Redis SSL port. | +| `subnetId` | string | The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in. 
| + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | + ## Notes ### Parameter Usage: `redisConfiguration` diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index ef37e001eb..d503dc74b8 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9970933369999379119" + "version": "0.22.6.54827", + "templateHash": "5929435185460509109" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", @@ -414,8 +414,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7380162094150397462" + "version": "0.22.6.54827", + "templateHash": "4475888832005151593" } }, "parameters": { @@ -575,8 +575,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -775,8 +775,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -913,8 +913,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { 
diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/.test/common/main.test.bicep
index b8413ea964..d8dcf730f7 100644
--- a/modules/cdn/profile/.test/common/main.test.bicep
+++ b/modules/cdn/profile/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md
index e3f4d453f2..04388adbbd 100644
--- a/modules/cdn/profile/README.md
+++ b/modules/cdn/profile/README.md
@@ -5,10 +5,10 @@ This module deploys a CDN Profile.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -28,68 +28,25 @@ This module deploys a CDN Profile. | `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/ruleSets/rules) | | `Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/secrets) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the CDN profile. | -| `sku` | string | `[Custom_Verizon, Premium_AzureFrontDoor, Premium_Verizon, Standard_955BandWidth_ChinaCdn, Standard_Akamai, Standard_AvgBandWidth_ChinaCdn, Standard_AzureFrontDoor, Standard_ChinaCdn, Standard_Microsoft, Standard_Verizon, StandardPlus_955BandWidth_ChinaCdn, StandardPlus_AvgBandWidth_ChinaCdn, StandardPlus_ChinaCdn]` | The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. | - -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `origionGroups` | array | Array of origin group objects. Required if the afdEndpoints is specified. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `afdEndpoints` | array | `[]` | | Array of AFD endpoint objects. | -| `customDomains` | array | `[]` | | Array of custom domain objects. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endpointName` | string | `''` | | Name of the endpoint under the profile which is unique globally. | -| `endpointProperties` | object | `{object}` | | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. 
| -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `originResponseTimeoutSeconds` | int | `60` | | Send and receive timeout on forwarding request to the origin. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ruleSets` | array | `[]` | | Array of rule set objects. | -| `secrets` | array | `[]` | | Array of secret objects. | -| `tags` | object | `{object}` | | Endpoint tags. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the CDN profile. | -| `profileType` | string | The type of the CDN profile. | -| `resourceGroupName` | string | The resource group where the CDN profile is deployed. | -| `resourceId` | string | The resource ID of the CDN profile. | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/cdn.profile:1.0.0`. -## Deployment examples +- [Afd](#example-1-afd) +- [Using large parameter set](#example-2-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. 
- >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Afd

+### Example 1: _Afd_
via Bicep module ```bicep -module profile './cdn/profile/main.bicep' = { +module profile 'br:bicep/modules/cdn.profile:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cdnpafd' params: { // Required parameters @@ -297,14 +254,17 @@ module profile './cdn/profile/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module profile './cdn/profile/main.bicep' = { +module profile 'br:bicep/modules/cdn.profile:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cdnpcom' params: { // Required parameters @@ -439,3 +399,156 @@ module profile './cdn/profile/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the CDN profile. | +| [`sku`](#parameter-sku) | string | The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`origionGroups`](#parameter-origiongroups) | array | Array of origin group objects. Required if the afdEndpoints is specified. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`afdEndpoints`](#parameter-afdendpoints) | array | Array of AFD endpoint objects. | +| [`customDomains`](#parameter-customdomains) | array | Array of custom domain objects. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`endpointName`](#parameter-endpointname) | string | Name of the endpoint under the profile which is unique globally. | +| [`endpointProperties`](#parameter-endpointproperties) | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`originResponseTimeoutSeconds`](#parameter-originresponsetimeoutseconds) | int | Send and receive timeout on forwarding request to the origin. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. | +| [`secrets`](#parameter-secrets) | array | Array of secret objects. | +| [`tags`](#parameter-tags) | object | Endpoint tags. | + +### Parameter: `afdEndpoints` + +Array of AFD endpoint objects. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `customDomains` + +Array of custom domain objects. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endpointName` + +Name of the endpoint under the profile which is unique globally. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `endpointProperties` + +Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the CDN profile. +- Required: Yes +- Type: string + +### Parameter: `originResponseTimeoutSeconds` + +Send and receive timeout on forwarding request to the origin. +- Required: No +- Type: int +- Default: `60` + +### Parameter: `origionGroups` + +Array of origin group objects. Required if the afdEndpoints is specified. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ruleSets` + +Array of rule set objects. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `secrets` + +Array of secret objects. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. +- Required: Yes +- Type: string +- Allowed: `[Custom_Verizon, Premium_AzureFrontDoor, Premium_Verizon, Standard_955BandWidth_ChinaCdn, Standard_Akamai, Standard_AvgBandWidth_ChinaCdn, Standard_AzureFrontDoor, Standard_ChinaCdn, Standard_Microsoft, Standard_Verizon, StandardPlus_955BandWidth_ChinaCdn, StandardPlus_AvgBandWidth_ChinaCdn, StandardPlus_ChinaCdn]` + +### Parameter: `tags` + +Endpoint tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the CDN profile. | +| `profileType` | string | The type of the CDN profile. | +| `resourceGroupName` | string | The resource group where the CDN profile is deployed. | +| `resourceId` | string | The resource ID of the CDN profile. | + +## Cross-referenced modules + +_None_ diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md index 92b71cb16f..6668c13e76 100644 --- a/modules/cdn/profile/afdEndpoint/README.md +++ b/modules/cdn/profile/afdEndpoint/README.md 
@@ -20,31 +20,87 @@ This module deploys a CDN Profile AFD Endpoint.
**Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `name` | string | The name of the AFD Endpoint. |
+| [`name`](#parameter-name) | string | The name of the AFD Endpoint. |
**Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `profileName` | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
+| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
**Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `autoGeneratedDomainNameLabelScope` | string | `'TenantReuse'` | `[NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]` | Indicates the endpoint name reuse scope. The default value is TenantReuse. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Indicates whether the AFD Endpoint is enabled. The default value is Enabled. |
-| `location` | string | `[resourceGroup().location]` | | The location of the AFD Endpoint. |
-| `routes` | array | `[]` | | The list of routes for this AFD Endpoint. |
-| `tags` | object | `{object}` | | The tags of the AFD Endpoint. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`autoGeneratedDomainNameLabelScope`](#parameter-autogenerateddomainnamelabelscope) | string | Indicates the endpoint name reuse scope. The default value is TenantReuse. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID).
|
+| [`enabledState`](#parameter-enabledstate) | string | Indicates whether the AFD Endpoint is enabled. The default value is Enabled. |
+| [`location`](#parameter-location) | string | The location of the AFD Endpoint. |
+| [`routes`](#parameter-routes) | array | The list of routes for this AFD Endpoint. |
+| [`tags`](#parameter-tags) | object | The tags of the AFD Endpoint. |
+
+### Parameter: `autoGeneratedDomainNameLabelScope`
+
+Indicates the endpoint name reuse scope. The default value is TenantReuse.
+- Required: No
+- Type: string
+- Default: `'TenantReuse'`
+- Allowed: `[NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enabledState`
+
+Indicates whether the AFD Endpoint is enabled. The default value is Enabled.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `location`
+
+The location of the AFD Endpoint.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the AFD Endpoint.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileName`
+
+The name of the parent CDN profile. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `routes`
+
+The list of routes for this AFD Endpoint.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+The tags of the AFD Endpoint.
+- Required: No
+- Type: object
+- Default: `{object}`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the AFD Endpoint. |
diff --git a/modules/cdn/profile/afdEndpoint/route/README.md b/modules/cdn/profile/afdEndpoint/route/README.md
index ee07973325..5b63f03281 100644
--- a/modules/cdn/profile/afdEndpoint/route/README.md
+++ b/modules/cdn/profile/afdEndpoint/route/README.md
@@ -19,33 +19,139 @@ This module deploys a CDN Profile AFD Endpoint route.
**Required parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `afdEndpointName` | string | | The name of the AFD endpoint. |
-| `name` | string | | The name of the route. |
-| `originGroupName` | string | `''` | The name of the origin group. The origin group must be defined in the profile originGroups. |
-| `profileName` | string | | The name of the parent CDN profile. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`afdEndpointName`](#parameter-afdendpointname) | string | The name of the AFD endpoint. |
+| [`name`](#parameter-name) | string | The name of the route. |
+| [`originGroupName`](#parameter-origingroupname) | string | The name of the origin group. The origin group must be defined in the profile originGroups. |
+| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. |
**Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `cacheConfiguration` | object | `{object}` | | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
-| `customDomainName` | string | | | The name of the custom domain. The custom domain must be defined in the profile customDomains. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether this route is enabled. |
-| `forwardingProtocol` | string | `'MatchRequest'` | `[HttpOnly, HttpsOnly, MatchRequest]` | The protocol this rule will use when forwarding traffic to backends. |
-| `httpsRedirect` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether to automatically redirect HTTP traffic to HTTPS traffic.
|
-| `linkToDefaultDomain` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether this route will be linked to the default endpoint domain. |
-| `originPath` | string | `''` | | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
-| `patternsToMatch` | array | `[]` | | The route patterns of the rule. |
-| `ruleSets` | array | `[]` | | The rule sets of the rule. The rule sets must be defined in the profile ruleSets. |
-| `supportedProtocols` | array | `[]` | `[Http, Https]` | The supported protocols of the rule. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cacheConfiguration`](#parameter-cacheconfiguration) | object | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
+| [`customDomainName`](#parameter-customdomainname) | string | The name of the custom domain. The custom domain must be defined in the profile customDomains. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enabledState`](#parameter-enabledstate) | string | Whether this route is enabled. |
+| [`forwardingProtocol`](#parameter-forwardingprotocol) | string | The protocol this rule will use when forwarding traffic to backends. |
+| [`httpsRedirect`](#parameter-httpsredirect) | string | Whether to automatically redirect HTTP traffic to HTTPS traffic. |
+| [`linkToDefaultDomain`](#parameter-linktodefaultdomain) | string | Whether this route will be linked to the default endpoint domain. |
+| [`originPath`](#parameter-originpath) | string | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
+| [`patternsToMatch`](#parameter-patternstomatch) | array | The route patterns of the rule. |
+| [`ruleSets`](#parameter-rulesets) | array | The rule sets of the rule.
The rule sets must be defined in the profile ruleSets. |
+| [`supportedProtocols`](#parameter-supportedprotocols) | array | The supported protocols of the rule. |
+
+### Parameter: `afdEndpointName`
+
+The name of the AFD endpoint.
+- Required: Yes
+- Type: string
+
+### Parameter: `cacheConfiguration`
+
+The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `customDomainName`
+
+The name of the custom domain. The custom domain must be defined in the profile customDomains.
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enabledState`
+
+Whether this route is enabled.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `forwardingProtocol`
+
+The protocol this rule will use when forwarding traffic to backends.
+- Required: No
+- Type: string
+- Default: `'MatchRequest'`
+- Allowed: `[HttpOnly, HttpsOnly, MatchRequest]`
+
+### Parameter: `httpsRedirect`
+
+Whether to automatically redirect HTTP traffic to HTTPS traffic.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `linkToDefaultDomain`
+
+Whether this route will be linked to the default endpoint domain.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `name`
+
+The name of the route.
+- Required: Yes
+- Type: string
+
+### Parameter: `originGroupName`
+
+The name of the origin group. The origin group must be defined in the profile originGroups.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `originPath`
+
+A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `patternsToMatch`
+
+The route patterns of the rule.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `profileName`
+
+The name of the parent CDN profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `ruleSets`
+
+The rule sets of the rule. The rule sets must be defined in the profile ruleSets.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `supportedProtocols`
+
+The supported protocols of the rule.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[Http, Https]`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the route. |
| `resourceGroupName` | string | The name of the resource group the route was created in. |
diff --git a/modules/cdn/profile/customdomain/README.md b/modules/cdn/profile/customdomain/README.md
index 87399b9693..57363db2c1 100644
--- a/modules/cdn/profile/customdomain/README.md
+++ b/modules/cdn/profile/customdomain/README.md
@@ -19,33 +19,101 @@ This module deploys a CDN Profile Custom Domains.
**Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `certificateType` | string | `[CustomerCertificate, ManagedCertificate]` | The type of the certificate used for secure delivery. |
-| `hostName` | string | | The host name of the domain. Must be a domain name. |
-| `name` | string | | The name of the custom domain. |
-| `profileName` | string | | The name of the CDN profile. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`certificateType`](#parameter-certificatetype) | string | The type of the certificate used for secure delivery. |
+| [`hostName`](#parameter-hostname) | string | The host name of the domain. Must be a domain name. |
+| [`name`](#parameter-name) | string | The name of the custom domain. |
+| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
**Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `extendedProperties` | object | `{object}` | | Key-Value pair representing migration properties for domains. |
-| `minimumTlsVersion` | string | `'TLS12'` | `[TLS10, TLS12]` | The minimum TLS version required for the custom domain. Default value: TLS12. |
-| `preValidatedCustomDomainResourceId` | string | `''` | | Resource reference to the Azure resource where custom domain ownership was prevalidated. |
-| `secretName` | string | `''` | | The name of the secret. ie. subs/rg/profile/secret. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID).
|
+| [`extendedProperties`](#parameter-extendedproperties) | object | Key-Value pair representing migration properties for domains. |
+| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version required for the custom domain. Default value: TLS12. |
+| [`preValidatedCustomDomainResourceId`](#parameter-prevalidatedcustomdomainresourceid) | string | Resource reference to the Azure resource where custom domain ownership was prevalidated. |
+| [`secretName`](#parameter-secretname) | string | The name of the secret. ie. subs/rg/profile/secret. |
**Optonal parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `azureDnsZoneResourceId` | string | `''` | Resource reference to the Azure DNS zone. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`azureDnsZoneResourceId`](#parameter-azurednszoneresourceid) | string | Resource reference to the Azure DNS zone. |
+
+### Parameter: `azureDnsZoneResourceId`
+
+Resource reference to the Azure DNS zone.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `certificateType`
+
+The type of the certificate used for secure delivery.
+- Required: Yes
+- Type: string
+- Allowed: `[CustomerCertificate, ManagedCertificate]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `extendedProperties`
+
+Key-Value pair representing migration properties for domains.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `hostName`
+
+The host name of the domain. Must be a domain name.
+- Required: Yes
+- Type: string
+
+### Parameter: `minimumTlsVersion`
+
+The minimum TLS version required for the custom domain. Default value: TLS12.
+- Required: No
+- Type: string
+- Default: `'TLS12'`
+- Allowed: `[TLS10, TLS12]`
+
+### Parameter: `name`
+
+The name of the custom domain.
+- Required: Yes
+- Type: string
+
+### Parameter: `preValidatedCustomDomainResourceId`
+
+Resource reference to the Azure resource where custom domain ownership was prevalidated.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `profileName`
+
+The name of the CDN profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `secretName`
+
+The name of the secret. ie. subs/rg/profile/secret.
+- Required: No
+- Type: string
+- Default: `''`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The name of the custom domain. |
| `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
diff --git a/modules/cdn/profile/endpoint/README.md b/modules/cdn/profile/endpoint/README.md
index 688a86025a..7681a1e2f8 100644
--- a/modules/cdn/profile/endpoint/README.md
+++ b/modules/cdn/profile/endpoint/README.md
@@ -20,29 +20,68 @@ This module deploys a CDN Profile Endpoint.
**Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `name` | string | Name of the endpoint under the profile which is unique globally. |
-| `properties` | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). |
+| [`name`](#parameter-name) | string | Name of the endpoint under the profile which is unique globally. |
+| [`properties`](#parameter-properties) | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). |
**Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `profileName` | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
+| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
**Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | Resource location. |
-| `tags` | object | `{object}` | Endpoint tags. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Resource location. |
+| [`tags`](#parameter-tags) | object | Endpoint tags. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Resource location.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+Name of the endpoint under the profile which is unique globally.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileName`
+
+The name of the parent CDN profile. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `properties`
+
+Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).
+- Required: Yes
+- Type: object
+
+### Parameter: `tags`
+
+Endpoint tags.
+- Required: No
+- Type: object
+- Default: `{object}`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `endpointProperties` | object | The properties of the endpoint. |
| `location` | string | The location the resource was deployed into. |
diff --git a/modules/cdn/profile/endpoint/origin/README.md b/modules/cdn/profile/endpoint/origin/README.md
index c4e00f6ddd..706d8a9c4a 100644
--- a/modules/cdn/profile/endpoint/origin/README.md
+++ b/modules/cdn/profile/endpoint/origin/README.md
@@ -19,37 +19,128 @@ This module deploys a CDN Profile Endpoint Origin.
**Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `endpointName` | string | The name of the CDN Endpoint. |
-| `hostName` | string | The hostname of the origin. |
-| `name` | string | The name of the origin. |
+| [`endpointName`](#parameter-endpointname) | string | The name of the CDN Endpoint. |
+| [`hostName`](#parameter-hostname) | string | The hostname of the origin. |
+| [`name`](#parameter-name) | string | The name of the origin. |
**Conditional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `priority` | int | `-1` | The priority of origin in given origin group for load balancing. Required if `weight` is provided. |
-| `privateLinkAlias` | string | | The private link alias of the origin. Required if privateLinkLocation is provided. |
-| `privateLinkLocation` | string | | The private link location of the origin. Required if privateLinkAlias is provided. |
-| `weight` | int | `-1` | The weight of the origin used for load balancing. Required if `priority` is provided. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`priority`](#parameter-priority) | int | The priority of origin in given origin group for load balancing. Required if `weight` is provided. |
+| [`privateLinkAlias`](#parameter-privatelinkalias) | string | The private link alias of the origin. Required if privateLinkLocation is provided. |
+| [`privateLinkLocation`](#parameter-privatelinklocation) | string | The private link location of the origin. Required if privateLinkAlias is provided. |
+| [`weight`](#parameter-weight) | int | The weight of the origin used for load balancing. Required if `priority` is provided.
|
**Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enabled` | bool | `True` | Whether the origin is enabled for load balancing. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `httpPort` | int | `80` | The HTTP port of the origin. |
-| `httpsPort` | int | `443` | The HTTPS port of the origin. |
-| `originHostHeader` | string | | The host header value sent to the origin. |
-| `privateLinkResourceId` | string | | The private link resource ID of the origin. |
-| `profileName` | string | `'default'` | The name of the CDN profile. Default to "default". |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enabled`](#parameter-enabled) | bool | Whether the origin is enabled for load balancing. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`httpPort`](#parameter-httpport) | int | The HTTP port of the origin. |
+| [`httpsPort`](#parameter-httpsport) | int | The HTTPS port of the origin. |
+| [`originHostHeader`](#parameter-originhostheader) | string | The host header value sent to the origin. |
+| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The private link resource ID of the origin. |
+| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. Default to "default". |
+
+### Parameter: `enabled`
+
+Whether the origin is enabled for load balancing.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `endpointName`
+
+The name of the CDN Endpoint.
+- Required: Yes
+- Type: string
+
+### Parameter: `hostName`
+
+The hostname of the origin.
+- Required: Yes
+- Type: string
+
+### Parameter: `httpPort`
+
+The HTTP port of the origin.
+- Required: No
+- Type: int
+- Default: `80`
+
+### Parameter: `httpsPort`
+
+The HTTPS port of the origin.
+- Required: No
+- Type: int
+- Default: `443`
+
+### Parameter: `name`
+
+The name of the origin.
+- Required: Yes
+- Type: string
+
+### Parameter: `originHostHeader`
+
+The host header value sent to the origin.
+- Required: Yes
+- Type: string
+
+### Parameter: `priority`
+
+The priority of origin in given origin group for load balancing. Required if `weight` is provided.
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `privateLinkAlias`
+
+The private link alias of the origin. Required if privateLinkLocation is provided.
+- Required: Yes
+- Type: string
+
+### Parameter: `privateLinkLocation`
+
+The private link location of the origin. Required if privateLinkAlias is provided.
+- Required: Yes
+- Type: string
+
+### Parameter: `privateLinkResourceId`
+
+The private link resource ID of the origin.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileName`
+
+The name of the CDN profile. Default to "default".
+- Required: No
+- Type: string
+- Default: `'default'`
+
+### Parameter: `weight`
+
+The weight of the origin used for load balancing. Required if `priority` is provided.
+- Required: No
+- Type: int
+- Default: `-1`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the endpoint. |
diff --git a/modules/cdn/profile/origingroup/README.md b/modules/cdn/profile/origingroup/README.md
index fd8396cd17..0ba329cf7b 100644
--- a/modules/cdn/profile/origingroup/README.md
+++ b/modules/cdn/profile/origingroup/README.md
@@ -20,26 +20,80 @@ This module deploys a CDN Profile Origin Group.
**Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
| :-- | :-- | :-- |
-| `loadBalancingSettings` | object | Load balancing settings for a backend pool. |
-| `name` | string | The name of the origin group. |
-| `origins` | array | The list of origins within the origin group. |
-| `profileName` | string | The name of the CDN profile. |
+| [`loadBalancingSettings`](#parameter-loadbalancingsettings) | object | Load balancing settings for a backend pool. |
+| [`name`](#parameter-name) | string | The name of the origin group. |
+| [`origins`](#parameter-origins) | array | The list of origins within the origin group. |
+| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
**Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `healthProbeSettings` | object | `{object}` | | Health probe settings to the origin that is used to determine the health of the origin. |
-| `sessionAffinityState` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether to allow session affinity on this host. |
-| `trafficRestorationTimeToHealedOrNewEndpointsInMinutes` | int | `10` | | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`healthProbeSettings`](#parameter-healthprobesettings) | object | Health probe settings to the origin that is used to determine the health of the origin.
|
+| [`sessionAffinityState`](#parameter-sessionaffinitystate) | string | Whether to allow session affinity on this host. |
+| [`trafficRestorationTimeToHealedOrNewEndpointsInMinutes`](#parameter-trafficrestorationtimetohealedornewendpointsinminutes) | int | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `healthProbeSettings`
+
+Health probe settings to the origin that is used to determine the health of the origin.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `loadBalancingSettings`
+
+Load balancing settings for a backend pool.
+- Required: Yes
+- Type: object
+
+### Parameter: `name`
+
+The name of the origin group.
+- Required: Yes
+- Type: string
+
+### Parameter: `origins`
+
+The list of origins within the origin group.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `profileName`
+
+The name of the CDN profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `sessionAffinityState`
+
+Whether to allow session affinity on this host.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `trafficRestorationTimeToHealedOrNewEndpointsInMinutes`
+
+Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.
+- Required: No
+- Type: int
+- Default: `10`
## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
| :-- | :-- | :-- |
| `location` | string | The location the resource was deployed into. |
| `name` | string | The name of the origin group. |
diff --git a/modules/cdn/profile/origingroup/origin/README.md b/modules/cdn/profile/origingroup/origin/README.md
index 260e7846fb..fd6cf7110b 100644
--- a/modules/cdn/profile/origingroup/origin/README.md
+++ b/modules/cdn/profile/origingroup/origin/README.md
@@ -19,31 +19,119 @@ This module deploys a CDN Profile Origin.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `hostName` | string | The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. |
-| `name` | string | The name of the origion. |
-| `originGroupName` | string | The name of the group. |
-| `profileName` | string | The name of the CDN profile. |
+| [`hostName`](#parameter-hostname) | string | The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. |
+| [`name`](#parameter-name) | string | The name of the origion. |
+| [`originGroupName`](#parameter-origingroupname) | string | The name of the group. |
+| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enabledState` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. |
-| `enforceCertificateNameCheck` | bool | `True` | | Whether to enable certificate name check at origin level. |
-| `httpPort` | int | `80` | | The value of the HTTP port. Must be between 1 and 65535. |
-| `httpsPort` | int | `443` | | The value of the HTTPS port. Must be between 1 and 65535. |
-| `originHostHeader` | string | `''` | | The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. 
Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. |
-| `priority` | int | `1` | | Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. |
-| `sharedPrivateLinkResource` | object | `{object}` | | The properties of the private link resource for private origin. |
-| `weight` | int | `1000` | | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enabledState`](#parameter-enabledstate) | string | Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. |
+| [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | bool | Whether to enable certificate name check at origin level. |
+| [`httpPort`](#parameter-httpport) | int | The value of the HTTP port. Must be between 1 and 65535. |
+| [`httpsPort`](#parameter-httpsport) | int | The value of the HTTPS port. Must be between 1 and 65535. |
+| [`originHostHeader`](#parameter-originhostheader) | string | The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. |
+| [`priority`](#parameter-priority) | int | Priority of origin in given origin group for load balancing. 
Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. |
+| [`sharedPrivateLinkResource`](#parameter-sharedprivatelinkresource) | object | The properties of the private link resource for private origin. |
+| [`weight`](#parameter-weight) | int | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enabledState`
+
+Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `enforceCertificateNameCheck`
+
+Whether to enable certificate name check at origin level.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `hostName`
+
+The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.
+- Required: Yes
+- Type: string
+
+### Parameter: `httpPort`
+
+The value of the HTTP port. Must be between 1 and 65535.
+- Required: No
+- Type: int
+- Default: `80`
+
+### Parameter: `httpsPort`
+
+The value of the HTTPS port. Must be between 1 and 65535.
+- Required: No
+- Type: int
+- Default: `443`
+
+### Parameter: `name`
+
+The name of the origion.
+- Required: Yes
+- Type: string
+
+### Parameter: `originGroupName`
+
+The name of the group.
+- Required: Yes
+- Type: string
+
+### Parameter: `originHostHeader`
+
+The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. 
Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `priority`
+
+Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `profileName`
+
+The name of the CDN profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `sharedPrivateLinkResource`
+
+The properties of the private link resource for private origin.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `weight`
+
+Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.
+- Required: No
+- Type: int
+- Default: `1000`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the origin. |
 | `resourceGroupName` | string | The name of the resource group the origin was created in. |
diff --git a/modules/cdn/profile/ruleset/README.md b/modules/cdn/profile/ruleset/README.md
index de4783b188..e7dc4c15de 100644
--- a/modules/cdn/profile/ruleset/README.md
+++ b/modules/cdn/profile/ruleset/README.md
@@ -20,27 +20,53 @@ This module deploys a CDN Profile rule set.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the rule set. |
-| `profileName` | string | The name of the CDN profile. |
+| [`name`](#parameter-name) | string | The name of the rule set. |
+| [`profileName`](#parameter-profilename) | string | The name of the CDN profile. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 **Optinal parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `rules` | array | The rules to apply to the rule set. |
+| [`rules`](#parameter-rules) | array | The rules to apply to the rule set. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the rule set.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileName`
+
+The name of the CDN profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `rules`
+
+The rules to apply to the rule set.
+- Required: No
+- Type: array
+- Default: `[]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the rule set. |
 | `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
diff --git a/modules/cdn/profile/ruleset/rule/README.md b/modules/cdn/profile/ruleset/rule/README.md
index 9fbaa502eb..53201f8cfb 100644
--- a/modules/cdn/profile/ruleset/rule/README.md
+++ b/modules/cdn/profile/ruleset/rule/README.md 
@@ -19,26 +19,78 @@ This module deploys a CDN Profile rule.
 **Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `matchProcessingBehavior` | string | `[Continue, Stop]` | If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. |
-| `name` | string | | The name of the rule. |
-| `order` | int | | The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order. |
-| `profileName` | string | | The name of the profile. |
-| `ruleSetName` | string | | The name of the rule set. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`matchProcessingBehavior`](#parameter-matchprocessingbehavior) | string | If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. |
+| [`name`](#parameter-name) | string | The name of the rule. |
+| [`order`](#parameter-order) | int | The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order. |
+| [`profileName`](#parameter-profilename) | string | The name of the profile. |
+| [`ruleSetName`](#parameter-rulesetname) | string | The name of the rule set. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `actions` | array | `[]` | A list of actions that are executed when all the conditions of a rule are satisfied. |
-| `conditions` | array | `[]` | A list of conditions that must be matched for the actions to be executed. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`actions`](#parameter-actions) | array | A list of actions that are executed when all the conditions of a rule are satisfied. 
|
+| [`conditions`](#parameter-conditions) | array | A list of conditions that must be matched for the actions to be executed. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+
+### Parameter: `actions`
+
+A list of actions that are executed when all the conditions of a rule are satisfied.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `conditions`
+
+A list of conditions that must be matched for the actions to be executed.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `matchProcessingBehavior`
+
+If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.
+- Required: Yes
+- Type: string
+- Allowed: `[Continue, Stop]`
+
+### Parameter: `name`
+
+The name of the rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `order`
+
+The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order.
+- Required: Yes
+- Type: int
+
+### Parameter: `profileName`
+
+The name of the profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `ruleSetName`
+
+The name of the rule set.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the rule. |
 | `resourceGroupName` | string | The name of the resource group the custom domain was created in. |
diff --git a/modules/cdn/profile/secret/README.md b/modules/cdn/profile/secret/README.md
index 4f1a1f6161..9156b542e5 100644
--- a/modules/cdn/profile/secret/README.md
+++ b/modules/cdn/profile/secret/README.md
@@ -19,31 +19,86 @@ This module deploys a CDN Profile Secret.
 **Required parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `name` | string | | | The name of the secrect. |
-| `type` | string | `'AzureFirstPartyManagedCertificate'` | `[AzureFirstPartyManagedCertificate, CustomerCertificate, ManagedCertificate, UrlSigningKey]` | The type of the secrect. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | The name of the secrect. |
+| [`type`](#parameter-type) | string | The type of the secrect. |
 **Conditional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `profileName` | string | | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
-| `secretSourceResourceId` | string | `''` | The resource ID of the secrect source. Required if the type is CustomerCertificate. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`profileName`](#parameter-profilename) | string | The name of the parent CDN profile. Required if the template is used in a standalone deployment. |
+| [`secretSourceResourceId`](#parameter-secretsourceresourceid) | string | The resource ID of the secrect source. Required if the type is CustomerCertificate. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `secretVersion` | string | `''` | The version of the secret. |
-| `subjectAlternativeNames` | array | `[]` | The subject alternative names of the secrect. |
-| `useLatestVersion` | bool | `False` | Indicates whether to use the latest version of the secrect. 
|
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`secretVersion`](#parameter-secretversion) | string | The version of the secret. |
+| [`subjectAlternativeNames`](#parameter-subjectalternativenames) | array | The subject alternative names of the secrect. |
+| [`useLatestVersion`](#parameter-uselatestversion) | bool | Indicates whether to use the latest version of the secrect. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the secrect.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileName`
+
+The name of the parent CDN profile. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `secretSourceResourceId`
+
+The resource ID of the secrect source. Required if the type is CustomerCertificate.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `secretVersion`
+
+The version of the secret.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `subjectAlternativeNames`
+
+The subject alternative names of the secrect.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `type`
+
+The type of the secrect.
+- Required: No
+- Type: string
+- Default: `'AzureFirstPartyManagedCertificate'`
+- Allowed: `[AzureFirstPartyManagedCertificate, CustomerCertificate, ManagedCertificate, UrlSigningKey]`
+
+### Parameter: `useLatestVersion`
+
+Indicates whether to use the latest version of the secrect.
+- Required: No
+- Type: bool
+- Default: `False`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the secrect. |
 | `resourceGroupName` | string | The name of the resource group the secret was created in. |
diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep
index 0802ae9df8..39d0bbbd26 100644
--- a/modules/cognitive-services/account/.test/common/main.test.bicep
+++ b/modules/cognitive-services/account/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cognitive-services/account/.test/min/main.test.bicep b/modules/cognitive-services/account/.test/min/main.test.bicep
index 727b9a5a92..c24b67f868 100644
--- a/modules/cognitive-services/account/.test/min/main.test.bicep
+++ b/modules/cognitive-services/account/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md
index 93f229c9e9..1d92f15fb0 100644
--- a/modules/cognitive-services/account/README.md
+++ b/modules/cognitive-services/account/README.md
@@ -4,14 +4,14 @@ This module deploys a Cognitive Service.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -22,91 +22,30 @@ This module deploys a Cognitive Service. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `kind` | string | `[AnomalyDetector, Bing.Autosuggest.v7, Bing.CustomSearch, Bing.EntitySearch, Bing.Search.v7, Bing.SpellCheck.v7, CognitiveServices, ComputerVision, ContentModerator, CustomVision.Prediction, CustomVision.Training, Face, FormRecognizer, ImmersiveReader, Internal.AllInOne, LUIS, LUIS.Authoring, Personalizer, QnAMaker, SpeechServices, TextAnalytics, TextTranslation]` | Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | -| `name` | string | | The name of Cognitive Services account. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Conditional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/cognitive-services.account:1.0.0`. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. 
| -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | -| `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. | -| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) +- [Speech](#example-4-speech) -**Optional parameters** +### Example 1: _Using large parameter set_ -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowedFqdnList` | array | `[]` | | List of allowed FQDN. | -| `apiProperties` | object | `{object}` | | The API properties for special APIs. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Audit, RequestResponse]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | -| `dynamicThrottlingEnabled` | bool | `False` | | The flag to enable dynamic throttling. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `migrationToken` | string | `''` | | Resource migration token. | -| `networkAcls` | object | `{object}` | | A collection of rules governing the accessibility from specific network locations. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | -| `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | -| `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'S0'` | `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userOwnedStorage` | array | `[]` | | The storage accounts for this resource. | - - -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `endpoint` | string | The service endpoint of the cognitive services account. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the cognitive services account. | -| `resourceGroupName` | string | The resource group the cognitive services account was deployed into. | -| `resourceId` | string | The resource ID of the cognitive services account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module account './cognitive-services/account/main.bicep' = { +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csacom' params: { // Required parameters @@ -284,14 +223,14 @@ module account './cognitive-services/account/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module account './cognitive-services/account/main.bicep' = { +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csaencr' params: { // Required parameters @@ -365,14 +304,17 @@ module account './cognitive-services/account/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module account './cognitive-services/account/main.bicep' = { +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csamin' params: { // Required parameters @@ -414,14 +356,14 @@ module account './cognitive-services/account/main.bicep' = {

-

Example 4: Speech

+### Example 4: _Speech_
via Bicep module ```bicep -module account './cognitive-services/account/main.bicep' = { +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csaspeech' params: { // Required parameters @@ -530,6 +472,311 @@ module account './cognitive-services/account/main.bicep' = {

+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-kind) | string | Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. |
+| [`name`](#parameter-name) | string | The name of Cognitive Services account. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
+| [`customSubDomainName`](#parameter-customsubdomainname) | string | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`allowedFqdnList`](#parameter-allowedfqdnlist) | array | List of allowed FQDN. |
+| [`apiProperties`](#parameter-apiproperties) | object | The API properties for special APIs. |
+| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. |
+| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, latest is used. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Allow only Azure AD authentication. Should be enabled for security reasons. |
+| [`dynamicThrottlingEnabled`](#parameter-dynamicthrottlingenabled) | bool | The flag to enable dynamic throttling. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all Resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`migrationToken`](#parameter-migrationtoken) | string | Resource migration token. |
+| [`networkAcls`](#parameter-networkacls) | object | A collection of rules governing the accessibility from specific network locations. |
+| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. |
+| [`restore`](#parameter-restore) | bool | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. |
+| [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | bool | Restrict outbound network access. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`sku`](#parameter-sku) | string | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`userOwnedStorage`](#parameter-userownedstorage) | array | The storage accounts for this resource. |
+
+### Parameter: `allowedFqdnList`
+
+List of allowed FQDN.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `apiProperties`
+
+The API properties for special APIs.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `cMKKeyName`
+
+The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, latest is used.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKUserAssignedIdentityResourceId`
+
+User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `customSubDomainName`
+
+Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, Audit, RequestResponse]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disableLocalAuth`
+
+Allow only Azure AD authentication. Should be enabled for security reasons.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `dynamicThrottlingEnabled`
+
+The flag to enable dynamic throttling.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `kind`
+
+Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region.
+- Required: Yes
+- Type: string
+- Allowed: `[AnomalyDetector, Bing.Autosuggest.v7, Bing.CustomSearch, Bing.EntitySearch, Bing.Search.v7, Bing.SpellCheck.v7, CognitiveServices, ComputerVision, ContentModerator, CustomVision.Prediction, CustomVision.Training, Face, FormRecognizer, ImmersiveReader, Internal.AllInOne, LUIS, LUIS.Authoring, Personalizer, QnAMaker, SpeechServices, TextAnalytics, TextTranslation]`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `migrationToken`
+
+Resource migration token.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+The name of Cognitive Services account.
+- Required: Yes
+- Type: string
+
+### Parameter: `networkAcls`
+
+A collection of rules governing the accessibility from specific network locations.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `privateEndpoints`
+
+Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicNetworkAccess`
+
+Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Disabled, Enabled]`
+
+### Parameter: `restore`
+
+Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `restrictOutboundNetworkAccess`
+
+Restrict outbound network access.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `sku`
+
+SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region.
+- Required: No
+- Type: string
+- Default: `'S0'`
+- Allowed: `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userOwnedStorage`
+
+The storage accounts for this resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `endpoint` | string | The service endpoint of the cognitive services account. |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the cognitive services account. |
+| `resourceGroupName` | string | The resource group the cognitive services account was deployed into. |
+| `resourceId` | string | The resource ID of the cognitive services account. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+ +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | + ## Notes Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index bf739e9b56..cbee7b00f2 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11205324681033433198" + "version": "0.22.6.54827", + "templateHash": "13442875800072342008" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", @@ -452,8 +452,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -652,8 +652,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -790,8 +790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1004,8 +1004,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8402203115964616978" + "version": "0.22.6.54827", + "templateHash": "2121072685211673304" } }, "parameters": { 
diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/.test/common/main.test.bicep index 6bece2dc2d..ae1d4d2684 100644 --- a/modules/compute/availability-set/.test/common/main.test.bicep +++ b/modules/compute/availability-set/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/availability-set/.test/min/main.test.bicep b/modules/compute/availability-set/.test/min/main.test.bicep index 440148ac96..9160e72cc4 100644 --- a/modules/compute/availability-set/.test/min/main.test.bicep +++ b/modules/compute/availability-set/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 795e47aef4..84aafa7e4b 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -4,13 +4,13 @@ This module deploys an Availability Set. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,57 +18,28 @@ This module deploys an Availability Set. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Compute/availabilitySets` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/availabilitySets) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the availability set that is being created. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `platformFaultDomainCount` | int | `2` | | The number of fault domains to use. | -| `platformUpdateDomainCount` | int | `5` | | The number of update domains to use. | -| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuName` | string | `'Aligned'` | | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | -| `tags` | object | `{object}` | | Tags of the availability set resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the availability set. | -| `resourceGroupName` | string | The resource group the availability set was deployed into. | -| `resourceId` | string | The resource ID of the availability set. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.availability-set:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module availabilitySet './compute/availability-set/main.bicep' = { +module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cascom' params: { // Required parameters @@ -146,14 +117,17 @@ module availabilitySet './compute/availability-set/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module availabilitySet './compute/availability-set/main.bicep' = { +module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-casmin' params: { // Required parameters @@ -190,3 +164,110 @@ module availabilitySet './compute/availability-set/main.bicep' = {

 
+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | The name of the availability set that is being created. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Resource location. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`platformFaultDomainCount`](#parameter-platformfaultdomaincount) | int | The number of fault domains to use. |
+| [`platformUpdateDomainCount`](#parameter-platformupdatedomaincount) | int | The number of update domains to use. |
+| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`skuName`](#parameter-skuname) | string | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | +| [`tags`](#parameter-tags) | object | Tags of the availability set resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Resource location. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the availability set that is being created. +- Required: Yes +- Type: string + +### Parameter: `platformFaultDomainCount` + +The number of fault domains to use. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `platformUpdateDomainCount` + +The number of update domains to use. +- Required: No +- Type: int +- Default: `5` + +### Parameter: `proximityPlacementGroupResourceId` + +Resource ID of a proximity placement group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. +- Required: No +- Type: string +- Default: `'Aligned'` + +### Parameter: `tags` + +Tags of the availability set resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the availability set. | +| `resourceGroupName` | string | The resource group the availability set was deployed into. | +| `resourceId` | string | The resource ID of the availability set. | + +## Cross-referenced modules + +_None_ diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json index 0f7753fa37..19bcaa1b81 100644 --- a/modules/compute/availability-set/main.json +++ b/modules/compute/availability-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5171259001608994511" + "version": "0.22.6.54827", + "templateHash": "9507883477012630410" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", @@ -165,8 +165,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12543587259073888483" + "version": "0.22.6.54827", + "templateHash": "5622639352313082546" } }, "parameters": { diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index 5b54d45427..a6ad758a86 100644 --- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index beee32ad5d..c6bac4b9e8 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -4,13 +4,13 @@ This module deploys a Disk Encryption Set. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,73 +20,25 @@ This module deploys a Disk Encryption Set. | `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | | `Microsoft.ManagedIdentity/userAssignedIdentities` | [2018-11-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `keyName` | string | Key URL (with version) pointing to a key or secret in KeyVault. | -| `keyVaultResourceId` | string | Resource ID of the KeyVault containing the key or secret. | -| `name` | string | The name of the disk encryption set that is being created. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `systemAssignedIdentity` | bool | `True` | Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty. | -| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false". | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. | -| `federatedClientId` | string | `'None'` | | Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. 
| -| `keyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `rotationToLatestKeyVersionEnabled` | bool | `False` | | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | -| `tags` | object | `{object}` | | Tags of the disk encryption resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `identities` | object | The idenities of the disk encryption set. | -| `keyVaultName` | string | The name of the key vault with the disk encryption key. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the disk encryption set. | -| `principalId` | string | The principal ID of the disk encryption set. | -| `resourceGroupName` | string | The resource group the disk encryption set was deployed into. | -| `resourceId` | string | The resource ID of the disk encryption set. 
| +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk-encryption-set:1.0.0`. -## Cross-referenced modules +- [Accesspolicies](#example-1-accesspolicies) +- [Using large parameter set](#example-2-using-large-parameter-set) -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `key-vault/vault/access-policy` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Accesspolicies

+### Example 1: _Accesspolicies_
via Bicep module ```bicep -module diskEncryptionSet './compute/disk-encryption-set/main.bicep' = { +module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cdesap' params: { // Required parameters @@ -176,14 +128,17 @@ module diskEncryptionSet './compute/disk-encryption-set/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module diskEncryptionSet './compute/disk-encryption-set/main.bicep' = { +module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cdescom' params: { // Required parameters @@ -276,3 +231,153 @@ module diskEncryptionSet './compute/disk-encryption-set/main.bicep' = {

 
+
+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`keyName`](#parameter-keyname) | string | Key URL (with version) pointing to a key or secret in KeyVault. |
+| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | Resource ID of the KeyVault containing the key or secret. |
+| [`name`](#parameter-name) | string | The name of the disk encryption set that is being created. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false". |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`encryptionType`](#parameter-encryptiontype) | string | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
+| [`federatedClientId`](#parameter-federatedclientid) | string | Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. |
+| [`keyVersion`](#parameter-keyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| [`location`](#parameter-location) | string | Resource location. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
+| [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `encryptionType`
+
+The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.
+- Required: No
+- Type: string
+- Default: `'EncryptionAtRestWithPlatformAndCustomerKeys'`
+- Allowed: `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]`
+
+### Parameter: `federatedClientId`
+
+Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property.
+- Required: No
+- Type: string
+- Default: `'None'`
+
+### Parameter: `keyName`
+
+Key URL (with version) pointing to a key or secret in KeyVault.
+- Required: Yes
+- Type: string
+
+### Parameter: `keyVaultResourceId`
+
+Resource ID of the KeyVault containing the key or secret.
+- Required: Yes
+- Type: string
+
+### Parameter: `keyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Resource location. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the disk encryption set that is being created. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `rotationToLatestKeyVersionEnabled` + +Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `tags` + +Tags of the disk encryption resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false". +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `identities` | object | The idenities of the disk encryption set. | +| `keyVaultName` | string | The name of the key vault with the disk encryption key. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the disk encryption set. 
| +| `principalId` | string | The principal ID of the disk encryption set. | +| `resourceGroupName` | string | The resource group the disk encryption set was deployed into. | +| `resourceId` | string | The resource ID of the disk encryption set. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/key-vault/vault/access-policy` | Local reference | diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json index 64d9b15bb7..d695c7fa4b 100644 --- a/modules/compute/disk-encryption-set/main.json +++ b/modules/compute/disk-encryption-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18377917753202643188" + "version": "0.22.6.54827", + "templateHash": "2262193414925411787" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", @@ -210,8 +210,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1230112027833486150" + "version": "0.22.6.54827", + "templateHash": "17441180682016270247" } }, "parameters": { @@ -286,8 +286,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7222366309271203422" + "version": "0.22.6.54827", + "templateHash": "7398650593557443106" } }, "parameters": { @@ -358,8 +358,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10458348557666655329" + "version": "0.22.6.54827", + "templateHash": "2131300650084383528" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", 
@@ -492,8 +492,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13165233376501361165"
+ "version": "0.22.6.54827",
+ "templateHash": "17225067072833999246"
 }
 },
 "parameters": {
diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/.test/common/main.test.bicep
index 7b06f5ded0..aa9864c7ed 100644
--- a/modules/compute/disk/.test/common/main.test.bicep
+++ b/modules/compute/disk/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/compute/disk/.test/min/main.test.bicep b/modules/compute/disk/.test/min/main.test.bicep
index 15661b44b4..6a69bbe644 100644
--- a/modules/compute/disk/.test/min/main.test.bicep
+++ b/modules/compute/disk/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md
index 1c03c30837..1443faa26e 100644
--- a/modules/compute/disk/README.md
+++ b/modules/compute/disk/README.md
@@ -5,10 +5,10 @@ This module deploys a Compute Disk
 
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
@@ -18,80 +18,30 @@ This module deploys a Compute Disk | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Compute/disks` | [2022-07-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-07-02/disks) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | The name of the disk that is being created. | -| `sku` | string | `[Premium_LRS, Premium_ZRS, Premium_ZRS, PremiumV2_LRS, Standard_LRS, StandardSSD_LRS, UltraSSD_LRS]` | The disks sku name. Can be . | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Conditional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `diskSizeGB` | int | `0` | The size of the disk to create. Required if create option is Empty. | -| `storageAccountId` | string | `''` | The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk:1.0.0`. -**Optional parameters** +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Image](#example-2-image) +- [Import](#example-3-import) +- [Using only defaults](#example-4-using-only-defaults) -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `acceleratedNetwork` | bool | `False` | | True if the image from which the OS disk is created supports accelerated networking. 
| -| `architecture` | string | `''` | `['', Arm64, x64]` | CPU architecture supported by an OS disk. | -| `burstingEnabled` | bool | `False` | | Set to true to enable bursting beyond the provisioned performance target of the disk. | -| `completionPercent` | int | `100` | | Percentage complete for the background copy when a resource is created via the CopyStart operation. | -| `createOption` | string | `'Empty'` | `[Attach, Copy, CopyStart, Empty, FromImage, Import, ImportSecure, Restore, Upload, UploadPreparedSecure]` | Sources of a disk creation. | -| `diskIOPSReadWrite` | int | `0` | | The number of IOPS allowed for this disk; only settable for UltraSSD disks. | -| `diskMBpsReadWrite` | int | `0` | | The bandwidth allowed for this disk; only settable for UltraSSD disks. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hyperVGeneration` | string | `'V2'` | `[V1, V2]` | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. | -| `imageReferenceId` | string | `''` | | A relative uri containing either a Platform Image Repository or user image reference. | -| `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `logicalSectorSize` | int | `4096` | | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. | -| `maxShares` | int | `1` | | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. | -| `networkAccessPolicy` | string | `'DenyAll'` | `[AllowAll, AllowPrivate, DenyAll]` | Policy for accessing the disk via network. | -| `optimizedForFrequentAttach` | bool | `False` | | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. 
This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. | -| `osType` | string | `''` | `['', Linux, Windows]` | Sources of a disk creation. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Policy for controlling export on the disk. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securityDataUri` | string | `''` | | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. | -| `sourceResourceId` | string | `''` | | If create option is Copy, this is the ARM ID of the source snapshot or disk. | -| `sourceUri` | string | `''` | | If create option is Import, this is the URI of a blob to be imported into a managed disk. | -| `tags` | object | `{object}` | | Tags of the availability set resource. | -| `uploadSizeBytes` | int | `20972032` | | If create option is Upload, this is the size of the contents of the upload including the VHD footer. | +### Example 1: _Using large parameter set_ +This instance deploys the module with most of its features enabled. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the disk. | -| `resourceGroupName` | string | The resource group the disk was deployed into. | -| `resourceId` | string | The resource ID of the disk. 
| - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

 via Bicep module
 ```bicep
-module disk './compute/disk/main.bicep' = {
+module disk 'br:bicep/modules/compute.disk:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cdcom'
 params: {
 // Required parameters
@@ -193,14 +143,14 @@ module disk './compute/disk/main.bicep' = {

-

Example 2: Image

+### Example 2: _Image_
 via Bicep module
 ```bicep
-module disk './compute/disk/main.bicep' = {
+module disk 'br:bicep/modules/compute.disk:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cdimg'
 params: {
 // Required parameters
@@ -282,14 +232,14 @@ module disk './compute/disk/main.bicep' = {

-

Example 3: Import

+### Example 3: _Import_
 via Bicep module
 ```bicep
-module disk './compute/disk/main.bicep' = {
+module disk 'br:bicep/modules/compute.disk:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cdimp'
 params: {
 // Required parameters
@@ -375,14 +325,17 @@ module disk './compute/disk/main.bicep' = {

-

Example 4: Min

+### Example 4: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
 via Bicep module
 ```bicep
-module disk './compute/disk/main.bicep' = {
+module disk 'br:bicep/modules/compute.disk:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cdmin'
 params: {
 // Required parameters
@@ -427,3 +380,265 @@ module disk './compute/disk/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the disk that is being created. | +| [`sku`](#parameter-sku) | string | The disks sku name. Can be . | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diskSizeGB`](#parameter-disksizegb) | int | The size of the disk to create. Required if create option is Empty. | +| [`storageAccountId`](#parameter-storageaccountid) | string | The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`acceleratedNetwork`](#parameter-acceleratednetwork) | bool | True if the image from which the OS disk is created supports accelerated networking. | +| [`architecture`](#parameter-architecture) | string | CPU architecture supported by an OS disk. | +| [`burstingEnabled`](#parameter-burstingenabled) | bool | Set to true to enable bursting beyond the provisioned performance target of the disk. | +| [`completionPercent`](#parameter-completionpercent) | int | Percentage complete for the background copy when a resource is created via the CopyStart operation. | +| [`createOption`](#parameter-createoption) | string | Sources of a disk creation. | +| [`diskIOPSReadWrite`](#parameter-diskiopsreadwrite) | int | The number of IOPS allowed for this disk; only settable for UltraSSD disks. | +| [`diskMBpsReadWrite`](#parameter-diskmbpsreadwrite) | int | The bandwidth allowed for this disk; only settable for UltraSSD disks. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hyperVGeneration`](#parameter-hypervgeneration) | string | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. 
| +| [`imageReferenceId`](#parameter-imagereferenceid) | string | A relative uri containing either a Platform Image Repository or user image reference. | +| [`location`](#parameter-location) | string | Resource location. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`logicalSectorSize`](#parameter-logicalsectorsize) | int | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. | +| [`maxShares`](#parameter-maxshares) | int | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. | +| [`networkAccessPolicy`](#parameter-networkaccesspolicy) | string | Policy for accessing the disk via network. | +| [`optimizedForFrequentAttach`](#parameter-optimizedforfrequentattach) | bool | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. | +| [`osType`](#parameter-ostype) | string | Sources of a disk creation. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Policy for controlling export on the disk. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securityDataUri`](#parameter-securitydatauri) | string | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. 
| +| [`sourceResourceId`](#parameter-sourceresourceid) | string | If create option is Copy, this is the ARM ID of the source snapshot or disk. | +| [`sourceUri`](#parameter-sourceuri) | string | If create option is Import, this is the URI of a blob to be imported into a managed disk. | +| [`tags`](#parameter-tags) | object | Tags of the availability set resource. | +| [`uploadSizeBytes`](#parameter-uploadsizebytes) | int | If create option is Upload, this is the size of the contents of the upload including the VHD footer. | + +### Parameter: `acceleratedNetwork` + +True if the image from which the OS disk is created supports accelerated networking. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `architecture` + +CPU architecture supported by an OS disk. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Arm64, x64]` + +### Parameter: `burstingEnabled` + +Set to true to enable bursting beyond the provisioned performance target of the disk. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `completionPercent` + +Percentage complete for the background copy when a resource is created via the CopyStart operation. +- Required: No +- Type: int +- Default: `100` + +### Parameter: `createOption` + +Sources of a disk creation. +- Required: No +- Type: string +- Default: `'Empty'` +- Allowed: `[Attach, Copy, CopyStart, Empty, FromImage, Import, ImportSecure, Restore, Upload, UploadPreparedSecure]` + +### Parameter: `diskIOPSReadWrite` + +The number of IOPS allowed for this disk; only settable for UltraSSD disks. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `diskMBpsReadWrite` + +The bandwidth allowed for this disk; only settable for UltraSSD disks. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `diskSizeGB` + +The size of the disk to create. Required if create option is Empty. 
+- Required: No +- Type: int +- Default: `0` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hyperVGeneration` + +The hypervisor generation of the Virtual Machine. Applicable to OS disks only. +- Required: No +- Type: string +- Default: `'V2'` +- Allowed: `[V1, V2]` + +### Parameter: `imageReferenceId` + +A relative uri containing either a Platform Image Repository or user image reference. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Resource location. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `logicalSectorSize` + +Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. +- Required: No +- Type: int +- Default: `4096` + +### Parameter: `maxShares` + +The maximum number of VMs that can attach to the disk at the same time. Default value is 0. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `name` + +The name of the disk that is being created. +- Required: Yes +- Type: string + +### Parameter: `networkAccessPolicy` + +Policy for accessing the disk via network. +- Required: No +- Type: string +- Default: `'DenyAll'` +- Allowed: `[AllowAll, AllowPrivate, DenyAll]` + +### Parameter: `optimizedForFrequentAttach` + +Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `osType` + +Sources of a disk creation. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Linux, Windows]` + +### Parameter: `publicNetworkAccess` + +Policy for controlling export on the disk. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securityDataUri` + +If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sku` + +The disks sku name. Can be . +- Required: Yes +- Type: string +- Allowed: `[Premium_LRS, Premium_ZRS, Premium_ZRS, PremiumV2_LRS, Standard_LRS, StandardSSD_LRS, UltraSSD_LRS]` + +### Parameter: `sourceResourceId` + +If create option is Copy, this is the ARM ID of the source snapshot or disk. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceUri` + +If create option is Import, this is the URI of a blob to be imported into a managed disk. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageAccountId` + +The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the availability set resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `uploadSizeBytes` + +If create option is Upload, this is the size of the contents of the upload including the VHD footer. 
+- Required: No
+- Type: int
+- Default: `20972032`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the disk. |
+| `resourceGroupName` | string | The resource group the disk was deployed into. |
+| `resourceId` | string | The resource ID of the disk. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json
index 39c388e7bf..84ea41a567 100644
--- a/modules/compute/disk/main.json
+++ b/modules/compute/disk/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5862388830070369227"
+ "version": "0.22.6.54827",
+ "templateHash": "12764361220335313353"
 },
 "name": "Compute Disks",
 "description": "This module deploys a Compute Disk",
@@ -353,8 +353,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15033488944608271524"
+ "version": "0.22.6.54827",
+ "templateHash": "9743538331774034121"
 }
 },
 "parameters": {
diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/.test/common/main.test.bicep
index 7d1d8b24e4..661d7c9463 100644
--- a/modules/compute/gallery/.test/common/main.test.bicep
+++ b/modules/compute/gallery/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/compute/gallery/.test/min/main.test.bicep b/modules/compute/gallery/.test/min/main.test.bicep
index df2b8e1bfb..363ba87906 100644
--- a/modules/compute/gallery/.test/min/main.test.bicep
+++ b/modules/compute/gallery/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md
index 361dfefa38..61b8789f43 100644
--- a/modules/compute/gallery/README.md
+++ b/modules/compute/gallery/README.md
@@ -5,10 +5,10 @@ This module deploys an Azure Compute Gallery (formerly known as Shared Image Gal
 
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
@@ -20,56 +20,28 @@ This module deploys an Azure Compute Gallery (formerly known as Shared Image Gal | `Microsoft.Compute/galleries/applications` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/applications) | | `Microsoft.Compute/galleries/images` | [2022-03-03](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/images) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Azure Compute Gallery. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `applications` | array | `[]` | | Applications to create. | -| `description` | string | `''` | | Description of the Azure Shared Image Gallery. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `images` | array | `[]` | | Images to create. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags for all resources. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
-## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed image gallery. | -| `resourceGroupName` | string | The resource group of the deployed image gallery. | -| `resourceId` | string | The resource ID of the deployed image gallery. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.gallery:1.0.0`. -## Cross-referenced modules +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -_None_ +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

 via Bicep module
 ```bicep
-module gallery './compute/gallery/main.bicep' = {
+module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cgcom'
 params: {
 // Required parameters
@@ -401,14 +373,17 @@ module gallery './compute/gallery/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
 via Bicep module
 ```bicep
-module gallery './compute/gallery/main.bicep' = {
+module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cgmin'
 params: {
 // Required parameters
@@ -445,3 +420,102 @@ module gallery './compute/gallery/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Azure Compute Gallery. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applications`](#parameter-applications) | array | Applications to create. | +| [`description`](#parameter-description) | string | Description of the Azure Shared Image Gallery. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`images`](#parameter-images) | array | Images to create. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags for all resources. | + +### Parameter: `applications` + +Applications to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +Description of the Azure Shared Image Gallery. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `images` + +Images to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Azure Compute Gallery.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags for all resources.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed image gallery. |
+| `resourceGroupName` | string | The resource group of the deployed image gallery. |
+| `resourceId` | string | The resource ID of the deployed image gallery. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md
index ad83eb42dc..9f581840d4 100644
--- a/modules/compute/gallery/application/README.md
+++ b/modules/compute/gallery/application/README.md
@@ -4,13 +4,13 @@ This module deploys an Azure Compute Gallery Application.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Notes](#Notes)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -21,36 +21,126 @@ This module deploys an Azure Compute Gallery Application. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the application definition. | +| [`name`](#parameter-name) | string | Name of the application definition. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `galleryName` | string | The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. | +| [`galleryName`](#parameter-galleryname) | string | The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `customActions` | array | `[]` | | A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. | -| `description` | string | `''` | | The description of this gallery Application Definition resource. This property is updatable. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endOfLifeDate` | string | `''` | | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | -| `eula` | string | `''` | | The Eula agreement for the gallery Application Definition. Has to be a valid URL. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `privacyStatementUri` | string | `''` | | The privacy statement uri. Has to be a valid URL. | -| `releaseNoteUri` | string | `''` | | The release note uri. Has to be a valid URL. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `supportedOSType` | string | `'Windows'` | `[Linux, Windows]` | This property allows you to specify the supported type of the OS that application is built for. | -| `tags` | object | `{object}` | | Tags for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customActions`](#parameter-customactions) | array | A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. | +| [`description`](#parameter-description) | string | The description of this gallery Application Definition resource. This property is updatable. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`endOfLifeDate`](#parameter-endoflifedate) | string | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | +| [`eula`](#parameter-eula) | string | The Eula agreement for the gallery Application Definition. Has to be a valid URL. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`privacyStatementUri`](#parameter-privacystatementuri) | string | The privacy statement uri. Has to be a valid URL. | +| [`releaseNoteUri`](#parameter-releasenoteuri) | string | The release note uri. Has to be a valid URL. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`supportedOSType`](#parameter-supportedostype) | string | This property allows you to specify the supported type of the OS that application is built for. | +| [`tags`](#parameter-tags) | object | Tags for all resources. | + +### Parameter: `customActions` + +A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +The description of this gallery Application Definition resource. This property is updatable. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endOfLifeDate` + +The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `eula` + +The Eula agreement for the gallery Application Definition. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `galleryName` + +The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the application definition. +- Required: Yes +- Type: string + +### Parameter: `privacyStatementUri` + +The privacy statement uri. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `releaseNoteUri` + +The release note uri. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `supportedOSType` + +This property allows you to specify the supported type of the OS that application is built for. +- Required: No +- Type: string +- Default: `'Windows'` +- Allowed: `[Linux, Windows]` + +### Parameter: `tags` + +Tags for all resources. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the image. | diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json index 723172da86..c845191f4c 100644 --- a/modules/compute/gallery/application/main.json +++ b/modules/compute/gallery/application/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "302763326863799273" + "version": "0.22.6.54827", + "templateHash": "16139720757397534180" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -172,8 +172,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3891555929973685105" + "version": "0.22.6.54827", + "templateHash": "13281580182526787077" } }, "parameters": { diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md index 51ccbb2e93..3ad27fb151 100644 --- a/modules/compute/gallery/image/README.md +++ b/modules/compute/gallery/image/README.md @@ -4,12 +4,12 @@ This module deploys an Azure Compute Gallery Image Definition. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,51 +20,251 @@ This module deploys an Azure Compute Gallery Image Definition. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the image definition. | +| [`name`](#parameter-name) | string | Name of the image definition. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `galleryName` | string | The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. | +| [`galleryName`](#parameter-galleryname) | string | The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | The description of this gallery Image Definition resource. This property is updatable. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endOfLife` | string | `''` | | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | -| `eula` | string | `''` | | The Eula agreement for the gallery Image Definition. Has to be a valid URL. | -| `excludedDiskTypes` | array | `[]` | | List of the excluded disk types. E.g. Standard_LRS. | -| `hyperVGeneration` | string | `''` | `['', V1, V2]` | The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. | -| `isAcceleratedNetworkSupported` | string | `'false'` | `[false, true]` | The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. | -| `isHibernateSupported` | string | `'false'` | `[false, true]` | The image will support hibernation. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `maxRecommendedMemory` | int | `16` | | The maximum amount of RAM in GB recommended for this image. | -| `maxRecommendedvCPUs` | int | `4` | | The maximum number of the CPU cores recommended for this image. | -| `minRecommendedMemory` | int | `4` | | The minimum amount of RAM in GB recommended for this image. | -| `minRecommendedvCPUs` | int | `1` | | The minimum number of the CPU cores recommended for this image. | -| `offer` | string | `'WindowsServer'` | | The name of the gallery Image Definition offer. | -| `osState` | string | `'Generalized'` | `[Generalized, Specialized]` | This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | -| `osType` | string | `'Windows'` | `[Linux, Windows]` | OS type of the image to be created. | -| `planName` | string | `''` | | The plan ID. | -| `planPublisherName` | string | `''` | | The publisher ID. | -| `privacyStatementUri` | string | `''` | | The privacy statement uri. Has to be a valid URL. | -| `productName` | string | `''` | | The product ID. | -| `publisher` | string | `'MicrosoftWindowsServer'` | | The name of the gallery Image Definition publisher. | -| `releaseNoteUri` | string | `''` | | The release note uri. Has to be a valid URL. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securityType` | string | `'Standard'` | `[ConfidentialVM, ConfidentialVMSupported, Standard, TrustedLaunch]` | The security type of the image. Requires a hyperVGeneration V2. | -| `sku` | string | `'2019-Datacenter'` | | The name of the gallery Image Definition SKU. | -| `tags` | object | `{object}` | | Tags for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The description of this gallery Image Definition resource. This property is updatable. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`endOfLife`](#parameter-endoflife) | string | The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | +| [`eula`](#parameter-eula) | string | The Eula agreement for the gallery Image Definition. Has to be a valid URL. | +| [`excludedDiskTypes`](#parameter-excludeddisktypes) | array | List of the excluded disk types. E.g. Standard_LRS. | +| [`hyperVGeneration`](#parameter-hypervgeneration) | string | The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. | +| [`isAcceleratedNetworkSupported`](#parameter-isacceleratednetworksupported) | string | The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. | +| [`isHibernateSupported`](#parameter-ishibernatesupported) | string | The image will support hibernation. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`maxRecommendedMemory`](#parameter-maxrecommendedmemory) | int | The maximum amount of RAM in GB recommended for this image. | +| [`maxRecommendedvCPUs`](#parameter-maxrecommendedvcpus) | int | The maximum number of the CPU cores recommended for this image. | +| [`minRecommendedMemory`](#parameter-minrecommendedmemory) | int | The minimum amount of RAM in GB recommended for this image. | +| [`minRecommendedvCPUs`](#parameter-minrecommendedvcpus) | int | The minimum number of the CPU cores recommended for this image. | +| [`offer`](#parameter-offer) | string | The name of the gallery Image Definition offer. | +| [`osState`](#parameter-osstate) | string | This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. | +| [`osType`](#parameter-ostype) | string | OS type of the image to be created. | +| [`planName`](#parameter-planname) | string | The plan ID. | +| [`planPublisherName`](#parameter-planpublishername) | string | The publisher ID. | +| [`privacyStatementUri`](#parameter-privacystatementuri) | string | The privacy statement uri. Has to be a valid URL. | +| [`productName`](#parameter-productname) | string | The product ID. | +| [`publisher`](#parameter-publisher) | string | The name of the gallery Image Definition publisher. | +| [`releaseNoteUri`](#parameter-releasenoteuri) | string | The release note uri. Has to be a valid URL. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securityType`](#parameter-securitytype) | string | The security type of the image. Requires a hyperVGeneration V2. | +| [`sku`](#parameter-sku) | string | The name of the gallery Image Definition SKU. | +| [`tags`](#parameter-tags) | object | Tags for all resources. | + +### Parameter: `description` + +The description of this gallery Image Definition resource. This property is updatable. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endOfLife` + +The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `eula` + +The Eula agreement for the gallery Image Definition. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `excludedDiskTypes` + +List of the excluded disk types. E.g. Standard_LRS. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `galleryName` + +The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `hyperVGeneration` + +The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', V1, V2]` + +### Parameter: `isAcceleratedNetworkSupported` + +The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. +- Required: No +- Type: string +- Default: `'false'` +- Allowed: `[false, true]` + +### Parameter: `isHibernateSupported` + +The image will support hibernation. +- Required: No +- Type: string +- Default: `'false'` +- Allowed: `[false, true]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `maxRecommendedMemory` + +The maximum amount of RAM in GB recommended for this image. +- Required: No +- Type: int +- Default: `16` + +### Parameter: `maxRecommendedvCPUs` + +The maximum number of the CPU cores recommended for this image. +- Required: No +- Type: int +- Default: `4` + +### Parameter: `minRecommendedMemory` + +The minimum amount of RAM in GB recommended for this image. +- Required: No +- Type: int +- Default: `4` + +### Parameter: `minRecommendedvCPUs` + +The minimum number of the CPU cores recommended for this image. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `name` + +Name of the image definition. +- Required: Yes +- Type: string + +### Parameter: `offer` + +The name of the gallery Image Definition offer. +- Required: No +- Type: string +- Default: `'WindowsServer'` + +### Parameter: `osState` + +This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. +- Required: No +- Type: string +- Default: `'Generalized'` +- Allowed: `[Generalized, Specialized]` + +### Parameter: `osType` + +OS type of the image to be created. +- Required: No +- Type: string +- Default: `'Windows'` +- Allowed: `[Linux, Windows]` + +### Parameter: `planName` + +The plan ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `planPublisherName` + +The publisher ID. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `privacyStatementUri` + +The privacy statement uri. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `productName` + +The product ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `publisher` + +The name of the gallery Image Definition publisher. +- Required: No +- Type: string +- Default: `'MicrosoftWindowsServer'` + +### Parameter: `releaseNoteUri` + +The release note uri. Has to be a valid URL. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securityType` + +The security type of the image. Requires a hyperVGeneration V2. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[ConfidentialVM, ConfidentialVMSupported, Standard, TrustedLaunch]` + +### Parameter: `sku` + +The name of the gallery Image Definition SKU. +- Required: No +- Type: string +- Default: `'2019-Datacenter'` + +### Parameter: `tags` + +Tags for all resources. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the image. | diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json index 3cc4aa0a12..27cd77a9d9 100644 --- a/modules/compute/gallery/image/main.json +++ b/modules/compute/gallery/image/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14112753208892308004" + "version": "0.22.6.54827", + "templateHash": "12756969313323460277" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -333,8 +333,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5875220683176267757" + "version": "0.22.6.54827", + "templateHash": "11966293152836776526" } }, "parameters": { diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json index 30cefa77b2..d1a6ae1c3b 100644 --- a/modules/compute/gallery/main.json +++ b/modules/compute/gallery/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9949380945514738513" + "version": "0.22.6.54827", + "templateHash": "18299186787302449822" }, "name": "Azure Compute Galleries", "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).", @@ -158,8 +158,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4214079490664881100" + "version": "0.22.6.54827", + "templateHash": "14589885933064386870" } }, "parameters": { @@ -333,8 +333,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3432608104011360661" + "version": "0.22.6.54827", + "templateHash": "16139720757397534180" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -501,8 +501,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1432477963725169802" + "version": "0.22.6.54827", + "templateHash": "13281580182526787077" } }, "parameters": { 
@@ -726,8 +726,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11726406803846510228" + "version": "0.22.6.54827", + "templateHash": "12756969313323460277" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -1055,8 +1055,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9996928759826468102" + "version": "0.22.6.54827", + "templateHash": "11966293152836776526" } }, "parameters": { diff --git a/modules/compute/image/.test/common/main.test.bicep b/modules/compute/image/.test/common/main.test.bicep index 05f4ac649e..64743cb96c 100644 --- a/modules/compute/image/.test/common/main.test.bicep +++ b/modules/compute/image/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index bfe1ab68d0..2616327300 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md 
@@ -4,79 +4,40 @@ This module deploys a Compute Image. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Compute/images` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/images) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the image. | -| `osDiskBlobUri` | string | The Virtual Hard Disk. | -| `osType` | string | This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.image:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `dataDisks` | array | `[]` | | Specifies the parameters that are used to add a data disk to a virtual machine. | -| `diskEncryptionSetResourceId` | string | `''` | | Specifies the customer managed disk encryption set resource ID for the managed image disk. 
| -| `diskSizeGB` | int | `128` | | Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `extendedLocation` | object | `{object}` | | The extended location of the Image. | -| `hyperVGeneration` | string | `'V1'` | | Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `managedDiskResourceId` | string | `''` | | The managedDisk. | -| `osAccountType` | string | | | Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. | -| `osDiskCaching` | string | | | Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. | -| `osState` | string | `'Generalized'` | `[Generalized, Specialized]` | The OS State. For managed images, use Generalized. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `snapshotResourceId` | string | `''` | | The snapshot resource ID. | -| `sourceVirtualMachineResourceId` | string | `''` | | The source virtual machine from which Image is created. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `zoneResilient` | bool | `False` | | Default is false. 
Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | +- [Using large parameter set](#example-1-using-large-parameter-set) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the image. | -| `resourceGroupName` | string | The resource group the image was deployed into. | -| `resourceId` | string | The resource ID of the image. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module image './compute/image/main.bicep' = { +module image 'br:bicep/modules/compute.image:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cicom' params: { // Required parameters @@ -181,3 +142,178 @@ module image './compute/image/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the image. | +| [`osDiskBlobUri`](#parameter-osdiskbloburi) | string | The Virtual Hard Disk. | +| [`osType`](#parameter-ostype) | string | This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dataDisks`](#parameter-datadisks) | array | Specifies the parameters that are used to add a data disk to a virtual machine. | +| [`diskEncryptionSetResourceId`](#parameter-diskencryptionsetresourceid) | string | Specifies the customer managed disk encryption set resource ID for the managed image disk. | +| [`diskSizeGB`](#parameter-disksizegb) | int | Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`extendedLocation`](#parameter-extendedlocation) | object | The extended location of the Image. | +| [`hyperVGeneration`](#parameter-hypervgeneration) | string | Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`managedDiskResourceId`](#parameter-manageddiskresourceid) | string | The managedDisk. | +| [`osAccountType`](#parameter-osaccounttype) | string | Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. | +| [`osDiskCaching`](#parameter-osdiskcaching) | string | Specifies the caching requirements. 
Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. | +| [`osState`](#parameter-osstate) | string | The OS State. For managed images, use Generalized. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`snapshotResourceId`](#parameter-snapshotresourceid) | string | The snapshot resource ID. | +| [`sourceVirtualMachineResourceId`](#parameter-sourcevirtualmachineresourceid) | string | The source virtual machine from which Image is created. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`zoneResilient`](#parameter-zoneresilient) | bool | Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | + +### Parameter: `dataDisks` + +Specifies the parameters that are used to add a data disk to a virtual machine. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diskEncryptionSetResourceId` + +Specifies the customer managed disk encryption set resource ID for the managed image disk. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diskSizeGB` + +Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. +- Required: No +- Type: int +- Default: `128` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `extendedLocation` + +The extended location of the Image. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `hyperVGeneration` + +Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. +- Required: No +- Type: string +- Default: `'V1'` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `managedDiskResourceId` + +The managedDisk. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the image. +- Required: Yes +- Type: string + +### Parameter: `osAccountType` + +Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. +- Required: Yes +- Type: string + +### Parameter: `osDiskBlobUri` + +The Virtual Hard Disk. +- Required: Yes +- Type: string + +### Parameter: `osDiskCaching` + +Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. +- Required: Yes +- Type: string + +### Parameter: `osState` + +The OS State. For managed images, use Generalized. +- Required: No +- Type: string +- Default: `'Generalized'` +- Allowed: `[Generalized, Specialized]` + +### Parameter: `osType` + +This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `snapshotResourceId` + +The snapshot resource ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceVirtualMachineResourceId` + +The source virtual machine from which Image is created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneResilient` + +Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the image. | +| `resourceGroupName` | string | The resource group the image was deployed into. | +| `resourceId` | string | The resource ID of the image. | + +## Cross-referenced modules + +_None_ diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json index ae3a9cc984..4d5551e4a8 100644 --- a/modules/compute/image/main.json +++ b/modules/compute/image/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2820072627955480116" + "version": "0.22.6.54827", + "templateHash": "10714756522840080401" }, "name": "Images", "description": "This module deploys a Compute Image.", 
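Review bot: The parameter tables and the per-parameter sections of the image README contradict each other: `osAccountType` and `osDiskCaching` appear in the **Optional parameters** table, yet their `### Parameter:` sections state `- Required: Yes` and carry no `- Default:` line. Since this README is generated, the mismatch most likely stems from how the required/optional split is derived rather than from hand edits, but either way the two views should agree. If both parameters are genuinely required, they belong in the **Required parameters** table next to `name`, `osDiskBlobUri` and `osType`; if they have defaults, the sections should read `- Required: No` followed by a `- Default:` line. The usage example above this hunk starts outside it, so whether its "Required parameters" comment block reflects the same classification cannot be checked here.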
@@ -221,8 +221,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18299600248178146819" + "version": "0.22.6.54827", + "templateHash": "17260715174516023943" } }, "parameters": { diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/.test/common/main.test.bicep index 04e74c7088..38de4fd5d1 100644 --- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep +++ b/modules/compute/proximity-placement-group/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/proximity-placement-group/.test/min/main.test.bicep b/modules/compute/proximity-placement-group/.test/min/main.test.bicep index 244fae144c..cb745a8bda 100644 --- a/modules/compute/proximity-placement-group/.test/min/main.test.bicep +++ b/modules/compute/proximity-placement-group/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 42bb92577b..69368d6058 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md 
@@ -4,13 +4,13 @@ This module deploys a Proximity Placement Group. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,57 +18,28 @@ This module deploys a Proximity Placement Group. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Compute/proximityPlacementGroups` | [2022-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-08-01/proximityPlacementGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the proximity placement group that is being created. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `colocationStatus` | object | `{object}` | | Describes colocation status of the Proximity Placement Group. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `intent` | object | `{object}` | | Specifies the user intent of the proximity placement group. | -| `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the proximity placement group resource. | -| `type` | string | `'Standard'` | `[Standard, Ultra]` | Specifies the type of the proximity placement group. 
| -| `zones` | array | `[]` | | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the proximity placement group. | -| `resourceGroupName` | string | The resource group the proximity placement group was deployed into. | -| `resourceId` | string | The resourceId the proximity placement group. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.proximity-placement-group:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module proximityPlacementGroup './compute/proximity-placement-group/main.bicep' = { +module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cppgcom' params: { // Required parameters @@ -182,14 +153,17 @@ module proximityPlacementGroup './compute/proximity-placement-group/main.bicep'

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module proximityPlacementGroup './compute/proximity-placement-group/main.bicep' = { +module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cppgmin' params: { // Required parameters @@ -226,3 +200,111 @@ module proximityPlacementGroup './compute/proximity-placement-group/main.bicep'

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the proximity placement group that is being created. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`colocationStatus`](#parameter-colocationstatus) | object | Describes colocation status of the Proximity Placement Group. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`intent`](#parameter-intent) | object | Specifies the user intent of the proximity placement group. | +| [`location`](#parameter-location) | string | Resource location. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the proximity placement group resource. | +| [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | +| [`zones`](#parameter-zones) | array | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | + +### Parameter: `colocationStatus` + +Describes colocation status of the Proximity Placement Group. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `intent` + +Specifies the user intent of the proximity placement group. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Resource location. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the proximity placement group that is being created. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the proximity placement group resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `type` + +Specifies the type of the proximity placement group. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Standard, Ultra]` + +### Parameter: `zones` + +Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the proximity placement group. | +| `resourceGroupName` | string | The resource group the proximity placement group was deployed into. | +| `resourceId` | string | The resourceId the proximity placement group. 
| + +## Cross-referenced modules + +_None_ diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index c14b4643cf..515ff086af 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12193143335374733252" + "version": "0.22.6.54827", + "templateHash": "6477295143375151288" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", @@ -167,8 +167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9569185937867215918" + "version": "0.22.6.54827", + "templateHash": "843117559787773713" } }, "parameters": { diff --git a/modules/compute/ssh-public-key/.test/common/main.test.bicep b/modules/compute/ssh-public-key/.test/common/main.test.bicep index 0a61dd1d16..f20494fb87 100644 --- a/modules/compute/ssh-public-key/.test/common/main.test.bicep +++ b/modules/compute/ssh-public-key/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/compute/ssh-public-key/.test/min/main.test.bicep b/modules/compute/ssh-public-key/.test/min/main.test.bicep index c115e84702..dfc7cdd0ec 100644 --- a/modules/compute/ssh-public-key/.test/min/main.test.bicep +++ b/modules/compute/ssh-public-key/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index ae6fc16917..d55794c19a 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -7,10 +7,10 @@ This module deploys a Public SSH Key. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,54 +20,28 @@ This module deploys a Public SSH Key. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Compute/sshPublicKeys` | [2022-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-08-01/sshPublicKeys) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the SSH public Key that is being created. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicKey` | string | `''` | | SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the availability set resource. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.ssh-public-key:1.0.0`. +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -## Outputs +### Example 1: _Using large parameter set_ -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Public SSH Key. | -| `resourceGroupName` | string | The name of the Resource Group the Public SSH Key was created in. | -| `resourceId` | string | The resource ID of the Public SSH Key. | - -## Cross-referenced modules - -_None_ +This instance deploys the module with most of its features enabled. -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module sshPublicKey './compute/ssh-public-key/main.bicep' = { +module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cspkcom' params: { // Required parameters @@ -109,14 +83,17 @@ module sshPublicKey './compute/ssh-public-key/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module sshPublicKey './compute/ssh-public-key/main.bicep' = { +module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cspkmin' params: { // Required parameters @@ -153,3 +130,86 @@ module sshPublicKey './compute/ssh-public-key/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the SSH public Key that is being created. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Resource location. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicKey`](#parameter-publickey) | string | SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the availability set resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Resource location. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the SSH public Key that is being created. 
+- Required: Yes +- Type: string + +### Parameter: `publicKey` + +SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the availability set resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Public SSH Key. | +| `resourceGroupName` | string | The name of the Resource Group the Public SSH Key was created in. | +| `resourceId` | string | The resource ID of the Public SSH Key. | + +## Cross-referenced modules + +_None_ diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json index 8249f12974..b0179a9ba4 100644 --- a/modules/compute/ssh-public-key/main.json +++ b/modules/compute/ssh-public-key/main.json 
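Review bot: The `tags` parameter of the SSH public key module is still described as `Tags of the availability set resource.`, both in the optional-parameters table and in its `### Parameter: `tags`` section, which looks like a copy-paste leftover from another module rather than a description of this resource. The removed lines carried the same wording, so the commit does not introduce it, but the regenerated README propagates it. As the description is presumably sourced from the module's parameter metadata, the fix belongs there, e.g. `Tags of the SSH public key resource.`, after which the README should be regenerated.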
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15954994307790830722" + "version": "0.22.6.54827", + "templateHash": "10030504426335419860" }, "name": "Public SSH Keys", "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.", @@ -139,8 +139,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6373247458133694880" + "version": "0.22.6.54827", + "templateHash": "12934875075357551454" } }, "parameters": { diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 9c7583c1c4..7bd3a39ad8 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -4,14 +4,14 @@ This module deploys a Virtual Machine Scale Set. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,134 +21,28 @@ This module deploys a Virtual Machine Scale Set. | `Microsoft.Compute/virtualMachineScaleSets/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachineScaleSets/extensions) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -### Resource dependency +## Usage examples -The following resources are required to be able to deploy this resource. +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -- `Microsoft.Network/VirtualNetwork` +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `adminUsername` | securestring | | Administrator username. | -| `imageReference` | object | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | -| `name` | string | | Name of the VMSS. | -| `nicConfigurations` | array | | Configures NICs and PIPs. | -| `osDisk` | object | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | -| `osType` | string | `[Linux, Windows]` | The chosen OS type. | -| `skuName` | string | | The SKU size of the VMs. 
| - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| `adminPassword` | securestring | `''` | | When specifying a Windows Virtual Machine, this value should be passed. | -| `automaticRepairsPolicyEnabled` | bool | `False` | | Specifies whether automatic repairs should be enabled on the virtual machine scale set. | -| `availabilityZones` | array | `[]` | | The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. | -| `bootDiagnosticStorageAccountName` | string | `''` | | Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | -| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. | -| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableAutomaticRollback` | bool | `False` | | Whether OS image rollback feature should be disabled. | -| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. | -| `doNotRunExtensionsOnOverprovisionedVMs` | bool | `False` | | When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | -| `enableAutomaticOSUpgrade` | bool | `False` | | Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. | -| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. 
For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets. | -| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionAzureDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | -| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinPassword` | securestring | `''` | | Required if name is specified. Password of the user specified in user parameter. | -| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. 
Must at least contain the ["enabled": true] property to be executed. | -| `gracePeriod` | string | `'PT30M'` | | The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | -| `licenseType` | string | `''` | `['', Windows_Client, Windows_Server]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxBatchInstancePercent` | int | `20` | | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | -| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | -| `maxUnhealthyInstancePercent` | int | `20` | | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. 
| -| `maxUnhealthyUpgradedInstancePercent` | int | `20` | | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | -| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. | -| `overprovision` | bool | `False` | | Specifies whether the Virtual Machine Scale Set should be overprovisioned. | -| `pauseTimeBetweenBatches` | string | `'PT0S'` | | The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format. | -| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | -| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | -| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. | -| `publicIpDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | -| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| `scaleInPolicy` | object | `{object}` | | Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. | -| `scaleSetFaultDomain` | int | `2` | | Fault Domain count for each placement group. | -| `scheduledEventsProfile` | object | `{object}` | | Specifies Scheduled Event related configurations. | -| `secrets` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machines in the scale set. | -| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. | -| `singlePlacementGroup` | bool | `True` | | When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | -| `skuCapacity` | int | `1` | | The initial instance count of scale set VMs. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. 
| -| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | -| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| `upgradePolicyMode` | string | `'Manual'` | `[Automatic, Manual, Rolling]` | Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `vmNamePrefix` | string | `'vmssvm'` | | Specifies the computer name prefix for all of the virtual machines in the scale set. | -| `vmPriority` | string | `'Regular'` | `[Low, Regular, Spot]` | Specifies the priority for the virtual machine. | -| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | -| `zoneBalance` | bool | `False` | | Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. 
| - -**Generated parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual machine scale set. | -| `resourceGroupName` | string | The resource group of the virtual machine scale set. | -| `resourceId` | string | The resource ID of the virtual machine scale set. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine-scale-set:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Linux](#example-1-linux) +- [Linux.Min](#example-2-linuxmin) +- [Linux.Ssecmk](#example-3-linuxssecmk) +- [Windows](#example-4-windows) +- [Windows.Min](#example-5-windowsmin) -

Example 1: Linux

+### Example 1: _Linux_
via Bicep module ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cvmsslin' params: { // Required parameters @@ -492,14 +386,14 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 2: Linux.Min

+### Example 2: _Linux.Min_
via Bicep module ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' params: { // Required parameters @@ -629,14 +523,14 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 3: Linux.Ssecmk

+### Example 3: _Linux.Ssecmk_
via Bicep module ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' params: { // Required parameters @@ -816,14 +710,14 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 4: Windows

+### Example 4: _Windows_
via Bicep module ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cvmsswin' params: { // Required parameters @@ -1149,14 +1043,14 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

-

Example 5: Windows.Min

+### Example 5: _Windows.Min_
via Bicep module ```bicep -module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' = { +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' params: { // Required parameters @@ -1273,6 +1167,638 @@ module virtualMachineScaleSet './compute/virtual-machine-scale-set/main.bicep' =

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`adminUsername`](#parameter-adminusername) | securestring | Administrator username. | +| [`imageReference`](#parameter-imagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| [`name`](#parameter-name) | string | Name of the VMSS. | +| [`nicConfigurations`](#parameter-nicconfigurations) | array | Configures NICs and PIPs. | +| [`osDisk`](#parameter-osdisk) | object | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | +| [`osType`](#parameter-ostype) | string | The chosen OS type. | +| [`skuName`](#parameter-skuname) | string | The SKU size of the VMs. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`additionalUnattendContent`](#parameter-additionalunattendcontent) | array | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | +| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | +| [`automaticRepairsPolicyEnabled`](#parameter-automaticrepairspolicyenabled) | bool | Specifies whether automatic repairs should be enabled on the virtual machine scale set. | +| [`availabilityZones`](#parameter-availabilityzones) | array | The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. 
| +| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | +| [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | +| [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | +| [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableAutomaticRollback`](#parameter-disableautomaticrollback) | bool | Whether OS image rollback feature should be disabled. 
| +| [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | +| [`doNotRunExtensionsOnOverprovisionedVMs`](#parameter-donotrunextensionsonoverprovisionedvms) | bool | When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | +| [`enableAutomaticOSUpgrade`](#parameter-enableautomaticosupgrade) | bool | Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. | +| [`enableAutomaticUpdates`](#parameter-enableautomaticupdates) | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableEvictionPolicy`](#parameter-enableevictionpolicy) | bool | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| [`encryptionAtHost`](#parameter-encryptionathost) | bool | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets. 
| +| [`extensionAntiMalwareConfig`](#parameter-extensionantimalwareconfig) | object | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionAzureDiskEncryptionConfig`](#parameter-extensionazurediskencryptionconfig) | object | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | +| [`extensionCustomScriptConfig`](#parameter-extensioncustomscriptconfig) | object | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionDependencyAgentConfig`](#parameter-extensiondependencyagentconfig) | object | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionDomainJoinConfig`](#parameter-extensiondomainjoinconfig) | object | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionDomainJoinPassword`](#parameter-extensiondomainjoinpassword) | securestring | Required if name is specified. Password of the user specified in user parameter. | +| [`extensionDSCConfig`](#parameter-extensiondscconfig) | object | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionMonitoringAgentConfig`](#parameter-extensionmonitoringagentconfig) | object | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. 
| +| [`extensionNetworkWatcherAgentConfig`](#parameter-extensionnetworkwatcheragentconfig) | object | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`gracePeriod`](#parameter-graceperiod) | string | The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | +| [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxBatchInstancePercent`](#parameter-maxbatchinstancepercent) | int | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | +| [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | +| [`maxUnhealthyInstancePercent`](#parameter-maxunhealthyinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. 
|
+| [`maxUnhealthyUpgradedInstancePercent`](#parameter-maxunhealthyupgradedinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. |
+| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. |
+| [`overprovision`](#parameter-overprovision) | bool | Specifies whether the Virtual Machine Scale Set should be overprovisioned. |
+| [`pauseTimeBetweenBatches`](#parameter-pausetimebetweenbatches) | string | The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format. |
+| [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. |
+| [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. |
+| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. |
+| [`publicIpDiagnosticSettingsName`](#parameter-publicipdiagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. |
+| [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
+| [`scaleInPolicy`](#parameter-scaleinpolicy) | object | Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. |
+| [`scaleSetFaultDomain`](#parameter-scalesetfaultdomain) | int | Fault Domain count for each placement group. |
+| [`scheduledEventsProfile`](#parameter-scheduledeventsprofile) | object | Specifies Scheduled Event related configurations. |
+| [`secrets`](#parameter-secrets) | array | Specifies set of certificates that should be installed onto the virtual machines in the scale set. |
+| [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
+| [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. |
+| [`singlePlacementGroup`](#parameter-singleplacementgroup) | bool | When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. |
+| [`skuCapacity`](#parameter-skucapacity) | int | The initial instance count of scale set VMs. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. |
+| [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. |
+| [`upgradePolicyMode`](#parameter-upgradepolicymode) | string | Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+| [`vmNamePrefix`](#parameter-vmnameprefix) | string | Specifies the computer name prefix for all of the virtual machines in the scale set. |
+| [`vmPriority`](#parameter-vmpriority) | string | Specifies the priority for the virtual machine. |
+| [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
+| [`winRM`](#parameter-winrm) | object | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. |
+| [`zoneBalance`](#parameter-zonebalance) | bool | Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. |
+
+**Generated parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. |
+
+### Parameter: `additionalUnattendContent`
+
+Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `adminPassword`
+
+When specifying a Windows Virtual Machine, this value should be passed.
+- Required: No
+- Type: securestring
+- Default: `''`
+
+### Parameter: `adminUsername`
+
+Administrator username.
+- Required: Yes
+- Type: securestring
+
+### Parameter: `automaticRepairsPolicyEnabled`
+
+Specifies whether automatic repairs should be enabled on the virtual machine scale set.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `availabilityZones`
+
+The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `baseTime`
+
+Do not provide a value! This date value is used to generate a registration token.
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
+### Parameter: `bootDiagnosticStorageAccountName`
+
+Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `bootDiagnosticStorageAccountUri`
+
+Storage account boot diagnostic base URI.
+- Required: No
+- Type: string
+- Default: `[format('.blob.{0}/', environment().suffixes.storage)]`
+
+### Parameter: `customData`
+
+Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `dataDisks`
+
+Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disableAutomaticRollback`
+
+Whether OS image rollback feature should be disabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `disablePasswordAuthentication`
+
+Specifies whether password authentication should be disabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `doNotRunExtensionsOnOverprovisionedVMs`
+
+When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableAutomaticOSUpgrade`
+
+Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableAutomaticUpdates`
+
+Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableEvictionPolicy`
+
+Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `encryptionAtHost`
+
+This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `extensionAntiMalwareConfig`
+
+The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionAzureDiskEncryptionConfig`
+
+The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionCustomScriptConfig`
+
+The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionDependencyAgentConfig`
+
+The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionDomainJoinConfig`
+
+The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionDomainJoinPassword`
+
+Required if name is specified. Password of the user specified in user parameter.
+- Required: No
+- Type: securestring
+- Default: `''`
+
+### Parameter: `extensionDSCConfig`
+
+The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionMonitoringAgentConfig`
+
+The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionNetworkWatcherAgentConfig`
+
+The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `gracePeriod`
+
+The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M).
+- Required: No
+- Type: string
+- Default: `'PT30M'`
+
+### Parameter: `imageReference`
+
+OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image.
+- Required: Yes
+- Type: object
+
+### Parameter: `licenseType`
+
+Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Windows_Client, Windows_Server]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `maxBatchInstancePercent`
+
+The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability.
+- Required: No
+- Type: int
+- Default: `20`
+
+### Parameter: `maxPriceForLowPriorityVm`
+
+Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `maxUnhealthyInstancePercent`
+
+The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.
+- Required: No
+- Type: int
+- Default: `20`
+
+### Parameter: `maxUnhealthyUpgradedInstancePercent`
+
+The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.
+- Required: No
+- Type: int
+- Default: `20`
+
+### Parameter: `monitoringWorkspaceId`
+
+Resource ID of the monitoring log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+Name of the VMSS.
+- Required: Yes
+- Type: string
+
+### Parameter: `nicConfigurations`
+
+Configures NICs and PIPs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `osDisk`
+
+Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets.
+- Required: Yes
+- Type: object
+
+### Parameter: `osType`
+
+The chosen OS type.
+- Required: Yes
+- Type: string
+- Allowed: `[Linux, Windows]`
+
+### Parameter: `overprovision`
+
+Specifies whether the Virtual Machine Scale Set should be overprovisioned.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `pauseTimeBetweenBatches`
+
+The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format.
+- Required: No
+- Type: string
+- Default: `'PT0S'`
+
+### Parameter: `plan`
+
+Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `provisionVMAgent`
+
+Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `proximityPlacementGroupResourceId`
+
+Resource ID of a proximity placement group.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `publicIpDiagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed.
+- Required: No
+- Type: string
+- Default: `[format('{0}-diagnosticSettings', parameters('name'))]`
+
+### Parameter: `publicKeys`
+
+The list of SSH public keys used to authenticate with linux based VMs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `sasTokenValidityLength`
+
+SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.
+- Required: No
+- Type: string
+- Default: `'PT8H'`
+
+### Parameter: `scaleInPolicy`
+
+Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `scaleSetFaultDomain`
+
+Fault Domain count for each placement group.
+- Required: No
+- Type: int
+- Default: `2`
+
+### Parameter: `scheduledEventsProfile`
+
+Specifies Scheduled Event related configurations.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `secrets`
+
+Specifies set of certificates that should be installed onto the virtual machines in the scale set.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `secureBootEnabled`
+
+Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `securityType`
+
+Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `singlePlacementGroup`
+
+When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `skuCapacity`
+
+The initial instance count of scale set VMs.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `skuName`
+
+The SKU size of the VMs.
+- Required: Yes
+- Type: string
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `timeZone`
+
+Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `ultraSSDEnabled`
+
+The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `upgradePolicyMode`
+
+Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling.
+- Required: No
+- Type: string
+- Default: `'Manual'`
+- Allowed: `[Automatic, Manual, Rolling]`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `vmNamePrefix`
+
+Specifies the computer name prefix for all of the virtual machines in the scale set.
+- Required: No
+- Type: string
+- Default: `'vmssvm'`
+
+### Parameter: `vmPriority`
+
+Specifies the priority for the virtual machine.
+- Required: No
+- Type: string
+- Default: `'Regular'`
+- Allowed: `[Low, Regular, Spot]`
+
+### Parameter: `vTpmEnabled`
+
+Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `winRM`
+
+Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `zoneBalance`
+
+Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage.
+- Required: No
+- Type: bool
+- Default: `False`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the virtual machine scale set. |
+| `resourceGroupName` | string | The resource group of the virtual machine scale set. |
+| `resourceId` | string | The resource ID of the virtual machine scale set. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+_None_
+
 ## Notes
 
 ### Parameter Usage: `imageReference`
diff --git a/modules/compute/virtual-machine-scale-set/extension/README.md b/modules/compute/virtual-machine-scale-set/extension/README.md
index 52412ef886..462a5b3111 100644
--- a/modules/compute/virtual-machine-scale-set/extension/README.md
+++ b/modules/compute/virtual-machine-scale-set/extension/README.md
@@ -19,35 +19,112 @@ This module deploys a Virtual Machine Scale Set Extension.
 
 **Required parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `autoUpgradeMinorVersion` | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. |
-| `enableAutomaticUpgrade` | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. |
-| `name` | string | The name of the virtual machine scale set extension. |
-| `publisher` | string | The name of the extension handler publisher. |
-| `type` | string | Specifies the type of the extension; an example is "CustomScriptExtension". |
-| `typeHandlerVersion` | string | Specifies the version of the script handler. |
+| [`autoUpgradeMinorVersion`](#parameter-autoupgrademinorversion) | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. |
+| [`enableAutomaticUpgrade`](#parameter-enableautomaticupgrade) | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. |
+| [`name`](#parameter-name) | string | The name of the virtual machine scale set extension. |
+| [`publisher`](#parameter-publisher) | string | The name of the extension handler publisher. |
+| [`type`](#parameter-type) | string | Specifies the type of the extension; an example is "CustomScriptExtension". |
+| [`typeHandlerVersion`](#parameter-typehandlerversion) | string | Specifies the version of the script handler. |
 
 **Conditional parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `virtualMachineScaleSetName` | string | The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. |
+| [`virtualMachineScaleSetName`](#parameter-virtualmachinescalesetname) | string | The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. |
 
 **Optional parameters**
 
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `forceUpdateTag` | string | `''` | How the extension handler should be forced to update even if the extension configuration has not changed. |
-| `protectedSettings` | secureObject | `{object}` | Any object that contains the extension specific protected settings. |
-| `settings` | object | `{object}` | Any object that contains the extension specific settings. |
-| `supressFailures` | bool | `False` | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`forceUpdateTag`](#parameter-forceupdatetag) | string | How the extension handler should be forced to update even if the extension configuration has not changed. |
+| [`protectedSettings`](#parameter-protectedsettings) | secureObject | Any object that contains the extension specific protected settings. |
+| [`settings`](#parameter-settings) | object | Any object that contains the extension specific settings. |
+| [`supressFailures`](#parameter-supressfailures) | bool | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. |
+
+### Parameter: `autoUpgradeMinorVersion`
+
+Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true.
+- Required: Yes
+- Type: bool
+
+### Parameter: `enableAutomaticUpgrade`
+
+Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available.
+- Required: Yes
+- Type: bool
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `forceUpdateTag`
+
+How the extension handler should be forced to update even if the extension configuration has not changed.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+The name of the virtual machine scale set extension.
+- Required: Yes
+- Type: string
+
+### Parameter: `protectedSettings`
+
+Any object that contains the extension specific protected settings.
+- Required: No
+- Type: secureObject
+- Default: `{object}`
+
+### Parameter: `publisher`
+
+The name of the extension handler publisher.
+- Required: Yes
+- Type: string
+
+### Parameter: `settings`
+
+Any object that contains the extension specific settings.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `supressFailures`
+
+Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false.
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `type` + +Specifies the type of the extension; an example is "CustomScriptExtension". +- Required: Yes +- Type: string + +### Parameter: `typeHandlerVersion` + +Specifies the version of the script handler. +- Required: Yes +- Type: string + +### Parameter: `virtualMachineScaleSetName` + +The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the extension. | | `resourceGroupName` | string | The name of the Resource Group the extension was created in. | diff --git a/modules/compute/virtual-machine-scale-set/extension/main.json b/modules/compute/virtual-machine-scale-set/extension/main.json index 14783762a8..d63e240501 100644 --- a/modules/compute/virtual-machine-scale-set/extension/main.json +++ b/modules/compute/virtual-machine-scale-set/extension/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3045861199823874082" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index 974fbd8b00..59b04e2594 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12564504054150617860" + "version": "0.22.6.54827", + "templateHash": "1180320046795963031" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", @@ -842,8 +842,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1028,8 +1028,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1219,8 +1219,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1400,8 +1400,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1581,8 +1581,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -1766,8 +1766,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1957,8 +1957,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -2143,8 +2143,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7816202249753353774" + "version": "0.22.6.54827", + "templateHash": "5906561479759498703" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -2326,8 +2326,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18352328702844325130" + "version": "0.22.6.54827", + "templateHash": "2683570948982482973" } }, "parameters": { diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 0a3195f2ef..f833ed5a15 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -5,10 +5,10 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -25,132 +25,30 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `adminUsername` | securestring | | | Administrator username. | -| `configurationProfile` | string | `''` | `['', /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction]` | The configuration profile of automanage. | -| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | -| `nicConfigurations` | array | | | Configures NICs and PIPs. | -| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `osType` | string | | `[Linux, Windows]` | The chosen OS type. | -| `vmSize` | string | | | Specifies the size for the VMs. 
| - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| `adminPassword` | securestring | `''` | | When specifying a Windows Virtual Machine, this value should be passed. | -| `allowExtensionOperations` | bool | `True` | | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | -| `availabilitySetResourceId` | string | `''` | | Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. | -| `availabilityZone` | int | `0` | `[0, 1, 2, 3]` | If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. | -| `backupPolicyName` | string | `'DefaultPolicy'` | | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. | -| `backupVaultName` | string | `''` | | Recovery service vault name to add VMs to backup. | -| `backupVaultResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. | -| `bootDiagnostics` | bool | `False` | | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. 
| -| `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. | -| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. | -| `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. | -| `computerName` | string | `[parameters('name')]` | | Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name. | -| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. 
| -| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. | -| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionAzureDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. 
| -| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. | -| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinPassword` | securestring | `''` | | Required if name is specified. Password of the user specified in user parameter. | -| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `licenseType` | string | `''` | `['', Windows_Client, Windows_Server]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. 
| -| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | -| `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | -| `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. | -| `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. | -| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. | -| `pipdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. 
| -| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | -| `priority` | string | `'Regular'` | `[Low, Regular, Spot]` | Specifies the priority for the virtual machine. | -| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | -| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. | -| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine. 
It is set as TrustedLaunch to enable UefiSettings. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". | -| `tags` | object | `{object}` | | Tags of the resource. | -| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | -| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | - -**Generated parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VM. | -| `resourceGroupName` | string | The name of the resource group the VM was created in. | -| `resourceId` | string | The resource ID of the VM. 
| -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/network-interface` | Local reference | -| `network/public-ip-address` | Local reference | -| `recovery-services/vault/backup-fabric/protection-container/protected-item` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Linux](#example-1-linux) +- [Linux.Atmg](#example-2-linuxatmg) +- [Linux.Min](#example-3-linuxmin) +- [Windows](#example-4-windows) +- [Windows.Atmg](#example-5-windowsatmg) +- [Windows.Min](#example-6-windowsmin) +- [Windows.Ssecmk](#example-7-windowsssecmk) -

Example 1: Linux

+### Example 1: _Linux_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmlincom'
 params: {
 // Required parameters
@@ -662,14 +560,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 2: Linux.Atmg

+### Example 2: _Linux.Atmg_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg'
 params: {
 // Required parameters
@@ -845,14 +743,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 3: Linux.Min

+### Example 3: _Linux.Min_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmlinmin'
 params: {
 // Required parameters
@@ -982,14 +880,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 4: Windows

+### Example 4: _Windows_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmwincom'
 params: {
 // Required parameters
@@ -1539,14 +1437,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 5: Windows.Atmg

+### Example 5: _Windows.Atmg_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmwinatmg'
 params: {
 // Required parameters
@@ -1672,14 +1570,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 6: Windows.Min

+### Example 6: _Windows.Min_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmwinmin'
 params: {
 // Required parameters
@@ -1789,14 +1687,14 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

-

Example 7: Windows.Ssecmk

+### Example 7: _Windows.Ssecmk_
via Bicep module
 ```bicep
-module virtualMachine './compute/virtual-machine/main.bicep' = {
+module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-cvmwincmk'
 params: {
 // Required parameters
@@ -1949,6 +1847,633 @@ module virtualMachine './compute/virtual-machine/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`adminUsername`](#parameter-adminusername) | securestring | Administrator username. | +| [`configurationProfile`](#parameter-configurationprofile) | string | The configuration profile of automanage. | +| [`imageReference`](#parameter-imagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| [`nicConfigurations`](#parameter-nicconfigurations) | array | Configures NICs and PIPs. | +| [`osDisk`](#parameter-osdisk) | object | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| [`osType`](#parameter-ostype) | string | The chosen OS type. | +| [`vmSize`](#parameter-vmsize) | string | Specifies the size for the VMs. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`additionalUnattendContent`](#parameter-additionalunattendcontent) | array | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | +| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | +| [`allowExtensionOperations`](#parameter-allowextensionoperations) | bool | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | +| [`availabilitySetResourceId`](#parameter-availabilitysetresourceid) | string | Resource ID of an availability set. 
Cannot be used in combination with availability zone nor scale set. | +| [`availabilityZone`](#parameter-availabilityzone) | int | If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. | +| [`backupPolicyName`](#parameter-backuppolicyname) | string | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. | +| [`backupVaultName`](#parameter-backupvaultname) | string | Recovery service vault name to add VMs to backup. | +| [`backupVaultResourceGroup`](#parameter-backupvaultresourcegroup) | string | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. | +| [`bootDiagnostics`](#parameter-bootdiagnostics) | bool | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. | +| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. | +| [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | +| [`certificatesToBeInstalled`](#parameter-certificatestobeinstalled) | array | Specifies set of certificates that should be installed onto the virtual machine. | +| [`computerName`](#parameter-computername) | string | Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name. 
| +| [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | +| [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| [`dedicatedHostId`](#parameter-dedicatedhostid) | string | Specifies resource ID about the dedicated host that the virtual machine resides in. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | +| [`enableAutomaticUpdates`](#parameter-enableautomaticupdates) | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableEvictionPolicy`](#parameter-enableevictionpolicy) | bool | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| [`encryptionAtHost`](#parameter-encryptionathost) | bool | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| [`extensionAadJoinConfig`](#parameter-extensionaadjoinconfig) | object | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionAntiMalwareConfig`](#parameter-extensionantimalwareconfig) | object | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionAzureDiskEncryptionConfig`](#parameter-extensionazurediskencryptionconfig) | object | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | +| [`extensionCustomScriptConfig`](#parameter-extensioncustomscriptconfig) | object | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionCustomScriptProtectedSetting`](#parameter-extensioncustomscriptprotectedsetting) | secureObject | Any object that contains the extension specific protected settings. 
| +| [`extensionDependencyAgentConfig`](#parameter-extensiondependencyagentconfig) | object | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionDomainJoinConfig`](#parameter-extensiondomainjoinconfig) | object | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionDomainJoinPassword`](#parameter-extensiondomainjoinpassword) | securestring | Required if name is specified. Password of the user specified in user parameter. | +| [`extensionDSCConfig`](#parameter-extensiondscconfig) | object | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionMonitoringAgentConfig`](#parameter-extensionmonitoringagentconfig) | object | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`extensionNetworkWatcherAgentConfig`](#parameter-extensionnetworkwatcheragentconfig) | object | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | +| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. 
Must be set when extensionMonitoringAgentConfig is set to true. | +| [`name`](#parameter-name) | string | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | +| [`nicdiagnosticMetricsToEnable`](#parameter-nicdiagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`nicDiagnosticSettingsName`](#parameter-nicdiagnosticsettingsname) | string | The name of the NIC diagnostic setting, if deployed. | +| [`patchAssessmentMode`](#parameter-patchassessmentmode) | string | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. | +| [`patchMode`](#parameter-patchmode) | string | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. | +| [`pipdiagnosticLogCategoriesToEnable`](#parameter-pipdiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`pipdiagnosticMetricsToEnable`](#parameter-pipdiagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`pipDiagnosticSettingsName`](#parameter-pipdiagnosticsettingsname) | string | The name of the PIP diagnostic setting, if deployed. | +| [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | +| [`priority`](#parameter-priority) | string | Specifies the priority for the virtual machine. 
| +| [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | +| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | +| [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | +| [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. 
The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. |
+| [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+| [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
+| [`winRM`](#parameter-winrm) | object | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. |
+
+**Generated parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. |
+
+### Parameter: `additionalUnattendContent`
+
+Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `adminPassword`
+
+When specifying a Windows Virtual Machine, this value should be passed.
+- Required: No
+- Type: securestring
+- Default: `''`
+
+### Parameter: `adminUsername`
+
+Administrator username.
+- Required: Yes
+- Type: securestring
+
+### Parameter: `allowExtensionOperations`
+
+Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `availabilitySetResourceId`
+
+Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `availabilityZone`
+
+If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set.
+- Required: No
+- Type: int
+- Default: `0`
+- Allowed: `[0, 1, 2, 3]`
+
+### Parameter: `backupPolicyName`
+
+Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault.
+- Required: No
+- Type: string
+- Default: `'DefaultPolicy'`
+
+### Parameter: `backupVaultName`
+
+Recovery service vault name to add VMs to backup.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `backupVaultResourceGroup`
+
+Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().name]`
+
+### Parameter: `baseTime`
+
+Do not provide a value! This date value is used to generate a registration token.
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
+### Parameter: `bootDiagnostics`
+
+Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `bootDiagnosticStorageAccountName`
+
+Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `bootDiagnosticStorageAccountUri`
+
+Storage account boot diagnostic base URI.
+- Required: No
+- Type: string
+- Default: `[format('.blob.{0}/', environment().suffixes.storage)]`
+
+### Parameter: `certificatesToBeInstalled`
+
+Specifies set of certificates that should be installed onto the virtual machine.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `computerName`
+
+Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name.
+- Required: No
+- Type: string
+- Default: `[parameters('name')]`
+
+### Parameter: `configurationProfile`
+
+The configuration profile of automanage.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction]`
+
+### Parameter: `customData`
+
+Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `dataDisks`
+
+Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `dedicatedHostId`
+
+Specifies resource ID about the dedicated host that the virtual machine resides in.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disablePasswordAuthentication`
+
+Specifies whether password authentication should be disabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableAutomaticUpdates`
+
+Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableEvictionPolicy`
+
+Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `encryptionAtHost`
+
+This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself.
For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `extensionAadJoinConfig`
+
+The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionAntiMalwareConfig`
+
+The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionAzureDiskEncryptionConfig`
+
+The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionCustomScriptConfig`
+
+The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionCustomScriptProtectedSetting`
+
+Any object that contains the extension specific protected settings.
+- Required: No
+- Type: secureObject
+- Default: `{object}`
+
+### Parameter: `extensionDependencyAgentConfig`
+
+The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionDomainJoinConfig`
+
+The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionDomainJoinPassword`
+
+Required if name is specified. Password of the user specified in user parameter.
+- Required: No
+- Type: securestring
+- Default: `''`
+
+### Parameter: `extensionDSCConfig`
+
+The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionMonitoringAgentConfig`
+
+The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `extensionNetworkWatcherAgentConfig`
+
+The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `imageReference`
+
+OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image.
+- Required: Yes
+- Type: object
+
+### Parameter: `licenseType`
+
+Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Windows_Client, Windows_Server]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `maxPriceForLowPriorityVm`
+
+Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `monitoringWorkspaceId`
+
+Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name.
+- Required: No
+- Type: string
+- Default: `[take(toLower(uniqueString(resourceGroup().name)), 10)]`
+
+### Parameter: `nicConfigurations`
+
+Configures NICs and PIPs.
+- Required: Yes
+- Type: array
+
+### Parameter: `nicdiagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `nicDiagnosticSettingsName`
+
+The name of the NIC diagnostic setting, if deployed.
+- Required: No
+- Type: string
+- Default: `[format('{0}-diagnosticSettings', parameters('name'))]`
+
+### Parameter: `osDisk`
+
+Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.
+- Required: Yes
+- Type: object
+
+### Parameter: `osType`
+
+The chosen OS type.
+- Required: Yes
+- Type: string
+- Allowed: `[Linux, Windows]`
+
+### Parameter: `patchAssessmentMode`
+
+VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours.
+- Required: No
+- Type: string
+- Default: `'ImageDefault'`
+- Allowed: `[AutomaticByPlatform, ImageDefault]`
+
+### Parameter: `patchMode`
+
+VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only.
Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]`
+
+### Parameter: `pipdiagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]`
+
+### Parameter: `pipdiagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `pipDiagnosticSettingsName`
+
+The name of the PIP diagnostic setting, if deployed.
+- Required: No
+- Type: string
+- Default: `[format('{0}-diagnosticSettings', parameters('name'))]`
+
+### Parameter: `plan`
+
+Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `priority`
+
+Specifies the priority for the virtual machine.
+- Required: No
+- Type: string
+- Default: `'Regular'`
+- Allowed: `[Low, Regular, Spot]`
+
+### Parameter: `provisionVMAgent`
+
+Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `proximityPlacementGroupResourceId`
+
+Resource ID of a proximity placement group.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `publicKeys`
+
+The list of SSH public keys used to authenticate with linux based VMs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `sasTokenValidityLength`
+
+SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.
+- Required: No
+- Type: string
+- Default: `'PT8H'`
+
+### Parameter: `secureBootEnabled`
+
+Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `securityType`
+
+Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True".
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `timeZone`
+
+Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'.
Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `ultraSSDEnabled`
+
+The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `vmSize`
+
+Specifies the size for the VMs.
+- Required: Yes
+- Type: string
+
+### Parameter: `vTpmEnabled`
+
+Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `winRM`
+
+Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the VM. |
+| `resourceGroupName` | string | The name of the resource group the VM was created in. |
+| `resourceId` | string | The resource ID of the VM. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/network-interface` | Local reference |
+| `modules/network/public-ip-address` | Local reference |
+| `modules/recovery-services/vault/backup-fabric/protection-container/protected-item` | Local reference |
+
 ## Notes
 ### Automanage considerations
diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md
index 7823c9766b..761c7b4d27 100644
--- a/modules/compute/virtual-machine/extension/README.md
+++ b/modules/compute/virtual-machine/extension/README.md
@@ -19,37 +19,128 @@ This module deploys a Virtual Machine Extension.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `autoUpgradeMinorVersion` | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. |
-| `enableAutomaticUpgrade` | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. |
-| `name` | string | The name of the virtual machine extension. |
-| `publisher` | string | The name of the extension handler publisher. |
-| `type` | string | Specifies the type of the extension; an example is "CustomScriptExtension". |
-| `typeHandlerVersion` | string | Specifies the version of the script handler. |
+| [`autoUpgradeMinorVersion`](#parameter-autoupgrademinorversion) | bool | Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. |
+| [`enableAutomaticUpgrade`](#parameter-enableautomaticupgrade) | bool | Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. |
+| [`name`](#parameter-name) | string | The name of the virtual machine extension. |
+| [`publisher`](#parameter-publisher) | string | The name of the extension handler publisher. |
+| [`type`](#parameter-type) | string | Specifies the type of the extension; an example is "CustomScriptExtension". |
+| [`typeHandlerVersion`](#parameter-typehandlerversion) | string | Specifies the version of the script handler.
|
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `virtualMachineName` | string | The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment. |
+| [`virtualMachineName`](#parameter-virtualmachinename) | string | The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `forceUpdateTag` | string | `''` | How the extension handler should be forced to update even if the extension configuration has not changed. |
-| `location` | string | `[resourceGroup().location]` | The location the extension is deployed to. |
-| `protectedSettings` | secureObject | `{object}` | Any object that contains the extension specific protected settings. |
-| `settings` | object | `{object}` | Any object that contains the extension specific settings. |
-| `supressFailures` | bool | `False` | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. |
-| `tags` | object | `{object}` | Tags of the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`forceUpdateTag`](#parameter-forceupdatetag) | string | How the extension handler should be forced to update even if the extension configuration has not changed. |
+| [`location`](#parameter-location) | string | The location the extension is deployed to.
|
+| [`protectedSettings`](#parameter-protectedsettings) | secureObject | Any object that contains the extension specific protected settings. |
+| [`settings`](#parameter-settings) | object | Any object that contains the extension specific settings. |
+| [`supressFailures`](#parameter-supressfailures) | bool | Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `autoUpgradeMinorVersion`
+
+Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true.
+- Required: Yes
+- Type: bool
+
+### Parameter: `enableAutomaticUpgrade`
+
+Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available.
+- Required: Yes
+- Type: bool
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `forceUpdateTag`
+
+How the extension handler should be forced to update even if the extension configuration has not changed.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+The location the extension is deployed to.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the virtual machine extension.
+- Required: Yes
+- Type: string
+
+### Parameter: `protectedSettings`
+
+Any object that contains the extension specific protected settings.
+- Required: No
+- Type: secureObject
+- Default: `{object}`
+
+### Parameter: `publisher`
+
+The name of the extension handler publisher.
+- Required: Yes
+- Type: string
+
+### Parameter: `settings`
+
+Any object that contains the extension specific settings.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `supressFailures`
+
+Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `type`
+
+Specifies the type of the extension; an example is "CustomScriptExtension".
+- Required: Yes
+- Type: string
+
+### Parameter: `typeHandlerVersion`
+
+Specifies the version of the script handler.
+- Required: Yes
+- Type: string
+
+### Parameter: `virtualMachineName`
+
+The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the extension. |
diff --git a/modules/compute/virtual-machine/extension/main.json b/modules/compute/virtual-machine/extension/main.json
index 9dc0e8298a..782a6fa1ff 100644
--- a/modules/compute/virtual-machine/extension/main.json
+++ b/modules/compute/virtual-machine/extension/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json
index 6ba690ab4f..202cf5e053 100644
--- a/modules/compute/virtual-machine/main.json
+++ b/modules/compute/virtual-machine/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8956159626460319190"
+ "version": "0.22.6.54827",
+ "templateHash": "16514436583417262148"
 },
 "name": "Virtual Machines",
 "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.",
@@ -844,8 +844,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "17678163563393779135"
+ "version": "0.22.6.54827",
+ "templateHash": "8548313386789098939"
 }
 },
 "parameters": {
@@ -999,8 +999,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1887898957722092173"
+ "version": "0.22.6.54827",
+ "templateHash": "4317747709004918530"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
@@ -1333,8 +1333,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7328126239184883887"
+ "version": "0.22.6.54827",
+ "templateHash": "9976109177347918049"
 }
 },
 "parameters": {
@@ -1585,8 +1585,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5974456600868040376"
+ "version": "0.22.6.54827",
+ "templateHash": "14479255820598719580"
 },
 "name": "Network Interface",
 "description": "This module deploys a Network Interface.",
@@ -1888,8 +1888,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10645923556503351364"
+ "version": "0.22.6.54827",
+ "templateHash": "11518733977101662334"
 }
 },
 "parameters": {
@@ -2105,8 +2105,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -2320,8 +2320,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -2530,8 +2530,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -2745,8 +2745,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -2950,8 +2950,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -3155,8 +3155,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -3364,8 +3364,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -3581,8 +3581,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -3791,8 +3791,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3227525972274814852"
+ "version": "0.22.6.54827",
+ "templateHash": "16166330808348655128"
 },
 "name": "Virtual Machine Extensions",
 "description": "This module deploys a Virtual Machine Extension.",
@@ -4003,8 +4003,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10079924922844886000"
+ "version": "0.22.6.54827",
+ "templateHash": "7148492251760573310"
 },
 "name": "Recovery Service Vaults Protection Container Protected Item",
 "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.",
@@ -4172,8 +4172,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11877341194593849245"
+ "version": "0.22.6.54827",
+ "templateHash": "16523538632311306099"
 }
 },
 "parameters": {
diff --git a/modules/consumption/budget/.test/common/main.test.bicep b/modules/consumption/budget/.test/common/main.test.bicep
index 0b3044a0e3..7668018aae 100644
--- a/modules/consumption/budget/.test/common/main.test.bicep
+++ b/modules/consumption/budget/.test/common/main.test.bicep
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/consumption/budget/.test/min/main.test.bicep b/modules/consumption/budget/.test/min/main.test.bicep index cd1da3812e..a76b439216 100644 --- a/modules/consumption/budget/.test/min/main.test.bicep +++ b/modules/consumption/budget/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md index 191cc3a890..bd08b6d387 100644 --- a/modules/consumption/budget/README.md +++ b/modules/consumption/budget/README.md 
@@ -4,75 +4,40 @@ This module deploys a Consumption Budget for Subscriptions. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Consumption/budgets` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Consumption/2021-10-01/budgets) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `amount` | int | The total amount of cost or usage to track with the budget. | -| `name` | string | The name of the budget. | - -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `actionGroups` | array | List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. | -| `contactEmails` | array | The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. | -| `contactRoles` | array | The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. | +## Usage examples -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `category` | string | `'Cost'` | `[Cost, Usage]` | The category of the budget, whether the budget tracks cost or usage. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endDate` | string | `''` | | The end date for the budget. If not provided, it will default to 10 years from the start date. 
| -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `resetPeriod` | string | `'Monthly'` | `[Annually, BillingAnnual, BillingMonth, BillingQuarter, Monthly, Quarterly]` | The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | -| `startDate` | string | `[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]` | | The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). | -| `thresholds` | array | `[50, 75, 90, 100, 110]` | | Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the budget. | -| `resourceId` | string | The resource ID of the budget. | -| `subscriptionName` | string | The subscription the budget was deployed into. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/consumption.budget:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module budget './consumption/budget/main.bicep' = { +module budget 'br:bicep/modules/consumption.budget:1.0.0' = { name: '${uniqueString(deployment().name)}-test-cbcom' params: { // Required parameters @@ -138,14 +103,17 @@ module budget './consumption/budget/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module budget './consumption/budget/main.bicep' = { +module budget 'br:bicep/modules/consumption.budget:1.0.0' = { name: '${uniqueString(deployment().name)}-test-cbmin' params: { // Required parameters @@ -194,3 +162,130 @@ module budget './consumption/budget/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`amount`](#parameter-amount) | int | The total amount of cost or usage to track with the budget. | +| [`name`](#parameter-name) | string | The name of the budget. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actionGroups`](#parameter-actiongroups) | array | List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. | +| [`contactEmails`](#parameter-contactemails) | array | The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. | +| [`contactRoles`](#parameter-contactroles) | array | The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`category`](#parameter-category) | string | The category of the budget, whether the budget tracks cost or usage. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`endDate`](#parameter-enddate) | string | The end date for the budget. If not provided, it will default to 10 years from the start date. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`resetPeriod`](#parameter-resetperiod) | string | The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. | +| [`startDate`](#parameter-startdate) | string | The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). 
| +| [`thresholds`](#parameter-thresholds) | array | Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | + +### Parameter: `actionGroups` + +List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `amount` + +The total amount of cost or usage to track with the budget. +- Required: Yes +- Type: int + +### Parameter: `category` + +The category of the budget, whether the budget tracks cost or usage. +- Required: No +- Type: string +- Default: `'Cost'` +- Allowed: `[Cost, Usage]` + +### Parameter: `contactEmails` + +The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `contactRoles` + +The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endDate` + +The end date for the budget. If not provided, it will default to 10 years from the start date. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `name` + +The name of the budget. +- Required: Yes +- Type: string + +### Parameter: `resetPeriod` + +The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. 
+- Required: No +- Type: string +- Default: `'Monthly'` +- Allowed: `[Annually, BillingAnnual, BillingMonth, BillingQuarter, Monthly, Quarterly]` + +### Parameter: `startDate` + +The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). +- Required: No +- Type: string +- Default: `[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]` + +### Parameter: `thresholds` + +Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. +- Required: No +- Type: array +- Default: `[50, 75, 90, 100, 110]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the budget. | +| `resourceId` | string | The resource ID of the budget. | +| `subscriptionName` | string | The subscription the budget was deployed into. | + +## Cross-referenced modules + +_None_ diff --git a/modules/consumption/budget/main.json b/modules/consumption/budget/main.json index 5b676a256c..a65a1bbfe8 100644 --- a/modules/consumption/budget/main.json +++ b/modules/consumption/budget/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14854724529401221825" + "version": "0.22.6.54827", + "templateHash": "2760526032764483110" }, "name": "Consumption Budgets", "description": "This module deploys a Consumption Budget for Subscriptions.", diff --git a/modules/container-instance/container-group/.test/common/main.test.bicep b/modules/container-instance/container-group/.test/common/main.test.bicep index d514033d8f..76374c71e0 100644 --- a/modules/container-instance/container-group/.test/common/main.test.bicep +++ b/modules/container-instance/container-group/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/container-instance/container-group/.test/min/main.test.bicep b/modules/container-instance/container-group/.test/min/main.test.bicep index 6136c721aa..240ce76d42 100644 --- a/modules/container-instance/container-group/.test/min/main.test.bicep +++ b/modules/container-instance/container-group/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 9e02a54f3c..66e52bf7e2 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md 
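Review bot: Only the `common` and `min` test files of container-group receive `metadata name`/`metadata description` here, so the README regenerated in the same commit titles the other two examples as bare `Encr` and `Private` with no description line, while the two annotated here get a sentence each. Since that README is the only place a consumer learns what an example actually exercises, the same two lines belong in `.test/encr/main.test.bicep` and `.test/private/main.test.bicep`, e.g. `metadata name = 'Using encryption with a customer-managed key'` and `metadata description = 'This instance deploys the module with the cMK* parameters and the user-assigned identity used to fetch the key.'`, with a parallel pair for the private-VNet case. That wording is inferred from the folder names and the cMK/`ipAddressType`/`subnetId` parameters documented in the same README; confirm it against the bodies of those two test files, which are not part of this hunk.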
@@ -4,93 +4,44 @@ This module deploys a Container Instance Container Group. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.ContainerInstance/containerGroups` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerInstance/2022-09-01/containerGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `containers` | array | The containers and their respective config within the container group. | -| `name` | string | Name for the container group. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | -| `ipAddressPorts` | array | `[]` | Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `autoGeneratedDomainNameLabelScope` | string | `'TenantReuse'` | `[Noreuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse, Unsecure]` | Specify level of protection of the domain name label. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. 
| -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `dnsNameLabel` | string | `''` | | The Dns name label for the resource. | -| `dnsNameServers` | array | `[]` | | List of dns servers used by the containers for lookups. | -| `dnsSearchDomains` | string | `''` | | DNS search domain which will be appended to each DNS lookup. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `imageRegistryCredentials` | array | `[]` | | The image registry credentials by which the container group is created from. | -| `initContainers` | array | `[]` | | A list of container definitions which will be executed before the application container starts. | -| `ipAddressType` | string | `'Public'` | `[Private, Public]` | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `osType` | string | `'Linux'` | | The operating system type required by the containers in the container group. - Windows or Linux. | -| `restartPolicy` | string | `'Always'` | `[Always, Never, OnFailure]` | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. | -| `sku` | string | `'Standard'` | `[Dedicated, Standard]` | The container group SKU. | -| `subnetId` | string | `''` | | Resource ID of the subnet. Only specify when ipAddressType is Private. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. 
| -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `volumes` | array | `[]` | | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `iPv4Address` | string | The IPv4 address of the container group. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the container group. | -| `resourceGroupName` | string | The resource group the container group was deployed into. | -| `resourceId` | string | The resource ID of the container group. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-instance.container-group:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) +- [Private](#example-4-private) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module containerGroup './container-instance/container-group/main.bicep' = { +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cicgcom' params: { // Required parameters @@ -272,14 +223,14 @@ module containerGroup './container-instance/container-group/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module containerGroup './container-instance/container-group/main.bicep' = { +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cicgenc' params: { // Required parameters @@ -473,14 +424,17 @@ module containerGroup './container-instance/container-group/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module containerGroup './container-instance/container-group/main.bicep' = { +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cicgmin' params: { // Required parameters @@ -574,14 +528,14 @@ module containerGroup './container-instance/container-group/main.bicep' = {

-

Example 4: Private

+### Example 4: _Private_
via Bicep module ```bicep -module containerGroup './container-instance/container-group/main.bicep' = { +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-cicgprivate' params: { // Required parameters @@ -806,6 +760,242 @@ module containerGroup './container-instance/container-group/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | The containers and their respective config within the container group. | +| [`name`](#parameter-name) | string | Name for the container group. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | +| [`ipAddressPorts`](#parameter-ipaddressports) | array | Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoGeneratedDomainNameLabelScope`](#parameter-autogenerateddomainnamelabelscope) | string | Specify level of protection of the domain name label. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`dnsNameLabel`](#parameter-dnsnamelabel) | string | The Dns name label for the resource. | +| [`dnsNameServers`](#parameter-dnsnameservers) | array | List of dns servers used by the containers for lookups. | +| [`dnsSearchDomains`](#parameter-dnssearchdomains) | string | DNS search domain which will be appended to each DNS lookup. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`imageRegistryCredentials`](#parameter-imageregistrycredentials) | array | The image registry credentials by which the container group is created from. | +| [`initContainers`](#parameter-initcontainers) | array | A list of container definitions which will be executed before the application container starts. | +| [`ipAddressType`](#parameter-ipaddresstype) | string | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`osType`](#parameter-ostype) | string | The operating system type required by the containers in the container group. - Windows or Linux. | +| [`restartPolicy`](#parameter-restartpolicy) | string | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. | +| [`sku`](#parameter-sku) | string | The container group SKU. | +| [`subnetId`](#parameter-subnetid) | string | Resource ID of the subnet. Only specify when ipAddressType is Private. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`volumes`](#parameter-volumes) | array | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | + +### Parameter: `autoGeneratedDomainNameLabelScope` + +Specify level of protection of the domain name label. +- Required: No +- Type: string +- Default: `'TenantReuse'` +- Allowed: `[Noreuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse, Unsecure]` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `containers` + +The containers and their respective config within the container group. +- Required: Yes +- Type: array + +### Parameter: `dnsNameLabel` + +The Dns name label for the resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsNameServers` + +List of dns servers used by the containers for lookups. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dnsSearchDomains` + +DNS search domain which will be appended to each DNS lookup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `imageRegistryCredentials` + +The image registry credentials by which the container group is created from. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `initContainers` + +A list of container definitions which will be executed before the application container starts. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipAddressPorts` + +Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipAddressType` + +Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. +- Required: No +- Type: string +- Default: `'Public'` +- Allowed: `[Private, Public]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name for the container group. +- Required: Yes +- Type: string + +### Parameter: `osType` + +The operating system type required by the containers in the container group. - Windows or Linux. +- Required: No +- Type: string +- Default: `'Linux'` + +### Parameter: `restartPolicy` + +Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. +- Required: No +- Type: string +- Default: `'Always'` +- Allowed: `[Always, Never, OnFailure]` + +### Parameter: `sku` + +The container group SKU. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Dedicated, Standard]` + +### Parameter: `subnetId` + +Resource ID of the subnet. Only specify when ipAddressType is Private. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `volumes` + +Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. 
+- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `iPv4Address` | string | The IPv4 address of the container group. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the container group. | +| `resourceGroupName` | string | The resource group the container group was deployed into. | +| `resourceId` | string | The resource ID of the container group. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `imageRegistryCredentials` diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json index cf3d24c34f..de3ed088b2 100644 --- a/modules/container-instance/container-group/main.json +++ b/modules/container-instance/container-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1590771633757024092" + "version": "0.22.6.54827", + "templateHash": "3196122826827836156" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 46df910a1b..1cba142a21 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/container-registry/registry/.test/min/main.test.bicep b/modules/container-registry/registry/.test/min/main.test.bicep index b861c01634..0db5d24fdd 100644 --- a/modules/container-registry/registry/.test/min/main.test.bicep +++ b/modules/container-registry/registry/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 0a5487152b..c1c5ee9a5d 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -4,13 +4,13 @@ This module deploys an Azure Container Registry (ACR). ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -24,98 +24,30 @@ This module deploys an Azure Container Registry (ACR).
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of your Azure container registry. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `acrAdminUserEnabled` | bool | `False` | | Enable admin user that have push / pull permission to the registry. |
-| `acrSku` | string | `'Basic'` | `[Basic, Premium, Standard]` | Tier of your Azure container registry. |
-| `anonymousPullEnabled` | bool | `False` | | Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. |
-| `azureADAuthenticationAsArmPolicyStatus` | string | `'enabled'` | `[disabled, enabled]` | The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. |
-| `cacheRules` | _[cacheRules](cache-rules/README.md)_ array | `[]` | | Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). |
-| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. |
-| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| `dataEndpointEnabled` | bool | `False` | | Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ContainerRegistryLoginEvents, ContainerRegistryRepositoryEvents]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `exportPolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the export policy is enabled or not. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `networkRuleBypassOptions` | string | `'AzureServices'` | `[AzureServices, None]` | Whether to allow trusted Azure services to access a network restricted registry. |
-| `networkRuleSetDefaultAction` | string | `'Deny'` | `[Allow, Deny]` | The default action of allow or deny when no other rules match. |
-| `networkRuleSetIpRules` | array | `[]` | | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. |
-| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. |
-| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'. |
-| `quarantinePolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the quarantine policy is enabled or not. |
-| `replications` | array | `[]` | | All replications to create. |
-| `retentionPolicyDays` | int | `15` | | The number of days to retain an untagged manifest after which it gets purged. |
-| `retentionPolicyStatus` | string | `'enabled'` | `[disabled, enabled]` | The value that indicates whether the retention policy is enabled or not. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `softDeletePolicyDays` | int | `7` | | The number of days after which a soft-deleted item is permanently deleted. |
-| `softDeletePolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | Soft Delete policy status. Default is disabled. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `trustPolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the trust policy is enabled or not. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
-| `webhooks` | array | `[]` | | All webhooks to create. |
-| `zoneRedundancy` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not zone redundancy is enabled for this container registry. |
-
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `loginServer` | string | The reference to the Azure container registry. |
-| `name` | string | The Name of the Azure container registry. |
-| `resourceGroupName` | string | The name of the Azure container registry. |
-| `resourceId` | string | The resource ID of the Azure container registry. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+## Usage examples
-## Cross-referenced modules
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-| Reference | Type |
-| :-- | :-- |
-| `network/private-endpoint` | Local reference |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-registry.registry:1.0.0`.
-## Deployment examples
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Encr](#example-2-encr)
+- [Using only defaults](#example-3-using-only-defaults)
+- [Pe](#example-4-pe)
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+### Example 1: _Using large parameter set_
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module
 ```bicep
-module registry './container-registry/registry/main.bicep' = {
+module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-crrcom'
 params: {
 // Required parameters
@@ -347,14 +279,14 @@ module registry './container-registry/registry/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module
 ```bicep
-module registry './container-registry/registry/main.bicep' = {
+module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-crrencr'
 params: {
 // Required parameters
@@ -432,14 +364,17 @@ module registry './container-registry/registry/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module registry './container-registry/registry/main.bicep' = {
+module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-crrmin'
 params: {
 // Required parameters
@@ -477,14 +412,14 @@ module registry './container-registry/registry/main.bicep' = {

-

Example 4: Pe

+### Example 4: _Pe_
via Bicep module
 ```bicep
-module registry './container-registry/registry/main.bicep' = {
+module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-crrpe'
 params: {
 // Required parameters
@@ -571,3 +506,374 @@ module registry './container-registry/registry/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of your Azure container registry. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`acrAdminUserEnabled`](#parameter-acradminuserenabled) | bool | Enable admin user that have push / pull permission to the registry. |
+| [`acrSku`](#parameter-acrsku) | string | Tier of your Azure container registry. |
+| [`anonymousPullEnabled`](#parameter-anonymouspullenabled) | bool | Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. |
+| [`azureADAuthenticationAsArmPolicyStatus`](#parameter-azureadauthenticationasarmpolicystatus) | string | The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. |
+| [`cacheRules`](#parameter-cacherules) | array | Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). |
+| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'. |
+| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. |
+| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| [`dataEndpointEnabled`](#parameter-dataendpointenabled) | bool | Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`exportPolicyStatus`](#parameter-exportpolicystatus) | string | The value that indicates whether the export policy is enabled or not. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`networkRuleBypassOptions`](#parameter-networkrulebypassoptions) | string | Whether to allow trusted Azure services to access a network restricted registry. |
+| [`networkRuleSetDefaultAction`](#parameter-networkrulesetdefaultaction) | string | The default action of allow or deny when no other rules match. |
+| [`networkRuleSetIpRules`](#parameter-networkrulesetiprules) | array | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. |
+| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'. |
+| [`quarantinePolicyStatus`](#parameter-quarantinepolicystatus) | string | The value that indicates whether the quarantine policy is enabled or not. |
+| [`replications`](#parameter-replications) | array | All replications to create. |
+| [`retentionPolicyDays`](#parameter-retentionpolicydays) | int | The number of days to retain an untagged manifest after which it gets purged. |
+| [`retentionPolicyStatus`](#parameter-retentionpolicystatus) | string | The value that indicates whether the retention policy is enabled or not. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. |
+| [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`trustPolicyStatus`](#parameter-trustpolicystatus) | string | The value that indicates whether the trust policy is enabled or not. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+| [`webhooks`](#parameter-webhooks) | array | All webhooks to create. |
+| [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. |
+
+### Parameter: `acrAdminUserEnabled`
+
+Enable admin user that have push / pull permission to the registry.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `acrSku`
+
+Tier of your Azure container registry.
+- Required: No
+- Type: string
+- Default: `'Basic'`
+- Allowed: `[Basic, Premium, Standard]`
+
+### Parameter: `anonymousPullEnabled`
+
+Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `azureADAuthenticationAsArmPolicyStatus`
+
+The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled.
+- Required: No
+- Type: string
+- Default: `'enabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `cacheRules`
+
+Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `cMKKeyName`
+
+The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKKeyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKUserAssignedIdentityResourceId`
+
+User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `dataEndpointEnabled`
+
+Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, ContainerRegistryLoginEvents, ContainerRegistryRepositoryEvents]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `exportPolicyStatus`
+
+The value that indicates whether the export policy is enabled or not.
+- Required: No
+- Type: string
+- Default: `'disabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of your Azure container registry.
+- Required: Yes
+- Type: string
+
+### Parameter: `networkRuleBypassOptions`
+
+Whether to allow trusted Azure services to access a network restricted registry.
+- Required: No
+- Type: string
+- Default: `'AzureServices'`
+- Allowed: `[AzureServices, None]`
+
+### Parameter: `networkRuleSetDefaultAction`
+
+The default action of allow or deny when no other rules match.
+- Required: No
+- Type: string
+- Default: `'Deny'`
+- Allowed: `[Allow, Deny]`
+
+### Parameter: `networkRuleSetIpRules`
+
+The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `privateEndpoints`
+
+Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicNetworkAccess`
+
+Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Disabled, Enabled]`
+
+### Parameter: `quarantinePolicyStatus`
+
+The value that indicates whether the quarantine policy is enabled or not.
+- Required: No
+- Type: string
+- Default: `'disabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `replications`
+
+All replications to create.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `retentionPolicyDays`
+
+The number of days to retain an untagged manifest after which it gets purged.
+- Required: No
+- Type: int
+- Default: `15`
+
+### Parameter: `retentionPolicyStatus`
+
+The value that indicates whether the retention policy is enabled or not.
+- Required: No
+- Type: string
+- Default: `'enabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `softDeletePolicyDays`
+
+The number of days after which a soft-deleted item is permanently deleted.
+- Required: No
+- Type: int
+- Default: `7`
+
+### Parameter: `softDeletePolicyStatus`
+
+Soft Delete policy status. Default is disabled.
+- Required: No
+- Type: string
+- Default: `'disabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `trustPolicyStatus`
+
+The value that indicates whether the trust policy is enabled or not.
+- Required: No
+- Type: string
+- Default: `'disabled'`
+- Allowed: `[disabled, enabled]`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `webhooks`
+
+All webhooks to create.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `zoneRedundancy`
+
+Whether or not zone redundancy is enabled for this container registry.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `loginServer` | string | The reference to the Azure container registry. |
+| `name` | string | The Name of the Azure container registry. |
+| `resourceGroupName` | string | The name of the Azure container registry. |
+| `resourceId` | string | The resource ID of the Azure container registry. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/container-registry/registry/cache-rules/README.md b/modules/container-registry/registry/cache-rules/README.md
index 80f65eb47b..75303e848b 100644
--- a/modules/container-registry/registry/cache-rules/README.md
+++ b/modules/container-registry/registry/cache-rules/README.md
@@ -19,24 +19,64 @@ Cache for Azure Container Registry (Preview) feature allows users to cache conta
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `registryName` | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
-| `sourceRepository` | string | Source repository pulled from upstream. |
+| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
+| [`sourceRepository`](#parameter-sourcerepository) | string | Source repository pulled from upstream. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `credentialSetResourceId` | string | `''` | The resource ID of the credential store which is associated with the cache rule. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `name` | string | `[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]` | The name of the cache rule. Will be dereived from the source repository name if not defined. |
-| `targetRepository` | string | `[parameters('sourceRepository')]` | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`credentialSetResourceId`](#parameter-credentialsetresourceid) | string | The resource ID of the credential store which is associated with the cache rule. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`name`](#parameter-name) | string | The name of the cache rule. Will be dereived from the source repository name if not defined. |
+| [`targetRepository`](#parameter-targetrepository) | string | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. |
+
+### Parameter: `credentialSetResourceId`
+
+The resource ID of the credential store which is associated with the cache rule.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the cache rule. Will be dereived from the source repository name if not defined.
+- Required: No
+- Type: string
+- Default: `[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]`
+
+### Parameter: `registryName`
+
+The name of the parent registry. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `sourceRepository`
+
+Source repository pulled from upstream.
+- Required: Yes
+- Type: string
+
+### Parameter: `targetRepository`
+
+Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}.
+- Required: No
+- Type: string
+- Default: `[parameters('sourceRepository')]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The Name of the Cache Rule. |
 | `resourceGroupName` | string | The name of the Cache Rule. |
diff --git a/modules/container-registry/registry/cache-rules/main.json b/modules/container-registry/registry/cache-rules/main.json
index 83a945758f..05e6d97ffd 100644
--- a/modules/container-registry/registry/cache-rules/main.json
+++ b/modules/container-registry/registry/cache-rules/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "8306764349327428733"
+ "version": "0.22.6.54827",
+ "templateHash": "6694265508496204217"
 },
 "name": "Container Registries Cache",
 "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).",
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json
index 6ffdf39a75..eb1edb3019 100644
--- a/modules/container-registry/registry/main.json
+++ b/modules/container-registry/registry/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14469522788734895645"
+ "version": "0.22.6.54827",
+ "templateHash": "810724730181048401"
 },
 "name": "Azure Container Registries (ACR)",
 "description": "This module deploys an Azure Container Registry (ACR).",
@@ -505,8 +505,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9951681110843116683"
+ "version": "0.22.6.54827",
+ "templateHash": "3105247041693395359"
 },
 "name": "Azure Container Registry (ACR) Replications",
 "description": "This module deploys an Azure Container Registry (ACR) Replication.",
@@ -661,8 +661,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14358887700222348175" + "version": "0.22.6.54827", + "templateHash": "6694265508496204217" }, "name": "Container Registries Cache", "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", @@ -804,8 +804,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10631233428813928982" + "version": "0.22.6.54827", + "templateHash": "6585565654056170037" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", @@ -1014,8 +1014,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10926055476825540288" + "version": "0.22.6.54827", + "templateHash": "16788652740395923269" } }, "parameters": { @@ -1180,8 +1180,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1380,8 +1380,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1518,8 +1518,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md index 1c164a9f05..186c4b5e69 100644 --- a/modules/container-registry/registry/replication/README.md +++ b/modules/container-registry/registry/replication/README.md 
@@ -19,30 +19,78 @@ This module deploys an Azure Container Registry (ACR) Replication.
 
 **Required parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the replication. |
+| [`name`](#parameter-name) | string | The name of the replication. |
 
 **Conditional parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `registryName` | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
+| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
 
 **Optional parameters**
 
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `regionEndpointEnabled` | bool | `True` | | Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `zoneRedundancy` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not zone redundancy is enabled for this container registry. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`regionEndpointEnabled`](#parameter-regionendpointenabled) | bool | Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the replication.
+- Required: Yes
+- Type: string
+
+### Parameter: `regionEndpointEnabled`
+
+Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `registryName`
+
+The name of the parent registry. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `zoneRedundancy`
+
+Whether or not zone redundancy is enabled for this container registry.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
 
 
 ## Outputs
 
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the replication. |
diff --git a/modules/container-registry/registry/replication/main.json b/modules/container-registry/registry/replication/main.json
index f520fb4066..4e38206ba4 100644
--- a/modules/container-registry/registry/replication/main.json
+++ b/modules/container-registry/registry/replication/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "842274698238951310" + "version": "0.22.6.54827", + "templateHash": "3105247041693395359" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication.", diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md index 34a74af6cc..a44a03ca55 100644 --- a/modules/container-registry/registry/webhook/README.md +++ b/modules/container-registry/registry/webhook/README.md 
@@ -19,33 +19,102 @@ This module deploys an Azure Container Registry (ACR) Webhook.
 
 **Required parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serviceUri` | string | The service URI for the webhook to post notifications. |
+| [`serviceUri`](#parameter-serviceuri) | string | The service URI for the webhook to post notifications. |
 
 **Conditional parameters**
 
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `registryName` | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
+| [`registryName`](#parameter-registryname) | string | The name of the parent registry. Required if the template is used in a standalone deployment. |
 
 **Optional parameters**
 
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `action` | array | `[chart_delete, chart_push, delete, push, quarantine]` | | The list of actions that trigger the webhook to post notifications. |
-| `customHeaders` | object | `{object}` | | Custom headers that will be added to the webhook notifications. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `name` | string | `[format('{0}webhook', parameters('registryName'))]` | | The name of the registry webhook. |
-| `scope` | string | `''` | | The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. |
-| `status` | string | `'enabled'` | `[disabled, enabled]` | The status of the webhook at the time the operation was called. |
-| `tags` | object | `{object}` | | Tags of the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`action`](#parameter-action) | array | The list of actions that trigger the webhook to post notifications. |
+| [`customHeaders`](#parameter-customheaders) | object | Custom headers that will be added to the webhook notifications. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`name`](#parameter-name) | string | The name of the registry webhook. |
+| [`scope`](#parameter-scope) | string | The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. |
+| [`status`](#parameter-status) | string | The status of the webhook at the time the operation was called. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `action`
+
+The list of actions that trigger the webhook to post notifications.
+- Required: No
+- Type: array
+- Default: `[chart_delete, chart_push, delete, push, quarantine]`
+
+### Parameter: `customHeaders`
+
+Custom headers that will be added to the webhook notifications.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the registry webhook.
+- Required: No
+- Type: string
+- Default: `[format('{0}webhook', parameters('registryName'))]`
+
+### Parameter: `registryName`
+
+The name of the parent registry. Required if the template is used in a standalone deployment.
+- Required: Yes +- Type: string + +### Parameter: `scope` + +The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serviceUri` + +The service URI for the webhook to post notifications. +- Required: Yes +- Type: string + +### Parameter: `status` + +The status of the webhook at the time the operation was called. +- Required: No +- Type: string +- Default: `'enabled'` +- Allowed: `[disabled, enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `actions` | array | The actions of the webhook. | | `location` | string | The location the resource was deployed into. | diff --git a/modules/container-registry/registry/webhook/main.json b/modules/container-registry/registry/webhook/main.json index 025bf2a393..13ceaa13ed 100644 --- a/modules/container-registry/registry/webhook/main.json +++ b/modules/container-registry/registry/webhook/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1820627526704627956" + "version": "0.22.6.54827", + "templateHash": "6585565654056170037" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", diff --git a/modules/container-service/managed-cluster/.test/min/main.test.bicep b/modules/container-service/managed-cluster/.test/min/main.test.bicep index b63007e8a7..477264b2e2 100644 --- a/modules/container-service/managed-cluster/.test/min/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index fb3247fc75..6f6331ad58 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -4,14 +4,14 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -23,164 +23,27 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) |
 | `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) |
 
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Specifies the name of the AKS cluster. |
-| `primaryAgentPoolProfile` | array | Properties of the primary agent pool. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `aksServicePrincipalProfile` | object | `{object}` | Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. |
-| `appGatewayResourceId` | string | `''` | Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `aadProfileAdminGroupObjectIDs` | array | `[]` | | Specifies the AAD group object IDs that will have admin role of the cluster. |
-| `aadProfileClientAppID` | string | `''` | | The client AAD application ID. |
-| `aadProfileEnableAzureRBAC` | bool | `[parameters('enableRBAC')]` | | Specifies whether to enable Azure RBAC for Kubernetes authorization. |
-| `aadProfileManaged` | bool | `True` | | Specifies whether to enable managed AAD integration. |
-| `aadProfileServerAppID` | string | `''` | | The server AAD application ID. |
-| `aadProfileServerAppSecret` | string | `''` | | The server AAD application secret. |
-| `aadProfileTenantId` | string | `[subscription().tenantId]` | | Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. |
-| `aciConnectorLinuxEnabled` | bool | `False` | | Specifies whether the aciConnectorLinux add-on is enabled or not. |
-| `adminUsername` | string | `'azureuser'` | | Specifies the administrator username of Linux virtual machines. |
-| `agentPools` | array | `[]` | | Define one or more secondary/additional agent pools. |
-| `authorizedIPRanges` | array | `[]` | | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. |
-| `autoScalerProfileBalanceSimilarNodeGroups` | string | `'false'` | `[false, true]` | Specifies the balance of similar node groups for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileExpander` | string | `'random'` | `[least-waste, most-pods, priority, random]` | Specifies the expand strategy for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileMaxEmptyBulkDelete` | string | `'10'` | | Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileMaxGracefulTerminationSec` | string | `'600'` | | Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileMaxNodeProvisionTime` | string | `'15m'` | | Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported. |
-| `autoScalerProfileMaxTotalUnreadyPercentage` | string | `'45'` | | Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0. |
-| `autoScalerProfileNewPodScaleUpDelay` | string | `'0s'` | | For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc). |
-| `autoScalerProfileOkTotalUnreadyCount` | string | `'3'` | | Specifies the OK total unready count for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScaleDownDelayAfterAdd` | string | `'10m'` | | Specifies the scale down delay after add of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScaleDownDelayAfterDelete` | string | `'20s'` | | Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScaleDownDelayAfterFailure` | string | `'3m'` | | Specifies scale down delay after failure of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScaleDownUnneededTime` | string | `'10m'` | | Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScaleDownUnreadyTime` | string | `'20m'` | | Specifies the scale down unready time of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileScanInterval` | string | `'10s'` | | Specifies the scan interval of the auto-scaler of the AKS cluster. |
-| `autoScalerProfileSkipNodesWithLocalStorage` | string | `'true'` | `[false, true]` | Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileSkipNodesWithSystemPods` | string | `'true'` | `[false, true]` | Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. |
-| `autoScalerProfileUtilizationThreshold` | string | `'0.5'` | | Specifies the utilization threshold of the auto-scaler of the AKS cluster. |
-| `autoUpgradeProfileUpgradeChannel` | string | `''` | `['', node-image, none, patch, rapid, stable]` | Auto-upgrade channel on the AKS cluster. |
-| `azurePolicyEnabled` | bool | `True` | | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. |
-| `azurePolicyVersion` | string | `'v2'` | | Specifies the azure policy version to use. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, cluster-autoscaler, guard, kube-apiserver, kube-audit, kube-audit-admin, kube-controller-manager, kube-scheduler]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `disableLocalAccounts` | bool | `False` | | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
-| `disableRunCommand` | bool | `False` | | Whether to disable run command for the cluster or not. |
-| `diskEncryptionSetID` | string | `''` | | The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. |
-| `dnsPrefix` | string | `[parameters('name')]` | | Specifies the DNS prefix specified when creating the managed cluster. |
-| `dnsServiceIP` | string | `''` | | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
-| `dnsZoneResourceId` | string | `''` | | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. |
-| `enableAzureDefender` | bool | `False` | | Whether to enable Azure Defender. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableDnsZoneContributorRoleAssignment` | bool | `True` | | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. |
-| `enableKeyvaultSecretsProvider` | bool | `False` | | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
-| `enableOidcIssuerProfile` | bool | `False` | | Whether the The OIDC issuer profile of the Managed Cluster is enabled. |
-| `enablePodSecurityPolicy` | bool | `False` | | Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. |
-| `enablePrivateCluster` | bool | `False` | | Specifies whether to create the cluster as a private cluster or not. |
-| `enablePrivateClusterPublicFQDN` | bool | `False` | | Whether to create additional public FQDN for private cluster or not. |
-| `enableRBAC` | bool | `True` | | Whether to enable Kubernetes Role-Based Access Control. |
-| `enableSecretRotation` | string | `'false'` | `[false, true]` | Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. |
-| `enableStorageProfileBlobCSIDriver` | bool | `False` | | Whether the AzureBlob CSI Driver for the storage profile is enabled. |
-| `enableStorageProfileDiskCSIDriver` | bool | `False` | | Whether the AzureDisk CSI Driver for the storage profile is enabled. |
-| `enableStorageProfileFileCSIDriver` | bool | `False` | | Whether the AzureFile CSI Driver for the storage profile is enabled. |
-| `enableStorageProfileSnapshotController` | bool | `False` | | Whether the snapshot controller for the storage profile is enabled. |
-| `enableWorkloadIdentity` | bool | `False` | | Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. |
-| `fluxConfigurationProtectedSettings` | secureObject | `{object}` | | Configuration settings that are sensitive, as name-value pairs for configuring this extension. |
-| `fluxExtension` | object | `{object}` | | Settings and configurations for the flux extension. |
-| `httpApplicationRoutingEnabled` | bool | `False` | | Specifies whether the httpApplicationRouting add-on is enabled or not. |
-| `httpProxyConfig` | object | `{object}` | | Configurations for provisioning the cluster with HTTP proxy servers. |
-| `identityProfile` | object | `{object}` | | Identities associated with the cluster. |
-| `ingressApplicationGatewayEnabled` | bool | `False` | | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. |
-| `kubeDashboardEnabled` | bool | `False` | | Specifies whether the kubeDashboard add-on is enabled or not. |
-| `kubernetesVersion` | string | `''` | | Version of Kubernetes specified when creating the managed cluster. |
-| `loadBalancerSku` | string | `'standard'` | `[basic, standard]` | Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. |
-| `location` | string | `[resourceGroup().location]` | | Specifies the location of AKS cluster. It picks up Resource Group's location by default. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `managedOutboundIPCount` | int | `0` | | Outbound IP Count for the Load balancer. |
-| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. |
-| `networkDataplane` | string | `''` | `['', azure, cilium]` | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. |
-| `networkPlugin` | string | `''` | `['', azure, kubenet]` | Specifies the network plugin used for building Kubernetes network. |
-| `networkPluginMode` | string | `''` | `['', overlay]` | Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin. |
-| `networkPolicy` | string | `''` | `['', azure, calico]` | Specifies the network policy used for building Kubernetes network. - calico or azure. |
-| `nodeResourceGroup` | string | `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]` | | Name of the resource group containing agent pool nodes. |
-| `omsAgentEnabled` | bool | `True` | | Specifies whether the OMS agent is enabled. |
-| `openServiceMeshEnabled` | bool | `False` | | Specifies whether the openServiceMesh add-on is enabled or not. |
-| `outboundType` | string | `'loadBalancer'` | `[loadBalancer, userDefinedRouting]` | Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. |
-| `podCidr` | string | `''` | | Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. |
-| `podIdentityProfileAllowNetworkPluginKubenet` | bool | `False` | | Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. |
-| `podIdentityProfileEnable` | bool | `False` | | Whether the pod identity addon is enabled. |
-| `podIdentityProfileUserAssignedIdentities` | array | `[]` | | The pod identities to use in the cluster. |
-| `podIdentityProfileUserAssignedIdentityExceptions` | array | `[]` | | The pod identity exceptions to allow. |
-| `privateDNSZone` | string | `''` | | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `serviceCidr` | string | `''` | | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. |
-| `skuTier` | string | `'Free'` | `[Free, Premium, Standard]` | Tier of a managed cluster SKU. - Free or Standard. |
-| `sshPublicKey` | string | `''` | | Specifies the SSH RSA public key string for the Linux nodes. |
-| `supportPlan` | string | `'KubernetesOfficial'` | `[AKSLongTermSupport, KubernetesOfficial]` | The support plan for the Managed Cluster. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
-| `webApplicationRoutingEnabled` | bool | `False` | | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not.
| - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `addonProfiles` | object | The addonProfiles of the Kubernetes cluster. | -| `controlPlaneFQDN` | string | The control plane FQDN of the managed cluster. | -| `keyvaultIdentityClientId` | string | The Client ID of the Key Vault Secrets Provider identity. | -| `keyvaultIdentityObjectId` | string | The Object ID of the Key Vault Secrets Provider identity. | -| `kubeletidentityObjectId` | string | The Object ID of the AKS identity. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the managed cluster. | -| `oidcIssuerUrl` | string | The OIDC token issuer URL. | -| `omsagentIdentityObjectId` | string | The Object ID of the OMS agent identity. | -| `resourceGroupName` | string | The resource group the managed cluster was deployed into. | -| `resourceId` | string | The resource ID of the managed cluster. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `kubernetes-configuration/extension` | Local reference | -| `kubernetes-configuration/flux-configuration` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-service.managed-cluster:1.0.0`. 
-## Deployment examples +- [Azure](#example-1-azure) +- [Kubenet](#example-2-kubenet) +- [Using only defaults](#example-3-using-only-defaults) +- [Priv](#example-4-priv) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Azure

+### Example 1: _Azure_
via Bicep module ```bicep -module managedCluster './container-service/managed-cluster/main.bicep' = { +module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csmaz' params: { // Required parameters @@ -624,14 +487,14 @@ module managedCluster './container-service/managed-cluster/main.bicep' = {

-

Example 2: Kubenet

+### Example 2: _Kubenet_
via Bicep module ```bicep -module managedCluster './container-service/managed-cluster/main.bicep' = { +module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csmkube' params: { // Required parameters @@ -873,14 +736,17 @@ module managedCluster './container-service/managed-cluster/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module managedCluster './container-service/managed-cluster/main.bicep' = { +module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csmmin' params: { // Required parameters @@ -940,14 +806,14 @@ module managedCluster './container-service/managed-cluster/main.bicep' = {

-

Example 4: Priv

+### Example 4: _Priv_
via Bicep module ```bicep -module managedCluster './container-service/managed-cluster/main.bicep' = { +module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-csmpriv' params: { // Required parameters @@ -1194,6 +1060,857 @@ module managedCluster './container-service/managed-cluster/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Specifies the name of the AKS cluster. | +| [`primaryAgentPoolProfile`](#parameter-primaryagentpoolprofile) | array | Properties of the primary agent pool. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aksServicePrincipalProfile`](#parameter-aksserviceprincipalprofile) | object | Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. | +| [`appGatewayResourceId`](#parameter-appgatewayresourceid) | string | Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aadProfileAdminGroupObjectIDs`](#parameter-aadprofileadmingroupobjectids) | array | Specifies the AAD group object IDs that will have admin role of the cluster. | +| [`aadProfileClientAppID`](#parameter-aadprofileclientappid) | string | The client AAD application ID. | +| [`aadProfileEnableAzureRBAC`](#parameter-aadprofileenableazurerbac) | bool | Specifies whether to enable Azure RBAC for Kubernetes authorization. | +| [`aadProfileManaged`](#parameter-aadprofilemanaged) | bool | Specifies whether to enable managed AAD integration. | +| [`aadProfileServerAppID`](#parameter-aadprofileserverappid) | string | The server AAD application ID. | +| [`aadProfileServerAppSecret`](#parameter-aadprofileserverappsecret) | string | The server AAD application secret. | +| [`aadProfileTenantId`](#parameter-aadprofiletenantid) | string | Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. 
| +| [`aciConnectorLinuxEnabled`](#parameter-aciconnectorlinuxenabled) | bool | Specifies whether the aciConnectorLinux add-on is enabled or not. | +| [`adminUsername`](#parameter-adminusername) | string | Specifies the administrator username of Linux virtual machines. | +| [`agentPools`](#parameter-agentpools) | array | Define one or more secondary/additional agent pools. | +| [`authorizedIPRanges`](#parameter-authorizedipranges) | array | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. | +| [`autoScalerProfileBalanceSimilarNodeGroups`](#parameter-autoscalerprofilebalancesimilarnodegroups) | string | Specifies the balance of similar node groups for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileExpander`](#parameter-autoscalerprofileexpander) | string | Specifies the expand strategy for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileMaxEmptyBulkDelete`](#parameter-autoscalerprofilemaxemptybulkdelete) | string | Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileMaxGracefulTerminationSec`](#parameter-autoscalerprofilemaxgracefulterminationsec) | string | Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileMaxNodeProvisionTime`](#parameter-autoscalerprofilemaxnodeprovisiontime) | string | Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported. | +| [`autoScalerProfileMaxTotalUnreadyPercentage`](#parameter-autoscalerprofilemaxtotalunreadypercentage) | string | Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0. 
| +| [`autoScalerProfileNewPodScaleUpDelay`](#parameter-autoscalerprofilenewpodscaleupdelay) | string | For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc). | +| [`autoScalerProfileOkTotalUnreadyCount`](#parameter-autoscalerprofileoktotalunreadycount) | string | Specifies the OK total unready count for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScaleDownDelayAfterAdd`](#parameter-autoscalerprofilescaledowndelayafteradd) | string | Specifies the scale down delay after add of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScaleDownDelayAfterDelete`](#parameter-autoscalerprofilescaledowndelayafterdelete) | string | Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScaleDownDelayAfterFailure`](#parameter-autoscalerprofilescaledowndelayafterfailure) | string | Specifies scale down delay after failure of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScaleDownUnneededTime`](#parameter-autoscalerprofilescaledownunneededtime) | string | Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScaleDownUnreadyTime`](#parameter-autoscalerprofilescaledownunreadytime) | string | Specifies the scale down unready time of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileScanInterval`](#parameter-autoscalerprofilescaninterval) | string | Specifies the scan interval of the auto-scaler of the AKS cluster. | +| [`autoScalerProfileSkipNodesWithLocalStorage`](#parameter-autoscalerprofileskipnodeswithlocalstorage) | string | Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. 
| +| [`autoScalerProfileSkipNodesWithSystemPods`](#parameter-autoscalerprofileskipnodeswithsystempods) | string | Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. | +| [`autoScalerProfileUtilizationThreshold`](#parameter-autoscalerprofileutilizationthreshold) | string | Specifies the utilization threshold of the auto-scaler of the AKS cluster. | +| [`autoUpgradeProfileUpgradeChannel`](#parameter-autoupgradeprofileupgradechannel) | string | Auto-upgrade channel on the AKS cluster. | +| [`azurePolicyEnabled`](#parameter-azurepolicyenabled) | bool | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. | +| [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. | +| [`disableRunCommand`](#parameter-disableruncommand) | bool | Whether to disable run command for the cluster or not. | +| [`diskEncryptionSetID`](#parameter-diskencryptionsetid) | string | The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. | +| [`dnsPrefix`](#parameter-dnsprefix) | string | Specifies the DNS prefix specified when creating the managed cluster. | +| [`dnsServiceIP`](#parameter-dnsserviceip) | string | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | +| [`dnsZoneResourceId`](#parameter-dnszoneresourceid) | string | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. | +| [`enableAzureDefender`](#parameter-enableazuredefender) | bool | Whether to enable Azure Defender. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableDnsZoneContributorRoleAssignment`](#parameter-enablednszonecontributorroleassignment) | bool | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. | +| [`enableKeyvaultSecretsProvider`](#parameter-enablekeyvaultsecretsprovider) | bool | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. 
| +| [`enableOidcIssuerProfile`](#parameter-enableoidcissuerprofile) | bool | Whether the The OIDC issuer profile of the Managed Cluster is enabled. | +| [`enablePodSecurityPolicy`](#parameter-enablepodsecuritypolicy) | bool | Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. | +| [`enablePrivateCluster`](#parameter-enableprivatecluster) | bool | Specifies whether to create the cluster as a private cluster or not. | +| [`enablePrivateClusterPublicFQDN`](#parameter-enableprivateclusterpublicfqdn) | bool | Whether to create additional public FQDN for private cluster or not. | +| [`enableRBAC`](#parameter-enablerbac) | bool | Whether to enable Kubernetes Role-Based Access Control. | +| [`enableSecretRotation`](#parameter-enablesecretrotation) | string | Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. | +| [`enableStorageProfileBlobCSIDriver`](#parameter-enablestorageprofileblobcsidriver) | bool | Whether the AzureBlob CSI Driver for the storage profile is enabled. | +| [`enableStorageProfileDiskCSIDriver`](#parameter-enablestorageprofilediskcsidriver) | bool | Whether the AzureDisk CSI Driver for the storage profile is enabled. | +| [`enableStorageProfileFileCSIDriver`](#parameter-enablestorageprofilefilecsidriver) | bool | Whether the AzureFile CSI Driver for the storage profile is enabled. | +| [`enableStorageProfileSnapshotController`](#parameter-enablestorageprofilesnapshotcontroller) | bool | Whether the snapshot controller for the storage profile is enabled. | +| [`enableWorkloadIdentity`](#parameter-enableworkloadidentity) | bool | Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. | +| [`fluxConfigurationProtectedSettings`](#parameter-fluxconfigurationprotectedsettings) | secureObject | Configuration settings that are sensitive, as name-value pairs for configuring this extension. 
| +| [`fluxExtension`](#parameter-fluxextension) | object | Settings and configurations for the flux extension. | +| [`httpApplicationRoutingEnabled`](#parameter-httpapplicationroutingenabled) | bool | Specifies whether the httpApplicationRouting add-on is enabled or not. | +| [`httpProxyConfig`](#parameter-httpproxyconfig) | object | Configurations for provisioning the cluster with HTTP proxy servers. | +| [`identityProfile`](#parameter-identityprofile) | object | Identities associated with the cluster. | +| [`ingressApplicationGatewayEnabled`](#parameter-ingressapplicationgatewayenabled) | bool | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. | +| [`kubeDashboardEnabled`](#parameter-kubedashboardenabled) | bool | Specifies whether the kubeDashboard add-on is enabled or not. | +| [`kubernetesVersion`](#parameter-kubernetesversion) | string | Version of Kubernetes specified when creating the managed cluster. | +| [`loadBalancerSku`](#parameter-loadbalancersku) | string | Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | +| [`location`](#parameter-location) | string | Specifies the location of AKS cluster. It picks up Resource Group's location by default. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedOutboundIPCount`](#parameter-managedoutboundipcount) | int | Outbound IP Count for the Load balancer. | +| [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. | +| [`networkDataplane`](#parameter-networkdataplane) | string | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. | +| [`networkPlugin`](#parameter-networkplugin) | string | Specifies the network plugin used for building Kubernetes network. | +| [`networkPluginMode`](#parameter-networkpluginmode) | string | Network plugin mode used for building the Kubernetes network. 
Not compatible with kubenet network plugin. | +| [`networkPolicy`](#parameter-networkpolicy) | string | Specifies the network policy used for building Kubernetes network. - calico or azure. | +| [`nodeResourceGroup`](#parameter-noderesourcegroup) | string | Name of the resource group containing agent pool nodes. | +| [`omsAgentEnabled`](#parameter-omsagentenabled) | bool | Specifies whether the OMS agent is enabled. | +| [`openServiceMeshEnabled`](#parameter-openservicemeshenabled) | bool | Specifies whether the openServiceMesh add-on is enabled or not. | +| [`outboundType`](#parameter-outboundtype) | string | Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. | +| [`podCidr`](#parameter-podcidr) | string | Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. | +| [`podIdentityProfileAllowNetworkPluginKubenet`](#parameter-podidentityprofileallownetworkpluginkubenet) | bool | Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. | +| [`podIdentityProfileEnable`](#parameter-podidentityprofileenable) | bool | Whether the pod identity addon is enabled. | +| [`podIdentityProfileUserAssignedIdentities`](#parameter-podidentityprofileuserassignedidentities) | array | The pod identities to use in the cluster. | +| [`podIdentityProfileUserAssignedIdentityExceptions`](#parameter-podidentityprofileuserassignedidentityexceptions) | array | The pod identity exceptions to allow. | +| [`privateDNSZone`](#parameter-privatednszone) | string | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serviceCidr`](#parameter-servicecidr) | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | +| [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. - Free or Standard. | +| [`sshPublicKey`](#parameter-sshpublickey) | string | Specifies the SSH RSA public key string for the Linux nodes. | +| [`supportPlan`](#parameter-supportplan) | string | The support plan for the Managed Cluster. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`webApplicationRoutingEnabled`](#parameter-webapplicationroutingenabled) | bool | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | + +### Parameter: `aadProfileAdminGroupObjectIDs` + +Specifies the AAD group object IDs that will have admin role of the cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `aadProfileClientAppID` + +The client AAD application ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `aadProfileEnableAzureRBAC` + +Specifies whether to enable Azure RBAC for Kubernetes authorization. 
+- Required: No +- Type: bool +- Default: `[parameters('enableRBAC')]` + +### Parameter: `aadProfileManaged` + +Specifies whether to enable managed AAD integration. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `aadProfileServerAppID` + +The server AAD application ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `aadProfileServerAppSecret` + +The server AAD application secret. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `aadProfileTenantId` + +Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. +- Required: No +- Type: string +- Default: `[subscription().tenantId]` + +### Parameter: `aciConnectorLinuxEnabled` + +Specifies whether the aciConnectorLinux add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `adminUsername` + +Specifies the administrator username of Linux virtual machines. +- Required: No +- Type: string +- Default: `'azureuser'` + +### Parameter: `agentPools` + +Define one or more secondary/additional agent pools. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `aksServicePrincipalProfile` + +Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `appGatewayResourceId` + +Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `authorizedIPRanges` + +IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `autoScalerProfileBalanceSimilarNodeGroups` + +Specifies the balance of similar node groups for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'false'` +- Allowed: `[false, true]` + +### Parameter: `autoScalerProfileExpander` + +Specifies the expand strategy for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'random'` +- Allowed: `[least-waste, most-pods, priority, random]` + +### Parameter: `autoScalerProfileMaxEmptyBulkDelete` + +Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'10'` + +### Parameter: `autoScalerProfileMaxGracefulTerminationSec` + +Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'600'` + +### Parameter: `autoScalerProfileMaxNodeProvisionTime` + +Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported. +- Required: No +- Type: string +- Default: `'15m'` + +### Parameter: `autoScalerProfileMaxTotalUnreadyPercentage` + +Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0. +- Required: No +- Type: string +- Default: `'45'` + +### Parameter: `autoScalerProfileNewPodScaleUpDelay` + +For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc). 
+- Required: No +- Type: string +- Default: `'0s'` + +### Parameter: `autoScalerProfileOkTotalUnreadyCount` + +Specifies the OK total unready count for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'3'` + +### Parameter: `autoScalerProfileScaleDownDelayAfterAdd` + +Specifies the scale down delay after add of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'10m'` + +### Parameter: `autoScalerProfileScaleDownDelayAfterDelete` + +Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'20s'` + +### Parameter: `autoScalerProfileScaleDownDelayAfterFailure` + +Specifies scale down delay after failure of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'3m'` + +### Parameter: `autoScalerProfileScaleDownUnneededTime` + +Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'10m'` + +### Parameter: `autoScalerProfileScaleDownUnreadyTime` + +Specifies the scale down unready time of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'20m'` + +### Parameter: `autoScalerProfileScanInterval` + +Specifies the scan interval of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'10s'` + +### Parameter: `autoScalerProfileSkipNodesWithLocalStorage` + +Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'true'` +- Allowed: `[false, true]` + +### Parameter: `autoScalerProfileSkipNodesWithSystemPods` + +Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. 
+- Required: No +- Type: string +- Default: `'true'` +- Allowed: `[false, true]` + +### Parameter: `autoScalerProfileUtilizationThreshold` + +Specifies the utilization threshold of the auto-scaler of the AKS cluster. +- Required: No +- Type: string +- Default: `'0.5'` + +### Parameter: `autoUpgradeProfileUpgradeChannel` + +Auto-upgrade channel on the AKS cluster. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', node-image, none, patch, rapid, stable]` + +### Parameter: `azurePolicyEnabled` + +Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `azurePolicyVersion` + +Specifies the azure policy version to use. +- Required: No +- Type: string +- Default: `'v2'` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, cluster-autoscaler, guard, kube-apiserver, kube-audit, kube-audit-admin, kube-controller-manager, kube-scheduler]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAccounts` + +If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableRunCommand` + +Whether to disable run command for the cluster or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `diskEncryptionSetID` + +The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsPrefix` + +Specifies the DNS prefix specified when creating the managed cluster. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `dnsServiceIP` + +Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsZoneResourceId` + +Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableAzureDefender` + +Whether to enable Azure Defender. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDnsZoneContributorRoleAssignment` + +Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableKeyvaultSecretsProvider` + +Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableOidcIssuerProfile` + +Whether the The OIDC issuer profile of the Managed Cluster is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enablePodSecurityPolicy` + +Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enablePrivateCluster` + +Specifies whether to create the cluster as a private cluster or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enablePrivateClusterPublicFQDN` + +Whether to create additional public FQDN for private cluster or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableRBAC` + +Whether to enable Kubernetes Role-Based Access Control. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableSecretRotation` + +Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. +- Required: No +- Type: string +- Default: `'false'` +- Allowed: `[false, true]` + +### Parameter: `enableStorageProfileBlobCSIDriver` + +Whether the AzureBlob CSI Driver for the storage profile is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableStorageProfileDiskCSIDriver` + +Whether the AzureDisk CSI Driver for the storage profile is enabled. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableStorageProfileFileCSIDriver` + +Whether the AzureFile CSI Driver for the storage profile is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableStorageProfileSnapshotController` + +Whether the snapshot controller for the storage profile is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableWorkloadIdentity` + +Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `fluxConfigurationProtectedSettings` + +Configuration settings that are sensitive, as name-value pairs for configuring this extension. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `fluxExtension` + +Settings and configurations for the flux extension. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `httpApplicationRoutingEnabled` + +Specifies whether the httpApplicationRouting add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `httpProxyConfig` + +Configurations for provisioning the cluster with HTTP proxy servers. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `identityProfile` + +Identities associated with the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `ingressApplicationGatewayEnabled` + +Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `kubeDashboardEnabled` + +Specifies whether the kubeDashboard add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `kubernetesVersion` + +Version of Kubernetes specified when creating the managed cluster. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `loadBalancerSku` + +Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. +- Required: No +- Type: string +- Default: `'standard'` +- Allowed: `[basic, standard]` + +### Parameter: `location` + +Specifies the location of AKS cluster. It picks up Resource Group's location by default. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedOutboundIPCount` + +Outbound IP Count for the Load balancer. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `monitoringWorkspaceId` + +Resource ID of the monitoring log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +Specifies the name of the AKS cluster. +- Required: Yes +- Type: string + +### Parameter: `networkDataplane` + +Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', azure, cilium]` + +### Parameter: `networkPlugin` + +Specifies the network plugin used for building Kubernetes network. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', azure, kubenet]` + +### Parameter: `networkPluginMode` + +Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', overlay]` + +### Parameter: `networkPolicy` + +Specifies the network policy used for building Kubernetes network. - calico or azure. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', azure, calico]` + +### Parameter: `nodeResourceGroup` + +Name of the resource group containing agent pool nodes. 
+- Required: No +- Type: string +- Default: `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]` + +### Parameter: `omsAgentEnabled` + +Specifies whether the OMS agent is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `openServiceMeshEnabled` + +Specifies whether the openServiceMesh add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `outboundType` + +Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. +- Required: No +- Type: string +- Default: `'loadBalancer'` +- Allowed: `[loadBalancer, userDefinedRouting]` + +### Parameter: `podCidr` + +Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `podIdentityProfileAllowNetworkPluginKubenet` + +Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `podIdentityProfileEnable` + +Whether the pod identity addon is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `podIdentityProfileUserAssignedIdentities` + +The pod identities to use in the cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `podIdentityProfileUserAssignedIdentityExceptions` + +The pod identity exceptions to allow. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `primaryAgentPoolProfile` + +Properties of the primary agent pool. +- Required: Yes +- Type: array + +### Parameter: `privateDNSZone` + +Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceCidr` + +A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `skuTier` + +Tier of a managed cluster SKU. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Premium, Standard]` + +### Parameter: `sshPublicKey` + +Specifies the SSH RSA public key string for the Linux nodes. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `supportPlan` + +The support plan for the Managed Cluster. +- Required: No +- Type: string +- Default: `'KubernetesOfficial'` +- Allowed: `[AKSLongTermSupport, KubernetesOfficial]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `webApplicationRoutingEnabled` + +Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `addonProfiles` | object | The addonProfiles of the Kubernetes cluster. 
| +| `controlPlaneFQDN` | string | The control plane FQDN of the managed cluster. | +| `keyvaultIdentityClientId` | string | The Client ID of the Key Vault Secrets Provider identity. | +| `keyvaultIdentityObjectId` | string | The Object ID of the Key Vault Secrets Provider identity. | +| `kubeletidentityObjectId` | string | The Object ID of the AKS identity. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the managed cluster. | +| `oidcIssuerUrl` | string | The OIDC token issuer URL. | +| `omsagentIdentityObjectId` | string | The Object ID of the OMS agent identity. | +| `resourceGroupName` | string | The resource group the managed cluster was deployed into. | +| `resourceId` | string | The resource ID of the managed cluster. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/kubernetes-configuration/extension` | Local reference | +| `modules/kubernetes-configuration/flux-configuration` | Local reference | + ## Notes ### Parameter Usage: `httpProxyConfig` diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md index 56fd616524..3c02efae7a 100644 --- a/modules/container-service/managed-cluster/agent-pool/README.md +++ b/modules/container-service/managed-cluster/agent-pool/README.md 
@@ -4,12 +4,12 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,60 +19,324 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the agent pool. | +| [`name`](#parameter-name) | string | Name of the agent pool. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedClusterName` | string | The name of the parent managed cluster. Required if the template is used in a standalone deployment. | +| [`managedClusterName`](#parameter-managedclustername) | string | The name of the parent managed cluster. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `availabilityZones` | array | `[]` | | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". | -| `count` | int | `1` | | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | -| `enableAutoScaling` | bool | `False` | | Whether to enable auto-scaler. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableEncryptionAtHost` | bool | `False` | | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. | -| `enableFIPS` | bool | `False` | | See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. 
| -| `enableNodePublicIP` | bool | `False` | | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). | -| `enableUltraSSD` | bool | `False` | | Whether to enable UltraSSD. | -| `gpuInstanceProfile` | string | `''` | `['', MIG1g, MIG2g, MIG3g, MIG4g, MIG7g]` | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | -| `kubeletDiskType` | string | `''` | | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | -| `maxCount` | int | `-1` | | The maximum number of nodes for auto-scaling. | -| `maxPods` | int | `-1` | | The maximum number of pods that can run on a node. | -| `maxSurge` | string | `''` | | This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. | -| `minCount` | int | `-1` | | The minimum number of nodes for auto-scaling. | -| `mode` | string | `''` | | A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. | -| `nodeLabels` | object | `{object}` | | The node labels to be persisted across all nodes in agent pool. | -| `nodePublicIpPrefixId` | string | `''` | | ResourceId of the node PublicIPPrefix. 
| -| `nodeTaints` | array | `[]` | | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | -| `orchestratorVersion` | string | `''` | | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). | -| `osDiskSizeGB` | int | `0` | | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | -| `osDiskType` | string | `''` | `['', Ephemeral, Managed]` | The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). | -| `osSku` | string | `''` | `['', AzureLinux, CBLMariner, Ubuntu, Windows2019, Windows2022]` | Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. | -| `osType` | string | `'Linux'` | `[Linux, Windows]` | The operating system type. The default is Linux. | -| `podSubnetId` | string | `''` | | Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). 
This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | -| `proximityPlacementGroupResourceId` | string | `''` | | The ID for the Proximity Placement Group. | -| `scaleDownMode` | string | `'Delete'` | `[Deallocate, Delete]` | Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). | -| `scaleSetEvictionPolicy` | string | `'Delete'` | `[Deallocate, Delete]` | The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. | -| `scaleSetPriority` | string | `''` | `['', Regular, Spot]` | The Virtual Machine Scale Set priority. | -| `sourceResourceId` | string | `''` | | This is the ARM ID of the source object to be used to create the target object. | -| `spotMaxPrice` | int | `-1` | | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). | -| `tags` | object | `{object}` | | Tags of the resource. | -| `type` | string | `''` | | The type of Agent Pool. | -| `vmSize` | string | `'Standard_D2s_v3'` | | VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. | -| `vnetSubnetId` | string | `''` | | Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. 
This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | -| `workloadRuntime` | string | `''` | | Determines the type of workload a node can run. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`availabilityZones`](#parameter-availabilityzones) | array | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". | +| [`count`](#parameter-count) | int | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | +| [`enableAutoScaling`](#parameter-enableautoscaling) | bool | Whether to enable auto-scaler. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableEncryptionAtHost`](#parameter-enableencryptionathost) | bool | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. | +| [`enableFIPS`](#parameter-enablefips) | bool | See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. | +| [`enableNodePublicIP`](#parameter-enablenodepublicip) | bool | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). 
| +| [`enableUltraSSD`](#parameter-enableultrassd) | bool | Whether to enable UltraSSD. | +| [`gpuInstanceProfile`](#parameter-gpuinstanceprofile) | string | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | +| [`kubeletDiskType`](#parameter-kubeletdisktype) | string | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | +| [`maxCount`](#parameter-maxcount) | int | The maximum number of nodes for auto-scaling. | +| [`maxPods`](#parameter-maxpods) | int | The maximum number of pods that can run on a node. | +| [`maxSurge`](#parameter-maxsurge) | string | This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. | +| [`minCount`](#parameter-mincount) | int | The minimum number of nodes for auto-scaling. | +| [`mode`](#parameter-mode) | string | A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. | +| [`nodeLabels`](#parameter-nodelabels) | object | The node labels to be persisted across all nodes in agent pool. | +| [`nodePublicIpPrefixId`](#parameter-nodepublicipprefixid) | string | ResourceId of the node PublicIPPrefix. | +| [`nodeTaints`](#parameter-nodetaints) | array | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | +| [`orchestratorVersion`](#parameter-orchestratorversion) | string | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. 
The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). | +| [`osDiskSizeGB`](#parameter-osdisksizegb) | int | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | +| [`osDiskType`](#parameter-osdisktype) | string | The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). | +| [`osSku`](#parameter-ossku) | string | Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. | +| [`osType`](#parameter-ostype) | string | The operating system type. The default is Linux. | +| [`podSubnetId`](#parameter-podsubnetid) | string | Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | +| [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | The ID for the Proximity Placement Group. | +| [`scaleDownMode`](#parameter-scaledownmode) | string | Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). 
| +| [`scaleSetEvictionPolicy`](#parameter-scalesetevictionpolicy) | string | The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. | +| [`scaleSetPriority`](#parameter-scalesetpriority) | string | The Virtual Machine Scale Set priority. | +| [`sourceResourceId`](#parameter-sourceresourceid) | string | This is the ARM ID of the source object to be used to create the target object. | +| [`spotMaxPrice`](#parameter-spotmaxprice) | int | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`type`](#parameter-type) | string | The type of Agent Pool. | +| [`vmSize`](#parameter-vmsize) | string | VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. | +| [`vnetSubnetId`](#parameter-vnetsubnetid) | string | Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | +| [`workloadRuntime`](#parameter-workloadruntime) | string | Determines the type of workload a node can run. | + +### Parameter: `availabilityZones` + +The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `count` + +Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `enableAutoScaling` + +Whether to enable auto-scaler. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableEncryptionAtHost` + +This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableFIPS` + +See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableNodePublicIP` + +Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableUltraSSD` + +Whether to enable UltraSSD. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `gpuInstanceProfile` + +GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', MIG1g, MIG2g, MIG3g, MIG4g, MIG7g]` + +### Parameter: `kubeletDiskType` + +Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `managedClusterName` + +The name of the parent managed cluster. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `maxCount` + +The maximum number of nodes for auto-scaling. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `maxPods` + +The maximum number of pods that can run on a node. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `maxSurge` + +This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `minCount` + +The minimum number of nodes for auto-scaling. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `mode` + +A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +Name of the agent pool. +- Required: Yes +- Type: string + +### Parameter: `nodeLabels` + +The node labels to be persisted across all nodes in agent pool. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `nodePublicIpPrefixId` + +ResourceId of the node PublicIPPrefix. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `nodeTaints` + +The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `orchestratorVersion` + +As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `osDiskSizeGB` + +OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `osDiskType` + +The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Ephemeral, Managed]` + +### Parameter: `osSku` + +Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', AzureLinux, CBLMariner, Ubuntu, Windows2019, Windows2022]` + +### Parameter: `osType` + +The operating system type. The default is Linux. 
+- Required: No +- Type: string +- Default: `'Linux'` +- Allowed: `[Linux, Windows]` + +### Parameter: `podSubnetId` + +Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `proximityPlacementGroupResourceId` + +The ID for the Proximity Placement Group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `scaleDownMode` + +Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). +- Required: No +- Type: string +- Default: `'Delete'` +- Allowed: `[Deallocate, Delete]` + +### Parameter: `scaleSetEvictionPolicy` + +The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. +- Required: No +- Type: string +- Default: `'Delete'` +- Allowed: `[Deallocate, Delete]` + +### Parameter: `scaleSetPriority` + +The Virtual Machine Scale Set priority. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Regular, Spot]` + +### Parameter: `sourceResourceId` + +This is the ARM ID of the source object to be used to create the target object. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `spotMaxPrice` + +Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `tags` + +Tags of the resource. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `type` + +The type of Agent Pool. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `vmSize` + +VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. +- Required: No +- Type: string +- Default: `'Standard_D2s_v3'` + +### Parameter: `vnetSubnetId` + +Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `workloadRuntime` + +Determines the type of workload a node can run. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the agent pool. | | `resourceGroupName` | string | The resource group the agent pool was deployed into. | diff --git a/modules/container-service/managed-cluster/agent-pool/main.json b/modules/container-service/managed-cluster/agent-pool/main.json index a99f675bf9..9325db5ebe 100644 --- a/modules/container-service/managed-cluster/agent-pool/main.json +++ b/modules/container-service/managed-cluster/agent-pool/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15838012443949702483" + "version": "0.22.6.54827", + "templateHash": "4102221439423294777" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", 
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index ee3d0499c8..ad17d46755 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1411508113014099928"
+ "version": "0.22.6.54827",
+ "templateHash": "5840083578872726906"
 },
 "name": "Azure Kubernetes Service (AKS) Managed Clusters",
 "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -1102,8 +1102,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15838012443949702483"
+ "version": "0.22.6.54827",
+ "templateHash": "4102221439423294777"
 },
 "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
 "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -1545,8 +1545,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14913275975998013893"
+ "version": "0.22.6.54827",
+ "templateHash": "5002606439705018990"
 },
 "name": "Kubernetes Configuration Extensions",
 "description": "This module deploys a Kubernetes Configuration Extension.",
@@ -1708,8 +1708,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11648869363176032755"
+ "version": "0.22.6.54827",
+ "templateHash": "6686104224333946371"
 },
 "name": "Kubernetes Configuration Flux Configurations",
 "description": "This module deploys a Kubernetes Configuration Flux Configuration.",
@@ -1929,8 +1929,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11132457537180081397"
+ "version": "0.22.6.54827",
+ "templateHash": "921005320898310167"
 }
 },
 "parameters": {
diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 31c1fa8500..9d7ac74872 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/data-factory/factory/.test/min/main.test.bicep b/modules/data-factory/factory/.test/min/main.test.bicep index 9f0e43eef7..f5dadd9372 100644 --- a/modules/data-factory/factory/.test/min/main.test.bicep +++ b/modules/data-factory/factory/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 02ca57084e..f9473fa622 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -4,14 +4,14 @@ This module deploys a Data Factory. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -25,91 +25,28 @@ This module deploys a Data Factory. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Azure Factory to create. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | - -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-factory.factory:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. 
| -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', ActivityRuns, allLogs, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `gitAccountName` | string | `''` | | The account name. | -| `gitCollaborationBranch` | string | `'main'` | | The collaboration branch name. Default is 'main'. | -| `gitConfigureLater` | bool | `True` | | Boolean to define whether or not to configure git during template deployment. | -| `gitDisablePublish` | bool | `False` | | Disable manual publish operation in ADF studio to favor automated publish. | -| `gitHostName` | string | `''` | | The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. 
| -| `gitProjectName` | string | `''` | | The project name. Only relevant for 'FactoryVSTSConfiguration'. | -| `gitRepositoryName` | string | `''` | | The repository name. | -| `gitRepoType` | string | `'FactoryVSTSConfiguration'` | | Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. | -| `gitRootFolder` | string | `'/'` | | The root folder path name. Default is '/'. | -| `globalParameters` | object | `{object}` | | List of Global Parameters for the factory. | -| `integrationRuntimes` | array | `[]` | | An array of objects for the configuration of an Integration Runtime. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedPrivateEndpoints` | array | `[]` | | An array of managed private endpoints objects created in the Data Factory managed virtual network. | -| `managedVirtualNetworkName` | string | `''` | | The name of the Managed Virtual Network. | -| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the Azure Data Factory instance. | -| `resourceGroupName` | string | The name of the Resource Group with the Data factory. | -| `resourceId` | string | The Resource ID of the Data factory. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module factory './data-factory/factory/main.bicep' = { +module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dffcom' params: { // Required parameters @@ -333,14 +270,17 @@ module factory './data-factory/factory/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module factory './data-factory/factory/main.bicep' = { +module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dffmin' params: { // Required parameters @@ -379,6 +319,317 @@ module factory './data-factory/factory/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Azure Factory to create. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. 
| +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`gitAccountName`](#parameter-gitaccountname) | string | The account name. | +| [`gitCollaborationBranch`](#parameter-gitcollaborationbranch) | string | The collaboration branch name. Default is 'main'. | +| [`gitConfigureLater`](#parameter-gitconfigurelater) | bool | Boolean to define whether or not to configure git during template deployment. | +| [`gitDisablePublish`](#parameter-gitdisablepublish) | bool | Disable manual publish operation in ADF studio to favor automated publish. | +| [`gitHostName`](#parameter-githostname) | string | The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. | +| [`gitProjectName`](#parameter-gitprojectname) | string | The project name. Only relevant for 'FactoryVSTSConfiguration'. | +| [`gitRepositoryName`](#parameter-gitrepositoryname) | string | The repository name. | +| [`gitRepoType`](#parameter-gitrepotype) | string | Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. | +| [`gitRootFolder`](#parameter-gitrootfolder) | string | The root folder path name. Default is '/'. | +| [`globalParameters`](#parameter-globalparameters) | object | List of Global Parameters for the factory. | +| [`integrationRuntimes`](#parameter-integrationruntimes) | array | An array of objects for the configuration of an Integration Runtime. 
| +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | +| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', ActivityRuns, allLogs, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gitAccountName` + +The account name. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `gitCollaborationBranch` + +The collaboration branch name. Default is 'main'. +- Required: No +- Type: string +- Default: `'main'` + +### Parameter: `gitConfigureLater` + +Boolean to define whether or not to configure git during template deployment. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gitDisablePublish` + +Disable manual publish operation in ADF studio to favor automated publish. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `gitHostName` + +The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `gitProjectName` + +The project name. Only relevant for 'FactoryVSTSConfiguration'. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `gitRepositoryName` + +The repository name. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `gitRepoType` + +Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. +- Required: No +- Type: string +- Default: `'FactoryVSTSConfiguration'` + +### Parameter: `gitRootFolder` + +The root folder path name. Default is '/'. +- Required: No +- Type: string +- Default: `'/'` + +### Parameter: `globalParameters` + +List of Global Parameters for the factory. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `integrationRuntimes` + +An array of objects for the configuration of an Integration Runtime. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedPrivateEndpoints` + +An array of managed private endpoints objects created in the Data Factory managed virtual network. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `managedVirtualNetworkName` + +The name of the Managed Virtual Network. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the Azure Factory to create. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Name of the Azure Data Factory instance. | +| `resourceGroupName` | string | The name of the Resource Group with the Data factory. | +| `resourceId` | string | The Resource ID of the Data factory. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | + ## Notes ### Parameter Usage: `managedPrivateEndpoints` diff --git a/modules/data-factory/factory/integration-runtime/README.md b/modules/data-factory/factory/integration-runtime/README.md index 420d090782..27111ad237 100644 --- a/modules/data-factory/factory/integration-runtime/README.md +++ b/modules/data-factory/factory/integration-runtime/README.md 
@@ -4,13 +4,13 @@ This module deploys a Data Factory Managed or Self-Hosted Integration Runtime. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,29 +20,69 @@ This module deploys a Data Factory Managed or Self-Hosted Integration Runtime. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | The name of the Integration Runtime. | -| `type` | string | `[Managed, SelfHosted]` | The type of Integration Runtime. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Integration Runtime. | +| [`type`](#parameter-type) | string | The type of Integration Runtime. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dataFactoryName` | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | +| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `managedVirtualNetworkName` | string | `''` | The name of the Managed Virtual Network if using type "Managed" . | -| `typeProperties` | object | `{object}` | Integration Runtime type properties. Required if type is "Managed". | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network if using type "Managed" . | +| [`typeProperties`](#parameter-typeproperties) | object | Integration Runtime type properties. Required if type is "Managed". | + +### Parameter: `dataFactoryName` + +The name of the parent Azure Data Factory. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedVirtualNetworkName` + +The name of the Managed Virtual Network if using type "Managed" . +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the Integration Runtime. +- Required: Yes +- Type: string + +### Parameter: `type` + +The type of Integration Runtime. +- Required: Yes +- Type: string +- Allowed: `[Managed, SelfHosted]` + +### Parameter: `typeProperties` + +Integration Runtime type properties. Required if type is "Managed". +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Integration Runtime. | | `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. | diff --git a/modules/data-factory/factory/integration-runtime/main.json b/modules/data-factory/factory/integration-runtime/main.json index bb811c619f..1622eb4e06 100644 --- a/modules/data-factory/factory/integration-runtime/main.json +++ b/modules/data-factory/factory/integration-runtime/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3532154338917341406" + "version": "0.22.6.54827", + "templateHash": "2407789138740487733" }, "name": "Data Factory Integration RunTimes", "description": "This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index 377ac5f940..ca428834bc 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "636961564143694705" + "version": "0.22.6.54827", + "templateHash": "5636410891768038353" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", @@ -396,8 +396,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7244200630080980053" + "version": "0.22.6.54827", + "templateHash": "14273608975905052502" }, "name": "Data Factory Managed Virtual Networks", "description": "This module deploys a Data Factory Managed Virtual Network.", @@ -497,8 +497,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8218881783737158619" + "version": "0.22.6.54827", + "templateHash": "1490870890954327678" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", @@ -666,8 +666,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1297850532911310740" + "version": "0.22.6.54827", + "templateHash": "2407789138740487733" }, "name": "Data Factory Integration RunTimes", "description": "This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", @@ -810,8 +810,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18228102662712097574" + "version": "0.22.6.54827", + "templateHash": "18126264566074899156" } }, "parameters": { @@ -971,8 +971,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1171,8 +1171,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1309,8 +1309,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/data-factory/factory/managed-virtual-network/README.md b/modules/data-factory/factory/managed-virtual-network/README.md index cda18555b9..59b92e31fe 100644 --- a/modules/data-factory/factory/managed-virtual-network/README.md +++ b/modules/data-factory/factory/managed-virtual-network/README.md @@ -4,13 +4,13 @@ This module deploys a Data Factory Managed Virtual Network. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,27 +21,53 @@ This module deploys a Data Factory Managed Virtual Network. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Managed Virtual Network. | +| [`name`](#parameter-name) | string | The name of the Managed Virtual Network. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dataFactoryName` | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | +| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `managedPrivateEndpoints` | array | `[]` | An array of managed private endpoints objects created in the Data Factory managed virtual network. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | + +### Parameter: `dataFactoryName` + +The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedPrivateEndpoints` + +An array of managed private endpoints objects created in the Data Factory managed virtual network. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the Managed Virtual Network. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Managed Virtual Network. | | `resourceGroupName` | string | The name of the Resource Group the Managed Virtual Network was created in. | diff --git a/modules/data-factory/factory/managed-virtual-network/main.json b/modules/data-factory/factory/managed-virtual-network/main.json index 2885cf59b4..96dc5dd33b 100644 --- a/modules/data-factory/factory/managed-virtual-network/main.json +++ b/modules/data-factory/factory/managed-virtual-network/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12310194736024387290" + "version": "0.22.6.54827", + "templateHash": "14273608975905052502" }, "name": "Data Factory Managed Virtual Networks", "description": "This module deploys a Data Factory Managed Virtual Network.", @@ -105,8 +105,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17089196483393073819" + "version": "0.22.6.54827", + "templateHash": "1490870890954327678" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md index 7d3631961a..8d1265830d 100644 --- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md +++ b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md 
@@ -19,30 +19,73 @@ This module deploys a Data Factory Managed Virtual Network Managed Private Endpo **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `fqdns` | array | Fully qualified domain names. | -| `groupId` | string | The groupId to which the managed private endpoint is created. | -| `managedVirtualNetworkName` | string | The name of the parent managed virtual network. | -| `name` | string | The managed private endpoint resource name. | -| `privateLinkResourceId` | string | The ARM resource ID of the resource to which the managed private endpoint is created. | +| [`fqdns`](#parameter-fqdns) | array | Fully qualified domain names. | +| [`groupId`](#parameter-groupid) | string | The groupId to which the managed private endpoint is created. | +| [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the parent managed virtual network. | +| [`name`](#parameter-name) | string | The managed private endpoint resource name. | +| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The ARM resource ID of the resource to which the managed private endpoint is created. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dataFactoryName` | string | The name of the parent data factory. Required if the template is used in a standalone deployment. | +| [`dataFactoryName`](#parameter-datafactoryname) | string | The name of the parent data factory. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `dataFactoryName` + +The name of the parent data factory. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `fqdns` + +Fully qualified domain names. +- Required: Yes +- Type: array + +### Parameter: `groupId` + +The groupId to which the managed private endpoint is created. +- Required: Yes +- Type: string + +### Parameter: `managedVirtualNetworkName` + +The name of the parent managed virtual network. +- Required: Yes +- Type: string + +### Parameter: `name` + +The managed private endpoint resource name. +- Required: Yes +- Type: string + +### Parameter: `privateLinkResourceId` + +The ARM resource ID of the resource to which the managed private endpoint is created. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed managed private endpoint. | | `resourceGroupName` | string | The resource group of the deployed managed private endpoint. | diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json index aa4a6643bf..96606099ca 100644 --- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json +++ b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17089196483393073819" + "version": "0.22.6.54827", + "templateHash": "1490870890954327678" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.",
diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep
index 218affe3d4..18be93ad16 100644
--- a/modules/data-protection/backup-vault/.test/common/main.test.bicep
+++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/data-protection/backup-vault/.test/min/main.test.bicep b/modules/data-protection/backup-vault/.test/min/main.test.bicep
index 8fdcfd95c0..e96ec60caf 100644
--- a/modules/data-protection/backup-vault/.test/min/main.test.bicep
+++ b/modules/data-protection/backup-vault/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md
index f0e7d4caee..bf67a3843d 100644
--- a/modules/data-protection/backup-vault/README.md
+++ b/modules/data-protection/backup-vault/README.md
@@ -5,10 +5,10 @@ This module deploys a Data Protection Backup Vault.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 ## Resource Types
@@ -20,61 +20,28 @@ This module deploys a Data Protection Backup Vault. | `Microsoft.DataProtection/backupVaults` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/backupVaults) | | `Microsoft.DataProtection/backupVaults/backupPolicies` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/backupVaults/backupPolicies) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Backup Vault. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `azureMonitorAlertSettingsAlertsForAllJobFailures` | string | `'Enabled'` | `[Disabled, Enabled]` | Settings for Azure Monitor based alerts for job failures. | -| `backupPolicies` | array | `[]` | | List of all backup policies. | -| `dataStoreType` | string | `'VaultStore'` | `[ArchiveStore, OperationalStore, VaultStore]` | The datastore type to use. ArchiveStore does not support ZoneRedundancy. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `featureSettings` | object | `{object}` | | Feature settings for the backup vault. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securitySettings` | object | `{object}` | | Security settings for the backup vault. 
| -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the Recovery Service Vault resource. | -| `type` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ZoneRedundant]` | The vault redundancy level to use. | - +## Usage examples -## Outputs +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the backup vault. | -| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | -| `resourceId` | string | The resource ID of the backup vault. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-protection.backup-vault:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module backupVault './data-protection/backup-vault/main.bicep' = { +module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dpbvcom' params: { // Required parameters @@ -282,14 +249,17 @@ module backupVault './data-protection/backup-vault/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module backupVault './data-protection/backup-vault/main.bicep' = { +module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dpbvmin' params: { // Required parameters @@ -328,6 +298,140 @@ module backupVault './data-protection/backup-vault/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Backup Vault. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`azureMonitorAlertSettingsAlertsForAllJobFailures`](#parameter-azuremonitoralertsettingsalertsforalljobfailures) | string | Settings for Azure Monitor based alerts for job failures. | +| [`backupPolicies`](#parameter-backuppolicies) | array | List of all backup policies. | +| [`dataStoreType`](#parameter-datastoretype) | string | The datastore type to use. ArchiveStore does not support ZoneRedundancy. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`featureSettings`](#parameter-featuresettings) | object | Feature settings for the backup vault. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | +| [`type`](#parameter-type) | string | The vault redundancy level to use. 
| + +### Parameter: `azureMonitorAlertSettingsAlertsForAllJobFailures` + +Settings for Azure Monitor based alerts for job failures. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `backupPolicies` + +List of all backup policies. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dataStoreType` + +The datastore type to use. ArchiveStore does not support ZoneRedundancy. +- Required: No +- Type: string +- Default: `'VaultStore'` +- Allowed: `[ArchiveStore, OperationalStore, VaultStore]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `featureSettings` + +Feature settings for the backup vault. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Backup Vault. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securitySettings` + +Security settings for the backup vault. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the Recovery Service Vault resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `type` + +The vault redundancy level to use. +- Required: No +- Type: string +- Default: `'GeoRedundant'` +- Allowed: `[GeoRedundant, LocallyRedundant, ZoneRedundant]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Name of the backup vault. | +| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | +| `resourceId` | string | The resource ID of the backup vault. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `backupPolicies` diff --git a/modules/data-protection/backup-vault/backup-policy/README.md b/modules/data-protection/backup-vault/backup-policy/README.md index dea9657139..169a76f3d5 100644 --- a/modules/data-protection/backup-vault/backup-policy/README.md +++ b/modules/data-protection/backup-vault/backup-policy/README.md 
@@ -20,22 +20,49 @@ This module deploys a Data Protection Backup Vault Backup Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `backupVaultName` | string | The name of the backup vault. | +| [`backupVaultName`](#parameter-backupvaultname) | string | The name of the backup vault. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'DefaultPolicy'` | The name of the backup policy. | -| `properties` | object | `{object}` | The properties of the backup policy. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the backup policy. | +| [`properties`](#parameter-properties) | object | The properties of the backup policy. | + +### Parameter: `backupVaultName` + +The name of the backup vault. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the backup policy. +- Required: No +- Type: string +- Default: `'DefaultPolicy'` + +### Parameter: `properties` + +The properties of the backup policy. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the backup policy. | | `resourceGroupName` | string | The name of the resource group the backup policy was created in. | 
diff --git a/modules/data-protection/backup-vault/backup-policy/main.json b/modules/data-protection/backup-vault/backup-policy/main.json index 259cf9ab04..9717619f41 100644 --- a/modules/data-protection/backup-vault/backup-policy/main.json +++ b/modules/data-protection/backup-vault/backup-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13351591046039775322" + "version": "0.22.6.54827", + "templateHash": "4068293382331739919" }, "name": "Data Protection Backup Vault Backup Policies", "description": "This module deploys a Data Protection Backup Vault Backup Policy.", diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 6f38347abd..0251fbd6b9 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9192043285599381556" + "version": "0.22.6.54827", + "templateHash": "758221244478675783" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", @@ -212,8 +212,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7012714576885585177" + "version": "0.22.6.54827", + "templateHash": "4068293382331739919" }, "name": "Data Protection Backup Vault Backup Policies", "description": "This module deploys a Data Protection Backup Vault Backup Policy.", @@ -333,8 +333,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5799522460784182968" + "version": "0.22.6.54827", + "templateHash": "14959625805292931026" } }, "parameters": { diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index e6854b68ae..81dfb69963 100644 
--- a/modules/databricks/access-connector/.test/common/main.test.bicep
+++ b/modules/databricks/access-connector/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/databricks/access-connector/.test/min/main.test.bicep b/modules/databricks/access-connector/.test/min/main.test.bicep
index 3a950aaa5f..1c8b923b29 100644
--- a/modules/databricks/access-connector/.test/min/main.test.bicep
+++ b/modules/databricks/access-connector/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md
index d530fdb979..75b28ed04e 100644
--- a/modules/databricks/access-connector/README.md
+++ b/modules/databricks/access-connector/README.md
@@ -5,10 +5,10 @@ This module deploys an Azure Databricks Access Connector.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -18,55 +18,28 @@ This module deploys an Azure Databricks Access Connector. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Databricks/accessConnectors` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Databricks/2022-10-01-preview/accessConnectors) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Azure Databricks access connector to create. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. 
| +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed access connector. | -| `resourceGroupName` | string | The resource group of the deployed access connector. | -| `resourceId` | string | The resource ID of the deployed access connector. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.access-connector:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module accessConnector './databricks/access-connector/main.bicep' = { +module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-daccom' params: { // Required parameters @@ -156,14 +129,17 @@ module accessConnector './databricks/access-connector/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module accessConnector './databricks/access-connector/main.bicep' = { +module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dacmin' params: { // Required parameters @@ -200,3 +176,94 @@ module accessConnector './databricks/access-connector/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Azure Databricks access connector to create. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Azure Databricks access connector to create. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed access connector. | +| `resourceGroupName` | string | The resource group of the deployed access connector. | +| `resourceId` | string | The resource ID of the deployed access connector. | + +## Cross-referenced modules + +_None_ diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index 0dff655dda..e7e834fff8 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18141386081798006601" + "version": "0.22.6.54827", + "templateHash": "8282781227910546878" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.",
@@ -149,8 +149,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8744521398620405286" + "version": "0.22.6.54827", + "templateHash": "9290418788736930611" } }, "parameters": {
diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep
index 9dbc424bf9..cd9bef2b09 100644
--- a/modules/databricks/workspace/.test/common/main.test.bicep
+++ b/modules/databricks/workspace/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/databricks/workspace/.test/min/main.test.bicep b/modules/databricks/workspace/.test/min/main.test.bicep
index 85cd2ef8dc..00e0a9cd89 100644
--- a/modules/databricks/workspace/.test/min/main.test.bicep
+++ b/modules/databricks/workspace/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index 064f045a46..79dd99e50c 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -4,14 +4,14 @@ This module deploys an Azure Databricks Workspace.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -22,94 +22,28 @@ This module deploys an Azure Databricks Workspace.
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Azure Databricks workspace to create. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `cMKManagedDisksKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
-| `cMKManagedServicesKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `amlWorkspaceResourceId` | string | `''` | | The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. |
-| `cMKManagedDisksKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKManagedDisksKeyRotationToLatestKeyVersionEnabled` | bool | `True` | | Enable Auto Rotation of Key. |
-| `cMKManagedDisksKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| `cMKManagedServicesKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
-| `cMKManagedServicesKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption.
If not provided, the latest key version is used. |
-| `customPrivateSubnetName` | string | `''` | | The name of the Private Subnet within the Virtual Network. |
-| `customPublicSubnetName` | string | `''` | | The name of a Public Subnet within the Virtual Network. |
-| `customVirtualNetworkResourceId` | string | `''` | | The resource ID of a Virtual Network where this Databricks Cluster should be created. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', accounts, allLogs, clusters, dbfs, instancePools, jobs, notebook, secrets, sqlPermissions, ssh, workspace]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `disablePublicIp` | bool | `False` | | Disable Public IP. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `loadBalancerBackendPoolName` | string | `''` | | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). |
-| `loadBalancerResourceId` | string | `''` | | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace.
|
-| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `managedResourceGroupResourceId` | string | `''` | | The managed resource group ID. It is created by the module as per the to-be resource ID you provide. |
-| `natGatewayName` | string | `''` | | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. |
-| `prepareEncryption` | bool | `False` | | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. |
-| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicIpName` | string | `''` | | Name of the Public IP for No Public IP workspace with managed vNet. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. |
-| `requiredNsgRules` | string | `'AllRules'` | `[AllRules, NoAzureDatabricksRules]` | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. |
-| `requireInfrastructureEncryption` | bool | `False` | | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
|
-| `skuName` | string | `'premium'` | `[premium, standard, trial]` | The pricing tier of workspace. |
-| `storageAccountName` | string | `''` | | Default DBFS storage account name. |
-| `storageAccountSkuName` | string | `'Standard_GRS'` | | Storage account SKU name. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `vnetAddressPrefix` | string | `'10.139'` | | Address prefix for Managed virtual network. |
-
-
 ## Outputs
+## Usage examples
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed databricks workspace. |
-| `resourceGroupName` | string | The resource group of the deployed databricks workspace. |
-| `resourceId` | string | The resource ID of the deployed databricks workspace. |
-
-## Cross-referenced modules
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-
-| Reference | Type |
-| :-- | :-- |
-| `network/private-endpoint` | Local reference |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.workspace:1.0.0`.
-
-## Deployment examples
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Using only defaults](#example-2-using-only-defaults)
-
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+### Example 1: _Using large parameter set_
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module
 ```bicep
-module workspace './databricks/workspace/main.bicep' = {
+module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-dwcom'
 params: {
 // Required parameters
@@ -341,14 +275,17 @@ module workspace './databricks/workspace/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module workspace './databricks/workspace/main.bicep' = {
+module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-dwmin'
 params: {
 // Required parameters
@@ -387,6 +324,349 @@ module workspace './databricks/workspace/main.bicep' = {

+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | The name of the Azure Databricks workspace to create. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cMKManagedDisksKeyVaultResourceId`](#parameter-cmkmanageddiskskeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| [`cMKManagedServicesKeyVaultResourceId`](#parameter-cmkmanagedserviceskeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`amlWorkspaceResourceId`](#parameter-amlworkspaceresourceid) | string | The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. |
+| [`cMKManagedDisksKeyName`](#parameter-cmkmanageddiskskeyname) | string | The name of the customer managed key to use for encryption. |
+| [`cMKManagedDisksKeyRotationToLatestKeyVersionEnabled`](#parameter-cmkmanageddiskskeyrotationtolatestkeyversionenabled) | bool | Enable Auto Rotation of Key. |
+| [`cMKManagedDisksKeyVersion`](#parameter-cmkmanageddiskskeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| [`cMKManagedServicesKeyName`](#parameter-cmkmanagedserviceskeyname) | string | The name of the customer managed key to use for encryption. |
+| [`cMKManagedServicesKeyVersion`](#parameter-cmkmanagedserviceskeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| [`customPrivateSubnetName`](#parameter-customprivatesubnetname) | string | The name of the Private Subnet within the Virtual Network.
|
+| [`customPublicSubnetName`](#parameter-custompublicsubnetname) | string | The name of a Public Subnet within the Virtual Network. |
+| [`customVirtualNetworkResourceId`](#parameter-customvirtualnetworkresourceid) | string | The resource ID of a Virtual Network where this Databricks Cluster should be created. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`disablePublicIp`](#parameter-disablepublicip) | bool | Disable Public IP. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`loadBalancerBackendPoolName`](#parameter-loadbalancerbackendpoolname) | string | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP).
|
+| [`loadBalancerResourceId`](#parameter-loadbalancerresourceid) | string | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. |
+| [`location`](#parameter-location) | string | Location for all Resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`managedResourceGroupResourceId`](#parameter-managedresourcegroupresourceid) | string | The managed resource group ID. It is created by the module as per the to-be resource ID you provide. |
+| [`natGatewayName`](#parameter-natgatewayname) | string | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. |
+| [`prepareEncryption`](#parameter-prepareencryption) | bool | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. |
+| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| [`publicIpName`](#parameter-publicipname) | string | Name of the Public IP for No Public IP workspace with managed vNet. |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. |
+| [`requiredNsgRules`](#parameter-requirednsgrules) | string | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. |
+| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`skuName`](#parameter-skuname) | string | The pricing tier of workspace. |
+| [`storageAccountName`](#parameter-storageaccountname) | string | Default DBFS storage account name. |
+| [`storageAccountSkuName`](#parameter-storageaccountskuname) | string | Storage account SKU name. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`vnetAddressPrefix`](#parameter-vnetaddressprefix) | string | Address prefix for Managed virtual network. |
+
+### Parameter: `amlWorkspaceResourceId`
+
+The resource ID of a Azure Machine Learning workspace to link with Databricks workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedDisksKeyName`
+
+The name of the customer managed key to use for encryption.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedDisksKeyRotationToLatestKeyVersionEnabled`
+
+Enable Auto Rotation of Key.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `cMKManagedDisksKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedDisksKeyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedServicesKeyName`
+
+The name of the customer managed key to use for encryption.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedServicesKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `cMKManagedServicesKeyVersion`
+
+The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `customPrivateSubnetName`
+
+The name of the Private Subnet within the Virtual Network.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `customPublicSubnetName`
+
+The name of a Public Subnet within the Virtual Network.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `customVirtualNetworkResourceId`
+
+The resource ID of a Virtual Network where this Databricks Cluster should be created.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', accounts, allLogs, clusters, dbfs, instancePools, jobs, notebook, secrets, sqlPermissions, ssh, workspace]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disablePublicIp`
+
+Disable Public IP.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `loadBalancerBackendPoolName`
+
+Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP).
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `loadBalancerResourceId`
+
+Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `managedResourceGroupResourceId`
+
+The managed resource group ID. It is created by the module as per the to-be resource ID you provide.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+The name of the Azure Databricks workspace to create.
+- Required: Yes
+- Type: string
+
+### Parameter: `natGatewayName`
+
+Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `prepareEncryption`
+
+Prepare the workspace for encryption. Enables the Managed Identity for managed storage account.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `privateEndpoints`
+
+Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicIpName`
+
+Name of the Public IP for No Public IP workspace with managed vNet.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `publicNetworkAccess`
+
+ The network access type for accessing workspace. Set value to disabled to access workspace only via private link.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `requiredNsgRules`
+
+Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint.
+- Required: No
+- Type: string
+- Default: `'AllRules'`
+- Allowed: `[AllRules, NoAzureDatabricksRules]`
+
+### Parameter: `requireInfrastructureEncryption`
+
+A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `skuName`
+
+The pricing tier of workspace.
+- Required: No
+- Type: string
+- Default: `'premium'`
+- Allowed: `[premium, standard, trial]`
+
+### Parameter: `storageAccountName`
+
+Default DBFS storage account name.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `storageAccountSkuName`
+
+Storage account SKU name.
+- Required: No
+- Type: string
+- Default: `'Standard_GRS'`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `vnetAddressPrefix`
+
+Address prefix for Managed virtual network.
+- Required: No
+- Type: string
+- Default: `'10.139'`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed databricks workspace. |
+| `resourceGroupName` | string | The resource group of the deployed databricks workspace. |
+| `resourceId` | string | The resource ID of the deployed databricks workspace. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
+
 ## Notes
 ### Parameter Usage: `customPublicSubnetName` and `customPrivateSubnetName`
diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json
index f9dd854434..c729c6ec4f 100644
--- a/modules/databricks/workspace/main.json
+++ b/modules/databricks/workspace/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4229571861676210045"
+ "version": "0.22.6.54827",
+ "templateHash": "11204795410714061974"
 },
 "name": "Azure Databricks Workspaces",
 "description": "This module deploys an Azure Databricks Workspace.",
@@ -423,8 +423,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6437441931020419683"
+ "version": "0.22.6.54827",
+ "templateHash": "3551736854871241675"
 }
 },
 "parameters": {
@@ -583,8 +583,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -783,8 +783,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -921,8 +921,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
diff --git a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep
index 49cc626f3d..61b5a01a27 100644
--- a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md
index 613aacfd8d..5b936154cd 100644
--- a/modules/db-for-my-sql/flexible-server/README.md
+++ b/modules/db-for-my-sql/flexible-server/README.md
@@ -5,10 +5,10 @@ This module deploys a DBforMySQL Flexible Server.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -22,97 +22,29 @@ This module deploys a DBforMySQL Flexible Server. | `Microsoft.DBforMySQL/flexibleServers/firewallRules` | [2022-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2022-01-01/flexibleServers/firewallRules) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | The name of the MySQL flexible server. | -| `skuName` | string | | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | -| `tier` | string | `[Burstable, GeneralPurpose, MemoryOptimized]` | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | +## Usage examples -**Conditional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | -| `geoBackupCMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | -| `geoBackupCMKUserAssignedIdentityResourceId` | string | `''` | | Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. 
Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | -| `privateDnsZoneResourceId` | string | `''` | | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. | -| `restorePointInTime` | string | `''` | | Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". | -| `sourceServerResourceId` | string | `''` | | The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". | -| `storageAutoGrow` | string | `'Disabled'` | `[Disabled, Enabled]` | Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `administratorLogin` | string | `''` | | The administrator login name of a server. Can only be specified when the MySQL server is being created. | -| `administratorLoginPassword` | securestring | `''` | | The administrator login password. | -| `administrators` | array | `[]` | | The Azure AD administrators when AAD authentication enabled. | -| `availabilityZone` | string | `''` | `['', 1, 2, 3]` | Availability zone information of the server. Default will have no preference set. | -| `backupRetentionDays` | int | `7` | | Backup retention days for the server. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. 
| -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `createMode` | string | `'Default'` | `[Default, GeoRestore, PointInTimeRestore, Replica]` | The mode to create a new MySQL server. | -| `databases` | array | `[]` | | The databases to create in the server. | -| `delegatedSubnetResourceId` | string | `''` | | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, MySqlAuditLogs, MySqlSlowLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `firewallRules` | array | `[]` | | The firewall rules to create in the MySQL flexible server. 
| -| `geoBackupCMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". | -| `geoBackupCMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". If not provided, the latest key version is used. | -| `geoRedundantBackup` | string | `'Disabled'` | `[Disabled, Enabled]` | A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. | -| `highAvailability` | string | `'Disabled'` | `[Disabled, SameZone, ZoneRedundant]` | The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maintenanceWindow` | object | `{object}` | | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | -| `replicationRole` | string | `'None'` | `[None, Replica, Source]` | The replication role. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". | -| `storageAutoIoScaling` | string | `'Disabled'` | `[Disabled, Enabled]` | Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. 
| -| `storageIOPS` | int | `1000` | | Storage IOPS for a server. Max IOPS are determined by compute size. | -| `storageSizeGB` | int | `64` | `[20, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` | Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `version` | string | `'5.7'` | `[5.7, 8.0.21]` | MySQL Server version. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed MySQL Flexible server. | -| `resourceGroupName` | string | The resource group of the deployed MySQL Flexible server. | -| `resourceId` | string | The resource ID of the deployed MySQL Flexible server. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/db-for-my-sql.flexible-server:1.0.0`. -## Deployment examples +- [Using only defaults](#example-1-using-only-defaults) +- [Private](#example-2-private) +- [Public](#example-3-public) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using only defaults_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with the minimum set of required parameters. -

Example 1: Min

via Bicep module ```bicep -module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfmsfsmin' params: { // Required parameters @@ -166,14 +98,14 @@ module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = {

-

Example 2: Private

+### Example 2: _Private_
via Bicep module ```bicep -module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfmsfspvt' params: { // Required parameters @@ -351,14 +283,14 @@ module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = {

-

Example 3: Public

+### Example 3: _Public_
via Bicep module ```bicep -module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfmsfsp' params: { // Required parameters @@ -595,3 +527,405 @@ module flexibleServer './db-for-my-sql/flexible-server/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the MySQL flexible server. | +| [`skuName`](#parameter-skuname) | string | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | +| [`tier`](#parameter-tier) | string | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | +| [`geoBackupCMKKeyVaultResourceId`](#parameter-geobackupcmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | +| [`geoBackupCMKUserAssignedIdentityResourceId`](#parameter-geobackupcmkuserassignedidentityresourceid) | string | Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | +| [`privateDnsZoneResourceId`](#parameter-privatednszoneresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". 
Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. | +| [`restorePointInTime`](#parameter-restorepointintime) | string | Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". | +| [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". | +| [`storageAutoGrow`](#parameter-storageautogrow) | string | Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the MySQL server is being created. | +| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | +| [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | +| [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | +| [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. 
| +| [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | +| [`databases`](#parameter-databases) | array | The databases to create in the server. | +| [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the MySQL flexible server. | +| [`geoBackupCMKKeyName`](#parameter-geobackupcmkkeyname) | string | The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". | +| [`geoBackupCMKKeyVersion`](#parameter-geobackupcmkkeyversion) | string | The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". If not provided, the latest key version is used. | +| [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. | +| [`highAvailability`](#parameter-highavailability) | string | The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | +| [`replicationRole`](#parameter-replicationrole) | string | The replication role. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". | +| [`storageAutoIoScaling`](#parameter-storageautoioscaling) | string | Enable IO Auto Scaling or not. 
The server scales IOPs up or down automatically depending on your workload needs. | +| [`storageIOPS`](#parameter-storageiops) | int | Storage IOPS for a server. Max IOPS are determined by compute size. | +| [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`version`](#parameter-version) | string | MySQL Server version. | + +### Parameter: `administratorLogin` + +The administrator login name of a server. Can only be specified when the MySQL server is being created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `administratorLoginPassword` + +The administrator login password. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `administrators` + +The Azure AD administrators when AAD authentication enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `availabilityZone` + +Availability zone information of the server. Default will have no preference set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', 1, 2, 3]` + +### Parameter: `backupRetentionDays` + +Backup retention days for the server. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `createMode` + +The mode to create a new MySQL server. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, GeoRestore, PointInTimeRestore, Replica]` + +### Parameter: `databases` + +The databases to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `delegatedSubnetResourceId` + +Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, MySqlAuditLogs, MySqlSlowLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. 
+- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `firewallRules` + +The firewall rules to create in the MySQL flexible server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `geoBackupCMKKeyName` + +The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `geoBackupCMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `geoBackupCMKKeyVersion` + +The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `geoBackupCMKUserAssignedIdentityResourceId` + +Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `geoRedundantBackup` + +A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `highAvailability` + +The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, SameZone, ZoneRedundant]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maintenanceWindow` + +Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the MySQL flexible server. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneResourceId` + +Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `replicationRole` + +The replication role. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[None, Replica, Source]` + +### Parameter: `restorePointInTime` + +Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. +- Required: Yes +- Type: string + +### Parameter: `sourceServerResourceId` + +The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageAutoGrow` + +Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `storageAutoIoScaling` + +Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `storageIOPS` + +Storage IOPS for a server. Max IOPS are determined by compute size. +- Required: No +- Type: int +- Default: `1000` + +### Parameter: `storageSizeGB` + +Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. +- Required: No +- Type: int +- Default: `64` +- Allowed: `[20, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tier` + +The tier of the particular SKU. 
Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". +- Required: Yes +- Type: string +- Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `version` + +MySQL Server version. +- Required: No +- Type: string +- Default: `'5.7'` +- Allowed: `[5.7, 8.0.21]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed MySQL Flexible server. | +| `resourceGroupName` | string | The resource group of the deployed MySQL Flexible server. | +| `resourceId` | string | The resource ID of the deployed MySQL Flexible server. | + +## Cross-referenced modules + +_None_ diff --git a/modules/db-for-my-sql/flexible-server/administrator/README.md b/modules/db-for-my-sql/flexible-server/administrator/README.md index fe8dbf343e..247e680d29 100644 --- a/modules/db-for-my-sql/flexible-server/administrator/README.md +++ b/modules/db-for-my-sql/flexible-server/administrator/README.md 
@@ -19,30 +19,75 @@ This module deploys a DBforMySQL Flexible Server Administrator. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `identityResourceId` | string | The resource ID of the identity used for AAD Authentication. | -| `login` | string | Login name of the server administrator. | -| `sid` | string | SID (object ID) of the server administrator. | +| [`identityResourceId`](#parameter-identityresourceid) | string | The resource ID of the identity used for AAD Authentication. | +| [`login`](#parameter-login) | string | Login name of the server administrator. | +| [`sid`](#parameter-sid) | string | SID (object ID) of the server administrator. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `tenantId` | string | `[tenant().tenantId]` | The tenantId of the Active Directory administrator. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. 
| + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flexibleServerName` + +The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `identityResourceId` + +The resource ID of the identity used for AAD Authentication. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `login` + +Login name of the server administrator. +- Required: Yes +- Type: string + +### Parameter: `sid` + +SID (object ID) of the server administrator. +- Required: Yes +- Type: string + +### Parameter: `tenantId` + +The tenantId of the Active Directory administrator. +- Required: No +- Type: string +- Default: `[tenant().tenantId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed administrator. | | `resourceGroupName` | string | The resource group of the deployed administrator. | diff --git a/modules/db-for-my-sql/flexible-server/administrator/main.json b/modules/db-for-my-sql/flexible-server/administrator/main.json index 926f61fac5..41ee008d22 100644 --- a/modules/db-for-my-sql/flexible-server/administrator/main.json +++ b/modules/db-for-my-sql/flexible-server/administrator/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6026324512499502510" + "version": "0.22.6.54827", + "templateHash": "16367563858411209197" }, "name": "DBforMySQL Flexible Server Administrators", "description": "This module deploys a DBforMySQL Flexible Server Administrator.", 
diff --git a/modules/db-for-my-sql/flexible-server/database/README.md b/modules/db-for-my-sql/flexible-server/database/README.md index f6394d9998..f2cced0ae4 100644 --- a/modules/db-for-my-sql/flexible-server/database/README.md +++ b/modules/db-for-my-sql/flexible-server/database/README.md 
@@ -19,29 +19,69 @@ This module deploys a DBforMySQL Flexible Server Database. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the database. | +| [`name`](#parameter-name) | string | The name of the database. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `charset` | string | `'utf8_general_ci'` | The charset of the database. | -| `collation` | string | `'utf8'` | The collation of the database. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`charset`](#parameter-charset) | string | The charset of the database. | +| [`collation`](#parameter-collation) | string | The collation of the database. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | + +### Parameter: `charset` + +The charset of the database. +- Required: No +- Type: string +- Default: `'utf8_general_ci'` + +### Parameter: `collation` + +The collation of the database. +- Required: No +- Type: string +- Default: `'utf8'` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flexibleServerName` + +The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the database. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed database. | | `resourceGroupName` | string | The resource group of the deployed database. | diff --git a/modules/db-for-my-sql/flexible-server/database/main.json b/modules/db-for-my-sql/flexible-server/database/main.json index a2fa950dd3..4a68e48562 100644 --- a/modules/db-for-my-sql/flexible-server/database/main.json +++ b/modules/db-for-my-sql/flexible-server/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12647720847614647024" + "version": "0.22.6.54827", + "templateHash": "16649222900362138505" }, "name": "DBforMySQL Flexible Server Databases", "description": "This module deploys a DBforMySQL Flexible Server Database.", diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md b/modules/db-for-my-sql/flexible-server/firewall-rule/README.md index 6c3b17dcdf..ee7be0779a 100644 --- a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md +++ b/modules/db-for-my-sql/flexible-server/firewall-rule/README.md 
@@ -19,28 +19,59 @@ This module deploys a DBforMySQL Flexible Server Firewall Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `endIpAddress` | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | -| `name` | string | The name of the MySQL flexible server Firewall Rule. | -| `startIpAddress` | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | +| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | +| [`name`](#parameter-name) | string | The name of the MySQL flexible server Firewall Rule. | +| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endIpAddress` + +The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. +- Required: Yes +- Type: string + +### Parameter: `flexibleServerName` + +The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the MySQL flexible server Firewall Rule. +- Required: Yes +- Type: string + +### Parameter: `startIpAddress` + +The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed firewall rule. | | `resourceGroupName` | string | The resource group of the deployed firewall rule. | diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json b/modules/db-for-my-sql/flexible-server/firewall-rule/main.json index c6c49e9e71..4b909f3882 100644 --- a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json +++ b/modules/db-for-my-sql/flexible-server/firewall-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5263296307327888660" + "version": "0.22.6.54827", + "templateHash": "12840531816938690352" }, "name": "DBforMySQL Flexible Server Firewall Rules", "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index c3f53162a6..da56c4087f 100644 --- a/modules/db-for-my-sql/flexible-server/main.json 
+++ b/modules/db-for-my-sql/flexible-server/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11042164284975783101" + "version": "0.22.6.54827", + "templateHash": "1515305312622683890" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -548,8 +548,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17154165990398141081" + "version": "0.22.6.54827", + "templateHash": "17516117596765839904" } }, "parameters": { @@ -695,8 +695,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17356615394418311167" + "version": "0.22.6.54827", + "templateHash": "16649222900362138505" }, "name": "DBforMySQL Flexible Server Databases", "description": "This module deploys a DBforMySQL Flexible Server Database.", @@ -834,8 +834,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10162316213188664200" + "version": "0.22.6.54827", + "templateHash": "12840531816938690352" }, "name": "DBforMySQL Flexible Server Firewall Rules", "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", @@ -962,8 +962,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6026324512499502510" + "version": "0.22.6.54827", + "templateHash": "16367563858411209197" }, "name": "DBforMySQL Flexible Server Administrators", "description": "This module deploys a DBforMySQL Flexible Server Administrator.", diff --git a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep index 788d7c3423..1386d47e69 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index bb12fbcf62..4895dea492 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -5,10 +5,10 @@ This module deploys a DBforPostgreSQL Flexible Server. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -23,93 +23,29 @@ This module deploys a DBforPostgreSQL Flexible Server. | `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules` | [2022-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforPostgreSQL/2022-12-01/flexibleServers/firewallRules) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | The name of the PostgreSQL flexible server. | -| `skuName` | string | | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | -| `tier` | string | `[Burstable, GeneralPurpose, MemoryOptimized]` | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. | -| `pointInTimeUTC` | string | `''` | Required if "createMode" is set to "PointInTimeRestore". | -| `sourceServerResourceId` | string | `''` | Required if "createMode" is set to "PointInTimeRestore". 
| -| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty. | - -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `activeDirectoryAuth` | string | `'Enabled'` | `[Disabled, Enabled]` | If Enabled, Azure Active Directory authentication is enabled. | -| `administratorLogin` | string | `''` | | The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. | -| `administratorLoginPassword` | securestring | `''` | | The administrator login password. | -| `administrators` | array | `[]` | | The Azure AD administrators when AAD authentication enabled. | -| `availabilityZone` | string | `''` | `['', 1, 2, 3]` | Availability zone information of the server. Default will have no preference set. | -| `backupRetentionDays` | int | `7` | | Backup retention days for the server. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `configurations` | array | `[]` | | The configurations to create in the server. | -| `createMode` | string | `'Default'` | `[Create, Default, PointInTimeRestore, Update]` | The mode to create a new PostgreSQL server. | -| `databases` | array | `[]` | | The databases to create in the server. | -| `delegatedSubnetResourceId` | string | `''` | | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. 
| -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, PostgreSQLFlexDatabaseXacts, PostgreSQLFlexQueryStoreRuntime, PostgreSQLFlexQueryStoreWaitStats, PostgreSQLFlexSessions, PostgreSQLFlexTableStats, PostgreSQLLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `firewallRules` | array | `[]` | | The firewall rules to create in the PostgreSQL flexible server. | -| `geoRedundantBackup` | string | `'Disabled'` | `[Disabled, Enabled]` | A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. | -| `highAvailability` | string | `'Disabled'` | `[Disabled, SameZone, ZoneRedundant]` | The mode for high availability. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `maintenanceWindow` | object | `{object}` | | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | -| `passwordAuth` | string | `'Disabled'` | `[Disabled, Enabled]` | If Enabled, password authentication is enabled. | -| `privateDnsZoneArmResourceId` | string | `''` | | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `storageSizeGB` | int | `32` | `[32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` | Max storage allowed for a server. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `tenantId` | string | `''` | | Tenant id of the server. | -| `version` | string | `'15'` | `[11, 12, 13, 14, 15]` | PostgreSQL Server version. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0`. +- [Using only defaults](#example-1-using-only-defaults) +- [Private](#example-2-private) +- [Public](#example-3-public) -## Outputs +### Example 1: _Using only defaults_ -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed PostgreSQL Flexible server. | -| `resourceGroupName` | string | The resource group of the deployed PostgreSQL Flexible server. 
| -| `resourceId` | string | The resource ID of the deployed PostgreSQL Flexible server. | +This instance deploys the module with the minimum set of required parameters. -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Min

via Bicep module ```bicep -module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfpsfsmin' params: { // Required parameters @@ -163,14 +99,14 @@ module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = {

-

Example 2: Private

+### Example 2: _Private_
via Bicep module ```bicep -module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfpsfspvt' params: { // Required parameters @@ -312,14 +248,14 @@ module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = {

-

Example 3: Public

+### Example 3: _Public_
via Bicep module ```bicep -module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = { +module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dfpsfsp' params: { // Required parameters @@ -530,3 +466,372 @@ module flexibleServer './db-for-postgre-sql/flexible-server/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the PostgreSQL flexible server. | +| [`skuName`](#parameter-skuname) | string | The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. | +| [`tier`](#parameter-tier) | string | The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. | +| [`pointInTimeUTC`](#parameter-pointintimeutc) | string | Required if "createMode" is set to "PointInTimeRestore". | +| [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | Required if "createMode" is set to "PointInTimeRestore". | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`activeDirectoryAuth`](#parameter-activedirectoryauth) | string | If Enabled, Azure Active Directory authentication is enabled. | +| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. 
| +| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | +| [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | +| [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | +| [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`configurations`](#parameter-configurations) | array | The configurations to create in the server. | +| [`createMode`](#parameter-createmode) | string | The mode to create a new PostgreSQL server. | +| [`databases`](#parameter-databases) | array | The databases to create in the server. | +| [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the PostgreSQL flexible server. | +| [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. | +| [`highAvailability`](#parameter-highavailability) | string | The mode for high availability. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | +| [`passwordAuth`](#parameter-passwordauth) | string | If Enabled, password authentication is enabled. | +| [`privateDnsZoneArmResourceId`](#parameter-privatednszonearmresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`tenantId`](#parameter-tenantid) | string | Tenant id of the server. | +| [`version`](#parameter-version) | string | PostgreSQL Server version. | + +### Parameter: `activeDirectoryAuth` + +If Enabled, Azure Active Directory authentication is enabled. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `administratorLogin` + +The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `administratorLoginPassword` + +The administrator login password. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `administrators` + +The Azure AD administrators when AAD authentication enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `availabilityZone` + +Availability zone information of the server. Default will have no preference set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', 1, 2, 3]` + +### Parameter: `backupRetentionDays` + +Backup retention days for the server. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `configurations` + +The configurations to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `createMode` + +The mode to create a new PostgreSQL server. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Create, Default, PointInTimeRestore, Update]` + +### Parameter: `databases` + +The databases to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `delegatedSubnetResourceId` + +Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, PostgreSQLFlexDatabaseXacts, PostgreSQLFlexQueryStoreRuntime, PostgreSQLFlexQueryStoreWaitStats, PostgreSQLFlexSessions, PostgreSQLFlexTableStats, PostgreSQLLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `firewallRules` + +The firewall rules to create in the PostgreSQL flexible server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `geoRedundantBackup` + +A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `highAvailability` + +The mode for high availability. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, SameZone, ZoneRedundant]` + +### Parameter: `location` + +Location for all resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maintenanceWindow` + +Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the PostgreSQL flexible server. +- Required: Yes +- Type: string + +### Parameter: `passwordAuth` + +If Enabled, password authentication is enabled. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `pointInTimeUTC` + +Required if "createMode" is set to "PointInTimeRestore". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `privateDnsZoneArmResourceId` + +Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. +- Required: Yes +- Type: string + +### Parameter: `sourceServerResourceId` + +Required if "createMode" is set to "PointInTimeRestore". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageSizeGB` + +Max storage allowed for a server. +- Required: No +- Type: int +- Default: `32` +- Allowed: `[32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tenantId` + +Tenant id of the server. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tier` + +The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". +- Required: Yes +- Type: string +- Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `version` + +PostgreSQL Server version. +- Required: No +- Type: string +- Default: `'15'` +- Allowed: `[11, 12, 13, 14, 15]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed PostgreSQL Flexible server. | +| `resourceGroupName` | string | The resource group of the deployed PostgreSQL Flexible server. | +| `resourceId` | string | The resource ID of the deployed PostgreSQL Flexible server. | + +## Cross-referenced modules + +_None_ diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/README.md b/modules/db-for-postgre-sql/flexible-server/administrator/README.md index 34cfa2b0b7..64e08316bd 100644 --- a/modules/db-for-postgre-sql/flexible-server/administrator/README.md +++ b/modules/db-for-postgre-sql/flexible-server/administrator/README.md 
@@ -19,30 +19,76 @@ This module deploys a DBforPostgreSQL Flexible Server Administrator. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `objectId` | string | | The objectId of the Active Directory administrator. | -| `principalName` | string | | Active Directory administrator principal name. | -| `principalType` | string | `[Group, ServicePrincipal, Unknown, User]` | The principal type used to represent the type of Active Directory Administrator. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`objectId`](#parameter-objectid) | string | The objectId of the Active Directory administrator. | +| [`principalName`](#parameter-principalname) | string | Active Directory administrator principal name. | +| [`principalType`](#parameter-principaltype) | string | The principal type used to represent the type of Active Directory Administrator. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `tenantId` | string | `[tenant().tenantId]` | The tenantId of the Active Directory administrator. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`location`](#parameter-location) | string | Location for all resources. | +| [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flexibleServerName` + +The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `objectId` + +The objectId of the Active Directory administrator. +- Required: Yes +- Type: string + +### Parameter: `principalName` + +Active Directory administrator principal name. +- Required: Yes +- Type: string + +### Parameter: `principalType` + +The principal type used to represent the type of Active Directory Administrator. +- Required: Yes +- Type: string +- Allowed: `[Group, ServicePrincipal, Unknown, User]` + +### Parameter: `tenantId` + +The tenantId of the Active Directory administrator. +- Required: No +- Type: string +- Default: `[tenant().tenantId]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed administrator. | | `resourceGroupName` | string | The resource group of the deployed administrator. | diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/main.json b/modules/db-for-postgre-sql/flexible-server/administrator/main.json index eb10947fcc..6ac911a9e5 100644 --- a/modules/db-for-postgre-sql/flexible-server/administrator/main.json +++ b/modules/db-for-postgre-sql/flexible-server/administrator/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14812998248518641282"
+ "version": "0.22.6.54827",
+ "templateHash": "3514176123135146796"
 },
 "name": "DBforPostgreSQL Flexible Server Administrators",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.",
diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/README.md b/modules/db-for-postgre-sql/flexible-server/configuration/README.md
index 5a98fdc548..d156b0635a 100644
--- a/modules/db-for-postgre-sql/flexible-server/configuration/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/configuration/README.md
@@ -19,29 +19,69 @@ This module deploys a DBforPostgreSQL Flexible Server Configuration. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the configuration. | +| [`name`](#parameter-name) | string | The name of the configuration. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `source` | string | `''` | Source of the configuration. | -| `value` | string | `''` | Value of the configuration. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`source`](#parameter-source) | string | Source of the configuration. | +| [`value`](#parameter-value) | string | Value of the configuration. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flexibleServerName` + +The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the configuration. +- Required: Yes +- Type: string + +### Parameter: `source` + +Source of the configuration. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `value` + +Value of the configuration. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed configuration. | | `resourceGroupName` | string | The resource group of the deployed configuration. | diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/main.json b/modules/db-for-postgre-sql/flexible-server/configuration/main.json index 92aa1e45be..54b8e1f4b7 100644 --- a/modules/db-for-postgre-sql/flexible-server/configuration/main.json +++ b/modules/db-for-postgre-sql/flexible-server/configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5586008567080780040" + "version": "0.22.6.54827", + "templateHash": "12961146168624492771" }, "name": "DBforPostgreSQL Flexible Server Configurations", "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.", diff --git a/modules/db-for-postgre-sql/flexible-server/database/README.md b/modules/db-for-postgre-sql/flexible-server/database/README.md index 700caebc88..57ba0b45a5 100644 --- a/modules/db-for-postgre-sql/flexible-server/database/README.md +++ b/modules/db-for-postgre-sql/flexible-server/database/README.md 
@@ -19,29 +19,69 @@ This module deploys a DBforPostgreSQL Flexible Server Database. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the database. | +| [`name`](#parameter-name) | string | The name of the database. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `charset` | string | `''` | The charset of the database. | -| `collation` | string | `''` | The collation of the database. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`charset`](#parameter-charset) | string | The charset of the database. | +| [`collation`](#parameter-collation) | string | The collation of the database. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | + +### Parameter: `charset` + +The charset of the database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `collation` + +The collation of the database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flexibleServerName` + +The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the database. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed database. | | `resourceGroupName` | string | The resource group of the deployed database. | diff --git a/modules/db-for-postgre-sql/flexible-server/database/main.json b/modules/db-for-postgre-sql/flexible-server/database/main.json index 0b0f806020..bc43485c4f 100644 --- a/modules/db-for-postgre-sql/flexible-server/database/main.json +++ b/modules/db-for-postgre-sql/flexible-server/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7432917940199201712" + "version": "0.22.6.54827", + "templateHash": "15866259518448635553" }, "name": "DBforPostgreSQL Flexible Server Databases", "description": "This module deploys a DBforPostgreSQL Flexible Server Database.", diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md b/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md index d4f092e9f6..de0f21fadf 100644 --- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md +++ b/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md 
@@ -19,28 +19,59 @@ This module deploys a DBforPostgreSQL Flexible Server Firewall Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `endIpAddress` | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | -| `name` | string | The name of the PostgreSQL flexible server Firewall Rule. | -| `startIpAddress` | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | +| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | +| [`name`](#parameter-name) | string | The name of the PostgreSQL flexible server Firewall Rule. | +| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `flexibleServerName` | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | +| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endIpAddress` + +The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. +- Required: Yes +- Type: string + +### Parameter: `flexibleServerName` + +The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the PostgreSQL flexible server Firewall Rule. +- Required: Yes +- Type: string + +### Parameter: `startIpAddress` + +The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed firewall rule. | | `resourceGroupName` | string | The resource group of the deployed firewall rule. | diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json index 19cc04b358..79c31b0bfb 100644 --- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json +++ b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3071080362723739241"
+ "version": "0.22.6.54827",
+ "templateHash": "13418631602887252631"
 },
 "name": "DBforPostgreSQL Flexible Server Firewall Rules",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.",
diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json
index 316363a8c8..e737116aa5 100644
--- a/modules/db-for-postgre-sql/flexible-server/main.json
+++ b/modules/db-for-postgre-sql/flexible-server/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16240139018001575474"
+ "version": "0.22.6.54827",
+ "templateHash": "2675797994216094359"
 },
 "name": "DBforPostgreSQL Flexible Servers",
 "description": "This module deploys a DBforPostgreSQL Flexible Server.",
@@ -521,8 +521,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4898014763123062752"
+ "version": "0.22.6.54827",
+ "templateHash": "6100419547048418453"
 }
 },
 "parameters": {
@@ -667,8 +667,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16660732763595780206"
+ "version": "0.22.6.54827",
+ "templateHash": "15866259518448635553"
 },
 "name": "DBforPostgreSQL Flexible Server Databases",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Database.",
@@ -806,8 +806,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7935033505380784919"
+ "version": "0.22.6.54827",
+ "templateHash": "13418631602887252631"
 },
 "name": "DBforPostgreSQL Flexible Server Firewall Rules",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.",
@@ -904,7 +904,9 @@
 {
 "copy": {
 "name": "flexibleServer_configurations",
- "count": "[length(parameters('configurations'))]"
+ "count": "[length(parameters('configurations'))]",
+ "mode": "serial",
+ "batchSize": 1
 },
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
@@ -933,8 +935,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10954863077388190830"
+ "version": "0.22.6.54827",
+ "templateHash": "12961146168624492771"
 },
 "name": "DBforPostgreSQL Flexible Server Configurations",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.",
@@ -1071,8 +1073,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14812998248518641282"
+ "version": "0.22.6.54827",
+ "templateHash": "3514176123135146796"
 },
 "name": "DBforPostgreSQL Flexible Server Administrators",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.",
diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep
index 959990ac7c..673b79551f 100644
--- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep b/modules/desktop-virtualization/application-group/.test/min/main.test.bicep
index e5a99a1d1e..8dae8dc2d4 100644
--- a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md
index 696349103d..9738f61981 100644
--- a/modules/desktop-virtualization/application-group/README.md
+++ b/modules/desktop-virtualization/application-group/README.md
@@ -4,13 +4,13 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -20,64 +20,28 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group. | `Microsoft.DesktopVirtualization/applicationGroups/applications` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/applicationGroups/applications) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `applicationGroupType` | string | `[Desktop, RemoteApp]` | The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. | -| `hostpoolName` | string | | Name of the Host Pool to be linked to this Application Group. | -| `name` | string | | Name of the Application Group to create this application in. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `applications` | array | `[]` | | List of applications to be created in the Application Group. | -| `description` | string | `''` | | The description of the Application Group to be created. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Checkpoint, Error, Management]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of log analytics. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `friendlyName` | string | `''` | | The friendly name of the Application Group to be created. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD application group. | -| `resourceGroupName` | string | The resource group the AVD application group was deployed into. | -| `resourceId` | string | The resource ID of the AVD application group. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.application-group:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module applicationGroup './desktop-virtualization/application-group/main.bicep' = { +module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvagcom' params: { // Required parameters @@ -225,14 +189,17 @@ module applicationGroup './desktop-virtualization/application-group/main.bicep'

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module applicationGroup './desktop-virtualization/application-group/main.bicep' = { +module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvagmin' params: { // Required parameters @@ -277,3 +244,166 @@ module applicationGroup './desktop-virtualization/application-group/main.bicep'

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationGroupType`](#parameter-applicationgrouptype) | string | The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. | +| [`hostpoolName`](#parameter-hostpoolname) | string | Name of the Host Pool to be linked to this Application Group. | +| [`name`](#parameter-name) | string | Name of the Application Group to create this application in. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applications`](#parameter-applications) | array | List of applications to be created in the Application Group. | +| [`description`](#parameter-description) | string | The description of the Application Group to be created. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Application Group to be created. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `applicationGroupType` + +The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. +- Required: Yes +- Type: string +- Allowed: `[Desktop, RemoteApp]` + +### Parameter: `applications` + +List of applications to be created in the Application Group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +The description of the Application Group to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Checkpoint, Error, Management]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of log analytics. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `friendlyName` + +The friendly name of the Application Group to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `hostpoolName` + +Name of the Host Pool to be linked to this Application Group. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Application Group to create this application in. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the AVD application group. | +| `resourceGroupName` | string | The resource group the AVD application group was deployed into. | +| `resourceId` | string | The resource ID of the AVD application group. | + +## Cross-referenced modules + +_None_ diff --git a/modules/desktop-virtualization/application-group/application/README.md b/modules/desktop-virtualization/application-group/application/README.md index 7d87db5d0c..cc46be1fbe 100644 --- a/modules/desktop-virtualization/application-group/application/README.md +++ b/modules/desktop-virtualization/application-group/application/README.md @@ -4,12 +4,12 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group Application ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,34 +19,108 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group Application **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `filePath` | string | Specifies a path for the executable file for the application. | -| `friendlyName` | string | Friendly name of Application.. | -| `name` | string | Name of the Application to be created in the Application Group. | +| [`filePath`](#parameter-filepath) | string | Specifies a path for the executable file for the application. | +| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of Application.. | +| [`name`](#parameter-name) | string | Name of the Application to be created in the Application Group. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appGroupName` | string | The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. | +| [`appGroupName`](#parameter-appgroupname) | string | The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `commandLineArguments` | string | `''` | | Command-Line Arguments for Application. | -| `commandLineSetting` | string | `'DoNotAllow'` | `[Allow, DoNotAllow, Require]` | Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. | -| `description` | string | `''` | | Description of Application.. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `iconIndex` | int | `0` | | Index of the icon. 
| -| `iconPath` | string | `''` | | Path to icon. | -| `showInPortal` | bool | `False` | | Specifies whether to show the RemoteApp program in the RD Web Access server. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`commandLineArguments`](#parameter-commandlinearguments) | string | Command-Line Arguments for Application. | +| [`commandLineSetting`](#parameter-commandlinesetting) | string | Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. | +| [`description`](#parameter-description) | string | Description of Application.. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`iconIndex`](#parameter-iconindex) | int | Index of the icon. | +| [`iconPath`](#parameter-iconpath) | string | Path to icon. | +| [`showInPortal`](#parameter-showinportal) | bool | Specifies whether to show the RemoteApp program in the RD Web Access server. | + +### Parameter: `appGroupName` + +The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `commandLineArguments` + +Command-Line Arguments for Application. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `commandLineSetting` + +Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. +- Required: No +- Type: string +- Default: `'DoNotAllow'` +- Allowed: `[Allow, DoNotAllow, Require]` + +### Parameter: `description` + +Description of Application.. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `filePath` + +Specifies a path for the executable file for the application. +- Required: Yes +- Type: string + +### Parameter: `friendlyName` + +Friendly name of Application.. +- Required: Yes +- Type: string + +### Parameter: `iconIndex` + +Index of the icon. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `iconPath` + +Path to icon. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +Name of the Application to be created in the Application Group. +- Required: Yes +- Type: string + +### Parameter: `showInPortal` + +Specifies whether to show the RemoteApp program in the RD Web Access server. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The Name of the Application Group to register the Application in. | | `resourceGroupName` | string | The name of the Resource Group the AVD Application was created in. | diff --git a/modules/desktop-virtualization/application-group/application/main.json b/modules/desktop-virtualization/application-group/application/main.json index 2621a89ffe..70e339a8b2 100644 --- a/modules/desktop-virtualization/application-group/application/main.json +++ b/modules/desktop-virtualization/application-group/application/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7619639220591936340" + "version": "0.22.6.54827", + "templateHash": "10616827856455579307" }, "name": "Azure Virtual Desktop (AVD) Application Group Applications", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.", diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index 351595b955..a84976fdda 100644 
--- a/modules/desktop-virtualization/application-group/main.json
+++ b/modules/desktop-virtualization/application-group/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6445435320297948317"
+ "version": "0.22.6.54827",
+ "templateHash": "8705022781837382520"
 },
 "name": "Azure Virtual Desktop (AVD) Application Groups",
 "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.",
@@ -261,8 +261,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "110356307048121387"
+ "version": "0.22.6.54827",
+ "templateHash": "10616827856455579307"
 },
 "name": "Azure Virtual Desktop (AVD) Application Group Applications",
 "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.",
@@ -442,8 +442,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9771114878684828045"
+ "version": "0.22.6.54827",
+ "templateHash": "16875966944342044136"
 }
 },
 "parameters": {
diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
index 6f581c0315..ae07838fee 100644
--- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
index 9a7bbfd580..7691ccaa51 100644
--- a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md
index 9d96667dba..aeced854d6 100644
--- a/modules/desktop-virtualization/host-pool/README.md
+++ b/modules/desktop-virtualization/host-pool/README.md
@@ -4,13 +4,13 @@ This module deploys an Azure Virtual Desktop (AVD) Host Pool.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -19,90 +19,28 @@ This module deploys an Azure Virtual Desktop (AVD) Host Pool. | `Microsoft.DesktopVirtualization/hostPools` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/hostPools) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Host Pool. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `agentUpdate` | object | `{object}` | | The session host configuration for updating agent, monitoring agent, and stack component. | -| `agentUpdateMaintenanceWindowDayOfWeek` | string | `'Sunday'` | `[Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday]` | Update day for scheduled agent updates. | -| `agentUpdateMaintenanceWindowHour` | int | `22` | | Update hour for scheduled agent updates. | -| `agentUpdateMaintenanceWindows` | array | `[System.Management.Automation.OrderedHashtable]` | | List of maintenance windows for scheduled agent updates. | -| `agentUpdateMaintenanceWindowTimeZone` | string | `'Central Standard Time'` | | Time zone for scheduled agent updates. | -| `agentUpdateType` | string | `'Default'` | `[Default, Scheduled]` | Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. | -| `agentUpdateUseSessionHostLocalTime` | bool | `False` | | Whether to use localTime of the virtual machine for scheduled agent updates. | -| `customRdpProperty` | string | `'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'` | | Host Pool RDP properties. 
| -| `description` | string | `''` | | The description of the Host Pool to be created. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', AgentHealthStatus, allLogs, Checkpoint, Connection, Error, HostRegistration, Management]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `friendlyName` | string | `''` | | The friendly name of the Host Pool to be created. | -| `loadBalancerType` | string | `'BreadthFirst'` | `[BreadthFirst, DepthFirst, Persistent]` | Type of load balancer algorithm. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxSessionLimit` | int | `99999` | | Maximum number of sessions. | -| `personalDesktopAssignmentType` | string | `''` | `['', Automatic, Direct]` | Set the type of assignment for a Personal Host Pool type. 
| -| `preferredAppGroupType` | string | `'Desktop'` | `[Desktop, None, RailApplications]` | The type of preferred application group type, default to Desktop Application Group. | -| `ring` | int | `-1` | | The ring number of HostPool. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ssoadfsAuthority` | string | `''` | | URL to customer ADFS server for signing WVD SSO certificates. | -| `ssoClientId` | string | `''` | | ClientId for the registered Relying Party used to issue WVD SSO certificates. | -| `ssoClientSecretKeyVaultPath` | string | `''` | | Path to Azure KeyVault storing the secret used for communication to ADFS. | -| `ssoSecretType` | string | `''` | `['', Certificate, CertificateInKeyVault, SharedKey, SharedKeyInKeyVault]` | The type of single sign on Secret Type. | -| `startVMOnConnect` | bool | `False` | | Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `tokenValidityLength` | string | `'PT8H'` | | Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | -| `type` | string | `'Pooled'` | `[Personal, Pooled]` | Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | -| `validationEnvironment` | bool | `False` | | Validation host pools allows you to test service changes before they are deployed to production. 
When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. | -| `vmTemplate` | object | `{object}` | | The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. | +## Usage examples -**Generated parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD host pool. | -| `resourceGroupName` | string | The resource group the AVD host pool was deployed into. | -| `resourceId` | string | The resource ID of the AVD host pool. | -| `tokenExpirationTime` | string | The expiration time for the registration token. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.host-pool:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. 
- >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module hostPool './desktop-virtualization/host-pool/main.bicep' = { +module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvhpcom' params: { // Required parameters @@ -292,14 +230,17 @@ module hostPool './desktop-virtualization/host-pool/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module hostPool './desktop-virtualization/host-pool/main.bicep' = { +module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvhpmin' params: { // Required parameters @@ -336,3 +277,340 @@ module hostPool './desktop-virtualization/host-pool/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Host Pool. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`agentUpdate`](#parameter-agentupdate) | object | The session host configuration for updating agent, monitoring agent, and stack component. | +| [`agentUpdateMaintenanceWindowDayOfWeek`](#parameter-agentupdatemaintenancewindowdayofweek) | string | Update day for scheduled agent updates. | +| [`agentUpdateMaintenanceWindowHour`](#parameter-agentupdatemaintenancewindowhour) | int | Update hour for scheduled agent updates. | +| [`agentUpdateMaintenanceWindows`](#parameter-agentupdatemaintenancewindows) | array | List of maintenance windows for scheduled agent updates. | +| [`agentUpdateMaintenanceWindowTimeZone`](#parameter-agentupdatemaintenancewindowtimezone) | string | Time zone for scheduled agent updates. | +| [`agentUpdateType`](#parameter-agentupdatetype) | string | Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. | +| [`agentUpdateUseSessionHostLocalTime`](#parameter-agentupdateusesessionhostlocaltime) | bool | Whether to use localTime of the virtual machine for scheduled agent updates. | +| [`customRdpProperty`](#parameter-customrdpproperty) | string | Host Pool RDP properties. | +| [`description`](#parameter-description) | string | The description of the Host Pool to be created. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Host Pool to be created. | +| [`loadBalancerType`](#parameter-loadbalancertype) | string | Type of load balancer algorithm. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxSessionLimit`](#parameter-maxsessionlimit) | int | Maximum number of sessions. | +| [`personalDesktopAssignmentType`](#parameter-personaldesktopassignmenttype) | string | Set the type of assignment for a Personal Host Pool type. | +| [`preferredAppGroupType`](#parameter-preferredappgrouptype) | string | The type of preferred application group type, default to Desktop Application Group. | +| [`ring`](#parameter-ring) | int | The ring number of HostPool. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ssoadfsAuthority`](#parameter-ssoadfsauthority) | string | URL to customer ADFS server for signing WVD SSO certificates. | +| [`ssoClientId`](#parameter-ssoclientid) | string | ClientId for the registered Relying Party used to issue WVD SSO certificates. | +| [`ssoClientSecretKeyVaultPath`](#parameter-ssoclientsecretkeyvaultpath) | string | Path to Azure KeyVault storing the secret used for communication to ADFS. | +| [`ssoSecretType`](#parameter-ssosecrettype) | string | The type of single sign on Secret Type. | +| [`startVMOnConnect`](#parameter-startvmonconnect) | bool | Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`tokenValidityLength`](#parameter-tokenvaliditylength) | string | Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | +| [`type`](#parameter-type) | string | Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | +| [`validationEnvironment`](#parameter-validationenvironment) | bool | Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. | +| [`vmTemplate`](#parameter-vmtemplate) | object | The necessary information for adding more VMs to this Host Pool. 
The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. | + +**Generated parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | + +### Parameter: `agentUpdate` + +The session host configuration for updating agent, monitoring agent, and stack component. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `agentUpdateMaintenanceWindowDayOfWeek` + +Update day for scheduled agent updates. +- Required: No +- Type: string +- Default: `'Sunday'` +- Allowed: `[Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday]` + +### Parameter: `agentUpdateMaintenanceWindowHour` + +Update hour for scheduled agent updates. +- Required: No +- Type: int +- Default: `22` + +### Parameter: `agentUpdateMaintenanceWindows` + +List of maintenance windows for scheduled agent updates. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `agentUpdateMaintenanceWindowTimeZone` + +Time zone for scheduled agent updates. +- Required: No +- Type: string +- Default: `'Central Standard Time'` + +### Parameter: `agentUpdateType` + +Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, Scheduled]` + +### Parameter: `agentUpdateUseSessionHostLocalTime` + +Whether to use localTime of the virtual machine for scheduled agent updates. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a registration token. +- Required: No +- Type: string +- Default: `[utcNow('u')]` + +### Parameter: `customRdpProperty` + +Host Pool RDP properties. 
+- Required: No +- Type: string +- Default: `'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'` + +### Parameter: `description` + +The description of the Host Pool to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', AgentHealthStatus, allLogs, Checkpoint, Connection, Error, HostRegistration, Management]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `friendlyName` + +The friendly name of the Host Pool to be created. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `loadBalancerType` + +Type of load balancer algorithm. +- Required: No +- Type: string +- Default: `'BreadthFirst'` +- Allowed: `[BreadthFirst, DepthFirst, Persistent]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maxSessionLimit` + +Maximum number of sessions. +- Required: No +- Type: int +- Default: `99999` + +### Parameter: `name` + +Name of the Host Pool. +- Required: Yes +- Type: string + +### Parameter: `personalDesktopAssignmentType` + +Set the type of assignment for a Personal Host Pool type. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Automatic, Direct]` + +### Parameter: `preferredAppGroupType` + +The type of preferred application group type, default to Desktop Application Group. +- Required: No +- Type: string +- Default: `'Desktop'` +- Allowed: `[Desktop, None, RailApplications]` + +### Parameter: `ring` + +The ring number of HostPool. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ssoadfsAuthority` + +URL to customer ADFS server for signing WVD SSO certificates. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ssoClientId` + +ClientId for the registered Relying Party used to issue WVD SSO certificates. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `ssoClientSecretKeyVaultPath` + +Path to Azure KeyVault storing the secret used for communication to ADFS. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ssoSecretType` + +The type of single sign on Secret Type. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Certificate, CertificateInKeyVault, SharedKey, SharedKeyInKeyVault]` + +### Parameter: `startVMOnConnect` + +Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tokenValidityLength` + +Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. +- Required: No +- Type: string +- Default: `'PT8H'` + +### Parameter: `type` + +Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. +- Required: No +- Type: string +- Default: `'Pooled'` +- Allowed: `[Personal, Pooled]` + +### Parameter: `validationEnvironment` + +Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `vmTemplate` + +The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. 
+- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the AVD host pool. | +| `resourceGroupName` | string | The resource group the AVD host pool was deployed into. | +| `resourceId` | string | The resource ID of the AVD host pool. | +| `tokenExpirationTime` | string | The expiration time for the registration token. | + +## Cross-referenced modules + +_None_ diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep index 5423566864..b346cfc8ad 100644 --- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep index d2476d9b7b..9eac3af179 100644 --- a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 3476b8e9f1..bc75544c2e 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md 
@@ -5,10 +5,10 @@ This module deploys an Azure Virtual Desktop (AVD) Scaling Plan. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,64 +18,28 @@ This module deploys an Azure Virtual Desktop (AVD) Scaling Plan. | `Microsoft.DesktopVirtualization/scalingPlans` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/scalingPlans) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the scaling plan. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `[parameters('name')]` | | Description of the scaling plan. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Autoscale]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exclusionTag` | string | `''` | | Provide a tag to be used for hosts that should not be affected by the scaling plan. | -| `friendlyName` | string | `[parameters('name')]` | | Friendly Name of the scaling plan. 
| -| `hostPoolReferences` | array | `[]` | | An array of references to hostpools. | -| `hostPoolType` | string | `'Pooled'` | `[Pooled]` | The type of hostpool where this scaling plan should be applied. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `schedules` | array | `[System.Management.Automation.OrderedHashtable]` | | The schedules related to this scaling plan. If no value is provided a default schedule will be provided. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `timeZone` | string | `'W. Europe Standard Time'` | | Timezone to be used for the scaling plan. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD scaling plan. | -| `resourceGroupName` | string | The resource group the AVD scaling plan was deployed into. | -| `resourceId` | string | The resource ID of the AVD scaling plan. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0`. 
-## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = { +module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvspcom' params: { // Required parameters @@ -255,14 +219,17 @@ module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = { +module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvspmin' params: { // Required parameters @@ -299,3 +266,167 @@ module scalingPlan './desktop-virtualization/scaling-plan/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the scaling plan. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | Description of the scaling plan. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`exclusionTag`](#parameter-exclusiontag) | string | Provide a tag to be used for hosts that should not be affected by the scaling plan. | +| [`friendlyName`](#parameter-friendlyname) | string | Friendly Name of the scaling plan. | +| [`hostPoolReferences`](#parameter-hostpoolreferences) | array | An array of references to hostpools. | +| [`hostPoolType`](#parameter-hostpooltype) | string | The type of hostpool where this scaling plan should be applied. | +| [`location`](#parameter-location) | string | Location for all resources. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`schedules`](#parameter-schedules) | array | The schedules related to this scaling plan. If no value is provided a default schedule will be provided. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`timeZone`](#parameter-timezone) | string | Timezone to be used for the scaling plan. | + +### Parameter: `description` + +Description of the scaling plan. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Autoscale]` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exclusionTag` + +Provide a tag to be used for hosts that should not be affected by the scaling plan. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `friendlyName` + +Friendly Name of the scaling plan. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `hostPoolReferences` + +An array of references to hostpools. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `hostPoolType` + +The type of hostpool where this scaling plan should be applied. +- Required: No +- Type: string +- Default: `'Pooled'` +- Allowed: `[Pooled]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the scaling plan. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `schedules` + +The schedules related to this scaling plan. If no value is provided a default schedule will be provided. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `timeZone` + +Timezone to be used for the scaling plan. +- Required: No +- Type: string +- Default: `'W. 
Europe Standard Time'` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the AVD scaling plan. | +| `resourceGroupName` | string | The resource group the AVD scaling plan was deployed into. | +| `resourceId` | string | The resource ID of the AVD scaling plan. | + +## Cross-referenced modules + +_None_ diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep index 6a603dc442..d98e112b0f 100644 --- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep b/modules/desktop-virtualization/workspace/.test/min/main.test.bicep index 845f5ef455..78df110582 100644 --- a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 6512110609..176ee1f214 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md 
@@ -4,13 +4,13 @@ This module deploys an Azure Virtual Desktop (AVD) Workspace. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,62 +19,28 @@ This module deploys an Azure Virtual Desktop (AVD) Workspace. | `Microsoft.DesktopVirtualization/workspaces` | [2022-09-09](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DesktopVirtualization/2022-09-09/workspaces) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the workspace to be attach to new Application Group. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.workspace:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appGroupResourceIds` | array | `[]` | | Resource IDs for the existing Application groups this workspace will group together. | -| `description` | string | `''` | | The description of the Workspace to be created. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Checkpoint, Error, Feed, Management]` | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `friendlyName` | string | `''` | | The friendly name of the Workspace to be created. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the AVD workspace. | -| `resourceGroupName` | string | The resource group the AVD workspace was deployed into. | -| `resourceId` | string | The resource ID of the AVD workspace. 
| - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module workspace './desktop-virtualization/workspace/main.bicep' = { +module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvwcom' params: { // Required parameters @@ -184,14 +150,17 @@ module workspace './desktop-virtualization/workspace/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module workspace './desktop-virtualization/workspace/main.bicep' = { +module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dvwmin' params: { // Required parameters @@ -228,3 +197,151 @@ module workspace './desktop-virtualization/workspace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the workspace to be attach to new Application Group. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appGroupResourceIds`](#parameter-appgroupresourceids) | array | Resource IDs for the existing Application groups this workspace will group together. | +| [`description`](#parameter-description) | string | The description of the Workspace to be created. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Workspace to be created. 
| +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `appGroupResourceIds` + +Resource IDs for the existing Application groups this workspace will group together. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +The description of the Workspace to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Checkpoint, Error, Feed, Management]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `friendlyName` + +The friendly name of the Workspace to be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the workspace to be attach to new Application Group. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the AVD workspace. | +| `resourceGroupName` | string | The resource group the AVD workspace was deployed into. | +| `resourceId` | string | The resource ID of the AVD workspace. 
| + +## Cross-referenced modules + +_None_ diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index 6c0aa6b332..b96c1b5e6c 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10679736874154725054" + "version": "0.22.6.54827", + "templateHash": "8129248040868416848" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", @@ -237,8 +237,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12071774351316031070" + "version": "0.22.6.54827", + "templateHash": "10387281728055526723" } }, "parameters": { diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep index 2f0565eb03..c63a75d0ae 100644 --- a/modules/dev-test-lab/lab/.test/common/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/dev-test-lab/lab/.test/min/main.test.bicep b/modules/dev-test-lab/lab/.test/min/main.test.bicep index 70e5d551d1..7989d9f4d2 100644 --- a/modules/dev-test-lab/lab/.test/min/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index 9b21814ef3..03bc402078 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -5,10 +5,10 @@ This module deploys a DevTest Lab. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -24,83 +24,28 @@ This module deploys a DevTest Lab. | `Microsoft.DevTestLab/labs/schedules` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/schedules) | | `Microsoft.DevTestLab/labs/virtualnetworks` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/labs/virtualnetworks) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the lab. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `encryptionDiskEncryptionSetId` | string | `''` | The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". | -| `notificationchannels` | array | `[]` | Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `announcement` | object | `{object}` | | The properties of any lab announcement associated with this lab. | -| `artifactsources` | array | `[]` | | Artifact sources to create for the lab. | -| `artifactsStorageAccount` | string | `''` | | The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. | -| `browserConnect` | string | `'Disabled'` | `[Disabled, Enabled]` | Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. | -| `costs` | object | `{object}` | | Costs to create for the lab. 
| -| `disableAutoUpgradeCseMinorVersion` | bool | `False` | | Disable auto upgrade custom script extension minor version. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionType` | string | `'EncryptionAtRestWithPlatformKey'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformKey]` | Specify how OS and data disks created as part of the lab are encrypted. | -| `environmentPermission` | string | `'Reader'` | `[Contributor, Reader]` | The access rights to be granted to the user when provisioning an environment. | -| `extendedProperties` | object | `{object}` | | Extended properties of the lab used for experimental features. | -| `isolateLabResources` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable lab resources isolation from the public internet. | -| `labStorageType` | string | `'Premium'` | `[Premium, Standard, StandardSSD]` | Type of storage used by the lab. It can be either Premium or Standard. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managementIdentities` | object | `{object}` | | The ID(s) to assign to the virtual machines associated with this lab. | -| `mandatoryArtifactsResourceIdsLinux` | array | `[]` | | The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. | -| `mandatoryArtifactsResourceIdsWindows` | array | `[]` | | The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. | -| `policies` | array | `[]` | | Policies to create for the lab. | -| `premiumDataDisks` | string | `'Disabled'` | `[Disabled, Enabled]` | The setting to enable usage of premium data disks. 
When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled". | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `schedules` | array | `[]` | | Schedules to create for the lab. | -| `support` | object | `{object}` | | The properties of any lab support message associated with this lab. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `virtualnetworks` | array | `[]` | | Virtual networks to create for the lab. | -| `vmCreationResourceGroupId` | string | `[resourceGroup().id]` | | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the lab. | -| `resourceGroupName` | string | The resource group the lab was deployed into. | -| `resourceId` | string | The resource ID of the lab. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | -| `uniqueIdentifier` | string | The unique identifier for the lab. 
Used to track tags that the lab applies to each resource that it creates. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/dev-test-lab.lab:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module
 ```bicep
-module lab './dev-test-lab/lab/main.bicep' = {
+module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-dtllcom'
 params: {
 // Required parameters
@@ -626,14 +571,17 @@ module lab './dev-test-lab/lab/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module lab './dev-test-lab/lab/main.bicep' = {
+module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-dtllmin'
 params: {
 // Required parameters
@@ -670,3 +618,275 @@ module lab './dev-test-lab/lab/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the lab. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`encryptionDiskEncryptionSetId`](#parameter-encryptiondiskencryptionsetid) | string | The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". | +| [`notificationchannels`](#parameter-notificationchannels) | array | Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`announcement`](#parameter-announcement) | object | The properties of any lab announcement associated with this lab. | +| [`artifactsources`](#parameter-artifactsources) | array | Artifact sources to create for the lab. | +| [`artifactsStorageAccount`](#parameter-artifactsstorageaccount) | string | The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. | +| [`browserConnect`](#parameter-browserconnect) | string | Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. | +| [`costs`](#parameter-costs) | object | Costs to create for the lab. | +| [`disableAutoUpgradeCseMinorVersion`](#parameter-disableautoupgradecseminorversion) | bool | Disable auto upgrade custom script extension minor version. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`encryptionType`](#parameter-encryptiontype) | string | Specify how OS and data disks created as part of the lab are encrypted. | +| [`environmentPermission`](#parameter-environmentpermission) | string | The access rights to be granted to the user when provisioning an environment. | +| [`extendedProperties`](#parameter-extendedproperties) | object | Extended properties of the lab used for experimental features. | +| [`isolateLabResources`](#parameter-isolatelabresources) | string | Enable lab resources isolation from the public internet. | +| [`labStorageType`](#parameter-labstoragetype) | string | Type of storage used by the lab. It can be either Premium or Standard. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managementIdentities`](#parameter-managementidentities) | object | The ID(s) to assign to the virtual machines associated with this lab. | +| [`mandatoryArtifactsResourceIdsLinux`](#parameter-mandatoryartifactsresourceidslinux) | array | The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. | +| [`mandatoryArtifactsResourceIdsWindows`](#parameter-mandatoryartifactsresourceidswindows) | array | The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. | +| [`policies`](#parameter-policies) | array | Policies to create for the lab. | +| [`premiumDataDisks`](#parameter-premiumdatadisks) | string | The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled". 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`schedules`](#parameter-schedules) | array | Schedules to create for the lab. | +| [`support`](#parameter-support) | object | The properties of any lab support message associated with this lab. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`virtualnetworks`](#parameter-virtualnetworks) | array | Virtual networks to create for the lab. | +| [`vmCreationResourceGroupId`](#parameter-vmcreationresourcegroupid) | string | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | + +### Parameter: `announcement` + +The properties of any lab announcement associated with this lab. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `artifactsources` + +Artifact sources to create for the lab. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `artifactsStorageAccount` + +The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `browserConnect` + +Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. 
+- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `costs` + +Costs to create for the lab. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `disableAutoUpgradeCseMinorVersion` + +Disable auto upgrade custom script extension minor version. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `encryptionDiskEncryptionSetId` + +The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `encryptionType` + +Specify how OS and data disks created as part of the lab are encrypted. +- Required: No +- Type: string +- Default: `'EncryptionAtRestWithPlatformKey'` +- Allowed: `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformKey]` + +### Parameter: `environmentPermission` + +The access rights to be granted to the user when provisioning an environment. +- Required: No +- Type: string +- Default: `'Reader'` +- Allowed: `[Contributor, Reader]` + +### Parameter: `extendedProperties` + +Extended properties of the lab used for experimental features. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `isolateLabResources` + +Enable lab resources isolation from the public internet. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `labStorageType` + +Type of storage used by the lab. It can be either Premium or Standard. +- Required: No +- Type: string +- Default: `'Premium'` +- Allowed: `[Premium, Standard, StandardSSD]` + +### Parameter: `location` + +Location for all Resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managementIdentities` + +The ID(s) to assign to the virtual machines associated with this lab. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mandatoryArtifactsResourceIdsLinux` + +The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `mandatoryArtifactsResourceIdsWindows` + +The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the lab. +- Required: Yes +- Type: string + +### Parameter: `notificationchannels` + +Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `policies` + +Policies to create for the lab. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `premiumDataDisks` + +The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled". +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `schedules` + +Schedules to create for the lab. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `support` + +The properties of any lab support message associated with this lab. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualnetworks` + +Virtual networks to create for the lab. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `vmCreationResourceGroupId` + +Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. +- Required: No +- Type: string +- Default: `[resourceGroup().id]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the lab. | +| `resourceGroupName` | string | The resource group the lab was deployed into. | +| `resourceId` | string | The resource ID of the lab. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `uniqueIdentifier` | string | The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates. | + +## Cross-referenced modules + +_None_ diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md index 0318c83d13..26aa3c0d4f 100644 
--- a/modules/dev-test-lab/lab/artifactsource/README.md +++ b/modules/dev-test-lab/lab/artifactsource/README.md 
@@ -21,35 +21,118 @@ An artifact source allows you to create custom artifacts for the VMs in the lab, **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the artifact source. | -| `uri` | string | The artifact source's URI. | +| [`name`](#parameter-name) | string | The name of the artifact source. | +| [`uri`](#parameter-uri) | string | The artifact source's URI. | **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `armTemplateFolderPath` | string | `''` | The folder containing Azure Resource Manager templates. Required if "folderPath" is empty. | -| `folderPath` | string | `''` | The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. | -| `labName` | string | | The name of the parent lab. Required if the template is used in a standalone deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`armTemplateFolderPath`](#parameter-armtemplatefolderpath) | string | The folder containing Azure Resource Manager templates. Required if "folderPath" is empty. | +| [`folderPath`](#parameter-folderpath) | string | The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `branchRef` | string | `''` | | The artifact source's branch reference (e.g. main or master). | -| `displayName` | string | `[parameters('name')]` | | The artifact source's display name. Default is the name of the artifact source. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `securityToken` | securestring | `''` | | The security token to authenticate to the artifact source. | -| `sourceType` | string | `''` | `['', GitHub, StorageAccount, VsoGit]` | The artifact source's type. | -| `status` | string | `'Enabled'` | `[Disabled, Enabled]` | Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". | -| `tags` | object | `{object}` | | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`branchRef`](#parameter-branchref) | string | The artifact source's branch reference (e.g. main or master). | +| [`displayName`](#parameter-displayname) | string | The artifact source's display name. Default is the name of the artifact source. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`securityToken`](#parameter-securitytoken) | securestring | The security token to authenticate to the artifact source. | +| [`sourceType`](#parameter-sourcetype) | string | The artifact source's type. | +| [`status`](#parameter-status) | string | Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `armTemplateFolderPath` + +The folder containing Azure Resource Manager templates. Required if "folderPath" is empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `branchRef` + +The artifact source's branch reference (e.g. main or master). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The artifact source's display name. Default is the name of the artifact source. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `folderPath` + +The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the artifact source. +- Required: Yes +- Type: string + +### Parameter: `securityToken` + +The security token to authenticate to the artifact source. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `sourceType` + +The artifact source's type. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', GitHub, StorageAccount, VsoGit]` + +### Parameter: `status` + +Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `uri` + +The artifact source's URI. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the artifact source. | | `resourceGroupName` | string | The name of the resource group the artifact source was created in. | diff --git a/modules/dev-test-lab/lab/artifactsource/main.json b/modules/dev-test-lab/lab/artifactsource/main.json index 9056139395..946b4a505a 100644 --- a/modules/dev-test-lab/lab/artifactsource/main.json +++ b/modules/dev-test-lab/lab/artifactsource/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10765635521160351928" + "version": "0.22.6.54827", + "templateHash": "4180084937723506143" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md index 7ad70ef322..69d66fdbc7 100644 --- a/modules/dev-test-lab/lab/cost/README.md +++ b/modules/dev-test-lab/lab/cost/README.md 
@@ -21,42 +21,185 @@ Manage lab costs by setting a spending target that can be viewed in the Monthly **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `cycleType` | string | `[CalendarMonth, Custom]` | Reporting cycle type. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cycleType`](#parameter-cycletype) | string | Reporting cycle type. | **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cycleEndDateTime` | string | `''` | Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". | -| `cycleStartDateTime` | string | `''` | Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". | -| `labName` | string | | The name of the parent lab. Required if the template is used in a standalone deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cycleEndDateTime`](#parameter-cycleenddatetime) | string | Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". | +| [`cycleStartDateTime`](#parameter-cyclestartdatetime) | string | Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `currencyCode` | string | `'USD'` | | The currency code of the cost. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `status` | string | `'Enabled'` | `[Disabled, Enabled]` | Target cost status. 
| -| `tags` | object | `{object}` | | Tags of the resource. | -| `target` | int | `0` | | Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds. | -| `thresholdValue100DisplayOnChart` | string | `'Disabled'` | `[Disabled, Enabled]` | Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts. | -| `thresholdValue100SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -| `thresholdValue125DisplayOnChart` | string | `'Disabled'` | `[Disabled, Enabled]` | Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts. | -| `thresholdValue125SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -| `thresholdValue25DisplayOnChart` | string | `'Disabled'` | `[Disabled, Enabled]` | Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts. | -| `thresholdValue25SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -| `thresholdValue50DisplayOnChart` | string | `'Disabled'` | `[Disabled, Enabled]` | Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts. 
| -| `thresholdValue50SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -| `thresholdValue75DisplayOnChart` | string | `'Disabled'` | `[Disabled, Enabled]` | Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. | -| `thresholdValue75SendNotificationWhenExceeded` | string | `'Disabled'` | `[Disabled, Enabled]` | Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`currencyCode`](#parameter-currencycode) | string | The currency code of the cost. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`status`](#parameter-status) | string | Target cost status. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`target`](#parameter-target) | int | Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds. | +| [`thresholdValue100DisplayOnChart`](#parameter-thresholdvalue100displayonchart) | string | Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts. | +| [`thresholdValue100SendNotificationWhenExceeded`](#parameter-thresholdvalue100sendnotificationwhenexceeded) | string | Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | +| [`thresholdValue125DisplayOnChart`](#parameter-thresholdvalue125displayonchart) | string | Target Cost threshold at 125% display on chart. 
Indicates whether this threshold will be displayed on cost charts. | +| [`thresholdValue125SendNotificationWhenExceeded`](#parameter-thresholdvalue125sendnotificationwhenexceeded) | string | Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | +| [`thresholdValue25DisplayOnChart`](#parameter-thresholdvalue25displayonchart) | string | Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts. | +| [`thresholdValue25SendNotificationWhenExceeded`](#parameter-thresholdvalue25sendnotificationwhenexceeded) | string | Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | +| [`thresholdValue50DisplayOnChart`](#parameter-thresholdvalue50displayonchart) | string | Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts. | +| [`thresholdValue50SendNotificationWhenExceeded`](#parameter-thresholdvalue50sendnotificationwhenexceeded) | string | Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | +| [`thresholdValue75DisplayOnChart`](#parameter-thresholdvalue75displayonchart) | string | Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. | +| [`thresholdValue75SendNotificationWhenExceeded`](#parameter-thresholdvalue75sendnotificationwhenexceeded) | string | Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | + +### Parameter: `currencyCode` + +The currency code of the cost. +- Required: No +- Type: string +- Default: `'USD'` + +### Parameter: `cycleEndDateTime` + +Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). 
Required if cycleType is set to "Custom". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cycleStartDateTime` + +Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cycleType` + +Reporting cycle type. +- Required: Yes +- Type: string +- Allowed: `[CalendarMonth, Custom]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `status` + +Target cost status. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `target` + +Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `thresholdValue100DisplayOnChart` + +Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue100SendNotificationWhenExceeded` + +Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue125DisplayOnChart` + +Target Cost threshold at 125% display on chart. 
Indicates whether this threshold will be displayed on cost charts. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue125SendNotificationWhenExceeded` + +Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue25DisplayOnChart` + +Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue25SendNotificationWhenExceeded` + +Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue50DisplayOnChart` + +Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue50SendNotificationWhenExceeded` + +Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue75DisplayOnChart` + +Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `thresholdValue75SendNotificationWhenExceeded` + +Target cost threshold at 75% send notification when exceeded. 
Indicates whether notifications will be sent when this threshold is exceeded. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the cost. | | `resourceGroupName` | string | The name of the resource group the cost was created in. | diff --git a/modules/dev-test-lab/lab/cost/main.json b/modules/dev-test-lab/lab/cost/main.json index 5c385935d5..89f70cfd1f 100644 --- a/modules/dev-test-lab/lab/cost/main.json +++ b/modules/dev-test-lab/lab/cost/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4166206931202072952" + "version": "0.22.6.54827", + "templateHash": "17587308196408831883" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index a8f2ba4948..a83a20dd30 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11215744490422832347" + "version": "0.22.6.54827", + "templateHash": "12564230212135431557" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", 
@@ -347,8 +347,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10585523023574394931" + "version": "0.22.6.54827", + "templateHash": "5213684482874022181" }, "name": "DevTest Lab Virtual Networks", "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", @@ -511,8 +511,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8971513022315177152" + "version": "0.22.6.54827", + "templateHash": "7402281637422771358" }, "name": "DevTest Lab Policy Sets Policies", "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", @@ -715,8 +715,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12263098724597801740" + "version": "0.22.6.54827", + "templateHash": "853057685884144049" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", @@ -929,8 +929,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17695938428337610065" + "version": "0.22.6.54827", + "templateHash": "7575060424945865003" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", 
@@ -1103,8 +1103,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9073888459731266435" + "version": "0.22.6.54827", + "templateHash": "4180084937723506143" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", @@ -1309,8 +1309,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15716544808866806342" + "version": "0.22.6.54827", + "templateHash": "17587308196408831883" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", @@ -1636,8 +1636,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4976650846797191229" + "version": "0.22.6.54827", + "templateHash": "5435640009728678460" } }, "parameters": { diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md index 432c8b1d1b..d78d419ad8 100644 --- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ b/modules/dev-test-lab/lab/notificationchannel/README.md 
@@ -21,32 +21,94 @@ Notification channels are used by the schedule resource type in order to send no **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `events` | array | | The list of event for which this notification is enabled. | -| `name` | string | `[autoShutdown, costThreshold]` | The name of the notification channel. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`events`](#parameter-events) | array | The list of event for which this notification is enabled. | +| [`name`](#parameter-name) | string | The name of the notification channel. | **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `emailRecipient` | string | `''` | The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. | -| `labName` | string | | The name of the parent lab. Required if the template is used in a standalone deployment. | -| `webHookUrl` | string | `''` | The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`emailRecipient`](#parameter-emailrecipient) | string | The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | +| [`webHookUrl`](#parameter-webhookurl) | string | The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | Description of notification. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `notificationLocale` | string | `'en'` | The locale to use when sending a notification (fallback for unsupported languages is EN). | -| `tags` | object | `{object}` | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | Description of notification. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`notificationLocale`](#parameter-notificationlocale) | string | The locale to use when sending a notification (fallback for unsupported languages is EN). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `description` + +Description of notification. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `emailRecipient` + +The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `events` + +The list of event for which this notification is enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the notification channel. +- Required: Yes +- Type: string +- Allowed: `[autoShutdown, costThreshold]` + +### Parameter: `notificationLocale` + +The locale to use when sending a notification (fallback for unsupported languages is EN). +- Required: No +- Type: string +- Default: `'en'` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `webHookUrl` + +The webhook URL to which the notification will be sent. 
Required if "emailRecipient" is empty. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the notification channel. | | `resourceGroupName` | string | The name of the resource group the notification channel was created in. | diff --git a/modules/dev-test-lab/lab/notificationchannel/main.json b/modules/dev-test-lab/lab/notificationchannel/main.json index 0a723cda14..6251464ffc 100644 --- a/modules/dev-test-lab/lab/notificationchannel/main.json +++ b/modules/dev-test-lab/lab/notificationchannel/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16877948453352231958" + "version": "0.22.6.54827", + "templateHash": "7575060424945865003" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", diff --git a/modules/dev-test-lab/lab/policyset/policy/README.md b/modules/dev-test-lab/lab/policyset/policy/README.md index fcf05efe7c..cc9746dea5 100644 --- a/modules/dev-test-lab/lab/policyset/policy/README.md +++ b/modules/dev-test-lab/lab/policyset/policy/README.md 
@@ -21,34 +21,109 @@ DevTest lab policies are used to modify the lab settings such as only allowing c **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `evaluatorType` | string | `[AllowedValuesPolicy, MaxValuePolicy]` | The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). | -| `factName` | string | `[EnvironmentTemplate, GalleryImage, LabPremiumVmCount, LabTargetCost, LabVmCount, LabVmSize, ScheduleEditPermission, UserOwnedLabPremiumVmCount, UserOwnedLabVmCount, UserOwnedLabVmCountInSubnet]` | The fact name of the policy. | -| `name` | string | | The name of the policy. | -| `threshold` | string | | The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`evaluatorType`](#parameter-evaluatortype) | string | The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). | +| [`factName`](#parameter-factname) | string | The fact name of the policy. | +| [`name`](#parameter-name) | string | The name of the policy. | +| [`threshold`](#parameter-threshold) | string | The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `labName` | string | The name of the parent lab. Required if the template is used in a standalone deployment. | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `description` | string | `''` | | The description of the policy. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `factData` | string | `''` | | The fact data of the policy. | -| `policySetName` | string | `'default'` | | The name of the parent policy set. | -| `status` | string | `'Enabled'` | `[Disabled, Enabled]` | The status of the policy. | -| `tags` | object | `{object}` | | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The description of the policy. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`factData`](#parameter-factdata) | string | The fact data of the policy. | +| [`policySetName`](#parameter-policysetname) | string | The name of the parent policy set. | +| [`status`](#parameter-status) | string | The status of the policy. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `description` + +The description of the policy. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `evaluatorType` + +The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). +- Required: Yes +- Type: string +- Allowed: `[AllowedValuesPolicy, MaxValuePolicy]` + +### Parameter: `factData` + +The fact data of the policy. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `factName` + +The fact name of the policy. +- Required: Yes +- Type: string +- Allowed: `[EnvironmentTemplate, GalleryImage, LabPremiumVmCount, LabTargetCost, LabVmCount, LabVmSize, ScheduleEditPermission, UserOwnedLabPremiumVmCount, UserOwnedLabVmCount, UserOwnedLabVmCountInSubnet]` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the policy. +- Required: Yes +- Type: string + +### Parameter: `policySetName` + +The name of the parent policy set. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `status` + +The status of the policy. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `threshold` + +The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the policy. | | `resourceGroupName` | string | The name of the resource group the policy was created in. | diff --git a/modules/dev-test-lab/lab/policyset/policy/main.json b/modules/dev-test-lab/lab/policyset/policy/main.json index 5f4ddafad9..18e4b827e3 100644 --- a/modules/dev-test-lab/lab/policyset/policy/main.json +++ b/modules/dev-test-lab/lab/policyset/policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9961899772573814013" + "version": "0.22.6.54827", + "templateHash": "7402281637422771358" }, "name": "DevTest Lab Policy Sets Policies", "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md index 181ecedd78..5d197319c3 100644 --- a/modules/dev-test-lab/lab/schedule/README.md +++ b/modules/dev-test-lab/lab/schedule/README.md 
@@ -21,36 +21,128 @@ Lab schedules are used to modify the settings for auto-shutdown, auto-start for **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | `[LabVmAutoStart, LabVmsShutdown]` | The name of the schedule. | -| `taskType` | string | `[LabVmsShutdownTask, LabVmsStartupTask]` | The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the schedule. | +| [`taskType`](#parameter-tasktype) | string | The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `labName` | string | The name of the parent lab. Required if the template is used in a standalone deployment. | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `dailyRecurrence` | object | `{object}` | | If the schedule will occur once each day of the week, specify the daily recurrence. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hourlyRecurrence` | object | `{object}` | | If the schedule will occur multiple times a day, specify the hourly recurrence. | -| `notificationSettingsStatus` | string | `'Disabled'` | `[Disabled, Enabled]` | If notifications are enabled for this schedule (i.e. Enabled, Disabled). | -| `notificationSettingsTimeInMinutes` | int | `30` | | Time in minutes before event at which notification will be sent. Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes. 
| -| `status` | string | `'Enabled'` | `[Disabled, Enabled]` | The status of the schedule (i.e. Enabled, Disabled). | -| `tags` | object | `{object}` | | Tags of the resource. | -| `targetResourceId` | string | `''` | | The resource ID to which the schedule belongs. | -| `timeZoneId` | string | `'Pacific Standard time'` | | The time zone ID (e.g. Pacific Standard time). | -| `weeklyRecurrence` | object | `{object}` | | If the schedule will occur only some days of the week, specify the weekly recurrence. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dailyRecurrence`](#parameter-dailyrecurrence) | object | If the schedule will occur once each day of the week, specify the daily recurrence. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hourlyRecurrence`](#parameter-hourlyrecurrence) | object | If the schedule will occur multiple times a day, specify the hourly recurrence. | +| [`notificationSettingsStatus`](#parameter-notificationsettingsstatus) | string | If notifications are enabled for this schedule (i.e. Enabled, Disabled). | +| [`notificationSettingsTimeInMinutes`](#parameter-notificationsettingstimeinminutes) | int | Time in minutes before event at which notification will be sent. Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes. | +| [`status`](#parameter-status) | string | The status of the schedule (i.e. Enabled, Disabled). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`targetResourceId`](#parameter-targetresourceid) | string | The resource ID to which the schedule belongs. | +| [`timeZoneId`](#parameter-timezoneid) | string | The time zone ID (e.g. Pacific Standard time). | +| [`weeklyRecurrence`](#parameter-weeklyrecurrence) | object | If the schedule will occur only some days of the week, specify the weekly recurrence. 
| + +### Parameter: `dailyRecurrence` + +If the schedule will occur once each day of the week, specify the daily recurrence. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hourlyRecurrence` + +If the schedule will occur multiple times a day, specify the hourly recurrence. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the schedule. +- Required: Yes +- Type: string +- Allowed: `[LabVmAutoStart, LabVmsShutdown]` + +### Parameter: `notificationSettingsStatus` + +If notifications are enabled for this schedule (i.e. Enabled, Disabled). +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `notificationSettingsTimeInMinutes` + +Time in minutes before event at which notification will be sent. Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes. +- Required: No +- Type: int +- Default: `30` + +### Parameter: `status` + +The status of the schedule (i.e. Enabled, Disabled). +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `targetResourceId` + +The resource ID to which the schedule belongs. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `taskType` + +The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). +- Required: Yes +- Type: string +- Allowed: `[LabVmsShutdownTask, LabVmsStartupTask]` + +### Parameter: `timeZoneId` + +The time zone ID (e.g. Pacific Standard time). 
+- Required: No +- Type: string +- Default: `'Pacific Standard time'` + +### Parameter: `weeklyRecurrence` + +If the schedule will occur only some days of the week, specify the weekly recurrence. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the schedule. | | `resourceGroupName` | string | The name of the resource group the schedule was created in. | diff --git a/modules/dev-test-lab/lab/schedule/main.json b/modules/dev-test-lab/lab/schedule/main.json index a4efd42401..96c2fa8537 100644 --- a/modules/dev-test-lab/lab/schedule/main.json +++ b/modules/dev-test-lab/lab/schedule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12427678703978539260" + "version": "0.22.6.54827", + "templateHash": "853057685884144049" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", diff --git a/modules/dev-test-lab/lab/virtualnetwork/README.md b/modules/dev-test-lab/lab/virtualnetwork/README.md index cb4f24b6dd..c2eaf8a2bc 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/README.md +++ b/modules/dev-test-lab/lab/virtualnetwork/README.md 
@@ -21,31 +21,84 @@ Lab virtual machines must be deployed into a virtual network. This resource type **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `externalProviderResourceId` | string | The resource ID of the virtual network. | -| `name` | string | The name of the virtual network. | +| [`externalProviderResourceId`](#parameter-externalproviderresourceid) | string | The resource ID of the virtual network. | +| [`name`](#parameter-name) | string | The name of the virtual network. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `labName` | string | The name of the parent lab. Required if the template is used in a standalone deployment. | +| [`labName`](#parameter-labname) | string | The name of the parent lab. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `allowedSubnets` | array | `[]` | The allowed subnets of the virtual network. | -| `description` | string | `''` | The description of the virtual network. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `subnetOverrides` | array | `[]` | The subnet overrides of the virtual network. | -| `tags` | object | `{object}` | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowedSubnets`](#parameter-allowedsubnets) | array | The allowed subnets of the virtual network. | +| [`description`](#parameter-description) | string | The description of the virtual network. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`subnetOverrides`](#parameter-subnetoverrides) | array | The subnet overrides of the virtual network. 
| +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `allowedSubnets` + +The allowed subnets of the virtual network. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +The description of the virtual network. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `externalProviderResourceId` + +The resource ID of the virtual network. +- Required: Yes +- Type: string + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the virtual network. +- Required: Yes +- Type: string + +### Parameter: `subnetOverrides` + +The subnet overrides of the virtual network. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the lab virtual network. | | `resourceGroupName` | string | The name of the resource group the lab virtual network was created in. | diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.json b/modules/dev-test-lab/lab/virtualnetwork/main.json index 1449aed564..71e0cb54e5 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/main.json +++ b/modules/dev-test-lab/lab/virtualnetwork/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3541849489263903716" + "version": "0.22.6.54827", + "templateHash": "5213684482874022181" }, "name": "DevTest Lab Virtual Networks", "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index 73b4bd8fae..fceb1ad4b6 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep index e923ca1679..f970096185 100644 --- a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index b7fd3b5123..7c92db6dec 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md 
@@ -5,10 +5,10 @@ This module deploys an Azure Digital Twins Instance. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -23,72 +23,28 @@ This module deploys an Azure Digital Twins Instance. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Digital Twin Instance. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DataHistoryOperation, DigitalTwinsOperation, EventRoutesOperation, ModelsOperation, QueryOperation, ResourceProviderOperation]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `eventGridEndpoint` | object | `{object}` | | Event Grid Endpoint. | -| `eventHubEndpoint` | object | `{object}` | | Event Hub Endpoint. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serviceBusEndpoint` | object | `{object}` | | Service Bus Endpoint. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Resource tags. 
| -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `hostname` | string | The hostname of the Digital Twins Instance. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Digital Twins Instance. | -| `resourceGroupName` | string | The name of the resource group the resource was created in. | -| `resourceId` | string | The resource ID of the Digital Twins Instance. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/digital-twins.digital-twins-instance:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module digitalTwinsInstance './digital-twins/digital-twins-instance/main.bicep' = { +module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dtdticom' params: { // Required parameters @@ -248,14 +204,17 @@ module digitalTwinsInstance './digital-twins/digital-twins-instance/main.bicep'

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module digitalTwinsInstance './digital-twins/digital-twins-instance/main.bicep' = { +module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dtdtimin' params: { // Required parameters @@ -292,3 +251,198 @@ module digitalTwinsInstance './digital-twins/digital-twins-instance/main.bicep'

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Digital Twin Instance. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`eventGridEndpoint`](#parameter-eventgridendpoint) | object | Event Grid Endpoint. | +| [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serviceBusEndpoint`](#parameter-servicebusendpoint) | object | Service Bus Endpoint. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Resource tags. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DataHistoryOperation, DigitalTwinsOperation, EventRoutesOperation, ModelsOperation, QueryOperation, ResourceProviderOperation]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. +- Required: No +- Type: string +- Default: `[format('{0}-diagnosticSettings', parameters('name'))]` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventGridEndpoint` + +Event Grid Endpoint. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `eventHubEndpoint` + +Event Hub Endpoint. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Digital Twin Instance. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceBusEndpoint` + +Service Bus Endpoint. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Resource tags. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `hostname` | string | The hostname of the Digital Twins Instance. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Digital Twins Instance. | +| `resourceGroupName` | string | The name of the resource group the resource was created in. | +| `resourceId` | string | The resource ID of the Digital Twins Instance. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md index 70a63cb0a6..0b66892ffa 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md 
@@ -19,30 +19,76 @@ This module deploys a Digital Twins Instance Event Grid Endpoint. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `eventGridDomainResourceId` | string | The resource ID of the Event Grid to get access keys from. | -| `topicEndpoint` | string | EventGrid Topic Endpoint. | +| [`eventGridDomainResourceId`](#parameter-eventgriddomainresourceid) | string | The resource ID of the Event Grid to get access keys from. | +| [`topicEndpoint`](#parameter-topicendpoint) | string | EventGrid Topic Endpoint. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `digitalTwinInstanceName` | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | +| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `deadLetterSecret` | securestring | `''` | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | -| `deadLetterUri` | string | `''` | Dead letter storage URL for identity-based authentication. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `name` | string | `'EventGridEndpoint'` | The name of the Digital Twin Endpoint. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | +| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | + +### Parameter: `deadLetterSecret` + +Dead letter storage secret for key-based authentication. Will be obfuscated during read. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `deadLetterUri` + +Dead letter storage URL for identity-based authentication. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventGridDomainResourceId` + +The resource ID of the Event Grid to get access keys from. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the Digital Twin Endpoint. +- Required: No +- Type: string +- Default: `'EventGridEndpoint'` + +### Parameter: `topicEndpoint` + +EventGrid Topic Endpoint. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Endpoint. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md index 89cb8b96b9..ea2990793c 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md 
@@ -19,30 +19,114 @@ This module deploys a Digital Twins Instance EventHub Endpoint. **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `connectionStringPrimaryKey` | securestring | `''` | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". | -| `digitalTwinInstanceName` | string | | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`connectionStringPrimaryKey`](#parameter-connectionstringprimarykey) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". | +| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authenticationType` | string | `'IdentityBased'` | `[IdentityBased, KeyBased]` | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | -| `connectionStringSecondaryKey` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | -| `deadLetterSecret` | securestring | `''` | | Dead letter storage secret for key-based authentication. Will be obfuscated during read. 
| -| `deadLetterUri` | string | `''` | | Dead letter storage URL for identity-based authentication. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `endpointUri` | string | `''` | | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | -| `entityPath` | string | `''` | | The EventHub name in the EventHub namespace for identity-based authentication. | -| `name` | string | `'EventHubEndpoint'` | | The name of the Digital Twin Endpoint. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `userAssignedIdentity` | string | `''` | | The ID to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | +| [`connectionStringSecondaryKey`](#parameter-connectionstringsecondarykey) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | +| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | +| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`endpointUri`](#parameter-endpointuri) | string | The URL of the EventHub namespace for identity-based authentication. 
It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | +| [`entityPath`](#parameter-entitypath) | string | The EventHub name in the EventHub namespace for identity-based authentication. | +| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | + +### Parameter: `authenticationType` + +Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. +- Required: No +- Type: string +- Default: `'IdentityBased'` +- Allowed: `[IdentityBased, KeyBased]` + +### Parameter: `connectionStringPrimaryKey` + +PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `connectionStringSecondaryKey` + +SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `deadLetterSecret` + +Dead letter storage secret for key-based authentication. Will be obfuscated during read. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `deadLetterUri` + +Dead letter storage URL for identity-based authentication. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endpointUri` + +The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `entityPath` + +The EventHub name in the EventHub namespace for identity-based authentication. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the Digital Twin Endpoint. +- Required: No +- Type: string +- Default: `'EventHubEndpoint'` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `userAssignedIdentity` + +The ID to assign to the resource. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Endpoint. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md index 3f448d3791..eeae357cd9 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md 
@@ -19,30 +19,114 @@ This module deploys a Digital Twins Instance ServiceBus Endpoint. **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `digitalTwinInstanceName` | string | | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | -| `primaryConnectionString` | securestring | `''` | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | +| [`primaryConnectionString`](#parameter-primaryconnectionstring) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authenticationType` | string | `'IdentityBased'` | `[IdentityBased, KeyBased]` | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | -| `deadLetterSecret` | securestring | `''` | | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | -| `deadLetterUri` | string | `''` | | Dead letter storage URL for identity-based authentication. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). 
| -| `endpointUri` | string | `''` | | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). | -| `entityPath` | string | `''` | | The ServiceBus Topic name for identity-based authentication. | -| `name` | string | `'ServiceBusEndpoint'` | | The name of the Digital Twin Endpoint. | -| `secondaryConnectionString` | securestring | `''` | | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `userAssignedIdentity` | string | `''` | | The ID to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. | +| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | +| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`endpointUri`](#parameter-endpointuri) | string | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). | +| [`entityPath`](#parameter-entitypath) | string | The ServiceBus Topic name for identity-based authentication. 
| +| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | +| [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | + +### Parameter: `authenticationType` + +Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. +- Required: No +- Type: string +- Default: `'IdentityBased'` +- Allowed: `[IdentityBased, KeyBased]` + +### Parameter: `deadLetterSecret` + +Dead letter storage secret for key-based authentication. Will be obfuscated during read. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `deadLetterUri` + +Dead letter storage URL for identity-based authentication. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endpointUri` + +The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `entityPath` + +The ServiceBus Topic name for identity-based authentication. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the Digital Twin Endpoint. +- Required: No +- Type: string +- Default: `'ServiceBusEndpoint'` + +### Parameter: `primaryConnectionString` + +PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `secondaryConnectionString` + +SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `userAssignedIdentity` + +The ID to assign to the resource. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Endpoint. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 3eea1daa41..69a8c77859 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -5,10 +5,10 @@ This module deploys a DocumentDB Database Account. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -27,85 +27,27 @@ This module deploys a DocumentDB Database Account. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `locations` | array | Locations enabled for the Cosmos DB account. | -| `name` | string | Name of the Database Account. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `automaticFailover` | bool | `True` | | Enable automatic failover for regions. | -| `backupIntervalInMinutes` | int | `240` | | An integer representing the interval in minutes between two backups. Only applies to periodic backup type. | -| `backupPolicyContinuousTier` | string | `'Continuous30Days'` | `[Continuous30Days, Continuous7Days]` | Configuration values for continuous mode backup. | -| `backupPolicyType` | string | `'Continuous'` | `[Continuous, Periodic]` | Describes the mode of backups. | -| `backupRetentionIntervalInHours` | int | `8` | | An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. | -| `backupStorageRedundancy` | string | `'Local'` | `[Geo, Local, Zone]` | Enum to indicate type of backup residency. Only applies to periodic backup type. | -| `capabilitiesToAdd` | array | `[]` | `[DisableRateLimitingResponses, EnableCassandra, EnableGremlin, EnableMongo, EnableServerless, EnableTable]` | List of Cosmos DB capabilities for the account. | -| `databaseAccountOfferType` | string | `'Standard'` | `[Standard]` | The offer type for the Cosmos DB database account. 
| -| `defaultConsistencyLevel` | string | `'Session'` | `[BoundedStaleness, ConsistentPrefix, Eventual, Session, Strong]` | The default consistency level of the Cosmos DB account. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, CassandraRequests, ControlPlaneRequests, DataPlaneRequests, GremlinRequests, MongoRequests, PartitionKeyRUConsumption, PartitionKeyStatistics, QueryRuntimeStatistics, TableApiRequests]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Requests]` | `[Requests]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableFreeTier` | bool | `False` | | Flag to indicate whether Free Tier is enabled. | -| `gremlinDatabases` | array | `[]` | | Gremlin Databases configurations. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxIntervalInSeconds` | int | `300` | | Max lag time (minutes). Required for BoundedStaleness. 
Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | -| `maxStalenessPrefix` | int | `100000` | | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | -| `mongodbDatabases` | array | `[]` | | MongoDB Databases configurations. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serverVersion` | string | `'4.2'` | `[3.2, 3.6, 4.0, 4.2]` | Specifies the MongoDB server version to use. | -| `sqlDatabases` | array | `[]` | | SQL Databases configurations. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the Database Account resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the database account. | -| `resourceGroupName` | string | The name of the resource group the database account was created in. | -| `resourceId` | string | The resource ID of the database account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| - -## Cross-referenced modules +## Usage examples -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -## Deployment examples +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/document-db.database-account:1.0.0`. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +- [Gremlindb](#example-1-gremlindb) +- [Mongodb](#example-2-mongodb) +- [Plain](#example-3-plain) +- [Sqldb](#example-4-sqldb) - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Gremlindb

+### Example 1: _Gremlindb_
via Bicep module ```bicep -module databaseAccount './document-db/database-account/main.bicep' = { +module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dddagrm' params: { // Required parameters @@ -331,14 +273,14 @@ module databaseAccount './document-db/database-account/main.bicep' = {

-

Example 2: Mongodb

+### Example 2: _Mongodb_
via Bicep module ```bicep -module databaseAccount './document-db/database-account/main.bicep' = { +module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dddamng' params: { // Required parameters @@ -828,14 +770,14 @@ module databaseAccount './document-db/database-account/main.bicep' = {

-

Example 3: Plain

+### Example 3: _Plain_
via Bicep module ```bicep -module databaseAccount './document-db/database-account/main.bicep' = { +module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dddapln' params: { // Required parameters @@ -951,14 +893,14 @@ module databaseAccount './document-db/database-account/main.bicep' = {

-

Example 4: Sqldb

+### Example 4: _Sqldb_
via Bicep module ```bicep -module databaseAccount './document-db/database-account/main.bicep' = { +module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-dddasql' params: { // Required parameters @@ -1269,3 +1211,307 @@ module databaseAccount './document-db/database-account/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`locations`](#parameter-locations) | array | Locations enabled for the Cosmos DB account. | +| [`name`](#parameter-name) | string | Name of the Database Account. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`automaticFailover`](#parameter-automaticfailover) | bool | Enable automatic failover for regions. | +| [`backupIntervalInMinutes`](#parameter-backupintervalinminutes) | int | An integer representing the interval in minutes between two backups. Only applies to periodic backup type. | +| [`backupPolicyContinuousTier`](#parameter-backuppolicycontinuoustier) | string | Configuration values for continuous mode backup. | +| [`backupPolicyType`](#parameter-backuppolicytype) | string | Describes the mode of backups. | +| [`backupRetentionIntervalInHours`](#parameter-backupretentionintervalinhours) | int | An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. | +| [`backupStorageRedundancy`](#parameter-backupstorageredundancy) | string | Enum to indicate type of backup residency. Only applies to periodic backup type. | +| [`capabilitiesToAdd`](#parameter-capabilitiestoadd) | array | List of Cosmos DB capabilities for the account. | +| [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | The offer type for the Cosmos DB database account. | +| [`defaultConsistencyLevel`](#parameter-defaultconsistencylevel) | string | The default consistency level of the Cosmos DB account. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableFreeTier`](#parameter-enablefreetier) | bool | Flag to indicate whether Free Tier is enabled. | +| [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxIntervalInSeconds`](#parameter-maxintervalinseconds) | int | Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | +| [`maxStalenessPrefix`](#parameter-maxstalenessprefix) | int | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | +| [`mongodbDatabases`](#parameter-mongodbdatabases) | array | MongoDB Databases configurations. 
| +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serverVersion`](#parameter-serverversion) | string | Specifies the MongoDB server version to use. | +| [`sqlDatabases`](#parameter-sqldatabases) | array | SQL Databases configurations. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the Database Account resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `automaticFailover` + +Enable automatic failover for regions. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `backupIntervalInMinutes` + +An integer representing the interval in minutes between two backups. Only applies to periodic backup type. +- Required: No +- Type: int +- Default: `240` + +### Parameter: `backupPolicyContinuousTier` + +Configuration values for continuous mode backup. +- Required: No +- Type: string +- Default: `'Continuous30Days'` +- Allowed: `[Continuous30Days, Continuous7Days]` + +### Parameter: `backupPolicyType` + +Describes the mode of backups. 
+- Required: No +- Type: string +- Default: `'Continuous'` +- Allowed: `[Continuous, Periodic]` + +### Parameter: `backupRetentionIntervalInHours` + +An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. +- Required: No +- Type: int +- Default: `8` + +### Parameter: `backupStorageRedundancy` + +Enum to indicate type of backup residency. Only applies to periodic backup type. +- Required: No +- Type: string +- Default: `'Local'` +- Allowed: `[Geo, Local, Zone]` + +### Parameter: `capabilitiesToAdd` + +List of Cosmos DB capabilities for the account. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[DisableRateLimitingResponses, EnableCassandra, EnableGremlin, EnableMongo, EnableServerless, EnableTable]` + +### Parameter: `databaseAccountOfferType` + +The offer type for the Cosmos DB database account. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Standard]` + +### Parameter: `defaultConsistencyLevel` + +The default consistency level of the Cosmos DB account. +- Required: No +- Type: string +- Default: `'Session'` +- Allowed: `[BoundedStaleness, ConsistentPrefix, Eventual, Session, Strong]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, CassandraRequests, ControlPlaneRequests, DataPlaneRequests, GremlinRequests, MongoRequests, PartitionKeyRUConsumption, PartitionKeyStatistics, QueryRuntimeStatistics, TableApiRequests]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Requests]` +- Allowed: `[Requests]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableFreeTier` + +Flag to indicate whether Free Tier is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `gremlinDatabases` + +Gremlin Databases configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `locations` + +Locations enabled for the Cosmos DB account. +- Required: Yes +- Type: array + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maxIntervalInSeconds` + +Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. +- Required: No +- Type: int +- Default: `300` + +### Parameter: `maxStalenessPrefix` + +Max stale requests. 
Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. +- Required: No +- Type: int +- Default: `100000` + +### Parameter: `mongodbDatabases` + +MongoDB Databases configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +Name of the Database Account. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serverVersion` + +Specifies the MongoDB server version to use. +- Required: No +- Type: string +- Default: `'4.2'` +- Allowed: `[3.2, 3.6, 4.0, 4.2]` + +### Parameter: `sqlDatabases` + +SQL Databases configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the Database Account resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the database account. 
|
+| `resourceGroupName` | string | The name of the resource group the database account was created in. |
+| `resourceId` | string | The resource ID of the database account. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md
index bd2d6e6b59..4a715c8f19 100644
--- a/modules/document-db/database-account/gremlin-database/README.md
+++ b/modules/document-db/database-account/gremlin-database/README.md
@@ -21,32 +21,93 @@ This module deploys a Gremlin Database within a CosmosDB Account.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Gremlin database. |
+| [`name`](#parameter-name) | string | Name of the Gremlin database. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `databaseAccountName` | string | The name of the parent Gremlin database. Required if the template is used in a standalone deployment. |
+| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Gremlin database. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `graphs` | array | `[]` | Array of graphs to deploy in the Gremlin database. |
-| `maxThroughput` | int | `4000` | Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. |
-| `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | Tags of the Gremlin database resource. |
-| `throughput` | int | `-1` | Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. |
-| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`graphs`](#parameter-graphs) | array | Array of graphs to deploy in the Gremlin database. 
|
+| [`maxThroughput`](#parameter-maxthroughput) | int | Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the Gremlin database resource. |
+| [`throughput`](#parameter-throughput) | int | Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+
+### Parameter: `databaseAccountName`
+
+The name of the parent Gremlin database. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `graphs`
+
+Array of graphs to deploy in the Gremlin database.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `maxThroughput`
+
+Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored.
+- Required: No
+- Type: int
+- Default: `4000`
+
+### Parameter: `name`
+
+Name of the Gremlin database.
+- Required: Yes
+- Type: string
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the Gremlin database resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `throughput`
+
+Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. 
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the Gremlin database. |
 | `resourceGroupName` | string | The name of the resource group the Gremlin database was created in. |
diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md
index 9ef2885821..9bd3196bdc 100644
--- a/modules/document-db/database-account/gremlin-database/graph/README.md
+++ b/modules/document-db/database-account/gremlin-database/graph/README.md
@@ -20,30 +20,76 @@ This module deploys a DocumentDB Database Accounts Gremlin Database Graph.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the graph. |
+| [`name`](#parameter-name) | string | Name of the graph. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `databaseAccountName` | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. |
-| `gremlinDatabaseName` | string | The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. |
+| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. |
+| [`gremlinDatabaseName`](#parameter-gremlindatabasename) | string | The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `indexingPolicy` | object | `{object}` | Indexing policy of the graph. |
-| `partitionKeyPaths` | array | `[]` | List of paths using which data within the container can be partitioned. |
-| `tags` | object | `{object}` | Tags of the Gremlin graph resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`indexingPolicy`](#parameter-indexingpolicy) | object | Indexing policy of the graph. |
+| [`partitionKeyPaths`](#parameter-partitionkeypaths) | array | List of paths using which data within the container can be partitioned. 
|
+| [`tags`](#parameter-tags) | object | Tags of the Gremlin graph resource. |
+
+### Parameter: `databaseAccountName`
+
+The name of the parent Database Account. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `gremlinDatabaseName`
+
+The name of the parent Gremlin Database. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `indexingPolicy`
+
+Indexing policy of the graph.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Name of the graph.
+- Required: Yes
+- Type: string
+
+### Parameter: `partitionKeyPaths`
+
+List of paths using which data within the container can be partitioned.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the Gremlin graph resource.
+- Required: No
+- Type: object
+- Default: `{object}`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the graph. |
 | `resourceGroupName` | string | The name of the resource group the graph was created in. |
diff --git a/modules/document-db/database-account/gremlin-database/graph/main.json b/modules/document-db/database-account/gremlin-database/graph/main.json
index d02a60bd22..ac3ab15bde 100644
--- a/modules/document-db/database-account/gremlin-database/graph/main.json
+++ b/modules/document-db/database-account/gremlin-database/graph/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3593445264917455012"
+ "version": "0.22.6.54827",
+ "templateHash": "18333404401527081455"
 },
 "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
 "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json
index f3df7da63e..3a99fdbe58 100644
--- a/modules/document-db/database-account/gremlin-database/main.json
+++ b/modules/document-db/database-account/gremlin-database/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "4256328904115204005"
+ "version": "0.22.6.54827",
+ "templateHash": "15423165717770718605"
 },
 "name": "DocumentDB Database Account Gremlin Databases",
 "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -141,8 +141,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3593445264917455012"
+ "version": "0.22.6.54827",
+ "templateHash": "18333404401527081455"
 },
 "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
 "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json
index a5a0399033..8c6c60a55b 100644
--- a/modules/document-db/database-account/main.json
+++ b/modules/document-db/database-account/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9451370227821690902"
+ "version": "0.22.6.54827",
+ "templateHash": "1321966146332079883"
 },
 "name": "DocumentDB Database Accounts",
 "description": "This module deploys a DocumentDB Database Account.",
@@ -466,8 +466,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5613744277609573742"
+ "version": "0.22.6.54827",
+ "templateHash": "9195274417066284555"
 }
 },
 "parameters": {
@@ -618,8 +618,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "12650326317614213616"
+ "version": "0.22.6.54827",
+ "templateHash": "11353697729412779140"
 },
 "name": "DocumentDB Database Account SQL Databases",
 "description": "This module deploys a SQL Database in a CosmosDB Account.",
@@ -746,8 +746,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "17915639819408167865"
+ "version": "0.22.6.54827",
+ "templateHash": "8116399669974678281"
 },
 "name": "DocumentDB Database Account SQL Database Containers",
 "description": "This module deploys a SQL Database Container in a CosmosDB Account.",
@@ -985,8 +985,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6108492173430130197"
+ "version": "0.22.6.54827",
+ "templateHash": "1822071123668929932"
 },
 "name": "DocumentDB Database Account MongoDB Databases",
 "description": "This module deploys a MongoDB Database within a CosmosDB Account.",
@@ -1103,8 +1103,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15278439403607777812"
+ "version": "0.22.6.54827",
+ "templateHash": "14573428332905458641"
 },
 "name": "DocumentDB Database Account MongoDB Database Collections",
 "description": "This module deploys a MongoDB Database Collection.",
@@ -1275,8 +1275,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3882851808439491481"
+ "version": "0.22.6.54827",
+ "templateHash": "15423165717770718605"
 },
 "name": "DocumentDB Database Account Gremlin Databases",
 "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -1412,8 +1412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16873442968006597080" + "version": "0.22.6.54827", + "templateHash": "18333404401527081455" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", @@ -1603,8 +1603,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1803,8 +1803,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1941,8 +1941,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md index d9c2501383..93ddb86a7f 100644 --- a/modules/document-db/database-account/mongodb-database/README.md +++ b/modules/document-db/database-account/mongodb-database/README.md 
@@ -20,29 +20,69 @@ This module deploys a MongoDB Database within a CosmosDB Account. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the mongodb database. | +| [`name`](#parameter-name) | string | Name of the mongodb database. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseAccountName` | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. | +| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `collections` | array | `[]` | Collections in the mongodb database. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tags` | object | `{object}` | Tags of the resource. | -| `throughput` | int | `400` | Name of the mongodb database. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`collections`](#parameter-collections) | array | Collections in the mongodb database. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`throughput`](#parameter-throughput) | int | Name of the mongodb database. | + +### Parameter: `collections` + +Collections in the mongodb database. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `databaseAccountName` + +The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the mongodb database. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `throughput` + +Name of the mongodb database. +- Required: No +- Type: int +- Default: `400` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the mongodb database. | | `resourceGroupName` | string | The name of the resource group the mongodb database was created in. | diff --git a/modules/document-db/database-account/mongodb-database/collection/README.md b/modules/document-db/database-account/mongodb-database/collection/README.md index c29b48e614..ce98977d82 100644 --- a/modules/document-db/database-account/mongodb-database/collection/README.md +++ b/modules/document-db/database-account/mongodb-database/collection/README.md 
@@ -20,30 +20,74 @@ This module deploys a MongoDB Database Collection. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `indexes` | array | Indexes for the collection. | -| `name` | string | Name of the collection. | -| `shardKey` | object | ShardKey for the collection. | +| [`indexes`](#parameter-indexes) | array | Indexes for the collection. | +| [`name`](#parameter-name) | string | Name of the collection. | +| [`shardKey`](#parameter-shardkey) | object | ShardKey for the collection. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseAccountName` | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. | -| `mongodbDatabaseName` | string | The name of the parent mongodb database. Required if the template is used in a standalone deployment. | +| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. | +| [`mongodbDatabaseName`](#parameter-mongodbdatabasename) | string | The name of the parent mongodb database. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `throughput` | int | `400` | Name of the mongodb database. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`throughput`](#parameter-throughput) | int | Name of the mongodb database. | + +### Parameter: `databaseAccountName` + +The name of the parent Cosmos DB database account. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `indexes` + +Indexes for the collection. +- Required: Yes +- Type: array + +### Parameter: `mongodbDatabaseName` + +The name of the parent mongodb database. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the collection. +- Required: Yes +- Type: string + +### Parameter: `shardKey` + +ShardKey for the collection. +- Required: Yes +- Type: object + +### Parameter: `throughput` + +Name of the mongodb database. +- Required: No +- Type: int +- Default: `400` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the mongodb database. | | `resourceGroupName` | string | The name of the resource group the mongodb database was created in. | diff --git a/modules/document-db/database-account/mongodb-database/collection/main.json b/modules/document-db/database-account/mongodb-database/collection/main.json index a6fa0bc567..7b4dd23c09 100644 --- a/modules/document-db/database-account/mongodb-database/collection/main.json +++ b/modules/document-db/database-account/mongodb-database/collection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12957080003676592321" + "version": "0.22.6.54827", + "templateHash": "14573428332905458641" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/modules/document-db/database-account/mongodb-database/main.json b/modules/document-db/database-account/mongodb-database/main.json index 3446932229..ac1f8b3634 100644 
--- a/modules/document-db/database-account/mongodb-database/main.json +++ b/modules/document-db/database-account/mongodb-database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13972019361365434498" + "version": "0.22.6.54827", + "templateHash": "1822071123668929932" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", @@ -122,8 +122,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12957080003676592321" + "version": "0.22.6.54827", + "templateHash": "14573428332905458641" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/modules/document-db/database-account/sql-database/README.md b/modules/document-db/database-account/sql-database/README.md index 2d6e69f472..83def7fb2b 100644 --- a/modules/document-db/database-account/sql-database/README.md +++ b/modules/document-db/database-account/sql-database/README.md 
@@ -20,30 +20,77 @@ This module deploys a SQL Database in a CosmosDB Account. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the SQL database . | +| [`name`](#parameter-name) | string | Name of the SQL database . | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseAccountName` | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | +| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `autoscaleSettingsMaxThroughput` | int | `-1` | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. | -| `containers` | array | `[]` | Array of containers to deploy in the SQL database. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tags` | object | `{object}` | Tags of the SQL database resource. | -| `throughput` | int | `400` | Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoscaleSettingsMaxThroughput`](#parameter-autoscalesettingsmaxthroughput) | int | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. 
If value is set to -1, then the property will be set to null and autoscale will be disabled. | +| [`containers`](#parameter-containers) | array | Array of containers to deploy in the SQL database. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tags`](#parameter-tags) | object | Tags of the SQL database resource. | +| [`throughput`](#parameter-throughput) | int | Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | + +### Parameter: `autoscaleSettingsMaxThroughput` + +Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `containers` + +Array of containers to deploy in the SQL database. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `databaseAccountName` + +The name of the parent Database Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the SQL database . +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the SQL database resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `throughput` + +Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. +- Required: No +- Type: int +- Default: `400` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the SQL database. 
| | `resourceGroupName` | string | The name of the resource group the SQL database was created in. | diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md index 1e14de9526..a090b1fe3f 100644 --- a/modules/document-db/database-account/sql-database/container/README.md +++ b/modules/document-db/database-account/sql-database/container/README.md 
@@ -20,37 +20,133 @@ This module deploys a SQL Database Container in a CosmosDB Account. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the container. | +| [`name`](#parameter-name) | string | Name of the container. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseAccountName` | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | -| `sqlDatabaseName` | string | The name of the parent SQL Database. Required if the template is used in a standalone deployment. | +| [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. | +| [`sqlDatabaseName`](#parameter-sqldatabasename) | string | The name of the parent SQL Database. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `analyticalStorageTtl` | int | `0` | | Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. | -| `autoscaleSettingsMaxThroughput` | int | `-1` | | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. 
| -| `conflictResolutionPolicy` | object | `{object}` | | The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. | -| `defaultTtl` | int | `-1` | | Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `indexingPolicy` | object | `{object}` | | Indexing policy of the container. | -| `kind` | string | `'Hash'` | `[Hash, MultiHash, Range]` | Indicates the kind of algorithm used for partitioning. | -| `paths` | array | `[]` | | List of paths using which data within the container can be partitioned. | -| `tags` | object | `{object}` | | Tags of the SQL Database resource. | -| `throughput` | int | `400` | | Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | -| `uniqueKeyPolicyKeys` | array | `[]` | | The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`analyticalStorageTtl`](#parameter-analyticalstoragettl) | int | Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. | +| [`autoscaleSettingsMaxThroughput`](#parameter-autoscalesettingsmaxthroughput) | int | Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. 
The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. | +| [`conflictResolutionPolicy`](#parameter-conflictresolutionpolicy) | object | The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. | +| [`defaultTtl`](#parameter-defaultttl) | int | Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`indexingPolicy`](#parameter-indexingpolicy) | object | Indexing policy of the container. | +| [`kind`](#parameter-kind) | string | Indicates the kind of algorithm used for partitioning. | +| [`paths`](#parameter-paths) | array | List of paths using which data within the container can be partitioned. | +| [`tags`](#parameter-tags) | object | Tags of the SQL Database resource. | +| [`throughput`](#parameter-throughput) | int | Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | +| [`uniqueKeyPolicyKeys`](#parameter-uniquekeypolicykeys) | array | The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. | + +### Parameter: `analyticalStorageTtl` + +Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. 
If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `autoscaleSettingsMaxThroughput` + +Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `conflictResolutionPolicy` + +The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `databaseAccountName` + +The name of the parent Database Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `defaultTtl` + +Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `indexingPolicy` + +Indexing policy of the container. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `kind` + +Indicates the kind of algorithm used for partitioning. +- Required: No +- Type: string +- Default: `'Hash'` +- Allowed: `[Hash, MultiHash, Range]` + +### Parameter: `name` + +Name of the container. 
+- Required: Yes +- Type: string + +### Parameter: `paths` + +List of paths using which data within the container can be partitioned. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sqlDatabaseName` + +The name of the parent SQL Database. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the SQL Database resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `throughput` + +Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. +- Required: No +- Type: int +- Default: `400` + +### Parameter: `uniqueKeyPolicyKeys` + +The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the container. | | `resourceGroupName` | string | The name of the resource group the container was created in. | diff --git a/modules/document-db/database-account/sql-database/container/main.json b/modules/document-db/database-account/sql-database/container/main.json index 6986286959..0975283cf0 100644 --- a/modules/document-db/database-account/sql-database/container/main.json +++ b/modules/document-db/database-account/sql-database/container/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14315455818011845279" + "version": "0.22.6.54827", + "templateHash": "8116399669974678281" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", 
diff --git a/modules/document-db/database-account/sql-database/main.json b/modules/document-db/database-account/sql-database/main.json index 145a1881bc..f077897716 100644 --- a/modules/document-db/database-account/sql-database/main.json +++ b/modules/document-db/database-account/sql-database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3181306638327423907" + "version": "0.22.6.54827", + "templateHash": "11353697729412779140" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -132,8 +132,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14315455818011845279" + "version": "0.22.6.54827", + "templateHash": "8116399669974678281" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep index 9a38dc3ee4..868878e147 100644 --- a/modules/event-grid/domain/.test/common/main.test.bicep +++ b/modules/event-grid/domain/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-grid/domain/.test/min/main.test.bicep b/modules/event-grid/domain/.test/min/main.test.bicep index 3fe94445cd..f7238a4aaa 100644 --- a/modules/event-grid/domain/.test/min/main.test.bicep +++ b/modules/event-grid/domain/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 4da7b333e7..1b981ed272 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -5,10 +5,10 @@ This module deploys an Event Grid Domain. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -22,70 +22,29 @@ This module deploys an Event Grid Domain. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Event Grid Domain. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `autoCreateTopicWithFirstSubscription` | bool | `True` | | Location for all Resources. | -| `autoDeleteTopicWithLastSubscription` | bool | `True` | | Location for all Resources. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DeliveryFailures, PublishFailures]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
| -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `inboundIpRules` | array | `[]` | | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `topics` | array | `[]` | | The topic names which are associated with the domain. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the event grid domain. | -| `resourceGroupName` | string | The name of the resource group the event grid domain was deployed into. 
| -| `resourceId` | string | The resource ID of the event grid domain. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.domain:1.0.0`. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -## Deployment examples +### Example 1: _Using large parameter set_ -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +This instance deploys the module with most of its features enabled. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module domain './event-grid/domain/main.bicep' = { +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egdcom' params: { // Required parameters @@ -231,14 +190,17 @@ module domain './event-grid/domain/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module domain './event-grid/domain/main.bicep' = { +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egdmin' params: { // Required parameters @@ -276,14 +238,14 @@ module domain './event-grid/domain/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module domain './event-grid/domain/main.bicep' = { +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egdpe' params: { // Required parameters @@ -366,3 +328,189 @@ module domain './event-grid/domain/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Event Grid Domain. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoCreateTopicWithFirstSubscription`](#parameter-autocreatetopicwithfirstsubscription) | bool | Location for all Resources. | +| [`autoDeleteTopicWithLastSubscription`](#parameter-autodeletetopicwithlastsubscription) | bool | Location for all Resources. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`topics`](#parameter-topics) | array | The topic names which are associated with the domain. | + +### Parameter: `autoCreateTopicWithFirstSubscription` + +Location for all Resources. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `autoDeleteTopicWithLastSubscription` + +Location for all Resources. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DeliveryFailures, PublishFailures]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `inboundIpRules` + +This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Event Grid Domain. 
+- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `topics` + +The topic names which are associated with the domain. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the event grid domain. | +| `resourceGroupName` | string | The name of the resource group the event grid domain was deployed into. | +| `resourceId` | string | The resource ID of the event grid domain. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json
index 84acd63341..dcfe142327 100644
--- a/modules/event-grid/domain/main.json
+++ b/modules/event-grid/domain/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7818867267496589436"
+ "version": "0.22.6.54827",
+ "templateHash": "7856347884267755946"
 },
 "name": "Event Grid Domains",
 "description": "This module deploys an Event Grid Domain.",
@@ -284,8 +284,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3376028275602435166"
+ "version": "0.22.6.54827",
+ "templateHash": "13108601447016690436"
 },
 "name": "Event Grid Domain Topics",
 "description": "This module deploys an Event Grid Domain Topic.",
@@ -415,8 +415,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -615,8 +615,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -753,8 +753,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
@@ -967,8 +967,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16462235446782187240"
+ "version": "0.22.6.54827",
+ "templateHash": "1659842695042016822"
 }
 },
 "parameters": {
diff --git a/modules/event-grid/domain/topic/README.md b/modules/event-grid/domain/topic/README.md
index d34ee64a33..f4c4b1a733 100644
--- a/modules/event-grid/domain/topic/README.md
+++ b/modules/event-grid/domain/topic/README.md
@@ -19,27 +19,53 @@ This module deploys an Event Grid Domain Topic. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Event Grid Domain Topic. | +| [`name`](#parameter-name) | string | The name of the Event Grid Domain Topic. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `domainName` | string | The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment. | +| [`domainName`](#parameter-domainname) | string | The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all Resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all Resources. | + +### Parameter: `domainName` + +The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Event Grid Domain Topic. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the event grid topic. | | `resourceGroupName` | string | The name of the resource group the event grid topic was deployed into. | diff --git a/modules/event-grid/domain/topic/main.json b/modules/event-grid/domain/topic/main.json index 8b821bd6f1..c640f2628c 100644 --- a/modules/event-grid/domain/topic/main.json +++ b/modules/event-grid/domain/topic/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15871414282174794846" + "version": "0.22.6.54827", + "templateHash": "13108601447016690436" }, "name": "Event Grid Domain Topics", "description": "This module deploys an Event Grid Domain Topic.", diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep index d5cd6b5f79..316cfc5c48 100644 --- a/modules/event-grid/system-topic/.test/common/main.test.bicep +++ b/modules/event-grid/system-topic/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-grid/system-topic/.test/min/main.test.bicep b/modules/event-grid/system-topic/.test/min/main.test.bicep index 89d438902b..52ccd0b7bc 100644 --- a/modules/event-grid/system-topic/.test/min/main.test.bicep +++ b/modules/event-grid/system-topic/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index a1fbd8ae6d..e605059de0 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -5,10 +5,10 @@ This module deploys an Event Grid System Topic. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,66 +20,28 @@ This module deploys an Event Grid System Topic. | `Microsoft.EventGrid/systemTopics/eventSubscriptions` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2022-06-15/systemTopics/eventSubscriptions) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Event Grid Topic. | -| `source` | string | Source for the system topic. | -| `topicType` | string | TopicType for the system topic. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.system-topic:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DeliveryFailures]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventSubscriptions` | array | `[]` | | Event subscriptions to deploy. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the event grid system topic. 
| -| `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into. | -| `resourceId` | string | The resource ID of the event grid system topic. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module systemTopic './event-grid/system-topic/main.bicep' = { +module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egstcom' params: { // Required parameters @@ -227,14 +189,17 @@ module systemTopic './event-grid/system-topic/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module systemTopic './event-grid/system-topic/main.bicep' = { +module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egstmin' params: { // Required parameters @@ -279,3 +244,175 @@ module systemTopic './event-grid/system-topic/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Event Grid Topic. | +| [`source`](#parameter-source) | string | Source for the system topic. | +| [`topicType`](#parameter-topictype) | string | TopicType for the system topic. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. 
| +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DeliveryFailures]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventSubscriptions` + +Event subscriptions to deploy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Event Grid Topic. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `source` + +Source for the system topic. +- Required: Yes +- Type: string + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `topicType` + +TopicType for the system topic. 
+- Required: Yes +- Type: string + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the event grid system topic. | +| `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into. | +| `resourceId` | string | The resource ID of the event grid system topic. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ diff --git a/modules/event-grid/system-topic/event-subscription/README.md b/modules/event-grid/system-topic/event-subscription/README.md index 0ec60e8c50..d488702524 100644 --- a/modules/event-grid/system-topic/event-subscription/README.md +++ b/modules/event-grid/system-topic/event-subscription/README.md 
@@ -19,31 +19,120 @@ This module deploys an Event Grid System Topic Event Subscription. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `destination` | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). | -| `name` | string | The name of the Event Subscription. | -| `systemTopicName` | string | Name of the Event Grid System Topic. | +| [`destination`](#parameter-destination) | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). | +| [`name`](#parameter-name) | string | The name of the Event Subscription. | +| [`systemTopicName`](#parameter-systemtopicname) | string | Name of the Event Grid System Topic. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `deadLetterDestination` | object | `{object}` | | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). | -| `deadLetterWithResourceIdentity` | object | `{object}` | | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). | -| `deliveryWithResourceIdentity` | object | `{object}` | | Delivery with Resource Identity Configuration. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventDeliverySchema` | string | `'EventGridSchema'` | `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]` | The event delivery schema for the event subscription. | -| `expirationTimeUtc` | string | `''` | | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). | -| `filter` | object | `{object}` | | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). | -| `labels` | array | `[]` | | The list of user defined labels. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `retryPolicy` | object | `{object}` | | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`deadLetterDestination`](#parameter-deadletterdestination) | object | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). | +| [`deadLetterWithResourceIdentity`](#parameter-deadletterwithresourceidentity) | object | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). 
| +| [`deliveryWithResourceIdentity`](#parameter-deliverywithresourceidentity) | object | Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventDeliverySchema`](#parameter-eventdeliveryschema) | string | The event delivery schema for the event subscription. | +| [`expirationTimeUtc`](#parameter-expirationtimeutc) | string | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). | +| [`filter`](#parameter-filter) | object | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). | +| [`labels`](#parameter-labels) | array | The list of user defined labels. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | + +### Parameter: `deadLetterDestination` + +Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `deadLetterWithResourceIdentity` + +Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `deliveryWithResourceIdentity` + +Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `destination` + +The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). +- Required: Yes +- Type: object + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventDeliverySchema` + +The event delivery schema for the event subscription. +- Required: No +- Type: string +- Default: `'EventGridSchema'` +- Allowed: `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]` + +### Parameter: `expirationTimeUtc` + +The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `filter` + +The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `labels` + +The list of user defined labels. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Event Subscription. +- Required: Yes +- Type: string + +### Parameter: `retryPolicy` + +The retry policy for events. 
This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `systemTopicName` + +Name of the Event Grid System Topic. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the event subscription. | diff --git a/modules/event-grid/system-topic/event-subscription/main.json b/modules/event-grid/system-topic/event-subscription/main.json index d01d0b7544..1b3870ba98 100644 --- a/modules/event-grid/system-topic/event-subscription/main.json +++ b/modules/event-grid/system-topic/event-subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2662254923590356448" + "version": "0.22.6.54827", + "templateHash": "10392297144322720436" }, "name": "Event Grid System Topic Event Subscriptions", "description": "This module deploys an Event Grid System Topic Event Subscription.", diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json index a5d5a0f260..d47e0b9d3f 100644 --- a/modules/event-grid/system-topic/main.json +++ b/modules/event-grid/system-topic/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12331506143348068786" + "version": "0.22.6.54827", + "templateHash": "13215489869065606829" }, "name": "Event Grid System Topics", "description": "This module deploys an Event Grid System Topic.", 
@@ -276,8 +276,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12279525611210070078" + "version": "0.22.6.54827", + "templateHash": "10392297144322720436" }, "name": "Event Grid System Topic Event Subscriptions", "description": "This module deploys an Event Grid System Topic Event Subscription.", @@ -481,8 +481,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3745938905849630295" + "version": "0.22.6.54827", + "templateHash": "12562324298360461829" } }, "parameters": { diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep index c55aa3de33..b78bcf0f8c 100644 --- a/modules/event-grid/topic/.test/common/main.test.bicep +++ b/modules/event-grid/topic/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-grid/topic/.test/min/main.test.bicep b/modules/event-grid/topic/.test/min/main.test.bicep index f55b6f3f86..6e3cc70796 100644 --- a/modules/event-grid/topic/.test/min/main.test.bicep +++ b/modules/event-grid/topic/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 2bf435446a..db0e345ab6 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md 
@@ -5,10 +5,10 @@ This module deploys an Event Grid Topic. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -22,68 +22,29 @@ This module deploys an Event Grid Topic. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Event Grid Topic. | - -**Optional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DeliveryFailures, PublishFailures]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
| -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventSubscriptions` | array | `[]` | | Event subscriptions to deploy. | -| `inboundIpRules` | array | `[]` | | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.topic:1.0.0`. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. 
| -| `name` | string | The name of the event grid topic. | -| `resourceGroupName` | string | The name of the resource group the event grid topic was deployed into. | -| `resourceId` | string | The resource ID of the event grid topic. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module topic './event-grid/topic/main.bicep' = { +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egtcom' params: { // Required parameters @@ -271,14 +232,17 @@ module topic './event-grid/topic/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module topic './event-grid/topic/main.bicep' = { +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egtmin' params: { // Required parameters @@ -316,14 +280,14 @@ module topic './event-grid/topic/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module topic './event-grid/topic/main.bicep' = { +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-egtpe' params: { // Required parameters @@ -406,3 +370,173 @@ module topic './event-grid/topic/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Event Grid Topic. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | +| [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. 
| +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DeliveryFailures, PublishFailures]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventSubscriptions` + +Event subscriptions to deploy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `inboundIpRules` + +This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Event Grid Topic. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. 
For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the event grid topic. | +| `resourceGroupName` | string | The name of the resource group the event grid topic was deployed into. | +| `resourceId` | string | The resource ID of the event grid topic. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/event-grid/topic/event-subscription/README.md b/modules/event-grid/topic/event-subscription/README.md index ae0aee3b5d..ddfd871622 100644 --- a/modules/event-grid/topic/event-subscription/README.md +++ b/modules/event-grid/topic/event-subscription/README.md 
@@ -19,31 +19,120 @@ This module deploys an Event Grid Topic Event Subscription. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `destination` | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). | -| `name` | string | The name of the Event Subscription. | -| `topicName` | string | Name of the Event Grid Topic. | +| [`destination`](#parameter-destination) | object | The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). | +| [`name`](#parameter-name) | string | The name of the Event Subscription. | +| [`topicName`](#parameter-topicname) | string | Name of the Event Grid Topic. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `deadLetterDestination` | object | `{object}` | | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). | -| `deadLetterWithResourceIdentity` | object | `{object}` | | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). | -| `deliveryWithResourceIdentity` | object | `{object}` | | Delivery with Resource Identity Configuration. 
(See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventDeliverySchema` | string | `'EventGridSchema'` | `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]` | The event delivery schema for the event subscription. | -| `expirationTimeUtc` | string | `''` | | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). | -| `filter` | object | `{object}` | | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). | -| `labels` | array | `[]` | | The list of user defined labels. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `retryPolicy` | object | `{object}` | | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`deadLetterDestination`](#parameter-deadletterdestination) | object | Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). | +| [`deadLetterWithResourceIdentity`](#parameter-deadletterwithresourceidentity) | object | Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). 
| +| [`deliveryWithResourceIdentity`](#parameter-deliverywithresourceidentity) | object | Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventDeliverySchema`](#parameter-eventdeliveryschema) | string | The event delivery schema for the event subscription. | +| [`expirationTimeUtc`](#parameter-expirationtimeutc) | string | The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). | +| [`filter`](#parameter-filter) | object | The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). | +| [`labels`](#parameter-labels) | array | The list of user defined labels. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | + +### Parameter: `deadLetterDestination` + +Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `deadLetterWithResourceIdentity` + +Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `deliveryWithResourceIdentity` + +Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `destination` + +The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). +- Required: Yes +- Type: object + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventDeliverySchema` + +The event delivery schema for the event subscription. +- Required: No +- Type: string +- Default: `'EventGridSchema'` +- Allowed: `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]` + +### Parameter: `expirationTimeUtc` + +The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `filter` + +The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `labels` + +The list of user defined labels. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Event Subscription. +- Required: Yes +- Type: string + +### Parameter: `retryPolicy` + +The retry policy for events. 
This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `topicName` + +Name of the Event Grid Topic. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the event subscription. | diff --git a/modules/event-grid/topic/event-subscription/main.json b/modules/event-grid/topic/event-subscription/main.json index 37e87b702f..9891a17599 100644 --- a/modules/event-grid/topic/event-subscription/main.json +++ b/modules/event-grid/topic/event-subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1847712751203709530" + "version": "0.22.6.54827", + "templateHash": "2222106647839764321" }, "name": "EventGrid Topic Event Subscriptions", "description": "This module deploys an Event Grid Topic Event Subscription.", diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 7d6e63ce94..f60d2077df 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2223845646859059604" + "version": "0.22.6.54827", + "templateHash": "17347618398012771479" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", @@ -275,8 +275,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6395050115112731120" + "version": "0.22.6.54827", + "templateHash": "2222106647839764321" }, "name": "EventGrid Topic Event Subscriptions", "description": "This module deploys an Event Grid Topic Event Subscription.", 
@@ -492,8 +492,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -692,8 +692,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -830,8 +830,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1044,8 +1044,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13615997203559529091" + "version": "0.22.6.54827", + "templateHash": "8293298385688392206" } }, "parameters": { diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index 171a1bad4f..9852491947 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-hub/namespace/.test/min/main.test.bicep b/modules/event-hub/namespace/.test/min/main.test.bicep index a1b2f4684b..282a233685 100644 --- a/modules/event-hub/namespace/.test/min/main.test.bicep +++ b/modules/event-hub/namespace/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 51e0ddece9..de5b7fa061 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -5,10 +5,10 @@ This module deploys an Event Hub Namespace. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -27,91 +27,30 @@ This module deploys an Event Hub Namespace. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the event hub namespace. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | - -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-hub.namespace:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Event Hub namespace. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. 
Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ApplicationMetricsLogs, ArchiveLogs, AutoScaleLogs, CustomerManagedKeyUserLogs, EventHubVNetConnectionEvent, KafkaCoordinatorLogs, KafkaUserErrorLogs, OperationalLogs, RuntimeAuditLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableLocalAuth` | bool | `True` | | This property disables SAS authentication for the Event Hubs namespace. | -| `disasterRecoveryConfig` | _[disasterRecoveryConfig](disaster-recovery-config/README.md)_ object | `{object}` | | The disaster recovery config for this namespace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `eventhubs` | array | `[]` | | The event hubs to deploy into this namespace. | -| `isAutoInflateEnabled` | bool | `False` | | Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. | -| `kafkaEnabled` | bool | `False` | | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maximumThroughputUnits` | int | `1` | | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | -| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | The minimum TLS version for the cluster to support. | -| `networkRuleSets` | object | `{object}` | | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled, SecuredByPerimeter]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `requireInfrastructureEncryption` | bool | `False` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuCapacity` | int | `1` | | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. | -| `skuName` | string | `'Standard'` | `[Basic, Premium, Standard]` | event hub plan SKU name. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `zoneRedundant` | bool | `False` | | Switch to make the Event Hub Namespace zone redundant. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) +- [Pe](#example-4-pe) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the eventspace. | -| `resourceGroupName` | string | The resource group where the namespace is deployed. | -| `resourceId` | string | The resource ID of the eventspace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module namespace './event-hub/namespace/main.bicep' = { +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ehncom' params: { // Required parameters @@ -491,14 +430,14 @@ module namespace './event-hub/namespace/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module namespace './event-hub/namespace/main.bicep' = { +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ehnenc' params: { // Required parameters @@ -584,14 +523,17 @@ module namespace './event-hub/namespace/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module namespace './event-hub/namespace/main.bicep' = { +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ehnmin' params: { // Required parameters @@ -629,14 +571,14 @@ module namespace './event-hub/namespace/main.bicep' = {

-

Example 4: Pe

+### Example 4: _Pe_
via Bicep module ```bicep -module namespace './event-hub/namespace/main.bicep' = { +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ehnpe' params: { // Required parameters @@ -731,3 +673,317 @@ module namespace './event-hub/namespace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the event hub namespace. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Event Hub namespace. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Event Hubs namespace. | +| [`disasterRecoveryConfig`](#parameter-disasterrecoveryconfig) | object | The disaster recovery config for this namespace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventhubs`](#parameter-eventhubs) | array | The event hubs to deploy into this namespace. | +| [`isAutoInflateEnabled`](#parameter-isautoinflateenabled) | bool | Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. | +| [`kafkaEnabled`](#parameter-kafkaenabled) | bool | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maximumThroughputUnits`](#parameter-maximumthroughputunits) | int | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | +| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. 
| +| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuCapacity`](#parameter-skucapacity) | int | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. | +| [`skuName`](#parameter-skuname) | string | event hub plan SKU name. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. 
| +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the Event Hub Namespace zone redundant. | + +### Parameter: `authorizationRules` + +Authorization Rules for the Event Hub namespace. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, ApplicationMetricsLogs, ArchiveLogs, AutoScaleLogs, CustomerManagedKeyUserLogs, EventHubVNetConnectionEvent, KafkaCoordinatorLogs, KafkaUserErrorLogs, OperationalLogs, RuntimeAuditLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +This property disables SAS authentication for the Event Hubs namespace. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `disasterRecoveryConfig` + +The disaster recovery config for this namespace. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventhubs` + +The event hubs to deploy into this namespace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `isAutoInflateEnabled` + +Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `kafkaEnabled` + +Value that indicates whether Kafka is enabled for Event Hubs Namespace. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maximumThroughputUnits` + +Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `minimumTlsVersion` + +The minimum TLS version for the cluster to support. +- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2]` + +### Parameter: `name` + +The name of the event hub namespace. +- Required: Yes +- Type: string + +### Parameter: `networkRuleSets` + +Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled, SecuredByPerimeter]` + +### Parameter: `requireInfrastructureEncryption` + +Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuCapacity` + +The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `skuName` + +event hub plan SKU name. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Basic, Premium, Standard]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +Switch to make the Event Hub Namespace zone redundant. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the eventspace. | +| `resourceGroupName` | string | The resource group where the namespace is deployed. | +| `resourceId` | string | The resource ID of the eventspace. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
|
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/event-hub/namespace/authorization-rule/README.md b/modules/event-hub/namespace/authorization-rule/README.md
index b9ccc45325..bbc74cf9cc 100644
--- a/modules/event-hub/namespace/authorization-rule/README.md
+++ b/modules/event-hub/namespace/authorization-rule/README.md
@@ -19,27 +19,54 @@ This module deploys an Event Hub Namespace Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | +| [`name`](#parameter-name) | string | The name of the authorization rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the authorization rule. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent event hub namespace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. 
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[Listen, Manage, Send]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the resource group the authorization rule was created in. |
diff --git a/modules/event-hub/namespace/disaster-recovery-config/README.md b/modules/event-hub/namespace/disaster-recovery-config/README.md
index fdd92ebc09..d9ccac42a8 100644
--- a/modules/event-hub/namespace/disaster-recovery-config/README.md
+++ b/modules/event-hub/namespace/disaster-recovery-config/README.md
@@ -19,27 +19,53 @@ This module deploys an Event Hub Namespace Disaster Recovery Config. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the disaster recovery config. | +| [`name`](#parameter-name) | string | The name of the disaster recovery config. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `partnerNamespaceId` | string | `''` | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`partnerNamespaceId`](#parameter-partnernamespaceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the disaster recovery config. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent event hub namespace. Required if the template is used in a standalone deployment. 
+- Required: Yes
+- Type: string
+
+### Parameter: `partnerNamespaceId`
+
+Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.
+- Required: No
+- Type: string
+- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the disaster recovery config. | | `resourceGroupName` | string | The name of the resource group the disaster recovery config was created in. |
diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md
index de5de70349..006f14d3e3 100644
--- a/modules/event-hub/namespace/eventhub/README.md
+++ b/modules/event-hub/namespace/eventhub/README.md
@@ -4,12 +4,12 @@ This module deploys an Event Hub Namespace Event Hub. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- |
@@ -23,45 +23,201 @@ This module deploys an Event Hub Namespace Event Hub.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the event hub. |
+| [`name`](#parameter-name) | string | The name of the event hub. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the event hub. |
-| `captureDescriptionDestinationArchiveNameFormat` | string | `'{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'` | | Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order. |
-| `captureDescriptionDestinationBlobContainer` | string | `''` | | Blob container Name. |
-| `captureDescriptionDestinationName` | string | `'EventHubArchive.AzureBlockBlob'` | | Name for capture destination. |
-| `captureDescriptionDestinationStorageAccountResourceId` | string | `''` | | Resource ID of the storage account to be used to create the blobs. |
-| `captureDescriptionEnabled` | bool | `False` | | A value that indicates whether capture description is enabled. |
-| `captureDescriptionEncoding` | string | `'Avro'` | `[Avro, AvroDeflate]` | Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version. |
-| `captureDescriptionIntervalInSeconds` | int | `300` | | The time window allows you to set the frequency with which the capture to Azure Blobs will happen. |
-| `captureDescriptionSizeLimitInBytes` | int | `314572800` | | The size window defines the amount of data built up in your Event Hub before an capture operation. |
-| `captureDescriptionSkipEmptyArchives` | bool | `False` | | A value that indicates whether to Skip Empty Archives. |
-| `consumergroups` | array | `[System.Management.Automation.OrderedHashtable]` | | The consumer groups to create in this event hub instance. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `messageRetentionInDays` | int | `1` | | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". |
-| `partitionCount` | int | `2` | | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. |
-| `retentionDescriptionCleanupPolicy` | string | `'Delete'` | `[Compact, Delete]` | Retention cleanup policy. Enumerates the possible values for cleanup policy. |
-| `retentionDescriptionRetentionTimeInHours` | int | `1` | | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. |
-| `retentionDescriptionTombstoneRetentionTimeInHours` | int | `1` | | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of the Event Hub. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the event hub. |
+| [`captureDescriptionDestinationArchiveNameFormat`](#parameter-capturedescriptiondestinationarchivenameformat) | string | Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order. |
+| [`captureDescriptionDestinationBlobContainer`](#parameter-capturedescriptiondestinationblobcontainer) | string | Blob container Name. |
+| [`captureDescriptionDestinationName`](#parameter-capturedescriptiondestinationname) | string | Name for capture destination. |
+| [`captureDescriptionDestinationStorageAccountResourceId`](#parameter-capturedescriptiondestinationstorageaccountresourceid) | string | Resource ID of the storage account to be used to create the blobs. |
+| [`captureDescriptionEnabled`](#parameter-capturedescriptionenabled) | bool | A value that indicates whether capture description is enabled. |
+| [`captureDescriptionEncoding`](#parameter-capturedescriptionencoding) | string | Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version. |
+| [`captureDescriptionIntervalInSeconds`](#parameter-capturedescriptionintervalinseconds) | int | The time window allows you to set the frequency with which the capture to Azure Blobs will happen. |
+| [`captureDescriptionSizeLimitInBytes`](#parameter-capturedescriptionsizelimitinbytes) | int | The size window defines the amount of data built up in your Event Hub before an capture operation. |
+| [`captureDescriptionSkipEmptyArchives`](#parameter-capturedescriptionskipemptyarchives) | bool | A value that indicates whether to Skip Empty Archives. |
+| [`consumergroups`](#parameter-consumergroups) | array | The consumer groups to create in this event hub instance. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`messageRetentionInDays`](#parameter-messageretentionindays) | int | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". |
+| [`partitionCount`](#parameter-partitioncount) | int | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. |
+| [`retentionDescriptionCleanupPolicy`](#parameter-retentiondescriptioncleanuppolicy) | string | Retention cleanup policy. Enumerates the possible values for cleanup policy. |
+| [`retentionDescriptionRetentionTimeInHours`](#parameter-retentiondescriptionretentiontimeinhours) | int | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. |
+| [`retentionDescriptionTombstoneRetentionTimeInHours`](#parameter-retentiondescriptiontombstoneretentiontimeinhours) | int | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`status`](#parameter-status) | string | Enumerates the possible values for the status of the Event Hub. |
+
+### Parameter: `authorizationRules`
+
+Authorization Rules for the event hub.
+- Required: No
+- Type: array
+- Default: `[System.Management.Automation.OrderedHashtable]`
+
+### Parameter: `captureDescriptionDestinationArchiveNameFormat`
+
+Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order.
+- Required: No
+- Type: string
+- Default: `'{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'`
+
+### Parameter: `captureDescriptionDestinationBlobContainer`
+
+Blob container Name.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `captureDescriptionDestinationName`
+
+Name for capture destination.
+- Required: No
+- Type: string
+- Default: `'EventHubArchive.AzureBlockBlob'`
+
+### Parameter: `captureDescriptionDestinationStorageAccountResourceId`
+
+Resource ID of the storage account to be used to create the blobs.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `captureDescriptionEnabled`
+
+A value that indicates whether capture description is enabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `captureDescriptionEncoding`
+
+Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version.
+- Required: No
+- Type: string
+- Default: `'Avro'`
+- Allowed: `[Avro, AvroDeflate]`
+
+### Parameter: `captureDescriptionIntervalInSeconds`
+
+The time window allows you to set the frequency with which the capture to Azure Blobs will happen.
+- Required: No
+- Type: int
+- Default: `300`
+
+### Parameter: `captureDescriptionSizeLimitInBytes`
+
+The size window defines the amount of data built up in your Event Hub before an capture operation.
+- Required: No
+- Type: int
+- Default: `314572800`
+
+### Parameter: `captureDescriptionSkipEmptyArchives`
+
+A value that indicates whether to Skip Empty Archives.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `consumergroups`
+
+The consumer groups to create in this event hub instance.
+- Required: No
+- Type: array
+- Default: `[System.Management.Automation.OrderedHashtable]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `messageRetentionInDays`
+
+Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact".
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `name`
+
+The name of the event hub.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `partitionCount`
+
+Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions.
+- Required: No
+- Type: int
+- Default: `2`
+
+### Parameter: `retentionDescriptionCleanupPolicy`
+
+Retention cleanup policy. Enumerates the possible values for cleanup policy.
+- Required: No
+- Type: string
+- Default: `'Delete'`
+- Allowed: `[Compact, Delete]`
+
+### Parameter: `retentionDescriptionRetentionTimeInHours`
+
+Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `retentionDescriptionTombstoneRetentionTimeInHours`
+
+Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `status`
+
+Enumerates the possible values for the status of the Event Hub.
+- Required: No
+- Type: string
+- Default: `'Active'`
+- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `eventHubId` | string | The resource ID of the event hub. |
 | `name` | string | The name of the event hub. |
diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/README.md b/modules/event-hub/namespace/eventhub/authorization-rule/README.md
index eef9d6b375..5abe5dafa8 100644
--- a/modules/event-hub/namespace/eventhub/authorization-rule/README.md
+++ b/modules/event-hub/namespace/eventhub/authorization-rule/README.md
@@ -19,28 +19,61 @@ This module deploys an Event Hub Namespace Event Hub Authorization Rule.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the authorization rule. |
+| [`name`](#parameter-name) | string | The name of the authorization rule. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `eventHubName` | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
-| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
+| [`eventHubName`](#parameter-eventhubname) | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `eventHubName`
+
+The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+The name of the authorization rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `rights`
+
+The rights associated with the rule.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[Listen, Manage, Send]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the authorization rule. |
 | `resourceGroupName` | string | The name of the resource group the authorization rule was created in. |
diff --git a/modules/event-hub/namespace/eventhub/consumergroup/README.md b/modules/event-hub/namespace/eventhub/consumergroup/README.md
index 4749095254..589b4fa044 100644
--- a/modules/event-hub/namespace/eventhub/consumergroup/README.md
+++ b/modules/event-hub/namespace/eventhub/consumergroup/README.md
@@ -19,28 +19,60 @@ This module deploys an Event Hub Namespace Event Hub Consumer Group.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the consumer group. |
+| [`name`](#parameter-name) | string | The name of the consumer group. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `eventHubName` | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
-| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s. |
+| [`eventHubName`](#parameter-eventhubname) | string | The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `userMetadata` | string | `''` | User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`userMetadata`](#parameter-usermetadata) | string | User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `eventHubName`
+
+The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+The name of the consumer group.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s.
+- Required: Yes
+- Type: string
+
+### Parameter: `userMetadata`
+
+User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the consumer group. |
 | `resourceGroupName` | string | The name of the resource group the consumer group was created in. |
diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md
index 4d10778ca7..a0ac082d1c 100644
--- a/modules/event-hub/namespace/network-rule-set/README.md
+++ b/modules/event-hub/namespace/network-rule-set/README.md
@@ -19,25 +19,75 @@ This module deploys an Event Hub Namespace Network Rule Set.
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `ipRules` | array | `[]` | | An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
-| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
-| `virtualNetworkRules` | array | `[]` | | An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`ipRules`](#parameter-iprules) | array | An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
+| [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
+| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+
+### Parameter: `defaultAction`
+
+Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.
+- Required: No
+- Type: string
+- Default: `'Allow'`
+- Allowed: `[Allow, Deny]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `ipRules`
+
+An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `namespaceName`
+
+The name of the parent event hub namespace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `publicNetworkAccess`
+
+This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `trustedServiceAccessEnabled`
+
+Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `virtualNetworkRules`
+
+An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
+- Required: No
+- Type: array
+- Default: `[]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the network rule set. |
 | `resourceGroupName` | string | The name of the resource group the network rule set was created in. |
diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/.test/common/main.test.bicep
index 7ec0798687..25523eb3d0 100644
--- a/modules/health-bot/health-bot/.test/common/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/health-bot/health-bot/.test/min/main.test.bicep b/modules/health-bot/health-bot/.test/min/main.test.bicep
index 7810dc31de..6c9996b611 100644
--- a/modules/health-bot/health-bot/.test/min/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index f56a72df16..fe8b3adee4 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -5,10 +5,10 @@ This module deploys an Azure Health Bot.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -18,55 +18,28 @@ This module deploys an Azure Health Bot. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.HealthBot/healthBots` | [2022-08-08](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthBot/2022-08-08/healthBots) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the resource. | -| `sku` | string | `[C0, F0, S1]` | The name of the Azure Health Bot SKU. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the health bot. | -| `resourceGroupName` | string | The resource group the health bot was deployed into. | -| `resourceId` | string | The resource ID of the health bot. 
| +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/health-bot.health-bot:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module healthBot './health-bot/health-bot/main.bicep' = { +module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-hbhbcom' params: { // Required parameters @@ -152,14 +125,17 @@ module healthBot './health-bot/health-bot/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module healthBot './health-bot/health-bot/main.bicep' = { +module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-hbhbmin' params: { // Required parameters @@ -200,3 +176,94 @@ module healthBot './health-bot/health-bot/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the resource. | +| [`sku`](#parameter-sku) | string | The name of the Azure Health Bot SKU. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the resource. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The name of the Azure Health Bot SKU. +- Required: Yes +- Type: string +- Allowed: `[C0, F0, S1]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the health bot. | +| `resourceGroupName` | string | The resource group the health bot was deployed into. | +| `resourceId` | string | The resource ID of the health bot. | + +## Cross-referenced modules + +_None_ diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json index 1b2888ef2a..517c93ef00 100644 --- a/modules/health-bot/health-bot/main.json +++ b/modules/health-bot/health-bot/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13417269663268591312" + "version": "0.22.6.54827", + "templateHash": "1397739701759067802" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.", @@ -156,8 +156,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9746468105018607304" + "version": "0.22.6.54827", + "templateHash": "4105513755228551985" } }, "parameters": { diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep index 2baa190bdb..e64ff1eea7 100644 
--- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep +++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/healthcare-apis/workspace/.test/min/main.test.bicep b/modules/healthcare-apis/workspace/.test/min/main.test.bicep index 6399106a53..95061177c5 100644 --- a/modules/healthcare-apis/workspace/.test/min/main.test.bicep +++ b/modules/healthcare-apis/workspace/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 8e99abc232..075bb5dbba 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -5,10 +5,10 @@ This module deploys a Healthcare API Workspace. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -24,155 +24,28 @@ This module deploys a Healthcare API Workspace. | `Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations` | [2022-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.HealthcareApis/workspaces) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Health Data Services Workspace service. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `dicomservices` | array | `[]` | | Deploy DICOM services. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `fhirservices` | array | `[]` | | Deploy FHIR services. | -| `iotconnectors` | array | `[]` | | Deploy IOT connectors. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -### Parameter Usage: `fhirservices` - -Create a FHIR service with the workspace. - -

- -Parameter JSON format - -```json -"fhirServices": { - "value": [ - { - "name": "[[namePrefix]]-az-fhir-x-001", - "kind": "fhir-R4", - "workspaceName": "[[namePrefix]]001", - "corsOrigins": [ "*" ], - "corsHeaders": [ "*" ], - "corsMethods": [ "GET" ], - "corsMaxAge": 600, - "corsAllowCredentials": false, - "location": "[[location]]", - "diagnosticStorageAccountId": "[[storageAccountResourceId]]", - "diagnosticWorkspaceId": "[[logAnalyticsWorkspaceResourceId]]", - "diagnosticEventHubAuthorizationRuleId": "[[eventHubAuthorizationRuleId]]", - "diagnosticEventHubName": "[[eventHubNamespaceEventHubName]]", - "publicNetworkAccess": "Enabled", - "resourceVersionPolicy": "versioned", - "smartProxyEnabled": false, - "enableDefaultTelemetry": false, - "systemAssignedIdentity": true, - "importEnabled": false, - "initialImportMode": false, - "userAssignedIdentities": { - "[[managedIdentityResourceId]]": {} - }, - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Role Name", - "principalIds": [ - "managedIdentityPrincipalId" - ], - "principalType": "ServicePrincipal" - } - ] - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -fhirServices: [ - { - name: '[[namePrefix]]-az-fhir-x-001' - kind: 'fhir-R4' - workspaceName: '[[namePrefix]]001' - corsOrigins: [ '*' ] - corsHeaders: [ '*' ] - corsMethods: [ 'GET' ] - corsMaxAge: 600 - corsAllowCredentials: false - location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - publicNetworkAccess: 'Enabled' - resourceVersionPolicy: 'versioned' - smartProxyEnabled: false - enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: true - importEnabled: false - initialImportMode: false - userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} - } - roleAssignments: [ - { - roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') - principalIds: [ - resourceGroupResources.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - } -] -``` - -
-

- - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the health data services workspace. | -| `resourceGroupName` | string | The resource group where the workspace is deployed. | -| `resourceId` | string | The resource ID of the health data services workspace. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/healthcare-apis.workspace:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module workspace './healthcare-apis/workspace/main.bicep' = { +module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { name: '${uniqueString(deployment().name)}-test-hawcom' params: { // Required parameters @@ -378,14 +251,17 @@ module workspace './healthcare-apis/workspace/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module workspace './healthcare-apis/workspace/main.bicep' = { +module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { name: '${uniqueString(deployment().name)}-test-hawmin' params: { // Required parameters @@ -432,6 +308,113 @@ module workspace './healthcare-apis/workspace/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Health Data Services Workspace service. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dicomservices`](#parameter-dicomservices) | array | Deploy DICOM services. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`fhirservices`](#parameter-fhirservices) | array | Deploy FHIR services. | +| [`iotconnectors`](#parameter-iotconnectors) | array | Deploy IOT connectors. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `dicomservices` + +Deploy DICOM services. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `fhirservices` + +Deploy FHIR services. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `iotconnectors` + +Deploy IOT connectors. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Health Data Services Workspace service. +- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccess` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the health data services workspace. | +| `resourceGroupName` | string | The resource group where the workspace is deployed. | +| `resourceId` | string | The resource ID of the health data services workspace. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `iotconnectors` diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index f335d27de0..4fa8abe468 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md 
+++ b/modules/healthcare-apis/workspace/dicomservice/README.md 
@@ -21,43 +21,185 @@ This module deploys a Healthcare API Workspace DICOM Service. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the DICOM service. | +| [`name`](#parameter-name) | string | The name of the DICOM service. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `workspaceName` | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `corsAllowCredentials` | bool | `False` | | Use this setting to indicate that cookies should be included in CORS requests. | -| `corsHeaders` | array | `[]` | | Specify HTTP headers which can be used during the request. Use "*" for any header. | -| `corsMaxAge` | int | `-1` | | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | -| `corsMethods` | array | `[]` | `[DELETE, GET, OPTIONS, PATCH, POST, PUT]` | Specify the allowed HTTP methods. | -| `corsOrigins` | array | `[]` | | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| -| `diagnosticLogCategoriesToEnable` | array | `[AuditLogs]` | `[AuditLogs]` | The name of logs that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`corsAllowCredentials`](#parameter-corsallowcredentials) | bool | Use this setting to indicate that cookies should be included in CORS requests. | +| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. | +| [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | +| [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. | +| [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. 
| +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `corsAllowCredentials` + +Use this setting to indicate that cookies should be included in CORS requests. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `corsHeaders` + +Specify HTTP headers which can be used during the request. Use "*" for any header. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `corsMaxAge` + +Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `corsMethods` + +Specify the allowed HTTP methods. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[DELETE, GET, OPTIONS, PATCH, POST, PUT]` + +### Parameter: `corsOrigins` + +Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. +- Required: No +- Type: array +- Default: `[AuditLogs]` +- Allowed: `[AuditLogs]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the DICOM service. +- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccess` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workspaceName` + +The name of the parent health data services workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the dicom service. | diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json index e9d301126e..bd72aa17df 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.json +++ b/modules/healthcare-apis/workspace/dicomservice/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13236257936604632093" + "version": "0.22.6.54827", + "templateHash": "12318721261811271092" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index a4b3d407cf..710e6b336b 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md 
@@ -23,58 +23,308 @@ This module deploys a Healthcare API Workspace FHIR Service. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the FHIR service. | +| [`name`](#parameter-name) | string | The name of the FHIR service. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `workspaceName` | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `accessPolicyObjectIds` | array | `[]` | | List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service. | -| `acrLoginServers` | array | `[]` | | The list of the Azure container registry login servers. | -| `acrOciArtifacts` | array | `[]` | | The list of Open Container Initiative (OCI) artifacts. | -| `authenticationAudience` | string | `[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]` | | The audience url for the service. | -| `authenticationAuthority` | string | `[uri(environment().authentication.loginEndpoint, subscription().tenantId)]` | | The authority url for the service. | -| `corsAllowCredentials` | bool | `False` | | Use this setting to indicate that cookies should be included in CORS requests. | -| `corsHeaders` | array | `[]` | | Specify HTTP headers which can be used during the request. Use "*" for any header. | -| `corsMaxAge` | int | `-1` | | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. 
| -| `corsMethods` | array | `[]` | `[DELETE, GET, OPTIONS, PATCH, POST, PUT]` | Specify the allowed HTTP methods. | -| `corsOrigins` | array | `[]` | | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[AuditLogs]` | `[AuditLogs]` | The name of logs that will be streamed. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `exportStorageAccountName` | string | `''` | | The name of the default export storage account. | -| `importEnabled` | bool | `False` | | If the import operation is enabled. | -| `importStorageAccountName` | string | `''` | | The name of the default integration storage account. | -| `initialImportMode` | bool | `False` | | If the FHIR service is in InitialImportMode. | -| `kind` | string | `'fhir-R4'` | `[fhir-R4, fhir-Stu3]` | The kind of the service. Defaults to R4. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. 
| -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `resourceVersionOverrides` | object | `{object}` | | A list of FHIR Resources and their version policy overrides. | -| `resourceVersionPolicy` | string | `'versioned'` | `[no-version, versioned, versioned-update]` | The default value for tracking history across all resources. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `smartProxyEnabled` | bool | `False` | | If the SMART on FHIR proxy is enabled. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessPolicyObjectIds`](#parameter-accesspolicyobjectids) | array | List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service. | +| [`acrLoginServers`](#parameter-acrloginservers) | array | The list of the Azure container registry login servers. | +| [`acrOciArtifacts`](#parameter-acrociartifacts) | array | The list of Open Container Initiative (OCI) artifacts. | +| [`authenticationAudience`](#parameter-authenticationaudience) | string | The audience url for the service. 
| +| [`authenticationAuthority`](#parameter-authenticationauthority) | string | The authority url for the service. | +| [`corsAllowCredentials`](#parameter-corsallowcredentials) | bool | Use this setting to indicate that cookies should be included in CORS requests. | +| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. | +| [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | +| [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. | +| [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`exportStorageAccountName`](#parameter-exportstorageaccountname) | string | The name of the default export storage account. | +| [`importEnabled`](#parameter-importenabled) | bool | If the import operation is enabled. | +| [`importStorageAccountName`](#parameter-importstorageaccountname) | string | The name of the default integration storage account. | +| [`initialImportMode`](#parameter-initialimportmode) | bool | If the FHIR service is in InitialImportMode. | +| [`kind`](#parameter-kind) | string | The kind of the service. Defaults to R4. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. | +| [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. 
| +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `accessPolicyObjectIds` + +List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `acrLoginServers` + +The list of the Azure container registry login servers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `acrOciArtifacts` + +The list of Open Container Initiative (OCI) artifacts. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `authenticationAudience` + +The audience url for the service. +- Required: No +- Type: string +- Default: `[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]` + +### Parameter: `authenticationAuthority` + +The authority url for the service. +- Required: No +- Type: string +- Default: `[uri(environment().authentication.loginEndpoint, subscription().tenantId)]` + +### Parameter: `corsAllowCredentials` + +Use this setting to indicate that cookies should be included in CORS requests. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `corsHeaders` + +Specify HTTP headers which can be used during the request. Use "*" for any header. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `corsMaxAge` + +Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `corsMethods` + +Specify the allowed HTTP methods. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[DELETE, GET, OPTIONS, PATCH, POST, PUT]` + +### Parameter: `corsOrigins` + +Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. +- Required: No +- Type: array +- Default: `[AuditLogs]` +- Allowed: `[AuditLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exportStorageAccountName` + +The name of the default export storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `importEnabled` + +If the import operation is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `importStorageAccountName` + +The name of the default integration storage account. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `initialImportMode` + +If the FHIR service is in InitialImportMode. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `kind` + +The kind of the service. Defaults to R4. +- Required: No +- Type: string +- Default: `'fhir-R4'` +- Allowed: `[fhir-R4, fhir-Stu3]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the FHIR service. +- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccess` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `resourceVersionOverrides` + +A list of FHIR Resources and their version policy overrides. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `resourceVersionPolicy` + +The default value for tracking history across all resources. +- Required: No +- Type: string +- Default: `'versioned'` +- Allowed: `[no-version, versioned, versioned-update]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `smartProxyEnabled` + +If the SMART on FHIR proxy is enabled. 
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `workspaceName`
+
+The name of the parent health data services workspace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the fhir service. |
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json
index 33998d37da..96a6c13806 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.json
+++ b/modules/healthcare-apis/workspace/fhirservice/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3716031618750035294"
+ "version": "0.22.6.54827",
+ "templateHash": "11687946305671678451"
 },
 "name": "Healthcare API Workspace FHIR Services",
 "description": "This module deploys a Healthcare API Workspace FHIR Service.",
@@ -446,8 +446,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "13975136606830731755"
+ "version": "0.22.6.54827",
+ "templateHash": "13260238293612966350"
 }
 },
 "parameters": {
diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md
index e23cdfb648..d250583016 100644
--- a/modules/healthcare-apis/workspace/iotconnector/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/README.md
@@ -23,43 +23,182 @@ This module deploys a Healthcare API Workspace IoT Connector.
 **Required parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `deviceMapping` | object | `{object}` | The mapping JSON that determines how incoming device data is normalized. |
-| `eventHubName` | string | | Event Hub name to connect to. |
-| `eventHubNamespaceName` | string | | Namespace of the Event Hub to connect to. |
-| `name` | string | | The name of the MedTech service. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`deviceMapping`](#parameter-devicemapping) | object | The mapping JSON that determines how incoming device data is normalized. |
+| [`eventHubName`](#parameter-eventhubname) | string | Event Hub name to connect to. |
+| [`eventHubNamespaceName`](#parameter-eventhubnamespacename) | string | Namespace of the Event Hub to connect to. |
+| [`name`](#parameter-name) | string | The name of the MedTech service. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `workspaceName` | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. |
+| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `consumerGroup` | string | `[parameters('name')]` | | Consumer group of the event hub to connected to. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[DiagnosticLogs]` | `[DiagnosticLogs]` | The name of logs that will be streamed. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `fhirdestination` | _[fhirdestination](fhirdestination/README.md)_ object | `{object}` | | FHIR Destination. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`consumerGroup`](#parameter-consumergroup) | string | Consumer group of the event hub to connected to. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+
+### Parameter: `consumerGroup`
+
+Consumer group of the event hub to connected to.
+- Required: No
+- Type: string
+- Default: `[parameters('name')]`
+
+### Parameter: `deviceMapping`
+
+The mapping JSON that determines how incoming device data is normalized.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed.
+- Required: No
+- Type: array
+- Default: `[DiagnosticLogs]`
+- Allowed: `[DiagnosticLogs]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via the Customer Usage Attribution ID (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `eventHubName`
+
+Event Hub name to connect to.
+- Required: Yes
+- Type: string
+
+### Parameter: `eventHubNamespaceName`
+
+Namespace of the Event Hub to connect to.
+- Required: Yes
+- Type: string
+
+### Parameter: `fhirdestination`
+
+FHIR Destination.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+The name of the MedTech service.
+- Required: Yes
+- Type: string
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `workspaceName`
+
+The name of the parent health data services workspace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the medtech service. |
diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
index 9a81a65c63..16df71b996 100644
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
@@ -20,31 +20,84 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.
 **Required parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `destinationMapping` | object | `{object}` | The mapping JSON that determines how normalized data is converted to FHIR Observations. |
-| `fhirServiceResourceId` | string | | The resource identifier of the FHIR Service to connect to. |
-| `name` | string | | The name of the FHIR destination. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`destinationMapping`](#parameter-destinationmapping) | object | The mapping JSON that determines how normalized data is converted to FHIR Observations. |
+| [`fhirServiceResourceId`](#parameter-fhirserviceresourceid) | string | The resource identifier of the FHIR Service to connect to. |
+| [`name`](#parameter-name) | string | The name of the FHIR destination. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `iotConnectorName` | string | The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment. |
-| `workspaceName` | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. |
+| [`iotConnectorName`](#parameter-iotconnectorname) | string | The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment. |
+| [`workspaceName`](#parameter-workspacename) | string | The name of the parent health data services workspace. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `resourceIdentityResolutionType` | string | `'Lookup'` | `[Create, Lookup]` | Determines how resource identity is resolved on the destination. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`resourceIdentityResolutionType`](#parameter-resourceidentityresolutiontype) | string | Determines how resource identity is resolved on the destination. |
+
+### Parameter: `destinationMapping`
+
+The mapping JSON that determines how normalized data is converted to FHIR Observations.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via the Customer Usage Attribution ID (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `fhirServiceResourceId`
+
+The resource identifier of the FHIR Service to connect to.
+- Required: Yes
+- Type: string
+
+### Parameter: `iotConnectorName`
+
+The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the FHIR destination.
+- Required: Yes
+- Type: string
+
+### Parameter: `resourceIdentityResolutionType`
+
+Determines how resource identity is resolved on the destination.
+- Required: No
+- Type: string
+- Default: `'Lookup'`
+- Allowed: `[Create, Lookup]`
+
+### Parameter: `workspaceName`
+
+The name of the parent health data services workspace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `iotConnectorName` | string | The name of the medtech service. |
 | `location` | string | The location the resource was deployed into. |
diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
index b48bcb3727..8f1f5ff94d 100644
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
+++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "18442235072798053221"
+ "version": "0.22.6.54827",
+ "templateHash": "10973515077627017376"
 },
 "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
 "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
index 63bb75e273..cce29e9a45 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.json
+++ b/modules/healthcare-apis/workspace/iotconnector/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "16981578699165858107"
+ "version": "0.22.6.54827",
+ "templateHash": "3714179156189652458"
 },
 "name": "Healthcare API Workspace IoT Connectors",
 "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -295,8 +295,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "18442235072798053221"
+ "version": "0.22.6.54827",
+ "templateHash": "10973515077627017376"
 },
 "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
 "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json
index 6ea7262bfa..3437138b45 100644
--- a/modules/healthcare-apis/workspace/main.json
+++ b/modules/healthcare-apis/workspace/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10903561527048363978"
+ "version": "0.22.6.54827",
+ "templateHash": "5818866804276261569"
 },
 "name": "Healthcare API Workspaces",
 "description": "This module deploys a Healthcare API Workspace.",
@@ -168,8 +168,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14482455306867053366"
+ "version": "0.22.6.54827",
+ "templateHash": "4822666259108954856"
 }
 },
 "parameters": {
@@ -356,8 +356,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "17348973963835618248"
+ "version": "0.22.6.54827",
+ "templateHash": "11687946305671678451"
 },
 "name": "Healthcare API Workspace FHIR Services",
 "description": "This module deploys a Healthcare API Workspace FHIR Service.",
@@ -798,8 +798,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5237941464164481673"
+ "version": "0.22.6.54827",
+ "templateHash": "13260238293612966350"
 }
 },
 "parameters": {
@@ -1020,8 +1020,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14081576760153046183"
+ "version": "0.22.6.54827",
+ "templateHash": "12318721261811271092"
 },
 "name": "Healthcare API Workspace DICOM Services",
 "description": "This module deploys a Healthcare API Workspace DICOM Service.",
@@ -1365,8 +1365,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7419022677033687481"
+ "version": "0.22.6.54827",
+ "templateHash": "3714179156189652458"
 },
 "name": "Healthcare API Workspace IoT Connectors",
 "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -1656,8 +1656,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8944835312780233488"
+ "version": "0.22.6.54827",
+ "templateHash": "10973515077627017376"
 },
 "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
 "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
diff --git a/modules/insights/action-group/.test/common/main.test.bicep b/modules/insights/action-group/.test/common/main.test.bicep
index cbc7e3e4f2..4f4d8071b8 100644
--- a/modules/insights/action-group/.test/common/main.test.bicep
+++ b/modules/insights/action-group/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/action-group/.test/min/main.test.bicep b/modules/insights/action-group/.test/min/main.test.bicep
index e4cdbfbdce..22938cd7a3 100644
--- a/modules/insights/action-group/.test/min/main.test.bicep
+++ b/modules/insights/action-group/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md
index 65ef94f1ad..fd46d2712c 100644
--- a/modules/insights/action-group/README.md
+++ b/modules/insights/action-group/README.md
@@ -5,10 +5,10 @@ This module deploys an Action Group.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 ## Resource Types
@@ -18,64 +18,28 @@ This module deploys an Action Group. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/actionGroups` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2023-01-01/actionGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `groupShortName` | string | The short name of the action group. | -| `name` | string | The name of the action group. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `armRoleReceivers` | array | `[]` | The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | -| `automationRunbookReceivers` | array | `[]` | The list of AutomationRunbook receivers that are part of this action group. | -| `azureAppPushReceivers` | array | `[]` | The list of AzureAppPush receivers that are part of this action group. | -| `azureFunctionReceivers` | array | `[]` | The list of function receivers that are part of this action group. | -| `emailReceivers` | array | `[]` | The list of email receivers that are part of this action group. | -| `enabled` | bool | `True` | Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `itsmReceivers` | array | `[]` | The list of ITSM receivers that are part of this action group. | -| `location` | string | `'global'` | Location for all resources. | -| `logicAppReceivers` | array | `[]` | The list of logic app receivers that are part of this action group. 
| -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `smsReceivers` | array | `[]` | The list of SMS receivers that are part of this action group. | -| `tags` | object | `{object}` | Tags of the resource. | -| `voiceReceivers` | array | `[]` | The list of voice receivers that are part of this action group. | -| `webhookReceivers` | array | `[]` | The list of webhook receivers that are part of this action group. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the action group . | -| `resourceGroupName` | string | The resource group the action group was deployed into. | -| `resourceId` | string | The resource ID of the action group . | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.action-group:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. 
- >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module actionGroup './insights/action-group/main.bicep' = { +module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-iagcom' params: { // Required parameters @@ -189,14 +153,17 @@ module actionGroup './insights/action-group/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module actionGroup './insights/action-group/main.bicep' = { +module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-iagmin' params: { // Required parameters @@ -239,6 +206,166 @@ module actionGroup './insights/action-group/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`groupShortName`](#parameter-groupshortname) | string | The short name of the action group. | +| [`name`](#parameter-name) | string | The name of the action group. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`armRoleReceivers`](#parameter-armrolereceivers) | array | The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. | +| [`automationRunbookReceivers`](#parameter-automationrunbookreceivers) | array | The list of AutomationRunbook receivers that are part of this action group. | +| [`azureAppPushReceivers`](#parameter-azureapppushreceivers) | array | The list of AzureAppPush receivers that are part of this action group. | +| [`azureFunctionReceivers`](#parameter-azurefunctionreceivers) | array | The list of function receivers that are part of this action group. | +| [`emailReceivers`](#parameter-emailreceivers) | array | The list of email receivers that are part of this action group. | +| [`enabled`](#parameter-enabled) | bool | Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`itsmReceivers`](#parameter-itsmreceivers) | array | The list of ITSM receivers that are part of this action group. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`logicAppReceivers`](#parameter-logicappreceivers) | array | The list of logic app receivers that are part of this action group. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`smsReceivers`](#parameter-smsreceivers) | array | The list of SMS receivers that are part of this action group. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`voiceReceivers`](#parameter-voicereceivers) | array | The list of voice receivers that are part of this action group. | +| [`webhookReceivers`](#parameter-webhookreceivers) | array | The list of webhook receivers that are part of this action group. | + +### Parameter: `armRoleReceivers` + +The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `automationRunbookReceivers` + +The list of AutomationRunbook receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `azureAppPushReceivers` + +The list of AzureAppPush receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `azureFunctionReceivers` + +The list of function receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `emailReceivers` + +The list of email receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enabled` + +Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `groupShortName` + +The short name of the action group. +- Required: Yes +- Type: string + +### Parameter: `itsmReceivers` + +The list of ITSM receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `logicAppReceivers` + +The list of logic app receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the action group. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `smsReceivers` + +The list of SMS receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `voiceReceivers` + +The list of voice receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `webhookReceivers` + +The list of webhook receivers that are part of this action group. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the action group . | +| `resourceGroupName` | string | The resource group the action group was deployed into. 
| +| `resourceId` | string | The resource ID of the action group . | + +## Cross-referenced modules + +_None_ + ## Notes - Receiver name must be unique across the ActionGroup. diff --git a/modules/insights/activity-log-alert/.test/common/main.test.bicep b/modules/insights/activity-log-alert/.test/common/main.test.bicep index f95e1529af..49d570477c 100644 --- a/modules/insights/activity-log-alert/.test/common/main.test.bicep +++ b/modules/insights/activity-log-alert/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 4e9a5b012e..0e825a2959 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -5,10 +5,10 @@ This module deploys an Activity Log Alert. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -17,57 +17,27 @@ This module deploys an Activity Log Alert. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/activityLogAlerts` | [2020-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-10-01/activityLogAlerts) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `conditions` | array | An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). | -| `name` | string | The name of the alert. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | The list of actions to take when alert triggers. | -| `alertDescription` | string | `''` | Description of the alert. | -| `enabled` | bool | `True` | Indicates whether this alert is enabled. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | Location for all resources. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| `scopes` | array | `[[subscription().id]]` | The list of resource IDs that this Activity Log Alert is scoped to. | -| `tags` | object | `{object}` | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the activity log alert. | -| `resourceGroupName` | string | The resource group the activity log alert was deployed into. | -| `resourceId` | string | The resource ID of the activity log alert. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.activity-log-alert:1.0.0`. -## Cross-referenced modules +- [Using large parameter set](#example-1-using-large-parameter-set) -_None_ +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module activityLogAlert './insights/activity-log-alert/main.bicep' = { +module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ialacom' params: { // Required parameters @@ -222,3 +192,108 @@ module activityLogAlert './insights/activity-log-alert/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`conditions`](#parameter-conditions) | array | An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). | +| [`name`](#parameter-name) | string | The name of the alert. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | The list of actions to take when alert triggers. | +| [`alertDescription`](#parameter-alertdescription) | string | Description of the alert. | +| [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`scopes`](#parameter-scopes) | array | The list of resource IDs that this Activity Log Alert is scoped to. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `actions` + +The list of actions to take when alert triggers. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `alertDescription` + +Description of the alert. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditions` + +An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). +- Required: Yes +- Type: array + +### Parameter: `enabled` + +Indicates whether this alert is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `name` + +The name of the alert. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `scopes` + +The list of resource IDs that this Activity Log Alert is scoped to. +- Required: No +- Type: array +- Default: `[[subscription().id]]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. 
| +| `name` | string | The name of the activity log alert. | +| `resourceGroupName` | string | The resource group the activity log alert was deployed into. | +| `resourceId` | string | The resource ID of the activity log alert. | + +## Cross-referenced modules + +_None_ diff --git a/modules/insights/component/.test/common/main.test.bicep b/modules/insights/component/.test/common/main.test.bicep index bb1280676e..31b26886ab 100644 --- a/modules/insights/component/.test/common/main.test.bicep +++ b/modules/insights/component/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/component/.test/min/main.test.bicep b/modules/insights/component/.test/min/main.test.bicep index 7e5bd974e5..965482d24d 100644 --- a/modules/insights/component/.test/min/main.test.bicep +++ b/modules/insights/component/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 815a655d02..161ac02871 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -5,10 +5,10 @@ This component deploys an Application Insights instance. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,68 +18,28 @@ This component deploys an Application Insights instance. | `Microsoft.Insights/components` | [2020-02-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-02-02/components) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Application Insights. | -| `workspaceResourceId` | string | Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `applicationType` | string | `'web'` | `[other, web]` | Application type. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AppAvailabilityResults, AppBrowserTimings, AppDependencies, AppEvents, AppExceptions, AppMetrics, AppPageViews, AppPerformanceCounters, AppRequests, AppSystemEvents, AppTraces]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
| -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `kind` | string | `''` | | The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `publicNetworkAccessForIngestion` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for accessing Application Insights ingestion. - Enabled or Disabled. | -| `publicNetworkAccessForQuery` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for accessing Application Insights query. - Enabled or Disabled. | -| `retentionInDays` | int | `365` | `[30, 60, 90, 120, 180, 270, 365, 550, 730]` | Retention period in days. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `samplingPercentage` | int | `100` | | Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. | -| `tags` | object | `{object}` | | Tags of the resource. 
| - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `applicationId` | string | The application ID of the application insights component. | -| `instrumentationKey` | string | Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application insights component. | -| `resourceGroupName` | string | The resource group the application insights component was deployed into. | -| `resourceId` | string | The resource ID of the application insights component. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.component:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module component './insights/component/main.bicep' = { +module component 'br:bicep/modules/insights.component:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-iccom' params: { // Required parameters @@ -169,14 +129,17 @@ module component './insights/component/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module component './insights/component/main.bicep' = { +module component 'br:bicep/modules/insights.component:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-icmin' params: { // Required parameters @@ -217,3 +180,188 @@ module component './insights/component/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Application Insights. | +| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationType`](#parameter-applicationtype) | string | Application type. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`kind`](#parameter-kind) | string | The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Application Insights ingestion. - Enabled or Disabled. | +| [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Application Insights query. - Enabled or Disabled. | +| [`retentionInDays`](#parameter-retentionindays) | int | Retention period in days. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`samplingPercentage`](#parameter-samplingpercentage) | int | Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `applicationType` + +Application type. +- Required: No +- Type: string +- Default: `'web'` +- Allowed: `[other, web]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, AppAvailabilityResults, AppBrowserTimings, AppDependencies, AppEvents, AppExceptions, AppMetrics, AppPageViews, AppPerformanceCounters, AppRequests, AppSystemEvents, AppTraces]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all Resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the Application Insights. +- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccessForIngestion` + +The network access type for accessing Application Insights ingestion. - Enabled or Disabled. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `publicNetworkAccessForQuery` + +The network access type for accessing Application Insights query. - Enabled or Disabled. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `retentionInDays` + +Retention period in days. +- Required: No +- Type: int +- Default: `365` +- Allowed: `[30, 60, 90, 120, 180, 270, 365, 550, 730]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `samplingPercentage` + +Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. +- Required: No +- Type: int +- Default: `100` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workspaceResourceId` + +Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. 
+- Required: Yes
+- Type: string
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `applicationId` | string | The application ID of the application insights component. |
+| `instrumentationKey` | string | Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component. |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the application insights component. |
+| `resourceGroupName` | string | The resource group the application insights component was deployed into. |
+| `resourceId` | string | The resource ID of the application insights component. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json
index 8e2f175e45..b3eddedc41 100644
--- a/modules/insights/component/main.json
+++ b/modules/insights/component/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "17654702224690381000"
+ "version": "0.22.6.54827",
+ "templateHash": "10525905837638712461"
 },
 "name": "Application Insights",
 "description": "This component deploys an Application Insights instance.",
@@ -296,8 +296,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13934424345752147710"
+ "version": "0.22.6.54827",
+ "templateHash": "11402620495113145502"
 }
 },
 "parameters": {
diff --git a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
index 2ce0a08132..5c0660113b 100644
--- a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep b/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
index 0de821478e..0ac9115755 100644
--- a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md
index 73a632031b..b967448c1e 100644
--- a/modules/insights/data-collection-endpoint/README.md
+++ b/modules/insights/data-collection-endpoint/README.md
@@ -5,10 +5,10 @@ This module deploys a Data Collection Endpoint.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -18,55 +18,28 @@ This module deploys a Data Collection Endpoint. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/dataCollectionEndpoints` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-04-01/dataCollectionEndpoints) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the data collection endpoint. The name is case insensitive. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `kind` | string | `'Linux'` | `[Linux, Windows]` | The kind of the resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | The configuration to set whether network access from public internet to the endpoints are allowed. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Resource tags. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
-## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the dataCollectionEndpoint. | -| `resourceGroupName` | string | The name of the resource group the dataCollectionEndpoint was created in. | -| `resourceId` | string | The resource ID of the dataCollectionEndpoint. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.data-collection-endpoint:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module dataCollectionEndpoint './insights/data-collection-endpoint/main.bicep' = { +module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcecom' params: { // Required parameters @@ -148,14 +121,17 @@ module dataCollectionEndpoint './insights/data-collection-endpoint/main.bicep' =

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module dataCollectionEndpoint './insights/data-collection-endpoint/main.bicep' = { +module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcemin' params: { // Required parameters @@ -192,3 +168,96 @@ module dataCollectionEndpoint './insights/data-collection-endpoint/main.bicep' =

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the data collection endpoint. The name is case insensitive. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`kind`](#parameter-kind) | string | The kind of the resource. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The configuration to set whether network access from public internet to the endpoints are allowed. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +The kind of the resource. +- Required: No +- Type: string +- Default: `'Linux'` +- Allowed: `[Linux, Windows]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the data collection endpoint. 
The name is case insensitive.
+- Required: Yes
+- Type: string
+
+### Parameter: `publicNetworkAccess`
+
+The configuration to set whether network access from public internet to the endpoints are allowed.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Resource tags.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the dataCollectionEndpoint. |
+| `resourceGroupName` | string | The name of the resource group the dataCollectionEndpoint was created in. |
+| `resourceId` | string | The resource ID of the dataCollectionEndpoint. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json
index 23d2aeef04..f40ef19865 100644
--- a/modules/insights/data-collection-endpoint/main.json
+++ b/modules/insights/data-collection-endpoint/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3728781575799278005"
+ "version": "0.22.6.54827",
+ "templateHash": "13275626141321439645"
 },
 "name": "Data Collection Endpoints",
 "description": "This module deploys a Data Collection Endpoint.",
@@ -157,8 +157,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8300016643720111813"
+ "version": "0.22.6.54827",
+ "templateHash": "5079554613850149123"
 }
 },
 "parameters": {
diff --git a/modules/insights/data-collection-rule/.test/min/main.test.bicep b/modules/insights/data-collection-rule/.test/min/main.test.bicep
index 46e103725d..e18f5d9ef8 100644
--- a/modules/insights/data-collection-rule/.test/min/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index aa4038af07..d1ce364f66 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -5,10 +5,10 @@ This module deploys a Data Collection Rule.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -18,60 +18,29 @@ This module deploys a Data Collection Rule. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/dataCollectionRules` | [2021-09-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-09-01-preview/dataCollectionRules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `dataFlows` | array | The specification of data flows. | -| `dataSources` | object | Specification of data sources that will be collected. | -| `destinations` | object | Specification of destinations that can be used in data flows. | -| `name` | string | The name of the data collection rule. The name is case insensitive. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `dataCollectionEndpointId` | string | `''` | | The resource ID of the data collection endpoint that this rule can be used with. | -| `description` | string | `''` | | Description of the data collection rule. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `kind` | string | `'Linux'` | `[Linux, Windows]` | The kind of the resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| `streamDeclarations` | object | `{object}` | | Declaration of custom streams used in this rule. | -| `tags` | object | `{object}` | | Resource tags. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the dataCollectionRule. | -| `resourceGroupName` | string | The name of the resource group the dataCollectionRule was created in. | -| `resourceId` | string | The resource ID of the dataCollectionRule. | - -## Cross-referenced modules +## Usage examples -_None_ +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.data-collection-rule:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Customadv](#example-1-customadv) +- [Custombasic](#example-2-custombasic) +- [Customiis](#example-3-customiis) +- [Linux](#example-4-linux) +- [Using only defaults](#example-5-using-only-defaults) +- [Windows](#example-6-windows) -

Example 1: Customadv

+### Example 1: _Customadv_
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrcusadv' params: { // Required parameters @@ -305,14 +274,14 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

-

Example 2: Custombasic

+### Example 2: _Custombasic_
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrcusbas' params: { // Required parameters @@ -514,14 +483,14 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

-

Example 3: Customiis

+### Example 3: _Customiis_
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrcusiis' params: { // Required parameters @@ -679,14 +648,14 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

-

Example 4: Linux

+### Example 4: _Linux_
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrlin' params: { // Required parameters @@ -1068,14 +1037,17 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

-

Example 5: Min

+### Example 5: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrmin' params: { // Required parameters @@ -1199,14 +1171,14 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

-

Example 6: Windows

+### Example 6: _Windows_
via Bicep module ```bicep -module dataCollectionRule './insights/data-collection-rule/main.bicep' = { +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { name: '${uniqueString(deployment().name)}-test-idcrwin' params: { // Required parameters @@ -1495,3 +1467,132 @@ module dataCollectionRule './insights/data-collection-rule/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dataFlows`](#parameter-dataflows) | array | The specification of data flows. | +| [`dataSources`](#parameter-datasources) | object | Specification of data sources that will be collected. | +| [`destinations`](#parameter-destinations) | object | Specification of destinations that can be used in data flows. | +| [`name`](#parameter-name) | string | The name of the data collection rule. The name is case insensitive. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dataCollectionEndpointId`](#parameter-datacollectionendpointid) | string | The resource ID of the data collection endpoint that this rule can be used with. | +| [`description`](#parameter-description) | string | Description of the data collection rule. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`kind`](#parameter-kind) | string | The kind of the resource. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`streamDeclarations`](#parameter-streamdeclarations) | object | Declaration of custom streams used in this rule. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `dataCollectionEndpointId` + +The resource ID of the data collection endpoint that this rule can be used with. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `dataFlows` + +The specification of data flows. +- Required: Yes +- Type: array + +### Parameter: `dataSources` + +Specification of data sources that will be collected. +- Required: Yes +- Type: object + +### Parameter: `description` + +Description of the data collection rule. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinations` + +Specification of destinations that can be used in data flows. +- Required: Yes +- Type: object + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +The kind of the resource. +- Required: No +- Type: string +- Default: `'Linux'` +- Allowed: `[Linux, Windows]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the data collection rule. The name is case insensitive. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `streamDeclarations` + +Declaration of custom streams used in this rule. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tags` + +Resource tags. 
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the dataCollectionRule. |
+| `resourceGroupName` | string | The name of the resource group the dataCollectionRule was created in. |
+| `resourceId` | string | The resource ID of the dataCollectionRule. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json
index 40ab530aea..9fd6a4d083 100644
--- a/modules/insights/data-collection-rule/main.json
+++ b/modules/insights/data-collection-rule/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4052867535187508575"
+ "version": "0.22.6.54827",
+ "templateHash": "12233779363216703767"
 },
 "name": "Data Collection Rules",
 "description": "This module deploys a Data Collection Rule.",
@@ -188,8 +188,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5004939963696451046"
+ "version": "0.22.6.54827",
+ "templateHash": "15006261932688103990"
 }
 },
 "parameters": {
diff --git a/modules/insights/diagnostic-setting/.test/common/main.test.bicep b/modules/insights/diagnostic-setting/.test/common/main.test.bicep
index d8eb101670..4fdfbd0770 100644
--- a/modules/insights/diagnostic-setting/.test/common/main.test.bicep
+++ b/modules/insights/diagnostic-setting/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md
index 1af907de3f..d4369f0915 100644
--- a/modules/insights/diagnostic-setting/README.md
+++ b/modules/insights/diagnostic-setting/README.md
@@ -5,10 +5,10 @@ This module deploys a Subscription wide export of the Activity Log.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -16,49 +16,27 @@ This module deploys a Subscription wide export of the Activity Log. | :-- | :-- | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -## Parameters - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', Administrative, Alert, allLogs, Autoscale, Policy, Recommendation, ResourceHealth, Security, ServiceHealth]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `name` | string | `[format('{0}-ActivityLog', uniqueString(subscription().id))]` | | Name of the ActivityLog diagnostic settings. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the diagnostic settings. | -| `resourceId` | string | The resource ID of the diagnostic settings. | -| `subscriptionName` | string | The name of the subscription to deploy into. 
| +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.diagnostic-setting:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module diagnosticSetting './insights/diagnostic-setting/main.bicep' = { +module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-idscom' params: { diagnosticEventHubAuthorizationRuleId: '' @@ -107,3 +85,89 @@ module diagnosticSetting './insights/diagnostic-setting/main.bicep' = {

+ + +## Parameters + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`name`](#parameter-name) | string | Name of the ActivityLog diagnostic settings. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', Administrative, Alert, allLogs, Autoscale, Policy, Recommendation, ResourceHealth, Security, ServiceHealth]` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `name` + +Name of the ActivityLog diagnostic settings. +- Required: No +- Type: string +- Default: `[format('{0}-ActivityLog', uniqueString(subscription().id))]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the diagnostic settings. | +| `resourceId` | string | The resource ID of the diagnostic settings. | +| `subscriptionName` | string | The name of the subscription to deploy into. | + +## Cross-referenced modules + +_None_ diff --git a/modules/insights/diagnostic-setting/main.json b/modules/insights/diagnostic-setting/main.json index 19685f7e7b..7ced987e1c 100644 --- a/modules/insights/diagnostic-setting/main.json +++ b/modules/insights/diagnostic-setting/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9469136899800527049" + "version": "0.22.6.54827", + "templateHash": "11607957812214718943" }, "name": "Diagnostic Settings (Activity Logs) for Azure Subscriptions", "description": "This module deploys a Subscription wide export of the Activity Log.", 
diff --git a/modules/insights/metric-alert/.test/common/main.test.bicep b/modules/insights/metric-alert/.test/common/main.test.bicep index 148d924d70..a5fcd52873 100644 --- a/modules/insights/metric-alert/.test/common/main.test.bicep +++ b/modules/insights/metric-alert/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index b2ffecb0f5..9167bd19af 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md 
@@ -4,82 +4,40 @@ This module deploys a Metric Alert. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/metricAlerts` | [2018-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2018-03-01/metricAlerts) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `criterias` | array | Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. | -| `name` | string | The name of the alert. | - -**Conditional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `targetResourceRegion` | string | `''` | The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | -| `targetResourceType` | string | `''` | The resource type of the target resource(s) on which the alert is created/updated. 
Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | | The list of actions to take when alert triggers. | -| `alertCriteriaType` | string | `'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'` | `[Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria]` | Maps to the 'odata.type' field. Specifies the type of the alert criteria. | -| `alertDescription` | string | `''` | | Description of the alert. | -| `autoMitigate` | bool | `True` | | The flag that indicates whether the alert should be auto resolved or not. | -| `enabled` | bool | `True` | | Indicates whether this alert is enabled. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `evaluationFrequency` | string | `'PT5M'` | `[PT15M, PT1H, PT1M, PT30M, PT5M]` | how often the metric alert is evaluated represented in ISO 8601 duration format. | -| `location` | string | `'global'` | | Location for all resources. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `scopes` | array | `[[subscription().id]]` | | the list of resource IDs that this metric alert is scoped to. 
| -| `severity` | int | `3` | `[0, 1, 2, 3, 4]` | The severity of the alert. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `windowSize` | string | `'PT15M'` | `[P1D, PT12H, PT15M, PT1H, PT1M, PT30M, PT5M, PT6H]` | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the metric alert. | -| `resourceGroupName` | string | The resource group the metric alert was deployed into. | -| `resourceId` | string | The resource ID of the metric alert. | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.metric-alert:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module metricAlert './insights/metric-alert/main.bicep' = { +module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-imacom' params: { // Required parameters @@ -196,3 +154,173 @@ module metricAlert './insights/metric-alert/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`criterias`](#parameter-criterias) | array | Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. | +| [`name`](#parameter-name) | string | The name of the alert. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`targetResourceRegion`](#parameter-targetresourceregion) | string | The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | +| [`targetResourceType`](#parameter-targetresourcetype) | string | The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | The list of actions to take when alert triggers. | +| [`alertCriteriaType`](#parameter-alertcriteriatype) | string | Maps to the 'odata.type' field. Specifies the type of the alert criteria. | +| [`alertDescription`](#parameter-alertdescription) | string | Description of the alert. | +| [`autoMitigate`](#parameter-automitigate) | bool | The flag that indicates whether the alert should be auto resolved or not. | +| [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`evaluationFrequency`](#parameter-evaluationfrequency) | string | how often the metric alert is evaluated represented in ISO 8601 duration format. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`scopes`](#parameter-scopes) | array | the list of resource IDs that this metric alert is scoped to. | +| [`severity`](#parameter-severity) | int | The severity of the alert. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`windowSize`](#parameter-windowsize) | string | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | + +### Parameter: `actions` + +The list of actions to take when alert triggers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `alertCriteriaType` + +Maps to the 'odata.type' field. Specifies the type of the alert criteria. +- Required: No +- Type: string +- Default: `'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'` +- Allowed: `[Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria]` + +### Parameter: `alertDescription` + +Description of the alert. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `autoMitigate` + +The flag that indicates whether the alert should be auto resolved or not. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `criterias` + +Criterias to trigger the alert. 
Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. +- Required: Yes +- Type: array + +### Parameter: `enabled` + +Indicates whether this alert is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `evaluationFrequency` + +how often the metric alert is evaluated represented in ISO 8601 duration format. +- Required: No +- Type: string +- Default: `'PT5M'` +- Allowed: `[PT15M, PT1H, PT1M, PT30M, PT5M]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `name` + +The name of the alert. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `scopes` + +the list of resource IDs that this metric alert is scoped to. +- Required: No +- Type: array +- Default: `[[subscription().id]]` + +### Parameter: `severity` + +The severity of the alert. +- Required: No +- Type: int +- Default: `3` +- Allowed: `[0, 1, 2, 3, 4]` + +### Parameter: `tags` + +Tags of the resource. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `targetResourceRegion` + +The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `targetResourceType` + +The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `windowSize` + +the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. +- Required: No +- Type: string +- Default: `'PT15M'` +- Allowed: `[P1D, PT12H, PT15M, PT1H, PT1M, PT30M, PT5M, PT6H]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the metric alert. | +| `resourceGroupName` | string | The resource group the metric alert was deployed into. | +| `resourceId` | string | The resource ID of the metric alert. | + +## Cross-referenced modules + +_None_ diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep index ee6b934b40..9b899bd5c8 100644 --- a/modules/insights/private-link-scope/.test/common/main.test.bicep +++ b/modules/insights/private-link-scope/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/private-link-scope/.test/min/main.test.bicep b/modules/insights/private-link-scope/.test/min/main.test.bicep index 63ab6727cc..38e1bad335 100644 
--- a/modules/insights/private-link-scope/.test/min/main.test.bicep +++ b/modules/insights/private-link-scope/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 44b66f32bb..95d6f651da 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -4,13 +4,13 @@ This module deploys an Azure Monitor Private Link Scope. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,59 +21,27 @@ This module deploys an Azure Monitor Private Link Scope. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the private link scope. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.private-link-scope:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | | The location of the private link scope. Should be global. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `scopedResources` | array | `[]` | | Configuration details for Azure Monitor Resources. | -| `tags` | object | `{object}` | | Resource tags. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private link scope. | -| `resourceGroupName` | string | The resource group the private link scope was deployed into. | -| `resourceId` | string | The resource ID of the private link scope. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module privateLinkScope './insights/private-link-scope/main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-iplscom' params: { // Required parameters @@ -191,14 +159,16 @@ module privateLinkScope './insights/private-link-scope/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module privateLinkScope './insights/private-link-scope/main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-iplsmin' params: { // Required parameters @@ -235,3 +205,98 @@ module privateLinkScope './insights/private-link-scope/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the private link scope. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the private link scope. Should be global. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the private link scope. 
+- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `scopedResources` + +Configuration details for Azure Monitor Resources. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the private link scope. | +| `resourceGroupName` | string | The resource group the private link scope was deployed into. | +| `resourceId` | string | The resource ID of the private link scope. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index d6e2051ab8..309a70ce4d 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13996279122424310340" + "version": "0.22.6.54827", + "templateHash": "9824068275707710634" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", @@ -147,8 +147,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3902218127334936289" + "version": "0.22.6.54827", + "templateHash": "13415430389319270642" }, "name": "Private Link Scope Scoped Resources", "description": "This module deploys a Private Link Scope Scoped Resource.", @@ -282,8 +282,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -482,8 +482,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -620,8 +620,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -834,8 +834,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10054224154652466544" + "version": "0.22.6.54827", + "templateHash": "5166949819431915903" } }, "parameters": { diff --git a/modules/insights/private-link-scope/scoped-resource/README.md b/modules/insights/private-link-scope/scoped-resource/README.md index 9a2b71bdfd..77b61ba102 100644 --- a/modules/insights/private-link-scope/scoped-resource/README.md 
+++ b/modules/insights/private-link-scope/scoped-resource/README.md 
@@ -19,27 +19,52 @@ This module deploys a Private Link Scope Scoped Resource. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `linkedResourceId` | string | The resource ID of the scoped Azure monitor resource. | -| `name` | string | Name of the private link scoped resource. | +| [`linkedResourceId`](#parameter-linkedresourceid) | string | The resource ID of the scoped Azure monitor resource. | +| [`name`](#parameter-name) | string | Name of the private link scoped resource. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateLinkScopeName` | string | The name of the parent private link scope. Required if the template is used in a standalone deployment. | +| [`privateLinkScopeName`](#parameter-privatelinkscopename) | string | The name of the parent private link scope. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `linkedResourceId` + +The resource ID of the scoped Azure monitor resource. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the private link scoped resource. +- Required: Yes +- Type: string + +### Parameter: `privateLinkScopeName` + +The name of the parent private link scope. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The full name of the deployed Scoped Resource. | | `resourceGroupName` | string | The name of the resource group where the resource has been deployed. | diff --git a/modules/insights/private-link-scope/scoped-resource/main.json b/modules/insights/private-link-scope/scoped-resource/main.json index 790a70f1a7..349184548c 100644 --- a/modules/insights/private-link-scope/scoped-resource/main.json +++ b/modules/insights/private-link-scope/scoped-resource/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15630582062607337146" + "version": "0.22.6.54827", + "templateHash": "13415430389319270642" }, "name": "Private Link Scope Scoped Resources", "description": "This module deploys a Private Link Scope Scoped Resource.", diff --git a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep index a8b98171e6..225e5a94d4 100644 --- a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep +++ b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index ac0722d263..6a30bc24a4 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md 
@@ -4,79 +4,40 @@ This module deploys a Scheduled Query Rule. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/scheduledQueryRules` | [2021-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-02-01-preview/scheduledQueryRules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `criterias` | object | The rule criteria that defines the conditions of the scheduled query rule. | -| `name` | string | The name of the Alert. | -| `scopes` | array | The list of resource IDs that this scheduled query rule is scoped to. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `actions` | array | `[]` | | Actions to invoke when the alert fires. | -| `alertDescription` | string | `''` | | The description of the scheduled query rule. | -| `autoMitigate` | bool | `True` | | The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert. | -| `enabled` | bool | `True` | | The flag which indicates whether this scheduled query rule is enabled. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `evaluationFrequency` | string | `''` | | How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. 
| -| `kind` | string | `'LogAlert'` | `[LogAlert, LogToMetric]` | Indicates the type of scheduled query rule. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `queryTimeRange` | string | `''` | | If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `severity` | int | `3` | `[0, 1, 2, 3, 4]` | Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. | -| `skipQueryValidation` | bool | `False` | | The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. | -| `suppressForMinutes` | string | `''` | | Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `targetResourceTypes` | array | `[]` | | List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. | -| `windowSize` | string | `''` | | The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). 
Relevant and required only for rules of the kind LogAlert. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the created query rule. | -| `resourceGroupName` | string | The Resource Group of the created query rule. | -| `resourceId` | string | The resource ID of the created query rule. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.scheduled-query-rule:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module scheduledQueryRule './insights/scheduled-query-rule/main.bicep' = { +module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-isqrcom' params: { // Required parameters @@ -233,3 +194,181 @@ module scheduledQueryRule './insights/scheduled-query-rule/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`criterias`](#parameter-criterias) | object | The rule criteria that defines the conditions of the scheduled query rule. | +| [`name`](#parameter-name) | string | The name of the Alert. | +| [`scopes`](#parameter-scopes) | array | The list of resource IDs that this scheduled query rule is scoped to. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | Actions to invoke when the alert fires. | +| [`alertDescription`](#parameter-alertdescription) | string | The description of the scheduled query rule. | +| [`autoMitigate`](#parameter-automitigate) | bool | The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert. | +| [`enabled`](#parameter-enabled) | bool | The flag which indicates whether this scheduled query rule is enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`evaluationFrequency`](#parameter-evaluationfrequency) | string | How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. | +| [`kind`](#parameter-kind) | string | Indicates the type of scheduled query rule. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`queryTimeRange`](#parameter-querytimerange) | string | If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`severity`](#parameter-severity) | int | Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. | +| [`skipQueryValidation`](#parameter-skipqueryvalidation) | bool | The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. | +| [`suppressForMinutes`](#parameter-suppressforminutes) | string | Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`targetResourceTypes`](#parameter-targetresourcetypes) | array | List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. | +| [`windowSize`](#parameter-windowsize) | string | The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. | + +### Parameter: `actions` + +Actions to invoke when the alert fires. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `alertDescription` + +The description of the scheduled query rule. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `autoMitigate` + +The flag that indicates whether the alert should be automatically resolved or not. 
Relevant only for rules of the kind LogAlert. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `criterias` + +The rule criteria that defines the conditions of the scheduled query rule. +- Required: Yes +- Type: object + +### Parameter: `enabled` + +The flag which indicates whether this scheduled query rule is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `evaluationFrequency` + +How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `kind` + +Indicates the type of scheduled query rule. +- Required: No +- Type: string +- Default: `'LogAlert'` +- Allowed: `[LogAlert, LogToMetric]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Alert. +- Required: Yes +- Type: string + +### Parameter: `queryTimeRange` + +If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `scopes` + +The list of resource IDs that this scheduled query rule is scoped to. 
+- Required: Yes +- Type: array + +### Parameter: `severity` + +Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. +- Required: No +- Type: int +- Default: `3` +- Allowed: `[0, 1, 2, 3, 4]` + +### Parameter: `skipQueryValidation` + +The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `suppressForMinutes` + +Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `targetResourceTypes` + +List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `windowSize` + +The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Name of the created query rule. | +| `resourceGroupName` | string | The Resource Group of the created query rule. | +| `resourceId` | string | The resource ID of the created query rule. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json index 5d00e35361..5f912821a8 100644 --- a/modules/insights/scheduled-query-rule/main.json +++ b/modules/insights/scheduled-query-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14503369793494300469" + "version": "0.22.6.54827", + "templateHash": "5166537476303359521" }, "name": "Scheduled Query Rules", "description": "This module deploys a Scheduled Query Rule.", @@ -230,8 +230,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15352642791797157407" + "version": "0.22.6.54827", + "templateHash": "10545808551952818846" } }, "parameters": { diff --git a/modules/insights/webtest/.test/common/main.test.bicep b/modules/insights/webtest/.test/common/main.test.bicep index 9e5d9bf6ce..2c96c3c4dd 100644 --- a/modules/insights/webtest/.test/common/main.test.bicep +++ b/modules/insights/webtest/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/webtest/.test/min/main.test.bicep b/modules/insights/webtest/.test/min/main.test.bicep index c309005ca8..b5fd4f6831 100644 --- a/modules/insights/webtest/.test/min/main.test.bicep +++ b/modules/insights/webtest/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index a46e16f64a..e875e2c3a4 100644 --- a/modules/insights/webtest/README.md 
+++ b/modules/insights/webtest/README.md @@ -5,10 +5,10 @@ This module deploys a Web Test. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,65 +18,28 @@ This module deploys a Web Test. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/webtests` | [2022-06-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2022-06-15/webtests) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the webtest. | -| `request` | object | The collection of request properties. | -| `tags` | object | A single hidden-link tag pointing to an existing AI component is required. | -| `webTestName` | string | User defined name if this WebTest. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `configuration` | object | `{object}` | | An XML configuration specification for a WebTest. | -| `description` | string | `''` | | User defined description for this WebTest. | -| `enabled` | bool | `True` | | Is the test actively being monitored. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `frequency` | int | `300` | | Interval in seconds between test runs for this WebTest. | -| `kind` | string | `'standard'` | `[multistep, ping, standard]` | The kind of WebTest that this web test watches. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `locations` | array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | List of where to physically run the tests from to give global coverage for accessibility of your application. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `retryEnabled` | bool | `True` | | Allow for retries should this WebTest fail. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `syntheticMonitorId` | string | `[parameters('name')]` | | Unique ID of this WebTest. | -| `timeout` | int | `30` | | Seconds until this WebTest will timeout and fail. | -| `validationRules` | object | `{object}` | | The collection of validation rule properties. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the webtest. | -| `resourceGroupName` | string | The resource group the resource was deployed into. | -| `resourceId` | string | The resource ID of the webtest. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.webtest:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module webtest './insights/webtest/main.bicep' = { +module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-iwtcom' params: { // Required parameters @@ -158,14 +121,17 @@ module webtest './insights/webtest/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module webtest './insights/webtest/main.bicep' = { +module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-iwtmin' params: { // Required parameters @@ -226,3 +192,172 @@ module webtest './insights/webtest/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the webtest. | +| [`request`](#parameter-request) | object | The collection of request properties. | +| [`tags`](#parameter-tags) | object | A single hidden-link tag pointing to an existing AI component is required. | +| [`webTestName`](#parameter-webtestname) | string | User defined name if this WebTest. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`configuration`](#parameter-configuration) | object | An XML configuration specification for a WebTest. | +| [`description`](#parameter-description) | string | User defined description for this WebTest. | +| [`enabled`](#parameter-enabled) | bool | Is the test actively being monitored. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`frequency`](#parameter-frequency) | int | Interval in seconds between test runs for this WebTest. | +| [`kind`](#parameter-kind) | string | The kind of WebTest that this web test watches. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`locations`](#parameter-locations) | array | List of where to physically run the tests from to give global coverage for accessibility of your application. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`retryEnabled`](#parameter-retryenabled) | bool | Allow for retries should this WebTest fail. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`syntheticMonitorId`](#parameter-syntheticmonitorid) | string | Unique ID of this WebTest. | +| [`timeout`](#parameter-timeout) | int | Seconds until this WebTest will timeout and fail. | +| [`validationRules`](#parameter-validationrules) | object | The collection of validation rule properties. | + +### Parameter: `configuration` + +An XML configuration specification for a WebTest. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `description` + +User defined description for this WebTest. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enabled` + +Is the test actively being monitored. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `frequency` + +Interval in seconds between test runs for this WebTest. +- Required: No +- Type: int +- Default: `300` + +### Parameter: `kind` + +The kind of WebTest that this web test watches. +- Required: No +- Type: string +- Default: `'standard'` +- Allowed: `[multistep, ping, standard]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `locations` + +List of where to physically run the tests from to give global coverage for accessibility of your application. 
+- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the webtest. +- Required: Yes +- Type: string + +### Parameter: `request` + +The collection of request properties. +- Required: Yes +- Type: object + +### Parameter: `retryEnabled` + +Allow for retries should this WebTest fail. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `syntheticMonitorId` + +Unique ID of this WebTest. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `tags` + +A single hidden-link tag pointing to an existing AI component is required. +- Required: Yes +- Type: object + +### Parameter: `timeout` + +Seconds until this WebTest will timeout and fail. +- Required: No +- Type: int +- Default: `30` + +### Parameter: `validationRules` + +The collection of validation rule properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `webTestName` + +User defined name if this WebTest. 
+- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the webtest. | +| `resourceGroupName` | string | The resource group the resource was deployed into. | +| `resourceId` | string | The resource ID of the webtest. | + +## Cross-referenced modules + +_None_ diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json index 0705ac73d2..334ab5e53b 100644 --- a/modules/insights/webtest/main.json +++ b/modules/insights/webtest/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16956370635999680512" + "version": "0.22.6.54827", + "templateHash": "17812769147790423288" }, "name": "Web Tests", "description": "This module deploys a Web Test.", @@ -245,8 +245,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10303500513207854110" + "version": "0.22.6.54827", + "templateHash": "13954103255282067786" } }, "parameters": { diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index 42499a4e72..179de80d30 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/key-vault/vault/.test/min/main.test.bicep b/modules/key-vault/vault/.test/min/main.test.bicep index 0ecea959ed..1fe0290488 100644 --- a/modules/key-vault/vault/.test/min/main.test.bicep +++ b/modules/key-vault/vault/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index abd7378c73..2160f1abf6 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -5,10 +5,10 @@ This module deploys a Key Vault.
 
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
@@ -24,80 +24,27 @@ This module deploys a Key Vault. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Key Vault. Must be globally unique. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `accessPolicies` | array | `[]` | | All access policies to create. | -| `createMode` | string | `'default'` | | The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AuditEvent, AzurePolicyEvaluationDetails]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. | -| `enableRbacAuthorization` | bool | `True` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. | -| `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. | -| `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute. | -| `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | -| `enableVaultForTemplateDeployment` | bool | `True` | | Specifies if the vault is enabled for a template deployment. | -| `keys` | array | `[]` | | All keys to create. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `networkAcls` | object | `{object}` | | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `secrets` | secureObject | `{object}` | | All secrets to create. | -| `softDeleteRetentionInDays` | int | `90` | | softDelete data retention days. It accepts >=7 and <=90. | -| `tags` | object | `{object}` | | Resource tags. | -| `vaultSku` | string | `'premium'` | `[premium, standard]` | Specifies the SKU for the vault. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the key vault. | -| `resourceGroupName` | string | The name of the resource group the key vault was created in. | -| `resourceId` | string | The resource ID of the key vault. | -| `uri` | string | The URI of the key vault. 
| +## Usage examples -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/key-vault.vault:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Accesspolicies](#example-1-accesspolicies) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [Using only defaults](#example-3-using-only-defaults) +- [Pe](#example-4-pe) -

Example 1: Accesspolicies

+### Example 1: _Accesspolicies_
via Bicep module ```bicep -module vault './key-vault/vault/main.bicep' = { +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-kvvap' params: { // Required parameters @@ -263,14 +210,17 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module vault './key-vault/vault/main.bicep' = { +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-kvvcom' params: { // Required parameters @@ -558,14 +508,17 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module vault './key-vault/vault/main.bicep' = { +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-kvvmin' params: { // Required parameters @@ -607,14 +560,14 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 4: Pe

+### Example 4: _Pe_
via Bicep module ```bicep -module vault './key-vault/vault/main.bicep' = { +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-kvvpe' params: { // Required parameters @@ -755,3 +708,263 @@ module vault './key-vault/vault/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Key Vault. Must be globally unique. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessPolicies`](#parameter-accesspolicies) | array | All access policies to create. | +| [`createMode`](#parameter-createmode) | string | The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Provide 'true' to enable Key Vault's purge protection feature. | +| [`enableRbacAuthorization`](#parameter-enablerbacauthorization) | bool | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. | +| [`enableSoftDelete`](#parameter-enablesoftdelete) | bool | Switch to enable/disable Key Vault's soft delete feature. | +| [`enableVaultForDeployment`](#parameter-enablevaultfordeployment) | bool | Specifies if the vault is enabled for deployment by script or compute. | +| [`enableVaultForDiskEncryption`](#parameter-enablevaultfordiskencryption) | bool | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | +| [`enableVaultForTemplateDeployment`](#parameter-enablevaultfortemplatedeployment) | bool | Specifies if the vault is enabled for a template deployment. | +| [`keys`](#parameter-keys) | array | All keys to create. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`networkAcls`](#parameter-networkacls) | object | Service endpoint object information. 
For security reasons, it is recommended to set the DefaultAction Deny. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`secrets`](#parameter-secrets) | secureObject | All secrets to create. | +| [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | softDelete data retention days. It accepts >=7 and <=90. | +| [`tags`](#parameter-tags) | object | Resource tags. | +| [`vaultSku`](#parameter-vaultsku) | string | Specifies the SKU for the vault. | + +### Parameter: `accessPolicies` + +All access policies to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `createMode` + +The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, AuditEvent, AzurePolicyEvaluationDetails]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enablePurgeProtection` + +Provide 'true' to enable Key Vault's purge protection feature. 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableRbacAuthorization` + +Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableSoftDelete` + +Switch to enable/disable Key Vault's soft delete feature. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableVaultForDeployment` + +Specifies if the vault is enabled for deployment by script or compute. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableVaultForDiskEncryption` + +Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableVaultForTemplateDeployment` + +Specifies if the vault is enabled for a template deployment. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `keys` + +All keys to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Key Vault. Must be globally unique. +- Required: Yes +- Type: string + +### Parameter: `networkAcls` + +Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `secrets` + +All secrets to create. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `softDeleteRetentionInDays` + +softDelete data retention days. It accepts >=7 and <=90. +- Required: No +- Type: int +- Default: `90` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vaultSku` + +Specifies the SKU for the vault. +- Required: No +- Type: string +- Default: `'premium'` +- Allowed: `[premium, standard]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the key vault. | +| `resourceGroupName` | string | The name of the resource group the key vault was created in. | +| `resourceId` | string | The resource ID of the key vault. 
| +| `uri` | string | The URI of the key vault. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md index 02445788a0..3cd899cab1 100644 --- a/modules/key-vault/vault/access-policy/README.md +++ b/modules/key-vault/vault/access-policy/README.md 
@@ -19,21 +19,41 @@ This module deploys a Key Vault Access Policy. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `keyVaultName` | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | +| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `accessPolicies` | array | `[]` | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessPolicies`](#parameter-accesspolicies) | array | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `accessPolicies` + +An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the access policies assignment. 
| | `resourceGroupName` | string | The name of the resource group the access policies assignment was created in. | diff --git a/modules/key-vault/vault/access-policy/main.json b/modules/key-vault/vault/access-policy/main.json index 6aab64e72c..ca9895ce0c 100644 --- a/modules/key-vault/vault/access-policy/main.json +++ b/modules/key-vault/vault/access-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10458348557666655329" + "version": "0.22.6.54827", + "templateHash": "2131300650084383528" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index fa6e94dc7b..df45c90f3d 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md 
@@ -21,36 +21,128 @@ This module deploys a Key Vault Key. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the key. | +| [`name`](#parameter-name) | string | The name of the key. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `keyVaultName` | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | +| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `attributesEnabled` | bool | `True` | | Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | -| `attributesNbf` | int | `-1` | | Not before date in seconds since 1970-01-01T00:00:00Z. | -| `curveName` | string | `'P-256'` | `[P-256, P-256K, P-384, P-521]` | The elliptic curve name. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `keyOps` | array | `[]` | `[decrypt, encrypt, import, sign, unwrapKey, verify, wrapKey]` | Array of JsonWebKeyOperation. | -| `keySize` | int | `-1` | | The key size in bits. For example: 2048, 3072, or 4096 for RSA. | -| `kty` | string | `'EC'` | `[EC, EC-HSM, RSA, RSA-HSM]` | The type of the key. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `rotationPolicy` | object | `{object}` | | Key rotation policy properties object. | -| `tags` | object | `{object}` | | Resource tags. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`attributesEnabled`](#parameter-attributesenabled) | bool | Determines whether the object is enabled. | +| [`attributesExp`](#parameter-attributesexp) | int | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | +| [`attributesNbf`](#parameter-attributesnbf) | int | Not before date in seconds since 1970-01-01T00:00:00Z. | +| [`curveName`](#parameter-curvename) | string | The elliptic curve name. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`keyOps`](#parameter-keyops) | array | Array of JsonWebKeyOperation. | +| [`keySize`](#parameter-keysize) | int | The key size in bits. For example: 2048, 3072, or 4096 for RSA. | +| [`kty`](#parameter-kty) | string | The type of the key. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`rotationPolicy`](#parameter-rotationpolicy) | object | Key rotation policy properties object. | +| [`tags`](#parameter-tags) | object | Resource tags. 
| + +### Parameter: `attributesEnabled` + +Determines whether the object is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `attributesExp` + +Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `attributesNbf` + +Not before date in seconds since 1970-01-01T00:00:00Z. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `curveName` + +The elliptic curve name. +- Required: No +- Type: string +- Default: `'P-256'` +- Allowed: `[P-256, P-256K, P-384, P-521]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `keyOps` + +Array of JsonWebKeyOperation. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[decrypt, encrypt, import, sign, unwrapKey, verify, wrapKey]` + +### Parameter: `keySize` + +The key size in bits. For example: 2048, 3072, or 4096 for RSA. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `kty` + +The type of the key. +- Required: No +- Type: string +- Default: `'EC'` +- Allowed: `[EC, EC-HSM, RSA, RSA-HSM]` + +### Parameter: `name` + +The name of the key. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `rotationPolicy` + +Key rotation policy properties object. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the key. | | `resourceGroupName` | string | The name of the resource group the key was created in. | diff --git a/modules/key-vault/vault/key/main.json b/modules/key-vault/vault/key/main.json index 42b35d55cc..84cf8349fb 100644 --- a/modules/key-vault/vault/key/main.json +++ b/modules/key-vault/vault/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13427300513937033652" + "version": "0.22.6.54827", + "templateHash": "3444180240240001557" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -190,8 +190,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8510219443070850278" + "version": "0.22.6.54827", + "templateHash": "14547096535874536511" } }, "parameters": { diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index aafc3db6bd..c270216400 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9452615051960144682" + "version": "0.22.6.54827", + "templateHash": "2257250292452239694" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
@@ -369,8 +369,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10458348557666655329" + "version": "0.22.6.54827", + "templateHash": "2131300650084383528" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", @@ -504,8 +504,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4314059595515029873" + "version": "0.22.6.54827", + "templateHash": "15496955101876834904" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -644,8 +644,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15814620610091788537" + "version": "0.22.6.54827", + "templateHash": "17395736576734421648" } }, "parameters": { @@ -839,8 +839,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13427300513937033652" + "version": "0.22.6.54827", + "templateHash": "3444180240240001557" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -1025,8 +1025,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8510219443070850278" + "version": "0.22.6.54827", + "templateHash": "14547096535874536511" } }, "parameters": { @@ -1226,8 +1226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1426,8 +1426,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1564,8 +1564,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1778,8 +1778,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12411629325302614699" + "version": "0.22.6.54827", + "templateHash": "13908410767908593601" } }, "parameters": { diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index 80f7173e8e..240a6475e6 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md 
@@ -20,33 +20,100 @@ This module deploys a Key Vault Secret. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the secret. | -| `value` | securestring | The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | +| [`name`](#parameter-name) | string | The name of the secret. | +| [`value`](#parameter-value) | securestring | The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `keyVaultName` | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | +| [`keyVaultName`](#parameter-keyvaultname) | string | The name of the parent key vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `attributesEnabled` | bool | `True` | Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | -| `attributesNbf` | int | `-1` | Not before date in seconds since 1970-01-01T00:00:00Z. | -| `contentType` | securestring | `''` | The content type of the secret. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | Resource tags. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`attributesEnabled`](#parameter-attributesenabled) | bool | Determines whether the object is enabled. | +| [`attributesExp`](#parameter-attributesexp) | int | Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | +| [`attributesNbf`](#parameter-attributesnbf) | int | Not before date in seconds since 1970-01-01T00:00:00Z. | +| [`contentType`](#parameter-contenttype) | securestring | The content type of the secret. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `attributesEnabled` + +Determines whether the object is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `attributesExp` + +Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. 
+- Required: No +- Type: int +- Default: `-1` + +### Parameter: `attributesNbf` + +Not before date in seconds since 1970-01-01T00:00:00Z. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `contentType` + +The content type of the secret. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the secret. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `value` + +The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. +- Required: Yes +- Type: securestring ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the secret. | | `resourceGroupName` | string | The name of the resource group the secret was created in. | diff --git a/modules/key-vault/vault/secret/main.json b/modules/key-vault/vault/secret/main.json index ca6ad0a02c..07f0947902 100644 
--- a/modules/key-vault/vault/secret/main.json +++ b/modules/key-vault/vault/secret/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4314059595515029873" + "version": "0.22.6.54827", + "templateHash": "15496955101876834904" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -144,8 +144,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15814620610091788537" + "version": "0.22.6.54827", + "templateHash": "17395736576734421648" } }, "parameters": { diff --git a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep b/modules/kubernetes-configuration/extension/.test/common/main.test.bicep index 377eeeb3c4..aed37f7e01 100644 --- a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep +++ b/modules/kubernetes-configuration/extension/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep b/modules/kubernetes-configuration/extension/.test/min/main.test.bicep index ba2461c5e6..e387fdf629 100644 --- a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep +++ b/modules/kubernetes-configuration/extension/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 5ea39db7e9..ced229237b 100644 --- a/modules/kubernetes-configuration/extension/README.md 
+++ b/modules/kubernetes-configuration/extension/README.md
@@ -5,10 +5,10 @@ This module deploys a Kubernetes Configuration Extension.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -17,62 +17,28 @@ This module deploys a Kubernetes Configuration Extension. | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | | `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `clusterName` | string | The name of the AKS cluster that should be configured. | -| `extensionType` | string | Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. | -| `name` | string | The name of the Flux Configuration. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `configurationProtectedSettings` | secureObject | `{object}` | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | -| `configurationSettings` | object | `{object}` | Configuration settings, as name-value pairs for configuring this extension. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `fluxConfigurations` | array | `[]` | A list of flux configuraitons. | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `releaseNamespace` | string | `''` | Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. | -| `releaseTrain` | string | `'Stable'` | ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". 
| -| `targetNamespace` | string | `''` | Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created. | -| `version` | string | `''` | Version of the extension for this extension, if it is "pinned" to a specific version. | - +## Usage examples -## Outputs +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the extension. | -| `resourceGroupName` | string | The name of the resource group the extension was deployed into. | -| `resourceId` | string | The resource ID of the extension. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `kubernetes-configuration/flux-configuration` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.extension:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module
 ```bicep
-module extension './kubernetes-configuration/extension/main.bicep' = {
+module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-kcecom'
 params: {
 // Required parameters
@@ -176,14 +142,17 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module extension './kubernetes-configuration/extension/main.bicep' = {
+module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-kcemin'
 params: {
 // Required parameters
@@ -236,3 +205,126 @@ module extension './kubernetes-configuration/extension/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`clusterName`](#parameter-clustername) | string | The name of the AKS cluster that should be configured. | +| [`extensionType`](#parameter-extensiontype) | string | Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. | +| [`name`](#parameter-name) | string | The name of the Flux Configuration. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`configurationProtectedSettings`](#parameter-configurationprotectedsettings) | secureObject | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | +| [`configurationSettings`](#parameter-configurationsettings) | object | Configuration settings, as name-value pairs for configuring this extension. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`fluxConfigurations`](#parameter-fluxconfigurations) | array | A list of flux configuraitons. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`releaseNamespace`](#parameter-releasenamespace) | string | Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. | +| [`releaseTrain`](#parameter-releasetrain) | string | ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". | +| [`targetNamespace`](#parameter-targetnamespace) | string | Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created. 
| +| [`version`](#parameter-version) | string | Version of the extension for this extension, if it is "pinned" to a specific version. | + +### Parameter: `clusterName` + +The name of the AKS cluster that should be configured. +- Required: Yes +- Type: string + +### Parameter: `configurationProtectedSettings` + +Configuration settings that are sensitive, as name-value pairs for configuring this extension. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `configurationSettings` + +Configuration settings, as name-value pairs for configuring this extension. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `extensionType` + +Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. +- Required: Yes +- Type: string + +### Parameter: `fluxConfigurations` + +A list of flux configuraitons. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Flux Configuration. +- Required: Yes +- Type: string + +### Parameter: `releaseNamespace` + +Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `releaseTrain` + +ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". +- Required: No +- Type: string +- Default: `'Stable'` + +### Parameter: `targetNamespace` + +Namespace where the extension will be created for an Namespace scoped extension. 
If this namespace does not exist, it will be created. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `version` + +Version of the extension for this extension, if it is "pinned" to a specific version. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the extension. | +| `resourceGroupName` | string | The name of the resource group the extension was deployed into. | +| `resourceId` | string | The resource ID of the extension. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/kubernetes-configuration/flux-configuration` | Local reference | diff --git a/modules/kubernetes-configuration/extension/main.json b/modules/kubernetes-configuration/extension/main.json index 59d2a7c481..f72a9dcfba 100644 --- a/modules/kubernetes-configuration/extension/main.json +++ b/modules/kubernetes-configuration/extension/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14913275975998013893" + "version": "0.22.6.54827", + "templateHash": "5002606439705018990" }, "name": "Kubernetes Configuration Extensions", "description": "This module deploys a Kubernetes Configuration Extension.", @@ -167,8 +167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11648869363176032755" + "version": "0.22.6.54827", + "templateHash": "6686104224333946371" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", 
diff --git a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep index aca4b0de21..fc42c880db 100644 --- a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep index 19c5b732e7..deffae3122 100644 --- a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index dec2c843cf..5e19132a78 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -5,10 +5,10 @@ This module deploys a Kubernetes Configuration Flux Configuration. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -17,58 +17,28 @@ This module deploys a Kubernetes Configuration Flux Configuration. | :-- | :-- | | `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `clusterName` | string | | The name of the AKS cluster that should be configured. | -| `name` | string | | The name of the Flux Configuration. | -| `namespace` | string | | The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | -| `scope` | string | `[cluster, namespace]` | Scope at which the configuration will be installed. | -| `sourceKind` | string | `[Bucket, GitRepository]` | Source Kind to pull the configuration data from. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `bucket` | object | `{object}` | Parameters to reconcile to the GitRepository source kind type. | -| `configurationProtectedSettings` | secureObject | `{object}` | Key-value pairs of protected configuration settings for the configuration. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `gitRepository` | object | `{object}` | Parameters to reconcile to the GitRepository source kind type. | -| `kustomizations` | object | `{object}` | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `suspend` | bool | `False` | Whether this configuration should suspend its reconciliation of its kustomizations and sources. 
| - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the flux configuration. | -| `resourceGroupName` | string | The name of the resource group the flux configuration was deployed into. | -| `resourceId` | string | The resource ID of the flux configuration. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module
 ```bicep
-module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bicep' = {
+module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-kcfccom'
 params: {
 // Required parameters
@@ -160,14 +130,17 @@ module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bic

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bicep' = {
+module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-kcfcmin'
 params: {
 // Required parameters
@@ -238,6 +211,124 @@ module fluxConfiguration './kubernetes-configuration/flux-configuration/main.bic

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`clusterName`](#parameter-clustername) | string | The name of the AKS cluster that should be configured. | +| [`name`](#parameter-name) | string | The name of the Flux Configuration. | +| [`namespace`](#parameter-namespace) | string | The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | +| [`scope`](#parameter-scope) | string | Scope at which the configuration will be installed. | +| [`sourceKind`](#parameter-sourcekind) | string | Source Kind to pull the configuration data from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`bucket`](#parameter-bucket) | object | Parameters to reconcile to the GitRepository source kind type. | +| [`configurationProtectedSettings`](#parameter-configurationprotectedsettings) | secureObject | Key-value pairs of protected configuration settings for the configuration. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`gitRepository`](#parameter-gitrepository) | object | Parameters to reconcile to the GitRepository source kind type. | +| [`kustomizations`](#parameter-kustomizations) | object | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`suspend`](#parameter-suspend) | bool | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | + +### Parameter: `bucket` + +Parameters to reconcile to the GitRepository source kind type. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `clusterName` + +The name of the AKS cluster that should be configured. 
+- Required: Yes +- Type: string + +### Parameter: `configurationProtectedSettings` + +Key-value pairs of protected configuration settings for the configuration. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gitRepository` + +Parameters to reconcile to the GitRepository source kind type. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `kustomizations` + +Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the Flux Configuration. +- Required: Yes +- Type: string + +### Parameter: `namespace` + +The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. +- Required: Yes +- Type: string + +### Parameter: `scope` + +Scope at which the configuration will be installed. +- Required: Yes +- Type: string +- Allowed: `[cluster, namespace]` + +### Parameter: `sourceKind` + +Source Kind to pull the configuration data from. +- Required: Yes +- Type: string +- Allowed: `[Bucket, GitRepository]` + +### Parameter: `suspend` + +Whether this configuration should suspend its reconciliation of its kustomizations and sources. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the flux configuration. | +| `resourceGroupName` | string | The name of the resource group the flux configuration was deployed into. | +| `resourceId` | string | The resource ID of the flux configuration. 
| + +## Cross-referenced modules + +_None_ + ## Notes ### Prerequisites diff --git a/modules/kubernetes-configuration/flux-configuration/main.json b/modules/kubernetes-configuration/flux-configuration/main.json index 2615f2ccce..252df520e1 100644 --- a/modules/kubernetes-configuration/flux-configuration/main.json +++ b/modules/kubernetes-configuration/flux-configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11648869363176032755" + "version": "0.22.6.54827", + "templateHash": "6686104224333946371" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep index 743b19f8a1..80c5e688ac 100644 --- a/modules/logic/workflow/.test/common/main.test.bicep +++ b/modules/logic/workflow/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index fcf3c02ae4..19d3961c81 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -4,14 +4,14 @@ This module deploys a Logic App (Workflow). ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,78 +20,27 @@ This module deploys a Logic App (Workflow). | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Logic/workflows` | [2019-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Logic/2019-05-01/workflows) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The logic app workflow name. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/logic.workflow:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `actionsAccessControlConfiguration` | object | `{object}` | | The access control configuration for workflow actions. | -| `connectorEndpointsConfiguration` | object | `{object}` | | The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | -| `contentsAccessControlConfiguration` | object | `{object}` | | The access control configuration for accessing workflow run contents. | -| `definitionParameters` | object | `{object}` | | Parameters for the definition template. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, WorkflowRuntime]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `integrationAccount` | object | `{object}` | | The integration account. | -| `integrationServiceEnvironmentResourceId` | string | `''` | | The integration service environment Id. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `state` | string | `'Enabled'` | `[Completed, Deleted, Disabled, Enabled, NotSpecified, Suspended]` | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. 
| -| `tags` | object | `{object}` | | Tags of the resource. | -| `triggersAccessControlConfiguration` | object | `{object}` | | The access control configuration for invoking workflow triggers. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `workflowActions` | object | `{object}` | | The definitions for one or more actions to execute at workflow runtime. | -| `workflowEndpointsConfiguration` | object | `{object}` | | The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. | -| `workflowManagementAccessControlConfiguration` | object | `{object}` | | The access control configuration for workflow management. | -| `workflowOutputs` | object | `{object}` | | The definitions for the outputs to return from a workflow run. | -| `workflowParameters` | object | `{object}` | | The definitions for one or more parameters that pass the values to use at your logic app's runtime. | -| `workflowStaticResults` | object | `{object}` | | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | -| `workflowTriggers` | object | `{object}` | | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | +- [Using large parameter set](#example-1-using-large-parameter-set) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the logic app. 
| -| `resourceGroupName` | string | The resource group the logic app was deployed into. | -| `resourceId` | string | The resource ID of the logic app. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module workflow './logic/workflow/main.bicep' = { +module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-lwcom' params: { // Required parameters @@ -256,6 +205,276 @@ module workflow './logic/workflow/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The logic app workflow name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actionsAccessControlConfiguration`](#parameter-actionsaccesscontrolconfiguration) | object | The access control configuration for workflow actions. | +| [`connectorEndpointsConfiguration`](#parameter-connectorendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | +| [`contentsAccessControlConfiguration`](#parameter-contentsaccesscontrolconfiguration) | object | The access control configuration for accessing workflow run contents. | +| [`definitionParameters`](#parameter-definitionparameters) | object | Parameters for the definition template. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`integrationAccount`](#parameter-integrationaccount) | object | The integration account. | +| [`integrationServiceEnvironmentResourceId`](#parameter-integrationserviceenvironmentresourceid) | string | The integration service environment Id. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`state`](#parameter-state) | string | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`triggersAccessControlConfiguration`](#parameter-triggersaccesscontrolconfiguration) | object | The access control configuration for invoking workflow triggers. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`workflowActions`](#parameter-workflowactions) | object | The definitions for one or more actions to execute at workflow runtime. 
| +| [`workflowEndpointsConfiguration`](#parameter-workflowendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. | +| [`workflowManagementAccessControlConfiguration`](#parameter-workflowmanagementaccesscontrolconfiguration) | object | The access control configuration for workflow management. | +| [`workflowOutputs`](#parameter-workflowoutputs) | object | The definitions for the outputs to return from a workflow run. | +| [`workflowParameters`](#parameter-workflowparameters) | object | The definitions for one or more parameters that pass the values to use at your logic app's runtime. | +| [`workflowStaticResults`](#parameter-workflowstaticresults) | object | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | +| [`workflowTriggers`](#parameter-workflowtriggers) | object | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | + +### Parameter: `actionsAccessControlConfiguration` + +The access control configuration for workflow actions. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `connectorEndpointsConfiguration` + +The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `contentsAccessControlConfiguration` + +The access control configuration for accessing workflow run contents. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `definitionParameters` + +Parameters for the definition template. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, WorkflowRuntime]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `integrationAccount` + +The integration account. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `integrationServiceEnvironmentResourceId` + +The integration service environment Id. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The logic app workflow name. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `state` + +The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Completed, Deleted, Disabled, Enabled, NotSpecified, Suspended]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `triggersAccessControlConfiguration` + +The access control configuration for invoking workflow triggers. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowActions` + +The definitions for one or more actions to execute at workflow runtime. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowEndpointsConfiguration` + +The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowManagementAccessControlConfiguration` + +The access control configuration for workflow management. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowOutputs` + +The definitions for the outputs to return from a workflow run. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowParameters` + +The definitions for one or more parameters that pass the values to use at your logic app's runtime. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowStaticResults` + +The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workflowTriggers` + +The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the logic app. | +| `resourceGroupName` | string | The resource group the logic app was deployed into. | +| `resourceId` | string | The resource ID of the logic app. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage `AccessControlConfiguration` diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index b2670cf85d..dde2332a12 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2324052045076799122" + "version": "0.22.6.54827", + "templateHash": "4385100753259148556" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", @@ -385,8 +385,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13203827803656665166" + "version": "0.22.6.54827", + "templateHash": "4086758110722720032" } }, "parameters": { diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index a50621023c..1955aee361 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/machine-learning-services/workspace/.test/min/main.test.bicep b/modules/machine-learning-services/workspace/.test/min/main.test.bicep index 302c8cef36..65a73dfd4d 100644 --- a/modules/machine-learning-services/workspace/.test/min/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 78eb3c9e54..ff8b39bf37 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md 
@@ -4,14 +4,14 @@ This module deploys a Machine Learning Services Workspace. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -23,92 +23,29 @@ This module deploys a Machine Learning Services Workspace. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `associatedApplicationInsightsResourceId` | string | | The resource ID of the associated Application Insights. | -| `associatedKeyVaultResourceId` | string | | The resource ID of the associated Key Vault. | -| `associatedStorageAccountResourceId` | string | | The resource ID of the associated Storage Account. | -| `name` | string | | The name of the machine learning workspace. | -| `sku` | string | `[Basic, Free, Premium, Standard]` | Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | -| `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | -| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. 
| - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | -| `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | -| `computes` | array | `[]` | | Computes to create respectively attach to the workspace. | -| `description` | string | `''` | | The description of this workspace. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeCpuGpuUtilization, AmlComputeJobEvent, AmlRunStatusChangedEvent]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
| -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `discoveryUrl` | string | `''` | | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | -| `imageBuildCompute` | string | `''` | | The compute name for image build. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serviceManagedResourcesSettings` | object | `{object}` | | The service managed resource settings. 
| -| `sharedPrivateLinkResources` | array | `[]` | | The list of shared private link resources in this workspace. | -| `tags` | object | `{object}` | | Resource tags. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the machine learning service. | -| `principalId` | string | The principal ID of the system assigned identity. | -| `resourceGroupName` | string | The resource group the machine learning service was deployed into. | -| `resourceId` | string | The resource ID of the machine learning service. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/machine-learning-services.workspace:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mlswcom' params: { // Required parameters @@ -334,14 +271,14 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mlswecr' params: { // Required parameters @@ -469,14 +406,17 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module workspace './machine-learning-services/workspace/main.bicep' = { +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mlswmin' params: { // Required parameters @@ -535,6 +475,322 @@ module workspace './machine-learning-services/workspace/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`associatedApplicationInsightsResourceId`](#parameter-associatedapplicationinsightsresourceid) | string | The resource ID of the associated Application Insights. | +| [`associatedKeyVaultResourceId`](#parameter-associatedkeyvaultresourceid) | string | The resource ID of the associated Key Vault. | +| [`associatedStorageAccountResourceId`](#parameter-associatedstorageaccountresourceid) | string | The resource ID of the associated Storage Account. | +| [`name`](#parameter-name) | string | The name of the machine learning workspace. | +| [`sku`](#parameter-sku) | string | Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| [`primaryUserAssignedIdentity`](#parameter-primaryuserassignedidentity) | string | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowPublicAccessWhenBehindVnet`](#parameter-allowpublicaccesswhenbehindvnet) | bool | The flag to indicate whether to allow public access when behind VNet. 
| +| [`associatedContainerRegistryResourceId`](#parameter-associatedcontainerregistryresourceid) | string | The resource ID of the associated Container Registry. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | +| [`computes`](#parameter-computes) | array | Computes to create respectively attach to the workspace. | +| [`description`](#parameter-description) | string | The description of this workspace. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`discoveryUrl`](#parameter-discoveryurl) | string | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hbiWorkspace`](#parameter-hbiworkspace) | bool | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | +| [`imageBuildCompute`](#parameter-imagebuildcompute) | string | The compute name for image build. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`serviceManagedResourcesSettings`](#parameter-servicemanagedresourcessettings) | object | The service managed resource settings. | +| [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The list of shared private link resources in this workspace. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `allowPublicAccessWhenBehindVnet` + +The flag to indicate whether to allow public access when behind VNet. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `associatedApplicationInsightsResourceId` + +The resource ID of the associated Application Insights. +- Required: Yes +- Type: string + +### Parameter: `associatedContainerRegistryResourceId` + +The resource ID of the associated Container Registry. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `associatedKeyVaultResourceId` + +The resource ID of the associated Key Vault. +- Required: Yes +- Type: string + +### Parameter: `associatedStorageAccountResourceId` + +The resource ID of the associated Storage Account. +- Required: Yes +- Type: string + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `computes` + +Computes to create respectively attach to the workspace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `description` + +The description of this workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeCpuGpuUtilization, AmlComputeJobEvent, AmlRunStatusChangedEvent]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `discoveryUrl` + +URL for the discovery service to identify regional endpoints for machine learning experimentation services. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hbiWorkspace` + +The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `imageBuildCompute` + +The compute name for image build. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the machine learning workspace. +- Required: Yes +- Type: string + +### Parameter: `primaryUserAssignedIdentity` + +The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceManagedResourcesSettings` + +The service managed resource settings. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `sharedPrivateLinkResources` + +The list of shared private link resources in this workspace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. +- Required: Yes +- Type: string +- Allowed: `[Basic, Free, Premium, Standard]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the machine learning service. | +| `principalId` | string | The principal ID of the system assigned identity. | +| `resourceGroupName` | string | The resource group the machine learning service was deployed into. 
| +| `resourceId` | string | The resource ID of the machine learning service. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | + ## Notes ### Parameter Usage: `computes` diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 2c65c0486b..78fb6a7eee 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md 
@@ -21,38 +21,142 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `computeType` | string | `[AKS, AmlCompute, ComputeInstance, Databricks, DataFactory, DataLakeAnalytics, HDInsight, Kubernetes, SynapseSpark, VirtualMachine]` | Set the object type. | -| `name` | string | | Name of the compute. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`computeType`](#parameter-computetype) | string | Set the object type. | +| [`name`](#parameter-name) | string | Name of the compute. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `machineLearningWorkspaceName` | string | The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. | +| [`machineLearningWorkspaceName`](#parameter-machinelearningworkspacename) | string | The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `computeLocation` | string | `[resourceGroup().location]` | | Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| `deployCompute` | bool | `True` | | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | -| `description` | string | `''` | | The description of the Machine Learning compute. | -| `disableLocalAuth` | bool | `False` | | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Specifies the location of the resource. | -| `properties` | object | `{object}` | | The properties of the compute. Will be ignored in case "resourceId" is set. | -| `resourceId` | string | `''` | | ARM resource ID of the underlying compute. | -| `sku` | string | `''` | `['', Basic, Free, Premium, Standard]` | Specifies the sku, also referred as "edition". Required for creating a compute resource. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| `tags` | object | `{object}` | | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`computeLocation`](#parameter-computelocation) | string | Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | +| [`deployCompute`](#parameter-deploycompute) | bool | Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. | +| [`description`](#parameter-description) | string | The description of the Machine Learning compute. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Specifies the location of the resource. | +| [`properties`](#parameter-properties) | object | The properties of the compute. Will be ignored in case "resourceId" is set. | +| [`resourceId`](#parameter-resourceid) | string | ARM resource ID of the underlying compute. | +| [`sku`](#parameter-sku) | string | Specifies the sku, also referred as "edition". Required for creating a compute resource. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | +| [`tags`](#parameter-tags) | object | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | + +### Parameter: `computeLocation` + +Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `computeType` + +Set the object type. +- Required: Yes +- Type: string +- Allowed: `[AKS, AmlCompute, ComputeInstance, Databricks, DataFactory, DataLakeAnalytics, HDInsight, Kubernetes, SynapseSpark, VirtualMachine]` + +### Parameter: `deployCompute` + +Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `description` + +The description of the Machine Learning compute. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Specifies the location of the resource. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `machineLearningWorkspaceName` + +The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the compute. +- Required: Yes +- Type: string + +### Parameter: `properties` + +The properties of the compute. Will be ignored in case "resourceId" is set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `resourceId` + +ARM resource ID of the underlying compute. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sku` + +Specifies the sku, also referred as "edition". Required for creating a compute resource. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Basic, Free, Premium, Standard]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. 
Ignored when attaching a compute resource, i.e. when you provide a resource ID. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the compute. | diff --git a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep index 5206cb44e2..4606ff4c70 100644 --- a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep index 3b9ba0d973..1120f4565b 100644 --- a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 550d69eb48..75f6334537 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md 
@@ -5,10 +5,10 @@ This module deploys a Maintenance Configuration. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,59 +18,28 @@ This module deploys a Maintenance Configuration. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Maintenance/maintenanceConfigurations` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Maintenance/2023-04-01/maintenanceConfigurations) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Maintenance Configuration Name. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `extensionProperties` | object | `{object}` | | Gets or sets extensionProperties of the maintenanceConfiguration. | -| `installPatches` | object | `{object}` | | Configuration settings for VM guest patching with Azure Update Manager. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maintenanceScope` | string | `'Host'` | `[Extension, Host, InGuestPatch, OSImage, SQLDB, SQLManagedInstance]` | Gets or sets maintenanceScope of the configuration. | -| `maintenanceWindow` | object | `{object}` | | Definition of a MaintenanceWindow. | -| `namespace` | string | `''` | | Gets or sets namespace of the resource. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Gets or sets tags of the resource. | -| `visibility` | string | `''` | `['', Custom, Public]` | Gets or sets the visibility of the configuration. The default value is 'Custom'. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the Maintenance Configuration was created in. | -| `name` | string | The name of the Maintenance Configuration. | -| `resourceGroupName` | string | The name of the resource group the Maintenance Configuration was created in. | -| `resourceId` | string | The resource ID of the Maintenance Configuration. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/maintenance.maintenance-configuration:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module maintenanceConfiguration './maintenance/maintenance-configuration/main.bicep' = { +module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mmccom' params: { // Required parameters @@ -210,14 +179,17 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module maintenanceConfiguration './maintenance/maintenance-configuration/main.bicep' = { +module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-mmcmin' params: { // Required parameters @@ -254,3 +226,128 @@ module maintenanceConfiguration './maintenance/maintenance-configuration/main.bi

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Maintenance Configuration Name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`extensionProperties`](#parameter-extensionproperties) | object | Gets or sets extensionProperties of the maintenanceConfiguration. | +| [`installPatches`](#parameter-installpatches) | object | Configuration settings for VM guest patching with Azure Update Manager. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maintenanceScope`](#parameter-maintenancescope) | string | Gets or sets maintenanceScope of the configuration. | +| [`maintenanceWindow`](#parameter-maintenancewindow) | object | Definition of a MaintenanceWindow. | +| [`namespace`](#parameter-namespace) | string | Gets or sets namespace of the resource. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Gets or sets tags of the resource. | +| [`visibility`](#parameter-visibility) | string | Gets or sets the visibility of the configuration. The default value is 'Custom'. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `extensionProperties` + +Gets or sets extensionProperties of the maintenanceConfiguration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `installPatches` + +Configuration settings for VM guest patching with Azure Update Manager. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `maintenanceScope` + +Gets or sets maintenanceScope of the configuration. +- Required: No +- Type: string +- Default: `'Host'` +- Allowed: `[Extension, Host, InGuestPatch, OSImage, SQLDB, SQLManagedInstance]` + +### Parameter: `maintenanceWindow` + +Definition of a MaintenanceWindow. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Maintenance Configuration Name. +- Required: Yes +- Type: string + +### Parameter: `namespace` + +Gets or sets namespace of the resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Gets or sets tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `visibility` + +Gets or sets the visibility of the configuration. The default value is 'Custom'. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Custom, Public]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the Maintenance Configuration was created in. | +| `name` | string | The name of the Maintenance Configuration. | +| `resourceGroupName` | string | The name of the resource group the Maintenance Configuration was created in. | +| `resourceId` | string | The resource ID of the Maintenance Configuration. | + +## Cross-referenced modules + +_None_ diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json index fa8b75249d..1215f56f14 100644 --- a/modules/maintenance/maintenance-configuration/main.json +++ b/modules/maintenance/maintenance-configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11249408608442094590" + "version": "0.22.6.54827", + "templateHash": "2646666210857505384" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration.", @@ -192,8 +192,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13667533049136172110" + "version": "0.22.6.54827", + "templateHash": "17730168206359180764" } }, "parameters": { diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep index 35e152866a..d99f3b2a60 100644 --- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep index 95ed7da3d2..4a83660c9c 100644 --- a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index 5a4b75c1b9..bcf7800957 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -4,13 +4,13 @@ This module deploys a User Assigned Identity. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,51 +19,28 @@ This module deploys a User Assigned Identity. | `Microsoft.ManagedIdentity/userAssignedIdentities` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities) | | `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities/federatedIdentityCredentials) | -## Parameters - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `federatedIdentityCredentials` | array | `[]` | | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `name` | string | `[guid(resourceGroup().id)]` | | Name of the User Assigned Identity. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `clientId` | string | The client ID (application ID) of the user assigned identity. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the user assigned identity. | -| `principalId` | string | The principal ID (object ID) of the user assigned identity. | -| `resourceGroupName` | string | The resource group the user assigned identity was deployed into. | -| `resourceId` | string | The resource ID of the user assigned identity. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/managed-identity.user-assigned-identity:1.0.0`. -## Cross-referenced modules +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -_None_ +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module userAssignedIdentity './managed-identity/user-assigned-identity/main.bicep' = { +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-miuaicom' params: { enableDefaultTelemetry: '' @@ -155,14 +132,17 @@ module userAssignedIdentity './managed-identity/user-assigned-identity/main.bice

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module userAssignedIdentity './managed-identity/user-assigned-identity/main.bicep' = { +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-miuaimin' params: { enableDefaultTelemetry: '' @@ -191,3 +171,84 @@ module userAssignedIdentity './managed-identity/user-assigned-identity/main.bice

+ + +## Parameters + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`federatedIdentityCredentials`](#parameter-federatedidentitycredentials) | array | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`name`](#parameter-name) | string | Name of the User Assigned Identity. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `federatedIdentityCredentials` + +The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the User Assigned Identity. +- Required: No +- Type: string +- Default: `[guid(resourceGroup().id)]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `clientId` | string | The client ID (application ID) of the user assigned identity. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the user assigned identity. | +| `principalId` | string | The principal ID (object ID) of the user assigned identity. | +| `resourceGroupName` | string | The resource group the user assigned identity was deployed into. | +| `resourceId` | string | The resource ID of the user assigned identity. | + +## Cross-referenced modules + +_None_ diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md index 0405906384..ab9e7a346f 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md 
@@ -19,29 +19,66 @@ This module deploys a User Assigned Identity Federated Identity Credential. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `audiences` | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. | -| `issuer` | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. | -| `name` | string | The name of the secret. | -| `subject` | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. | +| [`audiences`](#parameter-audiences) | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. | +| [`issuer`](#parameter-issuer) | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. | +| [`name`](#parameter-name) | string | The name of the secret. 
| +| [`subject`](#parameter-subject) | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `userAssignedIdentityName` | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. | +| [`userAssignedIdentityName`](#parameter-userassignedidentityname) | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `audiences` + +The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `issuer` + +The URL of the issuer to be trusted. 
Must match the issuer claim of the external token being exchanged. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the secret. +- Required: Yes +- Type: string + +### Parameter: `subject` + +The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. +- Required: Yes +- Type: string + +### Parameter: `userAssignedIdentityName` + +The name of the parent user assigned identity. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the federated identity credential. | | `resourceGroupName` | string | The name of the resource group the federated identity credential was created in. | diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json index be4b79c764..d7d037aaa3 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13014227007294077055" + "version": "0.22.6.54827", + "templateHash": "15026838206978058830" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", 
diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index 3efc21a3a0..8b93e98d84 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5028263176846859457" + "version": "0.22.6.54827", + "templateHash": "689312003789935835" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", @@ -145,8 +145,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "961909405436269630" + "version": "0.22.6.54827", + "templateHash": "15026838206978058830" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", @@ -280,8 +280,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5263933546195004806" + "version": "0.22.6.54827", + "templateHash": "2246284698738978006" } }, "parameters": { diff --git a/modules/managed-services/registration-definition/.test/common/main.test.bicep b/modules/managed-services/registration-definition/.test/common/main.test.bicep index bb23b4235e..854fe9a70d 100644 --- a/modules/managed-services/registration-definition/.test/common/main.test.bicep +++ b/modules/managed-services/registration-definition/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index 690c4c3720..23aac725b0 100644 
--- a/modules/managed-services/registration-definition/README.md
+++ b/modules/managed-services/registration-definition/README.md
@@ -8,68 +8,42 @@ remote/managing tenant. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.ManagedServices/registrationAssignments` | [2019-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationAssignments) | | `Microsoft.ManagedServices/registrationDefinitions` | [2019-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedServices/2019-09-01/registrationDefinitions) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `authorizations` | array | Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | -| `managedByTenantId` | string | Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | -| `name` | string | Specify a unique name for your offer/registration. i.e ' - - '. | -| `registrationDescription` | string | Description of the offer/registration. i.e. 'Managed by '. | - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `resourceGroupName` | string | `''` | Specify the name of the Resource Group to delegate access to. 
If not provided, delegation will be done on the targeted subscription. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `assignmentResourceId` | string | The registration assignment resource ID. | -| `name` | string | The name of the registration definition. | -| `resourceId` | string | The resource ID of the registration definition. | -| `subscriptionName` | string | The subscription the registration definition was deployed into. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/managed-services.registration-definition:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Rg](#example-2-rg) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module registrationDefinition './managed-services/registration-definition/main.bicep' = { +module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { name: '${uniqueString(deployment().name)}-test-msrdcom' params: { // Required parameters @@ -151,14 +125,14 @@ module registrationDefinition './managed-services/registration-definition/main.b

-

Example 2: Rg

+### Example 2: _Rg_
via Bicep module ```bicep -module registrationDefinition './managed-services/registration-definition/main.bicep' = { +module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-msrdrg' params: { // Required parameters @@ -245,6 +219,84 @@ module registrationDefinition './managed-services/registration-definition/main.b

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizations`](#parameter-authorizations) | array | Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. | +| [`managedByTenantId`](#parameter-managedbytenantid) | string | Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. | +| [`name`](#parameter-name) | string | Specify a unique name for your offer/registration. i.e ' - - '. | +| [`registrationDescription`](#parameter-registrationdescription) | string | Description of the offer/registration. i.e. 'Managed by '. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. | + +### Parameter: `authorizations` + +Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. 
+- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managedByTenantId` + +Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. +- Required: Yes +- Type: string + +### Parameter: `name` + +Specify a unique name for your offer/registration. i.e ' - - '. +- Required: Yes +- Type: string + +### Parameter: `registrationDescription` + +Description of the offer/registration. i.e. 'Managed by '. +- Required: Yes +- Type: string + +### Parameter: `resourceGroupName` + +Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `assignmentResourceId` | string | The registration assignment resource ID. | +| `name` | string | The name of the registration definition. | +| `resourceId` | string | The resource ID of the registration definition. | +| `subscriptionName` | string | The subscription the registration definition was deployed into. | + +## Cross-referenced modules + +_None_ + ## Notes ### Considerations diff --git a/modules/managed-services/registration-definition/main.json b/modules/managed-services/registration-definition/main.json index e636c18090..2940047230 100644 --- a/modules/managed-services/registration-definition/main.json +++ b/modules/managed-services/registration-definition/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1981923206458772574" + "version": "0.22.6.54827", + "templateHash": "18225216426535356338" }, "name": "Registration Definitions", "description": "This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')\r\non subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is\r\nassigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where\r\nthe Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a\r\nremote/managing tenant.", @@ -125,8 +125,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11245217647113250760" + "version": "0.22.6.54827", + "templateHash": "3494089951098103079" } }, "parameters": { diff --git a/modules/management/management-group/.test/common/main.test.bicep b/modules/management/management-group/.test/common/main.test.bicep index eff3e650d8..65122a5c04 100644 --- a/modules/management/management-group/.test/common/main.test.bicep +++ b/modules/management/management-group/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'managementGroup' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/management/management-group/.test/min/main.test.bicep b/modules/management/management-group/.test/min/main.test.bicep index 41bd4cdfba..471cd8cc08 100644 --- a/modules/management/management-group/.test/min/main.test.bicep +++ b/modules/management/management-group/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'managementGroup'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md
index ff8276cec7..cba016ed6e 100644
--- a/modules/management/management-group/README.md
+++ b/modules/management/management-group/README.md
@@ -8,63 +8,41 @@ This module has some known **limitations**: ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Management/managementGroups` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Management/2021-04-01/managementGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The group ID of the Management group. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/management.management-group:1.0.0`. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `displayName` | string | `''` | The friendly name of the management group. If no value is passed then this field will be set to the group ID. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `parentId` | string | `[last(split(managementGroup().id, '/'))]` | The management group parent ID. Defaults to current scope. 
| +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the management group. | -| `resourceId` | string | The resource ID of the management group. | - -## Cross-referenced modules - -_None_ +This instance deploys the module with most of its features enabled. -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module managementGroup './management/management-group/main.bicep' = { +module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { name: '${uniqueString(deployment().name)}-test-mmgcom' params: { // Required parameters @@ -110,14 +88,17 @@ module managementGroup './management/management-group/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module managementGroup './management/management-group/main.bicep' = { +module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { name: '${uniqueString(deployment().name)}-test-mmgmin' params: { // Required parameters @@ -156,6 +137,69 @@ module managementGroup './management/management-group/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The group ID of the Management group. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`displayName`](#parameter-displayname) | string | The friendly name of the management group. If no value is passed then this field will be set to the group ID. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`parentId`](#parameter-parentid) | string | The management group parent ID. Defaults to current scope. | + +### Parameter: `displayName` + +The friendly name of the management group. If no value is passed then this field will be set to the group ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `name` + +The group ID of the Management group. +- Required: Yes +- Type: string + +### Parameter: `parentId` + +The management group parent ID. Defaults to current scope. +- Required: No +- Type: string +- Default: `[last(split(managementGroup().id, '/'))]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the management group. | +| `resourceId` | string | The resource ID of the management group. | + +## Cross-referenced modules + +_None_ + ## Notes ### Considerations diff --git a/modules/management/management-group/main.json b/modules/management/management-group/main.json index 6288682f3e..728fe73364 100644 --- a/modules/management/management-group/main.json 
+++ b/modules/management/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13700903894139474584" + "version": "0.22.6.54827", + "templateHash": "10015491334460357572" }, "name": "Management Groups", "description": "This template will prepare the management group structure based on the provided parameter.\r\n\r\nThis module has some known **limitations**:\r\n- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)\r\n- It can't manage the Root (/) management group", diff --git a/modules/net-app/net-app-account/.test/min/main.test.bicep b/modules/net-app/net-app-account/.test/min/main.test.bicep index 389a87065a..509217aef3 100644 --- a/modules/net-app/net-app-account/.test/min/main.test.bicep +++ b/modules/net-app/net-app-account/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index 61958f1328..c589ef8523 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -4,13 +4,13 @@ This module deploys an Azure NetApp File. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,61 +20,29 @@ This module deploys an Azure NetApp File. | `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | | `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the NetApp account. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `capacityPools` | array | `[]` | | Capacity pools to create. | -| `dnsServers` | string | `''` | | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | -| `domainJoinOU` | string | `''` | | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). | -| `domainJoinPassword` | securestring | `''` | | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | -| `domainJoinUser` | string | `''` | | Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | -| `domainName` | string | `''` | | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `smbServerNamePrefix` | string | `''` | | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | -| `tags` | object | `{object}` | | Tags for all resources. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the NetApp account. | -| `resourceGroupName` | string | The name of the Resource Group the NetApp account was created in. | -| `resourceId` | string | The Resource ID of the NetApp account. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/net-app.net-app-account:1.0.0`. -## Deployment examples +- [Using only defaults](#example-1-using-only-defaults) +- [Nfs3](#example-2-nfs3) +- [Nfs41](#example-3-nfs41) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. 
- >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using only defaults_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with the minimum set of required parameters. -

Example 1: Min

via Bicep module ```bicep -module netAppAccount './net-app/net-app-account/main.bicep' = { +module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nanaamin' params: { // Required parameters @@ -112,14 +80,14 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {

-

Example 2: Nfs3

+### Example 2: _Nfs3_
via Bicep module ```bicep -module netAppAccount './net-app/net-app-account/main.bicep' = { +module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nanaanfs3' params: { // Required parameters @@ -339,14 +307,14 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {

-

Example 3: Nfs41

+### Example 3: _Nfs41_
via Bicep module ```bicep -module netAppAccount './net-app/net-app-account/main.bicep' = { +module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nanaanfs41' params: { // Required parameters @@ -589,3 +557,142 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the NetApp account. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`capacityPools`](#parameter-capacitypools) | array | Capacity pools to create. | +| [`dnsServers`](#parameter-dnsservers) | string | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | +| [`domainJoinOU`](#parameter-domainjoinou) | string | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). | +| [`domainJoinPassword`](#parameter-domainjoinpassword) | securestring | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | +| [`domainJoinUser`](#parameter-domainjoinuser) | string | Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | +| [`domainName`](#parameter-domainname) | string | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | +| [`tags`](#parameter-tags) | object | Tags for all resources. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `capacityPools` + +Capacity pools to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dnsServers` + +Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainJoinOU` + +Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainJoinPassword` + +Required if domainName is specified. Password of the user specified in domainJoinUser parameter. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `domainJoinUser` + +Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainName` + +Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the NetApp account. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `smbServerNamePrefix` + +Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags for all resources. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the NetApp account. | +| `resourceGroupName` | string | The name of the Resource Group the NetApp account was created in. | +| `resourceId` | string | The Resource ID of the NetApp account. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index c614fe1313..527a0d6555 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md 
@@ -21,35 +21,119 @@ This module deploys an Azure NetApp Files Capacity Pool. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the capacity pool. | -| `size` | int | Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). | +| [`name`](#parameter-name) | string | The name of the capacity pool. | +| [`size`](#parameter-size) | int | Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `netAppAccountName` | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. | +| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `coolAccess` | bool | `False` | | If enabled (true) the pool can contain cool Access enabled volumes. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionType` | string | `'Single'` | `[Double, Single]` | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | -| `location` | string | `[resourceGroup().location]` | | Location of the pool volume. | -| `qosType` | string | `'Auto'` | `[Auto, Manual]` | The qos type of the pool. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serviceLevel` | string | `'Standard'` | `[Premium, Standard, StandardZRS, Ultra]` | The pool service level. | -| `tags` | object | `{object}` | | Tags for all resources. | -| `volumes` | array | `[]` | | List of volumnes to create in the capacity pool. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`coolAccess`](#parameter-coolaccess) | bool | If enabled (true) the pool can contain cool Access enabled volumes. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`encryptionType`](#parameter-encryptiontype) | string | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | +| [`location`](#parameter-location) | string | Location of the pool volume. | +| [`qosType`](#parameter-qostype) | string | The qos type of the pool. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. | +| [`tags`](#parameter-tags) | object | Tags for all resources. | +| [`volumes`](#parameter-volumes) | array | List of volumnes to create in the capacity pool. | + +### Parameter: `coolAccess` + +If enabled (true) the pool can contain cool Access enabled volumes. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `encryptionType` + +Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. +- Required: No +- Type: string +- Default: `'Single'` +- Allowed: `[Double, Single]` + +### Parameter: `location` + +Location of the pool volume. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the capacity pool. +- Required: Yes +- Type: string + +### Parameter: `netAppAccountName` + +The name of the parent NetApp account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `qosType` + +The qos type of the pool. +- Required: No +- Type: string +- Default: `'Auto'` +- Allowed: `[Auto, Manual]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceLevel` + +The pool service level. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Premium, Standard, StandardZRS, Ultra]` + +### Parameter: `size` + +Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). +- Required: Yes +- Type: int + +### Parameter: `tags` + +Tags for all resources. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `volumes` + +List of volumnes to create in the capacity pool. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the Capacity Pool. | diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json index 0ef41ba698..799fc661e7 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.json +++ b/modules/net-app/net-app-account/capacity-pool/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13333372953499047799" + "version": "0.22.6.54827", + "templateHash": "12343130799883120576" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -191,8 +191,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5724175752968001086" + "version": "0.22.6.54827", + "templateHash": "14691007687090359135" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -348,8 +348,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6579931820257793193" + "version": "0.22.6.54827", + "templateHash": "11293747403075474966" } }, "parameters": { @@ -533,8 +533,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6567527079478034080" + "version": "0.22.6.54827", + "templateHash": "121785236396056059" } }, "parameters": { diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index 1996ecba95..c0d9409c13 100644 
--- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md 
@@ -20,35 +20,115 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the pool volume. | -| `subnetResourceId` | string | The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. | -| `usageThreshold` | int | Maximum storage quota allowed for a file system in bytes. | +| [`name`](#parameter-name) | string | The name of the pool volume. | +| [`subnetResourceId`](#parameter-subnetresourceid) | string | The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. | +| [`usageThreshold`](#parameter-usagethreshold) | int | Maximum storage quota allowed for a file system in bytes. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `capacityPoolName` | string | The name of the parent capacity pool. Required if the template is used in a standalone deployment. | -| `netAppAccountName` | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. | +| [`capacityPoolName`](#parameter-capacitypoolname) | string | The name of the parent capacity pool. Required if the template is used in a standalone deployment. | +| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `creationToken` | string | `[parameters('name')]` | | A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `exportPolicyRules` | array | `[]` | | Export policy rules. | -| `location` | string | `[resourceGroup().location]` | | Location of the pool volume. | -| `protocolTypes` | array | `[]` | | Set of protocol types. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serviceLevel` | string | `'Standard'` | `[Premium, Standard, StandardZRS, Ultra]` | The pool service level. Must match the one of the parent capacity pool. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`creationToken`](#parameter-creationtoken) | string | A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. | +| [`location`](#parameter-location) | string | Location of the pool volume. | +| [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. | + +### Parameter: `capacityPoolName` + +The name of the parent capacity pool. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `creationToken` + +A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. +- Required: No +- Type: string +- Default: `[parameters('name')]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `exportPolicyRules` + +Export policy rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location of the pool volume. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the pool volume. +- Required: Yes +- Type: string + +### Parameter: `netAppAccountName` + +The name of the parent NetApp account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `protocolTypes` + +Set of protocol types. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceLevel` + +The pool service level. Must match the one of the parent capacity pool. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Premium, Standard, StandardZRS, Ultra]` + +### Parameter: `subnetResourceId` + +The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. +- Required: Yes +- Type: string + +### Parameter: `usageThreshold` + +Maximum storage quota allowed for a file system in bytes. +- Required: Yes +- Type: int ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the Volume. | diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.json b/modules/net-app/net-app-account/capacity-pool/volume/main.json index 49b126bd4d..67e9e039f4 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/main.json +++ b/modules/net-app/net-app-account/capacity-pool/volume/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5724175752968001086" + "version": "0.22.6.54827", + "templateHash": "14691007687090359135" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -161,8 +161,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6579931820257793193" + "version": "0.22.6.54827", + "templateHash": "11293747403075474966" } }, "parameters": { 
diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json index 0a493368ff..60bd7acee6 100644 --- a/modules/net-app/net-app-account/main.json +++ b/modules/net-app/net-app-account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5672083206908645861" + "version": "0.22.6.54827", + "templateHash": "5505435135426261272" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", @@ -204,8 +204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7683969196599898101" + "version": "0.22.6.54827", + "templateHash": "4540603330973895229" } }, "parameters": { @@ -361,8 +361,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10886668033150864965" + "version": "0.22.6.54827", + "templateHash": "12343130799883120576" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -548,8 +548,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5786364369491933087" + "version": "0.22.6.54827", + "templateHash": "14691007687090359135" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -705,8 +705,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9382580519288369520" + "version": "0.22.6.54827", + "templateHash": "11293747403075474966" } }, "parameters": { @@ -890,8 +890,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3927269100657288300" + "version": "0.22.6.54827", + "templateHash": "121785236396056059" } }, "parameters": { 
diff --git a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep index f9b166f85c..0c71d78598 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep +++ b/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index ecc3fd56fa..97b54c1336 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -5,10 +5,10 @@ This module deploys an Application Gateway Web Application Firewall (WAF) Policy ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -16,54 +16,27 @@ This module deploys an Application Gateway Web Application Firewall (WAF) Policy | :-- | :-- | | `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/ApplicationGatewayWebApplicationFirewallPolicies) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Application Gateway WAF policy. | - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `customRules` | array | `[]` | The custom rules inside the policy. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `managedRules` | object | `{object}` | Describes the managedRules structure. | -| `policySettings` | object | `{object}` | The PolicySettings for policy. | -| `tags` | object | `{object}` | Resource tags. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application gateway WAF policy. | -| `resourceGroupName` | string | The resource group the application gateway WAF policy was deployed into. | -| `resourceId` | string | The resource ID of the application gateway WAF policy. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module applicationGatewayWebApplicationFirewallPolicy './network/application-gateway-web-application-firewall-policy/main.bicep' = { +module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nagwafpcom' params: { // Required parameters @@ -154,3 +127,85 @@ module applicationGatewayWebApplicationFirewallPolicy './network/application-gat

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Application Gateway WAF policy. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customRules`](#parameter-customrules) | array | The custom rules inside the policy. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | +| [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `customRules` + +The custom rules inside the policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `managedRules` + +Describes the managedRules structure. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Name of the Application Gateway WAF policy. +- Required: Yes +- Type: string + +### Parameter: `policySettings` + +The PolicySettings for policy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the application gateway WAF policy. 
| +| `resourceGroupName` | string | The resource group the application gateway WAF policy was deployed into. | +| `resourceId` | string | The resource ID of the application gateway WAF policy. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.json b/modules/network/application-gateway-web-application-firewall-policy/main.json index 3586f21c15..9c0a3caeb5 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/main.json +++ b/modules/network/application-gateway-web-application-firewall-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1454714316313419889" + "version": "0.22.6.54827", + "templateHash": "1301728261383253712" }, "name": "Application Gateway Web Application Firewall (WAF) Policies", "description": "This module deploys an Application Gateway Web Application Firewall (WAF) Policy.", diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep index 9c66f3fa8e..548ada9bbd 100644 --- a/modules/network/application-gateway/.test/common/main.test.bicep +++ b/modules/network/application-gateway/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index b8e66e159f..aaee08b326 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md 
@@ -5,10 +5,10 @@ This module deploys a Network Application Gateway. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -21,103 +21,27 @@ This module deploys a Network Application Gateway. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Application Gateway. | +## Usage examples -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authenticationCertificates` | array | `[]` | | Authentication certificates of the application gateway resource. | -| `autoscaleMaxCapacity` | int | `-1` | | Upper bound on number of Application Gateway capacity. | -| `autoscaleMinCapacity` | int | `-1` | | Lower bound on number of Application Gateway capacity. | -| `backendAddressPools` | array | `[]` | | Backend address pool of the application gateway resource. | -| `backendHttpSettingsCollection` | array | `[]` | | Backend http settings of the application gateway resource. | -| `backendSettingsCollection` | array | `[]` | | Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | -| `capacity` | int | `2` | | The number of Application instances to be configured. | -| `customErrorConfigurations` | array | `[]` | | Custom error configurations of the application gateway resource. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog, ApplicationGatewayPerformanceLog]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableFips` | bool | `False` | | Whether FIPS is enabled on the application gateway resource. | -| `enableHttp2` | bool | `False` | | Whether HTTP2 is enabled on the application gateway resource. | -| `enableRequestBuffering` | bool | `False` | | Enable request buffering. | -| `enableResponseBuffering` | bool | `False` | | Enable response buffering. | -| `firewallPolicyId` | string | `''` | | The resource ID of an associated firewall policy. 
Should be configured for security reasons. | -| `frontendIPConfigurations` | array | `[]` | | Frontend IP addresses of the application gateway resource. | -| `frontendPorts` | array | `[]` | | Frontend ports of the application gateway resource. | -| `gatewayIPConfigurations` | array | `[]` | | Subnets of the application gateway resource. | -| `httpListeners` | array | `[]` | | Http listeners of the application gateway resource. | -| `listeners` | array | `[]` | | Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | -| `loadDistributionPolicies` | array | `[]` | | Load distribution policies of the application gateway resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `privateLinkConfigurations` | array | `[]` | | PrivateLink configurations on application gateway. | -| `probes` | array | `[]` | | Probes of the application gateway resource. | -| `redirectConfigurations` | array | `[]` | | Redirect configurations of the application gateway resource. | -| `requestRoutingRules` | array | `[]` | | Request routing rules of the application gateway resource. | -| `rewriteRuleSets` | array | `[]` | | Rewrite rules for the application gateway resource. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `routingRules` | array | `[]` | | Routing rules of the application gateway resource. | -| `sku` | string | `'WAF_Medium'` | `[Standard_Large, Standard_Medium, Standard_Small, Standard_v2, WAF_Large, WAF_Medium, WAF_v2]` | The name of the SKU for the Application Gateway. | -| `sslCertificates` | array | `[]` | | SSL certificates of the application gateway resource. | -| `sslPolicyCipherSuites` | array | `[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]` | `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` | Ssl cipher suites to be enabled in the specified order to application gateway. | -| `sslPolicyMinProtocolVersion` | string | `'TLSv1_2'` | `[TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3]` | Ssl protocol enums. 
| -| `sslPolicyName` | string | `''` | `['', AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S]` | Ssl predefined policy name enums. | -| `sslPolicyType` | string | `'Custom'` | `[Custom, CustomV2, Predefined]` | Type of Ssl Policy. | -| `sslProfiles` | array | `[]` | | SSL profiles of the application gateway resource. | -| `tags` | object | `{object}` | | Resource tags. | -| `trustedClientCertificates` | array | `[]` | | Trusted client certificates of the application gateway resource. | -| `trustedRootCertificates` | array | `[]` | | Trusted Root certificates of the application gateway resource. | -| `urlPathMaps` | array | `[]` | | URL path map of the application gateway resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `webApplicationFirewallConfiguration` | object | `{object}` | | Application gateway web application firewall configuration. Should be configured for security reasons. | -| `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. | - - -## Outputs +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application gateway. | -| `resourceGroupName` | string | The resource group the application gateway was deployed into. | -| `resourceId` | string | The resource ID of the application gateway. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module applicationGateway './network/application-gateway/main.bicep' = { +module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nagcom' params: { // Required parameters @@ -1024,3 +948,457 @@ module applicationGateway './network/application-gateway/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Application Gateway. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authenticationCertificates`](#parameter-authenticationcertificates) | array | Authentication certificates of the application gateway resource. | +| [`autoscaleMaxCapacity`](#parameter-autoscalemaxcapacity) | int | Upper bound on number of Application Gateway capacity. | +| [`autoscaleMinCapacity`](#parameter-autoscalemincapacity) | int | Lower bound on number of Application Gateway capacity. | +| [`backendAddressPools`](#parameter-backendaddresspools) | array | Backend address pool of the application gateway resource. | +| [`backendHttpSettingsCollection`](#parameter-backendhttpsettingscollection) | array | Backend http settings of the application gateway resource. | +| [`backendSettingsCollection`](#parameter-backendsettingscollection) | array | Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | +| [`capacity`](#parameter-capacity) | int | The number of Application instances to be configured. | +| [`customErrorConfigurations`](#parameter-customerrorconfigurations) | array | Custom error configurations of the application gateway resource. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableFips`](#parameter-enablefips) | bool | Whether FIPS is enabled on the application gateway resource. | +| [`enableHttp2`](#parameter-enablehttp2) | bool | Whether HTTP2 is enabled on the application gateway resource. | +| [`enableRequestBuffering`](#parameter-enablerequestbuffering) | bool | Enable request buffering. | +| [`enableResponseBuffering`](#parameter-enableresponsebuffering) | bool | Enable response buffering. | +| [`firewallPolicyId`](#parameter-firewallpolicyid) | string | The resource ID of an associated firewall policy. Should be configured for security reasons. 
| +| [`frontendIPConfigurations`](#parameter-frontendipconfigurations) | array | Frontend IP addresses of the application gateway resource. | +| [`frontendPorts`](#parameter-frontendports) | array | Frontend ports of the application gateway resource. | +| [`gatewayIPConfigurations`](#parameter-gatewayipconfigurations) | array | Subnets of the application gateway resource. | +| [`httpListeners`](#parameter-httplisteners) | array | Http listeners of the application gateway resource. | +| [`listeners`](#parameter-listeners) | array | Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | +| [`loadDistributionPolicies`](#parameter-loaddistributionpolicies) | array | Load distribution policies of the application gateway resource. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`privateLinkConfigurations`](#parameter-privatelinkconfigurations) | array | PrivateLink configurations on application gateway. | +| [`probes`](#parameter-probes) | array | Probes of the application gateway resource. | +| [`redirectConfigurations`](#parameter-redirectconfigurations) | array | Redirect configurations of the application gateway resource. | +| [`requestRoutingRules`](#parameter-requestroutingrules) | array | Request routing rules of the application gateway resource. | +| [`rewriteRuleSets`](#parameter-rewriterulesets) | array | Rewrite rules for the application gateway resource. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`routingRules`](#parameter-routingrules) | array | Routing rules of the application gateway resource. | +| [`sku`](#parameter-sku) | string | The name of the SKU for the Application Gateway. | +| [`sslCertificates`](#parameter-sslcertificates) | array | SSL certificates of the application gateway resource. | +| [`sslPolicyCipherSuites`](#parameter-sslpolicyciphersuites) | array | Ssl cipher suites to be enabled in the specified order to application gateway. | +| [`sslPolicyMinProtocolVersion`](#parameter-sslpolicyminprotocolversion) | string | Ssl protocol enums. | +| [`sslPolicyName`](#parameter-sslpolicyname) | string | Ssl predefined policy name enums. | +| [`sslPolicyType`](#parameter-sslpolicytype) | string | Type of Ssl Policy. | +| [`sslProfiles`](#parameter-sslprofiles) | array | SSL profiles of the application gateway resource. | +| [`tags`](#parameter-tags) | object | Resource tags. | +| [`trustedClientCertificates`](#parameter-trustedclientcertificates) | array | Trusted client certificates of the application gateway resource. | +| [`trustedRootCertificates`](#parameter-trustedrootcertificates) | array | Trusted Root certificates of the application gateway resource. | +| [`urlPathMaps`](#parameter-urlpathmaps) | array | URL path map of the application gateway resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. 
| +| [`webApplicationFirewallConfiguration`](#parameter-webapplicationfirewallconfiguration) | object | Application gateway web application firewall configuration. Should be configured for security reasons. | +| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | + +### Parameter: `authenticationCertificates` + +Authentication certificates of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `autoscaleMaxCapacity` + +Upper bound on number of Application Gateway capacity. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `autoscaleMinCapacity` + +Lower bound on number of Application Gateway capacity. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `backendAddressPools` + +Backend address pool of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `backendHttpSettingsCollection` + +Backend http settings of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `backendSettingsCollection` + +Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `capacity` + +The number of Application instances to be configured. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `customErrorConfigurations` + +Custom error configurations of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog, ApplicationGatewayPerformanceLog]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableFips` + +Whether FIPS is enabled on the application gateway resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableHttp2` + +Whether HTTP2 is enabled on the application gateway resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableRequestBuffering` + +Enable request buffering. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableResponseBuffering` + +Enable response buffering. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `firewallPolicyId` + +The resource ID of an associated firewall policy. Should be configured for security reasons. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `frontendIPConfigurations` + +Frontend IP addresses of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `frontendPorts` + +Frontend ports of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `gatewayIPConfigurations` + +Subnets of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `httpListeners` + +Http listeners of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `listeners` + +Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `loadDistributionPolicies` + +Load distribution policies of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Application Gateway. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `privateLinkConfigurations` + +PrivateLink configurations on application gateway. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `probes` + +Probes of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `redirectConfigurations` + +Redirect configurations of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `requestRoutingRules` + +Request routing rules of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `rewriteRuleSets` + +Rewrite rules for the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `routingRules` + +Routing rules of the application gateway resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The name of the SKU for the Application Gateway. 
+- Required: No
+- Type: string
+- Default: `'WAF_Medium'`
+- Allowed: `[Standard_Large, Standard_Medium, Standard_Small, Standard_v2, WAF_Large, WAF_Medium, WAF_v2]`
+
+### Parameter: `sslCertificates`
+
+SSL certificates of the application gateway resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `sslPolicyCipherSuites`
+
+Ssl cipher suites to be enabled in the specified order to application gateway.
+- Required: No
+- Type: array
+- Default: `[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]`
+- Allowed: `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]`
+
+### Parameter: `sslPolicyMinProtocolVersion`
+
+Ssl protocol enums.
+- Required: No
+- Type: string
+- Default: `'TLSv1_2'`
+- Allowed: `[TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3]`
+
+### Parameter: `sslPolicyName`
+
+Ssl predefined policy name enums.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S]`
+
+### Parameter: `sslPolicyType`
+
+Type of Ssl Policy.
+- Required: No
+- Type: string
+- Default: `'Custom'`
+- Allowed: `[Custom, CustomV2, Predefined]`
+
+### Parameter: `sslProfiles`
+
+SSL profiles of the application gateway resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Resource tags.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `trustedClientCertificates`
+
+Trusted client certificates of the application gateway resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `trustedRootCertificates`
+
+Trusted Root certificates of the application gateway resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `urlPathMaps`
+
+URL path map of the application gateway resource.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `webApplicationFirewallConfiguration`
+
+Application gateway web application firewall configuration. Should be configured for security reasons.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `zones`
+
+A list of availability zones denoting where the resource needs to come from.
+- Required: No
+- Type: array
+- Default: `[]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the application gateway. |
+| `resourceGroupName` | string | The resource group the application gateway was deployed into. |
+| `resourceId` | string | The resource ID of the application gateway.
|
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index 60b0d828c3..c1c3844517 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7571026279371080579"
+ "version": "0.22.6.54827",
+ "templateHash": "214441703213354743"
 },
 "name": "Network Application Gateways",
 "description": "This module deploys a Network Application Gateway.",
@@ -587,8 +587,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -787,8 +787,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -925,8 +925,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
@@ -1139,8 +1139,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5981161114261866158" + "version": "0.22.6.54827", + "templateHash": "4623397595540345983" } }, "parameters": { diff --git a/modules/network/application-security-group/.test/common/main.test.bicep b/modules/network/application-security-group/.test/common/main.test.bicep index 8f996a1349..d97c89d410 100644 --- a/modules/network/application-security-group/.test/common/main.test.bicep +++ b/modules/network/application-security-group/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 6b5150d961..dd4a0b47e3 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -5,10 +5,10 @@ This module deploys an Application Security Group (ASG). ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,53 +18,27 @@ This module deploys an Application Security Group (ASG).
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Network/applicationSecurityGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/applicationSecurityGroups) |
-## Parameters
+## Usage examples
-**Required parameters**
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Application Security Group. |
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-**Optional parameters**
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-security-group:1.0.0`.
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `tags` | object | `{object}` | | Tags of the resource.
| - - -## Outputs +- [Using large parameter set](#example-1-using-large-parameter-set) -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the application security group. | -| `resourceGroupName` | string | The resource group the application security group was deployed into. | -| `resourceId` | string | The resource ID of the application security group. | +### Example 1: _Using large parameter set_ -## Cross-referenced modules +This instance deploys the module with most of its features enabled. -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module applicationSecurityGroup './network/application-security-group/main.bicep' = { +module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nasgcom' params: { // Required parameters @@ -137,3 +111,78 @@ module applicationSecurityGroup './network/application-security-group/main.bicep

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Application Security Group. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Application Security Group.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the application security group. |
+| `resourceGroupName` | string | The resource group the application security group was deployed into. |
+| `resourceId` | string | The resource ID of the application security group. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json
index 5cac0b4ccf..a733a611db 100644
--- a/modules/network/application-security-group/main.json
+++ b/modules/network/application-security-group/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9223506282900740503"
+ "version": "0.22.6.54827",
+ "templateHash": "4115045672718601619"
 },
 "name": "Application Security Groups (ASG)",
 "description": "This module deploys an Application Security Group (ASG).",
@@ -130,8 +130,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4152038459218204517"
+ "version": "0.22.6.54827",
+ "templateHash": "1920288953009439364"
 }
 },
 "parameters": {
diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/.test/common/main.test.bicep
index 0bac54906a..17193997bd 100644
--- a/modules/network/azure-firewall/.test/common/main.test.bicep
+++ b/modules/network/azure-firewall/.test/common/main.test.bicep
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/azure-firewall/.test/min/main.test.bicep b/modules/network/azure-firewall/.test/min/main.test.bicep index 9b3e65d2f4..28620b7046 100644 --- a/modules/network/azure-firewall/.test/min/main.test.bicep +++ b/modules/network/azure-firewall/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 58c2d46f73..73137eee0b 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -4,13 +4,13 @@ This module deploys an Azure Firewall. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,91 +20,29 @@ This module deploys an Azure Firewall.
 | `Microsoft.Network/azureFirewalls` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/azureFirewalls) |
 | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Azure Firewall. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `hubIPAddresses` | object | `{object}` | IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. |
-| `virtualHubId` | string | `''` | The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. |
-| `vNetId` | string | `''` | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `additionalPublicIpConfigurations` | array | `[]` | | This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration. |
-| `applicationRuleCollections` | array | `[]` | | Collection of application rule collections used by Azure Firewall. |
-| `azureSkuTier` | string | `'Standard'` | `[Basic, Premium, Standard]` | Tier of an Azure Firewall. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
|
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AzureFirewallApplicationRule, AzureFirewallDnsProxy, AzureFirewallNetworkRule]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Diagnostic Storage Account resource identifier. |
-| `diagnosticWorkspaceId` | string | `''` | | Log Analytics workspace resource identifier. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `firewallPolicyId` | string | `''` | | Resource ID of the Firewall Policy that should be attached. |
-| `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a Public IP should be created by default if one is not provided. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `managementIPAddressObject` | object | `{object}` | | Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. |
-| `managementIPResourceID` | string | `''` | | The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet.
If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet. |
-| `natRuleCollections` | array | `[]` | | Collection of NAT rule collections used by Azure Firewall. |
-| `networkRuleCollections` | array | `[]` | | Collection of network rule collections used by Azure Firewall. |
-| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name. |
-| `publicIPResourceID` | string | `''` | | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `tags` | object | `{object}` | | Tags of the Azure Firewall resource. |
-| `threatIntelMode` | string | `'Deny'` | `[Alert, Deny, Off]` | The operation mode for Threat Intel. |
-| `zones` | array | `[1, 2, 3]` | | Zone numbers e.g. 1,2,3. |
-
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `applicationRuleCollections` | array | List of Application Rule Collections. |
-| `ipConfAzureFirewallSubnet` | object | The Public IP configuration object for the Azure Firewall Subnet. |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the Azure Firewall. |
-| `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall.
| -| `networkRuleCollections` | array | List of Network Rule Collections. | -| `privateIp` | string | The private IP of the Azure firewall. | -| `resourceGroupName` | string | The resource group the Azure firewall was deployed into. | -| `resourceId` | string | The resource ID of the Azure Firewall. | - - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +## Usage examples -| Reference | Type | -| :-- | :-- | -| `network/public-ip-address` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.azure-firewall:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Addpip](#example-1-addpip) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [Custompip](#example-3-custompip) +- [Hubcommon](#example-4-hubcommon) +- [Hubmin](#example-5-hubmin) +- [Using only defaults](#example-6-using-only-defaults) -

Example 1: Addpip

+### Example 1: _Addpip_
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafaddpip' params: { // Required parameters @@ -202,14 +140,17 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafcom' params: { // Required parameters @@ -485,14 +426,14 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

-

Example 3: Custompip

+### Example 3: _Custompip_
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafcstpip' params: { // Required parameters @@ -596,14 +537,14 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

-

Example 4: Hubcommon

+### Example 4: _Hubcommon_
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafhubcom' params: { // Required parameters @@ -673,14 +614,14 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

-

Example 5: Hubmin

+### Example 5: _Hubmin_
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafhubmin' params: { // Required parameters @@ -734,14 +675,17 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

-

Example 6: Min

+### Example 6: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module azureFirewall './network/azure-firewall/main.bicep' = { +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nafmin' params: { // Required parameters @@ -782,3 +726,280 @@ module azureFirewall './network/azure-firewall/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Azure Firewall. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`hubIPAddresses`](#parameter-hubipaddresses) | object | IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. |
+| [`virtualHubId`](#parameter-virtualhubid) | string | The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. |
+| [`vNetId`](#parameter-vnetid) | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`additionalPublicIpConfigurations`](#parameter-additionalpublicipconfigurations) | array | This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration. |
+| [`applicationRuleCollections`](#parameter-applicationrulecollections) | array | Collection of application rule collections used by Azure Firewall. |
+| [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
|
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Diagnostic Storage Account resource identifier. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Log Analytics workspace resource identifier. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
+| [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`managementIPAddressObject`](#parameter-managementipaddressobject) | object | Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. |
+| [`managementIPResourceID`](#parameter-managementipresourceid) | string | The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet.
|
+| [`natRuleCollections`](#parameter-natrulecollections) | array | Collection of NAT rule collections used by Azure Firewall. |
+| [`networkRuleCollections`](#parameter-networkrulecollections) | array | Collection of network rule collections used by Azure Firewall. |
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name. |
+| [`publicIPResourceID`](#parameter-publicipresourceid) | string | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags of the Azure Firewall resource. |
+| [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. |
+| [`zones`](#parameter-zones) | array | Zone numbers e.g. 1,2,3. |
+
+### Parameter: `additionalPublicIpConfigurations`
+
+This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `applicationRuleCollections`
+
+Collection of application rule collections used by Azure Firewall.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `azureSkuTier`
+
+Tier of an Azure Firewall.
+- Required: No
+- Type: string
+- Default: `'Standard'`
+- Allowed: `[Basic, Premium, Standard]`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, AzureFirewallApplicationRule, AzureFirewallDnsProxy, AzureFirewallNetworkRule]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Diagnostic Storage Account resource identifier.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Log Analytics workspace resource identifier.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `firewallPolicyId`
+
+Resource ID of the Firewall Policy that should be attached.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `hubIPAddresses`
+
+IP addresses associated with AzureFirewall.
Required if `virtualHubId` is supplied.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `isCreateDefaultPublicIP`
+
+Specifies if a Public IP should be created by default if one is not provided.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `managementIPAddressObject`
+
+Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `managementIPResourceID`
+
+The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `name`
+
+Name of the Azure Firewall.
+- Required: Yes
+- Type: string
+
+### Parameter: `natRuleCollections`
+
+Collection of NAT rule collections used by Azure Firewall.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `networkRuleCollections`
+
+Collection of network rule collections used by Azure Firewall.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicIPAddressObject`
+
+Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `publicIPResourceID`
+
+The Public IP resource ID to associate to the AzureFirewallSubnet.
If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the Azure Firewall resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `threatIntelMode`
+
+The operation mode for Threat Intel.
+- Required: No
+- Type: string
+- Default: `'Deny'`
+- Allowed: `[Alert, Deny, Off]`
+
+### Parameter: `virtualHubId`
+
+The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `vNetId`
+
+Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `zones`
+
+Zone numbers e.g. 1,2,3.
+- Required: No
+- Type: array
+- Default: `[1, 2, 3]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `applicationRuleCollections` | array | List of Application Rule Collections. |
+| `ipConfAzureFirewallSubnet` | object | The Public IP configuration object for the Azure Firewall Subnet. |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the Azure Firewall.
| +| `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall. | +| `networkRuleCollections` | array | List of Network Rule Collections. | +| `privateIp` | string | The private IP of the Azure firewall. | +| `resourceGroupName` | string | The resource group the Azure firewall was deployed into. | +| `resourceId` | string | The resource ID of the Azure Firewall. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/public-ip-address` | Local reference | diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json index 860263abc5..e51d5158ae 100644 --- a/modules/network/azure-firewall/main.json +++ b/modules/network/azure-firewall/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1618306039549240547" + "version": "0.22.6.54827", + "templateHash": "11388637561853566149" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", @@ -417,8 +417,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1887898957722092173" + "version": "0.22.6.54827", + "templateHash": "4317747709004918530" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -751,8 +751,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7328126239184883887" + "version": "0.22.6.54827", + "templateHash": "9976109177347918049" } }, "parameters": { 
@@ -988,8 +988,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1887898957722092173" + "version": "0.22.6.54827", + "templateHash": "4317747709004918530" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -1322,8 +1322,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7328126239184883887" + "version": "0.22.6.54827", + "templateHash": "9976109177347918049" } }, "parameters": { @@ -1540,8 +1540,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4956524931122744714" + "version": "0.22.6.54827", + "templateHash": "11885290344977420864" } }, "parameters": { diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/.test/common/main.test.bicep index 35ab2e3670..5d384c25e9 100644 --- a/modules/network/bastion-host/.test/common/main.test.bicep +++ b/modules/network/bastion-host/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/bastion-host/.test/min/main.test.bicep b/modules/network/bastion-host/.test/min/main.test.bicep index 5c3fb70bb0..8292377077 100644 --- a/modules/network/bastion-host/.test/min/main.test.bicep +++ b/modules/network/bastion-host/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index b68e8d4c80..8aa5825b04 100644 --- a/modules/network/bastion-host/README.md 
+++ b/modules/network/bastion-host/README.md @@ -5,10 +5,10 @@ This module deploys a Bastion Host. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,75 +20,29 @@ This module deploys a Bastion Host. | `Microsoft.Network/bastionHosts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/bastionHosts) | | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Azure Bastion resource. | -| `vNetId` | string | Shared services Virtual Network resource identifier. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `bastionSubnetPublicIpResourceId` | string | `''` | | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, BastionAuditLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. 
|
-| `disableCopyPaste` | bool | `False` | | Choose to disable or enable Copy Paste. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableFileCopy` | bool | `True` | | Choose to disable or enable File Copy. |
-| `enableIpConnect` | bool | `False` | | Choose to disable or enable IP Connect. |
-| `enableKerberos` | bool | `False` | | Choose to disable or enable Kerberos authentication. |
-| `enableShareableLink` | bool | `False` | | Choose to disable or enable Shareable Link. |
-| `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a Public IP should be created by default if one is not provided. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `scaleUnits` | int | `2` | | The scale units for the Bastion Host resource. |
-| `skuName` | string | `'Basic'` | `[Basic, Standard]` | The SKU of this Bastion Host. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `ipConfAzureBastionSubnet` | object | The Public IPconfiguration object for the AzureBastionSubnet.
| -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name the Azure Bastion. | -| `resourceGroupName` | string | The resource group the Azure Bastion was deployed into. | -| `resourceId` | string | The resource ID the Azure Bastion. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/public-ip-address` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.bastion-host:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Custompip](#example-2-custompip) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module bastionHost './network/bastion-host/main.bicep' = { +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nbhcom' params: { // Required parameters @@ -210,14 +164,14 @@ module bastionHost './network/bastion-host/main.bicep' = {

-

Example 2: Custompip

+### Example 2: _Custompip_
via Bicep module ```bicep -module bastionHost './network/bastion-host/main.bicep' = { +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nbhctmpip' params: { // Required parameters @@ -331,14 +285,17 @@ module bastionHost './network/bastion-host/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module bastionHost './network/bastion-host/main.bicep' = { +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nbhmin' params: { // Required parameters @@ -379,3 +336,220 @@ module bastionHost './network/bastion-host/main.bicep' = {

 
+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Azure Bastion resource. |
+| [`vNetId`](#parameter-vnetid) | string | Shared services Virtual Network resource identifier. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste.
|
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. |
+| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. |
+| [`enableKerberos`](#parameter-enablekerberos) | bool | Choose to disable or enable Kerberos authentication. |
+| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. |
+| [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. |
+| [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `bastionSubnetPublicIpResourceId`
+
+The Public IP resource ID to associate to the azureBastionSubnet.
If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, BastionAuditLogs]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disableCopyPaste`
+
+Choose to disable or enable Copy Paste.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableFileCopy`
+
+Choose to disable or enable File Copy.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableIpConnect`
+
+Choose to disable or enable IP Connect.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableKerberos`
+
+Choose to disable or enable Kerberos authentication.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableShareableLink`
+
+Choose to disable or enable Shareable Link.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `isCreateDefaultPublicIP`
+
+Specifies if a Public IP should be created by default if one is not provided.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Azure Bastion resource.
+- Required: Yes
+- Type: string
+
+### Parameter: `publicIPAddressObject`
+
+Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `scaleUnits`
+
+The scale units for the Bastion Host resource.
+- Required: No
+- Type: int
+- Default: `2`
+
+### Parameter: `skuName`
+
+The SKU of this Bastion Host.
+- Required: No
+- Type: string
+- Default: `'Basic'`
+- Allowed: `[Basic, Standard]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vNetId` + +Shared services Virtual Network resource identifier. +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `ipConfAzureBastionSubnet` | object | The Public IPconfiguration object for the AzureBastionSubnet. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name the Azure Bastion. | +| `resourceGroupName` | string | The resource group the Azure Bastion was deployed into. | +| `resourceId` | string | The resource ID the Azure Bastion. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/public-ip-address` | Local reference | diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json index 0370ab6fdd..ab504b7428 100644 --- a/modules/network/bastion-host/main.json +++ b/modules/network/bastion-host/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17208156201497944921" + "version": "0.22.6.54827", + "templateHash": "18039554301844568366" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", @@ -326,8 +326,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1887898957722092173" + "version": "0.22.6.54827", + "templateHash": "4317747709004918530" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -660,8 +660,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7328126239184883887" + "version": "0.22.6.54827", + "templateHash": "9976109177347918049" } }, "parameters": { @@ -878,8 +878,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5797020701488147835" + "version": "0.22.6.54827", + "templateHash": "7732571198100682148" } }, "parameters": { diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index a8e9cf6573..7275058f5a 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md 
@@ -4,83 +4,38 @@ This module deploys a Virtual Network Gateway Connection. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Network/connections` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/connections) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Remote connection name. | -| `virtualNetworkGateway1` | object | The primary Virtual Network Gateway. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authorizationKey` | securestring | `''` | | The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. | -| `connectionMode` | string | `'Default'` | `[Default, InitiatorOnly, ResponderOnly]` | The connection connectionMode for this connection. Available for IPSec connections. | -| `connectionProtocol` | string | `'IKEv2'` | `[IKEv1, IKEv2]` | Connection connectionProtocol used for this connection. Available for IPSec connections. 
|
-| `connectionType` | string | `'IPsec'` | `[ExpressRoute, IPsec, Vnet2Vnet, VPNClient]` | Gateway connection connectionType. |
-| `customIPSecPolicy` | object | `{object}` | | The IPSec Policies to be considered by this connection. |
-| `dpdTimeoutSeconds` | int | `45` | | The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. |
-| `enableBgp` | bool | `False` | | Value to specify if BGP is enabled or not. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enablePrivateLinkFastPath` | bool | `False` | | Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route. |
-| `expressRouteGatewayBypass` | bool | `False` | | Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. |
-| `localNetworkGateway2` | object | `{object}` | | The local network gateway. Used for connection type [IPsec]. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the connectionType of lock. |
-| `peer` | object | `{object}` | | The remote peer. Used for connection connectionType [ExpressRoute]. |
-| `routingWeight` | int | `-1` | | The weight added to routes learned from this BGP speaker. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `useLocalAzureIpAddress` | bool | `False` | | Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property.
| -| `usePolicyBasedTrafficSelectors` | bool | `False` | | Enable policy-based traffic selectors. | -| `virtualNetworkGateway2` | object | `{object}` | | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. | -| `vpnSharedKey` | securestring | `''` | | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.connection:1.0.0`. +- [Vnet2vnet](#example-1-vnet2vnet) -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remote connection. | -| `resourceGroupName` | string | The resource group the remote connection was deployed into. | -| `resourceId` | string | The resource ID of the remote connection. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Vnet2vnet

+### Example 1: _Vnet2vnet_
via Bicep module ```bicep -module connection './network/connection/main.bicep' = { +module connection 'br:bicep/modules/network.connection:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ncvtv' params: { // Required parameters @@ -163,6 +118,210 @@ module connection './network/connection/main.bicep' = {

 
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Remote connection name. |
+| [`virtualNetworkGateway1`](#parameter-virtualnetworkgateway1) | object | The primary Virtual Network Gateway. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`authorizationKey`](#parameter-authorizationkey) | securestring | The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. |
+| [`connectionMode`](#parameter-connectionmode) | string | The connection connectionMode for this connection. Available for IPSec connections. |
+| [`connectionProtocol`](#parameter-connectionprotocol) | string | Connection connectionProtocol used for this connection. Available for IPSec connections. |
+| [`connectionType`](#parameter-connectiontype) | string | Gateway connection connectionType. |
+| [`customIPSecPolicy`](#parameter-customipsecpolicy) | object | The IPSec Policies to be considered by this connection. |
+| [`dpdTimeoutSeconds`](#parameter-dpdtimeoutseconds) | int | The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. |
+| [`enableBgp`](#parameter-enablebgp) | bool | Value to specify if BGP is enabled or not. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enablePrivateLinkFastPath`](#parameter-enableprivatelinkfastpath) | bool | Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route.
| +| [`expressRouteGatewayBypass`](#parameter-expressroutegatewaybypass) | bool | Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. | +| [`localNetworkGateway2`](#parameter-localnetworkgateway2) | object | The local network gateway. Used for connection type [IPsec]. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the connectionType of lock. | +| [`peer`](#parameter-peer) | object | The remote peer. Used for connection connectionType [ExpressRoute]. | +| [`routingWeight`](#parameter-routingweight) | int | The weight added to routes learned from this BGP speaker. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`useLocalAzureIpAddress`](#parameter-uselocalazureipaddress) | bool | Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. | +| [`usePolicyBasedTrafficSelectors`](#parameter-usepolicybasedtrafficselectors) | bool | Enable policy-based traffic selectors. | +| [`virtualNetworkGateway2`](#parameter-virtualnetworkgateway2) | object | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. | +| [`vpnSharedKey`](#parameter-vpnsharedkey) | securestring | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | + +### Parameter: `authorizationKey` + +The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `connectionMode` + +The connection connectionMode for this connection. Available for IPSec connections. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, InitiatorOnly, ResponderOnly]` + +### Parameter: `connectionProtocol` + +Connection connectionProtocol used for this connection. 
Available for IPSec connections. +- Required: No +- Type: string +- Default: `'IKEv2'` +- Allowed: `[IKEv1, IKEv2]` + +### Parameter: `connectionType` + +Gateway connection connectionType. +- Required: No +- Type: string +- Default: `'IPsec'` +- Allowed: `[ExpressRoute, IPsec, Vnet2Vnet, VPNClient]` + +### Parameter: `customIPSecPolicy` + +The IPSec Policies to be considered by this connection. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `dpdTimeoutSeconds` + +The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. +- Required: No +- Type: int +- Default: `45` + +### Parameter: `enableBgp` + +Value to specify if BGP is enabled or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enablePrivateLinkFastPath` + +Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `expressRouteGatewayBypass` + +Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `localNetworkGateway2` + +The local network gateway. Used for connection type [IPsec]. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the connectionType of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Remote connection name. +- Required: Yes +- Type: string + +### Parameter: `peer` + +The remote peer. Used for connection connectionType [ExpressRoute]. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `routingWeight` + +The weight added to routes learned from this BGP speaker. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `useLocalAzureIpAddress` + +Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `usePolicyBasedTrafficSelectors` + +Enable policy-based traffic selectors. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `virtualNetworkGateway1` + +The primary Virtual Network Gateway. +- Required: Yes +- Type: object + +### Parameter: `virtualNetworkGateway2` + +The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vpnSharedKey` + +Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. +- Required: No +- Type: securestring +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the remote connection. | +| `resourceGroupName` | string | The resource group the remote connection was deployed into. | +| `resourceId` | string | The resource ID of the remote connection. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `localNetworkGateway2` 
diff --git a/modules/network/connection/main.json b/modules/network/connection/main.json index 1f36ad5004..e72fe07213 100644 --- a/modules/network/connection/main.json +++ b/modules/network/connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16230225022830179202" + "version": "0.22.6.54827", + "templateHash": "4819464445955431710" }, "name": "Virtual Network Gateway Connections", "description": "This module deploys a Virtual Network Gateway Connection.", diff --git a/modules/network/ddos-protection-plan/.test/common/main.test.bicep b/modules/network/ddos-protection-plan/.test/common/main.test.bicep index fa1ddafb22..07f548e028 100644 --- a/modules/network/ddos-protection-plan/.test/common/main.test.bicep +++ b/modules/network/ddos-protection-plan/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/ddos-protection-plan/.test/min/main.test.bicep b/modules/network/ddos-protection-plan/.test/min/main.test.bicep index b961a7b2e4..3f06befe16 100644 --- a/modules/network/ddos-protection-plan/.test/min/main.test.bicep +++ b/modules/network/ddos-protection-plan/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index d41f975e6c..ce299dd18a 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md 
@@ -4,13 +4,13 @@ This module deploys a DDoS Protection Plan.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -18,53 +18,28 @@ This module deploys a DDoS Protection Plan. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/ddosProtectionPlans` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/ddosProtectionPlans) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the DDoS protection plan to assign the VNET to. | - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DDOS protection plan. | -| `resourceGroupName` | string | The resource group the DDOS protection plan was deployed into. | -| `resourceId` | string | The resource ID of the DDOS protection plan. 
| +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ddos-protection-plan:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module ddosProtectionPlan './network/ddos-protection-plan/main.bicep' = { +module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndppcom' params: { // Required parameters @@ -138,14 +113,17 @@ module ddosProtectionPlan './network/ddos-protection-plan/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module ddosProtectionPlan './network/ddos-protection-plan/main.bicep' = { +module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndppmin' params: { // Required parameters @@ -182,3 +160,78 @@ module ddosProtectionPlan './network/ddos-protection-plan/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the DDoS protection plan to assign the VNET to. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the DDoS protection plan to assign the VNET to. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the DDOS protection plan. | +| `resourceGroupName` | string | The resource group the DDOS protection plan was deployed into. | +| `resourceId` | string | The resource ID of the DDOS protection plan. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index da760e0ac6..f67227f30a 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4598977816480625428" + "version": "0.22.6.54827", + "templateHash": "10705912154060159414" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", @@ -131,8 +131,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3995691276861378568" + "version": "0.22.6.54827", + "templateHash": "17533391111719842656" } }, "parameters": { diff --git a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep index fb7c7a3a91..1580914504 100644 --- a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep index 43e250ddf4..0d95972412 100644 --- a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index c391b29ada..100d91455b 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -5,10 +5,10 @@ This template deploys an dns forwarding ruleset. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,56 +20,28 @@ This template deploys an dns forwarding ruleset. | `Microsoft.Network/dnsForwardingRulesets/forwardingRules` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/forwardingRules) | | `Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsForwardingRulesets/virtualNetworkLinks) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `dnsResolverOutboundEndpointResourceIds` | array | The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. | -| `name` | string | Name of the DNS Forwarding Ruleset. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `forwardingRules` | array | `[]` | | Array of forwarding rules. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `vNetLinks` | array | `[]` | | Array of virtual network links. 
| +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DNS Forwarding Ruleset. | -| `resourceGroupName` | string | The resource group the DNS Forwarding Ruleset was deployed into. | -| `resourceId` | string | The resource ID of the DNS Forwarding Ruleset. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-forwarding-ruleset:1.0.0`. -## Cross-referenced modules +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -_None_ +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module dnsForwardingRuleset './network/dns-forwarding-ruleset/main.bicep' = { +module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndfrscom' params: { // Required parameters @@ -187,14 +159,17 @@ module dnsForwardingRuleset './network/dns-forwarding-ruleset/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module dnsForwardingRuleset './network/dns-forwarding-ruleset/main.bicep' = { +module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndfrsmin' params: { // Required parameters @@ -239,3 +214,101 @@ module dnsForwardingRuleset './network/dns-forwarding-ruleset/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dnsResolverOutboundEndpointResourceIds`](#parameter-dnsresolveroutboundendpointresourceids) | array | The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. | +| [`name`](#parameter-name) | string | Name of the DNS Forwarding Ruleset. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`forwardingRules`](#parameter-forwardingrules) | array | Array of forwarding rules. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`vNetLinks`](#parameter-vnetlinks) | array | Array of virtual network links. | + +### Parameter: `dnsResolverOutboundEndpointResourceIds` + +The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `forwardingRules` + +Array of forwarding rules. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the DNS Forwarding Ruleset. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vNetLinks` + +Array of virtual network links. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the DNS Forwarding Ruleset. | +| `resourceGroupName` | string | The resource group the DNS Forwarding Ruleset was deployed into. | +| `resourceId` | string | The resource ID of the DNS Forwarding Ruleset. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md index b99f308ee7..7f9b46b23d 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md 
@@ -8,7 +8,6 @@ This template deploys Forwarding Rule in a Dns Forwarding Ruleset.
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -20,31 +19,84 @@ This template deploys Forwarding Rule in a Dns Forwarding Ruleset. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `domainName` | string | The domain name for the forwarding rule. | -| `name` | string | Name of the Forwarding Rule. | -| `targetDnsServers` | array | DNS servers to forward the DNS query to. | +| [`domainName`](#parameter-domainname) | string | The domain name for the forwarding rule. | +| [`name`](#parameter-name) | string | Name of the Forwarding Rule. | +| [`targetDnsServers`](#parameter-targetdnsservers) | array | DNS servers to forward the DNS query to. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsForwardingRulesetName` | string | Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment. | +| [`dnsForwardingRulesetName`](#parameter-dnsforwardingrulesetname) | string | Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `forwardingRuleState` | string | `'Enabled'` | `[Disabled, Enabled]` | The state of forwarding rule. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `metadata` | object | `{object}` | | Metadata attached to the forwarding rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`forwardingRuleState`](#parameter-forwardingrulestate) | string | The state of forwarding rule. 
| +| [`location`](#parameter-location) | string | Location for all resources. | +| [`metadata`](#parameter-metadata) | object | Metadata attached to the forwarding rule. | + +### Parameter: `dnsForwardingRulesetName` + +Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `domainName` + +The domain name for the forwarding rule. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `forwardingRuleState` + +The state of forwarding rule. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `metadata` + +Metadata attached to the forwarding rule. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Name of the Forwarding Rule. +- Required: Yes +- Type: string + +### Parameter: `targetDnsServers` + +DNS servers to forward the DNS query to. +- Required: Yes +- Type: array ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Forwarding Rule. | | `resourceGroupName` | string | The resource group the Forwarding Rule was deployed into. | @@ -53,69 +105,3 @@ This template deploys Forwarding Rule in a Dns Forwarding Ruleset. ## Cross-referenced modules _None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module dnsForwardingRulesets './Microsoft.Network/dnsForwardingRulesets/deploy.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrscom' - params: { - // Required parameters - dnsResolverOutboundEndpointId: '' - name: '[[namePrefix]]ndfrscom001' - // Non-required parameters - enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dnsResolverOutboundEndpointId": { - "value": "" - }, - "name": { - "value": "[[namePrefix]]ndfrscom001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json index 4d23c6d66f..398ba866ee 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9007779430484184440" + "version": "0.22.6.54827", + "templateHash": "14481617304679147684" }, "name": "Dns Forwarding Rulesets Forwarding Rules", "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.", diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json index e1335f72c5..19ee04a44f 100644 --- a/modules/network/dns-forwarding-ruleset/main.json +++ b/modules/network/dns-forwarding-ruleset/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1553146733132520499" + "version": "0.22.6.54827", + "templateHash": "3259269947258844338" }, "name": "Dns Forwarding Rulesets", "description": "This template deploys an dns forwarding ruleset.", @@ -163,8 +163,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18119021871235878699" + "version": "0.22.6.54827", + "templateHash": "14481617304679147684" }, "name": "Dns Forwarding Rulesets Forwarding Rules", "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.", @@ -310,8 +310,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9549351328560052808" + "version": "0.22.6.54827", + "templateHash": "13868433916800604215" }, "name": "Dns Forwarding Rulesets Virtual Network Links", "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.", 
@@ -441,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5837323048310954906" + "version": "0.22.6.54827", + "templateHash": "8279185746379392662" } }, "parameters": { diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md b/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md index 8fa0d6c219..af8b359da9 100644 --- a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md +++ b/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md 
@@ -19,28 +19,61 @@ This template deploys Virtual Network Link in a Dns Forwarding Ruleset. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualNetworkResourceId` | string | Link to another virtual network resource ID. | +| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Link to another virtual network resource ID. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsForwardingRulesetName` | string | The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment. | +| [`dnsForwardingRulesetName`](#parameter-dnsforwardingrulesetname) | string | The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | The location of the PrivateDNSZone. Should be global. | -| `name` | string | `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` | The name of the virtual network link. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | +| [`name`](#parameter-name) | string | The name of the virtual network link. | + +### Parameter: `dnsForwardingRulesetName` + +The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the PrivateDNSZone. Should be global. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `name` + +The name of the virtual network link. +- Required: No +- Type: string +- Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` + +### Parameter: `virtualNetworkResourceId` + +Link to another virtual network resource ID. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed virtual network link. | | `resourceGroupName` | string | The resource group of the deployed virtual network link. | diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json index f41aa5933d..ac505b8cef 100644 --- a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json +++ b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13969101007511584177" + "version": "0.22.6.54827", + "templateHash": "13868433916800604215" }, "name": "Dns Forwarding Rulesets Virtual Network Links", "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.", diff --git a/modules/network/dns-resolver/.test/common/main.test.bicep b/modules/network/dns-resolver/.test/common/main.test.bicep index 87c839c618..10ca18a16f 100644 --- a/modules/network/dns-resolver/.test/common/main.test.bicep +++ b/modules/network/dns-resolver/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index cc337017bd..682f0e5b10 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -5,10 +5,10 @@ This module deploys a DNS Resolver. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,56 +20,27 @@ This module deploys a DNS Resolver. | `Microsoft.Network/dnsResolvers/inboundEndpoints` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsResolvers/inboundEndpoints) | | `Microsoft.Network/dnsResolvers/outboundEndpoints` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/dnsResolvers/outboundEndpoints) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Private DNS Resolver. | -| `virtualNetworkId` | string | ResourceId of the virtual network to attach the Private DNS Resolver to. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `inboundEndpoints` | array | `[]` | | Inbound Endpoints for Private DNS Resolver. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `outboundEndpoints` | array | `[]` | | Outbound Endpoints for Private DNS Resolver. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Private DNS Resolver. | -| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | -| `resourceId` | string | The resource ID of the Private DNS Resolver. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-resolver:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module dnsResolver './network/dns-resolver/main.bicep' = { +module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndrcom' params: { // Required parameters @@ -150,3 +121,101 @@ module dnsResolver './network/dns-resolver/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Private DNS Resolver. | +| [`virtualNetworkId`](#parameter-virtualnetworkid) | string | ResourceId of the virtual network to attach the Private DNS Resolver to. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`inboundEndpoints`](#parameter-inboundendpoints) | array | Inbound Endpoints for Private DNS Resolver. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`outboundEndpoints`](#parameter-outboundendpoints) | array | Outbound Endpoints for Private DNS Resolver. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `inboundEndpoints` + +Inbound Endpoints for Private DNS Resolver. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Private DNS Resolver. +- Required: Yes +- Type: string + +### Parameter: `outboundEndpoints` + +Outbound Endpoints for Private DNS Resolver. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkId` + +ResourceId of the virtual network to attach the Private DNS Resolver to. +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Private DNS Resolver. | +| `resourceGroupName` | string | The resource group the Private DNS Resolver was deployed into. | +| `resourceId` | string | The resource ID of the Private DNS Resolver. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json index 0ec0f996bf..f4fde16620 100644 --- a/modules/network/dns-resolver/main.json +++ b/modules/network/dns-resolver/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3727820015033589972" + "version": "0.22.6.54827", + "templateHash": "317150262818676597" }, "name": "DNS Resolvers", "description": "This module deploys a DNS Resolver.", 
@@ -197,8 +197,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8749643017224763236" + "version": "0.22.6.54827", + "templateHash": "14781577945075842659" } }, "parameters": { diff --git a/modules/network/dns-zone/.test/common/main.test.bicep b/modules/network/dns-zone/.test/common/main.test.bicep index 7fec103202..f23e497864 100644 --- a/modules/network/dns-zone/.test/common/main.test.bicep +++ b/modules/network/dns-zone/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/dns-zone/.test/min/main.test.bicep b/modules/network/dns-zone/.test/min/main.test.bicep index 096c2d1315..99dd5b9612 100644 --- a/modules/network/dns-zone/.test/min/main.test.bicep +++ b/modules/network/dns-zone/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 4e03141daa..cf007e7fc7 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -4,13 +4,13 @@ This module deploys a Public DNS zone. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -28,63 +28,28 @@ This module deploys a Public DNS zone. | `Microsoft.Network/dnsZones/SRV` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/SRV) | | `Microsoft.Network/dnsZones/TXT` | [2018-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-05-01/dnsZones/TXT) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | DNS zone name. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-zone:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `a` | _[a](a/README.md)_ array | `[]` | | Array of A records. | -| `aaaa` | _[aaaa](aaaa/README.md)_ array | `[]` | | Array of AAAA records. | -| `caa` | _[caa](caa/README.md)_ array | `[]` | | Array of CAA records. | -| `cname` | _[cname](cname/README.md)_ array | `[]` | | Array of CNAME records. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | | The location of the dnsZone. Should be global. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `mx` | _[mx](mx/README.md)_ array | `[]` | | Array of MX records. | -| `ns` | _[ns](ns/README.md)_ array | `[]` | | Array of NS records. | -| `ptr` | _[ptr](ptr/README.md)_ array | `[]` | | Array of PTR records. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `soa` | _[soa](soa/README.md)_ array | `[]` | | Array of SOA records. | -| `srv` | _[srv](srv/README.md)_ array | `[]` | | Array of SRV records. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `txt` | _[txt](txt/README.md)_ array | `[]` | | Array of TXT records. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the DNS zone. | -| `resourceGroupName` | string | The resource group the DNS zone was deployed into. | -| `resourceId` | string | The resource ID of the DNS zone. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module dnsZone './network/dns-zone/main.bicep' = { +module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndzcom' params: { // Required parameters @@ -500,14 +465,17 @@ module dnsZone './network/dns-zone/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module dnsZone './network/dns-zone/main.bicep' = { +module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ndzmin' params: { // Required parameters @@ -544,3 +512,158 @@ module dnsZone './network/dns-zone/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | DNS zone name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`a`](#parameter-a) | array | Array of A records. | +| [`aaaa`](#parameter-aaaa) | array | Array of AAAA records. | +| [`caa`](#parameter-caa) | array | Array of CAA records. | +| [`cname`](#parameter-cname) | array | Array of CNAME records. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location of the dnsZone. Should be global. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`mx`](#parameter-mx) | array | Array of MX records. | +| [`ns`](#parameter-ns) | array | Array of NS records. | +| [`ptr`](#parameter-ptr) | array | Array of PTR records. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`soa`](#parameter-soa) | array | Array of SOA records. | +| [`srv`](#parameter-srv) | array | Array of SRV records. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`txt`](#parameter-txt) | array | Array of TXT records. | + +### Parameter: `a` + +Array of A records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `aaaa` + +Array of AAAA records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `caa` + +Array of CAA records. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `cname` + +Array of CNAME records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the dnsZone. Should be global. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `mx` + +Array of MX records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +DNS zone name. +- Required: Yes +- Type: string + +### Parameter: `ns` + +Array of NS records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ptr` + +Array of PTR records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `soa` + +Array of SOA records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `srv` + +Array of SRV records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `txt` + +Array of TXT records. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. 
| +| `name` | string | The name of the DNS zone. | +| `resourceGroupName` | string | The resource group the DNS zone was deployed into. | +| `resourceId` | string | The resource ID of the DNS zone. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md index 243741caa9..0929f596ca 100644 --- a/modules/network/dns-zone/a/README.md +++ b/modules/network/dns-zone/a/README.md 
@@ -20,31 +20,85 @@ This module deploys a Public DNS Zone A record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the A record. | +| [`name`](#parameter-name) | string | The name of the A record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `aRecords` | array | `[]` | The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `targetResourceId` | string | `''` | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). 
Cannot be used in conjuction with the "aRecords" property. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aRecords`](#parameter-arecords) | array | The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `aRecords` + +The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the A record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `targetResourceId` + +A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed A record. | | `resourceGroupName` | string | The resource group of the deployed A record. | diff --git a/modules/network/dns-zone/a/main.json b/modules/network/dns-zone/a/main.json index 003161d55c..9aeb4218f1 100644 --- a/modules/network/dns-zone/a/main.json +++ b/modules/network/dns-zone/a/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5170145363622927115" + "version": "0.22.6.54827", + "templateHash": "6542208080967583866" }, "name": "Public DNS Zone A record", "description": "This module deploys a Public DNS Zone A record.", @@ -127,8 +127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3558751375290910792" + "version": "0.22.6.54827", + "templateHash": "12863297534613170503" } }, "parameters": { diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md index 3ced8d13c1..c4e820ffe6 100644 --- a/modules/network/dns-zone/aaaa/README.md +++ b/modules/network/dns-zone/aaaa/README.md 
@@ -20,31 +20,85 @@ This module deploys a Public DNS Zone AAAA record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the AAAA record. | +| [`name`](#parameter-name) | string | The name of the AAAA record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `targetResourceId` | string | `''` | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). 
Cannot be used in conjuction with the "aRecords" property. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aaaaRecords`](#parameter-aaaarecords) | array | The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `aaaaRecords` + +The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the AAAA record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `targetResourceId` + +A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed AAAA record. | | `resourceGroupName` | string | The resource group of the deployed AAAA record. | diff --git a/modules/network/dns-zone/aaaa/main.json b/modules/network/dns-zone/aaaa/main.json index 9bcf93a5ff..1a9f64999a 100644 --- a/modules/network/dns-zone/aaaa/main.json +++ b/modules/network/dns-zone/aaaa/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14783067103445567469" + "version": "0.22.6.54827", + "templateHash": "3710520452642205212" }, "name": "Public DNS Zone AAAA record", "description": "This module deploys a Public DNS Zone AAAA record.", @@ -127,8 +127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10619447653791643982" + "version": "0.22.6.54827", + "templateHash": "8289108097363297951" } }, "parameters": { diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md index 790b850ff9..9bfa2bb020 100644 --- a/modules/network/dns-zone/caa/README.md +++ b/modules/network/dns-zone/caa/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone CAA record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the CAA record. | +| [`name`](#parameter-name) | string | The name of the CAA record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `caaRecords` | array | `[]` | The list of CAA records in the record set. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`caaRecords`](#parameter-caarecords) | array | The list of CAA records in the record set. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `caaRecords` + +The list of CAA records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the CAA record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed CAA record. 
| | `resourceGroupName` | string | The resource group of the deployed CAA record. | diff --git a/modules/network/dns-zone/caa/main.json b/modules/network/dns-zone/caa/main.json index 01174cacf6..c0b6623111 100644 --- a/modules/network/dns-zone/caa/main.json +++ b/modules/network/dns-zone/caa/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4477853461523597510" + "version": "0.22.6.54827", + "templateHash": "139457689749453308" }, "name": "Public DNS Zone CAA record", "description": "This module deploys a Public DNS Zone CAA record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17740559314627874296" + "version": "0.22.6.54827", + "templateHash": "9470565833545804306" } }, "parameters": { diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md index 761f346b01..d58c077c0d 100644 --- a/modules/network/dns-zone/cname/README.md +++ b/modules/network/dns-zone/cname/README.md 
@@ -20,31 +20,85 @@ This module deploys a Public DNS Zone CNAME record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the CNAME record. | +| [`name`](#parameter-name) | string | The name of the CNAME record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cnameRecord` | object | `{object}` | A CNAME record. Cannot be used in conjuction with the "targetResource" property. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `targetResourceId` | string | `''` | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). 
Cannot be used in conjuction with the "aRecords" property. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cnameRecord`](#parameter-cnamerecord) | object | A CNAME record. Cannot be used in conjuction with the "targetResource" property. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `cnameRecord` + +A CNAME record. Cannot be used in conjuction with the "targetResource" property. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the CNAME record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `targetResourceId` + +A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed CNAME record. | | `resourceGroupName` | string | The resource group of the deployed CNAME record. | diff --git a/modules/network/dns-zone/cname/main.json b/modules/network/dns-zone/cname/main.json index 4f413117dd..78d4dd61c0 100644 --- a/modules/network/dns-zone/cname/main.json +++ b/modules/network/dns-zone/cname/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16690614046545500600" + "version": "0.22.6.54827", + "templateHash": "9638487977820751575" }, "name": "Public DNS Zone CNAME record", "description": "This module deploys a Public DNS Zone CNAME record.", @@ -127,8 +127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1579300133069941204" + "version": "0.22.6.54827", + "templateHash": "9902709125102553327" } }, "parameters": { diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json index 2cd166e951..2050ccbfa3 100644 --- a/modules/network/dns-zone/main.json +++ b/modules/network/dns-zone/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6851549629737338757" + "version": "0.22.6.54827", + "templateHash": "9774189040753970370" }, "name": "Public DNS Zones", "description": "This module deploys a Public DNS zone.", @@ -208,8 +208,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "68732993276774389" + "version": "0.22.6.54827", + "templateHash": "6542208080967583866" }, "name": "Public DNS Zone A record", "description": "This module deploys a Public DNS Zone A record.", @@ -331,8 +331,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5391899014295336127" + "version": "0.22.6.54827", + "templateHash": "12863297534613170503" } }, "parameters": { @@ -539,8 +539,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1399420754199725079" + "version": "0.22.6.54827", + "templateHash": "3710520452642205212" }, "name": "Public DNS Zone AAAA record", "description": "This module deploys a Public DNS Zone AAAA record.", 
@@ -662,8 +662,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11088059014224151171" + "version": "0.22.6.54827", + "templateHash": "8289108097363297951" } }, "parameters": { @@ -870,8 +870,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1081451111818125712" + "version": "0.22.6.54827", + "templateHash": "9638487977820751575" }, "name": "Public DNS Zone CNAME record", "description": "This module deploys a Public DNS Zone CNAME record.", @@ -993,8 +993,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8600790202870820366" + "version": "0.22.6.54827", + "templateHash": "9902709125102553327" } }, "parameters": { @@ -1200,8 +1200,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5673527444453988582" + "version": "0.22.6.54827", + "templateHash": "139457689749453308" }, "name": "Public DNS Zone CAA record", "description": "This module deploys a Public DNS Zone CAA record.", @@ -1315,8 +1315,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15901517837296662514" + "version": "0.22.6.54827", + "templateHash": "9470565833545804306" } }, "parameters": { @@ -1522,8 +1522,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12122627275966612771" + "version": "0.22.6.54827", + "templateHash": "17935109453553054168" }, "name": "Public DNS Zone MX record", "description": "This module deploys a Public DNS Zone MX record.", @@ -1637,8 +1637,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12990053881217536027" + "version": "0.22.6.54827", + "templateHash": "3617371994879925017" } }, "parameters": { 
@@ -1844,8 +1844,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1252842746264260293" + "version": "0.22.6.54827", + "templateHash": "5114862259619051357" }, "name": "Public DNS Zone NS record", "description": "This module deploys a Public DNS Zone NS record.", @@ -1959,8 +1959,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4203054026416577590" + "version": "0.22.6.54827", + "templateHash": "14367633254025428198" } }, "parameters": { @@ -2166,8 +2166,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8254188493299686045" + "version": "0.22.6.54827", + "templateHash": "10998530599333888745" }, "name": "Public DNS Zone PTR record", "description": "This module deploys a Public DNS Zone PTR record.", @@ -2281,8 +2281,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3382234855470984930" + "version": "0.22.6.54827", + "templateHash": "17983831737512612600" } }, "parameters": { @@ -2488,8 +2488,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9958980921150733070" + "version": "0.22.6.54827", + "templateHash": "10118634861239112279" }, "name": "Public DNS Zone SOA record", "description": "This module deploys a Public DNS Zone SOA record.", @@ -2603,8 +2603,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10962387383395206364" + "version": "0.22.6.54827", + "templateHash": "7383644209973085042" } }, "parameters": { @@ -2810,8 +2810,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11054274383314435498" + "version": "0.22.6.54827", + "templateHash": "17870818057963659035" }, "name": "Public DNS Zone SRV record", "description": "This module deploys a Public DNS Zone SRV record.", 
@@ -2925,8 +2925,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17186909847958573798" + "version": "0.22.6.54827", + "templateHash": "1743157605226588693" } }, "parameters": { @@ -3132,8 +3132,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4896316740645265762" + "version": "0.22.6.54827", + "templateHash": "13941492299186927650" }, "name": "Public DNS Zone TXT record", "description": "This module deploys a Public DNS Zone TXT record.", @@ -3247,8 +3247,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2655826582817627242" + "version": "0.22.6.54827", + "templateHash": "7288997439030042721" } }, "parameters": { @@ -3454,8 +3454,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14647311365948094297" + "version": "0.22.6.54827", + "templateHash": "10745925950629635011" } }, "parameters": { diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md index e6b6a99d5a..2404e76d3a 100644 --- a/modules/network/dns-zone/mx/README.md +++ b/modules/network/dns-zone/mx/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone MX record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the MX record. | +| [`name`](#parameter-name) | string | The name of the MX record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `mxRecords` | array | `[]` | The list of MX records in the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`mxRecords`](#parameter-mxrecords) | array | The list of MX records in the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mxRecords` + +The list of MX records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the MX record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed MX record. 
| | `resourceGroupName` | string | The resource group of the deployed MX record. | diff --git a/modules/network/dns-zone/mx/main.json b/modules/network/dns-zone/mx/main.json index 8b13e14708..1c740cd6dc 100644 --- a/modules/network/dns-zone/mx/main.json +++ b/modules/network/dns-zone/mx/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14301321817801341159" + "version": "0.22.6.54827", + "templateHash": "17935109453553054168" }, "name": "Public DNS Zone MX record", "description": "This module deploys a Public DNS Zone MX record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9536077061979113211" + "version": "0.22.6.54827", + "templateHash": "3617371994879925017" } }, "parameters": { diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md index 411d63a495..f95a252125 100644 --- a/modules/network/dns-zone/ns/README.md +++ b/modules/network/dns-zone/ns/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone NS record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the NS record. | +| [`name`](#parameter-name) | string | The name of the NS record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `nsRecords` | array | `[]` | The list of NS records in the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`nsRecords`](#parameter-nsrecords) | array | The list of NS records in the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the NS record. +- Required: Yes +- Type: string + +### Parameter: `nsRecords` + +The list of NS records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed NS record. 
| | `resourceGroupName` | string | The resource group of the deployed NS record. | diff --git a/modules/network/dns-zone/ns/main.json b/modules/network/dns-zone/ns/main.json index 39cbd138f6..0324b74495 100644 --- a/modules/network/dns-zone/ns/main.json +++ b/modules/network/dns-zone/ns/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13879924638868874443" + "version": "0.22.6.54827", + "templateHash": "5114862259619051357" }, "name": "Public DNS Zone NS record", "description": "This module deploys a Public DNS Zone NS record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2717382131813837654" + "version": "0.22.6.54827", + "templateHash": "14367633254025428198" } }, "parameters": { diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md index caf2ea722a..04db682bb4 100644 --- a/modules/network/dns-zone/ptr/README.md +++ b/modules/network/dns-zone/ptr/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone PTR record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the PTR record. | +| [`name`](#parameter-name) | string | The name of the PTR record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `ptrRecords` | array | `[]` | The list of PTR records in the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`ptrRecords`](#parameter-ptrrecords) | array | The list of PTR records in the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the PTR record. +- Required: Yes +- Type: string + +### Parameter: `ptrRecords` + +The list of PTR records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed PTR record. 
| | `resourceGroupName` | string | The resource group of the deployed PTR record. | diff --git a/modules/network/dns-zone/ptr/main.json b/modules/network/dns-zone/ptr/main.json index 8e886f5e90..d596d246fc 100644 --- a/modules/network/dns-zone/ptr/main.json +++ b/modules/network/dns-zone/ptr/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14950916556855362521" + "version": "0.22.6.54827", + "templateHash": "10998530599333888745" }, "name": "Public DNS Zone PTR record", "description": "This module deploys a Public DNS Zone PTR record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14048540340305231771" + "version": "0.22.6.54827", + "templateHash": "17983831737512612600" } }, "parameters": { diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md index 83c0fa4654..ec6efc70ec 100644 --- a/modules/network/dns-zone/soa/README.md +++ b/modules/network/dns-zone/soa/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone SOA record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the SOA record. | +| [`name`](#parameter-name) | string | The name of the SOA record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `soaRecord` | object | `{object}` | A SOA record. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`soaRecord`](#parameter-soarecord) | object | A SOA record. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the SOA record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `soaRecord` + +A SOA record. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed SOA record. | | `resourceGroupName` | string | The resource group of the deployed SOA record. | diff --git a/modules/network/dns-zone/soa/main.json b/modules/network/dns-zone/soa/main.json index 69744041ff..17ba5d7803 100644 --- a/modules/network/dns-zone/soa/main.json +++ b/modules/network/dns-zone/soa/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15092776661272728734" + "version": "0.22.6.54827", + "templateHash": "10118634861239112279" }, "name": "Public DNS Zone SOA record", "description": "This module deploys a Public DNS Zone SOA record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17247816691852004236" + "version": "0.22.6.54827", + "templateHash": "7383644209973085042" } }, "parameters": { diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md index fb1f8c35f6..8947cd2a5f 100644 --- a/modules/network/dns-zone/srv/README.md +++ b/modules/network/dns-zone/srv/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone SRV record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the SRV record. | +| [`name`](#parameter-name) | string | The name of the SRV record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `srvRecords` | array | `[]` | The list of SRV records in the record set. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the SRV record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `srvRecords` + +The list of SRV records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed SRV record. | | `resourceGroupName` | string | The resource group of the deployed SRV record. | diff --git a/modules/network/dns-zone/srv/main.json b/modules/network/dns-zone/srv/main.json index 6e3933b6ad..d0c3e30324 100644 --- a/modules/network/dns-zone/srv/main.json +++ b/modules/network/dns-zone/srv/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2772370204362718864" + "version": "0.22.6.54827", + "templateHash": "17870818057963659035" }, "name": "Public DNS Zone SRV record", "description": "This module deploys a Public DNS Zone SRV record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13880457002928639304" + "version": "0.22.6.54827", + "templateHash": "1743157605226588693" } }, "parameters": { diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md index 9db5f6f73e..54111ce95e 100644 --- a/modules/network/dns-zone/txt/README.md +++ b/modules/network/dns-zone/txt/README.md 
@@ -20,30 +20,77 @@ This module deploys a Public DNS Zone TXT record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the TXT record. | +| [`name`](#parameter-name) | string | The name of the TXT record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `dnsZoneName` | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | +| [`dnsZoneName`](#parameter-dnszonename) | string | The name of the parent DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -| `txtRecords` | array | `[]` | The list of TXT records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +| [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | + +### Parameter: `dnsZoneName` + +The name of the parent DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the TXT record. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` + +### Parameter: `txtRecords` + +The list of TXT records in the record set. 
+- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed TXT record. | | `resourceGroupName` | string | The resource group of the deployed TXT record. | diff --git a/modules/network/dns-zone/txt/main.json b/modules/network/dns-zone/txt/main.json index 3cc94f1b0e..d6a56e6411 100644 --- a/modules/network/dns-zone/txt/main.json +++ b/modules/network/dns-zone/txt/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16370550186541929198" + "version": "0.22.6.54827", + "templateHash": "13941492299186927650" }, "name": "Public DNS Zone TXT record", "description": "This module deploys a Public DNS Zone TXT record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17843024796725206765" + "version": "0.22.6.54827", + "templateHash": "7288997439030042721" } }, "parameters": { diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/.test/common/main.test.bicep index 054fed2490..58ce2762f0 100644 --- a/modules/network/express-route-circuit/.test/common/main.test.bicep +++ b/modules/network/express-route-circuit/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/express-route-circuit/.test/min/main.test.bicep b/modules/network/express-route-circuit/.test/min/main.test.bicep index 10ba226791..9023c41dfe 100644 --- a/modules/network/express-route-circuit/.test/min/main.test.bicep +++ b/modules/network/express-route-circuit/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md
index 679f0b7aa6..3acc1d2f3c 100644
--- a/modules/network/express-route-circuit/README.md
+++ b/modules/network/express-route-circuit/README.md
@@ -4,13 +4,13 @@ This module deploys an Express Route Circuit.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -19,77 +19,28 @@ This module deploys an Express Route Circuit. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/expressRouteCircuits` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteCircuits) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `bandwidthInMbps` | int | This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | -| `name` | string | This is the name of the ExpressRoute circuit. | -| `peeringLocation` | string | This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | -| `serviceProviderName` | string | This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowClassicOperations` | bool | `False` | | Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. | -| `bandwidthInGbps` | int | `0` | | The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, PeeringRouteLog]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `expressRoutePortResourceId` | string | `''` | | The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. | -| `globalReachEnabled` | bool | `False` | | Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `peerASN` | int | `0` | | The autonomous system number of the customer/connectivity provider. | -| `peering` | bool | `False` | | Enabled BGP peering type for the Circuit. | -| `peeringType` | string | `'AzurePrivatePeering'` | `[AzurePrivatePeering, MicrosoftPeering]` | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. 
| -| `primaryPeerAddressPrefix` | string | `''` | | A /30 subnet used to configure IP addresses for interfaces on Link1. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `secondaryPeerAddressPrefix` | string | `''` | | A /30 subnet used to configure IP addresses for interfaces on Link2. | -| `sharedKey` | string | `''` | | The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | -| `skuFamily` | string | `'MeteredData'` | `[MeteredData, UnlimitedData]` | Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | -| `skuTier` | string | `'Standard'` | `[Local, Premium, Standard]` | Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `vlanId` | int | `0` | | Specifies the identifier that is used to identify the customer. | - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of express route curcuit. | -| `resourceGroupName` | string | The resource group the express route curcuit was deployed into. | -| `resourceId` | string | The resource ID of express route curcuit. | -| `serviceKey` | string | The service key of the express route circuit. 
| +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-circuit:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module expressRouteCircuit './network/express-route-circuit/main.bicep' = { +module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nerccom' params: { // Required parameters @@ -203,14 +154,17 @@ module expressRouteCircuit './network/express-route-circuit/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module expressRouteCircuit './network/express-route-circuit/main.bicep' = { +module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nercmin' params: { // Required parameters @@ -259,3 +213,265 @@ module expressRouteCircuit './network/express-route-circuit/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`bandwidthInMbps`](#parameter-bandwidthinmbps) | int | This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. | +| [`name`](#parameter-name) | string | This is the name of the ExpressRoute circuit. | +| [`peeringLocation`](#parameter-peeringlocation) | string | This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call. | +| [`serviceProviderName`](#parameter-serviceprovidername) | string | This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowClassicOperations`](#parameter-allowclassicoperations) | bool | Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. | +| [`bandwidthInGbps`](#parameter-bandwidthingbps) | int | The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`expressRoutePortResourceId`](#parameter-expressrouteportresourceid) | string | The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. | +| [`globalReachEnabled`](#parameter-globalreachenabled) | bool | Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`peerASN`](#parameter-peerasn) | int | The autonomous system number of the customer/connectivity provider. | +| [`peering`](#parameter-peering) | bool | Enabled BGP peering type for the Circuit. | +| [`peeringType`](#parameter-peeringtype) | string | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. 
| +| [`primaryPeerAddressPrefix`](#parameter-primarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link1. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`secondaryPeerAddressPrefix`](#parameter-secondarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link2. | +| [`sharedKey`](#parameter-sharedkey) | string | The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | +| [`skuFamily`](#parameter-skufamily) | string | Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | +| [`skuTier`](#parameter-skutier) | string | Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`vlanId`](#parameter-vlanid) | int | Specifies the identifier that is used to identify the customer. | + +### Parameter: `allowClassicOperations` + +Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `bandwidthInGbps` + +The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. 
+- Required: No +- Type: int +- Default: `0` + +### Parameter: `bandwidthInMbps` + +This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. +- Required: Yes +- Type: int + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, PeeringRouteLog]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `expressRoutePortResourceId`
+
+The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `globalReachEnabled`
+
+Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+This is the name of the ExpressRoute circuit.
+- Required: Yes
+- Type: string
+
+### Parameter: `peerASN`
+
+The autonomous system number of the customer/connectivity provider.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `peering`
+
+Enabled BGP peering type for the Circuit.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `peeringLocation`
+
+This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call.
+- Required: Yes
+- Type: string
+
+### Parameter: `peeringType`
+
+BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.
+- Required: No
+- Type: string
+- Default: `'AzurePrivatePeering'`
+- Allowed: `[AzurePrivatePeering, MicrosoftPeering]`
+
+### Parameter: `primaryPeerAddressPrefix`
+
+A /30 subnet used to configure IP addresses for interfaces on Link1.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `secondaryPeerAddressPrefix`
+
+A /30 subnet used to configure IP addresses for interfaces on Link2.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `serviceProviderName`
+
+This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call.
+- Required: Yes
+- Type: string
+
+### Parameter: `sharedKey`
+
+The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `skuFamily`
+
+Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families.
+- Required: No
+- Type: string
+- Default: `'MeteredData'`
+- Allowed: `[MeteredData, UnlimitedData]`
+
+### Parameter: `skuTier`
+
+Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers.
+- Required: No
+- Type: string
+- Default: `'Standard'`
+- Allowed: `[Local, Premium, Standard]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `vlanId`
+
+Specifies the identifier that is used to identify the customer.
+- Required: No
+- Type: int
+- Default: `0`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of express route curcuit. |
+| `resourceGroupName` | string | The resource group the express route curcuit was deployed into. |
+| `resourceId` | string | The resource ID of express route curcuit. |
+| `serviceKey` | string | The service key of the express route circuit. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json
index 7ee4c7678d..74d56855cd 100644
--- a/modules/network/express-route-circuit/main.json
+++ b/modules/network/express-route-circuit/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6824996198660601155"
+ "version": "0.22.6.54827",
+ "templateHash": "15387700502783731966"
 },
 "name": "ExpressRoute Circuits",
 "description": "This module deploys an Express Route Circuit.",
@@ -382,8 +382,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1993477429002621283"
+ "version": "0.22.6.54827",
+ "templateHash": "14124226202821764051"
 }
 },
 "parameters": {
diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/.test/common/main.test.bicep
index 264ba8ba7e..9dd58dbbe3 100644
--- a/modules/network/express-route-gateway/.test/common/main.test.bicep
+++ b/modules/network/express-route-gateway/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/express-route-gateway/.test/min/main.test.bicep b/modules/network/express-route-gateway/.test/min/main.test.bicep
index ec61027df0..b410608160 100644
--- a/modules/network/express-route-gateway/.test/min/main.test.bicep
+++ b/modules/network/express-route-gateway/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md
index f7160b91ba..8221723ccf 100644
--- a/modules/network/express-route-gateway/README.md
+++ b/modules/network/express-route-gateway/README.md
@@ -5,10 +5,10 @@ This module deploys an Express Route Gateway.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -18,58 +18,28 @@ This module deploys an Express Route Gateway.
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Network/expressRouteGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteGateways) |
-## Parameters
+## Usage examples
-**Required parameters**
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Express Route Gateway. |
-| `virtualHubId` | string | Resource ID of the Virtual Wan Hub. |
-
-**Optional parameters**
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `allowNonVirtualWanTraffic` | bool | `False` | | Configures this gateway to accept traffic from non Virtual WAN networks. |
-| `autoScaleConfigurationBoundsMax` | int | `2` | | Maximum number of scale units deployed for ExpressRoute gateway. |
-| `autoScaleConfigurationBoundsMin` | int | `2` | | Minimum number of scale units deployed for ExpressRoute gateway. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `expressRouteConnections` | array | `[]` | | List of ExpressRoute connections to the ExpressRoute gateway. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock.
|
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `tags` | object | `{object}` | | Tags of the Firewall policy resource. |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-gateway:1.0.0`.
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Using only defaults](#example-2-using-only-defaults)
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the ExpressRoute Gateway. |
-| `resourceGroupName` | string | The resource group of the ExpressRoute Gateway was deployed into. |
-| `resourceId` | string | The resource ID of the ExpressRoute Gateway. |
-
-## Cross-referenced modules
-
-_None_
-
-## Deployment examples
+### Example 1: _Using large parameter set_
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+This instance deploys the module with most of its features enabled.
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-
-

Example 1: Common

via Bicep module ```bicep -module expressRouteGateway './network/express-route-gateway/main.bicep' = { +module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nergcom' params: { // Required parameters @@ -153,14 +123,17 @@ module expressRouteGateway './network/express-route-gateway/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module expressRouteGateway './network/express-route-gateway/main.bicep' = { +module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nergmin' params: { // Required parameters @@ -201,3 +174,117 @@ module expressRouteGateway './network/express-route-gateway/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Express Route Gateway. |
+| [`virtualHubId`](#parameter-virtualhubid) | string | Resource ID of the Virtual Wan Hub. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`allowNonVirtualWanTraffic`](#parameter-allownonvirtualwantraffic) | bool | Configures this gateway to accept traffic from non Virtual WAN networks. |
+| [`autoScaleConfigurationBoundsMax`](#parameter-autoscaleconfigurationboundsmax) | int | Maximum number of scale units deployed for ExpressRoute gateway. |
+| [`autoScaleConfigurationBoundsMin`](#parameter-autoscaleconfigurationboundsmin) | int | Minimum number of scale units deployed for ExpressRoute gateway. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. |
+
+### Parameter: `allowNonVirtualWanTraffic`
+
+Configures this gateway to accept traffic from non Virtual WAN networks.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `autoScaleConfigurationBoundsMax`
+
+Maximum number of scale units deployed for ExpressRoute gateway.
+- Required: No
+- Type: int
+- Default: `2`
+
+### Parameter: `autoScaleConfigurationBoundsMin`
+
+Minimum number of scale units deployed for ExpressRoute gateway.
+- Required: No
+- Type: int
+- Default: `2`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `expressRouteConnections`
+
+List of ExpressRoute connections to the ExpressRoute gateway.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Express Route Gateway.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the Firewall policy resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `virtualHubId`
+
+Resource ID of the Virtual Wan Hub.
+- Required: Yes
+- Type: string
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the ExpressRoute Gateway.
|
+| `resourceGroupName` | string | The resource group of the ExpressRoute Gateway was deployed into. |
+| `resourceId` | string | The resource ID of the ExpressRoute Gateway. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json
index 3431a0aef3..084701ac54 100644
--- a/modules/network/express-route-gateway/main.json
+++ b/modules/network/express-route-gateway/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4204996721387656228"
+ "version": "0.22.6.54827",
+ "templateHash": "8092497363245159180"
 },
 "name": "Express Route Gateways",
 "description": "This module deploys an Express Route Gateway.",
@@ -176,8 +176,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13068351482866901446"
+ "version": "0.22.6.54827",
+ "templateHash": "10999249246469924012"
 }
 },
 "parameters": {
diff --git a/modules/network/firewall-policy/.test/common/main.test.bicep b/modules/network/firewall-policy/.test/common/main.test.bicep
index bf8c202a14..b0f3e73de8 100644
--- a/modules/network/firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/firewall-policy/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/firewall-policy/.test/min/main.test.bicep b/modules/network/firewall-policy/.test/min/main.test.bicep
index bd06e9e9f4..2efbeaeead 100644
--- a/modules/network/firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/firewall-policy/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md
index 28a24d3072..6c127c21e5 100644
--- a/modules/network/firewall-policy/README.md
+++ b/modules/network/firewall-policy/README.md
@@ -5,10 +5,10 @@ This module deploys a Firewall Policy.
 ## Navigation
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 ## Resource Types
@@ -17,72 +17,28 @@ This module deploys a Firewall Policy.
 | `Microsoft.Network/firewallPolicies` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies) |
 | `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies/ruleCollectionGroups) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Firewall Policy. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `allowSqlRedirect` | bool | `False` | | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. |
-| `autoLearnPrivateRanges` | string | `'Disabled'` | `[Disabled, Enabled]` | The operation mode for automatically learning private ranges to not be SNAT. |
-| `basePolicyResourceId` | string | `''` | | Resource ID of the base policy. |
-| `bypassTrafficSettings` | array | `[]` | | List of rules for traffic to bypass. |
-| `certificateName` | string | `''` | | Name of the CA certificate. |
-| `defaultWorkspaceId` | string | `''` | | Default Log Analytics Resource ID for Firewall Policy Insights. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableProxy` | bool | `False` | | Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
-| `fqdns` | array | `[]` | | List of FQDNs for the ThreatIntel Allowlist. |
-| `insightsIsEnabled` | bool | `False` | | A flag to indicate if the insights are enabled on the policy. |
-| `ipAddresses` | array | `[]` | | List of IP addresses for the ThreatIntel Allowlist. |
-| `keyVaultSecretId` | string | `''` | | Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault.
|
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `mode` | string | `'Off'` | `[Alert, Deny, Off]` | The configuring of intrusion detection. |
-| `privateRanges` | array | `[]` | | List of private IP addresses/IP address ranges to not be SNAT. |
-| `retentionDays` | int | `365` | | Number of days the insights should be enabled on the policy. |
-| `ruleCollectionGroups` | array | `[]` | | Rule collection groups. |
-| `servers` | array | `[]` | | List of Custom DNS Servers. |
-| `signatureOverrides` | array | `[]` | | List of specific signatures states. |
-| `tags` | object | `{object}` | | Tags of the Firewall policy resource. |
-| `threatIntelMode` | string | `'Off'` | `[Alert, Deny, Off]` | The operation mode for Threat Intel. |
-| `tier` | string | `'Standard'` | `[Premium, Standard]` | Tier of Firewall Policy. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
-| `workspaces` | array | `[]` | | List of workspaces for Firewall Policy Insights. |
-
-
-## Outputs
+## Usage examples
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed firewall policy. |
-| `resourceGroupName` | string | The resource group of the deployed firewall policy. |
-| `resourceId` | string | The resource ID of the deployed firewall policy. |
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-## Cross-referenced modules
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-_None_
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.firewall-policy:1.0.0`.
-## Deployment examples
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Using only defaults](#example-2-using-only-defaults)
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+### Example 1: _Using large parameter set_
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module ```bicep -module firewallPolicy './network/firewall-policy/main.bicep' = { +module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nfpcom' params: { // Required parameters @@ -218,14 +174,17 @@ module firewallPolicy './network/firewall-policy/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module firewallPolicy './network/firewall-policy/main.bicep' = { +module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nfpmin' params: { // Required parameters @@ -262,3 +221,233 @@ module firewallPolicy './network/firewall-policy/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Firewall Policy. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`allowSqlRedirect`](#parameter-allowsqlredirect) | bool | A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. |
+| [`autoLearnPrivateRanges`](#parameter-autolearnprivateranges) | string | The operation mode for automatically learning private ranges to not be SNAT. |
+| [`basePolicyResourceId`](#parameter-basepolicyresourceid) | string | Resource ID of the base policy. |
+| [`bypassTrafficSettings`](#parameter-bypasstrafficsettings) | array | List of rules for traffic to bypass. |
+| [`certificateName`](#parameter-certificatename) | string | Name of the CA certificate. |
+| [`defaultWorkspaceId`](#parameter-defaultworkspaceid) | string | Default Log Analytics Resource ID for Firewall Policy Insights. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableProxy`](#parameter-enableproxy) | bool | Enable DNS Proxy on Firewalls attached to the Firewall Policy. |
+| [`fqdns`](#parameter-fqdns) | array | List of FQDNs for the ThreatIntel Allowlist. |
+| [`insightsIsEnabled`](#parameter-insightsisenabled) | bool | A flag to indicate if the insights are enabled on the policy. |
+| [`ipAddresses`](#parameter-ipaddresses) | array | List of IP addresses for the ThreatIntel Allowlist. |
+| [`keyVaultSecretId`](#parameter-keyvaultsecretid) | string | Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`mode`](#parameter-mode) | string | The configuring of intrusion detection.
|
+| [`privateRanges`](#parameter-privateranges) | array | List of private IP addresses/IP address ranges to not be SNAT. |
+| [`retentionDays`](#parameter-retentiondays) | int | Number of days the insights should be enabled on the policy. |
+| [`ruleCollectionGroups`](#parameter-rulecollectiongroups) | array | Rule collection groups. |
+| [`servers`](#parameter-servers) | array | List of Custom DNS Servers. |
+| [`signatureOverrides`](#parameter-signatureoverrides) | array | List of specific signatures states. |
+| [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. |
+| [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. |
+| [`tier`](#parameter-tier) | string | Tier of Firewall Policy. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+| [`workspaces`](#parameter-workspaces) | array | List of workspaces for Firewall Policy Insights. |
+
+### Parameter: `allowSqlRedirect`
+
+A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `autoLearnPrivateRanges`
+
+The operation mode for automatically learning private ranges to not be SNAT.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `basePolicyResourceId`
+
+Resource ID of the base policy.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `bypassTrafficSettings`
+
+List of rules for traffic to bypass.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `certificateName`
+
+Name of the CA certificate.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `defaultWorkspaceId`
+
+Default Log Analytics Resource ID for Firewall Policy Insights.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableProxy`
+
+Enable DNS Proxy on Firewalls attached to the Firewall Policy.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `fqdns`
+
+List of FQDNs for the ThreatIntel Allowlist.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `insightsIsEnabled`
+
+A flag to indicate if the insights are enabled on the policy.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `ipAddresses`
+
+List of IP addresses for the ThreatIntel Allowlist.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `keyVaultSecretId`
+
+Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `mode`
+
+The configuring of intrusion detection.
+- Required: No
+- Type: string
+- Default: `'Off'`
+- Allowed: `[Alert, Deny, Off]`
+
+### Parameter: `name`
+
+Name of the Firewall Policy.
+- Required: Yes
+- Type: string
+
+### Parameter: `privateRanges`
+
+List of private IP addresses/IP address ranges to not be SNAT.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `retentionDays`
+
+Number of days the insights should be enabled on the policy.
+- Required: No
+- Type: int
+- Default: `365`
+
+### Parameter: `ruleCollectionGroups`
+
+Rule collection groups.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `servers`
+
+List of Custom DNS Servers.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `signatureOverrides`
+
+List of specific signatures states.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the Firewall policy resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `threatIntelMode`
+
+The operation mode for Threat Intel.
+- Required: No
+- Type: string
+- Default: `'Off'`
+- Allowed: `[Alert, Deny, Off]`
+
+### Parameter: `tier`
+
+Tier of Firewall Policy.
+- Required: No
+- Type: string
+- Default: `'Standard'`
+- Allowed: `[Premium, Standard]`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `workspaces`
+
+List of workspaces for Firewall Policy Insights.
+- Required: No
+- Type: array
+- Default: `[]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed firewall policy. |
+| `resourceGroupName` | string | The resource group of the deployed firewall policy. |
+| `resourceId` | string | The resource ID of the deployed firewall policy. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/firewall-policy/main.json b/modules/network/firewall-policy/main.json
index 17bff00e52..466fff08d7 100644
--- a/modules/network/firewall-policy/main.json
+++ b/modules/network/firewall-policy/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6554136279481645026"
+ "version": "0.22.6.54827",
+ "templateHash": "18116522930721554549"
 },
 "name": "Firewall Policies",
 "description": "This module deploys a Firewall Policy.",
@@ -290,8 +290,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6780265410658307445"
+ "version": "0.22.6.54827",
+ "templateHash": "13617778659554817427"
 },
 "name": "Firewall Policy Rule Collection Groups",
 "description": "This module deploys a Firewall Policy Rule Collection Group.",
diff --git a/modules/network/firewall-policy/rule-collection-group/README.md b/modules/network/firewall-policy/rule-collection-group/README.md
index 9be45dfd53..920f33ecd8 100644
--- a/modules/network/firewall-policy/rule-collection-group/README.md
+++ b/modules/network/firewall-policy/rule-collection-group/README.md
@@ -19,28 +19,60 @@ This module deploys a Firewall Policy Rule Collection Group. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the rule collection group to deploy. | -| `priority` | int | Priority of the Firewall Policy Rule Collection Group resource. | +| [`name`](#parameter-name) | string | The name of the rule collection group to deploy. | +| [`priority`](#parameter-priority) | int | Priority of the Firewall Policy Rule Collection Group resource. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `firewallPolicyName` | string | The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. | +| [`firewallPolicyName`](#parameter-firewallpolicyname) | string | The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ruleCollections` | array | `[]` | Group of Firewall Policy rule collections. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ruleCollections`](#parameter-rulecollections) | array | Group of Firewall Policy rule collections. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `firewallPolicyName` + +The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the rule collection group to deploy. 
+- Required: Yes +- Type: string + +### Parameter: `priority` + +Priority of the Firewall Policy Rule Collection Group resource. +- Required: Yes +- Type: int + +### Parameter: `ruleCollections` + +Group of Firewall Policy rule collections. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed rule collection group. | | `resourceGroupName` | string | The resource group of the deployed rule collection group. | diff --git a/modules/network/firewall-policy/rule-collection-group/main.json b/modules/network/firewall-policy/rule-collection-group/main.json index f2abb4caf2..6c26a49d8a 100644 --- a/modules/network/firewall-policy/rule-collection-group/main.json +++ b/modules/network/firewall-policy/rule-collection-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12741470915279971248" + "version": "0.22.6.54827", + "templateHash": "13617778659554817427" }, "name": "Firewall Policy Rule Collection Groups", "description": "This module deploys a Firewall Policy Rule Collection Group.", diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep index 838318de95..a971d68691 100644 --- a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
index 469b740344..e6dc94614a 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md
index 41570c94cd..8cf0e4a016 100644
--- a/modules/network/front-door-web-application-firewall-policy/README.md
+++ b/modules/network/front-door-web-application-firewall-policy/README.md
@@ -5,10 +5,10 @@ This module deploys a Front Door Web Application Firewall (WAF) Policy.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -18,57 +18,28 @@ This module deploys a Front Door Web Application Firewall (WAF) Policy. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/FrontDoorWebApplicationFirewallPolicies` | [2022-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/FrontDoorWebApplicationFirewallPolicies) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Front Door WAF policy. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `customRules` | object | `{object}` | | The custom rules inside the policy. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedRules` | object | `{object}` | | Describes the managedRules structure. | -| `policySettings` | object | `{object}` | | The PolicySettings for policy. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Standard_AzureFrontDoor'` | `[Premium_AzureFrontDoor, Standard_AzureFrontDoor]` | The pricing tier of the WAF profile. | -| `tags` | object | `{object}` | | Resource tags. 
| +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Front Door WAF policy. | -| `resourceGroupName` | string | The resource group the Front Door WAF policy was deployed into. | -| `resourceId` | string | The resource ID of the Front Door WAF policy. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module frontDoorWebApplicationFirewallPolicy './network/front-door-web-application-firewall-policy/main.bicep' = { +module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nagwafpcom' params: { // Required parameters @@ -276,14 +247,17 @@ module frontDoorWebApplicationFirewallPolicy './network/front-door-web-applicati

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module frontDoorWebApplicationFirewallPolicy './network/front-door-web-application-firewall-policy/main.bicep' = { +module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nagwafpmin' params: { // Required parameters @@ -320,3 +294,111 @@ module frontDoorWebApplicationFirewallPolicy './network/front-door-web-applicati

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Front Door WAF policy. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customRules`](#parameter-customrules) | object | The custom rules inside the policy. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | +| [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | The pricing tier of the WAF profile. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `customRules` + +The custom rules inside the policy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedRules` + +Describes the managedRules structure. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Name of the Front Door WAF policy. +- Required: Yes +- Type: string + +### Parameter: `policySettings` + +The PolicySettings for policy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The pricing tier of the WAF profile. +- Required: No +- Type: string +- Default: `'Standard_AzureFrontDoor'` +- Allowed: `[Premium_AzureFrontDoor, Standard_AzureFrontDoor]` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Front Door WAF policy. | +| `resourceGroupName` | string | The resource group the Front Door WAF policy was deployed into. | +| `resourceId` | string | The resource ID of the Front Door WAF policy. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json index 0d56d79ca8..a2dffd263e 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.json +++ b/modules/network/front-door-web-application-firewall-policy/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3252423512239689635"
+ "version": "0.22.6.54827",
+ "templateHash": "9522616710967870505"
 },
 "name": "Front Door Web Application Firewall (WAF) Policies",
 "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.",
@@ -210,8 +210,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9019610193929502057"
+ "version": "0.22.6.54827",
+ "templateHash": "15230534892714027949"
 }
 },
 "parameters": {
diff --git a/modules/network/front-door/.test/common/main.test.bicep b/modules/network/front-door/.test/common/main.test.bicep
index c8ce73be84..dfc4e2b726 100644
--- a/modules/network/front-door/.test/common/main.test.bicep
+++ b/modules/network/front-door/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/front-door/.test/min/main.test.bicep b/modules/network/front-door/.test/min/main.test.bicep
index 5cde0a04e4..d924dcbb25 100644
--- a/modules/network/front-door/.test/min/main.test.bicep
+++ b/modules/network/front-door/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md
index 64e78ae5f3..f9b46052f3 100644
--- a/modules/network/front-door/README.md
+++ b/modules/network/front-door/README.md
@@ -5,10 +5,10 @@ This module deploys an Azure Front Door.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -19,67 +19,28 @@ This module deploys an Azure Front Door. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/frontDoors` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/frontDoors) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `backendPools` | array | Backend address pool of the frontdoor resource. | -| `frontendEndpoints` | array | Frontend endpoints of the frontdoor resource. | -| `healthProbeSettings` | array | Heath probe settings of the frontdoor resource. | -| `loadBalancingSettings` | array | Load balancing settings of the frontdoor resource. | -| `name` | string | The name of the frontDoor. | -| `routingRules` | array | Routing rules settings of the frontdoor resource. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enabledState` | string | `'Enabled'` | | State of the frontdoor resource. | -| `enforceCertificateNameCheck` | string | `'Disabled'` | | Enforce certificate name check of the frontdoor resource. | -| `friendlyName` | string | `''` | | Friendly name of the frontdoor resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sendRecvTimeoutSeconds` | int | `240` | | Certificate name check time of the frontdoor resource. | -| `tags` | object | `{object}` | | Resource tags. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the front door. | -| `resourceGroupName` | string | The resource group the front door was deployed into. | -| `resourceId` | string | The resource ID of the front door. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module frontDoor './network/front-door/main.bicep' = { +module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nfdcom' params: { // Required parameters @@ -345,14 +306,17 @@ module frontDoor './network/front-door/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module frontDoor './network/front-door/main.bicep' = { +module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nfdmin' params: { // Required parameters @@ -557,3 +521,194 @@ module frontDoor './network/front-door/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backendPools`](#parameter-backendpools) | array | Backend address pool of the frontdoor resource. | +| [`frontendEndpoints`](#parameter-frontendendpoints) | array | Frontend endpoints of the frontdoor resource. | +| [`healthProbeSettings`](#parameter-healthprobesettings) | array | Heath probe settings of the frontdoor resource. | +| [`loadBalancingSettings`](#parameter-loadbalancingsettings) | array | Load balancing settings of the frontdoor resource. | +| [`name`](#parameter-name) | string | The name of the frontDoor. | +| [`routingRules`](#parameter-routingrules) | array | Routing rules settings of the frontdoor resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enabledState`](#parameter-enabledstate) | string | State of the frontdoor resource. | +| [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | string | Enforce certificate name check of the frontdoor resource. | +| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`metricsToEnable`](#parameter-metricstoenable) | array | The name of metrics that will be streamed. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `backendPools` + +Backend address pool of the frontdoor resource. +- Required: Yes +- Type: array + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog]` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enabledState` + +State of the frontdoor resource. +- Required: No +- Type: string +- Default: `'Enabled'` + +### Parameter: `enforceCertificateNameCheck` + +Enforce certificate name check of the frontdoor resource. +- Required: No +- Type: string +- Default: `'Disabled'` + +### Parameter: `friendlyName` + +Friendly name of the frontdoor resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `frontendEndpoints` + +Frontend endpoints of the frontdoor resource. 
+- Required: Yes +- Type: array + +### Parameter: `healthProbeSettings` + +Heath probe settings of the frontdoor resource. +- Required: Yes +- Type: array + +### Parameter: `loadBalancingSettings` + +Load balancing settings of the frontdoor resource. +- Required: Yes +- Type: array + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `metricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `name` + +The name of the frontDoor. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `routingRules` + +Routing rules settings of the frontdoor resource. +- Required: Yes +- Type: array + +### Parameter: `sendRecvTimeoutSeconds` + +Certificate name check time of the frontdoor resource. +- Required: No +- Type: int +- Default: `240` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the front door. | +| `resourceGroupName` | string | The resource group the front door was deployed into. | +| `resourceId` | string | The resource ID of the front door. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json
index 6d8212300c..3722abf630 100644
--- a/modules/network/front-door/main.json
+++ b/modules/network/front-door/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "18085582863238637831"
+ "version": "0.22.6.54827",
+ "templateHash": "1800137372393005313"
 },
 "name": "Azure Front Doors",
 "description": "This module deploys an Azure Front Door.",
@@ -298,8 +298,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15530628531766056415"
+ "version": "0.22.6.54827",
+ "templateHash": "9337028153232884606"
 }
 },
 "parameters": {
diff --git a/modules/network/ip-group/.test/common/main.test.bicep b/modules/network/ip-group/.test/common/main.test.bicep
index 3dad1a2400..61476fd930 100644
--- a/modules/network/ip-group/.test/common/main.test.bicep
+++ b/modules/network/ip-group/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/ip-group/.test/min/main.test.bicep b/modules/network/ip-group/.test/min/main.test.bicep
index dc0c682523..174c87ae38 100644
--- a/modules/network/ip-group/.test/min/main.test.bicep
+++ b/modules/network/ip-group/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md
index d6481e255f..2de276d682 100644
--- a/modules/network/ip-group/README.md
+++ b/modules/network/ip-group/README.md
@@ -4,13 +4,13 @@ This module deploys an IP Group.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -18,54 +18,28 @@ This module deploys an IP Group. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/ipGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/ipGroups) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the ipGroups. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipAddresses` | array | `[]` | | IpAddresses/IpAddressPrefixes in the IpGroups resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Resource tags. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ip-group:1.0.0`. 
+- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -## Outputs +### Example 1: _Using large parameter set_ -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the IP group. | -| `resourceGroupName` | string | The resource group of the IP group was deployed into. | -| `resourceId` | string | The resource ID of the IP group. | - -## Cross-referenced modules - -_None_ +This instance deploys the module with most of its features enabled. -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module ipGroup './network/ip-group/main.bicep' = { +module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nigcom' params: { // Required parameters @@ -149,14 +123,17 @@ module ipGroup './network/ip-group/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module ipGroup './network/ip-group/main.bicep' = { +module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nigmin' params: { // Required parameters @@ -193,3 +170,86 @@ module ipGroup './network/ip-group/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the ipGroups. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ipAddresses`](#parameter-ipaddresses) | array | IpAddresses/IpAddressPrefixes in the IpGroups resource. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Resource tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ipAddresses` + +IpAddresses/IpAddressPrefixes in the IpGroups resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the ipGroups. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the IP group. | +| `resourceGroupName` | string | The resource group of the IP group was deployed into. | +| `resourceId` | string | The resource ID of the IP group. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json index 5ab53eaa7a..3d3b61dbe5 100644 --- a/modules/network/ip-group/main.json +++ b/modules/network/ip-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14113274555296490837" + "version": "0.22.6.54827", + "templateHash": "3722289923159347480" }, "name": "IP Groups", "description": "This module deploys an IP Group.", @@ -140,8 +140,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15558620083655583266" + "version": "0.22.6.54827", + "templateHash": "11934973470926193389" } }, "parameters": { diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/.test/common/main.test.bicep index 79ce0f2cbd..6efb446ead 100644 --- a/modules/network/load-balancer/.test/common/main.test.bicep +++ b/modules/network/load-balancer/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/load-balancer/.test/min/main.test.bicep b/modules/network/load-balancer/.test/min/main.test.bicep index de083737e7..dbb4ca6571 100644 --- a/modules/network/load-balancer/.test/min/main.test.bicep +++ b/modules/network/load-balancer/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 5c8c51a3b7..779036371c 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -4,14 +4,14 @@ This module deploys a Load Balancer. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,67 +22,29 @@ This module deploys a Load Balancer. | `Microsoft.Network/loadBalancers/backendAddressPools` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/backendAddressPools) | | `Microsoft.Network/loadBalancers/inboundNatRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/loadBalancers/inboundNatRules) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `frontendIPConfigurations` | array | Array of objects containing all frontend IP configurations. | -| `name` | string | The Proximity Placement Groups Name. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.load-balancer:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backendAddressPools` | array | `[]` | | Collection of backend address pools used by a load balancer. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
| -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `inboundNatRules` | array | `[]` | | Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. | -| `loadBalancingRules` | array | `[]` | | Array of objects containing all load balancing rules. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `outboundRules` | array | `[]` | | The outbound rules. | -| `probes` | array | `[]` | | Array of objects containing all probes, these are references in the load balancing rules. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuName` | string | `'Standard'` | `[Basic, Standard]` | Name of a load balancer SKU. | -| `tags` | object | `{object}` | | Tags of the resource. 
| +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Internal](#example-2-internal) +- [Using only defaults](#example-3-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `backendpools` | array | The backend address pools available in the load balancer. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the load balancer. | -| `resourceGroupName` | string | The resource group the load balancer was deployed into. | -| `resourceId` | string | The resource ID of the load balancer. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module loadBalancer './network/load-balancer/main.bicep' = { +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nlbcom' params: { // Required parameters @@ -344,14 +306,14 @@ module loadBalancer './network/load-balancer/main.bicep' = {

-

Example 2: Internal

+### Example 2: _Internal_
via Bicep module ```bicep -module loadBalancer './network/load-balancer/main.bicep' = { +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nlbint' params: { // Required parameters @@ -559,14 +521,17 @@ module loadBalancer './network/load-balancer/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module loadBalancer './network/load-balancer/main.bicep' = { +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nlbmin' params: { // Required parameters @@ -619,6 +584,186 @@ module loadBalancer './network/load-balancer/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`frontendIPConfigurations`](#parameter-frontendipconfigurations) | array | Array of objects containing all frontend IP configurations. | +| [`name`](#parameter-name) | string | The Proximity Placement Groups Name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backendAddressPools`](#parameter-backendaddresspools) | array | Collection of backend address pools used by a load balancer. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`inboundNatRules`](#parameter-inboundnatrules) | array | Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. 
Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. | +| [`loadBalancingRules`](#parameter-loadbalancingrules) | array | Array of objects containing all load balancing rules. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`outboundRules`](#parameter-outboundrules) | array | The outbound rules. | +| [`probes`](#parameter-probes) | array | Array of objects containing all probes, these are references in the load balancing rules. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | Name of a load balancer SKU. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `backendAddressPools` + +Collection of backend address pools used by a load balancer. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `frontendIPConfigurations` + +Array of objects containing all frontend IP configurations. +- Required: Yes +- Type: array + +### Parameter: `inboundNatRules` + +Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `loadBalancingRules` + +Array of objects containing all load balancing rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The Proximity Placement Groups Name. 
+- Required: Yes +- Type: string + +### Parameter: `outboundRules` + +The outbound rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `probes` + +Array of objects containing all probes, these are references in the load balancing rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +Name of a load balancer SKU. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Basic, Standard]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `backendpools` | array | The backend address pools available in the load balancer. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the load balancer. | +| `resourceGroupName` | string | The resource group the load balancer was deployed into. | +| `resourceId` | string | The resource ID of the load balancer. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `backendAddressPools` diff --git a/modules/network/load-balancer/backend-address-pool/README.md b/modules/network/load-balancer/backend-address-pool/README.md index 44dfdef1f7..99b752c0a9 100644 --- a/modules/network/load-balancer/backend-address-pool/README.md +++ b/modules/network/load-balancer/backend-address-pool/README.md 
@@ -19,30 +19,78 @@ This module deploys a Load Balancer Backend Address Pools. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the backend address pool. | +| [`name`](#parameter-name) | string | The name of the backend address pool. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `loadBalancerName` | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. | +| [`loadBalancerName`](#parameter-loadbalancername) | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `drainPeriodInSeconds` | int | `0` | | Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `loadBalancerBackendAddresses` | array | `[]` | | An array of backend addresses. | -| `syncMode` | string | `''` | `['', Automatic, Manual]` | Backend address synchronous mode for the backend pool. | -| `tunnelInterfaces` | array | `[]` | | An array of gateway load balancer tunnel interfaces. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`drainPeriodInSeconds`](#parameter-drainperiodinseconds) | int | Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property. 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`loadBalancerBackendAddresses`](#parameter-loadbalancerbackendaddresses) | array | An array of backend addresses. | +| [`syncMode`](#parameter-syncmode) | string | Backend address synchronous mode for the backend pool. | +| [`tunnelInterfaces`](#parameter-tunnelinterfaces) | array | An array of gateway load balancer tunnel interfaces. | + +### Parameter: `drainPeriodInSeconds` + +Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `loadBalancerBackendAddresses` + +An array of backend addresses. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `loadBalancerName` + +The name of the parent load balancer. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the backend address pool. +- Required: Yes +- Type: string + +### Parameter: `syncMode` + +Backend address synchronous mode for the backend pool. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Automatic, Manual]` + +### Parameter: `tunnelInterfaces` + +An array of gateway load balancer tunnel interfaces. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the backend address pool. | | `resourceGroupName` | string | The resource group the backend address pool was deployed into. | 
diff --git a/modules/network/load-balancer/backend-address-pool/main.json b/modules/network/load-balancer/backend-address-pool/main.json index 4c67067b1a..e79735bfeb 100644 --- a/modules/network/load-balancer/backend-address-pool/main.json +++ b/modules/network/load-balancer/backend-address-pool/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14919070901241549953" + "version": "0.22.6.54827", + "templateHash": "8746126160153035357" }, "name": "Load Balancer Backend Address Pools", "description": "This module deploys a Load Balancer Backend Address Pools.", diff --git a/modules/network/load-balancer/inbound-nat-rule/README.md b/modules/network/load-balancer/inbound-nat-rule/README.md index c26aee6bf8..012c32a79f 100644 --- a/modules/network/load-balancer/inbound-nat-rule/README.md +++ b/modules/network/load-balancer/inbound-nat-rule/README.md 
@@ -19,36 +19,124 @@ This module deploys a Load Balancer Inbound NAT Rules. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `frontendIPConfigurationName` | string | The name of the frontend IP address to set for the inbound NAT rule. | -| `frontendPort` | int | The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. | -| `name` | string | The name of the inbound NAT rule. | +| [`frontendIPConfigurationName`](#parameter-frontendipconfigurationname) | string | The name of the frontend IP address to set for the inbound NAT rule. | +| [`frontendPort`](#parameter-frontendport) | int | The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. | +| [`name`](#parameter-name) | string | The name of the inbound NAT rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `loadBalancerName` | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. | +| [`loadBalancerName`](#parameter-loadbalancername) | string | The name of the parent load balancer. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backendAddressPoolName` | string | `''` | | Name of the backend address pool. | -| `backendPort` | int | `[parameters('frontendPort')]` | | The port used for the internal endpoint. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableFloatingIP` | bool | `False` | | Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. 
This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint. | -| `enableTcpReset` | bool | `False` | | Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP. | -| `frontendPortRangeEnd` | int | `-1` | | The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | -| `frontendPortRangeStart` | int | `-1` | | The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | -| `idleTimeoutInMinutes` | int | `4` | | The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP. | -| `protocol` | string | `'Tcp'` | `[All, Tcp, Udp]` | The transport protocol for the endpoint. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backendAddressPoolName`](#parameter-backendaddresspoolname) | string | Name of the backend address pool. | +| [`backendPort`](#parameter-backendport) | int | The port used for the internal endpoint. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableFloatingIP`](#parameter-enablefloatingip) | bool | Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint. 
| +| [`enableTcpReset`](#parameter-enabletcpreset) | bool | Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP. | +| [`frontendPortRangeEnd`](#parameter-frontendportrangeend) | int | The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | +| [`frontendPortRangeStart`](#parameter-frontendportrangestart) | int | The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. | +| [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP. | +| [`protocol`](#parameter-protocol) | string | The transport protocol for the endpoint. | + +### Parameter: `backendAddressPoolName` + +Name of the backend address pool. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `backendPort` + +The port used for the internal endpoint. +- Required: No +- Type: int +- Default: `[parameters('frontendPort')]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableFloatingIP` + +Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint. 
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableTcpReset`
+
+Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `frontendIPConfigurationName`
+
+The name of the frontend IP address to set for the inbound NAT rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `frontendPort`
+
+The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer.
+- Required: Yes
+- Type: int
+
+### Parameter: `frontendPortRangeEnd`
+
+The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `frontendPortRangeStart`
+
+The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `idleTimeoutInMinutes`
+
+The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.
+- Required: No
+- Type: int
+- Default: `4`
+
+### Parameter: `loadBalancerName`
+
+The name of the parent load balancer. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+The name of the inbound NAT rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `protocol`
+
+The transport protocol for the endpoint. 
+- Required: No
+- Type: string
+- Default: `'Tcp'`
+- Allowed: `[All, Tcp, Udp]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the inbound NAT rule. |
 | `resourceGroupName` | string | The resource group the inbound NAT rule was deployed into. |
diff --git a/modules/network/load-balancer/inbound-nat-rule/main.json b/modules/network/load-balancer/inbound-nat-rule/main.json
index e340a35b19..f72e675dc4 100644
--- a/modules/network/load-balancer/inbound-nat-rule/main.json
+++ b/modules/network/load-balancer/inbound-nat-rule/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "17563889842244498787"
+ "version": "0.22.6.54827",
+ "templateHash": "10708877822656641045"
 },
 "name": "Load Balancer Inbound NAT Rules",
 "description": "This module deploys a Load Balancer Inbound NAT Rules.",
diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json
index ef65dd9b14..974b7006fd 100644
--- a/modules/network/load-balancer/main.json
+++ b/modules/network/load-balancer/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5174015576413093389"
+ "version": "0.22.6.54827",
+ "templateHash": "4129476930281729422"
 },
 "name": "Load Balancers",
 "description": "This module deploys a Load Balancer.",
@@ -353,8 +353,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10695626328021788561"
+ "version": "0.22.6.54827",
+ "templateHash": "8746126160153035357"
 },
 "name": "Load Balancer Backend Address Pools",
 "description": "This module deploys a Load Balancer Backend Address Pools.", 
@@ -514,8 +514,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8138775732002888044"
+ "version": "0.22.6.54827",
+ "templateHash": "10708877822656641045"
 },
 "name": "Load Balancer Inbound NAT Rules",
 "description": "This module deploys a Load Balancer Inbound NAT Rules.",
@@ -722,8 +722,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5738508706605924950"
+ "version": "0.22.6.54827",
+ "templateHash": "14340033754168371744"
 }
 },
 "parameters": {
diff --git a/modules/network/local-network-gateway/.test/common/main.test.bicep b/modules/network/local-network-gateway/.test/common/main.test.bicep
index eb7d4a2d7a..8bebc4a7aa 100644
--- a/modules/network/local-network-gateway/.test/common/main.test.bicep
+++ b/modules/network/local-network-gateway/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/local-network-gateway/.test/min/main.test.bicep b/modules/network/local-network-gateway/.test/min/main.test.bicep
index 54f8df4c34..b9577924ea 100644
--- a/modules/network/local-network-gateway/.test/min/main.test.bicep
+++ b/modules/network/local-network-gateway/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md
index 6cbde10008..0f26183ba5 100644
--- a/modules/network/local-network-gateway/README.md
+++ b/modules/network/local-network-gateway/README.md 
@@ -4,13 +4,13 @@ This module deploys a Local Network Gateway.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- | 
@@ -18,59 +18,28 @@ This module deploys a Local Network Gateway.
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Network/localNetworkGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/localNetworkGateways) |
-## Parameters
+## Usage examples
-**Required parameters**
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `localAddressPrefixes` | array | List of the local (on-premises) IP address ranges. |
-| `localGatewayPublicIpAddress` | string | Public IP of the local gateway. |
-| `name` | string | Name of the Local Network Gateway. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `fqdn` | string | `''` | | FQDN of local network gateway. |
-| `localAsn` | string | `''` | | The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. |
-| `localBgpPeeringAddress` | string | `''` | | The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. |
-| `localPeerWeight` | string | `''` | | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the local network gateway. | -| `resourceGroupName` | string | The resource group the local network gateway was deployed into. | -| `resourceId` | string | The resource ID of the local network gateway. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.local-network-gateway:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module localNetworkGateway './network/local-network-gateway/main.bicep' = { +module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nlngcom' params: { // Required parameters @@ -164,14 +133,17 @@ module localNetworkGateway './network/local-network-gateway/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module localNetworkGateway './network/local-network-gateway/main.bicep' = { +module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nlngmin' params: { // Required parameters @@ -220,3 +192,124 @@ module localNetworkGateway './network/local-network-gateway/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`localAddressPrefixes`](#parameter-localaddressprefixes) | array | List of the local (on-premises) IP address ranges. |
+| [`localGatewayPublicIpAddress`](#parameter-localgatewaypublicipaddress) | string | Public IP of the local gateway. |
+| [`name`](#parameter-name) | string | Name of the Local Network Gateway. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`fqdn`](#parameter-fqdn) | string | FQDN of local network gateway. |
+| [`localAsn`](#parameter-localasn) | string | The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource. |
+| [`localBgpPeeringAddress`](#parameter-localbgppeeringaddress) | string | The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. |
+| [`localPeerWeight`](#parameter-localpeerweight) | string | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `fqdn`
+
+FQDN of local network gateway.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `localAddressPrefixes`
+
+List of the local (on-premises) IP address ranges.
+- Required: Yes
+- Type: array
+
+### Parameter: `localAsn`
+
+The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `localBgpPeeringAddress`
+
+The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `localGatewayPublicIpAddress`
+
+Public IP of the local gateway.
+- Required: Yes
+- Type: string
+
+### Parameter: `localPeerWeight`
+
+The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Local Network Gateway.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the local network gateway. |
+| `resourceGroupName` | string | The resource group the local network gateway was deployed into. |
+| `resourceId` | string | The resource ID of the local network gateway. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json
index ab62f612c9..7ddb2effdf 100644
--- a/modules/network/local-network-gateway/main.json
+++ b/modules/network/local-network-gateway/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "12820613470164660088"
+ "version": "0.22.6.54827",
+ "templateHash": "3075207124319652071"
 },
 "name": "Local Network Gateways",
 "description": "This module deploys a Local Network Gateway.",
@@ -185,8 +185,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "12018482118126048951"
+ "version": "0.22.6.54827",
+ "templateHash": "181485081298307705"
 }
 },
 "parameters": {
diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep
index 8bb8083fdd..178f58c027 100644
--- a/modules/network/nat-gateway/.test/common/main.test.bicep
+++ b/modules/network/nat-gateway/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md
index 2ae5f1ad5c..8d239324a4 100644
--- a/modules/network/nat-gateway/README.md
+++ b/modules/network/nat-gateway/README.md
@@ -4,13 +4,13 @@ This module deploys a NAT Gateway.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- | 
@@ -20,72 +20,27 @@ This module deploys a NAT Gateway.
 | `Microsoft.Network/natGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/natGateways) |
 | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) |
-## Parameters
-
-**Required parameters**
+## Usage examples
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Azure Bastion resource. |
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-**Optional parameters**
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `domainNameLabel` | string | `''` | | DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `idleTimeoutInMinutes` | int | `5` | | The idle timeout of the NAT gateway. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `natGatewayPipName` | string | `''` | | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. |
-| `natGatewayPublicIpAddress` | bool | `False` | | Use to have a new Public IP Address created for the NAT Gateway. |
-| `publicIpAddresses` | array | `[]` | | Existing Public IP Address resource names to use for the NAT Gateway. |
-| `publicIpPrefixes` | array | `[]` | | Existing Public IP Prefixes resource names to use for the NAT Gateway. |
-| `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `tags` | object | `{object}` | | Tags for the resource. 
| -| `zones` | array | `[]` | | A list of availability zones denoting the zone in which Nat Gateway should be deployed. |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.nat-gateway:1.0.0`.
+- [Using large parameter set](#example-1-using-large-parameter-set)
-## Outputs
+### Example 1: _Using large parameter set_
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the NAT Gateway. |
-| `resourceGroupName` | string | The resource group the NAT Gateway was deployed into. |
-| `resourceId` | string | The resource ID of the NAT Gateway. |
+This instance deploys the module with most of its features enabled.
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `network/public-ip-address` | Local reference |
-
-## Deployment examples
-
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
-
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-

Example 1: Common

via Bicep module ```bicep -module natGateway './network/nat-gateway/main.bicep' = { +module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nngcom' params: { // Required parameters @@ -178,3 +133,204 @@ module natGateway './network/nat-gateway/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Azure Bastion resource. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`domainNameLabel`](#parameter-domainnamelabel) | string | DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The idle timeout of the NAT gateway. 
| +| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`natGatewayPipName`](#parameter-natgatewaypipname) | string | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. |
+| [`natGatewayPublicIpAddress`](#parameter-natgatewaypublicipaddress) | bool | Use to have a new Public IP Address created for the NAT Gateway. |
+| [`publicIpAddresses`](#parameter-publicipaddresses) | array | Existing Public IP Address resource names to use for the NAT Gateway. |
+| [`publicIpPrefixes`](#parameter-publicipprefixes) | array | Existing Public IP Prefixes resource names to use for the NAT Gateway. |
+| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags for the resource. |
+| [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. |
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `domainNameLabel`
+
+DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `idleTimeoutInMinutes`
+
+The idle timeout of the NAT gateway.
+- Required: No
+- Type: int
+- Default: `5`
+
+### Parameter: `location`
+
+Location for all resources. 
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Azure Bastion resource.
+- Required: Yes
+- Type: string
+
+### Parameter: `natGatewayPipName`
+
+Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `natGatewayPublicIpAddress`
+
+Use to have a new Public IP Address created for the NAT Gateway.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `publicIpAddresses`
+
+Existing Public IP Address resource names to use for the NAT Gateway.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicIpPrefixes`
+
+Existing Public IP Prefixes resource names to use for the NAT Gateway.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicIPPrefixResourceId`
+
+Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags for the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `zones`
+
+A list of availability zones denoting the zone in which Nat Gateway should be deployed. 
+- Required: No
+- Type: array
+- Default: `[]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the NAT Gateway. |
+| `resourceGroupName` | string | The resource group the NAT Gateway was deployed into. |
+| `resourceId` | string | The resource ID of the NAT Gateway. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/public-ip-address` | Local reference |
diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json
index 8ae2e59ca3..ffc7620f1a 100644
--- a/modules/network/nat-gateway/main.json
+++ b/modules/network/nat-gateway/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14895423675743454"
+ "version": "0.22.6.54827",
+ "templateHash": "9634258356447527908"
 },
 "name": "NAT Gateways",
 "description": "This module deploys a NAT Gateway.",
@@ -314,8 +314,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1887898957722092173"
+ "version": "0.22.6.54827",
+ "templateHash": "4317747709004918530"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
@@ -648,8 +648,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7328126239184883887"
+ "version": "0.22.6.54827",
+ "templateHash": "9976109177347918049"
 }
 },
 "parameters": { 
@@ -866,8 +866,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15916588634255073631" + "version": "0.22.6.54827", + "templateHash": "15036243165894053484" } }, "parameters": { diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep index 50737c3734..5a7bfcf666 100644 --- a/modules/network/network-interface/.test/common/main.test.bicep +++ b/modules/network/network-interface/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/network-interface/.test/min/main.test.bicep b/modules/network/network-interface/.test/min/main.test.bicep index 11236f4d45..8a045fec44 100644 --- a/modules/network/network-interface/.test/min/main.test.bicep +++ b/modules/network/network-interface/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index ed14946f06..ee9c528fdd 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -5,10 +5,10 @@ This module deploys a Network Interface. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -19,67 +19,28 @@ This module deploys a Network Interface. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/networkInterfaces` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkInterfaces) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `ipConfigurations` | array | A list of IPConfigurations of the network interface. | -| `name` | string | The name of the network interface. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-interface:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `auxiliaryMode` | string | `'None'` | `[Floating, MaxConnections, None]` | Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | -| `auxiliarySku` | string | `'None'` | `[A1, A2, A4, A8, None]` | Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
|
-| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource identifier of log analytics. |
-| `disableTcpStateTracking` | bool | `False` | | Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true. |
-| `dnsServers` | array | `[]` | | List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection. |
-| `enableAcceleratedNetworking` | bool | `False` | | If the network interface is accelerated networking enabled. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableIPForwarding` | bool | `False` | | Indicates whether IP forwarding is enabled on this network interface. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `networkSecurityGroupResourceId` | string | `''` | | The network security group (NSG) to attach to the network interface. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed resource. | -| `resourceGroupName` | string | The resource group of the deployed resource. | -| `resourceId` | string | The resource ID of the deployed resource. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module networkInterface './network/network-interface/main.bicep' = { +module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nnicom' params: { // Required parameters @@ -219,14 +180,17 @@ module networkInterface './network/network-interface/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module networkInterface './network/network-interface/main.bicep' = { +module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nnimin' params: { // Required parameters @@ -277,3 +241,192 @@ module networkInterface './network/network-interface/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`ipConfigurations`](#parameter-ipconfigurations) | array | A list of IPConfigurations of the network interface. |
+| [`name`](#parameter-name) | string | The name of the network interface. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`auxiliaryMode`](#parameter-auxiliarymode) | string | Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. |
+| [`auxiliarySku`](#parameter-auxiliarysku) | string | Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource identifier of log analytics. |
+| [`disableTcpStateTracking`](#parameter-disabletcpstatetracking) | bool | Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true. |
+| [`dnsServers`](#parameter-dnsservers) | array | List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection. |
+| [`enableAcceleratedNetworking`](#parameter-enableacceleratednetworking) | bool | If the network interface is accelerated networking enabled. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableIPForwarding`](#parameter-enableipforwarding) | bool | Indicates whether IP forwarding is enabled on this network interface. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`networkSecurityGroupResourceId`](#parameter-networksecuritygroupresourceid) | string | The network security group (NSG) to attach to the network interface. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `auxiliaryMode`
+
+Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic.
+- Required: No
+- Type: string
+- Default: `'None'`
+- Allowed: `[Floating, MaxConnections, None]`
+
+### Parameter: `auxiliarySku`
+
+Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic.
+- Required: No
+- Type: string
+- Default: `'None'`
+- Allowed: `[A1, A2, A4, A8, None]`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource identifier of log analytics.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `disableTcpStateTracking`
+
+Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `dnsServers`
+
+List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `enableAcceleratedNetworking`
+
+If the network interface is accelerated networking enabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableIPForwarding`
+
+Indicates whether IP forwarding is enabled on this network interface.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `ipConfigurations`
+
+A list of IPConfigurations of the network interface.
+- Required: Yes
+- Type: array
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+The name of the network interface.
+- Required: Yes
+- Type: string
+
+### Parameter: `networkSecurityGroupResourceId`
+
+The network security group (NSG) to attach to the network interface.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed resource. |
+| `resourceGroupName` | string | The resource group of the deployed resource. |
+| `resourceId` | string | The resource ID of the deployed resource.
| + +## Cross-referenced modules + +_None_ diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json index 59419cbae3..20e292dd8f 100644 --- a/modules/network/network-interface/main.json +++ b/modules/network/network-interface/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5974456600868040376" + "version": "0.22.6.54827", + "templateHash": "14479255820598719580" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", @@ -307,8 +307,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10645923556503351364" + "version": "0.22.6.54827", + "templateHash": "11518733977101662334" } }, "parameters": { diff --git a/modules/network/network-manager/.test/common/main.test.bicep b/modules/network/network-manager/.test/common/main.test.bicep index 1ebb51582a..e0899bd41c 100644 --- a/modules/network/network-manager/.test/common/main.test.bicep +++ b/modules/network/network-manager/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 656930cdc9..86e3036e2f 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -5,10 +5,10 @@ This module deploys a Network Manager. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -26,65 +26,27 @@ This module deploys a Network Manager. | `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections) | | `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-02-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Network Manager. | -| `networkManagerScopeAccesses` | array | Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. | -| `networkManagerScopes` | object | Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. | +## Usage examples -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `networkGroups` | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. 
Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `connectivityConfigurations` | array | `[]` | | Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations. |
-| `description` | string | `''` | | A description of the network manager. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `scopeConnections` | array | `[]` | | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. |
-| `securityAdminConfigurations` | array | `[]` | | Security Admin Configurations, Rule Collections and Rules to create for the network manager.
Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the network manager. | -| `resourceGroupName` | string | The resource group the network manager was deployed into. | -| `resourceId` | string | The resource ID of the network manager. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-manager:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module networkManager './network/network-manager/main.bicep' = { +module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nnmcom' params: { // Required parameters @@ -523,6 +485,139 @@ module networkManager './network/network-manager/main.bicep' = {

+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Network Manager. |
+| [`networkManagerScopeAccesses`](#parameter-networkmanagerscopeaccesses) | array | Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. |
+| [`networkManagerScopes`](#parameter-networkmanagerscopes) | object | Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. |
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`networkGroups`](#parameter-networkgroups) | array | Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`connectivityConfigurations`](#parameter-connectivityconfigurations) | array | Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations. |
+| [`description`](#parameter-description) | string | A description of the network manager. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`scopeConnections`](#parameter-scopeconnections) | array | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. |
+| [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `connectivityConfigurations`
+
+Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `description`
+
+A description of the network manager.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Network Manager.
+- Required: Yes
+- Type: string
+
+### Parameter: `networkGroups`
+
+Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `networkManagerScopeAccesses`
+
+Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs.
+- Required: Yes
+- Type: array
+
+### Parameter: `networkManagerScopes`
+
+Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.
+- Required: Yes
+- Type: object
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `scopeConnections`
+
+Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `securityAdminConfigurations`
+
+Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.
You then associate the rule collection with the network groups that you want to apply the security admin rules to. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the network manager. | +| `resourceGroupName` | string | The resource group the network manager was deployed into. | +| `resourceId` | string | The resource ID of the network manager. | + +## Cross-referenced modules + +_None_ + ## Notes ### Considerations diff --git a/modules/network/network-manager/connectivity-configuration/README.md b/modules/network/network-manager/connectivity-configuration/README.md index 77c750ba1f..cf5ff24e23 100644 --- a/modules/network/network-manager/connectivity-configuration/README.md +++ b/modules/network/network-manager/connectivity-configuration/README.md 
@@ -20,32 +20,95 @@ Connectivity configurations define hub-and-spoke or mesh topologies applied to o **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `appliesToGroups` | array | | Network Groups for the configuration. | -| `connectivityTopology` | string | `[HubAndSpoke, Mesh]` | Connectivity topology type. | -| `name` | string | | The name of the connectivity configuration. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appliesToGroups`](#parameter-appliestogroups) | array | Network Groups for the configuration. | +| [`connectivityTopology`](#parameter-connectivitytopology) | string | Connectivity topology type. | +| [`name`](#parameter-name) | string | The name of the connectivity configuration. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hubs` | array | List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke". | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`hubs`](#parameter-hubs) | array | List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke". | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `deleteExistingPeering` | string | `'False'` | `[False, True]` | Flag if need to remove current existing peerings. 
If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke". | -| `description` | string | `''` | | A description of the connectivity configuration. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `isGlobal` | string | `'False'` | `[False, True]` | Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`deleteExistingPeering`](#parameter-deleteexistingpeering) | string | Flag if need to remove current existing peerings. If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke". | +| [`description`](#parameter-description) | string | A description of the connectivity configuration. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`isGlobal`](#parameter-isglobal) | string | Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions. | + +### Parameter: `appliesToGroups` + +Network Groups for the configuration. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `connectivityTopology` + +Connectivity topology type. +- Required: Yes +- Type: string +- Allowed: `[HubAndSpoke, Mesh]` + +### Parameter: `deleteExistingPeering` + +Flag if need to remove current existing peerings. 
If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke". +- Required: No +- Type: string +- Default: `'False'` +- Allowed: `[False, True]` + +### Parameter: `description` + +A description of the connectivity configuration. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hubs` + +List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke". +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `isGlobal` + +Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions. +- Required: No +- Type: string +- Default: `'False'` +- Allowed: `[False, True]` + +### Parameter: `name` + +The name of the connectivity configuration. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed connectivity configuration. | | `resourceGroupName` | string | The resource group the connectivity configuration was deployed into. | diff --git a/modules/network/network-manager/network-group/README.md b/modules/network/network-manager/network-group/README.md index b902fd22a1..a5f8dca4a0 100644 --- a/modules/network/network-manager/network-group/README.md +++ b/modules/network/network-manager/network-group/README.md 
@@ -21,28 +21,61 @@ A network group is a collection of same-type network resources that you can asso **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the network group. | +| [`name`](#parameter-name) | string | The name of the network group. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | A description of the network group. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `staticMembers` | array | `[]` | Static Members to create for the network group. Contains virtual networks to add to the network group. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the network group. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`staticMembers`](#parameter-staticmembers) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. | + +### Parameter: `description` + +A description of the network group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the network group. 
+- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `staticMembers` + +Static Members to create for the network group. Contains virtual networks to add to the network group. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed network group. | | `resourceGroupName` | string | The resource group the network group was deployed into. | diff --git a/modules/network/network-manager/network-group/static-member/README.md b/modules/network/network-manager/network-group/static-member/README.md index 54989f4a2c..7a10fbc50c 100644 --- a/modules/network/network-manager/network-group/static-member/README.md +++ b/modules/network/network-manager/network-group/static-member/README.md 
@@ -20,28 +20,59 @@ Static membership allows you to explicitly add virtual networks to a group by ma **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the static member. | -| `resourceId` | string | Resource ID of the virtual network. | +| [`name`](#parameter-name) | string | The name of the static member. | +| [`resourceId`](#parameter-resourceid) | string | Resource ID of the virtual network. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkGroupName` | string | The name of the parent network group. Required if the template is used in a standalone deployment. | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`networkGroupName`](#parameter-networkgroupname) | string | The name of the parent network group. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the static member. +- Required: Yes +- Type: string + +### Parameter: `networkGroupName` + +The name of the parent network group. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +Resource ID of the virtual network. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed static member. | | `resourceGroupName` | string | The resource group the static member was deployed into. | diff --git a/modules/network/network-manager/scope-connection/README.md b/modules/network/network-manager/scope-connection/README.md index 3c0ef6d896..b2e6fbf6c5 100644 --- a/modules/network/network-manager/scope-connection/README.md +++ b/modules/network/network-manager/scope-connection/README.md 
@@ -20,29 +20,67 @@ Create a cross-tenant connection to manage a resource from another tenant. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the scope connection. | -| `resourceId` | string | Enter the subscription or management group resource ID that you want to add to this network manager's scope. | -| `tenantId` | string | Tenant ID of the subscription or management group that you want to manage. | +| [`name`](#parameter-name) | string | The name of the scope connection. | +| [`resourceId`](#parameter-resourceid) | string | Enter the subscription or management group resource ID that you want to add to this network manager's scope. | +| [`tenantId`](#parameter-tenantid) | string | Tenant ID of the subscription or management group that you want to manage. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | A description of the scope connection. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the scope connection. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `description` + +A description of the scope connection. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the scope connection. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +Enter the subscription or management group resource ID that you want to add to this network manager's scope. +- Required: Yes +- Type: string + +### Parameter: `tenantId` + +Tenant ID of the subscription or management group that you want to manage. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed scope connection. | | `resourceGroupName` | string | The resource group the scope connection was deployed into. | diff --git a/modules/network/network-manager/security-admin-configuration/README.md b/modules/network/network-manager/security-admin-configuration/README.md index 10cd562c0a..c6cb473a8a 100644 --- a/modules/network/network-manager/security-admin-configuration/README.md +++ b/modules/network/network-manager/security-admin-configuration/README.md 
@@ -22,29 +22,70 @@ A security admin configuration contains a set of rule collections. Each rule col **Required parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `applyOnNetworkIntentPolicyBasedServices` | array | `[None]` | `[All, AllowRulesOnly, None]` | Enum list of network intent policy based services. | -| `name` | string | | | The name of the security admin configuration. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applyOnNetworkIntentPolicyBasedServices`](#parameter-applyonnetworkintentpolicybasedservices) | array | Enum list of network intent policy based services. | +| [`name`](#parameter-name) | string | The name of the security admin configuration. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | A description of the security admin configuration. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ruleCollections` | array | `[]` | A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the security admin configuration. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`ruleCollections`](#parameter-rulecollections) | array | A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. | + +### Parameter: `applyOnNetworkIntentPolicyBasedServices` + +Enum list of network intent policy based services. +- Required: No +- Type: array +- Default: `[None]` +- Allowed: `[All, AllowRulesOnly, None]` + +### Parameter: `description` + +A description of the security admin configuration. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the security admin configuration. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `ruleCollections` + +A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed security admin configuration. | | `resourceGroupName` | string | The resource group the security admin configuration was deployed into. | diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/README.md index 33bd75c517..8f8dbcef8f 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/README.md 
@@ -21,30 +21,74 @@ A security admin configuration contains a set of rule collections. Each rule col **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appliesToGroups` | array | List of network groups for configuration. An admin rule collection must be associated to at least one network group. | -| `name` | string | The name of the admin rule collection. | +| [`appliesToGroups`](#parameter-appliestogroups) | array | List of network groups for configuration. An admin rule collection must be associated to at least one network group. | +| [`name`](#parameter-name) | string | The name of the admin rule collection. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | -| `securityAdminConfigurationName` | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`securityAdminConfigurationName`](#parameter-securityadminconfigurationname) | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | A description of the admin rule collection. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rules` | array | | List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. 
Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the admin rule collection. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rules`](#parameter-rules) | array | List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail. | + +### Parameter: `appliesToGroups` + +List of network groups for configuration. An admin rule collection must be associated to at least one network group. +- Required: Yes +- Type: array + +### Parameter: `description` + +A description of the admin rule collection. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the admin rule collection. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rules` + +List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail. +- Required: Yes +- Type: array + +### Parameter: `securityAdminConfigurationName` + +The name of the parent security admin configuration. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed admin rule collection. | | `resourceGroupName` | string | The resource group the admin rule collection was deployed into. | diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md index f053a1c8ee..6f0eb7a62f 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md 
@@ -20,37 +20,130 @@ A security admin configuration contains a set of rule collections. Each rule col **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `access` | string | `[Allow, AlwaysAllow, Deny]` | Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. | -| `direction` | string | `[Inbound, Outbound]` | Indicates if the traffic matched against the rule in inbound or outbound. | -| `name` | string | | The name of the rule. | -| `priority` | int | | The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | -| `protocol` | string | `[Ah, Any, Esp, Icmp, Tcp, Udp]` | Network protocol this rule applies to. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`access`](#parameter-access) | string | Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. | +| [`direction`](#parameter-direction) | string | Indicates if the traffic matched against the rule in inbound or outbound. | +| [`name`](#parameter-name) | string | The name of the rule. | +| [`priority`](#parameter-priority) | int | The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. 
| +| [`protocol`](#parameter-protocol) | string | Network protocol this rule applies to. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkManagerName` | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | -| `ruleCollectionName` | string | The name of the parent rule collection. Required if the template is used in a standalone deployment. | -| `securityAdminConfigurationName` | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`ruleCollectionName`](#parameter-rulecollectionname) | string | The name of the parent rule collection. Required if the template is used in a standalone deployment. | +| [`securityAdminConfigurationName`](#parameter-securityadminconfigurationname) | string | The name of the parent security admin configuration. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `description` | string | `''` | A description of the rule. | -| `destinationPortRanges` | array | `[]` | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | -| `destinations` | array | `[]` | The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. 
| -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `sourcePortRanges` | array | `[]` | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | -| `sources` | array | `[]` | The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the rule. | +| [`destinationPortRanges`](#parameter-destinationportranges) | array | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | +| [`destinations`](#parameter-destinations) | array | The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`sourcePortRanges`](#parameter-sourceportranges) | array | List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. | +| [`sources`](#parameter-sources) | array | The source filter can be an IP Address or a service tag. 
Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. | + +### Parameter: `access` + +Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. +- Required: Yes +- Type: string +- Allowed: `[Allow, AlwaysAllow, Deny]` + +### Parameter: `description` + +A description of the rule. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinationPortRanges` + +List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `destinations` + +The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `direction` + +Indicates if the traffic matched against the rule in inbound or outbound. +- Required: Yes +- Type: string +- Allowed: `[Inbound, Outbound]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the rule. +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `priority` + +The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. +- Required: Yes +- Type: int + +### Parameter: `protocol` + +Network protocol this rule applies to. +- Required: Yes +- Type: string +- Allowed: `[Ah, Any, Esp, Icmp, Tcp, Udp]` + +### Parameter: `ruleCollectionName` + +The name of the parent rule collection. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `securityAdminConfigurationName` + +The name of the parent security admin configuration. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `sourcePortRanges` + +List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sources` + +The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed rule. | | `resourceGroupName` | string | The resource group the rule was deployed into. | diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/.test/common/main.test.bicep index e527049267..b3d3aa351f 100644 
--- a/modules/network/network-security-group/.test/common/main.test.bicep
+++ b/modules/network/network-security-group/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/network-security-group/.test/min/main.test.bicep b/modules/network/network-security-group/.test/min/main.test.bicep
index 744ad53a8c..225b630945 100644
--- a/modules/network/network-security-group/.test/min/main.test.bicep
+++ b/modules/network/network-security-group/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md
index 306ed08855..9cc85e94be 100644
--- a/modules/network/network-security-group/README.md
+++ b/modules/network/network-security-group/README.md
@@ -5,10 +5,10 @@ This module deploys a Network security Group (NSG).
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -20,61 +20,28 @@ This module deploys a Network security Group (NSG). | `Microsoft.Network/networkSecurityGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkSecurityGroups) | | `Microsoft.Network/networkSecurityGroups/securityRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkSecurityGroups/securityRules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Network Security Group. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `flushConnection` | bool | `False` | | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securityRules` | array | `[]` | | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | -| `tags` | object | `{object}` | | Tags of the NSG resource. | - +## Usage examples -## Outputs +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the network security group. | -| `resourceGroupName` | string | The resource group the network security group was deployed into. | -| `resourceId` | string | The resource ID of the network security group. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-security-group:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module networkSecurityGroup './network/network-security-group/main.bicep' = { +module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nnsgcom' params: { // Required parameters @@ -294,14 +261,17 @@ module networkSecurityGroup './network/network-security-group/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module networkSecurityGroup './network/network-security-group/main.bicep' = { +module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nnsgmin' params: { // Required parameters @@ -338,3 +308,143 @@ module networkSecurityGroup './network/network-security-group/main.bicep' = {

+
+
+## Parameters
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | Name of the Network Security Group. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
+| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
+| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. |
+| [`tags`](#parameter-tags) | object | Tags of the NSG resource. |
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `flushConnection`
+
+When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Network Security Group.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `securityRules`
+
+Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the NSG resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the network security group. |
+| `resourceGroupName` | string | The resource group the network security group was deployed into. |
+| `resourceId` | string | The resource ID of the network security group. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json
index b06da3fe4f..abb0e70fca 100644
--- a/modules/network/network-security-group/main.json
+++ b/modules/network/network-security-group/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.21.1.54444",
-"templateHash": "9239709220807810810"
+"version": "0.22.6.54827",
+"templateHash": "8128749516786730234"
 },
 "name": "Network Security Groups",
 "description": "This module deploys a Network security Group (NSG).",
@@ -272,8 +272,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.21.1.54444",
-"templateHash": "18244678468796534516"
+"version": "0.22.6.54827",
+"templateHash": "820939823450891186"
 },
 "name": "Network Security Group (NSG) Security Rules",
 "description": "This module deploys a Network Security Group (NSG) Security Rule.",
@@ -520,8 +520,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.21.1.54444",
-"templateHash": "8259083650687909209"
+"version": "0.22.6.54827",
+"templateHash": "12098965438500552299"
 }
 },
 "parameters": {
diff --git a/modules/network/network-security-group/security-rule/README.md b/modules/network/network-security-group/security-rule/README.md
index 57868287ca..bac421ca53 100644
--- a/modules/network/network-security-group/security-rule/README.md
+++ b/modules/network/network-security-group/security-rule/README.md
@@ -19,41 +19,165 @@ This module deploys a Network Security Group (NSG) Security Rule. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `direction` | string | `[Inbound, Outbound]` | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | -| `name` | string | | The name of the security rule. | -| `priority` | int | | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | -| `protocol` | string | `[*, Ah, Esp, Icmp, Tcp, Udp]` | Network protocol this rule applies to. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`direction`](#parameter-direction) | string | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | +| [`name`](#parameter-name) | string | The name of the security rule. | +| [`priority`](#parameter-priority) | int | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | +| [`protocol`](#parameter-protocol) | string | Network protocol this rule applies to. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `networkSecurityGroupName` | string | The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. | +| [`networkSecurityGroupName`](#parameter-networksecuritygroupname) | string | The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. 
| **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `access` | string | `'Deny'` | `[Allow, Deny]` | Whether network traffic is allowed or denied. | -| `description` | string | `''` | | A description for this rule. | -| `destinationAddressPrefix` | string | `''` | | The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. | -| `destinationAddressPrefixes` | array | `[]` | | The destination address prefixes. CIDR or destination IP ranges. | -| `destinationApplicationSecurityGroups` | array | `[]` | | The application security group specified as destination. | -| `destinationPortRange` | string | `''` | | The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | -| `destinationPortRanges` | array | `[]` | | The destination port ranges. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `sourceAddressPrefix` | string | `''` | | The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. | -| `sourceAddressPrefixes` | array | `[]` | | The CIDR or source IP ranges. | -| `sourceApplicationSecurityGroups` | array | `[]` | | The application security group specified as source. | -| `sourcePortRange` | string | `''` | | The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | -| `sourcePortRanges` | array | `[]` | | The source port ranges. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`access`](#parameter-access) | string | Whether network traffic is allowed or denied. | +| [`description`](#parameter-description) | string | A description for this rule. | +| [`destinationAddressPrefix`](#parameter-destinationaddressprefix) | string | The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. | +| [`destinationAddressPrefixes`](#parameter-destinationaddressprefixes) | array | The destination address prefixes. CIDR or destination IP ranges. | +| [`destinationApplicationSecurityGroups`](#parameter-destinationapplicationsecuritygroups) | array | The application security group specified as destination. | +| [`destinationPortRange`](#parameter-destinationportrange) | string | The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | +| [`destinationPortRanges`](#parameter-destinationportranges) | array | The destination port ranges. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`sourceAddressPrefix`](#parameter-sourceaddressprefix) | string | The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. | +| [`sourceAddressPrefixes`](#parameter-sourceaddressprefixes) | array | The CIDR or source IP ranges. | +| [`sourceApplicationSecurityGroups`](#parameter-sourceapplicationsecuritygroups) | array | The application security group specified as source. | +| [`sourcePortRange`](#parameter-sourceportrange) | string | The source port or range. Integer or range between 0 and 65535. 
Asterisk "*" can also be used to match all ports. | +| [`sourcePortRanges`](#parameter-sourceportranges) | array | The source port ranges. | + +### Parameter: `access` + +Whether network traffic is allowed or denied. +- Required: No +- Type: string +- Default: `'Deny'` +- Allowed: `[Allow, Deny]` + +### Parameter: `description` + +A description for this rule. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinationAddressPrefix` + +The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinationAddressPrefixes` + +The destination address prefixes. CIDR or destination IP ranges. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `destinationApplicationSecurityGroups` + +The application security group specified as destination. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `destinationPortRange` + +The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinationPortRanges` + +The destination port ranges. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `direction` + +The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. +- Required: Yes +- Type: string +- Allowed: `[Inbound, Outbound]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the security rule. +- Required: Yes +- Type: string + +### Parameter: `networkSecurityGroupName` + +The name of the parent network security group to deploy the security rule into. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `priority` + +The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. +- Required: Yes +- Type: int + +### Parameter: `protocol` + +Network protocol this rule applies to. +- Required: Yes +- Type: string +- Allowed: `[*, Ah, Esp, Icmp, Tcp, Udp]` + +### Parameter: `sourceAddressPrefix` + +The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceAddressPrefixes` + +The CIDR or source IP ranges. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sourceApplicationSecurityGroups` + +The application security group specified as source. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sourcePortRange` + +The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourcePortRanges` + +The source port ranges. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the security rule. | | `resourceGroupName` | string | The resource group the security rule was deployed into. | diff --git a/modules/network/network-security-group/security-rule/main.json b/modules/network/network-security-group/security-rule/main.json index f926892555..a024c862c1 100644 --- a/modules/network/network-security-group/security-rule/main.json 
+++ b/modules/network/network-security-group/security-rule/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.20.4.51522",
-"templateHash": "4767935764969237300"
+"version": "0.22.6.54827",
+"templateHash": "820939823450891186"
 },
 "name": "Network Security Group (NSG) Security Rules",
 "description": "This module deploys a Network Security Group (NSG) Security Rule.",
diff --git a/modules/network/network-watcher/.test/common/main.test.bicep b/modules/network/network-watcher/.test/common/main.test.bicep
index 64e2265f18..ddc0677786 100644
--- a/modules/network/network-watcher/.test/common/main.test.bicep
+++ b/modules/network/network-watcher/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/network-watcher/.test/min/main.test.bicep b/modules/network/network-watcher/.test/min/main.test.bicep
index 89dee769f8..026f230ae4 100644
--- a/modules/network/network-watcher/.test/min/main.test.bicep
+++ b/modules/network/network-watcher/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md
index d41d90b40b..9019a60077 100644
--- a/modules/network/network-watcher/README.md
+++ b/modules/network/network-watcher/README.md
@@ -4,13 +4,13 @@ This module deploys a Network Watcher.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -20,50 +20,28 @@ This module deploys a Network Watcher. | `Microsoft.Network/networkWatchers/connectionMonitors` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/connectionMonitors) | | `Microsoft.Network/networkWatchers/flowLogs` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/networkWatchers/flowLogs) | -## Parameters - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `connectionMonitors` | array | `[]` | | Array that contains the Connection Monitors. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `flowLogs` | array | `[]` | | Array that contains the Flow Logs. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `name` | string | `[format('NetworkWatcher_{0}', parameters('location'))]` | | Name of the Network Watcher resource (hidden). | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
-## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed network watcher. | -| `resourceGroupName` | string | The resource group the network watcher was deployed into. | -| `resourceId` | string | The resource ID of the deployed network watcher. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-watcher:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module networkWatcher './network/network-watcher/main.bicep' = { +module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { name: '${uniqueString(deployment().name, testLocation)}-test-nnwcom' params: { connectionMonitors: [ @@ -275,14 +253,17 @@ module networkWatcher './network/network-watcher/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module networkWatcher './network/network-watcher/main.bicep' = { +module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { name: '${uniqueString(deployment().name, testLocation)}-test-nnwmin' params: { enableDefaultTelemetry: '' @@ -315,3 +296,90 @@ module networkWatcher './network/network-watcher/main.bicep' = {

+
+
+## Parameters
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`connectionMonitors`](#parameter-connectionmonitors) | array | Array that contains the Connection Monitors. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`flowLogs`](#parameter-flowlogs) | array | Array that contains the Flow Logs. |
+| [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`name`](#parameter-name) | string | Name of the Network Watcher resource (hidden). |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+
+### Parameter: `connectionMonitors`
+
+Array that contains the Connection Monitors.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `flowLogs`
+
+Array that contains the Flow Logs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the Network Watcher resource (hidden).
+- Required: No
+- Type: string
+- Default: `[format('NetworkWatcher_{0}', parameters('location'))]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the deployed network watcher. |
+| `resourceGroupName` | string | The resource group the network watcher was deployed into. |
+| `resourceId` | string | The resource ID of the deployed network watcher. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/network-watcher/connection-monitor/README.md b/modules/network/network-watcher/connection-monitor/README.md
index d066d55387..efd44e1102 100644
--- a/modules/network/network-watcher/connection-monitor/README.md
+++ b/modules/network/network-watcher/connection-monitor/README.md
@@ -19,27 +19,89 @@ This module deploys a Network Watcher Connection Monitor. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the resource. | +| [`name`](#parameter-name) | string | Name of the resource. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endpoints` | array | `[]` | List of connection monitor endpoints. | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `networkWatcherName` | string | `[format('NetworkWatcher_{0}', resourceGroup().location)]` | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. | -| `tags` | object | `{object}` | Tags of the resource. | -| `testConfigurations` | array | `[]` | List of connection monitor test configurations. | -| `testGroups` | array | `[]` | List of connection monitor test groups. | -| `workspaceResourceId` | string | `''` | Specify the Log Analytics Workspace Resource ID. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`endpoints`](#parameter-endpoints) | array | List of connection monitor endpoints. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`networkWatcherName`](#parameter-networkwatchername) | string | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`testConfigurations`](#parameter-testconfigurations) | array | List of connection monitor test configurations. 
| +| [`testGroups`](#parameter-testgroups) | array | List of connection monitor test groups. | +| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `endpoints` + +List of connection monitor endpoints. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the resource. +- Required: Yes +- Type: string + +### Parameter: `networkWatcherName` + +Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. +- Required: No +- Type: string +- Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `testConfigurations` + +List of connection monitor test configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `testGroups` + +List of connection monitor test groups. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `workspaceResourceId` + +Specify the Log Analytics Workspace Resource ID. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the deployed connection monitor. | diff --git a/modules/network/network-watcher/connection-monitor/main.json b/modules/network/network-watcher/connection-monitor/main.json index e76438a305..c7df0ada6e 100644 --- a/modules/network/network-watcher/connection-monitor/main.json 
+++ b/modules/network/network-watcher/connection-monitor/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9435199226792787351" + "version": "0.22.6.54827", + "templateHash": "11763235795280157018" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md index 0dacbbb823..1afef915fc 100644 --- a/modules/network/network-watcher/flow-log/README.md +++ b/modules/network/network-watcher/flow-log/README.md @@ -5,12 +5,12 @@ This module controls the Network Security Group Flow Logs and analytics settings ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,30 +20,114 @@ This module controls the Network Security Group Flow Logs and analytics settings **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageId` | string | Resource ID of the diagnostic storage account. | -| `targetResourceId` | string | Resource ID of the NSG that must be enabled for Flow Logs. | +| [`storageId`](#parameter-storageid) | string | Resource ID of the diagnostic storage account. | +| [`targetResourceId`](#parameter-targetresourceid) | string | Resource ID of the NSG that must be enabled for Flow Logs. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enabled` | bool | `True` | | If the flow log should be enabled. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `formatVersion` | int | `2` | `[1, 2]` | The flow log format version. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `name` | string | `[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]` | | Name of the resource. | -| `networkWatcherName` | string | `[format('NetworkWatcher_{0}', resourceGroup().location)]` | | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. | -| `retentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `trafficAnalyticsInterval` | int | `60` | `[10, 60]` | The interval in minutes which would decide how frequently TA service should do flow analytics. | -| `workspaceResourceId` | string | `''` | | Specify the Log Analytics Workspace Resource ID. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enabled`](#parameter-enabled) | bool | If the flow log should be enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`formatVersion`](#parameter-formatversion) | int | The flow log format version. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`name`](#parameter-name) | string | Name of the resource. | +| [`networkWatcherName`](#parameter-networkwatchername) | string | Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. | +| [`retentionInDays`](#parameter-retentionindays) | int | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`trafficAnalyticsInterval`](#parameter-trafficanalyticsinterval) | int | The interval in minutes which would decide how frequently TA service should do flow analytics. | +| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. | + +### Parameter: `enabled` + +If the flow log should be enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `formatVersion` + +The flow log format version. +- Required: No +- Type: int +- Default: `2` +- Allowed: `[1, 2]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the resource. 
+- Required: No +- Type: string +- Default: `[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]` + +### Parameter: `networkWatcherName` + +Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. +- Required: No +- Type: string +- Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]` + +### Parameter: `retentionInDays` + +Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. +- Required: No +- Type: int +- Default: `365` + +### Parameter: `storageId` + +Resource ID of the diagnostic storage account. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `targetResourceId` + +Resource ID of the NSG that must be enabled for Flow Logs. +- Required: Yes +- Type: string + +### Parameter: `trafficAnalyticsInterval` + +The interval in minutes which would decide how frequently TA service should do flow analytics. +- Required: No +- Type: int +- Default: `60` +- Allowed: `[10, 60]` + +### Parameter: `workspaceResourceId` + +Specify the Log Analytics Workspace Resource ID. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the flow log. | diff --git a/modules/network/network-watcher/flow-log/main.json b/modules/network/network-watcher/flow-log/main.json index 1a9023a4ba..0d737f5dce 100644 --- a/modules/network/network-watcher/flow-log/main.json +++ b/modules/network/network-watcher/flow-log/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11308204478162486459" + "version": "0.22.6.54827", + "templateHash": "17949647288095694070" }, "name": "NSG Flow Logs", "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index 076bf236c0..7d746b120d 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3813984795397304605" + "version": "0.22.6.54827", + "templateHash": "3515911577845014451" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", @@ -149,8 +149,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4655888316956810002" + "version": "0.22.6.54827", + "templateHash": "9894011822541177112" } }, "parameters": { @@ -326,8 +326,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4201838654770127390" + "version": "0.22.6.54827", + "templateHash": "11763235795280157018" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", @@ -505,8 +505,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11547142807846840674" + "version": "0.22.6.54827", + "templateHash": "17949647288095694070" }, "name": "NSG Flow Logs", "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", 
diff --git a/modules/network/private-dns-zone/.test/common/main.test.bicep b/modules/network/private-dns-zone/.test/common/main.test.bicep index 175acecf7f..d3e5ad38db 100644 --- a/modules/network/private-dns-zone/.test/common/main.test.bicep +++ b/modules/network/private-dns-zone/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-dns-zone/.test/min/main.test.bicep b/modules/network/private-dns-zone/.test/min/main.test.bicep index f32a389c03..db60e58143 100644 --- a/modules/network/private-dns-zone/.test/min/main.test.bicep +++ b/modules/network/private-dns-zone/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index a6d1f62e04..54fc9873d1 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -4,13 +4,13 @@ This module deploys a Private DNS zone. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -27,62 +27,28 @@ This module deploys a Private DNS zone. | `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) | | `Microsoft.Network/privateDnsZones/virtualNetworkLinks` | [2020-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/virtualNetworkLinks) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Private DNS zone name. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-dns-zone:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `a` | _[a](a/README.md)_ array | `[]` | | Array of A records. | -| `aaaa` | _[aaaa](aaaa/README.md)_ array | `[]` | | Array of AAAA records. | -| `cname` | _[cname](cname/README.md)_ array | `[]` | | Array of CNAME records. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | | The location of the PrivateDNSZone. Should be global. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `mx` | _[mx](mx/README.md)_ array | `[]` | | Array of MX records. | -| `ptr` | _[ptr](ptr/README.md)_ array | `[]` | | Array of PTR records. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `soa` | _[soa](soa/README.md)_ array | `[]` | | Array of SOA records. | -| `srv` | _[srv](srv/README.md)_ array | `[]` | | Array of SRV records. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `txt` | _[txt](txt/README.md)_ array | `[]` | | Array of TXT records. | -| `virtualNetworkLinks` | array | `[]` | | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private DNS zone. | -| `resourceGroupName` | string | The resource group the private DNS zone was deployed into. | -| `resourceId` | string | The resource ID of the private DNS zone. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
- - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module privateDnsZone './network/private-dns-zone/main.bicep' = { +module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npdzcom' params: { // Required parameters @@ -504,14 +470,17 @@ module privateDnsZone './network/private-dns-zone/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module privateDnsZone './network/private-dns-zone/main.bicep' = { +module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npdzmin' params: { // Required parameters @@ -548,3 +517,150 @@ module privateDnsZone './network/private-dns-zone/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Private DNS zone name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`a`](#parameter-a) | array | Array of A records. | +| [`aaaa`](#parameter-aaaa) | array | Array of AAAA records. | +| [`cname`](#parameter-cname) | array | Array of CNAME records. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`mx`](#parameter-mx) | array | Array of MX records. | +| [`ptr`](#parameter-ptr) | array | Array of PTR records. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`soa`](#parameter-soa) | array | Array of SOA records. | +| [`srv`](#parameter-srv) | array | Array of SRV records. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`txt`](#parameter-txt) | array | Array of TXT records. | +| [`virtualNetworkLinks`](#parameter-virtualnetworklinks) | array | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | + +### Parameter: `a` + +Array of A records. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `aaaa` + +Array of AAAA records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `cname` + +Array of CNAME records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the PrivateDNSZone. Should be global. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `mx` + +Array of MX records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +Private DNS zone name. +- Required: Yes +- Type: string + +### Parameter: `ptr` + +Array of PTR records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `soa` + +Array of SOA records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `srv` + +Array of SRV records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `txt` + +Array of TXT records. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `virtualNetworkLinks` + +Array of custom objects describing vNet links of the DNS zone. 
Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the private DNS zone. | +| `resourceGroupName` | string | The resource group the private DNS zone was deployed into. | +| `resourceId` | string | The resource ID of the private DNS zone. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md index 54ae836063..c3368e5187 100644 --- a/modules/network/private-dns-zone/a/README.md +++ b/modules/network/private-dns-zone/a/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone A record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the A record. | +| [`name`](#parameter-name) | string | The name of the A record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `aRecords` | array | `[]` | The list of A records in the record set. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aRecords`](#parameter-arecords) | array | The list of A records in the record set. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `aRecords` + +The list of A records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the A record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed A record. 
| | `resourceGroupName` | string | The resource group of the deployed A record. | diff --git a/modules/network/private-dns-zone/a/main.json b/modules/network/private-dns-zone/a/main.json index 413cc464b5..a6c913362e 100644 --- a/modules/network/private-dns-zone/a/main.json +++ b/modules/network/private-dns-zone/a/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2464749993448285338" + "version": "0.22.6.54827", + "templateHash": "3286674755199812485" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16462248861146180112" + "version": "0.22.6.54827", + "templateHash": "13885309482367640092" } }, "parameters": { diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md index 10dbc0d92d..8519032b83 100644 --- a/modules/network/private-dns-zone/aaaa/README.md +++ b/modules/network/private-dns-zone/aaaa/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone AAAA record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the AAAA record. | +| [`name`](#parameter-name) | string | The name of the AAAA record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`aaaaRecords`](#parameter-aaaarecords) | array | The list of AAAA records in the record set. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `aaaaRecords` + +The list of AAAA records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the AAAA record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed AAAA record. | | `resourceGroupName` | string | The resource group of the deployed AAAA record. | diff --git a/modules/network/private-dns-zone/aaaa/main.json b/modules/network/private-dns-zone/aaaa/main.json index 506b619a23..5d0169ad3e 100644 --- a/modules/network/private-dns-zone/aaaa/main.json +++ b/modules/network/private-dns-zone/aaaa/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2479547994885250676" + "version": "0.22.6.54827", + "templateHash": "17200265918515224034" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8284082844313029952" + "version": "0.22.6.54827", + "templateHash": "370590810970469037" } }, "parameters": { diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md index 274c08ff98..258427ccc4 100644 --- a/modules/network/private-dns-zone/cname/README.md +++ b/modules/network/private-dns-zone/cname/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone CNAME record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the CNAME record. | +| [`name`](#parameter-name) | string | The name of the CNAME record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cnameRecord` | object | `{object}` | A CNAME record. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cnameRecord`](#parameter-cnamerecord) | object | A CNAME record. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `cnameRecord` + +A CNAME record. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the CNAME record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed CNAME record. 
| | `resourceGroupName` | string | The resource group of the deployed CNAME record. | diff --git a/modules/network/private-dns-zone/cname/main.json b/modules/network/private-dns-zone/cname/main.json index ac82b9556b..a5b1b40592 100644 --- a/modules/network/private-dns-zone/cname/main.json +++ b/modules/network/private-dns-zone/cname/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3131685819107198557" + "version": "0.22.6.54827", + "templateHash": "1218346372201244802" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14977392232463085529" + "version": "0.22.6.54827", + "templateHash": "3701509590842402185" } }, "parameters": { diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json index 67a605e5c0..575b535727 100644 --- a/modules/network/private-dns-zone/main.json +++ b/modules/network/private-dns-zone/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13683700730440109473" + "version": "0.22.6.54827", + "templateHash": "7094231343264488816" }, "name": "Private DNS Zones", "description": "This module deploys a Private DNS zone.", @@ -195,8 +195,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3023625235674916080" + "version": "0.22.6.54827", + "templateHash": "3286674755199812485" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", @@ -310,8 +310,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3091185834162670777" + "version": "0.22.6.54827", + "templateHash": "13885309482367640092" } }, "parameters": { 
@@ -517,8 +517,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9619664849560898729" + "version": "0.22.6.54827", + "templateHash": "17200265918515224034" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", @@ -632,8 +632,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16612032211561905990" + "version": "0.22.6.54827", + "templateHash": "370590810970469037" } }, "parameters": { @@ -839,8 +839,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18350416636780213220" + "version": "0.22.6.54827", + "templateHash": "1218346372201244802" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", @@ -954,8 +954,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12449188823441255969" + "version": "0.22.6.54827", + "templateHash": "3701509590842402185" } }, "parameters": { @@ -1167,8 +1167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5407325770336305290" + "version": "0.22.6.54827", + "templateHash": "498719698216860438" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", @@ -1282,8 +1282,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5166139968688256157" + "version": "0.22.6.54827", + "templateHash": "3875667684091614842" } }, "parameters": { @@ -1489,8 +1489,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7429124351513910459" + "version": "0.22.6.54827", + "templateHash": "15278019758073479253" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", 
@@ -1604,8 +1604,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9774124555582341628" + "version": "0.22.6.54827", + "templateHash": "1115653551360161833" } }, "parameters": { @@ -1811,8 +1811,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6237133824894088471" + "version": "0.22.6.54827", + "templateHash": "2312801328936888366" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", @@ -1926,8 +1926,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13019341765980531210" + "version": "0.22.6.54827", + "templateHash": "7407904296801266090" } }, "parameters": { @@ -2133,8 +2133,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8022373880556162081" + "version": "0.22.6.54827", + "templateHash": "5952665052269893806" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", @@ -2248,8 +2248,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18406157225832506146" + "version": "0.22.6.54827", + "templateHash": "7603100820795358011" } }, "parameters": { @@ -2455,8 +2455,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9882979825935476673" + "version": "0.22.6.54827", + "templateHash": "1124215030878784014" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", @@ -2570,8 +2570,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3370209117297708556" + "version": "0.22.6.54827", + "templateHash": "16791864516622438253" } }, "parameters": { 
@@ -2777,8 +2777,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2352064432983921161" + "version": "0.22.6.54827", + "templateHash": "12342244725180262876" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", @@ -2932,8 +2932,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13504974986686820957" + "version": "0.22.6.54827", + "templateHash": "2044377995221762227" } }, "parameters": { diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md index 2e235dc3a0..66a893a225 100644 --- a/modules/network/private-dns-zone/mx/README.md +++ b/modules/network/private-dns-zone/mx/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone MX record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the MX record. | +| [`name`](#parameter-name) | string | The name of the MX record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `mxRecords` | array | `[]` | The list of MX records in the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`mxRecords`](#parameter-mxrecords) | array | The list of MX records in the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `mxRecords` + +The list of MX records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the MX record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed MX record. | | `resourceGroupName` | string | The resource group of the deployed MX record. | diff --git a/modules/network/private-dns-zone/mx/main.json b/modules/network/private-dns-zone/mx/main.json index 418f721f60..1e0f858136 100644 --- a/modules/network/private-dns-zone/mx/main.json +++ b/modules/network/private-dns-zone/mx/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6965287962374254577" + "version": "0.22.6.54827", + "templateHash": "498719698216860438" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11594799085721281275" + "version": "0.22.6.54827", + "templateHash": "3875667684091614842" } }, "parameters": { diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md index 1af2199b1e..f680fea464 100644 --- a/modules/network/private-dns-zone/ptr/README.md +++ b/modules/network/private-dns-zone/ptr/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone PTR record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the PTR record. | +| [`name`](#parameter-name) | string | The name of the PTR record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `ptrRecords` | array | `[]` | The list of PTR records in the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`ptrRecords`](#parameter-ptrrecords) | array | The list of PTR records in the record set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the PTR record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `ptrRecords` + +The list of PTR records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed PTR record. | | `resourceGroupName` | string | The resource group of the deployed PTR record. | diff --git a/modules/network/private-dns-zone/ptr/main.json b/modules/network/private-dns-zone/ptr/main.json index 06a5084efd..fd96b1c0b3 100644 --- a/modules/network/private-dns-zone/ptr/main.json +++ b/modules/network/private-dns-zone/ptr/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13259276818307387958" + "version": "0.22.6.54827", + "templateHash": "15278019758073479253" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11481493487541604106" + "version": "0.22.6.54827", + "templateHash": "1115653551360161833" } }, "parameters": { diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md index d67c893c38..67fd6e00e6 100644 --- a/modules/network/private-dns-zone/soa/README.md +++ b/modules/network/private-dns-zone/soa/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone SOA record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the SOA record. | +| [`name`](#parameter-name) | string | The name of the SOA record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `soaRecord` | object | `{object}` | A SOA record. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`soaRecord`](#parameter-soarecord) | object | A SOA record. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the SOA record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `soaRecord` + +A SOA record. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed SOA record. | | `resourceGroupName` | string | The resource group of the deployed SOA record. | diff --git a/modules/network/private-dns-zone/soa/main.json b/modules/network/private-dns-zone/soa/main.json index e3427de316..0cb2fbaa4c 100644 --- a/modules/network/private-dns-zone/soa/main.json +++ b/modules/network/private-dns-zone/soa/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1534736495493771844" + "version": "0.22.6.54827", + "templateHash": "2312801328936888366" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13036989829941135965" + "version": "0.22.6.54827", + "templateHash": "7407904296801266090" } }, "parameters": { diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md index fbddcefda1..9fddfb9099 100644 --- a/modules/network/private-dns-zone/srv/README.md +++ b/modules/network/private-dns-zone/srv/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone SRV record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the SRV record. | +| [`name`](#parameter-name) | string | The name of the SRV record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `srvRecords` | array | `[]` | The list of SRV records in the record set. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the SRV record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `srvRecords` + +The list of SRV records in the record set. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. 
+- Required: No +- Type: int +- Default: `3600` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed SRV record. | | `resourceGroupName` | string | The resource group of the deployed SRV record. | diff --git a/modules/network/private-dns-zone/srv/main.json b/modules/network/private-dns-zone/srv/main.json index f52d859ff7..0380f2b5a4 100644 --- a/modules/network/private-dns-zone/srv/main.json +++ b/modules/network/private-dns-zone/srv/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6444239705368252849" + "version": "0.22.6.54827", + "templateHash": "5952665052269893806" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17805809595422297514" + "version": "0.22.6.54827", + "templateHash": "7603100820795358011" } }, "parameters": { diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 62fe57a009..10472d8fbd 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md 
@@ -20,30 +20,77 @@ This module deploys a Private DNS Zone TXT record. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the TXT record. | +| [`name`](#parameter-name) | string | The name of the TXT record. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `metadata` | object | `{object}` | The metadata attached to the record set. | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | -| `txtRecords` | array | `[]` | The list of TXT records in the record set. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`metadata`](#parameter-metadata) | object | The metadata attached to the record set. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +| [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +The metadata attached to the record set. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the TXT record. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ttl` + +The TTL (time-to-live) of the records in the record set. +- Required: No +- Type: int +- Default: `3600` + +### Parameter: `txtRecords` + +The list of TXT records in the record set. 
+- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed TXT record. | | `resourceGroupName` | string | The resource group of the deployed TXT record. | diff --git a/modules/network/private-dns-zone/txt/main.json b/modules/network/private-dns-zone/txt/main.json index 9bc41b0ee0..49da878984 100644 --- a/modules/network/private-dns-zone/txt/main.json +++ b/modules/network/private-dns-zone/txt/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11503781556355030458" + "version": "0.22.6.54827", + "templateHash": "1124215030878784014" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", @@ -119,8 +119,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9559644743323745935" + "version": "0.22.6.54827", + "templateHash": "16791864516622438253" } }, "parameters": { diff --git a/modules/network/private-dns-zone/virtual-network-link/README.md b/modules/network/private-dns-zone/virtual-network-link/README.md index 44f61227f6..b745342815 100644 --- a/modules/network/private-dns-zone/virtual-network-link/README.md +++ b/modules/network/private-dns-zone/virtual-network-link/README.md 
@@ -19,30 +19,77 @@ This module deploys a Private DNS Zone Virtual Network Link. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualNetworkResourceId` | string | Link to another virtual network resource ID. | +| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Link to another virtual network resource ID. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDnsZoneName` | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | +| [`privateDnsZoneName`](#parameter-privatednszonename) | string | The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `'global'` | The location of the PrivateDNSZone. Should be global. | -| `name` | string | `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` | The name of the virtual network link. | -| `registrationEnabled` | bool | `False` | Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. | -| `tags` | object | `{object}` | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | +| [`name`](#parameter-name) | string | The name of the virtual network link. 
| +| [`registrationEnabled`](#parameter-registrationenabled) | bool | Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the PrivateDNSZone. Should be global. +- Required: No +- Type: string +- Default: `'global'` + +### Parameter: `name` + +The name of the virtual network link. +- Required: No +- Type: string +- Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `registrationEnabled` + +Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkResourceId` + +Link to another virtual network resource ID. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the deployed virtual network link. | diff --git a/modules/network/private-dns-zone/virtual-network-link/main.json b/modules/network/private-dns-zone/virtual-network-link/main.json index 7d0bc4e594..51d922b079 100644 --- a/modules/network/private-dns-zone/virtual-network-link/main.json +++ b/modules/network/private-dns-zone/virtual-network-link/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8504562326898440676" + "version": "0.22.6.54827", + "templateHash": "12342244725180262876" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/.test/common/main.test.bicep index 548ffb6f74..856807277f 100644 --- a/modules/network/private-endpoint/.test/common/main.test.bicep +++ b/modules/network/private-endpoint/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-endpoint/.test/min/main.test.bicep b/modules/network/private-endpoint/.test/min/main.test.bicep index f858091d54..6d5c80f1b3 100644 --- a/modules/network/private-endpoint/.test/min/main.test.bicep +++ b/modules/network/private-endpoint/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 86ea2dc1c5..241b1e441a 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md 
@@ -4,13 +4,13 @@ This module deploys a Private Endpoint. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,62 +19,28 @@ This module deploys a Private Endpoint. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `groupIds` | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. | -| `name` | string | Name of the private endpoint resource to create. | -| `serviceResourceId` | string | Resource ID of the resource that needs to be connected to the network. | -| `subnetResourceId` | string | Resource ID of the subnet where the endpoint needs to be created. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-endpoint:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `applicationSecurityGroups` | array | `[]` | | Application security groups in which the private endpoint IP configuration is included. | -| `customDnsConfigs` | array | `[]` | | Custom DNS configurations. | -| `customNetworkInterfaceName` | string | `''` | | The custom name of the network interface attached to the private endpoint. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `ipConfigurations` | array | `[]` | | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `manualPrivateLinkServiceConnections` | array | `[]` | | Manual PrivateLink Service Connections. | -| `privateDnsZoneGroup` | _[privateDnsZoneGroup](private-dns-zone-group/README.md)_ object | `{object}` | | The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private endpoint. | -| `resourceGroupName` | string | The resource group the private endpoint was deployed into. | -| `resourceId` | string | The resource ID of the private endpoint. 
| - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module privateEndpoint './network/private-endpoint/main.bicep' = { +module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npecom' params: { // Required parameters @@ -214,14 +180,17 @@ module privateEndpoint './network/private-endpoint/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module privateEndpoint './network/private-endpoint/main.bicep' = { +module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npemin' params: { // Required parameters @@ -274,3 +243,147 @@ module privateEndpoint './network/private-endpoint/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`groupIds`](#parameter-groupids) | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. | +| [`name`](#parameter-name) | string | Name of the private endpoint resource to create. | +| [`serviceResourceId`](#parameter-serviceresourceid) | string | Resource ID of the resource that needs to be connected to the network. | +| [`subnetResourceId`](#parameter-subnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroups`](#parameter-applicationsecuritygroups) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-customdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-customnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ipConfigurations`](#parameter-ipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-manualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`privateDnsZoneGroup`](#parameter-privatednszonegroup) | object | The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `applicationSecurityGroups` + +Application security groups in which the private endpoint IP configuration is included. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `customDnsConfigs` + +Custom DNS configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `customNetworkInterfaceName` + +The custom name of the network interface attached to the private endpoint. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `groupIds` + +Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. +- Required: Yes +- Type: array + +### Parameter: `ipConfigurations` + +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `manualPrivateLinkServiceConnections` + +Manual PrivateLink Service Connections. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +Name of the private endpoint resource to create. +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneGroup` + +The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceResourceId` + +Resource ID of the resource that needs to be connected to the network. +- Required: Yes +- Type: string + +### Parameter: `subnetResourceId` + +Resource ID of the subnet where the endpoint needs to be created. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags to be applied on all resources/resource groups in this deployment. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the private endpoint. | +| `resourceGroupName` | string | The resource group the private endpoint was deployed into. | +| `resourceId` | string | The resource ID of the private endpoint. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index ec5e636ac3..afc81174b1 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -204,8 +204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -342,8 +342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/network/private-endpoint/private-dns-zone-group/README.md b/modules/network/private-endpoint/private-dns-zone-group/README.md index e1d46b8986..2aebf21298 100644 --- a/modules/network/private-endpoint/private-dns-zone-group/README.md +++ b/modules/network/private-endpoint/private-dns-zone-group/README.md 
@@ -19,27 +19,53 @@ This module deploys a Private Endpoint Private DNS Zone Group. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateDNSResourceIds` | array | Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. | +| [`privateDNSResourceIds`](#parameter-privatednsresourceids) | array | Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `privateEndpointName` | string | The name of the parent private endpoint. Required if the template is used in a standalone deployment. | +| [`privateEndpointName`](#parameter-privateendpointname) | string | The name of the parent private endpoint. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'default'` | The name of the private DNS zone group. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the private DNS zone group. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the private DNS zone group. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `privateDNSResourceIds` + +Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. 
+- Required: Yes +- Type: array + +### Parameter: `privateEndpointName` + +The name of the parent private endpoint. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the private endpoint DNS zone group. | | `resourceGroupName` | string | The resource group the private endpoint DNS zone group was deployed into. | diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.json b/modules/network/private-endpoint/private-dns-zone-group/main.json index 93baa64a6d..a631f45296 100644 --- a/modules/network/private-endpoint/private-dns-zone-group/main.json +++ b/modules/network/private-endpoint/private-dns-zone-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/network/private-link-service/.test/common/main.test.bicep b/modules/network/private-link-service/.test/common/main.test.bicep index 76599c870e..2566dda08b 100644 --- a/modules/network/private-link-service/.test/common/main.test.bicep +++ b/modules/network/private-link-service/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-link-service/.test/min/main.test.bicep b/modules/network/private-link-service/.test/min/main.test.bicep index 7e1e9580f8..d56543c89b 100644 --- a/modules/network/private-link-service/.test/min/main.test.bicep 
+++ b/modules/network/private-link-service/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 779847dd62..a1182c3ce1 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -4,14 +4,14 @@ This module deploys a Private Link Service. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,60 +19,28 @@ This module deploys a Private Link Service. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/privateLinkServices` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/privateLinkServices) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the private link service to create. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `autoApproval` | object | `{object}` | | The auto-approval list of the private link service. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableProxyProtocol` | bool | `False` | | Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. | -| `extendedLocation` | object | `{object}` | | The extended location of the load balancer. | -| `fqdns` | array | `[]` | | The list of Fqdn. | -| `ipConfigurations` | array | `[]` | | An array of private link service IP configurations. | -| `loadBalancerFrontendIpConfigurations` | array | `[]` | | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. 
| -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | -| `visibility` | object | `{object}` | | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | - +## Usage examples -## Outputs +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the private link service. | -| `resourceGroupName` | string | The resource group the private link service was deployed into. | -| `resourceId` | string | The resource ID of the private link service. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-link-service:1.0.0`. 
-## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module privateLinkService './network/private-link-service/main.bicep' = { +module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nplscom' params: { // Required parameters @@ -220,14 +188,17 @@ module privateLinkService './network/private-link-service/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module privateLinkService './network/private-link-service/main.bicep' = { +module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nplsmin' params: { // Required parameters @@ -300,6 +271,136 @@ module privateLinkService './network/private-link-service/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the private link service to create. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoApproval`](#parameter-autoapproval) | object | The auto-approval list of the private link service. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableProxyProtocol`](#parameter-enableproxyprotocol) | bool | Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. | +| [`extendedLocation`](#parameter-extendedlocation) | object | The extended location of the load balancer. | +| [`fqdns`](#parameter-fqdns) | array | The list of Fqdn. | +| [`ipConfigurations`](#parameter-ipconfigurations) | array | An array of private link service IP configurations. | +| [`loadBalancerFrontendIpConfigurations`](#parameter-loadbalancerfrontendipconfigurations) | array | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | +| [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | + +### Parameter: `autoApproval` + +The auto-approval list of the private link service. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableProxyProtocol` + +Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `extendedLocation` + +The extended location of the load balancer. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `fqdns` + +The list of Fqdn. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipConfigurations` + +An array of private link service IP configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `loadBalancerFrontendIpConfigurations` + +An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. 
You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the private link service to create. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags to be applied on all resources/resource groups in this deployment. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `visibility` + +Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the private link service. | +| `resourceGroupName` | string | The resource group the private link service was deployed into. 
| +| `resourceId` | string | The resource ID of the private link service. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `ipConfigurations` diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep index abe179fbf3..73fe5bb4a5 100644 --- a/modules/network/public-ip-address/.test/common/main.test.bicep +++ b/modules/network/public-ip-address/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/public-ip-address/.test/min/main.test.bicep b/modules/network/public-ip-address/.test/min/main.test.bicep index dbcf0b97fc..e0f4f0d87d 100644 --- a/modules/network/public-ip-address/.test/min/main.test.bicep +++ b/modules/network/public-ip-address/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index f9fbb64201..d66c035af4 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -4,13 +4,13 @@ This module deploys a Public IP Address. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,71 +19,28 @@ This module deploys a Public IP Address. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Public IP Address. | +## Usage examples -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `domainNameLabel` | string | `''` | | The domain name label. 
The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. | -| `domainNameLabelScope` | string | `''` | `['', NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]` | The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `fqdn` | string | `''` | | The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicIPAddressVersion` | string | `'IPv4'` | `[IPv4, IPv6]` | IP address version. | -| `publicIPAllocationMethod` | string | `'Static'` | `[Dynamic, Static]` | The public IP address allocation method. | -| `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | -| `reverseFqdn` | string | `''` | | The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuName` | string | `'Standard'` | `[Basic, Standard]` | Name of a public IP address SKU. | -| `skuTier` | string | `'Regional'` | `[Global, Regional]` | Tier of a public IP address SKU. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `zones` | array | `[]` | | A list of availability zones denoting the IP allocated for the resource needs to come from. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `ipAddress` | string | The public IP address of the public IP address resource. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the public IP address. | -| `resourceGroupName` | string | The resource group the public IP address was deployed into. | -| `resourceId` | string | The resource ID of the public IP address. | - -## Cross-referenced modules - -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-address:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module publicIpAddress './network/public-ip-address/main.bicep' = { +module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npiacom' params: { // Required parameters @@ -193,14 +150,17 @@ module publicIpAddress './network/public-ip-address/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module publicIpAddress './network/public-ip-address/main.bicep' = { +module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npiamin' params: { // Required parameters @@ -237,3 +197,222 @@ module publicIpAddress './network/public-ip-address/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Public IP Address. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`domainNameLabel`](#parameter-domainnamelabel) | string | The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. | +| [`domainNameLabelScope`](#parameter-domainnamelabelscope) | string | The domain name label scope. 
If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`fqdn`](#parameter-fqdn) | string | The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicIPAddressVersion`](#parameter-publicipaddressversion) | string | IP address version. | +| [`publicIPAllocationMethod`](#parameter-publicipallocationmethod) | string | The public IP address allocation method. | +| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| [`reverseFqdn`](#parameter-reversefqdn) | string | The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | Name of a public IP address SKU. 
| +| [`skuTier`](#parameter-skutier) | string | Tier of a public IP address SKU. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`zones`](#parameter-zones) | array | A list of availability zones denoting the IP allocated for the resource needs to come from. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainNameLabel` + +The domain name label. 
The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `domainNameLabelScope` + +The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `fqdn` + +The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Public IP Address. +- Required: Yes +- Type: string + +### Parameter: `publicIPAddressVersion` + +IP address version. +- Required: No +- Type: string +- Default: `'IPv4'` +- Allowed: `[IPv4, IPv6]` + +### Parameter: `publicIPAllocationMethod` + +The public IP address allocation method. +- Required: No +- Type: string +- Default: `'Static'` +- Allowed: `[Dynamic, Static]` + +### Parameter: `publicIPPrefixResourceId` + +Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `reverseFqdn` + +The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +Name of a public IP address SKU. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Basic, Standard]` + +### Parameter: `skuTier` + +Tier of a public IP address SKU. +- Required: No +- Type: string +- Default: `'Regional'` +- Allowed: `[Global, Regional]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zones` + +A list of availability zones denoting the IP allocated for the resource needs to come from. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `ipAddress` | string | The public IP address of the public IP address resource. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the public IP address. | +| `resourceGroupName` | string | The resource group the public IP address was deployed into. | +| `resourceId` | string | The resource ID of the public IP address. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json
index 8bdcd4365b..583eea8a97 100644
--- a/modules/network/public-ip-address/main.json
+++ b/modules/network/public-ip-address/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1887898957722092173"
+ "version": "0.22.6.54827",
+ "templateHash": "4317747709004918530"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
@@ -338,8 +338,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7328126239184883887"
+ "version": "0.22.6.54827",
+ "templateHash": "9976109177347918049"
 }
 },
 "parameters": {
diff --git a/modules/network/public-ip-prefix/.test/common/main.test.bicep b/modules/network/public-ip-prefix/.test/common/main.test.bicep
index edaa6063a0..4c96332650 100644
--- a/modules/network/public-ip-prefix/.test/common/main.test.bicep
+++ b/modules/network/public-ip-prefix/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/public-ip-prefix/.test/min/main.test.bicep b/modules/network/public-ip-prefix/.test/min/main.test.bicep
index 4c9350f358..8115e852ed 100644
--- a/modules/network/public-ip-prefix/.test/min/main.test.bicep
+++ b/modules/network/public-ip-prefix/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md
index 4c46286757..b10bc8730b 100644
--- a/modules/network/public-ip-prefix/README.md
+++ b/modules/network/public-ip-prefix/README.md
@@ -4,13 +4,13 @@ This module deploys a Public IP Prefix.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -18,55 +18,28 @@ This module deploys a Public IP Prefix. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/publicIPPrefixes` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPPrefixes) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Public IP Prefix. | -| `prefixLength` | int | Length of the Public IP Prefix. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `customIPPrefix` | object | `{object}` | | The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. 
| +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the public IP prefix. | -| `resourceGroupName` | string | The resource group the public IP prefix was deployed into. | -| `resourceId` | string | The resource ID of the public IP prefix. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-prefix:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module publicIpPrefix './network/public-ip-prefix/main.bicep' = { +module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npipcom' params: { // Required parameters @@ -144,14 +117,17 @@ module publicIpPrefix './network/public-ip-prefix/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module publicIpPrefix './network/public-ip-prefix/main.bicep' = { +module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-npipmin' params: { // Required parameters @@ -192,3 +168,93 @@ module publicIpPrefix './network/public-ip-prefix/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Public IP Prefix. | +| [`prefixLength`](#parameter-prefixlength) | int | Length of the Public IP Prefix. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customIPPrefix`](#parameter-customipprefix) | object | The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `customIPPrefix` + +The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. 
Either as a subset of the custom IP prefix range or the entire range. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Public IP Prefix. +- Required: Yes +- Type: string + +### Parameter: `prefixLength` + +Length of the Public IP Prefix. +- Required: Yes +- Type: int + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the public IP prefix. | +| `resourceGroupName` | string | The resource group the public IP prefix was deployed into. | +| `resourceId` | string | The resource ID of the public IP prefix. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index 6c4991917a..be4b9e2e6f 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8483631788691370434" + "version": "0.22.6.54827", + "templateHash": "823818284337127737" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -153,8 +153,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12600348536826609497" + "version": "0.22.6.54827", + "templateHash": "11602921617847310411" } }, "parameters": { diff --git a/modules/network/route-table/.test/common/main.test.bicep b/modules/network/route-table/.test/common/main.test.bicep index 4fafb95fe9..760b5c2741 100644 --- a/modules/network/route-table/.test/common/main.test.bicep +++ b/modules/network/route-table/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/route-table/.test/min/main.test.bicep b/modules/network/route-table/.test/min/main.test.bicep index 1171694e3e..1515b9a8fb 100644 --- a/modules/network/route-table/.test/min/main.test.bicep +++ b/modules/network/route-table/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index cc9d1fc7b2..ce2ec44629 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md 
@@ -4,13 +4,13 @@ This module deploys a User Defined Route Table (UDR). ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,55 +18,28 @@ This module deploys a User Defined Route Table (UDR). | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/routeTables` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/routeTables) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name given for the hub route table. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `disableBgpRoutePropagation` | bool | `False` | | Switch to disable BGP route propagation. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `routes` | array | `[]` | | An Array of Routes to be established within the hub route table. | -| `tags` | object | `{object}` | | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. 
-## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the route table. | -| `resourceGroupName` | string | The resource group the route table was deployed into. | -| `resourceId` | string | The resource ID of the route table. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.route-table:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module routeTable './network/route-table/main.bicep' = { +module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nrtcom' params: { // Required parameters @@ -162,14 +135,17 @@ module routeTable './network/route-table/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module routeTable './network/route-table/main.bicep' = { +module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nrtmin' params: { // Required parameters @@ -206,3 +182,94 @@ module routeTable './network/route-table/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name given for the hub route table. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`disableBgpRoutePropagation`](#parameter-disablebgproutepropagation) | bool | Switch to disable BGP route propagation. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`routes`](#parameter-routes) | array | An Array of Routes to be established within the hub route table. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `disableBgpRoutePropagation` + +Switch to disable BGP route propagation. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name given for the hub route table. 
+- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `routes` + +An Array of Routes to be established within the hub route table. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the route table. | +| `resourceGroupName` | string | The resource group the route table was deployed into. | +| `resourceId` | string | The resource ID of the route table. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json index 88ee39b935..af2f4acac1 100644 --- a/modules/network/route-table/main.json +++ b/modules/network/route-table/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16901020059432572250" + "version": "0.22.6.54827", + "templateHash": "14175124869769293837" }, "name": "Route Tables", "description": "This module deploys a User Defined Route Table (UDR).", @@ -147,8 +147,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15918129007023123856" + "version": "0.22.6.54827", + "templateHash": "5854028200493831551" } }, "parameters": { 
diff --git a/modules/network/service-endpoint-policy/.test/common/main.test.bicep b/modules/network/service-endpoint-policy/.test/common/main.test.bicep index a558092313..ef6675cda3 100644 --- a/modules/network/service-endpoint-policy/.test/common/main.test.bicep +++ b/modules/network/service-endpoint-policy/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/service-endpoint-policy/.test/min/main.test.bicep b/modules/network/service-endpoint-policy/.test/min/main.test.bicep index 24e0f500a5..7ac8d7747a 100644 --- a/modules/network/service-endpoint-policy/.test/min/main.test.bicep +++ b/modules/network/service-endpoint-policy/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index 38a9157321..f58b19c384 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -5,10 +5,10 @@ This module deploys a Service Endpoint Policy. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -18,56 +18,28 @@ This module deploys a Service Endpoint Policy. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/serviceEndpointPolicies` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/serviceEndpointPolicies) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The Service Endpoint Policy name. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `contextualServiceEndpointPolicies` | array | `[]` | | An Array of contextual service endpoint policy. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serviceAlias` | string | `''` | | The alias indicating if the policy belongs to a service. | -| `serviceEndpointPolicyDefinitions` | array | `[]` | | An Array of service endpoint policy definitions. | -| `tags` | object | `{object}` | | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Service Endpoint Policy. | -| `resourceGroupName` | string | The resource group the Service Endpoint Policy was deployed into. | -| `resourceId` | string | The resource ID of the Service Endpoint Policy. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.service-endpoint-policy:1.0.0`. -## Cross-referenced modules +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -_None_ +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module serviceEndpointPolicy './network/service-endpoint-policy/main.bicep' = { +module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nsnpcom' params: { // Required parameters @@ -169,14 +141,17 @@ module serviceEndpointPolicy './network/service-endpoint-policy/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module serviceEndpointPolicy './network/service-endpoint-policy/main.bicep' = { +module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nsnpmin' params: { // Required parameters @@ -213,3 +188,102 @@ module serviceEndpointPolicy './network/service-endpoint-policy/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The Service Endpoint Policy name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`contextualServiceEndpointPolicies`](#parameter-contextualserviceendpointpolicies) | array | An Array of contextual service endpoint policy. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serviceAlias`](#parameter-servicealias) | string | The alias indicating if the policy belongs to a service. | +| [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `contextualServiceEndpointPolicies` + +An Array of contextual service endpoint policy. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The Service Endpoint Policy name. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceAlias` + +The alias indicating if the policy belongs to a service. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serviceEndpointPolicyDefinitions` + +An Array of service endpoint policy definitions. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Service Endpoint Policy. | +| `resourceGroupName` | string | The resource group the Service Endpoint Policy was deployed into. | +| `resourceId` | string | The resource ID of the Service Endpoint Policy. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index 46c01805d0..da6271e05c 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7581628455026938381" + "version": "0.22.6.54827", + "templateHash": "702238259297546605" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", @@ -155,8 +155,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15055971962075100955" + "version": "0.22.6.54827", + "templateHash": "1377119003389114371" } }, "parameters": { diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep index 7111fdb6dd..14ba90e0c3 100644 --- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep b/modules/network/trafficmanagerprofile/.test/min/main.test.bicep index d34573ba6c..b0100513d4 100644 --- a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep +++ b/modules/network/trafficmanagerprofile/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index d9db9a5dbe..614ac693bf 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -4,14 +4,14 @@ This module deploys a Traffic Manager Profile. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,66 +20,28 @@ This module deploys a Traffic Manager Profile. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/trafficmanagerprofiles` | [2018-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2018-08-01/trafficmanagerprofiles) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Traffic Manager. | -| `relativeName` | string | The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ProbeHealthStatusEvents]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
| -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `endpoints` | array | `[]` | | The list of endpoints in the Traffic Manager profile. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxReturn` | int | `1` | | Maximum number of endpoints to be returned for MultiValue routing type. | -| `monitorConfig` | object | `{object}` | | The endpoint monitoring settings of the Traffic Manager profile. | -| `profileStatus` | string | `'Enabled'` | `[Disabled, Enabled]` | The status of the Traffic Manager profile. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Resource tags. | -| `trafficRoutingMethod` | string | `'Performance'` | `[Geographic, MultiValue, Performance, Priority, Subnet, Weighted]` | The traffic routing method of the Traffic Manager profile. | -| `trafficViewEnrollmentStatus` | string | `'Disabled'` | `[Disabled, Enabled]` | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | -| `ttl` | int | `60` | | The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. 
| - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the traffic manager was deployed into. | -| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | -| `resourceId` | string | The resource ID of the traffic manager. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.trafficmanagerprofile:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { +module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ntmpcom' params: { // Required parameters @@ -173,14 +135,17 @@ module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = { +module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ntmpmin' params: { // Required parameters @@ -223,6 +188,195 @@ module trafficmanagerprofile './network/trafficmanagerprofile/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Traffic Manager. | +| [`relativeName`](#parameter-relativename) | string | The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`endpoints`](#parameter-endpoints) | array | The list of endpoints in the Traffic Manager profile. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxReturn`](#parameter-maxreturn) | int | Maximum number of endpoints to be returned for MultiValue routing type. | +| [`monitorConfig`](#parameter-monitorconfig) | object | The endpoint monitoring settings of the Traffic Manager profile. | +| [`profileStatus`](#parameter-profilestatus) | string | The status of the Traffic Manager profile. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Resource tags. | +| [`trafficRoutingMethod`](#parameter-trafficroutingmethod) | string | The traffic routing method of the Traffic Manager profile. | +| [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | +| [`ttl`](#parameter-ttl) | int | The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, ProbeHealthStatusEvents]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `endpoints`
+
+The list of endpoints in the Traffic Manager profile.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `maxReturn`
+
+Maximum number of endpoints to be returned for MultiValue routing type.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `monitorConfig`
+
+The endpoint monitoring settings of the Traffic Manager profile.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `name`
+
+Name of the Traffic Manager.
+- Required: Yes
+- Type: string
+
+### Parameter: `profileStatus`
+
+The status of the Traffic Manager profile.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `relativeName`
+
+The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile.
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Resource tags.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `trafficRoutingMethod`
+
+The traffic routing method of the Traffic Manager profile.
+- Required: No
+- Type: string
+- Default: `'Performance'`
+- Allowed: `[Geographic, MultiValue, Performance, Priority, Subnet, Weighted]`
+
+### Parameter: `trafficViewEnrollmentStatus`
+
+Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `ttl`
+
+The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile.
+- Required: No +- Type: int +- Default: `60` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the traffic manager was deployed into. | +| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | +| `resourceId` | string | The resource ID of the traffic manager. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `monitorConfig` diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 742c68c8e9..2d333fa853 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10487954711345174328" + "version": "0.22.6.54827", + "templateHash": "10820097547945525322" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", @@ -311,8 +311,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8641211741680217957" + "version": "0.22.6.54827", + "templateHash": "5157762725404408248" } }, "parameters": { diff --git a/modules/network/virtual-hub/.test/common/main.test.bicep b/modules/network/virtual-hub/.test/common/main.test.bicep index b4901c097a..f6186c40cf 100644 --- a/modules/network/virtual-hub/.test/common/main.test.bicep +++ b/modules/network/virtual-hub/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/virtual-hub/.test/min/main.test.bicep b/modules/network/virtual-hub/.test/min/main.test.bicep index b198a5b312..56a53cb235 100644 --- a/modules/network/virtual-hub/.test/min/main.test.bicep 
+++ b/modules/network/virtual-hub/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index d40c79d5e8..be143b75c0 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -6,10 +6,10 @@ If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integ ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,68 +20,28 @@ If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integ | `Microsoft.Network/virtualHubs/hubRouteTables` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubRouteTables) | | `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/virtualHubs/hubVirtualNetworkConnections) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `addressPrefix` | string | Address-prefix for this VirtualHub. | -| `name` | string | The virtual hub name. | -| `virtualWanId` | string | Resource ID of the virtual WAN to link to. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowBranchToBranchTraffic` | bool | `True` | | Flag to control transit for VirtualRouter hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `expressRouteGatewayId` | string | `''` | | Resource ID of the Express Route Gateway to link to. | -| `hubRouteTables` | array | `[]` | | Route tables to create for the virtual hub. | -| `hubVirtualNetworkConnections` | array | `[]` | | Virtual network connections to create for the virtual hub. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `p2SVpnGatewayId` | string | `''` | | Resource ID of the Point-to-Site VPN Gateway to link to. | -| `preferredRoutingGateway` | string | `''` | `['', ExpressRoute, None, VpnGateway]` | The preferred routing gateway types. | -| `routeTableRoutes` | array | `[]` | | VirtualHub route tables. | -| `securityPartnerProviderId` | string | `''` | | ID of the Security Partner Provider to link to. 
| -| `securityProviderName` | string | `''` | | The Security Provider name. | -| `sku` | string | `'Standard'` | `[Basic, Standard]` | The sku of this VirtualHub. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `virtualHubRouteTableV2s` | array | `[]` | | List of all virtual hub route table v2s associated with this VirtualHub. | -| `virtualRouterAsn` | int | `-1` | | VirtualRouter ASN. | -| `virtualRouterIps` | array | `[]` | | VirtualRouter IPs. | -| `vpnGatewayId` | string | `''` | | Resource ID of the VPN Gateway to link to. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual hub. | -| `resourceGroupName` | string | The resource group the virtual hub was deployed into. | -| `resourceId` | string | The resource ID of the virtual hub. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-hub:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module virtualHub './network/virtual-hub/main.bicep' = { +module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvhcom' params: { // Required parameters @@ -199,14 +159,17 @@ module virtualHub './network/virtual-hub/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module virtualHub './network/virtual-hub/main.bicep' = { +module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvhmin' params: { // Required parameters @@ -251,3 +214,198 @@ module virtualHub './network/virtual-hub/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefix`](#parameter-addressprefix) | string | Address-prefix for this VirtualHub. | +| [`name`](#parameter-name) | string | The virtual hub name. | +| [`virtualWanId`](#parameter-virtualwanid) | string | Resource ID of the virtual WAN to link to. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowBranchToBranchTraffic`](#parameter-allowbranchtobranchtraffic) | bool | Flag to control transit for VirtualRouter hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`expressRouteGatewayId`](#parameter-expressroutegatewayid) | string | Resource ID of the Express Route Gateway to link to. | +| [`hubRouteTables`](#parameter-hubroutetables) | array | Route tables to create for the virtual hub. | +| [`hubVirtualNetworkConnections`](#parameter-hubvirtualnetworkconnections) | array | Virtual network connections to create for the virtual hub. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`p2SVpnGatewayId`](#parameter-p2svpngatewayid) | string | Resource ID of the Point-to-Site VPN Gateway to link to. | +| [`preferredRoutingGateway`](#parameter-preferredroutinggateway) | string | The preferred routing gateway types. | +| [`routeTableRoutes`](#parameter-routetableroutes) | array | VirtualHub route tables. | +| [`securityPartnerProviderId`](#parameter-securitypartnerproviderid) | string | ID of the Security Partner Provider to link to. | +| [`securityProviderName`](#parameter-securityprovidername) | string | The Security Provider name. | +| [`sku`](#parameter-sku) | string | The sku of this VirtualHub. | +| [`tags`](#parameter-tags) | object | Tags of the resource. 
| +| [`virtualHubRouteTableV2s`](#parameter-virtualhubroutetablev2s) | array | List of all virtual hub route table v2s associated with this VirtualHub. | +| [`virtualRouterAsn`](#parameter-virtualrouterasn) | int | VirtualRouter ASN. | +| [`virtualRouterIps`](#parameter-virtualrouterips) | array | VirtualRouter IPs. | +| [`vpnGatewayId`](#parameter-vpngatewayid) | string | Resource ID of the VPN Gateway to link to. | + +### Parameter: `addressPrefix` + +Address-prefix for this VirtualHub. +- Required: Yes +- Type: string + +### Parameter: `allowBranchToBranchTraffic` + +Flag to control transit for VirtualRouter hub. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `expressRouteGatewayId` + +Resource ID of the Express Route Gateway to link to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `hubRouteTables` + +Route tables to create for the virtual hub. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `hubVirtualNetworkConnections` + +Virtual network connections to create for the virtual hub. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The virtual hub name. +- Required: Yes +- Type: string + +### Parameter: `p2SVpnGatewayId` + +Resource ID of the Point-to-Site VPN Gateway to link to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `preferredRoutingGateway` + +The preferred routing gateway types. 
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', ExpressRoute, None, VpnGateway]`
+
+### Parameter: `routeTableRoutes`
+
+VirtualHub route tables.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `securityPartnerProviderId`
+
+ID of the Security Partner Provider to link to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `securityProviderName`
+
+The Security Provider name.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `sku`
+
+The sku of this VirtualHub.
+- Required: No
+- Type: string
+- Default: `'Standard'`
+- Allowed: `[Basic, Standard]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `virtualHubRouteTableV2s`
+
+List of all virtual hub route table v2s associated with this VirtualHub.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `virtualRouterAsn`
+
+VirtualRouter ASN.
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `virtualRouterIps`
+
+VirtualRouter IPs.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `virtualWanId`
+
+Resource ID of the virtual WAN to link to.
+- Required: Yes
+- Type: string
+
+### Parameter: `vpnGatewayId`
+
+Resource ID of the VPN Gateway to link to.
+- Required: No
+- Type: string
+- Default: `''`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the virtual hub. |
+| `resourceGroupName` | string | The resource group the virtual hub was deployed into. |
+| `resourceId` | string | The resource ID of the virtual hub. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/network/virtual-hub/hub-route-table/README.md b/modules/network/virtual-hub/hub-route-table/README.md
index dd27e32016..37e065b3e2 100644
--- a/modules/network/virtual-hub/hub-route-table/README.md
+++ b/modules/network/virtual-hub/hub-route-table/README.md 
@@ -19,28 +19,61 @@ This module deploys a Virtual Hub Route Table. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The route table name. | +| [`name`](#parameter-name) | string | The route table name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualHubName` | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | +| [`virtualHubName`](#parameter-virtualhubname) | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `labels` | array | `[]` | List of labels associated with this route table. | -| `routes` | array | `[]` | List of all routes. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`labels`](#parameter-labels) | array | List of labels associated with this route table. | +| [`routes`](#parameter-routes) | array | List of all routes. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `labels` + +List of labels associated with this route table. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The route table name. +- Required: Yes +- Type: string + +### Parameter: `routes` + +List of all routes. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `virtualHubName` + +The name of the parent virtual hub. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed virtual hub route table. | | `resourceGroupName` | string | The resource group the virtual hub route table was deployed into. | diff --git a/modules/network/virtual-hub/hub-route-table/main.json b/modules/network/virtual-hub/hub-route-table/main.json index 895c3a3a4f..801ad71e30 100644 --- a/modules/network/virtual-hub/hub-route-table/main.json +++ b/modules/network/virtual-hub/hub-route-table/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14518513912380539716" + "version": "0.22.6.54827", + "templateHash": "16158603795616593379" }, "name": "Virtual Hub Route Tables", "description": "This module deploys a Virtual Hub Route Table.", diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/README.md b/modules/network/virtual-hub/hub-virtual-network-connection/README.md index bd663aeb43..91988c38ee 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/README.md +++ b/modules/network/virtual-hub/hub-virtual-network-connection/README.md 
@@ -19,29 +19,68 @@ This module deploys a Virtual Hub Virtual Network Connection. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The connection name. | -| `remoteVirtualNetworkId` | string | Resource ID of the virtual network to link to. | +| [`name`](#parameter-name) | string | The connection name. | +| [`remoteVirtualNetworkId`](#parameter-remotevirtualnetworkid) | string | Resource ID of the virtual network to link to. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualHubName` | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | +| [`virtualHubName`](#parameter-virtualhubname) | string | The name of the parent virtual hub. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableInternetSecurity` | bool | `True` | Enable internet security. | -| `routingConfiguration` | object | `{object}` | Routing Configuration indicating the associated and propagated route tables for this connection. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableInternetSecurity`](#parameter-enableinternetsecurity) | bool | Enable internet security. | +| [`routingConfiguration`](#parameter-routingconfiguration) | object | Routing Configuration indicating the associated and propagated route tables for this connection. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableInternetSecurity` + +Enable internet security. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The connection name. +- Required: Yes +- Type: string + +### Parameter: `remoteVirtualNetworkId` + +Resource ID of the virtual network to link to. +- Required: Yes +- Type: string + +### Parameter: `routingConfiguration` + +Routing Configuration indicating the associated and propagated route tables for this connection. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualHubName` + +The name of the parent virtual hub. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the virtual hub connection. | | `resourceGroupName` | string | The resource group the virtual hub connection was deployed into. | diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/main.json b/modules/network/virtual-hub/hub-virtual-network-connection/main.json index 3fe3471be2..c514e9baaa 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/main.json +++ b/modules/network/virtual-hub/hub-virtual-network-connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5767473063979797254" + "version": "0.22.6.54827", + "templateHash": "16334618854228578572" }, "name": "Virtual Hub Virtual Network Connections", "description": "This module deploys a Virtual Hub Virtual Network Connection.", diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json index 2b0279e698..5e0c591d00 100644 --- a/modules/network/virtual-hub/main.json +++ b/modules/network/virtual-hub/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4151058169679427361" + "version": "0.22.6.54827", + "templateHash": "6969570927166088400" }, "name": "Virtual Hubs", "description": "This module deploys a Virtual Hub.\r\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", @@ -261,8 +261,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7824851023582113714" + "version": "0.22.6.54827", + "templateHash": "16158603795616593379" }, "name": "Virtual Hub Route Tables", "description": "This module deploys a Virtual Hub Route Table.", @@ -392,8 +392,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9197169920166780501" + "version": "0.22.6.54827", + "templateHash": "16334618854228578572" }, "name": "Virtual Hub Virtual Network Connections", "description": "This module deploys a Virtual Hub Virtual Network Connection.", diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 31e33bd461..98a0acccc9 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -4,13 +4,13 @@ This module deploys a Virtual Network Gateway. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,92 +21,26 @@ This module deploys a Virtual Network Gateway. | `Microsoft.Network/virtualNetworkGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworkGateways) | | `Microsoft.Network/virtualNetworkGateways/natRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworkGateways/natRules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `gatewayType` | string | `[ExpressRoute, Vpn]` | Specifies the gateway type. E.g. VPN, ExpressRoute. | -| `name` | string | | Specifies the Virtual Network Gateway name. | -| `skuName` | string | `[Basic, ErGw1AZ, ErGw2AZ, ErGw3AZ, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, VpnGw5AZ]` | The SKU of the Gateway. | -| `vNetResourceId` | string | | Virtual Network resource ID. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `activeActive` | bool | `True` | | Value to specify if the Gateway should be deployed in active-active or active-passive configuration. | -| `activeGatewayPipName` | string | `[format('{0}-pip2', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | -| `allowRemoteVnetTraffic` | bool | `False` | | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. | -| `allowVirtualWanTraffic` | bool | `False` | | Configures this gateway to accept traffic from remote Virtual WAN networks. | -| `asn` | int | `65815` | | ASN value. 
| -| `clientRevokedCertThumbprint` | string | `''` | | Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | -| `clientRootCertData` | string | `''` | | Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableIPSecReplayProtection` | bool | `False` | | disableIPSecReplayProtection flag. Used for VPN Gateways. | -| `domainNameLabel` | array | `[]` | | DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | -| `enableBgp` | bool | `True` | | Value to specify if BGP is enabled or not. | -| `enableBgpRouteTranslationForNat` | bool | `False` | | EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableDnsForwarding` | bool | `False` | | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. | -| `enablePrivateIpAddress` | bool | `False` | | Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. | -| `gatewayDefaultSiteLocalNetworkGatewayId` | string | `''` | | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | -| `gatewayPipName` | string | `[format('{0}-pip1', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `natRules` | array | `[]` | | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | -| `publicIpdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `publicIpDiagnosticSettingsName` | string | `''` | | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. 
This is only needed if you want your Public IPs created in a PIP Prefix. | -| `publicIpZones` | array | `[]` | | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `virtualNetworkGatewaydiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, GatewayDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog, RouteDiagnosticLog, TunnelDiagnosticLog]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `vpnClientAadConfiguration` | object | `{object}` | | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. | -| `vpnClientAddressPoolPrefix` | string | `''` | | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | -| `vpnGatewayGeneration` | string | `'None'` | `[Generation1, Generation2, None]` | The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. | -| `vpnType` | string | `'RouteBased'` | `[PolicyBased, RouteBased]` | Specifies the VPN type. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `activeActive` | bool | Shows if the virtual network gateway is configured in active-active mode. | -| `location` | string | The location the resource was deployed into. 
| -| `name` | string | The name of the virtual network gateway. | -| `resourceGroupName` | string | The resource group the virtual network gateway was deployed. | -| `resourceId` | string | The resource ID of the virtual network gateway. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +## Usage examples -| Reference | Type | -| :-- | :-- | -| `network/public-ip-address` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-network-gateway:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Aadvpn](#example-1-aadvpn) +- [Expressroute](#example-2-expressroute) +- [Vpn](#example-3-vpn) -

Example 1: Aadvpn

+### Example 1: _Aadvpn_
via Bicep module ```bicep -module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = { +module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvngavpn' params: { // Required parameters @@ -260,14 +194,14 @@ module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = {

-

Example 2: Expressroute

+### Example 2: _Expressroute_
via Bicep module ```bicep -module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = { +module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvger' params: { // Required parameters @@ -395,14 +329,14 @@ module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = {

-

Example 3: Vpn

+### Example 3: _Vpn_
via Bicep module ```bicep -module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = { +module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvgvpn' params: { // Required parameters @@ -623,3 +557,359 @@ module virtualNetworkGateway './network/virtual-network-gateway/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`gatewayType`](#parameter-gatewaytype) | string | Specifies the gateway type. E.g. VPN, ExpressRoute. | +| [`name`](#parameter-name) | string | Specifies the Virtual Network Gateway name. | +| [`skuName`](#parameter-skuname) | string | The SKU of the Gateway. | +| [`vNetResourceId`](#parameter-vnetresourceid) | string | Virtual Network resource ID. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`activeActive`](#parameter-activeactive) | bool | Value to specify if the Gateway should be deployed in active-active or active-passive configuration. | +| [`activeGatewayPipName`](#parameter-activegatewaypipname) | string | Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | +| [`allowRemoteVnetTraffic`](#parameter-allowremotevnettraffic) | bool | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. | +| [`allowVirtualWanTraffic`](#parameter-allowvirtualwantraffic) | bool | Configures this gateway to accept traffic from remote Virtual WAN networks. | +| [`asn`](#parameter-asn) | int | ASN value. | +| [`clientRevokedCertThumbprint`](#parameter-clientrevokedcertthumbprint) | string | Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | +| [`clientRootCertData`](#parameter-clientrootcertdata) | string | Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. 
| +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableIPSecReplayProtection`](#parameter-disableipsecreplayprotection) | bool | disableIPSecReplayProtection flag. Used for VPN Gateways. | +| [`domainNameLabel`](#parameter-domainnamelabel) | array | DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | +| [`enableBgp`](#parameter-enablebgp) | bool | Value to specify if BGP is enabled or not. | +| [`enableBgpRouteTranslationForNat`](#parameter-enablebgproutetranslationfornat) | bool | EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`enableDnsForwarding`](#parameter-enablednsforwarding) | bool | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. | +| [`enablePrivateIpAddress`](#parameter-enableprivateipaddress) | bool | Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. | +| [`gatewayDefaultSiteLocalNetworkGatewayId`](#parameter-gatewaydefaultsitelocalnetworkgatewayid) | string | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | +| [`gatewayPipName`](#parameter-gatewaypipname) | string | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`natRules`](#parameter-natrules) | array | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | +| [`publicIpdiagnosticLogCategoriesToEnable`](#parameter-publicipdiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`publicIpDiagnosticSettingsName`](#parameter-publicipdiagnosticsettingsname) | string | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. 
| +| [`publicIpZones`](#parameter-publicipzones) | array | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`virtualNetworkGatewaydiagnosticLogCategoriesToEnable`](#parameter-virtualnetworkgatewaydiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`vpnClientAadConfiguration`](#parameter-vpnclientaadconfiguration) | object | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. | +| [`vpnClientAddressPoolPrefix`](#parameter-vpnclientaddresspoolprefix) | string | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | +| [`vpnGatewayGeneration`](#parameter-vpngatewaygeneration) | string | The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. | +| [`vpnType`](#parameter-vpntype) | string | Specifies the VPN type. | + +### Parameter: `activeActive` + +Value to specify if the Gateway should be deployed in active-active or active-passive configuration. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `activeGatewayPipName` + +Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. 
If it's not provided, a '-pip' suffix will be appended to the gateway's name. +- Required: No +- Type: string +- Default: `[format('{0}-pip2', parameters('name'))]` + +### Parameter: `allowRemoteVnetTraffic` + +Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `allowVirtualWanTraffic` + +Configures this gateway to accept traffic from remote Virtual WAN networks. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `asn` + +ASN value. +- Required: No +- Type: int +- Default: `65815` + +### Parameter: `clientRevokedCertThumbprint` + +Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `clientRootCertData` + +Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableIPSecReplayProtection` + +disableIPSecReplayProtection flag. Used for VPN Gateways. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `domainNameLabel` + +DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableBgp` + +Value to specify if BGP is enabled or not. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableBgpRouteTranslationForNat` + +EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDnsForwarding` + +Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enablePrivateIpAddress` + +Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `gatewayDefaultSiteLocalNetworkGatewayId` + +The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `gatewayPipName` + +Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. +- Required: No +- Type: string +- Default: `[format('{0}-pip1', parameters('name'))]` + +### Parameter: `gatewayType` + +Specifies the gateway type. E.g. VPN, ExpressRoute. +- Required: Yes +- Type: string +- Allowed: `[ExpressRoute, Vpn]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Specifies the Virtual Network Gateway name. +- Required: Yes +- Type: string + +### Parameter: `natRules` + +NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicIpdiagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` + +### Parameter: `publicIpDiagnosticSettingsName` + +The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `publicIPPrefixResourceId` + +Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `publicIpZones` + +Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +The SKU of the Gateway. +- Required: Yes +- Type: string +- Allowed: `[Basic, ErGw1AZ, ErGw2AZ, ErGw3AZ, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, VpnGw5AZ]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkGatewaydiagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, GatewayDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog, RouteDiagnosticLog, TunnelDiagnosticLog]` + +### Parameter: `vNetResourceId` + +Virtual Network resource ID. +- Required: Yes +- Type: string + +### Parameter: `vpnClientAadConfiguration` + +Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vpnClientAddressPoolPrefix` + +The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `vpnGatewayGeneration` + +The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[Generation1, Generation2, None]` + +### Parameter: `vpnType` + +Specifies the VPN type. +- Required: No +- Type: string +- Default: `'RouteBased'` +- Allowed: `[PolicyBased, RouteBased]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `activeActive` | bool | Shows if the virtual network gateway is configured in active-active mode. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the virtual network gateway. | +| `resourceGroupName` | string | The resource group the virtual network gateway was deployed. | +| `resourceId` | string | The resource ID of the virtual network gateway. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/public-ip-address` | Local reference | diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json index 18b0232c89..0404971daa 100644 --- a/modules/network/virtual-network-gateway/main.json +++ b/modules/network/virtual-network-gateway/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8459366170014558708"
+ "version": "0.22.6.54827",
+ "templateHash": "1318421731566619997"
 },
 "name": "Virtual Network Gateways",
 "description": "This module deploys a Virtual Network Gateway.",
@@ -539,8 +539,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1887898957722092173"
+ "version": "0.22.6.54827",
+ "templateHash": "4317747709004918530"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
@@ -873,8 +873,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7328126239184883887"
+ "version": "0.22.6.54827",
+ "templateHash": "9976109177347918049"
 }
 },
 "parameters": {
@@ -1092,8 +1092,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "483133118459920914"
+ "version": "0.22.6.54827",
+ "templateHash": "14778714560462406442"
 },
 "name": "VPN Gateway NAT Rules",
 "description": "This module deploys a Virtual Network Gateway NAT Rule.",
@@ -1256,8 +1256,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10035364843796427917"
+ "version": "0.22.6.54827",
+ "templateHash": "3489304115292603489"
 }
 },
 "parameters": {
diff --git a/modules/network/virtual-network-gateway/nat-rule/README.md b/modules/network/virtual-network-gateway/nat-rule/README.md
index 3cd7056388..9bb8945e60 100644
--- a/modules/network/virtual-network-gateway/nat-rule/README.md
+++ b/modules/network/virtual-network-gateway/nat-rule/README.md
@@ -19,31 +19,87 @@ This module deploys a Virtual Network Gateway NAT Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the NAT rule. | +| [`name`](#parameter-name) | string | The name of the NAT rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualNetworkGatewayName` | string | The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | +| [`virtualNetworkGatewayName`](#parameter-virtualnetworkgatewayname) | string | The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `externalMappings` | array | `[]` | | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | -| `internalMappings` | array | `[]` | | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | -| `ipConfigurationId` | string | `''` | | A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. | -| `mode` | string | `''` | `['', EgressSnat, IngressSnat]` | The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. 
EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. | -| `type` | string | `''` | `['', Dynamic, Static]` | The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`externalMappings`](#parameter-externalmappings) | array | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | +| [`internalMappings`](#parameter-internalmappings) | array | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | +| [`ipConfigurationId`](#parameter-ipconfigurationid) | string | A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. | +| [`mode`](#parameter-mode) | string | The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. | +| [`type`](#parameter-type) | string | The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. 
| + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `externalMappings` + +An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `internalMappings` + +An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipConfigurationId` + +A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `mode` + +The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', EgressSnat, IngressSnat]` + +### Parameter: `name` + +The name of the NAT rule. +- Required: Yes +- Type: string + +### Parameter: `type` + +The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Dynamic, Static]` + +### Parameter: `virtualNetworkGatewayName` + +The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the NAT rule. | | `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into. | diff --git a/modules/network/virtual-network-gateway/nat-rule/main.json b/modules/network/virtual-network-gateway/nat-rule/main.json index 5969b6ecce..8435d984f4 100644 --- a/modules/network/virtual-network-gateway/nat-rule/main.json +++ b/modules/network/virtual-network-gateway/nat-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "483133118459920914" + "version": "0.22.6.54827", + "templateHash": "14778714560462406442" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a Virtual Network Gateway NAT Rule.", diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/.test/common/main.test.bicep index c0552ce142..832c76cfc0 100644 --- a/modules/network/virtual-network/.test/common/main.test.bicep +++ b/modules/network/virtual-network/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/virtual-network/.test/min/main.test.bicep b/modules/network/virtual-network/.test/min/main.test.bicep index 7148de4655..1cd5b5d90a 100644 --- a/modules/network/virtual-network/.test/min/main.test.bicep +++ b/modules/network/virtual-network/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 17c45fe91e..cff0a58411 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -4,14 +4,14 @@ This module deploys a Virtual Network (vNet). ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,71 +22,29 @@ This module deploys a Virtual Network (vNet). | `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | | `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/virtualNetworkPeerings) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `addressPrefixes` | array | An Array of 1 or more IP Address Prefixes for the Virtual Network. | -| `name` | string | The Virtual Network (vNet) Name. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-network:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `ddosProtectionPlanId` | string | `''` | | Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, VMProtectionAlerts]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `dnsServers` | array | `[]` | | DNS Servers associated to the Virtual Network. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `flowTimeoutInMinutes` | int | `0` | | The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `peerings` | array | `[]` | | Virtual Network Peerings configurations. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `subnets` | array | `[]` | | An Array of subnets to deploy to the Virtual Network. 
| -| `tags` | object | `{object}` | | Tags of the resource. | -| `vnetEncryption` | bool | `False` | | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. | -| `vnetEncryptionEnforcement` | string | `'AllowUnencrypted'` | `[AllowUnencrypted, DropUnencrypted]` | If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Vnetpeering](#example-3-vnetpeering) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `diagnosticsLogs` | array | The Diagnostic Settings of the virtual network. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual network. | -| `resourceGroupName` | string | The resource group the virtual network was deployed into. | -| `resourceId` | string | The resource ID of the virtual network. | -| `subnetNames` | array | The names of the deployed subnets. | -| `subnetResourceIds` | array | The resource IDs of the deployed subnets. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module virtualNetwork './network/virtual-network/main.bicep' = { +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvncom' params: { // Required parameters @@ -294,14 +252,17 @@ module virtualNetwork './network/virtual-network/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module virtualNetwork './network/virtual-network/main.bicep' = { +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvnmin' params: { // Required parameters @@ -347,14 +308,14 @@ module virtualNetwork './network/virtual-network/main.bicep' = {

-

Example 3: Vnetpeering

+### Example 3: _Vnetpeering_
via Bicep module ```bicep -module virtualNetwork './network/virtual-network/main.bicep' = { +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvnpeer' params: { // Required parameters @@ -455,6 +416,205 @@ module virtualNetwork './network/virtual-network/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-addressprefixes) | array | An Array of 1 or more IP Address Prefixes for the Virtual Network. | +| [`name`](#parameter-name) | string | The Virtual Network (vNet) Name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`ddosProtectionPlanId`](#parameter-ddosprotectionplanid) | string | Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`dnsServers`](#parameter-dnsservers) | array | DNS Servers associated to the Virtual Network. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`flowTimeoutInMinutes`](#parameter-flowtimeoutinminutes) | int | The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`peerings`](#parameter-peerings) | array | Virtual Network Peerings configurations. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`subnets`](#parameter-subnets) | array | An Array of subnets to deploy to the Virtual Network. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`vnetEncryption`](#parameter-vnetencryption) | bool | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. | +| [`vnetEncryptionEnforcement`](#parameter-vnetencryptionenforcement) | string | If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. 
| + +### Parameter: `addressPrefixes` + +An Array of 1 or more IP Address Prefixes for the Virtual Network. +- Required: Yes +- Type: array + +### Parameter: `ddosProtectionPlanId` + +Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, VMProtectionAlerts]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsServers` + +DNS Servers associated to the Virtual Network. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `flowTimeoutInMinutes` + +The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The Virtual Network (vNet) Name. +- Required: Yes +- Type: string + +### Parameter: `peerings` + +Virtual Network Peerings configurations. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subnets` + +An Array of subnets to deploy to the Virtual Network. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vnetEncryption` + +Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. 
Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `vnetEncryptionEnforcement` + +If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. +- Required: No +- Type: string +- Default: `'AllowUnencrypted'` +- Allowed: `[AllowUnencrypted, DropUnencrypted]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `diagnosticsLogs` | array | The Diagnostic Settings of the virtual network. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the virtual network. | +| `resourceGroupName` | string | The resource group the virtual network was deployed into. | +| `resourceId` | string | The resource ID of the virtual network. | +| `subnetNames` | array | The names of the deployed subnets. | +| `subnetResourceIds` | array | The resource IDs of the deployed subnets. | + +## Cross-referenced modules + +_None_ + ## Notes ### Considerations diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index d246cbd6f8..2da9232c9d 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12861814735026825278" + "version": "0.22.6.54827", + "templateHash": "6996162426151376576" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", @@ -341,8 +341,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13147389264555337469" + "version": "0.22.6.54827", + "templateHash": "8758167910677571979" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", 
@@ -537,8 +537,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15642916335871461785"
+ "version": "0.22.6.54827",
+ "templateHash": "3698261669800089456"
 }
 },
 "parameters": {
@@ -760,8 +760,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10823477125090405647"
+ "version": "0.22.6.54827",
+ "templateHash": "18346996432273628410"
 },
 "name": "Virtual Network Peerings",
 "description": "This module deploys a Virtual Network Peering.",
@@ -929,8 +929,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10823477125090405647"
+ "version": "0.22.6.54827",
+ "templateHash": "18346996432273628410"
 },
 "name": "Virtual Network Peerings",
 "description": "This module deploys a Virtual Network Peering.",
@@ -1093,8 +1093,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "826837070159019998"
+ "version": "0.22.6.54827",
+ "templateHash": "9735784247686217836"
 }
 },
 "parameters": {
diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md
index 8a9dfc4089..643c00ebdc 100644
--- a/modules/network/virtual-network/subnet/README.md
+++ b/modules/network/virtual-network/subnet/README.md
@@ -21,39 +21,150 @@ This module deploys a Virtual Network Subnet. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `addressPrefix` | string | The address prefix for the subnet. | +| [`addressPrefix`](#parameter-addressprefix) | string | The address prefix for the subnet. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `virtualNetworkName` | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. | +| [`virtualNetworkName`](#parameter-virtualnetworkname) | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `addressPrefixes` | array | `[]` | | List of address prefixes for the subnet. | -| `applicationGatewayIPConfigurations` | array | `[]` | | Application gateway IP configurations of virtual network resource. | -| `delegations` | array | `[]` | | The delegations to enable on the subnet. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipAllocations` | array | `[]` | | Array of IpAllocation which reference this subnet. | -| `name` | string | | | The Name of the subnet resource. | -| `natGatewayId` | string | `''` | | The resource ID of the NAT Gateway to use for the subnet. | -| `networkSecurityGroupId` | string | `''` | | The resource ID of the network security group to assign to the subnet. | -| `privateEndpointNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private endpoint in the subnet. 
| -| `privateLinkServiceNetworkPolicies` | string | `''` | `['', Disabled, Enabled]` | enable or disable apply network policies on private link service in the subnet. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `routeTableId` | string | `''` | | The resource ID of the route table to assign to the subnet. | -| `serviceEndpointPolicies` | array | `[]` | | An array of service endpoint policies. | -| `serviceEndpoints` | array | `[]` | | The service endpoints to enable on the subnet. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-addressprefixes) | array | List of address prefixes for the subnet. | +| [`applicationGatewayIPConfigurations`](#parameter-applicationgatewayipconfigurations) | array | Application gateway IP configurations of virtual network resource. | +| [`delegations`](#parameter-delegations) | array | The delegations to enable on the subnet. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ipAllocations`](#parameter-ipallocations) | array | Array of IpAllocation which reference this subnet. | +| [`name`](#parameter-name) | string | The Name of the subnet resource. | +| [`natGatewayId`](#parameter-natgatewayid) | string | The resource ID of the NAT Gateway to use for the subnet. | +| [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. 
| +| [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. | +| [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. | +| [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. | +| [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. | + +### Parameter: `addressPrefix` + +The address prefix for the subnet. +- Required: Yes +- Type: string + +### Parameter: `addressPrefixes` + +List of address prefixes for the subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `applicationGatewayIPConfigurations` + +Application gateway IP configurations of virtual network resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `delegations` + +The delegations to enable on the subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ipAllocations` + +Array of IpAllocation which reference this subnet. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The Name of the subnet resource. +- Required: Yes +- Type: string + +### Parameter: `natGatewayId` + +The resource ID of the NAT Gateway to use for the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `networkSecurityGroupId` + +The resource ID of the network security group to assign to the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `privateEndpointNetworkPolicies` + +enable or disable apply network policies on private endpoint in the subnet. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `privateLinkServiceNetworkPolicies` + +enable or disable apply network policies on private link service in the subnet. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `routeTableId` + +The resource ID of the route table to assign to the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serviceEndpointPolicies` + +An array of service endpoint policies. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceEndpoints` + +The service endpoints to enable on the subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `virtualNetworkName` + +The name of the parent virtual network. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the virtual network peering. | | `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | diff --git a/modules/network/virtual-network/subnet/main.json b/modules/network/virtual-network/subnet/main.json index aa1af62d0a..084f994df1 100644 --- a/modules/network/virtual-network/subnet/main.json +++ b/modules/network/virtual-network/subnet/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17563066367289258796" + "version": "0.22.6.54827", + "templateHash": "8758167910677571979" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", @@ -200,8 +200,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11765890115463110578" + "version": "0.22.6.54827", + "templateHash": "3698261669800089456" } }, "parameters": { diff --git a/modules/network/virtual-network/virtual-network-peering/README.md b/modules/network/virtual-network/virtual-network-peering/README.md index f5dd0935e8..fb53ca2d3f 100644 --- a/modules/network/virtual-network/virtual-network-peering/README.md +++ b/modules/network/virtual-network/virtual-network-peering/README.md @@ -4,12 +4,12 @@ This module deploys a Virtual Network Peering. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,32 +19,93 @@ This module deploys a Virtual Network Peering. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `remoteVirtualNetworkId` | string | The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | +| [`remoteVirtualNetworkId`](#parameter-remotevirtualnetworkid) | string | The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `localVnetName` | string | The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. | +| [`localVnetName`](#parameter-localvnetname) | string | The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `allowForwardedTraffic` | bool | `True` | Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | -| `allowGatewayTransit` | bool | `False` | If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | -| `allowVirtualNetworkAccess` | bool | `True` | Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | -| `doNotVerifyRemoteGateways` | bool | `True` | If we need to verify the provisioning state of the remote gateway. Default is true. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `name` | string | `[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]` | The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. | -| `useRemoteGateways` | bool | `False` | If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowForwardedTraffic`](#parameter-allowforwardedtraffic) | bool | Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | +| [`allowGatewayTransit`](#parameter-allowgatewaytransit) | bool | If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | +| [`allowVirtualNetworkAccess`](#parameter-allowvirtualnetworkaccess) | bool | Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | +| [`doNotVerifyRemoteGateways`](#parameter-donotverifyremotegateways) | bool | If we need to verify the provisioning state of the remote gateway. Default is true. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. | +| [`useRemoteGateways`](#parameter-useremotegateways) | bool | If remote gateways can be used on this virtual network. 
If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. | + +### Parameter: `allowForwardedTraffic` + +Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `allowGatewayTransit` + +If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `allowVirtualNetworkAccess` + +Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `doNotVerifyRemoteGateways` + +If we need to verify the provisioning state of the remote gateway. Default is true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `localVnetName` + +The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. +- Required: No +- Type: string +- Default: `[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]` + +### Parameter: `remoteVirtualNetworkId` + +The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. 
+- Required: Yes +- Type: string + +### Parameter: `useRemoteGateways` + +If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the virtual network peering. | | `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | diff --git a/modules/network/virtual-network/virtual-network-peering/main.json b/modules/network/virtual-network/virtual-network-peering/main.json index 50c7a9f2a1..a7efe2dec6 100644 --- a/modules/network/virtual-network/virtual-network-peering/main.json +++ b/modules/network/virtual-network/virtual-network-peering/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6880392752659964193" + "version": "0.22.6.54827", + "templateHash": "18346996432273628410" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering.", diff --git a/modules/network/virtual-wan/.test/common/main.test.bicep b/modules/network/virtual-wan/.test/common/main.test.bicep index 5b281b7b92..ab7ace98d9 100644 --- a/modules/network/virtual-wan/.test/common/main.test.bicep +++ b/modules/network/virtual-wan/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/network/virtual-wan/.test/min/main.test.bicep b/modules/network/virtual-wan/.test/min/main.test.bicep index edcf6fe066..8247a6e863 100644 --- a/modules/network/virtual-wan/.test/min/main.test.bicep +++ b/modules/network/virtual-wan/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 8039719c7c..4d6f442bb2 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -4,13 +4,13 @@ This module deploys a Virtual WAN. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,57 +18,28 @@ This module deploys a Virtual WAN. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/virtualWans` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualWans) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Virtual WAN. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowBranchToBranchTraffic` | bool | `False` | | True if branch to branch traffic is allowed. | -| `allowVnetToVnetTraffic` | bool | `False` | | True if VNET to VNET traffic is allowed. | -| `disableVpnEncryption` | bool | `False` | | VPN encryption to be disabled or not. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `type` | string | `'Standard'` | `[Basic, Standard]` | The type of the Virtual WAN. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the virtual WAN. | -| `resourceGroupName` | string | The resource group the virtual WAN was deployed into. | -| `resourceId` | string | The resource ID of the virtual WAN. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-wan:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module virtualWan './network/virtual-wan/main.bicep' = { +module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvwcom' params: { // Required parameters @@ -158,14 +129,17 @@ module virtualWan './network/virtual-wan/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module virtualWan './network/virtual-wan/main.bicep' = { +module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvwmin' params: { // Required parameters @@ -202,3 +176,111 @@ module virtualWan './network/virtual-wan/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Virtual WAN. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowBranchToBranchTraffic`](#parameter-allowbranchtobranchtraffic) | bool | True if branch to branch traffic is allowed. | +| [`allowVnetToVnetTraffic`](#parameter-allowvnettovnettraffic) | bool | True if VNET to VNET traffic is allowed. | +| [`disableVpnEncryption`](#parameter-disablevpnencryption) | bool | VPN encryption to be disabled or not. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location where all resources will be created. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`type`](#parameter-type) | string | The type of the Virtual WAN. | + +### Parameter: `allowBranchToBranchTraffic` + +True if branch to branch traffic is allowed. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `allowVnetToVnetTraffic` + +True if VNET to VNET traffic is allowed. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableVpnEncryption` + +VPN encryption to be disabled or not. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location where all resources will be created. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Virtual WAN. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `type` + +The type of the Virtual WAN. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Basic, Standard]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the virtual WAN. | +| `resourceGroupName` | string | The resource group the virtual WAN was deployed into. | +| `resourceId` | string | The resource ID of the virtual WAN. | + +## Cross-referenced modules + +_None_ diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index 7d82f973b8..f7c0e84e62 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2653906358986045673" + "version": "0.22.6.54827", + "templateHash": "6166970702359791938" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", @@ -167,8 +167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6282617647386769433" + "version": "0.22.6.54827", + "templateHash": "2713904896388571012" } }, "parameters": { diff --git a/modules/network/vpn-gateway/.test/common/main.test.bicep b/modules/network/vpn-gateway/.test/common/main.test.bicep index 757556890f..7496548a25 100644 --- a/modules/network/vpn-gateway/.test/common/main.test.bicep +++ b/modules/network/vpn-gateway/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/vpn-gateway/.test/min/main.test.bicep b/modules/network/vpn-gateway/.test/min/main.test.bicep index 4e11cce7a9..f050ca9adc 100644 --- a/modules/network/vpn-gateway/.test/min/main.test.bicep +++ b/modules/network/vpn-gateway/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 8fd26e019d..67cfe344a8 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md 
@@ -5,10 +5,10 @@ This module deploys a VPN Gateway. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -20,59 +20,28 @@ This module deploys a VPN Gateway. | `Microsoft.Network/vpnGateways/natRules` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/natRules) | | `Microsoft.Network/vpnGateways/vpnConnections` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnGateways/vpnConnections) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the VPN gateway. | -| `virtualHubResourceId` | string | The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `bgpSettings` | object | `{object}` | | BGP settings details. | -| `enableBgpRouteTranslationForNat` | bool | `False` | | Enable BGP routes translation for NAT on this VPN gateway. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `isRoutingPreferenceInternet` | bool | `False` | | Enable routing preference property for the public IP interface of the VPN gateway. | -| `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `natRules` | array | `[]` | | List of all the NAT Rules to associate with the gateway. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `vpnConnections` | array | `[]` | | The VPN connections to create in the VPN gateway. 
| -| `vpnGatewayScaleUnit` | int | `2` | | The scale unit for this VPN gateway. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VPN gateway. | -| `resourceGroupName` | string | The name of the resource group the VPN gateway was deployed into. | -| `resourceId` | string | The resource ID of the VPN gateway. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-gateway:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module vpnGateway './network/vpn-gateway/main.bicep' = { +module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvgcom' params: { // Required parameters @@ -206,14 +175,17 @@ module vpnGateway './network/vpn-gateway/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module vpnGateway './network/vpn-gateway/main.bicep' = { +module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvgmin' params: { // Required parameters @@ -256,6 +228,127 @@ module vpnGateway './network/vpn-gateway/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the VPN gateway. | +| [`virtualHubResourceId`](#parameter-virtualhubresourceid) | string | The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`bgpSettings`](#parameter-bgpsettings) | object | BGP settings details. | +| [`enableBgpRouteTranslationForNat`](#parameter-enablebgproutetranslationfornat) | bool | Enable BGP routes translation for NAT on this VPN gateway. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`isRoutingPreferenceInternet`](#parameter-isroutingpreferenceinternet) | bool | Enable routing preference property for the public IP interface of the VPN gateway. | +| [`location`](#parameter-location) | string | Location where all resources will be created. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`natRules`](#parameter-natrules) | array | List of all the NAT Rules to associate with the gateway. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`vpnConnections`](#parameter-vpnconnections) | array | The VPN connections to create in the VPN gateway. | +| [`vpnGatewayScaleUnit`](#parameter-vpngatewayscaleunit) | int | The scale unit for this VPN gateway. | + +### Parameter: `bgpSettings` + +BGP settings details. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableBgpRouteTranslationForNat` + +Enable BGP routes translation for NAT on this VPN gateway. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `isRoutingPreferenceInternet` + +Enable routing preference property for the public IP interface of the VPN gateway. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +Location where all resources will be created. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the VPN gateway. +- Required: Yes +- Type: string + +### Parameter: `natRules` + +List of all the NAT Rules to associate with the gateway. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualHubResourceId` + +The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. +- Required: Yes +- Type: string + +### Parameter: `vpnConnections` + +The VPN connections to create in the VPN gateway. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `vpnGatewayScaleUnit` + +The scale unit for this VPN gateway. +- Required: No +- Type: int +- Default: `2` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the VPN gateway. | +| `resourceGroupName` | string | The name of the resource group the VPN gateway was deployed into. | +| `resourceId` | string | The resource ID of the VPN gateway. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `bgpSettings` diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json index d3ab277ddd..16bd090a25 100644 --- a/modules/network/vpn-gateway/main.json +++ b/modules/network/vpn-gateway/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7609266096220214410" + "version": "0.22.6.54827", + "templateHash": "9631635231747205865" }, "name": "VPN Gateways", "description": "This module deploys a VPN Gateway.", @@ -183,8 +183,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6459241670864504569" + "version": "0.22.6.54827", + "templateHash": "4165642550711844737" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a VPN Gateway NAT Rule.", @@ -357,8 +357,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9210756491180563718" + "version": "0.22.6.54827", + "templateHash": "13660788048333105050" }, "name": "VPN Gateway VPN Connections", "description": "This module deploys a VPN Gateway VPN Connection.", diff --git a/modules/network/vpn-gateway/nat-rule/README.md b/modules/network/vpn-gateway/nat-rule/README.md index 6155ca0fc1..8ce3c4b7a9 100644 --- a/modules/network/vpn-gateway/nat-rule/README.md +++ b/modules/network/vpn-gateway/nat-rule/README.md 
@@ -19,31 +19,87 @@ This module deploys a VPN Gateway NAT Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the NAT rule. | +| [`name`](#parameter-name) | string | The name of the NAT rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `vpnGatewayName` | string | The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | +| [`vpnGatewayName`](#parameter-vpngatewayname) | string | The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `externalMappings` | array | `[]` | | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | -| `internalMappings` | array | `[]` | | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | -| `ipConfigurationId` | string | `''` | | A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. | -| `mode` | string | `''` | `['', EgressSnat, IngressSnat]` | The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. 
| -| `type` | string | `''` | `['', Dynamic, Static]` | The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`externalMappings`](#parameter-externalmappings) | array | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | +| [`internalMappings`](#parameter-internalmappings) | array | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | +| [`ipConfigurationId`](#parameter-ipconfigurationid) | string | A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. | +| [`mode`](#parameter-mode) | string | The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. | +| [`type`](#parameter-type) | string | The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `externalMappings` + +An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `internalMappings` + +An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `ipConfigurationId` + +A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `mode` + +The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', EgressSnat, IngressSnat]` + +### Parameter: `name` + +The name of the NAT rule. +- Required: Yes +- Type: string + +### Parameter: `type` + +The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Dynamic, Static]` + +### Parameter: `vpnGatewayName` + +The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the NAT rule. 
| | `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into. | diff --git a/modules/network/vpn-gateway/nat-rule/main.json b/modules/network/vpn-gateway/nat-rule/main.json index 2bf42881b7..9be53d2e0d 100644 --- a/modules/network/vpn-gateway/nat-rule/main.json +++ b/modules/network/vpn-gateway/nat-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6991949008498259337" + "version": "0.22.6.54827", + "templateHash": "4165642550711844737" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a VPN Gateway NAT Rule.", diff --git a/modules/network/vpn-gateway/vpn-connection/README.md b/modules/network/vpn-gateway/vpn-connection/README.md index 624aacd235..76988787ad 100644 --- a/modules/network/vpn-gateway/vpn-connection/README.md +++ b/modules/network/vpn-gateway/vpn-connection/README.md 
@@ -20,40 +20,158 @@ This module deploys a VPN Gateway VPN Connection. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the VPN connection. | +| [`name`](#parameter-name) | string | The name of the VPN connection. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `vpnGatewayName` | string | The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. | +| [`vpnGatewayName`](#parameter-vpngatewayname) | string | The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `connectionBandwidth` | int | `10` | | Expected bandwidth in MBPS. | -| `enableBgp` | bool | `False` | | Enable BGP flag. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableInternetSecurity` | bool | `False` | | Enable internet security. | -| `enableRateLimiting` | bool | `False` | | Enable rate limiting. | -| `ipsecPolicies` | array | `[]` | | The IPSec policies to be considered by this connection. | -| `remoteVpnSiteResourceId` | string | `''` | | Reference to a VPN site to link to. | -| `routingConfiguration` | object | `{object}` | | Routing configuration indicating the associated and propagated route tables for this connection. | -| `routingWeight` | int | `0` | | Routing weight for VPN connection. | -| `sharedKey` | securestring | `''` | | SharedKey for the VPN connection. | -| `trafficSelectorPolicies` | array | `[]` | | The traffic selector policies to be considered by this connection. 
| -| `useLocalAzureIpAddress` | bool | `False` | | Use local Azure IP to initiate connection. | -| `usePolicyBasedTrafficSelectors` | bool | `False` | | Enable policy-based traffic selectors. | -| `vpnConnectionProtocolType` | string | `'IKEv2'` | `[IKEv1, IKEv2]` | Gateway connection protocol. | -| `vpnLinkConnections` | array | `[]` | | List of all VPN site link connections to the gateway. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`connectionBandwidth`](#parameter-connectionbandwidth) | int | Expected bandwidth in MBPS. | +| [`enableBgp`](#parameter-enablebgp) | bool | Enable BGP flag. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableInternetSecurity`](#parameter-enableinternetsecurity) | bool | Enable internet security. | +| [`enableRateLimiting`](#parameter-enableratelimiting) | bool | Enable rate limiting. | +| [`ipsecPolicies`](#parameter-ipsecpolicies) | array | The IPSec policies to be considered by this connection. | +| [`remoteVpnSiteResourceId`](#parameter-remotevpnsiteresourceid) | string | Reference to a VPN site to link to. | +| [`routingConfiguration`](#parameter-routingconfiguration) | object | Routing configuration indicating the associated and propagated route tables for this connection. | +| [`routingWeight`](#parameter-routingweight) | int | Routing weight for VPN connection. | +| [`sharedKey`](#parameter-sharedkey) | securestring | SharedKey for the VPN connection. | +| [`trafficSelectorPolicies`](#parameter-trafficselectorpolicies) | array | The traffic selector policies to be considered by this connection. | +| [`useLocalAzureIpAddress`](#parameter-uselocalazureipaddress) | bool | Use local Azure IP to initiate connection. | +| [`usePolicyBasedTrafficSelectors`](#parameter-usepolicybasedtrafficselectors) | bool | Enable policy-based traffic selectors. 
| +| [`vpnConnectionProtocolType`](#parameter-vpnconnectionprotocoltype) | string | Gateway connection protocol. | +| [`vpnLinkConnections`](#parameter-vpnlinkconnections) | array | List of all VPN site link connections to the gateway. | + +### Parameter: `connectionBandwidth` + +Expected bandwidth in MBPS. +- Required: No +- Type: int +- Default: `10` + +### Parameter: `enableBgp` + +Enable BGP flag. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableInternetSecurity` + +Enable internet security. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableRateLimiting` + +Enable rate limiting. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `ipsecPolicies` + +The IPSec policies to be considered by this connection. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the VPN connection. +- Required: Yes +- Type: string + +### Parameter: `remoteVpnSiteResourceId` + +Reference to a VPN site to link to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `routingConfiguration` + +Routing configuration indicating the associated and propagated route tables for this connection. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `routingWeight` + +Routing weight for VPN connection. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `sharedKey` + +SharedKey for the VPN connection. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `trafficSelectorPolicies` + +The traffic selector policies to be considered by this connection. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `useLocalAzureIpAddress` + +Use local Azure IP to initiate connection. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `usePolicyBasedTrafficSelectors` + +Enable policy-based traffic selectors. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `vpnConnectionProtocolType` + +Gateway connection protocol. +- Required: No +- Type: string +- Default: `'IKEv2'` +- Allowed: `[IKEv1, IKEv2]` + +### Parameter: `vpnGatewayName` + +The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `vpnLinkConnections` + +List of all VPN site link connections to the gateway. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the VPN connection. | | `resourceGroupName` | string | The name of the resource group the VPN connection was deployed into. | diff --git a/modules/network/vpn-gateway/vpn-connection/main.json b/modules/network/vpn-gateway/vpn-connection/main.json index e626d18b2a..a4ad3b7923 100644 --- a/modules/network/vpn-gateway/vpn-connection/main.json +++ b/modules/network/vpn-gateway/vpn-connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9210756491180563718" + "version": "0.22.6.54827", + "templateHash": "13660788048333105050" }, "name": "VPN Gateway VPN Connections", "description": "This module deploys a VPN Gateway VPN Connection.", diff --git a/modules/network/vpn-site/.test/common/main.test.bicep b/modules/network/vpn-site/.test/common/main.test.bicep index e1b0470cd9..bfcbcbb6ad 100644 --- a/modules/network/vpn-site/.test/common/main.test.bicep +++ b/modules/network/vpn-site/.test/common/main.test.bicep 
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/vpn-site/.test/min/main.test.bicep b/modules/network/vpn-site/.test/min/main.test.bicep index f20486d112..7a564ddcfa 100644 --- a/modules/network/vpn-site/.test/min/main.test.bicep +++ b/modules/network/vpn-site/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index ea575095be..d231248df9 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -5,10 +5,10 @@ This module deploys a VPN Site. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -19,66 +19,28 @@ This module deploys a VPN Site. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Network/vpnSites` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/vpnSites) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the VPN Site. | -| `virtualWanId` | string | Resource ID of the virtual WAN to link to. | - -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `addressPrefixes` | array | An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. | -| `bgpProperties` | object | BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `deviceProperties` | object | `{object}` | | List of properties of the device. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipAddress` | string | `''` | | The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | -| `isSecuritySite` | bool | `False` | | IsSecuritySite flag. | -| `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `o365Policy` | object | `{object}` | | The Office365 breakout policy. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `vpnSiteLinks` | array | `[]` | | List of all VPN site links. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VPN site. | -| `resourceGroupName` | string | The resource group the VPN site was deployed into. | -| `resourceId` | string | The resource ID of the VPN site. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-site:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module vpnSite './network/vpn-site/main.bicep' = { +module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvscom' params: { // Required parameters @@ -242,14 +204,17 @@ module vpnSite './network/vpn-site/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module vpnSite './network/vpn-site/main.bicep' = { +module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-nvsmin' params: { // Required parameters @@ -304,6 +269,148 @@ module vpnSite './network/vpn-site/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the VPN Site. | +| [`virtualWanId`](#parameter-virtualwanid) | string | Resource ID of the virtual WAN to link to. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-addressprefixes) | array | An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. | +| [`bgpProperties`](#parameter-bgpproperties) | object | BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`deviceProperties`](#parameter-deviceproperties) | object | List of properties of the device. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ipAddress`](#parameter-ipaddress) | string | The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | +| [`isSecuritySite`](#parameter-issecuritysite) | bool | IsSecuritySite flag. | +| [`location`](#parameter-location) | string | Location where all resources will be created. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`o365Policy`](#parameter-o365policy) | object | The Office365 breakout policy. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`vpnSiteLinks`](#parameter-vpnsitelinks) | array | List of all VPN site links. | + +### Parameter: `addressPrefixes` + +An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `bgpProperties` + +BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `deviceProperties` + +List of properties of the device. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ipAddress` + +The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `isSecuritySite` + +IsSecuritySite flag. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +Location where all resources will be created. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the VPN Site. +- Required: Yes +- Type: string + +### Parameter: `o365Policy` + +The Office365 breakout policy. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualWanId` + +Resource ID of the virtual WAN to link to. +- Required: Yes +- Type: string + +### Parameter: `vpnSiteLinks` + +List of all VPN site links. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the VPN site. | +| `resourceGroupName` | string | The resource group the VPN site was deployed into. | +| `resourceId` | string | The resource ID of the VPN site. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage `deviceProperties` diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index b90f743722..859ddc6ba1 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13056643175492466003" + "version": "0.22.6.54827", + "templateHash": "1375112363272688444" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", @@ -192,8 +192,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7148202566959237079" + "version": "0.22.6.54827", + "templateHash": "13348048560732484926" } }, "parameters": { 
diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep index 3831bb5238..2e994d7fed 100644 --- a/modules/operational-insights/workspace/.test/common/main.test.bicep +++ b/modules/operational-insights/workspace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/operational-insights/workspace/.test/min/main.test.bicep b/modules/operational-insights/workspace/.test/min/main.test.bicep index 365f381b19..cb56d8a1a8 100644 --- a/modules/operational-insights/workspace/.test/min/main.test.bicep +++ b/modules/operational-insights/workspace/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 1d36c0d1b3..b0e47dc105 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -4,13 +4,13 @@ This module deploys a Log Analytics Workspace. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -27,89 +27,26 @@ This module deploys a Log Analytics Workspace. | `Microsoft.OperationalInsights/workspaces/tables` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2022-10-01/workspaces/tables) | | `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Log Analytics workspace. | - -**Conditional parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `linkedStorageAccounts` | array | List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `dailyQuotaGb` | int | `-1` | | The workspace daily quota for ingestion. | -| `dataExports` | array | `[]` | | LAW data export instances to be deployed. | -| `dataRetention` | int | `365` | | Number of days data will be retained for. | -| `dataSources` | array | `[]` | | LAW data sources to configure. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Audit]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `forceCmkForQuery` | bool | `True` | | Indicates whether customer managed storage is mandatory for query management. | -| `gallerySolutions` | array | `[]` | | List of gallerySolutions to be created in the log analytics workspace. | -| `linkedServices` | array | `[]` | | List of services to be linked. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicNetworkAccessForIngestion` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for accessing Log Analytics ingestion. | -| `publicNetworkAccessForQuery` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for accessing Log Analytics query. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `savedSearches` | array | `[]` | | Kusto Query Language searches to save. 
| -| `skuCapacityReservationLevel` | int | `100` | | The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. | -| `skuName` | string | `'PerGB2018'` | `[CapacityReservation, Free, LACluster, PerGB2018, PerNode, Premium, Standalone, Standard]` | The name of the SKU. | -| `storageInsightsConfigs` | array | `[]` | | List of storage accounts to be read by the workspace. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tables` | array | `[]` | | LAW custom tables to be deployed. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `useResourcePermissions` | bool | `False` | | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `logAnalyticsWorkspaceId` | string | The ID associated with the workspace. | -| `name` | string | The name of the deployed log analytics workspace. | -| `resourceGroupName` | string | The resource group of the deployed log analytics workspace. | -| `resourceId` | string | The resource ID of the deployed log analytics workspace. | -| `systemAssignedIdentityPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
+## Usage examples -| Reference | Type | -| :-- | :-- | -| `operations-management/solution` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/operational-insights.workspace:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Adv](#example-1-adv) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [Using only defaults](#example-3-using-only-defaults) -

Example 1: Adv

+### Example 1: _Adv_
via Bicep module ```bicep -module workspace './operational-insights/workspace/main.bicep' = { +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-oiwadv' params: { // Required parameters @@ -631,14 +568,17 @@ module workspace './operational-insights/workspace/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module workspace './operational-insights/workspace/main.bicep' = { +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-oiwcom' params: { // Required parameters @@ -1016,14 +956,17 @@ module workspace './operational-insights/workspace/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module workspace './operational-insights/workspace/main.bicep' = { +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-oiwmin' params: { // Required parameters @@ -1060,3 +1003,294 @@ module workspace './operational-insights/workspace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Log Analytics workspace. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`linkedStorageAccounts`](#parameter-linkedstorageaccounts) | array | List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`dailyQuotaGb`](#parameter-dailyquotagb) | int | The workspace daily quota for ingestion. | +| [`dataExports`](#parameter-dataexports) | array | LAW data export instances to be deployed. | +| [`dataRetention`](#parameter-dataretention) | int | Number of days data will be retained for. | +| [`dataSources`](#parameter-datasources) | array | LAW data sources to configure. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
| +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`forceCmkForQuery`](#parameter-forcecmkforquery) | bool | Indicates whether customer managed storage is mandatory for query management. | +| [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the log analytics workspace. | +| [`linkedServices`](#parameter-linkedservices) | array | List of services to be linked. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Log Analytics ingestion. | +| [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Log Analytics query. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`savedSearches`](#parameter-savedsearches) | array | Kusto Query Language searches to save. | +| [`skuCapacityReservationLevel`](#parameter-skucapacityreservationlevel) | int | The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. 
| +| [`skuName`](#parameter-skuname) | string | The name of the SKU. | +| [`storageInsightsConfigs`](#parameter-storageinsightsconfigs) | array | List of storage accounts to be read by the workspace. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tables`](#parameter-tables) | array | LAW custom tables to be deployed. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`useResourcePermissions`](#parameter-useresourcepermissions) | bool | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | + +### Parameter: `dailyQuotaGb` + +The workspace daily quota for ingestion. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `dataExports` + +LAW data export instances to be deployed. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `dataRetention` + +Number of days data will be retained for. +- Required: No +- Type: int +- Default: `365` + +### Parameter: `dataSources` + +LAW data sources to configure. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Audit]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of a log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `forceCmkForQuery` + +Indicates whether customer managed storage is mandatory for query management. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gallerySolutions` + +List of gallerySolutions to be created in the log analytics workspace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `linkedServices` + +List of services to be linked. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `linkedStorageAccounts` + +List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Log Analytics workspace. 
+- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccessForIngestion` + +The network access type for accessing Log Analytics ingestion. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `publicNetworkAccessForQuery` + +The network access type for accessing Log Analytics query. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `savedSearches` + +Kusto Query Language searches to save. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuCapacityReservationLevel` + +The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. +- Required: No +- Type: int +- Default: `100` + +### Parameter: `skuName` + +The name of the SKU. +- Required: No +- Type: string +- Default: `'PerGB2018'` +- Allowed: `[CapacityReservation, Free, LACluster, PerGB2018, PerNode, Premium, Standalone, Standard]` + +### Parameter: `storageInsightsConfigs` + +List of storage accounts to be read by the workspace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tables` + +LAW custom tables to be deployed. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `useResourcePermissions` + +Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `logAnalyticsWorkspaceId` | string | The ID associated with the workspace. | +| `name` | string | The name of the deployed log analytics workspace. | +| `resourceGroupName` | string | The resource group of the deployed log analytics workspace. | +| `resourceId` | string | The resource ID of the deployed log analytics workspace. | +| `systemAssignedIdentityPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/operations-management/solution` | Local reference | diff --git a/modules/operational-insights/workspace/data-export/README.md b/modules/operational-insights/workspace/data-export/README.md index cdf8f03317..74a748b284 100644 --- a/modules/operational-insights/workspace/data-export/README.md +++ b/modules/operational-insights/workspace/data-export/README.md 
@@ -19,29 +19,69 @@ This module deploys a Log Analytics Workspace Data Export. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The data export rule name. | +| [`name`](#parameter-name) | string | The data export rule name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `workspaceName` | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `destination` | object | `{object}` | Destination properties. | -| `enable` | bool | `False` | Active when enabled. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `tableNames` | array | `[]` | An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destination`](#parameter-destination) | object | Destination properties. | +| [`enable`](#parameter-enable) | bool | Active when enabled. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`tableNames`](#parameter-tablenames) | array | An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. | + +### Parameter: `destination` + +Destination properties. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enable` + +Active when enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The data export rule name. +- Required: Yes +- Type: string + +### Parameter: `tableNames` + +An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `workspaceName` + +The name of the parent workspaces. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the data export. | | `resourceGroupName` | string | The name of the resource group the data export was created in. | diff --git a/modules/operational-insights/workspace/data-export/main.json b/modules/operational-insights/workspace/data-export/main.json index 90194a5d43..ee5f16fa67 100644 --- a/modules/operational-insights/workspace/data-export/main.json +++ b/modules/operational-insights/workspace/data-export/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6853475409424559635" + "version": "0.22.6.54827", + "templateHash": "7753879701724594327" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export.", diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md index e0d5f9f875..80b966ff99 100644 --- a/modules/operational-insights/workspace/data-source/README.md +++ b/modules/operational-insights/workspace/data-source/README.md 
@@ -19,39 +19,150 @@ This module deploys a Log Analytics Workspace Data Source. **Required parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `kind` | string | `'AzureActivityLog'` | `[AzureActivityLog, IISLogs, LinuxPerformanceCollection, LinuxPerformanceObject, LinuxSyslog, LinuxSyslogCollection, WindowsEvent, WindowsPerformanceCounter]` | The kind of the DataSource. | -| `name` | string | | | Name of the solution. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-kind) | string | The kind of the DataSource. | +| [`name`](#parameter-name) | string | Name of the solution. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `counterName` | string | `''` | Counter name to configure when kind is WindowsPerformanceCounter. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventLogName` | string | `''` | Windows event log name to configure when kind is WindowsEvent. | -| `eventTypes` | array | `[]` | Windows event types to configure when kind is WindowsEvent. | -| `instanceName` | string | `'*'` | Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | -| `intervalSeconds` | int | `60` | Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. 
| -| `linkedResourceId` | string | `''` | Resource ID of the resource to be linked. | -| `objectName` | string | `''` | Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | -| `performanceCounters` | array | `[]` | List of counters to configure when the kind is LinuxPerformanceObject. | -| `state` | string | `''` | State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. | -| `syslogName` | string | `''` | System log to configure when kind is LinuxSyslog. | -| `syslogSeverities` | array | `[]` | Severities to configure when kind is LinuxSyslog. | -| `tags` | object | `{object}` | Tags to configure in the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`counterName`](#parameter-countername) | string | Counter name to configure when kind is WindowsPerformanceCounter. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventLogName`](#parameter-eventlogname) | string | Windows event log name to configure when kind is WindowsEvent. | +| [`eventTypes`](#parameter-eventtypes) | array | Windows event types to configure when kind is WindowsEvent. | +| [`instanceName`](#parameter-instancename) | string | Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | +| [`intervalSeconds`](#parameter-intervalseconds) | int | Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | +| [`linkedResourceId`](#parameter-linkedresourceid) | string | Resource ID of the resource to be linked. | +| [`objectName`](#parameter-objectname) | string | Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. | +| [`performanceCounters`](#parameter-performancecounters) | array | List of counters to configure when the kind is LinuxPerformanceObject. 
| +| [`state`](#parameter-state) | string | State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. | +| [`syslogName`](#parameter-syslogname) | string | System log to configure when kind is LinuxSyslog. | +| [`syslogSeverities`](#parameter-syslogseverities) | array | Severities to configure when kind is LinuxSyslog. | +| [`tags`](#parameter-tags) | object | Tags to configure in the resource. | + +### Parameter: `counterName` + +Counter name to configure when kind is WindowsPerformanceCounter. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventLogName` + +Windows event log name to configure when kind is WindowsEvent. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `eventTypes` + +Windows event types to configure when kind is WindowsEvent. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `instanceName` + +Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. +- Required: No +- Type: string +- Default: `'*'` + +### Parameter: `intervalSeconds` + +Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. +- Required: No +- Type: int +- Default: `60` + +### Parameter: `kind` + +The kind of the DataSource. +- Required: No +- Type: string +- Default: `'AzureActivityLog'` +- Allowed: `[AzureActivityLog, IISLogs, LinuxPerformanceCollection, LinuxPerformanceObject, LinuxSyslog, LinuxSyslogCollection, WindowsEvent, WindowsPerformanceCounter]` + +### Parameter: `linkedResourceId` + +Resource ID of the resource to be linked. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the solution. +- Required: Yes +- Type: string + +### Parameter: `objectName` + +Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `performanceCounters` + +List of counters to configure when the kind is LinuxPerformanceObject. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `state` + +State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `syslogName` + +System log to configure when kind is LinuxSyslog. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `syslogSeverities` + +Severities to configure when kind is LinuxSyslog. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags to configure in the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed data source. | | `resourceGroupName` | string | The resource group where the data source is deployed. | diff --git a/modules/operational-insights/workspace/data-source/main.json b/modules/operational-insights/workspace/data-source/main.json index 12e72aea0f..93d5aef582 100644 --- a/modules/operational-insights/workspace/data-source/main.json +++ b/modules/operational-insights/workspace/data-source/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "526173230944614742" + "version": "0.22.6.54827", + "templateHash": "7994060758159745935" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", 
diff --git a/modules/operational-insights/workspace/linked-service/README.md b/modules/operational-insights/workspace/linked-service/README.md index 57b5316e53..a05b704e17 100644 --- a/modules/operational-insights/workspace/linked-service/README.md +++ b/modules/operational-insights/workspace/linked-service/README.md 
@@ -19,29 +19,69 @@ This module deploys a Log Analytics Workspace Linked Service. **Required parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the link. | -| `resourceId` | string | `''` | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the link. | +| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tags` | object | `{object}` | Tags to configure in the resource. | -| `writeAccessResourceId` | string | `''` | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tags`](#parameter-tags) | object | Tags to configure in the resource. 
| +| [`writeAccessResourceId`](#parameter-writeaccessresourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the link. +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags to configure in the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `writeAccessResourceId` + +The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed linked service. | | `resourceGroupName` | string | The resource group where the linked service is deployed. | diff --git a/modules/operational-insights/workspace/linked-service/main.json b/modules/operational-insights/workspace/linked-service/main.json index c66c428091..e0de836475 100644 --- a/modules/operational-insights/workspace/linked-service/main.json +++ b/modules/operational-insights/workspace/linked-service/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6123492600831728521" + "version": "0.22.6.54827", + "templateHash": "15022791045507209174" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", diff --git a/modules/operational-insights/workspace/linked-storage-account/README.md b/modules/operational-insights/workspace/linked-storage-account/README.md index 67285fba0e..c29ee8ed40 100644 --- a/modules/operational-insights/workspace/linked-storage-account/README.md +++ b/modules/operational-insights/workspace/linked-storage-account/README.md 
@@ -19,27 +19,53 @@ This module deploys a Log Analytics Workspace Linked Storage Account. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | `[Alerts, AzureWatson, CustomLogs, Query]` | Name of the link. | -| `resourceId` | string | | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the link. | +| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the link. +- Required: Yes +- Type: string +- Allowed: `[Alerts, AzureWatson, CustomLogs, Query]` + +### Parameter: `resourceId` + +The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed linked storage account. | | `resourceGroupName` | string | The resource group where the linked storage account is deployed. | diff --git a/modules/operational-insights/workspace/linked-storage-account/main.json b/modules/operational-insights/workspace/linked-storage-account/main.json index ae62d06121..ae3c9c7965 100644 --- a/modules/operational-insights/workspace/linked-storage-account/main.json +++ b/modules/operational-insights/workspace/linked-storage-account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17235548432615830542" + "version": "0.22.6.54827", + "templateHash": "2117697022066188694" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index b662e00e8b..67aba2675c 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10794410731370898440" + "version": "0.22.6.54827", + "templateHash": "13390587976888913833" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", 
@@ -399,8 +399,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6875862134545079569" + "version": "0.22.6.54827", + "templateHash": "6643427484780531502" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", @@ -546,8 +546,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7090165993767697446" + "version": "0.22.6.54827", + "templateHash": "15022791045507209174" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -683,8 +683,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4972790707212258352" + "version": "0.22.6.54827", + "templateHash": "2117697022066188694" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", @@ -821,8 +821,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8574189144245494701" + "version": "0.22.6.54827", + "templateHash": "12667331360871593591" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search.", @@ -996,8 +996,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13008977267947771049" + "version": "0.22.6.54827", + "templateHash": "7753879701724594327" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export.", 
@@ -1146,8 +1146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17869715776960241714" + "version": "0.22.6.54827", + "templateHash": "7994060758159745935" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", @@ -1376,8 +1376,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13305914804653693951" + "version": "0.22.6.54827", + "templateHash": "9983426146462646968" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table.", @@ -1548,8 +1548,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9052763253522380709" + "version": "0.22.6.54827", + "templateHash": "2318608107759137473" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", @@ -1702,8 +1702,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3735355062180278453" + "version": "0.22.6.54827", + "templateHash": "17191832464911210338" } }, "parameters": { diff --git a/modules/operational-insights/workspace/saved-search/README.md b/modules/operational-insights/workspace/saved-search/README.md index 1db2ca47d5..6d8fabc766 100644 --- a/modules/operational-insights/workspace/saved-search/README.md +++ b/modules/operational-insights/workspace/saved-search/README.md 
@@ -19,34 +19,106 @@ This module deploys a Log Analytics Workspace Saved Search. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `category` | string | Query category. | -| `displayName` | string | Display name for the search. | -| `name` | string | Name of the saved search. | -| `query` | string | Kusto Query to be stored. | +| [`category`](#parameter-category) | string | Query category. | +| [`displayName`](#parameter-displayname) | string | Display name for the search. | +| [`name`](#parameter-name) | string | Name of the saved search. | +| [`query`](#parameter-query) | string | Kusto Query to be stored. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `etag` | string | `'*'` | The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. | -| `functionAlias` | string | `''` | The function alias if query serves as a function. | -| `functionParameters` | string | `''` | The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. | -| `tags` | array | `[]` | Tags to configure in the resource. 
| -| `version` | int | `2` | The version number of the query language. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`etag`](#parameter-etag) | string | The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. | +| [`functionAlias`](#parameter-functionalias) | string | The function alias if query serves as a function. | +| [`functionParameters`](#parameter-functionparameters) | string | The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. | +| [`tags`](#parameter-tags) | array | Tags to configure in the resource. | +| [`version`](#parameter-version) | int | The version number of the query language. | + +### Parameter: `category` + +Query category. +- Required: Yes +- Type: string + +### Parameter: `displayName` + +Display name for the search. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `etag` + +The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. +- Required: No +- Type: string +- Default: `'*'` + +### Parameter: `functionAlias` + +The function alias if query serves as a function. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `functionParameters` + +The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". 
For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the saved search. +- Required: Yes +- Type: string + +### Parameter: `query` + +Kusto Query to be stored. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags to configure in the resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `version` + +The version number of the query language. +- Required: No +- Type: int +- Default: `2` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed saved search. | | `resourceGroupName` | string | The resource group where the saved search is deployed. | diff --git a/modules/operational-insights/workspace/saved-search/main.json b/modules/operational-insights/workspace/saved-search/main.json index 7fc7ee5138..43332dd89b 100644 --- a/modules/operational-insights/workspace/saved-search/main.json +++ b/modules/operational-insights/workspace/saved-search/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8574189144245494701" + "version": "0.22.6.54827", + "templateHash": "12667331360871593591" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search.", diff --git a/modules/operational-insights/workspace/storage-insight-config/README.md b/modules/operational-insights/workspace/storage-insight-config/README.md index 032ee4b2c8..4d77ca61f1 100644 --- a/modules/operational-insights/workspace/storage-insight-config/README.md +++ b/modules/operational-insights/workspace/storage-insight-config/README.md 
@@ -19,30 +19,77 @@ This module deploys a Log Analytics Workspace Storage Insight Config. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountResourceId` | string | The Azure Resource Manager ID of the storage account resource. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | The Azure Resource Manager ID of the storage account resource. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `containers` | array | `[]` | The names of the blob containers that the workspace should read. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]` | The name of the storage insights config. | -| `tables` | array | `[]` | The names of the Azure tables that the workspace should read. | -| `tags` | object | `{object}` | Tags to configure in the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | The names of the blob containers that the workspace should read. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the storage insights config. 
| +| [`tables`](#parameter-tables) | array | The names of the Azure tables that the workspace should read. | +| [`tags`](#parameter-tags) | object | Tags to configure in the resource. | + +### Parameter: `containers` + +The names of the blob containers that the workspace should read. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the storage insights config. +- Required: No +- Type: string +- Default: `[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]` + +### Parameter: `storageAccountResourceId` + +The Azure Resource Manager ID of the storage account resource. +- Required: Yes +- Type: string + +### Parameter: `tables` + +The names of the Azure tables that the workspace should read. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags to configure in the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the storage insights configuration. | | `resourceGroupName` | string | The resource group where the storage insight configuration is deployed. | diff --git a/modules/operational-insights/workspace/storage-insight-config/main.json b/modules/operational-insights/workspace/storage-insight-config/main.json index 86d2fdda8b..d5e4378634 100644 --- a/modules/operational-insights/workspace/storage-insight-config/main.json +++ b/modules/operational-insights/workspace/storage-insight-config/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5679144933666454393" + "version": "0.22.6.54827", + "templateHash": "6643427484780531502" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", diff --git a/modules/operational-insights/workspace/table/README.md b/modules/operational-insights/workspace/table/README.md index 3dde1dedf4..d3d75c4af5 100644 --- a/modules/operational-insights/workspace/table/README.md +++ b/modules/operational-insights/workspace/table/README.md 
@@ -19,32 +19,94 @@ This module deploys a Log Analytics Workspace Table. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the table. | +| [`name`](#parameter-name) | string | The name of the table. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `workspaceName` | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent workspaces. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `plan` | string | `'Analytics'` | `[Analytics, Basic]` | Instruct the system how to handle and charge the logs ingested to this table. | -| `restoredLogs` | object | `{object}` | | Restore parameters. | -| `retentionInDays` | int | `-1` | | The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. | -| `schema` | object | `{object}` | | Table's schema. | -| `searchResults` | object | `{object}` | | Parameters of the search job that initiated this table. | -| `totalRetentionInDays` | int | `-1` | | The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`plan`](#parameter-plan) | string | Instruct the system how to handle and charge the logs ingested to this table. 
| +| [`restoredLogs`](#parameter-restoredlogs) | object | Restore parameters. | +| [`retentionInDays`](#parameter-retentionindays) | int | The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. | +| [`schema`](#parameter-schema) | object | Table's schema. | +| [`searchResults`](#parameter-searchresults) | object | Parameters of the search job that initiated this table. | +| [`totalRetentionInDays`](#parameter-totalretentionindays) | int | The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the table. +- Required: Yes +- Type: string + +### Parameter: `plan` + +Instruct the system how to handle and charge the logs ingested to this table. +- Required: No +- Type: string +- Default: `'Analytics'` +- Allowed: `[Analytics, Basic]` + +### Parameter: `restoredLogs` + +Restore parameters. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `retentionInDays` + +The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `schema` + +Table's schema. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `searchResults` + +Parameters of the search job that initiated this table. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `totalRetentionInDays` + +The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `workspaceName` + +The name of the parent workspaces. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the table. | | `resourceGroupName` | string | The name of the resource group the table was created in. | diff --git a/modules/operational-insights/workspace/table/main.json b/modules/operational-insights/workspace/table/main.json index 83bbc2a91d..91a62f8371 100644 --- a/modules/operational-insights/workspace/table/main.json +++ b/modules/operational-insights/workspace/table/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "761158132904084297" + "version": "0.22.6.54827", + "templateHash": "9983426146462646968" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table.", diff --git a/modules/operations-management/solution/.test/min/main.test.bicep b/modules/operations-management/solution/.test/min/main.test.bicep index 4fa83443b2..0fea432bd3 100644 --- a/modules/operations-management/solution/.test/min/main.test.bicep +++ b/modules/operations-management/solution/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/operations-management/solution/README.md b/modules/operations-management/solution/README.md index bb0ffe8148..d40752a387 100644 --- a/modules/operations-management/solution/README.md +++ b/modules/operations-management/solution/README.md 
@@ -5,10 +5,10 @@ This module deploys an Operations Management Solution. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -16,53 +16,29 @@ This module deploys an Operations Management Solution. | :-- | :-- | | `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | Name of the Log Analytics workspace where the solution will be deployed/enabled. | -| `name` | string | Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/operations-management.solution:1.0.0`. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `product` | string | `'OMSGallery'` | The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. | -| `publisher` | string | `'Microsoft'` | The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. 
| - - -## Outputs +- [Using only defaults](#example-1-using-only-defaults) +- [Ms](#example-2-ms) +- [Nonms](#example-3-nonms) -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed solution. | -| `resourceGroupName` | string | The resource group where the solution is deployed. | -| `resourceId` | string | The resource ID of the deployed solution. | +### Example 1: _Using only defaults_ -## Cross-referenced modules +This instance deploys the module with the minimum set of required parameters. -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Min

via Bicep module ```bicep -module solution './operations-management/solution/main.bicep' = { +module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-omsmin' params: { // Required parameters @@ -104,14 +80,14 @@ module solution './operations-management/solution/main.bicep' = {

-

Example 2: Ms

+### Example 2: _Ms_
via Bicep module ```bicep -module solution './operations-management/solution/main.bicep' = { +module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-omsms' params: { // Required parameters @@ -161,14 +137,14 @@ module solution './operations-management/solution/main.bicep' = {

-

Example 3: Nonms

+### Example 3: _Nonms_
via Bicep module ```bicep -module solution './operations-management/solution/main.bicep' = { +module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-omsnonms' params: { // Required parameters @@ -217,3 +193,76 @@ module solution './operations-management/solution/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`logAnalyticsWorkspaceName`](#parameter-loganalyticsworkspacename) | string | Name of the Log Analytics workspace where the solution will be deployed/enabled. | +| [`name`](#parameter-name) | string | Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`product`](#parameter-product) | string | The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. | +| [`publisher`](#parameter-publisher) | string | The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `logAnalyticsWorkspaceName` + +Name of the Log Analytics workspace where the solution will be deployed/enabled. +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. +- Required: Yes +- Type: string + +### Parameter: `product` + +The product of the deployed solution. 
For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. +- Required: No +- Type: string +- Default: `'OMSGallery'` + +### Parameter: `publisher` + +The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. +- Required: No +- Type: string +- Default: `'Microsoft'` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed solution. | +| `resourceGroupName` | string | The resource group where the solution is deployed. | +| `resourceId` | string | The resource ID of the deployed solution. | + +## Cross-referenced modules + +_None_ diff --git a/modules/operations-management/solution/main.json b/modules/operations-management/solution/main.json index 6ff5586ce1..a2c344b5ad 100644 --- a/modules/operations-management/solution/main.json +++ b/modules/operations-management/solution/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9052763253522380709" + "version": "0.22.6.54827", + "templateHash": "2318608107759137473" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md index cb7a763830..58d11035d5 100644 --- a/modules/policy-insights/remediation/README.md +++ b/modules/policy-insights/remediation/README.md 
@@ -5,10 +5,10 @@ This module deploys a Policy Insights Remediation. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -17,59 +17,29 @@ This module deploys a Policy Insights Remediation. | :-- | :-- | | `Microsoft.PolicyInsights/remediations` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PolicyInsights/2021-10-01/remediations) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy remediation. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that should be remediated. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `failureThresholdPercentage` | string | `'1'` | | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | -| `filtersLocations` | array | `[]` | | The filters that will be applied to determine which resources to remediate. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `managementGroupId` | string | `[managementGroup().name]` | | The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | -| `parallelDeployments` | int | `10` | | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| -| `policyDefinitionReferenceId` | string | `''` | | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | -| `resourceCount` | int | `500` | | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | -| `resourceDiscoveryMode` | string | `'ExistingNonCompliant'` | `[ExistingNonCompliant, ReEvaluateCompliance]` | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | -| `resourceGroupName` | string | `''` | | The target scope for the remediation. The name of the resource group for the policy assignment. | -| `subscriptionId` | string | `''` | | The target scope for the remediation. The subscription ID of the subscription for the policy assignment. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the remediation. | -| `resourceId` | string | The resource ID of the remediation. | - -## Cross-referenced modules +## Usage examples -_None_ +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/policy-insights.remediation:1.0.0`. 
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) -

Example 1: Mg.Common

+### Example 1: _Mg.Common_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-pirmgcom' params: { // Required parameters @@ -143,14 +113,14 @@ module remediation './policy-insights/remediation/main.bicep' = {

-

Example 2: Mg.Min

+### Example 2: _Mg.Min_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pirmgmin' params: { // Required parameters @@ -192,14 +162,14 @@ module remediation './policy-insights/remediation/main.bicep' = {

-

Example 3: Rg.Common

+### Example 3: _Rg.Common_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pirrgcom' params: { // Required parameters @@ -273,14 +243,14 @@ module remediation './policy-insights/remediation/main.bicep' = {

-

Example 4: Rg.Min

+### Example 4: _Rg.Min_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pirrgmin' params: { // Required parameters @@ -322,14 +292,14 @@ module remediation './policy-insights/remediation/main.bicep' = {

-

Example 5: Sub.Common

+### Example 5: _Sub.Common_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pirsubcom' params: { // Required parameters @@ -403,14 +373,14 @@ module remediation './policy-insights/remediation/main.bicep' = {

-

Example 6: Sub.Min

+### Example 6: _Sub.Min_
via Bicep module ```bicep -module remediation './policy-insights/remediation/main.bicep' = { +module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pirsubmin' params: { // Required parameters @@ -453,6 +423,134 @@ module remediation './policy-insights/remediation/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | +| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | +| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| +| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | +| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | +| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The target scope for the remediation. The name of the resource group for the policy assignment. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The target scope for the remediation. The subscription ID of the subscription for the policy assignment. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `failureThresholdPercentage` + +The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. +- Required: No +- Type: string +- Default: `'1'` + +### Parameter: `filtersLocations` + +The filters that will be applied to determine which resources to remediate. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location deployment metadata. 
+- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `name` + +Specifies the name of the policy remediation. +- Required: Yes +- Type: string + +### Parameter: `parallelDeployments` + +Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. +- Required: No +- Type: int +- Default: `10` + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceId` + +The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceCount` + +Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. +- Required: No +- Type: int +- Default: `500` + +### Parameter: `resourceDiscoveryMode` + +The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. +- Required: No +- Type: string +- Default: `'ExistingNonCompliant'` +- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` + +### Parameter: `resourceGroupName` + +The target scope for the remediation. The name of the resource group for the policy assignment. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptionId` + +The target scope for the remediation. The subscription ID of the subscription for the policy assignment. +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the remediation. | +| `resourceId` | string | The resource ID of the remediation. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `managementGroupId` diff --git a/modules/policy-insights/remediation/main.json b/modules/policy-insights/remediation/main.json index c87b56a9bd..cc27386cb2 100644 --- a/modules/policy-insights/remediation/main.json +++ b/modules/policy-insights/remediation/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9470777729167902898" + "version": "0.22.6.54827", + "templateHash": "4742101117506662139" }, "name": "Policy Insights Remediations", "description": "This module deploys a Policy Insights Remediation.", @@ -179,8 +179,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5184556478687760186" + "version": "0.22.6.54827", + "templateHash": "9807832589850582654" }, "name": "Policy Insights Remediations (Management Group scope)", "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", @@ -375,8 +375,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9797290259140842527" + "version": "0.22.6.54827", + "templateHash": "8491362450892267233" }, "name": "Policy Insights Remediations (Subscription scope)", "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", 
@@ -571,8 +571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15508810300941948916" + "version": "0.22.6.54827", + "templateHash": "1603868954809777625" }, "name": "Policy Insights Remediations (Resource Group scope)", "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", diff --git a/modules/policy-insights/remediation/management-group/README.md b/modules/policy-insights/remediation/management-group/README.md index 7a747eb168..f7bb79c449 100644 --- a/modules/policy-insights/remediation/management-group/README.md +++ b/modules/policy-insights/remediation/management-group/README.md 
@@ -19,28 +19,97 @@ This module deploys a Policy Insights Remediation on a Management Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy remediation. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that should be remediated. | +| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `failureThresholdPercentage` | string | `'1'` | | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | -| `filtersLocations` | array | `[]` | | The filters that will be applied to determine which resources to remediate. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `parallelDeployments` | int | `10` | | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| -| `policyDefinitionReferenceId` | string | `''` | | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | -| `resourceCount` | int | `500` | | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | -| `resourceDiscoveryMode` | string | `'ExistingNonCompliant'` | `[ExistingNonCompliant, ReEvaluateCompliance]` | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | +| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| +| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | +| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | +| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `failureThresholdPercentage` + +The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. +- Required: No +- Type: string +- Default: `'1'` + +### Parameter: `filtersLocations` + +The filters that will be applied to determine which resources to remediate. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `name` + +Specifies the name of the policy remediation. +- Required: Yes +- Type: string + +### Parameter: `parallelDeployments` + +Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. 
If not provided, the default parallel deployments value is used. +- Required: No +- Type: int +- Default: `10` + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceId` + +The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceCount` + +Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. +- Required: No +- Type: int +- Default: `500` + +### Parameter: `resourceDiscoveryMode` + +The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. +- Required: No +- Type: string +- Default: `'ExistingNonCompliant'` +- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the remediation. | diff --git a/modules/policy-insights/remediation/management-group/main.json b/modules/policy-insights/remediation/management-group/main.json index 0a87c250c0..bc27183d72 100644 --- a/modules/policy-insights/remediation/management-group/main.json +++ b/modules/policy-insights/remediation/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1304798094791157917" + "version": "0.22.6.54827", + "templateHash": "9807832589850582654" }, "name": "Policy Insights Remediations (Management Group scope)", "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", 
diff --git a/modules/policy-insights/remediation/resource-group/README.md b/modules/policy-insights/remediation/resource-group/README.md index 88c4aa8f58..a354a06627 100644 --- a/modules/policy-insights/remediation/resource-group/README.md +++ b/modules/policy-insights/remediation/resource-group/README.md 
@@ -19,28 +19,97 @@ This module deploys a Policy Insights Remediation on a Resource Group scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy remediation. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that should be remediated. | +| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `failureThresholdPercentage` | string | `'1'` | | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | -| `filtersLocations` | array | `[]` | | The filters that will be applied to determine which resources to remediate. | -| `location` | string | `[resourceGroup().location]` | | Location deployment metadata. | -| `parallelDeployments` | int | `10` | | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| -| `policyDefinitionReferenceId` | string | `''` | | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | -| `resourceCount` | int | `500` | | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | -| `resourceDiscoveryMode` | string | `'ExistingNonCompliant'` | `[ExistingNonCompliant, ReEvaluateCompliance]` | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | +| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| +| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | +| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | +| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `failureThresholdPercentage` + +The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. +- Required: No +- Type: string +- Default: `'1'` + +### Parameter: `filtersLocations` + +The filters that will be applied to determine which resources to remediate. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Specifies the name of the policy remediation. +- Required: Yes +- Type: string + +### Parameter: `parallelDeployments` + +Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. 
If not provided, the default parallel deployments value is used. +- Required: No +- Type: int +- Default: `10` + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceId` + +The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceCount` + +Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. +- Required: No +- Type: int +- Default: `500` + +### Parameter: `resourceDiscoveryMode` + +The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. +- Required: No +- Type: string +- Default: `'ExistingNonCompliant'` +- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the remediation. | diff --git a/modules/policy-insights/remediation/resource-group/main.json b/modules/policy-insights/remediation/resource-group/main.json index be6c9e58b0..ec8b34293a 100644 --- a/modules/policy-insights/remediation/resource-group/main.json +++ b/modules/policy-insights/remediation/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16839903448259241444" + "version": "0.22.6.54827", + "templateHash": "1603868954809777625" }, "name": "Policy Insights Remediations (Resource Group scope)", "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", 
diff --git a/modules/policy-insights/remediation/subscription/README.md b/modules/policy-insights/remediation/subscription/README.md index 82a91bb72b..0ed9328e97 100644 --- a/modules/policy-insights/remediation/subscription/README.md +++ b/modules/policy-insights/remediation/subscription/README.md 
@@ -19,28 +19,97 @@ This module deploys a Policy Insights Remediation on a Subscription scope. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy remediation. | -| `policyAssignmentId` | string | The resource ID of the policy assignment that should be remediated. | +| [`name`](#parameter-name) | string | Specifies the name of the policy remediation. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | The resource ID of the policy assignment that should be remediated. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `failureThresholdPercentage` | string | `'1'` | | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | -| `filtersLocations` | array | `[]` | | The filters that will be applied to determine which resources to remediate. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `parallelDeployments` | int | `10` | | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| -| `policyDefinitionReferenceId` | string | `''` | | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | -| `resourceCount` | int | `500` | | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | -| `resourceDiscoveryMode` | string | `'ExistingNonCompliant'` | `[ExistingNonCompliant, ReEvaluateCompliance]` | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`failureThresholdPercentage`](#parameter-failurethresholdpercentage) | string | The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. | +| [`filtersLocations`](#parameter-filterslocations) | array | The filters that will be applied to determine which resources to remediate. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`parallelDeployments`](#parameter-paralleldeployments) | int | Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. 
| +| [`policyDefinitionReferenceId`](#parameter-policydefinitionreferenceid) | string | The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. | +| [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | +| [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `failureThresholdPercentage` + +The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. +- Required: No +- Type: string +- Default: `'1'` + +### Parameter: `filtersLocations` + +The filters that will be applied to determine which resources to remediate. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `name` + +Specifies the name of the policy remediation. +- Required: Yes +- Type: string + +### Parameter: `parallelDeployments` + +Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. 
If not provided, the default parallel deployments value is used. +- Required: No +- Type: int +- Default: `10` + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionReferenceId` + +The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceCount` + +Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. +- Required: No +- Type: int +- Default: `500` + +### Parameter: `resourceDiscoveryMode` + +The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. +- Required: No +- Type: string +- Default: `'ExistingNonCompliant'` +- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the remediation. | diff --git a/modules/policy-insights/remediation/subscription/main.json b/modules/policy-insights/remediation/subscription/main.json index 499c963670..b7d7bb8b13 100644 --- a/modules/policy-insights/remediation/subscription/main.json +++ b/modules/policy-insights/remediation/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16781098206548824638" + "version": "0.22.6.54827", + "templateHash": "8491362450892267233" }, "name": "Policy Insights Remediations (Subscription scope)", "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", 
diff --git a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
index 8a9b62ee77..e2222db5b8 100644
--- a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
index fee53d9951..dea599ae13 100644
--- a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md
index a5f670d0ad..8257071543 100644
--- a/modules/power-bi-dedicated/capacity/README.md
+++ b/modules/power-bi-dedicated/capacity/README.md
@@ -5,10 +5,10 @@ This module deploys a Power BI Dedicated Capacity. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types
@@ -18,58 +18,28 @@ This module deploys a Power BI Dedicated Capacity. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.PowerBIDedicated/capacities` | [2021-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PowerBIDedicated/2021-01-01/capacities) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `members` | array | Members of the resource. | -| `name` | string | Name of the PowerBI Embedded. | -| `skuCapacity` | int | SkuCapacity of the resource. | - -**Optional parameters** +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | -| `mode` | string | `'Gen2'` | `[Gen1, Gen2]` | Mode of the resource. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| -| `skuName` | string | `'A1'` | `[A1, A2, A3, A4, A5, A6]` | SkuCapacity of the resource. | -| `skuTier` | string | `'PBIE_Azure'` | `[AutoPremiumHost, PBIE_Azure, Premium]` | SkuCapacity of the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/power-bi-dedicated.capacity:1.0.0`. +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the PowerBi Embedded. | -| `resourceGroupName` | string | The name of the resource group the PowerBi Embedded was created in. | -| `resourceId` | string | The resource ID of the PowerBi Embedded. | - -## Cross-referenced modules - -_None_ - -## Deployment examples +### Example 1: _Using large parameter set_ -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +This instance deploys the module with most of its features enabled. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module capacity './power-bi-dedicated/capacity/main.bicep' = { +module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-pbdcapcom' params: { // Required parameters @@ -155,14 +125,17 @@ module capacity './power-bi-dedicated/capacity/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module capacity './power-bi-dedicated/capacity/main.bicep' = { +module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-pbdcapmin' params: { // Required parameters @@ -211,3 +184,119 @@ module capacity './power-bi-dedicated/capacity/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`members`](#parameter-members) | array | Members of the resource. | +| [`name`](#parameter-name) | string | Name of the PowerBI Embedded. | +| [`skuCapacity`](#parameter-skucapacity) | int | SkuCapacity of the resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`mode`](#parameter-mode) | string | Mode of the resource. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | SkuCapacity of the resource. | +| [`skuTier`](#parameter-skutier) | string | SkuCapacity of the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, NotSpecified, ReadOnly]` + +### Parameter: `members` + +Members of the resource. 
+- Required: Yes +- Type: array + +### Parameter: `mode` + +Mode of the resource. +- Required: No +- Type: string +- Default: `'Gen2'` +- Allowed: `[Gen1, Gen2]` + +### Parameter: `name` + +Name of the PowerBI Embedded. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuCapacity` + +SkuCapacity of the resource. +- Required: Yes +- Type: int + +### Parameter: `skuName` + +SkuCapacity of the resource. +- Required: No +- Type: string +- Default: `'A1'` +- Allowed: `[A1, A2, A3, A4, A5, A6]` + +### Parameter: `skuTier` + +SkuCapacity of the resource. +- Required: No +- Type: string +- Default: `'PBIE_Azure'` +- Allowed: `[AutoPremiumHost, PBIE_Azure, Premium]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Name of the PowerBi Embedded. | +| `resourceGroupName` | string | The name of the resource group the PowerBi Embedded was created in. | +| `resourceId` | string | The resource ID of the PowerBi Embedded. | + +## Cross-referenced modules + +_None_ diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json index 7e34e223ae..aafdb27cf3 100644 --- a/modules/power-bi-dedicated/capacity/main.json +++ b/modules/power-bi-dedicated/capacity/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "924797605355156375"
+ "version": "0.22.6.54827",
+ "templateHash": "9399428020393768552"
 },
 "name": "Power BI Dedicated Capacities",
 "description": "This module deploys a Power BI Dedicated Capacity.",
@@ -184,8 +184,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "18119555403422726514"
+ "version": "0.22.6.54827",
+ "templateHash": "4655209444733495279"
 }
 },
 "parameters": {
diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep
index c716eb8807..e2746b7ebf 100644
--- a/modules/purview/account/.test/common/main.test.bicep
+++ b/modules/purview/account/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/purview/account/.test/min/main.test.bicep b/modules/purview/account/.test/min/main.test.bicep
index bdafc9b679..8cf13684b3 100644
--- a/modules/purview/account/.test/min/main.test.bicep
+++ b/modules/purview/account/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md
index ea412e85c2..78a48d77ad 100644
--- a/modules/purview/account/README.md
+++ b/modules/purview/account/README.md
@@ -5,10 +5,10 @@ This module deploys a Purview Account. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -21,77 +21,28 @@ This module deploys a Purview Account. | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Purview/accounts` | [2021-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Purview Account. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `accountPrivateEndpoints` | array | `[]` | | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventHubPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedResourceGroupName` | string | `[format('managed-rg-{0}', parameters('name'))]` | | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | -| `portalPrivateEndpoints` | array | `[]` | | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | -| `publicNetworkAccess` | string | `'NotSpecified'` | `[Disabled, Enabled, NotSpecified]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `storageBlobPrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | -| `storageQueuePrivateEndpoints` | array | `[]` | | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace. | -| `managedResourceGroupId` | string | The resource ID of the managed resource group. | -| `managedResourceGroupName` | string | The name of the managed resource group. | -| `managedStorageAccountId` | string | The resource ID of the managed storage account. | -| `name` | string | The name of the Purview Account. | -| `resourceGroupName` | string | The resource group the Purview Account was deployed into. | -| `resourceId` | string | The resource ID of the Purview Account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/purview.account:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module account './purview/account/main.bicep' = { +module account 'br:bicep/modules/purview.account:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pvacom' params: { // Required parameters @@ -387,14 +338,17 @@ module account './purview/account/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module account './purview/account/main.bicep' = { +module account 'br:bicep/modules/purview.account:1.0.0' = { name: '${uniqueString(deployment().name)}-test-pvamin' params: { // Required parameters @@ -435,3 +389,210 @@ module account './purview/account/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Purview Account. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accountPrivateEndpoints`](#parameter-accountprivateendpoints) | array | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | +| [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`storageBlobPrivateEndpoints`](#parameter-storageblobprivateendpoints) | array | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | +| [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `accountPrivateEndpoints` + +Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[allLogs]`
+- Allowed: `['', allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `eventHubPrivateEndpoints`
+
+Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `managedResourceGroupName`
+
+The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'.
+- Required: No
+- Type: string
+- Default: `[format('managed-rg-{0}', parameters('name'))]`
+
+### Parameter: `name`
+
+Name of the Purview Account.
+- Required: Yes
+- Type: string
+
+### Parameter: `portalPrivateEndpoints`
+
+Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicNetworkAccess`
+
+Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.
+- Required: No
+- Type: string
+- Default: `'NotSpecified'`
+- Allowed: `[Disabled, Enabled, NotSpecified]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `storageBlobPrivateEndpoints`
+
+Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `storageQueuePrivateEndpoints`
+
+Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `managedEventHubId` | string | The resource ID of the managed Event Hub Namespace. |
+| `managedResourceGroupId` | string | The resource ID of the managed resource group. |
+| `managedResourceGroupName` | string | The name of the managed resource group. |
+| `managedStorageAccountId` | string | The resource ID of the managed storage account. |
+| `name` | string | The name of the Purview Account. |
+| `resourceGroupName` | string | The resource group the Purview Account was deployed into. |
+| `resourceId` | string | The resource ID of the Purview Account. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json
index 4c5a590e59..9133d24ca9 100644
--- a/modules/purview/account/main.json
+++ b/modules/purview/account/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13858870839826071407" + "version": "0.22.6.54827", + "templateHash": "5252602419334487318" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -316,8 +316,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -516,8 +516,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -654,8 +654,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -880,8 +880,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1080,8 +1080,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1218,8 +1218,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1444,8 +1444,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1644,8 +1644,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1782,8 +1782,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2008,8 +2008,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2208,8 +2208,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2346,8 +2346,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { 
@@ -2572,8 +2572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2772,8 +2772,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2910,8 +2910,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -3124,8 +3124,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12596337449494040710" + "version": "0.22.6.54827", + "templateHash": "15861709353924438880" } }, "parameters": { diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep index dc9857d7c9..aa714983ad 100644 --- a/modules/recovery-services/vault/.test/common/main.test.bicep +++ b/modules/recovery-services/vault/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/recovery-services/vault/.test/min/main.test.bicep b/modules/recovery-services/vault/.test/min/main.test.bicep index d34d8bced4..8477f9fb08 100644 --- a/modules/recovery-services/vault/.test/min/main.test.bicep +++ b/modules/recovery-services/vault/.test/min/main.test.bicep 
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 9adaee17b2..c7bbaa77ff 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -5,10 +5,10 @@ This module deploys a Recovery Services Vault.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -31,78 +31,29 @@ This module deploys a Recovery Services Vault. | `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) | | `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-10-01/vaults/replicationPolicies) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Azure Recovery Service Vault. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backupConfig` | _[backupConfig](backup-config/README.md)_ object | `{object}` | | The backup configuration. | -| `backupPolicies` | array | `[]` | | List of all backup policies. | -| `backupStorageConfig` | _[backupStorageConfig](backup-storage-config/README.md)_ object | `{object}` | | The storage configuration for the Azure Recovery Service Vault. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', AddonAzureBackupAlerts, AddonAzureBackupJobs, AddonAzureBackupPolicy, AddonAzureBackupProtectedInstance, AddonAzureBackupStorage, allLogs, AzureBackupReport, AzureSiteRecoveryEvents, AzureSiteRecoveryJobs, AzureSiteRecoveryProtectedDiskDataChurn, AzureSiteRecoveryRecoveryPoints, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationDataUploadRate, AzureSiteRecoveryReplicationStats, CoreAzureBackup]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Health]` | `[Health]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `monitoringSettings` | object | `{object}` | | Monitoring Settings of the vault. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `protectionContainers` | array | `[]` | | List of all protection containers. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. | -| `replicationAlertSettings` | object | `{object}` | | Replication alert settings. 
| -| `replicationFabrics` | array | `[]` | | List of all replication fabrics. | -| `replicationPolicies` | array | `[]` | | List of all replication policies. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securitySettings` | object | `{object}` | | Security Settings of the vault. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the Recovery Service Vault resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the recovery services vault. | -| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | -| `resourceId` | string | The resource ID of the recovery services vault. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/recovery-services.vault:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Dr](#example-2-dr) +- [Using only defaults](#example-3-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module vault './recovery-services/vault/main.bicep' = { +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rsvcom' params: { // Required parameters @@ -754,14 +705,14 @@ module vault './recovery-services/vault/main.bicep' = {

-

Example 2: Dr

+### Example 2: _Dr_
via Bicep module ```bicep -module vault './recovery-services/vault/main.bicep' = { +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rsvdr' params: { // Required parameters @@ -925,14 +876,17 @@ module vault './recovery-services/vault/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module vault './recovery-services/vault/main.bicep' = { +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rsvmin' params: { // Required parameters @@ -969,3 +923,246 @@ module vault './recovery-services/vault/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backupConfig`](#parameter-backupconfig) | object | The backup configuration. | +| [`backupPolicies`](#parameter-backuppolicies) | array | List of all backup policies. | +| [`backupStorageConfig`](#parameter-backupstorageconfig) | object | The storage configuration for the Azure Recovery Service Vault. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`monitoringSettings`](#parameter-monitoringsettings) | object | Monitoring Settings of the vault. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`protectionContainers`](#parameter-protectioncontainers) | array | List of all protection containers. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. | +| [`replicationAlertSettings`](#parameter-replicationalertsettings) | object | Replication alert settings. | +| [`replicationFabrics`](#parameter-replicationfabrics) | array | List of all replication fabrics. | +| [`replicationPolicies`](#parameter-replicationpolicies) | array | List of all replication policies. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. 
| + +### Parameter: `backupConfig` + +The backup configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `backupPolicies` + +List of all backup policies. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `backupStorageConfig` + +The storage configuration for the Azure Recovery Service Vault. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', AddonAzureBackupAlerts, AddonAzureBackupJobs, AddonAzureBackupPolicy, AddonAzureBackupProtectedInstance, AddonAzureBackupStorage, allLogs, AzureBackupReport, AzureSiteRecoveryEvents, AzureSiteRecoveryJobs, AzureSiteRecoveryProtectedDiskDataChurn, AzureSiteRecoveryRecoveryPoints, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationDataUploadRate, AzureSiteRecoveryReplicationStats, CoreAzureBackup]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Health]` +- Allowed: `[Health]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `monitoringSettings` + +Monitoring Settings of the vault. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Name of the Azure Recovery Service Vault. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `protectionContainers` + +List of all protection containers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `replicationAlertSettings` + +Replication alert settings. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `replicationFabrics` + +List of all replication fabrics. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `replicationPolicies` + +List of all replication policies. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securitySettings` + +Security Settings of the vault. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the Recovery Service Vault resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Name of the recovery services vault. | +| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | +| `resourceId` | string | The resource ID of the recovery services vault. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | 
diff --git a/modules/recovery-services/vault/backup-config/README.md b/modules/recovery-services/vault/backup-config/README.md
index 8b9118b29d..5ce1b92970 100644
--- a/modules/recovery-services/vault/backup-config/README.md
+++ b/modules/recovery-services/vault/backup-config/README.md
@@ -19,28 +19,102 @@ This module deploys a Recovery Services Vault Backup Config. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enhancedSecurityState` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. | -| `isSoftDeleteFeatureStateEditable` | bool | `True` | | Is soft delete feature state editable. | -| `name` | string | `'vaultconfig'` | | Name of the Azure Recovery Service Vault Backup Policy. | -| `resourceGuardOperationRequests` | array | `[]` | | ResourceGuard Operation Requests. | -| `softDeleteFeatureState` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. | -| `storageModelType` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Storage type. | -| `storageType` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Storage type. | -| `storageTypeState` | string | `'Locked'` | `[Locked, Unlocked]` | Once a machine is registered against a resource, the storageTypeState is always Locked. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enhancedSecurityState`](#parameter-enhancedsecuritystate) | string | Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. | +| [`isSoftDeleteFeatureStateEditable`](#parameter-issoftdeletefeaturestateeditable) | bool | Is soft delete feature state editable. | +| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Backup Policy. | +| [`resourceGuardOperationRequests`](#parameter-resourceguardoperationrequests) | array | ResourceGuard Operation Requests. | +| [`softDeleteFeatureState`](#parameter-softdeletefeaturestate) | string | Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. | +| [`storageModelType`](#parameter-storagemodeltype) | string | Storage type. | +| [`storageType`](#parameter-storagetype) | string | Storage type. | +| [`storageTypeState`](#parameter-storagetypestate) | string | Once a machine is registered against a resource, the storageTypeState is always Locked. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enhancedSecurityState` + +Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `isSoftDeleteFeatureStateEditable` + +Is soft delete feature state editable. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the Azure Recovery Service Vault Backup Policy. 
+- Required: No +- Type: string +- Default: `'vaultconfig'` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `resourceGuardOperationRequests` + +ResourceGuard Operation Requests. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `softDeleteFeatureState` + +Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `storageModelType` + +Storage type. +- Required: No +- Type: string +- Default: `'GeoRedundant'` +- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` + +### Parameter: `storageType` + +Storage type. +- Required: No +- Type: string +- Default: `'GeoRedundant'` +- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` + +### Parameter: `storageTypeState` + +Once a machine is registered against a resource, the storageTypeState is always Locked. +- Required: No +- Type: string +- Default: `'Locked'` +- Allowed: `[Locked, Unlocked]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the backup config. | | `resourceGroupName` | string | The name of the resource group the backup config was created in. | diff --git a/modules/recovery-services/vault/backup-config/main.json b/modules/recovery-services/vault/backup-config/main.json index 5052408a86..7ba9a5b1cb 100644 --- a/modules/recovery-services/vault/backup-config/main.json +++ b/modules/recovery-services/vault/backup-config/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "2030776827393689599"
+ "version": "0.22.6.54827",
+ "templateHash": "7310792683713567656"
 },
 "name": "Recovery Services Vault Backup Config",
 "description": "This module deploys a Recovery Services Vault Backup Config.",
diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/README.md
index 5c39aced8b..0c7bbeeb33 100644
--- a/modules/recovery-services/vault/backup-fabric/protection-container/README.md
+++ b/modules/recovery-services/vault/backup-fabric/protection-container/README.md
@@ -4,12 +4,12 @@ This module deploys a Recovery Services Vault Protection Container. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- |
@@ -20,32 +20,95 @@ This module deploys a Recovery Services Vault Protection Container. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the Azure Recovery Service Vault Protection Container. | +| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Protection Container. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backupManagementType` | string | `''` | `['', AzureBackupServer, AzureIaasVM, AzureSql, AzureStorage, AzureWorkload, DefaultBackup, DPM, Invalid, MAB]` | Backup management type to execute the current Protection Container job. | -| `containerType` | string | `''` | `['', AzureBackupServerContainer, AzureSqlContainer, GenericContainer, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, SQLAGWorkLoadContainer, StorageContainer, VMAppContainer, Windows]` | Type of the container. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `friendlyName` | string | `''` | | Friendly name of the Protection Container. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `protectedItems` | array | `[]` | | Protected items to register in the container. | -| `sourceResourceId` | string | `''` | | Resource ID of the target resource for the Protection Container. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backupManagementType`](#parameter-backupmanagementtype) | string | Backup management type to execute the current Protection Container job. | +| [`containerType`](#parameter-containertype) | string | Type of the container. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the Protection Container. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`protectedItems`](#parameter-protecteditems) | array | Protected items to register in the container. | +| [`sourceResourceId`](#parameter-sourceresourceid) | string | Resource ID of the target resource for the Protection Container. | + +### Parameter: `backupManagementType` + +Backup management type to execute the current Protection Container job. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', AzureBackupServer, AzureIaasVM, AzureSql, AzureStorage, AzureWorkload, DefaultBackup, DPM, Invalid, MAB]` + +### Parameter: `containerType` + +Type of the container. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', AzureBackupServerContainer, AzureSqlContainer, GenericContainer, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, SQLAGWorkLoadContainer, StorageContainer, VMAppContainer, Windows]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `friendlyName` + +Friendly name of the Protection Container. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the Azure Recovery Service Vault Protection Container. 
+- Required: Yes +- Type: string + +### Parameter: `protectedItems` + +Protected items to register in the container. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `sourceResourceId` + +Resource ID of the target resource for the Protection Container. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The Name of the Protection Container. | | `resourceGroupName` | string | The name of the Resource Group the Protection Container was created in. | diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/main.json index 86cb2e9330..ce42abbbf0 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/main.json +++ b/modules/recovery-services/vault/backup-fabric/protection-container/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17832840146797285516" + "version": "0.22.6.54827", + "templateHash": "2599343254432362849" }, "name": "Recovery Services Vault Protection Container", "description": "This module deploys a Recovery Services Vault Protection Container.", @@ -172,8 +172,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6407898441503460857" + "version": "0.22.6.54827", + "templateHash": "7148492251760573310" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", 
diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md index 51f5bb2b9f..64cd46a689 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md +++ b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md @@ -4,12 +4,12 @@ This module deploys a Recovery Services Vault Protection Container Protected Ite ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,31 +19,82 @@ This module deploys a Recovery Services Vault Protection Container Protected Ite **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the resource. | -| `policyId` | string | | ID of the backup policy with which this item is backed up. | -| `protectedItemType` | string | `[AzureFileShareProtectedItem, AzureVmWorkloadSAPAseDatabase, AzureVmWorkloadSAPHanaDatabase, AzureVmWorkloadSQLDatabase, DPMProtectedItem, GenericProtectedItem, MabFileFolderProtectedItem, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, Microsoft.Sql/servers/databases]` | The backup item type. | -| `sourceResourceId` | string | | Resource ID of the resource to back up. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the resource. | +| [`policyId`](#parameter-policyid) | string | ID of the backup policy with which this item is backed up. | +| [`protectedItemType`](#parameter-protecteditemtype) | string | The backup item type. | +| [`sourceResourceId`](#parameter-sourceresourceid) | string | Resource ID of the resource to back up. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `protectionContainerName` | string | Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`protectionContainerName`](#parameter-protectioncontainername) | string | Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the resource. +- Required: Yes +- Type: string + +### Parameter: `policyId` + +ID of the backup policy with which this item is backed up. +- Required: Yes +- Type: string + +### Parameter: `protectedItemType` + +The backup item type. +- Required: Yes +- Type: string +- Allowed: `[AzureFileShareProtectedItem, AzureVmWorkloadSAPAseDatabase, AzureVmWorkloadSAPHanaDatabase, AzureVmWorkloadSQLDatabase, DPMProtectedItem, GenericProtectedItem, MabFileFolderProtectedItem, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, Microsoft.Sql/servers/databases]` + +### Parameter: `protectionContainerName` + +Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `sourceResourceId` + +Resource ID of the resource to back up. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The Name of the protected item. | | `resourceGroupName` | string | The name of the Resource Group the protected item was created in. | diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json index 2ccee87db2..232937bb2a 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json +++ b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6407898441503460857" + "version": "0.22.6.54827", + "templateHash": "7148492251760573310" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", diff --git a/modules/recovery-services/vault/backup-policy/README.md b/modules/recovery-services/vault/backup-policy/README.md index 8490913844..c769d8ce08 100644 --- a/modules/recovery-services/vault/backup-policy/README.md +++ b/modules/recovery-services/vault/backup-policy/README.md @@ -4,12 +4,12 @@ This module deploys a Recovery Services Vault Backup Policy. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,27 +19,52 @@ This module deploys a Recovery Services Vault Backup Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the Azure Recovery Service Vault Backup Policy. | -| `properties` | object | Configuration of the Azure Recovery Service Vault Backup Policy. | +| [`name`](#parameter-name) | string | Name of the Azure Recovery Service Vault Backup Policy. | +| [`properties`](#parameter-properties) | object | Configuration of the Azure Recovery Service Vault Backup Policy. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the Azure Recovery Service Vault Backup Policy. +- Required: Yes +- Type: string + +### Parameter: `properties` + +Configuration of the Azure Recovery Service Vault Backup Policy. +- Required: Yes +- Type: object + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the backup policy. | | `resourceGroupName` | string | The name of the resource group the backup policy was created in. | diff --git a/modules/recovery-services/vault/backup-policy/main.json b/modules/recovery-services/vault/backup-policy/main.json index 8a67c74af9..c6180ca142 100644 --- a/modules/recovery-services/vault/backup-policy/main.json +++ b/modules/recovery-services/vault/backup-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13635254612288594433" + "version": "0.22.6.54827", + "templateHash": "5026084694620767555" }, "name": "Recovery Services Vault Backup Policies", "description": "This module deploys a Recovery Services Vault Backup Policy.", diff --git a/modules/recovery-services/vault/backup-storage-config/README.md b/modules/recovery-services/vault/backup-storage-config/README.md index 523244fc10..44c5b030b3 100644 --- a/modules/recovery-services/vault/backup-storage-config/README.md +++ b/modules/recovery-services/vault/backup-storage-config/README.md @@ -4,12 +4,12 @@ This module deploys a Recovery Service Vault Backup Storage Configuration. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,23 +19,58 @@ This module deploys a Recovery Service Vault Backup Storage Configuration. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `crossRegionRestoreFlag` | bool | `True` | | Opt in details of Cross Region Restore feature. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'vaultstorageconfig'` | | The name of the backup storage config. | -| `storageModelType` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Change Vault Storage Type (Works if vault has not registered any backup instance). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`crossRegionRestoreFlag`](#parameter-crossregionrestoreflag) | bool | Opt in details of Cross Region Restore feature. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the backup storage config. | +| [`storageModelType`](#parameter-storagemodeltype) | string | Change Vault Storage Type (Works if vault has not registered any backup instance). | + +### Parameter: `crossRegionRestoreFlag` + +Opt in details of Cross Region Restore feature. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the backup storage config. +- Required: No +- Type: string +- Default: `'vaultstorageconfig'` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `storageModelType` + +Change Vault Storage Type (Works if vault has not registered any backup instance). +- Required: No +- Type: string +- Default: `'GeoRedundant'` +- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the backup storage config. | | `resourceGroupName` | string | The name of the Resource Group the backup storage configuration was created in. | diff --git a/modules/recovery-services/vault/backup-storage-config/main.json b/modules/recovery-services/vault/backup-storage-config/main.json index f2d19f8d68..b3b1a961d8 100644 --- a/modules/recovery-services/vault/backup-storage-config/main.json +++ b/modules/recovery-services/vault/backup-storage-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5682567943042044037" + "version": "0.22.6.54827", + "templateHash": "11669127714287855633" }, "name": "Recovery Services Vault Backup Storage Config", "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.", diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index 4dbbe27952..8a77b1b8fe 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6227298459944107927"
+ "version": "0.22.6.54827",
+ "templateHash": "9931998458625198588"
 },
 "name": "Recovery Services Vaults",
 "description": "This module deploys a Recovery Services Vault.",
@@ -352,8 +352,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "5163393158902461304"
+ "version": "0.22.6.54827",
+ "templateHash": "4084364932296928832"
 },
 "name": "Recovery Services Vault Replication Fabrics",
 "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.",
@@ -458,8 +458,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11778647907922523589"
+ "version": "0.22.6.54827",
+ "templateHash": "12428378308583074618"
 },
 "name": "Recovery Services Vault Replication Fabric Replication Protection Containers",
 "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -568,8 +568,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4097117837670939230"
+ "version": "0.22.6.54827",
+ "templateHash": "13312155038829056102"
 },
 "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
 "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -801,8 +801,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "571014987628974476"
+ "version": "0.22.6.54827",
+ "templateHash": "4881591174035362600"
 },
 "name": "Recovery Services Vault Replication Policies",
 "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -950,8 +950,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9320127696130777627"
+ "version": "0.22.6.54827",
+ "templateHash": "11669127714287855633"
 },
 "name": "Recovery Services Vault Backup Storage Config",
 "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.",
@@ -1099,8 +1099,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "18051870481312741885"
+ "version": "0.22.6.54827",
+ "templateHash": "2599343254432362849"
 },
 "name": "Recovery Services Vault Protection Container",
 "description": "This module deploys a Recovery Services Vault Protection Container.",
@@ -1267,8 +1267,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "10079924922844886000"
+ "version": "0.22.6.54827",
+ "templateHash": "7148492251760573310"
 },
 "name": "Recovery Service Vaults Protection Container Protected Item",
 "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.",
@@ -1457,8 +1457,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11484548106923742925"
+ "version": "0.22.6.54827",
+ "templateHash": "5026084694620767555"
 },
 "name": "Recovery Services Vault Backup Policies",
 "description": "This module deploys a Recovery Services Vault Backup Policy.",
@@ -1574,8 +1574,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17044473868370755942" + "version": "0.22.6.54827", + "templateHash": "7310792683713567656" }, "name": "Recovery Services Vault Backup Config", "description": "This module deploys a Recovery Services Vault Backup Config.", @@ -1765,8 +1765,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4077813769135879734" + "version": "0.22.6.54827", + "templateHash": "326959657687879671" }, "name": "Recovery Services Vault Replication Alert Settings", "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", @@ -1920,8 +1920,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2120,8 +2120,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2258,8 +2258,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2472,8 +2472,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14902208368944856830" + "version": "0.22.6.54827", + "templateHash": "8436896073465306731" } }, "parameters": { diff --git a/modules/recovery-services/vault/replication-alert-setting/README.md b/modules/recovery-services/vault/replication-alert-setting/README.md index b4ee9494c5..c756a3ce98 100644 
--- a/modules/recovery-services/vault/replication-alert-setting/README.md +++ b/modules/recovery-services/vault/replication-alert-setting/README.md 
@@ -19,24 +19,66 @@ This module deploys a Recovery Services Vault Replication Alert Settings. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `customEmailAddresses` | array | `[]` | | Comma separated list of custom email address for sending alert emails. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `locale` | string | `''` | | The locale for the email notification. | -| `name` | string | `'defaultAlertSetting'` | | The name of the replication Alert Setting. | -| `sendToOwners` | string | `'Send'` | `[DoNotSend, Send]` | The value indicating whether to send email to subscription administrator. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customEmailAddresses`](#parameter-customemailaddresses) | array | Comma separated list of custom email address for sending alert emails. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`locale`](#parameter-locale) | string | The locale for the email notification. | +| [`name`](#parameter-name) | string | The name of the replication Alert Setting. | +| [`sendToOwners`](#parameter-sendtoowners) | string | The value indicating whether to send email to subscription administrator. | + +### Parameter: `customEmailAddresses` + +Comma separated list of custom email address for sending alert emails. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `locale` + +The locale for the email notification. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the replication Alert Setting. +- Required: No +- Type: string +- Default: `'defaultAlertSetting'` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `sendToOwners` + +The value indicating whether to send email to subscription administrator. +- Required: No +- Type: string +- Default: `'Send'` +- Allowed: `[DoNotSend, Send]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the replication Alert Setting. | | `resourceGroupName` | string | The name of the resource group the replication alert setting was created. | diff --git a/modules/recovery-services/vault/replication-alert-setting/main.json b/modules/recovery-services/vault/replication-alert-setting/main.json index f0561c50d1..27d98ff68e 100644 --- a/modules/recovery-services/vault/replication-alert-setting/main.json +++ b/modules/recovery-services/vault/replication-alert-setting/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "14248192554679574765" + "version": "0.22.6.54827", + "templateHash": "326959657687879671" }, "name": "Recovery Services Vault Replication Alert Settings", "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", diff --git a/modules/recovery-services/vault/replication-fabric/README.md b/modules/recovery-services/vault/replication-fabric/README.md index e11ecc23d5..8213e34c2a 100644 
--- a/modules/recovery-services/vault/replication-fabric/README.md +++ b/modules/recovery-services/vault/replication-fabric/README.md 
@@ -23,28 +23,62 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc **Required parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `location` | string | `[resourceGroup().location]` | The recovery location the fabric represents. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`location`](#parameter-location) | string | The recovery location the fabric represents. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `[parameters('location')]` | The name of the fabric. | -| `replicationContainers` | array | `[]` | Replication containers to create. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the fabric. | +| [`replicationContainers`](#parameter-replicationcontainers) | array | Replication containers to create. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The recovery location the fabric represents. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the fabric. +- Required: No +- Type: string +- Default: `[parameters('location')]` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `replicationContainers` + +Replication containers to create. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the replication fabric. | | `resourceGroupName` | string | The name of the resource group the replication fabric was created in. | diff --git a/modules/recovery-services/vault/replication-fabric/main.json b/modules/recovery-services/vault/replication-fabric/main.json index 11e29ab771..695123e7e7 100644 --- a/modules/recovery-services/vault/replication-fabric/main.json +++ b/modules/recovery-services/vault/replication-fabric/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8280438435310104866" + "version": "0.22.6.54827", + "templateHash": "4084364932296928832" }, "name": "Recovery Services Vault Replication Fabrics", "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", 
@@ -110,8 +110,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1196918307822554260" + "version": "0.22.6.54827", + "templateHash": "12428378308583074618" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", @@ -220,8 +220,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2149629411962083695" + "version": "0.22.6.54827", + "templateHash": "13312155038829056102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md index 23b6656e50..841d221908 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md 
@@ -22,28 +22,60 @@ This module deploys a Recovery Services Vault Replication Protection Container. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the replication container. | +| [`name`](#parameter-name) | string | The name of the replication container. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | -| `replicationFabricName` | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`replicationFabricName`](#parameter-replicationfabricname) | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `replicationContainerMappings` | array | `[]` | Replication containers mappings to create. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`replicationContainerMappings`](#parameter-replicationcontainermappings) | array | Replication containers mappings to create. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the replication container. 
+- Required: Yes +- Type: string + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `replicationContainerMappings` + +Replication containers mappings to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `replicationFabricName` + +The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the replication container. | | `resourceGroupName` | string | The name of the resource group the replication container was created in. | diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json index 9a5aeba687..1dac942bdb 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1196918307822554260" + "version": "0.22.6.54827", + "templateHash": "12428378308583074618" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", 
@@ -114,8 +114,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2149629411962083695" + "version": "0.22.6.54827", + "templateHash": "13312155038829056102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md index f2351c5c46..e409532d3e 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md 
@@ -21,28 +21,95 @@ This module deploys a Recovery Services Vault (RSV) Replication Protection Conta **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | -| `replicationFabricName` | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. | -| `sourceProtectionContainerName` | string | The name of the parent source Replication container. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`replicationFabricName`](#parameter-replicationfabricname) | string | The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. | +| [`sourceProtectionContainerName`](#parameter-sourceprotectioncontainername) | string | The name of the parent source Replication container. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `''` | The name of the replication container mapping. If not provided, it will be automatically generated as `-`. | -| `policyId` | string | `''` | Resource ID of the replication policy. If defined, policyName will be ignored. | -| `policyName` | string | `''` | Name of the replication policy. Will be ignored if policyId is also specified. | -| `targetContainerFabricName` | string | `[parameters('replicationFabricName')]` | Name of the fabric containing the target container. 
If targetProtectionContainerId is specified, this parameter will be ignored. | -| `targetContainerName` | string | `''` | Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. | -| `targetProtectionContainerId` | string | `''` | Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the replication container mapping. If not provided, it will be automatically generated as `-`. | +| [`policyId`](#parameter-policyid) | string | Resource ID of the replication policy. If defined, policyName will be ignored. | +| [`policyName`](#parameter-policyname) | string | Name of the replication policy. Will be ignored if policyId is also specified. | +| [`targetContainerFabricName`](#parameter-targetcontainerfabricname) | string | Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored. | +| [`targetContainerName`](#parameter-targetcontainername) | string | Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. | +| [`targetProtectionContainerId`](#parameter-targetprotectioncontainerid) | string | Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the replication container mapping. If not provided, it will be automatically generated as `-`. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `policyId` + +Resource ID of the replication policy. If defined, policyName will be ignored. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `policyName` + +Name of the replication policy. Will be ignored if policyId is also specified. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `replicationFabricName` + +The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `sourceProtectionContainerName` + +The name of the parent source Replication container. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `targetContainerFabricName` + +Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored. +- Required: No +- Type: string +- Default: `[parameters('replicationFabricName')]` + +### Parameter: `targetContainerName` + +Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `targetProtectionContainerId` + +Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. 
+- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the replication container. | | `resourceGroupName` | string | The name of the resource group the replication container was created in. | diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json index 6d189a871f..8e5a371f40 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2149629411962083695" + "version": "0.22.6.54827", + "templateHash": "13312155038829056102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", diff --git a/modules/recovery-services/vault/replication-policy/README.md b/modules/recovery-services/vault/replication-policy/README.md index 9e7fd1421d..81a72c1aa8 100644 --- a/modules/recovery-services/vault/replication-policy/README.md +++ b/modules/recovery-services/vault/replication-policy/README.md 
@@ -21,30 +21,78 @@ This module deploys a Recovery Services Vault Replication Policy for Disaster Re **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the replication policy. | +| [`name`](#parameter-name) | string | The name of the replication policy. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | +| [`recoveryVaultName`](#parameter-recoveryvaultname) | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appConsistentFrequencyInMinutes` | int | `60` | | The app consistent snapshot frequency (in minutes). | -| `crashConsistentFrequencyInMinutes` | int | `5` | | The crash consistent snapshot frequency (in minutes). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `multiVmSyncStatus` | string | `'Enable'` | `[Disable, Enable]` | A value indicating whether multi-VM sync has to be enabled. | -| `recoveryPointHistory` | int | `1440` | | The duration in minutes until which the recovery points need to be stored. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appConsistentFrequencyInMinutes`](#parameter-appconsistentfrequencyinminutes) | int | The app consistent snapshot frequency (in minutes). | +| [`crashConsistentFrequencyInMinutes`](#parameter-crashconsistentfrequencyinminutes) | int | The crash consistent snapshot frequency (in minutes). 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`multiVmSyncStatus`](#parameter-multivmsyncstatus) | string | A value indicating whether multi-VM sync has to be enabled. | +| [`recoveryPointHistory`](#parameter-recoverypointhistory) | int | The duration in minutes until which the recovery points need to be stored. | + +### Parameter: `appConsistentFrequencyInMinutes` + +The app consistent snapshot frequency (in minutes). +- Required: No +- Type: int +- Default: `60` + +### Parameter: `crashConsistentFrequencyInMinutes` + +The crash consistent snapshot frequency (in minutes). +- Required: No +- Type: int +- Default: `5` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `multiVmSyncStatus` + +A value indicating whether multi-VM sync has to be enabled. +- Required: No +- Type: string +- Default: `'Enable'` +- Allowed: `[Disable, Enable]` + +### Parameter: `name` + +The name of the replication policy. +- Required: Yes +- Type: string + +### Parameter: `recoveryPointHistory` + +The duration in minutes until which the recovery points need to be stored. +- Required: No +- Type: int +- Default: `1440` + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the replication policy. | | `resourceGroupName` | string | The name of the resource group the replication policy was created in. | diff --git a/modules/recovery-services/vault/replication-policy/main.json b/modules/recovery-services/vault/replication-policy/main.json index d91fe34f95..783b758258 100644 
--- a/modules/recovery-services/vault/replication-policy/main.json +++ b/modules/recovery-services/vault/replication-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11896184761533167738" + "version": "0.22.6.54827", + "templateHash": "4881591174035362600" }, "name": "Recovery Services Vault Replication Policies", "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep index 3dd433d28f..219a764842 100644 --- a/modules/relay/namespace/.test/common/main.test.bicep +++ b/modules/relay/namespace/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/relay/namespace/.test/min/main.test.bicep b/modules/relay/namespace/.test/min/main.test.bicep index 3553a10c28..25c3225ee0 100644 --- a/modules/relay/namespace/.test/min/main.test.bicep +++ b/modules/relay/namespace/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 4d6c984338..f9d8f5efff 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md 
@@ -4,13 +4,13 @@ This module deploys a Relay Namespace ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -27,70 +27,29 @@ This module deploys a Relay Namespace | `Microsoft.Relay/namespaces/wcfRelays` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays) | | `Microsoft.Relay/namespaces/wcfRelays/authorizationRules` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Relay/2021-11-01/namespaces/wcfRelays/authorizationRules) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Relay Namespace. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay namespace. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs, hybridConnectionsEvent]` | `['', allLogs, hybridConnectionsEvent, OperationalLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hybridConnections` | array | `[]` | | The hybrid connections to create in the relay namespace. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `networkRuleSets` | object | `{object}` | | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuName` | string | `'Standard'` | `[Standard]` | Name of this SKU. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `wcfRelays` | array | `[]` | | The wcf relays to create in the relay namespace. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed relay namespace. | -| `resourceGroupName` | string | The resource group of the deployed relay namespace. | -| `resourceId` | string | The resource ID of the deployed relay namespace. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. 
For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/relay.namespace:1.0.0`. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -## Deployment examples +### Example 1: _Using large parameter set_ -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +This instance deploys the module with most of its features enabled. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module namespace './relay/namespace/main.bicep' = { +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rncom' params: { // Required parameters @@ -364,14 +323,17 @@ module namespace './relay/namespace/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module namespace './relay/namespace/main.bicep' = { +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rnmin' params: { // Required parameters @@ -409,14 +371,14 @@ module namespace './relay/namespace/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module namespace './relay/namespace/main.bicep' = { +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rnpe' params: { // Required parameters @@ -503,3 +465,189 @@ module namespace './relay/namespace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Relay Namespace. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay namespace. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hybridConnections`](#parameter-hybridconnections) | array | The hybrid connections to create in the relay namespace. | +| [`location`](#parameter-location) | string | Location for all resources. 
| +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuName`](#parameter-skuname) | string | Name of this SKU. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`wcfRelays`](#parameter-wcfrelays) | array | The wcf relays to create in the relay namespace. | + +### Parameter: `authorizationRules` + +Authorization Rules for the Relay namespace. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs, hybridConnectionsEvent]` +- Allowed: `['', allLogs, hybridConnectionsEvent, OperationalLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hybridConnections` + +The hybrid connections to create in the relay namespace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Relay Namespace. +- Required: Yes +- Type: string + +### Parameter: `networkRuleSets` + +Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuName` + +Name of this SKU. +- Required: No +- Type: string +- Default: `'Standard'` +- Allowed: `[Standard]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `wcfRelays` + +The wcf relays to create in the relay namespace. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed relay namespace. | +| `resourceGroupName` | string | The resource group of the deployed relay namespace. | +| `resourceId` | string | The resource ID of the deployed relay namespace. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/relay/namespace/authorization-rule/README.md b/modules/relay/namespace/authorization-rule/README.md index 44420982c3..c66fadfdbe 100644 --- a/modules/relay/namespace/authorization-rule/README.md 
+++ b/modules/relay/namespace/authorization-rule/README.md 
@@ -19,27 +19,54 @@ This module deploys a Relay Namespace Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | +| [`name`](#parameter-name) | string | The name of the authorization rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the authorization rule. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. 
+- Required: No +- Type: array +- Default: `[]` +- Allowed: `[Listen, Manage, Send]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | diff --git a/modules/relay/namespace/authorization-rule/main.json b/modules/relay/namespace/authorization-rule/main.json index 838638b05f..6969a1416e 100644 --- a/modules/relay/namespace/authorization-rule/main.json +++ b/modules/relay/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2910468169645277295" + "version": "0.22.6.54827", + "templateHash": "8947023489504947393" }, "name": "Relay Namespace Authorization Rules", "description": "This module deploys a Relay Namespace Authorization Rule.", diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index 03ee068530..c2b68a3256 100644 --- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md @@ -4,12 +4,12 @@ This module deploys a Relay Namespace Hybrid Connection. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,31 +22,85 @@ This module deploys a Relay Namespace Hybrid Connection. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the hybrid connection. | -| `userMetadata` | string | The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. | +| [`name`](#parameter-name) | string | The name of the hybrid connection. | +| [`userMetadata`](#parameter-usermetadata) | string | The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Relay Hybrid Connection. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `requiresClientAuthorization` | bool | `True` | | A value indicating if this hybrid connection requires client authorization. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay Hybrid Connection. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +### Parameter: `authorizationRules` + +Authorization Rules for the Relay Hybrid Connection. 
+- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the hybrid connection. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `requiresClientAuthorization` + +A value indicating if this hybrid connection requires client authorization. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `userMetadata` + +The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed hybrid connection. 
| | `resourceGroupName` | string | The resource group of the deployed hybrid connection. | diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md index cd97c6739b..38f6f986a1 100644 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md +++ b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md 
@@ -19,28 +19,61 @@ This module deploys a Hybrid Connection Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | +| [`name`](#parameter-name) | string | The name of the authorization rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hybridConnectionName` | string | The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. | -| `namespaceName` | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | +| [`hybridConnectionName`](#parameter-hybridconnectionname) | string | The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hybridConnectionName` + +The name of the parent Relay Namespace Hybrid Connection. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the authorization rule. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[Listen, Manage, Send]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json b/modules/relay/namespace/hybrid-connection/authorization-rule/main.json index e9e3874815..7f723b5086 100644 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json +++ b/modules/relay/namespace/hybrid-connection/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9718423441307347496" + "version": "0.22.6.54827", + "templateHash": "2105813068659609285" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json index 2a4a626c8c..0056c9f29a 100644 --- a/modules/relay/namespace/hybrid-connection/main.json +++ b/modules/relay/namespace/hybrid-connection/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5587843022604046042" + "version": "0.22.6.54827", + "templateHash": "8795172246215834185" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -171,8 +171,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9718423441307347496" + "version": "0.22.6.54827", + "templateHash": "2105813068659609285" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", @@ -304,8 +304,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5814555714153100571" + "version": "0.22.6.54827", + "templateHash": "9757505768958218088" } }, "parameters": { diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index 7d448f54f2..cc816b07e5 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6784238447129641700" + "version": "0.22.6.54827", + "templateHash": "14563908102814128404" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", @@ -290,8 +290,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17576060128370228409" + "version": "0.22.6.54827", + "templateHash": "8947023489504947393" }, "name": "Relay Namespace Authorization Rules", "description": "This module deploys a Relay Namespace Authorization Rule.", 
@@ -412,8 +412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12482510131982064246" + "version": "0.22.6.54827", + "templateHash": "4617716666405561945" }, "name": "Relay Namespace Network Rules Sets", "description": "This module deploys a Relay Namespace Network Rule Set.", @@ -555,8 +555,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10449982661635472758" + "version": "0.22.6.54827", + "templateHash": "8795172246215834185" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -722,8 +722,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15090003948629562677" + "version": "0.22.6.54827", + "templateHash": "2105813068659609285" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", @@ -855,8 +855,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8710257990438329269" + "version": "0.22.6.54827", + "templateHash": "9757505768958218088" } }, "parameters": { @@ -1040,8 +1040,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16399405169577171151" + "version": "0.22.6.54827", + "templateHash": "16339805298138761905" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -1227,8 +1227,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1819166015438260663" + "version": "0.22.6.54827", + "templateHash": "9905508445063497603" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", 
@@ -1360,8 +1360,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5004576418567807599" + "version": "0.22.6.54827", + "templateHash": "3790701104073520156" } }, "parameters": { @@ -1554,8 +1554,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1754,8 +1754,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1892,8 +1892,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2106,8 +2106,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15050721890066924646" + "version": "0.22.6.54827", + "templateHash": "7170472647175450772" } }, "parameters": { diff --git a/modules/relay/namespace/network-rule-set/README.md b/modules/relay/namespace/network-rule-set/README.md index dbca72dddb..999a9f0bd2 100644 --- a/modules/relay/namespace/network-rule-set/README.md +++ b/modules/relay/namespace/network-rule-set/README.md 
@@ -19,23 +19,59 @@ This module deploys a Relay Namespace Network Rule Set. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| [`ipRules`](#parameter-iprules) | array | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | + +### Parameter: `defaultAction` + +Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. +- Required: No +- Type: string +- Default: `'Allow'` +- Allowed: `[Allow, Deny]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ipRules` + +List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `publicNetworkAccess` + +This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the network rule set. | | `resourceGroupName` | string | The name of the resource group the network rule set was created in. | 
diff --git a/modules/relay/namespace/network-rule-set/main.json b/modules/relay/namespace/network-rule-set/main.json index 0a2577851e..d7742ddf49 100644 --- a/modules/relay/namespace/network-rule-set/main.json +++ b/modules/relay/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "319020533136370885" + "version": "0.22.6.54827", + "templateHash": "4617716666405561945" }, "name": "Relay Namespace Network Rules Sets", "description": "This module deploys a Relay Namespace Network Rule Set.", diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index 3a4b841219..bb155573b1 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md @@ -4,12 +4,12 @@ This module deploys a Relay Namespace WCF Relay. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,33 +22,102 @@ This module deploys a Relay Namespace WCF Relay. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the WCF Relay. | -| `relayType` | string | `[Http, NetTcp]` | Type of WCF Relay. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the WCF Relay. | +| [`relayType`](#parameter-relaytype) | string | Type of WCF Relay. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the WCF Relay. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `requiresClientAuthorization` | bool | `True` | | A value indicating if this relay requires client authorization. | -| `requiresTransportSecurity` | bool | `True` | | A value indicating if this relay requires transport security. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `userMetadata` | string | `''` | | User-defined string data for the WCF Relay. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the WCF Relay. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this relay requires client authorization. | +| [`requiresTransportSecurity`](#parameter-requirestransportsecurity) | bool | A value indicating if this relay requires transport security. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`userMetadata`](#parameter-usermetadata) | string | User-defined string data for the WCF Relay. | + +### Parameter: `authorizationRules` + +Authorization Rules for the WCF Relay. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the WCF Relay. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `relayType` + +Type of WCF Relay. +- Required: Yes +- Type: string +- Allowed: `[Http, NetTcp]` + +### Parameter: `requiresClientAuthorization` + +A value indicating if this relay requires client authorization. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `requiresTransportSecurity` + +A value indicating if this relay requires transport security. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `userMetadata` + +User-defined string data for the WCF Relay. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed wcf relay. | | `resourceGroupName` | string | The resource group of the deployed wcf relay. | diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/README.md b/modules/relay/namespace/wcf-relay/authorization-rule/README.md index bbdd6020cd..4fbcc69f86 100644 --- a/modules/relay/namespace/wcf-relay/authorization-rule/README.md 
+++ b/modules/relay/namespace/wcf-relay/authorization-rule/README.md 
@@ -19,28 +19,61 @@ This module deploys a WCF Relay Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | +| [`name`](#parameter-name) | string | The name of the authorization rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | -| `wcfRelayName` | string | The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. | +| [`wcfRelayName`](#parameter-wcfrelayname) | string | The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the authorization rule. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[Listen, Manage, Send]` + +### Parameter: `wcfRelayName` + +The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/main.json b/modules/relay/namespace/wcf-relay/authorization-rule/main.json index 17285b2410..2ab62ecde8 100644 --- a/modules/relay/namespace/wcf-relay/authorization-rule/main.json +++ b/modules/relay/namespace/wcf-relay/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13141425566828642958" + "version": "0.22.6.54827", + "templateHash": "9905508445063497603" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json index 309e400e0b..4ad90c10ee 100644 --- a/modules/relay/namespace/wcf-relay/main.json +++ b/modules/relay/namespace/wcf-relay/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18205555090536788516" + "version": "0.22.6.54827", + "templateHash": "16339805298138761905" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", 
@@ -191,8 +191,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13141425566828642958" + "version": "0.22.6.54827", + "templateHash": "9905508445063497603" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", @@ -324,8 +324,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "8507868775083821058" + "version": "0.22.6.54827", + "templateHash": "3790701104073520156" } }, "parameters": { diff --git a/modules/resource-graph/query/.test/common/main.test.bicep b/modules/resource-graph/query/.test/common/main.test.bicep index 3c64dc9dba..77af84a74d 100644 --- a/modules/resource-graph/query/.test/common/main.test.bicep +++ b/modules/resource-graph/query/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/resource-graph/query/.test/min/main.test.bicep b/modules/resource-graph/query/.test/min/main.test.bicep index 9a81477569..f03ce1a8a9 100644 --- a/modules/resource-graph/query/.test/min/main.test.bicep +++ b/modules/resource-graph/query/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index 9cec40305f..5d725b3c03 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md 
@@ -4,13 +4,13 @@ This module deploys a Resource Graph Query. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,55 +18,28 @@ This module deploys a Resource Graph Query. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.ResourceGraph/queries` | [2018-09-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ResourceGraph/2018-09-01-preview/queries) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Resource Graph Query. | -| `query` | string | KQL query that will be graph. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `queryDescription` | string | `''` | | The description of a graph query. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. 
| -| `name` | string | The name of the query. | -| `resourceGroupName` | string | The resource group the query was deployed into. | -| `resourceId` | string | The resource ID of the query. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/resource-graph.query:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module query './resource-graph/query/main.bicep' = { +module query 'br:bicep/modules/resource-graph.query:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rgqcom' params: { // Required parameters @@ -148,14 +121,17 @@ module query './resource-graph/query/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module query './resource-graph/query/main.bicep' = { +module query 'br:bicep/modules/resource-graph.query:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rgqmin' params: { // Required parameters @@ -196,3 +172,93 @@ module query './resource-graph/query/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Resource Graph Query. | +| [`query`](#parameter-query) | string | KQL query that will be graph. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`queryDescription`](#parameter-querydescription) | string | The description of a graph query. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the Resource Graph Query. +- Required: Yes +- Type: string + +### Parameter: `query` + +KQL query that will be graph. +- Required: Yes +- Type: string + +### Parameter: `queryDescription` + +The description of a graph query. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the query. | +| `resourceGroupName` | string | The resource group the query was deployed into. | +| `resourceId` | string | The resource ID of the query. | + +## Cross-referenced modules + +_None_ diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index 301af9810f..637ac21f0a 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15324622694106945222" + "version": "0.22.6.54827", + "templateHash": "5318766686585928680" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", @@ -146,8 +146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5203431571109680712" + "version": "0.22.6.54827", + "templateHash": "11432335123187448929" } }, "parameters": { diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 98aca51078..16d4b28844 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md 
@@ -4,87 +4,38 @@ This module deploys a Deployment Script. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Resources/deploymentScripts` | [2020-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-10-01/deploymentScripts) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Display name of the script to be run. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `arguments` | string | `''` | | Command-line arguments to pass to the script. Arguments are separated by spaces. | -| `azCliVersion` | string | `''` | | Azure CLI module version to be used. | -| `azPowerShellVersion` | string | `'3.0'` | | Azure PowerShell module version to be used. | -| `cleanupPreference` | string | `'Always'` | `[Always, OnExpiration, OnSuccess]` | The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). | -| `containerGroupName` | string | `''` | | Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. 
Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `environmentVariables` | secureObject | `{object}` | | The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. | -| `kind` | string | `'AzurePowerShell'` | `[AzureCLI, AzurePowerShell]` | Type of the script. AzurePowerShell, AzureCLI. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `primaryScriptUri` | string | `''` | | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | -| `retentionInterval` | string | `'P1D'` | | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | -| `runOnce` | bool | `False` | | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | -| `scriptContent` | string | `''` | | Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. | -| `storageAccountResourceId` | string | `''` | | The resource ID of the storage account to use for this deployment script. 
If none is provided, the deployment script uses a temporary, managed storage account. | -| `supportingScriptUris` | array | `[]` | | List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). | -| `tags` | object | `{object}` | | Tags of the resource. | -| `timeout` | string | `'PT1H'` | | Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - -**Generated parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployment script. | -| `outputs` | object | The output of the deployment script. | -| `resourceGroupName` | string | The resource group the deployment script was deployed into. | -| `resourceId` | string | The resource ID of the deployment script. | - -## Cross-referenced modules - -_None_ +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.deployment-script:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Cli](#example-1-cli) +- [Ps](#example-2-ps) -

Example 1: Cli

+### Example 1: _Cli_
via Bicep module ```bicep -module deploymentScript './resources/deployment-script/main.bicep' = { +module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rdscli' params: { // Required parameters @@ -200,14 +151,14 @@ module deploymentScript './resources/deployment-script/main.bicep' = {

-

Example 2: Ps

+### Example 2: _Ps_
via Bicep module ```bicep -module deploymentScript './resources/deployment-script/main.bicep' = { +module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rdsps' params: { // Required parameters @@ -300,3 +251,206 @@ module deploymentScript './resources/deployment-script/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Display name of the script to be run. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`arguments`](#parameter-arguments) | string | Command-line arguments to pass to the script. Arguments are separated by spaces. | +| [`azCliVersion`](#parameter-azcliversion) | string | Azure CLI module version to be used. | +| [`azPowerShellVersion`](#parameter-azpowershellversion) | string | Azure PowerShell module version to be used. | +| [`cleanupPreference`](#parameter-cleanuppreference) | string | The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). | +| [`containerGroupName`](#parameter-containergroupname) | string | Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`environmentVariables`](#parameter-environmentvariables) | secureObject | The environment variables to pass over to the script. 
The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. | +| [`kind`](#parameter-kind) | string | Type of the script. AzurePowerShell, AzureCLI. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`primaryScriptUri`](#parameter-primaryscripturi) | string | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | +| [`retentionInterval`](#parameter-retentioninterval) | string | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | +| [`runOnce`](#parameter-runonce) | bool | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | +| [`scriptContent`](#parameter-scriptcontent) | string | Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account. | +| [`supportingScriptUris`](#parameter-supportingscripturis) | array | List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`timeout`](#parameter-timeout) | string | Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. 
| +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +**Generated parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | + +### Parameter: `arguments` + +Command-line arguments to pass to the script. Arguments are separated by spaces. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `azCliVersion` + +Azure CLI module version to be used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `azPowerShellVersion` + +Azure PowerShell module version to be used. +- Required: No +- Type: string +- Default: `'3.0'` + +### Parameter: `baseTime` + +Do not provide a value! This date value is used to make sure the script run every time the template is deployed. +- Required: No +- Type: string +- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` + +### Parameter: `cleanupPreference` + +The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). +- Required: No +- Type: string +- Default: `'Always'` +- Allowed: `[Always, OnExpiration, OnSuccess]` + +### Parameter: `containerGroupName` + +Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 
'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `environmentVariables` + +The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `kind` + +Type of the script. AzurePowerShell, AzureCLI. +- Required: No +- Type: string +- Default: `'AzurePowerShell'` +- Allowed: `[AzureCLI, AzurePowerShell]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Display name of the script to be run. +- Required: Yes +- Type: string + +### Parameter: `primaryScriptUri` + +Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `retentionInterval` + +Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). +- Required: No +- Type: string +- Default: `'P1D'` + +### Parameter: `runOnce` + +When set to false, script will run every time the template is deployed. 
When set to true, the script will only run once. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `scriptContent` + +Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageAccountResourceId` + +The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `supportingScriptUris` + +List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `timeout` + +Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. +- Required: No +- Type: string +- Default: `'PT1H'` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployment script. | +| `outputs` | object | The output of the deployment script. | +| `resourceGroupName` | string | The resource group the deployment script was deployed into. | +| `resourceId` | string | The resource ID of the deployment script. | + +## Cross-referenced modules + +_None_ diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json index 0a7d0d9090..2f4d4f4a0d 100644 --- a/modules/resources/deployment-script/main.json +++ b/modules/resources/deployment-script/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8110228844611454639" + "version": "0.22.6.54827", + "templateHash": "13171333688007785690" }, "name": "Deployment Scripts", "description": "This module deploys a Deployment Script.", diff --git a/modules/resources/resource-group/.test/common/main.test.bicep b/modules/resources/resource-group/.test/common/main.test.bicep index 7cbc7f6c16..0090211eb1 100644 --- a/modules/resources/resource-group/.test/common/main.test.bicep +++ b/modules/resources/resource-group/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/resources/resource-group/.test/min/main.test.bicep b/modules/resources/resource-group/.test/min/main.test.bicep index dc9625823a..04d75955c0 100644 --- a/modules/resources/resource-group/.test/min/main.test.bicep +++ b/modules/resources/resource-group/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 4c341910e3..e57cc52c30 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md 
@@ -4,13 +4,13 @@ This module deploys a Resource Group. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,57 +18,28 @@ This module deploys a Resource Group. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Resources/resourceGroups` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/resourceGroups) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Resource Group. | - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | | Location of the Resource Group. It uses the deployment's location when not provided. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedBy` | string | `''` | | The ID of the resource that manages this resource group. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the storage account resource. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-## Outputs +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.resource-group:1.0.0`. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the resource group. | -| `resourceId` | string | The resource ID of the resource group. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -## Cross-referenced modules +### Example 1: _Using large parameter set_ -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +This instance deploys the module with most of its features enabled. -| Reference | Type | -| :-- | :-- | -| `authorization/lock/resource-group` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module resourceGroup './resources/resource-group/main.bicep' = { +module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rrgcom' params: { // Required parameters @@ -142,14 +113,17 @@ module resourceGroup './resources/resource-group/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module resourceGroup './resources/resource-group/main.bicep' = { +module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { name: '${uniqueString(deployment().name)}-test-rrgmin' params: { // Required parameters @@ -186,3 +160,89 @@ module resourceGroup './resources/resource-group/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Resource Group. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location of the Resource Group. It uses the deployment's location when not provided. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedBy`](#parameter-managedby) | string | The ID of the resource that manages this resource group. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the storage account resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location of the Resource Group. It uses the deployment's location when not provided. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedBy` + +The ID of the resource that manages this resource group. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the Resource Group. 
+- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the storage account resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the resource group. | +| `resourceId` | string | The resource ID of the resource group. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/authorization/lock/resource-group` | Local reference | diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json index 2e9a71ba0e..311d143451 100644 --- a/modules/resources/resource-group/main.json +++ b/modules/resources/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "3729995632350323768" + "version": "0.22.6.54827", + "templateHash": "698589074683460032" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.", 
@@ -116,8 +116,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10420976827552614779" + "version": "0.22.6.54827", + "templateHash": "8961143332409950444" }, "name": "Authorization Locks (Resource Group scope)", "description": "This module deploys an Authorization Lock at a Resource Group scope.", @@ -249,8 +249,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1146156557420886689" + "version": "0.22.6.54827", + "templateHash": "9238529270860750175" } }, "parameters": { diff --git a/modules/resources/tags/.test/min/main.test.bicep b/modules/resources/tags/.test/min/main.test.bicep index bd4d81cfe3..4afd22e26f 100644 --- a/modules/resources/tags/.test/min/main.test.bicep +++ b/modules/resources/tags/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/resources/tags/README.md b/modules/resources/tags/README.md index 8c84394fa8..9135bfb176 100644 --- a/modules/resources/tags/README.md +++ b/modules/resources/tags/README.md @@ -5,10 +5,10 @@ This module deploys a Resource Tag at a Subscription or Resource Group scope. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -16,47 +16,29 @@ This module deploys a Resource Tag at a Subscription or Resource Group scope. | :-- | :-- | | `Microsoft.Resources/tags` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/tags) | -## Parameters - -**Optional parameters** +## Usage examples -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `onlyUpdate` | bool | `False` | Instead of overwriting the existing tags, combine them with the new tags. | -| `resourceGroupName` | string | `''` | Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | -| `subscriptionId` | string | `[subscription().id]` | Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | -| `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the tags resource. | -| `resourceId` | string | The resource ID of the applied tags. | -| `tags` | object | The applied tags. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.tags:1.0.0`. -## Deployment examples +- [Using only defaults](#example-1-using-only-defaults) +- [Rg](#example-2-rg) +- [Sub](#example-3-sub) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using only defaults_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with the minimum set of required parameters. -

Example 1: Min

via Bicep module ```bicep -module tags './resources/tags/main.bicep' = { +module tags 'br:bicep/modules/resources.tags:1.0.0' = { name: '${uniqueString(deployment().name)}-test-rtmin' params: { enableDefaultTelemetry: '' @@ -86,14 +68,14 @@ module tags './resources/tags/main.bicep' = {

-

Example 2: Rg

+### Example 2: _Rg_
via Bicep module ```bicep -module tags './resources/tags/main.bicep' = { +module tags 'br:bicep/modules/resources.tags:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-rtrg' params: { enableDefaultTelemetry: '' @@ -143,14 +125,14 @@ module tags './resources/tags/main.bicep' = {

-

Example 3: Sub

+### Example 3: _Sub_
via Bicep module ```bicep -module tags './resources/tags/main.bicep' = { +module tags 'br:bicep/modules/resources.tags:1.0.0' = { name: '${uniqueString(deployment().name)}-test-rtsub' params: { enableDefaultTelemetry: '' @@ -195,3 +177,72 @@ module tags './resources/tags/main.bicep' = {

+ + +## Parameters + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. | +| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `onlyUpdate` + +Instead of overwriting the existing tags, combine them with the new tags. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the tags to. 
If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. +- Required: No +- Type: string +- Default: `[subscription().id]` + +### Parameter: `tags` + +Tags for the resource group. If not provided, removes existing tags. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the tags resource. | +| `resourceId` | string | The resource ID of the applied tags. | +| `tags` | object | The applied tags. | + +## Cross-referenced modules + +_None_ diff --git a/modules/resources/tags/main.json b/modules/resources/tags/main.json index 4458dbbe53..85a73c4674 100644 --- a/modules/resources/tags/main.json +++ b/modules/resources/tags/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15623552838363512630" + "version": "0.22.6.54827", + "templateHash": "17959459334247355830" }, "name": "Resources Tags", "description": "This module deploys a Resource Tag at a Subscription or Resource Group scope.", @@ -105,8 +105,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "791889452516757013" + "version": "0.22.6.54827", + "templateHash": "17975356792950377604" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -186,8 +186,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9008008606560089334" + "version": "0.22.6.54827", + "templateHash": "18269006446765776342" } }, "parameters": { 
@@ -267,8 +267,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11114375852398740809" + "version": "0.22.6.54827", + "templateHash": "8701740381622545052" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -339,8 +339,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4678848348426348914" + "version": "0.22.6.54827", + "templateHash": "8737749583083645128" } }, "parameters": { diff --git a/modules/resources/tags/resource-group/README.md b/modules/resources/tags/resource-group/README.md index b01512e657..678fc74561 100644 --- a/modules/resources/tags/resource-group/README.md +++ b/modules/resources/tags/resource-group/README.md 
@@ -19,16 +19,37 @@ This module deploys a Resource Tag on a Resource Group scope. **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `onlyUpdate` | bool | `False` | Instead of overwriting the existing tags, combine them with the new tags. | -| `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. | +| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `onlyUpdate` + +Instead of overwriting the existing tags, combine them with the new tags. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags for the resource group. If not provided, removes existing tags. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the tags resource. | | `resourceGroupName` | string | The name of the resource group the tags were applied to. | diff --git a/modules/resources/tags/resource-group/main.json b/modules/resources/tags/resource-group/main.json index fabaa09756..8e1a7b8b39 100644 --- a/modules/resources/tags/resource-group/main.json +++ b/modules/resources/tags/resource-group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4275347865908810280" + "version": "0.22.6.54827", + "templateHash": "8701740381622545052" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -76,8 +76,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5447313974004996573" + "version": "0.22.6.54827", + "templateHash": "8737749583083645128" } }, "parameters": { diff --git a/modules/resources/tags/subscription/README.md b/modules/resources/tags/subscription/README.md index 384fb2c7e9..48c7d355a0 100644 --- a/modules/resources/tags/subscription/README.md +++ b/modules/resources/tags/subscription/README.md 
@@ -19,17 +19,45 @@ This module deploys a Resource Tag on a Subscription scope. **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[deployment().location]` | Location deployment metadata. | -| `onlyUpdate` | bool | `False` | Instead of overwriting the existing tags, combine them with the new tags. | -| `tags` | object | `{object}` | Tags for the resource group. If not provided, removes existing tags. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`onlyUpdate`](#parameter-onlyupdate) | bool | Instead of overwriting the existing tags, combine them with the new tags. | +| [`tags`](#parameter-tags) | object | Tags for the resource group. If not provided, removes existing tags. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `onlyUpdate` + +Instead of overwriting the existing tags, combine them with the new tags. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags for the resource group. If not provided, removes existing tags. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the tags resource. | | `resourceId` | string | The resource ID of the applied tags. | 
diff --git a/modules/resources/tags/subscription/main.json b/modules/resources/tags/subscription/main.json index 615fd9ce66..467d62828b 100644 --- a/modules/resources/tags/subscription/main.json +++ b/modules/resources/tags/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17445460813956994133" + "version": "0.22.6.54827", + "templateHash": "17975356792950377604" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -85,8 +85,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "373680921396677494" + "version": "0.22.6.54827", + "templateHash": "18269006446765776342" } }, "parameters": { diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep index a57241f341..299cc6438a 100644 --- a/modules/search/search-service/.test/common/main.test.bicep +++ b/modules/search/search-service/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/search/search-service/.test/min/main.test.bicep b/modules/search/search-service/.test/min/main.test.bicep index 6a2b1474fb..4f66e7b2e4 100644 --- a/modules/search/search-service/.test/min/main.test.bicep +++ b/modules/search/search-service/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index ab526edefb..3cc54ce756 100644 
--- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -5,10 +5,10 @@ This module deploys a Search Service. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -22,76 +22,29 @@ This module deploys a Search Service. | `Microsoft.Search/searchServices` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2022-09-01/searchServices) | | `Microsoft.Search/searchServices/sharedPrivateLinkResources` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2022-09-01/searchServices/sharedPrivateLinkResources) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `authOptions` | object | `{object}` | | Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. | -| `cmkEnforcement` | string | `'Unspecified'` | `[Disabled, Enabled, Unspecified]` | Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticLogCategoriesToEnable` | array | `[OperationLogs]` | `[OperationLogs]` | The name of logs that will be streamed. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `disableLocalAuth` | bool | `True` | | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `hostingMode` | string | `'default'` | `[default, highDensity]` | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `networkRuleSet` | object | `{object}` | | Network specific rules that determine how the Azure Cognitive Search service may be reached. | -| `partitionCount` | int | `1` | | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `'enabled'` | `[disabled, enabled]` | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | -| `replicaCount` | int | `1` | | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sharedPrivateLinkResources` | array | `[]` | | The sharedPrivateLinkResources to create as part of the search Service. | -| `sku` | string | `'standard'` | `[basic, free, standard, standard2, standard3, storage_optimized_l1, storage_optimized_l2]` | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. 
| -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags to help categorize the resource in the Azure portal. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the search service. | -| `resourceGroupName` | string | The name of the resource group the search service was created in. | -| `resourceId` | string | The resource ID of the search service. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/search.search-service:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
+This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module searchService './search/search-service/main.bicep' = { +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ssscom' params: { // Required parameters @@ -257,14 +210,17 @@ module searchService './search/search-service/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module searchService './search/search-service/main.bicep' = { +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sssmin' params: { // Required parameters @@ -302,14 +258,14 @@ module searchService './search/search-service/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module searchService './search/search-service/main.bicep' = { +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-ssspe' params: { // Required parameters @@ -432,3 +388,240 @@ module searchService './search/search-service/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authOptions`](#parameter-authoptions) | object | Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. | +| [`cmkEnforcement`](#parameter-cmkenforcement) | string | Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. 
| +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`networkRuleSet`](#parameter-networkruleset) | object | Network specific rules that determine how the Azure Cognitive Search service may be reached. | +| [`partitionCount`](#parameter-partitioncount) | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. 
For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | +| [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. | +| [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags to help categorize the resource in the Azure portal. | + +### Parameter: `authOptions` + +Defines the options for how the data plane API of a Search service authenticates requests. 
Must remain an empty object {} if 'disableLocalAuth' is set to true. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `cmkEnforcement` + +Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. +- Required: No +- Type: string +- Default: `'Unspecified'` +- Allowed: `[Disabled, Enabled, Unspecified]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. +- Required: No +- Type: array +- Default: `[OperationLogs]` +- Allowed: `[OperationLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hostingMode` + +Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. +- Required: No +- Type: string +- Default: `'default'` +- Allowed: `[default, highDensity]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. 
+- Required: Yes +- Type: string + +### Parameter: `networkRuleSet` + +Network specific rules that determine how the Azure Cognitive Search service may be reached. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `partitionCount` + +The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. +- Required: No +- Type: string +- Default: `'enabled'` +- Allowed: `[disabled, enabled]` + +### Parameter: `replicaCount` + +The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sharedPrivateLinkResources` + +The sharedPrivateLinkResources to create as part of the search Service. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. +- Required: No +- Type: string +- Default: `'standard'` +- Allowed: `[basic, free, standard, standard2, standard3, storage_optimized_l1, storage_optimized_l2]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags to help categorize the resource in the Azure portal. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the search service. | +| `resourceGroupName` | string | The name of the resource group the search service was created in. | +| `resourceId` | string | The resource ID of the search service. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 395192b732..7a348d26c6 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10072822591333511170" + "version": "0.22.6.54827", + "templateHash": "6550974299074570161" }, "name": "Search Services", "description": "This module deploys a Search Service.", 
@@ -356,8 +356,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11875440755487903509" + "version": "0.22.6.54827", + "templateHash": "18375388175912544361" } }, "parameters": { @@ -520,8 +520,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -720,8 +720,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -858,8 +858,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1074,8 +1074,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11160181254796997108" + "version": "0.22.6.54827", + "templateHash": "13590696020139320386" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", diff --git a/modules/search/search-service/shared-private-link-resource/README.md b/modules/search/search-service/shared-private-link-resource/README.md index 130c6c31ef..1edd330b70 100644 --- a/modules/search/search-service/shared-private-link-resource/README.md +++ b/modules/search/search-service/shared-private-link-resource/README.md 
@@ -19,30 +19,74 @@ This module deploys a Search Service Private Link Resource. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `groupId` | string | The group ID from the provider of resource the shared private link resource is for. | -| `name` | string | The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. | -| `privateLinkResourceId` | string | The resource ID of the resource the shared private link resource is for. | -| `requestMessage` | string | The request message for requesting approval of the shared private link resource. | +| [`groupId`](#parameter-groupid) | string | The group ID from the provider of resource the shared private link resource is for. | +| [`name`](#parameter-name) | string | The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. | +| [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The resource ID of the resource the shared private link resource is for. | +| [`requestMessage`](#parameter-requestmessage) | string | The request message for requesting approval of the shared private link resource. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `searchServiceName` | string | The name of the parent searchServices. Required if the template is used in a standalone deployment. | +| [`searchServiceName`](#parameter-searchservicename) | string | The name of the parent searchServices. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). 
| -| `resourceRegion` | string | `''` | Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`resourceRegion`](#parameter-resourceregion) | string | Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `groupId` + +The group ID from the provider of resource the shared private link resource is for. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. +- Required: Yes +- Type: string + +### Parameter: `privateLinkResourceId` + +The resource ID of the resource the shared private link resource is for. +- Required: Yes +- Type: string + +### Parameter: `requestMessage` + +The request message for requesting approval of the shared private link resource. +- Required: Yes +- Type: string + +### Parameter: `resourceRegion` + +Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `searchServiceName` + +The name of the parent searchServices. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the shared private link resource. | | `resourceGroupName` | string | The name of the resource group the shared private link resource was created in. | diff --git a/modules/search/search-service/shared-private-link-resource/main.json b/modules/search/search-service/shared-private-link-resource/main.json index 0c83833c1a..aa59a81fa9 100644 --- a/modules/search/search-service/shared-private-link-resource/main.json +++ b/modules/search/search-service/shared-private-link-resource/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13822392072513993341" + "version": "0.22.6.54827", + "templateHash": "13590696020139320386" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", diff --git a/modules/security/azure-security-center/.test/common/main.test.bicep b/modules/security/azure-security-center/.test/common/main.test.bicep index 1ad4a24cdd..a1caae0519 100644 --- a/modules/security/azure-security-center/.test/common/main.test.bicep +++ b/modules/security/azure-security-center/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index 98bd54bdda..9c0167a1ef 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md 
@@ -4,13 +4,13 @@ This module deploys an Azure Security Center (Defender for Cloud) Configuration. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -21,66 +21,27 @@ This module deploys an Azure Security Center (Defender for Cloud) Configuration. | `Microsoft.Security/securityContacts` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/securityContacts) | | `Microsoft.Security/workspaceSettings` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/workspaceSettings) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `scope` | string | All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | -| `workspaceId` | string | The full Azure ID of the workspace to save the data in. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appServicesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `armPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `autoProvision` | string | `'On'` | `[Off, On]` | Describes what kind of security agent provisioning action to take. - On or Off. | -| `containerRegistryPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for ContainerRegistry. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `containersTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `cosmosDbsTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `deviceSecurityGroupProperties` | object | `{object}` | | Device Security group data. | -| `dnsPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ioTSecuritySolutionProperties` | object | `{object}` | | Security Solution data. | -| `keyVaultsPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. 
| -| `kubernetesServicePricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `location` | string | `[deployment().location]` | | Location deployment metadata. | -| `openSourceRelationalDatabasesTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `securityContactProperties` | object | `{object}` | | Security contact data. | -| `sqlServersPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `sqlServerVirtualMachinesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `storageAccountsPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | -| `virtualMachinesPricingTier` | string | `'Free'` | `[Free, Standard]` | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the security center. | -| `workspaceId` | string | The resource ID of the used log analytics workspace. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/security.azure-security-center:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module azureSecurityCenter './security/azure-security-center/main.bicep' = { +module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sasccom' params: { // Required parameters @@ -131,3 +92,208 @@ module azureSecurityCenter './security/azure-security-center/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`scope`](#parameter-scope) | string | All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | +| [`workspaceId`](#parameter-workspaceid) | string | The full Azure ID of the workspace to save the data in. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appServicesPricingTier`](#parameter-appservicespricingtier) | string | The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`armPricingTier`](#parameter-armpricingtier) | string | The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`autoProvision`](#parameter-autoprovision) | string | Describes what kind of security agent provisioning action to take. - On or Off. | +| [`containerRegistryPricingTier`](#parameter-containerregistrypricingtier) | string | The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`containersTier`](#parameter-containerstier) | string | The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`cosmosDbsTier`](#parameter-cosmosdbstier) | string | The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`deviceSecurityGroupProperties`](#parameter-devicesecuritygroupproperties) | object | Device Security group data. | +| [`dnsPricingTier`](#parameter-dnspricingtier) | string | The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ioTSecuritySolutionProperties`](#parameter-iotsecuritysolutionproperties) | object | Security Solution data. | +| [`keyVaultsPricingTier`](#parameter-keyvaultspricingtier) | string | The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`kubernetesServicePricingTier`](#parameter-kubernetesservicepricingtier) | string | The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. 
| +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`openSourceRelationalDatabasesTier`](#parameter-opensourcerelationaldatabasestier) | string | The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`securityContactProperties`](#parameter-securitycontactproperties) | object | Security contact data. | +| [`sqlServersPricingTier`](#parameter-sqlserverspricingtier) | string | The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`sqlServerVirtualMachinesPricingTier`](#parameter-sqlservervirtualmachinespricingtier) | string | The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`storageAccountsPricingTier`](#parameter-storageaccountspricingtier) | string | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`virtualMachinesPricingTier`](#parameter-virtualmachinespricingtier) | string | The pricing tier value for VMs. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | + +### Parameter: `appServicesPricingTier` + +The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `armPricingTier` + +The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `autoProvision` + +Describes what kind of security agent provisioning action to take. - On or Off. +- Required: No +- Type: string +- Default: `'On'` +- Allowed: `[Off, On]` + +### Parameter: `containerRegistryPricingTier` + +The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `containersTier` + +The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `cosmosDbsTier` + +The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `deviceSecurityGroupProperties` + +Device Security group data. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `dnsPricingTier` + +The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ioTSecuritySolutionProperties` + +Security Solution data. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `keyVaultsPricingTier` + +The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `kubernetesServicePricingTier` + +The pricing tier value for KubernetesService. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `location` + +Location deployment metadata. +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `openSourceRelationalDatabasesTier` + +The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `scope` + +All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. +- Required: Yes +- Type: string + +### Parameter: `securityContactProperties` + +Security contact data. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `sqlServersPricingTier` + +The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `sqlServerVirtualMachinesPricingTier` + +The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `storageAccountsPricingTier` + +The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `virtualMachinesPricingTier` + +The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `workspaceId` + +The full Azure ID of the workspace to save the data in. +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the security center. | +| `workspaceId` | string | The resource ID of the used log analytics workspace. | + +## Cross-referenced modules + +_None_ diff --git a/modules/security/azure-security-center/main.json b/modules/security/azure-security-center/main.json index d9d382b69c..cf4fce1f0b 100644 --- a/modules/security/azure-security-center/main.json +++ b/modules/security/azure-security-center/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11416260825097629257"
+ "version": "0.22.6.54827",
+ "templateHash": "5337788890835022528"
 },
 "name": "Azure Security Center (Defender for Cloud)",
 "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.",
@@ -364,8 +364,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13016057569340125747"
+ "version": "0.22.6.54827",
+ "templateHash": "15519935694361963633"
 }
 },
 "parameters": {
diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep
index e0ad9fc570..b7ffb57b2a 100644
--- a/modules/service-bus/namespace/.test/common/main.test.bicep
+++ b/modules/service-bus/namespace/.test/common/main.test.bicep
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== //
diff --git a/modules/service-bus/namespace/.test/min/main.test.bicep b/modules/service-bus/namespace/.test/min/main.test.bicep
index 0656221b4e..81c5af272a 100644
--- a/modules/service-bus/namespace/.test/min/main.test.bicep
+++ b/modules/service-bus/namespace/.test/min/main.test.bicep
@@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== //
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index eb97303df4..67765a898b 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
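Review bot: The `metadata name` / `metadata description` pair added here to `.test/min` (and to `.test/common` in the preceding hunk) appears to be missing from this module's remaining test folders, because the regenerated service-bus README further down in this same commit lists the other examples as `Encr` and `Pe`, i.e. bare folder names, next to the descriptive `Using large parameter set` and `Using only defaults` titles. Giving those test files the same two lines, e.g. `metadata name = '<descriptive example title>'` and `metadata description = '<one-sentence summary>'`, would make the generated navigation and example headings consistent. This is inferred from the README hunk rather than from the test files themselves, so it is worth confirming against the module's `.test` folder before merging.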
@@ -4,13 +4,13 @@ This module deploys a Service Bus Namespace. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -29,92 +29,30 @@ This module deploys a Service Bus Namespace. | `Microsoft.ServiceBus/namespaces/topics` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics) | | `Microsoft.ServiceBus/namespaces/topics/authorizationRules` | [2022-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2022-10-01-preview/namespaces/topics/authorizationRules) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Service Bus Namespace. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Conditional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-bus.namespace:1.0.0`. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) +- [Pe](#example-4-pe) -**Optional parameters** +### Example 1: _Using large parameter set_ -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `alternateName` | string | `''` | | Alternate name for namespace. | -| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus namespace. 
| -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, OperationalLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableLocalAuth` | bool | `True` | | This property disables SAS authentication for the Service Bus namespace. | -| `disasterRecoveryConfigs` | object | `{object}` | | The disaster recovery configuration. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `migrationConfigurations` | object | `{object}` | | The migration configuration. | -| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | The minimum TLS version for the cluster to support. | -| `networkRuleSets` | object | `{object}` | | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | -| `premiumMessagingPartitions` | int | `1` | | The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled, SecuredByPerimeter]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `queues` | array | `[]` | | The queues to create in the service bus namespace. | -| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `skuCapacity` | int | `1` | `[1, 2, 4, 8, 16, 32]` | The specified messaging units for the tier. Only used for Premium Sku tier. | -| `skuName` | string | `'Basic'` | `[Basic, Premium, Standard]` | Name of this SKU. - Basic, Standard, Premium. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `topics` | array | `[]` | | The topics to create in the service bus namespace. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | +This instance deploys the module with most of its features enabled. -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed service bus namespace. | -| `resourceGroupName` | string | The resource group of the deployed service bus namespace. | -| `resourceId` | string | The resource ID of the deployed service bus namespace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
- -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

-
via Bicep module ```bicep -module namespace './service-bus/namespace/main.bicep' = { +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sbncom' params: { // Required parameters @@ -488,14 +426,14 @@ module namespace './service-bus/namespace/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module ```bicep -module namespace './service-bus/namespace/main.bicep' = { +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sbnencr' params: { // Required parameters @@ -671,14 +609,17 @@ module namespace './service-bus/namespace/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module namespace './service-bus/namespace/main.bicep' = { +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sbnmin' params: { // Required parameters @@ -716,14 +657,14 @@ module namespace './service-bus/namespace/main.bicep' = {

-

Example 4: Pe

+### Example 4: _Pe_
via Bicep module ```bicep -module namespace './service-bus/namespace/main.bicep' = { +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sbnpe' params: { // Required parameters @@ -814,3 +755,326 @@ module namespace './service-bus/namespace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Service Bus Namespace. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`alternateName`](#parameter-alternatename) | string | Alternate name for namespace. | +| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus namespace. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Service Bus namespace. | +| [`disasterRecoveryConfigs`](#parameter-disasterrecoveryconfigs) | object | The disaster recovery configuration. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`migrationConfigurations`](#parameter-migrationconfigurations) | object | The migration configuration. | +| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | +| [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| [`premiumMessagingPartitions`](#parameter-premiummessagingpartitions) | int | The number of partitions of a Service Bus namespace. 
This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`queues`](#parameter-queues) | array | The queues to create in the service bus namespace. | +| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`skuCapacity`](#parameter-skucapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. | +| [`skuName`](#parameter-skuname) | string | Name of this SKU. - Basic, Standard, Premium. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`topics`](#parameter-topics) | array | The topics to create in the service bus namespace. 
| +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | + +### Parameter: `alternateName` + +Alternate name for namespace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `authorizationRules` + +Authorization Rules for the Service Bus namespace. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, OperationalLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableLocalAuth` + +This property disables SAS authentication for the Service Bus namespace. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `disasterRecoveryConfigs` + +The disaster recovery configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `migrationConfigurations` + +The migration configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `minimumTlsVersion` + +The minimum TLS version for the cluster to support. 
+- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2]` + +### Parameter: `name` + +Name of the Service Bus Namespace. +- Required: Yes +- Type: string + +### Parameter: `networkRuleSets` + +Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `premiumMessagingPartitions` + +The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled, SecuredByPerimeter]` + +### Parameter: `queues` + +The queues to create in the service bus namespace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `requireInfrastructureEncryption` + +Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `skuCapacity` + +The specified messaging units for the tier. Only used for Premium Sku tier. +- Required: No +- Type: int +- Default: `1` +- Allowed: `[1, 2, 4, 8, 16, 32]` + +### Parameter: `skuName` + +Name of this SKU. - Basic, Standard, Premium. +- Required: No +- Type: string +- Default: `'Basic'` +- Allowed: `[Basic, Premium, Standard]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `topics` + +The topics to create in the service bus namespace. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed service bus namespace. | +| `resourceGroupName` | string | The resource group of the deployed service bus namespace. | +| `resourceId` | string | The resource ID of the deployed service bus namespace. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/service-bus/namespace/authorization-rule/README.md b/modules/service-bus/namespace/authorization-rule/README.md index 04226f8184..b4bec73526 100644 --- a/modules/service-bus/namespace/authorization-rule/README.md +++ b/modules/service-bus/namespace/authorization-rule/README.md 
@@ -19,27 +19,54 @@ This module deploys a Service Bus Namespace Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the authorization rule. | +| [`name`](#parameter-name) | string | The name of the authorization rule. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the authorization rule. +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. 
+- Required: No +- Type: array +- Default: `[]` +- Allowed: `[Listen, Manage, Send]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | diff --git a/modules/service-bus/namespace/disaster-recovery-config/README.md b/modules/service-bus/namespace/disaster-recovery-config/README.md index 117b394910..f018bb7277 100644 --- a/modules/service-bus/namespace/disaster-recovery-config/README.md +++ b/modules/service-bus/namespace/disaster-recovery-config/README.md 
@@ -19,23 +19,57 @@ This module deploys a Service Bus Namespace Disaster Recovery Config **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `alternateName` | string | `''` | Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'default'` | The name of the disaster recovery config. | -| `partnerNamespaceResourceID` | string | `''` | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`alternateName`](#parameter-alternatename) | string | Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the disaster recovery config. | +| [`partnerNamespaceResourceID`](#parameter-partnernamespaceresourceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | + +### Parameter: `alternateName` + +Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the disaster recovery config. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `partnerNamespaceResourceID` + +Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the disaster recovery config. | | `resourceGroupName` | string | The name of the Resource Group the disaster recovery config was created in. | diff --git a/modules/service-bus/namespace/migration-configuration/README.md b/modules/service-bus/namespace/migration-configuration/README.md index 445edd7e6a..26b9a9b0dd 100644 --- a/modules/service-bus/namespace/migration-configuration/README.md +++ b/modules/service-bus/namespace/migration-configuration/README.md 
@@ -19,27 +19,52 @@ This module deploys a Service Bus Namespace Migration Configuration. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `postMigrationName` | string | Name to access Standard Namespace after migration. | -| `targetNamespaceResourceId` | string | Existing premium Namespace resource ID which has no entities, will be used for migration. | +| [`postMigrationName`](#parameter-postmigrationname) | string | Name to access Standard Namespace after migration. | +| [`targetNamespaceResourceId`](#parameter-targetnamespaceresourceid) | string | Existing premium Namespace resource ID which has no entities, will be used for migration. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `postMigrationName` + +Name to access Standard Namespace after migration. +- Required: Yes +- Type: string + +### Parameter: `targetNamespaceResourceId` + +Existing premium Namespace resource ID which has no entities, will be used for migration. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the migration configuration. | | `resourceGroupName` | string | The name of the Resource Group the migration configuration was created in. | diff --git a/modules/service-bus/namespace/network-rule-set/README.md b/modules/service-bus/namespace/network-rule-set/README.md index 2ee50b770c..e24150422b 100644 --- a/modules/service-bus/namespace/network-rule-set/README.md +++ b/modules/service-bus/namespace/network-rule-set/README.md 
@@ -19,25 +19,75 @@ This module deploys a ServiceBus Namespace Network Rule Set.
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
-| `trustedServiceAccessEnabled` | bool | `True` | | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
-| `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`defaultAction`](#parameter-defaultaction) | string | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`ipRules`](#parameter-iprules) | array | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. |
+| [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". |
+| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". |
+
+### Parameter: `defaultAction`
+
+Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.
+- Required: No
+- Type: string
+- Default: `'Allow'`
+- Allowed: `[Allow, Deny]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `ipRules`
+
+List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `namespaceName`
+
+The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `publicNetworkAccess`
+
+This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `trustedServiceAccessEnabled`
+
+Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `virtualNetworkRules`
+
+List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".
+- Required: No
+- Type: array
+- Default: `[]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the network rule set. |
 | `resourceGroupName` | string | The name of the resource group the network rule set was created in. |
diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md
index 23a86f0b78..e77f024a24 100644
--- a/modules/service-bus/namespace/queue/README.md
+++ b/modules/service-bus/namespace/queue/README.md
@@ -4,12 +4,12 @@ This module deploys a Service Bus Namespace Queue.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -22,45 +22,199 @@ This module deploys a Service Bus Namespace Queue.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Service Bus Queue. |
+| [`name`](#parameter-name) | string | Name of the Service Bus Queue. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus Queue. |
-| `autoDeleteOnIdle` | string | `''` | | ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). |
-| `deadLetteringOnMessageExpiration` | bool | `True` | | A value that indicates whether this queue has dead letter support when a message expires. |
-| `defaultMessageTimeToLive` | string | `'P14D'` | | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. |
-| `duplicateDetectionHistoryTimeWindow` | string | `'PT10M'` | | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. |
-| `enableBatchedOperations` | bool | `True` | | Value that indicates whether server-side batched operations are enabled. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableExpress` | bool | `False` | | A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. |
-| `enablePartitioning` | bool | `False` | | A value that indicates whether the queue is to be partitioned across multiple message brokers. |
-| `forwardDeadLetteredMessagesTo` | string | `''` | | Queue/Topic name to forward the Dead Letter message. |
-| `forwardTo` | string | `''` | | Queue/Topic name to forward the messages. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `lockDuration` | string | `'PT1M'` | | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. |
-| `maxDeliveryCount` | int | `10` | | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. |
-| `maxMessageSizeInKilobytes` | int | `1024` | | Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. |
-| `maxSizeInMegabytes` | int | `1024` | | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. |
-| `requiresDuplicateDetection` | bool | `False` | | A value indicating if this queue requires duplicate detection. |
-| `requiresSession` | bool | `False` | | A value that indicates whether the queue supports the concept of sessions. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus Queue. |
+| [`autoDeleteOnIdle`](#parameter-autodeleteonidle) | string | ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). |
+| [`deadLetteringOnMessageExpiration`](#parameter-deadletteringonmessageexpiration) | bool | A value that indicates whether this queue has dead letter support when a message expires. |
+| [`defaultMessageTimeToLive`](#parameter-defaultmessagetimetolive) | string | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. |
+| [`duplicateDetectionHistoryTimeWindow`](#parameter-duplicatedetectionhistorytimewindow) | string | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. |
+| [`enableBatchedOperations`](#parameter-enablebatchedoperations) | bool | Value that indicates whether server-side batched operations are enabled. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableExpress`](#parameter-enableexpress) | bool | A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. |
+| [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the queue is to be partitioned across multiple message brokers. |
+| [`forwardDeadLetteredMessagesTo`](#parameter-forwarddeadletteredmessagesto) | string | Queue/Topic name to forward the Dead Letter message. |
+| [`forwardTo`](#parameter-forwardto) | string | Queue/Topic name to forward the messages. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lockDuration`](#parameter-lockduration) | string | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. |
+| [`maxDeliveryCount`](#parameter-maxdeliverycount) | int | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. |
+| [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. |
+| [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. |
+| [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this queue requires duplicate detection. |
+| [`requiresSession`](#parameter-requiressession) | bool | A value that indicates whether the queue supports the concept of sessions. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
+
+### Parameter: `authorizationRules`
+
+Authorization Rules for the Service Bus Queue.
+- Required: No
+- Type: array
+- Default: `[System.Management.Automation.OrderedHashtable]`
+
+### Parameter: `autoDeleteOnIdle`
+
+ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M).
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `deadLetteringOnMessageExpiration`
+
+A value that indicates whether this queue has dead letter support when a message expires.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `defaultMessageTimeToLive`
+
+ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself.
+- Required: No
+- Type: string
+- Default: `'P14D'`
+
+### Parameter: `duplicateDetectionHistoryTimeWindow`
+
+ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes.
+- Required: No
+- Type: string
+- Default: `'PT10M'`
+
+### Parameter: `enableBatchedOperations`
+
+Value that indicates whether server-side batched operations are enabled.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableExpress`
+
+A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enablePartitioning`
+
+A value that indicates whether the queue is to be partitioned across multiple message brokers.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `forwardDeadLetteredMessagesTo`
+
+Queue/Topic name to forward the Dead Letter message.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `forwardTo`
+
+Queue/Topic name to forward the messages.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `lockDuration`
+
+ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute.
+- Required: No
+- Type: string
+- Default: `'PT1M'`
+
+### Parameter: `maxDeliveryCount`
+
+The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10.
+- Required: No
+- Type: int
+- Default: `10`
+
+### Parameter: `maxMessageSizeInKilobytes`
+
+Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024.
+- Required: No
+- Type: int
+- Default: `1024`
+
+### Parameter: `maxSizeInMegabytes`
+
+The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024.
+- Required: No
+- Type: int
+- Default: `1024`
+
+### Parameter: `name`
+
+Name of the Service Bus Queue.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `requiresDuplicateDetection`
+
+A value indicating if this queue requires duplicate detection.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `requiresSession`
+
+A value that indicates whether the queue supports the concept of sessions.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `status`
+
+Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.
+- Required: No
+- Type: string
+- Default: `'Active'`
+- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed queue. |
 | `resourceGroupName` | string | The resource group of the deployed queue. |
diff --git a/modules/service-bus/namespace/queue/authorization-rule/README.md b/modules/service-bus/namespace/queue/authorization-rule/README.md
index 9d3235856b..953b3a3459 100644
--- a/modules/service-bus/namespace/queue/authorization-rule/README.md
+++ b/modules/service-bus/namespace/queue/authorization-rule/README.md
@@ -19,28 +19,61 @@ This module deploys a Service Bus Namespace Queue Authorization Rule.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the service bus namepace queue. |
+| [`name`](#parameter-name) | string | The name of the service bus namepace queue. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. |
-| `queueName` | string | The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. |
+| [`queueName`](#parameter-queuename) | string | The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`rights`](#parameter-rights) | array | The rights associated with the rule. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the service bus namepace queue.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `queueName`
+
+The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `rights`
+
+The rights associated with the rule.
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed: `[Listen, Manage, Send]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the authorization rule. |
 | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. |
diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md
index 51fe952267..a554531ad1 100644
--- a/modules/service-bus/namespace/topic/README.md
+++ b/modules/service-bus/namespace/topic/README.md
@@ -22,40 +22,159 @@ This module deploys a Service Bus Namespace Topic.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Service Bus Topic. |
+| [`name`](#parameter-name) | string | Name of the Service Bus Topic. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. |
+| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `authorizationRules` | array | `[System.Management.Automation.OrderedHashtable]` | | Authorization Rules for the Service Bus Topic. |
-| `autoDeleteOnIdle` | string | `'PT5M'` | | ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes. |
-| `defaultMessageTimeToLive` | string | `'P14D'` | | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. |
-| `duplicateDetectionHistoryTimeWindow` | string | `'PT10M'` | | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. |
-| `enableBatchedOperations` | bool | `True` | | Value that indicates whether server-side batched operations are enabled. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableExpress` | bool | `False` | | A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. |
-| `enablePartitioning` | bool | `False` | | A value that indicates whether the topic is to be partitioned across multiple message brokers. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `maxMessageSizeInKilobytes` | int | `1024` | | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. |
-| `maxSizeInMegabytes` | int | `1024` | | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. |
-| `requiresDuplicateDetection` | bool | `False` | | A value indicating if this topic requires duplicate detection. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `status` | string | `'Active'` | `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
-| `supportOrdering` | bool | `False` | | Value that indicates whether the topic supports ordering. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus Topic. |
+| [`autoDeleteOnIdle`](#parameter-autodeleteonidle) | string | ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes. |
+| [`defaultMessageTimeToLive`](#parameter-defaultmessagetimetolive) | string | ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. |
+| [`duplicateDetectionHistoryTimeWindow`](#parameter-duplicatedetectionhistorytimewindow) | string | ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. |
+| [`enableBatchedOperations`](#parameter-enablebatchedoperations) | bool | Value that indicates whether server-side batched operations are enabled. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableExpress`](#parameter-enableexpress) | bool | A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. |
+| [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the topic is to be partitioned across multiple message brokers. |
+| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. |
+| [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. |
+| [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this topic requires duplicate detection. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
+| [`supportOrdering`](#parameter-supportordering) | bool | Value that indicates whether the topic supports ordering. |
+
+### Parameter: `authorizationRules`
+
+Authorization Rules for the Service Bus Topic.
+- Required: No
+- Type: array
+- Default: `[System.Management.Automation.OrderedHashtable]`
+
+### Parameter: `autoDeleteOnIdle`
+
+ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes.
+- Required: No
+- Type: string
+- Default: `'PT5M'`
+
+### Parameter: `defaultMessageTimeToLive`
+
+ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself.
+- Required: No
+- Type: string
+- Default: `'P14D'`
+
+### Parameter: `duplicateDetectionHistoryTimeWindow`
+
+ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes.
+- Required: No
+- Type: string
+- Default: `'PT10M'`
+
+### Parameter: `enableBatchedOperations`
+
+Value that indicates whether server-side batched operations are enabled.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableExpress`
+
+A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enablePartitioning`
+
+A value that indicates whether the topic is to be partitioned across multiple message brokers.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `maxMessageSizeInKilobytes`
+
+Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024.
+- Required: No
+- Type: int
+- Default: `1024`
+
+### Parameter: `maxSizeInMegabytes`
+
+The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024.
+- Required: No
+- Type: int
+- Default: `1024`
+
+### Parameter: `name`
+
+Name of the Service Bus Topic.
+- Required: Yes
+- Type: string
+
+### Parameter: `namespaceName`
+
+The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `requiresDuplicateDetection`
+
+A value indicating if this topic requires duplicate detection.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `status`
+
+Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.
+- Required: No
+- Type: string
+- Default: `'Active'`
+- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]`
+
+### Parameter: `supportOrdering`
+
+Value that indicates whether the topic supports ordering.
+- Required: No
+- Type: bool
+- Default: `False`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed topic. |
 | `resourceGroupName` | string | The resource group of the deployed topic. |
diff --git a/modules/service-bus/namespace/topic/authorization-rule/README.md b/modules/service-bus/namespace/topic/authorization-rule/README.md
index 42f6aa3e9b..ec255bfbe3 100644
--- a/modules/service-bus/namespace/topic/authorization-rule/README.md
+++ b/modules/service-bus/namespace/topic/authorization-rule/README.md
@@ -19,28 +19,61 @@ This module deploys a Service Bus Namespace Topic Authorization Rule. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the service bus namespace topic. | +| [`name`](#parameter-name) | string | The name of the service bus namespace topic. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. | -| `topicName` | string | The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. | +| [`namespaceName`](#parameter-namespacename) | string | The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. | +| [`topicName`](#parameter-topicname) | string | The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `rights` | array | `[]` | `[Listen, Manage, Send]` | The rights associated with the rule. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`rights`](#parameter-rights) | array | The rights associated with the rule. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the service bus namespace topic. 
+- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `rights` + +The rights associated with the rule. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[Listen, Manage, Send]` + +### Parameter: `topicName` + +The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the authorization rule. | | `resourceGroupName` | string | The name of the Resource Group the authorization rule was created in. | diff --git a/modules/service-fabric/cluster/.test/common/main.test.bicep b/modules/service-fabric/cluster/.test/common/main.test.bicep index 3d0d8599f6..1f35cd24db 100644 --- a/modules/service-fabric/cluster/.test/common/main.test.bicep +++ b/modules/service-fabric/cluster/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/service-fabric/cluster/.test/min/main.test.bicep b/modules/service-fabric/cluster/.test/min/main.test.bicep index 84390edecf..e7bf07187d 100644 --- a/modules/service-fabric/cluster/.test/min/main.test.bicep +++ b/modules/service-fabric/cluster/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // 
diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 1d92aa0629..4df1e6c55e 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -5,10 +5,10 @@ This module deploys a Service Fabric Cluster. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -20,82 +20,26 @@ This module deploys a Service Fabric Cluster. | `Microsoft.ServiceFabric/clusters` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceFabric/2021-06-01/clusters) | | `Microsoft.ServiceFabric/clusters/applicationTypes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ServiceFabric/2021-06-01/clusters/applicationTypes) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `managementEndpoint` | string | | The http management endpoint of the cluster. | -| `name` | string | | Name of the Service Fabric cluster. | -| `nodeTypes` | array | | The list of node types in the cluster. | -| `reliabilityLevel` | string | `[Bronze, Gold, None, Platinum, Silver]` | The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-fabric.cluster:1.0.0`. 
-| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `addOnFeatures` | array | `[]` | `[BackupRestoreService, DnsService, RepairManager, ResourceMonitorService]` | The list of add-on features to enable in the cluster. | -| `applicationTypes` | array | `[]` | | Array of Service Fabric cluster application types. | -| `azureActiveDirectory` | object | `{object}` | | The settings to enable AAD authentication on the cluster. | -| `certificate` | object | `{object}` | | Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. | -| `certificateCommonNames` | object | `{object}` | | Describes a list of server certificates referenced by common name that are used to secure the cluster. | -| `clientCertificateCommonNames` | array | `[]` | | The list of client certificates referenced by common name that are allowed to manage the cluster. | -| `clientCertificateThumbprints` | array | `[]` | | The list of client certificates referenced by thumbprint that are allowed to manage the cluster. | -| `clusterCodeVersion` | string | `''` | | The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. | -| `diagnosticsStorageAccountConfig` | object | `{object}` | | The storage account information for storing Service Fabric diagnostic logs. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `eventStoreServiceEnabled` | bool | `False` | | Indicates if the event store service is enabled. | -| `fabricSettings` | array | `[]` | | The list of custom fabric settings to configure the cluster. 
| -| `infrastructureServiceManager` | bool | `False` | | Indicates if infrastructure service manager is enabled. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxUnusedVersionsToKeep` | int | `3` | | Number of unused versions per application type to keep. | -| `notifications` | array | `[]` | | Indicates a list of notification channels for cluster events. | -| `reverseProxyCertificate` | object | `{object}` | | Describes the certificate details. | -| `reverseProxyCertificateCommonNames` | object | `{object}` | | Describes a list of server certificates referenced by common name that are used to secure the cluster. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sfZonalUpgradeMode` | string | `'Hierarchical'` | `[Hierarchical, Parallel]` | This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `upgradeDescription` | object | `{object}` | | Describes the policy used when upgrading the cluster. | -| `upgradeMode` | string | `'Automatic'` | `[Automatic, Manual]` | The upgrade mode of the cluster when new Service Fabric runtime version is available. | -| `upgradePauseEndTimestampUtc` | string | `''` | | Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). 
| -| `upgradePauseStartTimestampUtc` | string | `''` | | Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). | -| `upgradeWave` | string | `'Wave0'` | `[Wave0, Wave1, Wave2]` | Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. | -| `vmImage` | string | `''` | | The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used. | -| `vmssZonalUpgradeMode` | string | `'Hierarchical'` | `[Hierarchical, Parallel]` | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. | -| `waveUpgradePaused` | bool | `False` | | Boolean to pause automatic runtime version upgrades to the cluster. | +- [Cert](#example-1-cert) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [Using only defaults](#example-3-using-only-defaults) - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `endpoint` | string | The Service Fabric Cluster endpoint. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Service Fabric Cluster name. | -| `resourceGroupName` | string | The Service Fabric Cluster resource group. | -| `resourceId` | string | The Service Fabric Cluster resource ID. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Cert

+### Example 1: _Cert_
via Bicep module ```bicep -module cluster './service-fabric/cluster/main.bicep' = { +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sfccer' params: { // Required parameters @@ -199,14 +143,17 @@ module cluster './service-fabric/cluster/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module cluster './service-fabric/cluster/main.bicep' = { +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sfccom' params: { // Required parameters @@ -608,14 +555,17 @@ module cluster './service-fabric/cluster/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module cluster './service-fabric/cluster/main.bicep' = { +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sfcmin' params: { // Required parameters @@ -698,6 +648,308 @@ module cluster './service-fabric/cluster/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`managementEndpoint`](#parameter-managementendpoint) | string | The http management endpoint of the cluster. | +| [`name`](#parameter-name) | string | Name of the Service Fabric cluster. | +| [`nodeTypes`](#parameter-nodetypes) | array | The list of node types in the cluster. | +| [`reliabilityLevel`](#parameter-reliabilitylevel) | string | The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addOnFeatures`](#parameter-addonfeatures) | array | The list of add-on features to enable in the cluster. | +| [`applicationTypes`](#parameter-applicationtypes) | array | Array of Service Fabric cluster application types. | +| [`azureActiveDirectory`](#parameter-azureactivedirectory) | object | The settings to enable AAD authentication on the cluster. | +| [`certificate`](#parameter-certificate) | object | Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. | +| [`certificateCommonNames`](#parameter-certificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. 
| +| [`clientCertificateCommonNames`](#parameter-clientcertificatecommonnames) | array | The list of client certificates referenced by common name that are allowed to manage the cluster. | +| [`clientCertificateThumbprints`](#parameter-clientcertificatethumbprints) | array | The list of client certificates referenced by thumbprint that are allowed to manage the cluster. | +| [`clusterCodeVersion`](#parameter-clustercodeversion) | string | The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. | +| [`diagnosticsStorageAccountConfig`](#parameter-diagnosticsstorageaccountconfig) | object | The storage account information for storing Service Fabric diagnostic logs. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventStoreServiceEnabled`](#parameter-eventstoreserviceenabled) | bool | Indicates if the event store service is enabled. | +| [`fabricSettings`](#parameter-fabricsettings) | array | The list of custom fabric settings to configure the cluster. | +| [`infrastructureServiceManager`](#parameter-infrastructureservicemanager) | bool | Indicates if infrastructure service manager is enabled. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maxUnusedVersionsToKeep`](#parameter-maxunusedversionstokeep) | int | Number of unused versions per application type to keep. | +| [`notifications`](#parameter-notifications) | array | Indicates a list of notification channels for cluster events. | +| [`reverseProxyCertificate`](#parameter-reverseproxycertificate) | object | Describes the certificate details. 
| +| [`reverseProxyCertificateCommonNames`](#parameter-reverseproxycertificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sfZonalUpgradeMode`](#parameter-sfzonalupgrademode) | string | This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`upgradeDescription`](#parameter-upgradedescription) | object | Describes the policy used when upgrading the cluster. | +| [`upgradeMode`](#parameter-upgrademode) | string | The upgrade mode of the cluster when new Service Fabric runtime version is available. | +| [`upgradePauseEndTimestampUtc`](#parameter-upgradepauseendtimestamputc) | string | Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). | +| [`upgradePauseStartTimestampUtc`](#parameter-upgradepausestarttimestamputc) | string | Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). | +| [`upgradeWave`](#parameter-upgradewave) | string | Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. | +| [`vmImage`](#parameter-vmimage) | string | The VM image VMSS has been configured with. 
Generic names such as Windows or Linux can be used. | +| [`vmssZonalUpgradeMode`](#parameter-vmsszonalupgrademode) | string | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. | +| [`waveUpgradePaused`](#parameter-waveupgradepaused) | bool | Boolean to pause automatic runtime version upgrades to the cluster. | + +### Parameter: `addOnFeatures` + +The list of add-on features to enable in the cluster. +- Required: No +- Type: array +- Default: `[]` +- Allowed: `[BackupRestoreService, DnsService, RepairManager, ResourceMonitorService]` + +### Parameter: `applicationTypes` + +Array of Service Fabric cluster application types. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `azureActiveDirectory` + +The settings to enable AAD authentication on the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `certificate` + +Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `certificateCommonNames` + +Describes a list of server certificates referenced by common name that are used to secure the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `clientCertificateCommonNames` + +The list of client certificates referenced by common name that are allowed to manage the cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `clientCertificateThumbprints` + +The list of client certificates referenced by thumbprint that are allowed to manage the cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `clusterCodeVersion` + +The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". 
To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticsStorageAccountConfig` + +The storage account information for storing Service Fabric diagnostic logs. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventStoreServiceEnabled` + +Indicates if the event store service is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `fabricSettings` + +The list of custom fabric settings to configure the cluster. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `infrastructureServiceManager` + +Indicates if infrastructure service manager is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managementEndpoint` + +The http management endpoint of the cluster. +- Required: Yes +- Type: string + +### Parameter: `maxUnusedVersionsToKeep` + +Number of unused versions per application type to keep. +- Required: No +- Type: int +- Default: `3` + +### Parameter: `name` + +Name of the Service Fabric cluster. +- Required: Yes +- Type: string + +### Parameter: `nodeTypes` + +The list of node types in the cluster. +- Required: Yes +- Type: array + +### Parameter: `notifications` + +Indicates a list of notification channels for cluster events. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `reliabilityLevel` + +The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. +- Required: Yes +- Type: string +- Allowed: `[Bronze, Gold, None, Platinum, Silver]` + +### Parameter: `reverseProxyCertificate` + +Describes the certificate details. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `reverseProxyCertificateCommonNames` + +Describes a list of server certificates referenced by common name that are used to secure the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sfZonalUpgradeMode` + +This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. 
+- Required: No +- Type: string +- Default: `'Hierarchical'` +- Allowed: `[Hierarchical, Parallel]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `upgradeDescription` + +Describes the policy used when upgrading the cluster. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `upgradeMode` + +The upgrade mode of the cluster when new Service Fabric runtime version is available. +- Required: No +- Type: string +- Default: `'Automatic'` +- Allowed: `[Automatic, Manual]` + +### Parameter: `upgradePauseEndTimestampUtc` + +Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `upgradePauseStartTimestampUtc` + +Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `upgradeWave` + +Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. +- Required: No +- Type: string +- Default: `'Wave0'` +- Allowed: `[Wave0, Wave1, Wave2]` + +### Parameter: `vmImage` + +The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `vmssZonalUpgradeMode` + +This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. +- Required: No +- Type: string +- Default: `'Hierarchical'` +- Allowed: `[Hierarchical, Parallel]` + +### Parameter: `waveUpgradePaused` + +Boolean to pause automatic runtime version upgrades to the cluster. 
+- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `endpoint` | string | The Service Fabric Cluster endpoint. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Service Fabric Cluster name. | +| `resourceGroupName` | string | The Service Fabric Cluster resource group. | +| `resourceId` | string | The Service Fabric Cluster resource ID. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `notifications` diff --git a/modules/service-fabric/cluster/application-type/README.md b/modules/service-fabric/cluster/application-type/README.md index 5694135918..1fd40f7308 100644 --- a/modules/service-fabric/cluster/application-type/README.md +++ b/modules/service-fabric/cluster/application-type/README.md 
@@ -19,22 +19,49 @@ This module deploys a Service Fabric Cluster Application Type. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `serviceFabricClusterName` | string | The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. | +| [`serviceFabricClusterName`](#parameter-servicefabricclustername) | string | The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'defaultApplicationType'` | Application type name. | -| `tags` | object | `{object}` | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | Application type name. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Application type name. +- Required: No +- Type: string +- Default: `'defaultApplicationType'` + +### Parameter: `serviceFabricClusterName` + +The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The resource name of the Application type. 
| | `resourceGroupName` | string | The resource group of the Application type. | diff --git a/modules/service-fabric/cluster/application-type/main.json b/modules/service-fabric/cluster/application-type/main.json index 4b21e5e00d..ed0f9dfa6d 100644 --- a/modules/service-fabric/cluster/application-type/main.json +++ b/modules/service-fabric/cluster/application-type/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18125415207616023954" + "version": "0.22.6.54827", + "templateHash": "3441501457466891361" }, "name": "Service Fabric Cluster Application Types", "description": "This module deploys a Service Fabric Cluster Application Type.", diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json index e24955a9f4..66d8a1770e 100644 --- a/modules/service-fabric/cluster/main.json +++ b/modules/service-fabric/cluster/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4531061772881706732" + "version": "0.22.6.54827", + "templateHash": "212662749954902934" }, "name": "Service Fabric Clusters", "description": "This module deploys a Service Fabric Cluster.", @@ -443,8 +443,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "4382638068628666696" + "version": "0.22.6.54827", + "templateHash": "6506040938777455648" } }, "parameters": { @@ -588,8 +588,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14898826188473594106" + "version": "0.22.6.54827", + "templateHash": "3441501457466891361" }, "name": "Service Fabric Cluster Application Types", "description": "This module deploys a Service Fabric Cluster Application Type.", diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep index 45b2ef7a66..433523a64f 100644 
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep +++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/signal-r-service/signal-r/.test/min/main.test.bicep b/modules/signal-r-service/signal-r/.test/min/main.test.bicep index f262b7c91b..3f7d469ad1 100644 --- a/modules/signal-r-service/signal-r/.test/min/main.test.bicep +++ b/modules/signal-r-service/signal-r/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 2f25ef7491..3a6b8ee2c8 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -5,10 +5,10 @@ This module deploys a SignalR Service SignalR. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,71 +20,28 @@ This module deploys a SignalR Service SignalR. | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.SignalRService/signalR` | [2022-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2022-02-01/signalR) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the SignalR Service resource. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowedOrigins` | array | `[*]` | | The allowed origin settings of the resource. | -| `capacity` | int | `1` | | The unit count of the resource. | -| `clientCertEnabled` | bool | `False` | | Request client certificate during TLS handshake if enabled. | -| `disableAadAuth` | bool | `False` | | The disable Azure AD auth settings of the resource. | -| `disableLocalAuth` | bool | `True` | | The disable local auth settings of the resource. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `features` | array | `[System.Management.Automation.OrderedHashtable]` | | The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. | -| `kind` | string | `'SignalR'` | `[RawWebSockets, SignalR]` | The kind of the service. | -| `liveTraceCatagoriesToEnable` | array | `[ConnectivityLogs, MessagingLogs]` | `[ConnectivityLogs, MessagingLogs]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `location` | string | `[resourceGroup().location]` | | The location for the resource. 
| -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `resourceLogConfigurationsToEnable` | array | `[ConnectivityLogs, MessagingLogs]` | `[ConnectivityLogs, MessagingLogs]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Standard_S1'` | `[Free_F1, Premium_P1, Premium_P2, Premium_P3, Standard_S1, Standard_S2, Standard_S3]` | The SKU of the service. | -| `tags` | object | `{object}` | | The tags of the resource. | -| `upstreamTemplatesToEnable` | array | `[]` | | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. 
| - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The SignalR name. | -| `resourceGroupName` | string | The SignalR resource group. | -| `resourceId` | string | The SignalR resource ID. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.signal-r:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module signalR './signal-r-service/signal-r/main.bicep' = { +module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { name: '${uniqueString(deployment().name)}-test-srssrcom' params: { // Required parameters @@ -268,14 +225,17 @@ module signalR './signal-r-service/signal-r/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module signalR './signal-r-service/signal-r/main.bicep' = { +module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { name: '${uniqueString(deployment().name)}-test-srsdrmin' params: { // Required parameters @@ -312,3 +272,199 @@ module signalR './signal-r-service/signal-r/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the SignalR Service resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowedOrigins`](#parameter-allowedorigins) | array | The allowed origin settings of the resource. | +| [`capacity`](#parameter-capacity) | int | The unit count of the resource. | +| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | Request client certificate during TLS handshake if enabled. | +| [`disableAadAuth`](#parameter-disableaadauth) | bool | The disable Azure AD auth settings of the resource. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | The disable local auth settings of the resource. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`features`](#parameter-features) | array | The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. | +| [`kind`](#parameter-kind) | string | The kind of the service. | +| [`liveTraceCatagoriesToEnable`](#parameter-livetracecatagoriestoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| [`location`](#parameter-location) | string | The location for the resource. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. 
For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | The SKU of the service. | +| [`tags`](#parameter-tags) | object | The tags of the resource. | +| [`upstreamTemplatesToEnable`](#parameter-upstreamtemplatestoenable) | array | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. | + +### Parameter: `allowedOrigins` + +The allowed origin settings of the resource. +- Required: No +- Type: array +- Default: `[*]` + +### Parameter: `capacity` + +The unit count of the resource. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `clientCertEnabled` + +Request client certificate during TLS handshake if enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableAadAuth` + +The disable Azure AD auth settings of the resource. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableLocalAuth` + +The disable local auth settings of the resource. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `features` + +The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `kind` + +The kind of the service. +- Required: No +- Type: string +- Default: `'SignalR'` +- Allowed: `[RawWebSockets, SignalR]` + +### Parameter: `liveTraceCatagoriesToEnable` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: array +- Default: `[ConnectivityLogs, MessagingLogs]` +- Allowed: `[ConnectivityLogs, MessagingLogs]` + +### Parameter: `location` + +The location for the resource. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the SignalR Service resource. +- Required: Yes +- Type: string + +### Parameter: `networkAcls` + +Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `resourceLogConfigurationsToEnable` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: array +- Default: `[ConnectivityLogs, MessagingLogs]` +- Allowed: `[ConnectivityLogs, MessagingLogs]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +The SKU of the service. +- Required: No +- Type: string +- Default: `'Standard_S1'` +- Allowed: `[Free_F1, Premium_P1, Premium_P2, Premium_P3, Standard_S1, Standard_S2, Standard_S3]` + +### Parameter: `tags` + +The tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `upstreamTemplatesToEnable` + +Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The SignalR name. | +| `resourceGroupName` | string | The SignalR resource group. 
| +| `resourceId` | string | The SignalR resource ID. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index 7362a1c79f..9936aee029 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18397814531819646365" + "version": "0.22.6.54827", + "templateHash": "1694197592231434947" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", @@ -319,8 +319,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -519,8 +519,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -657,8 +657,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { 
@@ -871,8 +871,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7310613966426306151" + "version": "0.22.6.54827", + "templateHash": "15833181325335121682" } }, "parameters": { diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 1e4498f8da..841d4abf2d 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep index 229caafb2b..0afc1a7936 100644 --- a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 2fdf5cb244..834852ff3f 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -5,10 +5,10 @@ This module deploys a SignalR Web PubSub Service. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -20,72 +20,29 @@ This module deploys a SignalR Web PubSub Service. | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.SignalRService/webPubSub` | [2021-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2021-10-01/webPubSub) | -## Parameters - -**Required parameters** +## Usage examples -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Web PubSub Service resource. | - -**Optional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `capacity` | int | `1` | | The unit count of the resource. 1 by default. | -| `clientCertEnabled` | bool | `False` | | Request client certificate during TLS handshake if enabled. | -| `disableAadAuth` | bool | `False` | | When set as true, connection with AuthType=aad won't work. | -| `disableLocalAuth` | bool | `True` | | Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | The location for the resource. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. 
| -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `resourceLogConfigurationsToEnable` | array | `[ConnectivityLogs, MessagingLogs]` | `[ConnectivityLogs, MessagingLogs]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Standard_S1'` | `[Free_F1, Standard_S1]` | Pricing tier of the resource. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.web-pub-sub:1.0.0`. -## Outputs +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Pe](#example-3-pe) -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `externalIP` | string | The Web PubSub externalIP. 
| -| `hostName` | string | The Web PubSub hostName. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Web PubSub name. | -| `publicPort` | int | The Web PubSub publicPort. | -| `resourceGroupName` | string | The Web PubSub resource group. | -| `resourceId` | string | The Web PubSub resource ID. | -| `serverPort` | int | The Web PubSub serverPort. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +### Example 1: _Using large parameter set_ -## Deployment examples +This instance deploys the module with most of its features enabled. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module webPubSub './signal-r-service/web-pub-sub/main.bicep' = { +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-srswpscom' params: { // Required parameters @@ -269,14 +226,17 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module webPubSub './signal-r-service/web-pub-sub/main.bicep' = { +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-srswpsmin' params: { // Required parameters @@ -314,14 +274,14 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module webPubSub './signal-r-service/web-pub-sub/main.bicep' = { +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-srswpspe' params: { // Required parameters @@ -408,3 +368,177 @@ module webPubSub './signal-r-service/web-pub-sub/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Web PubSub Service resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`capacity`](#parameter-capacity) | int | The unit count of the resource. 1 by default. | +| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | Request client certificate during TLS handshake if enabled. | +| [`disableAadAuth`](#parameter-disableaadauth) | bool | When set as true, connection with AuthType=aad won't work. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The location for the resource. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | Pricing tier of the resource. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `capacity` + +The unit count of the resource. 1 by default. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `clientCertEnabled` + +Request client certificate during TLS handshake if enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableAadAuth` + +When set as true, connection with AuthType=aad won't work. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `disableLocalAuth` + +Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location for the resource. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Web PubSub Service resource. 
+- Required: Yes +- Type: string + +### Parameter: `networkAcls` + +Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `resourceLogConfigurationsToEnable` + +Control permission for data plane traffic coming from public networks while private endpoint is enabled. +- Required: No +- Type: array +- Default: `[ConnectivityLogs, MessagingLogs]` +- Allowed: `[ConnectivityLogs, MessagingLogs]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +Pricing tier of the resource. +- Required: No +- Type: string +- Default: `'Standard_S1'` +- Allowed: `[Free_F1, Standard_S1]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `externalIP` | string | The Web PubSub externalIP. | +| `hostName` | string | The Web PubSub hostName. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The Web PubSub name. | +| `publicPort` | int | The Web PubSub publicPort. | +| `resourceGroupName` | string | The Web PubSub resource group. | +| `resourceId` | string | The Web PubSub resource ID. | +| `serverPort` | int | The Web PubSub serverPort. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index c4d4b11904..ac949dffda 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10139309088616173208" + "version": "0.22.6.54827", + "templateHash": "16709379153478427185" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", @@ -266,8 +266,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -466,8 +466,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -604,8 +604,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -818,8 +818,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6690413318542204402" + "version": "0.22.6.54827", + "templateHash": "2385173204571615101" } }, "parameters": { diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep index 954bb2175c..f13416a55e 100644 --- a/modules/sql/managed-instance/.test/common/main.test.bicep +++ b/modules/sql/managed-instance/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/sql/managed-instance/.test/min/main.test.bicep b/modules/sql/managed-instance/.test/min/main.test.bicep index 0602f61a0b..0c9d4bbe75 100644 --- a/modules/sql/managed-instance/.test/min/main.test.bicep +++ b/modules/sql/managed-instance/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index cb696de727..8fcdbe6649 100644 
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -4,14 +4,14 @@ This module deploys a SQL Managed Instance.
 
 ## Navigation
 
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
 
-## Resource types
+## Resource Types
 
 | Resource Type | API Version |
 | :-- | :-- |
@@ -28,97 +28,29 @@ This module deploys a SQL Managed Instance. | `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/securityAlertPolicies) | | `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `administratorLogin` | string | The username used to establish jumpbox VMs. | -| `administratorLoginPassword` | securestring | The password given to the admin user. | -| `name` | string | The name of the SQL managed instance. | -| `subnetId` | string | The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `primaryUserAssignedIdentityId` | string | `''` | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | +## Usage examples -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `administratorsObj` | object | `{object}` | | The administrator configuration. | -| `collation` | string | `'SQL_Latin1_General_CP1_CI_AS'` | | Collation of the managed instance. | -| `databases` | array | `[]` | | Databases to create in this server. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, ResourceUsageStats, SQLSecurityAuditEvents]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `dnsZonePartner` | string | `''` | | The resource ID of another managed instance whose DNS zone this managed instance will share after creation. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionProtectorObj` | _[encryptionProtector](encryption-protector/README.md)_ object | `{object}` | | The encryption protection configuration. | -| `hardwareFamily` | string | `'Gen5'` | | If the service has different generations of hardware, for the same SKU, then that can be captured here. | -| `instancePoolResourceId` | string | `''` | | The resource ID of the instance pool this managed server belongs to. | -| `keys` | array | `[]` | | The keys to configure. | -| `licenseType` | string | `'LicenseIncluded'` | `[BasePrice, LicenseIncluded]` | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `managedInstanceCreateMode` | string | `'Default'` | `[Default, PointInTimeRestore]` | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | -| `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2, None]` | Minimal TLS version allowed. | -| `proxyOverride` | string | `'Proxy'` | `[Default, Proxy, Redirect]` | Connection type used for connecting to the instance. | -| `publicDataEndpointEnabled` | bool | `False` | | Whether or not the public data endpoint is enabled. | -| `requestedBackupStorageRedundancy` | string | `'Geo'` | `[Geo, GeoZone, Local, Zone]` | The storage account type used to store backups for this database. | -| `restorePointInTime` | string | `''` | | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securityAlertPoliciesObj` | object | `{object}` | | The security alert policy configuration. | -| `servicePrincipal` | string | `'None'` | `[None, SystemAssigned]` | Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. | -| `skuName` | string | `'GP_Gen5'` | | The name of the SKU, typically, a letter + Number code, e.g. P3. | -| `skuTier` | string | `'GeneralPurpose'` | | The tier or edition of the particular SKU, e.g. Basic, Premium. 
| -| `sourceManagedInstanceId` | string | `''` | | The resource identifier of the source managed instance associated with create operation of this instance. | -| `storageSizeInGB` | int | `32` | | Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `timezoneId` | string | `'UTC'` | | ID of the timezone. Allowed values are timezones supported by Windows. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `vCores` | int | `4` | | The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | -| `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | -| `zoneRedundant` | bool | `False` | | Whether or not multi-az is enabled. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed managed instance. | -| `resourceGroupName` | string | The resource group of the deployed managed instance. | -| `resourceId` | string | The resource ID of the deployed managed instance. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/sql.managed-instance:1.0.0`. 
-## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) +- [Vulnassm](#example-3-vulnassm) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module managedInstance './sql/managed-instance/main.bicep' = { +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlmicom' params: { // Required parameters @@ -362,14 +294,17 @@ module managedInstance './sql/managed-instance/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module ```bicep -module managedInstance './sql/managed-instance/main.bicep' = { +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlmimin' params: { // Required parameters @@ -419,14 +354,14 @@ module managedInstance './sql/managed-instance/main.bicep' = {

-

Example 3: Vulnassm

+### Example 3: _Vulnassm_
via Bicep module ```bicep -module managedInstance './sql/managed-instance/main.bicep' = { +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlmivln' params: { // Required parameters @@ -529,6 +464,395 @@ module managedInstance './sql/managed-instance/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorLogin`](#parameter-administratorlogin) | string | The username used to establish jumpbox VMs. | +| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The password given to the admin user. | +| [`name`](#parameter-name) | string | The name of the SQL managed instance. | +| [`subnetId`](#parameter-subnetid) | string | The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`primaryUserAssignedIdentityId`](#parameter-primaryuserassignedidentityid) | string | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorsObj`](#parameter-administratorsobj) | object | The administrator configuration. | +| [`collation`](#parameter-collation) | string | Collation of the managed instance. | +| [`databases`](#parameter-databases) | array | Databases to create in this server. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`dnsZonePartner`](#parameter-dnszonepartner) | string | The resource ID of another managed instance whose DNS zone this managed instance will share after creation. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`encryptionProtectorObj`](#parameter-encryptionprotectorobj) | object | The encryption protection configuration. | +| [`hardwareFamily`](#parameter-hardwarefamily) | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. | +| [`instancePoolResourceId`](#parameter-instancepoolresourceid) | string | The resource ID of the instance pool this managed server belongs to. | +| [`keys`](#parameter-keys) | array | The keys to configure. | +| [`licenseType`](#parameter-licensetype) | string | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedInstanceCreateMode`](#parameter-managedinstancecreatemode) | string | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. 
RestorePointInTime and SourceManagedInstanceId must be specified. | +| [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | +| [`proxyOverride`](#parameter-proxyoverride) | string | Connection type used for connecting to the instance. | +| [`publicDataEndpointEnabled`](#parameter-publicdataendpointenabled) | bool | Whether or not the public data endpoint is enabled. | +| [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type used to store backups for this database. | +| [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securityAlertPoliciesObj`](#parameter-securityalertpoliciesobj) | object | The security alert policy configuration. | +| [`servicePrincipal`](#parameter-serviceprincipal) | string | Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. | +| [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. | +| [`skuTier`](#parameter-skutier) | string | The tier or edition of the particular SKU, e.g. Basic, Premium. 
| +| [`sourceManagedInstanceId`](#parameter-sourcemanagedinstanceid) | string | The resource identifier of the source managed instance associated with create operation of this instance. | +| [`storageSizeInGB`](#parameter-storagesizeingb) | int | Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`timezoneId`](#parameter-timezoneid) | string | ID of the timezone. Allowed values are timezones supported by Windows. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`vCores`](#parameter-vcores) | int | The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | +| [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not multi-az is enabled. | + +### Parameter: `administratorLogin` + +The username used to establish jumpbox VMs. +- Required: Yes +- Type: string + +### Parameter: `administratorLoginPassword` + +The password given to the admin user. +- Required: Yes +- Type: securestring + +### Parameter: `administratorsObj` + +The administrator configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `collation` + +Collation of the managed instance. +- Required: No +- Type: string +- Default: `'SQL_Latin1_General_CP1_CI_AS'` + +### Parameter: `databases` + +Databases to create in this server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, ResourceUsageStats, SQLSecurityAuditEvents]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsZonePartner` + +The resource ID of another managed instance whose DNS zone this managed instance will share after creation. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `encryptionProtectorObj` + +The encryption protection configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `hardwareFamily` + +If the service has different generations of hardware, for the same SKU, then that can be captured here. 
+- Required: No +- Type: string +- Default: `'Gen5'` + +### Parameter: `instancePoolResourceId` + +The resource ID of the instance pool this managed server belongs to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `keys` + +The keys to configure. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `licenseType` + +The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). +- Required: No +- Type: string +- Default: `'LicenseIncluded'` +- Allowed: `[BasePrice, LicenseIncluded]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedInstanceCreateMode` + +Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, PointInTimeRestore]` + +### Parameter: `minimalTlsVersion` + +Minimal TLS version allowed. +- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2, None]` + +### Parameter: `name` + +The name of the SQL managed instance. +- Required: Yes +- Type: string + +### Parameter: `primaryUserAssignedIdentityId` + +The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `proxyOverride` + +Connection type used for connecting to the instance. 
+- Required: No +- Type: string +- Default: `'Proxy'` +- Allowed: `[Default, Proxy, Redirect]` + +### Parameter: `publicDataEndpointEnabled` + +Whether or not the public data endpoint is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `requestedBackupStorageRedundancy` + +The storage account type used to store backups for this database. +- Required: No +- Type: string +- Default: `'Geo'` +- Allowed: `[Geo, GeoZone, Local, Zone]` + +### Parameter: `restorePointInTime` + +Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securityAlertPoliciesObj` + +The security alert policy configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `servicePrincipal` + +Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[None, SystemAssigned]` + +### Parameter: `skuName` + +The name of the SKU, typically, a letter + Number code, e.g. P3. +- Required: No +- Type: string +- Default: `'GP_Gen5'` + +### Parameter: `skuTier` + +The tier or edition of the particular SKU, e.g. Basic, Premium. 
+- Required: No +- Type: string +- Default: `'GeneralPurpose'` + +### Parameter: `sourceManagedInstanceId` + +The resource identifier of the source managed instance associated with create operation of this instance. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageSizeInGB` + +Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. +- Required: No +- Type: int +- Default: `32` + +### Parameter: `subnetId` + +The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. +- Required: Yes +- Type: string + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `timezoneId` + +ID of the timezone. Allowed values are timezones supported by Windows. +- Required: No +- Type: string +- Default: `'UTC'` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `vCores` + +The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. +- Required: No +- Type: int +- Default: `4` + +### Parameter: `vulnerabilityAssessmentsObj` + +The vulnerability assessment configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +Whether or not multi-az is enabled. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed managed instance. | +| `resourceGroupName` | string | The resource group of the deployed managed instance. | +| `resourceId` | string | The resource ID of the deployed managed instance. 
| +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ + ## Notes ### Considerations diff --git a/modules/sql/managed-instance/administrator/README.md b/modules/sql/managed-instance/administrator/README.md index 83e221d3f0..e14642b81c 100644 --- a/modules/sql/managed-instance/administrator/README.md +++ b/modules/sql/managed-instance/administrator/README.md 
@@ -19,28 +19,60 @@ This module deploys a SQL Managed Instance Administrator. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `login` | string | Login name of the managed instance administrator. | -| `sid` | string | SID (object ID) of the managed instance administrator. | +| [`login`](#parameter-login) | string | Login name of the managed instance administrator. | +| [`sid`](#parameter-sid) | string | SID (object ID) of the managed instance administrator. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tenantId` | string | `''` | Tenant ID of the managed instance administrator. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tenantId`](#parameter-tenantid) | string | Tenant ID of the managed instance administrator. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `login` + +Login name of the managed instance administrator. +- Required: Yes +- Type: string + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `sid` + +SID (object ID) of the managed instance administrator. +- Required: Yes +- Type: string + +### Parameter: `tenantId` + +Tenant ID of the managed instance administrator. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed managed instance administrator. | | `resourceGroupName` | string | The resource group of the deployed managed instance administrator. | diff --git a/modules/sql/managed-instance/administrator/main.json b/modules/sql/managed-instance/administrator/main.json index 14523f5dc5..57f5b1407f 100644 --- a/modules/sql/managed-instance/administrator/main.json +++ b/modules/sql/managed-instance/administrator/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "94742246961044490" + "version": "0.22.6.54827", + "templateHash": "15854210755739319953" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.", diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index c052ef6853..a4c70e1c9a 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -4,12 +4,12 @@ This module deploys a SQL Managed Instance Database. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -23,47 +23,216 @@ This module deploys a SQL Managed Instance Database. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the SQL managed instance database. | +| [`name`](#parameter-name) | string | The name of the SQL managed instance database. | **Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `longTermRetentionBackupResourceId` | string | `''` | The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. | -| `managedInstanceName` | string | | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | -| `recoverableDatabaseId` | string | `''` | The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. | -| `restorePointInTime` | string | `''` | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. | -| `sourceDatabaseId` | string | `''` | The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. | -| `storageContainerSasToken` | string | `''` | Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. | -| `storageContainerUri` | string | `''` | Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`longTermRetentionBackupResourceId`](#parameter-longtermretentionbackupresourceid) | string | The resource ID of the Long Term Retention backup to be used for restore of this managed database. 
Required if createMode is RestoreLongTermRetentionBackup. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`recoverableDatabaseId`](#parameter-recoverabledatabaseid) | string | The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. | +| [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. | +| [`sourceDatabaseId`](#parameter-sourcedatabaseid) | string | The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. | +| [`storageContainerSasToken`](#parameter-storagecontainersastoken) | string | Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. | +| [`storageContainerUri`](#parameter-storagecontaineruri) | string | Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backupLongTermRetentionPoliciesObj` | object | `{object}` | | The configuration for the backup long term retention policy definition. | -| `backupShortTermRetentionPoliciesObj` | object | `{object}` | | The configuration for the backup short term retention policy definition. | -| `catalogCollation` | string | `'SQL_Latin1_General_CP1_CI_AS'` | | Collation of the managed instance. | -| `collation` | string | `'SQL_Latin1_General_CP1_CI_AS'` | | Collation of the managed instance database. 
| -| `createMode` | string | `'Default'` | `[Default, PointInTimeRestore, Recovery, RestoreExternalBackup, RestoreLongTermRetentionBackup]` | Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `restorableDroppedDatabaseId` | string | `''` | | The restorable dropped database resource ID to restore when creating this database. | -| `tags` | object | `{object}` | | Tags of the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`backupLongTermRetentionPoliciesObj`](#parameter-backuplongtermretentionpoliciesobj) | object | The configuration for the backup long term retention policy definition. | +| [`backupShortTermRetentionPoliciesObj`](#parameter-backupshorttermretentionpoliciesobj) | object | The configuration for the backup short term retention policy definition. | +| [`catalogCollation`](#parameter-catalogcollation) | string | Collation of the managed instance. | +| [`collation`](#parameter-collation) | string | Collation of the managed instance database. | +| [`createMode`](#parameter-createmode) | string | Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`restorableDroppedDatabaseId`](#parameter-restorabledroppeddatabaseid) | string | The restorable dropped database resource ID to restore when creating this database. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `backupLongTermRetentionPoliciesObj` + +The configuration for the backup long term retention policy definition. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `backupShortTermRetentionPoliciesObj` + +The configuration for the backup short term retention policy definition. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `catalogCollation` + +Collation of the managed instance. 
+- Required: No +- Type: string +- Default: `'SQL_Latin1_General_CP1_CI_AS'` + +### Parameter: `collation` + +Collation of the managed instance database. +- Required: No +- Type: string +- Default: `'SQL_Latin1_General_CP1_CI_AS'` + +### Parameter: `createMode` + +Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). +- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Default, PointInTimeRestore, Recovery, RestoreExternalBackup, RestoreLongTermRetentionBackup]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `longTermRetentionBackupResourceId` + +The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the SQL managed instance database. +- Required: Yes +- Type: string + +### Parameter: `recoverableDatabaseId` + +The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `restorableDroppedDatabaseId` + +The restorable dropped database resource ID to restore when creating this database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `restorePointInTime` + +Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceDatabaseId` + +The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageContainerSasToken` + +Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageContainerUri` + +Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the deployed database. | diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md index 36d9e86feb..287c3fbaf2 100644 --- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md +++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md 
@@ -19,31 +19,84 @@ This module deploys a SQL Managed Instance Database Backup Long-Term Retention P **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Long Term Retention backup policy. For example "default". | +| [`name`](#parameter-name) | string | The name of the Long Term Retention backup policy. For example "default". | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseName` | string | The name of the parent managed instance database. Required if the template is used in a standalone deployment. | -| `managedInstanceName` | string | The name of the parent managed instance. Required if the template is used in a standalone deployment. | +| [`databaseName`](#parameter-databasename) | string | The name of the parent managed instance database. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `monthlyRetention` | string | `'P1Y'` | The monthly retention policy for an LTR backup in an ISO 8601 format. | -| `weeklyRetention` | string | `'P1M'` | The weekly retention policy for an LTR backup in an ISO 8601 format. | -| `weekOfYear` | int | `5` | The week of year to take the yearly backup in an ISO 8601 format. | -| `yearlyRetention` | string | `'P5Y'` | The yearly retention policy for an LTR backup in an ISO 8601 format. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`monthlyRetention`](#parameter-monthlyretention) | string | The monthly retention policy for an LTR backup in an ISO 8601 format. | +| [`weeklyRetention`](#parameter-weeklyretention) | string | The weekly retention policy for an LTR backup in an ISO 8601 format. | +| [`weekOfYear`](#parameter-weekofyear) | int | The week of year to take the yearly backup in an ISO 8601 format. | +| [`yearlyRetention`](#parameter-yearlyretention) | string | The yearly retention policy for an LTR backup in an ISO 8601 format. | + +### Parameter: `databaseName` + +The name of the parent managed instance database. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `monthlyRetention` + +The monthly retention policy for an LTR backup in an ISO 8601 format. +- Required: No +- Type: string +- Default: `'P1Y'` + +### Parameter: `name` + +The name of the Long Term Retention backup policy. For example "default". +- Required: Yes +- Type: string + +### Parameter: `weeklyRetention` + +The weekly retention policy for an LTR backup in an ISO 8601 format. +- Required: No +- Type: string +- Default: `'P1M'` + +### Parameter: `weekOfYear` + +The week of year to take the yearly backup in an ISO 8601 format. +- Required: No +- Type: int +- Default: `5` + +### Parameter: `yearlyRetention` + +The yearly retention policy for an LTR backup in an ISO 8601 format. 
+- Required: No +- Type: string +- Default: `'P5Y'` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed database backup long-term retention policy. | | `resourceGroupName` | string | The resource group of the deployed database backup long-term retention policy. | diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json index 46881cf93b..f5ed047237 100644 --- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json +++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18038719600656297152" + "version": "0.22.6.54827", + "templateHash": "15408301285980793830" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md index 71a5b6b63b..7b228f8d1f 100644 --- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md +++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md 
@@ -19,28 +19,60 @@ This module deploys a SQL Managed Instance Database Backup Short-Term Retention **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Short Term Retention backup policy. For example "default". | +| [`name`](#parameter-name) | string | The name of the Short Term Retention backup policy. For example "default". | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseName` | string | The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`databaseName`](#parameter-databasename) | string | The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `retentionDays` | int | `35` | The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`retentionDays`](#parameter-retentiondays) | int | The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | + +### Parameter: `databaseName` + +The name of the parent SQL managed instance database. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the Short Term Retention backup policy. For example "default". +- Required: Yes +- Type: string + +### Parameter: `retentionDays` + +The backup retention period in days. This is how many days Point-in-Time Restore will be supported. +- Required: No +- Type: int +- Default: `35` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed database backup short-term retention policy. | | `resourceGroupName` | string | The resource group of the deployed database backup short-term retention policy. | diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json index 34f3bffae7..ea00e3c99f 100644 --- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json +++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6931213919610871740" + "version": "0.22.6.54827", + "templateHash": "14876398050931373256" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json index 03c72318d8..3b07ade1a8 100644 
--- a/modules/sql/managed-instance/database/main.json +++ b/modules/sql/managed-instance/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7819487658736647657" + "version": "0.22.6.54827", + "templateHash": "17690558463959058243" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -311,8 +311,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6931213919610871740" + "version": "0.22.6.54827", + "templateHash": "14876398050931373256" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -439,8 +439,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18038719600656297152" + "version": "0.22.6.54827", + "templateHash": "15408301285980793830" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", diff --git a/modules/sql/managed-instance/encryption-protector/README.md b/modules/sql/managed-instance/encryption-protector/README.md index 88ce6e7f11..47e58ba01b 100644 --- a/modules/sql/managed-instance/encryption-protector/README.md +++ b/modules/sql/managed-instance/encryption-protector/README.md 
@@ -19,28 +19,62 @@ This module deploys a SQL Managed Instance Encryption Protector. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `serverKeyName` | string | The name of the SQL managed instance key. | +| [`serverKeyName`](#parameter-serverkeyname) | string | The name of the SQL managed instance key. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `autoRotationEnabled` | bool | `False` | | Key auto rotation opt-in flag. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoRotationEnabled`](#parameter-autorotationenabled) | bool | Key auto rotation opt-in flag. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | + +### Parameter: `autoRotationEnabled` + +Key auto rotation opt-in flag. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `serverKeyName` + +The name of the SQL managed instance key. +- Required: Yes +- Type: string + +### Parameter: `serverKeyType` + +The encryption protector type like "ServiceManaged", "AzureKeyVault". +- Required: No +- Type: string +- Default: `'ServiceManaged'` +- Allowed: `[AzureKeyVault, ServiceManaged]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed managed instance encryption protector. | | `resourceGroupName` | string | The resource group of the deployed managed instance encryption protector. | diff --git a/modules/sql/managed-instance/encryption-protector/main.json b/modules/sql/managed-instance/encryption-protector/main.json index cc7d2dae7a..ca49af4351 100644 --- a/modules/sql/managed-instance/encryption-protector/main.json +++ b/modules/sql/managed-instance/encryption-protector/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3596420230929102349" + "version": "0.22.6.54827", + "templateHash": "8970010319946939362" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.", diff --git a/modules/sql/managed-instance/key/README.md b/modules/sql/managed-instance/key/README.md index f429556832..139793834e 100644 --- a/modules/sql/managed-instance/key/README.md +++ b/modules/sql/managed-instance/key/README.md 
@@ -19,28 +19,62 @@ This module deploys a SQL Managed Instance Key. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the key. Must follow the [__] pattern. | +| [`name`](#parameter-name) | string | The name of the key. Must follow the [__] pattern. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". | -| `uri` | string | `''` | | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | +| [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the key. Must follow the [__] pattern. +- Required: Yes +- Type: string + +### Parameter: `serverKeyType` + +The encryption protector type like "ServiceManaged", "AzureKeyVault". +- Required: No +- Type: string +- Default: `'ServiceManaged'` +- Allowed: `[AzureKeyVault, ServiceManaged]` + +### Parameter: `uri` + +The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed managed instance key. | | `resourceGroupName` | string | The resource group of the deployed managed instance key. | diff --git a/modules/sql/managed-instance/key/main.json b/modules/sql/managed-instance/key/main.json index 2a36cecd48..7d289bb17b 100644 --- a/modules/sql/managed-instance/key/main.json +++ b/modules/sql/managed-instance/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12303930012308222652" + "version": "0.22.6.54827", + "templateHash": "18326031332279100252" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index b4e266703d..b67031103b 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15067027960339653100" + "version": "0.22.6.54827", + "templateHash": "18227197832977916011" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -507,8 +507,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "10149117624574107754" + "version": "0.22.6.54827", + "templateHash": "4115807259026871068" } }, "parameters": { @@ -677,8 +677,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7819487658736647657" + "version": "0.22.6.54827", + "templateHash": "17690558463959058243" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -984,8 +984,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "6931213919610871740" + "version": "0.22.6.54827", + "templateHash": "14876398050931373256" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -1112,8 +1112,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18038719600656297152" + "version": "0.22.6.54827", + "templateHash": "15408301285980793830" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", @@ -1296,8 +1296,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15021129035939475675" + "version": "0.22.6.54827", + "templateHash": "744224666214582478" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", 
@@ -1431,8 +1431,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16824260265514306931" + "version": "0.22.6.54827", + "templateHash": "18315887045308503469" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -1557,8 +1557,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5906561113326922902" + "version": "0.22.6.54827", + "templateHash": "9210546972730714858" } }, "parameters": { @@ -1648,8 +1648,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "12303930012308222652" + "version": "0.22.6.54827", + "templateHash": "18326031332279100252" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", @@ -1781,8 +1781,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3596420230929102349" + "version": "0.22.6.54827", + "templateHash": "8970010319946939362" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.", @@ -1914,8 +1914,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "94742246961044490" + "version": "0.22.6.54827", + "templateHash": "15854210755739319953" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.", diff --git a/modules/sql/managed-instance/security-alert-policy/README.md b/modules/sql/managed-instance/security-alert-policy/README.md index 3986440c01..7b14687f6d 100644 --- a/modules/sql/managed-instance/security-alert-policy/README.md +++ b/modules/sql/managed-instance/security-alert-policy/README.md 
@@ -19,28 +19,62 @@ This module deploys a SQL Managed Instance Security Alert Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the security alert policy. | +| [`name`](#parameter-name) | string | The name of the security alert policy. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `emailAccountAdmins` | bool | `False` | | Specifies that the schedule scan notification will be is sent to the subscription administrators. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `state` | string | `'Disabled'` | `[Disabled, Enabled]` | Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`emailAccountAdmins`](#parameter-emailaccountadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`state`](#parameter-state) | string | Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. 
| + +### Parameter: `emailAccountAdmins` + +Specifies that the schedule scan notification will be is sent to the subscription administrators. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the security alert policy. +- Required: Yes +- Type: string + +### Parameter: `state` + +Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed security alert policy. | | `resourceGroupName` | string | The resource group of the deployed security alert policy. | diff --git a/modules/sql/managed-instance/security-alert-policy/main.json b/modules/sql/managed-instance/security-alert-policy/main.json index 04709674d0..9aa85a482c 100644 --- a/modules/sql/managed-instance/security-alert-policy/main.json +++ b/modules/sql/managed-instance/security-alert-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15021129035939475675" + "version": "0.22.6.54827", + "templateHash": "744224666214582478" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", diff --git a/modules/sql/managed-instance/vulnerability-assessment/README.md b/modules/sql/managed-instance/vulnerability-assessment/README.md index 84442a1c08..52747a9955 100644 
--- a/modules/sql/managed-instance/vulnerability-assessment/README.md +++ b/modules/sql/managed-instance/vulnerability-assessment/README.md 
@@ -20,32 +20,92 @@ This module deploys a SQL Managed Instance Vulnerability Assessment. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the vulnerability assessment. | -| `storageAccountResourceId` | string | A blob storage to hold the scan results. | +| [`name`](#parameter-name) | string | The name of the vulnerability assessment. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| [`managedInstanceName`](#parameter-managedinstancename) | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `createStorageRoleAssignment` | bool | `True` | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `recurringScansEmails` | array | `[]` | Specifies an array of email addresses to which the scan notification is sent. | -| `recurringScansEmailSubscriptionAdmins` | bool | `False` | Specifies that the schedule scan notification will be is sent to the subscription administrators. | -| `recurringScansIsEnabled` | bool | `False` | Recurring scans state. | -| `useStorageAccountAccessKey` | bool | `False` | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. 
If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`createStorageRoleAssignment`](#parameter-createstorageroleassignment) | bool | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`recurringScansEmails`](#parameter-recurringscansemails) | array | Specifies an array of email addresses to which the scan notification is sent. | +| [`recurringScansEmailSubscriptionAdmins`](#parameter-recurringscansemailsubscriptionadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. | +| [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. | +| [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | + +### Parameter: `createStorageRoleAssignment` + +Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the vulnerability assessment. +- Required: Yes +- Type: string + +### Parameter: `recurringScansEmails` + +Specifies an array of email addresses to which the scan notification is sent. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `recurringScansEmailSubscriptionAdmins` + +Specifies that the schedule scan notification will be is sent to the subscription administrators. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `recurringScansIsEnabled` + +Recurring scans state. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `storageAccountResourceId` + +A blob storage to hold the scan results. +- Required: Yes +- Type: string + +### Parameter: `useStorageAccountAccessKey` + +Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed vulnerability assessment. | | `resourceGroupName` | string | The resource group of the deployed vulnerability assessment. | diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json index dd8317e70d..985b3b0dca 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.json +++ b/modules/sql/managed-instance/vulnerability-assessment/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16824260265514306931" + "version": "0.22.6.54827", + "templateHash": "18315887045308503469" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -130,8 +130,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5906561113326922902" + "version": "0.22.6.54827", + "templateHash": "9210546972730714858" } }, "parameters": { diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index e9ccba36a6..6c3153cc5e 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index e93c03a27a..c19646e425 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -5,10 +5,10 @@ This module deploys an Azure SQL Server. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) ## Resource Types 
@@ -32,81 +32,27 @@ This module deploys an Azure SQL Server. | `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) | | `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/vulnerabilityAssessments) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the server. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `administratorLogin` | string | `''` | The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. | -| `administratorLoginPassword` | securestring | `''` | The administrator login password. Required if no `administrators` object for AAD authentication is provided. | -| `administrators` | object | `{object}` | The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. | -| `primaryUserAssignedIdentityId` | string | `''` | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `databases` | array | `[]` | | The databases to create in the server. | -| `elasticPools` | array | `[]` | | The Elastic Pools to create in the server. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionProtectorObj` | _[encryptionProtector](encryption-protector/README.md)_ object | `{object}` | | The encryption protection configuration. 
| -| `firewallRules` | array | `[]` | | The firewall rules to create in the server. | -| `keys` | array | `[]` | | The keys to configure. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | -| `restrictOutboundNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not to restrict outbound network access for this server. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `securityAlertPolicies` | array | `[]` | | The security alert policies to create in the server. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `virtualNetworkRules` | array | `[]` | | The virtual network rules to create in the server. 
| -| `vulnerabilityAssessmentsObj` | object | `{object}` | | The vulnerability assessment configuration. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed SQL server. | -| `resourceGroupName` | string | The resource group of the deployed SQL server. | -| `resourceId` | string | The resource ID of the deployed SQL server. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/sql.server:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Admin](#example-1-admin) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [Pe](#example-3-pe) +- [Secondary](#example-4-secondary) -

Example 1: Admin

+### Example 1: _Admin_
via Bicep module ```bicep -module server './sql/server/main.bicep' = { +module server 'br:bicep/modules/sql.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlsadmin' params: { // Required parameters @@ -160,14 +106,17 @@ module server './sql/server/main.bicep' = {

-

Example 2: Common

+### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +
via Bicep module ```bicep -module server './sql/server/main.bicep' = { +module server 'br:bicep/modules/sql.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlscom' params: { // Required parameters @@ -465,14 +414,14 @@ module server './sql/server/main.bicep' = {

-

Example 3: Pe

+### Example 3: _Pe_
via Bicep module ```bicep -module server './sql/server/main.bicep' = { +module server 'br:bicep/modules/sql.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlspe' params: { // Required parameters @@ -564,14 +513,14 @@ module server './sql/server/main.bicep' = {

-

Example 4: Secondary

+### Example 4: _Secondary_
via Bicep module ```bicep -module server './sql/server/main.bicep' = { +module server 'br:bicep/modules/sql.server:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-sqlsec' params: { // Required parameters @@ -652,6 +601,237 @@ module server './sql/server/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the server. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. | +| [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. Required if no `administrators` object for AAD authentication is provided. | +| [`administrators`](#parameter-administrators) | object | The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. | +| [`primaryUserAssignedIdentityId`](#parameter-primaryuserassignedidentityid) | string | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`databases`](#parameter-databases) | array | The databases to create in the server. | +| [`elasticPools`](#parameter-elasticpools) | array | The Elastic Pools to create in the server. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`encryptionProtectorObj`](#parameter-encryptionprotectorobj) | object | The encryption protection configuration. | +| [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the server. | +| [`keys`](#parameter-keys) | array | The keys to configure. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. 
| +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | +| [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. | +| [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | + +### Parameter: `administratorLogin` + +The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `administratorLoginPassword` + +The administrator login password. Required if no `administrators` object for AAD authentication is provided. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `administrators` + +The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `databases` + +The databases to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `elasticPools` + +The Elastic Pools to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `encryptionProtectorObj` + +The encryption protection configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `firewallRules` + +The firewall rules to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `keys` + +The keys to configure. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `minimalTlsVersion` + +Minimal TLS version allowed. +- Required: No +- Type: string +- Default: `'1.2'` +- Allowed: `[1.0, 1.1, 1.2]` + +### Parameter: `name` + +The name of the server. +- Required: Yes +- Type: string + +### Parameter: `primaryUserAssignedIdentityId` + +The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `restrictOutboundNetworkAccess` + +Whether or not to restrict outbound network access for this server. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `securityAlertPolicies` + +The security alert policies to create in the server. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkRules` + +The virtual network rules to create in the server. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `vulnerabilityAssessmentsObj` + +The vulnerability assessment configuration. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed SQL server. | +| `resourceGroupName` | string | The resource group of the deployed SQL server. | +| `resourceId` | string | The resource ID of the deployed SQL server. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | + ## Notes ### Parameter Usage: `administrators` diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md index 772edc8f0e..e6ac170a59 100644 --- a/modules/sql/server/database/README.md +++ b/modules/sql/server/database/README.md @@ -4,12 +4,12 @@ This module deploys an Azure SQL Server Database. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -22,60 +22,322 @@ This module deploys an Azure SQL Server Database. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the database. | +| [`name`](#parameter-name) | string | The name of the database. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | +| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `autoPauseDelay` | int | `0` | | Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. | -| `backupLongTermRetentionPolicy` | _[backupLongTermRetentionPolicy](backup-long-term-retention-policy/README.md)_ object | `{object}` | | The long term backup retention policy to create for the database. | -| `backupShortTermRetentionPolicy` | _[backupShortTermRetentionPolicy](backup-short-term-retention-policy/README.md)_ object | `{object}` | | The short term backup retention policy to create for the database. | -| `collation` | string | `'SQL_Latin1_General_CP1_CI_AS'` | | The collation of the database. | -| `createMode` | string | `'Default'` | `[Copy, Default, OnlineSecondary, PointInTimeRestore, Recovery, Restore, RestoreLongTermRetentionBackup, Secondary]` | Specifies the mode of database creation. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AutomaticTuning, Blocks, DatabaseWaitStatistics, Deadlocks, DevOpsOperationsAudit, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights, SQLSecurityAuditEvents, Timeouts]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` | `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `elasticPoolId` | string | `''` | | The resource ID of the elastic pool containing this database. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `highAvailabilityReplicaCount` | int | `0` | | The number of readonly secondary replicas associated with the database. | -| `isLedgerOn` | bool | `False` | | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | -| `licenseType` | string | `''` | | The license type to apply for this database. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. 
| -| `maintenanceConfigurationId` | string | `''` | | Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. | -| `maxSizeBytes` | int | `34359738368` | | The max size of the database expressed in bytes. | -| `minCapacity` | string | `''` | | Minimal capacity that database will always have allocated. | -| `readScale` | string | `'Disabled'` | `[Disabled, Enabled]` | The state of read-only routing. | -| `recoveryServicesRecoveryPointResourceId` | string | `''` | | Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. | -| `requestedBackupStorageRedundancy` | string | `''` | `['', Geo, Local, Zone]` | The storage account type to be used to store backups for this database. | -| `restorePointInTime` | string | `''` | | Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. | -| `sampleName` | string | `''` | | The name of the sample schema to apply when creating this database. | -| `skuCapacity` | int | `-1` | | Capacity of the particular SKU. | -| `skuFamily` | string | `''` | | If the service has different generations of hardware, for the same SKU, then that can be captured here. | -| `skuName` | string | `'GP_Gen5_2'` | | The name of the SKU. | -| `skuSize` | string | `''` | | Size of the particular SKU. | -| `skuTier` | string | `'GeneralPurpose'` | | The skuTier or edition of the particular SKU. | -| `sourceDatabaseDeletionDate` | string | `''` | | The time that the database was deleted when restoring a deleted database. | -| `sourceDatabaseResourceId` | string | `''` | | Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `zoneRedundant` | bool | `False` | | Whether or not this database is zone redundant. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`autoPauseDelay`](#parameter-autopausedelay) | int | Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. | +| [`backupLongTermRetentionPolicy`](#parameter-backuplongtermretentionpolicy) | object | The long term backup retention policy to create for the database. | +| [`backupShortTermRetentionPolicy`](#parameter-backupshorttermretentionpolicy) | object | The short term backup retention policy to create for the database. | +| [`collation`](#parameter-collation) | string | The collation of the database. | +| [`createMode`](#parameter-createmode) | string | Specifies the mode of database creation. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`elasticPoolId`](#parameter-elasticpoolid) | string | The resource ID of the elastic pool containing this database. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`highAvailabilityReplicaCount`](#parameter-highavailabilityreplicacount) | int | The number of readonly secondary replicas associated with the database. | +| [`isLedgerOn`](#parameter-isledgeron) | bool | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | +| [`licenseType`](#parameter-licensetype) | string | The license type to apply for this database. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`maintenanceConfigurationId`](#parameter-maintenanceconfigurationid) | string | Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. | +| [`maxSizeBytes`](#parameter-maxsizebytes) | int | The max size of the database expressed in bytes. | +| [`minCapacity`](#parameter-mincapacity) | string | Minimal capacity that database will always have allocated. | +| [`readScale`](#parameter-readscale) | string | The state of read-only routing. | +| [`recoveryServicesRecoveryPointResourceId`](#parameter-recoveryservicesrecoverypointresourceid) | string | Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. | +| [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type to be used to store backups for this database. | +| [`restorePointInTime`](#parameter-restorepointintime) | string | Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. 
| +| [`sampleName`](#parameter-samplename) | string | The name of the sample schema to apply when creating this database. | +| [`skuCapacity`](#parameter-skucapacity) | int | Capacity of the particular SKU. | +| [`skuFamily`](#parameter-skufamily) | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. | +| [`skuName`](#parameter-skuname) | string | The name of the SKU. | +| [`skuSize`](#parameter-skusize) | string | Size of the particular SKU. | +| [`skuTier`](#parameter-skutier) | string | The skuTier or edition of the particular SKU. | +| [`sourceDatabaseDeletionDate`](#parameter-sourcedatabasedeletiondate) | string | The time that the database was deleted when restoring a deleted database. | +| [`sourceDatabaseResourceId`](#parameter-sourcedatabaseresourceid) | string | Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this database is zone redundant. | + +### Parameter: `autoPauseDelay` + +Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `backupLongTermRetentionPolicy` + +The long term backup retention policy to create for the database. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `backupShortTermRetentionPolicy` + +The short term backup retention policy to create for the database. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `collation` + +The collation of the database. +- Required: No +- Type: string +- Default: `'SQL_Latin1_General_CP1_CI_AS'` + +### Parameter: `createMode` + +Specifies the mode of database creation. 
+- Required: No +- Type: string +- Default: `'Default'` +- Allowed: `[Copy, Default, OnlineSecondary, PointInTimeRestore, Recovery, Restore, RestoreLongTermRetentionBackup, Secondary]` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, AutomaticTuning, Blocks, DatabaseWaitStatistics, Deadlocks, DevOpsOperationsAudit, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights, SQLSecurityAuditEvents, Timeouts]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` +- Allowed: `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `elasticPoolId` + +The resource ID of the elastic pool containing this database. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `highAvailabilityReplicaCount` + +The number of readonly secondary replicas associated with the database. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `isLedgerOn` + +Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `licenseType` + +The license type to apply for this database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `maintenanceConfigurationId` + +Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `maxSizeBytes` + +The max size of the database expressed in bytes. +- Required: No +- Type: int +- Default: `34359738368` + +### Parameter: `minCapacity` + +Minimal capacity that database will always have allocated. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the database. +- Required: Yes +- Type: string + +### Parameter: `readScale` + +The state of read-only routing. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `recoveryServicesRecoveryPointResourceId` + +Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `requestedBackupStorageRedundancy` + +The storage account type to be used to store backups for this database. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Geo, Local, Zone]` + +### Parameter: `restorePointInTime` + +Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sampleName` + +The name of the sample schema to apply when creating this database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `skuCapacity` + +Capacity of the particular SKU. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `skuFamily` + +If the service has different generations of hardware, for the same SKU, then that can be captured here. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `skuName` + +The name of the SKU. +- Required: No +- Type: string +- Default: `'GP_Gen5_2'` + +### Parameter: `skuSize` + +Size of the particular SKU. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `skuTier` + +The skuTier or edition of the particular SKU. +- Required: No +- Type: string +- Default: `'GeneralPurpose'` + +### Parameter: `sourceDatabaseDeletionDate` + +The time that the database was deleted when restoring a deleted database. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceDatabaseResourceId` + +Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +Whether or not this database is zone redundant. 
+- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the deployed database. | diff --git a/modules/sql/server/database/backup-long-term-retention-policy/README.md b/modules/sql/server/database/backup-long-term-retention-policy/README.md index d72538713b..3a8d87595a 100644 --- a/modules/sql/server/database/backup-long-term-retention-policy/README.md +++ b/modules/sql/server/database/backup-long-term-retention-policy/README.md 
@@ -19,25 +19,72 @@ This module deploys an Azure SQL Server Database Long-Term Backup Retention Poli **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseName` | string | The name of the parent database. | -| `serverName` | string | The name of the parent SQL Server. | +| [`databaseName`](#parameter-databasename) | string | The name of the parent database. | +| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `monthlyRetention` | string | `''` | Weekly retention in ISO 8601 duration format. | -| `weeklyRetention` | string | `''` | Monthly retention in ISO 8601 duration format. | -| `weekOfYear` | int | `1` | Week of year backup to keep for yearly retention. | -| `yearlyRetention` | string | `''` | Yearly retention in ISO 8601 duration format. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`monthlyRetention`](#parameter-monthlyretention) | string | Weekly retention in ISO 8601 duration format. | +| [`weeklyRetention`](#parameter-weeklyretention) | string | Monthly retention in ISO 8601 duration format. | +| [`weekOfYear`](#parameter-weekofyear) | int | Week of year backup to keep for yearly retention. | +| [`yearlyRetention`](#parameter-yearlyretention) | string | Yearly retention in ISO 8601 duration format. | + +### Parameter: `databaseName` + +The name of the parent database. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `monthlyRetention` + +Weekly retention in ISO 8601 duration format. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serverName` + +The name of the parent SQL Server. +- Required: Yes +- Type: string + +### Parameter: `weeklyRetention` + +Monthly retention in ISO 8601 duration format. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `weekOfYear` + +Week of year backup to keep for yearly retention. +- Required: No +- Type: int +- Default: `1` + +### Parameter: `yearlyRetention` + +Yearly retention in ISO 8601 duration format. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the long-term policy. | | `resourceGroupName` | string | The resource group the long-term policy was deployed into. | diff --git a/modules/sql/server/database/backup-long-term-retention-policy/main.json b/modules/sql/server/database/backup-long-term-retention-policy/main.json index 0519d9c583..6d00874970 100644 --- a/modules/sql/server/database/backup-long-term-retention-policy/main.json +++ b/modules/sql/server/database/backup-long-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "9219416659486760074" + "version": "0.22.6.54827", + "templateHash": "8422402072460240545" }, "name": "SQL Server Database Long Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", diff --git a/modules/sql/server/database/backup-short-term-retention-policy/README.md b/modules/sql/server/database/backup-short-term-retention-policy/README.md index d5d7afccf7..d6df1d73e8 100644 --- a/modules/sql/server/database/backup-short-term-retention-policy/README.md 
+++ b/modules/sql/server/database/backup-short-term-retention-policy/README.md 
@@ -19,23 +19,56 @@ This module deploys an Azure SQL Server Database Short-Term Backup Retention Pol **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `databaseName` | string | The name of the parent database. | -| `serverName` | string | The name of the parent SQL Server. | +| [`databaseName`](#parameter-databasename) | string | The name of the parent database. | +| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `diffBackupIntervalInHours` | int | `24` | Differential backup interval in hours. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `retentionDays` | int | `7` | Poin-in-time retention in days. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diffBackupIntervalInHours`](#parameter-diffbackupintervalinhours) | int | Differential backup interval in hours. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`retentionDays`](#parameter-retentiondays) | int | Poin-in-time retention in days. | + +### Parameter: `databaseName` + +The name of the parent database. +- Required: Yes +- Type: string + +### Parameter: `diffBackupIntervalInHours` + +Differential backup interval in hours. +- Required: No +- Type: int +- Default: `24` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `retentionDays` + +Poin-in-time retention in days. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `serverName` + +The name of the parent SQL Server. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the short-term policy. | | `resourceGroupName` | string | The resource group the short-term policy was deployed into. | diff --git a/modules/sql/server/database/backup-short-term-retention-policy/main.json b/modules/sql/server/database/backup-short-term-retention-policy/main.json index 50bb545bd8..64a75a29be 100644 --- a/modules/sql/server/database/backup-short-term-retention-policy/main.json +++ b/modules/sql/server/database/backup-short-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2184125360304496486" + "version": "0.22.6.54827", + "templateHash": "11274542290979624142" }, "name": "Azure SQL Server Database Short Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json index d1f5ef5b28..13c0eb69b1 100644 --- a/modules/sql/server/database/main.json +++ b/modules/sql/server/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "641387093656497816" + "version": "0.22.6.54827", + "templateHash": "7000207485744795208" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", @@ -425,8 +425,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2184125360304496486" + "version": "0.22.6.54827", + "templateHash": "11274542290979624142" }, "name": "Azure SQL Server Database Short Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", 
@@ -548,8 +548,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "9219416659486760074"
+ "version": "0.22.6.54827",
+ "templateHash": "8422402072460240545"
 },
 "name": "SQL Server Database Long Term Backup Retention Policies",
 "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.",
diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md
index 97d38ea3bc..a9b07265b1 100644
--- a/modules/sql/server/elastic-pool/README.md
+++ b/modules/sql/server/elastic-pool/README.md
@@ -19,39 +19,150 @@ This module deploys an Azure SQL Server Elastic Pool. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Elastic Pool. | +| [`name`](#parameter-name) | string | The name of the Elastic Pool. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | +| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `databaseMaxCapacity` | int | `2` | | The maximum capacity any one database can consume. | -| `databaseMinCapacity` | int | `0` | | The minimum capacity all databases are guaranteed. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `highAvailabilityReplicaCount` | int | `-1` | | The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. | -| `licenseType` | string | `'LicenseIncluded'` | `[BasePrice, LicenseIncluded]` | The license type to apply for this elastic pool. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `maintenanceConfigurationId` | string | `''` | | Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. | -| `maxSizeBytes` | int | `34359738368` | | The storage limit for the database elastic pool in bytes. | -| `minCapacity` | int | `-1` | | Minimal capacity that serverless pool will not shrink below, if not paused. 
| -| `skuCapacity` | int | `2` | | Capacity of the particular SKU. | -| `skuName` | string | `'GP_Gen5'` | | The name of the SKU, typically, a letter + Number code, e.g. P3. | -| `skuTier` | string | `'GeneralPurpose'` | | The tier or edition of the particular SKU, e.g. Basic, Premium. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `zoneRedundant` | bool | `False` | | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`databaseMaxCapacity`](#parameter-databasemaxcapacity) | int | The maximum capacity any one database can consume. | +| [`databaseMinCapacity`](#parameter-databasemincapacity) | int | The minimum capacity all databases are guaranteed. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`highAvailabilityReplicaCount`](#parameter-highavailabilityreplicacount) | int | The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. | +| [`licenseType`](#parameter-licensetype) | string | The license type to apply for this elastic pool. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`maintenanceConfigurationId`](#parameter-maintenanceconfigurationid) | string | Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. | +| [`maxSizeBytes`](#parameter-maxsizebytes) | int | The storage limit for the database elastic pool in bytes. | +| [`minCapacity`](#parameter-mincapacity) | int | Minimal capacity that serverless pool will not shrink below, if not paused. | +| [`skuCapacity`](#parameter-skucapacity) | int | Capacity of the particular SKU. 
| +| [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. | +| [`skuTier`](#parameter-skutier) | string | The tier or edition of the particular SKU, e.g. Basic, Premium. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. | + +### Parameter: `databaseMaxCapacity` + +The maximum capacity any one database can consume. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `databaseMinCapacity` + +The minimum capacity all databases are guaranteed. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `highAvailabilityReplicaCount` + +The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `licenseType` + +The license type to apply for this elastic pool. +- Required: No +- Type: string +- Default: `'LicenseIncluded'` +- Allowed: `[BasePrice, LicenseIncluded]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `maintenanceConfigurationId` + +Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `maxSizeBytes` + +The storage limit for the database elastic pool in bytes. 
+- Required: No +- Type: int +- Default: `34359738368` + +### Parameter: `minCapacity` + +Minimal capacity that serverless pool will not shrink below, if not paused. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `name` + +The name of the Elastic Pool. +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `skuCapacity` + +Capacity of the particular SKU. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `skuName` + +The name of the SKU, typically, a letter + Number code, e.g. P3. +- Required: No +- Type: string +- Default: `'GP_Gen5'` + +### Parameter: `skuTier` + +The tier or edition of the particular SKU, e.g. Basic, Premium. +- Required: No +- Type: string +- Default: `'GeneralPurpose'` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `zoneRedundant` + +Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the deployed Elastic Pool. | diff --git a/modules/sql/server/elastic-pool/main.json b/modules/sql/server/elastic-pool/main.json index 4eca83e47a..4f107f39b6 100644 --- a/modules/sql/server/elastic-pool/main.json +++ b/modules/sql/server/elastic-pool/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "7347226856045672059"
+ "version": "0.22.6.54827",
+ "templateHash": "1361594412163336206"
 },
 "name": "SQL Server Elastic Pool",
 "description": "This module deploys an Azure SQL Server Elastic Pool.",
diff --git a/modules/sql/server/encryption-protector/README.md b/modules/sql/server/encryption-protector/README.md
index bfa990d0d5..435f550d8a 100644
--- a/modules/sql/server/encryption-protector/README.md
+++ b/modules/sql/server/encryption-protector/README.md
@@ -19,28 +19,62 @@ This module deploys an Azure SQL Server Encryption Protector.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serverKeyName` | string | The name of the server key. |
+| [`serverKeyName`](#parameter-serverkeyname) | string | The name of the server key. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `sqlServerName` | string | The name of the sql server. Required if the template is used in a standalone deployment. |
+| [`sqlServerName`](#parameter-sqlservername) | string | The name of the sql server. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `autoRotationEnabled` | bool | `False` | | Key auto rotation opt-in. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`autoRotationEnabled`](#parameter-autorotationenabled) | bool | Key auto rotation opt-in. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type. |
+
+### Parameter: `autoRotationEnabled`
+
+Key auto rotation opt-in.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `serverKeyName`
+
+The name of the server key.
+- Required: Yes
+- Type: string
+
+### Parameter: `serverKeyType`
+
+The encryption protector type.
+- Required: No
+- Type: string
+- Default: `'ServiceManaged'`
+- Allowed: `[AzureKeyVault, ServiceManaged]`
+
+### Parameter: `sqlServerName`
+
+The name of the sql server. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed encryption protector. |
 | `resourceGroupName` | string | The resource group of the deployed encryption protector. |
diff --git a/modules/sql/server/encryption-protector/main.json b/modules/sql/server/encryption-protector/main.json
index 17c94ae4d0..097ded1243 100644
--- a/modules/sql/server/encryption-protector/main.json
+++ b/modules/sql/server/encryption-protector/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "14781745235892971560"
+ "version": "0.22.6.54827",
+ "templateHash": "1128739845456097575"
 },
 "name": "Azure SQL Server Encryption Protector",
 "description": "This module deploys an Azure SQL Server Encryption Protector.",
diff --git a/modules/sql/server/firewall-rule/README.md b/modules/sql/server/firewall-rule/README.md
index cb028371bc..02a9a24294 100644
--- a/modules/sql/server/firewall-rule/README.md
+++ b/modules/sql/server/firewall-rule/README.md
@@ -19,28 +19,61 @@ This module deploys an Azure SQL Server Firewall Rule.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the Server Firewall Rule. |
+| [`name`](#parameter-name) | string | The name of the Server Firewall Rule. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
+| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `endIpAddress` | string | `'0.0.0.0'` | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. |
-| `startIpAddress` | string | `'0.0.0.0'` | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. |
+| [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `endIpAddress`
+
+The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses.
+- Required: No
+- Type: string
+- Default: `'0.0.0.0'`
+
+### Parameter: `name`
+
+The name of the Server Firewall Rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `serverName`
+
+The name of the parent SQL Server. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `startIpAddress`
+
+The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses.
+- Required: No
+- Type: string
+- Default: `'0.0.0.0'`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed firewall rule. |
 | `resourceGroupName` | string | The resource group of the deployed firewall rule. |
diff --git a/modules/sql/server/firewall-rule/main.json b/modules/sql/server/firewall-rule/main.json
index 352001c934..4c7a239b94 100644
--- a/modules/sql/server/firewall-rule/main.json
+++ b/modules/sql/server/firewall-rule/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3172947896499441492"
+ "version": "0.22.6.54827",
+ "templateHash": "17694214441241917212"
 },
 "name": "Azure SQL Server Firewall Rule",
 "description": "This module deploys an Azure SQL Server Firewall Rule.",
diff --git a/modules/sql/server/key/README.md b/modules/sql/server/key/README.md
index e39339513d..b5f44125a5 100644
--- a/modules/sql/server/key/README.md
+++ b/modules/sql/server/key/README.md
@@ -19,28 +19,62 @@ This module deploys an Azure SQL Server Key.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the key. Must follow the [__] pattern. |
+| [`name`](#parameter-name) | string | The name of the key. Must follow the [__] pattern. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serverName` | string | The name of the parent SQL server. Required if the template is used in a standalone deployment. |
+| [`serverName`](#parameter-servername) | string | The name of the parent SQL server. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
-| `uri` | string | `''` | | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
+| [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the key. Must follow the [__] pattern.
+- Required: Yes
+- Type: string
+
+### Parameter: `serverKeyType`
+
+The encryption protector type like "ServiceManaged", "AzureKeyVault".
+- Required: No
+- Type: string
+- Default: `'ServiceManaged'`
+- Allowed: `[AzureKeyVault, ServiceManaged]`
+
+### Parameter: `serverName`
+
+The name of the parent SQL server. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `uri`
+
+The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed server key. |
 | `resourceGroupName` | string | The resource group of the deployed server key. |
diff --git a/modules/sql/server/key/main.json b/modules/sql/server/key/main.json
index 6f88f16d58..7e4fc30512 100644
--- a/modules/sql/server/key/main.json
+++ b/modules/sql/server/key/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "17103037079550179702"
+ "version": "0.22.6.54827",
+ "templateHash": "11118825836661698100"
 },
 "name": "Azure SQL Server Keys",
 "description": "This module deploys an Azure SQL Server Key.",
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 6a1d922d2a..37cb2893eb 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "8694419597061926124"
+ "version": "0.22.6.54827",
+ "templateHash": "9716612519097639469"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
@@ -286,8 +286,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "484260346793465381"
+ "version": "0.22.6.54827",
+ "templateHash": "5938444191464090228"
 }
 },
 "parameters": {
@@ -473,8 +473,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16360680719988023446"
+ "version": "0.22.6.54827",
+ "templateHash": "7000207485744795208"
 },
 "name": "SQL Server Database",
 "description": "This module deploys an Azure SQL Server Database.",
@@ -894,8 +894,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "4382058876460070717"
+ "version": "0.22.6.54827",
+ "templateHash": "11274542290979624142"
 },
 "name": "Azure SQL Server Database Short Term Backup Retention Policies",
 "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.",
@@ -1017,8 +1017,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15709058610853670225"
+ "version": "0.22.6.54827",
+ "templateHash": "8422402072460240545"
 },
 "name": "SQL Server Database Long Term Backup Retention Policies",
 "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.",
@@ -1212,8 +1212,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "9604308026054276666"
+ "version": "0.22.6.54827",
+ "templateHash": "1361594412163336206"
 },
 "name": "SQL Server Elastic Pool",
 "description": "This module deploys an Azure SQL Server Elastic Pool.",
@@ -1457,8 +1457,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1657,8 +1657,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -1795,8 +1795,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
@@ -2007,8 +2007,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7423786467503129522"
+ "version": "0.22.6.54827",
+ "templateHash": "17694214441241917212"
 },
 "name": "Azure SQL Server Firewall Rule",
 "description": "This module deploys an Azure SQL Server Firewall Rule.",
@@ -2137,8 +2137,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3695719618066271143"
+ "version": "0.22.6.54827",
+ "templateHash": "6942471200332924480"
 },
 "name": "Azure SQL Server Virtual Network Rules",
 "description": "This module deploys an Azure SQL Server Virtual Network Rule.",
@@ -2269,8 +2269,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11767059399657225890"
+ "version": "0.22.6.54827",
+ "templateHash": "13278850436753309790"
 },
 "name": "Azure SQL Server Security Alert Policies",
 "description": "This module deploys an Azure SQL Server Security Alert Policy.",
@@ -2440,8 +2440,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7320869198261602557"
+ "version": "0.22.6.54827",
+ "templateHash": "10943798083405880032"
 },
 "name": "Azure SQL Server Vulnerability Assessments",
 "description": "This module deploys an Azure SQL Server Vulnerability Assessment.",
@@ -2588,8 +2588,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "3865700430562721282"
+ "version": "0.22.6.54827",
+ "templateHash": "11118825836661698100"
 },
 "name": "Azure SQL Server Keys",
 "description": "This module deploys an Azure SQL Server Key.",
@@ -2721,8 +2721,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "16115324341422318865"
+ "version": "0.22.6.54827",
+ "templateHash": "1128739845456097575"
 },
 "name": "Azure SQL Server Encryption Protector",
 "description": "This module deploys an Azure SQL Server Encryption Protector.",
diff --git a/modules/sql/server/security-alert-policy/README.md b/modules/sql/server/security-alert-policy/README.md
index db18f7b06f..765094b147 100644
--- a/modules/sql/server/security-alert-policy/README.md
+++ b/modules/sql/server/security-alert-policy/README.md
@@ -19,33 +19,102 @@ This module deploys an Azure SQL Server Security Alert Policy.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the Security Alert Policy. |
+| [`name`](#parameter-name) | string | The name of the Security Alert Policy. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
+| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `disabledAlerts` | array | `[]` | | Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force. |
-| `emailAccountAdmins` | bool | `False` | | Specifies that the alert is sent to the account administrators. |
-| `emailAddresses` | array | `[]` | | Specifies an array of email addresses to which the alert is sent. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `retentionDays` | int | `0` | | Specifies the number of days to keep in the Threat Detection audit logs. |
-| `state` | string | `'Disabled'` | `[Disabled, Enabled]` | Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. |
-| `storageAccountAccessKey` | securestring | `''` | | Specifies the identifier key of the Threat Detection audit storage account.. |
-| `storageEndpoint` | string | `''` | | Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`disabledAlerts`](#parameter-disabledalerts) | array | Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force. |
+| [`emailAccountAdmins`](#parameter-emailaccountadmins) | bool | Specifies that the alert is sent to the account administrators. |
+| [`emailAddresses`](#parameter-emailaddresses) | array | Specifies an array of email addresses to which the alert is sent. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`retentionDays`](#parameter-retentiondays) | int | Specifies the number of days to keep in the Threat Detection audit logs. |
+| [`state`](#parameter-state) | string | Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. |
+| [`storageAccountAccessKey`](#parameter-storageaccountaccesskey) | securestring | Specifies the identifier key of the Threat Detection audit storage account.. |
+| [`storageEndpoint`](#parameter-storageendpoint) | string | Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. |
+
+### Parameter: `disabledAlerts`
+
+Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `emailAccountAdmins`
+
+Specifies that the alert is sent to the account administrators.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `emailAddresses`
+
+Specifies an array of email addresses to which the alert is sent.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the Security Alert Policy.
+- Required: Yes
+- Type: string
+
+### Parameter: `retentionDays`
+
+Specifies the number of days to keep in the Threat Detection audit logs.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `serverName`
+
+The name of the parent SQL Server. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `state`
+
+Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed: `[Disabled, Enabled]`
+
+### Parameter: `storageAccountAccessKey`
+
+Specifies the identifier key of the Threat Detection audit storage account..
+- Required: No
+- Type: securestring
+- Default: `''`
+
+### Parameter: `storageEndpoint`
+
+Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed security alert policy. |
 | `resourceGroupName` | string | The resource group of the deployed security alert policy. |
diff --git a/modules/sql/server/security-alert-policy/main.json b/modules/sql/server/security-alert-policy/main.json
index 6855d265d5..5e45eacbe7 100644
--- a/modules/sql/server/security-alert-policy/main.json
+++ b/modules/sql/server/security-alert-policy/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "15954751031444198635"
+ "version": "0.22.6.54827",
+ "templateHash": "13278850436753309790"
 },
 "name": "Azure SQL Server Security Alert Policies",
 "description": "This module deploys an Azure SQL Server Security Alert Policy.",
diff --git a/modules/sql/server/virtual-network-rule/README.md b/modules/sql/server/virtual-network-rule/README.md
index 94da54fc6f..9124257799 100644
--- a/modules/sql/server/virtual-network-rule/README.md
+++ b/modules/sql/server/virtual-network-rule/README.md
@@ -19,28 +19,60 @@ This module deploys an Azure SQL Server Virtual Network Rule.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the Server Virtual Network Rule. |
-| `virtualNetworkSubnetId` | string | The resource ID of the virtual network subnet. |
+| [`name`](#parameter-name) | string | The name of the Server Virtual Network Rule. |
+| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | The resource ID of the virtual network subnet. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
+| [`serverName`](#parameter-servername) | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `ignoreMissingVnetServiceEndpoint` | bool | `False` | Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`ignoreMissingVnetServiceEndpoint`](#parameter-ignoremissingvnetserviceendpoint) | bool | Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `ignoreMissingVnetServiceEndpoint`
+
+Allow creating a firewall rule before the virtual network has vnet service endpoint enabled.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `name`
+
+The name of the Server Virtual Network Rule.
+- Required: Yes
+- Type: string
+
+### Parameter: `serverName`
+
+The name of the parent SQL Server. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `virtualNetworkSubnetId`
+
+The resource ID of the virtual network subnet.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed virtual network rule. |
 | `resourceGroupName` | string | The resource group of the deployed virtual network rule. |
diff --git a/modules/sql/server/virtual-network-rule/main.json b/modules/sql/server/virtual-network-rule/main.json
index e2db4b658a..b718729e1a 100644
--- a/modules/sql/server/virtual-network-rule/main.json
+++ b/modules/sql/server/virtual-network-rule/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "8465167845638762436"
+ "version": "0.22.6.54827",
+ "templateHash": "6942471200332924480"
 },
 "name": "Azure SQL Server Virtual Network Rules",
 "description": "This module deploys an Azure SQL Server Virtual Network Rule.",
diff --git a/modules/sql/server/vulnerability-assessment/README.md b/modules/sql/server/vulnerability-assessment/README.md
index 19d8e43fdd..ca920e3719 100644
--- a/modules/sql/server/vulnerability-assessment/README.md
+++ b/modules/sql/server/vulnerability-assessment/README.md
@@ -19,25 +19,72 @@ This module deploys an Azure SQL Server Vulnerability Assessment.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the vulnerability assessment. |
-| `serverName` | string | The Name of SQL Server. |
+| [`name`](#parameter-name) | string | The name of the vulnerability assessment. |
+| [`serverName`](#parameter-servername) | string | The Name of SQL Server. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `recurringScansEmails` | array | `[]` | Specifies an array of email addresses to which the scan notification is sent. |
-| `recurringScansEmailSubscriptionAdmins` | bool | `False` | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
-| `recurringScansIsEnabled` | bool | `False` | Recurring scans state. |
-| `storageAccountResourceId` | string | `''` | A blob storage to hold the scan results. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`recurringScansEmails`](#parameter-recurringscansemails) | array | Specifies an array of email addresses to which the scan notification is sent. |
+| [`recurringScansEmailSubscriptionAdmins`](#parameter-recurringscansemailsubscriptionadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
+| [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. |
+| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `name`
+
+The name of the vulnerability assessment.
+- Required: Yes
+- Type: string
+
+### Parameter: `recurringScansEmails`
+
+Specifies an array of email addresses to which the scan notification is sent.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `recurringScansEmailSubscriptionAdmins`
+
+Specifies that the schedule scan notification will be is sent to the subscription administrators.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `recurringScansIsEnabled`
+
+Recurring scans state.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `serverName`
+
+The Name of SQL Server.
+- Required: Yes
+- Type: string
+
+### Parameter: `storageAccountResourceId`
+
+A blob storage to hold the scan results.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed vulnerability assessment. |
 | `resourceGroupName` | string | The resource group of the deployed vulnerability assessment. |
diff --git a/modules/sql/server/vulnerability-assessment/main.json b/modules/sql/server/vulnerability-assessment/main.json
index 200a3baedf..1e52c4fa98 100644
--- a/modules/sql/server/vulnerability-assessment/main.json
+++ b/modules/sql/server/vulnerability-assessment/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "13755079853951277921"
+ "version": "0.22.6.54827",
+ "templateHash": "10943798083405880032"
 },
 "name": "Azure SQL Server Vulnerability Assessments",
 "description": "This module deploys an Azure SQL Server Vulnerability Assessment.",
diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep
index 57323509f2..4a706b1279 100644
--- a/modules/storage/storage-account/.test/common/main.test.bicep
+++ b/modules/storage/storage-account/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/storage/storage-account/.test/min/main.test.bicep b/modules/storage/storage-account/.test/min/main.test.bicep
index e28ad38d60..c96293aff1 100644
--- a/modules/storage/storage-account/.test/min/main.test.bicep
+++ b/modules/storage/storage-account/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 571fa9e6d7..257e7ecc6c 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -4,14 +4,14 @@ This module deploys a Storage Account.
 ## Navigation
-- [Resource types](#Resource-types)
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
-## Resource types
+## Resource Types
 | Resource Type | API Version |
 | :-- | :-- |
@@ -33,106 +33,31 @@ This module deploys a Storage Account.
 | `Microsoft.Storage/storageAccounts/tableServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices) |
 | `Microsoft.Storage/storageAccounts/tableServices/tables` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/tableServices/tables) |
-## Parameters
-
-**Required parameters**
-
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | Name of the Storage Account. |
-
-**Conditional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `accessTier` | string | `'Hot'` | `[Cool, Hot, Premium]` | Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. |
-| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
-| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
-| `enableHierarchicalNamespace` | bool | `False` | | If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. |
-
-**Optional parameters**
-
-| Parameter Name | Type | Default Value | Allowed Values | Description |
-| :-- | :-- | :-- | :-- | :-- |
-| `allowBlobPublicAccess` | bool | `False` | | Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.
|
-| `allowCrossTenantReplication` | bool | `True` | | Allow or disallow cross AAD tenant object replication. |
-| `allowedCopyScope` | string | `''` | `['', AAD, PrivateLink]` | Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. |
-| `allowSharedKeyAccess` | bool | `True` | | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. |
-| `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Provides the identity based authentication settings for Azure Files. |
-| `blobServices` | object | `{object}` | | Blob service and containers to deploy. |
-| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. |
-| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. |
-| `customDomainName` | string | `''` | | Sets the custom domain name assigned to the storage account. Name is the CNAME source. |
-| `customDomainUseSubDomainName` | bool | `False` | | Indicates whether indirect CName validation is enabled. This should only be set on updates. |
-| `defaultToOAuthAuthentication` | bool | `False` | | A boolean flag which indicates whether the default authentication is OAuth or not. |
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
|
-| `diagnosticMetricsToEnable` | array | `[Transaction]` | `[Transaction]` | The name of metrics that will be streamed. |
-| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `dnsEndpointType` | string | `''` | `['', AzureDnsZone, Standard]` | Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `enableNfsV3` | bool | `False` | | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. |
-| `enableSftp` | bool | `False` | | If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. |
-| `fileServices` | object | `{object}` | | File service and shares to deploy. |
-| `isLocalUserEnabled` | bool | `False` | | Enables local users feature, if set to true. |
-| `kind` | string | `'StorageV2'` | `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` | Type of Storage Account to create. |
-| `largeFileSharesState` | string | `'Disabled'` | `[Disabled, Enabled]` | Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). |
-| `localUsers` | array | `[]` | | Local users to deploy for SFTP authentication.
|
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `managementPolicyRules` | array | `[]` | | The Storage Account ManagementPolicies Rules. |
-| `minimumTlsVersion` | string | `'TLS1_2'` | `[TLS1_0, TLS1_1, TLS1_2]` | Set the minimum TLS version on request to storage. |
-| `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. |
-| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. |
-| `queueServices` | object | `{object}` | | Queue service and queues to create. |
-| `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `sasExpirationPeriod` | string | `''` | | The SAS expiration period. DD.HH:MM:SS.
|
-| `skuName` | string | `'Standard_GRS'` | `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` | Storage Account Sku Name. |
-| `supportsHttpsTrafficOnly` | bool | `True` | | Allows HTTPS traffic only to storage service if sets to true. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tableServices` | object | `{object}` | | Table service and tables to create. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
-
-
-## Outputs
-
-| Output Name | Type | Description |
-| :-- | :-- | :-- |
-| `location` | string | The location the resource was deployed into. |
-| `name` | string | The name of the deployed storage account. |
-| `primaryBlobEndpoint` | string | The primary blob endpoint reference if blob services are deployed. |
-| `resourceGroupName` | string | The resource group of the deployed storage account. |
-| `resourceId` | string | The resource ID of the deployed storage account. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+## Usage examples
-## Cross-referenced modules
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
-This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
-| Reference | Type |
-| :-- | :-- |
-| `network/private-endpoint` | Local reference |
+>**Note**: To reference the module, please use the following syntax `br:bicep/modules/storage.storage-account:1.0.0`.
-## Deployment examples
+- [Using large parameter set](#example-1-using-large-parameter-set)
+- [Encr](#example-2-encr)
+- [Using only defaults](#example-3-using-only-defaults)
+- [Nfs](#example-4-nfs)
+- [V1](#example-5-v1)
-The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
- >**Note**: The name of each example is based on the name of the file from which it is taken.
+### Example 1: _Using large parameter set_
- >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+This instance deploys the module with most of its features enabled.
-

Example 1: Common

via Bicep module
 ```bicep
-module storageAccount './storage/storage-account/main.bicep' = {
+module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-ssacom'
 params: {
 // Required parameters
@@ -654,14 +579,14 @@ module storageAccount './storage/storage-account/main.bicep' = {

-

Example 2: Encr

+### Example 2: _Encr_
via Bicep module
 ```bicep
-module storageAccount './storage/storage-account/main.bicep' = {
+module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-ssaencr'
 params: {
 // Required parameters
@@ -825,14 +750,17 @@ module storageAccount './storage/storage-account/main.bicep' = {

-

Example 3: Min

+### Example 3: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
via Bicep module
 ```bicep
-module storageAccount './storage/storage-account/main.bicep' = {
+module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-ssamin'
 params: {
 // Required parameters
@@ -874,14 +802,14 @@ module storageAccount './storage/storage-account/main.bicep' = {

-

Example 4: Nfs

+### Example 4: _Nfs_
via Bicep module
 ```bicep
-module storageAccount './storage/storage-account/main.bicep' = {
+module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-ssanfs'
 params: {
 // Required parameters
@@ -1017,14 +945,14 @@ module storageAccount './storage/storage-account/main.bicep' = {

-

Example 5: V1

+### Example 5: _V1_
via Bicep module
 ```bicep
-module storageAccount './storage/storage-account/main.bicep' = {
+module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 name: '${uniqueString(deployment().name, location)}-test-ssav1'
 params: {
 // Required parameters
@@ -1083,6 +1011,436 @@ module storageAccount './storage/storage-account/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Storage Account. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessTier`](#parameter-accesstier) | string | Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | +| [`enableHierarchicalNamespace`](#parameter-enablehierarchicalnamespace) | bool | If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowBlobPublicAccess`](#parameter-allowblobpublicaccess) | bool | Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. | +| [`allowCrossTenantReplication`](#parameter-allowcrosstenantreplication) | bool | Allow or disallow cross AAD tenant object replication. | +| [`allowedCopyScope`](#parameter-allowedcopyscope) | string | Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. 
| +| [`allowSharedKeyAccess`](#parameter-allowsharedkeyaccess) | bool | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | +| [`azureFilesIdentityBasedAuthentication`](#parameter-azurefilesidentitybasedauthentication) | object | Provides the identity based authentication settings for Azure Files. | +| [`blobServices`](#parameter-blobservices) | object | Blob service and containers to deploy. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, latest is used. | +| [`customDomainName`](#parameter-customdomainname) | string | Sets the custom domain name assigned to the storage account. Name is the CNAME source. | +| [`customDomainUseSubDomainName`](#parameter-customdomainusesubdomainname) | bool | Indicates whether indirect CName validation is enabled. This should only be set on updates. | +| [`defaultToOAuthAuthentication`](#parameter-defaulttooauthauthentication) | bool | A boolean flag which indicates whether the default authentication is OAuth or not. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`dnsEndpointType`](#parameter-dnsendpointtype) | string | Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableNfsV3`](#parameter-enablenfsv3) | bool | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. | +| [`enableSftp`](#parameter-enablesftp) | bool | If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. | +| [`fileServices`](#parameter-fileservices) | object | File service and shares to deploy. | +| [`isLocalUserEnabled`](#parameter-islocaluserenabled) | bool | Enables local users feature, if set to true. | +| [`kind`](#parameter-kind) | string | Type of Storage Account to create. | +| [`largeFileSharesState`](#parameter-largefilesharesstate) | string | Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). 
| +| [`localUsers`](#parameter-localusers) | array | Local users to deploy for SFTP authentication. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managementPolicyRules`](#parameter-managementpolicyrules) | array | The Storage Account ManagementPolicies Rules. | +| [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Set the minimum TLS version on request to storage. | +| [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | +| [`queueServices`](#parameter-queueservices) | object | Queue service and queues to create. | +| [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sasExpirationPeriod`](#parameter-sasexpirationperiod) | string | The SAS expiration period. DD.HH:MM:SS. | +| [`skuName`](#parameter-skuname) | string | Storage Account Sku Name. | +| [`supportsHttpsTrafficOnly`](#parameter-supportshttpstrafficonly) | bool | Allows HTTPS traffic only to storage service if sets to true. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tableServices`](#parameter-tableservices) | object | Table service and tables to create. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `accessTier` + +Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. +- Required: No +- Type: string +- Default: `'Hot'` +- Allowed: `[Cool, Hot, Premium]` + +### Parameter: `allowBlobPublicAccess` + +Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `allowCrossTenantReplication` + +Allow or disallow cross AAD tenant object replication. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `allowedCopyScope` + +Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', AAD, PrivateLink]` + +### Parameter: `allowSharedKeyAccess` + +Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `azureFilesIdentityBasedAuthentication` + +Provides the identity based authentication settings for Azure Files. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `blobServices` + +Blob service and containers to deploy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, latest is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `customDomainName` + +Sets the custom domain name assigned to the storage account. Name is the CNAME source. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `customDomainUseSubDomainName` + +Indicates whether indirect CName validation is enabled. This should only be set on updates. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `defaultToOAuthAuthentication` + +A boolean flag which indicates whether the default authentication is OAuth or not. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Transaction]` +- Allowed: `[Transaction]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsEndpointType` + +Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', AzureDnsZone, Standard]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableHierarchicalNamespace` + +If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableNfsV3` + +If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableSftp` + +If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `fileServices` + +File service and shares to deploy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `isLocalUserEnabled` + +Enables local users feature, if set to true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `kind` + +Type of Storage Account to create. +- Required: No +- Type: string +- Default: `'StorageV2'` +- Allowed: `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` + +### Parameter: `largeFileSharesState` + +Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `localUsers` + +Local users to deploy for SFTP authentication. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. 
+- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managementPolicyRules` + +The Storage Account ManagementPolicies Rules. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `minimumTlsVersion` + +Set the minimum TLS version on request to storage. +- Required: No +- Type: string +- Default: `'TLS1_2'` +- Allowed: `[TLS1_0, TLS1_1, TLS1_2]` + +### Parameter: `name` + +Name of the Storage Account. +- Required: Yes +- Type: string + +### Parameter: `networkAcls` + +Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `queueServices` + +Queue service and queues to create. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `requireInfrastructureEncryption` + +A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sasExpirationPeriod` + +The SAS expiration period. DD.HH:MM:SS. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `skuName` + +Storage Account Sku Name. +- Required: No +- Type: string +- Default: `'Standard_GRS'` +- Allowed: `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` + +### Parameter: `supportsHttpsTrafficOnly` + +Allows HTTPS traffic only to storage service if sets to true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tableServices` + +Table service and tables to create. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed storage account. | +| `primaryBlobEndpoint` | string | The primary blob endpoint reference if blob services are deployed. | +| `resourceGroupName` | string | The resource group of the deployed storage account. | +| `resourceId` | string | The resource ID of the deployed storage account. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
|
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
+
 ## Notes
 This is a generic module for deploying a Storage Account. Any customization for different storage needs (such as a diagnostic or other storage account) need to be done through the Archetype.
diff --git a/modules/storage/storage-account/blob-service/README.md b/modules/storage/storage-account/blob-service/README.md
index b0c44ced78..366984e3a0 100644
--- a/modules/storage/storage-account/blob-service/README.md
+++ b/modules/storage/storage-account/blob-service/README.md
@@ -23,43 +23,219 @@ This module deploys a Storage Account Blob Service. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `automaticSnapshotPolicyEnabled` | bool | `False` | | Automatic Snapshot is enabled if set to true. | -| `changeFeedEnabled` | bool | `True` | | The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service. | -| `changeFeedRetentionInDays` | int | `7` | | Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. | -| `containerDeleteRetentionPolicyAllowPermanentDelete` | bool | `False` | | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | -| `containerDeleteRetentionPolicyDays` | int | `7` | | Indicates the number of days that the deleted item should be retained. | -| `containerDeleteRetentionPolicyEnabled` | bool | `True` | | The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. | -| `containers` | array | `[]` | | Blob containers to create. | -| `corsRules` | array | `[]` | | Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. 
If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. | -| `defaultServiceVersion` | string | `''` | | Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. | -| `deleteRetentionPolicyAllowPermanentDelete` | bool | `False` | | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | -| `deleteRetentionPolicyDays` | int | `7` | | Indicates the number of days that the deleted blob should be retained. | -| `deleteRetentionPolicyEnabled` | bool | `True` | | The blob service properties for blob soft delete. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, StorageDelete, StorageRead, StorageWrite]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Transaction]` | `[Transaction]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
| -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `isVersioningEnabled` | bool | `True` | | Use versioning to automatically maintain previous versions of your blobs. | -| `lastAccessTimeTrackingPolicyEnabled` | bool | `False` | | The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. | -| `restorePolicyDays` | int | `6` | | how long this blob can be restored. It should be less than DeleteRetentionPolicy days. | -| `restorePolicyEnabled` | bool | `True` | | The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`automaticSnapshotPolicyEnabled`](#parameter-automaticsnapshotpolicyenabled) | bool | Automatic Snapshot is enabled if set to true. | +| [`changeFeedEnabled`](#parameter-changefeedenabled) | bool | The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service. | +| [`changeFeedRetentionInDays`](#parameter-changefeedretentionindays) | int | Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. | +| [`containerDeleteRetentionPolicyAllowPermanentDelete`](#parameter-containerdeleteretentionpolicyallowpermanentdelete) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. 
| +| [`containerDeleteRetentionPolicyDays`](#parameter-containerdeleteretentionpolicydays) | int | Indicates the number of days that the deleted item should be retained. | +| [`containerDeleteRetentionPolicyEnabled`](#parameter-containerdeleteretentionpolicyenabled) | bool | The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. | +| [`containers`](#parameter-containers) | array | Blob containers to create. | +| [`corsRules`](#parameter-corsrules) | array | Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. | +| [`defaultServiceVersion`](#parameter-defaultserviceversion) | string | Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. | +| [`deleteRetentionPolicyAllowPermanentDelete`](#parameter-deleteretentionpolicyallowpermanentdelete) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | +| [`deleteRetentionPolicyDays`](#parameter-deleteretentionpolicydays) | int | Indicates the number of days that the deleted blob should be retained. | +| [`deleteRetentionPolicyEnabled`](#parameter-deleteretentionpolicyenabled) | bool | The blob service properties for blob soft delete. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`isVersioningEnabled`](#parameter-isversioningenabled) | bool | Use versioning to automatically maintain previous versions of your blobs. | +| [`lastAccessTimeTrackingPolicyEnabled`](#parameter-lastaccesstimetrackingpolicyenabled) | bool | The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. | +| [`restorePolicyDays`](#parameter-restorepolicydays) | int | how long this blob can be restored. It should be less than DeleteRetentionPolicy days. | +| [`restorePolicyEnabled`](#parameter-restorepolicyenabled) | bool | The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. 
| + +### Parameter: `automaticSnapshotPolicyEnabled` + +Automatic Snapshot is enabled if set to true. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `changeFeedEnabled` + +The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `changeFeedRetentionInDays` + +Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `containerDeleteRetentionPolicyAllowPermanentDelete` + +This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `containerDeleteRetentionPolicyDays` + +Indicates the number of days that the deleted item should be retained. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `containerDeleteRetentionPolicyEnabled` + +The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `containers` + +Blob containers to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `corsRules` + +Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `defaultServiceVersion` + +Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `deleteRetentionPolicyAllowPermanentDelete` + +This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `deleteRetentionPolicyDays` + +Indicates the number of days that the deleted blob should be retained. +- Required: No +- Type: int +- Default: `7` + +### Parameter: `deleteRetentionPolicyEnabled` + +The blob service properties for blob soft delete. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. 
+- Required: No +- Type: array +- Default: `[Transaction]` +- Allowed: `[Transaction]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of a log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `isVersioningEnabled` + +Use versioning to automatically maintain previous versions of your blobs. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `lastAccessTimeTrackingPolicyEnabled` + +The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `restorePolicyDays` + +how long this blob can be restored. It should be less than DeleteRetentionPolicy days. +- Required: No +- Type: int +- Default: `6` + +### Parameter: `restorePolicyEnabled` + +The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed blob service. | | `resourceGroupName` | string | The name of the deployed blob service. | 
diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md
index bd2bac4f1e..58e460fa12 100644
--- a/modules/storage/storage-account/blob-service/container/README.md
+++ b/modules/storage/storage-account/blob-service/container/README.md
@@ -21,36 +21,126 @@ This module deploys a Storage Account Blob Container. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the storage container to deploy. | +| [`name`](#parameter-name) | string | The name of the storage container to deploy. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `defaultEncryptionScope` | string | `''` | | Default the container to use specified encryption scope for all writes. | -| `denyEncryptionScopeOverride` | bool | `False` | | Block override of encryption scope from the container default. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableNfsV3AllSquash` | bool | `False` | | Enable NFSv3 all squash on blob container. | -| `enableNfsV3RootSquash` | bool | `False` | | Enable NFSv3 root squash on blob container. | -| `immutabilityPolicyName` | string | `'default'` | | Name of the immutable policy. | -| `immutabilityPolicyProperties` | object | `{object}` | | Configure immutability policy. | -| `immutableStorageWithVersioningEnabled` | bool | `False` | | This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. 
| -| `metadata` | object | `{object}` | | A name-value pair to associate with the container as metadata. | -| `publicAccess` | string | `'None'` | `[Blob, Container, None]` | Specifies whether data in the container may be accessed publicly and the level of access. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`defaultEncryptionScope`](#parameter-defaultencryptionscope) | string | Default the container to use specified encryption scope for all writes. | +| [`denyEncryptionScopeOverride`](#parameter-denyencryptionscopeoverride) | bool | Block override of encryption scope from the container default. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableNfsV3AllSquash`](#parameter-enablenfsv3allsquash) | bool | Enable NFSv3 all squash on blob container. | +| [`enableNfsV3RootSquash`](#parameter-enablenfsv3rootsquash) | bool | Enable NFSv3 root squash on blob container. | +| [`immutabilityPolicyName`](#parameter-immutabilitypolicyname) | string | Name of the immutable policy. | +| [`immutabilityPolicyProperties`](#parameter-immutabilitypolicyproperties) | object | Configure immutability policy. | +| [`immutableStorageWithVersioningEnabled`](#parameter-immutablestoragewithversioningenabled) | bool | This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. 
Existing containers must undergo a migration process. | +| [`metadata`](#parameter-metadata) | object | A name-value pair to associate with the container as metadata. | +| [`publicAccess`](#parameter-publicaccess) | string | Specifies whether data in the container may be accessed publicly and the level of access. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +### Parameter: `defaultEncryptionScope` + +Default the container to use specified encryption scope for all writes. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `denyEncryptionScopeOverride` + +Block override of encryption scope from the container default. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableNfsV3AllSquash` + +Enable NFSv3 all squash on blob container. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableNfsV3RootSquash` + +Enable NFSv3 root squash on blob container. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `immutabilityPolicyName` + +Name of the immutable policy. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `immutabilityPolicyProperties` + +Configure immutability policy. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `immutableStorageWithVersioningEnabled` + +This is an immutable property, when set to true it enables object level immutability at the container level. 
The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `metadata` + +A name-value pair to associate with the container as metadata. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the storage container to deploy. +- Required: Yes +- Type: string + +### Parameter: `publicAccess` + +Specifies whether data in the container may be accessed publicly and the level of access. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[Blob, Container, None]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed container. | | `resourceGroupName` | string | The resource group of the deployed container. | diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md b/modules/storage/storage-account/blob-service/container/immutability-policy/README.md index d08fe5de35..119022a4e9 100644 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md +++ b/modules/storage/storage-account/blob-service/container/immutability-policy/README.md 
@@ -19,24 +19,64 @@ This module deploys a Storage Account Blob Container Immutability Policy. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `containerName` | string | The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`containerName`](#parameter-containername) | string | The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `allowProtectedAppendWrites` | bool | `True` | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. | -| `allowProtectedAppendWritesAll` | bool | `True` | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `immutabilityPeriodSinceCreationInDays` | int | `365` | The immutability period for the blobs in the container since the policy creation, in days. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowProtectedAppendWrites`](#parameter-allowprotectedappendwrites) | bool | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. | +| [`allowProtectedAppendWritesAll`](#parameter-allowprotectedappendwritesall) | bool | This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`immutabilityPeriodSinceCreationInDays`](#parameter-immutabilityperiodsincecreationindays) | int | The immutability period for the blobs in the container since the policy creation, in days. | + +### Parameter: `allowProtectedAppendWrites` + +This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `allowProtectedAppendWritesAll` + +This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `containerName` + +The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `immutabilityPeriodSinceCreationInDays` + +The immutability period for the blobs in the container since the policy creation, in days. +- Required: No +- Type: int +- Default: `365` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed immutability policy. | | `resourceGroupName` | string | The resource group of the deployed immutability policy. | diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json index 3fc5dd3e17..8f5f095161 100644 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json +++ b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "5668549883344653702"
+ "version": "0.22.6.54827",
+ "templateHash": "5294108325383402237"
 },
 "name": "Storage Account Blob Container Immutability Policies",
 "description": "This module deploys a Storage Account Blob Container Immutability Policy.",
diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json
index 112c4734d2..8c211d81cf 100644
--- a/modules/storage/storage-account/blob-service/container/main.json
+++ b/modules/storage/storage-account/blob-service/container/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "7500144031846073123"
+ "version": "0.22.6.54827",
+ "templateHash": "394166978572431989"
 },
 "name": "Storage Account Blob Containers",
 "description": "This module deploys a Storage Account Blob Container.",
@@ -170,8 +170,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "5668549883344653702"
+ "version": "0.22.6.54827",
+ "templateHash": "5294108325383402237"
 },
 "name": "Storage Account Blob Container Immutability Policies",
 "description": "This module deploys a Storage Account Blob Container Immutability Policy.",
@@ -309,8 +309,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "8600687658951622621"
+ "version": "0.22.6.54827",
+ "templateHash": "3779322696347988040"
 }
 },
 "parameters": {
diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json
index 49c255f2fa..4a0a989e48 100644
--- a/modules/storage/storage-account/blob-service/main.json
+++ b/modules/storage/storage-account/blob-service/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "16838270897726250953"
+ "version": "0.22.6.54827",
+ "templateHash": "7606881916546008936"
 },
 "name": "Storage Account blob Services",
 "description": "This module deploys a Storage Account Blob Service.",
@@ -341,8 +341,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "7500144031846073123"
+ "version": "0.22.6.54827",
+ "templateHash": "394166978572431989"
 },
 "name": "Storage Account Blob Containers",
 "description": "This module deploys a Storage Account Blob Container.",
@@ -507,8 +507,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "5668549883344653702"
+ "version": "0.22.6.54827",
+ "templateHash": "5294108325383402237"
 },
 "name": "Storage Account Blob Container Immutability Policies",
 "description": "This module deploys a Storage Account Blob Container Immutability Policy.",
@@ -646,8 +646,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "8600687658951622621"
+ "version": "0.22.6.54827",
+ "templateHash": "3779322696347988040"
 }
 },
 "parameters": {
diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md
index 5ccef9ca69..1593b168b2 100644
--- a/modules/storage/storage-account/file-service/README.md
+++ b/modules/storage/storage-account/file-service/README.md
@@ -22,31 +22,123 @@ This module deploys a Storage Account File Share Service. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, StorageDelete, StorageRead, StorageWrite]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Transaction]` | `[Transaction]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `name` | string | `'default'` | | The name of the file service. 
| -| `protocolSettings` | object | `{object}` | | Protocol settings for file service. | -| `shareDeleteRetentionPolicy` | object | `{object}` | | The service properties for soft delete. | -| `shares` | array | `[]` | | File shares to create. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`name`](#parameter-name) | string | The name of the file service. | +| [`protocolSettings`](#parameter-protocolsettings) | object | Protocol settings for file service. | +| [`shareDeleteRetentionPolicy`](#parameter-sharedeleteretentionpolicy) | object | The service properties for soft delete. 
| +| [`shares`](#parameter-shares) | array | File shares to create. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Transaction]` +- Allowed: `[Transaction]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of a log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the file service. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `protocolSettings` + +Protocol settings for file service. 
+- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `shareDeleteRetentionPolicy` + +The service properties for soft delete. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `shares` + +File shares to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed file share service. | | `resourceGroupName` | string | The resource group of the deployed file share service. | diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index f4601e248a..047c971b7f 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17282775888269025572" + "version": "0.22.6.54827", + "templateHash": "9522240963883457114" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -224,8 +224,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15634855845265993886" + "version": "0.22.6.54827", + "templateHash": "10078506011156678451" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -370,8 +370,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17068545632348399169" + "version": "0.22.6.54827", + "templateHash": "11207645433031461361" } }, "parameters": { 
diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index 5513c20483..1e20ba6c67 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md 
@@ -20,32 +20,96 @@ This module deploys a Storage Account File Share. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the file share to create. | +| [`name`](#parameter-name) | string | The name of the file share to create. | **Conditional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `accessTier` | string | `'TransactionOptimized'` | `[Cool, Hot, Premium, TransactionOptimized]` | Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool. | -| `fileServicesName` | string | `'default'` | | The name of the parent file service. Required if the template is used in a standalone deployment. | -| `storageAccountName` | string | | | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessTier`](#parameter-accesstier) | string | Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool. | +| [`fileServicesName`](#parameter-fileservicesname) | string | The name of the parent file service. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). 
| -| `enabledProtocols` | string | `'SMB'` | `[NFS, SMB]` | The authentication protocol that is used for the file share. Can only be specified when creating a share. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `rootSquash` | string | `'NoRootSquash'` | `[AllSquash, NoRootSquash, RootSquash]` | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. | -| `shareQuota` | int | `5120` | | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enabledProtocols`](#parameter-enabledprotocols) | string | The authentication protocol that is used for the file share. Can only be specified when creating a share. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`rootSquash`](#parameter-rootsquash) | string | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. | +| [`shareQuota`](#parameter-sharequota) | int | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). | + +### Parameter: `accessTier` + +Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool. +- Required: No +- Type: string +- Default: `'TransactionOptimized'` +- Allowed: `[Cool, Hot, Premium, TransactionOptimized]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enabledProtocols` + +The authentication protocol that is used for the file share. Can only be specified when creating a share. +- Required: No +- Type: string +- Default: `'SMB'` +- Allowed: `[NFS, SMB]` + +### Parameter: `fileServicesName` + +The name of the parent file service. Required if the template is used in a standalone deployment. +- Required: No +- Type: string +- Default: `'default'` + +### Parameter: `name` + +The name of the file share to create. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `rootSquash` + +Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. +- Required: No +- Type: string +- Default: `'NoRootSquash'` +- Allowed: `[AllSquash, NoRootSquash, RootSquash]` + +### Parameter: `shareQuota` + +The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). +- Required: No +- Type: int +- Default: `5120` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed file share. | | `resourceGroupName` | string | The resource group of the deployed file share. | diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json index 71c38945c6..8e0004213f 100644 --- a/modules/storage/storage-account/file-service/share/main.json +++ b/modules/storage/storage-account/file-service/share/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "15634855845265993886" + "version": "0.22.6.54827", + "templateHash": "10078506011156678451" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -150,8 +150,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17068545632348399169" + "version": "0.22.6.54827", + "templateHash": "11207645433031461361" } }, "parameters": { 
diff --git a/modules/storage/storage-account/local-user/README.md b/modules/storage/storage-account/local-user/README.md index 2fdd397e85..9f2197327d 100644 --- a/modules/storage/storage-account/local-user/README.md +++ b/modules/storage/storage-account/local-user/README.md 
@@ -19,32 +19,90 @@ This module deploys a Storage Account Local User, which is used for SFTP authent **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hasSshKey` | bool | Indicates whether SSH key exists. Set it to false to remove existing SSH key. | -| `hasSshPassword` | bool | Indicates whether SSH password exists. Set it to false to remove existing SSH password. | -| `name` | string | The name of the local user used for SFTP Authentication. | -| `permissionScopes` | array | The permission scopes of the local user. | +| [`hasSshKey`](#parameter-hassshkey) | bool | Indicates whether SSH key exists. Set it to false to remove existing SSH key. | +| [`hasSshPassword`](#parameter-hassshpassword) | bool | Indicates whether SSH password exists. Set it to false to remove existing SSH password. | +| [`name`](#parameter-name) | string | The name of the local user used for SFTP Authentication. | +| [`permissionScopes`](#parameter-permissionscopes) | array | The permission scopes of the local user. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hasSharedKey` | bool | `False` | Indicates whether shared key exists. Set it to false to remove existing shared key. | -| `homeDirectory` | string | `''` | The local user home directory. 
| -| `sshAuthorizedKeys` | array | `[]` | The local user SSH authorized keys for SFTP. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hasSharedKey`](#parameter-hassharedkey) | bool | Indicates whether shared key exists. Set it to false to remove existing shared key. | +| [`homeDirectory`](#parameter-homedirectory) | string | The local user home directory. | +| [`sshAuthorizedKeys`](#parameter-sshauthorizedkeys) | array | The local user SSH authorized keys for SFTP. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hasSharedKey` + +Indicates whether shared key exists. Set it to false to remove existing shared key. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `hasSshKey` + +Indicates whether SSH key exists. Set it to false to remove existing SSH key. +- Required: Yes +- Type: bool + +### Parameter: `hasSshPassword` + +Indicates whether SSH password exists. Set it to false to remove existing SSH password. +- Required: Yes +- Type: bool + +### Parameter: `homeDirectory` + +The local user home directory. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +The name of the local user used for SFTP Authentication. +- Required: Yes +- Type: string + +### Parameter: `permissionScopes` + +The permission scopes of the local user. +- Required: Yes +- Type: array + +### Parameter: `sshAuthorizedKeys` + +The local user SSH authorized keys for SFTP. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed local user. | | `resourceGroupName` | string | The resource group of the deployed local user. | diff --git a/modules/storage/storage-account/local-user/main.json b/modules/storage/storage-account/local-user/main.json index 6e9675ae6f..274d270140 100644 --- a/modules/storage/storage-account/local-user/main.json +++ b/modules/storage/storage-account/local-user/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17498007234218946474" + "version": "0.22.6.54827", + "templateHash": "17857562856314258952" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 4d7fd6c0e9..8ffb72979b 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9455165224264382" + "version": "0.22.6.54827", + "templateHash": "5401777351755094753" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", @@ -555,8 +555,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "11907799862370162022" + "version": "0.22.6.54827", + "templateHash": "11629900401878342598" } }, "parameters": { @@ -748,8 +748,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -948,8 +948,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1086,8 +1086,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -1293,8 +1293,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17802687193811353215" + "version": "0.22.6.54827", + "templateHash": "7686888659208772167" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", @@ -1421,8 +1421,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5592009806531122832" + "version": "0.22.6.54827", + "templateHash": "17857562856314258952" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", @@ -1593,8 +1593,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14857884899377443071" + "version": "0.22.6.54827", + "templateHash": "7606881916546008936" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -1930,8 +1930,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2160985780685831754" + "version": "0.22.6.54827", + "templateHash": "394166978572431989" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", 
@@ -2096,8 +2096,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2613657638807054807" + "version": "0.22.6.54827", + "templateHash": "5294108325383402237" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", @@ -2235,8 +2235,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5334204341302869645" + "version": "0.22.6.54827", + "templateHash": "3779322696347988040" } }, "parameters": { @@ -2472,8 +2472,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2386001216210231583" + "version": "0.22.6.54827", + "templateHash": "9522240963883457114" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -2692,8 +2692,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14297307444519260355" + "version": "0.22.6.54827", + "templateHash": "10078506011156678451" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -2838,8 +2838,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12515062620278558169" + "version": "0.22.6.54827", + "templateHash": "11207645433031461361" } }, "parameters": { @@ -3076,8 +3076,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1925955822576678061" + "version": "0.22.6.54827", + "templateHash": "2312493242268209495" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", 
@@ -3264,8 +3264,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "9907508200314623520" + "version": "0.22.6.54827", + "templateHash": "16140546698784234048" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -3364,8 +3364,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "256624618142232879" + "version": "0.22.6.54827", + "templateHash": "4094857207316953942" } }, "parameters": { @@ -3599,8 +3599,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18301751490631788521" + "version": "0.22.6.54827", + "templateHash": "922436323351089615" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", @@ -3785,8 +3785,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7147839666884687311" + "version": "0.22.6.54827", + "templateHash": "2215203998686662901" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md index 063b8d60fa..278fea96ea 100644 --- a/modules/storage/storage-account/management-policy/README.md +++ b/modules/storage/storage-account/management-policy/README.md 
@@ -19,26 +19,45 @@ This module deploys a Storage Account Management Policy. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `rules` | array | The Storage Account ManagementPolicies Rules. | +| [`rules`](#parameter-rules) | array | The Storage Account ManagementPolicies Rules. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `rules` + +The Storage Account ManagementPolicies Rules. +- Required: Yes +- Type: array + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed management policy. | | `resourceGroupName` | string | The resource group of the deployed management policy. | 
diff --git a/modules/storage/storage-account/management-policy/main.json b/modules/storage/storage-account/management-policy/main.json index ed8bcbe20d..f559e2b86a 100644 --- a/modules/storage/storage-account/management-policy/main.json +++ b/modules/storage/storage-account/management-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2581396185828179457" + "version": "0.22.6.54827", + "templateHash": "7686888659208772167" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", diff --git a/modules/storage/storage-account/queue-service/README.md b/modules/storage/storage-account/queue-service/README.md index 043a0b7c67..87bfc9c6fe 100644 --- a/modules/storage/storage-account/queue-service/README.md +++ b/modules/storage/storage-account/queue-service/README.md 
@@ -22,28 +22,99 @@ This module deploys a Storage Account Queue Service. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, StorageDelete, StorageRead, StorageWrite]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Transaction]` | `[Transaction]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `queues` | array | `[]` | | Queues to create. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`queues`](#parameter-queues) | array | Queues to create. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Transaction]` +- Allowed: `[Transaction]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of a log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `queues` + +Queues to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed file share service. | | `resourceGroupName` | string | The resource group of the deployed file share service. | diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index 33a2c49f58..54e5c74b40 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3707030790801090324"
+ "version": "0.22.6.54827",
+ "templateHash": "2312493242268209495"
 },
 "name": "Storage Account Queue Services",
 "description": "This module deploys a Storage Account Queue Service.",
@@ -192,8 +192,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "7293459815655804615"
+ "version": "0.22.6.54827",
+ "templateHash": "16140546698784234048"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
@@ -292,8 +292,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "16848435230262465953"
+ "version": "0.22.6.54827",
+ "templateHash": "4094857207316953942"
 }
 },
 "parameters": {
diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md
index e166adc84f..49f5b6d4c5 100644
--- a/modules/storage/storage-account/queue-service/queue/README.md
+++ b/modules/storage/storage-account/queue-service/queue/README.md
@@ -20,28 +20,61 @@ This module deploys a Storage Account Queue. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `metadata` | object | A name-value pair that represents queue metadata. | -| `name` | string | The name of the storage queue to deploy. | +| [`metadata`](#parameter-metadata) | object | A name-value pair that represents queue metadata. | +| [`name`](#parameter-name) | string | The name of the storage queue to deploy. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `metadata` + +A name-value pair that represents queue metadata. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +The name of the storage queue to deploy. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed queue. | | `resourceGroupName` | string | The resource group of the deployed queue. | diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json index 76bb7034e3..f866c3407a 100644 --- a/modules/storage/storage-account/queue-service/queue/main.json +++ b/modules/storage/storage-account/queue-service/queue/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "7293459815655804615"
+ "version": "0.22.6.54827",
+ "templateHash": "16140546698784234048"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
@@ -104,8 +104,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "16848435230262465953"
+ "version": "0.22.6.54827",
+ "templateHash": "4094857207316953942"
 }
 },
 "parameters": {
diff --git a/modules/storage/storage-account/table-service/README.md b/modules/storage/storage-account/table-service/README.md
index 978bb97f0d..9755cafd0b 100644
--- a/modules/storage/storage-account/table-service/README.md
+++ b/modules/storage/storage-account/table-service/README.md
@@ -21,28 +21,99 @@ This module deploys a Storage Account Table Service. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, StorageDelete, StorageRead, StorageWrite]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[Transaction]` | `[Transaction]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `tables` | array | `[]` | | tables to create. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`tables`](#parameter-tables) | array | tables to create. | + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[Transaction]` +- Allowed: `[Transaction]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of a log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `tables` + +tables to create. +- Required: No +- Type: array +- Default: `[]` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed table service. | | `resourceGroupName` | string | The resource group of the deployed table service. | diff --git a/modules/storage/storage-account/table-service/main.json b/modules/storage/storage-account/table-service/main.json index 67a9622a48..eb3354cf6a 100644 --- a/modules/storage/storage-account/table-service/main.json +++ b/modules/storage/storage-account/table-service/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "16178057085724361046"
+ "version": "0.22.6.54827",
+ "templateHash": "922436323351089615"
 },
 "name": "Storage Account Table Services",
 "description": "This module deploys a Storage Account Table Service.",
@@ -190,8 +190,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3732027241762478422"
+ "version": "0.22.6.54827",
+ "templateHash": "2215203998686662901"
 },
 "name": "Storage Account Table",
 "description": "This module deploys a Storage Account Table.",
diff --git a/modules/storage/storage-account/table-service/table/README.md b/modules/storage/storage-account/table-service/table/README.md
index 445120d8b4..4d8bb2da13 100644
--- a/modules/storage/storage-account/table-service/table/README.md
+++ b/modules/storage/storage-account/table-service/table/README.md
@@ -19,26 +19,45 @@ This module deploys a Storage Account Table. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | Name of the table. | +| [`name`](#parameter-name) | string | Name of the table. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `storageAccountName` | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | +| [`storageAccountName`](#parameter-storageaccountname) | string | The name of the parent Storage Account. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +Name of the table. +- Required: Yes +- Type: string + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed file share service. | | `resourceGroupName` | string | The resource group of the deployed file share service. | diff --git a/modules/storage/storage-account/table-service/table/main.json b/modules/storage/storage-account/table-service/table/main.json index 77c0c6ca08..62a6eae7ba 100644 
--- a/modules/storage/storage-account/table-service/table/main.json
+++ b/modules/storage/storage-account/table-service/table/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "3732027241762478422"
+ "version": "0.22.6.54827",
+ "templateHash": "2215203998686662901"
 },
 "name": "Storage Account Table",
 "description": "This module deploys a Storage Account Table.",
diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep
index b34910f326..fd9d7be35d 100644
--- a/modules/synapse/private-link-hub/.test/common/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/synapse/private-link-hub/.test/min/main.test.bicep b/modules/synapse/private-link-hub/.test/min/main.test.bicep
index 2430343f70..6c1e056048 100644
--- a/modules/synapse/private-link-hub/.test/min/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index bdf83ecdca..9a56960925 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -5,10 +5,10 @@ This module deploys an Azure Synapse Analytics (Private Link Hub).
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -20,58 +20,28 @@ This module deploys an Azure Synapse Analytics (Private Link Hub). | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Synapse/privateLinkHubs` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/privateLinkHubs) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Private Link Hub. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | The geo-location where the resource lives. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed Synapse Private Link Hub. 
| -| `resourceGroupName` | string | The resource group of the deployed Synapse Private Link Hub. | -| `resourceId` | string | The resource ID of the deployed Synapse Private Link Hub. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.private-link-hub:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module privateLinkHub './synapse/private-link-hub/main.bicep' = { +module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-splhcom' params: { // Required parameters @@ -191,14 +161,17 @@ module privateLinkHub './synapse/private-link-hub/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module privateLinkHub './synapse/private-link-hub/main.bicep' = { +module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-splhmin' params: { // Required parameters @@ -235,3 +208,90 @@ module privateLinkHub './synapse/private-link-hub/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Private Link Hub. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | The geo-location where the resource lives. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The geo-location where the resource lives. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +The name of the Private Link Hub. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed Synapse Private Link Hub. | +| `resourceGroupName` | string | The resource group of the deployed Synapse Private Link Hub. | +| `resourceId` | string | The resource ID of the deployed Synapse Private Link Hub. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json index 781140dded..0bb44ec6f8 100644 --- a/modules/synapse/private-link-hub/main.json +++ b/modules/synapse/private-link-hub/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18019491569577635414" + "version": "0.22.6.54827", + "templateHash": "691957729768991822" }, "name": "Azure Synapse Analytics", "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", 
@@ -139,8 +139,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6315388244089684837"
+ "version": "0.22.6.54827",
+ "templateHash": "2697027648534286095"
 }
 },
 "parameters": {
@@ -299,8 +299,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -499,8 +499,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -637,8 +637,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep
index f5f4948778..0791962ad8 100644
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/synapse/workspace/.test/min/main.test.bicep b/modules/synapse/workspace/.test/min/main.test.bicep
index 4ac01b80d6..9354fa703e 100644
--- a/modules/synapse/workspace/.test/min/main.test.bicep
+++ b/modules/synapse/workspace/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 3446019c20..dacfa2772f 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -5,10 +5,10 @@ This module deploys a Synapse Workspace.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -24,94 +24,31 @@ This module deploys a Synapse Workspace. | `Microsoft.Synapse/workspaces/integrationRuntimes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/integrationRuntimes) | | `Microsoft.Synapse/workspaces/keys` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `defaultDataLakeStorageAccountResourceId` | string | Resource ID of the default ADLS Gen2 storage account. | -| `defaultDataLakeStorageFilesystem` | string | The default ADLS Gen2 file system. | -| `name` | string | The name of the Synapse Workspace. | -| `sqlAdministratorLogin` | string | Login for administrator access to the workspace's SQL pools. | +## Usage examples -**Conditional parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.workspace:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowedAadTenantIdsForLinking` | array | `[]` | | Allowed AAD Tenant IDs For Linking. | -| `azureADOnlyAuthentication` | bool | `False` | | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. 
| -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | -| `cMKUserAssignedIdentityResourceId` | string | `''` | | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | -| `cMKUseSystemAssignedIdentity` | bool | `False` | | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | -| `defaultDataLakeStorageCreateManagedPrivateEndpoint` | bool | `False` | | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, BuiltinSqlReqsEnded, GatewayApiRequests, IntegrationActivityRuns, IntegrationPipelineRuns, IntegrationTriggerRuns, SQLSecurityAuditEvents, SynapseLinkEvent, SynapseRbacOperations]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. 
| -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryption` | bool | `False` | | Double encryption using a customer-managed key. | -| `encryptionActivateWorkspace` | bool | `False` | | Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. | -| `initialWorkspaceAdminObjectID` | string | `''` | | AAD object ID of initial workspace admin. | -| `integrationRuntimes` | array | `[]` | | The Integration Runtimes to create. | -| `linkedAccessCheckOnTargetResource` | bool | `False` | | Linked Access Check On Target Resource. | -| `location` | string | `[resourceGroup().location]` | | The geo-location where the resource lives. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedResourceGroupName` | string | `''` | | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | -| `managedVirtualNetwork` | bool | `False` | | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | -| `preventDataExfiltration` | bool | `False` | | Prevent Data Exfiltration. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable or Disable public network access to workspace. | -| `purviewResourceID` | string | `''` | | Purview Resource ID. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sqlAdministratorLoginPassword` | string | `''` | | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `workspaceRepositoryConfiguration` | object | `{object}` | | Git integration settings. | +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Encrwsai](#example-2-encrwsai) +- [Encrwuai](#example-3-encrwuai) +- [Managedvnet](#example-4-managedvnet) +- [Using only defaults](#example-5-using-only-defaults) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `connectivityEndpoints` | object | The workspace connectivity endpoints. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed Synapse Workspace. | -| `resourceGroupName` | string | The resource group of the deployed Synapse Workspace. | -| `resourceID` | string | The resource ID of the deployed Synapse Workspace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module workspace './synapse/workspace/main.bicep' = { +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-swcom' params: { // Required parameters @@ -281,14 +218,14 @@ module workspace './synapse/workspace/main.bicep' = {

-

Example 2: Encrwsai

+### Example 2: _Encrwsai_
via Bicep module ```bicep -module workspace './synapse/workspace/main.bicep' = { +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-swensa' params: { // Required parameters @@ -358,14 +295,14 @@ module workspace './synapse/workspace/main.bicep' = {

-

Example 3: Encrwuai

+### Example 3: _Encrwuai_
via Bicep module ```bicep -module workspace './synapse/workspace/main.bicep' = { +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-swenua' params: { // Required parameters @@ -443,14 +380,14 @@ module workspace './synapse/workspace/main.bicep' = {

-

Example 4: Managedvnet

+### Example 4: _Managedvnet_
via Bicep module ```bicep -module workspace './synapse/workspace/main.bicep' = { +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-swmanv' params: { // Required parameters @@ -528,14 +465,17 @@ module workspace './synapse/workspace/main.bicep' = {

-

Example 5: Min

+### Example 5: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module workspace './synapse/workspace/main.bicep' = { +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-swmin' params: { // Required parameters @@ -584,3 +524,328 @@ module workspace './synapse/workspace/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`defaultDataLakeStorageAccountResourceId`](#parameter-defaultdatalakestorageaccountresourceid) | string | Resource ID of the default ADLS Gen2 storage account. | +| [`defaultDataLakeStorageFilesystem`](#parameter-defaultdatalakestoragefilesystem) | string | The default ADLS Gen2 file system. | +| [`name`](#parameter-name) | string | The name of the Synapse Workspace. | +| [`sqlAdministratorLogin`](#parameter-sqladministratorlogin) | string | Login for administrator access to the workspace's SQL pools. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowedAadTenantIdsForLinking`](#parameter-allowedaadtenantidsforlinking) | array | Allowed AAD Tenant IDs For Linking. | +| [`azureADOnlyAuthentication`](#parameter-azureadonlyauthentication) | bool | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | +| [`cMKUseSystemAssignedIdentity`](#parameter-cmkusesystemassignedidentity) | bool | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. 
| +| [`defaultDataLakeStorageCreateManagedPrivateEndpoint`](#parameter-defaultdatalakestoragecreatemanagedprivateendpoint) | bool | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`encryption`](#parameter-encryption) | bool | Double encryption using a customer-managed key. 
| +| [`encryptionActivateWorkspace`](#parameter-encryptionactivateworkspace) | bool | Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. | +| [`initialWorkspaceAdminObjectID`](#parameter-initialworkspaceadminobjectid) | string | AAD object ID of initial workspace admin. | +| [`integrationRuntimes`](#parameter-integrationruntimes) | array | The Integration Runtimes to create. | +| [`linkedAccessCheckOnTargetResource`](#parameter-linkedaccesscheckontargetresource) | bool | Linked Access Check On Target Resource. | +| [`location`](#parameter-location) | string | The geo-location where the resource lives. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | +| [`managedVirtualNetwork`](#parameter-managedvirtualnetwork) | bool | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | +| [`preventDataExfiltration`](#parameter-preventdataexfiltration) | bool | Prevent Data Exfiltration. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Enable or Disable public network access to workspace. | +| [`purviewResourceID`](#parameter-purviewresourceid) | string | Purview Resource ID. 
| +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | + +### Parameter: `allowedAadTenantIdsForLinking` + +Allowed AAD Tenant IDs For Linking. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `azureADOnlyAuthentication` + +Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUseSystemAssignedIdentity` + +Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `defaultDataLakeStorageAccountResourceId` + +Resource ID of the default ADLS Gen2 storage account. +- Required: Yes +- Type: string + +### Parameter: `defaultDataLakeStorageCreateManagedPrivateEndpoint` + +Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `defaultDataLakeStorageFilesystem` + +The default ADLS Gen2 file system. +- Required: Yes +- Type: string + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, BuiltinSqlReqsEnded, GatewayApiRequests, IntegrationActivityRuns, IntegrationPipelineRuns, IntegrationTriggerRuns, SQLSecurityAuditEvents, SynapseLinkEvent, SynapseRbacOperations]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `encryption` + +Double encryption using a customer-managed key. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `encryptionActivateWorkspace` + +Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `initialWorkspaceAdminObjectID` + +AAD object ID of initial workspace admin. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `integrationRuntimes` + +The Integration Runtimes to create. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `linkedAccessCheckOnTargetResource` + +Linked Access Check On Target Resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `location` + +The geo-location where the resource lives. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedResourceGroupName` + +Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. 
Note that the name cannot end with '.'. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `managedVirtualNetwork` + +Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `name` + +The name of the Synapse Workspace. +- Required: Yes +- Type: string + +### Parameter: `preventDataExfiltration` + +Prevent Data Exfiltration. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Enable or Disable public network access to workspace. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `purviewResourceID` + +Purview Resource ID. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sqlAdministratorLogin` + +Login for administrator access to the workspace's SQL pools. +- Required: Yes +- Type: string + +### Parameter: `sqlAdministratorLoginPassword` + +Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workspaceRepositoryConfiguration` + +Git integration settings. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `connectivityEndpoints` | object | The workspace connectivity endpoints. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the deployed Synapse Workspace. | +| `resourceGroupName` | string | The resource group of the deployed Synapse Workspace. | +| `resourceID` | string | The resource ID of the deployed Synapse Workspace. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/synapse/workspace/integration-runtime/README.md b/modules/synapse/workspace/integration-runtime/README.md index 8f755fea09..584577e12b 100644 --- a/modules/synapse/workspace/integration-runtime/README.md +++ b/modules/synapse/workspace/integration-runtime/README.md 
@@ -19,28 +19,61 @@ This module deploys a Synapse Workspace Integration Runtime. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | The name of the Integration Runtime. | -| `type` | string | `[Managed, SelfHosted]` | The type of Integration Runtime. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the Integration Runtime. | +| [`type`](#parameter-type) | string | The type of Integration Runtime. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `typeProperties` | object | Integration Runtime type properties. Required if type is "Managed". | -| `workspaceName` | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | +| [`typeProperties`](#parameter-typeproperties) | object | Integration Runtime type properties. Required if type is "Managed". | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The name of the Integration Runtime. +- Required: Yes +- Type: string + +### Parameter: `type` + +The type of Integration Runtime. 
+- Required: Yes +- Type: string +- Allowed: `[Managed, SelfHosted]` + +### Parameter: `typeProperties` + +Integration Runtime type properties. Required if type is "Managed". +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `workspaceName` + +The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the Integration Runtime. | | `resourceGroupName` | string | The name of the Resource Group the Integration Runtime was created in. | diff --git a/modules/synapse/workspace/integration-runtime/main.json b/modules/synapse/workspace/integration-runtime/main.json index 758aa10c62..c5f4521231 100644 --- a/modules/synapse/workspace/integration-runtime/main.json +++ b/modules/synapse/workspace/integration-runtime/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3836470848906868544" + "version": "0.22.6.54827", + "templateHash": "3121962670071772951" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index f540c885ba..59e663a007 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md 
@@ -19,29 +19,68 @@ This module deploys a Synapse Workspaces Key. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `isActiveCMK` | bool | Used to activate the workspace after a customer managed key is provided. | -| `name` | string | Encryption key name. | +| [`isActiveCMK`](#parameter-isactivecmk) | bool | Used to activate the workspace after a customer managed key is provided. | +| [`name`](#parameter-name) | string | Encryption key name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `workspaceName` | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `keyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. | -| `location` | string | `[resourceGroup().location]` | The geo-location where the resource lives. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`location`](#parameter-location) | string | The geo-location where the resource lives. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `isActiveCMK` + +Used to activate the workspace after a customer managed key is provided. +- Required: Yes +- Type: bool + +### Parameter: `keyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `location` + +The geo-location where the resource lives. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Encryption key name. +- Required: Yes +- Type: string + +### Parameter: `workspaceName` + +The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the deployed key. | | `resourceGroupName` | string | The resource group of the deployed key. | diff --git a/modules/synapse/workspace/key/main.json b/modules/synapse/workspace/key/main.json index 95d5cd7e00..7000d1e035 100644 --- a/modules/synapse/workspace/key/main.json +++ b/modules/synapse/workspace/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11818706446850681387" + "version": "0.22.6.54827", + "templateHash": "14713531383006172248" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index bc6309b583..0642e4d17a 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16715469261263670474" + "version": "0.22.6.54827", + "templateHash": "14937890692678451468" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", @@ -413,8 +413,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8201597103818743595" + "version": "0.22.6.54827", + "templateHash": "3121962670071772951" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", @@ -532,8 +532,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "17608936971543596719" + "version": "0.22.6.54827", + "templateHash": "7188161900918132964" } }, "parameters": { @@ -619,8 +619,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2656188060474374649" + "version": "0.22.6.54827", + "templateHash": "14713531383006172248" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", @@ -752,8 +752,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "5709952380943553719" + "version": "0.22.6.54827", + "templateHash": "14152899593799062400" } }, "parameters": { @@ -852,8 +852,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1052,8 +1052,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1190,8 +1190,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep index d3e92ca621..87d86aad95 100644 --- a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep +++ b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep b/modules/virtual-machine-images/image-template/.test/min/main.test.bicep index 04594dbef8..491e1f25c6 100644 --- a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep +++ b/modules/virtual-machine-images/image-template/.test/min/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + // ========== // // Parameters // // ========== // diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 727825a17e..a06d6c5360 100644 --- a/modules/virtual-machine-images/image-template/README.md 
+++ b/modules/virtual-machine-images/image-template/README.md @@ -4,14 +4,14 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -19,78 +19,28 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.VirtualMachineImages/imageTemplates` | [2022-02-14](https://learn.microsoft.com/en-us/azure/templates/Microsoft.VirtualMachineImages/2022-02-14/imageTemplates) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `customizationSteps` | array | Customization steps to be run when building the VM image. | -| `imageSource` | object | Image source definition in object format. | -| `name` | string | Name prefix of the Image Template to be built by the Azure Image Builder service. | -| `userMsiName` | string | Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `buildTimeoutInMinutes` | int | `0` | | Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `excludeFromLatest` | bool | `False` | | Exclude the created Azure Compute Gallery image version from the latest. | -| `imageReplicationRegions` | array | `[]` | | List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `managedImageName` | string | `''` | | Name of the managed image that will be created in the AIB resourcegroup. 
| -| `osDiskSizeGB` | int | `128` | | Specifies the size of OS disk. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sigImageDefinitionId` | string | `''` | | Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. | -| `sigImageVersion` | string | `''` | | Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). | -| `stagingResourceGroup` | string | `''` | | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. | -| `storageAccountType` | string | `'Standard_LRS'` | `[Standard_LRS, Standard_ZRS]` | Storage account type to be used to store the image in the Azure Compute Gallery. | -| `subnetId` | string | `''` | | Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `unManagedImageName` | string | `''` | | Name of the unmanaged image that will be created in the AIB resourcegroup. | -| `userAssignedIdentities` | array | `[]` | | List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. | -| `userMsiResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the user assigned identity. | -| `vmSize` | string | `'Standard_D2s_v3'` | | Specifies the size for the VM. | - -**Generated parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `baseTime` | string | `[utcNow('yyyy-MM-dd-HH-mm-ss')]` | Do not provide a value! This date value is used to generate a unique image template name. | - - -## Outputs +## Usage examples -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The full name of the deployed image template. | -| `namePrefix` | string | The prefix of the image template name provided as input. | -| `resourceGroupName` | string | The resource group the image template was deployed into. | -| `resourceId` | string | The resource ID of the image template. | -| `runThisCommand` | string | The command to run in order to trigger the image build. | +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/virtual-machine-images.image-template:1.0.0`. 
-## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { +module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-vmiitcom' params: { // Required parameters @@ -250,14 +200,17 @@ module imageTemplate './virtual-machine-images/image-template/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module imageTemplate './virtual-machine-images/image-template/main.bicep' = { +module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-vmiitmin' params: { // Required parameters @@ -338,6 +291,229 @@ module imageTemplate './virtual-machine-images/image-template/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customizationSteps`](#parameter-customizationsteps) | array | Customization steps to be run when building the VM image. | +| [`imageSource`](#parameter-imagesource) | object | Image source definition in object format. | +| [`name`](#parameter-name) | string | Name prefix of the Image Template to be built by the Azure Image Builder service. | +| [`userMsiName`](#parameter-usermsiname) | string | Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`buildTimeoutInMinutes`](#parameter-buildtimeoutinminutes) | int | Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`excludeFromLatest`](#parameter-excludefromlatest) | bool | Exclude the created Azure Compute Gallery image version from the latest. | +| [`imageReplicationRegions`](#parameter-imagereplicationregions) | array | List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`managedImageName`](#parameter-managedimagename) | string | Name of the managed image that will be created in the AIB resourcegroup. | +| [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sigImageDefinitionId`](#parameter-sigimagedefinitionid) | string | Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. | +| [`sigImageVersion`](#parameter-sigimageversion) | string | Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). | +| [`stagingResourceGroup`](#parameter-stagingresourcegroup) | string | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. | +| [`storageAccountType`](#parameter-storageaccounttype) | string | Storage account type to be used to store the image in the Azure Compute Gallery. | +| [`subnetId`](#parameter-subnetid) | string | Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`unManagedImageName`](#parameter-unmanagedimagename) | string | Name of the unmanaged image that will be created in the AIB resourcegroup. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | array | List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. | +| [`userMsiResourceGroup`](#parameter-usermsiresourcegroup) | string | Resource group of the user assigned identity. | +| [`vmSize`](#parameter-vmsize) | string | Specifies the size for the VM. | + +**Generated parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a unique image template name. | + +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a unique image template name. +- Required: No +- Type: string +- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` + +### Parameter: `buildTimeoutInMinutes` + +Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `customizationSteps` + +Customization steps to be run when building the VM image. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `excludeFromLatest` + +Exclude the created Azure Compute Gallery image version from the latest. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `imageReplicationRegions` + +List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `imageSource` + +Image source definition in object format. +- Required: Yes +- Type: object + +### Parameter: `location` + +Location for all resources. 
+- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `managedImageName` + +Name of the managed image that will be created in the AIB resourcegroup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `name` + +Name prefix of the Image Template to be built by the Azure Image Builder service. +- Required: Yes +- Type: string + +### Parameter: `osDiskSizeGB` + +Specifies the size of OS disk. +- Required: No +- Type: int +- Default: `128` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sigImageDefinitionId` + +Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sigImageVersion` + +Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). +- Required: No +- Type: string +- Default: `''` + +### Parameter: `stagingResourceGroup` + +Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageAccountType` + +Storage account type to be used to store the image in the Azure Compute Gallery. +- Required: No +- Type: string +- Default: `'Standard_LRS'` +- Allowed: `[Standard_LRS, Standard_ZRS]` + +### Parameter: `subnetId` + +Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `unManagedImageName` + +Name of the unmanaged image that will be created in the AIB resourcegroup. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `userAssignedIdentities` + +List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `userMsiName` + +Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. +- Required: Yes +- Type: string + +### Parameter: `userMsiResourceGroup` + +Resource group of the user assigned identity. +- Required: No +- Type: string +- Default: `[resourceGroup().name]` + +### Parameter: `vmSize` + +Specifies the size for the VM. +- Required: No +- Type: string +- Default: `'Standard_D2s_v3'` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The full name of the deployed image template. | +| `namePrefix` | string | The prefix of the image template name provided as input. | +| `resourceGroupName` | string | The resource group the image template was deployed into. | +| `resourceId` | string | The resource ID of the image template. | +| `runThisCommand` | string | The command to run in order to trigger the image build. | + +## Cross-referenced modules + +_None_ + ## Notes ### Parameter Usage: `imageSource` diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json index e2212ceb0b..0905d7ecbb 100644 --- a/modules/virtual-machine-images/image-template/main.json +++ b/modules/virtual-machine-images/image-template/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13466746733111552709" + "version": "0.22.6.54827", + "templateHash": "2649219392883054229" }, "name": "Virtual Machine Image Templates", "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", @@ -337,8 +337,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "675387888330318413" + "version": "0.22.6.54827", + "templateHash": "14467994353590988540" } }, "parameters": { diff --git a/modules/web/connection/.test/common/main.test.bicep b/modules/web/connection/.test/common/main.test.bicep index d9be8f90e4..0491801800 100644 --- a/modules/web/connection/.test/common/main.test.bicep +++ b/modules/web/connection/.test/common/main.test.bicep @@ -1,5 +1,8 @@ targetScope = 'subscription' +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + // ========== // // Parameters // // ========== // diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 4353443b6b..930a3eee78 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -4,13 +4,13 @@ This module deploys an Azure API Connection. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -18,60 +18,27 @@ This module deploys an Azure API Connection. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Web/connections` | [2016-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2016-06-01/connections) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `displayName` | string | Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | -| `name` | string | Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `api` | object | `{object}` | | Specific values for some API connections. | -| `customParameterValues` | object | `{object}` | | Customized parameter values for specific connections. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location of the deployment. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `nonSecretParameterValues` | object | `{object}` | | Dictionary of nonsecret parameter values. | -| `parameterValues` | secureObject | `{object}` | | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `statuses` | array | `[]` | | Status of the connection. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `testLinks` | array | `[]` | | Links to test the API connection. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the connection. | -| `resourceGroupName` | string | The resource group the connection was deployed into. | -| `resourceId` | string | The resource ID of the connection. | - -## Cross-referenced modules +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -_None_ +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.connection:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module connection './web/connection/main.bicep' = { +module connection 'br:bicep/modules/web.connection:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wccom' params: { // Required parameters @@ -156,3 +123,133 @@ module connection './web/connection/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`displayName`](#parameter-displayname) | string | Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | +| [`name`](#parameter-name) | string | Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`api`](#parameter-api) | object | Specific values for some API connections. | +| [`customParameterValues`](#parameter-customparametervalues) | object | Customized parameter values for specific connections. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location of the deployment. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`nonSecretParameterValues`](#parameter-nonsecretparametervalues) | object | Dictionary of nonsecret parameter values. | +| [`parameterValues`](#parameter-parametervalues) | secureObject | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`statuses`](#parameter-statuses) | array | Status of the connection. | +| [`tags`](#parameter-tags) | object | Tags of the resource. 
| +| [`testLinks`](#parameter-testlinks) | array | Links to test the API connection. | + +### Parameter: `api` + +Specific values for some API connections. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `customParameterValues` + +Customized parameter values for specific connections. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `displayName` + +Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location of the deployment. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. +- Required: Yes +- Type: string + +### Parameter: `nonSecretParameterValues` + +Dictionary of nonsecret parameter values. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `parameterValues` + +Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `statuses` + +Status of the connection. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `testLinks` + +Links to test the API connection. +- Required: No +- Type: array +- Default: `[]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the connection. | +| `resourceGroupName` | string | The resource group the connection was deployed into. | +| `resourceId` | string | The resource ID of the connection. | + +## Cross-referenced modules + +_None_ diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json index fcc7401247..46f8e7e722 100644 --- a/modules/web/connection/main.json +++ b/modules/web/connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8124229126186371962" + "version": "0.22.6.54827", + "templateHash": "1868688579888274089" }, "name": "API Connections", "description": "This module deploys an Azure API Connection.", @@ -186,8 +186,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16133609981398716025" + "version": "0.22.6.54827", + "templateHash": "4656118963929706650" } }, "parameters": { diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index dd8fac9921..277ad756dd 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md 
@@ -4,13 +4,13 @@ This module deploys an App Service Environment. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -20,85 +20,25 @@ This module deploys an App Service Environment. | `Microsoft.Web/hostingEnvironments` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/hostingEnvironments) | | `Microsoft.Web/hostingEnvironments/configurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the App Service Environment. | -| `subnetResourceId` | string | ResourceId for the subnet. | - -**Conditional parameters** - -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `customDnsSuffixCertificateUrl` | string | `''` | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | -| `customDnsSuffixKeyVaultReferenceIdentity` | string | `''` | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowNewPrivateEndpointConnections` | bool | `False` | | Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. | -| `clusterSettings` | array | `[System.Management.Automation.OrderedHashtable]` | | Custom settings for changing the behavior of the App Service Environment. | -| `customDnsSuffix` | string | `''` | | Enable the default custom domain suffix to use for all sites deployed on the ASE. 
If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. | -| `dedicatedHostCount` | int | `0` | | The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[allLogs]` | `['', allLogs, AppServiceEnvironmentPlatformLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `dnsSuffix` | string | `''` | | DNS suffix of the App Service Environment. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `frontEndScaleFactor` | int | `15` | | Scale factor for frontends. | -| `ftpEnabled` | bool | `False` | | Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. | -| `inboundIpAddressOverride` | string | `''` | | Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2. 
| -| `internalLoadBalancingMode` | string | `'None'` | `[None, Publishing, Web, Web, Publishing]` | Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address. | -| `ipsslAddressCount` | int | `0` | | Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. | -| `kind` | string | `'ASEv3'` | `[ASEv2, ASEv3]` | Kind of resource. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `multiSize` | string | `''` | `['', ExtraLarge, Large, Medium, Standard_D1_V2, Standard_D2, Standard_D2_V2, Standard_D3, Standard_D3_V2, Standard_D4, Standard_D4_V2]` | Frontend VM size. Cannot be used when kind is set to ASEv3. | -| `remoteDebugEnabled` | bool | `False` | | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Resource tags. | -| `upgradePreference` | string | `'None'` | `[Early, Late, Manual, None]` | Specify preference for when and how the planned maintenance is applied. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. 
| -| `userWhitelistedIpRanges` | array | `[]` | | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | -| `zoneRedundant` | bool | `False` | | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | - +## Usage examples -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the App Service Environment. | -| `resourceGroupName` | string | The resource group the App Service Environment was deployed into. | -| `resourceId` | string | The resource ID of the App Service Environment. | - -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -_None_ - -## Deployment examples +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.hosting-environment:1.0.0`. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +- [Asev2](#example-1-asev2) +- [Asev3](#example-2-asev3) -

Example 1: Asev2

+### Example 1: _Asev2_
via Bicep module ```bicep -module hostingEnvironment './web/hosting-environment/main.bicep' = { +module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-whasev2' params: { // Required parameters @@ -234,14 +174,14 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

-

Example 2: Asev3

+### Example 2: _Asev3_
via Bicep module ```bicep -module hostingEnvironment './web/hosting-environment/main.bicep' = { +module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-whasev3' params: { // Required parameters @@ -400,3 +340,303 @@ module hostingEnvironment './web/hosting-environment/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the App Service Environment. | +| [`subnetResourceId`](#parameter-subnetresourceid) | string | ResourceId for the subnet. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`customDnsSuffixCertificateUrl`](#parameter-customdnssuffixcertificateurl) | string | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | +| [`customDnsSuffixKeyVaultReferenceIdentity`](#parameter-customdnssuffixkeyvaultreferenceidentity) | string | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowNewPrivateEndpointConnections`](#parameter-allownewprivateendpointconnections) | bool | Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. | +| [`clusterSettings`](#parameter-clustersettings) | array | Custom settings for changing the behavior of the App Service Environment. | +| [`customDnsSuffix`](#parameter-customdnssuffix) | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. | +| [`dedicatedHostCount`](#parameter-dedicatedhostcount) | int | The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. 
Cannot be used when kind is set to ASEv2. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix of the App Service Environment. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`frontEndScaleFactor`](#parameter-frontendscalefactor) | int | Scale factor for frontends. | +| [`ftpEnabled`](#parameter-ftpenabled) | bool | Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. | +| [`inboundIpAddressOverride`](#parameter-inboundipaddressoverride) | string | Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2. 
| +| [`internalLoadBalancingMode`](#parameter-internalloadbalancingmode) | string | Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address. | +| [`ipsslAddressCount`](#parameter-ipssladdresscount) | int | Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. | +| [`kind`](#parameter-kind) | string | Kind of resource. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. | +| [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Resource tags. | +| [`upgradePreference`](#parameter-upgradepreference) | string | Specify preference for when and how the planned maintenance is applied. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. 
Cannot be used with 'kind' `ASEv3`. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | + +### Parameter: `allowNewPrivateEndpointConnections` + +Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `clusterSettings` + +Custom settings for changing the behavior of the App Service Environment. +- Required: No +- Type: array +- Default: `[System.Management.Automation.OrderedHashtable]` + +### Parameter: `customDnsSuffix` + +Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `customDnsSuffixCertificateUrl` + +The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `customDnsSuffixKeyVaultReferenceIdentity` + +The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dedicatedHostCount` + +The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2. 
+- Required: No +- Type: int +- Default: `0` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +- Required: No +- Type: array +- Default: `[allLogs]` +- Allowed: `['', allLogs, AppServiceEnvironmentPlatformLogs]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of the diagnostic log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dnsSuffix` + +DNS suffix of the App Service Environment. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `frontEndScaleFactor` + +Scale factor for frontends. +- Required: No +- Type: int +- Default: `15` + +### Parameter: `ftpEnabled` + +Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `inboundIpAddressOverride` + +Customer provided Inbound IP Address. 
Only able to be set on Ase create. Ignored when kind is set to ASEv2. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `internalLoadBalancingMode` + +Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[None, Publishing, Web, Web, Publishing]` + +### Parameter: `ipsslAddressCount` + +Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `kind` + +Kind of resource. +- Required: No +- Type: string +- Default: `'ASEv3'` +- Allowed: `[ASEv2, ASEv3]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `multiSize` + +Frontend VM size. Cannot be used when kind is set to ASEv3. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', ExtraLarge, Large, Medium, Standard_D1_V2, Standard_D2, Standard_D2_V2, Standard_D3, Standard_D3_V2, Standard_D4, Standard_D4_V2]` + +### Parameter: `name` + +Name of the App Service Environment. +- Required: Yes +- Type: string + +### Parameter: `remoteDebugEnabled` + +Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subnetResourceId` + +ResourceId for the subnet. +- Required: Yes +- Type: string + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Resource tags. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `upgradePreference` + +Specify preference for when and how the planned maintenance is applied. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[Early, Late, Manual, None]` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userWhitelistedIpRanges` + +User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `zoneRedundant` + +Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the App Service Environment. | +| `resourceGroupName` | string | The resource group the App Service Environment was deployed into. | +| `resourceId` | string | The resource ID of the App Service Environment. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/README.md b/modules/web/hosting-environment/configuration--customdnssuffix/README.md
index 674d6e7662..cc00a5bf05 100644
--- a/modules/web/hosting-environment/configuration--customdnssuffix/README.md
+++ b/modules/web/hosting-environment/configuration--customdnssuffix/README.md
@@ -19,28 +19,59 @@ This module deploys a Hosting Environment Custom DNS Suffix Configuration. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `certificateUrl` | string | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. | -| `dnsSuffix` | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. | -| `keyVaultReferenceIdentity` | string | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. | +| [`certificateUrl`](#parameter-certificateurl) | string | The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. | +| [`dnsSuffix`](#parameter-dnssuffix) | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. | +| [`keyVaultReferenceIdentity`](#parameter-keyvaultreferenceidentity) | string | The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hostingEnvironmentName` | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. | +| [`hostingEnvironmentName`](#parameter-hostingenvironmentname) | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + +### Parameter: `certificateUrl` + +The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. +- Required: Yes +- Type: string + +### Parameter: `dnsSuffix` + +Enable the default custom domain suffix to use for all sites deployed on the ASE. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hostingEnvironmentName` + +The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `keyVaultReferenceIdentity` + +The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the configuration. | | `resourceGroupName` | string | The resource group of the deployed configuration. | diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/main.json b/modules/web/hosting-environment/configuration--customdnssuffix/main.json index a09f93e81e..c4d514811f 100644 --- a/modules/web/hosting-environment/configuration--customdnssuffix/main.json +++ b/modules/web/hosting-environment/configuration--customdnssuffix/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.20.4.51522",
- "templateHash": "11788859333407565296"
+ "version": "0.22.6.54827",
+ "templateHash": "10660520916707434118"
 },
 "name": "Hosting Environment Custom DNS Suffix Configuration",
 "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.",
diff --git a/modules/web/hosting-environment/configuration--networking/README.md b/modules/web/hosting-environment/configuration--networking/README.md
index 78c62314cb..9fb9176940 100644
--- a/modules/web/hosting-environment/configuration--networking/README.md
+++ b/modules/web/hosting-environment/configuration--networking/README.md
@@ -19,24 +19,65 @@ This module deploys a Hosting Environment Network Configuration. **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hostingEnvironmentName` | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. | +| [`hostingEnvironmentName`](#parameter-hostingenvironmentname) | string | The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `allowNewPrivateEndpointConnections` | bool | `False` | Property to enable and disable new private endpoint connection creation on ASE. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `ftpEnabled` | bool | `False` | Property to enable and disable FTP on ASEV3. | -| `inboundIpAddressOverride` | string | `''` | Customer provided Inbound IP Address. Only able to be set on Ase create. | -| `remoteDebugEnabled` | bool | `False` | Property to enable and disable Remote Debug on ASEv3. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowNewPrivateEndpointConnections`](#parameter-allownewprivateendpointconnections) | bool | Property to enable and disable new private endpoint connection creation on ASE. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ftpEnabled`](#parameter-ftpenabled) | bool | Property to enable and disable FTP on ASEV3. | +| [`inboundIpAddressOverride`](#parameter-inboundipaddressoverride) | string | Customer provided Inbound IP Address. Only able to be set on Ase create. | +| [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. 
| + +### Parameter: `allowNewPrivateEndpointConnections` + +Property to enable and disable new private endpoint connection creation on ASE. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ftpEnabled` + +Property to enable and disable FTP on ASEV3. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `hostingEnvironmentName` + +The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `inboundIpAddressOverride` + +Customer provided Inbound IP Address. Only able to be set on Ase create. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `remoteDebugEnabled` + +Property to enable and disable Remote Debug on ASEv3. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the configuration. | | `resourceGroupName` | string | The resource group of the deployed configuration. | diff --git a/modules/web/hosting-environment/configuration--networking/main.json b/modules/web/hosting-environment/configuration--networking/main.json index 4ed8ea7eae..0630c14d2c 100644 --- a/modules/web/hosting-environment/configuration--networking/main.json +++ b/modules/web/hosting-environment/configuration--networking/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "16351992787760940933" + "version": "0.22.6.54827", + "templateHash": "5725974299523715311" }, "name": "Hosting Environment Network Configuration", "description": "This module deploys a Hosting Environment Network Configuration.", 
diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json
index 74760aadb6..5c6d2298d8 100644
--- a/modules/web/hosting-environment/main.json
+++ b/modules/web/hosting-environment/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13433747178095563994"
+ "version": "0.22.6.54827",
+ "templateHash": "3036162001475975434"
 },
 "name": "App Service Environments",
 "description": "This module deploys an App Service Environment.",
@@ -412,8 +412,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "11895516864893390983"
+ "version": "0.22.6.54827",
+ "templateHash": "5725974299523715311"
 },
 "name": "Hosting Environment Network Configuration",
 "description": "This module deploys a Hosting Environment Network Configuration.",
@@ -551,8 +551,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15244434465859250047"
+ "version": "0.22.6.54827",
+ "templateHash": "10660520916707434118"
 },
 "name": "Hosting Environment Custom DNS Suffix Configuration",
 "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.",
@@ -680,8 +680,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "17589810269723384288"
+ "version": "0.22.6.54827",
+ "templateHash": "8235504163379537540"
 }
 },
 "parameters": {
diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/.test/common/main.test.bicep
index 0e5d4b233f..3e75d2847a 100644
--- a/modules/web/serverfarm/.test/common/main.test.bicep
+++ b/modules/web/serverfarm/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md
index 52b2606816..ff4421dcd7 100644
--- a/modules/web/serverfarm/README.md
+++ b/modules/web/serverfarm/README.md
@@ -5,10 +5,10 @@ This module deploys an App Service Plan. ## Navigation - [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) ## Resource Types 
@@ -19,68 +19,27 @@ This module deploys an App Service Plan. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Web/serverfarms` | [2021-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/serverfarms) | -## Parameters +## Usage examples -**Required parameters** +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the app service plan to deploy. | -| `sku` | object | Defines the name, tier, size, family and capacity of the App Service Plan. | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -**Optional parameters** +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.serverfarm:1.0.0`. -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appServiceEnvironmentId` | string | `''` | | The Resource ID of the App Service Environment to use for the App Service Plan. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maximumElasticWorkerCount` | int | `1` | | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | -| `perSiteScaling` | bool | `False` | | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serverOS` | string | `'Windows'` | `[Linux, Windows]` | Kind of server OS. | -| `tags` | object | `{object}` | | Tags of the resource. 
| -| `targetWorkerCount` | int | `0` | | Scaling worker count. | -| `targetWorkerSize` | int | `0` | `[0, 1, 2]` | The instance size of the hosting plan (small, medium, or large). | -| `workerTierName` | string | `''` | | Target worker tier assigned to the App Service plan. | -| `zoneRedundant` | bool | `False` | | When true, this App Service Plan will perform availability zone balancing. | +- [Using large parameter set](#example-1-using-large-parameter-set) +### Example 1: _Using large parameter set_ -## Outputs +This instance deploys the module with most of its features enabled. -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the app service plan. | -| `resourceGroupName` | string | The resource group the app service plan was deployed into. | -| `resourceId` | string | The resource ID of the app service plan. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

via Bicep module ```bicep -module serverfarm './web/serverfarm/main.bicep' = { +module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wsfcom' params: { // Required parameters @@ -185,3 +144,200 @@ module serverfarm './web/serverfarm/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the app service plan to deploy. | +| [`sku`](#parameter-sku) | object | Defines the name, tier, size, family and capacity of the App Service Plan. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appServiceEnvironmentId`](#parameter-appserviceenvironmentid) | string | The Resource ID of the App Service Environment to use for the App Service Plan. | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | +| [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serverOS`](#parameter-serveros) | string | Kind of server OS. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`targetWorkerCount`](#parameter-targetworkercount) | int | Scaling worker count. | +| [`targetWorkerSize`](#parameter-targetworkersize) | int | The instance size of the hosting plan (small, medium, or large). | +| [`workerTierName`](#parameter-workertiername) | string | Target worker tier assigned to the App Service plan. | +| [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, this App Service Plan will perform availability zone balancing. | + +### Parameter: `appServiceEnvironmentId` + +The Resource ID of the App Service Environment to use for the App Service Plan. 
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `maximumElasticWorkerCount`
+
+Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan.
+- Required: No
+- Type: int
+- Default: `1`
+
+### Parameter: `name`
+
+The name of the app service plan to deploy.
+- Required: Yes
+- Type: string
+
+### Parameter: `perSiteScaling`
+
+If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `serverOS`
+
+Kind of server OS.
+- Required: No
+- Type: string
+- Default: `'Windows'`
+- Allowed: `[Linux, Windows]`
+
+### Parameter: `sku`
+
+Defines the name, tier, size, family and capacity of the App Service Plan.
+- Required: Yes
+- Type: object
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `targetWorkerCount`
+
+Scaling worker count.
+- Required: No
+- Type: int
+- Default: `0`
+
+### Parameter: `targetWorkerSize`
+
+The instance size of the hosting plan (small, medium, or large).
+- Required: No
+- Type: int
+- Default: `0`
+- Allowed: `[0, 1, 2]`
+
+### Parameter: `workerTierName`
+
+Target worker tier assigned to the App Service plan.
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `zoneRedundant` + +When true, this App Service Plan will perform availability zone balancing. +- Required: No +- Type: bool +- Default: `False` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the app service plan. | +| `resourceGroupName` | string | The resource group the app service plan was deployed into. | +| `resourceId` | string | The resource ID of the app service plan. | + +## Cross-referenced modules + +_None_ diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index 85d6d397ce..b89ace3754 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "10712218641588923205" + "version": "0.22.6.54827", + "templateHash": "1970232317602434102" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", @@ -292,8 +292,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14948974445589608249" + "version": "0.22.6.54827", + "templateHash": "17362454573845910972" } }, "parameters": { diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 7abafc3801..2e79002447 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -4,14 +4,14 @@ This module deploys a Web or Function App. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) -- [Deployment examples](#Deployment-examples) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -30,105 +30,27 @@ This module deploys a Web or Function App. | `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of site to deploy. | -| `name` | string | | Name of the site. | -| `serverFarmResourceId` | string | | The resource ID of the app service plan to use for the site. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appInsightResourceId` | string | `''` | | Resource ID of the app insight to leverage for this resource. | -| `appServiceEnvironmentResourceId` | string | `''` | | The resource ID of the app service environment to use for this resource. | -| `appSettingsKeyValuePairs` | object | `{object}` | | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| `authSettingV2Configuration` | object | `{object}` | | The auth settings V2 configuration. | -| `basicPublishingCredentialsPolicies` | array | `[]` | | The site publishing credential policy names which are associated with the sites. | -| `clientAffinityEnabled` | bool | `True` | | If client affinity is enabled. | -| `clientCertEnabled` | bool | `False` | | To enable client certificate authentication (TLS mutual authentication). | -| `clientCertExclusionPaths` | string | `''` | | Client certificate authentication comma-separated exclusion paths. 
| -| `clientCertMode` | string | `'Optional'` | `[Optional, OptionalInteractiveUser, Required]` | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | -| `cloningInfo` | object | `{object}` | | If specified during app creation, the app is cloned from a source app. | -| `containerSize` | int | `-1` | | Size of the function container. | -| `customDomainVerificationId` | string | `''` | | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | -| `dailyMemoryTimeQuota` | int | `-1` | | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]` | `['', allLogs, AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. 
| -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of log analytics workspace. | -| `enabled` | bool | `True` | | Setting this value to false disables the app (takes the app offline). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `hostNameSslStates` | array | `[]` | | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | -| `httpsOnly` | bool | `True` | | Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. | -| `hybridConnectionRelays` | array | `[]` | | Names of hybrid connection relays to connect app with. | -| `hyperV` | bool | `False` | | Hyper-V sandbox. | -| `keyVaultAccessIdentityResourceId` | string | `''` | | The resource ID of the assigned identity to be used to access a key vault with. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| `redundancyMode` | string | `'None'` | `[ActiveActive, Failover, GeoRedundant, Manual, None]` | Site redundancy mode. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `scmSiteAlsoStopped` | bool | `False` | | Stop SCM (KUDU) site when the app is stopped. | -| `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| `siteConfig` | object | `{object}` | | The site config object. | -| `slots` | array | `[]` | | Configuration for deployment slots for an app. | -| `storageAccountRequired` | bool | `False` | | Checks if Customer provided storage account is required. | -| `storageAccountResourceId` | string | `''` | | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `virtualNetworkSubnetId` | string | `''` | | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | -| `vnetContentShareEnabled` | bool | `False` | | To enable accessing content over virtual network. | -| `vnetImagePullEnabled` | bool | `False` | | To enable pulling image over Virtual Network. | -| `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. 
This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `defaultHostname` | string | Default hostname of the app. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the site. | -| `resourceGroupName` | string | The resource group the site was deployed into. | -| `resourceId` | string | The resource ID of the site. | -| `slotResourceIds` | array | The list of the slot resource ids. | -| `slots` | array | The list of the slots. | -| `slotSystemAssignedPrincipalIds` | array | The principal ID of the system assigned identity of slots. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +## Usage examples -## Cross-referenced modules +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -## Deployment examples +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.site:1.0.0`. -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. 
+- [Functionappcommon](#example-1-functionappcommon) +- [Functionappmin](#example-2-functionappmin) +- [Webappcommon](#example-3-webappcommon) +- [Webappmin](#example-4-webappmin) - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Functionappcommon

+### Example 1: _Functionappcommon_
via Bicep module ```bicep -module site './web/site/main.bicep' = { +module site 'br:bicep/modules/web.site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wsfacom' params: { // Required parameters @@ -440,14 +362,14 @@ module site './web/site/main.bicep' = {

-

Example 2: Functionappmin

+### Example 2: _Functionappmin_
via Bicep module ```bicep -module site './web/site/main.bicep' = { +module site 'br:bicep/modules/web.site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wsfamin' params: { // Required parameters @@ -501,14 +423,14 @@ module site './web/site/main.bicep' = {

-

Example 3: Webappcommon

+### Example 3: _Webappcommon_
via Bicep module ```bicep -module site './web/site/main.bicep' = { +module site 'br:bicep/modules/web.site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wswa' params: { // Required parameters @@ -818,14 +740,14 @@ module site './web/site/main.bicep' = {

-

Example 4: Webappmin

+### Example 4: _Webappmin_
via Bicep module ```bicep -module site './web/site/main.bicep' = { +module site 'br:bicep/modules/web.site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wswamin' params: { // Required parameters @@ -872,6 +794,437 @@ module site './web/site/main.bicep' = {

+## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-kind) | string | Type of site to deploy. | +| [`name`](#parameter-name) | string | Name of the site. | +| [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the site. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | +| [`appServiceEnvironmentResourceId`](#parameter-appserviceenvironmentresourceid) | string | The resource ID of the app service environment to use for this resource. | +| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | +| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | +| [`basicPublishingCredentialsPolicies`](#parameter-basicpublishingcredentialspolicies) | array | The site publishing credential policy names which are associated with the sites. | +| [`clientAffinityEnabled`](#parameter-clientaffinityenabled) | bool | If client affinity is enabled. | +| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | To enable client certificate authentication (TLS mutual authentication). | +| [`clientCertExclusionPaths`](#parameter-clientcertexclusionpaths) | string | Client certificate authentication comma-separated exclusion paths. | +| [`clientCertMode`](#parameter-clientcertmode) | string | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | +| [`cloningInfo`](#parameter-cloninginfo) | object | If specified during app creation, the app is cloned from a source app. | +| [`containerSize`](#parameter-containersize) | int | Size of the function container. | +| [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | +| [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics workspace. 
| +| [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | +| [`httpsOnly`](#parameter-httpsonly) | bool | Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. | +| [`hybridConnectionRelays`](#parameter-hybridconnectionrelays) | array | Names of hybrid connection relays to connect app with. | +| [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | +| [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | +| [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`scmSiteAlsoStopped`](#parameter-scmsitealsostopped) | bool | Stop SCM (KUDU) site when the app is stopped. |
+| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. |
+| [`siteConfig`](#parameter-siteconfig) | object | The site config object. |
+| [`slots`](#parameter-slots) | array | Configuration for deployment slots for an app. |
+| [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. |
+| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. |
+| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
+| [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
+| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. |
+| [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network.
|
+| [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. |
+| [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. |
+
+### Parameter: `appInsightResourceId`
+
+Resource ID of the app insight to leverage for this resource.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `appServiceEnvironmentResourceId`
+
+The resource ID of the app service environment to use for this resource.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `appSettingsKeyValuePairs`
+
+The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `authSettingV2Configuration`
+
+The auth settings V2 configuration.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `basicPublishingCredentialsPolicies`
+
+The site publishing credential policy names which are associated with the sites.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `clientAffinityEnabled`
+
+If client affinity is enabled.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `clientCertEnabled`
+
+To enable client certificate authentication (TLS mutual authentication).
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `clientCertExclusionPaths`
+
+Client certificate authentication comma-separated exclusion paths.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `clientCertMode`
+
+This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
+- Required: No
+- Type: string
+- Default: `'Optional'`
+- Allowed: `[Optional, OptionalInteractiveUser, Required]`
+
+### Parameter: `cloningInfo`
+
+If specified during app creation, the app is cloned from a source app.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `containerSize`
+
+Size of the function container.
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `customDomainVerificationId`
+
+Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `dailyMemoryTimeQuota`
+
+Maximum allowed daily memory-time quota (applicable on dynamic apps only).
+- Required: No
+- Type: int
+- Default: `-1`
+
+### Parameter: `diagnosticEventHubAuthorizationRuleId`
+
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticEventHubName`
+
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticLogCategoriesToEnable`
+
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+- Required: No
+- Type: array
+- Default: `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]`
+- Allowed: `['', allLogs, AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]`
+
+### Parameter: `diagnosticMetricsToEnable`
+
+The name of metrics that will be streamed.
+- Required: No
+- Type: array
+- Default: `[AllMetrics]`
+- Allowed: `[AllMetrics]`
+
+### Parameter: `diagnosticSettingsName`
+
+The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticStorageAccountId`
+
+Resource ID of the diagnostic storage account.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `diagnosticWorkspaceId`
+
+Resource ID of log analytics workspace.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `enabled`
+
+Setting this value to false disables the app (takes the app offline).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `hostNameSslStates`
+
+Hostname SSL states are used to manage the SSL bindings for app's hostnames.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `httpsOnly`
+
+Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests.
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `hybridConnectionRelays`
+
+Names of hybrid connection relays to connect app with.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `hyperV`
+
+Hyper-V sandbox.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `keyVaultAccessIdentityResourceId`
+
+The resource ID of the assigned identity to be used to access a key vault with.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `kind`
+
+Type of site to deploy.
+- Required: Yes
+- Type: string
+- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `lock`
+
+Specify the type of lock.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', CanNotDelete, ReadOnly]`
+
+### Parameter: `name`
+
+Name of the site.
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints`
+
+Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `publicNetworkAccess`
+
+Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Disabled, Enabled]`
+
+### Parameter: `redundancyMode`
+
+Site redundancy mode.
+- Required: No
+- Type: string
+- Default: `'None'`
+- Allowed: `[ActiveActive, Failover, GeoRedundant, Manual, None]`
+
+### Parameter: `roleAssignments`
+
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `scmSiteAlsoStopped`
+
+Stop SCM (KUDU) site when the app is stopped.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `serverFarmResourceId`
+
+The resource ID of the app service plan to use for the site.
+- Required: Yes
+- Type: string
+
+### Parameter: `setAzureWebJobsDashboard`
+
+For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.
+- Required: No
+- Type: bool
+- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]`
+
+### Parameter: `siteConfig`
+
+The site config object.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `slots`
+
+Configuration for deployment slots for an app.
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `storageAccountRequired`
+
+Checks if Customer provided storage account is required.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `storageAccountResourceId`
+
+Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `systemAssignedIdentity`
+
+Enables system assigned managed identity on the resource.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `tags`
+
+Tags of the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `userAssignedIdentities`
+
+The ID(s) to assign to the resource.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `virtualNetworkSubnetId`
+
+Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `vnetContentShareEnabled`
+
+To enable accessing content over virtual network.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `vnetImagePullEnabled`
+
+To enable pulling image over Virtual Network.
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `vnetRouteAllEnabled`
+
+Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.
+- Required: No
+- Type: bool
+- Default: `False`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `defaultHostname` | string | Default hostname of the app. |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the site. |
+| `resourceGroupName` | string | The resource group the site was deployed into. |
+| `resourceId` | string | The resource ID of the site. |
+| `slotResourceIds` | array | The list of the slot resource ids. |
+| `slots` | array | The list of the slots. |
+| `slotSystemAssignedPrincipalIds` | array | The principal ID of the system assigned identity of slots. |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
+
+| Reference | Type |
+| :-- | :-- |
+| `modules/network/private-endpoint` | Local reference |
+
 ## Notes
 ### Parameter Usage: `appSettingsKeyValuePairs`
diff --git a/modules/web/site/basic-publishing-credentials-policy/README.md b/modules/web/site/basic-publishing-credentials-policy/README.md
index 6feeb0be21..e6cfbc594b 100644
--- a/modules/web/site/basic-publishing-credentials-policy/README.md
+++ b/modules/web/site/basic-publishing-credentials-policy/README.md 
@@ -19,27 +19,54 @@ This module deploys a Web Site Basic Publishing Credentials Policy.
 **Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `name` | string | `[ftp, scm]` | The name of the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-name) | string | The name of the resource. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `webAppName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
+| [`webAppName`](#parameter-webappname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | Location for all Resources. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all Resources. |
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `name`
+
+The name of the resource.
+- Required: Yes
+- Type: string
+- Allowed: `[ftp, scm]`
+
+### Parameter: `webAppName`
+
+The name of the parent web site. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the basic publishing credential policy. |
diff --git a/modules/web/site/basic-publishing-credentials-policy/main.json b/modules/web/site/basic-publishing-credentials-policy/main.json
index 91ba685431..fb7d1f7388 100644
--- a/modules/web/site/basic-publishing-credentials-policy/main.json
+++ b/modules/web/site/basic-publishing-credentials-policy/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12641846967338527190" + "version": "0.22.6.54827", + "templateHash": "5305729672150633375" }, "name": "Web Site Basic Publishing Credentials Policies", "description": "This module deploys a Web Site Basic Publishing Credentials Policy.",
diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md
index 3be5e82252..2e08ed883c 100644
--- a/modules/web/site/config--appsettings/README.md
+++ b/modules/web/site/config--appsettings/README.md
@@ -20,30 +20,78 @@ This module deploys a Site App Setting.
 **Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of site to deploy. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-kind) | string | Type of site to deploy. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `appName` | string | The name of the parent site resource. Required if the template is used in a standalone deployment. |
+| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `appInsightResourceId` | string | `''` | Resource ID of the app insight to leverage for this resource. |
-| `appSettingsKeyValuePairs` | object | `{object}` | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. |
-| `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.
|
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. |
+| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. |
+| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. |
+
+### Parameter: `appInsightResourceId`
+
+Resource ID of the app insight to leverage for this resource.
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `appName`
+
+The name of the parent site resource. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `appSettingsKeyValuePairs`
+
+The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING.
+- Required: No
+- Type: object
+- Default: `{object}`
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `kind`
+
+Type of site to deploy.
+- Required: Yes
+- Type: string
+- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]`
+
+### Parameter: `setAzureWebJobsDashboard`
+
+For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons.
+- Required: No
+- Type: bool
+- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]`
+
+### Parameter: `storageAccountResourceId`
+
+Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions.
+- Required: No
+- Type: string
+- Default: `''`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the site config. |
 | `resourceGroupName` | string | The resource group the site config was deployed into. |
diff --git a/modules/web/site/config--appsettings/main.json b/modules/web/site/config--appsettings/main.json
index cef5e418d0..c5bb4f96d9 100644
--- a/modules/web/site/config--appsettings/main.json
+++ b/modules/web/site/config--appsettings/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "113124702348316001" + "version": "0.22.6.54827", + "templateHash": "12140652943143922490" }, "name": "Site App Settings", "description": "This module deploys a Site App Setting.",
diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md
index 94dad58be5..345ad28201 100644
--- a/modules/web/site/config--authsettingsv2/README.md
+++ b/modules/web/site/config--authsettingsv2/README.md
@@ -19,27 +19,53 @@ This module deploys a Site Auth Settings V2 Configuration.
 **Required parameters**
-| Parameter Name | Type | Allowed Values | Description |
-| :-- | :-- | :-- | :-- |
-| `authSettingV2Configuration` | object | | The auth settings V2 configuration. |
-| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of site to deploy. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. |
+| [`kind`](#parameter-kind) | string | Type of site to deploy. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `appName` | string | The name of the parent site resource. Required if the template is used in a standalone deployment. |
+| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+
+### Parameter: `appName`
+
+The name of the parent site resource. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `authSettingV2Configuration`
+
+The auth settings V2 configuration.
+- Required: Yes
+- Type: object
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `kind`
+
+Type of site to deploy.
+- Required: Yes
+- Type: string
+- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the site config. |
 | `resourceGroupName` | string | The resource group the site config was deployed into. |
diff --git a/modules/web/site/config--authsettingsv2/main.json b/modules/web/site/config--authsettingsv2/main.json
index 03425cac80..3ecec714d3 100644
--- a/modules/web/site/config--authsettingsv2/main.json
+++ b/modules/web/site/config--authsettingsv2/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15491598085214996541" + "version": "0.22.6.54827", + "templateHash": "1120403064106188130" }, "name": "Site Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.",
diff --git a/modules/web/site/hybrid-connection-namespace/relay/README.md b/modules/web/site/hybrid-connection-namespace/relay/README.md
index f043a8d416..20be37abae 100644
--- a/modules/web/site/hybrid-connection-namespace/relay/README.md
+++ b/modules/web/site/hybrid-connection-namespace/relay/README.md
@@ -19,28 +19,61 @@ This module deploys a Site Hybrid Connection Namespace Relay.
 **Required parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `hybridConnectionResourceId` | string | The resource ID of the relay namespace hybrid connection. |
+| [`hybridConnectionResourceId`](#parameter-hybridconnectionresourceid) | string | The resource ID of the relay namespace hybrid connection. |
 **Conditional parameters**
-| Parameter Name | Type | Description |
+| Parameter | Type | Description |
 | :-- | :-- | :-- |
-| `appName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
+| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. |
 **Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `location` | string | `[resourceGroup().location]` | Location for all Resources. |
-| `sendKeyName` | string | `'defaultSender'` | Name of the authorization rule send key to use. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`location`](#parameter-location) | string | Location for all Resources. |
+| [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. |
+
+### Parameter: `appName`
+
+The name of the parent web site. Required if the template is used in a standalone deployment.
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `hybridConnectionResourceId`
+
+The resource ID of the relay namespace hybrid connection.
+- Required: Yes
+- Type: string
+
+### Parameter: `location`
+
+Location for all Resources.
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `sendKeyName`
+
+Name of the authorization rule send key to use.
+- Required: No
+- Type: string
+- Default: `'defaultSender'`
 ## Outputs
-| Output Name | Type | Description |
+| Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the hybrid connection relay.. |
 | `resourceGroupName` | string | The name of the resource group the resource was deployed into. |
diff --git a/modules/web/site/hybrid-connection-namespace/relay/main.json b/modules/web/site/hybrid-connection-namespace/relay/main.json
index 2b6535908c..bc3ae19be6 100644
--- a/modules/web/site/hybrid-connection-namespace/relay/main.json
+++ b/modules/web/site/hybrid-connection-namespace/relay/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8921333553708930079" + "version": "0.22.6.54827", + "templateHash": "10458383238656360850" }, "name": "Web/Function Apps Hybrid Connection Relay", "description": "This module deploys a Site Hybrid Connection Namespace Relay.",
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index 26e1779829..af5a3ed4e0 100644
--- a/modules/web/site/main.json
+++ b/modules/web/site/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6298363568449273285" + "version": "0.22.6.54827", + "templateHash": "16969766511662743845" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.",
@@ -544,8 +544,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "113124702348316001" + "version": "0.22.6.54827", + "templateHash": "12140652943143922490" }, "name": "Site App Settings", "description": "This module deploys a Site App Setting.", @@ -689,8 +689,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15491598085214996541" + "version": "0.22.6.54827", + "templateHash": "1120403064106188130" }, "name": "Site Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", @@ -865,8 +865,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7597641242156251930" + "version": "0.22.6.54827", + "templateHash": "14108540523970367707" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1390,8 +1390,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6824589216099571528" + "version": "0.22.6.54827", + "templateHash": "13223616826795830599" }, "name": "Site Slot App Settings", "description": "This module deploys a Site Slot App Setting.", @@ -1544,8 +1544,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15013002348606979820" + "version": "0.22.6.54827", + "templateHash": "16157844933162881953" }, "name": "Site Slot Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", @@ -1677,8 +1677,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1505854425120658866" + "version": "0.22.6.54827", + "templateHash": "11888981629758921842" }, "name": "Web/Function Apps Slot Hybrid Connection Relay", "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", 
@@ -1817,8 +1817,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "18344556157010848654" + "version": "0.22.6.54827", + "templateHash": "12072533589555151999" } }, "parameters": { @@ -1955,8 +1955,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2155,8 +2155,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2293,8 +2293,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { @@ -2547,8 +2547,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "12641846967338527190" + "version": "0.22.6.54827", + "templateHash": "5305729672150633375" }, "name": "Web Site Basic Publishing Credentials Policies", "description": "This module deploys a Web Site Basic Publishing Credentials Policy.", @@ -2678,8 +2678,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "8921333553708930079" + "version": "0.22.6.54827", + "templateHash": "10458383238656360850" }, "name": "Web/Function Apps Hybrid Connection Relay", "description": "This module deploys a Site Hybrid Connection Namespace Relay.", 
@@ -2814,8 +2814,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "7292070864296261914" + "version": "0.22.6.54827", + "templateHash": "8219747135768194918" } }, "parameters": { @@ -2981,8 +2981,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "14580007913383558904" + "version": "0.22.6.54827", + "templateHash": "2884140170473394983" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -3181,8 +3181,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "2469208411936339153" + "version": "0.22.6.54827", + "templateHash": "5610247137574346230" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -3319,8 +3319,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "13032708393704093995" + "version": "0.22.6.54827", + "templateHash": "14351187799927334028" } }, "parameters": { diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index a2c44834f2..f5250fc317 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -4,13 +4,13 @@ This module deploys a Web or Function App Deployment Slot. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -29,70 +29,403 @@ This module deploys a Web or Function App Deployment Slot. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of slot to deploy. | -| `name` | string | | Name of the slot. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-kind) | string | Type of slot to deploy. | +| [`name`](#parameter-name) | string | Name of the slot. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appName` | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | +| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `appInsightResourceId` | string | `''` | | Resource ID of the app insight to leverage for this resource. | -| `appServiceEnvironmentResourceId` | string | `''` | | The resource ID of the app service environment to use for this resource. | -| `appSettingsKeyValuePairs` | object | `{object}` | | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| `authSettingV2Configuration` | object | `{object}` | | The auth settings V2 configuration. | -| `clientAffinityEnabled` | bool | `True` | | If client affinity is enabled. | -| `clientCertEnabled` | bool | `False` | | To enable client certificate authentication (TLS mutual authentication). | -| `clientCertExclusionPaths` | string | `''` | | Client certificate authentication comma-separated exclusion paths. 
| -| `clientCertMode` | string | `'Optional'` | `[Optional, OptionalInteractiveUser, Required]` | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | -| `cloningInfo` | object | `{object}` | | If specified during app creation, the app is cloned from a source app. | -| `containerSize` | int | `-1` | | Size of the function container. | -| `customDomainVerificationId` | string | `''` | | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | -| `dailyMemoryTimeQuota` | int | `-1` | | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]` | `[AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]` | The name of logs that will be streamed. | -| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `diagnosticSettingsName` | string | `''` | | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of log analytics workspace. 
| -| `enabled` | bool | `True` | | Setting this value to false disables the app (takes the app offline). | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `hostNameSslStates` | array | `[]` | | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | -| `httpsOnly` | bool | `True` | | Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. | -| `hybridConnectionRelays` | array | `[]` | | Names of hybrid connection relays to connect app with. | -| `hyperV` | bool | `False` | | Hyper-V sandbox. | -| `keyVaultAccessIdentityResourceId` | string | `''` | | The resource ID of the assigned identity to be used to access a key vault with. | -| `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. | -| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Allow or block all public traffic. | -| `redundancyMode` | string | `'None'` | `[ActiveActive, Failover, GeoRedundant, Manual, None]` | Site redundancy mode. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `serverFarmResourceId` | string | `''` | | The resource ID of the app service plan to use for the slot. | -| `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. 
If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| `siteConfig` | object | `{object}` | | The site config object. | -| `storageAccountRequired` | bool | `False` | | Checks if Customer provided storage account is required. | -| `storageAccountResourceId` | string | `''` | | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `virtualNetworkSubnetId` | string | `''` | | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | -| `vnetContentShareEnabled` | bool | `False` | | To enable accessing content over virtual network. | -| `vnetImagePullEnabled` | bool | `False` | | To enable pulling image over Virtual Network. | -| `vnetRouteAllEnabled` | bool | `False` | | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | +| [`appServiceEnvironmentResourceId`](#parameter-appserviceenvironmentresourceid) | string | The resource ID of the app service environment to use for this resource. 
| +| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | +| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | +| [`clientAffinityEnabled`](#parameter-clientaffinityenabled) | bool | If client affinity is enabled. | +| [`clientCertEnabled`](#parameter-clientcertenabled) | bool | To enable client certificate authentication (TLS mutual authentication). | +| [`clientCertExclusionPaths`](#parameter-clientcertexclusionpaths) | string | Client certificate authentication comma-separated exclusion paths. | +| [`clientCertMode`](#parameter-clientcertmode) | string | This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. | +| [`cloningInfo`](#parameter-cloninginfo) | object | If specified during app creation, the app is cloned from a source app. | +| [`containerSize`](#parameter-containersize) | int | Size of the function container. | +| [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | +| [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | +| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | +| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | +| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | +| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics workspace. | +| [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). 
| +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | +| [`httpsOnly`](#parameter-httpsonly) | bool | Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. | +| [`hybridConnectionRelays`](#parameter-hybridconnectionrelays) | array | Names of hybrid connection relays to connect app with. | +| [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | +| [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | +| [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the slot. | +| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. 
In case you use Application Insights it can make sense to not set it for performance reasons. | +| [`siteConfig`](#parameter-siteconfig) | object | The site config object. | +| [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +| [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | +| [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network. | +| [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | +| [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | + +### Parameter: `appInsightResourceId` + +Resource ID of the app insight to leverage for this resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `appName` + +The name of the parent site resource. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `appServiceEnvironmentResourceId` + +The resource ID of the app service environment to use for this resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `appSettingsKeyValuePairs` + +The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `authSettingV2Configuration` + +The auth settings V2 configuration. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `clientAffinityEnabled` + +If client affinity is enabled. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `clientCertEnabled` + +To enable client certificate authentication (TLS mutual authentication). +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `clientCertExclusionPaths` + +Client certificate authentication comma-separated exclusion paths. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `clientCertMode` + +This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. +- Required: No +- Type: string +- Default: `'Optional'` +- Allowed: `[Optional, OptionalInteractiveUser, Required]` + +### Parameter: `cloningInfo` + +If specified during app creation, the app is cloned from a source app. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `containerSize` + +Size of the function container. +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `customDomainVerificationId` + +Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `dailyMemoryTimeQuota` + +Maximum allowed daily memory-time quota (applicable on dynamic apps only). +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `diagnosticEventHubAuthorizationRuleId` + +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticEventHubName` + +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticLogCategoriesToEnable` + +The name of logs that will be streamed. 
+- Required: No +- Type: array +- Default: `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]` +- Allowed: `[AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]` + +### Parameter: `diagnosticMetricsToEnable` + +The name of metrics that will be streamed. +- Required: No +- Type: array +- Default: `[AllMetrics]` +- Allowed: `[AllMetrics]` + +### Parameter: `diagnosticSettingsName` + +The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticStorageAccountId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `diagnosticWorkspaceId` + +Resource ID of log analytics workspace. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enabled` + +Setting this value to false disables the app (takes the app offline). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hostNameSslStates` + +Hostname SSL states are used to manage the SSL bindings for app's hostnames. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `httpsOnly` + +Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hybridConnectionRelays` + +Names of hybrid connection relays to connect app with. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `hyperV` + +Hyper-V sandbox. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `keyVaultAccessIdentityResourceId` + +The resource ID of the assigned identity to be used to access a key vault with. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `kind` + +Type of slot to deploy. +- Required: Yes +- Type: string +- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the slot. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `publicNetworkAccess` + +Allow or block all public traffic. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', Disabled, Enabled]` + +### Parameter: `redundancyMode` + +Site redundancy mode. +- Required: No +- Type: string +- Default: `'None'` +- Allowed: `[ActiveActive, Failover, GeoRedundant, Manual, None]` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serverFarmResourceId` + +The resource ID of the app service plan to use for the slot. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `setAzureWebJobsDashboard` + +For function apps. 
If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. +- Required: No +- Type: bool +- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` + +### Parameter: `siteConfig` + +The site config object. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `storageAccountRequired` + +Checks if Customer provided storage account is required. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `storageAccountResourceId` + +Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `virtualNetworkSubnetId` + +Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `vnetContentShareEnabled` + +To enable accessing content over virtual network. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `vnetImagePullEnabled` + +To enable pulling image over Virtual Network. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `vnetRouteAllEnabled` + +Virtual Network Route All enabled. 
This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. +- Required: No +- Type: bool +- Default: `False` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the slot. | @@ -106,7 +439,7 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `network/private-endpoint` | Local reference | +| `modules/network/private-endpoint` | Local reference | ## Notes diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index e41825e801..4301a04146 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md 
@@ -20,31 +20,85 @@ This module deploys a Site Slot App Setting. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of slot to deploy. | -| `slotName` | string | | Slot name to be configured. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-kind) | string | Type of slot to deploy. | +| [`slotName`](#parameter-slotname) | string | Slot name to be configured. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appName` | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | +| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `appInsightResourceId` | string | `''` | Resource ID of the app insight to leverage for this resource. | -| `appSettingsKeyValuePairs` | object | `{object}` | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `setAzureWebJobsDashboard` | bool | `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | -| `storageAccountResourceId` | string | `''` | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appInsightResourceId`](#parameter-appinsightresourceid) | string | Resource ID of the app insight to leverage for this resource. | +| [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | + +### Parameter: `appInsightResourceId` + +Resource ID of the app insight to leverage for this resource. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `appName` + +The name of the parent site resource. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `appSettingsKeyValuePairs` + +The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +Type of slot to deploy. 
+- Required: Yes +- Type: string +- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` + +### Parameter: `setAzureWebJobsDashboard` + +For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. +- Required: No +- Type: bool +- Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` + +### Parameter: `slotName` + +Slot name to be configured. +- Required: Yes +- Type: string + +### Parameter: `storageAccountResourceId` + +Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. +- Required: No +- Type: string +- Default: `''` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the slot config. | | `resourceGroupName` | string | The resource group the slot config was deployed into. | diff --git a/modules/web/site/slot/config--appsettings/main.json b/modules/web/site/slot/config--appsettings/main.json index c9f90eb770..c4220e1b9a 100644 --- a/modules/web/site/slot/config--appsettings/main.json +++ b/modules/web/site/slot/config--appsettings/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "6824589216099571528" + "version": "0.22.6.54827", + "templateHash": "13223616826795830599" }, "name": "Site Slot App Settings", "description": "This module deploys a Site Slot App Setting.", diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index ecd2214ba4..f2620b132c 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md 
@@ -19,28 +19,60 @@ This module deploys a Site Auth Settings V2 Configuration. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `authSettingV2Configuration` | object | | The auth settings V2 configuration. | -| `kind` | string | `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` | Type of slot to deploy. | -| `slotName` | string | | Slot name to be configured. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | +| [`kind`](#parameter-kind) | string | Type of slot to deploy. | +| [`slotName`](#parameter-slotname) | string | Slot name to be configured. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appName` | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | +| [`appName`](#parameter-appname) | string | The name of the parent site resource. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | + +### Parameter: `appName` + +The name of the parent site resource. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `authSettingV2Configuration` + +The auth settings V2 configuration. +- Required: Yes +- Type: object + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +Type of slot to deploy. +- Required: Yes +- Type: string +- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` + +### Parameter: `slotName` + +Slot name to be configured. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the slot config. | | `resourceGroupName` | string | The resource group the slot config was deployed into. | diff --git a/modules/web/site/slot/config--authsettingsv2/main.json b/modules/web/site/slot/config--authsettingsv2/main.json index 62d26661ff..bfdb1d3153 100644 --- a/modules/web/site/slot/config--authsettingsv2/main.json +++ b/modules/web/site/slot/config--authsettingsv2/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "15013002348606979820" + "version": "0.22.6.54827", + "templateHash": "16157844933162881953" }, "name": "Site Slot Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md b/modules/web/site/slot/hybrid-connection-namespace/relay/README.md index f99bd3bde4..33b731809b 100644 --- a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md +++ b/modules/web/site/slot/hybrid-connection-namespace/relay/README.md 
@@ -19,29 +19,68 @@ This module deploys a Site Slot Hybrid Connection Namespace Relay. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `hybridConnectionResourceId` | string | The resource ID of the relay namespace hybrid connection. | +| [`hybridConnectionResourceId`](#parameter-hybridconnectionresourceid) | string | The resource ID of the relay namespace hybrid connection. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `appName` | string | The name of the parent web site. Required if the template is used in a standalone deployment. | -| `slotName` | string | The name of the site slot. Required if the template is used in a standalone deployment. | +| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. | +| [`slotName`](#parameter-slotname) | string | The name of the site slot. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all Resources. | -| `sendKeyName` | string | `'defaultSender'` | Name of the authorization rule send key to use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. | + +### Parameter: `appName` + +The name of the parent web site. Required if the template is used in a standalone deployment. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `hybridConnectionResourceId` + +The resource ID of the relay namespace hybrid connection. +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `sendKeyName` + +Name of the authorization rule send key to use. +- Required: No +- Type: string +- Default: `'defaultSender'` + +### Parameter: `slotName` + +The name of the site slot. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the hybrid connection relay.. | | `resourceGroupName` | string | The name of the resource group the resource was deployed into. | diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json b/modules/web/site/slot/hybrid-connection-namespace/relay/main.json index 5d0d08e41c..5381c3268e 100644 --- a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json +++ b/modules/web/site/slot/hybrid-connection-namespace/relay/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "1505854425120658866" + "version": "0.22.6.54827", + "templateHash": "11888981629758921842" }, "name": "Web/Function Apps Slot Hybrid Connection Relay", "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index 6ba8505194..4e604fd935 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "7597641242156251930"
+ "version": "0.22.6.54827",
+ "templateHash": "14108540523970367707"
 },
 "name": "Web/Function App Deployment Slots",
 "description": "This module deploys a Web or Function App Deployment Slot.",
@@ -529,8 +529,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "6824589216099571528"
+ "version": "0.22.6.54827",
+ "templateHash": "13223616826795830599"
 },
 "name": "Site Slot App Settings",
 "description": "This module deploys a Site Slot App Setting.",
@@ -683,8 +683,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "15013002348606979820"
+ "version": "0.22.6.54827",
+ "templateHash": "16157844933162881953"
 },
 "name": "Site Slot Auth Settings V2 Config",
 "description": "This module deploys a Site Auth Settings V2 Configuration.",
@@ -816,8 +816,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "1505854425120658866"
+ "version": "0.22.6.54827",
+ "templateHash": "11888981629758921842"
 },
 "name": "Web/Function Apps Slot Hybrid Connection Relay",
 "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.",
@@ -956,8 +956,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "18344556157010848654"
+ "version": "0.22.6.54827",
+ "templateHash": "12072533589555151999"
 }
 },
 "parameters": {
@@ -1094,8 +1094,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "14580007913383558904"
+ "version": "0.22.6.54827",
+ "templateHash": "2884140170473394983"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1294,8 +1294,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "2469208411936339153"
+ "version": "0.22.6.54827",
+ "templateHash": "5610247137574346230"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -1432,8 +1432,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.21.1.54444",
- "templateHash": "13032708393704093995"
+ "version": "0.22.6.54827",
+ "templateHash": "14351187799927334028"
 }
 },
 "parameters": {
diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep
index 80bb39a5bd..914204e453 100644
--- a/modules/web/static-site/.test/common/main.test.bicep
+++ b/modules/web/static-site/.test/common/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/web/static-site/.test/min/main.test.bicep b/modules/web/static-site/.test/min/main.test.bicep
index 6d9b73c2af..393f828b3a 100644
--- a/modules/web/static-site/.test/min/main.test.bicep
+++ b/modules/web/static-site/.test/min/main.test.bicep
@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
 // ========== //
 // Parameters //
 // ========== //
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index 0e40acc22d..8e0bfb8865 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -5,10 +5,10 @@ This module deploys a Static Web App.
 ## Navigation
 
 - [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
-- [Deployment examples](#Deployment-examples)
 
 ## Resource Types
 
@@ -23,76 +23,28 @@ This module deploys a Static Web App. | `Microsoft.Web/staticSites/customDomains` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/customDomains) | | `Microsoft.Web/staticSites/linkedBackends` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-03-01/staticSites/linkedBackends) | -## Parameters - -**Required parameters** - -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the static site. | - -**Optional parameters** - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `allowConfigFileUpdates` | bool | `True` | | False if config file is locked for this static web app; otherwise, true. | -| `appSettings` | object | `{object}` | | Static site app settings. | -| `branch` | string | `''` | | The branch name of the GitHub repository. | -| `buildProperties` | object | `{object}` | | Build properties for the static site. | -| `customDomains` | array | `[]` | | The custom domains associated with this static site. The deployment will fail as long as the validation records are not present. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enterpriseGradeCdnStatus` | string | `'Disabled'` | `[Disabled, Disabling, Enabled, Enabling]` | State indicating the status of the enterprise grade CDN serving traffic to the static web app. | -| `functionAppSettings` | object | `{object}` | | Function app settings. | -| `linkedBackend` | _[linkedBackend](linked-backend/README.md)_ object | `{object}` | | Object with "resourceId" and "location" of the a user defined function app. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. | -| `provider` | string | `'None'` | | The provider that submitted the last deployment to the primary environment of the static site. | -| `repositoryToken` | securestring | `''` | | The Personal Access Token for accessing the GitHub repository. | -| `repositoryUrl` | string | `''` | | The name of the GitHub repository. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Free'` | `[Free, Standard]` | Type of static site to deploy. | -| `stagingEnvironmentPolicy` | string | `'Enabled'` | `[Disabled, Enabled]` | State indicating whether staging environments are allowed or not allowed for a static web app. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `templateProperties` | object | `{object}` | | Template Options for the static site. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +## Usage examples +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. -## Outputs +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. 
-| Output Name | Type | Description | -| :-- | :-- | :-- | -| `defaultHostname` | string | The default autogenerated hostname for the static site. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the static site. | -| `resourceGroupName` | string | The resource group the static site was deployed into. | -| `resourceId` | string | The resource ID of the static site. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `network/private-endpoint` | Local reference | +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.static-site:1.0.0`. -## Deployment examples +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. +### Example 1: _Using large parameter set_ - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +This instance deploys the module with most of its features enabled. -

Example 1: Common

via Bicep module ```bicep -module staticSite './web/static-site/main.bicep' = { +module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wsscom' params: { // Required parameters @@ -256,14 +208,17 @@ module staticSite './web/static-site/main.bicep' = {

-

Example 2: Min

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +
via Bicep module ```bicep -module staticSite './web/static-site/main.bicep' = { +module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-wssmin' params: { // Required parameters @@ -300,3 +255,223 @@ module staticSite './web/static-site/main.bicep' = {

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the static site. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowConfigFileUpdates`](#parameter-allowconfigfileupdates) | bool | False if config file is locked for this static web app; otherwise, true. | +| [`appSettings`](#parameter-appsettings) | object | Static site app settings. | +| [`branch`](#parameter-branch) | string | The branch name of the GitHub repository. | +| [`buildProperties`](#parameter-buildproperties) | object | Build properties for the static site. | +| [`customDomains`](#parameter-customdomains) | array | The custom domains associated with this static site. The deployment will fail as long as the validation records are not present. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enterpriseGradeCdnStatus`](#parameter-enterprisegradecdnstatus) | string | State indicating the status of the enterprise grade CDN serving traffic to the static web app. | +| [`functionAppSettings`](#parameter-functionappsettings) | object | Function app settings. | +| [`linkedBackend`](#parameter-linkedbackend) | object | Object with "resourceId" and "location" of the a user defined function app. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. | +| [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. 
| +| [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. | +| [`repositoryUrl`](#parameter-repositoryurl) | string | The name of the GitHub repository. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`sku`](#parameter-sku) | string | Type of static site to deploy. | +| [`stagingEnvironmentPolicy`](#parameter-stagingenvironmentpolicy) | string | State indicating whether staging environments are allowed or not allowed for a static web app. | +| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`templateProperties`](#parameter-templateproperties) | object | Template Options for the static site. | +| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | + +### Parameter: `allowConfigFileUpdates` + +False if config file is locked for this static web app; otherwise, true. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `appSettings` + +Static site app settings. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `branch` + +The branch name of the GitHub repository. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `buildProperties` + +Build properties for the static site. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `customDomains` + +The custom domains associated with this static site. 
The deployment will fail as long as the validation records are not present. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enterpriseGradeCdnStatus` + +State indicating the status of the enterprise grade CDN serving traffic to the static web app. +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: `[Disabled, Disabling, Enabled, Enabling]` + +### Parameter: `functionAppSettings` + +Function app settings. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `linkedBackend` + +Object with "resourceId" and "location" of the a user defined function app. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +Specify the type of lock. +- Required: No +- Type: string +- Default: `''` +- Allowed: `['', CanNotDelete, ReadOnly]` + +### Parameter: `name` + +Name of the static site. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints` + +Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `provider` + +The provider that submitted the last deployment to the primary environment of the static site. +- Required: No +- Type: string +- Default: `'None'` + +### Parameter: `repositoryToken` + +The Personal Access Token for accessing the GitHub repository. +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `repositoryUrl` + +The name of the GitHub repository. 
+- Required: No +- Type: string +- Default: `''` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `sku` + +Type of static site to deploy. +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: `[Free, Standard]` + +### Parameter: `stagingEnvironmentPolicy` + +State indicating whether staging environments are allowed or not allowed for a static web app. +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: `[Disabled, Enabled]` + +### Parameter: `systemAssignedIdentity` + +Enables system assigned managed identity on the resource. +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `templateProperties` + +Template Options for the static site. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `userAssignedIdentities` + +The ID(s) to assign to the resource. +- Required: No +- Type: object +- Default: `{object}` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `defaultHostname` | string | The default autogenerated hostname for the static site. | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the static site. | +| `resourceGroupName` | string | The resource group the static site was deployed into. | +| `resourceId` | string | The resource ID of the static site. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. 
| + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `modules/network/private-endpoint` | Local reference | diff --git a/modules/web/static-site/config/README.md b/modules/web/static-site/config/README.md index ca28109abb..ac76bb3933 100644 --- a/modules/web/static-site/config/README.md +++ b/modules/web/static-site/config/README.md 
@@ -19,28 +19,61 @@ This module deploys a Static Web App Site Config. **Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `kind` | string | `[appsettings, functionappsettings]` | Type of settings to apply. | -| `properties` | object | | App settings. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-kind) | string | Type of settings to apply. | +| [`properties`](#parameter-properties) | object | App settings. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `staticSiteName` | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | +| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `kind` + +Type of settings to apply. +- Required: Yes +- Type: string +- Allowed: `[appsettings, functionappsettings]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `properties` + +App settings. 
+- Required: Yes +- Type: object + +### Parameter: `staticSiteName` + +The name of the parent Static Web App. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the config. | | `resourceGroupName` | string | The name of the resource group the config was created in. | diff --git a/modules/web/static-site/config/main.json b/modules/web/static-site/config/main.json index 117377cfd0..e063d1a3c3 100644 --- a/modules/web/static-site/config/main.json +++ b/modules/web/static-site/config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "5981963633647576119" + "version": "0.22.6.54827", + "templateHash": "8340850851413090940" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", diff --git a/modules/web/static-site/custom-domain/README.md b/modules/web/static-site/custom-domain/README.md index cd8472bbfe..f5b55f3ad5 100644 --- a/modules/web/static-site/custom-domain/README.md +++ b/modules/web/static-site/custom-domain/README.md 
@@ -19,28 +19,61 @@ This module deploys a Static Web App Site Custom Domain. **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `name` | string | The custom domain name. | +| [`name`](#parameter-name) | string | The custom domain name. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `staticSiteName` | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | +| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `validationMethod` | string | `'cname-delegation'` | Validation method for adding a custom domain. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`validationMethod`](#parameter-validationmethod) | string | Validation method for adding a custom domain. | + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The custom domain name. +- Required: Yes +- Type: string + +### Parameter: `staticSiteName` + +The name of the parent Static Web App. 
Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `validationMethod` + +Validation method for adding a custom domain. +- Required: No +- Type: string +- Default: `'cname-delegation'` ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the static site custom domain. | | `resourceGroupName` | string | The resource group the static site custom domain was deployed into. | diff --git a/modules/web/static-site/linked-backend/README.md b/modules/web/static-site/linked-backend/README.md index a29d9dbb30..c77db73a84 100644 --- a/modules/web/static-site/linked-backend/README.md +++ b/modules/web/static-site/linked-backend/README.md 
@@ -19,29 +19,69 @@ This module deploys a Custom Function App into a Static Web App Site using the L **Required parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `backendResourceId` | string | The resource ID of the backend linked to the static site. | +| [`backendResourceId`](#parameter-backendresourceid) | string | The resource ID of the backend linked to the static site. | **Conditional parameters** -| Parameter Name | Type | Description | +| Parameter | Type | Description | | :-- | :-- | :-- | -| `staticSiteName` | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | +| [`staticSiteName`](#parameter-staticsitename) | string | The name of the parent Static Web App. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `name` | string | `[uniqueString(parameters('backendResourceId'))]` | Name of the backend to link to the static site. | -| `region` | string | `[resourceGroup().location]` | The region of the backend linked to the static site. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`name`](#parameter-name) | string | Name of the backend to link to the static site. | +| [`region`](#parameter-region) | string | The region of the backend linked to the static site. | + +### Parameter: `backendResourceId` + +The resource ID of the backend linked to the static site. 
+- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +Name of the backend to link to the static site. +- Required: No +- Type: string +- Default: `[uniqueString(parameters('backendResourceId'))]` + +### Parameter: `region` + +The region of the backend linked to the static site. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `staticSiteName` + +The name of the parent Static Web App. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string ## Outputs -| Output Name | Type | Description | +| Output | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the static site linked backend. | | `resourceGroupName` | string | The resource group the static site linked backend was deployed into. | diff --git a/modules/web/static-site/linked-backend/main.json b/modules/web/static-site/linked-backend/main.json index daa994ad65..78a05690f0 100644 --- a/modules/web/static-site/linked-backend/main.json +++ b/modules/web/static-site/linked-backend/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7461352396319136343" + "version": "0.22.6.54827", + "templateHash": "13553590806488370796" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", diff --git a/utilities/pipelines/resourcePublish/Get-PrivateRegistryRepositoryName.ps1 b/utilities/pipelines/resourcePublish/Get-PrivateRegistryRepositoryName.ps1 index 1b4070c6a6..f877fdedfa 100644 
--- a/utilities/pipelines/resourcePublish/Get-PrivateRegistryRepositoryName.ps1 +++ b/utilities/pipelines/resourcePublish/Get-PrivateRegistryRepositoryName.ps1 @@ -33,7 +33,7 @@ function Get-PrivateRegistryRepositoryName { if ($UseApiSpecsAlignedName) { # Load helper script - . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'tools' 'helper' 'Get-SpecsAlignedResourceName.ps1') + . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1') $moduleIdentifier = Get-SpecsAlignedResourceName -ResourceIdentifier $moduleIdentifier } diff --git a/utilities/pipelines/resourcePublish/Get-TemplateSpecsName.ps1 b/utilities/pipelines/resourcePublish/Get-TemplateSpecsName.ps1 index 89777d6308..2ca2ebaba3 100644 --- a/utilities/pipelines/resourcePublish/Get-TemplateSpecsName.ps1 +++ b/utilities/pipelines/resourcePublish/Get-TemplateSpecsName.ps1 @@ -33,7 +33,7 @@ function Get-TemplateSpecsName { if ($UseApiSpecsAlignedName) { # Load helper script - . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'tools' 'helper' 'Get-SpecsAlignedResourceName.ps1') + . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1') $moduleIdentifier = Get-SpecsAlignedResourceName -ResourceIdentifier $moduleIdentifier $moduleIdentifier = $moduleIdentifier -replace 'microsoft', 'ms' } diff --git a/utilities/pipelines/resourcePublish/Get-UniversalArtifactsName.ps1 b/utilities/pipelines/resourcePublish/Get-UniversalArtifactsName.ps1 index 9cc29a5091..d394a8c5a6 100644 --- a/utilities/pipelines/resourcePublish/Get-UniversalArtifactsName.ps1 +++ b/utilities/pipelines/resourcePublish/Get-UniversalArtifactsName.ps1 
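Review bot: The new dot-source line climbs two directories above `resourcePublish` with `(Get-Item -Path $PSScriptRoot).Parent.Parent` and then descends back into `pipelines`, although the script already lives under `utilities/pipelines`; `. (Join-Path (Split-Path $PSScriptRoot -Parent) 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1')` names the same file with one less moving part and matches the `Split-Path $PSScriptRoot -Parent` form this commit uses elsewhere. Because dot-sourcing executes whatever is found at the computed path, a wrong path only surfaces later as a "term not recognized" error on `Get-SpecsAlignedResourceName`; a `Test-Path` guard that throws with the resolved path would make a relocation mistake fail at load time instead. The identical line appears in the Get-TemplateSpecsName.ps1 and Get-UniversalArtifactsName.ps1 hunks. The enclosing functions start before each hunk.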
@@ -35,7 +35,7 @@ function Get-UniversalArtifactsName { if ($UseApiSpecsAlignedName) { # Load helper script - . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'tools' 'helper' 'Get-SpecsAlignedResourceName.ps1') + . (Join-Path (Get-Item -Path $PSScriptRoot).Parent.Parent 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1') $universalPackageModuleName = Get-SpecsAlignedResourceName -ResourceIdentifier $universalPackageModuleName } diff --git a/utilities/pipelines/sharedScripts/Get-LocallyReferencedFileList.ps1 b/utilities/pipelines/sharedScripts/Get-LocallyReferencedFileList.ps1 index 87cd3f2e01..31b6c20a1b 100644 --- a/utilities/pipelines/sharedScripts/Get-LocallyReferencedFileList.ps1 +++ b/utilities/pipelines/sharedScripts/Get-LocallyReferencedFileList.ps1 @@ -9,6 +9,9 @@ That means if module A references module B, which references module C, then all .PARAMETER FilePath Mandatory. The path to the template to investigate. +.PARAMETER TemplateMap +Optional. The hashtable of templatePath-templateContent to search in. Can be provided to speed up runtime. + .EXAMPLE Get-LocallyReferencedFileList -FilePath 'C:/modules/key-vault/vault/main.bicep' 
@@ -18,19 +21,22 @@ function Get-LocallyReferencedFileList { [CmdletBinding()] param ( - [Parameter()] - [string] $FilePath + [Parameter(Mandatory = $true)] + [string] $FilePath, + + [Parameter(Mandatory = $false)] + [hashtable] $TemplateMap = @{} ) $resList = @() - $fileContent = Get-Content $FilePath + $fileContent = ($TemplateMap.Count -gt 0 -and $TemplateMap.Keys -contains $FilePath) ? $TemplateMap[$FilePath] : (Get-Content $FilePath) $resList += $fileContent | Where-Object { $_ -match "^module .+ '(.+.bicep)' .+$" } | ForEach-Object { (Resolve-Path (Join-Path (Split-Path $FilePath) $matches[1])).Path } if ($resList.Count -gt 0) { foreach ($containedFilePath in $resList) { - $resList += Get-LocallyReferencedFileList -FilePath $containedFilePath + $resList += Get-LocallyReferencedFileList -FilePath $containedFilePath -TemplateMap $TemplateMap } } diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 similarity index 78% rename from utilities/tools/Set-ModuleReadMe.ps1 rename to utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index fc1ca2f07c..3d24f83b64 100644 --- a/utilities/tools/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -1,5 +1,4 @@ #requires -version 7.3 -#requires -Modules powershell-yaml <# .SYNOPSIS @@ -44,9 +43,6 @@ function Set-ResourceTypesSection { [string[]] $ResourceTypesToExclude = @('Microsoft.Resources/deployments') ) - # Loading used functions - . (Join-Path (Split-Path $PSScriptRoot -Parent) 'pipelines' 'sharedScripts' 'Get-NestedResourceList.ps1') - # Process content $SectionContent = [System.Collections.ArrayList]@( '| Resource Type | API Version |', 
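Review bot: The template-map lookup on the new `$fileContent` line tests `$TemplateMap.Count -gt 0 -and $TemplateMap.Keys -contains $FilePath`, a linear scan over the keys on every recursive call; `$TemplateMap.ContainsKey($FilePath)` is the hashtable's own O(1) membership test and already covers the empty-map case: `$fileContent = $TemplateMap.ContainsKey($FilePath) ? $TemplateMap[$FilePath] : (Get-Content $FilePath)`. A miss here is silent — a key stored in a different path form than `$FilePath` (relative vs. resolved, different casing) quietly falls back to reading the file from disk, so the `.PARAMETER TemplateMap` help should state the expected key format (presumably the resolved path, since `$resList` holds `(Resolve-Path ...).Path` values). The function's closing lines are outside the hunk.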
@@ -88,7 +84,7 @@ function Set-ResourceTypesSection { # Build result if ($PSCmdlet.ShouldProcess('Original file with new resource type content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'table' + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } return $updatedFileContent } @@ -141,6 +137,18 @@ function Set-ParametersSection { [string[]] $ColumnsInOrder = @('Required', 'Conditional', 'Optional', 'Generated') ) + # Collect sources for parameter usage section + $parameterUsageContentMap = @{} + if (Test-Path (Join-Path $PSScriptRoot 'moduleReadMeSource')) { + if ($resourceUsageSourceFiles = Get-ChildItem (Join-Path $PSScriptRoot 'moduleReadMeSource') -Recurse -Filter 'resourceUsage-*') { + foreach ($sourceFile in $resourceUsageSourceFiles.FullName) { + $parameterName = (Split-Path $sourceFile -LeafBase).Replace('resourceUsage-', '') + + $parameterUsageContentMap[$parameterName] = Get-Content $sourceFile -Raw + } + } + } + # Get all descriptions $descriptions = $TemplateFileContent.parameters.Values.metadata.description 
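Review bot: Dropping the local dot-source of `Get-NestedResourceList.ps1` makes `Set-ResourceTypesSection` depend on its caller having loaded that function first; nothing in the hunk replaces the load, and the rest of the function, where the call would be, is outside the hunk. If the intent is that the script entry point now loads every helper once, a one-line comment at the removal point such as `# Get-NestedResourceList is dot-sourced once by the script entry point` keeps that contract visible to whoever copies this function elsewhere.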
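Review bot: `Get-ChildItem (Join-Path $PSScriptRoot 'moduleReadMeSource') -Recurse -Filter 'resourceUsage-*'` also returns directories whose name matches the filter, and `Get-Content` on a directory then aborts the whole readme run; adding `-File` (`Get-ChildItem ... -Recurse -File -Filter 'resourceUsage-*'`) restricts the match to files. With `-Recurse`, two files sharing a leaf name in different subfolders also collapse into one `$parameterUsageContentMap` key, the later silently overwriting the earlier; if the folder is meant to be flat, dropping `-Recurse` is the simpler fix. Whatever these files contain is inserted into the generated README verbatim via `Get-Content -Raw`, so the folder should be treated as reviewed source rather than a scratch area. The rest of `Set-ParametersSection` continues outside the hunk.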
@@ -152,14 +160,12 @@ function Set-ParametersSection { # Add all others that exist but are not specified in the columnsInOrder parameter $sortedParamCategories += $paramCategories | Where-Object { $ColumnsInOrder -notcontains $_ } - # Collect file information - $currentLevelFolders = Get-ChildItem -Path $currentFolderPath -Directory -Depth 0 - $folderNames = ($null -ne $currentLevelFolders) ? ($currentLevelFolders.FullName | ForEach-Object { Split-Path $_ -Leaf }) : @() - # Add name as property for later reference $TemplateFileContent.parameters.Keys | ForEach-Object { $TemplateFileContent.parameters[$_]['name'] = $_ } $newSectionContent = [System.Collections.ArrayList]@() + $parameterList = @{} + # Create parameter blocks foreach ($category in $sortedParamCategories) { @@ -167,66 +173,191 @@ function Set-ParametersSection { # Filter to relevant items [array] $categoryParameters = $TemplateFileContent.parameters.Values | Where-Object { $_.metadata.description -like "$category. *" } | Sort-Object -Property 'Name' -Culture 'en-US' - # Check properties for later reference - $hasDefault = $categoryParameters.defaultValue.count -gt 0 - $hasAllowed = $categoryParameters.allowedValues.count -gt 0 - - # 2. Create header including optional columns + # 2. Create header including optional columns & initiate the parameter list $newSectionContent += @( ('**{0} parameters**' -f $category), '', - ('| Parameter Name | Type | {0}{1}Description |' -f ($hasDefault ? 'Default Value | ' : ''), ($hasAllowed ? 'Allowed Values | ' : '')), - ('| :-- | :-- | {0}{1}:-- |' -f ($hasDefault ? ':-- | ' : ''), ($hasAllowed ? ':-- | ' : '')) + '| Parameter | Type | Description |', + '| :-- | :-- | :-- |' ) # 3. Add individual parameters foreach ($parameter in $categoryParameters) { - - # Convert parameter name to kebab-case, as that would be the correspondent child module folder to refer to - # (?').Replace("`n", '

') - $allowedValue = ($parameter.allowedValues -is [array]) ? ('[{0}]' -f (($parameter.allowedValues | Sort-Object) -join ', ')) : (($parameter.allowedValues -is [hashtable]) ? '{object}' : $parameter.allowedValues) + $allowedValues = ($rawAllowedValues -is [array]) ? ('[{0}]' -f (($rawAllowedValues | Sort-Object) -join ', ')) : (($rawAllowedValues -is [hashtable]) ? '{object}' : $rawAllowedValues) # Further, replace all "empty string" default values with actual visible quotes - if ([regex]::Match($allowedValue, '^(\[\s*,.+)|(\[.+,\s*,)|(.+,\s*\])$').Captures.Count -gt 0) { - $allowedValue = $allowedValue -replace '\[\s*,', "[''," -replace ',\s*,', ", ''," -replace ',\s*\]', ", '']" + if ([regex]::Match($allowedValues, '^(\[\s*,.+)|(\[.+,\s*,)|(.+,\s*\])$').Captures.Count -gt 0) { + $allowedValues = $allowedValues -replace '\[\s*,', "[''," -replace ',\s*,', ", ''," -replace ',\s*\]', ", '']" } # Update parameter table content based on parameter category ## Remove category from parameter description $description = $description.substring("$category. ".Length) - $defaultValueColumnValue = ($hasDefault ? (-not [String]::IsNullOrEmpty($defaultValue) ? "``$defaultValue`` | " : ' | ') : '') - $allowedValueColumnValue = ($hasAllowed ? (-not [String]::IsNullOrEmpty($allowedValue) ? "``$allowedValue`` | " : ' | ') : '') - $newSectionContent += ('| `{0}` | {1} | {2}{3}{4} |' -f $parameter.name, $type, $defaultValueColumnValue, $allowedValueColumnValue, $description) + $newSectionContent += ('| [`{0}`]({1}) | {2} | {3} |' -f $parameter.name, $paramIdentifier, $type, $description) + + $parameterList += @{ + $paramIdentifier = @( + $paramHeader, + '', + $description, + ('- Required: {0}' -f ($isRequired ? 'Yes' : 'No')), + ('- Type: {0}' -f $type), + ((-not [String]::IsNullOrEmpty($defaultValue)) ? ('- Default: `{0}`' -f $defaultValue) : $null), + ((-not [String]::IsNullOrEmpty($allowedValues)) ? 
('- Allowed: `{0}`' -f $allowedValues) : $null), + '', + (($parameterUsageContentMap.Keys -contains $parameter.name) ? $parameterUsageContentMap[$parameter.name] : $null) + ) | Where-Object { $null -ne $_ } + } + + if (($parameter.Keys -contains '$ref') -or ($parameter.Keys -contains 'items' -and $parameter.items.Keys -contains '$ref')) { + # Has a user-defined type + $identifier = ($parameter.Keys -contains '$ref') ? (Split-Path $parameter.'$ref' -Leaf) : (Split-Path $parameter.items.'$ref' -Leaf) + $definition = $TemplateFileContent.definitions[$identifier] + $properties = ($definition.Keys -contains 'items' ? $definition['items']['properties'] : $definition['properties']) + $parameterList[$paramIdentifier] += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $properties -ParentName $parameter.name -ParentIdentifierLink $paramIdentifier + } } $newSectionContent += '' } + $sortedFlatParamList = [System.Collections.ArrayList]@() + foreach ($key in ($parameterList.Keys | Sort-Object)) { + $sortedFlatParamList += $parameterList[$key] + } + $newSectionContent += $sortedFlatParamList + # Build result if ($PSCmdlet.ShouldProcess('Original file with new parameters content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'none' + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } return $updatedFileContent } +<# +.SYNOPSIS +Update parts of the 'parameters' section of the given readme file, if user defined types are used + +.DESCRIPTION +Adds user defined types to the 'parameters' section of the given readme file + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER Properties +Mandatory. 
Hashtable of the user defined properties + +.PARAMETER ParentName +Mandatory. Name of the parameter, that has the user defined types + +.PARAMETER ParentIdentifierLink +Mandatory. Link of the parameter, that has the user defined types + +.EXAMPLE +Set-DefinitionSection -TemplateFileContent @{ resource = @{}; ... } -Properties @{ resource = @{}; ... } -ParentName 'diagnosticSettings' -ParentIdentifierLink '#parameter-diagnosticsettings' + +.NOTES +The function is recursive and will also output grand, great grand children, ... . +#> +function Set-DefinitionSection { + param ( + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory)] + [hashtable] $Properties, + + [Parameter(Mandatory)] + [string] $ParentName, + + [Parameter(Mandatory)] + [string] $ParentIdentifierLink + ) + $newSectionContent = @( + '', + '| Name | Required | Type | Description |', + '| :-- | :-- | :--| :-- |' + ) + $tableSectionContent = [System.Collections.ArrayList]@() + $listSectionContent = [System.Collections.ArrayList]@() + + foreach ($parameterName in $Properties.Keys | Sort-Object) { + $parameterValue = $Properties[$parameterName] + $paramIdentifier = '{0}.{1}' -f $ParentName, $parameterName + $paramIdentifierLink = ('{0}{1}' -f $ParentIdentifierLink, $parameterName).ToLower() + + # definition type (if any) + if ($parameterValue.Keys -contains '$ref') { + $definition = $TemplateFileContent.definitions[(Split-Path $parameterValue.'$ref' -Leaf)] + } else { + $definition = $null + } + + $isRequired = (Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameterValue) ? 'Yes' : 'No' + $type = ($parameterValue.Keys -contains '$ref') ? $definition.type : $parameterValue['type'] + $description = $parameterValue.ContainsKey('metadata') ? 
$parameterValue['metadata']['description'] : $null + + # build table for definition properties + $tableSectionContent += ('| [`{0}`]({1}) | {2} | {3} | {4} |' -f $parameterName, $paramIdentifierLink, $isRequired, $type, $description) + $allowedValues = ($parameterValue.ContainsKey('allowedValues')) ? (($parameterValue['allowedValues'] -is [array]) ? ('[{0}]' -f (($parameterValue['allowedValues'] | Sort-Object) -join ', ')) : (($parameterValue['allowedValues'] -is [hashtable]) ? '{object}' : $parameterValue['allowedValues'])) : $null + + #build flat list for definition properties + $listSectionContent += @( + '', + ('### Parameter: `{0}`' -f $paramIdentifier), + ($parameterValue.ContainsKey('metadata') ? '' : $null), + ($parameterValue.ContainsKey('metadata') ? $parameterValue['metadata']['description'] : $null), + ($parameterValue.ContainsKey('metadata') ? '' : $null), + ('- Required: {0}' -f $isRequired), + ('- Type: {0}' -f $type), + (($null -ne $allowedValues) ? ('- Allowed: `{0}`' -f $allowedValues) : $null) + ) | Where-Object { $null -ne $_ } + + #recursive call for children + if ($parameterValue.ContainsKey('items') -and $parameterValue['items'].ContainsKey('properties')) { + $childProperties = $parameterValue['items']['properties'] + $listSectionContent += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink + } + } + + $newSectionContent += $tableSectionContent + $newSectionContent += $listSectionContent + $newSectionContent += '' + + return $newSectionContent +} + <# .SYNOPSIS Update the 'outputs' section of the given readme file 
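Review bot: In `Set-DefinitionSection`, the recursive call at the end of the loop only descends when a property has `items.properties`, so a child property that is an object with its own `properties`, or one that references another definition through `$ref`, is listed in the table but its nested properties are never rendered; unless that shape never occurs in these templates, the condition should mirror the top-level branch in `Set-ParametersSection`, which handles both `$definition['items']['properties']` and `$definition['properties']`. `$type = ... ? $definition.type : ...` also reads the definition without checking that `$TemplateFileContent.definitions[...]` returned anything, so a `$ref` that does not resolve to a local definition silently yields an empty Type cell. In `Set-ParametersSection`, `$parameterList += @{ $paramIdentifier = @(...) }` throws on a duplicate key while the later `$parameterList[$paramIdentifier] += ...` indexes directly; `$parameterList[$paramIdentifier] = @(...)` would be consistent. Part of the middle of this hunk is not readable in this view, so the lines that compute `$paramIdentifier` and `$isRequired` could not be checked.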
@@ -267,7 +398,7 @@ function Set-OutputsSection { if ($TemplateFileContent.outputs.Values.metadata) { # Template has output descriptions $SectionContent = [System.Collections.ArrayList]@( - '| Output Name | Type | Description |', + '| Output | Type | Description |', '| :-- | :-- | :-- |' ) foreach ($outputName in ($templateFileContent.outputs.Keys | Sort-Object -Culture 'en-US')) { @@ -277,7 +408,7 @@ function Set-OutputsSection { } } else { $SectionContent = [System.Collections.ArrayList]@( - '| Output Name | Type |', + '| Output | Type |', '| :-- | :-- |' ) foreach ($outputName in ($templateFileContent.outputs.Keys | Sort-Object -Culture 'en-US')) { @@ -288,7 +419,7 @@ function Set-OutputsSection { # Build result if ($PSCmdlet.ShouldProcess('Original file with new output content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'table' + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } return $updatedFileContent } 
@@ -315,8 +446,11 @@ Mandatory. The readme file content array to update .PARAMETER SectionStartIdentifier Optional. The identifier of the 'outputs' section. Defaults to '## Cross-referenced modules' +.PARAMETER CrossReferencedModuleList +Required. The Cross Module References to consider when refreshing the readme. + .EXAMPLE -Set-CrossReferencesSection -ModuleRoot 'C:/key-vault/vault' -FullModuleIdentifier 'key-vault/vault' -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) +Set-CrossReferencesSection -ModuleRoot 'C:/key-vault/vault' -FullModuleIdentifier 'key-vault/vault' -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) -CrossReferencedModuleList @{} Update the given readme file's 'Cross-referenced modules' section based on the given template file content #> function Set-CrossReferencesSection { @@ -335,12 +469,13 @@ function Set-CrossReferencesSection { [Parameter(Mandatory)] [object[]] $ReadMeFileContent, + [Parameter(Mandatory)] + [hashtable] $CrossReferencedModuleList, + [Parameter(Mandatory = $false)] [string] $SectionStartIdentifier = '## Cross-referenced modules' ) - . (Join-Path (Split-Path $PSScriptRoot -Parent) 'tools' 'Get-CrossReferencedModuleList.ps1') - # Process content $SectionContent = [System.Collections.ArrayList]@( 'This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).', 
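Review bot: The new `.PARAMETER CrossReferencedModuleList` help says `Required.` while every other mandatory parameter in this file is introduced with `Mandatory.`; the new text should read `Mandatory. The Cross Module References to consider when refreshing the readme.` so the help stays uniform. The description could also say what shape the hashtable has (keys are module identifiers such as the `$FullModuleIdentifier` used to index it in the next hunk), since the function no longer builds it itself.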
@@ -349,7 +484,7 @@ function Set-CrossReferencesSection { '| :-- | :-- |' ) - $dependencies = (Get-CrossReferencedModuleList)[$FullModuleIdentifier] + $dependencies = $CrossReferencedModuleList[$FullModuleIdentifier] if ($dependencies.Keys -contains 'localPathReferences' -and $dependencies['localPathReferences']) { foreach ($reference in ($dependencies['localPathReferences'] | Sort-Object)) { @@ -371,7 +506,7 @@ function Set-CrossReferencesSection { # Build result if ($PSCmdlet.ShouldProcess('Original file with new output content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'none' + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } return $updatedFileContent } @@ -834,7 +969,7 @@ function ConvertTo-FormattedBicep { $splitInputObject = @{ BicepParams = $bicepParams RequiredParametersList = $RequiredParametersList - AllParametersList = $JSONParameters.psbase.Keys + AllParametersList = $JSONParameters.psBase.Keys } $commentedBicepParams = Add-BicepParameterTypeComment @splitInputObject 
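Review bot: `$dependencies = $CrossReferencedModuleList[$FullModuleIdentifier]` yields `$null` when the identifier is not a key of the map, and the following `$dependencies.Keys -contains 'localPathReferences'` test then evaluates to false (or errors under `Set-StrictMode`), so the section silently renders empty for a module the caller forgot to include. A short guard such as `if (-not $CrossReferencedModuleList.ContainsKey($FullModuleIdentifier)) { Write-Warning "No cross-reference entry for [$FullModuleIdentifier]" }` would make that visible. The function body continues on both sides of the hunk.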
@@ -843,10 +978,60 @@ function ConvertTo-FormattedBicep { <# .SYNOPSIS -Generate 'Deployment examples' for the ReadMe out of the parameter files currently used to test the template +Based on the provided parameter metadata, determine whether the parameter is required or not + +.DESCRIPTION +Based on the provided parameter metadata, determine whether the parameter is required or not + +.PARAMETER Parameter +The parameter metadata to analyze. + +For example: @{ + type = 'string' + metadata = @{ + description = 'Required. The name of the Public IP Address.' + } +} + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from. + +.EXAMPLE +Get-IsParameterRequired -TemplateFileContent @{ resource = @{}; ... } -Parameter @{ type = 'string'; metadata = @{ description = 'Required. The name of the Public IP Address.' } } + +Check the given parameter whether it is required. Would result into true. +#> +function Get-IsParameterRequired { + + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [hashtable] $Parameter, + + [Parameter(Mandatory)] + [hashtable] $TemplateFileContent + ) + + $hasParameterNoDefault = $Parameter.Keys -notcontains 'defaultValue' + $isParameterNullable = $Parameter['nullable'] + # User defined type + $isUserDefinedType = $Parameter.Keys -contains '$ref' + $isUserDefinedTypeNullable = $Parameter.Keys -contains '$ref' ? 
$TemplateFileContent.definitions[(Split-Path $Parameter.'$ref' -Leaf)]['nullable'] : $false + + # Evaluation + # The parameter is required IF it + # - has no default value, + # - is not nullable + # - has no nullable user-defined type + return $hasParameterNoDefault -and -not $isParameterNullable -and -not ($isUserDefinedType -and $isUserDefinedTypeNullable) +} + +<# +.SYNOPSIS +Generate 'Usage examples' for the ReadMe out of the parameter files currently used to test the template .DESCRIPTION -Generate 'Deployment examples' for the ReadMe out of the parameter files currently used to test the template +Generate 'Usage examples' for the ReadMe out of the parameter files currently used to test the template .PARAMETER ModuleRoot Mandatory. The file path to the module's root 
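Review bot: `$isUserDefinedTypeNullable` in `Get-IsParameterRequired` re-evaluates `$Parameter.Keys -contains '$ref'` as an unparenthesised ternary condition one line after the same test was stored in `$isUserDefinedType`; reusing the variable is clearer and removes the precedence question: `$isUserDefinedTypeNullable = $isUserDefinedType ? $TemplateFileContent.definitions[(Split-Path $Parameter.'$ref' -Leaf)]['nullable'] : $false`. With that, the final `-not ($isUserDefinedType -and $isUserDefinedTypeNullable)` reduces to `-not $isUserDefinedTypeNullable`, and a `$ref` that does not resolve to a local definition still evaluates to not-nullable, which is worth stating in the comment block above the return. The param block also mixes `[Parameter(Mandatory = $true)]` and `[Parameter(Mandatory)]`; pick one.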
@@ -861,20 +1046,20 @@ Mandatory. The template file content object to crawl data from Mandatory. The readme file content array to update .PARAMETER SectionStartIdentifier -Optional. The identifier of the 'outputs' section. Defaults to '## Deployment examples' +Optional. The identifier of the 'outputs' section. Defaults to '## Usage examples' .PARAMETER addJson Optional. A switch to control whether or not to add a ARM-JSON-Parameter file example. Defaults to true. .PARAMETER addBicep -Optional. A switch to control whether or not to add a Bicep deployment example. Defaults to true. +Optional. A switch to control whether or not to add a Bicep usage example. Defaults to true. .EXAMPLE -Set-DeploymentExamplesSection -ModuleRoot 'C:/key-vault/vault' -FullModuleIdentifier 'key-vault/vault' -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) +Set-UsageExamplesSection -ModuleRoot 'C:/key-vault/vault' -FullModuleIdentifier 'key-vault/vault' -TemplateFileContent @{ resource = @{}; ... } -ReadMeFileContent @('# Title', '', '## Section 1', ...) -Update the given readme file's 'Deployment Examples' section based on the given template file content +Update the given readme file's 'Usage Examples' section based on the given template file content #> -function Set-DeploymentExamplesSection { +function Set-UsageExamplesSection { [CmdletBinding(SupportsShouldProcess)] param ( 
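Review bot: The updated `.PARAMETER SectionStartIdentifier` help still describes "the identifier of the 'outputs' section", a leftover from `Set-OutputsSection`, while the default it documents is `'## Usage examples'`; it should read `Optional. The identifier of the 'usage examples' section. Defaults to '## Usage examples'`. The same copy-paste wording appears as an unchanged context line in the `Set-CrossReferencesSection` help earlier in this file.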
@@ -897,18 +1082,22 @@ function Set-DeploymentExamplesSection { [bool] $addBicep = $true, [Parameter(Mandatory = $false)] - [string] $SectionStartIdentifier = '## Deployment examples' + [string] $SectionStartIdentifier = '## Usage examples' ) # Load used function(s) - . (Join-Path (Split-Path $PSScriptRoot -Parent) 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1') + . (Join-Path $PSScriptRoot 'Get-ModuleTestFileList.ps1') + . (Join-Path (Split-Path $PSScriptRoot -Parent) 'resourcePublish' 'Get-PrivateRegistryRepositoryName.ps1') + + $brLink = Get-PrivateRegistryRepositoryName -TemplateFilePath $TemplateFilePath # Process content $SectionContent = [System.Collections.ArrayList]@( - 'The following module usage examples are retrieved from the content of the files hosted in the module''s `.test` folder.', - ' >**Note**: The name of each example is based on the name of the file from which it is taken.', + "The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.", + '', + '>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.', '', - ' >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.', + ('>**Note**: To reference the module, please use the following syntax `br:{0}:1.0.0`.' -f $brLink), '' ) 
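Review bot: `Get-PrivateRegistryRepositoryName -TemplateFilePath $TemplateFilePath` uses `$TemplateFilePath`, which is neither in the visible part of the param block nor in the function's `.PARAMETER` help; if it is not a declared parameter, PowerShell resolves it from the caller's scope by dynamic scoping, which works until the function is called from somewhere else. Declaring it (`[Parameter(Mandatory)] [string] $TemplateFilePath`) and adding a `.PARAMETER TemplateFilePath` entry makes the dependency explicit. The published version is hard-coded as `1.0.0` in the `br:{0}:1.0.0` note here and again in the `module ... 'br:$($brLink):1.0.0'` line of the `@@ -989,12 +1202,12 @@` hunk; one `$moduleVersion` variable, or a parameter with that default, keeps the two from drifting. The param block starts before the hunk.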
@@ -934,29 +1123,54 @@ function Set-DeploymentExamplesSection { } $testFilePaths = Get-ModuleTestFileList -ModulePath $moduleRoot | ForEach-Object { Join-Path $moduleRoot $_ } - $RequiredParametersList = $TemplateFileContent.parameters.Keys | Where-Object { $TemplateFileContent.parameters[$_].Keys -notcontains 'defaultValue' } | Sort-Object + + $RequiredParametersList = $TemplateFileContent.parameters.Keys | Where-Object { + Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $TemplateFileContent.parameters[$_] + } | Sort-Object ############################ ## Process test files ## ############################ $pathIndex = 1 + $usageExampleSectionHeaders = @() + $testFilesContent = @() foreach ($testFilePath in $testFilePaths) { # Read content $rawContentArray = Get-Content -Path $testFilePath + $compiledTestFileContent = bicep build $testFilePath --stdout | ConvertFrom-Json -AsHashtable $rawContent = Get-Content -Path $testFilePath -Encoding 'utf8' | Out-String # Format example header - if ((Split-Path (Split-Path $testFilePath -Parent) -Leaf) -ne '.test') { - $exampleTitle = Split-Path (Split-Path $testFilePath -Parent) -Leaf + if ($compiledTestFileContent.metadata.Keys -contains 'name') { + $exampleTitle = $compiledTestFileContent.metadata.name } else { - $exampleTitle = ((Split-Path $testFilePath -LeafBase) -replace '\.', ' ') -replace ' parameters', '' + if ((Split-Path (Split-Path $testFilePath -Parent) -Leaf) -ne '.test') { + $exampleTitle = Split-Path (Split-Path $testFilePath -Parent) -Leaf + } else { + $exampleTitle = ((Split-Path $testFilePath -LeafBase) -replace '\.', ' ') -replace ' parameters', '' + } + $textInfo = (Get-Culture -Name 'en-US').TextInfo + $exampleTitle = $textInfo.ToTitleCase($exampleTitle) } - $textInfo = (Get-Culture -Name 'en-US').TextInfo - $exampleTitle = $textInfo.ToTitleCase($exampleTitle) - $SectionContent += @( - '

Example {0}: {1}

' -f $pathIndex, $exampleTitle + + $fullTestFileTitle = '### Example {0}: _{1}_' -f $pathIndex, $exampleTitle + $testFilesContent += @( + $fullTestFileTitle ) + $usageExampleSectionHeaders += @{ + title = $exampleTitle + header = $fullTestFileTitle + } + + # If a description is added in the template's metadata, we can add it too + if ($compiledTestFileContent.metadata.Keys -contains 'description') { + $testFilesContent += @( + '', + $compiledTestFileContent.metadata.description, + '' + ) + } ## ----------------------------------- ## ## Handle by type (Bicep vs. JSON) ## @@ -977,7 +1191,6 @@ function Set-DeploymentExamplesSection { $rawBicepExample = $rawContentArray[$bicepTestStartIndex..$bicepTestEndIndex] - # In case a loop was used for the test if ($rawBicepExample[-1] -eq '}]') { $rawBicepExample[-1] = '}' } @@ -989,12 +1202,12 @@ function Set-DeploymentExamplesSection { $rawBicepExampleString = $rawBicepExampleString -replace '\$\{serviceShort\}', $serviceShort $rawBicepExampleString = $rawBicepExampleString -replace '\$\{namePrefix\}[-|\.|_]?', '' # Replacing with empty to not expose prefix and avoid potential deployment conflicts $rawBicepExampleString = $rawBicepExampleString -replace '(?m):\s*location\s*$', ': ''''' + $rawBicepExampleString = $rawBicepExampleString -replace '-\$\{iteration\}', '' # [3/6] Format header, remove scope property & any empty line $rawBicepExample = $rawBicepExampleString -split '\n' - $rawBicepExample[0] = "module $moduleNameCamelCase './$fullModuleIdentifier/main.bicep' = {" + $rawBicepExample[0] = "module $moduleNameCamelCase 'br:$($brLink):1.0.0' = {" $rawBicepExample = $rawBicepExample | Where-Object { $_ -notmatch 'scope: *' } | Where-Object { -not [String]::IsNullOrEmpty($_) } - # [4/6] Extract param block $rawBicepExampleArray = $rawBicepExample -split '\n' $moduleDeploymentPropertyIndent = ([regex]::Match($rawBicepExampleArray[1], '^(\s+).*')).Captures.Groups[1].Value.Length 
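Review bot: `$compiledTestFileContent = bicep build $testFilePath --stdout | ConvertFrom-Json -AsHashtable` invokes an external compiler per test file without checking its outcome; if `bicep` is missing from PATH or the build fails, the pipeline yields `$null`, the later `.metadata.Keys -contains 'name'` tests quietly evaluate to false and the example silently falls back to the file-name title, hiding the error. Checking the exit code right after the call, `if ($LASTEXITCODE -ne 0) { throw "bicep build failed for [$testFilePath]" }`, makes readme generation fail loudly instead of publishing a degraded example. `$usageExampleSectionHeaders` is filled here but its consumer is outside the hunk, so I could not confirm it is used. The loop body continues past the hunk.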
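Review bot: Removing the `# [4/6] Extract param block` comment in the `@@ -989,12 +1202,12 @@` hunk leaves the numbered step sequence in this function jumping from `[3/6]` to the next surviving marker, which is the one navigational aid in a long method; keep the line. The new `-replace '-\$\{iteration\}', ''` line also deserves a short trailing comment like the one on the `namePrefix` line above it, e.g. `# Loop-iteration suffix is test-only`, so the next reader knows why it is stripped. The function body continues on both sides of the hunk.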
@@ -1049,7 +1262,7 @@ function Set-DeploymentExamplesSection { } # Build result - $SectionContent += @( + $testFilesContent += @( '', '
' '' @@ -1077,7 +1290,7 @@ function Set-DeploymentExamplesSection { $orderedJSONExample = Build-OrderedJSONObject @orderingInputObject # [2/2] Create the final content block - $SectionContent += @( + $testFilesContent += @( '', '
' '' @@ -1121,7 +1334,7 @@ function Set-DeploymentExamplesSection { # e.g. "[format('{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-paramNested', uniqueString(deployment().name, parameters('location')))), '2020-10-01').outputs.managedIdentityResourceId.value)]": {} $expectedValue = $matches[1] } elseif ($row -match '\[.*reference\(extensionResourceId.+\.([a-zA-Z]+).*\].*"') { - # e.g. "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policySetDefinitions', format('dep-[[namePrefix]]-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" + # e.g. "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policySetDefinitions', format('dep-#_namePrefix_#-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" $expectedValue = $matches[1] } else { throw "Unhandled case [$row] in file [$testFilePath]" @@ -1138,7 +1351,7 @@ function Set-DeploymentExamplesSection { if ($jsonParameterContentArray[$index] -match '(\s*"value"): "\[.+\]"') { # e.g. # "policyAssignmentId": { - # "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', format('dep-[[namePrefix]]-psa-{0}', parameters('serviceShort')))]" + # "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', format('dep-#_namePrefix_#-psa-{0}', parameters('serviceShort')))]" $prefix = $matches[1] $headerIndex = $index 
@@ -1156,7 +1369,7 @@ function Set-DeploymentExamplesSection { # e.g. # "policyDefinitionReferenceIds": { # "value": [ - # "[reference(subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', format('dep-[[namePrefix]]-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" + # "[reference(subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', format('dep-#_namePrefix_#-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" $prefix = $matches[1] $headerIndex = $index @@ -1238,7 +1451,7 @@ function Set-DeploymentExamplesSection { # - the 'existing' Key Vault resources # - a 'module' header that mimics a module deployment # - all parameters in Bicep format - $SectionContent += @( + $testFilesContent += @( '', '
' '' @@ -1272,7 +1485,7 @@ function Set-DeploymentExamplesSection { $orderedJSONExample = Build-OrderedJSONObject @orderingInputObject # [2/2] Create the final content block - $SectionContent += @( + $testFilesContent += @( '', '
', '', @@ -1288,19 +1501,28 @@ function Set-DeploymentExamplesSection { } } - $SectionContent += @( + $testFilesContent += @( '' ) $pathIndex++ } + foreach ($rawHeader in $usageExampleSectionHeaders) { + $navigationHeader = (($rawHeader.header -replace '<\/?.+?>|[^A-Za-z0-9\s-]').Trim() -replace '\s+', '-').ToLower() # Remove any html and non-identifer elements + $SectionContent += '- [{0}](#{1})' -f $rawHeader.title, $navigationHeader + } + $SectionContent += '' + + + $SectionContent += $testFilesContent + ###################### ## Built result ## ###################### if ($SectionContent) { if ($PSCmdlet.ShouldProcess('Original file with new template references content', 'Merge')) { - return Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier + return Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $SectionContent -SectionStartIdentifier $SectionStartIdentifier -ContentType 'nextH2' } } else { return $ReadMeFileContent @@ -1357,8 +1579,8 @@ function Set-TableOfContent { } # Build result - if ($PSCmdlet.ShouldProcess('Original file with new parameters content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'none' + if ($PSCmdlet.ShouldProcess('Original file with new navigation content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } return $updatedFileContent 
@@ -1369,8 +1591,7 @@ function Set-TableOfContent { Initialize the readme file .DESCRIPTION -If no readme file exists, the initial content is generated (e.g., the skeleton of the section headers). -If a readme file does exist, its title and description are updated with whatever is documented as metadata in the template file. +Create the initial skeleton of the section headers, name & description. .PARAMETER ReadMeFilePath Required. The path to the readme file to initialize. @@ -1401,12 +1622,12 @@ function Initialize-ReadMe { ) . (Join-Path $PSScriptRoot 'helper' 'Get-SpecsAlignedResourceName.ps1') - . (Join-Path (Split-Path $PSScriptRoot -Parent) 'pipelines' 'sharedScripts' 'Get-NestedResourceList.ps1') - + . (Join-Path $PSScriptRoot 'Get-NestedResourceList.ps1') $moduleName = $TemplateFileContent.metadata.name $moduleDescription = $TemplateFileContent.metadata.description $formattedResourceType = Get-SpecsAlignedResourceName -ResourceIdentifier $FullModuleIdentifier + $hasTests = (Get-ChildItem -Path (Split-Path $ReadMeFilePath) -Recurse -Filter 'main.test.bicep' -File -Force).count -gt 0 $inTemplateResourceType = (Get-NestedResourceList $TemplateFileContent).type | Select-Object -Unique | Where-Object { $_ -match "^$formattedResourceType$" 
@@ -1417,47 +1638,24 @@ function Initialize-ReadMe { $inTemplateResourceType = $formattedResourceType } - if (-not (Test-Path $ReadMeFilePath) -or ([String]::IsNullOrEmpty((Get-Content $ReadMeFilePath -Raw)))) { - - $initialContent = @( - "# $moduleName ``[$inTemplateResourceType]``", - '', - $moduleDescription, - '' - '## Resource Types', - '', - '## Parameters', - '', - '## Outputs' - ) - $readMeFileContent = $initialContent - } else { - $readMeFileContent = Get-Content -Path $ReadMeFilePath -Encoding 'utf8' - $readMeFileContent[0] = "# $moduleName ``[$inTemplateResourceType]``" - - # We want to inject the description right below the header and before the [Resource Types] section - - # Find start- and end-index of description section - $startIndex = 1 # One after the readme header - $endIndex = $startIndex - - while (-not ($endIndex -ge $readMeFileContent.Count - 1) -and -not $readMeFileContent[$endIndex].StartsWith('#')) { - $endIndex++ - } - - # Build result - $startContent = @( - $readMeFileContent[0], - '' - ) - $newContent = @( - $moduleDescription, - '' - ) - $endContent = $readMeFileContent[$endIndex..($readMeFileContent.Count - 1)] - - $readMeFileContent = (($startContent + $newContent + $endContent) | Out-String).TrimEnd().Replace("`r", '').Split("`n") - } + $initialContent = @( + "# $moduleName ``[$inTemplateResourceType]``", + '', + $moduleDescription, + '' + '## Resource Types', + '' + ($hasTests ? '## Usage examples' : $null), + ($hasTests ? '' : $null), + '## Parameters', + '', + '## Outputs', + '', + '## Cross-referenced modules', + '', + '## Notes' + ) | Where-Object { $null -ne $_ } # Filter null values + $readMeFileContent = $initialContent return $readMeFileContent } 
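Review bot: `$hasTests` here is rooted at `Split-Path $ReadMeFilePath`, while Set-ModuleReadMe recomputes the same flag at hunk `@@ -1595` rooted at `$moduleRoot`; when `-ReadMeFilePath` points outside the module folder the skeleton and the section refresh can disagree about whether a `## Usage examples` header exists. Computing the flag once in the caller and passing it in (or deriving both from `$moduleRoot`) removes the divergence. Separately, this rewrite drops the branch that kept an existing readme's title and description, which matches the new `.DESCRIPTION` at hunk `@@ -1369`, but `.PARAMETER ReadMeFilePath` still reads "The path to the readme file to initialize" although, in the hunks shown, the path now appears to be used only to locate test files; saying so in the parameter text would avoid surprising callers. Initialize-ReadMe's signature lies outside this hunk.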
@@ -1485,6 +1683,9 @@ Optional. The path to the readme to update. If not provided assumes a 'README.md Optional. The sections to update. By default it refreshes all that are supported. Currently supports: 'Resource Types', 'Parameters', 'Outputs', 'Template references' +.PARAMETER CrossReferencedModuleList +Optional. Cross Module References to consider when refreshing the readme. Can be provided to speed up the generation. If not provided, is fetched by this script. + .EXAMPLE Set-ModuleReadMe -TemplateFilePath 'C:\main.bicep' @@ -1524,29 +1725,33 @@ function Set-ModuleReadMe { [Parameter(Mandatory = $false)] [string] $ReadMeFilePath = (Join-Path (Split-Path $TemplateFilePath -Parent) 'README.md'), + [Parameter(Mandatory = $false)] + [hashtable] $CrossReferencedModuleList = @{}, + [Parameter(Mandatory = $false)] [ValidateSet( 'Resource Types', + 'Usage examples', 'Parameters', 'Outputs', 'CrossReferences', 'Template references', - 'Navigation', - 'Deployment examples' + 'Navigation' )] [string[]] $SectionsToRefresh = @( 'Resource Types', + 'Usage examples', 'Parameters', 'Outputs', 'CrossReferences', 'Template references', - 'Navigation', - 'Deployment examples' + 'Navigation' ) ) # Load external functions . (Join-Path $PSScriptRoot 'helper' 'Merge-FileWithNewContent.ps1') + . (Join-Path $PSScriptRoot 'Get-NestedResourceList.ps1') # Check template & make full path $TemplateFilePath = Resolve-Path -Path $TemplateFilePath -ErrorAction Stop @@ -1559,7 +1764,7 @@ function Set-ModuleReadMe { if ((Split-Path -Path $TemplateFilePath -Extension) -eq '.bicep') { $templateFileContent = bicep build $TemplateFilePath --stdout | ConvertFrom-Json -AsHashtable } else { - $templateFileContent = ConvertFrom-Json (Get-Content $TemplateFilePath -Encoding 'utf8' -Raw) -ErrorAction Stop -AsHashtable + $templateFileContent = ConvertFrom-Json (Get-Content $TemplateFilePath -Encoding 'utf8' -Raw) -ErrorAction 'Stop' -AsHashtable } } 
@@ -1576,6 +1781,32 @@ function Set-ModuleReadMe { $fullModuleIdentifier = $fullModuleIdentifier.split($customModuleSeparator)[0] } + # ===================== # + # Preparation steps # + # ===================== # + # Read original readme, if any. Then delete it to build from scratch + if ((Test-Path $ReadMeFilePath) -and -not ([String]::IsNullOrEmpty((Get-Content $ReadMeFilePath -Raw)))) { + $readMeFileContent = Get-Content -Path $ReadMeFilePath -Encoding 'utf8' + # Delete original readme + if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Delete')) { + $null = Remove-Item $ReadMeFilePath -Force + } + } + # Make sure we preserve any manual notes a user might have added in the corresponding section + if ($match = $readMeFileContent | Select-String -Pattern '## Notes') { + $startIndex = $match.LineNumber + + $endIndex = $startIndex + 1 + + while (-not (($endIndex + 1) -gt $readMeFileContent.count) -and $readMeFileContent[($endIndex + 1)] -notlike '## *') { + $endIndex++ + } + + $notes = $readMeFileContent[($startIndex - 1)..$endIndex] + } else { + $notes = @() + } + # Initialize readme $inputObject = @{ ReadMeFilePath = $ReadMeFilePath @@ -1584,7 +1815,9 @@ function Set-ModuleReadMe { } $readMeFileContent = Initialize-ReadMe @inputObject - # Set content + # =============== # + # Set content # + # =============== # if ($SectionsToRefresh -contains 'Resource Types') { # Handle [Resource Types] section # =============================== 
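Review bot: The original readme is removed with `Remove-Item $ReadMeFilePath -Force` before any replacement content exists, so a failure later in the run (for example a failing `bicep build` of a test file) leaves the module with no readme at all; keeping the file and overwriting it once the new content is complete gives the same end state without that destructive window. The `$notes` slice starts at `($startIndex - 1)`, which is the `## Notes` line that matched, while the skeleton from Initialize-ReadMe already ends with `## Notes`, so when `$notes` is appended at hunk `@@ -1619` the heading appears twice unless an intermediate merge happens to drop the skeleton's trailing header; slicing from `$startIndex` avoids relying on that. The end-of-section loop starts at `$startIndex + 1` and inspects `$readMeFileContent[$endIndex + 1]`, so the two lines directly after the header are captured without ever being tested for an `## ` heading. `Select-String -Pattern '## Notes'` is an unanchored regex, so a `### Notes` subheading elsewhere, or several matches, sets `$startIndex` unexpectedly; `Select-String -Pattern '^## Notes$' | Select-Object -First 1` narrows it. When no readme exists `$readMeFileContent` is never assigned in this block, so the `Select-String` may run against whatever a parent scope holds; initialise it to `@()` first.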
@@ -1595,6 +1828,19 @@ function Set-ModuleReadMe { $readMeFileContent = Set-ResourceTypesSection @inputObject } + $hasTests = (Get-ChildItem -Path $moduleRoot -Recurse -Filter 'main.test.bicep' -File -Force).count -gt 0 + if ($SectionsToRefresh -contains 'Usage examples' -and $hasTests) { + # Handle [Usage examples] section + # =================================== + $inputObject = @{ + ModuleRoot = $ModuleRoot + FullModuleIdentifier = $fullModuleIdentifier + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + } + $readMeFileContent = Set-UsageExamplesSection @inputObject + } + if ($SectionsToRefresh -contains 'Parameters') { # Handle [Parameters] section # =========================== 
@@ -1619,27 +1865,24 @@ function Set-ModuleReadMe { if ($SectionsToRefresh -contains 'CrossReferences') { # Handle [CrossReferences] section # ======================== + if ($CrossReferencedModuleList.Count -eq 0) { + . (Join-Path (Get-Item $PSScriptRoot).Parent.Parent 'tools' 'Get-CrossReferencedModuleList.ps1') + $CrossReferencedModuleList = Get-CrossReferencedModuleList + } $inputObject = @{ - ModuleRoot = $ModuleRoot - FullModuleIdentifier = $fullModuleIdentifier - ReadMeFileContent = $readMeFileContent - TemplateFileContent = $templateFileContent + ModuleRoot = $ModuleRoot + FullModuleIdentifier = $fullModuleIdentifier + ReadMeFileContent = $readMeFileContent + TemplateFileContent = $templateFileContent + CrossReferencedModuleList = $CrossReferencedModuleList } $readMeFileContent = Set-CrossReferencesSection @inputObject } - - $testFolderPath = Join-Path $moduleRoot '.test' - $hasTests = (Test-Path $testFolderPath) ? (Get-ChildItem -Path $testFolderPath -Recurse -Include 'main.test.*').count -gt 0 : $false - if ($SectionsToRefresh -contains 'Deployment examples' -and $hasTests) { - # Handle [Deployment examples] section - # =================================== - $inputObject = @{ - ModuleRoot = $ModuleRoot - FullModuleIdentifier = $fullModuleIdentifier - ReadMeFileContent = $readMeFileContent - TemplateFileContent = $templateFileContent - } - $readMeFileContent = Set-DeploymentExamplesSection @inputObject + # Handle [Notes] section + # ======================== + if ($notes) { + $readMeFileContent += @( '' ) + $readMeFileContent += $notes } if ($SectionsToRefresh -contains 'Navigation') { diff --git a/utilities/tools/helper/ConvertTo-OrderedHashtable.ps1 b/utilities/pipelines/sharedScripts/helper/ConvertTo-OrderedHashtable.ps1 similarity index 100% rename from utilities/tools/helper/ConvertTo-OrderedHashtable.ps1 rename to utilities/pipelines/sharedScripts/helper/ConvertTo-OrderedHashtable.ps1 
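Review bot: `$CrossReferencedModuleList.Count -eq 0` cannot distinguish the `@{}` default from a caller that deliberately passes an empty map, so the latter still triggers the full `Get-CrossReferencedModuleList` scan the new parameter was meant to avoid; `if (-not $PSBoundParameters.ContainsKey('CrossReferencedModuleList')) {` matches the "if not provided" wording of the `.PARAMETER` help at hunk `@@ -1485`. The dot-source path `(Get-Item $PSScriptRoot).Parent.Parent 'tools'` also ties this function to a fixed directory depth, which the test script's load path at hunk `@@ -662` suggests is `utilities/pipelines/sharedScripts`; a comment naming that expectation, e.g. `# expects this file under <repo>/utilities/pipelines/sharedScripts`, would make the next move less surprising. The same relative reach appears at hunk `@@ -60` of Get-SpecsAlignedResourceName.ps1.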
diff --git a/utilities/tools/helper/Get-SpecsAlignedResourceName.ps1 b/utilities/pipelines/sharedScripts/helper/Get-SpecsAlignedResourceName.ps1 similarity index 97% rename from utilities/tools/helper/Get-SpecsAlignedResourceName.ps1 rename to utilities/pipelines/sharedScripts/helper/Get-SpecsAlignedResourceName.ps1 index 7cfab64e1d..a82711b65b 100644 --- a/utilities/tools/helper/Get-SpecsAlignedResourceName.ps1 +++ b/utilities/pipelines/sharedScripts/helper/Get-SpecsAlignedResourceName.ps1 @@ -60,7 +60,7 @@ function Get-SpecsAlignedResourceName { [string] $ResourceIdentifier, [Parameter(Mandatory = $false)] - [string] $SpecsFilePath = (Join-Path (Split-Path (Split-Path $PSScriptRoot)) 'src' 'apiSpecsList.json') + [string] $SpecsFilePath = (Join-Path (Get-Item $PSScriptRoot).Parent.Parent.Parent 'src' 'apiSpecsList.json') ) $specs = ConvertFrom-Json (Get-Content $specsFilePath -Raw) -AsHashtable diff --git a/utilities/tools/helper/Merge-FileWithNewContent.ps1 b/utilities/pipelines/sharedScripts/helper/Merge-FileWithNewContent.ps1 similarity index 94% rename from utilities/tools/helper/Merge-FileWithNewContent.ps1 rename to utilities/pipelines/sharedScripts/helper/Merge-FileWithNewContent.ps1 index 04db4a0bb4..e64bbd5a58 100644 --- a/utilities/tools/helper/Merge-FileWithNewContent.ps1 +++ b/utilities/pipelines/sharedScripts/helper/Merge-FileWithNewContent.ps1 @@ -111,7 +111,7 @@ function Merge-FileWithNewContent { [string] $SectionStartIdentifier, [Parameter(Mandatory = $false)] - [ValidateSet('table', 'list', 'none')] + [ValidateSet('table', 'list', 'none', 'nextH2')] [string] $ContentType = 'none' ) 
@@ -215,6 +215,18 @@ function Merge-FileWithNewContent { } } } + 'nextH2' { + $endIndex = $startIndex + 1 + + while (-not $OldContent[$endIndex].StartsWith('## ') -and -not (($endIndex + 1) -ge $OldContent.count)) { + $endIndex++ + } + + $startContent = $OldContent[0..($startIndex)] + if ($endIndex -ne $OldContent.Count - 1) { + $endContent = $OldContent[$endIndex..($OldContent.Count - 1)] + } + } Default {} } } diff --git a/utilities/pipelines/staticValidation/helper/helper.psm1 b/utilities/pipelines/staticValidation/helper/helper.psm1 index 1afedb79fb..3bfd42e141 100644 --- a/utilities/pipelines/staticValidation/helper/helper.psm1 +++ b/utilities/pipelines/staticValidation/helper/helper.psm1 @@ -6,8 +6,8 @@ $repoRootPath = (Get-Item $PSScriptRoot).Parent.Parent.Parent.Parent.FullName . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-NestedResourceList.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1') +. (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'helper' 'ConvertTo-OrderedHashtable.ps1') . (Join-Path $repoRootPath 'utilities' 'tools' 'Get-CrossReferencedModuleList.ps1') -. (Join-Path $repoRootPath 'utilities' 'tools' 'helper' 'ConvertTo-OrderedHashtable.ps1') . (Join-Path $repoRootPath 'utilities' 'tools' 'helper' 'Get-PipelineFileName.ps1') #################################### diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1 index 5011b27ff9..617609b9bd 100644 --- a/utilities/pipelines/staticValidation/module.tests.ps1 +++ b/utilities/pipelines/staticValidation/module.tests.ps1 
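Review bot: In the `'nextH2'` branch the `while` condition calls `$OldContent[$endIndex].StartsWith('## ')` before the bounds test, so when `$SectionStartIdentifier` is the last line of the file `$OldContent[$startIndex + 1]` is `$null` and the method call fails. The exit test `$endIndex -ne $OldContent.Count - 1` also cannot tell "stopped on the final line because it is an `## ` heading" from "ran off the end", so a heading on the last line — which is exactly where the skeleton built in Initialize-ReadMe puts `## Notes` — is dropped from `$endContent`. Bounds-checking first and keying `$endContent` on whether a heading was found fixes both; `$endContent` is presumably initialised above the `switch`, which lies outside this hunk.
```powershell
'nextH2' {
    $endIndex = $startIndex + 1

    # Advance to the next H2 heading, or to the end of the content
    while ($endIndex -lt $OldContent.Count -and -not $OldContent[$endIndex].StartsWith('## ')) {
        $endIndex++
    }

    $startContent = $OldContent[0..($startIndex)]
    if ($endIndex -lt $OldContent.Count) {
        # A heading was found (possibly on the last line); keep it and everything after it
        $endContent = $OldContent[$endIndex..($OldContent.Count - 1)]
    }
}
```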
@@ -221,7 +221,7 @@ Describe 'Pipeline tests' -Tag 'Pipeline' { $missingCrossModuleReferenceTriggers = [System.Collections.ArrayList] @() foreach ($localReference in $localReferences) { - $expectedPath = "modules/$localReference/**" + $expectedPath = "$localReference/**" if ($workflowModuleTriggerPaths -notcontains $expectedPath) { $missingCrossModuleReferenceTriggers += $expectedPath } @@ -291,7 +291,7 @@ Describe 'Pipeline tests' -Tag 'Pipeline' { $missingCrossModuleReferenceTriggers = [System.Collections.ArrayList] @() foreach ($localReference in $localReferences) { - $expectedPath = "/modules/$localReference/*" + $expectedPath = "/$localReference/*" if ($moduleTriggerPaths -notcontains $expectedPath) { $missingCrossModuleReferenceTriggers += $expectedPath } 
@@ -364,291 +364,6 @@ Describe 'Module tests' -Tag 'Module' { $readMeContent | Should -Not -BeNullOrEmpty } - It '[] `README.md` file should contain these sections in order: Navigation, Resource Types, Parameters, Outputs, Cross-referenced modules, Deployment examples.' -TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [object[]] $readMeContent, - [boolean] $isTopLevelModule - ) - - $expectedHeadersInOrder = @('Navigation', 'Resource types', 'Parameters', 'Outputs', 'Cross-referenced modules') - - if ($isTopLevelModule) { - # Only top-level modules have parameter files and hence deployment examples - $expectedHeadersInOrder += 'Deployment examples' - } - - $actualHeadersInOrder = $readMeContent | Where-Object { $_ -like '#*' } | ForEach-Object { ($_ -replace '#', '').TrimStart() } - - $filteredActuals = $actualHeadersInOrder | Where-Object { $expectedHeadersInOrder -contains $_ } - - $missingHeaders = $expectedHeadersInOrder | Where-Object { $actualHeadersInOrder -notcontains $_ } - $missingHeaders.Count | Should -Be 0 -Because ('the list of missing headers [{0}] should be empty.' -f ($missingHeaders -join ',')) - - $filteredActuals | Should -Be $expectedHeadersInOrder -Because 'the headers should exist in the expected order' - } - - It '[] Resources section should contain all resources from the template file.' 
-TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Resource Types' - - $ReadMeResourcesList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { - $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() - } - - # Get template data - $templateResources = (Get-NestedResourceList -TemplateFileContent $templateContent | Where-Object { - $_.type -notin @('Microsoft.Resources/deployments') -and $_ }).type | Select-Object -Unique - - # Compare - $differentiatingItems = $templateResources | Where-Object { $ReadMeResourcesList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of template resources missing from the ReadMe's list [{0}] should be empty" -f ($differentiatingItems -join ',')) - } - - It '[] Resources section should not contain more resources than the template file.' 
-TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Resource Types' - - $ReadMeResourcesList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { - $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() - } - - # Get template data - $templateResources = (Get-NestedResourceList -TemplateFileContent $templateContent | Where-Object { - $_.type -notin @('Microsoft.Resources/deployments') -and $_ }).type | Select-Object -Unique - - # Compare - $differentiatingItems = $templateResources | Where-Object { $ReadMeResourcesList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ("list of resources in the ReadMe's list [{0}] not in the template file should be empty" -f ($differentiatingItems -join ',')) - } - - It '[] Parameters section should contain a table for each existing parameter category in the following order: Required, Conditional, Optional, Generated.' 
-TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - $expectColumnsInOrder = @('Required', 'Conditional', 'Optional', 'Generated') - - ## Get all descriptions - $descriptions = $templateContent.parameters.Values.metadata.description - - ## Get the module parameter categories - $expectedParamCategories = $descriptions | ForEach-Object { $_.Split('.')[0] } | Select-Object -Unique # Get categories in template - $expectedParamCategoriesInOrder = $expectColumnsInOrder | Where-Object { $_ -in $expectedParamCategories } # add required ones in order - $expectedParamCategoriesInOrder += $expectedParamCategories | Where-Object { $_ -notin $expectColumnsInOrder } # add non-required ones after - - $actualParamCategories = $readMeContent | Select-String -Pattern '^\*\*(.+) parameters\*\*$' -AllMatches | ForEach-Object { $_.Matches.Groups[1].Value } # get actual in readme - - $actualParamCategories | Should -Be $expectedParamCategoriesInOrder - } - - It '[] Parameter tables should provide columns in the following order: Parameter Name, Type, Default Value, Allowed Values, Description. Each column should be present unless empty for all the rows.' -TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - ## Get all descriptions - $descriptions = $templateContent.parameters.Values.metadata.description - - ## Get the module parameter categories - $paramCategories = $descriptions | ForEach-Object { $_.Split('.')[0] } | Select-Object -Unique - - foreach ($paramCategory in $paramCategories) { - - # Filter to relevant items - [array] $categoryParameters = $templateContent.parameters.Values | Where-Object { $_.metadata.description -like "$paramCategory. 
*" } | Sort-Object -Property 'Name' -Culture 'en-US' - - # Check properties for later reference - $shouldHaveDefault = $categoryParameters.defaultValue.count -gt 0 - $shouldHaveAllowed = $categoryParameters.allowedValues.count -gt 0 - - $expectedColumnsInOrder = @('Parameter Name', 'Type') - if ($shouldHaveDefault) { $expectedColumnsInOrder += @('Default Value') } - if ($shouldHaveAllowed) { $expectedColumnsInOrder += @('Allowed Values') } - $expectedColumnsInOrder += @('Description') - - $readMeCategoryIndex = $readMeContent | Select-String -Pattern "^\*\*$paramCategory parameters\*\*$" | ForEach-Object { $_.LineNumber } - - $tableStartIndex = $readMeCategoryIndex - while ($readMeContent[$tableStartIndex] -notlike '*|*' -and -not ($tableStartIndex -ge $readMeContent.count)) { - $tableStartIndex++ - } - - $readmeCategoryColumns = ($readMeContent[$tableStartIndex] -split '\|') | ForEach-Object { $_.Trim() } | Where-Object { -not [String]::IsNullOrEmpty($_) } - $readmeCategoryColumns | Should -Be $expectedColumnsInOrder - } - } - - It '[] Parameters section should contain all parameters from the template file.' -TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - # Get Template data - $parameters = $templateContent.parameters.Keys - - # Get ReadMe data - ## Get section start index - $sectionStartIndex = Get-MarkdownSectionStartIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Parameters' - - if ($sectionStartIndex -ge $readMeContent.count) { - throw 'Parameters section is missing in the Readme. Please add and re-run the tests.' 
- } - - $parametersSectionEndIndex = Get-MarkdownSectionEndIndex -ReadMeContent $readMeContent -SectionStartIndex $sectionStartIndex - - ## Iterate over all parameter tables - $parametersList = [System.Collections.ArrayList]@() - $sectionIndex = $sectionStartIndex - while ($sectionIndex -lt $parametersSectionEndIndex) { - ### Get table start index - $parametersTableStartIndex = $sectionIndex - while ($readMeContent[$parametersTableStartIndex] -notlike '*|*' -and -not ($parametersTableStartIndex -ge $readMeContent.count)) { - $parametersTableStartIndex++ - } - Write-Verbose ("[loop] Start row of the parameter table: $parametersTableStartIndex") - - ### Get table end index - $parametersTableEndIndex = $parametersTableStartIndex + 2 # Header row + table separator row - while ($readMeContent[$parametersTableEndIndex] -like '*|*' -and -not ($parametersTableEndIndex -ge $readMeContent.count)) { - $parametersTableEndIndex++ - } - Write-Verbose ("[loop] End row of the parameter table: $parametersTableEndIndex") - - for ($tableIndex = $parametersTableStartIndex + 2; $tableIndex -lt $parametersTableEndIndex; $tableIndex++) { - $parametersList += $readMeContent[$tableIndex].Split('|')[1].Replace('`', '').Trim() - } - $sectionIndex = $parametersTableEndIndex + 1 - } - - # Test - $differentiatingItems = $parameters | Where-Object { $parametersList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of template parameters missing in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - } - - It '[] Outputs section should contain a table with these column names in order: Output Name, Type.' 
-TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - $readMeContent - ) - - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Outputs' - - $outputsTableHeader = $readMeContent[$tableStartIndex].Split('|').Trim() | Where-Object { -not [String]::IsNullOrEmpty($_) } - - # Test - $expectedOutputsTableOrder = @('Output Name', 'Type') - $differentiatingItems = $expectedOutputsTableOrder | Where-Object { $outputsTableHeader -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of "Outputs" table columns missing in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - } - - It '[] Output section should contain all outputs defined in the template file.' -TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Outputs' - - $ReadMeOutputsList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { - $ReadMeOutputsList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() - } - - # Template data - $expectedOutputs = $templateContent.outputs.Keys - - # Test - $differentiatingItems = $expectedOutputs | Where-Object { $ReadMeOutputsList -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of template outputs missing in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - - $differentiatingItems = $ReadMeOutputsList | Where-Object { $expectedOutputs -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of excess template outputs defined in the ReadMe file [{0}] should be empty.' 
-f ($differentiatingItems -join ',')) - } - - It '[] Dependencies section should contain all cross-references defined in the template file.' -TestCases $readmeFileTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent, - [string] $resourceTypeIdentifier, - [hashtable] $templateReferences - ) - - # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*## Cross-referenced modules' - - $ReadMeDependenciesList = @{ - localPathReferences = @() - remoteReferences = @() - } - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { - $type = $readMeContent[$index].Split('|')[2].Trim() - - switch ($type) { - 'Local reference' { - $ReadMeDependenciesList.localPathReferences += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() - } - 'Remote reference' { - $ReadMeDependenciesList.remoteReferences += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() - } - Default { - throw "Unkown type reference [$type]. Only [Local reference] & [Remote reference] are known. Please update ReadMe or test script." - } - } - } - - # Test - if ($templateReferences.localPathReferences) { - $differentiatingItems = @() + $templateReferences.localPathReferences | Where-Object { $ReadMeDependenciesList.localPathReferences -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of local template dependencies missing in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - - - $differentiatingItems = @() + $ReadMeDependenciesList.localPathReferences | Where-Object { $templateReferences.localPathReferences -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of excess local template references defined in the ReadMe file [{0}] should be empty.' 
-f ($differentiatingItems -join ',')) - } - - if ($templateReferences.remoteReferences) { - $differentiatingItems = @() + $templateReferences.remoteReferences | Where-Object { $ReadMeDependenciesList.remoteReferences -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of remote template dependencies missing in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - - - $differentiatingItems = @() + $ReadMeDependenciesList.remoteReferences | Where-Object { $templateReferences.remoteReferences -notcontains $_ } - $differentiatingItems.Count | Should -Be 0 -Because ('list of excess remote template references defined in the ReadMe file [{0}] should be empty.' -f ($differentiatingItems -join ',')) - } - } - It '[] `Set-ModuleReadMe` script should not apply any updates.' -TestCases $readmeFileTestCases { param( @@ -662,7 +377,7 @@ Describe 'Module tests' -Tag 'Module' { $fileHashBefore = (Get-FileHash $readMeFilePath).Hash # Load function - . (Join-Path $repoRootPath 'utilities' 'tools' 'Set-ModuleReadMe.ps1') + . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Set-ModuleReadMe.ps1') # Apply update with already compiled template content Set-ModuleReadMe -TemplateFilePath $templateFilePath -TemplateFileContent $templateContent @@ -1257,7 +972,7 @@ Describe 'Module tests' -Tag 'Module' { } $metadataFileTestCases += @{ - moduleFolderName = $resourceTypeIdentifier + moduleFolderName = $moduleFolderName templateFileContent = $templateContent } } diff --git a/utilities/tools/Get-CrossReferencedModuleList.ps1 b/utilities/tools/Get-CrossReferencedModuleList.ps1 index 8153fffce8..5971dd9dc9 100644 --- a/utilities/tools/Get-CrossReferencedModuleList.ps1 +++ b/utilities/tools/Get-CrossReferencedModuleList.ps1 @@ -1,4 +1,5 @@ -<# +#region helper functions +<# .SYNOPSIS Find any nested dependency recursively 
@@ -51,8 +52,11 @@ This includes local references, online/remote references & resource deployments
 .PARAMETER ModuleTemplateFilePath
 Mandatory. The path to the template to search the references for
+.PARAMETER TemplateMap
+Mandatory. The hashtable of templatePath-templateContent to search in
+
 .EXAMPLE
-Get-ReferenceObject -ModuleTemplateFilePath 'C:\dev\key-vault\vault\main.bicep'
+Get-ReferenceObject -ModuleTemplateFilePath 'C:\dev\key-vault\vault\main.bicep' -TemplateMap @{ 'C:\modules\key-vault\vault\main.bicep' = @{ '$schema' = '...'; parameters = @( ... ); resources = @{ ... } } }
 Search all references for module 'key-vault\vault'
 #>
@@ -61,12 +65,14 @@ function Get-ReferenceObject {
 [CmdletBinding()]
 param (
 [Parameter(Mandatory = $true)]
- [string] $ModuleTemplateFilePath
+ [string] $ModuleTemplateFilePath,
+
+ [Parameter(Mandatory = $true)]
+ [hashtable] $TemplateMap
 )
 . (Join-Path (Get-Item $PSScriptRoot).Parent 'pipelines' 'sharedScripts' 'Get-LocallyReferencedFileList.ps1')
-
- $involvedFilePaths = Get-LocallyReferencedFileList -FilePath $ModuleTemplateFilePath
+ $involvedFilePaths = Get-LocallyReferencedFileList -FilePath $ModuleTemplateFilePath -TemplateMap $TemplateMap
 $resultSet = @{
 resourceReferences = @()
@@ -83,7 +89,7 @@ function Get-ReferenceObject {
 }
 foreach ($involvedFilePath in (@($ModuleTemplateFilePath) + @($involvedFilePaths))) {
- $moduleContent = Get-Content -Path $involvedFilePath
+ $moduleContent = $TemplateMap[$involvedFilePath]
 $resultSet.resourceReferences += @() + $moduleContent | Where-Object { $_ -match "^resource .+ '(.+)' .+$" } | ForEach-Object { $matches[1] }
 $resultSet.remoteReferences += @() + $moduleContent | Where-Object { $_ -match "^module .+ '(.+:.+)' .+$" } | ForEach-Object { $matches[1] }
@@ -95,6 +101,8 @@ function Get-ReferenceObject {
 localPathReferences = $resultSet.localPathReferences | Sort-Object -Unique
 }
 }
+#endregion
+
 <#
 .SYNOPSIS
 Get a list of all resource/module references in a given module path
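Review bot: `$moduleContent = $TemplateMap[$involvedFilePath]` in the foreach of the `@@ -83,7 +89,7 @@` hunk yields `$null` without any error when a path returned by Get-LocallyReferencedFileList is not a key of the map (a different path form, or a template outside the folder the caller scanned), so that file silently contributes no resource or module references and the cross-reference list is quietly incomplete; the Get-Content call it replaces would have failed loudly. Consider guarding the lookup with `if (-not $TemplateMap.ContainsKey($involvedFilePath)) { throw "Template [$involvedFilePath] is missing from TemplateMap" }` before the assignment. Get-ReferenceObject's body continues outside the hunk.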
@@ -102,12 +110,10 @@ Get a list of all resource/module references in a given module path
 .DESCRIPTION
 As an output you will receive a hashtable that (for each provider namespace) lists the
 - Directly deployed resources (e.g. via "resource myDeployment 'Microsoft.(..)/(..)@(..)'")
-- Linked local module templates (e.g. via "module myDeployment '../../main.bicep'")
 - Linked remote module tempaltes (e.g. via "module rg 'br/modules:(..):(..)'")
 .PARAMETER Path
-Optional. The path to search in. Defaults to the 'modules' folder.
-Note, any local references will only be searched within this path too.
+Optional. The path to search in. Defaults to the 'res' folder.
 .EXAMPLE
 Get-CrossReferencedModuleList
@@ -118,9 +124,10 @@ Invoke the function with the default path. Returns an object such as:
 "localPathReferences": [
 recovery-service/vault/protection-container/protected-item
 network/public-ip-address
- network/network-interface
 ],
- "remoteReferences": null,
+ "remoteReferences": [
+ "avm-res-network-networkinterface"
+ ],
 "resourceReferences": [
 "Microsoft.Resources/deployments@2021-04-01",
 "Microsoft.Compute/availabilitySets@2021-07-01",
@@ -142,16 +149,23 @@ function Get-CrossReferencedModuleList {
 [CmdletBinding()]
 param (
 [Parameter()]
- [string] $Path = (Join-Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) 'modules')
+ [string] $Path = (Join-Path (Get-Item $PSScriptRoot).Parent.Parent 'modules')
 )
- $repoRoot = ($Path -split '[\/|\\]{1}modules[\/|\\]{1}')[0]
+ $repoRoot = ($Path -split '[\/|\\]{1}modules[\/|\\]?')[0]
 $resultSet = [ordered]@{}
- $moduleTemplatePaths = (Get-ChildItem -Path $Path -Recurse -File -Filter 'main.bicep').FullName
+ # Collect data
+ $moduleTemplatePaths = (Get-ChildItem -Path $path -Recurse -File -Filter 'main.bicep').FullName
+ $templateMap = @{}
+ foreach ($moduleTemplatePath in $moduleTemplatePaths) {
+ $templateMap[$moduleTemplatePath] = Get-Content -Path $moduleTemplatePath
+ }
+
+ # Process data
 foreach ($moduleTemplatePath in $moduleTemplatePaths) {
- $referenceObject = Get-ReferenceObject -ModuleTemplateFilePath $moduleTemplatePath
+ $referenceObject = Get-ReferenceObject -ModuleTemplateFilePath $moduleTemplatePath -TemplateMap $templateMap
 # Convert local absolute references to relative references
 $referenceObject.localPathReferences = $referenceObject.localPathReferences | ForEach-Object {
diff --git a/utilities/tools/Get-ModulesFeatureOutline.ps1 b/utilities/tools/Get-ModulesFeatureOutline.ps1
index b0d181df11..eea7ecaee9 100644
--- a/utilities/tools/Get-ModulesFeatureOutline.ps1
+++ b/utilities/tools/Get-ModulesFeatureOutline.ps1
@@ -93,7 +93,7 @@ function Get-ModulesFeatureOutline {
 # Load external functions
 . (Join-Path $PSScriptRoot 'helper' 'Get-PipelineStatusUrl.ps1')
- . (Join-Path $PSScriptRoot 'helper' 'Get-SpecsAlignedResourceName.ps1')
+ . (Join-Path (Split-Path $PSScriptRoot) 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1')
 if ($OnlyTopLevel) {
 $moduleTemplatePaths = (Get-ChildItem $ModuleFolderPath -Recurse -Filter 'main.bicep' -Depth 2).FullName
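Review bot: The new default `[string] $Path = (Join-Path (Get-Item $PSScriptRoot).Parent.Parent 'modules')` and the `$repoRoot` split pattern still anchor on `modules`, while the `.PARAMETER Path` help rewritten in this file's earlier `@@ -102,12 +110,10 @@` hunk now says the default is the 'res' folder, so help and code disagree; either the path pieces should change or the help text should go back to 'modules'. `Get-ChildItem -Path $path` also uses a different casing than the `$Path` parameter — PowerShell resolves it, but matching the declared casing avoids it reading as an undefined variable. Get-CrossReferencedModuleList's body continues outside the hunk.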
diff --git a/utilities/tools/Set-Module.ps1 b/utilities/tools/Set-Module.ps1
new file mode 100644
index 0000000000..4d322caa90
--- /dev/null
+++ b/utilities/tools/Set-Module.ps1
@@ -0,0 +1,168 @@
+#requires -version 7.3
+<#
+.SYNOPSIS
+Create/update all content of an AVM module that can be generated for the user
+
+.DESCRIPTION
+Create/update all content of an AVM module that can be generated for the user
+This includes
+- The `main.json` template(s)
+- The `README.md` file(s)
+
+.PARAMETER ModuleFolderPath
+Mandatory. The path to the module folder to generate the content for.
+
+.PARAMETER Recurse
+Optional. Set this parameter if you not only want to generate the content for one module, but also any nested module in the same path.
+
+.PARAMETER Depth
+Optional. Recursion depth for the module search.
+
+.PARAMETER SkipBuild
+Optional. Set this parameter if you don't want to build/compile the JSON template(s) for the contained `main.bicep` file(s).
+
+.PARAMETER SkipReadMe
+Optional. Set this parameter if you don't want to generate the ReadMe file(s) for the module(s).
+
+.PARAMETER SkipFileAndFolderSetup
+Optional. Set this parameter if you don't want to setup the file & folder structure for the module(s).
+
+.PARAMETER ThrottleLimit
+Optional. The number of parallel threads to use for the generation. Defaults to 5.
+
+.EXAMPLE
+Set-Module -ModuleFolderPath 'C:\avm\res\key-vault\vault'
+
+For the [key-vault\vault] module, build the Bicep module template & generate its ReadMe.
+
+.EXAMPLE
+Set-Module -ModuleFolderPath 'C:\avm\res\key-vault\vault' -Recurse
+
+For the [key-vault\vault] module or any of its children, build the Bicep module template & generate the ReadMe.
+
+.EXAMPLE
+Set-Module -ModuleFolderPath 'C:\avm\res\key-vault\vault' -Recurse -SkipReadMe
+
+For the [key-vault\vault] module or any of its children, build only the Bicep module template.
+
+.EXAMPLE
+Set-Module -ModuleFolderPath 'C:\avm\res' -Recurse
+
+For all modules in path [C:\avm\res], build the Bicep module template & generate the ReadMe.
+#>
+function Set-Module {
+
+ [CmdletBinding(SupportsShouldProcess = $true)]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string] $ModuleFolderPath,
+
+ [Parameter(Mandatory = $false)]
+ [switch] $Recurse,
+
+ [Parameter(Mandatory = $false)]
+ [switch] $SkipBuild,
+
+ [Parameter(Mandatory = $false)]
+ [switch] $SkipReadMe,
+
+ [Parameter(Mandatory = $false)]
+ [switch] $SkipFileAndFolderSetup,
+
+ [Parameter(Mandatory = $false)]
+ [int] $ThrottleLimit = 5,
+
+ [Parameter(Mandatory = $false)]
+ [int] $Depth
+ )
+
+ # # Load helper scripts
+ # . (Join-Path $PSScriptRoot 'helper' 'Set-ModuleFileAndFolderSetup.ps1')
+
+ $resolvedPath = (Resolve-Path $ModuleFolderPath).Path
+
+ # Build up module file & folder structure if not yet existing. Should only run if an actual module path was provided (and not any of their parent paths)
+ # if (-not $SkipFileAndFolderSetup -and ((($resolvedPath -split '\bavm\b')[1].Trim('\,/') -split '[\/|\\]').Count -gt 2)) {
+ # if ($PSCmdlet.ShouldProcess("File & folder structure for path [$resolvedPath]", "Setup")) {
+ # Set-ModuleFileAndFolderSetup -FullModuleFolderPath $resolvedPath
+ # }
+ # }
+
+ if ($Recurse) {
+ $childInput = @{
+ Path = $resolvedPath
+ Recurse = $Recurse
+ File = $true
+ Filter = 'main.bicep'
+ }
+ if ($Depth) {
+ $childInput.Depth = $Depth
+ }
+ $relevantTemplatePaths = (Get-ChildItem @childInput).FullName
+ } else {
+ $relevantTemplatePaths = Join-Path $resolvedPath 'main.bicep'
+ }
+
+ # Load recurring information we'll need for the modules
+ if (-not $SkipReadMe) {
+ .
(Join-Path $PSScriptRoot 'Get-CrossReferencedModuleList.ps1')
+ # load cross-references
+ $crossReferencedModuleList = Get-CrossReferencedModuleList
+
+ # create reference as it must be loaded in the thread to work
+ $ReadMeScriptFilePath = (Join-Path (Get-Item $PSScriptRoot).Parent.FullName 'pipelines' 'sharedScripts' 'Set-ModuleReadMe.ps1')
+ }
+
+ # Using threading to speed up the process
+ if ($PSCmdlet.ShouldProcess(('Building & generation of [{0}] modules in path [{1}]' -f $relevantTemplatePaths.Count, $resolvedPath), 'Execute')) {
+ try {
+ $job = $relevantTemplatePaths | ForEach-Object -ThrottleLimit $ThrottleLimit -AsJob -Parallel {
+ $resourceTypeIdentifier = ((Split-Path $_) -split '[\/|\\]{1}modules[\/|\\]{1}')[1] # avm/res//
+
+ . $using:ReadMeScriptFilePath
+
+ ###############
+ ## Build ##
+ ###############
+ if (-not $using:SkipBuild) {
+ Write-Output "Building [$resourceTypeIdentifier]"
+ bicep build $_
+ }
+
+ ################
+ ## ReadMe ##
+ ################
+ if (-not $using:SkipReadMe) {
+ Write-Output "Generating readme for [$resourceTypeIdentifier]"
+
+ # If the template was just build, we can pass the JSON into the readme script to be more efficient
+ $readmeTemplateFilePath = (-not $using:SkipBuild) ? (Join-Path (Split-Path $_ -Parent) 'main.json') : $_
+
+ Set-ModuleReadMe -TemplateFilePath $readmeTemplateFilePath -CrossReferencedModuleList $using:crossReferencedModuleList
+ }
+ }
+
+ do {
+ # Sleep a bit to allow the threads to run - adjust as desired.
+ Start-Sleep -Seconds 0.5
+
+ # Determine how many jobs have completed so far.
+ $completedJobsCount = ($job.ChildJobs | Where-Object { $_.State -notin @('NotStarted', 'Running') }).Count
+
+ # Relay any pending output from the child jobs.
+ $job | Receive-Job
+
+ # Update the progress display.
+ [int] $percent = ($completedJobsCount / $job.ChildJobs.Count) * 100
+ Write-Progress -Activity ("Processed [$completedJobsCount/{0}] files" -f $relevantTemplatePaths.Count) -Status "$percent% complete" -PercentComplete $percent
+
+ } while ($completedJobsCount -lt $job.ChildJobs.Count)
+
+ # Clean up the job.
+ $job | Remove-Job
+ } finally {
+ # In case the user cancelled the process, we need to make sure to stop all running jobs
+ $job | Remove-Job -Force -ErrorAction 'SilentlyContinue'
+ }
+ }
+}
diff --git a/utilities/tools/helper/Get-ModulesAsMarkdownTable.ps1 b/utilities/tools/helper/Get-ModulesAsMarkdownTable.ps1
index 7b4baa2d6f..acb027f6bb 100644
--- a/utilities/tools/helper/Get-ModulesAsMarkdownTable.ps1
+++ b/utilities/tools/helper/Get-ModulesAsMarkdownTable.ps1
@@ -428,8 +429,9 @@ function Get-ModulesAsMarkdownTable {
 )
 # Load external functions
- . (Join-Path $PSScriptRoot 'Get-PipelineStatusUrl.ps1')
- . (Join-Path $PSScriptRoot 'Get-SpecsAlignedResourceName.ps1')
+ $utilitiesRoot = (Get-Item -Path $PSScriptRoot).Parent.Parent
+ . (Join-Path $utilitiesRoot 'tools' 'helper' 'Get-PipelineStatusUrl.ps1')
+ . (Join-Path $utilitiesRoot 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1')
 # Header
 # ------
diff --git a/utilities/tools/helper/Get-PipelineFileName.ps1 b/utilities/tools/helper/Get-PipelineFileName.ps1
index 032a14d5d9..2072eb02a2 100644
--- a/utilities/tools/helper/Get-PipelineFileName.ps1
+++ b/utilities/tools/helper/Get-PipelineFileName.ps1
@@ -27,7 +27,8 @@ function Get-PipelineFileName {
 [string] $ResourceIdentifier
 )
- . (Join-Path $PSScriptRoot 'Get-SpecsAlignedResourceName.ps1')
+ $utilitiesRoot = (Get-Item -Path $PSScriptRoot).Parent.Parent
+ . (Join-Path $utilitiesRoot 'pipelines' 'sharedScripts' 'helper' 'Get-SpecsAlignedResourceName.ps1')
 $provider, $parentType, $childTypeString = $ResourceIdentifier -split '[\/|\\]', 3
 $parentResourceIdentifier = $provider, $parentType -join '/'
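Review bot: `bicep build $_` inside the parallel block never checks `$LASTEXITCODE`, so a failed compile surfaces only as relayed job output while the ReadMe step still runs against whatever `main.json` is on disk (presumably a stale build, since `$readmeTemplateFilePath` points at it whenever `SkipBuild` is off); add `if ($LASTEXITCODE -ne 0) { throw "bicep build failed for [$_]" }` directly after the call. The progress loop also divides by `$job.ChildJobs.Count`, which is 0 when no `main.bicep` is found under the path, so the user gets a division-by-zero error rather than a clear message — an early `if (-not $relevantTemplatePaths) { Write-Warning "No main.bicep found in [$resolvedPath]"; return }` after the path collection avoids that. Finally, the `SkipFileAndFolderSetup` switch is documented as active in the help block, but its only use is the commented-out setup block, so the `.PARAMETER SkipFileAndFolderSetup` text should state that it currently has no effect.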
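Review bot: `$utilitiesRoot = (Get-Item -Path $PSScriptRoot).Parent.Parent` leaves a DirectoryInfo object in the variable and relies on its string conversion when it reaches Join-Path, whereas Set-Module.ps1 in the same commit spells out `.Parent.FullName` for the same purpose; appending `.FullName` here and in the identical line of the Get-PipelineFileName.ps1 hunk keeps the intent explicit and the commit consistent. Both functions' bodies continue outside their hunks.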
diff --git a/utilities/tools/platform/Set-ModuleOverviewTable.ps1 b/utilities/tools/platform/Set-ModuleOverviewTable.ps1
index 965678fbfd..5e5a67e471 100644
--- a/utilities/tools/platform/Set-ModuleOverviewTable.ps1
+++ b/utilities/tools/platform/Set-ModuleOverviewTable.ps1
@@ -54,9 +54,9 @@ function Set-ModuleOverviewTable {
 )
 # Load external functions
- $toolsRoot = Split-Path $PSScriptRoot -Parent
- . (Join-Path $toolsRoot 'helper' 'Merge-FileWithNewContent.ps1')
- . (Join-Path $toolsRoot 'Get-ModulesFeatureOutline.ps1')
+ $utilitiesRoot = Split-Path (Split-Path $PSScriptRoot)
+ . (Join-Path $utilitiesRoot 'pipelines' 'sharedScripts' 'helper' 'Merge-FileWithNewContent.ps1')
+ . (Join-Path $utilitiesRoot 'tools' 'Get-ModulesFeatureOutline.ps1')
 # Logic
 $originalContentArray = Get-Content -Path $markdownFilePath
diff --git a/utilities/tools/platform/Set-ReadMeModuleTable.ps1 b/utilities/tools/platform/Set-ReadMeModuleTable.ps1
index f2968f085e..d1e7c296bc 100644
--- a/utilities/tools/platform/Set-ReadMeModuleTable.ps1
+++ b/utilities/tools/platform/Set-ReadMeModuleTable.ps1
@@ -65,9 +65,9 @@ function Set-ReadMeModuleTable {
 )
 # Load external functions
- $toolsRoot = Split-Path $PSScriptRoot -Parent
- . (Join-Path $toolsRoot 'helper' 'Merge-FileWithNewContent.ps1')
- . (Join-Path $toolsRoot 'helper' 'Get-ModulesAsMarkdownTable.ps1')
+ $utilitiesRoot = Split-Path (Split-Path $PSScriptRoot)
+ . (Join-Path $utilitiesRoot 'pipelines' 'sharedScripts' 'helper' 'Merge-FileWithNewContent.ps1')
+ . (Join-Path $utilitiesRoot 'tools' 'helper' 'Get-ModulesAsMarkdownTable.ps1')
 # Logic
 $contentArray = Get-Content -Path $FilePath
diff --git a/utilities/tools/platform/Set-ReadMePlatformTable.ps1 b/utilities/tools/platform/Set-ReadMePlatformTable.ps1
index b238dfbdf1..dcfc8baf43 100644
--- a/utilities/tools/platform/Set-ReadMePlatformTable.ps1
+++ b/utilities/tools/platform/Set-ReadMePlatformTable.ps1
@@ -53,10 +53,13 @@ function Set-ReadMePlatformTable {
 # Load external functions
 $repoRoot = (Get-Item $PSScriptRoot).Parent.Parent.Parent.FullName
- . (Join-Path $repoRoot 'utilities' 'tools' 'helper' 'Merge-FileWithNewContent.ps1')
+ . (Join-Path $repoRoot 'utilities' 'pipelines' 'sharedScripts' 'helper' 'Merge-FileWithNewContent.ps1')
 . (Join-Path $repoRoot 'utilities' 'tools' 'helper' 'Get-PipelineStatusUrl.ps1')
 . (Join-Path $repoRoot 'utilities' 'tools' 'helper' 'Get-PipelineNameFromFile.ps1')
+
+
+
 # Logic
 $contentArray = Get-Content -Path $FilePath
diff --git a/utilities/tools/platform/Set-StaticTestDocumentation.ps1 b/utilities/tools/platform/Set-StaticTestDocumentation.ps1
index f6b01e7741..503c9bc0e9 100644
--- a/utilities/tools/platform/Set-StaticTestDocumentation.ps1
+++ b/utilities/tools/platform/Set-StaticTestDocumentation.ps1
@@ -76,8 +76,8 @@ function Set-StaticTestDocumentation {
 )
 # Load external functions
- $toolsRoot = Split-Path $PSScriptRoot -Parent
- . (Join-Path $toolsRoot 'helper' 'Merge-FileWithNewContent.ps1')
+ $utilitiesRoot = Split-Path (Split-Path $PSScriptRoot)
+ . (Join-Path $utilitiesRoot 'pipelines' 'sharedScripts' 'helper' 'Merge-FileWithNewContent.ps1')
 # Logic
 $contentArray = Get-Content -Path $WikiFilePath
From 507d8c0f651f44156663f9f12942d2748a08353d Mon Sep 17 00:00:00 2001
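Review bot: The three added blank lines between the `Get-PipelineNameFromFile.ps1` dot-source and `# Logic` in the Set-ReadMePlatformTable hunk are stray whitespace; the sibling files touched in this commit keep a single blank line before `# Logic`, so two of them should be dropped for consistency. Set-ReadMePlatformTable's body continues outside the hunk.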
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 18 Oct 2023 08:42:08 +1100
Subject: [PATCH 030/178] [Modules] Update the SQL - Server module API version to the latest documented version (#4102)
* [Modules] Updated SQL Server API to latest documented
* jsons
* updated readme
---
 .../.bicep/nested_roleAssignments.bicep | 2 +-
 modules/sql/server/README.md | 14 ++++----
 modules/sql/server/database/README.md | 11 ++++++-
 modules/sql/server/database/main.bicep | 13 ++++++--
 modules/sql/server/database/main.json | 19 +++++++++--
 modules/sql/server/elastic-pool/README.md | 2 +-
 modules/sql/server/elastic-pool/main.bicep | 4 +--
 modules/sql/server/elastic-pool/main.json | 6 ++--
 .../sql/server/encryption-protector/README.md | 2 +-
 .../server/encryption-protector/main.bicep | 4 +--
 .../sql/server/encryption-protector/main.json | 4 +--
 modules/sql/server/firewall-rule/README.md | 2 +-
 modules/sql/server/firewall-rule/main.bicep | 4 +--
 modules/sql/server/firewall-rule/main.json | 4 +--
 modules/sql/server/main.json | 33 +++++++++++++------
 .../server/security-alert-policy/README.md | 2 +-
 .../server/security-alert-policy/main.bicep | 4 +--
 .../server/security-alert-policy/main.json | 4 +--
 .../sql/server/virtual-network-rule/README.md | 2 +-
 .../server/virtual-network-rule/main.bicep | 4 +--
 .../sql/server/virtual-network-rule/main.json | 4 +--
 .../server/vulnerability-assessment/README.md | 2 +-
 .../vulnerability-assessment/main.bicep | 4 +--
 .../server/vulnerability-assessment/main.json | 4 +--
 24 files changed, 99 insertions(+), 55 deletions(-)
diff --git a/modules/sql/server/.bicep/nested_roleAssignments.bicep b/modules/sql/server/.bicep/nested_roleAssignments.bicep
index 0468e9e747..b4734d4462 100644
--- a/modules/sql/server/.bicep/nested_roleAssignments.bicep
+++ b/modules/sql/server/.bicep/nested_roleAssignments.bicep
@@ -56,7 +56,7 @@ var builtInRoleNames = {
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
-resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
 name: last(split(resourceId, '/'))!
 }
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index c19646e425..36bc8f5f0a 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -21,16 +21,16 @@ This module deploys an Azure SQL Server.
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Sql/servers` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers) |
-| `Microsoft.Sql/servers/databases` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/databases) |
+| `Microsoft.Sql/servers/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases) |
 | `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
-| `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) |
-| `Microsoft.Sql/servers/encryptionProtector` | [2022-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/servers/encryptionProtector) |
-| `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
+| `Microsoft.Sql/servers/elasticPools` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/elasticPools) |
+| 
`Microsoft.Sql/servers/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/encryptionProtector) |
+| `Microsoft.Sql/servers/firewallRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) |
-| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
-| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) |
-| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/vulnerabilityAssessments) |
+| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/securityAlertPolicies) |
+| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/virtualNetworkRules) |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/vulnerabilityAssessments) |
 ## Usage examples
diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md
index e6ac170a59..73ac2bae07 100644
--- a/modules/sql/server/database/README.md
+++ b/modules/sql/server/database/README.md
@@ -14,7 +14,7 @@ This module deploys an Azure SQL Server Database.
 | Resource Type | API Version |
 | :-- | :-- |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Sql/servers/databases` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/databases) |
+| `Microsoft.Sql/servers/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases) |
 | `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
@@ -57,6 +57,7 @@ This module deploys an Azure SQL Server Database.
 | [`maintenanceConfigurationId`](#parameter-maintenanceconfigurationid) | string | Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. |
 | [`maxSizeBytes`](#parameter-maxsizebytes) | int | The max size of the database expressed in bytes. |
 | [`minCapacity`](#parameter-mincapacity) | string | Minimal capacity that database will always have allocated. |
+| [`preferredEnclaveType`](#parameter-preferredenclavetype) | string | Type of enclave requested on the database i.e. Default or VBS enclaves. |
 | [`readScale`](#parameter-readscale) | string | The state of read-only routing. |
 | [`recoveryServicesRecoveryPointResourceId`](#parameter-recoveryservicesrecoverypointresourceid) | string | Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. |
 | [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type to be used to store backups for this database. |
@@ -228,6 +229,14 @@ The name of the database.
 - Required: Yes
 - Type: string
+### Parameter: `preferredEnclaveType`
+
+Type of enclave requested on the database i.e. Default or VBS enclaves.
+- Required: No
+- Type: string
+- Default: `''`
+- Allowed: `['', Default, VBS]`
+
 ### Parameter: `readScale`
 The state of read-only routing.
diff --git a/modules/sql/server/database/main.bicep b/modules/sql/server/database/main.bicep
index d41562b0be..67a545d328 100644
--- a/modules/sql/server/database/main.bicep
+++ b/modules/sql/server/database/main.bicep
@@ -20,6 +20,14 @@ param skuName string = 'GP_Gen5_2'
 @description('Optional. Capacity of the particular SKU.')
 param skuCapacity int = -1
+@description('Optional. Type of enclave requested on the database i.e. Default or VBS enclaves.')
+@allowed([
+ ''
+ 'Default'
+ 'VBS'
+])
+param preferredEnclaveType string = ''
+
 @description('Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here.')
 param skuFamily string = ''
@@ -202,16 +210,17 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource server 'Microsoft.Sql/servers@2021-11-01' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
 name: serverName
 }
-resource database 'Microsoft.Sql/servers/databases@2021-11-01' = {
+resource database 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
 name: name
 parent: server
 location: location
 tags: tags
 properties: {
+ preferredEnclaveType: !empty(preferredEnclaveType) ? preferredEnclaveType : null
 collation: collation
 maxSizeBytes: maxSizeBytes
 sampleName: sampleName
diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json
index 13c0eb69b1..47c37b2299 100644
--- a/modules/sql/server/database/main.json
+++ b/modules/sql/server/database/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7000207485744795208"
+ "templateHash": "14921090017328805601"
 },
 "name": "SQL Server Database",
 "description": "This module deploys an Azure SQL Server Database.",
@@ -52,6 +52,18 @@
 "description": "Optional. Capacity of the particular SKU."
 }
 },
+ "preferredEnclaveType": {
+ "type": "string",
+ "defaultValue": "",
+ "allowedValues": [
+ "",
+ "Default",
+ "VBS"
+ ],
+ "metadata": {
+ "description": "Optional. Type of enclave requested on the database i.e. Default or VBS enclaves."
+ }
+ },
 "skuFamily": {
 "type": "string",
 "defaultValue": "",
@@ -356,11 +368,12 @@
 },
 {
 "type": "Microsoft.Sql/servers/databases",
- "apiVersion": "2021-11-01",
+ "apiVersion": "2022-05-01-preview",
 "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
 "properties": {
+ "preferredEnclaveType": "[if(not(empty(parameters('preferredEnclaveType'))), parameters('preferredEnclaveType'), null())]",
 "collation": "[parameters('collation')]",
 "maxSizeBytes": "[parameters('maxSizeBytes')]",
 "sampleName": "[parameters('sampleName')]",
@@ -688,7 +701,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2021-11-01', 'full').location]"
+ "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md
index a9b07265b1..8cbfe4e622 100644
--- a/modules/sql/server/elastic-pool/README.md
+++ b/modules/sql/server/elastic-pool/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Elastic Pool.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) |
+| `Microsoft.Sql/servers/elasticPools` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/elasticPools) |
 ## Parameters
diff --git a/modules/sql/server/elastic-pool/main.bicep b/modules/sql/server/elastic-pool/main.bicep
index cf9e837f11..0a1246a96d 100644
--- a/modules/sql/server/elastic-pool/main.bicep
+++ b/modules/sql/server/elastic-pool/main.bicep
@@ -66,11 +66,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource server 'Microsoft.Sql/servers@2021-11-01' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
 name: serverName
 }
-resource elasticPool 'Microsoft.Sql/servers/elasticPools@2022-02-01-preview' = {
+resource elasticPool 'Microsoft.Sql/servers/elasticPools@2022-05-01-preview' = {
 name: name
 location: location
 parent: server
diff --git a/modules/sql/server/elastic-pool/main.json b/modules/sql/server/elastic-pool/main.json
index 4f107f39b6..d530033524 100644
--- a/modules/sql/server/elastic-pool/main.json
+++ b/modules/sql/server/elastic-pool/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1361594412163336206"
+ "templateHash": "2069769222124842536"
 },
 "name": "SQL Server Elastic Pool",
 "description": "This module deploys an Azure SQL Server Elastic Pool.",
@@ -144,7 +144,7 @@
 },
 {
 "type": "Microsoft.Sql/servers/elasticPools",
- "apiVersion": "2022-02-01-preview",
+ "apiVersion": "2022-05-01-preview",
 "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
@@ -194,7 +194,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-02-01-preview', 'full').location]"
+ "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/sql/server/encryption-protector/README.md b/modules/sql/server/encryption-protector/README.md
index 435f550d8a..1b0d3b9083 100644
--- a/modules/sql/server/encryption-protector/README.md
+++ b/modules/sql/server/encryption-protector/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Encryption Protector.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/encryptionProtector` | [2022-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/servers/encryptionProtector) |
+| `Microsoft.Sql/servers/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/encryptionProtector) |
 ## Parameters
diff --git a/modules/sql/server/encryption-protector/main.bicep b/modules/sql/server/encryption-protector/main.bicep
index dcf563b936..1f2b50faa3 100644
--- a/modules/sql/server/encryption-protector/main.bicep
+++ b/modules/sql/server/encryption-protector/main.bicep
@@ -33,11 +33,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource sqlServer 'Microsoft.Sql/servers@2022-08-01-preview' existing = {
+resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
 name: sqlServerName
 }
-resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-08-01-preview' = {
+resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-05-01-preview' = {
 name: 'current'
 parent: sqlServer
 properties: {
diff --git a/modules/sql/server/encryption-protector/main.json b/modules/sql/server/encryption-protector/main.json
index 097ded1243..718cfcff2b 100644
--- a/modules/sql/server/encryption-protector/main.json
+++ b/modules/sql/server/encryption-protector/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1128739845456097575"
+ "templateHash": "17224807912051676418"
 },
 "name": "Azure SQL Server Encryption Protector",
 "description": "This module deploys an Azure SQL Server Encryption Protector.",
@@ -67,7 +67,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/encryptionProtector",
-        "apiVersion": "2022-08-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('sqlServerName'), 'current')]",
         "properties": {
           "serverKeyType": "[parameters('serverKeyType')]",
diff --git a/modules/sql/server/firewall-rule/README.md b/modules/sql/server/firewall-rule/README.md
index 02a9a24294..ba542bf482 100644
--- a/modules/sql/server/firewall-rule/README.md
+++ b/modules/sql/server/firewall-rule/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Firewall Rule.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
+| `Microsoft.Sql/servers/firewallRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/firewallRules) |
 ## Parameters
diff --git a/modules/sql/server/firewall-rule/main.bicep b/modules/sql/server/firewall-rule/main.bicep
index 17d4682df0..3cfee2a3f7 100644
--- a/modules/sql/server/firewall-rule/main.bicep
+++ b/modules/sql/server/firewall-rule/main.bicep
@@ -29,11 +29,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
-resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
   name: serverName
 }
-resource firewallRule 'Microsoft.Sql/servers/firewallRules@2022-02-01-preview' = {
+resource firewallRule 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
   name: name
   parent: server
   properties: {
diff --git a/modules/sql/server/firewall-rule/main.json b/modules/sql/server/firewall-rule/main.json
index 4c7a239b94..23cfad9e0d 100644
--- a/modules/sql/server/firewall-rule/main.json
+++ b/modules/sql/server/firewall-rule/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17694214441241917212" + "templateHash": "17045860485834879442" }, "name": "Azure SQL Server Firewall Rule", "description": "This module deploys an Azure SQL Server Firewall Rule.", @@ -63,7 +63,7 @@ }, { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "properties": { "endIpAddress": "[parameters('endIpAddress')]", diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index 37cb2893eb..c7b7b619ef 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -521,6 +521,18 @@ "description": "Optional. Capacity of the particular SKU." } }, + "preferredEnclaveType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "Default", + "VBS" + ], + "metadata": { + "description": "Optional. Type of enclave requested on the database i.e. Default or VBS enclaves." + } + }, "skuFamily": { "type": "string", "defaultValue": "", @@ -825,11 +837,12 @@ }, { "type": "Microsoft.Sql/servers/databases", - "apiVersion": "2021-11-01", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { + "preferredEnclaveType": "[if(not(empty(parameters('preferredEnclaveType'))), parameters('preferredEnclaveType'), null())]", "collation": "[parameters('collation')]", "maxSizeBytes": "[parameters('maxSizeBytes')]", "sampleName": "[parameters('sampleName')]", 
@@ -1157,7 +1170,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2021-11-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]" } } } @@ -1352,7 +1365,7 @@ }, { "type": "Microsoft.Sql/servers/elasticPools", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -1402,7 +1415,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-02-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]" } } } @@ -2066,7 +2079,7 @@ }, { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "properties": { "endIpAddress": "[parameters('endIpAddress')]", @@ -2195,7 +2208,7 @@ }, { "type": "Microsoft.Sql/servers/virtualNetworkRules", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "properties": { "ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]", 
@@ -2367,7 +2380,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/securityAlertPolicies",
-        "apiVersion": "2022-02-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
         "properties": {
           "disabledAlerts": "[parameters('disabledAlerts')]",
@@ -2513,7 +2526,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
-        "apiVersion": "2022-02-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
         "properties": {
           "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]",
@@ -2784,7 +2797,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/encryptionProtector",
-        "apiVersion": "2022-08-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('sqlServerName'), 'current')]",
         "properties": {
           "serverKeyType": "[parameters('serverKeyType')]",
@@ -2861,4 +2874,4 @@
       "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('name')), '2022-05-01-preview', 'full').location]"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/modules/sql/server/security-alert-policy/README.md b/modules/sql/server/security-alert-policy/README.md
index 765094b147..aea40673ca 100644
--- a/modules/sql/server/security-alert-policy/README.md
+++ b/modules/sql/server/security-alert-policy/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Security Alert Policy.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
+| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/securityAlertPolicies) |
 ## Parameters
diff --git a/modules/sql/server/security-alert-policy/main.bicep b/modules/sql/server/security-alert-policy/main.bicep
index ef82c114e2..458579d834 100644
--- a/modules/sql/server/security-alert-policy/main.bicep
+++ b/modules/sql/server/security-alert-policy/main.bicep
@@ -49,11 +49,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
-resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
   name: serverName
 }
-resource securityAlertPolicy 'Microsoft.Sql/servers/securityAlertPolicies@2022-02-01-preview' = {
+resource securityAlertPolicy 'Microsoft.Sql/servers/securityAlertPolicies@2022-05-01-preview' = {
   name: name
   parent: server
   properties: {
diff --git a/modules/sql/server/security-alert-policy/main.json b/modules/sql/server/security-alert-policy/main.json
index 5e45eacbe7..f7e0552ee2 100644
--- a/modules/sql/server/security-alert-policy/main.json
+++ b/modules/sql/server/security-alert-policy/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "13278850436753309790"
+      "templateHash": "6325803563225314820"
     },
     "name": "Azure SQL Server Security Alert Policies",
     "description": "This module deploys an Azure SQL Server Security Alert Policy.",
@@ -102,7 +102,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/securityAlertPolicies",
-        "apiVersion": "2022-02-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
         "properties": {
           "disabledAlerts": "[parameters('disabledAlerts')]",
diff --git a/modules/sql/server/virtual-network-rule/README.md b/modules/sql/server/virtual-network-rule/README.md
index 9124257799..147908a95b 100644
--- a/modules/sql/server/virtual-network-rule/README.md
+++ b/modules/sql/server/virtual-network-rule/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Virtual Network Rule.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) |
+| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/virtualNetworkRules) |
 ## Parameters
diff --git a/modules/sql/server/virtual-network-rule/main.bicep b/modules/sql/server/virtual-network-rule/main.bicep
index 87c7073c6d..ce53442168 100644
--- a/modules/sql/server/virtual-network-rule/main.bicep
+++ b/modules/sql/server/virtual-network-rule/main.bicep
@@ -29,11 +29,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
-resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
   name: serverName
 }
-resource virtualNetworkRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-02-01-preview' = {
+resource virtualNetworkRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-05-01-preview' = {
   name: name
   parent: server
   properties: {
diff --git a/modules/sql/server/virtual-network-rule/main.json b/modules/sql/server/virtual-network-rule/main.json
index b718729e1a..bc545b9b1e 100644
--- a/modules/sql/server/virtual-network-rule/main.json
+++ b/modules/sql/server/virtual-network-rule/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "6942471200332924480"
+      "templateHash": "938348054010287381"
     },
     "name": "Azure SQL Server Virtual Network Rules",
     "description": "This module deploys an Azure SQL Server Virtual Network Rule.",
@@ -62,7 +62,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/virtualNetworkRules",
-        "apiVersion": "2022-02-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
         "properties": {
           "ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]",
diff --git a/modules/sql/server/vulnerability-assessment/README.md b/modules/sql/server/vulnerability-assessment/README.md
index ca920e3719..ba96061893 100644
--- a/modules/sql/server/vulnerability-assessment/README.md
+++ b/modules/sql/server/vulnerability-assessment/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure SQL Server Vulnerability Assessment.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/vulnerabilityAssessments) |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/vulnerabilityAssessments) |
 ## Parameters
diff --git a/modules/sql/server/vulnerability-assessment/main.bicep b/modules/sql/server/vulnerability-assessment/main.bicep
index 8357c30622..7821e1dea5 100644
--- a/modules/sql/server/vulnerability-assessment/main.bicep
+++ b/modules/sql/server/vulnerability-assessment/main.bicep
@@ -35,11 +35,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
-resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
   name: serverName
 }
-resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2022-02-01-preview' = {
+resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2022-05-01-preview' = {
   name: name
   parent: server
   properties: {
diff --git a/modules/sql/server/vulnerability-assessment/main.json b/modules/sql/server/vulnerability-assessment/main.json
index 1e52c4fa98..29a24e8faa 100644
--- a/modules/sql/server/vulnerability-assessment/main.json
+++ b/modules/sql/server/vulnerability-assessment/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "10943798083405880032"
+      "templateHash": "2049927305875122003"
     },
     "name": "Azure SQL Server Vulnerability Assessments",
     "description": "This module deploys an Azure SQL Server Vulnerability Assessment.",
@@ -77,7 +77,7 @@
       },
       {
         "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
-        "apiVersion": "2022-02-01-preview",
+        "apiVersion": "2022-05-01-preview",
         "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
         "properties": {
           "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]",

From 9f9e380009a7a09ff9e1daf0ca64b1c696d5a0a3 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 18 Oct 2023 16:13:59 +1100
Subject: [PATCH 031/178] [Modules] Updated AKS Module API Version (#4103)

* added config

* updated JSON files
---
 .../managed-cluster/README.md                 |  4 +--
 .../managed-cluster/agent-pool/README.md      |  2 +-
 .../managed-cluster/agent-pool/main.bicep     |  4 +--
 .../managed-cluster/agent-pool/main.json      |  4 +--
 .../managed-cluster/main.bicep                |  2 +-
 .../managed-cluster/main.json                 | 28 +++++++++----------
 6 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index 6f6331ad58..9f90a041fc 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -17,8 +17,8 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.ContainerService/managedClusters` | [2023-06-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-06-02-preview/managedClusters) |
-| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-06-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-06-02-preview/managedClusters/agentPools) |
+| `Microsoft.ContainerService/managedClusters` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters) |
+| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) |
 | `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) |
diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md
index 3c02efae7a..860074f5aa 100644
--- a/modules/container-service/managed-cluster/agent-pool/README.md
+++ b/modules/container-service/managed-cluster/agent-pool/README.md
@@ -13,7 +13,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-06-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-06-02-preview/managedClusters/agentPools) |
+| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) |
 ## Parameters
diff --git a/modules/container-service/managed-cluster/agent-pool/main.bicep b/modules/container-service/managed-cluster/agent-pool/main.bicep
index 3f2ebbfa1d..f1ea13e08b 100644
--- a/modules/container-service/managed-cluster/agent-pool/main.bicep
+++ b/modules/container-service/managed-cluster/agent-pool/main.bicep
@@ -173,11 +173,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-06-02-preview' existing = {
+resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-preview' existing = {
   name: managedClusterName
 }
-resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2023-06-02-preview' = {
+resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2023-07-02-preview' = {
   name: name
   parent: managedCluster
   properties: {
diff --git a/modules/container-service/managed-cluster/agent-pool/main.json b/modules/container-service/managed-cluster/agent-pool/main.json
index 9325db5ebe..e1b8d0e5e8 100644
--- a/modules/container-service/managed-cluster/agent-pool/main.json
+++ b/modules/container-service/managed-cluster/agent-pool/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "4102221439423294777"
+      "templateHash": "14295298572292657386"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -335,7 +335,7 @@
       },
       {
         "type": "Microsoft.ContainerService/managedClusters/agentPools",
-        "apiVersion": "2023-06-02-preview",
+        "apiVersion": "2023-07-02-preview",
         "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]",
         "properties": {
           "availabilityZones": "[parameters('availabilityZones')]",
diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep
index f3842b759e..40a4e6e1b9 100644
--- a/modules/container-service/managed-cluster/main.bicep
+++ b/modules/container-service/managed-cluster/main.bicep
@@ -449,7 +449,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena
   }
 }
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-06-02-preview' = {
+resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-preview' = {
   name: name
   location: location
   tags: tags
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index ad17d46755..1636bf303e 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "5840083578872726906"
+      "templateHash": "7077356343713969250"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Clusters",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -854,7 +854,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-06-02-preview", + "apiVersion": "2023-07-02-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -1031,7 +1031,7 @@ "name": "[guid(parameters('dnsZoneResourceId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').ingressProfile.webAppRouting.identity.objectId]", + "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').ingressProfile.webAppRouting.identity.objectId]", "principalType": "ServicePrincipal" }, "dependsOn": [ @@ -1103,7 +1103,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4102221439423294777" + "templateHash": "14295298572292657386" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", @@ -1433,7 +1433,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-06-02-preview", + "apiVersion": "2023-07-02-preview", "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]", "properties": { "availabilityZones": "[parameters('availabilityZones')]", 
@@ -2085,63 +2085,63 @@ "metadata": { "description": "The control plane FQDN of the managed cluster." }, - "value": "[if(parameters('enablePrivateCluster'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').privateFQDN, reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').fqdn)]" + "value": "[if(parameters('enablePrivateCluster'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').privateFQDN, reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').fqdn)]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').identity.principalId, '')]" }, "kubeletidentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the AKS identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview'), 'identityProfile'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').identityProfile, 'kubeletidentity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').identityProfile.kubeletidentity.objectId, ''), '')]" + "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'identityProfile'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').identityProfile, 'kubeletidentity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').identityProfile.kubeletidentity.objectId, ''), '')]" }, "omsagentIdentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the OMS agent identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles, 'omsagent'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.omsagent, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" + "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'omsagent'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.omsagent, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" }, "keyvaultIdentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the Key Vault Secrets Provider identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" + "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" }, "keyvaultIdentityClientId": { "type": "string", "metadata": { "description": "The Client ID of the Key Vault Secrets Provider identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" + "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').location]" }, "oidcIssuerUrl": { "type": "string", "metadata": { "description": "The OIDC token issuer URL." 
}, - "value": "[if(parameters('enableOidcIssuerProfile'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').oidcIssuerProfile.issuerURL, '')]" + "value": "[if(parameters('enableOidcIssuerProfile'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').oidcIssuerProfile.issuerURL, '')]" }, "addonProfiles": { "type": "object", "metadata": { "description": "The addonProfiles of the Kubernetes cluster." }, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview'), 'addonProfiles'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles, createObject())]" + "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, createObject())]" } } } \ No newline at end of file From 07ba69c50d7dbb0054bc914d58c6e3577bfbec3c Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 19 Oct 2023 02:10:54 +1100
Subject: [PATCH 032/178] [Modules] Updated App Configuration Module to use the latest APIs and added support for CMK (#4105)

* [Modules] Updated App Configuration Module API Version and added CMK

* Updated Tests

* Updated

* Updated module
---
 .../.bicep/nested_roleAssignments.bicep       |   4 +-
 .../.test/common/dependencies.bicep           |   3 +
 .../.test/common/main.test.bicep              |   5 +-
 .../.test/encr/dependencies.bicep             |  61 +++++
 .../.test/encr/main.test.bicep                |  98 ++++++++
 .../configuration-store/README.md             | 213 +++++++++++++++++-
 .../.bicep/nested_roleAssignments.bicep       |   2 +-
 .../configuration-store/key-value/README.md   |   2 +-
 .../configuration-store/key-value/main.bicep  |   4 +-
 .../configuration-store/key-value/main.json   |   4 +-
 .../configuration-store/main.bicep            |  36 ++-
 .../configuration-store/main.json             |  47 +++-
 12 files changed, 451 insertions(+), 28 deletions(-)
 create mode 100644 modules/app-configuration/configuration-store/.test/encr/dependencies.bicep
 create mode 100644 modules/app-configuration/configuration-store/.test/encr/main.test.bicep

diff --git a/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep b/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep
index bd3923df33..065a1a3976 100644
--- a/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep
+++ b/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep
@@ -34,6 +34,8 @@ param conditionVersion string = '2.0' param delegatedManagedIdentityResourceId string = '' var builtInRoleNames = { + 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') + 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e') 'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b') 'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -51,7 +53,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = { +resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { name: last(split(resourceId, '/'))! } diff --git a/modules/app-configuration/configuration-store/.test/common/dependencies.bicep b/modules/app-configuration/configuration-store/.test/common/dependencies.bicep index 29b9641692..bd63a95634 100644 --- a/modules/app-configuration/configuration-store/.test/common/dependencies.bicep +++ b/modules/app-configuration/configuration-store/.test/common/dependencies.bicep 
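Review bot: The two entries added at the top of `builtInRoleNames` ('App Compliance Automation Administrator' and 'App Compliance Automation Reader') are not App Configuration roles, so their purpose in a store-scoped role-assignment allow-list is not obvious from this hunk. If the list is produced by the repo's role-discovery tooling (possibly matching on the shared 'App C…' prefix), a one-line comment saying so would stop the next reader from treating it as an intended widening; otherwise they could be dropped, since every name offered here becomes assignable through `roleAssignments` by friendly name. The same two entries appear in the compiled main.json further down, while the key-value module's own `nested_roleAssignments.bicep` later in this patch only receives the API-version bump, which is worth a consistency check.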
@@ -11,3 +11,6 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- @description('The principal ID of the created managed identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index 9c5e54e5f8..8eb3658b39 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep @@ -100,7 +100,10 @@ module testDeployment '../../main.bicep' = { } ] softDeleteRetentionInDays: 1 - systemAssignedIdentity: true + systemAssignedIdentity: false + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/app-configuration/configuration-store/.test/encr/dependencies.bicep b/modules/app-configuration/configuration-store/.test/encr/dependencies.bicep new file mode 100644 index 0000000000..bebad9a289 --- /dev/null +++ b/modules/app-configuration/configuration-store/.test/encr/dependencies.bicep 
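Review bot: Switching the common test to `systemAssignedIdentity: false` plus a user-assigned identity means this test no longer exercises the system-assigned identity path, including the `systemAssignedPrincipalId` output that is updated in main.json later in this patch. Unless the pe or min test covers it (not visible here), consider keeping both on the common test, e.g. `systemAssignedIdentity: true` next to the new `userAssignedIdentities` block, if the module accepts both identity types together. A short comment on why the identity type was switched would also help readers of the test.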
@@ -0,0 +1,61 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true + softDeleteRetentionInDays: 90 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2023-02-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the created encryption key.') +output keyName string = keyVault::key.name 
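Review bot: The test Key Vault sets `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` to `true`, none of which is needed for customer-managed-key wrap/unwrap; the `keyPermissions` assignment of Key Vault Crypto User to the managed identity is what the encryption path relies on. Dropping those three lines keeps the fixture at least-privilege and avoids suggesting to readers that they are prerequisites for CMK. The `// Key Vault Crypto User` comment on the role-definition GUID is good practice; a similar comment on `enablePurgeProtection: true` (which the test's main file notes must be enabled) would explain why this fixture cannot be a plain vault.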
diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep new file mode 100644 index 0000000000..01a2825ad0 --- /dev/null +++ b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep 
@@ -0,0 +1,98 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'accencr' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + 
createMode: 'Default' + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + nestedDependencies.outputs.managedIdentityPrincipalId + ] + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + nestedDependencies.outputs.managedIdentityPrincipalId + ] + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKKeyName: nestedDependencies.outputs.keyName + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } +} diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index fbbd683f2b..bd34bd6772 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md 
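Review bot: `disableLocalAuth: false` deserves a comment in an encryption-focused test, because the same patch documents that `keyValues` 'Requires local authentication to be enabled' and a reader would otherwise expect the hardened value here; suggest `disableLocalAuth: false // keyValues below require local authentication`. The same managed identity is passed both under `userAssignedIdentities` and as `cMKUserAssignedIdentityResourceId`, a coupling the test satisfies by hand; a comment such as `// the CMK identity must also be assigned to the store so it can fetch the key` would make that explicit. The enclosing `testDeployment` module declaration starts earlier in this hunk, on the previous line of the page.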
@@ -14,8 +14,8 @@ This module deploys an App Configuration Store. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.AppConfiguration/configurationStores` | [2021-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores) | -| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) | +| `Microsoft.AppConfiguration/configurationStores` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores) | +| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores/keyValues) | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | @@ -31,8 +31,9 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app-configuration.configuration-store:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Pe](#example-3-pe) +- [Encr](#example-2-encr) +- [Using only defaults](#example-3-using-only-defaults) +- [Pe](#example-4-pe) ### Example 1: _Using large parameter set_ 
@@ -85,12 +86,15 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] softDeleteRetentionInDays: 1 - systemAssignedIdentity: true + systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } + userAssignedIdentities: { + '': {} + } } } ``` @@ -172,7 +176,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "value": 1 }, "systemAssignedIdentity": { - "value": true + "value": false }, "tags": { "value": { @@ -180,6 +184,72 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-accencr' + params: { + // Required parameters + name: 'accencr001' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' + createMode: 'Default' + disableLocalAuth: false + enableDefaultTelemetry: '' + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + value: 'valueName' + } + ] + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + softDeleteRetentionInDays: 1 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} } } } @@ -188,7 +258,93 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

-### Example 2: _Using only defaults_ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "accencr001" + }, + // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, + "createMode": { + "value": "Default" + }, + "disableLocalAuth": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "keyValues": { + "value": [ + { + "contentType": "contentType", + "name": "keyName", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "value": "valueName" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "softDeleteRetentionInDays": { + "value": 1 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ +### Example 3: _Using only defaults_ This instance deploys the module with the minimum set of required parameters. @@ -236,7 +392,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

-### Example 3: _Pe_ +### Example 4: _Pe_

@@ -352,10 +508,19 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Azure App Configuration. | +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | +| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | + **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | +| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | +| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`createMode`](#parameter-createmode) | string | Indicates whether the configuration store need to be recovered. | | [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | 
@@ -367,7 +532,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Property specifying whether protection against purge is enabled for this configuration store. | -| [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. | +| [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. Requires local authentication to be enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | string | Specify the type of lock. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | 
@@ -379,6 +544,34 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | +### Parameter: `cMKKeyName` + +The name of the customer managed key to use for encryption. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKKeyVersion` + +The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `cMKUserAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. +- Required: No +- Type: string +- Default: `''` + ### Parameter: `createMode` Indicates whether the configuration store need to be recovered. @@ -461,7 +654,7 @@ Property specifying whether protection against purge is enabled for this configu ### Parameter: `keyValues` -All Key / Values to create. +All Key / Values to create. Requires local authentication to be enabled. - Required: No - Type: array - Default: `[]` diff --git a/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep b/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep index bd3923df33..2b0b5813ba 100644 --- a/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep +++ b/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep 
@@ -51,7 +51,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = { +resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { name: last(split(resourceId, '/'))! } diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md index 7aba86936e..3fb836e1b5 100644 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ b/modules/app-configuration/configuration-store/key-value/README.md @@ -13,7 +13,7 @@ This module deploys an App Configuration Store Key Value. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) | +| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2023-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2023-03-01/configurationStores/keyValues) | ## Parameters diff --git a/modules/app-configuration/configuration-store/key-value/main.bicep b/modules/app-configuration/configuration-store/key-value/main.bicep index 09c43a245e..199bad6726 100644 --- a/modules/app-configuration/configuration-store/key-value/main.bicep +++ b/modules/app-configuration/configuration-store/key-value/main.bicep 
@@ -32,11 +32,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = { +resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { name: appConfigurationName } -resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2021-10-01-preview' = { +resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2023-03-01' = { name: name parent: appConfiguration properties: { diff --git a/modules/app-configuration/configuration-store/key-value/main.json b/modules/app-configuration/configuration-store/key-value/main.json index bd6ba98307..7737b18021 100644 --- a/modules/app-configuration/configuration-store/key-value/main.json +++ b/modules/app-configuration/configuration-store/key-value/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16698134952769248111" + "templateHash": "16264229277476024063" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -69,7 +69,7 @@ }, { "type": "Microsoft.AppConfiguration/configurationStores/keyValues", - "apiVersion": "2021-10-01-preview", + "apiVersion": "2023-03-01", "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", "properties": { "contentType": "[parameters('contentType')]", diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 8572b9abc3..30ae719fe0 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -47,7 +47,19 @@ param publicNetworkAccess string = '' @maxValue(7) param softDeleteRetentionInDays int = 1 -@description('Optional. All Key / Values to create.') +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption.') +param cMKKeyName string = '' + +@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') +param cMKKeyVersion string = '' + +@description('Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty.') +param cMKUserAssignedIdentityResourceId string = '' + +@description('Optional. All Key / Values to create. Requires local authentication to be enabled.') param keyValues array = [] @description('Optional. Resource ID of the diagnostic storage account.') 
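Review bot: `cMKKeyVaultResourceId` and `cMKUserAssignedIdentityResourceId` are documented as 'Required if "cMKKeyName" is not empty', but nothing in this hunk or in the implementation hunk further down enforces it: with `cMKKeyName` set and either of them left at its default `''`, the compiled `encryption` expression evaluates `split('', '/')[2]` and the deployment fails with an opaque expression error instead of a message naming the missing parameter. If the toolchain in use supports an assertion or validating decorator, a guard tied to `!empty(cMKKeyName)` would surface this at validation time; otherwise the descriptions should at least state that failure mode. A brief `// Customer-managed key (CMK) settings` comment above the four new parameters would also group them for readers.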
@@ -143,7 +155,21 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' = { +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/'))! + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) + + resource cMKKey 'keys@2022-07-01' existing = if (!empty(cMKKeyName)) { + name: cMKKeyName + } +} + +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { + name: last(split(cMKUserAssignedIdentityResourceId, '/'))! + scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) +} + +resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = { name: name location: location tags: tags @@ -155,6 +181,12 @@ resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021 createMode: createMode disableLocalAuth: disableLocalAuth enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection + encryption: !empty(cMKKeyName) ? { + keyVaultProperties: { + keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + identityClientId: cMKUserAssignedIdentity.properties.clientId + } + } : null publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays } diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index 9864464e86..d2673179c6 100644 --- a/modules/app-configuration/configuration-store/main.json 
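Review bot: When `cMKKeyVersion` is empty the `keyIdentifier` is `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, which pins the key version current at deployment time, so the new parameter's description ('the latest key version is used') holds only for that deployment and a later rotation in Key Vault is not picked up until the module is redeployed. If following rotation is intended and the service accepts a version-less identifier, `keyUri` is the value to use; if pinning is intended, the description should say so. Separately, `identityClientId` is taken from `cMKUserAssignedIdentity`, but as far as these hunks show the store only carries that identity if the caller also lists the same resource ID in `userAssignedIdentities` (the encr test does this by hand); either merge it into the store's identity block automatically or state the requirement in the `cMKUserAssignedIdentityResourceId` description. The `configurationStore` resource begins in the first hunk and its `properties` block continues outside the second.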
+++ b/modules/app-configuration/configuration-store/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10110269901043104603" + "templateHash": "9177345783229255097" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", @@ -96,11 +96,39 @@ "description": "Optional. The amount of time in days that the configuration store will be retained when it is soft deleted." } }, + "cMKKeyVaultResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \"cMKKeyName\" is not empty." + } + }, + "cMKKeyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the customer managed key to use for encryption." + } + }, + "cMKKeyVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." + } + }, + "cMKUserAssignedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if \"cMKKeyName\" is not empty." + } + }, "keyValues": { "type": "array", "defaultValue": [], "metadata": { - "description": "Optional. All Key / Values to create." + "description": "Optional. All Key / Values to create. Requires local authentication to be enabled." } }, "diagnosticStorageAccountId": { @@ -251,7 +279,7 @@ }, { "type": "Microsoft.AppConfiguration/configurationStores", - "apiVersion": "2021-10-01-preview", + "apiVersion": "2023-03-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", 
@@ -263,6 +291,7 @@ "createMode": "[parameters('createMode')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", "enablePurgeProtection": "[if(equals(parameters('sku'), 'Free'), false(), parameters('enablePurgeProtection'))]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUriWithVersion), 'identityClientId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKUserAssignedIdentityResourceId'), '/')[2], split(parameters('cMKUserAssignedIdentityResourceId'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('cMKUserAssignedIdentityResourceId'), '/'))), '2023-01-31').clientId)), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), null())]", "softDeleteRetentionInDays": "[if(equals(parameters('sku'), 'Free'), 0, parameters('softDeleteRetentionInDays'))]" } 
@@ -335,7 +364,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16698134952769248111" + "templateHash": "16264229277476024063" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -399,7 +428,7 @@ }, { "type": "Microsoft.AppConfiguration/configurationStores/keyValues", - "apiVersion": "2021-10-01-preview", + "apiVersion": "2023-03-01", "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", "properties": { "contentType": "[parameters('contentType')]", @@ -472,7 +501,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17212866457936326905" + "templateHash": "13848128808282670402" } }, "parameters": { @@ -543,6 +572,8 @@ }, "variables": { "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", "App Configuration Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", "App Configuration Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -1179,14 +1210,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2021-10-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2021-10-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2021-10-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').location]" } } }
\ No newline at end of file
From 5877d75fbbebc006793743a95a09334a2913639c Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Wed, 18 Oct 2023 15:11:30 +0000
Subject: [PATCH 033/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index 24415b24a1..d3d6849cce 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -16,7 +16,7 @@ This section provides an overview of the library's feature set.
 | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 226 |
 | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 141 |
 | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 417 |
-| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 206 |
+| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 |
 | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 176 |
 | 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 135 |
 | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 |
@@ -149,7 +149,7 @@ This section provides an overview of the library's feature set.
 | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 |
 | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 |
 | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 |
-| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24435 |
+| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24460 |
 ## Legend
From 700f436c7111576240e77c717ff9da840030421d Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 19 Oct 2023 06:10:00 +1100
Subject: [PATCH 034/178] [Modules] Updated SQL Managed Instance module API Version (#4104)
---
 .../.bicep/nested_roleAssignments.bicep | 4 +-
 modules/sql/managed-instance/README.md | 18 +++----
 .../managed-instance/administrator/README.md | 2 +-
 .../managed-instance/administrator/main.bicep | 4 +-
 .../managed-instance/administrator/main.json | 4 +-
 .../sql/managed-instance/database/README.md | 6 +--
 .../README.md | 2 +-
 .../main.bicep | 6 +--
 .../main.json | 4 +-
 .../README.md | 2 +-
 .../main.bicep | 6 +--
 .../main.json | 4 +-
 .../sql/managed-instance/database/main.bicep | 4 +-
 .../sql/managed-instance/database/main.json | 14 +++---
 .../encryption-protector/README.md | 2 +-
 .../encryption-protector/main.bicep | 4 +-
 .../encryption-protector/main.json | 4 +-
 modules/sql/managed-instance/key/README.md | 2 +-
 modules/sql/managed-instance/key/main.bicep | 4 +-
 modules/sql/managed-instance/key/main.json | 4 +-
 modules/sql/managed-instance/main.bicep | 2 +-
 modules/sql/managed-instance/main.json | 50 ++++++++++---------
 .../security-alert-policy/README.md | 2 +-
 .../security-alert-policy/main.bicep | 4 +-
 .../security-alert-policy/main.json | 4 +-
 .../.bicep/nested_storageRoleAssignment.bicep | 2 +-
 .../vulnerability-assessment/README.md | 2 +-
 .../vulnerability-assessment/main.bicep | 6 +--
 .../vulnerability-assessment/main.json | 6 +--
 29 files changed, 91 insertions(+), 87 deletions(-)
diff --git a/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep b/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep
index 5d09a8ce07..228bf4e97d 100644
--- a/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep
+++ b/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep
@@ -34,6 +34,8 @@ param conditionVersion string = '2.0'
 param delegatedManagedIdentityResourceId string = ''
 var builtInRoleNames = {
+ 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+ 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
@@ -56,7 +58,7 @@ var builtInRoleNames = {
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: last(split(resourceId, '/'))!
 }
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index 8fcdbe6649..e1ab517342 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
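Review bot: The two role-definition IDs added at the top of `builtInRoleNames` are bare literals with nothing in the file saying where they were taken from, and the same pair is repeated verbatim in this module's compiled `main.json` and in the App Configuration module's `main.json` earlier on this page, so every copy has to be kept correct by hand. Because this map presumably resolves a caller-supplied friendly name to the role definition that gets assigned, a wrong or stale ID here assigns a role other than the one the name promises, and nothing in the template would flag it. A short comment above the map would help the next editor keep the copies aligned, e.g. `// Friendly name -> built-in role definition ID. Keep in sync with the published built-in roles and with the sibling modules' role maps.`. The second hunk only moves the `managedInstance` existing resource to the newer API version.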
@@ -18,15 +18,15 @@ This module deploys a SQL Managed Instance.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Sql/managedInstances` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances) |
-| `Microsoft.Sql/managedInstances/administrators` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/administrators) |
-| `Microsoft.Sql/managedInstances/databases` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases) |
-| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
-| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
-| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/encryptionProtector) |
-| `Microsoft.Sql/managedInstances/keys` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/keys) |
-| 
`Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/securityAlertPolicies) |
-| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) |
+| `Microsoft.Sql/managedInstances` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances) |
+| `Microsoft.Sql/managedInstances/administrators` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/administrators) |
+| `Microsoft.Sql/managedInstances/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases) |
+| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/encryptionProtector) |
+| `Microsoft.Sql/managedInstances/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/keys) |
+| `Microsoft.Sql/managedInstances/securityAlertPolicies` | 
[2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/securityAlertPolicies) |
+| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/vulnerabilityAssessments) |
 ## Usage examples
diff --git a/modules/sql/managed-instance/administrator/README.md b/modules/sql/managed-instance/administrator/README.md
index e14642b81c..8382a3a1c6 100644
--- a/modules/sql/managed-instance/administrator/README.md
+++ b/modules/sql/managed-instance/administrator/README.md
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Administrator.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/managedInstances/administrators` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/administrators) |
+| `Microsoft.Sql/managedInstances/administrators` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/administrators) |
 ## Parameters
diff --git a/modules/sql/managed-instance/administrator/main.bicep b/modules/sql/managed-instance/administrator/main.bicep
index 60c82beb76..ccac8ce6ed 100644
--- a/modules/sql/managed-instance/administrator/main.bicep
+++ b/modules/sql/managed-instance/administrator/main.bicep
@@ -29,11 +29,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: managedInstanceName
 }
-resource administrator 'Microsoft.Sql/managedInstances/administrators@2022-02-01-preview' = {
+resource administrator 'Microsoft.Sql/managedInstances/administrators@2022-05-01-preview' = {
 name: 'ActiveDirectory'
 parent: managedInstance
 properties: {
diff --git a/modules/sql/managed-instance/administrator/main.json b/modules/sql/managed-instance/administrator/main.json
index 57f5b1407f..aa680fae76 100644
--- a/modules/sql/managed-instance/administrator/main.json
+++ b/modules/sql/managed-instance/administrator/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15854210755739319953" + "templateHash": "11038010290222457255" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.",
@@ -62,7 +62,7 @@ }, { "type": "Microsoft.Sql/managedInstances/administrators", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]", "properties": { "administratorType": "ActiveDirectory",
diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md
index a4c70e1c9a..bb78204f3f 100644
--- a/modules/sql/managed-instance/database/README.md
+++ b/modules/sql/managed-instance/database/README.md
@@ -15,9 +15,9 @@ This module deploys a SQL Managed Instance Database.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Sql/managedInstances/databases` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases) |
-| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
-| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/databases` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases) |
+| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
 ## Parameters
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md
index 287c3fbaf2..9456833a1b 100644
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md
+++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Database Backup Long-Term Retention P
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupLongTermRetentionPolicies) |
 ## Parameters
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep
index 330dc0a115..e72c24bfc2 100644
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep
+++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.bicep
@@ -38,15 +38,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: managedInstanceName
- resource managedInstaceDatabase 'databases@2020-02-02-preview' existing = {
+ resource managedInstaceDatabase 'databases@2022-05-01-preview' existing = {
 name: databaseName
 }
 }
-resource backupLongTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies@2022-02-01-preview' = {
+resource backupLongTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies@2022-05-01-preview' = {
 name: name
 parent: managedInstance::managedInstaceDatabase
 properties: {
diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json
index f5ed047237..e6b1c504bd 100644
--- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json
+++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15408301285980793830" + "templateHash": "10571563219835680436" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.",
@@ -83,7 +83,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "monthlyRetention": "[parameters('monthlyRetention')]",
diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md
index 7b228f8d1f..85fbd84c25 100644
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md
+++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Database Backup Short-Term Retention
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
+| `Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/databases/backupShortTermRetentionPolicies) |
 ## Parameters
diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep
index 889f469250..3d279edffd 100644
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep
+++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.bicep
@@ -29,15 +29,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: managedInstanceName
- resource managedInstaceDatabase 'databases@2020-02-02-preview' existing = {
+ resource managedInstaceDatabase 'databases@2022-05-01-preview' existing = {
 name: databaseName
 }
 }
-resource backupShortTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies@2022-02-01-preview' = {
+resource backupShortTermRetentionPolicy 'Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies@2022-05-01-preview' = {
 name: name
 parent: managedInstance::managedInstaceDatabase
 properties: {
diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json
index ea00e3c99f..bbbd9a5c3b 100644
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json
+++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14876398050931373256" + "templateHash": "1444574199601154138" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.",
@@ -62,7 +62,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "retentionDays": "[parameters('retentionDays')]"
diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep
index dd6a4914f3..cd6cab2d08 100644
--- a/modules/sql/managed-instance/database/main.bicep
+++ b/modules/sql/managed-instance/database/main.bicep
@@ -122,11 +122,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: managedInstanceName
 }
-resource database 'Microsoft.Sql/managedInstances/databases@2022-02-01-preview' = {
+resource database 'Microsoft.Sql/managedInstances/databases@2022-05-01-preview' = {
 name: name
 parent: managedInstance
 location: location
diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json
index 3b07ade1a8..a22c997575 100644
--- a/modules/sql/managed-instance/database/main.json
+++ b/modules/sql/managed-instance/database/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17690558463959058243" + "templateHash": "6503511608072200864" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.",
@@ -232,7 +232,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]",
@@ -312,7 +312,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14876398050931373256" + "templateHash": "1444574199601154138" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.",
@@ -369,7 +369,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "retentionDays": "[parameters('retentionDays')]"
@@ -440,7 +440,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15408301285980793830" + "templateHash": "10571563219835680436" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.",
@@ -518,7 +518,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "monthlyRetention": "[parameters('monthlyRetention')]",
@@ -585,7 +585,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-02-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-05-01-preview', 'full').location]" } } }
\ No newline at end of file
diff --git a/modules/sql/managed-instance/encryption-protector/README.md b/modules/sql/managed-instance/encryption-protector/README.md
index 47e58ba01b..2b4cd9b2f6 100644
--- a/modules/sql/managed-instance/encryption-protector/README.md
+++ b/modules/sql/managed-instance/encryption-protector/README.md
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Encryption Protector.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/encryptionProtector) |
+| `Microsoft.Sql/managedInstances/encryptionProtector` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/encryptionProtector) |
 ## Parameters
diff --git a/modules/sql/managed-instance/encryption-protector/main.bicep b/modules/sql/managed-instance/encryption-protector/main.bicep
index 043f011caa..3ce435b710 100644
--- a/modules/sql/managed-instance/encryption-protector/main.bicep
+++ b/modules/sql/managed-instance/encryption-protector/main.bicep
@@ -33,11 +33,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = {
+resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = {
 name: managedInstanceName
 }
-resource encryptionProtector 'Microsoft.Sql/managedInstances/encryptionProtector@2022-02-01-preview' = {
+resource encryptionProtector 'Microsoft.Sql/managedInstances/encryptionProtector@2022-05-01-preview' = {
 name: 'current'
 parent: managedInstance
 properties: {
diff --git a/modules/sql/managed-instance/encryption-protector/main.json b/modules/sql/managed-instance/encryption-protector/main.json
index ca49af4351..8ae990e86f 100644
--- a/modules/sql/managed-instance/encryption-protector/main.json
+++ b/modules/sql/managed-instance/encryption-protector/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8970010319946939362" + "templateHash": "368930923603337685" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.",
@@ -67,7 +67,7 @@ }, { "type": "Microsoft.Sql/managedInstances/encryptionProtector", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'current')]", "properties": { "autoRotationEnabled": "[parameters('autoRotationEnabled')]",
diff --git a/modules/sql/managed-instance/key/README.md b/modules/sql/managed-instance/key/README.md
index 139793834e..d820e021e8 100644
--- a/modules/sql/managed-instance/key/README.md
+++ b/modules/sql/managed-instance/key/README.md
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Key.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Sql/managedInstances/keys` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/keys) |
+| `Microsoft.Sql/managedInstances/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/keys) |
 ## Parameters
diff --git a/modules/sql/managed-instance/key/main.bicep b/modules/sql/managed-instance/key/main.bicep
index aa08210566..dd9ac18a17 100644
--- a/modules/sql/managed-instance/key/main.bicep
+++ b/modules/sql/managed-instance/key/main.bicep
@@ -39,11 +39,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = { +resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = { name: managedInstanceName } -resource key 'Microsoft.Sql/managedInstances/keys@2022-02-01-preview' = { +resource key 'Microsoft.Sql/managedInstances/keys@2022-05-01-preview' = { name: !empty(name) ? name : serverKeyName parent: managedInstance properties: { diff --git a/modules/sql/managed-instance/key/main.json b/modules/sql/managed-instance/key/main.json index 7d289bb17b..bb44b47e19 100644 --- a/modules/sql/managed-instance/key/main.json +++ b/modules/sql/managed-instance/key/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18326031332279100252" + "templateHash": "7006376985801799255" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", @@ -71,7 +71,7 @@ }, { "type": "Microsoft.Sql/managedInstances/keys", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", "properties": { "serverKeyType": "[parameters('serverKeyType')]", diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index ac87614828..dadd1e4f71 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep @@ -221,7 +221,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' = { +resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = { name: name location: location identity: identity 
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index b67031103b..8313b95372 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18227197832977916011" + "templateHash": "8514585732181524503" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -406,7 +406,7 @@ }, { "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": "[variables('identity')]", @@ -508,7 +508,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4115807259026871068" + "templateHash": "3370454362462964422" } }, "parameters": { @@ -579,6 +579,8 @@ }, "variables": { "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", 
@@ -654,7 +656,7 @@ "diagnosticStorageAccountId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('databases')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", "diagnosticEventHubName": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", - "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), createObject('value', reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-02-01-preview', 'full').location))]", + "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), createObject('value', reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').location))]", "lock": "[if(contains(parameters('databases')[copyIndex()], 'lock'), createObject('value', parameters('databases')[copyIndex()].lock), createObject('value', ''))]", "longTermRetentionBackupResourceId": "[if(contains(parameters('databases')[copyIndex()], 'longTermRetentionBackupResourceId'), createObject('value', parameters('databases')[copyIndex()].longTermRetentionBackupResourceId), createObject('value', ''))]", "recoverableDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'recoverableDatabaseId'), createObject('value', parameters('databases')[copyIndex()].recoverableDatabaseId), createObject('value', ''))]", 
@@ -678,7 +680,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17690558463959058243" + "templateHash": "6503511608072200864" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -905,7 +907,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -985,7 +987,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14876398050931373256" + "templateHash": "1444574199601154138" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -1042,7 +1044,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "retentionDays": "[parameters('retentionDays')]" @@ -1113,7 +1115,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15408301285980793830" + "templateHash": "10571563219835680436" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", 
@@ -1191,7 +1193,7 @@ }, { "type": "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}/{2}', parameters('managedInstanceName'), parameters('databaseName'), parameters('name'))]", "properties": { "monthlyRetention": "[parameters('monthlyRetention')]", @@ -1258,7 +1260,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-02-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-05-01-preview', 'full').location]" } } } @@ -1297,7 +1299,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "744224666214582478" + "templateHash": "73480634697264424" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", @@ -1359,7 +1361,7 @@ }, { "type": "Microsoft.Sql/managedInstances/securityAlertPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "state": "[parameters('state')]", @@ -1432,7 +1434,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18315887045308503469" + "templateHash": "16419324698366777740" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", 
@@ -1520,7 +1522,7 @@ }, { "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", @@ -1548,7 +1550,7 @@ "value": "[last(variables('splitStorageAccountResourceId'))]" }, "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-02-01-preview', 'full').identity.principalId]" + "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" } }, "template": { @@ -1649,7 +1651,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18326031332279100252" + "templateHash": "7006376985801799255" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", @@ -1715,7 +1717,7 @@ }, { "type": "Microsoft.Sql/managedInstances/keys", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), if(not(empty(parameters('name'))), parameters('name'), variables('serverKeyName')))]", "properties": { "serverKeyType": "[parameters('serverKeyType')]", @@ -1782,7 +1784,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8970010319946939362" + "templateHash": "368930923603337685" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.", 
@@ -1844,7 +1846,7 @@ }, { "type": "Microsoft.Sql/managedInstances/encryptionProtector", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'current')]", "properties": { "autoRotationEnabled": "[parameters('autoRotationEnabled')]", @@ -1915,7 +1917,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15854210755739319953" + "templateHash": "11038010290222457255" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.", @@ -1972,7 +1974,7 @@ }, { "type": "Microsoft.Sql/managedInstances/administrators", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), 'ActiveDirectory')]", "properties": { "administratorType": "ActiveDirectory", 
@@ -2039,14 +2041,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-02-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-02-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-02-01-preview', 'full').location]" + "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/sql/managed-instance/security-alert-policy/README.md b/modules/sql/managed-instance/security-alert-policy/README.md index 7b14687f6d..5d5bf9b072 100644 --- a/modules/sql/managed-instance/security-alert-policy/README.md +++ b/modules/sql/managed-instance/security-alert-policy/README.md 
@@ -13,7 +13,7 @@ This module deploys a SQL Managed Instance Security Alert Policy. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/securityAlertPolicies) | +| `Microsoft.Sql/managedInstances/securityAlertPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/securityAlertPolicies) | ## Parameters diff --git a/modules/sql/managed-instance/security-alert-policy/main.bicep b/modules/sql/managed-instance/security-alert-policy/main.bicep index a8a1918d1b..a0e786183d 100644 --- a/modules/sql/managed-instance/security-alert-policy/main.bicep +++ b/modules/sql/managed-instance/security-alert-policy/main.bicep @@ -33,11 +33,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = { +resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = { name: managedInstanceName } -resource securityAlertPolicy 'Microsoft.Sql/managedInstances/securityAlertPolicies@2022-02-01-preview' = { +resource securityAlertPolicy 'Microsoft.Sql/managedInstances/securityAlertPolicies@2022-05-01-preview' = { name: name parent: managedInstance properties: { diff --git a/modules/sql/managed-instance/security-alert-policy/main.json b/modules/sql/managed-instance/security-alert-policy/main.json index 9aa85a482c..3cc136b702 100644 --- a/modules/sql/managed-instance/security-alert-policy/main.json +++ b/modules/sql/managed-instance/security-alert-policy/main.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "744224666214582478" + "templateHash": "73480634697264424" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", @@ -67,7 +67,7 @@ }, { "type": "Microsoft.Sql/managedInstances/securityAlertPolicies", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "state": "[parameters('state')]", diff --git a/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep b/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep index a6f133a27a..7855e9f142 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep +++ b/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep @@ -1,7 +1,7 @@ param storageAccountName string param managedInstanceIdentityPrincipalId string -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName } diff --git a/modules/sql/managed-instance/vulnerability-assessment/README.md b/modules/sql/managed-instance/vulnerability-assessment/README.md index 52747a9955..f785799af0 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/README.md +++ b/modules/sql/managed-instance/vulnerability-assessment/README.md 
@@ -14,7 +14,7 @@ This module deploys a SQL Managed Instance Vulnerability Assessment. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/vulnerabilityAssessments) | +| `Microsoft.Sql/managedInstances/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/managedInstances/vulnerabilityAssessments) | ## Parameters diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.bicep b/modules/sql/managed-instance/vulnerability-assessment/main.bicep index 61d6360335..522882e99a 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.bicep +++ b/modules/sql/managed-instance/vulnerability-assessment/main.bicep @@ -29,7 +29,7 @@ param createStorageRoleAssignment bool = true @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var splitStorageAccountResourceId = split (storageAccountResourceId, '/') +var splitStorageAccountResourceId = split(storageAccountResourceId, '/') resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -43,7 +43,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource managedInstance 'Microsoft.Sql/managedInstances@2022-02-01-preview' existing = { +resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = { name: managedInstanceName } 
@@ -57,7 +57,7 @@ module storageAccount_sbdc_rbac '.bicep/nested_storageRoleAssignment.bicep' = if } } -resource vulnerabilityAssessment 'Microsoft.Sql/managedInstances/vulnerabilityAssessments@2022-02-01-preview' = { +resource vulnerabilityAssessment 'Microsoft.Sql/managedInstances/vulnerabilityAssessments@2022-05-01-preview' = { name: name parent: managedInstance properties: { diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json index 985b3b0dca..bf1f2597ca 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.json +++ b/modules/sql/managed-instance/vulnerability-assessment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18315887045308503469" + "templateHash": "16419324698366777740" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -93,7 +93,7 @@ }, { "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments", - "apiVersion": "2022-02-01-preview", + "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", @@ -121,7 +121,7 @@ "value": "[last(variables('splitStorageAccountResourceId'))]" }, "managedInstanceIdentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-02-01-preview', 'full').identity.principalId]" + "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" } }, "template": { From f114e2686b9fc07deb1cd24c1a79ea00f5570cef Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Thu, 19 Oct 2023 12:08:05 +0200 Subject: [PATCH 035/178] [Modules/Utilities] Migrated PE from AVM + enabled UDT for nested resources (#4109) * Migrated PE from AVM + enabled UDT for nested resources * Re-added version.json * Updated PE ref * Updated more tests and added rule suppresion * Updated remaining tests * Moved paths * Regenerated all readmes * Small lock update * Adjusted how hash is detected * Update to latest * Added removed telemetry * Update to latest --- bicepconfig.json | 3 + .../.test/pe/dependencies.bicep | 2 +- .../.test/pe/main.test.bicep | 2 +- .../configuration-store/README.md | 4 +- .../configuration-store/main.bicep | 7 +- .../configuration-store/main.json | 419 ++-- .../.test/common/main.test.bicep | 16 +- .../automation/automation-account/README.md | 32 +- .../automation/automation-account/main.bicep | 7 +- .../automation/automation-account/main.json | 419 ++-- .../.test/common/main.test.bicep | 8 +- .../batch-account/.test/encr/main.test.bicep | 8 +- modules/batch/batch-account/README.md | 32 +- modules/batch/batch-account/main.bicep | 7 +- modules/batch/batch-account/main.json | 419 ++-- .../.test/common/dependencies.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- modules/cache/redis-enterprise/README.md | 4 +- modules/cache/redis-enterprise/main.bicep | 7 +- modules/cache/redis-enterprise/main.json | 419 ++-- .../redis/.test/common/dependencies.bicep | 2 +- .../cache/redis/.test/common/main.test.bicep | 2 +- modules/cache/redis/README.md | 4 +- modules/cache/redis/main.bicep | 7 +- modules/cache/redis/main.json | 419 ++-- .../account/.test/common/main.test.bicep | 8 +- .../account/.test/speech/main.test.bicep | 8 +- modules/cognitive-services/account/README.md | 32 +- modules/cognitive-services/account/main.bicep | 7 +- modules/cognitive-services/account/main.json | 419 ++-- .../registry/.test/common/main.test.bicep | 8 +- .../registry/.test/pe/main.test.bicep | 8 +- 
modules/container-registry/registry/README.md | 32 +- .../container-registry/registry/main.bicep | 7 +- modules/container-registry/registry/main.json | 419 ++-- .../factory/.test/common/dependencies.bicep | 2 +- .../factory/.test/common/main.test.bicep | 2 +- modules/data-factory/factory/README.md | 4 +- modules/data-factory/factory/main.bicep | 7 +- modules/data-factory/factory/main.json | 419 ++-- .../workspace/.test/common/dependencies.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- modules/databricks/workspace/README.md | 4 +- modules/databricks/workspace/main.bicep | 7 +- modules/databricks/workspace/main.json | 419 ++-- .../.test/private/dependencies.bicep | 2 +- .../.test/private/main.test.bicep | 2 +- .../.test/private/dependencies.bicep | 2 +- .../.test/private/main.test.bicep | 2 +- .../.test/common/dependencies.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../digital-twins-instance/README.md | 4 +- .../digital-twins-instance/main.bicep | 5 +- .../digital-twins-instance/main.json | 417 ++-- .../.test/sqldb/dependencies.bicep | 2 +- .../.test/sqldb/main.test.bicep | 2 +- .../document-db/database-account/README.md | 4 +- .../document-db/database-account/main.bicep | 7 +- .../document-db/database-account/main.json | 419 ++-- .../domain/.test/common/main.test.bicep | 8 +- .../domain/.test/pe/main.test.bicep | 8 +- modules/event-grid/domain/README.md | 32 +- modules/event-grid/domain/main.bicep | 7 +- modules/event-grid/domain/main.json | 419 ++-- .../topic/.test/common/main.test.bicep | 8 +- .../event-grid/topic/.test/pe/main.test.bicep | 8 +- modules/event-grid/topic/README.md | 32 +- modules/event-grid/topic/main.bicep | 7 +- modules/event-grid/topic/main.json | 419 ++-- .../namespace/.test/common/main.test.bicep | 8 +- .../namespace/.test/pe/main.test.bicep | 8 +- modules/event-hub/namespace/README.md | 32 +- modules/event-hub/namespace/main.bicep | 7 +- modules/event-hub/namespace/main.json | 419 ++-- 
.../.test/common/dependencies.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- modules/insights/private-link-scope/README.md | 4 +- .../insights/private-link-scope/main.bicep | 7 +- modules/insights/private-link-scope/main.json | 419 ++-- .../vault/.test/common/dependencies.bicep | 2 +- .../vault/.test/common/main.test.bicep | 2 +- .../vault/.test/pe/dependencies.bicep | 2 +- .../key-vault/vault/.test/pe/main.test.bicep | 2 +- modules/key-vault/vault/README.md | 8 +- modules/key-vault/vault/main.bicep | 7 +- modules/key-vault/vault/main.json | 419 ++-- .../workspace/.test/common/main.test.bicep | 8 +- .../workspace/.test/encr/main.test.bicep | 8 +- .../workspace/README.md | 32 +- .../workspace/main.bicep | 5 +- .../workspace/main.json | 417 ++-- .../.test/common/main.test.bicep | 8 +- modules/network/application-gateway/README.md | 16 +- .../network/application-gateway/main.bicep | 7 +- modules/network/application-gateway/main.json | 419 ++-- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 20 +- modules/network/private-endpoint/README.md | 162 +- modules/network/private-endpoint/main.bicep | 129 +- modules/network/private-endpoint/main.json | 410 ++-- .../private-dns-zone-group/README.md | 4 +- .../private-dns-zone-group/main.bicep | 16 +- .../private-dns-zone-group/main.json | 4 +- modules/network/private-endpoint/version.json | 2 +- modules/purview/account/main.bicep | 35 +- modules/purview/account/main.json | 2111 ++++++++--------- .../vault/.test/common/dependencies.bicep | 2 +- .../vault/.test/common/main.test.bicep | 2 +- modules/recovery-services/vault/README.md | 4 +- modules/recovery-services/vault/main.bicep | 7 +- modules/recovery-services/vault/main.json | 419 ++-- .../namespace/.test/common/main.test.bicep | 8 +- .../relay/namespace/.test/pe/main.test.bicep | 8 +- modules/relay/namespace/README.md | 32 +- modules/relay/namespace/main.bicep | 7 +- modules/relay/namespace/main.json | 419 ++-- 
.../search-service/.test/pe/main.test.bicep | 14 +- modules/search/search-service/README.md | 28 +- modules/search/search-service/main.bicep | 7 +- modules/search/search-service/main.json | 419 ++-- .../namespace/.test/common/main.test.bicep | 8 +- .../namespace/.test/pe/main.test.bicep | 8 +- modules/service-bus/namespace/README.md | 32 +- modules/service-bus/namespace/main.bicep | 7 +- modules/service-bus/namespace/main.json | 419 ++-- .../signal-r/.test/common/dependencies.bicep | 2 +- .../signal-r/.test/common/main.test.bicep | 2 +- modules/signal-r-service/signal-r/README.md | 4 +- modules/signal-r-service/signal-r/main.bicep | 7 +- modules/signal-r-service/signal-r/main.json | 419 ++-- .../.test/common/dependencies.bicep | 2 +- .../web-pub-sub/.test/common/main.test.bicep | 2 +- .../web-pub-sub/.test/pe/dependencies.bicep | 2 +- .../web-pub-sub/.test/pe/main.test.bicep | 2 +- .../signal-r-service/web-pub-sub/README.md | 8 +- .../signal-r-service/web-pub-sub/main.bicep | 7 +- .../signal-r-service/web-pub-sub/main.json | 419 ++-- .../server/.test/common/dependencies.bicep | 2 +- .../sql/server/.test/common/main.test.bicep | 2 +- .../sql/server/.test/pe/dependencies.bicep | 2 +- modules/sql/server/.test/pe/main.test.bicep | 2 +- modules/sql/server/README.md | 8 +- modules/sql/server/main.bicep | 7 +- modules/sql/server/main.json | 435 ++-- .../.test/common/main.test.bicep | 8 +- .../.test/encr/main.test.bicep | 8 +- modules/storage/storage-account/README.md | 32 +- modules/storage/storage-account/main.bicep | 7 +- modules/storage/storage-account/main.json | 419 ++-- .../.test/common/dependencies.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- modules/synapse/private-link-hub/README.md | 4 +- modules/synapse/private-link-hub/main.bicep | 7 +- modules/synapse/private-link-hub/main.json | 419 ++-- .../workspace/.test/common/dependencies.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- modules/synapse/workspace/README.md | 4 +- 
modules/synapse/workspace/main.bicep | 7 +-
modules/synapse/workspace/main.json | 419 ++--
.../.test/functionAppCommon/main.test.bicep | 8 +-
.../site/.test/webAppCommon/main.test.bicep | 8 +-
modules/web/site/README.md | 32 +-
modules/web/site/main.bicep | 7 +-
modules/web/site/main.json | 836 +++----
modules/web/site/slot/main.bicep | 5 +-
modules/web/site/slot/main.json | 417 ++--
.../static-site/.test/common/main.test.bicep | 8 +-
modules/web/static-site/README.md | 16 +-
modules/web/static-site/main.bicep | 7 +-
modules/web/static-site/main.json | 419 ++--
.../sharedScripts/Get-NestedResourceList.ps1 | 13 +-
.../sharedScripts/Set-ModuleReadMe.ps1 | 68 +-
.../helper/Get-IsParameterRequired.ps1 | 49 +
.../staticValidation/helper/helper.psm1 | 1 +
.../staticValidation/module.tests.ps1 | 31 +-
175 files changed, 8052 insertions(+), 9548 deletions(-)
delete mode 100644 modules/network/private-endpoint/.bicep/nested_roleAssignments.bicep
create mode 100644 utilities/pipelines/sharedScripts/helper/Get-IsParameterRequired.ps1
diff --git a/bicepconfig.json b/bicepconfig.json
index 6a7b736a19..9eb7e0fc3b 100644
--- a/bicepconfig.json
+++ b/bicepconfig.json
@@ -7,6 +7,9 @@
 "rules": {
 "explicit-values-for-loc-params": {
 "level": "off" // Reason: Our modules default to e.g. the location of their parent resource group which is sufficient if deploying a self-contained solution
+ },
+ "no-deployments-resources": {
+ "level": "off" // Reason: The telemetry resource only has a single output and is self-contained in a deployment
 }
 }
 }
diff --git a/modules/app-configuration/configuration-store/.test/pe/dependencies.bicep b/modules/app-configuration/configuration-store/.test/pe/dependencies.bicep
index ab851cae4a..ee93b3e1e3 100644
--- a/modules/app-configuration/configuration-store/.test/pe/dependencies.bicep
+++ b/modules/app-configuration/configuration-store/.test/pe/dependencies.bicep
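Review bot: Turning `no-deployments-resources` off in the root `bicepconfig.json` silences the rule for every template in the repository, while the added comment justifies it only for the telemetry deployment. Bicep's `#disable-next-line no-deployments-resources` directive placed above that one resource would keep the rule active for any other `Microsoft.Resources/deployments` usage that later appears in a module. If per-resource suppression is impractical across all modules, the comment should at least state that the repository-wide scope is deliberate, e.g. `// Reason: every module declares the self-contained telemetry deployment; suppressed globally rather than per resource`.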
@@ -46,4 +46,4 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep index 09174e7625..9dc6bc074a 100644 --- a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep @@ -56,7 +56,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'configurationStores' diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index bd34bd6772..cad35ecf3a 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -413,7 +413,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'configurationStores' @@ -469,7 +469,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "configurationStores", diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 30ae719fe0..4168650dca 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -250,14 +250,15 @@ module configurationStore_privateEndpoints '../../network/private-endpoint/main.
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
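Review bot: The private endpoints no longer inherit the parent's lock: the removed `lock:` line defaulted to the module's `lock` parameter, the added one defaults to `null`, so a caller who locks the configuration store now gets unlocked private endpoints unless every `privateEndpoints` entry repeats the setting. That is a silent weakening of delete protection and none of the README hunks in this commit mention it. If the parent `lock` parameter is still the string form (not visible in this hunk), the inheritance can be kept by translating it, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`; otherwise the `privateEndpoints` parameter description should state that locks on private endpoints must be set per entry. The same replacement appears in the `automationAccount_privateEndpoints` hunk of modules/automation/automation-account/main.bicep further down. The enclosing module declaration starts outside the hunk.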
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index d2673179c6..fa81c86079 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9177345783229255097" + "templateHash": "1438402426319950203" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", 
@@ -648,29 +648,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -690,23 +785,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -717,11 +812,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -732,41 +834,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -775,15 +870,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -797,18 +904,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -823,33 +938,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -865,7 +1005,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -897,7 +1037,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -965,187 +1105,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1173,7 +1136,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index 7bfe9ab16b..5ed8331c4f 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep @@ -97,11 +97,9 @@ module testDeployment '../../main.bicep' = { ] privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'Webhook' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { @@ -111,11 +109,9 @@ module testDeployment '../../main.bicep' = { } } { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'DSCAndHybridWorker' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 52e1318985..8e4211c951 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -87,11 +87,9 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' ] privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'Webhook' subnetResourceId: '' tags: { 
@@ -101,11 +99,9 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'
 }
 }
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'DSCAndHybridWorker'
 subnetResourceId: ''
 tags: {
@@ -312,11 +308,9 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "Webhook",
 "subnetResourceId": "",
 "tags": {
@@ -326,11 +320,9 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'
 }
 },
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "DSCAndHybridWorker",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
index 330c5c6828..3a7b1d9982 100644
--- a/modules/automation/automation-account/main.bicep
+++ b/modules/automation/automation-account/main.bicep
@@ -381,14 +381,15 @@ module automationAccount_privateEndpoints '../../network/private-endpoint/main.b
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
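Review bot: The changed `lock:` line replaces the fallback to the module-level `lock` parameter with `null`, so a CanNotDelete/ReadOnly lock configured on the automation account no longer propagates to its private endpoints unless each `privateEndpoints` entry sets `lock` itself; that is a silent loss of delete protection for existing consumers. Presumably the fallback was dropped because the private-endpoint module's `lock` is now the object `lockType` while the parent's `lock` is still the legacy string, but the commit neither converts it nor documents the new behaviour. Either map the parent value, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`, or state in the `privateEndpoints` parameter description that locks must now be set per endpoint. The batch-account hunk further down (`@@ -248,14 +248,15 @@`) makes the identical change. The enclosing `module automationAccount_privateEndpoints` declaration starts outside the hunk.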
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json
index e99ac28588..0bd2c0c53d 100644
--- a/modules/automation/automation-account/main.json
+++ b/modules/automation/automation-account/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14616774767362362836"
+ "templateHash": "17321818753856998075"
 },
 "name": "Automation Accounts",
 "description": "This module deploys an Azure Automation Account.",
@@ -2019,29 +2019,124 @@
 "value": "[variables('enableReferencedModulesTelemetry')]"
 },
 "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
- "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]",
- "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]",
+ "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]",
+ "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
+ "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
 "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
- "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]",
+ "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]",
 "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]"
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "2884140170473394983"
+ "templateHash": "16178508232344722616"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "roleAssignmentType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -2061,23 +2156,23 @@
 "description": "Required. Resource ID of the resource that needs to be connected to the network."
 }
 },
- "applicationSecurityGroups": {
+ "applicationSecurityGroupResourceIds": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Application security groups in which the private endpoint IP configuration is included."
 }
 },
 "customNetworkInterfaceName": {
 "type": "string",
- "defaultValue": "",
+ "nullable": true,
 "metadata": {
 "description": "Optional. The custom name of the network interface attached to the private endpoint."
 }
 },
 "ipConfigurations": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
 }
@@ -2088,11 +2183,18 @@
 "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to."
 }
 },
- "privateDnsZoneGroup": {
- "type": "object",
- "defaultValue": {},
+ "privateDnsZoneGroupName": {
+ "type": "string",
+ "nullable": true,
 "metadata": {
- "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones."
+ "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided."
+ }
+ },
+ "privateDnsZoneResourceIds": {
+ "type": "array",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones."
 }
 },
 "location": {
@@ -2103,41 +2205,34 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags to be applied on all resources/resource groups in this deployment."
 }
 },
 "customDnsConfigs": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
 }
 },
 "manualPrivateLinkServiceConnections": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Manual PrivateLink Service Connections."
 }
@@ -2146,15 +2241,27 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
 "variables": {
- "enableReferencedModulesTelemetry": false
+ "enableReferencedModulesTelemetry": false,
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
+ "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+ }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -2168,18 +2275,26 @@
 }
 }
 },
- {
+ "privateEndpoint": {
 "type": "Microsoft.Network/privateEndpoints",
 "apiVersion": "2023-04-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
 "properties": {
- "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]",
- "customDnsConfigs": "[parameters('customDnsConfigs')]",
- "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]",
- "ipConfigurations": "[parameters('ipConfigurations')]",
- "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]",
+ "copy": [
+ {
+ "name": "applicationSecurityGroups",
+ "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]",
+ "input": {
+ "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]"
+ }
+ }
+ ],
+ "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
+ "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
+ "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
 "privateLinkServiceConnections": [
 {
 "name": "[parameters('name')]",
@@ -2194,33 +2309,58 @@
 }
 }
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "privateEndpoint_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]"
+ "privateEndpoint"
 ]
 },
- {
- "condition": "[not(empty(parameters('privateDnsZoneGroup')))]",
+ "privateEndpoint_roleAssignments": {
+ "copy": {
+ "name": "privateEndpoint_roleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]",
+ "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "properties": {
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "privateEndpoint"
+ ]
+ },
+ "privateEndpoint_privateDnsZoneGroup": {
+ "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]",
+ "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
 },
 "mode": "Incremental",
 "parameters": {
+ "name": {
+ "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]"
+ },
 "privateDNSResourceIds": {
- "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]"
+ "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]"
 },
 "privateEndpointName": {
 "value": "[parameters('name')]"
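Review bot: The new `privateEndpoint_lock` condition accepts any non-empty lock object, so an input that sets only `name` (both `lockType` properties are nullable) passes the condition while `level` evaluates to `coalesce(tryGet(parameters('lock'), 'kind'), '')`, i.e. an empty string that the locks API rejects, turning a harmless omission into a deployment failure. The condition should additionally require the `kind` to be present, so that a name-only object is skipped the same way `kind: 'None'` is. This file is compiled output, so the change belongs in the private-endpoint module's bicep source (not in this diff) and should be regenerated from there. The `guid()`-based role-assignment name on the `principalId`/`roleDefinitionIdOrName` lines is stable across redeployments, which is the right property for RBAC resources; the same condition issue presumably applies wherever this nested template is embedded.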
@@ -2236,7 +2376,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5610247137574346230"
+ "templateHash": "16391702514342252839"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -2268,7 +2408,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
@@ -2336,187 +2476,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]"
- ]
- },
- {
- "copy": {
- "name": "privateEndpoint_roleAssignments",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]",
- "principalIds": {
- "value": "[parameters('roleAssignments')[copyIndex()].principalIds]"
- },
- "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]",
- "roleDefinitionIdOrName": {
- "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]"
- },
- "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]",
- "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]",
- "resourceId": {
- "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14351187799927334028"
- }
- },
- "parameters": {
- "principalIds": {
- "type": "array",
- "metadata": {
- "description": "Required. The IDs of the principals to assign the role to."
- }
- },
- "roleDefinitionIdOrName": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
- }
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "Required. The resource ID of the resource to apply the role assignment to."
- }
- },
- "principalType": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "ServicePrincipal",
- "Group",
- "User",
- "ForeignGroup",
- "Device",
- ""
- ],
- "metadata": {
- "description": "Optional. The principal type of the assigned principal ID."
- }
- },
- "description": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The description of the role assignment."
- }
- },
- "condition": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
- }
- },
- "conditionVersion": {
- "type": "string",
- "defaultValue": "2.0",
- "allowedValues": [
- "2.0"
- ],
- "metadata": {
- "description": "Optional. Version of the condition."
- }
- },
- "delegatedManagedIdentityResourceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Id of the delegated managed identity resource."
- }
- }
- },
- "variables": {
- "builtInRoleNames": {
- "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
- "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
- "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]",
- "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]",
- "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]",
- "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]",
- "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
- "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]",
- "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
- "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]",
- "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
- "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
- "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
- "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
- "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
- "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
- "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]",
- "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
- "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]",
- "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
- "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
- "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
- "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
- "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
- "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
- "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
- "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
- "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
- "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
- "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
- "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
- "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]",
- "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
- "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
- "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
- "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
- "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
- "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
- "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
- "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
- "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]"
- }
- },
- "resources": [
- {
- "copy": {
- "name": "roleAssignment",
- "count": "[length(parameters('principalIds'))]"
- },
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]",
- "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]",
- "properties": {
- "description": "[parameters('description')]",
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]",
- "principalId": "[parameters('principalIds')[copyIndex()]]",
- "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
- "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
- "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
- "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
- }
- }
- ]
- }
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]"
+ "privateEndpoint"
 ]
 }
- ],
+ },
 "outputs": {
 "resourceGroupName": {
 "type": "string",
@@ -2544,7 +2507,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep
index b81a0e4036..c25cddb39d 100644
--- a/modules/batch/batch-account/.test/common/main.test.bicep
+++ b/modules/batch/batch-account/.test/common/main.test.bicep
@@ -79,11 +79,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'batchAccount'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/modules/batch/batch-account/.test/encr/main.test.bicep b/modules/batch/batch-account/.test/encr/main.test.bicep
index a19340f12a..5aebae0710 100644
--- a/modules/batch/batch-account/.test/encr/main.test.bicep
+++ b/modules/batch/batch-account/.test/encr/main.test.bicep
@@ -64,11 +64,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'batchAccount'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index 17cd685691..28319537f0 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -59,11 +59,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { poolAllocationMode: 'BatchService' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] roleAssignments: [ { principalIds: [ @@ -138,11 +136,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "roleAssignments": [ { "principalIds": [ @@ -205,11 +201,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { poolAllocationMode: 'BatchService' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'batchAccount' subnetResourceId: '' tags: { @@ -268,11 +262,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "batchAccount", "subnetResourceId": "", "tags": { diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index 88fe410734..eee1855165 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep 
@@ -248,14 +248,15 @@ module batchAccount_privateEndpoints '../../network/private-endpoint/main.bicep' subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' + privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } }] 
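Review bot: Callers still passing the old `privateDnsZoneGroup` (or `applicationSecurityGroups`) key get no error from this hunk — `contains(privateEndpoint, 'privateDnsZoneResourceIds')` is false, the `[]` default is forwarded, and the endpoint deploys without a DNS zone group, so the service FQDN will typically keep resolving to the public address even though the caller asked for private DNS. The same hunk changes the `lock` fallback from the module-level `lock` to `null`, so private endpoints no longer inherit the account's lock unless each entry sets one; if that is intended it should be called out as a breaking change rather than left as a quiet default. `roleAssignments` is forwarded unchanged while the nested private-endpoint template in this commit now requires a single `principalId` per entry, yet the batch README example in the same commit still shows `principalIds: [`, so a user copying it will fail at deployment. Until the legacy keys can be rejected outright, at least add a comment above the `lock:` line such as `// Private endpoint lock is no longer inherited from the account-level lock; set privateEndpoint.lock explicitly.` The `module batchAccount_privateEndpoints` header and its `for` loop start outside the hunk.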
diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index 0253e6c50b..d169073f0f 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12201052807403978225" + "templateHash": "2591446309015635136" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", 
@@ -375,29 +375,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -417,23 +512,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -444,11 +539,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
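Review bot: The new `privateDnsZoneResourceIds` parameter states in its description that a zone group supports at most five zones but carries no constraint, so a sixth entry is only rejected once the nested zone-group deployment runs instead of at template validation. Adding `"maxLength": 5` to the array parameter would fail fast; since `main.json` is presumably `bicep build` output, the change belongs as `@maxLength(5)` on the parameter in the private-endpoint `main.bicep` with the JSON regenerated. The enclosing nested-template `parameters` object continues past the end of this hunk.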
@@ -459,41 +561,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -502,15 +597,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -524,18 +631,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -550,33 +665,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
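Review bot: `privateEndpoint_lock` is created whenever `lock` is a non-empty object whose `kind` is not `None`, so a value like `{ "name": "x" }` with no `kind` passes the condition and the `"level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]"` line sends an empty level, which is not one of the values the `lockType` definition allows and will fail the deployment rather than be skipped. Keying the condition on the kind itself avoids that: `"condition": "[and(not(empty(tryGet(parameters('lock'), 'kind'))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]"`, i.e. `if (!empty(lock.?kind) && lock.?kind != 'None')` in the Bicep source, since `main.json` appears to be generated. The `privateEndpoint_privateDnsZoneGroup` resource that this hunk starts continues past its last line.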
@@ -592,7 +732,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -624,7 +764,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -692,187 +832,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -900,7 +863,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } }
diff --git a/modules/cache/redis-enterprise/.test/common/dependencies.bicep b/modules/cache/redis-enterprise/.test/common/dependencies.bicep
index 179f4e64a2..59ae30a575 100644
--- a/modules/cache/redis-enterprise/.test/common/dependencies.bicep
+++ b/modules/cache/redis-enterprise/.test/common/dependencies.bicep
@@ -54,7 +54,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep
index 70adc46f2c..91edd54e87 100644
--- a/modules/cache/redis-enterprise/.test/common/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep
@@ -89,7 +89,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 service: 'redisEnterprise'
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md
index 79e8069cff..7911f628ee 100644
--- a/modules/cache/redis-enterprise/README.md
+++ b/modules/cache/redis-enterprise/README.md
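Review bot: The test still passes the DNS zones as `privateDnsZoneGroup: { privateDNSResourceIds: [...] }`, but the redis-enterprise main.bicep hunk in this same commit now forwards only `privateDnsZoneResourceIds` (and `privateDnsZoneGroupName`) to the private-endpoint module, so this object is never read and the test deploys an endpoint with no private DNS zone group. Because `privateEndpoints` entries are handled as untyped objects (`contains(privateEndpoint, ...)`), nothing fails at compile or deploy time, so the regression goes unnoticed; a cache whose private FQDN is not registered in the private zone may be resolved to its public address by clients, which is what the private endpoint is meant to prevent. Replace the block with `privateDnsZoneResourceIds: [` / `nestedDependencies.outputs.privateDNSZoneResourceId` / `]`. The `modules/cache/redis/.test/common/main.test.bicep` hunk has the same shape and presumably the same issue if `redis/main.bicep` receives the matching change, and the README usage examples for both modules still show the old key. The enclosing `testDeployment` module declaration starts before the hunk.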
@@ -82,7 +82,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'redisEnterprise'
@@ -182,7 +182,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "redisEnterprise",
diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep
index 6cd4f4da66..ea5c05e878 100644
--- a/modules/cache/redis-enterprise/main.bicep
+++ b/modules/cache/redis-enterprise/main.bicep
@@ -204,14 +204,15 @@ module redisCacheEnterprise_privateEndpoints '../../network/private-endpoint/mai
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
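Review bot: The fallback for `lock` changes from the module's own `lock` to `null`, so a lock configured on the Redis Enterprise cache no longer cascades to its private endpoints unless each `privateEndpoints` entry sets its own; that is a silent weakening of delete/modify protection for existing callers and is not called out anywhere in the hunk. If the cache-level `lock` is still the string form the old code forwarded, map it instead, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`, or state the new behaviour in the `privateEndpoints` parameter description. The same hunk drops the `privateDnsZoneGroup` key without any check, so an entry still using the old shape is ignored and the endpoint is deployed without a DNS zone group, and the role-assignment objects forwarded unchanged here are, per the compiled main.json hunks in this commit, now expected to carry `principalId` rather than `principalIds`. Both are breaking changes to the untyped `privateEndpoints` contract and deserve an explicit note in the README. The enclosing module declaration starts before the hunk.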
diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json
index 0dae10b9b6..bd9889f874 100644
--- a/modules/cache/redis-enterprise/main.json
+++ b/modules/cache/redis-enterprise/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15719841187562389936" + "templateHash": "4614393026190076893" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.",
@@ -673,29 +673,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -715,23 +810,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -742,11 +837,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -757,41 +859,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -800,15 +895,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -822,18 +929,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -848,33 +963,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -890,7 +1030,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -922,7 +1062,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -990,187 +1130,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1198,7 +1161,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/cache/redis/.test/common/dependencies.bicep b/modules/cache/redis/.test/common/dependencies.bicep index 5bb5dc56bd..bbf0956900 100644 --- a/modules/cache/redis/.test/common/dependencies.bicep +++ b/modules/cache/redis/.test/common/dependencies.bicep @@ -46,4 +46,4 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep index 5428f2e9cb..6d7769223c 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/.test/common/main.test.bicep @@ -81,7 +81,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'redisCache' diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 8360ae347a..d1de73e1b5 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -63,7 +63,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'redisCache' @@ -145,7 +145,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "redisCache", 
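Review bot: The redis common test still nests the zone ID under `privateDnsZoneGroup: { privateDNSResourceIds: [...] }`, but `modules/cache/redis/main.bicep` in this same patch now forwards only `privateDnsZoneResourceIds` (and `privateDnsZoneGroupName`) from each `privateEndpoints` entry and falls back to `[]` when that key is absent. Unless the parameter is typed to reject unknown keys, the renamed output is passed under a key the module no longer reads, so this test deploys the private endpoint without a DNS zone group and the rename has no observable effect. The entry should become `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]`, matching the cognitive-services tests further down in this patch. The redis README examples in the adjacent hunks carry the same stale `privateDnsZoneGroup` shape.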
diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep
index 84350bf9bc..3794244f46 100644
--- a/modules/cache/redis/main.bicep
+++ b/modules/cache/redis/main.bicep
@@ -256,14 +256,15 @@ module redisCache_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json
index d503dc74b8..04b6f51cbf 100644
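Review bot: `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null` replaces the previous fallback to the module-level `lock`, so a private endpoint now deploys without any resource lock unless its own `privateEndpoints` entry sets one, even when the Redis cache itself is locked. If inheritance is meant to stay, keep `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` — presumably after the redis module's own `lock` parameter is moved to the `lockType` object that the referenced private-endpoint module now declares in the main.json hunks below, since the two types must agree. If dropping inheritance is deliberate, say so in the `privateEndpoints` parameter description so callers know to set `lock` per endpoint. The enclosing `module redisCache_privateEndpoints` declaration starts before this hunk.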
--- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5929435185460509109" + "templateHash": "2042912837463951821" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", 
@@ -559,29 +559,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -601,23 +696,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -628,11 +723,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -643,41 +745,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -686,15 +781,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -708,18 +815,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -734,33 +849,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -776,7 +916,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -808,7 +948,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -876,187 +1016,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1084,7 +1047,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 39d0bbbd26..70f40c8a95 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep @@ -104,11 +104,9 @@ module testDeployment '../../main.bicep' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'account' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/cognitive-services/account/.test/speech/main.test.bicep b/modules/cognitive-services/account/.test/speech/main.test.bicep index 3333126f73..7bb871851f 100644 --- a/modules/cognitive-services/account/.test/speech/main.test.bicep +++ b/modules/cognitive-services/account/.test/speech/main.test.bicep @@ -53,11 +53,9 @@ module testDeployment '../../main.bicep' = { customSubDomainName: '${namePrefix}speechdomain' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'account' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 1d92f15fb0..3647314693 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md 
@@ -75,11 +75,9 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'account' subnetResourceId: '' tags: { @@ -172,11 +170,9 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "account", "subnetResourceId": "", "tags": { @@ -374,11 +370,9 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { enableDefaultTelemetry: '' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'account' subnetResourceId: '' tags: { @@ -431,11 +425,9 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "account", "subnetResourceId": "", "tags": { diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index 093b347969..04f882bb27 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep 
@@ -291,14 +291,15 @@ module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.b
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
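Review bot: The renamed keys `privateDnsZoneGroup` → `privateDnsZoneResourceIds` and `applicationSecurityGroups` → `applicationSecurityGroupResourceIds` are only read through `contains(privateEndpoint, '<newKey>')`, so a caller still passing the old key silently gets the new default `[]` — the private endpoint deploys with no DNS zone group and no ASG membership, and nothing fails. For a private endpoint that is a security-relevant regression (without the zone group, clients may keep resolving the service's public endpoint), so the breaking rename should be called out in the README/changelog and in the `privateEndpoints` parameter description, which sits outside this hunk. The `lock` fallback also changed from the parent-scope `lock` (presumably the module's lock parameter) to `null`, so private endpoints no longer inherit the account's lock by default; if that is intended, a comment such as `// Private endpoints no longer inherit the parent lock; set privateEndpoint.lock explicitly` would make it explicit, otherwise keep `: lock` as the fallback. The enclosing `module cognitiveServices_privateEndpoints` declaration starts before this hunk.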
diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index cbee7b00f2..02c0c637fc 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13442875800072342008" + "templateHash": "10920180822593223575" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", 
@@ -436,29 +436,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -478,23 +573,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -505,11 +600,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -520,41 +622,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -563,15 +658,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -585,18 +692,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -611,33 +726,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -653,7 +793,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -685,7 +825,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -753,187 +893,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -961,7 +924,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep
index 1cba142a21..0ce7c9487d 100644
--- a/modules/container-registry/registry/.test/common/main.test.bicep
+++ b/modules/container-registry/registry/.test/common/main.test.bicep
@@ -85,11 +85,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'registry'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/container-registry/registry/.test/pe/main.test.bicep b/modules/container-registry/registry/.test/pe/main.test.bicep
index bcb6fbfa3d..19f4dd9c96 100644
--- a/modules/container-registry/registry/.test/pe/main.test.bicep
+++ b/modules/container-registry/registry/.test/pe/main.test.bicep
@@ -54,11 +54,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'registry'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md
index c1c5ee9a5d..e6e6561a0e 100644
--- a/modules/container-registry/registry/README.md
+++ b/modules/container-registry/registry/README.md
@@ -81,11 +81,9 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 ]
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'registry'
 subnetResourceId: ''
 tags: {
@@ -203,11 +201,9 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "registry",
 "subnetResourceId": "",
 "tags": {
@@ -429,11 +425,9 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'registry'
 subnetResourceId: ''
 tags: {
@@ -478,11 +472,9 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "registry",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep
index e70d4ad89d..7de517205e 100644
--- a/modules/container-registry/registry/main.bicep
+++ b/modules/container-registry/registry/main.bicep
@@ -382,14 +382,15 @@ module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
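Review bot: The `lock` fallback for each private-endpoint entry now resolves to `null` instead of the registry-level `lock`, so a caller that locks the registry and relied on that lock propagating to its private endpoints silently loses delete/modify protection on those endpoints after this change; if the registry's own `lock` parameter has been moved to the same object type as the child module's, `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` restores the old inheritance, and if it has not, the dropped inheritance should be stated in the parameter description. The `contains()` lookups on the renamed keys fail silently too: an entry still written with `privateDnsZoneGroup` or `applicationSecurityGroups` deploys with no private DNS zone group and no ASG membership, so the endpoint's name is not registered in the linked private zone and any NSG rule scoped to those ASGs no longer covers it, with nothing in the deployment output pointing at the stale key. A comment on the `privateDnsZoneResourceIds` line such as `// NOTE: the former 'privateDnsZoneGroup' and 'applicationSecurityGroups' keys are no longer read; entries must use the *ResourceIds keys or they deploy without DNS zone group / ASG membership` would make the breaking rename visible to the next reader. The generated `main.json` carries the same fallbacks at its `@@ -1164,29 +1164,124 @@` hunk. The enclosing `registry_privateEndpoints` module loop starts before this hunk.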
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index eb1edb3019..f718008dad 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "810724730181048401" + "templateHash": "1580319527153380248" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", 
@@ -1164,29 +1164,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1206,23 +1301,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1233,11 +1328,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1248,41 +1350,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1291,15 +1386,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1313,18 +1420,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1339,33 +1454,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1381,7 +1521,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1413,7 +1553,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1481,187 +1621,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1689,7 +1652,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } }
diff --git a/modules/data-factory/factory/.test/common/dependencies.bicep b/modules/data-factory/factory/.test/common/dependencies.bicep
index 5c91900d1a..a6ab43ad7a 100644
--- a/modules/data-factory/factory/.test/common/dependencies.bicep
+++ b/modules/data-factory/factory/.test/common/dependencies.bicep
@@ -108,7 +108,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 
 @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
 
 @description('The resource ID of the created Key Vault.')
 output keyVaultResourceId string = keyVault.id
diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep
index 9d7ac74872..42da93e9d8 100644
--- a/modules/data-factory/factory/.test/common/main.test.bicep
+++ b/modules/data-factory/factory/.test/common/main.test.bicep
@@ -116,7 +116,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 service: 'dataFactory'
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index f9473fa622..c577484c79 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -99,7 +99,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'dataFactory'
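Review bot: The test still wraps the zone ID in the old `privateDnsZoneGroup: { privateDNSResourceIds: [ ... ] }` object, but the patched `modules/data-factory/factory/main.bicep` in this same commit now reads `privateDnsZoneResourceIds` from each private endpoint entry and no longer looks at a `privateDnsZoneGroup` key, so as far as the visible lines show the common test now deploys the private endpoint without any DNS zone group and that path goes unexercised. The block should become `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]` with the `privateDnsZoneGroup` wrapper removed. The databricks `main.test.bicep` hunk further down has the same shape and needs the same change, and the two README usage examples regenerated from these tests carry the stale wrapper as well. The enclosing `testDeployment` module declaration starts outside the hunk.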
@@ -225,7 +225,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "dataFactory",
diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep
index 14d6d25a1e..ae480b9cc8 100644
--- a/modules/data-factory/factory/main.bicep
+++ b/modules/data-factory/factory/main.bicep
@@ -279,14 +279,15 @@ module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep'
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
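Review bot: The fallback for `lock` changes from the module-level `lock` parameter to `null`, so a lock configured on the factory no longer cascades to its private endpoints; a caller who relied on the parent lock to protect the endpoint against accidental deletion now silently gets an unlocked resource. If this is intended it deserves a sentence on the `privateEndpoints` parameter's `@description`, e.g. 'The module-level lock is not inherited; set `lock` on each private endpoint entry.' If the only reason is that the child module now takes a `lockType` object, the previous cascade can be kept with `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`, assuming the parent's `lock` is still the string enum. The `dataFactory_privateEndpoints` loop starts before the hunk.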
diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index ca428834bc..dcf981878b 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5636410891768038353" + "templateHash": "2061647637227926206" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", 
@@ -955,29 +955,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -997,23 +1092,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1024,11 +1119,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1039,41 +1141,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1082,15 +1177,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1104,18 +1211,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1130,33 +1245,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1172,7 +1312,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1204,7 +1344,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1272,187 +1412,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1480,7 +1443,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/databricks/workspace/.test/common/dependencies.bicep b/modules/databricks/workspace/.test/common/dependencies.bicep index 7030a8aa0a..31203d82a3 100644 --- a/modules/databricks/workspace/.test/common/dependencies.bicep +++ b/modules/databricks/workspace/.test/common/dependencies.bicep @@ -312,7 +312,7 @@ output customPrivateSubnetName string = virtualNetwork.properties.subnets[2].nam output virtualNetworkResourceId string = virtualNetwork.id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The resource ID of the created Azure Machine Learning Workspace.') output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index cd9bef2b09..8f19bc3b68 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep @@ -120,7 +120,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'databricks_ui_api' diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 79dd99e50c..cda1211cd8 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md 
@@ -80,7 +80,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'databricks_ui_api'
@@ -214,7 +214,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "databricks_ui_api",
diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep
index fe0ae931b5..17a6daca95 100644
--- a/modules/databricks/workspace/main.bicep
+++ b/modules/databricks/workspace/main.bicep
@@ -344,14 +344,15 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
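Review bot: The new `privateDnsZoneResourceIds` and `privateDnsZoneGroupName` lookups silently fall back to `[]` and `'default'`, so a caller that still passes the old `privateDnsZoneGroup` object (or the old `applicationSecurityGroups` key) gets a private endpoint deployed with no DNS zone group and no ASG binding instead of a deployment error, since `privateEndpoints` appears to be an untyped array here. Consider a comment on the module such as `// privateEndpoints entries use the private-endpoint module's new keys (privateDnsZoneResourceIds, applicationSecurityGroupResourceIds); legacy privateDnsZoneGroup / applicationSecurityGroups keys are ignored`, or better a user-defined type for the array so stale keys fail at compile time. The `lock` fallback also changes from the workspace-level `lock` to `null`, so endpoints are now unlocked unless each entry sets its own lock; if that is intentional it belongs in the parameter description, and if the workspace `lock` has been migrated to the same object type the previous inheritance could be kept. The enclosing `module workspace_privateEndpoints` loop starts before this hunk.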
diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index c729c6ec4f..2b0c724494 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11204795410714061974" + "templateHash": "2200640508767792289" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
@@ -567,29 +567,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -609,23 +704,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -636,11 +731,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -651,41 +753,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -694,15 +789,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -716,18 +823,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -742,33 +857,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -784,7 +924,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -816,7 +956,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -884,187 +1024,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1092,7 +1055,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep b/modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep index f3f77e9536..ca3c6ceec6 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep @@ -62,7 +62,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023- output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The name of the created Managed Identity.') output managedIdentityName string = managedIdentity.name diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index 742d0d57b6..e81954bc6b 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep @@ -89,7 +89,7 @@ module testDeployment '../../main.bicep' = { skuName: 'Standard_D2ds_v4' tier: 'GeneralPurpose' delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSResourceId + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId storageAutoIoScaling: 'Enabled' storageSizeGB: 64 storageIOPS: 400 
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep b/modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep index 1ea4046132..45875179d8 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep @@ -62,7 +62,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep index 1852c4dffe..d5bd21da2c 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep @@ -100,7 +100,7 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName geoRedundantBackup: 'Enabled' - privateDnsZoneArmResourceId: nestedDependencies.outputs.privateDNSResourceId + privateDnsZoneArmResourceId: nestedDependencies.outputs.privateDNSZoneResourceId tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep b/modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep index 997053fec3..87c0cf8a6f 100644 
--- a/modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep @@ -132,7 +132,7 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id output managedIdentityPrincipalResourceId string = managedIdentity.properties.principalId @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The name of the Event Hub Namespace.') output eventhubNamespaceName string = eventHubNamespace.name diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index fceb1ad4b6..b9deae3ddd 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep @@ -99,7 +99,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'API' diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 7c92db6dec..1f27071965 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -70,7 +70,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'API' @@ -158,7 +158,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "API", 
diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep
index de3a9f3ce7..139a665887 100644
--- a/modules/digital-twins/digital-twins-instance/main.bicep
+++ b/modules/digital-twins/digital-twins-instance/main.bicep
@@ -200,8 +200,9 @@ module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/mai
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
index 5f9ecd3472..958cae8390 100644
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ b/modules/digital-twins/digital-twins-instance/main.json
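Review bot: The new lines only read `privateEndpoint.privateDnsZoneResourceIds` and `privateEndpoint.privateDnsZoneGroupName`, yet the digital-twins `main.test.bicep` and README examples updated in this same commit still pass the old `privateDnsZoneGroup: { privateDNSResourceIds: [...] }` shape, so that key is now silently ignored and the test endpoint is deployed without a private DNS zone group, meaning the test no longer registers the endpoint IP in the private zone or proves the private path works. Update the test entry to `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]`, or give `privateEndpoints` a typed element so unknown keys fail at compile time instead of vanishing through `contains()`. The `lock` default also changes from inheriting the instance-level `lock` to `null`, so a `CanNotDelete`/`ReadOnly` lock on the Digital Twins instance no longer protects its private endpoints unless each entry sets its own; if this is forced by the referenced module's new object-typed `lock` parameter, say so with a comment such as `// lock is not inherited: the private-endpoint module expects a lockType object`, otherwise map the parent value (for example `{ kind: lock }`) so delete-protection keeps propagating. The `digitalTwinsInstance_privateEndpoints` module declaration starts before this hunk.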
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4594245496875399302" + "templateHash": "5421587631064538780" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", 
@@ -827,8 +827,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", 
@@ -836,17 +837,111 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -866,23 +961,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -893,11 +988,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -908,41 +1010,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -951,15 +1046,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -973,18 +1080,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -999,33 +1114,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1041,7 +1181,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1073,7 +1213,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1141,187 +1281,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1349,7 +1312,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/document-db/database-account/.test/sqldb/dependencies.bicep b/modules/document-db/database-account/.test/sqldb/dependencies.bicep index a360a07947..c3dd593b88 100644 --- a/modules/document-db/database-account/.test/sqldb/dependencies.bicep +++ b/modules/document-db/database-account/.test/sqldb/dependencies.bicep @@ -96,4 +96,4 @@ output managedIdentityResourceId string = managedIdentity.id output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 8a944c41f5..c9c5272585 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep @@ -86,7 +86,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'Sql' diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 69a8c77859..b5cad9ee10 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -928,7 +928,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'Sql' 
@@ -1091,7 +1091,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "Sql", diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 585557fd51..2b5481b411 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep 
@@ -362,14 +362,15 @@ module databaseAccount_privateEndpoints '../../network/private-endpoint/main.bic
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
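Review bot: The `contains(privateEndpoint, ...)` gates on the new `privateDnsZoneResourceIds` and `applicationSecurityGroupResourceIds` lines mean a caller still passing the old `privateDnsZoneGroup` or `applicationSecurityGroups` keys gets no error: the endpoint deploys with no private DNS zone group and no ASG membership, a silent drop that leaves private name resolution missing and ASG-scoped NSG rules not applying to the endpoint NIC. Consider rejecting the legacy keys up front, e.g. `privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneGroup') ? fail('privateDnsZoneGroup was replaced by privateDnsZoneResourceIds') : (contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [])`, or at least state the rename in the `privateEndpoints` parameter description, which sits outside this hunk. The `lock` line also stops inheriting the account-level `lock` when an entry omits one (`: lock` → `: null`); that is presumably forced by the private-endpoint module now taking a lock object rather than a string, but it is a behaviour change that deserves a sentence in the parameter description or changelog. The enclosing `databaseAccount_privateEndpoints` module declaration starts outside the hunk.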
diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 8c6c60a55b..92692742b6 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1321966146332079883" + "templateHash": "14731361995400554127" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
@@ -1587,29 +1587,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1629,23 +1724,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1656,11 +1751,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1671,41 +1773,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1714,15 +1809,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1736,18 +1843,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1762,33 +1877,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1804,7 +1944,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1836,7 +1976,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1904,187 +2044,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2112,7 +2075,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep
index 868878e147..1c62ba2b2b 100644
--- a/modules/event-grid/domain/.test/common/main.test.bicep
+++ b/modules/event-grid/domain/.test/common/main.test.bicep
@@ -80,11 +80,9 @@ module testDeployment '../../main.bicep' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 service: 'domain'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/event-grid/domain/.test/pe/main.test.bicep b/modules/event-grid/domain/.test/pe/main.test.bicep
index ff90a984c0..5cf831f7c2 100644
--- a/modules/event-grid/domain/.test/pe/main.test.bicep
+++ b/modules/event-grid/domain/.test/pe/main.test.bicep
@@ -51,11 +51,9 @@ module testDeployment '../../main.bicep' = {
 name: '${namePrefix}${serviceShort}001'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 service: 'domain'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md
index 1b981ed272..a5d51bc6c9 100644
--- a/modules/event-grid/domain/README.md
+++ b/modules/event-grid/domain/README.md
@@ -64,11 +64,9 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'domain'
 subnetResourceId: ''
 tags: {
@@ -145,11 +143,9 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "domain",
 "subnetResourceId": "",
 "tags": {
@@ -254,11 +250,9 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'domain'
 subnetResourceId: ''
 tags: {
@@ -300,11 +294,9 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "domain",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep
index 10c4724836..fec69f3e16 100644
--- a/modules/event-grid/domain/main.bicep
+++ b/modules/event-grid/domain/main.bicep
@@ -169,14 +169,15 @@ module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
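Review bot: The `lock` line now falls back to `null` instead of the module-level `lock`, so a private endpoint that does not set its own `lock` is deployed unlocked even when the domain itself is locked (the `.test/common` test passes `lock: 'CanNotDelete'` only at the domain level and would no longer exercise a locked endpoint). Since the private-endpoint module's `lock` appears to have become an object type in this commit, the fallback would have to map the domain's value, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`, assuming the domain's `lock` parameter is still the string form; if inheritance is intentionally dropped, the README should say so. The renamed keys are the second concern: a caller still passing `privateDnsZoneGroup` or `applicationSecurityGroups` gets `[]` from the `contains(...)` fallback, so the endpoint silently deploys with no DNS zone group and no ASG membership rather than failing. A comment above the loop such as `// NOTE: 'privateDnsZoneGroup' and 'applicationSecurityGroups' were renamed; values under the old keys are ignored, not rejected` would at least make that visible. The enclosing `domain_privateEndpoints` module loop starts outside the hunk, and the corresponding hunk for event-grid/topic/main.bicep lies beyond the end of this view and presumably carries the same change.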
diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index dcfe142327..a9c801166c 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7856347884267755946" + "templateHash": "4315845252350634330" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", 
@@ -399,29 +399,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -441,23 +536,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -468,11 +563,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -483,41 +585,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -526,15 +621,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -548,18 +655,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -574,33 +689,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -616,7 +756,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -648,7 +788,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -716,187 +856,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -924,7 +887,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep
index b78bcf0f8c..61bec19754 100644
--- a/modules/event-grid/topic/.test/common/main.test.bicep
+++ b/modules/event-grid/topic/.test/common/main.test.bicep
@@ -104,11 +104,9 @@ module testDeployment '../../main.bicep' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 service: 'topic'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/event-grid/topic/.test/pe/main.test.bicep b/modules/event-grid/topic/.test/pe/main.test.bicep
index 096f27cbcb..a5c992940d 100644
--- a/modules/event-grid/topic/.test/pe/main.test.bicep
+++ b/modules/event-grid/topic/.test/pe/main.test.bicep
@@ -51,11 +51,9 @@ module testDeployment '../../main.bicep' = {
 name: '${namePrefix}${serviceShort}001'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 service: 'topic'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md
index db0e345ab6..7987d9b586 100644
--- a/modules/event-grid/topic/README.md
+++ b/modules/event-grid/topic/README.md
@@ -88,11 +88,9 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'topic'
 subnetResourceId: ''
 tags: {
@@ -192,11 +190,9 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "topic",
 "subnetResourceId": "",
 "tags": {
@@ -296,11 +292,9 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'topic'
 subnetResourceId: ''
 tags: {
@@ -342,11 +336,9 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "topic",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep
index 80b44ca077..2f76ab44df 100644
--- a/modules/event-grid/topic/main.bicep
+++ b/modules/event-grid/topic/main.bicep
@@ -171,14 +171,15 @@ module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
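Review bot: The private-endpoint `lock` now falls back to `null` instead of the module-level `lock` (the first `+` line of the hunk), so a topic deployed with `lock: 'CanNotDelete'`, as the tests do, gets private endpoints with no lock unless each entry sets its own; this appears forced by the child module's switch to an object-typed lock, but for existing callers it is a silent loss of delete protection on the endpoints. If inheriting the parent lock is still intended, and assuming the topic's own `lock` is still the string the tests pass, map it into the new shape, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (!empty(lock) ? { kind: lock } : null)`; otherwise the `privateEndpoints` parameter description should state that locks are no longer inherited. The renames `privateDnsZoneGroup` → `privateDnsZoneResourceIds` and `applicationSecurityGroups` → `applicationSecurityGroupResourceIds` are equally silent: each key is looked up with `contains()` on an untyped object, so a caller still passing the old names deploys an endpoint with no DNS zone group and no ASG membership, and no deployment error points at the cause. The `topic_privateEndpoints` module declaration begins before the hunk.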
diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index f60d2077df..67baf2c2eb 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17347618398012771479" + "templateHash": "607231381512069832" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", 
@@ -476,29 +476,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -518,23 +613,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -545,11 +640,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -560,41 +662,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -603,15 +698,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -625,18 +732,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -651,33 +766,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -693,7 +833,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -725,7 +865,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -793,187 +933,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1001,7 +964,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index 9852491947..755484f15e 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep @@ -179,11 +179,9 @@ module testDeployment '../../main.bicep' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/event-hub/namespace/.test/pe/main.test.bicep b/modules/event-hub/namespace/.test/pe/main.test.bicep index a335175c6e..73335efe06 100644 --- a/modules/event-hub/namespace/.test/pe/main.test.bicep +++ b/modules/event-hub/namespace/.test/pe/main.test.bicep @@ -54,11 +54,9 @@ module testDeployment '../../main.bicep' = { zoneRedundant: true privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index de5b7fa061..1f3585e075 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md 
@@ -170,11 +170,9 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'namespace' subnetResourceId: '' tags: { @@ -370,11 +368,9 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "namespace", "subnetResourceId": "", "tags": { @@ -587,11 +583,9 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { enableDefaultTelemetry: '' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'namespace' subnetResourceId: '' tags: { @@ -636,11 +630,9 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "namespace", "subnetResourceId": "", "tags": { diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index 891c0c92d9..5c3dc8808d 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep 
@@ -325,14 +325,15 @@ module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.b
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
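Review bot: The `lock` fallback on the private endpoint changes from inheriting the namespace-level `lock` to `null`, so a lock set on the namespace no longer protects the private endpoints it creates from accidental or unauthorised deletion unless each `privateEndpoints` entry sets its own `lock`; this is presumably forced by the referenced module's switch to an object `lockType`, but it is a silent weakening for existing callers. Either map the parent value when it is set, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (!empty(lock) ? { kind: lock } : null)` (adjust to the actual type of the namespace's `lock` parameter, which is outside this hunk), or state in the `privateEndpoints` parameter description that locks are no longer inherited. The same unchanged pass-through applies to `roleAssignments`: the referenced module's new `roleAssignmentType` takes a single `principalId` per entry, so callers still supplying the older `principalIds` array will fail validation, which deserves a README/changelog note. The enclosing `module eventHubNamespace_privateEndpoints` declaration starts before this hunk.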
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index f95385acf9..c25cd5d3ef 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1995710596888287584" + "templateHash": "6491527792941921170" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", 
@@ -1609,29 +1609,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1651,23 +1746,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1678,11 +1773,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1693,41 +1795,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1736,15 +1831,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1758,18 +1865,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1784,33 +1899,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1826,7 +1966,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1858,7 +1998,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1926,187 +2066,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2134,7 +2097,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/insights/private-link-scope/.test/common/dependencies.bicep b/modules/insights/private-link-scope/.test/common/dependencies.bicep
index c0529b4ac9..e09c9b5a0c 100644
--- a/modules/insights/private-link-scope/.test/common/dependencies.bicep
+++ b/modules/insights/private-link-scope/.test/common/dependencies.bicep
@@ -65,7 +65,7 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
 
 @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
 
 @description('The resource ID of the created Log Analytics Workspace.')
 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep
index 9b899bd5c8..a1dcee39dc 100644
--- a/modules/insights/private-link-scope/.test/common/main.test.bicep
+++ b/modules/insights/private-link-scope/.test/common/main.test.bicep
@@ -64,7 +64,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 service: 'azuremonitor'
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index 95d6f651da..c268c5b76d 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -52,7 +52,7 @@ This instance deploys the module with most of its features enabled.
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'azuremonitor'
@@ -113,7 +113,7 @@ This instance deploys the module with most of its features enabled.
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "azuremonitor",
diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
index 2eb0f2cdb2..578dac4911 100644
--- a/modules/insights/private-link-scope/main.bicep
+++ b/modules/insights/private-link-scope/main.bicep
@@ -83,14 +83,15 @@ module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bi
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
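Review bot: The new passthrough reads only `privateEndpoint.privateDnsZoneResourceIds` and `privateEndpoint.privateDnsZoneGroupName`, yet the common test in this same commit still supplies the zones as `privateDnsZoneGroup: { privateDNSResourceIds: [...] }`, so `contains()` is false, an empty array is forwarded, no private DNS zone group is created and the test passes without ever exercising private DNS resolution — and any consumer still using the old key silently loses it in the same way. The test entry should become `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]`, and the same applies to the `applicationSecurityGroups` → `applicationSecurityGroupResourceIds` rename, which now also expects plain resource IDs rather than `{ id: ... }` objects; since `contains()` cannot reject unknown keys, the breaking renames should be called out in the `privateEndpoints` parameter description. The `lock` default has also changed from inheriting this module's `lock` to `null`, so a private endpoint deployed under a locked scope is no longer locked unless each entry sets `lock` itself; this is presumably because the referenced module now takes a `lockType` object instead of a string, but the loss of inheritance deserves a comment such as `// lock is not inherited: the private-endpoint module's lockType differs from this module's lock parameter`. The enclosing `privateLinkScope_privateEndpoints` loop starts before this hunk.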
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index 309a70ce4d..ee38f7fe59 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9824068275707710634" + "templateHash": "14715354343666542323" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", 
@@ -266,29 +266,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -308,23 +403,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -335,11 +430,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -350,41 +452,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -393,15 +488,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -415,18 +522,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -441,33 +556,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -483,7 +623,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -515,7 +655,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -583,187 +723,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -791,7 +754,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } }
diff --git a/modules/key-vault/vault/.test/common/dependencies.bicep b/modules/key-vault/vault/.test/common/dependencies.bicep
index f433490224..6c3754d07f 100644
--- a/modules/key-vault/vault/.test/common/dependencies.bicep
+++ b/modules/key-vault/vault/.test/common/dependencies.bicep
@@ -62,4 +62,4 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id output managedIdentityPrincipalId string = managedIdentity.properties.principalId @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep
index 179de80d30..4c17765b86 100644
--- a/modules/key-vault/vault/.test/common/main.test.bicep
+++ b/modules/key-vault/vault/.test/common/main.test.bicep
@@ -134,7 +134,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 service: 'vault'
diff --git a/modules/key-vault/vault/.test/pe/dependencies.bicep b/modules/key-vault/vault/.test/pe/dependencies.bicep
index b9eb57d972..b796986047 100644
--- a/modules/key-vault/vault/.test/pe/dependencies.bicep
+++ b/modules/key-vault/vault/.test/pe/dependencies.bicep
@@ -51,4 +51,4 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep
index 6230f07e42..2a99bb5bf2 100644
--- a/modules/key-vault/vault/.test/pe/main.test.bicep
+++ b/modules/key-vault/vault/.test/pe/main.test.bicep
@@ -89,7 +89,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}'
 }
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 2160f1abf6..13101ac107 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -292,7 +292,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'vault'
@@ -445,7 +445,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "vault",
@@ -599,7 +599,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 privateEndpointName: 'dep-pe-kvvpe'
 }
@@ -681,7 +681,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ],
 "privateEndpointName": "dep-pe-kvvpe"
 },
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index 08892f54ee..299ed864a3 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -271,14 +271,15 @@ module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
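Review bot: The Key Vault callers in this same patch were not moved to the new shape introduced here — the module now reads `privateDnsZoneResourceIds`, but `.test/common/main.test.bicep`, `.test/pe/main.test.bicep` and the four README examples still pass `privateDnsZoneGroup: { privateDNSResourceIds: [...] }`, so `contains(privateEndpoint, 'privateDnsZoneResourceIds')` is false, the zone list is `[]`, and the private endpoint is created with no private DNS zone group while the deployment still succeeds. In practice that means the vault's public FQDN will generally keep resolving to the public address, which is the silent failure mode a private endpoint is meant to prevent, and nothing in the tests appears to assert on it. The machine-learning workspace tests in this patch were updated; the key-vault tests and README need the same edit, e.g. `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]`, and the old `privateDnsZoneGroup` key should be called out as removed for anyone consuming the published module. Separately, the `lock` fallback changed from the vault's own `lock` parameter to `null`, so private endpoints no longer inherit the parent lock; if that is intentional it belongs in the `privateEndpoints` parameter description. The enclosing `module keyVault_privateEndpoints` loop starts before this hunk.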
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index c270216400..18c95c024b 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2257250292452239694" + "templateHash": "428199812087139263" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
@@ -1210,29 +1210,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1252,23 +1347,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1279,11 +1374,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1294,41 +1396,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1337,15 +1432,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1359,18 +1466,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1385,33 +1500,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1427,7 +1567,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1459,7 +1599,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1527,187 +1667,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1735,7 +1698,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } }
diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep
index 1955aee361..858b81f335 100644
--- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep
+++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep
@@ -116,11 +116,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'amlworkspace'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
index 258e4cb2ec..195155da41 100644
--- a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
+++ b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
@@ -69,11 +69,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'amlworkspace'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index ff8b39bf37..8240128522 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -95,11 +95,9 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 primaryUserAssignedIdentity: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'amlworkspace'
 subnetResourceId: ''
 tags: {
@@ -223,11 +221,9 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "amlworkspace",
 "subnetResourceId": "",
 "tags": {
@@ -295,11 +291,9 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 primaryUserAssignedIdentity: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'amlworkspace'
 subnetResourceId: ''
 tags: {
@@ -369,11 +363,9 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "amlworkspace",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep
index 5aaa86fae8..afce9701f6 100644
--- a/modules/machine-learning-services/workspace/main.bicep
+++ b/modules/machine-learning-services/workspace/main.bicep
@@ -287,8 +287,9 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json
index 85a28a93ad..7d2fd747c0 100644
--- a/modules/machine-learning-services/workspace/main.json
+++ b/modules/machine-learning-services/workspace/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15135710804774691863" + "templateHash": "15631837219684432270" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.",
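Review bot: The `lock` fallback on the new side changes from the module-level `lock` to `null`, so a private endpoint whose object omits `lock` no longer inherits the workspace's lock as it did on the removed line, and nothing in the hunk records that. A lock is the delete/modify guard on the endpoint, so dropping the inheritance silently leaves endpoints less protected than the workspace they belong to. If this is deliberate because the referenced private-endpoint module now takes an object-typed lock (`{ name, kind }`, as the compiled nested template elsewhere in this commit shows) that the parent's value cannot be passed through unchanged, a one-line comment such as `// lock is not inherited from the workspace: the private-endpoint module expects a lock object, not the workspace's lock value` would make the intent explicit; otherwise the fallback should map the parent value rather than `null`, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` with a conversion appropriate to the parent's `lock` type. The enclosing `workspace_privateEndpoints` module declaration starts and ends outside the hunk.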
@@ -668,8 +668,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", 
@@ -677,17 +678,111 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -707,23 +802,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -734,11 +829,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -749,41 +851,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -792,15 +887,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -814,18 +921,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -840,33 +955,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -882,7 +1022,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -914,7 +1054,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -982,187 +1122,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1190,7 +1153,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep index 548ada9bbd..246478d423 100644 --- a/modules/network/application-gateway/.test/common/main.test.bicep +++ b/modules/network/application-gateway/.test/common/main.test.bicep @@ -147,11 +147,9 @@ module testDeployment '../../main.bicep' = { ] privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] service: 'public' subnetResourceId: nestedDependencies.outputs.privateLinkSubnetResourceId tags: { diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index aaee08b326..04d88f199b 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -227,11 +227,9 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = lock: 'CanNotDelete' privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - } + privateDnsZoneResourceIds: [ + '' + ] service: 'public' subnetResourceId: '' tags: { @@ -687,11 +685,9 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ] - }, + "privateDnsZoneResourceIds": [ + "" + ], "service": "public", "subnetResourceId": "", "tags": { 
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
index a346bcf980..8d9a2f022d 100644
--- a/modules/network/application-gateway/main.bicep
+++ b/modules/network/application-gateway/main.bicep
@@ -376,14 +376,15 @@ module applicationGateway_privateEndpoints '../../network/private-endpoint/main.
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
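Review bot: The key renames on the new side fail silently for existing callers: a `privateEndpoints` item that still carries `privateDnsZoneGroup` or `applicationSecurityGroups` is treated as absent by the `contains(...)` guards, so the endpoint deploys with no private DNS zone group and outside any application security group, without any error. Because this pattern cannot reject unknown keys, the rename should be recorded as a breaking change for the module (README and version), and the new key shape (resource ID strings, which the compiled template wraps into `{ id: ... }` downstream) is worth stating in the `privateEndpoints` parameter description. Separately, the `lock` fallback changes from the gateway-level `lock` to `null`, so private endpoints no longer inherit a `CanNotDelete`/`ReadOnly` lock set on the parent deployment; if the parent `lock` is still the string form, as the README hunk in this commit (`lock: 'CanNotDelete'`) suggests, it could be mapped instead of dropped, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`. The enclosing `applicationGateway_privateEndpoints` module declaration starts before this hunk.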
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index c1c3844517..9856294bf1 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "214441703213354743" + "templateHash": "9800511203053042141" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", 
@@ -571,29 +571,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -613,23 +708,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -640,11 +735,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -655,41 +757,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -698,15 +793,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -720,18 +827,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -746,33 +861,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -788,7 +928,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -820,7 +960,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -888,187 +1028,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1096,7 +1059,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/network/private-endpoint/.bicep/nested_roleAssignments.bicep b/modules/network/private-endpoint/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 817cb46aa6..0000000000 --- a/modules/network/private-endpoint/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(privateEndpoint.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: privateEndpoint
-}]
diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/.test/common/main.test.bicep
index 856807277f..a33f922bd9 100644
--- a/modules/network/private-endpoint/.test/common/main.test.bicep
+++ b/modules/network/private-endpoint/.test/common/main.test.bicep
@@ -60,18 +60,16 @@ module testDeployment '../../main.bicep' = {
 ]
 serviceResourceId: nestedDependencies.outputs.keyVaultResourceId
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- lock: 'CanNotDelete'
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
+ lock: {
+ kind: 'CanNotDelete'
 }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
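Review bot: The common test sets only `lock.kind` and leaves the new `lock.name` and `privateDnsZoneGroupName` inputs unset, so the `?? 'lock-${name}'` and `?? 'default'` fallbacks in main.bicep are the only paths this test deploys and the explicit-name paths are never exercised. Consider adding `privateDnsZoneGroupName: 'default'` next to `privateDnsZoneResourceIds` and a `name:` entry inside the `lock` object so the renamed parameter surface is covered by the test. The enclosing `module testDeployment` block starts and ends outside the hunk.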
@@ -86,10 +84,8 @@ module testDeployment '../../main.bicep' = {
 }
 ]
 customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic'
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
+ applicationSecurityGroupResourceIds: [
+ nestedDependencies.outputs.applicationSecurityGroupResourceId
 ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md
index 241b1e441a..552f6fac64 100644
--- a/modules/network/private-endpoint/README.md
+++ b/modules/network/private-endpoint/README.md
@@ -51,10 +51,8 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {
 serviceResourceId: ''
 subnetResourceId: ''
 // Non-required parameters
- applicationSecurityGroups: [
- {
- id: ''
- }
+ applicationSecurityGroupResourceIds: [
+ ''
 ]
 customNetworkInterfaceName: 'npecom001nic'
 enableDefaultTelemetry: ''
@@ -68,17 +66,15 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {
 }
 }
 ]
- lock: 'CanNotDelete'
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
+ lock: {
+ kind: 'CanNotDelete'
 }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -120,11 +116,9 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {
 "value": ""
 },
 // Non-required parameters
- "applicationSecurityGroups": {
+ "applicationSecurityGroupResourceIds": {
 "value": [
- {
- "id": ""
- }
+ ""
 ]
 },
 "customNetworkInterfaceName": {
@@ -146,21 +140,19 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" - }, - "privateDnsZoneGroup": { "value": { - "privateDNSResourceIds": [ - "" - ] + "kind": "CanNotDelete" } }, + "privateDnsZoneResourceIds": { + "value": [ + "" + ] + }, "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -260,42 +252,40 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`applicationSecurityGroups`](#parameter-applicationsecuritygroups) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`applicationSecurityGroupResourceIds`](#parameter-applicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | | [`customDnsConfigs`](#parameter-customdnsconfigs) | array | Custom DNS configurations. | | [`customNetworkInterfaceName`](#parameter-customnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable/Disable usage telemetry for module. | | [`ipConfigurations`](#parameter-ipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`manualPrivateLinkServiceConnections`](#parameter-manualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | -| [`privateDnsZoneGroup`](#parameter-privatednszonegroup) | object | The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones. | +| [`privateDnsZoneGroupName`](#parameter-privatednszonegroupname) | string | The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | -### Parameter: `applicationSecurityGroups` +### Parameter: `applicationSecurityGroupResourceIds` Application security groups in which the private endpoint IP configuration is included. - Required: No - Type: array -- Default: `[]` ### Parameter: `customDnsConfigs` Custom DNS configurations. - Required: No - Type: array -- Default: `[]` ### Parameter: `customNetworkInterfaceName` The custom name of the network interface attached to the private endpoint. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` -Enable telemetry via a Globally Unique Identifier (GUID). +Enable/Disable usage telemetry for module. - Required: No - Type: bool - Default: `True` @@ -311,7 +301,6 @@ Subtype(s) of the connection to be created. The allowed values depend on the typ A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -- Default: `[]` ### Parameter: `location` 
@@ -322,18 +311,36 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `manualPrivateLinkServiceConnections` Manual PrivateLink Service Connections. - Required: No - Type: array -- Default: `[]` ### Parameter: `name` 
@@ -341,19 +348,85 @@ Name of the private endpoint resource to create. - Required: Yes - Type: string -### Parameter: `privateDnsZoneGroup` +### Parameter: `privateDnsZoneGroupName` -The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones. +The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. - Required: No -- Type: object -- Default: `{object}` +- Type: string + +### Parameter: `privateDnsZoneResourceIds` + +The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. +- Required: No +- Type: array ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceResourceId` 
@@ -372,7 +445,6 @@ Resource ID of the subnet where the endpoint needs to be created. Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index c47ebca698..c432aaf71e 100644 --- a/modules/network/private-endpoint/main.bicep +++ b/modules/network/private-endpoint/main.bicep 
@@ -12,48 +12,59 @@ param subnetResourceId string
 param serviceResourceId string
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
-param applicationSecurityGroups array = []
+param applicationSecurityGroupResourceIds array?
 @description('Optional. The custom name of the network interface attached to the private endpoint.')
-param customNetworkInterfaceName string = ''
+param customNetworkInterfaceName string?
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
-param ipConfigurations array = []
+param ipConfigurations array?
 @description('Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to.')
 param groupIds array
-@description('Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones.')
-param privateDnsZoneGroup object = {}
+@description('Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided.')
+param privateDnsZoneGroupName string?
+
+@description('Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.')
+param privateDnsZoneResourceIds array?
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
-param tags object = {}
+param tags object?
 @description('Optional. Custom DNS configurations.')
-param customDnsConfigs array = []
+param customDnsConfigs array?
 @description('Optional. Manual PrivateLink Service Connections.')
-param manualPrivateLinkServiceConnections array = []
+param manualPrivateLinkServiceConnections array?
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+@description('Optional. Enable/Disable usage telemetry for module.')
 param enableDefaultTelemetry bool = true
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -71,11 +82,13 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 location: location
 tags: tags
 properties: {
- applicationSecurityGroups: applicationSecurityGroups
- customDnsConfigs: customDnsConfigs
- customNetworkInterfaceName: customNetworkInterfaceName
- ipConfigurations: ipConfigurations
- manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections
+ applicationSecurityGroups: [for applicationSecurityGroupResourceId in (applicationSecurityGroupResourceIds ?? []): {
+ id: applicationSecurityGroupResourceId
+ }]
+ customDnsConfigs: customDnsConfigs ?? []
+ customNetworkInterfaceName: customNetworkInterfaceName ?? ''
+ ipConfigurations: ipConfigurations ?? []
+ manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections ?? []
 privateLinkServiceConnections: [
 {
 name: name
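Review bot: `var builtInRoleNames` resolves only ten display names, whereas the deleted nested_roleAssignments.bicep resolved a much longer list (for example 'User Access Administrator', 'Storage Account Contributor', 'Monitoring Reader'), and neither the `roleAssignments` description nor the README says which names still resolve. A caller that keeps passing one of the dropped names will, in the role assignment resource in the later hunk, fall through `contains(builtInRoleNames, …)` and send the bare display name as `roleDefinitionId`, which will presumably be rejected only at deployment time. Either restore the fuller list or state the contract above the map, e.g. `// Only the display names below are resolved; any other value must be a full role definition resource ID.`. The hunk's trailing context (`resource defaultTelemetry …`) continues outside the hunk.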
@@ -88,39 +101,40 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 subnet: {
 id: subnetResourceId
 }
- }
 }
-module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) {
- name: '${uniqueString(deployment().name)}-PE-PrivateDnsZoneGroup'
+module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneResourceIds)) {
+ name: '${uniqueString(deployment().name)}-PrivateEndpoint-PrivateDnsZoneGroup'
 params: {
- privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
+ name: privateDnsZoneGroupName ?? 'default'
+ privateDNSResourceIds: privateDnsZoneResourceIds ?? []
 privateEndpointName: privateEndpoint.name
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }
-resource privateEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${privateEndpoint.name}-${lock}-lock'
+resource privateEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: privateEndpoint
 }
-module privateEndpoint_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: privateEndpoint.id
+resource privateEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(privateEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: privateEndpoint
 }]
 @description('The resource group the private endpoint was deployed into.')
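Review bot: The new lock guard `if (!empty(lock ?? {}) && lock.?kind != 'None')` admits a lock object that sets only `name`: `{ name: 'x' }` is non-empty and its null `kind` is not `'None'`, so the resource is created with `level: lock.?kind ?? ''`, an empty level that the locks API will presumably reject at deployment. Treating a missing kind as "no lock" closes that gap and makes the `?? ''` fallback unreachable: `if ((lock.?kind ?? 'None') != 'None')`. Separately, the inline comment on `conditionVersion` misspells the property; `// Must only be set if condition is set`. The hunk's trailing context `@description('The resource group …')` belongs to an output defined outside the hunk.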
@@ -134,3 +148,38 @@ output name string = privateEndpoint.name
 @description('The location the resource was deployed into.')
 output location string = privateEndpoint.location
+
+// ================ //
+// Definitions //
+// ================ //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json
index afc81174b1..a4b1899571 100644
--- a/modules/network/private-endpoint/main.json
+++ b/modules/network/private-endpoint/main.json
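Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the trailing `?` already admits null, and the compiled main.json in this commit lists only the five string values with `"nullable": true`. Dropping the inner `| null` keeps the member consistent with the other optional members: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The `kind` description in `lockType` could also say what `'None'` means, since the lock resource in the earlier hunk is skipped for it: `@description('Optional. Specify the type of lock. \'None\' creates no lock.')`.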
@@ -1,16 +1,110 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -30,23 +124,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
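Review bot: `applicationSecurityGroupResourceIds` changes the contract from ASG objects to plain resource ID strings (the compiled resource wraps each entry into `{ id: ... }` in hunk `@@ -137,18 +243,26 @@`), but its description is carried over unchanged and still reads as if the caller passes the groups themselves. Since main.json is compiled output, the `@description` on that parameter in main.bicep should be updated and the template regenerated, e.g. `"description": "Optional. Resource IDs of the application security groups in which the private endpoint IP configuration is included."`. The same applies to `ipConfigurations`, `customDnsConfigs` and `manualPrivateLinkServiceConnections`, which become nullable arrays of untyped objects with no description of the expected object shape.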
@@ -57,11 +151,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -72,41 +173,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
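Review bot: The `roleAssignments` description still promises that `roleDefinitionIdOrName` accepts any role display name, but in this template only the ten names in `variables('builtInRoleNames')` (hunk `@@ -115,15 +209,27 @@`) resolve; every other string is passed through verbatim as `roleDefinitionId` (hunk `@@ -163,33 +277,58 @@`), so names the removed nested template used to map, e.g. 'Storage Account Contributor' or 'User Access Administrator', now fail at deployment rather than resolving. Since this is compiled output, the `@description` on `roleAssignments` in main.bicep should state the resolvable set, e.g. append `Display names are resolved only for the roles listed in the module's builtInRoleNames; pass the fully qualified role definition ID for any other role.` The new `lock` description 'The lock settings of the service.' could likewise say that omitting the object or setting kind to 'None' creates no lock.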
@@ -115,15 +209,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -137,18 +243,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -163,33 +277,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
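Review bot: The `privateEndpoint_lock` condition is true for a lock object that carries only `name` (kind omitted), because it excludes only `kind == 'None'`; `level` then resolves to `coalesce(tryGet(parameters('lock'), 'kind'), '')`, i.e. an empty string, which the locks resource provider does not accept, so the deployment fails at runtime instead of at validation. Since main.json is compiled output the guard belongs in the lock resource condition in main.bicep (outside the visible hunks) followed by a regenerate; the compiled equivalent is `"condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(empty(tryGet(parameters('lock'), 'kind'))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]"`. The `privateEndpoint_roleAssignments` name is `guid(<endpoint id>, principalId, roleDefinitionIdOrName)` computed from the unresolved input, so the same role given once by display name and once by definition ID for one principal produces two resource names and the second assignment conflicts at deployment time; a sentence on that in the parameter description would save callers a confusing failure.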
@@ -205,7 +344,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5610247137574346230"
+ "templateHash": "16391702514342252839"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -237,7 +376,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
@@ -305,187 +444,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -513,7 +475,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/network/private-endpoint/private-dns-zone-group/README.md b/modules/network/private-endpoint/private-dns-zone-group/README.md
index 2aebf21298..d6c0e0b294 100644
--- a/modules/network/private-endpoint/private-dns-zone-group/README.md
+++ b/modules/network/private-endpoint/private-dns-zone-group/README.md
@@ -33,12 +33,12 @@ This module deploys a Private Endpoint Private DNS Zone Group.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
+| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`name`](#parameter-name) | string | The name of the private DNS zone group. |
 ### Parameter: `enableDefaultTelemetry`
-Enable telemetry via a Globally Unique Identifier (GUID).
+Enable/Disable usage telemetry for module.
 - Required: No
 - Type: bool
 - Default: `True`
diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.bicep b/modules/network/private-endpoint/private-dns-zone-group/main.bicep
index 316f0800b6..49a089a700 100644
--- a/modules/network/private-endpoint/private-dns-zone-group/main.bicep
+++ b/modules/network/private-endpoint/private-dns-zone-group/main.bicep
@@ -13,9 +13,16 @@ param privateDNSResourceIds array
 @description('Optional. The name of the private DNS zone group.')
 param name string = 'default'
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+@description('Optional. Enable/Disable usage telemetry for module.')
 param enableDefaultTelemetry bool = true
+var privateDnsZoneConfigs = [for privateDNSResourceId in privateDNSResourceIds: {
+ name: last(split(privateDNSResourceId, '/'))!
+ properties: {
+ privateDnsZoneId: privateDNSResourceId
+ }
+}]
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -28,13 +35,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-var privateDnsZoneConfigs = [for privateDNSResourceId in privateDNSResourceIds: {
- name: last(split(privateDNSResourceId, '/'))!
- properties: {
- privateDnsZoneId: privateDNSResourceId
- }
-}]
-
 resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' existing = {
 name: privateEndpointName
 }
diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.json b/modules/network/private-endpoint/private-dns-zone-group/main.json
index a631f45296..4216fc2481 100644
--- a/modules/network/private-endpoint/private-dns-zone-group/main.json
+++ b/modules/network/private-endpoint/private-dns-zone-group/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5610247137574346230"
+ "templateHash": "16391702514342252839"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -37,7 +37,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
diff --git a/modules/network/private-endpoint/version.json b/modules/network/private-endpoint/version.json
index 04a0dd1a80..7fa401bdf7 100644
--- a/modules/network/private-endpoint/version.json
+++ b/modules/network/private-endpoint/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
+ "version": "0.1",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep
index a5eedb8ff6..a28b7465fe 100644
--- a/modules/purview/account/main.bicep
+++ b/modules/purview/account/main.bicep
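Review bot: `version.json` moves from 0.5 to 0.1 in the same commit that renames `applicationSecurityGroups`, replaces `privateDnsZoneGroup` with two parameters and turns `lock` from a string into an object — all breaking for existing callers — so a consumer pinned at 0.5 will not treat this as a newer release and the breaking change is not signalled by the version at all. Unless the module is deliberately being re-versioned from scratch under the new registry schema, the version should move forward (e.g. `"version": "0.6"` or a new major line) and the renamed parameters should be listed in the module's README or changelog.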
@@ -179,14 +179,15 @@ module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [f
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
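Review bot: The default for `lock` changes from the account-level `lock` parameter to `null`, so a private endpoint entry without its own `lock` is no longer locked even when the Purview account is; every caller that relied on inheritance silently loses delete/modify protection on its endpoints. The same line recurs in the `portal_privateEndpoints`, `blob_privateEndpoints` and `queue_privateEndpoints` hunks below. If the account-level `lock` is still the string it was when it was passed straight through (its declaration is outside this diff), inheritance can be kept by converting to the new object shape, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (empty(lock) ? null : { kind: lock })`; if it has already become an object, passing it as the default again is enough, and otherwise the behaviour change belongs in the README. The enclosing `module account_privateEndpoints … = [for …]` begins before this hunk.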
@@ -202,14 +203,15 @@ module portal_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
@@ -225,14 +227,15 @@ module blob_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
     subnetResourceId: privateEndpoint.subnetResourceId
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
-    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
-    privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+    privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+    privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
     roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
     tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
     manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
     customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
     ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
-    applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+    applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
     customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
   }
 }]
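Review bot: The `'default'` fallback for `privateDnsZoneGroupName` duplicates a default the child module already owns (`coalesce(parameters('privateDnsZoneGroupName'), 'default')` in the compiled template), whereas the neighbouring `lock` line defers to the child with `null`. Passing `null` here as well, `privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : null`, keeps a single source of truth for the group name so the two defaults cannot drift apart; the child parameter is declared nullable, so this is safe. The same duplicated literal appears in the other four private-endpoint loops of this file. The enclosing `blob_privateEndpoints` loop starts before this hunk.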
@@ -248,14 +251,15 @@ module queue_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
     subnetResourceId: privateEndpoint.subnetResourceId
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
-    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
-    privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+    privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+    privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
     roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
     tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
     manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
     customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
     ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
-    applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+    applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
     customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
   }
 }]
@@ -271,14 +275,15 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [
     subnetResourceId: privateEndpoint.subnetResourceId
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
-    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
-    privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+    privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+    privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
     roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
     tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
     manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
     customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
     ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
-    applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+    applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
     customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
   }
 }]
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index 9133d24ca9..6e06abbf04 100644 --- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5252602419334487318" + "templateHash": "15558179031727764706" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", 
@@ -300,29 +300,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('accountPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', 
parameters('accountPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + 
"templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." 
+ } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -342,23 +437,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -369,11 +464,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -384,41 +486,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -427,15 +522,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -449,18 +556,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -475,33 +590,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -517,7 +657,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -549,7 +689,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -617,187 +757,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -825,7 +788,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } 
@@ -864,29 +827,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('portalPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].tags), 
createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", 
"description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." 
+ } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -906,23 +964,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
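Review bot: The `lock` mapping in this hunk drops the fallback to the parent's `lock` parameter — `createObject('value', parameters('lock'))` becomes `createObject('value', null())` — so a delete lock set on the parent resource no longer covers the portal private endpoints unless each entry carries its own `lock`. If that is not intentional, keep the inheritance in the Bicep source, `lock: privateEndpoint.?lock ?? lock` (compiling to `createObject('value', parameters('lock'))`), assuming the parent's `lock` parameter has been migrated to the same `lockType`. The same change is repeated for the `storageBlobPrivateEndpoints` mapping later in this diff. The nested deployment resource whose parameters are mapped here starts before this hunk.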
@@ -933,11 +991,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
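Review bot: `privateDnsZoneResourceIds` is documented as limited to 5 zones but nothing enforces it, so an oversized array is only rejected when the nested zone-group deployment runs. Adding `"maxLength": 5` to the parameter (`@maxLength(5)` on the Bicep source parameter) fails at validation time instead. The description also reads awkwardly; `Optional. The resource IDs of the private DNS zones to associate with the private endpoint. A DNS zone group can support up to 5 DNS zones.` is clearer.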
@@ -948,41 +1013,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -991,15 +1049,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
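Review bot: `builtInRoleNames` now resolves only ten display names, while the `roleAssignments` description (unchanged in this diff) still promises that any role display name is accepted; a caller passing e.g. `User Access Administrator` or `Virtual Machine Contributor`, which the removed nested template resolved, now has the bare string passed through as `roleDefinitionId` and fails at deployment with an unhelpful error. Trimming the table to network/DNS roles is defensible (it narrows what can be granted at this scope), but then list the supported names in the parameter description, e.g. append `Built-in display names resolved by this module: Contributor, DNS Resolver Contributor, DNS Zone Contributor, Domain Services Contributor, Domain Services Reader, Network Contributor, Owner, Private DNS Zone Contributor, Reader, Role Based Access Control Administrator (Preview); any other value must be a role definition resource ID.`, and call the change out as breaking. The `resources` object and the `defaultTelemetry` resource opened here continue past the hunk.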
@@ -1013,18 +1083,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1039,33 +1117,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
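Review bot: `privateEndpoint_lock` deploys whenever the `lock` object is non-empty and `kind` is not `None`, so `{ name: 'x' }` without `kind` (both properties are nullable in `lockType`) passes the condition and sends `"level": ""`, which is not a valid lock level; guard on the kind instead: `"condition": "[and(not(empty(tryGet(parameters('lock'), 'kind'))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]"` (in the Bicep source, test `lock.?kind` rather than the object). Separately, the role assignment `name` is seeded with the unresolved `roleDefinitionIdOrName`, so the same assignment expressed once by display name and once by ID gets two different deterministic names and the second deployment hits a RoleAssignmentExists conflict; seeding `guid()` with the resolved role definition ID avoids that, though changing the seed is itself breaking for existing deployments. Note too that each entry now needs a single `principalId` where the removed nested template accepted a `principalIds` array, so existing parameter files break at the `.principalId` access with no validation message. The `privateEndpoint_privateDnsZoneGroup` deployment opened at the end of this hunk continues past it.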
@@ -1081,7 +1184,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1113,7 +1216,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1181,199 +1284,22 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] + } + }, + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint was deployed into." + }, + "value": "[resourceGroup().name]" }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." 
+ "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint." }, "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" }, @@ -1389,7 +1315,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } 
@@ -1428,29 +1354,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageBlobPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'tags'), 
createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", 
"version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1470,23 +1491,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -1497,11 +1518,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1512,41 +1540,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1555,15 +1576,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1577,18 +1610,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1603,33 +1644,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1645,7 +1711,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1677,7 +1743,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1745,187 +1811,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1953,7 +1842,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } 
@@ -1992,29 +1881,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageQueuePrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": 
"[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -2034,23 +2018,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -2061,11 +2045,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -2076,41 +2067,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -2119,15 +2103,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2141,18 +2137,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -2167,33 +2171,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -2209,7 +2238,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2241,7 +2270,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -2309,187 +2338,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2517,7 +2369,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } 
@@ -2556,29 +2408,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('eventHubPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', 
parameters('eventHubPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + 
"templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." 
+ } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -2598,23 +2545,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -2625,11 +2572,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -2640,41 +2594,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -2683,15 +2630,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2705,18 +2664,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -2731,33 +2698,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -2773,7 +2765,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2805,7 +2797,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -2873,187 +2865,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -3081,7 +2896,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/recovery-services/vault/.test/common/dependencies.bicep b/modules/recovery-services/vault/.test/common/dependencies.bicep index e18632bb52..12b8653f54 100644 --- a/modules/recovery-services/vault/.test/common/dependencies.bicep +++ b/modules/recovery-services/vault/.test/common/dependencies.bicep @@ -60,4 +60,4 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI output managedIdentityResourceId string = managedIdentity.id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep index aa714983ad..3f19289ce8 100644 --- a/modules/recovery-services/vault/.test/common/main.test.bicep +++ b/modules/recovery-services/vault/.test/common/main.test.bicep @@ -321,7 +321,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'AzureSiteRecovery' diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index c7bbaa77ff..0c6de6ac3a 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -315,7 +315,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'AzureSiteRecovery' 
@@ -651,7 +651,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "AzureSiteRecovery", diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index 5a7a9bdaf3..ec42444c6c 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep 
@@ -295,14 +295,15 @@ module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
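Review bot: The new `lock` line changes the fallback from the vault-level `lock` to `null`, so private endpoints created through this module no longer inherit the vault's lock unless each `privateEndpoints` entry sets its own; a vault deployed with a `CanNotDelete` lock can now end up with unlocked endpoints, and nothing in the commit documents that loss of the guardrail. If the parent `lock` parameter is still the old string form it presumably cannot be passed to the child's new object type, but in that case the non-inheritance should be stated in the `privateEndpoints` parameter description and README rather than left implicit. Suggested comment on that line: `// lock is not inherited from the vault; set it per privateEndpoints entry`. The same change appears in the modules/relay/namespace/main.bicep hunk at -256,14. The enclosing `rsv_privateEndpoints` loop starts outside the hunk.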
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index 8a77b1b8fe..e8468c9338 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9931998458625198588" + "templateHash": "1948691212198738102" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", 
@@ -1904,29 +1904,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1946,23 +2041,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1973,11 +2068,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1988,41 +2090,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -2031,15 +2126,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2053,18 +2160,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -2079,33 +2194,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -2121,7 +2261,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2153,7 +2293,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -2221,187 +2361,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2429,7 +2392,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep
index 219a764842..a08444f919 100644
--- a/modules/relay/namespace/.test/common/main.test.bicep
+++ b/modules/relay/namespace/.test/common/main.test.bicep
@@ -160,11 +160,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'namespace'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/relay/namespace/.test/pe/main.test.bicep b/modules/relay/namespace/.test/pe/main.test.bicep
index a2d978e556..30ac3bfaba 100644
--- a/modules/relay/namespace/.test/pe/main.test.bicep
+++ b/modules/relay/namespace/.test/pe/main.test.bicep
@@ -54,11 +54,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'namespace'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index f9d8f5efff..2df4924adc 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -117,11 +117,9 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'namespace'
 subnetResourceId: ''
 tags: {
@@ -263,11 +261,9 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "namespace",
 "subnetResourceId": "",
 "tags": {
@@ -387,11 +383,9 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'namespace'
 subnetResourceId: ''
 tags: {
@@ -434,11 +428,9 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "namespace",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep
index 58fe8148c0..f6644258f3 100644
--- a/modules/relay/namespace/main.bicep
+++ b/modules/relay/namespace/main.bicep
@@ -256,14 +256,15 @@ module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
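Review bot: The new line `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null` drops the previous fall-back to the namespace-level `lock`, so a locked namespace no longer propagates its lock to private endpoints that do not set one explicitly; the search-service main.bicep hunk further down makes the same change. If this is intentional because the private-endpoint module's `lock` is now an object with a `kind` rather than a string (the parent's `lock` parameter is outside this hunk, so whether it was converted is not visible here), the line deserves a comment such as `// lock is not inherited from the namespace; set it per private endpoint` and a corresponding note in the README parameter table, since users relying on the inherited lock would otherwise lose it silently. Also, `privateDnsZoneGroupName` is defaulted to 'default' here although the child already applies that default, so passing `null` in the else-branch, as `lock` does, would avoid duplicating the value. The enclosing `module namespace_privateEndpoints` loop starts outside the hunk.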
diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index cc816b07e5..b055137299 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14563908102814128404" + "templateHash": "23772418360996492" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", 
@@ -1538,29 +1538,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1580,23 +1675,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1607,11 +1702,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1622,41 +1724,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1665,15 +1760,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1687,18 +1794,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1713,33 +1828,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1755,7 +1895,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1787,7 +1927,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1855,187 +1995,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2063,7 +2026,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/search/search-service/.test/pe/main.test.bicep b/modules/search/search-service/.test/pe/main.test.bicep
index a8e7fbd9b9..8c0b99b109 100644
--- a/modules/search/search-service/.test/pe/main.test.bicep
+++ b/modules/search/search-service/.test/pe/main.test.bicep
@@ -56,16 +56,12 @@ module testDeployment '../../main.bicep' = {
 publicNetworkAccess: 'disabled'
 privateEndpoints: [
 {
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
+ applicationSecurityGroupResourceIds: [
+ nestedDependencies.outputs.applicationSecurityGroupResourceId
+ ]
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
 service: 'searchService'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md
index 3cc54ce756..18d24c635b 100644
--- a/modules/search/search-service/README.md
+++ b/modules/search/search-service/README.md
@@ -274,16 +274,12 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- applicationSecurityGroups: [
- {
- id: ''
- }
+ applicationSecurityGroupResourceIds: [
+ ''
+ ]
+ privateDnsZoneResourceIds: [
+ ''
 ]
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
 service: 'searchService'
 subnetResourceId: ''
 tags: {
@@ -338,16 +334,12 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "applicationSecurityGroups": [
- {
- "id": ""
- }
+ "applicationSecurityGroupResourceIds": [
+ ""
+ ],
+ "privateDnsZoneResourceIds": [
+ ""
 ],
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
 "service": "searchService",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep
index 7e6828f7ed..b0b9eba7d9 100644
--- a/modules/search/search-service/main.bicep
+++ b/modules/search/search-service/main.bicep
@@ -229,14 +229,15 @@ module searchService_privateEndpoints '../../network/private-endpoint/main.bicep
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
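Review bot: The renamed keys are read from an untyped `privateEndpoint` object via `contains()`, so a caller that still passes the old `privateDnsZoneGroup` or `applicationSecurityGroups` entries gets them silently dropped and the endpoint deploys with no DNS zone group and no ASG membership rather than failing; a missing private DNS zone group is what leaves clients resolving the public FQDN, so this deserves either a compatibility shim such as `privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : (contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup.privateDNSResourceIds : [])` or an explicit note in the `privateEndpoints` parameter description that the key names changed. The `lock` fallback also moved from the module-level `lock` to `null`, so private endpoints no longer inherit the parent's lock unless each entry sets its own; if that is because the parent `lock` is still the string form that cannot be passed to the new object type, a one-line comment saying so would stop the next reader from restoring the inheritance by accident. The service-bus namespace hunk at `@@ -386,14 +386,15 @@` has the same two issues. The enclosing `module searchService_privateEndpoints` declaration starts before this hunk.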
diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 7a348d26c6..1b70046741 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6550974299074570161" + "templateHash": "3190976543296510988" }, "name": "Search Services", "description": "This module deploys a Search Service.", 
@@ -504,29 +504,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -546,23 +641,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -573,11 +668,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -588,41 +690,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -631,15 +726,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -653,18 +760,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -679,33 +794,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -721,7 +861,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -753,7 +893,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -821,187 +961,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1029,7 +992,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index b7ffb57b2a..73f2d61db6 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep @@ -195,11 +195,9 @@ module testDeployment '../../main.bicep' = { { service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/service-bus/namespace/.test/pe/main.test.bicep b/modules/service-bus/namespace/.test/pe/main.test.bicep index 6d1ab9dcc2..a8152faa4b 100644 --- a/modules/service-bus/namespace/.test/pe/main.test.bicep +++ b/modules/service-bus/namespace/.test/pe/main.test.bicep @@ -55,11 +55,9 @@ module testDeployment '../../main.bicep' = { { service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 67765a898b..b66c706fd1 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md 
@@ -106,11 +106,9 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 premiumMessagingPartitions: 1
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'namespace'
 subnetResourceId: ''
 tags: {
@@ -298,11 +296,9 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "namespace",
 "subnetResourceId": "",
 "tags": {
@@ -673,11 +669,9 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'namespace'
 subnetResourceId: ''
 tags: {
@@ -721,11 +715,9 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "namespace",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index df6693bb49..2b275b2bab 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -386,14 +386,15 @@ module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
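Review bot: The fallback for `lock` changes from the namespace-level `lock` to `null`, so a private endpoint entry that carries no `lock` of its own is no longer locked when the namespace is; if that is intended it should be stated in the `privateEndpoints` parameter description, otherwise the fallback should remain `lock` (which presumably now has to be the object shape the nested module's `lockType` expects, e.g. `{ kind: 'CanNotDelete' }`). The renamed keys (`privateDnsZoneGroup` → `privateDnsZoneResourceIds`, `applicationSecurityGroups` → `applicationSecurityGroupResourceIds`) are each read behind `contains(privateEndpoint, ...)`, so a caller still passing the old key silently gets the default — for DNS that means no private DNS zone group, leaving the endpoint's FQDN resolving to the public address and the private path unused, with no deployment error to point at the cause. Consider calling the rename out as a breaking change in the module's README, and, if `privateEndpoints` is declared with a user-defined type, a stale key would at least be surfaced at compile time. The `module serviceBusNamespace_privateEndpoints` declaration begins before the hunk.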
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index 974d711c69..4e96afbb9d 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2912791825816834309" + "templateHash": "662928290271524993" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", 
@@ -2143,29 +2143,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -2185,23 +2280,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -2212,11 +2307,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -2227,41 +2329,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -2270,15 +2365,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2292,18 +2399,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -2318,33 +2433,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -2360,7 +2500,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2392,7 +2532,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -2460,187 +2600,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2668,7 +2631,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } }
diff --git a/modules/signal-r-service/signal-r/.test/common/dependencies.bicep b/modules/signal-r-service/signal-r/.test/common/dependencies.bicep
index bb13e27479..3f02e7b5ad 100644
--- a/modules/signal-r-service/signal-r/.test/common/dependencies.bicep
+++ b/modules/signal-r-service/signal-r/.test/common/dependencies.bicep
@@ -56,7 +56,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
index 433523a64f..fe31b8c146 100644
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep
+++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
@@ -85,7 +85,7 @@ module testDeployment '../../main.bicep' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 service: 'signalr'
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index 3a6b8ee2c8..f802d9ca98 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
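Review bot: The `main.test.bicep` hunk only renames the output reference and keeps the `privateDnsZoneGroup: { privateDNSResourceIds: [ … ] }` shape, while the `main.bicep` hunk in this same diff now reads `privateDnsZoneResourceIds` and `privateDnsZoneGroupName` directly from each `privateEndpoint` object and no longer forwards `privateDnsZoneGroup` at all. Assuming `privateEndpoints` is an untyped array, the old key is silently ignored, the nested module's `privateDnsZoneResourceIds` falls back to `[]`, and the test deploys the private endpoint without a DNS zone group — so it no longer verifies that private-link name resolution is wired up, which is the property this test exists to cover. Replace the three lines with `privateDnsZoneResourceIds: [`, `nestedDependencies.outputs.privateDNSZoneResourceId` and `]`, dropping the `privateDnsZoneGroup:` wrapper. The web-pub-sub `main.test.bicep` hunks later in this diff, and the README usage examples of both modules, still show the same old shape and presumably need the same update once that module's wrapper is migrated. The enclosing `testDeployment` module declaration starts outside the hunk.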
@@ -79,7 +79,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'signalr'
@@ -180,7 +180,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "signalr",
diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep
index 94f0d16b8e..f872032e37 100644
--- a/modules/signal-r-service/signal-r/main.bicep
+++ b/modules/signal-r-service/signal-r/main.bicep
@@ -172,14 +172,15 @@ module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [f
 serviceResourceId: signalR.id
 subnetResourceId: privateEndpoint.subnetResourceId
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json
index 9936aee029..cae060bd25 100644
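Review bot: The per-endpoint `lock` fallback changes from the module-level `lock` to `null`, so a private endpoint created for a locked SignalR resource is now unlocked unless the caller repeats the lock inside each `privateEndpoints` entry; before this change the parent's delete/read-only lock propagated to the endpoint automatically. If the module-level `lock` parameter has not yet moved to the object shape the nested private-endpoint module now expects, that explains the `null`, but the dropped inheritance should then be stated in the README or in the `privateEndpoints` parameter description so operators do not assume the endpoint is still protected. Once the parent parameter is migrated, `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` restores the previous behavior. The `signalR_privateEndpoints` module declaration starts outside this hunk.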
--- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1694197592231434947" + "templateHash": "18228985273880895122" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", 
@@ -303,29 +303,124 @@ "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -345,23 +440,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -372,11 +467,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
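Review bot: The new `privateDnsZoneResourceIds` parameter description in the `@@ -372` hunk reads "The private DNS zone groups to associate the private endpoint", but the value is the list of private DNS zone resource IDs; the group itself is created by the module and named by `privateDnsZoneGroupName`. Suggested text: `"description": "Optional. The resource IDs of the private DNS zones to associate with the private endpoint. A DNS zone group can support up to 5 DNS zones."`. Likewise `applicationSecurityGroupResourceIds` in the `@@ -345` hunk keeps the old "Application security groups in which …" wording and should say it takes resource IDs. Since `main.json` is compiled output (`"_generator": { "name": "bicep" }`), the wording has to be fixed in the private-endpoint module's Bicep `@description` decorators, which are not part of this diff.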
@@ -387,41 +489,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -430,15 +525,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
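Review bot: `builtInRoleNames` in the nested private-endpoint template now resolves only ten display names, whereas the nested RBAC template this commit removes (`@@ -620` hunk later in the diff) resolved roughly forty, including `User Access Administrator`, `Virtual Machine Contributor` and `Storage Account Contributor`. Because the role-assignment resource falls back to using `roleDefinitionIdOrName` verbatim as `roleDefinitionId` when the name is not in the map, callers relying on one of the dropped names will get a deployment failure rather than a silently wrong assignment, which is the safer outcome — but it is still a breaking change for existing callers. The `roleAssignments` parameter description (previous hunk) still says only "you can provide either the display name of the role definition"; it should list, or link to, the names this module can resolve, and the reduction should be called out in the module's release notes.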
@@ -452,18 +559,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -478,33 +593,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
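Review bot: In `privateEndpoint_lock`, a `lock` object that carries only `name` satisfies the new condition (the object is non-empty and `kind` is not `'None'`) but then sets `level` to `''`, so the deployment presumably fails on the lock resource instead of on a clear validation message; the condition should additionally require `tryGet(parameters('lock'), 'kind')` to be non-empty. As `main.json` is compiled output, that fix belongs in the private-endpoint module's Bicep source, which is not part of this diff. Separately, `privateEndpoint_roleAssignments` seeds the deterministic `guid()` name with the unresolved `roleDefinitionIdOrName`, so the same principal/role/scope gets a different assignment name depending on whether the caller passes the display name or the full role definition ID; re-deploying with the other spelling would likely be rejected as a duplicate assignment rather than updated in place, so seeding the name with the resolved `roleDefinitionId` expression already computed in `properties` would keep redeployments idempotent. The `privateEndpoint_privateDnsZoneGroup` resource continues past the end of this hunk.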
@@ -520,7 +660,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -552,7 +692,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -620,187 +760,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -828,7 +791,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep b/modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep index 9ce0af1118..53f60ba74f 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep @@ -56,7 +56,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 841d4abf2d..e43e249e61 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -83,7 +83,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'webpubsub' diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep b/modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep index 4570a6d4b1..7817f5a5af 100644 --- a/modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep 
+++ b/modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep @@ -48,4 +48,4 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep index c2aaac2b49..d72345d64b 100644 --- a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep @@ -53,7 +53,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'webpubsub' diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 834852ff3f..0e2c18cbaa 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -79,7 +79,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'webpubsub' @@ -178,7 +178,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "webpubsub", @@ -292,7 +292,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'webpubsub' @@ -339,7 +339,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "webpubsub", 
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 455a9fc8a2..69b0410853 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep 
@@ -132,14 +132,15 @@ module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = serviceResourceId: webPubSub.id subnetResourceId: privateEndpoint.subnetResourceId location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' + privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' } }] 
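Review bot: The new `privateDnsZoneGroupName` / `privateDnsZoneResourceIds` inputs are read from each `privateEndpoint` object, yet the callers touched in this same commit still pass the old shape `privateDnsZoneGroup: { privateDNSResourceIds: [ ... ] }` (the `.test/common` and `.test/pe` `main.test.bicep` files and the README examples), so `contains(privateEndpoint, 'privateDnsZoneResourceIds')` is false, the nested `privateEndpoint_privateDnsZoneGroup` deployment is skipped, and the private endpoint is created with no private DNS zone group while the tests still pass. Unless `privateEndpoints` is typed to reject unknown keys (not visible here), the test callers should pass `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]`, the README should be regenerated, and the `@description` of `privateEndpoints` should list the accepted keys so this silent fall-through cannot recur. Separately, `lock:` now falls back to `null` instead of the module-level `lock`, so a lock set on the Web PubSub service no longer propagates to its private endpoints; if that is intentional because the child's `lock` is now an object (`lockType`) and the parent's presumably still a string, say so in the parameter description, otherwise pass the parent value through in the new object shape. The enclosing `module webPubSub_privateEndpoints ... = [for ...]` declaration starts before this hunk.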
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index ac949dffda..7bca5bb716 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16709379153478427185" + "templateHash": "11691998078416920042" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", 
@@ -250,29 +250,124 @@ "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -292,23 +387,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -319,11 +414,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -334,41 +436,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -377,15 +472,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -399,18 +506,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -425,33 +540,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -467,7 +607,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -499,7 +639,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -567,187 +707,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -775,7 +738,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/sql/server/.test/common/dependencies.bicep b/modules/sql/server/.test/common/dependencies.bicep index 161cf4486f..5f68856202 100644 --- a/modules/sql/server/.test/common/dependencies.bicep +++ b/modules/sql/server/.test/common/dependencies.bicep @@ -99,7 +99,7 @@ output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnet output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnets[1].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The URL of the created Key Vault Encryption Key.') output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index 6c3153cc5e..b0a38b0ad7 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep @@ -164,7 +164,7 @@ module testDeployment '../../main.bicep' = { service: 'sqlServer' privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } tags: { diff --git a/modules/sql/server/.test/pe/dependencies.bicep b/modules/sql/server/.test/pe/dependencies.bicep index f9a6790672..ef2f9239a0 100644 --- a/modules/sql/server/.test/pe/dependencies.bicep +++ b/modules/sql/server/.test/pe/dependencies.bicep 
@@ -47,4 +47,4 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/sql/server/.test/pe/main.test.bicep b/modules/sql/server/.test/pe/main.test.bicep index 4be390e0ab..8a638d4dd9 100644 --- a/modules/sql/server/.test/pe/main.test.bicep +++ b/modules/sql/server/.test/pe/main.test.bicep @@ -60,7 +60,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'sqlServer' diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 36bc8f5f0a..329c07b9ff 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -181,7 +181,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'sqlServer' @@ -335,7 +335,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "sqlServer", @@ -434,7 +434,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - '' + '' ] } service: 'sqlServer' @@ -486,7 +486,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { "privateDnsZoneGroup": { "privateDNSResourceIds": [ - "" + "" ] }, "service": "sqlServer", diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index f41f7bbfd1..e3ade2a5f8 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep 
@@ -241,14 +241,15 @@ module server_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index c7b7b619ef..ce9273e1dc 100644
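Review bot: The renamed keys in this hunk are looked up with `contains(privateEndpoint, 'privateDnsZoneResourceIds')` and `contains(privateEndpoint, 'applicationSecurityGroupResourceIds')`, so a caller that still passes the old `privateDnsZoneGroup` or `applicationSecurityGroups` keys gets the `[]` fallback silently: the endpoint deploys with no private DNS zone group and no application security group membership, and nothing fails at compile or deploy time because `privateEndpoints` is an untyped array. The `lock` fallback also changes from the module-level `lock` to `null`, so a server deployed with a lock no longer propagates that lock to its private endpoints unless each entry sets one; presumably this is because the referenced module now takes a `lockType` object, but the loss of delete protection should be called out. At minimum the `privateEndpoints` parameter description and the README should state the new key names and that the server lock is not inherited, e.g. `// NOTE: the module-level lock is not applied to private endpoints; set privateEndpoints[*].lock explicitly` above the `lock:` line. A user-defined type for `privateEndpoints` would turn the stale keys into a compile-time error instead of a silent downgrade. The enclosing `module server_privateEndpoints` declaration starts before this hunk.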
--- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9716612519097639469" + "templateHash": "4323187915659355433" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", @@ -474,7 +474,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7000207485744795208" + "templateHash": "14921090017328805601" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", @@ -1226,7 +1226,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1361594412163336206" + "templateHash": "2069769222124842536" }, "name": "SQL Server Elastic Pool", "description": "This module deploys an Azure SQL Server Elastic Pool.", 
@@ -1454,29 +1454,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1496,23 +1591,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -1523,11 +1618,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1538,41 +1640,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1581,15 +1676,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1603,18 +1710,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1629,33 +1744,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1671,7 +1811,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1703,7 +1843,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1771,187 +1911,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1979,7 +1942,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } @@ -2021,7 +1984,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17694214441241917212" + "templateHash": "17045860485834879442" }, "name": "Azure SQL Server Firewall Rule", "description": "This module deploys an Azure SQL Server Firewall Rule.", @@ -2151,7 +2114,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6942471200332924480" + "templateHash": "938348054010287381" }, "name": "Azure SQL Server Virtual Network Rules", "description": "This module deploys an Azure SQL Server Virtual Network Rule.", @@ -2283,7 +2246,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13278850436753309790" + "templateHash": "6325803563225314820" }, "name": "Azure SQL Server Security Alert Policies", "description": "This module deploys an Azure SQL Server Security Alert Policy.", @@ -2454,7 +2417,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10943798083405880032" + "templateHash": "2049927305875122003" }, "name": "Azure SQL Server Vulnerability Assessments", "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", @@ -2735,7 +2698,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1128739845456097575" + "templateHash": "17224807912051676418" }, "name": "Azure SQL Server Encryption Protector", "description": "This module deploys an Azure SQL Server Encryption Protector.", @@ -2874,4 +2837,4 @@ "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('name')), '2022-05-01-preview', 'full').location]" } } -} +} \ No newline at end of file 
diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep
index 4a706b1279..fd7f6d82b4 100644
--- a/modules/storage/storage-account/.test/common/main.test.bicep
+++ b/modules/storage/storage-account/.test/common/main.test.bicep
@@ -79,11 +79,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'blob'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/storage/storage-account/.test/encr/main.test.bicep b/modules/storage/storage-account/.test/encr/main.test.bicep
index 70659aa8f5..8d2d24e464 100644
--- a/modules/storage/storage-account/.test/encr/main.test.bicep
+++ b/modules/storage/storage-account/.test/encr/main.test.bicep
@@ -62,11 +62,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'blob'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 257e7ecc6c..5be3a36433 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -208,11 +208,9 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'blob'
 subnetResourceId: ''
 tags: {
@@ -480,11 +478,9 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "blob",
 "subnetResourceId": "",
 "tags": {
@@ -620,11 +616,9 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'blob'
 subnetResourceId: ''
 tags: {
@@ -707,11 +701,9 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "blob",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
index 89a565312e..e67cd0168b 100644
--- a/modules/storage/storage-account/main.bicep
+++ b/modules/storage/storage-account/main.bicep
@@ -351,14 +351,15 @@ module storageAccount_privateEndpoints '../../network/private-endpoint/main.bice
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
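Review bot: The first added line, `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null`, drops the previous fallback to the storage account's module-level `lock`, so a private endpoint entry that does not set its own `lock` is now deployed without one even when the parent account is locked, which weakens the deletion protection callers got before. This looks forced by the private-endpoint module's `lock` parameter becoming an object (`"$ref": "#/definitions/lockType"` in the main.json hunk `@@ -816,41 +918,34`), presumably because the storage account's own `lock` is still the older string form, but nothing in the hunk records that and a later reader may well restore the inheritance. A one-line comment above it would settle it: `// lock is deliberately not inherited from the module-level lock: the private-endpoint module now expects a lockType object`. The README examples and the module description should also mention that per-endpoint locks must now be set explicitly. The `storageAccount_privateEndpoints` module declaration begins before this hunk.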
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 8ffb72979b..37226f763b 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5401777351755094753" + "templateHash": "4491569988152591675" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", 
@@ -732,29 +732,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -774,23 +869,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -801,11 +896,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -816,41 +918,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -859,15 +954,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -881,18 +988,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -907,33 +1022,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -949,7 +1089,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -981,7 +1121,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1049,187 +1189,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1257,7 +1220,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/modules/synapse/private-link-hub/.test/common/dependencies.bicep b/modules/synapse/private-link-hub/.test/common/dependencies.bicep index 8321451459..d7ca02fccb 100644 --- a/modules/synapse/private-link-hub/.test/common/dependencies.bicep +++ b/modules/synapse/private-link-hub/.test/common/dependencies.bicep @@ -68,7 +68,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- output subnetResourceId string = virtualNetwork.properties.subnets[0].id @description('The resource ID of the created Private DNS Zone.') -output privateDNSResourceId string = privateDNSZone.id +output privateDNSZoneResourceId string = privateDNSZone.id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep index fd9d7be35d..d907000003 100644 --- a/modules/synapse/private-link-hub/.test/common/main.test.bicep +++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep @@ -59,7 +59,7 @@ module testDeployment '../../main.bicep' = { { privateDnsZoneGroup: { privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSResourceId + nestedDependencies.outputs.privateDNSZoneResourceId ] } service: 'Web' diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 9a56960925..ddc5efb77d 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md 
@@ -53,7 +53,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'Web'
@@ -117,7 +117,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "Web",
diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep
index 6c70f61162..f377f95757 100644
--- a/modules/synapse/private-link-hub/main.bicep
+++ b/modules/synapse/private-link-hub/main.bicep
@@ -84,14 +84,15 @@ module privateLinkHub_privateEndpoints '../../network/private-endpoint/main.bice
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
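Review bot: The new `privateDnsZoneResourceIds` / `privateDnsZoneGroupName` mapping in this hunk is not matched by the private-link-hub test earlier in this patch, which still passes `privateDnsZoneGroup: { privateDNSResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ] }` (that hunk only renames the referenced output), so `contains(privateEndpoint, 'privateDnsZoneResourceIds')` is false, the DNS zone list falls through to `[]`, and the private DNS zone group path is no longer exercised by the test; the README usage example at line 53 shows the same stale shape. The test should pass `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]` directly, and the workspace test in this patch appears to have the same shape, worth checking against its `main.bicep` change which is outside this chunk. Separately, the `lock` fallback changes from the module-scope `lock` (presumably the hub's `lock` parameter) to `null`, so a lock configured on the hub no longer propagates to its private endpoints; if that is intended, the `privateEndpoints` parameter description should state that each endpoint's lock must now be set per entry. The enclosing `privateLinkHub_privateEndpoints` module declaration starts before this hunk.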
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json index 0bb44ec6f8..080b2e1d7a 100644 --- a/modules/synapse/private-link-hub/main.json +++ b/modules/synapse/private-link-hub/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "691957729768991822" + "templateHash": "11333441944276260174" }, "name": "Azure Synapse Analytics", "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", 
@@ -283,29 +283,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -325,23 +420,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -352,11 +447,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -367,41 +469,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -410,15 +505,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -432,18 +539,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -458,33 +573,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -500,7 +640,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -532,7 +672,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -600,187 +740,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -808,7 +771,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/synapse/workspace/.test/common/dependencies.bicep b/modules/synapse/workspace/.test/common/dependencies.bicep
index c49fab5adc..52da267176 100644
--- a/modules/synapse/workspace/.test/common/dependencies.bicep
+++ b/modules/synapse/workspace/.test/common/dependencies.bicep
@@ -83,7 +83,7 @@ output managedIdentityResourceId string = managedIdentity.id
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 
 @description('The resource ID of the created Private DNS Zone.')
-output privateDNSResourceId string = privateDNSZone.id
+output privateDNSZoneResourceId string = privateDNSZone.id
 
 @description('The resource ID of the created Storage Account.')
 output storageAccountResourceId string = storageAccount.id
diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep
index 0791962ad8..b0c3a9f6e5 100644
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -89,7 +89,7 @@ module testDeployment '../../main.bicep' = {
 service: 'SQL'
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSResourceId
+ nestedDependencies.outputs.privateDNSZoneResourceId
 ]
 }
 tags: {
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index dacfa2772f..7f228e9711 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -84,7 +84,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {
 {
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
- ''
+ ''
 ]
 }
 service: 'SQL'
@@ -183,7 +183,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {
 {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
- ""
+ ""
 ]
 },
 "service": "SQL",
diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep
index 6dabffcafb..ec1e80bd8e 100644
--- a/modules/synapse/workspace/main.bicep
+++ b/modules/synapse/workspace/main.bicep
@@ -300,14 +300,15 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
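Review bot: The new `lock:` line changes the fallback from the workspace-level `lock` to `null`, so a lock set on the Synapse workspace no longer propagates to its private endpoints unless each `privateEndpoints` entry carries its own `lock`; if that is deliberate because the private-endpoint module now takes a lock object (`kind`/`name`) while the workspace parameter is presumably still a string, a comment should say so, e.g. `// workspace-level lock is not forwarded: the private-endpoint module expects a lock object, not the string parameter`. The renamed keys are also a silent breaking change: `privateEndpoints` appears to be an untyped array, so a caller still passing `privateDnsZoneGroup` or `applicationSecurityGroups` gets no error, the endpoint is deployed with no DNS zone group, and name resolution for the service keeps pointing at the public endpoint. A user-defined type for the `privateEndpoints` parameter (the nested template in this commit already relies on `languageVersion` 2.0 definitions) would reject the legacy keys at compile time; at minimum the README entry for `privateEndpoints` should list `privateDnsZoneResourceIds` and `applicationSecurityGroupResourceIds` as the replacements. The enclosing `workspace_privateEndpoints` module declaration starts outside the hunk.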
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index 0642e4d17a..3f91c6fb88 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14937890692678451468"
+ "templateHash": "14717079863067599908"
 },
 "name": "Synapse Workspaces",
 "description": "This module deploys a Synapse Workspace.",
@@ -836,29 +836,124 @@
 "value": "[variables('enableReferencedModulesTelemetry')]"
 },
 "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
- "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]",
- "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]",
+ "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]",
+ "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
+ "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
 "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
- "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]",
+ "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]",
 "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]"
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "2884140170473394983"
+ "templateHash": "16178508232344722616"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "roleAssignmentType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -878,23 +973,23 @@
 "description": "Required. Resource ID of the resource that needs to be connected to the network."
 }
 },
- "applicationSecurityGroups": {
+ "applicationSecurityGroupResourceIds": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Application security groups in which the private endpoint IP configuration is included."
 }
 },
 "customNetworkInterfaceName": {
 "type": "string",
- "defaultValue": "",
+ "nullable": true,
 "metadata": {
 "description": "Optional. The custom name of the network interface attached to the private endpoint."
 }
 },
 "ipConfigurations": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
 }
@@ -905,11 +1000,18 @@
 "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to."
 }
 },
- "privateDnsZoneGroup": {
- "type": "object",
- "defaultValue": {},
+ "privateDnsZoneGroupName": {
+ "type": "string",
+ "nullable": true,
 "metadata": {
- "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones."
+ "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided."
+ }
+ },
+ "privateDnsZoneResourceIds": {
+ "type": "array",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones."
 }
 },
 "location": {
@@ -920,41 +1022,34 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags to be applied on all resources/resource groups in this deployment."
 }
 },
 "customDnsConfigs": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
 }
 },
 "manualPrivateLinkServiceConnections": {
 "type": "array",
- "defaultValue": [],
+ "nullable": true,
 "metadata": {
 "description": "Optional. Manual PrivateLink Service Connections."
 }
@@ -963,15 +1058,27 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
 "variables": {
- "enableReferencedModulesTelemetry": false
+ "enableReferencedModulesTelemetry": false,
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
+ "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+ }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -985,18 +1092,26 @@
 }
 }
 },
- {
+ "privateEndpoint": {
 "type": "Microsoft.Network/privateEndpoints",
 "apiVersion": "2023-04-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
 "properties": {
- "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]",
- "customDnsConfigs": "[parameters('customDnsConfigs')]",
- "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]",
- "ipConfigurations": "[parameters('ipConfigurations')]",
- "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]",
+ "copy": [
+ {
+ "name": "applicationSecurityGroups",
+ "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]",
+ "input": {
+ "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]"
+ }
+ }
+ ],
+ "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
+ "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
+ "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
 "privateLinkServiceConnections": [
 {
 "name": "[parameters('name')]",
@@ -1011,33 +1126,58 @@
 }
 }
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "privateEndpoint_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]"
+ "privateEndpoint"
 ]
 },
- {
- "condition": "[not(empty(parameters('privateDnsZoneGroup')))]",
+ "privateEndpoint_roleAssignments": {
+ "copy": {
+ "name": "privateEndpoint_roleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]",
+ "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "properties": {
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "privateEndpoint"
+ ]
+ },
+ "privateEndpoint_privateDnsZoneGroup": {
+ "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]",
+ "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
 },
 "mode": "Incremental",
 "parameters": {
+ "name": {
+ "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]"
+ },
 "privateDNSResourceIds": {
- "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]"
+ "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]"
 },
 "privateEndpointName": {
 "value": "[parameters('name')]"
@@ -1053,7 +1193,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5610247137574346230"
+ "templateHash": "16391702514342252839"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
@@ -1085,7 +1225,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+ "description": "Optional. Enable/Disable usage telemetry for module."
 }
 }
 },
@@ -1153,187 +1293,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1361,7 +1324,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep
index 1e12bb9d94..dd5a5d4bc4 100644
--- a/modules/web/site/.test/functionAppCommon/main.test.bicep
+++ b/modules/web/site/.test/functionAppCommon/main.test.bicep
@@ -149,11 +149,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'sites'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep
index 96c3cde865..1c2525b809 100644
--- a/modules/web/site/.test/webAppCommon/main.test.bicep
+++ b/modules/web/site/.test/webAppCommon/main.test.bicep
@@ -129,11 +129,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'sites'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/web/site/README.md b/modules/web/site/README.md
index 2e79002447..1e11c9249f 100644
--- a/modules/web/site/README.md
+++ b/modules/web/site/README.md
@@ -142,11 +142,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'sites'
 subnetResourceId: ''
 tags: {
@@ -309,11 +307,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "sites",
 "subnetResourceId": "",
 "tags": {
@@ -460,11 +456,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 ]
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'sites'
 subnetResourceId: ''
 tags: {
@@ -619,11 +613,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "sites",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep
index f234ad2d46..68150dd4bd 100644
--- a/modules/web/site/main.bicep
+++ b/modules/web/site/main.bicep
@@ -419,14 +419,15 @@ module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index af5a3ed4e0..b4f7e806bc 100644
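Review bot: The fallback for `lock` when a `privateEndpoints` entry does not set its own changes from the module-level `lock` to `null`, so private endpoints that previously inherited the site's lock are now deployed without one unless every entry repeats it; the compiled main.json hunks that now pass `createObject('value', null())` for `lock` carry the same change. If the switch is forced by the private-endpoint module's new `lockType` object (visible in the compiled template as `{ name, kind }`), the parent value can still be forwarded by wrapping it, e.g. `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : (!empty(lock) ? { kind: lock } : null)`, assuming the site module's `lock` parameter is still the string form — that type is not shown in the hunk. If dropping the inheritance is intended, the `privateEndpoints` parameter description in the README should state that each entry now has to declare its own lock, since a silently unlocked endpoint is easy to miss. The enclosing `app_privateEndpoints` module loop starts outside the hunk.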
--- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16969766511662743845" + "templateHash": "1810314773455463979" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", @@ -866,7 +866,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14108540523970367707" + "templateHash": "10608087316287962337" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1942,8 +1942,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", 
@@ -1951,17 +1952,111 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1981,23 +2076,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -2008,11 +2103,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -2023,41 +2125,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -2066,15 +2161,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2088,18 +2195,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -2114,33 +2229,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -2156,7 +2296,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2188,7 +2328,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -2256,187 +2396,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -2464,7 +2427,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } 
@@ -2965,29 +2928,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -3007,23 +3065,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -3034,11 +3092,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
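Review bot: The fallback for `lock` on the private-endpoint module call changed from `createObject('value', parameters('lock'))` to `createObject('value', null())`, so a lock set on the parent resource no longer propagates to its private endpoints unless each `privateEndpoints` entry sets `lock` itself; the same change appears in the `main.bicep` hunk at `@@ -347,8 +347,9 @@` and the slot `main.json` hunk at `@@ -1081,8 +1081,9 @@`. If the parent's `lock` parameter has not yet been migrated to the new `lockType` object, the null default is understandable, but the dropped inheritance is then a silent reduction of delete/modify protection and should be called out in the module README and changelog. Where the parent's `lock` already has the new type, the previous fallback (`: lock` in the Bicep source) can simply be kept. The enclosing module deployment inside the `privateEndpoints` copy loop starts outside the hunk.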
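Review bot: The description of the new `privateDnsZoneResourceIds` parameter reads `Optional. The private DNS zone groups to associate the private endpoint.`, but the value is an array of private DNS zone resource IDs, not zone groups, and the sentence is missing "with". Suggest `Optional. The resource IDs of the private DNS zones to associate with the private endpoint. A DNS zone group can support up to 5 DNS zones.`. Since `main.json` is generated, the wording belongs in the `@description` decorator of the module's `main.bicep`, followed by a rebuild.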
@@ -3049,41 +3114,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -3092,15 +3150,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
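Review bot: The new inline `builtInRoleNames` map resolves only ten display names, whereas the nested role-assignment deployment it replaces (removed at `@@ -3282,187 +3385,10 @@`) resolved about forty, including `User Access Administrator`, `Storage Account Contributor` and `Virtual Machine Contributor`. A caller that still passes one of the dropped names will now have that display name passed through unchanged as `roleDefinitionId` in `privateEndpoint_roleAssignments` and fail at deployment time rather than at validation. If trimming the set to network-relevant roles is intentional, the `roleAssignments` parameter description should list the supported names, as it still describes only the generic `roleDefinitionIdOrName` contract; otherwise keep the full list.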
@@ -3114,18 +3184,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -3140,33 +3218,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
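Review bot: In `privateEndpoint_lock`, the condition fires for any non-empty `lock` object whose `kind` is not `None`, but `level` is then `coalesce(tryGet(parameters('lock'), 'kind'), '')`; a caller that passes only `{ name: '...' }` (valid, since `kind` is nullable in the new `lockType` definition) therefore deploys a lock with an empty `level`, which `Microsoft.Authorization/locks` rejects, and the whole deployment fails. Gate on the kind being present as well, e.g. in the Bicep source `if (!empty(lock ?? {}) && lock.?kind != null && lock.?kind != 'None')`, and regenerate `main.json`. Alternatively make `kind` non-nullable in `lockType`, since a lock without a level has no meaning.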
@@ -3182,7 +3285,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -3214,7 +3317,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -3282,187 +3385,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -3490,7 +3416,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index f6435e2a38..c915d9df01 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -347,8 +347,9 @@ module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [f
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json
index 4e604fd935..2201875b2b 100644
--- a/modules/web/site/slot/main.json
+++ b/modules/web/site/slot/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14108540523970367707" + "templateHash": "10608087316287962337" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1081,8 +1081,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", 
@@ -1090,17 +1091,111 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1120,23 +1215,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } 
@@ -1147,11 +1242,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -1162,41 +1264,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1205,15 +1300,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1227,18 +1334,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1253,33 +1368,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1295,7 +1435,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1327,7 +1467,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1395,187 +1535,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1603,7 +1566,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]"
+ "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]"
 }
 }
 }
diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep
index 914204e453..1b11689d2d 100644
--- a/modules/web/static-site/.test/common/main.test.bicep
+++ b/modules/web/static-site/.test/common/main.test.bicep
@@ -62,11 +62,9 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'staticSites'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index 8e0bfb8865..ec237dd4ab 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -67,11 +67,9 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'staticSites'
 subnetResourceId: ''
 tags: {
@@ -154,11 +152,9 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "staticSites",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep
index 1dad12c914..9ac9ab96cb 100644
--- a/modules/web/static-site/main.bicep
+++ b/modules/web/static-site/main.bicep
@@ -205,14 +205,15 @@ module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
 tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : []
+ applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
 customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
 }
 }]
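Review bot: The renamed keys `privateDnsZoneResourceIds`, `privateDnsZoneGroupName` and `applicationSecurityGroupResourceIds` are read with `contains(privateEndpoint, ...)` on what looks like an untyped array entry, so a caller still passing the old `privateDnsZoneGroup` or `applicationSecurityGroups` keys gets no error — the entry falls through to `[]` and the endpoint is deployed without its DNS zone group or ASG membership. That is a quiet loss of network controls rather than a failed deployment, which is the worse failure mode for an infrastructure module. Consider a user-defined type for the `privateEndpoints` items (the compiled child template in this diff already uses `languageVersion` 2.0 definitions), or at minimum a `// breaking: privateDnsZoneGroup -> privateDnsZoneResourceIds + privateDnsZoneGroupName; applicationSecurityGroups -> applicationSecurityGroupResourceIds` comment above the module block plus a README note. The enclosing `staticSite_privateEndpoints` module loop starts outside the hunk.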
diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index b37f808c2f..5e59eef334 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12872096460250206815" + "templateHash": "3230698398886586988" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
@@ -885,29 +885,124 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', parameters('lock')))]", - "privateDnsZoneGroup": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroup'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroup), createObject('value', createObject()))]", + "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", + "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", "manualPrivateLinkServiceConnections": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroups": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroups'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroups), createObject('value', createArray()))]", + "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2884140170473394983" + "templateHash": "16178508232344722616" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + 
"items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -927,23 +1022,23 @@ "description": "Required. Resource ID of the resource that needs to be connected to the network." } }, - "applicationSecurityGroups": { + "applicationSecurityGroupResourceIds": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, "customNetworkInterfaceName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, "ipConfigurations": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } @@ -954,11 +1049,18 @@ "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." } }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "nullable": true, "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." } }, "location": { 
@@ -969,41 +1071,34 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, "customDnsConfigs": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Manual PrivateLink Service Connections." } 
@@ -1012,15 +1107,27 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1034,18 +1141,26 @@ } } }, - { + "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", "privateLinkServiceConnections": [ { "name": "[parameters('name')]", 
@@ -1060,33 +1175,58 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "privateEndpoint_roleAssignments": { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { + "name": { + "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" + }, "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" }, "privateEndpointName": { "value": "[parameters('name')]" 
@@ -1102,7 +1242,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5610247137574346230" + "templateHash": "16391702514342252839" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1134,7 +1274,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, 
@@ -1202,187 +1342,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "14351187799927334028" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + "privateEndpoint" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1410,7 +1373,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" } } } diff --git a/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 b/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 index 6d4eefd0f3..c00d655c9c 100644 --- a/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 +++ b/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 @@ -24,8 +24,19 @@ function Get-NestedResourceList { $res = @() $currLevelResources = @() + if ($TemplateFileContent.resources) { - $currLevelResources += $TemplateFileContent.resources + if ($TemplateFileContent.resources -is [System.Collections.Hashtable]) { + # With the introduction of user defined types, a compiled template's resources are not part of an ordered hashtable instead of an array. + $currLevelResources += $TemplateFileContent.resources.Keys | ForEach-Object { + $TemplateFileContent.resources[$_] + } | Where-Object { + $_.existing -ne $true + } + } else { + # Default array + $currLevelResources += $TemplateFileContent.resources + } } foreach ($resource in $currLevelResources) { $res += $resource diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 3d24f83b64..13f8d4af6f 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -628,9 +628,6 @@ function Get-OrderedParametersJSON { [string[]] $RequiredParametersList = @() ) - # Load used function(s) - . (Join-Path $PSScriptRoot 'helper' 'ConvertTo-OrderedHashtable.ps1') - # [1/3] Get all parameters from the parameter object and order them recursively $orderedContentInJSONFormat = ConvertTo-OrderedHashtable -JSONInputObject $parametersJSON 
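Review bot: The `-is [System.Collections.Hashtable]` test in the new branch of `Get-NestedResourceList` only matches a plain `Hashtable`; if the compiled template is loaded as an `[ordered]` dictionary (`System.Collections.Specialized.OrderedDictionary`), the test is false, the `else` branch appends the whole dictionary as a single element of `$currLevelResources`, and the `existing` filter is bypassed. Checking the interface covers both cases: `if ($TemplateFileContent.resources -is [System.Collections.IDictionary]) {`. The comment above it also reads `are not part of an ordered hashtable instead of an array` where `are now part of an ordered hashtable instead of an array` is presumably meant. The function body continues past the hunk.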
@@ -976,56 +973,6 @@ function ConvertTo-FormattedBicep { return $commentedBicepParams } -<# -.SYNOPSIS -Based on the provided parameter metadata, determine whether the parameter is required or not - -.DESCRIPTION -Based on the provided parameter metadata, determine whether the parameter is required or not - -.PARAMETER Parameter -The parameter metadata to analyze. - -For example: @{ - type = 'string' - metadata = @{ - description = 'Required. The name of the Public IP Address.' - } -} - -.PARAMETER TemplateFileContent -Mandatory. The template file content object to crawl data from. - -.EXAMPLE -Get-IsParameterRequired -TemplateFileContent @{ resource = @{}; ... } -Parameter @{ type = 'string'; metadata = @{ description = 'Required. The name of the Public IP Address.' } } - -Check the given parameter whether it is required. Would result into true. -#> -function Get-IsParameterRequired { - - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true)] - [hashtable] $Parameter, - - [Parameter(Mandatory)] - [hashtable] $TemplateFileContent - ) - - $hasParameterNoDefault = $Parameter.Keys -notcontains 'defaultValue' - $isParameterNullable = $Parameter['nullable'] - # User defined type - $isUserDefinedType = $Parameter.Keys -contains '$ref' - $isUserDefinedTypeNullable = $Parameter.Keys -contains '$ref' ? $TemplateFileContent.definitions[(Split-Path $Parameter.'$ref' -Leaf)]['nullable'] : $false - - # Evaluation - # The parameter is required IF it - # - has no default value, - # - is not nullable - # - has no nullable user-defined type - return $hasParameterNoDefault -and -not $isParameterNullable -and -not ($isUserDefinedType -and $isUserDefinedTypeNullable) -} - <# .SYNOPSIS Generate 'Usage examples' for the ReadMe out of the parameter files currently used to test the template 
@@ -1085,10 +1032,6 @@ function Set-UsageExamplesSection {
 [string] $SectionStartIdentifier = '## Usage examples'
 )
- # Load used function(s)
- . (Join-Path $PSScriptRoot 'Get-ModuleTestFileList.ps1')
- . (Join-Path (Split-Path $PSScriptRoot -Parent) 'resourcePublish' 'Get-PrivateRegistryRepositoryName.ps1')
-
 $brLink = Get-PrivateRegistryRepositoryName -TemplateFilePath $TemplateFilePath
 # Process content
@@ -1621,9 +1564,6 @@ function Initialize-ReadMe {
 [hashtable] $TemplateFileContent
 )
- . (Join-Path $PSScriptRoot 'helper' 'Get-SpecsAlignedResourceName.ps1')
- . (Join-Path $PSScriptRoot 'Get-NestedResourceList.ps1')
-
 $moduleName = $TemplateFileContent.metadata.name
 $moduleDescription = $TemplateFileContent.metadata.description
 $formattedResourceType = Get-SpecsAlignedResourceName -ResourceIdentifier $FullModuleIdentifier
@@ -1750,8 +1690,14 @@ function Set-ModuleReadMe {
 )
 # Load external functions
- . (Join-Path $PSScriptRoot 'helper' 'Merge-FileWithNewContent.ps1')
 . (Join-Path $PSScriptRoot 'Get-NestedResourceList.ps1')
+ . (Join-Path $PSScriptRoot 'Get-ModuleTestFileList.ps1')
+ . (Join-Path $PSScriptRoot 'helper' 'Merge-FileWithNewContent.ps1')
+ . (Join-Path $PSScriptRoot 'helper' 'Get-IsParameterRequired.ps1')
+ . (Join-Path $PSScriptRoot 'helper' 'Get-SpecsAlignedResourceName.ps1')
+ . (Join-Path $PSScriptRoot 'helper' 'ConvertTo-OrderedHashtable.ps1')
+ . (Join-Path (Split-Path $PSScriptRoot -Parent) 'resourcePublish' 'Get-PrivateRegistryRepositoryName.ps1')
+
 # Check template & make full path
 $TemplateFilePath = Resolve-Path -Path $TemplateFilePath -ErrorAction Stop
diff --git a/utilities/pipelines/sharedScripts/helper/Get-IsParameterRequired.ps1 b/utilities/pipelines/sharedScripts/helper/Get-IsParameterRequired.ps1
new file mode 100644
index 0000000000..25db0d8322
--- /dev/null
+++ b/utilities/pipelines/sharedScripts/helper/Get-IsParameterRequired.ps1
@@ -0,0 +1,49 @@
+<#
+.SYNOPSIS
+Based on the provided parameter metadata, determine whether the parameter is required or not
+
+.DESCRIPTION
+Based on the provided parameter metadata, determine whether the parameter is required or not
+
+.PARAMETER Parameter
+The parameter metadata to analyze.
+
+For example: @{
+ type = 'string'
+ metadata = @{
+ description = 'Required. The name of the Public IP Address.'
+ }
+}
+
+.PARAMETER TemplateFileContent
+Mandatory. The template file content object to crawl data from.
+
+.EXAMPLE
+Get-IsParameterRequired -TemplateFileContent @{ resource = @{}; ... } -Parameter @{ type = 'string'; metadata = @{ description = 'Required. The name of the Public IP Address.' } }
+
+Check the given parameter whether it is required. Would result into true.
+#>
+function Get-IsParameterRequired {
+
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $true)]
+ [hashtable] $Parameter,
+
+ [Parameter(Mandatory)]
+ [hashtable] $TemplateFileContent
+ )
+
+ $hasParameterNoDefault = $Parameter.Keys -notcontains 'defaultValue'
+ $isParameterNullable = $Parameter['nullable']
+ # User defined type
+ $isUserDefinedType = $Parameter.Keys -contains '$ref'
+ $isUserDefinedTypeNullable = $Parameter.Keys -contains '$ref' ? $TemplateFileContent.definitions[(Split-Path $Parameter.'$ref' -Leaf)]['nullable'] : $false
+
+ # Evaluation
+ # The parameter is required IF it
+ # - has no default value,
+ # - is not nullable
+ # - has no nullable user-defined type
+ return $hasParameterNoDefault -and -not $isParameterNullable -and -not ($isUserDefinedType -and $isUserDefinedTypeNullable)
+}
diff --git a/utilities/pipelines/staticValidation/helper/helper.psm1 b/utilities/pipelines/staticValidation/helper/helper.psm1
index 3bfd42e141..ab80fbbac0 100644
--- a/utilities/pipelines/staticValidation/helper/helper.psm1
+++ b/utilities/pipelines/staticValidation/helper/helper.psm1
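Review bot: `$isUserDefinedTypeNullable` recomputes `$Parameter.Keys -contains '$ref'` although `$isUserDefinedType` already holds that value on the line above, and it then indexes `definitions[...]['nullable']` without checking that the referenced definition exists, so a `$ref` whose leaf name is not in `$TemplateFileContent.definitions` yields `$null` (or an index error if strict mode is enabled). `$isUserDefinedTypeNullable = $isUserDefinedType ? ($TemplateFileContent.definitions[(Split-Path $Parameter.'$ref' -Leaf)].nullable -eq $true) : $false` reuses the flag and normalises the result to a boolean. `Split-Path -Leaf` also assumes every `$ref` has the form `#/definitions/<name>`; that assumption belongs in the `.PARAMETER Parameter` help. In `.EXAMPLE`, "Would result into true" should read "Would return $true".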
@@ -7,6 +7,7 @@ $repoRootPath = (Get-Item $PSScriptRoot).Parent.Parent.Parent.Parent.FullName
 . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1')
 . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1')
 . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'helper' 'ConvertTo-OrderedHashtable.ps1')
+. (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'helper' 'Get-IsParameterRequired.ps1')
 . (Join-Path $repoRootPath 'utilities' 'tools' 'Get-CrossReferencedModuleList.ps1')
 . (Join-Path $repoRootPath 'utilities' 'tools' 'helper' 'Get-PipelineFileName.ps1')
diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1
index 617609b9bd..59805a7a6d 100644
--- a/utilities/pipelines/staticValidation/module.tests.ps1
+++ b/utilities/pipelines/staticValidation/module.tests.ps1
@@ -492,7 +492,7 @@ Describe 'Module tests' -Tag 'Module' {
 $testFileTestCases = @()
 $templateFile_Parameters = $templateContent.parameters
 $TemplateFile_AllParameterNames = $templateFile_Parameters.Keys | Sort-Object
- $TemplateFile_RequiredParametersNames = ($templateFile_Parameters.Keys | Where-Object { -not $templateFile_Parameters[$_].ContainsKey('defaultValue') }) | Sort-Object
+ $TemplateFile_RequiredParametersNames = ($templateFile_Parameters.Keys | Where-Object { Get-IsParameterRequired -TemplateFileContent $templateContent -Parameter $templateFile_Parameters[$_] }) | Sort-Object
 if (Test-Path (Join-Path $moduleFolderPath '.test')) {
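Review bot: The new `Where-Object` line enumerates `$templateFile_Parameters.Keys` by member access, which on a hashtable built from the template JSON resolves to the entry rather than the key collection when a parameter is itself named `keys`; `$templateFile_Parameters.psbase.Keys` avoids that, and the unchanged `$TemplateFile_AllParameterNames` line above has the same exposure. Get-IsParameterRequired resolves here only because the helper.psm1 hunk above dot-sources it; a short comment next to the call, e.g. `# Get-IsParameterRequired is loaded via helper/helper.psm1`, saves the next reader the search. The enclosing It block starts outside the hunk.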
@@ -621,10 +621,17 @@ Describe 'Module tests' -Tag 'Module' {
 [string] $moduleFolderName,
 [hashtable] $templateContent
 )
- if ($lock = $templateContent.parameters.lock) {
- $lock.Keys | Should -Contain 'defaultValue'
- $lock.defaultValue | Should -Be ''
+ $lock = $templateContent.parameters.lock
+
+ if (-not $lock) {
+ Set-ItResult -Skipped -Because 'the module template has no lock parameter implemented'
 }
+
+ $isNullable = $lock.nullable
+ $hasEmptyDefault = $lock.defaultValue -eq ''
+ $hasNullableUDT = ($lock.Keys -contains '$ref') ? $templateContent.definitions[(Split-Path $lock.'$ref' -Leaf)].nullable : $false
+
+ ($isNullable -or $hasEmptyDefault -or $hasNullableUDT) | Should -Be $true -Because 'the lock should either have an empty default value, be nullable, or have a nullable user-defined type to not enforce locks by default'
 }
 It '[] Parameter names should be camel-cased (no dashes or underscores and must start with lower-case letter).' -TestCases $deploymentFolderTestCases {
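Review bot: After `Set-ItResult -Skipped -Because ...` the block falls through to `$lock.nullable` and the `$lock.Keys -contains '$ref'` ternary, which is only safe if the Pester version in use terminates the It block from inside `Set-ItResult`; adding `return` right after that call makes the skip independent of that behaviour. `$hasNullableUDT` reads `.nullable` on whatever `$templateContent.definitions[...]` returns, so a `$ref` that points at a missing definition silently counts as not nullable instead of failing the test; presumably acceptable, but worth a comment on that line. The enclosing It block starts outside the hunk.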
@@ -701,16 +708,22 @@ Describe 'Module tests' -Tag 'Module' {
 [string] $moduleFolderName,
 [hashtable] $templateContent
 )
- $enableDefaultTelemetryFlag = @()
 $Schemaverion = $templateContent.'$schema'
 if ((($Schemaverion.Split('/')[5]).Split('.')[0]) -eq (($RGdeployment.Split('/')[5]).Split('.')[0])) {
- if (($templateContent.resources.type -ccontains 'Microsoft.Resources/deployments' -and $templateContent.resources.condition -like "*[parameters('enableDefaultTelemetry')]*") -or ($templateContent.resources.resources.type -ccontains 'Microsoft.Resources/deployments' -and $templateContent.resources.resources.condition -like "*[parameters('enableDefaultTelemetry')]*")) {
- $enableDefaultTelemetryFlag += $true
+
+ if ($templateContent.resources -is [hashtable]) {
+ # Template with User-defined-types
+ $templateContent.resources.Keys | Should -Contain 'defaultTelemetry'
+ $templateContent.resources['defaultTelemetry'].condition | Should -Be "[parameters('enableDefaultTelemetry')]"
 } else {
- $enableDefaultTelemetryFlag += $false
+ # Template without User-defined-types
+ $telemetryDeployment = $templateContent.resources | Where-Object {
+ $_.type -eq 'Microsoft.Resources/deployments' -and
+ $_.condition -eq "[parameters('enableDefaultTelemetry')]"
+ }
+ $telemetryDeployment | Should -Not -BeNullOrEmpty
 }
 }
- $enableDefaultTelemetryFlag | Should -Not -Contain $false
 }
 It '[] The Location should be defined as a parameter, with the default value of [resourceGroup().Location] or global for ResourceGroup deployment scope.' -TestCases $deploymentFolderTestCases {
From 952a8940c8f3829c1720dfbb7ddbcff21a95ab84 Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Thu, 19 Oct 2023 10:09:30 +0000
Subject: [PATCH 036/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 66 +++++++++++-----------
 1 file changed, 33 insertions(+), 33 deletions(-)
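Review bot: In the hashtable branch the test checks only that a `defaultTelemetry` key exists and what its `condition` is, whereas the array branch additionally requires `type -eq 'Microsoft.Resources/deployments'`; adding `$templateContent.resources['defaultTelemetry'].type | Should -Be 'Microsoft.Resources/deployments'` keeps the two shapes equivalent. The hashtable branch also hard-codes the symbolic name `defaultTelemetry`, which the array branch does not need; a comment stating that this symbolic name is a convention the module templates must follow would explain the failure to a module author. The former `-like "*[parameters('enableDefaultTelemetry')]*"` wildcard became an exact `-eq`, so a condition that embeds the parameter in a larger expression now fails; presumably intended, but worth a line in the commit message. The enclosing It block starts outside the hunk.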
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index d3d6849cce..5a5281811c 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -16,7 +16,7 @@ This section provides an overview of the library's feature set. | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 226 | | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 141 | | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 417 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 232 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 176 | | 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 135 | | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | @@ -26,12 +26,12 @@ This section provides an overview of the library's feature set. | 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 365 | -| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 227 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 240 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 197 | +| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 366 | +| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 228 | +| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 241 | +| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 198 | | 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:4] | 188 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 282 | +| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 283 | | 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | | 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 185 | | 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 129 | @@ -43,12 +43,12 @@ This section provides an overview of the library's feature set. | 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 557 | | 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | | 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | :white_check_mark: | :white_check_mark: | | | | | 160 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 351 | +| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 352 | | 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 624 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 254 | +| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 255 | | 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 125 | | 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 315 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 316 | | 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:3] | 340 | | 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 336 | | 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 148 | @@ -56,12 +56,12 @@ This section provides an overview of the library's feature set. | 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | | 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 119 | | 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:1] | 265 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 221 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 332 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 174 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 222 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 333 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 175 | | 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 159 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 178 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 331 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 179 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 332 | | 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 84 | | 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:3, L2:1] | 175 | | 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | @@ -71,20 +71,20 @@ This section provides an overview of the library's feature set. | 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 101 | | 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | | 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 125 | -| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:1] | 103 | +| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:1] | 104 | | 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 109 | | 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | :white_check_mark: | | | | | | 124 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 268 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 269 | | 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | | 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 195 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 275 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 276 | | 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 107 | | 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 83 | | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | | 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1, L2:1] | 119 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 347 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 348 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | | 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 66 | | 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 330 | @@ -108,7 +108,7 @@ This section provides an overview of the library's feature set. | 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 157 | | 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 100 | | 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:9] | 192 | -| 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 111 | +| 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | | 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | | 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 185 | | 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 80 | @@ -125,31 +125,31 @@ This section provides an overview of the library's feature set. | 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | | 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 99 | -| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 278 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 287 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 258 | +| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 283 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 288 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 259 | | 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | | 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | :white_check_mark: | :white_check_mark: | | | | | 124 | | 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 69 | | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 231 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 232 | | 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 220 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 368 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 369 | | 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | -| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 189 | -| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 159 | +| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 190 | +| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 160 | | 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 336 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 304 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 425 | -| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 93 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 286 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 305 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 426 | +| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 94 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 287 | | 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 188 | | 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 90 | | 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 227 | | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 385 | -| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 196 | -| Sum | | | 111 | 110 | 119 | 57 | 30 | 2 | 234 | 24460 | +| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 386 | +| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 197 | +| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24533 | ## Legend From 351abb1d78d0716bb1cc703ed92925061447319b Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Fri, 20 Oct 2023 18:26:58 +0200 Subject: [PATCH 037/178] Updated dns references (#4119) --- .../.test/pe/main.test.bicep | 10 +++--- .../configuration-store/README.md | 16 ++++------ .../.test/common/main.test.bicep | 10 +++--- modules/cache/redis-enterprise/README.md | 16 ++++------ .../cache/redis/.test/common/main.test.bicep | 10 +++--- modules/cache/redis/README.md | 16 ++++------ .../factory/.test/common/main.test.bicep | 10 +++--- modules/data-factory/factory/README.md | 16 ++++------ .../workspace/.test/common/main.test.bicep | 10 +++--- modules/databricks/workspace/README.md | 16 ++++------ .../.test/common/main.test.bicep | 10 +++--- .../digital-twins-instance/README.md | 16 ++++------ .../.test/sqldb/main.test.bicep | 10 +++--- .../document-db/database-account/README.md | 16 ++++------ .../.test/common/main.test.bicep | 10 +++--- modules/insights/private-link-scope/README.md | 16 ++++------ .../vault/.test/common/main.test.bicep | 10 +++--- modules/key-vault/vault/README.md | 16 ++++------ .../vault/.test/common/main.test.bicep | 10 +++--- modules/recovery-services/vault/README.md | 16 ++++------ .../signal-r/.test/common/main.test.bicep | 10 +++--- modules/signal-r-service/signal-r/README.md | 16 ++++------ .../web-pub-sub/.test/common/main.test.bicep | 10 +++--- .../web-pub-sub/.test/pe/main.test.bicep | 10 +++--- .../signal-r-service/web-pub-sub/README.md | 32 +++++++------------ .../sql/server/.test/common/main.test.bicep | 10 +++--- modules/sql/server/.test/pe/main.test.bicep | 10 +++--- modules/sql/server/README.md | 32 +++++++------------ .../.test/common/main.test.bicep | 10 +++--- modules/synapse/private-link-hub/README.md | 16 ++++------ .../workspace/.test/common/main.test.bicep | 10 +++--- modules/synapse/workspace/README.md | 16 ++++------ .../site/.test/webAppCommon/main.test.bicep | 10 +++--- modules/web/site/README.md | 16 ++++------ 34 files changed, 198 insertions(+), 270 deletions(-) 
diff --git a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
index 9dc6bc074a..b38ce56091 100644
--- a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
+++ b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
@@ -54,11 +54,11 @@ module testDeployment '../../main.bicep' = {
 enablePurgeProtection: false
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'configurationStores'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md
index cad35ecf3a..cbeabcead0 100644
--- a/modules/app-configuration/configuration-store/README.md
+++ b/modules/app-configuration/configuration-store/README.md
@@ -411,11 +411,9 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor
 enablePurgeProtection: false
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'configurationStores'
 subnetResourceId: ''
 tags: {
@@ -467,11 +465,9 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "configurationStores",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep
index 91edd54e87..40a9e53eef 100644
--- a/modules/cache/redis-enterprise/.test/common/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep
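Review bot: The new `privateDnsZoneResourceIds` array in `.test/pe/main.test.bicep` contains two empty lines (the bare `+` lines between `[`, the `nestedDependencies.outputs.privateDNSZoneResourceId` element and `]`), which reads as a leftover of the scripted rewrite rather than intended formatting; the same blank lines appear in the `.test` hunks for redis-enterprise, redis, data-factory, databricks, digital-twins, document-db, insights/private-link-scope and key-vault that follow. The README examples in the same patch render the array as three lines, so I would drop the blank lines here so the test templates and the generated READMEs agree. The module template that consumes the renamed property is not part of this patch; presumably `main.bicep` already accepts `privateDnsZoneResourceIds`, otherwise these test deployments fail on an unknown property, which is worth confirming before merge. Since this list appears to be what ties each private endpoint to its private DNS zone, keeping the test inputs exact matters: a deployment that tolerated an empty list would still succeed but leave clients resolving the public endpoint (inferred from the parameter's role, not visible in this hunk).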
@@ -87,11 +87,11 @@ module testDeployment '../../main.bicep' = {
 zoneRedundant: true
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'redisEnterprise'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md
index 7911f628ee..3fb04f5ffd 100644
--- a/modules/cache/redis-enterprise/README.md
+++ b/modules/cache/redis-enterprise/README.md
@@ -80,11 +80,9 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {
 minimumTlsVersion: '1.2'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'redisEnterprise'
 subnetResourceId: ''
 tags: {
@@ -180,11 +178,9 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "redisEnterprise",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep
index 6d7769223c..cf59ecb453 100644
--- a/modules/cache/redis/.test/common/main.test.bicep
+++ b/modules/cache/redis/.test/common/main.test.bicep
@@ -79,11 +79,11 @@ module testDeployment '../../main.bicep' = {
 zones: [ 1, 2 ]
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'redisCache'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md
index d1de73e1b5..6e05f21b0f 100644
--- a/modules/cache/redis/README.md
+++ b/modules/cache/redis/README.md
@@ -61,11 +61,9 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {
 minimumTlsVersion: '1.2'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'redisCache'
 subnetResourceId: ''
 tags: {
@@ -143,11 +141,9 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "redisCache",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep
index 42da93e9d8..1e63c8e199 100644
--- a/modules/data-factory/factory/.test/common/main.test.bicep
+++ b/modules/data-factory/factory/.test/common/main.test.bicep
@@ -114,11 +114,11 @@ module testDeployment '../../main.bicep' = {
 managedVirtualNetworkName: 'default'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'dataFactory'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index c577484c79..340ded817a 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -97,11 +97,9 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 managedVirtualNetworkName: 'default'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'dataFactory'
 subnetResourceId: ''
 tags: {
@@ -223,11 +221,9 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "dataFactory",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep
index 8f19bc3b68..53d62eb128 100644
--- a/modules/databricks/workspace/.test/common/main.test.bicep
+++ b/modules/databricks/workspace/.test/common/main.test.bicep
@@ -118,11 +118,11 @@ module testDeployment '../../main.bicep' = {
 customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'databricks_ui_api'
 subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId
 tags: {
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index cda1211cd8..ce7e970e42 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -78,11 +78,9 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 prepareEncryption: true
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'databricks_ui_api'
 subnetResourceId: ''
 tags: {
@@ -212,11 +210,9 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "databricks_ui_api",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
index b9deae3ddd..21623ed47d 100644
--- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
@@ -97,11 +97,11 @@ module testDeployment '../../main.bicep' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'API'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 }
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md
index 1f27071965..36f5f810ab 100644
--- a/modules/digital-twins/digital-twins-instance/README.md
+++ b/modules/digital-twins/digital-twins-instance/README.md
@@ -68,11 +68,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'API'
 subnetResourceId: ''
 }
@@ -156,11 +154,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "API",
 "subnetResourceId": ""
 }
diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep
index c9c5272585..970cbc6ebc 100644
--- a/modules/document-db/database-account/.test/sqldb/main.test.bicep
+++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep
@@ -84,11 +84,11 @@ module testDeployment '../../main.bicep' = {
 location: location
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'Sql'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md
index b5cad9ee10..e0616a7595 100644
--- a/modules/document-db/database-account/README.md
+++ b/modules/document-db/database-account/README.md
@@ -926,11 +926,9 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = {
 location: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'Sql'
 subnetResourceId: ''
 tags: {
@@ -1089,11 +1087,9 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "Sql",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep
index a1dcee39dc..3e9e0ea69c 100644
--- a/modules/insights/private-link-scope/.test/common/main.test.bicep
+++ b/modules/insights/private-link-scope/.test/common/main.test.bicep
@@ -62,11 +62,11 @@ module testDeployment '../../main.bicep' = {
 ]
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'azuremonitor'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index c268c5b76d..2d991fa8d8 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -50,11 +50,9 @@ This instance deploys the module with most of its features enabled.
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'azuremonitor'
 subnetResourceId: ''
 tags: {
@@ -111,11 +109,9 @@ This instance deploys the module with most of its features enabled.
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "azuremonitor",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep
index 4c17765b86..9e0a717286 100644
--- a/modules/key-vault/vault/.test/common/main.test.bicep
+++ b/modules/key-vault/vault/.test/common/main.test.bicep
@@ -132,11 +132,11 @@ module testDeployment '../../main.bicep' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'vault'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 13101ac107..39402576cf 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -290,11 +290,9 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'vault'
 subnetResourceId: ''
 tags: {
@@ -443,11 +441,9 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "vault",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep
index 3f19289ce8..24f1b765df 100644
--- a/modules/recovery-services/vault/.test/common/main.test.bicep
+++ b/modules/recovery-services/vault/.test/common/main.test.bicep
@@ -319,11 +319,11 @@ module testDeployment '../../main.bicep' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'AzureSiteRecovery'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 0c6de6ac3a..486c35456f 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -313,11 +313,9 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'AzureSiteRecovery'
 subnetResourceId: ''
 tags: {
@@ -649,11 +647,9 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "AzureSiteRecovery",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
index fe31b8c146..5fd96ee2cc 100644
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep
+++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
@@ -83,11 +83,11 @@ module testDeployment '../../main.bicep' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'signalr'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index f802d9ca98..523d6673b8 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -77,11 +77,9 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'signalr'
 subnetResourceId: ''
 tags: {
@@ -178,11 +176,9 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "signalr",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
index e43e249e61..0a4609a9bc 100644
--- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
@@ -81,11 +81,11 @@ module testDeployment '../../main.bicep' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'webpubsub'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
index d72345d64b..f3e03b566e 100644
--- a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
@@ -51,11 +51,11 @@ module testDeployment '../../main.bicep' = {
 name: '${namePrefix}-${serviceShort}-001'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'webpubsub'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md
index 0e2c18cbaa..84dacd3e4d 100644
--- a/modules/signal-r-service/web-pub-sub/README.md
+++ b/modules/signal-r-service/web-pub-sub/README.md
@@ -77,11 +77,9 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {
 }
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'webpubsub'
 subnetResourceId: ''
 tags: {
@@ -176,11 +174,9 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "webpubsub",
 "subnetResourceId": "",
 "tags": {
@@ -290,11 +286,9 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'webpubsub'
 subnetResourceId: ''
 tags: {
@@ -337,11 +331,9 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "webpubsub",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep
index b0a38b0ad7..d1dcf9b1e5 100644
--- a/modules/sql/server/.test/common/main.test.bicep
+++ b/modules/sql/server/.test/common/main.test.bicep
@@ -162,11 +162,11 @@ module testDeployment '../../main.bicep' = {
 {
 subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId
 service: 'sqlServer'
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/sql/server/.test/pe/main.test.bicep b/modules/sql/server/.test/pe/main.test.bicep
index 8a638d4dd9..b0c7032988 100644
--- a/modules/sql/server/.test/pe/main.test.bicep
+++ b/modules/sql/server/.test/pe/main.test.bicep
@@ -58,11 +58,11 @@ module testDeployment '../../main.bicep' = {
 administratorLoginPassword: password
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'sqlServer'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 329c07b9ff..b29f850977 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -179,11 +179,9 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 primaryUserAssignedIdentityId: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'sqlServer'
 subnetResourceId: ''
 tags: {
@@ -333,11 +331,9 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "sqlServer",
 "subnetResourceId": "",
 "tags": {
@@ -432,11 +428,9 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 enableDefaultTelemetry: ''
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'sqlServer'
 subnetResourceId: ''
 tags: {
@@ -484,11 +478,9 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "sqlServer",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep
index d907000003..91ad5e191b 100644
--- a/modules/synapse/private-link-hub/.test/common/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep
@@ -57,11 +57,11 @@ module testDeployment '../../main.bicep' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 service: 'Web'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index ddc5efb77d..05f4411690 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -51,11 +51,9 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
 lock: 'CanNotDelete'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'Web'
 subnetResourceId: ''
 tags: {
@@ -115,11 +113,9 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "Web",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep
index b0c3a9f6e5..a18415d374 100644
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -87,11 +87,11 @@ module testDeployment '../../main.bicep' = {
 {
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 service: 'SQL'
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 7f228e9711..12a0448450 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -82,11 +82,9 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {
 managedVirtualNetwork: true
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'SQL'
 subnetResourceId: ''
 tags: {
@@ -181,11 +179,9 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "SQL",
 "subnetResourceId": "",
 "tags": {
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep
index 1c2525b809..93369c3ed2 100644
--- a/modules/web/site/.test/webAppCommon/main.test.bicep
+++ b/modules/web/site/.test/webAppCommon/main.test.bicep
@@ -84,11 +84,11 @@ module testDeployment '../../main.bicep' = {
 {
 service: 'sites'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+
+ nestedDependencies.outputs.privateDNSZoneResourceId
+
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/web/site/README.md b/modules/web/site/README.md
index 1e11c9249f..9b82c6ccb3 100644
--- a/modules/web/site/README.md
+++ b/modules/web/site/README.md
@@ -503,11 +503,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 name: 'slot1'
 privateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'sites'
 subnetResourceId: ''
 tags: {
@@ -670,11 +668,9 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 "name": "slot1",
 "privateEndpoints": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "sites",
 "subnetResourceId": "",
 "tags": {
From 293175c0185839d518c5420cd64cf6ef298513c6 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Sat, 21 Oct 2023 14:50:38 +0200
Subject: [PATCH 038/178] [Modules] Updated locks to UDT as per AVM specs (#4112)
* Updated locks & implementation. Parameter and UDT pending
* Replaced param
* Added UDT
* Small fix
* Fixed diverse templates
* Refreshed json
* Fixed bicep templates
* Further fixes
* Updated PE lock
* File regen
* small api fixes
* Fix for healthcare lock
* Fixed power BI lock
* Fixed insights data collection
* Updated RG
* Fixed lock passthru on several instances
* Adjusted scope
* Adjusted cmk for service bus ns
* Updated ref
* Updated cmk with udt workaround
* Updated storage
* Updated cmk
* Fixed readme
* Updated cmk for app-config
* Updated cmk for batch
* Updated cmk for cognitive
* Updated cmk for container instance
* Updated logs for data collection
* Updated cmk for auto
* Updated batch pe test
* Updated cog ser json
* Updated VM
* Container group refresh
* Updated reg
* Updated managed service
* Updated databricks
* Udated data factory
* Fixed msi ref
* Fixed script ref & cog
* Fixed cotainer reg
* Atempted to fix managed-cluster
* Try & fix new key treating in databricks
* Updated db-for
* Updated log for digital twin
* Updated ML
* Update synapse
* Updated databricks to work around new bicep limitation
* Updated KVLT + Purview
* Added batch to security center to how to fix update bug
* Added write host for readme in case of diff for troubleshooting
* Rollback
---
docs/wiki/The library - Module design.md | 21 +-
.../.test/common/main.test.bicep | 5 +-
modules/aad/domain-service/README.md | 37 +-
modules/aad/domain-service/main.bicep | 29 +-
modules/aad/domain-service/main.json | 70 ++--
.../server/.test/common/main.test.bicep | 5 +-
.../server/.test/max/main.test.bicep | 5 +-
modules/analysis-services/server/README.md | 47 ++-
modules/analysis-services/server/main.bicep | 29 +-
modules/analysis-services/server/main.json | 70 ++--
.../service/.test/common/main.test.bicep | 5 +-
.../service/.test/max/main.test.bicep
| 5 +-
modules/api-management/service/README.md | 47 ++-
modules/api-management/service/main.bicep | 33 +-
modules/api-management/service/main.json | 118 +++---
.../.test/common/main.test.bicep | 5 +-
.../configuration-store/README.md | 37 +-
.../configuration-store/main.bicep | 45 ++-
.../configuration-store/main.json | 122 +++++--
.../.test/common/main.test.bicep | 5 +-
modules/app/container-app/README.md | 37 +-
modules/app/container-app/main.bicep | 29 +-
modules/app/container-app/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
modules/app/managed-environment/README.md | 37 +-
modules/app/managed-environment/main.bicep | 29 +-
modules/app/managed-environment/main.json | 82 +++--
.../.test/common/main.test.bicep | 5 +-
.../automation/automation-account/README.md | 37 +-
.../automation/automation-account/main.bicep | 44 ++-
.../automation/automation-account/main.json | 140 +++++---
.../.test/common/main.test.bicep | 9 +-
modules/batch/batch-account/README.md | 45 ++-
modules/batch/batch-account/main.bicep | 48 +--
modules/batch/batch-account/main.json | 104 ++++--
.../.test/common/main.test.bicep | 5 +-
modules/cache/redis-enterprise/README.md | 37 +-
modules/cache/redis-enterprise/main.bicep | 31 +-
modules/cache/redis-enterprise/main.json | 84 +++--
.../cache/redis/.test/common/main.test.bicep | 5 +-
modules/cache/redis/README.md | 37 +-
modules/cache/redis/main.bicep | 31 +-
modules/cache/redis/main.json | 84 +++--
modules/cdn/profile/.test/afd/main.test.bicep | 5 +-
.../cdn/profile/.test/common/main.test.bicep | 5 +-
modules/cdn/profile/README.md | 47 ++-
modules/cdn/profile/main.bicep | 29 +-
modules/cdn/profile/main.json | 90 +++--
.../account/.test/common/main.test.bicep | 5 +-
modules/cognitive-services/account/README.md | 37 +-
modules/cognitive-services/account/main.bicep | 50 +--
modules/cognitive-services/account/main.json | 120 +++++--
.../.test/common/main.test.bicep | 5 +-
modules/compute/availability-set/README.md | 37 +-
modules/compute/availability-set/main.bicep | 29 +-
modules/compute/availability-set/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
modules/compute/disk-encryption-set/README.md | 37 +-
.../compute/disk-encryption-set/main.bicep | 29 +-
modules/compute/disk-encryption-set/main.json | 101 ++++--
.../compute/disk/.test/common/main.test.bicep | 5 +-
modules/compute/disk/README.md | 37 +-
modules/compute/disk/main.bicep | 29 +-
modules/compute/disk/main.json | 66 ++--
.../gallery/.test/common/main.test.bicep | 5 +-
modules/compute/gallery/README.md | 37 +-
modules/compute/gallery/main.bicep | 29 +-
modules/compute/gallery/main.json | 74 ++--
.../.test/common/main.test.bicep | 5 +-
.../proximity-placement-group/README.md | 37 +-
.../proximity-placement-group/main.bicep | 29 +-
.../proximity-placement-group/main.json | 66 ++--
modules/compute/ssh-public-key/README.md | 27 +-
modules/compute/ssh-public-key/main.bicep | 29 +-
modules/compute/ssh-public-key/main.json | 66 ++--
.../.test/linux/main.test.bicep | 5 +-
.../.test/windows/main.test.bicep | 5 +-
.../virtual-machine-scale-set/README.md | 47 ++-
.../virtual-machine-scale-set/main.bicep | 33 +-
.../virtual-machine-scale-set/main.json | 124 ++++---
.../.bicep/nested_networkInterface.bicep | 14 +-
.../.test/linux/main.test.bicep | 5 +-
.../.test/windows/main.test.bicep | 5 +-
modules/compute/virtual-machine/README.md | 47 ++-
modules/compute/virtual-machine/main.bicep | 33 +-
modules/compute/virtual-machine/main.json | 333 +++++++++++------
.../.test/common/main.test.bicep | 5 +-
.../.test/encr/main.test.bicep | 5 +-
.../.test/private/main.test.bicep | 5 +-
.../container-group/README.md | 57 ++-
.../container-group/main.bicep | 46 +--
.../container-group/main.json | 92 +++--
.../registry/.test/common/main.test.bicep | 5 +-
modules/container-registry/registry/README.md | 37 +-
.../container-registry/registry/main.bicep | 49 ++-
modules/container-registry/registry/main.json | 130 +++++--
.../.test/azure/main.test.bicep | 5 +-
.../managed-cluster/README.md | 37 +-
.../managed-cluster/main.bicep | 35 +-
.../managed-cluster/main.json | 112 +++---
.../factory/.test/common/main.test.bicep | 5 +-
modules/data-factory/factory/README.md | 37 +-
modules/data-factory/factory/main.bicep | 35 +-
modules/data-factory/factory/main.json | 106 ++++--
.../backup-vault/.test/common/main.test.bicep | 5 +-
.../data-protection/backup-vault/README.md | 37 +-
.../data-protection/backup-vault/main.bicep | 29 +-
.../data-protection/backup-vault/main.json | 72 ++--
.../.test/common/main.test.bicep | 5 +-
modules/databricks/access-connector/README.md | 37 +-
.../databricks/access-connector/main.bicep | 29 +-
modules/databricks/access-connector/main.json | 66 ++--
.../workspace/.test/common/dependencies.bicep | 35 ++
.../workspace/.test/common/main.test.bicep | 10 +-
modules/databricks/workspace/README.md | 37 +-
modules/databricks/workspace/main.bicep | 61 ++--
modules/databricks/workspace/main.json | 128 +++++--
.../.test/private/main.test.bicep | 5 +-
.../.test/public/main.test.bicep | 5 +-
.../db-for-my-sql/flexible-server/README.md | 47 ++-
.../db-for-my-sql/flexible-server/main.bicep | 47 +--
.../db-for-my-sql/flexible-server/main.json | 132 +++++--
.../flexible-server/README.md | 27 +-
.../flexible-server/main.bicep | 41 ++-
.../flexible-server/main.json | 114 ++++--
.../.test/common/main.test.bicep | 5 +-
.../application-group/README.md | 37 +-
.../application-group/main.bicep | 29 +-
.../application-group/main.json | 85 +++--
.../host-pool/.test/common/main.test.bicep | 5 +-
.../host-pool/README.md | 37 +-
.../host-pool/main.bicep | 29 +-
.../host-pool/main.json | 70 ++--
.../workspace/.test/common/main.test.bicep | 5 +-
.../workspace/README.md | 37 +-
.../workspace/main.bicep | 29 +-
.../workspace/main.json | 70 ++--
.../lab/.test/common/main.test.bicep | 5 +-
modules/dev-test-lab/lab/README.md | 37 +-
modules/dev-test-lab/lab/main.bicep | 29 +-
modules/dev-test-lab/lab/main.json | 94 +++--
.../.test/common/main.test.bicep | 5 +-
.../digital-twins-instance/README.md | 38 +-
.../digital-twins-instance/main.bicep | 31 +-
.../digital-twins-instance/main.json | 94 +++--
.../.test/plain/main.test.bicep | 5 +-
.../document-db/database-account/README.md | 37 +-
.../document-db/database-account/main.bicep | 31 +-
.../document-db/database-account/main.json | 92 +++--
.../domain/.test/common/main.test.bicep | 5 +-
modules/event-grid/domain/README.md | 37 +-
modules/event-grid/domain/main.bicep | 31 +-
modules/event-grid/domain/main.json | 82 +++--
.../system-topic/.test/common/main.test.bicep | 5 +-
modules/event-grid/system-topic/README.md | 37 +-
modules/event-grid/system-topic/main.bicep | 29 +-
modules/event-grid/system-topic/main.json | 78 ++--
.../topic/.test/common/main.test.bicep | 5 +-
modules/event-grid/topic/README.md | 37 +-
modules/event-grid/topic/main.bicep | 31 +-
modules/event-grid/topic/main.json | 84 +++--
.../namespace/.test/common/main.test.bicep | 5 +-
modules/event-hub/namespace/README.md | 37 +-
.../event-hub/namespace/eventhub/README.md | 27 +-
.../event-hub/namespace/eventhub/main.bicep | 29 +-
.../event-hub/namespace/eventhub/main.json | 83 +++--
modules/event-hub/namespace/main.bicep | 41 ++-
modules/event-hub/namespace/main.json | 211 +++++++----
.../health-bot/.test/common/main.test.bicep | 5 +-
modules/health-bot/health-bot/README.md | 37 +-
modules/health-bot/health-bot/main.bicep | 29 +-
modules/health-bot/health-bot/main.json | 66 ++--
.../workspace/.test/common/main.test.bicep | 5 +-
modules/healthcare-apis/workspace/README.md | 37 +-
.../workspace/dicomservice/README.md | 27 +-
.../workspace/dicomservice/main.bicep | 29 +-
.../workspace/dicomservice/main.json | 79 +++--
.../workspace/fhirservice/README.md | 27 +-
.../workspace/fhirservice/main.bicep | 29 +-
.../workspace/fhirservice/main.json | 83 +++--
.../workspace/iotconnector/README.md | 27 +-
.../workspace/iotconnector/main.bicep | 29 +-
.../workspace/iotconnector/main.json | 83 +++--
modules/healthcare-apis/workspace/main.bicep | 35 +-
modules/healthcare-apis/workspace/main.json | 335 ++++++++++++------
.../.test/common/main.test.bicep | 5 +-
.../data-collection-endpoint/README.md | 39 +-
.../data-collection-endpoint/main.bicep | 29 +-
.../data-collection-endpoint/main.json | 68 ++--
.../.test/customadv/main.test.bicep | 5 +-
.../.test/custombasic/main.test.bicep | 5 +-
.../.test/customiis/main.test.bicep | 5 +-
.../.test/linux/main.test.bicep | 5 +-
.../.test/windows/main.test.bicep | 5 +-
.../insights/data-collection-rule/README.md | 79 ++++-
.../insights/data-collection-rule/main.bicep | 29 +-
.../insights/data-collection-rule/main.json | 68 ++--
modules/insights/private-link-scope/README.md | 27 +-
.../insights/private-link-scope/main.bicep | 31 +-
modules/insights/private-link-scope/main.json | 78 ++--
.../webtest/.test/common/main.test.bicep | 5 +-
modules/insights/webtest/README.md | 37 +-
modules/insights/webtest/main.bicep | 29 +-
modules/insights/webtest/main.json | 66 ++--
.../vault/.test/common/main.test.bicep | 7 +-
.../key-vault/vault/.test/pe/main.test.bicep | 10 +-
modules/key-vault/vault/README.md | 57 ++-
modules/key-vault/vault/main.bicep | 31 +-
modules/key-vault/vault/main.json | 92 +++--
.../workflow/.test/common/main.test.bicep | 5 +-
modules/logic/workflow/README.md | 37 +-
modules/logic/workflow/main.bicep | 29 +-
modules/logic/workflow/main.json | 72 ++--
.../workspace/.test/common/main.test.bicep | 5 +-
.../workspace/README.md | 37 +-
.../workspace/main.bicep | 43 ++-
.../workspace/main.json | 112 ++++--
.../.test/common/main.test.bicep | 5 +-
.../maintenance-configuration/README.md | 37 +-
.../maintenance-configuration/main.bicep | 29 +-
.../maintenance-configuration/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
.../user-assigned-identity/README.md | 37 +-
.../user-assigned-identity/main.bicep | 29 +-
.../user-assigned-identity/main.json | 74 ++--
.../.test/nfs3/main.test.bicep | 5 +-
modules/net-app/net-app-account/README.md | 37 +-
modules/net-app/net-app-account/main.bicep | 29 +-
modules/net-app/net-app-account/main.json | 70 ++--
.../.test/common/main.test.bicep | 5 +-
modules/network/application-gateway/README.md | 37 +-
.../network/application-gateway/main.bicep | 31 +-
modules/network/application-gateway/main.json | 78 ++--
.../.test/common/main.test.bicep | 5 +-
.../application-security-group/README.md | 37 +-
.../application-security-group/main.bicep | 29 +-
.../application-security-group/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
modules/network/azure-firewall/README.md | 37 +-
modules/network/azure-firewall/main.bicep | 29 +-
modules/network/azure-firewall/main.json | 228 +++++++-----
.../bastion-host/.test/common/main.test.bicep | 5 +-
modules/network/bastion-host/README.md | 37 +-
modules/network/bastion-host/main.bicep | 29 +-
modules/network/bastion-host/main.json | 150 +++++---
.../.test/vnet2vnet/main.test.bicep | 5 +-
modules/network/connection/README.md | 37 +-
modules/network/connection/main.bicep | 29 +-
modules/network/connection/main.json | 62 ++--
.../.test/common/main.test.bicep | 5 +-
.../network/ddos-protection-plan/README.md | 37 +-
.../network/ddos-protection-plan/main.bicep | 29 +-
.../network/ddos-protection-plan/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
.../network/dns-forwarding-ruleset/README.md | 37 +-
.../network/dns-forwarding-ruleset/main.bicep | 31 +-
.../network/dns-forwarding-ruleset/main.json | 76 ++--
modules/network/dns-resolver/README.md | 27 +-
modules/network/dns-resolver/main.bicep | 29 +-
modules/network/dns-resolver/main.json | 74 ++--
.../dns-zone/.test/common/main.test.bicep | 5 +-
modules/network/dns-zone/README.md | 37 +-
modules/network/dns-zone/main.bicep | 29 +-
modules/network/dns-zone/main.json | 106 +++---
.../.test/common/main.test.bicep | 5 +-
.../network/express-route-circuit/README.md | 37 +-
.../network/express-route-circuit/main.bicep | 29 +-
.../network/express-route-circuit/main.json | 70 ++--
.../.test/common/main.test.bicep | 5 +-
.../network/express-route-gateway/README.md | 37 +-
.../network/express-route-gateway/main.bicep | 29 +-
.../network/express-route-gateway/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
.../README.md | 37 +-
.../main.bicep | 29 +-
.../main.json | 66 ++--
.../front-door/.test/common/main.test.bicep | 5 +-
modules/network/front-door/README.md | 37 +-
modules/network/front-door/main.bicep | 29 +-
modules/network/front-door/main.json | 68 ++--
.../ip-group/.test/common/main.test.bicep | 5 +-
modules/network/ip-group/README.md | 37 +-
modules/network/ip-group/main.bicep | 29 +-
modules/network/ip-group/main.json | 66 ++--
.../.test/common/main.test.bicep | 5 +-
modules/network/load-balancer/README.md | 37 +-
modules/network/load-balancer/main.bicep | 29 +-
modules/network/load-balancer/main.json | 80 +++--
.../.test/common/main.test.bicep | 5 +-
.../network/local-network-gateway/README.md | 37 +-
.../network/local-network-gateway/main.bicep | 29 +-
.../network/local-network-gateway/main.json | 66 ++--
.../nat-gateway/.test/common/main.test.bicep | 5 +-
modules/network/nat-gateway/README.md | 37 +-
modules/network/nat-gateway/main.bicep | 29 +-
modules/network/nat-gateway/main.json | 142 +++++---
.../.test/common/main.test.bicep | 5 +-
modules/network/network-interface/README.md | 37 +-
modules/network/network-interface/main.bicep | 29 +-
modules/network/network-interface/main.json | 70 ++--
.../.test/common/main.test.bicep | 5 +-
modules/network/network-manager/README.md | 37 +-
modules/network/network-manager/main.bicep | 29 +-
modules/network/network-manager/main.json | 82 +++--
.../.test/common/main.test.bicep | 5 +-
.../network/network-security-group/README.md | 37 +-
.../network/network-security-group/main.bicep | 29 +-
.../network/network-security-group/main.json | 74 ++-- modules/network/network-watcher/README.md | 27 +- modules/network/network-watcher/main.bicep | 29 +- modules/network/network-watcher/main.json | 74 ++-- .../.test/common/main.test.bicep | 5 +- modules/network/private-dns-zone/README.md | 37 +- modules/network/private-dns-zone/main.bicep | 29 +- modules/network/private-dns-zone/main.json | 102 +++--- .../.test/common/main.test.bicep | 1 + modules/network/private-endpoint/README.md | 4 +- modules/network/private-endpoint/main.bicep | 2 +- .../.test/common/main.test.bicep | 5 +- .../network/private-link-service/README.md | 37 +- .../network/private-link-service/main.bicep | 29 +- .../network/private-link-service/main.json | 66 ++-- .../.test/common/main.test.bicep | 5 +- modules/network/public-ip-address/README.md | 37 +- modules/network/public-ip-address/main.bicep | 29 +- modules/network/public-ip-address/main.json | 72 ++-- .../.test/common/main.test.bicep | 5 +- modules/network/public-ip-prefix/README.md | 37 +- modules/network/public-ip-prefix/main.bicep | 29 +- modules/network/public-ip-prefix/main.json | 66 ++-- .../route-table/.test/common/main.test.bicep | 5 +- modules/network/route-table/README.md | 37 +- modules/network/route-table/main.bicep | 29 +- modules/network/route-table/main.json | 66 ++-- .../.test/common/main.test.bicep | 5 +- .../network/service-endpoint-policy/README.md | 37 +- .../service-endpoint-policy/main.bicep | 29 +- .../network/service-endpoint-policy/main.json | 66 ++-- .../.test/common/main.test.bicep | 5 +- .../network/trafficmanagerprofile/README.md | 37 +- .../network/trafficmanagerprofile/main.bicep | 29 +- .../network/trafficmanagerprofile/main.json | 68 ++-- .../virtual-hub/.test/common/main.test.bicep | 5 +- modules/network/virtual-hub/README.md | 37 +- modules/network/virtual-hub/main.bicep | 29 +- modules/network/virtual-hub/main.json | 70 ++-- .../.test/aadvpn/main.test.bicep | 5 +- .../.test/vpn/main.test.bicep | 5 +- 
.../network/virtual-network-gateway/README.md | 47 ++- .../virtual-network-gateway/main.bicep | 29 +- .../network/virtual-network-gateway/main.json | 150 +++++--- .../.test/common/main.test.bicep | 5 +- modules/network/virtual-network/README.md | 37 +- modules/network/virtual-network/main.bicep | 29 +- modules/network/virtual-network/main.json | 82 +++-- .../virtual-wan/.test/common/main.test.bicep | 5 +- modules/network/virtual-wan/README.md | 37 +- modules/network/virtual-wan/main.bicep | 29 +- modules/network/virtual-wan/main.json | 66 ++-- .../vpn-gateway/.test/common/main.test.bicep | 5 +- modules/network/vpn-gateway/README.md | 37 +- modules/network/vpn-gateway/main.bicep | 29 +- modules/network/vpn-gateway/main.json | 70 ++-- .../vpn-site/.test/common/main.test.bicep | 5 +- modules/network/vpn-site/README.md | 37 +- modules/network/vpn-site/main.bicep | 29 +- modules/network/vpn-site/main.json | 66 ++-- .../workspace/.test/adv/main.test.bicep | 5 +- .../workspace/.test/common/main.test.bicep | 5 +- .../operational-insights/workspace/README.md | 47 ++- .../operational-insights/workspace/main.bicep | 29 +- .../operational-insights/workspace/main.json | 106 +++--- .../capacity/.test/common/main.test.bicep | 5 +- modules/power-bi-dedicated/capacity/README.md | 39 +- .../power-bi-dedicated/capacity/main.bicep | 30 +- modules/power-bi-dedicated/capacity/main.json | 69 ++-- .../account/.test/common/main.test.bicep | 45 +-- modules/purview/account/README.md | 117 +++--- modules/purview/account/main.bicep | 43 ++- modules/purview/account/main.json | 128 ++++--- .../vault/.test/common/main.test.bicep | 5 +- modules/recovery-services/vault/README.md | 37 +- modules/recovery-services/vault/main.bicep | 31 +- modules/recovery-services/vault/main.json | 108 +++--- .../namespace/.test/common/main.test.bicep | 5 +- modules/relay/namespace/README.md | 37 +- .../namespace/hybrid-connection/README.md | 27 +- .../namespace/hybrid-connection/main.bicep | 29 +- 
.../namespace/hybrid-connection/main.json | 79 +++-- modules/relay/namespace/main.bicep | 31 +- modules/relay/namespace/main.json | 252 ++++++++----- modules/relay/namespace/wcf-relay/README.md | 27 +- modules/relay/namespace/wcf-relay/main.bicep | 29 +- modules/relay/namespace/wcf-relay/main.json | 79 +++-- .../query/.test/common/main.test.bicep | 5 +- modules/resource-graph/query/README.md | 37 +- modules/resource-graph/query/main.bicep | 29 +- modules/resource-graph/query/main.json | 66 ++-- .../.test/ps/main.test.bicep | 5 +- modules/resources/deployment-script/README.md | 37 +- .../resources/deployment-script/main.bicep | 29 +- modules/resources/deployment-script/main.json | 64 ++-- .../resource-group/.bicep/nested_lock.bicep | 25 ++ .../.test/common/main.test.bicep | 5 +- modules/resources/resource-group/README.md | 43 ++- modules/resources/resource-group/main.bicep | 29 +- modules/resources/resource-group/main.json | 185 +++++----- .../.test/common/main.test.bicep | 5 +- modules/search/search-service/README.md | 37 +- modules/search/search-service/main.bicep | 31 +- modules/search/search-service/main.json | 82 +++-- .../security/azure-security-center/main.bicep | 1 + .../security/azure-security-center/main.json | 6 +- .../namespace/.test/common/main.test.bicep | 5 +- modules/service-bus/namespace/README.md | 37 +- modules/service-bus/namespace/main.bicep | 48 +-- modules/service-bus/namespace/main.json | 300 +++++++++++----- modules/service-bus/namespace/queue/README.md | 27 +- .../service-bus/namespace/queue/main.bicep | 29 +- modules/service-bus/namespace/queue/main.json | 81 +++-- modules/service-bus/namespace/topic/README.md | 27 +- .../service-bus/namespace/topic/main.bicep | 29 +- modules/service-bus/namespace/topic/main.json | 79 +++-- .../cluster/.test/common/main.test.bicep | 5 +- modules/service-fabric/cluster/README.md | 37 +- modules/service-fabric/cluster/main.bicep | 29 +- modules/service-fabric/cluster/main.json | 72 ++-- 
.../signal-r/.test/common/main.test.bicep | 5 +- modules/signal-r-service/signal-r/README.md | 37 +- modules/signal-r-service/signal-r/main.bicep | 31 +- modules/signal-r-service/signal-r/main.json | 74 ++-- .../web-pub-sub/.test/common/main.test.bicep | 5 +- .../signal-r-service/web-pub-sub/README.md | 37 +- .../signal-r-service/web-pub-sub/main.bicep | 31 +- .../signal-r-service/web-pub-sub/main.json | 82 +++-- .../.test/common/main.test.bicep | 5 +- modules/sql/managed-instance/README.md | 37 +- .../sql/managed-instance/database/README.md | 27 +- .../sql/managed-instance/database/main.bicep | 21 +- .../sql/managed-instance/database/main.json | 77 ++-- modules/sql/managed-instance/main.bicep | 31 +- modules/sql/managed-instance/main.json | 181 ++++++---- .../sql/server/.test/common/main.test.bicep | 5 +- modules/sql/server/README.md | 37 +- modules/sql/server/main.bicep | 31 +- modules/sql/server/main.json | 108 +++--- .../.test/common/main.test.bicep | 5 +- .../storage-account/.test/nfs/main.test.bicep | 5 +- modules/storage/storage-account/README.md | 47 ++- modules/storage/storage-account/main.bicep | 37 +- modules/storage/storage-account/main.json | 122 ++++--- .../.test/common/main.test.bicep | 5 +- modules/synapse/private-link-hub/README.md | 37 +- modules/synapse/private-link-hub/main.bicep | 31 +- modules/synapse/private-link-hub/main.json | 74 ++-- modules/synapse/workspace/README.md | 27 +- modules/synapse/workspace/main.bicep | 44 ++- modules/synapse/workspace/main.json | 131 ++++--- .../.test/common/main.test.bicep | 5 +- .../image-template/README.md | 37 +- .../image-template/main.bicep | 29 +- .../image-template/main.json | 66 ++-- .../connection/.test/common/main.test.bicep | 5 +- modules/web/connection/README.md | 37 +- modules/web/connection/main.bicep | 29 +- modules/web/connection/main.json | 66 ++-- .../.test/asev2/main.test.bicep | 5 +- .../.test/asev3/main.test.bicep | 5 +- modules/web/hosting-environment/README.md | 47 ++- 
modules/web/hosting-environment/main.bicep | 29 +- modules/web/hosting-environment/main.json | 78 ++-- .../serverfarm/.test/common/main.test.bicep | 5 +- modules/web/serverfarm/README.md | 37 +- modules/web/serverfarm/main.bicep | 29 +- modules/web/serverfarm/main.json | 70 ++-- .../.test/functionAppCommon/main.test.bicep | 5 +- modules/web/site/README.md | 37 +- modules/web/site/main.bicep | 31 +- modules/web/site/main.json | 205 +++++++---- modules/web/site/slot/README.md | 27 +- modules/web/site/slot/main.bicep | 23 +- modules/web/site/slot/main.json | 99 ++++-- .../static-site/.test/common/main.test.bicep | 5 +- modules/web/static-site/README.md | 37 +- modules/web/static-site/main.bicep | 31 +- modules/web/static-site/main.json | 94 +++-- .../sharedScripts/Set-ModuleReadMe.ps1 | 15 +- utilities/tools/Set-Module.ps1 | 3 +- 488 files changed, 14290 insertions(+), 6347 deletions(-) create mode 100644 modules/resources/resource-group/.bicep/nested_lock.bicep diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index 09691d5115..b3c95193c2 100644 --- a/docs/wiki/The library - Module design.md +++ b/docs/wiki/The library - Module design.md @@ -143,19 +143,14 @@ The locks extension can be added as a `resource` to the resource template direct

Details ```bicep -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType -resource _lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${.name}-${lock}-lock' +resource _lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: } 
@@ -165,12 +160,12 @@ resource _lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e > > - Child and extension resources > - Locks are not automatically passed down, as they are inherited by default in Azure -> - The reference of the child/extension template should look similar to: `lock: contains(, 'lock') ? .lock : ''` +> - The reference of the child/extension template should look similar to: `lock: .?lock ?? lock` > - Using this implementation, a lock is only deployed to the child/extension resource if explicitly specified in the module's test file > - For example, the lock of a Storage Account module is not automatically passed to a Storage Container child-deployment. Instead, the Storage Container resource is automatically locked by Azure together with a locked Storage Account > - Cross-referenced resources > - All cross-referenced resources share the lock with the main resource to prevent depending resources to be changed or deleted -> - The reference of the cross-referenced resource template should look similar to: `lock: contains(, 'lock') ? .lock : lock` +> - The reference of the cross-referenced resource template should look similar to: `lock: .?lock ?? lock` > - Using this implementation, a lock of the main resource is implicitly passed to the referenced module template > - For example, the lock of a Key Vault module is automatically passed to an also deployed Private Endpoint module deployment diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/.test/common/main.test.bicep index 6df70643ed..0575d1a848 100644 --- a/modules/aad/domain-service/.test/common/main.test.bicep +++ b/modules/aad/domain-service/.test/common/main.test.bicep 
@@ -82,7 +82,10 @@ module testDeployment '../../main.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName)
 pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName)
 replicaSets: [
diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md
index 89ea3e1a49..88cbe897e8 100644
--- a/modules/aad/domain-service/README.md
+++ b/modules/aad/domain-service/README.md
@@ -54,7 +54,10 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 name: 'aaddscom001'
 pfxCertificate: ''
 pfxCertificatePassword: ''
@@ -112,7 +115,10 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {
 "value": "" }, "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 }, "name": { "value": "aaddscom001"
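Review bot: Every test hunk visible here now passes `name: 'myCustomLockName'` together with the lock, so the default-name branch `lock.?name ?? 'lock-${name}'` and the `kind: 'None'` opt-out introduced in main.bicep are not exercised by any test in this commit. Consider leaving one variant (e.g. the `common` test) with only `kind: 'CanNotDelete'` so the generated name is deployed at least once, and adding one case with `kind: 'None'` to confirm no lock resource is created. The same applies to the analysis-services and api-management test hunks further down; tests of modules outside this chunk may differ.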
@@ -182,7 +188,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { | [`kerberosRc4Encryption`](#parameter-kerberosrc4encryption) | string | The value is to enable Kerberos requests that use RC4 encryption. | | [`ldaps`](#parameter-ldaps) | string | A flag to determine whether or not Secure LDAP is enabled or disabled. | | [`location`](#parameter-location) | string | The location to deploy the Azure ADDS Services. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. | | [`notifyDcAdmins`](#parameter-notifydcadmins) | string | The value is to notify the DC Admins. | | [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. | @@ -307,11 +313,30 @@ The location to deploy the Azure ADDS Services. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index e8aa4ad471..9b7955f9f2 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep 
@@ -133,13 +133,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -230,11 +225,11 @@ resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
 scope: domainService
 }
-resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${domainService.name}-${lock}-lock'
+resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: domainService
 }
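Review bot: The condition on the new `resource domainService_lock` line still deploys a lock when the caller supplies an object with `name` but no `kind`: `!empty(lock ?? {})` is true and a null `lock.?kind` is not equal to `'None'`, so the resource is created with `level: ''`, which is not a value the `lockType` definition admits and presumably fails the deployment instead of being skipped. Gating on the kind alone, e.g. `if (lock.?kind != null && lock.?kind != 'None')`, would make the shape of the object irrelevant. The identical condition is added to `server_lock` in modules/analysis-services/server/main.bicep and, judging by the diffstat, to every other module in this commit. Separately, the default lock name moves from `${domainService.name}-${lock}-lock` to `lock-${name}`; an incremental redeployment does not remove a lock created under the old name, so existing deployments may end up carrying two locks unless the upgrade notes tell operators to delete the old one.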
@@ -263,3 +258,15 @@ output resourceId string = domainService.id @description('The location the resource was deployed into.') output location string = domainService.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index 0f206dd1ce..db6b6c7286 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10694057578652449276" + "templateHash": "15488600110889393374" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -243,15 +271,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
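Review bot: The `name` description in the new `type lockType` does not say what happens when it is omitted, while the lock resource in the hunk above falls back to `lock.?name ?? 'lock-${name}'`; suggest `@description('Optional. Specify the name of lock. Defaults to \'lock-<resource name>\' when omitted.')`. The `kind` description could likewise state that `'None'` suppresses the lock, which is what the resource condition checks for. The same type is appended to modules/analysis-services/server/main.bicep.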
@@ -297,8 +319,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -312,7 +334,7 @@ } } }, - { + "domainService": { "type": "Microsoft.AAD/domainServices", "apiVersion": "2021-05-01", "name": "[parameters('name')]", @@ -345,7 +367,7 @@ "sku": "[parameters('sku')]" } }, - { + "domainService_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -359,24 +381,24 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]" + "domainService" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "domainService_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]" + "domainService" ] }, - { + "domainService_roleAssignments": { "copy": { "name": "domainService_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -524,10 +546,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]" + "domainService" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -555,7 +577,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.AAD/domainServices', parameters('name')), '2021-05-01', 'full').location]" + "value": "[reference('domainService', '2021-05-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 527c3c1c71..1857916d7b 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep @@ -66,7 +66,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } skuName: 'S0' roleAssignments: [ { diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep index 582c804860..4c9bff9711 100644 --- a/modules/analysis-services/server/.test/max/main.test.bicep +++ b/modules/analysis-services/server/.test/max/main.test.bicep @@ -63,7 +63,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } skuName: 'S0' skuCapacity: 1 firewallSettings: { diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index bd06d1cc84..1464915f28 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -52,7 +52,10 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -105,7 +108,10 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -170,7 +176,10 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } ] } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -242,7 +251,10 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -339,7 +351,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`skuCapacity`](#parameter-skucapacity) | int | The total number of query replica scale-out instances. | | [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | 
@@ -419,11 +431,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name`
diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep
index 0b0ca98d44..18cc0d10f9 100644
--- a/modules/analysis-services/server/main.bicep
+++ b/modules/analysis-services/server/main.bicep
@@ -38,13 +38,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -120,11 +115,11 @@ resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = {
 }
 }
-resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${server.name}-${lock}-lock'
+resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: server
 }
@@ -166,3 +161,15 @@ output resourceGroupName string = resourceGroup().name
 @description('The location the resource was deployed into.')
 output location string = server.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
index 9855c786cd..7a88c2863b 100644
--- a/modules/analysis-services/server/main.json
+++ b/modules/analysis-services/server/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5443858044342002150" + "templateHash": "8360081126452950096" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -84,15 +112,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -173,8 +195,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -188,7 +210,7 @@ } } }, - { + "server": { "type": "Microsoft.AnalysisServices/servers", "apiVersion": "2017-08-01", "name": "[parameters('name')]", 
@@ -202,21 +224,21 @@ "ipV4FirewallSettings": "[parameters('firewallSettings')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "server_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.AnalysisServices/servers', parameters('name'))]" + "server" ] }, - { + "server_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -231,10 +253,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.AnalysisServices/servers', parameters('name'))]" + "server" ] }, - { + "server_roleAssignments": { "copy": { "name": "server_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -379,10 +401,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.AnalysisServices/servers', parameters('name'))]" + "server" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -410,7 +432,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.AnalysisServices/servers', parameters('name')), '2017-08-01', 'full').location]" + "value": "[reference('server', '2017-08-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep index d00d8943f8..fd416833ae 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/.test/common/main.test.bicep @@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: '${namePrefix}-az-amorg-x-001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } policies: [ { format: 'xml' diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep index d9dde652c7..df6c7f2bc8 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/.test/max/main.test.bicep @@ -126,7 +126,10 @@ module testDeployment '../../main.bicep' = { name: 'aadProvider' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } namedValues: [ { displayName: 'apimkey' diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 9d2bea3e8d..b026c84175 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md 
@@ -65,7 +65,10 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { publisherName: 'az-amorg-x-001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } policies: [ { format: 'xml' @@ -135,7 +138,10 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "policies": { "value": [ @@ -263,7 +269,10 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { name: 'aadProvider' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } namedValues: [ { displayName: 'apimkey' @@ -441,7 +450,10 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "namedValues": { "value": [ @@ -631,7 +643,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`hostnameConfigurations`](#parameter-hostnameconfigurations) | array | Custom hostname configuration of the API Management service. | | [`identityProviders`](#parameter-identityproviders) | array | Identity providers. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. | | [`namedValues`](#parameter-namedvalues) | array | Named values. | | [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. | 
@@ -802,11 +814,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `minApiVersion` diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index cdc0d4c0d6..80b8735a04 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep @@ -45,13 +45,8 @@ param userAssignedIdentities object = {} @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.') param minApiVersion string = '' 
@@ -435,16 +430,16 @@ module service_subscriptions 'subscription/main.bicep' = [for (subscription, ind
 }
 }]
 
-resource apiManagementService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${service.name}-${lock}-lock'
+resource service_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: service
 }
 
-resource apiManagementService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
+resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
 name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
 properties: {
 storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
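Review bot: The new condition `if (!empty(lock ?? {}) && lock.?kind != 'None')` still creates the lock when a caller passes only a name (for example `lock: { name: 'myLock' }`), because that object is not empty and a null `kind` is not equal to `'None'`, so `level: lock.?kind ?? ''` then submits an empty level to Microsoft.Authorization/locks and the deployment fails instead of being skipped. Gating on the kind rather than the object avoids that: `if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. The same condition is introduced for `configurationStore_lock` in modules/app-configuration/configuration-store/main.bicep further down, and the compiled main.json files mirror it. The `}` / `}]` context at the top of this hunk closes a module loop that starts outside the hunk.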
@@ -457,7 +452,7 @@ resource apiManagementService_diagnosticSettings 'Microsoft.Insights/diagnosticS
 scope: service
 }
 
-module apiManagementService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module service_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-Apim-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
@@ -484,3 +479,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(ser
 
 @description('The location the resource was deployed into.')
 output location string = service.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json
index 0eca3efbe5..664026fbd7 100644
--- a/modules/api-management/service/main.json
+++ b/modules/api-management/service/main.json
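Review bot: The `kind` description on the new `lockType` does not say what `None` means, although the lock resource earlier in this file is skipped exactly when `kind == 'None'`; a reader of the generated README, which only lists `Allowed: [CanNotDelete, None, ReadOnly]`, cannot tell whether `None` is a no-op or a rejected value. Suggest `@description('Optional. Specify the type of lock. Use \'None\' to explicitly deploy without a lock.')` on the `kind` member. The identical type is added to modules/app-configuration/configuration-store/main.bicep in this commit and would take the same wording; the README text appears to be rendered from these descriptions, so it would follow on regeneration.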
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12476936893104821390" + "templateHash": "7131184550588177223" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "additionalLocations": { "type": "array", @@ -111,15 +139,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "minApiVersion": { @@ -371,8 +393,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -386,7 +408,7 @@ } } }, - { + "service": { "type": "Microsoft.ApiManagement/service", "apiVersion": "2021-08-01", "name": "[parameters('name')]", @@ -414,21 +436,21 @@ "restore": "[parameters('restore')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "service_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -443,10 +465,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_apis": { "copy": { "name": "service_apis", "count": "[length(parameters('apis'))]" 
@@ -916,11 +938,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]", + "service", "service_apiVersionSets" ] }, - { + "service_apiVersionSets": { "copy": { "name": "service_apiVersionSets", "count": "[length(parameters('apiVersionSets'))]" @@ -1035,10 +1057,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_authorizationServers": { "copy": { "name": "service_authorizationServers", "count": "[length(variables('authorizationServerList'))]" @@ -1297,10 +1319,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_backends": { "copy": { "name": "service_backends", "count": "[length(parameters('backends'))]" @@ -1492,10 +1514,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_caches": { "copy": { "name": "service_caches", "count": "[length(parameters('caches'))]" @@ -1640,10 +1662,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_identityProviders": { "copy": { "name": "service_identityProviders", "count": "[length(parameters('identityProviders'))]" @@ -1860,10 +1882,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_namedValues": { "copy": { "name": "service_namedValues", "count": "[length(parameters('namedValues'))]" @@ -2019,10 +2041,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_portalsettings": { "copy": { "name": "service_portalsettings", "count": "[length(parameters('portalsettings'))]" 
@@ -2142,10 +2164,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_policies": { "copy": { "name": "service_policies", "count": "[length(parameters('policies'))]" @@ -2275,10 +2297,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_products": { "copy": { "name": "service_products", "count": "[length(parameters('products'))]" @@ -2707,11 +2729,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]", + "service", "service_apis" ] }, - { + "service_subscriptions": { "copy": { "name": "service_subscriptions", "count": "[length(parameters('subscriptions'))]" @@ -2871,12 +2893,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] }, - { + "service_roleAssignments": { "copy": { - "name": "apiManagementService_roleAssignments", + "name": "service_roleAssignments", "count": "[length(parameters('roleAssignments'))]" }, "type": "Microsoft.Resources/deployments", @@ -3023,10 +3045,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" + "service" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3054,14 +3076,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ApiManagement/service', parameters('name')), '2021-08-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ApiManagement/service', parameters('name')), '2021-08-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ApiManagement/service', parameters('name')), '2021-08-01', 'full').location]" + "value": "[reference('service', '2021-08-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index 8eb3658b39..21f5a65bb4 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep @@ -89,7 +89,10 @@ module testDeployment '../../main.bicep' = { value: 'valueName' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index cbeabcead0..99c954324a 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md 
@@ -75,7 +75,10 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor value: 'valueName' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -159,7 +162,10 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -530,7 +536,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Property specifying whether protection against purge is enabled for this configuration store. | | [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. Requires local authentication to be enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -664,11 +670,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 4168650dca..84d4bf947f 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep @@ -74,13 +74,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -155,18 +150,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
 
- resource cMKKey 'keys@2022-07-01' existing = if (!empty(cMKKeyName)) {
- name: cMKKeyName
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
 }
 }
 
 resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
- name: last(split(cMKUserAssignedIdentityResourceId, '/'))!
- scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
+ name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))!
+ scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4])
 }
 
 resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
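Review bot: The vault API version moves from `Microsoft.KeyVault/vaults@2023-02-01` down to `@2021-10-01` while the nested key moves from `keys@2022-07-01` up to `keys@2023-02-01`, which looks like the two versions were swapped rather than chosen deliberately; if the downgrade is unintended, keep `resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) {` and bump only the key. The `'dummyVault'`, `'dummyKey'`, `'dummyMsi'`, `'//'` and `'////'` fallbacks are not self-explanatory and invite a well-meant "cleanup" later; a one-line comment above each `existing` resource such as `// Placeholder values only keep the name/scope expressions evaluable when the resource id is empty; the if-condition decides whether a lookup happens.` would prevent that. The compiled main.json below repeats the same expressions.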
@@ -204,11 +199,11 @@ module configurationStore_keyValues 'key-value/main.bicep' = [for (keyValue, ind
 }
 }]
 
-resource configurationStore_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${configurationStore.name}-${lock}-lock'
+resource configurationStore_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: configurationStore
 }
@@ -250,7 +245,7 @@ module configurationStore_privateEndpoints '../../network/private-endpoint/main.
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
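Review bot: `lock: privateEndpoint.?lock ?? lock` changes behaviour for callers that set `lock` on the store but not on individual private endpoints: those endpoints previously received `null`, now they inherit the store's lock object. Neither the README nor the `lock` parameter description touched by this commit mentions the inheritance, so a caller reading "The lock settings of the service." would not expect locks to appear on the private endpoints; suggest `@description('Optional. The lock settings of the service. Also applied to its private endpoints unless a private endpoint specifies its own lock.')` on the parameter. This also presumes the referenced private-endpoint module already accepts the new `lockType` object rather than a string; that module is not part of this chunk. The private-endpoint module loop this hunk sits in starts and ends outside the hunk.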
@@ -277,3 +272,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(con @description('The location the resource was deployed into.') output location string = configurationStore.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index fa81c86079..b39777fc07 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1438402426319950203" + "templateHash": "14429413611786326402" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -160,15 +188,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -262,8 +284,20 @@ "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" } }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -277,7 +311,25 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + }, + "configurationStore": { "type": "Microsoft.AppConfiguration/configurationStores", "apiVersion": "2023-03-01", "name": "[parameters('name')]", 
@@ -291,26 +343,30 @@ "createMode": "[parameters('createMode')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", "enablePurgeProtection": "[if(equals(parameters('sku'), 'Free'), false(), parameters('enablePurgeProtection'))]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUriWithVersion), 'identityClientId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKUserAssignedIdentityResourceId'), '/')[2], split(parameters('cMKUserAssignedIdentityResourceId'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('cMKUserAssignedIdentityResourceId'), '/'))), '2023-01-31').clientId)), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'identityClientId', reference('cMKUserAssignedIdentity').clientId)), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), 
null())]", "softDeleteRetentionInDays": "[if(equals(parameters('sku'), 'Free'), 0, parameters('softDeleteRetentionInDays'))]" - } + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "configurationStore_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" + "configurationStore" ] }, - { + "configurationStore_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -325,10 +381,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" + "configurationStore" ] }, - { + "configurationStore_keyValues": { "copy": { "name": "configurationStore_keyValues", "count": "[length(parameters('keyValues'))]" @@ -463,10 +519,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" + "configurationStore" ] }, - { + "configurationStore_roleAssignments": { "copy": { "name": "configurationStore_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -615,10 +671,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" + "configurationStore" ] }, - { + "configurationStore_privateEndpoints": { "copy": { "name": "configurationStore_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -648,7 +704,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1142,10 +1200,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" + "configurationStore" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1173,14 +1231,14 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('configurationStore', '2023-03-01', 'full').identity, 'principalId')), reference('configurationStore', '2023-03-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '2023-03-01', 'full').location]"
+ "value": "[reference('configurationStore', '2023-03-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/app/container-app/.test/common/main.test.bicep b/modules/app/container-app/.test/common/main.test.bicep
index 9667da2fbe..9e032bfcd3 100644
--- a/modules/app/container-app/.test/common/main.test.bicep
+++ b/modules/app/container-app/.test/common/main.test.bicep
@@ -60,7 +60,10 @@ module testDeployment '../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 environmentId: nestedDependencies.outputs.managedEnvironmentResourceId
 location: location
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 userAssignedIdentities: {
 '${nestedDependencies.outputs.managedIdentityResourceId}': {}
 }
diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md
index 870012dd19..a37030cd5c 100644
--- a/modules/app/container-app/README.md
+++ b/modules/app/container-app/README.md
@@ -75,7 +75,10 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { // Non-required parameters enableDefaultTelemetry: '' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } secrets: { secureList: [ { @@ -151,7 +154,10 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "secrets": { "value": { @@ -296,7 +302,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { | [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | | [`ipSecurityRestrictions`](#parameter-ipsecurityrestrictions) | array | Rules to restrict incoming IP address. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxInactiveRevisions`](#parameter-maxinactiverevisions) | int | Max inactive revisions a Container App can have. | | [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | | [`revisionSuffix`](#parameter-revisionsuffix) | string | User friendly suffix that is appended to the revision name. | 
@@ -415,11 +421,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxInactiveRevisions` diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index 8d3ed86720..c1b43f8772 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep @@ -45,13 +45,8 @@ param activeRevisionsMode string = 'Single' @description('Required. Resource ID of environment.') param environmentId string -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -184,11 +179,11 @@ resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
 }
 }
 
-resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${containerApp.name}-${lock}-lock'
+resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: containerApp
 }
@@ -217,3 +212,15 @@ output name string = containerApp.name
 
 @description('The location the resource was deployed into.')
 output location string = containerApp.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json
index 1d501046a4..ab2f16b6bf 100644
--- a/modules/app/container-app/main.json
+++ b/modules/app/container-app/main.json
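Review bot: The guard on `containerApp_lock` lets a `lock` object that carries only a `name` through, because `!empty(lock ?? {})` is true for `{ name: 'x' }` and `lock.?kind` is then null rather than `'None'`, so the resource is deployed with `level: ''`, which the locks provider will presumably reject instead of skipping the lock the way the old empty-string default did. Gating on the kind keeps the no-lock-by-default behaviour: `resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. The same condition appears in managedEnvironment_lock and automationAccount_lock later in this patch and, in compiled form, in the main.json hunks.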
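Review bot: The `kind` description on `lockType` does not say what `'None'` does, although the lock resource in the preceding hunk is skipped exactly when `kind == 'None'`; suggest `@description('Optional. Specify the type of lock. Use \'None\' to deploy no lock.')`. The identical type block is duplicated verbatim in managed-environment/main.bicep and automation-account/main.bicep in this patch, so the wording should change in all three, or the type should move to a shared definition if the repository has a place for one.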
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2221038631504030167" + "templateHash": "12099824985619995147" }, "name": "Container Apps", "description": "This module deploys a Container App.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -98,15 +126,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -261,8 +283,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -276,7 +298,7 @@ } } }, - { + "containerApp": { "type": "Microsoft.App/containerApps", "apiVersion": "2022-10-01", "name": "[parameters('name')]", @@ -323,21 +345,21 @@ "workloadProfileType": "[parameters('workloadProfileType')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "containerApp_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.App/containerApps', parameters('name'))]" + "containerApp" ] }, - { + "containerApp_roleAssignments": { "copy": { "name": "containerApp_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -483,10 +505,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/containerApps', parameters('name'))]" + "containerApp" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -514,7 +536,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.App/containerApps', parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('containerApp', '2022-10-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/app/managed-environment/.test/common/main.test.bicep b/modules/app/managed-environment/.test/common/main.test.bicep index 6a3a769e96..84b3e08239 100644 --- a/modules/app/managed-environment/.test/common/main.test.bicep +++ b/modules/app/managed-environment/.test/common/main.test.bicep @@ -60,7 +60,10 @@ module testDeployment '../../main.bicep' = { platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' Env: 'test' diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 19638dbf5b..b334bdfcb5 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -51,7 +51,10 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { infrastructureSubnetId: '' internal: true location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' skuName: 'Consumption' @@ -99,7 +102,10 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "platformReservedCidr": { "value": "172.17.17.0/24" 
@@ -202,7 +208,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`internal`](#parameter-internal) | bool | Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`logsDestination`](#parameter-logsdestination) | string | Logs destination. | | [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | 
@@ -283,11 +289,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `logAnalyticsWorkspaceResourceId` diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index ac532ea529..503eb178dd 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep @@ -67,13 +67,8 @@ param certificateValue string = '' @description('Optional. DNS suffix for the environment domain.') param dnsSuffix string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Workload profiles configured for the Managed Environment.') param workloadProfiles array = [] 
@@ -142,11 +137,11 @@ module managedEnvironment_roleAssignments '.bicep/nested_roleAssignments.bicep'
 }
 }]
 
-resource managedEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${managedEnvironment.name}-${lock}-lock'
+resource managedEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: managedEnvironment
 }
@@ -162,3 +157,15 @@ output name string = managedEnvironment.name
 
 @description('The resource ID of the Managed Environment.')
 output resourceId string = managedEnvironment.id
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json
index 71407f0d6d..d278601942 100644
--- a/modules/app/managed-environment/main.json
+++ b/modules/app/managed-environment/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3480452524372003572" + "templateHash": "10531866391221761404" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -147,15 +175,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "workloadProfiles": { @@ -166,8 +188,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -181,7 +203,16 @@ } } }, - { + "logAnalyticsWorkspace": { + "condition": "[not(empty(parameters('logAnalyticsWorkspaceResourceId')))]", + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2021-06-01", + "subscriptionId": "[split(parameters('logAnalyticsWorkspaceResourceId'), '/')[2]]", + "resourceGroup": "[split(parameters('logAnalyticsWorkspaceResourceId'), '/')[4]]", + "name": "[last(split(parameters('logAnalyticsWorkspaceResourceId'), '/'))]" + }, + "managedEnvironment": { "type": "Microsoft.App/managedEnvironments", "apiVersion": "2022-10-01", "name": "[parameters('name')]", @@ -194,7 +225,7 @@ "appLogsConfiguration": { "destination": "[parameters('logsDestination')]", "logAnalyticsConfiguration": { - "customerId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('logAnalyticsWorkspaceResourceId'), '/')[2], split(parameters('logAnalyticsWorkspaceResourceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('logAnalyticsWorkspaceResourceId'), '/'))), '2021-06-01').customerId]", + "customerId": "[reference('logAnalyticsWorkspace').customerId]", "sharedKey": "[listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('logAnalyticsWorkspaceResourceId'), '/')[2], split(parameters('logAnalyticsWorkspaceResourceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('logAnalyticsWorkspaceResourceId'), '/'))), '2021-06-01').primarySharedKey]" } }, 
@@ -214,23 +245,26 @@ }, "workloadProfiles": "[if(not(empty(parameters('workloadProfiles'))), parameters('workloadProfiles'), null())]", "zoneRedundant": "[parameters('zoneRedundant')]" - } + }, + "dependsOn": [ + "logAnalyticsWorkspace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "managedEnvironment_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" + "managedEnvironment" ] }, - { + "managedEnvironment_roleAssignments": { "copy": { "name": "managedEnvironment_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -376,10 +410,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" + "managedEnvironment" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -393,7 +427,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.App/managedEnvironments', parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('managedEnvironment', '2022-10-01', 'full').location]" }, "name": { "type": "string", diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index 5ed8331c4f..fd3698cc91 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep @@ -87,7 +87,10 @@ module testDeployment '../../main.bicep' = { ] disableLocalAuth: true linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } modules: [ { name: 'PSWindowsUpdate' diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 8e4211c951..b4ace1295b 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -77,7 +77,10 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } ] linkedWorkspaceResourceId: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } modules: [ { name: 'PSWindowsUpdate' @@ -294,7 +297,10 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "modules": { "value": [ 
@@ -627,7 +633,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`jobSchedules`](#parameter-jobschedules) | array | List of jobSchedules to be created in the automation account. | | [`linkedWorkspaceResourceId`](#parameter-linkedworkspaceresourceid) | string | ID of the log analytics workspace to be linked to the deployed automation account. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | @@ -764,11 +770,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `modules` 
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
index 3a7b1d9982..cf1f10bfe0 100644
--- a/modules/automation/automation-account/main.bicep
+++ b/modules/automation/automation-account/main.bicep
@@ -83,13 +83,8 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -163,13 +158,12 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 
 resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
-}
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
 
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
- name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ }
 }
 
 resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
@@ -189,7 +183,7 @@ resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08'
 keyVaultProperties: {
 keyName: cMKKeyName
 keyVaultUri: cMKKeyVault.properties.vaultUri
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
 }
 } : null
 publicNetworkAccess: !empty(publicNetworkAccess) ? (publicNetworkAccess == 'Disabled' ? false : true) : (!empty(privateEndpoints) ? false : null)
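Review bot: The `'dummyVault'`, `'//'` and `'////'` fallbacks in `cMKKeyVault` are unexplained magic values; presumably they exist so that the `name` and `scope` expressions still evaluate when `cMKKeyVaultResourceId` is empty and the conditional existing resource is skipped (the compiled main.json hunks keep the same fallbacks), but nothing in the file says so. Suggest a comment above the resource: `// Placeholders keep split()/indexing valid when no CMK vault is configured; the resource is not deployed in that case (confirm against the compiled template).`. The nested `cMKKey` declaration drops the explicit `!empty(cMKKeyVaultResourceId)` guard that the removed `cMKKeyVaultKey` had; the compiled main.json shows the parent condition folded in, so this reads as intended, but a one-line note on the nested resource would save the next reader that check.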
@@ -348,11 +342,11 @@ module automationAccount_softwareUpdateConfigurations 'software-update-configura
 ]
 }]
 
-resource automationAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${automationAccount.name}-${lock}-lock'
+resource automationAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: automationAccount
 }
@@ -381,7 +375,7 @@ module automationAccount_privateEndpoints '../../network/private-endpoint/main.b
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
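Review bot: `lock: privateEndpoint.?lock ?? lock` in the second hunk is a silent behaviour change: a private endpoint that sets no lock now inherits the automation account's lock, whereas the removed line passed `null`. That is a sensible hardening default, but neither the line nor the `privateEndpoints` parameter description mentions it. Suggest `lock: privateEndpoint.?lock ?? lock // inherit the parent lock unless the private endpoint sets its own` and a sentence on the `privateEndpoints` parameter stating the inheritance. The referenced network/private-endpoint module must accept the same object shape; its change is not in this chunk, so I could not confirm it. The same forwarding appears in compiled form in the app-configuration main.json hunk earlier in this patch.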
@@ -421,3 +415,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(aut @description('The location the resource was deployed into.') output location string = automationAccount.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 0bd2c0c53d..78fbfa0b65 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17321818753856998075" + "templateHash": "7950772312586811014" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -189,15 +217,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -282,8 +304,20 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -297,7 +331,16 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "automationAccount": { "type": "Microsoft.Automation/automationAccounts", "apiVersion": "2022-08-08", "name": "[parameters('name')]", 
@@ -308,26 +351,29 @@ "sku": { "name": "[parameters('skuName')]" }, - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyVaultProperties', createObject('keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion, '/'))))), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyVaultProperties', createObject('keyName', parameters('cMKKeyName'), 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), if(equals(parameters('publicNetworkAccess'), 'Disabled'), false(), true()), if(not(empty(parameters('privateEndpoints'))), false(), null()))]", "disableLocalAuth": 
"[parameters('disableLocalAuth')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "automationAccount_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -342,10 +388,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_modules": { "copy": { "name": "automationAccount_modules", "count": "[length(parameters('modules'))]" 
@@ -504,10 +550,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_schedules": { "copy": { "name": "automationAccount_schedules", "count": "[length(parameters('schedules'))]" @@ -695,10 +741,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_runbooks": { "copy": { "name": "automationAccount_runbooks", "count": "[length(parameters('runbooks'))]" @@ -907,10 +953,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_jobSchedules": { "copy": { "name": "automationAccount_jobSchedules", "count": "[length(parameters('jobSchedules'))]" @@ -1057,12 +1103,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]", + "automationAccount", "automationAccount_runbooks", "automationAccount_schedules" ] }, - { + "automationAccount_variables": { "copy": { "name": "automationAccount_variables", "count": "[length(parameters('variables'))]" @@ -1197,10 +1243,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_linkedService": { "condition": "[not(empty(parameters('linkedWorkspaceResourceId')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1336,10 +1382,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_solutions": { "copy": { "name": "automationAccount_solutions", "count": "[length(parameters('gallerySolutions'))]" 
@@ -1494,10 +1540,10 @@ } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[2], subscription().subscriptionId), if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[4], resourceGroup().name)), 'Microsoft.Resources/deployments', format('{0}-AutoAccount-LinkedService', uniqueString(deployment().name, parameters('location'))))]" + "automationAccount_linkedService" ] }, - { + "automationAccount_softwareUpdateConfigurations": { "copy": { "name": "automationAccount_softwareUpdateConfigurations", "count": "[length(parameters('softwareUpdateConfigurations'))]" @@ -1985,11 +2031,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]", + "automationAccount", "automationAccount_solutions" ] }, - { + "automationAccount_privateEndpoints": { "copy": { "name": "automationAccount_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -2019,7 +2065,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2513,10 +2561,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] }, - { + "automationAccount_roleAssignments": { "copy": { "name": "automationAccount_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2665,10 +2713,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" + "automationAccount" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2696,14 +2744,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '2022-08-08', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '2022-08-08', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('automationAccount', '2022-08-08', 'full').identity, 'principalId')), reference('automationAccount', '2022-08-08', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('automationAccount', '2022-08-08', 'full').location]" } } } \ No newline at end of file diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep index c25cddb39d..0c9dc0bec0 100644 --- a/modules/batch/batch-account/.test/common/main.test.bicep +++ b/modules/batch/batch-account/.test/common/main.test.bicep @@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } poolAllocationMode: 'BatchService' privateEndpoints: [ { 
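Review bot: With the account's lock now flowing into the private endpoints by default, this test deployment presumably places a `CanNotDelete` lock named `myCustomLockName` on both the batch account and the private endpoint declared below it, and the test pipeline's cleanup has to remove both before the resources can be deleted. If the cleanup only strips locks from the top-level resource, this change will leave the test resource group undeletable; please confirm it walks child resources. A second test case passing `lock: { kind: 'None' }` would also cover the new opt-out path, which no visible test exercises.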
@@ -85,9 +88,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 28319537f0..74a18e3afd 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -55,7 +55,10 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } poolAllocationMode: 'BatchService' privateEndpoints: [ { @@ -64,9 +67,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -128,7 +129,10 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "poolAllocationMode": { "value": "BatchService" @@ -141,9 +145,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { ], "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
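Review bot: The role assignment in this test switches from `principalIds: [...]` to a single `principalId`, but no change to the batch-account module's role-assignment handling (its `main.bicep` loop or the nested role-assignment template) is part of this chunk, so as shown the test would pass an object shape the module may not read. Please confirm that change exists elsewhere in the commit; otherwise the assignment is either skipped or fails at deployment time, and a skipped assignment would go unnoticed by a test that only checks the deployment succeeded. The README example in the following hunk makes the same switch.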
@@ -385,7 +387,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkProfileAllowedIpRanges`](#parameter-networkprofileallowedipranges) | array | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. | | [`networkProfileDefaultAction`](#parameter-networkprofiledefaultaction) | string | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. | | [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. | @@ -500,11 +502,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index eee1855165..e0f720a1d2 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep @@ -70,13 +70,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
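Review bot: Changing `lock` from `string` to the nullable `lockType` object is a breaking interface change for every caller that passes `lock: 'CanNotDelete'` today, and this chunk shows no corresponding major version bump or changelog entry. The `@description` should tell callers that the string form is gone, e.g. `Optional. The lock settings of the service. Expects an object with 'kind' and optional 'name'; the former string value is no longer accepted.` The redis-enterprise `param lock lockType` hunk at the end of this chunk makes the same change.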
@@ -176,14 +171,13 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource keyVaultReferenceKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(keyVaultReferenceResourceId)) { - name: last(split(keyVaultReferenceResourceId, '/'))! - scope: resourceGroup(split(keyVaultReferenceResourceId, '/')[2], split(keyVaultReferenceResourceId, '/')[4]) -} +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) -resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { - name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { + name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + } } resource batchAccount 'Microsoft.Batch/batchAccounts@2022-06-01' = { 
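Review bot: Removing `keyVaultReferenceKeyVault` and reusing `cMKKeyVault` for `keyVaultReference.url` in the next hunk (`url: cMKKeyVault.properties.vaultUri`) conflates two different vaults: `keyVaultReferenceResourceId` is the vault used for `poolAllocationMode: 'UserSubscription'`, whereas `cMKKeyVault` is conditioned on `cMKKeyVaultResourceId`. A UserSubscription deployment without customer-managed keys now references an existing resource whose condition is false (falling back to the `dummyVault` name), which will most likely fail at deployment, and a deployment with both set reports `id` and `url` taken from two different vaults. Keep a separate existing resource scoped by `keyVaultReferenceResourceId`, with the same dummy-value guards the new `cMKKeyVault` uses, and point `url` back at it (`url: keyVaultReferenceKeyVault.properties.vaultUri`).

```bicep
resource keyVaultReferenceKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(keyVaultReferenceResourceId)) {
  name: last(split((!empty(keyVaultReferenceResourceId) ? keyVaultReferenceResourceId : 'dummyVault'), '/'))!
  scope: resourceGroup(split((!empty(keyVaultReferenceResourceId) ? keyVaultReferenceResourceId : '//'), '/')[2], split((!empty(keyVaultReferenceResourceId) ? keyVaultReferenceResourceId : '////'), '/')[4])
}

// … unchanged: cMKKeyVault existing resource with nested cMKKey …
```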
@@ -197,12 +191,12 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-06-01' = { encryption: !empty(cMKKeyName) ? { keySource: 'Microsoft.KeyVault' keyVaultProperties: { - keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion + keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion } } : null keyVaultReference: poolAllocationMode == 'UserSubscription' ? { id: keyVaultReferenceResourceId - url: keyVaultReferenceKeyVault.properties.vaultUri + url: cMKKeyVault.properties.vaultUri } : null networkProfile: (publicNetworkAccess == 'Disabled') || empty(networkProfileAllowedIpRanges) ? null : { accountAccess: { @@ -215,11 +209,11 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-06-01' = { } } -resource batchAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${batchAccount.name}-${lock}-lock' +resource batchAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: batchAccount } 
@@ -248,7 +242,7 @@ module batchAccount_privateEndpoints '../../network/private-endpoint/main.bicep' subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -272,3 +266,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = batchAccount.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index d169073f0f..3c256755bd 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2591446309015635136" + "templateHash": "2439163015108038599" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -147,15 +175,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -281,8 +303,20 @@ }, "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -296,7 +330,16 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "batchAccount": { "type": "Microsoft.Batch/batchAccounts", "apiVersion": "2022-06-01", "name": "[parameters('name')]", 
@@ -306,28 +349,31 @@ "properties": { "allowedAuthenticationModes": "[parameters('allowedAuthenticationModes')]", "autoStorage": "[variables('autoStorageConfig')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion))), null())]", - "keyVaultReference": "[if(equals(parameters('poolAllocationMode'), 'UserSubscription'), createObject('id', parameters('keyVaultReferenceResourceId'), 'url', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultReferenceResourceId'), '/')[2], split(parameters('keyVaultReferenceResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('keyVaultReferenceResourceId'), '/'))), '2021-10-01').vaultUri), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', 
createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", + "keyVaultReference": "[if(equals(parameters('poolAllocationMode'), 'UserSubscription'), createObject('id', parameters('keyVaultReferenceResourceId'), 'url', reference('cMKKeyVault').vaultUri), null())]", "networkProfile": "[if(or(equals(parameters('publicNetworkAccess'), 'Disabled'), empty(parameters('networkProfileAllowedIpRanges'))), null(), createObject('accountAccess', createObject('defaultAction', parameters('networkProfileDefaultAction'), 'ipRules', variables('networkProfileIpRules'))))]", "poolAllocationMode": "[parameters('poolAllocationMode')]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkProfileAllowedIpRanges'))), 'Disabled', null()))]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "batchAccount_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or 
child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" + "batchAccount" ] }, - { + "batchAccount_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -342,10 +388,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" + "batchAccount" ] }, - { + "batchAccount_privateEndpoints": { "copy": { "name": "batchAccount_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -375,7 +421,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -869,10 +917,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" + "batchAccount" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -900,7 +948,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), '2022-06-01', 'full').location]" + "value": "[reference('batchAccount', '2022-06-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep index 40a9e53eef..74c01eb8d0 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep @@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName diagnosticSettingsName: 'redisdiagnostics' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 3fb04f5ffd..e9afb7bd4f 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -76,7 +76,10 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } minimumTlsVersion: '1.2' privateEndpoints: [ { @@ -170,7 +173,10 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "minimumTlsVersion": { "value": "1.2" 
@@ -411,7 +417,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -500,11 +506,30 @@ The geo-location where the resource lives. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `minimumTlsVersion` diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index ea5c05e878..be865f3cda 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep @@ -8,13 +8,8 @@ param location string = resourceGroup().location @description('Required. The name of the Redis Cache Enterprise resource.') param name string -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -139,11 +134,11 @@ resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = { zones: availabilityZones } -resource redisCacheEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${redisCacheEnterprise.name}-${lock}-lock' +resource redisCacheEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: redisCacheEnterprise } @@ -204,7 +199,7 @@ module redisCacheEnterprise_privateEndpoints '../../network/private-endpoint/mai subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
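Review bot: The new condition `!empty(lock ?? {}) && lock.?kind != 'None'` still admits a lock object that sets only `name`, and the resource is then deployed with `level: lock.?kind ?? ''`, an empty level that the locks resource provider will presumably reject at deployment time rather than being caught at compile time. Gating on the kind instead, `if (!empty(lock ?? {}) && !empty(lock.?kind ?? '') && lock.?kind != 'None') {`, keeps the `None` opt-out and only creates the lock when a usable level is present (the `?? ''` fallback on `level` can then go). The same pattern appears in the corresponding hunks of modules/cache/redis/main.bicep and modules/cdn/profile/main.bicep. Note also that the default lock name changes from `${name}-${lock}-lock` to `lock-${name}`; under an incremental redeploy the previously created lock is presumably left in place alongside the new one, which is worth a line in the README since locks are a protective control operators may be auditing by name.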
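Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints from no lock to inheriting the parent's lock, and the `privateEndpoints` parameter description (unchanged in this commit's README hunks) does not mention it. Anyone who sets `CanNotDelete` on the cache now also gets a lock on each private endpoint unless they pass `lock: { kind: 'None' }` per endpoint, which is the only visible opt-out, so a comment above the line, `// Inherit the parent lock unless the endpoint sets its own; kind 'None' opts out`, plus a sentence to that effect in the parameter description would make the behaviour discoverable. The enclosing `redisCacheEnterprise_privateEndpoints` module block begins and ends outside the hunk; the same line is introduced in modules/cache/redis/main.bicep.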
@@ -231,3 +226,15 @@ output hostName string = redisCacheEnterprise.properties.hostName @description('The location the resource was deployed into.') output location string = redisCacheEnterprise.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index bd9889f874..b574498959 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4614393026190076893" + "templateHash": "13843091580416749127" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "location": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
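Review bot: The `kind` description on the new `lockType` does not explain what `None` means, although it is the value that suppresses lock creation (the `!= 'None'` check in `redisCacheEnterprise_lock`) and distinguishes "explicitly no lock" from "not specified", where the parent lock is passed down to private endpoints. Suggest `@description('Optional. Specify the type of lock. Use \'None\' to explicitly deploy no lock, e.g. to override a lock inherited from the parent.')`, and for `name` something like `@description('Optional. Specify the name of lock. Defaults to \'lock-<resource name>\'.')`, which matches the `lock.?name ?? 'lock-${name}'` fallback above. The same type block is added to modules/cache/redis/main.bicep and modules/cdn/profile/main.bicep and would benefit from the same wording.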
@@ -200,8 +222,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -215,7 +237,7 @@ } } }, - { + "redisCacheEnterprise": { "type": "Microsoft.Cache/redisEnterprise", "apiVersion": "2022-01-01", "name": "[parameters('name')]", 
@@ -230,21 +252,21 @@ }, "zones": "[variables('availabilityZones')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "redisCacheEnterprise_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + "redisCacheEnterprise" ] }, - { + "redisCacheEnterprise_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -259,10 +281,10 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + "redisCacheEnterprise" ] }, - { + "redisCacheEnterprise_rbac": { "copy": { "name": "redisCacheEnterprise_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -408,10 +430,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + "redisCacheEnterprise" ] }, - { + "redisCacheEnterprise_databases": { "copy": { "name": "redisCacheEnterprise_databases", "count": "[length(parameters('databases'))]" @@ -640,10 +662,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + "redisCacheEnterprise" ] }, - { + "redisCacheEnterprise_privateEndpoints": { "copy": { "name": "redisCacheEnterprise_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -673,7 +695,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1167,10 +1191,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + "redisCacheEnterprise" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1198,14 +1222,14 @@ "metadata": { "description": "Redis hostname." }, - "value": "[reference(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), '2022-01-01').hostName]" + "value": "[reference('redisCacheEnterprise').hostName]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), '2022-01-01', 'full').location]" + "value": "[reference('redisCacheEnterprise', '2022-01-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep index cf59ecb453..04f213bff5 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/.test/common/main.test.bicep @@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName diagnosticSettingsName: 'redisdiagnostics' enableNonSslPort: true - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } minimumTlsVersion: '1.2' zoneRedundant: true zones: [ 1, 2 ] diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 6e05f21b0f..ba16041709 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -57,7 +57,10 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enableNonSslPort: true - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } minimumTlsVersion: '1.2' privateEndpoints: [ { @@ -133,7 +136,10 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "value": true }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "minimumTlsVersion": { "value": "1.2" 
@@ -263,7 +269,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableNonSslPort`](#parameter-enablenonsslport) | bool | Specifies whether the non-ssl Redis server port (6379) is enabled. | | [`location`](#parameter-location) | string | The location to deploy the Redis cache service. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | @@ -365,11 +371,30 @@ The location to deploy the Redis cache service. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `minimumTlsVersion` 
diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index 3794244f46..3c78068ad7 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep @@ -8,13 +8,8 @@ param location string = resourceGroup().location @description('Required. The name of the Redis cache resource.') param name string -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -210,11 +205,11 @@ resource redisCache 'Microsoft.Cache/redis@2022-06-01' = { zones: availabilityZones } -resource redisCache_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${redisCache.name}-${lock}-lock' +resource redisCache_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: redisCache } 
@@ -256,7 +251,7 @@ module redisCache_privateEndpoints '../../network/private-endpoint/main.bicep' = subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -289,3 +284,15 @@ output subnetId string = !empty(subnetId) ? redisCache.properties.subnetId : '' @description('The location the resource was deployed into.') output location string = redisCache.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 04b6f51cbf..5d189f577b 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2042912837463951821" + "templateHash": "4426369279242408346" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "location": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -306,8 +328,8 @@ }, "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -321,7 +343,7 @@ } } }, - { + "redisCache": { "type": "Microsoft.Cache/redis", "apiVersion": "2022-06-01", "name": "[parameters('name')]", 
@@ -348,21 +370,21 @@ }, "zones": "[variables('availabilityZones')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "redisCache_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redis', parameters('name'))]" + "redisCache" ] }, - { + "redisCache_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -377,10 +399,10 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redis', parameters('name'))]" + "redisCache" ] }, - { + "redisCache_rbac": { "copy": { "name": "redisCache_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -526,10 +548,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redis', parameters('name'))]" + "redisCache" ] }, - { + "redisCache_privateEndpoints": { "copy": { "name": "redisCache_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -559,7 +581,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1053,10 +1077,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cache/redis', parameters('name'))]" + "redisCache" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1084,28 +1108,28 @@ "metadata": { "description": "Redis hostname." }, - "value": "[reference(resourceId('Microsoft.Cache/redis', parameters('name')), '2022-06-01').hostName]" + "value": "[reference('redisCache').hostName]" }, "sslPort": { "type": "int", "metadata": { "description": "Redis SSL port." }, - "value": "[reference(resourceId('Microsoft.Cache/redis', parameters('name')), '2022-06-01').sslPort]" + "value": "[reference('redisCache').sslPort]" }, "subnetId": { "type": "string", "metadata": { "description": "The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in." }, - "value": "[if(not(empty(parameters('subnetId'))), reference(resourceId('Microsoft.Cache/redis', parameters('name')), '2022-06-01').subnetId, '')]" + "value": "[if(not(empty(parameters('subnetId'))), reference('redisCache').subnetId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cache/redis', parameters('name')), '2022-06-01', 'full').location]" + "value": "[reference('redisCache', '2022-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/.test/afd/main.test.bicep index a8eec32f82..10c448e3b8 100644 --- a/modules/cdn/profile/.test/afd/main.test.bicep +++ b/modules/cdn/profile/.test/afd/main.test.bicep @@ -50,7 +50,10 @@ module testDeployment '../../main.bicep' = { params: { name: 'dep-${namePrefix}-test-${serviceShort}' location: 'global' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } originResponseTimeoutSeconds: 60 sku: 'Standard_AzureFrontDoor' enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/.test/common/main.test.bicep index d8dcf730f7..20344b0e7a 100644 --- a/modules/cdn/profile/.test/common/main.test.bicep 
+++ b/modules/cdn/profile/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { params: { name: 'dep-${namePrefix}-test-${serviceShort}' location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } originResponseTimeoutSeconds: 60 sku: 'Standard_Verizon' enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 04388adbbd..0648822403 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -79,7 +79,10 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { ] enableDefaultTelemetry: '' location: 'global' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } originResponseTimeoutSeconds: 60 origionGroups: [ { @@ -188,7 +191,10 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { "value": "global" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "originResponseTimeoutSeconds": { "value": 60 @@ -303,7 +309,10 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { queryStringCachingBehavior: 'IgnoreQueryString' } location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } originResponseTimeoutSeconds: 60 roleAssignments: [ { @@ -377,7 +386,10 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "originResponseTimeoutSeconds": { "value": 60 
@@ -426,7 +438,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { | [`endpointName`](#parameter-endpointname) | string | Name of the endpoint under the profile which is unique globally. | | [`endpointProperties`](#parameter-endpointproperties) | object | Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`originResponseTimeoutSeconds`](#parameter-originresponsetimeoutseconds) | int | Send and receive timeout on forwarding request to the origin. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. | 
@@ -477,11 +489,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index 072f1ddba5..028821ae9a 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep @@ -53,13 +53,8 @@ param afdEndpoints array = [] @description('Optional. Endpoint tags.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -93,11 +88,11 @@ resource profile 'Microsoft.Cdn/profiles@2023-05-01' = { tags: tags } -resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${profile.name}-${lock}-lock' +resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: profile } @@ -216,3 +211,15 @@ output profileType string = profile.type @description('The location the resource was deployed into.') output location string = profile.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json index b46a4cdf8d..62440e268a 100644 --- a/modules/cdn/profile/main.json +++ b/modules/cdn/profile/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14280184708897109589" + "templateHash": "3308793853973967081" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -110,15 +138,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -139,8 +161,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -154,7 +176,7 @@ } } }, - { + "profile": { "type": "Microsoft.Cdn/profiles", "apiVersion": "2023-05-01", "name": "[parameters('name')]", 
@@ -167,21 +189,21 @@ }, "tags": "[parameters('tags')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "profile_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_roleAssignments": { "copy": { "name": "profile_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -334,10 +356,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_endpoint": { "condition": "[not(empty(parameters('endpointProperties')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -685,10 +707,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_secret": { "copy": { "name": "profile_secret", "count": "[length(parameters('secrets'))]" 
@@ -848,10 +870,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_custom_domain": { "copy": { "name": "profile_custom_domain", "count": "[length(parameters('customDomains'))]" @@ -1033,11 +1055,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]", + "profile", "profile_secret" ] }, - { + "profile_origionGroup": { "copy": { "name": "profile_origionGroup", "count": "[length(parameters('origionGroups'))]" @@ -1410,10 +1432,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_ruleSet": { "copy": { "name": "profile_ruleSet", "count": "[length(parameters('ruleSets'))]" @@ -1689,10 +1711,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" + "profile" ] }, - { + "profile_afdEndpoint": { "copy": { "name": "profile_afdEndpoint", "count": "[length(parameters('afdEndpoints'))]" @@ -2113,13 +2135,13 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]", + "profile", "profile_custom_domain", "profile_origionGroup", "profile_ruleSet" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2154,7 +2176,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles', parameters('name')), '2023-05-01', 'full').location]" + "value": "[reference('profile', '2023-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 70f40c8a95..16b050db44 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep 
@@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { defaultAction: 'Deny' ipRules: [ diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 3647314693..5613b3b75f 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -58,7 +58,10 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { defaultAction: 'Deny' ipRules: [ @@ -149,7 +152,10 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkAcls": { "value": { 
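Review bot: The updated test only exercises `kind: 'CanNotDelete'` with an explicit `name`, so the two genuinely new code paths in the module (`kind: 'None'`, which must produce no lock resource, and a lock object without `kind`) have no coverage. Given that the lock resource's condition and `level` expression handle those cases differently, at least one additional case such as `lock: { kind: 'None' }` in another test scenario, or a `ReadOnly` variant here, would catch a regression. The test module body continues outside this hunk.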
@@ -501,7 +507,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { | [`dynamicThrottlingEnabled`](#parameter-dynamicthrottlingenabled) | bool | The flag to enable dynamic throttling. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`migrationToken`](#parameter-migrationtoken) | string | Resource migration token. | | [`networkAcls`](#parameter-networkacls) | object | A collection of rules governing the accessibility from specific network locations. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | @@ -651,11 +657,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `migrationToken` diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index 04f882bb27..9bee40a178 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep 
@@ -92,13 +92,8 @@ param systemAssignedIdentity bool = false @description('Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') param userAssignedIdentities object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -206,19 +201,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split(cMKKeyVaultResourceId, '/'))! - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) -} +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) -resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { - name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'! - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { + name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + } } resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { - name: last(split(cMKUserAssignedIdentityResourceId, '/'))! - scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) + name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))! + scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4]) } resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-12-01' = { 
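Review bot: The `existing` vault reference drops from API version `2023-02-01` to `2021-10-01` while its `keys` child stays at `2023-02-01`, with no explanation in the commit; if this was not deliberate it should go back, and if it was, a one-line comment saying why would stop the next reviewer from "fixing" it. The `'dummyVault'`, `'//'` and `'////'` fallbacks keep the `split()` indexing valid when `cMKKeyVaultResourceId` is empty, but the consumers of these references appear to be gated on `cMKKeyName` alone (the compiled `encryption` expression later in the diff tests only that parameter), so supplying a key name without the vault or identity resource ID still fails at `reference()` time with an opaque error rather than a parameter-validation error. Since a silent fallback to platform-managed keys would be worse than a failure, the coupling is better made explicit in the parameter descriptions (`cMKKeyVaultResourceId` and `cMKUserAssignedIdentityResourceId` required whenever `cMKKeyName` is set) than left to the runtime. A short comment above the block, `// Placeholder segments keep the existing-resource expressions parseable when CMK is not configured; they are never resolved against ARM.`, would document the intent of the dummy values.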
@@ -247,7 +241,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-12-01' = { identityClientId: cMKUserAssignedIdentity.properties.clientId keyVaultUri: cMKKeyVault.properties.vaultUri keyName: cMKKeyName - keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/')) + keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } } : null migrationToken: !empty(migrationToken) ? migrationToken : null @@ -258,11 +252,11 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2022-12-01' = { } } -resource cognitiveServices_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${cognitiveServices.name}-${lock}-lock' +resource cognitiveServices_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: cognitiveServices } 
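Review bot: When `cMKKeyVersion` is empty the template resolves `keyVersion` from `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, which pins whatever key version is current at deployment time; a later key rotation in Key Vault is not picked up until the module is redeployed, and this is not stated in the parameter documentation. If the intent is "latest version at deploy time", the `cMKKeyVersion` description should say so explicitly so operators do not assume automatic rotation. The enclosing `cognitiveServices` resource starts and ends outside this hunk, so whether the account supports versionless keys cannot be judged from here.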
@@ -291,7 +285,7 @@ module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.b subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -334,3 +328,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(cog @description('The location the resource was deployed into.') output location string = cognitiveServices.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index 02c0c637fc..c4e3c4d5a8 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json 
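Review bot: `lock: privateEndpoint.?lock ?? lock` silently changes behaviour: a private endpoint that does not specify its own lock previously received `null` and now inherits the parent account's lock, so existing callers who lock the account will, on redeploy, also get a lock on every private endpoint. That may well be the desired default, but it is a behaviour change that the `privateEndpoints` parameter description should state, and the referenced `network/private-endpoint` module must accept the new `lockType` object rather than a string, which cannot be verified from this diff. Suggest adding to the description: "If no lock is specified for a private endpoint, the lock settings of the parent resource are inherited." The enclosing module block starts before this hunk.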
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10920180822593223575" + "templateHash": "333012564949665738" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -157,15 +185,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -333,8 +355,20 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -348,7 +382,25 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + }, + "cognitiveServices": { "type": "Microsoft.CognitiveServices/accounts", "apiVersion": "2022-12-01", "name": "[parameters('name')]", 
@@ -366,29 +418,33 @@ "allowedFqdnList": "[parameters('allowedFqdnList')]", "apiProperties": "[parameters('apiProperties')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('identityClientId', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKUserAssignedIdentityResourceId'), '/')[2], split(parameters('cMKUserAssignedIdentityResourceId'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('cMKUserAssignedIdentityResourceId'), '/'))), '2023-01-31').clientId, 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2023-02-01').keyUriWithVersion, '/'))))), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('identityClientId', reference('cMKUserAssignedIdentity').clientId, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), 
parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", "migrationToken": "[if(not(empty(parameters('migrationToken'))), parameters('migrationToken'), null())]", "restore": "[parameters('restore')]", "restrictOutboundNetworkAccess": "[parameters('restrictOutboundNetworkAccess')]", "userOwnedStorage": "[if(not(empty(parameters('userOwnedStorage'))), parameters('userOwnedStorage'), null())]", "dynamicThrottlingEnabled": "[parameters('dynamicThrottlingEnabled')]" - } + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "cognitiveServices_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" + "cognitiveServices" ] }, - { + "cognitiveServices_diagnosticSettingName": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), 
not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -403,10 +459,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" + "cognitiveServices" ] }, - { + "cognitiveServices_privateEndpoints": { "copy": { "name": "cognitiveServices_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -436,7 +492,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", 
@@ -930,10 +988,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" + "cognitiveServices" ] }, - { + "cognitiveServices_roleAssignments": { "copy": { "name": "cognitiveServices_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1102,10 +1160,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" + "cognitiveServices" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1133,21 +1191,21 @@ "metadata": { "description": "The service endpoint of the cognitive services account." }, - "value": "[reference(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '2022-12-01').endpoint]" + "value": "[reference('cognitiveServices').endpoint]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '2022-12-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '2022-12-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('cognitiveServices', '2022-12-01', 'full').identity, 'principalId')), reference('cognitiveServices', '2022-12-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '2022-12-01', 'full').location]" + "value": "[reference('cognitiveServices', '2022-12-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/.test/common/main.test.bicep index ae1d4d2684..7e6829e7a7 100644 --- a/modules/compute/availability-set/.test/common/main.test.bicep +++ b/modules/compute/availability-set/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId roleAssignments: [ { diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 84aafa7e4b..cddca05dfe 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -46,7 +46,10 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { name: 'cascom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } proximityPlacementGroupResourceId: '' roleAssignments: [ { @@ -87,7 +90,10 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "proximityPlacementGroupResourceId": { "value": "" 
@@ -180,7 +186,7 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`platformFaultDomainCount`](#parameter-platformfaultdomaincount) | int | The number of fault domains to use. | | [`platformUpdateDomainCount`](#parameter-platformupdatedomaincount) | int | The number of update domains to use. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | @@ -204,11 +210,30 @@ Resource location. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep index 9931d26df3..551732b90d 100644 --- a/modules/compute/availability-set/main.bicep +++ b/modules/compute/availability-set/main.bicep 
@@ -20,13 +20,8 @@ param proximityPlacementGroupResourceId string = '' @description('Optional. Resource location.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -65,11 +60,11 @@ resource availabilitySet 'Microsoft.Compute/availabilitySets@2022-11-01' = { } } -resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${availabilitySet.name}-${lock}-lock' +resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: availabilitySet } 
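Review bot: The default lock name changes from `${availabilitySet.name}-${lock}-lock` to `lock-${name}`; because incremental deployments never delete resources, redeploying an already-locked availability set creates the new lock and leaves the old `<name>-CanNotDelete-lock` (or `-ReadOnly-lock`) in place, so the effective protection on the resource becomes the union of both and removing the old one requires a manual step. This deserves a note where callers will see it, for example a comment on the resource: `// NOTE: the default lock name changed; locks created by earlier versions are not removed on redeploy and must be deleted manually.` The same `level: lock.?kind ?? ''` fallback as in the other modules also deploys an invalid empty level when `kind` is omitted but `name` is set.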
@@ -98,3 +93,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = availabilitySet.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json index 19bcaa1b81..2431428757 100644 --- a/modules/compute/availability-set/main.json +++ b/modules/compute/availability-set/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9507883477012630410" + "templateHash": "215934081213678222" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -54,15 +82,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -87,8 +109,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -102,7 +124,7 @@ } } }, - { + "availabilitySet": { "type": "Microsoft.Compute/availabilitySets", "apiVersion": "2022-11-01", "name": "[parameters('name')]", @@ -117,21 +139,21 @@ "name": "[parameters('skuName')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "availabilitySet_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/availabilitySets', parameters('name'))]" + "availabilitySet" ] }, - { + "availabilitySet_roleAssignments": { "copy": { "name": "availabilitySet_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -298,10 +320,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/availabilitySets', parameters('name'))]" + "availabilitySet" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -329,7 +351,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/availabilitySets', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('availabilitySet', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index a6ad758a86..40abeb6339 100644 --- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep @@ -57,7 +57,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } keyName: nestedDependencies.outputs.keyName keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId roleAssignments: [ diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index c6bac4b9e8..c1dc0eef08 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -147,7 +147,10 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = name: 'cdescom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -197,7 +200,10 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -259,7 +265,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`federatedClientId`](#parameter-federatedclientid) | string | Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. | | [`keyVersion`](#parameter-keyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. | 
@@ -314,11 +320,30 @@ Resource location. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index dda18b29ee..4a0bd45dd2 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep @@ -8,13 +8,8 @@ param name string @description('Optional. Resource location.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Required. Resource ID of the KeyVault containing the key or secret.') param keyVaultResourceId string 
@@ -127,11 +122,11 @@ module diskEncryptionSet_roleAssignments '.bicep/nested_roleAssignments.bicep' =
   }
 }]
 
-resource diskEncryptionSet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${diskEncryptionSet.name}-${lock}-lock'
+resource diskEncryptionSet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: diskEncryptionSet
 }
@@ -156,3 +151,15 @@ output keyVaultName string = last(split(keyVaultResourceId, '/'))!
 
 @description('The location the resource was deployed into.')
 output location string = diskEncryptionSet.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json
index d695c7fa4b..82d040ffa9 100644
--- a/modules/compute/disk-encryption-set/main.json
+++ b/modules/compute/disk-encryption-set/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2262193414925411787" + "templateHash": "9514360048740923625" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "keyVaultResourceId": { 
@@ -124,8 +146,19 @@ "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" } }, - "resources": [ - { + "resources": { + "keyVault::key": { + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(parameters('keyVaultResourceId'), '/')[2]]", + "resourceGroup": "[split(parameters('keyVaultResourceId'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName'))]", + "dependsOn": [ + "keyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -139,7 +172,15 @@ } } }, - { + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(parameters('keyVaultResourceId'), '/')[2]]", + "resourceGroup": "[split(parameters('keyVaultResourceId'), '/')[4]]", + "name": "[last(split(parameters('keyVaultResourceId'), '/'))]" + }, + "diskEncryptionSet": { "type": "Microsoft.Compute/diskEncryptionSets", "apiVersion": "2022-07-02", "name": "[parameters('name')]", 
@@ -151,31 +192,32 @@ "sourceVault": { "id": "[parameters('keyVaultResourceId')]" }, - "keyUrl": "[if(not(empty(parameters('keyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName')), '2021-10-01').keyUri, parameters('keyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('keyName')), '2021-10-01').keyUriWithVersion)]" + "keyUrl": "[if(not(empty(parameters('keyVersion'))), format('{0}/{1}', reference('keyVault::key').keyUri, parameters('keyVersion')), reference('keyVault::key').keyUriWithVersion)]" }, "encryptionType": "[parameters('encryptionType')]", "federatedClientId": "[parameters('federatedClientId')]", "rotationToLatestKeyVersionEnabled": "[parameters('rotationToLatestKeyVersionEnabled')]" }, "dependsOn": [ + "keyVault", "keyVaultPermissions" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "diskEncryptionSet_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the 
resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name'))]" + "diskEncryptionSet" ] }, - { + "keyVaultPermissions": { "copy": { "name": "keyVaultPermissions", "count": "[length(items(parameters('userAssignedIdentities')))]" @@ -201,7 +243,7 @@ "value": "[items(parameters('userAssignedIdentities'))[copyIndex()].key]" }, "rbacAuthorizationEnabled": { - "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('keyVaultResourceId'), '/'))), '2021-10-01').enableRbacAuthorization]" + "value": "[reference('keyVault').enableRbacAuthorization]" } }, "template": { @@ -456,9 +498,12 @@ } ] } - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "diskEncryptionSet_roleAssignments": { "copy": { "name": "diskEncryptionSet_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -625,10 +670,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name'))]" + "diskEncryptionSet" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -656,14 +701,14 @@ "metadata": { "description": "The principal ID of the disk encryption set." }, - "value": "[if(equals(parameters('systemAssignedIdentity'), true()), reference(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), '2022-07-02', 'full').identity.principalId, '')]" + "value": "[if(equals(parameters('systemAssignedIdentity'), true()), reference('diskEncryptionSet', '2022-07-02', 'full').identity.principalId, '')]" }, "identities": { "type": "object", "metadata": { "description": "The idenities of the disk encryption set." }, - "value": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), '2022-07-02', 'full').identity]" + "value": "[reference('diskEncryptionSet', '2022-07-02', 'full').identity]" }, "keyVaultName": { "type": "string", @@ -677,7 +722,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), '2022-07-02', 'full').location]" + "value": "[reference('diskEncryptionSet', '2022-07-02', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/.test/common/main.test.bicep index aa9864c7ed..a2324a9a76 100644 --- a/modules/compute/disk/.test/common/main.test.bicep +++ b/modules/compute/disk/.test/common/main.test.bicep @@ -55,7 +55,10 @@ module testDeployment '../../main.bicep' = { diskIOPSReadWrite: 500 diskMBpsReadWrite: 60 diskSizeGB: 128 - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } logicalSectorSize: 512 osType: 'Windows' publicNetworkAccess: 'Enabled' diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 1443faa26e..0a099cb76c 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md 
@@ -52,7 +52,10 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { diskMBpsReadWrite: 60 diskSizeGB: 128 enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } logicalSectorSize: 512 osType: 'Windows' publicNetworkAccess: 'Enabled' @@ -107,7 +110,10 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "logicalSectorSize": { "value": 512 @@ -413,7 +419,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { | [`hyperVGeneration`](#parameter-hypervgeneration) | string | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. | | [`imageReferenceId`](#parameter-imagereferenceid) | string | A relative uri containing either a Platform Image Repository or user image reference. | | [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`logicalSectorSize`](#parameter-logicalsectorsize) | int | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. | | [`maxShares`](#parameter-maxshares) | int | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. | | [`networkAccessPolicy`](#parameter-networkaccesspolicy) | string | Policy for accessing the disk via network. | 
@@ -516,11 +522,30 @@ Resource location. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `logicalSectorSize` diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep index d8fa0fe054..b97710495b 100644 --- a/modules/compute/disk/main.bicep +++ b/modules/compute/disk/main.bicep @@ -118,13 +118,8 @@ param publicNetworkAccess string = 'Disabled' @description('Optional. True if the image from which the OS disk is created supports accelerated networking.') param acceleratedNetwork bool = false -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -185,11 +180,11 @@ resource disk 'Microsoft.Compute/disks@2022-07-02' = {
   }
 }
 
-resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${disk.name}-${lock}-lock'
+resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: disk
 }
@@ -218,3 +213,15 @@ output name string = disk.name
 
 @description('The location the resource was deployed into.')
 output location string = disk.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json
index 84ea41a567..48535f3bee 100644
--- a/modules/compute/disk/main.json
+++ b/modules/compute/disk/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12764361220335313353" + "templateHash": "8327315950062299298" }, "name": "Compute Disks", "description": "This module deploys a Compute Disk", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -223,15 +251,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -256,8 +278,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -271,7 +293,7 @@ } } }, - { + "disk": { "type": "Microsoft.Compute/disks", "apiVersion": "2022-07-02", "name": "[parameters('name')]", 
@@ -305,21 +327,21 @@ "supportedCapabilities": "[if(empty(parameters('osType')), createObject(), createObject('acceleratedNetwork', parameters('acceleratedNetwork'), 'architecture', if(empty(parameters('architecture')), null(), parameters('architecture'))))]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "disk_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/disks', parameters('name'))]" + "disk" ] }, - { + "disk_roleAssignments": { "copy": { "name": "disk_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -486,10 +508,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/disks', parameters('name'))]" + "disk" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -517,7 +539,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/disks', parameters('name')), '2022-07-02', 'full').location]" + "value": "[reference('disk', '2022-07-02', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/.test/common/main.test.bicep index 661d7c9463..df503cc635 100644 --- a/modules/compute/gallery/.test/common/main.test.bicep +++ b/modules/compute/gallery/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } applications: [ { name: '${namePrefix}-${serviceShort}-appd-001' diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 61b8789f43..bc21780e0a 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -175,7 +175,10 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { sku: '20_04-lts-gen2' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -346,7 +349,10 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -439,7 +445,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`images`](#parameter-images) | array | Images to create. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags for all resources. | @@ -480,11 +486,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep index e3caa5992b..414c4c94f1 100644 --- a/modules/compute/gallery/main.bicep +++ b/modules/compute/gallery/main.bicep 
@@ -18,13 +18,8 @@ param applications array = []
 @sys.description('Optional. Images to create.')
 param images array = []
 
-@allowed([
-  ''
-  'CanNotDelete'
-  'ReadOnly'
-])
-@sys.description('Optional. Specify the type of lock.')
-param lock string = ''
+@sys.description('Optional. The lock settings of the service.')
+param lock lockType
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -59,11 +54,11 @@ resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
   }
 }
 
-resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${gallery.name}-${lock}-lock'
+resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: gallery
 }
@@ -143,3 +138,15 @@ output name string = gallery.name
 
 @sys.description('The location the resource was deployed into.')
 output location string = gallery.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @sys.description('Optional. Specify the name of lock.')
+  name: string?
+
+  @sys.description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json index d1a6ae1c3b..4b41595c8f 100644 --- a/modules/compute/gallery/main.json +++ b/modules/compute/gallery/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18299186787302449822" + "templateHash": "13827150813589575122" }, "name": "Azure Compute Galleries", "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -48,15 +76,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -84,8 +106,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -99,7 +121,7 @@ } } }, - { + "gallery": { "type": "Microsoft.Compute/galleries", "apiVersion": "2022-03-03", "name": "[parameters('name')]", 
@@ -110,21 +132,21 @@ "identifier": {} } }, - { - "condition": "[not(empty(parameters('lock')))]", + "gallery_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" + "gallery" ] }, - { + "gallery_roleAssignments": { "copy": { "name": "gallery_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -291,10 +313,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" + "gallery" ] }, - { + "galleries_applications": { "copy": { "name": "galleries_applications", "count": "[length(parameters('applications'))]" @@ -671,10 +693,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" + "gallery" ] }, - { + "galleries_images": { "copy": { "name": "galleries_images", "count": "[length(parameters('images'))]" @@ -1225,10 +1247,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" + "gallery" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1256,7 +1278,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/galleries', parameters('name')), '2022-03-03', 'full').location]" + "value": "[reference('gallery', '2022-03-03', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/.test/common/main.test.bicep index 38de4fd5d1..ffa39a5ba6 100644 --- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep +++ b/modules/compute/proximity-placement-group/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 69368d6058..36c6b39b63 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -58,7 +58,10 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro 'Standard_B4ms' ] } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -118,7 +121,10 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -218,7 +224,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`intent`](#parameter-intent) | object | Specifies the user intent of the proximity placement group. | | [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the proximity placement group resource. | | [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | @@ -254,11 +260,30 @@ Resource location. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep
index 31f5c92195..3aea13dd5b 100644
--- a/modules/compute/proximity-placement-group/main.bicep
+++ b/modules/compute/proximity-placement-group/main.bicep
@@ -15,13 +15,8 @@ param type string = 'Standard'
 @description('Optional. Resource location.')
 param location string = resourceGroup().location
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -65,11 +60,11 @@ resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@202
 }
 }
-resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${proximityPlacementGroup.name}-${lock}-lock'
+resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: proximityPlacementGroup
 }
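Review bot: In `proximityPlacementGroup_lock`, a `lock` value that sets only `name` (for example `{ name: 'x' }`) passes the new condition — the object is non-empty and `kind` is null rather than `'None'` — so the lock is deployed with `level: lock.?kind ?? ''`, an empty level that is not a valid lock level and will fail at deployment time instead of the lock simply being skipped. Keying the condition on `kind` avoids that: `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`. Separately, the default lock name moves from `<name>-<kind>-lock` to `lock-<name>`, so redeploying this version over an existing deployment appears to create a second lock and leave the old one in place; since a stale CanNotDelete lock presumably has to be removed by hand with lock-delete permission, that seems worth a sentence in the module README.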
@@ -98,3 +93,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = proximityPlacementGroup.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index 515ff086af..cf86736c07 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6477295143375151288" + "templateHash": "9736582155386866738" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -37,15 +65,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -91,8 +113,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -106,7 +128,7 @@ } } }, - { + "proximityPlacementGroup": { "type": "Microsoft.Compute/proximityPlacementGroups", "apiVersion": "2022-08-01", "name": "[parameters('name')]", 
@@ -119,21 +141,21 @@ "intent": "[if(not(empty(parameters('intent'))), parameters('intent'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "proximityPlacementGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name'))]" + "proximityPlacementGroup" ] }, - { + "proximityPlacementGroup_roleAssignments": { "copy": { "name": "proximityPlacementGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -300,10 +322,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name'))]" + "proximityPlacementGroup" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -331,7 +353,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name')), '2022-08-01', 'full').location]" + "value": "[reference('proximityPlacementGroup', '2022-08-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index d55794c19a..210914120a 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -146,7 +146,7 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Resource location. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicKey`](#parameter-publickey) | string | SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | 
@@ -167,11 +167,30 @@ Resource location. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/compute/ssh-public-key/main.bicep b/modules/compute/ssh-public-key/main.bicep index c6697e0a06..be80807c30 100644 --- a/modules/compute/ssh-public-key/main.bicep +++ b/modules/compute/ssh-public-key/main.bicep 
@@ -13,13 +13,8 @@ param location string = resourceGroup().location
 @description('Optional. SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format.')
 param publicKey string = ''
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -51,11 +46,11 @@ resource sshPublicKey 'Microsoft.Compute/sshPublicKeys@2022-08-01' = {
 }
 }
-resource sshPublicKey_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${sshPublicKey.name}-${lock}-lock'
+resource sshPublicKey_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: sshPublicKey
 }
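Review bot: `sshPublicKey_lock` has the same gap as the other lock resources in this change: when the caller passes a `lock` object with a `name` but no `kind`, `!empty(lock ?? {})` is true and `lock.?kind != 'None'` is true, so the resource is created with `level: ''`, which is not an accepted lock level and surfaces as a deployment error rather than a skipped lock. Testing the kind directly, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, makes a kind-less object a no-op, which is what the `?` on every field of `lockType` suggests callers should expect. The `@description` on `lock` could also say that omitting `kind` (or passing `'None'`) deploys no lock, since the README tables generated from it currently only list the allowed values.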
@@ -84,3 +79,15 @@ output name string = sshPublicKey.name @description('The location the resource was deployed into.') output location string = sshPublicKey.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json index b0179a9ba4..ba8c7cbd15 100644 --- a/modules/compute/ssh-public-key/main.json +++ b/modules/compute/ssh-public-key/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10030504426335419860" + "templateHash": "5313076718925573271" }, "name": "Public SSH Keys", "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -33,15 +61,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -66,8 +88,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -81,7 +103,7 @@ } } }, - { + "sshPublicKey": { "type": "Microsoft.Compute/sshPublicKeys", "apiVersion": "2022-08-01", "name": "[parameters('name')]", @@ -91,21 +113,21 @@ "publicKey": "[if(not(empty(parameters('publicKey'))), parameters('publicKey'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "sshPublicKey_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/sshPublicKeys/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/sshPublicKeys', parameters('name'))]" + "sshPublicKey" ] }, - { + "sshPublicKey_roleAssignments": { "copy": { "name": "sshPublicKey_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -272,10 +294,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/sshPublicKeys', parameters('name'))]" + "sshPublicKey" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -303,7 +325,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/sshPublicKeys', parameters('name')), '2022-08-01', 'full').location]" + "value": "[reference('sshPublicKey', '2022-08-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep index 66500b75f0..918b24bc6f 100644 --- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep @@ -147,7 +147,10 @@ module testDeployment '../../main.bicep' = { extensionNetworkWatcherAgentConfig: { enabled: true } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } nicConfigurations: [ { ipConfigurations: [ diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep index f9735b759b..467fd37f32 100644 --- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep @@ -149,7 +149,10 @@ module testDeployment '../../main.bicep' = { extensionNetworkWatcherAgentConfig: { enabled: true } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } nicConfigurations: [ { ipConfigurations: [ diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 7bd3a39ad8..0bef11fad9 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md 
@@ -127,7 +127,10 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se extensionNetworkWatcherAgentConfig: { enabled: true } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } nicConfigurations: [ { ipConfigurations: [ @@ -312,7 +315,10 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "nicConfigurations": { "value": [ @@ -801,7 +807,10 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se extensionNetworkWatcherAgentConfig: { enabled: true } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } nicConfigurations: [ { ipConfigurations: [ @@ -977,7 +986,10 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "nicConfigurations": { "value": [ 
@@ -1218,7 +1230,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`gracePeriod`](#parameter-graceperiod) | string | The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | | [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxBatchInstancePercent`](#parameter-maxbatchinstancepercent) | int | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | | [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | [`maxUnhealthyInstancePercent`](#parameter-maxunhealthyinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | 
@@ -1513,11 +1525,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxBatchInstancePercent` diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index fbd688e838..d7da341351 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep @@ -146,13 +146,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Specifies the mode of an upgrade to virtual machines in the scale set.\' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling.') @allowed([ 
@@ -499,8 +494,8 @@ module vmss_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extension
 }
 resource vmss_logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(monitoringWorkspaceId)) {
- name: last(split(monitoringWorkspaceId, '/'))!
- scope: resourceGroup(split(monitoringWorkspaceId, '/')[2], split(monitoringWorkspaceId, '/')[4])
+ name: last(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : 'law'), '/'))!
+ scope: az.resourceGroup(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '//'), '/')[2], split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '////'), '/')[4])
 }
 module vmss_microsoftMonitoringAgentExtension 'extension/main.bicep' = if (extensionMonitoringAgentConfig.enabled) {
@@ -608,11 +603,11 @@ module vmss_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionA
 ]
 }
-resource vmss_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${vmss.name}-${lock}-lock'
+resource vmss_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: vmss
 }
@@ -656,3 +651,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vms
 @description('The location the resource was deployed into.')
 output location string = vmss.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
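Review bot: The fallback literals `'law'`, `'//'` and `'////'` in `vmss_logAnalyticsWorkspace` are unexplained, and a reader hitting `split(... : '////', '/')[4]` has to work out for themselves that they only exist to keep the index lookups in range when `monitoringWorkspaceId` is empty. A one-line comment above the resource would save that: `// Placeholder IDs keep split()[2]/[4] in range when monitoringWorkspaceId is empty; the existing-resource condition then skips the lookup.` If the same pattern is used in the VM module, the comment belongs there too.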
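Review bot: `vmss_lock` deploys with `level: ''` whenever `lock` is a non-empty object whose `kind` is omitted, because `!empty(lock ?? {})` accepts `{ name: 'x' }` and `lock.?kind != 'None'` holds for null; an empty level is not a valid lock level, so the scale-set deployment would fail on the lock step rather than skip it. Conditioning on the kind instead — `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')` — keeps the documented "all fields optional" contract of `lockType` honest. The rename of the default lock from `<name>-<kind>-lock` to `lock-<name>` also means an upgrade leaves the previously created lock in place alongside the new one; that is worth calling out for a resource that is commonly deployed with `CanNotDelete`.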
diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index 59b04e2594..9274a59e54 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1180320046795963031" + "templateHash": "6686356746172129467" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -302,15 +330,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "upgradePolicyMode": { 
@@ -629,8 +651,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -644,7 +666,7 @@ } } }, - { + "vmss": { "type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -767,21 +789,30 @@ }, "plan": "[if(not(empty(parameters('plan'))), parameters('plan'), null())]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "vmss_logAnalyticsWorkspace": { + "condition": "[not(empty(parameters('monitoringWorkspaceId')))]", + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2021-06-01", + "subscriptionId": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))]" + }, + "vmss_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), 
not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -795,10 +826,10 @@ "metrics": "[variables('diagnosticsMetrics')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_domainJoinExtension": { "condition": "[parameters('extensionDomainJoinConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -986,10 +1017,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_microsoftAntiMalwareExtension": { "condition": "[parameters('extensionAntiMalwareConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1172,10 +1203,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_microsoftMonitoringAgentExtension": { "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -1201,12 +1232,12 @@ "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", "settings": { "value": { - "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('monitoringWorkspaceId'), '/')[2], split(parameters('monitoringWorkspaceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('monitoringWorkspaceId'), '/'))), '2021-06-01').customerId, '')]" + "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').customerId, '')]" } }, "protectedSettings": { "value": { - "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('monitoringWorkspaceId'), '/')[2], split(parameters('monitoringWorkspaceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('monitoringWorkspaceId'), '/'))), '2021-06-01').primarySharedKey, '')]" + "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), 
parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').primarySharedKey, '')]" } }, "enableDefaultTelemetry": { @@ -1363,10 +1394,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss", + "vmss_logAnalyticsWorkspace" ] }, - { + "vmss_dependencyAgentExtension": { "condition": "[parameters('extensionDependencyAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1544,10 +1576,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_networkWatcherAgentExtension": { "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1725,10 +1757,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_desiredStateConfigurationExtension": { "condition": "[parameters('extensionDSCConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1910,10 +1942,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] }, - { + "vmss_customScriptExtension": { "condition": "[parameters('extensionCustomScriptConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -2101,11 +2133,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VMSS-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location'))))]" + "vmss", + "vmss_desiredStateConfigurationExtension" ] }, - { + "vmss_azureDiskEncryptionExtension": { "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2287,12 +2319,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VMSS-CustomScriptExtension', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VMSS-MicrosoftMonitoringAgent', uniqueString(deployment().name, parameters('location'))))]" + "vmss", + "vmss_customScriptExtension", + "vmss_microsoftMonitoringAgentExtension" ] }, - { + "vmss_roleAssignments": { "copy": { "name": "vmss_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2459,10 +2491,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" + "vmss" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -2490,14 +2522,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), '2022-11-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), '2022-11-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('vmss', '2022-11-01', 'full').identity, 'principalId')), reference('vmss', '2022-11-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('vmss', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep b/modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep index 20386a51b8..7187f4f7a8 100644 --- a/modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep +++ b/modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep @@ -10,7 +10,7 @@ param dnsServers array = [] param networkSecurityGroupResourceId string = '' param ipConfigurations array -param lock string = '' +param lock lockType param diagnosticStorageAccountId string param diagnosticWorkspaceId string param diagnosticEventHubAuthorizationRuleId string 
@@ -94,3 +94,15 @@ module networkInterface '../../../network/network-interface/main.bicep' = { networkInterface_publicIPAddresses ] } + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep index f8c1ce0f07..7b2171042f 100644 --- a/modules/compute/virtual-machine/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep @@ -248,7 +248,10 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' } } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId publicKeys: [ { diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep index 0cc62fbf54..d6395c280a 100644 --- a/modules/compute/virtual-machine/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep @@ -274,7 +274,10 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' } } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId roleAssignments: [ diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index f833ed5a15..9fbeb457c1 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md 
@@ -228,7 +228,10 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } monitoringWorkspaceId: '' name: 'cvmlincom' patchMode: 'AutomaticByPlatform' @@ -508,7 +511,10 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "monitoringWorkspaceId": { "value": "" @@ -1090,7 +1096,10 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } monitoringWorkspaceId: '' name: 'cvmwincom' patchMode: 'AutomaticByPlatform' @@ -1390,7 +1399,10 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "monitoringWorkspaceId": { "value": "" 
@@ -1903,7 +1915,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`extensionNetworkWatcherAgentConfig`](#parameter-extensionnetworkwatcheragentconfig) | object | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | | [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | | [`name`](#parameter-name) | string | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | 
@@ -2234,11 +2246,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxPriceForLowPriorityVm` diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index 3cd09f6b51..b3c15c8c7f 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep @@ -235,13 +235,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -563,8 +558,8 @@ module vm_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extensionAn } resource vm_logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(monitoringWorkspaceId)) { - name: last(split(monitoringWorkspaceId, '/'))! - scope: az.resourceGroup(split(monitoringWorkspaceId, '/')[2], split(monitoringWorkspaceId, '/')[4]) + name: last(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : 'law'), '/'))! + scope: az.resourceGroup(split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '//'), '/')[2], split((!empty(monitoringWorkspaceId) ? monitoringWorkspaceId : '////'), '/')[4]) } module vm_microsoftMonitoringAgentExtension 'extension/main.bicep' = if (extensionMonitoringAgentConfig.enabled) { @@ -702,11 +697,11 @@ module vm_backup '../../recovery-services/vault/backup-fabric/protection-contain ] } -resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${vm.name}-${lock}-lock' +resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: vm } @@ -738,3 +733,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vm. @description('The location the resource was deployed into.') output location string = vm.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? 
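Review bot: The placeholder values (`'law'`, `'//'`, `'////'`) now baked into the `name` and `scope` of `vm_logAnalyticsWorkspace` are undocumented, and a reader will take them for magic; their only apparent purpose is keeping `split(...)[2]` and `[4]` in range when `monitoringWorkspaceId` is empty and the `existing` resource is conditioned out. A one-line comment above the resource would carry that intent, e.g. `// Placeholders keep split()[2]/[4] in range when monitoringWorkspaceId is empty; the name/scope expressions are presumably still evaluated even though the resource is conditioned out.` The same three ternaries are repeated in the generated `listKeys(...)` expression, so hoisting the guarded id into a single `var` (one placeholder with enough `/` segments) would remove the duplication and make the intent harder to miss.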
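Review bot: A lock object that sets only `name` still satisfies the new `vm_lock` condition (`!empty(lock ?? {})` is true and `lock.?kind` is null, which is not `'None'`), so the lock is deployed with `level: ''`, which will almost certainly be rejected by the locks resource provider at deployment time rather than at validation. Gating on the kind itself closes that gap: `resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`; the `?? ''` fallback on `level` then becomes unreachable but is harmless. Note also that the default lock name moves from `${vm.name}-${lock}-lock` to `lock-${name}`; since an incremental deployment does not remove resources that left the template, consumers who redeploy will likely end up with both the old and the new lock unless they set `lock.name` to the old value or delete the old lock first, which is worth a line in the README or changelog.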
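Review bot: `lockType.kind` is documented only as "Specify the type of lock", yet the consumer-visible contract in this commit is that `'None'` (or omitting the whole object) deploys no lock, and that the type accepts `{ name: ... }` with no `kind` at all. Spell that out in the description so callers migrating from the old `''` default know what to pass: `@description('Optional. Specify the type of lock. \'None\' or an omitted lock object deploys no lock.')`. The same `lockType` is copied verbatim into `nested_networkInterface.bicep` in this commit and, per `main.json`, compiled into each nested module; keep the two definitions and descriptions in sync, or share the type once the repo's Bicep toolchain supports compile-time type imports.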
diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index 202cf5e053..c2ef35d1a5 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16514436583417262148" + "templateHash": "6984217347675709865" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -461,15 +489,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -635,8 +657,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -650,7 +672,7 @@ } } }, - { + "vm": { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2022-11-01", "name": "[parameters('name')]", @@ -746,7 +768,7 @@ "vm_nic" ] }, - { + "vm_configurationProfileAssignment": { "condition": "[not(empty(parameters('configurationProfile')))]", "type": "Microsoft.Automanage/configurationProfileAssignments", "apiVersion": "2021-04-30-preview", 
@@ -756,24 +778,33 @@ "configurationProfile": "[parameters('configurationProfile')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "vm_logAnalyticsWorkspace": { + "condition": "[not(empty(parameters('monitoringWorkspaceId')))]", + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2021-06-01", + "subscriptionId": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))]" + }, + "vm_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_nic": { "copy": { "name": "vm_nic", "count": "[length(parameters('nicConfigurations'))]" 
@@ -840,12 +871,40 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8548313386789098939" + "templateHash": "12516880950554869158" + } + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true } }, "parameters": { @@ -884,8 +943,7 @@ "type": "array" }, "lock": { - "type": "string", - "defaultValue": "" + "$ref": "#/definitions/lockType" }, "diagnosticStorageAccountId": { "type": "string" @@ -933,8 +991,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "networkInterface_publicIPAddresses": { "copy": { "name": "networkInterface_publicIPAddresses", "count": "[length(parameters('ipConfigurations'))]" 
@@ -995,17 +1053,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1135,15 +1221,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -1232,8 +1312,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1247,7 +1327,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -1267,21 +1347,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -1296,10 +1376,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1473,10 +1553,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1504,20 +1584,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "networkInterface": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-NetworkInterface', deployment().name)]", 
@@ -1581,17 +1661,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14479255820598719580" + "templateHash": "3998904758858607142" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1688,15 +1796,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -1767,8 +1869,8 @@ } ] }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1782,7 +1884,7 @@ } } }, - { + "networkInterface": { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -1823,7 +1925,7 @@ "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('id', parameters('networkSecurityGroupResourceId')), null())]" } }, - { + "networkInterface_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -1837,24 +1939,24 @@ "metrics": "[variables('diagnosticsMetrics')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "networkInterface_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] }, - { + "networkInterface_roleAssignments": { "copy": { "name": "networkInterface_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2028,10 +2130,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2059,7 +2161,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('networkInterface', '2023-04-01', 'full').location]" } } } 
@@ -2068,11 +2170,11 @@ "networkInterface_publicIPAddresses" ] } - ] + } } } }, - { + "vm_aadJoinExtension": { "condition": "[parameters('extensionAadJoinConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2272,10 +2374,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_domainJoinExtension": { "condition": "[parameters('extensionDomainJoinConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2487,10 +2589,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_microsoftAntiMalwareExtension": { "condition": "[parameters('extensionAntiMalwareConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2697,10 +2799,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_microsoftMonitoringAgentExtension": { "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -2726,13 +2828,13 @@ "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", "settings": { "value": { - "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('monitoringWorkspaceId'), '/')[2], split(parameters('monitoringWorkspaceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('monitoringWorkspaceId'), '/'))), '2021-06-01').customerId, '')]" + "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference('vm_logAnalyticsWorkspace').customerId, '')]" } }, "tags": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'tags'), createObject('value', parameters('extensionMonitoringAgentConfig').tags), createObject('value', createObject()))]", "protectedSettings": { "value": { - "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('monitoringWorkspaceId'), '/')[2], split(parameters('monitoringWorkspaceId'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(parameters('monitoringWorkspaceId'), '/'))), '2021-06-01').primarySharedKey, '')]" + "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').primarySharedKey, '')]" } 
}, "enableDefaultTelemetry": { @@ -2912,10 +3014,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm", + "vm_logAnalyticsWorkspace" ] }, - { + "vm_dependencyAgentExtension": { "condition": "[parameters('extensionDependencyAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3117,10 +3220,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_networkWatcherAgentExtension": { "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3322,10 +3425,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_desiredStateConfigurationExtension": { "condition": "[parameters('extensionDSCConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3531,10 +3634,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] }, - { + "vm_customScriptExtension": { "condition": "[parameters('extensionCustomScriptConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3748,11 +3851,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location'))))]" + "vm", + "vm_desiredStateConfigurationExtension" ] }, - { + "vm_azureDiskEncryptionExtension": { "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -3958,12 +4061,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-CustomScriptExtension', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-MicrosoftMonitoringAgent', uniqueString(deployment().name, parameters('location'))))]" + "vm", + "vm_customScriptExtension", + "vm_microsoftMonitoringAgentExtension" ] }, - { + "vm_backup": { "condition": "[not(empty(parameters('backupVaultName')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -4127,18 +4230,18 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-AADLogin', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-CustomScriptExtension', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-DependencyAgent', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-DomainJoin', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-MicrosoftAntiMalware', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-MicrosoftMonitoringAgent', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-VM-NetworkWatcherAgent', uniqueString(deployment().name, parameters('location'))))]" + "vm", + "vm_aadJoinExtension", + "vm_customScriptExtension", + "vm_dependencyAgentExtension", + "vm_desiredStateConfigurationExtension", + "vm_domainJoinExtension", + "vm_microsoftAntiMalwareExtension", + "vm_microsoftMonitoringAgentExtension", + "vm_networkWatcherAgentExtension" ] }, - { + "vm_roleAssignments": { "copy": { "name": "vm_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -4305,10 +4408,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" + "vm" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -4336,14 +4439,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), '2022-11-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), '2022-11-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('vm', '2022-11-01', 'full').identity, 'principalId')), reference('vm', '2022-11-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('vm', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/container-instance/container-group/.test/common/main.test.bicep b/modules/container-instance/container-group/.test/common/main.test.bicep index 76374c71e0..14ebfbb887 100644 --- a/modules/container-instance/container-group/.test/common/main.test.bicep +++ b/modules/container-instance/container-group/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } containers: [ { name: '${namePrefix}-az-aci-x-001' diff --git a/modules/container-instance/container-group/.test/encr/main.test.bicep b/modules/container-instance/container-group/.test/encr/main.test.bicep index 402d20eda2..b86cfbfaf3 100644 --- a/modules/container-instance/container-group/.test/encr/main.test.bicep +++ b/modules/container-instance/container-group/.test/encr/main.test.bicep 
@@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 containers: [
 {
 name: '${namePrefix}-az-aci-x-001'
diff --git a/modules/container-instance/container-group/.test/private/main.test.bicep b/modules/container-instance/container-group/.test/private/main.test.bicep
index 316a0431d6..84f4dc64ed 100644
--- a/modules/container-instance/container-group/.test/private/main.test.bicep
+++ b/modules/container-instance/container-group/.test/private/main.test.bicep
@@ -50,7 +50,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 containers: [
 {
 name: '${namePrefix}-az-aci-x-001'
diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md
index 66e52bf7e2..b59196c147 100644
--- a/modules/container-instance/container-group/README.md
+++ b/modules/container-instance/container-group/README.md
@@ -104,7 +104,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 protocol: 'Tcp'
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 systemAssignedIdentity: true
 tags: {
 Environment: 'Non-Prod'
@@ -199,7 +202,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 ]
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "systemAssignedIdentity": {
 "value": true
@@ -296,7 +302,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 protocol: 'Tcp'
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 systemAssignedIdentity: true
 tags: {
 Environment: 'Non-Prod'
@@ -400,7 +409,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 ]
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "systemAssignedIdentity": {
 "value": true
@@ -609,7 +621,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 }
 ]
 ipAddressType: 'Private'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 subnetId: ''
 systemAssignedIdentity: true
 tags: {
@@ -724,7 +739,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 "value": "Private"
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "subnetId": {
 "value": ""
@@ -792,7 +810,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0
 | [`initContainers`](#parameter-initcontainers) | array | A list of container definitions which will be executed before the application container starts. |
 | [`ipAddressType`](#parameter-ipaddresstype) | string | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. |
 | [`location`](#parameter-location) | string | Location for all Resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`osType`](#parameter-ostype) | string | The operating system type required by the containers in the container group. - Windows or Linux. |
 | [`restartPolicy`](#parameter-restartpolicy) | string | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. |
 | [`sku`](#parameter-sku) | string | The container group SKU. |
@@ -910,11 +928,30 @@ Location for all Resources.
 ### Parameter: `lock`
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 ### Parameter: `name`
diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep
index cd1e09d762..c6ae9e6363 100644
--- a/modules/container-instance/container-group/main.bicep
+++ b/modules/container-instance/container-group/main.bicep
@@ -63,13 +63,8 @@ param subnetId string = ''
 @description('Optional. Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup.')
 param volumes array = []
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -121,14 +116,13 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
-}
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
- name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ }
 }
 resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01' = {
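Review bot: The `'dummyVault'`, `'//'` and `'////'` fallbacks inside the `name` and `scope` expressions of `cMKKeyVault` are not explained, and a reader has to work out for themselves that they presumably exist only so that `split()`/`last()` stay well-formed when `cMKKeyVaultResourceId` is empty and the conditional `existing` resource is never resolved. A one-line comment above the resource would save that detour: `// Placeholder values only keep split()/last() well-formed when cMKKeyVaultResourceId is empty; the condition means no vault named 'dummyVault' is ever looked up.` The same applies to `'dummyKey'` on the nested `cMKKey`. If the placeholders have any other purpose, the comment should say so instead.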
@@ -141,8 +135,8 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01'
 encryptionProperties: !empty(cMKKeyName) ? {
 identity: cMKUserAssignedIdentityResourceId
 keyName: cMKKeyName
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
- vaultBaseUrl: cmkKeyVault.properties.vaultUri
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
+ vaultBaseUrl: cMKKeyVault.properties.vaultUri
 } : null
 imageRegistryCredentials: imageRegistryCredentials
 initContainers: initContainers
@@ -169,11 +163,11 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01'
 } : {})
 }
-resource containergroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${containergroup.name}-${lock}-lock'
+resource containergroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: containergroup
 }
@@ -195,3 +189,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(con
 @description('The location the resource was deployed into.')
 output location string = containergroup.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
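Review bot: `encryptionProperties` is still switched on `!empty(cMKKeyName)` alone, yet `cMKKeyVault::cMKKey.properties.keyUriWithVersion` and `cMKKeyVault.properties.vaultUri` belong to `existing` resources that are only declared when `cMKKeyVaultResourceId` is non-empty, and `cMKUserAssignedIdentityResourceId` is passed through with no check at all. A caller who sets the key name but forgets the vault id or the identity id will presumably fail at deployment time with a reference error instead of a clear validation message. Since silently deploying without customer-managed keys would be the worse outcome, I would not widen the `? :` guard; instead the `cMKKeyName` parameter description (outside this hunk) should state `Required together with cMKKeyVaultResourceId and cMKUserAssignedIdentityResourceId.` so the contract is visible in the README. The `resource containergroup` declaration starts outside the hunk.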
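Review bot: `containergroup_lock` is still deployed when the caller passes a `lock` object that has `name` but no `kind`: both members of `lockType` are optional, `!empty({ name: 'x' })` is true and `null != 'None'` is true, so a lock with `level: ''` is submitted, carrying a `notes` text that claims the resource cannot be modified. An empty level is not one of the values the type admits and will presumably be rejected by ARM, which turns a harmless omission into a failed deployment. Tightening the guard to `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')` — or making `kind` non-optional in `lockType` — closes the gap, and the `?? ''` fallback on `level` then becomes unreachable.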
diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json index de3ed088b2..6d60f75d9f 100644 --- a/modules/container-instance/container-group/main.json +++ b/modules/container-instance/container-group/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3196122826827836156" + "templateHash": "745176097189380240" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -132,15 +160,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
@@ -215,8 +237,20 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -230,30 +264,42 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "containergroup": { "type": "Microsoft.ContainerInstance/containerGroups", "apiVersion": "2022-09-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": "[variables('identity')]", "tags": "[parameters('tags')]", - "properties": "[union(createObject('containers', parameters('containers'), 'encryptionProperties', if(not(empty(parameters('cMKKeyName'))), createObject('identity', parameters('cMKUserAssignedIdentityResourceId'), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), 
'2021-06-01-preview').vaultUri), null()), 'imageRegistryCredentials', parameters('imageRegistryCredentials'), 'initContainers', parameters('initContainers'), 'restartPolicy', parameters('restartPolicy'), 'osType', parameters('osType'), 'ipAddress', createObject('type', parameters('ipAddressType'), 'autoGeneratedDomainNameLabelScope', if(not(empty(parameters('dnsNameServers'))), parameters('autoGeneratedDomainNameLabelScope'), null()), 'dnsNameLabel', parameters('dnsNameLabel'), 'ports', parameters('ipAddressPorts')), 'sku', parameters('sku'), 'subnetIds', if(not(empty(parameters('subnetId'))), createArray(createObject('id', parameters('subnetId'))), null()), 'volumes', parameters('volumes')), if(not(empty(parameters('dnsNameServers'))), createObject('dnsConfig', createObject('nameServers', parameters('dnsNameServers'), 'searchDomains', parameters('dnsSearchDomains'))), createObject()))]" + "properties": "[union(createObject('containers', parameters('containers'), 'encryptionProperties', if(not(empty(parameters('cMKKeyName'))), createObject('identity', parameters('cMKUserAssignedIdentityResourceId'), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null()), 'imageRegistryCredentials', parameters('imageRegistryCredentials'), 'initContainers', parameters('initContainers'), 'restartPolicy', parameters('restartPolicy'), 'osType', parameters('osType'), 'ipAddress', createObject('type', parameters('ipAddressType'), 'autoGeneratedDomainNameLabelScope', if(not(empty(parameters('dnsNameServers'))), parameters('autoGeneratedDomainNameLabelScope'), null()), 'dnsNameLabel', parameters('dnsNameLabel'), 'ports', parameters('ipAddressPorts')), 'sku', parameters('sku'), 'subnetIds', if(not(empty(parameters('subnetId'))), createArray(createObject('id', parameters('subnetId'))), null()), 
'volumes', parameters('volumes')), if(not(empty(parameters('dnsNameServers'))), createObject('dnsConfig', createObject('nameServers', parameters('dnsNameServers'), 'searchDomains', parameters('dnsSearchDomains'))), createObject()))]", + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "containergroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ContainerInstance/containerGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name'))]" + "containergroup" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -281,21 +327,21 @@ "metadata": { "description": "The IPv4 address of the container group." }, - "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name')), '2022-09-01').ipAddress.ip]" + "value": "[reference('containergroup').ipAddress.ip]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name')), '2022-09-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name')), '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('containergroup', '2022-09-01', 'full').identity, 'principalId')), reference('containergroup', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('containergroup', '2022-09-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 0ce7c9487d..3035cf8ad0 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep @@ -80,7 +80,10 @@ module testDeployment '../../main.bicep' = { azureADAuthenticationAsArmPolicyStatus: 'enabled' softDeletePolicyStatus: 'disabled' softDeletePolicyDays: 7 - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { service: 'registry' 
diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md
index e6e6561a0e..84e25e335c 100644
--- a/modules/container-registry/registry/README.md
+++ b/modules/container-registry/registry/README.md
@@ -72,7 +72,10 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 diagnosticWorkspaceId: ''
 enableDefaultTelemetry: ''
 exportPolicyStatus: 'enabled'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 networkRuleSetIpRules: [
 {
 action: 'Allow'
@@ -188,7 +191,10 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 "value": "enabled"
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "networkRuleSetIpRules": {
 "value": [
@@ -537,7 +543,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`exportPolicyStatus`](#parameter-exportpolicystatus) | string | The value that indicates whether the export policy is enabled or not. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`networkRuleBypassOptions`](#parameter-networkrulebypassoptions) | string | Whether to allow trusted Azure services to access a network restricted registry. |
 | [`networkRuleSetDefaultAction`](#parameter-networkrulesetdefaultaction) | string | The default action of allow or deny when no other rules match. |
 | [`networkRuleSetIpRules`](#parameter-networkrulesetiprules) | array | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. |
@@ -704,11 +710,30 @@ Location for all resources.
 ### Parameter: `lock`
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 ### Parameter: `name`
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep
index 7de517205e..b4a3c04050 100644
--- a/modules/container-registry/registry/main.bicep
+++ b/modules/container-registry/registry/main.bicep
@@ -116,13 +116,8 @@ param replications array = []
 @description('Optional. All webhooks to create.')
 param webhooks array = []
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -227,14 +222,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
- name: last(split(cMKUserAssignedIdentityResourceId, '/'))!
- scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ }
 }
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
- name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) {
+ name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))!
+ scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4])
 }
 resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = {
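Review bot: `cMKKeyVault`, its nested `cMKKey` and `cMKUserAssignedIdentity` are all resolved through `resourceGroup(<subscription>, <resourceGroup>)` scopes parsed from caller-supplied resource IDs, so the deploying principal presumably needs read access to the vault, the key and the identity in whichever subscription they live in, and nothing in the hunk says so; the `'dummyVault'`/`'dummyMsi'`/`'//'`/`'////'` placeholders likewise give no hint that they only keep `split()`/`last()` well-formed while the condition is false. Two comments would make this self-explaining: `// Cross-scope 'existing' lookups: the deploying identity needs read access to these resources at deployment time.` above the first resource, and `// Placeholder values are never resolved; they only keep the expressions well-formed when the parameter is empty.` on the first `name:` line. Whether the placeholder lookup is really skipped depends on how Bicep treats conditional `existing` resources, so that wording should be confirmed before it is committed. The `resource registry` declaration starts outside the hunk.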
@@ -252,7 +251,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' =
       status: 'enabled'
       keyVaultProperties: {
         identity: cMKUserAssignedIdentity.properties.clientId
-        keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion
+        keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
       }
     } : null
     policies: {
@@ -336,11 +335,11 @@ module registry_webhooks 'webhook/main.bicep' = [for (webhook, index) in webhook
   }
 }]
 
-resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${registry.name}-${lock}-lock'
+resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: registry
 }
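Review bot: When `cMKKeyVersion` is empty the new `keyIdentifier` line falls back to `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, which pins the registry to whatever key version exists at deploy time; as far as I recall ACR only follows Key Vault key rotation automatically when the identifier is versionless, so `cMKKeyVault::cMKKey.properties.keyUri` would be the rotation-friendly default for the empty-version branch — worth confirming against the current ACR CMK guidance before changing. Separately, the `encryption` block is still gated only on `!empty(cMKKeyName)` (visible in the compiled main.json further down this diff), while `cMKUserAssignedIdentity` and `cMKKeyVault::cMKKey` are each conditional on their own parameter, so a caller who sets the key name but not the vault or identity resource ID gets a reference to an undeployed existing resource instead of a clear validation error. I would not widen the condition to silently skip encryption; document the coupling on the three parameters instead, e.g. `@description('Conditional. The resource ID of the user-assigned identity used to access the CMK. Required if cMKKeyName is set.')`. The `registry` resource body begins and ends outside this hunk.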
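Review bot: The new condition `!empty(lock ?? {}) && lock.?kind != 'None'` deploys a lock for any non-empty object, and both properties of `lockType` are nullable, so `lock: { name: 'x' }` is accepted by the type but reaches `level: lock.?kind ?? ''`, which ARM will reject at deployment time; the old `''` allowed value never got that far because `!empty(lock)` was false. Gating on the kind instead closes that path: `resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. Also note that the default lock name moves from `${registry.name}-${lock}-lock` to `lock-${name}`, so redeploying this version over an existing registry creates a second lock and leaves the old one in place; a changelog line would spare operators the surprise.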
@@ -382,7 +381,7 @@ module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [
     subnetResourceId: privateEndpoint.subnetResourceId
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
-    lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+    lock: privateEndpoint.?lock ?? lock
     privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
     privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
     roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -412,3 +411,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(reg
 
 @description('The location the resource was deployed into.')
 output location string = registry.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json
index f718008dad..a12b37dde0 100644
--- a/modules/container-registry/registry/main.json
+++ b/modules/container-registry/registry/main.json
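Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default from no lock on the private endpoint to inheriting the registry's lock, and the parameter description `Optional. The lock settings of the service.` does not mention that. A `ReadOnly` lock on the registry now also lands on every private endpoint, and an endpoint object with `lock: null` falls through the `??` to the parent, so the only way to opt out appears to be `{ kind: 'None' }` on the endpoint — assuming the private-endpoint module honours that value the same way, which is not visible here. Suggest stating it in the description: `@description('Optional. The lock settings of the service. Private endpoints inherit it unless a lock is set on the endpoint object.')`. The `registry_privateEndpoints` module body begins and ends outside this hunk.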
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1580319527153380248" + "templateHash": "13715645846097523943" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -214,15 +242,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
@@ -383,8 +405,20 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -398,7 +432,25 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + }, + "registry": { "type": "Microsoft.ContainerRegistry/registries", "apiVersion": "2023-06-01-preview", "name": "[parameters('name')]", 
@@ -411,7 +463,7 @@ "properties": { "anonymousPullEnabled": "[parameters('anonymousPullEnabled')]", "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKUserAssignedIdentityResourceId'), '/')[2], split(parameters('cMKUserAssignedIdentityResourceId'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('cMKUserAssignedIdentityResourceId'), '/'))), '2018-11-30').clientId, 'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion))), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', reference('cMKUserAssignedIdentity').clientId, 'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', 
reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", "policies": { "azureADAuthenticationAsArmPolicy": { "status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]" 
@@ -435,23 +487,27 @@ "networkRuleBypassOptions": "[parameters('networkRuleBypassOptions')]", "networkRuleSet": "[if(not(empty(parameters('networkRuleSetIpRules'))), createObject('defaultAction', parameters('networkRuleSetDefaultAction'), 'ipRules', parameters('networkRuleSetIpRules')), null())]", "zoneRedundancy": "[if(equals(parameters('acrSku'), 'Premium'), parameters('zoneRedundancy'), null())]" - } + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "registry_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_diagnosticSettingName": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -466,10 +522,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_replications": { "copy": { "name": "registry_replications", "count": "[length(parameters('replications'))]" @@ -625,10 +681,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_cacheRules": { "copy": { "name": "registry_cacheRules", "count": "[length(parameters('cacheRules'))]" @@ -762,10 +818,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_webhooks": { "copy": { "name": "registry_webhooks", "count": "[length(parameters('webhooks'))]" @@ -977,10 +1033,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_roleAssignments": { "copy": { "name": "registry_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1131,10 +1187,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] }, - { + "registry_privateEndpoints": { "copy": { "name": "registry_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1164,7 +1220,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1658,10 +1716,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" + "registry" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1696,14 +1754,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '2023-06-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '2023-06-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('registry', '2023-06-01-preview', 'full').identity, 'principalId')), reference('registry', '2023-06-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '2023-06-01-preview', 'full').location]" + "value": "[reference('registry', '2023-06-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep index 99dc2a49ea..8a84302766 100644 --- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep @@ -177,7 +177,10 @@ module testDeployment '../../main.bicep' = { enableAzureDefender: true enableKeyvaultSecretsProvider: true enablePodSecurityPolicy: false - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index 9f90a041fc..e95c168a1c 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md 
@@ -200,7 +200,10 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' resourceId: '' } } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } monitoringWorkspaceId: '' networkDataplane: 'azure' networkPlugin: 'azure' @@ -437,7 +440,10 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "monitoringWorkspaceId": { "value": "" @@ -1149,7 +1155,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`kubernetesVersion`](#parameter-kubernetesversion) | string | Version of Kubernetes specified when creating the managed cluster. | | [`loadBalancerSku`](#parameter-loadbalancersku) | string | Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | | [`location`](#parameter-location) | string | Specifies the location of AKS cluster. It picks up Resource Group's location by default. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedOutboundIPCount`](#parameter-managedoutboundipcount) | int | Outbound IP Count for the Load balancer. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. | | [`networkDataplane`](#parameter-networkdataplane) | string | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. | 
@@ -1684,11 +1690,30 @@ Specifies the location of AKS cluster. It picks up Resource Group's location by ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedOutboundIPCount` diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 40a4e6e1b9..3e3648a527 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -338,13 +338,8 @@ param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -470,7 +465,9 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-p
     ingressProfile: {
       webAppRouting: {
         enabled: webApplicationRoutingEnabled
-        dnsZoneResourceId: !empty(dnsZoneResourceId) ? any(dnsZoneResourceId) : null
+        dnsZoneResourceIds: !empty(dnsZoneResourceId) ? [
+          dnsZoneResourceId
+        ] : null
       }
     }
     addonProfiles: {
@@ -665,11 +662,11 @@ module managedCluster_extension '../../kubernetes-configuration/extension/main.b
   }
 }
 
-resource managedCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${managedCluster.name}-${lock}-lock'
+resource managedCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: managedCluster
 }
@@ -701,7 +698,7 @@ module managedCluster_roleAssignments '.bicep/nested_roleAssignments.bicep' = [f
 }]
 
 resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (dnsZoneResourceId != null && webApplicationRoutingEnabled) {
-  name: last(split(dnsZoneResourceId, '/'))!
+  name: last(split((!empty(dnsZoneResourceId) ? dnsZoneResourceId : '/dummmyZone'), '/'))!
 }
 
 resource dnsZone_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) {
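Review bot: The `dnsZone` existing resource still carries no `scope`, so a `dnsZoneResourceId` that points at a zone in another resource group or subscription is resolved by name in the deployment's resource group, and the `DNS Zone Contributor` assignment scoped to it (its body continues outside the hunk) is granted on the wrong zone or fails with a not-found error; because that role assignment is deployed inline, a cross-scope `scope:` would also be rejected by Bicep, so the honest fix is either to state the constraint on the parameter, e.g. `@description('Optional. Resource ID of the DNS zone used by web app routing. Must be in the deployment resource group, as the contributor role assignment is scoped to it directly.')`, or to move the assignment into a module that can target the zone's own resource group. The hunk also leaves the resource condition on `dnsZoneResourceId != null` while the new name expression checks `!empty(...)`; if the parameter can be `''` (its declaration is not visible here), an empty string satisfies the condition and the template tries to resolve a zone called `dummmyZone`. Aligning both on `!empty(dnsZoneResourceId)` closes that gap, and the placeholder's triple `m` looks like a typo worth fixing while there.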
@@ -749,3 +746,15 @@ output oidcIssuerUrl string = enableOidcIssuerProfile ? managedCluster.propertie @description('The addonProfiles of the Kubernetes cluster.') output addonProfiles object = contains(managedCluster.properties, 'addonProfiles') ? managedCluster.properties.addonProfiles : {} + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 1636bf303e..a2363b3784 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7077356343713969250" + "templateHash": "9142221246471978199" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -700,15 +728,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -837,8 +859,8 @@ }, "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -852,7 +874,7 @@ } } }, - { + "managedCluster": { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2023-07-02-preview", "name": "[parameters('name')]", @@ -875,7 +897,7 @@ "ingressProfile": { "webAppRouting": { "enabled": "[parameters('webApplicationRoutingEnabled')]", - "dnsZoneResourceId": "[if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), null())]" + "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]" } }, "addonProfiles": { 
@@ -991,21 +1013,21 @@ "supportPlan": "[parameters('supportPlan')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "managedCluster_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "managedCluster" ] }, - { + "managedCluster_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -1020,25 +1042,33 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "managedCluster" ] }, - { + "dnsZone": { + "condition": "[and(not(equals(parameters('dnsZoneResourceId'), null())), parameters('webApplicationRoutingEnabled'))]", + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/'))]" + }, + "dnsZone_roleAssignment": { "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(parameters('dnsZoneResourceId'), '/')))]", + "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/')))]", "name": "[guid(parameters('dnsZoneResourceId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').ingressProfile.webAppRouting.identity.objectId]", + "principalId": "[reference('managedCluster').ingressProfile.webAppRouting.identity.objectId]", "principalType": "ServicePrincipal" }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "dnsZone", + "managedCluster" ] }, - { + "managedCluster_agentPools": { "copy": { "name": 
"managedCluster_agentPools", "count": "[length(parameters('agentPools'))]" @@ -1499,10 +1529,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "managedCluster" ] }, - { + "managedCluster_extension": { "condition": "[not(empty(parameters('fluxExtension')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1892,10 +1922,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "managedCluster" ] }, - { + "managedCluster_roleAssignments": { "copy": { "name": "managedCluster_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2054,10 +2084,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + "managedCluster" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -2085,63 +2115,63 @@ "metadata": { "description": "The control plane FQDN of the managed cluster." }, - "value": "[if(parameters('enablePrivateCluster'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').privateFQDN, reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').fqdn)]" + "value": "[if(parameters('enablePrivateCluster'), reference('managedCluster').privateFQDN, reference('managedCluster').fqdn)]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" }, "kubeletidentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the AKS identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'identityProfile'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').identityProfile, 'kubeletidentity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').identityProfile.kubeletidentity.objectId, ''), '')]" + "value": "[if(contains(reference('managedCluster'), 'identityProfile'), if(contains(reference('managedCluster').identityProfile, 'kubeletidentity'), reference('managedCluster').identityProfile.kubeletidentity.objectId, ''), '')]" }, "omsagentIdentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the OMS agent identity." }, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'omsagent'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.omsagent, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'omsagent'), if(contains(reference('managedCluster').addonProfiles.omsagent, 'identity'), reference('managedCluster').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" }, "keyvaultIdentityObjectId": { "type": "string", "metadata": { "description": "The Object ID of the Key Vault Secrets Provider identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" }, "keyvaultIdentityClientId": { "type": "string", "metadata": { "description": "The Client ID of the Key Vault Secrets Provider identity." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview', 'full').location]" + "value": "[reference('managedCluster', '2023-07-02-preview', 'full').location]" }, "oidcIssuerUrl": { "type": "string", "metadata": { "description": "The OIDC token issuer URL." }, - "value": "[if(parameters('enableOidcIssuerProfile'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').oidcIssuerProfile.issuerURL, '')]" + "value": "[if(parameters('enableOidcIssuerProfile'), reference('managedCluster').oidcIssuerProfile.issuerURL, '')]" }, "addonProfiles": { "type": "object", "metadata": { "description": "The addonProfiles of the Kubernetes cluster." 
}, - "value": "[if(contains(reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview'), 'addonProfiles'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-07-02-preview').addonProfiles, createObject())]" + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" } } } \ No newline at end of file diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 1e63c8e199..1d27e2246c 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep @@ -100,7 +100,10 @@ module testDeployment '../../main.bicep' = { type: 'SelfHosted' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managedPrivateEndpoints: [ { fqdns: [ diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 340ded817a..8b9528904a 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -83,7 +83,10 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { type: 'SelfHosted' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managedPrivateEndpoints: [ { fqdns: [ @@ -201,7 +204,10 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "managedPrivateEndpoints": { "value": [ 
@@ -356,7 +362,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`globalParameters`](#parameter-globalparameters) | object | List of Global Parameters for the factory. | | [`integrationRuntimes`](#parameter-integrationruntimes) | array | An array of objects for the configuration of an Integration Runtime. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | | [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | @@ -538,11 +544,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedPrivateEndpoints` diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index ae480b9cc8..973f187561 100644 --- a/modules/data-factory/factory/main.bicep 
+++ b/modules/data-factory/factory/main.bicep @@ -67,13 +67,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -162,8 +157,8 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split(cMKKeyVaultResourceId, '/'))! - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) } resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
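Review bot: The placeholder literals `'dummyVault'`, `'//'` and `'////'` in the rewritten `cMKKeyVault` `existing` declaration are not explained anywhere in the hunk, and a reader will not see why a resource that is already guarded by `if (!empty(cMKKeyVaultResourceId))` needs fallback values at all. Presumably they keep `split(...)[2]`, `split(...)[4]` and `last(split(...))` from failing when the ID is empty, because those expressions are evaluated even when the condition is false, but that is inferred rather than stated. Suggest a comment directly above the resource: `// NOTE: placeholder values keep split()/last() valid when cMKKeyVaultResourceId is empty; the condition alone does not stop their evaluation - confirm`. The generated `main.json` resource `cMKKeyVault` later in this commit carries the same expressions, so the comment belongs in the Bicep source only.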
@@ -233,11 +228,11 @@ module dataFactory_integrationRuntimes 'integration-runtime/main.bicep' = [for ( ] }] -resource dataFactory_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${dataFactory.name}-${lock}-lock' +resource dataFactory_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dataFactory } @@ -279,7 +274,7 @@ module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep' subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
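Review bot: The new condition `!empty(lock ?? {}) && lock.?kind != 'None'` still deploys `dataFactory_lock` when the caller supplies only a name, e.g. `lock: { name: 'x' }`: the object is non-empty and `kind` is null, so `level: lock.?kind ?? ''` submits an empty level to `Microsoft.Authorization/locks`, a value that is not in the `lockType` union and is unlikely to be accepted by the API. Before this change the empty case was excluded by the `@allowed` list together with `!empty(lock)`. Suggest gating on the kind itself, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, after which the `?? ''` fallback on `level` becomes dead and can go. The same condition appears in `backupVault_lock` and `accessConnector_lock` in this commit, and the generated `main.json` files repeat it as `and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))`.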
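Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints from no lock to the factory's lock, so a caller that locks the factory now also locks every private endpoint that does not carry its own `lock` entry, and, assuming the referenced module applies the same `kind != 'None'` rule, an explicit `lock: { kind: 'None' }` on the endpoint is the only opt-out. Inheriting the lock is a sensible hardening default, but neither the `param lock` description (`Optional. The lock settings of the service.`) nor the `privateEndpoints` description mentions it. Suggest `@description('Optional. The lock settings of the service. Also applied to each private endpoint that does not specify its own lock.')` on the parameter. Whether `../../network/private-endpoint/main.bicep` already accepts the object shape of `lockType` rather than the previous string is not visible in this hunk and is worth confirming before merge.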
@@ -306,3 +301,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(dat @description('The location the resource was deployed into.') output location string = dataFactory.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index dcf981878b..c52194153a 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2061647637227926206" + "templateHash": "7844406569986738481" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -157,15 +185,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
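Review bot: The `kind` description `Optional. Specify the type of lock.` does not say what `'None'` is for or what omitting `kind` means, although `None` is a value the old `@allowed` list never had and the lock resource in this same file treats it specially. Since `kind: 'None'` appears to be the only way to suppress a lock that a parent module passes down (see the private endpoint parameters in this file), suggest `@description('Optional. Specify the type of lock. Use \'None\' to explicitly disable the lock, e.g. to override a lock passed down from a parent module.')`. The identical `lockType` definition is added to the backup-vault and access-connector `main.bicep` files in this commit, so any wording change should be mirrored there and regenerated into the corresponding `main.json`.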
@@ -305,8 +327,17 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -320,7 +351,7 @@ } } }, - { + "dataFactory": { "type": "Microsoft.DataFactory/factories", "apiVersion": "2018-06-01", "name": "[parameters('name')]", 
@@ -331,24 +362,27 @@ "repoConfiguration": "[if(bool(parameters('gitConfigureLater')), null(), union(createObject('type', parameters('gitRepoType'), 'hostName', parameters('gitHostName'), 'accountName', parameters('gitAccountName'), 'repositoryName', parameters('gitRepositoryName'), 'collaborationBranch', parameters('gitCollaborationBranch'), 'rootFolder', parameters('gitRootFolder'), 'disablePublish', parameters('gitDisablePublish')), if(equals(parameters('gitRepoType'), 'FactoryVSTSConfiguration'), createObject('projectName', parameters('gitProjectName')), createObject()), createObject()))]", "globalParameters": "[if(not(empty(parameters('globalParameters'))), parameters('globalParameters'), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', null()))]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null()), 'vaultBaseUrl', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri), null())]" - } + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null()), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null())]" + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + 
"dataFactory_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" + "dataFactory" ] }, - { + "dataFactory_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -363,10 +397,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" + "dataFactory" ] }, - { + "dataFactory_managedVirtualNetwork": { "condition": "[not(empty(parameters('managedVirtualNetworkName')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -628,10 +662,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" + "dataFactory" ] }, - { + "dataFactory_integrationRuntimes": { "copy": { "name": "dataFactory_integrationRuntimes", "count": "[length(parameters('integrationRuntimes'))]" @@ -772,11 +806,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-DataFactory-ManagedVNet', uniqueString(deployment().name, parameters('location'))))]" + "dataFactory", + "dataFactory_managedVirtualNetwork" ] }, - { + "dataFactory_roleAssignments": { "copy": { "name": "dataFactory_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -922,10 +956,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" + "dataFactory" ] }, - { + "dataFactory_privateEndpoints": { "copy": { "name": "dataFactory_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -955,7 +989,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1449,10 +1485,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" + "dataFactory" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1480,14 +1516,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.DataFactory/factories', parameters('name')), '2018-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.DataFactory/factories', parameters('name')), '2018-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dataFactory', '2018-06-01', 'full').identity, 'principalId')), reference('dataFactory', '2018-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DataFactory/factories', parameters('name')), '2018-06-01', 'full').location]" + "value": "[reference('dataFactory', '2018-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep index 18be93ad16..45d3083a53 100644 --- a/modules/data-protection/backup-vault/.test/common/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep @@ -125,7 +125,10 @@ module testDeployment '../../main.bicep' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index bf67a3843d..9fcda953f4 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md 
@@ -111,7 +111,10 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { } ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -219,7 +222,10 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -316,7 +322,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`featureSettings`](#parameter-featuresettings) | object | Feature settings for the backup vault. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | 
@@ -369,11 +375,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index 4708219cfc..89601af230 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep @@ -14,13 +14,8 @@ param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false 
@@ -112,11 +107,11 @@ module backupVault_backupPolicies 'backup-policy/main.bicep' = [for (backupPolic } }] -resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${backupVault.name}-${lock}-lock' +resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: backupVault } @@ -148,3 +143,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(bac @description('The location the resource was deployed into.') output location string = backupVault.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 0251fbd6b9..44f040b926 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "758221244478675783" + "templateHash": "15651036518447625148" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -40,15 +68,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { @@ -127,8 +149,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -142,7 +164,7 @@ } } }, - { + "backupVault": { "type": "Microsoft.DataProtection/backupVaults", "apiVersion": "2023-05-01", "name": "[parameters('name')]", 
@@ -165,21 +187,21 @@ "securitySettings": "[parameters('securitySettings')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "backupVault_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DataProtection/backupVaults', parameters('name'))]" + "backupVault" ] }, - { + "backupVault_backupPolicies": { "copy": { "name": "backupVault_backupPolicies", "count": "[length(parameters('backupPolicies'))]" @@ -296,10 +318,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataProtection/backupVaults', parameters('name'))]" + "backupVault" ] }, - { + "backupVault_roleAssignments": { "copy": { "name": "backupVault_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -447,10 +469,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DataProtection/backupVaults', parameters('name'))]" + "backupVault" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -478,14 +500,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), '2023-05-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), '2023-05-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('backupVault', '2023-05-01', 'full').identity, 'principalId')), reference('backupVault', '2023-05-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), '2023-05-01', 'full').location]" + "value": "[reference('backupVault', '2023-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index 81dfb69963..106b58bac1 100644 --- a/modules/databricks/access-connector/.test/common/main.test.bicep +++ b/modules/databricks/access-connector/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } systemAssignedIdentity: true userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 75b28ed04e..f282d649ca 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md 
@@ -47,7 +47,10 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { // Non-required parameters enableDefaultTelemetry: '' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -94,7 +97,10 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -192,7 +198,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -214,11 +220,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index 249e53593b..cb0ea6af0c 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep @@ -14,13 +14,8 @@ param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false 
@@ -58,11 +53,11 @@ resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-10-01-previ properties: {} } -resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${accessConnector.name}-${lock}-lock' +resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: accessConnector } @@ -91,3 +86,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = accessConnector.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index e7e834fff8..aaaff87d8f 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json 
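Review bot: A lock object without `kind` now deploys a lock with an empty level: `lock: { name: 'x' }` satisfies `!empty(lock ?? {}) && lock.?kind != 'None'` because `kind` is optional, and `level: lock.?kind ?? ''` then sends `''` to Microsoft.Authorization/locks, a value the previous `!empty(lock)` guard on the string parameter never let through. Gating on the kind rather than on the object avoids it: `resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {` with `level: lock.?kind!`. The same pattern is in workspace_lock of modules/databricks/workspace/main.bicep and in the generated accessConnector_lock / workspace_lock entries of both main.json files. Separately, the default lock name moves from `${accessConnector.name}-${lock}-lock` to `lock-${name}`, so redeploying over an existing lock creates a second one and leaves the old one in place; that deserves a line in the module's version notes.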
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8282781227910546878" + "templateHash": "8192050845924017676" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -40,15 +68,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
@@ -77,8 +99,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -92,7 +114,7 @@ } } }, - { + "accessConnector": { "type": "Microsoft.Databricks/accessConnectors", "apiVersion": "2022-10-01-preview", "name": "[parameters('name')]", 
@@ -101,21 +123,21 @@ "identity": "[variables('identity')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "accessConnector_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + "accessConnector" ] }, - { + "accessConnector_roleAssignments": { "copy": { "name": "accessConnector_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -262,10 +284,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" + "accessConnector" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -293,7 +315,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Databricks/accessConnectors', parameters('name')), '2022-10-01-preview', 'full').location]" + "value": "[reference('accessConnector', '2022-10-01-preview', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/databricks/workspace/.test/common/dependencies.bicep b/modules/databricks/workspace/.test/common/dependencies.bicep index 31203d82a3..4c074d6ae8 100644 --- a/modules/databricks/workspace/.test/common/dependencies.bicep +++ b/modules/databricks/workspace/.test/common/dependencies.bicep @@ -7,6 +7,9 @@ param managedIdentityName string @description('Required. The name of the Key Vault to create.') param keyVaultName string +@description('Required. The name of the Key Vault for Disk Encryption to create.') +param keyVaultDiskName string + @description('Required. The name of the Azure Machine Learning Workspace to create.') param amlWorkspaceName string @@ -58,6 +61,32 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } } +resource keyVaultDisk 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultDiskName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKeyDisk' + properties: { + kty: 'RSA' + } + } +} + resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') scope: keyVault::key @@ -320,6 +349,9 @@ output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id @description('The resource ID of the created Key Vault.') output keyVaultResourceId string = keyVault.id +@description('The resource ID of the created Disk Key Vault.') +output keyVaultDiskResourceId string = keyVaultDisk.id + @description('The resource ID of the created Load Balancer.') output loadBalancerResourceId string = loadBalancer.id 
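Review bot: The comment on `enablePurgeProtection: true // Required by batch account` in the new keyVaultDisk resource looks copied from another test dependency; this vault backs Databricks managed-disk encryption, so `enablePurgeProtection: true // Required for Databricks customer-managed keys` describes the actual reason (Databricks requires purge protection on vaults used for CMK, which is presumably also why the existing keyVault above sets it). The resource also carries over `enabledForDeployment: true` and `enabledForTemplateDeployment: true`, which let VMs and ARM deployments read the vault's secrets; a vault whose only content is the disk encryption key does not appear to need either, and dropping them keeps the fixture at the permissions the scenario exercises. This is test scaffolding rather than shipped module code, but these dependency files tend to be copied into examples.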
@@ -329,5 +361,8 @@ output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddre @description('The name of the created Key Vault encryption key.') output keyVaultKeyName string = keyVault::key.name +@description('The name of the created Key Vault Disk encryption key.') +output keyVaultDiskKeyName string = keyVaultDisk::key.name + @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index 53d62eb128..57dc4188f3 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep @@ -50,6 +50,7 @@ module nestedDependencies 'dependencies.bicep' = { networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' } } @@ -81,7 +82,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
@@ -98,8 +102,8 @@ module testDeployment '../../main.bicep' = {
 }
 cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName
 cMKManagedServicesKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultKeyName
- cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName
+ cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId
 cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true
 storageAccountName: 'sa${namePrefix}${serviceShort}001'
 storageAccountSkuName: 'Standard_ZRS'
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index ce7e970e42..29a1fbafa0 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -72,7 +72,10 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 loadBalancerBackendPoolName: ''
 loadBalancerResourceId: ''
 location: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 managedResourceGroupResourceId: ''
 natGatewayName: 'nat-gateway'
 prepareEncryption: true
@@ -196,7 +199,10 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "managedResourceGroupResourceId": {
 "value": ""
@@ -359,7 +365,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { | [`loadBalancerBackendPoolName`](#parameter-loadbalancerbackendpoolname) | string | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | | [`loadBalancerResourceId`](#parameter-loadbalancerresourceid) | string | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedResourceGroupResourceId`](#parameter-managedresourcegroupresourceid) | string | The managed resource group ID. It is created by the module as per the to-be resource ID you provide. | | [`natGatewayName`](#parameter-natgatewayname) | string | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. | | [`prepareEncryption`](#parameter-prepareencryption) | bool | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. | @@ -532,11 +538,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedResourceGroupResourceId` 
diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index 17a6daca95..cdf70662ed 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep @@ -34,13 +34,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -176,24 +171,22 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKManagedDisksKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKManagedDisksKeyVaultResourceId)) { - name: last(split(cMKManagedDisksKeyVaultResourceId, '/'))! - scope: resourceGroup(split(cMKManagedDisksKeyVaultResourceId, '/')[2], split(cMKManagedDisksKeyVaultResourceId, '/')[4]) -} +resource cMKManagedDisksKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKManagedDisksKeyVaultResourceId)) { + name: last(split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : '////'), '/')[4]) -resource cMKManagedDisksKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' existing = if (!empty(cMKManagedDisksKeyVaultResourceId) && !empty(cMKManagedDisksKeyName)) { - name: '${last(split(cMKManagedDisksKeyVaultResourceId, '/'))}/${cMKManagedDisksKeyName}'! - scope: resourceGroup(split(cMKManagedDisksKeyVaultResourceId, '/')[2], split(cMKManagedDisksKeyVaultResourceId, '/')[4]) + resource cMKKeyDisk 'keys@2023-02-01' existing = if (!empty(cMKManagedDisksKeyName)) { + name: !empty(cMKManagedDisksKeyName) ? cMKManagedDisksKeyName : 'dummyKey' + } } -resource cMKManagedServicesKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKManagedServicesKeyVaultResourceId)) { - name: last(split(cMKManagedServicesKeyVaultResourceId, '/'))! 
- scope: resourceGroup(split(cMKManagedServicesKeyVaultResourceId, '/')[2], split(cMKManagedServicesKeyVaultResourceId, '/')[4]) -} +resource cMKManagedServicesKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKManagedServicesKeyVaultResourceId)) { + name: last(split((!empty(cMKManagedServicesKeyVaultResourceId) ? cMKManagedServicesKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKManagedServicesKeyVaultResourceId) ? cMKManagedServicesKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKManagedServicesKeyVaultResourceId) ? cMKManagedServicesKeyVaultResourceId : '////'), '/')[4]) -resource cMKManagedServicesKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' existing = if (!empty(cMKManagedServicesKeyVaultResourceId) && !empty(cMKManagedServicesKeyName)) { - name: '${last(split(cMKManagedServicesKeyVaultResourceId, '/'))}/${cMKManagedServicesKeyName}'! - scope: resourceGroup(split(cMKManagedServicesKeyVaultResourceId, '/')[2], split(cMKManagedServicesKeyVaultResourceId, '/')[4]) + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKManagedServicesKeyName)) { + name: !empty(cMKManagedServicesKeyName) ? cMKManagedServicesKeyName : 'dummyKey' + } } resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = { @@ -281,7 +274,7 @@ resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = { keyVaultProperties: { keyVaultUri: cMKManagedServicesKeyVault.properties.vaultUri keyName: cMKManagedServicesKeyName - keyVersion: !empty(cMKManagedServicesKeyVersion) ? cMKManagedServicesKeyVersion : last(split(cMKManagedServicesKeyVaultKey.properties.keyUriWithVersion, '/')) + keyVersion: !empty(cMKManagedServicesKeyVersion) ? cMKManagedServicesKeyVersion : last(split(cMKManagedServicesKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } } : null managedDisk: !empty(cMKManagedDisksKeyName) ? { 
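Review bot: The `existing` Key Vault resources drop from `Microsoft.KeyVault/vaults@2023-02-01` to `@2021-10-01` while the nested `keys` children stay on `@2023-02-01`, and nothing in the hunk says why; if the downgrade is needed, a comment on the two resource lines should say so, otherwise the versions should stay aligned. The `'dummyVault'`, `'//'` and `'////'` fallbacks are likewise unexplained and read like real defaults; a comment such as `// placeholder so split()[2]/[4] and last() stay evaluable when no resource ID is passed; the resource itself is skipped by its condition` on each of the two vault resources would save the next reader from treating them as meaningful values. The `workspace` resource that consumes these references opens on the hunk's last line and continues outside it.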
@@ -289,7 +282,7 @@ resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = { keyVaultProperties: { keyVaultUri: cMKManagedDisksKeyVault.properties.vaultUri keyName: cMKManagedDisksKeyName - keyVersion: !empty(cMKManagedDisksKeyVersion) ? cMKManagedDisksKeyVersion : last(split(cMKManagedDisksKeyVaultKey.properties.keyUriWithVersion, '/')) + keyVersion: !empty(cMKManagedDisksKeyVersion) ? cMKManagedDisksKeyVersion : last(split(cMKManagedDisksKeyVault::cMKKeyDisk.properties.keyUriWithVersion, '/')) } rotationToLatestKeyVersionEnabled: cMKManagedDisksKeyRotationToLatestKeyVersionEnabled } : null @@ -298,11 +291,11 @@ resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = { } } -resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${workspace.name}-${lock}-lock' +resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: workspace } 
@@ -344,7 +337,7 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -368,3 +361,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = workspace.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 2b0c724494..a176ae81d9 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json 
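Review bot: `lock: privateEndpoint.?lock ?? lock` makes the workspace lock cascade to every private endpoint that does not set its own, where the removed line passed `null`; a consumer cannot see that behaviour change from the new `lock` description `Optional. The lock settings of the service.`. Stating it in that description, e.g. `Optional. The lock settings of the service. Also applied to the module's private endpoints unless an entry in privateEndpoints sets its own lock; use kind 'None' to opt out.`, and noting in the lockType `kind` description that `'None'` is the explicit opt-out would make the inheritance discoverable (assuming the private-endpoint module applies the same `kind != 'None'` guard). The `@description` for `lock` lives in this file's earlier `@@ -34,13 +34,8 @@` hunk, and the `privateEndpoints` parameter description is outside the visible hunks.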
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2200640508767792289" + "templateHash": "16205616448170164073" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -80,15 +108,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -326,8 +348,32 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKManagedDisksKeyVault::cMKKeyDisk": { + "condition": "[and(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), not(empty(parameters('cMKManagedDisksKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKManagedDisksKeyName'))), parameters('cMKManagedDisksKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKManagedDisksKeyVault" + ] + }, + "cMKManagedServicesKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), not(empty(parameters('cMKManagedServicesKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', 
last(split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKManagedServicesKeyName'))), parameters('cMKManagedServicesKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKManagedServicesKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -341,7 +387,25 @@ } } }, - { + "cMKManagedDisksKeyVault": { + "condition": "[not(empty(parameters('cMKManagedDisksKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKManagedServicesKeyVault": { + "condition": "[not(empty(parameters('cMKManagedServicesKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "workspace": { "type": "Microsoft.Databricks/workspaces", "apiVersion": "2023-02-01", "name": "[parameters('name')]", 
@@ -355,24 +419,28 @@ "parameters": "[union(createObject('enableNoPublicIp', createObject('value', parameters('disablePublicIp')), 'prepareEncryption', createObject('value', parameters('prepareEncryption')), 'vnetAddressPrefix', createObject('value', parameters('vnetAddressPrefix')), 'requireInfrastructureEncryption', createObject('value', parameters('requireInfrastructureEncryption'))), if(not(empty(parameters('customVirtualNetworkResourceId'))), createObject('customVirtualNetworkId', createObject('value', parameters('customVirtualNetworkResourceId'))), createObject()), if(not(empty(parameters('amlWorkspaceResourceId'))), createObject('amlWorkspaceId', createObject('value', parameters('amlWorkspaceResourceId'))), createObject()), if(not(empty(parameters('customPrivateSubnetName'))), createObject('customPrivateSubnetName', createObject('value', parameters('customPrivateSubnetName'))), createObject()), if(not(empty(parameters('customPublicSubnetName'))), createObject('customPublicSubnetName', createObject('value', parameters('customPublicSubnetName'))), createObject()), if(not(empty(parameters('loadBalancerBackendPoolName'))), createObject('loadBalancerBackendPoolName', createObject('value', parameters('loadBalancerBackendPoolName'))), createObject()), if(not(empty(parameters('loadBalancerResourceId'))), createObject('loadBalancerId', createObject('value', parameters('loadBalancerResourceId'))), createObject()), if(not(empty(parameters('natGatewayName'))), createObject('natGatewayName', createObject('value', parameters('natGatewayName'))), createObject()), if(not(empty(parameters('publicIpName'))), createObject('publicIpName', createObject('value', parameters('publicIpName'))), createObject()), if(not(empty(parameters('storageAccountName'))), createObject('storageAccountName', createObject('value', parameters('storageAccountName'))), createObject()), if(not(empty(parameters('storageAccountSkuName'))), createObject('storageAccountSkuName', createObject('value', 
parameters('storageAccountSkuName'))), createObject()))]", "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "requiredNsgRules": "[parameters('requiredNsgRules')]", - "encryption": "[if(or(not(empty(parameters('cMKManagedServicesKeyName'))), not(empty(parameters('cMKManagedServicesKeyName')))), createObject('entities', createObject('managedServices', if(not(empty(parameters('cMKManagedServicesKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')[2], split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKManagedServicesKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyName', parameters('cMKManagedServicesKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedServicesKeyVersion'))), parameters('cMKManagedServicesKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')[2], split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')), parameters('cMKManagedServicesKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKManagedServicesKeyVaultResourceId'), '/')), parameters('cMKManagedServicesKeyName')), '/')[1]), '2023-02-01').keyUriWithVersion, '/'))))), null()), 'managedDisk', if(not(empty(parameters('cMKManagedDisksKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')[2], split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')[4]), 
'Microsoft.KeyVault/vaults', last(split(parameters('cMKManagedDisksKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyName', parameters('cMKManagedDisksKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedDisksKeyVersion'))), parameters('cMKManagedDisksKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')[2], split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')), parameters('cMKManagedDisksKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKManagedDisksKeyVaultResourceId'), '/')), parameters('cMKManagedDisksKeyName')), '/')[1]), '2023-02-01').keyUriWithVersion, '/')))), 'rotationToLatestKeyVersionEnabled', parameters('cMKManagedDisksKeyRotationToLatestKeyVersionEnabled')), null()))), null())]" - } + "encryption": "[if(or(not(empty(parameters('cMKManagedServicesKeyName'))), not(empty(parameters('cMKManagedServicesKeyName')))), createObject('entities', createObject('managedServices', if(not(empty(parameters('cMKManagedServicesKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedServicesKeyVault').vaultUri, 'keyName', parameters('cMKManagedServicesKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedServicesKeyVersion'))), parameters('cMKManagedServicesKeyVersion'), last(split(reference('cMKManagedServicesKeyVault::cMKKey').keyUriWithVersion, '/'))))), null()), 'managedDisk', if(not(empty(parameters('cMKManagedDisksKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedDisksKeyVault').vaultUri, 'keyName', parameters('cMKManagedDisksKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedDisksKeyVersion'))), 
parameters('cMKManagedDisksKeyVersion'), last(split(reference('cMKManagedDisksKeyVault::cMKKeyDisk').keyUriWithVersion, '/')))), 'rotationToLatestKeyVersionEnabled', parameters('cMKManagedDisksKeyRotationToLatestKeyVersionEnabled')), null()))), null())]" + }, + "dependsOn": [ + "cMKManagedDisksKeyVault", + "cMKManagedServicesKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "workspace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_diagnosticSettings": { "condition": "[and(equals(parameters('skuName'), 'premium'), or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName')))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
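Review bot: The rewritten `encryption` expression still guards on `or(not(empty(parameters('cMKManagedServicesKeyName'))), not(empty(parameters('cMKManagedServicesKeyName'))))`, the same parameter twice, so a deployment that sets only `cMKManagedDisksKeyName` and `cMKManagedDisksKeyVaultResourceId` evaluates to `encryption: null` and the managed disks are created without the customer-managed key, with no error to show it. The commit only swapped the inner references for symbolic ones and carried the duplicated operand over from the removed line. Since this file is generated, the fix belongs in the `encryption:` property of the `workspace` resource in modules/databricks/workspace/main.bicep (not in the visible hunks), presumably `!empty(cMKManagedServicesKeyName) || !empty(cMKManagedDisksKeyName)`, after which main.json should be regenerated.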
@@ -386,10 +454,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -534,10 +602,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -567,7 +635,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", 
@@ -1061,10 +1131,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" + "workspace" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1092,7 +1162,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Databricks/workspaces', parameters('name')), '2023-02-01', 'full').location]" + "value": "[reference('workspace', '2023-02-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index e81954bc6b..c7d0cf9a73 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep @@ -69,7 +69,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' location: resourceGroup.location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index 18f1ae8515..cfc5ce3c28 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep @@ -87,7 +87,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' location: resourceGroup.location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index 5b936154cd..bce5faa7d7 100644 
--- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -136,7 +136,10 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { enableDefaultTelemetry: '' highAvailability: 'SameZone' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateDnsZoneResourceId: '' roleAssignments: [ { @@ -236,7 +239,10 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateDnsZoneResourceId": { "value": "" @@ -343,7 +349,10 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { geoRedundantBackup: 'Enabled' highAvailability: 'SameZone' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -480,7 +489,10 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -581,7 +593,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. | | [`highAvailability`](#parameter-highavailability) | string | The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | | [`replicationRole`](#parameter-replicationrole) | string | The replication role. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". | 
@@ -795,11 +807,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maintenanceWindow` diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index cb13edabb3..419cf6b925 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep @@ -5,13 +5,8 @@ metadata owner = 'Azure/module-maintainers' @description('Required. The name of the MySQL flexible server.') param name string -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Location for all resources.') param location string = resourceGroup().location 
@@ -255,21 +250,21 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split(cMKKeyVaultResourceId, '/'))! - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) - resource cMKKey 'keys@2022-07-01' existing = if (!empty(cMKKeyName)) { - name: cMKKeyName + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { + name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' } } -resource geoBackupCMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(geoBackupCMKKeyVaultResourceId)) { - name: last(split(geoBackupCMKKeyVaultResourceId, '/'))! - scope: resourceGroup(split(geoBackupCMKKeyVaultResourceId, '/')[2], split(geoBackupCMKKeyVaultResourceId, '/')[4]) +resource geoBackupCMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(geoBackupCMKKeyVaultResourceId)) { + name: last(split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : '//'), '/')[2], split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : '////'), '/')[4]) resource geoBackupCMKKey 'keys@2023-02-01' existing = if (!empty(geoBackupCMKKeyName)) { - name: geoBackupCMKKeyName + name: !empty(geoBackupCMKKeyName) ? geoBackupCMKKeyName : 'dummyKey' } } 
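Review bot: The vault apiVersion moves backwards from 2023-02-01 to 2021-10-01 on the new `cMKKeyVault` and `geoBackupCMKKeyVault` lines while the nested `cMKKey` moves forward to 2023-02-01; if the downgrade is deliberate (aligning with other modules, for instance) a short comment should say so, otherwise it reads as an unintended copy from a template. The `'dummyVault'`, `'//'` and `'////'` fallbacks on the name and scope lines are also magic values: they only keep `split(...)[2]` and `split(...)[4]` in range while the resource id is empty and the `existing = if (...)` condition skips the resource, so a one-line comment such as `// Placeholders keep split()[2]/[4] in range when no CMK vault is configured; the resource is skipped by its condition in that case.` above the first vault would save the next reader working that out. The same applies to the Postgres module's `cMKKeyVault` hunk in modules/db-for-postgre-sql/flexible-server/main.bicep.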
@@ -325,11 +320,11 @@ resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview } } -resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${flexibleServer.name}-${lock}-lock' +resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: flexibleServer } @@ -404,3 +399,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = flexibleServer.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index da56c4087f..803d30c7b5 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json 
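Review bot: The new condition `!empty(lock ?? {}) && lock.?kind != 'None'` is true for a lock object that sets only `name`, and the resource then deploys with `level: lock.?kind ?? ''`, an empty level the locks API does not accept, so the deployment fails instead of quietly skipping the lock. Gating on the kind itself, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, keeps the null and `None` handling and removes that failure path. The Postgres `flexibleServer_lock` hunk in this commit has the same condition, and both compiled main.json `flexibleServer_lock` resources carry it too; those should be regenerated from the corrected Bicep rather than edited by hand.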
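Review bot: The `kind` member of the new `lockType` definition is described only as `Optional. Specify the type of lock.`, which does not say what `None` does; since the whole parameter is already nullable, a reader cannot tell why an explicit `None` exists at all. Presumably it lets a caller opt out of a lock that would otherwise be passed down (the Databricks privateEndpoints hunk in this commit coalesces a child lock with the parent one), but that is inferred rather than stated. A description along the lines of `Optional. Specify the type of lock. Set to None to explicitly deploy no lock.` would make the intent explicit; the Postgres `lockType` hunk defines the same type and needs the same wording.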
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1515305312622683890" + "templateHash": "4402521755740806457" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -19,15 +47,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { 
@@ -428,8 +450,32 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "geoBackupCMKKeyVault::geoBackupCMKKey": { + "condition": "[and(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), not(empty(parameters('geoBackupCMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('geoBackupCMKKeyName'))), parameters('geoBackupCMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + 
"geoBackupCMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -443,7 +489,25 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "geoBackupCMKKeyVault": { + "condition": "[not(empty(parameters('geoBackupCMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "flexibleServer": { "type": "Microsoft.DBforMySQL/flexibleServers", "apiVersion": "2022-09-30-preview", "name": "[parameters('name')]", 
@@ -463,7 +527,7 @@ "geoRedundantBackup": "[parameters('geoRedundantBackup')]" }, "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('type', 'AzureKeyVault', 'geoBackupKeyURI', if(equals(parameters('geoRedundantBackup'), 'Enabled'), if(not(empty(parameters('geoBackupCMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('geoBackupCMKKeyVaultResourceId'), '/')[2], split(parameters('geoBackupCMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('geoBackupCMKKeyVaultResourceId'), '/')), parameters('geoBackupCMKKeyName')), '2023-02-01').keyUri, parameters('geoBackupCMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('geoBackupCMKKeyVaultResourceId'), '/')[2], split(parameters('geoBackupCMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('geoBackupCMKKeyVaultResourceId'), '/')), parameters('geoBackupCMKKeyName')), '2023-02-01').keyUriWithVersion), null()), 'geoBackupUserAssignedIdentityId', if(equals(parameters('geoRedundantBackup'), 'Enabled'), parameters('geoBackupCMKUserAssignedIdentityResourceId'), null()), 'primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2022-07-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), 
'/')), parameters('cMKKeyName')), '2022-07-01').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId')), null())]", + "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('type', 'AzureKeyVault', 'geoBackupKeyURI', if(equals(parameters('geoRedundantBackup'), 'Enabled'), if(not(empty(parameters('geoBackupCMKKeyVersion'))), format('{0}/{1}', reference('geoBackupCMKKeyVault::geoBackupCMKKey').keyUri, parameters('geoBackupCMKKeyVersion')), reference('geoBackupCMKKeyVault::geoBackupCMKKey').keyUriWithVersion), null()), 'geoBackupUserAssignedIdentityId', if(equals(parameters('geoRedundantBackup'), 'Enabled'), parameters('geoBackupCMKUserAssignedIdentityResourceId'), null()), 'primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId')), null())]", "highAvailability": { "mode": "[parameters('highAvailability')]", "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" 
@@ -480,23 +544,27 @@ "storageSizeGB": "[parameters('storageSizeGB')]" }, "version": "[parameters('version')]" - } + }, + "dependsOn": [ + "cMKKeyVault", + "geoBackupCMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "flexibleServer_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -511,10 +579,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_roleAssignments": { "copy": { "name": "flexibleServer_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -660,10 +728,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_databases": { "copy": { "name": "flexibleServer_databases", "count": "[length(parameters('databases'))]" @@ -795,10 +863,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_firewallRules": { "copy": { "name": "flexibleServer_firewallRules", "count": "[length(parameters('firewallRules'))]" @@ -925,10 +993,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_administrators": { "copy": { "name": "flexibleServer_administrators", "count": "[length(parameters('administrators'))]" @@ -1070,10 +1138,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1101,7 +1169,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name')), '2022-09-30-preview', 'full').location]" + "value": "[reference('flexibleServer', '2022-09-30-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 4895dea492..152b9d243a 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md 
@@ -516,7 +516,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. | | [`highAvailability`](#parameter-highavailability) | string | The mode for high availability. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | | [`passwordAuth`](#parameter-passwordauth) | string | If Enabled, password authentication is enabled. | | [`privateDnsZoneArmResourceId`](#parameter-privatednszonearmresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". | @@ -717,11 +717,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maintenanceWindow` 
diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index af23c95f5a..16b25a4744 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -149,13 +149,8 @@ param databases array = [] @description('Optional. The configurations to create in the server.') param configurations array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -236,9 +231,13 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { - name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) + + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { + name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + } } resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { @@ -268,7 +267,7 @@ resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = } createMode: createMode dataEncryption: !empty(cMKKeyName) ? { - primaryKeyURI: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion + primaryKeyURI: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion primaryUserAssignedIdentityId: cMKUserAssignedIdentityResourceId type: 'AzureKeyVault' } : null 
@@ -295,11 +294,11 @@ resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = } } -resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${flexibleServer.name}-${lock}-lock' +resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: flexibleServer } @@ -392,3 +391,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = flexibleServer.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index e737116aa5..d432f9e923 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2675797994216094359" + "templateHash": "12105259818259511725" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -275,15 +303,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -397,8 +419,20 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -412,7 +446,16 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "flexibleServer": { "type": "Microsoft.DBforPostgreSQL/flexibleServers", "apiVersion": "2022-12-01", "name": "[parameters('name')]", 
@@ -440,7 +483,7 @@ "geoRedundantBackup": "[parameters('geoRedundantBackup')]" }, "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2022-07-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2022-07-01').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId'), 'type', 'AzureKeyVault'), null())]", + "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId'), 'type', 'AzureKeyVault'), null())]", "highAvailability": { "mode": "[parameters('highAvailability')]", "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" 
@@ -453,23 +496,26 @@ "storageSizeGB": "[parameters('storageSizeGB')]" }, "version": "[parameters('version')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "flexibleServer_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -484,10 +530,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_roleAssignments": { "copy": { "name": "flexibleServer_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -632,10 +678,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_databases": { "copy": { "name": "flexibleServer_databases", "count": "[length(parameters('databases'))]" @@ -767,10 +813,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] }, - { + "flexibleServer_firewallRules": { "copy": { "name": "flexibleServer_firewallRules", "count": "[length(parameters('firewallRules'))]" @@ -897,11 +943,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]", + "flexibleServer", "flexibleServer_databases" ] }, - { + "flexibleServer_configurations": { "copy": { "name": "flexibleServer_configurations", "count": "[length(parameters('configurations'))]", @@ -1035,11 +1081,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]", + "flexibleServer", "flexibleServer_firewallRules" ] }, - { + "flexibleServer_administrators": { "copy": { "name": "flexibleServer_administrators", "count": "[length(parameters('administrators'))]" @@ -1185,10 +1231,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" + "flexibleServer" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1216,7 +1262,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name')), '2022-12-01', 'full').location]" + "value": "[reference('flexibleServer', '2022-12-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep index 673b79551f..f63f6bd345 100644 --- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep @@ -94,7 +94,10 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName friendlyName: 'Remote Applications 1' location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 9738f61981..69318e6750 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -75,7 +75,10 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro enableDefaultTelemetry: '' friendlyName: 'Remote Applications 1' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -162,7 +165,10 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
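Review bot: The updated common test in the application-group `.test/common/main.test.bicep` hunk deploys only the fully specified lock object, `{ kind: 'CanNotDelete', name: 'myCustomLockName' }`, so neither the default-name fallback (`lock: { kind: 'CanNotDelete' }`) nor the new `kind: 'None'` opt-out introduced in main.bicep is exercised, and a regression in the `?? 'lock-${name}'` path would go unnoticed. A second case passing `kind` only, and one leaving `lock` unset, would cover the fallback and the null-object condition. The host-pool and workspace common tests further down make the identical one-value change.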
@@ -271,7 +277,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Application Group to be created. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -368,11 +374,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index 1323b46739..ed9329f309 100644 
--- a/modules/desktop-virtualization/application-group/main.bicep
+++ b/modules/desktop-virtualization/application-group/main.bicep
@@ -40,13 +40,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@sys.description('Optional. Specify the type of lock.')
-param lock string = ''
+@sys.description('Optional. The lock settings of the service.')
+param lock lockType
 
 @sys.description('Optional. Tags of the resource.')
 param tags object = {}
@@ -114,11 +109,11 @@ resource appGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09'
 }
 }
 
-resource appGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${appGroup.name}-${lock}-lock'
+resource appGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: appGroup
 }
@@ -176,3 +171,15 @@ output name string = appGroup.name
 
 @sys.description('The location the resource was deployed into.')
 output location string = appGroup.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @sys.description('Optional. Specify the name of lock.')
+ name: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
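Review bot: `appGroup_lock` in the second hunk is deployed for a `lock` object that carries only a `name`: `!empty(lock ?? {})` is true and a null `kind` is not equal to `'None'`, so the resource is submitted with `level: ''`, which is not a valid lock level and fails the whole deployment. Since `lockType` in the third hunk makes both fields nullable, the cleanest fix is to require the kind there, `kind: 'CanNotDelete' | 'ReadOnly' | 'None'`, so a name-only object is rejected at validation time rather than mid-deployment; if `kind` must stay optional, gate the resource on it instead, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. `hostPool_lock` and `workspace_lock` in the host-pool and workspace main.bicep hunks further down carry the same condition. The default lock name also moves from `${appGroup.name}-${lock}-lock` to `lock-${name}`, so redeploying over an existing deployment will presumably leave the old lock in place beside the new one until it is removed by hand — worth a sentence in the parameter description.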
diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index a84976fdda..79e4a8b94c 100644 --- a/modules/desktop-virtualization/application-group/main.json +++ b/modules/desktop-virtualization/application-group/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8705022781837382520" + "templateHash": "14151741428867025425" }, "name": "Azure Virtual Desktop (AVD) Application Groups", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -92,15 +120,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -162,8 +184,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -177,7 +199,13 @@ } } }, - { + "appGroup_hostpool": { + "existing": true, + "type": "Microsoft.DesktopVirtualization/hostPools", + "apiVersion": "2022-09-09", + "name": "[parameters('hostpoolName')]" + }, + "appGroup": { "type": "Microsoft.DesktopVirtualization/applicationGroups", "apiVersion": "2022-09-09", "name": "[parameters('name')]", 
@@ -188,23 +216,26 @@ "friendlyName": "[parameters('friendlyName')]", "description": "[parameters('description')]", "applicationGroupType": "[parameters('applicationGroupType')]" - } + }, + "dependsOn": [ + "appGroup_hostpool" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "appGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" + "appGroup" ] }, - { + "appGroup_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -218,10 +249,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" + "appGroup" ] }, - { + "appGroup_applications": { "copy": { "name": "appGroup_applications", "count": "[length(parameters('applications'))]" @@ -405,10 +436,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" + "appGroup" ] }, - { + "appGroup_roleAssignments": { "copy": { "name": "appGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -567,10 +598,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" + "appGroup" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -598,7 +629,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name')), '2022-09-09', 'full').location]" + "value": "[reference('appGroup', '2022-09-09', 'full').location]" } } } \ No newline at end of file diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep index ae07838fee..a72b947abb 100644 --- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep @@ -76,7 +76,10 @@ module testDeployment '../../main.bicep' = { type: 'Pooled' loadBalancerType: 'BreadthFirst' location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } maxSessionLimit: 99999 personalDesktopAssignmentType: 'Automatic' roleAssignments: [ diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index aeced854d6..0d1ab1e93e 100644 --- a/modules/desktop-virtualization/host-pool/README.md 
+++ b/modules/desktop-virtualization/host-pool/README.md @@ -71,7 +71,10 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { friendlyName: 'AVDv2' loadBalancerType: 'BreadthFirst' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } maxSessionLimit: 99999 personalDesktopAssignmentType: 'Automatic' roleAssignments: [ @@ -175,7 +178,10 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "maxSessionLimit": { "value": 99999 @@ -310,7 +316,7 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Host Pool to be created. | | [`loadBalancerType`](#parameter-loadbalancertype) | string | Type of load balancer algorithm. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxSessionLimit`](#parameter-maxsessionlimit) | int | Maximum number of sessions. | | [`personalDesktopAssignmentType`](#parameter-personaldesktopassignmenttype) | string | Set the type of assignment for a Personal Host Pool type. | | [`preferredAppGroupType`](#parameter-preferredappgrouptype) | string | The type of preferred application group type, default to Desktop Application Group. | 
@@ -479,11 +485,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxSessionLimit` diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 79ea1e7407..4ec3daa00b 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep @@ -68,13 +68,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@sys.description('Optional. Specify the type of lock.') -param lock string = '' +@sys.description('Optional. The lock settings of the service.') +param lock lockType @sys.description('Optional. Tags of the resource.') param tags object = {} 
@@ -240,11 +235,11 @@ resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
 }
 }
 
-resource hostPool_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${hostPool.name}-${lock}-lock'
+resource hostPool_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: hostPool
 }
@@ -288,3 +283,15 @@ output tokenExpirationTime string = dateTimeAdd(baseTime, tokenValidityLength)
 
 @sys.description('The location the resource was deployed into.')
 output location string = hostPool.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @sys.description('Optional. Specify the name of lock.')
+ name: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json
index 9f61db2a23..9b948e77f8 100644
--- a/modules/desktop-virtualization/host-pool/main.json
+++ b/modules/desktop-virtualization/host-pool/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15971169028304265471" + "templateHash": "14351870232207146144" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -146,15 +174,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -354,8 +376,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -369,7 +391,7 @@ } } }, - { + "hostPool": { "type": "Microsoft.DesktopVirtualization/hostPools", "apiVersion": "2022-09-09", "name": "[parameters('name')]", @@ -400,21 +422,21 @@ "ssoSecretType": "[if(not(empty(parameters('ssoSecretType'))), parameters('ssoSecretType'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "hostPool_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name'))]" + "hostPool" ] }, - { + "hostPool_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -428,10 +450,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name'))]" + "hostPool" ] }, - { + "hostPool_roleAssignments": { "copy": { "name": "hostPool_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -590,10 +612,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name'))]" + "hostPool" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -628,7 +650,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name')), '2022-09-09', 'full').location]" + "value": "[reference('hostPool', '2022-09-09', 'full').location]" } } } \ No newline at end of file diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep index d98e112b0f..08f36e4d8a 100644 --- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep @@ -76,7 +76,10 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 176ee1f214..c864a267f3 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md 
@@ -57,7 +57,10 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { enableDefaultTelemetry: '' friendlyName: 'My first AVD Workspace' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -123,7 +126,10 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -222,7 +228,7 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Workspace to be created. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -306,11 +312,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index 6cf547dee5..dbb747db0c 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep @@ -29,13 +29,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@sys.description('Optional. Specify the type of lock.') -param lock string = '' +@sys.description('Optional. The lock settings of the service.') +param lock lockType @sys.description('Optional. Tags of the resource.') param tags object = {} 
@@ -97,11 +92,11 @@ resource workspace 'Microsoft.DesktopVirtualization/workspaces@2022-09-09' = {
 }
 }
 
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${workspace.name}-${lock}-lock'
+resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: workspace
 }
@@ -142,3 +137,15 @@ output name string = workspace.name
 
 @sys.description('The location the resource was deployed into.')
 output location string = workspace.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @sys.description('Optional. Specify the name of lock.')
+ name: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json
index b96c1b5e6c..8de43e23ad 100644
--- a/modules/desktop-virtualization/workspace/main.json
+++ b/modules/desktop-virtualization/workspace/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8129248040868416848" + "templateHash": "346606574867500631" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -75,15 +103,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -145,8 +167,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -160,7 +182,7 @@ } } }, - { + "workspace": { "type": "Microsoft.DesktopVirtualization/workspaces", "apiVersion": "2022-09-09", "name": "[parameters('name')]", 
@@ -172,21 +194,21 @@ "friendlyName": "[parameters('friendlyName')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "workspace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -200,10 +222,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -362,10 +384,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name'))]" + "workspace" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -393,7 +415,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name')), '2022-09-09', 'full').location]" + "value": "[reference('workspace', '2022-09-09', 'full').location]" } } } \ No newline at end of file diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep index c63a75d0ae..3552e13297 100644 --- a/modules/dev-test-lab/lab/.test/common/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep @@ -61,7 +61,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' location: resourceGroup.location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index 03bc402078..086d52b067 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -97,7 +97,10 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { isolateLabResources: 'Enabled' labStorageType: 'Premium' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managementIdentities: { '': {} } @@ -367,7 +370,10 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "managementIdentities": { "value": { 
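Review bot: The updated `common` test still exercises only `kind: 'CanNotDelete'` with a custom name, so neither new branch of the module's lock resource — `kind: 'None'` suppressing the lock, and the default `lock-<name>` when `name` is omitted — is deployed by any test visible in this change. Consider having another test case for the module pass `lock: { kind: 'ReadOnly' }` without a name, or `lock: { kind: 'None' }`, so the condition and the fallback name are covered at least once. The `testDeployment` module declaration starts above this hunk.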
@@ -652,7 +658,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { | [`isolateLabResources`](#parameter-isolatelabresources) | string | Enable lab resources isolation from the public internet. | | [`labStorageType`](#parameter-labstoragetype) | string | Type of storage used by the lab. It can be either Premium or Standard. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managementIdentities`](#parameter-managementidentities) | object | The ID(s) to assign to the virtual machines associated with this lab. | | [`mandatoryArtifactsResourceIdsLinux`](#parameter-mandatoryartifactsresourceidslinux) | array | The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. | | [`mandatoryArtifactsResourceIdsWindows`](#parameter-mandatoryartifactsresourceidswindows) | array | The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. | @@ -771,11 +777,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managementIdentities` 
diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index bb996a3239..91e29b6080 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep @@ -8,13 +8,8 @@ param name string @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -163,11 +158,11 @@ resource lab 'Microsoft.DevTestLab/labs@2018-10-15-preview' = { } } -resource lab_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${lab.name}-${lock}-lock' +resource lab_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: lab } 
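Review bot: `lab_lock`'s condition `!empty(lock ?? {}) && lock.?kind != 'None'` is satisfied by `lock: { name: 'x' }` with no `kind`, and `level: lock.?kind ?? ''` then sends an empty level to `Microsoft.Authorization/locks`, which the service will reject at deployment time rather than at validation. Conditioning on the property the resource needs, `if (lock.?kind != null && lock.?kind != 'None')`, closes that gap; the same pattern appears in the other modules touched by this commit. The enclosing `lab` resource declaration begins above this hunk.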
@@ -308,3 +303,15 @@ output name string = lab.name @description('The location the resource was deployed into.') output location string = lab.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index a83a20dd30..75806465ef 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12564230212135431557" + "templateHash": "13792715418328262207" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -248,8 +270,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -263,7 +285,7 @@ } } }, - { + "lab": { "type": "Microsoft.DevTestLab/labs", "apiVersion": "2018-10-15-preview", "name": "[parameters('name')]", @@ -294,21 +316,21 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "lab_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_virtualNetworks": { "copy": { "name": "lab_virtualNetworks", "count": "[length(parameters('virtualnetworks'))]" @@ -463,10 +485,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_policies": { "copy": { "name": "lab_policies", "count": "[length(parameters('policies'))]" 
@@ -668,10 +690,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_schedules": { "copy": { "name": "lab_schedules", "count": "[length(parameters('schedules'))]" @@ -886,10 +908,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_notificationChannels": { "copy": { "name": "lab_notificationChannels", "count": "[length(parameters('notificationchannels'))]" @@ -1058,10 +1080,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_artifactSources": { "copy": { "name": "lab_artifactSources", "count": "[length(parameters('artifactsources'))]" @@ -1261,10 +1283,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_costs": { "condition": "[not(empty(parameters('costs')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1599,10 +1621,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] }, - { + "lab_roleAssignments": { "copy": { "name": "lab_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1749,24 +1771,24 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" + "lab" ] } - ], + }, "outputs": { "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[reference(resourceId('Microsoft.DevTestLab/labs', parameters('name')), '2018-10-15-preview', 'full').identity.principalId]" + "value": "[reference('lab', '2018-10-15-preview', 'full').identity.principalId]" }, "uniqueIdentifier": { "type": "string", "metadata": { "description": "The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates." }, - "value": "[reference(resourceId('Microsoft.DevTestLab/labs', parameters('name')), '2018-10-15-preview').uniqueIdentifier]" + "value": "[reference('lab').uniqueIdentifier]" }, "resourceGroupName": { "type": "string", @@ -1794,7 +1816,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DevTestLab/labs', parameters('name')), '2018-10-15-preview', 'full').location]" + "value": "[reference('lab', '2018-10-15-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index 21623ed47d..214300847b 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep 
@@ -94,7 +94,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 36f5f810ab..103d299b2c 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -14,7 +14,6 @@ This module deploys an Azure Digital Twins Instance. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.DigitalTwins/digitalTwinsInstances` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances) | @@ -65,7 +64,10 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan entityPath: '' userAssignedIdentity: '' } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ 
@@ -149,7 +151,10 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ @@ -272,7 +277,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | [`eventGridEndpoint`](#parameter-eventgridendpoint) | object | Event Grid Endpoint. | | [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -362,11 +367,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 139a665887..1b66f5077c 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -13,13 +13,8 @@ param location string = resourceGroup().location @description('Optional. Resource tags.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false 
@@ -200,7 +195,7 @@ module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/mai subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -210,11 +205,11 @@ module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/mai } }] -resource digitalTwinsInstance_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${digitalTwinsInstance.name}-${lock}-lock' +resource digitalTwinsInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: digitalTwinsInstance } 
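Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints from no lock to the parent instance's lock, which is a behaviour change for callers that set `lock` on the instance but not on each endpoint — with a `ReadOnly` parent lock the endpoints become read-only as well. Because `??` only falls through on null, the only way to keep an endpoint unlocked while locking the instance is an explicit `lock: { kind: 'None' }` on that endpoint, and neither the `privateEndpoints` parameter description nor the README hunks in this change say so. Suggest appending to the `privateEndpoints` description: `Each endpoint inherits the instance-level lock unless it sets its own lock; use lock.kind 'None' to opt out.` This also presumes the referenced network/private-endpoint module accepts the object-shaped lock, which is outside this diff. The `digitalTwinsInstance_privateEndpoints` module declaration starts before this hunk.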
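Review bot: `digitalTwinsInstance_lock` has the same gap as the other lock resources in this commit: its condition `!empty(lock ?? {}) && lock.?kind != 'None'` is satisfied by `{ name: 'x' }` alone, so `level: lock.?kind ?? ''` deploys with an empty level that the locks API will reject. `if (lock.?kind != null && lock.?kind != 'None')` makes the resource depend on the value it actually requires. The API version bump to `2020-05-01` is consistent with the README resource table in this change.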
@@ -259,3 +254,15 @@ output hostname string = digitalTwinsInstance.properties.hostName @description('The location the resource was deployed into.') output location string = digitalTwinsInstance.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index 958cae8390..f156f61380 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5421587631064538780" + "templateHash": "18430271797869106154" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -35,15 +63,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { @@ -206,8 +228,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -221,7 +243,7 @@ } } }, - { + "digitalTwinsInstance": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances", "apiVersion": "2023-01-31", "name": "[parameters('name')]", 
@@ -232,21 +254,21 @@ "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "digitalTwinsInstance_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -261,10 +283,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_eventHubEndpoint": { "condition": "[not(empty(parameters('eventHubEndpoint')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -456,10 +478,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_eventGridEndpoint": { "condition": "[not(empty(parameters('eventGridEndpoint')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -599,10 +621,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_serviceBusEndpoint": { "condition": "[not(empty(parameters('serviceBusEndpoint')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -794,10 +816,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_privateEndpoints": { "copy": { "name": "digitalTwinsInstance_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -827,7 +849,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1318,10 +1342,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] }, - { + "digitalTwinsInstance_roleAssignments": { "copy": { "name": "digitalTwinsInstance_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1469,10 +1493,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" + "digitalTwinsInstance" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1500,14 +1524,14 @@ "metadata": { "description": "The hostname of the Digital Twins Instance." }, - "value": "[reference(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), '2023-01-31').hostName]" + "value": "[reference('digitalTwinsInstance').hostName]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), '2023-01-31', 'full').location]" + "value": "[reference('digitalTwinsInstance', '2023-01-31', 'full').location]" } } } \ No newline at end of file diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/.test/plain/main.test.bicep index 2d6dfa43d6..edc31ecb87 100644 --- a/modules/document-db/database-account/.test/plain/main.test.bicep +++ b/modules/document-db/database-account/.test/plain/main.test.bicep @@ -80,7 +80,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index e0616a7595..9031e0fb1e 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md 
@@ -800,7 +800,10 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -866,7 +869,10 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -1242,7 +1248,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { | [`enableFreeTier`](#parameter-enablefreetier) | bool | Flag to indicate whether Free Tier is enabled. | | [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxIntervalInSeconds`](#parameter-maxintervalinseconds) | int | Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | | [`maxStalenessPrefix`](#parameter-maxstalenessprefix) | int | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | | [`mongodbDatabases`](#parameter-mongodbdatabases) | array | MongoDB Databases configurations. | 
@@ -1410,11 +1416,30 @@ Locations enabled for the Cosmos DB account. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxIntervalInSeconds` diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 2b5481b411..37ab5669f4 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -73,13 +73,8 @@ param gremlinDatabases array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
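Review bot: The description on `param lock lockType` does not say what an omitted value does, and with no default the reader has to find `databaseAccount_lock` (outside this hunk) to learn that a null parameter, or `kind: 'None'`, deploys no lock and that the same value is forwarded to each private endpoint. Suggest `@description('Optional. The lock settings of the service. Omit it, or set kind to \'None\', to deploy without a lock; the value is also applied to each private endpoint unless the endpoint sets its own lock.')`.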
@@ -284,11 +279,11 @@ resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = { properties: databaseAccount_properties } -resource databaseAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${databaseAccount.name}-${lock}-lock' +resource databaseAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: databaseAccount } @@ -362,7 +357,7 @@ module databaseAccount_privateEndpoints '../../network/private-endpoint/main.bic subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
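Review bot: The condition on `databaseAccount_lock` still deploys the lock when `lock` is a non-empty object without `kind` (for example `{ name: 'custom' }`), and `level: lock.?kind ?? ''` then submits an empty level, which is not one of the values `lockType` allows and presumably fails at deployment rather than meaning "no lock". Gating on the kind itself removes that path: `resource databaseAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`, keeping `?? ''` only if the compiler still needs it for the property type. Separately, the default lock name changes from `${name}-${kind}-lock` to `lock-${name}`, so redeploying over an existing deployment presumably leaves the previously created lock in place (an incremental deployment does not remove resources that dropped out of the template) and the old lock has to be removed by hand; that migration step deserves a line in the module's README or changelog.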
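Review bot: `lock: privateEndpoint.?lock ?? lock` turns the default for `databaseAccount_privateEndpoints` from "no lock" into "inherit the account's lock", so any caller that sets `lock` now also gets a lock on every private endpoint, and a `ReadOnly` lock will block updates to those endpoints as well. Tighter by default is a reasonable choice, but it is a behavioural change that neither the `privateEndpoints` description nor this hunk records, and the only opt-out is a per-endpoint `lock: { kind: 'None' }`, assuming the private-endpoint module treats `'None'` the way this file does. Suggest stating both in the `privateEndpoints` description, e.g. appending `Each endpoint inherits the account\'s lock unless it sets its own; use lock: { kind: \'None\' } to opt out.` The `databaseAccount_privateEndpoints` module declaration starts before this hunk.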
@@ -389,3 +384,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(dat @description('The location the resource was deployed into.') output location string = databaseAccount.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 92692742b6..79808d511c 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14731361995400554127" + "templateHash": "13886795261024794795" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
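Review bot: `kind` is nullable in `lockType`, yet a lock resource needs a level, so `lock: { name: 'x' }` type-checks and only fails when `databaseAccount_lock` is deployed with an empty level. If omitting `kind` is not meant to be supported, make it required, `kind: 'CanNotDelete' | 'ReadOnly' | 'None'`, so the mistake surfaces at compile time; if it is, the description should say what an omitted kind does. In either case the `kind` description should spell out that `'None'` deploys no lock, since that is the only way to read the resource condition, e.g. `@description('Optional. Specify the type of lock. \'None\' deploys no lock.')`.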
@@ -150,15 +178,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -375,8 +397,8 @@ "backupPolicy": "[if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('type', parameters('backupPolicyType'), 'continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject('type', parameters('backupPolicyType'), 'periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))))]", "databaseAccount_properties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType')), if(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'locations', variables('databaseAccount_locations'), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 'backupPolicy', variables('backupPolicy')), createObject()), if(not(empty(parameters('sqlDatabases'))), createObject('enableAutomaticFailover', parameters('automaticFailover')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -390,7 +412,7 @@ } } }, - { + "databaseAccount": { "type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2023-04-15", "name": "[parameters('name')]", @@ -400,21 +422,21 @@ "kind": "[variables('kind')]", "properties": "[variables('databaseAccount_properties')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "databaseAccount_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -429,10 +451,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_roleAssignments": { "copy": { "name": "databaseAccount_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -582,10 +604,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_sqlDatabases": { "copy": { "name": "databaseAccount_sqlDatabases", "count": "[length(parameters('sqlDatabases'))]" @@ -951,10 +973,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_mongodbDatabases": { "copy": { "name": "databaseAccount_mongodbDatabases", "count": "[length(parameters('mongodbDatabases'))]" @@ -1241,10 +1263,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_gremlinDatabases": { "copy": { "name": "databaseAccount_gremlinDatabases", "count": "[length(parameters('gremlinDatabases'))]" @@ -1554,10 +1576,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] }, - { + "databaseAccount_privateEndpoints": { "copy": { "name": "databaseAccount_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1587,7 +1609,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2081,10 +2105,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" + "databaseAccount" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2112,14 +2136,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '2023-04-15', 'full').identity, 'principalId')), reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '2023-04-15', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('databaseAccount', '2023-04-15', 'full').identity, 'principalId')), reference('databaseAccount', '2023-04-15', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '2023-04-15', 'full').location]" + "value": "[reference('databaseAccount', '2023-04-15', 'full').location]" } } } \ No newline at end of file diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep index 1c62ba2b2b..373d3bee63 100644 --- a/modules/event-grid/domain/.test/common/main.test.bicep +++ b/modules/event-grid/domain/.test/common/main.test.bicep @@ -77,7 +77,10 @@ module testDeployment '../../main.bicep' = { ipMask: '40.74.28.0/23' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index a5d51bc6c9..f384027758 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -61,7 +61,10 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { ipMask: '40.74.28.0/23' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ 
@@ -138,7 +141,10 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ @@ -346,7 +352,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -441,11 +447,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep index fec69f3e16..3a3c6dbf0f 100644 --- a/modules/event-grid/domain/main.bicep +++ b/modules/event-grid/domain/main.bicep @@ -43,13 +43,8 @@ param privateEndpoints array = [] @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -136,11 +131,11 @@ module domain_topics 'topic/main.bicep' = [for (topic, index) in topics: { } }] -resource domain_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${domain.name}-${lock}-lock' +resource domain_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: domain } @@ -169,7 +164,7 @@ module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
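Review bot: `domain_lock` is still deployed when `lock` is a non-empty object that lacks `kind`, such as `{ name: 'custom' }`, and `level: lock.?kind ?? ''` then sends an empty level, which is not a value `lockType` allows and presumably fails the deployment instead of meaning "no lock". Conditioning on the kind avoids the fallback: `resource domain_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`. The default name also moves from `${name}-${kind}-lock` to `lock-${name}`, so an existing deployment presumably keeps its old lock next to the new one after upgrading (incremental deployments do not remove resources that left the template); worth a README or changelog note.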
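Review bot: `lock: privateEndpoint.?lock ?? lock` makes each `domain_privateEndpoints` entry inherit the domain's lock by default, where it previously got none, so a `ReadOnly` lock on the domain now also freezes its private endpoints. The `privateEndpoints` description does not mention this, and the only opt-out is a per-endpoint `lock: { kind: 'None' }`, assuming the private-endpoint module handles `'None'` as this file does. Suggest appending to that description: `Each endpoint inherits the domain\'s lock unless it sets its own; use lock: { kind: \'None\' } to opt out.` The module declaration begins before this hunk.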
@@ -206,3 +201,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = domain.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index a9c801166c..182826febc 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4315845252350634330" + "templateHash": "17128943362553592156" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -101,15 +129,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -191,8 +213,8 @@ "enableReferencedModulesTelemetry": false, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -206,7 +228,7 @@ } } }, - { + "domain": { "type": "Microsoft.EventGrid/domains", "apiVersion": "2022-06-15", "name": "[parameters('name')]", 
@@ -219,21 +241,21 @@ "autoDeleteTopicWithLastSubscription": "[parameters('autoDeleteTopicWithLastSubscription')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "domain_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" + "domain" ] }, - { + "domain_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -248,10 +270,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" + "domain" ] }, - { + "domain_topics": { "copy": { "name": "domain_topics", "count": "[length(parameters('topics'))]" 
@@ -366,10 +388,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" + "domain" ] }, - { + "domain_privateEndpoints": { "copy": { "name": "domain_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -399,7 +421,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -893,10 +917,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" + "domain" ] }, - { + "domain_roleAssignments": { "copy": { "name": "domain_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1047,10 +1071,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" + "domain" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1078,7 +1102,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.EventGrid/domains', parameters('name')), '2022-06-15', 'full').location]" + "value": "[reference('domain', '2022-06-15', 'full').location]" } } } \ No newline at end of file diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep index 316cfc5c48..0c4c9c5284 100644 --- a/modules/event-grid/system-topic/.test/common/main.test.bicep +++ b/modules/event-grid/system-topic/.test/common/main.test.bicep @@ -96,7 +96,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index e605059de0..e70f28338f 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -78,7 +78,10 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -162,7 +165,10 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -270,7 +276,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -350,11 +356,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep index 5358a5ea6f..f9795708b8 100644 --- a/modules/event-grid/system-topic/main.bicep +++ b/modules/event-grid/system-topic/main.bicep @@ -32,13 +32,8 @@ param diagnosticEventHubName string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -141,11 +136,11 @@ module systemTopics_eventSubscriptions 'event-subscription/main.bicep' = [for (e } }] -resource systemTopic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${systemTopic.name}-${lock}-lock' +resource systemTopic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: systemTopic } 
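Review bot: `systemTopic_lock` is deployed whenever `lock` is a non-empty object whose `kind` is anything but `'None'`, which includes an object with only `name` set; `level: lock.?kind ?? ''` then submits an empty level, a value `lockType` does not allow, and the deployment presumably fails rather than skipping the lock. Suggest `resource systemTopic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`. The default lock name also changes from `${name}-${kind}-lock` to `lock-${name}`, so an upgrade of an existing deployment presumably leaves the old lock in place alongside the new one; a migration note would help callers.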
@@ -190,3 +185,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(sys @description('The location the resource was deployed into.') output location string = systemTopic.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json index d47e0b9d3f..56564d3be1 100644 --- a/modules/event-grid/system-topic/main.json +++ b/modules/event-grid/system-topic/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13215489869065606829" + "templateHash": "5976620650016374171" }, "name": "Event Grid System Topics", "description": "This module deploys an Event Grid System Topic.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -80,15 +108,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
@@ -177,8 +199,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -192,7 +214,7 @@ } } }, - { + "systemTopic": { "type": "Microsoft.EventGrid/systemTopics", "apiVersion": "2021-12-01", "name": "[parameters('name')]", 
@@ -204,21 +226,21 @@ "topicType": "[parameters('topicType')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "systemTopic_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" + "systemTopic" ] }, - { + "systemTopic_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -233,10 +255,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" + "systemTopic" ] }, - { + "systemTopics_eventSubscriptions": { "copy": { "name": "systemTopics_eventSubscriptions", "count": "[length(parameters('eventSubscriptions'))]" 
@@ -267,7 +289,7 @@ "expirationTimeUtc": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'expirationTimeUtc'), createObject('value', parameters('eventSubscriptions')[copyIndex()].expirationTimeUtc), createObject('value', ''))]", "filter": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'filter'), createObject('value', parameters('eventSubscriptions')[copyIndex()].filter), createObject('value', createObject()))]", "labels": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'labels'), createObject('value', parameters('eventSubscriptions')[copyIndex()].labels), createObject('value', createArray()))]", - "location": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), '2021-12-01', 'full').location))]", + "location": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference('systemTopic', '2021-12-01', 'full').location))]", "retryPolicy": "[if(contains(parameters('eventSubscriptions')[copyIndex()], 'retryPolicy'), createObject('value', parameters('eventSubscriptions')[copyIndex()].retryPolicy), createObject('value', createObject()))]" }, "template": { @@ -444,10 +466,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" + "systemTopic" ] }, - { + "systemTopic_roleAssignments": { "copy": { "name": "systemTopic_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -598,10 +620,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" + "systemTopic" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -629,14 +651,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), '2021-12-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), '2021-12-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('systemTopic', '2021-12-01', 'full').identity, 'principalId')), reference('systemTopic', '2021-12-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), '2021-12-01', 'full').location]" + "value": "[reference('systemTopic', '2021-12-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep index 61bec19754..1e9e0bec23 100644 --- a/modules/event-grid/topic/.test/common/main.test.bicep +++ b/modules/event-grid/topic/.test/common/main.test.bicep @@ -101,7 +101,10 @@ module testDeployment '../../main.bicep' = { ipMask: '40.74.28.0/23' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 7987d9b586..ce94a6b52d 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -85,7 +85,10 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { ipMask: '40.74.28.0/23' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ 
@@ -185,7 +188,10 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ @@ -387,7 +393,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { | [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | | [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -474,11 +480,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep index 2f76ab44df..2ad0af32b8 100644 --- a/modules/event-grid/topic/main.bicep +++ b/modules/event-grid/topic/main.bicep @@ -40,13 +40,8 @@ param privateEndpoints array = [] @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -138,11 +133,11 @@ module topics_eventSubscriptions 'event-subscription/main.bicep' = [for (eventSu } }] -resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${topic.name}-${lock}-lock' +resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: topic } @@ -171,7 +166,7 @@ module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
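Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints that declare no lock of their own — they now inherit the topic's lock, where the old line passed `null`. That is a sensible hardening (a deletable private endpoint next to a `CanNotDelete` topic silently removes its private connectivity), but a `ReadOnly` topic lock now also makes each private endpoint read-only, and nothing in this hunk documents the inheritance; the `privateEndpoints` parameter description should state it, e.g. `Each private endpoint inherits the topic's lock unless it specifies its own 'lock'.` The line also assumes the referenced `network/private-endpoint` module already accepts the object-shaped lock; if it still takes the old string parameter the object value is rejected at deployment time. The `topic_privateEndpoints` module body continues outside the hunk.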
@@ -208,3 +203,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = topic.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 67baf2c2eb..5852af83e4 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "607231381512069832" + "templateHash": "9509385509021367133" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -94,15 +122,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -177,8 +199,8 @@ "enableReferencedModulesTelemetry": false, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -192,7 +214,7 @@ } } }, - { + "topic": { "type": "Microsoft.EventGrid/topics", "apiVersion": "2020-06-01", "name": "[parameters('name')]", 
@@ -203,21 +225,21 @@ "inboundIpRules": "[if(empty(parameters('inboundIpRules')), null(), parameters('inboundIpRules'))]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "topic_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" + "topic" ] }, - { + "topic_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -232,10 +254,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" + "topic" ] }, - { + "topics_eventSubscriptions": { "copy": { "name": "topics_eventSubscriptions", "count": "[length(parameters('eventSubscriptions'))]" 
@@ -266,7 +288,7 @@ "expirationTimeUtc": "[if(contains(parameters('eventSubscriptions'), 'expirationTimeUtc'), createObject('value', parameters('eventSubscriptions')[copyIndex()].expirationTimeUtc), createObject('value', ''))]", "filter": "[if(contains(parameters('eventSubscriptions'), 'filter'), createObject('value', parameters('eventSubscriptions')[copyIndex()].filter), createObject('value', createObject()))]", "labels": "[if(contains(parameters('eventSubscriptions'), 'labels'), createObject('value', parameters('eventSubscriptions')[copyIndex()].labels), createObject('value', createArray()))]", - "location": "[if(contains(parameters('eventSubscriptions'), 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference(resourceId('Microsoft.EventGrid/topics', parameters('name')), '2020-06-01', 'full').location))]", + "location": "[if(contains(parameters('eventSubscriptions'), 'location'), createObject('value', parameters('eventSubscriptions')[copyIndex()].location), createObject('value', reference('topic', '2020-06-01', 'full').location))]", "retryPolicy": "[if(contains(parameters('eventSubscriptions'), 'retryPolicy'), createObject('value', parameters('eventSubscriptions')[copyIndex()].retryPolicy), createObject('value', createObject()))]" }, "template": { @@ -443,10 +465,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" + "topic" ] }, - { + "topic_privateEndpoints": { "copy": { "name": "topic_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -476,7 +498,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -970,10 +994,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" + "topic" ] }, - { + "topic_roleAssignments": { "copy": { "name": "topic_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1124,10 +1148,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" + "topic" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1155,7 +1179,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.EventGrid/topics', parameters('name')), '2020-06-01', 'full').location]" + "value": "[reference('topic', '2020-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index 755484f15e..4d6819b790 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep @@ -160,7 +160,10 @@ module testDeployment '../../main.bicep' = { retentionDescriptionTombstoneRetentionTimeInHours: 24 } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkRuleSets: { defaultAction: 'Deny' ipRules: [ diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 1f3585e075..68c432211b 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -149,7 +149,10 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { ] isAutoInflateEnabled: true kafkaEnabled: true - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } maximumThroughputUnits: 4 minimumTlsVersion: '1.2' networkRuleSets: { @@ -339,7 +342,10 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "value": true }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "maximumThroughputUnits": { "value": 4 
@@ -703,7 +709,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`isAutoInflateEnabled`](#parameter-isautoinflateenabled) | bool | Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. | | [`kafkaEnabled`](#parameter-kafkaenabled) | bool | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumThroughputUnits`](#parameter-maximumthroughputunits) | int | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | @@ -855,11 +861,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maximumThroughputUnits` 
diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index 006f14d3e3..936f144c4d 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md @@ -49,7 +49,7 @@ This module deploys an Event Hub Namespace Event Hub. | [`captureDescriptionSkipEmptyArchives`](#parameter-capturedescriptionskipemptyarchives) | bool | A value that indicates whether to Skip Empty Archives. | | [`consumergroups`](#parameter-consumergroups) | array | The consumer groups to create in this event hub instance. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`messageRetentionInDays`](#parameter-messageretentionindays) | int | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". | | [`partitionCount`](#parameter-partitioncount) | int | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. | | [`retentionDescriptionCleanupPolicy`](#parameter-retentiondescriptioncleanuppolicy) | string | Retention cleanup policy. Enumerates the possible values for cleanup policy. | 
@@ -145,11 +145,30 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `messageRetentionInDays` diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep index 1a7d5a2e74..f35b2c1461 100644 --- a/modules/event-hub/namespace/eventhub/main.bicep +++ b/modules/event-hub/namespace/eventhub/main.bicep @@ -51,13 +51,8 @@ param consumergroups array = [ } ] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -170,11 +165,11 @@ resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' = properties: captureDescriptionEnabled ? union(eventHubProperties, eventHubPropertiesCapture) : eventHubProperties } -resource eventHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${eventHub.name}-${lock}-lock' +resource eventHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: eventHub } @@ -225,3 +220,15 @@ output resourceGroupName string = resourceGroup().name @description('The authentication rule resource ID of the event hub.') output resourceId string = az.resourceId('Microsoft.EventHub/namespaces/authorizationRules', namespaceName, 'RootManageSharedAccessKey') + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json index 9ce1247a9f..7a1ba6bd1c 100644 --- a/modules/event-hub/namespace/eventhub/main.json +++ b/modules/event-hub/namespace/eventhub/main.json 
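Review bot: The guard on `eventHub_lock` does not require `kind` to be set: a caller passing `lock: { name: 'myLock' }` satisfies `!empty(lock ?? {})` and `lock.?kind != 'None'`, so the lock is deployed with `level: ''`, which the locks API does not accept — the event hub deployment errors out rather than skipping the lock. Adding `&& !empty(lock.?kind ?? '')` to the condition (or checking `lock.?kind != null`) makes an object without a kind behave like no lock, which matches the README's description of `kind` as optional. If that is not the intended behaviour, `kind` should be made required in `lockType` instead.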
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11568505658717744379" + "templateHash": "13288816158537037984" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -88,15 +116,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -244,8 +266,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -259,27 +281,36 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "eventHub": { "type": "Microsoft.EventHub/namespaces/eventhubs", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]" + "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]", + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "eventHub_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_consumergroups": { 
"copy": { "name": "eventHub_consumergroups", "count": "[length(parameters('consumergroups'))]"
@@ -404,10 +435,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_authorizationRules": { "copy": { "name": "eventHub_authorizationRules", "count": "[length(parameters('authorizationRules'))]"
@@ -537,10 +568,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_roleAssignments": { "copy": { "name": "eventHub_roleAssignments", "count": "[length(parameters('roleAssignments'))]"
@@ -690,10 +721,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] } - ], + }, "outputs": { "name": { "type": "string",
diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep
index 5c3dc8808d..3bfd039efa 100644
--- a/modules/event-hub/namespace/main.bicep
+++ b/modules/event-hub/namespace/main.bicep
@@ -86,13 +86,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
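Review bot: The new `@description('Optional. The lock settings of the service.')` on `param lock lockType` does not say what the parameter now does: in the hunks on the following lines (`lock: eventHub.?lock ?? lock` and `lock: privateEndpoint.?lock ?? lock`) the namespace-level lock becomes the default for every event hub and private endpoint, where the previous defaults were `''` and `null`. An operator who locked only the namespace will, on redeploy, also get a lock on each child, and a `CanNotDelete` child lock then blocks removal of those children. State this where the parameter is declared, e.g. `@description('Optional. The lock settings of the service. Also applied to each event hub and private endpoint unless the item sets its own lock.')`, or restore the per-item defaults if the cascade was not intended.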
@@ -188,12 +183,12 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
 
 resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: cMKKeyName
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
 }
 }
 
@@ -289,7 +284,7 @@ module eventHubNamespace_eventhubs 'eventhub/main.bicep' = [for (eventHub, index
 captureDescriptionSizeLimitInBytes: contains(eventHub, 'captureDescriptionSizeLimitInBytes') ? eventHub.captureDescriptionSizeLimitInBytes : 314572800
 captureDescriptionSkipEmptyArchives: contains(eventHub, 'captureDescriptionSkipEmptyArchives') ? eventHub.captureDescriptionSkipEmptyArchives : false
 consumergroups: contains(eventHub, 'consumergroups') ? eventHub.consumergroups : []
- lock: contains(eventHub, 'lock') ? eventHub.lock : ''
+ lock: eventHub.?lock ?? lock
 messageRetentionInDays: contains(eventHub, 'messageRetentionInDays') ? eventHub.messageRetentionInDays : 1
 partitionCount: contains(eventHub, 'partitionCount') ? eventHub.partitionCount : 2
 roleAssignments: contains(eventHub, 'roleAssignments') ? eventHub.roleAssignments : []
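Review bot: `cMKKeyVault` moves from `Microsoft.KeyVault/vaults@2023-02-01` to `vaults@2021-10-01` while the nested `cMKKey` keeps `keys@2023-02-01`; nothing in the hunk explains the downgrade of the parent, and two API versions on one parent/child pair are hard to maintain. If `2023-02-01` compiled before, keep it, otherwise add a comment naming the reason. The `'dummyVault'`, `'//'` and `'////'` placeholders presumably exist so that `split(...)[2]` and `[4]` stay in range when `cMKKeyVaultResourceId` is empty and the resource is skipped by its condition; that intent deserves a comment such as `// Placeholder values keep the split() indexes valid when no key vault is supplied; the resource is skipped by its condition in that case.`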
@@ -325,7 +320,7 @@ module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.b
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -351,11 +346,11 @@ module eventHubNamespace_roleAssignments '.bicep/nested_roleAssignments.bicep' =
 }
 }]
 
-resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${eventHubNamespace.name}-${lock}-lock'
+resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: eventHubNamespace
 }
@@ -387,3 +382,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(eve
 
 @description('The location the resource was deployed into.')
 output location string = eventHubNamespace.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
index c25cd5d3ef..1c0cc32b12 100644
--- a/modules/event-hub/namespace/main.json
+++ b/modules/event-hub/namespace/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6491527792941921170" + "templateHash": "11328063440515261641" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string",
@@ -168,15 +196,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": {
@@ -331,8 +353,29 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -346,7 +389,7 @@ } } }, - { + "eventHubNamespace": { "type": "Microsoft.EventHub/namespaces", "apiVersion": "2022-10-01-preview", "name": "[parameters('name')]", 
@@ -360,30 +403,33 @@ }, "properties": { "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2023-02-01').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '2023-02-01').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", "isAutoInflateEnabled": 
"[parameters('isAutoInflateEnabled')]", "kafkaEnabled": "[parameters('kafkaEnabled')]", "maximumThroughputUnits": "[variables('maximumThroughputUnitsVar')]", "minimumTlsVersion": "[parameters('minimumTlsVersion')]", "publicNetworkAccess": "[if(contains(parameters('networkRuleSets'), 'publicNetworkAccess'), parameters('networkRuleSets').publicNetworkAccess, if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkRuleSets'))), 'Disabled', parameters('publicNetworkAccess')))]", "zoneRedundant": "[parameters('zoneRedundant')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "eventHubNamespace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), 
not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -398,10 +444,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_authorizationRules": { "copy": { "name": "eventHubNamespace_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -522,10 +568,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_disasterRecoveryConfig": { "condition": "[not(empty(parameters('disasterRecoveryConfig')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -638,10 +684,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_eventhubs": { "copy": { "name": "eventHubNamespace_eventhubs", "count": "[length(parameters('eventhubs'))]" 
@@ -672,7 +718,9 @@ "captureDescriptionSizeLimitInBytes": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionSizeLimitInBytes'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionSizeLimitInBytes), createObject('value', 314572800))]", "captureDescriptionSkipEmptyArchives": "[if(contains(parameters('eventhubs')[copyIndex()], 'captureDescriptionSkipEmptyArchives'), createObject('value', parameters('eventhubs')[copyIndex()].captureDescriptionSkipEmptyArchives), createObject('value', false()))]", "consumergroups": "[if(contains(parameters('eventhubs')[copyIndex()], 'consumergroups'), createObject('value', parameters('eventhubs')[copyIndex()].consumergroups), createObject('value', createArray()))]", - "lock": "[if(contains(parameters('eventhubs')[copyIndex()], 'lock'), createObject('value', parameters('eventhubs')[copyIndex()].lock), createObject('value', ''))]", + "lock": { + "value": "[coalesce(tryGet(parameters('eventhubs')[copyIndex()], 'lock'), parameters('lock'))]" + }, "messageRetentionInDays": "[if(contains(parameters('eventhubs')[copyIndex()], 'messageRetentionInDays'), createObject('value', parameters('eventhubs')[copyIndex()].messageRetentionInDays), createObject('value', 1))]", "partitionCount": "[if(contains(parameters('eventhubs')[copyIndex()], 'partitionCount'), createObject('value', parameters('eventhubs')[copyIndex()].partitionCount), createObject('value', 2))]", "roleAssignments": "[if(contains(parameters('eventhubs')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventhubs')[copyIndex()].roleAssignments), createObject('value', createArray()))]", 
@@ -686,17 +734,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11568505658717744379" + "templateHash": "13288816158537037984" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -774,15 +850,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -930,8 +1000,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -945,27 +1015,36 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "eventHub": { "type": "Microsoft.EventHub/namespaces/eventhubs", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", - "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]" + "properties": "[if(parameters('captureDescriptionEnabled'), union(variables('eventHubProperties'), variables('eventHubPropertiesCapture')), variables('eventHubProperties'))]", + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "eventHub_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_consumergroups": { 
"copy": { "name": "eventHub_consumergroups", "count": "[length(parameters('consumergroups'))]" @@ -1090,10 +1169,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_authorizationRules": { "copy": { "name": "eventHub_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -1223,10 +1302,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] }, - { + "eventHub_roleAssignments": { "copy": { "name": "eventHub_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1376,10 +1455,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" + "eventHub" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1413,10 +1492,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_networkRuleSet": { "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1576,10 +1655,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_privateEndpoints": { "copy": { "name": "eventHubNamespace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1609,7 +1688,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2103,10 +2184,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] }, - { + "eventHubNamespace_roleAssignments": { "copy": { "name": "eventHubNamespace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2256,10 +2337,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" + "eventHubNamespace" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2287,14 +2368,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('eventHubNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('eventHubNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '2022-10-01-preview', 'full').location]" + "value": "[reference('eventHubNamespace', '2022-10-01-preview', 'full').location]" } } }
\ No newline at end of file
diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/.test/common/main.test.bicep
index 25523eb3d0..256cebfa4e 100644
--- a/modules/health-bot/health-bot/.test/common/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/common/main.test.bicep
@@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index fe8b3adee4..db3645ccdd 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -47,7 +47,10 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 sku: 'F0'
 // Non-required parameters
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 principalIds: [
@@ -93,7 +96,10 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "roleAssignments": {
 "value": [
@@ -193,7 +199,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
@@ -214,11 +220,30 @@ Location for all resources.
 
 ### Parameter: `lock`
 
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 
 ### Parameter: `name`
 
diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep
index 356c71c0ae..99b2aaf3f8 100644
--- a/modules/health-bot/health-bot/main.bicep
+++ b/modules/health-bot/health-bot/main.bicep
@@ -19,13 +19,8 @@ param userAssignedIdentities object = {}
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -66,11 +61,11 @@ resource azureHealthBot 'Microsoft.HealthBot/healthBots@2022-08-08' = {
 properties: {}
 }
 
-resource azureHealthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${azureHealthBot.name}-${lock}-lock'
+resource azureHealthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: azureHealthBot
 }
@@ -99,3 +94,15 @@ output resourceId string = azureHealthBot.id
 
 @description('The location the resource was deployed into.')
 output location string = azureHealthBot.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json
index 517c93ef00..6c4a2a9e11 100644
--- a/modules/health-bot/health-bot/main.json
+++ b/modules/health-bot/health-bot/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1397739701759067802" + "templateHash": "17507209096139592862" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -44,15 +72,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -81,8 +103,8 @@ "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -96,7 +118,7 @@ } } }, - { + "azureHealthBot": { "type": "Microsoft.HealthBot/healthBots", "apiVersion": "2022-08-08", "name": "[parameters('name')]", 
@@ -108,21 +130,21 @@ }, "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "azureHealthBot_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthBot/healthBots', parameters('name'))]" + "azureHealthBot" ] }, - { + "healthBot_roleAssignments": { "copy": { "name": "healthBot_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -267,10 +289,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.HealthBot/healthBots', parameters('name'))]" + "azureHealthBot" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -298,7 +320,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.HealthBot/healthBots', parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('azureHealthBot', '2022-08-08', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
index e64ff1eea7..dbc8e30330 100644
--- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep
+++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
@@ -70,7 +70,10 @@ module testDeployment '../../main.bicep' = {
     name: '${namePrefix}${serviceShort}001'
     location: location
     publicNetworkAccess: 'Enabled'
-    lock: ''
+    lock: {
+      kind: 'CanNotDelete'
+      name: 'myCustomLockName'
+    }
     fhirservices: [
       {
         name: '${namePrefix}-az-fhir-x-001'
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 075bb5dbba..150ad94859 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -123,7 +123,10 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
       }
     ]
     location: ''
-    lock: ''
+    lock: {
+      kind: 'CanNotDelete'
+      name: 'myCustomLockName'
+    }
     publicNetworkAccess: 'Enabled'
     tags: {
       Environment: 'Non-Prod'
@@ -232,7 +235,10 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
       "value": ""
     },
     "lock": {
-      "value": ""
+      "value": {
+        "kind": "CanNotDelete",
+        "name": "myCustomLockName"
+      }
     },
     "publicNetworkAccess": {
       "value": "Enabled"
@@ -325,7 +331,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { | [`fhirservices`](#parameter-fhirservices) | array | Deploy FHIR services. | | [`iotconnectors`](#parameter-iotconnectors) | array | Deploy IOT connectors. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -367,11 +373,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index 4fa8abe468..8310adf22f 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md +++ b/modules/healthcare-apis/workspace/dicomservice/README.md @@ -48,7 +48,7 @@ This module deploys a Healthcare API Workspace DICOM Service. | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -149,11 +149,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep
index b15727ce45..eb9b1cd1bf 100644
--- a/modules/healthcare-apis/workspace/dicomservice/main.bicep
+++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep
@@ -47,13 +47,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
-  ''
-  'CanNotDelete'
-  'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @allowed([
   'Disabled'
@@ -134,11 +129,11 @@ resource dicom 'Microsoft.HealthcareApis/workspaces/dicomservices@2022-06-01' =
   }
 }
 
-resource dicom_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${dicom.name}-${lock}-lock'
+resource dicom_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: dicom
 }
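Review bot: The condition on `dicom_lock` still deploys the lock when the caller supplies a `lock` object without a `kind` — `{ name: 'x' }` passes both `!empty(lock ?? {})` and `lock.?kind != 'None'` — and `level: lock.?kind ?? ''` then sends an empty level to the locks provider, which is unlikely to be accepted. Changing the guard to `if (lock.?kind != null && lock.?kind != 'None')` rejects that input up front and makes the `?? ''` fallback unreachable in practice. Separately, the lock name moves from `${dicom.name}-${lock}-lock` to `lock-${name}`; an incremental redeploy over an existing DICOM service does not delete the previously named lock, so both locks can coexist (and a stale ReadOnly lock keeps blocking writes) until the old one is removed manually — this presumably deserves a line in the module's upgrade notes.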
@@ -170,3 +165,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(dic @description('The location the resource was deployed into.') output location string = dicom.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json index bd72aa17df..0c22bd6db4 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.json +++ b/modules/healthcare-apis/workspace/dicomservice/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12318721261811271092" + "templateHash": "16609630624404769037" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -104,15 +132,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "publicNetworkAccess": { @@ -188,8 +210,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -203,7 +225,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.HealthcareApis/workspaces", + "apiVersion": "2022-06-01", + "name": "[parameters('workspaceName')]" + }, + "dicom": { "type": "Microsoft.HealthcareApis/workspaces/dicomservices", "apiVersion": "2022-06-01", "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", 
@@ -219,23 +247,26 @@ "origins": "[parameters('corsOrigins')]" }, "publicNetworkAccess": "[parameters('publicNetworkAccess')]" - } + }, + "dependsOn": [ + "workspace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "dicom_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]" + "dicom" ] }, - { + "dicom_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -250,10 +281,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]" + "dicom" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -281,14 +312,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]" + "value": "[reference('dicom', '2022-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 710e6b336b..54b9c8776c 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md 
@@ -61,7 +61,7 @@ This module deploys a Healthcare API Workspace FHIR Service. | [`initialImportMode`](#parameter-initialimportmode) | bool | If the FHIR service is in InitialImportMode. | | [`kind`](#parameter-kind) | string | The kind of the service. Defaults to R4. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. | | [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. | @@ -245,11 +245,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index f724cbe5a0..de1c549920 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep +++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep 
@@ -81,13 +81,8 @@ param importEnabled bool = false
 @description('Optional. If the FHIR service is in InitialImportMode.')
 param initialImportMode bool = false
 
-@allowed([
-  ''
-  'CanNotDelete'
-  'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -228,11 +223,11 @@ resource fhir 'Microsoft.HealthcareApis/workspaces/fhirservices@2022-06-01' = {
   }
 }
 
-resource fhir_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${fhir.name}-${lock}-lock'
+resource fhir_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: fhir
 }
@@ -280,3 +275,15 @@ output location string = fhir.location
 
 @description('The name of the fhir workspace.')
 output workspaceName string = workspace.name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
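Review bot: `fhir_lock` is deployed whenever the `lock` object is non-empty and its kind is not `'None'`, so a caller passing only `{ name: 'x' }` reaches `level: lock.?kind ?? ''` and submits a lock with an empty level, which the resource provider will most likely fail rather than ignore. Guarding on the kind itself, `if (lock.?kind != null && lock.?kind != 'None')`, avoids producing an invalid lock from a partially filled object. Since the resource name also changes from `${fhir.name}-${lock}-lock` to `lock-${name}`, an incremental redeploy leaves any lock created under the old name in place alongside the new one; consumers upgrading should be told to remove the old lock explicitly, especially if it was ReadOnly.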
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index 96a6c13806..bf6663e287 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11687946305671678451" + "templateHash": "5251491466026222190" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -178,15 +206,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -326,8 +348,8 @@ "storageAccountName": "[parameters('exportStorageAccountName')]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -341,7 +363,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.HealthcareApis/workspaces", + "apiVersion": "2022-06-01", + "name": "[parameters('workspaceName')]" + }, + "fhir": { "type": "Microsoft.HealthcareApis/workspaces/fhirservices", "apiVersion": "2022-06-01", "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", 
@@ -378,23 +406,26 @@ "loginServers": "[parameters('acrLoginServers')]", "ociArtifacts": "[if(empty(parameters('acrOciArtifacts')), null(), parameters('acrOciArtifacts'))]" } - } + }, + "dependsOn": [ + "workspace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "fhir_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" + "fhir" ] }, - { + "fhir_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -409,10 +440,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" + "fhir" ] }, - { + "fhir_roleAssignments": { "copy": { "name": "fhir_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -566,10 +597,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" + "fhir" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -597,14 +628,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]" + "value": "[reference('fhir', '2022-06-01', 'full').location]" }, "workspaceName": { "type": "string", diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index d250583016..bde9fa418c 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md 
@@ -51,7 +51,7 @@ This module deploys a Healthcare API Workspace IoT Connector. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | @@ -156,11 +156,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep index 137108bd31..68e31cca6b 100644 --- a/modules/healthcare-apis/workspace/iotconnector/main.bicep +++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep 
@@ -42,13 +42,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
-  ''
-  'CanNotDelete'
-  'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -138,11 +133,11 @@ resource iotConnector 'Microsoft.HealthcareApis/workspaces/iotconnectors@2022-06
   }
 }
 
-resource iotConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
-  name: '${iotConnector.name}-${lock}-lock'
+resource iotConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
   properties: {
-    level: any(lock)
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
   scope: iotConnector
 }
@@ -194,3 +189,15 @@ output location string = iotConnector.location
 
 @description('The name of the medtech workspace.')
 output workspaceName string = workspace.name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
index cce29e9a45..169dfcdfbb 100644
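Review bot: The `lockType` definition added at the end of this file documents `kind` only as "Specify the type of lock", which hides the security-relevant default: omitting `lock`, or passing `kind: 'None'`, deploys no lock, so the IoT connector is left deletable and modifiable by anyone with the matching RBAC rights. I would extend the description to `@description('Optional. Specify the type of lock. Omit the parameter or use \'None\' to deploy no lock; \'CanNotDelete\' and \'ReadOnly\' protect the resource against accidental deletion or modification.')`. The `iotConnector_lock` guard in the middle hunk also admits an object with a `name` but no `kind`, in which case `level: lock.?kind ?? ''` submits an empty level that the provider is unlikely to accept; `if (lock.?kind != null && lock.?kind != 'None')` is the tighter condition.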
--- a/modules/healthcare-apis/workspace/iotconnector/main.json +++ b/modules/healthcare-apis/workspace/iotconnector/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3714179156189652458" + "templateHash": "8966290140169117967" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -97,15 +125,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { @@ -192,8 +214,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -207,7 +229,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.HealthcareApis/workspaces", + "apiVersion": "2022-06-01", + "name": "[parameters('workspaceName')]" + }, + "iotConnector": { "type": "Microsoft.HealthcareApis/workspaces/iotconnectors", "apiVersion": "2022-06-01", "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", 
@@ -223,23 +251,26 @@ "deviceMapping": { "content": "[parameters('deviceMapping')]" } - } + }, + "dependsOn": [ + "workspace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "iotConnector_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]" + "iotConnector" ] }, - { + "iotConnector_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -254,10 +285,10 @@
 "logs": "[variables('diagnosticsLogs')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]"
+ "iotConnector"
 ]
 },
- {
+ "fhir_destination": {
 "condition": "[not(empty(parameters('fhirdestination')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
@@ -433,10 +464,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]"
+ "iotConnector"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -464,14 +495,14 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]"
+ "value": "[reference('iotConnector', '2022-06-01', 'full').location]"
 },
 "workspaceName": {
 "type": "string",
diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep
index 00251abaca..933c998407 100644
--- a/modules/healthcare-apis/workspace/main.bicep
+++ b/modules/healthcare-apis/workspace/main.bicep
@@ -9,13 +9,8 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -68,11 +63,11 @@ resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' = {
 }
 }
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${workspace.name}-${lock}-lock'
+resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: workspace
 }
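Review bot: A `lock` object that sets only `name` passes the new `workspace_lock` condition but produces `level: ''`, because the guard tests `!empty(lock ?? {})` rather than the `kind` field, and the Locks API accepts only CanNotDelete or ReadOnly as a level, so the deployment fails instead of being skipped. Gate on the kind instead: `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. The compiled form of the same condition appears in the `*_lock` resources of every main.json hunk on this page, so the fix belongs in the child-service main.bicep files as well. Separately, the lock name changes from `${workspace.name}-${lock}-lock` to `lock-${name}`; on an incremental redeployment over an existing environment the old lock is not removed, so both locks will coexist until the old one is deleted by hand, which is worth a sentence in the README or changelog.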
@@ -119,7 +114,7 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f
 importStorageAccountName: contains(fhir, 'importStorageAccountName') ? fhir.importStorageAccountName : ''
 importEnabled: contains(fhir, 'importEnabled') ? fhir.importEnabled : false
 initialImportMode: contains(fhir, 'initialImportMode') ? fhir.initialImportMode : false
- lock: contains(fhir, 'lock') ? fhir.lock : ''
+ lock: fhir.?lock ?? lock
 resourceVersionPolicy: contains(fhir, 'resourceVersionPolicy') ? fhir.resourceVersionPolicy : 'versioned'
 resourceVersionOverrides: contains(fhir, 'resourceVersionOverrides') ? fhir.resourceVersionOverrides : {}
 smartProxyEnabled: contains(fhir, 'smartProxyEnabled') ? fhir.smartProxyEnabled : false
@@ -148,7 +143,7 @@ module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) i
 diagnosticWorkspaceId: contains(dicom, 'diagnosticWorkspaceId') ? dicom.diagnosticWorkspaceId : ''
 diagnosticEventHubAuthorizationRuleId: contains(dicom, 'diagnosticEventHubAuthorizationRuleId') ? dicom.diagnosticEventHubAuthorizationRuleId : ''
 diagnosticEventHubName: contains(dicom, 'diagnosticEventHubName') ? dicom.diagnosticEventHubName : ''
- lock: contains(dicom, 'lock') ? dicom.lock : ''
+ lock: dicom.?lock ?? lock
 userAssignedIdentities: contains(dicom, 'userAssignedIdentities') ? dicom.userAssignedIdentities : {}
 diagnosticLogCategoriesToEnable: contains(dicom, 'diagnosticLogCategoriesToEnable') ? dicom.diagnosticLogCategoriesToEnable : [ 'AuditLogs' ]
 enableDefaultTelemetry: enableReferencedModulesTelemetry
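Review bot: `lock: fhir.?lock ?? lock` silently changes the default for child services from "no lock" to "the workspace's lock", and nothing in the hunk, the `fhirservices` parameter description or the README records this; the dicomservices hunk here and the iotconnector hunk below make the same change. After this commit, setting `lock` on the workspace also locks every FHIR, DICOM and IoT child unless each child passes `lock: { kind: 'None' }`, which is a stronger and generally safer posture but should be stated where callers will see it. Suggest a line comment, `// inherits the workspace lock unless the child sets its own; use kind: 'None' to opt out`, plus the same sentence in the child-array parameter descriptions. As a point of style, the new `.?`/`??` form now sits beside the `contains(fhir, 'x') ? fhir.x : default` pattern on every neighbouring line; converting the rest would make the property list uniform. The enclosing module declarations start and end outside the hunks.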
@@ -175,7 +170,7 @@ module workspace_iotconnector 'iotconnector/main.bicep' = [for (iotConnector, in
 diagnosticWorkspaceId: contains(iotConnector, 'diagnosticWorkspaceId') ? iotConnector.diagnosticWorkspaceId : ''
 diagnosticEventHubAuthorizationRuleId: contains(iotConnector, 'diagnosticEventHubAuthorizationRuleId') ? iotConnector.diagnosticEventHubAuthorizationRuleId : ''
 diagnosticEventHubName: contains(iotConnector, 'diagnosticEventHubName') ? iotConnector.diagnosticEventHubName : ''
- lock: contains(iotConnector, 'lock') ? iotConnector.lock : ''
+ lock: iotConnector.?lock ?? lock
 userAssignedIdentities: contains(iotConnector, 'userAssignedIdentities') ? iotConnector.userAssignedIdentities : {}
 diagnosticLogCategoriesToEnable: contains(iotConnector, 'diagnosticLogCategoriesToEnable') ? iotConnector.diagnosticLogCategoriesToEnable : [ 'DiagnosticLogs' ]
 diagnosticMetricsToEnable: contains(iotConnector, 'diagnosticMetricsToEnable') ? iotConnector.diagnosticMetricsToEnable : [ 'AllMetrics' ]
@@ -194,3 +189,15 @@ output resourceGroupName string = resourceGroup().name
 @description('The location the resource was deployed into.')
 output location string = workspace.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json
index 3437138b45..41a468c521 100644
--- a/modules/healthcare-apis/workspace/main.json
+++ b/modules/healthcare-apis/workspace/main.json
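Review bot: The `kind` description on the new `lockType` does not explain `None`, which is the one value whose meaning is not self-evident: it is a no-op for a standalone deployment, but with `lock: iotConnector.?lock ?? lock` in the hunk above it is the only way for a child service to exempt itself from a lock set on the workspace. Suggest `@description('Optional. Specify the type of lock. Use None to explicitly disable a lock inherited from the parent.')`. Both fields are nullable, so the type accepts `{ name: 'x' }` with no kind; whichever resource consumes the type has to treat a missing kind as "no lock" rather than passing it through.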
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5818866804276261569"
+ "templateHash": "14046183075929419967"
 },
 "name": "Healthcare API Workspaces",
 "description": "This module deploys a Healthcare API Workspace.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -27,15 +55,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -95,8 +117,8 @@
 "variables": {
 "enableReferencedModulesTelemetry": false
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -110,7 +132,7 @@
 }
 }
 },
- {
+ "workspace": {
 "type": "Microsoft.HealthcareApis/workspaces",
 "apiVersion": "2022-06-01",
 "name": "[parameters('name')]",
@@ -120,21 +142,21 @@
 "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
 }
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "workspace_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]"
+ "workspace"
 ]
 },
- {
+ "workspace_roleAssignments": {
 "copy": {
 "name": "workspace_roleAssignments",
 "count": "[length(parameters('roleAssignments'))]"
@@ -288,10 +310,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]"
+ "workspace"
 ]
 },
- {
+ "workspace_fhirservices": {
 "copy": {
 "name": "workspace_fhirservices",
 "count": "[length(parameters('fhirservices'))]"
@@ -339,7 +361,9 @@
 "importStorageAccountName": "[if(contains(parameters('fhirservices')[copyIndex()], 'importStorageAccountName'), createObject('value', parameters('fhirservices')[copyIndex()].importStorageAccountName), createObject('value', ''))]",
 "importEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'importEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].importEnabled), createObject('value', false()))]",
 "initialImportMode": "[if(contains(parameters('fhirservices')[copyIndex()], 'initialImportMode'), createObject('value', parameters('fhirservices')[copyIndex()].initialImportMode), createObject('value', false()))]",
- "lock": "[if(contains(parameters('fhirservices')[copyIndex()], 'lock'), createObject('value', parameters('fhirservices')[copyIndex()].lock), createObject('value', ''))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('fhirservices')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "resourceVersionPolicy": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionPolicy'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionPolicy), createObject('value', 'versioned'))]",
 "resourceVersionOverrides": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionOverrides'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionOverrides), createObject('value', createObject()))]",
 "smartProxyEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'smartProxyEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].smartProxyEnabled), createObject('value', false()))]",
@@ -352,17 +376,45 @@
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11687946305671678451"
+ "templateHash": "5251491466026222190"
 },
 "name": "Healthcare API Workspace FHIR Services",
 "description": "This module deploys a Healthcare API Workspace FHIR Service.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -530,15 +582,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -678,8 +724,8 @@
 "storageAccountName": "[parameters('exportStorageAccountName')]"
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -693,7 +739,13 @@
 }
 }
 },
- {
+ "workspace": {
+ "existing": true,
+ "type": "Microsoft.HealthcareApis/workspaces",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('workspaceName')]"
+ },
+ "fhir": {
 "type": "Microsoft.HealthcareApis/workspaces/fhirservices",
 "apiVersion": "2022-06-01",
 "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]",
@@ -730,23 +782,26 @@
 "loginServers": "[parameters('acrLoginServers')]",
 "ociArtifacts": "[if(empty(parameters('acrOciArtifacts')), null(), parameters('acrOciArtifacts'))]"
 }
- }
+ },
+ "dependsOn": [
+ "workspace"
+ ]
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "fhir_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]"
+ "fhir"
 ]
 },
- {
+ "fhir_diagnosticSettings": {
 "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
@@ -761,10 +816,10 @@
 "logs": "[variables('diagnosticsLogs')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]"
+ "fhir"
 ]
 },
- {
+ "fhir_roleAssignments": {
 "copy": {
 "name": "fhir_roleAssignments",
 "count": "[length(parameters('roleAssignments'))]"
@@ -918,10 +973,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]"
+ "fhir"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -949,14 +1004,14 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]"
+ "value": "[reference('fhir', '2022-06-01', 'full').location]"
 },
 "workspaceName": {
 "type": "string",
@@ -969,10 +1024,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]"
+ "workspace"
 ]
 },
- {
+ "workspace_dicomservices": {
 "copy": {
 "name": "workspace_dicomservices",
 "count": "[length(parameters('dicomservices'))]"
@@ -1007,7 +1062,9 @@
 "diagnosticWorkspaceId": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]",
 "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]",
 "diagnosticEventHubName": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]",
- "lock": "[if(contains(parameters('dicomservices')[copyIndex()], 'lock'), createObject('value', parameters('dicomservices')[copyIndex()].lock), createObject('value', ''))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "userAssignedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('dicomservices')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]",
 "diagnosticLogCategoriesToEnable": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray('AuditLogs')))]",
 "enableDefaultTelemetry": {
@@ -1016,17 +1073,45 @@
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12318721261811271092"
+ "templateHash": "16609630624404769037"
 },
 "name": "Healthcare API Workspace DICOM Services",
 "description": "This module deploys a Healthcare API Workspace DICOM Service.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -1120,15 +1205,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "publicNetworkAccess": {
@@ -1204,8 +1283,8 @@
 "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]"
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -1219,7 +1298,13 @@
 }
 }
 },
- {
+ "workspace": {
+ "existing": true,
+ "type": "Microsoft.HealthcareApis/workspaces",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('workspaceName')]"
+ },
+ "dicom": {
 "type": "Microsoft.HealthcareApis/workspaces/dicomservices",
 "apiVersion": "2022-06-01",
 "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]",
@@ -1235,23 +1320,26 @@
 "origins": "[parameters('corsOrigins')]"
 },
 "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
- }
+ },
+ "dependsOn": [
+ "workspace"
+ ]
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "dicom_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]"
+ "dicom"
 ]
 },
- {
+ "dicom_diagnosticSettings": {
 "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
@@ -1266,10 +1354,10 @@
 "logs": "[variables('diagnosticsLogs')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name'))]"
+ "dicom"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -1297,23 +1385,23 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/dicomservices', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]"
+ "value": "[reference('dicom', '2022-06-01', 'full').location]"
 }
 }
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]"
+ "workspace"
 ]
 },
- {
+ "workspace_iotconnector": {
 "copy": {
 "name": "workspace_iotconnector",
 "count": "[length(parameters('iotconnectors'))]"
@@ -1351,7 +1439,9 @@
 "diagnosticWorkspaceId": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]",
 "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]",
 "diagnosticEventHubName": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]",
- "lock": "[if(contains(parameters('iotconnectors')[copyIndex()], 'lock'), createObject('value', parameters('iotconnectors')[copyIndex()].lock), createObject('value', ''))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "userAssignedIdentities": "[if(contains(parameters('iotconnectors')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('iotconnectors')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]",
 "diagnosticLogCategoriesToEnable": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray('DiagnosticLogs')))]",
 "diagnosticMetricsToEnable": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticMetricsToEnable'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics')))]",
@@ -1361,17 +1451,45 @@
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3714179156189652458"
+ "templateHash": "8966290140169117967"
 },
 "name": "Healthcare API Workspace IoT Connectors",
 "description": "This module deploys a Healthcare API Workspace IoT Connector.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -1458,15 +1576,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "systemAssignedIdentity": {
@@ -1553,8 +1665,8 @@
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -1568,7 +1680,13 @@
 }
 }
 },
- {
+ "workspace": {
+ "existing": true,
+ "type": "Microsoft.HealthcareApis/workspaces",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('workspaceName')]"
+ },
+ "iotConnector": {
 "type": "Microsoft.HealthcareApis/workspaces/iotconnectors",
 "apiVersion": "2022-06-01",
 "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]",
@@ -1584,23 +1702,26 @@
 "deviceMapping": {
 "content": "[parameters('deviceMapping')]"
 }
- }
+ },
+ "dependsOn": [
+ "workspace"
+ ]
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "iotConnector_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]"
+ "iotConnector"
 ]
 },
- {
+ "iotConnector_diagnosticSettings": {
 "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
@@ -1615,10 +1736,10 @@
 "logs": "[variables('diagnosticsLogs')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]"
+ "iotConnector"
 ]
 },
- {
+ "fhir_destination": {
 "condition": "[not(empty(parameters('fhirdestination')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
@@ -1794,10 +1915,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name'))]"
+ "iotConnector"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -1825,14 +1946,14 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces/iotconnectors', parameters('workspaceName'), parameters('name')), '2022-06-01', 'full').location]"
+ "value": "[reference('iotConnector', '2022-06-01', 'full').location]"
 },
 "workspaceName": {
 "type": "string",
@@ -1845,10 +1966,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]"
+ "workspace"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -1876,7 +1997,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.HealthcareApis/workspaces', parameters('name')), '2022-06-01', 'full').location]" + "value": "[reference('workspace', '2022-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep index 5c0660113b..38434e41b8 100644 --- a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep +++ b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep @@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' publicNetworkAccess: 'Enabled' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index b967448c1e..77a855bbb2 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -14,7 +14,7 @@ This module deploys a Data Collection Endpoint. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/dataCollectionEndpoints` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-04-01/dataCollectionEndpoints) | 
@@ -47,7 +47,10 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin // Non-required parameters enableDefaultTelemetry: '' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicNetworkAccess: 'Enabled' roleAssignments: [ { @@ -91,7 +94,10 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin "value": "Windows" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "publicNetworkAccess": { "value": "Enabled" @@ -185,7 +191,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`kind`](#parameter-kind) | string | The kind of the resource. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The configuration to set whether network access from public internet to the endpoints are allowed. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Resource tags. | 
@@ -214,11 +220,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep index 52427ec886..acff2f2fea 100644 --- a/modules/insights/data-collection-endpoint/main.bicep +++ b/modules/insights/data-collection-endpoint/main.bicep @@ -22,13 +22,8 @@ param kind string = 'Linux' @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Specify the type of lock.') -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -71,11 +66,11 @@ resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021 } } -resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${dataCollectionEndpoint.name}-${lock}-lock' +resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dataCollectionEndpoint } @@ -108,3 +103,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = dataCollectionEndpoint.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json index f40ef19865..1ef931a6cf 100644 --- a/modules/insights/data-collection-endpoint/main.json +++ b/modules/insights/data-collection-endpoint/main.json 
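Review bot: The new condition `if (!empty(lock ?? {}) && lock.?kind != 'None')` on `dataCollectionEndpoint_lock` still deploys the lock when a caller passes an object without `kind` (for example `{ name: 'myLock' }`), and `level: lock.?kind ?? ''` then sends an empty level, which the locks API is unlikely to accept, so the mistake surfaces as a deployment failure instead of a type error. Keying the condition on the kind itself, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, keeps a name-only object from producing a half-configured lock; the same pattern is in `dataCollectionRule_lock` (data-collection-rule main.bicep hunk) and `privateLinkScope_lock` (private-link-scope main.bicep hunk) below. The default name also moves from `${dataCollectionEndpoint.name}-${lock}-lock` to `lock-${name}`, so an incremental redeployment of a module that already carried a lock creates a second lock and, as far as this hunk shows, leaves the old one in place; the README or a migration note should say so, since nothing in the commit removes the previously named lock.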
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13275626141321439645" + "templateHash": "18059348054064453777" }, "name": "Data Collection Endpoints", "description": "This module deploys a Data Collection Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -44,15 +72,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -81,8 +103,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -96,7 +118,7 @@ } } }, - { + "dataCollectionEndpoint": { "type": "Microsoft.Insights/dataCollectionEndpoints", "apiVersion": "2021-04-01", "name": "[parameters('name')]", 
@@ -109,21 +131,21 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "dataCollectionEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name'))]" + "dataCollectionEndpoint" ] }, - { + "dataCollectionEndpoint_roleAssignments": { "copy": { "name": "dataCollectionEndpoint_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -398,10 +420,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name'))]" + "dataCollectionEndpoint" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -429,7 +451,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name')), '2021-04-01', 'full').location]" + "value": "[reference('dataCollectionEndpoint', '2021-04-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep index 1cf0e970d1..c4481adbbf 100644 --- a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep +++ b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep @@ -124,7 +124,10 @@ module testDeployment '../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep index 6c63236ece..541899d269 100644 --- a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep +++ b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep @@ -108,7 +108,10 @@ module testDeployment '../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep index 241333333f..a128245e24 100644 --- a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep +++ b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep @@ -87,7 +87,10 @@ module testDeployment '../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/modules/insights/data-collection-rule/.test/linux/main.test.bicep b/modules/insights/data-collection-rule/.test/linux/main.test.bicep index 81a4953413..685aae6520 100644 --- a/modules/insights/data-collection-rule/.test/linux/main.test.bicep +++ b/modules/insights/data-collection-rule/.test/linux/main.test.bicep @@ -200,7 +200,10 @@ module testDeployment '../../main.bicep' = { ] enableDefaultTelemetry: enableDefaultTelemetry kind: 'Linux' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/insights/data-collection-rule/.test/windows/main.test.bicep b/modules/insights/data-collection-rule/.test/windows/main.test.bicep index 77ac653b2f..0c1b810c6b 100644 --- a/modules/insights/data-collection-rule/.test/windows/main.test.bicep +++ b/modules/insights/data-collection-rule/.test/windows/main.test.bicep @@ -154,7 +154,10 @@ module testDeployment '../../main.bicep' = { ] enableDefaultTelemetry: enableDefaultTelemetry kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md index d1ce364f66..a2632e8b5f 100644 --- a/modules/insights/data-collection-rule/README.md +++ b/modules/insights/data-collection-rule/README.md 
@@ -14,7 +14,7 @@ This module deploys a Data Collection Rule. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/dataCollectionRules` | [2021-09-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-09-01-preview/dataCollectionRules) | @@ -90,7 +90,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' description: 'Collecting custom text logs with ingestion-time transformation to columns. Expected format of a log line (comma separated values): \'\' for example: \'2023-01-25T20:15:05ZERROR404Page not found\'' enableDefaultTelemetry: '' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -215,7 +218,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' "value": "Windows" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -331,7 +337,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' description: 'Collecting custom text logs without ingestion-time transformation.' enableDefaultTelemetry: '' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ 
@@ -440,7 +449,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' "value": "Windows" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -533,7 +545,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' description: 'Collecting IIS logs.' enableDefaultTelemetry: '' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -621,7 +636,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' "value": "Windows" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -811,7 +829,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' description: 'Collecting Linux-specific performance counters and Linux Syslog' enableDefaultTelemetry: '' kind: 'Linux' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -1010,7 +1031,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' "value": "Linux" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -1288,7 +1312,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' description: 'Collecting Windows-specific performance counters and Windows Event Logs' enableDefaultTelemetry: '' kind: 'Windows' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ 
@@ -1441,7 +1468,10 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' "value": "Windows" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -1489,7 +1519,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`kind`](#parameter-kind) | string | The kind of the resource. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`streamDeclarations`](#parameter-streamdeclarations) | object | Declaration of custom streams used in this rule. | | [`tags`](#parameter-tags) | object | Resource tags. | 
@@ -1550,11 +1580,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep index 139fe62a5a..1c17c12f6a 100644 --- a/modules/insights/data-collection-rule/main.bicep +++ b/modules/insights/data-collection-rule/main.bicep @@ -37,13 +37,8 @@ param kind string = 'Linux' @sys.description('Optional. Location for all Resources.') param location string = resourceGroup().location -@sys.description('Optional. Specify the type of lock.') -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -param lock string = '' +@sys.description('Optional. The lock settings of the service.') +param lock lockType @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -85,11 +80,11 @@ resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2021-09-01-p } } -resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${dataCollectionRule.name}-${lock}-lock' +resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dataCollectionRule } @@ -122,3 +117,15 @@ output resourceGroupName string = resourceGroup().name @sys.description('The location the resource was deployed into.') output location string = dataCollectionRule.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @sys.description('Optional. Specify the name of lock.') + name: string? + + @sys.description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json index 9fd6a4d083..81c24ae888 100644 --- a/modules/insights/data-collection-rule/main.json +++ b/modules/insights/data-collection-rule/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12233779363216703767" + "templateHash": "3483587059200697547" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -76,15 +104,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -109,8 +131,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -124,7 +146,7 @@ } } }, - { + "dataCollectionRule": { "type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2021-09-01-preview", "name": "[parameters('name')]", 
@@ -140,21 +162,21 @@ "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "dataCollectionRule_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))]" + "dataCollectionRule" ] }, - { + "dataCollectionRule_roleAssignments": { "copy": { "name": "dataCollectionRule_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -429,10 +451,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))]" + "dataCollectionRule" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -460,7 +482,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('name')), '2021-09-01-preview', 'full').location]" + "value": "[reference('dataCollectionRule', '2021-09-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 2d991fa8d8..6f44a2d959 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -217,7 +217,7 @@ This instance deploys the module with the minimum set of required parameters. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | 
@@ -239,11 +239,30 @@ The location of the private link scope. Should be global. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep index 578dac4911..dd426808f0 100644 --- a/modules/insights/private-link-scope/main.bicep +++ b/modules/insights/private-link-scope/main.bicep @@ -9,13 +9,8 @@ param name string @description('Optional. The location of the private link scope. Should be global.') param location string = 'global' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -63,11 +58,11 @@ module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scop } }] -resource privateLinkScope_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${privateLinkScope.name}-${lock}-lock' +resource privateLinkScope_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: privateLinkScope } @@ -83,7 +78,7 @@ module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bi subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
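Review bot: `lock: privateEndpoint.?lock ?? lock` in `privateLinkScope_privateEndpoints` changes behaviour: an endpoint that does not set its own `lock` previously received `null` and now inherits the scope's lock, so a `CanNotDelete` lock on the private link scope also locks every private endpoint the module creates. Inheriting a lock is a defensible default, but neither the parameter description (`Optional. The lock settings of the service.`) nor the README in this commit mentions it, and a caller who wants an unlocked endpoint has to know to pass `lock: { kind: 'None' }` on that endpoint, which presumably works only if the referenced private-endpoint module applies the same `kind != 'None'` check (its side is not visible here). Suggest extending the description to `@description('Optional. The lock settings of the service. Also applied to the private endpoints unless an endpoint sets its own lock (use kind \'None\' to opt out).')` so the generated README carries the inheritance, and confirming that the private-endpoint module's `lock` parameter already accepts the object shape.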
@@ -120,3 +115,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = privateLinkScope.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index ee38f7fe59..fcc3551f3e 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14715354343666542323" + "templateHash": "8075984663327390200" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -27,15 +55,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -77,8 +99,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -92,7 +114,7 @@ } } }, - { + "privateLinkScope": { "type": "microsoft.insights/privateLinkScopes", "apiVersion": "2019-10-17-preview", "name": "[parameters('name')]", 
@@ -100,21 +122,21 @@ "tags": "[parameters('tags')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateLinkScope_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" + "privateLinkScope" ] }, - { + "privateLinkScope_scopedResource": { "copy": { "name": "privateLinkScope_scopedResource", "count": "[length(parameters('scopedResources'))]" @@ -233,10 +255,10 @@ } }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" + "privateLinkScope" ] }, - { + "privateLinkScope_privateEndpoints": { "copy": { "name": "privateLinkScope_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -266,7 +288,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -760,10 +784,10 @@ } }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" + "privateLinkScope" ] }, - { + "privateLinkScope_roleAssignments": { "copy": { "name": "privateLinkScope_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1038,10 +1062,10 @@ } }, "dependsOn": [ - "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" + "privateLinkScope" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1069,7 +1093,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), '2019-10-17-preview', 'full').location]"
+ "value": "[reference('privateLinkScope', '2019-10-17-preview', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/insights/webtest/.test/common/main.test.bicep b/modules/insights/webtest/.test/common/main.test.bicep
index 2c96c3c4dd..6e4f1097cd 100644
--- a/modules/insights/webtest/.test/common/main.test.bicep
+++ b/modules/insights/webtest/.test/common/main.test.bicep
@@ -69,6 +69,9 @@ module testDeployment '../../main.bicep' = {
 RequestUrl: 'https://learn.microsoft.com/en-us/'
 HttpVerb: 'GET'
 }
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 }
 }
diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md
index e875e2c3a4..f04f2eedbb 100644
--- a/modules/insights/webtest/README.md
+++ b/modules/insights/webtest/README.md
@@ -60,7 +60,10 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = {
 Id: 'emea-nl-ams-azr'
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 syntheticMonitorId: 'iwtcom001'
 }
 }
@@ -109,7 +112,10 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = {
 ]
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "syntheticMonitorId": {
 "value": "iwtcom001"
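Review bot: The updated `testDeployment` only exercises `kind: 'CanNotDelete'` together with a custom `name`, so neither the default-name path (`lock-<name>`) nor the new `kind: 'None'` opt-out introduced in the module is deployed by the tests, as far as this diff shows. A second scenario with `lock: { kind: 'CanNotDelete' }` and no `name`, or one with `kind: 'None'`, would validate the fallback and the opt-out against the real locks API. The other test updates in this diff (L13471, L13481) have the same coverage gap.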
@@ -217,7 +223,7 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { | [`kind`](#parameter-kind) | string | The kind of WebTest that this web test watches. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`locations`](#parameter-locations) | array | List of where to physically run the tests from to give global coverage for accessibility of your application. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`retryEnabled`](#parameter-retryenabled) | bool | Allow for retries should this WebTest fail. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`syntheticMonitorId`](#parameter-syntheticmonitorid) | string | Unique ID of this WebTest. | @@ -283,11 +289,30 @@ List of where to physically run the tests from to give global coverage for acces ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep
index 246c2c8f82..8dc56e6208 100644
--- a/modules/insights/webtest/main.bicep
+++ b/modules/insights/webtest/main.bicep
@@ -68,13 +68,8 @@ param validationRules object = {}
 @sys.description('Optional. An XML configuration specification for a WebTest.')
 param configuration object = {}
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@sys.description('Optional. Specify the type of lock.')
-param lock string = ''
+@sys.description('Optional. The lock settings of the service.')
+param lock lockType
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -114,11 +109,11 @@ resource webtest 'Microsoft.Insights/webtests@2022-06-15' = {
 }
 }
-resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${webtest.name}-${lock}-lock'
+resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: webtest
 }
@@ -147,3 +142,15 @@ output resourceGroupName string = resourceGroup().name
 @sys.description('The location the resource was deployed into.')
 output location string = webtest.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @sys.description('Optional. Specify the name of lock.')
+ name: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json
index 334ab5e53b..3421143fd2 100644
--- a/modules/insights/webtest/main.json
+++ b/modules/insights/webtest/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17812769147790423288"
+ "templateHash": "5083769874568956542"
 },
 "name": "Web Tests",
 "description": "This module deploys a Web Test.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -135,15 +163,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -161,8 +183,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -176,7 +198,7 @@ } } }, - { + "webtest": { "type": "Microsoft.Insights/webtests", "apiVersion": "2022-06-15", "name": "[parameters('name')]", @@ -197,21 +219,21 @@ "Configuration": "[parameters('configuration')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "webtest_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/webtests', parameters('name'))]" + "webtest" ] }, - { + "webtest_roleAssignments": { "copy": { "name": "webtest_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -486,10 +508,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Insights/webtests', parameters('name'))]" + "webtest" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -517,7 +539,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/webtests', parameters('name')), '2022-06-15', 'full').location]" + "value": "[reference('webtest', '2022-06-15', 'full').location]" } } } \ No newline at end of file diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index 9e0a717286..54db495112 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -114,7 +114,10 @@ module testDeployment '../../main.bicep' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' @@ -133,9 +136,7 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] service: 'vault' subnetResourceId: nestedDependencies.outputs.subnetResourceId diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index 2a99bb5bf2..32078f69a2 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep @@ -87,12 +87,10 @@ module testDeployment '../../main.bicep' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}' - } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + name: 'dep-${namePrefix}-pe-${serviceShort}' service: 'vault' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 39402576cf..ef1ac097eb 100644 --- a/modules/key-vault/vault/README.md 
+++ b/modules/key-vault/vault/README.md @@ -272,7 +272,10 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' @@ -419,7 +422,10 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkAcls": { "value": { @@ -593,12 +599,10 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { } privateEndpoints: [ { - privateDnsZoneGroup: { - privateDNSResourceIds: [ - '' - ] - privateEndpointName: 'dep-pe-kvvpe' - } + name: 'dep-pe-kvvpe' + privateDnsZoneResourceIds: [ + '' + ] service: 'vault' subnetResourceId: '' tags: { @@ -675,12 +679,10 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "privateEndpoints": { "value": [ { - "privateDnsZoneGroup": { - "privateDNSResourceIds": [ - "" - ], - "privateEndpointName": "dep-pe-kvvpe" - }, + "name": "dep-pe-kvvpe", + "privateDnsZoneResourceIds": [ + "" + ], "service": "vault", "subnetResourceId": "", "tags": { 
@@ -736,7 +738,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { | [`enableVaultForTemplateDeployment`](#parameter-enablevaultfortemplatedeployment) | bool | Specifies if the vault is enabled for a template deployment. | | [`keys`](#parameter-keys) | array | All keys to create. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkAcls`](#parameter-networkacls) | object | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | @@ -876,11 +878,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index 299ed864a3..2c57f21433 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -76,13 +76,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 param diagnosticEventHubName string = ''
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -194,11 +189,11 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 }
-resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${keyVault.name}-${lock}-lock'
+resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: keyVault
 }
@@ -271,7 +266,7 @@ module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -314,3 +309,15 @@ output uri string = keyVault.properties.vaultUri
 @description('The location the resource was deployed into.')
 output location string = keyVault.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index 18c95c024b..b005c249e1 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "428199812087139263"
+ "templateHash": "7889486567916946321"
 },
 "name": "Key Vaults",
 "description": "This module deploys a Key Vault.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -162,15 +190,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -270,8 +292,8 @@ "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -285,7 +307,7 @@ } } }, - { + "keyVault": { "type": "Microsoft.KeyVault/vaults", "apiVersion": "2022-07-01", "name": "[parameters('name')]", 
@@ -310,21 +332,21 @@ "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "keyVault_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -339,10 +361,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_accessPolicies": { "condition": "[not(empty(parameters('accessPolicies')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -462,10 +484,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_secrets": { "copy": { "name": "keyVault_secrets", "count": "[length(variables('secretList'))]" @@ -796,10 +818,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_keys": { "copy": { "name": "keyVault_keys", "count": "[length(parameters('keys'))]" @@ -1177,10 +1199,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_privateEndpoints": { "copy": { "name": "keyVault_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1210,7 +1232,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1704,10 +1728,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] }, - { + "keyVault_roleAssignments": { "copy": { "name": "keyVault_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1863,10 +1887,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" + "keyVault" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1894,14 +1918,14 @@ "metadata": { "description": "The URI of the key vault." }, - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01').vaultUri]" + "value": "[reference('keyVault').vaultUri]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01', 'full').location]" + "value": "[reference('keyVault', '2022-07-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep index 80c5e688ac..9442a3a726 100644 --- a/modules/logic/workflow/.test/common/main.test.bicep +++ b/modules/logic/workflow/.test/common/main.test.bicep @@ -70,7 +70,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 19d3961c81..268e6d4d36 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -51,7 +51,10 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ 
@@ -137,7 +140,10 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -232,7 +238,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { | [`integrationAccount`](#parameter-integrationaccount) | object | The integration account. | | [`integrationServiceEnvironmentResourceId`](#parameter-integrationserviceenvironmentresourceid) | string | The integration service environment Id. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`state`](#parameter-state) | string | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | 
@@ -356,11 +362,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index 9562898748..e21738baf0 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep @@ -47,13 +47,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -189,11 +184,11 @@ resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = { } } -resource logicApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${logicApp.name}-${lock}-lock' +resource logicApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: logicApp } @@ -238,3 +233,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(log @description('The location the resource was deployed into.') output location string = logicApp.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index dde2332a12..8764000248 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json 
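Review bot: A lock object that sets only `name` (for example `{ name: 'x' }`) still passes the new logicApp_lock condition `!empty(lock ?? {}) && lock.?kind != 'None'`, so the lock resource is deployed with `level: ''`, a value Microsoft.Authorization/locks does not accept and that will most likely be rejected at deployment time. Gate on the kind rather than on the object: `resource logicApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. The same condition appears on workspace_lock and maintenanceConfiguration_lock in the machine-learning-services/workspace and maintenance/maintenance-configuration main.bicep hunks further down. Note also that the default lock name moves from `<name>-<kind>-lock` to `lock-<name>`; an incremental redeployment of an existing module instance does not remove the previously created lock, so the old and new locks can coexist until the old one is removed by hand, which is worth a line in the description of `lock.name`.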
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4385100753259148556" + "templateHash": "13172151573954232150" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -117,15 +145,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -271,8 +293,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -286,7 +308,7 @@ } } }, - { + "logicApp": { "type": "Microsoft.Logic/workflows", "apiVersion": "2019-05-01", "name": "[parameters('name')]", @@ -319,21 +341,21 @@ "parameters": "[parameters('definitionParameters')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "logicApp_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" + "logicApp" ] }, - { + "logicApp_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -348,10 +370,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" + "logicApp" ] }, - { + "logicApp_roleAssignments": { "copy": { "name": "logicApp_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -502,10 +524,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" + "logicApp" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -533,14 +555,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Logic/workflows', parameters('name')), '2019-05-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Logic/workflows', parameters('name')), '2019-05-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('logicApp', '2019-05-01', 'full').identity, 'principalId')), reference('logicApp', '2019-05-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Logic/workflows', parameters('name')), '2019-05-01', 'full').location]" + "value": "[reference('logicApp', '2019-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index 858b81f335..497b86c749 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep @@ -110,7 +110,10 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName discoveryUrl: 'http://example.com' imageBuildCompute: 'testcompute' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId privateEndpoints: [ { 
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 8240128522..2ee7b8950f 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -91,7 +91,10 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = discoveryUrl: 'http://example.com' enableDefaultTelemetry: '' imageBuildCompute: 'testcompute' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } primaryUserAssignedIdentity: '' privateEndpoints: [ { @@ -213,7 +216,10 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "value": "testcompute" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "primaryUserAssignedIdentity": { "value": "" 
@@ -511,7 +517,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | [`hbiWorkspace`](#parameter-hbiworkspace) | bool | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | | [`imageBuildCompute`](#parameter-imagebuildcompute) | string | The compute name for image build. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -681,11 +687,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index afce9701f6..38af26ff9f 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep @@ -32,13 +32,8 @@ param associatedApplicationInsightsResourceId string @sys.description('Optional. The resource ID of the associated Container Registry.') param associatedContainerRegistryResourceId string = '' -@sys.allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@sys.description('Optional. Specify the type of lock.') -param lock string = '' +@sys.description('Optional. The lock settings of the service.') +param lock lockType @sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.') param hbiWorkspace bool = false 
@@ -189,9 +184,13 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { - name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) + + resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { + name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + } } resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' = { @@ -220,7 +219,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' = { } : null keyVaultProperties: { keyVaultArmId: cMKKeyVaultResourceId - keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion + keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion } } : null imageBuildCompute: imageBuildCompute 
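Review bot: The placeholder values `'dummyVault'`, `'//'` and `'////'` in the cMKKeyVault `name` and `scope` expressions are not explained anywhere in the hunk; as far as the code shows, they exist only so that `last(split(...))` and `split(...)[2]`/`[4]` stay valid when `cMKKeyVaultResourceId` is empty and the conditional existing resource is skipped. A comment above the resource would stop the next maintainer from "fixing" them, e.g. `// Placeholder segments keep the split() indexes valid when no CMK vault is supplied; the resource is conditional and never resolved in that case.` Separately, the parent is gated on `cMKKeyVaultResourceId` and the child `cMKKey` on `cMKKeyName`, while the `keyIdentifier` in the second hunk dereferences `cMKKeyVault::cMKKey` whenever the `encryption` block is evaluated (its condition starts outside this hunk; the compiled main.json in this commit keys it on `cMKKeyName` alone), so a `cMKKeyName` supplied without a `cMKKeyVaultResourceId` would reference a resource that was never resolved — worth documenting as a required pairing on both parameter descriptions, or rejecting explicitly.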
@@ -254,11 +253,11 @@ module workspace_computes 'compute/main.bicep' = [for compute in computes: { ] }] -resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${workspace.name}-${lock}-lock' +resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: workspace } @@ -287,7 +286,7 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
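Review bot: `lock: privateEndpoint.?lock ?? lock` in the workspace_privateEndpoints hunk is a behaviour change: a private endpoint that does not set its own `lock` now inherits the workspace's lock object instead of `null`, and neither the `lock` nor the `privateEndpoints` parameter description mentions it. Extend the lock description, e.g. `@sys.description('Optional. The lock settings of the service. Also applied to each private endpoint unless the endpoint specifies its own lock.')`. The line also assumes the network/private-endpoint module's `lock` parameter already accepts the new `lockType` object rather than the old string; that module is outside this hunk, so confirm it was migrated in the same change. The enclosing `module workspace_privateEndpoints` declaration starts outside the hunk.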
@@ -328,3 +327,15 @@ output principalId string = (!empty(identity) && contains(identity.type, 'System @sys.description('The location the resource was deployed into.') output location string = workspace.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @sys.description('Optional. Specify the name of lock.') + name: string? + + @sys.description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index 7d2fd747c0..5f059e2b37 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15631837219684432270" + "templateHash": "7851635446929911077" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -63,15 +91,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "hbiWorkspace": { @@ -310,8 +332,20 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -325,7 +359,16 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "workspace": { "type": "Microsoft.MachineLearningServices/workspaces", "apiVersion": "2022-10-01", "name": "[parameters('name')]", 
@@ -346,29 +389,32 @@ "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]", "description": "[parameters('description')]", "discoveryUrl": "[parameters('discoveryUrl')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'Enabled', 'identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyVaultProperties', createObject('keyVaultArmId', parameters('cMKKeyVaultResourceId'), 'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUri, parameters('cMKKeyVersion')), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion))), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'Enabled', 'identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyVaultProperties', createObject('keyVaultArmId', parameters('cMKKeyVaultResourceId'), 
'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", "imageBuildCompute": "[parameters('imageBuildCompute')]", "primaryUserAssignedIdentity": "[parameters('primaryUserAssignedIdentity')]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", "serviceManagedResourcesSettings": "[parameters('serviceManagedResourcesSettings')]", "sharedPrivateLinkResources": "[parameters('sharedPrivateLinkResources')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "workspace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), 
not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -383,10 +429,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_computes": { "copy": { "name": "workspace_computes", "count": "[length(parameters('computes'))]" @@ -634,11 +680,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]", + "workspace", "workspace_privateEndpoints" ] }, - { + "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -668,7 +714,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1159,10 +1207,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1312,10 +1360,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" + "workspace" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1343,14 +1391,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(not(empty(variables('identity'))), contains(variables('identity').type, 'SystemAssigned')), reference(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), '2022-10-01', 'full').identity.principalId, '')]" + "value": "[if(and(not(empty(variables('identity'))), contains(variables('identity').type, 'SystemAssigned')), reference('workspace', '2022-10-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('workspace', '2022-10-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep index 4606ff4c70..a7ae7e0b34 100644 --- a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep @@ -55,7 +55,10 @@ module testDeployment '../../main.bicep' = { extensionProperties: { InGuestPatchMode: 'User' } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 75f6334537..07317ba130 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md 
@@ -65,7 +65,10 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config kbNumbersToInclude: '' } } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } maintenanceWindow: { duration: '03:00' expirationDateTime: '9999-12-31 23:59:59' @@ -137,7 +140,10 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config } }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "maintenanceWindow": { "value": { @@ -244,7 +250,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config | [`extensionProperties`](#parameter-extensionproperties) | object | Gets or sets extensionProperties of the maintenanceConfiguration. | | [`installPatches`](#parameter-installpatches) | object | Configuration settings for VM guest patching with Azure Update Manager. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maintenanceScope`](#parameter-maintenancescope) | string | Gets or sets maintenanceScope of the configuration. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Definition of a MaintenanceWindow. | | [`namespace`](#parameter-namespace) | string | Gets or sets namespace of the resource. | 
@@ -282,11 +288,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maintenanceScope` diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep index cb6d711d8c..7c1563e5cb 100644 --- a/modules/maintenance/maintenance-configuration/main.bicep +++ b/modules/maintenance/maintenance-configuration/main.bicep @@ -18,13 +18,8 @@ param extensionProperties object = {} @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Specify the type of lock.') -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Gets or sets maintenanceScope of the configuration.') @allowed([ 
@@ -90,11 +85,11 @@ resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfiguratio } } -resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${maintenanceConfiguration.name}-${lock}-lock' +resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: maintenanceConfiguration } @@ -127,3 +122,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the Maintenance Configuration was created in.') output location string = maintenanceConfiguration.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json index 1215f56f14..06577a9c39 100644 --- a/modules/maintenance/maintenance-configuration/main.json +++ b/modules/maintenance/maintenance-configuration/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2646666210857505384" + "templateHash": "4333184280413980220" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -40,15 +68,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "maintenanceScope": { @@ -114,8 +136,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -129,7 +151,7 @@ } } }, - { + "maintenanceConfiguration": { "type": "Microsoft.Maintenance/maintenanceConfigurations", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -144,21 +166,21 @@ "installPatches": "[if(equals(parameters('maintenanceScope'), 'InGuestPatch'), parameters('installPatches'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "maintenanceConfiguration_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]" + "maintenanceConfiguration" ] }, - { + "maintenanceConfiguration_roleAssignments": { "copy": { "name": "maintenanceConfiguration_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -304,10 +326,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]" + "maintenanceConfiguration" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -335,7 +357,7 @@ "metadata": { "description": "The location the Maintenance Configuration was created in." }, - "value": "[reference(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('maintenanceConfiguration', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep index d99f3b2a60..87518c8a84 100644 --- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } federatedIdentityCredentials: [ { name: 'test-fed-cred-${serviceShort}-001' diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index bcf7800957..e37e89000b 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -54,7 +54,10 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide subject: 'system:serviceaccount:default:workload-identity-sa' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } name: 'miuaicom001' roleAssignments: [ { @@ -102,7 +105,10 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "name": { "value": "miuaicom001" 
@@ -182,7 +188,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`federatedIdentityCredentials`](#parameter-federatedidentitycredentials) | array | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the User Assigned Identity. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -210,11 +216,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index 9d42e74ee0..8b95e0c538 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep 
@@ -11,13 +11,8 @@ param location string = resourceGroup().location
 @description('Optional. The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object.')
 param federatedIdentityCredentials array = []
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -48,11 +43,11 @@ resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' =
 tags: tags
 }
 
-resource userMsi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${userMsi.name}-${lock}-lock'
+resource userMsi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: userMsi
 }
@@ -99,3 +94,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = userMsi.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index 8b93e98d84..02d9a242bf 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "689312003789935835" + "templateHash": "4654525005739967405" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -34,15 +62,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -70,8 +92,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -85,28 +107,28 @@ } } }, - { + "userMsi": { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "userMsi_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + "userMsi" ] }, - { + "userMsi_federatedIdentityCredentials": { "copy": { "name": "userMsi_federatedIdentityCredentials", "count": "[length(parameters('federatedIdentityCredentials'))]" @@ -243,10 +265,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + "userMsi" ] }, - { + "userMsi_roleAssignments": { "copy": { "name": "userMsi_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -393,10 +415,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + "userMsi" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -417,14 +439,14 @@ "metadata": { "description": "The principal ID (object ID) of the user assigned identity." }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2023-01-31').principalId]" + "value": "[reference('userMsi').principalId]" }, "clientId": { "type": "string", "metadata": { "description": "The client ID (application ID) of the user assigned identity." }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2023-01-31').clientId]" + "value": "[reference('userMsi').clientId]" }, "resourceGroupName": { "type": "string", @@ -438,7 +460,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2023-01-31', 'full').location]" + "value": "[reference('userMsi', '2023-01-31', 'full').location]" } } } \ No newline at end of file diff --git a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep index 962e223224..c5db1e5500 100644 --- a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep +++ b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep @@ -118,7 +118,10 @@ module testDeployment '../../main.bicep' = { volumes: [] } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index c589ef8523..41ea771920 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md 
@@ -162,7 +162,10 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { } ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -276,7 +279,10 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -579,7 +585,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { | [`domainName`](#parameter-domainname) | string | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | | [`tags`](#parameter-tags) | object | Tags for all resources. | 
@@ -643,11 +649,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep index 12fc192758..9deadc4a33 100644 --- a/modules/net-app/net-app-account/main.bicep +++ b/modules/net-app/net-app-account/main.bicep @@ -36,13 +36,8 @@ param roleAssignments array = [] @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags for all resources.') param tags object = {} 
@@ -92,11 +87,11 @@ resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = {
 }
 }
 
-resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${netAppAccount.name}-${lock}-lock'
+resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: netAppAccount
 }
@@ -143,3 +138,15 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = netAppAccount.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json
index 60bd7acee6..1fedbb3e06 100644
--- a/modules/net-app/net-app-account/main.json
+++ b/modules/net-app/net-app-account/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5505435135426261272" + "templateHash": "9658557760968373164" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -89,15 +117,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -130,8 +152,8 @@ "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -145,7 +167,7 @@ } } }, - { + "netAppAccount": { "type": "Microsoft.NetApp/netAppAccounts", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -156,21 +178,21 @@ "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "netAppAccount_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('name'))]" + "netAppAccount" ] }, - { + "netAppAccount_roleAssignments": { "copy": { "name": "netAppAccount_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -315,10 +337,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('name'))]" + "netAppAccount" ] }, - { + "netAppAccount_capacityPools": { "copy": { "name": "netAppAccount_capacityPools", "count": "[length(parameters('capacityPools'))]" @@ -1038,10 +1060,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('name'))]" + "netAppAccount" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1069,7 +1091,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('netAppAccount', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep index 246478d423..0b726f6d54 100644 --- a/modules/network/application-gateway/.test/common/main.test.bicep +++ b/modules/network/application-gateway/.test/common/main.test.bicep @@ -282,7 +282,10 @@ module testDeployment '../../main.bicep' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } probes: [ { name: 'privateVmHttpSettingProbe' diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 04d88f199b..872745291e 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -224,7 +224,10 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -680,7 +683,10 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ 
@@ -986,7 +992,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`listeners`](#parameter-listeners) | array | Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | | [`loadDistributionPolicies`](#parameter-loaddistributionpolicies) | array | Load distribution policies of the application gateway resource. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`privateLinkConfigurations`](#parameter-privatelinkconfigurations) | array | PrivateLink configurations on application gateway. | | [`probes`](#parameter-probes) | array | Probes of the application gateway resource. | @@ -1210,11 +1216,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
index 8d9a2f022d..0b042bc9d9 100644
--- a/modules/network/application-gateway/main.bicep
+++ b/modules/network/application-gateway/main.bicep
@@ -242,13 +242,8 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 enabled: true
 }]
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -343,11 +338,11 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' =
 zones: zones
 }
 
-resource applicationGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${applicationGateway.name}-${lock}-lock'
+resource applicationGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: applicationGateway
 }
@@ -376,7 +371,7 @@ module applicationGateway_privateEndpoints '../../network/private-endpoint/main.
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -413,3 +408,15 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = applicationGateway.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index 9856294bf1..311fe73b19 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
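Review bot: `lock: privateEndpoint.?lock ?? lock` silently changes the default for private endpoints: the removed line passed `null` when the endpoint object had no `lock`, while the new line inherits the gateway's lock, so a `ReadOnly` or `CanNotDelete` lock on the gateway now also lands on every private endpoint unless the caller overrides it per endpoint. Inheriting is a defensible default, but it is a behaviour change the parameter documentation does not mention; extend the `privateEndpoints` parameter description with `Each private endpoint inherits the module's lock setting unless it sets its own lock.` It also assumes the referenced private-endpoint module's `lock` parameter already accepts the new object shape; if that module still declares it as a string, this line hands it an object, which is worth confirming since the module is outside this hunk. The enclosing `applicationGateway_privateEndpoints` module declaration starts before the hunk.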
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9800511203053042141" + "templateHash": "18329589916932941538" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -405,15 +433,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -484,8 +506,8 @@ "enableReferencedModulesTelemetry": false, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -499,7 +521,7 @@ } } }, - { + "applicationGateway": { "type": "Microsoft.Network/applicationGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -509,21 +531,21 @@ "properties": "[union(createObject('authenticationCertificates', parameters('authenticationCertificates'), 'autoscaleConfiguration', if(and(greater(parameters('autoscaleMaxCapacity'), 0), greaterOrEquals(parameters('autoscaleMinCapacity'), 0)), createObject('maxCapacity', parameters('autoscaleMaxCapacity'), 'minCapacity', parameters('autoscaleMinCapacity')), null()), 'backendAddressPools', parameters('backendAddressPools'), 'backendHttpSettingsCollection', parameters('backendHttpSettingsCollection'), 'backendSettingsCollection', parameters('backendSettingsCollection'), 'customErrorConfigurations', parameters('customErrorConfigurations'), 'enableHttp2', parameters('enableHttp2'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'forceFirewallPolicyAssociation', not(empty(parameters('firewallPolicyId'))), 'frontendIPConfigurations', parameters('frontendIPConfigurations'), 'frontendPorts', parameters('frontendPorts'), 'gatewayIPConfigurations', parameters('gatewayIPConfigurations'), 'globalConfiguration', if(endsWith(parameters('sku'), 'v2'), createObject('enableRequestBuffering', parameters('enableRequestBuffering'), 'enableResponseBuffering', parameters('enableResponseBuffering')), null()), 'httpListeners', parameters('httpListeners'), 'loadDistributionPolicies', parameters('loadDistributionPolicies'), 'listeners', parameters('listeners'), 'privateLinkConfigurations', parameters('privateLinkConfigurations'), 'probes', parameters('probes'), 'redirectConfigurations', parameters('redirectConfigurations'), 'requestRoutingRules', parameters('requestRoutingRules'), 'routingRules', parameters('routingRules'), 'rewriteRuleSets', parameters('rewriteRuleSets'), 'sku', createObject('name', parameters('sku'), 'tier', if(endsWith(parameters('sku'), 'v2'), parameters('sku'), substring(parameters('sku'), 0, indexOf(parameters('sku'), '_'))), 'capacity', 
if(and(greater(parameters('autoscaleMaxCapacity'), 0), greaterOrEquals(parameters('autoscaleMinCapacity'), 0)), null(), parameters('capacity'))), 'sslCertificates', parameters('sslCertificates'), 'sslPolicy', if(not(equals(parameters('sslPolicyType'), 'Predefined')), createObject('cipherSuites', parameters('sslPolicyCipherSuites'), 'minProtocolVersion', parameters('sslPolicyMinProtocolVersion'), 'policyName', if(empty(parameters('sslPolicyName')), null(), parameters('sslPolicyName')), 'policyType', parameters('sslPolicyType')), createObject('policyName', if(empty(parameters('sslPolicyName')), null(), parameters('sslPolicyName')), 'policyType', parameters('sslPolicyType'))), 'sslProfiles', parameters('sslProfiles'), 'trustedClientCertificates', parameters('trustedClientCertificates'), 'trustedRootCertificates', parameters('trustedRootCertificates'), 'urlPathMaps', parameters('urlPathMaps')), if(parameters('enableFips'), createObject('enableFips', parameters('enableFips')), createObject()), if(not(empty(parameters('webApplicationFirewallConfiguration'))), createObject('webApplicationFirewallConfiguration', parameters('webApplicationFirewallConfiguration')), createObject()))]", "zones": "[parameters('zones')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "applicationGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + 
"level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" + "applicationGateway" ] }, - { + "applicationGateway_diagnosticSettingName": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -538,10 +560,10 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" + "applicationGateway" ] }, - { + "applicationGateway_privateEndpoints": { "copy": { "name": "applicationGateway_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -571,7 +593,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1065,10 +1089,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" + "applicationGateway" ] }, - { + "applicationGateway_roleAssignments": { "copy": { "name": "applicationGateway_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1242,10 +1266,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" + "applicationGateway" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1273,7 +1297,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/applicationGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('applicationGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/application-security-group/.test/common/main.test.bicep b/modules/network/application-security-group/.test/common/main.test.bicep index d97c89d410..8783a868c4 100644 --- a/modules/network/application-security-group/.test/common/main.test.bicep +++ b/modules/network/application-security-group/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index dd4a0b47e3..f86e110e60 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -45,7 +45,10 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g name: 'nasgcom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -85,7 +88,10 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -127,7 +133,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -147,11 +153,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep index fa7054d1eb..53f1b4a0d5 100644 --- a/modules/network/application-security-group/main.bicep 
+++ b/modules/network/application-security-group/main.bicep @@ -8,13 +8,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -44,11 +39,11 @@ resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2 properties: {} } -resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${applicationSecurityGroup.name}-${lock}-lock' +resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: applicationSecurityGroup } 
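Review bot: The new guard `if (!empty(lock ?? {}) && lock.?kind != 'None')` on applicationSecurityGroup_lock still creates the lock when a caller passes an object that has only `name` and no `kind`, and the resource then gets `level: lock.?kind ?? ''`, an empty level that the locks provider will presumably reject, so the whole deployment fails instead of either locking or skipping. Requiring a kind in the condition, e.g. `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, closes that gap and makes the `?? ''` fallback on `level` unreachable, so it can be dropped. The same pattern appears in azureFirewall_lock in modules/network/azure-firewall/main.bicep further down this diff. A one-line comment above the resource, `// Lock is only created when a kind other than 'None' is given; the name defaults to 'lock-<resource name>'`, would also make the intent visible to readers of the generated README.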
@@ -77,3 +72,15 @@ output name string = applicationSecurityGroup.name @description('The location the resource was deployed into.') output location string = applicationSecurityGroup.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json index a733a611db..a67333aaed 100644 --- a/modules/network/application-security-group/main.json +++ b/modules/network/application-security-group/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4115045672718601619" + "templateHash": "17355011424146278209" }, "name": "Application Security Groups (ASG)", "description": "This module deploys an Application Security Group (ASG).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
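Review bot: The `kind` description in the new lockType, `Optional. Specify the type of lock.`, does not say what `'None'` does, even though the lock resource in this file is skipped when `kind` is `'None'`, so a reader of the generated README cannot tell it apart from omitting the parameter. Suggest `@description('Optional. Specify the type of lock. \'None\' explicitly deploys no lock.')` on `kind`, and `@description('Optional. Specify the name of lock. Defaults to lock-<resource name>.')` on `name` to match the `lock.?name ?? 'lock-${name}'` fallback the resource uses. The same definition block is added to modules/network/azure-firewall/main.bicep further down this diff and should carry the same wording.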
@@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -59,8 +81,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -74,7 +96,7 @@ } } }, - { + "applicationSecurityGroup": { "type": "Microsoft.Network/applicationSecurityGroups", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -82,21 +104,21 @@ "tags": "[parameters('tags')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "applicationSecurityGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + "applicationSecurityGroup" ] }, - { + "applicationSecurityGroup_roleAssignments": { "copy": { "name": "applicationSecurityGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -270,10 +292,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + "applicationSecurityGroup" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -301,7 +323,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('applicationSecurityGroup', '2023-04-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/.test/common/main.test.bicep index 17193997bd..cf719551ab 100644 --- a/modules/network/azure-firewall/.test/common/main.test.bicep +++ b/modules/network/azure-firewall/.test/common/main.test.bicep @@ -126,7 +126,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkRuleCollections: [ { name: 'allow-network-rules' diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 73137eee0b..c437b47819 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -213,7 +213,10 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkRuleCollections: [ { name: 'allow-network-rules' @@ -355,7 +358,10 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkRuleCollections": { "value": [ 
@@ -762,7 +768,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. | | [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managementIPAddressObject`](#parameter-managementipaddressobject) | object | Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. | | [`managementIPResourceID`](#parameter-managementipresourceid) | string | The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet. | | [`natRuleCollections`](#parameter-natrulecollections) | array | Collection of NAT rule collections used by Azure Firewall. | 
@@ -884,11 +890,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managementIPAddressObject` diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep index 83e3b2a2af..3acc34d362 100644 --- a/modules/network/azure-firewall/main.bicep +++ b/modules/network/azure-firewall/main.bicep @@ -82,13 +82,8 @@ param diagnosticEventHubName string = '' @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -321,11 +316,11 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-04-01' = { ] } -resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${azureFirewall.name}-${lock}-lock' +resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: azureFirewall } @@ -382,3 +377,15 @@ output natRuleCollections array = natRuleCollections @description('The location the resource was deployed into.') output location string = azureFirewall.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json index e51d5158ae..7f9ab7552b 100644 --- a/modules/network/azure-firewall/main.json +++ b/modules/network/azure-firewall/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11388637561853566149" + "templateHash": "10604850495131804287" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -180,15 +208,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -304,8 +326,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -319,34 +341,34 @@ } } }, - { + "azureFirewall": { "type": "Microsoft.Network/azureFirewalls", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "zones": "[if(equals(length(parameters('zones')), 0), null(), parameters('zones'))]", "tags": "[parameters('tags')]", - "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value), 'properties', union(variables('subnetVar'), if(not(empty(parameters('publicIPResourceID'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), createObject('id', reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value), null())), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-MIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value), 'properties', union(variables('managementSubnetVar'), if(not(empty(parameters('managementIPResourceID'))), variables('existingMip'), 
createObject()), if(variables('isCreateDefaultManagementIP'), createObject('publicIPAddress', if(and(empty(parameters('managementIPResourceID')), variables('isCreateDefaultManagementIP')), createObject('id', reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-MIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value), null())), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", + "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(variables('subnetVar'), if(not(empty(parameters('publicIPResourceID'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), createObject('id', 
reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(variables('managementSubnetVar'), if(not(empty(parameters('managementIPResourceID'))), variables('existingMip'), createObject()), if(variables('isCreateDefaultManagementIP'), createObject('publicIPAddress', if(and(empty(parameters('managementIPResourceID')), variables('isCreateDefaultManagementIP')), createObject('id', reference('managementIPAddress').outputs.resourceId.value), null())), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-MIP', uniqueString(deployment().name, parameters('location'))))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location'))))]" + "managementIPAddress", + "publicIPAddress" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "azureFirewall_lock": { + "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + "azureFirewall" ] }, - { + "azureFirewall_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -361,10 +383,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + "azureFirewall" ] }, - { + "publicIPAddress": { "condition": "[and(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -413,17 +435,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -553,15 +603,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -650,8 +694,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -665,7 +709,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -685,21 +729,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -714,10 +758,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -891,10 +935,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -922,20 +966,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "managementIPAddress": { "condition": "[and(and(empty(parameters('managementIPResourceID')), variables('isCreateDefaultManagementIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -984,17 +1028,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1124,15 +1196,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -1221,8 +1287,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1236,7 +1302,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -1256,21 +1322,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -1285,10 +1351,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1462,10 +1528,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1493,20 +1559,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "azureFirewall_roleAssignments": { "copy": { "name": "azureFirewall_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1680,10 +1746,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + "azureFirewall" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1711,14 +1777,14 @@ "metadata": { "description": "The private IP of the Azure firewall." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2023-04-01'), 'ipConfigurations'), reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2023-04-01').ipConfigurations[0].properties.privateIPAddress, '')]" + "value": "[if(contains(reference('azureFirewall'), 'ipConfigurations'), reference('azureFirewall').ipConfigurations[0].properties.privateIPAddress, '')]" }, "ipConfAzureFirewallSubnet": { "type": "object", "metadata": { "description": "The Public IP configuration object for the Azure Firewall Subnet." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2023-04-01'), 'ipConfigurations'), reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2023-04-01').ipConfigurations[0], createObject())]" + "value": "[if(contains(reference('azureFirewall'), 'ipConfigurations'), reference('azureFirewall').ipConfigurations[0], createObject())]" }, "applicationRuleCollections": { "type": "array", @@ -1746,7 +1812,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('azureFirewall', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/.test/common/main.test.bicep index 5d384c25e9..02f6497c2d 100644 --- a/modules/network/bastion-host/.test/common/main.test.bicep +++ b/modules/network/bastion-host/.test/common/main.test.bicep 
@@ -78,7 +78,10 @@ module testDeployment '../../main.bicep' = {
 enableFileCopy: false
 enableIpConnect: false
 enableShareableLink: false
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md
index 8aa5825b04..0a6a4c85fe 100644
--- a/modules/network/bastion-host/README.md
+++ b/modules/network/bastion-host/README.md
@@ -59,7 +59,10 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 enableFileCopy: false
 enableIpConnect: false
 enableShareableLink: false
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 principalIds: [
@@ -131,7 +134,10 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 "value": false
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "roleAssignments": {
 "value": [
@@ -366,7 +372,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { | [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. | | [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. | 
@@ -481,11 +487,30 @@ Location for all resources.
 
 ### Parameter: `lock`
 
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 
 ### Parameter: `name`
 
diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep
index f0b0ea9427..4bba12cf4b 100644
--- a/modules/network/bastion-host/main.bicep
+++ b/modules/network/bastion-host/main.bicep
@@ -32,13 +32,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @allowed([
 'Basic'
@@ -201,11 +196,11 @@ resource azureBastion 'Microsoft.Network/bastionHosts@2022-11-01' = {
 properties: bastionpropertiesVar
 }
 
-resource azureBastion_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${azureBastion.name}-${lock}-lock'
+resource azureBastion_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: azureBastion
 }
@@ -249,3 +244,15 @@ output location string = azureBastion.location
 
 @description('The Public IPconfiguration object for the AzureBastionSubnet.')
 output ipConfAzureBastionSubnet object = azureBastion.properties.ipConfigurations[0]
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json
index ab504b7428..057acedabb 100644
--- a/modules/network/bastion-host/main.json
+++ b/modules/network/bastion-host/main.json
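Review bot: The new guard `if (!empty(lock ?? {}) && lock.?kind != 'None')` still admits a lock object whose `kind` is omitted, which the nullable `lockType` added at the end of this file allows, and the body then emits `level: lock.?kind ?? ''`, i.e. a lock resource with an empty level. ARM is unlikely to accept an empty level, so the probable outcome is a failed deployment rather than the `CanNotDelete`/`ReadOnly` protection the caller intended, and a caller that set only `name` gets no safeguard either way. Gating on the kind itself covers both cases, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, after which the `?? ''` fallback on `level` is no longer needed. The same pattern appears in the `connection_lock` hunk of modules/network/connection/main.bicep further down and in the compiled main.json files, which are presumably regenerated from the Bicep sources rather than edited by hand.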
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18039554301844568366" + "templateHash": "7681317257874084680" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -81,15 +109,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "skuName": { @@ -214,8 +236,8 @@ }, "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -229,7 +251,7 @@ } } }, - { + "azureBastion": { "type": "Microsoft.Network/bastionHosts", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -238,26 +260,26 @@ "sku": { "name": "[parameters('skuName')]" }, - "properties": "[if(equals(parameters('skuName'), 'Standard'), createObject('scaleUnits', variables('scaleUnitsVar'), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference(resourceId('Microsoft.Resources/deployments', format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value), null())), createObject())))), 'enableTunneling', variables('enableTunneling'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableKerberos', parameters('enableKerberos'), 'enableShareableLink', parameters('enableShareableLink')), createObject('scaleUnits', variables('scaleUnitsVar'), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference(resourceId('Microsoft.Resources/deployments', format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value), null())), createObject())))), 'enableKerberos', parameters('enableKerberos')))]", + "properties": "[if(equals(parameters('skuName'), 'Standard'), createObject('scaleUnits', variables('scaleUnitsVar'), 
'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), 'enableTunneling', variables('enableTunneling'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableKerberos', parameters('enableKerberos'), 'enableShareableLink', parameters('enableShareableLink')), createObject('scaleUnits', variables('scaleUnitsVar'), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), 'enableKerberos', parameters('enableKerberos')))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location'))))]" + "publicIPAddress" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "azureBastion_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", - "name": 
"[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]" + "azureBastion" ] }, - { + "azureBastion_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -271,10 +293,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]" + "azureBastion" ] }, - { + "publicIPAddress": { "condition": "[and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -322,17 +344,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -462,15 +512,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -559,8 +603,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -574,7 +618,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -594,21 +638,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -623,10 +667,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -800,10 +844,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -831,20 +875,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "azureBastion_roleAssignments": { "copy": { "name": "azureBastion_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1018,10 +1062,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]" + "azureBastion" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1049,14 +1093,14 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Network/bastionHosts', parameters('name')), '2022-11-01', 'full').location]"
+ "value": "[reference('azureBastion', '2022-11-01', 'full').location]"
 },
 "ipConfAzureBastionSubnet": {
 "type": "object",
 "metadata": {
 "description": "The Public IPconfiguration object for the AzureBastionSubnet."
 },
- "value": "[reference(resourceId('Microsoft.Network/bastionHosts', parameters('name')), '2022-11-01').ipConfigurations[0]]"
+ "value": "[reference('azureBastion').ipConfigurations[0]]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/network/connection/.test/vnet2vnet/main.test.bicep b/modules/network/connection/.test/vnet2vnet/main.test.bicep
index 5d1cbca2c3..9450e5be59 100644
--- a/modules/network/connection/.test/vnet2vnet/main.test.bicep
+++ b/modules/network/connection/.test/vnet2vnet/main.test.bicep
@@ -62,7 +62,10 @@ module testDeployment '../../main.bicep' = {
 id: nestedDependencies.outputs.primaryVNETGatewayResourceID
 }
 enableBgp: false
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 virtualNetworkGateway2: {
 id: nestedDependencies.outputs.secondaryVNETGatewayResourceID
 }
diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md
index 7275058f5a..f43ea0a938 100644
--- a/modules/network/connection/README.md
+++ b/modules/network/connection/README.md
@@ -47,7 +47,10 @@ module connection 'br:bicep/modules/network.connection:1.0.0' = {
 connectionType: 'Vnet2Vnet'
 enableBgp: false
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -93,7 +96,10 @@ module connection 'br:bicep/modules/network.connection:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "tags": { "value": { @@ -143,7 +149,7 @@ module connection 'br:bicep/modules/network.connection:1.0.0' = { | [`expressRouteGatewayBypass`](#parameter-expressroutegatewaybypass) | bool | Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. | | [`localNetworkGateway2`](#parameter-localnetworkgateway2) | object | The local network gateway. Used for connection type [IPsec]. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the connectionType of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`peer`](#parameter-peer) | object | The remote peer. Used for connection connectionType [ExpressRoute]. | | [`routingWeight`](#parameter-routingweight) | int | The weight added to routes learned from this BGP speaker. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -241,11 +247,30 @@ Location for all resources. ### Parameter: `lock` -Specify the connectionType of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/connection/main.bicep b/modules/network/connection/main.bicep index 809a56c5c6..0cdd0d0a83 100644 --- a/modules/network/connection/main.bicep +++ b/modules/network/connection/main.bicep @@ -71,13 +71,8 @@ param customIPSecPolicy object = { @description('Optional. The weight added to routes learned from this BGP speaker.') param routingWeight int = -1 -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the connectionType of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} @@ -149,11 +144,11 @@ resource connection 'Microsoft.Network/connections@2023-04-01' = { } } -resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${connection.name}-${lock}-lock' +resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: connection } @@ -169,3 +164,15 @@ output resourceId string = connection.id @description('The location the resource was deployed into.') output location string = connection.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/connection/main.json b/modules/network/connection/main.json index e72fe07213..1166323e83 100644 
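Review bot: The new deploy condition on `connection_lock` does not require a `kind`, so an input such as `lock: { name: 'myLock' }` passes `!empty(lock ?? {}) && lock.?kind != 'None'` and the resource is created with `level: ''` via the `?? ''` fallback, which is not a valid lock level and will presumably fail the deployment at runtime rather than at compile time. Requiring a kind in the condition closes the gap: `resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`; the `?? ''` on `level` is then unreachable and could become `level: lock.?kind` with an `any()` cast if the type checker needs it. Separately, the default lock name changes from `<name>-<kind>-lock` to `lock-<name>`; consumers redeploying over an existing lock will presumably end up with both, since an incremental deployment does not remove the old one, so a README migration note would help.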
--- a/modules/network/connection/main.json +++ b/modules/network/connection/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4819464445955431710" + "templateHash": "10325872136554369855" }, "name": "Virtual Network Gateway Connections", "description": "This module deploys a Virtual Network Gateway Connection.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -136,15 +164,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the connectionType of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -196,8 +218,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -211,7 +233,7 @@ } } }, - { + "connection": { "type": "Microsoft.Network/connections", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -237,21 +259,21 @@ "useLocalAzureIpAddress": "[if(equals(parameters('connectionType'), 'IPsec'), parameters('useLocalAzureIpAddress'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "connection_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/connections/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/connections', parameters('name'))]" + "connection" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -279,7 +301,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/connections', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('connection', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/ddos-protection-plan/.test/common/main.test.bicep b/modules/network/ddos-protection-plan/.test/common/main.test.bicep index 07f548e028..5f76122a56 100644 --- a/modules/network/ddos-protection-plan/.test/common/main.test.bicep +++ b/modules/network/ddos-protection-plan/.test/common/main.test.bicep 
@@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index ce299dd18a..55b6ee35f8 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -46,7 +46,10 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' name: 'ndppcom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -86,7 +89,10 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -176,7 +182,7 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -196,11 +202,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep index 159a71942f..97f048cc44 100644 --- a/modules/network/ddos-protection-plan/main.bicep +++ b/modules/network/ddos-protection-plan/main.bicep 
@@ -9,13 +9,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -45,11 +40,11 @@ resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = properties: {} } -resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${ddosProtectionPlan.name}-${lock}-lock' +resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: ddosProtectionPlan } 
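Review bot: In the second hunk, `ddosProtectionPlan_lock` is deployed whenever the `lock` object is non-empty and `kind` is not `'None'`, which includes the case where only `name` is supplied; the resource then gets `level: ''` from the `lock.?kind ?? ''` fallback, which is not an accepted lock level. The condition should also demand a kind, e.g. `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, so that a name-only object is skipped instead of producing a failing deployment. With that guard the `?? ''` on `level` becomes dead and can be dropped. Note also that the default name moves from `<name>-<kind>-lock` to `lock-<name>`, which presumably leaves a second lock behind on resources deployed with the previous module version.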
@@ -78,3 +73,15 @@ output name string = ddosProtectionPlan.name @description('The location the resource was deployed into.') output location string = ddosProtectionPlan.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index f67227f30a..6b377c3378 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10705912154060159414" + "templateHash": "5335931212602685116" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -27,15 +55,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -60,8 +82,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -75,7 +97,7 @@ } } }, - { + "ddosProtectionPlan": { "type": "Microsoft.Network/ddosProtectionPlans", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -83,21 +105,21 @@ "tags": "[parameters('tags')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "ddosProtectionPlan_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name'))]" + "ddosProtectionPlan" ] }, - { + "ddosProtectionPlan_roleAssignments": { "copy": { "name": "ddosProtectionPlan_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -271,10 +293,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name'))]" + "ddosProtectionPlan" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -302,7 +324,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('ddosProtectionPlan', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep index 1580914504..e3c7eb4a8e 100644 --- a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep @@ -83,7 +83,10 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 100d91455b..c6774af681 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -64,7 +64,10 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 ] } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -127,7 +130,10 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -232,7 +238,7 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`forwardingRules`](#parameter-forwardingrules) | array | Array of forwarding rules. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vNetLinks`](#parameter-vnetlinks) | array | Array of virtual network links. | @@ -266,11 +272,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/dns-forwarding-ruleset/main.bicep b/modules/network/dns-forwarding-ruleset/main.bicep index 205acc5938..368c9d487e 100644 --- a/modules/network/dns-forwarding-ruleset/main.bicep +++ b/modules/network/dns-forwarding-ruleset/main.bicep @@ -9,13 +9,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -77,16 +72,16 @@ module dnsForwardingRuleset_virtualNetworkLinks 'virtual-network-link/main.bicep } }] -resource dnsForwardingRulesets_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${dnsForwardingRuleset.name}-${lock}-lock' +resource dnsForwardingRuleset_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dnsForwardingRuleset } -module dnsForwardingRulesets_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module dnsForwardingRuleset_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-dnsResolver-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -110,3 +105,15 @@ output name string = dnsForwardingRuleset.name @description('The location the resource was deployed into.') output location string = dnsForwardingRuleset.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json index 19ee04a44f..494c2005b7 100644 --- a/modules/network/dns-forwarding-ruleset/main.json +++ b/modules/network/dns-forwarding-ruleset/main.json 
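Review bot: The rewritten `dnsForwardingRuleset_lock` condition lets a `lock` object that has a `name` but no `kind` through, since `{ name: 'x' }` is non-empty and `null != 'None'` holds; `level` then resolves to `''`, which is not a valid value for `Microsoft.Authorization/locks`. Tightening the condition to `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')` makes the resource deploy only when a real level is available, and the `?? ''` fallback on `level` can go. The rename of the role-assignment module symbol in the same hunk does not touch the deployment name, so it looks harmless. The pre-existing `-dnsResolver-Rbac-` deployment-name fragment in a dns-forwarding-ruleset module reads like a copy-paste leftover, though it is outside this change.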
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3259269947258844338" + "templateHash": "7214112438295019717" }, "name": "Dns Forwarding Rulesets", "description": "This template deploys an dns forwarding ruleset.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -27,15 +55,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -80,8 +102,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -95,7 +117,7 @@ } } }, - { + "dnsForwardingRuleset": { "type": "Microsoft.Network/dnsForwardingRulesets", "apiVersion": "2022-07-01", "name": "[parameters('name')]", 
@@ -113,21 +135,21 @@ ] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "dnsForwardingRuleset_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/dnsForwardingRulesets/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" + "dnsForwardingRuleset" ] }, - { + "dnsForwardingRuleset_forwardingRule": { "copy": { "name": "dnsForwardingRuleset_forwardingRule", "count": "[length(parameters('forwardingRules'))]" @@ -282,10 +304,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" + "dnsForwardingRuleset" ] }, - { + "dnsForwardingRuleset_virtualNetworkLinks": { "copy": { "name": "dnsForwardingRuleset_virtualNetworkLinks", "count": "[length(parameters('vNetLinks'))]" 
@@ -404,12 +426,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" + "dnsForwardingRuleset" ] }, - { + "dnsForwardingRuleset_roleAssignments": { "copy": { - "name": "dnsForwardingRulesets_roleAssignments", + "name": "dnsForwardingRuleset_roleAssignments", "count": "[length(parameters('roleAssignments'))]" }, "type": "Microsoft.Resources/deployments", @@ -581,10 +603,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" + "dnsForwardingRuleset" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -612,7 +634,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name')), '2022-07-01', 'full').location]" + "value": "[reference('dnsForwardingRuleset', '2022-07-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 682f0e5b10..0b3ae78e7f 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md 
@@ -139,7 +139,7 @@ module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`inboundEndpoints`](#parameter-inboundendpoints) | array | Inbound Endpoints for Private DNS Resolver. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`outboundEndpoints`](#parameter-outboundendpoints) | array | Outbound Endpoints for Private DNS Resolver. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -167,11 +167,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/dns-resolver/main.bicep b/modules/network/dns-resolver/main.bicep index b0d58fa614..5b4c01b342 100644 --- a/modules/network/dns-resolver/main.bicep +++ b/modules/network/dns-resolver/main.bicep @@ -9,13 +9,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -86,11 +81,11 @@ resource dnsResolver_outboundEndpoint 'Microsoft.Network/dnsResolvers/outboundEn } }] -resource dnsResolver_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${dnsResolver.name}-${lock}-lock' +resource dnsResolver_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dnsResolver } 
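Review bot: `dnsResolver_lock` in the second hunk can be deployed with `level: ''`: the guard `!empty(lock ?? {}) && lock.?kind != 'None'` is satisfied by `lock: { name: 'myLock' }`, and `lock.?kind ?? ''` then supplies an empty level that the locks resource provider presumably rejects. The guard should require a kind as well, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, which also makes the `?? ''` fallback on `level` unnecessary. As in the sibling modules, the default name changes from `<name>-<kind>-lock` to `lock-<name>`; a short README remark that existing locks are not renamed or removed on redeploy would spare consumers a surprise.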
@@ -119,3 +114,15 @@ output name string = dnsResolver.name @description('The location the resource was deployed into.') output location string = dnsResolver.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json index f4fde16620..a9733ecbfe 100644 --- a/modules/network/dns-resolver/main.json +++ b/modules/network/dns-resolver/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "317150262818676597" + "templateHash": "11864164290736408459" }, "name": "DNS Resolvers", "description": "This module deploys a DNS Resolver.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -27,15 +55,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -80,8 +102,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -95,7 +117,7 @@ } } }, - { + "dnsResolver": { "type": "Microsoft.Network/dnsResolvers", "apiVersion": "2022-07-01", "name": "[parameters('name')]", @@ -107,7 +129,7 @@ } } }, - { + "dnsResolver_inboundEndpoint": { "copy": { "name": "dnsResolver_inboundEndpoint", "count": "[length(parameters('inboundEndpoints'))]" @@ -127,10 +149,10 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" + "dnsResolver" ] }, - { + "dnsResolver_outboundEndpoint": { "copy": { "name": "dnsResolver_outboundEndpoint", "count": "[length(parameters('outboundEndpoints'))]" 
@@ -146,24 +168,24 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" + "dnsResolver" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "dnsResolver_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/dnsResolvers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" + "dnsResolver" ] }, - { + "dnsResolver_roleAssignments": { "copy": { "name": "dnsResolver_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -337,10 +359,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" + "dnsResolver" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -368,7 +390,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/dnsResolvers', parameters('name')), '2022-07-01', 'full').location]" + "value": "[reference('dnsResolver', '2022-07-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/dns-zone/.test/common/main.test.bicep b/modules/network/dns-zone/.test/common/main.test.bicep index f23e497864..667e7e4e00 100644 --- a/modules/network/dns-zone/.test/common/main.test.bicep +++ b/modules/network/dns-zone/.test/common/main.test.bicep @@ -106,7 +106,10 @@ module testDeployment '../../main.bicep' = { targetResourceId: nestedDependencies.outputs.trafficManagerProfileResourceId } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } mx: [ { mxRecords: [ diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index cf007e7fc7..3d4407d678 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -109,7 +109,10 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { } ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } mx: [ { mxRecords: [ @@ -318,7 +321,10 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "mx": { "value": [ @@ -532,7 +538,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { | [`cname`](#parameter-cname) | array | Array of CNAME records. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location of the dnsZone. Should be global. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`mx`](#parameter-mx) | array | Array of MX records. | | [`ns`](#parameter-ns) | array | Array of NS records. | | [`ptr`](#parameter-ptr) | array | Array of PTR records. | 
@@ -586,11 +592,30 @@ The location of the dnsZone. Should be global. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `mx` diff --git a/modules/network/dns-zone/main.bicep b/modules/network/dns-zone/main.bicep index 5f182697f8..84d8fd6120 100644 --- a/modules/network/dns-zone/main.bicep +++ b/modules/network/dns-zone/main.bicep @@ -46,13 +46,8 @@ param roleAssignments array = [] @description('Optional. Tags of the resource.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -213,11 +208,11 @@ module dnsZone_TXT 'txt/main.bicep' = [for (txtRecord, index) in txt: { } }] -resource dnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${dnsZone.name}-${lock}-lock' +resource dnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: dnsZone } @@ -246,3 +241,15 @@ output resourceId string = dnsZone.id @description('The location the resource was deployed into.') output location string = dnsZone.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json index 2050ccbfa3..6cc1b04100 100644 --- a/modules/network/dns-zone/main.json +++ b/modules/network/dns-zone/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9774189040753970370" + "templateHash": "14872051751998229436" }, "name": "Public DNS Zones", "description": "This module deploys a Public DNS zone.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -112,15 +140,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { @@ -134,8 +156,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -149,7 +171,7 @@ } } }, - { + "dnsZone": { "type": "Microsoft.Network/dnsZones", "apiVersion": "2018-05-01", "name": "[parameters('name')]", 
@@ -159,21 +181,21 @@ "zoneType": "Public" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "dnsZone_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/dnsZones/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_A": { "copy": { "name": "dnsZone_A", "count": "[length(parameters('a'))]" @@ -501,10 +523,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_AAAA": { "copy": { "name": "dnsZone_AAAA", "count": "[length(parameters('aaaa'))]" @@ -832,10 +854,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_CNAME": { "copy": { "name": "dnsZone_CNAME", "count": "[length(parameters('cname'))]" @@ -1163,10 +1185,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_CAA": { "copy": { "name": "dnsZone_CAA", "count": "[length(parameters('caa'))]" 
@@ -1485,10 +1507,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_MX": { "copy": { "name": "dnsZone_MX", "count": "[length(parameters('mx'))]" @@ -1807,10 +1829,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_NS": { "copy": { "name": "dnsZone_NS", "count": "[length(parameters('ns'))]" @@ -2129,10 +2151,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_PTR": { "copy": { "name": "dnsZone_PTR", "count": "[length(parameters('ptr'))]" @@ -2451,10 +2473,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_SOA": { "copy": { "name": "dnsZone_SOA", "count": "[length(parameters('soa'))]" @@ -2773,10 +2795,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_SRV": { "copy": { "name": "dnsZone_SRV", "count": "[length(parameters('srv'))]" @@ -3095,10 +3117,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_TXT": { "copy": { "name": "dnsZone_TXT", "count": "[length(parameters('txt'))]" @@ -3417,10 +3439,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] }, - { + "dnsZone_roleAssignments": { "copy": { "name": "dnsZone_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -3594,10 +3616,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" + "dnsZone" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -3625,7 +3647,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/dnsZones', parameters('name')), '2018-05-01', 'full').location]" + "value": "[reference('dnsZone', '2018-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/.test/common/main.test.bicep index 58ce2762f0..befce2285b 100644 --- a/modules/network/express-route-circuit/.test/common/main.test.bicep +++ b/modules/network/express-route-circuit/.test/common/main.test.bicep @@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 3acc1d2f3c..95c6548f62 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -55,7 +55,10 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -121,7 +124,10 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -243,7 +249,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 | [`expressRoutePortResourceId`](#parameter-expressrouteportresourceid) | string | The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. | | [`globalReachEnabled`](#parameter-globalreachenabled) | bool | Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`peerASN`](#parameter-peerasn) | int | The autonomous system number of the customer/connectivity provider. | | [`peering`](#parameter-peering) | bool | Enabled BGP peering type for the Circuit. | | [`peeringType`](#parameter-peeringtype) | string | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | @@ -357,11 +363,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep index f979f2c2e7..b40145e29c 100644 --- a/modules/network/express-route-circuit/main.bicep +++ b/modules/network/express-route-circuit/main.bicep @@ -81,13 +81,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -188,11 +183,11 @@ resource expressRouteCircuits 'Microsoft.Network/expressRouteCircuits@2023-04-01 } } -resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${expressRouteCircuits.name}-${lock}-lock' +resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: expressRouteCircuits } @@ -237,3 +232,15 @@ output serviceKey string = reference(expressRouteCircuits.id, '2021-02-01').serv @description('The location the resource was deployed into.') output location string = expressRouteCircuits.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json index 74d56855cd..024719dcd6 100644 --- a/modules/network/express-route-circuit/main.json +++ b/modules/network/express-route-circuit/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15387700502783731966" + "templateHash": "14824487476304731061" }, "name": "ExpressRoute Circuits", "description": "This module deploys an Express Route Circuit.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -176,15 +204,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -277,8 +299,8 @@ } ] }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -292,7 +314,7 @@ } } }, - { + "expressRouteCircuits": { "type": "Microsoft.Network/expressRouteCircuits", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -316,21 +338,21 @@ "peerings": "[if(parameters('peering'), variables('peeringConfiguration'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "expressRouteCircuits_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('name'))]" + "expressRouteCircuits" ] }, - { + "expressRouteCircuits_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -345,10 +367,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('name'))]" + "expressRouteCircuits" ] }, - { + "expressRouteCircuits_roleAssignments": { "copy": { "name": "expressRouteCircuits_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -522,10 +544,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('name'))]" + "expressRouteCircuits" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -560,7 +582,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('expressRouteCircuits', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/.test/common/main.test.bicep index 9dd58dbbe3..d99873cd46 100644 --- a/modules/network/express-route-gateway/.test/common/main.test.bicep +++ b/modules/network/express-route-gateway/.test/common/main.test.bicep @@ -60,7 +60,10 @@ module testDeployment '../../main.bicep' = { autoScaleConfigurationBoundsMin: 2 autoScaleConfigurationBoundsMax: 3 virtualHubId: nestedDependencies.outputs.virtualHubResourceId - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 8221723ccf..9042aa9cd3 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -49,7 +49,10 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 autoScaleConfigurationBoundsMax: 3 autoScaleConfigurationBoundsMin: 2 enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ 
@@ -97,7 +100,10 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -195,7 +201,7 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | 
@@ -243,11 +249,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep index 0858bcf18d..42f9de6e84 100644 --- a/modules/network/express-route-gateway/main.bicep +++ b/modules/network/express-route-gateway/main.bicep @@ -32,13 +32,8 @@ param roleAssignments array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -71,11 +66,11 @@ resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01' } } -resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${expressRouteGateway.name}-${lock}-lock' +resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: expressRouteGateway } @@ -104,3 +99,15 @@ output name string = expressRouteGateway.name @description('The location the resource was deployed into.') output location string = expressRouteGateway.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json index 084701ac54..1487410b23 100644 --- a/modules/network/express-route-gateway/main.json +++ b/modules/network/express-route-gateway/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8092497363245159180" + "templateHash": "3687139000883539372" }, "name": "Express Route Gateways", "description": "This module deploys an Express Route Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -81,20 +109,14 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -108,7 +130,7 @@ } } }, - { + "expressRouteGateway": { "type": "Microsoft.Network/expressRouteGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -128,21 +150,21 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "expressRouteGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/expressRouteGateways', parameters('name'))]" + "expressRouteGateway" ] }, - { + "expressRouteGateway_roleAssignments": { "copy": { "name": "expressRouteGateway_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -316,10 +338,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/expressRouteGateways', parameters('name'))]" + "expressRouteGateway" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -347,7 +369,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('expressRouteGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
index a971d68691..9473957b31 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
@@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 sku: 'Premium_AzureFrontDoor'
 policySettings: {
 mode: 'Prevention'
diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md
index 8cf0e4a016..1503783dc9 100644
--- a/modules/network/front-door-web-application-firewall-policy/README.md
+++ b/modules/network/front-door-web-application-firewall-policy/README.md
@@ -94,7 +94,10 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo
 ]
 }
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 managedRules: {
 managedRuleSets: [
 {
@@ -199,7 +202,10 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "managedRules": {
 "value": {
@@ -311,7 +317,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo | [`customRules`](#parameter-customrules) | object | The custom rules inside the policy. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | | [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -341,11 +347,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedRules` 
diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep
index 3ecc47cd21..2cd8421795 100644
--- a/modules/network/front-door-web-application-firewall-policy/main.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/main.bicep
@@ -69,13 +69,8 @@ param policySettings object = {
 mode: 'Prevention'
 }
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -106,11 +101,11 @@ resource frontDoorWAFPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPo
 }
 }
 
-resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${frontDoorWAFPolicy.name}-${lock}-lock'
+resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: frontDoorWAFPolicy
 }
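Review bot: The default lock name on `frontDoorWAFPolicy_lock` changes from `'${frontDoorWAFPolicy.name}-${lock}-lock'` to `'lock-${name}'`, and an incremental redeployment of an existing consumer that relied on the old default will create the new lock while leaving the old one in place, so the resource ends up with two locks and the stale one has to be removed by hand (a stale `ReadOnly` lock would presumably also keep blocking updates). That is worth a sentence in the `lock` parameter description or the module's release notes, e.g. `@description('Optional. The lock settings of the service. Note: the default lock name is now \'lock-<name>\'; locks created under the previous default name are not removed on redeployment.')`. The rename applies equally to the lock resources of express-route-gateway, front-door, ip-group and load-balancer in this commit.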
@@ -139,3 +134,15 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = frontDoorWAFPolicy.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json
index a2dffd263e..a9208e608a 100644
--- a/modules/network/front-door-web-application-firewall-policy/main.json
+++ b/modules/network/front-door-web-application-firewall-policy/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9522616710967870505"
+ "templateHash": "11436451701483228580"
 },
 "name": "Front Door Web Application Firewall (WAF) Policies",
 "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -113,15 +141,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -132,8 +154,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -147,7 +169,7 @@ } } }, - { + "frontDoorWAFPolicy": { "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies", "apiVersion": "2022-05-01", "name": "[parameters('name')]", 
@@ -162,21 +184,21 @@ "policySettings": "[parameters('policySettings')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "frontDoorWAFPolicy_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name'))]" + "frontDoorWAFPolicy" ] }, - { + "frontDoorWAFPolicy_roleAssignments": { "copy": { "name": "frontDoorWAFPolicy_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -319,10 +341,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name'))]" + "frontDoorWAFPolicy" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -350,7 +372,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name')), '2022-05-01', 'full').location]" + "value": "[reference('frontDoorWAFPolicy', '2022-05-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/front-door/.test/common/main.test.bicep b/modules/network/front-door/.test/common/main.test.bicep
index dfc4e2b726..485d7f052f 100644
--- a/modules/network/front-door/.test/common/main.test.bicep
+++ b/modules/network/front-door/.test/common/main.test.bicep
@@ -113,7 +113,10 @@ module testDeployment '../../main.bicep' = {
 }
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 routingRules: [
 {
 name: 'routingRule'
diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md
index f9b46052f3..e0106bd90b 100644
--- a/modules/network/front-door/README.md
+++ b/modules/network/front-door/README.md
@@ -135,7 +135,10 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = {
 // Non-required parameters
 enableDefaultTelemetry: ''
 enforceCertificateNameCheck: 'Disabled'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 principalIds: [
@@ -276,7 +279,10 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = {
 "value": "Disabled"
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "roleAssignments": {
 "value": [
@@ -550,7 +556,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { | [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | string | Enforce certificate name check of the frontdoor resource. | | [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`metricsToEnable`](#parameter-metricstoenable) | array | The name of metrics that will be streamed. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | @@ -653,11 +659,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `metricsToEnable` 
diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep
index fe4dac367a..a8ca37dab7 100644
--- a/modules/network/front-door/main.bicep
+++ b/modules/network/front-door/main.bicep
@@ -10,13 +10,8 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -135,11 +130,11 @@ resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' = {
 }
 }
 
-resource frontDoor_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${frontDoor.name}-${lock}-lock'
+resource frontDoor_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: frontDoor
 }
@@ -178,3 +173,15 @@ output resourceId string = frontDoor.id
 
 @description('The resource group the front door was deployed into.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json
index 3722abf630..bb1efe12fc 100644
--- a/modules/network/front-door/main.json
+++ b/modules/network/front-door/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1800137372393005313"
+ "templateHash": "4137545584331429686"
 },
 "name": "Azure Front Doors",
 "description": "This module deploys an Azure Front Door.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -28,15 +56,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -197,8 +219,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -212,7 +234,7 @@ } } }, - { + "frontDoor": { "type": "Microsoft.Network/frontDoors", "apiVersion": "2020-05-01", "name": "[parameters('name')]", 
@@ -232,21 +254,21 @@ "routingRules": "[parameters('routingRules')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "frontDoor_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]" + "frontDoor" ] }, - { + "frontDoor_diagnosticSettingName": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -261,10 +283,10 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]" + "frontDoor" ] }, - { + "frontDoor_roleAssignments": { "copy": { "name": "frontDoor_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -438,10 +460,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]" + "frontDoor" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/ip-group/.test/common/main.test.bicep b/modules/network/ip-group/.test/common/main.test.bicep index 61476fd930..e58ccd5a53 100644 --- a/modules/network/ip-group/.test/common/main.test.bicep +++ b/modules/network/ip-group/.test/common/main.test.bicep @@ -56,7 +56,10 @@ module testDeployment '../../main.bicep' = { '10.0.0.1' '10.0.0.2' ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index 2de276d682..d4e54a7b7e 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -50,7 +50,10 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { '10.0.0.1' '10.0.0.2' ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -96,7 +99,10 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -187,7 +193,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`ipAddresses`](#parameter-ipaddresses) | array | IpAddresses/IpAddressPrefixes in the IpGroups resource. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -214,11 +220,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep index b9a45120cd..7e6c24fa4a 100644 --- a/modules/network/ip-group/main.bicep 
+++ b/modules/network/ip-group/main.bicep
@@ -12,13 +12,8 @@ param location string = resourceGroup().location
 @description('Optional. IpAddresses/IpAddressPrefixes in the IpGroups resource.')
 param ipAddresses array = []
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -50,11 +45,11 @@ resource ipGroup 'Microsoft.Network/ipGroups@2023-04-01' = {
 }
 }
 
-resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${ipGroup.name}-${lock}-lock'
+resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: ipGroup
 }
@@ -83,3 +78,15 @@ output name string = ipGroup.name
 
 @description('The location the resource was deployed into.')
 output location string = ipGroup.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json
index 3d3b61dbe5..5df42e25f4 100644
--- a/modules/network/ip-group/main.json
+++ b/modules/network/ip-group/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3722289923159347480"
+ "templateHash": "1770501120161769084"
 },
 "name": "IP Groups",
 "description": "This module deploys an IP Group.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -34,15 +62,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -67,8 +89,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -82,7 +104,7 @@ } } }, - { + "ipGroup": { "type": "Microsoft.Network/ipGroups", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -92,21 +114,21 @@ "ipAddresses": "[parameters('ipAddresses')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "ipGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/ipGroups', parameters('name'))]" + "ipGroup" ] }, - { + "ipGroup_roleAssignments": { "copy": { "name": "ipGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -280,10 +302,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/ipGroups', parameters('name'))]" + "ipGroup" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -311,7 +333,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/ipGroups', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('ipGroup', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/.test/common/main.test.bicep index 6efb446ead..190d42404e 100644 --- a/modules/network/load-balancer/.test/common/main.test.bicep +++ b/modules/network/load-balancer/.test/common/main.test.bicep @@ -128,7 +128,10 @@ module testDeployment '../../main.bicep' = { probeName: 'probe2' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } outboundRules: [ { allocatedOutboundPorts: 63984 diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 779036371c..046fd30771 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -112,7 +112,10 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { probeName: 'probe2' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } outboundRules: [ { allocatedOutboundPorts: 63984 @@ -252,7 +255,10 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "outboundRules": { "value": [ 
@@ -608,7 +614,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { | [`inboundNatRules`](#parameter-inboundnatrules) | array | Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. | | [`loadBalancingRules`](#parameter-loadbalancingrules) | array | Array of objects containing all load balancing rules. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`outboundRules`](#parameter-outboundrules) | array | The outbound rules. | | [`probes`](#parameter-probes) | array | Array of objects containing all probes, these are references in the load balancing rules. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -701,11 +707,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep index 0f15931f27..cf9a0670fe 100644 --- a/modules/network/load-balancer/main.bicep +++ b/modules/network/load-balancer/main.bicep @@ -40,13 +40,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -221,11 +216,11 @@ module loadBalancer_inboundNATRules 'inbound-nat-rule/main.bicep' = [for (inboun ] }] -resource loadBalancer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${loadBalancer.name}-${lock}-lock' +resource loadBalancer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: loadBalancer } @@ -269,3 +264,15 @@ output backendpools array = loadBalancer.properties.backendAddressPools @description('The location the resource was deployed into.') output location string = loadBalancer.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json index 974b7006fd..3762e54063 100644 --- a/modules/network/load-balancer/main.json +++ b/modules/network/load-balancer/main.json 
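Review bot: The new deploy condition on `loadBalancer_lock` still fires when the caller passes a lock object that has only a `name` (e.g. `lock: { name: 'x' }`), because `!empty(lock ?? {})` is true and a null `kind` is not equal to `'None'`; the resource is then submitted with `level: ''`, which is not a valid lock level, so the failure surfaces at deployment time instead of at validation. Tightening the guard to the property that actually matters avoids that: `if (lock.?kind != null && lock.?kind != 'None') {`. The `notes` fallback text also describes a ReadOnly lock in that case, so the guard change keeps the notes honest as well. An alternative is making `kind` non-nullable in `lockType` (added further down in this patch), which would reject the shape at compile time.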
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4129476930281729422" + "templateHash": "10984234034894076123" }, "name": "Load Balancers", "description": "This module deploys a Load Balancer.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -93,15 +121,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -257,8 +279,8 @@ ], "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -272,7 +294,7 @@ } } }, - { + "loadBalancer": { "type": "Microsoft.Network/loadBalancers", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -289,21 +311,21 @@ "probes": "[variables('probesVar')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "loadBalancer_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" + "loadBalancer" ] }, - { + "loadBalancer_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -317,10 +339,10 @@ "metrics": "[variables('diagnosticsMetrics')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" + "loadBalancer" ] }, - { + "loadBalancer_backendAddressPools": { "copy": { "name": "loadBalancer_backendAddressPools", "count": "[length(parameters('backendAddressPools'))]" 
@@ -467,10 +489,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" + "loadBalancer" ] }, - { + "loadBalancer_inboundNATRules": { "copy": { "name": "loadBalancer_inboundNATRules", "count": "[length(parameters('inboundNatRules'))]" @@ -684,11 +706,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]", + "loadBalancer", "loadBalancer_backendAddressPools" ] }, - { + "loadBalancer_roleAssignments": { "copy": { "name": "loadBalancer_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -862,10 +884,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" + "loadBalancer" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -893,14 +915,14 @@ "metadata": { "description": "The backend address pools available in the load balancer." }, - "value": "[reference(resourceId('Microsoft.Network/loadBalancers', parameters('name')), '2023-04-01').backendAddressPools]" + "value": "[reference('loadBalancer').backendAddressPools]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/loadBalancers', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('loadBalancer', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/local-network-gateway/.test/common/main.test.bicep b/modules/network/local-network-gateway/.test/common/main.test.bicep index 8bebc4a7aa..0d7e13410f 100644 --- a/modules/network/local-network-gateway/.test/common/main.test.bicep +++ b/modules/network/local-network-gateway/.test/common/main.test.bicep 
@@ -58,7 +58,10 @@ module testDeployment '../../main.bicep' = { localGatewayPublicIpAddress: '8.8.8.8' localAsn: '65123' localBgpPeeringAddress: '192.168.1.5' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index 0f26183ba5..463aeea4d3 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md @@ -52,7 +52,10 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 enableDefaultTelemetry: '' localAsn: '65123' localBgpPeeringAddress: '192.168.1.5' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -106,7 +109,10 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 "value": "192.168.1.5" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -214,7 +220,7 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 | [`localBgpPeeringAddress`](#parameter-localbgppeeringaddress) | string | The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | [`localPeerWeight`](#parameter-localpeerweight) | string | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -274,11 +280,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep index 7030202e79..f8d3ba46fa 100644 --- a/modules/network/local-network-gateway/main.bicep +++ b/modules/network/local-network-gateway/main.bicep @@ -24,13 +24,8 @@ param localBgpPeeringAddress string = '' @description('Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided.') param localPeerWeight string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -76,11 +71,11 @@ resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2023-04-01' } } -resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${localNetworkGateway.name}-${lock}-lock' +resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: localNetworkGateway } @@ -109,3 +104,15 @@ output name string = localNetworkGateway.name @description('The location the resource was deployed into.') output location string = localNetworkGateway.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index 7ddb2effdf..3f59f99a0b 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json 
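Review bot: `localNetworkGateway_lock` is created whenever the lock object is non-empty and `kind` is not `'None'`, which includes an object that sets only `name`; with `level: lock.?kind ?? ''` that deploys a lock with an empty level, an invalid value that I would expect ARM to reject late, at deployment time. Gating on `kind` directly is the smaller fix: `if (lock.?kind != null && lock.?kind != 'None') {`. If the intent is that `kind` is mandatory once a lock object is given, declaring it non-nullable in `lockType` would express that in the type instead of in the condition.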
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3075207124319652071" + "templateHash": "3611172321623700485" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -60,15 +88,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -107,8 +129,8 @@ "peerWeight": "[if(not(empty(parameters('localPeerWeight'))), parameters('localPeerWeight'), '0')]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -122,7 +144,7 @@ } } }, - { + "localNetworkGateway": { "type": "Microsoft.Network/localNetworkGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -137,21 +159,21 @@ "bgpSettings": "[if(and(not(empty(parameters('localAsn'))), not(empty(parameters('localBgpPeeringAddress')))), variables('bgpSettings'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "localNetworkGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/localNetworkGateways', parameters('name'))]" + "localNetworkGateway" ] }, - { + "localNetworkGateway_roleAssignments": { "copy": { "name": "localNetworkGateway_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -325,10 +347,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/localNetworkGateways', parameters('name'))]" + "localNetworkGateway" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -356,7 +378,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/localNetworkGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('localNetworkGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep index 178f58c027..f999e3cb3a 100644 --- a/modules/network/nat-gateway/.test/common/main.test.bicep +++ b/modules/network/nat-gateway/.test/common/main.test.bicep @@ -70,7 +70,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } natGatewayPublicIpAddress: true roleAssignments: [ { diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 8d239324a4..2e759c3bfe 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -51,7 +51,10 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } natGatewayPublicIpAddress: true roleAssignments: [ { @@ -104,7 +107,10 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "natGatewayPublicIpAddress": { "value": true 
@@ -158,7 +164,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The idle timeout of the NAT gateway. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`natGatewayPipName`](#parameter-natgatewaypipname) | string | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | [`natGatewayPublicIpAddress`](#parameter-natgatewaypublicipaddress) | bool | Use to have a new Public IP Address created for the NAT Gateway. | | [`publicIpAddresses`](#parameter-publicipaddresses) | array | Existing Public IP Address resource names to use for the NAT Gateway. | @@ -249,11 +255,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index f7094fff0c..2f7bf732e6 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep 
@@ -44,13 +44,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -153,11 +148,11 @@ resource natGateway 'Microsoft.Network/natGateways@2023-04-01' = { dependsOn: [ publicIPAddress ] } -resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${natGateway.name}-${lock}-lock' +resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: natGateway } 
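Review bot: In the `natGateway_lock` hunk the condition `!empty(lock ?? {}) && lock.?kind != 'None'` lets a `{ name: '...' }`-only object through, after which `level: lock.?kind ?? ''` submits an empty lock level; the old string parameter could not express that state, so this is a new failure mode introduced by the object shape, and it fails at deploy time rather than at validation. Checking the field the resource depends on is the direct fix: `if (lock.?kind != null && lock.?kind != 'None') {`. Alternatively make `kind` non-nullable in the `lockType` definition so the compiler rejects the shape.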
@@ -186,3 +181,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = natGateway.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index ffc7620f1a..eaa850c981 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9634258356447527908" + "templateHash": "17911120011754183628" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -110,15 +138,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -197,8 +219,8 @@ ], "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -212,7 +234,7 @@ } } }, - { + "natGateway": { "type": "Microsoft.Network/natGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -228,24 +250,24 @@ }, "zones": "[parameters('zones')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', format('{0}-NatGateway-PIP', uniqueString(deployment().name, parameters('location'))))]" + "publicIPAddress" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "natGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/natGateways', parameters('name'))]" + "natGateway" ] }, - { + "publicIPAddress": { "condition": "[parameters('natGatewayPublicIpAddress')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -310,17 +332,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -450,15 +500,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -547,8 +591,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -562,7 +606,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -582,21 +626,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -611,10 +655,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -788,10 +832,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -819,20 +863,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "natGateway_roleAssignments": { "copy": { "name": "natGateway_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1006,10 +1050,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/natGateways', parameters('name'))]" + "natGateway" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1037,7 +1081,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/natGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('natGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep index 5a7bfcf666..4fcb9fd47d 100644 --- a/modules/network/network-interface/.test/common/main.test.bicep +++ b/modules/network/network-interface/.test/common/main.test.bicep 
@@ -97,7 +97,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index ee9c528fdd..be06487b77 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -75,7 +75,10 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -153,7 +156,10 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
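Review bot: The updated scenario only covers `kind: 'CanNotDelete'` together with an explicit `name`, so neither the new default lock name `lock-${name}` nor the `kind: 'None'` branch that suppresses the lock in main.bicep is exercised by this test. If the module has a second scenario, giving it `lock: { kind: 'ReadOnly' }` without a name would cover the default-name path; the `'None'` path is only meaningful where a lock would otherwise be deployed. The enclosing `testDeployment` module declaration starts before and ends after this hunk.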
@@ -270,7 +276,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableIPForwarding`](#parameter-enableipforwarding) | bool | Indicates whether IP forwarding is enabled on this network interface. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkSecurityGroupResourceId`](#parameter-networksecuritygroupresourceid) | string | The network security group (NSG) to attach to the network interface. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -384,11 +390,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep index 43f79f1528..efa2c6d6c4 100644 --- a/modules/network/network-interface/main.bicep +++ b/modules/network/network-interface/main.bicep @@ -50,13 +50,8 @@ param disableTcpStateTracking bool = false @description('Required. A list of IPConfigurations of the network interface.') param ipConfigurations array -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -154,11 +149,11 @@ resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
 scope: networkInterface
 }
 
-resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${networkInterface.name}-${lock}-lock'
+resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: networkInterface
 }
@@ -187,3 +182,15 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = networkInterface.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json
index 20e292dd8f..299670b87c 100644
--- a/modules/network/network-interface/main.json
+++ b/modules/network/network-interface/main.json
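Review bot: `kind` is nullable in `lockType`, so `lock: { name: 'x' }` passes the `!empty(lock ?? {})` guard and the resource is deployed with `level: lock.?kind ?? ''`, an empty level that is not one of the accepted lock levels and will presumably be rejected at deployment time rather than at validation (the old `@allowed` list on the string parameter caught this). Gate on the kind instead, e.g. `resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, or make `kind` non-nullable in the `lockType` definition added in the second hunk so the omission is a validation error. The `kind` description in that type could also state that `'None'`, like omitting the object, deploys no lock.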
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14479255820598719580" + "templateHash": "3998904758858607142" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -107,15 +135,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -186,8 +208,8 @@ } ] }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -201,7 +223,7 @@ } } }, - { + "networkInterface": { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -242,7 +264,7 @@ "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('id', parameters('networkSecurityGroupResourceId')), null())]" } }, - { + "networkInterface_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -256,24 +278,24 @@ "metrics": "[variables('diagnosticsMetrics')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "networkInterface_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] }, - { + "networkInterface_roleAssignments": { "copy": { "name": "networkInterface_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -447,10 +469,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" + "networkInterface" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -478,7 +500,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('networkInterface', '2023-04-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/network-manager/.test/common/main.test.bicep b/modules/network/network-manager/.test/common/main.test.bicep index e0899bd41c..25ba582f7c 100644 --- a/modules/network/network-manager/.test/common/main.test.bicep +++ b/modules/network/network-manager/.test/common/main.test.bicep @@ -59,7 +59,10 @@ module testDeployment '../../main.bicep' = { params: { name: networkManagerName enableDefaultTelemetry: enableDefaultTelemetry - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 86e3036e2f..07fd87d1d6 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -100,7 +100,10 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { } ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkGroups: [ { description: 'network-group-spokes description' @@ -322,7 +325,10 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkGroups": { "value": [ 
@@ -509,7 +515,7 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { | [`description`](#parameter-description) | string | A description of the network manager. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`scopeConnections`](#parameter-scopeconnections) | array | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. | | [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | 
@@ -545,11 +551,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 21c5a261c0..60d9286d7b 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep @@ -10,13 +10,8 @@ param name string @sys.description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@sys.description('Optional. Specify the type of lock.') -param lock string = '' +@sys.description('Optional. The lock settings of the service.') +param lock lockType @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -126,11 +121,11 @@ module networkManager_securityAdminConfigurations 'security-admin-configuration/
 dependsOn: networkManager_networkGroups
 }]
 
-resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${networkManager.name}-${lock}-lock'
+resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: networkManager
 }
@@ -159,3 +154,15 @@ output name string = networkManager.name
 
 @sys.description('The location the resource was deployed into.')
 output location string = networkManager.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @sys.description('Optional. Specify the name of lock.')
+ name: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json
index be5b31c5ee..8ad603bd07 100644
--- a/modules/network/network-manager/main.json
+++ b/modules/network/network-manager/main.json
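Review bot: The default lock name changes from `${networkManager.name}-${lock}-lock` to `lock-${name}`, so a consumer re-deploying an existing configuration with this version presumably ends up with two locks: an incremental deployment does not remove the old one, and being `CanNotDelete` or `ReadOnly` it has to be deleted by hand. That deserves a breaking-change note for the module, and the `name` description in the `lockType` added in the second hunk could state the default, e.g. `@sys.description('Optional. Specify the name of lock. Defaults to \'lock-<resource name>\'.')`. As in the sibling modules, a lock object with `name` but no `kind` still passes the `!empty(lock ?? {})` guard and deploys with `level: ''`; guarding on `!empty(lock.?kind ?? '')` would avoid that.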
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17206951315494060900" + "templateHash": "10611241672258166058" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -28,15 +56,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -112,8 +134,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -127,7 +149,7 @@ } } }, - { + "networkManager": { "type": "Microsoft.Network/networkManagers", "apiVersion": "2023-02-01", "name": "[parameters('name')]", 
@@ -139,21 +161,21 @@ "networkManagerScopes": "[parameters('networkManagerScopes')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "networkManager_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" + "networkManager" ] }, - { + "networkManager_networkGroups": { "copy": { "name": "networkManager_networkGroups", "count": "[length(parameters('networkGroups'))]" @@ -411,10 +433,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" + "networkManager" ] }, - { + "networkManager_connectivityConfigurations": { "copy": { "name": "networkManager_connectivityConfigurations", "count": "[length(parameters('connectivityConfigurations'))]" @@ -592,11 +614,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]", + "networkManager", "networkManager_networkGroups" ] }, - { + "networkManager_scopeConnections": { "copy": { "name": "networkManager_scopeConnections", "count": "[length(parameters('scopeConnections'))]" 
@@ -734,10 +756,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" + "networkManager" ] }, - { + "networkManager_securityAdminConfigurations": { "copy": { "name": "networkManager_securityAdminConfigurations", "count": "[length(parameters('securityAdminConfigurations'))]" @@ -1268,11 +1290,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]", + "networkManager", "networkManager_networkGroups" ] }, - { + "networkManager_roleAssignments": { "copy": { "name": "networkManager_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1446,10 +1468,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" + "networkManager" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1477,7 +1499,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkManagers', parameters('name')), '2023-02-01', 'full').location]" + "value": "[reference('networkManager', '2023-02-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/.test/common/main.test.bicep index b3d3aa351f..66532c02ae 100644 --- a/modules/network/network-security-group/.test/common/main.test.bicep +++ b/modules/network/network-security-group/.test/common/main.test.bicep @@ -71,7 +71,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index 9cc85e94be..0428a3fe08 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -52,7 +52,10 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -168,7 +171,10 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -331,7 +337,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | 
@@ -402,11 +408,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index 5ee9437903..597a5fa6c6 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep @@ -26,13 +26,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -136,11 +131,11 @@ module networkSecurityGroup_securityRules 'security-rule/main.bicep' = [for (sec
 }
 }]
 
-resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${networkSecurityGroup.name}-${lock}-lock'
+resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: networkSecurityGroup
 }
@@ -181,3 +176,15 @@ output name string = networkSecurityGroup.name
 
 @description('The location the resource was deployed into.')
 output location string = networkSecurityGroup.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json
index abb0e70fca..bf1db4aa59 100644
--- a/modules/network/network-security-group/main.json
+++ b/modules/network/network-security-group/main.json
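Review bot: The `lockType` added in the second hunk on this line is now the only place the allowed lock values live, yet `kind` is described only as `Specify the type of lock.`; for an NSG a `ReadOnly` lock presumably also freezes the rule set deployed through the `security-rule` child module (the notes text itself says child resources cannot be modified), which callers should be told before they pick it. Suggested text: `@description('Optional. Specify the type of lock. \'ReadOnly\' also blocks changes to the security rules; \'None\' deploys no lock.')`. Making `kind` required in the type (`kind: 'CanNotDelete' | 'ReadOnly' | 'None'`) would additionally turn a lock object without a kind into a validation error instead of the runtime `level: ''` the `!empty(lock ?? {})` condition currently lets through.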
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8128749516786730234" + "templateHash": "10938606814486481441" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -68,15 +96,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -137,8 +159,8 @@ "enableReferencedModulesTelemetry": false, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -152,7 +174,7 @@ } } }, - { + "networkSecurityGroup": { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -188,21 +210,21 @@ "flushConnection": "[parameters('flushConnection')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "networkSecurityGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "networkSecurityGroup" ] }, - { + "networkSecurityGroup_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -216,10 +238,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "networkSecurityGroup" ] }, - { + "networkSecurityGroup_securityRules": { "copy": { "name": "networkSecurityGroup_securityRules", "count": "[length(parameters('securityRules'))]" 
@@ -483,10 +505,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "networkSecurityGroup" ] }, - { + "networkSecurityGroup_roleAssignments": { "copy": { "name": "networkSecurityGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -660,10 +682,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + "networkSecurityGroup" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -691,7 +713,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('networkSecurityGroup', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index 9019a60077..d5c48189bd 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md 
@@ -308,7 +308,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`flowLogs`](#parameter-flowlogs) | array | Array that contains the Flow Logs. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the Network Watcher resource (hidden). | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -343,11 +343,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep
index 2fbae1f1cd..52735e831f 100644
--- a/modules/network/network-watcher/main.bicep
+++ b/modules/network/network-watcher/main.bicep
@@ -15,13 +15,8 @@ param connectionMonitors array = []
 @description('Optional. Array that contains the Flow Logs.')
 param flowLogs array = []
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -53,11 +48,11 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' = {
 properties: {}
 }
 
-resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${networkWatcher.name}-${lock}-lock'
+resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: networkWatcher
 }
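Review bot: The new condition `if (!empty(lock ?? {}) && lock.?kind != 'None')` on networkWatcher_lock still deploys the lock when the caller passes an object without `kind` (for example `{ name: 'x' }`, which lockType permits because `kind` is nullable), and the resource then gets `level: lock.?kind ?? ''`, an empty level that the Microsoft.Authorization/locks API does not list as valid, so such input most likely fails the deployment instead of being a no-op the way the old `''` default was. Gating on the kind itself, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, keeps a name-only object harmless and turns the `?? ''` on `level` into a pure type fallback. The same condition is introduced in the privateDnsZone_lock, privateLinkService_lock and publicIpAddress_lock hunks further down and in the compiled main.json of each module, so the fix belongs in all of them. Note also that the default lock name moves from `'${networkWatcher.name}-${lock}-lock'` to `'lock-${name}'`; on an incremental redeploy of an already-locked resource this presumably leaves the previously named lock in place beside the new one, which is worth stating in the module's release notes.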
@@ -116,3 +111,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = networkWatcher.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index 7d746b120d..0997ef0280 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3515911577845014451" + "templateHash": "11619532621785794685" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -42,15 +70,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
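Review bot: The `kind` property of the new lockType definition is documented only as `Specify the type of lock.`, which does not tell the caller that `'None'` is the explicit opt-out the lock resource's condition checks for, and `name` does not mention the default the resource falls back to. Suggest `@description('Optional. Specify the type of lock. Set to \'None\' to explicitly deploy no lock.')` and `@description('Optional. Specify the name of lock. Defaults to \'lock-<resource name>\'.')`. The identical definition is added to modules/network/private-dns-zone/main.bicep and modules/network/private-link-service/main.bicep in this patch, so the wording should be updated in all three; it presumably propagates into the generated README and main.json on the next build.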
@@ -78,8 +100,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -93,7 +115,7 @@ } } }, - { + "networkWatcher": { "type": "Microsoft.Network/networkWatchers", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -101,21 +123,21 @@ "tags": "[parameters('tags')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "networkWatcher_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" + "networkWatcher" ] }, - { + "networkWatcher_roleAssignments": { "copy": { "name": "networkWatcher_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -289,10 +311,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" + "networkWatcher" ] }, - { + "networkWatcher_connectionMonitors": { "copy": { "name": "networkWatcher_connectionMonitors", "count": "[length(parameters('connectionMonitors'))]" @@ -462,10 +484,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" + "networkWatcher" ] }, - { + "networkWatcher_flowLogs": { "copy": { "name": "networkWatcher_flowLogs", "count": "[length(parameters('flowLogs'))]" @@ -679,10 +701,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" + "networkWatcher" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -710,7 +732,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkWatchers', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('networkWatcher', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/private-dns-zone/.test/common/main.test.bicep b/modules/network/private-dns-zone/.test/common/main.test.bicep index d3e5ad38db..b8fd61f780 100644 --- a/modules/network/private-dns-zone/.test/common/main.test.bicep +++ b/modules/network/private-dns-zone/.test/common/main.test.bicep @@ -102,7 +102,10 @@ module testDeployment '../../main.bicep' = { ttl: 3600 } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } mx: [ { mxRecords: [ diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index 54fc9873d1..e9f195e023 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md 
@@ -104,7 +104,10 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { } ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } mx: [ { mxRecords: [ @@ -315,7 +318,10 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "mx": { "value": [ @@ -536,7 +542,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { | [`cname`](#parameter-cname) | array | Array of CNAME records. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`mx`](#parameter-mx) | array | Array of MX records. | | [`ptr`](#parameter-ptr) | array | Array of PTR records. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -583,11 +589,30 @@ The location of the PrivateDNSZone. Should be global. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `mx` diff --git a/modules/network/private-dns-zone/main.bicep b/modules/network/private-dns-zone/main.bicep index 75d433791a..c504da6975 100644 --- a/modules/network/private-dns-zone/main.bicep +++ b/modules/network/private-dns-zone/main.bicep @@ -41,13 +41,8 @@ param roleAssignments array = [] @description('Optional. Tags of the resource.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -189,11 +184,11 @@ module privateDnsZone_virtualNetworkLinks 'virtual-network-link/main.bicep' = [f
 }
 }]
 
-resource privateDnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${privateDnsZone.name}-${lock}-lock'
+resource privateDnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: privateDnsZone
 }
@@ -222,3 +217,15 @@ output resourceId string = privateDnsZone.id
 
 @description('The location the resource was deployed into.')
 output location string = privateDnsZone.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json
index 575b535727..aebba29c1e 100644
--- a/modules/network/private-dns-zone/main.json
+++ b/modules/network/private-dns-zone/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7094231343264488816" + "templateHash": "13138896803212134974" }, "name": "Private DNS Zones", "description": "This module deploys a Private DNS zone.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -103,15 +131,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { @@ -125,8 +147,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -140,28 +162,28 @@ } } }, - { + "privateDnsZone": { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateDnsZone_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_A": { "copy": { "name": "privateDnsZone_A", "count": "[length(parameters('a'))]" @@ -480,10 +502,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_AAAA": { "copy": { "name": "privateDnsZone_AAAA", "count": "[length(parameters('aaaa'))]" @@ -802,10 +824,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_CNAME": { "copy": { "name": "privateDnsZone_CNAME", "count": "[length(parameters('cname'))]" 
@@ -1130,10 +1152,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_MX": { "copy": { "name": "privateDnsZone_MX", "count": "[length(parameters('mx'))]" @@ -1452,10 +1474,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_PTR": { "copy": { "name": "privateDnsZone_PTR", "count": "[length(parameters('ptr'))]" @@ -1774,10 +1796,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_SOA": { "copy": { "name": "privateDnsZone_SOA", "count": "[length(parameters('soa'))]" @@ -2096,10 +2118,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_SRV": { "copy": { "name": "privateDnsZone_SRV", "count": "[length(parameters('srv'))]" @@ -2418,10 +2440,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_TXT": { "copy": { "name": "privateDnsZone_TXT", "count": "[length(parameters('txt'))]" @@ -2740,10 +2762,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_virtualNetworkLinks": { "copy": { "name": "privateDnsZone_virtualNetworkLinks", "count": "[length(parameters('virtualNetworkLinks'))]" @@ -2895,10 +2917,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] }, - { + "privateDnsZone_roleAssignments": { "copy": { "name": "privateDnsZone_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -3072,10 +3094,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" + "privateDnsZone" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -3103,7 +3125,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateDnsZones', parameters('name')), '2020-06-01', 'full').location]" + "value": "[reference('privateDnsZone', '2020-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/.test/common/main.test.bicep index a33f922bd9..8b0abeaf5c 100644 --- a/modules/network/private-endpoint/.test/common/main.test.bicep +++ b/modules/network/private-endpoint/.test/common/main.test.bicep @@ -62,6 +62,7 @@ module testDeployment '../../main.bicep' = { subnetResourceId: nestedDependencies.outputs.subnetResourceId lock: { kind: 'CanNotDelete' + name: 'myCustomLockName' } privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 552f6fac64..f09fb62f47 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -68,6 +68,7 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { ] lock: { kind: 'CanNotDelete' + name: 'myCustomLockName' } privateDnsZoneResourceIds: [ '' @@ -141,7 +142,8 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { }, "lock": { "value": { - "kind": "CanNotDelete" + "kind": "CanNotDelete", + "name": "myCustomLockName" } }, "privateDnsZoneResourceIds": { diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index c432aaf71e..f5df07a07b 100644 --- a/modules/network/private-endpoint/main.bicep 
+++ b/modules/network/private-endpoint/main.bicep
@@ -150,7 +150,7 @@ output name string = privateEndpoint.name
 output location string = privateEndpoint.location
 
 // ================ //
-// Definitions //
+// Definitions //
 // ================ //
 
 type roleAssignmentType = {
diff --git a/modules/network/private-link-service/.test/common/main.test.bicep b/modules/network/private-link-service/.test/common/main.test.bicep
index 2566dda08b..b7cbc93723 100644
--- a/modules/network/private-link-service/.test/common/main.test.bicep
+++ b/modules/network/private-link-service/.test/common/main.test.bicep
@@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 ipConfigurations: [
 {
 name: '${serviceShort}01'
diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md
index a1182c3ce1..15bd8feb94 100644
--- a/modules/network/private-link-service/README.md
+++ b/modules/network/private-link-service/README.md
@@ -74,7 +74,10 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0'
 id: ''
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 roleAssignments: [
 {
 principalIds: [
@@ -155,7 +158,10 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0'
 ]
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "roleAssignments": {
 "value": [
@@ -291,7 +297,7 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' | [`ipConfigurations`](#parameter-ipconfigurations) | array | An array of private link service IP configurations. | | [`loadBalancerFrontendIpConfigurations`](#parameter-loadbalancerfrontendipconfigurations) | array | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | | [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | 
@@ -354,11 +360,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep index e9f91ecae5..3bcdd83798 100644 --- a/modules/network/private-link-service/main.bicep +++ b/modules/network/private-link-service/main.bicep @@ -8,13 +8,8 @@ param name string @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') param tags object = {} 
@@ -73,11 +68,11 @@ resource privateLinkService 'Microsoft.Network/privateLinkServices@2022-11-01' =
 }
 }
 
-resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${privateLinkService.name}-${lock}-lock'
+resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: privateLinkService
 }
@@ -106,3 +101,15 @@ output name string = privateLinkService.name
 
 @description('The location the resource was deployed into.')
 output location string = privateLinkService.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json
index fedfe30695..bca152c1d8 100644
--- a/modules/network/private-link-service/main.json
+++ b/modules/network/private-link-service/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15026904267969319263" + "templateHash": "8807571087134722220" }, "name": "Private Link Services", "description": "This module deploys a Private Link Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -108,8 +130,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -123,7 +145,7 @@ } } }, - { + "privateLinkService": { "type": "Microsoft.Network/privateLinkServices", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -139,21 +161,21 @@ "visibility": "[parameters('visibility')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateLinkService_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateLinkServices', parameters('name'))]" + "privateLinkService" ] }, - { + "privateLinkService_roleAssignments": { "copy": { "name": "privateLinkService_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -327,10 +349,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateLinkServices', parameters('name'))]" + "privateLinkService" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -358,7 +380,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateLinkServices', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('privateLinkService', '2022-11-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep index 73fe5bb4a5..eadd4eb23a 100644 --- a/modules/network/public-ip-address/.test/common/main.test.bicep +++ b/modules/network/public-ip-address/.test/common/main.test.bicep @@ -70,7 +70,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicIPAllocationMethod: 'Static' roleAssignments: [ { diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index d66c035af4..59af68c72d 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -51,7 +51,10 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicIPAllocationMethod: 'Static' roleAssignments: [ { @@ -110,7 +113,10 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "publicIPAllocationMethod": { "value": "Static" 
@@ -223,7 +229,7 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`fqdn`](#parameter-fqdn) | string | The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicIPAddressVersion`](#parameter-publicipaddressversion) | string | IP address version. | | [`publicIPAllocationMethod`](#parameter-publicipallocationmethod) | string | The public IP address allocation method. | | [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | @@ -323,11 +329,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep index 9df17390ea..b1258e8630 100644 
--- a/modules/network/public-ip-address/main.bicep +++ b/modules/network/public-ip-address/main.bicep @@ -70,13 +70,8 @@ param fqdn string = '' @description('Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN.') param reverseFqdn string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Location for all resources.') param location string = resourceGroup().location @@ -169,11 +164,11 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2023-04-01' = { } } -resource publicIpAddress_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${publicIpAddress.name}-${lock}-lock' +resource publicIpAddress_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: publicIpAddress } 
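Review bot: The deploy condition and the `level` fallback in `publicIpAddress_lock` disagree: a caller passing `lock: { name: 'x' }` with `kind` omitted satisfies `!empty(lock ?? {}) && lock.?kind != 'None'`, so the lock resource is deployed with `level: lock.?kind ?? ''`, an empty level that the locks API will most likely reject, turning a mistake in a hardening setting into a failed deployment rather than a compile-time error. Either tighten the condition to `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {` so `''` can never be emitted, or, preferably, since silently skipping a requested lock is fail-open for a protective control, make `kind` non-nullable in `lockType` so the omission is rejected at compile time. Note also that the default lock name changes here from `${publicIpAddress.name}-${lock}-lock` to `lock-${name}`; consumers upgrading an existing deployment will most likely keep the previously created lock alongside the new one, since an incremental deployment does not remove it.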
@@ -218,3 +213,15 @@ output ipAddress string = contains(publicIpAddress.properties, 'ipAddress') ? pu @description('The location the resource was deployed into.') output location string = publicIpAddress.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json index 583eea8a97..6f690a5a8f 100644 --- a/modules/network/public-ip-address/main.json +++ b/modules/network/public-ip-address/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -140,15 +168,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { 
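Review bot: `kind` is declared nullable in `lockType` (`kind: ('CanNotDelete' | 'ReadOnly' | 'None')?`) although the lock resource earlier in this file has no meaningful behaviour for a lock object without a kind (it falls back to `level: ''`), so the type admits a configuration the deployment cannot honour. Declaring it as `kind: 'CanNotDelete' | 'ReadOnly' | 'None'` keeps the object itself optional (the trailing `?` on the type stays) while making an omitted kind a compile-time error. The `name` description should also state the fallback, e.g. `@description('Optional. Specify the name of lock. Defaults to \'lock-<resourceName>\'.')`, and the module docs should mention that the former default `<resourceName>-<kind>-lock` is no longer used, so an existing lock with the old name is likely to remain after an upgrade until removed manually.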
@@ -237,8 +259,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -252,7 +274,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -272,21 +294,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -301,10 +323,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -478,10 +500,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -509,14 +531,14 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/public-ip-prefix/.test/common/main.test.bicep b/modules/network/public-ip-prefix/.test/common/main.test.bicep index 4c96332650..86dba8a94f 100644 --- a/modules/network/public-ip-prefix/.test/common/main.test.bicep +++ b/modules/network/public-ip-prefix/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' prefixLength: 28 - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index b10bc8730b..f19a2d2c8d 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md 
@@ -47,7 +47,10 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { prefixLength: 28 // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -90,7 +93,10 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -186,7 +192,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { | [`customIPPrefix`](#parameter-customipprefix) | object | The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -213,11 +219,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep index 2781103a65..8ee5bccc30 100644 --- a/modules/network/public-ip-prefix/main.bicep +++ b/modules/network/public-ip-prefix/main.bicep @@ -14,13 +14,8 @@ param location string = resourceGroup().location @maxValue(31) param prefixLength int -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -60,11 +55,11 @@ resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2023-04-01' = { } } -resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${publicIpPrefix.name}-${lock}-lock' +resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: publicIpPrefix } @@ -93,3 +88,15 @@ output name string = publicIpPrefix.name @description('The location the resource was deployed into.') output location string = publicIpPrefix.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index be4b9e2e6f..24715f2bfe 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json 
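Review bot: In `publicIpPrefix_lock` the condition accepts a lock object whose `kind` is omitted (`lock.?kind != 'None'` is true for a null kind), while the body then emits `level: lock.?kind ?? ''`, an empty lock level that is very likely rejected at deployment time. Align the two by gating on the kind, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, or better make `kind` required in `lockType` so the invalid object cannot be passed at all. As the same pattern is repeated in every module of this change, a shared fix in the type definition is preferable to patching each condition.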
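Review bot: The `name` property description in `lockType` (`Optional. Specify the name of lock.`) does not tell consumers what happens when it is omitted, although the resource above falls back to `lock-${name}`. Suggest `@description('Optional. Specify the name of lock. Defaults to \'lock-<resourceName>\'.')`, and a note in the module documentation that the previous default `<resourceName>-<kind>-lock` is no longer produced, since an already deployed lock with the old name is likely to persist through an incremental upgrade.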
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "823818284337127737" + "templateHash": "15055641726196349086" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -35,15 +63,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -75,8 +97,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -90,7 +112,7 @@ } } }, - { + "publicIpPrefix": { "type": "Microsoft.Network/publicIPPrefixes", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -105,21 +127,21 @@ "prefixLength": "[parameters('prefixLength')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpPrefix_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" + "publicIpPrefix" ] }, - { + "publicIpPrefix_roleAssignments": { "copy": { "name": "publicIpPrefix_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -293,10 +315,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" + "publicIpPrefix" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -324,7 +346,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpPrefix', '2023-04-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/network/route-table/.test/common/main.test.bicep b/modules/network/route-table/.test/common/main.test.bicep index 760b5c2741..cab828e429 100644 --- a/modules/network/route-table/.test/common/main.test.bicep +++ b/modules/network/route-table/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index ce2ec44629..385b178512 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -46,7 +46,10 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { name: 'nrtcom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -96,7 +99,10 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -199,7 +205,7 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { | [`disableBgpRoutePropagation`](#parameter-disablebgproutepropagation) | bool | Switch to disable BGP route propagation. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`routes`](#parameter-routes) | array | An Array of Routes to be established within the hub route table. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -227,11 +233,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/route-table/main.bicep b/modules/network/route-table/main.bicep index f32660a665..6a690a4a00 100644 --- a/modules/network/route-table/main.bicep +++ b/modules/network/route-table/main.bicep @@ -14,13 +14,8 @@ param routes array = [] @description('Optional. Switch to disable BGP route propagation.') param disableBgpRoutePropagation bool = false -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -53,11 +48,11 @@ resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = { } } -resource routeTable_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${routeTable.name}-${lock}-lock' +resource routeTable_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: routeTable } 
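Review bot: `routeTable_lock` is deployed whenever the lock object is non-empty and `kind` is not `'None'`, which includes the case where `kind` is simply absent; the body then sets `level: lock.?kind ?? ''`, and an empty lock level is very likely an invalid value for `Microsoft.Authorization/locks`, so a route table meant to be protected ends in a failed deployment. Use the kind as the gate, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, or make `kind` non-nullable in `lockType` so the gap is closed at compile time. Since the lock name no longer encodes the kind, switching `CanNotDelete` to `ReadOnly` now updates one lock in place rather than creating a second one, which is an improvement worth calling out in the module docs.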
@@ -86,3 +81,15 @@ output resourceId string = routeTable.id @description('The location the resource was deployed into.') output location string = routeTable.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json index af2f4acac1..06b736128a 100644 --- a/modules/network/route-table/main.json +++ b/modules/network/route-table/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14175124869769293837" + "templateHash": "7087068475486809138" }, "name": "Route Tables", "description": "This module deploys a User Defined Route Table (UDR).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -40,15 +68,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
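Review bot: `kind` should not be nullable in `lockType`: the `routeTable_lock` resource earlier in this file emits `level: lock.?kind ?? ''` when it is omitted, which the lock object type currently permits. Changing the member to `kind: 'CanNotDelete' | 'ReadOnly' | 'None'` (keeping the trailing `?` on the object type) makes a lock object without a kind a compile-time error while leaving the parameter optional. The `name` description should also document its fallback: `@description('Optional. Specify the name of lock. Defaults to \'lock-<resourceName>\'.')`.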
@@ -73,8 +95,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -88,7 +110,7 @@ } } }, - { + "routeTable": { "type": "Microsoft.Network/routeTables", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -99,21 +121,21 @@ "disableBgpRoutePropagation": "[parameters('disableBgpRoutePropagation')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "routeTable_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/routeTables/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" + "routeTable" ] }, - { + "routeTable_roleAssignments": { "copy": { "name": "routeTable_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -287,10 +309,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" + "routeTable" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -318,7 +340,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/routeTables', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('routeTable', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/service-endpoint-policy/.test/common/main.test.bicep b/modules/network/service-endpoint-policy/.test/common/main.test.bicep index ef6675cda3..82ee681383 100644 --- a/modules/network/service-endpoint-policy/.test/common/main.test.bicep +++ b/modules/network/service-endpoint-policy/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}-001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index f58b19c384..74b5e231a9 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -46,7 +46,10 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 name: 'nsnpcom-001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -99,7 +102,10 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -205,7 +211,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 | [`contextualServiceEndpointPolicies`](#parameter-contextualserviceendpointpolicies) | array | An Array of contextual service endpoint policy. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`serviceAlias`](#parameter-servicealias) | string | The alias indicating if the policy belongs to a service. | | [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | 
@@ -234,11 +240,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep index 357a2055e5..722a350d3a 100644 --- a/modules/network/service-endpoint-policy/main.bicep +++ b/modules/network/service-endpoint-policy/main.bicep @@ -17,13 +17,8 @@ param contextualServiceEndpointPolicies array = [] @description('Optional. The alias indicating if the policy belongs to a service.') param serviceAlias string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -57,11 +52,11 @@ resource serviceEndpointPolicy 'Microsoft.Network/serviceEndpointPolicies@2023-0
 }
 }
-resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${serviceEndpointPolicy.name}-${lock}-lock'
+resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: serviceEndpointPolicy
 }
@@ -90,3 +85,15 @@ output resourceId string = serviceEndpointPolicy.id
 @description('The location the resource was deployed into.')
 output location string = serviceEndpointPolicy.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json
index da6271e05c..9f43b9b6b0 100644
--- a/modules/network/service-endpoint-policy/main.json
+++ b/modules/network/service-endpoint-policy/main.json
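Review bot: The new guard `!empty(lock ?? {}) && lock.?kind != 'None'` admits a lock object that carries only `name`, because `lockType` declares `kind` nullable; such input then deploys `level: ''`, which is not a valid value for `Microsoft.Authorization/locks` and would be rejected at deployment time rather than at compile time. Guard on the field the resource actually consumes, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, after which the `?? ''` fallback on `level` is dead and can be dropped. The same condition is repeated in the trafficmanagerprofile, virtual-hub and virtual-network-gateway `main.bicep` lock hunks and flows into each generated `main.json`. Separately, the default lock name moves from `<name>-<kind>-lock` to `lock-<name>`, so re-running the module over an existing deployment keeps the old lock and adds a second one; that migration effect deserves a sentence in the README's `lock` section.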
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "702238259297546605" + "templateHash": "13410463869934874502" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -47,15 +75,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -80,8 +102,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -95,7 +117,7 @@ } } }, - { + "serviceEndpointPolicy": { "type": "Microsoft.Network/serviceEndpointPolicies", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -107,21 +129,21 @@ "serviceEndpointPolicyDefinitions": "[if(not(empty(parameters('serviceEndpointPolicyDefinitions'))), parameters('serviceEndpointPolicyDefinitions'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "serviceEndpointPolicy_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name'))]" + "serviceEndpointPolicy" ] }, - { + "serviceEndpointPolicy_roleAssignments": { "copy": { "name": "serviceEndpointPolicy_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -295,10 +317,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name'))]" + "serviceEndpointPolicy" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -326,7 +348,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('serviceEndpointPolicy', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep index 14ba90e0c3..9a466dd925 100644 --- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep @@ -71,7 +71,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 614ac693bf..a483630586 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -53,7 +53,10 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -108,7 +111,10 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -210,7 +216,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`endpoints`](#parameter-endpoints) | array | The list of endpoints in the Traffic Manager profile. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxReturn`](#parameter-maxreturn) | int | Maximum number of endpoints to be returned for MultiValue routing type. | | [`monitorConfig`](#parameter-monitorconfig) | object | The endpoint monitoring settings of the Traffic Manager profile. | | [`profileStatus`](#parameter-profilestatus) | string | The status of the Traffic Manager profile. | @@ -287,11 +293,30 @@ The list of endpoints in the Traffic Manager profile. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxReturn` diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index bfb057fe76..78383c2b97 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep 
@@ -62,13 +62,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -148,11 +143,11 @@ resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2018-08
 }
 }
-resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${trafficManagerProfile.name}-${lock}-lock'
+resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: trafficManagerProfile
 }
@@ -191,3 +186,15 @@ output resourceGroupName string = resourceGroup().name @description('The name of the traffic manager was deployed into.') output name string = trafficManagerProfile.name + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 2d333fa853..74da3a3382 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10820097547945525322" + "templateHash": "15585979978664772684" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -123,15 +151,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -211,8 +233,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -226,7 +248,7 @@ } } }, - { + "trafficManagerProfile": { "type": "Microsoft.Network/trafficmanagerprofiles", "apiVersion": "2018-08-01", "name": "[parameters('name')]", 
@@ -245,21 +267,21 @@ "maxReturn": "[parameters('maxReturn')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "trafficManagerProfile_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name'))]" + "trafficManagerProfile" ] }, - { + "trafficManagerProfile_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -274,10 +296,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name'))]" + "trafficManagerProfile" ] }, - { + "trafficManagerProfile_roleAssignments": { "copy": { "name": "trafficManagerProfile_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -451,10 +473,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name'))]" + "trafficManagerProfile" ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/network/virtual-hub/.test/common/main.test.bicep b/modules/network/virtual-hub/.test/common/main.test.bicep index f6186c40cf..52f78ecbb6 100644 --- a/modules/network/virtual-hub/.test/common/main.test.bicep +++ b/modules/network/virtual-hub/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } addressPrefix: '10.1.0.0/16' virtualWanId: nestedDependencies.outputs.virtualWWANResourceId hubRouteTables: [ diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index be143b75c0..8196fcc635 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -76,7 +76,10 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { } } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -143,7 +146,10 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "tags": { "value": { 
@@ -236,7 +242,7 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { | [`hubRouteTables`](#parameter-hubroutetables) | array | Route tables to create for the virtual hub. | | [`hubVirtualNetworkConnections`](#parameter-hubvirtualnetworkconnections) | array | Virtual network connections to create for the virtual hub. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`p2SVpnGatewayId`](#parameter-p2svpngatewayid) | string | Resource ID of the Point-to-Site VPN Gateway to link to. | | [`preferredRoutingGateway`](#parameter-preferredroutinggateway) | string | The preferred routing gateway types. | | [`routeTableRoutes`](#parameter-routetableroutes) | array | VirtualHub route tables. | @@ -299,11 +305,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/virtual-hub/main.bicep b/modules/network/virtual-hub/main.bicep index 282b1c1e98..8c18bacd2e 100644 --- a/modules/network/virtual-hub/main.bicep +++ b/modules/network/virtual-hub/main.bicep 
@@ -70,13 +70,8 @@ param hubRouteTables array = []
 @description('Optional. Virtual network connections to create for the virtual hub.')
 param hubVirtualNetworkConnections array = []
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -129,11 +124,11 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2022-11-01' = {
 }
 }
-resource virtualHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${virtualHub.name}-${lock}-lock'
+resource virtualHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: virtualHub
 }
@@ -175,3 +170,15 @@ output name string = virtualHub.name
 @description('The location the resource was deployed into.')
 output location string = virtualHub.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json
index 5e0c591d00..b5d004bbf0 100644
--- a/modules/network/virtual-hub/main.json
+++ b/modules/network/virtual-hub/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6969570927166088400" + "templateHash": "18370273919471051889" }, "name": "Virtual Hubs", "description": "This module deploys a Virtual Hub.\r\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -153,15 +181,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { @@ -175,8 +197,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -190,7 +212,7 @@ } } }, - { + "virtualHub": { "type": "Microsoft.Network/virtualHubs", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -215,21 +237,21 @@ "vpnGateway": "[if(not(empty(parameters('vpnGatewayId'))), createObject('id', parameters('vpnGatewayId')), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "virtualHub_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/virtualHubs/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualHubs', parameters('name'))]" + "virtualHub" ] }, - { + "virtualHub_routeTables": { "copy": { "name": "virtualHub_routeTables", "count": "[length(parameters('hubRouteTables'))]" @@ -354,10 +376,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualHubs', parameters('name'))]" + "virtualHub" ] }, - { + "virtualHub_hubVirtualNetworkConnections": { "copy": { "name": "virtualHub_hubVirtualNetworkConnections", "count": "[length(parameters('hubVirtualNetworkConnections'))]" @@ -494,11 +516,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualHubs', parameters('name'))]", + "virtualHub", "virtualHub_routeTables" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -526,7 +548,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/virtualHubs', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('virtualHub', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep index 3a784a64e4..fe61f76c04 100644 --- a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep @@ -75,7 +75,10 @@ module testDeployment '../../main.bicep' = { domainNameLabel: [ '${namePrefix}-dm-${serviceShort}' ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicIpZones: [ '1' '2' diff --git a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep index 16c5132474..1845a4fff4 100644 --- a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep @@ -77,7 +77,10 @@ module testDeployment '../../main.bicep' = { domainNameLabel: [ '${namePrefix}-dm-${serviceShort}' ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicIpZones: [ '1' '2' diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 98a0acccc9..d1424ab0b2 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -58,7 +58,10 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 'dm-nvngavpn' ] enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicIpZones: [ '1' '2' 
@@ -144,7 +147,10 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "publicIpZones": { "value": [ @@ -359,7 +365,10 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 enableDefaultTelemetry: '' enablePrivateIpAddress: true gatewayDefaultSiteLocalNetworkGatewayId: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } natRules: [ { externalMappings: [ @@ -483,7 +492,10 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "natRules": { "value": [ 
@@ -597,7 +609,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`gatewayDefaultSiteLocalNetworkGatewayId`](#parameter-gatewaydefaultsitelocalnetworkgatewayid) | string | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | | [`gatewayPipName`](#parameter-gatewaypipname) | string | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`natRules`](#parameter-natrules) | array | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | | [`publicIpdiagnosticLogCategoriesToEnable`](#parameter-publicipdiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | | [`publicIpDiagnosticSettingsName`](#parameter-publicipdiagnosticsettingsname) | string | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | 
@@ -782,11 +794,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index 3603f8132e..702b760280 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep @@ -127,13 +127,8 @@ param diagnosticEventHubName string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -402,11 +397,11 @@ module virtualNetworkGateway_natRules 'nat-rule/main.bicep' = [for (natRule, ind
 }
 }]
-resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${virtualNetworkGateway.name}-${lock}-lock'
+resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: virtualNetworkGateway
 }
@@ -454,3 +449,15 @@ output activeActive bool = virtualNetworkGateway.properties.activeActive
 @description('The location the resource was deployed into.')
 output location string = virtualNetworkGateway.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json
index 0404971daa..8e213cc2b9 100644
--- a/modules/network/virtual-network-gateway/main.json
+++ b/modules/network/virtual-network-gateway/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1318421731566619997" + "templateHash": "13696920156449738955" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -258,15 +286,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
@@ -395,8 +417,8 @@ "vpnClientConfiguration": "[if(not(empty(parameters('clientRootCertData'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 'vpnClientRootCertificates', createArray(createObject('name', 'RootCert1', 'properties', createObject('PublicCertData', parameters('clientRootCertData')))), 'vpnClientRevokedCertificates', if(not(empty(parameters('clientRevokedCertThumbprint'))), createArray(createObject('name', 'RevokedCert1', 'properties', createObject('Thumbprint', parameters('clientRevokedCertThumbprint')))), null())), if(not(empty(parameters('vpnClientAadConfiguration'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 'aadTenant', parameters('vpnClientAadConfiguration').aadTenant, 'aadAudience', parameters('vpnClientAadConfiguration').aadAudience, 'aadIssuer', parameters('vpnClientAadConfiguration').aadIssuer, 'vpnAuthenticationTypes', parameters('vpnClientAadConfiguration').vpnAuthenticationTypes, 'vpnClientProtocols', parameters('vpnClientAadConfiguration').vpnClientProtocols), null()))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -410,7 +432,7 @@ } } }, - { + "virtualNetworkGateway": { "type": "Microsoft.Network/virtualNetworkGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -441,21 +463,21 @@ "publicIPAddress" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "virtualNetworkGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" + "virtualNetworkGateway" ] }, - { + "virtualNetworkGateway_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -470,10 +492,10 @@ "logs": "[variables('virtualNetworkGatewayDiagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" + "virtualNetworkGateway" ] }, - { + "publicIPAddress": { "copy": { "name": "publicIPAddress", "count": "[length(variables('virtualGatewayPipNameVar'))]", 
@@ -535,17 +557,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4317747709004918530" + "templateHash": "7177220893233117141" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -675,15 +725,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "location": { @@ -772,8 +816,8 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -787,7 +831,7 @@ } } }, - { + "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -807,21 +851,21 @@ "ipTags": [] } }, - { - "condition": "[not(empty(parameters('lock')))]", + "publicIpAddress_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -836,10 +880,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] }, - { + "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1013,10 +1057,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + "publicIpAddress" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1044,20 +1088,20 @@ "metadata": { "description": "The public IP address of the public IP address resource." }, - "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01').ipAddress, '')]" + "value": "[if(contains(reference('publicIpAddress'), 'ipAddress'), reference('publicIpAddress').ipAddress, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('publicIpAddress', '2023-04-01', 'full').location]" } } } } }, - { + "virtualNetworkGateway_natRules": { "copy": { "name": "virtualNetworkGateway_natRules", "count": "[length(parameters('natRules'))]" @@ -1219,10 +1263,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" + "virtualNetworkGateway" ] }, - { + "virtualNetworkGateway_roleAssignments": { "copy": { "name": "virtualNetworkGateway_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1396,10 +1440,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" + "virtualNetworkGateway" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", 
@@ -1427,14 +1471,14 @@ "metadata": { "description": "Shows if the virtual network gateway is configured in active-active mode." }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), '2023-04-01').activeActive]" + "value": "[reference('virtualNetworkGateway').activeActive]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('virtualNetworkGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/.test/common/main.test.bicep index 832c76cfc0..766e2acdb0 100644 --- a/modules/network/virtual-network/.test/common/main.test.bicep +++ b/modules/network/virtual-network/.test/common/main.test.bicep @@ -80,7 +80,10 @@ module testDeployment '../../main.bicep' = { '10.0.1.4' '10.0.1.5' ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index cff0a58411..0710f85a85 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -63,7 +63,10 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { ] enableDefaultTelemetry: '' flowTimeoutInMinutes: 20 - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -176,7 +179,10 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "value": 20 }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -441,7 +447,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`flowTimeoutInMinutes`](#parameter-flowtimeoutinminutes) | int | The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`peerings`](#parameter-peerings) | array | Virtual Network Peerings configurations. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`subnets`](#parameter-subnets) | array | An Array of subnets to deploy to the Virtual Network. | 
@@ -543,11 +549,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep index 1b00114e5e..83da2e2521 100644 --- a/modules/network/virtual-network/main.bicep +++ b/modules/network/virtual-network/main.bicep @@ -49,13 +49,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -232,11 +227,11 @@ module virtualNetwork_peering_remote 'virtual-network-peering/main.bicep' = [for } }] -resource virtualNetwork_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${virtualNetwork.name}-${lock}-lock' +resource virtualNetwork_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: virtualNetwork } @@ -287,3 +282,15 @@ output location string = virtualNetwork.location @description('The Diagnostic Settings of the virtual network.') output diagnosticsLogs array = diagnosticsLogs + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index 2da9232c9d..aa8e8ff76e 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json 
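Review bot: The default lock name changes from `${virtualNetwork.name}-${lock}-lock` to `lock-${name}`, so redeploying this module over a virtual network that already carries the old-style lock will create a second lock rather than updating the first, and the stale `<vnet>-CanNotDelete-lock` (or `-ReadOnly-lock`) keeps protecting the resource until someone removes it out of band. A caller can avoid the duplicate by passing the previous name through the new `lock.name` field, but neither the hunk nor the `lockType` description points that out. I would say it on the type, which is declared in the second hunk on this line: `@description('Optional. Specify the name of lock. Defaults to \'lock-<resourceName>\'; pass the previously deployed lock name when upgrading an existing deployment so the old lock is updated instead of duplicated.')`.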
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6996162426151376576" + "templateHash": "13568581294067247622" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -114,15 +142,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -209,8 +231,8 @@ }, "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -224,7 +246,7 @@ } } }, - { + "virtualNetwork": { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -264,21 +286,21 @@ "flowTimeoutInMinutes": "[if(not(equals(parameters('flowTimeoutInMinutes'), 0)), parameters('flowTimeoutInMinutes'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "virtualNetwork_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] }, - { + "virtualNetwork_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -293,10 +315,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] }, - { + "virtualNetwork_subnets": { "copy": { "name": "virtualNetwork_subnets", "count": "[length(parameters('subnets'))]" 
@@ -721,10 +743,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] }, - { + "virtualNetwork_peering_local": { "copy": { "name": "virtualNetwork_peering_local", "count": "[length(parameters('peerings'))]" @@ -887,10 +909,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] }, - { + "virtualNetwork_peering_remote": { "copy": { "name": "virtualNetwork_peering_remote", "count": "[length(parameters('peerings'))]" @@ -1056,10 +1078,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] }, - { + "virtualNetwork_roleAssignments": { "copy": { "name": "virtualNetwork_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1233,10 +1255,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "virtualNetwork" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1284,7 +1306,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('virtualNetwork', '2023-04-01', 'full').location]" }, "diagnosticsLogs": { "type": "array", diff --git a/modules/network/virtual-wan/.test/common/main.test.bicep b/modules/network/virtual-wan/.test/common/main.test.bicep index ab7ace98d9..cc243543eb 100644 --- a/modules/network/virtual-wan/.test/common/main.test.bicep +++ b/modules/network/virtual-wan/.test/common/main.test.bicep @@ -55,7 +55,10 @@ module testDeployment '../../main.bicep' = { allowBranchToBranchTraffic: true allowVnetToVnetTraffic: true disableVpnEncryption: true - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 4d6f442bb2..208fd58305 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -49,7 +49,10 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { allowVnetToVnetTraffic: true disableVpnEncryption: true enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -99,7 +102,10 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -195,7 +201,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { | [`disableVpnEncryption`](#parameter-disablevpnencryption) | bool | VPN encryption to be disabled or not. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`type`](#parameter-type) | string | The type of the Virtual WAN. | 
@@ -237,11 +243,30 @@ Location where all resources will be created. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep index 320389906b..6c9d775386 100644 --- a/modules/network/virtual-wan/main.bicep +++ b/modules/network/virtual-wan/main.bicep @@ -33,13 +33,8 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -65,11 +60,11 @@ resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { } } -resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${virtualWan.name}-${lock}-lock' +resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: virtualWan } @@ -98,3 +93,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = virtualWan.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index f7c0e84e62..6c7e53b57c 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json 
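Review bot: The `kind` member of `lockType` in the second hunk on this line is documented only as "Specify the type of lock.", which leaves callers guessing what `'None'` means versus omitting the parameter and what each level actually blocks, even though the `notes` strings in `virtualWan_lock` spell that out. I would move that contract into the description so it shows up in the generated README: `@description('Optional. Specify the type of lock. \'None\' (or omitting the lock parameter) deploys no lock; \'CanNotDelete\' blocks deletion of the Virtual WAN and its child resources; \'ReadOnly\' additionally blocks modification.')`. Note also that `level: lock.?kind ?? ''` falls through to an empty string when `kind` is omitted but `name` is set, since `!empty(lock ?? {})` is satisfied by `{ name: 'x' }`; whether the locks API accepts an empty level is not visible here, so that case deserves an explicit test or a tighter guard.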
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6166970702359791938" + "templateHash": "11532161823681864290" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "location": { "type": "string", @@ -79,20 +107,14 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -106,7 +128,7 @@ } } }, - { + "virtualWan": { "type": "Microsoft.Network/virtualWans", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -119,21 +141,21 @@ "type": "[parameters('type')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "virtualWan_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualWans', parameters('name'))]" + "virtualWan" ] }, - { + "virtualWan_roleAssignments": { "copy": { "name": "virtualWan_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -307,10 +329,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualWans', parameters('name'))]" + "virtualWan" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -338,7 +360,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/virtualWans', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('virtualWan', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/vpn-gateway/.test/common/main.test.bicep b/modules/network/vpn-gateway/.test/common/main.test.bicep index 7496548a25..9c12de8234 100644 
--- a/modules/network/vpn-gateway/.test/common/main.test.bicep +++ b/modules/network/vpn-gateway/.test/common/main.test.bicep @@ -72,7 +72,10 @@ module testDeployment '../../main.bicep' = { routingWeight: 0 } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } natRules: [ { externalMappings: [ diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 67cfe344a8..5328158034 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -53,7 +53,10 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { peerWeight: 0 } enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } natRules: [ { externalMappings: [ @@ -124,7 +127,10 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "natRules": { "value": [ @@ -246,7 +252,7 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`isRoutingPreferenceInternet`](#parameter-isroutingpreferenceinternet) | bool | Enable routing preference property for the public IP interface of the VPN gateway. | | [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`natRules`](#parameter-natrules) | array | List of all the NAT Rules to associate with the gateway. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnConnections`](#parameter-vpnconnections) | array | The VPN connections to create in the VPN gateway. | 
@@ -289,11 +295,30 @@ Location where all resources will be created. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/network/vpn-gateway/main.bicep b/modules/network/vpn-gateway/main.bicep index 58acd01951..748199118f 100644 --- a/modules/network/vpn-gateway/main.bicep +++ b/modules/network/vpn-gateway/main.bicep @@ -32,13 +32,8 @@ param vpnGatewayScaleUnit int = 2 @description('Optional. Tags of the resource.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -72,11 +67,11 @@ resource vpnGateway 'Microsoft.Network/vpnGateways@2023-04-01' = { } } -resource vpnGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${vpnGateway.name}-${lock}-lock' +resource vpnGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: vpnGateway } @@ -129,3 +124,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = vpnGateway.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json index 16bd090a25..553c9b6c38 100644 --- a/modules/network/vpn-gateway/main.json +++ b/modules/network/vpn-gateway/main.json 
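Review bot: In the `vpnGateway_lock` condition, a `lock` object that carries only `name` and no `kind` still satisfies `!empty(lock ?? {}) && lock.?kind != 'None'`, so the lock resource is deployed with `level: lock.?kind ?? ''`, and an empty level is not one of the values the locks API accepts, so the deployment will most likely fail instead of simply skipping the lock. Tightening the guard to `resource vpnGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if ((lock.?kind ?? 'None') != 'None') {` makes a missing `kind` behave like `'None'`, which is what the "Optional. Specify the type of lock." description on `lockType` in the `@@ -129,3 +124,15 @@` hunk leads a caller to expect; alternatively make `kind` non-nullable in `lockType` and state in its description that it must be given whenever `lock` is set. The same condition and `?? ''` fallback are repeated in `vpnSite_lock` (modules/network/vpn-site/main.bicep), `logAnalyticsWorkspace_lock` (modules/operational-insights/workspace/main.bicep) and `powerbi_lock` (modules/power-bi-dedicated/capacity/main.bicep) later in this patch. The default lock name also changes from `${vpnGateway.name}-${lock}-lock` to `lock-${name}`, so a sentence in the `lock` parameter description noting that upgrading an existing deployment leaves the previously created lock in place next to the new one would save operators a surprise.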
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9631635231747205865" + "templateHash": "18343688551152828699" }, "name": "VPN Gateways", "description": "This module deploys a VPN Gateway.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -81,15 +109,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { @@ -103,8 +125,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -118,7 +140,7 @@ } } }, - { + "vpnGateway": { "type": "Microsoft.Network/vpnGateways", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -134,21 +156,21 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "vpnGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/vpnGateways/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/vpnGateways', parameters('name'))]" + "vpnGateway" ] }, - { + "vpnGateway_natRules": { "copy": { "name": "vpnGateway_natRules", "count": "[length(parameters('natRules'))]" @@ -310,10 +332,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/vpnGateways', parameters('name'))]" + "vpnGateway" ] }, - { + "vpnGateway_vpnConnections": { "copy": { "name": "vpnGateway_vpnConnections", "count": "[length(parameters('vpnConnections'))]" @@ -550,10 +572,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/vpnGateways', parameters('name'))]" + "vpnGateway" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -581,7 +603,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/vpnGateways', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('vpnGateway', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/vpn-site/.test/common/main.test.bicep b/modules/network/vpn-site/.test/common/main.test.bicep index bfcbcbb6ad..2bdea975b3 100644 --- a/modules/network/vpn-site/.test/common/main.test.bicep +++ b/modules/network/vpn-site/.test/common/main.test.bicep @@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' virtualWanId: nestedDependencies.outputs.virtualWWANResourceId - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' tagA: 'valueA' diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index d231248df9..c04dae993b 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -51,7 +51,10 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { linkSpeedInMbps: 0 } enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } o365Policy: { breakOutCategories: { allow: true @@ -136,7 +139,10 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "o365Policy": { "value": { 
@@ -294,7 +300,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { | [`ipAddress`](#parameter-ipaddress) | string | The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | | [`isSecuritySite`](#parameter-issecuritysite) | bool | IsSecuritySite flag. | | [`location`](#parameter-location) | string | Location where all resources will be created. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`o365Policy`](#parameter-o365policy) | object | The Office365 breakout policy. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -351,11 +357,30 @@ Location where all resources will be created. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep index 3d50b1d9d2..f743eabaa2 100644 --- a/modules/network/vpn-site/main.bicep +++ b/modules/network/vpn-site/main.bicep @@ -38,13 +38,8 @@ param enableDefaultTelemetry bool = true @description('Optional. List of all VPN site links.') param vpnSiteLinks array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -81,11 +76,11 @@ resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = { } } -resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${vpnSite.name}-${lock}-lock' +resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: vpnSite } 
@@ -110,3 +105,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = vpnSite.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index 859ddc6ba1..5e8f72b522 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1375112363272688444" + "templateHash": "18191511551539064045" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -95,15 +123,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -114,8 +136,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -129,7 +151,7 @@ } } }, - { + "vpnSite": { "type": "Microsoft.Network/vpnSites", "apiVersion": "2023-04-01", "name": "[parameters('name')]", @@ -148,21 +170,21 @@ "vpnSiteLinks": "[if(not(empty(parameters('vpnSiteLinks'))), parameters('vpnSiteLinks'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "vpnSite_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/vpnSites', parameters('name'))]" + "vpnSite" ] }, - { + "vpnSite_roleAssignments": { "copy": { "name": "vpnSite_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -277,10 +299,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/vpnSites', parameters('name'))]" + "vpnSite" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -308,7 +330,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/vpnSites', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('vpnSite', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/operational-insights/workspace/.test/adv/main.test.bicep b/modules/operational-insights/workspace/.test/adv/main.test.bicep index f449c7cc6d..b18387c3af 100644 --- a/modules/operational-insights/workspace/.test/adv/main.test.bicep +++ b/modules/operational-insights/workspace/.test/adv/main.test.bicep @@ -181,7 +181,10 @@ module testDeployment '../../main.bicep' = { resourceId: nestedDependencies.outputs.storageAccountResourceId } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' savedSearches: [ diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep index 2e994d7fed..8f4ef65925 100644 --- a/modules/operational-insights/workspace/.test/common/main.test.bicep +++ b/modules/operational-insights/workspace/.test/common/main.test.bicep @@ -182,7 +182,10 @@ module testDeployment '../../main.bicep' = { resourceId: nestedDependencies.outputs.storageAccountResourceId } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' savedSearches: [ diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index b0e47dc105..e5ce2697aa 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md 
@@ -193,7 +193,10 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { resourceId: '' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' savedSearches: [ @@ -461,7 +464,10 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "publicNetworkAccessForIngestion": { "value": "Disabled" @@ -699,7 +705,10 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { resourceId: '' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' roleAssignments: [ @@ -894,7 +903,10 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "publicNetworkAccessForIngestion": { "value": "Disabled" 
@@ -1039,7 +1051,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { | [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the log analytics workspace. | | [`linkedServices`](#parameter-linkedservices) | array | List of services to be linked. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Log Analytics ingestion. | | [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Log Analytics query. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -1176,11 +1188,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep index d162a45732..b16423bc9a 100644 --- a/modules/operational-insights/workspace/main.bicep +++ b/modules/operational-insights/workspace/main.bicep @@ -97,13 +97,8 @@ param diagnosticEventHubName string = '' @description('Optional. Indicates whether customer managed storage is mandatory for query management.') param forceCmkForQuery bool = true -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -324,11 +319,11 @@ module logAnalyticsWorkspace_solutions '../../operations-management/solution/mai } }] -resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${logAnalyticsWorkspace.name}-${lock}-lock' +resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: logAnalyticsWorkspace } @@ -363,3 +358,15 @@ output location string = logAnalyticsWorkspace.location @description('The principal ID of the system assigned identity.') output systemAssignedIdentityPrincipalId string = systemAssignedIdentity && contains(logAnalyticsWorkspace.identity, 'principalId') ? logAnalyticsWorkspace.identity.principalId : '' + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index 67aba2675c..df8e6a3a74 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13390587976888913833" + "templateHash": "8781060608655801013" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -203,15 +231,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -295,8 +317,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -310,7 +332,7 @@ } } }, - { + "logAnalyticsWorkspace": { "type": "Microsoft.OperationalInsights/workspaces", "apiVersion": "2022-10-01", "name": "[parameters('name')]", @@ -335,7 +357,7 @@ }, "identity": "[variables('identity')]" }, - { + "logAnalyticsWorkspace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -350,24 +372,24 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "logAnalyticsWorkspace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_storageInsightConfigs": { "copy": { "name": "logAnalyticsWorkspace_storageInsightConfigs", "count": "[length(parameters('storageInsightsConfigs'))]" @@ -511,10 +533,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_linkedServices": { "copy": { "name": "logAnalyticsWorkspace_linkedServices", "count": "[length(parameters('linkedServices'))]" 
@@ -647,10 +669,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_linkedStorageAccounts": { "copy": { "name": "logAnalyticsWorkspace_linkedStorageAccounts", "count": "[length(parameters('linkedStorageAccounts'))]" @@ -775,10 +797,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_savedSearches": { "copy": { "name": "logAnalyticsWorkspace_savedSearches", "count": "[length(parameters('savedSearches'))]" @@ -959,11 +981,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]", + "logAnalyticsWorkspace", "logAnalyticsWorkspace_linkedStorageAccounts" ] }, - { + "logAnalyticsWorkspace_dataExports": { "copy": { "name": "logAnalyticsWorkspace_dataExports", "count": "[length(parameters('dataExports'))]" @@ -1099,10 +1121,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_dataSources": { "copy": { "name": "logAnalyticsWorkspace_dataSources", "count": "[length(parameters('dataSources'))]" @@ -1337,10 +1359,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_tables": { "copy": { "name": "logAnalyticsWorkspace_tables", "count": "[length(parameters('tables'))]" @@ -1509,10 +1531,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_solutions": { "copy": { "name": "logAnalyticsWorkspace_solutions", "count": "[length(parameters('gallerySolutions'))]" 
@@ -1665,10 +1687,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] }, - { + "logAnalyticsWorkspace_roleAssignments": { "copy": { "name": "logAnalyticsWorkspace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1821,10 +1843,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" + "logAnalyticsWorkspace" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -1852,21 +1874,21 @@ "metadata": { "description": "The ID associated with the workspace." }, - "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2022-10-01').customerId]" + "value": "[reference('logAnalyticsWorkspace').customerId]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('logAnalyticsWorkspace', '2022-10-01', 'full').location]" }, "systemAssignedIdentityPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2022-10-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2022-10-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity.principalId, '')]" } } } \ No newline at end of file 
diff --git a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep index e2222db5b8..9492810703 100644 --- a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' skuCapacity: 1 - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } members: [ nestedDependencies.outputs.managedIdentityPrincipalId ] diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 8257071543..3f4ceb5003 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -14,7 +14,7 @@ This module deploys a Power BI Dedicated Capacity. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2016-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/locks) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.PowerBIDedicated/capacities` | [2021-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.PowerBIDedicated/2021-01-01/capacities) | @@ -50,7 +50,10 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { skuCapacity: 1 // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ 
@@ -98,7 +101,10 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ @@ -202,7 +208,7 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`mode`](#parameter-mode) | string | Mode of the resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`skuName`](#parameter-skuname) | string | SkuCapacity of the resource. | 
@@ -225,11 +231,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, NotSpecified, ReadOnly]` ### Parameter: `members`
diff --git a/modules/power-bi-dedicated/capacity/main.bicep b/modules/power-bi-dedicated/capacity/main.bicep
index e6918730b0..7da60eafd3 100644
--- a/modules/power-bi-dedicated/capacity/main.bicep
+++ b/modules/power-bi-dedicated/capacity/main.bicep
@@ -46,14 +46,8 @@ param members array
 @description('Optional. Mode of the resource.')
 param mode string = 'Gen2'
 
-@allowed([
- ''
- 'CanNotDelete'
- 'NotSpecified'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -87,11 +81,11 @@ resource powerbi 'Microsoft.PowerBIDedicated/capacities@2021-01-01' = {
 }
 }
 
-resource powerbi_lock 'Microsoft.Authorization/locks@2016-09-01' = if (!empty(lock)) {
- name: '${powerbi.name}-${lock}-lock'
+resource powerbi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: lock
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: powerbi
 }
@@ -115,3 +109,15 @@ output name string = powerbi.name
 
 @description('The location the resource was deployed into.')
 output location string = powerbi.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json
index aafdb27cf3..374cd8802c 100644
--- a/modules/power-bi-dedicated/capacity/main.json
+++ b/modules/power-bi-dedicated/capacity/main.json
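Review bot: The new `powerbi_lock` condition lets a lock object that sets only `name` through: `!empty(lock ?? {}) && lock.?kind != 'None'` is true when `kind` is omitted, so the resource is deployed with `level: lock.?kind ?? ''`, and an empty level is not a valid lock level — the deployment is likely to be rejected by the locks API rather than the lock being skipped. Gate on the kind itself, `if (lock.?kind != null && lock.?kind != 'None')`, after which `level: lock.?kind` needs no `?? ''` fallback; alternatively make `kind` non-nullable in `lockType`. `account_lock` in modules/purview/account/main.bicep has the same condition and the same gap. Separately, the default lock name moves from `'${powerbi.name}-${lock}-lock'` to `'lock-${name}'`; an incremental redeploy does not remove the previously created lock, so existing deployments end up with two locks unless the old one is removed by hand — worth a sentence in the README or the module changelog.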
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9399428020393768552"
+ "templateHash": "14918936094313843131"
 },
 "name": "Power BI Dedicated Capacities",
 "description": "This module deploys a Power BI Dedicated Capacity.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -90,16 +118,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "NotSpecified",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 },
 "roleAssignments": {
@@ -110,8 +131,8 @@
 }
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -125,7 +146,7 @@
 }
 }
 },
- {
+ "powerbi": {
 "type": "Microsoft.PowerBIDedicated/capacities",
 "apiVersion": "2021-01-01",
 "name": "[parameters('name')]",
@@ -143,21 +164,21 @@
 "mode": "[parameters('mode')]"
 }
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "powerbi_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
- "apiVersion": "2016-09-01",
+ "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.PowerBIDedicated/capacities/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name'))]"
+ "powerbi"
 ]
 },
- {
+ "powerbi_rbac": {
 "copy": {
 "name": "powerbi_rbac",
 "count": "[length(parameters('roleAssignments'))]"
@@ -232,10 +253,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name'))]"
+ "powerbi"
 ]
 }
- ],
+ },
 "outputs": {
 "resourceId": {
 "type": "string",
@@ -263,7 +284,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name')), '2021-01-01', 'full').location]"
+ "value": "[reference('powerbi', '2021-01-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep
index e2746b7ebf..1db2c2caf0 100644
--- a/modules/purview/account/.test/common/main.test.bicep
+++ b/modules/purview/account/.test/common/main.test.bicep
@@ -92,11 +92,9 @@ module testDeployment '../../main.bicep' = {
 ]
 accountPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.purviewAccountPrivateDNSResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.purviewAccountPrivateDNSResourceId
+ ]
 service: 'account'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
@@ -108,11 +106,9 @@ module testDeployment '../../main.bicep' = {
 ]
 portalPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.purviewPortalPrivateDNSResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.purviewPortalPrivateDNSResourceId
+ ]
 service: 'portal'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
@@ -124,11 +120,9 @@ module testDeployment '../../main.bicep' = {
 ]
 storageBlobPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.storageBlobPrivateDNSResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.storageBlobPrivateDNSResourceId
+ ]
 service: 'blob'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
@@ -140,11 +134,9 @@ module testDeployment '../../main.bicep' = {
 ]
 storageQueuePrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.storageQueuePrivateDNSResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.storageQueuePrivateDNSResourceId
+ ]
 service: 'queue'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
@@ -156,11 +148,9 @@ module testDeployment '../../main.bicep' = {
 ]
 eventHubPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- nestedDependencies.outputs.eventHubPrivateDNSResourceId
- ]
- }
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.eventHubPrivateDNSResourceId
+ ]
 service: 'namespace'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
@@ -173,6 +163,9 @@ module testDeployment '../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 diagnosticLogCategoriesToEnable: [ 'allLogs' ]
 diagnosticMetricsToEnable: [ 'AllMetrics' ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 }
 }
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md
index 78a48d77ad..c41e02d5c5 100644
--- a/modules/purview/account/README.md
+++ b/modules/purview/account/README.md
@@ -50,11 +50,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 // Non-required parameters
 accountPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'account'
 subnetResourceId: ''
 tags: {
@@ -77,11 +75,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 enableDefaultTelemetry: ''
 eventHubPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'namespace'
 subnetResourceId: ''
 tags: {
@@ -92,15 +88,16 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 }
 ]
 location: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 managedResourceGroupName: 'pvacom001-managed-rg'
 portalPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'portal'
 subnetResourceId: ''
 tags: {
@@ -122,11 +119,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 ]
 storageBlobPrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'blob'
 subnetResourceId: ''
 tags: {
@@ -138,11 +133,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 ]
 storageQueuePrivateEndpoints: [
 {
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
- ''
- ]
- }
+ privateDnsZoneResourceIds: [
+ ''
+ ]
 service: 'queue'
 subnetResourceId: ''
 tags: {
@@ -184,11 +177,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "accountPrivateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "account",
 "subnetResourceId": "",
 "tags": {
@@ -227,11 +218,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "eventHubPrivateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "namespace",
 "subnetResourceId": "",
 "tags": {
@@ -246,7 +235,10 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "managedResourceGroupName": {
 "value": "pvacom001-managed-rg"
@@ -254,11 +246,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "portalPrivateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "portal",
 "subnetResourceId": "",
 "tags": {
@@ -286,11 +276,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "storageBlobPrivateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "blob",
 "subnetResourceId": "",
 "tags": {
@@ -304,11 +292,9 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 "storageQueuePrivateEndpoints": {
 "value": [
 {
- "privateDnsZoneGroup": {
- "privateDNSResourceIds": [
- ""
- ]
- },
+ "privateDnsZoneResourceIds": [
+ ""
+ ],
 "service": "queue",
 "subnetResourceId": "",
 "tags": {
@@ -414,7 +400,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. |
 | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
@@ -505,11 +491,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedResourceGroupName`
diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep
index a28b7465fe..c954128917 100644
--- a/modules/purview/account/main.bicep
+++ b/modules/purview/account/main.bicep
@@ -83,13 +83,8 @@ param diagnosticMetricsToEnable array = [
 @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
 param diagnosticSettingsName string = ''
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 // =========== //
 // Variables //
@@ -146,16 +141,16 @@ resource account 'Microsoft.Purview/accounts@2021-07-01' = {
 }
 }
 
-resource purview_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${account.name}-${lock}-lock'
+resource account_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: account
 }
 
-resource purview_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+resource account_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
 name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
 properties: {
 storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
@@ -179,7 +174,7 @@ module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [f
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -203,7 +198,7 @@ module portal_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
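Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for every private endpoint from no lock to the account's lock, so a `ReadOnly` or `CanNotDelete` lock on the account now also lands on the endpoints (and, through the nested module, presumably on their DNS zone groups) unless the endpoint object carries its own `lock`. That is a sensible default but nothing states it: the new `param lock` description reads `Optional. The lock settings of the service.` and the README repeats that line. Suggest `@description('Optional. The lock settings of the service. Unless a private endpoint specifies its own lock, the same lock is applied to the private endpoints as well.')` on `param lock`, with the README regenerated from it. The same expression is introduced in the portal hunk below and in the blob, queue and event hub private endpoint hunks that follow; whether `../../network/private-endpoint/main.bicep` already accepts the object-typed lock is not visible here and should be confirmed. Each module block in these hunks starts and ends outside the hunk.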
@@ -227,7 +222,7 @@ module blob_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -251,7 +246,7 @@ module queue_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -275,7 +270,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -288,7 +283,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 }
 }]
 
-module purview_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module account_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-Account-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
@@ -327,3 +322,15 @@ output managedEventHubId string = account.properties.managedResources.eventHubNa
 
 @description('The principal ID of the system assigned identity.')
 output systemAssignedPrincipalId string = account.identity.principalId
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json
index 6e06abbf04..fb86ba2b52 100644
--- a/modules/purview/account/main.json
+++ b/modules/purview/account/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15558179031727764706"
+ "templateHash": "8110028747434281687"
 },
 "name": "Purview Accounts",
 "description": "This module deploys a Purview Account.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -173,15 +201,9 @@
 }
 },
 "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
 "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
 }
 }
 },
@@ -210,8 +232,8 @@
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -225,7 +247,7 @@
 }
 }
 },
- {
+ "account": {
 "type": "Microsoft.Purview/accounts",
 "apiVersion": "2021-07-01",
 "name": "[parameters('name')]",
@@ -238,21 +260,21 @@
 "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
 }
 },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "account_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
 "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Purview/accounts', parameters('name'))]"
+ "account"
 ]
 },
- {
+ "account_diagnosticSettings": {
 "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
@@ -267,10 +289,10 @@
 "logs": "[variables('diagnosticsLogs')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Purview/accounts', parameters('name'))]"
+ "account"
 ]
 },
- {
+ "account_privateEndpoints": {
 "copy": {
 "name": "account_privateEndpoints",
 "count": "[length(parameters('accountPrivateEndpoints'))]"
@@ -300,7 +322,9 @@
 "value": "[variables('enableReferencedModulesTelemetry')]"
 },
 "location": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('accountPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
- "lock": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "privateDnsZoneGroupName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
@@ -794,10 +818,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Purview/accounts', parameters('name'))]"
+ "account"
 ]
 },
- {
+ "portal_privateEndpoints": {
 "copy": {
 "name": "portal_privateEndpoints",
 "count": "[length(parameters('portalPrivateEndpoints'))]"
@@ -827,7 +851,9 @@
 "value": "[variables('enableReferencedModulesTelemetry')]"
 },
 "location": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('portalPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
- "lock": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "privateDnsZoneGroupName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
@@ -1321,10 +1347,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Purview/accounts', parameters('name'))]"
+ "account"
 ]
 },
- {
+ "blob_privateEndpoints": {
 "copy": {
 "name": "blob_privateEndpoints",
 "count": "[length(parameters('storageBlobPrivateEndpoints'))]"
@@ -1345,7 +1371,7 @@
 },
 "name": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('storageBlobPrivateEndpoints')[copyIndex()].service, copyIndex())))]",
 "serviceResourceId": {
- "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.storageAccount]"
+ "value": "[reference('account').managedResources.storageAccount]"
 },
 "subnetResourceId": {
 "value": "[parameters('storageBlobPrivateEndpoints')[copyIndex()].subnetResourceId]"
@@ -1354,7 +1380,9 @@
 "value": "[variables('enableReferencedModulesTelemetry')]"
 },
 "location": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageBlobPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
- "lock": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]",
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
 "privateDnsZoneGroupName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
@@ -1848,10 +1876,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Purview/accounts', parameters('name'))]"
+ "account"
 ]
 },
- {
+ "queue_privateEndpoints": {
 "copy": {
 "name": "queue_privateEndpoints",
 "count": "[length(parameters('storageQueuePrivateEndpoints'))]"
@@ -1872,7 +1900,7 @@ }, "name": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('storageQueuePrivateEndpoints')[copyIndex()].service, copyIndex())))]", "serviceResourceId": { - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.storageAccount]" + "value": "[reference('account').managedResources.storageAccount]" }, "subnetResourceId": { "value": "[parameters('storageQueuePrivateEndpoints')[copyIndex()].subnetResourceId]" 
@@ -1881,7 +1909,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('storageQueuePrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2375,10 +2405,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" + "account" ] }, - { + "eventHub_privateEndpoints": { "copy": { "name": "eventHub_privateEndpoints", "count": "[length(parameters('eventHubPrivateEndpoints'))]" 
@@ -2399,7 +2429,7 @@ }, "name": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('eventHubPrivateEndpoints')[copyIndex()].service, copyIndex())))]", "serviceResourceId": { - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.eventHubNamespace]" + "value": "[reference('account').managedResources.eventHubNamespace]" }, "subnetResourceId": { "value": "[parameters('eventHubPrivateEndpoints')[copyIndex()].subnetResourceId]" 
@@ -2408,7 +2438,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('eventHubPrivateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2902,12 +2934,12 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" + "account" ] }, - { + "account_roleAssignments": { "copy": { - "name": "purview_roleAssignments", + "name": "account_roleAssignments", "count": "[length(parameters('roleAssignments'))]" }, "type": "Microsoft.Resources/deployments", 
@@ -3053,10 +3085,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" + "account" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3084,42 +3116,42 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01', 'full').location]" + "value": "[reference('account', '2021-07-01', 'full').location]" }, "managedResourceGroupName": { "type": "string", "metadata": { "description": "The name of the managed resource group." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResourceGroupName]" + "value": "[reference('account').managedResourceGroupName]" }, "managedResourceGroupId": { "type": "string", "metadata": { "description": "The resource ID of the managed resource group." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.resourceGroup]" + "value": "[reference('account').managedResources.resourceGroup]" }, "managedStorageAccountId": { "type": "string", "metadata": { "description": "The resource ID of the managed storage account." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.storageAccount]" + "value": "[reference('account').managedResources.storageAccount]" }, "managedEventHubId": { "type": "string", "metadata": { "description": "The resource ID of the managed Event Hub Namespace." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01').managedResources.eventHubNamespace]" + "value": "[reference('account').managedResources.eventHubNamespace]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('name')), '2021-07-01', 'full').identity.principalId]" + "value": "[reference('account', '2021-07-01', 'full').identity.principalId]" } } } \ No newline at end of file 
diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep
index 24f1b765df..9dff63f908 100644
--- a/modules/recovery-services/vault/.test/common/main.test.bicep
+++ b/modules/recovery-services/vault/.test/common/main.test.bicep
@@ -316,7 +316,10 @@ module testDeployment '../../main.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 486c35456f..899a6821f5 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -302,7 +302,10 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 monitoringSettings: {
 azureMonitorAlertSettings: {
 alertsForAllJobFailures: 'Enabled'
@@ -632,7 +635,10 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "monitoringSettings": {
 "value": {
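Review bot: The updated test passes an explicit `name: 'myCustomLockName'`, so the new default-name branch `lock.?name ?? 'lock-${name}'` in main.bicep and the `ReadOnly` and `None` kinds are not exercised by this test; the testDeployment module body starts outside the hunk. If the module has a second test scenario, dropping the name there would cover the fallback, e.g. `lock: { kind: 'CanNotDelete' }`.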
@@ -945,7 +951,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`monitoringSettings`](#parameter-monitoringsettings) | object | Monitoring Settings of the vault. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`protectionContainers`](#parameter-protectioncontainers) | array | List of all protection containers. |
@@ -1047,11 +1053,30 @@ Location for all resources.
 ### Parameter: `lock`
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 ### Parameter: `monitoringSettings`
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
index ec42444c6c..9aba253cc8 100644
--- a/modules/recovery-services/vault/main.bicep
+++ b/modules/recovery-services/vault/main.bicep
@@ -50,13 +50,8 @@ param diagnosticEventHubName string = ''
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -262,11 +257,11 @@ module rsv_replicationAlertSettings 'replication-alert-setting/main.bicep' = if
 }
 }
-resource rsv_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${rsv.name}-${lock}-lock'
+resource rsv_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: rsv
 }
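Review bot: The rsv_lock condition `!empty(lock ?? {}) && lock.?kind != 'None'` is still true when the caller supplies an object without `kind` (for example only `name`, which the new README documents as optional), and the lock is then deployed with `level: lock.?kind ?? ''`, an empty level that the locks resource provider would presumably reject at deployment time. Keying the condition on the kind avoids attempting a lock with no level: `if (lock.?kind != null && lock.?kind != 'None') {`. The same pattern appears in hybridConnection_lock in modules/relay/namespace/hybrid-connection/main.bicep in this commit. Separately, `'None'` now disables the lock entirely but the `@description` on `param lock lockType` in the first hunk does not say so; `@description('Optional. The lock settings of the service. Set kind to \'None\' to deploy no lock.')` would make the opt-out visible to callers.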
@@ -295,7 +290,7 @@ module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -335,3 +330,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(rsv
 @description('The location the resource was deployed into.')
 output location string = rsv.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json
index e8468c9338..7279f70adf 100644
--- a/modules/recovery-services/vault/main.json
+++ b/modules/recovery-services/vault/main.json
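Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for every private endpoint from no lock to the vault's own lock, and an endpoint can only opt out by carrying its own `lock: { kind: 'None' }`; neither this line nor the new `lockType` definition in the second hunk records that, and it is easy to miss because the removed line passed `null`. A call-site comment would preserve the intent, e.g. `lock: privateEndpoint.?lock ?? lock // inherits the vault lock unless the endpoint sets its own; kind: 'None' opts out`. Whether the referenced private-endpoint module already accepts this object shape cannot be seen from this hunk. The rsv_privateEndpoints module body starts outside the hunk.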
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1948691212198738102" + "templateHash": "7509304735116539135" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -120,15 +148,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { @@ -256,8 +278,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -271,7 +293,7 @@ } } }, - { + "rsv": { "type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2023-01-01", "name": "[parameters('name')]", 
@@ -288,21 +310,21 @@ "publicNetworkAccess": "[parameters('publicNetworkAccess')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "rsv_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -317,10 +339,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_replicationFabrics": { "copy": { "name": "rsv_replicationFabrics", "count": "[length(parameters('replicationFabrics'))]" 
@@ -763,11 +785,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]", + "rsv", "rsv_replicationPolicies" ] }, - { + "rsv_replicationPolicies": { "copy": { "name": "rsv_replicationPolicies", "count": "[length(parameters('replicationPolicies'))]" @@ -917,10 +939,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_backupStorageConfiguration": { "condition": "[not(empty(parameters('backupStorageConfig')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1050,10 +1072,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_backupFabric_protectionContainers": { "copy": { "name": "rsv_backupFabric_protectionContainers", "count": "[length(parameters('protectionContainers'))]" @@ -1421,10 +1443,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_backupPolicies": { "copy": { "name": "rsv_backupPolicies", "count": "[length(parameters('backupPolicies'))]" @@ -1539,10 +1561,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_backupConfig": { "condition": "[not(empty(parameters('backupConfig')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1732,10 +1754,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_replicationAlertSettings": { "condition": "[not(empty(parameters('replicationAlertSettings')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1871,10 +1893,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_privateEndpoints": { "copy": { "name": "rsv_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1904,7 +1926,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2398,10 +2422,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] }, - { + "rsv_roleAssignments": { "copy": { "name": "rsv_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2553,10 +2577,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" + "rsv" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -2584,14 +2608,14 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '2023-01-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '2023-01-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('rsv', '2023-01-01', 'full').identity, 'principalId')), reference('rsv', '2023-01-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '2023-01-01', 'full').location]"
+ "value": "[reference('rsv', '2023-01-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep
index a08444f919..6aedc4696c 100644
--- a/modules/relay/namespace/.test/common/main.test.bicep
+++ b/modules/relay/namespace/.test/common/main.test.bicep
@@ -67,7 +67,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 skuName: 'Standard'
 tags: {
 'hidden-title': 'This is visible in the resource name'
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index 2df4924adc..f6401b007e 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -92,7 +92,10 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]'
 }
 ]
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 networkRuleSets: {
 defaultAction: 'Deny'
 ipRules: [
@@ -232,7 +235,10 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 ]
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "networkRuleSets": {
 "value": {
@@ -482,7 +488,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`hybridConnections`](#parameter-hybridconnections) | array | The hybrid connections to create in the relay namespace. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -571,11 +577,30 @@ Location for all resources.
 ### Parameter: `lock`
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 ### Parameter: `name`
diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md
index c2b68a3256..456584f99d 100644
--- a/modules/relay/namespace/hybrid-connection/README.md
+++ b/modules/relay/namespace/hybrid-connection/README.md
@@ -39,7 +39,7 @@ This module deploys a Relay Namespace Hybrid Connection.
 | :-- | :-- | :-- |
 | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay Hybrid Connection. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -59,11 +59,30 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `lock`
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 ### Parameter: `name`
diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep
index 280f1efc02..583897efa2 100644
--- a/modules/relay/namespace/hybrid-connection/main.bicep
+++ b/modules/relay/namespace/hybrid-connection/main.bicep
@@ -42,13 +42,8 @@ param authorizationRules array = [
 }
 ]
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -94,11 +89,11 @@ module hybridConnection_authorizationRules 'authorization-rule/main.bicep' = [fo
 }
 }]
-resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${hybridConnection.name}-${lock}-lock'
+resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: hybridConnection
 }
@@ -124,3 +119,15 @@ output resourceId string = hybridConnection.id
 @description('The resource group of the deployed hybrid connection.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json
index 0056c9f29a..6f5b28688d 100644
--- a/modules/relay/namespace/hybrid-connection/main.json
+++ b/modules/relay/namespace/hybrid-connection/main.json
@@ -1,16 +1,44 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8795172246215834185"
+ "templateHash": "5557057389279222101"
 },
 "name": "Relay Namespace Hybrid Connections",
 "description": "This module deploys a Relay Namespace Hybrid Connection.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "namespaceName": {
 "type": "string",
@@ -70,15 +98,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -99,8 +121,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -114,30 +136,39 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.Relay/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('namespaceName')]" + }, + "hybridConnection": { "type": "Microsoft.Relay/namespaces/hybridConnections", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", "userMetadata": "[parameters('userMetadata')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "hybridConnection_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] }, - { + "hybridConnection_authorizationRules": { "copy": { "name": "hybridConnection_authorizationRules", "count": "[length(parameters('authorizationRules'))]" 
@@ -267,10 +298,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] }, - { + "hybridConnection_roleAssignments": { "copy": { "name": "hybridConnection_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -419,10 +450,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index f6644258f3..f046b74a59 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep @@ -40,13 +40,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -223,11 +218,11 @@ module namespace_wcfRelays 'wcf-relay/main.bicep' = [for (wcfRelay, index) in wc } }] -resource namespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${namespace.name}-${lock}-lock' +resource namespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: namespace } @@ -256,7 +251,7 @@ module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
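Review bot: The new condition on `namespace_lock` lets an object that sets only `name` through: `!empty(lock ?? {})` is true for `{ name: 'x' }` and `lock.?kind != 'None'` is true when `kind` is null, so the lock is deployed with `level: ''`, which is not a level the Microsoft.Authorization/locks resource accepts and fails the deployment instead of being skipped. Gating on the kind, `if (lock.?kind != null && lock.?kind != 'None') {`, keeps the object-without-kind case from deploying and makes the `?? ''` fallback on `level` unreachable; `level: lock.kind` can then be used directly. The same condition is repeated in `wcfRelay_lock` and `rgQuery_lock` later in this diff (and in the compiled main.json files), so the fix applies to all of them.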
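Review bot: `lock: privateEndpoint.?lock ?? lock` now propagates the namespace lock to every private endpoint that does not set its own, where the previous code passed `null`; this is a behavior change for existing callers and nothing in the parameter documentation states it. The `privateEndpoints` parameter description, which is outside this hunk, should say that a private endpoint inherits the namespace lock unless it sets its own `lock`, and that `{ kind: 'None' }` on the endpoint is the way to keep the namespace locked while leaving the endpoint unlocked. The enclosing `namespace_privateEndpoints` module starts and ends outside the hunk.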
@@ -293,3 +288,15 @@ output name string = namespace.name @description('The location the resource was deployed into.') output location string = namespace.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index b055137299..6ecc2df310 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "23772418360996492" + "templateHash": "9772930782726431930" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -82,15 +110,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -201,8 +223,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -216,7 +238,7 @@ } } }, - { + "namespace": { "type": "Microsoft.Relay/namespaces", "apiVersion": "2021-11-01", "name": "[parameters('name')]", 
@@ -227,21 +249,21 @@ }, "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "namespace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -256,10 +278,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_authorizationRules": { "copy": { "name": "namespace_authorizationRules", "count": "[length(parameters('authorizationRules'))]" 
@@ -382,10 +404,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_networkRuleSet": { "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -517,10 +539,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_hybridConnections": { "copy": { "name": "namespace_hybridConnections", "count": "[length(parameters('hybridConnections'))]" @@ -551,17 +573,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8795172246215834185" + "templateHash": "5557057389279222101" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -621,15 +671,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -650,8 +694,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -665,30 +709,39 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.Relay/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('namespaceName')]" + }, + "hybridConnection": { "type": "Microsoft.Relay/namespaces/hybridConnections", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", "properties": { "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", "userMetadata": "[parameters('userMetadata')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "hybridConnection_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] }, - { + "hybridConnection_authorizationRules": { "copy": { "name": "hybridConnection_authorizationRules", "count": "[length(parameters('authorizationRules'))]" 
@@ -818,10 +871,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] }, - { + "hybridConnection_roleAssignments": { "copy": { "name": "hybridConnection_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -970,10 +1023,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" + "hybridConnection" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1000,10 +1053,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_wcfRelays": { "copy": { "name": "namespace_wcfRelays", "count": "[length(parameters('wcfRelays'))]" @@ -1036,17 +1089,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16339805298138761905" + "templateHash": "6670763361607677898" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", 
@@ -1124,15 +1205,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -1153,8 +1228,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1168,7 +1243,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.Relay/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('namespaceName')]" + }, + "wcfRelay": { "type": "Microsoft.Relay/namespaces/wcfRelays", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -1177,23 +1258,26 @@ "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", "requiresTransportSecurity": "[parameters('requiresTransportSecurity')]", "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "wcfRelay_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] }, - { + "wcfRelay_authorizationRules": { "copy": { "name": "wcfRelay_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -1323,10 +1407,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] }, - { + "wcfRelay_roleAssignments": { "copy": { "name": "wcfRelay_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -1475,10 +1559,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1505,10 +1589,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_privateEndpoints": { "copy": { "name": "namespace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -1538,7 +1622,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", 
@@ -2032,10 +2118,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] }, - { + "namespace_roleAssignments": { "copy": { "name": "namespace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2184,10 +2270,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" + "namespace" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -2215,7 +2301,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Relay/namespaces', parameters('name')), '2021-11-01', 'full').location]" + "value": "[reference('namespace', '2021-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index bb155573b1..84650d63d5 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md 
@@ -39,7 +39,7 @@ This module deploys a Relay Namespace WCF Relay. | :-- | :-- | :-- | | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the WCF Relay. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this relay requires client authorization. | | [`requiresTransportSecurity`](#parameter-requirestransportsecurity) | bool | A value indicating if this relay requires transport security. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -61,11 +61,30 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` 
diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep index 171e2d99ba..ba660d2bb3 100644 --- a/modules/relay/namespace/wcf-relay/main.bicep +++ b/modules/relay/namespace/wcf-relay/main.bicep @@ -52,13 +52,8 @@ param authorizationRules array = [ } ] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -106,11 +101,11 @@ module wcfRelay_authorizationRules 'authorization-rule/main.bicep' = [for (autho } }] -resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${wcfRelay.name}-${lock}-lock' +resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: wcfRelay } 
@@ -136,3 +131,15 @@ output resourceId string = wcfRelay.id @description('The resource group of the deployed wcf relay.') output resourceGroupName string = resourceGroup().name + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json index 4ad90c10ee..305d7a9463 100644 --- a/modules/relay/namespace/wcf-relay/main.json +++ b/modules/relay/namespace/wcf-relay/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16339805298138761905" + "templateHash": "6670763361607677898" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -88,15 +116,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -117,8 +139,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -132,7 +154,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.Relay/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('namespaceName')]" + }, + "wcfRelay": { "type": "Microsoft.Relay/namespaces/wcfRelays", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -141,23 +169,26 @@ "requiresClientAuthorization": "[parameters('requiresClientAuthorization')]", "requiresTransportSecurity": "[parameters('requiresTransportSecurity')]", "userMetadata": "[if(not(empty(parameters('userMetadata'))), parameters('userMetadata'), null())]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "wcfRelay_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] }, - { + "wcfRelay_authorizationRules": { "copy": { "name": "wcfRelay_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -287,10 +318,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] }, - { + "wcfRelay_roleAssignments": { "copy": { "name": "wcfRelay_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -439,10 +470,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" + "wcfRelay" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/resource-graph/query/.test/common/main.test.bicep b/modules/resource-graph/query/.test/common/main.test.bicep index 77af84a74d..a898c05ab8 100644 --- a/modules/resource-graph/query/.test/common/main.test.bicep +++ b/modules/resource-graph/query/.test/common/main.test.bicep @@ -52,7 +52,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index 5d725b3c03..3b88be6cc5 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -47,7 +47,10 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { query: 'resources | take 10' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } queryDescription: 'An example query to list first 10 resources in the subscription.' roleAssignments: [ { @@ -91,7 +94,10 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "queryDescription": { "value": "An example query to list first 10 resources in the subscription." 
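Review bot: The updated resource-graph test passes both `kind` and `name`, so the two new code paths introduced by the lock rework — the default name `lock-${name}` when `name` is omitted, and the `kind: 'None'` opt-out in the lock resource's condition — are not exercised by any test in this diff. A second deployment in this test file, or an additional scenario, that sets `lock: { kind: 'ReadOnly' }` without a name would cover the fallback; a `kind: 'None'` case would confirm no lock resource is created. The enclosing `testDeployment` module starts and ends outside the hunk.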
@@ -189,7 +195,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`queryDescription`](#parameter-querydescription) | string | The description of a graph query. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -210,11 +216,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep index f9ec7eaa26..4ac5218dad 100644 --- a/modules/resource-graph/query/main.bicep 
+++ b/modules/resource-graph/query/main.bicep
@@ -8,13 +8,8 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -53,11 +48,11 @@ resource rgQuery 'Microsoft.ResourceGraph/queries@2018-09-01-preview' = {
 }
 }
-resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${rgQuery.name}-${lock}-lock'
+resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: rgQuery
 }
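Review bot: The new deploy condition on `rgQuery_lock` still fires when the caller supplies a lock object without a `kind` (e.g. `{ name: 'x' }`): the object is non-empty and `null != 'None'` holds, so the lock resource is deployed with `level: ''`, which the locks API does not accept and which surfaces only as a runtime deployment failure rather than a validation error. Treating a missing `kind` the same as `'None'` closes that gap and makes the `?? ''` fallback on `level` unreachable: `resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if ((lock.?kind ?? 'None') != 'None') {`. The same condition is copied into `deploymentScript_lock` (deployment-script/main.bicep), `resourceGroup_lock` in the new `.bicep/nested_lock.bicep`, and the `resourceGroup_lock` module call in resource-group/main.bicep, so the change applies there too; the compiled main.json files carry the equivalent `and(not(empty(coalesce(...))), ...)` expression and would follow from a rebuild. Worth confirming the null-comparison semantics with the Bicep version pinned in the generated templates (0.22.6) before relying on it.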
@@ -86,3 +81,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = rgQuery.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index 637ac21f0a..e771012ee7 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5318766686585928680" + "templateHash": "17790521881386542677" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
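Review bot: The `kind` member of the new `lockType` now admits `'None'`, but its description ("Specify the type of lock.") does not say what that value is for, and the generated README only lists it among the allowed values; a reader cannot tell whether `'None'` and an omitted `kind` behave the same. Suggest `@description('Optional. Specify the type of lock. Use \'None\' to explicitly request that no lock is created.')` on the `kind` member, and a matching hint on the `name` member that it only applies when a lock is created, e.g. `@description('Optional. Specify the name of lock. Defaults to \'lock-<resource name>\' when a lock is created.')` — the default appears to be what `lock.?name ?? 'lock-${name}'` in the resource produces. The same `lockType` block is repeated verbatim in deployment-script/main.bicep, resource-group/main.bicep and .bicep/nested_lock.bicep, so the wording should be updated in all copies to keep the READMEs consistent.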
@@ -72,8 +94,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -87,7 +109,7 @@ } } }, - { + "rgQuery": { "type": "Microsoft.ResourceGraph/queries", "apiVersion": "2018-09-01-preview", "name": "[parameters('name')]", @@ -98,21 +120,21 @@ "description": "[parameters('queryDescription')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "rgQuery_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ResourceGraph/queries', parameters('name'))]" + "rgQuery" ] }, - { + "rgQuery_roleAssignments": { "copy": { "name": "rgQuery_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -258,10 +280,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ResourceGraph/queries', parameters('name'))]" + "rgQuery" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -289,7 +311,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ResourceGraph/queries', parameters('name')), '2018-09-01-preview', 'full').location]" + "value": "[reference('rgQuery', '2018-09-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/resources/deployment-script/.test/ps/main.test.bicep b/modules/resources/deployment-script/.test/ps/main.test.bicep index 25dc575fc1..e3a9c55382 100644 --- a/modules/resources/deployment-script/.test/ps/main.test.bicep +++ b/modules/resources/deployment-script/.test/ps/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { azPowerShellVersion: '8.0' cleanupPreference: 'Always' kind: 'AzurePowerShell' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } retentionInterval: 'P1D' runOnce: false scriptContent: 'Write-Host \'The cake is a lie!\'' diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 16d4b28844..35e3486eb6 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -168,7 +168,10 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { cleanupPreference: 'Always' enableDefaultTelemetry: '' kind: 'AzurePowerShell' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } retentionInterval: 'P1D' runOnce: false scriptContent: 'Write-Host \'The cake is a lie!\'' @@ -216,7 +219,10 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { "value": "AzurePowerShell" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "retentionInterval": { "value": "P1D" 
@@ -274,7 +280,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { | [`environmentVariables`](#parameter-environmentvariables) | secureObject | The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. | | [`kind`](#parameter-kind) | string | Type of the script. AzurePowerShell, AzureCLI. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`primaryScriptUri`](#parameter-primaryscripturi) | string | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | | [`retentionInterval`](#parameter-retentioninterval) | string | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | | [`runOnce`](#parameter-runonce) | bool | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | 
@@ -365,11 +371,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep index fe29c5b502..f596af33f9 100644 --- a/modules/resources/deployment-script/main.bicep +++ b/modules/resources/deployment-script/main.bicep @@ -66,13 +66,8 @@ param timeout string = 'PT1H' @description('Generated. Do not provide a value! This date value is used to make sure the script run every time the template is deployed.') param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -131,11 +126,11 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
 }
 }
-resource deploymentScript_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${deploymentScript.name}-${lock}-lock'
+resource deploymentScript_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: deploymentScript
 }
@@ -154,3 +149,15 @@ output location string = deploymentScript.location
 @description('The output of the deployment script.')
 output outputs object = contains(deploymentScript.properties, 'outputs') ? deploymentScript.properties.outputs : {}
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json
index 2f4d4f4a0d..fc7ac9db4a 100644
--- a/modules/resources/deployment-script/main.json
+++ b/modules/resources/deployment-script/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13171333688007785690" + "templateHash": "2858511394966028740" }, "name": "Deployment Scripts", "description": "This module deploys a Deployment Script.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -147,15 +175,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -180,8 +202,8 @@ "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -195,7 +217,7 @@ } } }, - { + "deploymentScript": { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2020-10-01", "name": "[parameters('name')]", 
@@ -219,21 +241,21 @@ "timeout": "[parameters('timeout')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "deploymentScript_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Resources/deploymentScripts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deploymentScripts', parameters('name'))]" + "deploymentScript" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -261,14 +283,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01', 'full').location]" + "value": "[reference('deploymentScript', '2020-10-01', 'full').location]" }, "outputs": { "type": "object", "metadata": { "description": "The output of the deployment script." }, - "value": "[if(contains(reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01'), 'outputs'), reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs, createObject())]" + "value": "[if(contains(reference('deploymentScript'), 'outputs'), reference('deploymentScript').outputs, createObject())]" } } } \ No newline at end of file diff --git a/modules/resources/resource-group/.bicep/nested_lock.bicep b/modules/resources/resource-group/.bicep/nested_lock.bicep new file mode 100644 index 0000000000..40ae513015 --- /dev/null +++ b/modules/resources/resource-group/.bicep/nested_lock.bicep @@ -0,0 +1,25 @@ +@description('Optional. The lock settings of the service.') +param lock lockType + +@description('Required. The name of the Resource Group.') +param name string + +resource resourceGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' + properties: { + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' + } +} + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? 
diff --git a/modules/resources/resource-group/.test/common/main.test.bicep b/modules/resources/resource-group/.test/common/main.test.bicep index 0090211eb1..6a47e86bce 100644 --- a/modules/resources/resource-group/.test/common/main.test.bicep +++ b/modules/resources/resource-group/.test/common/main.test.bicep @@ -51,7 +51,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index e57cc52c30..c104241da0 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -46,7 +46,10 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { name: 'rrgcom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -86,7 +89,10 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -176,7 +182,7 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location of the Resource Group. It uses the deployment's location when not provided. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedBy`](#parameter-managedby) | string | The ID of the resource that manages this resource group. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the storage account resource. | @@ -197,11 +203,30 @@ Location of the Resource Group. It uses the deployment's location when not provi ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedBy` 
@@ -241,8 +266,4 @@ Tags of the storage account resource. ## Cross-referenced modules -This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). - -| Reference | Type | -| :-- | :-- | -| `modules/authorization/lock/resource-group` | Local reference | +_None_ diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep index c0a80d63de..d210a418df 100644 --- a/modules/resources/resource-group/main.bicep +++ b/modules/resources/resource-group/main.bicep @@ -10,13 +10,8 @@ param name string @description('Optional. Location of the Resource Group. It uses the deployment\'s location when not provided.') param location string = deployment().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -51,11 +46,11 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 properties: {}
 }
-module resourceGroup_lock '../../authorization/lock/resource-group/main.bicep' = if (!empty(lock)) {
- name: '${uniqueString(deployment().name, location)}-${lock}-Lock'
+module resourceGroup_lock '.bicep/nested_lock.bicep' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: '${uniqueString(deployment().name, location)}-RG-Lock'
 params: {
- level: any(lock)
- name: '${resourceGroup.name}-${lock}-lock'
+ lock: lock
+ name: resourceGroup.name
 }
 scope: resourceGroup
 }
@@ -81,3 +76,15 @@ output resourceId string = resourceGroup.id
 @description('The location the resource was deployed into.')
 output location string = resourceGroup.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json
index 311d143451..7c296e5557 100644
--- a/modules/resources/resource-group/main.json
+++ b/modules/resources/resource-group/main.json
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "698589074683460032" + "templateHash": "15355408892272442414" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -26,15 +54,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -66,8 +88,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -82,7 +104,7 @@ } } }, - { + "resourceGroup": { "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2021-04-01", "name": "[parameters('name')]", 
@@ -91,11 +113,11 @@ "managedBy": "[parameters('managedBy')]", "properties": {} }, - { - "condition": "[not(empty(parameters('lock')))]", + "resourceGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-{1}-Lock', uniqueString(deployment().name, parameters('location')), parameters('lock'))]", + "name": "[format('{0}-RG-Lock', uniqueString(deployment().name, parameters('location')))]", "resourceGroup": "[parameters('name')]", "properties": { "expressionEvaluationOptions": { 
@@ -103,121 +125,84 @@ }, "mode": "Incremental", "parameters": { - "level": { + "lock": { "value": "[parameters('lock')]" }, "name": { - "value": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]" + "value": "[parameters('name')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8961143332409950444" - }, - "name": "Authorization Locks (Resource Group scope)", - "description": "This module deploys an Authorization Lock at a Resource Group scope.", - "owner": "Azure/module-maintainers" + "templateHash": "17703781580329850458" + } + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } }, "parameters": { - "name": { - "type": "string", - "defaultValue": "[format('{0}-lock', parameters('level'))]", + "lock": { + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. The name of the lock." + "description": "Optional. The lock settings of the service." } }, - "level": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Required. Set lock level." - } - }, - "notes": { + "name": { "type": "string", - "defaultValue": "[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]", "metadata": { - "description": "Optional. The decription attached to the lock." 
- } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Required. The name of the Resource Group." } } }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { + "resources": { + "resourceGroup_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "name": "[parameters('name')]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('level')]", - "notes": "[parameters('notes')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" } } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the lock." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the lock." - }, - "value": "[resourceId('Microsoft.Authorization/locks', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group name the lock was applied to." 
- }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this lock applies to." - }, - "value": "[resourceGroup().id]" - } } } }, "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]" + "resourceGroup" ] }, - { + "resourceGroup_roleAssignments": { "copy": { "name": "resourceGroup_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -545,10 +530,10 @@ } }, "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]" + "resourceGroup" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -569,7 +554,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), '2021-04-01', 'full').location]" + "value": "[reference('resourceGroup', '2021-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep index 299cc6438a..d975b5f231 100644 --- a/modules/search/search-service/.test/common/main.test.bicep +++ b/modules/search/search-service/.test/common/main.test.bicep @@ -78,7 +78,10 @@ module testDeployment '../../main.bicep' = { partitionCount: 2 replicaCount: 3 systemAssignedIdentity: true - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 18d24c635b..e9f3856044 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md 
@@ -63,7 +63,10 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 disableLocalAuth: false
 enableDefaultTelemetry: ''
 hostingMode: 'highDensity'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 networkRuleSet: {
 ipRules: [
 {
@@ -152,7 +155,10 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 "value": "highDensity"
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "networkRuleSet": {
 "value": {
@@ -407,7 +413,7 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. |
 | [`location`](#parameter-location) | string | Location for all Resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`networkRuleSet`](#parameter-networkruleset) | object | Network specific rules that determine how the Azure Cognitive Search service may be reached. |
 | [`partitionCount`](#parameter-partitioncount) | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
@@ -516,11 +522,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index b0b9eba7d9..ec23b415e8 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep @@ -36,13 +36,8 @@ param hostingMode string = 'default' @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Specify the type of lock.') -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached.') param networkRuleSet object = {} 
@@ -196,11 +191,11 @@ resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticsettings
 scope: searchService
 }
 
-resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${searchService.name}-${lock}-lock'
+resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: searchService
 }
@@ -229,7 +224,7 @@ module searchService_privateEndpoints '../../network/private-endpoint/main.bicep
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
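Review bot: The guard on the new `searchService_lock` line still deploys a lock when a caller passes `lock: { name: 'x' }` without `kind`: the object is non-empty and `null != 'None'` holds, so `level: lock.?kind ?? ''` sends an empty level to `Microsoft.Authorization/locks`, which can only fail at deployment time. Keying the condition on `kind` instead of on the object closes this: `resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. A one-line comment above the resource, `// kind: 'None' is the explicit opt-out; an object without kind deploys nothing`, would also make the contract visible, since the `lockType` definition leaves `kind` optional.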
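Review bot: The new `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints from no lock (`null`) to whatever lock the search service carries, so a `ReadOnly` or `CanNotDelete` service lock is now silently stamped on every private endpoint as well. That is sensible hardening, but it is a behaviour change for existing callers whose only opt-out is a per-endpoint `lock: { kind: 'None' }`, and nothing in the module interface says so. Add a comment on the line, `// Private endpoints inherit the service lock unless the endpoint sets its own (kind: 'None' opts out)`, and state the same in the `privateEndpoints` parameter description (outside this hunk). The enclosing `searchService_privateEndpoints` module block starts and ends outside the hunk.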
@@ -274,3 +269,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = searchService.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 1b70046741..d9f5e34419 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3190976543296510988" + "templateHash": "13836936896028260597" }, "name": "Search Services", "description": "This module deploys a Search Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -70,15 +98,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "networkRuleSet": { 
@@ -252,8 +274,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -267,7 +289,7 @@ } } }, - { + "searchService": { "type": "Microsoft.Search/searchServices", "apiVersion": "2022-09-01", "name": "[parameters('name')]", @@ -290,7 +312,7 @@ "publicNetworkAccess": "[parameters('publicNetworkAccess')]" } }, - { + "searchService_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -305,24 +327,24 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "searchService" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "searchService_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "searchService" ] }, - { + "searchService_roleAssignments": { "copy": { "name": "searchService_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -471,10 +493,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "searchService" ] }, - { + "searchService_privateEndpoints": { "copy": { "name": "searchService_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -504,7 +526,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -998,10 +1022,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "searchService" ] }, - { + "searchService_sharedPrivateLinkResources": { "copy": { "name": "searchService_sharedPrivateLinkResources", "count": "[length(parameters('sharedPrivateLinkResources'))]", @@ -1143,10 +1167,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "searchService" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1174,7 +1198,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Search/searchServices', parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('searchService', '2022-09-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/security/azure-security-center/main.bicep b/modules/security/azure-security-center/main.bicep index e1f9fbcab4..d0adb8211a 100644 --- a/modules/security/azure-security-center/main.bicep +++ b/modules/security/azure-security-center/main.bicep @@ -191,6 +191,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } +@batchSize(1) resource pricingTiers 'Microsoft.Security/pricings@2018-06-01' = [for (pricing, index) in pricings: { name: pricing.name properties: { diff --git a/modules/security/azure-security-center/main.json b/modules/security/azure-security-center/main.json index cf4fce1f0b..757ee94252 100644 --- a/modules/security/azure-security-center/main.json +++ b/modules/security/azure-security-center/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5337788890835022528" + "templateHash": "6628258573559470770" }, "name": "Azure Security Center (Defender for Cloud)", "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.", @@ -289,7 +289,9 @@ { "copy": { "name": "pricingTiers", - "count": "[length(variables('pricings'))]" + "count": "[length(variables('pricings'))]", + "mode": "serial", + "batchSize": 1 }, "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index 73f2d61db6..8e60f2b946 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep 
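Review bot: The new `@batchSize(1)` on `pricingTiers` carries no explanation of why Defender pricing tiers must be deployed one at a time, so a later maintainer tuning deployment time is likely to remove it and reintroduce whatever failure motivated it. The serial order presumably avoids concurrent updates to the subscription-scoped `Microsoft.Security/pricings` resource conflicting with each other — confirm the cause and record it above the decorator, e.g. `// Deploy pricing tiers serially: concurrent updates to Microsoft.Security/pricings on the same subscription conflict`. The `pricingTiers` resource body continues outside the hunk.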
@@ -67,7 +67,10 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 skuName: 'Premium'
 skuCapacity: 2
 premiumMessagingPartitions: 1
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index b66c706fd1..5570075f12 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -81,7 +81,10 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 diagnosticWorkspaceId: ''
 disableLocalAuth: true
 enableDefaultTelemetry: ''
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 minimumTlsVersion: '1.2'
 networkRuleSets: {
 defaultAction: 'Deny'
@@ -263,7 +266,10 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "value": ""
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "minimumTlsVersion": {
 "value": "1.2"
@@ -783,7 +789,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`disasterRecoveryConfigs`](#parameter-disasterrecoveryconfigs) | object | The disaster recovery configuration. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`migrationConfigurations`](#parameter-migrationconfigurations) | object | The migration configuration. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | @@ -924,11 +930,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `migrationConfigurations` diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index 2b275b2bab..a3d10b116d 100644 
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -75,13 +75,8 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -198,13 +193,12 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 
 resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
-}
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
 
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
- name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ }
 }
 
 resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
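Review bot: The `'dummyVault'`, `'//'` and `'////'` placeholders in the new `cMKKeyVault` name/scope expressions, and `'dummyKey'` in the nested `cMKKey`, are unexplained; they appear to exist because the expressions are still evaluated when the `existing` resource's condition is false, and a future maintainer is likely to "simplify" them away and break the no-CMK path. Add a comment above the resource such as `// Placeholder values keep the split()/index expressions valid when cMKKeyVaultResourceId or cMKKeyName is empty; the expressions are evaluated even when the condition is false — confirm`. Separately, the `[2]` and `[4]` indexes assume a full resource ID (`/subscriptions/<sub>/resourceGroups/<rg>/...`); a bare vault name or partial path fails with an opaque index error instead of a clear validation message, which is worth stating in the `cMKKeyVaultResourceId` parameter description (outside this hunk).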
@@ -232,7 +226,7 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview
 } : null
 keyName: cMKKeyName
 keyVaultUri: cMKKeyVault.properties.vaultUri
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
+ keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
 }
 ]
 requireInfrastructureEncryption: requireInfrastructureEncryption
@@ -309,7 +303,7 @@ module serviceBusNamespace_queues 'queue/main.bicep' = [for (queue, index) in qu
 enableBatchedOperations: contains(queue, 'enableBatchedOperations') ? queue.enableBatchedOperations : true
 enableExpress: contains(queue, 'enableExpress') ? queue.enableExpress : false
 enablePartitioning: contains(queue, 'enablePartitioning') ? queue.enablePartitioning : false
- lock: contains(queue, 'lock') ? queue.lock : ''
+ lock: queue.?lock ?? lock
 lockDuration: contains(queue, 'lockDuration') ? queue.lockDuration : 'PT1M'
 maxDeliveryCount: contains(queue, 'maxDeliveryCount') ? queue.maxDeliveryCount : 10
 maxSizeInMegabytes: contains(queue, 'maxSizeInMegabytes') ? queue.maxSizeInMegabytes : 1024
@@ -342,7 +336,7 @@ module serviceBusNamespace_topics 'topic/main.bicep' = [for (topic, index) in to
 enableBatchedOperations: contains(topic, 'enableBatchedOperations') ? topic.enableBatchedOperations : true
 enableExpress: contains(topic, 'enableExpress') ? topic.enableExpress : false
 enablePartitioning: contains(topic, 'enablePartitioning') ? topic.enablePartitioning : false
- lock: contains(topic, 'lock') ? topic.lock : ''
+ lock: topic.?lock ?? lock
 maxMessageSizeInKilobytes: contains(topic, 'maxMessageSizeInKilobytes') ? topic.maxMessageSizeInKilobytes : 1024
 maxSizeInMegabytes: contains(topic, 'maxSizeInMegabytes') ? topic.maxSizeInMegabytes : 1024
 requiresDuplicateDetection: contains(topic, 'requiresDuplicateDetection') ? topic.requiresDuplicateDetection : false
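Review bot: In the `serviceBusNamespace_queues` hunk, `lock: queue.?lock ?? lock` replaces a per-queue default of `''` (no lock) with the namespace lock, so every queue — and every topic in the following hunk — now inherits a `ReadOnly` or `CanNotDelete` namespace lock unless it sets `lock: { kind: 'None' }` itself. That is a behaviour change for existing callers and is invisible from the module interface. Add a comment on the line, `// Queues inherit the namespace lock; set lock: { kind: 'None' } on the queue to opt out`, and say the same in the `queues` and `topics` parameter descriptions (outside this hunk). Both module blocks start and end outside the hunk.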
@@ -353,11 +347,11 @@ module serviceBusNamespace_topics 'topic/main.bicep' = [for (topic, index) in to
 }
 }]
 
-resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${serviceBusNamespace.name}-${lock}-lock'
+resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: serviceBusNamespace
 }
@@ -386,7 +380,7 @@ module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
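Review bot: The condition on the new `serviceBusNamespace_lock` line admits a `lock` object that sets only `name`: it is non-empty and `lock.?kind` is `null`, not `'None'`, so the resource is deployed with `level: ''`, which the lock API will reject at deployment time rather than at validation. Gate on the kind rather than on the object: `resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. The same pattern appears in the search-service module in this commit and should be corrected consistently.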
@@ -426,3 +420,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(ser @description('The location the resource was deployed into.') output location string = serviceBusNamespace.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index 4e96afbb9d..dbe9a914ec 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "662928290271524993" + "templateHash": "16649033312069788826" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -145,15 +173,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "systemAssignedIdentity": { 
@@ -333,8 +355,20 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -348,7 +382,16 @@ } } }, - { + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "serviceBusNamespace": { "type": "Microsoft.ServiceBus/namespaces", "apiVersion": "2022-10-01-preview", "name": "[parameters('name')]", 
@@ -366,24 +409,27 @@ "zoneRedundant": "[parameters('zoneRedundant')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", "premiumMessagingPartitions": "[if(equals(parameters('skuName'), 'Premium'), parameters('premiumMessagingPartitions'), 0)]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" - } + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', 
reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "serviceBusNamespace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -398,10 +444,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_authorizationRules": { "copy": { "name": "serviceBusNamespace_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -524,10 +570,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_disasterRecoveryConfig": { "condition": "[not(empty(parameters('disasterRecoveryConfigs')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -650,10 +696,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_migrationConfigurations": { "condition": "[not(empty(parameters('migrationConfigurations')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -770,10 +816,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_networkRuleSet": { "condition": "[or(not(empty(parameters('networkRuleSets'))), not(empty(parameters('privateEndpoints'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -935,10 +981,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_queues": { "copy": { "name": "serviceBusNamespace_queues", "count": "[length(parameters('queues'))]" 
@@ -969,7 +1015,9 @@ "enableBatchedOperations": "[if(contains(parameters('queues')[copyIndex()], 'enableBatchedOperations'), createObject('value', parameters('queues')[copyIndex()].enableBatchedOperations), createObject('value', true()))]", "enableExpress": "[if(contains(parameters('queues')[copyIndex()], 'enableExpress'), createObject('value', parameters('queues')[copyIndex()].enableExpress), createObject('value', false()))]", "enablePartitioning": "[if(contains(parameters('queues')[copyIndex()], 'enablePartitioning'), createObject('value', parameters('queues')[copyIndex()].enablePartitioning), createObject('value', false()))]", - "lock": "[if(contains(parameters('queues')[copyIndex()], 'lock'), createObject('value', parameters('queues')[copyIndex()].lock), createObject('value', ''))]", + "lock": { + "value": "[coalesce(tryGet(parameters('queues')[copyIndex()], 'lock'), parameters('lock'))]" + }, "lockDuration": "[if(contains(parameters('queues')[copyIndex()], 'lockDuration'), createObject('value', parameters('queues')[copyIndex()].lockDuration), createObject('value', 'PT1M'))]", "maxDeliveryCount": "[if(contains(parameters('queues')[copyIndex()], 'maxDeliveryCount'), createObject('value', parameters('queues')[copyIndex()].maxDeliveryCount), createObject('value', 10))]", "maxSizeInMegabytes": "[if(contains(parameters('queues')[copyIndex()], 'maxSizeInMegabytes'), createObject('value', parameters('queues')[copyIndex()].maxSizeInMegabytes), createObject('value', 1024))]", 
@@ -983,17 +1031,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14235495639787970719" + "templateHash": "2387432860804743160" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -1153,15 +1229,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -1182,8 +1252,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1197,7 +1267,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "queue": { "type": "Microsoft.ServiceBus/namespaces/queues", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -1213,28 +1289,31 @@ "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", "lockDuration": "[parameters('lockDuration')]", "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "maxMessageSizeInKilobytes": "[if(equals(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('namespaceName')), '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", + "maxMessageSizeInKilobytes": "[if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", "requiresSession": "[parameters('requiresSession')]", "status": "[parameters('status')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "queue_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - 
"[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] }, - { + "queue_authorizationRules": { "copy": { "name": "queue_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -1364,10 +1443,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] }, - { + "queue_roleAssignments": { "copy": { "name": "queue_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -1515,10 +1594,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1545,10 +1624,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_topics": { "copy": { "name": "serviceBusNamespace_topics", "count": "[length(parameters('topics'))]" 
@@ -1575,7 +1654,9 @@ "enableBatchedOperations": "[if(contains(parameters('topics')[copyIndex()], 'enableBatchedOperations'), createObject('value', parameters('topics')[copyIndex()].enableBatchedOperations), createObject('value', true()))]", "enableExpress": "[if(contains(parameters('topics')[copyIndex()], 'enableExpress'), createObject('value', parameters('topics')[copyIndex()].enableExpress), createObject('value', false()))]", "enablePartitioning": "[if(contains(parameters('topics')[copyIndex()], 'enablePartitioning'), createObject('value', parameters('topics')[copyIndex()].enablePartitioning), createObject('value', false()))]", - "lock": "[if(contains(parameters('topics')[copyIndex()], 'lock'), createObject('value', parameters('topics')[copyIndex()].lock), createObject('value', ''))]", + "lock": { + "value": "[coalesce(tryGet(parameters('topics')[copyIndex()], 'lock'), parameters('lock'))]" + }, "maxMessageSizeInKilobytes": "[if(contains(parameters('topics')[copyIndex()], 'maxMessageSizeInKilobytes'), createObject('value', parameters('topics')[copyIndex()].maxMessageSizeInKilobytes), createObject('value', 1024))]", "maxSizeInMegabytes": "[if(contains(parameters('topics')[copyIndex()], 'maxSizeInMegabytes'), createObject('value', parameters('topics')[copyIndex()].maxSizeInMegabytes), createObject('value', 1024))]", "requiresDuplicateDetection": "[if(contains(parameters('topics')[copyIndex()], 'requiresDuplicateDetection'), createObject('value', parameters('topics')[copyIndex()].requiresDuplicateDetection), createObject('value', false()))]", 
@@ -1588,17 +1669,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7517242660485501194" + "templateHash": "17853944786928243085" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -1723,15 +1832,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -1752,8 +1855,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1767,7 +1870,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "topic": { "type": "Microsoft.ServiceBus/namespaces/topics", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -1783,23 +1892,26 @@ "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", "status": "[parameters('status')]", "supportOrdering": "[parameters('supportOrdering')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "topic_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] }, - { + "topic_authorizationRules": { "copy": { "name": "topic_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -1929,10 +2041,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] }, - { + "topic_roleAssignments": { "copy": { "name": "topic_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -2080,10 +2192,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2110,10 +2222,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_privateEndpoints": { "copy": { "name": "serviceBusNamespace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -2143,7 +2255,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", 
@@ -2637,10 +2751,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] }, - { + "serviceBusNamespace_roleAssignments": { "copy": { "name": "serviceBusNamespace_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -2788,10 +2902,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" + "serviceBusNamespace" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -2819,14 +2933,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '2022-10-01-preview', 'full').location]" + "value": "[reference('serviceBusNamespace', '2022-10-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index e77f024a24..34e5ebc5f7 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md 
@@ -47,7 +47,7 @@ This module deploys a Service Bus Namespace Queue. | [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the queue is to be partitioned across multiple message brokers. | | [`forwardDeadLetteredMessagesTo`](#parameter-forwarddeadletteredmessagesto) | string | Queue/Topic name to forward the Dead Letter message. | | [`forwardTo`](#parameter-forwardto) | string | Queue/Topic name to forward the messages. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`lockDuration`](#parameter-lockduration) | string | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | | [`maxDeliveryCount`](#parameter-maxdeliverycount) | int | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | | [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. | 
@@ -136,11 +136,30 @@ Queue/Topic name to forward the messages. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `lockDuration` diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index fc7f3276ec..be91444c0a 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep @@ -85,13 +85,8 @@ param authorizationRules array = [ } ] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -151,11 +146,11 @@ module queue_authorizationRules 'authorization-rule/main.bicep' = [for (authoriz } }] -resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${queue.name}-${lock}-lock' +resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: queue } @@ -181,3 +176,15 @@ output resourceId string = queue.id @description('The resource group of the deployed queue.') output resourceGroupName string = resourceGroup().name + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json index db9c7d315a..8eaa66214c 100644 --- a/modules/service-bus/namespace/queue/main.json +++ b/modules/service-bus/namespace/queue/main.json 
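Review bot: The new `queue_lock` condition `!empty(lock ?? {}) && lock.?kind != 'None'` still deploys the lock when the object carries only `name` and no `kind`, and the resource then sets `level: lock.?kind ?? ''`, an empty level that is not one of the documented lock levels, so the deployment would presumably fail instead of skipping the lock; gating on the kind itself, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, avoids that and makes the `?? ''` fallback on `level` unreachable. The same condition and fallback appear in `topic_lock` in topic/main.bicep and `serviceFabricCluster_lock` in service-fabric/cluster/main.bicep, and since `lockType` itself allows `name` without `kind`, the type definition in the second hunk does not rule this shape out. A second caveat: the lock name moves from `'${queue.name}-${lock}-lock'` to `lock.?name ?? 'lock-${name}'`, so as far as I can tell an incremental re-deployment over an existing stack creates a second lock under the new name and leaves the old `CanNotDelete`/`ReadOnly` lock in place; that is worth a sentence in the module README so operators know to remove the stale lock rather than end up with an orphaned one blocking cleanup.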
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14235495639787970719" + "templateHash": "2387432860804743160" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -170,15 +198,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -199,8 +221,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -214,7 +236,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "queue": { "type": "Microsoft.ServiceBus/namespaces/queues", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -230,28 +258,31 @@ "forwardTo": "[if(not(empty(parameters('forwardTo'))), parameters('forwardTo'), null())]", "lockDuration": "[parameters('lockDuration')]", "maxDeliveryCount": "[parameters('maxDeliveryCount')]", - "maxMessageSizeInKilobytes": "[if(equals(reference(resourceId('Microsoft.ServiceBus/namespaces', parameters('namespaceName')), '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", + "maxMessageSizeInKilobytes": "[if(equals(reference('namespace', '2022-10-01-preview', 'full').sku.name, 'Premium'), parameters('maxMessageSizeInKilobytes'), null())]", "maxSizeInMegabytes": "[parameters('maxSizeInMegabytes')]", "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", "requiresSession": "[parameters('requiresSession')]", "status": "[parameters('status')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "queue_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - 
"[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] }, - { + "queue_authorizationRules": { "copy": { "name": "queue_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -381,10 +412,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] }, - { + "queue_roleAssignments": { "copy": { "name": "queue_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -532,10 +563,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" + "queue" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index a554531ad1..00edc62f20 100644 --- a/modules/service-bus/namespace/topic/README.md +++ b/modules/service-bus/namespace/topic/README.md 
@@ -44,7 +44,7 @@ This module deploys a Service Bus Namespace Topic. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableExpress`](#parameter-enableexpress) | bool | A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. | | [`enablePartitioning`](#parameter-enablepartitioning) | bool | A value that indicates whether the topic is to be partitioned across multiple message brokers. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. | | [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. | | [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this topic requires duplicate detection. | 
@@ -110,11 +110,30 @@ A value that indicates whether the topic is to be partitioned across multiple me ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maxMessageSizeInKilobytes` diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 25140d0269..5f07a9b2bb 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep @@ -70,13 +70,8 @@ param authorizationRules array = [ } ] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -131,11 +126,11 @@ module topic_authorizationRules 'authorization-rule/main.bicep' = [for (authoriz } }] -resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${topic.name}-${lock}-lock' +resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: topic } @@ -161,3 +156,15 @@ output resourceId string = topic.id @description('The resource group of the deployed topic.') output resourceGroupName string = resourceGroup().name + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json index 52d011eb5d..e7341c8e2d 100644 --- a/modules/service-bus/namespace/topic/main.json +++ b/modules/service-bus/namespace/topic/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7517242660485501194" + "templateHash": "17853944786928243085" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "namespaceName": { "type": "string", @@ -135,15 +163,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -164,8 +186,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -179,7 +201,13 @@ } } }, - { + "namespace": { + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('namespaceName')]" + }, + "topic": { "type": "Microsoft.ServiceBus/namespaces/topics", "apiVersion": "2022-10-01-preview", "name": "[format('{0}/{1}', parameters('namespaceName'), parameters('name'))]", 
@@ -195,23 +223,26 @@ "requiresDuplicateDetection": "[parameters('requiresDuplicateDetection')]", "status": "[parameters('status')]", "supportOrdering": "[parameters('supportOrdering')]" - } + }, + "dependsOn": [ + "namespace" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "topic_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] }, - { + "topic_authorizationRules": { "copy": { "name": "topic_authorizationRules", "count": "[length(parameters('authorizationRules'))]" @@ -341,10 +372,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] }, - { + "topic_roleAssignments": { "copy": { "name": "topic_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -492,10 +523,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" + "topic" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/service-fabric/cluster/.test/common/main.test.bicep b/modules/service-fabric/cluster/.test/common/main.test.bicep index 1f35cd24db..a84afa9e53 100644 --- a/modules/service-fabric/cluster/.test/common/main.test.bicep +++ b/modules/service-fabric/cluster/.test/common/main.test.bicep @@ -53,7 +53,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'Service Fabric' diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 4df1e6c55e..9a23c79968 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -274,7 +274,10 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { ] } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } maxUnusedVersionsToKeep: 2 notifications: [ { @@ -485,7 +488,10 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "maxUnusedVersionsToKeep": { "value": 2 
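Review bot: The updated common test for service-fabric/cluster exercises only `kind: 'CanNotDelete'` together with a custom `name`, so neither the newly accepted `kind: 'None'` value (intended to suppress the lock) nor an object that sets only `name` is covered by any deployment in this change. A second parameter shape such as `lock: { kind: 'None' }` in one of the other test folders, or a name-only object, would pin the behaviour of the `if (!empty(lock ?? {}) && lock.?kind != 'None')` condition introduced in main.bicep. The `testDeployment` module block starts before this hunk.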
@@ -677,7 +683,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { | [`fabricSettings`](#parameter-fabricsettings) | array | The list of custom fabric settings to configure the cluster. | | [`infrastructureServiceManager`](#parameter-infrastructureservicemanager) | bool | Indicates if infrastructure service manager is enabled. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maxUnusedVersionsToKeep`](#parameter-maxunusedversionstokeep) | int | Number of unused versions per application type to keep. | | [`notifications`](#parameter-notifications) | array | Indicates a list of notification channels for cluster events. | | [`reverseProxyCertificate`](#parameter-reverseproxycertificate) | object | Describes the certificate details. | @@ -795,11 +801,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managementEndpoint` diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep index 3cf80e1cb6..d91b99db39 100644 --- a/modules/service-fabric/cluster/main.bicep +++ b/modules/service-fabric/cluster/main.bicep 
@@ -11,13 +11,8 @@ param location string = resourceGroup().location @description('Optional. Tags of the resource.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -284,11 +279,11 @@ resource serviceFabricCluster 'Microsoft.ServiceFabric/clusters@2021-06-01' = { } // Service Fabric cluster resource lock -resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${serviceFabricCluster.name}-${lock}-lock' +resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: serviceFabricCluster } @@ -332,3 +327,15 @@ output endpoint string = serviceFabricCluster.properties.clusterEndpoint @description('The location the resource was deployed into.') output location string = serviceFabricCluster.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json index 66d8a1770e..7573b8a154 100644 --- a/modules/service-fabric/cluster/main.json 
+++ b/modules/service-fabric/cluster/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "212662749954902934" + "templateHash": "3676240704825809090" }, "name": "Service Fabric Clusters", "description": "This module deploys a Service Fabric Cluster.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -33,15 +61,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { 
@@ -342,8 +364,8 @@ "enableReferencedModulesTelemetry": false, "upgradeDescriptionVar": "[union(createObject('deltaHealthPolicy', createObject('applicationDeltaHealthPolicies', if(contains(parameters('upgradeDescription'), 'applicationDeltaHealthPolicies'), parameters('upgradeDescription').applicationDeltaHealthPolicies, createObject()), 'maxPercentDeltaUnhealthyApplications', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyApplications'), parameters('upgradeDescription').maxPercentDeltaUnhealthyApplications, 0), 'maxPercentDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentDeltaUnhealthyNodes, 0), 'maxPercentUpgradeDomainDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentUpgradeDomainDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentUpgradeDomainDeltaUnhealthyNodes, 0)), 'forceRestart', if(contains(parameters('upgradeDescription'), 'forceRestart'), parameters('upgradeDescription').forceRestart, false()), 'healthCheckRetryTimeout', if(contains(parameters('upgradeDescription'), 'healthCheckRetryTimeout'), parameters('upgradeDescription').healthCheckRetryTimeout, '00:45:00'), 'healthCheckStableDuration', if(contains(parameters('upgradeDescription'), 'healthCheckStableDuration'), parameters('upgradeDescription').healthCheckStableDuration, '00:01:00'), 'healthCheckWaitDuration', if(contains(parameters('upgradeDescription'), 'healthCheckWaitDuration'), parameters('upgradeDescription').healthCheckWaitDuration, '00:00:30'), 'upgradeDomainTimeout', if(contains(parameters('upgradeDescription'), 'upgradeDomainTimeout'), parameters('upgradeDescription').upgradeDomainTimeout, '02:00:00'), 'upgradeReplicaSetCheckTimeout', if(contains(parameters('upgradeDescription'), 'upgradeReplicaSetCheckTimeout'), parameters('upgradeDescription').upgradeReplicaSetCheckTimeout, '1.00:00:00'), 'upgradeTimeout', 
if(contains(parameters('upgradeDescription'), 'upgradeTimeout'), parameters('upgradeDescription').upgradeTimeout, '02:00:00')), if(contains(parameters('upgradeDescription'), 'healthPolicy'), createObject('healthPolicy', createObject('applicationHealthPolicies', if(contains(parameters('upgradeDescription').healthPolicy, 'applicationHealthPolicies'), parameters('upgradeDescription').healthPolicy.applicationHealthPolicies, createObject()), 'maxPercentUnhealthyApplications', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyApplications'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyApplications, 0), 'maxPercentUnhealthyNodes', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyNodes'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyNodes, 0))), createObject()))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -357,7 +379,7 @@ } } }, - { + "serviceFabricCluster": { "type": "Microsoft.ServiceFabric/clusters", "apiVersion": "2021-06-01", "name": "[parameters('name')]", 
@@ -395,21 +417,21 @@ "waveUpgradePaused": "[parameters('waveUpgradePaused')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "serviceFabricCluster_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.ServiceFabric/clusters', parameters('name'))]" + "serviceFabricCluster" ] }, - { + "serviceFabricCluster_roleAssignments": { "copy": { "name": "serviceFabricCluster_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -554,10 +576,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceFabric/clusters', parameters('name'))]" + "serviceFabricCluster" ] }, - { + "serviceFabricCluster_applicationTypes": { "copy": { "name": "serviceFabricCluster_applicationTypes", "count": "[length(parameters('applicationTypes'))]" @@ -672,10 +694,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.ServiceFabric/clusters', parameters('name'))]" + "serviceFabricCluster" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -703,14 +725,14 @@ "metadata": { "description": "The Service Fabric Cluster endpoint." }, - "value": "[reference(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), '2021-06-01').clusterEndpoint]" + "value": "[reference('serviceFabricCluster').clusterEndpoint]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference('serviceFabricCluster', '2021-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep index 5fd96ee2cc..0724522270 100644 --- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep +++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep @@ -58,7 +58,10 @@ module testDeployment '../../main.bicep' = { disableAadAuth: false disableLocalAuth: true location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } kind: 'SignalR' networkAcls: { defaultAction: 'Allow' diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 523d6673b8..fdfe345029 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -54,7 +54,10 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { enableDefaultTelemetry: '' kind: 'SignalR' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { defaultAction: 'Allow' privateEndpoints: [ @@ -149,7 +152,10 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkAcls": { "value": { 
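Review bot: With `name: 'myCustomLockName'` pinned, this test no longer covers the default lock name (`lock-${name}`) or the `kind: 'None'` path of the new `lock` object, as far as this hunk shows. Because the default name is what callers migrating from the old string parameter will receive, consider passing `lock: { kind: 'CanNotDelete' }` without a name here, or adding a second case, so that path is the one validated by the test run.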
@@ -292,7 +298,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { | [`kind`](#parameter-kind) | string | The kind of the service. | | [`liveTraceCatagoriesToEnable`](#parameter-livetracecatagoriestoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`location`](#parameter-location) | string | The location for the resource. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | 
@@ -376,11 +382,30 @@ The location for the resource. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index f872032e37..ac72680f58 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep @@ -92,13 +92,8 @@ param upstreamTemplatesToEnable array = [] @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -172,7 +167,7 @@ module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [f serviceResourceId: signalR.id subnetResourceId: privateEndpoint.subnetResourceId location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -185,11 +180,11 @@ module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [f } }] -resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${signalR.name}-${lock}-lock' +resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: signalR } 
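Review bot: `lock: privateEndpoint.?lock ?? lock` changes behaviour beyond the type migration: a private endpoint with no `lock` of its own previously received `null` (no lock) and now inherits the parent's lock. That may be the intended hardening, but callers who lock the SignalR resource and tear down private endpoints independently will now be blocked, and neither the `lock` description nor the `privateEndpoints` description in this change mentions the inheritance. Suggest stating it in the parameter description, e.g. `@description('Optional. The lock settings of the service. Also applied to each private endpoint unless the endpoint specifies its own lock.')`, or keeping `?? null` if the inheritance is unintended. The enclosing `signalR_privateEndpoints` module loop starts and ends outside the hunk.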
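Review bot: In the `signalR_lock` hunk the condition `!empty(lock ?? {}) && lock.?kind != 'None'` still creates the lock for an object that carries only `name` (allowed, since `kind` is nullable in `lockType`), in which case `level` resolves to `''` and the deployment should fail at the provider instead of at validation. Gating on the kind, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, makes the `?? ''` fallback unreachable. The default name also changes from `${signalR.name}-${lock}-lock` to `lock-${name}`; since incremental deployments do not delete undeclared resources, existing deployments will presumably end up with both locks, which is worth calling out in the module README.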
@@ -218,3 +213,15 @@ output resourceId string = signalR.id @description('The location the resource was deployed into.') output location string = signalR.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index cae060bd25..2dd19e4b97 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18228985273880895122" + "templateHash": "855016656643960526" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "location": { "type": "string", @@ -170,15 +198,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -216,8 +238,8 @@ } ] }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -231,7 +253,7 @@ } } }, - { + "signalR": { "type": "Microsoft.SignalRService/signalR", "apiVersion": "2022-02-01", "name": "[parameters('name')]", @@ -262,21 +284,21 @@ "upstream": "[if(not(empty(parameters('upstreamTemplatesToEnable'))), createObject('templates', parameters('upstreamTemplatesToEnable')), createObject())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "signalR_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" + "signalR" ] }, - { + "signalR_privateEndpoints": { "copy": { "name": "signalR_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -303,7 +325,9 @@ "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -797,10 +821,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" + "signalR" ] }, - { + "signalR_rbac": { "copy": { "name": "signalR_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -953,10 +977,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" + "signalR" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -984,7 +1008,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.SignalRService/signalR', parameters('name')), '2022-02-01', 'full').location]" + "value": "[reference('signalR', '2022-02-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 0a4609a9bc..ede9095527 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -58,7 +58,10 @@ module testDeployment '../../main.bicep' = { disableAadAuth: false disableLocalAuth: true location: location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { defaultAction: 'Allow' privateEndpoints: [ diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 84dacd3e4d..e698195835 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -54,7 +54,10 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { disableLocalAuth: true enableDefaultTelemetry: '' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } networkAcls: { defaultAction: 'Allow' privateEndpoints: [ @@ -147,7 +150,10 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "networkAcls": { "value": { 
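Review bot: Pinning `name: 'myCustomLockName'` means this test, as far as the hunk shows, no longer exercises the default lock name (`lock-${name}`) or the `kind: 'None'` opt-out introduced with the object form. The default name is what existing consumers of the old string parameter will get after migrating, so consider `lock: { kind: 'CanNotDelete' }` here, or a second case, so that path is validated.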
@@ -380,7 +386,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location for the resource. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | 
@@ -435,11 +441,30 @@ The location for the resource. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 69b0410853..3e566959f7 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep @@ -11,13 +11,8 @@ param name string @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -132,7 +127,7 @@ module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = serviceResourceId: webPubSub.id subnetResourceId: privateEndpoint.subnetResourceId location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -145,11 +140,11 @@ module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = } }] -resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${webPubSub.name}-${lock}-lock' +resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: webPubSub } 
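Review bot: `lock: privateEndpoint.?lock ?? lock` silently changes the default for private endpoints: previously an endpoint without its own `lock` received `null`, now it inherits the Web PubSub resource's lock. That is defensible as a protective default, but it can break callers who lock the service and remove private endpoints independently, and nothing in the `lock` or `privateEndpoints` descriptions in this change documents the inheritance. Suggest `@description('Optional. The lock settings of the service. Also applied to each private endpoint unless the endpoint specifies its own lock.')`, or restoring `?? null` if inheritance is not intended. The enclosing `webPubSub_privateEndpoints` module loop starts and ends outside the hunk.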
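Review bot: In the `webPubSub_lock` hunk the condition `!empty(lock ?? {}) && lock.?kind != 'None'` still deploys the lock when the object carries only `name` (`kind` is nullable in `lockType`), so `level` becomes `''` and the deployment should be rejected by the provider at runtime rather than by validation. Gating on the kind, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, leaves the `?? ''` fallback unreachable. The default name also moves from `${webPubSub.name}-${lock}-lock` to `lock-${name}`; with incremental mode not removing undeclared resources, redeployed services will presumably retain the old lock next to the new one, which deserves a README note.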
@@ -190,3 +185,15 @@ output serverPort int = webPubSub.properties.serverPort @description('The location the resource was deployed into.') output location string = webPubSub.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index 7bca5bb716..a89045fd58 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11691998078416920042" + "templateHash": "13130629422708725988" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "location": { "type": "string", @@ -33,15 +61,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -169,8 +191,8 @@ "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -184,7 +206,7 @@ } } }, - { + "webPubSub": { "type": "Microsoft.SignalRService/webPubSub", "apiVersion": "2021-10-01", "name": "[parameters('name')]", @@ -209,21 +231,21 @@ } } }, - { - "condition": "[not(empty(parameters('lock')))]", + "webPubSub_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" + "webPubSub" ] }, - { + "webPubSub_privateEndpoints": { "copy": { "name": "webPubSub_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -250,7 +272,9 @@ "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -744,10 +768,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" + "webPubSub" ] }, - { + "webPubSub_rbac": { "copy": { "name": "webPubSub_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -900,10 +924,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" + "webPubSub" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -931,35 +955,35 @@ "metadata": { "description": "The Web PubSub externalIP." }, - "value": "[reference(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '2021-10-01').externalIP]" + "value": "[reference('webPubSub').externalIP]" }, "hostName": { "type": "string", "metadata": { "description": "The Web PubSub hostName." }, - "value": "[reference(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '2021-10-01').hostName]" + "value": "[reference('webPubSub').hostName]" }, "publicPort": { "type": "int", "metadata": { "description": "The Web PubSub publicPort." }, - "value": "[reference(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '2021-10-01').publicPort]" + "value": "[reference('webPubSub').publicPort]" }, "serverPort": { "type": "int", "metadata": { "description": "The Web PubSub serverPort." }, - "value": "[reference(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '2021-10-01').serverPort]" + "value": "[reference('webPubSub').serverPort]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '2021-10-01', 'full').location]" + "value": "[reference('webPubSub', '2021-10-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep index f13416a55e..fe67a03897 100644 --- a/modules/sql/managed-instance/.test/common/main.test.bicep +++ b/modules/sql/managed-instance/.test/common/main.test.bicep 
@@ -112,7 +112,10 @@ module testDeployment '../../main.bicep' = {
 }
 ]
 licenseType: 'LicenseIncluded'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
 proxyOverride: 'Proxy'
 publicDataEndpointEnabled: false
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index e1ab517342..ac4a8865d5 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -90,7 +90,10 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 }
 ]
 licenseType: 'LicenseIncluded'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 primaryUserAssignedIdentityId: ''
 proxyOverride: 'Proxy'
 publicDataEndpointEnabled: false
@@ -216,7 +219,10 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 "value": "LicenseIncluded"
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "primaryUserAssignedIdentityId": {
 "value": ""
@@ -503,7 +509,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { | [`keys`](#parameter-keys) | array | The keys to configure. | | [`licenseType`](#parameter-licensetype) | string | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedInstanceCreateMode`](#parameter-managedinstancecreatemode) | string | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | | [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | | [`proxyOverride`](#parameter-proxyoverride) | string | Connection type used for connecting to the instance. | @@ -668,11 +674,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedInstanceCreateMode` 
diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index bb78204f3f..03ea3aeb62 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -56,7 +56,7 @@ This module deploys a SQL Managed Instance Database. | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`restorableDroppedDatabaseId`](#parameter-restorabledroppeddatabaseid) | string | The restorable dropped database resource ID to restore when creating this database. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -155,11 +155,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `longTermRetentionBackupResourceId` diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep index cd6cab2d08..e304555fdb 100644 
--- a/modules/sql/managed-instance/database/main.bicep +++ b/modules/sql/managed-instance/database/main.bicep @@ -60,13 +60,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. The configuration for the backup short term retention policy definition.') param backupShortTermRetentionPoliciesObj object = {} @@ -202,3 +197,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = database.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json index a22c997575..eb042f863f 100644 --- a/modules/sql/managed-instance/database/main.json +++ b/modules/sql/managed-instance/database/main.json 
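Review bot: Switching `lock` to the nullable `lockType` object here is not matched by an update to the `database_lock` resource, which sits outside this hunk and is untouched by the commit; the compiled `database/main.json` in this same patch still shows that resource's condition as `not(empty(parameters('lock')))` and its `notes` comparing `parameters('lock')` to `'CanNotDelete'`, so it still treats `lock` as a string and presumably still passes the whole parameter as `level`. With the new type, `{ kind: 'None' }` would still satisfy the condition and the lock would be deployed with an invalid level, which matters more now that the parent module forwards its own lock to every database via `database.?lock ?? lock`. Bring the resource in line with the managed-instance module's version from this commit, scoped to `database` as the existing resource presumably already is.

```bicep
resource database_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
  name: lock.?name ?? 'lock-${name}'
  properties: {
    level: lock.?kind ?? ''
    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
  }
  scope: database
}
```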
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6503511608072200864" + "templateHash": "6248092272830092402" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -137,15 +165,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "backupShortTermRetentionPoliciesObj": { @@ -215,8 +237,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -230,7 +252,13 @@ } } }, - { + "managedInstance": { + "existing": true, + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2022-05-01-preview", + "name": "[parameters('managedInstanceName')]" + }, + "database": { "type": "Microsoft.Sql/managedInstances/databases", "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", @@ -247,9 +275,12 @@ "storageContainerSasToken": "[if(empty(parameters('storageContainerSasToken')), null(), parameters('storageContainerSasToken'))]", "recoverableDatabaseId": "[if(empty(parameters('recoverableDatabaseId')), null(), parameters('recoverableDatabaseId'))]", "longTermRetentionBackupResourceId": "[if(empty(parameters('longTermRetentionBackupResourceId')), null(), parameters('longTermRetentionBackupResourceId'))]" - } + }, + "dependsOn": [ + "managedInstance" + ] }, - { + "database_lock": { "condition": "[not(empty(parameters('lock')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", @@ -260,10 +291,10 @@ "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -277,10 +308,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_backupShortTermRetentionPolicy": { "condition": "[not(empty(parameters('backupShortTermRetentionPoliciesObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -402,10 +433,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_backupLongTermRetentionPolicy": { "condition": "[not(empty(parameters('backupLongTermRetentionPoliciesObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -554,10 +585,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -585,7 +616,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-05-01-preview', 'full').location]" + "value": "[reference('database', '2022-05-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index dadd1e4f71..1bf99be979 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep 
@@ -98,13 +98,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -257,11 +252,11 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = { } } -resource managedInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${managedInstance.name}-${lock}-lock' +resource managedInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: managedInstance } 
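Review bot: The new guard on `managedInstance_lock` lets a lock object that sets only `name` through, because both `lockType` properties are optional: `!empty({ name: 'x' })` is true and `lock.?kind != 'None'` is true, so the resource is deployed with `level: lock.?kind ?? ''`, i.e. an empty string, which is not a valid lock level and would fail the deployment rather than silently skip the lock. Keying the condition on `kind` instead of on the object closes that gap: `resource managedInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. With that change the `?? ''` fallback on `level` becomes unreachable and could be dropped.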
@@ -304,7 +299,7 @@ module managedInstance_databases 'database/main.bicep' = [for (database, index) diagnosticEventHubAuthorizationRuleId: contains(database, 'diagnosticEventHubAuthorizationRuleId') ? database.diagnosticEventHubAuthorizationRuleId : '' diagnosticEventHubName: contains(database, 'diagnosticEventHubName') ? database.diagnosticEventHubName : '' location: contains(database, 'location') ? database.location : managedInstance.location - lock: contains(database, 'lock') ? database.lock : '' + lock: database.?lock ?? lock longTermRetentionBackupResourceId: contains(database, 'longTermRetentionBackupResourceId') ? database.longTermRetentionBackupResourceId : '' recoverableDatabaseId: contains(database, 'recoverableDatabaseId') ? database.recoverableDatabaseId : '' restorableDroppedDatabaseId: contains(database, 'restorableDroppedDatabaseId') ? database.restorableDroppedDatabaseId : '' @@ -399,3 +394,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(man @description('The location the resource was deployed into.') output location string = managedInstance.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 8313b95372..21ce21a1d0 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json 
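Review bot: `lock: database.?lock ?? lock` silently changes the default for every database from no lock (the previous `''`) to the instance's lock, and nothing in the hunk records that a database can now only opt out by setting `kind: 'None'` on its own `lock` entry. Azure already applies a parent-scope lock to child resources, so deploying an explicit per-database lock is presumably a deliberate belt-and-braces choice, but the inheritance and the opt-out deserve an inline comment: `// Databases inherit the instance lock unless they set their own; use kind: 'None' on a database to opt out`. The `databases` parameter description (outside this hunk) should carry the same sentence so consumers of the README see it.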
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8514585732181524503" + "templateHash": "15164808450251247513" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -208,15 +236,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -389,8 +411,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -404,7 +426,7 @@ } } }, - { + "managedInstance": { "type": "Microsoft.Sql/managedInstances", "apiVersion": "2022-05-01-preview", "name": "[parameters('name')]", 
@@ -441,21 +463,21 @@ "minimalTlsVersion": "[parameters('minimalTlsVersion')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "managedInstance_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -470,10 +492,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_roleAssignments": { "copy": { "name": "managedInstance_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -627,10 +649,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_databases": { "copy": { "name": "managedInstance_databases", "count": "[length(parameters('databases'))]" 
@@ -656,8 +678,10 @@ "diagnosticStorageAccountId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('databases')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", "diagnosticEventHubName": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", - "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), createObject('value', reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').location))]", - "lock": "[if(contains(parameters('databases')[copyIndex()], 'lock'), createObject('value', parameters('databases')[copyIndex()].lock), createObject('value', ''))]", + "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), createObject('value', reference('managedInstance', '2022-05-01-preview', 'full').location))]", + "lock": { + "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'lock'), parameters('lock'))]" + }, "longTermRetentionBackupResourceId": "[if(contains(parameters('databases')[copyIndex()], 'longTermRetentionBackupResourceId'), createObject('value', parameters('databases')[copyIndex()].longTermRetentionBackupResourceId), createObject('value', ''))]", "recoverableDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'recoverableDatabaseId'), createObject('value', parameters('databases')[copyIndex()].recoverableDatabaseId), 
createObject('value', ''))]", "restorableDroppedDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'restorableDroppedDatabaseId'), createObject('value', parameters('databases')[copyIndex()].restorableDroppedDatabaseId), createObject('value', ''))]", @@ -675,17 +699,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6503511608072200864" + "templateHash": "6248092272830092402" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -812,15 +864,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "backupShortTermRetentionPoliciesObj": { 
@@ -890,8 +936,8 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -905,7 +951,13 @@ } } }, - { + "managedInstance": { + "existing": true, + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2022-05-01-preview", + "name": "[parameters('managedInstanceName')]" + }, + "database": { "type": "Microsoft.Sql/managedInstances/databases", "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('managedInstanceName'), parameters('name'))]", @@ -922,9 +974,12 @@ "storageContainerSasToken": "[if(empty(parameters('storageContainerSasToken')), null(), parameters('storageContainerSasToken'))]", "recoverableDatabaseId": "[if(empty(parameters('recoverableDatabaseId')), null(), parameters('recoverableDatabaseId'))]", "longTermRetentionBackupResourceId": "[if(empty(parameters('longTermRetentionBackupResourceId')), null(), parameters('longTermRetentionBackupResourceId'))]" - } + }, + "dependsOn": [ + "managedInstance" + ] }, - { + "database_lock": { "condition": "[not(empty(parameters('lock')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", 
@@ -935,10 +990,10 @@ "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -952,10 +1007,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_backupShortTermRetentionPolicy": { "condition": "[not(empty(parameters('backupShortTermRetentionPoliciesObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1077,10 +1132,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] }, - { + "database_backupLongTermRetentionPolicy": { "condition": "[not(empty(parameters('backupLongTermRetentionPoliciesObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1229,10 +1284,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name'))]" + "database" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1260,16 +1315,16 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances/databases', parameters('managedInstanceName'), parameters('name')), '2022-05-01-preview', 'full').location]" + "value": "[reference('database', '2022-05-01-preview', 'full').location]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_securityAlertPolicy": { "condition": "[not(empty(parameters('securityAlertPoliciesObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1395,10 +1450,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_vulnerabilityAssessment": { "condition": "[and(not(empty(parameters('vulnerabilityAssessmentsObj'))), parameters('systemAssignedIdentity'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1614,11 +1669,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-SqlMi-SecAlertPol', uniqueString(deployment().name, parameters('location'))))]" + "managedInstance", + "managedInstance_securityAlertPolicy" ] }, - { + "managedInstance_keys": { "copy": { "name": "managedInstance_keys", "count": "[length(parameters('keys'))]" @@ -1751,10 +1806,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] }, - { + "managedInstance_encryptionProtector": { "condition": "[not(empty(parameters('encryptionProtectorObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -1881,11 +1936,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]", + "managedInstance", "managedInstance_keys" ] }, - { + "managedInstance_administrator": { "condition": "[not(empty(parameters('administratorsObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2010,10 +2065,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" + "managedInstance" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2041,14 +2096,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('managedInstance', '2022-05-01-preview', 'full').identity, 'principalId')), reference('managedInstance', '2022-05-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('name')), '2022-05-01-preview', 'full').location]" + "value": "[reference('managedInstance', '2022-05-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index d1dcf9b1e5..c6bf91abb0 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep 
@@ -73,7 +73,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId administratorLogin: 'adminUserName' administratorLoginPassword: password diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index b29f850977..6277bb6fd1 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -175,7 +175,10 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { } ] location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } primaryUserAssignedIdentityId: '' privateEndpoints: [ { @@ -323,7 +326,10 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "primaryUserAssignedIdentityId": { "value": "" 
@@ -621,7 +627,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { | [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the server. | | [`keys`](#parameter-keys) | array | The keys to configure. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | @@ -706,11 +712,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `minimalTlsVersion` diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index e3ade2a5f8..bce8cddafd 100644 --- a/modules/sql/server/main.bicep 
+++ b/modules/sql/server/main.bicep @@ -24,13 +24,8 @@ param userAssignedIdentities object = {} @description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') param primaryUserAssignedIdentityId string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -140,11 +135,11 @@ resource server 'Microsoft.Sql/servers@2022-05-01-preview' = { } } -resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${server.name}-${lock}-lock' +resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: server } 
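Review bot: The new `server_lock` condition `!empty(lock ?? {}) && lock.?kind != 'None'` still deploys a lock when the caller passes an object that sets only `name`, e.g. `lock: { name: 'x' }`, because such an object is non-empty and its missing kind is not `'None'`; the resource then goes out with `level: lock.?kind ?? ''`, and an empty level is not an accepted lock level, so the deployment is expected to fail instead of the lock being skipped. Gating on the kind itself avoids that: `resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`, after which the `?? ''` fallback on `level` is only there to satisfy the type. The same condition is introduced for `storageAccount_lock` in modules/storage/storage-account/main.bicep in this patch and would take the same change.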
@@ -241,7 +236,7 @@ module server_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -347,3 +342,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(ser @description('The location the resource was deployed into.') output location string = server.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index ce9273e1dc..6b01072bdf 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json 
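Review bot: `lock: privateEndpoint.?lock ?? lock` changes the default for private endpoints from no lock to inheriting the server's lock, and nothing in the hunk records that; the `privateEndpoints` parameter description is outside this hunk and, as far as visible, does not mention inheritance. A consumer who locks the server but needs to manage the endpoints independently now has to know to set a lock with kind `'None'` on the endpoint, assuming the private-endpoint module honours `'None'` the way `server_lock` does. Suggest extending the `privateEndpoints` description with `Each private endpoint inherits the module-level lock unless it defines its own lock object; use kind 'None' to opt out.`. The same propagation is added to `storageAccount_privateEndpoints` in modules/storage/storage-account/main.bicep.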
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4323187915659355433" + "templateHash": "18434767573775023159" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "administratorLogin": { "type": "string", @@ -61,15 +89,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -205,8 +227,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -220,7 +242,7 @@ } } }, - { + "server": { "type": "Microsoft.Sql/servers", "apiVersion": "2022-05-01-preview", "name": "[parameters('name')]", 
@@ -238,21 +260,21 @@ "restrictOutboundNetworkAccess": "[if(not(empty(parameters('restrictOutboundNetworkAccess'))), parameters('restrictOutboundNetworkAccess'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "server_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Sql/servers/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_roleAssignments": { "copy": { "name": "server_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -404,10 +426,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_databases": { "copy": { "name": "server_databases", "count": "[length(parameters('databases'))]" @@ -1176,11 +1198,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]", + "server", "server_elasticPools" ] }, - { + "server_elasticPools": { "copy": { "name": "server_elasticPools", "count": "[length(parameters('elasticPools'))]" 
@@ -1421,10 +1443,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_privateEndpoints": { "copy": { "name": "server_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -1454,7 +1476,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1948,10 +1972,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_firewallRules": { "copy": { "name": "server_firewallRules", "count": "[length(parameters('firewallRules'))]" 
@@ -2076,10 +2100,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_virtualNetworkRules": { "copy": { "name": "server_virtualNetworkRules", "count": "[length(parameters('virtualNetworkRules'))]" @@ -2205,10 +2229,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_securityAlertPolicies": { "copy": { "name": "server_securityAlertPolicies", "count": "[length(parameters('securityAlertPolicies'))]" @@ -2382,10 +2406,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_vulnerabilityAssessment": { "condition": "[not(empty(parameters('vulnerabilityAssessmentsObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2528,11 +2552,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]", + "server", "server_securityAlertPolicies" ] }, - { + "server_keys": { "copy": { "name": "server_keys", "count": "[length(parameters('keys'))]" @@ -2665,10 +2689,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + "server" ] }, - { + "server_encryptionProtector": { "condition": "[not(empty(parameters('encryptionProtectorObj')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2795,11 +2819,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', parameters('name'))]", + "server", "server_keys" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2827,14 +2851,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Sql/servers', parameters('name')), '2022-05-01-preview', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Sql/servers', parameters('name')), '2022-05-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('server', '2022-05-01-preview', 'full').identity, 'principalId')), reference('server', '2022-05-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('name')), '2022-05-01-preview', 'full').location]" + "value": "[reference('server', '2022-05-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep index fd7f6d82b4..7a14f34337 100644 --- a/modules/storage/storage-account/.test/common/main.test.bicep +++ b/modules/storage/storage-account/.test/common/main.test.bicep @@ -71,7 +71,10 @@ module testDeployment '../../main.bicep' = { allowBlobPublicAccess: false requireInfrastructureEncryption: true largeFileSharesState: 'Enabled' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } enableHierarchicalNamespace: true enableSftp: true enableNfsV3: true diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/.test/nfs/main.test.bicep index 712fe58733..8403155a98 100644 --- a/modules/storage/storage-account/.test/nfs/main.test.bicep +++ b/modules/storage/storage-account/.test/nfs/main.test.bicep 
@@ -67,7 +67,10 @@ module testDeployment '../../main.bicep' = { kind: 'FileStorage' allowBlobPublicAccess: false supportsHttpsTrafficOnly: false - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } fileServices: { shares: [ { diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 5be3a36433..76ae6d27a8 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -155,7 +155,10 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { storageAccountName: 'ssacom001' } ] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managementPolicyRules: [ { definition: { @@ -419,7 +422,10 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "managementPolicyRules": { "value": [ @@ -822,7 +828,10 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] } kind: 'FileStorage' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -896,7 +905,10 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "value": "FileStorage" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -1051,7 +1063,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`largeFileSharesState`](#parameter-largefilesharesstate) | string | Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). | | [`localUsers`](#parameter-localusers) | array | Local users to deploy for SFTP authentication. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managementPolicyRules`](#parameter-managementpolicyrules) | array | The Storage Account ManagementPolicies Rules. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Set the minimum TLS version on request to storage. | | [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | @@ -1293,11 +1305,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managementPolicyRules` 
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index e67cd0168b..cfbb81990d 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep @@ -144,13 +144,8 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} @@ -232,9 +227,9 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split(cMKKeyVaultResourceId, '/'))! - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! + scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) } resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { 
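Review bot: The `'dummyVault'`, `'//'` and `'////'` fallbacks in the rewritten `keyVault` existing resource appear to exist only so that `last(split(...))` and the `[2]`/`[4]` indexes into the split resource ID can be evaluated when `cMKKeyVaultResourceId` is empty and the resource is conditioned out, but the hunk does not say so and a reader will take `dummyVault` for a real vault name. A one-line comment above the resource would prevent that: `// Placeholder values keep the name/scope expressions evaluable when no CMK Key Vault is given; the condition skips the resource itself.`. The same hunk also moves the vault API version from 2021-06-01-preview to 2021-10-01, which is unrelated to the lock change and worth calling out separately.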
@@ -318,11 +313,11 @@ resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSetting scope: storageAccount } -resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${storageAccount.name}-${lock}-lock' +resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: storageAccount } @@ -351,7 +346,7 @@ module storageAccount_privateEndpoints '../../network/private-endpoint/main.bice subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] 
@@ -494,3 +489,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && contains(sto @description('The location the resource was deployed into.') output location string = storageAccount.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 37226f763b..38d1cc9dd2 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4491569988152591675" + "templateHash": "2987578024127826531" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -294,15 +322,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { 
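Review bot: The `kind` description in the new `lockType` says only "Specify the type of lock" and does not explain `'None'`, whose effect lives in the `storageAccount_lock` condition outside this hunk, where it suppresses the lock; with the module-level lock now passed down to private endpoints, `'None'` is the documented way to opt a child resource out, so the value needs a sentence. Suggest `@description('Optional. Specify the type of lock. \'None\' deploys no lock, including where a lock would otherwise be inherited from this module.')`. The identical type definition is added to modules/sql/server/main.bicep in this patch and would take the same wording.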
@@ -423,8 +445,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -438,7 +460,16 @@ } } }, - { + "keyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "storageAccount": { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "name": "[parameters('name')]", 
@@ -473,7 +504,7 @@ } }, "requireInfrastructureEncryption": "[if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())]", - "keyvaultproperties": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyname', parameters('cMKKeyName'), 'keyvaulturi', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-06-01-preview').vaultUri, 'keyversion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null())), null())]", + "keyvaultproperties": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyname', parameters('cMKKeyName'), 'keyvaulturi', reference('keyVault').vaultUri, 'keyversion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null())), null())]", "identity": "[if(not(empty(parameters('cMKKeyName'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null())]" }, "accessTier": "[if(not(equals(parameters('kind'), 'Storage')), parameters('accessTier'), null())]", 
@@ -488,9 +519,12 @@ "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))]", "azureFilesIdentityBasedAuthentication": "[if(not(empty(parameters('azureFilesIdentityBasedAuthentication'))), parameters('azureFilesIdentityBasedAuthentication'), null())]" - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "storageAccount_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -504,24 +538,24 @@ "metrics": "[variables('diagnosticsMetrics')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "storageAccount_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_roleAssignments": { "copy": { "name": "storageAccount_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -699,10 +733,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_privateEndpoints": { "copy": { "name": "storageAccount_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -732,7 +766,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1226,10 +1262,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_managementPolicies": { "condition": "[not(empty(parameters('managementPolicyRules')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -1338,11 +1374,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-Storage-BlobServices', uniqueString(deployment().name, parameters('location'))))]" + "storageAccount", + "storageAccount_blobServices" ] }, - { + "storageAccount_localUsers": { "copy": { "name": "storageAccount_localUsers", "count": "[length(parameters('localUsers'))]" @@ -1507,10 +1543,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_blobServices": { "condition": "[not(empty(parameters('blobServices')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -2399,10 +2435,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_fileServices": { "condition": "[not(empty(parameters('fileServices')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3005,10 +3041,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_queueServices": { "condition": "[not(empty(parameters('queueServices')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3528,10 +3564,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] }, - { + "storageAccount_tableServices": { "condition": "[not(empty(parameters('tableServices')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -3851,10 +3887,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "storageAccount" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -3889,14 +3925,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '2022-09-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('storageAccount', '2022-09-01', 'full').identity, 'principalId')), reference('storageAccount', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('storageAccount', '2022-09-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep index 91ad5e191b..86db3ae553 100644 --- a/modules/synapse/private-link-hub/.test/common/main.test.bicep +++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep @@ -54,7 +54,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 05f4411690..6b1f40cf22 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md 
@@ -48,7 +48,10 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { name: 'splhcom001' // Non-required parameters enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -108,7 +111,10 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ @@ -220,7 +226,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -241,11 +247,30 @@ The geo-location where the resource lives. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep index f377f95757..cfb50ac903 100644 --- a/modules/synapse/private-link-hub/main.bicep +++ b/modules/synapse/private-link-hub/main.bicep @@ -11,13 +11,8 @@ param location string = resourceGroup().location @description('Optional. Tags of the resource.') param tags object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
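Review bot: Replacing `param lock string = ''` with `param lock lockType` in modules/synapse/private-link-hub/main.bicep is a breaking change to the module's public contract: a caller still passing `lock: 'CanNotDelete'` or `lock: ''` now fails Bicep type-checking instead of deploying, and the removal of the `@allowed` list moves that validation into the type. The same change is made to modules/synapse/workspace/main.bicep in its `@@ -91,13 +91,8 @@` hunk. Nothing in this diff shows the module version files being raised accordingly; if a major version bump is not already part of the change it should be added so consumers pinning the published module are not broken silently.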
@@ -49,11 +44,11 @@ resource privateLinkHub 'Microsoft.Synapse/privateLinkHubs@2021-06-01' = {
 }
 // Resource Lock
-resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${privateLinkHub.name}-${lock}-lock'
+resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: privateLinkHub
 }
@@ -84,7 +79,7 @@ module privateLinkHub_privateEndpoints '../../network/private-endpoint/main.bice
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
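Review bot: The new condition `if (!empty(lock ?? {}) && lock.?kind != 'None')` deploys `privateLinkHub_lock` whenever the object has any property, so a caller passing only `{ name: 'x' }` reaches `level: lock.?kind ?? ''` and submits a lock with an empty `level`; the locks API is unlikely to accept that, and even if it did the resource would not be protected. Gating on the kind instead, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, makes a missing kind cleanly mean "no lock" while keeping `None` as the explicit opt-out. `workspace_lock` in modules/synapse/workspace/main.bicep carries the same condition and needs the same change.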
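Review bot: `lock: privateEndpoint.?lock ?? lock` changes behaviour without saying so: a private endpoint that defines no `lock` of its own previously received `null` and now inherits the hub's lock settings. Inheriting the lock is a reasonable secure default, but a consumer who sets the hub to `ReadOnly` may not expect its private endpoints to become read-only as well, and the parameter description for `privateEndpoints` does not mention it. Add a line comment above the assignment, `// Inherit the parent resource's lock unless the private endpoint defines its own`, and state the inheritance in the `privateEndpoints` description. The enclosing `privateLinkHub_privateEndpoints` module block starts and ends outside the hunk; the identical change appears in modules/synapse/workspace/main.bicep.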
@@ -108,3 +103,15 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = privateLinkHub.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json index 080b2e1d7a..f96d97ebc8 100644 --- a/modules/synapse/private-link-hub/main.json +++ b/modules/synapse/private-link-hub/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11333441944276260174" + "templateHash": "11576206008807931590" }, "name": "Azure Synapse Analytics", "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -33,15 +61,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "enableDefaultTelemetry": { 
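Review bot: The description on `kind` in the new `lockType`, `Optional. Specify the type of lock.`, does not tell a reader that `None` is treated specially by the lock resource's condition, which is the only way to state "no lock" explicitly on an object parameter that is otherwise propagated to child deployments. Suggest `@description('Optional. Specify the type of lock. Use \'None\' to explicitly deploy no lock.')` here and in the matching `lockType` in modules/synapse/workspace/main.bicep. Whether the private-endpoint module honours a passed-through `{ kind: 'None' }` the same way cannot be confirmed from this diff and is worth checking.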
@@ -69,8 +91,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -84,28 +106,28 @@ } } }, - { + "privateLinkHub": { "type": "Microsoft.Synapse/privateLinkHubs", "apiVersion": "2021-06-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, - { - "condition": "[not(empty(parameters('lock')))]", + "privateLinkHub_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" + "privateLinkHub" ] }, - { + "privateLinkHub_roleAssignments": { "copy": { "name": "privateLinkHub_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -250,10 +272,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" + "privateLinkHub" ] }, - { + "privateLinkHub_privateEndpoints": { "copy": { "name": "privateLinkHub_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -283,7 +305,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -777,10 +801,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" + "privateLinkHub" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -808,7 +832,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference('privateLinkHub', '2021-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 12a0448450..590844f253 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -562,7 +562,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`integrationRuntimes`](#parameter-integrationruntimes) | array | The Integration Runtimes to create. | | [`linkedAccessCheckOnTargetResource`](#parameter-linkedaccesscheckontargetresource) | bool | Linked Access Check On Target Resource. | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | | [`managedVirtualNetwork`](#parameter-managedvirtualnetwork) | bool | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | | [`preventDataExfiltration`](#parameter-preventdataexfiltration) | bool | Prevent Data Exfiltration. | 
@@ -730,11 +730,30 @@ The geo-location where the resource lives. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedResourceGroupName` diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index ec1e80bd8e..9f1bac808f 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep @@ -91,13 +91,8 @@ param workspaceRepositoryConfiguration object = {} @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -164,13 +159,12 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
 var enableReferencedModulesTelemetry = false
 resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
-}
+ name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
+ scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
- name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'!
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
+ name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ }
 }
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
@@ -208,7 +202,7 @@ resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
 useSystemAssignedIdentity: cMKUseSystemAssignedIdentity
 }
 key: {
- keyVaultUrl: cMKKeyVaultKey.properties.keyUri
+ keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri
 name: cMKKeyName
 }
 }
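Review bot: The fallback literals `'dummyVault'`, `'//'` and `'////'` in `cMKKeyVault`, and `'dummyKey'` in `cMKKey`, are unexplained and read as real defaults. They presumably exist only so the `name`/`scope` expressions evaluate and the `split(...)[2]`/`[4]` indexes stay in range when `cMKKeyVaultResourceId` or `cMKKeyName` is empty, while the `existing = if (...)` conditions keep those resources from ever being resolved in that state; say so with a comment above the resource, e.g. `// Placeholder values are never resolved: both 'existing' resources are conditional on the CMK parameters being set`. The nested `cMKKey` also pins `keys@2023-02-01` against the parent's `vaults@2021-10-01`; a short comment on why the versions differ would help. The `cMKKeyVault::cMKKey.properties.keyUri` reference in the second hunk sits inside `resource workspace`, which starts and ends outside the hunk; the compiled main.json shows it wrapped in an `if(parameters('encryption'), ...)` guard, which is what keeps it from evaluating when CMK is not configured.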
@@ -269,11 +263,11 @@ module workspace_key './key/main.bicep' = if (encryptionActivateWorkspace) {
 }
 // Resource Lock
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${workspace.name}-${lock}-lock'
+resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: workspace
 }
@@ -300,7 +294,7 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -343,3 +337,15 @@ output systemAssignedPrincipalId string = contains(workspace.identity, 'principa @description('The location the resource was deployed into.') output location string = workspace.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index 3f91c6fb88..8c6486e6ea 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14717079863067599908" + "templateHash": "2812430715889836837" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -204,15 +232,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { 
@@ -306,8 +328,29 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "cMKKeyVault": { + "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2021-10-01", + "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -321,7 +364,7 @@ } } }, - { + "workspace": { "type": "Microsoft.Synapse/workspaces", "apiVersion": "2021-06-01", "name": "[parameters('name')]", 
@@ -337,7 +380,7 @@ "filesystem": "[parameters('defaultDataLakeStorageFilesystem')]", "createManagedPrivateEndpoint": "[if(parameters('managedVirtualNetwork'), parameters('defaultDataLakeStorageCreateManagedPrivateEndpoint'), null())]" }, - "encryption": "[if(parameters('encryption'), createObject('cmk', createObject('kekIdentity', createObject('userAssignedIdentity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), null()), 'useSystemAssignedIdentity', parameters('cMKUseSystemAssignedIdentity')), 'key', createObject('keyVaultUrl', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[0], split(format('{0}/{1}', last(split(parameters('cMKKeyVaultResourceId'), '/')), parameters('cMKKeyName')), '/')[1]), '2021-10-01').keyUri, 'name', parameters('cMKKeyName')))), null())]", + "encryption": "[if(parameters('encryption'), createObject('cmk', createObject('kekIdentity', createObject('userAssignedIdentity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), null()), 'useSystemAssignedIdentity', parameters('cMKUseSystemAssignedIdentity')), 'key', createObject('keyVaultUrl', reference('cMKKeyVault::cMKKey').keyUri, 'name', parameters('cMKKeyName')))), null())]", "managedResourceGroupName": "[if(not(empty(parameters('managedResourceGroupName'))), parameters('managedResourceGroupName'), null())]", "managedVirtualNetwork": "[if(parameters('managedVirtualNetwork'), 'default', null())]", "managedVirtualNetworkSettings": "[if(parameters('managedVirtualNetwork'), createObject('allowedAadTenantIdsForLinking', parameters('allowedAadTenantIdsForLinking'), 'linkedAccessCheckOnTargetResource', 
parameters('linkedAccessCheckOnTargetResource'), 'preventDataExfiltration', parameters('preventDataExfiltration')), null())]", @@ -346,23 +389,26 @@ "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", "sqlAdministratorLoginPassword": "[if(not(empty(parameters('sqlAdministratorLoginPassword'))), parameters('sqlAdministratorLoginPassword'), null())]", "workspaceRepositoryConfiguration": "[parameters('workspaceRepositoryConfiguration')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "workspace_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -376,10 +422,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "workspace" ] }, - { + "synapse_integrationRuntimes": { "copy": { "name": "synapse_integrationRuntimes", "count": "[length(parameters('integrationRuntimes'))]" @@ -506,10 +552,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_cmk_rbac": { "condition": "[parameters('encryptionActivateWorkspace')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -521,10 +567,10 @@ "mode": "Incremental", "parameters": { "workspaceIndentityPrincipalId": { - "value": "[reference(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '2021-06-01', 'full').identity.principalId]" + "value": "[reference('workspace', '2021-06-01', 'full').identity.principalId]" }, - "keyvaultName": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', last(split(parameters('cMKKeyVaultResourceId'), '/'))), createObject('value', ''))]", - "usesRbacAuthorization": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').enableRbacAuthorization), createObject('value', true()))]" + "keyvaultName": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))), createObject('value', ''))]", + "usesRbacAuthorization": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', reference('cMKKeyVault').enableRbacAuthorization), createObject('value', true()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -586,10 +632,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "cMKKeyVault", + "workspace" ] }, - { + "workspace_key": { "condition": "[parameters('encryptionActivateWorkspace')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -718,11 +765,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]", - "[resourceId('Microsoft.Resources/deployments', format('{0}-cmk-rbac', parameters('name')))]" + "workspace", + "workspace_cmk_rbac" ] }, - { + "workspace_rbac": { "copy": { "name": "workspace_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -803,10 +850,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "workspace" ] }, - { + "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -836,7 +883,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1330,10 +1379,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" + "workspace" ] } - ], + }, "outputs": { "resourceID": { "type": "string", 
@@ -1361,21 +1410,21 @@ "metadata": { "description": "The workspace connectivity endpoints." }, - "value": "[reference(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '2021-06-01').connectivityEndpoints]" + "value": "[reference('workspace').connectivityEndpoints]" }, "systemAssignedPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(contains(reference(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '2021-06-01', 'full').identity, 'principalId'), reference(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '2021-06-01', 'full').identity.principalId, '')]" + "value": "[if(contains(reference('workspace', '2021-06-01', 'full').identity, 'principalId'), reference('workspace', '2021-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference('workspace', '2021-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep index 87d86aad95..3844885f12 100644 --- a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep +++ b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep @@ -86,7 +86,10 @@ module testDeployment '../../main.bicep' = { } buildTimeoutInMinutes: 60 imageReplicationRegions: [] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managedImageName: '${namePrefix}-mi-${serviceShort}-001' osDiskSizeGB: 127 roleAssignments: [ 
diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index a06d6c5360..9a2d0010eb 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -63,7 +63,10 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 buildTimeoutInMinutes: 60 enableDefaultTelemetry: '' imageReplicationRegions: [] - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managedImageName: 'mi-vmiitcom-001' osDiskSizeGB: 127 roleAssignments: [ @@ -141,7 +144,10 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 "value": [] }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "managedImageName": { "value": "mi-vmiitcom-001" 
@@ -311,7 +317,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0
 | [`excludeFromLatest`](#parameter-excludefromlatest) | bool | Exclude the created Azure Compute Gallery image version from the latest. |
 | [`imageReplicationRegions`](#parameter-imagereplicationregions) | array | List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedImageName`](#parameter-managedimagename) | string | Name of the managed image that will be created in the AIB resourcegroup. |
 | [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -388,11 +394,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `managedImageName` diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep index b8c9cd08bc..4e05b291f6 100644 --- a/modules/virtual-machine-images/image-template/main.bicep +++ b/modules/virtual-machine-images/image-template/main.bicep @@ -65,13 +65,8 @@ param storageAccountType string = 'Standard_LRS' @description('Optional. Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn\'t exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn\'t exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain.') param stagingResourceGroup string = '' -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} @@ -182,11 +177,11 @@ resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14 } } -resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${imageTemplate.name}-${lock}-lock' +resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: imageTemplate } @@ -221,3 +216,15 @@ output runThisCommand string = 'Invoke-AzResourceAction -ResourceName ${imageTem @description('The location the resource was deployed into.') output location string = imageTemplate.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json index 0905d7ecbb..82a30b1eec 100644 --- a/modules/virtual-machine-images/image-template/main.json 
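Review bot: In the `imageTemplate_lock` hunk the guard `if (!empty(lock ?? {}) && lock.?kind != 'None')` still creates the lock when the object carries only `name` and no `kind`, and `level: lock.?kind ?? ''` then submits an empty level. As far as I know `Microsoft.Authorization/locks` accepts only `CanNotDelete` or `ReadOnly` for `level`, so such a deployment would presumably fail at validation rather than be skipped, and in either case the caller ends up without the protective lock they configured. Keying the condition on the kind itself, `if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, keeps the explicit `kind: 'None'` opt-out while guaranteeing `level` always holds a real value whenever the resource is created. The same guard is repeated in `connection_lock` and `appServiceEnvironment_lock` in the two later main.bicep hunks, and the compiled main.json condition `and(not(empty(coalesce(parameters('lock'), createObject()))), ...)` mirrors it, so those files would need regenerating after the fix.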
+++ b/modules/virtual-machine-images/image-template/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2649219392883054229" + "templateHash": "7243500275007115201" }, "name": "Virtual Machine Image Templates", "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -148,15 +176,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -248,8 +270,8 @@ "subnetId": "[parameters('subnetId')]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -263,7 +285,7 @@ } } }, - { + "imageTemplate": { "type": "Microsoft.VirtualMachineImages/imageTemplates", "apiVersion": "2022-02-14", "name": "[format('{0}-{1}', parameters('name'), parameters('baseTime'))]", 
@@ -289,21 +311,21 @@ "stagingResourceGroup": "[parameters('stagingResourceGroup')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "imageTemplate_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", - "name": "[format('{0}-{1}-lock', format('{0}-{1}', parameters('name'), parameters('baseTime')), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime')))]" + "imageTemplate" ] }, - { + "imageTemplate_roleAssignments": { "copy": { "name": "imageTemplate_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -448,10 +470,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime')))]" + "imageTemplate" ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -493,7 +515,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime'))), '2022-02-14', 'full').location]" + "value": "[reference('imageTemplate', '2022-02-14', 'full').location]" } } } \ No newline at end of file diff --git a/modules/web/connection/.test/common/main.test.bicep b/modules/web/connection/.test/common/main.test.bicep index 0491801800..73975fe689 100644 --- a/modules/web/connection/.test/common/main.test.bicep +++ b/modules/web/connection/.test/common/main.test.bicep @@ -57,7 +57,10 @@ module testDeployment '../../main.bicep' = { id: '${subscription().id}/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs' } - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 930a3eee78..9675791fd6 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -49,7 +49,10 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { id: '' } enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -97,7 +100,10 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -142,7 +148,7 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = {
 | [`customParameterValues`](#parameter-customparametervalues) | object | Customized parameter values for specific connections. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location of the deployment. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`nonSecretParameterValues`](#parameter-nonsecretparametervalues) | object | Dictionary of nonsecret parameter values. |
 | [`parameterValues`](#parameter-parametervalues) | secureObject | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -186,11 +192,30 @@ Location of the deployment. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep index af0149864e..a0fbe5458e 100644 --- a/modules/web/connection/main.bicep +++ b/modules/web/connection/main.bicep @@ -34,13 +34,8 @@ param roleAssignments array = [] @description('Optional. Status of the connection.') param statuses array = [] -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -75,11 +70,11 @@ resource connection 'Microsoft.Web/connections@2016-06-01' = { } } -resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${connection.name}-${lock}-lock' +resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: connection } @@ -108,3 +103,15 @@ output name string = connection.name @description('The location the resource was deployed into.') output location string = connection.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json index 46f8e7e722..b74ef8effb 100644 --- a/modules/web/connection/main.json +++ b/modules/web/connection/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1868688579888274089" + "templateHash": "9051119645490158211" }, "name": "API Connections", "description": "This module deploys an Azure API Connection.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "api": { "type": "object", @@ -81,15 +109,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "tags": { @@ -107,8 +129,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -122,7 +144,7 @@ } } }, - { + "connection": { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[parameters('name')]", 
@@ -138,21 +160,21 @@ "statuses": "[if(not(empty(parameters('statuses'))), parameters('statuses'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "connection_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/connections', parameters('name'))]" + "connection" ] }, - { + "connection_roleAssignments": { "copy": { "name": "connection_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -303,10 +325,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/connections', parameters('name'))]" + "connection" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -334,7 +356,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/connections', parameters('name')), '2016-06-01', 'full').location]" + "value": "[reference('connection', '2016-06-01', 'full').location]" } } } \ No newline at end of file 
diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/.test/asev2/main.test.bicep index e15556f50e..144e9687c2 100644 --- a/modules/web/hosting-environment/.test/asev2/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev2/main.test.bicep @@ -66,7 +66,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' location: resourceGroup.location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/.test/asev3/main.test.bicep index beaf49c542..230dc541a7 100644 --- a/modules/web/hosting-environment/.test/asev3/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev3/main.test.bicep @@ -68,7 +68,10 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' location: resourceGroup.location - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 277ad756dd..c599b24620 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -59,7 +59,10 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { ipsslAddressCount: 2 kind: 'ASEv2' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } multiSize: 'Standard_D1_V2' roleAssignments: [ { 
@@ -136,7 +139,10 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "multiSize": { "value": "Standard_D1_V2" @@ -207,7 +213,10 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { inboundIpAddressOverride: '10.0.0.10' internalLoadBalancingMode: 'Web Publishing' location: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } remoteDebugEnabled: true roleAssignments: [ { @@ -300,7 +309,10 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "remoteDebugEnabled": { "value": true 
@@ -381,7 +393,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = {
 | [`ipsslAddressCount`](#parameter-ipssladdresscount) | int | Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. |
 | [`kind`](#parameter-kind) | string | Kind of resource. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. |
 | [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -544,11 +556,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `multiSize` diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index dbaade31fd..12313f7d2b 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep @@ -9,13 +9,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -227,11 +222,11 @@ module appServiceEnvironment_configurations_customDnsSuffix 'configuration--cust } } -resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${appServiceEnvironment.name}-${lock}-lock' +resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: appServiceEnvironment } @@ -272,3 +267,15 @@ output name string = appServiceEnvironment.name @description('The location the resource was deployed into.') output location string = appServiceEnvironment.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index 5c6d2298d8..8536c48b22 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json 
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3036162001475975434" + "templateHash": "9619387957951306854" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -27,15 +55,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -305,8 +327,8 @@ "enableReferencedModulesTelemetry": false, "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -320,7 +342,7 @@ } } }, - { + "appServiceEnvironment": { "type": "Microsoft.Web/hostingEnvironments", "apiVersion": "2022-03-01", "name": "[parameters('name')]", 
@@ -345,21 +367,21 @@ "zoneRedundant": "[parameters('zoneRedundant')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "appServiceEnvironment_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" + "appServiceEnvironment" ] }, - { + "appServiceEnvironment_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -373,10 +395,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" + "appServiceEnvironment" ] }, - { + "appServiceEnvironment_configurations_networking": { "condition": "[equals(parameters('kind'), 'ASEv3')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -515,10 +537,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" + "appServiceEnvironment" ] }, - { + "appServiceEnvironment_configurations_customDnsSuffix": { "condition": "[and(equals(parameters('kind'), 'ASEv3'), not(empty(parameters('customDnsSuffix'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -643,10 +665,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" + "appServiceEnvironment" ] }, - { + "appServiceEnvironment_roleAssignments": { "copy": { "name": "appServiceEnvironment_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -797,10 +819,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" + "appServiceEnvironment" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -828,7 +850,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/hostingEnvironments', parameters('name')), '2022-03-01', 'full').location]" + "value": "[reference('appServiceEnvironment', '2022-03-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/.test/common/main.test.bicep index 3e75d2847a..e01036dec7 100644 --- a/modules/web/serverfarm/.test/common/main.test.bicep +++ b/modules/web/serverfarm/.test/common/main.test.bicep @@ -77,7 +77,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index ff4421dcd7..6210f6bb52 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -57,7 +57,10 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } roleAssignments: [ { principalIds: [ @@ -118,7 +121,10 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "roleAssignments": { "value": [ 
@@ -168,7 +174,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | | [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -245,11 +251,30 @@ Location for all resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `maximumElasticWorkerCount` diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index e94ffce02d..9a69b5e62c 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -46,13 +46,8 @@ param targetWorkerCount int = 0 ]) param targetWorkerSize int = 0 -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -146,11 +141,11 @@ resource appServicePlan_diagnosticSettings 'Microsoft.Insights/diagnosticsetting scope: appServicePlan } -resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${appServicePlan.name}-${lock}-lock' +resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: appServicePlan } @@ -182,3 +177,15 @@ output resourceId string = appServicePlan.id @description('The location the resource was deployed into.') output location string = appServicePlan.location + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index b89ace3754..7f5bd9f651 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json 
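Review bot: The new guard on `appServicePlan_lock` still deploys a lock when the object carries a `name` but no `kind`: `!empty(lock ?? {}) && lock.?kind != 'None'` is true for `{ name: 'x' }`, and `level` then falls back to `''`, which is not one of the values `lockType` permits, so the deployment would presumably fail at the lock resource instead of quietly skipping it. Keying the condition on `kind` closes that gap, e.g. `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, and the `kind` description in the new `lockType` should say that omitting it (or passing `None`) means no lock is created. Note also that the default lock name moves from `${appServicePlan.name}-${lock}-lock` to `lock-${name}`; redeploying over an existing plan in incremental mode will create the new lock next to the old one rather than replace it, which is worth calling out in the module's changelog or README.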
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1970232317602434102" + "templateHash": "7158644970816385337" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -92,15 +120,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "roleAssignments": { @@ -192,8 +214,8 @@ } ] }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -207,7 +229,7 @@ } } }, - { + "appServicePlan": { "type": "Microsoft.Web/serverfarms", "apiVersion": "2021-02-01", "name": "[parameters('name')]", 
@@ -226,7 +248,7 @@ "zoneRedundant": "[parameters('zoneRedundant')]" } }, - { + "appServicePlan_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -241,24 +263,24 @@ "logs": [] }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" + "appServicePlan" ] }, - { - "condition": "[not(empty(parameters('lock')))]", + "appServicePlan_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" + "appServicePlan" ] }, - { + "appServicePlan_roleAssignments": { "copy": { "name": "appServicePlan_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -409,10 +431,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" + "appServicePlan" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -440,7 +462,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/serverfarms', parameters('name')), '2021-02-01', 'full').location]" + "value": "[reference('appServicePlan', '2021-02-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep index dd5a5d4bc4..9bebb6ca35 100644 --- a/modules/web/site/.test/functionAppCommon/main.test.bicep +++ b/modules/web/site/.test/functionAppCommon/main.test.bicep @@ -144,7 +144,10 @@ module testDeployment '../../main.bicep' = { diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { service: 'sites' diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 9b82c6ccb3..4368025501 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -139,7 +139,10 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } ] keyVaultAccessIdentityResourceId: '' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -302,7 +305,10 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "value": "" }, "lock": { - "value": "CanNotDelete" + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } }, "privateEndpoints": { "value": [ 
@@ -824,7 +830,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | | [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | @@ -1051,11 +1057,30 @@ Location for all Resources. ### Parameter: `lock` -Specify the type of lock. +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + - Required: No - Type: string -- Default: `''` -- Allowed: `['', CanNotDelete, ReadOnly]` ### Parameter: `name` diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 68150dd4bd..01ac6d6720 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep 
@@ -75,13 +75,8 @@ param appSettingsKeyValuePairs object = {} @description('Optional. The auth settings V2 configuration.') param authSettingV2Configuration object = {} -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' +@description('Optional. The lock settings of the service.') +param lock lockType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] @@ -373,11 +368,11 @@ module app_hybridConnectionRelays 'hybrid-connection-namespace/relay/main.bicep' } }] -resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${app.name}-${lock}-lock' +resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: app } 
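Review bot: In `app_lock` the condition `!empty(lock ?? {}) && lock.?kind != 'None'` accepts an object that only sets `name`, in which case `level: lock.?kind ?? ''` sends an empty level that `lockType` itself does not allow, so such a call would presumably be rejected at deployment time rather than being a no-op as the old `''` default was. The check should be driven by the field that actually decides whether a lock exists: `resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`. Since the lock is the control that protects the app from deletion or modification, the `lock` parameter description should also state explicitly that no lock is created unless `kind` is set to `CanNotDelete` or `ReadOnly`, and that the default name is now `lock-<app name>` rather than `<app name>-<kind>-lock`.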
@@ -419,7 +414,7 @@ module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for ( subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null + lock: privateEndpoint.?lock ?? lock privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] @@ -458,3 +453,15 @@ output location string = app.location @description('Default hostname of the app.') output defaultHostname string = app.properties.defaultHostName + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/web/site/main.json b/modules/web/site/main.json index b4f7e806bc..5e16338289 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json 
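Review bot: `lock: privateEndpoint.?lock ?? lock` silently changes what consumers get: an endpoint entry without its own `lock` previously received `null`, and now inherits the site's lock object, so a `CanNotDelete` or `ReadOnly` lock set only on the app will start being applied to every private endpoint on the next deployment. Extending the lock to the endpoint that fronts the app is a sensible hardening default, but it is a behaviour change and should be visible to callers: the `privateEndpoints` parameter description (declared outside this hunk) should gain a sentence such as "If an endpoint does not specify `lock`, the site's `lock` settings are applied to it." The `app_privateEndpoints` module loop begins before this hunk.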
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1810314773455463979" + "templateHash": "6021180257136349048" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -171,15 +199,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "privateEndpoints": { @@ -423,8 +445,8 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -438,7 +460,7 @@ } } }, - { + "app": { "type": "Microsoft.Web/sites", "apiVersion": "2022-09-01", "name": "[parameters('name')]", 
@@ -473,21 +495,21 @@ "scmSiteAlsoStopped": "[parameters('scmSiteAlsoStopped')]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "app_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -502,10 +524,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_appsettings": { "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -656,10 +678,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_authsettingsv2": { "condition": "[not(empty(parameters('authSettingV2Configuration')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -779,10 +801,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_slots": { "copy": { "name": "app_slots", "count": "[length(parameters('slots'))]", @@ -861,17 +883,45 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10608087316287962337" + "templateHash": "9880661409366046894" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1011,15 +1061,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "privateEndpoints": { 
@@ -1267,8 +1311,14 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "app": { + "existing": true, + "type": "Microsoft.Web/sites", + "apiVersion": "2021-03-01", + "name": "[parameters('appName')]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1282,7 +1332,7 @@ } } }, - { + "slot": { "type": "Microsoft.Web/sites/slots", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", @@ -1314,9 +1364,12 @@ "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]" - } + }, + "dependsOn": [ + "app" + ] }, - { + "slot_lock": { "condition": "[not(empty(parameters('lock')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2017-04-01", @@ -1327,10 +1380,10 @@ "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -1345,10 +1398,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_appsettings": { "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1508,10 +1561,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_authsettingsv2": { "condition": "[not(empty(parameters('authSettingV2Configuration')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1640,10 +1694,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_hybridConnectionRelays": { "copy": { "name": "slot_hybridConnectionRelays", "count": "[length(parameters('hybridConnectionRelays'))]" @@ -1782,10 +1837,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_rbac": { "copy": { "name": "slot_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -1909,10 +1965,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_privateEndpoints": { "copy": { "name": "slot_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1942,7 +1998,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -2433,10 +2491,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2464,23 +2523,23 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full'), 'identity'), contains(reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').identity, 'principalId'), false())), reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference('slot', '2022-09-01', 'full'), 'identity'), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId'), false())), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('slot', '2022-09-01', 'full').location]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_basicPublishingCredentialsPolicies": { "copy": { "name": "app_basicPublishingCredentialsPolicies", "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" @@ -2607,10 +2666,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_hybridConnectionRelays": { "copy": { "name": "app_hybridConnectionRelays", "count": "[length(parameters('hybridConnectionRelays'))]" @@ -2740,10 +2799,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_roleAssignments": { "copy": { "name": "app_roleAssignments", "count": "[length(parameters('roleAssignments'))]" 
@@ -2895,10 +2954,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] }, - { + "app_privateEndpoints": { "copy": { "name": "app_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" @@ -2928,7 +2987,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -3422,10 +3483,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('name'))]" + "app" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3458,7 +3519,7 @@ }, "copy": { "count": "[length(parameters('slots'))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Slot-{1}', uniqueString(deployment().name, parameters('location')), parameters('slots')[copyIndex()].name)), '2022-09-01').outputs.resourceId.value]" + "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.resourceId.value]" } }, "resourceGroupName": { @@ -3473,7 +3534,7 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Web/sites', parameters('name')), '2022-09-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Web/sites', parameters('name')), '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" }, "slotSystemAssignedPrincipalIds": { "type": "array", @@ -3482,7 +3543,7 @@ }, "copy": { "count": "[length(parameters('slots'))]", - "input": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-Slot-{1}', uniqueString(deployment().name, parameters('location')), parameters('slots')[copyIndex()].name)), '2022-09-01').outputs.systemAssignedPrincipalId.value]" + "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.systemAssignedPrincipalId.value]" } }, "location": { 
@@ -3490,14 +3551,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/sites', parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('app', '2022-09-01', 'full').location]" }, "defaultHostname": { "type": "string", "metadata": { "description": "Default hostname of the app." }, - "value": "[reference(resourceId('Microsoft.Web/sites', parameters('name')), '2022-09-01').defaultHostName]" + "value": "[reference('app').defaultHostName]" } } } \ No newline at end of file diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index f5250fc317..4f390f4b1a 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -71,7 +71,7 @@ This module deploys a Web or Function App Deployment Slot. | [`hyperV`](#parameter-hyperv) | bool | Hyper-V sandbox. | | [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | | [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | string | Specify the type of lock. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | 
@@ -296,11 +296,30 @@ Location for all Resources.
 
 ### Parameter: `lock`
 
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 
 ### Parameter: `name`
 
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index c915d9df01..8ae07a51b2 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -66,13 +66,8 @@ param appSettingsKeyValuePairs object = {}
 @description('Optional. The auth settings V2 configuration.')
 param authSettingV2Configuration object = {}
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Configuration details for private endpoints.')
 param privateEndpoints array = []
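Review bot: Switching `param lock` to the nullable `lockType` object leaves the slot's own lock resource behind: the compiled `modules/web/site/slot/main.json` in this same patch still shows `slot_lock` with `"condition": "[not(empty(parameters('lock')))]"` and `notes` built from `equals(parameters('lock'), 'CanNotDelete')`, so the object is compared against a string and, as far as the compiled template shows, passed through as the lock level, which should make any deployment that requests a lock fail and leave the slot without the delete protection the caller asked for. The `resource slot_lock` definition sits outside this hunk. It needs the same rewrite `staticSite_lock` receives in `modules/web/static-site/main.bicep` in this patch, keyed on `lock.?kind` and `lock.?name`; a sketch, with the guard also requiring a `kind`, follows (the lock apiVersion and the `slot` symbolic name are taken from the compiled template).
```bicep
resource slot_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock.?kind != null && lock.?kind != 'None') {
  name: lock.?name ?? 'lock-${name}'
  properties: {
    level: lock.?kind ?? ''
    notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
  }
  scope: slot
}
```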
@@ -347,7 +342,7 @@ module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [f
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
@@ -371,3 +366,15 @@ output systemAssignedPrincipalId string = systemAssignedIdentity && (contains(sl
 
 @description('The location the resource was deployed into.')
 output location string = slot.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json
index 2201875b2b..f316337fdd 100644
--- a/modules/web/site/slot/main.json
+++ b/modules/web/site/slot/main.json
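Review bot: `lock: privateEndpoint.?lock ?? lock` changes what a private endpoint receives when its entry carries no `lock`: it now inherits the slot's lock object instead of `null`, so a caller who locks the slot will from now on also lock every private endpoint they did not configure individually. That is a sensible default for a protective control, but nothing in the patch documents it; the parameter description in this file, `@description('Optional. Configuration details for private endpoints.')`, could read `Optional. Configuration details for private endpoints. An endpoint without its own lock inherits the module's lock.` The same inheritance is introduced for `staticSite_privateEndpoints` in `modules/web/static-site/main.bicep` in this patch. The enclosing `module slot_privateEndpoints ... = [for ...]` starts before this hunk.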
@@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10608087316287962337" + "templateHash": "9880661409366046894" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -150,15 +178,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "privateEndpoints": { @@ -406,8 +428,14 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "app": { + "existing": true, + "type": "Microsoft.Web/sites", + "apiVersion": "2021-03-01", + "name": "[parameters('appName')]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -421,7 +449,7 @@ } } }, - { + "slot": { "type": "Microsoft.Web/sites/slots", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", @@ -453,9 +481,12 @@ "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]" - } + }, + "dependsOn": [ + "app" + ] }, - { + "slot_lock": { "condition": "[not(empty(parameters('lock')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2017-04-01", @@ -466,10 +497,10 @@ "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", @@ -484,10 +515,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_appsettings": { "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -647,10 +678,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_authsettingsv2": { "condition": "[not(empty(parameters('authSettingV2Configuration')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -779,10 +811,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_hybridConnectionRelays": { "copy": { "name": "slot_hybridConnectionRelays", "count": "[length(parameters('hybridConnectionRelays'))]" @@ -921,10 +954,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] }, - { + "slot_rbac": { "copy": { "name": "slot_rbac", "count": "[length(parameters('roleAssignments'))]" @@ -1048,10 +1082,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "slot" ] }, - { + "slot_privateEndpoints": { "copy": { "name": "slot_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -1081,7 +1115,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1572,10 +1608,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" + "app", + "slot" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1603,14 +1640,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full'), 'identity'), contains(reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').identity, 'principalId'), false())), reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference('slot', '2022-09-01', 'full'), 'identity'), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId'), false())), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference('slot', '2022-09-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep index 1b11689d2d..7b07cd7f76 100644 --- a/modules/web/static-site/.test/common/main.test.bicep +++ b/modules/web/static-site/.test/common/main.test.bicep @@ -57,7 +57,10 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' allowConfigFileUpdates: true enterpriseGradeCdnStatus: 'Disabled' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } privateEndpoints: [ { service: 'staticSites' diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index ec237dd4ab..269e77d0d1 100644 --- a/modules/web/static-site/README.md 
+++ b/modules/web/static-site/README.md
@@ -64,7 +64,10 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 linkedBackend: {
 resourceId: ''
 }
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
@@ -147,7 +150,10 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 }
 },
 "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
 },
 "privateEndpoints": {
 "value": [
@@ -275,7 +281,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 | [`functionAppSettings`](#parameter-functionappsettings) | object | Function app settings. |
 | [`linkedBackend`](#parameter-linkedbackend) | object | Object with "resourceId" and "location" of the a user defined function app. |
 | [`location`](#parameter-location) | string | Location for all resources. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. |
 | [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. |
 | [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. |
@@ -361,11 +367,30 @@ Location for all resources.
 
 ### Parameter: `lock`
 
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 
 ### Parameter: `name`
 
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep
index 9ac9ab96cb..0097d465d6 100644
--- a/modules/web/static-site/main.bicep
+++ b/modules/web/static-site/main.bicep
@@ -61,13 +61,8 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the \'sku\' to be \'Standard\'.')
 param privateEndpoints array = []
@@ -176,11 +171,11 @@ module staticSite_customDomains 'custom-domain/main.bicep' = [for (customDomain,
 }
 }]
 
-resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${staticSite.name}-${lock}-lock'
+resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: staticSite
 }
@@ -205,7 +200,7 @@ module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' =
 subnetResourceId: privateEndpoint.subnetResourceId
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : null
+ lock: privateEndpoint.?lock ?? lock
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
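Review bot: The new guard on `staticSite_lock` admits a `lock` object that only sets `name` — `{ name: 'x' }` is non-empty and its `kind` is not `'None'` — and `level: lock.?kind ?? ''` then sends an empty lock level, so the deployment should fail rather than either skip the lock or apply one; `kind` is explicitly nullable in `lockType`, so this is a reachable input. Keying the condition on the kind closes the gap: `resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock.?kind != null && lock.?kind != 'None') {`. The compiled condition in `modules/web/static-site/main.json` follows from this line once the module is rebuilt.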
@@ -235,3 +230,15 @@ output location string = staticSite.location @description('The default autogenerated hostname for the static site.') output defaultHostname string = staticSite.properties.defaultHostname + +// =============== // +// Definitions // +// =============== // + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 5e59eef334..342f27617e 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -1,16 +1,44 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3230698398886586988" + "templateHash": "6968838794819347181" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", "owner": "Azure/module-maintainers" }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -126,15 +154,9 @@ } }, "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], + "$ref": "#/definitions/lockType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. The lock settings of the service." } }, "privateEndpoints": { 
@@ -199,8 +221,8 @@ "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -214,7 +236,7 @@ } } }, - { + "staticSite": { "type": "Microsoft.Web/staticSites", "apiVersion": "2021-03-01", "name": "[parameters('name')]", 
@@ -237,21 +259,21 @@ "templateProperties": "[if(not(empty(parameters('templateProperties'))), parameters('templateProperties'), null())]" } }, - { - "condition": "[not(empty(parameters('lock')))]", + "staticSite_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/staticSites/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_linkedBackend": { "condition": "[not(empty(parameters('linkedBackend')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -379,10 +401,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_appSettings": { "condition": "[not(empty(parameters('appSettings')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -505,10 +527,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_functionAppSettings": { "condition": "[not(empty(parameters('functionAppSettings')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -631,10 +653,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_customDomains": { "copy": { "name": "staticSite_customDomains", "count": "[length(parameters('customDomains'))]" @@ -757,10 +779,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_roleAssignments": { "copy": { "name": "staticSite_roleAssignments", "count": "[length(parameters('roleAssignments'))]" @@ -852,10 +874,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] }, - { + "staticSite_privateEndpoints": { "copy": { "name": "staticSite_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" 
@@ -885,7 +907,9 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", - "lock": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'lock'), createObject('value', parameters('privateEndpoints')[copyIndex()].lock), createObject('value', null()))]", + "lock": { + "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -1379,10 +1403,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" + "staticSite" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1410,21 +1434,21 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01', 'full').identity.principalId, '')]" + "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('staticSite', '2021-03-01', 'full').identity, 'principalId')), reference('staticSite', '2021-03-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01', 'full').location]" + "value": "[reference('staticSite', '2021-03-01', 'full').location]" }, "defaultHostname": { "type": "string", "metadata": { "description": "The default autogenerated hostname for the static site." }, - "value": "[reference(resourceId('Microsoft.Web/staticSites', parameters('name')), '2021-03-01').defaultHostname]" + "value": "[reference('staticSite').defaultHostname]" } } } \ No newline at end of file diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 13f8d4af6f..9b4e124fb8 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -538,7 +538,10 @@ Add type comments to given bicep params string, using one required parameter 'na // Required parameters name: 'carml' // Non-required parameters - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } ' #> function Add-BicepParameterTypeComment { 
@@ -613,7 +616,10 @@ Order the given JSON object alphabetically. Would result into: @{ name: 'carml' - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } } #> function Get-OrderedParametersJSON { @@ -903,7 +909,10 @@ Convert the given JSONParameters object with one required parameter to a formatt // Required parameters name: 'carml' // Non-required parameters - lock: 'CanNotDelete' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } ' #> function ConvertTo-FormattedBicep { diff --git a/utilities/tools/Set-Module.ps1 b/utilities/tools/Set-Module.ps1 index 4d322caa90..874cf09ddc 100644 --- a/utilities/tools/Set-Module.ps1 +++ b/utilities/tools/Set-Module.ps1 @@ -119,8 +119,6 @@ function Set-Module { $job = $relevantTemplatePaths | ForEach-Object -ThrottleLimit $ThrottleLimit -AsJob -Parallel { $resourceTypeIdentifier = ((Split-Path $_) -split '[\/|\\]{1}modules[\/|\\]{1}')[1] # avm/res// - . $using:ReadMeScriptFilePath - ############### ## Build ## ############### @@ -134,6 +132,7 @@ function Set-Module { ################ if (-not $using:SkipReadMe) { Write-Output "Generating readme for [$resourceTypeIdentifier]" + . $using:ReadMeScriptFilePath # If the template was just build, we can pass the JSON into the readme script to be more efficient $readmeTemplateFilePath = (-not $using:SkipBuild) ? (Join-Path (Split-Path $_ -Parent) 'main.json') : $_ From d3494268eae64bd2c6945e14c57c3a21151d778e Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sat, 21 Oct 2023 12:51:37 +0000 Subject: [PATCH 039/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 222 ++++++++++----------- 1 file changed, 111 insertions(+), 111 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 5a5281811c..2e0db53d37 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md 
@@ -13,12 +13,12 @@ This section provides an overview of the library's feature set. | # | Module | Status | RBAC | Locks | Tags | Diag | PE | PIP | # children | # lines | | - | - | - | - | - | - | - | - | - | - | - | -| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 226 | -| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 141 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 417 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 232 | -| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 176 | -| 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 135 | +| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 230 | +| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 145 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 421 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 236 | +| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | :white_check_mark: | | :white_check_mark: | | | | | 180 | +| 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | :white_check_mark: | | :white_check_mark: | | | | | 139 | | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | | 8 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | | 9 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | @@ -26,130 +26,130 @@ This section provides an overview of the library's feature set. | 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 366 | -| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 228 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 241 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 198 | -| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:4] | 188 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 283 | -| 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | -| 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 185 | -| 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 129 | -| 23 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 126 | +| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 369 | +| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 231 | +| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 245 | +| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 202 | +| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:6, L2:4] | 192 | +| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 286 | +| 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | +| 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | :white_check_mark: | | :white_check_mark: | | | | | 189 | +| 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | :white_check_mark: | | :white_check_mark: | | | | | 133 | +| 23 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 130 | | 24 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | :white_check_mark: | | :white_check_mark: | | | | | 110 | -| 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | -| 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 71 | -| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 639 | -| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 557 | +| 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | +| 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | :white_check_mark: | | :white_check_mark: | | | | | 75 | +| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 643 | +| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 561 | | 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | :white_check_mark: | :white_check_mark: | | | | | 160 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 352 | -| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 624 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 255 | -| 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 125 | -| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 316 | -| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:3] | 340 | -| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:4] | 336 | -| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 148 | -| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 241 | +| 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | +| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 359 | +| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 630 | +| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 259 | +| 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 129 | +| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | :white_check_mark: | | :white_check_mark: | | | | | 80 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 318 | +| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 344 | +| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:4] | 343 | +| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 152 | +| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 245 | | 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | -| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 119 | -| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:6, L2:1] | 265 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 222 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 333 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 175 | -| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 159 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 179 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 332 | -| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 84 | -| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:3, L2:1] | 175 | +| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 123 | +| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:6, L2:1] | 269 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 226 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 337 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 179 | +| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 163 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 183 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 336 | +| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | +| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:3, L2:1] | 179 | | 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | | 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | | 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 165 | -| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 92 | -| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 101 | +| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | :white_check_mark: | | :white_check_mark: | | | | | 96 | +| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 105 | | 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | | 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 125 | -| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:1] | 104 | +| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:1] | 108 | | 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 109 | -| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | :white_check_mark: | | | | | | 124 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 269 | +| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | | | | | | | 128 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 273 | | 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 195 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 276 | -| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 107 | -| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 83 | +| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 199 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 283 | +| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | | :white_check_mark: | | | | | 111 | +| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 87 | | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1, L2:1] | 119 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 348 | +| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1, L2:1] | 123 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 352 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | -| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 66 | -| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 330 | -| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 209 | -| 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | :white_check_mark: | :white_check_mark: | | | | | 143 | -| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 67 | -| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 94 | -| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 103 | -| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:10] | 214 | -| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 197 | -| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | +| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 70 | +| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 334 | +| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 213 | +| 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | +| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | :white_check_mark: | | :white_check_mark: | | | | | 71 | +| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 98 | +| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | :white_check_mark: | | :white_check_mark: | | | | | 107 | +| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:10] | 218 | +| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 201 | +| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | :white_check_mark: | | :white_check_mark: | | | | | 92 | | 84 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | -| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 149 | -| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 124 | -| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 71 | -| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 234 | -| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | -| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 156 | -| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 160 | -| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 136 | -| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 157 | -| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 100 | -| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:9] | 192 | +| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 153 | +| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | :white_check_mark: | | :white_check_mark: | | | | | 128 | +| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 75 | +| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 238 | +| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | | :white_check_mark: | | | | | 95 | +| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 160 | +| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 164 | +| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 140 | +| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 161 | +| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 104 | +| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:9] | 196 | | 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | -| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 88 | -| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 185 | -| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 80 | -| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | -| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 76 | -| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 163 | -| 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 147 | -| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 247 | -| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:1] | 394 | -| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 83 | -| 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | :white_check_mark: | :white_check_mark: | | | | [L1:2] | 110 | -| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 91 | -| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:7] | 309 | +| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | | :white_check_mark: | | | | | 92 | +| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 189 | +| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | | :white_check_mark: | | | | | 84 | +| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | +| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | | :white_check_mark: | | | | | 80 | +| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 167 | +| 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | +| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 251 | +| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 398 | +| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | +| 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | +| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | :white_check_mark: | | :white_check_mark: | | | | | 95 | +| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:7] | 313 | | 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 99 | -| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 283 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 288 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 259 | -| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 73 | -| 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | :white_check_mark: | :white_check_mark: | | | | | 124 | -| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 69 | +| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | | :white_check_mark: | | | | | 102 | +| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 287 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 292 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 263 | +| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | +| 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | +| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 73 | | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 232 | -| 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 220 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 369 | -| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | [L1:1] | 284 | -| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 190 | -| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 160 | -| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 336 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 305 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 426 | -| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | | 94 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 287 | -| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 188 | -| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | 90 | -| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | [L1:2] | 227 | -| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | 154 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 386 | -| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | [L1:3] | 197 | -| Sum | | | 110 | 109 | 118 | 57 | 30 | 2 | 234 | 24533 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 236 | +| 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 372 | +| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 288 | +| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 194 | +| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 164 | +| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 340 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 309 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 430 | +| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 98 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 290 | +| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | | :white_check_mark: | | | | | 192 | +| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | | :white_check_mark: | | | | | 94 | +| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 231 | +| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 158 | +| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 390 | +| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 201 | +| Sum | | | 110 | 0 | 118 | 57 | 30 | 2 | 234 | 24972 | ## Legend From bbb68916ff4aa7cc3d592cc44831eeaba1613ea8 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sun, 22 Oct 2023 08:02:03 +0200 Subject: [PATCH 040/178] [Modules] Migrated batch [1/4] to AVM RBAC (#4125) * Updated first badge of templates (readmes pending) * Update to latest * Compiled templates * Compiled templates * Compiled first few readmes * Updated test files * Updated readmes * Reduced roles * Updated templates * Rollback different branches' changes * Updated nic & pip * Fixed test file * Refreshed vm --- .../.bicep/nested_roleAssignments.bicep | 71 -- modules/aad/domain-service/README.md | 63 +- modules/aad/domain-service/main.bicep | 54 +- modules/aad/domain-service/main.json | 233 ++--- .../.bicep/nested_roleAssignments.bicep | 68 -- .../server/.test/common/main.test.bicep | 185 ++-- .../server/.test/max/main.test.bicep | 205 +++-- modules/analysis-services/server/README.md | 79 +- modules/analysis-services/server/main.bicep | 54 +- modules/analysis-services/server/main.json | 230 ++--- .../.bicep/nested_roleAssignments.bicep | 72 -- .../service/.test/common/main.test.bicep | 199 +++-- .../service/.test/max/main.test.bicep | 411 +++++---- modules/api-management/service/README.md | 79 +- modules/api-management/service/main.bicep | 58 +- modules/api-management/service/main.json | 258 +++--- .../.bicep/nested_roleAssignments.bicep | 72 -- .../.test/common/main.test.bicep | 229 +++-- .../.test/encr/main.test.bicep | 193 ++--- .../configuration-store/README.md | 95 +- .../configuration-store/main.bicep | 58 +- .../configuration-store/main.json | 256 +++--- .../.bicep/nested_roleAssignments.bicep | 69 -- modules/app/container-app/README.md | 63 +- modules/app/container-app/main.bicep | 55 +- modules/app/container-app/main.json | 232 ++--- .../.bicep/nested_roleAssignments.bicep | 69 -- modules/app/managed-environment/README.md | 63 +- modules/app/managed-environment/main.bicep | 54 +- modules/app/managed-environment/main.json | 251 +++--- .../management-group/main.bicep | 401 +-------- 
.../role-assignment/resource-group/main.bicep | 402 +-------- .../role-assignment/subscription/main.bicep | 402 +-------- .../.bicep/nested_roleAssignments.bicep | 72 -- .../.test/common/main.test.bicep | 501 ++++++----- .../automation/automation-account/README.md | 71 +- .../automation/automation-account/main.bicep | 58 +- .../automation/automation-account/main.json | 258 +++--- .../.bicep/nested_roleAssignments.bicep | 69 -- .../.test/common/main.test.bicep | 261 +++--- modules/cache/redis-enterprise/README.md | 71 +- modules/cache/redis-enterprise/main.bicep | 83 +- modules/cache/redis-enterprise/main.json | 264 +++--- .../redis/.bicep/nested_roleAssignments.bicep | 69 -- modules/cache/redis/README.md | 63 +- modules/cache/redis/main.bicep | 83 +- modules/cache/redis/main.json | 262 +++--- .../.bicep/nested_roleAssignments.bicep | 76 -- modules/cdn/profile/.test/afd/main.test.bicep | 265 +++--- .../cdn/profile/.test/common/main.test.bicep | 205 +++-- modules/cdn/profile/README.md | 79 +- modules/cdn/profile/main.bicep | 58 +- modules/cdn/profile/main.json | 242 ++---- .../.bicep/nested_roleAssignments.bicep | 92 -- .../account/.test/common/main.test.bicep | 255 +++--- modules/cognitive-services/account/README.md | 71 +- modules/cognitive-services/account/main.bicep | 78 +- modules/cognitive-services/account/main.json | 298 +++---- .../.bicep/nested_roleAssignments.bicep | 90 -- .../.test/common/main.test.bicep | 151 ++-- modules/compute/availability-set/README.md | 71 +- modules/compute/availability-set/main.bicep | 55 +- modules/compute/availability-set/main.json | 252 ++---- .../.bicep/nested_roleAssignments.bicep | 90 -- .../.test/accessPolicies/main.test.bicep | 155 ++-- .../.test/common/main.test.bicep | 169 ++-- modules/compute/disk-encryption-set/README.md | 79 +- .../compute/disk-encryption-set/main.bicep | 62 +- modules/compute/disk-encryption-set/main.json | 275 +++--- .../nested_keyVaultPermissions.bicep | 0 .../nested_managedIdentityReference.bicep | 
0 .../disk/.bicep/nested_roleAssignments.bicep | 90 -- .../compute/disk/.test/common/main.test.bicep | 159 ++-- .../compute/disk/.test/image/main.test.bicep | 137 ++- .../compute/disk/.test/import/main.test.bicep | 147 ++-- modules/compute/disk/README.md | 87 +- modules/compute/disk/main.bicep | 59 +- modules/compute/disk/main.json | 257 ++---- .../.bicep/nested_roleAssignments.bicep | 90 -- .../gallery/.test/common/main.test.bicep | 391 ++++----- modules/compute/gallery/README.md | 111 ++- .../.bicep/nested_roleAssignments.bicep | 90 -- modules/compute/gallery/application/README.md | 63 +- .../compute/gallery/application/main.bicep | 58 +- modules/compute/gallery/application/main.json | 283 +++--- .../image/.bicep/nested_roleAssignments.bicep | 90 -- modules/compute/gallery/image/README.md | 63 +- modules/compute/gallery/image/main.bicep | 58 +- modules/compute/gallery/image/main.json | 283 +++--- modules/compute/gallery/main.bicep | 55 +- modules/compute/gallery/main.json | 819 +++++++----------- .../image/.bicep/nested_roleAssignments.bicep | 90 -- .../image/.test/common/main.test.bicep | 175 ++-- modules/compute/image/README.md | 71 +- modules/compute/image/main.bicep | 57 +- modules/compute/image/main.json | 269 +++--- .../.bicep/nested_roleAssignments.bicep | 90 -- .../.test/common/main.test.bicep | 179 ++-- .../proximity-placement-group/README.md | 71 +- .../proximity-placement-group/main.bicep | 54 +- .../proximity-placement-group/main.json | 252 ++---- .../.bicep/nested_roleAssignments.bicep | 90 -- modules/compute/ssh-public-key/README.md | 63 +- modules/compute/ssh-public-key/main.bicep | 54 +- modules/compute/ssh-public-key/main.json | 252 ++---- .../.bicep/nested_roleAssignments.bicep | 90 -- .../.test/linux/main.test.bicep | 395 +++++---- .../.test/windows/main.test.bicep | 387 +++++---- .../virtual-machine-scale-set/README.md | 79 +- .../virtual-machine-scale-set/main.bicep | 67 +- .../virtual-machine-scale-set/main.json | 285 +++--- 
.../.bicep/nested_roleAssignments.bicep | 90 -- .../.test/linux/main.test.bicep | 15 +- .../.test/windows/main.test.bicep | 599 +++++++------ modules/compute/virtual-machine/README.md | 111 ++- modules/compute/virtual-machine/main.bicep | 69 +- modules/compute/virtual-machine/main.json | 807 +++++++---------- .../nested_networkInterface.bicep | 0 .../.bicep/nested_roleAssignments.bicep | 74 -- .../registry/.test/common/main.test.bicep | 299 ++++--- modules/container-registry/registry/README.md | 71 +- .../container-registry/registry/main.bicep | 60 +- modules/container-registry/registry/main.json | 262 +++--- .../.bicep/nested_roleAssignments.bicep | 82 -- .../.test/azure/main.test.bicep | 513 ++++++----- .../.test/kubenet/main.test.bicep | 319 ++++--- .../managed-cluster/README.md | 79 +- .../managed-cluster/main.bicep | 68 +- .../managed-cluster/main.json | 278 +++--- .../.bicep/nested_roleAssignments.bicep | 69 -- .../factory/.test/common/main.test.bicep | 303 ++++--- modules/data-factory/factory/README.md | 71 +- modules/data-factory/factory/main.bicep | 55 +- modules/data-factory/factory/main.json | 252 +++--- .../.bicep/nested_roleAssignments.bicep | 71 -- .../backup-vault/.test/common/main.test.bicep | 275 +++--- .../data-protection/backup-vault/README.md | 71 +- .../data-protection/backup-vault/main.bicep | 57 +- .../data-protection/backup-vault/main.json | 256 +++--- .../.bicep/nested_roleAssignments.bicep | 70 -- .../.test/common/main.test.bicep | 157 ++-- modules/databricks/access-connector/README.md | 71 +- .../databricks/access-connector/main.bicep | 54 +- modules/databricks/access-connector/main.json | 232 ++--- .../.bicep/nested_roleAssignments.bicep | 68 -- .../workspace/.test/common/main.test.bicep | 295 ++++--- modules/databricks/workspace/README.md | 71 +- modules/databricks/workspace/main.bicep | 54 +- modules/databricks/workspace/main.json | 230 ++--- .../.bicep/nested_roleAssignments.bicep | 69 -- .../.test/private/main.test.bicep | 245 +++--- 
.../.test/public/main.test.bicep | 327 ++++--- .../db-for-my-sql/flexible-server/README.md | 79 +- .../db-for-my-sql/flexible-server/main.bicep | 55 +- .../db-for-my-sql/flexible-server/main.json | 252 +++--- .../.bicep/nested_roleAssignments.bicep | 68 -- .../flexible-server/README.md | 63 +- .../flexible-server/main.bicep | 54 +- .../flexible-server/main.json | 250 +++--- .../.bicep/nested_roleAssignments.bicep | 82 -- .../.test/common/main.test.bicep | 231 +++-- .../application-group/README.md | 71 +- .../application-group/main.bicep | 68 +- .../application-group/main.json | 278 +++--- .../.bicep/nested_roleAssignments.bicep | 82 -- .../host-pool/.test/common/main.test.bicep | 263 +++--- .../host-pool/README.md | 71 +- .../host-pool/main.bicep | 68 +- .../host-pool/main.json | 258 +++--- .../.bicep/nested_roleAssignments.bicep | 82 -- .../scaling-plan/.test/common/main.test.bicep | 259 +++--- .../scaling-plan/README.md | 71 +- .../scaling-plan/main.bicep | 71 +- .../scaling-plan/main.json | 279 +++--- .../.bicep/nested_roleAssignments.bicep | 82 -- .../workspace/.test/common/main.test.bicep | 199 +++-- .../workspace/README.md | 71 +- .../workspace/main.bicep | 68 +- .../workspace/main.json | 258 +++--- .../lab/.bicep/nested_roleAssignments.bicep | 70 -- .../lab/.test/common/main.test.bicep | 571 ++++++------ modules/dev-test-lab/lab/README.md | 71 +- modules/dev-test-lab/lab/main.bicep | 56 +- modules/dev-test-lab/lab/main.json | 254 +++--- .../.bicep/nested_roleAssignments.bicep | 71 -- .../.test/common/main.test.bicep | 253 +++--- .../digital-twins-instance/README.md | 71 +- .../digital-twins-instance/main.bicep | 56 +- .../digital-twins-instance/main.json | 255 +++--- .../.bicep/nested_roleAssignments.bicep | 73 -- .../.test/gremlindb/main.test.bicep | 301 ++++--- .../.test/mongodb/main.test.bicep | 567 ++++++------ .../.test/plain/main.test.bicep | 203 +++-- .../.test/sqldb/main.test.bicep | 389 +++++---- .../document-db/database-account/README.md | 95 +- 
.../document-db/database-account/main.bicep | 59 +- .../document-db/database-account/main.json | 240 ++--- .../.bicep/nested_roleAssignments.bicep | 97 --- .../.test/common/main.test.bicep | 237 +++-- modules/network/network-interface/README.md | 71 +- modules/network/network-interface/main.bicep | 55 +- modules/network/network-interface/main.json | 260 ++---- .../.bicep/nested_roleAssignments.bicep | 97 --- .../.test/common/main.test.bicep | 197 +++-- modules/network/public-ip-address/README.md | 71 +- modules/network/public-ip-address/main.bicep | 55 +- modules/network/public-ip-address/main.json | 260 ++---- 207 files changed, 14871 insertions(+), 18232 deletions(-) delete mode 100644 modules/aad/domain-service/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/analysis-services/server/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/api-management/service/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/app/container-app/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/app/managed-environment/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/automation/automation-account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/cache/redis-enterprise/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/cache/redis/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/cdn/profile/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/cognitive-services/account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/availability-set/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/disk-encryption-set/.bicep/nested_roleAssignments.bicep rename modules/compute/disk-encryption-set/{.bicep => modules}/nested_keyVaultPermissions.bicep (100%) rename modules/compute/disk-encryption-set/{.bicep => 
modules}/nested_managedIdentityReference.bicep (100%) delete mode 100644 modules/compute/disk/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/gallery/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/gallery/application/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/gallery/image/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/image/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/proximity-placement-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/ssh-public-key/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/virtual-machine-scale-set/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/compute/virtual-machine/.bicep/nested_roleAssignments.bicep rename modules/compute/virtual-machine/{.bicep => modules}/nested_networkInterface.bicep (100%) delete mode 100644 modules/container-registry/registry/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/container-service/managed-cluster/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/data-factory/factory/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/data-protection/backup-vault/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/databricks/workspace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/db-for-my-sql/flexible-server/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/db-for-postgre-sql/flexible-server/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/desktop-virtualization/application-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/desktop-virtualization/host-pool/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/desktop-virtualization/scaling-plan/.bicep/nested_roleAssignments.bicep delete mode 100644 
modules/desktop-virtualization/workspace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/dev-test-lab/lab/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/digital-twins/digital-twins-instance/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/document-db/database-account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/network-interface/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/public-ip-address/.bicep/nested_roleAssignments.bicep diff --git a/modules/aad/domain-service/.bicep/nested_roleAssignments.bicep b/modules/aad/domain-service/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 823ea8001a..0000000000 --- a/modules/aad/domain-service/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'HDInsight Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d8d5a11-05d3-4bda-a417-a08778121c7c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource AzureADDS 'Microsoft.AAD/DomainServices@2021-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(AzureADDS.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: AzureADDS -}] diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 88cbe897e8..b2e097b4b8 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md 
@@ -395,7 +395,68 @@ Additional replica set for the managed domain. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index 9b7955f9f2..e7226cc521 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep 
@@ -137,7 +137,7 @@ param enableDefaultTelemetry bool = true param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') @allowed([ @@ -169,6 +169,14 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ } ] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
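Review bot: The new `builtInRoleNames` map in the `@@ -169` hunk resolves only five display names, whereas the deleted `.bicep/nested_roleAssignments.bicep` also resolved names such as `'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')` and `'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')`. A caller who still passes one of those names now falls through the `contains(builtInRoleNames, ...)` check and the literal display name is sent as `roleDefinitionId`, which the `roleAssignmentType` cannot catch at compile time and presumably only surfaces as a deployment failure. Either carry the dropped entries over into the new map, or state in the `roleAssignments` parameter description which display names are resolvable so that everything else must be a full role definition ID.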
@@ -234,17 +242,18 @@ resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em scope: domainService } -module domainService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: domainService.id +resource domainService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(domainService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: domainService }] @description('The domain name of the Azure Active Directory Domain Services(Azure ADDS).') 
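Review bot: In the new `domainService_roleAssignments` resource the `name` is still seeded with the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same effective assignment given once as a display name and once as a role definition ID yields two different deterministic names for one principal/role pair, and the second would presumably be rejected by the service as a duplicate rather than deduplicated; a sentence in the `roleAssignments` description noting that the guid seed is the identity of the assignment would spare callers that debugging. Re-seeding the guid with the resolved ID would rename every already-deployed assignment, so I would not change the seed without a migration note. The trailing comment on the `conditionVersion` line also has a typo and should read `// Must only be set if condition is set`.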
@@ -270,3 +279,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index db6b6c7286..dbaa1c8a8f 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15488600110889393374" + "templateHash": "12649043045609686921" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", 
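Review bot: In `roleAssignmentType` the `principalType` member is declared both with `| null` inside the union and with the trailing `?`, while every other optional member relies on the `?` alone; as far as the compiled main.json in this commit shows, the union `null` adds nothing beyond `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the same contract and matches the rest of the type. The `condition` description is also the only one in the type without a closing period, and that text is what the generated README table reproduces. The main.json `templateHash` hunk sharing this line is generated output and needs no separate review.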
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -277,8 +343,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -317,7 +382,14 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -401,149 +473,20 @@ "domainService_roleAssignments": { "copy": { "name": "domainService_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VNet-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.AAD/domainServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4984019978971427023" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "HDInsight Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AAD/domainServices/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.AAD/domainServices', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "domainService" diff --git a/modules/analysis-services/server/.bicep/nested_roleAssignments.bicep b/modules/analysis-services/server/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9bfc9a1f18..0000000000 --- a/modules/analysis-services/server/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource server 'Microsoft.AnalysisServices/servers@2017-08-01' existing = { - name: last(split(resourceId, 
'/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(server.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: server -}] diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 1857916d7b..6addd17c94 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep 
@@ -1,93 +1,92 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'asscom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - 
-// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuName: 'S0' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'asscom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'S0' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: 
diagnosticDependencies.outputs.eventHubNamespaceEventHubName + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep index 4c9bff9711..dedb04408c 100644 --- a/modules/analysis-services/server/.test/max/main.test.bicep +++ b/modules/analysis-services/server/.test/max/main.test.bicep 
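Review bot: The whole test file is shown as deleted and re-added although the only semantic change is the `roleAssignments` entry, where `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becomes `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`. A full-file rewrite with otherwise identical lines usually points to a line-ending or encoding normalization; that is worth confirming and, if so, committing separately so the functional one-line change stays reviewable. The `.test/max/main.test.bicep` hunk that follows has the same shape.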
@@ -1,103 +1,102 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'assmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: 
az.resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuName: 'S0' - skuCapacity: 1 - firewallSettings: { - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeStart: '0.0.0.0' - rangeEnd: '255.255.255.255' - } - ] - enablePowerBIService: true - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticLogCategoriesToEnable: [ - 'Engine' - 'Service' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'assmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: az.resourceGroup(resourceGroupName) + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'S0' + skuCapacity: 1 + firewallSettings: { + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeStart: '0.0.0.0' + rangeEnd: '255.255.255.255' + } + ] + enablePowerBIService: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticLogCategoriesToEnable: [ + 'Engine' + 'Service' + ] + diagnosticMetricsToEnable: [ + 'AllMetrics' + ] + } +} + diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 1464915f28..ebbbdb8263 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -58,9 +58,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -116,9 +114,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -182,9 +178,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -259,9 +253,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
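Review bot: The `firewallSettings` block in the max test still declares a rule named `AllowFromAll` spanning `0.0.0.0` to `255.255.255.255` next to `enablePowerBIService: true`; it is carried over rather than introduced here, but the new side is what readers will copy, and the README usage examples appear to be generated from these test files. A short comment above `firewallRules`, such as `// Validation-only: open range exercises the firewall parameter; narrow it for any real deployment`, would keep the example from reading as a recommended setting. The rest of the `testDeployment` module body is unchanged apart from the `principalIds` to `principalId` switch.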
@@ -467,7 +459,68 @@ The name of the Azure Analysis Services server to create. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuCapacity` diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep index 18cc0d10f9..df315bfdb7 100644 --- a/modules/analysis-services/server/main.bicep +++ b/modules/analysis-services/server/main.bicep 
@@ -42,7 +42,7 @@ param diagnosticEventHubName string = ''
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -90,6 +90,14 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 enabled: true
 }]
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
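Review bot: The new `builtInRoleNames` map in the `@@ -90,6 +90,14 @@` hunk resolves only five display names, while the nested template it replaces (deleted earlier in this patch) also resolved 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. A caller that still passes one of those names will now have the literal string forwarded as `roleDefinitionId`, which fails at deployment time rather than at validation. Either restore the dropped entries or say which names are resolved in the `roleAssignments` description, e.g. append `Built-in names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; use the full role definition ID for any other role.` to the `@description` on the `param roleAssignments roleAssignmentType` line.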
@@ -137,17 +145,18 @@ resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-0
 scope: server
 }
 
-module server_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-AnServicesServer-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: server.id
+resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: server
 }]
 
 @description('The name of the analysis service.')
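Review bot: The trailing comment on the `conditionVersion` line misspells the property it refers to; it should read `// Must only be set if condition is set`. Separately, the `name:` line hashes the raw `roleAssignment.roleDefinitionIdOrName`, so the same role given once by display name and once by full definition ID produces two different assignment names for one (scope, principal, role) tuple, and the second create is likely to be rejected as an already existing assignment; a one-line note in the `roleAssignmentType` description asking callers to reference a role consistently in one form would avoid that surprise. The `for` body is complete within the hunk.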
@@ -173,3 +182,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
index 7a88c2863b..f1e639e5db 100644
--- a/modules/analysis-services/server/main.json
+++ b/modules/analysis-services/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8360081126452950096"
+ "templateHash": "3188902804288997738"
 },
 "name": "Analysis Services Servers",
 "description": "This module deploys an Analysis Services Server.",
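Review bot: In the new `roleAssignmentType`, the `principalType` member both lists `null` inside the union and carries the `?` optional marker, which says the same thing twice and differs from how every other optional member in the type is written. Using the optional marker alone, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`, keeps the members consistent; the generated `allowedValues` list in main.json already omits null, so this should not change the compiled output.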
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -118,8 +184,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -193,7 +258,14 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -259,146 +331,20 @@ "server_roleAssignments": { "copy": { "name": "server_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AnServicesServer-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.AnalysisServices/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.AnalysisServices/servers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7231657665941581698" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AnalysisServices/servers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.AnalysisServices/servers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "server" diff --git a/modules/api-management/service/.bicep/nested_roleAssignments.bicep b/modules/api-management/service/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2a2a446e46..0000000000 --- a/modules/api-management/service/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Developer Portal Content Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729') - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource service 'Microsoft.ApiManagement/service@2020-12-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(service.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: service -}] diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep index fd416833ae..217f502f87 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/.test/common/main.test.bicep 
@@ -1,100 +1,99 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apiscom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: '${namePrefix}-az-amorg-x-001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - policies: [ - { - format: 'xml' - value: ' ' - } - ] - 
portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apiscom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: '${namePrefix}-az-amorg-x-001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep index df6c7f2bc8..b5d444c517 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/.test/max/main.test.bicep 
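Review bot: Almost every line of this test file is shown as removed and re-added although the only content change is the `roleAssignments` entry (`principalIds: [ … ]` replaced by `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`), and a trailing empty line is appended after the closing `}`; this looks like a line-ending or encoding normalisation committed together with the functional change, which hides the real diff and makes history hard to read. The max test hunk that ends on the line starting `true + userAssignedIdentities` has the same shape. If a newline normalisation is intended, it would be clearer as a separate commit (or enforced via `.gitattributes`) so that this change reduces to the three edited lines, and the extra blank line at end of file should be dropped.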
@@ -1,206 +1,205 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apismax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -@description('Optional. The secret to leverage for authorization server authentication.') -@secure() -param customSecret string = newGuid() - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} 
- -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: '${namePrefix}-az-amorg-x-001' - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' - clientId: 'apimclientid' - clientSecret: customSecret - clientRegistrationEndpoint: 'http://localhost' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - namedValues: [ - { - 
displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - scope: '/apis' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apismax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +@description('Optional. 
The secret to leverage for authorization server authentication.') +@secure() +param customSecret string = newGuid() + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: '${namePrefix}-az-amorg-x-001' + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: 
'${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' + clientId: 'apimclientid' + clientSecret: customSecret + clientRegistrationEndpoint: 'http://localhost' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + scope: '/apis' + } + ] + systemAssignedIdentity: 
true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index b026c84175..af278b9e89 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -95,9 +95,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -174,9 +172,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -323,9 +319,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -514,9 +508,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -918,7 +910,68 @@ Undelete API Management Service if it was previously soft-deleted. If this flag Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index 80b8735a04..c368241c46 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep 
@@ -64,7 +64,7 @@ param publisherName string
 param restore bool = false
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The pricing tier of this API Management service.')
 @allowed([
@@ -189,6 +189,18 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+var builtInRoleNames = {
+ 'API Management Developer Portal Content Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')
+ 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
+ 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
+ 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
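Review bot: The new `builtInRoleNames` map has 9 entries, but the deleted `.bicep/nested_roleAssignments.bicep` mapped 17 display names — 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are no longer resolvable. A caller that still passes one of those names now fails the `contains(builtInRoleNames, …)` check in the `service_roleAssignments` resource below and the bare display name is sent as `roleDefinitionId`, so the deployment errors instead of granting the role. If trimming the list is deliberate it is a breaking change that should be stated in the `roleAssignments` parameter description; otherwise the dropped entries should be restored from the deleted file.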
@@ -452,17 +464,18 @@ resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
 scope: service
 }
 
-module service_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Apim-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: service.id
+resource service_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: service
 }]
 
 @description('The name of the API management service.')
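Review bot: The loop variable `index` in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer used — the old module name built on `${index}` is gone and the resource name is now `guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` — so the header can be simplified to `[for roleAssignment in (roleAssignments ?? []): {`. The trailing comment on the `conditionVersion` line has a typo; it should read `// Must only be set if condition is set`. It is also worth a short comment on the `roleDefinitionId` line that a value not found in `builtInRoleNames` is passed through verbatim and is therefore expected to be a fully qualified role definition ID, since a mistyped display name will only surface as a deployment error.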
@@ -491,3 +504,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json
index 664026fbd7..43efbef293 100644
--- a/modules/api-management/service/main.json
+++ b/modules/api-management/service/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7131184550588177223"
+ "templateHash": "7614932191394773383"
 },
 "name": "API Management Services",
 "description": "This module deploys an API Management Service.",
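Review bot: In `roleAssignmentType`, the `principalType` member lists `null` inside the union and is also marked nullable with `?`, which is redundant — the compiled definition in main.json further down shows plain `"nullable": true` with `allowedValues` of the five strings only, so the literal `null` adds nothing; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the equivalent and matches how `kind` is declared in the `lockType` above. The description for `principalType` could also say that it is read straight through into the role assignment, since that is all the resource does with it.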
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -178,8 +244,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -391,7 +456,18 @@ "authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]", "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]", + "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", + "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", + "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -468,6 +544,28 @@ "service" ] }, + "service_roleAssignments": { + "copy": { + "name": "service_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ApiManagement/service', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "service" + ] + }, "service_apis": { "copy": { "name": "service_apis", 
@@ -2895,158 +2993,6 @@ "dependsOn": [ "service" ] - }, - "service_roleAssignments": { - "copy": { - "name": "service_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Apim-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1194193235287598548" - } - }, - "parameters": { - 
"principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]", - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ApiManagement/service/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ApiManagement/service', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "service" - ] } }, 
"outputs": { diff --git a/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep b/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 065a1a3976..0000000000 --- a/modules/app-configuration/configuration-store/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e') - 'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b') - 'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appConfiguration -}] diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index 21f5a65bb4..3c93d1fb33 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep 
@@ -1,116 +1,113 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'acccom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: 
location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'acccom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: 
enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + systemAssignedIdentity: false + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep index 01a2825ad0..5ef3540bc5 100644 --- a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep 
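Review bot: Every line of `.test/common/main.test.bicep` appears as removed and re-added although only the two `roleAssignments` entries changed (`principalIds: [ … ]` → `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`), which usually indicates a line-ending or encoding change rather than a content change; the same applies to the `.test/encr/main.test.bicep` hunk that follows. That hides the functional change from review and from `git blame`; normalizing line endings in a separate commit, or through a `.gitattributes` `text=auto` rule, would keep this diff to the four lines that actually changed. The new side also appears to append a trailing blank line after the closing `}` of `testDeployment`, which the old side did not have.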
@@ -1,98 +1,95 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accencr' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - 
createMode: 'Default' - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'accencr' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKKeyName: 
nestedDependencies.outputs.keyName + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } +} + diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 99c954324a..cb2b945d6f 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -65,9 +65,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor name: 'keyName' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -81,9 +79,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -150,9 +146,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "name": "keyName", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -170,9 +164,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -229,9 +221,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor name: 'keyName' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -241,9 +231,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -306,9 +294,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "name": "keyName", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -320,9 +306,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -721,7 +705,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 84d4bf947f..2853afd817 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -78,7 +78,7 @@ param diagnosticEventHubName string = ''
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -138,6 +138,18 @@ var identity = {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 }
 
+var builtInRoleNames = {
+  'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+  'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')
+  'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
+  'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
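Review bot: The `builtInRoleNames` map added here resolves only nine display names, whereas the nested template this commit deletes (its removed `builtInRoleNames` is visible in the main.json hunk further down) also resolved `Log Analytics Contributor`, `Log Analytics Reader`, the three `Managed Application…` roles, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor`. Because an unmatched name is forwarded unchanged as `roleDefinitionId` by the role-assignment resource in the next hunk, a caller still passing one of those names will now fail at deployment with an invalid role definition rather than receive a different grant, which is the safe failure mode, but it is still a breaking change for existing consumers. Either keep those entries or state in the README/changelog that only the listed names are resolved and every other role must be given as its full definition ID. A one-line comment above the map would make the contract explicit: `// Display names resolved by this module; any other role must be passed as a full roleDefinitions resource ID`.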
@@ -221,17 +233,18 @@ resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticset
   scope: configurationStore
 }
 
-module configurationStore_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: configurationStore.id
+resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: configurationStore
 }]
 
 module configurationStore_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
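Review bot: The assignment `name` on the second added line is derived from the caller's raw `roleAssignment.roleDefinitionIdOrName`, not from the resolved `roleDefinitionId` computed one line below, so the same grant written as `'Reader'` and as its full `/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-…` ID gets two different deterministic names; a caller that switches between the two forms ends up with a second assignment while the first survives in incremental mode as an orphaned grant nobody is tracking. Resolving the role once into a variable and keying `guid()` on the resolved value makes the name depend on the effective permission rather than on its spelling. While here, `index` in the loop header is unused now that each entry carries a single `principalId`, and the trailing comment reads `condtion` instead of `condition`.
```bicep
var formattedRoleAssignments = [for roleAssignment in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
})]

resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleAssignment in formattedRoleAssignments: {
  name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType, condition, conditionVersion, delegatedManagedIdentityResourceId …
  }
  scope: configurationStore
}]
```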
@@ -284,3 +297,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json
index b39777fc07..b33ac571a2 100644
--- a/modules/app-configuration/configuration-store/main.json
+++ b/modules/app-configuration/configuration-store/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "14429413611786326402"
+      "templateHash": "6369795198823213489"
     },
     "name": "App Configuration Stores",
     "description": "This module deploys an App Configuration Store.",
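Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property optional with `?`, which is redundant; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and keeps the generated allowed-values list clean. The `conditionVersion` description should say what the resource in the previous hunk actually enforces, that the value is dropped unless `condition` is set and defaults to `'2.0'` when it is, e.g. `@description('Optional. Version of the condition. Only applied when a condition is set; defaults to 2.0.')`. The `principalType` description could also tell callers who assign a managed identity created in the same deployment to set `'ServicePrincipal'` explicitly, since that is what lets ARM create the assignment before the identity has replicated; this is Azure's documented guidance rather than something the module checks.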
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -194,8 +260,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -282,6 +347,17 @@ "identity": { "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" + }, + "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", + "App Configuration Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", + "App Configuration Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -384,6 +460,28 @@ "configurationStore" ] }, + "configurationStore_roleAssignments": { + "copy": { + "name": "configurationStore_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "configurationStore" + ] + }, 
"configurationStore_keyValues": { "copy": { "name": "configurationStore_keyValues", 
@@ -522,158 +620,6 @@ "configurationStore" ] }, - "configurationStore_roleAssignments": { - "copy": { - "name": "configurationStore_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppConfig-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13848128808282670402" - } - }, 
- "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", - "App Configuration Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.AppConfiguration/configurationStores', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "configurationStore" - ] - }, 
"configurationStore_privateEndpoints": { "copy": { "name": "configurationStore_privateEndpoints", diff --git a/modules/app/container-app/.bicep/nested_roleAssignments.bicep b/modules/app/container-app/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index e9d22d0550..0000000000 --- a/modules/app/container-app/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource containerApp 'Microsoft.App/containerApps@2022-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(containerApp.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: containerApp -}] diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index a37030cd5c..dd5a6c3f12 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md 
@@ -478,7 +478,68 @@ User friendly suffix that is appended to the revision name. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scaleMaxReplicas` diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index c1b43f8772..cb4df29cfa 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep @@ -61,7 +61,7 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -121,6 +121,15 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+var builtInRoleNames = {
+  'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
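Review bot: This map is a strict subset of the one in the deleted `.bicep/nested_roleAssignments.bicep` earlier in this diff: the generic `Log Analytics`, `Managed Application`, `Monitoring` and `Resource Policy Contributor` names are no longer resolved. A name that does not match is forwarded verbatim into `roleDefinitionId` by the role-assignment resource in the following hunk, so such callers get a deployment error instead of an unexpected role, but nothing tells them their inputs must now be full role definition IDs. Add that to the `roleAssignments` parameter description or the changelog, or restore the dropped entries if the narrowing was not intended.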
@@ -188,17 +197,18 @@ resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp scope: containerApp } -module containerApp_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-containerApp-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: containerApp.id +resource containerApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: containerApp }] @description('The resource ID of the Container App.') 
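Review bot: The assignment name is computed as `guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, i.e. from the unresolved name-or-ID rather than the `roleDefinitionId` that is actually assigned, so the same principal/role pair referenced once by display name and once by ID produces two differently named resources for what ARM treats as one assignment, and the second is typically rejected as a duplicate. Deriving the name from the resolved ID — for example by resolving the IDs up front into a `var` (Bicep's `map()` lambda can do this) and iterating over the resolved array so that `name` and `roleDefinitionId` share one value — makes the name stable regardless of how the role was referenced; the previous nested module had the same weakness, so this is a carry-over rather than a regression. Separately, the trailing comment on `conditionVersion` misspells "condition": `// Must only be set if condition is set`. The managed-environment resource hunk in this commit has the same two points.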
@@ -224,3 +234,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json
index ab2f16b6bf..904218dfda 100644
--- a/modules/app/container-app/main.json
+++ b/modules/app/container-app/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12099824985619995147"
+ "templateHash": "15975254087801616307"
 },
 "name": "Container Apps",
 "description": "This module deploys a Container App.",
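Review bot: `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`; the `| null` member is redundant with the trailing `?`, and none of the other optional members of `roleAssignmentType` spell it out, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the type consistent. The compiled `allowedValues` in `main.json` already lists only the five strings with `"nullable": true`, so this is a readability change, not a behavioural one. The managed-environment `roleAssignmentType` hunk in this commit has the same declaration.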
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -160,8 +226,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute." } 
@@ -281,7 +346,15 @@ "variables": { "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -362,147 +435,20 @@ "containerApp_roleAssignments": { "copy": { "name": "containerApp_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-containerApp-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.App/containerApps', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6133741258710054291" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.App/containerApps/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.App/containerApps', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "containerApp" diff --git a/modules/app/managed-environment/.bicep/nested_roleAssignments.bicep b/modules/app/managed-environment/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b6d4a0059f..0000000000 --- a/modules/app/managed-environment/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(managedEnvironment.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: managedEnvironment -}] diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index b334bdfcb5..9c41524275 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md 
@@ -352,7 +352,68 @@ An IP address from the IP range defined by "platformReservedCidr" that will be r Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index 503eb178dd..6e635bbab9 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep 
@@ -15,7 +15,7 @@ param location string = resourceGroup().location param tags object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @allowed([ 'Consumption' @@ -73,6 +73,14 @@ param lock lockType @description('Optional. Workload profiles configured for the Managed Environment.') param workloadProfiles array = [] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -124,17 +132,18 @@ resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { } } -module managedEnvironment_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-ManagedEnvironment-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: managedEnvironment.id +resource managedEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(managedEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: managedEnvironment }] resource managedEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { 
@@ -169,3 +178,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json
index d278601942..706f39cd1e 100644
--- a/modules/app/managed-environment/main.json
+++ b/modules/app/managed-environment/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10531866391221761404"
+ "templateHash": "12554616847424518267"
 },
 "name": "App ManagedEnvironments",
 "description": "This module deploys an App Managed Environment (also known as a Container App Environment).",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -67,8 +133,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -188,6 +253,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -250,6 +324,28 @@ "logAnalyticsWorkspace" ] }, + "managedEnvironment_roleAssignments": { + "copy": { + "name": "managedEnvironment_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.App/managedEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "managedEnvironment" + ] + }, "managedEnvironment_lock": { 
"condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", 
@@ -263,155 +359,6 @@ "dependsOn": [ "managedEnvironment" ] - }, - "managedEnvironment_roleAssignments": { - "copy": { - "name": "managedEnvironment_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedEnvironment-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"18101859194273235473" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.App/managedEnvironments/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.App/managedEnvironments', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "managedEnvironment" - ] } }, "outputs": { diff --git a/modules/authorization/role-assignment/management-group/main.bicep b/modules/authorization/role-assignment/management-group/main.bicep index 978c69ab74..382599a094 100644 --- a/modules/authorization/role-assignment/management-group/main.bicep +++ b/modules/authorization/role-assignment/management-group/main.bicep 
@@ -46,403 +46,12 @@ param enableDefaultTelemetry bool = true param location string = deployment().location var builtInRoleNames = {
- 'Access Review Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475'
- AcrDelete: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- AcrImageSigner: '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
- AcrPull: '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
- AcrPush: '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
- AcrQuarantineReader: '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
- AcrQuarantineWriter: '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
- 'AgFood Platform Sensor Partner Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67'
- 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3'
- 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728'
- 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba'
- 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8'
- 'API Management Developer Portal Content Editor': '/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729'
- 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
- 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
- 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
- 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
- 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
- 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b'
- 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
- 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
- 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
- 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
- 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867'
- 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
- 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
- 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
- 'Autonomous Development Platform Data Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795'
- 'Autonomous Development Platform Data Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d'
- 'Autonomous Development Platform Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093'
- 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
- 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
- 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd'
- 'Azure Arc Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96'
- 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2'
- 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4'
- 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1'
- 'Azure Arc ScVmm Administrator role': '/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87'
- 'Azure Arc ScVmm Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda'
- 'Azure Arc ScVmm Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9'
- 'Azure Arc ScVmm VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b'
- 'Azure Arc VMware Administrator role ': '/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f'
- 'Azure Arc VMware Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83'
- 'Azure Arc VMware Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa'
- 'Azure Arc VMware VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb'
- 'Azure Center for SAP solutions administrator': '/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7'
- 'Azure Center for SAP solutions Management role': '/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310'
- 'Azure Center for SAP solutions reader': '/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b'
- 'Azure Center for SAP solutions service role': '/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138'
- 'Azure Center for SAP solutions Service role for management': '/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb'
- 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
- 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
- 'Azure Connected Machine Resource Manager': '/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c'
- 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508'
- 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
- 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
- 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
- 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
- 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
- 'Azure Extension for SQL Server Deployment': '/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d'
- 'Azure Front Door Domain Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8'
- 'Azure Front Door Domain Reader': '/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f'
- 'Azure Front Door Secret Contributor': '/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5'
- 'Azure Front Door Secret Reader': '/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca'
- 'Azure Kubernetes Fleet Manager Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf'
- 'Azure Kubernetes Fleet Manager RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba'
- 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69'
- 'Azure Kubernetes Fleet Manager RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80'
- 'Azure Kubernetes Fleet Manager RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683'
- 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
- 'Azure Kubernetes Service Cluster Monitoring User': '/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6'
- 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
- 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
- 'Azure Kubernetes Service Policy Add-on Deployment': '/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064'
- 'Azure Kubernetes Service RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7'
- 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
- 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db'
- 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb'
- 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb'
- 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
- 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
- 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005'
- 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d'
- 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38'
- 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d'
- 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
- 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
- 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
- 'Azure Spring Apps Connect Role': '/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b'
- 'Azure Spring Apps Remote Debugging Role': '/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054'
- 'Azure Spring Cloud Config Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b'
- 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7'
- 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c'
- 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1'
- 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65'
- 'Azure Stack HCI registration role': '/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06'
- 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
- 'Azure Traffic Controller Configuration Manager': '/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1'
- 'Azure Usage Billing Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6'
- 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd'
- 'AzureML Compute Operator': '/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815'
- 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121'
- 'AzureML Metrics Writer (preview)': '/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae'
- 'AzureML Registry User': '/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615'
- 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
- 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
- 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
- 'Bayer Ag Powered Services CWUM Solution User Role': '/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa'
- 'Bayer Ag Powered Services GDU Solution': '/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042'
- 'Bayer Ag Powered Services Imagery Solution': '/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588'
- 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
- 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
- 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
- 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
- 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
- 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
- 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
- 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
- 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af'
- 'Chamber Admin': '/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a'
- 'Chamber User': '/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32'
- 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
- 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
- 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
- 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
- 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
- 'Code Signing Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958'
- 'Code Signing Identity Verifier': '/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08'
- 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
- 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
- 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
- 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
- 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
- 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
- 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
- 'Cognitive Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7'
- 'Cognitive Services Immersive Reader User': '/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d'
- 'Cognitive Services Language Owner': '/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498'
- 'Cognitive Services Language Reader': '/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e'
- 'Cognitive Services Language Writer': '/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8'
- 'Cognitive Services LUIS Owner': '/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8'
- 'Cognitive Services LUIS Reader': '/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226'
- 'Cognitive Services LUIS Writer': '/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27'
- 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a'
- 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8'
- 'Cognitive Services OpenAI Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442'
- 'Cognitive Services OpenAI User': '/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
- 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
- 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
- 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181'
- 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447'
- 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
- 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352'
- 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102'
- 'Compute Gallery Sharing Admin': '/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b'
- 'ContainerApp Reader': '/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b'
- Contributor: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
- 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
- CosmosBackupOperator: '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
- CosmosRestoreOperator: '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f'
- 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
- 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
- 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
- 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
- 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
- 'Data Labeling - Labeler': '/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab'
- 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
- 'Data Operator for Managed Disks': '/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e'
- 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
- 'Deployment Environments User': '/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c'
- 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8'
- 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55'
- 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387'
- 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc'
- 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822'
- 'Desktop Virtualization Power On Contributor': '/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33'
- 'Desktop Virtualization Power On Off Contributor': '/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e'
- 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868'
- 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408'
- 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
- 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6'
- 'Desktop Virtualization Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c'
- 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b'
- 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d'
- 'DevCenter Dev Box User': '/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05'
- 'DevCenter Project Admin': '/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0'
- 'Device Provisioning Service Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633'
- 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8'
- 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a'
- 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98'
- 'Device Update Content Reader': '/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b'
- 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432'
- 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f'
- 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f'
- 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
- 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8'
- 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a'
- 'Disk Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24'
- 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840'
- 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13'
- 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce'
- 'DNS Resolver Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d'
- 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
- 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
- 'Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2'
- 'Domain Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb'
- 'Elastic SAN Owner': '/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406'
- 'Elastic SAN Reader': '/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca'
- 'Elastic SAN Volume Group Owner': '/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23'
- 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de'
- 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7'
- 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
- 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
- 'Experimentation Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' - 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' - 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0' - 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' - 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' - 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24' - 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' - 'FHIR Data Importer': '/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b' - 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' - 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' - 'FHIR SMART User': '/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0' - 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41' - 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f' - 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769' - 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' - 'Guest Configuration Resource Contributor': '/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31' - 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' - 'HDInsight Domain Services Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' - 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' - 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' - 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' - 'Impact Reader': '/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e' - 'Impact Reporter': '/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a' - 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' - 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' - 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' - 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f' - 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3' - 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47' - 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c' - 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483' - 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985' - 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' - 'Key Vault Crypto Officer': 
'/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603' - 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6' - 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424' - 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2' - 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7' - 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6' - 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' - 'Kubernetes Agentless Operator': '/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6' - 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' - 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717' - 'Kubernetes Namespace User': '/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a' - 'Lab Assistant': '/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1' - 'Lab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270' - 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' - 'Lab Operator': '/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d' - 'Lab Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f' - 'Lab Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc' - 'Load 
Test Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e' - 'Load Test Owner': '/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6' - 'Load Test Reader': '/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081' - 'LocalNGFirewallAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2' - 'LocalRulestacksAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20' - 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' - 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' - 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' - 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' - 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' - 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' - 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' - 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d' - 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' - 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' - 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' - 'Management Group Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' - 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' - 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466' - 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77' - 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c' - 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae' - 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804' - 'Microsoft Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a' - 'Microsoft Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' - 'Microsoft Sentinel Playbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5' - 'Microsoft Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' - 'Microsoft Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' - 'Microsoft.Kubernetes connected cluster role': '/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f' - 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' - 'Monitoring Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136' - 'Monitoring Metrics Publisher': 
'/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' - 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' - 'MySQL Backup And Export Operator': '/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0' - 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' - 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' - 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b' - 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9' - 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' - 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6' - Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - 'PlayFab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726' - 'PlayFab Reader': '/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf' - 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' - 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' - 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889' - 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446' - 'Project Babylon Data Source Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f' - 'Purview role 1 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347' - 'Purview role 2 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803' - 'Purview role 3 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db' - 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125' - Reader: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' - 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' - 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' - 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' - 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' - 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689' + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' - 'Role Based Access Control Administrator (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168' - 'Scheduled Patching Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6' - 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' - 'Schema Registry Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25' - 'Schema Registry Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2' - 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7' - 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f' - 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' - 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' - 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' - 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500' - 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5' - 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce' - 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0' - 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' - 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' - 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b' - 'SignalR AccessKey 
Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' - 'SignalR App Server': '/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7' - 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521' - 'SignalR REST API Reader': '/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035' - 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3' - 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' - 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' - 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' - 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149' - 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' - 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c' - 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' - 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' - 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d' - 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3' - 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' - 'SqlDb Migration Role': 
'/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57' - 'SqlMI Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872' - 'SqlVM Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d' - 'Storage Account Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1' - 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab' - 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12' - 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' - 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b' - 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' - 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' - 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' - 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' - 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' - 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88' - 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed' - 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' - 
'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925' - 'Storage Table Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3' - 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6' - 'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf' - 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e' - 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' - 'Template Spec Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b' - 'Template Spec Reader': '/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e' - 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85' - 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7' - 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' - 'Video Indexer Restricted Viewer': '/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb' - 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4' - 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' - 'Virtual Machine Local User Login': '/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525' - 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52' - 'VM Scanner Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd' - 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b' - 'Web PubSub Service Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4' - 'Web PubSub Service Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf' - 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772' - 'Windows Admin Center Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f' - 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad' - 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d' - 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c' + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName) diff --git a/modules/authorization/role-assignment/resource-group/main.bicep b/modules/authorization/role-assignment/resource-group/main.bicep index 02a6545a95..4382d3694d 100644 --- a/modules/authorization/role-assignment/resource-group/main.bicep +++ b/modules/authorization/role-assignment/resource-group/main.bicep 
@@ -46,403 +46,11 @@ param principalType string = ''
 param enableDefaultTelemetry bool = true
 var builtInRoleNames = {
- 'Access Review Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475'
- AcrDelete: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- AcrImageSigner: '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
- AcrPull: '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
- AcrPush: '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
- AcrQuarantineReader: '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
- AcrQuarantineWriter: '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
- 'AgFood Platform Sensor Partner Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67'
- 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3'
- 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728'
- 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba'
- 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8'
- 'API Management Developer Portal Content Editor': '/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729'
- 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
- 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
- 'API Management Service Reader Role': 
'/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' - 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' - 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' - 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b' - 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' - 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' - 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' - 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' - 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867' - 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' - 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' - 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' - 'Autonomous Development Platform Data Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795' - 'Autonomous Development Platform Data Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d' - 'Autonomous Development Platform Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093' - 'Avere Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' - 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' - 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd' - 'Azure Arc Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96' - 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2' - 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4' - 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1' - 'Azure Arc ScVmm Administrator role': '/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87' - 'Azure Arc ScVmm Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda' - 'Azure Arc ScVmm Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9' - 'Azure Arc ScVmm VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b' - 'Azure Arc VMware Administrator role ': '/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f' - 'Azure Arc VMware Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83' - 'Azure Arc VMware Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa' - 'Azure Arc VMware VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb' - 'Azure Center for SAP solutions administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7' - 'Azure Center for SAP solutions Management role': '/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310' - 'Azure Center for SAP solutions reader': '/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b' - 'Azure Center for SAP solutions service role': '/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138' - 'Azure Center for SAP solutions Service role for management': '/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb' - 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' - 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' - 'Azure Connected Machine Resource Manager': '/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c' - 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508' - 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' - 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' - 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' - 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' - 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' - 'Azure Extension for SQL Server Deployment': '/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d' - 'Azure Front Door Domain 
Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8' - 'Azure Front Door Domain Reader': '/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f' - 'Azure Front Door Secret Contributor': '/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5' - 'Azure Front Door Secret Reader': '/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca' - 'Azure Kubernetes Fleet Manager Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf' - 'Azure Kubernetes Fleet Manager RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba' - 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69' - 'Azure Kubernetes Fleet Manager RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80' - 'Azure Kubernetes Fleet Manager RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683' - 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' - 'Azure Kubernetes Service Cluster Monitoring User': '/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6' - 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' - 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' - 'Azure Kubernetes Service Policy Add-on Deployment': '/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064' - 'Azure Kubernetes Service RBAC Admin': 
'/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7' - 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' - 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db' - 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb' - 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb' - 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' - 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' - 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005' - 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d' - 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38' - 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d' - 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' - 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' - 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' - 'Azure Spring Apps Connect Role': '/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b' - 'Azure Spring Apps Remote Debugging Role': '/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054' - 'Azure Spring Cloud Config 
Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b' - 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7' - 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c' - 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1' - 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65' - 'Azure Stack HCI registration role': '/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06' - 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' - 'Azure Traffic Controller Configuration Manager': '/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1' - 'Azure Usage Billing Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6' - 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd' - 'AzureML Compute Operator': '/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815' - 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121' - 'AzureML Metrics Writer (preview)': '/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae' - 'AzureML Registry User': '/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615' - 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' - 'Backup Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' - 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' - 'Bayer Ag Powered Services CWUM Solution User Role': '/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa' - 'Bayer Ag Powered Services GDU Solution': '/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042' - 'Bayer Ag Powered Services Imagery Solution': '/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588' - 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' - 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' - 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' - 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' - 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' - 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' - 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' - 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' - 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' - 'Chamber Admin': '/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a' - 'Chamber User': '/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32' - 'Classic Network Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' - 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' - 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' - 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' - 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' - 'Code Signing Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958' - 'Code Signing Identity Verifier': '/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08' - 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' - 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' - 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' - 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' - 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' - 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' - 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' - 'Cognitive Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7' - 'Cognitive Services Immersive Reader 
User': '/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d' - 'Cognitive Services Language Owner': '/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498' - 'Cognitive Services Language Reader': '/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e' - 'Cognitive Services Language Writer': '/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8' - 'Cognitive Services LUIS Owner': '/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8' - 'Cognitive Services LUIS Reader': '/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226' - 'Cognitive Services LUIS Writer': '/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27' - 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a' - 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8' - 'Cognitive Services OpenAI Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442' - 'Cognitive Services OpenAI User': '/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' - 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' - 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' - 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181' - 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447' - 'Cognitive Services User': 
'/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' - 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352' - 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102' - 'Compute Gallery Sharing Admin': '/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b' - 'ContainerApp Reader': '/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b' - Contributor: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' - 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' - CosmosBackupOperator: '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' - CosmosRestoreOperator: '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f' - 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' - 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' - 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' - 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' - 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' - 'Data Labeling - Labeler': '/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab' - 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' - 'Data 
Operator for Managed Disks': '/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e' - 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' - 'Deployment Environments User': '/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c' - 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8' - 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55' - 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387' - 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc' - 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822' - 'Desktop Virtualization Power On Contributor': '/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33' - 'Desktop Virtualization Power On Off Contributor': '/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e' - 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868' - 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408' - 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' - 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6' - 'Desktop Virtualization Virtual Machine Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c' - 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b' - 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d' - 'DevCenter Dev Box User': '/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05' - 'DevCenter Project Admin': '/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0' - 'Device Provisioning Service Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633' - 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8' - 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a' - 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98' - 'Device Update Content Reader': '/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b' - 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432' - 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f' - 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f' - 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' - 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8' - 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a' - 'Disk Backup Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24' - 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840' - 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13' - 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce' - 'DNS Resolver Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d' - 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' - 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' - 'Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2' - 'Domain Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb' - 'Elastic SAN Owner': '/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406' - 'Elastic SAN Reader': '/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca' - 'Elastic SAN Volume Group Owner': '/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23' - 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de' - 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7' - 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' - 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' - 'Experimentation Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' - 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' - 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0' - 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' - 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' - 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24' - 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' - 'FHIR Data Importer': '/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b' - 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' - 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' - 'FHIR SMART User': '/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0' - 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41' - 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f' - 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769' - 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' - 'Guest Configuration Resource Contributor': '/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31' - 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' - 'HDInsight Domain Services Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
- 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
- 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
- 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
- 'Impact Reader': '/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e'
- 'Impact Reporter': '/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a'
- 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
- 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
- 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
- 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f'
- 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3'
- 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47'
- 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c'
- 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483'
- 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985'
- 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
- 'Key Vault Crypto Officer': '/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
- 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6'
- 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424'
- 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
- 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
- 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
- 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
- 'Kubernetes Agentless Operator': '/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6'
- 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
- 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717'
- 'Kubernetes Namespace User': '/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a'
- 'Lab Assistant': '/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1'
- 'Lab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270'
- 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
- 'Lab Operator': '/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d'
- 'Lab Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f'
- 'Lab Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc'
- 'Load Test Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e'
- 'Load Test Owner': '/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6'
- 'Load Test Reader': '/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081'
- 'LocalNGFirewallAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2'
- 'LocalRulestacksAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20'
- 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
- 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
- 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
- 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
- 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
- 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
- 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
- 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d'
- 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
- 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
- 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
- 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
- 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
- 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466'
- 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77'
- 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c'
- 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae'
- 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804'
- 'Microsoft Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a'
- 'Microsoft Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
- 'Microsoft Sentinel Playbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5'
- 'Microsoft Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
- 'Microsoft Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
- 'Microsoft.Kubernetes connected cluster role': '/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f'
- 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
- 'Monitoring Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136'
- 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
- 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
- 'MySQL Backup And Export Operator': '/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0'
- 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
- 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
- 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b'
- 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9'
- 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
- 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6'
- Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- 'PlayFab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726'
- 'PlayFab Reader': '/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf'
- 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
- 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
- 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889'
- 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446'
- 'Project Babylon Data Source Administrator': '/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f'
- 'Purview role 1 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347'
- 'Purview role 2 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803'
- 'Purview role 3 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db'
- 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125'
- Reader: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
- 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
- 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
- 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
- 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
- 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689'
- 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
- 'Role Based Access Control Administrator (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168'
- 'Scheduled Patching Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6'
- 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
- 'Schema Registry Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25'
- 'Schema Registry Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2'
- 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7'
- 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f'
- 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
- 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
- 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
- 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500'
- 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5'
- 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce'
- 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0'
- 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
- 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
- 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b'
- 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
- 'SignalR App Server': '/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7'
- 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521'
- 'SignalR REST API Reader': '/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035'
- 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3'
- 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
- 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
- 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
- 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
- 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
- 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
- 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
- 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
- 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
- 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
- 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
- 'SqlDb Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57'
- 'SqlMI Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872'
- 'SqlVM Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d'
- 'Storage Account Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
- 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
- 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
- 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
- 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
- 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
- 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
- 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
- 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
- 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
- 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
- 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
- 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
- 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
- 'Storage Table Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'
- 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6'
- 'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf'
- 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
- 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
- 'Template Spec Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b'
- 'Template Spec Reader': '/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e'
- 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85'
- 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
- 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
- 'Video Indexer Restricted Viewer': '/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb'
- 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
- 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
- 'Virtual Machine Local User Login': '/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525'
- 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
- 'VM Scanner Operator': '/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd'
- 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
- 'Web PubSub Service Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4'
- 'Web PubSub Service Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf'
- 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
- 'Windows Admin Center Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f'
- 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
- 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
- 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c'
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
diff --git a/modules/authorization/role-assignment/subscription/main.bicep b/modules/authorization/role-assignment/subscription/main.bicep
index a337fde5b5..277e9c2a15 100644
--- a/modules/authorization/role-assignment/subscription/main.bicep
+++ b/modules/authorization/role-assignment/subscription/main.bicep
@@ -46,403 +46,11 @@ param principalType string = '' param enableDefaultTelemetry bool = true var builtInRoleNames = { - 'Access Review Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475' - AcrDelete: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - AcrImageSigner: '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' - AcrPull: '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' - AcrPush: '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' - AcrQuarantineReader: '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' - AcrQuarantineWriter: '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' - 'AgFood Platform Sensor Partner Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67' - 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3' - 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728' - 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba' - 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8' - 'API Management Developer Portal Content Editor': '/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729' - 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' - 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' - 'API Management Service Reader Role': 
'/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' - 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' - 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' - 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b' - 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' - 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' - 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' - 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' - 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867' - 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' - 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' - 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' - 'Autonomous Development Platform Data Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795' - 'Autonomous Development Platform Data Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d' - 'Autonomous Development Platform Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093' - 'Avere Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' - 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' - 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd' - 'Azure Arc Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96' - 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2' - 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4' - 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1' - 'Azure Arc ScVmm Administrator role': '/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87' - 'Azure Arc ScVmm Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda' - 'Azure Arc ScVmm Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9' - 'Azure Arc ScVmm VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b' - 'Azure Arc VMware Administrator role ': '/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f' - 'Azure Arc VMware Private Cloud User': '/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83' - 'Azure Arc VMware Private Clouds Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa' - 'Azure Arc VMware VM Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb' - 'Azure Center for SAP solutions administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7' - 'Azure Center for SAP solutions Management role': '/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310' - 'Azure Center for SAP solutions reader': '/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b' - 'Azure Center for SAP solutions service role': '/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138' - 'Azure Center for SAP solutions Service role for management': '/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb' - 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' - 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' - 'Azure Connected Machine Resource Manager': '/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c' - 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508' - 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' - 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' - 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' - 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' - 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' - 'Azure Extension for SQL Server Deployment': '/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d' - 'Azure Front Door Domain 
Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8' - 'Azure Front Door Domain Reader': '/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f' - 'Azure Front Door Secret Contributor': '/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5' - 'Azure Front Door Secret Reader': '/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca' - 'Azure Kubernetes Fleet Manager Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf' - 'Azure Kubernetes Fleet Manager RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba' - 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69' - 'Azure Kubernetes Fleet Manager RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80' - 'Azure Kubernetes Fleet Manager RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683' - 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' - 'Azure Kubernetes Service Cluster Monitoring User': '/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6' - 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' - 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' - 'Azure Kubernetes Service Policy Add-on Deployment': '/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064' - 'Azure Kubernetes Service RBAC Admin': 
'/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7' - 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' - 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db' - 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb' - 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb' - 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' - 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' - 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005' - 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d' - 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38' - 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d' - 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' - 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' - 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' - 'Azure Spring Apps Connect Role': '/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b' - 'Azure Spring Apps Remote Debugging Role': '/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054' - 'Azure Spring Cloud Config 
Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b' - 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7' - 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c' - 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1' - 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65' - 'Azure Stack HCI registration role': '/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06' - 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' - 'Azure Traffic Controller Configuration Manager': '/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1' - 'Azure Usage Billing Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6' - 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd' - 'AzureML Compute Operator': '/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815' - 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121' - 'AzureML Metrics Writer (preview)': '/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae' - 'AzureML Registry User': '/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615' - 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' - 'Backup Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' - 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' - 'Bayer Ag Powered Services CWUM Solution User Role': '/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa' - 'Bayer Ag Powered Services GDU Solution': '/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042' - 'Bayer Ag Powered Services Imagery Solution': '/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588' - 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' - 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' - 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' - 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' - 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' - 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' - 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' - 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' - 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' - 'Chamber Admin': '/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a' - 'Chamber User': '/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32' - 'Classic Network Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
- 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
- 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
- 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
- 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
- 'Code Signing Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958'
- 'Code Signing Identity Verifier': '/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08'
- 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
- 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
- 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
- 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
- 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
- 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
- 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
- 'Cognitive Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7'
- 'Cognitive Services Immersive Reader
User': '/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d'
- 'Cognitive Services Language Owner': '/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498'
- 'Cognitive Services Language Reader': '/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e'
- 'Cognitive Services Language Writer': '/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8'
- 'Cognitive Services LUIS Owner': '/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8'
- 'Cognitive Services LUIS Reader': '/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226'
- 'Cognitive Services LUIS Writer': '/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27'
- 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a'
- 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8'
- 'Cognitive Services OpenAI Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442'
- 'Cognitive Services OpenAI User': '/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
- 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
- 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
- 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181'
- 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447'
- 'Cognitive Services User':
'/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
- 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352'
- 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102'
- 'Compute Gallery Sharing Admin': '/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b'
- 'ContainerApp Reader': '/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b'
- Contributor: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
- 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
- CosmosBackupOperator: '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
- CosmosRestoreOperator: '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f'
- 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
- 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
- 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
- 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
- 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
- 'Data Labeling - Labeler': '/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab'
- 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
- 'Data
Operator for Managed Disks': '/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e'
- 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
- 'Deployment Environments User': '/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c'
- 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8'
- 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55'
- 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387'
- 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc'
- 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822'
- 'Desktop Virtualization Power On Contributor': '/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33'
- 'Desktop Virtualization Power On Off Contributor': '/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e'
- 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868'
- 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408'
- 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
- 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6'
- 'Desktop Virtualization Virtual Machine Contributor':
'/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c'
- 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b'
- 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d'
- 'DevCenter Dev Box User': '/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05'
- 'DevCenter Project Admin': '/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0'
- 'Device Provisioning Service Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633'
- 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8'
- 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a'
- 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98'
- 'Device Update Content Reader': '/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b'
- 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432'
- 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f'
- 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f'
- 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
- 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8'
- 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a'
- 'Disk Backup Reader':
'/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24'
- 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840'
- 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13'
- 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce'
- 'DNS Resolver Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d'
- 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
- 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
- 'Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2'
- 'Domain Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb'
- 'Elastic SAN Owner': '/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406'
- 'Elastic SAN Reader': '/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca'
- 'Elastic SAN Volume Group Owner': '/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23'
- 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de'
- 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7'
- 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
- 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
- 'Experimentation Administrator':
'/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
- 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
- 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0'
- 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
- 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
- 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24'
- 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
- 'FHIR Data Importer': '/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b'
- 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
- 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
- 'FHIR SMART User': '/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0'
- 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41'
- 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f'
- 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769'
- 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
- 'Guest Configuration Resource Contributor': '/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31'
- 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
- 'HDInsight Domain Services Contributor':
'/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
- 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
- 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
- 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
- 'Impact Reader': '/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e'
- 'Impact Reporter': '/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a'
- 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
- 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
- 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
- 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f'
- 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3'
- 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47'
- 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c'
- 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483'
- 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985'
- 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
- 'Key Vault Crypto Officer':
'/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
- 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6'
- 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424'
- 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
- 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
- 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
- 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
- 'Kubernetes Agentless Operator': '/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6'
- 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
- 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717'
- 'Kubernetes Namespace User': '/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a'
- 'Lab Assistant': '/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1'
- 'Lab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270'
- 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
- 'Lab Operator': '/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d'
- 'Lab Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f'
- 'Lab Services Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc'
- 'Load
Test Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e'
- 'Load Test Owner': '/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6'
- 'Load Test Reader': '/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081'
- 'LocalNGFirewallAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2'
- 'LocalRulestacksAdministrator role': '/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20'
- 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
- 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
- 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
- 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
- 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
- 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
- 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
- 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d'
- 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
- 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
- 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
- 'Management Group Contributor':
'/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
- 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
- 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466'
- 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77'
- 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c'
- 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae'
- 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804'
- 'Microsoft Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a'
- 'Microsoft Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
- 'Microsoft Sentinel Playbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5'
- 'Microsoft Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
- 'Microsoft Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
- 'Microsoft.Kubernetes connected cluster role': '/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f'
- 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
- 'Monitoring Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136'
- 'Monitoring Metrics Publisher':
'/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
- 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
- 'MySQL Backup And Export Operator': '/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0'
- 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
- 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
- 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b'
- 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9'
- 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
- 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6'
- Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- 'PlayFab Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726'
- 'PlayFab Reader': '/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf'
- 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
- 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
- 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889'
- 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446'
- 'Project Babylon Data Source Administrator':
'/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f'
- 'Purview role 1 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347'
- 'Purview role 2 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803'
- 'Purview role 3 (Deprecated)': '/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db'
- 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125'
- Reader: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
- 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
- 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
- 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
- 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
- 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689'
- 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
- 'Role Based Access Control Administrator (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168'
- 'Scheduled Patching Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6'
- 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
- 'Schema Registry Contributor (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25'
- 'Schema Registry Reader (Preview)':
'/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2'
- 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7'
- 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f'
- 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
- 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
- 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
- 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500'
- 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5'
- 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce'
- 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0'
- 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
- 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
- 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b'
- 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
- 'SignalR App Server': '/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7'
- 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521'
- 'SignalR REST API Reader':
'/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035'
- 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3'
- 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
- 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
- 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
- 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
- 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
- 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
- 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
- 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
- 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
- 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
- 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
- 'SqlDb Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57'
- 'SqlMI Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872'
- 'SqlVM Migration Role': '/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d'
- 'Storage Account Backup Contributor':
'/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
- 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
- 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
- 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
- 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
- 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
- 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
- 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
- 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
- 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
- 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
- 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
- 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
- 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
- 'Storage Table Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'
- 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6'
-
'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf'
- 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
- 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
- 'Template Spec Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b'
- 'Template Spec Reader': '/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e'
- 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85'
- 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
- 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
- 'Video Indexer Restricted Viewer': '/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb'
- 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
- 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
- 'Virtual Machine Local User Login': '/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525'
- 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
- 'VM Scanner Operator': '/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd'
- 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
- 'Web PubSub Service Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4'
- 'Web PubSub Service Reader (Preview)':
'/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf'
- 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
- 'Windows Admin Center Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f'
- 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
- 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
- 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c'
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
diff --git a/modules/automation/automation-account/.bicep/nested_roleAssignments.bicep b/modules/automation/automation-account/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index 575f471ef5..0000000000
--- a/modules/automation/automation-account/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource 
Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource automationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(automationAccount.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: automationAccount -}] diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index fd3698cc91..b0ae64aef0 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep 
@@ -1,251 +1,250 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.automation.account-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aacom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gallerySolutions: [ - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - jobSchedules: [ - { - runbookName: 'TestRunbook' - scheduleName: 'TestSchedule' - } - ] - disableLocalAuth: true - linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - modules: [ - { - name: 'PSWindowsUpdate' - uri: 'https://www.powershellgallery.com/api/v2/package' - version: 'latest' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'Webhook' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'DSCAndHybridWorker' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - 
roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - runbooks: [ - { - description: 'Test runbook' - name: 'TestRunbook' - type: 'PowerShell' - uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' - version: '1.0.0.0' - } - ] - schedules: [ - { - advancedSchedule: {} - expiryTime: '9999-12-31T13:00' - frequency: 'Hour' - interval: 12 - name: 'TestSchedule' - startTime: '' - timeZone: 'Europe/Berlin' - } - ] - softwareUpdateConfigurations: [ - { - excludeUpdates: [ - '123456' - ] - frequency: 'Month' - includeUpdates: [ - '654321' - ] - interval: 1 - maintenanceWindow: 'PT4H' - monthlyOccurrences: [ - { - day: 'Friday' - occurrence: 3 - } - ] - name: 'Windows_ZeroDay' - operatingSystem: 'Windows' - rebootSetting: 'IfRequired' - scopeByTags: { - Update: [ - 'Automatic-Wave1' - ] - } - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Definition' - 'FeaturePack' - 'Security' - 'ServicePack' - 'Tools' - 'UpdateRollup' - 'Updates' - ] - } - { - excludeUpdates: [ - 'icacls' - ] - frequency: 'OneTime' - includeUpdates: [ - 'kernel' - ] - maintenanceWindow: 'PT4H' - name: 'Linux_ZeroDay' - operatingSystem: 'Linux' - rebootSetting: 'IfRequired' - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Other' - 'Security' - ] - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - variables: [ - { - description: 'TestStringDescription' - name: 'TestString' - value: '\'TestString\'' - } - { - description: 'TestIntegerDescription' - name: 'TestInteger' - value: '500' - } - { - description: 'TestBooleanDescription' - name: 'TestBoolean' - value: 'false' - } - { - description: 'TestDateTimeDescription' - isEncrypted: false - name: 'TestDateTime' - value: 
'\'\\/Date(1637934042656)\\/\'' - } - { - description: 'TestEncryptedDescription' - name: 'TestEncryptedVariable' - value: '\'TestEncryptedValue\'' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.automation.account-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'aacom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + 
} + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + disableLocalAuth: true + linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Webhook' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'DSCAndHybridWorker' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 
'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index b4ace1295b..1930cea49f 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -116,9 +116,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
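Review bot: The only substantive change in this test file is `principalIds: [ ... ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` in the roleAssignments entry, yet every one of the 251 lines is shown removed and re-added, which buries that change in review. This looks like a whole-file line-ending or whitespace normalisation folded into the functional change; committing the normalisation separately would keep the reviewable diff to the one entry. The entry still sets `principalType: 'ServicePrincipal'`, which matches the allowed values of the new roleAssignmentType.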
@@ -342,9 +340,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -828,7 +824,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `runbooks` diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index cf1f10bfe0..6afbd479a3 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep 
@@ -87,7 +87,7 @@ param userAssignedIdentities object = {}
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the Automation Account resource.')
 param tags object = {}
@@ -145,6 +145,18 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+var builtInRoleNames = {
+  'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')
+  'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')
+  'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')
+  'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
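Review bot: The inline builtInRoleNames map resolves fewer display names than the nested module this commit deletes; the removed .bicep/nested_roleAssignments.bicep still listed 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. Because the lookup in automationAccount_roleAssignments falls back to the raw string when a name is not in the map, a caller still passing one of those display names now has it submitted verbatim as roleDefinitionId and the deployment fails where it previously resolved. Either restore those entries or state the contract on the map, e.g. `// Display names not listed here are passed through unchanged as roleDefinitionId; any other role must be given as its full role definition resource ID.`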
@@ -388,17 +400,18 @@ module automationAccount_privateEndpoints '../../network/private-endpoint/main.b
   }
 }]
 
-module automationAccount_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-AutoAccount-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: automationAccount.id
+resource automationAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(automationAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: automationAccount
 }]
 
 @description('The name of the deployed automation account.')
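Review bot: The assignment name is derived from roleDefinitionIdOrName rather than from the resolved roleDefinitionId, so the same principal and role yield a different guid depending on whether the caller wrote the display name or the full ID; a redeploy that switches forms then asks for a second assignment with the same principalId, roleDefinitionId and scope under a new name, which Azure RBAC rejects as an existing assignment. This pattern is carried over from the deleted nested module, but the new resource is the place to fix it by resolving once and naming from the result: `name: guid(automationAccount.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The trailing comment on conditionVersion also has a typo: `// Must only be set if condition is set`.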
@@ -427,3 +440,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json
index 78fbfa0b65..985e446999 100644
--- a/modules/automation/automation-account/main.json
+++ b/modules/automation/automation-account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "7950772312586811014"
+      "templateHash": "3326115311371302534"
     },
     "name": "Automation Accounts",
     "description": "This module deploys an Azure Automation Account.",
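Review bot: In roleAssignmentType the line `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` both lists null in the union and marks the property optional with `?`, while every other optional property relies on `?` alone; the `| null` is redundant and the line reads consistently as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The conditionVersion description should also tell callers when the value is used, since the resource only applies it when a condition is present: `@description('Optional. Version of the condition. Only applied when a condition is set; defaults to 2.0.')`. The type definition is complete within this hunk.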
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -223,8 +289,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -302,7 +367,18 @@ "enableReferencedModulesTelemetry": false, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", + "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", + "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", + "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -391,6 +467,28 @@ "automationAccount" ] }, + "automationAccount_roleAssignments": { + "copy": { + "name": "automationAccount_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "automationAccount" + ] + }, 
"automationAccount_modules": { "copy": { "name": "automationAccount_modules", 
@@ -2563,158 +2661,6 @@ "dependsOn": [ "automationAccount" ] - }, - "automationAccount_roleAssignments": { - "copy": { - "name": "automationAccount_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AutoAccount-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"10195514445399502357" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Automation/automationAccounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Automation/automationAccounts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "automationAccount" - ] } }, "outputs": { 
diff --git a/modules/cache/redis-enterprise/.bicep/nested_roleAssignments.bicep b/modules/cache/redis-enterprise/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index f888e4ca02..0000000000 --- a/modules/cache/redis-enterprise/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(redisCacheEnterprise.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: redisCacheEnterprise -}] diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep index 74c01eb8d0..ec84ed832c 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep 
@@ -1,131 +1,130 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cache.redisenterprise-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crecom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - capacity: 2 - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticSettingsName: 'redisdiagnostics' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - minimumTlsVersion: '1.2' - zoneRedundant: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'redisEnterprise' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'AllKeysLFU' - modules: [ - { - name: 'RedisBloom' - } - { - name: 'RedisTimeSeries' - args: 'RETENTION_POLICY 20' - } - ] - persistenceAofEnabled: true - persistenceAofFrequency: '1s' - persistenceRdbEnabled: false - port: 10000 - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This 
instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.cache.redisenterprise-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crecom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// 
============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettingsName: 'redisdiagnostics' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + minimumTlsVersion: '1.2' + zoneRedundant: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'redisEnterprise' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + name: 'RedisTimeSeries' + args: 'RETENTION_POLICY 20' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + } +} + diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index e9afb7bd4f..6b9779d29b 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md 
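Review bot: The rewritten `roleAssignments` entry in `testDeployment` still covers only a `Reader` assignment with `principalId` and `principalType`, so the `condition`, `conditionVersion`, `description` and `delegatedManagedIdentityResourceId` paths that main.bicep now handles inline in `redisEnterprise_roleAssignments` have no test coverage; a second entry for a different role with `condition` set would exercise the new `conditionVersion` defaulting. Apart from the `principalIds` → `principalId` change every line of the file is removed and re-added unchanged, which looks like a line-ending normalization; if so, handling that through `.gitattributes` or a separate commit would keep the functional change reviewable.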
@@ -97,9 +97,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -200,9 +198,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -557,7 +553,68 @@ Configuration details for private endpoints. For security reasons, it is recomme Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index be865f3cda..5def57823e 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep 
@@ -12,7 +12,7 @@ param name string param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -108,6 +108,15 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
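Review bot: The new `builtInRoleNames` map in the `@@ -108` hunk resolves only six display names, whereas the deleted `.bicep/nested_roleAssignments.bicep` resolved fourteen (among them `Log Analytics Reader`, `Monitoring Reader` and `Resource Policy Contributor`), and the `contains(builtInRoleNames, …)` lookup in the `@@ -153` hunk passes any other display name through verbatim as `roleDefinitionId`, which is presumably rejected at deployment time rather than at authoring time. Callers that used those names therefore change behaviour silently, while the parameter description in the `@@ -12` hunk still promises that "the display name of the role definition" is accepted. Either restore the dropped entries (shown below, values taken from the deleted file) or narrow the description to state that only the listed names resolve and every other role must be given as a fully qualified role definition ID.
```bicep
var builtInRoleNames = {
  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
  // … unchanged: Owner, Reader, 'Redis Cache Contributor' …
  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
  // … unchanged: 'Role Based Access Control Administrator (Preview)', 'User Access Administrator' …
}
```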
@@ -120,7 +129,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = { +resource redisEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = { name: name location: location tags: tags @@ -134,16 +143,16 @@ resource redisCacheEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' = { zones: availabilityZones } -resource redisCacheEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { +resource redisEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' properties: { level: lock.?kind ?? '' notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } - scope: redisCacheEnterprise + scope: redisEnterprise } -resource redisCacheEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { +resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' properties: { storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId 
@@ -153,26 +162,27 @@ resource redisCacheEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticS metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs } - scope: redisCacheEnterprise + scope: redisEnterprise } -module redisCacheEnterprise_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-redisCacheEnterprise-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: redisCacheEnterprise.id +resource redisEnterprise_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(redisEnterprise.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? 
builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: redisEnterprise }] -module redisCacheEnterprise_databases 'database/main.bicep' = [for (database, index) in databases: { +module redisEnterprise_databases 'database/main.bicep' = [for (database, index) in databases: { name: '${uniqueString(deployment().name, location)}-redisCacheEnterprise-DB-${index}' params: { - redisCacheEnterpriseName: redisCacheEnterprise.name + redisCacheEnterpriseName: redisEnterprise.name location: location clientProtocol: contains(database, 'clientProtocol') ? database.clientProtocol : 'Encrypted' clusteringPolicy: contains(database, 'clusteringPolicy') ? database.clusteringPolicy : 'OSSCluster' 
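Review bot: The trailing comment on the `conditionVersion` line of `redisEnterprise_roleAssignments`, `// Must only be set if condtion is set`, misspells "condition" and does not explain the `'2.0'` fallback; `// conditionVersion is only valid together with condition; default to '2.0' when a condition is given` states both. Since `principalType` is now forwarded as-is via `roleAssignment.?principalType`, it may be worth a note in the type's description that omitting it for a freshly created service principal is a common cause of failed role assignments, which is presumably why the test sets `principalType: 'ServicePrincipal'`. The `redisEnterprise_databases` module that begins at the end of the hunk continues past it.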
@@ -188,14 +198,14 @@ module redisCacheEnterprise_databases 'database/main.bicep' = [for (database, in } }] -module redisCacheEnterprise_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module redisEnterprise_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-redisCacheEnterprise-PrivateEndpoint-${index}' params: { groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redisCacheEnterprise.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: redisCacheEnterprise.id + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redisEnterprise.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: redisEnterprise.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location 
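Review bot: The `name` of `redisEnterprise_roleAssignments` is seeded with the caller's raw `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same principal/role pair written once as `'Reader'` and once as the full definition ID yields two different resource names for one effective assignment, and to my knowledge ARM then rejects the second create as an already-existing assignment (the deleted nested template used the same seed, so this is inherited rather than introduced here). Reusing the resolution expression in the seed, `name: guid(redisEnterprise.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, makes the name independent of how the role was spelled. Note that this renames every existing display-name-based assignment on redeploy, so it belongs to a major version bump rather than this patch. Minor: the trailing comment on `conditionVersion` reads `condtion`.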
@@ -213,19 +223,19 @@ module redisCacheEnterprise_privateEndpoints '../../network/private-endpoint/mai }] @description('The name of the redis cache enterprise.') -output name string = redisCacheEnterprise.name +output name string = redisEnterprise.name @description('The resource ID of the redis cache enterprise.') -output resourceId string = redisCacheEnterprise.id +output resourceId string = redisEnterprise.id @description('The name of the resource group the redis cache enterprise was created in.') output resourceGroupName string = resourceGroup().name @description('Redis hostname.') -output hostName string = redisCacheEnterprise.properties.hostName +output hostName string = redisEnterprise.properties.hostName @description('The location the resource was deployed into.') -output location string = redisCacheEnterprise.location +output location string = redisEnterprise.location // =============== // // Definitions // 
@@ -238,3 +248,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index b574498959..dd581fe4b8 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13843091580416749127" + "templateHash": "6097715803536632685" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
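Review bot: The `conditionVersion` description in `roleAssignmentType` ("Optional. Version of the condition.") does not say that the value is ignored unless `condition` is set, which is exactly what the resource does with `!empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null`; suggest `@description('Optional. Version of the condition. Only applied when condition is set; defaults to 2.0 in that case.')`. Likewise `principalType` is the field a caller needs when assigning a just-created managed identity or service principal (the commonly hit PrincipalNotFound replication race), so its description could read `Optional. The principal type of the assigned principal ID. Set to ServicePrincipal when assigning to a newly created identity so the assignment does not depend on directory replication.`. The union `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` explicitly while the trailing `?` already makes the property nullable, so one of the two is redundant. The compiled `main.json` definition further down mirrors these descriptions and would need regenerating with any wording change.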
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -220,7 +285,15 @@ ], "availabilityZones": "[if(parameters('zoneRedundant'), pickZones('Microsoft.Cache', 'redisEnterprise', parameters('location'), 3), createArray())]", "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { @@ -237,7 +310,7 @@ } } }, - "redisCacheEnterprise": { + "redisEnterprise": { "type": "Microsoft.Cache/redisEnterprise", "apiVersion": "2022-01-01", "name": "[parameters('name')]", @@ -252,7 +325,7 @@ }, "zones": "[variables('availabilityZones')]" }, - "redisCacheEnterprise_lock": { + "redisEnterprise_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", 
@@ -263,10 +336,10 @@ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "redisCacheEnterprise" + "redisEnterprise" ] }, - "redisCacheEnterprise_diagnosticSettings": { + "redisEnterprise_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -281,161 +354,34 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "redisCacheEnterprise" + "redisEnterprise" ] }, - "redisCacheEnterprise_rbac": { + "redisEnterprise_roleAssignments": { "copy": { - "name": "redisCacheEnterprise_rbac", - "count": "[length(parameters('roleAssignments'))]" + "name": "redisEnterprise_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-redisCacheEnterprise-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12607572296541142934" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Cache/redisEnterprise', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), 
null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "redisCacheEnterprise" + "redisEnterprise" ] }, - "redisCacheEnterprise_databases": { + "redisEnterprise_databases": { "copy": { - "name": "redisCacheEnterprise_databases", + "name": "redisEnterprise_databases", "count": "[length(parameters('databases'))]" }, "type": "Microsoft.Resources/deployments", @@ -662,12 +608,12 @@ } }, "dependsOn": [ - "redisCacheEnterprise" + "redisEnterprise" ] }, - "redisCacheEnterprise_privateEndpoints": { + "redisEnterprise_privateEndpoints": { "copy": { - "name": "redisCacheEnterprise_privateEndpoints", + "name": "redisEnterprise_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" }, "type": "Microsoft.Resources/deployments", 
@@ -1191,7 +1137,7 @@ } }, "dependsOn": [ - "redisCacheEnterprise" + "redisEnterprise" ] } }, @@ -1222,14 +1168,14 @@ "metadata": { "description": "Redis hostname." }, - "value": "[reference('redisCacheEnterprise').hostName]" + "value": "[reference('redisEnterprise').hostName]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('redisCacheEnterprise', '2022-01-01', 'full').location]" + "value": "[reference('redisEnterprise', '2022-01-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cache/redis/.bicep/nested_roleAssignments.bicep b/modules/cache/redis/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 636cba1395..0000000000 --- a/modules/cache/redis/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource redisCache 'Microsoft.Cache/redis@2022-06-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(redisCache.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: redisCache -}] diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index ba16041709..1b199e2075 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md 
@@ -459,7 +459,68 @@ The number of replicas to be created per primary. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `shardCount` diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index 3c78068ad7..eadf8ece68 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep 
@@ -12,7 +12,7 @@ param name string param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -167,6 +167,15 @@ var identity = { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -179,7 +188,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource redisCache 'Microsoft.Cache/redis@2022-06-01' = { +resource redis 'Microsoft.Cache/redis@2022-06-01' = { name: name location: location tags: tags 
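Review bot: The new `builtInRoleNames` map in this module resolves six display names whereas the deleted `.bicep/nested_roleAssignments.bicep` for the same module resolved fourteen (Log Analytics Contributor/Reader, the three Managed Application(s) roles, Monitoring Contributor/Reader and Resource Policy Contributor are gone), and a name that is not in the map falls through the `roleDefinitionId` ternary unchanged, so a caller still passing one of the dropped names now gets an opaque ARM failure on the role definition instead of a clear error from the module. If the trimming is intentional, the `roleAssignments` description in the first hunk on this line should state what is still resolved, e.g. append `Supported display names: Contributor, Owner, Reader, Redis Cache Contributor, Role Based Access Control Administrator (Preview), User Access Administrator; any other value must be a full role definition resource ID.`; otherwise restore the previous entries. Whether any consumer relied on the dropped names is not visible from the diff. The role resolution itself lives in a later hunk of this file.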
@@ -205,16 +214,16 @@ resource redisCache 'Microsoft.Cache/redis@2022-06-01' = { zones: availabilityZones } -resource redisCache_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { +resource redis_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' properties: { level: lock.?kind ?? '' notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } - scope: redisCache + scope: redis } -resource redisCache_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { +resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' properties: { storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId 
@@ -224,30 +233,31 @@ resource redisCache_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@20
     metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics
     logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs
   }
-  scope: redisCache
+  scope: redis
 }
 
-module redisCache_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-redisCache-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: redisCache.id
+resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: redis
 }]
 
-module redisCache_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+module redis_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
   name: '${uniqueString(deployment().name, location)}-redisCache-PrivateEndpoint-${index}'
   params: {
     groupIds: [
       privateEndpoint.service
     ]
-    name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redisCache.id, '/'))}-${privateEndpoint.service}-${index}'
-    serviceResourceId: redisCache.id
+    name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redis.id, '/'))}-${privateEndpoint.service}-${index}'
+    serviceResourceId: redis.id
     subnetResourceId: privateEndpoint.subnetResourceId
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
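Review bot: `name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` keys the assignment name on the string the caller supplied rather than on the resolved definition, so the same principal/role pair gets a different resource name depending on whether it was given as 'Reader' or as the full role definition ID; the removed nested template had the same behaviour, but now that the lookup lives in this file the resolved value is available: `name: guid(redis.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Presumably this would let a re-deployment that switches between the two spellings update the existing assignment instead of attempting a second one at the same scope — worth confirming, and note that changing the name formula renames existing assignments on upgrade, so it may belong in a separate versioned change. The trailing comment on the `conditionVersion` line also has a typo: `// Must only be set if condition is set`.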
@@ -265,25 +275,25 @@ module redisCache_privateEndpoints '../../network/private-endpoint/main.bicep' =
 }]
 
 @description('The name of the Redis Cache.')
-output name string = redisCache.name
+output name string = redis.name
 
 @description('The resource ID of the Redis Cache.')
-output resourceId string = redisCache.id
+output resourceId string = redis.id
 
 @description('The name of the resource group the Redis Cache was created in.')
 output resourceGroupName string = resourceGroup().name
 
 @description('Redis hostname.')
-output hostName string = redisCache.properties.hostName
+output hostName string = redis.properties.hostName
 
 @description('Redis SSL port.')
-output sslPort int = redisCache.properties.sslPort
+output sslPort int = redis.properties.sslPort
 
 @description('The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in.')
-output subnetId string = !empty(subnetId) ? redisCache.properties.subnetId : ''
+output subnetId string = !empty(subnetId) ? redis.properties.subnetId : ''
 
 @description('The location the resource was deployed into.')
-output location string = redisCache.location
+output location string = redis.location
 
 // =============== //
 //   Definitions   //
@@ -296,3 +306,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json
index 5d189f577b..97179d1921 100644
--- a/modules/cache/redis/main.json
+++ b/modules/cache/redis/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "4426369279242408346"
+      "templateHash": "14560598039949913276"
     },
     "name": "Redis Cache",
     "description": "This module deploys a Redis Cache.",
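Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and also marks the property optional with the trailing `?`; the compiled main.json hunk shows just the five string values with `nullable: true`, so the explicit `null` adds nothing. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and matches how `conditionVersion: '2.0'?` is written two properties later. The `roleDefinitionIdOrName` description could also state that only the display names present in `builtInRoleNames` are resolved and any other value is passed through unchanged as a role definition ID, since that is the behaviour the new `redis_roleAssignments` resource implements.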
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -326,7 +391,15 @@ "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" }, - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { @@ -343,7 +416,7 @@ } } }, - "redisCache": { + "redis": { "type": "Microsoft.Cache/redis", "apiVersion": "2022-06-01", "name": "[parameters('name')]", 
@@ -370,7 +443,7 @@ }, "zones": "[variables('availabilityZones')]" }, - "redisCache_lock": { + "redis_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", @@ -381,10 +454,10 @@ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "redisCache" + "redis" ] }, - "redisCache_diagnosticSettings": { + "redis_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -399,161 +472,34 @@ "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" }, "dependsOn": [ - "redisCache" + "redis" ] }, - "redisCache_rbac": { + "redis_roleAssignments": { "copy": { - "name": "redisCache_rbac", - "count": "[length(parameters('roleAssignments'))]" + "name": "redis_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-redisCache-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Cache/redis', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Cache/redis', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4475888832005151593" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cache/redis/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Cache/redis', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "redisCache" + "redis" ] }, - "redisCache_privateEndpoints": { + "redis_privateEndpoints": { "copy": { - "name": "redisCache_privateEndpoints", + "name": "redis_privateEndpoints", "count": "[length(parameters('privateEndpoints'))]" }, "type": "Microsoft.Resources/deployments", @@ -1077,7 +1023,7 @@ } }, "dependsOn": [ - "redisCache" + "redis" ] } }, 
@@ -1108,28 +1054,28 @@ "metadata": { "description": "Redis hostname." }, - "value": "[reference('redisCache').hostName]" + "value": "[reference('redis').hostName]" }, "sslPort": { "type": "int", "metadata": { "description": "Redis SSL port." }, - "value": "[reference('redisCache').sslPort]" + "value": "[reference('redis').sslPort]" }, "subnetId": { "type": "string", "metadata": { "description": "The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in." }, - "value": "[if(not(empty(parameters('subnetId'))), reference('redisCache').subnetId, '')]" + "value": "[if(not(empty(parameters('subnetId'))), reference('redis').subnetId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('redisCache', '2022-06-01', 'full').location]" + "value": "[reference('redis', '2022-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cdn/profile/.bicep/nested_roleAssignments.bicep b/modules/cdn/profile/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 3de7f073b9..0000000000 --- a/modules/cdn/profile/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,76 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
-  'ServicePrincipal'
-  'Group'
-  'User'
-  'ForeignGroup'
-  'Device'
-  ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
-  '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
-  'Azure Front Door Domain Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab34830-df19-4f8c-b84e-aa85b8afa6e8')
-  'Azure Front Door Domain Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f99d363-226e-4dca-9920-b807cf8e1a5f')
-  'Azure Front Door Secret Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f2eb865-5811-4578-b90a-6fc6fa0df8e5')
-  'Azure Front Door Secret Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0db238c4-885e-4c4f-a933-aa2cef684fca')
-  'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')
-  'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')
-  'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')
-  'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')
-  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
-  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
-  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
-  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
-  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
-  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
-  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
-  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
-  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
-  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
-  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
-  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
-  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource cdnProfile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
-  name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(cdnProfile.id, principalId, roleDefinitionIdOrName)
-  properties: {
-    description: description
-    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
-    principalId: principalId
-    principalType: !empty(principalType) ? any(principalType) : null
-    condition: !empty(condition) ? condition : null
-    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
-    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
-  }
-  scope: cdnProfile
-}]
diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/.test/afd/main.test.bicep index 10c448e3b8..97e2a2db80 100644 --- a/modules/cdn/profile/.test/afd/main.test.bicep +++ b/modules/cdn/profile/.test/afd/main.test.bicep 
@@ -1,133 +1,132 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpafd' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - name: 'dep-${namePrefix}-test-${serviceShort}' - location: 'global' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - sku: 'Standard_AzureFrontDoor' - enableDefaultTelemetry: enableDefaultTelemetry - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 
'ServicePrincipal' - } - ] - customDomains: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' - hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net' - certificateType: 'ManagedCertificate' - } - ] - origionGroups: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-origin-group' - loadBalancingSettings: { - additionalLatencyInMilliseconds: 50 - sampleSize: 4 - successfulSamplesRequired: 3 - } - origins: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-origin' - hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net' - } - ] - } - ] - ruleSets: [ - { - name: 'dep${namePrefix}test${serviceShort}ruleset' - rules: [ - { - name: 'dep${namePrefix}test${serviceShort}rule' - order: 1 - actions: [ - { - name: 'UrlRedirect' - parameters: { - typeName: 'DeliveryRuleUrlRedirectActionParameters' - redirectType: 'PermanentRedirect' - destinationProtocol: 'Https' - customPath: '/test123' - customHostname: 'dev-etradefd.trade.azure.defra.cloud' - } - } - ] - } - ] - } - ] - afdEndpoints: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint' - routes: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-afd-route' - originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group' - customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' - ruleSets: [ - { - name: 'dep${namePrefix}test${serviceShort}ruleset' - } - ] - } - ] - } - ] - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. 
Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpafd' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: 'global' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_AzureFrontDoor' + enableDefaultTelemetry: enableDefaultTelemetry + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + customDomains: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' + hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net' + certificateType: 'ManagedCertificate' + } + ] + origionGroups: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-origin-group' + loadBalancingSettings: { + additionalLatencyInMilliseconds: 50 + sampleSize: 4 + successfulSamplesRequired: 3 + } + origins: [ + { + name: 
'dep-${namePrefix}-test-${serviceShort}-origin' + hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net' + } + ] + } + ] + ruleSets: [ + { + name: 'dep${namePrefix}test${serviceShort}ruleset' + rules: [ + { + name: 'dep${namePrefix}test${serviceShort}rule' + order: 1 + actions: [ + { + name: 'UrlRedirect' + parameters: { + typeName: 'DeliveryRuleUrlRedirectActionParameters' + redirectType: 'PermanentRedirect' + destinationProtocol: 'Https' + customPath: '/test123' + customHostname: 'dev-etradefd.trade.azure.defra.cloud' + } + } + ] + } + ] + } + ] + afdEndpoints: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint' + routes: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-afd-route' + originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group' + customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' + ruleSets: [ + { + name: 'dep${namePrefix}test${serviceShort}ruleset' + } + ] + } + ] + } + ] + } +} + diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/.test/common/main.test.bicep index 20344b0e7a..6846ec0476 100644 --- a/modules/cdn/profile/.test/common/main.test.bicep +++ b/modules/cdn/profile/.test/common/main.test.bicep 
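Review bot: Every line of this test file shows as removed and re-added, although the only semantic change is `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` under `roleAssignments`; the whole-file rewrite hides that change from review and from `git blame`. The rewrite is presumably a line-ending normalization, which is better landed as a separate commit or enforced through `.gitattributes` so that functional hunks stay minimal. The new version also ends with an extra empty line after the closing `}` of `testDeployment`. The same whole-file rewrite pattern applies to the `common/main.test.bicep` hunk that follows, which runs past the end of this page.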
@@ -1,103 +1,102 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - name: 'dep-${namePrefix}-test-${serviceShort}' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - sku: 'Standard_Verizon' - enableDefaultTelemetry: enableDefaultTelemetry - 
endpointProperties: { - originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' - contentTypesToCompress: [ - 'text/plain' - 'text/html' - 'text/css' - 'text/javascript' - 'application/x-javascript' - 'application/javascript' - 'application/json' - 'application/xml' - ] - isCompressionEnabled: true - isHttpAllowed: true - isHttpsAllowed: true - queryStringCachingBehavior: 'IgnoreQueryString' - origins: [ - { - name: 'dep-${namePrefix}-cdn-endpoint01' - properties: { - hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' - httpPort: 80 - httpsPort: 443 - enabled: true - } - } - ] - originGroups: [] - geoFilters: [] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_Verizon' + enableDefaultTelemetry: enableDefaultTelemetry + endpointProperties: { + originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + contentTypesToCompress: [ + 'text/plain' + 'text/html' + 'text/css' + 'text/javascript' + 'application/x-javascript' + 'application/javascript' + 'application/json' + 'application/xml' + ] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + queryStringCachingBehavior: 'IgnoreQueryString' + origins: [ + { + name: 'dep-${namePrefix}-cdn-endpoint01' + properties: { + hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + httpPort: 80 + httpsPort: 443 + enabled: true + } + } + ] + originGroups: [] + geoFilters: [] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + 
} +} + diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 0648822403..1212e7e137 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -102,9 +102,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -220,9 +218,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -316,9 +312,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { originResponseTimeoutSeconds: 60 roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -397,9 +391,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
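Review bot: All 103 old lines of this test file are shown as removed and re-added (`-1,103 +1,102`), although the only content change is `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` in the `roleAssignments` block; the rest looks like a line-ending or trailing-whitespace normalisation, though that cannot be confirmed from the rendered diff. Keeping such a normalisation in its own commit, or enforcing it through `.gitattributes`, would let reviewers see the one-line semantic change instead of a whole-file rewrite.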
@@ -539,7 +531,68 @@ Array of origin group objects. Required if the afdEndpoints is specified. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ruleSets` diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index 028821ae9a..c8371f87f5 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep 
@@ -57,13 +57,25 @@ param tags object = {} param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') + 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') + 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') + 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 
'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
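Review bot: The new `builtInRoleNames` lookup in this hunk is smaller than the one in the nested template it replaces: the removed template (visible in the main.json hunk further down) also resolved 'Azure Front Door Domain Contributor/Reader', 'Azure Front Door Secret Contributor/Reader' and the Log Analytics, Monitoring, Managed Application and Resource Policy roles by display name. After this change a caller passing one of those display names in `roleDefinitionIdOrName` falls through the `contains(builtInRoleNames, …)` check and the bare display name is sent as `roleDefinitionId`, which fails at deployment time instead of being caught earlier. Since this module also deploys Front Door profiles (the `Standard_AzureFrontDoor` test above), the four Front Door entries at least look worth carrying over, with the ids taken from the removed template. If the trimming is intentional, a comment on the variable stating that only CDN-specific and general roles are resolved by name would save the next maintainer the comparison.
```bicep
var builtInRoleNames = {
  'Azure Front Door Domain Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab34830-df19-4f8c-b84e-aa85b8afa6e8')
  'Azure Front Door Domain Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f99d363-226e-4dca-9920-b807cf8e1a5f')
  'Azure Front Door Secret Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f2eb865-5811-4578-b90a-6fc6fa0df8e5')
  'Azure Front Door Secret Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0db238c4-885e-4c4f-a933-aa2cef684fca')
  // … unchanged: CDN Endpoint/Profile, Contributor, Owner, Reader, RBAC Administrator, User Access Administrator entries …
}
```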
@@ -97,17 +109,18 @@ resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo scope: profile } -module profile_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-Profile-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: profile.id +resource profile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(profile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: profile }] module profile_endpoint 'endpoint/main.bicep' = if (!empty(endpointProperties)) { 
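Review bot: The deterministic name on the first added line hashes the raw `roleAssignment.roleDefinitionIdOrName`, not the resolved role definition id, so the same principal/role pair written once as a display name and once as a full ID produces two different resource names and a second assignment for an identical role, which the service is likely to reject as a duplicate; the nested template being removed hashed the same way, so this is a pre-existing gap rather than a regression. Hashing the resolved id instead, `name: guid(profile.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, would close it, at the cost of renaming existing assignments for callers who used display names, which would need a changelog entry. The trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`.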
@@ -223,3 +236,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json index 62440e268a..a7c0699e0d 100644 --- a/modules/cdn/profile/main.json +++ b/modules/cdn/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3308793853973967081" + "templateHash": "31081249188890418" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", 
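Review bot: The `conditionVersion` description in the new `roleAssignmentType` does not say that the value is ignored unless `condition` is also set and that `2.0` is substituted in that case, which is exactly what the resource in the previous hunk does; suggest `@description('Optional. Version of the condition. Only applied when condition is set, in which case it defaults to 2.0.')`. The `principalType` union lists `null` as a member and is also marked `?`, which is redundant; the compiled main.json below shows it folded into `"nullable": true`, so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same constraint. It would also help callers if the `principalId` description noted that `principalType` should be supplied for principals created in the same deployment, since a role assignment can otherwise be evaluated before the directory object is replicated; the updated test file already follows that pattern.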
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -144,8 +210,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -159,7 +224,18 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", + "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", + "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", + "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -206,154 +282,20 @@ "profile_roleAssignments": { "copy": { "name": "profile_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Profile-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Cdn/profiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), 
createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6345074970145673737" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Front Door Domain Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab34830-df19-4f8c-b84e-aa85b8afa6e8')]", - "Azure Front Door Domain Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f99d363-226e-4dca-9920-b807cf8e1a5f')]", - "Azure Front Door Secret Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f2eb865-5811-4578-b90a-6fc6fa0df8e5')]", - "Azure Front Door Secret Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0db238c4-885e-4c4f-a933-aa2cef684fca')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Cdn/profiles/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Cdn/profiles', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - 
"principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "profile" 
diff --git a/modules/cognitive-services/account/.bicep/nested_roleAssignments.bicep b/modules/cognitive-services/account/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 534b96aa8d..0000000000 --- a/modules/cognitive-services/account/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,92 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services Custom Vision Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3') - 'Cognitive Services Custom Vision Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f') - 'Cognitive Services Custom Vision Labeler': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c') - 'Cognitive Services Custom Vision Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '93586559-c37d-4a6b-ba08-b9f0940c2d73') - 'Cognitive Services Custom Vision Trainer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b') - 'Cognitive Services Data Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c') - 'Cognitive Services Face Recognizer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7') - 'Cognitive Services Immersive Reader User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d') - 'Cognitive Services Language Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498') - 'Cognitive Services Language Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e') - 'Cognitive Services Language Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8') - 'Cognitive Services LUIS Owner': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8') - 'Cognitive Services LUIS Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226') - 'Cognitive Services LUIS Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27') - 'Cognitive Services Metrics Advisor Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a') - 'Cognitive Services Metrics Advisor User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8') - 'Cognitive Services OpenAI Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442') - 'Cognitive Services OpenAI User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd') - 'Cognitive Services QnA Maker Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025') - 'Cognitive Services QnA Maker Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126') - 'Cognitive Services Speech Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181') - 'Cognitive Services Speech User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource account 'Microsoft.CognitiveServices/accounts@2022-12-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(account.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? 
builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: account -}] diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 16b050db44..5f9a58f7df 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep 
@@ -1,128 +1,127 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csacom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - kind: 'Face' - customSubDomainName: '${namePrefix}xdomain' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sku: 'S0' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'account' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This 
instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csacom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// 
============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + kind: 'Face' + customSubDomainName: '${namePrefix}xdomain' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'S0' + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'account' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 5613b3b75f..f4a53494f4 100644 --- a/modules/cognitive-services/account/README.md 
+++ b/modules/cognitive-services/account/README.md @@ -92,9 +92,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -192,9 +190,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -736,7 +732,68 @@ Restrict outbound network access. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index 9bee40a178..80194a13c1 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep 
@@ -96,7 +96,7 @@ param userAssignedIdentities object = {} param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -189,6 +189,38 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +var builtInRoleNames = { + 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') + 'Cognitive Services Custom Vision Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3') + 'Cognitive Services Custom Vision Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f') + 'Cognitive Services Custom Vision Labeler': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c') + 'Cognitive Services Custom Vision Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '93586559-c37d-4a6b-ba08-b9f0940c2d73') + 'Cognitive Services Custom Vision Trainer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b') + 'Cognitive Services Data Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c') + 'Cognitive Services Face Recognizer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7') + 'Cognitive Services Immersive Reader User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d') + 'Cognitive Services Language Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498') + 'Cognitive Services Language Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e') + 'Cognitive Services Language Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8') + 'Cognitive 
Services LUIS Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8') + 'Cognitive Services LUIS Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226') + 'Cognitive Services LUIS Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27') + 'Cognitive Services Metrics Advisor Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a') + 'Cognitive Services Metrics Advisor User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8') + 'Cognitive Services OpenAI Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442') + 'Cognitive Services OpenAI User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd') + 'Cognitive Services QnA Maker Editor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025') + 'Cognitive Services QnA Maker Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126') + 'Cognitive Services Speech Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181') + 'Cognitive Services Speech User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447') + 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
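Review bot: The inlined `builtInRoleNames` map silently drops several display names that the deleted `nested_roleAssignments.bicep` resolved — 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are present in the removed file but absent from the new var. Because the role-assignment resource later in this file falls back to passing the raw string as `roleDefinitionId` when `contains(builtInRoleNames, ...)` is false, a caller that still passes one of those names will now send a display name where a resource ID is expected and fail at deployment time rather than at validation. If the removal is intentional, it is a breaking change that belongs in the module's changelog/README; otherwise the eight entries should be restored, e.g. `'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')`.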
@@ -298,17 +330,18 @@ module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.b } }] -module cognitiveServices_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-CognitiveServices-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: cognitiveServices.id +resource cognitiveServices_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(cognitiveServices.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: cognitiveServices }] @description('The name of the cognitive services account.') 
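Review bot: The assignment `name` hashes the caller-supplied `roleDefinitionIdOrName` rather than the resolved role definition ID, so the same principal/role pair expressed once as `'Reader'` and once as its fully qualified ID produces two different resource names for what the service treats as one assignment; the second deployment would then, as far as I can tell, be rejected as a duplicate rather than be idempotent, and switching a caller from name to ID later creates a new assignment and orphans the old one. Resolving once and hashing the result keeps the name stable regardless of how the role was spelled: `name: guid(cognitiveServices.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Note this changes the computed name for existing name-based callers, so it would recreate their assignments on upgrade; the previous nested module had the same weakness, so this is a pre-existing issue carried over rather than one the hunk introduces. The lookup expression is duplicated between `name` and `roleDefinitionId`; a short comment explaining why (no `var` inside a `for` body) would help the next reader.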
@@ -340,3 +373,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index c4e3c4d5a8..757da4d9aa 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "333012564949665738" + "templateHash": "7200785404401861698" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", 
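Review bot: The `roleAssignmentType` descriptions leave out two caveats a consumer needs to get a correct, non-flaky assignment. For `principalType`, the description should say that it must be set to `'ServicePrincipal'` when `principalId` is a managed identity or service principal created in the same deployment, since the assignment can otherwise fail on directory replication lag — the common test in this commit already does this, but the type does not tell callers why; something like `@description('Optional. The principal type of the assigned principal ID. Set to ServicePrincipal when the principal is a managed identity or service principal created in the same deployment, so that role assignment does not fail on directory replication lag.')`. For `roleDefinitionIdOrName`, "If it cannot be found" is vague: only the display names present in `builtInRoleNames` resolve, and anything else (including a custom role's display name or a bare role GUID) must be the fully qualified role definition resource ID. As a style point, `('ServicePrincipal' | ... | 'Device' | null)?` is doubly nullable — the trailing `?` already admits null, so `| null` can go.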
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -191,8 +257,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -353,7 +418,38 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", + "Cognitive Services Custom Vision Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", + "Cognitive Services Custom Vision Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", + "Cognitive Services Custom Vision Labeler": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", + "Cognitive Services Custom Vision Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", + "Cognitive Services Custom Vision Trainer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", + "Cognitive Services Data Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", + "Cognitive Services Face Recognizer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7')]", + "Cognitive Services Immersive Reader User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d')]", + "Cognitive Services Language Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498')]", + "Cognitive Services Language Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e')]", + "Cognitive Services Language Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8')]", + "Cognitive Services LUIS Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8')]", + "Cognitive Services LUIS Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226')]", + "Cognitive Services LUIS Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27')]", + "Cognitive Services Metrics Advisor Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a')]", + "Cognitive Services Metrics Advisor User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8')]", + "Cognitive Services OpenAI Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')]", + "Cognitive Services OpenAI User": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')]", + "Cognitive Services QnA Maker Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", + "Cognitive Services QnA Maker Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126')]", + "Cognitive Services Speech Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181')]", + "Cognitive Services Speech User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447')]", + "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -462,6 +558,28 @@ "cognitiveServices" ] }, + "cognitiveServices_roleAssignments": { + "copy": { + "name": "cognitiveServices_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "cognitiveServices" + ] + }, 
"cognitiveServices_privateEndpoints": { "copy": { "name": "cognitiveServices_privateEndpoints", 
@@ -990,178 +1108,6 @@ "dependsOn": [ "cognitiveServices" ] - }, - "cognitiveServices_roleAssignments": { - "copy": { - "name": "cognitiveServices_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-CognitiveServices-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"2121072685211673304" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services Face Recognizer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7')]", - "Cognitive Services Immersive Reader User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b2de6794-95db-4659-8781-7e080d3f2b9d')]", - "Cognitive Services Language Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f07febfe-79bc-46b1-8b37-790e26e6e498')]", - "Cognitive Services Language Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7628b7b8-a8b2-4cdc-b46f-e9b35248918e')]", - "Cognitive Services Language Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8')]", - "Cognitive Services LUIS Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f72c8140-2111-481c-87ff-72b910f6e3f8')]", - "Cognitive Services LUIS Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e81cdc-4e98-4e29-a639-e7d10c5a6226')]", - "Cognitive Services LUIS Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6322a993-d5c9-4bed-b113-e49bbea25b27')]", - "Cognitive Services Metrics Advisor Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cb43c632-a144-4ec5-977c-e80c4affc34a')]", - "Cognitive Services Metrics Advisor User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3b20f47b-3825-43cb-8114-4bd2201156a8')]", - "Cognitive Services OpenAI Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')]", - "Cognitive Services OpenAI User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')]", - "Cognitive Services QnA Maker Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services Speech Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e75ca1e-0464-4b4d-8b93-68208a576181')]", - "Cognitive Services Speech User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f2dc8367-1007-4938-bd23-fe263f013447')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.CognitiveServices/accounts', 
last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "cognitiveServices" - ] } }, "outputs": { diff --git a/modules/compute/availability-set/.bicep/nested_roleAssignments.bicep b/modules/compute/availability-set/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index dae8e981ab..0000000000 --- a/modules/compute/availability-set/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource availabilitySet 'Microsoft.Compute/availabilitySets@2022-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(availabilitySet.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: availabilitySet -}] 
diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/.test/common/main.test.bicep index 7e6829e7a7..a82280e4e5 100644 --- a/modules/compute/availability-set/.test/common/main.test.bicep +++ b/modules/compute/availability-set/.test/common/main.test.bicep 
@@ -1,76 +1,75 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.availabilitysets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cascom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - proximityPlacementGroupResourceId: 
nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.availabilitysets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cascom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index cddca05dfe..0b835022f9 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -53,9 +53,7 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { proximityPlacementGroupResourceId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
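Review bot: Every line of main.test.bicep is removed and re-added with identical content, and the only functional change in the hunk is `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; the full rewrite looks like a line-ending or whitespace normalisation (the header counts 76 removed against 75 added lines, with one blank line appended at the end) that would be far easier to review as its own commit. The remaining entry still passes `roleDefinitionIdOrName: 'Reader'` only, so the name-to-ID lookup in `builtInRoleNames` is exercised but the documented fall-through that sends a fully qualified role definition ID straight into `roleDefinitionId` (visible in the compiled template earlier in this patch) is not; a second entry for a different low-privilege role written as `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ...)` would cover that branch without creating a duplicate Reader assignment for the same principal. Keeping `principalType: 'ServicePrincipal'` on the managed-identity entry is the right call now that the field is optional in the new `roleAssignmentType`, since omitting it tends to make assignments for an identity created in the same deployment fail on directory replication lag; a one-line comment such as `// principalType set explicitly: the MSI is created in this deployment` would stop it being dropped as "optional" later.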
@@ -101,9 +99,7 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -267,7 +263,68 @@ Resource ID of a proximity placement group. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep index 551732b90d..eb7de3b390 100644 --- a/modules/compute/availability-set/main.bicep +++ b/modules/compute/availability-set/main.bicep 
@@ -24,7 +24,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') param tags object = {} @@ -32,6 +32,15 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
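Review bot: `builtInRoleNames` in the `@@ -32` hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), while the `roleAssignments` description kept in the `@@ -24` hunk still tells callers they can provide the display name of any role definition; a name outside the map, such as `Virtual Machine Contributor` from the role list this commit removes from main.json, is now passed through as `roleDefinitionId` verbatim and fails at deployment time instead of being resolved. Either keep the longer list or narrow the description, e.g. `... you can provide the display name of one of the built-in roles listed in builtInRoleNames, or the fully qualified ID of any role definition ...`. The object literal also ends with an empty line before the closing brace (`'User Access Administrator': ...` followed by a blank `+` line and `+}`); dropping it matches how the other `var` blocks in this file are written.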
@@ -69,17 +78,18 @@ resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! scope: availabilitySet } -module availabilitySet_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AvSet-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: availabilitySet.id +resource availabilitySet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(availabilitySet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: availabilitySet }] @description('The name of the availability set.') 
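Review bot: The role assignment `name` is seeded with `roleAssignment.roleDefinitionIdOrName` as the caller supplied it, while `properties.roleDefinitionId` uses the resolved value, so the same logical assignment gets a different name depending on whether the caller writes `Reader` or the full `/providers/Microsoft.Authorization/roleDefinitions/...` ID; two entries for the same principal and role in different spellings would then produce two resources for one assignment at the same scope, which the platform is likely to reject as already existing. Seeding the guid with the resolved ID avoids that: `name: guid(availabilitySet.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The removed nested template used the same seed as the new code, so this would change names for deployments that already passed display names and, in incremental mode, leave the previous assignment in place — worth a note in the changelog if adopted. Separately, the inline comment on `conditionVersion` has a typo: `// Must only be set if condition is set`.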
@@ -105,3 +115,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json index 2431428757..36fcd16020 100644 --- a/modules/compute/availability-set/main.json +++ b/modules/compute/availability-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "215934081213678222" + "templateHash": "9800465206429537522" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", 
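Review bot: In `roleAssignmentType` the `principalType` member is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`; the trailing `?` already makes it nullable, so the `| null` alternative is redundant (the compiled `allowedValues` in main.json lists only the five strings with `"nullable": true`), and `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads like the other optional members. The description could also say why a caller should bother setting an optional field: `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. to ServicePrincipal) when assigning to a newly created identity, so the assignment does not fail on directory replication delay.')`.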
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -88,8 +154,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -109,6 +174,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -156,168 +230,20 @@ "availabilitySet_roleAssignments": { "copy": { "name": "availabilitySet_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AvSet-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/availabilitySets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/availabilitySets', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5622639352313082546" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/availabilitySets/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/availabilitySets', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "availabilitySet" diff --git a/modules/compute/disk-encryption-set/.bicep/nested_roleAssignments.bicep b/modules/compute/disk-encryption-set/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 41bc21d57e..0000000000 --- a/modules/compute/disk-encryption-set/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(diskEncryptionSet.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: diskEncryptionSet -}] 
diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep index caf5d3fd14..c3089e3cb5 100644 --- a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep 
@@ -1,78 +1,77 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdesap' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - keyName: 
nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdesap' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index 40abeb6339..f098a1a7a3 100644 --- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep 
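Review bot: Every line of accessPolicies/main.test.bicep is removed and re-added although the only content change is `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; the common/main.test.bicep hunk that follows has the same shape. A whole-file rewrite with identical text on both sides usually means the file's line endings changed alongside the edit, which hides the real change from review and from blame. If that is the cause, normalising line endings in a separate commit (or via `.gitattributes`) would reduce each of these hunks to a one-line change.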
@@ -1,85 +1,84 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdescom' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. 
A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - keyName: nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdescom' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: 
nestedDependencies.outputs.keyVaultResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: false + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index c1dc0eef08..ab8dcafd9f 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -49,9 +49,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -98,9 +96,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -153,9 +149,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -208,9 +202,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -356,7 +348,68 @@ The name of the disk encryption set that is being created. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `rotationToLatestKeyVersionEnabled` diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index 4a0bd45dd2..217d90e175 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep 
@@ -40,7 +40,7 @@ param systemAssignedIdentity bool = true
 param userAssignedIdentities object = {}
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the disk encryption resource.')
 param tags object = {}
@@ -55,6 +55,20 @@ var identity = {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 }
 
+var builtInRoleNames = {
+
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')
+  'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
+  'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
+  'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
+  'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
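Review bot: The new `builtInRoleNames` map carries only ten display names, while the removed `nested_roleAssignments.bicep` at the top of this chunk also resolved names such as 'Virtual Machine Contributor', 'Virtual Machine Administrator Login', 'Virtual Machine User Login', 'VM Scanner Operator' and 'Windows Admin Center Administrator Login'; a caller still passing one of those now has the bare string forwarded as `roleDefinitionId` by the fall-through in the role-assignment resource below and fails at deployment time rather than at validation. A comment above the map would make the contract explicit, e.g. `// Display names not listed here are forwarded verbatim as roleDefinitionId; pass the fully qualified role definition ID for any other role.` Since Owner, User Access Administrator and Role Based Access Control Administrator (Preview) each let the grantee create further role assignments, it would also help reviewers of consuming templates to note that these entries grant the ability to delegate access, not just to use the disk encryption set. The empty line after `var builtInRoleNames = {` looks unintended.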
@@ -77,7 +91,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
 }
 
 // Note: This is only enabled for user-assigned identities as the service's system-assigned identity isn't available during its initial deployment
-module keyVaultPermissions '.bicep/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityId, index) in items(userAssignedIdentities): {
+module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityId, index) in items(userAssignedIdentities): {
   name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVPermissions-${index}'
   params: {
     keyName: keyName
@@ -109,17 +123,18 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
   ]
 }
 
-module diskEncryptionSet_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-DiskEncrSet-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: diskEncryptionSet.id
+resource diskEncryptionSet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(diskEncryptionSet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: diskEncryptionSet
 }]
 
 resource diskEncryptionSet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
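Review bot: `name: guid(diskEncryptionSet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is built from the unresolved `roleDefinitionIdOrName`, so two entries that name the same role once by display name and once by ID get different resource names yet target the same assignment, and two entries with identical principal and role collide on the name; neither case is rejected by the type, so a comment on the `name:` line stating that each (principalId, roleDefinitionIdOrName) pair must be unique would save a confusing deployment error. The trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`. Because `principalType` is now passed through as `roleAssignment.?principalType` with no default, the docs for the type should presumably mention that callers assigning a freshly created service principal are expected to set it explicitly, since ARM may otherwise not resolve the principal; this is inferred from general Azure behaviour, not from the hunk.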
@@ -163,3 +178,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json
index 82d040ffa9..79860c078c 100644
--- a/modules/compute/disk-encryption-set/main.json
+++ b/modules/compute/disk-encryption-set/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "9514360048740923625"
+      "templateHash": "580365923172310918"
     },
     "name": "Disk Encryption Sets",
     "description": "This module deploys a Disk Encryption Set.",
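Review bot: In `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` the `| null` member is redundant with the trailing `?`; the compiled `roleAssignmentType` in main.json below lists only the five string values with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same type and matches the style of `conditionVersion: '2.0'?` in the same block. The description on `roleDefinitionIdOrName` could additionally state that only the display names present in `builtInRoleNames` resolve and that any other role must be given as its fully qualified role definition ID, so the constraint is visible to callers reading the generated README rather than only to those reading the resource body.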
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -118,8 +184,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -144,6 +209,18 @@ "identity": { "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", + "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", + "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", + "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", + "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -203,6 +280,28 @@ "keyVaultPermissions" ] }, + "diskEncryptionSet_roleAssignments": { + "copy": { + "name": "diskEncryptionSet_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "diskEncryptionSet" + ] + }, "diskEncryptionSet_lock": { 
"condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", 
@@ -502,176 +601,6 @@ "dependsOn": [ "keyVault" ] - }, - "diskEncryptionSet_roleAssignments": { - "copy": { - "name": "diskEncryptionSet_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DiskEncrSet-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17225067072833999246" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/diskEncryptionSets', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": 
"[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "diskEncryptionSet" - ] } }, "outputs": { diff --git a/modules/compute/disk-encryption-set/.bicep/nested_keyVaultPermissions.bicep b/modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep similarity index 100% rename from modules/compute/disk-encryption-set/.bicep/nested_keyVaultPermissions.bicep rename to modules/compute/disk-encryption-set/modules/nested_keyVaultPermissions.bicep diff --git a/modules/compute/disk-encryption-set/.bicep/nested_managedIdentityReference.bicep b/modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep similarity index 100% rename from modules/compute/disk-encryption-set/.bicep/nested_managedIdentityReference.bicep rename to modules/compute/disk-encryption-set/modules/nested_managedIdentityReference.bicep diff --git a/modules/compute/disk/.bicep/nested_roleAssignments.bicep b/modules/compute/disk/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index fe29113509..0000000000 --- a/modules/compute/disk/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')
- 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
- 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
- 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
-}
-
-resource disk 'Microsoft.Compute/disks@2022-07-02' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(disk.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: disk
-}]
diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/.test/common/main.test.bicep
index a2324a9a76..dfa0b2c401 100644
--- a/modules/compute/disk/.test/common/main.test.bicep
+++ b/modules/compute/disk/.test/common/main.test.bicep
@@ -1,80 +1,79 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'UltraSSD_LRS'
- diskIOPSReadWrite: 500
- diskMBpsReadWrite: 60
- diskSizeGB: 128
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- logicalSectorSize: 512
- osType: 'Windows'
- publicNetworkAccess: 'Enabled'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'UltraSSD_LRS'
+ diskIOPSReadWrite: 500
+ diskMBpsReadWrite: 60
+ diskSizeGB: 128
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ logicalSectorSize: 512
+ osType: 'Windows'
+ publicNetworkAccess: 'Enabled'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
+
diff --git a/modules/compute/disk/.test/image/main.test.bicep b/modules/compute/disk/.test/image/main.test.bicep
index 3c57deae15..faebcf95c8 100644
--- a/modules/compute/disk/.test/image/main.test.bicep
+++ b/modules/compute/disk/.test/image/main.test.bicep
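Review bot: The whole file is shown as removed and re-added although the only content change on the new side is `principalIds: [ … ]` collapsing to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; the old/new counts (80 to 79) are exactly that two-line reduction plus the trailing blank `+` line, so the remaining lines presumably differ only in line endings or trailing whitespace. Folding that normalisation into the same commit hides the real change from review and from `git blame`, and the same pattern appears in the image and import test hunks that follow. Consider committing the line-ending normalisation separately (or enforcing it once via a `.gitattributes` `text=auto` rule) so these three hunks shrink to their single-line change. Incidentally, the re-added `param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'` still carries the images module's prefix in a disk test; not a defect, but a value such as `'ms.compute.disks-${serviceShort}-rg'` (constructed example) would keep the test resource groups distinguishable.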
@@ -1,69 +1,68 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'FromImage'
- imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdimg'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'Standard_LRS'
+ createOption: 'FromImage'
+ imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
+
diff --git a/modules/compute/disk/.test/import/main.test.bicep b/modules/compute/disk/.test/import/main.test.bicep
index 2d16393ece..5c55c1a820 100644
--- a/modules/compute/disk/.test/import/main.test.bicep
+++ b/modules/compute/disk/.test/import/main.test.bicep
@@ -1,74 +1,73 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimp'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
- triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
- copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'Import'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- sourceUri: nestedDependencies.outputs.vhdUri
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdimp'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
+ triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
+ copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'Standard_LRS'
+ createOption: 'Import'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sourceUri: nestedDependencies.outputs.vhdUri
+ storageAccountId: nestedDependencies.outputs.storageAccountResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
+
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md
index 0a099cb76c..69240d24d3 100644
--- a/modules/compute/disk/README.md
+++ b/modules/compute/disk/README.md
@@ -61,9 +61,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { publicNetworkAccess: 'Enabled' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -127,9 +125,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -168,9 +164,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { imageReferenceId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -216,9 +210,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -256,9 +248,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -303,9 +293,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -603,7 +591,68 @@ Policy for controlling export on the disk. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securityDataUri` diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep index b97710495b..97763d0072 100644 --- a/modules/compute/disk/main.bicep +++ b/modules/compute/disk/main.bicep 
@@ -122,7 +122,7 @@ param acceleratedNetwork bool = false param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') param tags object = {} 
@@ -130,6 +130,19 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') + 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') + 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') + 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') + 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
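Review bot: The new `builtInRoleNames` map resolves only ten display names, whereas the nested template it replaces (visible in the removed `main.json` lines further down) resolved roughly three dozen, including `'Virtual Machine Contributor'` and the `'Log Analytics ...'` roles; a caller still passing one of the dropped names now has that string forwarded verbatim as `roleDefinitionId` and fails at deployment. That is a behaviour change worth stating in the parameter description or README rather than leaving to the deployment error. A header comment would also help readers of the map, e.g. `// Built-in roles resolvable by display name for this resource type; any other value is passed through unchanged as a role definition resource ID.` Keeping the list deliberately short is reasonable, since it still includes `Owner` and `User Access Administrator`, which allow further delegation at the disk scope.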
@@ -189,17 +202,18 @@ resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock scope: disk } -module disk_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AvSet-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: disk.id +resource disk_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(disk.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: disk }] @description('The resource group the disk was deployed into.') 
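Review bot: The assignment name on the `name:` line hashes the raw `roleDefinitionIdOrName`, while `roleDefinitionId` below resolves display names through `builtInRoleNames`, so the same role given once as `'Reader'` and once by its full definition ID yields two different GUIDs for one principal/role/scope triple, and the service is likely to reject the second as an already-existing assignment rather than dedupe it. Hashing the resolved ID keeps the name stable regardless of how the role was spelled: `name: guid(disk.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Note that this would change the computed name for existing deployments that used display names (the commit itself preserved the old nested module's inputs), so it needs a migration note if adopted. Separately, the trailing comment on the `conditionVersion` line misspells the field (`condtion`); suggest `// conditionVersion must only be set when a condition is set`.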
@@ -225,3 +239,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json index 48535f3bee..13b6907981 100644 --- a/modules/compute/disk/main.json +++ b/modules/compute/disk/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8327315950062299298" + "templateHash": "11610180604623373886" }, "name": "Compute Disks", "description": "This module deploys a Compute Disk", 
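Review bot: `principalType` on the new type lists `null` inside the union and also carries the `?` nullable suffix, which is redundant — the generated `main.json` below emits `allowedValues` without a null entry plus `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract. The `conditionVersion` description does not mention that the resource defaults it to `'2.0'` whenever a `condition` is supplied (see the `@@ -189,17 +202,18 @@` hunk above), which a caller would want to know; suggest `@description('Optional. Version of the condition. Defaults to \'2.0\' when a condition is set.')`. This type definition is presumably replicated in the other modules touched by this commit, so any wording change would need to be kept in sync there as well.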
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -257,8 +323,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -278,6 +343,20 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", + "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", + "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", + "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", + "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -344,168 +423,20 @@ "disk_roleAssignments": { "copy": { "name": "disk_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AvSet-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/disks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), 
createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/disks', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9743538331774034121" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/disks/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/disks', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ 
"disk" diff --git a/modules/compute/gallery/.bicep/nested_roleAssignments.bicep b/modules/compute/gallery/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ddb6cb7747..0000000000 --- a/modules/compute/gallery/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource gallery 'Microsoft.Compute/galleries@2021-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(gallery.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: gallery -}] 
diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/.test/common/main.test.bicep index df503cc635..82c3104ba6 100644 --- a/modules/compute/gallery/.test/common/main.test.bicep +++ b/modules/compute/gallery/.test/common/main.test.bicep 
@@ -1,201 +1,190 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cgcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - applications: [ - { - name: '${namePrefix}-${serviceShort}-appd-001' - } - { - name: '${namePrefix}-${serviceShort}-appd-002' - supportedOSType: 'Windows' - 
roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - } - ] - images: [ - { - name: '${namePrefix}-az-imgd-ws-001' - } - { - hyperVGeneration: 'V1' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: '${namePrefix}-az-imgd-ws-002' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sku: '2022-datacenter-azure-edition' - } - { - hyperVGeneration: 'V2' - isHibernateSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: '${namePrefix}-az-imgd-ws-003' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sku: '2022-datacenter-azure-edition-hibernate' - } - { - hyperVGeneration: 'V2' - isAcceleratedNetworkSupported: 'true' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 8 - minRecommendedMemory: 4 - minRecommendedvCPUs: 2 - name: '${namePrefix}-az-imgd-ws-004' - offer: 'WindowsServer' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsServer' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sku: '2022-datacenter-azure-edition-accnet' - } - { - hyperVGeneration: 'V2' - securityType: 'TrustedLaunch' - maxRecommendedMemory: 16 - maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - 
minRecommendedvCPUs: 2 - name: '${namePrefix}-az-imgd-wdtl-002' - offer: 'WindowsDesktop' - osState: 'Generalized' - osType: 'Windows' - publisher: 'MicrosoftWindowsDesktop' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sku: 'Win11-21H2' - } - { - hyperVGeneration: 'V2' - maxRecommendedMemory: 32 - maxRecommendedvCPUs: 4 - minRecommendedMemory: 4 - minRecommendedvCPUs: 1 - name: '${namePrefix}-az-imgd-us-001' - offer: '0001-com-ubuntu-server-focal' - osState: 'Generalized' - osType: 'Linux' - publisher: 'canonical' - sku: '20_04-lts-gen2' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cgcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + applications: [ + { + name: '${namePrefix}-${serviceShort}-appd-001' + } + { + name: '${namePrefix}-${serviceShort}-appd-002' + supportedOSType: 'Windows' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] + images: [ + { + name: '${namePrefix}-az-imgd-ws-001' + } + { + hyperVGeneration: 'V1' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-002' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition' + } + { + hyperVGeneration: 'V2' + isHibernateSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 
+ name: '${namePrefix}-az-imgd-ws-003' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-hibernate' + } + { + hyperVGeneration: 'V2' + isAcceleratedNetworkSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-004' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-accnet' + } + { + hyperVGeneration: 'V2' + securityType: 'TrustedLaunch' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-wdtl-002' + offer: 'WindowsDesktop' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsDesktop' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'Win11-21H2' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 32 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 1 + name: '${namePrefix}-az-imgd-us-001' + offer: '0001-com-ubuntu-server-focal' + osState: 'Generalized' + osType: 'Linux' + publisher: 'canonical' + sku: '20_04-lts-gen2' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 
'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index bc21780e0a..af9c047b55 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -55,9 +55,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { name: 'cgcom-appd-002' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -83,9 +81,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { publisher: 'MicrosoftWindowsServer' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -106,9 +102,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { publisher: 'MicrosoftWindowsServer' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -129,9 +123,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { publisher: 'MicrosoftWindowsServer' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -151,9 +143,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { publisher: 'MicrosoftWindowsDesktop' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -181,9 +171,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -223,9 +211,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "name": "cgcom-appd-002", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
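Review bot: The entire 201-line test file is shown as removed and re-added, although the only substantive change visible is each `principalIds: [ ... ]` entry becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, which suggests a line-ending or whitespace normalization was bundled with the RBAC change; landing that normalization separately (or reviewing with whitespace ignored) would keep the functional diff auditable. Every role assignment in the new test uses `roleDefinitionIdOrName: 'Reader'` with `principalType: 'ServicePrincipal'` and none sets `condition`, so the module's new `conditionVersion` gating is not exercised here; adding one entry such as `condition: '@Resource[Microsoft.Compute/galleries:Name] StringEqualsIgnoreCase \'${namePrefix}${serviceShort}001\''` would cover that path. The test also never passes a role by fully qualified ID, so the fallback branch of the name-or-ID lookup stays untested.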
@@ -255,9 +241,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "publisher": "MicrosoftWindowsServer", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -278,9 +262,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "publisher": "MicrosoftWindowsServer", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -301,9 +283,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "publisher": "MicrosoftWindowsServer", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -323,9 +303,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "publisher": "MicrosoftWindowsDesktop", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -357,9 +335,7 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -522,7 +498,68 @@ Name of the Azure Compute Gallery. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/compute/gallery/application/.bicep/nested_roleAssignments.bicep b/modules/compute/gallery/application/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ad474870b7..0000000000 --- a/modules/compute/gallery/application/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource galleryApplication 'Microsoft.Compute/galleries/applications@2022-03-03' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(galleryApplication.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: galleryApplication -}] 
diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md index 9f581840d4..1c393f79b8 100644 --- a/modules/compute/gallery/application/README.md +++ b/modules/compute/gallery/application/README.md 
@@ -120,7 +120,68 @@ The release note uri. Has to be a valid URL. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `supportedOSType` diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep index a8ed2be0ed..7ba3361d61 100644 --- a/modules/compute/gallery/application/main.bicep +++ b/modules/compute/gallery/application/main.bicep 
@@ -38,7 +38,7 @@ param supportedOSType string = 'Windows' param endOfLifeDate string = '' @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @sys.description('Optional. Tags for all resources.') param tags object = {} @@ -46,6 +46,15 @@ param tags object = {} @sys.description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.') param customActions array = [] +var builtInRoleNames = { + 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
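Review bot: The new `builtInRoleNames` map resolves only six display names, whereas the nested template this commit deletes resolved several dozen (for example 'Virtual Machine Contributor', 'Monitoring Reader', 'Log Analytics Reader'), yet the `@sys.description` on `roleAssignments` in the first hunk still says "you can provide either the display name of the role definition". Callers that relied on one of the dropped names will presumably now get a deployment failure rather than a resolved role, which is fail-closed but is a silent breaking change for this module. Suggest either restoring the broader map or making the contract explicit in the description: `Only the display names listed in builtInRoleNames resolve; any other role must be given as its fully qualified '/providers/Microsoft.Authorization/roleDefinitions/<guid>' ID.` and a matching line in the README.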
@@ -78,17 +87,18 @@ resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = { } } -module galleryApplication_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: application.id +resource application_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(application.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: application }] @sys.description('The resource group the image was deployed into.') 
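Review bot: `index` is declared in `[for (roleAssignment, index) in (roleAssignments ?? [])` but is no longer used now that the assignment name comes from `guid(application.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`; `[for roleAssignment in (roleAssignments ?? [])` reads cleaner. The trailing comment on the `conditionVersion` line has a typo (`condtion`); suggested wording: `// conditionVersion is only valid when a condition is set; default it to '2.0' in that case`. Note also that a `roleDefinitionIdOrName` missing from `builtInRoleNames` is passed through verbatim as `roleDefinitionId`, so a mistyped display name presumably surfaces as an ARM error about an invalid role definition at deployment time rather than a clear message; a short comment above the ternary, `// Unrecognised names are treated as a full roleDefinitions resource ID and will fail at deployment if invalid`, would save the next reader a debugging round.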
@@ -102,3 +112,29 @@ output name string = application.name @sys.description('The location the resource was deployed into.') output location string = application.location +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @sys.description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @sys.description('Optional. The description of the role assignment.') + description: string? + + @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @sys.description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @sys.description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json index c845191f4c..31d60925d6 100644 --- a/modules/compute/gallery/application/main.json +++ b/modules/compute/gallery/application/main.json 
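Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries both a `null` union member and the `?` optional marker; the compiled `main.json` in the next file lists only the five string `allowedValues` with `nullable: true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the redundancy and matches how `conditionVersion: '2.0'?` is written two fields below. The `roleDefinitionIdOrName` description says "If it cannot be found you can specify the role definition ID instead", but nothing in the type says which names can be found; consider pointing readers at the built-in map or the fully qualified ID format here, since this is the text that surfaces in editor tooling. If this module is typically used with managed identities created in the same deployment, it may also be worth noting on `principalType` that setting it to `ServicePrincipal` avoids lookup failures for principals that have not yet replicated — confirm against current ARM behaviour before adding that.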
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16139720757397534180" + "templateHash": "13186916483114520290" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -86,8 +155,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -107,8 +175,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -122,7 +200,13 @@ } } }, - { + "gallery": { + "existing": true, + "type": "Microsoft.Compute/galleries", + "apiVersion": "2022-03-03", + "name": "[parameters('galleryName')]" + }, + "application": { "type": "Microsoft.Compute/galleries/applications", "apiVersion": "2022-03-03", "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", 
@@ -136,179 +220,34 @@ "privacyStatementUri": "[parameters('privacyStatementUri')]", "releaseNoteUri": "[parameters('releaseNoteUri')]", "supportedOSType": "[parameters('supportedOSType')]" - } + }, + "dependsOn": [ + "gallery" + ] }, - { + "application_roleAssignments": { "copy": { - "name": "galleryApplication_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "name": "application_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13281580182526787077" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - 
"Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', 
split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + 
"description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" + "application" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -336,7 +275,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), '2022-03-03', 'full').location]" + "value": "[reference('application', '2022-03-03', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/gallery/image/.bicep/nested_roleAssignments.bicep b/modules/compute/gallery/image/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 3584f5ad8b..0000000000 --- a/modules/compute/gallery/image/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource galleryImage 'Microsoft.Compute/galleries/images@2021-10-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(galleryImage.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: galleryImage -}] 
diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md
index 3ad27fb151..1bba091667 100644
--- a/modules/compute/gallery/image/README.md
+++ b/modules/compute/gallery/image/README.md
@@ -237,7 +237,68 @@ The release note uri. Has to be a valid URL. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securityType` diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep index c6f89f3d76..e9e349d0db 100644 --- a/modules/compute/gallery/image/main.bicep +++ b/modules/compute/gallery/image/main.bicep 
@@ -117,11 +117,20 @@ param endOfLife string = ''
 param excludedDiskTypes array = []
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Tags for all resources.')
 param tags object = {}
 
+var builtInRoleNames = {
+ 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -201,17 +210,18 @@ resource image 'Microsoft.Compute/galleries/images@2022-03-03' = {
 }
 }
 
-module galleryImage_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: image.id
+resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: image
 }]
 
 @sys.description('The resource group the image was deployed into.')
@@ -225,3 +235,29 @@ output name string = image.name
 
 @sys.description('The location the resource was deployed into.')
 output location string = image.location
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @sys.description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @sys.description('Optional. The description of the role assignment.')
+ description: string?
+
+ @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @sys.description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json
index 27cd77a9d9..b823bbfc2d 100644
--- a/modules/compute/gallery/image/main.json
+++ b/modules/compute/gallery/image/main.json
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12756969313323460277" + "templateHash": "13132790244989513026" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -229,8 +298,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -243,8 +311,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -258,7 +336,13 @@ } } }, - { + "gallery": { + "existing": true, + "type": "Microsoft.Compute/galleries", + "apiVersion": "2022-03-03", + "name": "[parameters('galleryName')]" + }, + "image": { "type": "Microsoft.Compute/galleries/images", "apiVersion": "2022-03-03", "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", 
@@ -297,179 +381,34 @@ "disallowed": { "diskTypes": "[parameters('excludedDiskTypes')]" } - } + }, + "dependsOn": [ + "gallery" + ] }, - { + "image_roleAssignments": { "copy": { - "name": "galleryImage_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "name": "image_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11966293152836776526" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', 
split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/images', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" + "image" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -497,7 +436,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), '2022-03-03', 'full').location]" + "value": "[reference('image', '2022-03-03', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep index 414c4c94f1..46be75d168 100644 --- a/modules/compute/gallery/main.bicep +++ b/modules/compute/gallery/main.bicep 
@@ -22,7 +22,7 @@ param images array = []
 param lock lockType
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @sys.description('Optional. Tags for all resources.')
 param tags object = {}
@@ -32,6 +32,15 @@ param enableDefaultTelemetry bool = true
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
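Review bot: The new `builtInRoleNames` map resolves only six display names, whereas the nested template this commit removes (see the deleted `variables.builtInRoleNames` in the main.json hunks above) resolved roughly thirty, including 'Virtual Machine Contributor' and 'Monitoring Reader'; a caller still passing one of the dropped names will have that string forwarded verbatim as `roleDefinitionId`, which presumably fails only at deployment time rather than at validation. The `roleAssignments` description in the first hunk still promises 'either the display name of the role definition, or its fully qualified ID' without saying which names resolve, so it should name the supported set, e.g. append `Supported display names are the keys of the builtInRoleNames variable; any other role must be given as its fully qualified role definition ID.` The compiled image module main.json above shows the same reduction for modules/compute/gallery/image.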
@@ -63,17 +72,18 @@ resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 scope: gallery
 }
-module gallery_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Gallery-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: gallery.id
+resource gallery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(gallery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: gallery
 }]
 // Applications
@@ -150,3 +160,26 @@ type lockType = {
 @sys.description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @sys.description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @sys.description('Optional. The description of the role assignment.')
+ description: string?
+
+ @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @sys.description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json
index 4b41595c8f..49c768695e 100644
--- a/modules/compute/gallery/main.json
+++ b/modules/compute/gallery/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13827150813589575122"
+ "templateHash": "17534490293657424034"
 },
 "name": "Azure Compute Galleries",
 "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -82,8 +148,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -104,7 +169,15 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -149,168 +222,20 @@ "gallery_roleAssignments": { "copy": { "name": "gallery_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Gallery-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/galleries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/galleries', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14589885933064386870" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/galleries', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ 
"gallery" 
@@ -351,17 +276,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16139720757397534180" + "templateHash": "13186916483114520290" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -437,8 +431,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -458,8 +451,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -473,7 +476,13 @@ } } }, - { + "gallery": { + "existing": true, + "type": "Microsoft.Compute/galleries", + "apiVersion": "2022-03-03", + "name": "[parameters('galleryName')]" + }, + "application": { "type": "Microsoft.Compute/galleries/applications", "apiVersion": "2022-03-03", "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", 
@@ -487,179 +496,34 @@ "privacyStatementUri": "[parameters('privacyStatementUri')]", "releaseNoteUri": "[parameters('releaseNoteUri')]", "supportedOSType": "[parameters('supportedOSType')]" - } + }, + "dependsOn": [ + "gallery" + ] }, - { + "application_roleAssignments": { "copy": { - "name": "galleryApplication_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "name": "application_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13281580182526787077" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - 
"Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', 
split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + 
"description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name'))]" + "application" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -687,7 +551,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), '2022-03-03', 'full').location]" + "value": "[reference('application', '2022-03-03', 'full').location]" } } } 
@@ -744,17 +608,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12756969313323460277" + "templateHash": "13132790244989513026" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -973,8 +906,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -987,8 +919,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1002,7 +944,13 @@ } } }, - { + "gallery": { + "existing": true, + "type": "Microsoft.Compute/galleries", + "apiVersion": "2022-03-03", + "name": "[parameters('galleryName')]" + }, + "image": { "type": "Microsoft.Compute/galleries/images", "apiVersion": "2022-03-03", "name": "[format('{0}/{1}', parameters('galleryName'), parameters('name'))]", 
@@ -1041,179 +989,34 @@ "disallowed": { "diskTypes": "[parameters('excludedDiskTypes')]" } - } + }, + "dependsOn": [ + "gallery" + ] }, - { + "image_roleAssignments": { "copy": { - "name": "galleryImage_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "name": "image_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11966293152836776526" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', 
split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Compute/galleries/images', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name'))]" + "image" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -1241,7 +1044,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), '2022-03-03', 'full').location]" + "value": "[reference('image', '2022-03-03', 'full').location]" } } } diff --git a/modules/compute/image/.bicep/nested_roleAssignments.bicep b/modules/compute/image/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index a7d7af56cc..0000000000 --- a/modules/compute/image/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource image 'Microsoft.Compute/images@2022-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(image.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: image -}] 
diff --git a/modules/compute/image/.test/common/main.test.bicep b/modules/compute/image/.test/common/main.test.bicep index 64743cb96c..b7e33ae82f 100644 --- a/modules/compute/image/.test/common/main.test.bicep +++ b/modules/compute/image/.test/common/main.test.bicep 
@@ -1,88 +1,87 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicom' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' - 
triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' - copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' - } -} - -// ============== // -// Test Execution // -// ============== // -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - osAccountType: 'Premium_LRS' - osDiskBlobUri: nestedDependencies.outputs.vhdUri - osDiskCaching: 'ReadWrite' - osType: 'Windows' - hyperVGeneration: 'V1' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - zoneResilient: true - diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId - osState: 'Generalized' - diskSizeGB: 128 - tags: { - 'hidden-title': 'This is visible in the resource name' - tagA: 'You\'re it' - tagB: 'Player' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cicom' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' + triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' + copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + osAccountType: 'Premium_LRS' + osDiskBlobUri: nestedDependencies.outputs.vhdUri + osDiskCaching: 'ReadWrite' + osType: 'Windows' + hyperVGeneration: 'V1' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zoneResilient: true + diskEncryptionSetResourceId: 
nestedDependencies.outputs.diskEncryptionSetResourceId + osState: 'Generalized' + diskSizeGB: 128 + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'You\'re it' + tagB: 'Player' + } + } +} + diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 2616327300..20977af57d 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -54,9 +54,7 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { osState: 'Generalized' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -118,9 +116,7 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -274,7 +270,68 @@ This property allows you to specify the type of the OS that is included in the d Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `snapshotResourceId` diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep index 85d26d6a8a..203a121a09 100644 --- a/modules/compute/image/main.bicep +++ b/modules/compute/image/main.bicep 
@@ -27,7 +27,7 @@ param zoneResilient bool = false param hyperVGeneration string = 'V1' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -63,6 +63,14 @@ param dataDisks array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
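Review bot: The new `builtInRoleNames` map resolves only five display names, while the parameter description kept in this hunk still promises that "you can provide either the display name of the role definition" — and the deleted nested module resolved a far longer list (Virtual Machine Contributor, Log Analytics Reader, etc.). Any display name outside the five is now passed through verbatim as the role definition ID, so such a deployment should fail rather than over-grant, but the contract change is undocumented. Add a comment on the variable, `// Only these display names are resolved; any other roleDefinitionIdOrName value is used verbatim as the role definition resource ID`, and either narrow the @description or restore the dropped entries that callers of this module used.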
@@ -109,17 +117,18 @@ resource image 'Microsoft.Compute/images@2022-11-01' = { } } -module image_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-Image-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: image.id +resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: image }] @description('The resource ID of the image.') 
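Review bot: `name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the unresolved input, so the same role given once as `'Reader'` and once as its full definition ID yields two resource names for one logical assignment, and the second would presumably collide on the service side rather than dedupe here. Hashing the resolved value instead, `name: guid(image.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, makes the name canonical, though it also renames assignments already deployed from this module, so it needs a release note if adopted. The trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`.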
@@ -133,3 +142,29 @@ output name string = image.name @description('The location the resource was deployed into.') output location string = image.location +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json index 4d5551e4a8..2c9b478e60 100644 --- a/modules/compute/image/main.json +++ b/modules/compute/image/main.json 
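Review bot: In `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` the `| null` inside the union duplicates the trailing `?`; the other optional members use only `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the declaration consistent. The `condition` description also lacks the terminating period the neighbouring descriptions have, which shows up verbatim in the generated README table.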
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10714756522840080401" + "templateHash": "15652042467625410891" }, "name": "Images", "description": "This module deploys a Compute Image.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -64,8 +133,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -145,8 +213,17 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -160,7 +237,7 @@ } } }, - { + "image": { "type": "Microsoft.Compute/images", "apiVersion": "2022-11-01", "name": "[parameters('name')]", 
@@ -187,177 +264,29 @@ "sourceVirtualMachine": "[if(not(empty(parameters('sourceVirtualMachineResourceId'))), createObject('id', parameters('sourceVirtualMachineResourceId')), null())]" } }, - { + "image_roleAssignments": { "copy": { "name": "image_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Image-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/images/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/images', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/images', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17260715174516023943" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/images/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/images', last(split(parameters('resourceId'), '/'))), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/images', parameters('name'))]" + "image" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -385,7 +314,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/images', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('image', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/proximity-placement-group/.bicep/nested_roleAssignments.bicep b/modules/compute/proximity-placement-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 942fdd1682..0000000000 --- a/modules/compute/proximity-placement-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2021-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(proximityPlacementGroup.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: proximityPlacementGroup -}] 
diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/.test/common/main.test.bicep index ffa39a5ba6..ebd18b054a 100644 --- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep +++ b/modules/compute/proximity-placement-group/.test/common/main.test.bicep 
@@ -1,90 +1,89 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.proximityplacementgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cppgcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 
'ServicePrincipal' - } - ] - zones: [ - '1' - ] - type: 'Standard' - tags: { - 'hidden-title': 'This is visible in the resource name' - TagA: 'Would you kindly...' - TagB: 'Tags for sale' - } - colocationStatus: { - code: 'ColocationStatus/Aligned' - displayStatus: 'Aligned' - level: 'Info' - message: 'I\'m a default error message' - } - intent: { - vmSizes: [ - 'Standard_B1ms' - 'Standard_B4ms' - ] - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.proximityplacementgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cppgcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zones: [ + '1' + ] + type: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + TagA: 'Would you kindly...' + TagB: 'Tags for sale' + } + colocationStatus: { + code: 'ColocationStatus/Aligned' + displayStatus: 'Aligned' + level: 'Info' + message: 'I\'m a default error message' + } + intent: { + vmSizes: [ + 'Standard_B1ms' + 'Standard_B4ms' + ] + } + } +} + diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 36c6b39b63..44c419f431 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md 
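Review bot: The only functional change in this test file is `principalIds: [ … ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, yet every one of the 90 lines shows as removed and re-added, which looks like a line-ending or whitespace normalisation folded into the commit. That hides the one line a reviewer needs to see and makes `git blame` attribute the whole file to this change; committing the normalisation separately (or pinning `eol` in `.gitattributes`) keeps the functional diff reviewable. The test also only exercises a plain `Reader` assignment, so the new `condition`/`conditionVersion` handling in `main.bicep` is not covered; a second entry with a `condition` set would give the new code path a deployment test.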
@@ -64,9 +64,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -129,9 +127,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -296,7 +292,68 @@ The name of the proximity placement group that is being created. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep index 3aea13dd5b..363c1885ac 100644 --- a/modules/compute/proximity-placement-group/main.bicep +++ b/modules/compute/proximity-placement-group/main.bicep 
@@ -19,7 +19,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the proximity placement group resource.')
 param tags object = {}
@@ -36,6 +36,14 @@ param enableDefaultTelemetry bool = true
 @description('Optional. Specifies the user intent of the proximity placement group.')
 param intent object = {}
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
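Review bot: The `builtInRoleNames` map added in the `@@ -36,6 +36,14 @@` hunk resolves five display names, whereas the deleted `nested_roleAssignments.bicep` earlier in this commit resolved over thirty (for example 'Virtual Machine Contributor' or 'Disk Snapshot Contributor'); a caller still passing one of the dropped names will have it forwarded verbatim as `roleDefinitionId` by the `contains(builtInRoleNames, …)` fallback in the role-assignment resource and fail at deployment time with an invalid role definition ID instead of a clear validation message. If the narrowing is intended, the `roleAssignments` description in the first hunk should say so, e.g. `Only the display names listed in builtInRoleNames are resolved; pass the fully qualified role definition ID for any other role.`, and the change should be called out as breaking in the module changelog. The description also still reads as if `roleAssignments` were a plain array (`Optional. Array of role assignment objects …`); now that it is typed, pointing readers at `roleAssignmentType` would help.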
@@ -69,17 +77,18 @@ resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01'
   scope: proximityPlacementGroup
 }
 
-module proximityPlacementGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-ProxPlaceGroup-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: proximityPlacementGroup.id
+resource proximityPlacementGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(proximityPlacementGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: proximityPlacementGroup
 }]
 
 @description('The name of the proximity placement group.')
</gr_insert_placeholder_never_emitted>
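Review bot: The trailing comment on the `conditionVersion` line misspells the word (`condtion`) and states the rule without its reason; `// conditionVersion is only accepted by the role-assignment API together with a condition` reads better. The resource `name` is `guid(proximityPlacementGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so two `roleAssignments` entries that differ only in `condition` or `description` would, as far as I can tell, collide on the same resource name and fail template validation as duplicate resources; if one assignment per principal/role pair per scope is the intended contract, a one-line comment above `name:` saying so would save the next reader the question. The loop variable `index` is no longer used now that the name is derived from `guid(...)`, so `[for roleAssignment in (roleAssignments ?? []): {` would be the tidier form.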
@@ -105,3 +114,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index cf86736c07..213b46fea4 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9736582155386866738" + "templateHash": "7967405335324639786" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", 
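Review bot: The description of `condition` in the new `roleAssignmentType` says it "limits the resources it can be assigned to", which misstates what an ABAC condition does: the assignment is still created at this resource's scope, and the condition narrows which requests the granted role applies to. Suggested wording: `Optional. An ABAC condition that further restricts the actions granted by this assignment (e.g. @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"). If set, conditionVersion defaults to 2.0.` For `principalType`, Azure's RBAC guidance as I recall it (worth confirming) is to set `ServicePrincipal` explicitly for freshly created identities so the assignment does not fail on directory replication lag, and the description could carry that hint. The `type` block is complete within the hunk.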
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -71,8 +137,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -113,6 +178,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -158,168 +232,20 @@ "proximityPlacementGroup_roleAssignments": { "copy": { "name": "proximityPlacementGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ProxPlaceGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "843117559787773713" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/proximityPlacementGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "proximityPlacementGroup" diff --git a/modules/compute/ssh-public-key/.bicep/nested_roleAssignments.bicep b/modules/compute/ssh-public-key/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b7f80f662b..0000000000 --- a/modules/compute/ssh-public-key/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(resourceId, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: sshKey -}] 
diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index 210914120a..c0c7d0c68d 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md 
@@ -210,7 +210,68 @@ SSH public key used to authenticate to a virtual machine through SSH. If this pr Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/compute/ssh-public-key/main.bicep b/modules/compute/ssh-public-key/main.bicep index be80807c30..e32c99c496 100644 --- a/modules/compute/ssh-public-key/main.bicep +++ b/modules/compute/ssh-public-key/main.bicep 
@@ -17,7 +17,7 @@ param publicKey string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') param tags object = {} @@ -25,6 +25,14 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
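Review bot: Same concern as for the proximity-placement-group module in this patch: `builtInRoleNames` here resolves only five display names, and an unrecognised `roleDefinitionIdOrName` is forwarded verbatim as `roleDefinitionId` by the resource added further down, so a typo or an unlisted role name surfaces only as a deployment error. The `roleAssignments` `@description` should list the resolvable names and state that anything else must be a full role definition resource ID, e.g. append `Built-in role names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator.` If the per-module duplication of this map is intentional, a one-line comment saying so (`// Intentionally per-module; keep in sync with the other modules' maps`) would stop a future reader from "deduplicating" it into a shared file.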
@@ -55,17 +63,18 @@ resource sshPublicKey_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp scope: sshPublicKey } -module sshPublicKey_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-sshPublicKey-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: sshPublicKey.id +resource sshPublicKey_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(sshPublicKey.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: sshPublicKey }] @description('The name of the Resource Group the Public SSH Key was created in.') 
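Review bot: `roleDefinitionId` is computed as `contains(builtInRoleNames, ...) ? builtInRoleNames[...] : roleAssignment.roleDefinitionIdOrName`, so a misspelt role name is not caught here but forwarded as if it were a resource ID; because the same raw string is also hashed into `guid(...)` for `name`, later correcting the spelling or switching from name to ID produces a new assignment name instead of updating the existing one. Worth a comment at the `name:` line: `// Name hashes the raw roleDefinitionIdOrName for stability with the previous nested template; correcting a name or switching name<->ID later yields a new assignment name.` The `conditionVersion` comment has a typo, `condtion` → `condition`. The `sshPublicKey` resource this is scoped to is declared outside the hunk.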
@@ -91,3 +100,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json index ba8c7cbd15..943b880282 100644 --- a/modules/compute/ssh-public-key/main.json +++ b/modules/compute/ssh-public-key/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5313076718925573271" + "templateHash": "15947534421126412986" }, "name": "Public SSH Keys", "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.", 
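Review bot: The `condition` description in this `roleAssignmentType` ("limits the resources it can be assigned to") describes ABAC conditions inaccurately; the assignment is created at the SSH key's scope regardless, and the condition narrows the actions the role grants. Suggested wording: `Optional. An ABAC condition that further restricts the actions granted by this assignment. If set, conditionVersion defaults to 2.0.` The `conditionVersion` description should also state that it is ignored unless `condition` is set, which is what the resource above does with `!empty(roleAssignment.?condition) ? ... : null`. Since this type is copied into each module rather than shared, drift between copies is likely, so a comment naming which copy is canonical would help.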
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -67,8 +133,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -88,6 +153,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -130,168 +204,20 @@ "sshPublicKey_roleAssignments": { "copy": { "name": "sshPublicKey_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-sshPublicKey-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/sshPublicKeys/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/sshPublicKeys', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/sshPublicKeys', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12934875075357551454" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/sshPublicKeys/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(parameters('resourceId'), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "sshPublicKey" 
diff --git a/modules/compute/virtual-machine-scale-set/.bicep/nested_roleAssignments.bicep b/modules/compute/virtual-machine-scale-set/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2bacbe066d..0000000000 --- a/modules/compute/virtual-machine-scale-set/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(vmss.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: vmss -}] 
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep index 918b24bc6f..66ed49e535 100644 --- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep 
@@ -1,198 +1,197 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmsslin' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' - sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 
'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - adminUsername: 'scaleSetAdmin' - imageReference: { - publisher: 'Canonical' - offer: '0001-com-ubuntu-server-jammy' - sku: '22_04-lts-gen2' - version: 'latest' - } - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - availabilityZones: [ - '2' - ] - bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '256' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - disablePasswordAuthentication: true - encryptionAtHost: false - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: nestedDependencies.outputs.storageAccountResourceId - uri: nestedDependencies.outputs.storageAccountCSEFileUrl - } - ] - protectedSettings: { - commandToExecute: 
'sudo apt-get update' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl - KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyVaultURL: nestedDependencies.outputs.keyVaultUrl - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: nestedDependencies.outputs.subnetResourceId - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: nestedDependencies.outputs.SSHKeyPublicKey - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - roleDefinitionIdOrName: 'Reader' - } - ] - scaleSetFaultDomain: 1 - skuCapacity: 1 - systemAssignedIdentity: true - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - vmNamePrefix: 'vmsslinvm' - vmPriority: 'Regular' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' + +@description('Optional. 
The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cvmsslin' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' + sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module 
testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + adminUsername: 'scaleSetAdmin' + imageReference: { + publisher: 'Canonical' + offer: '0001-com-ubuntu-server-jammy' + sku: '22_04-lts-gen2' + version: 'latest' + } + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + skuName: 'Standard_B12ms' + availabilityZones: [ + '2' + ] + bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName + dataDisks: [ + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '256' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + disablePasswordAuthentication: true + encryptionAtHost: false + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + uri: nestedDependencies.outputs.storageAccountCSEFileUrl + } + ] + protectedSettings: { + commandToExecute: 'sudo apt-get update' + } + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: 
nestedDependencies.outputs.keyVaultEncryptionKeyUrl + KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyVaultURL: nestedDependencies.outputs.keyVaultUrl + ResizeOSDisk: 'false' + VolumeType: 'All' + } + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: nestedDependencies.outputs.subnetResourceId + } + } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ + { + keyData: nestedDependencies.outputs.SSHKeyPublicKey + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + } + ] + scaleSetFaultDomain: 1 + skuCapacity: 1 + systemAssignedIdentity: true + upgradePolicyMode: 'Manual' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + vmNamePrefix: 'vmsslinvm' + vmPriority: 'Regular' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep index 467fd37f32..b4e0eca794 100644 --- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep 
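Review bot: The new-side `roleAssignments` entry assigns `Reader` to `nestedDependencies.outputs.managedIdentityPrincipalId`, an identity created by the `nestedDependencies` module in the same deployment, without setting `principalType`; Azure's guidance for principals created in the same deployment is to set `principalType: 'ServicePrincipal'` so the assignment does not fail on directory replication delay. Adding that one line next to `roleDefinitionIdOrName: 'Reader'` makes the validation run deterministic. Apart from that entry, this hunk removes and re-adds every line of the file with the content otherwise identical, which is presumably a line-ending normalisation — worth stating in the commit so reviewers are not hunting for a functional change across 200 lines.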
@@ -1,194 +1,193 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmsswin' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - 
params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - adminUsername: 'localAdminUser' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - adminPassword: password - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: true - Exclusions: { - Extensions: '.log;.ldf' - Paths: 'D:\\IISlogs;D:\\DatabaseLogs' - Processes: 'mssence.svc' - } - RealtimeProtectionEnabled: true - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: nestedDependencies.outputs.storageAccountResourceId - uri: nestedDependencies.outputs.storageAccountCSEFileUrl - } - ] - protectedSettings: { - commandToExecute: 'powershell 
-ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' - } - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl - KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyVaultURL: nestedDependencies.outputs.keyVaultUrl - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionDSCConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: nestedDependencies.outputs.subnetResourceId - } - } - } - ] - nicSuffix: '-nic01' - } - ] - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - roleDefinitionIdOrName: 'Reader' - } - ] - skuCapacity: 1 - systemAssignedIdentity: true - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - vmNamePrefix: 'vmsswinvm' - vmPriority: 'Regular' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' + +@description('Optional. 
The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cvmsswin' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== 
// +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + adminUsername: 'localAdminUser' + imageReference: { + publisher: 'MicrosoftWindowsServer' + offer: 'WindowsServer' + sku: '2022-datacenter-azure-edition' + version: 'latest' + } + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + skuName: 'Standard_B12ms' + adminPassword: password + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + encryptionAtHost: false + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: true + Exclusions: { + Extensions: '.log;.ldf' + Paths: 'D:\\IISlogs;D:\\DatabaseLogs' + Processes: 'mssence.svc' + } + RealtimeProtectionEnabled: true + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + uri: nestedDependencies.outputs.storageAccountCSEFileUrl + } + ] + protectedSettings: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' + } + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: 
nestedDependencies.outputs.keyVaultResourceId + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl + KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyVaultURL: nestedDependencies.outputs.keyVaultUrl + ResizeOSDisk: 'false' + VolumeType: 'All' + } + } + extensionDSCConfig: { + enabled: true + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: nestedDependencies.outputs.subnetResourceId + } + } + } + ] + nicSuffix: '-nic01' + } + ] + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 1 + systemAssignedIdentity: true + upgradePolicyMode: 'Manual' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + vmNamePrefix: 'vmsswinvm' + vmPriority: 'Regular' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 0bef11fad9..434217f815 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -154,9 +154,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' roleDefinitionIdOrName: 'Reader' } ] 
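Review bot: The whole Windows test file is shown as removed and re-added (`-1,194 +1,193`) although the only content change visible is the `roleAssignments` entry going from `principalIds: [ ... ]` to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; this looks like a line-ending or encoding normalization rather than a content edit, which hides the one functional change from review and from blame. Normalizing line endings in a separate commit, or via a `.gitattributes` rule, would keep this hunk to its three changed lines. The Linux test file hunk before it appears to have the same shape, but its start is outside this view.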
@@ -348,9 +346,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "roleDefinitionIdOrName": "Reader" } ] @@ -829,9 +825,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se proximityPlacementGroupResourceId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' roleDefinitionIdOrName: 'Reader' } ] @@ -1014,9 +1008,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "roleDefinitionIdOrName": "Reader" } ] 
@@ -1665,7 +1657,68 @@ The list of SSH public keys used to authenticate with linux based VMs. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sasTokenValidityLength` diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index d7da341351..aa0e1dff83 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep 
@@ -47,7 +47,7 @@ param adminPassword string = ''
 param customData string = ''
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Fault Domain count for each placement group.')
 param scaleSetFaultDomain int = 2
@@ -325,6 +325,27 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') + 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') + 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') + 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') + 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') + 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') + 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') + 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') + 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') + 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') + 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') + 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -624,17 +645,18 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
   scope: vmss
 }
 
-module vmss_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-VMSS-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: vmss.id
+resource vmss_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(vmss.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: vmss
 }]
 
 @description('The resource ID of the virtual machine scale set.')
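Review bot: The assignment name on the `name:` line is derived from the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same principal/role pair gets a different name depending on whether the caller passed the display name or the full definition ID, and a redeploy that switches between the two forms would try to create a second assignment for an identical principal/role/scope, which the service rejects as already existing. Use the resolved ID, the expression already computed for `roleDefinitionId`, in the guid: `name: guid(vmss.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. A display name that is not a key of `builtInRoleNames` is passed through unchanged as `roleDefinitionId` and only fails at deployment time, so a one-line comment above the `roleDefinitionId:` line stating that fall-through would help callers. The trailing comment on the `conditionVersion` line has a typo, `condtion` should read `condition`.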
@@ -663,3 +685,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json
index 9274a59e54..3fb151f8a4 100644
--- a/modules/compute/virtual-machine-scale-set/main.json
+++ b/modules/compute/virtual-machine-scale-set/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "6686356746172129467"
+      "templateHash": "12697907700096334702"
     },
     "name": "Virtual Machine Scale Sets",
     "description": "This module deploys a Virtual Machine Scale Set.",
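Review bot: In the `principalType` member, the union already lists `null` and the property is also marked nullable with `?`, so one of the two is redundant; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and matches how the other optional members of `roleAssignmentType` are written. The `principalType` description would also be more useful if it said why a caller should set it: for a freshly created service principal, passing `principalType: 'ServicePrincipal'` avoids assignment failures caused by directory replication delay. Suggested text: `@description('Optional. The principal type of the assigned principal ID. Set it explicitly (e.g. ServicePrincipal) for newly created identities to avoid replication-delay failures.')`.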
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -135,8 +201,7 @@
       }
     },
     "roleAssignments": {
-      "type": "array",
-      "defaultValue": [],
+      "$ref": "#/definitions/roleAssignmentType",
       "metadata": {
         "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
       }
@@ -649,7 +714,27 @@ }, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", + "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", + "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", + "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", + "Disk Snapshot Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]" + } }, "resources": { "defaultTelemetry": { 
@@ -829,6 +914,28 @@ "vmss" ] }, + "vmss_roleAssignments": { + "copy": { + "name": "vmss_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "vmss" + ] + }, "vmss_domainJoinExtension": { "condition": 
"[parameters('extensionDomainJoinConfig').enabled]", "type": "Microsoft.Resources/deployments", 
@@ -2323,176 +2430,6 @@ "vmss_customScriptExtension", "vmss_microsoftMonitoringAgentExtension" ] - }, - "vmss_roleAssignments": { - "copy": { - "name": "vmss_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VMSS-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"2683570948982482973" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": 
"[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "vmss" - ] } }, "outputs": { diff --git a/modules/compute/virtual-machine/.bicep/nested_roleAssignments.bicep b/modules/compute/virtual-machine/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9cc3dcf757..0000000000 --- a/modules/compute/virtual-machine/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,90 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - -resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(virtualMachine.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: virtualMachine -}] 
diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep index 7b2171042f..bca0ffc1c5 100644 --- a/modules/compute/virtual-machine/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep @@ -103,9 +103,8 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' } ] @@ -122,9 +121,8 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' } ] @@ -262,9 +260,8 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep index d6395c280a..568a50982e 100644 --- a/modules/compute/virtual-machine/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep 
@@ -1,302 +1,297 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmwincom' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - location: location - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// Diagnostics 
-// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - location: location - name: '${namePrefix}${serviceShort}' - computerName: '${namePrefix}winvm1' - adminUsername: 'VMAdmin' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - loadBalancerBackendAddressPools: [ - { - id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - } - zones: [ - '1' - '2' - '3' - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - } - ] - osDisk: { - caching: 'None' - createOption: 
'fromImage' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - adminPassword: password - availabilityZone: 2 - backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName - backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName - backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName - dataDisks: [ - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - enableAutomaticUpdates: true - patchMode: 'AutomaticByPlatform' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: nestedDependencies.outputs.storageAccountResourceId - uri: nestedDependencies.outputs.storageAccountCSEFileUrl - } - ] - tags: { - 'hidden-title': 'This is 
visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl - KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyVaultURL: nestedDependencies.outputs.keyVaultUrl - ResizeOSDisk: 'false' - VolumeType: 'All' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - } - extensionAadJoinConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - proximityPlacementGroupResourceId: 
nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cvmwincom' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + location: location + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + location: location + name: '${namePrefix}${serviceShort}' + 
computerName: '${namePrefix}winvm1' + adminUsername: 'VMAdmin' + imageReference: { + publisher: 'MicrosoftWindowsServer' + offer: 'WindowsServer' + sku: '2019-datacenter' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + loadBalancerBackendAddressPools: [ + { + id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + zones: [ + '1' + '2' + '3' + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] + osDisk: { + caching: 'None' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_DS2_v2' + adminPassword: password + availabilityZone: 2 + backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName + backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName + backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName + dataDisks: [ + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + enableAutomaticUpdates: true + patchMode: 'AutomaticByPlatform' + diagnosticStorageAccountId: 
diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + encryptionAtHost: false + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: 'true' + Exclusions: { + Extensions: '.ext1;.ext2' + Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' + Processes: 'excludedproc1.exe;excludedproc2.exe' + } + RealtimeProtectionEnabled: 'true' + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + uri: nestedDependencies.outputs.storageAccountCSEFileUrl + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptProtectedSetting: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' + } + extensionDependencyAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl + KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyVaultURL: nestedDependencies.outputs.keyVaultUrl + ResizeOSDisk: 
'false' + VolumeType: 'All' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + } + extensionAadJoinConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionDSCConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionMonitoringAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionNetworkWatcherAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 9fbeb457c1..871b4ed5c5 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md 
@@ -79,9 +79,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { publicIpNameSuffix: '-pip-01' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -98,9 +96,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { nicSuffix: '-nic-01' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -243,9 +239,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -308,9 +302,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "publicIpNameSuffix": "-pip-01", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -327,9 +319,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "nicSuffix": "-nic-01", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -536,9 +526,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -924,9 +912,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { publicIpNameSuffix: '-pip-01' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -943,9 +929,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { nicSuffix: '-nic-01' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -1106,9 +1090,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { proximityPlacementGroupResourceId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -1171,9 +1153,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "publicIpNameSuffix": "-pip-01", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -1190,9 +1170,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "nicSuffix": "-nic-01", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -1419,9 +1397,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -2406,7 +2382,68 @@ The list of SSH public keys used to authenticate with linux based VMs. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sasTokenValidityLength` diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index b3c15c8c7f..ba623225aa 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep 
@@ -239,7 +239,7 @@ param diagnosticEventHubName string = ''
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -363,6 +363,27 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')
+ 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')
+ 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
+ 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+ 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
+ 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
+ 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
+ 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
+ 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
+ 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+ 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
+ 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -375,7 +396,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-module vm_nic '.bicep/nested_networkInterface.bicep' = [for (nicConfiguration, index) in nicConfigurations: {
+module vm_nic 'modules/nested_networkInterface.bicep' = [for (nicConfiguration, index) in nicConfigurations: {
 name: '${uniqueString(deployment().name, location)}-VM-Nic-${index}'
 params: {
 networkInterfaceName: '${name}${nicConfiguration.nicSuffix}'
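Review bot: `builtInRoleNames` deserves a short header comment, because it is the only lookup the module consults before falling back to the raw string in the `vm_roleAssignments` resource further down: a display name that is not in this map is passed through unchanged as `roleDefinitionId`, and the deployment then fails on an invalid resource ID rather than with a clear "unknown role" message. Suggest `// Built-in role display names this module can resolve locally; any other role must be supplied as a full roleDefinitions resource ID.` placed above the `var`. The lookup is presumably an exact match on the display name, which is worth stating in the same comment so callers do not expect case-insensitive or partial matching.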
@@ -706,17 +727,18 @@ resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ??
 scope: vm
 }
-module vm_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-VM-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: vm.id
+resource vm_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(vm.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: vm
 }]
 @description('The name of the VM.')
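Review bot: The assignment name is hashed from the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same role supplied once as a display name and once as its full definition ID yields two different names for one (principal, role) pair, and ARM would presumably reject the second as a duplicate assignment instead of treating it as the same one. Hashing the resolved ID makes the key canonical: `name: guid(vm.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)` — at the cost of renaming assignments that earlier versions created from a display name, which is worth calling out in the changelog if adopted. The inline comment on `conditionVersion` has a typo; it should read `// Must only be set if condition is set`.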
@@ -745,3 +767,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json
index c2ef35d1a5..6188582242 100644
--- a/modules/compute/virtual-machine/main.json
+++ b/modules/compute/virtual-machine/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "6984217347675709865"
+ "templateHash": "17296216559349998726"
 },
 "name": "Virtual Machines",
 "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.",
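Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property nullable with `?`; one of the two is redundant, and the compiled `main.json` in this same commit emits only `"nullable": true` with the five string values, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the form that matches the output. The `@description` on `principalType` could also say when setting it matters: as far as I recall Azure recommends specifying it for a principal created in the same deployment (for example a new service principal) so the assignment does not fail while the directory object is still propagating, e.g. `Optional. The principal type of the assigned principal ID. Recommended when the principal was created in the same deployment, e.g. a new service principal.` The adjacent `main.json` hunk is generated output and needs no separate review.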
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -495,8 +561,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -655,7 +720,27 @@ }, "identityType": "[if(if(parameters('extensionAadJoinConfig').enabled, true(), parameters('systemAssignedIdentity')), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", + "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", + "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", + "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", + 
"Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]" + } }, "resources": { "defaultTelemetry": { 
@@ -804,6 +889,28 @@ "vm" ] }, + "vm_roleAssignments": { + "copy": { + "name": "vm_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "vm" + ] + }, "vm_nic": { "copy": { "name": "vm_nic", 
@@ -877,7 +984,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12516880950554869158" + "templateHash": "586060813007467238" } }, "definitions": { @@ -1059,7 +1166,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -1090,6 +1197,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1234,8 +1407,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1310,7 +1482,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1382,175 +1563,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" @@ -1667,7 +1692,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3998904758858607142" + "templateHash": "11496161506514027711" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", 
@@ -1698,6 +1723,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1802,8 +1893,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -1867,7 +1957,16 @@ "enabled": true } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1959,175 +2058,19 @@ "networkInterface_roleAssignments": { "copy": { "name": "networkInterface_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NIC-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": 
{ - "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11518733977101662334" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkInterfaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "networkInterface" 
@@ -4240,176 +4183,6 @@ "vm_microsoftMonitoringAgentExtension", "vm_networkWatcherAgentExtension" ] - }, - "vm_roleAssignments": { - "copy": { - "name": "vm_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VM-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16523538632311306099" - } 
- }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Compute Gallery Sharing Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Compute/virtualMachines/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Compute/virtualMachines', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": 
"[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "vm" - ] } }, "outputs": { diff --git a/modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep similarity index 100% rename from modules/compute/virtual-machine/.bicep/nested_networkInterface.bicep rename to modules/compute/virtual-machine/modules/nested_networkInterface.bicep diff --git a/modules/container-registry/registry/.bicep/nested_roleAssignments.bicep b/modules/container-registry/registry/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 655ba7adf0..0000000000 --- a/modules/container-registry/registry/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - AcrDelete: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11') - AcrImageSigner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f') - AcrPull: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d') - AcrPush: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec') - AcrQuarantineReader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04') - AcrQuarantineWriter: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(registry.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: registry -}] diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 3035cf8ad0..8e52191585 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep 
@@ -1,150 +1,149 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - 
storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - acrAdminUserEnabled: false - acrSku: 'Premium' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - exportPolicyStatus: 'enabled' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - softDeletePolicyStatus: 'disabled' - softDeletePolicyDays: 7 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - service: 'registry' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: nestedDependencies.outputs.pairedRegionName - name: nestedDependencies.outputs.pairedRegionName - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 
'ServicePrincipal' - } - ] - systemAssignedIdentity: true - trustPolicyStatus: 'enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - webhooks: [ - { - name: '${namePrefix}acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crrcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + acrAdminUserEnabled: false + acrSku: 'Premium' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + exportPolicyStatus: 'enabled' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + softDeletePolicyStatus: 'disabled' + softDeletePolicyDays: 7 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + service: 'registry' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: nestedDependencies.outputs.pairedRegionName + name: nestedDependencies.outputs.pairedRegionName + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + trustPolicyStatus: 'enabled' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + webhooks: [ + { + name: '${namePrefix}acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 84e25e335c..a538ee678a 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md 
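Review bot: Every line of main.test.bicep is shown as removed and re-added (`@@ -1,150 +1,149 @@`) although the only functional change is `principalIds: [ ... ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` inside `roleAssignments`; this looks like a line-ending or trailing-whitespace rewrite and the extra `+` blank line at the end points the same way, but I cannot confirm that from the collapsed text. A whole-file rewrite hides the one line a reviewer needs to check, so normalising line endings in a separate commit (or via `.gitattributes`) would keep this hunk to its real change. The test also only exercises the built-in display-name path (`roleDefinitionIdOrName: 'Reader'`); none of the new optional members (`condition`, `conditionVersion`, `delegatedManagedIdentityResourceId`) or the raw role-definition-ID path is covered.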
@@ -105,9 +105,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -234,9 +232,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -814,7 +810,68 @@ The value that indicates whether the retention policy is enabled or not. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `softDeletePolicyDays` diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index b4a3c04050..6cd474fcec 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -14,7 +14,7 @@ param acrAdminUserEnabled bool = false param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tier of your Azure container registry.') @allowed([ 
@@ -210,6 +210,20 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + AcrDelete: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11') + AcrImageSigner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f') + AcrPull: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d') + AcrPush: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec') + AcrQuarantineReader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04') + AcrQuarantineWriter: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
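Review bot: The new `builtInRoleNames` map is smaller than the one in the deleted `.bicep/nested_roleAssignments.bicep`: the display names `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor` are gone. A caller that still passes one of those names no longer hits the `contains(builtInRoleNames, ...)` lookup in the `@@ -357,17 +371,18 @@` hunk, so the display name is sent verbatim as `roleDefinitionId` and the deployment fails at ARM with a resource-ID parse error rather than a clear message. Either re-add the dropped entries or state the supported names in the `roleDefinitionIdOrName` description of `roleAssignmentType` so the removal is a documented breaking change; a short comment above the map such as `// Display names accepted by roleDefinitionIdOrName; anything else is passed through as a full role-definition resource ID` would make the contract explicit.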
@@ -357,17 +371,18 @@ resource registry_diagnosticSettingName 'Microsoft.Insights/diagnosticsettings@2 scope: registry } -module registry_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-ContainerRegistry-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: registry.id +resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(registry.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: registry }] module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { 
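Review bot: The trailing comment on the `conditionVersion` line misspells `condtion` and does not say where the `'2.0'` comes from; I would change it to `conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // only valid alongside a condition; ARM requires 2.0 when a condition is present`. The fall-through branch of `roleDefinitionId` passes `roleAssignment.roleDefinitionIdOrName` unchanged, so only a fully qualified `/providers/Microsoft.Authorization/roleDefinitions/<guid>` path works there; the parameter description in the `@@ -14,7 +14,7 @@` hunk says so, but a comment on this line (`// not a known display name: must already be a full role-definition resource ID`) would save the next reader a lookup. `registry` is declared outside this hunk, so the `scope: registry` and `registry.id` references could not be checked here.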
@@ -423,3 +438,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json
index a12b37dde0..d643bb198c 100644
--- a/modules/container-registry/registry/main.json
+++ b/modules/container-registry/registry/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13715645846097523943"
+ "templateHash": "1785285011964376463"
 },
 "name": "Azure Container Registries (ACR)",
 "description": "This module deploys an Azure Container Registry (ACR).",
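Review bot: The description of `roleDefinitionIdOrName` in roleAssignmentType does not say what shape the "role definition ID" alternative must take, although the roleAssignments parameter description in main.json already does; mirror it here, e.g. `@description('Required. The name of the role to assign. If it cannot be found you can specify the fully qualified role definition ID instead, in the format /providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11.')`. The `principalType` union lists `null` and is also suffixed with `?`, which is redundant; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` compiles to the same nullable allowedValues shown in the generated main.json. Its description could also note that setting 'ServicePrincipal' for a freshly created identity avoids the principal-not-found race that the Azure RBAC docs describe when the type is omitted. Since `principalId` replaces the previous `principalIds` array (see the old side of the test file at the end of this page), existing callers will break, which is worth calling out explicitly in the parameter description or changelog.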
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -63,8 +129,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -403,7 +468,20 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", + "AcrImageSigner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", + "AcrPull": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", + "AcrPush": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')]", + "AcrQuarantineReader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", + "AcrQuarantineWriter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -525,6 +603,28 @@ "registry" ] }, + "registry_roleAssignments": { + "copy": { + "name": "registry_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "registry" + ] + }, "registry_replications": { "copy": { "name": 
"registry_replications", 
@@ -1036,160 +1136,6 @@ "registry" ] }, - "registry_roleAssignments": { - "copy": { - "name": "registry_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ContainerRegistry-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16788652740395923269" - } - }, - "parameters": { - 
"principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "registry" - ] - }, "registry_privateEndpoints": { "copy": { "name": "registry_privateEndpoints", diff --git a/modules/container-service/managed-cluster/.bicep/nested_roleAssignments.bicep b/modules/container-service/managed-cluster/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 7035b41472..0000000000 --- a/modules/container-service/managed-cluster/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,82 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'Azure Kubernetes Fleet Manager Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')
- 'Azure Kubernetes Fleet Manager RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')
- 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')
- 'Azure Kubernetes Fleet Manager RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')
- 'Azure Kubernetes Fleet Manager RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')
- 'Azure Kubernetes Service Cluster Admin Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')
- 'Azure Kubernetes Service Cluster Monitoring User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')
- 'Azure Kubernetes Service Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')
- 'Azure Kubernetes Service Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')
- 'Azure Kubernetes Service RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')
- 'Azure Kubernetes Service RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
- 'Azure Kubernetes Service RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')
- 'Azure Kubernetes Service RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Kubernetes Agentless Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(managedCluster.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: managedCluster
-}]
diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep
index 8a84302766..35a7bc0355 100644
--- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep
+++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep
@@ -1,257 +1,256 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csmaz' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - managedIdentityKubeletIdentityName: 'dep-${namePrefix}-msiki-${serviceShort}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[0] - } - ] - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[1] - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - } - { - availabilityZones: [ - '3' - ] - 
count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[2] - } - ] - autoUpgradeProfileUpgradeChannel: 'stable' - enableWorkloadIdentity: true - enableOidcIssuerProfile: true - networkPlugin: 'azure' - networkDataplane: 'azure' - networkPluginMode: 'overlay' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId - openServiceMeshEnabled: true - enableStorageProfileBlobCSIDriver: true - enableStorageProfileDiskCSIDriver: true - enableStorageProfileFileCSIDriver: true - enableStorageProfileSnapshotController: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - identityProfile: { - kubeletidentity: { - resourceId: nestedDependencies.outputs.managedIdentityKubeletIdentityResourceId - } - } - omsAgentEnabled: true - monitoringWorkspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId - enableAzureDefender: true - enableKeyvaultSecretsProvider: true - enablePodSecurityPolicy: false - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - fluxExtension: { - configurationSettings: { - 'helm-controller.enabled': 'true' - 'source-controller.enabled': 'true' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'true' - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - } - configurations: [ - { - namespace: 'flux-system' - scope: 'cluster' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - } - { - namespace: 'flux-system-helm' - scope: 'cluster' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' - } - kustomizations: { - infra: { - path: './infrastructure' - dependsOn: [] - timeoutInSeconds: 600 - syncIntervalInSeconds: 600 - validation: 'none' - prune: true - } - apps: { - path: './apps/staging' - dependsOn: [ - 'infra' - ] - timeoutInSeconds: 600 - syncIntervalInSeconds: 600 - retryIntervalInSeconds: 120 - prune: true - } - } - } - ] - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csmaz' + +@description('Generated. 
Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + managedIdentityKubeletIdentityName: 'dep-${namePrefix}-msiki-${serviceShort}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// 
============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + primaryAgentPoolProfile: [ + { + availabilityZones: [ + '3' + ] + count: 1 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + mode: 'System' + name: 'systempool' + osDiskSizeGB: 0 + osType: 'Linux' + serviceCidr: '' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[0] + } + ] + agentPools: [ + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool1' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[1] + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + } + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool2' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[2] + } + ] + autoUpgradeProfileUpgradeChannel: 'stable' + enableWorkloadIdentity: true + enableOidcIssuerProfile: true + networkPlugin: 'azure' + networkDataplane: 
'azure' + networkPluginMode: 'overlay' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId + openServiceMeshEnabled: true + enableStorageProfileBlobCSIDriver: true + enableStorageProfileDiskCSIDriver: true + enableStorageProfileFileCSIDriver: true + enableStorageProfileSnapshotController: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + identityProfile: { + kubeletidentity: { + resourceId: nestedDependencies.outputs.managedIdentityKubeletIdentityResourceId + } + } + omsAgentEnabled: true + monitoringWorkspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + enableAzureDefender: true + enableKeyvaultSecretsProvider: true + enablePodSecurityPolicy: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + fluxExtension: { + configurationSettings: { + 'helm-controller.enabled': 'true' + 'source-controller.enabled': 'true' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'true' + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + } + configurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 
'https://github.com/mspnp/aks-baseline' + } + } + { + namespace: 'flux-system-helm' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' + } + kustomizations: { + infra: { + path: './infrastructure' + dependsOn: [] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + validation: 'none' + prune: true + } + apps: { + path: './apps/staging' + dependsOn: [ + 'infra' + ] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + retryIntervalInSeconds: 120 + prune: true + } + } + } + ] + } + } +} + diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep index 66803468ef..2f445e1328 100644 --- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep 
@@ -1,160 +1,159 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csmkube' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - networkPlugin: 'kubenet' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - 
nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csmkube' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + primaryAgentPoolProfile: [ + { + availabilityZones: [ + '3' + ] + count: 1 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + mode: 'System' + name: 'systempool' + osDiskSizeGB: 0 + osType: 'Linux' + serviceCidr: '' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + ] + agentPools: [ + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 
'userpool1' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool2' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + ] + networkPlugin: 'kubenet' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index e95c168a1c..81b0ac0576 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md 
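Review bot: Every line of `main.test.bicep` is deleted and re-added although the only functional change is the `roleAssignments` entry, where the `principalIds` array becomes `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; a whole-file rewrite like this usually indicates a line-ending or encoding change bundled into the edit, and the preceding test file shows the same pattern. It hides the one-line change from reviewers and from `git blame`. If line endings were normalized, a `.gitattributes` rule for `*.bicep` would keep this from recurring, and the normalization would be easier to audit as its own commit.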
@@ -212,9 +212,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' openServiceMeshEnabled: true roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -466,9 +464,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -584,9 +580,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' networkPlugin: 'kubenet' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -715,9 +709,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -1849,7 +1841,68 @@ Private DNS Zone configuration. Set to 'system' and AKS will create a private DN Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceCidr` diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 3e3648a527..fc2de0e96b 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep 
@@ -336,7 +336,7 @@ param diagnosticEventHubName string = '' param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -432,6 +432,28 @@ var lbProfile = { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Azure Kubernetes Fleet Manager Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf') + 'Azure Kubernetes Fleet Manager RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba') + 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69') + 'Azure Kubernetes Fleet Manager RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80') + 'Azure Kubernetes Fleet Manager RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683') + 'Azure Kubernetes Service Cluster Admin Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8') + 'Azure Kubernetes Service Cluster Monitoring User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6') + 'Azure Kubernetes Service Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f') + 'Azure Kubernetes Service Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8') + 'Azure Kubernetes Service RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7') + 'Azure Kubernetes Service RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b') + 'Azure Kubernetes Service RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db') + 'Azure Kubernetes Service RBAC 
Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Kubernetes Agentless Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -684,17 +706,18 @@ resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSetting scope: managedCluster } -module managedCluster_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-ManagedCluster-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: managedCluster.id +resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(managedCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: managedCluster }] resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (dnsZoneResourceId != null && webApplicationRoutingEnabled) { 
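Review bot: The `name` of the new `managedCluster_roleAssignments` resource hashes the raw `roleAssignment.roleDefinitionIdOrName`, so the same role passed once by display name (`'Reader'`) and once by its fully qualified ID produces two different `guid()` values for one logical assignment, and the second deployment is then rejected as a duplicate of the existing principal/role/scope rather than being idempotent. Hashing the resolved ID keeps the name stable: `name: guid(managedCluster.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. A display name that is not a key of `builtInRoleNames` (previous hunk) is passed through unchanged as `roleDefinitionId` and only fails at deployment time, so the `roleAssignments` parameter description should state that only names listed in that map are resolved. The trailing comment on `conditionVersion` also misspells `condtion`.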
@@ -758,3 +781,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index a2363b3784..9923e70e43 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9142221246471978199" + "templateHash": "9286702996832369711" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", 
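Review bot: `principalType` lists `null` as a union member and is additionally marked nullable with `?`, which is redundant and inconsistent with `lockType.kind` in the context lines above; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract. The `roleDefinitionIdOrName` description says "role definition ID", which reads as a bare GUID, yet the resource in the previous hunk passes an unrecognised value straight through as `roleDefinitionId`; suggest `@description('Required. The name of the role to assign. If it cannot be found you can specify the fully qualified role definition ID instead, in the form /providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>.')`.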
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -721,8 +787,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -857,7 +922,28 @@ }, "effectiveOutboundIPs": [] }, - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", + "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", + "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", + "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')]", + "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')]", + "Azure Kubernetes Service Cluster Admin Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster Monitoring User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')]", + "Azure Kubernetes Service Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", + "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", + "Azure Kubernetes Service RBAC Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", + "Azure Kubernetes Service RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Kubernetes Agentless Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1045,6 +1131,28 @@ "managedCluster" ] }, + "managedCluster_roleAssignments": { + "copy": { + "name": "managedCluster_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "managedCluster" + ] + }, "dnsZone": { "condition": 
"[and(not(equals(parameters('dnsZoneResourceId'), null())), parameters('webApplicationRoutingEnabled'))]", "existing": true, 
@@ -1924,168 +2032,6 @@ "dependsOn": [ "managedCluster" ] - }, - "managedCluster_roleAssignments": { - "copy": { - "name": "managedCluster_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "921005320898310167" - 
} - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", - "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", - "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')]", - "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')]", - "Azure Kubernetes Service Cluster Admin Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster Monitoring User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')]", - "Azure Kubernetes Service Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", - "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", - "Azure Kubernetes Service RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", - "Azure Kubernetes Service RBAC 
Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Kubernetes Agentless Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "managedCluster" - ] } }, "outputs": { diff --git a/modules/data-factory/factory/.bicep/nested_roleAssignments.bicep b/modules/data-factory/factory/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 602a515be8..0000000000 --- a/modules/data-factory/factory/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(dataFactory.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: dataFactory -}] diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 1d27e2246c..07059a312f 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep 
@@ -1,152 +1,151 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.datafactory.factories-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dffcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}st${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 
'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gitConfigureLater: true - globalParameters: { - testParameter1: { - type: 'String' - value: 'testValue1' - } - } - integrationRuntimes: [ - { - managedVirtualNetworkName: 'default' - name: 'AutoResolveIntegrationRuntime' - type: 'Managed' - typeProperties: { - computeProperties: { - location: 'AutoResolve' - } - } - } - - { - name: 'TestRuntime' - type: 'SelfHosted' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedPrivateEndpoints: [ - { - fqdns: [ - nestedDependencies.outputs.storageAccountBlobEndpoint - ] - groupId: 'blob' - name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' - privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId - } - ] - managedVirtualNetworkName: 'default' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId 
- - ] - service: 'dataFactory' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - application: 'CARML' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.datafactory.factories-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dffcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedPrivateEndpoints: [ + { + fqdns: [ + nestedDependencies.outputs.storageAccountBlobEndpoint + ] + groupId: 'blob' + name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' + privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] + managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'dataFactory' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + application: 'CARML' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 8b9528904a..6ae177c9e1 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md 
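Review bot: Every line of `main.test.bicep` is deleted and re-added although the only content differences on the new side are `principalIds: [ … ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and one extra trailing blank line, which suggests a line-ending or whitespace normalization was folded into this hunk. That hides the one substantive change behind 150 lines of churn and makes `git blame` on the test useless for it. Splitting the whitespace normalization into its own commit (or fixing it via `.gitattributes`) would leave a three-line diff that reviewers can actually check.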
@@ -113,9 +113,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -242,9 +240,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -609,7 +605,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `systemAssignedIdentity` diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index 973f187561..c90d4d9801 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -139,7 +139,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { }] @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -156,6 +156,15 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) 
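Review bot: The `builtInRoleNames` map added in the `@@ -156` hunk drops several display names that the deleted `.bicep/nested_roleAssignments.bicep` resolved (Log Analytics Contributor/Reader, the Managed Application roles, Monitoring Contributor/Reader, Resource Policy Contributor), and neither the hunk nor the `roleAssignments` parameter description records that. With the lookup in `dataFactory_roleAssignments` (outside this hunk), an unmatched display name is passed through verbatim as `roleDefinitionId`, so such callers now get a deployment error instead of a resolved role, which is the safe failure mode but still a breaking change worth stating. A comment above the map would make the contract explicit: `// Display names accepted by roleDefinitionIdOrName; any other value is passed through unchanged and must be a full role definition resource ID.`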
@@ -250,17 +259,18 @@ resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2 scope: dataFactory } -module dataFactory_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-DataFactory-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: dataFactory.id +resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: dataFactory }] module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { 
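Review bot: The assignment name in `name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller-supplied value rather than the resolved `roleDefinitionId`, so the same principal and role produce different names depending on whether the display name or the full definition ID was passed; a redeployment that switches between the two would then attempt a second assignment for an identical principal, role and scope, which the role assignment service rejects as already existing. Deriving the name from the resolved ID would make it stable, but it would also rename assignments created by earlier versions of this module, so at minimum the constraint should be stated on the resource: `// NOTE: name is derived from the raw roleDefinitionIdOrName input; do not switch between display name and definition ID for an existing assignment`. The inline comment on `conditionVersion` also has a typo: `// Must only be set if condition is set`.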
@@ -313,3 +323,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json
index c52194153a..1213204e82 100644
--- a/modules/data-factory/factory/main.json
+++ b/modules/data-factory/factory/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7844406569986738481"
+ "templateHash": "6726222528334503492"
 },
 "name": "Data Factories",
 "description": "This module deploys a Data Factory.",
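Review bot: In the new `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` puts `null` inside the union and then also marks the property optional with `?`, which is redundant; the compiled `main.json` hunk that follows shows the compiler already emits five `allowedValues` plus `nullable: true` and drops the `null`. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract and matches the style of `conditionVersion: '2.0'?` a few properties below. The `condition` description says the condition "limits the resources it can be assigned to", which is not what an ABAC condition does — it narrows the actions and resources the assignment grants once it exists; suggest `@description('Optional. An ABAC condition that restricts the actions or resources this assignment grants, e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')`.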
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -281,8 +347,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -325,7 +390,15 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault": { 
@@ -400,6 +473,28 @@ "dataFactory" ] }, + "dataFactory_roleAssignments": { + "copy": { + "name": "dataFactory_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DataFactory/factories', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "dataFactory" + ] + }, "dataFactory_managedVirtualNetwork": { "condition": 
"[not(empty(parameters('managedVirtualNetworkName')))]", "type": "Microsoft.Resources/deployments", 
@@ -810,155 +905,6 @@ "dataFactory_managedVirtualNetwork" ] }, - "dataFactory_roleAssignments": { - "copy": { - "name": "dataFactory_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DataFactory-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18126264566074899156" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DataFactory/factories/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DataFactory/factories', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "dataFactory" - ] - }, "dataFactory_privateEndpoints": { "copy": { "name": "dataFactory_privateEndpoints", diff --git a/modules/data-protection/backup-vault/.bicep/nested_roleAssignments.bicep b/modules/data-protection/backup-vault/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 3101f82d5f..0000000000 --- a/modules/data-protection/backup-vault/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control 
Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource backupVault 'Microsoft.DataProtection/backupVaults@2023-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(backupVault.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: backupVault -}] diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep index 45d3083a53..05924632cf 100644 --- a/modules/data-protection/backup-vault/.test/common/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep 
@@ -1,138 +1,137 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dataprotection.backupvaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dpbvcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - 
azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - systemAssignedIdentity: true - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - trigger: { - objectType: 'ScheduleBasedTriggerContext' - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - isDefault: true - taggingPriority: 99 - tagInfo: { - id: 'Default_' - tagName: 'Default' - } - } - ] - } - } - { - isDefault: true - lifecycles: [ - { - deleteAfter: { - duration: 'P7D' - objectType: 'AbsoluteDeleteOption' - } - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - targetDataStoreCopySettings: [] - } - ] - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.dataprotection.backupvaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. 
Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dpbvcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + systemAssignedIdentity: true + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. 
Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 9fcda953f4..22e624a5c0 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -117,9 +117,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -230,9 +228,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
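Review bot: Every line of `main.test.bicep` is removed and re-added with identical content, and the only substantive change is `principalIds: [ ... ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; a whole-file rewrite with unchanged text usually indicates a line-ending or trailing-whitespace normalisation, which hides the real three-line change from reviewers and from `git blame`. Consider committing the normalisation separately, or enforcing it through `.gitattributes`, so this hunk shrinks to the role assignment change alone. The new version also gains an extra blank line after the final `}`, which the repository's other modules do not appear to carry.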
@@ -411,7 +407,68 @@ Name of the Backup Vault. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securitySettings` diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index 89601af230..caab5b84fa 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep 
@@ -12,7 +12,7 @@ param enableDefaultTelemetry bool = true
 param location string = resourceGroup().location
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -63,6 +63,17 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
+ 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
+ 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
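Review bot: This `builtInRoleNames` map drops eight display names that the deleted `nested_roleAssignments.bicep` above still resolved (the Log Analytics, Managed Application, Monitoring and Resource Policy roles), so a caller passing e.g. 'Monitoring Reader' now reaches the raw-string branch of `roleDefinitionId` and presumably fails at deployment time rather than at validation. The retained list still contains the three roles that let a principal delegate further access on the vault — `Owner`, `User Access Administrator` and `Role Based Access Control Administrator (Preview)` — which is reasonable for a generic module but worth a line in the README so consumers know the parameter can hand out delegation rights. A short comment above the map would document the fall-through where it is implemented, e.g. `// Display names accepted by roleAssignments.roleDefinitionIdOrName; any other value is passed through unchanged as a role definition resource ID`.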
@@ -116,17 +127,18 @@ resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt
 scope: backupVault
 }
-module backupVault_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-bv-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: backupVault.id
+resource backupVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(backupVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: backupVault
 }]
 @description('The resource ID of the backup vault.')
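Review bot: The assignment `name` is hashed from the raw `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId` computed one line below, so the same role given once as a display name and once as a full ID yields two different resource names for what ARM treats as a single assignment (same principal, role and scope), and the second one fails with a conflict instead of being idempotent. Keeping the raw value preserves the names the deleted nested module generated for existing deployments, so this is presumably deliberate, but it deserves a comment, e.g. `// guid() keeps the raw roleDefinitionIdOrName so assignment names stay stable with the previous nested-module implementation`. The `conditionVersion` comment also has a typo and should read `// Must only be set if condition is set`. Both points apply equally to `accessConnector_roleAssignments` in the access-connector main.bicep hunk later in this patch.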
@@ -155,3 +167,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json
index 44f040b926..868f140db9 100644
--- a/modules/data-protection/backup-vault/main.json
+++ b/modules/data-protection/backup-vault/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15651036518447625148"
+ "templateHash": "8939931538076574162"
 },
 "name": "Data Protection Backup Vaults",
 "description": "This module deploys a Data Protection Backup Vault.",
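Review bot: In `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the `null` union member is redundant with the trailing `?`; the compiled main.json below renders it simply as five allowed values plus `nullable: true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the double nullability. The `condition` description is also the only one in the block without a closing period. Both points apply equally to the `roleAssignmentType` added for the access connector later in this patch.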
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -147,7 +212,17 @@ "variables": { "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -201,6 +276,28 @@ "backupVault" ] }, + "backupVault_roleAssignments": { + "copy": { + "name": "backupVault_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "backupVault" + ] + }, "backupVault_backupPolicies": { "copy": { "name": 
"backupVault_backupPolicies", 
@@ -320,157 +417,6 @@ "dependsOn": [ "backupVault" ] - }, - "backupVault_roleAssignments": { - "copy": { - "name": "backupVault_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-bv-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DataProtection/backupVaults', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14959625805292931026" - } - }, - "parameters": { - 
"principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "backupVault" - ] } }, "outputs": { diff --git a/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep b/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 772322584b..0000000000 
--- a/modules/databricks/access-connector/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,70 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-10-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(accessConnector.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: accessConnector -}] diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index 106b58bac1..6395e13ed7 100644 --- a/modules/databricks/access-connector/.test/common/main.test.bicep +++ b/modules/databricks/access-connector/.test/common/main.test.bicep 
@@ -1,79 +1,78 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'daccom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - roleAssignments: [ - { - 
roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - location: resourceGroup.location - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'daccom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + location: resourceGroup.location + } +} + diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index f282d649ca..c965dbdf4f 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -53,9 +53,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -105,9 +103,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -256,7 +252,68 @@ The name of the Azure Databricks access connector to create. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `systemAssignedIdentity` diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index cb0ea6af0c..ca7d88ef21 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep 
@@ -12,7 +12,7 @@ param tags object = {}
 param location string = resourceGroup().location
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -33,6 +33,14 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -62,17 +70,18 @@ resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!
 scope: accessConnector
 }
-module accessConnector_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Databricks-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: accessConnector.id
+resource accessConnector_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(accessConnector.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: accessConnector
 }]
 @description('The name of the deployed access connector.')
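Review bot: The trailing comment on the conditionVersion line misspells "condition" (`// Must only be set if condtion is set`) and says nothing about the default it applies; `// conditionVersion is only meaningful alongside a condition; falls back to '2.0' when one is given` covers both. Separately, the `name: guid(...)` line derives the resource name from the raw roleDefinitionIdOrName rather than from the resolved roleDefinitionId, so the same role supplied once by display name and once by full ID yields two differently named resources for what is presumably one assignment; this matches the naming of the nested template it replaces, so changing it would rename already-deployed assignments, but a comment stating that the raw value is used deliberately would prevent a later "fix". The new resource declaration is fully contained in this hunk.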
@@ -98,3 +107,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json
index aaaff87d8f..6098e38098 100644
--- a/modules/databricks/access-connector/main.json
+++ b/modules/databricks/access-connector/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8192050845924017676"
+ "templateHash": "11496388120257494229"
 },
 "name": "Azure Databricks Access Connectors",
 "description": "This module deploys an Azure Databricks Access Connector.",
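Review bot: In the roleAssignmentType definition, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries both a `null` union member and the `?` suffix, while every other optional member of the type uses `?` alone; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` says the same thing consistently. The description on roleDefinitionIdOrName promises that a name which "cannot be found" can be replaced by an ID but never says which names are resolvable, and only the five keys of builtInRoleNames are, so the description should list them or point at that variable so callers do not rely on a display name that silently falls through. The main.json templateHash hunk that follows is generated output and needs no review.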
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -97,7 +162,14 @@ }, "variables": { "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -140,148 +212,20 @@ "accessConnector_roleAssignments": { "copy": { "name": "accessConnector_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Databricks-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Databricks/accessConnectors', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9290418788736930611" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "accessConnector" diff --git a/modules/databricks/workspace/.bicep/nested_roleAssignments.bicep b/modules/databricks/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 22520b5668..0000000000 --- a/modules/databricks/workspace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.Databricks/workspaces@2018-04-01' existing = { - name: last(split(resourceId, 
'/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: workspace -}] diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index 57dc4188f3..b980001a04 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep 
@@ -1,148 +1,147 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.databricks.workspaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dwcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' - applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' - // Adding base time to make the name unique as purge protection 
must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName - cMKManagedServicesKeyVaultResourceId: 
nestedDependencies.outputs.keyVaultResourceId - cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName - cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId - cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true - storageAccountName: 'sa${namePrefix}${serviceShort}001' - storageAccountSkuName: 'Standard_ZRS' - publicIpName: 'nat-gw-public-ip' - natGatewayName: 'nat-gateway' - prepareEncryption: true - requiredNsgRules: 'NoAzureDatabricksRules' - skuName: 'premium' - amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId - customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName - customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName - publicNetworkAccess: 'Disabled' - disablePublicIp: true - loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId - loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName - customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'databricks_ui_api' - subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' - diagnosticLogCategoriesToEnable: [ - 'jobs' - 'notebook' - ] - diagnosticSettingsName: 'diag${namePrefix}${serviceShort}001' - requireInfrastructureEncryption: true - vnetAddressPrefix: '10.100' - location: resourceGroup.location - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.databricks.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dwcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' + applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + } +} + 
+// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName + cMKManagedServicesKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName + cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId + cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true + storageAccountName: 
'sa${namePrefix}${serviceShort}001' + storageAccountSkuName: 'Standard_ZRS' + publicIpName: 'nat-gw-public-ip' + natGatewayName: 'nat-gateway' + prepareEncryption: true + requiredNsgRules: 'NoAzureDatabricksRules' + skuName: 'premium' + amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId + customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName + customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName + publicNetworkAccess: 'Disabled' + disablePublicIp: true + loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId + loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName + customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'databricks_ui_api' + subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' + diagnosticLogCategoriesToEnable: [ + 'jobs' + 'notebook' + ] + diagnosticSettingsName: 'diag${namePrefix}${serviceShort}001' + requireInfrastructureEncryption: true + vnetAddressPrefix: '10.100' + location: resourceGroup.location + } +} + diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 29a1fbafa0..7b1bdd1cb9 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -98,9 +98,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { requireInfrastructureEncryption: true roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
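Review bot: The @@ -1,148 +1,147 @@ hunk on main.test.bicep replaces every line of the file although the only substantive difference is the roleAssignments entry, where `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` becomes `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; a whole-file rewrite of otherwise identical lines usually indicates a line-ending or trailing-newline change, and it hides the one real edit from reviewers and from blame. Normalising line endings in a separate commit (or through .gitattributes) would shrink this hunk to the three lines that matter. The test keeps the managed identity on 'Reader', which is the least-privileged of the five names the new builtInRoleNames map resolves, so the fixture itself is fine.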
@@ -243,9 +241,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -632,7 +628,68 @@ A boolean indicating whether or not the DBFS root file system will be enabled wi Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index cdf70662ed..64c3bb3b4f 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep 
@@ -20,7 +20,7 @@ param skuName string = 'premium'
 param location string = resourceGroup().location
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -159,6 +159,14 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
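Review bot: The new `builtInRoleNames` map in the second hunk resolves only five display names, whereas the nested module it replaces (its embedded copy is visible in the removed side of the `@@ -460,146 +532,20 @@` main.json hunk below) also resolved 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. Combined with the lookup in the `@@ -313,17 +321,18 @@` hunk, any display name not in the map is passed verbatim as `roleDefinitionId`, so callers who relied on those names would now get a deployment-time failure instead of a resolved role. Either carry the previous entries over or state the narrowing explicitly; a comment on the map such as `// Only these display names are resolved; any other roleDefinitionIdOrName value is used as-is as the role definition resource ID` would make the contract clear to the next maintainer.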
@@ -313,17 +321,18 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202
 scope: workspace
 }
 
-module workspace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Databricks-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: workspace.id
+resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: workspace
 }]
 
 module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
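Review bot: The trailing comment on the `conditionVersion` line misspells "condtion" and could say why the default is applied rather than restating the expression; `// conditionVersion is only valid together with condition; default to '2.0' when a condition is given` reads better. The resource name `guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived only from principal and role, so two `roleAssignments` entries for the same principal and role (for example with different `condition` values) appear to collide on the deterministic name; that is unchanged from the removed module, but now that the type carries one `principalId` per entry it is worth a comment on the `name:` line so callers do not expect the second entry to be deployed.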
@@ -373,3 +382,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json
index a176ae81d9..e52357cddd 100644
--- a/modules/databricks/workspace/main.json
+++ b/modules/databricks/workspace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16205616448170164073"
+ "templateHash": "1159355257291506829"
 },
 "name": "Azure Databricks Workspaces",
 "description": "This module deploys an Azure Databricks Workspace.",
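Review bot: `principalType` in `roleAssignmentType` puts `null` inside the literal union and also marks the property optional with `?`, which says the same thing twice; the generated `main.json` definition for it carries only the five string `allowedValues` plus `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the identical contract and matches how `description: string?` and `condition: string?` are written in the same type. The `roleDefinitionIdOrName` description ("If it cannot be found you can specify the role definition ID instead") would be more accurate as `Required. The name of a built-in role in builtInRoleNames, or a full role definition resource ID; any other value is passed through unresolved.`, since no lookup beyond that map is performed.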
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -73,8 +139,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -346,7 +411,14 @@ } ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKManagedDisksKeyVault::cMKKeyDisk": { 
@@ -460,146 +532,20 @@ "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Databricks-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Databricks/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3551736854871241675" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Databricks/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Databricks/workspaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "workspace" diff --git a/modules/db-for-my-sql/flexible-server/.bicep/nested_roleAssignments.bicep b/modules/db-for-my-sql/flexible-server/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 02c44be1b7..0000000000 --- a/modules/db-for-my-sql/flexible-server/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'MySQL Backup And Export Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(flexibleServer.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: flexibleServer
-}]
diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep
index c7d0cf9a73..2b9182a40c 100644
--- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep
@@ -1,123 +1,122 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfmsfspvt' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: '${namePrefix}${serviceShort}001' - } - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId - storageAutoIoScaling: 'Enabled' - storageSizeGB: 64 - storageIOPS: 400 - backupRetentionDays: 10 - databases: [ - { - - name: 'testdb1' - } - ] - highAvailability: 'SameZone' - storageAutoGrow: 'Enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - administrators: [ - { - identityResourceId: nestedDependencies.outputs.managedIdentityResourceId - login: nestedDependencies.outputs.managedIdentityName - sid: nestedDependencies.outputs.managedIdentityPrincipalId - } - ] 
- } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dfmsfspvt' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'MySQL Flexible Server' + serverName: '${namePrefix}${serviceShort}001' + } + administratorLogin: 'adminUserName' + administratorLoginPassword: password + skuName: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + storageAutoIoScaling: 'Enabled' + storageSizeGB: 64 + storageIOPS: 400 + backupRetentionDays: 10 + databases: [ + { + + name: 'testdb1' + } + ] + highAvailability: 'SameZone' + storageAutoGrow: 'Enabled' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + administrators: [ + { + identityResourceId: nestedDependencies.outputs.managedIdentityResourceId + login: nestedDependencies.outputs.managedIdentityName + sid: nestedDependencies.outputs.managedIdentityPrincipalId + } + ] + } +} + 
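Review bot: The only substantive change in this test file is the `roleAssignments` entry moving from `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, yet all 123 lines are shown as removed and re-added, which looks like a line-ending or whitespace normalization folded into the same hunk. That buries the real change for reviewers and for `git blame`; keeping the normalization in a separate commit (or enforcing it through repository attributes) would reduce this diff to three lines. The following `.test/public/main.test.bicep` hunk shows the same whole-file rewrite pattern.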
diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index cfc5ce3c28..7684cbf777 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep 
@@ -1,164 +1,163 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfmsfsp' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies1 'dependencies1.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies1' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -module nestedDependencies2 'dependencies2.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies2' - params: { - // Adding base time to make the name unique as purge protection 
must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - geoBackupKeyVaultName: 'dep-${namePrefix}-kvp-${serviceShort}-${substring(uniqueString(baseTime), 0, 2)}' - geoBackupManagedIdentityName: 'dep-${namePrefix}-msip-${serviceShort}' - geoBackupLocation: nestedDependencies1.outputs.pairedRegionName - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies2.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: '${namePrefix}${serviceShort}001' - } - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - storageAutoIoScaling: 'Enabled' - storageSizeGB: 32 - storageIOPS: 400 - 
backupRetentionDays: 20 - availabilityZone: '1' - databases: [ - { - - name: 'testdb1' - } - { - name: 'testdb2' - charset: 'ascii' - collation: 'ascii_general_ci' - } - ] - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - highAvailability: 'SameZone' - storageAutoGrow: 'Enabled' - version: '8.0.21' - cMKKeyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies2.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId - geoRedundantBackup: 'Enabled' - geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId - geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName - geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId - userAssignedIdentities: { - '${nestedDependencies2.outputs.managedIdentityResourceId}': {} - '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' + +@description('Optional. 
The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dfmsfsp' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies1 'dependencies1.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies1' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +module nestedDependencies2 'dependencies2.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies2' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + geoBackupKeyVaultName: 'dep-${namePrefix}-kvp-${serviceShort}-${substring(uniqueString(baseTime), 0, 
2)}' + geoBackupManagedIdentityName: 'dep-${namePrefix}-msip-${serviceShort}' + geoBackupLocation: nestedDependencies1.outputs.pairedRegionName + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies2.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'MySQL Flexible Server' + serverName: '${namePrefix}${serviceShort}001' + } + administratorLogin: 'adminUserName' + administratorLoginPassword: password + skuName: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + storageAutoIoScaling: 'Enabled' + storageSizeGB: 32 + storageIOPS: 400 + backupRetentionDays: 20 + availabilityZone: '1' + databases: [ + { + + name: 'testdb1' + } + { + name: 'testdb2' + charset: 'ascii' + collation: 'ascii_general_ci' + } + ] + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + { + endIpAddress: '10.10.10.10' + name: 'test-rule1' + 
startIpAddress: '10.10.10.1' + } + { + endIpAddress: '100.100.100.10' + name: 'test-rule2' + startIpAddress: '100.100.100.1' + } + ] + highAvailability: 'SameZone' + storageAutoGrow: 'Enabled' + version: '8.0.21' + cMKKeyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId + cMKKeyName: nestedDependencies2.outputs.keyName + cMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId + geoRedundantBackup: 'Enabled' + geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId + geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName + geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId + userAssignedIdentities: { + '${nestedDependencies2.outputs.managedIdentityResourceId}': {} + '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + } +} + diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index bce5faa7d7..94163adb79 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -143,9 +143,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { privateDnsZoneResourceId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
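Review bot: The whole test file is shown as deleted and re-added (`@@ -1,164 +1,163 @@`) although the only content change I can find is `principalIds: [ nestedDependencies2.outputs.managedIdentityPrincipalId ]` becoming `principalId: nestedDependencies2.outputs.managedIdentityPrincipalId` in the `roleAssignments` entry of `testDeployment`; this looks like a line-ending or whitespace normalization folded into the functional change, which hides the real diff from reviewers and from `git blame`. If that is the case, the normalization belongs in its own commit, or a `.gitattributes` rule should pin the line endings for `*.bicep` so it does not recur. The preceding hunk (whose start is outside this view) shows the same whole-file pattern for the private test.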
@@ -250,9 +248,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -355,9 +351,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -497,9 +491,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -872,7 +864,68 @@ Restore point creation time (ISO8601 format), specifying the time to restore fro Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index 419cf6b925..d9c6538134 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep 
@@ -172,7 +172,7 @@ param databases array = []
 param firewallRules array = []
 
 @description('Optional. Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11".')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -238,6 +238,15 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'MySQL Backup And Export Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
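Review bot: The new `builtInRoleNames` map in the second hunk (`@@ -238,6 +238,15 @@`) resolves six display names, while the `nested_roleAssignments` template this commit deletes (visible further down in the removed `main.json` section) also mapped `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor`. A caller still passing one of those display names now has the raw name handed to `roleDefinitionId` and the deployment fails; failing closed is the right outcome, but it is a breaking change that the `roleAssignments` parameter description or the module changelog should state. I would add a comment above the map, `// Only roles relevant to a MySQL flexible server are resolved by display name; any other role must be passed as a full role definition resource ID`, so the narrowing reads as intentional rather than an omission.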
@@ -329,17 +338,18 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: flexibleServer
 }
 
-module flexibleServer_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-MySQL-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: flexibleServer.id
+resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: flexibleServer
 }]
 
 module flexibleServer_databases 'database/main.bicep' = [for (database, index) in databases: {
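Review bot: `name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` keeps the same three guid inputs the deleted nested template used, which is what keeps existing assignments from being renamed (and therefore duplicated or rejected with a conflict) when a consumer upgrades the module; that deserves a comment, e.g. `// guid inputs must stay identical to the former nested_roleAssignments template so existing assignments keep their names`. Because the guid is built from the unresolved `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, the same role passed once as a display name and once as a full ID yields two different names for what is, as far as I can tell, one (scope, principal, role) tuple, so the second would fail at deployment rather than be deduplicated — acceptable, but worth knowing. The trailing comment on the `conditionVersion` line misspells the word: `// Must only be set if condition is set`.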
@@ -411,3 +421,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json
index 803d30c7b5..534d43fbf2 100644
--- a/modules/db-for-my-sql/flexible-server/main.json
+++ b/modules/db-for-my-sql/flexible-server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4402521755740806457"
+ "templateHash": "10515587925363037266"
 },
 "name": "DBforMySQL Flexible Servers",
 "description": "This module deploys a DBforMySQL Flexible Server.",
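Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property nullable with `?`; the other optional members (`description: string?`, `conditionVersion: '2.0'?`) use only the suffix, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would be consistent. The generated `main.json` already renders it as `"nullable": true` with the five allowed values, so the change is cosmetic at the compiled level. The `@description` for `principalType` could also note that the value is passed through unchanged to `Microsoft.Authorization/roleAssignments`, since the type is now the only validation between the caller and the resource.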
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -349,8 +415,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the \"roleDefinitionIdOrName\" and \"principalId\" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \"/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\"." } 
@@ -448,7 +513,15 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "MySQL Backup And Export Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -564,6 +637,28 @@ "flexibleServer" ] }, + "flexibleServer_roleAssignments": { + "copy": { + "name": "flexibleServer_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "flexibleServer" + ] + }, "flexibleServer_diagnosticSettings": { 
"condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", 
@@ -582,155 +677,6 @@ "flexibleServer" ] }, - "flexibleServer_roleAssignments": { - "copy": { - "name": "flexibleServer_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MySQL-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17516117596765839904" - } - }, - "parameters": { - 
"principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "MySQL Backup And Export Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd18ad5f3-1baf-4119-b49b-d944edb1f9d0')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DBforMySQL/flexibleServers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "flexibleServer" - ] - }, "flexibleServer_databases": { "copy": { "name": "flexibleServer_databases", diff --git a/modules/db-for-postgre-sql/flexible-server/.bicep/nested_roleAssignments.bicep b/modules/db-for-postgre-sql/flexible-server/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b6ca729690..0000000000 --- a/modules/db-for-postgre-sql/flexible-server/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' existing = { - name: 
last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(flexibleServer.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: flexibleServer -}] diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 152b9d243a..e4ee71ee82 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md 
@@ -782,7 +782,68 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index 16b25a4744..3dc5ebad53 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep 
@@ -153,7 +153,7 @@ param configurations array = [] param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -219,6 +219,14 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
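Review bot: The inlined `builtInRoleNames` map in the `@@ -219,6 +219,14 @@` hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the deleted `.bicep/nested_roleAssignments.bicep` resolved thirteen, including 'Log Analytics Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. A caller that still passes one of the dropped names in `roleDefinitionIdOrName` now has the bare display name forwarded as `roleDefinitionId` by the `contains(builtInRoleNames, …) ? … : …` fallback in the next hunk, which is unlikely to be accepted as a role definition ID and so surfaces only as a deployment failure. If the smaller set is intentional, the `roleAssignments` parameter description in the first hunk should state which display names are resolvable, e.g. append `Resolvable display names are the keys of the module's builtInRoleNames map; any other value is used verbatim as the role definition ID.`; otherwise restore the missing entries from the deleted file. The same observation applies to the compiled `builtInRoleNames` variable in main.json.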
@@ -303,17 +311,18 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e scope: flexibleServer } -module flexibleServer_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-PostgreSQL-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: flexibleServer.id +resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: flexibleServer }] module flexibleServer_databases 'database/main.bicep' = [for (database, index) in databases: { 
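Review bot: The trailing comment on the `conditionVersion` line misspells the property it refers to: `// Must only be set if condtion is set` should read `// Must only be set if condition is set`. That line also silently defaults the version to `'2.0'` whenever a `condition` is supplied, which the `conditionVersion` description in the later `roleAssignmentType` hunk does not mention; adding `Defaults to '2.0' when a condition is provided.` to that description would make the behaviour visible to consumers. The `flexibleServer_roleAssignments` resource is complete within this hunk.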
@@ -403,3 +412,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index d432f9e923..d180a4afa1 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12105259818259511725" + "templateHash": "9711960157528543821" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", 
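Review bot: In the `roleAssignmentType` definition the `principalType` union lists `null` as a member and is also marked nullable with `?`, so the `| null` is redundant: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract, and the compiled `allowedValues` plus `"nullable": true` in the main.json hunk below confirm no extra value is produced. The `condition` description is also the only one in the type without a terminating period, unlike the sibling descriptions and the text it was copied from in the deleted nested module.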
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -309,8 +375,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -417,7 +482,14 @@ } ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -515,6 +587,28 @@ "flexibleServer" ] }, + "flexibleServer_roleAssignments": { + "copy": { + "name": "flexibleServer_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "flexibleServer" + ] + }, 
"flexibleServer_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", 
@@ -533,154 +627,6 @@ "flexibleServer" ] }, - "flexibleServer_roleAssignments": { - "copy": { - "name": "flexibleServer_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PostgreSQL-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6100419547048418453" - } - }, - "parameters": 
{ - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - 
}, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "flexibleServer" - ] - }, "flexibleServer_databases": { "copy": { "name": "flexibleServer_databases", diff --git a/modules/desktop-virtualization/application-group/.bicep/nested_roleAssignments.bicep b/modules/desktop-virtualization/application-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index c7809aafe0..0000000000 --- a/modules/desktop-virtualization/application-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,82 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource appGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appGroup.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appGroup -}] diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep index f63f6bd345..62add5be1c 100644 --- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep 
@@ -1,116 +1,115 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.desktopvirtualization.applicationgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - applicationGroupType: 'RemoteApp' - hostpoolName: nestedDependencies.outputs.hostPoolName - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - friendlyName: 'Remote Applications 1' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' 
+ +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.desktopvirtualization.applicationgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvagcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + 
scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + applicationGroupType: 'RemoteApp' + hostpoolName: nestedDependencies.outputs.hostPoolName + applications: [ + { + commandLineArguments: '' + commandLineSetting: 'DoNotAllow' + description: 'Notepad by ARM template' + filePath: 'C:\\Windows\\System32\\notepad.exe' + friendlyName: 'Notepad' + iconIndex: 0 + iconPath: 'C:\\Windows\\System32\\notepad.exe' + name: 'notepad' + showInPortal: true + } + { + filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' + friendlyName: 'Wordpad' + name: 'wordpad' + } + ] + description: 'This is my first Remote Applications bundle' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + friendlyName: 'Remote Applications 1' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 69318e6750..57580128cb 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md 
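Review bot: The hunk header `@@ -1,116 +1,115 @@` removes and re-adds the entire test file, yet the only content change I can find is the `principalIds: [ … ]` block becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` in the `roleAssignments` entry; the rest appears to be a line-ending or trailing-whitespace rewrite, which hides the one-line functional change from reviewers and from `git blame`. Consider normalising line endings in a separate commit (or via `.gitattributes`) so this hunk shrinks to the real change. The new side also ends with an extra empty `+` line after the closing `}`, which the old side did not have.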
@@ -81,9 +81,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -173,9 +171,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -410,7 +406,68 @@ Name of the Application Group to create this application in. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index ed9329f309..a532c2001a 100644 --- a/modules/desktop-virtualization/application-group/main.bicep +++ b/modules/desktop-virtualization/application-group/main.bicep 
@@ -26,7 +26,7 @@ param friendlyName string = ''
 param description string = ''
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
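Review bot: The `@sys.description` directly above the changed `param roleAssignments roleAssignmentType` line is now stale: it still tells callers to supply `'principalIds'`, while the new `roleAssignmentType` only accepts a single `principalId` per entry, so a caller following the description will fail type validation. Update the fragment to `\'roleDefinitionIdOrName\' and \'principalId\'` (and drop "Array of" if you prefer to describe the typed object). The same stale sentence is carried as context into README.md and main.json later in this patch; both are presumably regenerated from this description, so fixing it here and re-running the readme tooling should propagate the correction.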
@@ -81,6 +81,28 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+  'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
+  'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
+  'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
+  'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
+  'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
+  'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
+  'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
+  'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
+  'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
+  'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
+  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+  'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
+  'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
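Review bot: The new `builtInRoleNames` map is smaller than the one in the deleted `nested_roleAssignments.bicep` (whose tail is visible at the top of this patch): `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor` are no longer resolved. A caller who passes one of those display names now falls through the `contains(builtInRoleNames, …)` check in the new `appGroup_roleAssignments` resource and the bare display name is sent as `roleDefinitionId`, which will fail at deployment rather than at validation. If trimming the list to AVD-relevant roles is intentional, call it out as a breaking change in the module changelog/README and consider documenting the accepted names next to the `roleDefinitionIdOrName` type property; otherwise re-add the dropped entries.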
@@ -147,17 +169,18 @@ module appGroup_applications 'application/main.bicep' = [for (application, index
   }
 }]
 
-module appGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-AppGroup-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: appGroup.id
+resource appGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(appGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: appGroup
 }]
 
 @sys.description('The resource ID of the AVD application group.')
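Review bot: The assignment name `guid(appGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is seeded with the caller's raw input rather than the resolved role definition ID, so the same role given as `'Reader'` versus its full `/providers/Microsoft.Authorization/roleDefinitions/…` ID produces two different names; if a caller switches forms between deployments, the template asks for a second assignment of the same principal/role/scope, which ARM rejects as an existing assignment as far as I know, and incremental mode leaves the first one behind. Seeding with the resolved value avoids that: `name: guid(appGroup.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The deleted nested module had the same seeding, so this is inherited rather than newly introduced, but the inline resource is the place to fix it. Separately, the trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`.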
@@ -183,3 +206,26 @@ type lockType = {
   @sys.description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @sys.description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @sys.description('Optional. The description of the role assignment.')
+  description: string?
+
+  @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @sys.description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json
index 79e4a8b94c..fbcf269f91 100644
--- a/modules/desktop-virtualization/application-group/main.json
+++ b/modules/desktop-virtualization/application-group/main.json
@@ -6,7 +6,7 @@
       "_generator": {
         "name": "bicep",
         "version": "0.22.6.54827",
-        "templateHash": "14151741428867025425"
+        "templateHash": "16969600668086963016"
       },
       "name": "Azure Virtual Desktop (AVD) Application Groups",
       "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.",
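Review bot: In the new `roleAssignmentType`, the `principalType` member spells nullability twice: `| null` inside the union and the trailing `?` on the whole type, whereas every other optional member (`description: string?`, `conditionVersion: '2.0'?`) uses only the `?`. As far as I can tell the compiled main.json later in this patch already reflects just `"nullable": true` with five `allowedValues` and no null entry, so the simpler form `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is equivalent and consistent with the rest of the type. The `condition` description is also the only one without a terminating period; the readme generator copies these strings verbatim into the parameter table, so keeping them uniform avoids cosmetic diffs there.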
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -85,8 +151,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -182,7 +247,28 @@ } ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", + "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", + "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", + "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", + "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", + "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", + "Desktop Virtualization 
User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", + "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -252,6 +338,28 @@ "appGroup" ] }, + "appGroup_roleAssignments": { + "copy": { + "name": "appGroup_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "appGroup" + ] + }, "appGroup_applications": { "copy": { 
"name": "appGroup_applications", 
@@ -438,168 +546,6 @@ "dependsOn": [ "appGroup" ] - }, - "appGroup_roleAssignments": { - "copy": { - "name": "appGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16875966944342044136" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access 
Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/applicationGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "appGroup" - ] } }, "outputs": { diff --git a/modules/desktop-virtualization/host-pool/.bicep/nested_roleAssignments.bicep b/modules/desktop-virtualization/host-pool/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 26992c24af..0000000000 --- a/modules/desktop-virtualization/host-pool/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,82 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(hostPool.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: hostPool -}] diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep index a72b947abb..32ceebbc21 100644 --- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep 
@@ -1,132 +1,131 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.desktopvirtualization.hostpools-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvhpcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: 
location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - description: 'My first AVD Host Pool' - friendlyName: 'AVDv2' - type: 'Pooled' - loadBalancerType: 'BreadthFirst' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - maxSessionLimit: 99999 - personalDesktopAssignmentType: 'Automatic' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - vmTemplate: { - customImageId: null - domain: 'domainname.onmicrosoft.com' - galleryImageOffer: 'office-365' - galleryImagePublisher: 'microsoftwindowsdesktop' - galleryImageSKU: '20h1-evd-o365pp' - imageType: 'Gallery' - imageUri: null - namePrefix: 'avdv2' - osDiskType: 'StandardSSD_LRS' - useManagedDisks: true - vmSize: { - cores: 2 - id: 'Standard_D2s_v3' - ram: 8 - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - agentUpdate: { - type: 'Scheduled' - useSessionHostLocalTime: false - maintenanceWindowTimeZone: 'Alaskan Standard Time' - maintenanceWindows: [ - { - 
hour: 7 - dayOfWeek: 'Friday' - } - { - hour: 8 - dayOfWeek: 'Saturday' - } - ] - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.desktopvirtualization.hostpools-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvhpcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + description: 'My first AVD Host Pool' + friendlyName: 'AVDv2' + type: 'Pooled' + loadBalancerType: 'BreadthFirst' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxSessionLimit: 99999 + personalDesktopAssignmentType: 'Automatic' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + vmTemplate: { + customImageId: null + domain: 'domainname.onmicrosoft.com' + galleryImageOffer: 'office-365' + galleryImagePublisher: 'microsoftwindowsdesktop' + galleryImageSKU: '20h1-evd-o365pp' + imageType: 'Gallery' + imageUri: null + namePrefix: 'avdv2' + osDiskType: 'StandardSSD_LRS' + useManagedDisks: true + vmSize: { + cores: 2 + id: 'Standard_D2s_v3' + ram: 8 + } + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + agentUpdate: { + type: 'Scheduled' + useSessionHostLocalTime: false + 
maintenanceWindowTimeZone: 'Alaskan Standard Time' + maintenanceWindows: [ + { + hour: 7 + dayOfWeek: 'Friday' + } + { + hour: 8 + dayOfWeek: 'Saturday' + } + ] + } + } +} + diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 0d1ab1e93e..308494dfb9 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -79,9 +79,7 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { personalDesktopAssignmentType: 'Automatic' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -192,9 +190,7 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
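Review bot: Every line of main.test.bicep is shown as removed and re-added, although the only content change visible in this hunk is the roleAssignments entry going from a `principalIds: [ ... ]` list to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`. That pattern usually points at a line-ending or BOM change riding along with the functional change; if that is the case here, normalising line endings in a separate commit (or via a `.gitattributes` rule) would keep the one-line contract change reviewable. The test itself still only exercises a single `Reader` assignment for a `ServicePrincipal`, so none of the new optional members (`condition`, `conditionVersion`, `delegatedManagedIdentityResourceId`) of the typed parameter are covered by this test case.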
@@ -551,7 +547,68 @@ The ring number of HostPool. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ssoadfsAuthority` diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 4ec3daa00b..618cba9ea6 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep 
@@ -89,7 +89,7 @@ param preferredAppGroupType string = 'Desktop'
 param startVMOnConnect bool = false
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available.')
 @allowed([
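Review bot: The `@sys.description` on `roleAssignments` still tells callers to supply `'principalIds'`, but the new `roleAssignmentType` the parameter now uses has a required `principalId` string and no `principalIds` member, so the documentation contradicts the type it sits on. Update the unchanged context line to `... contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. ...`; the README hunk for this module and the `metadata.description` in the compiled main.json repeat the same wording and are regenerated from this line.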
@@ -193,6 +193,28 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
 
 var tokenExpirationTime = dateTimeAdd(baseTime, tokenValidityLength)
 
+var builtInRoleNames = {
+  'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
+  'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
+  'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
+  'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
+  'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
+  'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
+  'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
+  'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
+  'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
+  'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
+  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+  'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
+  'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
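Review bot: The `builtInRoleNames` map added here carries 19 entries, while the `nested_roleAssignments.bicep` it replaces (deleted earlier in this patch) resolved 27: `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor` are gone. Because the `roleDefinitionId` lookup in the new `hostPool_roleAssignments` resource falls back to passing the string through unchanged, a caller that still uses one of those display names now gets a deployment-time error instead of the role it previously received. Narrowing the list to roles that make sense on a host pool is a reasonable least-privilege choice, but it is a breaking change for existing consumers; if intended, name the supported display names in the `roleAssignments` description (or in the module README), otherwise re-add the eight entries.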
@@ -256,17 +278,18 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021
   scope: hostPool
 }
 
-module hostPool_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-HostPool-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: hostPool.id
+resource hostPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: hostPool
 }]
 
 @sys.description('The resource ID of the AVD host pool.')
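Review bot: `index` is no longer read anywhere in the new `hostPool_roleAssignments` resource, since the name is now derived with `guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` instead of the old `-HostPool-Rbac-${index}` suffix, so the loop header can be simplified to `[for roleAssignment in (roleAssignments ?? []): {`. The trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`. Worth a one-line comment above `roleDefinitionId` as well, because the fallback behaviour is not obvious: `// Display names are resolved via builtInRoleNames; anything else is passed through and must already be a role definition resource ID.`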
@@ -295,3 +318,26 @@ type lockType = {
   @sys.description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @sys.description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @sys.description('Optional. The description of the role assignment.')
+  description: string?
+
+  @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @sys.description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json
index 9b948e77f8..da16cab4eb 100644
--- a/modules/desktop-virtualization/host-pool/main.json
+++ b/modules/desktop-virtualization/host-pool/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "14351870232207146144"
+      "templateHash": "5367057716312563267"
     },
     "name": "Azure Virtual Desktop (AVD) Host Pools",
     "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.",
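Review bot: In `roleAssignmentType` the member `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice, once as `| null` inside the union and once with the trailing `?`; every other optional member in the type (`description: string?`, `condition: string?`) uses only the `?`. The compiled `main.json` in the next hunk lists the five `allowedValues` without null and sets `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` compiles to the same contract and reads consistently with its siblings.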
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -213,8 +279,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -374,7 +439,28 @@ } ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]" + "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]", + "builtInRoleNames": { + "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", + "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", + "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", + "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", + "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", + "Desktop Virtualization Session Host Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", + "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", + "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -456,160 +542,20 @@ "hostPool_roleAssignments": { "copy": { "name": "hostPool_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-HostPool-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11172902539120316456" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based 
Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/hostPools', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "hostPool" diff --git a/modules/desktop-virtualization/scaling-plan/.bicep/nested_roleAssignments.bicep b/modules/desktop-virtualization/scaling-plan/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 517b6b8cdc..0000000000 --- a/modules/desktop-virtualization/scaling-plan/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,82 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
- 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
- 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
- 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
- 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource scalingPlan 'Microsoft.DesktopVirtualization/scalingPlans@2022-09-09' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(scalingPlan.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: scalingPlan
-}]
diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
index b346cfc8ad..8bac8f3c16 100644
--- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
@@ -1,130 +1,129 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.scalingplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvspcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- hostPoolType: 'Pooled'
- friendlyName: 'My Scaling Plan'
- description: 'My Scaling Plan Description'
- schedules: [ {
- rampUpStartTime: {
- hour: 7
- minute: 0
- }
- peakStartTime: {
- hour: 9
- minute: 0
- }
- rampDownStartTime: {
- hour: 18
- minute: 0
- }
- offPeakStartTime: {
- hour: 20
- minute: 0
- }
- name: 'weekdays_schedule'
- daysOfWeek: [
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- ]
- rampUpLoadBalancingAlgorithm: 'DepthFirst'
- rampUpMinimumHostsPct: 20
- rampUpCapacityThresholdPct: 60
- peakLoadBalancingAlgorithm: 'DepthFirst'
- rampDownLoadBalancingAlgorithm: 'DepthFirst'
- rampDownMinimumHostsPct: 10
- rampDownCapacityThresholdPct: 90
- rampDownForceLogoffUsers: true
- rampDownWaitTimeMinutes: 30
- rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
- rampDownStopHostsWhen: 'ZeroSessions'
- offPeakLoadBalancingAlgorithm: 'DepthFirst'
- }
- ]
- }
-}
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.desktopvirtualization.scalingplans-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvspcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ hostPoolType: 'Pooled'
+ friendlyName: 'My Scaling Plan'
+ description: 'My Scaling Plan Description'
+ schedules: [ {
+ rampUpStartTime: {
+ hour: 7
+ minute: 0
+ }
+ peakStartTime: {
+ hour: 9
+ minute: 0
+ }
+ rampDownStartTime: {
+ hour: 18
+ minute: 0
+ }
+ offPeakStartTime: {
+ hour: 20
+ minute: 0
+ }
+ name: 'weekdays_schedule'
+ daysOfWeek: [
+ 'Monday'
+ 'Tuesday'
+ 'Wednesday'
+ 'Thursday'
+ 'Friday'
+ ]
+ rampUpLoadBalancingAlgorithm: 'DepthFirst'
+ rampUpMinimumHostsPct: 20
+ rampUpCapacityThresholdPct: 60
+ peakLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownMinimumHostsPct: 10
+ rampDownCapacityThresholdPct: 90
+ rampDownForceLogoffUsers: true
+ rampDownWaitTimeMinutes: 30
+ rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
+ rampDownStopHostsWhen: 'ZeroSessions'
+ offPeakLoadBalancingAlgorithm: 'DepthFirst'
+ }
+ ]
+ }
+}
+
diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md
index bc75544c2e..78bd59f231 100644
--- a/modules/desktop-virtualization/scaling-plan/README.md
+++ b/modules/desktop-virtualization/scaling-plan/README.md
@@ -55,9 +55,7 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0'
 hostPoolType: 'Pooled'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -155,9 +153,7 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
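Review bot: Every line of main.test.bicep is shown as removed and re-added although the only substantive change in the hunk is `principalIds: [ ... ]` collapsing to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, plus one new blank line at the end of the file; the 130-to-129 line count matches exactly that, which suggests a line-ending or whitespace normalization was committed together with the functional change. Splitting the normalization into its own commit, or pinning the line-ending style in `.gitattributes` so it cannot recur, would keep the reviewable diff down to the three lines that matter. If the whole-file rewrite is intentional, a sentence saying so in the commit description would spare the next reader the same comparison.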
@@ -394,7 +390,68 @@ Name of the scaling plan. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `schedules` diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep index dab1c3fff6..0a995dedad 100644 --- a/modules/desktop-virtualization/scaling-plan/main.bicep +++ b/modules/desktop-virtualization/scaling-plan/main.bicep 
@@ -88,7 +88,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
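Review bot: The `@sys.description` on the context line above the changed `param roleAssignments roleAssignmentType` still names `'principalIds'`, but the new `roleAssignmentType` defined later in this file exposes a single `principalId` per entry, and the generated README and main.json reproduce the stale name. Suggest `... contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource ...`. Since the parameter is now nullable with no default, the description could also say that omitting it creates no role assignments, which is what the `roleAssignments ?? []` in the resource loop implements.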
@@ -115,6 +115,28 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
   }
 ] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
 
+var builtInRoleNames = {
+  'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
+  'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
+  'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
+  'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
+  'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
+  'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
+  'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
+  'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
+  'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
+  'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
+  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+  'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
+  'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
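Review bot: The new `builtInRoleNames` map drops eight display names that the removed inline nested template in main.json used to resolve — `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor` — so a caller that still passes one of those by name will have the string fall through the lookup in the role-assignment resource and be sent to ARM as a literal `roleDefinitionId`, which presumably fails the deployment instead of mapping to the role. If trimming the list to desktop-virtualization-relevant roles is intended, a short comment above the map such as `// Display names resolvable via roleDefinitionIdOrName; any other value is passed through as a role definition resource ID` and a matching line in the README would make the change discoverable; otherwise the eight entries should be restored.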
@@ -154,17 +176,18 @@ resource scalingplan_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2
   scope: scalingPlan
 }
 
-module scalingplan_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-Workspace-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: scalingPlan.id
+resource scalingplan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: scalingPlan
 }]
 
 @sys.description('The resource ID of the AVD scaling plan.')
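Review bot: `name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seeds the assignment name with the caller-supplied string rather than the resolved role definition, so the same (principal, role) pair written once as a display name and once as a full definition ID yields two different names for what is one assignment at the scope; the second deployment would then presumably be rejected by ARM as a duplicate rather than recognised as the existing resource. If keeping the raw value is deliberate so that names stay stable for existing deployments, that deserves a comment on the line; otherwise seeding the `guid()` with the same ternary used for `roleDefinitionId` removes the ambiguity. Separately, the trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`. Since `principalType` is optional here, the README entry for it could point out that omitting it leaves ARM to infer the type, which is worth stating for callers assigning roles to identities created in the same deployment.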
@@ -178,3 +201,29 @@ output name string = scalingPlan.name @sys.description('The location the resource was deployed into.') output location string = scalingPlan.location +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @sys.description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @sys.description('Optional. The description of the role assignment.') + description: string? + + @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @sys.description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @sys.description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index ce7aa1ec9b..21c65bb3a2 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json 
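Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the trailing `?` already makes the member nullable, which is what the compiled main.json in this commit expresses as `"nullable": true` next to the five allowed values, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner and should compile to the same definition. The description of `conditionVersion` could also state what the role-assignment resource earlier in this file enforces: `@sys.description('Optional. Version of the condition. Only applied when a condition is set; defaults to 2.0 in that case.')`.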
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2358392324334042734" + "templateHash": "17071490045717679430" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -153,8 +222,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -192,10 +260,31 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", + "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", + "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", + "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", + "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'49a72310-ab8d-41df-bbb0-79b649203868')]", + "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", + "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", + "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -209,7 +298,7 @@ } } }, - { + "scalingPlan": { "type": "Microsoft.DesktopVirtualization/scalingPlans", "apiVersion": "2022-09-09", "name": "[parameters('name')]", 
@@ -225,7 +314,7 @@ "description": "[parameters('description')]" } }, - { + "scalingplan_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -239,172 +328,32 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name'))]" + "scalingPlan" ] }, - { + "scalingplan_roleAssignments": { "copy": { "name": "scalingplan_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Workspace-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "919506430332723114" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization 
User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/scalingPlans', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name'))]" + "scalingPlan" ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -432,7 +381,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name')), '2022-09-09', 'full').location]" + "value": "[reference('scalingPlan', '2022-09-09', 'full').location]" } } } \ No newline at end of file diff --git a/modules/desktop-virtualization/workspace/.bicep/nested_roleAssignments.bicep b/modules/desktop-virtualization/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 7e2b4e3804..0000000000 
--- a/modules/desktop-virtualization/workspace/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,82 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.DesktopVirtualization/workspaces@2022-09-09' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: workspace -}] diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep index 08f36e4d8a..32f56ddeb9 100644 --- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep 
@@ -1,100 +1,99 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.desktopvirtualization.workspaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvwcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}' - hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - appGroupResourceIds: [ - nestedDependencies.outputs.applicationGroupResourceId - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - description: 'This is my first AVD Workspace' - friendlyName: 'My first AVD Workspace' - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.desktopvirtualization.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. 
A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvwcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}' + hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + appGroupResourceIds: [ + nestedDependencies.outputs.applicationGroupResourceId + ] + diagnosticStorageAccountId: 
diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + description: 'This is my first AVD Workspace' + friendlyName: 'My first AVD Workspace' + } +} + diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index c864a267f3..b05c088ce9 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -63,9 +63,7 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -134,9 +132,7 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -348,7 +344,68 @@ The name of the workspace to be attach to new Application Group. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index dbb747db0c..c2e95510fb 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep 
@@ -39,7 +39,7 @@ param tags object = {} param enableDefaultTelemetry bool = true @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') @allowed([ 
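Review bot: The `@sys.description` kept directly above the new `param roleAssignments roleAssignmentType` still tells callers the objects carry `'principalIds'`, while the type this parameter now binds to (declared further down in this file) requires a scalar `principalId`. Because the README parameter text is generated from this description, the contradiction is published to users as well (the @@ -348 README hunk repeats it). Changing `\'principalIds\'` to `\'principalId\'` in that description, and re-running the readme generator, keeps the documented contract in line with the enforced one.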
@@ -69,6 +69,28 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ } ] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified +var builtInRoleNames = { + 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') + 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') + 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') + 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') + 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') + 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') + 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') + 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408') + 'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63') + 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') + 
'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') + 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') + 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
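Review bot: The new `builtInRoleNames` map resolves fewer display names than the deleted `nested_roleAssignments.bicep` did; 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application…' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are no longer listed. Since the lookup in `workspace_roleAssignments` falls back to passing the raw string as `roleDefinitionId`, a caller still using one of those names gets a deployment-time failure rather than a compile-time error, and nothing in the commit calls out this narrowing. If the trimming is deliberate (those roles presumably have no meaning at workspace scope), a comment above the map such as `// Only roles applicable at the workspace scope are resolved by name; any other role must be passed as a full role definition resource ID.` would make the contract explicit; otherwise the missing entries should be restored.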
@@ -113,17 +135,18 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202 scope: workspace } -module workspace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-Workspace-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: workspace.id +resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: workspace }] @sys.description('The resource ID of the AVD workspace.') 
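Review bot: The assignment name `guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived from the unresolved input, so the same role supplied once as a display name and once as a role definition ID produces two different deterministic names for what Azure treats as a single assignment (same scope, principal and role), which surfaces only as a conflict at deployment time. Deriving the name from the resolved ID avoids that, e.g. `name: guid(workspace.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`; an existing deployment would be re-created under the new name, so this is a one-time migration to call out. The trailing comment on the `conditionVersion` line also misspells "condition" (`// Must only be set if condition is set`).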
@@ -149,3 +172,26 @@ type lockType = { @sys.description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @sys.description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @sys.description('Optional. The description of the role assignment.') + description: string? + + @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @sys.description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @sys.description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index 8de43e23ad..c459d621e0 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "346606574867500631" + "templateHash": "6072334613714480138" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", 
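Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and then marks the property nullable again with `?`; the sibling optional properties use only `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would be consistent with them. The two required string properties, `roleDefinitionIdOrName` and `principalId`, currently accept an empty string at compile time (the README example literally shows `principalId: ''`), and an empty principal only fails once the role assignment is submitted; a `@minLength(1)` decorator on each would reject that during build. The `condition` description also lost the trailing period the deleted nested template had, which is cosmetic but shows in the generated README.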
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -123,8 +189,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -165,7 +230,28 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", + "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", + "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", + "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", + "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", + "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", + "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'49a72310-ab8d-41df-bbb0-79b649203868')]", + "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", + "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", + "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", + "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -228,160 +314,20 @@ "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Workspace-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10387281728055526723" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "Desktop Virtualization User Session Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based 
Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DesktopVirtualization/workspaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "workspace" diff --git a/modules/dev-test-lab/lab/.bicep/nested_roleAssignments.bicep b/modules/dev-test-lab/lab/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 63c64c9666..0000000000 --- a/modules/dev-test-lab/lab/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,70 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
-}
-
-resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(lab.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: lab
-}]
diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep
index 3552e13297..2e1638c01f 100644
--- a/modules/dev-test-lab/lab/.test/common/main.test.bicep
+++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep
@@ -1,286 +1,285 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.devtestlab.labs-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dtllcom'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}'
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- location: resourceGroup.location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- resourceType: 'DevTest Lab'
- labName: '${namePrefix}${serviceShort}001'
- }
- announcement: {
- enabled: 'Enabled'
- expirationDate: '2025-12-30T13:00:00.000Z'
- markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown'
- title: 'DevTest announcement title'
- }
- environmentPermission: 'Contributor'
- extendedProperties: {
- RdpConnectionType: '7'
- }
- labStorageType: 'Premium'
- artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId
- premiumDataDisks: 'Enabled'
- support: {
- enabled: 'Enabled'
- markdown: 'DevTest Lab support text.
New line. It also supports Markdown'
- }
- userAssignedIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
- }
- managementIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
- }
- vmCreationResourceGroupId: resourceGroup.id
- browserConnect: 'Enabled'
- disableAutoUpgradeCseMinorVersion: true
- isolateLabResources: 'Enabled'
- encryptionType: 'EncryptionAtRestWithCustomerKey'
- encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId
- virtualnetworks: [
- {
- name: nestedDependencies.outputs.virtualNetworkName
- externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId
- description: 'lab virtual network description'
- allowedSubnets: [
- {
- labSubnetName: nestedDependencies.outputs.subnetName
- resourceId: nestedDependencies.outputs.subnetResourceId
- allowPublicIp: 'Allow'
- }
- ]
- subnetOverrides: [
- {
- labSubnetName: nestedDependencies.outputs.subnetName
- resourceId: nestedDependencies.outputs.subnetResourceId
- useInVmCreationPermission: 'Allow'
- usePublicIpAddressPermission: 'Allow'
- sharedPublicIpAddressConfiguration: {
- allowedPorts: [
- {
- transportProtocol: 'Tcp'
- backendPort: 3389
- }
- {
- transportProtocol: 'Tcp'
- backendPort: 22
- }
- ]
- }
- }
- ]
- }
- ]
- policies: [
- {
- name: nestedDependencies.outputs.subnetName
- evaluatorType: 'MaxValuePolicy'
- factData: nestedDependencies.outputs.subnetResourceId
- factName: 'UserOwnedLabVmCountInSubnet'
- threshold: '1'
- }
- {
- name: 'MaxVmsAllowedPerUser'
- evaluatorType: 'MaxValuePolicy'
- factName: 'UserOwnedLabVmCount'
- threshold: '2'
- }
- {
- name: 'MaxPremiumVmsAllowedPerUser'
- evaluatorType: 'MaxValuePolicy'
- factName: 'UserOwnedLabPremiumVmCount'
- status: 'Disabled'
- threshold: '1'
- }
- {
- name: 'MaxVmsAllowedPerLab'
- evaluatorType: 'MaxValuePolicy'
- factName: 'LabVmCount'
- threshold: '3'
- }
- {
- name: 'MaxPremiumVmsAllowedPerLab'
- evaluatorType: 'MaxValuePolicy'
- factName: 'LabPremiumVmCount'
- threshold: '2'
- }
- {
- name: 'AllowedVmSizesInLab'
- evaluatorType: 'AllowedValuesPolicy'
- factData: ''
- factName: 'LabVmSize'
- threshold: ' ${string('["Basic_A0","Basic_A1"]')}'
- status: 'Enabled'
- }
- {
- name: 'ScheduleEditPermission'
- evaluatorType: 'AllowedValuesPolicy'
- factName: 'ScheduleEditPermission'
- threshold: ' ${string('["None","Modify"]')}'
- }
- {
- name: 'GalleryImage'
- evaluatorType: 'AllowedValuesPolicy'
- factName: 'GalleryImage'
- threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}'
- }
- {
- name: 'EnvironmentTemplate'
- description: 'Public Environment Policy'
- evaluatorType: 'AllowedValuesPolicy'
- factName: 'EnvironmentTemplate'
- threshold: ' ${string('[""]')}'
- }
- ]
- schedules: [
- {
- name: 'LabVmsShutdown'
- taskType: 'LabVmsShutdownTask'
- status: 'Enabled'
- timeZoneId: 'AUS Eastern Standard Time'
- dailyRecurrence: {
- time: '0000'
- }
- notificationSettingsStatus: 'Enabled'
- notificationSettingsTimeInMinutes: 30
- }
- {
- name: 'LabVmAutoStart'
- taskType: 'LabVmsStartupTask'
- status: 'Enabled'
- timeZoneId: 'AUS Eastern Standard Time'
- weeklyRecurrence: {
- time: '0700'
- weekdays: [
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- ]
- }
- }
- ]
- notificationchannels: [
- {
- name: 'autoShutdown'
- description: 'Integration configured for auto-shutdown'
- events: [
- {
- eventName: 'AutoShutdown'
- }
- ]
- emailRecipient: 'mail@contosodtlmail.com'
- webHookUrl: 'https://webhook.contosotest.com'
- notificationLocale: 'en'
- }
- {
- name: 'costThreshold'
- events: [
- {
- eventName: 'Cost'
- }
- ]
- webHookUrl: 'https://webhook.contosotest.com'
- }
- ]
- artifactsources: [
- {
- name: 'Public Repo'
- displayName: 'Public Artifact Repo'
- status: 'Disabled'
- uri: 'https://github.com/Azure/azure-devtestlab.git'
- sourceType: 'GitHub'
- branchRef: 'master'
- folderPath: '/Artifacts'
- }
- {
- name: 'Public Environment Repo'
- displayName: 'Public Environment Repo'
- status: 'Disabled'
- uri: 'https://github.com/Azure/azure-devtestlab.git'
- sourceType: 'GitHub'
- branchRef: 'master'
- armTemplateFolderPath: '/Environments'
- }
- ]
- costs: {
- status: 'Enabled'
- cycleType: 'CalendarMonth'
- target: 450
- thresholdValue100DisplayOnChart: 'Enabled'
- thresholdValue100SendNotificationWhenExceeded: 'Enabled'
- }
- }
-}
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.devtestlab.labs-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dtllcom'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
+ diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceGroup.location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ resourceType: 'DevTest Lab'
+ labName: '${namePrefix}${serviceShort}001'
+ }
+ announcement: {
+ enabled: 'Enabled'
+ expirationDate: '2025-12-30T13:00:00.000Z'
+ markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown'
+ title: 'DevTest announcement title'
+ }
+ environmentPermission: 'Contributor'
+ extendedProperties: {
+ RdpConnectionType: '7'
+ }
+ labStorageType: 'Premium'
+ artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId
+ premiumDataDisks: 'Enabled'
+ support: {
+ enabled: 'Enabled'
+ markdown: 'DevTest Lab support text.
New line. It also supports Markdown'
+ }
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ managementIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ vmCreationResourceGroupId: resourceGroup.id
+ browserConnect: 'Enabled'
+ disableAutoUpgradeCseMinorVersion: true
+ isolateLabResources: 'Enabled'
+ encryptionType: 'EncryptionAtRestWithCustomerKey'
+ encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId
+ virtualnetworks: [
+ {
+ name: nestedDependencies.outputs.virtualNetworkName
+ externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId
+ description: 'lab virtual network description'
+ allowedSubnets: [
+ {
+ labSubnetName: nestedDependencies.outputs.subnetName
+ resourceId: nestedDependencies.outputs.subnetResourceId
+ allowPublicIp: 'Allow'
+ }
+ ]
+ subnetOverrides: [
+ {
+ labSubnetName: nestedDependencies.outputs.subnetName
+ resourceId: nestedDependencies.outputs.subnetResourceId
+ useInVmCreationPermission: 'Allow'
+ usePublicIpAddressPermission: 'Allow'
+ sharedPublicIpAddressConfiguration: {
+ allowedPorts: [
+ {
+ transportProtocol: 'Tcp'
+ backendPort: 3389
+ }
+ {
+ transportProtocol: 'Tcp'
+ backendPort: 22
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ policies: [
+ {
+ name: nestedDependencies.outputs.subnetName
+ evaluatorType: 'MaxValuePolicy'
+ factData: nestedDependencies.outputs.subnetResourceId
+ factName: 'UserOwnedLabVmCountInSubnet'
+ threshold: '1'
+ }
+ {
+ name: 'MaxVmsAllowedPerUser'
+ evaluatorType: 'MaxValuePolicy'
+ factName: 'UserOwnedLabVmCount'
+ threshold: '2'
+ }
+ {
+ name: 'MaxPremiumVmsAllowedPerUser'
+ evaluatorType: 'MaxValuePolicy'
+ factName: 'UserOwnedLabPremiumVmCount'
+ status: 'Disabled'
+ threshold: '1'
+ }
+ {
+ name: 'MaxVmsAllowedPerLab'
+ evaluatorType: 'MaxValuePolicy'
+ factName: 'LabVmCount'
+ threshold: '3'
+ }
+ {
+ name: 'MaxPremiumVmsAllowedPerLab'
+ evaluatorType: 'MaxValuePolicy'
+ factName: 'LabPremiumVmCount'
+ threshold: '2'
+ }
+ {
+ name: 'AllowedVmSizesInLab'
+ evaluatorType: 'AllowedValuesPolicy'
+ factData: ''
+ factName: 'LabVmSize'
+ threshold: ' ${string('["Basic_A0","Basic_A1"]')}'
+ status: 'Enabled'
+ }
+ {
+ name: 'ScheduleEditPermission'
+ evaluatorType: 'AllowedValuesPolicy'
+ factName: 'ScheduleEditPermission'
+ threshold: ' ${string('["None","Modify"]')}'
+ }
+ {
+ name: 'GalleryImage'
+ evaluatorType: 'AllowedValuesPolicy'
+ factName: 'GalleryImage'
+ threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}'
+ }
+ {
+ name: 'EnvironmentTemplate'
+ description: 'Public Environment Policy'
+ evaluatorType: 'AllowedValuesPolicy'
+ factName: 'EnvironmentTemplate'
+ threshold: ' ${string('[""]')}'
+ }
+ ]
+ schedules: [
+ {
+ name: 'LabVmsShutdown'
+ taskType: 'LabVmsShutdownTask'
+ status: 'Enabled'
+ timeZoneId: 'AUS Eastern Standard Time'
+ dailyRecurrence: {
+ time: '0000'
+ }
+ notificationSettingsStatus: 'Enabled'
+ notificationSettingsTimeInMinutes: 30
+ }
+ {
+ name: 'LabVmAutoStart'
+ taskType: 'LabVmsStartupTask'
+ status: 'Enabled'
+ timeZoneId: 'AUS Eastern Standard Time'
+ weeklyRecurrence: {
+ time: '0700'
+ weekdays: [
+ 'Monday'
+ 'Tuesday'
+ 'Wednesday'
+ 'Thursday'
+ 'Friday'
+ ]
+ }
+ }
+ ]
+ notificationchannels: [
+ {
+ name: 'autoShutdown'
+ description: 'Integration configured for auto-shutdown'
+ events: [
+ {
+ eventName: 'AutoShutdown'
+ }
+ ]
+ emailRecipient: 'mail@contosodtlmail.com'
+ webHookUrl: 'https://webhook.contosotest.com'
+ notificationLocale: 'en'
+ }
+ {
+ name: 'costThreshold'
+ events: [
+ {
+ eventName: 'Cost'
+ }
+ ]
+ webHookUrl: 'https://webhook.contosotest.com'
+ }
+ ]
+ artifactsources: [
+ {
+ name: 'Public Repo'
+ displayName: 'Public Artifact Repo'
+ status: 'Disabled'
+ uri: 'https://github.com/Azure/azure-devtestlab.git'
+ sourceType: 'GitHub'
+ branchRef: 'master'
+ folderPath: '/Artifacts'
+ }
+ {
+ name: 'Public Environment Repo'
+ displayName: 'Public Environment Repo'
+ status: 'Disabled'
+ uri: 'https://github.com/Azure/azure-devtestlab.git'
+ sourceType: 'GitHub'
+ branchRef: 'master'
+ armTemplateFolderPath: '/Environments'
+ }
+ ]
+ costs: {
+ status: 'Enabled'
+ cycleType: 'CalendarMonth'
+ target: 450
+ thresholdValue100DisplayOnChart: 'Enabled'
+ thresholdValue100SendNotificationWhenExceeded: 'Enabled'
+ }
+ }
+}
+
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index 086d52b067..2a87c61821 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -191,9 +191,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 premiumDataDisks: 'Enabled'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -474,9 +472,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
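Review bot: The only functional change in this hunk is the `roleAssignments` entry going from `principalIds: [ nestedDependencies.outputs.managedIdentityPrincipalId ]` to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, yet the hunk removes and re-adds all 286 lines, which hides that change from review and from blame. Every other line appears byte-identical on both sides and the new side gains one trailing empty line, so this looks like a line-ending or whitespace rewrite; if so, normalizing endings via a `.gitattributes` `text=auto` rule in a separate commit would keep the functional diff readable. The test also still exercises only a single `Reader` assignment with `principalType`, so the `condition`, `conditionVersion` and `delegatedManagedIdentityResourceId` members of the new `roleAssignments` object shape are not covered by this scenario.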
@@ -856,7 +852,68 @@ The setting to enable usage of premium data disks. When its value is "Enabled", Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `schedules` diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index 91e29b6080..f11bfed17d 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep 
@@ -12,7 +12,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -116,6 +116,16 @@ param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
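Review bot: The `@description` on `param roleAssignments` still tells callers to supply `'principalIds'`, but the new `roleAssignmentType` (added at the bottom of this file) requires a single `principalId` per entry, so the generated README and anyone reading the parameter help will reach for a property the type no longer has. Suggest `@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. ...')`, keeping the rest of the sentence as is. The README text in this same commit is regenerated from that string, so fixing it here fixes both.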
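Review bot: The new `builtInRoleNames` map resolves only seven display names, whereas the nested role-assignment template this commit removes (visible further down in main.json) resolved fifteen, including 'Log Analytics Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. Any name not in the map is passed through verbatim as `roleDefinitionId`, so a caller who previously used one of the dropped names now gets an opaque deployment-time failure rather than a validation error. Either carry the dropped entries over, or state in the parameter description that only the listed names are resolved and everything else must be a full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` resource ID.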
@@ -273,17 +283,18 @@ module lab_costs 'cost/main.bicep' = if (!empty(costs)) {
   }
 }
 
-module lab_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: lab.id
+resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: lab
 }]
 
 @description('The principal ID of the system assigned identity.')
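Review bot: `name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seeds the assignment name with the caller's raw input rather than the resolved `roleDefinitionId`, so the same principal/role pair given once as `'Reader'` and once as its full resource ID yields two different names for what ARM treats as one assignment; the second deployment is then likely to fail as a duplicate instead of being idempotent. Seeding with the resolved value keeps redeployments stable: `name: guid(lab.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Note this is a pre-existing quirk the old nested template also had, so changing it would rename existing assignments on upgrade — worth calling out in the changelog if you take it. Also fix the typo in the trailing comment: `// Must only be set if condition is set`.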
@@ -315,3 +326,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json
index 75806465ef..96178a5f66 100644
--- a/modules/dev-test-lab/lab/main.json
+++ b/modules/dev-test-lab/lab/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "13792715418328262207"
+      "templateHash": "2990102608284967773"
     },
     "name": "DevTest Labs",
     "description": "This module deploys a DevTest Lab.",
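Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property nullable with `?`, which says the same thing twice and differs from the form used for `lockType.kind` directly above. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads the same to the compiler — the compiled main.json in this commit already emits it as an enum with `"nullable": true` — so this is style only. It would also help callers to extend the `principalType` description with why they should set it, e.g. `@description('Optional. The principal type of the assigned principal ID. Set it when assigning to a newly created identity so the deployment does not depend on directory replication.')` — that rationale is my inference from how role assignments are commonly deployed, so confirm before documenting it.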
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -268,7 +333,16 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" + } }, "resources": { "defaultTelemetry": { 
@@ -330,6 +404,28 @@ "lab" ] }, + "lab_roleAssignments": { + "copy": { + "name": "lab_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DevTestLab/labs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "lab" + ] + }, "lab_virtualNetworks": { "copy": { "name": "lab_virtualNetworks", 
@@ -1623,156 +1719,6 @@ "dependsOn": [ "lab" ] - }, - "lab_roleAssignments": { - "copy": { - "name": "lab_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DevTestLab/labs', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5435640009728678460" - } - }, - "parameters": { - "principalIds": { - "type": "array", 
- "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DevTestLab/labs/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DevTestLab/labs', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "lab" - ] } }, "outputs": { diff --git a/modules/digital-twins/digital-twins-instance/.bicep/nested_roleAssignments.bicep b/modules/digital-twins/digital-twins-instance/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 97c49e423b..0000000000 --- a/modules/digital-twins/digital-twins-instance/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Digital Twins Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe') - 'Azure Digital Twins Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2022-05-31' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(digitalTwinsInstance.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: digitalTwinsInstance -}] diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index 214300847b..c22b836915 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep 
@@ -1,127 +1,126 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.digitaltwins.digitaltwinsinstances-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtdticom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' - eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' - serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' - eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, 
location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' - eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - eventHubEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId - } - serviceBusEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId - } - eventGridEndpoint: { - eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId - topicEndpoint: nestedDependencies.outputs.eventGridEndpoint - } - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - 
- nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'API' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalResourceId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.digitaltwins.digitaltwinsinstances-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtdticom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' + serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' + eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.eventhubName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + serviceBusEndpoint: { + authenticationType: 
'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.serviceBusTopicName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + eventGridEndpoint: { + eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId + topicEndpoint: nestedDependencies.outputs.eventGridEndpoint + } + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'API' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 103d299b2c..072c8dcdb8 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md 
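Review bot: Apart from the `principalIds` → `principalId` change inside `roleAssignments`, every line of this test file is removed and re-added unchanged, which looks like a line-ending or whitespace normalisation folded into a functional commit; it hides the real three-line change from reviewers and from `git blame`. If it is a CRLF→LF fix, a `.gitattributes` rule such as `*.bicep text eol=lf` plus a separate whitespace-only commit would keep this hunk to the `roleAssignments` block. While the file is being rewritten anyway, the stray blank lines inside `privateDnsZoneResourceIds: [ … ]` around `nestedDependencies.outputs.privateDNSZoneResourceId` and the empty trailing `+` line at end of file are carried over and could be dropped.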
@@ -79,9 +79,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
     ]
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
@@ -170,9 +168,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
     "roleAssignments": {
       "value": [
         {
-          "principalIds": [
-            ""
-          ],
+          "principalId": "",
           "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
@@ -418,7 +414,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceBusEndpoint` diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 1b66f5077c..afb4470480 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep 
@@ -84,7 +84,7 @@ param diagnosticMetricsToEnable array = [
 ]
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 var enableReferencedModulesTelemetry = false
 
@@ -113,6 +113,16 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
   enabled: true
 }]
 
+var builtInRoleNames = {
+  'Azure Digital Twins Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')
+  'Azure Digital Twins Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
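Review bot: The `@description` on `param roleAssignments` still tells callers to supply a `'principalIds'` property, while the `roleAssignmentType` the parameter now uses requires a single `principalId` per entry, so the text that the README and `main.json` metadata are generated from is stale. Change the wording to `... that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource ...` and regenerate; the same stale sentence appears in the `main.json` parameter-metadata hunk further down. The `builtInRoleNames` map in the second hunk on this line resolves `Owner`, `User Access Administrator` and the RBAC Administrator role by display name, which is fine for a generic module but deserves a one-line comment such as `// Display-name lookup for roleDefinitionIdOrName; privileged roles (Owner, User Access Administrator) are resolvable by name here` so reviewers of consuming templates know that by-name assignment of privileged roles is supported.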
@@ -227,17 +237,18 @@ resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnostics
   scope: digitalTwinsInstance
 }
 
-module digitalTwinsInstance_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: digitalTwinsInstance.id
+resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: digitalTwinsInstance
 }]
 
 @description('The resource ID of the Digital Twins Instance.')
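Review bot: The inline comment on the `conditionVersion` line misspells `condition` (`condtion`); it should read `// Must only be set if condition is set`. The loop index `index` is no longer used now that the resource name is a `guid(...)`, so the header can become `[for roleAssignment in (roleAssignments ?? []): {`. The name is keyed on the raw `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, which keeps existing assignment names stable across this refactor, but I believe it means the same role supplied once by display name and once by ID in a single deployment would yield two names for one ARM assignment and fail at deploy time; a short comment on the `name:` line stating that the raw value is intentional for name stability would save the next reader that question.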
@@ -266,3 +277,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
index f156f61380..6c8da212c8 100644
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ b/modules/digital-twins/digital-twins-instance/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "18430271797869106154"
+      "templateHash": "3171798738610144721"
     },
     "name": "Digital Twins Instances",
     "description": "This module deploys an Azure Digital Twins Instance.",
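Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the member optional with `?`, which is redundant and inconsistent with the sibling members such as `description: string?`; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract. After that change the compiled `main.json` should be regenerated so its `allowedValues` for `principalType` stays in sync with the Bicep source. The `templateHash` hunk for `main.json` on this same line is generated output and needs no separate review.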
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -196,8 +262,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -226,7 +291,16 @@ "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", + "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + 
"User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -286,6 +360,28 @@ "digitalTwinsInstance" ] }, + "digitalTwinsInstance_roleAssignments": { + "copy": { + "name": "digitalTwinsInstance_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "digitalTwinsInstance" + ] + }, 
"digitalTwinsInstance_eventHubEndpoint": { "condition": "[not(empty(parameters('eventHubEndpoint')))]", "type": "Microsoft.Resources/deployments", 
@@ -1344,157 +1440,6 @@ "dependsOn": [ "digitalTwinsInstance" ] - }, - "digitalTwinsInstance_roleAssignments": { - "copy": { - "name": "digitalTwinsInstance_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"4249531612554442902" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] } }, "outputs": { 
diff --git a/modules/document-db/database-account/.bicep/nested_roleAssignments.bicep b/modules/document-db/database-account/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 33516ef837..0000000000 --- a/modules/document-db/database-account/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,73 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - CosmosBackupOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb') - CosmosRestoreOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(databaseAccount.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: databaseAccount -}] diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/.test/gremlindb/main.test.bicep index 9fa566c8d1..2e866cecf8 100644 --- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep +++ b/modules/document-db/database-account/.test/gremlindb/main.test.bicep 
@@ -1,151 +1,150 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddagrm' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}002' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - capabilitiesToAdd: [ - 'EnableGremlin' - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gremlinDatabases: [ - { - graphs: [ - { - indexingPolicy: { - automatic: true - } - name: 'car_collection' - partitionKeyPaths: [ - '/car_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'truck_collection' - partitionKeyPaths: [ - '/truck_id' - ] - } - ] - name: '${namePrefix}-gdb-${serviceShort}-001' - } - { - collections: [ - { - indexingPolicy: { - automatic: true - } - name: 'bike_collection' - partitionKeyPaths: [ - '/bike_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'bicycle_collection' - partitionKeyPaths: [ - '/bicycle_id' - ] - } - ] - name: '${namePrefix}-gdb-${serviceShort}-002' - } - ] - location: location - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddagrm' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, 
location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + capabilitiesToAdd: [ + 'EnableGremlin' + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gremlinDatabases: [ + { + graphs: [ + { + indexingPolicy: { + automatic: true + } + name: 'car_collection' + partitionKeyPaths: [ + '/car_id' + ] + } + { + indexingPolicy: { + automatic: true + } + name: 'truck_collection' + partitionKeyPaths: [ + '/truck_id' + ] + } + ] + name: '${namePrefix}-gdb-${serviceShort}-001' + } + { + collections: [ + { + indexingPolicy: { + automatic: true + } + name: 'bike_collection' + partitionKeyPaths: [ + '/bike_id' + ] + } + { + indexingPolicy: { + automatic: true + } + name: 'bicycle_collection' + partitionKeyPaths: [ + '/bicycle_id' + ] + } + ] + name: '${namePrefix}-gdb-${serviceShort}-002' + } + ] + location: location + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/.test/mongodb/main.test.bicep index 96321848a4..ced367df7d 100644 
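Review bot: The only functional change on the new side is the `roleAssignments` entry switching from a `principalIds` array to a single `principalId` (`principalId: nestedDependencies.outputs.managedIdentityPrincipalId`), yet every line of the file is shown as removed and re-added (151 → 150 lines), which suggests a line-ending or whitespace normalisation was folded into the same rewrite; the same applies to the mongodb, plain and sqldb test hunks below. Splitting that normalisation into its own commit (or a `.gitattributes` `text=auto` rule) would leave a one-line diff that reviewers can actually audit, which matters for a change that alters how the grantee of a role assignment is expressed. The new test exercises only `principalId` and `principalType`; the `condition`, `conditionVersion`, `delegatedManagedIdentityResourceId` and `description` fields that the README in this same commit documents for role assignment objects are not covered by any of the four tests, so a regression in how those are mapped would go unnoticed — adding one role assignment with `condition` and `conditionVersion` set to one of the tests would close that gap.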
--- a/modules/document-db/database-account/.test/mongodb/main.test.bicep +++ b/modules/document-db/database-account/.test/mongodb/main.test.bicep 
@@ -1,284 +1,283 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddamng' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - location: location - mongodbDatabases: [ - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'car_id' - 'car_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'car_collection' - shardKey: { - car_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'truck_id' - 'truck_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'truck_collection' - shardKey: { - truck_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-001' - } - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bike_id' - 'bike_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bike_collection' - 
shardKey: { - bike_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bicycle_id' - 'bicycle_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bicycle_collection' - shardKey: { - bicycle_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-002' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddamng' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + 
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + location: location + mongodbDatabases: [ + { + collections: [ + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'car_id' + 'car_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'car_collection' + shardKey: { + car_id: 'Hash' + } + } + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'truck_id' + 'truck_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'truck_collection' + shardKey: { + truck_id: 'Hash' + } + } + ] + name: '${namePrefix}-mdb-${serviceShort}-001' + } + { + collections: [ + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'bike_id' + 'bike_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'bike_collection' + shardKey: { + bike_id: 'Hash' + } + } + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'bicycle_id' + 'bicycle_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'bicycle_collection' + shardKey: { + bicycle_id: 'Hash' + } + } + ] + name: '${namePrefix}-mdb-${serviceShort}-002' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + tags: { + 'hidden-title': 'This is visible in the resource name' + 
Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/.test/plain/main.test.bicep index edc31ecb87..d04162c5a2 100644 --- a/modules/document-db/database-account/.test/plain/main.test.bicep +++ b/modules/document-db/database-account/.test/plain/main.test.bicep 
@@ -1,102 +1,101 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddapln' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddapln' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + 
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 970cbc6ebc..1f3bf9433f 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep 
@@ -1,195 +1,194 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddasql' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// 
============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - location: location - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'Sql' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - sqlDatabases: [ - { - containers: [ - { - kind: 'Hash' - name: 'container-001' - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - throughput: 600 - } - ] - name: '${namePrefix}-sql-${serviceShort}-001' - throughput: 1000 - } - { - containers: [] - name: '${namePrefix}-sql-${serviceShort}-002' - 
} - { - containers: [ - { - kind: 'Hash' - name: 'container-003' - autoscaleSettingsMaxThroughput: 1000 - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - } - ] - name: '${namePrefix}-sql-${serviceShort}-003' - autoscaleSettingsMaxThroughput: 1000 - } - ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddasql' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + location: location + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'Sql' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sqlDatabases: [ + { + containers: [ + { + kind: 'Hash' + name: 'container-001' + indexingPolicy: { + automatic: true + } + paths: [ + '/myPartitionKey' + ] + analyticalStorageTtl: 0 + conflictResolutionPolicy: { + conflictResolutionPath: '/myCustomId' + mode: 'LastWriterWins' + } + defaultTtl: 1000 + uniqueKeyPolicyKeys: [ + { + paths: [ + '/firstName' + ] + } + { + paths: [ + '/lastName' + ] + } + ] + throughput: 600 + } + ] + name: '${namePrefix}-sql-${serviceShort}-001' + throughput: 1000 + } + { + containers: [] + name: '${namePrefix}-sql-${serviceShort}-002' + } + { + containers: [ + { + kind: 'Hash' + name: 'container-003' + autoscaleSettingsMaxThroughput: 1000 + indexingPolicy: { + automatic: true + } + paths: [ + '/myPartitionKey' + ] + analyticalStorageTtl: 0 + conflictResolutionPolicy: { + conflictResolutionPath: '/myCustomId' + mode: 'LastWriterWins' + } + defaultTtl: 1000 + uniqueKeyPolicyKeys: [ + { + paths: [ + '/firstName' + ] + } + { + paths: [ + '/lastName' + ] + } + ] + } + ] + name: '${namePrefix}-sql-${serviceShort}-003' + autoscaleSettingsMaxThroughput: 1000 + } + ] + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 
'DeploymentValidation' + } + } +} + diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 9031e0fb1e..5f94a99e44 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -124,9 +124,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { location: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -248,9 +246,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -490,9 +486,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -745,9 +739,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -806,9 +798,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -877,9 +867,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
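Review bot: The `privateDnsZoneResourceIds` array in the sqldb test keeps two empty lines around its single element (`privateDnsZoneResourceIds: [` / blank / `nestedDependencies.outputs.privateDNSZoneResourceId` / blank / `]`), which the rewrite carried over from the old side; since the whole file was re-emitted anyway, this was the moment to collapse it to the three-line form every other array in the file uses. Unlike the other three test files, this one also attaches the same managed identity via `userAssignedIdentities` that receives the `Reader` role through `roleAssignments`, which is fine for a deployment-validation test but worth a one-line comment such as `// same MI is both attached to the account and granted Reader on it, covering both identity paths` so the double use is not mistaken for an accident.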
@@ -946,9 +934,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -1109,9 +1095,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -1480,7 +1464,68 @@ Configuration details for private endpoints. For security reasons, it is recomme Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serverVersion` diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 37ab5669f4..5f69ff9d06 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep 
@@ -77,7 +77,7 @@ param enableDefaultTelemetry bool = true
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
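Review bot: The `@description` on `param roleAssignments roleAssignmentType` (kept as an unchanged context line in this hunk) still instructs callers to supply `'principalIds'`, but the new `roleAssignmentType` has a required `principalId` string and no `principalIds` member, so the documentation now contradicts the type it annotates. Because the README parameter text is generated from this description, the same stale wording survives in the README hunks of this commit. Replace `\'principalIds\'` with `\'principalId\'` in the description string, and consider adding that only the display names listed in `builtInRoleNames` are resolved, so any other value must be a fully qualified role definition ID.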
@@ -258,6 +258,19 @@ var databaseAccount_properties = union({ } } : {})) +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Cosmos DB Account Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') + 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') + CosmosBackupOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb') + CosmosRestoreOperator: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f') + 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -301,17 +314,18 @@ resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettin
 scope: databaseAccount
 }
 
-module databaseAccount_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: databaseAccount.id
+resource databaseAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: databaseAccount
 }]
 
 module databaseAccount_sqlDatabases 'sql-database/main.bicep' = [for sqlDatabase in sqlDatabases: {
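Review bot: `name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the unresolved `roleDefinitionIdOrName`, while `properties.roleDefinitionId` on the next lines uses the resolved value, so two entries that refer to the same role once by display name and once by its full definition ID get different resource names but the same effective assignment; ARM will presumably reject the second as a duplicate instead of deduplicating it. The formula is the one the removed nested template also used, so changing it would rename (and therefore recreate) existing assignments on upgrade — if that is acceptable, derive the name from the resolved ID, e.g. `name: guid(databaseAccount.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`; otherwise document the limitation on `roleAssignmentType`. Separately, the trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`.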
@@ -396,3 +410,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json
index 79808d511c..363ae739f7 100644
--- a/modules/document-db/database-account/main.json
+++ b/modules/document-db/database-account/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13886795261024794795" + "templateHash": "10157225997571423198" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
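Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` marks the member nullable twice, whereas every other optional member in the type relies on the trailing `?` alone; the compiled `main.json` in this commit records only `"nullable": true` with the five string values, so the `| null` contributes nothing. For consistency use `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The description of `roleDefinitionIdOrName` could also state the contract the resource actually implements: only names present in `builtInRoleNames` are resolved, and any other value is passed through verbatim as `roleDefinitionId`, so a misspelled display name is not looked up and will presumably fail at deployment time.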
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -184,8 +250,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -395,7 +460,19 @@ "kind": "[if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('gremlinDatabases')))), 'GlobalDocumentDB', if(not(empty(parameters('mongodbDatabases'))), 'MongoDB', 'Parse'))]", "enableReferencedModulesTelemetry": false, "backupPolicy": "[if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('type', parameters('backupPolicyType'), 'continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject('type', parameters('backupPolicyType'), 'periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))))]", - "databaseAccount_properties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType')), if(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'locations', variables('databaseAccount_locations'), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 'backupPolicy', variables('backupPolicy')), createObject()), if(not(empty(parameters('sqlDatabases'))), createObject('enableAutomaticFailover', parameters('automaticFailover')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]" + "databaseAccount_properties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType')), if(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), createObject('consistencyPolicy', 
variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'locations', variables('databaseAccount_locations'), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 'backupPolicy', variables('backupPolicy')), createObject()), if(not(empty(parameters('sqlDatabases'))), createObject('enableAutomaticFailover', parameters('automaticFailover')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "CosmosBackupOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", + "CosmosRestoreOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { 
"defaultTelemetry": { 
@@ -457,151 +534,20 @@ "databaseAccount_roleAssignments": { "copy": { "name": "databaseAccount_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9195274417066284555" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "CosmosRestoreOperator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5432c526-bc82-444a-b7ba-57c5b0b5b34f')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.DocumentDB/databaseAccounts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), 
parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "databaseAccount" diff --git a/modules/network/network-interface/.bicep/nested_roleAssignments.bicep b/modules/network/network-interface/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 902582a911..0000000000 --- a/modules/network/network-interface/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(networkInterface.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: networkInterface -}] diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep index 4fcb9fd47d..980dbff520 100644 --- a/modules/network/network-interface/.test/common/main.test.bicep +++ b/modules/network/network-interface/.test/common/main.test.bicep 
@@ -1,119 +1,118 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.network.networkinterfaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnicom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 
'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - loadBalancerBackendAddressPools: [ - { - id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId - } - ] - name: 'ipconfig01' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - { - subnetResourceId: nestedDependencies.outputs.subnetResourceId - applicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' 
+ +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.network.networkinterfaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnicom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + 
} +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + loadBalancerBackendAddressPools: [ + { + id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId + } + ] + name: 'ipconfig01' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index be06487b77..e9af14e2b3 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md 
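Review bot: All 119 lines of the test file are removed and re-added although the only content change is the role assignment block, `principalIds: [ … ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`; the remainder of the rewrite is presumably a line-ending or trailing-newline normalization (the new version ends with an extra blank line). Committing that normalization separately would keep the substantive change reviewable. The change itself is consistent with the new `roleAssignmentType`, and the test keeps `principalType: 'ServicePrincipal'` for the managed identity it creates in the same deployment, which is the right choice there.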
@@ -81,9 +81,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -164,9 +162,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -433,7 +429,68 @@ The network security group (NSG) to attach to the network interface. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep index efa2c6d6c4..0caf07f3a7 100644 --- a/modules/network/network-interface/main.bicep +++ b/modules/network/network-interface/main.bicep 
@@ -54,7 +54,7 @@ param ipConfigurations array
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -85,6 +85,16 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 enabled: true
 }]
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
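Review bot: The `builtInRoleNames` table added at `@@ -85,6 +85,16 @@` resolves only seven display names, whereas the nested template this commit deletes (its removed `builtInRoleNames` is visible further down in this diff) resolved roughly forty, so a caller that today passes e.g. `'Virtual Machine Contributor'` by name will have that string forwarded verbatim as `roleDefinitionId` and the deployment will fail. The failure is closed rather than open, but it is a silent breaking change for existing consumers, and nothing in the `roleAssignments` description at `@@ -54,7 +54,7 @@` says which names are resolvable. Either restore the commonly used names or state the contract on the table, e.g. `// Only these display names are resolved; any other roleDefinitionIdOrName is passed through unchanged and must be a full role definition resource ID.`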
@@ -158,16 +168,16 @@ resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (
 scope: networkInterface
 }
-module networkInterface_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-NIC-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: networkInterface.id
+resource networkInterface_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(networkInterface.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
 }]
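Review bot: The `name:` of each `Microsoft.Authorization/roleAssignments` resource is seeded with the raw `roleAssignment.roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same role written as `'Reader'` in one run and as its full definition ID in the next yields a different deterministic GUID for what is the same (principal, role, scope) triple; the RBAC service is expected to reject that second create as an already-existing assignment rather than update the first, so a consumer who switches notation will hit a deployment error. Keeping the old seed is defensible for continuity with the deleted nested template, which used the same three inputs, but that trade-off deserves a comment such as `// Seed kept as (scope, principal, unresolved role) for name stability with the previous nested module; do not switch a deployed assignment between role name and role ID.` The inline comment on the `conditionVersion` line also has a typo, `condtion` → `condition`.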
@@ -194,3 +204,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json
index 299670b87c..dd8eb177aa 100644
--- a/modules/network/network-interface/main.json
+++ b/modules/network/network-interface/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3998904758858607142" + "templateHash": "11496161506514027711" }, "name": "Network Interface", "description": "This module deploys a Network Interface.",
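Review bot: The `principalType` description in the new `roleAssignmentType` omits the case where the property matters most: when the principal is a managed identity created in the same deployment, leaving `principalType` unset can let the assignment be evaluated before the new identity has replicated, and the deployment can fail with a principal-not-found error, which is why the test in this commit passes `principalType: 'ServicePrincipal'`. Suggest extending the description to `'Optional. The principal type of the assigned principal ID. Set to \'ServicePrincipal\' when the principal is a managed identity created in the same deployment, so the assignment does not fail while the new identity replicates.'`. The `| null` inside the union on the `principalType` line is also redundant with the trailing `?`, which already makes the property nullable; the compiled `main.json` in this diff shows only `nullable: true` and does not list `null` among the allowed values.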
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -141,8 +207,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -206,7 +271,16 @@ "enabled": true } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -298,175 +372,19 @@ "networkInterface_roleAssignments": { "copy": { "name": "networkInterface_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NIC-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { 
- "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11518733977101662334" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkInterfaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/networkInterfaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "networkInterface" diff --git a/modules/network/public-ip-address/.bicep/nested_roleAssignments.bicep b/modules/network/public-ip-address/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9943b5bd9d..0000000000 --- a/modules/network/public-ip-address/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(publicIpAddress.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: publicIpAddress -}] diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep index eadd4eb23a..36ef8bc40a 100644 --- a/modules/network/public-ip-address/.test/common/main.test.bicep +++ b/modules/network/public-ip-address/.test/common/main.test.bicep 
@@ -1,99 +1,98 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.network.publicipaddresses-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npiacom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} 
- -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - publicIPAllocationMethod: 'Static' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - principalType: 'ServicePrincipal' - } - ] - skuName: 'Standard' - zones: [ - '1' - '2' - '3' - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.network.publicipaddresses-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npiacom' + +@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + 
publicIPAllocationMethod: 'Static' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuName: 'Standard' + zones: [ + '1' + '2' + '3' + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} + diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 59af68c72d..96de4e5541 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -58,9 +58,7 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { publicIPAllocationMethod: 'Static' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -124,9 +122,7 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
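Review bot: The only content change visible in this test file is `principalIds: [ ... ]` becoming `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, yet the hunk header `@@ -1,99 +1,98 @@` shows every line removed and re-added. That pattern usually points to a line-ending or final-newline change rather than an edit; if so, normalising line endings separately (or via `.gitattributes`) would keep the one-line semantic change reviewable instead of burying it in a full-file rewrite.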
@@ -395,7 +391,68 @@ The reverse FQDN. A user-visible, fully qualified domain name that resolves to t Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep index b1258e8630..8e4dbc9e75 100644 --- a/modules/network/public-ip-address/main.bicep +++ b/modules/network/public-ip-address/main.bicep 
@@ -77,7 +77,7 @@ param lock lockType param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -126,6 +126,16 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
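Review bot: The new `builtInRoleNames` map resolves only seven display names, whereas the nested template this commit deletes (`nested_roleAssignments.bicep`) resolved several dozen, so a caller who previously passed a name such as 'Monitoring Contributor' now has that string forwarded unchanged as `roleDefinitionId` and the deployment fails at the role-assignment resource. The `roleAssignments` description in the preceding `@@ -77` hunk still promises "either the display name of the role definition, or its fully qualified ID" without saying which names resolve. Suggest a comment above the variable, `// Only these display names are resolved; any other roleDefinitionIdOrName value must be a full role definition resource ID`, and the same qualification in the parameter description and README so consumers of the module can see the reduced list.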
@@ -186,16 +196,16 @@ resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettin scope: publicIpAddress } -module publicIpAddress_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-PIPAddress-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: publicIpAddress.id +resource publicIpAddress_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(publicIpAddress.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } }] 
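Review bot: The trailing comment on the `conditionVersion` line misspells the keyword it refers to; it should read `// Must only be set if condition is set`. The resource `name` is `guid(publicIpAddress.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so two entries naming the same role once by display name and once by its full ID get distinct names but the same resolved role definition for the same principal; presumably the second one then fails with a conflict at deployment rather than being deduplicated. A comment on the `name` line noting that the guid is derived from the caller's spelling of the role, not the resolved ID, would make that visible. The `roleDefinitionId` fall-through to the raw string is expected for full resource IDs, but it also forwards misspelled names, which only surface as a deployment error.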
@@ -225,3 +235,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json index 6f690a5a8f..f0fa08f211 100644 --- a/modules/network/public-ip-address/main.json +++ b/modules/network/public-ip-address/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
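Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries both an explicit `| null` member and the `?` suffix; the compiled `main.json` in this same commit lists only the five string values with `nullable: true`, so the `| null` appears redundant and `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match the other optional members of the type. The `condition` description also dropped the closing period the deleted nested template had after `"foo_storage_container"`, which is harmless but inconsistent with the other descriptions in `roleAssignmentType`.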
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -181,8 +247,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -257,7 +322,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -329,175 +403,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" From c1074fe2e41e0bde915ec6bd016284a4130314d2 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 22 Oct 2023 06:02:53 +0000 Subject: [PATCH 041/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 76 +++++++++++----------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 2e0db53d37..2803cc3d71 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -13,12 +13,12 @@ This section provides an overview of the library's feature set. | # | Module | Status | RBAC | Locks | Tags | Diag | PE | PIP | # children | # lines | | - | - | - | - | - | - | - | - | - | - | - | -| 1 | aad
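Review bot: The rewritten `publicIpAddress_roleAssignments` resource shows no `scope` property anywhere in the hunk (the new side goes straight from `apiVersion` to `name`), whereas the removed nested template pinned each assignment to `Microsoft.Network/publicIPAddresses/{0}`; if this compiled output is faithful to the source, each assignment is created at the deployment's resource-group scope, granting the principal the role over every resource in the group instead of the single public IP. This main.json looks Bicep-generated (the removed nested template carries `_generator` metadata), so the fix belongs in the module's Bicep source — confirm the role-assignment resource declares `scope: publicIpAddress` and recompile — and a post-deployment check that the created assignment's scope ends with the public IP resource ID would catch a regression. A smaller point: `builtInRoleNames` is trimmed to seven entries in the earlier hunk, so display names that used to resolve (e.g. `Monitoring Reader`) are now passed through verbatim as `roleDefinitionId` and will presumably be rejected at deployment time; the `roleAssignments` parameter description still promises that any display name is accepted and should list the names this module actually maps. The resource's `dependsOn` array closes outside the hunk.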

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 230 | -| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 145 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 421 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 236 | -| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | :white_check_mark: | | :white_check_mark: | | | | | 180 | -| 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | :white_check_mark: | | :white_check_mark: | | | | | 139 | +| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | :white_check_mark: | | | | 254 | +| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | :white_check_mark: | | | | 169 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 449 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 264 | +| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 205 | +| 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | | 8 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | | 9 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | @@ -26,38 +26,38 @@ This section provides an overview of the library's feature set. | 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 369 | +| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 397 | | 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 231 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 245 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 202 | -| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:6, L2:4] | 192 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 286 | -| 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | -| 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | :white_check_mark: | | :white_check_mark: | | | | | 189 | -| 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | :white_check_mark: | | :white_check_mark: | | | | | 133 | -| 23 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 130 | -| 24 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | :white_check_mark: | | :white_check_mark: | | | | | 110 | -| 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | -| 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | :white_check_mark: | | :white_check_mark: | | | | | 75 | -| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 643 | -| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 561 | +| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 270 | +| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 227 | +| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | +| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 334 | +| 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | +| 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | +| 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | +| 23 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | :white_check_mark: | | | | [L1:2] | 155 | +| 24 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | +| 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | +| 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | +| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 680 | +| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 598 | | 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | | 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 359 | -| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 630 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 259 | -| 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 129 | -| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | :white_check_mark: | | :white_check_mark: | | | | | 80 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 318 | -| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 344 | -| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:4] | 343 | -| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 152 | -| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 245 | -| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 154 | -| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 123 | -| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:6, L2:1] | 269 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 226 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 337 | +| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 389 | +| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 668 | +| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 284 | +| 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | +| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 342 | +| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 369 | +| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4] | 367 | +| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 190 | +| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | :white_check_mark: | | | | 283 | +| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | :white_check_mark: | | | | 195 | +| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 161 | +| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 252 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 366 | | 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 179 | | 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 163 | | 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 183 | @@ -103,14 +103,14 @@ This section provides an overview of the library's feature set. | 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 238 | | 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | | :white_check_mark: | | | | | 95 | | 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 160 | -| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 164 | +| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | | 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 140 | | 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 161 | | 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 104 | | 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:9] | 196 | | 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | | 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | | :white_check_mark: | | | | | 92 | -| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 189 | +| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | :white_check_mark: | | | | 214 | | 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | | :white_check_mark: | | | | | 84 | | 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | | 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | | :white_check_mark: | | | | | 80 | @@ -149,7 +149,7 @@ This section provides an overview of the library's feature set. | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 158 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 390 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 201 | -| Sum | | | 110 | 0 | 118 | 57 | 30 | 2 | 234 | 24972 | +| Sum | | | 73 | 0 | 118 | 57 | 30 | 2 | 236 | 26038 | ## Legend From af9f6bd4aa82e7cf5add6f525a7748946274493b Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 22 Oct 2023 12:06:49 +0000 Subject: [PATCH 042/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 802 ++++++++++++++++++++++---------- 1 file changed, 561 insertions(+), 241 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index d017fc29d5..3f72b6e1c0 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -529,7 +529,29 @@ "2023-07-01-preview" ], "services": [ - "2023-07-01-preview" + "2023-07-01-preview", + "2024-03-01" + ], + "services/metadataSchemas": [ + "2024-03-01" + ], + "services/workspaces": [ + "2024-03-01" + ], + "services/workspaces/apis": [ + "2024-03-01" + ], + "services/workspaces/apis/deployments": [ + "2024-03-01" + ], + "services/workspaces/apis/versions": [ + "2024-03-01" + ], + "services/workspaces/apis/versions/definitions": [ + "2024-03-01" + ], + "services/workspaces/environments": [ + "2024-03-01" ] }, "Microsoft.ApiManagement": { @@ -4033,8 +4055,9 @@ "2023-03-01", "2023-06-01", "2023-07-01-preview", + "2023-08-01", "2023-08-01-preview", - "2023-09-01" + "2023-09-01-preview" ], "locations/operationstatuses": [ "2020-10-01", @@ -4057,7 +4080,7 @@ "2023-07-01-preview", "2023-08-01", "2023-08-01-preview", - "2023-09-01" + "2023-09-01-preview" ], "logicalNetworks": [ "2023-09-01-preview" 
@@ -4096,8 +4119,9 @@ "2023-03-01", "2023-06-01", "2023-07-01-preview", + "2023-08-01", "2023-08-01-preview", - "2023-09-01" + "2023-09-01-preview" ], "registeredSubscriptions": [ "2022-09-01", @@ -4105,7 +4129,8 @@ "2022-12-01", "2023-02-01", "2023-03-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "storageContainers": [ "2021-09-01-preview", @@ -4196,7 +4221,8 @@ "bareMetalInstances": [ "2020-08-06-preview", "2021-08-09", - "2023-04-06" + "2023-04-06", + "2023-08-04-preview" ], "bareMetalStorageInstances": [ "2023-04-06", @@ -4205,15 +4231,18 @@ "locations": [ "2020-08-06-preview", "2021-08-09", - "2023-04-06" + "2023-04-06", + "2023-08-04-preview" ], "locations/operationsStatus": [ - "2020-08-06-preview" + "2020-08-06-preview", + "2023-08-04-preview" ], "operations": [ "2020-08-06-preview", "2021-08-09", - "2023-04-06" + "2023-04-06", + "2023-08-04-preview" ] }, "Microsoft.Batch": { @@ -4573,7 +4602,8 @@ "billingAccounts/billingProfiles/billingRoleDefinitions": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/billingSubscriptions": [ "2018-11-01-preview", @@ -4585,11 +4615,22 @@ "billingAccounts/billingProfiles/createBillingRoleAssignment": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/customers": [ "2019-10-01-preview", - "2020-05-01" + "2020-05-01", + "2022-10-01-privatepreview" + ], + "billingAccounts/billingProfiles/customers/billingPermissions": [ + "2022-10-01-privatepreview" + ], + "billingAccounts/billingProfiles/customers/billingRoleAssignments": [ + "2022-10-01-privatepreview" + ], + "billingAccounts/billingProfiles/customers/billingRoleDefinitions": [ + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/departments": [ "2022-10-01-privatepreview" 
@@ -4628,6 +4669,12 @@ "2020-05-01", "2020-11-01-privatepreview" ], + "billingAccounts/billingProfiles/invoices/operationResults": [ + "2018-11-01-preview", + "2019-10-01-preview", + "2020-05-01", + "2020-11-01-privatepreview" + ], "billingAccounts/billingProfiles/invoices/pricesheet": [ "2018-11-01-preview", "2019-10-01-preview" @@ -4640,22 +4687,26 @@ "2019-10-01-preview", "2020-05-01", "2020-11-01-privatepreview", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/invoiceSections/billingPermissions": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/invoiceSections/billingRoleDefinitions": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/invoiceSections/billingSubscriptions": [ "2019-10-01-preview", @@ -4664,7 +4715,8 @@ "billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingProfiles/invoiceSections/initiateTransfer": [ "2019-10-01-preview" @@ -4753,7 +4805,8 @@ "billingAccounts/billingRoleDefinitions": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/billingSubscriptionAliases": [ "2021-10-01" 
@@ -4777,13 +4830,28 @@ "2020-05-01", "2020-11-01-privatepreview" ], + "billingAccounts/billingSubscriptions/invoices/operationResults": [ + "2019-10-01-preview", + "2020-05-01", + "2020-11-01-privatepreview" + ], + "billingAccounts/billingSubscriptions/operationResults": [ + "2018-11-01-preview", + "2019-10-01-preview", + "2020-05-01", + "2020-11-01-privatepreview", + "2020-12-15-privatepreview", + "2021-10-01", + "2022-10-01-privatepreview" + ], "billingAccounts/billingSubscriptions/policies": [ "2022-10-01-privatepreview" ], "billingAccounts/createBillingRoleAssignment": [ "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/createInvoiceSectionOperations": [ "2018-11-01-preview" @@ -4792,7 +4860,8 @@ "2018-11-01-preview", "2019-10-01-preview", "2020-05-01", - "2020-12-15-privatepreview" + "2020-12-15-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/customers/billingPermissions": [ "2019-10-01-preview", @@ -4819,7 +4888,8 @@ "billingAccounts/customers/policies": [ "2019-10-01-preview", "2020-05-01", - "2020-11-01-privatepreview" + "2020-11-01-privatepreview", + "2022-10-01-privatepreview" ], "billingAccounts/customers/products": [ "2019-10-01-preview", @@ -4867,6 +4937,10 @@ "2019-10-01-preview", "2020-12-15-privatepreview" ], + "billingAccounts/enrollmentAccounts/activationStatus": [ + "2019-10-01-preview", + "2020-12-15-privatepreview" + ], "billingAccounts/enrollmentAccounts/billingPermissions": [ "2019-10-01-preview", "2020-05-01", @@ -4897,6 +4971,12 @@ "2020-05-01", "2020-11-01-privatepreview" ], + "billingAccounts/invoices/operationResults": [ + "2018-11-01-preview", + "2019-10-01-preview", + "2020-05-01", + "2020-11-01-privatepreview" + ], "billingAccounts/invoices/summary": [ "2020-11-01-privatepreview" ], 
@@ -5123,12 +5203,13 @@ "permissionRequests": [ "2020-11-01-privatepreview" ], - "policies": [ - "2022-10-01-privatepreview" - ], "promotionalCredits": [ "2020-11-01-privatepreview" ], + "promotionalCredits/operationResults": [ + "2020-11-01-privatepreview", + "2022-10-01-privatepreview" + ], "promotions": [ "2020-09-01-preview", "2020-11-01-preview" @@ -5513,7 +5594,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "locations/asyncOperations": [ "2019-07-01", @@ -5535,7 +5617,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "locations/operationResults": [ "2014-04-01", @@ -5565,7 +5648,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "operations": [ "2014-04-01", @@ -5590,7 +5674,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "redis": [ "2014-04-01", @@ -5761,7 +5846,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "RedisEnterprise/privateEndpointConnectionProxies/operationresults": [ "2020-04-01-preview", @@ -5772,7 +5858,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "RedisEnterprise/privateEndpointConnectionProxies/validate": [ "2020-04-01-preview", @@ -5783,7 +5870,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "redisEnterprise/privateEndpointConnections": [ "2020-04-01-preview", @@ -5807,7 +5895,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "RedisEnterprise/privateLinkResources": [ "2020-04-01-preview", 
@@ -5818,7 +5907,8 @@ "2022-01-01", "2022-11-01-preview", "2023-03-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ] }, "Microsoft.Capacity": { @@ -6904,7 +6994,8 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "locations": [ "2021-09-15-preview", @@ -6912,13 +7003,16 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "locations/operationResults": [ - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "locations/operationStatuses": [ - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "locations/targetTypes": [ "2021-09-15-preview", @@ -6926,7 +7020,8 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "operations": [ "2021-07-01-preview", @@ -6937,7 +7032,8 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "targets": [ "2021-09-15-preview", @@ -6945,7 +7041,8 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview" ], "targets/capabilities": [ "2021-09-15-preview", @@ -8935,7 +9032,8 @@ "2021-05-13-preview", "2022-05-13", "2022-09-08-preview", - "2023-01-26-preview" + "2023-01-26-preview", + "2023-06-28-preview" ], "ledgers": [ "2020-12-01-preview", @@ -8950,7 +9048,8 @@ "2021-05-13-preview", "2022-05-13", "2022-09-08-preview", - "2023-01-26-preview" + "2023-01-26-preview", + "2023-06-28-preview" ], "Locations/operations": [ "2020-12-01-preview", @@ -8962,7 +9061,8 @@ "2021-05-13-preview", "2022-05-13", "2022-09-08-preview", - "2023-01-26-preview" + "2023-01-26-preview", + "2023-06-28-preview" ], "managedCCFs": [ "2022-09-08-preview", 
@@ -8974,7 +9074,8 @@ "2021-05-13-preview", "2022-05-13", "2022-09-08-preview", - "2023-01-26-preview" + "2023-01-26-preview", + "2023-06-28-preview" ] }, "Microsoft.Confluent": { @@ -9276,7 +9377,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Balances": [ "2017-06-30-preview", @@ -9293,7 +9395,8 @@ "2021-10-01", "2022-09-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "budgets": [ "2017-12-30-preview", @@ -9329,7 +9432,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "costTags": [ "2018-03-31", @@ -9342,7 +9446,8 @@ "2019-11-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "credits": [ "2018-08-31", @@ -9352,7 +9457,8 @@ "2021-05-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "events": [ "2018-08-31", @@ -9362,7 +9468,8 @@ "2021-05-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Forecasts": [ "2018-05-31", @@ -9373,7 +9480,8 @@ "2019-05-01", "2019-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "lots": [ "2018-08-31", @@ -9383,7 +9491,8 @@ "2021-05-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Marketplaces": [ "2018-01-31", @@ -9397,7 +9506,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "OperationResults": [ "2018-08-31", @@ -9413,7 +9523,8 @@ "2021-10-01", "2022-06-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Operations": [ "2017-06-30-preview", @@ -9432,7 +9543,8 @@ "2021-10-01", "2022-06-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "OperationStatus": [ "2018-08-31", @@ -9449,7 +9561,8 @@ "2022-06-01", "2022-09-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Pricesheets": [ "2017-06-30-preview", 
@@ -9467,7 +9580,8 @@ "2021-10-01", "2022-06-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "products": [ "2018-08-31", @@ -9475,7 +9589,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "ReservationDetails": [ "2017-06-30-preview", @@ -9491,13 +9606,15 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "ReservationRecommendationDetails": [ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "ReservationRecommendations": [ "2018-03-31", @@ -9510,7 +9627,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "ReservationSummaries": [ "2017-06-30-preview", @@ -9526,7 +9644,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "ReservationTransactions": [ "2017-06-30-preview", @@ -9542,7 +9661,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Tags": [ "2018-03-31", @@ -9560,7 +9680,8 @@ "2019-11-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "tenants": [ "2018-10-01", @@ -9569,7 +9690,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "Terms": [ "2017-12-30-preview", @@ -9583,7 +9705,8 @@ "2019-10-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "UsageDetails": [ "2017-06-30-preview", @@ -9605,7 +9728,8 @@ "2021-01-01", "2021-10-01", "2023-03-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ] }, "Microsoft.ContainerInstance": { @@ -9867,9 +9991,7 @@ }, "Microsoft.ContainerRegistry": { "checkNameAvailability": [ - "2016-06-27-preview", "2017-03-01", - "2017-06-01-preview", "2017-10-01", "2019-05-01", "2019-12-01-preview", @@ -9886,7 +10008,6 @@ "2023-08-01-preview" ], "locations": [ - "2017-06-01-preview", "2017-10-01", "2019-05-01", "2019-05-01-preview", 
@@ -9903,9 +10024,6 @@ "2023-07-01", "2023-08-01-preview" ], - "locations/authorize": [ - "2018-02-01-preview" - ], "locations/deleteVirtualNetworkOrSubnets": [ "2017-10-01", "2019-05-01" @@ -9927,12 +10045,8 @@ "2023-07-01", "2023-08-01-preview" ], - "locations/setupAuth": [ - "2018-02-01-preview" - ], "operations": [ "2017-03-01", - "2017-06-01-preview", "2017-10-01", "2019-05-01", "2019-12-01-preview", @@ -9976,27 +10090,12 @@ "registries/agentPoolsOperationResults": [ "2019-06-01-preview" ], - "registries/builds": [ - "2018-02-01-preview" - ], - "registries/builds/cancel": [ - "2018-02-01-preview" - ], - "registries/builds/getLogLink": [ - "2018-02-01-preview" - ], "registries/buildTasks": [ "2018-02-01-preview" ], - "registries/buildTasks/listSourceRepositoryProperties": [ - "2018-02-01-preview" - ], "registries/buildTasks/steps": [ "2018-02-01-preview" ], - "registries/buildTasks/steps/listBuildArguments": [ - "2018-02-01-preview" - ], "registries/cacheRules": [ "2023-01-01-preview", "2023-06-01-preview", @@ -10059,12 +10158,6 @@ "2023-07-01", "2023-08-01-preview" ], - "registries/getBuildSourceUploadUrl": [ - "2018-02-01-preview" - ], - "registries/GetCredentials": [ - "2016-06-27-preview" - ], "registries/importImage": [ "2017-10-01", "2019-05-01", @@ -10208,9 +10301,6 @@ "2023-07-01", "2023-08-01-preview" ], - "registries/queueBuild": [ - "2018-02-01-preview" - ], "registries/regenerateCredential": [ "2017-03-01", "2017-10-01", @@ -10228,9 +10318,6 @@ "2023-07-01", "2023-08-01-preview" ], - "registries/regenerateCredentials": [ - "2016-06-27-preview" - ], "registries/replications": [ "2017-06-01-preview", "2017-10-01", @@ -10842,7 +10929,8 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01" ], "ManagedClusters/eventGridFilters": [ "2021-02-01", 
@@ -10936,7 +11024,8 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01" ], "managedClusters/privateEndpointConnections": [ "2020-06-01", @@ -10987,7 +11076,8 @@ "2023-07-01", "2023-07-02-preview", "2023-08-01", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01" ], "managedClusters/trustedAccessRoleBindings": [ "2022-04-02-preview", @@ -11006,7 +11096,8 @@ "2023-05-02-preview", "2023-06-02-preview", "2023-07-02-preview", - "2023-08-02-preview" + "2023-08-02-preview", + "2023-09-01" ], "managedclustersnapshots": [ "2022-02-02-preview", @@ -11171,30 +11262,35 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "BenefitRecommendations": [ "2021-11-15-preview", "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "BenefitUtilizationSummaries": [ "2021-11-15-preview", "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "BenefitUtilizationSummariesOperationResults": [ "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "BillingAccounts": [ "2018-03-31", "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "budgets": [ "2019-04-01-preview", @@ -11204,7 +11300,8 @@ "2022-10-01-preview", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "CalculateCost": [ "2023-04-01-preview" @@ -11215,7 +11312,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "CheckConnectorEligibility": [ "2019-03-01-preview" @@ -11227,7 +11325,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "cloudConnectors": [ "2019-03-01-preview" 
@@ -11237,19 +11336,22 @@ ], "costAllocationRules": [ "2020-03-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "CostDetailsOperationResults": [ "2022-05-01", "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "Departments": [ "2018-03-31", "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "Dimensions": [ "2018-05-31", @@ -11267,12 +11369,14 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "EnrollmentAccounts": [ "2018-03-31", "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "exports": [ "2019-01-01", @@ -11288,7 +11392,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalBillingAccounts": [ "2019-03-01-preview" @@ -11300,7 +11405,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalBillingAccounts/Dimensions": [ "2019-03-01-preview", @@ -11312,7 +11418,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalBillingAccounts/Forecast": [ "2018-12-01-preview", @@ -11325,7 +11432,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalBillingAccounts/Query": [ "2019-03-01-preview", @@ -11337,12 +11445,14 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "externalSubscriptions": [ "2019-03-01-preview", "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalSubscriptions/Alerts": [ "2018-08-01-preview", @@ -11351,7 +11461,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalSubscriptions/Dimensions": [ "2019-03-01-preview", 
@@ -11363,7 +11474,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalSubscriptions/Forecast": [ "2018-12-01-preview", @@ -11376,7 +11488,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "ExternalSubscriptions/Query": [ "2019-03-01-preview", @@ -11388,7 +11501,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "fetchMarketplacePrices": [ "2022-03-01", @@ -11396,14 +11510,16 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "fetchMicrosoftPrices": [ "2022-03-01", "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "fetchPrices": [ "2020-01-01-preview", @@ -11421,18 +11537,21 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "GenerateBenefitUtilizationSummariesReport": [ "2023-03-01", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "GenerateCostDetailsReport": [ "2022-05-01", "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "GenerateDetailedCostReport": [ "2020-12-01-preview", @@ -11441,7 +11560,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "GenerateReservationDetailsReport": [ "2019-11-01", @@ -11449,7 +11569,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "Insights": [ "2020-08-01-preview" @@ -11467,7 +11588,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "operations": [ "2018-08-01-preview", @@ -11479,7 +11601,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "OperationStatus": [ "2020-12-01-preview", 
@@ -11491,7 +11614,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "Pricesheets": [ "2022-02-01-preview", @@ -11500,7 +11624,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "Publish": [ "2021-04-01-preview" @@ -11521,14 +11646,16 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "register": [ "2019-03-01-preview" ], "reportconfigs": [ "2018-05-31", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "reports": [ "2018-08-01-preview", @@ -11540,7 +11667,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "scheduledActions": [ "2020-03-01-preview", @@ -11549,7 +11677,8 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "SendMessage": [ "2023-04-01-preview" @@ -11563,14 +11692,16 @@ "2022-10-05-preview", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "showbackRules": [ "2019-02-01-alpha", "2019-02-02-alpha", "2019-02-03-alpha", "2019-03-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ], "StartConversation": [ "2023-04-01-preview" @@ -11587,7 +11718,8 @@ "2022-10-05-preview", "2023-03-01", "2023-04-01-preview", - "2023-08-01" + "2023-08-01", + "2023-09-01" ] }, "Microsoft.CostManagementExports": { @@ -11672,6 +11804,9 @@ "locations": [ "2018-09-01-preview" ], + "locations/operationResults": [ + "2018-09-01-preview" + ], "locations/operationStatuses": [ "2018-09-01-preview" ], @@ -11680,6 +11815,12 @@ ], "resourceProviders": [ "2018-09-01-preview" + ], + "resourceProviders/operationResults": [ + "2018-09-01-preview" + ], + "resourceProviders/operationStatuses": [ + "2018-09-01-preview" ] }, "Microsoft.D365CustomerInsights": { 
@@ -12626,7 +12767,8 @@ "2020-09-01-preview", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "locations": [ "2017-04-15-privatepreview", @@ -12639,7 +12781,8 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "locations/checkNameAvailability": [ "2017-04-15-privatepreview", @@ -12652,7 +12795,11 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" + ], + "locations/migrationServiceOperationResults": [ + "2023-07-15-preview" ], "locations/operationResults": [ "2017-04-15-privatepreview", @@ -12665,7 +12812,8 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "locations/operationStatuses": [ "2017-04-15-privatepreview", @@ -12678,25 +12826,32 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "Locations/OperationTypes": [ "2020-09-01-preview", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "Locations/sqlMigrationServiceOperationResults": [ "2020-09-01-preview", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" + ], + "migrationServices": [ + "2023-07-15-preview" ], "operations": [ "2020-09-01-preview", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "services": [ "2017-04-15-privatepreview", @@ -12709,7 +12864,8 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "services/projects": [ "2017-04-15-privatepreview", 
@@ -12722,7 +12878,8 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "services/projects/files": [ "2018-07-15-preview", @@ -12753,7 +12910,8 @@ "2020-09-01-preview", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ] }, "Microsoft.DataProtection": { @@ -18486,7 +18644,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "services/iomtconnectors": [ "2020-05-01-preview" @@ -18505,7 +18664,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "services/privateEndpointConnections": [ "2020-03-30", @@ -18517,7 +18677,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "services/privateLinkResources": [ "2020-03-30", @@ -18527,7 +18688,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "validateMedtechMappings": [ "2022-01-31-preview" @@ -18540,7 +18702,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "workspaces/analyticsconnectors": [ "2022-10-01-preview" @@ -18553,7 +18716,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "workspaces/eventGridFilters": [ "2021-11-01", @@ -18599,7 +18763,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "workspaces/privateEndpointConnections": [ "2021-11-01", @@ -18608,7 +18773,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ], "workspaces/privateLinkResources": [ "2021-11-01", 
@@ -18616,7 +18782,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-10-15-preview" ] }, "Microsoft.HealthDataAIServices": { @@ -19910,6 +20077,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "checkNameAvailability": [ @@ -19927,6 +20095,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "deletedManagedHSMs": [ @@ -19939,6 +20108,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "deletedVaults": [ @@ -19955,6 +20125,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations": [ @@ -19971,6 +20142,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/deletedManagedHSMs": [ @@ -19983,6 +20155,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/deletedVaults": [ @@ -19999,6 +20172,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/deleteVirtualNetworkOrSubnets": [ @@ -20015,6 +20189,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/managedHsmOperationResults": [ @@ -20027,6 +20202,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ @@ -20034,6 +20210,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "locations/operationResults": [ @@ -20050,6 +20227,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "managedHSMs": [ @@ -20075,6 +20253,7 @@ "managedHSMs/keys/versions": [ "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "managedHSMs/privateEndpointConnections": [ @@ -20104,6 +20283,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults": [ 
@@ -20155,6 +20335,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults/keys": [ @@ -20182,6 +20363,7 @@ "2022-07-01", "2022-11-01", "2023-02-01", + "2023-07-01", "2023-08-01-PREVIEW" ], "vaults/privateEndpointConnections": [ @@ -20964,6 +21146,9 @@ ] }, "Microsoft.MachineLearningServices": { + "capacityReservationGroups": [ + "2023-08-01-preview" + ], "capacityReserverationGroups": [ "2023-08-01-preview" ], @@ -21361,6 +21546,12 @@ "2023-08-01-preview", "2023-10-01" ], + "registries/datareferences": [ + "2023-10-01" + ], + "registries/datareferences/versions": [ + "2023-10-01" + ], "registries/environments": [ "2022-10-01-preview", "2022-12-01-preview", @@ -21587,7 +21778,8 @@ "2023-04-01", "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01" ], "workspaces/data": [ "2021-03-01-preview", @@ -21640,6 +21832,10 @@ "2023-08-01-preview", "2023-10-01" ], + "workspaces/endpoints": [ + "2023-08-01-preview", + "2023-10-01" + ], "workspaces/environments": [ "2021-03-01-preview", "2021-10-01", @@ -21866,7 +22062,8 @@ "workspaces/outboundRules": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01" ], "workspaces/privateEndpointConnections": [ "2020-01-01", @@ -21894,7 +22091,8 @@ "2023-04-01", "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-10-01" ], "workspaces/schedules": [ "2022-06-01-preview", @@ -21945,7 +22143,8 @@ "2021-09-01-preview", "2022-07-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01-preview" ], "maintenanceConfigurations": [ "2016-01-01", 
@@ -23014,28 +23213,45 @@ "2020-05-01-preview", "2022-02-02-preview", "2023-03-03", + "2023-03-15", "2023-04-01-preview" ], "assessmentProjects/groups": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" ], "assessmentProjects/groups/assessments": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" + ], + "assessmentProjects/groups/avsAssessments": [ + "2023-03-15" + ], + "assessmentProjects/groups/sqlAssessments": [ + "2023-03-15" ], "assessmentProjects/hypervcollectors": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" ], "assessmentProjects/importcollectors": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" ], "assessmentprojects/privateEndpointConnections": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" ], "assessmentProjects/servercollectors": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" + ], + "assessmentProjects/sqlcollectors": [ + "2023-03-15" ], "assessmentProjects/vmwarecollectors": [ - "2019-10-01" + "2019-10-01", + "2023-03-15" ], "locations": [ "2017-09-25-privatepreview", @@ -23135,6 +23351,18 @@ "2023-02-01-preview", "2023-08-01-preview" ], + "communities/communityEndpoints": [ + "2023-02-01-preview", + "2023-08-01-preview" + ], + "communities/transitHubs": [ + "2023-02-01-preview", + "2023-08-01-preview" + ], + "enclaveConnections": [ + "2023-02-01-preview", + "2023-08-01-preview" + ], "externalConnections": [ "2023-02-01-preview", "2023-08-01-preview" @@ -23159,6 +23387,10 @@ "2023-02-01-preview", "2023-08-01-preview" ], + "virtualEnclaves/enclaveEndpoints": [ + "2023-02-01-preview", + "2023-08-01-preview" + ], "virtualEnclaves/endpoints": [ "2023-02-01-preview", "2023-08-01-preview" 
@@ -24791,15 +25023,21 @@ ], "dnsForwardingRulesets": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsForwardingRulesets/forwardingRules": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsForwardingRulesets/virtualNetworkLinks": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsOperationResults": [ "2016-04-01", @@ -24821,15 +25059,21 @@ ], "dnsResolvers": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsResolvers/inboundEndpoints": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsResolvers/outboundEndpoints": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "dnsZones": [ "2015-05-04-preview", @@ -26405,11 +26649,21 @@ ], "locations/dnsResolverOperationResults": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "locations/dnsResolverOperationStatuses": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" + ], + "locations/dnsResolverPolicyOperationResults": [ + "2023-07-01-preview" + ], + "locations/dnsResolverPolicyOperationStatuses": [ + "2023-07-01-preview" ], "locations/effectiveResourceOwnership": [ "2018-04-01", @@ -29165,11 +29419,15 @@ ], "virtualNetworks/listDnsForwardingRulesets": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "virtualNetworks/listDnsResolvers": [ "2020-04-01-preview", - "2022-07-01" + "2022-07-01", + "2023-07-01", + "2023-07-01-preview" ], "virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations": [ "2022-01-01", 
@@ -31151,17 +31409,20 @@ "2023-02-01" ], "operationsStatus": [ - "2021-03-15-preview" + "2021-03-15-preview", + "2023-02-01" ], "quotaRequests": [ - "2021-03-15-preview" + "2021-03-15-preview", + "2023-02-01" ], "quotas": [ "2021-03-15-preview", "2023-02-01" ], "usages": [ - "2021-03-15-preview" + "2021-03-15-preview", + "2023-02-01" ] }, "Microsoft.RecommendationsService": { @@ -32155,12 +32416,14 @@ "2022-04-01", "2022-09-04", "2023-04-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-04" ], "locations/openshiftversions": [ "2022-09-04", "2023-04-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-04" ], "locations/operationresults": [ "2020-04-30", @@ -32168,7 +32431,8 @@ "2022-04-01", "2022-09-04", "2023-04-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-04" ], "locations/operationsstatus": [ "2020-04-30", @@ -32176,7 +32440,8 @@ "2022-04-01", "2022-09-04", "2023-04-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-04" ], "openShiftClusters": [ "2020-04-30", @@ -32218,7 +32483,8 @@ "2022-04-01", "2022-09-04", "2023-04-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-09-04" ] }, "Microsoft.Relay": { @@ -33260,12 +33526,14 @@ "availabilitySets": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "clouds": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "locations": [ "2020-06-05-preview", @@ -33283,10 +33551,12 @@ "2023-04-01-preview" ], "virtualMachineInstances": [ - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "virtualMachineInstances/guestAgents": [ - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "virtualMachines": [ "2020-06-05-preview", 
@@ -33308,22 +33578,26 @@ "virtualMachineTemplates": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "virtualNetworks": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "vmmServers": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "vmmServers/inventoryItems": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ] }, "Microsoft.Search": { @@ -35693,31 +35967,38 @@ "Microsoft.ServiceNetworking": { "locations": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "locations/operationResults": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "locations/operations": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "operations": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "trafficControllers": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "trafficControllers/associations": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ], "trafficControllers/frontends": [ "2022-10-01-preview", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-11-01" ] }, "Microsoft.ServicesHub": { @@ -36769,7 +37050,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/failoverGroupOperationResults": [ "2015-05-01-preview", @@ -36789,7 +37071,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "locations/firewallRulesAzureAsyncOperation": [ "2015-05-01-preview", 
@@ -40128,11 +40411,13 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/failoverGroups/tryPlannedBeforeForcedFailover": [ "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/firewallRules": [ "2014-04-01", @@ -40700,7 +40985,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "deletedAccounts": [ "2019-06-01", @@ -40714,7 +41000,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations": [ "2016-01-01", @@ -40738,7 +41025,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/asyncoperations": [ "2015-05-01-preview", @@ -40764,7 +41052,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/checkNameAvailability": [ "2016-12-01", @@ -40785,7 +41074,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/deletedAccounts": [ "2019-06-01", @@ -40799,7 +41089,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/deleteVirtualNetworkOrSubnets": [ "2016-07-01", @@ -40822,13 +41113,15 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "locations/usages": [ "2016-12-01", @@ -40850,7 +41143,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "operations": [ "2015-05-01-preview", @@ -40876,7 +41170,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts": [ "2015-05-01-preview", 
@@ -40902,7 +41197,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/blobServices": [ "2016-05-01", @@ -40925,7 +41221,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/blobServices/containers": [ "2018-02-01", @@ -40975,7 +41272,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/fileServices": [ "2016-05-01", @@ -40998,7 +41296,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/fileServices/shares": [ "2019-04-01", @@ -41048,7 +41347,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/listServiceSas": [ "2016-05-01", @@ -41071,7 +41371,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/localUsers": [ "2021-08-01", @@ -41143,7 +41444,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/queueServices/queues": [ "2019-06-01", @@ -41168,7 +41470,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/tableServices": [ "2016-05-01", @@ -41191,7 +41494,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "storageAccounts/tableServices/tables": [ "2019-06-01", @@ -41210,7 +41514,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ], "usages": [ "2015-05-01-preview", @@ -41236,7 +41541,8 @@ "2021-09-01", "2022-05-01", "2022-09-01", - "2023-01-01" + "2023-01-01", + "2023-04-01" ] }, "Microsoft.Storage.Admin": { @@ -42761,7 +43067,8 @@ "2021-11-10-preview", "2022-04-13-preview", "2022-07-20-preview", - "2022-08-01" + "2022-08-01", + "2024-01-01" ], "checknameavailability": [ "2021-10-18-preview", 
@@ -42841,7 +43148,8 @@ "2023-07-01" ], "imageTemplates/triggers": [ - "2022-07-01" + "2022-07-01", + "2023-07-01" ], "locations": [ "2019-05-01-preview", @@ -42880,7 +43188,6 @@ "2017-11-01-preview" ], "account/project": [ - "2014-02-26", "2014-04-01-preview", "2017-11-01-preview", "2018-08-01-preview" @@ -42952,6 +43259,13 @@ "2023-04-03", "2023-07-13-preview", "2023-09-01" + ], + "registeredSubscriptions": [ + "2022-12-01-preview", + "2023-01-31", + "2023-04-03", + "2023-07-13-preview", + "2023-09-01" ] }, "Microsoft.VSOnline": { @@ -45129,6 +45443,12 @@ ] }, "Microsoft.Workloads": { + "connectors": [ + "2023-10-01-preview" + ], + "connectors/acssBackups": [ + "2023-10-01-preview" + ], "Locations": [ "2021-12-01-preview", "2022-10-15-preview", From 6dbfe34636b1b768c6233c79cee727a7adbc93d5 Mon Sep 17 00:00:00 2001 
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Sun, 22 Oct 2023 22:47:14 +0200 Subject: [PATCH 043/178] [CI environment] Add nameprefix to rg test names (#4130) * rename rg * add nameprefix * add nameprefix tags --- .../.test/common/main.test.bicep | 2 +- .../server/.test/common/main.test.bicep | 184 +++--- .../server/.test/max/main.test.bicep | 204 +++--- .../server/.test/min/main.test.bicep | 2 +- .../service/.test/common/main.test.bicep | 198 +++--- .../service/.test/max/main.test.bicep | 410 ++++++------ .../service/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 227 +++---- .../.test/min/main.test.bicep | 2 +- .../.test/pe/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../container-app/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../lock/.test/common/main.test.bicep | 5 +- .../.test/rg.common/main.test.bicep | 2 +- .../.test/rg.min/main.test.bicep | 2 +- .../.test/sub.common/main.test.bicep | 2 +- .../.test/rg.common/main.test.bicep | 2 +- .../.test/rg.min/main.test.bicep | 2 +- .../.test/mg.common/main.test.bicep | 2 +- .../.test/mg.min/main.test.bicep | 2 +- .../.test/rg.common/main.test.bicep | 2 +- .../.test/rg.min/main.test.bicep | 2 +- .../.test/sub.common/main.test.bicep | 2 +- .../.test/sub.min/main.test.bicep | 2 +- .../.test/rg.common/main.test.bicep | 2 +- .../.test/rg.min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 500 +++++++-------- .../.test/encr/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../batch-account/.test/encr/main.test.bicep | 2 +- .../batch-account/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 261 ++++---- .../.test/geo/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../cache/redis/.test/common/main.test.bicep | 2 +- modules/cache/redis/.test/min/main.test.bicep | 2 +- 
modules/cdn/profile/.test/afd/main.test.bicep | 264 ++++---- .../cdn/profile/.test/common/main.test.bicep | 204 +++--- .../account/.test/common/main.test.bicep | 254 ++++---- .../account/.test/encr/main.test.bicep | 2 +- .../account/.test/min/main.test.bicep | 2 +- .../account/.test/speech/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 150 ++--- .../.test/min/main.test.bicep | 2 +- .../.test/accessPolicies/main.test.bicep | 154 ++--- .../.test/common/main.test.bicep | 168 ++--- .../compute/disk/.test/common/main.test.bicep | 158 ++--- .../compute/disk/.test/image/main.test.bicep | 136 ++-- .../compute/disk/.test/import/main.test.bicep | 146 ++--- .../compute/disk/.test/min/main.test.bicep | 2 +- .../gallery/.test/common/main.test.bicep | 385 +++++------ .../compute/gallery/.test/min/main.test.bicep | 2 +- .../image/.test/common/main.test.bicep | 174 ++--- .../.test/common/main.test.bicep | 178 +++--- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../ssh-public-key/.test/min/main.test.bicep | 2 +- .../.test/linux.min/main.test.bicep | 2 +- .../.test/linux.ssecmk/main.test.bicep | 2 +- .../.test/linux/main.test.bicep | 394 ++++++------ .../.test/windows.min/main.test.bicep | 2 +- .../.test/windows/main.test.bicep | 386 ++++++------ .../.test/linux.atmg/main.test.bicep | 2 +- .../.test/linux.min/main.test.bicep | 2 +- .../.test/linux/main.test.bicep | 2 +- .../.test/windows.atmg/main.test.bicep | 2 +- .../.test/windows.min/main.test.bicep | 2 +- .../.test/windows.ssecmk/main.test.bicep | 2 +- .../.test/windows/main.test.bicep | 596 +++++++++--------- .../.test/common/main.test.bicep | 2 +- .../.test/encr/main.test.bicep | 2 +- .../container-group/.test/min/main.test.bicep | 2 +- .../.test/private/main.test.bicep | 2 +- .../registry/.test/common/main.test.bicep | 298 ++++----- .../registry/.test/encr/main.test.bicep | 2 +- .../registry/.test/min/main.test.bicep | 2 +- .../registry/.test/pe/main.test.bicep | 2 +- 
.../.test/azure/main.test.bicep | 512 +++++++-------- .../.test/kubenet/main.test.bicep | 318 +++++----- .../managed-cluster/.test/min/main.test.bicep | 2 +- .../.test/priv/main.test.bicep | 2 +- .../factory/.test/common/main.test.bicep | 302 ++++----- .../factory/.test/min/main.test.bicep | 2 +- .../backup-vault/.test/common/main.test.bicep | 274 ++++---- .../backup-vault/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 156 ++--- .../.test/min/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 294 ++++----- .../workspace/.test/min/main.test.bicep | 2 +- .../flexible-server/.test/min/main.test.bicep | 2 +- .../.test/private/main.test.bicep | 244 +++---- .../.test/public/main.test.bicep | 326 +++++----- .../flexible-server/.test/min/main.test.bicep | 2 +- .../.test/private/main.test.bicep | 2 +- .../.test/public/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 230 +++---- .../.test/min/main.test.bicep | 2 +- .../host-pool/.test/common/main.test.bicep | 262 ++++---- .../host-pool/.test/min/main.test.bicep | 2 +- .../scaling-plan/.test/common/main.test.bicep | 258 ++++---- .../scaling-plan/.test/min/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 198 +++--- .../workspace/.test/min/main.test.bicep | 2 +- .../lab/.test/common/main.test.bicep | 570 ++++++++--------- .../lab/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 252 ++++---- .../.test/min/main.test.bicep | 2 +- .../.test/gremlindb/main.test.bicep | 300 ++++----- .../.test/mongodb/main.test.bicep | 566 ++++++++--------- .../.test/plain/main.test.bicep | 202 +++--- .../.test/sqldb/main.test.bicep | 388 ++++++------ .../domain/.test/common/main.test.bicep | 2 +- .../domain/.test/min/main.test.bicep | 2 +- .../domain/.test/pe/main.test.bicep | 2 +- .../system-topic/.test/common/main.test.bicep | 2 +- .../system-topic/.test/min/main.test.bicep | 2 +- .../topic/.test/common/main.test.bicep | 2 +- .../topic/.test/min/main.test.bicep | 
2 +- .../event-grid/topic/.test/pe/main.test.bicep | 2 +- .../namespace/.test/common/main.test.bicep | 2 +- .../namespace/.test/encr/main.test.bicep | 2 +- .../namespace/.test/min/main.test.bicep | 2 +- .../namespace/.test/pe/main.test.bicep | 2 +- .../health-bot/.test/common/main.test.bicep | 2 +- .../health-bot/.test/min/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- .../workspace/.test/min/main.test.bicep | 2 +- .../action-group/.test/common/main.test.bicep | 2 +- .../action-group/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../component/.test/common/main.test.bicep | 2 +- .../component/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/customadv/main.test.bicep | 2 +- .../.test/custombasic/main.test.bicep | 2 +- .../.test/customiis/main.test.bicep | 2 +- .../.test/linux/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/windows/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../metric-alert/.test/common/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../webtest/.test/common/main.test.bicep | 2 +- .../webtest/.test/min/main.test.bicep | 2 +- .../.test/accesspolicies/main.test.bicep | 2 +- .../vault/.test/common/main.test.bicep | 2 +- .../key-vault/vault/.test/min/main.test.bicep | 2 +- .../key-vault/vault/.test/pe/main.test.bicep | 2 +- .../extension/.test/common/main.test.bicep | 2 +- .../extension/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../workflow/.test/common/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- .../workspace/.test/encr/main.test.bicep | 2 +- .../workspace/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- 
.../.test/min/main.test.bicep | 5 +- .../.test/rg/main.test.bicep | 2 +- .../net-app-account/.test/min/main.test.bicep | 2 +- .../.test/nfs3/main.test.bicep | 2 +- .../.test/nfs41/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/addpip/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/custompip/main.test.bicep | 2 +- .../.test/hubcommon/main.test.bicep | 2 +- .../.test/hubmin/main.test.bicep | 2 +- .../azure-firewall/.test/min/main.test.bicep | 2 +- .../bastion-host/.test/common/main.test.bicep | 2 +- .../.test/custompip/main.test.bicep | 2 +- .../bastion-host/.test/min/main.test.bicep | 2 +- .../.test/vnet2vnet/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../dns-resolver/.test/common/main.test.bicep | 2 +- .../dns-zone/.test/common/main.test.bicep | 2 +- .../dns-zone/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../firewall-policy/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../front-door/.test/common/main.test.bicep | 2 +- .../front-door/.test/min/main.test.bicep | 2 +- .../ip-group/.test/common/main.test.bicep | 2 +- .../ip-group/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/internal/main.test.bicep | 2 +- .../load-balancer/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../nat-gateway/.test/common/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 236 +++---- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- 
.../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 196 +++--- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../route-table/.test/common/main.test.bicep | 2 +- .../route-table/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../virtual-hub/.test/common/main.test.bicep | 2 +- .../virtual-hub/.test/min/main.test.bicep | 2 +- .../.test/aadvpn/main.test.bicep | 2 +- .../.test/expressRoute/main.test.bicep | 2 +- .../.test/vpn/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../virtual-network/.test/min/main.test.bicep | 2 +- .../.test/vnetPeering/main.test.bicep | 2 +- .../virtual-wan/.test/common/main.test.bicep | 2 +- .../virtual-wan/.test/min/main.test.bicep | 2 +- .../vpn-gateway/.test/common/main.test.bicep | 2 +- .../vpn-gateway/.test/min/main.test.bicep | 2 +- .../vpn-site/.test/common/main.test.bicep | 2 +- .../vpn-site/.test/min/main.test.bicep | 2 +- .../workspace/.test/adv/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- .../workspace/.test/min/main.test.bicep | 2 +- .../solution/.test/min/main.test.bicep | 2 +- .../solution/.test/ms/main.test.bicep | 2 +- .../solution/.test/nonms/main.test.bicep | 2 +- .../.test/rg.common/main.test.bicep | 2 +- .../remediation/.test/rg.min/main.test.bicep | 2 +- .../capacity/.test/common/main.test.bicep | 2 +- .../capacity/.test/min/main.test.bicep | 2 +- .../account/.test/common/main.test.bicep | 2 +- .../purview/account/.test/min/main.test.bicep | 2 +- .../vault/.test/common/main.test.bicep | 2 
+- .../vault/.test/dr/main.test.bicep | 2 +- .../vault/.test/min/main.test.bicep | 2 +- .../namespace/.test/common/main.test.bicep | 2 +- .../relay/namespace/.test/min/main.test.bicep | 2 +- .../relay/namespace/.test/pe/main.test.bicep | 2 +- .../query/.test/common/main.test.bicep | 2 +- .../query/.test/min/main.test.bicep | 2 +- .../.test/cli/main.test.bicep | 2 +- .../.test/ps/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../resources/tags/.test/rg/main.test.bicep | 5 +- .../.test/common/main.test.bicep | 2 +- .../search-service/.test/min/main.test.bicep | 2 +- .../search-service/.test/pe/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../namespace/.test/common/main.test.bicep | 2 +- .../namespace/.test/encr/main.test.bicep | 2 +- .../namespace/.test/min/main.test.bicep | 2 +- .../namespace/.test/pe/main.test.bicep | 2 +- .../cluster/.test/cert/main.test.bicep | 2 +- .../cluster/.test/common/main.test.bicep | 2 +- .../cluster/.test/min/main.test.bicep | 2 +- .../signal-r/.test/common/main.test.bicep | 2 +- .../signal-r/.test/min/main.test.bicep | 2 +- .../web-pub-sub/.test/common/main.test.bicep | 2 +- .../web-pub-sub/.test/min/main.test.bicep | 2 +- .../web-pub-sub/.test/pe/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../.test/vulnAssm/main.test.bicep | 2 +- .../sql/server/.test/admin/main.test.bicep | 2 +- .../sql/server/.test/common/main.test.bicep | 2 +- modules/sql/server/.test/pe/main.test.bicep | 2 +- .../server/.test/secondary/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/encr/main.test.bicep | 2 +- .../storage-account/.test/min/main.test.bicep | 2 +- .../storage-account/.test/nfs/main.test.bicep | 2 +- .../storage-account/.test/v1/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../.test/min/main.test.bicep | 2 +- .../workspace/.test/common/main.test.bicep | 2 +- .../workspace/.test/encrwsai/main.test.bicep | 2 +- 
.../workspace/.test/encrwuai/main.test.bicep | 2 +- .../.test/managedvnet/main.test.bicep | 2 +- .../workspace/.test/min/main.test.bicep | 2 +- .../.test/common/main.test.bicep | 2 +- .../image-template/.test/min/main.test.bicep | 2 +- .../connection/.test/common/main.test.bicep | 2 +- .../.test/asev2/main.test.bicep | 2 +- .../.test/asev3/main.test.bicep | 2 +- .../serverfarm/.test/common/main.test.bicep | 2 +- .../.test/functionAppCommon/main.test.bicep | 2 +- .../site/.test/functionAppMin/main.test.bicep | 2 +- .../site/.test/webAppCommon/main.test.bicep | 2 +- .../web/site/.test/webAppMin/main.test.bicep | 2 +- .../static-site/.test/common/main.test.bicep | 2 +- .../web/static-site/.test/min/main.test.bicep | 2 +- 314 files changed, 6341 insertions(+), 6323 deletions(-) diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/.test/common/main.test.bicep index 0575d1a848..51585097f2 100644 --- a/modules/aad/domain-service/.test/common/main.test.bicep +++ b/modules/aad/domain-service/.test/common/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.aad.domainservices-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 6addd17c94..91cf783f0e 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep 
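Review bot: The new default `'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg'` ties the test resource group name to `namePrefix`, a parameter declared outside this hunk; in the sibling test files of this patch it defaults to the placeholder `'[[namePrefix]]'`, so I assume the same here. The previous default had no such dependency, and if the placeholder is ever not substituted before deployment the square brackets land in the resource group name, which as far as I know the resource group naming rules reject, whereas the old name would not have been affected. Extending the description, e.g. `@description('Optional. The name of the resource group to deploy for testing purposes. Requires namePrefix to be substituted before deployment.')`, would make the coupling visible; the analysis-services min hunk further down has the same shape.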
@@ -1,92 +1,92 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'asscom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'S0'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'asscom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. 
A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ skuName: 'S0'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: 
diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep
index dedb04408c..12d56eb4a5 100644
--- a/modules/analysis-services/server/.test/max/main.test.bicep
+++ b/modules/analysis-services/server/.test/max/main.test.bicep
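Review bot: On the new side a blank line is inserted inside the roleAssignments entry between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'`, and the blank line at the end of the file is dropped, which keeps the 92-line count equal but does not look intentional for a change whose only content edit is the `resourceGroupName` default. The analysis-services max and api-management common hunks below carry the same stray blank line. Every line of the file is re-emitted although only one differs, so this may be a line-ending conversion rather than a deliberate rewrite; that is worth confirming, because it buries the one real edit in a whole-file diff. I would drop the inserted blank line so `principalId` and `principalType` stay adjacent as they were.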
@@ -1,102 +1,102 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'assmax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: 
az.resourceGroup(resourceGroupName)
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- skuName: 'S0'
- skuCapacity: 1
- firewallSettings: {
- firewallRules: [
- {
- firewallRuleName: 'AllowFromAll'
- rangeStart: '0.0.0.0'
- rangeEnd: '255.255.255.255'
- }
- ]
- enablePowerBIService: true
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- diagnosticLogCategoriesToEnable: [
- 'Engine'
- 'Service'
- ]
- diagnosticMetricsToEnable: [
- 'AllMetrics'
- ]
- }
-}
-
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'assmax'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. 
A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: az.resourceGroup(resourceGroupName)
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ skuName: 'S0'
+ skuCapacity: 1
+ firewallSettings: {
+ firewallRules: [
+ {
+ firewallRuleName: 'AllowFromAll'
+ rangeStart: '0.0.0.0'
+ rangeEnd: '255.255.255.255'
+ }
+ ]
+ enablePowerBIService: true
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticLogCategoriesToEnable: [ + 'Engine' + 'Service' + ] + diagnosticMetricsToEnable: [ + 'AllMetrics' + ] + } +} diff --git a/modules/analysis-services/server/.test/min/main.test.bicep b/modules/analysis-services/server/.test/min/main.test.bicep index e89ac48c07..2c00bf27fd 100644 --- a/modules/analysis-services/server/.test/min/main.test.bicep +++ b/modules/analysis-services/server/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.analysisservices.servers-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep index 217f502f87..178551760c 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/.test/common/main.test.bicep 
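Review bot: The max test on the new side keeps a firewall rule `firewallRuleName: 'AllowFromAll'` with `rangeStart: '0.0.0.0'` and `rangeEnd: '255.255.255.255'` plus `enablePowerBIService: true`, so the deployed Analysis Services server accepts connections from every IPv4 address, and nothing in the file says this is deliberate coverage of `firewallSettings` rather than a value to copy. A comment on the rule such as `// Validation only: the wide-open range exercises firewallSettings; do not reuse outside test deployments` would make the intent explicit. The same deployment applies a `lock` of kind `'CanNotDelete'`, so whatever cleanup removes `resourceGroupName` has to delete that lock first or the exposed server can outlive the test run. Both points predate this commit, which re-emits the whole file while changing only the `resourceGroupName` default.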
@@ -1,99 +1,99 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apiscom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
- publisherName: '${namePrefix}-az-amorg-x-001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- policies: [
- {
- format: 'xml'
- value: ' '
- }
- ]
- 
portalsettings: [
- {
- name: 'signin'
- properties: {
- enabled: false
- }
- }
- {
- name: 'signup'
- properties: {
- enabled: false
- termsOfService: {
- consentRequired: false
- enabled: false
- }
- }
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apiscom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. 
A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
+ publisherName: '${namePrefix}-az-amorg-x-001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ policies: [
+ {
+ format: 'xml'
+ value: ' '
+ }
+ ]
+ portalsettings: [
+ {
+ name: 'signin'
+ properties: {
+ enabled: false
+ }
+ }
+ {
+ name: 'signup'
+ properties: {
+ enabled: false
+ termsOfService: {
+ consentRequired: false
+ enabled: false
+ }
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep
index b5d444c517..762ae9bf2b 100644
--- a/modules/api-management/service/.test/max/main.test.bicep
+++ b/modules/api-management/service/.test/max/main.test.bicep
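Review bot: The `policies` entry on the new side has `format: 'xml'` but a `value` that in this view is only a quoted space, so as rendered the test deploys an empty global policy; if the XML body was lost in rendering this is moot, but if the file really holds only whitespace the entry exercises nothing beyond the parameter plumbing. Either a minimal policy document or a comment such as `// Intentionally empty policy: only the policies parameter wiring is validated here` would make that clear to the next reader. The `portalsettings` that disable `signin` and `signup` are a sensible default for a throwaway instance and need no change. The file is re-emitted in full, so this predates the commit rather than being introduced by it.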
@@ -1,205 +1,205 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apismax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -@description('Optional. The secret to leverage for authorization server authentication.') -@secure() -param customSecret string = newGuid() - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} 
- -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: '${namePrefix}-az-amorg-x-001' - apis: [ - { - apiVersionSet: { - name: 'echo-version-set' - properties: { - description: 'echo-version-set' - displayName: 'echo-version-set' - versioningScheme: 'Segment' - } - } - displayName: 'Echo API' - name: 'echo-api' - path: 'echo' - serviceUrl: 'http://echoapi.cloudapp.net/api' - } - ] - authorizationServers: { - secureList: [ - { - authorizationEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' - clientId: 'apimclientid' - clientSecret: customSecret - clientRegistrationEndpoint: 'http://localhost' - grantTypes: [ - 'authorizationCode' - ] - name: 'AuthServer1' - tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' - } - ] - } - backends: [ - { - name: 'backend' - tls: { - validateCertificateChain: false - validateCertificateName: false - } - url: 'http://echoapi.cloudapp.net/api' - } - ] - caches: [ - { - connectionString: 'connectionstringtest' - name: 'westeurope' - useFromLocation: 'westeurope' - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - identityProviders: [ - { - name: 'aadProvider' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - namedValues: [ - { - 
displayName: 'apimkey' - name: 'apimkey' - secret: true - } - ] - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - products: [ - { - apis: [ - { - name: 'echo-api' - } - ] - approvalRequired: false - groups: [ - { - name: 'developers' - } - ] - name: 'Starter' - subscriptionRequired: false - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - subscriptions: [ - { - name: 'testArmSubscriptionAllApis' - scope: '/apis' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apismax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +@description('Optional. 
The secret to leverage for authorization server authentication.') +@secure() +param customSecret string = newGuid() + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: '${namePrefix}-az-amorg-x-001' + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: 
'${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' + clientId: 'apimclientid' + clientSecret: customSecret + clientRegistrationEndpoint: 'http://localhost' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + scope: '/apis' + } + ] + 
systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/api-management/service/.test/min/main.test.bicep b/modules/api-management/service/.test/min/main.test.bicep index f4e9fd87a5..0f6785d024 100644 --- a/modules/api-management/service/.test/min/main.test.bicep +++ b/modules/api-management/service/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.apimanagement.service-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index 3c93d1fb33..fcf880f426 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep 
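Review bot: The rewritten `roleAssignments` entry carries a stray empty line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` that the old side did not have; the same blank line appears twice in the app-configuration/configuration-store common test rewritten in the next hunk, so it looks like a generator artifact rather than an intentional edit and should be dropped before this lands. Separately, the re-added `backends` entry keeps `validateCertificateChain: false` and `validateCertificateName: false` against an `http://` URL, and the fixture is re-emitted verbatim here. If usage examples are derived from these test files, a one-line `// test-only: TLS validation disabled for the public echo backend; do not copy into production usage` next to the `tls` block would make the intent explicit wherever the snippet is reused.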
@@ -1,113 +1,114 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'acccom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: 
location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - createMode: 'Default' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'acccom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + 
enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + systemAssignedIdentity: false + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/app-configuration/configuration-store/.test/min/main.test.bicep b/modules/app-configuration/configuration-store/.test/min/main.test.bicep index 8770a7a8ca..05c1075df5 100644 --- a/modules/app-configuration/configuration-store/.test/min/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/min/main.test.bicep 
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.appconfiguration.configurationstores-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
index b38ce56091..967fb336b2 100644
--- a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
+++ b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.appconfiguration.configurationstores-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/app/container-app/.test/common/main.test.bicep b/modules/app/container-app/.test/common/main.test.bicep
index 9e032bfcd3..19585fed16 100644
--- a/modules/app/container-app/.test/common/main.test.bicep
+++ b/modules/app/container-app/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.app.containerApps-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/app/container-app/.test/min/main.test.bicep b/modules/app/container-app/.test/min/main.test.bicep
index 8969d7e6e3..ac2621ddef 100644
--- a/modules/app/container-app/.test/min/main.test.bicep
+++ b/modules/app/container-app/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.app.containerApps-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/app/managed-environment/.test/common/main.test.bicep b/modules/app/managed-environment/.test/common/main.test.bicep
index 84b3e08239..cd936f208c 100644
--- a/modules/app/managed-environment/.test/common/main.test.bicep
+++ b/modules/app/managed-environment/.test/common/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.app.managedenvironments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/app/managed-environment/.test/min/main.test.bicep b/modules/app/managed-environment/.test/min/main.test.bicep
index ceab992425..63e784e123 100644
--- a/modules/app/managed-environment/.test/min/main.test.bicep
+++ b/modules/app/managed-environment/.test/min/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.app.managedenvironments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/lock/.test/common/main.test.bicep b/modules/authorization/lock/.test/common/main.test.bicep
index aa9099f4a9..69c8663433 100644
--- a/modules/authorization/lock/.test/common/main.test.bicep
+++ b/modules/authorization/lock/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.locks-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
@@ -20,6 +20,9 @@ param serviceShort string = 'alcom'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
 // ============ //
 // Dependencies //
 // ============ //
diff --git a/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep b/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep
index 064a7646e2..e32a642345 100644
--- a/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep
+++ b/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.policyassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep b/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep
index 16a4076f5c..f84a97178a 100644
--- a/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep
+++ b/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.policyassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep b/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep
index 46e6a39420..5ac56a6167 100644
--- a/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep
+++ b/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.policyassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'apasubcom'
diff --git a/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep b/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep
index 929007e04f..af4faa0c25 100644
--- a/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep
+++ b/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.policyexemptions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.policyexemptions-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep b/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep
index 364f997c67..9f2269817c 100644
--- a/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep
+++ b/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.policyexemptions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.policyexemptions-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/mg.common/main.test.bicep b/modules/authorization/role-assignment/.test/mg.common/main.test.bicep
index af85a59176..7e87bc88b2 100644
--- a/modules/authorization/role-assignment/.test/mg.common/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/mg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'managementGroup'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/mg.min/main.test.bicep b/modules/authorization/role-assignment/.test/mg.min/main.test.bicep
index 2b24b7d280..96d88fc845 100644
--- a/modules/authorization/role-assignment/.test/mg.min/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/mg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'managementGroup'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/rg.common/main.test.bicep b/modules/authorization/role-assignment/.test/rg.common/main.test.bicep
index 624ac5f4ec..57afbad937 100644
--- a/modules/authorization/role-assignment/.test/rg.common/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/rg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/rg.min/main.test.bicep b/modules/authorization/role-assignment/.test/rg.min/main.test.bicep
index 10bfd6db80..62cdccccac 100644
--- a/modules/authorization/role-assignment/.test/rg.min/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/rg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/sub.common/main.test.bicep b/modules/authorization/role-assignment/.test/sub.common/main.test.bicep
index 3eabd37a63..96f2dede38 100644
--- a/modules/authorization/role-assignment/.test/sub.common/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/sub.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-assignment/.test/sub.min/main.test.bicep b/modules/authorization/role-assignment/.test/sub.min/main.test.bicep
index 17643fa7ff..20fc2149a8 100644
--- a/modules/authorization/role-assignment/.test/sub.min/main.test.bicep
+++ b/modules/authorization/role-assignment/.test/sub.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roleassignments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-definition/.test/rg.common/main.test.bicep b/modules/authorization/role-definition/.test/rg.common/main.test.bicep
index 5c357b3ed5..56f0ddfaa3 100644
--- a/modules/authorization/role-definition/.test/rg.common/main.test.bicep
+++ b/modules/authorization/role-definition/.test/rg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roledefinitions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roledefinitions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/authorization/role-definition/.test/rg.min/main.test.bicep b/modules/authorization/role-definition/.test/rg.min/main.test.bicep
index fa9d1c9379..63ce946cc0 100644
--- a/modules/authorization/role-definition/.test/rg.min/main.test.bicep
+++ b/modules/authorization/role-definition/.test/rg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.authorization.roledefinitions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roledefinitions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep
index b0ae64aef0..4abb71d751 100644
--- a/modules/automation/automation-account/.test/common/main.test.bicep
+++ b/modules/automation/automation-account/.test/common/main.test.bicep
@@ -1,250 +1,250 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.automation.account-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aacom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gallerySolutions: [ - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } - ] - jobSchedules: [ - { - runbookName: 'TestRunbook' - scheduleName: 'TestSchedule' - } - ] - disableLocalAuth: true - linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - modules: [ - { - name: 'PSWindowsUpdate' - uri: 'https://www.powershellgallery.com/api/v2/package' - version: 'latest' - } - ] - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'Webhook' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'DSCAndHybridWorker' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - 
roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - runbooks: [ - { - description: 'Test runbook' - name: 'TestRunbook' - type: 'PowerShell' - uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' - version: '1.0.0.0' - } - ] - schedules: [ - { - advancedSchedule: {} - expiryTime: '9999-12-31T13:00' - frequency: 'Hour' - interval: 12 - name: 'TestSchedule' - startTime: '' - timeZone: 'Europe/Berlin' - } - ] - softwareUpdateConfigurations: [ - { - excludeUpdates: [ - '123456' - ] - frequency: 'Month' - includeUpdates: [ - '654321' - ] - interval: 1 - maintenanceWindow: 'PT4H' - monthlyOccurrences: [ - { - day: 'Friday' - occurrence: 3 - } - ] - name: 'Windows_ZeroDay' - operatingSystem: 'Windows' - rebootSetting: 'IfRequired' - scopeByTags: { - Update: [ - 'Automatic-Wave1' - ] - } - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Definition' - 'FeaturePack' - 'Security' - 'ServicePack' - 'Tools' - 'UpdateRollup' - 'Updates' - ] - } - { - excludeUpdates: [ - 'icacls' - ] - frequency: 'OneTime' - includeUpdates: [ - 'kernel' - ] - maintenanceWindow: 'PT4H' - name: 'Linux_ZeroDay' - operatingSystem: 'Linux' - rebootSetting: 'IfRequired' - startTime: '22:00' - updateClassifications: [ - 'Critical' - 'Other' - 'Security' - ] - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - variables: [ - { - description: 'TestStringDescription' - name: 'TestString' - value: '\'TestString\'' - } - { - description: 'TestIntegerDescription' - name: 'TestInteger' - value: '500' - } - { - description: 'TestBooleanDescription' - name: 'TestBoolean' - value: 'false' - } - { - description: 'TestDateTimeDescription' - isEncrypted: false - name: 'TestDateTime' - value: 
'\'\\/Date(1637934042656)\\/\'' - } - { - description: 'TestEncryptedDescription' - name: 'TestEncryptedVariable' - value: '\'TestEncryptedValue\'' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'aacom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + 
} + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + disableLocalAuth: true + linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Webhook' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'DSCAndHybridWorker' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 
'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/automation/automation-account/.test/encr/main.test.bicep b/modules/automation/automation-account/.test/encr/main.test.bicep index 4a4e476170..8fa4abaa5d 100644 --- a/modules/automation/automation-account/.test/encr/main.test.bicep +++ b/modules/automation/automation-account/.test/encr/main.test.bicep 
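Review bot: The runbook and module sources on the new side are unpinned: `uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/.../AzureAutomationTutorial.ps1'` fetches runbook content from a mutable branch, and the `PSWindowsUpdate` entry uses `version: 'latest'` from the PowerShell Gallery, so what the test deploys (and what readers copy from it) depends on the state of a third-party repository at deployment time. Since the commit re-emits every line of this file (it looks like a line-ending normalisation plus the resource-group rename), it is a cheap moment to pin both: reference a commit SHA instead of `master` and a fixed PSWindowsUpdate version. Separately, the `TestEncryptedVariable` entry sets no `isEncrypted` while `TestDateTime` sets it explicitly to `false`; the module's default cannot be seen from this hunk, so an explicit `isEncrypted: true` on that entry would make the example self-describing. A blank line has also crept into the `roleAssignments` object between `principalId` and `principalType` that the old side did not have.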
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.automation.account-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/automation/automation-account/.test/min/main.test.bicep b/modules/automation/automation-account/.test/min/main.test.bicep
index 3156e8971b..775f93260b 100644
--- a/modules/automation/automation-account/.test/min/main.test.bicep
+++ b/modules/automation/automation-account/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.automation.account-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep
index 0c9dc0bec0..f579e79863 100644
--- a/modules/batch/batch-account/.test/common/main.test.bicep
+++ b/modules/batch/batch-account/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.batch.batchaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/batch/batch-account/.test/encr/main.test.bicep b/modules/batch/batch-account/.test/encr/main.test.bicep
index 5aebae0710..19c638ffcc 100644
--- a/modules/batch/batch-account/.test/encr/main.test.bicep
+++ b/modules/batch/batch-account/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.batch.batchaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/batch/batch-account/.test/min/main.test.bicep b/modules/batch/batch-account/.test/min/main.test.bicep
index 8d213101ab..4e9f4bd0f4 100644
--- a/modules/batch/batch-account/.test/min/main.test.bicep
+++ b/modules/batch/batch-account/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.batch.batchaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep
index ec84ed832c..7e5df4fdfb 100644
--- a/modules/cache/redis-enterprise/.test/common/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep
@@ -1,130 +1,131 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cache.redisenterprise-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crecom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - capacity: 2 - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticSettingsName: 'redisdiagnostics' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - minimumTlsVersion: '1.2' - zoneRedundant: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'redisEnterprise' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'AllKeysLFU' - modules: [ - { - name: 'RedisBloom' - } - { - name: 'RedisTimeSeries' - args: 'RETENTION_POLICY 20' - } - ] - persistenceAofEnabled: true - persistenceAofFrequency: '1s' - persistenceRdbEnabled: false - port: 10000 - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance 
deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crecom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// 
============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettingsName: 'redisdiagnostics' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + minimumTlsVersion: '1.2' + zoneRedundant: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'redisEnterprise' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + name: 'RedisTimeSeries' + args: 'RETENTION_POLICY 20' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + } +} + diff --git a/modules/cache/redis-enterprise/.test/geo/main.test.bicep b/modules/cache/redis-enterprise/.test/geo/main.test.bicep index 492bd50848..6bf434e55f 100644 --- a/modules/cache/redis-enterprise/.test/geo/main.test.bicep 
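Review bot: The new side introduces a blank line inside the `roleAssignments` object, between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'`, which the old side did not have and which appears to account for the 130→131 line-count change; the blank lines padding `privateDnsZoneResourceIds: [ … ]` are carried over from the old side. Since the commit already rewrites every line of this file (apparently a line-ending normalisation plus the resource-group rename), it would be worth dropping those stray blanks so each object and array literal reads as one unit. Nothing else in the hunk changes behaviour beyond the `resourceGroupName` default.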
+++ b/modules/cache/redis-enterprise/.test/geo/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cache.redisenterprise-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cache/redis-enterprise/.test/min/main.test.bicep b/modules/cache/redis-enterprise/.test/min/main.test.bicep
index 19ab84407e..768b4cb167 100644
--- a/modules/cache/redis-enterprise/.test/min/main.test.bicep
+++ b/modules/cache/redis-enterprise/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cache.redisenterprise-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep
index 04f213bff5..2b0142168f 100644
--- a/modules/cache/redis/.test/common/main.test.bicep
+++ b/modules/cache/redis/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cache.redis-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cache/redis/.test/min/main.test.bicep b/modules/cache/redis/.test/min/main.test.bicep
index 4ab171428a..f2bdf186e7 100644
--- a/modules/cache/redis/.test/min/main.test.bicep
+++ b/modules/cache/redis/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cache.redis-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/.test/afd/main.test.bicep
index 97e2a2db80..ea900ffaad 100644
--- a/modules/cdn/profile/.test/afd/main.test.bicep
+++ b/modules/cdn/profile/.test/afd/main.test.bicep
@@ -1,132 +1,132 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpafd' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - name: 'dep-${namePrefix}-test-${serviceShort}' - location: 'global' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - sku: 'Standard_AzureFrontDoor' - enableDefaultTelemetry: enableDefaultTelemetry - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 
'ServicePrincipal' - } - ] - customDomains: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' - hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net' - certificateType: 'ManagedCertificate' - } - ] - origionGroups: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-origin-group' - loadBalancingSettings: { - additionalLatencyInMilliseconds: 50 - sampleSize: 4 - successfulSamplesRequired: 3 - } - origins: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-origin' - hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net' - } - ] - } - ] - ruleSets: [ - { - name: 'dep${namePrefix}test${serviceShort}ruleset' - rules: [ - { - name: 'dep${namePrefix}test${serviceShort}rule' - order: 1 - actions: [ - { - name: 'UrlRedirect' - parameters: { - typeName: 'DeliveryRuleUrlRedirectActionParameters' - redirectType: 'PermanentRedirect' - destinationProtocol: 'Https' - customPath: '/test123' - customHostname: 'dev-etradefd.trade.azure.defra.cloud' - } - } - ] - } - ] - } - ] - afdEndpoints: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint' - routes: [ - { - name: 'dep-${namePrefix}-test-${serviceShort}-afd-route' - originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group' - customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' - ruleSets: [ - { - name: 'dep${namePrefix}test${serviceShort}ruleset' - } - ] - } - ] - } - ] - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. 
Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpafd' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: 'global' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_AzureFrontDoor' + enableDefaultTelemetry: enableDefaultTelemetry + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + customDomains: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' + hostName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain.azurewebsites.net' + certificateType: 'ManagedCertificate' + } + ] + origionGroups: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-origin-group' + loadBalancingSettings: { + additionalLatencyInMilliseconds: 50 + sampleSize: 4 + successfulSamplesRequired: 3 + } + origins: [ + { + name: 
'dep-${namePrefix}-test-${serviceShort}-origin' + hostName: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net' + } + ] + } + ] + ruleSets: [ + { + name: 'dep${namePrefix}test${serviceShort}ruleset' + rules: [ + { + name: 'dep${namePrefix}test${serviceShort}rule' + order: 1 + actions: [ + { + name: 'UrlRedirect' + parameters: { + typeName: 'DeliveryRuleUrlRedirectActionParameters' + redirectType: 'PermanentRedirect' + destinationProtocol: 'Https' + customPath: '/test123' + customHostname: 'dev-etradefd.trade.azure.defra.cloud' + } + } + ] + } + ] + } + ] + afdEndpoints: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-afd-endpoint' + routes: [ + { + name: 'dep-${namePrefix}-test-${serviceShort}-afd-route' + originGroupName: 'dep-${namePrefix}-test-${serviceShort}-origin-group' + customDomainName: 'dep-${namePrefix}-test-${serviceShort}-custom-domain' + ruleSets: [ + { + name: 'dep${namePrefix}test${serviceShort}ruleset' + } + ] + } + ] + } + ] + } +} diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/.test/common/main.test.bicep index 6846ec0476..1bcb6228f0 100644 --- a/modules/cdn/profile/.test/common/main.test.bicep +++ b/modules/cdn/profile/.test/common/main.test.bicep 
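Review bot: The regenerated roleAssignments entry now carries a stray blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` that the removed version did not have and that no other object in this file has; it looks like a tooling artifact rather than an intended edit and should be dropped. Separately, the UrlRedirect action's `customHostname: 'dev-etradefd.trade.azure.defra.cloud'` is the only host in the test not derived from `namePrefix`/`serviceShort`, so every validation run publishes a permanent HTTPS redirect to a domain that does not appear to be under the test's control; pointing it at the test's own origin, e.g. `customHostname: 'dep-${namePrefix}-test-${serviceShort}-origin.azurewebsites.net'`, removes that dependency on a third-party name. Because every line of the file shows as removed and re-added while only the `resourceGroupName` default and that blank line differ, this hunk presumably also normalizes line endings — worth confirming with `git diff -w` and pinning `*.bicep text eol=lf` in `.gitattributes` so later diffs stay reviewable.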
@@ -1,102 +1,102 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cdn.profiles-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - name: 'dep-${namePrefix}-test-${serviceShort}' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - originResponseTimeoutSeconds: 60 - sku: 'Standard_Verizon' - enableDefaultTelemetry: enableDefaultTelemetry - 
endpointProperties: { - originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' - contentTypesToCompress: [ - 'text/plain' - 'text/html' - 'text/css' - 'text/javascript' - 'application/x-javascript' - 'application/javascript' - 'application/json' - 'application/xml' - ] - isCompressionEnabled: true - isHttpAllowed: true - isHttpsAllowed: true - queryStringCachingBehavior: 'IgnoreQueryString' - origins: [ - { - name: 'dep-${namePrefix}-cdn-endpoint01' - properties: { - hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' - httpPort: 80 - httpsPort: 443 - enabled: true - } - } - ] - originGroups: [] - geoFilters: [] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_Verizon' + enableDefaultTelemetry: enableDefaultTelemetry + endpointProperties: { + originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + contentTypesToCompress: [ + 'text/plain' + 'text/html' + 'text/css' + 'text/javascript' + 'application/x-javascript' + 'application/javascript' + 'application/json' + 'application/xml' + ] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + queryStringCachingBehavior: 'IgnoreQueryString' + origins: [ + { + name: 'dep-${namePrefix}-cdn-endpoint01' + properties: { + hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + httpPort: 80 + httpsPort: 443 + enabled: true + } + } + ] + originGroups: [] + geoFilters: [] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] 
+ } +} diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 5f9a58f7df..3f94c31fd7 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep 
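Review bot: The endpoint in this test is deployed with both `isHttpAllowed: true` and `isHttpsAllowed: true`, so the validation deployment serves the storage origin over plain HTTP as well as HTTPS; if exercising HTTP is not the point of the large-parameter-set test, `isHttpAllowed: false` keeps the fixture aligned with the HTTPS-only configuration a consumer copying this parameter set is likely to want, and if it is intentional a one-line comment such as `// HTTP deliberately enabled to validate the setting; do not copy for production` would make that explicit. The regenerated roleAssignments entry also picked up a blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` that the removed version did not have; it should be dropped to match the other objects in the block.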
@@ -1,127 +1,127 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csacom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - kind: 'Face' - customSubDomainName: '${namePrefix}xdomain' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkAcls: { - defaultAction: 'Deny' - ipRules: [ - { - value: '40.74.28.0/23' - } - ] - virtualNetworkRules: [ - { - id: nestedDependencies.outputs.subnetResourceId - ignoreMissingVnetServiceEndpoint: false - } - ] - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - sku: 'S0' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'account' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance 
deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csacom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// 
============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + kind: 'Face' + customSubDomainName: '${namePrefix}xdomain' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + sku: 'S0' + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'account' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/cognitive-services/account/.test/encr/main.test.bicep b/modules/cognitive-services/account/.test/encr/main.test.bicep index 06468b33b2..ad4bdf6ad6 100644 
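Review bot: `networkAcls` sets `defaultAction: 'Deny'` and then allow-lists the public range `40.74.28.0/23` with no comment on whose range that is, so a reader cannot tell whether it is a placeholder to exercise `ipRules` or an address block the validation pipeline actually needs — and an unexplained allow-list on a `Face` account is exactly the kind of setting that survives into copied parameter sets. A comment on that entry, e.g. `// Placeholder public range used only to exercise ipRules; not required by the pipeline` (or the real reason), would pin that down. The regenerated roleAssignments entry also gained a blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` that the removed version did not have; dropping it keeps the object consistent with `lock` and `tags` in the same block.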
--- a/modules/cognitive-services/account/.test/encr/main.test.bicep
+++ b/modules/cognitive-services/account/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cognitive-services/account/.test/min/main.test.bicep b/modules/cognitive-services/account/.test/min/main.test.bicep
index c24b67f868..82892d7e39 100644
--- a/modules/cognitive-services/account/.test/min/main.test.bicep
+++ b/modules/cognitive-services/account/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/cognitive-services/account/.test/speech/main.test.bicep b/modules/cognitive-services/account/.test/speech/main.test.bicep
index 7bb871851f..c341a3d3cb 100644
--- a/modules/cognitive-services/account/.test/speech/main.test.bicep
+++ b/modules/cognitive-services/account/.test/speech/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.cognitiveservices.accounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/.test/common/main.test.bicep
index a82280e4e5..e4d37ca872 100644
--- a/modules/compute/availability-set/.test/common/main.test.bicep
+++ b/modules/compute/availability-set/.test/common/main.test.bicep
@@ -1,75 +1,75 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.availabilitysets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cascom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - proximityPlacementGroupResourceId: 
nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cascom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/availability-set/.test/min/main.test.bicep b/modules/compute/availability-set/.test/min/main.test.bicep index 9160e72cc4..0881b94536 100644 --- a/modules/compute/availability-set/.test/min/main.test.bicep +++ b/modules/compute/availability-set/.test/min/main.test.bicep 
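Review bot: Apart from the new `resourceGroupName` default, the only content difference between the removed and re-added file is a stray blank line inside roleAssignments between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'`, which looks like an artifact of whatever regenerated the file rather than an intended edit; dropping it keeps the object consistent with `lock` and `tags` in the same block. Because every line shows as removed and re-added for what is effectively a one-line change, this hunk is presumably also a line-ending normalization — confirming with `git diff -w` and adding `*.bicep text eol=lf` to `.gitattributes` would keep later diffs reviewable and make the real change visible.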
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.availabilitysets-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep
index c3089e3cb5..3b0e1e4c7e 100644
--- a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep
+++ b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep
@@ -1,77 +1,77 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdesap' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - keyName: 
nestedDependencies.outputs.keyName - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdesap' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index f098a1a7a3..6bea195aca 100644 --- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep 
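Review bot: The re-added roleAssignments entry has a blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` that the removed version did not, the same artifact that appears in the other regenerated test files in this commit; it should be dropped so the object matches the rest of the parameter block. This test also enables `systemAssignedIdentity: true` alongside the user-assigned identity from `nestedDependencies`, and since `dependencies.bicep` is not in this hunk a reader cannot see which of the two the key vault access policy is presumably bound to; a one-line comment on `systemAssignedIdentity` stating which identity the access-policy scenario exercises would make the test self-explanatory.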
@@ -1,84 +1,84 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.diskencryptionsets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdescom'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- keyName: nestedDependencies.outputs.keyName
- keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- systemAssignedIdentity: false
- userAssignedIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdescom'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ keyName: nestedDependencies.outputs.keyName
+ keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ systemAssignedIdentity: false
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/.test/common/main.test.bicep
index dfa0b2c401..6585ab265f 100644
--- a/modules/compute/disk/.test/common/main.test.bicep
+++ b/modules/compute/disk/.test/common/main.test.bicep
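Review bot: On the new side, the `roleAssignments` object now carries an empty line between `principalId` and `principalType` (the lone `+` after the `principalId` line), which looks like an artifact of the scripted rewrite rather than intended formatting; drop that blank line so the object stays as compact as it was. The same stray line appears in disk/.test/common, disk/.test/image, disk/.test/import and, six times, in gallery/.test/common. The hunk lengths bear this out: this file stays at 84 lines only because the old trailing empty line is dropped, and gallery/.test/common grows from 190 to 195 lines, one per roleAssignments block. Since the `resourceGroupName` default is the only intended change, a targeted edit of that line would also have kept each of these hunks to a single changed line and made the diff reviewable.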
@@ -1,79 +1,79 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'UltraSSD_LRS'
- diskIOPSReadWrite: 500
- diskMBpsReadWrite: 60
- diskSizeGB: 128
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- logicalSectorSize: 512
- osType: 'Windows'
- publicNetworkAccess: 'Enabled'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'UltraSSD_LRS'
+ diskIOPSReadWrite: 500
+ diskMBpsReadWrite: 60
+ diskSizeGB: 128
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ logicalSectorSize: 512
+ osType: 'Windows'
+ publicNetworkAccess: 'Enabled'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/disk/.test/image/main.test.bicep b/modules/compute/disk/.test/image/main.test.bicep
index faebcf95c8..d811fa984d 100644
--- a/modules/compute/disk/.test/image/main.test.bicep
+++ b/modules/compute/disk/.test/image/main.test.bicep
@@ -1,68 +1,68 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimg'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'FromImage'
- imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdimg'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'Standard_LRS'
+ createOption: 'FromImage'
+ imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/disk/.test/import/main.test.bicep b/modules/compute/disk/.test/import/main.test.bicep
index 5c55c1a820..bec7da7f0b 100644
--- a/modules/compute/disk/.test/import/main.test.bicep
+++ b/modules/compute/disk/.test/import/main.test.bicep
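Review bot: `imageReferenceId` pins the platform image to the `westeurope` location segment while the disk itself is deployed to `location`, which defaults to `deployment().location`; if this test is ever run in another region the reference presumably no longer resolves, so either derive the segment from the parameter (`Locations/${location}/`) or state the constraint in a comment such as `// Platform image reference is region-bound to westeurope; keep location aligned` above the property. The version segment `20348.1006.220908` is a fixed build, so the fixture also depends on that exact image version staying available; a short comment that it needs periodic refresh would help whoever next sees the failure. Neither point is introduced by this commit, but the whole file is rewritten here, so it is the place to settle them.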
@@ -1,73 +1,73 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdimp'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
- triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
- copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}-${serviceShort}001'
- sku: 'Standard_LRS'
- createOption: 'Import'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sourceUri: nestedDependencies.outputs.vhdUri
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cdimp'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
+ triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
+ copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}001'
+ sku: 'Standard_LRS'
+ createOption: 'Import'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sourceUri: nestedDependencies.outputs.vhdUri
+ storageAccountId: nestedDependencies.outputs.storageAccountResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/disk/.test/min/main.test.bicep b/modules/compute/disk/.test/min/main.test.bicep
index 6a69bbe644..00ddc7f8c9 100644
--- a/modules/compute/disk/.test/min/main.test.bicep
+++ b/modules/compute/disk/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/.test/common/main.test.bicep
index 82c3104ba6..9cb9aa0b51 100644
--- a/modules/compute/gallery/.test/common/main.test.bicep
+++ b/modules/compute/gallery/.test/common/main.test.bicep
@@ -1,190 +1,195 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- applications: [
- {
- name: '${namePrefix}-${serviceShort}-appd-001'
- }
- {
- name: '${namePrefix}-${serviceShort}-appd-002'
- supportedOSType: 'Windows'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- }
- ]
- images: [
- {
- name: '${namePrefix}-az-imgd-ws-001'
- }
- {
- hyperVGeneration: 'V1'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-002'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition'
- }
- {
- hyperVGeneration: 'V2'
- isHibernateSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-003'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-hibernate'
- }
- {
- hyperVGeneration: 'V2'
- isAcceleratedNetworkSupported: 'true'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-ws-004'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition-accnet'
- }
- {
- hyperVGeneration: 'V2'
- securityType: 'TrustedLaunch'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '${namePrefix}-az-imgd-wdtl-002'
- offer: 'WindowsDesktop'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsDesktop'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- sku: 'Win11-21H2'
- }
- {
- hyperVGeneration: 'V2'
- maxRecommendedMemory: 32
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 1
- name: '${namePrefix}-az-imgd-us-001'
- offer: '0001-com-ubuntu-server-focal'
- osState: 'Generalized'
- osType: 'Linux'
- publisher: 'canonical'
- sku: '20_04-lts-gen2'
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cgcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ applications: [
+ {
+ name: '${namePrefix}-${serviceShort}-appd-001'
+ }
+ {
+ name: '${namePrefix}-${serviceShort}-appd-002'
+ supportedOSType: 'Windows'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+ ]
+ images: [
+ {
+ name: '${namePrefix}-az-imgd-ws-001'
+ }
+ {
+ hyperVGeneration: 'V1'
+ maxRecommendedMemory: 16
+ maxRecommendedvCPUs: 8
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 2
+ name: '${namePrefix}-az-imgd-ws-002'
+ offer: 'WindowsServer'
+ osState: 'Generalized'
+ osType: 'Windows'
+ publisher: 'MicrosoftWindowsServer'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: '2022-datacenter-azure-edition'
+ }
+ {
+ hyperVGeneration: 'V2'
+ isHibernateSupported: 'true'
+ maxRecommendedMemory: 16
+ maxRecommendedvCPUs: 8
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 2
+ name: '${namePrefix}-az-imgd-ws-003'
+ offer: 'WindowsServer'
+ osState: 'Generalized'
+ osType: 'Windows'
+ publisher: 'MicrosoftWindowsServer'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: '2022-datacenter-azure-edition-hibernate'
+ }
+ {
+ hyperVGeneration: 'V2'
+ isAcceleratedNetworkSupported: 'true'
+ maxRecommendedMemory: 16
+ maxRecommendedvCPUs: 8
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 2
+ name: '${namePrefix}-az-imgd-ws-004'
+ offer: 'WindowsServer'
+ osState: 'Generalized'
+ osType: 'Windows'
+ publisher: 'MicrosoftWindowsServer'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: '2022-datacenter-azure-edition-accnet'
+ }
+ {
+ hyperVGeneration: 'V2'
+ securityType: 'TrustedLaunch'
+ maxRecommendedMemory: 16
+ maxRecommendedvCPUs: 4
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 2
+ name: '${namePrefix}-az-imgd-wdtl-002'
+ offer: 'WindowsDesktop'
+ osState: 'Generalized'
+ osType: 'Windows'
+ publisher: 'MicrosoftWindowsDesktop'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: 'Win11-21H2'
+ }
+ {
+ hyperVGeneration: 'V2'
+ maxRecommendedMemory: 32
+ maxRecommendedvCPUs: 4
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 1
+ name: '${namePrefix}-az-imgd-us-001'
+ offer: '0001-com-ubuntu-server-focal'
+ osState: 'Generalized'
+ osType: 'Linux'
+ publisher: 'canonical'
+ sku: '20_04-lts-gen2'
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/gallery/.test/min/main.test.bicep b/modules/compute/gallery/.test/min/main.test.bicep
index 363ba87906..86f8f257b5 100644
--- a/modules/compute/gallery/.test/min/main.test.bicep
+++ b/modules/compute/gallery/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/image/.test/common/main.test.bicep b/modules/compute/image/.test/common/main.test.bicep
index b7e33ae82f..14b3372fa4 100644
--- a/modules/compute/image/.test/common/main.test.bicep
+++ b/modules/compute/image/.test/common/main.test.bicep
@@ -1,87 +1,87 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.images-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cicom'
-
-@description('Generated. Used as a basis for unique resource names.')
-param baseTime string = utcNow('u')
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
- diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
- triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
- copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- osAccountType: 'Premium_LRS'
- osDiskBlobUri: nestedDependencies.outputs.vhdUri
- osDiskCaching: 'ReadWrite'
- osType: 'Windows'
- hyperVGeneration: 'V1'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- zoneResilient: true
- diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId
- osState: 'Generalized'
- diskSizeGB: 128
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- tagA: 'You\'re it'
- tagB: 'Player'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cicom'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
+ diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}'
+ triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate'
+ copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ osAccountType: 'Premium_LRS'
+ osDiskBlobUri: nestedDependencies.outputs.vhdUri
+ osDiskCaching: 'ReadWrite'
+ osType: 'Windows'
+ hyperVGeneration: 'V1'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ zoneResilient: true
+ diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId
+ osState: 'Generalized'
+ diskSizeGB: 128
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ tagA: 'You\'re it'
+ tagB: 'Player'
+ }
+ }
+}
diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/.test/common/main.test.bicep
index ebd18b054a..1afa2b0789 100644
--- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep
+++ b/modules/compute/proximity-placement-group/.test/common/main.test.bicep
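Review bot: The rewritten roleAssignments entry carries an empty line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` (the lone `+` after the principalId line) that the old side did not have, while the trailing empty line at end of file is dropped; the same pair of changes appears in the proximity-placement-group/common, virtual-machine-scale-set/linux and virtual-machine-scale-set/windows hunks below and in the gallery/common hunk above. Since every line of this file is removed and re-added with otherwise identical content, this looks like a line-ending or whitespace normalisation mixed into the resourceGroupName change, which hides the one intentional edit in a 87-line rewrite. I would delete the stray empty line so the object reads `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` directly followed by `principalType: 'ServicePrincipal'`, and keep any formatting-only rewrite in its own commit so the functional change can be reviewed on its own.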
@@ -1,89 +1,89 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.proximityplacementgroups-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cppgcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- zones: [
- '1'
- ]
- type: 'Standard'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- TagA: 'Would you kindly...'
- TagB: 'Tags for sale'
- }
- colocationStatus: {
- code: 'ColocationStatus/Aligned'
- displayStatus: 'Aligned'
- level: 'Info'
- message: 'I\'m a default error message'
- }
- intent: {
- vmSizes: [
- 'Standard_B1ms'
- 'Standard_B4ms'
- ]
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cppgcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ zones: [
+ '1'
+ ]
+ type: 'Standard'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ TagA: 'Would you kindly...'
+ TagB: 'Tags for sale'
+ }
+ colocationStatus: {
+ code: 'ColocationStatus/Aligned'
+ displayStatus: 'Aligned'
+ level: 'Info'
+ message: 'I\'m a default error message'
+ }
+ intent: {
+ vmSizes: [
+ 'Standard_B1ms'
+ 'Standard_B4ms'
+ ]
+ }
+ }
+}
diff --git a/modules/compute/proximity-placement-group/.test/min/main.test.bicep b/modules/compute/proximity-placement-group/.test/min/main.test.bicep
index cb745a8bda..1805333d13 100644
--- a/modules/compute/proximity-placement-group/.test/min/main.test.bicep
+++ b/modules/compute/proximity-placement-group/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.proximityplacementgroups-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/ssh-public-key/.test/common/main.test.bicep b/modules/compute/ssh-public-key/.test/common/main.test.bicep
index f20494fb87..f40946b0cf 100644
--- a/modules/compute/ssh-public-key/.test/common/main.test.bicep
+++ b/modules/compute/ssh-public-key/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.sshPublicKeys-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/ssh-public-key/.test/min/main.test.bicep b/modules/compute/ssh-public-key/.test/min/main.test.bicep
index dfc7cdd0ec..02a014853b 100644
--- a/modules/compute/ssh-public-key/.test/min/main.test.bicep
+++ b/modules/compute/ssh-public-key/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.sshPublicKeys-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep
index da12188343..3e94abd26d 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep
index ecd4107f17..e78d392469 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
index 66ed49e535..42e5492661 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
@@ -1,197 +1,197 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsslin'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
- sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
- sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'scaleSetAdmin'
- imageReference: {
- publisher: 'Canonical'
- offer: '0001-com-ubuntu-server-jammy'
- sku: '22_04-lts-gen2'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Linux'
- skuName: 'Standard_B12ms'
- availabilityZones: [
- '2'
- ]
- bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName
- dataDisks: [
- {
- caching: 'ReadOnly'
- createOption: 'Empty'
- diskSizeGB: '256'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- {
- caching: 'ReadOnly'
- createOption: 'Empty'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- disablePasswordAuthentication: true
- encryptionAtHost: false
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- uri: nestedDependencies.outputs.storageAccountCSEFileUrl
- }
- ]
- protectedSettings: {
- commandToExecute: 'sudo apt-get update'
- }
- }
- extensionDependencyAgentConfig: {
- enabled: true
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- publicKeys: [
- {
- keyData: nestedDependencies.outputs.SSHKeyPublicKey
- path: '/home/scaleSetAdmin/.ssh/authorized_keys'
- }
- ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- scaleSetFaultDomain: 1
- skuCapacity: 1
- systemAssignedIdentity: true
- upgradePolicyMode: 'Manual'
- userAssignedIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
- }
- vmNamePrefix: 'vmsslinvm'
- vmPriority: 'Regular'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmsslin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
+ sshDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
+ sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ adminUsername: 'scaleSetAdmin'
+ imageReference: {
+ publisher: 'Canonical'
+ offer: '0001-com-ubuntu-server-jammy'
+ sku: '22_04-lts-gen2'
+ version: 'latest'
+ }
+ osDisk: {
+ createOption: 'fromImage'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ osType: 'Linux'
+ skuName: 'Standard_B12ms'
+ availabilityZones: [
+ '2'
+ ]
+ bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName
+ dataDisks: [
+ {
+ caching: 'ReadOnly'
+ createOption: 'Empty'
+ diskSizeGB: '256'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ {
+ caching: 'ReadOnly'
+ createOption: 'Empty'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ disablePasswordAuthentication: true
+ encryptionAtHost: false
+ extensionCustomScriptConfig: {
+ enabled: true
+ fileData: [
+ {
+ storageAccountId: nestedDependencies.outputs.storageAccountResourceId
+ uri: nestedDependencies.outputs.storageAccountCSEFileUrl
+ }
+ ]
+ protectedSettings: {
+ commandToExecute: 'sudo apt-get update'
+ }
+ }
+ extensionDependencyAgentConfig: {
+ enabled: true
+ }
+ extensionAzureDiskEncryptionConfig: {
+ enabled: true
+ settings: {
+ EncryptionOperation: 'EnableEncryption'
+ KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ KeyEncryptionAlgorithm: 'RSA-OAEP'
+ KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
+ KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
+ ResizeOSDisk: 'false'
+ VolumeType: 'All'
+ }
+ }
+ extensionMonitoringAgentConfig: {
+ enabled: true
+ }
+ extensionNetworkWatcherAgentConfig: {
+ enabled: true
+ }
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ nicConfigurations: [
+ {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: nestedDependencies.outputs.subnetResourceId
+ }
+ }
+ }
+ ]
+ nicSuffix: '-nic01'
+ }
+ ]
+ publicKeys: [
+ {
+ keyData: nestedDependencies.outputs.SSHKeyPublicKey
+ path: '/home/scaleSetAdmin/.ssh/authorized_keys'
+ }
+ ]
+ roleAssignments: [
+ {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ scaleSetFaultDomain: 1
+ skuCapacity: 1
+ systemAssignedIdentity: true
+ upgradePolicyMode: 'Manual'
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ vmNamePrefix: 'vmsslinvm'
+ vmPriority: 'Regular'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep
index 9ca365743e..9beeb880a2 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
index b4e0eca794..ad9e06de2e 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
@@ -1,193 +1,193 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cvmsswin'
-
-@description('Optional. The password to leverage for the login.')
-@secure()
-param password string = newGuid()
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
- storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
- storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
- proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- adminUsername: 'localAdminUser'
- imageReference: {
- publisher: 'MicrosoftWindowsServer'
- offer: 'WindowsServer'
- sku: '2022-datacenter-azure-edition'
- version: 'latest'
- }
- osDisk: {
- createOption: 'fromImage'
- diskSizeGB: '128'
- managedDisk: {
- storageAccountType: 'Premium_LRS'
- }
- }
- osType: 'Windows'
- skuName: 'Standard_B12ms'
- adminPassword: password
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- encryptionAtHost: false
- extensionAntiMalwareConfig: {
- enabled: true
- settings: {
- AntimalwareEnabled: true
- Exclusions: {
- Extensions: '.log;.ldf'
- Paths: 'D:\\IISlogs;D:\\DatabaseLogs'
- Processes: 'mssence.svc'
- }
- RealtimeProtectionEnabled: true
- ScheduledScanSettings: {
- day: '7'
- isEnabled: 'true'
- scanType: 'Quick'
- time: '120'
- }
- }
- }
- extensionCustomScriptConfig: {
- enabled: true
- fileData: [
- {
- storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- uri: nestedDependencies.outputs.storageAccountCSEFileUrl
- }
- ]
- protectedSettings: {
- commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"'
- }
- }
- extensionDependencyAgentConfig: {
- enabled: true
- }
- extensionAzureDiskEncryptionConfig: {
- enabled: true
- settings: {
- EncryptionOperation: 'EnableEncryption'
- KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyEncryptionAlgorithm: 'RSA-OAEP'
- KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
- KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
- ResizeOSDisk: 'false'
- VolumeType: 'All'
- }
- }
- extensionDSCConfig: {
- enabled: true
- }
- extensionMonitoringAgentConfig: {
- enabled: true
- }
- extensionNetworkWatcherAgentConfig: {
- enabled: true
- }
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- nicConfigurations: [
- {
- ipConfigurations: [
- {
- name: 'ipconfig1'
- properties: {
- subnet: {
- id: nestedDependencies.outputs.subnetResourceId
- }
- }
- }
- ]
- nicSuffix: '-nic01'
- }
- ]
- proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- skuCapacity: 1
- systemAssignedIdentity: true
- upgradePolicyMode: 'Manual'
- userAssignedIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
- }
- vmNamePrefix: 'vmsswinvm'
- vmPriority: 'Regular'
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualmachinescalesets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmsswin'
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}01'
+ storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}'
+ proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ adminUsername: 'localAdminUser'
+ imageReference: {
+ publisher: 'MicrosoftWindowsServer'
+ offer: 'WindowsServer'
+ sku: '2022-datacenter-azure-edition'
+ version: 'latest'
+ }
+ osDisk: {
+ createOption: 'fromImage'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ osType: 'Windows'
+ skuName: 'Standard_B12ms'
+ adminPassword: password
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ encryptionAtHost: false
+ extensionAntiMalwareConfig: {
+ enabled: true
+ settings: {
+ AntimalwareEnabled: true
+ Exclusions: {
+ Extensions: '.log;.ldf'
+ Paths: 'D:\\IISlogs;D:\\DatabaseLogs'
+ Processes: 'mssence.svc'
+ }
+ RealtimeProtectionEnabled: true
+ ScheduledScanSettings: {
+ day: '7'
+ isEnabled: 'true'
+ scanType: 'Quick'
+ time: '120'
+ }
+ }
+ }
+ extensionCustomScriptConfig: {
+ enabled: true
+ fileData: [
+ {
+ storageAccountId: nestedDependencies.outputs.storageAccountResourceId
+ uri: nestedDependencies.outputs.storageAccountCSEFileUrl
+ }
+ ]
+ protectedSettings: {
+ commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"'
+ }
+ }
+ extensionDependencyAgentConfig: {
+ enabled: true
+ }
+ extensionAzureDiskEncryptionConfig: {
+ enabled: true
+ settings: {
+ EncryptionOperation: 'EnableEncryption'
+ KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ KeyEncryptionAlgorithm: 'RSA-OAEP'
+ KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
+ KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ KeyVaultURL: nestedDependencies.outputs.keyVaultUrl
+ ResizeOSDisk: 'false'
+ VolumeType: 'All'
+ }
+ }
+ extensionDSCConfig: {
+ enabled: true
+ }
+ extensionMonitoringAgentConfig: {
+ enabled: true
+ }
+ extensionNetworkWatcherAgentConfig: {
+ enabled: true
+ }
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ nicConfigurations: [
+ {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: nestedDependencies.outputs.subnetResourceId
+ }
+ }
+ }
+ ]
+ nicSuffix: '-nic01'
+ }
+ ]
+ proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
+ roleAssignments: [
+ {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ skuCapacity: 1
+ systemAssignedIdentity: true
+ upgradePolicyMode: 'Manual'
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
+ vmNamePrefix: 'vmsswinvm'
+ vmPriority: 'Regular'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep b/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep
index 74894f3536..5bb0690a4e 100644
--- a/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/virtual-machine/.test/linux.min/main.test.bicep b/modules/compute/virtual-machine/.test/linux.min/main.test.bicep
index f74fd4fcb4..6b00f10652 100644
--- a/modules/compute/virtual-machine/.test/linux.min/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/linux.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep
index bca0ffc1c5..ba5c8f714f 100644
--- a/modules/compute/virtual-machine/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
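Review bot: The new default `'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'` bakes the `[[namePrefix]]` placeholder into the resource-group name, so unless the token is substituted before deployment the default is, as far as I know, not a valid resource-group name (square brackets are not among the permitted characters), whereas the previous `ms.compute.virtualMachines-…` default deployed as-is. If the pipeline always substitutes the token that is acceptable, but the decorator should say so, e.g. `@description('Optional. The name of the resource group to deploy for testing purposes. The default expects the namePrefix token to have been substituted.')`. The `@maxLength(90)` limit still holds for realistic prefixes, but the new default is longer than the old one by the prefix length plus two characters, so a long prefix now has less headroom. The same change and the same documentation gap appear in every other resourceGroupName hunk on this page (the linux.min, linux, windows.atmg, windows.min, windows.ssecmk and windows virtual-machine tests and the four container-instance tests).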
diff --git a/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep b/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep
index 52c5e35db0..ccee52176b 100644
--- a/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/virtual-machine/.test/windows.min/main.test.bicep b/modules/compute/virtual-machine/.test/windows.min/main.test.bicep
index efb300edf1..0d2a846d66 100644
--- a/modules/compute/virtual-machine/.test/windows.min/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/windows.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep b/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep
index b829bbcf1c..d20da897b7 100644
--- a/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep
index 568a50982e..51c37b16c6 100644
--- a/modules/compute/virtual-machine/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep
@@ -1,297 +1,299 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.compute.virtualMachines-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cvmwincom' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - location: location - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}01' - storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - } -} - -// Diagnostics 
-// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - location: location - name: '${namePrefix}${serviceShort}' - computerName: '${namePrefix}winvm1' - adminUsername: 'VMAdmin' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: nestedDependencies.outputs.applicationSecurityGroupResourceId - } - ] - loadBalancerBackendAddressPools: [ - { - id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - zones: [ - '1' - '2' - '3' - ] - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - } - ] - osDisk: { - caching: 'None' - createOption: 'fromImage' - deleteOption: 
'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_DS2_v2' - adminPassword: password - availabilityZone: 2 - backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName - backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName - backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName - dataDisks: [ - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - enableAutomaticUpdates: true - patchMode: 'AutomaticByPlatform' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: nestedDependencies.outputs.storageAccountResourceId - uri: nestedDependencies.outputs.storageAccountCSEFileUrl - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - 
Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl - KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - KeyVaultURL: nestedDependencies.outputs.keyVaultUrl - ResizeOSDisk: 'false' - VolumeType: 'All' - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - } - extensionAadJoinConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - 
roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cvmwincom' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + location: location + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + recoveryServicesVaultName: 'dep-${namePrefix}-rsv-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + storageUploadDeploymentScriptName: 'dep-${namePrefix}-sads-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + location: location + name: '${namePrefix}${serviceShort}' + 
computerName: '${namePrefix}winvm1' + adminUsername: 'VMAdmin' + imageReference: { + publisher: 'MicrosoftWindowsServer' + offer: 'WindowsServer' + sku: '2019-datacenter' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + loadBalancerBackendAddressPools: [ + { + id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + } + zones: [ + '1' + '2' + '3' + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + } + ] + osDisk: { + caching: 'None' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_DS2_v2' + adminPassword: password + availabilityZone: 2 + backupPolicyName: nestedDependencies.outputs.recoveryServicesVaultBackupPolicyName + backupVaultName: nestedDependencies.outputs.recoveryServicesVaultName + backupVaultResourceGroup: nestedDependencies.outputs.recoveryServicesVaultResourceGroupName + dataDisks: [ + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + enableAutomaticUpdates: true + patchMode: 'AutomaticByPlatform' + diagnosticStorageAccountId: 
diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + encryptionAtHost: false + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: 'true' + Exclusions: { + Extensions: '.ext1;.ext2' + Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' + Processes: 'excludedproc1.exe;excludedproc2.exe' + } + RealtimeProtectionEnabled: 'true' + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + uri: nestedDependencies.outputs.storageAccountCSEFileUrl + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptProtectedSetting: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${nestedDependencies.outputs.storageAccountCSEFileName}"' + } + extensionDependencyAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: nestedDependencies.outputs.keyVaultEncryptionKeyUrl + KeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + KeyVaultURL: nestedDependencies.outputs.keyVaultUrl + ResizeOSDisk: 
'false' + VolumeType: 'All' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + } + extensionAadJoinConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionDSCConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionMonitoringAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + extensionNetworkWatcherAgentConfig: { + enabled: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/container-instance/container-group/.test/common/main.test.bicep b/modules/container-instance/container-group/.test/common/main.test.bicep index 14ebfbb887..2dc87dd5b1 100644 --- a/modules/container-instance/container-group/.test/common/main.test.bicep +++ b/modules/container-instance/container-group/.test/common/main.test.bicep 
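Review bot: The three `roleAssignments` entries on the new side each gain a stray blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` (the old side has none), which together with the dropped trailing blank line at the end of the file accounts for the 297-to-299 line count; this looks like an artifact of the scripted edit rather than an intended change and the blank lines should be removed so the object literals stay compact. The hunk also replaces the whole file even though the only substantive change is the `resourceGroupName` default — presumably a line-ending or trailing-whitespace difference — and normalising that separately would keep the reviewable change to one line. The same stray blank line appears after the `principalId:` line of the preceding scale-set test hunk, whose header is above this chunk.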
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.containerinstance.containergroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/container-instance/container-group/.test/encr/main.test.bicep b/modules/container-instance/container-group/.test/encr/main.test.bicep
index b86cfbfaf3..be4c18e369 100644
--- a/modules/container-instance/container-group/.test/encr/main.test.bicep
+++ b/modules/container-instance/container-group/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.containerinstance.containergroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/container-instance/container-group/.test/min/main.test.bicep b/modules/container-instance/container-group/.test/min/main.test.bicep
index 240ce76d42..55144600d3 100644
--- a/modules/container-instance/container-group/.test/min/main.test.bicep
+++ b/modules/container-instance/container-group/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.containerinstance.containergroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/container-instance/container-group/.test/private/main.test.bicep b/modules/container-instance/container-group/.test/private/main.test.bicep
index 84f4dc64ed..541422f6e5 100644
--- a/modules/container-instance/container-group/.test/private/main.test.bicep
+++ b/modules/container-instance/container-group/.test/private/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.containerinstance.containergroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep
index 8e52191585..826dfdd5ab 100644
--- a/modules/container-registry/registry/.test/common/main.test.bicep
+++ b/modules/container-registry/registry/.test/common/main.test.bicep
@@ -1,149 +1,149 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - 
storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - acrAdminUserEnabled: false - acrSku: 'Premium' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - exportPolicyStatus: 'enabled' - azureADAuthenticationAsArmPolicyStatus: 'enabled' - softDeletePolicyStatus: 'disabled' - softDeletePolicyDays: 7 - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - service: 'registry' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - networkRuleSetIpRules: [ - { - action: 'Allow' - value: '40.74.28.0/23' - } - ] - quarantinePolicyStatus: 'enabled' - replications: [ - { - location: nestedDependencies.outputs.pairedRegionName - name: nestedDependencies.outputs.pairedRegionName - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } 
- ] - systemAssignedIdentity: true - trustPolicyStatus: 'enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - cacheRules: [ - { - name: 'customRule' - sourceRepository: 'docker.io/library/hello-world' - targetRepository: 'cached-docker-hub/hello-world' - } - { - sourceRepository: 'docker.io/library/hello-world' - } - ] - webhooks: [ - { - name: '${namePrefix}acrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crrcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + acrAdminUserEnabled: false + acrSku: 'Premium' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + exportPolicyStatus: 'enabled' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + softDeletePolicyStatus: 'disabled' + softDeletePolicyDays: 7 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + service: 'registry' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: nestedDependencies.outputs.pairedRegionName + name: nestedDependencies.outputs.pairedRegionName + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + trustPolicyStatus: 'enabled' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + webhooks: [ + { + name: '${namePrefix}acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/container-registry/registry/.test/encr/main.test.bicep b/modules/container-registry/registry/.test/encr/main.test.bicep index f6b8fd3f61..3648f55a8f 100644 --- a/modules/container-registry/registry/.test/encr/main.test.bicep 
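Review bot: The new side of this hunk appears to carry an extra blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` inside the `roleAssignments` entry that the old side did not have; I would drop it so the object stays as compact as the sibling entries in the same file. Because the header is `-1,149 +1,149` and every other line is re-emitted with identical content, this looks like a line-ending normalization (CRLF to LF or similar) rather than a content change — hedged, since the collapsed layout hides the exact whitespace. If that is the case, consider moving the normalization into its own commit or adding a `.gitattributes` rule such as `*.bicep text eol=lf`, so that the one intended change here, the `resourceGroupName` default becoming `dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg`, is the only thing a reviewer has to read in this file.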
+++ b/modules/container-registry/registry/.test/encr/main.test.bicep @@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/container-registry/registry/.test/min/main.test.bicep b/modules/container-registry/registry/.test/min/main.test.bicep index 0db5d24fdd..3d4f3030e4 100644 --- a/modules/container-registry/registry/.test/min/main.test.bicep +++ b/modules/container-registry/registry/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/container-registry/registry/.test/pe/main.test.bicep b/modules/container-registry/registry/.test/pe/main.test.bicep index 19f4dd9c96..a0708497ad 100644 --- a/modules/container-registry/registry/.test/pe/main.test.bicep +++ b/modules/container-registry/registry/.test/pe/main.test.bicep 
@@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.containerregistry.registries-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep index 35a7bc0355..f438df827e 100644 --- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep 
@@ -1,256 +1,256 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csmaz' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - managedIdentityKubeletIdentityName: 'dep-${namePrefix}-msiki-${serviceShort}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' - 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[0] - } - ] - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[1] - proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - } - { - availabilityZones: [ - '3' - ] - 
count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[2] - } - ] - autoUpgradeProfileUpgradeChannel: 'stable' - enableWorkloadIdentity: true - enableOidcIssuerProfile: true - networkPlugin: 'azure' - networkDataplane: 'azure' - networkPluginMode: 'overlay' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId - openServiceMeshEnabled: true - enableStorageProfileBlobCSIDriver: true - enableStorageProfileDiskCSIDriver: true - enableStorageProfileFileCSIDriver: true - enableStorageProfileSnapshotController: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - identityProfile: { - kubeletidentity: { - resourceId: nestedDependencies.outputs.managedIdentityKubeletIdentityResourceId - } - } - omsAgentEnabled: true - monitoringWorkspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId - enableAzureDefender: true - enableKeyvaultSecretsProvider: true - enablePodSecurityPolicy: false - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 
'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - fluxExtension: { - configurationSettings: { - 'helm-controller.enabled': 'true' - 'source-controller.enabled': 'true' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'true' - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - } - configurations: [ - { - namespace: 'flux-system' - scope: 'cluster' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - } - { - namespace: 'flux-system-helm' - scope: 'cluster' - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' - } - kustomizations: { - infra: { - path: './infrastructure' - dependsOn: [] - timeoutInSeconds: 600 - syncIntervalInSeconds: 600 - validation: 'none' - prune: true - } - apps: { - path: './apps/staging' - dependsOn: [ - 'infra' - ] - timeoutInSeconds: 600 - syncIntervalInSeconds: 600 - retryIntervalInSeconds: 120 - prune: true - } - } - } - ] - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csmaz' + +@description('Generated. 
Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + managedIdentityKubeletIdentityName: 'dep-${namePrefix}-msiki-${serviceShort}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// 
============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + primaryAgentPoolProfile: [ + { + availabilityZones: [ + '3' + ] + count: 1 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + mode: 'System' + name: 'systempool' + osDiskSizeGB: 0 + osType: 'Linux' + serviceCidr: '' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[0] + } + ] + agentPools: [ + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool1' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[1] + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + } + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool2' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[2] + } + ] + autoUpgradeProfileUpgradeChannel: 'stable' + enableWorkloadIdentity: true + enableOidcIssuerProfile: true + networkPlugin: 'azure' + networkDataplane: 
'azure' + networkPluginMode: 'overlay' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId + openServiceMeshEnabled: true + enableStorageProfileBlobCSIDriver: true + enableStorageProfileDiskCSIDriver: true + enableStorageProfileFileCSIDriver: true + enableStorageProfileSnapshotController: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + identityProfile: { + kubeletidentity: { + resourceId: nestedDependencies.outputs.managedIdentityKubeletIdentityResourceId + } + } + omsAgentEnabled: true + monitoringWorkspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + enableAzureDefender: true + enableKeyvaultSecretsProvider: true + enablePodSecurityPolicy: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + fluxExtension: { + configurationSettings: { + 'helm-controller.enabled': 'true' + 'source-controller.enabled': 'true' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'true' + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + } + configurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 
'https://github.com/mspnp/aks-baseline' + } + } + { + namespace: 'flux-system-helm' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' + } + kustomizations: { + infra: { + path: './infrastructure' + dependsOn: [] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + validation: 'none' + prune: true + } + apps: { + path: './apps/staging' + dependsOn: [ + 'infra' + ] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + retryIntervalInSeconds: 120 + prune: true + } + } + } + ] + } + } +} diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep index 2f445e1328..8fb322a2b9 100644 --- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep 
@@ -1,159 +1,159 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csmkube' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - primaryAgentPoolProfile: [ - { - availabilityZones: [ - '3' - ] - count: 1 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - mode: 'System' - name: 'systempool' - osDiskSizeGB: 0 - osType: 'Linux' - serviceCidr: '' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - agentPools: [ - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool1' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - { - availabilityZones: [ - '3' - ] - count: 2 - enableAutoScaling: true - maxCount: 3 - maxPods: 30 - minCount: 1 - minPods: 2 - mode: 'User' - name: 'userpool2' - nodeLabels: {} - nodeTaints: [ - 'CriticalAddonsOnly=true:NoSchedule' - ] - osDiskSizeGB: 128 - osType: 'Linux' - scaleSetEvictionPolicy: 'Delete' - scaleSetPriority: 'Regular' - storageProfile: 'ManagedDisks' - type: 'VirtualMachineScaleSets' - vmSize: 'Standard_DS2_v2' - } - ] - networkPlugin: 'kubenet' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csmkube' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + primaryAgentPoolProfile: [ + { + availabilityZones: [ + '3' + ] + count: 1 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + mode: 'System' + name: 'systempool' + osDiskSizeGB: 0 + osType: 'Linux' + serviceCidr: '' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + ] + agentPools: [ + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 
'userpool1' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + { + availabilityZones: [ + '3' + ] + count: 2 + enableAutoScaling: true + maxCount: 3 + maxPods: 30 + minCount: 1 + minPods: 2 + mode: 'User' + name: 'userpool2' + nodeLabels: {} + nodeTaints: [ + 'CriticalAddonsOnly=true:NoSchedule' + ] + osDiskSizeGB: 128 + osType: 'Linux' + scaleSetEvictionPolicy: 'Delete' + scaleSetPriority: 'Regular' + storageProfile: 'ManagedDisks' + type: 'VirtualMachineScaleSets' + vmSize: 'Standard_DS2_v2' + } + ] + networkPlugin: 'kubenet' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/container-service/managed-cluster/.test/min/main.test.bicep b/modules/container-service/managed-cluster/.test/min/main.test.bicep index 477264b2e2..ec5bf9306f 100644 --- a/modules/container-service/managed-cluster/.test/min/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/min/main.test.bicep 
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/container-service/managed-cluster/.test/priv/main.test.bicep b/modules/container-service/managed-cluster/.test/priv/main.test.bicep index aeeae2fbfc..26729a14da 100644 --- a/modules/container-service/managed-cluster/.test/priv/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/priv/main.test.bicep @@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-containerservice.managedclusters-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 07059a312f..6bea31ebf1 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep 
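Review bot: The new default for `resourceGroupName` now depends on `namePrefix`, which this hunk's context does not show declared in the min file; in the fully rewritten common test files it is declared further down with the placeholder default `'[[namePrefix]]'`, so presumably the same holds here. It is worth stating on the parameter that the name is only valid once the pipeline has substituted that token — square brackets are not permitted in a resource-group name, so an unsubstituted placeholder should fail validation before anything is deployed, which is the safer failure mode but will surprise anyone running the test file directly. I would extend the description, e.g. `@description('Optional. The name of the resource group to deploy for testing purposes. Derived from namePrefix, which the test pipeline token-replaces before deployment.')`. The same applies to the priv hunk on this line and to the min hunks for data-factory/factory, data-protection/backup-vault and databricks/access-connector further down.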
@@ -1,151 +1,151 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.datafactory.factories-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dffcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - storageAccountName: 'dep${namePrefix}st${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 
'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gitConfigureLater: true - globalParameters: { - testParameter1: { - type: 'String' - value: 'testValue1' - } - } - integrationRuntimes: [ - { - managedVirtualNetworkName: 'default' - name: 'AutoResolveIntegrationRuntime' - type: 'Managed' - typeProperties: { - computeProperties: { - location: 'AutoResolve' - } - } - } - - { - name: 'TestRuntime' - type: 'SelfHosted' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedPrivateEndpoints: [ - { - fqdns: [ - nestedDependencies.outputs.storageAccountBlobEndpoint - ] - groupId: 'blob' - name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' - privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId - } - ] - managedVirtualNetworkName: 'default' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId 
- - ] - service: 'dataFactory' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - application: 'CARML' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dffcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedPrivateEndpoints: [ + { + fqdns: [ + nestedDependencies.outputs.storageAccountBlobEndpoint + ] + groupId: 'blob' + name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' + privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] + managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'dataFactory' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + application: 'CARML' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-factory/factory/.test/min/main.test.bicep b/modules/data-factory/factory/.test/min/main.test.bicep index f5dadd9372..b182ddfc97 100644 --- a/modules/data-factory/factory/.test/min/main.test.bicep 
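Review bot: The only content change in this full-file rewrite of `data-factory/factory/.test/common/main.test.bicep` is the `resourceGroupName` default, yet every line is removed and re-added, which reads like a line-ending normalisation and makes the one intentional edit — and anything riding along with it — hard to verify; the rewrites of the `data-protection/backup-vault`, `databricks/access-connector` and `databricks/workspace` common tests below have the same shape. Comparing old and new sides, as far as the collapsed rendering allows, the only other difference is a blank line that now sits between `principalId` and `principalType` inside the `roleAssignments` entry; it is harmless to Bicep but looks unintended and I would drop it. To keep future diffs limited to the intentional change, pin the line ending for these files in `.gitattributes`, e.g. `*.bicep text eol=lf`, and land the normalisation as its own commit so a functional edit can be reviewed in isolation.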
+++ b/modules/data-factory/factory/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.datafactory.factories-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep index 05924632cf..fe1b319ceb 100644 --- a/modules/data-protection/backup-vault/.test/common/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep 
@@ -1,137 +1,137 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dataprotection.backupvaults-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dpbvcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - 
azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - systemAssignedIdentity: true - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - trigger: { - objectType: 'ScheduleBasedTriggerContext' - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - isDefault: true - taggingPriority: 99 - tagInfo: { - id: 'Default_' - tagName: 'Default' - } - } - ] - } - } - { - isDefault: true - lifecycles: [ - { - deleteAfter: { - duration: 'P7D' - objectType: 'AbsoluteDeleteOption' - } - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - targetDataStoreCopySettings: [] - } - ] - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - } - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. 
Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dpbvcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + systemAssignedIdentity: true + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. 
Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-protection/backup-vault/.test/min/main.test.bicep b/modules/data-protection/backup-vault/.test/min/main.test.bicep index e96ec60caf..28e222baca 100644 --- a/modules/data-protection/backup-vault/.test/min/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.dataprotection.backupvaults-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index 6395e13ed7..1ea97bd6c4 100644 --- a/modules/databricks/access-connector/.test/common/main.test.bicep +++ b/modules/databricks/access-connector/.test/common/main.test.bicep 
@@ -1,78 +1,78 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'daccom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - roleAssignments: [ - { - 
roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - location: resourceGroup.location - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'daccom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + location: resourceGroup.location + } +} diff --git a/modules/databricks/access-connector/.test/min/main.test.bicep b/modules/databricks/access-connector/.test/min/main.test.bicep index 1c8b923b29..b353cb47c5 100644 --- a/modules/databricks/access-connector/.test/min/main.test.bicep +++ b/modules/databricks/access-connector/.test/min/main.test.bicep 
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.databricks.accessconnectors-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index b980001a04..39e8d023af 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep 
@@ -1,147 +1,147 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.databricks.workspaces-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dwcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' - applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' - loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' - // Adding base time to make the name unique as purge protection 
must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName - cMKManagedServicesKeyVaultResourceId: 
nestedDependencies.outputs.keyVaultResourceId - cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName - cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId - cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true - storageAccountName: 'sa${namePrefix}${serviceShort}001' - storageAccountSkuName: 'Standard_ZRS' - publicIpName: 'nat-gw-public-ip' - natGatewayName: 'nat-gateway' - prepareEncryption: true - requiredNsgRules: 'NoAzureDatabricksRules' - skuName: 'premium' - amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId - customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName - customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName - publicNetworkAccess: 'Disabled' - disablePublicIp: true - loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId - loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName - customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'databricks_ui_api' - subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' - diagnosticLogCategoriesToEnable: [ - 'jobs' - 'notebook' - ] - diagnosticSettingsName: 'diag${namePrefix}${serviceShort}001' - requireInfrastructureEncryption: true - vnetAddressPrefix: '10.100' - location: resourceGroup.location - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dwcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' + applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 
3)}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName + cMKManagedServicesKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName + cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId + cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true + 
storageAccountName: 'sa${namePrefix}${serviceShort}001' + storageAccountSkuName: 'Standard_ZRS' + publicIpName: 'nat-gw-public-ip' + natGatewayName: 'nat-gateway' + prepareEncryption: true + requiredNsgRules: 'NoAzureDatabricksRules' + skuName: 'premium' + amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId + customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName + customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName + publicNetworkAccess: 'Disabled' + disablePublicIp: true + loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId + loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName + customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'databricks_ui_api' + subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' + diagnosticLogCategoriesToEnable: [ + 'jobs' + 'notebook' + ] + diagnosticSettingsName: 'diag${namePrefix}${serviceShort}001' + requireInfrastructureEncryption: true + vnetAddressPrefix: '10.100' + location: resourceGroup.location + } +} diff --git a/modules/databricks/workspace/.test/min/main.test.bicep b/modules/databricks/workspace/.test/min/main.test.bicep index 00e0a9cd89..1ee4cd5c32 100644 --- a/modules/databricks/workspace/.test/min/main.test.bicep +++ b/modules/databricks/workspace/.test/min/main.test.bicep 
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.databricks.workspaces-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep index 61b5a01a27..55d2de2958 100644 --- a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index 2b9182a40c..94e139af85 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep 
@@ -1,122 +1,122 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfmsfspvt' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: '${namePrefix}${serviceShort}001' - } - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId - privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId - storageAutoIoScaling: 'Enabled' - storageSizeGB: 64 - storageIOPS: 400 - backupRetentionDays: 10 - databases: [ - { - - name: 'testdb1' - } - ] - highAvailability: 'SameZone' - storageAutoGrow: 'Enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - administrators: [ - { - identityResourceId: nestedDependencies.outputs.managedIdentityResourceId - login: nestedDependencies.outputs.managedIdentityName - sid: nestedDependencies.outputs.managedIdentityPrincipalId - } - ] - } -} - 
+targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dfmsfspvt' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'MySQL Flexible Server' + serverName: '${namePrefix}${serviceShort}001' + } + administratorLogin: 'adminUserName' + administratorLoginPassword: password + skuName: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + storageAutoIoScaling: 'Enabled' + storageSizeGB: 64 + storageIOPS: 400 + backupRetentionDays: 10 + databases: [ + { + + name: 'testdb1' + } + ] + highAvailability: 'SameZone' + storageAutoGrow: 'Enabled' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + administrators: [ + { + identityResourceId: nestedDependencies.outputs.managedIdentityResourceId + login: nestedDependencies.outputs.managedIdentityName + sid: nestedDependencies.outputs.managedIdentityPrincipalId + } + ] + } +} 
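Review bot: The only functional change in this hunk is the `resourceGroupName` default (`'ms.dbformysql.flexibleservers-${serviceShort}-rg'` → `'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg'`), yet all 122 lines of the file are removed and re-added with otherwise identical content, which reads like a line-ending or whitespace normalization rather than a content change. That buries the one real edit in `git blame` and makes the diff unreviewable line by line; the same whole-file rewrite appears in `modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep` and `modules/desktop-virtualization/application-group/.test/common/main.test.bicep` in this commit. Consider landing the normalization as a separate commit, or pinning the intended line endings with a `.gitattributes` rule such as `*.bicep text eol=lf`, so that the default-name change can be reviewed on its own.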
diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index 7684cbf777..fe359f406f 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep 
@@ -1,163 +1,163 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.dbformysql.flexibleservers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dfmsfsp' - -@description('Optional. The password to leverage for the login.') -@secure() -param password string = newGuid() - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies1 'dependencies1.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies1' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - location: location - managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -module nestedDependencies2 'dependencies2.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies2' - params: { - // Adding base time to make the name unique as purge protection 
must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - geoBackupKeyVaultName: 'dep-${namePrefix}-kvp-${serviceShort}-${substring(uniqueString(baseTime), 0, 2)}' - geoBackupManagedIdentityName: 'dep-${namePrefix}-msip-${serviceShort}' - geoBackupLocation: nestedDependencies1.outputs.pairedRegionName - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies2.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'MySQL Flexible Server' - serverName: '${namePrefix}${serviceShort}001' - } - administratorLogin: 'adminUserName' - administratorLoginPassword: password - skuName: 'Standard_D2ds_v4' - tier: 'GeneralPurpose' - storageAutoIoScaling: 'Enabled' - storageSizeGB: 32 - storageIOPS: 400 - 
backupRetentionDays: 20 - availabilityZone: '1' - databases: [ - { - - name: 'testdb1' - } - { - name: 'testdb2' - charset: 'ascii' - collation: 'ascii_general_ci' - } - ] - firewallRules: [ - { - endIpAddress: '0.0.0.0' - name: 'AllowAllWindowsAzureIps' - startIpAddress: '0.0.0.0' - } - { - endIpAddress: '10.10.10.10' - name: 'test-rule1' - startIpAddress: '10.10.10.1' - } - { - endIpAddress: '100.100.100.10' - name: 'test-rule2' - startIpAddress: '100.100.100.1' - } - ] - highAvailability: 'SameZone' - storageAutoGrow: 'Enabled' - version: '8.0.21' - cMKKeyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies2.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId - geoRedundantBackup: 'Enabled' - geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId - geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName - geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId - userAssignedIdentities: { - '${nestedDependencies2.outputs.managedIdentityResourceId}': {} - '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-dbformysql.flexibleservers-${serviceShort}-rg' + +@description('Optional. 
The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dfmsfsp' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies1 'dependencies1.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies1' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +module nestedDependencies2 'dependencies2.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies2' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + geoBackupKeyVaultName: 'dep-${namePrefix}-kvp-${serviceShort}-${substring(uniqueString(baseTime), 0, 
2)}' + geoBackupManagedIdentityName: 'dep-${namePrefix}-msip-${serviceShort}' + geoBackupLocation: nestedDependencies1.outputs.pairedRegionName + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies2.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'MySQL Flexible Server' + serverName: '${namePrefix}${serviceShort}001' + } + administratorLogin: 'adminUserName' + administratorLoginPassword: password + skuName: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + storageAutoIoScaling: 'Enabled' + storageSizeGB: 32 + storageIOPS: 400 + backupRetentionDays: 20 + availabilityZone: '1' + databases: [ + { + + name: 'testdb1' + } + { + name: 'testdb2' + charset: 'ascii' + collation: 'ascii_general_ci' + } + ] + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + { + endIpAddress: '10.10.10.10' + name: 'test-rule1' + 
startIpAddress: '10.10.10.1' + } + { + endIpAddress: '100.100.100.10' + name: 'test-rule2' + startIpAddress: '100.100.100.1' + } + ] + highAvailability: 'SameZone' + storageAutoGrow: 'Enabled' + version: '8.0.21' + cMKKeyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId + cMKKeyName: nestedDependencies2.outputs.keyName + cMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId + geoRedundantBackup: 'Enabled' + geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId + geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName + geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId + userAssignedIdentities: { + '${nestedDependencies2.outputs.managedIdentityResourceId}': {} + '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + } +} diff --git a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep index 1386d47e69..6257b66663 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep 
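Review bot: The `firewallRules` entry named `AllowAllWindowsAzureIps` with `startIpAddress`/`endIpAddress` both set to `'0.0.0.0'` is the Azure sentinel for admitting connections from any Azure-hosted address, not just from this subscription, and nothing in the hunk records that this is deliberate for a validation deployment. Since the module READMEs pick up these test files as usage examples, a comment above the entry would keep the rule from being copied without that context: `// 0.0.0.0-0.0.0.0 is the Azure "allow any Azure service" sentinel; validation-only, not a production default`. The two `test-rule` entries with explicit private ranges need no such note.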
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.dbforpostgresql.flexibleservers-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep index d5bd21da2c..da83caf5ac 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep @@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.dbforpostgresql.flexibleservers-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep index 93fdbb9416..ea31d8b80f 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep 
@@ -6,7 +6,7 @@ targetScope = 'subscription' @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.dbforpostgresql.flexibleservers-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleservers-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep index 62add5be1c..93431181fa 100644 --- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep 
@@ -1,115 +1,115 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.desktopvirtualization.applicationgroups-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagcom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - applicationGroupType: 'RemoteApp' - hostpoolName: nestedDependencies.outputs.hostPoolName - applications: [ - { - commandLineArguments: '' - commandLineSetting: 'DoNotAllow' - description: 'Notepad by ARM template' - filePath: 'C:\\Windows\\System32\\notepad.exe' - friendlyName: 'Notepad' - iconIndex: 0 - iconPath: 'C:\\Windows\\System32\\notepad.exe' - name: 'notepad' - showInPortal: true - } - { - filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' - friendlyName: 'Wordpad' - name: 'wordpad' - } - ] - description: 'This is my first Remote Applications bundle' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - friendlyName: 'Remote Applications 1' - location: location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' 
+ +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvagcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment 
'../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + applicationGroupType: 'RemoteApp' + hostpoolName: nestedDependencies.outputs.hostPoolName + applications: [ + { + commandLineArguments: '' + commandLineSetting: 'DoNotAllow' + description: 'Notepad by ARM template' + filePath: 'C:\\Windows\\System32\\notepad.exe' + friendlyName: 'Notepad' + iconIndex: 0 + iconPath: 'C:\\Windows\\System32\\notepad.exe' + name: 'notepad' + showInPortal: true + } + { + filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' + friendlyName: 'Wordpad' + name: 'wordpad' + } + ] + description: 'This is my first Remote Applications bundle' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + friendlyName: 'Remote Applications 1' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep b/modules/desktop-virtualization/application-group/.test/min/main.test.bicep index 8dae8dc2d4..dc7a01bd2d 100644 --- a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/min/main.test.bicep 
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.applicationgroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
index 32ceebbc21..1f31acac55 100644
--- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
@@ -1,131 +1,131 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.hostpools-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvhpcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: 
location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- description: 'My first AVD Host Pool'
- friendlyName: 'AVDv2'
- type: 'Pooled'
- loadBalancerType: 'BreadthFirst'
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- maxSessionLimit: 99999
- personalDesktopAssignmentType: 'Automatic'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- vmTemplate: {
- customImageId: null
- domain: 'domainname.onmicrosoft.com'
- galleryImageOffer: 'office-365'
- galleryImagePublisher: 'microsoftwindowsdesktop'
- galleryImageSKU: '20h1-evd-o365pp'
- imageType: 'Gallery'
- imageUri: null
- namePrefix: 'avdv2'
- osDiskType: 'StandardSSD_LRS'
- useManagedDisks: true
- vmSize: {
- cores: 2
- id: 'Standard_D2s_v3'
- ram: 8
- }
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- agentUpdate: {
- type: 'Scheduled'
- useSessionHostLocalTime: false
- maintenanceWindowTimeZone: 'Alaskan Standard Time'
- maintenanceWindows: [
- {
- hour: 7
- 
dayOfWeek: 'Friday'
- }
- {
- hour: 8
- dayOfWeek: 'Saturday'
- }
- ]
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvhpcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ 
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ description: 'My first AVD Host Pool'
+ friendlyName: 'AVDv2'
+ type: 'Pooled'
+ loadBalancerType: 'BreadthFirst'
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ maxSessionLimit: 99999
+ personalDesktopAssignmentType: 'Automatic'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ vmTemplate: {
+ customImageId: null
+ domain: 'domainname.onmicrosoft.com'
+ galleryImageOffer: 'office-365'
+ galleryImagePublisher: 'microsoftwindowsdesktop'
+ galleryImageSKU: '20h1-evd-o365pp'
+ imageType: 'Gallery'
+ imageUri: null
+ namePrefix: 'avdv2'
+ osDiskType: 'StandardSSD_LRS'
+ useManagedDisks: true
+ vmSize: {
+ cores: 2
+ id: 'Standard_D2s_v3'
+ ram: 8
+ }
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ agentUpdate: {
+ type: 'Scheduled'
+ useSessionHostLocalTime: false
+ 
maintenanceWindowTimeZone: 'Alaskan Standard Time'
+ maintenanceWindows: [
+ {
+ hour: 7
+ dayOfWeek: 'Friday'
+ }
+ {
+ hour: 8
+ dayOfWeek: 'Saturday'
+ }
+ ]
+ }
+ }
+}
diff --git a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
index 7691ccaa51..2f46ec4302 100644
--- a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.hostpools-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
index 8bac8f3c16..51db20c88f 100644
--- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
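Review bot: The new side of the host-pool common test rewrite introduces a stray blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` inside the roleAssignments object, which the old side did not have; the same blank line appears in the rewritten application-group, scaling-plan and workspace common test files in this commit. Apart from the resourceGroupName default, every other line of the file is reported as removed and re-added with identical text, which looks like a line-ending or trailing-whitespace change rather than a content change and hides the one substantive edit; committing that normalisation separately (or enforcing it via .gitattributes) would keep the diff reviewable. Dropping the blank line so `principalType: 'ServicePrincipal'` directly follows the principalId line restores the previous layout.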
@@ -1,129 +1,129 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.scalingplans-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvspcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: 
location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- hostPoolType: 'Pooled'
- friendlyName: 'My Scaling Plan'
- description: 'My Scaling Plan Description'
- schedules: [ {
- rampUpStartTime: {
- hour: 7
- minute: 0
- }
- peakStartTime: {
- hour: 9
- minute: 0
- }
- rampDownStartTime: {
- hour: 18
- minute: 0
- }
- offPeakStartTime: {
- hour: 20
- minute: 0
- }
- name: 'weekdays_schedule'
- daysOfWeek: [
- 'Monday'
- 'Tuesday'
- 'Wednesday'
- 'Thursday'
- 'Friday'
- ]
- rampUpLoadBalancingAlgorithm: 'DepthFirst'
- rampUpMinimumHostsPct: 20
- rampUpCapacityThresholdPct: 60
- peakLoadBalancingAlgorithm: 'DepthFirst'
- rampDownLoadBalancingAlgorithm: 'DepthFirst'
- rampDownMinimumHostsPct: 10
- rampDownCapacityThresholdPct: 90
- rampDownForceLogoffUsers: true
- rampDownWaitTimeMinutes: 30
- rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
- rampDownStopHostsWhen: 'ZeroSessions'
- offPeakLoadBalancingAlgorithm: 'DepthFirst'
- }
- ]
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvspcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ hostPoolType: 'Pooled'
+ friendlyName: 'My Scaling Plan'
+ description: 'My Scaling Plan Description'
+ schedules: [ {
+ rampUpStartTime: {
+ hour: 7
+ minute: 0
+ }
+ peakStartTime: {
+ hour: 9
+ minute: 0
+ }
+ rampDownStartTime: {
+ hour: 18
+ minute: 0
+ }
+ offPeakStartTime: {
+ hour: 20
+ minute: 0
+ }
+ name: 'weekdays_schedule'
+ daysOfWeek: [
+ 'Monday'
+ 'Tuesday'
+ 'Wednesday'
+ 'Thursday'
+ 'Friday'
+ ]
+ rampUpLoadBalancingAlgorithm: 'DepthFirst'
+ rampUpMinimumHostsPct: 20
+ rampUpCapacityThresholdPct: 60
+ peakLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownMinimumHostsPct: 10
+ rampDownCapacityThresholdPct: 90
+ rampDownForceLogoffUsers: true
+ rampDownWaitTimeMinutes: 30
+ rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
+ rampDownStopHostsWhen: 'ZeroSessions'
+ offPeakLoadBalancingAlgorithm: 'DepthFirst'
+ }
+ ]
+ }
+}
diff --git a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep
index 9eac3af179..edfaf01186 100644
--- a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.scalingplans-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep
index 32f56ddeb9..15b19e5eeb 100644
--- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep
@@ -1,99 +1,99 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.workspaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dvwcom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}'
- hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- appGroupResourceIds: [
- nestedDependencies.outputs.applicationGroupResourceId
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- location: location
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- description: 'This is my first AVD Workspace'
- friendlyName: 'My first AVD Workspace'
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. 
A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvwcom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}'
+ hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ appGroupResourceIds: [
+ nestedDependencies.outputs.applicationGroupResourceId
+ ]
+ diagnosticStorageAccountId: 
diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ description: 'This is my first AVD Workspace'
+ friendlyName: 'My first AVD Workspace'
+ }
+}
diff --git a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep b/modules/desktop-virtualization/workspace/.test/min/main.test.bicep
index 78df110582..478c8a8f34 100644
--- a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.desktopvirtualization.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep
index 2e1638c01f..8d2d71c3c4 100644
--- a/modules/dev-test-lab/lab/.test/common/main.test.bicep
+++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep
@@ -1,285 +1,285 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.devtestlab.labs-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtllcom' - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' - storageAccountName: 'dep${namePrefix}sa${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } -} - -// ============== // -// 
Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - location: resourceGroup.location - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'DevTest Lab' - labName: '${namePrefix}${serviceShort}001' - } - announcement: { - enabled: 'Enabled' - expirationDate: '2025-12-30T13:00:00.000Z' - markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' - title: 'DevTest announcement title' - } - environmentPermission: 'Contributor' - extendedProperties: { - RdpConnectionType: '7' - } - labStorageType: 'Premium' - artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId - premiumDataDisks: 'Enabled' - support: { - enabled: 'Enabled' - markdown: 'DevTest Lab support text.
New line. It also supports Markdown' - } - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - managementIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - vmCreationResourceGroupId: resourceGroup.id - browserConnect: 'Enabled' - disableAutoUpgradeCseMinorVersion: true - isolateLabResources: 'Enabled' - encryptionType: 'EncryptionAtRestWithCustomerKey' - encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId - virtualnetworks: [ - { - name: nestedDependencies.outputs.virtualNetworkName - externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId - description: 'lab virtual network description' - allowedSubnets: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - allowPublicIp: 'Allow' - } - ] - subnetOverrides: [ - { - labSubnetName: nestedDependencies.outputs.subnetName - resourceId: nestedDependencies.outputs.subnetResourceId - useInVmCreationPermission: 'Allow' - usePublicIpAddressPermission: 'Allow' - sharedPublicIpAddressConfiguration: { - allowedPorts: [ - { - transportProtocol: 'Tcp' - backendPort: 3389 - } - { - transportProtocol: 'Tcp' - backendPort: 22 - } - ] - } - } - ] - } - ] - policies: [ - { - name: nestedDependencies.outputs.subnetName - evaluatorType: 'MaxValuePolicy' - factData: nestedDependencies.outputs.subnetResourceId - factName: 'UserOwnedLabVmCountInSubnet' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabVmCount' - threshold: '2' - } - { - name: 'MaxPremiumVmsAllowedPerUser' - evaluatorType: 'MaxValuePolicy' - factName: 'UserOwnedLabPremiumVmCount' - status: 'Disabled' - threshold: '1' - } - { - name: 'MaxVmsAllowedPerLab' - evaluatorType: 'MaxValuePolicy' - factName: 'LabVmCount' - threshold: '3' - } - { - name: 'MaxPremiumVmsAllowedPerLab' - evaluatorType: 'MaxValuePolicy' - 
factName: 'LabPremiumVmCount' - threshold: '2' - } - { - name: 'AllowedVmSizesInLab' - evaluatorType: 'AllowedValuesPolicy' - factData: '' - factName: 'LabVmSize' - threshold: ' ${string('["Basic_A0","Basic_A1"]')}' - status: 'Enabled' - } - { - name: 'ScheduleEditPermission' - evaluatorType: 'AllowedValuesPolicy' - factName: 'ScheduleEditPermission' - threshold: ' ${string('["None","Modify"]')}' - } - { - name: 'GalleryImage' - evaluatorType: 'AllowedValuesPolicy' - factName: 'GalleryImage' - threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' - } - { - name: 'EnvironmentTemplate' - description: 'Public Environment Policy' - evaluatorType: 'AllowedValuesPolicy' - factName: 'EnvironmentTemplate' - threshold: ' ${string('[""]')}' - } - ] - schedules: [ - { - name: 'LabVmsShutdown' - taskType: 'LabVmsShutdownTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - dailyRecurrence: { - time: '0000' - } - notificationSettingsStatus: 'Enabled' - notificationSettingsTimeInMinutes: 30 - } - { - name: 'LabVmAutoStart' - taskType: 'LabVmsStartupTask' - status: 'Enabled' - timeZoneId: 'AUS Eastern Standard Time' - weeklyRecurrence: { - time: '0700' - weekdays: [ - 'Monday' - 'Tuesday' - 'Wednesday' - 'Thursday' - 'Friday' - ] - } - } - ] - notificationchannels: [ - { - name: 'autoShutdown' - description: 'Integration configured for auto-shutdown' - events: [ - { - eventName: 'AutoShutdown' - } - ] - emailRecipient: 'mail@contosodtlmail.com' - webHookUrl: 'https://webhook.contosotest.com' - notificationLocale: 'en' - } - { - name: 'costThreshold' - events: [ - { - eventName: 'Cost' - } - ] - webHookUrl: 'https://webhook.contosotest.com' - 
} - ] - artifactsources: [ - { - name: 'Public Repo' - displayName: 'Public Artifact Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - folderPath: '/Artifacts' - } - { - name: 'Public Environment Repo' - displayName: 'Public Environment Repo' - status: 'Disabled' - uri: 'https://github.com/Azure/azure-devtestlab.git' - sourceType: 'GitHub' - branchRef: 'master' - armTemplateFolderPath: '/Environments' - } - ] - costs: { - status: 'Enabled' - cycleType: 'CalendarMonth' - target: 450 - thresholdValue100DisplayOnChart: 'Enabled' - thresholdValue100SendNotificationWhenExceeded: 'Enabled' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtllcom' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'DevTest Lab' + labName: '${namePrefix}${serviceShort}001' + } + announcement: { + enabled: 'Enabled' + expirationDate: '2025-12-30T13:00:00.000Z' + markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' + title: 'DevTest announcement title' + } + environmentPermission: 'Contributor' + extendedProperties: { + RdpConnectionType: '7' + } + labStorageType: 'Premium' + artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId + premiumDataDisks: 'Enabled' + support: { + enabled: 'Enabled' + markdown: 'DevTest Lab support text.
New line. It also supports Markdown' + } + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + managementIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + vmCreationResourceGroupId: resourceGroup.id + browserConnect: 'Enabled' + disableAutoUpgradeCseMinorVersion: true + isolateLabResources: 'Enabled' + encryptionType: 'EncryptionAtRestWithCustomerKey' + encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId + virtualnetworks: [ + { + name: nestedDependencies.outputs.virtualNetworkName + externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId + description: 'lab virtual network description' + allowedSubnets: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + allowPublicIp: 'Allow' + } + ] + subnetOverrides: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + useInVmCreationPermission: 'Allow' + usePublicIpAddressPermission: 'Allow' + sharedPublicIpAddressConfiguration: { + allowedPorts: [ + { + transportProtocol: 'Tcp' + backendPort: 3389 + } + { + transportProtocol: 'Tcp' + backendPort: 22 + } + ] + } + } + ] + } + ] + policies: [ + { + name: nestedDependencies.outputs.subnetName + evaluatorType: 'MaxValuePolicy' + factData: nestedDependencies.outputs.subnetResourceId + factName: 'UserOwnedLabVmCountInSubnet' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabVmCount' + threshold: '2' + } + { + name: 'MaxPremiumVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabPremiumVmCount' + status: 'Disabled' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerLab' + evaluatorType: 'MaxValuePolicy' + factName: 'LabVmCount' + threshold: '3' + } + { + name: 'MaxPremiumVmsAllowedPerLab' + evaluatorType: 'MaxValuePolicy' + 
factName: 'LabPremiumVmCount' + threshold: '2' + } + { + name: 'AllowedVmSizesInLab' + evaluatorType: 'AllowedValuesPolicy' + factData: '' + factName: 'LabVmSize' + threshold: ' ${string('["Basic_A0","Basic_A1"]')}' + status: 'Enabled' + } + { + name: 'ScheduleEditPermission' + evaluatorType: 'AllowedValuesPolicy' + factName: 'ScheduleEditPermission' + threshold: ' ${string('["None","Modify"]')}' + } + { + name: 'GalleryImage' + evaluatorType: 'AllowedValuesPolicy' + factName: 'GalleryImage' + threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' + } + { + name: 'EnvironmentTemplate' + description: 'Public Environment Policy' + evaluatorType: 'AllowedValuesPolicy' + factName: 'EnvironmentTemplate' + threshold: ' ${string('[""]')}' + } + ] + schedules: [ + { + name: 'LabVmsShutdown' + taskType: 'LabVmsShutdownTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + dailyRecurrence: { + time: '0000' + } + notificationSettingsStatus: 'Enabled' + notificationSettingsTimeInMinutes: 30 + } + { + name: 'LabVmAutoStart' + taskType: 'LabVmsStartupTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + weeklyRecurrence: { + time: '0700' + weekdays: [ + 'Monday' + 'Tuesday' + 'Wednesday' + 'Thursday' + 'Friday' + ] + } + } + ] + notificationchannels: [ + { + name: 'autoShutdown' + description: 'Integration configured for auto-shutdown' + events: [ + { + eventName: 'AutoShutdown' + } + ] + emailRecipient: 'mail@contosodtlmail.com' + webHookUrl: 'https://webhook.contosotest.com' + notificationLocale: 'en' + } + { + name: 'costThreshold' + events: [ + { + eventName: 'Cost' + } + ] + webHookUrl: 'https://webhook.contosotest.com' + 
} + ] + artifactsources: [ + { + name: 'Public Repo' + displayName: 'Public Artifact Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + folderPath: '/Artifacts' + } + { + name: 'Public Environment Repo' + displayName: 'Public Environment Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + armTemplateFolderPath: '/Environments' + } + ] + costs: { + status: 'Enabled' + cycleType: 'CalendarMonth' + target: 450 + thresholdValue100DisplayOnChart: 'Enabled' + thresholdValue100SendNotificationWhenExceeded: 'Enabled' + } + } +} diff --git a/modules/dev-test-lab/lab/.test/min/main.test.bicep b/modules/dev-test-lab/lab/.test/min/main.test.bicep index 7989d9f4d2..d78c982d07 100644 --- a/modules/dev-test-lab/lab/.test/min/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/min/main.test.bicep @@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.devtestlab.labs-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index c22b836915..f8d12541d5 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep 
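Review bot: On the new side an empty line appears to have been inserted inside the `roleAssignments` entry, between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'`, while the file's trailing empty line is dropped; the digital-twins common and document-db gremlindb rewrites below show the same pattern. Since the only intended change in these full-file hunks is the `resourceGroupName` default, this looks like an artifact of whatever tool re-emitted the files (line-ending normalisation, presumably) and is worth removing so each hunk shrinks to the one real change. Separately, the fixture keeps `allowPublicIp: 'Allow'`, `usePublicIpAddressPermission: 'Allow'` and shared-IP ports 3389/22 enabled; a one-line comment such as `// Test-only: permissive subnet overrides exercise the module's feature path; not a production baseline` would make that intent explicit for anyone copying this block from the generated README.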
@@ -1,126 +1,126 @@ -targetScope = 'subscription' - -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.digitaltwins.digitaltwinsinstances-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtdticom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' - eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' - serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' - eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, 
location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' - eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - eventHubEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId - } - serviceBusEndpoint: { - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId - } - eventGridEndpoint: { - eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId - topicEndpoint: nestedDependencies.outputs.eventGridEndpoint - } - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - 
- nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'API' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtdticom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' + serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' + eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.eventhubName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + serviceBusEndpoint: { + authenticationType: 
'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.serviceBusTopicName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + eventGridEndpoint: { + eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId + topicEndpoint: nestedDependencies.outputs.eventGridEndpoint + } + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'API' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId + + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep index f970096185..7d9b327dc3 100644 --- a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep 
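Review bot: In `diagnosticDependencies`, `eventHubNamespaceName` and `eventHubNamespaceEventHubName` are both set to `'dep-${uniqueString(serviceShort)}-evh-01'`, so the namespace and the hub share one name; every other fixture in this patch gives the namespace a distinct `-evhns-` suffix, and `nestedDependencies` in this same file does too. Suggest `eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evhns-01'`. Note also that `uniqueString(serviceShort)` is derived from a constant, so this namespace name is identical on every run and does not carry `namePrefix`; if the name must be unique across Azure, parallel validation runs could collide — whether CI serialises them is not visible here.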
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of @description('Optional. The name of the resource group to deploy for testing purposes.') @maxLength(90) -param resourceGroupName string = 'ms.digitaltwins.digitaltwinsinstances-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') param location string = deployment().location diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/.test/gremlindb/main.test.bicep index 2e866cecf8..19b9e89bce 100644 --- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep +++ b/modules/document-db/database-account/.test/gremlindb/main.test.bicep 
@@ -1,150 +1,150 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddagrm' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}002' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - capabilitiesToAdd: [ - 'EnableGremlin' - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - gremlinDatabases: [ - { - graphs: [ - { - indexingPolicy: { - automatic: true - } - name: 'car_collection' - partitionKeyPaths: [ - '/car_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'truck_collection' - partitionKeyPaths: [ - '/truck_id' - ] - } - ] - name: '${namePrefix}-gdb-${serviceShort}-001' - } - { - collections: [ - { - indexingPolicy: { - automatic: true - } - name: 'bike_collection' - partitionKeyPaths: [ - '/bike_id' - ] - } - { - indexingPolicy: { - automatic: true - } - name: 'bicycle_collection' - partitionKeyPaths: [ - '/bicycle_id' - ] - } - ] - name: '${namePrefix}-gdb-${serviceShort}-002' - } - ] - location: location - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. 
The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddagrm' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, 
location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + capabilitiesToAdd: [ + 'EnableGremlin' + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + gremlinDatabases: [ + { + graphs: [ + { + indexingPolicy: { + automatic: true + } + name: 'car_collection' + partitionKeyPaths: [ + '/car_id' + ] + } + { + indexingPolicy: { + automatic: true + } + name: 'truck_collection' + partitionKeyPaths: [ + '/truck_id' + ] + } + ] + name: '${namePrefix}-gdb-${serviceShort}-001' + } + { + collections: [ + { + indexingPolicy: { + automatic: true + } + name: 'bike_collection' + partitionKeyPaths: [ + '/bike_id' + ] + } + { + indexingPolicy: { + automatic: true + } + name: 'bicycle_collection' + partitionKeyPaths: [ + '/bicycle_id' + ] + } + ] + name: '${namePrefix}-gdb-${serviceShort}-002' + } + ] + location: location + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/.test/mongodb/main.test.bicep index ced367df7d..f035b3a833 100644 
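Review bot: The second `gremlinDatabases` entry (`${namePrefix}-gdb-${serviceShort}-002`) lists its graphs under a `collections:` key, whereas the first entry uses `graphs:`; if the module reads `graphs`, as the first entry implies, `bike_collection` and `bicycle_collection` are silently never created and the test does not actually exercise a second database with graphs. Suggest renaming that key to `graphs:` so both entries have the same shape. This is pre-existing rather than introduced by the rewrite, but since the whole file is re-emitted here it is the natural place to correct it.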
--- a/modules/document-db/database-account/.test/mongodb/main.test.bicep +++ b/modules/document-db/database-account/.test/mongodb/main.test.bicep 
@@ -1,283 +1,283 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddamng' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - location: location - mongodbDatabases: [ - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'car_id' - 'car_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'car_collection' - shardKey: { - car_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'truck_id' - 'truck_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'truck_collection' - shardKey: { - truck_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-001' - } - { - collections: [ - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bike_id' - 'bike_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bike_collection' - 
shardKey: { - bike_id: 'Hash' - } - } - { - indexes: [ - { - key: { - keys: [ - '_id' - ] - } - } - { - key: { - keys: [ - '$**' - ] - } - } - { - key: { - keys: [ - 'bicycle_id' - 'bicycle_model' - ] - } - options: { - unique: true - } - } - { - key: { - keys: [ - '_ts' - ] - } - options: { - expireAfterSeconds: 2629746 - } - } - ] - name: 'bicycle_collection' - shardKey: { - bicycle_id: 'Hash' - } - } - ] - name: '${namePrefix}-mdb-${serviceShort}-002' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - systemAssignedIdentity: true - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddamng' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + 
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + location: location + mongodbDatabases: [ + { + collections: [ + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'car_id' + 'car_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'car_collection' + shardKey: { + car_id: 'Hash' + } + } + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'truck_id' + 'truck_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'truck_collection' + shardKey: { + truck_id: 'Hash' + } + } + ] + name: '${namePrefix}-mdb-${serviceShort}-001' + } + { + collections: [ + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'bike_id' + 'bike_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'bike_collection' + shardKey: { + bike_id: 'Hash' + } + } + { + indexes: [ + { + key: { + keys: [ + '_id' + ] + } + } + { + key: { + keys: [ + '$**' + ] + } + } + { + key: { + keys: [ + 'bicycle_id' + 'bicycle_model' + ] + } + options: { + unique: true + } + } + { + key: { + keys: [ + '_ts' + ] + } + options: { + expireAfterSeconds: 2629746 + } + } + ] + name: 'bicycle_collection' + shardKey: { + bicycle_id: 'Hash' + } + } + ] + name: '${namePrefix}-mdb-${serviceShort}-002' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + systemAssignedIdentity: true + tags: { + 'hidden-title': 'This is visible in the resource name' 
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/.test/plain/main.test.bicep
index d04162c5a2..498377bc47 100644
--- a/modules/document-db/database-account/.test/plain/main.test.bicep
+++ b/modules/document-db/database-account/.test/plain/main.test.bicep
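Review bot: The hunk deletes and re-adds all 283 lines of the mongodb test although the only content change is the `resourceGroupName` default, which looks like a line-ending or encoding rewrite rather than an edit; the plain and sqldb test files in the following two hunks show the same whole-file pattern. Normalising line endings (for example through a `.gitattributes` rule for `*.bicep`) would reduce these hunks to the one substantive line and make the change reviewable. Separately, the new side inserts an empty line inside the `roleAssignments` object between `principalId:` and `principalType:` that the old side did not have; it looks accidental and should be removed so the object matches the other test files.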
@@ -1,101 +1,101 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddapln' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - 
-module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddapln' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + 
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep
index 1f3bf9433f..1ab334873d 100644
--- a/modules/document-db/database-account/.test/sqldb/main.test.bicep
+++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep
@@ -1,194 +1,194 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'ms.documentdb.databaseaccounts-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dddasql' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// 
============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: location - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - location: location - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - - nestedDependencies.outputs.privateDNSZoneResourceId - - ] - service: 'Sql' - subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - sqlDatabases: [ - { - containers: [ - { - kind: 'Hash' - name: 'container-001' - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - throughput: 600 - } - ] - name: '${namePrefix}-sql-${serviceShort}-001' - throughput: 1000 - } - { - containers: [] - name: '${namePrefix}-sql-${serviceShort}-002' - } - { - 
containers: [ - { - kind: 'Hash' - name: 'container-003' - autoscaleSettingsMaxThroughput: 1000 - indexingPolicy: { - automatic: true - } - paths: [ - '/myPartitionKey' - ] - analyticalStorageTtl: 0 - conflictResolutionPolicy: { - conflictResolutionPath: '/myCustomId' - mode: 'LastWriterWins' - } - defaultTtl: 1000 - uniqueKeyPolicyKeys: [ - { - paths: [ - '/firstName' - ] - } - { - paths: [ - '/lastName' - ] - } - ] - } - ] - name: '${namePrefix}-sql-${serviceShort}-003' - autoscaleSettingsMaxThroughput: 1000 - } - ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dddasql' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + locations: [ + { + failoverPriority: 0 + isZoneRedundant: false + locationName: location + } + { + failoverPriority: 1 + isZoneRedundant: false + locationName: nestedDependencies.outputs.pairedRegionName + } + ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: 
diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + location: location + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + + nestedDependencies.outputs.privateDNSZoneResourceId + + ] + service: 'Sql' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + sqlDatabases: [ + { + containers: [ + { + kind: 'Hash' + name: 'container-001' + indexingPolicy: { + automatic: true + } + paths: [ + '/myPartitionKey' + ] + analyticalStorageTtl: 0 + conflictResolutionPolicy: { + conflictResolutionPath: '/myCustomId' + mode: 'LastWriterWins' + } + defaultTtl: 1000 + uniqueKeyPolicyKeys: [ + { + paths: [ + '/firstName' + ] + } + { + paths: [ + '/lastName' + ] + } + ] + throughput: 600 + } + ] + name: '${namePrefix}-sql-${serviceShort}-001' + throughput: 1000 + } + { + containers: [] + name: '${namePrefix}-sql-${serviceShort}-002' + } + { + containers: [ + { + kind: 'Hash' + name: 'container-003' + autoscaleSettingsMaxThroughput: 1000 + indexingPolicy: { + automatic: true + } + paths: [ + '/myPartitionKey' + ] + analyticalStorageTtl: 0 + conflictResolutionPolicy: { + conflictResolutionPath: '/myCustomId' + mode: 'LastWriterWins' + } + defaultTtl: 1000 + uniqueKeyPolicyKeys: [ + { + paths: [ + '/firstName' + ] + } + { + paths: [ + '/lastName' + ] + } + ] + } + ] + name: '${namePrefix}-sql-${serviceShort}-003' + autoscaleSettingsMaxThroughput: 1000 + } + ] + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 
'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep
index 373d3bee63..c823327b94 100644
--- a/modules/event-grid/domain/.test/common/main.test.bicep
+++ b/modules/event-grid/domain/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.domains-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/domain/.test/min/main.test.bicep b/modules/event-grid/domain/.test/min/main.test.bicep
index f7238a4aaa..a531c4d003 100644
--- a/modules/event-grid/domain/.test/min/main.test.bicep
+++ b/modules/event-grid/domain/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.domains-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/domain/.test/pe/main.test.bicep b/modules/event-grid/domain/.test/pe/main.test.bicep
index 5cf831f7c2..cd166546be 100644
--- a/modules/event-grid/domain/.test/pe/main.test.bicep
+++ b/modules/event-grid/domain/.test/pe/main.test.bicep
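Review bot: The new default `'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'` makes the resource group name depend on `namePrefix`, and in the document-db tests earlier in this commit that parameter defaults to the token `'[[namePrefix]]'`; square brackets are not valid in an Azure resource group name, so a template deployed without the token substitution now fails at the resource group, whereas the old `ms.…` default was self-contained. If the event-grid files declare `namePrefix` the same way, which I cannot see in this hunk, a one-line note on the parameter would make that dependency explicit: `// namePrefix is a CI token; its default is not a deployable value`. The same consideration applies to every other `resourceGroupName` hunk in this commit.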
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.domains-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep
index 0c4c9c5284..94540717ab 100644
--- a/modules/event-grid/system-topic/.test/common/main.test.bicep
+++ b/modules/event-grid/system-topic/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.systemtopics-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/system-topic/.test/min/main.test.bicep b/modules/event-grid/system-topic/.test/min/main.test.bicep
index 52ccd0b7bc..c8767d484b 100644
--- a/modules/event-grid/system-topic/.test/min/main.test.bicep
+++ b/modules/event-grid/system-topic/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.systemtopics-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep
index 1e9e0bec23..a8b73d8fb5 100644
--- a/modules/event-grid/topic/.test/common/main.test.bicep
+++ b/modules/event-grid/topic/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.topics-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/topic/.test/min/main.test.bicep b/modules/event-grid/topic/.test/min/main.test.bicep
index 6e3cc70796..f8ec16cb64 100644
--- a/modules/event-grid/topic/.test/min/main.test.bicep
+++ b/modules/event-grid/topic/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.topics-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-grid/topic/.test/pe/main.test.bicep b/modules/event-grid/topic/.test/pe/main.test.bicep
index a5c992940d..377965d0ec 100644
--- a/modules/event-grid/topic/.test/pe/main.test.bicep
+++ b/modules/event-grid/topic/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventgrid.topics-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep
index 4d6819b790..f136c3226c 100644
--- a/modules/event-hub/namespace/.test/common/main.test.bicep
+++ b/modules/event-hub/namespace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventhub.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-hub/namespace/.test/encr/main.test.bicep b/modules/event-hub/namespace/.test/encr/main.test.bicep
index 1a5985d41c..39a945d650 100644
--- a/modules/event-hub/namespace/.test/encr/main.test.bicep
+++ b/modules/event-hub/namespace/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventhub.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-hub/namespace/.test/min/main.test.bicep b/modules/event-hub/namespace/.test/min/main.test.bicep
index 282a233685..5b731169d3 100644
--- a/modules/event-hub/namespace/.test/min/main.test.bicep
+++ b/modules/event-hub/namespace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventhub.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/event-hub/namespace/.test/pe/main.test.bicep b/modules/event-hub/namespace/.test/pe/main.test.bicep
index 73335efe06..66d56ba9f6 100644
--- a/modules/event-hub/namespace/.test/pe/main.test.bicep
+++ b/modules/event-hub/namespace/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.eventhub.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/.test/common/main.test.bicep
index 256cebfa4e..c749c0fb14 100644
--- a/modules/health-bot/health-bot/.test/common/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.healthbot.healthbots-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/health-bot/health-bot/.test/min/main.test.bicep b/modules/health-bot/health-bot/.test/min/main.test.bicep
index 6c9996b611..29b0984187 100644
--- a/modules/health-bot/health-bot/.test/min/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.healthbot.healthbots-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
index dbc8e30330..9c8387d95f 100644
--- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep
+++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.healthcareapis.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/healthcare-apis/workspace/.test/min/main.test.bicep b/modules/healthcare-apis/workspace/.test/min/main.test.bicep
index 95061177c5..cc3b068314 100644
--- a/modules/healthcare-apis/workspace/.test/min/main.test.bicep
+++ b/modules/healthcare-apis/workspace/.test/min/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.healthcareapis.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/action-group/.test/common/main.test.bicep b/modules/insights/action-group/.test/common/main.test.bicep
index 4f4d8071b8..0e979a0e1e 100644
--- a/modules/insights/action-group/.test/common/main.test.bicep
+++ b/modules/insights/action-group/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.actiongroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/action-group/.test/min/main.test.bicep b/modules/insights/action-group/.test/min/main.test.bicep
index 22938cd7a3..51ccd12b5c 100644
--- a/modules/insights/action-group/.test/min/main.test.bicep
+++ b/modules/insights/action-group/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.actiongroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/activity-log-alert/.test/common/main.test.bicep b/modules/insights/activity-log-alert/.test/common/main.test.bicep
index 49d570477c..d69c866a34 100644
--- a/modules/insights/activity-log-alert/.test/common/main.test.bicep
+++ b/modules/insights/activity-log-alert/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.activityLogAlerts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/component/.test/common/main.test.bicep b/modules/insights/component/.test/common/main.test.bicep
index 31b26886ab..a4d4b19f86 100644
--- a/modules/insights/component/.test/common/main.test.bicep
+++ b/modules/insights/component/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.components-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/component/.test/min/main.test.bicep b/modules/insights/component/.test/min/main.test.bicep
index 965482d24d..15a5d43c53 100644
--- a/modules/insights/component/.test/min/main.test.bicep
+++ b/modules/insights/component/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.components-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
index 38434e41b8..8eaa84fa6d 100644
--- a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionEndpoints-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep b/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
index 0ac9115755..39a8e35586 100644
--- a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/.test/min/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionEndpoints-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
index c4481adbbf..622b276f22 100644
--- a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
@@ -5,7 +5,7 @@ targetScope = 'subscription'
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
index 541899d269..945b688f12 100644
--- a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
@@ -5,7 +5,7 @@ targetScope = 'subscription'
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
index a128245e24..3d2c5bd603 100644
--- a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
@@ -5,7 +5,7 @@ targetScope = 'subscription'
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/linux/main.test.bicep b/modules/insights/data-collection-rule/.test/linux/main.test.bicep
index 685aae6520..781cf7f52e 100644
--- a/modules/insights/data-collection-rule/.test/linux/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/linux/main.test.bicep
@@ -5,7 +5,7 @@ targetScope = 'subscription'
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/min/main.test.bicep b/modules/insights/data-collection-rule/.test/min/main.test.bicep
index e18f5d9ef8..01cff01377 100644
--- a/modules/insights/data-collection-rule/.test/min/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/min/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/data-collection-rule/.test/windows/main.test.bicep b/modules/insights/data-collection-rule/.test/windows/main.test.bicep
index 0c1b810c6b..cb9e2f49ab 100644
--- a/modules/insights/data-collection-rule/.test/windows/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/windows/main.test.bicep
@@ -5,7 +5,7 @@ targetScope = 'subscription'
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.dataCollectionRules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionRules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/diagnostic-setting/.test/common/main.test.bicep b/modules/insights/diagnostic-setting/.test/common/main.test.bicep
index 4fdfbd0770..8bca17ef33 100644
--- a/modules/insights/diagnostic-setting/.test/common/main.test.bicep
+++ b/modules/insights/diagnostic-setting/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.diagnosticsettings-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/metric-alert/.test/common/main.test.bicep b/modules/insights/metric-alert/.test/common/main.test.bicep
index a5fcd52873..7d7b2bdf99 100644
--- a/modules/insights/metric-alert/.test/common/main.test.bicep
+++ b/modules/insights/metric-alert/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.metricalerts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep
index 3e9e0ea69c..92f4e840e6 100644
--- a/modules/insights/private-link-scope/.test/common/main.test.bicep
+++ b/modules/insights/private-link-scope/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.privatelinkscopes-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/private-link-scope/.test/min/main.test.bicep b/modules/insights/private-link-scope/.test/min/main.test.bicep
index 38e1bad335..a9a01570d3 100644
--- a/modules/insights/private-link-scope/.test/min/main.test.bicep
+++ b/modules/insights/private-link-scope/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.privatelinkscopes-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
index 225e5a94d4..7a197f090c 100644
--- a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
+++ b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.scheduledqueryrules-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/webtest/.test/common/main.test.bicep b/modules/insights/webtest/.test/common/main.test.bicep
index 6e4f1097cd..ec14cb0b5c 100644
--- a/modules/insights/webtest/.test/common/main.test.bicep
+++ b/modules/insights/webtest/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.webtests-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/insights/webtest/.test/min/main.test.bicep b/modules/insights/webtest/.test/min/main.test.bicep
index b5fd4f6831..7a0273b7e4 100644
--- a/modules/insights/webtest/.test/min/main.test.bicep
+++ b/modules/insights/webtest/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.insights.webtests-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index f51833d1cb..cbca9f9b04 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep
index 54db495112..f1d6ac03e3 100644
--- a/modules/key-vault/vault/.test/common/main.test.bicep
+++ b/modules/key-vault/vault/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/key-vault/vault/.test/min/main.test.bicep b/modules/key-vault/vault/.test/min/main.test.bicep
index 1fe0290488..0e27563ae4 100644
--- a/modules/key-vault/vault/.test/min/main.test.bicep
+++ b/modules/key-vault/vault/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep
index 32078f69a2..10a68eca40 100644
--- a/modules/key-vault/vault/.test/pe/main.test.bicep
+++ b/modules/key-vault/vault/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep b/modules/kubernetes-configuration/extension/.test/common/main.test.bicep
index aed37f7e01..1d954e3c6a 100644
--- a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep
+++ b/modules/kubernetes-configuration/extension/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.kubernetesconfiguration.extensions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep b/modules/kubernetes-configuration/extension/.test/min/main.test.bicep
index e387fdf629..96b7926186 100644
--- a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep
+++ b/modules/kubernetes-configuration/extension/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.kubernetesconfiguration.extensions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep
index fc42c880db..4f1883372b 100644
--- a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep
index deffae3122..f7f5c7191b 100644
--- a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep
index 9442a3a726..08510b7dc2 100644
--- a/modules/logic/workflow/.test/common/main.test.bicep
+++ b/modules/logic/workflow/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.logic.workflows-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep
index 497b86c749..00428ae7bd 100644
--- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep
+++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.machinelearningservices.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
index 195155da41..fcf4a6a6b1 100644
--- a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
+++ b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.machinelearningservices.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/machine-learning-services/workspace/.test/min/main.test.bicep b/modules/machine-learning-services/workspace/.test/min/main.test.bicep
index 65a73dfd4d..8c8e79eeae 100644
--- a/modules/machine-learning-services/workspace/.test/min/main.test.bicep
+++ b/modules/machine-learning-services/workspace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.machinelearningservices.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep
index a7ae7e0b34..6467bd54d7 100644
--- a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.maintenance.maintenanceconfigurations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep
index 1120f4565b..f23eada34d 100644
--- a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.maintenance.maintenanceconfigurations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
index 87518c8a84..48a1d41af0 100644
--- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.managedidentity.userassignedidentities-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep
index 4a83660c9c..d7da3a5c01 100644
--- a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.managedidentity.userassignedidentities-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
@@ -20,6 +20,9 @@ param serviceShort string = 'miuaimin'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
 // ============ //
 // Dependencies //
 // ============ //
diff --git a/modules/managed-services/registration-definition/.test/rg/main.test.bicep b/modules/managed-services/registration-definition/.test/rg/main.test.bicep
index 990d3cf1ef..e6d5fe9145 100644
--- a/modules/managed-services/registration-definition/.test/rg/main.test.bicep
+++ b/modules/managed-services/registration-definition/.test/rg/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.managedservices.registrationdefinitions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-managedservices.registrationdefinitions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/net-app/net-app-account/.test/min/main.test.bicep b/modules/net-app/net-app-account/.test/min/main.test.bicep
index 509217aef3..8c3ceb52c3 100644
--- a/modules/net-app/net-app-account/.test/min/main.test.bicep
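Review bot: In the second hunk of the user-assigned-identity `min` test file, the new `namePrefix` parameter defaults to the literal placeholder `'[[namePrefix]]'`, and that value flows straight into the `resourceGroupName` default changed a few lines earlier; nothing in the hunk says who substitutes the token, so a reader deploying the file by hand would get a group name containing square brackets, which is unlikely to pass resource-group naming rules. The `@description` should state that contract, e.g. `@description('Optional. A token to inject into the name of each resource. The default is a placeholder substituted by the test pipeline; pass a short real value when deploying manually.')`. This is the only hunk in this range that declares `namePrefix`; the other `resourceGroupName` hunks reference it without a visible declaration, which is presumably added by hunks outside this view.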
+++ b/modules/net-app/net-app-account/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
index c5db1e5500..25924e73f9 100644
--- a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
+++ b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
index f87ae67141..bc1413283d 100644
--- a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
+++ b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-netapp.netappaccounts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep
index 0c71d78598..0c7f1fe7f3 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep
index 0b726f6d54..039dd1b2a6 100644
--- a/modules/network/application-gateway/.test/common/main.test.bicep
+++ b/modules/network/application-gateway/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.applicationgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/application-security-group/.test/common/main.test.bicep b/modules/network/application-security-group/.test/common/main.test.bicep
index 8783a868c4..2d7c4f2f95 100644
--- a/modules/network/application-security-group/.test/common/main.test.bicep
+++ b/modules/network/application-security-group/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.applicationsecuritygroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecuritygroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/addpip/main.test.bicep b/modules/network/azure-firewall/.test/addpip/main.test.bicep
index b1117edf58..3406fcf6b3 100644
--- a/modules/network/azure-firewall/.test/addpip/main.test.bicep
+++ b/modules/network/azure-firewall/.test/addpip/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/.test/common/main.test.bicep
index cf719551ab..9d72856614 100644
--- a/modules/network/azure-firewall/.test/common/main.test.bicep
+++ b/modules/network/azure-firewall/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/custompip/main.test.bicep b/modules/network/azure-firewall/.test/custompip/main.test.bicep
index a1f03ffaa9..44717d83cf 100644
--- a/modules/network/azure-firewall/.test/custompip/main.test.bicep
+++ b/modules/network/azure-firewall/.test/custompip/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/hubcommon/main.test.bicep b/modules/network/azure-firewall/.test/hubcommon/main.test.bicep
index eff51c688e..24f9abf6d4 100644
--- a/modules/network/azure-firewall/.test/hubcommon/main.test.bicep
+++ b/modules/network/azure-firewall/.test/hubcommon/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/hubmin/main.test.bicep b/modules/network/azure-firewall/.test/hubmin/main.test.bicep
index 862f32d241..85056db679 100644
--- a/modules/network/azure-firewall/.test/hubmin/main.test.bicep
+++ b/modules/network/azure-firewall/.test/hubmin/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/azure-firewall/.test/min/main.test.bicep b/modules/network/azure-firewall/.test/min/main.test.bicep
index 28620b7046..c0d9f84edc 100644
--- a/modules/network/azure-firewall/.test/min/main.test.bicep
+++ b/modules/network/azure-firewall/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/.test/common/main.test.bicep
index 02f6497c2d..3688f87735 100644
--- a/modules/network/bastion-host/.test/common/main.test.bicep
+++ b/modules/network/bastion-host/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.bastionhosts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/bastion-host/.test/custompip/main.test.bicep b/modules/network/bastion-host/.test/custompip/main.test.bicep
index 4d9c25e73d..9cf1ef28dc 100644
--- a/modules/network/bastion-host/.test/custompip/main.test.bicep
+++ b/modules/network/bastion-host/.test/custompip/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.bastionhosts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/bastion-host/.test/min/main.test.bicep b/modules/network/bastion-host/.test/min/main.test.bicep
index 8292377077..0c178876f0 100644
--- a/modules/network/bastion-host/.test/min/main.test.bicep
+++ b/modules/network/bastion-host/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.bastionhosts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/connection/.test/vnet2vnet/main.test.bicep b/modules/network/connection/.test/vnet2vnet/main.test.bicep
index 9450e5be59..4a3da829cf 100644
--- a/modules/network/connection/.test/vnet2vnet/main.test.bicep
+++ b/modules/network/connection/.test/vnet2vnet/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.connections-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.connections-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/ddos-protection-plan/.test/common/main.test.bicep b/modules/network/ddos-protection-plan/.test/common/main.test.bicep
index 5f76122a56..7aeecb00c5 100644
--- a/modules/network/ddos-protection-plan/.test/common/main.test.bicep
+++ b/modules/network/ddos-protection-plan/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.ddosprotectionplans-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/ddos-protection-plan/.test/min/main.test.bicep b/modules/network/ddos-protection-plan/.test/min/main.test.bicep
index 3f06befe16..ca85cb56f0 100644
--- a/modules/network/ddos-protection-plan/.test/min/main.test.bicep
+++ b/modules/network/ddos-protection-plan/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.ddosprotectionplans-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep
index e3c7eb4a8e..43cb92fd4d 100644
--- a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.dnsForwardingRuleset-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep
index 0d95972412..ed1fc457c5 100644
--- a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.dnsForwardingRuleset-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/dns-resolver/.test/common/main.test.bicep b/modules/network/dns-resolver/.test/common/main.test.bicep
index 10ca18a16f..b7c060dd2f 100644
--- a/modules/network/dns-resolver/.test/common/main.test.bicep
+++ b/modules/network/dns-resolver/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.dnsResolvers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/dns-zone/.test/common/main.test.bicep b/modules/network/dns-zone/.test/common/main.test.bicep
index 667e7e4e00..ed751afbbd 100644
--- a/modules/network/dns-zone/.test/common/main.test.bicep
+++ b/modules/network/dns-zone/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.dnszones-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/dns-zone/.test/min/main.test.bicep b/modules/network/dns-zone/.test/min/main.test.bicep
index 99dd5b9612..3e13b00238 100644
--- a/modules/network/dns-zone/.test/min/main.test.bicep
+++ b/modules/network/dns-zone/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.dnszones-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/.test/common/main.test.bicep
index befce2285b..ab72f6d9c0 100644
--- a/modules/network/express-route-circuit/.test/common/main.test.bicep
+++ b/modules/network/express-route-circuit/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.expressroutecircuits-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/express-route-circuit/.test/min/main.test.bicep b/modules/network/express-route-circuit/.test/min/main.test.bicep
index 9023c41dfe..6bc6b2b580 100644
--- a/modules/network/express-route-circuit/.test/min/main.test.bicep
+++ b/modules/network/express-route-circuit/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.expressroutecircuits-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/.test/common/main.test.bicep
index d99873cd46..72ddf4c851 100644
--- a/modules/network/express-route-gateway/.test/common/main.test.bicep
+++ b/modules/network/express-route-gateway/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.expressRouteGateway-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/express-route-gateway/.test/min/main.test.bicep b/modules/network/express-route-gateway/.test/min/main.test.bicep
index b410608160..49b5c52596 100644
--- a/modules/network/express-route-gateway/.test/min/main.test.bicep
+++ b/modules/network/express-route-gateway/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.expressRouteGateway-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/firewall-policy/.test/common/main.test.bicep b/modules/network/firewall-policy/.test/common/main.test.bicep
index b0f3e73de8..f3447f4ce4 100644
--- a/modules/network/firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/firewall-policy/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.firewallpolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/firewall-policy/.test/min/main.test.bicep b/modules/network/firewall-policy/.test/min/main.test.bicep
index 2efbeaeead..e5ce72720a 100644
--- a/modules/network/firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/firewall-policy/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.firewallpolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
index 9473957b31..368546b37b 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
index e6dc94614a..833631084c 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/front-door/.test/common/main.test.bicep b/modules/network/front-door/.test/common/main.test.bicep
index 485d7f052f..c914c6eb8b 100644
--- a/modules/network/front-door/.test/common/main.test.bicep
+++ b/modules/network/front-door/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.frontdoors-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/front-door/.test/min/main.test.bicep b/modules/network/front-door/.test/min/main.test.bicep
index d924dcbb25..347cd6dbd1 100644
--- a/modules/network/front-door/.test/min/main.test.bicep
+++ b/modules/network/front-door/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.frontdoors-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/ip-group/.test/common/main.test.bicep b/modules/network/ip-group/.test/common/main.test.bicep
index e58ccd5a53..739303e9a1 100644
--- a/modules/network/ip-group/.test/common/main.test.bicep
+++ b/modules/network/ip-group/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.ipgroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/ip-group/.test/min/main.test.bicep b/modules/network/ip-group/.test/min/main.test.bicep
index 174c87ae38..e9bc5c3f60 100644
--- a/modules/network/ip-group/.test/min/main.test.bicep
+++ b/modules/network/ip-group/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.ipgroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/.test/common/main.test.bicep
index 190d42404e..e08dc8a218 100644
--- a/modules/network/load-balancer/.test/common/main.test.bicep
+++ b/modules/network/load-balancer/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.loadbalancers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/load-balancer/.test/internal/main.test.bicep b/modules/network/load-balancer/.test/internal/main.test.bicep
index 0e828f0415..bf22fa5b0c 100644
--- a/modules/network/load-balancer/.test/internal/main.test.bicep
+++ b/modules/network/load-balancer/.test/internal/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.loadbalancers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/load-balancer/.test/min/main.test.bicep b/modules/network/load-balancer/.test/min/main.test.bicep
index dbb4ca6571..d5d20d4d72 100644
--- a/modules/network/load-balancer/.test/min/main.test.bicep
+++ b/modules/network/load-balancer/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.loadbalancers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/local-network-gateway/.test/common/main.test.bicep b/modules/network/local-network-gateway/.test/common/main.test.bicep
index 0d7e13410f..877aee9a00 100644
--- a/modules/network/local-network-gateway/.test/common/main.test.bicep
+++ b/modules/network/local-network-gateway/.test/common/main.test.bicep
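Review bot: The new `resourceGroupName` default in the load-balancer `internal` test (the `@@ -6,7 +6,7 @@` hunk) references `namePrefix`, whose declaration lies outside the hunk; unlike the other tests this file has no `metadata` header (the hunk starts at line 6 rather than 9), so it may predate the `namePrefix` parameter and should be checked to contain `param namePrefix string = '[[namePrefix]]'`, otherwise the template no longer compiles. The same check applies to the other `@@ -6,7 +6,7 @@` hunk in this patch, the virtual-network-gateway `aadvpn` test. Declaration order itself is not a concern: the full listings elsewhere in this patch already have `resourceGroupName` reference `serviceShort` and `namePrefix` before they are declared, so the compiler accepts the forward reference. Embedding the run's prefix in the resource-group name also keeps concurrent test runs in a shared subscription from landing in, and cleaning up, each other's resource group, which is worth a short note in the parameter's `@description`.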
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.localnetworkgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/local-network-gateway/.test/min/main.test.bicep b/modules/network/local-network-gateway/.test/min/main.test.bicep
index b9577924ea..738c5439e1 100644
--- a/modules/network/local-network-gateway/.test/min/main.test.bicep
+++ b/modules/network/local-network-gateway/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.localnetworkgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep
index f999e3cb3a..2bbf68f7cd 100644
--- a/modules/network/nat-gateway/.test/common/main.test.bicep
+++ b/modules/network/nat-gateway/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.natgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep
index 980dbff520..71462f0114 100644
--- a/modules/network/network-interface/.test/common/main.test.bicep
+++ b/modules/network/network-interface/.test/common/main.test.bicep
@@ -1,118 +1,118 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.network.networkinterfaces-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnicom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
- loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- ipConfigurations: [
- {
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- loadBalancerBackendAddressPools: [
- {
- id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
- }
- ]
- name: 'ipconfig01'
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- }
- {
- subnetResourceId: nestedDependencies.outputs.subnetResourceId
- applicationSecurityGroups: [
- {
- id: nestedDependencies.outputs.applicationSecurityGroupResourceId
- }
- ]
- }
- ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nnicom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
+ loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ ipConfigurations: [
+ {
+ applicationSecurityGroups: [
+ {
+ id: nestedDependencies.outputs.applicationSecurityGroupResourceId
+ }
+ ]
+ loadBalancerBackendAddressPools: [
+ {
+ id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
+ }
+ ]
+ name: 'ipconfig01'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ }
+ {
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ applicationSecurityGroups: [
+ {
+ id: nestedDependencies.outputs.applicationSecurityGroupResourceId
+ }
+ ]
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/network-interface/.test/min/main.test.bicep b/modules/network/network-interface/.test/min/main.test.bicep
index 8a045fec44..a5d77cf3cb 100644
--- a/modules/network/network-interface/.test/min/main.test.bicep
+++ b/modules/network/network-interface/.test/min/main.test.bicep
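Review bot: The rewritten network-interface `common` test inserts an empty line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` inside the `roleAssignments` entry, which no other object literal in the file has and which reads as accidental; dropping it, and keeping the trailing blank line the old side ended with, leaves the layout consistent with the other test files (the 118/118 line counts only balance because the two stray lines cancel out). Apart from the `resourceGroupName` default, every line is removed and re-added with identical visible text, which is presumably a line-ending or whitespace normalisation; that cannot be confirmed from the diff text, so it is worth checking the editor/`.gitattributes` setting against the repository before more test files are rewritten wholesale, since such rewrites hide real changes in review. The `Reader` role assignment on the managed identity, the `CanNotDelete` lock and the diagnostic sinks are carried over unchanged, so the rewrite does not widen what the test deployment grants.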
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.networkinterfaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/network-manager/.test/common/main.test.bicep b/modules/network/network-manager/.test/common/main.test.bicep
index 25ba582f7c..d1d30c49f1 100644
--- a/modules/network/network-manager/.test/common/main.test.bicep
+++ b/modules/network/network-manager/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.networkmanagers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/.test/common/main.test.bicep
index 66532c02ae..a82db647c3 100644
--- a/modules/network/network-security-group/.test/common/main.test.bicep
+++ b/modules/network/network-security-group/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.networksecuritygroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/network-security-group/.test/min/main.test.bicep b/modules/network/network-security-group/.test/min/main.test.bicep
index 225b630945..5408cedcc5 100644
--- a/modules/network/network-security-group/.test/min/main.test.bicep
+++ b/modules/network/network-security-group/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.networksecuritygroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-dns-zone/.test/common/main.test.bicep b/modules/network/private-dns-zone/.test/common/main.test.bicep
index b8fd61f780..523554c445 100644
--- a/modules/network/private-dns-zone/.test/common/main.test.bicep
+++ b/modules/network/private-dns-zone/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privatednszones-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-dns-zone/.test/min/main.test.bicep b/modules/network/private-dns-zone/.test/min/main.test.bicep
index db60e58143..0426b7b5d0 100644
--- a/modules/network/private-dns-zone/.test/min/main.test.bicep
+++ b/modules/network/private-dns-zone/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privatednszones-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/.test/common/main.test.bicep
index 8b0abeaf5c..a5f036c296 100644
--- a/modules/network/private-endpoint/.test/common/main.test.bicep
+++ b/modules/network/private-endpoint/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privateendpoints-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-endpoint/.test/min/main.test.bicep b/modules/network/private-endpoint/.test/min/main.test.bicep
index 6d5c80f1b3..95f011a2b2 100644
--- a/modules/network/private-endpoint/.test/min/main.test.bicep
+++ b/modules/network/private-endpoint/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privateendpoints-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-link-service/.test/common/main.test.bicep b/modules/network/private-link-service/.test/common/main.test.bicep
index b7cbc93723..f8f5819498 100644
--- a/modules/network/private-link-service/.test/common/main.test.bicep
+++ b/modules/network/private-link-service/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privatelinkservices-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/private-link-service/.test/min/main.test.bicep b/modules/network/private-link-service/.test/min/main.test.bicep
index d56543c89b..d7e063e3d4 100644
--- a/modules/network/private-link-service/.test/min/main.test.bicep
+++ b/modules/network/private-link-service/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.privatelinkservices-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep
index 36ef8bc40a..b61ac3a4aa 100644
--- a/modules/network/public-ip-address/.test/common/main.test.bicep
+++ b/modules/network/public-ip-address/.test/common/main.test.bicep
@@ -1,98 +1,98 @@
-targetScope = 'subscription'
-
-metadata name = 'Using large parameter set'
-metadata description = 'This instance deploys the module with most of its features enabled.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.network.publicipaddresses-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'npiacom'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- publicIPAllocationMethod: 'Static'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- skuName: 'Standard'
- zones: [
- '1'
- '2'
- '3'
- ]
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
-
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'npiacom'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ publicIPAllocationMethod: 'Static'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ skuName: 'Standard'
+ zones: [
+ '1'
+ '2'
+ '3'
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/public-ip-address/.test/min/main.test.bicep b/modules/network/public-ip-address/.test/min/main.test.bicep
index e0f4f0d87d..b759ba4dda 100644
--- a/modules/network/public-ip-address/.test/min/main.test.bicep
+++ b/modules/network/public-ip-address/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.publicipaddresses-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/public-ip-prefix/.test/common/main.test.bicep b/modules/network/public-ip-prefix/.test/common/main.test.bicep
index 86dba8a94f..c69da59569 100644
--- a/modules/network/public-ip-prefix/.test/common/main.test.bicep
+++ b/modules/network/public-ip-prefix/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.publicipprefixes-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
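Review bot: The rewritten public-ip-address `common` test has the same stray empty line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` inside the `roleAssignments` entry that appears nowhere else in the file, and the old side's trailing blank line is dropped in exchange (which is why the 98/98 counts still balance); removing the inner blank and keeping the trailing one restores the layout the other test files use. Every other line of the file is removed and re-added with identical visible text apart from the `resourceGroupName` default, so this is presumably a line-ending normalisation that the diff text cannot confirm — whole-file churn like this makes it hard to spot a substantive change in a test that hands a managed identity a role and places a `CanNotDelete` lock, so it is worth isolating the normalisation in its own commit or fixing the editor setting. The `Standard` SKU, static allocation and `Reader` assignment are unchanged, so nothing the test deploys is exposed more widely than before.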
diff --git a/modules/network/public-ip-prefix/.test/min/main.test.bicep b/modules/network/public-ip-prefix/.test/min/main.test.bicep
index 8115e852ed..979dc0e0af 100644
--- a/modules/network/public-ip-prefix/.test/min/main.test.bicep
+++ b/modules/network/public-ip-prefix/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.publicipprefixes-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/route-table/.test/common/main.test.bicep b/modules/network/route-table/.test/common/main.test.bicep
index cab828e429..a14ec3fb4b 100644
--- a/modules/network/route-table/.test/common/main.test.bicep
+++ b/modules/network/route-table/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.routetables-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/route-table/.test/min/main.test.bicep b/modules/network/route-table/.test/min/main.test.bicep
index 1515b9a8fb..a5b93df8a8 100644
--- a/modules/network/route-table/.test/min/main.test.bicep
+++ b/modules/network/route-table/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.routetables-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/service-endpoint-policy/.test/common/main.test.bicep b/modules/network/service-endpoint-policy/.test/common/main.test.bicep
index 82ee681383..3a0c8c2c75 100644
--- a/modules/network/service-endpoint-policy/.test/common/main.test.bicep
+++ b/modules/network/service-endpoint-policy/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.serviceendpointpolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/service-endpoint-policy/.test/min/main.test.bicep b/modules/network/service-endpoint-policy/.test/min/main.test.bicep
index 7ac8d7747a..154fe68b53 100644
--- a/modules/network/service-endpoint-policy/.test/min/main.test.bicep
+++ b/modules/network/service-endpoint-policy/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.serviceendpointpolicies-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep
index 9a466dd925..0c00e5b2b8 100644
--- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep
+++ b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.trafficmanagerprofiles-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep b/modules/network/trafficmanagerprofile/.test/min/main.test.bicep
index b0100513d4..78292ead79 100644
--- a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep
+++ b/modules/network/trafficmanagerprofile/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.trafficmanagerprofiles-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-hub/.test/common/main.test.bicep b/modules/network/virtual-hub/.test/common/main.test.bicep
index 52f78ecbb6..3686e52eb7 100644
--- a/modules/network/virtual-hub/.test/common/main.test.bicep
+++ b/modules/network/virtual-hub/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualHub-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-hub/.test/min/main.test.bicep b/modules/network/virtual-hub/.test/min/main.test.bicep
index 56a53cb235..be7e2a2955 100644
--- a/modules/network/virtual-hub/.test/min/main.test.bicep
+++ b/modules/network/virtual-hub/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualHub-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep
index fe61f76c04..d02d24dcbf 100644
--- a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep
+++ b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep
index c2bc8286c6..7b706acf5e 100644
--- a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep
+++ b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep
index 1845a4fff4..4bb4048a26 100644
--- a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep
+++ b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworkgateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/.test/common/main.test.bicep
index 766e2acdb0..cc944f6070 100644
--- a/modules/network/virtual-network/.test/common/main.test.bicep
+++ b/modules/network/virtual-network/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworks-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network/.test/min/main.test.bicep b/modules/network/virtual-network/.test/min/main.test.bicep
index 1cd5b5d90a..5d77b3ccee 100644
--- a/modules/network/virtual-network/.test/min/main.test.bicep
+++ b/modules/network/virtual-network/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworks-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-network/.test/vnetPeering/main.test.bicep b/modules/network/virtual-network/.test/vnetPeering/main.test.bicep
index f1c57ad4c6..34df29c754 100644
--- a/modules/network/virtual-network/.test/vnetPeering/main.test.bicep
+++ b/modules/network/virtual-network/.test/vnetPeering/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualnetworks-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-wan/.test/common/main.test.bicep b/modules/network/virtual-wan/.test/common/main.test.bicep
index cc243543eb..b253f9af0a 100644
--- a/modules/network/virtual-wan/.test/common/main.test.bicep
+++ b/modules/network/virtual-wan/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualwans-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/virtual-wan/.test/min/main.test.bicep b/modules/network/virtual-wan/.test/min/main.test.bicep
index 8247a6e863..da77dcc8fc 100644
--- a/modules/network/virtual-wan/.test/min/main.test.bicep
+++ b/modules/network/virtual-wan/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.virtualwans-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/vpn-gateway/.test/common/main.test.bicep b/modules/network/vpn-gateway/.test/common/main.test.bicep
index 9c12de8234..857d52c3a2 100644
--- a/modules/network/vpn-gateway/.test/common/main.test.bicep
+++ b/modules/network/vpn-gateway/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.vpngateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/vpn-gateway/.test/min/main.test.bicep b/modules/network/vpn-gateway/.test/min/main.test.bicep
index f050ca9adc..959c3c8182 100644
--- a/modules/network/vpn-gateway/.test/min/main.test.bicep
+++ b/modules/network/vpn-gateway/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.vpngateways-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/vpn-site/.test/common/main.test.bicep b/modules/network/vpn-site/.test/common/main.test.bicep
index 2bdea975b3..d51318aff1 100644
--- a/modules/network/vpn-site/.test/common/main.test.bicep
+++ b/modules/network/vpn-site/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.vpnSites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/network/vpn-site/.test/min/main.test.bicep b/modules/network/vpn-site/.test/min/main.test.bicep
index 7a564ddcfa..e452f365d1 100644
--- a/modules/network/vpn-site/.test/min/main.test.bicep
+++ b/modules/network/vpn-site/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.network.vpnSites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operational-insights/workspace/.test/adv/main.test.bicep b/modules/operational-insights/workspace/.test/adv/main.test.bicep
index b18387c3af..f898f556e3 100644
--- a/modules/operational-insights/workspace/.test/adv/main.test.bicep
+++ b/modules/operational-insights/workspace/.test/adv/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationalinsights.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep
index 8f4ef65925..b55b5e3dbd 100644
--- a/modules/operational-insights/workspace/.test/common/main.test.bicep
+++ b/modules/operational-insights/workspace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationalinsights.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operational-insights/workspace/.test/min/main.test.bicep b/modules/operational-insights/workspace/.test/min/main.test.bicep
index cb56d8a1a8..efb01b22ac 100644
--- a/modules/operational-insights/workspace/.test/min/main.test.bicep
+++ b/modules/operational-insights/workspace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationalinsights.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operations-management/solution/.test/min/main.test.bicep b/modules/operations-management/solution/.test/min/main.test.bicep
index 0fea432bd3..b59040e411 100644
--- a/modules/operations-management/solution/.test/min/main.test.bicep
+++ b/modules/operations-management/solution/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationsmanagement.solutions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operations-management/solution/.test/ms/main.test.bicep b/modules/operations-management/solution/.test/ms/main.test.bicep
index dd3a506108..a055a0c15a 100644
--- a/modules/operations-management/solution/.test/ms/main.test.bicep
+++ b/modules/operations-management/solution/.test/ms/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationsmanagement.solutions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/operations-management/solution/.test/nonms/main.test.bicep b/modules/operations-management/solution/.test/nonms/main.test.bicep
index f37927d1e9..e3e4e9d126 100644
--- a/modules/operations-management/solution/.test/nonms/main.test.bicep
+++ b/modules/operations-management/solution/.test/nonms/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.operationsmanagement.solutions-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-operationsmanagement.solutions-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/policy-insights/remediation/.test/rg.common/main.test.bicep b/modules/policy-insights/remediation/.test/rg.common/main.test.bicep
index 62590b7dce..7052879293 100644
--- a/modules/policy-insights/remediation/.test/rg.common/main.test.bicep
+++ b/modules/policy-insights/remediation/.test/rg.common/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.policyinsights.remediations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-policyinsights.remediations-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/policy-insights/remediation/.test/rg.min/main.test.bicep b/modules/policy-insights/remediation/.test/rg.min/main.test.bicep
index 7f67473575..8d80250f13 100644
--- a/modules/policy-insights/remediation/.test/rg.min/main.test.bicep
+++ b/modules/policy-insights/remediation/.test/rg.min/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.policyinsights.remediations-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-policyinsights.remediations-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
index 9492810703..813c5ed01a 100644
--- a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.powerbidedicated.capacities-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
index dea599ae13..3cbc57c794 100644
--- a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.powerbidedicated.capacities-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep
index 1db2c2caf0..2e89ea8f5b 100644
--- a/modules/purview/account/.test/common/main.test.bicep
+++ b/modules/purview/account/.test/common/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.purview-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3
diff --git a/modules/purview/account/.test/min/main.test.bicep b/modules/purview/account/.test/min/main.test.bicep
index 8cf13684b3..085922c251 100644
--- a/modules/purview/account/.test/min/main.test.bicep
+++ b/modules/purview/account/.test/min/main.test.bicep
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 // ========== //
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.purview-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3
diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep
index 9dff63f908..8303605f63 100644
--- a/modules/recovery-services/vault/.test/common/main.test.bicep
+++ b/modules/recovery-services/vault/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.recoveryservices.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/recovery-services/vault/.test/dr/main.test.bicep b/modules/recovery-services/vault/.test/dr/main.test.bicep
index 4e4ad6096d..ab0df3f202 100644
--- a/modules/recovery-services/vault/.test/dr/main.test.bicep
+++ b/modules/recovery-services/vault/.test/dr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.recoveryservices.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/recovery-services/vault/.test/min/main.test.bicep b/modules/recovery-services/vault/.test/min/main.test.bicep
index 8477f9fb08..84b52bfe7b 100644
--- a/modules/recovery-services/vault/.test/min/main.test.bicep
+++ b/modules/recovery-services/vault/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.recoveryservices.vaults-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep
index 6aedc4696c..0a7b794cc7 100644
--- a/modules/relay/namespace/.test/common/main.test.bicep
+++ b/modules/relay/namespace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/relay/namespace/.test/min/main.test.bicep b/modules/relay/namespace/.test/min/main.test.bicep
index 25c3225ee0..b58e52706a 100644
--- a/modules/relay/namespace/.test/min/main.test.bicep
+++ b/modules/relay/namespace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/relay/namespace/.test/pe/main.test.bicep b/modules/relay/namespace/.test/pe/main.test.bicep
index 30ac3bfaba..380e33d618 100644
--- a/modules/relay/namespace/.test/pe/main.test.bicep
+++ b/modules/relay/namespace/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.relay.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resource-graph/query/.test/common/main.test.bicep b/modules/resource-graph/query/.test/common/main.test.bicep
index a898c05ab8..2d657d504c 100644
--- a/modules/resource-graph/query/.test/common/main.test.bicep
+++ b/modules/resource-graph/query/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resourcegraph.queries-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resource-graph/query/.test/min/main.test.bicep b/modules/resource-graph/query/.test/min/main.test.bicep
index f03ce1a8a9..662a8d6a1b 100644
--- a/modules/resource-graph/query/.test/min/main.test.bicep
+++ b/modules/resource-graph/query/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resourcegraph.queries-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resources/deployment-script/.test/cli/main.test.bicep b/modules/resources/deployment-script/.test/cli/main.test.bicep
index fe7f95dc0d..9c2194b2cc 100644
--- a/modules/resources/deployment-script/.test/cli/main.test.bicep
+++ b/modules/resources/deployment-script/.test/cli/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resources.deploymentscripts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resources.deploymentscripts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resources/deployment-script/.test/ps/main.test.bicep b/modules/resources/deployment-script/.test/ps/main.test.bicep
index e3a9c55382..00cea68eaf 100644
--- a/modules/resources/deployment-script/.test/ps/main.test.bicep
+++ b/modules/resources/deployment-script/.test/ps/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resources.deploymentscripts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resources.deploymentscripts-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resources/resource-group/.test/common/main.test.bicep b/modules/resources/resource-group/.test/common/main.test.bicep
index 6a47e86bce..d5b9883a8d 100644
--- a/modules/resources/resource-group/.test/common/main.test.bicep
+++ b/modules/resources/resource-group/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resources.resourcegroups-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/resources/tags/.test/rg/main.test.bicep b/modules/resources/tags/.test/rg/main.test.bicep
index 3827831870..ef95040057 100644
--- a/modules/resources/tags/.test/rg/main.test.bicep
+++ b/modules/resources/tags/.test/rg/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.resources.tags-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-resources.tags-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
@@ -17,6 +17,9 @@ param serviceShort string = 'rtrg'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
 // ============ //
 // Dependencies //
 // ============ //
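Review bot: The `param namePrefix string = '[[namePrefix]]'` declaration added in the second hunk of `resources/tags/.test/rg/main.test.bicep` is the only declaration of `namePrefix` visible on this page, while every other `resourceGroupName` hunk here now interpolates `${namePrefix}` without its file's diff adding one. That is fine if those test templates already declare the parameter, but any file that does not will fail to compile after this change, so the sibling `.test/*/main.test.bicep` files touched in this commit (network, operational-insights, purview, recovery-services, relay, resource-graph, search, service-bus and the others above) are worth confirming before merge. The `[[namePrefix]]` default is presumably a pipeline-substituted token; if it ever reaches a deployment unreplaced, the brackets make the resource group name invalid, which fails loudly rather than silently, so no change is needed there.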
diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep
index d975b5f231..25eb01eb67 100644
--- a/modules/search/search-service/.test/common/main.test.bicep
+++ b/modules/search/search-service/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.search.searchservices-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/search/search-service/.test/min/main.test.bicep b/modules/search/search-service/.test/min/main.test.bicep
index 4f66e7b2e4..3383746985 100644
--- a/modules/search/search-service/.test/min/main.test.bicep
+++ b/modules/search/search-service/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.search.searchservices-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/search/search-service/.test/pe/main.test.bicep b/modules/search/search-service/.test/pe/main.test.bicep
index 8c0b99b109..0c4ab94004 100644
--- a/modules/search/search-service/.test/pe/main.test.bicep
+++ b/modules/search/search-service/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.search.searchservices-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/security/azure-security-center/.test/common/main.test.bicep b/modules/security/azure-security-center/.test/common/main.test.bicep
index a1caae0519..e3621cd32f 100644
--- a/modules/security/azure-security-center/.test/common/main.test.bicep
+++ b/modules/security/azure-security-center/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.security.azureSecurityCenter-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep
index 8e60f2b946..9cb9283457 100644
--- a/modules/service-bus/namespace/.test/common/main.test.bicep
+++ b/modules/service-bus/namespace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-bus/namespace/.test/encr/main.test.bicep b/modules/service-bus/namespace/.test/encr/main.test.bicep
index adede3e81f..1d7dc3802b 100644
--- a/modules/service-bus/namespace/.test/encr/main.test.bicep
+++ b/modules/service-bus/namespace/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-bus/namespace/.test/min/main.test.bicep b/modules/service-bus/namespace/.test/min/main.test.bicep
index 81c5af272a..b11f92b41e 100644
--- a/modules/service-bus/namespace/.test/min/main.test.bicep
+++ b/modules/service-bus/namespace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-bus/namespace/.test/pe/main.test.bicep b/modules/service-bus/namespace/.test/pe/main.test.bicep
index a8152faa4b..936692a3b1 100644
--- a/modules/service-bus/namespace/.test/pe/main.test.bicep
+++ b/modules/service-bus/namespace/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicebus.namespaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-fabric/cluster/.test/cert/main.test.bicep b/modules/service-fabric/cluster/.test/cert/main.test.bicep
index 92318e7b59..edd7a2d36a 100644
--- a/modules/service-fabric/cluster/.test/cert/main.test.bicep
+++ b/modules/service-fabric/cluster/.test/cert/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicefabric.clusters-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-fabric/cluster/.test/common/main.test.bicep b/modules/service-fabric/cluster/.test/common/main.test.bicep
index a84afa9e53..642a4e2882 100644
--- a/modules/service-fabric/cluster/.test/common/main.test.bicep
+++ b/modules/service-fabric/cluster/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicefabric.clusters-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/service-fabric/cluster/.test/min/main.test.bicep b/modules/service-fabric/cluster/.test/min/main.test.bicep
index e7bf07187d..49d19006fd 100644
--- a/modules/service-fabric/cluster/.test/min/main.test.bicep
+++ b/modules/service-fabric/cluster/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.servicefabric.clusters-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
index 0724522270..8364d963e6 100644
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep
+++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.signalrservice.signalr-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/signal-r-service/signal-r/.test/min/main.test.bicep b/modules/signal-r-service/signal-r/.test/min/main.test.bicep
index 3f7d469ad1..b8d61468f3 100644
--- a/modules/signal-r-service/signal-r/.test/min/main.test.bicep
+++ b/modules/signal-r-service/signal-r/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.signalrservice.signalr-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
index ede9095527..9205abc457 100644
--- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.signalrservice.webpubsub-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep
index 0afc1a7936..ac0f2990f4 100644
--- a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.signalrservice.webpubsub-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
index f3e03b566e..cff16d9528 100644
--- a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.signalrservice.webpubsub-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep
index fe67a03897..4d81f21d66 100644
--- a/modules/sql/managed-instance/.test/common/main.test.bicep
+++ b/modules/sql/managed-instance/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.managedinstances-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/managed-instance/.test/min/main.test.bicep b/modules/sql/managed-instance/.test/min/main.test.bicep
index 0c9d4bbe75..a9d1d45a88 100644
--- a/modules/sql/managed-instance/.test/min/main.test.bicep
+++ b/modules/sql/managed-instance/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.managedinstances-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
index 1238ce7a47..aecb08b1b7 100644
--- a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
+++ b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.managedinstances-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/server/.test/admin/main.test.bicep b/modules/sql/server/.test/admin/main.test.bicep
index 0f6850169f..72d7db6de4 100644
--- a/modules/sql/server/.test/admin/main.test.bicep
+++ b/modules/sql/server/.test/admin/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.servers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep
index c6bf91abb0..ff55dde98d 100644
--- a/modules/sql/server/.test/common/main.test.bicep
+++ b/modules/sql/server/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.servers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/server/.test/pe/main.test.bicep b/modules/sql/server/.test/pe/main.test.bicep
index b0c7032988..f813715f36 100644
--- a/modules/sql/server/.test/pe/main.test.bicep
+++ b/modules/sql/server/.test/pe/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.servers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/sql/server/.test/secondary/main.test.bicep b/modules/sql/server/.test/secondary/main.test.bicep
index 6fef08a476..c88c13fcef 100644
--- a/modules/sql/server/.test/secondary/main.test.bicep
+++ b/modules/sql/server/.test/secondary/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.sql.servers-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep
index 7a14f34337..2e90efc8b5 100644
--- a/modules/storage/storage-account/.test/common/main.test.bicep
+++ b/modules/storage/storage-account/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.storage.storageaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/storage/storage-account/.test/encr/main.test.bicep b/modules/storage/storage-account/.test/encr/main.test.bicep
index 8d2d24e464..acdcccd5d9 100644
--- a/modules/storage/storage-account/.test/encr/main.test.bicep
+++ b/modules/storage/storage-account/.test/encr/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.storage.storageaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/storage/storage-account/.test/min/main.test.bicep b/modules/storage/storage-account/.test/min/main.test.bicep
index c96293aff1..24b565b8b6 100644
--- a/modules/storage/storage-account/.test/min/main.test.bicep
+++ b/modules/storage/storage-account/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.storage.storageaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/.test/nfs/main.test.bicep
index 8403155a98..9f42e517d7 100644
--- a/modules/storage/storage-account/.test/nfs/main.test.bicep
+++ b/modules/storage/storage-account/.test/nfs/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.storage.storageaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/storage/storage-account/.test/v1/main.test.bicep b/modules/storage/storage-account/.test/v1/main.test.bicep
index 96023bdd36..554750255f 100644
--- a/modules/storage/storage-account/.test/v1/main.test.bicep
+++ b/modules/storage/storage-account/.test/v1/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.storage.storageaccounts-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep
index 86db3ae553..84d8dd7b87 100644
--- a/modules/synapse/private-link-hub/.test/common/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.privatelinkhubs-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/private-link-hub/.test/min/main.test.bicep b/modules/synapse/private-link-hub/.test/min/main.test.bicep
index 6c1e056048..8256ac8c67 100644
--- a/modules/synapse/private-link-hub/.test/min/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.privatelinkhubs-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep
index a18415d374..ec666fb633 100644
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/workspace/.test/encrwsai/main.test.bicep b/modules/synapse/workspace/.test/encrwsai/main.test.bicep
index 1637803f58..31ef9e1a20 100644
--- a/modules/synapse/workspace/.test/encrwsai/main.test.bicep
+++ b/modules/synapse/workspace/.test/encrwsai/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/workspace/.test/encrwuai/main.test.bicep b/modules/synapse/workspace/.test/encrwuai/main.test.bicep
index d21ce8959f..85911c61ec 100644
--- a/modules/synapse/workspace/.test/encrwuai/main.test.bicep
+++ b/modules/synapse/workspace/.test/encrwuai/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/workspace/.test/managedvnet/main.test.bicep b/modules/synapse/workspace/.test/managedvnet/main.test.bicep
index 545c90ea67..fdf11b38c7 100644
--- a/modules/synapse/workspace/.test/managedvnet/main.test.bicep
+++ b/modules/synapse/workspace/.test/managedvnet/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/synapse/workspace/.test/min/main.test.bicep b/modules/synapse/workspace/.test/min/main.test.bicep
index 9354fa703e..66e9c02a88 100644
--- a/modules/synapse/workspace/.test/min/main.test.bicep
+++ b/modules/synapse/workspace/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.synapse.workspaces-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep
index 3844885f12..d3f2bab602 100644
--- a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep
+++ b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep b/modules/virtual-machine-images/image-template/.test/min/main.test.bicep
index 491e1f25c6..ed5cb3f858 100644
--- a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep
+++ b/modules/virtual-machine-images/image-template/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/connection/.test/common/main.test.bicep b/modules/web/connection/.test/common/main.test.bicep
index 73975fe689..28a802c0df 100644
--- a/modules/web/connection/.test/common/main.test.bicep
+++ b/modules/web/connection/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.connections-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/.test/asev2/main.test.bicep
index 144e9687c2..a19d8a4384 100644
--- a/modules/web/hosting-environment/.test/asev2/main.test.bicep
+++ b/modules/web/hosting-environment/.test/asev2/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.hostingenvironments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.hostingenvironments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/.test/asev3/main.test.bicep
index 230dc541a7..e2a1a47b59 100644
--- a/modules/web/hosting-environment/.test/asev3/main.test.bicep
+++ b/modules/web/hosting-environment/.test/asev3/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.hostingenvironments-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.hostingenvironments-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/.test/common/main.test.bicep
index e01036dec7..e9f7a02483 100644
--- a/modules/web/serverfarm/.test/common/main.test.bicep
+++ b/modules/web/serverfarm/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.serverfarms-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep
index 9bebb6ca35..56ecd15412 100644
--- a/modules/web/site/.test/functionAppCommon/main.test.bicep
+++ b/modules/web/site/.test/functionAppCommon/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.sites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/site/.test/functionAppMin/main.test.bicep b/modules/web/site/.test/functionAppMin/main.test.bicep
index 9890f4842f..9fe64f0fdc 100644
--- a/modules/web/site/.test/functionAppMin/main.test.bicep
+++ b/modules/web/site/.test/functionAppMin/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.sites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep
index 93369c3ed2..5ab87a1473 100644
--- a/modules/web/site/.test/webAppCommon/main.test.bicep
+++ b/modules/web/site/.test/webAppCommon/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.sites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/site/.test/webAppMin/main.test.bicep b/modules/web/site/.test/webAppMin/main.test.bicep
index b056ec67eb..1446d9d389 100644
--- a/modules/web/site/.test/webAppMin/main.test.bicep
+++ b/modules/web/site/.test/webAppMin/main.test.bicep
@@ -6,7 +6,7 @@ targetScope = 'subscription'
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.sites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.sites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep
index 7b07cd7f76..356108e612 100644
--- a/modules/web/static-site/.test/common/main.test.bicep
+++ b/modules/web/static-site/.test/common/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with most of its featur
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.staticsites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
diff --git a/modules/web/static-site/.test/min/main.test.bicep b/modules/web/static-site/.test/min/main.test.bicep
index 393f828b3a..9f31a0d7a0 100644
--- a/modules/web/static-site/.test/min/main.test.bicep
+++ b/modules/web/static-site/.test/min/main.test.bicep
@@ -9,7 +9,7 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-param resourceGroupName string = 'ms.web.staticsites-${serviceShort}-rg'
+param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
From 953fc31bf15a3250ce979aa81f8ce5ab4a9f2d6f Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Sun, 22 Oct 2023 23:11:29 +0200 Subject: [PATCH 044/178] [Modules] Migrated batch [2/4] to AVM RBAC (#4126) * Updated templates * Filtered rules & regen templates * Small changes to kvlt * added missing scopes * Refreshed templates * Added missing scope * Refrehsed health api & bot * Updated templates --- .../authorization/role-assignment/main.json | 1196 +---------------- .../.test/linux/main.test.bicep | 1 - .../.bicep/nested_roleAssignments.bicep | 74 - .../domain/.test/common/main.test.bicep | 4 +- modules/event-grid/domain/README.md | 71 +- modules/event-grid/domain/main.bicep | 58 +- modules/event-grid/domain/main.json | 260 ++-- .../.bicep/nested_roleAssignments.bicep | 74 - .../system-topic/.test/common/main.test.bicep | 4 +- modules/event-grid/system-topic/README.md | 71 +- modules/event-grid/system-topic/main.bicep | 58 +- modules/event-grid/system-topic/main.json | 260 ++-- .../topic/.bicep/nested_roleAssignments.bicep | 74 - .../topic/.test/common/main.test.bicep | 4 +- modules/event-grid/topic/README.md | 71 +- modules/event-grid/topic/main.bicep | 58 +- modules/event-grid/topic/main.json | 260 ++-- .../.bicep/nested_roleAssignments.bicep | 73 - .../namespace/.test/common/main.test.bicep | 12 +- modules/event-hub/namespace/README.md | 87 +- .../.bicep/nested_roleAssignments.bicep | 73 - .../event-hub/namespace/eventhub/README.md | 63 +- .../event-hub/namespace/eventhub/main.bicep | 57 +- .../event-hub/namespace/eventhub/main.json | 256 ++-- modules/event-hub/namespace/main.bicep | 57 +- modules/event-hub/namespace/main.json | 514 +++---- .../.bicep/nested_roleAssignments.bicep | 68 - .../health-bot/.test/common/main.test.bicep | 4 +- modules/health-bot/health-bot/README.md | 71 +- modules/health-bot/health-bot/main.bicep | 66 +- modules/health-bot/health-bot/main.json | 240 ++-- .../.bicep/nested_roleAssignments.bicep | 77 -- .../workspace/.test/common/main.test.bicep | 4 +- modules/healthcare-apis/workspace/README.md | 71 +- 
.../.bicep/nested_roleAssignments.bicep | 81 -- .../workspace/fhirservice/README.md | 63 +- .../workspace/fhirservice/main.bicep | 63 +- .../workspace/fhirservice/main.json | 246 ++-- modules/healthcare-apis/workspace/main.bicep | 63 +- modules/healthcare-apis/workspace/main.json | 494 +++---- .../.bicep/nested_roleAssignments.bicep | 198 --- .../action-group/.test/common/main.test.bicep | 5 +- modules/insights/action-group/README.md | 73 +- modules/insights/action-group/main.bicep | 57 +- modules/insights/action-group/main.json | 377 ++---- .../.bicep/nested_roleAssignments.bicep | 198 --- .../.test/common/main.test.bicep | 4 +- modules/insights/activity-log-alert/README.md | 71 +- .../insights/activity-log-alert/main.bicep | 57 +- modules/insights/activity-log-alert/main.json | 377 ++---- .../.bicep/nested_roleAssignments.bicep | 198 --- .../component/.test/common/main.test.bicep | 4 +- modules/insights/component/README.md | 71 +- modules/insights/component/main.bicep | 58 +- modules/insights/component/main.json | 401 ++---- .../.bicep/nested_roleAssignments.bicep | 198 --- .../.test/common/main.test.bicep | 4 +- .../data-collection-endpoint/README.md | 71 +- .../data-collection-endpoint/main.bicep | 54 +- .../data-collection-endpoint/main.json | 360 ++--- .../.bicep/nested_roleAssignments.bicep | 198 --- .../.test/customadv/main.test.bicep | 4 +- .../.test/custombasic/main.test.bicep | 4 +- .../.test/customiis/main.test.bicep | 4 +- .../.test/linux/main.test.bicep | 4 +- .../.test/windows/main.test.bicep | 4 +- .../insights/data-collection-rule/README.md | 103 +- .../insights/data-collection-rule/main.bicep | 54 +- .../insights/data-collection-rule/main.json | 360 ++--- .../.bicep/nested_roleAssignments.bicep | 198 --- .../metric-alert/.test/common/main.test.bicep | 4 +- modules/insights/metric-alert/README.md | 71 +- modules/insights/metric-alert/main.bicep | 57 +- modules/insights/metric-alert/main.json | 377 ++---- .../.bicep/nested_roleAssignments.bicep | 
198 --- .../.test/common/main.test.bicep | 4 +- modules/insights/private-link-scope/README.md | 71 +- .../insights/private-link-scope/main.bicep | 54 +- modules/insights/private-link-scope/main.json | 380 ++---- .../.bicep/nested_roleAssignments.bicep | 198 --- .../.test/common/main.test.bicep | 4 +- .../insights/scheduled-query-rule/README.md | 71 +- .../insights/scheduled-query-rule/main.bicep | 57 +- .../insights/scheduled-query-rule/main.json | 377 ++---- .../.bicep/nested_roleAssignments.bicep | 198 --- modules/insights/webtest/README.md | 63 +- modules/insights/webtest/main.bicep | 54 +- modules/insights/webtest/main.json | 360 ++--- .../vault/.bicep/nested_roleAssignments.bicep | 79 -- .../vault/.test/common/main.test.bicep | 13 +- modules/key-vault/vault/README.md | 87 +- .../key/.bicep/nested_roleAssignments.bicep | 79 -- modules/key-vault/vault/key/README.md | 63 +- modules/key-vault/vault/key/main.bicep | 66 +- modules/key-vault/vault/key/main.json | 276 ++-- modules/key-vault/vault/main.bicep | 63 +- modules/key-vault/vault/main.json | 822 +++++------ .../.bicep/nested_roleAssignments.bicep | 79 -- modules/key-vault/vault/secret/README.md | 63 +- modules/key-vault/vault/secret/main.bicep | 67 +- modules/key-vault/vault/secret/main.json | 276 ++-- .../.bicep/nested_roleAssignments.bicep | 74 - .../workflow/.test/common/main.test.bicep | 4 +- modules/logic/workflow/README.md | 71 +- modules/logic/workflow/main.bicep | 56 +- modules/logic/workflow/main.json | 238 ++-- .../.bicep/nested_roleAssignments.bicep | 73 - .../workspace/.test/common/main.test.bicep | 4 +- .../workspace/README.md | 71 +- .../workspace/main.bicep | 58 +- .../workspace/main.json | 259 ++-- .../.bicep/nested_roleAssignments.bicep | 69 - .../.test/common/main.test.bicep | 4 +- .../maintenance-configuration/README.md | 71 +- .../maintenance-configuration/main.bicep | 55 +- .../maintenance-configuration/main.json | 232 ++-- .../.bicep/nested_roleAssignments.bicep | 70 - 
.../.test/common/main.test.bicep | 4 +- .../user-assigned-identity/README.md | 71 +- .../user-assigned-identity/main.bicep | 72 +- .../user-assigned-identity/main.json | 266 ++-- .../.bicep/nested_roleAssignments.bicep | 68 - .../.test/nfs3/main.test.bicep | 16 +- .../.test/nfs41/main.test.bicep | 16 +- modules/net-app/net-app-account/README.md | 127 +- .../.bicep/nested_roleAssignments.bicep | 68 - .../net-app-account/capacity-pool/README.md | 63 +- .../net-app-account/capacity-pool/main.bicep | 57 +- .../net-app-account/capacity-pool/main.json | 546 ++++---- .../.bicep/nested_roleAssignments.bicep | 68 - .../capacity-pool/volume/README.md | 63 +- .../capacity-pool/volume/main.bicep | 57 +- .../capacity-pool/volume/main.json | 267 ++-- modules/net-app/net-app-account/main.bicep | 54 +- modules/net-app/net-app-account/main.json | 776 +++++------ 135 files changed, 6569 insertions(+), 11300 deletions(-) delete mode 100644 modules/event-grid/domain/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/event-grid/system-topic/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/event-grid/topic/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/health-bot/health-bot/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/healthcare-apis/workspace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/healthcare-apis/workspace/fhirservice/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/action-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/activity-log-alert/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/component/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/data-collection-endpoint/.bicep/nested_roleAssignments.bicep delete mode 100644 
modules/insights/data-collection-rule/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/metric-alert/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/private-link-scope/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/scheduled-query-rule/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/insights/webtest/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/key-vault/vault/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/key-vault/vault/key/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/key-vault/vault/secret/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/logic/workflow/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/machine-learning-services/workspace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/maintenance/maintenance-configuration/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/managed-identity/user-assigned-identity/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/net-app/net-app-account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/net-app/net-app-account/capacity-pool/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/net-app/net-app-account/capacity-pool/volume/.bicep/nested_roleAssignments.bicep diff --git a/modules/authorization/role-assignment/main.json b/modules/authorization/role-assignment/main.json index 0cf8880ab7..74220f8e48 100644 --- a/modules/authorization/role-assignment/main.json +++ b/modules/authorization/role-assignment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "807341397297135440" + "templateHash": "12927302280582111720" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", 
@@ -168,7 +168,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3058280694250439865" + "templateHash": "8641191964516032264" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", 
@@ -257,403 +257,11 @@ }, "variables": { "builtInRoleNames": { - "Access Review Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475", - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "AgFood Platform Sensor Partner Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", - "AgFood Platform Service Admin": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", - "AgFood Platform Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", - "AgFood Platform Service Reader": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", - "AnyBuild Builder": "/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8", - "API Management Developer Portal Content Editor": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": 
"/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", - "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Autonomous Development Platform Data Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795", - "Autonomous Development Platform Data Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d", - "Autonomous Development Platform Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093", - "Avere Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Arc Enabled Kubernetes Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", - "Azure Arc Kubernetes Admin": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", - "Azure Arc Kubernetes Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", - "Azure Arc Kubernetes Viewer": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", - "Azure Arc Kubernetes Writer": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", - "Azure Arc ScVmm Administrator role": "/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87", - "Azure Arc ScVmm Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda", - "Azure Arc ScVmm Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9", - "Azure Arc ScVmm VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b", - "Azure Arc VMware Administrator role ": "/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f", - "Azure Arc VMware Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83", - "Azure Arc VMware Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa", - "Azure Arc VMware VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", - "Azure Center for SAP solutions administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", - "Azure Center for SAP solutions Management role": "/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310", - "Azure Center for SAP solutions reader": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b", - "Azure Center for SAP solutions service role": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138", - "Azure Center for SAP solutions Service role for management": "/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Connected Machine Resource Manager": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", - "Azure Connected SQL Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", - "Azure Digital Twins Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Extension for SQL Server Deployment": "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d", - "Azure Front Door 
Domain Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", - "Azure Front Door Domain Reader": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", - "Azure Front Door Secret Contributor": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", - "Azure Front Door Secret Reader": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", - "Azure Kubernetes Fleet Manager Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf", - "Azure Kubernetes Fleet Manager RBAC Admin": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", - "Azure Kubernetes Fleet Manager RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", - "Azure Kubernetes Fleet Manager RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster Monitoring User": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Kubernetes Service Policy Add-on Deployment": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "Azure Kubernetes Service RBAC Admin": 
"/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", - "Azure Kubernetes Service RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", - "Azure Kubernetes Service RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", - "Azure Kubernetes Service RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", - "Azure Maps Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb", - "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Maps Search and Render Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005", - "Azure Relay Listener": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", - "Azure Relay Owner": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", - "Azure Relay Sender": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Spring Apps Connect Role": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b", - "Azure Spring Apps Remote Debugging Role": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054", - "Azure Spring 
Cloud Config Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", - "Azure Spring Cloud Config Server Reader": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", - "Azure Spring Cloud Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", - "Azure Spring Cloud Service Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", - "Azure Spring Cloud Service Registry Reader": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", - "Azure Stack HCI registration role": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Azure Traffic Controller Configuration Manager": "/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1", - "Azure Usage Billing Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6", - "Azure VM Managed identities restore Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd", - "AzureML Compute Operator": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", - "AzureML Data Scientist": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", - "AzureML Metrics Writer (preview)": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", - "AzureML Registry User": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Bayer Ag Powered Services CWUM Solution User Role": "/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa", - "Bayer Ag Powered Services GDU Solution": "/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042", - "Bayer Ag Powered Services Imagery Solution": "/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Chamber Admin": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", - "Chamber User": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", - "Classic Network Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Code Signing Certificate Profile Signer": "/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958", - "Code Signing Identity Verifier": "/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services Face Recognizer": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", - "Cognitive Services 
Immersive Reader User": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", - "Cognitive Services Language Owner": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", - "Cognitive Services Language Reader": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", - "Cognitive Services Language Writer": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", - "Cognitive Services LUIS Owner": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", - "Cognitive Services LUIS Reader": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", - "Cognitive Services LUIS Writer": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", - "Cognitive Services Metrics Advisor Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "Cognitive Services Metrics Advisor User": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", - "Cognitive Services OpenAI Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "Cognitive Services OpenAI User": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services Speech Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", - "Cognitive Services Speech User": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", - "Cognitive Services User": 
"/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Collaborative Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352", - "Collaborative Runtime Operator": "/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102", - "Compute Gallery Sharing Admin": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b", - "ContainerApp Reader": "/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b", "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "CosmosRestoreOperator": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Labeling - Labeler": "/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab", - "Data Lake Analytics Developer": 
"/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Operator for Managed Disks": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", - "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Deployment Environments User": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", - "Desktop Virtualization Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", - "Desktop Virtualization Application Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", - "Desktop Virtualization Contributor": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", - "Desktop Virtualization Host Pool Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", - "Desktop Virtualization Host Pool Reader": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", - "Desktop Virtualization Power On Contributor": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", - "Desktop Virtualization Power On Off Contributor": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", - "Desktop Virtualization Reader": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", - "Desktop Virtualization Session Host Operator": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", - "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "Desktop Virtualization User Session Operator": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", - "Desktop Virtualization 
Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", - "Desktop Virtualization Workspace Contributor": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", - "Desktop Virtualization Workspace Reader": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", - "DevCenter Dev Box User": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", - "DevCenter Project Admin": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", - "Device Provisioning Service Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", - "Device Provisioning Service Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", - "Device Update Administrator": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", - "Device Update Content Administrator": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", - "Device Update Content Reader": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", - "Device Update Deployments Administrator": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", - "Device Update Deployments Reader": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", - "Device Update Reader": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DICOM Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", - "DICOM Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", - "Disk Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", - "Disk Pool Operator": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", - "Disk Restore Operator": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", - "Disk Snapshot Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", - "DNS Resolver Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", - "Domain Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", - "Elastic SAN Owner": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", - "Elastic SAN Reader": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", - "Elastic SAN Volume Group Owner": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", - "EventGrid Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", - "EventGrid Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Metric Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Converter": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Importer": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "FHIR SMART User": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", - "Grafana Admin": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", - "Grafana Editor": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", - "Grafana Viewer": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "Guest Configuration Resource Contributor": "/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31", - "HDInsight Cluster 
Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Impact Reader": "/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e", - "Impact Reporter": "/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "IoT Hub Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", - "IoT Hub Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", - "IoT Hub Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", - "IoT Hub Twin Contributor": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", - "Key Vault Administrator": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", - "Key Vault Certificates Officer": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", - "Key Vault 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Key Vault Crypto Officer": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", - "Key Vault Crypto Service Encryption User": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", - "Key Vault Crypto User": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", - "Key Vault Reader": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", - "Key Vault Secrets Officer": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", - "Key Vault Secrets User": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Agentless Operator": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Kubernetes Extension Contributor": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", - "Kubernetes Namespace User": "/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a", - "Lab Assistant": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", - "Lab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Lab Operator": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", - "Lab Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", - "Lab Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", - "Load Test Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", - "Load Test Owner": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", - "Load Test Reader": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", - "LocalNGFirewallAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2", - "LocalRulestacksAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed HSM contributor": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete Role": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Media Services Account Administrator": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", - "Media Services Live Events Administrator": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", - "Media Services Media Operator": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", - "Media Services Policy Administrator": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", - "Media Services Streaming Endpoints Administrator": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", - "Microsoft Sentinel Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", - "Microsoft Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Microsoft Sentinel Playbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", - "Microsoft Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Microsoft Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Microsoft.Kubernetes connected cluster role": "/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f", - "Monitoring Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "MySQL Backup And Export Operator": "/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b", - "Object Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Object Understanding Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6", "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "PlayFab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726", - "PlayFab Reader": "/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Project Babylon Data Curator": 
"/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889", - "Project Babylon Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446", - "Project Babylon Data Source Administrator": "/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f", - "Purview role 1 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347", - "Purview role 2 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803", - "Purview role 3 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db", - "Quota Request Operator": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Reservation Purchaser": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", - "Scheduled Patching Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6", - "Scheduler Job Collections Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Schema Registry Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", - "Schema Registry Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", - "Search Index Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "Search Index Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Detonation Chamber Publisher": "/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500", - "Security Detonation Chamber Reader": "/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5", - "Security Detonation Chamber Submission Manager": "/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce", - "Security Detonation Chamber Submitter": "/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "Services Hub Operator": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR App 
Server": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", - "SignalR REST API Owner": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", - "SignalR REST API Reader": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", - "SignalR Service Owner": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", - "SignalR/Web PubSub Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "SqlDb Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57", - "SqlMI Migration Role": 
"/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872", - "SqlVM Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d", - "Storage Account Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Storage Table Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", - "Storage Table Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", - "Stream Analytics Query Tester": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Template Spec Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", - "Template Spec Reader": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", - "Test Base Reader": "/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Video Indexer Restricted Viewer": "/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine Local User Login": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "VM Scanner Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Web PubSub Service Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4", - "Web PubSub Service Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Windows Admin Center Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d", - "WorkloadBuilder Migration Agent Role": "/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c" + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" }, "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" }, @@ -757,7 +365,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1741591761510469286" + "templateHash": "4188885227036067326" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", 
@@ -846,403 +454,11 @@ }, "variables": { "builtInRoleNames": { - "Access Review Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475", - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "AgFood Platform Sensor Partner Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", - "AgFood Platform Service Admin": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", - "AgFood Platform Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", - "AgFood Platform Service Reader": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", - "AnyBuild Builder": "/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8", - "API Management Developer Portal Content Editor": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": 
"/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", - "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Autonomous Development Platform Data Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795", - "Autonomous Development Platform Data Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d", - "Autonomous Development Platform Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093", - "Avere Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Arc Enabled Kubernetes Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", - "Azure Arc Kubernetes Admin": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", - "Azure Arc Kubernetes Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", - "Azure Arc Kubernetes Viewer": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", - "Azure Arc Kubernetes Writer": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", - "Azure Arc ScVmm Administrator role": "/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87", - "Azure Arc ScVmm Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda", - "Azure Arc ScVmm Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9", - "Azure Arc ScVmm VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b", - "Azure Arc VMware Administrator role ": "/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f", - "Azure Arc VMware Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83", - "Azure Arc VMware Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa", - "Azure Arc VMware VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", - "Azure Center for SAP solutions administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", - "Azure Center for SAP solutions Management role": "/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310", - "Azure Center for SAP solutions reader": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b", - "Azure Center for SAP solutions service role": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138", - "Azure Center for SAP solutions Service role for management": "/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Connected Machine Resource Manager": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", - "Azure Connected SQL Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", - "Azure Digital Twins Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Extension for SQL Server Deployment": "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d", - "Azure Front Door 
Domain Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", - "Azure Front Door Domain Reader": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", - "Azure Front Door Secret Contributor": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", - "Azure Front Door Secret Reader": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", - "Azure Kubernetes Fleet Manager Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf", - "Azure Kubernetes Fleet Manager RBAC Admin": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", - "Azure Kubernetes Fleet Manager RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", - "Azure Kubernetes Fleet Manager RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster Monitoring User": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Kubernetes Service Policy Add-on Deployment": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "Azure Kubernetes Service RBAC Admin": 
"/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", - "Azure Kubernetes Service RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", - "Azure Kubernetes Service RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", - "Azure Kubernetes Service RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", - "Azure Maps Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb", - "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Maps Search and Render Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005", - "Azure Relay Listener": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", - "Azure Relay Owner": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", - "Azure Relay Sender": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Spring Apps Connect Role": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b", - "Azure Spring Apps Remote Debugging Role": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054", - "Azure Spring 
Cloud Config Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", - "Azure Spring Cloud Config Server Reader": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", - "Azure Spring Cloud Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", - "Azure Spring Cloud Service Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", - "Azure Spring Cloud Service Registry Reader": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", - "Azure Stack HCI registration role": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Azure Traffic Controller Configuration Manager": "/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1", - "Azure Usage Billing Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6", - "Azure VM Managed identities restore Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd", - "AzureML Compute Operator": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", - "AzureML Data Scientist": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", - "AzureML Metrics Writer (preview)": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", - "AzureML Registry User": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Bayer Ag Powered Services CWUM Solution User Role": "/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa", - "Bayer Ag Powered Services GDU Solution": "/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042", - "Bayer Ag Powered Services Imagery Solution": "/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Chamber Admin": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", - "Chamber User": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", - "Classic Network Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Code Signing Certificate Profile Signer": "/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958", - "Code Signing Identity Verifier": "/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services Face Recognizer": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", - "Cognitive Services 
Immersive Reader User": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", - "Cognitive Services Language Owner": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", - "Cognitive Services Language Reader": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", - "Cognitive Services Language Writer": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", - "Cognitive Services LUIS Owner": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", - "Cognitive Services LUIS Reader": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", - "Cognitive Services LUIS Writer": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", - "Cognitive Services Metrics Advisor Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "Cognitive Services Metrics Advisor User": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", - "Cognitive Services OpenAI Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "Cognitive Services OpenAI User": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services Speech Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", - "Cognitive Services Speech User": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", - "Cognitive Services User": 
"/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Collaborative Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352", - "Collaborative Runtime Operator": "/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102", - "Compute Gallery Sharing Admin": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b", - "ContainerApp Reader": "/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b", "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "CosmosRestoreOperator": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Labeling - Labeler": "/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab", - "Data Lake Analytics Developer": 
"/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Operator for Managed Disks": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", - "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Deployment Environments User": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", - "Desktop Virtualization Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", - "Desktop Virtualization Application Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", - "Desktop Virtualization Contributor": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", - "Desktop Virtualization Host Pool Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", - "Desktop Virtualization Host Pool Reader": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", - "Desktop Virtualization Power On Contributor": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", - "Desktop Virtualization Power On Off Contributor": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", - "Desktop Virtualization Reader": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", - "Desktop Virtualization Session Host Operator": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", - "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "Desktop Virtualization User Session Operator": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", - "Desktop Virtualization 
Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", - "Desktop Virtualization Workspace Contributor": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", - "Desktop Virtualization Workspace Reader": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", - "DevCenter Dev Box User": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", - "DevCenter Project Admin": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", - "Device Provisioning Service Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", - "Device Provisioning Service Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", - "Device Update Administrator": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", - "Device Update Content Administrator": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", - "Device Update Content Reader": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", - "Device Update Deployments Administrator": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", - "Device Update Deployments Reader": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", - "Device Update Reader": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DICOM Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", - "DICOM Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", - "Disk Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", - "Disk Pool Operator": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", - "Disk Restore Operator": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", - "Disk Snapshot Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", - "DNS Resolver Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", - "Domain Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", - "Elastic SAN Owner": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", - "Elastic SAN Reader": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", - "Elastic SAN Volume Group Owner": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", - "EventGrid Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", - "EventGrid Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Metric Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Converter": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Importer": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "FHIR SMART User": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", - "Grafana Admin": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", - "Grafana Editor": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", - "Grafana Viewer": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "Guest Configuration Resource Contributor": "/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31", - "HDInsight Cluster 
Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Impact Reader": "/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e", - "Impact Reporter": "/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "IoT Hub Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", - "IoT Hub Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", - "IoT Hub Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", - "IoT Hub Twin Contributor": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", - "Key Vault Administrator": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", - "Key Vault Certificates Officer": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", - "Key Vault 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Key Vault Crypto Officer": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", - "Key Vault Crypto Service Encryption User": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", - "Key Vault Crypto User": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", - "Key Vault Reader": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", - "Key Vault Secrets Officer": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", - "Key Vault Secrets User": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Agentless Operator": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Kubernetes Extension Contributor": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", - "Kubernetes Namespace User": "/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a", - "Lab Assistant": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", - "Lab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Lab Operator": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", - "Lab Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", - "Lab Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", - "Load Test Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", - "Load Test Owner": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", - "Load Test Reader": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", - "LocalNGFirewallAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2", - "LocalRulestacksAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed HSM contributor": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete Role": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Media Services Account Administrator": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", - "Media Services Live Events Administrator": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", - "Media Services Media Operator": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", - "Media Services Policy Administrator": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", - "Media Services Streaming Endpoints Administrator": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", - "Microsoft Sentinel Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", - "Microsoft Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Microsoft Sentinel Playbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", - "Microsoft Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Microsoft Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Microsoft.Kubernetes connected cluster role": "/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f", - "Monitoring Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "MySQL Backup And Export Operator": "/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b", - "Object Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Object Understanding Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6", "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "PlayFab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726", - "PlayFab Reader": "/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Project Babylon Data Curator": 
"/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889", - "Project Babylon Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446", - "Project Babylon Data Source Administrator": "/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f", - "Purview role 1 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347", - "Purview role 2 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803", - "Purview role 3 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db", - "Quota Request Operator": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Reservation Purchaser": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", - "Scheduled Patching Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6", - "Scheduler Job Collections Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Schema Registry Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", - "Schema Registry Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", - "Search Index Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "Search Index Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Detonation Chamber Publisher": "/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500", - "Security Detonation Chamber Reader": "/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5", - "Security Detonation Chamber Submission Manager": "/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce", - "Security Detonation Chamber Submitter": "/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "Services Hub Operator": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR App 
Server": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", - "SignalR REST API Owner": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", - "SignalR REST API Reader": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", - "SignalR Service Owner": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", - "SignalR/Web PubSub Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "SqlDb Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57", - "SqlMI Migration Role": 
"/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872", - "SqlVM Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d", - "Storage Account Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Storage Table Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", - "Storage Table Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", - "Stream Analytics Query Tester": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Template Spec Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", - "Template Spec Reader": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", - "Test Base Reader": "/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Video Indexer Restricted Viewer": "/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine Local User Login": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "VM Scanner Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Web PubSub Service Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4", - "Web PubSub Service Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Windows Admin Center Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d", - "WorkloadBuilder Migration Agent Role": "/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c" + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" }, "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" }, @@ -1346,7 +562,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13714993030578518060" + "templateHash": "2647750743416719652" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", 
@@ -1435,403 +651,11 @@ }, "variables": { "builtInRoleNames": { - "Access Review Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475", - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "AgFood Platform Sensor Partner Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", - "AgFood Platform Service Admin": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", - "AgFood Platform Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", - "AgFood Platform Service Reader": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", - "AnyBuild Builder": "/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8", - "API Management Developer Portal Content Editor": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": 
"/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", - "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Autonomous Development Platform Data Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795", - "Autonomous Development Platform Data Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d", - "Autonomous Development Platform Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093", - "Avere Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Arc Enabled Kubernetes Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", - "Azure Arc Kubernetes Admin": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", - "Azure Arc Kubernetes Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", - "Azure Arc Kubernetes Viewer": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", - "Azure Arc Kubernetes Writer": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", - "Azure Arc ScVmm Administrator role": "/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87", - "Azure Arc ScVmm Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda", - "Azure Arc ScVmm Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9", - "Azure Arc ScVmm VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b", - "Azure Arc VMware Administrator role ": "/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f", - "Azure Arc VMware Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83", - "Azure Arc VMware Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa", - "Azure Arc VMware VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", - "Azure Center for SAP solutions administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", - "Azure Center for SAP solutions Management role": "/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310", - "Azure Center for SAP solutions reader": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b", - "Azure Center for SAP solutions service role": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138", - "Azure Center for SAP solutions Service role for management": "/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Connected Machine Resource Manager": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", - "Azure Connected SQL Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", - "Azure Digital Twins Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Extension for SQL Server Deployment": "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d", - "Azure Front Door 
Domain Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", - "Azure Front Door Domain Reader": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", - "Azure Front Door Secret Contributor": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", - "Azure Front Door Secret Reader": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", - "Azure Kubernetes Fleet Manager Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf", - "Azure Kubernetes Fleet Manager RBAC Admin": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", - "Azure Kubernetes Fleet Manager RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", - "Azure Kubernetes Fleet Manager RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster Monitoring User": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Kubernetes Service Policy Add-on Deployment": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "Azure Kubernetes Service RBAC Admin": 
"/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", - "Azure Kubernetes Service RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", - "Azure Kubernetes Service RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", - "Azure Kubernetes Service RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", - "Azure Maps Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb", - "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Maps Search and Render Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005", - "Azure Relay Listener": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", - "Azure Relay Owner": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", - "Azure Relay Sender": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Spring Apps Connect Role": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b", - "Azure Spring Apps Remote Debugging Role": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054", - "Azure Spring 
Cloud Config Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", - "Azure Spring Cloud Config Server Reader": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", - "Azure Spring Cloud Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", - "Azure Spring Cloud Service Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", - "Azure Spring Cloud Service Registry Reader": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", - "Azure Stack HCI registration role": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Azure Traffic Controller Configuration Manager": "/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1", - "Azure Usage Billing Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6", - "Azure VM Managed identities restore Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd", - "AzureML Compute Operator": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", - "AzureML Data Scientist": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", - "AzureML Metrics Writer (preview)": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", - "AzureML Registry User": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Bayer Ag Powered Services CWUM Solution User Role": "/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa", - "Bayer Ag Powered Services GDU Solution": "/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042", - "Bayer Ag Powered Services Imagery Solution": "/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Chamber Admin": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", - "Chamber User": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", - "Classic Network Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Code Signing Certificate Profile Signer": "/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958", - "Code Signing Identity Verifier": "/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services Face Recognizer": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", - "Cognitive Services 
Immersive Reader User": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", - "Cognitive Services Language Owner": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", - "Cognitive Services Language Reader": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", - "Cognitive Services Language Writer": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", - "Cognitive Services LUIS Owner": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", - "Cognitive Services LUIS Reader": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", - "Cognitive Services LUIS Writer": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", - "Cognitive Services Metrics Advisor Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "Cognitive Services Metrics Advisor User": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", - "Cognitive Services OpenAI Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "Cognitive Services OpenAI User": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services Speech Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", - "Cognitive Services Speech User": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", - "Cognitive Services User": 
"/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Collaborative Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352", - "Collaborative Runtime Operator": "/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102", - "Compute Gallery Sharing Admin": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b", - "ContainerApp Reader": "/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b", "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "CosmosRestoreOperator": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Labeling - Labeler": "/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab", - "Data Lake Analytics Developer": 
"/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Operator for Managed Disks": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", - "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Deployment Environments User": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", - "Desktop Virtualization Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", - "Desktop Virtualization Application Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", - "Desktop Virtualization Contributor": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", - "Desktop Virtualization Host Pool Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", - "Desktop Virtualization Host Pool Reader": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", - "Desktop Virtualization Power On Contributor": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", - "Desktop Virtualization Power On Off Contributor": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", - "Desktop Virtualization Reader": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", - "Desktop Virtualization Session Host Operator": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", - "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "Desktop Virtualization User Session Operator": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", - "Desktop Virtualization 
Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", - "Desktop Virtualization Workspace Contributor": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", - "Desktop Virtualization Workspace Reader": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", - "DevCenter Dev Box User": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", - "DevCenter Project Admin": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", - "Device Provisioning Service Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", - "Device Provisioning Service Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", - "Device Update Administrator": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", - "Device Update Content Administrator": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", - "Device Update Content Reader": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", - "Device Update Deployments Administrator": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", - "Device Update Deployments Reader": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", - "Device Update Reader": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DICOM Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", - "DICOM Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", - "Disk Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", - "Disk Pool Operator": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", - "Disk Restore Operator": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", - "Disk Snapshot Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", - "DNS Resolver Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", - "Domain Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", - "Elastic SAN Owner": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", - "Elastic SAN Reader": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", - "Elastic SAN Volume Group Owner": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", - "EventGrid Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", - "EventGrid Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Metric Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Converter": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Importer": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "FHIR SMART User": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", - "Grafana Admin": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", - "Grafana Editor": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", - "Grafana Viewer": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "Guest Configuration Resource Contributor": "/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31", - "HDInsight Cluster 
Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Impact Reader": "/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e", - "Impact Reporter": "/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "IoT Hub Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", - "IoT Hub Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", - "IoT Hub Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", - "IoT Hub Twin Contributor": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", - "Key Vault Administrator": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", - "Key Vault Certificates Officer": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", - "Key Vault 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Key Vault Crypto Officer": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", - "Key Vault Crypto Service Encryption User": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", - "Key Vault Crypto User": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", - "Key Vault Reader": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", - "Key Vault Secrets Officer": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", - "Key Vault Secrets User": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Agentless Operator": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Kubernetes Extension Contributor": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", - "Kubernetes Namespace User": "/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a", - "Lab Assistant": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", - "Lab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Lab Operator": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", - "Lab Services Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", - "Lab Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", - "Load Test Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", - "Load Test Owner": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", - "Load Test Reader": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", - "LocalNGFirewallAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2", - "LocalRulestacksAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed HSM contributor": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete Role": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Media Services Account Administrator": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", - "Media Services Live Events Administrator": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", - "Media Services Media Operator": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", - "Media Services Policy Administrator": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", - "Media Services Streaming Endpoints Administrator": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", - "Microsoft Sentinel Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", - "Microsoft Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Microsoft Sentinel Playbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", - "Microsoft Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Microsoft Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Microsoft.Kubernetes connected cluster role": "/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f", - "Monitoring Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "MySQL Backup And Export Operator": "/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b", - "Object Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Object Understanding Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6", "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "PlayFab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726", - "PlayFab Reader": "/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Project Babylon Data Curator": 
"/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889", - "Project Babylon Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446", - "Project Babylon Data Source Administrator": "/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f", - "Purview role 1 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347", - "Purview role 2 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803", - "Purview role 3 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db", - "Quota Request Operator": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Reservation Purchaser": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", - "Scheduled Patching Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6", - "Scheduler Job Collections Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Schema Registry Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", - "Schema Registry Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", - "Search Index Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "Search Index Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Detonation Chamber Publisher": "/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500", - "Security Detonation Chamber Reader": "/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5", - "Security Detonation Chamber Submission Manager": "/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce", - "Security Detonation Chamber Submitter": "/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "Services Hub Operator": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR App 
Server": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", - "SignalR REST API Owner": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", - "SignalR REST API Reader": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", - "SignalR Service Owner": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", - "SignalR/Web PubSub Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "SqlDb Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57", - "SqlMI Migration Role": 
"/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872", - "SqlVM Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d", - "Storage Account Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Storage Table Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", - "Storage Table Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", - "Stream Analytics Query Tester": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Template Spec Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", - "Template Spec Reader": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", - "Test Base Reader": "/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Video Indexer Restricted Viewer": "/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine Local User Login": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "VM Scanner Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Web PubSub Service Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4", - "Web PubSub Service Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Windows Admin Center Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d", - "WorkloadBuilder Migration Agent Role": "/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c" + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" }, "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" }, diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep index ba5c8f714f..66f46a1038 100644 --- a/modules/compute/virtual-machine/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep 
@@ -261,7 +261,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/event-grid/domain/.bicep/nested_roleAssignments.bicep b/modules/event-grid/domain/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 24298f3f65..0000000000 --- a/modules/event-grid/domain/.bicep/nested_roleAssignments.bicep +++ /dev/null 
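Review bot: With `principalType: 'ServicePrincipal'` gone, the remaining role assignment in this test targets a managed identity that is created in the same deployment (`nestedDependencies.outputs.managedIdentityPrincipalId`), which is exactly the case where Azure's role-assignment guidance asks for an explicit principalType to avoid the PrincipalNotFound replication race for newly created service principals. If the omission is deliberate (to exercise the module's nullable default), say so in the test, e.g. `// principalType intentionally omitted to cover the nullable default`; otherwise keep the property. The enclosing `testDeployment` module body starts and ends outside the hunk.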
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource domain 'Microsoft.EventGrid/domains@2022-06-15' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(domain.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: domain -}] diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep index c823327b94..da1d56564a 100644 --- a/modules/event-grid/domain/.test/common/main.test.bicep +++ b/modules/event-grid/domain/.test/common/main.test.bicep 
@@ -98,9 +98,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index f384027758..987ecbd5b0 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -81,9 +81,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -165,9 +163,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -498,7 +494,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep index 3a3c6dbf0f..705dad53d0 100644 --- a/modules/event-grid/domain/main.bicep +++ b/modules/event-grid/domain/main.bicep 
@@ -41,7 +41,7 @@ param diagnosticEventHubName string = '' param privateEndpoints array = [] @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -97,6 +97,18 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') + 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') + 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
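Review bot: The new `builtInRoleNames` map resolves fewer display names than the nested template this commit deletes (`.bicep/nested_roleAssignments.bicep` earlier in the diff still listed `Data Factory Contributor`, `Key Vault Crypto Service Encryption User`, `Log Analytics Contributor`/`Reader`, the `Managed Application*` roles, `Monitoring Contributor`/`Reader` and `Resource Policy Contributor`). Because the `domain_roleAssignments` resource passes any unresolved name through as the `roleDefinitionId`, a caller still using one of those names will now fail at deployment time instead of getting a resolved role. This looks like an intentional trim to Event Grid–relevant roles; if so it is a breaking change that deserves a README/changelog entry, and a short comment on the variable would help, e.g. `// Only these display names are resolved; anything else must be a fully qualified role definition resource ID`. The variable definition is complete within the hunk.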
@@ -177,17 +189,18 @@ module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo } }] -module domain_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-Domain-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: domain.id +resource domain_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(domain.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: domain }] @description('The name of the event grid domain.') 
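Review bot: The `conditionVersion` line carries a typo in its comment (`condtion`); it should read `// Must only be set if condition is set`. The `roleDefinitionId` fallback silently forwards any unknown `roleDefinitionIdOrName`, so a bare role-definition GUID without the `/providers/Microsoft.Authorization/roleDefinitions/` prefix the parameter description asks for is only rejected at deployment time; a why-comment such as `// Unknown names are passed through unchanged and must already be a fully qualified role definition resource ID` would make the contract visible. Note also that the assignment `name` is a `guid()` of the caller's spelling of the role rather than the resolved ID, so the same role supplied once by display name and once by ID produces two differently named assignments that the service presumably treats as duplicates; the naming is kept from the old nested template for idempotency, which is worth stating in a comment. The resource declaration is complete within the hunk.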
@@ -213,3 +226,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index 182826febc..b9500a20b8 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17128943362553592156" + "templateHash": "5102513293970152919" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", 
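Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` is redundant, since the trailing `?` already makes the member nullable and the sibling optional members rely on `?` alone; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the style consistent. The `condition` description is also the only one in the type that ends without a period, which shows up verbatim in the generated README table later in the diff. The type declaration is complete within the hunk.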
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -122,8 +188,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -211,7 +276,18 @@ } ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", + "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", + "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -273,6 +349,28 @@ "domain" ] }, + "domain_roleAssignments": { + "copy": { + "name": "domain_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventGrid/domains', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "domain" + ] + }, "domain_topics": { "copy": { "name": "domain_topics", 
@@ -919,160 +1017,6 @@ "dependsOn": [ "domain" ] - }, - "domain_roleAssignments": { - "copy": { - "name": "domain_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Domain-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1659842695042016822" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/domains/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.EventGrid/domains', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), 
null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "domain" - ] } }, "outputs": { diff --git a/modules/event-grid/system-topic/.bicep/nested_roleAssignments.bicep b/modules/event-grid/system-topic/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 0c5e1742a5..0000000000 --- a/modules/event-grid/system-topic/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(systemTopic.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: systemTopic -}] diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep index 94540717ab..ae009c0082 100644 --- a/modules/event-grid/system-topic/.test/common/main.test.bicep +++ b/modules/event-grid/system-topic/.test/common/main.test.bicep 
@@ -103,9 +103,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index e70f28338f..d782afe5a1 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -84,9 +84,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -173,9 +171,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -392,7 +388,68 @@ The name of the Event Grid Topic. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `source` diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep index f9795708b8..532641bb41 100644 --- a/modules/event-grid/system-topic/main.bicep +++ b/modules/event-grid/system-topic/main.bicep 
@@ -30,7 +30,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -93,6 +93,18 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
   enabled: true
 }]
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
+  'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
+  'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')
+  'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
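Review bot: The new `builtInRoleNames` map resolves only nine display names, whereas the nested_roleAssignments template this commit deletes resolved nineteen, including 'Data Factory Contributor', 'Key Vault Crypto Service Encryption User', the 'Log Analytics', 'Managed Application' and 'Monitoring' roles and 'Resource Policy Contributor'. A caller that still passes one of the dropped names no longer matches the `contains()` check in the role assignment resource that follows, and the display name is forwarded verbatim as `roleDefinitionId`, which will presumably be rejected at deployment time rather than at validation. Trimming the map to roles that apply to a system topic is reasonable, but it is a behaviour change callers can hit silently, so I would document it above the map, e.g. `// Only roles applicable to a system topic are resolved by display name; any other value must be a full role definition resource ID`, and call it out as a breaking change in the module's changelog.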
@@ -158,17 +170,18 @@ resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2
   scope: systemTopic
 }
 
-module systemTopic_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: systemTopic.id
+resource systemTopic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(systemTopic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: systemTopic
 }]
 
 @description('The name of the event grid system topic.')
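Review bot: `name: guid(systemTopic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller-supplied string rather than the resolved role, so the same role passed once as a display name and once as its full definition ID (both forms the parameter description allows) yields two different resource names for one logical assignment; as far as I know ARM then rejects the second deployment with a role-assignment-exists conflict instead of treating it as idempotent. Hashing the resolved ID keeps the name stable for both spellings: `name: guid(systemTopic.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Separately, the trailing comment on the `conditionVersion` line misspells the property it refers to; `// Must only be set if condition is set`.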
@@ -197,3 +210,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json
index 56564d3be1..0b8683dd98 100644
--- a/modules/event-grid/system-topic/main.json
+++ b/modules/event-grid/system-topic/main.json
@@ -6,7 +6,7 @@
       "_generator": {
         "name": "bicep",
         "version": "0.22.6.54827",
-        "templateHash": "5976620650016374171"
+        "templateHash": "14004525159573490649"
       },
       "name": "Event Grid System Topics",
       "description": "This module deploys an Event Grid System Topic.",
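Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and also marks the property nullable with `?`, which is inconsistent with `lockType.kind` in the context lines of this same hunk, where `?` alone carries the nullability; the compiled main.json in this commit emits `"nullable": true` with an `allowedValues` list that does not contain null, so the literal appears to add nothing. I would write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` so the two user-defined types in this file follow one convention. The `condition` description is also the only one in the type without a terminating period, and that inconsistency is carried into the generated README table.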
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -101,8 +167,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -197,7 +262,18 @@ ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", + "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", + "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -258,6 +334,28 @@ "systemTopic" ] }, + "systemTopic_roleAssignments": { + "copy": { + "name": "systemTopic_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventGrid/systemTopics', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "systemTopic" + ] + }, "systemTopics_eventSubscriptions": { "copy": { "name": 
"systemTopics_eventSubscriptions", 
@@ -468,160 +566,6 @@ "dependsOn": [ "systemTopic" ] - }, - "systemTopic_roleAssignments": { - "copy": { - "name": "systemTopic_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EventGrid-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventGrid/systemTopics', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12562324298360461829" - } - }, - "parameters": { 
- "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.EventGrid/systemTopics', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), 
null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "systemTopic" - ] } }, "outputs": { diff --git a/modules/event-grid/topic/.bicep/nested_roleAssignments.bicep b/modules/event-grid/topic/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 8d9f2d8716..0000000000 --- a/modules/event-grid/topic/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(eventGrid.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: eventGrid -}] diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep index a8b73d8fb5..379c92f7f5 100644 --- a/modules/event-grid/topic/.test/common/main.test.bicep +++ b/modules/event-grid/topic/.test/common/main.test.bicep 
@@ -122,9 +122,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index ce94a6b52d..ea41b5b492 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -105,9 +105,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -212,9 +210,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -531,7 +527,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep index 2ad0af32b8..f0ee5f204b 100644 --- a/modules/event-grid/topic/main.bicep +++ b/modules/event-grid/topic/main.bicep 
@@ -38,7 +38,7 @@ param diagnosticEventHubName string = '' param privateEndpoints array = [] @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -91,6 +91,18 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') + 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') + 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
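Review bot: The inlined `builtInRoleNames` map is smaller than the one in the nested module this commit deletes — 'Data Factory Contributor', 'Key Vault Crypto Service Encryption User', 'Log Analytics Contributor'/'Reader', the 'Managed Application*' roles, 'Monitoring Contributor'/'Reader' and 'Resource Policy Contributor' are gone — so a caller that previously passed one of those display names now has the literal string forwarded as `roleDefinitionId` and fails at deploy time. If the trim is intentional it is a breaking change worth stating, e.g. a comment on the map: `// Display names resolvable via roleDefinitionIdOrName; any other value is passed through unchanged as a role definition resource ID, so typos surface only at deployment.` The map still resolves 'Owner', 'User Access Administrator' and 'Role Based Access Control Administrator (Preview)', which let the assigned principal grant further roles on the topic; that is unchanged from before, but consumers reviewing least privilege should know this module can hand out role-granting roles.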
@@ -179,17 +191,18 @@ module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for } }] -module topic_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-topic-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: topic.id +resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: topic }] @description('The name of the event grid topic.') 
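Review bot: `name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the raw input rather than the resolved `roleDefinitionId`, so the same role given once as 'Reader' and once as its full definition ID produces two assignment names for one (principal, role, scope) triple, and the second is rejected as a duplicate assignment at deploy time instead of the template being idempotent. Because the formula mirrors the deleted nested module (`guid(eventGrid.id, principalId, roleDefinitionIdOrName)`), switching to the resolved ID would rename existing assignments on upgrade, so the safer fix is a comment stating the constraint: `// Name intentionally matches the former nested module so existing assignments keep their name; pass each role in one consistent form (display name or ID) per principal.` Separately, the trailing comment on `conditionVersion` misspells "condition" as `condtion`. The `topic` resource this block is scoped to is defined outside the hunk.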
@@ -215,3 +228,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 5852af83e4..eff81c7e61 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9509385509021367133" + "templateHash": "875855876117363195" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", 
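Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the compiled `main.json` in this same commit emits the five `allowedValues` plus `nullable: true`, so `| null` can be dropped in favour of `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`, matching how `conditionVersion: '2.0'?` is written two fields down. The `principalType` description would also benefit from the practical reason to set it: when omitted, the resource manager has to look the principal up in the directory, which — per Azure's published guidance, not something shown here — can fail with a not-found error for an identity created in the same deployment, so `@description('Optional. The principal type of the assigned principal ID. Set to ServicePrincipal for identities created in the same deployment to avoid directory replication delays.')` would save consumers a confusing failure.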
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -115,8 +181,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -197,7 +262,18 @@ } ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", + "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", + "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", + "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -257,6 +333,28 @@ "topic" ] }, + "topic_roleAssignments": { + "copy": { + "name": "topic_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventGrid/topics', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "topic" + ] + }, "topics_eventSubscriptions": { "copy": { "name": "topics_eventSubscriptions", 
@@ -996,160 +1094,6 @@ "dependsOn": [ "topic" ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-topic-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8293298385688392206" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventGrid/topics/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.EventGrid/topics', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", 
- "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "topic" - ] } }, "outputs": { diff --git a/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep b/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 43c8aaffa3..0000000000 --- a/modules/event-hub/namespace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,73 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec') - 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde') - 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Schema Registry Contributor (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5dffeca3-4936-4216-b2bc-10343a5abb25') - 'Schema Registry Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2c56ea50-c6b3-40a6-83c0-9d98858bc7d2') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(eventHubNamespace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: eventHubNamespace -}] diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index f136c3226c..ddfb1fc9a1 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep 
@@ -98,9 +98,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -144,9 +142,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -197,9 +193,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 68c432211b..551da7d1b6 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -84,9 +84,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { name: 'az-evh-x-001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -132,9 +130,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { retentionDescriptionRetentionTimeInHours: 3 roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -188,9 +184,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { publicNetworkAccess: 'Disabled' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -271,9 +265,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "name": "az-evh-x-001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -319,9 +311,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "retentionDescriptionRetentionTimeInHours": 3, "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -393,9 +383,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -941,7 +929,68 @@ Enable infrastructure encryption (double encryption). Note, this setting require Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuCapacity` diff --git a/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep b/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 0689bff486..0000000000 --- a/modules/event-hub/namespace/eventhub/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,73 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec') - 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde') - 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Schema Registry Contributor (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5dffeca3-4936-4216-b2bc-10343a5abb25') - 'Schema Registry Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2c56ea50-c6b3-40a6-83c0-9d98858bc7d2') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(eventHub.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: eventHub -}] diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index 936f144c4d..600b84c374 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md 
@@ -223,7 +223,68 @@ Retention cleanup policy. Number of hours to retain the tombstone markers of a c Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `status` diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep index f35b2c1461..466bc57c36 100644 --- a/modules/event-hub/namespace/eventhub/main.bicep +++ b/modules/event-hub/namespace/eventhub/main.bicep 
@@ -55,7 +55,7 @@ param consumergroups array = [
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Name for capture destination.')
 param captureDescriptionDestinationName string = 'EventHubArchive.AzureBlockBlob'
@@ -143,6 +143,17 @@ var eventHubPropertiesCapture = { } } +var builtInRoleNames = { + 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec') + 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde') + 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
@@ -196,17 +207,18 @@ module eventHub_authorizationRules 'authorization-rule/main.bicep' = [for (autho
 }
 }]
 
-module eventHub_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: eventHub.id
+resource eventHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(eventHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: eventHub
 }]
 
 @description('The name of the event hub.')
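Review bot: The role-assignment name on the new `name: guid(eventHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line hashes the caller's spelling of the role rather than the resolved `roleDefinitionId`, so `'Reader'` and its full `/providers/Microsoft.Authorization/roleDefinitions/...` ID yield two different names for what Azure treats as the same assignment (same scope, principal and role); switching spellings between deployments would then try to create a second assignment and, if I recall ARM's behaviour correctly, fail with a conflict instead of updating in place. Keeping the same three inputs the deleted nested module used (`guid(eventHub.id, principalId, roleDefinitionIdOrName)`) looks deliberate so existing assignments keep their names across the upgrade, but that trade-off is invisible without a comment such as `// name intentionally hashes the unresolved roleDefinitionIdOrName to stay stable with earlier module versions`. The inline comment on the `conditionVersion` line also has a typo and should read `// Must only be set if condition is set`.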
@@ -232,3 +244,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json
index 7a1ba6bd1c..6a49ec7b04 100644
--- a/modules/event-hub/namespace/eventhub/main.json
+++ b/modules/event-hub/namespace/eventhub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13288816158537037984"
+ "templateHash": "5933888781308133415"
 },
 "name": "Event Hub Namespace Event Hubs",
 "description": "This module deploys an Event Hub Namespace Event Hub.",
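Review bot: In the `principalType` member of the new `roleAssignmentType`, the `| null` inside the union is redundant with the trailing `?` that already makes the property nullable, and the compiled main.json in this same commit indeed emits only the five string values plus `nullable: true`; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the noise. The description `Optional. The principal type of the assigned principal ID.` would also benefit from the practical reason the README examples in this commit always set it: when the principal is created in the same deployment, directory replication lag can make a type-less assignment fail with a principal-not-found error, so callers should pass the type (this is ARM guidance as I recall it, not something the visible lines establish). Something like `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. ServicePrincipal for a managed identity) when the principal was created in the same deployment, so the assignment does not fail on a not-yet-replicated principal.')` would carry that caveat into both the type and the generated README.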
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -122,8 +188,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -264,6 +329,16 @@ "sizeLimitInBytes": "[parameters('captureDescriptionSizeLimitInBytes')]", "skipEmptyArchives": "[parameters('captureDescriptionSkipEmptyArchives')]" } + }, + "builtInRoleNames": { + "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -310,6 +385,28 @@ "eventHub" ] }, + "eventHub_roleAssignments": { + "copy": { + "name": "eventHub_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "eventHub" + ] + }, 
"eventHub_consumergroups": { "copy": { "name": "eventHub_consumergroups", 
@@ -570,159 +667,6 @@ "dependsOn": [ "eventHub" ] - }, - "eventHub_roleAssignments": { - "copy": { - "name": "eventHub_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5794309156960386834" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Schema Registry Contributor (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5dffeca3-4936-4216-b2bc-10343a5abb25')]", - "Schema Registry Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2c56ea50-c6b3-40a6-83c0-9d98858bc7d2')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), 
null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "eventHub" - ] } }, "outputs": { diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index 3bfd039efa..c5a61777c1 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -111,7 +111,7 @@ param cMKUserAssignedIdentityResourceId string = '' param requireInfrastructureEncryption bool = false @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -183,6 +183,17 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ 'Azure Event Hubs Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')
+ 'Azure Event Hubs Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')
+ 'Azure Event Hubs Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
 name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
 scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
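Review bot: The new `builtInRoleNames` map resolves only eight display names, whereas the nested template it replaces (its removed copy is visible further down in this commit, in the main.json deletions) also mapped names such as 'Log Analytics Contributor', 'Monitoring Reader', 'Resource Policy Contributor' and the two 'Schema Registry … (Preview)' roles. With the fallback used in the role assignment resource, an existing caller that still passes one of those names now has the display name forwarded verbatim as `roleDefinitionId`, which is only rejected at deployment time rather than by the module. If the narrowing is intended, a comment on the variable would make the contract explicit, e.g. `// Display names resolvable for this resource; any other value is passed through unchanged and must be a role definition resource ID`. The same reduced map is compiled into main.json for both the namespace and the event hub child template.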
@@ -333,17 +344,18 @@ module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.b
 }
 }]
 
-module eventHubNamespace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: eventHubNamespace.id
+resource eventHubNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(eventHubNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: eventHubNamespace
 }]
 
 resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
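Review bot: The assignment name on the `name:` line is derived from the raw `roleAssignment.roleDefinitionIdOrName`, so the same principal and role produce a different GUID depending on whether the caller passes the display name or the role definition ID; a redeploy that switches between the two spellings would attempt a second assignment for the same principal/role/scope, which ARM is likely to reject as a duplicate rather than treat as an update. Deriving the name from the resolved value keeps both forms idempotent: `name: guid(eventHubNamespace.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. This still does not normalise the tenant-level `/providers/Microsoft.Authorization/roleDefinitions/...` form that the parameter description accepts against the subscription-scoped IDs in `builtInRoleNames`, so that residual limitation is worth a comment on the `name:` line. The trailing comment on the `conditionVersion:` line also has a typo, `condtion` → `condition`.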
@@ -394,3 +406,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
index 1c0cc32b12..101a26a405 100644
--- a/modules/event-hub/namespace/main.json
+++ b/modules/event-hub/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11328063440515261641"
+ "templateHash": "12601630852101639901"
 },
 "name": "Event Hub Namespaces",
 "description": "This module deploys an Event Hub Namespace.",
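Review bot: In the `principalType:` member of `roleAssignmentType` the `| null` inside the union is redundant with the trailing `?`; the compiled main.json in this same commit lists only the five string values under `allowedValues` with `nullable: true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the identical contract and matches how `conditionVersion: '2.0'?` is written two members below. The `condition` description also lost the closing period that the removed nested-template parameter carried, so the sentence now ends inside the quoted example; `… StringEqualsIgnoreCase "foo_storage_container".` restores it. The same two points apply wherever this type is duplicated in the other modules of the patch series.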
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -251,8 +317,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -351,7 +416,17 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -415,6 +490,28 @@ "cMKKeyVault" ] }, + "eventHubNamespace_roleAssignments": { + "copy": { + "name": "eventHubNamespace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventHub/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "eventHubNamespace" + ] + }, "eventHubNamespace_lock": { "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", @@ -740,7 +837,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13288816158537037984" + "templateHash": "5933888781308133415" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", 
@@ -771,6 +868,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -856,8 +1019,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -998,6 +1160,16 @@ "sizeLimitInBytes": "[parameters('captureDescriptionSizeLimitInBytes')]", "skipEmptyArchives": "[parameters('captureDescriptionSkipEmptyArchives')]" } + }, + "builtInRoleNames": { + "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", + "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", + "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -1044,6 +1216,28 @@ "eventHub" ] }, + "eventHub_roleAssignments": { + "copy": { + "name": "eventHub_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "eventHub" + ] + }, 
"eventHub_consumergroups": { "copy": { "name": "eventHub_consumergroups", 
@@ -1304,159 +1498,6 @@ "dependsOn": [ "eventHub" ] - }, - "eventHub_roleAssignments": { - "copy": { - "name": "eventHub_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5794309156960386834" - } - }, - "parameters": { - "principalIds": { 
- "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Schema Registry Contributor (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5dffeca3-4936-4216-b2bc-10343a5abb25')]", - "Schema Registry Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2c56ea50-c6b3-40a6-83c0-9d98858bc7d2')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), 
null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "eventHub" - ] } }, "outputs": { 
@@ -2186,159 +2227,6 @@ "dependsOn": [ "eventHubNamespace" ] - }, - "eventHubNamespace_roleAssignments": { - "copy": { - "name": "eventHubNamespace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3195673782424292860" - } - 
}, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Schema Registry Contributor (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5dffeca3-4936-4216-b2bc-10343a5abb25')]", - "Schema Registry Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2c56ea50-c6b3-40a6-83c0-9d98858bc7d2')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.EventHub/namespaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.EventHub/namespaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), 
parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "eventHubNamespace" - ] } }, "outputs": { diff --git a/modules/health-bot/health-bot/.bicep/nested_roleAssignments.bicep b/modules/health-bot/health-bot/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 782c7f3741..0000000000 --- a/modules/health-bot/health-bot/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource healthBot 'Microsoft.HealthBot/healthBots@2022-08-08' existing = { - name: last(split(resourceId, 
'/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(healthBot.id, principalId, roleDefinitionIdOrName)
-  properties: {
-    description: description
-    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
-    principalId: principalId
-    principalType: !empty(principalType) ? any(principalType) : null
-    condition: !empty(condition) ? condition : null
-    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
-    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
-  }
-  scope: healthBot
-}]
diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/.test/common/main.test.bicep
index c749c0fb14..e75da7bcbc 100644
--- a/modules/health-bot/health-bot/.test/common/main.test.bicep
+++ b/modules/health-bot/health-bot/.test/common/main.test.bicep
@@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index db3645ccdd..709308b105 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -53,9 +53,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
     }
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
@@ -104,9 +102,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -256,7 +252,68 @@ Name of the resource. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep index 99b2aaf3f8..5667441e75 100644 --- a/modules/health-bot/health-bot/main.bicep +++ b/modules/health-bot/health-bot/main.bicep 
@@ -23,7 +23,7 @@ param location string = resourceGroup().location
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -38,6 +38,14 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
@@ -50,7 +58,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
     }
   }
-resource azureHealthBot 'Microsoft.HealthBot/healthBots@2022-08-08' = {
+resource healthBot 'Microsoft.HealthBot/healthBots@2022-08-08' = {
   name: name
   location: location
   tags: tags
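Review bot: The inlined `builtInRoleNames` map in the -38 hunk resolves only five display names, whereas the deleted `.bicep/nested_roleAssignments.bicep` it replaces resolved thirteen (Log Analytics Contributor/Reader, the Managed Application roles, Monitoring Contributor/Reader and Resource Policy Contributor among them). Because the lookup in the `healthBot_roleAssignments` resource later in the file falls back to passing the raw string through as `roleDefinitionId`, a caller that still passes one of the dropped names presumably no longer fails at compile time but only at deployment, with the literal display name sent as the role definition ID. The `roleAssignments` description in the -23 hunk still promises 'the display name of the role definition' without qualification; it should state which names resolve, e.g. append `Display names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; any other role must be given by its resource ID.`, and the removal of the other names deserves a breaking-change note since it changes which assignments a template can grant.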
@@ -61,39 +69,40 @@ resource azureHealthBot 'Microsoft.HealthBot/healthBots@2022-08-08' = {
   properties: {}
 }
-resource azureHealthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+resource healthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
   name: lock.?name ?? 'lock-${name}'
   properties: {
     level: lock.?kind ?? ''
     notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
   }
-  scope: azureHealthBot
+  scope: healthBot
 }
-module healthBot_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-HealthBot-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: azureHealthBot.id
+resource healthBot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(healthBot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: healthBot
 }]
 @description('The resource group the health bot was deployed into.')
 output resourceGroupName string = resourceGroup().name
 @description('The name of the health bot.')
-output name string = azureHealthBot.name
+output name string = healthBot.name
 @description('The resource ID of the health bot.')
-output resourceId string = azureHealthBot.id
+output resourceId string = healthBot.id
 @description('The location the resource was deployed into.')
-output location string = azureHealthBot.location
+output location string = healthBot.location
 // =============== //
 //   Definitions   //
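Review bot: The deterministic name of `healthBot_roleAssignments` is seeded with the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same (scope, principal, role) tuple gets a different GUID depending on whether the caller wrote `'Reader'` or the full role definition ID, and a redeployment that switches between the two spellings would try to create a second assignment for a tuple that already exists, which the role assignment API rejects as a conflict rather than treating as idempotent. Resolving the role definition ID once into a variable and seeding `guid()` with the resolved value keeps the name stable across both spellings and also removes the duplicated lookup from the resource body. The `index` loop variable is no longer used now that the per-index module name is gone and can be dropped, and the trailing comment has a typo: `// Must only be set if condition is set`.
```bicep
var formattedRoleAssignments = [for roleAssignment in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
})]

resource healthBot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleAssignment in formattedRoleAssignments: {
  name: guid(healthBot.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    principalId: roleAssignment.principalId
    // … unchanged: description, principalType, condition, conditionVersion, delegatedManagedIdentityResourceId …
  }
  scope: healthBot
}]
```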
@@ -106,3 +115,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json
index 6c4a2a9e11..7103f10ea1 100644
--- a/modules/health-bot/health-bot/main.json
+++ b/modules/health-bot/health-bot/main.json
@@ -6,7 +6,7 @@
       "_generator": {
         "name": "bicep",
         "version": "0.22.6.54827",
-        "templateHash": "17507209096139592862"
+        "templateHash": "5623490364397811090"
       },
       "name": "Azure Health Bots",
       "description": "This module deploys an Azure Health Bot.",
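Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice, through the `| null` member and the trailing `?`; the generated main.json in the next hunk shows the compiler collapsing this to the five string values plus `"nullable": true`, and every sibling optional property uses only `?`. Writing it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the type consistent with the rest of the definition. The `condition` description is also the only one in the type without a terminating period, and the README generator copies that text verbatim into the parameter table, as the README hunk earlier in this diff shows.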
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -78,8 +144,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -101,7 +166,14 @@ }, "variables": { "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -118,7 +190,7 @@ } } }, - "azureHealthBot": { + "healthBot": { "type": "Microsoft.HealthBot/healthBots", "apiVersion": "2022-08-08", "name": "[parameters('name')]", @@ -130,7 +202,7 @@ }, "properties": {} }, - "azureHealthBot_lock": { + "healthBot_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", 
@@ -141,155 +213,29 @@ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "azureHealthBot" + "healthBot" ] }, "healthBot_roleAssignments": { "copy": { "name": "healthBot_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-HealthBot-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.HealthBot/healthBots', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), 
createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.HealthBot/healthBots', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4105513755228551985" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthBot/healthBots/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.HealthBot/healthBots', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "azureHealthBot" + "healthBot" ] } }, @@ -320,7 +266,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('azureHealthBot', '2022-08-08', 'full').location]" + "value": "[reference('healthBot', '2022-08-08', 'full').location]" } } } \ No newline at end of file diff --git a/modules/healthcare-apis/workspace/.bicep/nested_roleAssignments.bicep b/modules/healthcare-apis/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cc5d77182c..0000000000 --- a/modules/healthcare-apis/workspace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,77 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8') - 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a') - 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') - 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24') - 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843') - 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b') - 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508') - 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913') - 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed 
Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: workspace -}] 
diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
index 9c8387d95f..bcac722b91 100644
--- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep
+++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep
@@ -102,9 +102,7 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')
-        principalIds: [
-          resourceGroupResources.outputs.managedIdentityPrincipalId
-        ]
+        principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 150ad94859..8285f16546 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -107,9 +107,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
     resourceVersionPolicy: 'versioned'
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: ''
       }
@@ -215,9 +213,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
     "resourceVersionPolicy": "versioned",
     "roleAssignments": [
       {
-        "principalIds": [
-          ""
-        ],
+        "principalId": "",
         "principalType": "ServicePrincipal",
         "roleDefinitionIdOrName": ""
       }
@@ -417,7 +413,68 @@ Control permission for data plane traffic coming from public networks while priv Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/healthcare-apis/workspace/fhirservice/.bicep/nested_roleAssignments.bicep b/modules/healthcare-apis/workspace/fhirservice/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 8973527791..0000000000 --- a/modules/healthcare-apis/workspace/fhirservice/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,81 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8') - 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a') - 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') - 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24') - 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843') - 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b') - 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508') - 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913') - 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed 
Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.HealthcareApis/workspaces@2022-06-01' existing = { - name: split(resourceId, '/')[8] - - resource fhir 'fhirservices@2022-06-01' existing = { - name: split(resourceId, '/')[10] - } -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace::fhir.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? 
delegatedManagedIdentityResourceId : null - } - scope: workspace::fhir -}] diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 54b9c8776c..0edb384b28 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md 
@@ -304,7 +304,68 @@ The default value for tracking history across all resources. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `smartProxyEnabled` diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index de1c549920..e689358883 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep +++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep 
@@ -85,7 +85,7 @@ param initialImportMode bool = false param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @allowed([ 'Disabled' 
@@ -168,6 +168,23 @@ var exportConfiguration = { // =========== // // Deployments // // =========== // +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8') + 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a') + 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') + 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24') + 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843') + 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b') + 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508') + 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913') + 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 
'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { @@ -245,17 +262,18 @@ resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05- scope: fhir } -module fhir_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: fhir.id +resource fhir_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: fhir }] @description('The name of the fhir service.') 
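Review bot: The new inline `builtInRoleNames` map silently drops eight display names that the deleted nested module resolved (`Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader`, `Resource Policy Contributor`, visible in the removed file above). Because the role assignment falls back to the raw string whenever a name is not in the map, a caller that still passes one of those names will now have the display name submitted as a `roleDefinitionId`; that should fail the deployment rather than grant anything unintended, but it is a breaking change that the commit does not document. Either restore those entries, or state the lookup contract in the parameter description, e.g. `@description('... Only the display names in builtInRoleNames are resolved; any other value is passed through verbatim as the roleDefinitionId.')`, and mention the removed names in the module changelog.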
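Review bot: The assignment name `guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller-supplied string before it is resolved, so the same role requested once by display name and once by its full definition ID produces two different resource names for what is, at the ARM level, the same principal/role/scope triple; I would expect the second deployment to be rejected as an existing assignment rather than be idempotent, though the exact error is not visible here. The deleted nested module used the same scheme, so this is pre-existing, but the inline rewrite is the natural place to fix it by hashing the resolved ID: `name: guid(fhir.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The trailing comment on the `conditionVersion` line also has a typo, `condtion` should read `condition`.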
@@ -287,3 +305,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index bf6663e287..40452de2c7 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5251491466026222190" + "templateHash": "9263507770658770799" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", 
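Review bot: The `roleAssignmentType` descriptions do not tell a caller what actually happens with the value, which matters for an RBAC surface. `roleDefinitionIdOrName` says "If it cannot be found you can specify the role definition ID instead" but not that an unrecognised name is passed through unchanged as the `roleDefinitionId`; I would extend it to `@description('Required. The display name of a role in builtInRoleNames, or a full role definition resource ID. Any other value is passed to Azure verbatim as the roleDefinitionId.')`. `principalType` should say why it is worth setting, as the test file does for a freshly created managed identity: `@description('Optional. The principal type of the assigned principal ID. Set it explicitly (e.g. ServicePrincipal) when assigning to an identity created in the same deployment; presumably avoids lookup failures during directory replication - confirm.')`. `conditionVersion` is only emitted when `condition` is set (see the resource above), so its description should say `Optional. Version of the condition. Ignored unless condition is set; defaults to 2.0.`.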
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -212,8 +278,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -346,6 +411,22 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", + "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", + "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", + "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", + "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access 
Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -446,155 +527,20 @@ "fhir_roleAssignments": { "copy": { "name": "fhir_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13260238293612966350" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10])]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - 
"roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "fhir" diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep index 933c998407..61810fe4e0 100644 --- a/modules/healthcare-apis/workspace/main.bicep +++ b/modules/healthcare-apis/workspace/main.bicep @@ -13,7 +13,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @allowed([ 'Disabled' 
@@ -42,6 +42,23 @@ var enableReferencedModulesTelemetry = false
 // =========== //
 // Deployments //
 // =========== //
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DICOM Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')
+ 'DICOM Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')
+ 'FHIR Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')
+ 'FHIR Data Converter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')
+ 'FHIR Data Exporter': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')
+ 'FHIR Data Importer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')
+ 'FHIR Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')
+ 'FHIR Data Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')
+ 'FHIR SMART User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
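Review bot: The new `builtInRoleNames` map has 14 entries, but the map in the nested template it replaces (visible in the removed lines of the main.json hunk at @@ -159,155) also resolved `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor`. A caller that still passes one of those display names now falls through the `contains(builtInRoleNames, …)` check in the resource hunk below and the bare name is submitted as `roleDefinitionId`, which presumably fails at deployment time rather than at template validation. If trimming the list to the roles that matter at this scope is intended, a one-line comment above the map would make that deliberate, e.g. `// Roles resolvable by display name at this scope; any other role must be passed as its full role definition resource ID`. The `resource defaultTelemetry` declaration at the end of the hunk continues outside it.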
@@ -72,17 +89,18 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(
 scope: workspace
 }
-module workspace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: workspace.id
+resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: workspace
 }]
 module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in fhirservices: {
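Review bot: The resource `name` of the new `workspace_roleAssignments` loop is `guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so two entries that give the same principal the same role but differ only in `condition` or `delegatedManagedIdentityResourceId` produce the same name and the deployment is rejected for a duplicate resource name instead of creating two assignments. If one assignment per scope/principal/role is the intended contract, a comment on the `name:` line saying so would spare the next maintainer a debugging round, e.g. `// one assignment per scope/principal/role; entries that differ only by condition collide here`. The inline comment on `conditionVersion` also has a typo and should read `// Must only be set if condition is set`. The compiled main.json hunks at @@ -159,155 and @@ -822,155 show the same name derivation for `fhir_roleAssignments`, so the same point presumably applies to the fhirservice module that `workspace_fhirservices` references, which is not in this view.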
@@ -201,3 +219,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json
index 41a468c521..945b8fe719 100644
--- a/modules/healthcare-apis/workspace/main.json
+++ b/modules/healthcare-apis/workspace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14046183075929419967"
+ "templateHash": "15321867905041634894"
 },
 "name": "Healthcare API Workspaces",
 "description": "This module deploys a Healthcare API Workspace.",
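Review bot: In the new `roleAssignmentType`, `principalType` is declared `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, which admits null twice — the trailing `?` already does, and the compiled schema in the main.json hunk at @@ -37,6 lists only the five strings with `"nullable": true` — so the `| null` member is redundant and inconsistent with the other optional members of the type; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches them. The `@description` of `principalType` could also carry the caveat practitioners usually want here: when the principal is created in the same deployment, leaving the type unset is commonly reported to make the assignment fail on directory replication lag, so callers should set it explicitly in that case (worth confirming against current platform guidance before wording it).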
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -115,7 +180,23 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", + "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", + "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", + "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", + "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -159,155 +240,20 @@ "workspace_roleAssignments": { "copy": { "name": "workspace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), 
createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4822666259108954856" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "workspace" 
@@ -382,7 +328,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5251491466026222190" + "templateHash": "9263507770658770799" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -413,6 +359,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -588,8 +600,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -722,6 +733,22 @@ "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", + "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", + "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", + "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", + "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", + "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", + "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", + "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", + "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access 
Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -822,155 +849,20 @@ "fhir_roleAssignments": { "copy": { "name": "fhir_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13260238293612966350" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DICOM Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '58a3b984-7adf-4c20-983a-32417c86fbc8')]", - "DICOM Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a')]", - "FHIR Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Converter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a1705bd2-3a8f-45a5-8683-466fcfd5cc24')]", - "FHIR Data Exporter": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Importer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4465e953-8ced-4406-a58e-0f6e3f3b530b')]", - "FHIR Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "FHIR SMART User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4ba50f17-9666-485c-a643-ff00808643f0')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10])]", - "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - 
"roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "fhir" diff --git a/modules/insights/action-group/.bicep/nested_roleAssignments.bicep b/modules/insights/action-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index f147f7490d..0000000000 --- a/modules/insights/action-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
- 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
- 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')
- 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')
- 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')
- 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')
- 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')
- 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')
- 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')
- 'Azure Arc Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')
- 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')
- 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')
- 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')
- 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')
- 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')
- 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')
- 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')
- 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')
- 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')
- 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')
- 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')
- 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')
- 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')
- 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')
- 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')
- 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')
- 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')
- 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')
- 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')
- 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')
- 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')
- 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')
- 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Cosmos DB Account Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')
- 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
- 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')
- 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')
- 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')
- 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
- 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
- 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
- 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
- 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')
- 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')
- 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')
- 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')
- 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')
- 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
- 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')
- 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')
- 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')
- 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
- 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
- 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
- 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
- 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
- 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
- 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')
- 'Kubernetes Extension Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')
- 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')
- 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')
- 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')
- 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')
- 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')
- 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')
- 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')
- 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')
- 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
- 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
- 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
- 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')
- 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')
- 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')
- 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')
- 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')
- 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')
- 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')
- 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')
- 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')
- 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')
- 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')
- 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')
- 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')
- 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')
- 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
- 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
- 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
- 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')
- 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')
-}
-
-resource actionGroup 'Microsoft.Insights/actionGroups@2023-01-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(actionGroup.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: actionGroup
-}]
diff --git a/modules/insights/action-group/.test/common/main.test.bicep b/modules/insights/action-group/.test/common/main.test.bicep
index 0e979a0e1e..3e80b2db1b 100644
--- a/modules/insights/action-group/.test/common/main.test.bicep
+++ b/modules/insights/action-group/.test/common/main.test.bicep
@@ -74,10 +74,9 @@ module testDeployment '../../main.bicep' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: 'Reader'
+ principalType: 'ServicePrincipal'
 }
 ]
 tags: {
diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md
index fd46d2712c..2b2d2fcbfa 100644
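Review bot: The updated test entry in `roleAssignments` exercises only `principalId`, `roleDefinitionIdOrName` and `principalType`; the `condition`/`conditionVersion` handling this commit introduces in `main.bicep` (conditionVersion defaulting to `'2.0'` only when a condition is supplied, `null` otherwise) has no coverage in this test file. A second entry in the same array that also sets `condition` would exercise that branch end to end, including the `conditionVersion` allowed-value constraint. The enclosing `testDeployment` module starts before and ends after the hunk.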
--- a/modules/insights/action-group/README.md
+++ b/modules/insights/action-group/README.md
@@ -61,9 +61,8 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = {
 enableDefaultTelemetry: ''
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
+ principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
 ]
@@ -123,9 +122,8 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
+ "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -322,7 +320,68 @@ The name of the action group.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+ | Name | Required | Type | Description |
+ | :-- | :-- | :--| :-- |
+ | [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+ | [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+ | [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+ | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+ | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+ | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+ | [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+ ### Parameter: `roleAssignments.condition`
+
+ Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+ - Required: No
+ - Type: string
+
+ ### Parameter: `roleAssignments.conditionVersion`
+
+ Optional. Version of the condition.
+
+ - Required: No
+ - Type: string
+ - Allowed: `[2.0]`
+
+ ### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+ Optional. The Resource Id of the delegated managed identity resource.
+
+ - Required: No
+ - Type: string
+
+ ### Parameter: `roleAssignments.description`
+
+ Optional. The description of the role assignment.
+
+ - Required: No
+ - Type: string
+
+ ### Parameter: `roleAssignments.principalId`
+
+ Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+ - Required: Yes
+ - Type: string
+
+ ### Parameter: `roleAssignments.principalType`
+
+ Optional. The principal type of the assigned principal ID.
+
+ - Required: No
+ - Type: string
+ - Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+ ### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+ Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+ - Required: Yes
+ - Type: string
 
 ### Parameter: `smsReceivers`
diff --git a/modules/insights/action-group/main.bicep b/modules/insights/action-group/main.bicep
index 0b9d360188..cc70da7f68 100644
--- a/modules/insights/action-group/main.bicep
+++ b/modules/insights/action-group/main.bicep
@@ -12,7 +12,7 @@ param groupShortName string
 param enabled bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The list of email receivers that are part of this action group.')
 param emailReceivers array = []
@@ -53,6 +53,14 @@ param enableDefaultTelemetry bool = true
 @description('Optional. Location for all resources.')
 param location string = 'global'
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
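Review bot: The new `builtInRoleNames` map resolves only five display names, whereas the deleted `.bicep/nested_roleAssignments.bicep` resolved well over a hundred (including `Monitoring Contributor`, `Monitoring Reader` and `Log Analytics Reader`), and neither the map nor the `roleAssignments` parameter description in the hunk above documents the reduced set. A display name that is no longer in the map is passed through unchanged as `roleDefinitionId` by the `actionGroup_roleAssignments` resource in the next hunk, which presumably fails at deployment time for an existing caller that relied on one of the dropped names. A comment on the map would make the contract explicit, e.g. `// Only these display names are resolved; any other roleDefinitionIdOrName must be a full role definition resource ID.`, and the parameter description could say the same in one sentence.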
@@ -85,17 +93,18 @@ resource actionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
 }
 }
 
-module actionGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-ActionGroup-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: actionGroup.id
+resource actionGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(actionGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: actionGroup
 }]
 
 @description('The resource group the action group was deployed into.')
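Review bot: The assignment `name` is derived from the unresolved `roleAssignment.roleDefinitionIdOrName`, while `properties.roleDefinitionId` on the line below uses the value resolved through `builtInRoleNames`; two entries that name the same role for the same principal, once by display name and once by full ID, therefore get different deployment names for what is presumably one and the same assignment, which the platform would likely reject as a duplicate rather than treat as idempotent. Keying the guid on the resolved ID would make the name canonical, but that would also change the names of assignments already deployed through this module, so it is a deliberate trade-off rather than a drop-in change and is worth a comment either way. Separately, the trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`.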
@@ -109,3 +118,29 @@ output resourceId string = actionGroup.id
 @description('The location the resource was deployed into.')
 output location string = actionGroup.location
 
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/action-group/main.json b/modules/insights/action-group/main.json
index 2a88b67d97..792fd37d16 100644
--- a/modules/insights/action-group/main.json
+++ b/modules/insights/action-group/main.json
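Review bot: In `roleAssignmentType`, the `principalType` property both lists `null` inside its union and marks the property optional with a trailing `?`; the generated `main.json` in the following file section emits `allowedValues` without `null` plus `"nullable": true`, which suggests the inner `null` is redundant. Writing it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match how `conditionVersion: '2.0'?` is written two properties below. The `roleDefinitionIdOrName` description could also mention that only the display names listed in `builtInRoleNames` near the top of the file are resolved, since that is the contract callers actually hit.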
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11117499491590178682" + "templateHash": "38103589755829738" }, "name": "Action Groups", "description": "This module deploys an Action Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -32,8 +101,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -130,8 +198,17 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -145,7 +222,7 @@ } } }, - { + "actionGroup": { "type": "Microsoft.Insights/actionGroups", "apiVersion": "2023-01-01", "name": "[parameters('name')]", 
@@ -166,285 +243,29 @@ "armRoleReceivers": "[if(empty(parameters('armRoleReceivers')), null(), parameters('armRoleReceivers'))]" } }, - { + "actionGroup_roleAssignments": { "copy": { "name": "actionGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ActionGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/actionGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/actionGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/actionGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3593800460322974765" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/actionGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/actionGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], 
parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/actionGroups', parameters('name'))]" + "actionGroup" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -472,7 +293,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/actionGroups', parameters('name')), '2023-01-01', 'full').location]" + "value": "[reference('actionGroup', '2023-01-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/activity-log-alert/.bicep/nested_roleAssignments.bicep b/modules/insights/activity-log-alert/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 0212b972de..0000000000 --- a/modules/insights/activity-log-alert/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(activityLogAlert.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: activityLogAlert -}] diff --git a/modules/insights/activity-log-alert/.test/common/main.test.bicep b/modules/insights/activity-log-alert/.test/common/main.test.bicep index d69c866a34..6810340316 100644 --- a/modules/insights/activity-log-alert/.test/common/main.test.bicep +++ b/modules/insights/activity-log-alert/.test/common/main.test.bicep @@ -93,9 +93,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 0e825a2959..6fee0f6567 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -83,9 +83,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -166,9 +164,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -268,7 +264,68 @@ The name of the alert. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scopes` diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep index b31bb74665..b2abd44709 100644 --- a/modules/insights/activity-log-alert/main.bicep +++ b/modules/insights/activity-log-alert/main.bicep 
@@ -26,7 +26,7 @@ param actions array = []
 param conditions array
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -39,6 +39,14 @@ var actionGroups = [for action in actions: {
 webhookProperties: contains(action, 'webhookProperties') ? action.webhookProperties : null
 }]
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -68,17 +76,18 @@ resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
 }
 }
 
-module activityLogAlert_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-ActivityLogAlert-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: activityLogAlert.id
+resource activityLogAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(activityLogAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: activityLogAlert
 }]
 
 @description('The name of the activity log alert.')
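Review bot: `roleDefinitionId` falls back to the raw `roleDefinitionIdOrName` string whenever the name is not one of the five keys in `builtInRoleNames` (added in the hunk above), so display names the deleted nested template used to resolve, such as 'Monitoring Reader', now reach ARM as a bare string and fail only at deployment time, and neither the parameter description nor this resource tells callers that. A comment on the `roleDefinitionId` line would make the contract explicit, e.g. `// Names outside builtInRoleNames are passed through verbatim; pass the full role definition resource ID for any other role`. The `conditionVersion` comment also has a typo: `// Must only be set if condition is set`. The resource `name` is derived from principal and role only, so two entries that differ only in `condition` would presumably produce a duplicate name in the loop; if that is unsupported, it is worth stating in the `roleAssignments` description.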
@@ -92,3 +101,29 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = activityLogAlert.location
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json
index b3d35d5ff4..011805c14a 100644
--- a/modules/insights/activity-log-alert/main.json
+++ b/modules/insights/activity-log-alert/main.json
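Review bot: In `roleAssignmentType`, the `| null` inside the `principalType` union duplicates the `?` nullable marker on the same property; the compiled main.json in this commit shows the five allowed values plus `nullable: true` and no null member, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the redundancy. The `conditionVersion` description could also say when it takes effect, since the resource in the hunk above applies it only when `condition` is set and defaults it to '2.0': `@description('Optional. Version of the condition. Only applied when condition is set; defaults to 2.0.')`.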
@@ -1,16 +1,85 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7845044983132371204"
+ "templateHash": "16411085736743453279"
 },
 "name": "Activity Log Alerts",
 "description": "This module deploys an Activity Log Alert.",
 "owner": "Azure/module-maintainers"
 },
+ "definitions": {
+ "roleAssignmentType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
 "parameters": {
 "name": {
 "type": "string",
@@ -62,8 +131,7 @@
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
@@ -93,10 +161,17 @@
 "webhookProperties": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'webhookProperties'), parameters('actions')[copyIndex('actionGroups')].webhookProperties, null())]"
 }
 }
- ]
+ ],
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+ }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -110,7 +185,7 @@
 }
 }
 },
- {
+ "activityLogAlert": {
 "type": "Microsoft.Insights/activityLogAlerts",
 "apiVersion": "2020-10-01",
 "name": "[parameters('name')]",
@@ -128,285 +203,29 @@ "description": "[parameters('alertDescription')]" } }, - { + "activityLogAlert_roleAssignments": { "copy": { "name": "activityLogAlert_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ActivityLogAlert-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/activityLogAlerts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/activityLogAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 
'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/activityLogAlerts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9472664752100118667" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/activityLogAlerts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/activityLogAlerts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - 
"[resourceId('Microsoft.Insights/activityLogAlerts', parameters('name'))]" + "activityLogAlert" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -434,7 +253,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/activityLogAlerts', parameters('name')), '2020-10-01', 'full').location]" + "value": "[reference('activityLogAlert', '2020-10-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/component/.bicep/nested_roleAssignments.bicep b/modules/insights/component/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 01a40b94f5..0000000000 --- a/modules/insights/component/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appInsights.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appInsights -}] diff --git a/modules/insights/component/.test/common/main.test.bicep b/modules/insights/component/.test/common/main.test.bicep index a4d4b19f86..ccedab0557 100644 --- a/modules/insights/component/.test/common/main.test.bicep +++ b/modules/insights/component/.test/common/main.test.bicep @@ -74,9 +74,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 161ac02871..dcf1b0b21f 100644 
--- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -53,9 +53,7 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -107,9 +105,7 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -328,7 +324,68 @@ Retention period in days. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `samplingPercentage` diff --git a/modules/insights/component/main.bicep b/modules/insights/component/main.bicep index f6f6eb774d..f4cdb40399 100644 --- a/modules/insights/component/main.bicep +++ b/modules/insights/component/main.bicep 
@@ -55,7 +55,7 @@ param kind string = '' param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -123,6 +123,15 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { timeGrain: null enabled: true }] + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
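Review bot: The `var builtInRoleNames` added in the second hunk resolves only five display names, while the `roleAssignments` description kept as context in the first hunk still promises that any role definition display name is accepted; the deleted `.bicep/nested_roleAssignments.bicep` carried a far larger map, so a value such as `'Monitoring Contributor'` that used to resolve now falls through the `contains(builtInRoleNames, …)` check and is presumably sent to ARM verbatim as a `roleDefinitionId`, failing at deployment rather than at validation. Either document the shortlist in the parameter description, e.g. append `Display names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; any other value must be a fully qualified role definition ID.`, or restore the entries callers of this module are likely to rely on. Because these assignments grant privilege, a name that silently stops resolving is a change consumers need to see in the README, not only in the diff.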
@@ -150,17 +159,18 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = { } } -module appInsights_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppInsights-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: appInsights.id +resource appInsights_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(appInsights.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: appInsights }] resource appInsights_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { 
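Review bot: `name: guid(appInsights.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the unresolved input, so the same role supplied once as `'Reader'` and once as its full definition ID yields two different assignment names for one logical (principal, role, scope) triple, and the authorization provider rejects the second as an already-existing assignment instead of the deployment being idempotent. Hash the resolved ID instead, mirroring the expression already used for `roleDefinitionId`: `name: guid(appInsights.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The inline comment on the `conditionVersion` line also misspells the word; `// Must only be set if condition is set`.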
@@ -192,3 +202,29 @@ output location string = appInsights.location @description('Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component.') output instrumentationKey string = appInsights.properties.InstrumentationKey +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json index b3eddedc41..c7b7c5359e 100644 --- a/modules/insights/component/main.json +++ b/modules/insights/component/main.json 
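Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice, once as a union member and once through the trailing `?`; the compiled `main.json` hunk in this same commit emits `"nullable": true` with an `allowedValues` list that contains no null, so the union member adds nothing. Write it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` so it reads like the other optional members of `roleAssignmentType`.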
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10525905837638712461" + "templateHash": "2528627786354955521" }, "name": "Application Insights", "description": "This component deploys an Application Insights instance.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -99,8 +168,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -211,10 +279,17 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -228,7 +303,7 @@ } } }, - { + "appInsights": { "type": "Microsoft.Insights/components", "apiVersion": "2020-02-02", "name": "[parameters('name')]", 
@@ -244,7 +319,29 @@ "SamplingPercentage": "[parameters('samplingPercentage')]" } }, - { + "appInsights_roleAssignments": { + "copy": { + "name": "appInsights_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/components/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/components', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "appInsights" + ] + }, + 
"appInsights_diagnosticSettings": { "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", 
@@ -259,288 +356,10 @@ "logs": "[variables('diagnosticsLogs')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/components', parameters('name'))]" - ] - }, - { - "copy": { - "name": "appInsights_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppInsights-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/components', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.22.6.54827", - "templateHash": "11402620495113145502" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster 
Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets 
Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/components/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/components', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": 
"[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Insights/components', parameters('name'))]" + "appInsights" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -568,21 +387,21 @@ "metadata": { "description": "The application ID of the application insights component." }, - "value": "[reference(resourceId('Microsoft.Insights/components', parameters('name')), '2020-02-02').AppId]" + "value": "[reference('appInsights').AppId]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/components', parameters('name')), '2020-02-02', 'full').location]" + "value": "[reference('appInsights', '2020-02-02', 'full').location]" }, "instrumentationKey": { "type": "string", "metadata": { "description": "Application Insights Instrumentation key. A read-only value that applications can use to identify the destination for all telemetry sent to Azure Application Insights. This value will be supplied upon construction of each new Application Insights component." }, - "value": "[reference(resourceId('Microsoft.Insights/components', parameters('name')), '2020-02-02').InstrumentationKey]" + "value": "[reference('appInsights').InstrumentationKey]" } } } \ No newline at end of file diff --git a/modules/insights/data-collection-endpoint/.bicep/nested_roleAssignments.bicep b/modules/insights/data-collection-endpoint/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cb2c60be94..0000000000 
--- a/modules/insights/data-collection-endpoint/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2021-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(dataCollectionEndpoint.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: dataCollectionEndpoint -}] diff --git a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep index 8eaa84fa6d..d4518f92ad 100644 --- a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep +++ b/modules/insights/data-collection-endpoint/.test/common/main.test.bicep @@ -61,9 +61,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - resourceGroupResources.outputs.managedIdentityPrincipalId - ] + principalId: resourceGroupResources.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 77a855bbb2..19f10616c4 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -54,9 +54,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin publicNetworkAccess: 'Enabled' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -105,9 +103,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -264,7 +260,68 @@ The configuration to set whether network access from public internet to the endp Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep index acff2f2fea..246b4d305a 100644 --- a/modules/insights/data-collection-endpoint/main.bicep +++ b/modules/insights/data-collection-endpoint/main.bicep 
@@ -26,7 +26,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The configuration to set whether network access from public internet to the endpoints are allowed.')
 @allowed([
@@ -38,6 +38,14 @@ param publicNetworkAccess string = 'Disabled'
 @description('Optional. Resource tags.')
 param tags object = {}
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 // =============== //
 // Deployments //
 // =============== //
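Review bot: The `builtInRoleNames` map introduced in the second hunk resolves only five display names, whereas the nested module deleted earlier in this commit resolved a far larger list (for example 'Monitoring Contributor' and 'Log Analytics Contributor'), yet the `roleAssignments` description in the first hunk still promises that "the display name of the role definition" is accepted. Any name outside the five now falls through the lookup in the `dataCollectionEndpoint_roleAssignments` hunk and is passed verbatim as `roleDefinitionId`, which presumably surfaces only as a deployment-time error for callers who relied on the old names. The supported set should be stated where callers read it, e.g. `@description('... Supported display names: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; any other role must be passed as its fully qualified role definition ID.')`, and a short comment on the variable (`// Only the generic built-in roles are resolved by name; resource-specific roles must be given by ID`) would make the intent explicit for maintainers.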
@@ -75,17 +83,18 @@ resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01'
 scope: dataCollectionEndpoint
 }
 
-module dataCollectionEndpoint_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-dataCollectionEndpoint-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: dataCollectionEndpoint.id
+resource dataCollectionEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(dataCollectionEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: dataCollectionEndpoint
 }]
 
 // =========== //
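Review bot: The trailing comment on the `conditionVersion` line misspells "condition" and does not say why a version is defaulted rather than passed through; a clearer form is `// conditionVersion is only valid together with a condition; default to '2.0' when one is given, otherwise omit it`. The resource `name` is seeded from `roleAssignment.roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same role given once by display name and once by ID yields two different GUIDs for what is semantically one assignment; that is presumably intentional to keep names stable with the previous implementation, but a comment such as `// Seeded from the raw input, not the resolved ID, so existing assignment names stay stable` would stop a future refactor from changing the seed and orphaning deployed assignments.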
@@ -115,3 +124,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json
index 1ef931a6cf..8696ca8b76 100644
--- a/modules/insights/data-collection-endpoint/main.json
+++ b/modules/insights/data-collection-endpoint/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18059348054064453777"
+ "templateHash": "5064319070805092308"
 },
 "name": "Data Collection Endpoints",
 "description": "This module deploys a Data Collection Endpoint.",
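Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice — the trailing `?` already admits null — while every other optional member of the type relies on `?` alone. For consistency the member should read `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The generated main.json hunk later in this commit already shows the compiler emitting only the five `allowedValues` plus `"nullable": true`, so the edit is cosmetic and changes no behaviour.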
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -78,8 +144,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -103,6 +168,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -148,276 +222,20 @@ "dataCollectionEndpoint_roleAssignments": { "copy": { "name": "dataCollectionEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dataCollectionEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), 
createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5079554613850149123" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/dataCollectionEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "dataCollectionEndpoint" 
diff --git a/modules/insights/data-collection-rule/.bicep/nested_roleAssignments.bicep b/modules/insights/data-collection-rule/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 83fa78801d..0000000000 --- a/modules/insights/data-collection-rule/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
- 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')
- 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')
-}
-
-resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2021-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(dataCollectionRule.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: dataCollectionRule
-}]
diff --git a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
index 622b276f22..4006013380 100644
--- a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/customadv/main.test.bicep
@@ -131,9 +131,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
+ principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
index 945b688f12..a9cccb78d0 100644
--- a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep
@@ -115,9 +115,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
+ principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
index 3d2c5bd603..5b6ddb4d3d 100644
--- a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/customiis/main.test.bicep
@@ -94,9 +94,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
+ principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/data-collection-rule/.test/linux/main.test.bicep b/modules/insights/data-collection-rule/.test/linux/main.test.bicep
index 781cf7f52e..30b9856a25 100644
--- a/modules/insights/data-collection-rule/.test/linux/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/linux/main.test.bicep
@@ -207,9 +207,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
+ principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/data-collection-rule/.test/windows/main.test.bicep b/modules/insights/data-collection-rule/.test/windows/main.test.bicep
index cb9e2f49ab..ba4727637a 100644
--- a/modules/insights/data-collection-rule/.test/windows/main.test.bicep
+++ b/modules/insights/data-collection-rule/.test/windows/main.test.bicep
@@ -161,9 +161,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
+ principalId: resourceGroupResources.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index a2632e8b5f..04dec0ae15 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -96,9 +96,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -226,9 +224,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -343,9 +339,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -457,9 +451,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -551,9 +543,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -644,9 +634,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -835,9 +823,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -1039,9 +1025,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -1318,9 +1302,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -1476,9 +1458,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -1616,7 +1596,68 @@ The name of the data collection rule. The name is case insensitive.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `streamDeclarations`
diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep
index 1c17c12f6a..ea8f7a0f0d 100644
--- a/modules/insights/data-collection-rule/main.bicep
+++ b/modules/insights/data-collection-rule/main.bicep
@@ -41,7 +41,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Declaration of custom streams used in this rule.')
 param streamDeclarations object = {}
@@ -53,6 +53,14 @@ param tags object = {}
 // Deployments //
 // =============== //
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
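Review bot: The `builtInRoleNames` map added in the second hunk resolves only five display names, whereas the `nested_roleAssignments.bicep` deleted earlier in this commit resolved a much longer list (for example 'Monitoring Contributor' and 'Log Analytics Contributor'); any other display name now fails the `contains(builtInRoleNames, …)` check in the role-assignment resource and is passed through verbatim as `roleDefinitionId`, which presumably surfaces as a deployment error rather than a validation error for callers that relied on those names. The parameter description in the first hunk still promises 'either the display name of the role definition, or its fully qualified ID' with no such restriction, and the same wording is repeated in the `roleDefinitionIdOrName` description of `roleAssignmentType` in the last hunk of this file. Suggest a comment above the map, `// Only these display names are resolved; any other roleDefinitionIdOrName value is passed through unchanged and must be a full role definition resource ID`, and mirroring that sentence in both descriptions so that a typo in a role name is caught by the reader rather than at deployment.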
@@ -89,17 +97,18 @@ resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 scope: dataCollectionRule
 }
 
-module dataCollectionRule_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-dataCollectionRule-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: dataCollectionRule.id
+resource dataCollectionRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(dataCollectionRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: dataCollectionRule
 }]
 
 // =========== //
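Review bot: The role assignment `name` is seeded with the raw `roleAssignment.roleDefinitionIdOrName` while `roleDefinitionId` uses the resolved value, so the same principal/role pair given once as 'Reader' and once as its full definition ID produces two differently named resources for one effective assignment, and the second one fails with a conflict at deployment time instead of being caught earlier; a caller who later switches from display name to ID also gets a rename, i.e. a delete-and-recreate of the assignment. Seeding the GUID with the resolved ID instead, `name: guid(dataCollectionRule.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, avoids both, though it would itself rename assignments created by the previous module version, so it needs a release note either way. The comment on `conditionVersion` has a typo and could also state the default: `// Must only be set if a condition is set; defaults to '2.0'`. The loop body is fully inside the hunk.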
@@ -129,3 +138,26 @@ type lockType = {
 @sys.description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @sys.description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @sys.description('Optional. The description of the role assignment.')
+ description: string?
+
+ @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @sys.description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json
index 81c24ae888..444a20be3f 100644
--- a/modules/insights/data-collection-rule/main.json
+++ b/modules/insights/data-collection-rule/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3483587059200697547" + "templateHash": "12929247318394653560" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule.",
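Review bot: In `roleAssignmentType` the member `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries `| null` inside the union as well as the trailing `?`, which is redundant and inconsistent with the other optional members written as `string?`; the compiled main.json shows the same result either way (`"nullable": true` with five allowed values), so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the cleaner form. The description of `conditionVersion` does not mention the behaviour implemented in the resource, where the value is only applied when `condition` is set and otherwise defaults to '2.0'; suggest `@sys.description('Optional. Version of the condition. Only applied when a condition is set; defaults to \'2.0\'.')`. The `principalType` description could also note that setting it explicitly is what lets ARM create the assignment for a principal that was created in the same deployment, which is the usual reason callers need this member.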
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -110,8 +176,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -131,6 +196,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -179,276 +253,20 @@ "dataCollectionRule_roleAssignments": { "copy": { "name": "dataCollectionRule_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dataCollectionRule-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15006261932688103990" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "dataCollectionRule" 
diff --git a/modules/insights/metric-alert/.bicep/nested_roleAssignments.bicep b/modules/insights/metric-alert/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ad04f79f7a..0000000000 --- a/modules/insights/metric-alert/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(metricAlert.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: metricAlert -}] diff --git a/modules/insights/metric-alert/.test/common/main.test.bicep b/modules/insights/metric-alert/.test/common/main.test.bicep index 7d7b2bdf99..c8711dd79a 100644 --- a/modules/insights/metric-alert/.test/common/main.test.bicep +++ b/modules/insights/metric-alert/.test/common/main.test.bicep @@ -71,9 +71,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 9167bd19af..d218665401 100644 
--- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -61,9 +61,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -124,9 +122,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -265,7 +261,68 @@ The name of the alert. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scopes` diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep index 978e41e69e..1c9c7fa2fc 100644 --- a/modules/insights/metric-alert/main.bicep +++ b/modules/insights/metric-alert/main.bicep 
@@ -76,7 +76,7 @@ param alertCriteriaType string = 'Microsoft.Azure.Monitor.MultipleResourceMultip
 param criterias array
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -89,6 +89,14 @@ var actionGroups = [for action in actions: {
   webHookProperties: contains(action, 'webHookProperties') ? action.webHookProperties : null
 }]
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
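Review bot: The new `builtInRoleNames` map in the `@@ -89,6 +89,14 @@` hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the nested module this commit deletes resolved well over a hundred, for example 'Monitoring Contributor' and 'Log Analytics Reader'. A caller that still passes one of the dropped names in `roleDefinitionIdOrName` now falls through the `contains(builtInRoleNames, …)` lookup in the resource hunk further down, and the bare display name is sent as `roleDefinitionId`; I would expect the deployment to reject that rather than fail silently, but the behaviour change is not mentioned anywhere in the commit. The `@description` on `roleAssignments` in the `@@ -76,7 +76,7 @@` hunk still promises "either the display name of the role definition, or its fully qualified ID" without saying which names resolve; I would qualify it, e.g. append `Only the display names Contributor, Owner, Reader, Role Based Access Control Administrator (Preview) and User Access Administrator are resolved; any other role must be given by its role definition ID.`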
@@ -123,17 +131,18 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
   }
 }
 
-module metricAlert_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-MetricAlert-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: metricAlert.id
+resource metricAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(metricAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: metricAlert
 }]
 
 @description('The resource group the metric alert was deployed into.')
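Review bot: The inline comment on the new `conditionVersion` line misspells "condition"; it should read `// Must only be set if condition is set`. Separately, the assignment `name` is derived from the unresolved `roleAssignment.roleDefinitionIdOrName` while `roleDefinitionId` uses the resolved value, so the same (principal, role, scope) triple given once by display name and once by ID yields two different deterministic names for what is one role assignment, and the second deployment is likely to be rejected as a duplicate rather than treated as a no-op. If that matters, resolve the ID once (e.g. a `var` or a second loop expression) and feed it to both `name` and `roleDefinitionId`; be aware this changes the generated names for existing deployments that use display names, so it would need a migration note. The deleted nested module used the same naming scheme, so this is a pre-existing behaviour carried over rather than a regression of this commit.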
@@ -147,3 +156,29 @@ output resourceId string = metricAlert.id
 
 @description('The location the resource was deployed into.')
 output location string = metricAlert.location
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json
index dd0d30a3f6..596264f7b2 100644
--- a/modules/insights/metric-alert/main.json
+++ b/modules/insights/metric-alert/main.json
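Review bot: In the new `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` states nullability twice, once as the `| null` union member and once as the trailing `?`; the compiled `main.json` in this same commit emits `"nullable": true` with only the five string values, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and matches how `conditionVersion: '2.0'?` is written a few lines below. The type declaration itself carries no `@description` although every member does; if the toolchain accepts decorators on `type`, a one-liner such as `@description('Optional. Role assignments to create on the metric alert.')` above `type roleAssignmentType = {` would document the array as a whole for readers of the generated README.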
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15731967065620351074" + "templateHash": "12768498740595616170" }, "name": "Metric Alerts", "description": "This module deploys a Metric Alert.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -140,8 +209,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -171,10 +239,17 @@ "webHookProperties": "[if(contains(parameters('actions')[copyIndex('actionGroups')], 'webHookProperties'), parameters('actions')[copyIndex('actionGroups')].webHookProperties, null())]" } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -188,7 +263,7 @@ } } }, - { + "metricAlert": { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[parameters('name')]", 
@@ -211,285 +286,29 @@ "actions": "[variables('actionGroups')]" } }, - { + "metricAlert_roleAssignments": { "copy": { "name": "metricAlert_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MetricAlert-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/metricAlerts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/metricAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/metricAlerts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14564060617945907933" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/metricAlerts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/metricAlerts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - 
"[resourceId('Microsoft.Insights/metricAlerts', parameters('name'))]" + "metricAlert" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -517,7 +336,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/metricAlerts', parameters('name')), '2018-03-01', 'full').location]" + "value": "[reference('metricAlert', '2018-03-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/private-link-scope/.bicep/nested_roleAssignments.bicep b/modules/insights/private-link-scope/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2825eb379c..0000000000 --- a/modules/insights/private-link-scope/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource privateLinkScope 'Microsoft.Insights/privateLinkScopes@2019-10-17-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(privateLinkScope.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: privateLinkScope -}] diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep index 92f4e840e6..373e51553f 100644 --- a/modules/insights/private-link-scope/.test/common/main.test.bicep +++ b/modules/insights/private-link-scope/.test/common/main.test.bicep @@ -79,9 +79,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 6f44a2d959..14f386ae96 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -64,9 +64,7 @@ This instance deploys the module with most of its features enabled. ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -125,9 +123,7 @@ This instance deploys the module with most of its features enabled. "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -282,7 +278,68 @@ Configuration details for private endpoints. For security reasons, it is recomme Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scopedResources` diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep index dd426808f0..fc8e46f04a 100644 --- a/modules/insights/private-link-scope/main.bicep +++ b/modules/insights/private-link-scope/main.bicep 
@@ -13,7 +13,7 @@ param location string = 'global'
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Configuration details for Azure Monitor Resources.')
 param scopedResources array = []
@@ -29,6 +29,14 @@ param enableDefaultTelemetry bool = true
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
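Review bot: The `builtInRoleNames` map in the second hunk resolves only five display names, whereas the deleted `nested_roleAssignments.bicep` resolved a far longer list (for example 'Monitoring Reader' and 'Monitoring Contributor'); any other name a caller still passes is handed through unchanged by the `contains()` lookup in the following hunk and only fails at deployment time. That is a breaking change for existing consumers which the commit does not call out, and the `roleAssignments` description in the first hunk still promises "either the display name of the role definition, or its fully qualified ID". I would add above the map `// Only these display names are resolved; any other role must be passed as its full roleDefinitions resource ID` and narrow the parameter description to match.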
@@ -91,17 +99,18 @@ module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bi
 }
 }]
-module privateLinkScope_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-PvtLinkScope-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: privateLinkScope.id
+resource privateLinkScope_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(privateLinkScope.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: privateLinkScope
 }]
 @description('The name of the private link scope.')
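Review bot: `name: guid(privateLinkScope.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` derives the assignment name from the caller's raw string rather than the resolved role definition ID, so the same role given once as 'Reader' and once as its full resource ID produces two different names for what Azure treats as a single assignment, which I would expect to surface as a conflict on the second deployment rather than an idempotent no-op. The deleted nested module had the same construction, but now that resolution happens in the same resource it is easy to feed the resolved value into `guid()`, e.g. `name: guid(privateLinkScope.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Two smaller points on the same block: the `index` loop variable is unused now that the `uniqueString` name is gone, and the trailing comment misspells `condtion`. The resource is complete within the hunk.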
@@ -127,3 +136,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
index fcc3551f3e..0e402b915a 100644
--- a/modules/insights/private-link-scope/main.json
+++ b/modules/insights/private-link-scope/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8075984663327390200" + "templateHash": "10019971976836793472" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.",
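Review bot: In `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` the `null` union member is redundant with the trailing `?`; the compiled `main.json` in a later hunk carries only the five `allowedValues` plus `"nullable": true`, so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract and matches how `lockType.kind` in the context lines is written. On documentation, the `principalType` description could tell callers why to set it: Azure's guidance, as far as I recall, is to pass 'ServicePrincipal' when assigning to a newly created managed identity or service principal so the assignment does not fail on directory replication lag, e.g. `@description('Optional. The principal type of the assigned principal ID. Set to \'ServicePrincipal\' when assigning to a managed identity or service principal.')`. The type definition is complete within the hunk.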
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -97,7 +162,14 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -136,6 +208,28 @@ "privateLinkScope" ] }, + "privateLinkScope_roleAssignments": { + "copy": { + "name": "privateLinkScope_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", + "name": "[guid(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateLinkScope" + ] + }, "privateLinkScope_scopedResource": { 
"copy": { "name": "privateLinkScope_scopedResource", 
@@ -786,284 +880,6 @@ "dependsOn": [ "privateLinkScope" ] - }, - "privateLinkScope_roleAssignments": { - "copy": { - "name": "privateLinkScope_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PvtLinkScope-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5166949819431915903" - } - 
}, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster 
Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets 
Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('microsoft.insights/privateLinkScopes/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('microsoft.insights/privateLinkScopes', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": 
"[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "privateLinkScope" - ] } }, "outputs": { diff --git a/modules/insights/scheduled-query-rule/.bicep/nested_roleAssignments.bicep b/modules/insights/scheduled-query-rule/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 4db63e69f8..0000000000 --- a/modules/insights/scheduled-query-rule/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
- 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')
- 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')
-}
-
-resource queryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(queryAlert.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: queryAlert
-}]
diff --git a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
index 7a197f090c..ece99e7a5d 100644
--- a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
+++ b/modules/insights/scheduled-query-rule/.test/common/main.test.bicep
@@ -87,9 +87,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index 6a30bc24a4..c5a4ea3e0a 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -80,9 +80,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' queryTimeRange: 'PT5M' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -167,9 +165,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -308,7 +304,68 @@ If specified (in ISO 8601 duration format) then overrides the query time range. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scopes` diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep index 3f08e996f4..226ecce844 100644 --- a/modules/insights/scheduled-query-rule/main.bicep +++ b/modules/insights/scheduled-query-rule/main.bicep 
@@ -34,7 +34,7 @@ param skipQueryValidation bool = false
 param targetResourceTypes array = []
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Required. The list of resource IDs that this scheduled query rule is scoped to.')
 param scopes array
@@ -70,6 +70,14 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
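Review bot: `builtInRoleNames` now resolves only five general-purpose display names, whereas the deleted nested_roleAssignments.bicep resolved a much longer list (for example 'Monitoring Contributor' and 'Log Analytics Reader'), and nothing in the hunk records that narrowing. Combined with the fallback on the `roleDefinitionId` line in the next hunk, any name outside this map — including a misspelled one — is sent to ARM verbatim as a role definition ID and fails at deployment time rather than at template validation. This is presumably intentional, but callers of the previous version that relied on the wider list will break, so a comment above the map would help: `// Only these display names are resolved; pass any other role as its fully qualified role definition ID, otherwise the string reaches ARM unchanged and the deployment fails.` A changelog or README entry noting the narrowed list would also be worth adding.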
@@ -108,17 +116,18 @@ resource queryRule 'Microsoft.Insights/scheduledQueryRules@2021-02-01-preview' =
 }
 }
-module queryRule_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-QueryRule-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: queryRule.id
+resource queryRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(queryRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: queryRule
 }]
 @description('The Name of the created query rule.')
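Review bot: The trailing comment on the `conditionVersion` line misspells "condition" (`// Must only be set if condtion is set`), and it is the only explanation of why a caller-supplied `conditionVersion` is silently dropped when no `condition` is given, so it should read clearly: `// conditionVersion is only meaningful together with a condition, so it is nulled out otherwise`. The same line defaults the version to '2.0' when a condition is present; since the type in the later hunk only allows '2.0', that default is consistent, but a short note there that the default tracks the single allowed value would save the next maintainer a lookup. The `queryRule_roleAssignments` resource is contained entirely within this hunk.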
@@ -132,3 +141,29 @@ output resourceGroupName string = resourceGroup().name
 @description('The location the resource was deployed into.')
 output location string = queryRule.location
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json
index 5f912821a8..bfaf29b63b 100644
--- a/modules/insights/scheduled-query-rule/main.json
+++ b/modules/insights/scheduled-query-rule/main.json
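Review bot: In `roleAssignmentType`, the `| null` member of the `principalType` union is redundant with the trailing `?` (the compiled main.json in the next file section carries only the five allowed values plus `"nullable": true`), so the declaration would be cleaner as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The description of `principalType` also deserves a practical note, since the property is the one callers most often omit: Azure's role-assignment guidance recommends setting it (typically to 'ServicePrincipal') when the principal was created in the same deployment, because a lookup without it can fail on a not-yet-replicated identity — the test in main.test.bicep does set it, which is good. Finally, the old nested module accepted `principalType: ''` as its default; callers still passing an empty string will now fail type validation, which is presumably intended but worth a line in the README or changelog.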
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5166537476303359521" + "templateHash": "12829815846590991969" }, "name": "Scheduled Query Rules", "description": "This module deploys a Scheduled Query Rule.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -79,8 +148,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -154,8 +222,17 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -169,7 +246,7 @@ } } }, - { + "queryRule": { "type": "Microsoft.Insights/scheduledQueryRules", "apiVersion": "2021-02-01-preview", "name": "[parameters('name')]", 
@@ -196,285 +273,29 @@ "windowSize": "[if(and(equals(parameters('kind'), 'LogAlert'), not(empty(parameters('windowSize')))), parameters('windowSize'), null())]" } }, - { + "queryRule_roleAssignments": { "copy": { "name": "queryRule_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-QueryRule-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/scheduledQueryRules/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10545808551952818846" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Insights/scheduledQueryRules/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Insights/scheduledQueryRules', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], 
parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name'))]" + "queryRule" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -502,7 +323,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name')), '2021-02-01-preview', 'full').location]" + "value": "[reference('queryRule', '2021-02-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/webtest/.bicep/nested_roleAssignments.bicep b/modules/insights/webtest/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index db6798b5eb..0000000000 --- a/modules/insights/webtest/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,198 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c') - 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61') - 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d') - 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') - 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e') - 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b') - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f') - 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404') - 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd') - 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96') - 'Azure Arc 
Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2') - 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4') - 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1') - 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87') - 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda') - 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9') - 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b') - 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f') - 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83') - 'Azure Arc VMware Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa') - 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e3c6656-6cfa-4708-81fe-0de47ac73342') - 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45') - 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd') - 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432') - 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af') - 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f') - 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25') - 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb') - 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe') - 'Cognitive Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68') - 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908') - 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352') - 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102') - 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Account Reader Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5') - 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8') - 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55') - 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387') - 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc') - 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822') - 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33') - 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e') - 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868') - 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'2ad6aaab-ead9-4eaa-8ac5-da422f562408') - 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b') - 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d') - 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a') - 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98') - 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b') - 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432') - 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f') - 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f') - 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') - 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443') - 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a') - 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41') - 'Kubernetes Extension Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717') - 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1') - 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270') - 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead') - 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d') - 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f') - 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e') - 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6') - 'Load Test Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59') - 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') - 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466') - 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77') - 'Media Services Media Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c') - 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae') - 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics 
Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94') - 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e3d13bf0-dd5a-482e-ba6b-9b8433878d10') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') - 'Workbook Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad') - 'Workbook Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d') -} - -resource webtest 'Microsoft.Insights/webtests@2022-06-15' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(webtest.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: webtest -}] diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index f04f2eedbb..c0fb2f99fe 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md 
@@ -338,7 +338,68 @@ Allow for retries should this WebTest fail. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `syntheticMonitorId` diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep index 8dc56e6208..543f21664c 100644 --- a/modules/insights/webtest/main.bicep +++ b/modules/insights/webtest/main.bicep 
@@ -72,11 +72,19 @@ param configuration object = {}
 param lock lockType
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
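Review bot: The description kept on `param roleAssignments roleAssignmentType` still promises that any role display name can be given, but the new `builtInRoleNames` variable in this hunk resolves only five names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the deleted nested template resolved a much longer list. In the `webtest_roleAssignments` resource of the next hunk, a display name that is not one of those five falls through the `contains(builtInRoleNames, …)` ternary and is passed verbatim as `roleDefinitionId`, which presumably only surfaces as a deployment-time error rather than a validation error. Callers that used to pass names such as 'Monitoring Reader' are silently broken by this change, so the description should say which names are resolved, e.g. `… you can provide either the display name of one of the built-in roles resolved by builtInRoleNames (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), or its fully qualified ID …`; the same sentence appears in the README hunk for this module and would need the same adjustment.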
@@ -118,17 +126,18 @@ resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 scope: webtest
 }
-module webtest_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-WebTests-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: webtest.id
+resource webtest_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(webtest.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: webtest
 }]
 @sys.description('The name of the webtest.')
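Review bot: The trailing comment on the `conditionVersion` line misspells the field it refers to (`// Must only be set if condtion is set`) and does not say why '2.0' is substituted. Since the `roleAssignmentType` declared later in this file restricts `conditionVersion` to '2.0', the comment could carry that reasoning: `// conditionVersion is only valid together with a condition; '2.0' is the only version the type allows, so it is defaulted here`. The unchanged `loop` index variable `index` is now unused in the new resource header, so dropping it to `[for roleAssignment in (roleAssignments ?? []): {` would also avoid a linter warning.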
@@ -154,3 +163,26 @@ type lockType = {
 @sys.description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @sys.description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @sys.description('Optional. The description of the role assignment.')
+ description: string?
+
+ @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @sys.description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json
index 3421143fd2..31d4a00dd5 100644
--- a/modules/insights/webtest/main.json
+++ b/modules/insights/webtest/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5083769874568956542"
+ "templateHash": "15753684775174621493"
 },
 "name": "Web Tests",
 "description": "This module deploys a Web Test.",
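Review bot: In the new `roleAssignmentType`, the `principalType` member spells nullability twice: `null` is listed inside the union and the whole union is also suffixed with `?`, while the sibling members (`description: string?`, `conditionVersion: '2.0'?`) use the suffix alone. The compiled main.json in this commit already expresses it as `allowedValues` without null plus `"nullable": true`, so the inner `null` adds nothing; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the type consistent with its neighbours. The `conditionVersion` description could also state the coupling that the resource in the previous hunk enforces, e.g. `@sys.description('Optional. Version of the condition. Only applied when a condition is set; defaults to 2.0.')`.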
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -169,8 +235,7 @@
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
@@ -183,6 +248,15 @@
 }
 }
 },
+ "variables": {
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+ }
+ },
 "resources": {
 "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
@@ -236,276 +310,20 @@
 "webtest_roleAssignments": {
 "copy": {
 "name": "webtest_roleAssignments",
- "count": "[length(parameters('roleAssignments'))]"
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]"
 },
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "[format('{0}-WebTests-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]",
+ "name": "[guid(resourceId('Microsoft.Insights/webtests', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]",
- "principalIds": {
- "value": "[parameters('roleAssignments')[copyIndex()].principalIds]"
- },
- "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]",
- "roleDefinitionIdOrName": {
- "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]"
- },
- "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]",
- "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]",
- "resourceId": {
- "value": "[resourceId('Microsoft.Insights/webtests', parameters('name'))]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13954103255282067786"
- }
- },
- "parameters": {
- "principalIds": {
- "type": "array",
- "metadata": {
- "description": "Required. The IDs of the principals to assign the role to."
- }
- },
- "roleDefinitionIdOrName": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
- }
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "Required. The resource ID of the resource to apply the role assignment to."
- }
- },
- "principalType": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "ServicePrincipal",
- "Group",
- "User",
- "ForeignGroup",
- "Device",
- ""
- ],
- "metadata": {
- "description": "Optional. The principal type of the assigned principal ID."
- }
- },
- "description": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The description of the role assignment."
- }
- },
- "condition": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
- }
- },
- "conditionVersion": {
- "type": "string",
- "defaultValue": "2.0",
- "allowedValues": [
- "2.0"
- ],
- "metadata": {
- "description": "Optional. Version of the condition."
- }
- },
- "delegatedManagedIdentityResourceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Id of the delegated managed identity resource."
- }
- }
- },
- "variables": {
- "builtInRoleNames": {
- "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
- "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
- "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
- "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]",
- "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
- "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
- "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]",
- "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
- "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]",
- "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
- "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
- "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00493d72-78f6-4148-b6c5-d3ce8e4799dd')]",
- "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]",
- "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]",
- "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]",
- "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]",
- "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]",
- "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]",
- "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]",
- "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]",
- "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]",
- "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]",
- "Azure Arc VMware Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]",
- "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]",
- "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]",
- "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]",
- "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
- "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
- "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
- "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
- "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]",
- "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
- "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
- "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
- "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
- "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
- "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
- "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]",
- "Collaborative Runtime Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]",
- "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]",
- "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
- "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
- "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
- "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
- "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
- "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]",
- "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]",
- "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]",
- "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]",
- "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]",
- "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'489581de-a3bd-480d-9518-53dea7416b33')]",
- "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]",
- "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]",
- "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]",
- "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]",
- "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]",
- "Desktop Virtualization Workspace Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]",
- "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]",
- "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]",
- "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]",
- "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]",
- "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]",
- "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]",
- "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]",
- "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]",
- "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
- "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
- "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
- "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
- "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
- "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]",
- "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
- "HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
- "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
- "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]",
- "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]",
- "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
- "Key Vault Crypto Officer": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]",
- "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]",
- "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
- "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
- "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]",
- "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]",
- "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]",
- "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
- "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]",
- "Lab Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]",
- "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]",
- "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]",
- "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]",
- "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]",
- "LocalRulestacksAdministrator role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]",
- "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
- "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]",
- "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
- "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
- "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
- "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
- "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
- "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
- "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
- "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]",
- "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]",
- "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]",
- "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'c4bba371-dacd-4a26-b320-7250bca963ae')]",
- "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]",
- "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
- "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
- "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
- "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
- "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]",
- "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
- "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
- "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]",
- "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
- "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
- "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]",
- "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
- "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'e0f68234-74aa-48ed-b826-c38b57376e17')]",
- "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
- "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
- "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
- "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
- "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
- "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
- "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
- "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
- "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
- "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]",
- "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
- "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
- "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
- "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
- "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
- "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
- "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
- "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
- "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
- "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
- "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
- "Workbook Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
- "Workbook Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
- }
- },
- "resources": [
- {
- "copy": {
- "name": "roleAssignment",
- "count": "[length(parameters('principalIds'))]"
- },
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "scope": "[format('Microsoft.Insights/webtests/{0}', last(split(parameters('resourceId'), '/')))]",
- "name": "[guid(resourceId('Microsoft.Insights/webtests', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]",
- "properties": {
- "description": "[parameters('description')]",
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), 
variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]",
- "principalId": "[parameters('principalIds')[copyIndex()]]",
- "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
- "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
- "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
- "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
- }
- }
- ]
- }
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
 },
 "dependsOn": [
 "webtest"
diff --git a/modules/key-vault/vault/.bicep/nested_roleAssignments.bicep b/modules/key-vault/vault/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index 82b46c7e7c..0000000000
--- a/modules/key-vault/vault/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,79 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed HSM contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(keyVault.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? 
builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: keyVault -}] diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index f1d6ac03e3..a1aff587d5 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -67,7 +67,6 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId @@ -83,9 +82,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -150,9 +147,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
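Review bot: Removing `diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId` from the common test leaves the storage-account diagnostic sink unexercised while the workspace and event-hub sinks remain covered. If the storage sink was dropped from the vault module itself this is consistent, but nothing in this hunk shows that; otherwise keep the line, or add a short comment in the test stating why the storage sink is no longer deployed so the reduced coverage is deliberate rather than accidental. The `testDeployment` module body starts and ends outside the hunk.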
@@ -166,9 +161,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index ef1ac097eb..5b1339de2b 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -240,9 +240,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: 'keyName' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -307,9 +305,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -323,9 +319,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { name: 'secretName' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -388,9 +382,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "name": "keyName", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -463,9 +455,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -481,9 +471,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "name": "secretName", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -936,7 +924,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `secrets` diff --git a/modules/key-vault/vault/key/.bicep/nested_roleAssignments.bicep b/modules/key-vault/vault/key/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cb52c49d18..0000000000 --- a/modules/key-vault/vault/key/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,79 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed HSM contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource key 'Microsoft.KeyVault/vaults/keys@2022-07-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(key.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? 
builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: key -}] diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index df45c90f3d..1e576869c8 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md 
@@ -123,7 +123,68 @@ The name of the key. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `rotationPolicy` diff --git a/modules/key-vault/vault/key/main.bicep b/modules/key-vault/vault/key/main.bicep index 5db4a3ebf3..f506bd7937 100644 --- a/modules/key-vault/vault/key/main.bicep +++ b/modules/key-vault/vault/key/main.bicep 
@@ -54,7 +54,7 @@ param keySize int = -1
 param kty string = 'EC'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Key rotation policy properties object.')
 param rotationPolicy object = {}
@@ -62,6 +62,23 @@ param rotationPolicy object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') + 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') + 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') + 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') + 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') + 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') + 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') + 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') + 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
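Review bot: The inlined `builtInRoleNames` map resolves fewer display names than the deleted `key/.bicep/nested_roleAssignments.bicep` it replaces — 'Desktop Virtualization Virtual Machine Contributor', 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application…' roles, 'Managed HSM contributor', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are gone. Since the role-assignment resource falls back to the raw `roleDefinitionIdOrName` string when a name is not in the map, a caller still passing one of those display names will now hit a deployment-time failure instead of getting an assignment. If trimming to Key-Vault-relevant roles is intentional, say so at the top of the map, e.g. `// Only roles meaningful for a Key Vault key are resolvable by display name; any other role must be passed as a fully qualified role definition resource ID`, and consider mentioning it in the `@description` of `roleAssignments`.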
@@ -96,17 +113,18 @@ resource key 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { } } -module key_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: key.id +resource key_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(key.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: key }] @description('The name of the key.') 
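Review bot: The trailing comment on the `conditionVersion` line misspells "condition": `conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condition is set`. It would also help to document on the `roleDefinitionId` line that a value not found in `builtInRoleNames` is passed through unchanged, so only a fully qualified role definition resource ID works there — a bare role GUID or a misspelt display name is presumably rejected by the service at deployment time rather than by this template, e.g. `// Unknown names pass through unchanged and must then be a full '/providers/Microsoft.Authorization/roleDefinitions/<guid>' ID`. The resource name `guid(key.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` keeps the same inputs as the deleted nested module, so existing assignments should keep their identity across this refactor; worth confirming on a redeploy.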
@@ -117,3 +135,29 @@ output resourceId string = key.id @description('The name of the resource group the key was created in.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/key-vault/vault/key/main.json b/modules/key-vault/vault/key/main.json index 84cf8349fb..9188cec34a 100644 --- a/modules/key-vault/vault/key/main.json +++ b/modules/key-vault/vault/key/main.json 
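Review bot: In `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` — the `null` member of the union is redundant with the trailing `?`, and the compiled `main.json` in this same change lists only the five string values with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match the other optional members. The `@description` of `principalType` could also say why a caller would set it, since the assignment is otherwise keyed on `principalId` alone; setting the type is commonly advised for freshly created service principals to avoid directory-lookup failures, which is worth confirming against the service documentation before adding it to the description. The remaining members read consistently with the generated README entries above.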
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3444180240240001557" + "templateHash": "15473816229466025012" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", @@ -102,8 +171,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -123,8 +191,26 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -138,7 +224,13 @@ } } }, - { + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]" + }, + "key": { "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2022-07-01", "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", 
@@ -154,168 +246,34 @@ "keySize": "[if(not(equals(parameters('keySize'), -1)), parameters('keySize'), null())]", "kty": "[parameters('kty')]", "rotationPolicy": "[if(not(empty(parameters('rotationPolicy'))), parameters('rotationPolicy'), null())]" - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "key_roleAssignments": { "copy": { "name": "key_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', parameters('keyVaultName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14547096535874536511" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key 
Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed HSM contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - 
"copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" + "key" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep index 2c57f21433..5977b4faf0 100644 --- a/modules/key-vault/vault/main.bicep +++ b/modules/key-vault/vault/main.bicep 
@@ -80,7 +80,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] 
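Review bot: The `@description` on `roleAssignments` still promises that any role "display name" is accepted, but the resolution further down in this file (`contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[...] : roleAssignment.roleDefinitionIdOrName`) only maps names present in the module's `builtInRoleNames` variable and passes every other string through verbatim as the role definition ID, which then fails at deployment time with an unhelpful error. I would make that contract explicit, e.g. append `Display names are resolved only for the built-in roles listed in the module\'s builtInRoleNames variable; any other value is used verbatim as the role definition resource ID.` to the description. This matters more now that the parameter is typed, since the type makes `roleDefinitionIdOrName` look like a free-form string.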
@@ -148,6 +148,23 @@ var enableReferencedModulesTelemetry = false // ============ // // Dependencies // // ============ // +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') + 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') + 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') + 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') + 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') + 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') + 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') + 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') + 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
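Review bot: The new `builtInRoleNames` map is narrower than the nested role-assignment template this patch deletes elsewhere (the key module's `main.json` hunk drops entries such as 'Monitoring Reader', 'Log Analytics Contributor', 'Managed HSM contributor' and 'Resource Policy Contributor'); if the vault's removed `.bicep/nested_roleAssignments.bicep` carried the same list, callers that pass one of those display names will now have the bare name sent as `roleDefinitionId` and fail, so this is a breaking change that needs a changelog line or a deliberate decision to keep the broader list. Because the lookup is by exact display name, a short header comment would help the next maintainer: `// Display name -> role definition ID table used by keyVault_roleAssignments; names not listed here are passed through unchanged as IDs.` The map still resolves 'Owner' and 'User Access Administrator' at vault scope, which is unchanged from before but worth keeping in mind when reviewing callers of this module.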
@@ -279,17 +296,18 @@ module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [ } }] -module keyVault_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-KeyVault-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: keyVault.id +resource keyVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: keyVault }] // =========== // 
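Review bot: `name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` derives the assignment name from the caller's raw string rather than the resolved role definition ID, so the same role written as a display name and as a full `/providers/Microsoft.Authorization/roleDefinitions/...` ID yields two different names; a caller that switches forms then attempts a second assignment for an identical principal/role/scope, which ARM rejects as already existing. Computing the name from the resolved ID avoids that: `name: guid(keyVault.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The removed nested module had the same behaviour, and changing the input would rename assignments already created via display names, so this should land with a migration note rather than silently. Minor: the trailing comment on `conditionVersion` misspells "condition" (`condtion`).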
@@ -321,3 +339,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index b005c249e1..3efab0881e 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7889486567916946321" + "templateHash": "2886634889186543886" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
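Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property optional with `?`, which is redundant; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches the other optional members and what the compiled JSON in this patch emits (`allowedValues` without null plus `nullable: true`). The `conditionVersion` description should state the rule the resource enforces, e.g. `Optional. Version of the condition. Only applied when condition is set; defaults to 2.0.` Since `principalType` is optional, its description could also note that supplying it is recommended for freshly created service principals, which in practice helps avoid PrincipalNotFound failures from directory replication lag. The `lockType` definition whose tail opens this hunk starts outside it.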
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -196,8 +262,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -290,7 +355,23 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", + "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -364,6 +445,28 @@ "keyVault" ] }, + "keyVault_roleAssignments": { + "copy": { + "name": "keyVault_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.KeyVault/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "keyVault" + ] + }, "keyVault_accessPolicies": { "condition": "[not(empty(parameters('accessPolicies')))]", 
"type": "Microsoft.Resources/deployments", 
@@ -522,17 +625,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15496955101876834904" + "templateHash": "829178043317702363" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", 
@@ -595,15 +767,32 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4633458b-17de-408a-b874-0445c86b69e6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -617,7 +806,13 @@ } } }, - { + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]" + }, + "secret": { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2022-07-01", "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", 
@@ -630,168 +825,34 @@ "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), parameters('attributesNbf'), null())]" }, "value": "[parameters('value')]" - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "secret_roleAssignments": { "copy": { "name": "secret_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', parameters('keyVaultName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17395736576734421648" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log 
Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed HSM contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": 
"Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" + "secret" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -857,17 +918,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3444180240240001557" + "templateHash": "15473816229466025012" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", @@ -959,8 +1089,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -980,8 +1109,26 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -995,7 +1142,13 @@ } } }, - { + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]" + }, + "key": { "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2022-07-01", "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", 
@@ -1011,168 +1164,34 @@ "keySize": "[if(not(equals(parameters('keySize'), -1)), parameters('keySize'), null())]", "kty": "[parameters('kty')]", "rotationPolicy": "[if(not(empty(parameters('rotationPolicy'))), parameters('rotationPolicy'), null())]" - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "key_roleAssignments": { "copy": { "name": "key_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', parameters('keyVaultName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14547096535874536511" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key 
Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed HSM contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - 
"copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/keys/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('keyVaultName'), parameters('name'))]" + "key" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1730,165 +1749,6 @@ "dependsOn": [ "keyVault" ] - }, - "keyVault_roleAssignments": { - "copy": { - "name": "keyVault_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13908410767908593601" - } - }, - "parameters": { - 
"principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed HSM contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], 
parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "keyVault" - ] } }, "outputs": { diff --git a/modules/key-vault/vault/secret/.bicep/nested_roleAssignments.bicep b/modules/key-vault/vault/secret/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 4ab9f94b16..0000000000 --- a/modules/key-vault/vault/secret/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,79 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') - 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') - 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') - 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') - 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') - 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') - 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') - 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') - 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Managed HSM contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(secret.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? 
builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: secret -}] diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index 240a6475e6..46608a5240 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md 
@@ -95,7 +95,68 @@ The name of the secret. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/key-vault/vault/secret/main.bicep b/modules/key-vault/vault/secret/main.bicep index 75f0388c4b..e20b690b6f 100644 --- a/modules/key-vault/vault/secret/main.bicep +++ b/modules/key-vault/vault/secret/main.bicep 
@@ -32,7 +32,24 @@ param value string
 param enableDefaultTelemetry bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
+ 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
+ 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
+ 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
+ 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
+ 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
+ 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
+ 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
+ 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
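Review bot: The new `builtInRoleNames` map drops display names the deleted nested module still resolved (its removed hunk lists 'Desktop Virtualization Virtual Machine Contributor', 'Log Analytics Contributor', 'Log Analytics Reader', the 'Managed Application…' roles, 'Managed HSM contributor', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'), and the `contains(builtInRoleNames, …)` fallback in the following hunk passes any name that is not in the map through verbatim as `roleDefinitionId`. A caller that still uses one of those display names therefore gets a deployment-time error instead of an assignment, which is a breaking change this commit does not mention. If trimming the list to Key Vault-relevant roles is intended, say so in the parameter description or a changelog entry, and put a short comment above the map such as `// Display names resolved by this module; any other value is sent unchanged as the role definition ID.` so the pass-through behaviour is visible where the list is maintained.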
@@ -65,17 +82,18 @@ resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
 }
 }
 
-module secret_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: secret.id
+resource secret_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(secret.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: secret
 }]
 
 @description('The name of the secret.')
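Review bot: `principalType: roleAssignment.?principalType` forwards the type only when the caller sets it, yet nothing in the new type definition or README says when that matters: a role assignment for a freshly created service principal or managed identity can fail with a principal-not-found error because of directory replication lag unless `principalType` is set to `'ServicePrincipal'`, so the property description should carry that advice. The inline comment on the `conditionVersion` line has a typo, `condtion` → `condition`. `name: guid(secret.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's spelling of the role, so the same role given once by display name and once by its ID produces two names for one effective assignment and the second deployment attempt fails with a conflict; hashing the resolved `roleDefinitionId` instead would avoid that, but it renames existing assignments on redeploy, so it may be better documented than changed here.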
@@ -86,3 +104,30 @@ output resourceId string = secret.id
 
 @description('The name of the resource group the secret was created in.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/key-vault/vault/secret/main.json b/modules/key-vault/vault/secret/main.json
index 07f0947902..18a714a470 100644
--- a/modules/key-vault/vault/secret/main.json
+++ b/modules/key-vault/vault/secret/main.json
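Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property optional with `?`, which is redundant; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract and matches what the compiled `main.json` in this diff already emits (an `allowedValues` list without a null entry plus `nullable: true`). The `roleDefinitionIdOrName` description says a role "cannot be found" without saying where the lookup happens: only the display names in this file's `builtInRoleNames` are resolved and any other value is sent unchanged as the role definition ID, so a description like `'Required. The display name of a role known to this module, or a full role definition ID; any other value is passed through unchanged.'` would tell callers what to expect. The `condition` description also lacks the trailing period the other descriptions have.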
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15496955101876834904" + "templateHash": "829178043317702363" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", 
@@ -73,15 +142,32 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", + "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", + "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", + "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", + "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", + "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", + "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", + "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", + "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4633458b-17de-408a-b874-0445c86b69e6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -95,7 +181,13 @@ } } }, - { + "keyVault": { + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('keyVaultName')]" + }, + "secret": { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2022-07-01", "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", 
@@ -108,168 +200,34 @@ "nbf": "[if(not(equals(parameters('attributesNbf'), -1)), parameters('attributesNbf'), null())]" }, "value": "[parameters('value')]" - } + }, + "dependsOn": [ + "keyVault" + ] }, - { + "secret_roleAssignments": { "copy": { "name": "secret_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', parameters('keyVaultName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17395736576734421648" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Crypto Service Encryption User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]", - "Key Vault Crypto User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Key Vault Secrets User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", - "Log 
Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed HSM contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18500a29-7fe2-46b2-a342-b16a415e101d')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": 
"Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.KeyVault/vaults/{0}/secrets/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.KeyVault/vaults/secrets', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('name'))]" + "secret" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/logic/workflow/.bicep/nested_roleAssignments.bicep b/modules/logic/workflow/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index eea681537a..0000000000 --- a/modules/logic/workflow/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Integration Service Environment Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8') - 'Integration Service Environment Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a') - 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource logicApp 'Microsoft.Logic/workflows@2019-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(logicApp.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: logicApp -}] diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep index 08510b7dc2..443256b468 100644 --- a/modules/logic/workflow/.test/common/main.test.bicep +++ b/modules/logic/workflow/.test/common/main.test.bicep 
@@ -77,9 +77,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 268e6d4d36..f76ec3acde 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -57,9 +57,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -148,9 +146,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -398,7 +394,68 @@ The logic app workflow name. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `state` diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index e21738baf0..9a3c4bffe4 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep 
@@ -51,7 +51,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended.') @allowed([ 
@@ -137,6 +137,16 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') + 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
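Review bot: The inlined `builtInRoleNames` map resolves only seven display names, while the deleted `.bicep/nested_roleAssignments.bicep` earlier in this diff resolved nineteen (for example 'Log Analytics Contributor', 'Monitoring Reader', 'Resource Policy Contributor'). A caller that still passes one of the dropped names will have the bare string forwarded as `roleDefinitionId` by the `contains(builtInRoleNames, …)` fallback in the resource hunk below, so the deployment fails at ARM rather than at validation. If narrowing the list is intentional it should be called out as a breaking change, and the map deserves a header comment such as `// Only roles applicable to Logic Apps are resolved by display name; any other role must be passed as a fully qualified role definition ID.`.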
@@ -206,17 +216,18 @@ resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021 scope: logicApp } -module logicApp_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-LogicApp-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: logicApp.id +resource logicApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(logicApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: logicApp }] @description('The name of the logic app.') 
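Review bot: The trailing comment on the `conditionVersion` line misspells the property name (`condtion`); it should read `// Must only be set if condition is set`. The rest of the resource is consistent with the new type: `principalId` and `roleDefinitionIdOrName` are read without `.?` because the type declares them required, and the loop over `(roleAssignments ?? [])` covers the nullable parameter. Be aware that a display name absent from `builtInRoleNames` is passed through verbatim as `roleDefinitionId`, so the fallback only succeeds when callers supply the fully qualified role definition ID the parameter description asks for.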
@@ -245,3 +256,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index 8764000248..8e531f39a0 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13172151573954232150" + "templateHash": "15935516241989416159" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", 
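Review bot: In `roleAssignmentType` the `principalType` union lists `null` explicitly and also carries the trailing `?`, which already makes the property nullable, so the `| null` member is redundant: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The generated `main.json` in this commit already emits it as `nullable: true` with five allowed values, so the change is cosmetic. The `roleDefinitionIdOrName` description could also mention that only a short list of display names is resolved by the module, since the inline map is narrower than the one the removed nested module carried.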
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -151,8 +217,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -291,7 +356,16 @@ ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", + "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -376,152 +450,20 @@ "logicApp_roleAssignments": { "copy": { "name": "logicApp_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LogicApp-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Logic/workflows', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4086758110722720032" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Integration Service Environment Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - 
"Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Logic/workflows/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Logic/workflows', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), 
null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "logicApp" diff --git a/modules/machine-learning-services/workspace/.bicep/nested_roleAssignments.bicep b/modules/machine-learning-services/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 13cf9a2109..0000000000 --- a/modules/machine-learning-services/workspace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,73 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'AzureML Compute Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815') - 'AzureML Data Scientist': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121') - 'AzureML Metrics Writer (preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae') - 'AzureML Registry User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Labeling - Labeler': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6decf44-fd0a-444c-a844-d653c394e7ab') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: workspace -}] diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index 00428ae7bd..c1353d2cb1 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep 
@@ -132,9 +132,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 2ee7b8950f..a631dfac05 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -112,9 +112,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -243,9 +241,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -745,7 +741,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceManagedResourcesSettings` diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 38af26ff9f..ca840eaec5 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep 
@@ -42,7 +42,7 @@ param hbiWorkspace bool = false
 param allowPublicAccessWhenBehindVnet bool = false
 
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
@@ -172,6 +172,18 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 // ================//
 // Deployments //
 // ================//
+var builtInRoleNames = {
+ 'AzureML Compute Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')
+ 'AzureML Data Scientist': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')
+ 'AzureML Metrics Writer (preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')
+ 'AzureML Registry User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
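Review bot: The new builtInRoleNames map resolves fewer display names than the nested template it replaces — 'Data Labeling - Labeler', 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application…' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are all present in the deleted nested_roleAssignments.bicep above but absent here. A caller that still passes one of those names now has the bare string forwarded as roleDefinitionId by the workspace_roleAssignments resource in the next hunk, so the deployment fails at role-assignment time instead of resolving as before. If narrowing the list is intentional, document it above the map, e.g. `// Only roles relevant to this resource type are resolvable by display name; pass any other role as its full roleDefinitions resource ID`, and record it as a breaking change for the module.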
@@ -296,17 +308,18 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 }
 }]
 
-module workspace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-MLWorkspace-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: workspace.id
+resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: workspace
 }]
 
 // ================//
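Review bot: The inline comment on the conditionVersion line misspells its subject; it should read `// Must only be set if condition is set`. A less cosmetic point is that the resource name is seeded with the caller's raw `roleAssignment.roleDefinitionIdOrName`, so the same principal given the same role once by display name and once by full definition ID produces two differently named roleAssignments resources for one effective assignment, and the second is rejected by ARM as a duplicate rather than the deployment being idempotent. Seeding guid() with the resolved roleDefinitionId value computed on the roleDefinitionId line would remove that ambiguity, but because it renames already-deployed assignments it would need a migration note; the deleted nested template used the same seed, so this is pre-existing rather than introduced here.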
@@ -339,3 +352,26 @@ type lockType = {
 @sys.description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @sys.description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @sys.description('Optional. The description of the role assignment.')
+ description: string?
+
+ @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @sys.description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json
index 5f059e2b37..afeeb96c69 100644
--- a/modules/machine-learning-services/workspace/main.json
+++ b/modules/machine-learning-services/workspace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7851635446929911077"
+ "templateHash": "16042425062775405859"
 },
 "name": "Machine Learning Services Workspaces",
 "description": "This module deploys a Machine Learning Services Workspace.",
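Review bot: The principalType member spells nullability twice — `null` inside the union and the trailing `?` — while lockType's kind in the context lines above uses only `('CanNotDelete' | 'ReadOnly' | 'None')?`; for consistency write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The description of principalType would also benefit from a practical hint, since the value is optional in the schema but matters for identities created in the same deployment: something like `Optional. The principal type of the assigned principal ID. Set it to 'ServicePrincipal' for identities created in the same deployment so the assignment does not fail on directory replication delay.` The compiled roleAssignmentType definition in main.json further down reflects whatever is chosen here, so keep both in step by regenerating rather than hand-editing.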
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -111,8 +177,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -330,7 +395,18 @@ "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "AzureML Compute Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", + "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", + "AzureML Metrics Writer (preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')]", + "AzureML Registry User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -432,6 +508,28 @@ "workspace" ] }, + "workspace_roleAssignments": { + "copy": { + "name": "workspace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "workspace" + ] + }, "workspace_computes": { "copy": { "name": 
"workspace_computes", 
@@ -1209,159 +1307,6 @@ "dependsOn": [ "workspace" ] - }, - "workspace_roleAssignments": { - "copy": { - "name": "workspace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-MLWorkspace-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4724282348303599635" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "AzureML Compute Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", - "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", - "AzureML Metrics Writer (preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '635dd51f-9968-44d3-b7fb-6d9a6bd613ae')]", - "AzureML Registry User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1823dd4f-9b8c-4ab6-ab4e-7397a3684615')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Labeling - Labeler": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6decf44-fd0a-444c-a844-d653c394e7ab')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), 
parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "workspace" - ] } }, "outputs": { diff --git a/modules/maintenance/maintenance-configuration/.bicep/nested_roleAssignments.bicep b/modules/maintenance/maintenance-configuration/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index e61842f731..0000000000 --- a/modules/maintenance/maintenance-configuration/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Scheduled Patching Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2021-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(maintenanceConfiguration.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: maintenanceConfiguration -}] diff --git a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep index 6467bd54d7..41ea585f30 100644 --- a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep @@ -67,9 +67,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 07317ba130..c30dd213ec 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md 
@@ -79,9 +79,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config
 namespace: 'mmccomns'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -160,9 +158,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -346,7 +342,68 @@ Gets or sets namespace of the resource.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `tags`
diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep
index 7c1563e5cb..7d90624ab9 100644
--- a/modules/maintenance/maintenance-configuration/main.bicep
+++ b/modules/maintenance/maintenance-configuration/main.bicep
@@ -39,7 +39,7 @@ param maintenanceWindow object = {}
 param namespace string = ''
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Gets or sets tags of the resource.')
 param tags object = {}
@@ -59,6 +59,15 @@ param installPatches object = {}
 // Deployments //
 // =============== //
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'Scheduled Patching Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
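Review bot: The new `builtInRoleNames` map in the second hunk resolves fewer display names than the nested template it replaces — the inline template removed from `main.json` later in this patch also knew `Log Analytics Contributor`, `Log Analytics Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor`, and the `roleDefinitionId` expression in the next hunk passes any unmatched name through verbatim as the role definition ID. An existing consumer supplying one of those names would therefore presumably now fail at deployment time with an invalid role definition ID instead of resolving as before; the user-assigned-identity module's map in this patch narrows its list the same way relative to its deleted `nested_roleAssignments.bicep`. Narrowing to roles that are meaningful at this scope is reasonable, but it is a breaking change for callers and the lookup's fallback should be stated next to the field, e.g. `@description('Required. The name of the role to assign. Only the built-in role names listed in builtInRoleNames resolve by name; any other role must be passed as its full role definition resource ID.')` on `roleDefinitionIdOrName` in `roleAssignmentType`.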
@@ -94,17 +103,18 @@ resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01
 scope: maintenanceConfiguration
 }
 
-module maintenanceConfiguration_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-maintenanceConfiguration-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: maintenanceConfiguration.id
+resource maintenanceConfiguration_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(maintenanceConfiguration.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: maintenanceConfiguration
 }]
 
 // =========== //
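Review bot: The loop header `[for (roleAssignment, index) in (roleAssignments ?? []): {` still binds `index`, but nothing in the new resource body reads it now that the name is derived from `guid(...)`, so `[for roleAssignment in (roleAssignments ?? []): {` is the accurate form; the user-assigned-identity module's `userMsi_roleAssignments` loop at the end of this chunk carries the same leftover. The trailing comment on the `conditionVersion` line misspells `condition` as `condtion`, which is worth fixing while the line is being touched.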
@@ -134,3 +144,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json
index 06577a9c39..33019922ee 100644
--- a/modules/maintenance/maintenance-configuration/main.json
+++ b/modules/maintenance/maintenance-configuration/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4333184280413980220"
+ "templateHash": "8241237134482664102"
 },
 "name": "Maintenance Configurations",
 "description": "This module deploys a Maintenance Configuration.",
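Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union while the trailing `?` already makes the property nullable; the compiled `main.json` hunk below emits the five string `allowedValues` with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract without the redundancy. Separately, the `principalType` description could carry the caveat a consumer needs when the principal is created in the same deployment: a role assignment for a principal that has not yet replicated in the directory can fail to resolve unless the type is supplied, e.g. `@description('Optional. The principal type of the assigned principal ID. Set it when the principal is created in the same deployment so the assignment does not depend on directory replication.')`.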
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -103,8 +169,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -136,6 +201,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Scheduled Patching Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -183,147 +258,20 @@ "maintenanceConfiguration_roleAssignments": { "copy": { "name": "maintenanceConfiguration_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-maintenanceConfiguration-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), 
createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17730168206359180764" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduled Patching Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd08ab90-6b14-449c-ad9a-8f8e549482c6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "maintenanceConfiguration" diff --git a/modules/managed-identity/user-assigned-identity/.bicep/nested_roleAssignments.bicep b/modules/managed-identity/user-assigned-identity/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 19a13565d0..0000000000 --- a/modules/managed-identity/user-assigned-identity/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,70 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
- 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(userMsi.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: userMsi
-}]
diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
index 48a1d41af0..a382b213a5 100644
--- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
@@ -69,9 +69,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md
index e37e89000b..1779464ca7 100644
--- a/modules/managed-identity/user-assigned-identity/README.md
+++ b/modules/managed-identity/user-assigned-identity/README.md
@@ -61,9 +61,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 name: 'miuaicom001'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -116,9 +114,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -253,7 +249,68 @@ Name of the User Assigned Identity.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `tags`
diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep
index 8b95e0c538..1b1a737132 100644
--- a/modules/managed-identity/user-assigned-identity/main.bicep
+++ b/modules/managed-identity/user-assigned-identity/main.bicep
@@ -15,7 +15,7 @@ param federatedIdentityCredentials array = []
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -25,6 +25,16 @@ param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
+ 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -37,7 +47,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
 name: name
 location: location
 tags: tags
@@ -49,14 +59,14 @@ resource userMsi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 level: lock.?kind ?? ''
 notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
- scope: userMsi
+ scope: userAssignedIdentity
 }
 
 module userMsi_federatedIdentityCredentials 'federated-identity-credential/main.bicep' = [for (federatedIdentityCredential, index) in federatedIdentityCredentials: {
 name: '${uniqueString(deployment().name, location)}-UserMSI-FederatedIdentityCredential-${index}'
 params: {
 name: federatedIdentityCredential.name
- userAssignedIdentityName: userMsi.name
+ userAssignedIdentityName: userAssignedIdentity.name
 audiences: federatedIdentityCredential.audiences
 issuer: federatedIdentityCredential.issuer
 subject: federatedIdentityCredential.subject
@@ -64,36 +74,37 @@ module userMsi_federatedIdentityCredentials 'federated-identity-credential/main.
 }
 }]
 
-module userMsi_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-UserMSI-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: userMsi.id
+resource userMsi_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(userAssignedIdentity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: userAssignedIdentity
 }]
 
 @description('The name of the user assigned identity.')
-output name string = userMsi.name
+output name string = userAssignedIdentity.name
 
 @description('The resource ID of the user assigned identity.')
-output resourceId string = userMsi.id
+output resourceId string = userAssignedIdentity.id
 
 @description('The principal ID (object ID) of the user assigned identity.')
-output principalId string = userMsi.properties.principalId
+output principalId string = userAssignedIdentity.properties.principalId
 
 @description('The client ID (application ID) of the user assigned identity.')
-output clientId string = userMsi.properties.clientId
+output clientId string = userAssignedIdentity.properties.clientId
 
 @description('The resource group the user assigned identity was deployed into.')
 output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
-output location string = userMsi.location
+output location string = userAssignedIdentity.location
 
 // =============== //
 // Definitions //
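Review bot: The trailing comment on the `conditionVersion` line misspells "condition" (`// Must only be set if condtion is set`) and would read better as `// conditionVersion is only valid together with condition`. Beyond the typo, the `roleDefinitionId` line passes any `roleDefinitionIdOrName` that is not a key of `builtInRoleNames` through verbatim, so a mistyped display name only surfaces as a deployment-time error from Microsoft.Authorization; a short comment there (`// names not in builtInRoleNames are assumed to be full role definition IDs`) would spare the next reader a trip to the variable. Note also that `name` is derived from the raw `roleDefinitionIdOrName` rather than the resolved ID, so the same role given once by name and once by ID for the same principal yields two differently named resources that RBAC is likely to reject as a duplicate assignment; keeping the current expression avoids renaming assignments that already exist, but the limitation deserves a comment on that line.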
@@ -106,3 +117,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json
index 02d9a242bf..590f927f11 100644
--- a/modules/managed-identity/user-assigned-identity/main.json
+++ b/modules/managed-identity/user-assigned-identity/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4654525005739967405"
+ "templateHash": "10195612761440584932"
 },
 "name": "User Assigned Identities",
 "description": "This module deploys a User Assigned Identity.",
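Review bot: In `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the `| null` member duplicates what the trailing `?` already expresses; the compiled `main.json` further down in this commit lists only the five string values with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` appears to describe the same contract without the redundancy. The `condition` description is also the only one in the type without a closing period, and that text is copied verbatim into the generated README. Since `roleDefinitionIdOrName` promises "If it cannot be found you can specify the role definition ID instead", the description should say which display names are resolvable (or point at `builtInRoleNames`), because a name outside that map is not reported as "not found" but silently treated as a resource ID.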
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -68,8 +134,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -90,7 +155,16 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { @@ -107,7 +181,7 @@ } } }, - "userMsi": { + "userAssignedIdentity": { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('name')]", 
@@ -125,7 +199,29 @@ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "userMsi" + "userAssignedIdentity" + ] + }, + "userMsi_roleAssignments": { + "copy": { + "name": "userMsi_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "userAssignedIdentity" ] }, "userMsi_federatedIdentityCredentials": { 
@@ -265,157 +361,7 @@ } }, "dependsOn": [ - "userMsi" - ] - }, - "userMsi_roleAssignments": { - "copy": { - "name": "userMsi_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-UserMSI-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2246284698738978006" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "userMsi" + "userAssignedIdentity" ] } }, 
@@ -439,14 +385,14 @@ "metadata": { "description": "The principal ID (object ID) of the user assigned identity." }, - "value": "[reference('userMsi').principalId]" + "value": "[reference('userAssignedIdentity').principalId]" }, "clientId": { "type": "string", "metadata": { "description": "The client ID (application ID) of the user assigned identity." }, - "value": "[reference('userMsi').clientId]" + "value": "[reference('userAssignedIdentity').clientId]" }, "resourceGroupName": { "type": "string", @@ -460,7 +406,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('userMsi', '2023-01-31', 'full').location]" + "value": "[reference('userAssignedIdentity', '2023-01-31', 'full').location]" } } } \ No newline at end of file diff --git a/modules/net-app/net-app-account/.bicep/nested_roleAssignments.bicep b/modules/net-app/net-app-account/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cd13718e3e..0000000000 --- a/modules/net-app/net-app-account/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-09-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(netAppAccount.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: netAppAccount
-}]
diff --git a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
index 25924e73f9..c1105a2b17 100644
--- a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
+++ b/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
@@ -56,9 +56,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -83,9 +81,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -107,9 +103,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -125,9 +119,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
index bc1413283d..c80906d8fd 100644
--- a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
+++ b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
@@ -56,9 +56,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -83,9 +81,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -117,9 +113,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -131,9 +125,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md
index 41ea771920..8f0db1332a 100644
--- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -98,9 +98,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: 'nanaanfs3-cp-001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -125,9 +123,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -149,9 +145,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: 'nanaanfs3-cp-002' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -168,9 +162,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -211,9 +203,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "name": "nanaanfs3-cp-001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -238,9 +228,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { ], "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -262,9 +250,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "name": "nanaanfs3-cp-002", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -287,9 +273,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -331,9 +315,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: 'nanaanfs41-cp-001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -358,9 +340,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -392,9 +372,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { name: 'nanaanfs41-cp-002' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -407,9 +385,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { enableDefaultTelemetry: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -453,9 +429,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "name": "nanaanfs41-cp-001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -480,9 +454,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { ], "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -514,9 +486,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "name": "nanaanfs41-cp-002", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -533,9 +503,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -685,7 +653,68 @@ The name of the NetApp account. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `smbServerNamePrefix` diff --git a/modules/net-app/net-app-account/capacity-pool/.bicep/nested_roleAssignments.bicep b/modules/net-app/net-app-account/capacity-pool/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index d4daf2f9d9..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-05-01' existing = { - name: 
'${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(capacityPool.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: capacityPool -}] diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index 527a0d6555..f69ec8cc8c 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md 
@@ -100,7 +100,68 @@ The qos type of the pool. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceLevel` diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep index 1743590ca9..c2b88a88d3 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/main.bicep 
@@ -40,7 +40,7 @@ param volumes array = [] param coolAccess bool = false @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.') @allowed([ @@ -54,6 +54,14 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
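Review bot: The new `builtInRoleNames` table in the `@@ -54,6 +54,14 @@` hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the deleted nested template resolved thirteen, including 'Log Analytics Reader', 'Monitoring Reader' and 'Resource Policy Contributor'. Per the resource hunk that follows, a display name not in this table is passed through verbatim as `roleDefinitionId`, so a caller still using one of the dropped names gets a deployment failure rather than a silently different role, but it is a breaking change for existing consumers and is not called out anywhere in the diff. I would add a comment above the variable, e.g. `// Only the roles listed here can be referenced by display name; any other role must be passed as a full role definition resource ID.`, and mention the dropped names in the module's changelog or README.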
@@ -103,17 +111,18 @@ module capacityPool_volumes 'volume/main.bicep' = [for (volume, index) in volume } }] -module capacityPool_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: capacityPool.id +resource capacityPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(capacityPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: capacityPool }] @description('The name of the Capacity Pool.') 
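Review bot: The deterministic name on the `name: guid(capacityPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line is derived from the unresolved `roleDefinitionIdOrName`, so the same logical assignment expressed once as `'Reader'` and once as the full role definition ID yields two different names at the same scope, which ARM would, I believe, reject as a duplicate assignment on redeploy — a failure rather than a privilege issue, but worth documenting. Hashing the resolved `roleDefinitionId` would be cleaner, though it would rename every already-deployed assignment, so if the current form is kept I would add `// Name is derived from the raw roleDefinitionIdOrName; switching a caller between display name and ID produces a different assignment name.` The `index` loop variable is now unused, and the comment `// Must only be set if condtion is set` has a typo (`condition`).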
@@ -127,3 +136,29 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = capacityPool.location +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json index 799fc661e7..31a073b294 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.json +++ b/modules/net-app/net-app-account/capacity-pool/main.json 
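Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries both an explicit `| null` member and the `?` nullable suffix; the compiled main.json in this same diff shows only `"nullable": true` with the five string values, so `| null` is redundant and `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the cleaner form. The `roleDefinitionIdOrName` description should also state that only the module's built-in name table is resolved and anything else is used verbatim as the role definition ID, since a mistyped display name otherwise surfaces only as a deployment error, e.g. `@description('Required. One of the built-in role names known to this module, or a full role definition resource ID; any value not in the built-in table is passed through unchanged.')`. It may also be worth noting on `principalType` that setting it explicitly (e.g. ServicePrincipal for a freshly created identity) is generally recommended to avoid replication-delay failures — a general ARM behaviour, not something the visible code addresses.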
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12343130799883120576" + "templateHash": "14242430981421830183" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "netAppAccountName": { "type": "string", @@ -83,8 +152,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -109,10 +177,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -126,7 +201,13 @@ } } }, - { + "netAppAccount": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2022-11-01", + "name": "[parameters('netAppAccountName')]" + }, + "capacityPool": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", 
@@ -138,9 +219,34 @@ "qosType": "[parameters('qosType')]", "coolAccess": "[parameters('coolAccess')]", "encryptionType": "[parameters('encryptionType')]" - } + }, + "dependsOn": [ + "netAppAccount" + ] }, - { + "capacityPool_roleAssignments": { + "copy": { + "name": "capacityPool_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "capacityPool" + ] + }, + "capacityPool_volumes": { "copy": { "name": "capacityPool_volumes", "count": "[length(parameters('volumes'))]", 
@@ -187,17 +293,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14691007687090359135" + "templateHash": "15651177191996280153" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "netAppAccountName": { "type": "string", @@ -271,8 +446,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -285,8 +459,26 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "netAppAccount::capacityPool": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts/capacityPools", + "apiVersion": "2022-11-01", + "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", + "dependsOn": [ + "netAppAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -300,7 +492,13 @@ } } }, - { + "netAppAccount": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2022-11-01", + "name": "[parameters('netAppAccountName')]" + }, + "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", 
@@ -312,157 +510,34 @@ "protocolTypes": "[parameters('protocolTypes')]", "subnetId": "[parameters('subnetResourceId')]", "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - } + }, + "dependsOn": [ + "netAppAccount::capacityPool" + ] }, - { + "volume_roleAssignments": { "copy": { "name": "volume_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11293747403075474966" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" + "volume" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -490,164 +565,17 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('volume', '2022-11-01', 'full').location]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - ] - }, - { - "copy": { - "name": "capacityPool_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "121785236396056059" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', 
parameters('netAppAccountName'), parameters('name'))]" + "capacityPool", + "netAppAccount" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -675,7 +603,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('capacityPool', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/net-app/net-app-account/capacity-pool/volume/.bicep/nested_roleAssignments.bicep b/modules/net-app/net-app-account/capacity-pool/volume/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9fb35a70fd..0000000000 --- a/modules/net-app/net-app-account/capacity-pool/volume/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-05-01' existing = { - name: 
'${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}/${split(resourceId, '/')[12]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(volume.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: volume -}] diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index c0d9409c13..9e060fc9af 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md 
@@ -103,7 +103,68 @@ Set of protocol types. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceLevel` diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep index f6181b6089..317947161f 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep 
@@ -39,11 +39,19 @@ param subnetResourceId string
 param exportPolicyRules array = []
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
   properties: {
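Review bot: `var builtInRoleNames` carries no comment explaining what it is for, even though it now decides whether a caller's `roleDefinitionIdOrName` is accepted: only the five display names listed here resolve, and anything else is forwarded verbatim as the role definition ID by `volume_roleAssignments` in the next hunk and rejected at deployment time. The nested template deleted further up the page (`.bicep/nested_roleAssignments.bicep`) resolved thirteen names, including 'Monitoring Reader' and 'Log Analytics Reader', so callers using those by display name will start failing; if the trimmed list is intentional, the comment should say so. Suggest `// Built-in role display names accepted in roleDefinitionIdOrName; any other role must be given as its fully qualified role definition resource ID` above the var.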
@@ -80,17 +88,18 @@ resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-0
   }
 }
 
-module volume_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${deployment().name}-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: volume.id
+resource volume_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(volume.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: volume
 }]
 
 @description('The name of the Volume.')
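Review bot: `name: guid(volume.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seeds the assignment name with the caller's raw string, so the same role passed once as a display name and once as its fully qualified ID yields two names for one logical assignment, and the second deployment is not idempotent because an identical principal/role/scope assignment already exists under another name. Seeding with the resolved ID avoids that: `name: guid(volume.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`; note this renames assignments already deployed with the current seed (the deleted nested template used the same three inputs), so it would need a migration note in the README. Separately, the trailing comment on `conditionVersion` has a typo and should read `// Must only be set if condition is set`.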
@@ -104,3 +113,29 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = volume.location
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.json b/modules/net-app/net-app-account/capacity-pool/volume/main.json
index 67e9e039f4..ac86c91c85 100644
--- a/modules/net-app/net-app-account/capacity-pool/volume/main.json
+++ b/modules/net-app/net-app-account/capacity-pool/volume/main.json
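Review bot: The `principalType` description in `roleAssignmentType` does not tell the caller when to set it, yet leaving it null is the case that bites: an assignment for a service principal created in the same deployment can fail with a principal-not-found error while the directory object is still replicating, and supplying `principalType: 'ServicePrincipal'` is what avoids that. Suggest extending the decorator to `@description('Optional. The principal type of the assigned principal ID. Set it explicitly (e.g. ServicePrincipal) when the principal was created in the same deployment, otherwise the assignment may fail while the directory object is still replicating.')`. The `conditionVersion` description could likewise state the default applied by `volume_roleAssignments` in the previous hunk, `Optional. Version of the condition. Defaults to 2.0 when a condition is given.`, so readers need not open the resource body to learn it.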
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14691007687090359135" + "templateHash": "15651177191996280153" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "netAppAccountName": { "type": "string", @@ -84,8 +153,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -98,8 +166,26 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "netAppAccount::capacityPool": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts/capacityPools", + "apiVersion": "2022-11-01", + "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", + "dependsOn": [ + "netAppAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -113,7 +199,13 @@ } } }, - { + "netAppAccount": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2022-11-01", + "name": "[parameters('netAppAccountName')]" + }, + "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", 
@@ -125,157 +217,34 @@ "protocolTypes": "[parameters('protocolTypes')]", "subnetId": "[parameters('subnetResourceId')]", "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - } + }, + "dependsOn": [ + "netAppAccount::capacityPool" + ] }, - { + "volume_roleAssignments": { "copy": { "name": "volume_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11293747403075474966" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]"
+ "volume"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -303,7 +272,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]"
+ "value": "[reference('volume', '2022-11-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep
index 9deadc4a33..92f867153d 100644
--- a/modules/net-app/net-app-account/main.bicep
+++ b/modules/net-app/net-app-account/main.bicep
@@ -31,7 +31,7 @@ param capacityPools array = []
 param userAssignedIdentities object = {}
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
@@ -65,6 +65,14 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
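Review bot: The new `builtInRoleNames` map carries five display names, whereas the nested template this commit removes (visible in the deleted `variables` block of net-app-account/main.json further down) resolved thirteen, including the Log Analytics, Managed Application and Monitoring roles. A caller that still passes one of the dropped names gets the raw string forwarded as `roleDefinitionId` and fails only at deployment time, so if the trimming is intentional the contract should be stated on the variable, e.g. `// Display names resolvable on this resource type; any other role must be passed as a full role definition resource ID`. The enclosing file continues outside the hunk, so I cannot tell whether a README or changelog entry already records the narrowing.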
@@ -96,17 +104,18 @@ resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
 scope: netAppAccount
 }
 
-module netAppAccount_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-ANFAccount-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: netAppAccount.id
+resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(netAppAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: netAppAccount
 }]
 
 module netAppAccount_capacityPools 'capacity-pool/main.bicep' = [for (capacityPool, index) in capacityPools: {
@@ -150,3 +159,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json
index 1fedbb3e06..72636832be 100644
--- a/modules/net-app/net-app-account/main.json
+++ b/modules/net-app/net-app-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9658557760968373164"
+ "templateHash": "6454914933986539170"
 },
 "name": "Azure NetApp Files",
 "description": "This module deploys an Azure NetApp File.",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -103,8 +169,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -150,7 +215,14 @@ } ], "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -195,146 +267,20 @@ "netAppAccount_roleAssignments": { "copy": { "name": "netAppAccount_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ANFAccount-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4540603330973895229" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "netAppAccount" 
@@ -379,17 +325,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12343130799883120576" + "templateHash": "14242430981421830183" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "netAppAccountName": { "type": "string", @@ -462,8 +477,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -488,10 +502,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
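Review bot: The `roleDefinitionIdOrName` description in the new `roleAssignmentType` definition ("The name of the role to assign. If it cannot be found you can specify the role definition ID instead.") promises a name lookup that the module does not actually perform: the `builtInRoleNames` map added in this commit has five entries, and the `roleDefinitionId` expression passes any other string through verbatim, so a display name such as "Monitoring Reader" becomes a literal `roleDefinitionId` that ARM will reject at deployment time. Suggest naming the resolvable set in the description, e.g. `"Required. The role to assign: one of the built-in role names this module resolves (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator) or a fully qualified role definition resource ID."`. Since this file is compiled from Bicep (`_generator: bicep`), the wording belongs in the type definition in `main.bicep`; the JSON here would follow on the next build.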
@@ -505,7 +526,13 @@ } } }, - { + "netAppAccount": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2022-11-01", + "name": "[parameters('netAppAccountName')]" + }, + "capacityPool": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", 
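Review bot: The `builtInRoleNames` variable introduced here resolves five roles, whereas the nested role-assignment template it replaces (visible in the removed lines further down this diff) resolved thirteen, including the Log Analytics, Managed Application, Monitoring and Resource Policy Contributor roles. Because an unresolved name is forwarded unchanged as `roleDefinitionId`, a caller that still passes one of the dropped names gets a deployment failure instead of the role it had before, which is a behaviour change worth recording in the module README/changelog (not in view here). If the reduction is intentional, a short comment above the map in `main.bicep`, e.g. `// Only roles meaningful for this resource type are resolved by name; pass a full role definition ID for anything else`, would make that visible to the next maintainer.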
@@ -517,9 +544,34 @@ "qosType": "[parameters('qosType')]", "coolAccess": "[parameters('coolAccess')]", "encryptionType": "[parameters('encryptionType')]" - } + }, + "dependsOn": [ + "netAppAccount" + ] + }, + "capacityPool_roleAssignments": { + "copy": { + "name": "capacityPool_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + 
"delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "capacityPool" + ] }, - { + "capacityPool_volumes": { "copy": { "name": "capacityPool_volumes", "count": "[length(parameters('volumes'))]", 
@@ -566,17 +618,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14691007687090359135" + "templateHash": "15651177191996280153" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
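Review bot: In `capacityPool_roleAssignments` the assignment `name` is seeded with the raw `roleDefinitionIdOrName` string, while `roleDefinitionId` is computed from its resolved value. The same assignment requested once as `'Reader'` and once as the full `.../roleDefinitions/acdd72a7-...` ID therefore yields two different deterministic names for one (scope, principal, role) triple; in my experience ARM rejects the second as a duplicate assignment (RoleAssignmentExists), and cleaning up requires knowing which spelling was used originally. Suggest seeding `guid()` with the resolved ID — in `main.bicep` that is the same `contains(builtInRoleNames, …) ? builtInRoleNames[…] : …` expression already used for `roleDefinitionId` — so the name is stable regardless of how the role was spelled. The `scope` string and the `dependsOn` on `capacityPool` look correct.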
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "netAppAccountName": { "type": "string", @@ -650,8 +771,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
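Review bot: `principalType` in the volume module's `roleAssignmentType` is nullable with no guidance on when it matters. When the target is a service principal or managed identity created in the same deployment, leaving it unset makes ARM look the object up before directory replication has completed and the assignment can fail with PrincipalNotFound; Azure's own guidance (not part of this diff) is to set the type explicitly in that situation. Suggest extending the description to `"Optional. The principal type of the assigned principal ID. Set it explicitly (e.g. 'ServicePrincipal') when the principal was created in the same deployment, otherwise the assignment may fail with PrincipalNotFound."`. The description lives in `main.bicep`; this JSON is generated from it.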
@@ -664,8 +784,26 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "netAppAccount::capacityPool": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts/capacityPools", + "apiVersion": "2022-11-01", + "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", + "dependsOn": [ + "netAppAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -679,7 +817,13 @@ } } }, - { + "netAppAccount": { + "existing": true, + "type": "Microsoft.NetApp/netAppAccounts", + "apiVersion": "2022-11-01", + "name": "[parameters('netAppAccountName')]" + }, + "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", 
@@ -691,157 +835,34 @@ "protocolTypes": "[parameters('protocolTypes')]", "subnetId": "[parameters('subnetResourceId')]", "exportPolicy": "[if(not(empty(parameters('exportPolicyRules'))), createObject('rules', parameters('exportPolicyRules')), null())]" - } + }, + "dependsOn": [ + "netAppAccount::capacityPool" + ] }, - { + "volume_roleAssignments": { "copy": { "name": "volume_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11293747403075474966" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]" + "volume" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -869,164 +890,17 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('volume', '2022-11-01', 'full').location]" } } } }, "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - ] - }, - { - "copy": { - "name": "capacityPool_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
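Review bot: The inline `volume_roleAssignments` changes the per-item contract from `principalIds` (an array, see the removed nested-deployment parameter mapping at the top of the hunk) to a single `principalId`, so this is a breaking interface change: Bicep callers will get a compile-time type error, while parameter-file or raw ARM callers will only fail at deployment on `.principalId`. That should be recorded in the module version/README (not in view here). Note that `roleAssignments` also loses its `defaultValue: []` in this commit, but the `coalesce(parameters('roleAssignments'), createArray())` guard on the copy count and on every property access keeps callers that omit the parameter working, which is the right way to handle the now-nullable type.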
"resourceId": { - "value": "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "121785236396056059" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', 
parameters('netAppAccountName'), parameters('name'))]" + "capacityPool", + "netAppAccount" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1054,7 +928,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('capacityPool', '2022-11-01', 'full').location]" } } } From ecb4a4b36afc3a452410dec780b8ee9783fbc5e2 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 22 Oct 2023 21:12:07 +0000 Subject: [PATCH 045/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 44 +++++++++++----------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 2803cc3d71..3b78fb6585 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -58,32 +58,32 @@ This section provides an overview of the library's feature set. | 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | | 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 252 | | 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 366 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 179 | -| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 163 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 183 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 336 | -| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | -| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:3, L2:1] | 179 | -| 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 88 | -| 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | -| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 165 | -| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | :white_check_mark: | | :white_check_mark: | | | | | 96 | -| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 105 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 207 | +| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 191 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 211 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 363 | +| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | +| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 212 | +| 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | +| 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | +| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | :white_check_mark: | | | | 192 | +| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | :white_check_mark: | | | | | 120 | +| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | | 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | -| 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | :white_check_mark: | | :white_check_mark: | | | | | 125 | -| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:1] | 108 | -| 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | :white_check_mark: | | :white_check_mark: | | | | | 109 | -| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | :white_check_mark: | | | | | | | 128 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 273 | +| 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | +| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:1] | 132 | +| 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | +| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 306 | | 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 199 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 283 | -| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | :white_check_mark: | | :white_check_mark: | | | | | 111 | -| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 87 | +| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | :white_check_mark: | | | | 225 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 311 | +| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | +| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1, L2:1] | 123 | +| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | | 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 352 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | | 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 70 | @@ -149,7 +149,7 @@ This section provides an overview of the library's feature set. | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 158 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 390 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 201 | -| Sum | | | 73 | 0 | 118 | 57 | 30 | 2 | 236 | 26038 | +| Sum | | | 52 | 0 | 118 | 57 | 30 | 2 | 236 | 26599 | ## Legend From f70aba5b85d7127682ff5cb6015e858643eab70b Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sun, 22 Oct 2023 23:32:02 +0200 Subject: [PATCH 046/178] [Fixes] Removed redundant empty lines in test files (#4133) * Updated first badge of templates (readmes pending) * Update to latest * Compiled templates * Compiled templates * Compiled first few readmes * Updated test files * Updated readmes * Reduced roles * Updated templates * Rollback different branches' changes * Updated nic & pip * Fixed test file * Refreshed vm * Remvoed empty rows * Update to latest --- .../server/.test/common/main.test.bicep | 1 - .../server/.test/max/main.test.bicep | 1 - .../service/.test/common/main.test.bicep | 1 - .../service/.test/max/main.test.bicep | 1 - .../.test/common/main.test.bicep | 2 - .../.test/encr/main.test.bicep | 190 +++++++++--------- .../.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 2 - modules/cdn/profile/.test/afd/main.test.bicep | 1 - .../cdn/profile/.test/common/main.test.bicep | 1 - .../account/.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../.test/accessPolicies/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../compute/disk/.test/common/main.test.bicep | 1 - .../compute/disk/.test/image/main.test.bicep | 1 - .../compute/disk/.test/import/main.test.bicep | 1 - .../gallery/.test/common/main.test.bicep | 6 - .../image/.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../.test/linux/main.test.bicep | 2 +- .../.test/windows/main.test.bicep | 2 +- .../virtual-machine-scale-set/README.md | 4 + .../.test/linux/main.test.bicep | 2 - .../.test/windows/main.test.bicep | 3 - .../registry/.test/common/main.test.bicep | 1 - .../.test/azure/main.test.bicep | 1 - .../.test/kubenet/main.test.bicep | 1 - .../factory/.test/common/main.test.bicep | 1 - .../backup-vault/.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../workspace/.test/common/main.test.bicep | 1 - .../.test/private/main.test.bicep | 1 - 
.../.test/public/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../host-pool/.test/common/main.test.bicep | 1 - .../scaling-plan/.test/common/main.test.bicep | 1 - .../workspace/.test/common/main.test.bicep | 1 - .../lab/.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../.test/gremlindb/main.test.bicep | 1 - .../.test/mongodb/main.test.bicep | 1 - .../.test/plain/main.test.bicep | 1 - .../.test/sqldb/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - .../.test/common/main.test.bicep | 1 - 46 files changed, 101 insertions(+), 149 deletions(-) diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 91cf783f0e..7d91a3f264 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep @@ -75,7 +75,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep index 12d56eb4a5..e20d076bc3 100644 --- a/modules/analysis-services/server/.test/max/main.test.bicep +++ b/modules/analysis-services/server/.test/max/main.test.bicep @@ -83,7 +83,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep index 178551760c..fbed3af64f 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/.test/common/main.test.bicep 
@@ -86,7 +86,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep index 762ae9bf2b..39de365c7e 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/.test/max/main.test.bicep @@ -182,7 +182,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index fcf880f426..273cfd4b3f 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep @@ -81,7 +81,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -96,7 +95,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep index 5ef3540bc5..28c092fff8 100644 --- a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep 
@@ -1,95 +1,95 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accencr' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Generated. Used as a basis for unique resource names.') -param baseTime string = utcNow('u') - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) - keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../main.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}001' - 
createMode: 'Default' - disableLocalAuth: false - enablePurgeProtection: false - keyValues: [ - { - contentType: 'contentType' - name: 'keyName' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - value: 'valueName' - } - ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - softDeleteRetentionInDays: 1 - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - } -} - +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'accencr' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKKeyName: 
nestedDependencies.outputs.keyName + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } +} diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index 4abb71d751..987ed84bf7 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep @@ -128,7 +128,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep index 7e5df4fdfb..dafcb37396 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep @@ -81,7 +81,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -128,4 +127,3 @@ module testDeployment '../../main.bicep' = { } } } - diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/.test/afd/main.test.bicep index ea900ffaad..516f35298a 100644 --- a/modules/cdn/profile/.test/afd/main.test.bicep +++ b/modules/cdn/profile/.test/afd/main.test.bicep @@ -61,7 +61,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/.test/common/main.test.bicep index 1bcb6228f0..1d6b703c01 100644 --- a/modules/cdn/profile/.test/common/main.test.bicep +++ b/modules/cdn/profile/.test/common/main.test.bicep 
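Review bot: The rewritten `encr` test still carries a blank line between `principalId: nestedDependencies.outputs.managedIdentityPrincipalId` and `principalType: 'ServicePrincipal'` in the first `roleAssignments` entry (the one nested under `keyValues`), which looks like exactly the blank line this commit removes from the other test files, so this file does not actually receive the fix. Because all 95 lines are deleted and re-added with identical content, the rewrite appears to be a line-ending normalization rather than a content change; if so, enforcing it repository-wide with a `.gitattributes` rule such as `*.bicep text eol=lf` would keep future diffs down to the lines that matter. Drop the empty line so the entry matches the second `roleAssignments` block and the sibling tests. Since the whole file is re-added here, note also that this CMK scenario keeps `disableLocalAuth: false` and `enablePurgeProtection: false`; if `encr` is meant to validate the hardened configuration, a variant with `disableLocalAuth: true` would exercise the combination the module's security-conscious users will deploy.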
@@ -94,7 +94,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 3f94c31fd7..4c1d011d2e 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep @@ -95,7 +95,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/.test/common/main.test.bicep index e4d37ca872..17f56e1c0f 100644 --- a/modules/compute/availability-set/.test/common/main.test.bicep +++ b/modules/compute/availability-set/.test/common/main.test.bicep @@ -62,7 +62,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep index 3b0e1e4c7e..c2b4062ec7 100644 --- a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep @@ -60,7 +60,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index 6bea195aca..e061df91fc 100644 
--- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep @@ -67,7 +67,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/.test/common/main.test.bicep index 6585ab265f..7a5b019c2d 100644 --- a/modules/compute/disk/.test/common/main.test.bicep +++ b/modules/compute/disk/.test/common/main.test.bicep @@ -66,7 +66,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/disk/.test/image/main.test.bicep b/modules/compute/disk/.test/image/main.test.bicep index d811fa984d..3038d1b07b 100644 --- a/modules/compute/disk/.test/image/main.test.bicep +++ b/modules/compute/disk/.test/image/main.test.bicep @@ -55,7 +55,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/disk/.test/import/main.test.bicep b/modules/compute/disk/.test/import/main.test.bicep index bec7da7f0b..7acdeafcbe 100644 --- a/modules/compute/disk/.test/import/main.test.bicep +++ b/modules/compute/disk/.test/import/main.test.bicep @@ -58,7 +58,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/.test/common/main.test.bicep index 9cb9aa0b51..ca9db82385 100644 --- a/modules/compute/gallery/.test/common/main.test.bicep 
+++ b/modules/compute/gallery/.test/common/main.test.bicep @@ -67,7 +67,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -92,7 +91,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -114,7 +112,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -136,7 +133,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -158,7 +154,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -182,7 +177,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/image/.test/common/main.test.bicep b/modules/compute/image/.test/common/main.test.bicep index 14b3372fa4..edb30dddbc 100644 --- a/modules/compute/image/.test/common/main.test.bicep +++ b/modules/compute/image/.test/common/main.test.bicep @@ -70,7 +70,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/.test/common/main.test.bicep index 1afa2b0789..a4dcb9881d 100644 
--- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep
+++ b/modules/compute/proximity-placement-group/.test/common/main.test.bicep
@@ -60,7 +60,6 @@ module testDeployment '../../main.bicep' = {
       {
         roleDefinitionIdOrName: 'Reader'
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
index 42e5492661..46c0a5bcda 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
@@ -175,8 +175,8 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        roleDefinitionIdOrName: 'Reader'
+        principalType: 'ServicePrincipal'
       }
     ]
     scaleSetFaultDomain: 1
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
index ad9e06de2e..1004d1b817 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
@@ -172,8 +172,8 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        roleDefinitionIdOrName: 'Reader'
+        principalType: 'ServicePrincipal'
       }
     ]
     skuCapacity: 1
diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md
index 434217f815..1678966c3f 100644
--- a/modules/compute/virtual-machine-scale-set/README.md
+++ b/modules/compute/virtual-machine-scale-set/README.md
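Review bot: As displayed, the linux VMSS hunk removes `roleDefinitionIdOrName: 'Reader'` and adds `principalType: 'ServicePrincipal'`, which would leave the role assignment with a principal but no role to assign. The hunk header (`-175,8 +175,8`) accounts for one more line than is visible here, and the README hunk in the same patch keeps both `principalType` and `roleDefinitionIdOrName`, so the collapsed text has probably lost the retained `roleDefinitionIdOrName` line — please confirm against the file; the new side should read `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, `principalType: 'ServicePrincipal'`, `roleDefinitionIdOrName: 'Reader'`, and the windows hunk right after it has the same shape. This is also the opposite direction from every other test in this patch, which drops `principalType`; a one-line comment such as `// principalType kept: avoids the directory lookup of the just-created identity` would make the difference deliberate rather than look like an oversight. The enclosing `module testDeployment` block starts and ends outside the hunk.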
@@ -155,6 +155,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se
     roleAssignments: [
       {
         principalId: ''
+        principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
     ]
@@ -347,6 +348,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se
       "value": [
         {
           "principalId": "",
+          "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
       ]
@@ -826,6 +828,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se
     roleAssignments: [
       {
         principalId: ''
+        principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
     ]
@@ -1009,6 +1012,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se
       "value": [
         {
           "principalId": "",
+          "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
       ]
diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep
index 66f46a1038..e10ff4188d 100644
--- a/modules/compute/virtual-machine/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep
@@ -104,7 +104,6 @@ module testDeployment '../../main.bicep' = {
       {
         roleDefinitionIdOrName: 'Reader'
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
       }
     ]
@@ -122,7 +121,6 @@ module testDeployment '../../main.bicep' = {
       {
         roleDefinitionIdOrName: 'Reader'
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep
index 51c37b16c6..3a81daae0c 100644
--- a/modules/compute/virtual-machine/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep
@@ -107,7 +107,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -125,7 +124,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] @@ -282,7 +280,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 826dfdd5ab..96ba6082dc 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep @@ -115,7 +115,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep index f438df827e..95e80ee3c3 100644 --- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep @@ -185,7 +185,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep index 8fb322a2b9..cdb76302d8 100644 --- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep 
+++ b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep @@ -143,7 +143,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 6bea31ebf1..1fae6339c0 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep @@ -134,7 +134,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep index fe1b319ceb..286a2b51c5 100644 --- a/modules/data-protection/backup-vault/.test/common/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep @@ -56,7 +56,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index 1ea97bd6c4..1c6ad77107 100644 --- a/modules/databricks/access-connector/.test/common/main.test.bicep +++ b/modules/databricks/access-connector/.test/common/main.test.bicep @@ -64,7 +64,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] 
diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index 39e8d023af..756379bda5 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep @@ -90,7 +90,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index 94e139af85..69b96807e5 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep @@ -77,7 +77,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index fe359f406f..664d236160 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep @@ -95,7 +95,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies2.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep index 93431181fa..9a7b140bb1 100644 --- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep 
@@ -102,7 +102,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep index 1f31acac55..3d55bac12c 100644 --- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep @@ -86,7 +86,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep index 51db20c88f..f1454d689b 100644 --- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep @@ -70,7 +70,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep index 15b19e5eeb..f96ad8f7b9 100644 --- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep @@ -84,7 +84,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] 
diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep index 8d2d71c3c4..41ab747bc6 100644 --- a/modules/dev-test-lab/lab/.test/common/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep @@ -69,7 +69,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index f8d12541d5..e28f648c50 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep @@ -113,7 +113,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId - principalType: 'ServicePrincipal' } ] diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/.test/gremlindb/main.test.bicep index 19b9e89bce..c8ca5f6406 100644 --- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep +++ b/modules/document-db/database-account/.test/gremlindb/main.test.bicep @@ -136,7 +136,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/.test/mongodb/main.test.bicep index f035b3a833..a887c89772 100644 --- a/modules/document-db/database-account/.test/mongodb/main.test.bicep +++ b/modules/document-db/database-account/.test/mongodb/main.test.bicep 
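Review bot: In the digital-twins hunk the role assignment's `principalId` is fed from `nestedDependencies.outputs.managedIdentityPrincipalResourceId`, whereas every other test in this patch uses `managedIdentityPrincipalId`. A role assignment's `principalId` must be the identity's object (principal) ID, so if that output really carries the identity's ARM resource ID, as its name suggests, the assignment will be rejected at deployment; if it does emit the object ID, renaming the output to `managedIdentityPrincipalId` would remove the ambiguity and match the sibling tests. With `principalType` removed in the same hunk there is no longer any hint for the deployment to validate the principal against, so a wrong value only surfaces as a runtime failure. The enclosing `module testDeployment` block starts and ends outside the hunk.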
@@ -269,7 +269,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/.test/plain/main.test.bicep index 498377bc47..08cd51278c 100644 --- a/modules/document-db/database-account/.test/plain/main.test.bicep +++ b/modules/document-db/database-account/.test/plain/main.test.bicep @@ -88,7 +88,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 1ab334873d..5d54bf3d10 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep @@ -102,7 +102,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep index 71462f0114..bb28e92347 100644 --- a/modules/network/network-interface/.test/common/main.test.bicep +++ b/modules/network/network-interface/.test/common/main.test.bicep @@ -105,7 +105,6 @@ module testDeployment '../../main.bicep' = { { roleDefinitionIdOrName: 'Reader' principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' } ] diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep index b61ac3a4aa..f9272e5c56 100644 
--- a/modules/network/public-ip-address/.test/common/main.test.bicep
+++ b/modules/network/public-ip-address/.test/common/main.test.bicep
@@ -79,7 +79,6 @@ module testDeployment '../../main.bicep' = {
       {
         roleDefinitionIdOrName: 'Reader'
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
       }
     ]
From 29633cea001aa0927942cdcd005a84c414f369f2 Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Sun, 22 Oct 2023 23:33:23 +0200 Subject: [PATCH 047/178] [Modules] Migrated batch [3/4] to AVM RBAC (#4127) * Generated content for batch 3 * Updated roles * Update to latest * Update to latest * Updated bastion * Regen firewall template * Remvoed empty rows --- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- modules/network/application-gateway/README.md | 71 +- .../network/application-gateway/main.bicep | 54 +- modules/network/application-gateway/main.json | 279 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../application-security-group/README.md | 71 +- .../application-security-group/main.bicep | 54 +- .../application-security-group/main.json | 259 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/addpip/main.test.bicep | 4 +- .../.test/common/main.test.bicep | 4 +- .../.test/custompip/main.test.bicep | 4 +- modules/network/azure-firewall/README.md | 87 +- modules/network/azure-firewall/main.bicep | 54 +- modules/network/azure-firewall/main.json | 799 ++-- .../.bicep/nested_roleAssignments.bicep | 97 - .../bastion-host/.test/common/main.test.bicep | 4 +- .../.test/custompip/main.test.bicep | 4 +- modules/network/bastion-host/README.md | 79 +- modules/network/bastion-host/main.bicep | 91 +- modules/network/bastion-host/main.json | 576 ++- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/ddos-protection-plan/README.md | 71 +- .../network/ddos-protection-plan/main.bicep | 54 +- .../network/ddos-protection-plan/main.json | 259 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/dns-forwarding-ruleset/README.md | 71 +- .../network/dns-forwarding-ruleset/main.bicep | 58 +- .../network/dns-forwarding-ruleset/main.json | 283 +- .../.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-resolver/README.md | 63 +- 
modules/network/dns-resolver/main.bicep | 60 +- modules/network/dns-resolver/main.json | 265 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../dns-zone/.test/common/main.test.bicep | 32 +- modules/network/dns-zone/README.md | 127 +- .../a/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/a/README.md | 63 +- modules/network/dns-zone/a/main.bicep | 63 +- modules/network/dns-zone/a/main.json | 291 +- .../aaaa/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/aaaa/README.md | 63 +- modules/network/dns-zone/aaaa/main.bicep | 63 +- modules/network/dns-zone/aaaa/main.json | 291 +- .../caa/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/caa/README.md | 63 +- modules/network/dns-zone/caa/main.bicep | 63 +- modules/network/dns-zone/caa/main.json | 291 +- .../cname/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/cname/README.md | 63 +- modules/network/dns-zone/cname/main.bicep | 63 +- modules/network/dns-zone/cname/main.json | 291 +- modules/network/dns-zone/main.bicep | 60 +- modules/network/dns-zone/main.json | 3209 +++++++---------- .../mx/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/mx/README.md | 63 +- modules/network/dns-zone/mx/main.bicep | 63 +- modules/network/dns-zone/mx/main.json | 291 +- .../ns/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/ns/README.md | 63 +- modules/network/dns-zone/ns/main.bicep | 63 +- modules/network/dns-zone/ns/main.json | 291 +- .../ptr/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/ptr/README.md | 63 +- modules/network/dns-zone/ptr/main.bicep | 63 +- modules/network/dns-zone/ptr/main.json | 291 +- .../soa/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/soa/README.md | 63 +- modules/network/dns-zone/soa/main.bicep | 63 +- modules/network/dns-zone/soa/main.json | 291 +- .../srv/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/srv/README.md | 63 +- 
modules/network/dns-zone/srv/main.bicep | 63 +- modules/network/dns-zone/srv/main.json | 291 +- .../txt/.bicep/nested_roleAssignments.bicep | 97 - modules/network/dns-zone/txt/README.md | 63 +- modules/network/dns-zone/txt/main.bicep | 63 +- modules/network/dns-zone/txt/main.json | 291 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/express-route-circuit/README.md | 71 +- .../network/express-route-circuit/main.bicep | 55 +- .../network/express-route-circuit/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/express-route-gateway/README.md | 71 +- .../network/express-route-gateway/main.bicep | 55 +- .../network/express-route-gateway/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 66 - .../.test/common/main.test.bicep | 4 +- .../README.md | 71 +- .../main.bicep | 54 +- .../main.json | 228 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../front-door/.test/common/main.test.bicep | 4 +- modules/network/front-door/README.md | 71 +- modules/network/front-door/main.bicep | 55 +- modules/network/front-door/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../ip-group/.test/common/main.test.bicep | 4 +- modules/network/ip-group/README.md | 71 +- modules/network/ip-group/main.bicep | 55 +- modules/network/ip-group/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../.test/internal/main.test.bicep | 4 +- modules/network/load-balancer/README.md | 79 +- modules/network/load-balancer/main.bicep | 55 +- modules/network/load-balancer/main.json | 280 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/local-network-gateway/README.md | 71 +- .../network/local-network-gateway/main.bicep | 55 +- .../network/local-network-gateway/main.json | 258 +- .../.bicep/nested_roleAssignments.bicep | 97 - 
.../nat-gateway/.test/common/main.test.bicep | 4 +- modules/network/nat-gateway/README.md | 71 +- modules/network/nat-gateway/main.bicep | 55 +- modules/network/nat-gateway/main.json | 540 +-- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- modules/network/network-manager/README.md | 71 +- modules/network/network-manager/main.bicep | 55 +- modules/network/network-manager/main.json | 280 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/network-security-group/README.md | 71 +- .../network/network-security-group/main.bicep | 55 +- .../network/network-security-group/main.json | 280 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- modules/network/network-watcher/README.md | 71 +- modules/network/network-watcher/main.bicep | 55 +- modules/network/network-watcher/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 32 +- modules/network/private-dns-zone/README.md | 127 +- .../a/.bicep/nested_roleAssignments.bicep | 97 - modules/network/private-dns-zone/a/README.md | 63 +- modules/network/private-dns-zone/a/main.bicep | 63 +- modules/network/private-dns-zone/a/main.json | 291 +- .../aaaa/.bicep/nested_roleAssignments.bicep | 97 - .../network/private-dns-zone/aaaa/README.md | 63 +- .../network/private-dns-zone/aaaa/main.bicep | 63 +- .../network/private-dns-zone/aaaa/main.json | 291 +- .../cname/.bicep/nested_roleAssignments.bicep | 99 - .../network/private-dns-zone/cname/README.md | 63 +- .../network/private-dns-zone/cname/main.bicep | 63 +- .../network/private-dns-zone/cname/main.json | 297 +- modules/network/private-dns-zone/main.bicep | 60 +- modules/network/private-dns-zone/main.json | 2653 ++++++-------- .../mx/.bicep/nested_roleAssignments.bicep | 97 - modules/network/private-dns-zone/mx/README.md | 63 +- .../network/private-dns-zone/mx/main.bicep | 63 +- 
modules/network/private-dns-zone/mx/main.json | 291 +- .../ptr/.bicep/nested_roleAssignments.bicep | 97 - .../network/private-dns-zone/ptr/README.md | 63 +- .../network/private-dns-zone/ptr/main.bicep | 63 +- .../network/private-dns-zone/ptr/main.json | 301 +- .../soa/.bicep/nested_roleAssignments.bicep | 97 - .../network/private-dns-zone/soa/README.md | 63 +- .../network/private-dns-zone/soa/main.bicep | 63 +- .../network/private-dns-zone/soa/main.json | 291 +- .../srv/.bicep/nested_roleAssignments.bicep | 97 - .../network/private-dns-zone/srv/README.md | 63 +- .../network/private-dns-zone/srv/main.bicep | 63 +- .../network/private-dns-zone/srv/main.json | 291 +- .../txt/.bicep/nested_roleAssignments.bicep | 97 - .../network/private-dns-zone/txt/README.md | 63 +- .../network/private-dns-zone/txt/main.bicep | 63 +- .../network/private-dns-zone/txt/main.json | 291 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 5 +- .../network/private-link-service/README.md | 73 +- .../network/private-link-service/main.bicep | 59 +- .../network/private-link-service/main.json | 264 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- modules/network/public-ip-prefix/README.md | 71 +- modules/network/public-ip-prefix/main.bicep | 55 +- modules/network/public-ip-prefix/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../route-table/.test/common/main.test.bicep | 4 +- modules/network/route-table/README.md | 71 +- modules/network/route-table/main.bicep | 55 +- modules/network/route-table/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/service-endpoint-policy/README.md | 71 +- .../service-endpoint-policy/main.bicep | 55 +- .../network/service-endpoint-policy/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 4 +- .../network/trafficmanagerprofile/README.md | 71 +- 
.../network/trafficmanagerprofile/main.bicep | 56 +- .../network/trafficmanagerprofile/main.json | 261 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/aadvpn/main.test.bicep | 4 +- .../.test/expressRoute/main.test.bicep | 5 +- .../.test/vpn/main.test.bicep | 5 +- .../network/virtual-network-gateway/README.md | 91 +- .../virtual-network-gateway/main.bicep | 56 +- .../network/virtual-network-gateway/main.json | 540 +-- .../.bicep/nested_roleAssignments.bicep | 97 - .../.test/common/main.test.bicep | 8 +- modules/network/virtual-network/README.md | 79 +- modules/network/virtual-network/main.bicep | 55 +- modules/network/virtual-network/main.json | 570 ++- .../.bicep/nested_roleAssignments.bicep | 97 - .../network/virtual-network/subnet/README.md | 63 +- .../network/virtual-network/subnet/main.bicep | 58 +- .../network/virtual-network/subnet/main.json | 290 +- .../.bicep/nested_roleAssignments.bicep | 97 - .../virtual-wan/.test/common/main.test.bicep | 4 +- modules/network/virtual-wan/README.md | 71 +- modules/network/virtual-wan/main.bicep | 55 +- modules/network/virtual-wan/main.json | 260 +- .../.bicep/nested_roleAssignments.bicep | 63 - .../vpn-site/.test/common/main.test.bicep | 4 +- modules/network/vpn-site/README.md | 71 +- modules/network/vpn-site/main.bicep | 51 +- modules/network/vpn-site/main.json | 201 +- 226 files changed, 13013 insertions(+), 18207 deletions(-) delete mode 100644 modules/network/application-gateway/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/application-security-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/azure-firewall/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/bastion-host/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/ddos-protection-plan/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-forwarding-ruleset/.bicep/nested_roleAssignments.bicep delete mode 100644 
modules/network/dns-resolver/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/a/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/aaaa/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/caa/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/cname/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/mx/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/ns/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/ptr/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/soa/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/srv/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/dns-zone/txt/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/express-route-circuit/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/front-door-web-application-firewall-policy/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/front-door/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/ip-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/load-balancer/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/local-network-gateway/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/nat-gateway/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/network-manager/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/network-security-group/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/network-watcher/.bicep/nested_roleAssignments.bicep delete mode 100644 
modules/network/private-dns-zone/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/a/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/aaaa/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/cname/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/mx/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/ptr/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/soa/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/srv/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-dns-zone/txt/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/private-link-service/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/public-ip-prefix/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/route-table/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/service-endpoint-policy/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/trafficmanagerprofile/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/virtual-network-gateway/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/virtual-network/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/virtual-network/subnet/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/virtual-wan/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/network/vpn-site/.bicep/nested_roleAssignments.bicep diff --git a/modules/network/application-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/application-gateway/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2bd352a75d..0000000000 --- a/modules/network/application-gateway/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(applicationGateway.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: applicationGateway
-}]
diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep
index 039dd1b2a6..4049fdb162 100644
--- a/modules/network/application-gateway/.test/common/main.test.bicep
+++ b/modules/network/application-gateway/.test/common/main.test.bicep
@@ -407,9 +407,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md
index 872745291e..f1c4883c3f 100644
--- a/modules/network/application-gateway/README.md
+++ b/modules/network/application-gateway/README.md
@@ -409,9 +409,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -882,9 +880,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -1294,7 +1290,68 @@ Rewrite rules for the application gateway resource. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `routingRules` diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 0b042bc9d9..e354836b98 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep 
@@ -246,7 +246,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Resource tags.')
 param tags object = {}
@@ -263,6 +263,14 @@ param routingRules array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
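Review bot: The `builtInRoleNames` table added in the `@@ -263,6 +263,14 @@` hunk resolves only five display names, while the deleted `.bicep/nested_roleAssignments.bicep` earlier in this patch resolved several dozen (`Network Contributor`, `Monitoring Contributor`, `Traffic Manager Contributor` among them), and the unchanged `@description` on `roleAssignments` still promises that any display name of a role definition is accepted. In the `@@ -384,17 +392,18 @@` hunk below the lookup `contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[...] : roleAssignment.roleDefinitionIdOrName` falls through for a name missing from the table, so that name is sent verbatim as `roleDefinitionId` and would presumably be rejected by ARM at deployment time instead of being caught by the new type. Either carry over the roles that are meaningful for an application gateway, or tighten the description to something like `'... you can provide either the display name of one of the built-in roles declared in builtInRoleNames, or its fully qualified ID ...'`. The diffstat shows the nested file deleted for every module under modules/network, so the same narrowing presumably applies to each of them.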
@@ -384,17 +392,18 @@ module applicationGateway_privateEndpoints '../../network/private-endpoint/main.
 }
 }]
-module applicationGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: applicationGateway.id
+resource applicationGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(applicationGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: applicationGateway
 }]
 @description('The name of the application gateway.')
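Review bot: The trailing comment on the `conditionVersion` line misspells the field it refers to (`// Must only be set if condtion is set`); suggest `// conditionVersion is only valid alongside a condition; defaults to '2.0' when one is given`. The resource name `guid(applicationGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` also deserves a one-line comment, since it is what makes redeploying the same principal/role pair idempotent and, presumably, makes two `roleAssignments` entries for the same pair collide on the same name; a comment such as `// Deterministic name: one assignment per (scope, principal, role)` would make that intent explicit.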
@@ -420,3 +429,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index 311fe73b19..89f19b3046 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18329589916932941538"
+ "templateHash": "15010715914019570085"
 },
 "name": "Network Application Gateways",
 "description": "This module deploys a Network Application Gateway.",
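Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice (`| null` inside the union and the trailing `?`), while every sibling field uses only `?`; for consistency write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The compiled `main.json` later in this patch lists the five allowed values with no null entry and marks the property `nullable`, which suggests the two spellings compile to the same thing here.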
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -439,8 +505,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -504,7 +569,14 @@ "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -563,6 +635,28 @@ "applicationGateway" ] }, + "applicationGateway_roleAssignments": { + "copy": { + "name": "applicationGateway_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/applicationGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "applicationGateway" + ] + }, 
"applicationGateway_privateEndpoints": { "copy": { "name": "applicationGateway_privateEndpoints", 
@@ -1091,183 +1185,6 @@ "dependsOn": [ "applicationGateway" ] - }, - "applicationGateway_roleAssignments": { - "copy": { - "name": "applicationGateway_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"4623397595540345983" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/applicationGateways/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/applicationGateways', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "applicationGateway" - ] } }, "outputs": { diff --git a/modules/network/application-security-group/.bicep/nested_roleAssignments.bicep b/modules/network/application-security-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b349156bec..0000000000 --- a/modules/network/application-security-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(applicationSecurityGroup.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: applicationSecurityGroup
-}]
diff --git a/modules/network/application-security-group/.test/common/main.test.bicep b/modules/network/application-security-group/.test/common/main.test.bicep
index 2d7c4f2f95..70aeed0b0d 100644
--- a/modules/network/application-security-group/.test/common/main.test.bicep
+++ b/modules/network/application-security-group/.test/common/main.test.bicep
@@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md
index f86e110e60..8dc312de2b 100644
--- a/modules/network/application-security-group/README.md
+++ b/modules/network/application-security-group/README.md
@@ -51,9 +51,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -96,9 +94,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -189,7 +185,68 @@ Name of the Application Security Group. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep index 53f1b4a0d5..45732a77c4 100644 --- a/modules/network/application-security-group/main.bicep +++ b/modules/network/application-security-group/main.bicep 
@@ -12,7 +12,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -20,6 +20,14 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
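Review bot: `builtInRoleNames` in the `@@ -20,6 +20,14 @@` hunk resolves only five display names, while the `roleAssignments` description in the `@@ -12,7 +12,7 @@` hunk still states that any role may be given by its display name. Names the deleted nested module used to resolve (for example 'Network Contributor' or 'Monitoring Reader' in the removed nested_roleAssignments.bicep) are now passed through verbatim as `roleDefinitionId` and presumably fail only when the deployment is validated by ARM. I would add a comment above the variable, `// Only these display names are resolved; any other role must be passed as its fully qualified roleDefinitions resource ID`, and amend the parameter description to say the same. A sentence on why the list was restricted to these roles would also help a reviewer judge later additions to it.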
@@ -48,17 +56,18 @@ resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01
 scope: applicationSecurityGroup
 }
 
-module applicationSecurityGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-AppSecurityGroup-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: applicationSecurityGroup.id
+resource applicationSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(applicationSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: applicationSecurityGroup
 }]
 
 @description('The resource group the application security group was deployed into.')
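Review bot: The loop index in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer read anywhere in the new resource, since the name now comes from `guid(...)` rather than the old `-Rbac-${index}` suffix; `[for roleAssignment in (roleAssignments ?? []): {` would make that explicit. The inline comment on the `conditionVersion` line misspells the property it refers to: `// Must only be set if condition is set`. Note also that `roleDefinitionIdOrName` enters `guid()` unresolved, so the same role given once by display name and once by its ID yields two different assignment names for one principal and scope, which ARM would presumably treat as a duplicate assignment; the removed nested module had the same inputs, so this is not a regression, but a short comment on the `name:` line saying the name is stable only for an unchanged spelling of the role would spare the next maintainer a surprise.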
@@ -84,3 +93,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json
index a67333aaed..a8c2e42829 100644
--- a/modules/network/application-security-group/main.json
+++ b/modules/network/application-security-group/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17355011424146278209"
+ "templateHash": "1514656226322598076"
 },
 "name": "Application Security Groups (ASG)",
 "description": "This module deploys an Application Security Group (ASG).",
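Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` is nullable twice over — the trailing `?` already admits null, and the compiled definition in the main.json hunk that follows lists only the five string values with `"nullable": true` — so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same type more plainly. The `condition` description should also state that `conditionVersion` is only emitted when `condition` is non-empty, which the resource in the `@@ -48,17 +56,18 @@` hunk enforces; appending `When condition is omitted, conditionVersion is ignored.` would make the contract visible to callers. Finally, the `condition` description is the only one in the type without a trailing period, and the README hunk above shows the generator copying it into the parameter table as-is.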
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -81,6 +146,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -121,175 +195,20 @@ "applicationSecurityGroup_roleAssignments": { "copy": { "name": "applicationSecurityGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppSecurityGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), 
createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1920288953009439364" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "applicationSecurityGroup" diff --git a/modules/network/azure-firewall/.bicep/nested_roleAssignments.bicep b/modules/network/azure-firewall/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cbed9e6958..0000000000 --- a/modules/network/azure-firewall/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(azureFirewall.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: azureFirewall
-}]
diff --git a/modules/network/azure-firewall/.test/addpip/main.test.bicep b/modules/network/azure-firewall/.test/addpip/main.test.bicep
index 3406fcf6b3..f2a115cb3b 100644
--- a/modules/network/azure-firewall/.test/addpip/main.test.bicep
+++ b/modules/network/azure-firewall/.test/addpip/main.test.bicep
@@ -64,9 +64,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/.test/common/main.test.bicep
index 9d72856614..0cb1b461c3 100644
--- a/modules/network/azure-firewall/.test/common/main.test.bicep
+++ b/modules/network/azure-firewall/.test/common/main.test.bicep
@@ -162,9 +162,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/azure-firewall/.test/custompip/main.test.bicep b/modules/network/azure-firewall/.test/custompip/main.test.bicep
index 44717d83cf..72e63d7934 100644
--- a/modules/network/azure-firewall/.test/custompip/main.test.bicep
+++ b/modules/network/azure-firewall/.test/custompip/main.test.bicep
@@ -66,9 +66,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md
index c437b47819..cd6da89ea7 100644
--- a/modules/network/azure-firewall/README.md
+++ b/modules/network/azure-firewall/README.md
@@ -60,9 +60,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 publicIPAllocationMethod: 'Static'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -114,9 +112,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 "publicIPAllocationMethod": "Static",
 "roleAssignments": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -249,9 +245,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 publicIPResourceID: ''
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -400,9 +394,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -460,9 +452,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 publicIPPrefixResourceId: ''
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -515,9 +505,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 "publicIPPrefixResourceId": "",
 "roleAssignments": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -968,7 +956,68 @@ The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, the Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep index 3acc34d362..904b09f250 100644 --- a/modules/network/azure-firewall/main.bicep +++ b/modules/network/azure-firewall/main.bicep 
@@ -86,7 +86,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the Azure Firewall resource.')
 param tags object = {}
@@ -206,6 +206,14 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
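Review bot: The `builtInRoleNames` map added in the second hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), while the unchanged `@description` on `roleAssignments` in the first hunk still promises that any role display name is accepted; the nested module deleted in this same commit resolved a list of around forty names (for example 'Network Contributor' or 'Monitoring Reader'), so a caller still passing one of those will have the bare display name forwarded as `roleDefinitionId` by the `azureFirewall_roleAssignments` resource in the next hunk and only find out at deployment time. Either narrow the parameter description, e.g. `'... you can provide either one of the built-in role display names resolved by this module (see builtInRoleNames), or its fully qualified ID ...'`, or put the contract on the map itself: `// Only these display names are resolved here; any other role must be passed as a full role definition resource ID`. Since this is a breaking change for existing consumers of the module, the README should carry the same statement.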
@@ -338,17 +346,18 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
 scope: azureFirewall
 }
 
-module azureFirewall_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-AzFW-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: azureFirewall.id
+resource azureFirewall_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: azureFirewall
 }]
 
 @description('The resource ID of the Azure Firewall.')
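Review bot: The loop index in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer referenced on the new side, because the deployment name that used it was replaced by `guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`; the header can be simplified to `[for roleAssignment in (roleAssignments ?? []): {`. The trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`. Since `principalType` is now optional, it is worth stating on that line why a caller should still set it when the principal is created in the same deployment (a role assignment for a just-created service principal without a principal type can fail on directory replication delay), e.g. `// Set principalType for freshly created principals to avoid PrincipalNotFound on replication lag`. The surrounding file continues outside the hunk on both sides.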
@@ -389,3 +398,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json
index 7f9ab7552b..766e5059eb 100644
--- a/modules/network/azure-firewall/main.json
+++ b/modules/network/azure-firewall/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
-"templateHash": "10604850495131804287"
+"templateHash": "3226240362527583277"
 },
 "name": "Azure Firewalls",
 "description": "This module deploys an Azure Firewall.",
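Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` in the union and also marks the property optional with `?`; the compiled `main.json` in this same commit emits only the five string `allowedValues` with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the redundancy. The type declaration itself has no description explaining how `roleDefinitionIdOrName` is consumed; a leading comment such as `// One entry of the roleAssignments parameter; roleDefinitionIdOrName is looked up in builtInRoleNames and otherwise used verbatim as the role definition resource ID` would tell a consumer what the "name" half of the field actually accepts.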
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -214,8 +280,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -324,7 +389,14 @@ } }, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -386,6 +458,28 @@ "azureFirewall" ] }, + "azureFirewall_roleAssignments": { + "copy": { + "name": "azureFirewall_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "azureFirewall" + ] + }, "publicIPAddress": { "condition": 
"[and(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", "type": "Microsoft.Resources/deployments", @@ -441,7 +535,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -472,6 +566,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -616,8 +776,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -692,7 +851,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -764,175 +932,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" @@ -1034,7 +1046,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -1065,6 +1077,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1209,8 +1287,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1285,7 +1362,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1357,175 +1443,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" 
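Review bot: No `scope` property appears on the new `publicIpAddress_roleAssignments` resource: the new side of this hunk is 19 lines (`copy`, `type`, `apiVersion`, `name`, `properties`, `dependsOn`), matching the `+1443,19` header, whereas the nested template it replaces carried `"scope": "[format('Microsoft.Network/publicIPAddresses/{0}', …)]"`. A `Microsoft.Authorization/roleAssignments` resource without `scope` is created at the enclosing deployment's scope, i.e. the resource group, so a principal meant to get Reader on one public IP would get it on every resource in the group — a privilege-widening change that validates and deploys without error. Bicep normally emits the scope line for `scope: publicIpAddress`, so the likely causes are a missing `scope:` in the source or a stale `main.json`; the expected line is `"scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]"` between `apiVersion` and `name`.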
@@ -1571,183 +1501,6 @@ } } } - }, - "azureFirewall_roleAssignments": { - "copy": { - "name": "azureFirewall_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AzFW-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11885290344977420864" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/azureFirewalls/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/azureFirewalls', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "azureFirewall" - ] } }, "outputs": { diff --git a/modules/network/bastion-host/.bicep/nested_roleAssignments.bicep b/modules/network/bastion-host/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index bb49421f37..0000000000 --- a/modules/network/bastion-host/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
- 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
- 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
-}
-
-resource azureBastion 'Microsoft.Network/bastionHosts@2022-11-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(azureBastion.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: azureBastion
-}]
diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/.test/common/main.test.bicep
index 3688f87735..695f4a5a95 100644
--- a/modules/network/bastion-host/.test/common/main.test.bicep
+++ b/modules/network/bastion-host/.test/common/main.test.bicep
@@ -85,9 +85,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/bastion-host/.test/custompip/main.test.bicep b/modules/network/bastion-host/.test/custompip/main.test.bicep
index 9cf1ef28dc..0fc773e852 100644
--- a/modules/network/bastion-host/.test/custompip/main.test.bicep
+++ b/modules/network/bastion-host/.test/custompip/main.test.bicep
@@ -66,9 +66,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md
index 0a6a4c85fe..1c87cd6286 100644
--- a/modules/network/bastion-host/README.md
+++ b/modules/network/bastion-host/README.md
@@ -65,9 +65,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -142,9 +140,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -199,9 +195,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 publicIPPrefixResourceId: ''
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -261,9 +255,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 "publicIPPrefixResourceId": "",
 "roleAssignments": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -530,7 +522,68 @@ Specifies the properties of the Public IP to create and be used by Azure Bastion Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scaleUnits` diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep index 4bba12cf4b..f6d9fc28ac 100644 --- a/modules/network/bastion-host/main.bicep +++ b/modules/network/bastion-host/main.bicep 
@@ -61,7 +61,7 @@ param enableShareableLink bool = false
 param scaleUnits int = 2
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -131,6 +131,51 @@ var enableReferencedModulesTelemetry = false // ---------------------------------------------------------------------------- +var builtInRoleNames = { + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') + 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') + 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') + 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') + 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') + 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') + 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') + 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') + 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone 
Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') + 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') + 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') + 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') + 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') + 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') + 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') + 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') + 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') +} + 
resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -217,17 +262,18 @@ resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@
 scope: azureBastion
 }
-module azureBastion_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Bastion-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: azureBastion.id
+resource azureBastion_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(azureBastion.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: azureBastion
 }]
 @description('The resource group the Azure Bastion was deployed into.')
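Review bot: The deterministic `name:` of the new azureBastion_roleAssignments resource is seeded with `roleAssignment.roleDefinitionIdOrName` exactly as the caller wrote it, not with the role definition ID it resolves to on the `roleDefinitionId` line, so one entry naming `Reader` and another giving Reader's full definition ID for the same principal yield two resources with different names but the same scope/principal/role tuple, which ARM is likely to reject as a duplicate assignment rather than deduplicate. Seeding with the resolved value keeps the name stable however the role is spelled: `name: guid(azureBastion.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. A value that is not a key of builtInRoleNames is passed through to `roleDefinitionId` verbatim, which deserves a comment on that line because a misspelled display name then surfaces as a malformed role definition ID at deployment time instead of a template validation error. The inline comment on the conditionVersion line has a typo; it should read `// Must only be set if condition is set`.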
@@ -256,3 +302,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json
index 057acedabb..32533015a4 100644
--- a/modules/network/bastion-host/main.json
+++ b/modules/network/bastion-host/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7681317257874084680"
+ "templateHash": "18230214289197340904"
 },
 "name": "Bastion Hosts",
 "description": "This module deploys a Bastion Host.",
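Review bot: In the `principalType` member of the new roleAssignmentType, `null` inside the union is redundant with the trailing `?`, which already makes the member nullable, and it is the only optional member written that way; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract in the style of the other members. The compiled main.json in this commit lists only the five string values under allowedValues with nullable set to true, which suggests the compiler drops the null anyway, so this is purely a readability point.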
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -168,8 +234,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -234,7 +299,51 @@ "id": "[parameters('bastionSubnetPublicIpResourceId')]" } }, - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } }, "resources": { "defaultTelemetry": { 
@@ -296,6 +405,28 @@ "azureBastion" ] }, + "azureBastion_roleAssignments": { + "copy": { + "name": "azureBastion_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/bastionHosts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "azureBastion" + ] + }, "publicIPAddress": { "condition": 
"[and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP'))]", "type": "Microsoft.Resources/deployments", @@ -350,7 +481,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -381,6 +512,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -525,8 +722,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -601,7 +797,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -673,175 +878,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" 
@@ -887,183 +936,6 @@ } } } - }, - "azureBastion_roleAssignments": { - "copy": { - "name": "azureBastion_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Bastion-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7732571198100682148" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/bastionHosts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/bastionHosts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "azureBastion" - ] } }, "outputs": { diff --git a/modules/network/ddos-protection-plan/.bicep/nested_roleAssignments.bicep b/modules/network/ddos-protection-plan/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 8cacd68005..0000000000 --- a/modules/network/ddos-protection-plan/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(ddosProtectionPlan.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: ddosProtectionPlan
-}]
diff --git a/modules/network/ddos-protection-plan/.test/common/main.test.bicep b/modules/network/ddos-protection-plan/.test/common/main.test.bicep
index 7aeecb00c5..8324e7f8dc 100644
--- a/modules/network/ddos-protection-plan/.test/common/main.test.bicep
+++ b/modules/network/ddos-protection-plan/.test/common/main.test.bicep
@@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md
index 55b6ee35f8..fcb623a87a 100644
--- a/modules/network/ddos-protection-plan/README.md
+++ b/modules/network/ddos-protection-plan/README.md
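Review bot: The updated test entry exercises only one principal per `roleAssignments` item, which is the new contract: each item now carries a single `principalId`, whereas the deleted nested template fanned one `principalIds` array out into one `Microsoft.Authorization/roleAssignments` per principal. Callers that previously listed several principals in one item therefore need one item per principal after this change, and whether a leftover `principalIds` key is rejected or silently ignored (which would mean a role assignment quietly not being created) depends on the `roleAssignmentType` definition, which is outside this chunk. A second item in the test would cover the per-item naming, e.g. `{ roleDefinitionIdOrName: 'Reader', principalId: <second principal id, placeholder>, principalType: 'ServicePrincipal' }`; note the deleted template named assignments `guid(ddosProtectionPlan.id, principalId, roleDefinitionIdOrName)`, and if the inlined replacement keeps that shape (as the generated JSON hunk above does), two items with the same principal and role would collide on the resource name. The `module testDeployment` block starts and ends outside the hunk.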
@@ -52,9 +52,7 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -97,9 +95,7 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -238,7 +234,68 @@ Name of the DDoS protection plan to assign the VNET to. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep index 97f048cc44..7cb5d14c7b 100644 --- a/modules/network/ddos-protection-plan/main.bicep +++ b/modules/network/ddos-protection-plan/main.bicep 
@@ -13,7 +13,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -21,6 +21,14 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
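Review bot: The `builtInRoleNames` map introduced in the second hunk resolves only five display names (Contributor, Owner, Reader, 'Role Based Access Control Administrator (Preview)', 'User Access Administrator'), while the deleted `.bicep/nested_roleAssignments.bicep` resolved roughly forty, including 'Network Contributor', 'Monitoring Reader' and 'Private DNS Zone Contributor'. A caller that still passes one of the dropped names will, in the `ddosProtectionPlan_roleAssignments` resource of the next hunk, have that string used verbatim as `roleDefinitionId`, so the deployment fails at runtime instead of at validation. Either restore the names that are meaningful at a DDoS protection plan scope, or state in the `roleDefinitionIdOrName` description — here, in `roleAssignmentType` in the later hunk, and in the README — which names are resolved and that any other role must be given as a full role definition resource ID. The dns-forwarding-ruleset module below deletes the same nested list, so presumably the same point applies there.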
@@ -49,17 +57,18 @@ resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if scope: ddosProtectionPlan } -module ddosProtectionPlan_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-DDoSProtectionPlan-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: ddosProtectionPlan.id +resource ddosProtectionPlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: ddosProtectionPlan }] @description('The resource group the DDOS protection plan was deployed into.') 
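Review bot: The assignment `name` is `guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, which leaves `condition` out; two entries for the same principal and role that differ only in their ABAC condition therefore yield the same resource name inside one copy loop, which the deployment presumably rejects as a duplicate rather than creating both assignments. Folding the condition in, `name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName, roleAssignment.?condition ?? '')`, keeps them distinct; the deleted nested module used the same scheme, so this is inherited rather than introduced here. The trailing comment on `conditionVersion` misspells `condtion`.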
@@ -85,3 +94,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index 6b377c3378..eeeab32e03 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5335931212602685116" + "templateHash": "4054513314022675341" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", 
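Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` declares nullability twice, through the `| null` union member and the trailing `?`; the other optional members use only `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches them and, judging by the compiled main.json further down (`"nullable": true`, no null in `allowedValues`), produces the same output. The `principalType` description could also say why a caller should set it: for a principal created in the same deployment, as the test file does with `nestedDependencies.outputs.managedIdentityPrincipalId`, passing `ServicePrincipal` avoids the PrincipalNotFound error Azure returns while the new identity is still replicating. Suggested wording: `@description('Optional. The principal type of the assigned principal ID. Set it when the principal was created in the same deployment, so the assignment does not fail before the identity has replicated.')`.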
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -82,6 +147,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -122,175 +196,20 @@ "ddosProtectionPlan_roleAssignments": { "copy": { "name": "ddosProtectionPlan_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DDoSProtectionPlan-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17533391111719842656" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "ddosProtectionPlan" diff --git a/modules/network/dns-forwarding-ruleset/.bicep/nested_roleAssignments.bicep b/modules/network/dns-forwarding-ruleset/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 36ec1e8f9b..0000000000 --- a/modules/network/dns-forwarding-ruleset/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource dnsForwardingRuleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(dnsForwardingRuleset.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: dnsForwardingRuleset -}] diff --git a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep index 43cb92fd4d..b8cc208e18 100644 --- a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep @@ -77,9 +77,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index c6774af681..f502927b87 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md 
@@ -70,9 +70,7 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -138,9 +136,7 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -308,7 +304,68 @@ Name of the DNS Forwarding Ruleset. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/dns-forwarding-ruleset/main.bicep b/modules/network/dns-forwarding-ruleset/main.bicep index 368c9d487e..83781a4051 100644 --- a/modules/network/dns-forwarding-ruleset/main.bicep +++ b/modules/network/dns-forwarding-ruleset/main.bicep 
@@ -13,7 +13,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -30,6 +30,18 @@ param vNetLinks array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+  'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
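Review bot: The `builtInRoleNames` table is matched by exact display name at the point where `roleDefinitionId` is resolved, so the `'Role Based Access Control Administrator (Preview)'` key stops resolving the moment the role loses its preview suffix; the caller's string is then presumably forwarded as a role definition ID and the deployment fails — fail-closed, but with a confusing error, and a short comment above the table stating that keys must match Azure's current display name exactly (the GUIDs are the stable part) would help whoever maintains the list. Three of the nine entries — `Owner`, `User Access Administrator` and the RBAC Administrator role — allow the assigned principal to grant further access at this scope, which is a much sharper tool than the resource-specific DNS roles. Consider `// NOTE: Owner / User Access Administrator / RBAC Administrator let the principal delegate access on this resource; prefer the DNS-specific roles where they suffice.` above the table so consumers of the module see the distinction.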
@@ -81,17 +93,18 @@ resource dnsForwardingRuleset_lock 'Microsoft.Authorization/locks@2020-05-01' =
   scope: dnsForwardingRuleset
 }
 
-module dnsForwardingRuleset_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-dnsResolver-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: dnsForwardingRuleset.id
+resource dnsForwardingRuleset_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(dnsForwardingRuleset.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: dnsForwardingRuleset
 }]
 
 @description('The resource group the DNS Forwarding Ruleset was deployed into.')
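Review bot: The deterministic name on the `name: guid(...)` line hashes the raw `roleAssignment.roleDefinitionIdOrName`, so the same logical assignment (same principal, same role, same scope) gets a different GUID depending on whether the caller passed the display name or the full role definition ID. Azure enforces uniqueness on (scope, principalId, roleDefinitionId) rather than on the name, so a redeploy that switches between the two forms would, as far as I can tell, fail with a RoleAssignmentExists conflict instead of being idempotent. Hashing the resolved ID keeps the name stable across both spellings: `name: guid(dnsForwardingRuleset.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Since this commit already breaks the parameter contract (`principalIds` → `principalId`), now is the time to do it, because changing the hash input later would itself rename every existing assignment. The trailing comment on the `conditionVersion` line also misspells "condition" (`condtion`).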
@@ -117,3 +130,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json index 494c2005b7..fc7f737bbb 100644 --- a/modules/network/dns-forwarding-ruleset/main.json +++ b/modules/network/dns-forwarding-ruleset/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7214112438295019717" + "templateHash": "6979780770360614224" }, "name": "Dns Forwarding Rulesets", "description": "This template deploys an dns forwarding ruleset.", 
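Review bot: In `roleAssignmentType`, the `null` member of `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` is redundant with the trailing `?`, and the compiled `main.json` in this same commit already shows it collapsed to `"nullable": true` with just the five string values; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the double-nullability. The `condition` description is the only one in the type without a terminating period, and the README generator copies these strings verbatim into the parameter tables. Because `principalType` is optional, its description could carry the practical caveat that — per Azure's guidance as I recall it — setting it explicitly (notably `ServicePrincipal`) avoids principal-lookup failures when the identity was created in the same deployment, e.g. `@description('Optional. The principal type of the assigned principal ID. Set it explicitly for principals created in the same deployment to avoid replication-delay lookup failures.')`.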
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -102,6 +167,19 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -149,6 +227,28 @@ "dnsForwardingRuleset" ] }, + "dnsForwardingRuleset_roleAssignments": { + "copy": { + "name": "dnsForwardingRuleset_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsForwardingRulesets/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "dnsForwardingRuleset" + ] + }, 
"dnsForwardingRuleset_forwardingRule": { "copy": { "name": "dnsForwardingRuleset_forwardingRule", 
@@ -428,183 +528,6 @@ "dependsOn": [ "dnsForwardingRuleset" ] - }, - "dnsForwardingRuleset_roleAssignments": { - "copy": { - "name": "dnsForwardingRuleset_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsResolver-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"8279185746379392662" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsForwardingRulesets/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/dnsForwardingRulesets', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "dnsForwardingRuleset" - ] } }, "outputs": { diff --git a/modules/network/dns-resolver/.bicep/nested_roleAssignments.bicep b/modules/network/dns-resolver/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index fcb665babd..0000000000 --- a/modules/network/dns-resolver/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(dnsResolver.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: dnsResolver -}] diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 0b3ae78e7f..3846d4fbc5 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md 
@@ -210,7 +210,68 @@ Outbound Endpoints for Private DNS Resolver. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/dns-resolver/main.bicep b/modules/network/dns-resolver/main.bicep index 5b4c01b342..59c079f6d7 100644 --- a/modules/network/dns-resolver/main.bicep +++ b/modules/network/dns-resolver/main.bicep 
@@ -13,7 +13,7 @@ param location string = resourceGroup().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -30,6 +30,20 @@ param inboundEndpoints array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+  'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+  'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+  'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
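Review bot: The new `builtInRoleNames` map contains 'Owner', 'User Access Administrator' and 'Role Based Access Control Administrator (Preview)', each of which lets the assignee create further role assignments on the resolver, and nothing in the map marks them as such. A short comment above the map, `// NOTE: Owner, User Access Administrator and RBAC Administrator allow the assignee to grant roles on this resource - review parameter files that use them`, would make that visible to anyone reviewing a deployment. The map is also local to this module and much shorter than the shared list in the deleted nested template, so display names that used to resolve (e.g. 'Monitoring Reader') no longer do here; a one-line comment stating that names outside this map are not resolved would save callers a failed deployment.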
@@ -90,17 +104,18 @@ resource dnsResolver_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt
   scope: dnsResolver
 }
 
-module dnsResolver_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-dnsResolver-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: dnsResolver.id
+resource dnsResolver_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(dnsResolver.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: dnsResolver
 }]
 
 @description('The resource group the Private DNS Resolver was deployed into.')
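Review bot: The deterministic assignment name, `name: guid(dnsResolver.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, hashes the raw input while `roleDefinitionId` uses the resolved ID, so the same role given once as 'Reader' and once as its full definition ID yields two differently named assignments for one (scope, principal, role) triple, and the second is likely to be rejected by ARM as a duplicate. Hashing the resolved value instead (the same `contains(builtInRoleNames, ...) ? builtInRoleNames[...] : ...` expression) closes that gap, but it changes the guid for existing deployments and would need to be called out as a breaking change. Separately, a `roleDefinitionIdOrName` that is neither a key of `builtInRoleNames` nor a resource ID, e.g. a misspelled display name, is passed straight into `roleDefinitionId` with no validation and only fails at deployment time; a comment on that line, `// names not in builtInRoleNames are passed through verbatim - a typo fails at deployment as an unknown role definition`, would help callers. The inline comment also has a typo and should read `// Must only be set if condition is set`.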
@@ -126,3 +141,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json
index a9733ecbfe..dbedeac136 100644
--- a/modules/network/dns-resolver/main.json
+++ b/modules/network/dns-resolver/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11864164290736408459" + "templateHash": "12605363186151510083" }, "name": "DNS Resolvers", "description": "This module deploys a DNS Resolver.", 
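Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the trailing `?` already makes the member optional and nullable, so the `| null` inside the union can go, matching how the other optional members are declared. The `principalType` description would also benefit from stating why a caller should set it: `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. ServicePrincipal) for a principal created in the same deployment, otherwise the assignment may fail with PrincipalNotFound while the directory replicates.')`. That replication behaviour is operational experience rather than something this diff shows, so treat it as a suggestion to confirm; the test files in this commit do set `principalType: 'ServicePrincipal'` consistently, which is the pattern the description would document.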
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -102,6 +167,21 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -188,175 +268,20 @@ "dnsResolver_roleAssignments": { "copy": { "name": "dnsResolver_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsResolver-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsResolvers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsResolvers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsResolvers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14781577945075842659" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsResolvers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/dnsResolvers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "dnsResolver" diff --git a/modules/network/dns-zone/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index f513aeda8d..0000000000 --- a/modules/network/dns-zone/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(dnsZone.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: dnsZone -}] diff --git a/modules/network/dns-zone/.test/common/main.test.bicep b/modules/network/dns-zone/.test/common/main.test.bicep index ed751afbbd..d7a20bd945 100644 --- a/modules/network/dns-zone/.test/common/main.test.bicep +++ b/modules/network/dns-zone/.test/common/main.test.bicep @@ -64,9 +64,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -93,9 +91,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
@@ -122,9 +118,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -142,9 +136,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -154,9 +146,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -166,9 +156,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -190,9 +178,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -213,9 +199,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 3d4407d678..75edd92cfa 100644 --- a/modules/network/dns-zone/README.md 
+++ b/modules/network/dns-zone/README.md @@ -65,9 +65,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: 'A_10.240.4.4' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -94,9 +92,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: 'CNAME_test' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -124,9 +120,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: 'MX_contoso' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -144,9 +138,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -156,9 +148,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -168,9 +158,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: '@' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -192,9 +180,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: 'SRV_contoso' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -220,9 +206,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { name: 'TXT_test' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -269,9 +253,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "A_10.240.4.4", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -302,9 +284,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "CNAME_test", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -338,9 +318,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "MX_contoso", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -360,9 +338,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { ], "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -374,9 +350,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -388,9 +362,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "@", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -414,9 +386,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "SRV_contoso", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -446,9 +416,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "name": "TXT_test", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -649,7 +617,68 @@ Array of PTR records. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `soa` diff --git a/modules/network/dns-zone/a/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/a/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 47a1b20732..0000000000 --- a/modules/network/dns-zone/a/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource A 'Microsoft.Network/dnsZones/A@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(A.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: A -}] diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md index 0929f596ca..8f6ad2bc21 100644 --- a/modules/network/dns-zone/a/README.md +++ b/modules/network/dns-zone/a/README.md 
@@ -79,7 +79,68 @@ The name of the A record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `targetResourceId` diff --git a/modules/network/dns-zone/a/main.bicep b/modules/network/dns-zone/a/main.bicep index cdf6db2701..458ec8ad2a 100644 --- a/modules/network/dns-zone/a/main.bicep +++ b/modules/network/dns-zone/a/main.bicep 
@@ -24,7 +24,21 @@ param targetResourceId string = '' param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' 
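Review bot: The `builtInRoleNames` map added in this hunk resolves only eleven display names, whereas the nested module it replaces (deleted further up in this diff) resolved a much longer list, so a caller that still passes e.g. 'Monitoring Contributor' or 'Log Analytics Reader' no longer gets a resolved ID; the unresolved display name is then used verbatim as `roleDefinitionId` by the role assignment resource in the next hunk and the deployment will most likely fail with a validation error rather than a clear message. Because that fallback is silent at compile time, a comment above the map would help: `// Only the role names listed here are resolved; any other value is passed through unchanged and must be a full role definition resource ID.` The `roleAssignments` parameter description in the same hunk could state the same constraint, since the README is generated from it.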
@@ -55,17 +69,18 @@ resource A 'Microsoft.Network/dnsZones/A@2018-05-01' = { } } -module A_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-DNSA-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: A.id +resource A_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: A }] @description('The name of the deployed A record.') 
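Review bot: The deterministic name `guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` differs from the `guid(A.name, principalId, roleDefinitionIdOrName)` the deleted nested module used, so redeploying a record that already carries an assignment from an earlier module version will attempt to create a second assignment for the same scope, principal and role under a new name; Azure is likely to reject that as a duplicate, which makes this an upgrade-breaking change worth calling out in the module's release notes. Seeding the guid with the unresolved `roleDefinitionIdOrName` also means the same logical assignment gets a different name depending on whether the caller supplies the display name or the full ID; hashing the resolved ID that is computed on the `roleDefinitionId` line would keep the name stable. Minor: the trailing comment has a typo, `// Must only be set if condition is set`.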
@@ -76,3 +91,29 @@ output resourceId string = A.id @description('The resource group of the deployed A record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-zone/a/main.json b/modules/network/dns-zone/a/main.json index 9aeb4218f1..b06788a26a 100644 --- a/modules/network/dns-zone/a/main.json +++ b/modules/network/dns-zone/a/main.json 
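Review bot: In the `principalType` member of `roleAssignmentType`, `| null` inside the union is redundant with the trailing `?`, which already makes the member nullable; the compiled `main.json` in this same commit shows only the five string values plus `nullable: true`. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner and matches how the other optional members are declared. The `condition` description also dropped the trailing period that the deleted nested module's `@sys.description` carried; either form works, but the README tables are generated from these strings, so keeping them consistent across modules avoids drift.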
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6542208080967583866" + "templateHash": "10974837461645436691" }, "name": "Public DNS Zone A record", "description": "This module deploys a Public DNS Zone A record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", 
@@ -60,15 +129,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -82,7 +165,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "A": { "type": "Microsoft.Network/dnsZones/A", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -91,186 +180,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "A_roleAssignments": { "copy": { "name": "A_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12863297534613170503" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), 
parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" + "A" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/aaaa/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/aaaa/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 91f5021a96..0000000000 --- a/modules/network/dns-zone/aaaa/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource AAAA 'Microsoft.Network/dnsZones/AAAA@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(AAAA.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: AAAA -}] diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md index c4e820ffe6..75adf53933 100644 --- a/modules/network/dns-zone/aaaa/README.md +++ b/modules/network/dns-zone/aaaa/README.md 
@@ -79,7 +79,68 @@ The name of the AAAA record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `targetResourceId` diff --git a/modules/network/dns-zone/aaaa/main.bicep b/modules/network/dns-zone/aaaa/main.bicep index a0bda62d90..8156688cdd 100644 --- a/modules/network/dns-zone/aaaa/main.bicep +++ b/modules/network/dns-zone/aaaa/main.bicep 
@@ -24,7 +24,21 @@ param targetResourceId string = ''
 param enableDefaultTelemetry bool = true
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
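Review bot: The new `builtInRoleNames` map resolves only eleven display names, whereas the nested template deleted earlier in this commit resolved roughly forty (for example 'Log Analytics Contributor' or 'Monitoring Reader'), so a caller who passed one of the dropped names now falls through the `contains(builtInRoleNames, ...)` check in the role-assignment resource of the next hunk and has the bare display name submitted as a roleDefinitionId, which presumably fails only at deployment time. Narrowing the map to roles that make sense on a DNS record is a reasonable least-privilege choice, but it is a breaking change for existing callers and nothing in the hunk or the README section in this commit says so. Suggest a comment above the map, `// Only roles relevant to a DNS record resolve by display name; pass any other role as its full roleDefinition resource ID`, and a matching sentence in the roleAssignments parameter description.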
@@ -55,17 +69,18 @@ resource AAAA 'Microsoft.Network/dnsZones/AAAA@2018-05-01' = {
 }
 }
-module AAAA_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSAAAA-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: AAAA.id
+resource AAAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(AAAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: AAAA
 }]
 @description('The name of the deployed AAAA record.')
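Review bot: The fallback branch of `roleDefinitionId` hands any unrecognised `roleDefinitionIdOrName` straight to the API as a role definition ID, so a misspelled display name is presumably caught only when the deployment runs; a comment on that line, `// Unknown display names are passed through unchanged and only fail at deployment; see builtInRoleNames`, would save the next reader a debugging round. The assignment `name` is derived from the raw `roleDefinitionIdOrName`, so the same role given as a display name in one entry and as a full ID in another would yield two different GUIDs for what is one effective assignment; worth stating in the parameter description if that is intended. The trailing comment on `conditionVersion` has a typo: `// Must only be set if condition is set`.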
@@ -76,3 +91,29 @@ output resourceId string = AAAA.id
 @description('The resource group of the deployed AAAA record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/aaaa/main.json b/modules/network/dns-zone/aaaa/main.json
index 1a9f64999a..8b707375df 100644
--- a/modules/network/dns-zone/aaaa/main.json
+++ b/modules/network/dns-zone/aaaa/main.json
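Review bot: In `principalType` the `| null` inside the union is redundant with the trailing `?`, and the compiled main.json in the next file section emits only the five allowed values plus `nullable: true`, so the shorter form `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches how the other optional members are written. The `conditionVersion` description should also say that it is ignored unless `condition` is set, since the resource in the preceding hunk nulls it out in that case: `@description('Optional. Version of the condition. Only applied when a condition is set.')`.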
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3710520452642205212" + "templateHash": "11266429358803831455" }, "name": "Public DNS Zone AAAA record", "description": "This module deploys a Public DNS Zone AAAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", 
@@ -60,15 +129,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -82,7 +165,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "AAAA": { "type": "Microsoft.Network/dnsZones/AAAA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -91,186 +180,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "AAAA_roleAssignments": { "copy": { "name": "AAAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSAAAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8289108097363297951" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" + "AAAA" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/caa/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/caa/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 390053595e..0000000000 --- a/modules/network/dns-zone/caa/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource CAA 'Microsoft.Network/dnsZones/CAA@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(CAA.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: CAA -}] diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md index 9bfa2bb020..29980a362d 100644 --- a/modules/network/dns-zone/caa/README.md +++ b/modules/network/dns-zone/caa/README.md 
@@ -78,7 +78,68 @@ The name of the CAA record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/dns-zone/caa/main.bicep b/modules/network/dns-zone/caa/main.bicep index 73230e29d4..789edca66f 100644 --- a/modules/network/dns-zone/caa/main.bicep +++ b/modules/network/dns-zone/caa/main.bicep 
@@ -18,11 +18,25 @@ param caaRecords array = []
 param ttl int = 3600
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
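Review bot: `builtInRoleNames` now resolves only eleven display names, whereas the nested template this patch deletes (see the removed `.bicep/nested_roleAssignments.bicep` further down, which the CAA module presumably mirrored) resolved roughly forty, so a caller still passing a name such as 'Storage Account Contributor' no longer matches the `contains(builtInRoleNames, …)` lookup in the next hunk and the bare display name is sent to ARM as `roleDefinitionId`, which fails only at deployment time rather than at validation. The `@description` on `roleAssignments` still advertises "the display name of the role definition" without qualification, so the narrowed list is invisible to consumers. I would add a comment above the map, `// Display names not listed here are passed through verbatim and must be full role definition resource IDs`, and mention the narrowing in the module changelog.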
@@ -49,17 +63,18 @@ resource CAA 'Microsoft.Network/dnsZones/CAA@2018-05-01' = {
 }
 }
-module CAA_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSCAA-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: CAA.id
+resource CAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(CAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: CAA
 }]
 @description('The name of the deployed CAA record.')
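Review bot: The deterministic name on the `name: guid(CAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line is seeded with the unresolved `roleDefinitionIdOrName`, so the same role given once as 'Owner' and once as its full definition ID for the same principal produces two resources with different names that both target one underlying assignment, and the second one fails with a conflict at deployment time instead of being de-duplicated. Seeding with the resolved ID (the same ternary used for `roleDefinitionId`) would collapse them, but that renames every existing assignment on redeploy, so if this is kept as carried over from the nested template it deserves a comment on the `name:` line saying the seed is intentionally the raw input. Separately, the trailing comment on the `conditionVersion` line misspells the property: `// Must only be set if condition is set`.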
@@ -70,3 +85,29 @@ output resourceId string = CAA.id
 @description('The resource group of the deployed CAA record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/caa/main.json b/modules/network/dns-zone/caa/main.json
index c0b6623111..bc7befc61b 100644
--- a/modules/network/dns-zone/caa/main.json
+++ b/modules/network/dns-zone/caa/main.json
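Review bot: The `roleDefinitionIdOrName` description in the new `roleAssignmentType` says a role definition ID can be used "if it cannot be found" but gives the caller no way to know which names are found, and since resolution happens only against the `builtInRoleNames` map earlier in this file, an unknown name is passed through verbatim and fails at deployment. I would make the contract explicit: `@description('Required. The name of the role to assign. Only the built-in roles listed in builtInRoleNames are resolved by display name; any other value is passed through unchanged and must be a full role definition resource ID.')`. On the `principalType` line the union already ends in `| null` and the property is also marked `?`, which expresses the same nullability twice; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the same type and matches how the other optional fields are written. The same type block is presumably added to the sibling cname/main.bicep later in this patch, where the same two points apply.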
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "139457689749453308" + "templateHash": "17336929917389994115" }, "name": "Public DNS Zone CAA record", "description": "This module deploys a Public DNS Zone CAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "CAA": { "type": "Microsoft.Network/dnsZones/CAA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "caaRecords": "[parameters('caaRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "CAA_roleAssignments": { "copy": { "name": "CAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSCAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9470565833545804306" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" + "CAA" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/cname/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/cname/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index feeb4803a3..0000000000 --- a/modules/network/dns-zone/cname/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource CNAME 'Microsoft.Network/dnsZones/CNAME@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(CNAME.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: CNAME -}] diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md index d58c077c0d..2f06be8f3a 100644 --- a/modules/network/dns-zone/cname/README.md +++ b/modules/network/dns-zone/cname/README.md 
@@ -79,7 +79,68 @@ The name of the CNAME record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `targetResourceId` diff --git a/modules/network/dns-zone/cname/main.bicep b/modules/network/dns-zone/cname/main.bicep index 852408229f..251924db52 100644 --- a/modules/network/dns-zone/cname/main.bicep +++ b/modules/network/dns-zone/cname/main.bicep 
@@ -21,11 +21,25 @@ param ttl int = 3600 param targetResourceId string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
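Review bot: The new `roleAssignmentType` parameter expects a single `principalId` string per element, whereas the wiring removed in the next hunk forwarded `principalIds` as an array, so every existing caller of this module is broken by this change and nothing visible in the patch records it as breaking; the parameter `@description` and the module README should say so, e.g. `Breaking: each entry now takes a single principalId instead of a principalIds array.` The `builtInRoleNames` map is also cut from the roughly forty roles in the deleted nested template to eleven, and because an unrecognised display name falls through to being used verbatim as `roleDefinitionId`, a caller still passing e.g. `Monitoring Contributor` by name now fails only at deployment time with a role-definition error rather than at validation — if the narrowing is deliberate, the README should list which display names remain resolvable. The same map and the same parameter change are repeated in the dns-zone `main.bicep` hunks further down; a shared type or `.bicep` file would keep the two copies from drifting.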
@@ -55,17 +69,18 @@ resource CNAME 'Microsoft.Network/dnsZones/CNAME@2018-05-01' = {
 }
 }
-module CNAME_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSCNAME-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: CNAME.id
+resource CNAME_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: CNAME
 }]
 @description('The name of the deployed CNAME record.')
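Review bot: The resource name `guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's unresolved identifier, so a role given as a display name in one element and as its full definition ID in another produces two differently named resources for what ARM treats as a single (scope, principal, role) assignment, and the second fails with a conflict instead of the deployment being idempotent. Hashing the resolved value, `name: guid(CNAME.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, collapses both spellings to one name, though since the deleted nested template used the same unresolved basis this renames already-deployed assignments and should be weighed as a migration step. The trailing comment on `conditionVersion` misspells the word: `// Must only be set if condition is set`. The `dnsZone_roleAssignments` hunk in dns-zone/main.bicep has the same name basis and the same typo.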
@@ -76,3 +91,29 @@ output resourceId string = CNAME.id
 @description('The resource group of the deployed CNAME record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/cname/main.json b/modules/network/dns-zone/cname/main.json
index 78d4dd61c0..b33300806f 100644
--- a/modules/network/dns-zone/cname/main.json
+++ b/modules/network/dns-zone/cname/main.json
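Review bot: In `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` the `| null` member is redundant with the trailing `?`, and the compiled main.json in the next file shows it adds nothing (five `allowedValues` plus `"nullable": true`); `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads the same to callers. The two required string properties, `roleDefinitionIdOrName` and `principalId`, still accept an empty string; a `@minLength(1)` decorator on each would reject that at validation instead of letting an empty principal reach the role-assignment resource. The `roleAssignmentType` declaration in dns-zone/main.bicep further down repeats both points.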
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9638487977820751575" + "templateHash": "13232609782269052972" }, "name": "Public DNS Zone CNAME record", "description": "This module deploys a Public DNS Zone CNAME record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -53,8 +122,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -67,8 +135,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -82,7 +165,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "CNAME": { "type": "Microsoft.Network/dnsZones/CNAME", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -91,186 +180,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "CNAME_roleAssignments": { "copy": { "name": "CNAME_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSCNAME-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9902709125102553327" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": 
"[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" + "CNAME" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/main.bicep b/modules/network/dns-zone/main.bicep index 84d8fd6120..61c03dc82a 100644 --- a/modules/network/dns-zone/main.bicep 
+++ b/modules/network/dns-zone/main.bicep @@ -41,7 +41,7 @@ param txt array = [] param location string = 'global' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -54,6 +54,20 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -217,17 +231,18 @@ resource dnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 scope: dnsZone
 }
-module dnsZone_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-dnsZone-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: dnsZone.id
+resource dnsZone_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(dnsZone.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: dnsZone
 }]
 @description('The resource group the DNS zone was deployed into.')
@@ -253,3 +268,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json index 6cc1b04100..735a3f2f26 100644 --- a/modules/network/dns-zone/main.json +++ b/modules/network/dns-zone/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14872051751998229436" + "templateHash": "1680239342296037315" }, "name": "Public DNS Zones", "description": "This module deploys a Public DNS zone.", 
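Review bot: The description of `roleDefinitionIdOrName` says a role definition ID may be given instead of a name but not in which form, while the `roleAssignments` parameter text elsewhere in the module documents only the fully qualified `/providers/Microsoft.Authorization/roleDefinitions/<guid>` shape; the type description is what ends up in the generated README, so state it here: `@description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead, as a fully qualified resource ID (/providers/Microsoft.Authorization/roleDefinitions/<guid>).')`. `principalId` should say it is the Entra ID object ID of the principal rather than an application (client) ID, since that mix-up is the usual reason an assignment fails. `conditionVersion` is only applied when `condition` is set and defaults to '2.0' in the role assignment resource earlier in the file, which `@description('Optional. Version of the condition.')` does not convey; `@description('Optional. Version of the condition. Only used when condition is set; defaults to 2.0.')` would. The `condition` example is a storage-container ABAC expression, so a note that conditions are evaluated by Azure RBAC at request time and must reference attributes valid for this resource type would help callers avoid copying it verbatim.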
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -126,8 +192,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -154,7 +219,20 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -195,6 +273,28 @@ "dnsZone" ] }, + "dnsZone_roleAssignments": { + "copy": { + "name": "dnsZone_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "dnsZone" + ] + }, "dnsZone_A": { "copy": { "name": "dnsZone_A", 
@@ -226,17 +326,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6542208080967583866" + "templateHash": "10974837461645436691" }, "name": "Public DNS Zone A record", "description": "This module deploys a Public DNS Zone A record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", 
@@ -286,15 +455,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -308,7 +491,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "A": { "type": "Microsoft.Network/dnsZones/A", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -317,186 +506,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "A_roleAssignments": { "copy": { "name": "A_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12863297534613170503" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/A/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), 
parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/A', parameters('dnsZoneName'), parameters('name'))]" + "A" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -557,17 +594,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3710520452642205212" + "templateHash": "11266429358803831455" }, "name": "Public DNS Zone AAAA record", "description": "This module deploys a Public DNS Zone AAAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", 
@@ -617,15 +723,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -639,7 +759,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "AAAA": { "type": "Microsoft.Network/dnsZones/AAAA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -648,186 +774,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "AAAA_roleAssignments": { "copy": { "name": "AAAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSAAAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8289108097363297951" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/AAAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/AAAA', parameters('dnsZoneName'), parameters('name'))]" + "AAAA" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -888,17 +862,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9638487977820751575" + "templateHash": "13232609782269052972" }, "name": "Public DNS Zone CNAME record", "description": "This module deploys a Public DNS Zone CNAME record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -941,8 +984,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -955,8 +997,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -970,7 +1027,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "CNAME": { "type": "Microsoft.Network/dnsZones/CNAME", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -979,186 +1042,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "targetResource": "[if(not(empty(parameters('targetResourceId'))), createObject('id', parameters('targetResourceId')), null())]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "CNAME_roleAssignments": { "copy": { "name": "CNAME_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSCNAME-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', 
parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9902709125102553327" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CNAME/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CNAME', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": 
"[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/CNAME', parameters('dnsZoneName'), parameters('name'))]" + "CNAME" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1218,17 +1129,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "139457689749453308" + "templateHash": "17336929917389994115" }, "name": "Public DNS Zone CAA record", "description": "This module deploys a Public DNS Zone CAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -1264,8 +1244,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1278,22 +1257,43 @@ } } }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { + "condition": 
"[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [] } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "CAA": { "type": "Microsoft.Network/dnsZones/CAA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -1301,186 +1301,34 @@ "metadata": "[parameters('metadata')]", "caaRecords": "[parameters('caaRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "CAA_roleAssignments": { "copy": { "name": "CAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSCAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9470565833545804306" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/CAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/CAA', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/CAA', parameters('dnsZoneName'), parameters('name'))]" + "CAA" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1540,17 +1388,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17935109453553054168" + "templateHash": "16614736782890395121" }, "name": "Public DNS Zone MX record", "description": "This module deploys a Public DNS Zone MX record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -1586,8 +1503,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1600,8 +1516,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1615,7 +1546,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "MX": { "type": "Microsoft.Network/dnsZones/MX", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -1623,186 +1560,34 @@ "metadata": "[parameters('metadata')]", "MXRecords": "[parameters('mxRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "MX_roleAssignments": { "copy": { "name": "MX_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSMX-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3617371994879925017" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" + "MX" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1862,17 +1647,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5114862259619051357" + "templateHash": "10360566575253611568" }, "name": "Public DNS Zone NS record", "description": "This module deploys a Public DNS Zone NS record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -1908,8 +1762,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1922,8 +1775,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1937,7 +1805,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "NS": { "type": "Microsoft.Network/dnsZones/NS", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -1945,186 +1819,34 @@ "metadata": "[parameters('metadata')]", "NSRecords": "[parameters('nsRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "NS_roleAssignments": { "copy": { "name": "NS_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSNS-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14367633254025428198" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" + "NS" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2184,17 +1906,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10998530599333888745" + "templateHash": "694884293764156099" }, "name": "Public DNS Zone PTR record", "description": "This module deploys a Public DNS Zone PTR record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -2230,8 +2021,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2244,8 +2034,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2259,7 +2064,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "PTR": { "type": "Microsoft.Network/dnsZones/PTR", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -2267,186 +2078,34 @@ "metadata": "[parameters('metadata')]", "PTRRecords": "[parameters('ptrRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "PTR_roleAssignments": { "copy": { "name": "PTR_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSPTR-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17983831737512612600" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" + "PTR" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2506,17 +2165,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10118634861239112279" + "templateHash": "10526329700400149290" }, "name": "Public DNS Zone SOA record", "description": "This module deploys a Public DNS Zone SOA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -2552,8 +2280,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2566,8 +2293,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2581,7 +2323,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "SOA": { "type": "Microsoft.Network/dnsZones/SOA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -2589,186 +2337,34 @@ "metadata": "[parameters('metadata')]", "SOARecord": "[parameters('soaRecord')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "SOA_roleAssignments": { "copy": { "name": "SOA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSSOA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7383644209973085042" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" + "SOA" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2828,17 +2424,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17870818057963659035" + "templateHash": "2773338273433722142" }, "name": "Public DNS Zone SRV record", "description": "This module deploys a Public DNS Zone SRV record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -2874,8 +2539,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2888,8 +2552,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2903,7 +2582,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "SRV": { "type": "Microsoft.Network/dnsZones/SRV", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -2911,186 +2596,34 @@ "metadata": "[parameters('metadata')]", "SRVRecords": "[parameters('srvRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "SRV_roleAssignments": { "copy": { "name": "SRV_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSSRV-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1743157605226588693" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" + "SRV" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3150,17 +2683,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13941492299186927650" + "templateHash": "8314659933691992641" }, "name": "Public DNS Zone TXT record", "description": "This module deploys a Public DNS Zone TXT record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -3196,8 +2798,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -3210,8 +2811,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -3225,7 +2841,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "TXT": { "type": "Microsoft.Network/dnsZones/TXT", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -3233,186 +2855,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "TXTRecords": "[parameters('txtRecords')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "TXT_roleAssignments": { "copy": { "name": "TXT_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSTXT-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7288997439030042721" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" + "TXT" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3441,183 +2911,6 @@ "dependsOn": [ "dnsZone" ] - }, - "dnsZone_roleAssignments": { - "copy": { - "name": "dnsZone_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-dnsZone-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10745925950629635011" - } - }, - "parameters": { - "principalIds": 
{ - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "dnsZone" - ] } }, "outputs": { diff --git a/modules/network/dns-zone/mx/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/mx/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index c8346086b5..0000000000 --- a/modules/network/dns-zone/mx/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource MX 'Microsoft.Network/dnsZones/MX@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(MX.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: MX -}] diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md index 2404e76d3a..a2f9f80afd 100644 --- a/modules/network/dns-zone/mx/README.md +++ b/modules/network/dns-zone/mx/README.md 
@@ -78,7 +78,68 @@ The name of the MX record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/dns-zone/mx/main.bicep b/modules/network/dns-zone/mx/main.bicep index d503d49a33..6814f1c3a1 100644 --- a/modules/network/dns-zone/mx/main.bicep +++ b/modules/network/dns-zone/mx/main.bicep 
@@ -18,11 +18,25 @@ param mxRecords array = [] param ttl int = 3600 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
@@ -49,17 +63,18 @@ resource MX 'Microsoft.Network/dnsZones/MX@2018-05-01' = { } } -module MX_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-DNSMX-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: MX.id +resource MX_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(MX.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: MX }] @description('The name of the deployed MX record.') 
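Review bot: In the new MX_roleAssignments resource, `condition` and `conditionVersion` are gated differently: `condition: roleAssignment.?condition` forwards an empty string unchanged, while the `conditionVersion` expression on the next line falls back to null whenever the condition is empty, so an empty `condition` reaches the API without a version, where the removed nested module (`!empty(condition) ? condition : null`) sent null for both. Restoring the old contract is a one-line change, `condition: !empty(roleAssignment.?condition) ? roleAssignment.?condition : null`. The trailing comment on the conditionVersion line has a typo, `condtion` → `condition`. Separately, a `roleDefinitionIdOrName` that is not in the trimmed `builtInRoleNames` map now flows straight through as `roleDefinitionId`, so callers that relied on names the old nested map resolved (e.g. 'Log Analytics Contributor') get an ARM-side error rather than a validation message; the parameter description should state that only the names in the map, or a full role definition ID, are accepted.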
@@ -70,3 +85,29 @@ output resourceId string = MX.id @description('The resource group of the deployed MX record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-zone/mx/main.json b/modules/network/dns-zone/mx/main.json index 1c740cd6dc..e45e0fe6f1 100644 --- a/modules/network/dns-zone/mx/main.json +++ b/modules/network/dns-zone/mx/main.json 
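Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the `| null` member is redundant with the trailing `?`, and the compiled main.json in this same commit already emits plain `allowedValues` with `nullable: true`. Writing it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches how the other optional members of the type are declared. The `condition` description is also the only one in the type without a terminating period, and the generated README table inherits that inconsistency.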
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17935109453553054168" + "templateHash": "16614736782890395121" }, "name": "Public DNS Zone MX record", "description": "This module deploys a Public DNS Zone MX record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "MX": { "type": "Microsoft.Network/dnsZones/MX", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "MXRecords": "[parameters('mxRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "MX_roleAssignments": { "copy": { "name": "MX_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSMX-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3617371994879925017" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/MX/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/MX', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/MX', parameters('dnsZoneName'), parameters('name'))]" + "MX" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/ns/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/ns/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index a4a9fa499c..0000000000 --- a/modules/network/dns-zone/ns/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource NS 'Microsoft.Network/dnsZones/NS@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(NS.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: NS -}] diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md index f95a252125..8a48a9ed9e 100644 --- a/modules/network/dns-zone/ns/README.md +++ b/modules/network/dns-zone/ns/README.md 
@@ -78,7 +78,68 @@ The list of NS records in the record set. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/dns-zone/ns/main.bicep b/modules/network/dns-zone/ns/main.bicep index bef96de554..3964d72597 100644 --- a/modules/network/dns-zone/ns/main.bicep +++ b/modules/network/dns-zone/ns/main.bicep 
@@ -18,11 +18,25 @@ param nsRecords array = [] param ttl int = 3600 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
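Review bot: The `@description` kept on `param roleAssignments roleAssignmentType` still promises that "the display name of the role definition" is accepted, but the new `builtInRoleNames` map resolves only the eleven names listed in this hunk; any other display name is handed to `roleDefinitionId` verbatim and will only fail at deployment time, with no validation-time hint. The removed inline template (see the deleted `builtInRoleNames` block further down in main.json) resolved a much longer list, so callers that used e.g. `'Monitoring Reader'` by name now silently depend on a lookup that no longer exists. I would add a sentence to the description such as `Only the built-in role names listed in the 'builtInRoleNames' variable are resolved by name; pass the full role definition resource ID for any other role.` Keeping the map alphabetically sorted, as it is here, is worth a short comment so future additions stay easy to diff.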
@@ -49,17 +63,18 @@ resource NS 'Microsoft.Network/dnsZones/NS@2018-05-01' = { } } -module NS_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-DNSNS-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: NS.id +resource NS_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(NS.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: NS }] @description('The name of the deployed NS record.') 
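Review bot: The deterministic resource name `guid(NS.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is seeded with the caller's raw string, so the same role given once as a display name and once as its full definition ID yields two different names for what is, as far as I understand ARM's uniqueness rule, the same principal/role/scope assignment; seeding with the resolved ID avoids that: `name: guid(NS.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The trailing comment on `conditionVersion` has a typo and should read `// Must only be set if condition is set`, and it would help to spell out that a caller-supplied `conditionVersion` is silently dropped when `condition` is empty. The switch from a nested deployment to a direct `Microsoft.Authorization/roleAssignments` resource also changes the deployment name visible in activity logs (`-DNSNS-Rbac-<index>` is gone), which is worth a line in the module README for teams that alert on role-assignment deployments.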
@@ -70,3 +85,29 @@ output resourceId string = NS.id @description('The resource group of the deployed NS record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-zone/ns/main.json b/modules/network/dns-zone/ns/main.json index 0324b74495..d840dcd791 100644 --- a/modules/network/dns-zone/ns/main.json +++ b/modules/network/dns-zone/ns/main.json 
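Review bot: The `principalType` member is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the explicit `null` in the union and the trailing `?` say the same thing; the compiled main.json shows a single `"nullable": true`, so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is equivalent and matches how the other optional members in this type are written. The `@description` for `principalType` could carry the practical reason to set it: if I recall Azure's RBAC guidance correctly, supplying `'ServicePrincipal'` for a freshly created identity avoids principal-lookup failures caused by directory replication delay, which is exactly the case this module hits when it runs right after an identity is created — worth confirming before adding. The `roleDefinitionIdOrName` description would also benefit from noting that the accepted value is either a name the module's `builtInRoleNames` variable knows or a full role definition resource ID.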
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5114862259619051357" + "templateHash": "10360566575253611568" }, "name": "Public DNS Zone NS record", "description": "This module deploys a Public DNS Zone NS record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "NS": { "type": "Microsoft.Network/dnsZones/NS", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "NSRecords": "[parameters('nsRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "NS_roleAssignments": { "copy": { "name": "NS_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSNS-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14367633254025428198" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/NS/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/NS', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/NS', parameters('dnsZoneName'), parameters('name'))]" + "NS" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/ptr/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/ptr/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b718a4be7f..0000000000 --- a/modules/network/dns-zone/ptr/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource PTR 'Microsoft.Network/dnsZones/PTR@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(PTR.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: PTR -}] diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md index 04db682bb4..fb72f7e423 100644 --- a/modules/network/dns-zone/ptr/README.md +++ b/modules/network/dns-zone/ptr/README.md 
@@ -78,7 +78,68 @@ The list of PTR records in the record set. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/dns-zone/ptr/main.bicep b/modules/network/dns-zone/ptr/main.bicep index 72275f3b9b..ed72b8e283 100644 --- a/modules/network/dns-zone/ptr/main.bicep +++ b/modules/network/dns-zone/ptr/main.bicep 
@@ -18,11 +18,25 @@ param ptrRecords array = []
 param ttl int = 3600
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
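Review bot: The new `builtInRoleNames` map resolves only eleven display names, yet the `roleAssignments` description on the line above it still promises that any "display name of the role definition" is accepted; a name the deleted nested module used to resolve (the much longer list in the `nested_roleAssignments.bicep` deletions elsewhere in this patch) now falls through `contains(builtInRoleNames, …)` unchanged and is sent to ARM as a `roleDefinitionId`, so the deployment fails only at runtime with an unhelpful invalid-ID error. Making the contract explicit at the map would save callers that round trip: `// Display names resolvable in roleDefinitionIdOrName; any other role must be passed as a full roleDefinitions resource ID.` The same sentence belongs in the README's `roleAssignments.roleDefinitionIdOrName` description, and the `@description` on the parameter could name the map. The rest of the file continues outside this hunk.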
@@ -49,17 +63,18 @@ resource PTR 'Microsoft.Network/dnsZones/PTR@2018-05-01' = {
 }
 }
 
-module PTR_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSPTR-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: PTR.id
+resource PTR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: PTR
 }]
 
 @description('The name of the deployed PTR record.')
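Review bot: `name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the unresolved input, so the same principal and role given once by display name and once by full ID produce two different assignment names that resolve to the same `roleDefinitionId` one line below; ARM is likely to reject the second as an already-existing role assignment, and the failure surfaces late instead of the loop being idempotent. Hashing the resolved ID keeps the name stable however the role was spelled: `name: guid(PTR.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Be aware this changes the name for existing deployments that passed display names, so those assignments would be recreated on the next deploy. Separately, the trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`.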
@@ -70,3 +85,29 @@ output resourceId string = PTR.id
 @description('The resource group of the deployed PTR record.')
 output resourceGroupName string = resourceGroup().name
 
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/ptr/main.json b/modules/network/dns-zone/ptr/main.json
index d596d246fc..ad029b2b73 100644
--- a/modules/network/dns-zone/ptr/main.json
+++ b/modules/network/dns-zone/ptr/main.json
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10998530599333888745" + "templateHash": "694884293764156099" }, "name": "Public DNS Zone PTR record", "description": "This module deploys a Public DNS Zone PTR record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "PTR": { "type": "Microsoft.Network/dnsZones/PTR", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "PTRRecords": "[parameters('ptrRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "PTR_roleAssignments": { "copy": { "name": "PTR_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSPTR-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17983831737512612600" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/PTR/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/PTR', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/PTR', parameters('dnsZoneName'), parameters('name'))]" + "PTR" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/soa/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/soa/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 06b0982acd..0000000000 --- a/modules/network/dns-zone/soa/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource SOA 'Microsoft.Network/dnsZones/SOA@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(SOA.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: SOA -}] diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md index ec6efc70ec..a9c838ea26 100644 --- a/modules/network/dns-zone/soa/README.md +++ b/modules/network/dns-zone/soa/README.md 
@@ -71,7 +71,68 @@ The name of the SOA record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `soaRecord` diff --git a/modules/network/dns-zone/soa/main.bicep b/modules/network/dns-zone/soa/main.bicep index d070a9b7c9..64b31163cc 100644 --- a/modules/network/dns-zone/soa/main.bicep +++ b/modules/network/dns-zone/soa/main.bicep 
@@ -18,11 +18,25 @@ param soaRecord object = {}
 param ttl int = 3600
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -49,17 +63,18 @@ resource SOA 'Microsoft.Network/dnsZones/SOA@2018-05-01' = {
 }
 }
 
-module SOA_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSSOA-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: SOA.id
+resource SOA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(SOA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: SOA
 }]
 
 @description('The name of the deployed SOA record.')
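Review bot: A `roleDefinitionIdOrName` that is not a key of `builtInRoleNames` is forwarded verbatim as `roleDefinitionId`, and this map is much smaller than the one in the nested module the commit deletes (names such as 'Log Analytics Contributor' and 'Monitoring Reader' are no longer resolved), so a caller still passing one of those display names would presumably now fail at deployment time on an invalid role definition ID rather than get a clear validation error. The fallback deserves a comment, e.g. `// Names not listed in builtInRoleNames are passed through unchanged and must then be a full role definition resource ID`, and the dropped names should be called out in the commit description. The deterministic `name` also hashes the raw `roleDefinitionIdOrName`, so the same role given once by display name and once by ID for one principal yields two different assignment names that presumably collide on the existing assignment at deploy time; worth confirming. Minor: `condtion` in the trailing comment on the `conditionVersion` line is a typo.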
@@ -70,3 +85,29 @@ output resourceId string = SOA.id
 @description('The resource group of the deployed SOA record.')
 output resourceGroupName string = resourceGroup().name
 
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/soa/main.json b/modules/network/dns-zone/soa/main.json
index 17ba5d7803..b3486a03bf 100644
--- a/modules/network/dns-zone/soa/main.json
+++ b/modules/network/dns-zone/soa/main.json
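Review bot: The `principalType` member of `roleAssignmentType` spells out `| null` inside a union that already carries the trailing `?`, which none of the sibling properties do, and the compiled main.json below shows the null member only folds into `"nullable": true` next to the five allowed values. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would read consistently with the rest of the type. The description of `roleDefinitionIdOrName` tells the reader an ID can be used when the name 'cannot be found' but gives no way to know which names are resolvable; naming the `builtInRoleNames` map there, e.g. `@description('Required. The display name of the role to assign (one of the keys of builtInRoleNames) or the full role definition resource ID.')`, would close that gap, since the same text drives the generated README table above.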
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10118634861239112279" + "templateHash": "10526329700400149290" }, "name": "Public DNS Zone SOA record", "description": "This module deploys a Public DNS Zone SOA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "SOA": { "type": "Microsoft.Network/dnsZones/SOA", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "SOARecord": "[parameters('soaRecord')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "SOA_roleAssignments": { "copy": { "name": "SOA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSSOA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7383644209973085042" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SOA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SOA', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/SOA', parameters('dnsZoneName'), parameters('name'))]" + "SOA" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/srv/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/srv/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index c0c1b1b43e..0000000000 --- a/modules/network/dns-zone/srv/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
-  'ServicePrincipal'
-  'Group'
-  'User'
-  'ForeignGroup'
-  'Device'
-  ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
-  '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
-  'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
-  'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
-  'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
-  'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
-  'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
-  'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
-  'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
-  'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
-  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
-  'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
-  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
-  'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
-  'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
-  'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
-  'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
-  'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
-  'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
-  'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
-  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
-  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
-  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
-  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
-  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
-  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
-  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
-  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
-  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
-  'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
-  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
-  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
-  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
-  'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
-  'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
-  'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
-  'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
-  'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
-  'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
-  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-  'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
-  'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
-  'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
-  'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
-}
-
-resource SRV 'Microsoft.Network/dnsZones/SRV@2018-05-01' existing = {
-  name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(SRV.id, principalId, roleDefinitionIdOrName)
-  properties: {
-    description: description
-    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
-    principalId: principalId
-    principalType: !empty(principalType) ? any(principalType) : null
-    condition: !empty(condition) ? condition : null
-    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
-    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
-  }
-  scope: SRV
-}]
diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md
index 8947cd2a5f..32dd9091a8 100644
--- a/modules/network/dns-zone/srv/README.md
+++ b/modules/network/dns-zone/srv/README.md
@@ -71,7 +71,68 @@ The name of the SRV record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `srvRecords` diff --git a/modules/network/dns-zone/srv/main.bicep b/modules/network/dns-zone/srv/main.bicep index 25b51ebf89..87d1466c0d 100644 --- a/modules/network/dns-zone/srv/main.bicep +++ b/modules/network/dns-zone/srv/main.bicep 
@@ -18,11 +18,25 @@ param srvRecords array = [] param ttl int = 3600 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
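Review bot: The new `builtInRoleNames` map added in this hunk resolves 11 display names, whereas the `.bicep/nested_roleAssignments.bicep` deleted in this same commit resolved roughly forty (Monitoring Contributor, Log Analytics Reader, Storage Account Contributor and others). A caller that still passes one of the dropped names would no longer match the `contains()` lookup in the role assignment resource of the following hunk and would have the display name forwarded verbatim as `roleDefinitionId`, so the failure moves from template validation to deployment time with a less obvious error. Restricting the list to roles that are meaningful on a DNS record is a sensible least-privilege choice, but the constraint should be stated where it is made; a comment above the var such as `// Curated built-in roles for this resource type; any other role must be passed as its fully qualified role definition ID.` would do, and the `roleAssignments` param description changed in this hunk could carry the same sentence.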
@@ -49,17 +63,18 @@ resource SRV 'Microsoft.Network/dnsZones/SRV@2018-05-01' = { } } -module SRV_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-DNSSRV-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: SRV.id +resource SRV_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(SRV.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: SRV }] @description('The name of the deployed SRV record.') 
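Review bot: The `name: guid(SRV.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seed uses the caller-supplied value rather than the resolved role definition ID, so the same principal granted the same role once by display name and once by full ID would likely produce two role assignment resources with different names for one effective assignment, and the second would conflict at deployment time. Seeding with the resolved ID makes the name stable regardless of how the role is spelled: `name: guid(SRV.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Separately, the inline comment on the `conditionVersion` line has a typo; it should read `// Must only be set if condition is set`.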
@@ -70,3 +85,29 @@ output resourceId string = SRV.id @description('The resource group of the deployed SRV record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/dns-zone/srv/main.json b/modules/network/dns-zone/srv/main.json index d0c3e30324..b98e3e817c 100644 --- a/modules/network/dns-zone/srv/main.json +++ b/modules/network/dns-zone/srv/main.json 
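Review bot: In the `roleAssignmentType` definition, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and also marks the property optional with `?`, which appears redundant; the compiled `main.json` in this commit emits only the five string values with `nullable: true`. Dropping the inner member keeps the type consistent with the other optional properties in the same block: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The `condition` description is also the only one in the block without a trailing period, which shows up as-is in the generated README table.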
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17870818057963659035" + "templateHash": "2773338273433722142" }, "name": "Public DNS Zone SRV record", "description": "This module deploys a Public DNS Zone SRV record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "SRV": { "type": "Microsoft.Network/dnsZones/SRV", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "SRVRecords": "[parameters('srvRecords')]", "TTL": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "SRV_roleAssignments": { "copy": { "name": "SRV_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSSRV-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1743157605226588693" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/SRV/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/SRV', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/SRV', parameters('dnsZoneName'), parameters('name'))]" + "SRV" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/dns-zone/txt/.bicep/nested_roleAssignments.bicep b/modules/network/dns-zone/txt/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2eded50f7a..0000000000 --- a/modules/network/dns-zone/txt/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource TXT 'Microsoft.Network/dnsZones/TXT@2018-05-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(TXT.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: TXT -}] diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md index 54111ce95e..bfc46bccd2 100644 --- a/modules/network/dns-zone/txt/README.md +++ b/modules/network/dns-zone/txt/README.md 
@@ -71,7 +71,68 @@ The name of the TXT record. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/dns-zone/txt/main.bicep b/modules/network/dns-zone/txt/main.bicep index 9b378efae4..0a3b81aabb 100644 --- a/modules/network/dns-zone/txt/main.bicep +++ b/modules/network/dns-zone/txt/main.bicep 
@@ -18,11 +18,25 @@ param ttl int = 3600
 param txtRecords array = []
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
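Review bot: The new `builtInRoleNames` map resolves only eleven display names, while the nested template this commit deletes (`.bicep/nested_roleAssignments.bicep`, removed above) resolved around forty, including entries such as 'Log Analytics Contributor', 'Monitoring Reader' and 'Virtual Machine Contributor'. A caller that still passes one of the dropped names gets it handed through unchanged as `roleDefinitionId` by the `contains(builtInRoleNames, …)` lookup in the next hunk, so the deployment fails at runtime instead of at validation. Either restore the dropped entries or document the restriction where callers see it, for instance by extending the `roleDefinitionIdOrName` description in the `roleAssignmentType` definition: `Display names resolve only for the roles listed in builtInRoleNames in this module; pass the full role definition ID for any other role.` A short comment that 'Owner', 'User Access Administrator' and 'Role Based Access Control Administrator (Preview)' remain resolvable here and allow the assignee to delegate further at this scope would also help reviewers of parameter files know which entries to scrutinise.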
@@ -49,17 +63,18 @@ resource TXT 'Microsoft.Network/dnsZones/TXT@2018-05-01' = {
 }
 }
 
-module TXT_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-DNSTXT-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: TXT.id
+resource TXT_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: TXT
 }]
 
 @description('The name of the deployed TXT record.')
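Review bot: The inline `TXT_roleAssignments` resource reads `roleAssignment.principalId`, whereas the removed module call read `roleAssignment.principalIds`, so every existing caller's parameter object silently stops matching the new type and fails at deployment; nothing in this hunk marks that as a breaking change, and it deserves a migration note in the README. The `guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` name keeps the old formula, which preserves existing assignment names, but two entries naming the same role once by display name and once by ID yield two different resource names for what Azure treats as one assignment, and the second is likely to be rejected as a duplicate — worth a comment on the `name:` line. The trailing comment also has a typo: `// Must only be set if condition is set`.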
@@ -70,3 +85,29 @@ output resourceId string = TXT.id
 
 @description('The resource group of the deployed TXT record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/dns-zone/txt/main.json b/modules/network/dns-zone/txt/main.json
index d6a56e6411..8a4fe8146f 100644
--- a/modules/network/dns-zone/txt/main.json
+++ b/modules/network/dns-zone/txt/main.json
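Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the trailing `?` already makes the property nullable, and the compiled `main.json` in the following hunk lists the five `allowedValues` with `"nullable": true` and no null entry, which suggests the `| null` member is redundant. For consistency with the other optional members (`description: string?`, `conditionVersion: '2.0'?`) I would write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The `conditionVersion` description should also say that the value is only applied when `condition` is set, since the resource hunk above discards it otherwise: `@description('Optional. Version of the condition. Only applied when a condition is set.')`.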
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13941492299186927650" + "templateHash": "8314659933691992641" }, "name": "Public DNS Zone TXT record", "description": "This module deploys a Public DNS Zone TXT record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "dnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "dnsZone": { + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[parameters('dnsZoneName')]" + }, + "TXT": { "type": "Microsoft.Network/dnsZones/TXT", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('dnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "TTL": "[parameters('ttl')]", "TXTRecords": "[parameters('txtRecords')]" - } + }, + "dependsOn": [ + "dnsZone" + ] }, - { + "TXT_roleAssignments": { "copy": { "name": "TXT_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DNSTXT-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', parameters('dnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7288997439030042721" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}/TXT/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/dnsZones/TXT', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/dnsZones/TXT', parameters('dnsZoneName'), parameters('name'))]" + "TXT" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/express-route-circuit/.bicep/nested_roleAssignments.bicep b/modules/network/express-route-circuit/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 17c48155cf..0000000000 --- a/modules/network/express-route-circuit/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource expressRouteCircuits 'Microsoft.Network/expressRouteCircuits@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(expressRouteCircuits.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: expressRouteCircuits -}] diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/.test/common/main.test.bicep index ab72f6d9c0..2bbdb986ad 100644 --- a/modules/network/express-route-circuit/.test/common/main.test.bicep +++ b/modules/network/express-route-circuit/.test/common/main.test.bicep @@ -80,9 +80,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 95c6548f62..05d0420d52 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md 
@@ -61,9 +61,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -132,9 +130,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -434,7 +430,68 @@ A /30 subnet used to configure IP addresses for interfaces on Link1. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `secondaryPeerAddressPrefix` diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep index b40145e29c..21aa72f2c0 100644 --- a/modules/network/express-route-circuit/main.bicep +++ b/modules/network/express-route-circuit/main.bicep 
@@ -85,7 +85,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -146,6 +146,15 @@ var peeringConfiguration = [ } ] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
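Review bot: The unchanged `@description` on `roleAssignments` still promises that "the display name of the role definition" resolves, but after this hunk the only lookup left is the six-entry `builtInRoleNames` map added in the next hunk; the nested module that previously resolved roughly forty display names is deleted in this same commit. A name not in the map (e.g. 'Monitoring Reader', which the old map had) is passed through verbatim as `roleDefinitionId` and will presumably only be rejected by ARM at deployment time, not by the Bicep compiler. Suggest tightening the description to `Optional. Array of role assignment objects ... In the roleDefinitionIdOrName attribute, provide either the display name of one of the built-in roles listed in this module's builtInRoleNames variable, or the fully qualified role definition ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/<guid>'.`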
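Review bot: `builtInRoleNames` resolves 'Owner', 'User Access Administrator' and 'Role Based Access Control Administrator (Preview)', each of which allows the assignee to create further role assignments at the circuit scope, yet the map carries no hint that these differ from 'Reader' or 'Network Contributor'. A one-line comment above the map would make that visible to anyone reviewing a consuming template: `// NOTE: Owner, User Access Administrator and Role Based Access Control Administrator let the principal delegate access on this resource; assign them deliberately.` The '(Preview)' suffix is also baked into the lookup key, so callers must spell it exactly; if the role's display name changes upstream this map is the only place that needs updating, which is worth a second comment line.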
@@ -205,17 +214,18 @@ resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticS scope: expressRouteCircuits } -module expressRouteCircuits_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-ExpRouteCircuits-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: expressRouteCircuits.id +resource expressRouteCircuits_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(expressRouteCircuits.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: expressRouteCircuits }] @description('The resource ID of express route curcuit.') 
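Review bot: The deterministic `name` of `expressRouteCircuits_roleAssignments` is built from the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same role supplied once as 'Reader' and once as its full definition ID produces two resources with different names but identical `properties`, which ARM will presumably reject as a duplicate assignment rather than deduplicate. Hashing the resolved ID keeps the name stable regardless of how the caller spelled the role: `name: guid(expressRouteCircuits.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The inline comment on `conditionVersion` also misspells 'condition' as 'condtion'.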
@@ -244,3 +254,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json index 024719dcd6..020ef12461 100644 --- a/modules/network/express-route-circuit/main.json +++ b/modules/network/express-route-circuit/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14824487476304731061" + "templateHash": "1604127789628579134" }, "name": "ExpressRoute Circuits", "description": "This module deploys an Express Route Circuit.", 
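Review bot: In `roleAssignmentType`, `principalType` is declared as a union that already includes `null` and is additionally marked optional with `?`, which is redundant; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract, and the compiled `main.json` later in this commit indeed lists only the five concrete values. The `roleDefinitionIdOrName` description should also say which names resolve, since the module-local map is now the only lookup: `@description('Required. The display name of a built-in role known to this module (see builtInRoleNames), or the fully qualified role definition ID if the name is not listed.')`. The `condition` description is the only one in the type without a trailing period, which the README generator reproduces verbatim.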
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -210,8 +276,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -297,7 +362,15 @@ "vlanId": "[parameters('vlanId')]" } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -373,175 +446,20 @@ "expressRouteCircuits_roleAssignments": { "copy": { "name": "expressRouteCircuits_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ExpRouteCircuits-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14124226202821764051" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/expressRouteCircuits', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "expressRouteCircuits" diff --git a/modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 4d458aa3c5..0000000000 --- a/modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01' existing = {
-  name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(expressRouteGateway.id, principalId, roleDefinitionIdOrName)
-  properties: {
-    description: description
-    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
-    principalId: principalId
-    principalType: !empty(principalType) ? any(principalType) : null
-    condition: !empty(condition) ? condition : null
-    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
-    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
-  }
-  scope: expressRouteGateway
-}]
diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/.test/common/main.test.bicep
index 72ddf4c851..cb8e6e36f5 100644
--- a/modules/network/express-route-gateway/.test/common/main.test.bicep
+++ b/modules/network/express-route-gateway/.test/common/main.test.bicep
@@ -67,9 +67,7 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md
index 9042aa9cd3..91a977399f 100644
--- a/modules/network/express-route-gateway/README.md
+++ b/modules/network/express-route-gateway/README.md
@@ -55,9 +55,7 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0
     }
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
@@ -108,9 +106,7 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0
     "roleAssignments": {
       "value": [
         {
-          "principalIds": [
-            ""
-          ],
+          "principalId": "",
           "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
@@ -285,7 +281,68 @@ Name of the Express Route Gateway. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep index 42f9de6e84..dbb6fef291 100644 --- a/modules/network/express-route-gateway/main.bicep +++ b/modules/network/express-route-gateway/main.bicep 
@@ -27,7 +27,7 @@ param expressRouteConnections array = []
 param virtualHubId string
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -35,6 +35,15 @@ param enableDefaultTelemetry bool = true
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
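Review bot: The new `var builtInRoleNames` resolves only six display names, whereas the deleted nested template in this same commit resolved a much longer list (for example 'Monitoring Contributor' or 'Log Analytics Reader'); a caller that still passes one of the dropped names will have the bare string forwarded as `roleDefinitionId` by the role-assignment resource in the next hunk and the deployment will be rejected, so this is a breaking change that neither the parameter description nor the README notes. Since the `@description` on `roleAssignments` still says "the display name of the role definition", it should be narrowed to the resolvable set, or a comment above the variable such as `// Only these display names are resolved; any other role must be passed as its full role definition resource ID` should state the limit. The express-route-circuit module's equivalent hunk is outside this view, but its compiled `main.json` in this commit shows the same six-entry map, so the note presumably applies there too.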
@@ -75,17 +84,18 @@ resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i
   scope: expressRouteGateway
 }
 
-module expressRouteGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-ExpressRouteGateway-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: expressRouteGateway.id
+resource expressRouteGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(expressRouteGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: expressRouteGateway
 }]
 
 @description('The resource ID of the ExpressRoute Gateway.')
@@ -111,3 +121,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json
index 1487410b23..17e2edaeb5 100644
--- a/modules/network/express-route-gateway/main.json
+++ b/modules/network/express-route-gateway/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "3687139000883539372"
+      "templateHash": "8352062821101863575"
     },
     "name": "Express Route Gateways",
     "description": "This module deploys an Express Route Gateway.",
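Review bot: The `conditionVersion` description does not say that the value is only applied when `condition` is set and is otherwise discarded, which is what the resource above does with `!empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null`; suggest `@description('Optional. Version of the condition. Only applied when a condition is set; defaults to 2.0.')`. The `principalType` union also includes `null` inside an already nullable `(...)?`, which is redundant — the compiled main.json keeps only `"nullable": true` with the five allowed values. The same two points apply to the `roleAssignmentType` added in the front-door-web-application-firewall-policy main.bicep hunk.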
@@ -37,6 +37,72 @@
         }
       },
       "nullable": true
+    },
+    "roleAssignmentType": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "roleDefinitionIdOrName": {
+            "type": "string",
+            "metadata": {
+              "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+            }
+          },
+          "principalId": {
+            "type": "string",
+            "metadata": {
+              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+            }
+          },
+          "principalType": {
+            "type": "string",
+            "allowedValues": [
+              "Device",
+              "ForeignGroup",
+              "Group",
+              "ServicePrincipal",
+              "User"
+            ],
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The principal type of the assigned principal ID."
+            }
+          },
+          "description": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The description of the role assignment."
+            }
+          },
+          "condition": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+            }
+          },
+          "conditionVersion": {
+            "type": "string",
+            "allowedValues": [
+              "2.0"
+            ],
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Version of the condition."
+            }
+          },
+          "delegatedManagedIdentityResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The Resource Id of the delegated managed identity resource."
+            }
+          }
+        }
+      },
+      "nullable": true
     }
   },
   "parameters": {
@@ -95,8 +161,7 @@
       }
     },
     "roleAssignments": {
-      "type": "array",
-      "defaultValue": [],
+      "$ref": "#/definitions/roleAssignmentType",
       "metadata": {
         "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
       }
@@ -115,6 +180,16 @@
       }
     }
   },
+  "variables": {
+    "builtInRoleNames": {
+      "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+      "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+      "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+      "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+      "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+      "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+    }
+  },
   "resources": {
     "defaultTelemetry": {
       "condition": "[parameters('enableDefaultTelemetry')]",
@@ -167,175 +242,20 @@
     "expressRouteGateway_roleAssignments": {
       "copy": {
         "name": "expressRouteGateway_roleAssignments",
-        "count": "[length(parameters('roleAssignments'))]"
+        "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]"
       },
-      "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2022-09-01",
-      "name": "[format('{0}-ExpressRouteGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
+      "type": "Microsoft.Authorization/roleAssignments",
+      "apiVersion": "2022-04-01",
+      "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]",
+      "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
       "properties": {
-        "expressionEvaluationOptions": {
-          "scope": "inner"
-        },
-        "mode": "Incremental",
-        "parameters": {
-          "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]",
-          "principalIds": {
-            "value": "[parameters('roleAssignments')[copyIndex()].principalIds]"
-          },
-          "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]",
-          "roleDefinitionIdOrName": {
-            "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]"
-          },
-          "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]",
-          "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]",
-          "resourceId": {
-            "value": "[resourceId('Microsoft.Network/expressRouteGateways', parameters('name'))]"
-          }
-        },
-        "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "1.0.0.0",
-          "metadata": {
-            "_generator": {
-              "name": "bicep",
-              "version": "0.22.6.54827",
-              "templateHash": "10999249246469924012"
-            }
-          },
-          "parameters": {
-            "principalIds": {
-              "type": "array",
-              "metadata": {
-                "description": "Required. The IDs of the principals to assign the role to."
-              }
-            },
-            "roleDefinitionIdOrName": {
-              "type": "string",
-              "metadata": {
-                "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
-              }
-            },
-            "resourceId": {
-              "type": "string",
-              "metadata": {
-                "description": "Required. The resource ID of the resource to apply the role assignment to."
-              }
-            },
-            "principalType": {
-              "type": "string",
-              "defaultValue": "",
-              "allowedValues": [
-                "ServicePrincipal",
-                "Group",
-                "User",
-                "ForeignGroup",
-                "Device",
-                ""
-              ],
-              "metadata": {
-                "description": "Optional. The principal type of the assigned principal ID."
-              }
-            },
-            "description": {
-              "type": "string",
-              "defaultValue": "",
-              "metadata": {
-                "description": "Optional. The description of the role assignment."
-              }
-            },
-            "condition": {
-              "type": "string",
-              "defaultValue": "",
-              "metadata": {
-                "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-              }
-            },
-            "conditionVersion": {
-              "type": "string",
-              "defaultValue": "2.0",
-              "allowedValues": [
-                "2.0"
-              ],
-              "metadata": {
-                "description": "Optional. Version of the condition." 
-              }
-            },
-            "delegatedManagedIdentityResourceId": {
-              "type": "string",
-              "defaultValue": "",
-              "metadata": {
-                "description": "Optional. Id of the delegated managed identity resource."
-              }
-            }
-          },
-          "variables": {
-            "builtInRoleNames": {
-              "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
-              "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
-              "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]",
-              "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]",
-              "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]",
-              "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]",
-              "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
-              "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]",
-              "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
-              "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
-              "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]",
-              "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
-              "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
-              "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
-              "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
-              "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
-              "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
-              "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]",
-              "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
-              "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]",
-              "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
-              "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
-              "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
-              "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
-              "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
-              "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
-              "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
-              "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
-              "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
-              "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
-              "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
-              "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
-              "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]",
-              "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
-              "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
-              "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
-              "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
-              "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
-              "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
-              "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
-              "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
-              "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]"
-            }
-          },
-          "resources": [
-            {
-              "copy": {
-                "name": "roleAssignment",
-                "count": "[length(parameters('principalIds'))]"
-              },
-              "type": "Microsoft.Authorization/roleAssignments",
-              "apiVersion": "2022-04-01",
-              "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', last(split(parameters('resourceId'), '/')))]",
-              "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]",
-              "properties": {
-                "description": "[parameters('description')]",
-                "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]",
-                "principalId": "[parameters('principalIds')[copyIndex()]]",
-                "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
-                "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
-                "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
-                "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
-              }
-            }
-          ]
-        }
+        "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+        "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+        "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+        "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+        "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+        "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+        "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
       },
       "dependsOn": [
         "expressRouteGateway"
diff --git a/modules/network/front-door-web-application-firewall-policy/.bicep/nested_roleAssignments.bicep b/modules/network/front-door-web-application-firewall-policy/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index 4fbea05ef9..0000000000
--- a/modules/network/front-door-web-application-firewall-policy/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,66 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
-  'ServicePrincipal'
-  'Group'
-  'User'
-  'ForeignGroup'
-  'Device'
-  ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
-  '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
-  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
-  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
-  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
-  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
-  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
-  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
-  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
-  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
-  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
-  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
-  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource frontDoorWAFPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' existing = {
-  name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(frontDoorWAFPolicy.id, principalId, roleDefinitionIdOrName)
-  properties: {
-    description: description
-    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
-    principalId: principalId
-    principalType: !empty(principalType) ? any(principalType) : null
-    condition: !empty(condition) ? condition : null
-    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
-    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
-  }
-  scope: frontDoorWAFPolicy
-}]
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
index 368546b37b..6cbf4d59eb 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
@@ -127,9 +127,7 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
     ]
diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md
index 1503783dc9..e92ec90d70 100644
--- a/modules/network/front-door-web-application-firewall-policy/README.md
+++ b/modules/network/front-door-web-application-firewall-policy/README.md
@@ -114,9 +114,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo
     }
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
@@ -228,9 +226,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo
     "roleAssignments": {
       "value": [
         {
-          "principalIds": [
-            ""
-          ],
+          "principalId": "",
           "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
@@ -397,7 +393,68 @@ The PolicySettings for policy.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `sku`
diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep
index 2cd8421795..fde3401f7c 100644
--- a/modules/network/front-door-web-application-firewall-policy/main.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/main.bicep
@@ -73,7 +73,15 @@ param policySettings object = {
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -110,17 +118,18 @@ resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if
   scope: frontDoorWAFPolicy
 }
 
-module frontDoorWAFPolicy_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-FDWAFP-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: frontDoorWAFPolicy.id
+resource frontDoorWAFPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(frontDoorWAFPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: frontDoorWAFPolicy
 }]
 
 @description('The name of the Front Door WAF policy.')
@@ -146,3 +155,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json
index a9208e608a..037bc87efb 100644
--- a/modules/network/front-door-web-application-firewall-policy/main.json
+++ b/modules/network/front-door-web-application-firewall-policy/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "11436451701483228580"
+      "templateHash": "16196358261363679288"
     },
     "name": "Front Door Web Application Firewall (WAF) Policies",
     "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -147,13 +213,21 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -201,144 +275,20 @@ "frontDoorWAFPolicy_roleAssignments": { "copy": { "name": "frontDoorWAFPolicy_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-FDWAFP-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), 
createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15230534892714027949" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - 
"apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "frontDoorWAFPolicy" diff --git a/modules/network/front-door/.bicep/nested_roleAssignments.bicep b/modules/network/front-door/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2090906dd6..0000000000 --- a/modules/network/front-door/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(frontDoor.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: frontDoor -}] diff --git a/modules/network/front-door/.test/common/main.test.bicep b/modules/network/front-door/.test/common/main.test.bicep index c914c6eb8b..279bf41640 100644 --- a/modules/network/front-door/.test/common/main.test.bicep +++ b/modules/network/front-door/.test/common/main.test.bicep @@ -148,9 +148,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index e0106bd90b..e17db844f4 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -141,9 +141,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -287,9 +285,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -703,7 +699,68 @@ The name of the frontDoor. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `routingRules` diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep index a8ca37dab7..a24fc1e5dd 100644 --- a/modules/network/front-door/main.bicep +++ b/modules/network/front-door/main.bicep 
@@ -14,7 +14,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Resource tags.') param tags object = {} @@ -99,6 +99,15 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -152,17 +161,18 @@ resource frontDoor_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@ scope: frontDoor } -module frontDoor_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: frontDoor.id +resource frontDoor_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(frontDoor.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: frontDoor }] @description('The name of the front door.') 
@@ -185,3 +195,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json index bb1efe12fc..1d49b36495 100644 --- a/modules/network/front-door/main.json +++ b/modules/network/front-door/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4137545584331429686" + "templateHash": "17030611333529770965" }, "name": "Azure Front Doors", "description": "This module deploys an Azure Front Door.", 
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -62,8 +128,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -217,7 +282,15 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -289,175 +362,20 @@ "frontDoor_roleAssignments": { "copy": { "name": "frontDoor_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/frontDoors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9337028153232884606" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/frontDoors/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/frontDoors', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "frontDoor" diff --git a/modules/network/ip-group/.bicep/nested_roleAssignments.bicep b/modules/network/ip-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index cf16819442..0000000000 --- a/modules/network/ip-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource ipGroup 'Microsoft.Network/ipGroups@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(ipGroup.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: ipGroup -}] diff --git a/modules/network/ip-group/.test/common/main.test.bicep b/modules/network/ip-group/.test/common/main.test.bicep index 739303e9a1..90aee1fac5 100644 --- a/modules/network/ip-group/.test/common/main.test.bicep +++ b/modules/network/ip-group/.test/common/main.test.bicep @@ -63,9 +63,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index d4e54a7b7e..c81eb57f92 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -56,9 +56,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -107,9 +105,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -256,7 +252,68 @@ The name of the ipGroups. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep index 7e6c24fa4a..7443bef583 100644 --- a/modules/network/ip-group/main.bicep +++ b/modules/network/ip-group/main.bicep 
@@ -16,7 +16,7 @@ param ipAddresses array = []
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Resource tags.')
 param tags object = {}
@@ -24,6 +24,15 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
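Review bot: The new `builtInRoleNames` map in the second hunk resolves only six display names, whereas the nested module this commit deletes resolved roughly forty (for example 'Monitoring Reader' and 'Log Analytics Contributor'); any other display name now falls through the `contains(builtInRoleNames, …)` check unchanged and is sent to Azure as the `roleDefinitionId`, so the mistake surfaces only at deployment time as a resource-level error rather than at template validation. This is a behavioural narrowing for existing callers that the code does not document. A comment above the var would make the contract explicit, e.g. `// Only these display names are resolved; any other roleDefinitionIdOrName must be the fully qualified '/providers/Microsoft.Authorization/roleDefinitions/…' resource ID`, and the `roleAssignments` parameter description in the first hunk should say the same.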
@@ -54,17 +63,18 @@ resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 scope: ipGroup
 }
 
-module ipGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-IPGroup-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: ipGroup.id
+resource ipGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: ipGroup
 }]
 
 @description('The resource ID of the IP group.')
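Review bot: The trailing comment on the `conditionVersion` line misspells the word; it should read `// Must only be set if condition is set`. On the same resource, `name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's raw string, so two entries that grant the same role to the same principal — one by display name, one by fully qualified ID — yield two differently named resources that resolve to the same `roleDefinitionId` and, as far as I can tell, would be rejected as a duplicate assignment at the same scope; two literally identical entries would instead collide on the resource name. Both are inherited from the deleted nested module, but with the assignment now inline a short sentence in the `roleAssignments` parameter description asking callers to reference each role in one form only would prevent a confusing deployment-time failure. The `[for …]` loop is complete in the hunk; the `@description` output after `}]` continues outside it.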
@@ -90,3 +100,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json
index 5df42e25f4..347b80b7b6 100644
--- a/modules/network/ip-group/main.json
+++ b/modules/network/ip-group/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1770501120161769084"
+ "templateHash": "17427239082953045444"
 },
 "name": "IP Groups",
 "description": "This module deploys an IP Group.",
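Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries `null` inside the union and a trailing `?`; the `?` already makes the property nullable, so the extra union member is redundant and inconsistent with the sibling properties (`description: string?`, `conditionVersion: '2.0'?`), which rely on `?` alone. Suggest `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. Separately, the `condition` description is the only one in the type that ends without a period after the example (`"foo_storage_container"')`), and the README table in the earlier hunk reproduces that text verbatim; the deleted nested module's wording ended with `"foo_storage_container".'`.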
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -68,8 +134,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -89,6 +154,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -131,175 +206,20 @@ "ipGroup_roleAssignments": { "copy": { "name": "ipGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-IPGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/ipGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/ipGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11934973470926193389" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/ipGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/ipGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "ipGroup" diff --git a/modules/network/load-balancer/.bicep/nested_roleAssignments.bicep b/modules/network/load-balancer/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index f92b1683cf..0000000000 --- a/modules/network/load-balancer/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(loadBalancer.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: loadBalancer -}] diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/.test/common/main.test.bicep index e08dc8a218..bea8cb619b 100644 --- a/modules/network/load-balancer/.test/common/main.test.bicep +++ b/modules/network/load-balancer/.test/common/main.test.bicep @@ -158,9 +158,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/load-balancer/.test/internal/main.test.bicep b/modules/network/load-balancer/.test/internal/main.test.bicep index bf22fa5b0c..792b2c5377 100644 --- a/modules/network/load-balancer/.test/internal/main.test.bicep +++ b/modules/network/load-balancer/.test/internal/main.test.bicep 
@@ -126,9 +126,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 046fd30771..54a6511051 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -141,9 +141,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -290,9 +288,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -386,9 +382,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -502,9 +496,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -757,7 +749,68 @@ Array of objects containing all probes, these are references in the load balanci Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep index cf9a0670fe..6039269605 100644 --- a/modules/network/load-balancer/main.bicep +++ b/modules/network/load-balancer/main.bicep 
@@ -44,7 +44,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -154,6 +154,15 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -237,17 +246,18 @@ resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ scope: loadBalancer } -module loadBalancer_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-LoadBalancer-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: loadBalancer.id +resource loadBalancer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(loadBalancer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: loadBalancer }] @description('The name of the load balancer.') 
@@ -276,3 +286,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json index 3762e54063..28b6826820 100644 --- a/modules/network/load-balancer/main.json +++ b/modules/network/load-balancer/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10984234034894076123" + "templateHash": "6906928073962159514" }, "name": "Load Balancers", "description": "This module deploys a Load Balancer.", 
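Review bot: The `principalType` member of `roleAssignmentType` is documented only as 'The principal type of the assigned principal ID', which hides the reason a caller should set it: when the principal is a managed identity created in the same deployment, Azure's guidance is to pass `principalType: 'ServicePrincipal'` so the assignment does not fail on directory replication delay with a principal-not-found error — exactly the case the module's own test files exercise. I would extend the description to `@description('Optional. The principal type of the assigned principal ID. Set to \'ServicePrincipal\' for identities created in the same deployment to avoid replication-delay failures.')`. Since the Bicep type already marks the member nullable with `?`, the explicit `| null` in the union appears redundant, though that is a style point rather than a defect.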
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -127,8 +193,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -277,7 +342,15 @@ } } ], - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -342,6 +415,28 @@ "loadBalancer" ] }, + "loadBalancer_roleAssignments": { + "copy": { + "name": "loadBalancer_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/loadBalancers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "loadBalancer" + ] + }, "loadBalancer_backendAddressPools": { "copy": { "name": 
"loadBalancer_backendAddressPools", 
@@ -709,183 +804,6 @@ "loadBalancer", "loadBalancer_backendAddressPools" ] - }, - "loadBalancer_roleAssignments": { - "copy": { - "name": "loadBalancer_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LoadBalancer-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/loadBalancers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14340033754168371744" 
- } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/loadBalancers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/loadBalancers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "loadBalancer" - ] } }, "outputs": { diff --git a/modules/network/local-network-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/local-network-gateway/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 6cc482997e..0000000000 --- a/modules/network/local-network-gateway/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(localNetworkGateway.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: localNetworkGateway -}] diff --git a/modules/network/local-network-gateway/.test/common/main.test.bicep b/modules/network/local-network-gateway/.test/common/main.test.bicep index 877aee9a00..9b40213f0b 100644 --- a/modules/network/local-network-gateway/.test/common/main.test.bicep +++ b/modules/network/local-network-gateway/.test/common/main.test.bicep @@ -65,9 +65,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index 463aeea4d3..6c65ef5a66 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md 
@@ -58,9 +58,7 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -117,9 +115,7 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -316,7 +312,68 @@ Name of the Local Network Gateway. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep index f8d3ba46fa..d097fff9d7 100644 --- a/modules/network/local-network-gateway/main.bicep +++ b/modules/network/local-network-gateway/main.bicep 
@@ -28,7 +28,7 @@ param localPeerWeight string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -45,6 +45,15 @@ var bgpSettings = { peerWeight: !empty(localPeerWeight) ? localPeerWeight : '0' } +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
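Review bot: Three of the six entries in the new `builtInRoleNames` map — `Owner`, `User Access Administrator` and `Role Based Access Control Administrator (Preview)` — can themselves create role assignments, so granting them at the local network gateway scope lets the principal delegate further access on that resource, and the map gives no hint that these are privilege-granting rather than operational roles. Keeping them for parity with the deleted nested template is reasonable, but a one-line comment helps whoever reviews parameter files spot them: `// Owner, User Access Administrator and RBAC Administrator can create further assignments at this scope; prefer Reader or Network Contributor for workload identities.` The same caveat could be echoed in the `roleAssignments` parameter description, which currently only explains the ID-versus-name input form.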
@@ -80,17 +89,18 @@ resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i scope: localNetworkGateway } -module localNetworkGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-LocalNetworkGateway-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: localNetworkGateway.id +resource localNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(localNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: localNetworkGateway }] @description('The resource ID of the local network gateway.') 
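Review bot: The assignment name on the new `name:` line is seeded with the unresolved `roleAssignment.roleDefinitionIdOrName`, while `roleDefinitionId` a few lines below uses the resolved value, so the same (scope, principal, role) triple gets a different deterministic name depending on whether the caller wrote 'Reader' or the full definition ID; on a redeploy that switches forms this looks like a second assignment of an identical role, which Azure RBAC rejects as a conflict rather than treating as the same resource. Seeding with the resolved value keeps the name stable across both spellings: `name: guid(localNetworkGateway.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The trailing comment on the `conditionVersion` line also has a typo: `// Must only be set if condition is set`.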
@@ -116,3 +126,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index 3f59f99a0b..b3b121662c 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3611172321623700485" + "templateHash": "17118988135887784728" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", 
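Review bot: The descriptions in the new `roleAssignmentType` are the only documentation the README generator sees, and two of them undersell what the module actually checks. `roleDefinitionIdOrName` says "If it cannot be found you can specify the role definition ID instead", but nothing in this template can report "not found" — an unrecognised name is forwarded unchanged to the role assignment resource — so I would phrase it as `@description('Required. Either one of the built-in role display names this module resolves, or a full role definition resource ID. Unrecognised names are passed through verbatim and fail at deployment time.')`. For `principalType`, Azure's guidance (to be confirmed against current docs) is that the type should be set explicitly when the principal was created in the same deployment, because a lookup by ID alone can fail while the new object replicates; a sentence such as `Set explicitly (e.g. ServicePrincipal) for identities created in the same deployment.` would save callers a confusing PrincipalNotFound error. The `condition` example still references a storage-container attribute that cannot apply to a local network gateway scope; a generic example or a pointer to ABAC condition syntax would be less misleading here.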
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -94,8 +160,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -127,6 +192,14 @@ "asn": "[parameters('localAsn')]", "bgpPeeringAddress": "[parameters('localBgpPeeringAddress')]", "peerWeight": "[if(not(empty(parameters('localPeerWeight'))), parameters('localPeerWeight'), '0')]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -176,175 +249,20 @@ "localNetworkGateway_roleAssignments": { "copy": { "name": "localNetworkGateway_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LocalNetworkGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/localNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "181485081298307705" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/localNetworkGateways', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "localNetworkGateway" diff --git a/modules/network/nat-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/nat-gateway/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b351e7930d..0000000000 --- a/modules/network/nat-gateway/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource natGateway 'Microsoft.Network/natGateways@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(natGateway.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: natGateway -}] diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep index 2bbf68f7cd..c957795383 100644 --- a/modules/network/nat-gateway/.test/common/main.test.bicep +++ b/modules/network/nat-gateway/.test/common/main.test.bicep @@ -78,9 +78,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 2e759c3bfe..9f4217d79a 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -58,9 +58,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { natGatewayPublicIpAddress: true roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -118,9 +116,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -326,7 +322,68 @@ Resource ID of the Public IP Prefix object. This is only needed if you want your Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index 2f7bf732e6..c12615e8cb 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep 
@@ -48,7 +48,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags for the resource.') param tags object = {} @@ -89,6 +89,15 @@ var publicIPAddressResourceIds = [for publicIpAddress in publicIpAddresses: { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
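Review bot: `builtInRoleNames` in the second hunk resolves only six display names, and at the `roleAssignments` resource any other string is forwarded verbatim as `roleDefinitionId`, so a caller who relied on a display name the removed nested templates used to resolve (the public IP one further down still lists e.g. `Monitoring Reader`) now gets an opaque deploy-time error instead of a validation message. The `@description` on `param roleAssignments` in the first hunk still promises "either the display name of the role definition, or its fully qualified ID"; I would narrow it, e.g. `... you can provide the display name of one of the built-in roles resolved by this module (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator) or any role's fully qualified ID ...`. Three of the six (Owner, User Access Administrator and the RBAC Administrator role) include `Microsoft.Authorization/roleAssignments/write`, so an assignee can delegate further access at the NAT gateway scope; a word on that in the same description helps whoever reviews parameter files.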
@@ -157,17 +166,18 @@ resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty scope: natGateway } -module natGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-NatGateway-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: natGateway.id +resource natGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: natGateway }] @description('The name of the NAT Gateway.') 
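Review bot: The new `name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line seeds the assignment GUID with the role reference as the caller wrote it, not with the resolved `roleDefinitionId` computed two lines below, so the same principal, role and scope referenced once by display name and once by full definition ID produce two different names, and the second PUT is presumably rejected by RBAC as a duplicate assignment. The seed matches the one in the removed nested template, which keeps names stable for existing deployments, so rather than changing it I would document the constraint on the type's `roleDefinitionIdOrName` description: `Use the same spelling (name or ID) across deployments; the assignment name is derived from this value.` It is also worth stating, there or on `param roleAssignments`, that removing an entry from the array does not revoke the existing assignment under the default incremental deployment mode; revocation has to be explicit. The inline comment on the `conditionVersion` line misspells `condition` (`condtion`).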
@@ -193,3 +203,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index eaa850c981..f23a35e221 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17911120011754183628" + "templateHash": "6575907047681154194" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", 
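Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; the trailing `?` already makes the property optional, and the compiled `main.json` hunk below lists the five `allowedValues` with `"nullable": true` and no null member, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` should compile to the same schema. Since the resource now passes `roleAssignment.?principalType` straight through, the description could also carry the caveat practitioners most often hit, along the lines of `Set to ServicePrincipal when the principal was created in the same deployment, so the assignment does not fail on a principal that has not replicated yet.`; that reflects the published RBAC guidance as I recall it rather than anything the hunk itself shows, so confirm the wording against the docs. The `roleAssignmentType` definition is complete within this hunk.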
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -144,8 +210,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -217,7 +282,15 @@ } } ], - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -267,6 +340,28 @@ "natGateway" ] }, + "natGateway_roleAssignments": { + "copy": { + "name": "natGateway_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/natGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "natGateway" + ] + }, "publicIPAddress": { "condition": 
"[parameters('natGatewayPublicIpAddress')]", "type": "Microsoft.Resources/deployments", @@ -338,7 +433,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -369,6 +464,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -513,8 +674,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -589,7 +749,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -661,175 +830,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" 
@@ -875,183 +888,6 @@ } } } - }, - "natGateway_roleAssignments": { - "copy": { - "name": "natGateway_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NatGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/natGateways', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15036243165894053484" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/natGateways/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/natGateways', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "natGateway" - ] } }, "outputs": { diff --git a/modules/network/network-manager/.bicep/nested_roleAssignments.bicep b/modules/network/network-manager/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index adf291e784..0000000000 --- a/modules/network/network-manager/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource networkManager 'Microsoft.Network/networkManagers@2023-02-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(networkManager.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: networkManager -}] diff --git a/modules/network/network-manager/.test/common/main.test.bicep b/modules/network/network-manager/.test/common/main.test.bicep index d1d30c49f1..b1376229e6 100644 --- a/modules/network/network-manager/.test/common/main.test.bicep +++ b/modules/network/network-manager/.test/common/main.test.bicep @@ -66,9 +66,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 07fd87d1d6..138f67d217 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -122,9 +122,7 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -351,9 +349,7 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -606,7 +602,68 @@ Scope of Network Manager. Contains a list of management groups or a list of subs Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `scopeConnections` diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 60d9286d7b..45f5df3133 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep 
@@ -14,7 +14,7 @@ param location string = resourceGroup().location param lock lockType @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @sys.description('Optional. Tags of the resource.') param tags object = {} @@ -46,6 +46,15 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
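Review bot: The new `builtInRoleNames` map in the second hunk resolves only six display names (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the `nested_roleAssignments.bicep` deleted earlier in this patch resolved a much longer list (Avere Contributor through Windows Admin Center Administrator Login), so a caller that passed e.g. `'Monitoring Reader'` by name will now have that string forwarded verbatim as `roleDefinitionId` and presumably fail only at deployment time. The `roleAssignments` description in the first hunk still promises unconditionally that "the display name of the role definition" is accepted. I would narrow it to the supported set, e.g. `...you can provide either the display name of one of the built-in roles known to this module (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), or its fully qualified ID...`, and flag the reduced name set as a breaking change in the module's version notes.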
@@ -130,17 +139,18 @@ resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e scope: networkManager } -module networkManager_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-NetworkManager-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: networkManager.id +resource networkManager_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(networkManager.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: networkManager }] @sys.description('The resource group the network manager was deployed into.') 
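Review bot: The assignment `name` is hashed from the raw `roleAssignment.roleDefinitionIdOrName` while `properties.roleDefinitionId` uses the resolved value, so two entries granting the same principal the same role — one as `'Reader'`, one as its `/providers/Microsoft.Authorization/roleDefinitions/...` ID — yield two different GUIDs for one effective assignment, and the second will presumably be rejected by ARM as a duplicate at deploy time rather than being caught up front. Hashing the resolved ID, `name: guid(networkManager.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, makes the name canonical, but it would also rename assignments created by earlier module versions, so it belongs with a major-version bump. Separately, `principalType` is left null when omitted; Azure guidance (not visible here) recommends setting it explicitly for freshly created service principals to avoid replication-delay failures, which is worth a sentence in the parameter documentation. The trailing comment on the `conditionVersion` line also misspells `condtion`.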
@@ -166,3 +176,26 @@ type lockType = { @sys.description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @sys.description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @sys.description('Optional. The description of the role assignment.') + description: string? + + @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @sys.description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @sys.description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 8ad603bd07..1f38af5d1e 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10611241672258166058" + "templateHash": "13647410280137569380" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", 
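Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice — `null` inside the union and the trailing `?` — and the compiled definition in this patch carries only `"nullable": true` with five allowed values, so the `| null` member is redundant; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match the other optional members. The `roleDefinitionIdOrName` description ("If it cannot be found you can specify the role definition ID instead") reads as though any display name is looked up, whereas only the names in this module's `builtInRoleNames` map resolve and anything else is passed through unchanged as `roleDefinitionId`; I would say so explicitly, e.g. `Required. Either one of the built-in role display names known to this module, or a fully qualified role definition resource ID. Unknown names are forwarded unchanged and fail at deployment.` The `condition` description could likewise note that the ABAC expression is sent to ARM as-is and is not validated by this module.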
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -62,8 +128,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -132,7 +197,15 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -175,6 +248,28 @@ "networkManager" ] }, + "networkManager_roleAssignments": { + "copy": { + "name": "networkManager_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "networkManager" + ] + }, "networkManager_networkGroups": { "copy": { "name": 
"networkManager_networkGroups", 
@@ -1293,183 +1388,6 @@ "networkManager", "networkManager_networkGroups" ] - }, - "networkManager_roleAssignments": { - "copy": { - "name": "networkManager_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/networkManagers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"11211131176904314262" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkManagers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/networkManagers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "networkManager" - ] } }, "outputs": { diff --git a/modules/network/network-security-group/.bicep/nested_roleAssignments.bicep b/modules/network/network-security-group/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index c84dea0a9e..0000000000 --- a/modules/network/network-security-group/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
- 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
- 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
-}
-
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(networkSecurityGroup.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: networkSecurityGroup
-}]
diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/.test/common/main.test.bicep
index a82db647c3..58fc3f0b32 100644
--- a/modules/network/network-security-group/.test/common/main.test.bicep
+++ b/modules/network/network-security-group/.test/common/main.test.bicep
@@ -78,9 +78,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md
index 0428a3fe08..be4e1e6da2 100644
--- a/modules/network/network-security-group/README.md
+++ b/modules/network/network-security-group/README.md
@@ -58,9 +58,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -179,9 +177,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -444,7 +440,68 @@ Name of the Network Security Group. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securityRules` diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index 597a5fa6c6..2c2b1d558a 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep 
@@ -30,7 +30,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the NSG resource.') param tags object = {} @@ -66,6 +66,15 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ } ] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
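Review bot: The new `builtInRoleNames` map in the second hunk on this line resolves only six display names, while the `@description` of `roleAssignments` kept in the first hunk still promises that any role display name is accepted; the nested module this commit deletes resolved around forty, including names such as 'Monitoring Contributor'. Any name outside the six now fails the `contains(builtInRoleNames, …)` check and is passed verbatim as `roleDefinitionId`, which the resource provider will almost certainly reject at deployment time rather than at validation, so callers relying on the old names get a late, opaque failure. Whether the narrowing was intentional is not visible in this diff; either way the contract should be stated where it is enforced, e.g. `// Only these display names are resolved; any other role must be given as its full role definition resource ID`, and the parameter description adjusted to match.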
@@ -152,17 +161,18 @@ resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticS scope: networkSecurityGroup } -module networkSecurityGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-NSG-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: networkSecurityGroup.id +resource networkSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(networkSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: networkSecurityGroup }] @description('The resource group the network security group was deployed into.') 
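Review bot: The inline comment on the `conditionVersion` line misspells its subject; it should read `// Must only be set if condition is set`. Separately, a caller passing `condition: ''` now reaches the role assignment with an empty condition string, whereas the removed nested module normalised empty strings to null with `condition: !empty(condition) ? condition : null`; the `conditionVersion` expression does treat that case as "no condition", so the two properties can disagree. Whether the API accepts an empty `condition` is not visible here, so either restore the normalisation, `condition: !empty(roleAssignment.?condition) ? roleAssignment.condition : null`, or document that the property must be omitted rather than set to an empty string.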
@@ -188,3 +198,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json
index bf1db4aa59..9e78131db8 100644
--- a/modules/network/network-security-group/main.json
+++ b/modules/network/network-security-group/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10938606814486481441" + "templateHash": "3466176824922648413" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", 
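Review bot: `principalType` in `roleAssignmentType` lists `null` inside the union and also marks the property optional with `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` states the same contract without the redundant member and matches how the other optional members of the type are declared. The `condition` description is also the only one without a trailing full stop, and the generated README table on the earlier hunk reproduces that inconsistency verbatim. The generated main.json hunk that follows on this line only tracks the template hash and needs no review.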
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -102,8 +168,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -157,7 +222,15 @@ } ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -241,6 +314,28 @@ "networkSecurityGroup" ] }, + "networkSecurityGroup_roleAssignments": { + "copy": { + "name": "networkSecurityGroup_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "networkSecurityGroup" + ] + }, 
"networkSecurityGroup_securityRules": { "copy": { "name": "networkSecurityGroup_securityRules", 
@@ -507,183 +602,6 @@ "dependsOn": [ "networkSecurityGroup" ] - }, - "networkSecurityGroup_roleAssignments": { - "copy": { - "name": "networkSecurityGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NSG-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"12098965438500552299" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/networkSecurityGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "networkSecurityGroup" - ] } }, "outputs": { diff --git a/modules/network/network-watcher/.bicep/nested_roleAssignments.bicep b/modules/network/network-watcher/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b81fb2f9e5..0000000000 --- a/modules/network/network-watcher/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource networkWatcher 'Microsoft.Network/networkWatchers@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(networkWatcher.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: networkWatcher -}] diff --git a/modules/network/network-watcher/.test/common/main.test.bicep b/modules/network/network-watcher/.test/common/main.test.bicep index ddc0677786..9730732a54 100644 --- a/modules/network/network-watcher/.test/common/main.test.bicep +++ b/modules/network/network-watcher/.test/common/main.test.bicep @@ -145,9 +145,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index d5c48189bd..fdd4d5f38e 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -118,9 +118,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { name: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -231,9 +229,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -380,7 +376,68 @@ Name of the Network Watcher resource (hidden). Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep index 52735e831f..a20af3f5e0 100644 --- a/modules/network/network-watcher/main.bicep +++ b/modules/network/network-watcher/main.bicep 
@@ -19,7 +19,7 @@ param flowLogs array = [] param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -29,6 +29,15 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
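Review bot: The `builtInRoleNames` map added in the `@@ -29,6 +29,15 @@` hunk resolves only six display names, whereas the nested template this commit deletes (`.bicep/nested_roleAssignments.bicep`) resolved roughly forty, yet the `roleAssignments` description kept in the first hunk still tells callers they can provide any display name. A name outside the map is handed to `roleDefinitionId` verbatim by the role-assignment resource, so a caller who previously passed e.g. `'Monitoring Contributor'` by name is now likely to hit a deployment-time rejection instead of a resolved role, which is a silent breaking change for this module. If the reduced list is intentional, say so above the variable, e.g. `// Only these display names resolve; any other role must be passed as its full Microsoft.Authorization/roleDefinitions resource ID.`, and consider naming the supported set (or pointing at this variable) in the parameter description.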
@@ -57,17 +66,18 @@ resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e scope: networkWatcher } -module networkWatcher_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-NW-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: networkWatcher.id +resource networkWatcher_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(networkWatcher.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: networkWatcher }] module networkWatcher_connectionMonitors 'connection-monitor/main.bicep' = [for (connectionMonitor, index) in connectionMonitors: { 
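Review bot: `name: guid(networkWatcher.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` does not fold in `condition`, so two entries for the same principal and role that differ only in their condition collide on the resource name inside the copy loop, while the same role given once by display name and once by its definition ID yields two different names for what is presumably the same assignment from ARM's point of view. This carries over from the deleted nested template, but now that the loop lives in the module itself it is the place to decide whether the name should be derived from the resolved `roleDefinitionId` (and the condition), or to document that only one entry per principal/role is supported. The trailing comment on `conditionVersion` also has a typo; `// conditionVersion is only valid when a condition is set` reads cleanly. Separately, `principalType` stays null when omitted; Azure's guidance is to set it for newly created identities to avoid principal-lookup failures caused by replication lag, which the parameter description could mention.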
@@ -123,3 +133,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index 0997ef0280..6fb1e7c468 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11619532621785794685" + "templateHash": "13987242665374495916" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", 
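Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` states nullability twice, once inside the union and once via the trailing `?`; the compiled main.json in the next hunk lists only the five string values with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same type without the redundancy. The `condition` description is also the only one in the type that does not end with a period, and that inconsistency is carried verbatim into the generated README table later in this diff.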
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -76,8 +142,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -98,7 +163,15 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -140,175 +213,20 @@ "networkWatcher_roleAssignments": { "copy": { "name": "networkWatcher_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NW-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/networkWatchers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/networkWatchers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9894011822541177112" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkWatchers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/networkWatchers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "networkWatcher" diff --git a/modules/network/private-dns-zone/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 8c8f013896..0000000000 --- a/modules/network/private-dns-zone/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource privateDnsZone 'Microsoft.Network/privateDnsZones@2018-09-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(privateDnsZone.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: privateDnsZone -}] diff --git a/modules/network/private-dns-zone/.test/common/main.test.bicep b/modules/network/private-dns-zone/.test/common/main.test.bicep index 523554c445..96d913639a 100644 --- a/modules/network/private-dns-zone/.test/common/main.test.bicep +++ b/modules/network/private-dns-zone/.test/common/main.test.bicep @@ -64,9 +64,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -93,9 +91,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
@@ -118,9 +114,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -138,9 +132,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -150,9 +142,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -162,9 +152,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -186,9 +174,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -209,9 +195,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index e9f195e023..b48571f56a 100644 
--- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -64,9 +64,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: 'A_10.240.4.4' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -93,9 +91,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: 'CNAME_test' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -119,9 +115,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: 'MX_contoso' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -139,9 +133,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -151,9 +143,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -163,9 +153,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: '@' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -187,9 +175,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: 'SRV_contoso' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -215,9 +201,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { name: 'TXT_test' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -270,9 +254,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "A_10.240.4.4", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -303,9 +285,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "CNAME_test", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -335,9 +315,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "MX_contoso", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -357,9 +335,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { ], "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -371,9 +347,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -385,9 +359,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "@", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -411,9 +383,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "SRV_contoso", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -443,9 +413,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "name": "TXT_test", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -639,7 +607,68 @@ Array of PTR records. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `soa` diff --git a/modules/network/private-dns-zone/a/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/a/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 65ecd6c84f..0000000000 --- a/modules/network/private-dns-zone/a/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource A 'Microsoft.Network/privateDnsZones/A@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(A.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: A -}] diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md index c3368e5187..e7413b50ac 100644 --- a/modules/network/private-dns-zone/a/README.md +++ b/modules/network/private-dns-zone/a/README.md 
@@ -78,7 +78,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/a/main.bicep b/modules/network/private-dns-zone/a/main.bicep index ea46e9eeab..103ed79f76 100644 --- a/modules/network/private-dns-zone/a/main.bicep +++ b/modules/network/private-dns-zone/a/main.bicep 
@@ -21,7 +21,21 @@ param ttl int = 3600
 param enableDefaultTelemetry bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
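Review bot: The `builtInRoleNames` map added here mixes read/data-plane roles with roles that can themselves grant access (`Owner`, `User Access Administrator`, `Role Based Access Control Administrator (Preview)`), and nothing in the file marks that distinction for people reviewing consuming templates. A one-line comment above the map would carry it: `// Contains roles that can grant further role assignments (Owner, User Access Administrator, RBAC Administrator); treat assignments of these as privileged`. The map is also keyed by exact display name, so a misspelled name is not caught here but falls through to being used verbatim as a role definition ID by the resource declared later in the file (outside this hunk) and only fails at deployment time; the `roleAssignments` description could state that lookup is exact-match.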
@@ -49,17 +63,18 @@ resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
 }
 }
 
-module A_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-PDNSA-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: A.id
+resource A_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: A
 }]
 
 @description('The name of the deployed A record.')
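Review bot: The trailing comment on the `conditionVersion` line misspells "condition" (`// Must only be set if condtion is set`); suggest `// Must only be set if condition is set`. The assignment name is `guid(A.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so the same principal and role given once by display name (`Reader`) and once by full role definition ID yields two different names for one logical assignment, which Azure rejects as a duplicate at deployment time; documenting that callers should use one form consistently would avoid that surprise. `principalType` is passed through as-is and may be null; for a principal created in the same deployment, role assignment can fail with a principal-not-found error during directory replication unless the type is supplied, so the type's description (defined outside this hunk) could add `Recommended when the principal was created in the same deployment.`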
@@ -70,3 +85,29 @@ output resourceId string = A.id
 @description('The resource group of the deployed A record.')
 output resourceGroupName string = resourceGroup().name
 
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/a/main.json b/modules/network/private-dns-zone/a/main.json
index a6c913362e..93e1b28b45 100644
--- a/modules/network/private-dns-zone/a/main.json
+++ b/modules/network/private-dns-zone/a/main.json
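Review bot: In the `principalType` union, `| null` is redundant with the trailing `?`, which already makes the property nullable; the compiled template later in this diff shows `allowedValues` without null plus `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract more plainly. The `principalId` description could say that this is the principal's object ID (a GUID), not a sign-in or display name, since a wrong identifier kind is only rejected at deployment. The `condition` description also drops the trailing period the other descriptions carry (the deleted nested module ended it with `"foo_storage_container".`).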
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3286674755199812485" + "templateHash": "12900025093691887371" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", 
@@ -53,15 +122,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "A": { "type": "Microsoft.Network/privateDnsZones/A", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "aRecords": "[parameters('aRecords')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "A_roleAssignments": { "copy": { "name": "A_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13885309482367640092" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" + "A" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-dns-zone/aaaa/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/aaaa/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index d36e17cd5a..0000000000 --- a/modules/network/private-dns-zone/aaaa/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(AAAA.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: AAAA -}] diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md index 8519032b83..fecf313e79 100644 --- a/modules/network/private-dns-zone/aaaa/README.md +++ b/modules/network/private-dns-zone/aaaa/README.md 
@@ -78,7 +78,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/aaaa/main.bicep b/modules/network/private-dns-zone/aaaa/main.bicep index 67f057f783..6e1c76213b 100644 --- a/modules/network/private-dns-zone/aaaa/main.bicep +++ b/modules/network/private-dns-zone/aaaa/main.bicep 
@@ -21,7 +21,21 @@ param ttl int = 3600 param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' 
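Review bot: The new `builtInRoleNames` map resolves eleven display names where the deleted nested module resolved around forty, and nothing at the declaration says the list is intentionally narrowed. Because a `roleDefinitionIdOrName` that is not a key is passed through unchanged as `roleDefinitionId` in the next hunk, a display name that resolved before (`'Log Analytics Contributor'`, for example) would now reach the API as a bare string rather than a role definition resource ID, which I would expect to fail at deployment time. A comment above the var would make the contract explicit: `// Display names resolvable for this record type; any other value must be a fully qualified role definition resource ID.`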
@@ -49,17 +63,18 @@ resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2020-06-01' = { } } -module AAAA_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-PDNSAAAA-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: AAAA.id +resource AAAA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(AAAA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: AAAA }] @description('The name of the deployed AAAA record.') 
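Review bot: The role assignment name seed changes from the record's name to its resource ID (`guid(AAAA.id, …)` here versus `guid(AAAA.name, …)` on the `existing` resource in the deleted nested module), so a redeploy over an earlier version computes different assignment names while scope, role and principal stay the same. If I remember the RBAC uniqueness rule correctly, that surfaces as a conflict with the existing assignment rather than an in-place update, so the `name:` line deserves a comment such as `// Seed changed from record name to resource ID; assignments created by earlier versions must be removed before redeploying` and the README should say the same. Separately, the trailing comment on the `conditionVersion` line misspells the property; it should read `// Must only be set if condition is set`.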
@@ -70,3 +85,29 @@ output resourceId string = AAAA.id @description('The resource group of the deployed AAAA record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/private-dns-zone/aaaa/main.json b/modules/network/private-dns-zone/aaaa/main.json index 5d0169ad3e..8f1297ff92 100644 --- a/modules/network/private-dns-zone/aaaa/main.json +++ b/modules/network/private-dns-zone/aaaa/main.json 
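Review bot: `principalType` spells nullability twice, once as the `| null` member of the union and again with the trailing `?`; the compiled main.json in this commit shows only `"nullable": true` with five `allowedValues`, so the explicit `null` member adds nothing and `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches the form the sibling properties use. The `condition` description is also the only one in the type without a terminating period, and the generated README table in this commit carries that over verbatim.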
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17200265918515224034" + "templateHash": "4724178141308652025" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", 
@@ -53,15 +122,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "AAAA": { "type": "Microsoft.Network/privateDnsZones/AAAA", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "aaaaRecords": "[parameters('aaaaRecords')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "AAAA_roleAssignments": { "copy": { "name": "AAAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSAAAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', 
''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "370590810970469037" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" + "AAAA" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-dns-zone/cname/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/cname/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ee869eadd3..0000000000 --- a/modules/network/private-dns-zone/cname/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,99 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(CNAME.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: CNAME -}] - -output id string = roleAssignment[0].name diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md index 258427ccc4..a22ac7e936 100644 --- a/modules/network/private-dns-zone/cname/README.md +++ b/modules/network/private-dns-zone/cname/README.md 
@@ -78,7 +78,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/cname/main.bicep b/modules/network/private-dns-zone/cname/main.bicep index 626f6890b9..cd53e7ee37 100644 --- a/modules/network/private-dns-zone/cname/main.bicep +++ b/modules/network/private-dns-zone/cname/main.bicep 
@@ -18,11 +18,25 @@ param metadata object = {}
 param ttl int = 3600
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -49,17 +63,18 @@ resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = {
 }
 }
 
-module CNAME_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-PDNSCNAME-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: CNAME.id
+resource CNAME_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: CNAME
 }]
 
 @description('The name of the deployed CNAME record.')
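Review bot: The assignment name on the `name: guid(CNAME.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line is seeded with the caller's raw `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same (scope, principal, role) tuple gets a different name depending on whether the role was given as a display name or as a full definition ID, and Azure rejects a second assignment for an already-covered tuple instead of treating the redeploy as a no-op. The seed has also changed from the removed nested template's `format('{0}/{1}', zoneName, recordName)` to `CNAME.id`, so assignments created by the previous module version will most likely receive a new name on upgrade and collide with the existing one; that migration step deserves a line in the README/changelog. If a rename is being accepted anyway, seeding with the resolved ID — `name: guid(CNAME.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)` — makes the name independent of how the role was spelled. The `privateDnsZone_roleAssignments` hunk in modules/network/private-dns-zone/main.bicep has the same shape and the same two issues. Minor: the trailing comment should read `// Must only be set if condition is set`.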
@@ -70,3 +85,29 @@ output resourceId string = CNAME.id
 @description('The resource group of the deployed CNAME record.')
 output resourceGroupName string = resourceGroup().name
 
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/cname/main.json b/modules/network/private-dns-zone/cname/main.json
index a5b1b40592..d1dbff765d 100644
--- a/modules/network/private-dns-zone/cname/main.json
+++ b/modules/network/private-dns-zone/cname/main.json
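Review bot: The description on `roleDefinitionIdOrName` still promises that a role name is looked up and an ID is only needed "if it cannot be found", but the module now resolves only the eleven entries in its local `builtInRoleNames` map, whereas the removed nested template accepted a much longer list (e.g. 'Backup Contributor', 'Monitoring Reader'); a caller still using one of the dropped names would presumably have the display name passed verbatim as `roleDefinitionId` and fail at deployment time rather than at validation. Suggest the description state that only the names in the module's `builtInRoleNames` map are resolved and that anything else must be a full role definition resource ID, and that the README list the dropped names as a breaking change next to the `principalIds` → `principalId` rename. The `principalType` description could also mention that supplying it (notably `ServicePrincipal` for freshly created identities) is Azure's recommended way to avoid principal-lookup failures from directory replication delay — worth confirming against current Azure guidance before adding. Style: `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is sufficient. The identical type added in modules/network/private-dns-zone/main.bicep needs the same wording.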
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1218346372201244802" + "templateHash": "14332603634620066077" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "CNAME": { "type": "Microsoft.Network/privateDnsZones/CNAME", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,192 +172,34 @@ "cnameRecord": "[parameters('cnameRecord')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "CNAME_roleAssignments": { "copy": { "name": "CNAME_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSCNAME-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), 
createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3701509590842402185" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[0], parameters('roleDefinitionIdOrName'))]" - } - } - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" + "CNAME" ] } - ], + }, "outputs": { "name": { "type": "string", 
diff --git a/modules/network/private-dns-zone/main.bicep b/modules/network/private-dns-zone/main.bicep
index c504da6975..4054c86be0 100644
--- a/modules/network/private-dns-zone/main.bicep
+++ b/modules/network/private-dns-zone/main.bicep
@@ -36,7 +36,7 @@ param virtualNetworkLinks array = []
 param location string = 'global'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -49,6 +49,20 @@ param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -193,17 +207,18 @@ resource privateDnsZone_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: privateDnsZone
 }
 
-module privateDnsZone_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: privateDnsZone.id
+resource privateDnsZone_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(privateDnsZone.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: privateDnsZone
 }]
 
 @description('The resource group the private DNS zone was deployed into.')
@@ -229,3 +244,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json
index aebba29c1e..0dbb326495 100644
--- a/modules/network/private-dns-zone/main.json
+++ b/modules/network/private-dns-zone/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13138896803212134974"
+ "templateHash": "18339813658426001901"
 },
 "name": "Private DNS Zones",
 "description": "This module deploys a Private DNS zone.",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -117,8 +183,7 @@
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
@@ -145,7 +210,20 @@
 }
 },
 "variables": {
- "enableReferencedModulesTelemetry": false
+ "enableReferencedModulesTelemetry": false,
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
+ "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+ }
 },
 "resources": {
 "defaultTelemetry": {
@@ -183,6 +261,28 @@ "privateDnsZone" ] }, + "privateDnsZone_roleAssignments": { + "copy": { + "name": "privateDnsZone_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "privateDnsZone" + ] + }, "privateDnsZone_A": { "copy": { "name": 
"privateDnsZone_A", 
@@ -213,17 +313,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3286674755199812485" + "templateHash": "12900025093691887371" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", 
@@ -266,15 +435,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -288,7 +471,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "A": { "type": "Microsoft.Network/privateDnsZones/A", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -296,186 +485,34 @@ "aRecords": "[parameters('aRecords')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "A_roleAssignments": { "copy": { "name": "A_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13885309482367640092" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" + "A" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -535,17 +572,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17200265918515224034" + "templateHash": "4724178141308652025" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", 
@@ -588,15 +694,29 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -610,7 +730,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "AAAA": { "type": "Microsoft.Network/privateDnsZones/AAAA", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -618,186 +744,34 @@ "aaaaRecords": "[parameters('aaaaRecords')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "AAAA_roleAssignments": { "copy": { "name": "AAAA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSAAAA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', 
''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "370590810970469037" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" + "AAAA" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -857,17 +831,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1218346372201244802" + "templateHash": "14332603634620066077" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -903,8 +946,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -917,8 +959,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -932,7 +989,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "CNAME": { "type": "Microsoft.Network/privateDnsZones/CNAME", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -940,192 +1003,34 @@ "cnameRecord": "[parameters('cnameRecord')]", "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "CNAME_roleAssignments": { "copy": { "name": "CNAME_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSCNAME-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), 
createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3701509590842402185" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - 
"Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ], - "outputs": { - "id": { - "type": "string", - "value": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[0], parameters('roleDefinitionIdOrName'))]" - } - } - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" + "CNAME" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1185,29 +1090,98 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "498719698216860438" + "templateHash": "13915386259037819236" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", "owner": "Azure/module-maintainers" }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." - } + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "privateDnsZoneName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the MX record." + } }, "metadata": { "type": "object", @@ -1231,8 +1205,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1245,8 +1218,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1260,7 +1248,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "MX": { "type": "Microsoft.Network/privateDnsZones/MX", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -1268,186 +1262,34 @@ "metadata": "[parameters('metadata')]", "mxRecords": "[parameters('mxRecords')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "MX_roleAssignments": { "copy": { "name": "MX_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSMX-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3875667684091614842" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" + "MX" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1507,17 +1349,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15278019758073479253" + "templateHash": "8103973730749015801" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -1553,8 +1464,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1567,8 +1477,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1582,7 +1507,35 @@ } } }, - { + "PTR_roleAssignments": { + "copy": { + "name": "PTR_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "PTR" + ] + }, + 
"privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "PTR": { "type": "Microsoft.Network/privateDnsZones/PTR", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -1590,186 +1543,12 @@ "metadata": "[parameters('metadata')]", "ptrRecords": "[parameters('ptrRecords')]", "ttl": "[parameters('ttl')]" - } - }, - { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSPTR-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "1115653551360161833" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" + "privateDnsZone" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1829,17 +1608,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2312801328936888366" + "templateHash": "11066047807464279527" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -1875,8 +1723,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1889,8 +1736,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1904,7 +1766,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "SOA": { "type": "Microsoft.Network/privateDnsZones/SOA", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -1912,186 +1780,34 @@ "metadata": "[parameters('metadata')]", "soaRecord": "[parameters('soaRecord')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "SOA_roleAssignments": { "copy": { "name": "SOA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSSOA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", 
- "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7407904296801266090" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" + "SOA" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2151,17 +1867,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5952665052269893806" + "templateHash": "6734977459689095702" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -2197,8 +1982,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2211,8 +1995,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2226,7 +2025,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "SRV": { "type": "Microsoft.Network/privateDnsZones/SRV", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -2234,186 +2039,34 @@ "metadata": "[parameters('metadata')]", "srvRecords": "[parameters('srvRecords')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "SRV_roleAssignments": { "copy": { "name": "SRV_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSSRV-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', 
''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7603100820795358011" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" + "SRV" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2473,17 +2126,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1124215030878784014" + "templateHash": "15093956155477786576" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -2519,8 +2241,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2533,8 +2254,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2548,7 +2284,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "TXT": { "type": "Microsoft.Network/privateDnsZones/TXT", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -2556,186 +2298,34 @@ "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]", "txtRecords": "[parameters('txtRecords')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "TXT_roleAssignments": { "copy": { "name": "TXT_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSTXT-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', 
''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16791864516622438253" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" + "TXT" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2919,183 +2509,6 @@ "dependsOn": [ "privateDnsZone" ] - }, - "privateDnsZone_roleAssignments": { - "copy": { - "name": "privateDnsZone_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2044377995221762227" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateDnsZones', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "privateDnsZone" - ] } }, "outputs": { diff --git a/modules/network/private-dns-zone/mx/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/mx/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 809a04c7ba..0000000000 --- a/modules/network/private-dns-zone/mx/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource MX 'Microsoft.Network/privateDnsZones/MX@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(MX.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: MX -}] diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md index 66a893a225..86277ddc26 100644 --- a/modules/network/private-dns-zone/mx/README.md +++ b/modules/network/private-dns-zone/mx/README.md 
@@ -78,7 +78,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/mx/main.bicep b/modules/network/private-dns-zone/mx/main.bicep index b499fdc5ef..b98ddcd479 100644 --- a/modules/network/private-dns-zone/mx/main.bicep +++ b/modules/network/private-dns-zone/mx/main.bicep 
@@ -18,11 +18,25 @@ param mxRecords array = []
 param ttl int = 3600
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
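Review bot: `var builtInRoleNames` carries no comment saying that it is the complete set of role display names this module resolves, and it is far shorter than the map in the nested template this commit deletes, so a caller who previously passed a name such as `'Backup Contributor'` now has that string used verbatim as `roleDefinitionId` by the `MX_roleAssignments` resource in the next hunk and only learns of it when the deployment fails. A header comment would make the contract explicit, e.g. `// Display names accepted in roleDefinitionIdOrName; any other value is passed through unchanged as a role definition resource ID`. Narrowing the map to DNS-relevant roles is a sensible least-privilege default; it just needs to be stated where the lookup lives.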
@@ -49,17 +63,18 @@ resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' = {
 }
 }
-module MX_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-PDNSMX-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: MX.id
+resource MX_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(MX.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: MX
 }]
 @description('The name of the deployed MX record.')
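Review bot: The trailing comment on the `conditionVersion:` line misspells the word it refers to; `// Must only be set if condition is set`. Separately, `name: guid(MX.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the unresolved input, so the same role supplied once as a display name and once as its full definition ID for one principal yields two differently named assignments of one role at one scope, and ARM will, as far as I can tell, reject the second as a duplicate rather than merge it. Hashing the resolved `roleDefinitionId` value instead would make the name independent of how the role was spelled; if the current form is deliberate, a short comment next to `name:` saying which form the hash depends on would save the next reader the question.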
@@ -70,3 +85,29 @@ output resourceId string = MX.id
 @description('The resource group of the deployed MX record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/mx/main.json b/modules/network/private-dns-zone/mx/main.json
index 1e0f858136..903f0c7413 100644
--- a/modules/network/private-dns-zone/mx/main.json
+++ b/modules/network/private-dns-zone/mx/main.json
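Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice, with `null` in the union and the `?` suffix, while every sibling optional field uses only `?`; the compiled definition in the `main.json` hunk below shows the same five `allowedValues` with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is equivalent and consistent with the rest of the type. The description of `conditionVersion` could also state that the value is only applied when `condition` is set, which is what the resource in the previous hunk enforces, e.g. `@description('Optional. Version of the condition. Only applied when a condition is set.')`.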
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "498719698216860438" + "templateHash": "13915386259037819236" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "MX": { "type": "Microsoft.Network/privateDnsZones/MX", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "mxRecords": "[parameters('mxRecords')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "MX_roleAssignments": { "copy": { "name": "MX_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSMX-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3875667684091614842" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" + "MX" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-dns-zone/ptr/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/ptr/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 792d01b6c6..0000000000 --- a/modules/network/private-dns-zone/ptr/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource PTR 'Microsoft.Network/privateDnsZones/PTR@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(PTR.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: PTR -}] diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md index f680fea464..0aac5aedb4 100644 --- a/modules/network/private-dns-zone/ptr/README.md +++ b/modules/network/private-dns-zone/ptr/README.md 
@@ -78,7 +78,68 @@ The list of PTR records in the record set. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/ptr/main.bicep b/modules/network/private-dns-zone/ptr/main.bicep index dd75483aa0..60c40c86c6 100644 --- a/modules/network/private-dns-zone/ptr/main.bicep +++ b/modules/network/private-dns-zone/ptr/main.bicep 
@@ -18,11 +18,25 @@ param ptrRecords array = [] param ttl int = 3600 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
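Review bot: The new `builtInRoleNames` map carries no comment saying it is a lookup table for display names only, so a reader may assume any built-in role name is accepted; the role-assignment resource in the next hunk passes an unmatched value through verbatim as `roleDefinitionId`. A one-line comment above the map would make that contract explicit: `// Display names this module resolves; any other roleDefinitionIdOrName value is passed through unchanged as the roleDefinitionId.` The map also lists Owner, User Access Administrator and Role Based Access Control Administrator (Preview) next to the DNS roles; these allow further delegation of access at the record scope, so it may be worth noting in the same comment that they are offered for completeness rather than as the recommended roles for record management.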
@@ -35,17 +49,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -module PTR_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-PDNSPTR-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: PTR.id +resource PTR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: PTR }] resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { 
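Review bot: The resource name on the `name: guid(PTR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line hashes the caller-supplied string before it is resolved, so the same role given as a display name in one deployment and as its full definition ID in a later one yields a different name for the same (scope, principal, role) tuple, which ARM treats as a conflicting existing role assignment. Hashing the resolved ID avoids that: `name: guid(PTR.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Relatedly, the deleted nested template named assignments from `PTR.name` rather than `PTR.id`, so redeploying this version over an environment provisioned by the previous one will presumably hit the same conflict for every existing assignment; that upgrade path should be called out. The comment on the `conditionVersion` line has a typo: `condtion` should read `condition`.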
@@ -70,3 +85,29 @@ output resourceId string = PTR.id @description('The resource group of the deployed PTR record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/private-dns-zone/ptr/main.json b/modules/network/private-dns-zone/ptr/main.json index fd96b1c0b3..297450c58f 100644 --- a/modules/network/private-dns-zone/ptr/main.json +++ b/modules/network/private-dns-zone/ptr/main.json 
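Review bot: The `conditionVersion` description does not say that the value is only emitted when `condition` is set and is otherwise ignored, which is what the role-assignment resource in the previous hunk does; suggest `@description('Optional. Version of the condition. Only applied when a condition is set; defaults to \'2.0\'.')`. On the `principalType` line, `null` inside the union is redundant with the trailing `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner and matches the generated `allowedValues` plus `nullable` in main.json. The `condition` description is also the only one in the type without a terminating period.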
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15278019758073479253" + "templateHash": "8103973730749015801" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,35 @@ } } }, - { + "PTR_roleAssignments": { + "copy": { + "name": "PTR_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "PTR" + ] + }, + 
"privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "PTR": { "type": "Microsoft.Network/privateDnsZones/PTR", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +194,12 @@ "metadata": "[parameters('metadata')]", "ptrRecords": "[parameters('ptrRecords')]", "ttl": "[parameters('ttl')]" - } - }, - { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSPTR-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - 
"templateHash": "1115653551360161833" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" + "privateDnsZone" ] } - ], + }, "outputs": { "name": { "type": "string", 
diff --git a/modules/network/private-dns-zone/soa/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/soa/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index d24a71ffcf..0000000000 --- a/modules/network/private-dns-zone/soa/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource SOA 'Microsoft.Network/privateDnsZones/SOA@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(SOA.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: SOA -}] diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md index 67fd6e00e6..253483e9db 100644 --- a/modules/network/private-dns-zone/soa/README.md +++ b/modules/network/private-dns-zone/soa/README.md 
@@ -71,7 +71,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `soaRecord` diff --git a/modules/network/private-dns-zone/soa/main.bicep b/modules/network/private-dns-zone/soa/main.bicep index cdfb88ebbd..74f46f53c7 100644 --- a/modules/network/private-dns-zone/soa/main.bicep +++ b/modules/network/private-dns-zone/soa/main.bicep 
@@ -18,11 +18,25 @@ param soaRecord object = {} param ttl int = 3600 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') + 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') + 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') + 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
@@ -49,17 +63,18 @@ resource SOA 'Microsoft.Network/privateDnsZones/SOA@2020-06-01' = { } } -module SOA_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-PDNSSOA-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: SOA.id +resource SOA_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(SOA.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: SOA }] @description('The name of the deployed SOA record.') 
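Review bot: The trailing comment on the new `conditionVersion` line misspells the property (`// Must only be set if condtion is set`); it should read `// Must only be set if condition is set`, and since the comment already implies the RP rejects a version without a condition, that is worth stating. The `roleDefinitionId` expression forwards an unrecognised `roleDefinitionIdOrName` verbatim, so a mistyped display name reaches the Authorization RP as a role definition ID and presumably fails the deployment rather than silently mapping to another role; a comment such as `// Display names not in builtInRoleNames are passed through as a role definition ID and fail the deployment if invalid` would make that fail-closed behaviour explicit to maintainers. Note also that `guid()` is seeded with the unresolved `roleDefinitionIdOrName`, so the same role given once by display name and once by full ID yields two differently named resources for one (scope, principal, role) triple, which Azure would presumably reject as a duplicate assignment. Seeding `guid()` with the resolved `roleDefinitionId` would make the name stable regardless of how the role was spelled, at the cost of renaming assignments created by earlier deployments, so it needs a deliberate decision rather than a drive-by change.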
@@ -70,3 +85,29 @@ output resourceId string = SOA.id @description('The resource group of the deployed SOA record.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/private-dns-zone/soa/main.json b/modules/network/private-dns-zone/soa/main.json index 0cb2fbaa4c..27b4d7d86f 100644 --- a/modules/network/private-dns-zone/soa/main.json +++ b/modules/network/private-dns-zone/soa/main.json 
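Review bot: The `principalType` description in the new `roleAssignmentType` does not say when callers should set it, and it is the one optional field whose omission causes an ordering failure: when the principal is created in the same deployment, the assignment can fail with a principal-not-found error before the new identity has replicated unless the type is given explicitly. Suggest `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. ServicePrincipal) when the principal was created in the same deployment, so the role assignment does not fail on a principal that has not replicated yet.')`. As a point of style, `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` carries both a `null` union member and the `?` nullability marker, so one of them is redundant; `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner and presumably compiles to the same nullable `allowedValues` list shown in the generated main.json.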
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2312801328936888366" + "templateHash": "11066047807464279527" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "SOA": { "type": "Microsoft.Network/privateDnsZones/SOA", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "soaRecord": "[parameters('soaRecord')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "SOA_roleAssignments": { "copy": { "name": "SOA_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSSOA-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7407904296801266090" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" + "SOA" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-dns-zone/srv/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/srv/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 8237ff3178..0000000000 --- a/modules/network/private-dns-zone/srv/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource SRV 'Microsoft.Network/privateDnsZones/SRV@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(SRV.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: SRV -}] diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md index 9fddfb9099..d216712172 100644 --- a/modules/network/private-dns-zone/srv/README.md +++ b/modules/network/private-dns-zone/srv/README.md 
@@ -71,7 +71,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `srvRecords` diff --git a/modules/network/private-dns-zone/srv/main.bicep b/modules/network/private-dns-zone/srv/main.bicep index dd6147d4f2..7857e20730 100644 --- a/modules/network/private-dns-zone/srv/main.bicep +++ b/modules/network/private-dns-zone/srv/main.bicep 
@@ -18,11 +18,25 @@ param srvRecords array = []
 param ttl int = 3600
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
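Review bot: The new `builtInRoleNames` map resolves only eleven display names, while the `roleAssignments` description in the same hunk still promises that any "display name of the role definition" is accepted; the deleted nested module resolved a much longer list (e.g. 'Storage Account Contributor', 'Monitoring Reader'), so callers relying on one of the dropped names now get the raw string passed straight into `roleDefinitionId` by the lookup in the next hunk (`@@ -49,17 +63,18 @@`) and fail at deployment time rather than at validation. Trimming the map to DNS-relevant roles is reasonable, but the contract should say so; I would add above the var `// Only these display names are resolved; any other value is passed through unchanged and must be a full role definition resource ID.` and tighten the parameter description to "the display name of one of the built-in roles listed in builtInRoleNames". The var is complete within the hunk.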
@@ -49,17 +63,18 @@ resource SRV 'Microsoft.Network/privateDnsZones/SRV@2020-06-01' = {
 }
 }
-module SRV_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-PDNSSRV-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: SRV.id
+resource SRV_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(SRV.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: SRV
 }]
 @description('The name of the deployed SRV record.')
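Review bot: The role assignment name is now seeded as `guid(SRV.id, principalId, roleDefinitionIdOrName)`, whereas the deleted nested module seeded it with `SRV.name` (visible in the removed `.bicep/nested_roleAssignments.bicep` hunk above), so every assignment created by the previous module version gets a different deterministic name on the first redeploy; if Azure rejects a second assignment with the same principal, role and scope under a new name, as I believe it does, consumers would hit a conflict rather than an idempotent update, which deserves a changelog entry or at least a comment such as `// name seed changed from SRV.name to SRV.id in this version; existing assignments are not migrated`. The seed also uses the caller-supplied `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so spelling the same role as a display name versus a full ID yields two names for one effective assignment. Minor: the inline comment on the `conditionVersion` line should read `// Must only be set if condition is set`. The `[for ...]` resource is complete within the hunk.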
@@ -70,3 +85,29 @@ output resourceId string = SRV.id
 @description('The resource group of the deployed SRV record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/srv/main.json b/modules/network/private-dns-zone/srv/main.json
index 0380f2b5a4..7a8c0468f4 100644
--- a/modules/network/private-dns-zone/srv/main.json
+++ b/modules/network/private-dns-zone/srv/main.json
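Review bot: In `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the `| null` member is redundant with the trailing `?`; the compiled `main.json` in the next file shows only `allowedValues` plus `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract consistently with the other optional members of the type. The `roleDefinitionIdOrName` description says "If it cannot be found you can specify the role definition ID instead", which reads as if the module will tell the caller when a name is unknown; from the lookup in this file an unknown name is passed through silently, so the wording should say which names are resolvable or point to the built-in role list. The type definition is complete within the hunk.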
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5952665052269893806" + "templateHash": "6734977459689095702" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "SRV": { "type": "Microsoft.Network/privateDnsZones/SRV", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "srvRecords": "[parameters('srvRecords')]", "ttl": "[parameters('ttl')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "SRV_roleAssignments": { "copy": { "name": "SRV_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSSRV-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", 
- "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7603100820795358011" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" + "SRV" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-dns-zone/txt/.bicep/nested_roleAssignments.bicep b/modules/network/private-dns-zone/txt/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 7408476589..0000000000 --- a/modules/network/private-dns-zone/txt/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource TXT 'Microsoft.Network/privateDnsZones/TXT@2018-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(TXT.name, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: TXT -}] diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 10472d8fbd..78aaaf1497 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md 
@@ -71,7 +71,68 @@ The name of the parent Private DNS zone. Required if the template is used in a s Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/txt/main.bicep b/modules/network/private-dns-zone/txt/main.bicep index b1328e4c07..cc07200f18 100644 --- a/modules/network/private-dns-zone/txt/main.bicep +++ b/modules/network/private-dns-zone/txt/main.bicep 
@@ -18,11 +18,25 @@ param ttl int = 3600
 param txtRecords array = []
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
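Review bot: The `builtInRoleNames` map added here resolves only eleven display names, while the `roleAssignments` parameter description kept as context above still says any display name of a role definition may be given; a name outside this map (for example 'Backup Contributor', which the nested module deleted at the top of this chunk still resolved) is passed through unchanged as a role definition ID by the resource hunk that follows, so such an input now fails at deployment time with an unhelpful ARM error rather than at authoring time. Suggest a comment above the variable, `// Only these display names are resolved; any other role must be passed as its full roleDefinitions resource ID`, and the same restriction stated in the parameter description. That the deleted nested module belonged to this module is inferred from the diff's file ordering.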
@@ -49,17 +63,18 @@ resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' = {
 }
 }
-module TXT_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name)}-PDNSTXT-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: TXT.id
+resource TXT_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: TXT
 }]
 @description('The name of the deployed TXT record.')
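Review bot: The assignment name `guid(TXT.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived from the unresolved input rather than the resolved value assigned to `roleDefinitionId` two lines below, so the same role given once by display name and once by its full ID yields two different names for what Azure treats as one assignment (same scope, principal and role); the second deployment is then rejected as an already-existing assignment instead of being idempotent. Resolving once inside the name expression fixes this: `name: guid(TXT.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Separately, `principalIds` (array) becoming `principalId` (scalar) breaks existing parameter files and presumably deserves a migration note in the README, and the inline comment has a typo, `condtion`.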
@@ -70,3 +85,29 @@ output resourceId string = TXT.id
 @description('The resource group of the deployed TXT record.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-dns-zone/txt/main.json b/modules/network/private-dns-zone/txt/main.json
index 49da878984..65fa0ceb85 100644
--- a/modules/network/private-dns-zone/txt/main.json
+++ b/modules/network/private-dns-zone/txt/main.json
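Review bot: `principalId` in the new `roleAssignmentType` is described only as 'The principal ID of the principal (user/group/identity)', which does not say it must be the principal's object ID (a GUID) rather than a user's UPN or an application's client ID; the field is a plain `string`, so the type system cannot catch the wrong identifier and the mistake only surfaces as a failed deployment. Suggest `@description('Required. The object ID (GUID) of the principal (user/group/identity/service principal) to assign the role to; not the UPN or application (client) ID.')`. The same sentence is echoed in the README hunk above and would be refreshed by the readme generator.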
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1124215030878784014" + "templateHash": "15093956155477786576" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "privateDnsZoneName": { "type": "string", @@ -46,8 +115,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -60,8 +128,23 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -75,7 +158,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "TXT": { "type": "Microsoft.Network/privateDnsZones/TXT", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
@@ -83,186 +172,34 @@ "metadata": "[parameters('metadata')]", "ttl": "[parameters('ttl')]", "txtRecords": "[parameters('txtRecords')]" - } + }, + "dependsOn": [ + "privateDnsZone" + ] }, - { + "TXT_roleAssignments": { "copy": { "name": "TXT_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PDNSTXT-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", 
- "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16791864516622438253" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" + "TXT" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/network/private-link-service/.bicep/nested_roleAssignments.bicep b/modules/network/private-link-service/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 1c051d9d53..0000000000 --- a/modules/network/private-link-service/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource privateLinkService 'Microsoft.Network/privateLinkServices@2022-11-01' existing = {
- name: last(split(resourceId, '/'))!
- }
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(privateLinkService.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: privateLinkService
-}]
diff --git a/modules/network/private-link-service/.test/common/main.test.bicep b/modules/network/private-link-service/.test/common/main.test.bicep
index f8f5819498..ba974b6e46 100644
--- a/modules/network/private-link-service/.test/common/main.test.bicep
+++ b/modules/network/private-link-service/.test/common/main.test.bicep
@@ -92,10 +92,9 @@ module testDeployment '../../main.bicep' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: 'Reader'
+ principalType: 'ServicePrincipal'
 }
 ]
 tags: {
diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md
index 15bd8feb94..6ff4cb081d 100644
--- a/modules/network/private-link-service/README.md
+++ b/modules/network/private-link-service/README.md
@@ -80,9 +80,8 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } ] @@ -166,9 +165,8 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } ] 
@@ -396,7 +394,68 @@ Name of the private link service to create. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep index 3bcdd83798..b964c1d180 100644 --- a/modules/network/private-link-service/main.bicep +++ b/modules/network/private-link-service/main.bicep 
@@ -39,7 +39,20 @@ param visibility object = {}
 param enableDefaultTelemetry bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
+ 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+}
 
 resource defaultTelemetry 
'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
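Review bot: The `builtInRoleNames` map introduced in this hunk resolves only ten display names, while the nested template deleted in the same commit resolved around forty, including 'User Access Administrator' and 'Virtual Machine Contributor'; a caller still passing one of the dropped names will now have that literal string forwarded as `roleDefinitionId` and fail at deployment time rather than at validation. The parameter description just above still promises, without qualification, that "the display name of the role definition" is accepted. Suggest a comment on the variable, `// Display names resolvable by this module; any other roleDefinitionIdOrName value is passed through unchanged as a role definition ID`, and a matching qualification in the `@description` of `roleAssignments`. The `defaultTelemetry` resource that closes the hunk continues outside it.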
@@ -77,17 +90,18 @@ resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 scope: privateLinkService
 }
 
-module privateLinkService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-PrivateLinkService-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: privateLinkService.id
+resource privateLinkService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(privateLinkService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: privateLinkService
 }]
 
 @description('The resource group the private link service was deployed into.')
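Review bot: The trailing comment on the new `conditionVersion` line misspells the word it explains; it should read `// Must only be set if condition is set`. Separately, the resource name is `guid(privateLinkService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so the same role supplied once by display name and once by its full definition ID yields two distinct names for what Azure treats as a single assignment, and I would expect the second to fail at deployment with a conflict. That is worth a comment next to the `name:` line, e.g. `// Name derives from the raw roleDefinitionIdOrName, so give each role for a principal in one form only`.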
@@ -113,3 +127,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json
index bca152c1d8..3ecea13bbf 100644
--- a/modules/network/private-link-service/main.json
+++ b/modules/network/private-link-service/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8807571087134722220"
+ "templateHash": "14019322744522497377"
 },
 "name": "Private Link Services",
 "description": "This module deploys a Private Link Service.",
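Review bot: In the new `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, which lists `null` inside the union and also marks the property optional; the compiled `main.json` later in this commit emits only the five string values with `"nullable": true`, so the `| null` is redundant and reads as if null were a distinct allowed value. Suggest `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`, which matches how `conditionVersion: '2.0'?` is written a few lines below in the same type.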
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -123,13 +189,26 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + } + 
}, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -178,175 +257,20 @@ "privateLinkService_roleAssignments": { "copy": { "name": "privateLinkService_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateLinkService-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/privateLinkServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateLinkServices', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "535852805558824015" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateLinkServices/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateLinkServices', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "privateLinkService" diff --git a/modules/network/public-ip-prefix/.bicep/nested_roleAssignments.bicep b/modules/network/public-ip-prefix/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ac7f1d6f8f..0000000000 --- a/modules/network/public-ip-prefix/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2023-04-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(publicIpPrefix.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: publicIpPrefix
-}]
diff --git a/modules/network/public-ip-prefix/.test/common/main.test.bicep b/modules/network/public-ip-prefix/.test/common/main.test.bicep
index c69da59569..60824222df 100644
--- a/modules/network/public-ip-prefix/.test/common/main.test.bicep
+++ b/modules/network/public-ip-prefix/.test/common/main.test.bicep
@@ -60,9 +60,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md
index f19a2d2c8d..c38f10e3a0 100644
--- a/modules/network/public-ip-prefix/README.md
+++ b/modules/network/public-ip-prefix/README.md
@@ -53,9 +53,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = {
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
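Review bot: The updated test still exercises only the display-name branch of the role lookup (`roleDefinitionIdOrName: 'Reader'`), so the fall-through in main.bicep where an unmapped value is passed straight through as `roleDefinitionId` has no coverage. A second entry that supplies a full role definition ID would cover it, e.g. `roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')` (Network Contributor) with the same `principalId` and `principalType: 'ServicePrincipal'`. Pick a role other than Reader for that entry, because the assignment name is derived from the raw string and a by-ID Reader entry would target the same (scope, principal, role) tuple as the existing by-name one. The `testDeployment` module declaration starts and ends outside this hunk.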
@@ -101,9 +99,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -261,7 +257,68 @@ Length of the Public IP Prefix. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep index 8ee5bccc30..23c2c7b056 100644 --- a/modules/network/public-ip-prefix/main.bicep +++ b/modules/network/public-ip-prefix/main.bicep 
@@ -18,7 +18,7 @@ param prefixLength int
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -29,6 +29,15 @@ param customIPPrefix object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
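Review bot: The `roleAssignments` description in the first hunk still promises that any role display name can be supplied, but the new `builtInRoleNames` map in the second hunk resolves only six names; every other name now falls through to `roleDefinitionId` unchanged, which fails at deployment rather than silently granting anything, and this is a behaviour change from the deleted nested module that mapped around forty names. Say so in the description, e.g. `... you can provide either the display name of a built-in role this module maps (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), or its fully qualified ID ...`. A short comment above `var builtInRoleNames = {` stating that the list is intentionally limited to roles relevant to a public IP prefix, and that Owner, User Access Administrator and the RBAC Administrator role can themselves delegate access so callers should prefer the narrower roles, would help reviewers of consuming templates.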
@@ -64,17 +73,18 @@ resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: publicIpPrefix
 }
-module publicIpPrefix_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-PIPPrefix-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: publicIpPrefix.id
+resource publicIpPrefix_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(publicIpPrefix.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: publicIpPrefix
 }]
 @description('The resource ID of the public IP prefix.')
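Review bot: The `name: guid(publicIpPrefix.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line hashes the caller's raw string while `roleDefinitionId` two lines below uses the resolved built-in ID, so the same role supplied once as `'Reader'` and once as its full definition ID yields two assignment names for one (scope, principal, role) tuple, and the second deployment targets an assignment that already exists under another name instead of converging on it. Hashing the resolved value keeps the name stable regardless of how the role was spelled: `name: guid(publicIpPrefix.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. Note this changes the generated name for existing deployments that pass a mapped display name, so those assignments would be re-created and the change should be called out as breaking. The trailing comment on the `conditionVersion` line also misspells the word: `// Must only be set if condition is set`.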
@@ -100,3 +110,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json
index 24715f2bfe..25e8f2aff0 100644
--- a/modules/network/public-ip-prefix/main.json
+++ b/modules/network/public-ip-prefix/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15055641726196349086"
+ "templateHash": "17531002451033298883"
 },
 "name": "Public IP Prefixes",
 "description": "This module deploys a Public IP Prefix.",
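Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` in `roleAssignmentType` lists `null` inside the union and also marks the member nullable with `?`; the other optional members use `?` alone, and the generated main.json in this same commit already emits only the five string values as `allowedValues` with `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is equivalent and consistent. The `roleDefinitionIdOrName` description should also tell callers what "cannot be found" means in practice: an unmapped string is used as the `roleDefinitionId` unchanged, so it has to be the full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` resource ID shown in the parameter description at the top of the file, not a bare GUID. Suggested wording: `@description('Required. The display name of a built-in role mapped by this module, or the fully qualified role definition resource ID. Unmapped names are passed through unchanged as the roleDefinitionId.')`.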
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -69,8 +135,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -97,6 +162,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -144,175 +219,20 @@ "publicIpPrefix_roleAssignments": { "copy": { "name": "publicIpPrefix_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPPrefix-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11602921617847310411" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpPrefix" diff --git a/modules/network/route-table/.bicep/nested_roleAssignments.bicep b/modules/network/route-table/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index f801db3937..0000000000 --- a/modules/network/route-table/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource routeTable 'Microsoft.Network/routeTables@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(routeTable.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: routeTable -}] diff --git a/modules/network/route-table/.test/common/main.test.bicep b/modules/network/route-table/.test/common/main.test.bicep index a14ec3fb4b..956148cbd0 100644 --- a/modules/network/route-table/.test/common/main.test.bicep +++ b/modules/network/route-table/.test/common/main.test.bicep @@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index 385b178512..9af978eec2 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -52,9 +52,7 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -107,9 +105,7 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -269,7 +265,68 @@ Name given for the hub route table. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `routes` diff --git a/modules/network/route-table/main.bicep b/modules/network/route-table/main.bicep index 6a690a4a00..ff4eb5bb3a 100644 --- a/modules/network/route-table/main.bicep +++ b/modules/network/route-table/main.bicep 
@@ -18,7 +18,7 @@ param disableBgpRoutePropagation bool = false param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -26,6 +26,15 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
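Review bot: The new `builtInRoleNames` map in the second hunk resolves only six display names, while the nested module this commit deletes resolved about forty (its list is visible earlier in the patch), so inputs such as `'Monitoring Reader'` or `'Virtual Machine Contributor'` that used to resolve now miss `contains(builtInRoleNames, ...)` and are sent verbatim as `roleDefinitionId`; ARM should reject that at deployment time rather than grant a different role, but it is an undocumented breaking change for existing consumers. The `roleAssignments` description in the first hunk still promises 'the display name of the role definition' without qualification. Either keep the wider list or qualify the description, e.g. `... provide either the display name of one of the roles in builtInRoleNames (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), or its fully qualified ID ...`. Narrowing to roles that are meaningful on a route table is defensible from a least-privilege standpoint, but it belongs in the module changelog.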
@@ -57,17 +66,18 @@ resource routeTable_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty scope: routeTable } -module routeTable_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-RouteTable-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: routeTable.id +resource routeTable_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(routeTable.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: routeTable }] @description('The resource group the route table was deployed into.') 
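Review bot: The assignment `name` is derived from the raw `roleAssignment.roleDefinitionIdOrName` while `properties.roleDefinitionId` uses the resolved value, so the same role given once as `'Reader'` and once as its full definition ID yields two different resource names for what ARM treats as one assignment (same principal, role and scope); a redeploy that switches spelling, or two array entries using the two forms, should then fail with a RoleAssignmentExists conflict instead of being idempotent. Resolving the ID once and feeding it to both `name` and `roleDefinitionId` removes the ambiguity and gives a stable name for drift detection, for example via a formatted variable as below. The inline comment on the `conditionVersion` line also misspells 'condition'.
```bicep
var formattedRoleAssignments = [for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
})]

resource routeTable_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in formattedRoleAssignments: {
  name: guid(routeTable.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType, condition, conditionVersion, delegatedManagedIdentityResourceId …
  }
  scope: routeTable
}]
```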
@@ -93,3 +103,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json index 06b736128a..2bb3a3f95a 100644 --- a/modules/network/route-table/main.json +++ b/modules/network/route-table/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7087068475486809138" + "templateHash": "15729767550329872027" }, "name": "Route Tables", "description": "This module deploys a User Defined Route Table (UDR).", 
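Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` states nullability twice — the trailing `?` already makes the member optional, and the compiled main.json later in this patch emits it as `nullable: true` with an `allowedValues` list that has no null entry, so the `| null` member adds nothing. Dropping it, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`, keeps the shape consistent with the other optional members such as `description: string?` and `conditionVersion: '2.0'?`. The `principalType` description would also benefit from a hint that callers assigning a freshly created identity should set it explicitly, since omitting it is a common cause of principal-lookup failures during deployment — worth confirming against current ARM docs before wording it as a guarantee.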
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -74,8 +140,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -95,6 +160,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -138,175 +213,20 @@ "routeTable_roleAssignments": { "copy": { "name": "routeTable_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RouteTable-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/routeTables/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/routeTables', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5854028200493831551" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/routeTables/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/routeTables', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "routeTable" diff --git a/modules/network/service-endpoint-policy/.bicep/nested_roleAssignments.bicep b/modules/network/service-endpoint-policy/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 6bd3061e96..0000000000 --- a/modules/network/service-endpoint-policy/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource serviceEndpointPolicy 'Microsoft.Network/serviceEndpointPolicies@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(serviceEndpointPolicy.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: serviceEndpointPolicy -}] diff --git a/modules/network/service-endpoint-policy/.test/common/main.test.bicep b/modules/network/service-endpoint-policy/.test/common/main.test.bicep index 3a0c8c2c75..0dca71cf41 100644 --- a/modules/network/service-endpoint-policy/.test/common/main.test.bicep +++ b/modules/network/service-endpoint-policy/.test/common/main.test.bicep @@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index 74b5e231a9..9865933bc5 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md 
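Review bot: The common test now exercises only the built-in-name path of the inlined role assignment in main.bicep ('Reader' resolved through builtInRoleNames); the verbatim fallback for a full roleDefinitions resource ID and the conditionVersion defaulting that applies only when condition is set are not covered. A second entry such as `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>'` (placeholder) and one carrying a `condition` would catch regressions in both branches; with the same principal each entry needs a different role so the guid()-derived names do not collide. The enclosing module testDeployment block starts before this hunk.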
@@ -52,9 +52,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -110,9 +108,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -276,7 +272,68 @@ The Service Endpoint Policy name. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serviceAlias` diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep index 722a350d3a..fe50a768e4 100644 --- a/modules/network/service-endpoint-policy/main.bicep +++ b/modules/network/service-endpoint-policy/main.bicep 
@@ -21,7 +21,7 @@ param serviceAlias string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -29,6 +29,15 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
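Review bot: The builtInRoleNames map added here resolves six display names, while the nested_roleAssignments.bicep template this commit deletes resolved several dozen (see the removed var earlier in the patch), and the ternary in the next hunk passes any unmatched roleDefinitionIdOrName through verbatim as roleDefinitionId. A caller that previously used a display name such as 'Monitoring Contributor' now sends a raw string where ARM expects a roleDefinitions resource ID, and the failure surfaces only at deployment time rather than at validation. If the trimmed list is intentional, a comment on the var, e.g. `// Only roles relevant to this resource are resolved by display name; any other role must be passed as its full roleDefinitions resource ID`, and the same sentence in the @description of roleAssignments would make the contract explicit.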
@@ -61,17 +70,18 @@ resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = scope: serviceEndpointPolicy } -module serviceEndpointPolicy_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-ServiceEndpointPolicy-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: serviceEndpointPolicy.id +resource serviceEndpointPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(serviceEndpointPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: serviceEndpointPolicy }] @description('The resource group the Service Endpoint Policy was deployed into.') 
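Review bot: The trailing comment on the conditionVersion line misspells the property it documents; it should read `// Must only be set if condition is set`. The expression itself agrees with the type in the next hunk: the version is emitted only when a condition is present and defaults to '2.0', the single allowed value. Note also that guid() is keyed on the raw roleDefinitionIdOrName string rather than the resolved roleDefinitionId, so the same role given once by name and once by ID yields two assignments on one scope, which ARM is likely to reject as a duplicate; the deleted nested template behaved the same way, so this is not a regression, but a short comment on the name line would save the next reader the question.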
@@ -97,3 +107,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index 9f43b9b6b0..c1fbae80ab 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13410463869934874502" + "templateHash": "379140032937405547" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", 
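Review bot: In roleAssignmentType the principalType property is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`; the trailing `?` already makes the property nullable, so the `null` member of the union appears redundant and differs from the style of every other optional property in the type, e.g. `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The @description of principalType could also note that when the principal is a service principal created in the same deployment, setting the type explicitly avoids the directory-replication failure Azure documents for omitted principal types; the common test in this patch already sets it. The description of roleDefinitionIdOrName says a role "cannot be found" without saying where; naming builtInRoleNames in main.bicep as the lookup would tell callers which display names resolve and that everything else must be a full resource ID.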
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -81,8 +147,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -102,6 +167,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -146,175 +221,20 @@ "serviceEndpointPolicy_roleAssignments": { "copy": { "name": "serviceEndpointPolicy_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ServiceEndpointPolicy-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1377119003389114371" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/serviceEndpointPolicies', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "serviceEndpointPolicy" diff --git a/modules/network/trafficmanagerprofile/.bicep/nested_roleAssignments.bicep b/modules/network/trafficmanagerprofile/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 4ef17ff891..0000000000 --- a/modules/network/trafficmanagerprofile/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource trafficmanagerprofile 'Microsoft.Network/trafficmanagerprofiles@2018-08-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(trafficmanagerprofile.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: trafficmanagerprofile -}] diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep index 0c00e5b2b8..7afc5571c4 100644 --- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep @@ -78,9 +78,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index a483630586..d7a7d8de43 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -59,9 +59,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -119,9 +117,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -357,7 +353,68 @@ The relative DNS name provided by this Traffic Manager profile. This value is co Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index 78383c2b97..f7c3913340 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep 
@@ -66,7 +66,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Resource tags.') param tags object = {} @@ -113,6 +113,16 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { enabled: true }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
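Review bot: The new `builtInRoleNames` map in the second hunk resolves only seven display names, while the deleted nested module resolved a much longer list, yet neither the `roleAssignments` description in the first hunk nor a comment on the map says which names are accepted. Because the resource lookup falls back to passing `roleDefinitionIdOrName` through unchanged, a display name outside this list (say one that the old module knew) reaches ARM as a bare string in `roleDefinitionId` and presumably fails at deploy time with an error that does not point at the real cause. Either extend the `@description` on `roleAssignments` with the resolvable names, or add above the map `// Display names resolvable via roleDefinitionIdOrName; any other value is passed through verbatim as a role definition resource ID`.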
@@ -165,17 +175,18 @@ resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnostic scope: trafficManagerProfile } -module trafficManagerProfile_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name)}-TrafficManagerProfile-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: trafficManagerProfile.id +resource trafficManagerProfile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(trafficManagerProfile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: trafficManagerProfile }] @description('The resource ID of the traffic manager.') 
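Review bot: The trailing comment on the `conditionVersion` line misspells the property it refers to; it should read `// Must only be set if condition is set`. Separately, the `name` on the new resource hashes the caller-supplied `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same role given by display name in one entry and by full ID in another for the same principal yields two different names, and the second would likely be rejected as a duplicate of an existing assignment at deploy time. The guid inputs do match the former nested module, so existing assignments keep their names across this refactor, which is worth recording on the `name` line: `// guid inputs intentionally match the removed nested module so existing assignment names are stable`.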
@@ -198,3 +209,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 74da3a3382..93f05400a2 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15585979978664772684" + "templateHash": "15030506362801103601" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", 
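Review bot: In `roleAssignmentType` the `principalType` union lists `null` as a member and is also marked optional with `?`, which is redundant; the compiled `main.json` in this same commit shows the property as `"nullable": true` with an `allowedValues` list that does not contain null, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and matches how `description`, `condition` and `conditionVersion` are declared in the same type. The `principalType` description could also tell callers why they would set it; when the principal was created shortly before the assignment, giving the type explicitly is the usual advice to avoid a failed principal lookup, so something like `@description('Optional. The principal type of the assigned principal ID. Set it when the principal was created in the same deployment.')` would help.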
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -157,8 +223,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -231,7 +296,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -302,175 +376,20 @@ "trafficManagerProfile_roleAssignments": { "copy": { "name": "trafficManagerProfile_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-TrafficManagerProfile-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5157762725404408248" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/trafficmanagerprofiles', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "trafficManagerProfile" diff --git a/modules/network/virtual-network-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/virtual-network-gateway/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 51ed7dd0ac..0000000000 --- a/modules/network/virtual-network-gateway/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(virtualNetworkGateway.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: virtualNetworkGateway -}] diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep index d02d24dcbf..5a7f3fad8f 100644 --- a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep @@ -87,9 +87,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep index 7b706acf5e..55bce8b7a8 100644 --- a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep 
@@ -77,10 +77,9 @@ module testDeployment '../../main.bicep' = { gatewayPipName: '${namePrefix}-pip-${serviceShort}' roleAssignments: [ { - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' } ] tags: { diff --git a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep index 4bb4048a26..ddb059e2d7 100644 --- a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep @@ -88,10 +88,9 @@ module testDeployment '../../main.bicep' = { ] roleAssignments: [ { - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' } ] vpnType: 'RouteBased' diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index d1424ab0b2..3db958c670 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -69,9 +69,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -162,9 +160,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -232,9 +228,8 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } ] @@ -310,9 +305,8 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } ] @@ -410,9 +404,8 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } ] @@ -543,9 +536,8 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } ] 
@@ -866,7 +858,68 @@ Specifies the zones of the Public IP address. Basic IP SKU does not support Avai Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index 702b760280..8a60fe45f9 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep 
@@ -125,7 +125,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -309,9 +309,19 @@ var vpnClientConfiguration = !empty(clientRootCertData) ? {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 // ================//
 // Deployments //
 // ================//
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
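Review bot: The new `builtInRoleNames` variable resolves only six display names, whereas the nested module this commit deletes resolved the full list (for example 'Monitoring Reader'), so a caller still passing one of the dropped names has the string forwarded verbatim as `roleDefinitionId` in the role-assignment resource and fails at deployment time rather than at validation. That narrowing is not reflected anywhere the caller reads: the `roleAssignments` description in the first hunk still says a display name or a fully qualified ID may be given, without saying which names are known. I would extend that description with `Only the display names listed in the module's builtInRoleNames variable are resolved; any other value is passed through unchanged and must be a full role definition resource ID.` and regenerate the README so the parameter table carries the same sentence.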
@@ -419,17 +429,18 @@ resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnostic
 scope: virtualNetworkGateway
 }
 
-module virtualNetworkGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-VNetGateway-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: virtualNetworkGateway.id
+resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: virtualNetworkGateway
 }]
 
 // ================//
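Review bot: The assignment `name` on the `guid(...)` line hashes the raw `roleDefinitionIdOrName`, while `roleDefinitionId` two lines below resolves it through `builtInRoleNames`, so the same principal and role given once as 'Reader' and once as its full definition ID yield two differently named resources for one effective grant, which Azure rejects as a duplicate assignment at deployment time, and the name also changes whenever a caller switches between the two spellings. Resolving the ID once per entry in a variable and hashing the resolved value keeps the name stable and deterministic for either spelling; the sketch below does that with `union` so the remaining properties stay as written. Unrelated, the inline comment on the `conditionVersion` line reads `condtion`.
```bicep
var formattedRoleAssignments = [for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
})]

resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in formattedRoleAssignments: {
  name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType, condition, conditionVersion, delegatedManagedIdentityResourceId …
  }
  scope: virtualNetworkGateway
}]
```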
@@ -461,3 +472,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json index 8e213cc2b9..38b96ccc31 100644 --- a/modules/network/virtual-network-gateway/main.json +++ b/modules/network/virtual-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13696920156449738955" + "templateHash": "682172415254356637" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", 
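Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice: the trailing `?` already makes the member nullable, and the compiled `main.json` in this commit emits `allowedValues` without a null entry plus `"nullable": true`, the same shape the other optional members get. Writing it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches its siblings and the generated output. The `condition` description is also the only member description without a terminating period, and since the readme generator copies these strings into the parameter table, the inconsistency shows up in the README hunk as well.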
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -279,8 +345,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -415,7 +480,15 @@ }, "ipConfiguration": "[if(variables('isActiveActiveValid'), createArray(createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName')))), 'name', 'vNetGatewayConfig1'), createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', if(variables('isActiveActiveValid'), resourceId('Microsoft.Network/publicIPAddresses', parameters('activeGatewayPipName')), resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName'))))), 'name', 'vNetGatewayConfig2')), createArray(createObject('properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', format('{0}/subnets/GatewaySubnet', parameters('vNetResourceId'))), 'publicIPAddress', createObject('id', resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPipName')))), 'name', 'vNetGatewayConfig1')))]", "vpnClientConfiguration": "[if(not(empty(parameters('clientRootCertData'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 'vpnClientRootCertificates', createArray(createObject('name', 'RootCert1', 'properties', createObject('PublicCertData', parameters('clientRootCertData')))), 'vpnClientRevokedCertificates', if(not(empty(parameters('clientRevokedCertThumbprint'))), createArray(createObject('name', 'RevokedCert1', 'properties', createObject('Thumbprint', parameters('clientRevokedCertThumbprint')))), null())), if(not(empty(parameters('vpnClientAadConfiguration'))), createObject('vpnClientAddressPool', createObject('addressPrefixes', createArray(parameters('vpnClientAddressPoolPrefix'))), 
'aadTenant', parameters('vpnClientAadConfiguration').aadTenant, 'aadAudience', parameters('vpnClientAadConfiguration').aadAudience, 'aadIssuer', parameters('vpnClientAadConfiguration').aadIssuer, 'vpnAuthenticationTypes', parameters('vpnClientAadConfiguration').vpnAuthenticationTypes, 'vpnClientProtocols', parameters('vpnClientAadConfiguration').vpnClientProtocols), null()))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -495,6 +568,28 @@ "virtualNetworkGateway" ] }, + "virtualNetworkGateway_roleAssignments": { + "copy": { + "name": "virtualNetworkGateway_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "virtualNetworkGateway" + ] + }, 
"publicIPAddress": { "copy": { "name": "publicIPAddress", @@ -563,7 +658,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7177220893233117141" + "templateHash": "17964103943026732172" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -594,6 +689,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -738,8 +899,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -814,7 +974,16 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -886,175 +1055,19 @@ "publicIpAddress_roleAssignments": { "copy": { "name": "publicIpAddress_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - 
"resourceId": { - "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9976109177347918049" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "publicIpAddress" 
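Review bot: The rewritten `publicIpAddress_roleAssignments` resource carries no `scope` property, whereas the nested template it replaces pinned the assignment with `"scope": "[format('Microsoft.Network/publicIPAddresses/{0}', ...)]"`; unless that line was lost in the diff rendering, a `Microsoft.Authorization/roleAssignments` resource without `scope` binds at the deployment's own scope, i.e. the whole resource group, so a caller requesting `Reader` or `Contributor` on one public IP would receive it on every resource in the group. Because this file is Bicep-compiled output (see the `_generator` metadata in the removed lines), the fix belongs in the module's `main.bicep` (`scope: publicIpAddress` on the role assignment resource) with `main.json` regenerated, which should yield `"scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]"` between `apiVersion` and `name`. The inlined `builtInRoleNames` lookup now resolves only seven display names and passes any other string through verbatim as `roleDefinitionId`, so names the removed map still knew (e.g. `DNS Zone Contributor`) now fail at deployment rather than resolve; that is fail-closed, but the `roleAssignments` parameter description should say that only a fully qualified role definition ID is accepted for anything outside the short list. The enclosing `resources` object continues outside the hunk.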
@@ -1265,183 +1278,6 @@ "dependsOn": [ "virtualNetworkGateway" ] - }, - "virtualNetworkGateway_roleAssignments": { - "copy": { - "name": "virtualNetworkGateway_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VNetGateway-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"3489304115292603489" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworkGateways', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "virtualNetworkGateway" - ] } }, "outputs": { diff --git a/modules/network/virtual-network/.bicep/nested_roleAssignments.bicep b/modules/network/virtual-network/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b6685d3853..0000000000 --- a/modules/network/virtual-network/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(virtualNetwork.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: virtualNetwork -}] diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/.test/common/main.test.bicep index cc944f6070..91e4c94774 100644 --- a/modules/network/virtual-network/.test/common/main.test.bicep +++ b/modules/network/virtual-network/.test/common/main.test.bicep @@ -87,9 +87,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -106,9 +104,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 0710f85a85..6fc6c587f9 100644 --- a/modules/network/virtual-network/README.md 
+++ b/modules/network/virtual-network/README.md @@ -69,9 +69,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -87,9 +85,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { networkSecurityGroupId: '' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -187,9 +183,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -207,9 +201,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "networkSecurityGroupId": "", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -592,7 +584,68 @@ Virtual Network Peerings configurations. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `subnets` diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep index 83da2e2521..e095c29389 100644 --- a/modules/network/virtual-network/main.bicep +++ b/modules/network/virtual-network/main.bicep 
@@ -53,7 +53,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -110,6 +110,15 @@ var ddosProtectionPlan = { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
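Review bot: The new `builtInRoleNames` map in the second hunk carries six display names, whereas the nested template it replaces (removed further down this diff in main.json) resolved roughly forty, including names such as 'Monitoring Contributor' and 'Private DNS Zone Contributor'; a caller who passed one of those by name will now miss the `contains()` lookup and the bare display name will be sent as `roleDefinitionId`, which fails at deployment time rather than at validation. Either restore the entries callers may depend on or state the contract explicitly, e.g. a comment above the map: `// Only these display names are resolved to role definition IDs; any other value of roleDefinitionIdOrName is passed through unchanged and must already be a full roleDefinitions resource ID.` The `roleDefinitionIdOrName` parameter description would benefit from the same sentence, since it currently promises "the display name of the role definition" without qualification.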
@@ -249,17 +258,18 @@ resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSetting scope: virtualNetwork } -module virtualNetwork_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: virtualNetwork.id +resource virtualNetwork_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: virtualNetwork }] @description('The resource group the virtual network was deployed into.') 
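Review bot: `name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived from the unresolved role string, so two entries that reference the same role once by display name and once by its full definition ID produce two resources for the same principal/role/scope, and ARM rejects the second at deployment; conversely two entries that differ only in `condition` collide on the same resource name and the deployment fails on a duplicate. Hashing the resolved ID instead, `guid(virtualNetwork.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, closes the first case, but note that the removed nested template used the same three unresolved inputs, so changing the formula renames existing assignments on redeploy and leaves the old ones in place — that trade-off should be weighed and documented either way. The trailing comment on the `conditionVersion` line misspells "condition" (`// Must only be set if condition is set`).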
@@ -294,3 +304,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index aa8e8ff76e..5c1e4d2f7c 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13568581294067247622" + "templateHash": "1599358796462967622" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", 
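Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the member optional with `?`, which is redundant and inconsistent with the other optional members of the same type; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract. The `principalType` description could also tell callers why they would set it: Azure RBAC guidance, as far as I recall, is to supply the type when the principal was created in the same deployment, so the assignment does not fail on directory replication lag, e.g. `@description('Optional. The principal type of the assigned principal ID. Recommended when the principal was created in the same deployment.')`. The main.json hunk that follows is compiler output and needs no separate review.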
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -148,8 +214,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -229,7 +294,15 @@ "ddosProtectionPlan": { "id": "[parameters('ddosProtectionPlanId')]" }, - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -318,6 +391,28 @@ "virtualNetwork" ] }, + "virtualNetwork_roleAssignments": { + "copy": { + "name": "virtualNetwork_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "virtualNetwork" + ] + }, "virtualNetwork_subnets": { "copy": { "name": 
"virtualNetwork_subnets", 
@@ -359,17 +454,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8758167910677571979" + "templateHash": "17180599685720534663" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -477,8 +641,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -491,8 +654,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -506,7 +679,13 @@ } } }, - { + "virtualNetwork": { + "existing": true, + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-04-01", + "name": "[parameters('virtualNetworkName')]" + }, + "subnet": { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('name'))]", 
@@ -523,186 +702,34 @@ "applicationGatewayIPConfigurations": "[parameters('applicationGatewayIPConfigurations')]", "ipAllocations": "[parameters('ipAllocations')]", "serviceEndpointPolicies": "[parameters('serviceEndpointPolicies')]" - } + }, + "dependsOn": [ + "virtualNetwork" + ] }, - { + "subnet_roleAssignments": { "copy": { "name": "subnet_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Subnet-Rbac-{1}', uniqueString(deployment().name, resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3698261669800089456" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed 
Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], 
parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('name'))]" + "subnet" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -730,14 +757,14 @@ "metadata": { "description": "The address prefix for the subnet." }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2023-04-01').addressPrefix]" + "value": "[reference('subnet').addressPrefix]" }, "subnetAddressPrefixes": { "type": "array", "metadata": { "description": "List of address prefixes for the subnet." }, - "value": "[if(not(empty(parameters('addressPrefixes'))), reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2023-04-01').addressPrefixes, createArray())]" + "value": "[if(not(empty(parameters('addressPrefixes'))), reference('subnet').addressPrefixes, createArray())]" } } } 
@@ -1080,183 +1107,6 @@ "dependsOn": [ "virtualNetwork" ] - }, - "virtualNetwork_roleAssignments": { - "copy": { - "name": "virtualNetwork_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VNet-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9735784247686217836" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "virtualNetwork" - ] } }, "outputs": { diff --git a/modules/network/virtual-network/subnet/.bicep/nested_roleAssignments.bicep b/modules/network/virtual-network/subnet/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 5095a2d7c0..0000000000 --- a/modules/network/virtual-network/subnet/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(subnet.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: subnet -}] diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index 643c00ebdc..b499e44cee 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md 
@@ -132,7 +132,68 @@ enable or disable apply network policies on private link service in the subnet. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `routeTableId` diff --git a/modules/network/virtual-network/subnet/main.bicep b/modules/network/virtual-network/subnet/main.bicep index a114960005..a6ae7b85b1 100644 --- a/modules/network/virtual-network/subnet/main.bicep +++ b/modules/network/virtual-network/subnet/main.bicep 
@@ -55,11 +55,20 @@ param ipAllocations array = []
 param serviceEndpointPolicies array = []
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
   properties: {
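Review bot: The `builtInRoleNames` map added here resolves only six display names, yet the `roleAssignments` description kept in context still promises that any role display name can be given; with the nested template deleted, a name outside this map (for example 'Private DNS Zone Contributor', which the old template knew) is passed verbatim as `roleDefinitionId` and the deployment fails at runtime instead of at validation. Failing closed is the right behaviour for an RBAC helper, but the contract should be stated where callers read it: `@description('Optional. Array of role assignment objects ... In the roleDefinitionIdOrName attribute, you can provide either the display name of one of the built-in roles resolved by this module (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator) or the fully qualified role definition ID ...')`. A one-line comment above the map, `// Only these display names are resolved; any other value is used as a role definition resource ID as-is`, would make the same point to the next person extending it.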
@@ -101,17 +110,18 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
   }
 }
 
-module subnet_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, subnet.id)}-Subnet-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: subnet.id
+resource subnet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: subnet
 }]
 
 @description('The resource group the virtual network peering was deployed into.')
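Review bot: `name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's raw input rather than the resolved `roleDefinitionId`, so the same role given as 'Reader' in one deployment and as its resource ID in the next yields two different assignment names for one principal/role/scope tuple, and Azure rejects the second create as a duplicate assignment. The deleted nested module had the same behaviour, but the inline rewrite is the place to fix it: `name: guid(subnet.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The trailing comment on `conditionVersion` also misspells `condition` as `condtion`. The closing braces at the top of the hunk belong to the `subnet` resource, whose definition starts outside it.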
@@ -128,3 +138,29 @@ output subnetAddressPrefix string = subnet.properties.addressPrefix
 
 @description('List of address prefixes for the subnet.')
 output subnetAddressPrefixes array = !empty(addressPrefixes) ? subnet.properties.addressPrefixes : []
+// =============== //
+//   Definitions   //
+// =============== //
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
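Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice — the trailing `?` already admits null, and the compiled definition keeps only `nullable: true` with the five allowed values — so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is the cleaner form. Its description could also say why a caller would set it, since it is the knob that avoids a rejected assignment when the principal was created in the same deployment: `@description('Optional. The principal type of the assigned principal ID. Recommended when the principal was just created (e.g. ServicePrincipal for a new managed identity) so the assignment is not rejected before the principal has replicated.')`. Worth confirming that wording against current Azure RBAC guidance before committing it.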
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8758167910677571979" + "templateHash": "17180599685720534663" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -118,8 +187,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -132,8 +200,18 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -147,7 +225,13 @@ } } }, - { + "virtualNetwork": { + "existing": true, + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-04-01", + "name": "[parameters('virtualNetworkName')]" + }, + "subnet": { "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('name'))]", 
@@ -164,186 +248,34 @@ "applicationGatewayIPConfigurations": "[parameters('applicationGatewayIPConfigurations')]", "ipAllocations": "[parameters('ipAllocations')]", "serviceEndpointPolicies": "[parameters('serviceEndpointPolicies')]" - } + }, + "dependsOn": [ + "virtualNetwork" + ] }, - { + "subnet_roleAssignments": { "copy": { "name": "subnet_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Subnet-Rbac-{1}', uniqueString(deployment().name, resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": 
"[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3698261669800089456" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed 
Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], 
parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('name'))]" + "subnet" ] } - ], + }, "outputs": { "resourceGroupName": { "type": "string", @@ -371,14 +303,14 @@ "metadata": { "description": "The address prefix for the subnet." }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2023-04-01').addressPrefix]" + "value": "[reference('subnet').addressPrefix]" }, "subnetAddressPrefixes": { "type": "array", "metadata": { "description": "List of address prefixes for the subnet." }, - "value": "[if(not(empty(parameters('addressPrefixes'))), reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2023-04-01').addressPrefixes, createArray())]" + "value": "[if(not(empty(parameters('addressPrefixes'))), reference('subnet').addressPrefixes, createArray())]" } } } \ No newline at end of file diff --git a/modules/network/virtual-wan/.bicep/nested_roleAssignments.bicep b/modules/network/virtual-wan/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 7a505837c0..0000000000 --- a/modules/network/virtual-wan/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,97 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(virtualWan.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: virtualWan -}] diff --git a/modules/network/virtual-wan/.test/common/main.test.bicep b/modules/network/virtual-wan/.test/common/main.test.bicep index b253f9af0a..6f47c362b4 100644 --- a/modules/network/virtual-wan/.test/common/main.test.bicep +++ b/modules/network/virtual-wan/.test/common/main.test.bicep @@ -62,9 +62,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 208fd58305..78d5f5ebf7 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -55,9 +55,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
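Review bot: The updated test entry still exercises only the name-based path (`roleDefinitionIdOrName: 'Reader'`, no `condition`), so the full-resource-ID branch of `roleDefinitionId` and the new `conditionVersion` derivation in main.bicep run uncovered. A second entry with the role given as its full ID, e.g. `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'`, plus one that sets a `condition` string would cover both. The enclosing `testDeployment` module block starts and ends outside the hunk.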
@@ -110,9 +108,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -279,7 +275,68 @@ Name of the Virtual WAN. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep index 6c9d775386..12bdd5defc 100644 --- a/modules/network/virtual-wan/main.bicep +++ b/modules/network/virtual-wan/main.bicep 
@@ -25,7 +25,7 @@ param allowVnetToVnetTraffic bool = false param disableVpnEncryption bool = false @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -36,6 +36,15 @@ param enableDefaultTelemetry bool = true @description('Optional. The lock settings of the service.') param lock lockType +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
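Review bot: The `builtInRoleNames` map added in the second hunk resolves only six display names, whereas the deleted nested template accepted roughly forty (e.g. 'Virtual Machine Contributor', 'Private DNS Zone Contributor'); in the role-assignment hunk that follows, any display name not in this map is passed through verbatim as `roleDefinitionId`, which presumably fails only at deployment time with an unhelpful error. The parameter description in the first hunk still tells callers they may pass "either the display name of the role definition, or its fully qualified ID", so the narrowing is undocumented. Either restore the previously accepted names or state the restriction on the variable, e.g. `// Only these display names are resolved; any other role must be passed as its full role definition resource ID.`. The `defaultTelemetry` resource at the end of the second hunk continues outside it.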
@@ -69,17 +78,18 @@ resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty scope: virtualWan } -module virtualWan_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: virtualWan.id +resource virtualWan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(virtualWan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: virtualWan }] @description('The name of the virtual WAN.') 
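Review bot: The trailing comment on the `conditionVersion` line misspells "condition"; suggest `conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condition is set`. Separately, the resource name `guid(virtualWan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's unresolved string, so the same role supplied once as 'Reader' and once as its full ID produces two differently named assignments for an identical principal/role/scope triple, which the platform is expected to reject as a duplicate on the second deployment; hashing the resolved `roleDefinitionId` instead would make the name stable across both spellings. The deleted nested template used the same inputs, so this is a follow-up rather than a regression of this commit.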
@@ -105,3 +115,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index 6c7e53b57c..92b46f097e 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11532161823681864290" + "templateHash": "10009504626840542150" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", 
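Review bot: In the new `roleAssignmentType`, `principalType` lists `null` inside the literal union and also marks the property optional with `?`; the compiled template in the later main.json hunk emits only the five string `allowedValues` with `nullable: true`, so the `null` member is redundant and differs from how the other optional members are written. Suggest `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The main.json hunk at the end of this line is generated output and needs no hand edit.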
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -86,8 +152,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -113,6 +178,16 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -158,175 +233,20 @@ "virtualWan_roleAssignments": { "copy": { "name": "virtualWan_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VWan-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/virtualWans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/virtualWans', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2713904896388571012" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual 
Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualWans/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/virtualWans', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "virtualWan" diff --git a/modules/network/vpn-site/.bicep/nested_roleAssignments.bicep b/modules/network/vpn-site/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2ba49c6f30..0000000000 --- a/modules/network/vpn-site/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,63 +0,0 @@ -param principalIds array -param principalType string = '' -param roleDefinitionIdOrName string -param resourceId string - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d') - 'DNS Zone 
Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') - 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450') - 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2') - 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') - 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') -} - 
-resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(vpnSite.id, principalId, roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - } - scope: vpnSite -}] diff --git a/modules/network/vpn-site/.test/common/main.test.bicep b/modules/network/vpn-site/.test/common/main.test.bicep index d51318aff1..3e40997a52 100644 --- a/modules/network/vpn-site/.test/common/main.test.bicep +++ b/modules/network/vpn-site/.test/common/main.test.bicep @@ -106,9 +106,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index c04dae993b..59e4d270e4 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -64,9 +64,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -156,9 +154,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -400,7 +396,68 @@ The Office365 breakout policy. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep index f743eabaa2..860a2fab72 100644 --- a/modules/network/vpn-site/main.bicep +++ b/modules/network/vpn-site/main.bicep 
@@ -42,7 +42,16 @@ param vpnSiteLinks array = [] param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
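Review bot: The `builtInRoleNames` lookup added here contains six roles, while the `@description` on `roleAssignments` just above `param roleAssignments roleAssignmentType` still promises that any "display name of the role definition" is accepted; the deleted nested module resolved around forty names (e.g. 'Monitoring Contributor', 'Backup Contributor'). Any display name outside the six now reaches `roleDefinitionId` verbatim in `vpnSite_roleAssignments`, where the resource provider will presumably reject it rather than grant anything, so the failure is loud but the breaking change is undocumented. I would qualify the description, e.g. `... you can provide either the display name of one of the built-in roles resolved by this module (Contributor, Network Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), or its fully qualified ID ...`. The same reduction applies to modules/network/virtual-wan, whose variables block is visible in this chunk only through its compiled main.json.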
@@ -85,13 +94,18 @@ resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo scope: vpnSite } -module vpnSite_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' - params: { - principalIds: roleAssignment.principalIds - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: vpnSite.id +resource vpnSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(vpnSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: vpnSite }] @description('The name of the VPN site.') 
@@ -117,3 +131,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index 5e8f72b522..fe722b1c34 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18191511551539064045" + "templateHash": "6363080366806288405" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", 
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -129,13 +195,22 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -187,116 +262,20 @@ "vpnSite_roleAssignments": { "copy": { "name": "vpnSite_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-VWan-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/vpnSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.Network/vpnSites', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13348048560732484926" - } - }, - "parameters": { - "principalIds": { - "type": "array" - }, - "principalType": { - "type": "string", - "defaultValue": "" - }, - "roleDefinitionIdOrName": { - "type": "string" - }, - "resourceId": { - "type": "string" - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": 
"roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/vpnSites/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/vpnSites', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "vpnSite" From 4ceedd15c5c225832451b39992e937515bba1f63 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 22 Oct 2023 21:34:08 +0000 Subject: [PATCH 048/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 60 +++++++++++----------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 3b78fb6585..2dcbde233f 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -84,43 +84,43 @@ This section provides an overview of the library's feature set. | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | | 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 352 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 376 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | -| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 70 | -| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 334 | -| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 213 | +| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | +| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 358 | +| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 274 | | 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | -| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | :white_check_mark: | | :white_check_mark: | | | | | 71 | -| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 98 | -| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | :white_check_mark: | | :white_check_mark: | | | | | 107 | -| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:10] | 218 | -| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 201 | -| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | :white_check_mark: | | :white_check_mark: | | | | | 92 | +| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | :white_check_mark: | | | | | 95 | +| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | :white_check_mark: | | | | [L1:2] | 126 | +| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | :white_check_mark: | | | | | 137 | +| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | +| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | :white_check_mark: | | | | 226 | +| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | | 84 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | -| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 153 | -| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | :white_check_mark: | | :white_check_mark: | | | | | 128 | -| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 75 | -| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 238 | -| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | :white_check_mark: | | :white_check_mark: | | | | | 95 | -| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 160 | +| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | :white_check_mark: | | | | 178 | +| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | +| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | +| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 263 | +| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | :white_check_mark: | | | | | 120 | +| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | | 185 | | 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | -| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 140 | -| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 161 | -| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:2] | 104 | -| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:9] | 196 | +| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 165 | +| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 186 | +| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | :white_check_mark: | | | | [L1:2] | 129 | +| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | :white_check_mark: | | | | [L1:9] | 226 | | 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | -| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | :white_check_mark: | | :white_check_mark: | | | | | 92 | +| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | :white_check_mark: | | | | | 121 | | 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | :white_check_mark: | | | | 214 | -| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | :white_check_mark: | | :white_check_mark: | | | | | 84 | -| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | -| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | :white_check_mark: | | :white_check_mark: | | | | | 80 | -| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 167 | +| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | :white_check_mark: | | | | | 109 | +| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | :white_check_mark: | | | | | 102 | +| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | :white_check_mark: | | | | | 105 | +| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | :white_check_mark: | | | | 193 | | 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | -| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 251 | -| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 398 | -| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | :white_check_mark: | | :white_check_mark: | | | | | 87 | +| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 276 | +| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 423 | +| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | | 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | -| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | :white_check_mark: | | :white_check_mark: | | | | | 95 | +| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | | 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:7] | 313 | | 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | @@ -149,7 +149,7 @@ This section provides an overview of the library's feature set. | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 158 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 390 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 201 | -| Sum | | | 52 | 0 | 118 | 57 | 30 | 2 | 236 | 26599 | +| Sum | | | 23 | 0 | 118 | 57 | 30 | 2 | 236 | 27382 | ## Legend From 29b06f4d89eb2003b331dbcfb7686174003090f0 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Mon, 23 Oct 2023 00:42:25 +0200 Subject: [PATCH 049/178] [Utilities] Implemented several improvments for readme script (#4134) * First readme update * tested changes * Remvoed file deletion * Added URL test retry * Added support for orphaned & moved readmes * Ran readme utility --- modules/compute/ssh-public-key/README.md | 2 + modules/key-vault/vault/README.md | 2 + .../extension/README.md | 2 + .../flux-configuration/README.md | 2 + modules/network/private-endpoint/README.md | 2 + modules/network/public-ip-address/README.md | 2 + .../sharedScripts/Set-ModuleReadMe.ps1 | 528 +++++++----------- utilities/tools/Set-Module.ps1 | 2 +- 8 files changed, 206 insertions(+), 336 deletions(-) diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index c0c7d0c68d..45ffe72032 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -1,5 +1,7 @@ # Public SSH Keys `[Microsoft.Compute/sshPublicKeys]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Public SSH Key. > Note: The resource does not auto-generate the key for you. diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 5b1339de2b..81cb74a612 100644 
--- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -1,5 +1,7 @@ # Key Vaults `[Microsoft.KeyVault/vaults]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Key Vault. ## Navigation diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index ced229237b..b084bf2dd2 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -1,5 +1,7 @@ # Kubernetes Configuration Extensions `[Microsoft.KubernetesConfiguration/extensions]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Kubernetes Configuration Extension. ## Navigation diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 5e19132a78..4920286fde 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -1,5 +1,7 @@ # Kubernetes Configuration Flux Configurations `[Microsoft.KubernetesConfiguration/fluxConfigurations]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Kubernetes Configuration Flux Configuration. ## Navigation 
diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index f09fb62f47..c9dfacedfe 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -1,5 +1,7 @@ # Private Endpoints `[Microsoft.Network/privateEndpoints]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Private Endpoint. ## Navigation diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 96de4e5541..1485a2c32e 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -1,5 +1,7 @@ # Public IP Addresses `[Microsoft.Network/publicIPAddresses]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Public IP Address. ## Navigation diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 9b4e124fb8..fb9fdbfd9f 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 
@@ -1,5 +1,50 @@
 #requires -version 7.3
+#region helper functions
+<#
+.SYNOPSIS
+Test if an URL points to a valid online endpoint
+
+.DESCRIPTION
+Test if an URL points to a valid online endpoint
+
+.PARAMETER URL
+Mandatory. The URL to check
+
+.PARAMETER Retries
+Optional. The amount of times to retry
+
+.EXAMPLE
+Test-URl -URL 'www.github.com'
+
+Returns $true if the 'www.github.com' is valid, $false otherwise
+#>
+function Test-Url {
+
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string] $URL,
+
+ [Parameter(Mandatory = $false)]
+ [int] $Retries = 3
+ )
+
+ $currentAttempt = 1
+
+ while ($currentAttempt -le $Retries) {
+ try {
+ $null = Invoke-WebRequest -Uri $URL
+ return $true
+ } catch {
+ $currentAttempt++
+ Start-Sleep -Seconds 1
+ }
+ }
+
+ return $false
+}
+
 <#
 .SYNOPSIS
 Update the 'Resource Types' section of the given readme file
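Review bot: The `catch` in `Test-Url` retries every failure the same way, so the expected negative outcome of this helper — a 404 for a doc page that does not exist — costs three requests plus two seconds of sleep per probed resource type, and a stalled connection is never cut because `Invoke-WebRequest` is called without `-TimeoutSec` (PowerShell's default of 0 waits indefinitely). Only transient failures should be retried; a 4xx answer is definitive and can return `$false` immediately, which with `#requires -version 7.3` should be readable from `$_.Exception.Response.StatusCode` on the thrown `HttpResponseException` — worth confirming on the target host. The help example also calls `Test-URl -URL 'www.github.com'` with a scheme-less value that `Invoke-WebRequest` rejects as a URI; it should read `Test-Url -URL 'https://www.github.com'`.
```powershell
    while ($currentAttempt -le $Retries) {
        try {
            $null = Invoke-WebRequest -Uri $URL -TimeoutSec 15
            return $true
        } catch {
            # A 4xx response is a definitive "does not exist"; only retry network / 5xx failures
            $statusCode = $_.Exception.Response.StatusCode.value__
            if ($statusCode -ge 400 -and $statusCode -lt 500) {
                return $false
            }
            $currentAttempt++
            Start-Sleep -Seconds 1
        }
    }
    # … unchanged: return $false …
```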
@@ -59,24 +104,22 @@ function Set-ResourceTypesSection { $ProviderNamespace, $ResourceType = $resourceTypeObject.Type -split '/', 2 # Validate if Reference URL is working $TemplatesBaseUrl = 'https://learn.microsoft.com/en-us/azure/templates' - try { - $ResourceReferenceUrl = '{0}/{1}/{2}/{3}' -f $TemplatesBaseUrl, $ProviderNamespace, $resourceTypeObject.ApiVersion, $ResourceType - $null = Invoke-WebRequest -Uri $ResourceReferenceUrl - } catch { + + $ResourceReferenceUrl = '{0}/{1}/{2}/{3}' -f $TemplatesBaseUrl, $ProviderNamespace, $resourceTypeObject.ApiVersion, $ResourceType + if (-not (Test-Url $ResourceReferenceUrl)) { # Validate if Reference URL is working using the latest documented API version (with no API version in the URL) - try { - $ResourceReferenceUrl = '{0}/{1}/{2}' -f $TemplatesBaseUrl, $ProviderNamespace, $ResourceType - $null = Invoke-WebRequest -Uri $ResourceReferenceUrl - } catch { - # Check if the resource is a child resource - if ($ResourceType.Split('/').length -gt 1) { - $ResourceReferenceUrl = '{0}/{1}/{2}' -f $TemplatesBaseUrl, $ProviderNamespace, $ResourceType.Split('/')[0] - } else { - # Use the default Templates URL (Last resort) - $ResourceReferenceUrl = '{0}' -f $TemplatesBaseUrl - } + $ResourceReferenceUrl = '{0}/{1}/{2}' -f $TemplatesBaseUrl, $ProviderNamespace, $ResourceType + } + if (-not (Test-Url $ResourceReferenceUrl)) { + # Check if the resource is a child resource + if ($ResourceType.Split('/').length -gt 1) { + $ResourceReferenceUrl = '{0}/{1}/{2}' -f $TemplatesBaseUrl, $ProviderNamespace, $ResourceType.Split('/')[0] + } else { + # Use the default Templates URL (Last resort) + $ResourceReferenceUrl = '{0}' -f $TemplatesBaseUrl } } + $SectionContent += ('| `{0}` | [{1}]({2}) |' -f $resourceTypeObject.type, $resourceTypeObject.apiVersion, $ResourceReferenceUrl) } $ProgressPreference = 'Continue' 
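Review bot: The second `if (-not (Test-Url $ResourceReferenceUrl))` runs even when the first probe already succeeded, so every resource type whose versioned URL is valid is now fetched twice per README run, each fetch carrying up to three attempts; the try/catch nesting this replaces only probed the fallback when the first URL failed. The second probe should be nested inside the first `if` so the flattened form keeps the old request count. The child-resource / base-URL last resort is still written without any validation, which is unchanged from before but deserves a comment saying it is deliberately unverified. `Set-ResourceTypesSection` starts and ends outside this hunk.
```powershell
$ResourceReferenceUrl = '{0}/{1}/{2}/{3}' -f $TemplatesBaseUrl, $ProviderNamespace, $resourceTypeObject.ApiVersion, $ResourceType
if (-not (Test-Url $ResourceReferenceUrl)) {
    # Validate if Reference URL is working using the latest documented API version (with no API version in the URL)
    $ResourceReferenceUrl = '{0}/{1}/{2}' -f $TemplatesBaseUrl, $ProviderNamespace, $ResourceType
    if (-not (Test-Url $ResourceReferenceUrl)) {
        # … unchanged: child-resource / base-URL last resort (intentionally not validated) …
    }
}
```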
@@ -910,8 +953,8 @@ Convert the given JSONParameters object with one required parameter to a formatt name: 'carml' // Non-required parameters lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + kind: 'CanNotDelete' + name: 'myCustomLockName' } ' #> @@ -1065,13 +1108,10 @@ function Set-UsageExamplesSection { if ($specialConversionHash.ContainsKey($moduleName)) { # Convert moduleName using specialConversionHash $moduleNameCamelCase = $specialConversionHash[$moduleName] - $moduleNamePascalCase = $moduleNameCamelCase.Replace($moduleNameCamelCase[0], $moduleNameCamelCase[0].ToString().ToUpper()) } else { # Convert moduleName from kebab-case to camelCase $First, $Rest = $moduleName -Split '-', 2 $moduleNameCamelCase = $First.Tolower() + (Get-Culture).TextInfo.ToTitleCase($Rest) -Replace '-' - # Convert moduleName from kebab-case to PascalCase - $moduleNamePascalCase = (Get-Culture).TextInfo.ToTitleCase($moduleName) -Replace '-' } $testFilePaths = Get-ModuleTestFileList -ModulePath $moduleRoot | ForEach-Object { Join-Path $moduleRoot $_ } 
@@ -1124,342 +1164,141 @@ function Set-UsageExamplesSection { ) } - ## ----------------------------------- ## - ## Handle by type (Bicep vs. JSON) ## - ## ----------------------------------- ## - if ((Split-Path $testFilePath -Extension) -eq '.bicep') { - - # ------------------------- # - # Prepare Bicep to JSON # - # ------------------------- # - - # [1/6] Search for the relevant parameter start & end index - $bicepTestStartIndex = ($rawContentArray | Select-String ("^module testDeployment '..\/.*main.bicep' = ") | ForEach-Object { $_.LineNumber - 1 })[0] - - $bicepTestEndIndex = $bicepTestStartIndex - do { - $bicepTestEndIndex++ - } while ($rawContentArray[$bicepTestEndIndex] -notin @('}', '}]')) - - $rawBicepExample = $rawContentArray[$bicepTestStartIndex..$bicepTestEndIndex] - - if ($rawBicepExample[-1] -eq '}]') { - $rawBicepExample[-1] = '}' - } - - # [2/6] Replace placeholders - $serviceShort = ([regex]::Match($rawContent, "(?m)^param serviceShort string = '(.+)'\s*$")).Captures.Groups[1].Value - - $rawBicepExampleString = ($rawBicepExample | Out-String) - $rawBicepExampleString = $rawBicepExampleString -replace '\$\{serviceShort\}', $serviceShort - $rawBicepExampleString = $rawBicepExampleString -replace '\$\{namePrefix\}[-|\.|_]?', '' # Replacing with empty to not expose prefix and avoid potential deployment conflicts - $rawBicepExampleString = $rawBicepExampleString -replace '(?m):\s*location\s*$', ': ''''' - $rawBicepExampleString = $rawBicepExampleString -replace '-\$\{iteration\}', '' - - # [3/6] Format header, remove scope property & any empty line - $rawBicepExample = $rawBicepExampleString -split '\n' - $rawBicepExample[0] = "module $moduleNameCamelCase 'br:$($brLink):1.0.0' = {" - $rawBicepExample = $rawBicepExample | Where-Object { $_ -notmatch 'scope: *' } | Where-Object { -not [String]::IsNullOrEmpty($_) } - # [4/6] Extract param block - $rawBicepExampleArray = $rawBicepExample -split '\n' - $moduleDeploymentPropertyIndent = 
([regex]::Match($rawBicepExampleArray[1], '^(\s+).*')).Captures.Groups[1].Value.Length - $paramsStartIndex = ($rawBicepExampleArray | Select-String ("^[\s]{$moduleDeploymentPropertyIndent}params:[\s]*\{") | ForEach-Object { $_.LineNumber - 1 })[0] + 1 - if ($rawBicepExampleArray[$paramsStartIndex].Trim() -ne '}') { - # Handle case where param block is empty - $paramsEndIndex = ($rawBicepExampleArray[($paramsStartIndex + 1)..($rawBicepExampleArray.Count)] | Select-String "^[\s]{$moduleDeploymentPropertyIndent}\}" | ForEach-Object { $_.LineNumber - 1 })[0] + $paramsStartIndex - $paramBlock = ($rawBicepExampleArray[$paramsStartIndex..$paramsEndIndex] | Out-String).TrimEnd() - } else { - $paramBlock = '' - $paramsEndIndex = $paramsStartIndex - } - - # [5/6] Convert Bicep parameter block to JSON parameter block to enable processing - $conversionInputObject = @{ - BicepParamBlock = $paramBlock - CurrentFilePath = $testFilePath - } - $paramsInJSONFormat = ConvertTo-FormattedJSONParameterObject @conversionInputObject - - # [6/6] Convert JSON parameters back to Bicep and order & format them - $conversionInputObject = @{ - JSONParameters = $paramsInJSONFormat - RequiredParametersList = $RequiredParametersList - } - $bicepExample = ConvertTo-FormattedBicep @conversionInputObject + # ------------------------- # + # Prepare Bicep to JSON # + # ------------------------- # - # --------------------- # - # Add Bicep example # - # --------------------- # - if ($addBicep) { + # [1/6] Search for the relevant parameter start & end index + $bicepTestStartIndex = ($rawContentArray | Select-String ("^module testDeployment '..\/.*main.bicep' = ") | ForEach-Object { $_.LineNumber - 1 })[0] - if ([String]::IsNullOrEmpty($paramBlock)) { - # Handle case where param block is empty - $formattedBicepExample = $rawBicepExample[0..($paramsStartIndex - 1)] + $rawBicepExample[($paramsEndIndex)..($rawBicepExample.Count)] - } else { - $formattedBicepExample = $rawBicepExample[0..($paramsStartIndex - 
1)] + ($bicepExample -split '\n') + $rawBicepExample[($paramsEndIndex + 1)..($rawBicepExample.Count)] - } + $bicepTestEndIndex = $bicepTestStartIndex + do { + $bicepTestEndIndex++ + } while ($rawContentArray[$bicepTestEndIndex] -notin @('}', '}]')) - # Remove any dependsOn as it it test specific - if ($detected = ($formattedBicepExample | Select-String "^\s{$moduleDeploymentPropertyIndent}dependsOn:\s*\[\s*$" | ForEach-Object { $_.LineNumber - 1 })) { - $dependsOnStartIndex = $detected[0] + $rawBicepExample = $rawContentArray[$bicepTestStartIndex..$bicepTestEndIndex] - # Find out where the 'dependsOn' ends - $dependsOnEndIndex = $dependsOnStartIndex - do { - $dependsOnEndIndex++ - } while ($formattedBicepExample[$dependsOnEndIndex] -notmatch '^\s*\]\s*$') - - # Cut the 'dependsOn' block out - $formattedBicepExample = $formattedBicepExample[0..($dependsOnStartIndex - 1)] + $formattedBicepExample[($dependsOnEndIndex + 1)..($formattedBicepExample.Count)] - } + if ($rawBicepExample[-1] -eq '}]') { + $rawBicepExample[-1] = '}' + } - # Build result - $testFilesContent += @( - '', - '

' - '' - 'via Bicep module' - '' - '```bicep', - ($formattedBicepExample | ForEach-Object { "$_" }).TrimEnd(), - '```', - '', - '
', - '

' - ) - } + # [2/6] Replace placeholders + $serviceShort = ([regex]::Match($rawContent, "(?m)^param serviceShort string = '(.+)'\s*$")).Captures.Groups[1].Value + + $rawBicepExampleString = ($rawBicepExample | Out-String) + $rawBicepExampleString = $rawBicepExampleString -replace '\$\{serviceShort\}', $serviceShort + $rawBicepExampleString = $rawBicepExampleString -replace '\$\{namePrefix\}[-|\.|_]?', '' # Replacing with empty to not expose prefix and avoid potential deployment conflicts + $rawBicepExampleString = $rawBicepExampleString -replace '(?m):\s*location\s*$', ': ''''' + $rawBicepExampleString = $rawBicepExampleString -replace '-\$\{iteration\}', '' + + # [3/6] Format header, remove scope property & any empty line + $rawBicepExample = $rawBicepExampleString -split '\n' + $rawBicepExample[0] = "module $moduleNameCamelCase 'br:$($brLink):1.0.0' = {" + $rawBicepExample = $rawBicepExample | Where-Object { $_ -notmatch 'scope: *' } | Where-Object { -not [String]::IsNullOrEmpty($_) } + # [4/6] Extract param block + $rawBicepExampleArray = $rawBicepExample -split '\n' + $moduleDeploymentPropertyIndent = ([regex]::Match($rawBicepExampleArray[1], '^(\s+).*')).Captures.Groups[1].Value.Length + $paramsStartIndex = ($rawBicepExampleArray | Select-String ("^[\s]{$moduleDeploymentPropertyIndent}params:[\s]*\{") | ForEach-Object { $_.LineNumber - 1 })[0] + 1 + if ($rawBicepExampleArray[$paramsStartIndex].Trim() -ne '}') { + # Handle case where param block is empty + $paramsEndIndex = ($rawBicepExampleArray[($paramsStartIndex + 1)..($rawBicepExampleArray.Count)] | Select-String "^[\s]{$moduleDeploymentPropertyIndent}\}" | ForEach-Object { $_.LineNumber - 1 })[0] + $paramsStartIndex + $paramBlock = ($rawBicepExampleArray[$paramsStartIndex..$paramsEndIndex] | Out-String).TrimEnd() + } else { + $paramBlock = '' + $paramsEndIndex = $paramsStartIndex + } - # -------------------- # - # Add JSON example # - # -------------------- # - if ($addJson) { + # [5/6] Convert Bicep 
parameter block to JSON parameter block to enable processing + $conversionInputObject = @{ + BicepParamBlock = $paramBlock + CurrentFilePath = $testFilePath + } + $paramsInJSONFormat = ConvertTo-FormattedJSONParameterObject @conversionInputObject - # [1/2] Get all parameters from the parameter object and order them recursively - $orderingInputObject = @{ - ParametersJSON = $paramsInJSONFormat | ConvertTo-Json -Depth 99 - RequiredParametersList = $RequiredParametersList - } - $orderedJSONExample = Build-OrderedJSONObject @orderingInputObject + # [6/6] Convert JSON parameters back to Bicep and order & format them + $conversionInputObject = @{ + JSONParameters = $paramsInJSONFormat + RequiredParametersList = $RequiredParametersList + } + $bicepExample = ConvertTo-FormattedBicep @conversionInputObject - # [2/2] Create the final content block - $testFilesContent += @( - '', - '

' - '' - 'via JSON Parameter file' - '' - '```json', - $orderedJSONExample.Trim() - '```', - '', - '
', - '

' - ) - } - } else { - # ------------------------- # - # Prepare JSON to Bicep # - # ------------------------- # - - $rawContentHashtable = $rawContent | ConvertFrom-Json -Depth 99 -AsHashtable -NoEnumerate - - # First we need to check if we're dealing with classic JSON-Parameter file, or a deployment test file (which contains resource deployments & parameters) - $isParameterFile = $rawContentHashtable.'$schema' -like '*deploymentParameters*' - if (-not $isParameterFile) { - # Case 1: Uses deployment test file (instead of parameter file). - # [1/4] Need to extract parameters. The target is to get an object which 1:1 represents a classic JSON-Parameter file (aside from KeyVault references) - $testResource = $rawContentHashtable.resources | Where-Object { $_.name -like '*-test-*' } - - # [2/4] Build the full ARM-JSON parameter file - $jsonParameterContent = [ordered]@{ - '$schema' = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#' - contentVersion = '1.0.0.0' - parameters = $testResource.properties.parameters - } - $jsonParameterContent = ($jsonParameterContent | ConvertTo-Json -Depth 99).TrimEnd() - - # [3/4] Remove 'externalResourceReferences' that are generated for Bicep's 'existing' resource references. Removing them will make the file more readable - $jsonParameterContentArray = $jsonParameterContent -split '\n' - foreach ($row in ($jsonParameterContentArray | Where-Object { $_ -like '*reference(extensionResourceId*' })) { - if ($row -match '\[.*reference\(extensionResourceId.+\.([a-zA-Z]+)\..*\].*"') { - # e.g. "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-diagnosticDependencies', uniqueString(deployment().name, parameters('location')))), '2020-10-01').outputs.logAnalyticsWorkspaceResourceId.value]" - # e.g. 
"[format('{0}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-paramNested', uniqueString(deployment().name, parameters('location')))), '2020-10-01').outputs.managedIdentityResourceId.value)]": {} - $expectedValue = $matches[1] - } elseif ($row -match '\[.*reference\(extensionResourceId.+\.([a-zA-Z]+).*\].*"') { - # e.g. "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policySetDefinitions', format('dep-#_namePrefix_#-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" - $expectedValue = $matches[1] - } else { - throw "Unhandled case [$row] in file [$testFilePath]" - } - - $toReplaceValue = ([regex]::Match($row, '"(\[.+)"')).Captures.Groups[1].Value - - $jsonParameterContent = $jsonParameterContent.Replace($toReplaceValue, ('<{0}>' -f $expectedValue)) - } + # --------------------- # + # Add Bicep example # + # --------------------- # + if ($addBicep) { - # [4/4] Removing template specific functions - $jsonParameterContentArray = $jsonParameterContent -split '\n' - for ($index = 0; $index -lt $jsonParameterContentArray.Count; $index++) { - if ($jsonParameterContentArray[$index] -match '(\s*"value"): "\[.+\]"') { - # e.g. 
- # "policyAssignmentId": { - # "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyAssignments', format('dep-#_namePrefix_#-psa-{0}', parameters('serviceShort')))]" - $prefix = $matches[1] - - $headerIndex = $index - while (($jsonParameterContentArray[$headerIndex] -notmatch '.+": (\{|\[)+' -or $jsonParameterContentArray[$headerIndex] -like '*"value"*') -and $headerIndex -gt -1) { - $headerIndex-- - } - - $value = (($jsonParameterContentArray[$headerIndex] -split ':')[0] -replace '"').Trim() - $jsonParameterContentArray[$index] = ('{0}: "<{1}>"{2}' -f $prefix, $value, ($jsonParameterContentArray[$index].Trim() -like '*,' ? ',' : '')) - } elseif ($jsonParameterContentArray[$index] -match '(\s*)"([\w]+)": "\[.+\]"') { - # e.g. "name": "[format('{0}01', parameters('serviceShort'))]" - $jsonParameterContentArray[$index] = ('{0}"{1}": "<{1}>"{2}' -f $matches[1], $matches[2], ($jsonParameterContentArray[$index].Trim() -like '*,' ? ',' : '')) - } elseif ($jsonParameterContentArray[$index] -match '(\s*)"\[.+\]"') { - # -and $jsonParameterContentArray[$index - 1] -like '*"value"*') { - # e.g. - # "policyDefinitionReferenceIds": { - # "value": [ - # "[reference(subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', format('dep-#_namePrefix_#-polSet-{0}', parameters('serviceShort'))), '2021-06-01').policyDefinitions[0].policyDefinitionReferenceId]" - $prefix = $matches[1] - - $headerIndex = $index - while (($jsonParameterContentArray[$headerIndex] -notmatch '.+": (\{|\[)+' -or $jsonParameterContentArray[$headerIndex] -like '*"value"*') -and $headerIndex -gt -1) { - $headerIndex-- - } - - $value = (($jsonParameterContentArray[$headerIndex] -split ':')[0] -replace '"').Trim() - - $jsonParameterContentArray[$index] = ('{0}"<{1}>"{2}' -f $prefix, $value, ($jsonParameterContentArray[$index].Trim() -like '*,' ? 
',' : '')) - } - } - $jsonParameterContent = $jsonParameterContentArray | Out-String + if ([String]::IsNullOrEmpty($paramBlock)) { + # Handle case where param block is empty + $formattedBicepExample = $rawBicepExample[0..($paramsStartIndex - 1)] + $rawBicepExample[($paramsEndIndex)..($rawBicepExample.Count)] } else { - # Case 2: Uses ARM-JSON parameter file - $jsonParameterContent = $rawContent.TrimEnd() + $formattedBicepExample = $rawBicepExample[0..($paramsStartIndex - 1)] + ($bicepExample -split '\n') + $rawBicepExample[($paramsEndIndex + 1)..($rawBicepExample.Count)] } - # --------------------- # - # Add Bicep example # - # --------------------- # - if ($addBicep) { - - # [1/5] Get all parameters from the parameter object - $JSONParametersHashTable = (ConvertFrom-Json $jsonParameterContent -AsHashtable -Depth 99).parameters - - # [2/5] Handle the special case of Key Vault secret references (that have a 'reference' instead of a 'value' property) - # [2.1] Find all references and split them into managable objects - $keyVaultReferences = $JSONParametersHashTable.Keys | Where-Object { $JSONParametersHashTable[$_].Keys -contains 'reference' } - - if ($keyVaultReferences.Count -gt 0) { - $keyVaultReferenceData = @() - foreach ($reference in $keyVaultReferences) { - $resourceIdElem = $JSONParametersHashTable[$reference].reference.keyVault.id -split '/' - $keyVaultReferenceData += @{ - subscriptionId = $resourceIdElem[2] - resourceGroupName = $resourceIdElem[4] - vaultName = $resourceIdElem[-1] - secretName = $JSONParametersHashTable[$reference].reference.secretName - parameterName = $reference - } - } - } - - # [2.2] Remove any duplicates from the referenced key vaults and build 'existing' Key Vault references in Bicep format from them. 
- # Also, add a link to the corresponding Key Vault 'resource' to each identified Key Vault secret reference - $extendedKeyVaultReferences = @() - $counter = 0 - foreach ($reference in ($keyVaultReferenceData | Sort-Object -Property 'vaultName' -Unique)) { - $counter++ - $extendedKeyVaultReferences += @( - "resource kv$counter 'Microsoft.KeyVault/vaults@2019-09-01' existing = {", - (" name: '{0}'" -f $reference.vaultName), - (" scope: resourceGroup('{0}','{1}')" -f $reference.subscriptionId, $reference.resourceGroupName), - '}', - '' - ) - - # Add attribute for later correct reference - $keyVaultReferenceData | Where-Object { $_.vaultName -eq $reference.vaultName } | ForEach-Object { - $_['vaultResourceReference'] = "kv$counter" - } - } - - # [3/5] Replace all 'references' with the link to one of the 'existing' Key Vault resources - foreach ($parameterName in ($JSONParametersHashTable.Keys | Where-Object { $JSONParametersHashTable[$_].Keys -contains 'reference' })) { - $matchingTuple = $keyVaultReferenceData | Where-Object { $_.parameterName -eq $parameterName } - $JSONParametersHashTable[$parameterName] = "{0}.getSecret('{1}')" -f $matchingTuple.vaultResourceReference, $matchingTuple.secretName - } + # Remove any dependsOn as it it test specific + if ($detected = ($formattedBicepExample | Select-String "^\s{$moduleDeploymentPropertyIndent}dependsOn:\s*\[\s*$" | ForEach-Object { $_.LineNumber - 1 })) { + $dependsOnStartIndex = $detected[0] - # [4/5] Convert the JSON parameters to a Bicep parameters block - $conversionInputObject = @{ - JSONParameters = $JSONParametersHashTable - RequiredParametersList = $null -ne $RequiredParametersList ? 
$RequiredParametersList : @() - } - $bicepExample = ConvertTo-FormattedBicep @conversionInputObject + # Find out where the 'dependsOn' ends + $dependsOnEndIndex = $dependsOnStartIndex + do { + $dependsOnEndIndex++ + } while ($formattedBicepExample[$dependsOnEndIndex] -notmatch '^\s*\]\s*$') - # [5/5] Create the final content block: That means - # - the 'existing' Key Vault resources - # - a 'module' header that mimics a module deployment - # - all parameters in Bicep format - $testFilesContent += @( - '', - '

' - '' - 'via Bicep module' - '' - '```bicep', - $extendedKeyVaultReferences, - "module $moduleNameCamelCase 'ts/modules:$(($FullModuleIdentifier -replace '\\|\/', '.').ToLower()):1.0.0 = {" - " name: '`${uniqueString(deployment().name)}-$moduleNamePascalCase'" - ' params: {' - $bicepExample.TrimEnd(), - ' }' - '}' - '```', - '', - '
' - '

' - ) + # Cut the 'dependsOn' block out + $formattedBicepExample = $formattedBicepExample[0..($dependsOnStartIndex - 1)] + $formattedBicepExample[($dependsOnEndIndex + 1)..($formattedBicepExample.Count)] } - # -------------------- # - # Add JSON example # - # -------------------- # - if ($addJson) { + # Build result + $testFilesContent += @( + '', + '

' + '' + 'via Bicep module' + '' + '```bicep', + ($formattedBicepExample | ForEach-Object { "$_" }).TrimEnd(), + '```', + '', + '
', + '

' + ) + } - # [1/2] Get all parameters from the parameter object and order them recursively - $orderingInputObject = @{ - ParametersJSON = (($jsonParameterContent | ConvertFrom-Json).parameters | ConvertTo-Json -Depth 99) - RequiredParametersList = $null -ne $RequiredParametersList ? $RequiredParametersList : @() - } - $orderedJSONExample = Build-OrderedJSONObject @orderingInputObject + # -------------------- # + # Add JSON example # + # -------------------- # + if ($addJson) { - # [2/2] Create the final content block - $testFilesContent += @( - '', - '

', - '', - 'via JSON Parameter file', - '', - '```json', - $orderedJSONExample.TrimEnd(), - '```', - '', - '
' - '

' - ) + # [1/2] Get all parameters from the parameter object and order them recursively + $orderingInputObject = @{ + ParametersJSON = $paramsInJSONFormat | ConvertTo-Json -Depth 99 + RequiredParametersList = $RequiredParametersList } + $orderedJSONExample = Build-OrderedJSONObject @orderingInputObject + + # [2/2] Create the final content block + $testFilesContent += @( + '', + '

' + '' + 'via JSON Parameter file' + '' + '```json', + $orderedJSONExample.Trim() + '```', + '', + '
', + '

' + ) } + $testFilesContent += @( '' ) $pathIndex++ } - foreach ($rawHeader in $usageExampleSectionHeaders) { $navigationHeader = (($rawHeader.header -replace '<\/?.+?>|[^A-Za-z0-9\s-]').Trim() -replace '\s+', '-').ToLower() # Remove any html and non-identifer elements $SectionContent += '- [{0}](#{1})' -f $rawHeader.title, $navigationHeader @@ -1587,9 +1426,25 @@ function Initialize-ReadMe { $inTemplateResourceType = $formattedResourceType } + # Orphaned readme existing? + $orphanedReadMeFilePath = Join-Path (Split-Path $ReadMeFilePath -Parent) 'ORPHANED.md' + if (Test-Path $orphanedReadMeFilePath) { + $orphanedReadMeContent = Get-Content -Path $orphanedReadMeFilePath | ForEach-Object { "> $_" } + } + + # Moved readme existing? + $movedReadMeFilePath = Join-Path (Split-Path $ReadMeFilePath -Parent) 'MOVED-TO-AVM.md' + if (Test-Path $movedReadMeFilePath) { + $movedReadMeContent = Get-Content -Path $movedReadMeFilePath | ForEach-Object { "> $_" } + } + $initialContent = @( "# $moduleName ``[$inTemplateResourceType]``", '', + ((Test-Path $orphanedReadMeFilePath) ? $orphanedReadMeContent : $null), + ((Test-Path $orphanedReadMeFilePath) ? '' : $null), + ((Test-Path $movedReadMeFilePath) ? $movedReadMeContent : $null), + ((Test-Path $movedReadMeFilePath) ? '' : $null), $moduleDescription, '' '## Resource Types', @@ -1742,10 +1597,6 @@ function Set-ModuleReadMe { # Read original readme, if any. Then delete it to build from scratch if ((Test-Path $ReadMeFilePath) -and -not ([String]::IsNullOrEmpty((Get-Content $ReadMeFilePath -Raw)))) { $readMeFileContent = Get-Content -Path $ReadMeFilePath -Encoding 'utf8' - # Delete original readme - if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Delete')) { - $null = Remove-Item $ReadMeFilePath -Force - } } # Make sure we preserve any manual notes a user might have added in the corresponding section if ($match = $readMeFileContent | Select-String -Pattern '## Notes') { 
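Review bot: The two new `Get-Content` calls for ORPHANED.md and MOVED-TO-AVM.md in Initialize-ReadMe read without `-Encoding 'utf8'`, while the README itself is read with `Get-Content -Path $ReadMeFilePath -Encoding 'utf8'` in the next hunk, so non-ASCII text in those banner files may be decoded differently from the rest of the generated content. Use `Get-Content -Path $orphanedReadMeFilePath -Encoding 'utf8' | ForEach-Object { "> $_" }` (and the same for `$movedReadMeFilePath`) to keep the three reads consistent. As a matter of style, `Test-Path` is evaluated six times for two paths; capturing `$hasOrphanedReadMe = Test-Path $orphanedReadMeFilePath` once and reusing it in the `$initialContent` ternaries would make the intent clearer and avoid re-hitting the filesystem.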
@@ -1853,8 +1704,15 @@ function Set-ModuleReadMe { Write-Verbose '============' Write-Verbose ($readMeFileContent | Out-String) - if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Overwrite')) { - Set-Content -Path $ReadMeFilePath -Value $readMeFileContent -Force -Encoding 'utf8' + if (Test-Path $ReadMeFilePath) { + if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Overwrite')) { + Set-Content -Path $ReadMeFilePath -Value $readMeFileContent -Force -Encoding 'utf8' + } Write-Verbose "File [$ReadMeFilePath] updated" -Verbose + } else { + if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Create')) { + $null = New-Item -Path $ReadMeFilePath -Value $readMeFileContent -Force + } + Write-Verbose "File [$ReadMeFilePath] created" -Verbose } } diff --git a/utilities/tools/Set-Module.ps1 b/utilities/tools/Set-Module.ps1 index 874cf09ddc..b5b1f6378c 100644 --- a/utilities/tools/Set-Module.ps1 +++ b/utilities/tools/Set-Module.ps1 @@ -132,11 +132,11 @@ function Set-Module { ################ if (-not $using:SkipReadMe) { Write-Output "Generating readme for [$resourceTypeIdentifier]" - . $using:ReadMeScriptFilePath # If the template was just build, we can pass the JSON into the readme script to be more efficient $readmeTemplateFilePath = (-not $using:SkipBuild) ? (Join-Path (Split-Path $_ -Parent) 'main.json') : $_ + . $using:ReadMeScriptFilePath Set-ModuleReadMe -TemplateFilePath $readmeTemplateFilePath -CrossReferencedModuleList $using:crossReferencedModuleList } } From a8a4b6cbc861070c0b39ebb784e185279fa91e2e Mon Sep 17 00:00:00 2001 
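Review bot: The new create branch writes with `New-Item -Path $ReadMeFilePath -Value $readMeFileContent -Force`, which unlike the overwrite branch passes no `-Encoding 'utf8'`, so a freshly created README and an updated one can end up with different encodings; `New-Item -Value` is also not line-oriented like `Set-Content`, so presumably the string array is flattened into a single string rather than written one line per element (verify). Since `Set-Content` creates the file when it does not exist, the simplest fix is to use the same call in both branches: `Set-Content -Path $ReadMeFilePath -Value $readMeFileContent -Force -Encoding 'utf8'`, keeping only the `ShouldProcess` verb and the verbose message different. Set-ModuleReadMe starts outside the hunk.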
From: Alexander Sehr Date: Mon, 23 Oct 2023 22:45:40 +0200 Subject: [PATCH 050/178] [Modules] Migrated batch [4/4] to AVM RBAC (#4132) * Updated PowerBI to convention * Update to latest * Updated templates * Reduced roles * Regen templates * Updated Operational Insights roles * Update to latest * Removed redundant newline * Updated readmes * Regenerated templates * Update to latest * Fixed SQL-MI db lock * Fixed web site slot lock * Update to latest * Removed redundant empty line * Adjusted cmk for synapse workspace * Fallback --- .../.bicep/nested_roleAssignments.bicep | 76 - .../workspace/.test/common/main.test.bicep | 4 +- .../operational-insights/workspace/README.md | 71 +- .../operational-insights/workspace/main.bicep | 60 +- .../operational-insights/workspace/main.json | 264 ++-- .../.bicep/nested_roleAssignments.bicep | 31 - .../capacity/.test/common/main.test.bicep | 4 +- modules/power-bi-dedicated/capacity/README.md | 75 +- .../power-bi-dedicated/capacity/main.bicep | 67 +- modules/power-bi-dedicated/capacity/main.json | 180 +-- .../.bicep/nested_roleAssignments.bicep | 71 - .../account/.test/common/main.test.bicep | 4 +- modules/purview/account/README.md | 71 +- modules/purview/account/main.bicep | 54 +- modules/purview/account/main.json | 253 ++-- .../vault/.bicep/nested_roleAssignments.bicep | 75 - .../vault/.test/common/main.test.bicep | 4 +- modules/recovery-services/vault/README.md | 71 +- modules/recovery-services/vault/main.bicep | 60 +- modules/recovery-services/vault/main.json | 263 ++-- .../.bicep/nested_roleAssignments.bicep | 72 - .../namespace/.test/common/main.test.bicep | 12 +- modules/relay/namespace/README.md | 87 +- .../.bicep/nested_roleAssignments.bicep | 72 - .../namespace/hybrid-connection/README.md | 63 +- .../namespace/hybrid-connection/main.bicep | 57 +- .../namespace/hybrid-connection/main.json | 257 ++-- modules/relay/namespace/main.bicep | 57 +- modules/relay/namespace/main.json | 771 ++++------ 
.../.bicep/nested_roleAssignments.bicep | 72 - modules/relay/namespace/wcf-relay/README.md | 63 +- modules/relay/namespace/wcf-relay/main.bicep | 57 +- modules/relay/namespace/wcf-relay/main.json | 257 ++-- .../query/.bicep/nested_roleAssignments.bicep | 69 - .../query/.test/common/main.test.bicep | 4 +- modules/resource-graph/query/README.md | 71 +- modules/resource-graph/query/main.bicep | 54 +- modules/resource-graph/query/main.json | 231 ++- .../.bicep/nested_roleAssignments.bicep | 248 ---- .../.test/common/main.test.bicep | 4 +- modules/resources/resource-group/README.md | 71 +- modules/resources/resource-group/main.bicep | 60 +- modules/resources/resource-group/main.json | 437 ++---- .../{.bicep => modules}/nested_lock.bicep | 0 .../.bicep/nested_roleAssignments.bicep | 72 - .../.test/common/main.test.bicep | 8 +- modules/search/search-service/README.md | 79 +- modules/search/search-service/main.bicep | 57 +- modules/search/search-service/main.json | 237 ++-- .../.bicep/nested_roleAssignments.bicep | 71 - .../namespace/.test/common/main.test.bicep | 13 +- .../namespace/.test/encr/main.test.bicep | 4 +- modules/service-bus/namespace/README.md | 95 +- modules/service-bus/namespace/main.bicep | 57 +- modules/service-bus/namespace/main.json | 768 ++++------ .../queue/.bicep/nested_roleAssignments.bicep | 71 - modules/service-bus/namespace/queue/README.md | 63 +- .../service-bus/namespace/queue/main.bicep | 57 +- modules/service-bus/namespace/queue/main.json | 256 ++-- .../topic/.bicep/nested_roleAssignments.bicep | 71 - modules/service-bus/namespace/topic/README.md | 63 +- .../service-bus/namespace/topic/main.bicep | 57 +- modules/service-bus/namespace/topic/main.json | 256 ++-- .../.bicep/nested_roleAssignments.bicep | 68 - .../cluster/.test/common/main.test.bicep | 4 +- modules/service-fabric/cluster/README.md | 71 +- modules/service-fabric/cluster/main.bicep | 54 +- modules/service-fabric/cluster/main.json | 230 ++- .../.bicep/nested_roleAssignments.bicep | 
76 - .../signal-r/.test/common/main.test.bicep | 5 +- modules/signal-r-service/signal-r/README.md | 73 +- modules/signal-r-service/signal-r/main.bicep | 62 +- modules/signal-r-service/signal-r/main.json | 266 ++-- .../.bicep/nested_roleAssignments.bicep | 76 - .../web-pub-sub/.test/common/main.test.bicep | 5 +- .../signal-r-service/web-pub-sub/README.md | 73 +- .../signal-r-service/web-pub-sub/main.bicep | 62 +- .../signal-r-service/web-pub-sub/main.json | 264 ++-- .../.bicep/nested_roleAssignments.bicep | 77 - .../.test/common/main.test.bicep | 5 +- modules/sql/managed-instance/README.md | 73 +- .../sql/managed-instance/database/main.bicep | 8 +- .../sql/managed-instance/database/main.json | 10 +- modules/sql/managed-instance/main.bicep | 61 +- modules/sql/managed-instance/main.json | 256 ++-- .../.bicep/nested_roleAssignments.bicep | 75 - .../sql/server/.test/common/main.test.bicep | 4 +- modules/sql/server/README.md | 71 +- modules/sql/server/main.bicep | 61 +- modules/sql/server/main.json | 244 ++-- .../.bicep/nested_roleAssignments.bicep | 101 -- .../.test/common/main.test.bicep | 16 +- .../storage-account/.test/nfs/main.test.bicep | 4 +- modules/storage/storage-account/README.md | 103 +- .../.bicep/nested_roleAssignments.bicep | 101 -- .../blob-service/container/README.md | 63 +- .../blob-service/container/main.bicep | 74 +- .../blob-service/container/main.json | 336 ++--- .../storage-account/blob-service/main.json | 338 ++--- .../storage-account/file-service/main.json | 317 ++--- .../share/.bicep/nested_roleAssignments.bicep | 101 -- .../file-service/share/README.md | 63 +- .../file-service/share/main.bicep | 74 +- .../file-service/share/main.json | 315 ++--- modules/storage/storage-account/main.bicep | 71 +- modules/storage/storage-account/main.json | 1252 +++++++---------- .../storage-account/queue-service/main.json | 317 ++--- .../queue/.bicep/nested_roleAssignments.bicep | 101 -- .../queue-service/queue/README.md | 63 +- 
.../queue-service/queue/main.bicep | 74 +- .../queue-service/queue/main.json | 315 ++--- .../.bicep/nested_roleAssignments.bicep | 68 - .../.test/common/main.test.bicep | 9 +- modules/synapse/private-link-hub/README.md | 81 +- modules/synapse/private-link-hub/main.bicep | 54 +- modules/synapse/private-link-hub/main.json | 230 ++- .../.bicep/nested_roleAssignments.bicep | 32 - .../workspace/.test/common/main.test.bicep | 6 +- .../.test/managedvnet/main.test.bicep | 1 - modules/synapse/workspace/README.md | 73 +- modules/synapse/workspace/main.bicep | 55 +- modules/synapse/workspace/main.json | 187 +-- .../{.bicep => modules}/nested_cmkRbac.bicep | 0 .../.bicep/nested_roleAssignments.bicep | 68 - .../.test/common/main.test.bicep | 4 +- .../image-template/README.md | 71 +- .../image-template/main.bicep | 54 +- .../image-template/main.json | 228 ++- .../.bicep/nested_roleAssignments.bicep | 74 - .../connection/.test/common/main.test.bicep | 4 +- modules/web/connection/README.md | 71 +- modules/web/connection/main.bicep | 54 +- modules/web/connection/main.json | 236 ++-- .../.bicep/nested_roleAssignments.bicep | 74 - .../.test/asev2/main.test.bicep | 4 +- .../.test/asev3/main.test.bicep | 4 +- modules/web/hosting-environment/README.md | 79 +- modules/web/hosting-environment/main.bicep | 54 +- modules/web/hosting-environment/main.json | 256 ++-- .../.bicep/nested_roleAssignments.bicep | 74 - .../serverfarm/.test/common/main.test.bicep | 4 +- modules/web/serverfarm/README.md | 71 +- modules/web/serverfarm/main.bicep | 56 +- modules/web/serverfarm/main.json | 238 ++-- .../site/.bicep/nested_roleAssignments.bicep | 75 - .../.test/functionAppCommon/main.test.bicep | 4 +- .../site/.test/webAppCommon/main.test.bicep | 12 +- modules/web/site/README.md | 99 +- modules/web/site/main.bicep | 57 +- modules/web/site/main.json | 502 +++---- .../slot/.bicep/nested_roleAssignments.bicep | 65 - modules/web/site/slot/README.md | 65 +- modules/web/site/slot/main.bicep | 63 +- 
modules/web/site/slot/main.json | 242 ++-- .../.bicep/nested_roleAssignments.bicep | 40 - .../static-site/.test/common/main.test.bicep | 4 +- modules/web/static-site/README.md | 71 +- modules/web/static-site/main.bicep | 52 +- modules/web/static-site/main.json | 199 +-- utilities/tools/Set-Module.ps1 | 4 + 160 files changed, 8087 insertions(+), 9833 deletions(-) delete mode 100644 modules/operational-insights/workspace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/power-bi-dedicated/capacity/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/purview/account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/recovery-services/vault/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/relay/namespace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/relay/namespace/hybrid-connection/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/relay/namespace/wcf-relay/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/resource-graph/query/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/resources/resource-group/.bicep/nested_roleAssignments.bicep rename modules/resources/resource-group/{.bicep => modules}/nested_lock.bicep (100%) delete mode 100644 modules/search/search-service/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/service-fabric/cluster/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/signal-r-service/signal-r/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/signal-r-service/web-pub-sub/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep delete mode 100644 
modules/sql/server/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/storage/storage-account/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/storage/storage-account/blob-service/container/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/storage/storage-account/file-service/share/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/storage/storage-account/queue-service/queue/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/synapse/private-link-hub/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/synapse/workspace/.bicep/nested_roleAssignments.bicep rename modules/synapse/workspace/{.bicep => modules}/nested_cmkRbac.bicep (100%) delete mode 100644 modules/virtual-machine-images/image-template/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/connection/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/hosting-environment/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/serverfarm/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/site/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/site/slot/.bicep/nested_roleAssignments.bicep delete mode 100644 modules/web/static-site/.bicep/nested_roleAssignments.bicep diff --git a/modules/operational-insights/workspace/.bicep/nested_roleAssignments.bicep b/modules/operational-insights/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 28cecaa270..0000000000 --- a/modules/operational-insights/workspace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,76 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Data Purger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90') - 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade') - 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb') - 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') - 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(logAnalyticsWorkspace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: logAnalyticsWorkspace -}] 
diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep index b55b5e3dbd..f85727e8c2 100644 --- a/modules/operational-insights/workspace/.test/common/main.test.bicep +++ b/modules/operational-insights/workspace/.test/common/main.test.bicep @@ -217,9 +217,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index e5ce2697aa..7de79e3cb0 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -713,9 +713,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { publicNetworkAccessForQuery: 'Disabled' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -917,9 +915,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -1240,7 +1236,68 @@ The network access type for accessing Log Analytics query. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `savedSearches` diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep index b16423bc9a..7a1589af2c 100644 --- a/modules/operational-insights/workspace/main.bicep +++ b/modules/operational-insights/workspace/main.bicep 
@@ -101,7 +101,7 @@ param forceCmkForQuery bool = true param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -159,6 +159,20 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd') + 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
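Review bot: The inlined `builtInRoleNames` map resolves far fewer display names than the deleted `.bicep/nested_roleAssignments.bicep` did (e.g. 'Automation Contributor', 'Data Purger', the 'Microsoft Sentinel *' roles are gone), and with the lookup in the next hunk (`contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[...] : roleAssignment.roleDefinitionIdOrName`) an unlisted name is now forwarded verbatim as `roleDefinitionId`, so an existing caller using one of the dropped names fails at deployment validation instead of resolving. If the reduction is intentional, say so where callers will see it: extend the `@description` of `roleDefinitionIdOrName` in `roleAssignmentType` with a sentence such as `Only roles listed in builtInRoleNames can be referenced by display name; any other role must be given as its full role definition resource ID.` and keep the map sorted so the supported set is easy to audit.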
@@ -328,17 +342,18 @@ resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2020-05-01' = scope: logAnalyticsWorkspace } -module logAnalyticsWorkspace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-LAW-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: logAnalyticsWorkspace.id +resource logAnalyticsWorkspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(logAnalyticsWorkspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: logAnalyticsWorkspace }] @description('The resource ID of the deployed log analytics workspace.') 
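Review bot: `condition: roleAssignment.?condition` forwards the value unchanged, whereas the deleted nested module normalised it with `condition: !empty(condition) ? condition : null`; a caller passing `condition: ''` now sends an empty-string condition together with a null `conditionVersion`, which is a different request than before and may be rejected by the resource provider. Mirror the old guard: `condition: !empty(roleAssignment.?condition) ? roleAssignment.?condition : null`. The trailing comment on the `conditionVersion` line also misspells the word (`condtion`); `// Must only be set if condition is set` reads correctly.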
@@ -370,3 +385,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index df8e6a3a74..4e549ac05b 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8781060608655801013" + "templateHash": "9109089637085766608" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", 
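Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and additionally marks the property optional with `?`, which says the same thing twice; the other optional members use only the trailing `?`. Writing `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the type consistent with its siblings and with the generated `allowedValues` in main.json, which already omit `null`.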
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -237,8 +303,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -315,7 +380,20 @@ "logAnalyticsSearchVersion": 1, "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", + "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -389,6 +467,28 @@ "logAnalyticsWorkspace" ] }, + "logAnalyticsWorkspace_roleAssignments": { + "copy": { + "name": "logAnalyticsWorkspace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "logAnalyticsWorkspace" + ] + }, 
"logAnalyticsWorkspace_storageInsightConfigs": { "copy": { "name": "logAnalyticsWorkspace_storageInsightConfigs", 
@@ -1689,162 +1789,6 @@ "dependsOn": [ "logAnalyticsWorkspace" ] - }, - "logAnalyticsWorkspace_roleAssignments": { - "copy": { - "name": "logAnalyticsWorkspace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-LAW-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"17191832464911210338" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Data Purger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.OperationalInsights/workspaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": 
"[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] } }, "outputs": { diff --git a/modules/power-bi-dedicated/capacity/.bicep/nested_roleAssignments.bicep b/modules/power-bi-dedicated/capacity/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 6b6f33bf1c..0000000000 --- a/modules/power-bi-dedicated/capacity/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,31 +0,0 @@ -param roleAssignmentObj object -param resourceName string - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource powerbi 'Microsoft.PowerBIDedicated/capacities@2021-01-01' existing = { - name: resourceName -} - -resource roleAssignment 
'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in roleAssignmentObj.principalIds: { - name: guid(powerbi.name, principalId, roleAssignmentObj.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName - principalId: principalId - } - scope: powerbi -}] diff --git a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep index 813c5ed01a..67bba9fa1b 100644 --- a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep @@ -63,9 +63,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 3f4ceb5003..20ee5d05cf 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -56,9 +56,7 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -109,9 +107,7 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -281,7 +277,68 @@ Name of the PowerBI Embedded. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuCapacity` @@ -318,9 +375,9 @@ Tags of the resource. | Output | Type | Description | | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the PowerBi Embedded. | +| `name` | string | The Name of the PowerBi Embedded instance. | | `resourceGroupName` | string | The name of the resource group the PowerBi Embedded was created in. | -| `resourceId` | string | The resource ID of the PowerBi Embedded. | +| `resourceId` | string | The resource ID of the PowerBi Embedded instance. | ## Cross-referenced modules diff --git a/modules/power-bi-dedicated/capacity/main.bicep b/modules/power-bi-dedicated/capacity/main.bicep index 7da60eafd3..2628ce35b9 100644 
--- a/modules/power-bi-dedicated/capacity/main.bicep
+++ b/modules/power-bi-dedicated/capacity/main.bicep
@@ -50,7 +50,17 @@ param mode string = 'Gen2'
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
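Review bot: The new `builtInRoleNames` map is shorter than the one in the deleted .bicep/nested_roleAssignments.bicep — 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' are gone — and because capacity_roleAssignments falls back to passing the raw string as `roleDefinitionId`, a caller that used one of those display names now fails at deployment time rather than with a clear message. Either keep those entries, or call the removal out as a breaking change next to the principalIds→principalId change the README already documents. The map itself is an allow-list only for name resolution, not a restriction on which roles can be assigned; worth a one-line comment above it, `// Display names resolved to IDs; any other value is passed through as a role definition ID.`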
@@ -64,7 +74,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource powerbi 'Microsoft.PowerBIDedicated/capacities@2021-01-01' = {
+resource capacity 'Microsoft.PowerBIDedicated/capacities@2021-01-01' = {
 name: name
 location: location
 tags: tags
@@ -81,34 +91,40 @@ resource powerbi 'Microsoft.PowerBIDedicated/capacities@2021-01-01' = { } } -resource powerbi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { +resource capacity_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' properties: { level: lock.?kind ?? '' notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } - scope: powerbi + scope: capacity } -module powerbi_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-rbac-${index}' - params: { - roleAssignmentObj: roleAssignment - resourceName: powerbi.name +resource capacity_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(capacity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? 
'2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: capacity }] -@description('The resource ID of the PowerBi Embedded.') -output resourceId string = powerbi.id +@description('The resource ID of the PowerBi Embedded instance.') +output resourceId string = capacity.id @description('The name of the resource group the PowerBi Embedded was created in.') output resourceGroupName string = resourceGroup().name -@description('The Name of the PowerBi Embedded.') -output name string = powerbi.name +@description('The Name of the PowerBi Embedded instance.') +output name string = capacity.name @description('The location the resource was deployed into.') -output location string = powerbi.location +output location string = capacity.location // =============== // // Definitions // 
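Review bot: The assignment name changes from `guid(powerbi.name, principalId, roleAssignmentObj.roleDefinitionIdOrName)` in the deleted nested template to `name: guid(capacity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so redeploying an existing deployment with this version attempts to create a second role assignment under a new name for the same scope, principal and role, which I would expect Azure to reject as a conflict rather than treat as an update. If that is intended, the README should state that existing assignments must be removed first; otherwise keep `capacity.name` as the first hash input. The hash-normalization concern raised on the operational-insights hunk (unresolved `roleDefinitionIdOrName` in the guid) applies here too, and the comment typo `condtion` → `condition` on the conditionVersion line as well.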
@@ -121,3 +137,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json
index 374cd8802c..d99608fce2 100644
--- a/modules/power-bi-dedicated/capacity/main.json
+++ b/modules/power-bi-dedicated/capacity/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14918936094313843131"
+ "templateHash": "14932984418951732668"
 },
 "name": "Power BI Dedicated Capacities",
 "description": "This module deploys a Power BI Dedicated Capacity.",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -124,13 +190,23 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", @@ -146,7 +222,7 @@ } } }, - "powerbi": { + "capacity": { "type": "Microsoft.PowerBIDedicated/capacities", "apiVersion": "2021-01-01", "name": "[parameters('name')]", 
@@ -164,7 +240,7 @@ "mode": "[parameters('mode')]" } }, - "powerbi_lock": { + "capacity_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", 
@@ -175,85 +251,29 @@ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "powerbi" + "capacity" ] }, - "powerbi_rbac": { + "capacity_roleAssignments": { "copy": { - "name": "powerbi_rbac", - "count": "[length(parameters('roleAssignments'))]" + "name": "capacity_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.PowerBIDedicated/capacities/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "roleAssignmentObj": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "resourceName": { - "value": "[parameters('name')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4655209444733495279" - } - }, - "parameters": { - "roleAssignmentObj": { - "type": "object" - }, - "resourceName": { - "type": "string" - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('roleAssignmentObj').principalIds)]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.PowerBIDedicated/capacities/{0}', parameters('resourceName'))]", - "name": 
"[guid(parameters('resourceName'), parameters('roleAssignmentObj').principalIds[copyIndex()], parameters('roleAssignmentObj').roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleAssignmentObj').roleDefinitionIdOrName), variables('builtInRoleNames')[parameters('roleAssignmentObj').roleDefinitionIdOrName], parameters('roleAssignmentObj').roleDefinitionIdOrName)]", - "principalId": "[parameters('roleAssignmentObj').principalIds[copyIndex()]]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "powerbi" + "capacity" ] } }, 
@@ -261,7 +281,7 @@ "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the PowerBi Embedded." + "description": "The resource ID of the PowerBi Embedded instance." }, "value": "[resourceId('Microsoft.PowerBIDedicated/capacities', parameters('name'))]" }, @@ -275,7 +295,7 @@ "name": { "type": "string", "metadata": { - "description": "The Name of the PowerBi Embedded." + "description": "The Name of the PowerBi Embedded instance." }, "value": "[parameters('name')]" }, @@ -284,7 +304,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('powerbi', '2021-01-01', 'full').location]" + "value": "[reference('capacity', '2021-01-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/purview/account/.bicep/nested_roleAssignments.bicep b/modules/purview/account/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 726c2313a3..0000000000 --- a/modules/purview/account/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Purview role 1 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a3c2885-9b38-4fd2-9d99-91af537c1347') - 'Purview role 2 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '200bba9e-f0c8-430f-892b-6f0794863803') - 'Purview role 3 (Deprecated)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ff100721-1b9d-43d8-af52-42b69c1272db') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource purviewAccount 'Microsoft.Purview/accounts@2021-07-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(purviewAccount.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: purviewAccount -}] diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep index 2e89ea8f5b..c6bd0f2c67 100644 --- a/modules/purview/account/.test/common/main.test.bicep +++ b/modules/purview/account/.test/common/main.test.bicep @@ -84,9 +84,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index c41e02d5c5..cd06723941 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md 
@@ -110,9 +110,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { publicNetworkAccess: 'Disabled' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -265,9 +263,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -549,7 +545,68 @@ Whether or not public network access is allowed for this resource. For security Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `storageBlobPrivateEndpoints` diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index c954128917..4cd40ed8fc 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep 
@@ -40,7 +40,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'account\'.')
 param accountPrivateEndpoints array = []
@@ -117,6 +117,14 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
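Review bot: The inlined `builtInRoleNames` map drops many names the deleted nested template resolved (`Log Analytics Contributor`, `Log Analytics Reader`, the `Managed Application*` roles, `Monitoring Contributor`/`Monitoring Reader`, `Resource Policy Contributor` and the three `Purview role N (Deprecated)` entries), so a consumer still passing one of those display names will have the bare string forwarded as `roleDefinitionId` by the lookup in `account_roleAssignments` and will presumably be rejected by the provider at deployment time rather than at validation. If the trimming is intentional, the `roleAssignments` parameter description should say which names resolve, e.g. append `Only the display names in builtInRoleNames are resolved; any other role must be given as its full '/providers/Microsoft.Authorization/roleDefinitions/<guid>' ID.` A short comment on the map is also warranted for `Owner`, `User Access Administrator` and `Role Based Access Control Administrator (Preview)`, since each lets the grantee create further role assignments on the account, e.g. `// Owner / User Access Administrator / RBAC Administrator can grant roles themselves - prefer a scoped condition for automation identities`.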
@@ -283,17 +291,18 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 }
 }]
-module account_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Account-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: account.id
+resource account_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: account
 }]
 @description('The name of the Purview Account.')
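Review bot: `index` in `[for (roleAssignment, index) in (roleAssignments ?? [])` is no longer referenced now that the resource name comes from `guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`; `[for roleAssignment in (roleAssignments ?? []): {` reads cleaner. The trailing comment has a typo and should read `// Must only be set if condition is set`. Because `principalType` is now forwarded as null whenever the caller omits it, that line deserves a comment: as far as I recall the Azure RBAC docs recommend setting `principalType` (e.g. `ServicePrincipal`) when the principal was created in the same deployment — which is exactly what the updated test does with a managed identity — so a directory replication delay does not surface as a principal-not-found failure; e.g. `// Set principalType for principals created in the same deployment to avoid replication-lag lookup failures`. Note also that the name hashes the caller's raw `roleDefinitionIdOrName` string, so the same role passed once as a display name and once as its full ID produces two different resource names for one logical assignment.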
@@ -334,3 +343,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json
index fb86ba2b52..3eafa9c4e2 100644
--- a/modules/purview/account/main.json
+++ b/modules/purview/account/main.json
@@ -6,7 +6,7 @@ "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8110028747434281687"
+ "templateHash": "5805240201913733834"
 },
 "name": "Purview Accounts",
 "description": "This module deploys a Purview Account.",
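Review bot: In `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` the `| null` member is redundant with the trailing `?`, and the compiled `allowedValues` list for this property carries no null entry; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches how the other optional members of the type are written. The `roleDefinitionIdOrName` description says the ID can be used "if it cannot be found" without saying where the lookup happens; suggest `Required. The display name of a role listed in builtInRoleNames, or the full roleDefinitions resource ID of any role.` The `condition` description could also note that `conditionVersion` is only emitted when `condition` is set, which is how the resource body treats the pair.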
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -117,8 +183,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -230,7 +295,14 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -292,6 +364,28 @@ "account" ] }, + "account_roleAssignments": { + "copy": { + "name": "account_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Purview/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "account" + ] + }, "account_privateEndpoints": { "copy": { "name": "account_privateEndpoints", 
@@ -2936,157 +3030,6 @@ "dependsOn": [ "account" ] - }, - "account_roleAssignments": { - "copy": { - "name": "account_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Account-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15861709353924438880" - } - }, - "parameters": { - "principalIds": 
{ - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Purview role 1 (Deprecated)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a3c2885-9b38-4fd2-9d99-91af537c1347')]", - "Purview role 2 (Deprecated)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '200bba9e-f0c8-430f-892b-6f0794863803')]", - "Purview role 3 (Deprecated)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ff100721-1b9d-43d8-af52-42b69c1272db')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Purview/accounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Purview/accounts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "account" - ] } }, "outputs": { diff --git a/modules/recovery-services/vault/.bicep/nested_roleAssignments.bicep b/modules/recovery-services/vault/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ca46ac46db..0000000000 
--- a/modules/recovery-services/vault/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,75 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control 
Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'Site Recovery Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource rsv 'Microsoft.RecoveryServices/vaults@2023-01-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(rsv.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: rsv -}] diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep index 8303605f63..acd15c2819 100644 --- a/modules/recovery-services/vault/.test/common/main.test.bicep +++ b/modules/recovery-services/vault/.test/common/main.test.bicep 
@@ -339,9 +339,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 899a6821f5..b8853bbe5e 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -337,9 +337,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 }
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -678,9 +676,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -1139,7 +1135,68 @@ List of all replication policies. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securitySettings` diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index 9aba253cc8..54fa5cdfc4 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep 
@@ -48,7 +48,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -139,6 +139,20 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') + 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') + 'Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') + 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') + 'Site Recovery Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
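Review bot: The new `builtInRoleNames` map silently drops display names that the deleted nested template (`.bicep/nested_roleAssignments.bicep`) resolved — 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application*' roles, 'Monitoring Contributor', 'Monitoring Reader', 'Resource Policy Contributor' and 'Virtual Machine Contributor' — while the `roleDefinitionId` expression in the next hunk passes any unmapped string straight through as the role definition ID. A caller that currently assigns one of those roles by name will therefore stop getting the role and will presumably have the deployment rejected for an invalid role definition ID, which is a breaking change for a published module version and is not mentioned in the commit. Either keep those entries or call the removal out as breaking in the module changelog and README. A comment above the map would also stop the next trim from repeating this unnoticed, e.g. `// Display names resolved here; any other role must be passed as a full roleDefinitions resource ID. Removing an entry breaks callers that use that name.`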
@@ -303,17 +317,18 @@ module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for ( } }] -module rsv_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-RSV-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: rsv.id +resource rsv_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(rsv.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: rsv }] @description('The resource ID of the recovery services vault.') 
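Review bot: `name: guid(rsv.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller-supplied role string while `roleDefinitionId` uses the resolved ID, so two entries that grant the same role to the same principal — once as 'Reader' and once as its full roleDefinitions ID — get different assignment names but the same scope/principal/role tuple, and the second create would presumably be rejected by Azure RBAC as an already-existing assignment. The formula intentionally matches the one in the deleted nested template, so switching it to the resolved ID would rename, and thus re-create, every assignment made by earlier module versions; if the name is kept for that reason the constraint should at least be stated, e.g. `// Name hashes the caller-supplied role string (kept from the nested template so existing assignments keep their names); give a role for a principal either by name or by ID, never both.` The trailing comment on the `conditionVersion` line also reads `condtion` and should be `condition`.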
@@ -342,3 +357,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index 7279f70adf..a511b9ec81 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7509304735116539135" + "templateHash": "5878546840192732516" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", 
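Review bot: `principalType` in `roleAssignmentType` is documented only as 'The principal type of the assigned principal ID', yet the common test in this commit sets it to 'ServicePrincipal' for a managed identity created in the same deployment, which I read as the usual workaround for a freshly created identity not having replicated when the assignment is validated — confirm and, if so, say it in the description, e.g. `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. \'ServicePrincipal\' for a managed identity) when the principal is created in the same deployment, otherwise the assignment may be rejected before the identity has replicated.')`. As a point of style, `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice — the trailing `?` already makes the property nullable — so the `null` member of the union can go, which also matches how the generated `allowedValues` omits it. The `condition` description has also lost the trailing period the other descriptions carry.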
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -141,8 +207,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -276,7 +341,20 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + 
"Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "Site Recovery Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -342,6 +420,28 @@ "rsv" ] }, + "rsv_roleAssignments": { + "copy": { + "name": "rsv_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "rsv" + ] + }, "rsv_replicationFabrics": { "copy": { "name": "rsv_replicationFabrics", 
@@ -2424,161 +2524,6 @@ "dependsOn": [ "rsv" ] - }, - "rsv_roleAssignments": { - "copy": { - "name": "rsv_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8436896073465306731" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control 
Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.RecoveryServices/vaults', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "rsv" - ] } }, "outputs": { diff --git a/modules/relay/namespace/.bicep/nested_roleAssignments.bicep b/modules/relay/namespace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index fac857dc45..0000000000 --- a/modules/relay/namespace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') - 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') - 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource namespace 'Microsoft.Relay/namespaces@2021-11-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(namespace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: namespace -}] diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep index 0a7b794cc7..0543c88576 100644 --- a/modules/relay/namespace/.test/common/main.test.bicep +++ b/modules/relay/namespace/.test/common/main.test.bicep @@ -80,9 +80,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
@@ -131,9 +129,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -146,9 +142,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index f6401b007e..9d8a11f544 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -82,9 +82,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { name: 'rncomhc001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -134,9 +132,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -153,9 +149,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { relayType: 'NetTcp' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -223,9 +217,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "name": "rncomhc001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -283,9 +275,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -308,9 +298,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "relayType": "NetTcp", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -627,7 +615,68 @@ Configuration details for private endpoints. For security reasons, it is recomme Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuName` diff --git a/modules/relay/namespace/hybrid-connection/.bicep/nested_roleAssignments.bicep b/modules/relay/namespace/hybrid-connection/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 95709ae56f..0000000000 --- a/modules/relay/namespace/hybrid-connection/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') - 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') - 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2021-11-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(hybridConnection.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: hybridConnection -}] diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index 456584f99d..bc08a7c81c 100644 --- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md 
@@ -108,7 +108,68 @@ A value indicating if this hybrid connection requires client authorization. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `userMetadata` diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep index 583897efa2..0ba09b0cec 100644 --- a/modules/relay/namespace/hybrid-connection/main.bicep +++ b/modules/relay/namespace/hybrid-connection/main.bicep 
@@ -46,13 +46,24 @@ param authorizationRules array = [ param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') + 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') + 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -98,17 +109,18 @@ resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if ( scope: hybridConnection } -module hybridConnection_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: hybridConnection.id +resource hybridConnection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: hybridConnection }] @description('The name of the deployed hybrid connection.') 
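Review bot: The new `builtInRoleNames` table in this hunk resolves only eight display names, whereas the nested module it replaces (deleted earlier in this diff) also resolved 'App Compliance Automation Administrator', 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application…' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. Because the role-assignment resource falls back to passing `roleDefinitionIdOrName` through verbatim when the name is not in the table, a caller that still writes `roleDefinitionIdOrName: 'Monitoring Reader'` now sends that literal string as `roleDefinitionId` and, as far as I can tell, only finds out at deployment time. If trimming to Relay-relevant roles is intentional, call the dropped names out in the breaking-change notes and add a comment above the table such as `// Only the display names listed here are resolved; any other role must be given as its full roleDefinitions resource ID.`; otherwise restore the entries. The hunk ends inside `resource defaultTelemetry`, whose body continues outside it.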
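Review bot: The assignment name `guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's spelling of the role rather than the `roleDefinitionId` the resource sets one line later, so the same grant written once as `'Reader'` and once as the full `/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-…` ID yields two different resource names for one principal/role/scope tuple; to my knowledge the RBAC service rejects the second as an existing assignment, so redeploying after switching spellings fails instead of being a no-op. The deleted nested module behaved the same way, but since this commit already breaks the `roleAssignments` contract (`principalIds` → `principalId`), it is the natural moment to key the name on the resolved value: `name: guid(hybridConnection.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. That change renames every existing display-name-based assignment, so it has to ship with the major version bump rather than later. Minor: the trailing comment on `conditionVersion` misspells "condtion".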
@@ -131,3 +143,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json index 6f5b28688d..1e8f46af01 100644 --- a/modules/relay/namespace/hybrid-connection/main.json +++ b/modules/relay/namespace/hybrid-connection/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5557057389279222101" + "templateHash": "7588969568395991504" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", 
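Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and also marks the property optional with `?`; the compiled `main.json` later in this diff shows the `null` member adds nothing beyond `"nullable": true`, so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner and matches the type's other optional members. More important for callers, the `principalType` description gives no hint of when it matters: in my experience, omitting it for a managed identity or service principal created in the same deployment can fail the assignment with a principal-not-found error while directory replication catches up, which looks like exactly the case the module's own tests cover by passing `principalType: 'ServicePrincipal'` alongside `nestedDependencies.outputs.managedIdentityPrincipalId`. I would extend the annotation to `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. \'ServicePrincipal\') when the principal was created in the same deployment, to avoid replication-delay lookup failures.')`.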
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -104,8 +170,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -119,7 +184,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", + "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", + "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -168,6 +243,28 @@ "hybridConnection" ] }, + "hybridConnection_roleAssignments": { + "copy": { + "name": "hybridConnection_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + 
"dependsOn": [ + "hybridConnection" + ] + }, "hybridConnection_authorizationRules": { "copy": { "name": "hybridConnection_authorizationRules", 
@@ -300,158 +397,6 @@ "dependsOn": [ "hybridConnection" ] - }, - "hybridConnection_roleAssignments": { - "copy": { - "name": "hybridConnection_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9757505768958218088" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "hybridConnection" - ] } }, "outputs": { diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index f046b74a59..5ddc75500b 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep @@ -44,7 +44,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] 
@@ -107,6 +107,17 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')
+ 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')
+ 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
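Review bot: The new `builtInRoleNames` map resolves only eight display names, whereas the nested role-assignment template this patch deletes later (the hybrid-connection one is visible in the removed hunk) also resolved names such as `Log Analytics Contributor`, `Monitoring Reader` and `Resource Policy Contributor`; whether the namespace's own removed `.bicep/nested_roleAssignments.bicep` carried the same wider list cannot be seen here. Any name absent from this map is forwarded verbatim as `roleDefinitionId` by the `namespace_roleAssignments` resource in the next hunk, so a caller that used to assign one of those roles by display name now gets a deployment-time failure instead of the assignment. If the narrower list is intentional, a comment on the variable makes the contract explicit: `// Only the roles listed here resolve by display name; any other roleDefinitionIdOrName value must be a full role definition resource ID.`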
@@ -264,17 +275,18 @@ module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 }
 }]
-module namespace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: namespace.id
+resource namespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(namespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: namespace
 }]
 @description('The resource ID of the deployed relay namespace.')
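Review bot: The assignment name `guid(namespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived from the unresolved input rather than the resolved `roleDefinitionId`, so the same role given once as a display name and once as its full definition ID produces two different names for one (scope, principal, role) triple, and Azure would then likely reject the second as an already-existing role assignment. The formula appears to be chosen on purpose, since the deleted nested template used the same ingredients (`guid(resourceId(...), principalId, roleDefinitionIdOrName)`) and switching to the resolved ID would rename every existing assignment on upgrade, so the trade-off deserves a comment on the `name:` line: `// Derived from the raw roleDefinitionIdOrName (not the resolved ID) so existing assignment names stay stable; naming the same role both by display name and by ID yields conflicting assignments`. The compiled hybrid-connection and WCF relay templates later in this patch show the same `guid(...)` shape, so their source modules presumably share the behaviour. The inline comment on `conditionVersion` also has a typo: `condtion` should read `condition`.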
@@ -300,3 +312,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json
index 6ecc2df310..e3407dc5cd 100644
--- a/modules/relay/namespace/main.json
+++ b/modules/relay/namespace/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9772930782726431930" + "templateHash": "13773141750088228766" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", 
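Review bot: The `principalType` description in `roleAssignmentType` does not tell callers when the field matters: a role assignment for a service principal or managed identity created in the same deployment can fail while the directory is still replicating unless the type is supplied, which is the main reason to set it. Suggested wording: `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. to \'ServicePrincipal\') when assigning to a newly created identity, otherwise the assignment may fail while the principal is still replicating.')`. Likewise `conditionVersion` is described only as "Version of the condition", while the resource in the previous hunk defaults it to `'2.0'` whenever a `condition` is given and drops it otherwise; `@description('Optional. Version of the condition. Defaults to \'2.0\' when a condition is set; ignored otherwise.')` would document that. The compiled hybrid-connection and WCF relay type definitions later in this patch carry the same wording, so their source modules presumably need the same update.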
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -116,8 +182,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -221,7 +286,17 @@ } ], "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", + "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", + "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -281,6 +356,28 @@ "namespace" ] }, + "namespace_roleAssignments": { + "copy": { + "name": "namespace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Relay/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "namespace" + ] + }, "namespace_authorizationRules": { "copy": { "name": "namespace_authorizationRules", 
@@ -579,7 +676,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5557057389279222101" + "templateHash": "7588969568395991504" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -610,6 +707,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -677,8 +840,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -692,7 +854,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", + "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", + "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -741,6 +913,28 @@ "hybridConnection" ] }, + "hybridConnection_roleAssignments": { + "copy": { + "name": "hybridConnection_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + 
"dependsOn": [ + "hybridConnection" + ] + }, "hybridConnection_authorizationRules": { "copy": { "name": "hybridConnection_authorizationRules", 
@@ -873,158 +1067,6 @@ "dependsOn": [ "hybridConnection" ] - }, - "hybridConnection_roleAssignments": { - "copy": { - "name": "hybridConnection_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9757505768958218088" - } - }, - 
"parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "hybridConnection" - ] } }, "outputs": { @@ -1095,7 +1137,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6670763361607677898" + "templateHash": "2747029204512692072" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", 
@@ -1126,6 +1168,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1211,8 +1319,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -1226,7 +1333,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", + "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", + "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1277,6 +1394,28 @@ "wcfRelay" ] }, + "wcfRelay_roleAssignments": { + "copy": { + "name": "wcfRelay_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "wcfRelay" + ] + }, 
"wcfRelay_authorizationRules": { "copy": { "name": "wcfRelay_authorizationRules", 
@@ -1409,158 +1548,6 @@ "dependsOn": [ "wcfRelay" ] - }, - "wcfRelay_roleAssignments": { - "copy": { - "name": "wcfRelay_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3790701104073520156" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), 
parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "wcfRelay" - ] } }, "outputs": { 
@@ -2120,158 +2107,6 @@ "dependsOn": [ "namespace" ] - }, - "namespace_roleAssignments": { - "copy": { - "name": "namespace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7170472647175450772" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - 
"description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "namespace" - ] } }, "outputs": { 
diff --git a/modules/relay/namespace/wcf-relay/.bicep/nested_roleAssignments.bicep b/modules/relay/namespace/wcf-relay/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index b3be79a81f..0000000000
--- a/modules/relay/namespace/wcf-relay/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,72 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') - 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') - 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource wcfRelay 'Microsoft.Relay/namespaces/wcfRelays@2021-11-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(wcfRelay.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: wcfRelay -}] diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index 84650d63d5..05e08fa254 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md 
@@ -124,7 +124,68 @@ A value indicating if this relay requires transport security. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `userMetadata` diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep index ba660d2bb3..0840630c10 100644 --- a/modules/relay/namespace/wcf-relay/main.bicep +++ b/modules/relay/namespace/wcf-relay/main.bicep 
@@ -56,13 +56,24 @@ param authorizationRules array = [ param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Azure Relay Listener': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d') + 'Azure Relay Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38') + 'Azure Relay Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -110,17 +121,18 @@ resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l scope: wcfRelay } -module wcfRelay_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: wcfRelay.id +resource wcfRelay_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(wcfRelay.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: wcfRelay }] @description('The name of the deployed wcf relay.') 
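Review bot: The new `builtInRoleNames` map resolves only eight display names, whereas the nested template this commit deletes also resolved App Compliance Automation Administrator, Log Analytics Contributor/Reader, the three Managed Application roles, Monitoring Contributor/Reader and Resource Policy Contributor. A caller that still passes one of those names no longer matches `contains(builtInRoleNames, …)`, so the bare name is forwarded as `roleDefinitionId` and the assignment presumably fails at deployment time rather than at validation. If narrowing the list is intended, it should be called out as breaking in the module's changelog and the accepted names should be listed where callers look, e.g. a comment on the map: `// Display names resolved here; any other role must be passed as its full role definition resource ID`. The `resource defaultTelemetry` declaration that starts at the end of this hunk continues outside it.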
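Review bot: The inline comment on the `conditionVersion` line misspells the property; it should read `// Must only be set if condition is set`. Separately, the resource name is `guid(wcfRelay.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, so the same role given once by display name and once by full definition ID yields two different names for one logical assignment, and ARM would presumably reject the second as already existing. That naming is carried over from the deleted nested template rather than introduced here, so rather than changing it (which would rename every existing assignment), a comment such as `// name derives from the unresolved roleDefinitionIdOrName: pass a given role consistently as name or as ID` would save callers a confusing redeploy failure.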
@@ -143,3 +155,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json
index 305d7a9463..b03f789e67 100644
--- a/modules/relay/namespace/wcf-relay/main.json
+++ b/modules/relay/namespace/wcf-relay/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "6670763361607677898"
+ "templateHash": "2747029204512692072"
 },
 "name": "Relay Namespace WCF Relays",
 "description": "This module deploys a Relay Namespace WCF Relay.",
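Review bot: In `roleAssignmentType`, the `| null` inside the `principalType` union is redundant with the trailing `?`; every other optional member of the type relies on `?` alone, and the compiled definition emitted for this file in main.json lists only the five string values with `nullable: true`, so the extra member changes nothing in the schema. For consistency with the sibling members I would write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The `@description` on `condition` also dropped the trailing period that the other members keep, which is cosmetic but shows up verbatim in the generated README table.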
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -122,8 +188,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -137,7 +202,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", + "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", + "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -188,6 +263,28 @@ "wcfRelay" ] }, + "wcfRelay_roleAssignments": { + "copy": { + "name": "wcfRelay_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "wcfRelay" + ] + }, 
"wcfRelay_authorizationRules": { "copy": { "name": "wcfRelay_authorizationRules", 
@@ -320,158 +417,6 @@ "dependsOn": [ "wcfRelay" ] - }, - "wcfRelay_roleAssignments": { - "copy": { - "name": "wcfRelay_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3790701104073520156" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", - "Azure Relay Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2787bf04-f1f5-4bfe-8383-c8a24483ee38')]", - "Azure Relay Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26baccc8-eea7-41f1-98f4-1762cc7f685d')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource 
Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), 
parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "wcfRelay" - ] } }, "outputs": { diff --git a/modules/resource-graph/query/.bicep/nested_roleAssignments.bicep b/modules/resource-graph/query/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 29d06d8eaa..0000000000 --- a/modules/resource-graph/query/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,69 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource resourceGraphQuery 'Microsoft.ResourceGraph/queries@2018-09-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(resourceGraphQuery.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: resourceGraphQuery -}] diff --git a/modules/resource-graph/query/.test/common/main.test.bicep b/modules/resource-graph/query/.test/common/main.test.bicep index 2d657d504c..88223c9385 100644 --- a/modules/resource-graph/query/.test/common/main.test.bicep +++ b/modules/resource-graph/query/.test/common/main.test.bicep @@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index 3b88be6cc5..cf85d54dc9 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md 
@@ -54,9 +54,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { queryDescription: 'An example query to list first 10 resources in the subscription.' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -105,9 +103,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -265,7 +261,68 @@ The description of a graph query. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep index 4ac5218dad..74e28c0da7 100644 --- a/modules/resource-graph/query/main.bicep +++ b/modules/resource-graph/query/main.bicep 
@@ -12,7 +12,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -26,6 +26,14 @@ param query string @description('Optional. The description of a graph query.') param queryDescription string = '' +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
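Review bot: The inline `builtInRoleNames` map introduced in the second hunk resolves only five display names, whereas the nested module it replaces (deleted later in this patch) also resolved names such as 'Log Analytics Reader', 'Monitoring Reader' and 'Resource Policy Contributor'; a caller still passing one of those names now falls through to the raw-ID branch and the deployment will presumably fail at role-assignment time rather than at validation. If narrowing the list is intentional, the parameter's @description in the first hunk should say which names resolve, e.g. append `Built-in names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; any other role must be passed as its full role definition resource ID.` Otherwise consider keeping the removed entries so existing parameter files keep deploying. The `defaultTelemetry` resource shown at the end of the second hunk continues outside it.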
@@ -57,17 +65,18 @@ resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo scope: rgQuery } -module rgQuery_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-rgQuery-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: rgQuery.id +resource rgQuery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(rgQuery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: rgQuery }] @description('The name of the query.') 
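Review bot: The deterministic name `guid(rgQuery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is seeded with the caller's spelling of the role rather than the resolved `roleDefinitionId`, so the same role given once by display name and once by full ID produces two different assignment names for one (scope, principal, role) triple, and the second deployment would presumably be rejected as a duplicate assignment instead of being treated as the same resource. Seeding with the resolved ID would make the name canonical, but it would also rename every assignment created by the former nested module, so the choice deserves a comment either way, e.g. `// name is seeded with the raw roleDefinitionIdOrName to keep assignment names stable with those created by the former nested module`. The trailing comment on `conditionVersion` also misspells the word: `// Must only be set if condition is set`. Since the test deployment sets `principalType: 'ServicePrincipal'` explicitly, it may be worth noting in the parameter description that omitting `principalType` for a newly created service principal can fail on directory replication delay.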
@@ -93,3 +102,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index e771012ee7..a23a1f4fb6 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17790521881386542677" + "templateHash": "9628193183606818689" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", 
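Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells nullability twice — the `| null` member inside the union and the trailing `?` — while every other optional member uses `?` alone; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the same contract, and the compiled `allowedValues` in main.json already list only the five strings with `nullable: true`. The description of `roleDefinitionIdOrName` could also state the accepted ID form, since the resolution fallthrough accepts any string, e.g. `@description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead, in the form /providers/Microsoft.Authorization/roleDefinitions/<guid>.')`. The `templateHash` hunk sharing this line is generated output and needs no review.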
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -94,6 +159,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -137,147 +211,20 @@ "rgQuery_roleAssignments": { "copy": { "name": "rgQuery_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-rgQuery-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ResourceGraph/queries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ResourceGraph/queries', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11432335123187448929" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
- "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
- }
- },
- "resources": [
- {
- "copy": {
- "name": "roleAssignment",
- "count": "[length(parameters('principalIds'))]"
- },
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2022-04-01",
- "scope": "[format('Microsoft.ResourceGraph/queries/{0}', last(split(parameters('resourceId'), '/')))]",
- "name": "[guid(resourceId('Microsoft.ResourceGraph/queries', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]",
- "properties": {
- "description": "[parameters('description')]",
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]",
- "principalId": "[parameters('principalIds')[copyIndex()]]",
- "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
- "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
- "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
- "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
- }
- }
- ]
- }
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
 },
 "dependsOn": [
 "rgQuery"
diff --git a/modules/resources/resource-group/.bicep/nested_roleAssignments.bicep b/modules/resources/resource-group/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index 47f3db6f96..0000000000
--- a/modules/resources/resource-group/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,248 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string = resourceGroup().id
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
- 'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
- 'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- 'Application Insights Component Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')
- 'Application Insights Snapshot Debugger': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')
- 'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')
- 'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')
- 'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')
- 'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')
- 'Autonomous Development Platform Data Contributor (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b8b15564-4fa6-4a59-ab12-03e1d9594795')
- 'Autonomous Development Platform Data Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '27f8b550-c507-4db9-86f2-f4b8e816d59d')
- 'Autonomous Development Platform Data Reader (Preview)': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd63b75f7-47ea-4f27-92ac-e0d173aaf093')
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Arc Enabled Kubernetes Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')
- 'Azure Arc Kubernetes Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')
- 'Azure Arc Kubernetes Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')
- 'Azure Arc Kubernetes Viewer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')
- 'Azure Arc Kubernetes Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')
- 'Azure Arc ScVmm Administrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')
- 'Azure Arc ScVmm Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')
- 'Azure Arc ScVmm Private Clouds Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')
- 'Azure Arc ScVmm VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')
- 'Azure Arc VMware Administrator role ': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')
- 'Azure Arc VMware Private Cloud User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')
- 'Azure Arc VMware Private Clouds 
Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')
- 'Azure Arc VMware VM Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
- 'Azure Connected Machine Resource Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd570a14-e51a-42ad-bac8-bafd67325302')
- 'Azure Extension for SQL Server Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7392c568-9289-4bde-aaaa-b7131215889d')
- 'Azure Front Door Domain Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab34830-df19-4f8c-b84e-aa85b8afa6e8')
- 'Azure Front Door Domain Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f99d363-226e-4dca-9920-b807cf8e1a5f')
- 'Azure Front Door Secret Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f2eb865-5811-4578-b90a-6fc6fa0df8e5')
- 'Azure Front Door Secret Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0db238c4-885e-4c4f-a933-aa2cef684fca')
- 'Azure Kubernetes Fleet Manager Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')
- 'Azure Kubernetes Fleet Manager RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')
- 'Azure Kubernetes Fleet Manager RBAC Cluster Admin': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')
- 'Azure Kubernetes Fleet Manager RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')
- 'Azure Kubernetes Fleet Manager RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')
- 'Azure Kubernetes Service Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Azure Kubernetes Service RBAC Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')
- 'Azure Kubernetes Service RBAC Cluster Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
- 'Azure Kubernetes Service RBAC Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')
- 'Azure Kubernetes Service RBAC Writer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')
- 'Azure Maps Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dba33070-676a-4fb0-87fa-064dc56ff7fb')
- 'Azure Stack HCI registration role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bda0d508-adf1-4af0-9c28-88919fc3ae06')
- 'Azure Traffic Controller Configuration Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbc52c3f-28ad-4303-a892-8a056630b8f1')
- 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
- 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'00c29273-979b-4161-815c-10b084fb9324')
- 'BizTalk Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')
- 'Blueprint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '41077137-e803-4205-871c-5a86e6a753b4')
- 'Blueprint Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '437d2ced-4a38-4302-8479-ed2bcb43d090')
- 'CDN Endpoint Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')
- 'CDN Endpoint Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')
- 'CDN Profile Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')
- 'CDN Profile Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')
- 'Chamber Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4e9b8407-af2e-495b-ae54-bb60a55b1b5a')
- 'Chamber User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4447db05-44ed-4da3-ae60-6cbece780e32')
- 'Classic Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')
- 'Classic Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')
- 'Classic Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')
- 'ClearDB MySQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')
- 'Code Signing Certificate Profile Signer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2837e146-70d7-4cfd-ad55-7efa6464f958')
- 'Cognitive Services Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')
- 'Cognitive Services User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')
- 'Collaborative Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')
- 'Collaborative Runtime Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')
- 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Cosmos DB Account Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')
- 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
- 'Cost Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434105ed-43f6-45c7-a02f-909b2ba83430')
- 'Cost Management Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '72fafb9e-0641-4937-9268-a91bfd8191a3')
- 'Data Box Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'add466c9-e687-43fc-8d98-dfcf8d720be5')
- 'Data Factory Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')
- 'Data Lake Analytics Developer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')
- 'Deployment Environments User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e40d4e-8d2e-438d-97e1-9528336e149c')
- 'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'86240b0e-9422-4c43-887b-b61143f32ba8')
- 'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Host Pool Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')
- 'Desktop Virtualization Host Pool Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')
- 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Session Host Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')
- 'Desktop Virtualization User Session Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- 'DevCenter Dev Box User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'45d50f46-0b78-4001-a660-4198cbe8cd05')
- 'DevCenter Project Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '331c37c6-af14-46d9-b9f4-e1909e1b95a0')
- 'Device Update Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')
- 'Device Update Content Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')
- 'Device Update Content Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')
- 'Device Update Deployments Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')
- 'Device Update Deployments Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')
- 'Device Update Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')
- 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
- 'Domain Services Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'Elastic SAN Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '80dcbedb-47ef-405d-95bd-188a1b4ac406')
- 'Elastic SAN Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'af6a70f8-3c9f-4105-acf1-d719e9fca4ca')
- 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
- 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
- 'EventGrid EventSubscription Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')
- 'EventGrid EventSubscription Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')
- 'Experimentation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')
- 'Experimentation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')
- 'Guest Configuration Resource Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '088ab73d-1256-47ae-bea9-9de8e7131f31')
- 'HDInsight Cluster Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')
- 'Intelligent Systems Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')
- 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
- 'Key Vault Certificates Officer': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
- 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
- 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
- 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
- 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
- 'Kubernetes Cluster - Azure Arc Onboarding': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')
- 'Kubernetes Extension Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')
- 'Lab Assistant': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')
- 'Lab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')
- 'Lab Creator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')
- 'Lab Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')
- 'Lab Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')
- 'Lab Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc')
- 'Load Test Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')
- 'Load Test Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')
- 'Load Test Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')
- 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
- 'LocalRulestacksAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
- 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
- 'Media Services Account Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')
- 'Media Services Live Events Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')
- 'Media Services Media Operator': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')
- 'Media Services Policy Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')
- 'Media Services Streaming Endpoints Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')
- 'Microsoft Sentinel Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')
- 'Microsoft Sentinel Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')
- 'Microsoft Sentinel Responder': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
- 'New Relic APM Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'PlayFab Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c8b84dc-067c-4039-9615-fa1a4b77c726')
- 'PlayFab Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a9a19cc5-31f4-447c-901f-56c0bb18fcaf')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
- 'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Redis Cache Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Scheduler Job Collections Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')
- 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')
- 'Security Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')
- 'Security Manager (Legacy)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')
- 'Security Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')
- 'Services Hub Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '82200a5b-e217-47a5-b665-6d8765ee745b')
- 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')
- 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')
- 'Site Recovery Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')
- 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
- 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
- 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')
- 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Support Request Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')
- 'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')
- 'Template Spec Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c9b6475-caf0-4164-b5a1-2142a7116f4b')
- 'Template Spec Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(resourceId, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
-}]
diff --git a/modules/resources/resource-group/.test/common/main.test.bicep b/modules/resources/resource-group/.test/common/main.test.bicep
index d5b9883a8d..00f3ec65a3 100644
--- a/modules/resources/resource-group/.test/common/main.test.bicep
+++ b/modules/resources/resource-group/.test/common/main.test.bicep
@@ -58,9 +58,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md
index c104241da0..71e3445bf0 100644
--- a/modules/resources/resource-group/README.md
+++ b/modules/resources/resource-group/README.md
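Review bot: The updated test still exercises only the built-in-role-name path (`roleDefinitionIdOrName: 'Reader'`) with a single assignment, so the new per-assignment `condition`/`conditionVersion` handling and the raw role-definition-ID fallback in the compiled template (the `coalesce(..., '2.0')` default and the `if(contains(variables('builtInRoleNames'), ...))` branch visible in the main.json hunk above) get no deployment coverage here. Consider adding a second array entry that passes a fully qualified `/providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>` value together with a `condition`, so both branches are deployed by this test; the README hunk below documents exactly those properties. The enclosing `module testDeployment` block starts and ends outside the hunk.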
@@ -52,9 +52,7 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -97,9 +95,7 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -246,7 +242,68 @@ The name of the Resource Group. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep index d210a418df..5818b3143b 100644 --- a/modules/resources/resource-group/main.bicep +++ b/modules/resources/resource-group/main.bicep 
@@ -14,7 +14,7 @@ param location string = deployment().location
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the storage account resource.')
 param tags object = {}
@@ -25,6 +25,19 @@ param managedBy string = ''
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Quota Request Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'Tag Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')
+  'Template Spec Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c9b6475-caf0-4164-b5a1-2142a7116f4b')
+  'Template Spec Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   location: location
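Review bot: The new `builtInRoleNames` map covers ten role names, and the role-assignment resource added later in this file uses any name that is not a key verbatim as the `roleDefinitionId`; the nested module this replaces mapped a much longer list (for example `'Virtual Machine Contributor'`), so a caller that previously passed such a display name will now get a deployment failure rather than a resolved ID. A short comment above the map would make the narrowing deliberate and tell consumers what to do instead, e.g. `// Only roles meaningful at resource-group scope are mapped here; pass any other role as its full role definition resource ID`. The parameter description in the `@@ -14,7 +14,7 @@` hunk could carry the same hint.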
@@ -46,7 +59,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   properties: {}
 }
 
-module resourceGroup_lock '.bicep/nested_lock.bicep' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+module resourceGroup_lock 'modules/nested_lock.bicep' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
   name: '${uniqueString(deployment().name, location)}-RG-Lock'
   params: {
     lock: lock
@@ -55,17 +68,17 @@ module resourceGroup_lock '.bicep/nested_lock.bicep' = if (!empty(lock ?? {}) &&
   scope: resourceGroup
 }
 
-module resourceGroup_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-RG-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
-  scope: resourceGroup
 }]
 
 @description('The name of the resource group.')
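Review bot: The `resourceGroup_roleAssignments` resource that opens this hunk has no `scope:`, and the `- scope: resourceGroup` it replaces is removed a few lines further down; if this file is subscription-scoped, as the `Microsoft.Resources/resourceGroups` resource in the earlier hunk suggests, each assignment is created on the subscription rather than on the new resource group, so a `Contributor` or `Owner` entry grants far more than the caller asked for. Using `resourceGroup.id` inside `guid(...)` only affects the assignment name, not where it is applied. The compiled `main.json` hunk `@@ -113,6 +192,27 @@` has the same shape: a `Microsoft.Authorization/roleAssignments` resource with `dependsOn` on the resource group but no `scope`. Since a Bicep extension resource generally cannot target a child scope from a subscription-scoped file, keeping a nested module deployed with `scope: resourceGroup` (as before) is the safer form; if a subscription-wide grant is intended, the parameter description should say so. Separately, the trailing comment on `conditionVersion` has a typo: `// Must only be set if condition is set`.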
@@ -88,3 +101,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json
index 7c296e5557..58106d57bc 100644
--- a/modules/resources/resource-group/main.json
+++ b/modules/resources/resource-group/main.json
@@ -6,7 +6,7 @@
       "_generator": {
         "name": "bicep",
         "version": "0.22.6.54827",
-        "templateHash": "15355408892272442414"
+        "templateHash": "8742176141262908442"
       },
       "name": "Resource Groups",
       "description": "This module deploys a Resource Group.",
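Review bot: In the new `roleAssignmentType`, `principalType` lists `null` inside the union literal and also carries the `?` nullability marker, while every other optional member uses the `?` alone; the generated README table and `main.json` in later hunks document the allowed values as the five strings with `nullable: true`, so the explicit `| null` appears redundant and would read more consistently as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The `description` on `principalId` and `roleDefinitionIdOrName` could also state that both are part of the assignment's `guid(...)` name, so changing either produces a new assignment rather than updating the existing one.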
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -60,8 +126,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -88,6 +153,20 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", + "Template Spec Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c9b6475-caf0-4164-b5a1-2142a7116f4b')]", + "Template Spec Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -113,6 +192,27 @@ "managedBy": "[parameters('managedBy')]", "properties": {} }, + "resourceGroup_roleAssignments": { + "copy": { + "name": "resourceGroup_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "resourceGroup" + ] + }, "resourceGroup_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), 
createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Resources/deployments", 
@@ -201,337 +301,6 @@ "dependsOn": [ "resourceGroup" ] - }, - "resourceGroup_roleAssignments": { - "copy": { - "name": "resourceGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-RG-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "resourceGroup": "[parameters('name')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9238529270860750175" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - 
"description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "defaultValue": "[resourceGroup().id]", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", - "Application Insights Component Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", - "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Autonomous Development Platform Data Contributor (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b8b15564-4fa6-4a59-ab12-03e1d9594795')]", - "Autonomous Development Platform Data Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '27f8b550-c507-4db9-86f2-f4b8e816d59d')]", - "Autonomous Development Platform Data Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'd63b75f7-47ea-4f27-92ac-e0d173aaf093')]", - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Arc Enabled Kubernetes Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00493d72-78f6-4148-b6c5-d3ce8e4799dd')]", - "Azure Arc Kubernetes Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dffb1e0c-446f-4dde-a09f-99eb5cc68b96')]", - "Azure Arc Kubernetes Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8393591c-06b9-48a2-a542-1bd6b377f6a2')]", - "Azure Arc Kubernetes Viewer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63f0a09d-1495-4db4-a681-037d84835eb4')]", - "Azure Arc Kubernetes Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5b999177-9696-4545-85c7-50de3797e5a1')]", - "Azure Arc ScVmm Administrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a92dfd61-77f9-4aec-a531-19858b406c87')]", - "Azure Arc ScVmm Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c0781e91-8102-4553-8951-97c6d4243cda')]", - "Azure Arc ScVmm Private Clouds Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9')]", - "Azure Arc ScVmm VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e582369a-e17b-42a5-b10c-874c387c530b')]", - "Azure Arc VMware Administrator role ": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddc140ed-e463-4246-9145-7c664192013f')]", - "Azure Arc VMware Private Cloud User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce551c02-7c42-47e0-9deb-e3b6fc3a9a83')]", - "Azure Arc VMware Private Clouds 
Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '67d33e57-3129-45e6-bb0b-7cc522f762fa')]", - "Azure Arc VMware VM Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b748a06d-6150-4f8a-aaa9-ce3940cd96cb')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Connected Machine Resource Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Extension for SQL Server Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7392c568-9289-4bde-aaaa-b7131215889d')]", - "Azure Front Door Domain Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab34830-df19-4f8c-b84e-aa85b8afa6e8')]", - "Azure Front Door Domain Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f99d363-226e-4dca-9920-b807cf8e1a5f')]", - "Azure Front Door Secret Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3f2eb865-5811-4578-b90a-6fc6fa0df8e5')]", - "Azure Front Door Secret Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0db238c4-885e-4c4f-a933-aa2cef684fca')]", - "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", - "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", - "Azure 
Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", - "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')]", - "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')]", - "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", - "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", - "Azure Kubernetes Service RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", - "Azure Kubernetes Service RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", - "Azure Maps Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dba33070-676a-4fb0-87fa-064dc56ff7fb')]", - "Azure Stack HCI registration role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bda0d508-adf1-4af0-9c28-88919fc3ae06')]", - "Azure Traffic Controller Configuration Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbc52c3f-28ad-4303-a892-8a056630b8f1')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "BizTalk Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blueprint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Chamber Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4e9b8407-af2e-495b-ae54-bb60a55b1b5a')]", - "Chamber User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4447db05-44ed-4da3-ae60-6cbece780e32')]", - "Classic Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Code 
Signing Certificate Profile Signer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2837e146-70d7-4cfd-ad55-7efa6464f958')]", - "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Collaborative Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'daa9e50b-21df-454c-94a6-a8050adab352')]", - "Collaborative Runtime Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7a6f0e70-c033-4fb1-828c-08514e5f4102')]", - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Cost Management Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Factory Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Deployment 
Environments User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18e40d4e-8d2e-438d-97e1-9528336e149c')]", - "Desktop Virtualization Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')]", - "Desktop Virtualization Application Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')]", - "Desktop Virtualization Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')]", - "Desktop Virtualization Host Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e307426c-f9b6-4e81-87de-d99efb3c32bc')]", - "Desktop Virtualization Host Pool Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ceadfde2-b300-400a-ab7b-6143895aa822')]", - "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]", - "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]", - "Desktop Virtualization Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')]", - "Desktop Virtualization Session Host Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2ad6aaab-ead9-4eaa-8ac5-da422f562408')]", - "Desktop Virtualization User Session Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "Desktop Virtualization Workspace Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')]", - "Desktop Virtualization Workspace Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')]", - "DevCenter Dev Box User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45d50f46-0b78-4001-a660-4198cbe8cd05')]", - "DevCenter Project Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '331c37c6-af14-46d9-b9f4-e1909e1b95a0')]", - "Device Update Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '02ca0879-e8e4-47a5-a61e-5c618b76e64a')]", - "Device Update Content Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0378884a-3af5-44ab-8323-f5b22f9f3c98')]", - "Device Update Content Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd1ee9a80-8b14-47f0-bdc2-f4a351625a7b')]", - "Device Update Deployments Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4237640-0e3d-4a46-8fda-70bc94856432')]", - "Device Update Deployments Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49e2f5d2-7741-4835-8efa-19e1fe35e47f')]", - "Device Update Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]", - "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "DNS Resolver 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Elastic SAN Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '80dcbedb-47ef-405d-95bd-188a1b4ac406')]", - "Elastic SAN Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'af6a70f8-3c9f-4105-acf1-d719e9fca4ca')]", - "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", - "EventGrid Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')]", - "EventGrid EventSubscription Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Guest Configuration Resource Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '088ab73d-1256-47ae-bea9-9de8e7131f31')]", - 
"HDInsight Cluster Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "Intelligent Systems Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", - "Key Vault Certificates Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')]", - "Key Vault Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Key Vault Crypto Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]", - "Key Vault Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')]", - "Key Vault Secrets Officer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Kubernetes Extension Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '85cb6faf-e071-4c9b-8136-154b5a04f717')]", - "Lab Assistant": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ce40b423-cede-4313-a93f-9b28290b72e1')]", - "Lab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5daaa2af-1fe8-407c-9122-bba179798270')]", - "Lab Creator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Lab Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a36e6959-b6be-4b12-8e9f-ef4b474d304d')]", - "Lab Services Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f69b8690-cc87-41d6-b77a-a4bc3c0a966f')]", - "Lab Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc')]", - "Load Test Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749a398d-560b-491b-bb21-08924219302e')]", - "Load Test Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '45bb0b16-2f0c-4e78-afaa-a07599b003f6')]", - "Load Test Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3ae3fb29-0000-4ccd-bf80-542e7b26e081')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "LocalRulestacksAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfc3b73d-c6ff-45eb-9a5f-40298295bf20')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Media Services Account Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '054126f8-9a2b-4f1c-a9ad-eca461f08466')]", - "Media Services Live Events Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '532bc159-b25e-42c0-969e-a1d439f60d77')]", - "Media Services Media Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e4395492-1534-4db2-bedf-88c14621589c')]", - "Media Services Policy Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c4bba371-dacd-4a26-b320-7250bca963ae')]", - "Media Services Streaming Endpoints Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '99dba123-b5fe-44d5-874c-ced7199a5804')]", - "Microsoft Sentinel Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Microsoft Sentinel Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Microsoft Sentinel Responder": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "PlayFab Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c8b84dc-067c-4039-9615-fa1a4b77c726')]", - "PlayFab Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a9a19cc5-31f4-447c-901f-56c0bb18fcaf')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Quota Request Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0e5f05e5-9ab9-446b-b98d-1e2157c94125')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Redis Cache Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Scheduler Job Collections Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Manager (Legacy)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "Services Hub Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '82200a5b-e217-47a5-b665-6d8765ee745b')]", - "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Support Request Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Template Spec Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c9b6475-caf0-4164-b5a1-2142a7116f4b')]", - "Template Spec Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '392ae280-861d-42bd-9ea5-08ee6d83b80e')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('resourceId'), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), 
parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "resourceGroup" - ] } }, "outputs": { diff --git a/modules/resources/resource-group/.bicep/nested_lock.bicep b/modules/resources/resource-group/modules/nested_lock.bicep similarity index 100% rename from modules/resources/resource-group/.bicep/nested_lock.bicep rename to modules/resources/resource-group/modules/nested_lock.bicep diff --git a/modules/search/search-service/.bicep/nested_roleAssignments.bicep b/modules/search/search-service/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 7f65ecdbb6..0000000000 --- a/modules/search/search-service/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,72 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Search Index Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')
- 'Search Index Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')
- 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource searchService 'Microsoft.Search/searchServices@2022-09-01' existing = {
- name: last(split(resourceId, '/'))
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(searchService.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: searchService
-}]
diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep
index 25eb01eb67..b625c612ca 100644
--- a/modules/search/search-service/.test/common/main.test.bicep
+++ b/modules/search/search-service/.test/common/main.test.bicep
@@ -85,16 +85,12 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 {
 roleDefinitionIdOrName: 'Search Service Contributor'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md
index e9f3856044..50cc66d418 100644
--- a/modules/search/search-service/README.md
+++ b/modules/search/search-service/README.md
@@ -81,16 +81,12 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 replicaCount: 3
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Search Service Contributor'
 }
@@ -181,16 +177,12 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 },
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Search Service Contributor"
 }
@@ -594,7 +586,68 @@ The number of replicas in the search service. If specified, it must be a value b Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sharedPrivateLinkResources` diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index ec23b415e8..d35e2da654 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep 
@@ -66,7 +66,7 @@ param publicNetworkAccess string = 'enabled'
 param replicaCount int = 1
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits.')
 @allowed([
@@ -144,6 +144,17 @@ var identity = identityType != 'None' ? {
 // Deployments //
 // =============== //
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'Search Index Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')
+ 'Search Index Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')
+ 'Search Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
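Review bot: The inlined `builtInRoleNames` map is narrower than the one in the deleted `.bicep/nested_roleAssignments.bicep`: 'App Compliance Automation Administrator', 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application…' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' no longer resolve. A caller that still passes one of those display names now has the literal string forwarded as `roleDefinitionId` by the lookup in `searchService_roleAssignments`, which ARM will presumably reject rather than silently assign a different role. Trimming the map to search-relevant roles is a reasonable least-privilege choice, but it should be deliberate: either carry the entries over or add a sentence to the `roleAssignments` parameter description such as `Display names are resolved only for the roles listed in builtInRoleNames; any other role must be given as its full role definition ID.`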
@@ -200,17 +211,18 @@ resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
 scope: searchService
 }
 
-module searchService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-searchService-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: searchService.id
+resource searchService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(searchService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: searchService
 }]
 
 module searchService_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
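Review bot: The loop index in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer referenced now that the resource name comes from `guid(...)`, so the simpler `[for roleAssignment in (roleAssignments ?? []): {` reads better; the trailing comment on the `conditionVersion` line also has a typo and should read `// Must only be set if condition is set`. Because the name hashes the raw `roleDefinitionIdOrName`, the same role given once by display name and once by ID produces two different resource names for one logical assignment; that behaviour is carried over from the removed nested module rather than introduced here, but a short comment on the `name:` line noting that the name is derived from the caller-supplied value would save the next reader the question.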
@@ -281,3 +293,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json
index d9f5e34419..5b2de842bb 100644
--- a/modules/search/search-service/main.json
+++ b/modules/search/search-service/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13836936896028260597"
+ "templateHash": "5302357571104017921"
 },
 "name": "Search Services",
 "description": "This module deploys a Search Service.",
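Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` spells optionality twice: the trailing `?` already makes the member nullable, and the compiled `main.json` in this commit shows the union folded to the five allowed values plus `nullable: true`. The other optional members use the `string?` / `'2.0'?` form, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` keeps the type consistent. The `principalType` description could also say when a caller should set it explicitly; the updated test file sets 'ServicePrincipal' for an identity created in the same deployment, presumably for that reason, but confirm the intent before documenting it.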
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -154,8 +220,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -272,7 +337,17 @@ ], "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Search Index Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')]", + "Search Index Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')]", + "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -347,150 +422,20 @@ "searchService_roleAssignments": { "copy": { "name": "searchService_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-searchService-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Search/searchServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18375388175912544361" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Search Index Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')]", - "Search Index Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Search/searchServices/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Search/searchServices', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), 
parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "searchService" diff --git a/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 0735266fe0..0000000000 --- a/modules/service-bus/namespace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') - 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') - 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource namespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(namespace.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: namespace -}] diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index 9cb9283457..258fb6ffca 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep @@ -83,9 +83,8 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' } ] 
@@ -132,9 +131,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -165,9 +162,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/service-bus/namespace/.test/encr/main.test.bicep b/modules/service-bus/namespace/.test/encr/main.test.bicep index 1d7dc3802b..c88e244f39 100644 --- a/modules/service-bus/namespace/.test/encr/main.test.bicep +++ b/modules/service-bus/namespace/.test/encr/main.test.bicep @@ -59,9 +59,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 5570075f12..2aea46cd40 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -146,9 +146,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: 'sbncomq001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -157,9 +155,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -194,9 +190,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { name: 'sbncomt001' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -343,9 +337,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "name": "sbncomq001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -356,9 +348,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -403,9 +393,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "name": "sbncomt001", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -484,9 +472,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -578,9 +564,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -1024,7 +1008,68 @@ Enable infrastructure encryption (double encryption). Note, this setting require Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `skuCapacity` diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index a3d10b116d..86d634ff3c 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep 
@@ -85,7 +85,7 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ 
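Review bot: The `@description` on `roleAssignments` keeps the wording of the old array parameter and does not mention that each element changed from a `principalIds` array to a single `principalId` string, which breaks every existing consumer of this module. Since this description is what the generated README shows, I would append a sentence such as `Note: each entry targets exactly one principal via 'principalId'; the former 'principalIds' array is no longer accepted.` The `param` line also drops the `= []` default, so the parameter is now nullable and the consuming loop (further down in this patch) relies on `?? []`; stating that the parameter may be omitted entirely would be useful in the same description.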
@@ -180,6 +180,17 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') + 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') + 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
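Review bot: Three of the eight entries in `builtInRoleNames` — 'Owner', 'User Access Administrator' and 'Role Based Access Control Administrator (Preview)' — allow the grantee to create further role assignments at the namespace scope, so granting one of them to a workload identity also hands that identity a path to widen its own access. Because the module resolves these names as readily as the data-plane roles, I would mark them in the map so reviewers of consuming templates notice: `// NOTE: Owner, User Access Administrator and RBAC Administrator can assign further roles at this scope; prefer the 'Azure Service Bus Data *' roles for workloads`. The map also no longer resolves the Log Analytics, Monitoring, Managed Application and Resource Policy names that the deleted nested module accepted; callers relying on those now need to pass the full role definition ID.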
@@ -393,17 +404,18 @@ module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main } }] -module serviceBusNamespace_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: serviceBusNamespace.id +resource serviceBusNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(serviceBusNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: serviceBusNamespace }] @description('The resource ID of the deployed service bus namespace.') 
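Review bot: The assignment name on the `name:` line is derived from `roleDefinitionIdOrName` as the caller spelled it, so granting the same role to the same principal once by display name and once by full ID produces two distinct `Microsoft.Authorization/roleAssignments` resources rather than an update, and because this is an incremental deployment, dropping an entry from `roleAssignments` does not revoke the assignment that was created earlier. Neither behaviour is new relative to the removed nested module, but now that the resource is inline this is the natural place to state it: `// guid is keyed on the caller's spelling of the role; entries removed from the parameter are not revoked on redeploy`. Hashing the resolved `roleDefinitionId` instead would make names stable across spellings, but it would rename (and therefore recreate) every existing assignment, so that should be a deliberate decision rather than a silent change.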
@@ -432,3 +444,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index dbe9a914ec..bc6b908053 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16649033312069788826" + "templateHash": "9892377327187040976" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", 
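Review bot: The `principalType` description in `roleAssignmentType` does not say when the field matters: for a principal created in the same deployment (the tests in this patch set `principalType: 'ServicePrincipal'` for exactly that case) omitting it can make the assignment fail with a principal-not-found error while directory replication catches up, and, to my knowledge, setting it makes the service accept the assignment without verifying that the principal exists, so a mistyped `principalId` then yields a dangling assignment instead of an error. I would extend it to `@description('Optional. The principal type of the assigned principal ID. Set it (e.g. ServicePrincipal) for principals created in the same deployment; note that when set, the principal is not validated at assignment time.')`.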
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -193,8 +259,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -353,7 +418,17 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -447,6 +522,28 @@ "serviceBusNamespace" ] }, + "serviceBusNamespace_roleAssignments": { + "copy": { + "name": "serviceBusNamespace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "serviceBusNamespace" + ] + }, 
"serviceBusNamespace_authorizationRules": { "copy": { "name": "serviceBusNamespace_authorizationRules", @@ -1037,7 +1134,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2387432860804743160" + "templateHash": "7820306070042751113" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", 
@@ -1068,6 +1165,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1235,8 +1398,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -1250,7 +1412,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1313,6 +1485,28 @@ "queue" ] }, + "queue_roleAssignments": { + "copy": { + "name": "queue_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "queue" + ] + }, 
"queue_authorizationRules": { "copy": { "name": "queue_authorizationRules", 
@@ -1445,157 +1639,6 @@ "dependsOn": [ "queue" ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17304766651287695230" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "queue" - ] } }, "outputs": { @@ -1675,7 +1718,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17853944786928243085" + "templateHash": "14755107204839231715" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", 
@@ -1706,6 +1749,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1838,8 +1947,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -1853,7 +1961,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -1911,6 +2029,28 @@ "topic" ] }, + "topic_roleAssignments": { + "copy": { + "name": "topic_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "topic" + ] + }, 
"topic_authorizationRules": { "copy": { "name": "topic_authorizationRules", 
@@ -2043,157 +2183,6 @@ "dependsOn": [ "topic" ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13096307217253704125" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "topic" - ] } }, "outputs": { 
@@ -2753,157 +2742,6 @@ "dependsOn": [ "serviceBusNamespace" ] - }, - "serviceBusNamespace_roleAssignments": { - "copy": { - "name": "serviceBusNamespace_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9664927518119461996" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "serviceBusNamespace" - ] } }, "outputs": { 
diff --git a/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index e4fc9c7bc2..0000000000 --- a/modules/service-bus/namespace/queue/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') - 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') - 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource queue 'Microsoft.ServiceBus/namespaces/queues@2022-10-01-preview' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(queue.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: queue -}] diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index 34e5ebc5f7..c7a0916536 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md 
@@ -220,7 +220,68 @@ A value that indicates whether the queue supports the concept of sessions. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `status` diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index be91444c0a..025c199199 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep 
@@ -89,13 +89,24 @@ param authorizationRules array = [
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')
+ 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')
+ 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -155,17 +166,18 @@ resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 scope: queue
 }
 
-module queue_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: queue.id
+resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: queue
 }]
 
 @description('The name of the deployed queue.')
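Review bot: The new `builtInRoleNames` map resolves only eight display names, whereas the nested template it replaces (deleted further down in this patch) resolved fifteen, so a caller that still passes `'Monitoring Reader'`, `'Log Analytics Contributor'`, `'Resource Policy Contributor'` or one of the other dropped names now falls through `contains(builtInRoleNames, …)` and the bare display name is submitted as `roleDefinitionId`, which fails at deployment rather than at compile time. The trimming to Service Bus-relevant and RBAC roles is presumably deliberate, but the `@description` on `roleAssignments` still promises "the display name of the role definition" without qualification. Suggest narrowing that text to `'… you can provide either the display name of one of the built-in roles listed in builtInRoleNames, or its fully qualified ID …'` and placing `// Only these display names are resolved; any other value is passed through unchanged as a role definition ID` above the `var`. The compiled main.json hunk later in this patch carries the same shortened map, so the README generated from it should reflect the narrower list as well.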
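Review bot: The loop variable `index` in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer referenced anywhere in the body now that the name is derived from `guid(queue.id, …)` instead of `'${deployment().name}-Rbac-${index}'`; the header can be simplified to `[for roleAssignment in (roleAssignments ?? []): {`. The trailing comment on the `conditionVersion` line misspells the field: `// Must only be set if condition is set`. The guid inputs appear to be identical to those of the old nested template (`guid(queue.id, principalId, roleDefinitionIdOrName)`), which keeps existing assignment names stable across this migration and so avoids conflicts on redeployment; that is worth recording on the `name:` line, e.g. `// Inputs match the previous nested template so existing role assignment names are preserved`.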
@@ -188,3 +200,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json index 8eaa66214c..266d6b0ba3 100644 --- a/modules/service-bus/namespace/queue/main.json +++ b/modules/service-bus/namespace/queue/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2387432860804743160" + "templateHash": "7820306070042751113" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", 
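Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` in the union and also marks the property optional with `?`; one of the two is redundant, and the compiled main.json in this patch shows only the five string values with `nullable: true`, so `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same type more plainly. The description on `principalType` could also tell callers why setting it matters: Azure documents that a role assignment for a freshly created service principal can fail with a principal-not-found error because of replication delay unless `principalType` is set to `'ServicePrincipal'`, so `@description('Optional. The principal type of the assigned principal ID. Set to ServicePrincipal when assigning to a newly created identity to avoid replication-delay failures.')` would save users a confusing deployment error. The `lockType` definition shown as context above the added lines starts outside this hunk.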
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -204,8 +270,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -219,7 +284,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -282,6 +357,28 @@ "queue" ] }, + "queue_roleAssignments": { + "copy": { + "name": "queue_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "queue" + ] + }, 
"queue_authorizationRules": { "copy": { "name": "queue_authorizationRules", 
@@ -414,157 +511,6 @@ "dependsOn": [ "queue" ] - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17304766651287695230" - } - }, - "parameters": { - "principalIds": { - "type": 
"array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "queue" - ] } }, "outputs": { diff --git a/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep b/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 306121abd9..0000000000 --- a/modules/service-bus/namespace/topic/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,71 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') - 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') - 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' -} - -resource roleAssigment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(topic.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: topic -}] diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index 00edc62f20..17d9eba79b 100644 --- a/modules/service-bus/namespace/topic/README.md +++ b/modules/service-bus/namespace/topic/README.md 
@@ -173,7 +173,68 @@ A value indicating if this topic requires duplicate detection. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `status` diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 5f07a9b2bb..37e7d88fc2 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep 
@@ -74,13 +74,24 @@ param authorizationRules array = [ param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + 'Azure Service Bus Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419') + 'Azure Service Bus Data Receiver': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0') + 'Azure Service Bus Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -135,17 +146,18 @@ resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock scope: topic } -module topic_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: topic.id +resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: topic }] @description('The name of the deployed topic.') 
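Review bot: The new `builtInRoleNames` map in this hunk resolves 8 display names, whereas the map in the deleted `.bicep/nested_roleAssignments.bicep` resolved 15 (`Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor` are no longer present). Because the resource on the new side falls back to passing an unresolved `roleDefinitionIdOrName` straight through as `roleDefinitionId`, a caller that still uses one of those names will now fail at deployment time rather than at validation, and nothing in the commit flags this as a breaking change. If the trimming is intentional, state it next to the map, e.g. `// Only role names commonly assigned at topic scope resolve here; pass the full roleDefinitions resource ID for any other role`, and mention it in the `roleAssignments` parameter description. The `defaultTelemetry` resource that begins at the end of this hunk continues outside it.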
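Review bot: The loop variable `index` in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer referenced on the new side; it was only used by the removed `name: '${deployment().name}-Rbac-${index}'`, so the header can be reduced to `[for roleAssignment in (roleAssignments ?? []): {`. The trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`. It is also worth noting in a comment that the assignment name is derived from the caller-supplied `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, so the same role given once by display name and once by ID yields two different `guid(...)` names for one logical assignment at the same scope; whether the service then rejects the second as a duplicate is inferred, not visible here.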
@@ -168,3 +180,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json index e7341c8e2d..e1787bdfb8 100644 --- a/modules/service-bus/namespace/topic/main.json +++ b/modules/service-bus/namespace/topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17853944786928243085" + "templateHash": "14755107204839231715" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", 
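Review bot: In `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` expresses nullability twice — the `| null` union member and the trailing `?` — while every other optional member of the type uses only `?`; `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` is consistent with them. The `condition` description is the only one without a terminating period, unlike its counterpart in the deleted nested module. Since `principalType` is now optional with no default, the description could also tell callers when to set it, e.g. `@description('Optional. The principal type of the assigned principal ID. Set it explicitly (e.g. ServicePrincipal) for a principal created in the same deployment, so the assignment does not depend on directory replication having completed.')`.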
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -169,8 +235,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -184,7 +249,17 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", + "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", + "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -242,6 +317,28 @@ "topic" ] }, + "topic_roleAssignments": { + "copy": { + "name": "topic_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "topic" + ] + }, 
"topic_authorizationRules": { "copy": { "name": "topic_authorizationRules", 
@@ -374,157 +471,6 @@ "dependsOn": [ "topic" ] - }, - "topic_roleAssignments": { - "copy": { - "name": "topic_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13096307217253704125" - } - }, - "parameters": { - "principalIds": { - "type": 
"array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssigment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", - "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "topic" - ] } }, "outputs": { diff --git a/modules/service-fabric/cluster/.bicep/nested_roleAssignments.bicep b/modules/service-fabric/cluster/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9286fecdae..0000000000 --- a/modules/service-fabric/cluster/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource serviceFabricCluster 'Microsoft.ServiceFabric/clusters@2021-06-01' existing = { - name: 
last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(serviceFabricCluster.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: serviceFabricCluster -}] diff --git a/modules/service-fabric/cluster/.test/common/main.test.bicep b/modules/service-fabric/cluster/.test/common/main.test.bicep index 642a4e2882..2484550321 100644 --- a/modules/service-fabric/cluster/.test/common/main.test.bicep +++ b/modules/service-fabric/cluster/.test/common/main.test.bicep @@ -212,9 +212,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 9a23c79968..4a9a11977f 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -296,9 +296,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -516,9 +514,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -884,7 +880,68 @@ Describes a list of server certificates referenced by common name that are used Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sfZonalUpgradeMode` diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep index d91b99db39..cea7afb8f7 100644 --- a/modules/service-fabric/cluster/main.bicep +++ b/modules/service-fabric/cluster/main.bicep 
@@ -129,7 +129,7 @@ param vmssZonalUpgradeMode string = 'Hierarchical'
 param waveUpgradePaused bool = false
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Array of Service Fabric cluster application types.')
 param applicationTypes array = []
@@ -203,6 +203,14 @@ var upgradeDescriptionVar = union({
 }
 } : {})
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
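Review bot: The new `builtInRoleNames` map in the second hunk resolves only five display names, whereas the nested module this commit deletes (its tail is visible at the top of this chunk) resolved thirteen, including 'Log Analytics Contributor', 'Monitoring Contributor' and 'Resource Policy Contributor'. A caller that still passes one of the dropped names now has that string forwarded verbatim as `roleDefinitionId` on the inline resource, so the deployment fails rather than granting an unintended role, but it is a silent contract change for this module's `roleAssignments` parameter. Either keep the dropped entries, or make the narrowing explicit in the first hunk's `@description`, e.g. appending `Only the display names listed in builtInRoleNames are resolved; any other value must be a full role definition resource ID.`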
@@ -289,17 +297,18 @@ resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' =
 }
 
 // Service Fabric cluster RBAC assignment
-module serviceFabricCluster_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-ServiceFabric-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- resourceId: serviceFabricCluster.id
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+resource serviceFabricCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(serviceFabricCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: serviceFabricCluster
 }]
 
 // Service Fabric cluster application types
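Review bot: The deterministic name on the new `name: guid(...)` line hashes the caller-supplied `roleDefinitionIdOrName` rather than the resolved value used on the `roleDefinitionId` line, so the same role passed once by display name and once by full ID yields two differently named assignments instead of updating one. The deleted nested module hashed the same way, so changing the input now would recreate existing assignments and should be a deliberate decision rather than a drive-by fix. If the behaviour is kept, record it next to the name, `// name hashes the raw roleDefinitionIdOrName: switching between name and ID form creates a second assignment`. The trailing comment on the `conditionVersion` line also misspells `condtion`.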
@@ -339,3 +348,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json
index 7573b8a154..7a59bc1f37 100644
--- a/modules/service-fabric/cluster/main.json
+++ b/modules/service-fabric/cluster/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3676240704825809090"
+ "templateHash": "16595935702067786987"
 },
 "name": "Service Fabric Clusters",
 "description": "This module deploys a Service Fabric Cluster.",
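Review bot: In the `principalType` member of the new `roleAssignmentType`, the `| null` inside the union duplicates the trailing `?`, which already makes the property nullable; every sibling optional member uses only `?`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would be consistent with them. The `conditionVersion` description could also state that the value is only applied when `condition` is set, since that rule lives in the resource body and is not visible from the type alone, e.g. `@description('Optional. Version of the condition. Only applied when condition is set.')`.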
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -290,8 +356,7 @@
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
@@ -362,7 +427,14 @@ } ], "enableReferencedModulesTelemetry": false, - "upgradeDescriptionVar": "[union(createObject('deltaHealthPolicy', createObject('applicationDeltaHealthPolicies', if(contains(parameters('upgradeDescription'), 'applicationDeltaHealthPolicies'), parameters('upgradeDescription').applicationDeltaHealthPolicies, createObject()), 'maxPercentDeltaUnhealthyApplications', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyApplications'), parameters('upgradeDescription').maxPercentDeltaUnhealthyApplications, 0), 'maxPercentDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentDeltaUnhealthyNodes, 0), 'maxPercentUpgradeDomainDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentUpgradeDomainDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentUpgradeDomainDeltaUnhealthyNodes, 0)), 'forceRestart', if(contains(parameters('upgradeDescription'), 'forceRestart'), parameters('upgradeDescription').forceRestart, false()), 'healthCheckRetryTimeout', if(contains(parameters('upgradeDescription'), 'healthCheckRetryTimeout'), parameters('upgradeDescription').healthCheckRetryTimeout, '00:45:00'), 'healthCheckStableDuration', if(contains(parameters('upgradeDescription'), 'healthCheckStableDuration'), parameters('upgradeDescription').healthCheckStableDuration, '00:01:00'), 'healthCheckWaitDuration', if(contains(parameters('upgradeDescription'), 'healthCheckWaitDuration'), parameters('upgradeDescription').healthCheckWaitDuration, '00:00:30'), 'upgradeDomainTimeout', if(contains(parameters('upgradeDescription'), 'upgradeDomainTimeout'), parameters('upgradeDescription').upgradeDomainTimeout, '02:00:00'), 'upgradeReplicaSetCheckTimeout', if(contains(parameters('upgradeDescription'), 'upgradeReplicaSetCheckTimeout'), parameters('upgradeDescription').upgradeReplicaSetCheckTimeout, '1.00:00:00'), 'upgradeTimeout', 
if(contains(parameters('upgradeDescription'), 'upgradeTimeout'), parameters('upgradeDescription').upgradeTimeout, '02:00:00')), if(contains(parameters('upgradeDescription'), 'healthPolicy'), createObject('healthPolicy', createObject('applicationHealthPolicies', if(contains(parameters('upgradeDescription').healthPolicy, 'applicationHealthPolicies'), parameters('upgradeDescription').healthPolicy.applicationHealthPolicies, createObject()), 'maxPercentUnhealthyApplications', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyApplications'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyApplications, 0), 'maxPercentUnhealthyNodes', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyNodes'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyNodes, 0))), createObject()))]" + "upgradeDescriptionVar": "[union(createObject('deltaHealthPolicy', createObject('applicationDeltaHealthPolicies', if(contains(parameters('upgradeDescription'), 'applicationDeltaHealthPolicies'), parameters('upgradeDescription').applicationDeltaHealthPolicies, createObject()), 'maxPercentDeltaUnhealthyApplications', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyApplications'), parameters('upgradeDescription').maxPercentDeltaUnhealthyApplications, 0), 'maxPercentDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentDeltaUnhealthyNodes, 0), 'maxPercentUpgradeDomainDeltaUnhealthyNodes', if(contains(parameters('upgradeDescription'), 'maxPercentUpgradeDomainDeltaUnhealthyNodes'), parameters('upgradeDescription').maxPercentUpgradeDomainDeltaUnhealthyNodes, 0)), 'forceRestart', if(contains(parameters('upgradeDescription'), 'forceRestart'), parameters('upgradeDescription').forceRestart, false()), 'healthCheckRetryTimeout', if(contains(parameters('upgradeDescription'), 'healthCheckRetryTimeout'), 
parameters('upgradeDescription').healthCheckRetryTimeout, '00:45:00'), 'healthCheckStableDuration', if(contains(parameters('upgradeDescription'), 'healthCheckStableDuration'), parameters('upgradeDescription').healthCheckStableDuration, '00:01:00'), 'healthCheckWaitDuration', if(contains(parameters('upgradeDescription'), 'healthCheckWaitDuration'), parameters('upgradeDescription').healthCheckWaitDuration, '00:00:30'), 'upgradeDomainTimeout', if(contains(parameters('upgradeDescription'), 'upgradeDomainTimeout'), parameters('upgradeDescription').upgradeDomainTimeout, '02:00:00'), 'upgradeReplicaSetCheckTimeout', if(contains(parameters('upgradeDescription'), 'upgradeReplicaSetCheckTimeout'), parameters('upgradeDescription').upgradeReplicaSetCheckTimeout, '1.00:00:00'), 'upgradeTimeout', if(contains(parameters('upgradeDescription'), 'upgradeTimeout'), parameters('upgradeDescription').upgradeTimeout, '02:00:00')), if(contains(parameters('upgradeDescription'), 'healthPolicy'), createObject('healthPolicy', createObject('applicationHealthPolicies', if(contains(parameters('upgradeDescription').healthPolicy, 'applicationHealthPolicies'), parameters('upgradeDescription').healthPolicy.applicationHealthPolicies, createObject()), 'maxPercentUnhealthyApplications', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyApplications'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyApplications, 0), 'maxPercentUnhealthyNodes', if(contains(parameters('upgradeDescription').healthPolicy, 'maxPercentUnhealthyNodes'), parameters('upgradeDescription').healthPolicy.maxPercentUnhealthyNodes, 0))), createObject()))]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -434,146 +506,20 @@ "serviceFabricCluster_roleAssignments": { "copy": { "name": "serviceFabricCluster_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ServiceFabric-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.ServiceFabric/clusters', parameters('name'))]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6506040938777455648" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ServiceFabric/clusters', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "serviceFabricCluster" diff --git a/modules/signal-r-service/signal-r/.bicep/nested_roleAssignments.bicep b/modules/signal-r-service/signal-r/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 27c5f8a0d9..0000000000 --- a/modules/signal-r-service/signal-r/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,76 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e') - 'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'420fcaa2-552c-430f-98ca-3264be4806c7') - 'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521') - 'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035') - 'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4') - 'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf') -} - -resource signalR 'Microsoft.SignalRService/signalR@2022-02-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(signalR.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: signalR -}] 
diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
index 8364d963e6..1b86eadafe 100644
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep
+++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep
@@ -105,10 +105,9 @@ module testDeployment '../../main.bicep' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: 'Reader'
+ principalType: 'ServicePrincipal'
 }
 ]
 sku: 'Standard_S1'
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index fdfe345029..c2662cc6c7 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -97,9 +97,8 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
+ principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
 ]
@@ -203,9 +202,8 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
+ "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -448,7 +446,68 @@ Control permission for data plane traffic coming from public networks while priv Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index ac72680f58..2888dcbf64 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep 
@@ -96,7 +96,7 @@ param privateEndpoints array = []
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -111,6 +111,22 @@ var resourceLogConfiguration = [for configuration in resourceLogConfigurationsTo enabled: 'true' }] +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e') + 'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7') + 'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521') + 'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035') + 'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3') + 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4') + 'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if 
(enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -189,17 +205,18 @@ resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo scope: signalR } -module signalR_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-signalR-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: signalR.id +resource signalR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: signalR }] @description('The SignalR name.') 
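Review bot: The new `builtInRoleNames` map resolves fewer display names than the nested module it replaces: 'Log Analytics Contributor', 'Log Analytics Reader', 'Managed Application Contributor Role', 'Managed Application Operator Role', 'Managed Applications Reader', 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor' appear in the deleted `nested_roleAssignments.bicep` and the removed inlined template in `main.json` but not here. A caller that still passes one of those names will, on the new side, have the string used verbatim as `roleDefinitionId` by the `signalR_roleAssignments` resource, so the deployment should fail instead of resolving the role as it did before. If narrowing the map to SignalR-relevant roles is intended, it is a breaking change worth a line in the README/changelog; otherwise the entries should be kept. A short comment above the map would also help readers, e.g. `// Display names accepted for roleAssignments.roleDefinitionIdOrName; any other value is passed through unchanged as a role definition resource ID`.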
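Review bot: `name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` keys the assignment on the raw input rather than the resolved role definition ID, so the same role referenced once by display name and once by its full ID for the same principal yields two differently named resources for one scope/principal/role triple, which would most likely be rejected as a conflicting role assignment. Deriving the guid from the resolved ID (the same `contains(builtInRoleNames, …) ? … : …` expression used for `roleDefinitionId`) would avoid that, but it also renames assignments created by the previous nested-module version, so the cheaper option is to document in the `roleAssignments` description that a role must be referenced consistently across entries and deployments. The trailing comment on the `conditionVersion` line has a typo and should read `// Must only be set if condition is set`.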
@@ -225,3 +242,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index 2dd19e4b97..7f28716ce7 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "855016656643960526" + "templateHash": "15253886392220203228" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", 
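Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property optional with `?`; the compiled `main.json` in this commit shows only `"nullable": true` with the five values, so the inner `null` is redundant and `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match how the other optional members are written. The `conditionVersion` description could state what the `signalR_roleAssignments` resource actually does with it, e.g. `@description('Optional. Version of the condition. Only applied when condition is set; defaults to 2.0 in that case.')`. The `principalType` description could likewise recommend setting it for newly created identities, as the updated `.test/common/main.test.bicep` now does for the managed identity, presumably to avoid principal-lookup failures right after creation.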
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -204,8 +270,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -236,7 +301,22 @@ "enabled": "true" } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7')]", + "SignalR REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", + "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", + "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", + "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", + "Web PubSub Service Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" + } }, "resources": { "defaultTelemetry": { 
@@ -298,6 +378,28 @@ "signalR" ] }, + "signalR_roleAssignments": { + "copy": { + "name": "signalR_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.SignalRService/signalR', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "signalR" + ] + }, "signalR_privateEndpoints": { "copy": { "name": "signalR_privateEndpoints", 
@@ -823,162 +925,6 @@ "dependsOn": [ "signalR" ] - }, - "signalR_rbac": { - "copy": { - "name": "signalR_rbac", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-signalR-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15833181325335121682" - } - }, - "parameters": { - "principalIds": { - "type": 
"array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'420fcaa2-552c-430f-98ca-3264be4806c7')]", - "SignalR REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", - "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", - "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", - "Web PubSub Service Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.SignalRService/signalR/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.SignalRService/signalR', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), 
null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "signalR" - ] } }, "outputs": { diff --git a/modules/signal-r-service/web-pub-sub/.bicep/nested_roleAssignments.bicep b/modules/signal-r-service/web-pub-sub/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 25f58111c2..0000000000 --- a/modules/signal-r-service/web-pub-sub/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,76 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e') - 'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'420fcaa2-552c-430f-98ca-3264be4806c7') - 'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521') - 'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035') - 'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3') - 'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4') - 'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf') -} - -resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(webPubSub.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: webPubSub -}] 
diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 9205abc457..0993c69ff6 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -103,10 +103,9 @@ module testDeployment '../../main.bicep' = { ] roleAssignments: [ { - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' } ] sku: 'Standard_S1' diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index e698195835..4858ab8413 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -97,9 +97,8 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } ] @@ -201,9 +200,8 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } ] 
@@ -507,7 +505,68 @@ Control permission for data plane traffic coming from public networks while priv Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sku` diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 3e566959f7..8bd0b5101b 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep 
@@ -15,7 +15,7 @@ param privateEndpoints array = []
 param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -81,6 +81,22 @@ var identity = {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 }
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'SignalR AccessKey Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')
+  'SignalR App Server': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7')
+  'SignalR REST API Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')
+  'SignalR REST API Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')
+  'SignalR Service Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')
+  'SignalR/Web PubSub Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')
+  'Web PubSub Service Reader (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if 
(enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
   properties: {
@@ -149,17 +165,18 @@ resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(
   scope: webPubSub
 }
 
-module webPubSub_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${uniqueString(deployment().name, location)}-WebPubSub-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: webPubSub.id
+resource webPubSub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(webPubSub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: webPubSub
 }]
 
 @description('The Web PubSub name.')
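Review bot: The inlined `builtInRoleNames` map resolves fewer display names than the nested template it replaces: the removed template's variables block later in this diff also mapped `Log Analytics Contributor`, `Log Analytics Reader`, `Managed Application Contributor Role`, `Managed Application Operator Role`, `Managed Applications Reader`, `Monitoring Contributor`, `Monitoring Reader` and `Resource Policy Contributor`. A caller that still passes one of those names now takes the pass-through branch of the `roleDefinitionId` expression and hands Resource Manager a display name where a role definition resource ID is expected, so the deployment fails instead of resolving as before. If trimming the list to roles relevant to Web PubSub is intentional, it should be called out as a breaking change in the `roleAssignments` parameter description or the module's version notes; otherwise the dropped entries should be restored.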
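Review bot: `name` hashes the raw `roleAssignment.roleDefinitionIdOrName` while `properties.roleDefinitionId` uses its resolved form, so the same principal and role supplied once as `'Reader'` and once as the full definition ID yield two differently named resources for one (scope, principal, role) tuple, which Resource Manager rejects at deploy time as an already existing assignment. This keeps the guid inputs of the removed nested module, so switching to the resolved ID now would rename every assignment created by earlier versions and trigger the same conflict on redeploy; if the input is deliberately left unresolved, a comment on the `name` line such as `// guid over the unresolved name on purpose: changing it would rename existing assignments` would record the trade-off, and the mixed-form duplicate case belongs in the parameter description. Separately, the trailing comment on the `conditionVersion` line misspells condition: `// Must only be set if condition is set`.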
@@ -197,3 +214,26 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json
index a89045fd58..0d635314fa 100644
--- a/modules/signal-r-service/web-pub-sub/main.json
+++ b/modules/signal-r-service/web-pub-sub/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "13130629422708725988"
+      "templateHash": "7919051572076224460"
     },
     "name": "SignalR Web PubSub Services",
     "description": "This module deploys a SignalR Web PubSub Service.",
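Review bot: `principalType` declares `| null` inside a union that the trailing `?` already makes nullable; the compiled `main.json` further down in this diff emits the five allowed values plus `"nullable": true` either way, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract without the redundant member. The `roleDefinitionIdOrName` description could also say how resolution works now that it lives in the module rather than a nested template, for example by appending `Display names are resolved through the module's builtInRoleNames map; any other value is passed through unchanged as the role definition resource ID.` Since every test and README example in this diff sets `principalType: 'ServicePrincipal'`, the `principalType` description might add that it is recommended for newly created identities, where omitting it can make the assignment fail while the principal is still replicating.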
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -67,8 +133,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -189,6 +254,21 @@ "identity": { "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", + "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '420fcaa2-552c-430f-98ca-3264be4806c7')]", + "SignalR REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", + "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", + "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", + "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", + "Web PubSub Service Reader (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" } }, "resources": { 
@@ -245,6 +325,28 @@ "webPubSub" ] }, + "webPubSub_roleAssignments": { + "copy": { + "name": "webPubSub_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "webPubSub" + ] + }, "webPubSub_privateEndpoints": { "copy": { "name": 
"webPubSub_privateEndpoints", 
@@ -770,162 +872,6 @@ "dependsOn": [ "webPubSub" ] - }, - "webPubSub_rbac": { - "copy": { - "name": "webPubSub_rbac", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-WebPubSub-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2385173204571615101" - } - }, - "parameters": { - "principalIds": { - 
"type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SignalR AccessKey Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR App Server": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'420fcaa2-552c-430f-98ca-3264be4806c7')]", - "SignalR REST API Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd53cd77-2268-407a-8f46-7e7863d0f521')]", - "SignalR REST API Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ddde6b66-c0df-4114-a159-3618637b3035')]", - "SignalR Service Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7e4f1700-ea5a-4f59-8f37-079cfe29dce3')]", - "SignalR/Web PubSub Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web PubSub Service Owner (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12cf5a90-567b-43ae-8102-96cf46c7d9b4')]", - "Web PubSub Service Reader (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.SignalRService/webPubSub', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), 
null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "webPubSub" - ] } }, "outputs": { diff --git a/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep b/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 228bf4e97d..0000000000 --- a/modules/sql/managed-instance/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,77 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2') - 'App Compliance Automation Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(managedInstance.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? 
delegatedManagedIdentityResourceId : null
-  }
-  scope: managedInstance
-}]
diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep
index 4d81f21d66..4262b08845 100644
--- a/modules/sql/managed-instance/.test/common/main.test.bicep
+++ b/modules/sql/managed-instance/.test/common/main.test.bicep
@@ -122,9 +122,8 @@ module testDeployment '../../main.bicep' = {
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
       }
     ]
     securityAlertPoliciesObj: {
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index ac4a8865d5..ce6959a362 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -99,9 +99,8 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
     publicDataEndpointEnabled: false
     roleAssignments: [
       {
-        principalIds: [
-          ''
-        ]
+        principalId: ''
+        principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
     ]
@@ -236,9 +235,8 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
     "roleAssignments": {
       "value": [
         {
-          "principalIds": [
-            ""
-          ],
+          "principalId": "",
+          "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
       ]
@@ -763,7 +761,68 @@ Specifies the point in time (ISO8601 format) of the source database that will be Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securityAlertPoliciesObj` diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep index e304555fdb..caa60c0c36 100644 --- a/modules/sql/managed-instance/database/main.bicep +++ b/modules/sql/managed-instance/database/main.bicep 
@@ -140,11 +140,11 @@ resource database 'Microsoft.Sql/managedInstances/databases@2022-05-01-preview' } } -resource database_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { - name: '${last(split(database.name, '/'))}-${lock}-lock' +resource database_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' } scope: database } diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json index eb042f863f..195e370b95 100644 --- a/modules/sql/managed-instance/database/main.json +++ b/modules/sql/managed-instance/database/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6248092272830092402" + "templateHash": "8908616981985554666" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", 
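Review bot: The new `database_lock` condition still fires when the lock object carries a `name` but no `kind`, because `lock.?kind != 'None'` is true for a null kind; the lock is then created with `level: ''`, which the locks API will reject. `lockType` (visible in the `@@ -406` hunk of `main.bicep`) declares `kind` as optional, so that input is permitted by the type. Checking the level explicitly, `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None')`, keeps the lock off unless a real level was requested. The compiled `database/main.json` hunks (`@@ -281` and `@@ -980`) mirror this expression and would follow from a recompile.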
@@ -281,14 +281,14 @@ ] }, "database_lock": { - "condition": "[not(empty(parameters('lock')))]", + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', last(split(parameters('name'), '/')), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "database" diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index 1bf99be979..ff2d8c9b35 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep @@ -102,7 +102,7 @@ param diagnosticEventHubName string = '' param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -204,6 +204,21 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') + 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') + 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') + 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') + 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57') + 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
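Review bot: The inlined `builtInRoleNames` map is a strict subset of the map in the nested module this commit deletes (the removed inline template in `main.json` still lists `Resource Policy Contributor`, the `Log Analytics *`, `Monitoring *`, `Managed Application*` and `App Compliance Automation *` roles), so a caller that passed one of those display names now gets the literal name forwarded as `roleDefinitionId` and a deployment error instead of an assignment. If the trim is intentional, a comment above the map, `// Only SQL-related roles resolve by display name here; pass any other role as its full definition ID`, plus a matching sentence in the `roleDefinitionIdOrName` description, would make the breaking change visible to consumers. Otherwise the dropped entries should be carried over.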
@@ -274,17 +289,18 @@ resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticsettin scope: managedInstance } -module managedInstance_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-SqlMi-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: managedInstance.id +resource managedInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: managedInstance }] module managedInstance_databases 'database/main.bicep' = [for (database, index) in databases: { 
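Review bot: The trailing comment on the `conditionVersion` line has a typo, `condtion`; suggest `// Must only be set if condition is set`. Separately, the assignment name hashes the unresolved `roleAssignment.roleDefinitionIdOrName`, so the same role given by display name in one entry and by full ID in another for the same principal produces two different GUIDs, and the second assignment would likely be rejected as a duplicate at deploy time. Switching the hash input to the resolved ID would rename existing assignments on redeploy, so documenting the constraint on `roleDefinitionIdOrName` (use one spelling per principal) is the safer change here. The removed nested module hashed the same way, so this is not a regression.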
@@ -406,3 +422,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 21ce21a1d0..925f909b08 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15164808450251247513" + "templateHash": "7571236887873003427" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", 
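Review bot: In `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the `| null` member is redundant with the trailing `?`; the generated schema and README already list only the five concrete values, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches what is documented. The `principalType` description could also say why to set it, e.g. `@description('Optional. The principal type of the assigned principal ID. Recommended for newly created identities so the assignment does not fail while the principal is still replicating.')` — that behavior comes from the ARM API rather than this hunk, so confirm before adding. `conditionVersion` is described as optional, but the resource in the `@@ -274` hunk defaults it to `2.0` whenever `condition` is set; stating that default in its description would keep the README accurate.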
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -242,8 +308,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -409,7 +474,21 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')]", + "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -498,155 +577,20 @@ "managedInstance_roleAssignments": { "copy": { "name": "managedInstance_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-SqlMi-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Sql/managedInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Sql/managedInstances', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3370454362462964422" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Sql/managedInstances/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Sql/managedInstances', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "managedInstance" @@ -705,7 +649,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6248092272830092402" + "templateHash": "8908616981985554666" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -980,14 +924,14 @@ ] }, "database_lock": { - "condition": "[not(empty(parameters('lock')))]", + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', last(split(parameters('name'), '/')), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "database" diff --git a/modules/sql/server/.bicep/nested_roleAssignments.bicep b/modules/sql/server/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b4734d4462..0000000000 --- a/modules/sql/server/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,75 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'9b7fa17d-e63e-47b0-bb0a-15c516ac86ec') - 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d') - 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3') - 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437') - 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(server.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: server -}] diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index ff55dde98d..2c57d1bbae 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep 
@@ -84,9 +84,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 6277bb6fd1..20749d71d0 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -197,9 +197,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 restrictOutboundNetworkAccess: 'Disabled'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -356,9 +354,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -786,7 +782,68 @@ Whether or not to restrict outbound network access for this server. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `securityAlertPolicies` diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index bce8cddafd..9a3ba48092 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep 
@@ -28,7 +28,7 @@ param primaryUserAssignedIdentityId string = ''
 param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -99,6 +99,21 @@ param encryptionProtectorObj object = {}
 @description('Optional. The vulnerability assessment configuration.')
 param vulnerabilityAssessmentsObj object = {}
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')
+ 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
+ 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
+ 'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')
+ 'SqlDb Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')
+ 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -144,17 +159,18 @@ resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(loc
 scope: server
 }
-module server_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Sql-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: server.id
+resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: server
 }]
 module server_databases 'database/main.bicep' = [for (database, index) in databases: {
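Review bot: The inlined `builtInRoleNames` map resolves fewer display names than the nested module it replaces — the deleted `nested_roleAssignments.bicep` earlier in this diff also mapped 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. A caller still passing one of those names now gets the raw string forwarded as `roleDefinitionId` by the `contains(builtInRoleNames, …)` fallback in the next hunk, so the mismatch presumably surfaces only when the role assignment is created rather than at template validation, and neither this hunk nor the parameter description records the reduced set. Either keep the dropped entries or state the contract on the type member, e.g. `@description('Required. The name of the role to assign (must be one of the keys of builtInRoleNames) or a fully qualified role definition ID.')`.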
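Review bot: `name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` derives the assignment's identity from the unresolved input rather than the `roleDefinitionId` computed two lines below, so the same principal and role given once as `'Reader'` and once as its full definition ID produce two differently named resources that describe one and the same assignment, and a caller who later switches from name to ID would, in an incremental deployment, create a second assignment while the old one stays in place. The nested module had the same behaviour, so switching the name to the resolved value would change existing assignment names and needs a migration note; at minimum the choice deserves a comment on the `name:` line such as `// name is keyed on the caller's input, not the resolved roleDefinitionId, to keep names stable with the previous nested module`. Separately, the trailing comment on `conditionVersion` has a typo: `// Must only be set if condition is set`.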
@@ -354,3 +370,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 6b01072bdf..8becec3ebd 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18434767573775023159"
+ "templateHash": "6602628409746140291"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
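Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and then marks the member nullable again with the trailing `?`; the compiled `main.json` later in this diff renders it as `"nullable": true` with an `allowedValues` list that contains no null entry, so the inner `null` adds nothing. Dropping it, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`, matches how `conditionVersion: '2.0'?` and `description: string?` are written in the same type.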
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -95,8 +161,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -225,7 +290,21 @@ "variables": { "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", + "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'189207d4-bb67-4208-a635-b06afe8b2c57')]", + "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -277,153 +356,20 @@ "server_roleAssignments": { "copy": { "name": "server_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Sql-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Sql/servers/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Sql/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), 
createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Sql/servers', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5938444191464090228" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reservation Purchaser": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "SQL DB Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "SqlDb Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '189207d4-bb67-4208-a635-b06afe8b2c57')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Sql/servers/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Sql/servers', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), 
parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "server" diff --git a/modules/storage/storage-account/.bicep/nested_roleAssignments.bicep b/modules/storage/storage-account/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index c07d88f1ec..0000000000 
--- a/modules/storage/storage-account/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'SqlVM Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ae8036db-e102-405b-a1b9-bae082ea436d') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(storageAccount.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: storageAccount -}] diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep index 2e90efc8b5..3377dfe84a 100644 --- a/modules/storage/storage-account/.test/common/main.test.bicep +++ b/modules/storage/storage-account/.test/common/main.test.bicep 
@@ -140,9 +140,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -177,9 +175,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -215,9 +211,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] @@ -236,9 +230,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/.test/nfs/main.test.bicep index 9f42e517d7..529f2b8f66 100644 --- a/modules/storage/storage-account/.test/nfs/main.test.bicep +++ b/modules/storage/storage-account/.test/nfs/main.test.bicep @@ -86,9 +86,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 76ae6d27a8..5beadf8bb9 100644 --- a/modules/storage/storage-account/README.md 
+++ b/modules/storage/storage-account/README.md @@ -76,9 +76,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { publicAccess: 'None' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -122,9 +120,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { name: 'avdprofiles' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -237,9 +233,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { name: 'queue1' roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -254,9 +248,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { requireInfrastructureEncryption: true roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -319,9 +311,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "publicAccess": "None", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -383,9 +373,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "name": "avdprofiles", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -512,9 +500,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "name": "queue1", "roleAssignments": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -533,9 +519,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } @@ -834,9 +818,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -913,9 +895,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -1392,7 +1372,68 @@ A Boolean indicating whether or not the service applies a secondary layer of enc Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sasExpirationPeriod` diff --git a/modules/storage/storage-account/blob-service/container/.bicep/nested_roleAssignments.bicep b/modules/storage/storage-account/blob-service/container/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 4f15ec38de..0000000000 --- a/modules/storage/storage-account/blob-service/container/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'SqlVM Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ae8036db-e102-405b-a1b9-bae082ea436d') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}/${split(resourceId, '/')[12]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(container.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: container -}] diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md index 58e460fa12..117c034ea7 100644 --- a/modules/storage/storage-account/blob-service/container/README.md +++ b/modules/storage/storage-account/blob-service/container/README.md 
@@ -129,7 +129,68 @@ Specifies whether data in the container may be accessed publicly and the level o Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `storageAccountName` diff --git a/modules/storage/storage-account/blob-service/container/main.bicep b/modules/storage/storage-account/blob-service/container/main.bicep index f9f34c8b36..ea6fe48136 100644 --- a/modules/storage/storage-account/blob-service/container/main.bicep +++ b/modules/storage/storage-account/blob-service/container/main.bicep 
@@ -42,13 +42,38 @@ param metadata object = {}
 param publicAccess string = 'None'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
+  'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
+  'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
+  'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+  'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
+  'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
+  'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
+  'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
+  'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
+  'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
+  'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+  'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
+  'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
+  'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
+  'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+  'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
   properties: {
@@ -97,17 +122,18 @@ module immutabilityPolicy 'immutability-policy/main.bicep' = if (!empty(immutabi
   }
 }
 
-module container_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
-  name: '${deployment().name}-Rbac-${index}'
-  params: {
-    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
-    principalIds: roleAssignment.principalIds
-    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
-    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
-    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
-    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
-    resourceId: container.id
+resource container_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(container.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  properties: {
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
+    condition: roleAssignment.?condition
+    conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+    delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
   }
+  scope: container
 }]
 
 @description('The name of the deployed container.')
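Review bot: `builtInRoleNames` in this hunk is a storage-scoped subset of the table the commit deletes from `.bicep/nested_roleAssignments.bicep`; entries such as 'Avere Contributor', 'Backup Contributor', 'Log Analytics Contributor', 'Monitoring Reader' and 'Virtual Machine Contributor' are no longer resolvable. Any consumer that passed one of the dropped display names will presumably now hit the raw-string fallback in the role assignment resource of the next hunk instead of getting a resolved role definition ID, which is a behavioural change the commit does not call out. If the trimming is intentional, a comment on the `var builtInRoleNames = {` line stating the scope would help, e.g. `// Only roles meaningful at container scope; any other role must be passed as a fully-qualified role definition ID`, and the README parameter description could say the same.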
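Review bot: The else branch of the `contains(builtInRoleNames, …)` expression on the `roleDefinitionId` line forwards `roleAssignment.roleDefinitionIdOrName` verbatim, so a display name missing from the map, or a bare GUID, reaches ARM as an invalid roleDefinitionId and only fails at deployment time with a generic error. Since the `roleAssignmentType` type cannot reject this shape, a comment on that line would save callers a round-trip, e.g. `// Unknown names fall through unchanged: anything not in builtInRoleNames must be a fully-qualified '/providers/Microsoft.Authorization/roleDefinitions/<guid>' ID`. The trailing comment on the `conditionVersion` line also misspells "condition" as `condtion`; it should read `// Must only be set if condition is set`.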
@@ -118,3 +144,29 @@ output resourceId string = container.id
 
 @description('The resource group of the deployed container.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type roleAssignmentType = {
+  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json
index 8c211d81cf..9eea0c53ae 100644
--- a/modules/storage/storage-account/blob-service/container/main.json
+++ b/modules/storage/storage-account/blob-service/container/main.json
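Review bot: On the `principalType` property the `| null` union member duplicates the trailing `?`; the compiled main.json in the next file section shows it lands as `"nullable": true` with no null among the allowed values, so the explicit member appears to add nothing. For consistency with the other optional properties in this type (`description: string?`, `conditionVersion: '2.0'?`) I would write it as `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The old nested template accepted `''` for this field; callers relying on that will presumably need to drop the empty string now that the allowed set is closed, which may be worth a line in the README.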
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "394166978572431989" + "templateHash": "15140230336138320985" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -94,8 +163,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -109,10 +177,43 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "storageAccount::blobServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -126,7 +227,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[parameters('storageAccountName')]" + }, + "container": { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", 
@@ -138,9 +245,34 @@ "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", "metadata": "[parameters('metadata')]", "publicAccess": "[parameters('publicAccess')]" - } + }, + "dependsOn": [ + "storageAccount::blobServices" + ] + }, + "container_roleAssignments": { + "copy": { + "name": "container_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": 
"[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "container" + ] }, - { + "immutabilityPolicy": { "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -272,191 +404,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - ] - }, - { - "copy": { - "name": "container_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3779322696347988040" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], 
split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" + "container", + "storageAccount" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json index 4a0a989e48..2082bbe9ba 100644 --- a/modules/storage/storage-account/blob-service/main.json +++ b/modules/storage/storage-account/blob-service/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7606881916546008936" + "templateHash": "12140382752546157870" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", 
@@ -337,17 +337,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "394166978572431989" + "templateHash": "15140230336138320985" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -431,8 +500,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -446,10 +514,43 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "storageAccount::blobServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -463,7 +564,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[parameters('storageAccountName')]" + }, + "container": { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", 
@@ -475,9 +582,34 @@ "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", "metadata": "[parameters('metadata')]", "publicAccess": "[parameters('publicAccess')]" - } + }, + "dependsOn": [ + "storageAccount::blobServices" + ] + }, + "container_roleAssignments": { + "copy": { + "name": "container_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": 
"[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "container" + ] }, - { + "immutabilityPolicy": { "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -609,191 +741,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - ] - }, - { - "copy": { - "name": "container_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3779322696347988040" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], 
split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" + "container", + "storageAccount" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index 047c971b7f..b7d728dd4b 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9522240963883457114" + "templateHash": "1758644729212955117" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", 
@@ -220,17 +220,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10078506011156678451" + "templateHash": "6928373168012003070" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -296,8 +365,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -310,8 +378,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::fileService": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -325,7 +428,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", 
@@ -334,190 +443,34 @@ "shareQuota": "[parameters('shareQuota')]", "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", "enabledProtocols": "[parameters('enabledProtocols')]" - } + }, + "dependsOn": [ + "storageAccount::fileService" + ] }, - { + "fileShare_roleAssignments": { "copy": { "name": "fileShare_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - 
"condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11207645433031461361" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], 
split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + "fileShare" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/file-service/share/.bicep/nested_roleAssignments.bicep b/modules/storage/storage-account/file-service/share/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index e2bf215bb4..0000000000 --- a/modules/storage/storage-account/file-service/share/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'SqlVM Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ae8036db-e102-405b-a1b9-bae082ea436d') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2019-06-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}/${split(resourceId, '/')[12]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(fileShare.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: fileShare -}] diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index 1e20ba6c67..932885db95 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md 
@@ -83,7 +83,68 @@ The name of the file share to create. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `rootSquash` diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep index 30f82d266a..1bf50b97a8 100644 --- a/modules/storage/storage-account/file-service/share/main.bicep +++ b/modules/storage/storage-account/file-service/share/main.bicep 
@@ -40,11 +40,36 @@ param enabledProtocols string = 'SMB'
 param rootSquash string = 'NoRootSquash'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
+ 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
+ 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
+ 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+ 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
+ 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
+ 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
+ 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
+ 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
+ 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
+ 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+ 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
+ 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
+ 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
+ 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+ 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -76,17 +101,18 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-0
 }
 }
 
-module fileShare_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: fileShare.id
+resource fileShare_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: fileShare
 }]
 
 @description('The name of the deployed file share.')
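Review bot: The `builtInRoleNames` map added in this hunk is considerably narrower than the one in the deleted `.bicep/nested_roleAssignments.bicep` — display names such as 'Backup Contributor', 'Log Analytics Contributor' and 'Virtual Machine Contributor' no longer resolve — but neither the `roleAssignments` parameter description in this hunk nor the README hunk above says which names are accepted. Since an unrecognised name is forwarded unchanged as `roleDefinitionId` by the `fileShare_roleAssignments` resource in the next hunk, a caller that relied on one of the dropped names would only learn of it at deployment time. Restricting the map to storage-relevant roles is a sensible least-privilege choice, but it is a behaviour change and should be stated; I would add above the map `// Only these display names resolve; any other role must be given as its fully qualified role definition ID` and mirror that sentence in the parameter's `@description`. The `defaultTelemetry` resource at the end of the hunk continues outside it.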
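Review bot: The trailing comment on the `conditionVersion` line of the new `fileShare_roleAssignments` resource has a typo (`condtion`); it should read `// Must only be set if condition is set`. On the same resource, `name:` is keyed on the caller-supplied `roleAssignment.roleDefinitionIdOrName` rather than on the resolved `roleDefinitionId`, so one principal given the same role once by display name and once by ID yields two distinct assignment names; this mirrors the deleted nested module and is not a regression, but a one-line comment on the `name:` line saying the name is derived from the unresolved input would save the next reader from re-deriving it. The `roleDefinitionId` line is also the only place an unknown name is handled, and it passes it through unchanged, which is worth a brief comment so nobody mistakes it for validation.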
@@ -97,3 +123,29 @@ output resourceId string = fileShare.id @description('The resource group of the deployed file share.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json index 8e0004213f..99d21e926d 100644 --- a/modules/storage/storage-account/file-service/share/main.json +++ b/modules/storage/storage-account/file-service/share/main.json 
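Review bot: The `principalType` description in the new `roleAssignmentType` says what the field is but not when it matters; Azure's documented guidance for `Microsoft.Authorization/roleAssignments` is that setting `principalType` to `'ServicePrincipal'` for an identity created in the same deployment avoids the assignment failing on directory replication delay, and that is the situation this optional field exists for. I would extend the decorator to `@description('Optional. The principal type of the assigned principal ID. Set to \'ServicePrincipal\' for a principal created in the same deployment so the assignment does not fail on directory replication delay.')`. Separately, the `condition` description is the only one in the type without a trailing period. The type definition is complete within this hunk.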
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10078506011156678451" + "templateHash": "6928373168012003070" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -76,8 +145,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -90,8 +158,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::fileService": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -105,7 +208,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", 
@@ -114,190 +223,34 @@ "shareQuota": "[parameters('shareQuota')]", "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", "enabledProtocols": "[parameters('enabledProtocols')]" - } + }, + "dependsOn": [ + "storageAccount::fileService" + ] }, - { + "fileShare_roleAssignments": { "copy": { "name": "fileShare_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - 
"condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11207645433031461361" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], 
split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + "fileShare" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index cfbb81990d..dafb2589f2 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep 
@@ -10,7 +10,7 @@ param name string
 param location string = resourceGroup().location
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -215,6 +215,31 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
+ 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
+ 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
+ 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+ 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
+ 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
+ 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
+ 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
+ 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
+ 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
+ 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+ 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
+ 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
+ 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
+ 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+ 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
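Review bot: The new `builtInRoleNames` map has no comment saying what it is for or why it is limited to this set, and the older nested template visible in the file-share main.json hunks of this same patch resolved a noticeably wider list of display names, so a maintainer cannot tell from the hunk whether the narrower set is deliberate. A one-line comment above the map would settle it: `// Display names this module resolves to role definition IDs; any other role must be passed as its full roleDefinitions resource ID`. Since the map includes roles that can themselves grant access (Owner, User Access Administrator, Role Based Access Control Administrator (Preview)), naming that in the comment also helps reviewers of templates that consume this module.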
@@ -322,17 +347,18 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: storageAccount
 }
-module storageAccount_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Storage-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: storageAccount.id
+resource storageAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(storageAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: storageAccount
 }]
 module storageAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
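Review bot: The assignment `name` on the second added line is seeded with the unresolved `roleAssignment.roleDefinitionIdOrName`, while `roleDefinitionId` two lines below uses the value resolved through `builtInRoleNames`, so the same role supplied once as a display name and once as a full ID produces two different names for one (scope, principal, role) triple, which only surfaces as a duplicate-assignment error at deploy time. Seeding with the resolved value, `name: guid(storageAccount.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`, removes that ambiguity, but it also changes the names of assignments created by the replaced nested module, so if name stability across the upgrade is the reason for the current seed, a comment stating that would help. A display name absent from the map is passed through unchanged as `roleDefinitionId`, which is presumably intended but deserves a comment as well. `index` in the `for (roleAssignment, index)` header is no longer used now that the name is a guid, so `[for roleAssignment in (roleAssignments ?? []): {` reads cleaner, and the trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`.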
@@ -501,3 +527,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index 38d1cc9dd2..fdebcc9bdf 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2987578024127826531" + "templateHash": "12807881616729507615" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.",
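Review bot: The `@description` on `roleDefinitionIdOrName` says the role definition ID can be used when the name "cannot be found", but nothing in the type tells a caller that only the display names in `builtInRoleNames` are resolved and every other role has to be passed as its full role definition resource ID, which otherwise only shows up as a deployment failure. Suggest widening the description, e.g. `@description('Required. The name of the role to assign. Display names are resolved only for the built-in roles this module maps; any other role must be given as its role definition resource ID.')`. `principalId` is a bare `string`; a short hint in its description that the principal's object ID (a GUID) is expected would spare callers a deploy-time rejection from the role assignment resource. The explicit `null` inside the `principalType` union appears redundant with the trailing `?` and can be dropped.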
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -55,8 +121,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -443,7 +508,31 @@ "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -558,179 +647,20 @@ "storageAccount_roleAssignments": { "copy": { "name": "storageAccount_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Storage-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11629900401878342598" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": 
"[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "storageAccount" @@ -1593,7 +1523,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7606881916546008936" + "templateHash": "12140382752546157870" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", 
@@ -1925,17 +1855,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "394166978572431989" + "templateHash": "15140230336138320985" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -2019,8 +2018,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -2034,10 +2032,43 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, - "resources": [ - { + "resources": { + "storageAccount::blobServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2051,7 +2082,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[parameters('storageAccountName')]" + }, + "container": { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", 
@@ -2063,9 +2100,34 @@ "immutableStorageWithVersioning": "[if(equals(parameters('immutableStorageWithVersioningEnabled'), true()), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", "metadata": "[parameters('metadata')]", "publicAccess": "[parameters('publicAccess')]" - } + }, + "dependsOn": [ + "storageAccount::blobServices" + ] }, - { + "container_roleAssignments": { + "copy": { + "name": "container_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": 
"[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "container" + ] + }, + "immutabilityPolicy": { "condition": "[not(empty(parameters('immutabilityPolicyProperties')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -2197,191 +2259,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - ] - }, - { - "copy": { - "name": "container_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - 
"_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3779322696347988040" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], 
split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name'))]" + "container", + "storageAccount" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2472,7 +2354,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9522240963883457114" + "templateHash": "1758644729212955117" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", 
@@ -2687,17 +2569,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10078506011156678451" + "templateHash": "6928373168012003070" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -2763,8 +2714,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
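Review bot: The `condition` description in the new `roleAssignmentType` definition of the file-share template still uses a blob-container example (`@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] ...`), which does not match the `fileServices/shares` scope this type is applied to and will confuse anyone writing an ABAC condition for a share. Since `main.json` is compiled output, the wording belongs in the Bicep source of the type; a scope-appropriate example would be `e.g.: @Resource[Microsoft.Storage/storageAccounts/fileServices/shares:ShareName] StringEqualsIgnoreCase "foo_share"` (constructed example, to be checked against the ABAC attribute reference). The same copied example appears in the queue template's definition hunk `@@ -3259,17 +3094,86 @@`.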
@@ -2777,8 +2727,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::fileService": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
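Review bot: The new `builtInRoleNames` map is much shorter than the one it replaces (names such as `Backup Contributor`, `Monitoring Contributor` or `Virtual Machine Contributor` visible on the removed side of hunk `@@ -2801,190 +2792,34 @@` are gone), and the `roleDefinitionId` expression later in that hunk falls through to the raw `roleDefinitionIdOrName` string when a name is not in the map, so a caller still passing one of the dropped display names now gets a resource-manager error about an invalid role definition ID instead of a resolved role. Nothing in the hunk validates that the fallback value is a role definition resource ID. At minimum the `roleDefinitionIdOrName` metadata description (in the Bicep source) should say `Display names are resolved only for the storage-related built-in roles; any other role must be passed as its full role definition resource ID.` The queue template's hunk `@@ -3306,8 +3209,43 @@` introduces the same trimmed map and needs the same note.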
@@ -2792,7 +2777,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", 
@@ -2801,190 +2792,34 @@ "shareQuota": "[parameters('shareQuota')]", "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", "enabledProtocols": "[parameters('enabledProtocols')]" - } + }, + "dependsOn": [ + "storageAccount::fileService" + ] }, - { + "fileShare_roleAssignments": { "copy": { "name": "fileShare_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, 
- "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11207645433031461361" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], 
split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], 
coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + "fileShare" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -3076,7 +2911,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2312493242268209495" + "templateHash": "1248907780976524503" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", 
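Review bot: Each role-assignment entry changes shape from a `principalIds` array (the removed nested template's `principalIds` parameter, fed by `parameters('roleAssignments')[copyIndex()].principalIds`) to a single non-nullable `principalId`, and `roleAssignments` itself goes from `defaultValue: []` to a nullable typed parameter, so an existing caller that still supplies `principalIds` now fails validation of `roleAssignmentType` rather than deploying. The unchanged description in hunk `@@ -2763,8 +2714,7 @@` already talks about `principalId`, so the break is not documented anywhere in this diff; the module README and version should record it explicitly. Note also that the deployment name is now `guid(resourceId(...), principalId, roleDefinitionIdOrName)` evaluated directly, so two entries with the same principal and role collide on the resource name; that behaviour matches the old template but is now surfaced without the intermediate `-Rbac-{n}` deployment. The queue template's equivalent hunk `@@ -3321,196 +3259,46 @@` continues past the visible chunk and presumably carries the same change.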
@@ -3259,17 +3094,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16140546698784234048" + "templateHash": "13802487373528262992" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -3292,8 +3196,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -3306,8 +3209,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::queueServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/queueServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -3321,196 +3259,46 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "queue": { "type": "Microsoft.Storage/storageAccounts/queueServices/queues", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "properties": { "metadata": "[parameters('metadata')]" - } + }, + "dependsOn": [ + "storageAccount::queueServices" + ] }, - { + "queue_roleAssignments": { "copy": { "name": "queue_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', 
parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4094857207316953942" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - 
"Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), 
'/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" + "queue" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index 54e5c74b40..804add9d71 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2312493242268209495" + "templateHash": "1248907780976524503" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", 
@@ -188,17 +188,86 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16140546698784234048" + "templateHash": "13802487373528262992" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -221,8 +290,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -235,8 +303,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::queueServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/queueServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -250,196 +353,46 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "queue": { "type": "Microsoft.Storage/storageAccounts/queueServices/queues", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "properties": { "metadata": "[parameters('metadata')]" - } + }, + "dependsOn": [ + "storageAccount::queueServices" + ] }, - { + "queue_roleAssignments": { "copy": { "name": "queue_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', 
parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4094857207316953942" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - 
"Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), 
'/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" + "queue" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/queue-service/queue/.bicep/nested_roleAssignments.bicep b/modules/storage/storage-account/queue-service/queue/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index efd63e4247..0000000000 --- a/modules/storage/storage-account/queue-service/queue/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,101 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7') - 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b') - 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138') - 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b') - 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567') - 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca') - 'SqlMI Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872') - 'SqlVM Migration Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'ae8036db-e102-405b-a1b9-bae082ea436d') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2021-09-01' existing = { - name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}/${split(resourceId, '/')[12]}' -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(queue.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: queue -}] diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 49f5b6d4c5..94bba1bc19 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md 
@@ -63,7 +63,68 @@ The name of the storage queue to deploy. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `storageAccountName` diff --git a/modules/storage/storage-account/queue-service/queue/main.bicep b/modules/storage/storage-account/queue-service/queue/main.bicep index b943eecf2d..33dcb6732a 100644 --- a/modules/storage/storage-account/queue-service/queue/main.bicep +++ b/modules/storage/storage-account/queue-service/queue/main.bicep 
@@ -13,11 +13,36 @@ param name string param metadata object = {} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') + 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') + 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') + 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') + 'Storage Blob Data Owner': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') + 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') + 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') + 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') + 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') + 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') + 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') + 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') + 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') + 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') + 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') + 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 
'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -46,17 +71,18 @@ resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2021-09-0 } } -module queue_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: queue.id +resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: queue }] @description('The name of the deployed queue.') 
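Review bot: The `builtInRoleNames` map introduced in hunk `@@ -13,11 +13,36 @@` resolves far fewer display names than the table in the deleted `.bicep/nested_roleAssignments.bicep` (Avere, Backup, Log Analytics, Monitoring, Site Recovery, Virtual Machine Contributor and others are gone), and a name that is not in the map is no longer a failed lookup in a separate template but is passed through verbatim as `roleDefinitionId` by the `queue_roleAssignments` resource in the following hunk. Narrowing the table to roles that make sense at queue scope is reasonable, but nothing tells the reader it is intentional; a comment above the map such as `// Only roles meaningful at storage-queue scope resolve by display name; any other value is passed unchanged as a role definition resource ID` would make the contract explicit. The description of `roleDefinitionIdOrName` in the `roleAssignmentType` definition (hunk `@@ -67,3 +93,29 @@`) should state the same, since "If it cannot be found" no longer says where the lookup happens.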
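Review bot: `name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seeds the deterministic assignment name with the raw input rather than the resolved `roleDefinitionId`, so the same principal given 'Storage Queue Data Reader' in one deployment and the role's definition ID in the next yields two different names for one effective assignment, and the second deployment is likely to be rejected by Azure because the assignment already exists. Changing the seed now would rename assignments in existing deployments, so the safer fix is a comment that pins the invariant: `// name is seeded with the raw roleDefinitionIdOrName, not the resolved ID, to keep existing assignment names stable; use one spelling per principal`. Separately, the trailing comment on the `conditionVersion` line misspells the parameter name and should read `// Must only be set if condition is set`.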
@@ -67,3 +93,29 @@ output resourceId string = queue.id @description('The resource group of the deployed queue.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json index f866c3407a..60d8e0c5bb 100644 --- a/modules/storage/storage-account/queue-service/queue/main.json +++ b/modules/storage/storage-account/queue-service/queue/main.json 
@@ -1,16 +1,85 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16140546698784234048" + "templateHash": "13802487373528262992" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", "owner": "Azure/module-maintainers" }, + "definitions": { + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -33,8 +102,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -47,8 +115,43 @@ } } }, - "resources": [ - { + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "storageAccount::queueServices": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts/queueServices", + "apiVersion": "2021-09-01", + "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", + "dependsOn": [ + "storageAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -62,196 +165,46 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "queue": { "type": "Microsoft.Storage/storageAccounts/queueServices/queues", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "properties": { "metadata": "[parameters('metadata')]" - } + }, + "dependsOn": [ + "storageAccount::queueServices" + ] }, - { + "queue_roleAssignments": { "copy": { "name": "queue_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', 
parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4094857207316953942" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." 
- } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SqlMI Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d335eef-eee1-47fe-a9e0-53214eba8872')]", - "SqlVM Migration Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ae8036db-e102-405b-a1b9-bae082ea436d')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - 
"Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', split(format('{0}/{1}/{2}', split(parameters('resourceId'), 
'/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2])]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[0], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[1], split(format('{0}/{1}/{2}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10], split(parameters('resourceId'), '/')[12]), '/')[2]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": 
"[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" + "queue" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/synapse/private-link-hub/.bicep/nested_roleAssignments.bicep b/modules/synapse/private-link-hub/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index e6851ad570..0000000000 --- a/modules/synapse/private-link-hub/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource privateLinkHub 'Microsoft.Synapse/privateLinkHubs@2021-06-01' existing = { - name: 
last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(privateLinkHub.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: privateLinkHub
-}]
diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep
index 84d8dd7b87..7b59ec1474 100644
--- a/modules/synapse/private-link-hub/.test/common/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep
@@ -77,16 +77,13 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 {
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalType: 'ServicePrincipal'
 }
 ]
 tags: {
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index 6b1f40cf22..d9a6f2056f 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -68,16 +68,13 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' } ] @@ -135,16 +132,13 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" }, { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" } ] 
@@ -290,7 +284,68 @@ Configuration details for private endpoints. For security reasons, it is recomme Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep index cfb50ac903..a0a809ed93 100644 --- a/modules/synapse/private-link-hub/main.bicep +++ b/modules/synapse/private-link-hub/main.bicep 
@@ -18,13 +18,21 @@ param lock lockType param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
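Review bot: The new `builtInRoleNames` map resolves only five display names, while the nested template this commit deletes (`.bicep/nested_roleAssignments.bicep`, in the pure-deletion hunk above) also resolved 'Log Analytics Contributor', 'Log Analytics Reader', the three 'Managed Application' roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. A caller that still passes one of those names now has the string forwarded verbatim as `roleDefinitionId` by the fallback in the next hunk, so the deployment fails only at runtime with an invalid role-definition reference instead of at compile time. The `@description` on `param roleAssignments` in this hunk still promises that any "display name of the role definition" is accepted; either restore the dropped entries or narrow the wording, e.g. `... you can provide either the display name of one of the built-in roles listed in builtInRoleNames, or its fully qualified ID ...`. Which names downstream consumers rely on is not visible here, so if the reduction is intentional it should be called out as a breaking change.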
@@ -54,17 +62,18 @@ resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e } // RBAC -module privateLinkHub_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: privateLinkHub.id +resource privateLinkHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(privateLinkHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: privateLinkHub }] // Private Endpoints 
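Review bot: The `index` loop variable in `[for (roleAssignment, index) in (roleAssignments ?? []): {` is no longer read now that the resource name comes from `guid(...)`, so the loop can be written `[for roleAssignment in (roleAssignments ?? []): {`. The `guid()` seed uses the unresolved `roleDefinitionIdOrName` string rather than the resolved `roleDefinitionId`, so the same principal given 'Reader' in one entry and the Reader definition ID in another would presumably get two differently named assignments for one effective role, which ARM would then likely reject as already existing; that is acceptable but deserves a comment such as `// name is seeded with the unresolved role name/ID, so the same role spelled two ways yields two names`. The trailing comment on the `conditionVersion` line has a typo: `condtion` → `condition`.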
@@ -115,3 +124,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
index f96d97ebc8..903af8a9c2 100644
--- a/modules/synapse/private-link-hub/main.json
+++ b/modules/synapse/private-link-hub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11576206008807931590"
+ "templateHash": "17913553543039751168"
 },
 "name": "Azure Synapse Analytics",
 "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
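Review bot: In `roleAssignmentType` the union `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` and also carries the nullable `?`, which is redundant; the compiled `main.json` in this commit keeps only `"nullable": true`, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` expresses the same contract and matches how the other optional members of the type are written. The `roleDefinitionIdOrName` description says a display name can be given but not which names resolve; since only the `builtInRoleNames` entries are looked up before the value is used as-is, a pointer such as `@description('Required. The name of the role to assign (one of the names in builtInRoleNames) or its fully qualified role definition ID.')` would make the accepted inputs explicit where the type is declared.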
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -74,8 +140,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -89,7 +154,14 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -130,146 +202,20 @@ "privateLinkHub_roleAssignments": { "copy": { "name": "privateLinkHub_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-rbac-{1}', deployment().name, copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), 
createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2697027648534286095" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Synapse/privateLinkHubs', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "privateLinkHub" diff --git a/modules/synapse/workspace/.bicep/nested_roleAssignments.bicep b/modules/synapse/workspace/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index b94aef4cf6..0000000000 --- a/modules/synapse/workspace/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,32 +0,0 @@ -param principalIds array -param roleDefinitionIdOrName string -param resourceId string - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = { - name: last(split(resourceId, 
'/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(workspace.name, principalId, roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - } - scope: workspace -}] diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep index ec666fb633..741e51171a 100644 --- a/modules/synapse/workspace/.test/common/main.test.bicep +++ b/modules/synapse/workspace/.test/common/main.test.bicep @@ -77,10 +77,8 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] - + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' } ] privateEndpoints: [ diff --git a/modules/synapse/workspace/.test/managedvnet/main.test.bicep b/modules/synapse/workspace/.test/managedvnet/main.test.bicep index fdf11b38c7..c057f7e2e6 100644 --- a/modules/synapse/workspace/.test/managedvnet/main.test.bicep +++ b/modules/synapse/workspace/.test/managedvnet/main.test.bicep @@ -62,6 +62,5 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' } enableDefaultTelemetry: enableDefaultTelemetry - } } diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 590844f253..868966dd69 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -96,9 +96,8 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ] roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' + principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } ] 
@@ -195,9 +194,8 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", + "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } ] 
@@ -809,7 +807,68 @@ Purview Resource ID. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sqlAdministratorLogin` diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 9f1bac808f..08a39588db 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -95,7 +95,7 @@ param userAssignedIdentities object = {} param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] 
@@ -158,6 +158,15 @@ var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ var enableReferencedModulesTelemetry = false +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) @@ -238,7 +247,7 @@ module synapse_integrationRuntimes 'integration-runtime/main.bicep' = [for (inte // Workspace encryption with customer managed keys // - Assign Synapse Workspace MSI access to encryption key -module workspace_cmk_rbac './.bicep/nested_cmkRbac.bicep' = if (encryptionActivateWorkspace) { +module workspace_cmk_rbac 'modules/nested_cmkRbac.bicep' = if (encryptionActivateWorkspace) { name: '${workspace.name}-cmk-rbac' params: { workspaceIndentityPrincipalId: workspace.identity.principalId 
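Review bot: The `builtInRoleNames` map introduced in this hunk resolves only six display names, whereas the nested module this commit deletes (`.bicep/nested_roleAssignments.bicep`, removed earlier in the diff) resolved thirteen, including 'Log Analytics Contributor', 'Monitoring Contributor' and 'Monitoring Reader'. Because the new role-assignment resource passes any unmatched name straight through as `roleDefinitionId`, a caller that still uses one of the dropped names no longer gets a resolved role ID and the deployment fails, so this is a silent breaking change for existing consumers. If trimming the list is intentional, a comment above the map, e.g. `// Display names resolvable via roleDefinitionIdOrName; any other value must be a full role definition resource ID`, and a matching sentence in the `roleAssignments` description would make the contract explicit.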
@@ -249,7 +258,7 @@ module workspace_cmk_rbac './.bicep/nested_cmkRbac.bicep' = if (encryptionActiva } // - Workspace encryption - Activate Workspace -module workspace_key './key/main.bicep' = if (encryptionActivateWorkspace) { +module workspace_key 'key/main.bicep' = if (encryptionActivateWorkspace) { name: '${workspace.name}-cmk-activation' params: { name: cMKKeyName @@ -273,13 +282,18 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( } // RBAC -module workspace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-Workspace-Rbac-${index}' - params: { - principalIds: roleAssignment.principalIds - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: workspace.id +resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: workspace }] // Endpoints 
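Review bot: Two entries in `roleAssignments` that share `principalId` and `roleDefinitionIdOrName` but differ in `condition` resolve to the same resource name, because `guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` does not include the condition, so the deployment fails on a duplicate resource instead of creating two conditional assignments. If that restriction is intended it should be stated in the `roleAssignments` description; if not, the condition has to become part of the guid input, which renames every existing assignment and is a breaking change for deployed instances. A role name that is not a key of `builtInRoleNames` is used verbatim as `roleDefinitionId`, so a misspelled display name only surfaces as an ARM error at deployment time rather than at validation. The trailing comment has a typo: `// Must only be set if condition is set`.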
@@ -349,3 +363,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index 8c6486e6ea..a772b190e3 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2812430715889836837" + "templateHash": "10923669375290685211" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", 
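Review bot: In the new `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property optional with `?`, which is redundant; the other optional members use the `?` form alone, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` matches them. The `condition` description is the only one without a trailing period, unlike the text it replaces in the deleted nested module. Since the deployment now omits `principalType` whenever the caller does, the description could carry a hint such as `Set to 'ServicePrincipal' when assigning to a newly created identity so the assignment does not fail on replication delay`; this reflects Azure guidance rather than anything visible in the hunk, so confirm before adding it.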
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -238,8 +304,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -326,7 +391,15 @@ "userAssignedIdentities": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), variables('userAssignedIdentitiesUnion'), null())]" }, "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -408,6 +481,28 @@ "workspace" ] }, + "workspace_roleAssignments": { + "copy": { + "name": "workspace_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Synapse/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "workspace" + ] + }, "workspace_diagnosticSettings": { "condition": 
"[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", "type": "Microsoft.Insights/diagnosticSettings", 
@@ -769,90 +864,6 @@ "workspace_cmk_rbac" ] }, - "workspace_rbac": { - "copy": { - "name": "workspace_rbac", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Workspace-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14152899593799062400" - } - }, - "parameters": { - "principalIds": { - "type": "array" - }, - "roleDefinitionIdOrName": { - "type": "string" - }, - "resourceId": { - "type": "string" - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed 
Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Synapse/workspaces/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(last(split(parameters('resourceId'), '/')), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]" - } - } - ] - } - }, - "dependsOn": [ - "workspace" - ] - }, "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", 
diff --git a/modules/synapse/workspace/.bicep/nested_cmkRbac.bicep b/modules/synapse/workspace/modules/nested_cmkRbac.bicep similarity index 100% rename from modules/synapse/workspace/.bicep/nested_cmkRbac.bicep rename to modules/synapse/workspace/modules/nested_cmkRbac.bicep diff --git a/modules/virtual-machine-images/image-template/.bicep/nested_roleAssignments.bicep b/modules/virtual-machine-images/image-template/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 9d8fad5c60..0000000000 --- a/modules/virtual-machine-images/image-template/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,68 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2020-02-14' existing = { - name: 
last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(imageTemplate.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: imageTemplate -}] diff --git a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep index d3f2bab602..f70aa4df55 100644 --- a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep +++ b/modules/virtual-machine-images/image-template/.test/common/main.test.bicep @@ -95,9 +95,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 9a2d0010eb..40fab0d762 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -71,9 +71,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 osDiskSizeGB: 127 roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } 
@@ -158,9 +156,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -444,7 +440,68 @@ Specifies the size of OS disk. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `sigImageDefinitionId` diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep index 4e05b291f6..7f0d3b2a07 100644 --- a/modules/virtual-machine-images/image-template/main.bicep +++ b/modules/virtual-machine-images/image-template/main.bicep 
@@ -78,7 +78,7 @@ param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss')
 param enableDefaultTelemetry bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 var managedImageNameVar = '${managedImageName}-${baseTime}'
 var managedImageId = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Compute/images/${managedImageNameVar}'
@@ -140,6 +140,14 @@ var vnetConfig = {
 subnetId: subnetId
 }
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
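Review bot: `builtInRoleNames` in the second hunk resolves only five display names, whereas the nested module this commit deletes resolved thirteen, including 'Monitoring Reader' and 'Log Analytics Contributor'. Because the resource in the next hunk falls back to passing `roleDefinitionIdOrName` through unchanged as `roleDefinitionId`, a caller still using one of the dropped names now gets an ARM error about an invalid role definition ID at deployment time instead of a clear validation message. This looks like a deliberate per-module trimming, but it is a breaking change for such callers and neither the parameter description nor the README says which names are resolvable. Suggest appending to the `roleAssignments` description: `Display names resolved by this module: Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator; pass any other role as its full role definition resource ID.`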
@@ -186,17 +194,18 @@ resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
 scope: imageTemplate
 }
 
-module imageTemplate_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-ImageTemplate-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: imageTemplate.id
+resource imageTemplate_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(imageTemplate.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: imageTemplate
 }]
 
 @description('The resource ID of the image template.')
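Review bot: `name: guid(imageTemplate.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the caller's raw string rather than the resolved role definition ID, so passing 'Reader' and passing the full Reader definition ID yield two different names for the same principal, role and scope; a redeploy that switches between the two forms then attempts a second assignment for an identical triple, which Azure rejects as an already existing role assignment instead of treating the deployment as idempotent. The deleted nested module behaved the same way, so this is carried over rather than introduced, but now that the lookup lives in this file the resolved `contains(builtInRoleNames, …) ? … : …` value could feed both `name` and `roleDefinitionId`. Separately, the trailing comment on the `conditionVersion` line has a typo: `// Must only be set if condition is set`.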
@@ -228,3 +237,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json
index 82a30b1eec..873da1becd 100644
--- a/modules/virtual-machine-images/image-template/main.json
+++ b/modules/virtual-machine-images/image-template/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7243500275007115201"
+ "templateHash": "13895680092104029246"
 },
 "name": "Virtual Machine Image Templates",
 "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).",
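Review bot: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` marks the property nullable twice, once with the `null` union member and once with the trailing `?`; the compiled definition in main.json keeps only `nullable: true` with the five string values, so the `null` member is redundant and `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would match how the other optional properties of this type are written. Since the property is optional, its description could also say why a caller would set it: supplying 'ServicePrincipal' for a newly created managed identity is what avoids the replication-delay failures Azure documents for fresh principals, which appears to be why the updated test in .test/common/main.test.bicep sets it. The README is generated from these description strings, so wording fixed here propagates on the next readme run.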
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -203,8 +269,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -268,6 +333,13 @@ "distribute": "[concat(variables('conditionalManagedImage'), variables('conditionalSharedImage'), variables('conditionalUnManagedImage'))]", "vnetConfig": { "subnetId": "[parameters('subnetId')]" + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -328,146 +400,20 @@ "imageTemplate_roleAssignments": { "copy": { "name": "imageTemplate_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ImageTemplate-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", + "name": "[guid(resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime'))), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": 
"[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime')))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14467994353590988540" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.VirtualMachineImages/imageTemplates', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), 
createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "imageTemplate" diff --git a/modules/web/connection/.bicep/nested_roleAssignments.bicep b/modules/web/connection/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 116b78de2c..0000000000 --- a/modules/web/connection/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a') - 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') -} - -resource connection 'Microsoft.Web/connections@2016-06-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(connection.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: connection -}] diff --git a/modules/web/connection/.test/common/main.test.bicep b/modules/web/connection/.test/common/main.test.bicep index 28a802c0df..dd8de8af36 100644 --- a/modules/web/connection/.test/common/main.test.bicep +++ b/modules/web/connection/.test/common/main.test.bicep 
@@ -64,9 +64,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 9675791fd6..bd1c83f539 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -55,9 +55,7 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -108,9 +106,7 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -242,7 +238,68 @@ Connection strings or access keys for connection. Example: 'accountName' and 'ac Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `statuses` diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep index a0fbe5458e..db24458661 100644 --- a/modules/web/connection/main.bicep +++ b/modules/web/connection/main.bicep 
@@ -29,7 +29,7 @@ param nonSecretParameterValues object = {}
 param parameterValues object = {}
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 
 @description('Optional. Status of the connection.')
 param statuses array = []
@@ -43,6 +43,14 @@ param tags object = {}
 @description('Optional. Links to test the API connection.')
 param testLinks array = []
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
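Review bot: The `builtInRoleNames` map added in the `@@ -43,6 +43,14 @@` hunk resolves only five display names (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator), whereas the nested_roleAssignments.bicep this commit deletes also resolved 'Web Plan Contributor', 'Website Contributor', 'Resource Policy Contributor' and the Logic App, Log Analytics and Monitoring roles visible in the removed template. A consumer that still passes one of those display names now has the literal name forwarded as `roleDefinitionId` through the fallback branch of the `contains(builtInRoleNames, …)` expression in the next hunk, so the deployment fails instead of creating the assignment. If narrowing the list is intended, the `@description` on `roleAssignments` in the `@@ -29,7 +29,7 @@` hunk should say that only the names in `builtInRoleNames` resolve and that any other role must be given as its full role definition ID; otherwise the dropped entries should be carried over. The same applies to the `builtInRoleNames` added to modules/web/hosting-environment/main.bicep in its `@@ -163,6 +163,14 @@` hunk.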
@@ -79,17 +87,18 @@ resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty
 scope: connection
 }
 
-module connection_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Connection-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: connection.id
+resource connection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(connection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: connection
 }]
 
 @description('The resource ID of the connection.')
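Review bot: The trailing comment on the new `conditionVersion` line misspells "condition"; it should read `conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condition is set`. The identical comment is added to modules/web/hosting-environment/main.bicep in its `@@ -243,17 +251,18 @@` hunk and should be corrected there as well. Separately, the resource `name` still hashes the raw `roleDefinitionIdOrName` rather than the resolved `roleDefinitionId`, as the removed nested module did, so the same principal/role pair given once by display name and once by full ID yields two resource names for what is presumably one assignment at the platform level; a short comment on the `name:` line stating that callers must not mix the two forms for one principal would make that contract explicit.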
@@ -115,3 +124,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json
index b74ef8effb..fa79bdb08e 100644
--- a/modules/web/connection/main.json
+++ b/modules/web/connection/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9051119645490158211"
+ "templateHash": "1935169026150435990"
 },
 "name": "API Connections",
 "description": "This module deploys an Azure API Connection.",
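Review bot: In the new `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` inside the union and also marks the property nullable with `?`; every other optional property in this type uses only the `?` form, so `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` would be consistent and equivalent. The description of `conditionVersion` does not say that the resource in the `@@ -79,17 +87,18 @@` hunk substitutes '2.0' whenever a `condition` is given and sets the value to null when no condition is present; `@description('Optional. Version of the condition. Defaults to \'2.0\' when a condition is set and is ignored otherwise.')` would document that behaviour where consumers read it.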
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -95,8 +161,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -129,6 +194,15 @@ } } }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, "resources": { "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -177,152 +251,20 @@ "connection_roleAssignments": { "copy": { "name": "connection_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Connection-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/connections', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Web/connections', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4656118963929706650" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/connections/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/connections', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - 
"conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "connection" diff --git a/modules/web/hosting-environment/.bicep/nested_roleAssignments.bicep b/modules/web/hosting-environment/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 1d4ebf0c56..0000000000 --- a/modules/web/hosting-environment/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a') - 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') -} - -resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2021-02-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appServiceEnvironment.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appServiceEnvironment -}] diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/.test/asev2/main.test.bicep index a19d8a4384..28203cd5f6 100644 --- a/modules/web/hosting-environment/.test/asev2/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev2/main.test.bicep 
@@ -73,9 +73,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/.test/asev3/main.test.bicep
index e2a1a47b59..9e2c5bc92e 100644
--- a/modules/web/hosting-environment/.test/asev3/main.test.bicep
+++ b/modules/web/hosting-environment/.test/asev3/main.test.bicep
@@ -75,9 +75,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md
index c599b24620..a51c8234e4 100644
--- a/modules/web/hosting-environment/README.md
+++ b/modules/web/hosting-environment/README.md
@@ -66,9 +66,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = {
 multiSize: 'Standard_D1_V2'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -150,9 +148,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -220,9 +216,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = {
 remoteDebugEnabled: true
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -320,9 +314,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -607,7 +599,68 @@ Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set t Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `subnetResourceId` diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index 12313f7d2b..29fcf1e7bb 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep 
@@ -13,7 +13,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Resource tags.') param tags object = {} @@ -163,6 +163,14 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : any(null) +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
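Review bot: The `builtInRoleNames` map added in the second hunk resolves only five display names, whereas the nested template this patch deletes (its inlined copy is visible further down in the removed `main.json` section) resolved nineteen, including 'Monitoring Reader', 'Log Analytics Contributor' and 'Website Contributor'. A caller that still passes one of the dropped names now falls through the `contains(builtInRoleNames, …)` check and the bare display name is sent to ARM as `roleDefinitionId`, so the deployment fails rather than silently granting a different role — acceptable fail-closed behaviour, but it is a breaking change for existing consumers that I cannot see called out anywhere in the visible hunks. I would add a comment on the variable, `// Only these display names resolve; any other role must be passed as its full '/providers/Microsoft.Authorization/roleDefinitions/<guid>' ID`, and list the removed names in the module's changelog. The serverfarm module at its `@@ -96,6 +96,16 @@` hunk has the same reduction (it keeps 'Web Plan Contributor' and 'Website Contributor' but drops the rest).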
@@ -243,17 +251,18 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic scope: appServiceEnvironment } -module appServiceEnvironment_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: appServiceEnvironment.id +resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: appServiceEnvironment }] @description('The resource ID of the App Service Environment.') 
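Review bot: The resource name `guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is derived from the unresolved name-or-ID string rather than the `roleDefinitionId` computed two lines below, so one principal given 'Reader' in one entry and the full Reader definition ID in another produces two differently named resources for a single effective assignment, and ARM will in my experience reject the second as a duplicate role assignment. Keeping the raw string looks deliberate — it reproduces the names the deleted nested template generated (visible in the removed `main.json` section), so existing deployments stay idempotent — but that trade-off deserves a comment such as `// guid() intentionally uses the raw roleDefinitionIdOrName so names match earlier nested-module deployments; do not pass the same role both by name and by ID`. The trailing comment on the `conditionVersion` line also misspells 'condition' (`condtion`). The serverfarm hunk at `@@ -150,17 +160,18 @@` has the same two issues.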
@@ -279,3 +288,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index 8536c48b22..50b9ab706a 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9619387957951306854" + "templateHash": "5607642767889382613" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", 
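Review bot: In the new `roleAssignmentType`, `principalType` is declared as `('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?`, where the `null` union member is redundant with the trailing `?` and is not used for any other optional member (`description: string?`, `condition: string?`); for consistency I would write `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The description of `roleDefinitionIdOrName` still says the role definition ID may be used "if it cannot be found", but nothing tells the caller that only the names listed in `builtInRoleNames` are looked up; a short addition such as "Only the display names of the generic built-in roles resolve; all other roles must be passed as their full role definition resource ID" would close that gap. The serverfarm type at `@@ -189,3 +200,26 @@` has the same redundant `null` and the same description.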
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -61,8 +127,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -325,7 +390,14 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "enableReferencedModulesTelemetry": false, - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "defaultTelemetry": { 
@@ -398,6 +470,28 @@ "appServiceEnvironment" ] }, + "appServiceEnvironment_roleAssignments": { + "copy": { + "name": "appServiceEnvironment_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/hostingEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "appServiceEnvironment" + ] + }, 
"appServiceEnvironment_configurations_networking": { "condition": "[equals(parameters('kind'), 'ASEv3')]", "type": "Microsoft.Resources/deployments", 
@@ -667,160 +761,6 @@ "dependsOn": [ "appServiceEnvironment" ] - }, - "appServiceEnvironment_roleAssignments": { - "copy": { - "name": "appServiceEnvironment_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppServiceEnv-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Web/hostingEnvironments', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": 
"8235504163379537540" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/hostingEnvironments', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - 
"delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "appServiceEnvironment" - ] } }, "outputs": { diff --git a/modules/web/serverfarm/.bicep/nested_roleAssignments.bicep b/modules/web/serverfarm/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index ceb4ae0d8f..0000000000 --- a/modules/web/serverfarm/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e') - 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a') - 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') - 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') -} - -resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appServicePlan.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appServicePlan -}] diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/.test/common/main.test.bicep index e9f7a02483..2be57ba46b 100644 --- a/modules/web/serverfarm/.test/common/main.test.bicep +++ b/modules/web/serverfarm/.test/common/main.test.bicep 
@@ -84,9 +84,7 @@ module testDeployment '../../main.bicep' = { roleAssignments: [ { roleDefinitionIdOrName: 'Reader' - principalIds: [ - nestedDependencies.outputs.managedIdentityPrincipalId - ] + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 6210f6bb52..1ce43a5618 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -63,9 +63,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { } roleAssignments: [ { - principalIds: [ - '' - ] + principalId: '' principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'Reader' } @@ -129,9 +127,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { "roleAssignments": { "value": [ { - "principalIds": [ - "" - ], + "principalId": "", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Reader" } 
@@ -301,7 +297,68 @@ If true, apps assigned to this App Service plan can be scaled independently. If Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string ### Parameter: `serverOS` diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 9a69b5e62c..8f4a5bb899 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep 
@@ -50,7 +50,7 @@ param targetWorkerSize int = 0 param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} @@ -96,6 +96,16 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { // ============ // // Dependencies // // ============ // +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') + 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -150,17 +160,18 @@ resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e scope: appServicePlan } -module appServicePlan_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppServicePlan-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : '' - delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : '' - resourceId: appServicePlan.id +resource appServicePlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(appServicePlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: appServicePlan }] // =========== // 
@@ -189,3 +200,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json
index 7f5bd9f651..f35cc3c4b4 100644
--- a/modules/web/serverfarm/main.json
+++ b/modules/web/serverfarm/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7158644970816385337" + "templateHash": "10390609619515936643" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.",
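Review bot: On the `principalType:` line of the new `roleAssignmentType`, the `| null` member inside the union appears redundant with the trailing `?`, which already makes the property nullable; the compiled main.json in this commit emits `"nullable": true` with no null entry in `allowedValues`, so dropping it should be behaviour-neutral: `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?`. The same union appears in the `roleAssignmentType` added to modules/web/site/main.bicep. The `condition` description is also the only one in the type without a terminating period, unlike the text it replaces in the deleted nested template.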
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -126,8 +192,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -212,7 +277,16 @@ "enabled": true } } - ] + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" + } }, "resources": { "defaultTelemetry": { 
@@ -283,152 +357,20 @@ "appServicePlan_roleAssignments": { "copy": { "name": "appServicePlan_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppServicePlan-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', 
parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17362454573845910972" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/serverfarms/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/serverfarms', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - 
"conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "appServicePlan" diff --git a/modules/web/site/.bicep/nested_roleAssignments.bicep b/modules/web/site/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 788b151f12..0000000000 --- a/modules/web/site/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,75 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')
- 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(app.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: app
-}]
diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep
index 56ecd15412..efcf051533 100644
--- a/modules/web/site/.test/functionAppCommon/main.test.bicep
+++ b/modules/web/site/.test/functionAppCommon/main.test.bicep
@@ -165,9 +165,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep
index 5ab87a1473..5f80c1b05d 100644
--- a/modules/web/site/.test/webAppCommon/main.test.bicep
+++ b/modules/web/site/.test/webAppCommon/main.test.bicep
@@ -73,6 +73,10 @@ module testDeployment '../../main.bicep' = {
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
 httpsOnly: true
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 slots: [
 {
 name: 'slot1'
@@ -99,9 +103,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
@@ -142,9 +144,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/web/site/README.md b/modules/web/site/README.md
index 4368025501..d679f188df 100644
--- a/modules/web/site/README.md
+++ b/modules/web/site/README.md
@@ -16,8 +16,6 @@ This module deploys a Web or Function App.
 | Resource Type | API Version |
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
-| `Microsoft.Authorization/locks` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
-| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
@@ -159,9 +157,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -329,9 +325,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -460,6 +454,10 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 sendKeyName: 'defaultSender'
 }
 ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
@@ -477,9 +475,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 publicNetworkAccess: 'Disabled'
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -523,9 +519,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -614,6 +608,12 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 }
 ]
 },
+ "lock": {
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
+ },
 "privateEndpoints": {
 "value": [
 {
@@ -636,9 +636,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -688,9 +686,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = {
 ],
 "roleAssignments": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -1116,7 +1112,68 @@ Site redundancy mode.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 ### Parameter: `scmSiteAlsoStopped`
diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep
index 01ac6d6720..0964c9a5db 100644
--- a/modules/web/site/main.bicep
+++ b/modules/web/site/main.bicep
@@ -91,7 +91,7 @@ param tags object = {}
 param enableDefaultTelemetry bool = true
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -225,6 +225,17 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
+ 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -390,17 +401,18 @@ resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0
 scope: app
 }
-module app_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Site-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: app.id
+resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(app.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: app
 }]
 module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
@@ -465,3 +477,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index 5e16338289..84a1a15880 100644
--- a/modules/web/site/main.json
+++ b/modules/web/site/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6021180257136349048" + "templateHash": "249993900851794447" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.",
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -233,8 +299,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -443,7 +508,17 @@ "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'de139f84-1756-47ae-9be6-808fbbe84772')]" + } }, "resources": { "defaultTelemetry": { 
@@ -527,6 +602,28 @@ "app" ] }, + "app_roleAssignments": { + "copy": { + "name": "app_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/sites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "app" + ] + }, "app_appsettings": { "condition": "[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": 
"Microsoft.Resources/deployments", @@ -889,7 +986,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9880661409366046894" + "templateHash": "11020134105665438870" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -920,6 +1017,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1088,8 +1251,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -1309,7 +1471,17 @@ ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" + } }, "resources": { "app": { 
@@ -1370,14 +1542,14 @@ ] }, "slot_lock": { - "condition": "[not(empty(parameters('lock')))]", + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", - "apiVersion": "2017-04-01", + "apiVersion": "2020-05-01", "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "slot" 
@@ -1401,6 +1573,28 @@ "slot" ] }, + "slot_roleAssignments": { + "copy": { + "name": "slot_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "slot" + ] + }, "slot_appsettings": { "condition": 
"[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": "Microsoft.Resources/deployments", 
@@ -1841,133 +2035,6 @@ "slot" ] }, - "slot_rbac": { - "copy": { - "name": "slot_rbac", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-Rbac-{2}', uniqueString(deployment().name, parameters('location')), parameters('name'), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12072533589555151999" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. 
The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft 
Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - }, - "appName": "[split(parameters('resourceId'), '/')[add(indexOf(split(parameters('resourceId'), '/'), 'sites'), 1)]]" - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-10-01-preview", - "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', variables('appName'), last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/sites/slots', variables('appName'), last(split(parameters('resourceId'), '/'))), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "slot" - ] - }, "slot_privateEndpoints": { "copy": { "name": "slot_privateEndpoints", 
@@ -2802,161 +2869,6 @@ "app" ] }, - "app_roleAssignments": { - "copy": { - "name": "app_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8219747135768194918" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - 
"description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/sites/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/sites', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), 
not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "app" - ] - }, "app_privateEndpoints": { "copy": { "name": "app_privateEndpoints", diff --git a/modules/web/site/slot/.bicep/nested_roleAssignments.bicep b/modules/web/site/slot/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2e90bdebb0..0000000000 --- a/modules/web/site/slot/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,65 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-var builtInRoleNames = {
- 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')
- 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-var appName = split(resourceId, '/')[indexOf(split(resourceId, '/'), 'sites') + 1]
-
-resource app 'Microsoft.Web/sites@2022-09-01' existing = {
- name: appName
- resource slot 'slots' existing = {
- name: last(split(resourceId, '/'))!
- }
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
- name: guid(app::slot.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- }
- scope: app::slot
-}]
diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md
index 4f390f4b1a..0fc2fec8d0 100644
--- a/modules/web/site/slot/README.md
+++ b/modules/web/site/slot/README.md
@@ -14,9 +14,7 @@ This module deploys a Web or Function App Deployment Slot.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Authorization/locks` | [2017-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
-| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
@@ -355,7 +353,68 @@ Site redundancy mode.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 ### Parameter: `serverFarmResourceId`
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index 8ae07a51b2..c0e56d8973 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -79,7 +79,7 @@ param tags object = {}
 param enableDefaultTelemetry bool = true
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -210,6 +210,17 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+var builtInRoleNames = {
+ 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
+ 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
+}
+
 resource app 'Microsoft.Web/sites@2021-03-01' existing = {
 name: appName
 }
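Review bot: The new `builtInRoleNames` map resolves only eight display names, while the nested template it replaces (its removed copy is visible elsewhere in this diff under `slot_rbac`) also resolved 'Log Analytics Contributor', 'Log Analytics Reader', 'Logic App Contributor', 'Logic App Operator', the three Managed Application roles, the two Microsoft Sentinel roles, 'Monitoring Contributor', 'Monitoring Reader' and 'Resource Policy Contributor'. A caller that still passes one of those names now has it written verbatim into `roleDefinitionId` by the `contains(builtInRoleNames, ...)` fallback, which presumably only surfaces as a deployment-time role-definition error rather than a validation failure. If trimming the list is intended, the `@description` on `roleAssignments` in the first hunk should spell out the contract, e.g. `Only the display names listed in builtInRoleNames resolve; any other value is passed through unchanged and must be a full role definition resource ID.`; otherwise the dropped entries should be restored.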
@@ -298,11 +309,11 @@ module slot_hybridConnectionRelays 'hybrid-connection-namespace/relay/main.bicep
 }
 }]
-resource slot_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
- name: '${slot.name}-${lock}-lock'
+resource slot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
 }
 scope: slot
 }
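Review bot: `level: lock.?kind ?? ''` can deploy a lock with an empty level: the guard `!empty(lock ?? {}) && lock.?kind != 'None'` is true for a `lock` object that sets only `name` (the `lockType` declared further down in this file makes `kind` optional), and an empty `level` is presumably rejected by the locks provider, whose accepted values are CanNotDelete and ReadOnly. Guarding on the kind itself, e.g. `= if (!empty(lock.?kind ?? '') && lock.?kind != 'None') {`, skips the resource whenever no usable kind was given. Separately, the default lock name changes from `${slot.name}-${lock}-lock` to `lock-${name}`; locks are deployed incrementally, so the old lock is presumably left in place on existing slots, and a changelog note telling users to remove it is worth adding.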
@@ -320,15 +331,18 @@ resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 scope: slot
 }
-module slot_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-Slot-${name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- resourceId: slot.id
+resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
 }
+ scope: slot
 }]
 module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
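Review bot: `name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seeds the deterministic name with the caller's raw string rather than the resolved role, so the same grant written as `'Reader'` and as its full `/providers/Microsoft.Authorization/roleDefinitions/...` ID produces two different names for one (scope, principal, role) triple; ARM allows only one assignment per triple, so the second spelling presumably fails with a RoleAssignmentExists conflict instead of being a no-op. Seeding the guid with the same resolved value that is used for `roleDefinitionId` would make both spellings converge on one name. Be aware that the removed `slot_rbac` module used the identical raw seed, so changing it renames assignments on existing deployments and those would have to be deleted first; if that migration is not acceptable, the constraint should at least be documented on `roleDefinitionIdOrName`. Minor: the trailing comment reads `condtion` (condition).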
@@ -378,3 +392,26 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json
index f316337fdd..b9498b5fbe 100644
--- a/modules/web/site/slot/main.json
+++ b/modules/web/site/slot/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9880661409366046894"
+ "templateHash": "11020134105665438870"
 },
 "name": "Web/Function App Deployment Slots",
 "description": "This module deploys a Web or Function App Deployment Slot.",
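Review bot: The `@description` on `principalId` in `roleAssignmentType` should state which identifier is expected: a role assignment takes the principal's object ID, and for a managed identity or app registration that is the service principal's object ID, not the application (client) ID, which is the value most often pasted by mistake and which typically surfaces only as a PrincipalNotFound failure at deployment time. Suggested text: `Required. The object ID of the principal (user/group/service principal/managed identity) to assign the role to. For applications this is the service principal object ID, not the application (client) ID.` The `principalType` description could add that it should be set (typically `ServicePrincipal`) when the principal is created in the same deployment, since an unspecified type for a freshly created object is known to fail on directory replication lag. The `condition` example is a storage-container ABAC expression copied verbatim; a short note that conditions only take effect for role definitions that support ABAC would stop readers expecting it to narrow a Web slot grant.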
@@ -37,6 +37,72 @@
 }
 },
 "nullable": true
+ },
+ "roleAssignmentType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -205,8 +271,7 @@
 }
 },
 "roleAssignments": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
@@ -426,7 +491,17 @@
 ],
 "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
- "enableReferencedModulesTelemetry": false
+ "enableReferencedModulesTelemetry": false,
+ "builtInRoleNames": {
+ "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]",
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
+ "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]"
+ }
 },
 "resources": {
 "app": {
@@ -487,14 +562,14 @@
 ]
 },
 "slot_lock": {
- "condition": "[not(empty(parameters('lock')))]",
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
 "type": "Microsoft.Authorization/locks",
- "apiVersion": "2017-04-01",
+ "apiVersion": "2020-05-01",
 "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
 "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
 },
 "dependsOn": [
 "slot"
@@ -518,6 +593,28 @@
 "slot"
 ]
 },
+ "slot_roleAssignments": {
+ "copy": {
+ "name": "slot_roleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]",
+ "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "properties": {
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "slot"
+ ]
+ },
 "slot_appsettings": {
 "condition": 
"[not(empty(parameters('appSettingsKeyValuePairs')))]", "type": "Microsoft.Resources/deployments", 
@@ -958,133 +1055,6 @@
 "slot"
 ]
 },
- "slot_rbac": {
- "copy": {
- "name": "slot_rbac",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "[format('{0}-Slot-{1}-Rbac-{2}', uniqueString(deployment().name, parameters('location')), parameters('name'), copyIndex())]",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]",
- "principalIds": {
- "value": "[parameters('roleAssignments')[copyIndex()].principalIds]"
- },
- "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]",
- "roleDefinitionIdOrName": {
- "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]"
- },
- "resourceId": {
- "value": "[resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name'))]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12072533589555151999"
- }
- },
- "parameters": {
- "principalIds": {
- "type": "array",
- "metadata": {
- "description": "Required. The IDs of the principals to assign the role to."
- }
- },
- "roleDefinitionIdOrName": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
- }
- },
- "resourceId": {
- "type": "string",
- "metadata": {
- "description": "Required. 
The resource ID of the resource to apply the role assignment to."
- }
- },
- "principalType": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "ServicePrincipal",
- "Group",
- "User",
- "ForeignGroup",
- "Device",
- ""
- ],
- "metadata": {
- "description": "Optional. The principal type of the assigned principal ID."
- }
- },
- "description": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The description of the role assignment."
- }
- }
- },
- "variables": {
- "builtInRoleNames": {
- "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]",
- "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
- "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]",
- "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
- "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
- "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
- "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
- "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
- "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]",
- "Microsoft 
Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]",
- "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
- "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
- "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
- "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
- "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
- "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
- "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
- "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
- "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]"
- },
- "appName": "[split(parameters('resourceId'), '/')[add(indexOf(split(parameters('resourceId'), '/'), 'sites'), 1)]]"
- },
- "resources": [
- {
- "copy": {
- "name": "roleAssignment",
- "count": "[length(parameters('principalIds'))]"
- },
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2020-10-01-preview",
- "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', variables('appName'), last(split(parameters('resourceId'), '/')))]",
- "name": "[guid(resourceId('Microsoft.Web/sites/slots', variables('appName'), last(split(parameters('resourceId'), '/'))), 
parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]",
- "properties": {
- "description": "[parameters('description')]",
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]",
- "principalId": "[parameters('principalIds')[copyIndex()]]",
- "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]"
- }
- }
- ]
- }
- },
- "dependsOn": [
- "slot"
- ]
- },
 "slot_privateEndpoints": {
 "copy": {
 "name": "slot_privateEndpoints",
diff --git a/modules/web/static-site/.bicep/nested_roleAssignments.bicep b/modules/web/static-site/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index b61850b960..0000000000
--- a/modules/web/static-site/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,40 +0,0 @@
-param principalIds array
-param principalType string = ''
-param roleDefinitionIdOrName string
-param resourceId string
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft Sentinel Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')
- 'Microsoft Sentinel Playbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
- 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')
-}
-
-resource staticSite 'Microsoft.Web/staticSites@2021-02-01' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(staticSite.id, principalId, roleDefinitionIdOrName)
- properties: {
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- }
- scope: staticSite
-}]
diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep
index 356108e612..df0aa09ac0 100644
--- a/modules/web/static-site/.test/common/main.test.bicep
+++ b/modules/web/static-site/.test/common/main.test.bicep
@@ -78,9 +78,7 @@ module testDeployment '../../main.bicep' = {
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
- principalIds: [
- nestedDependencies.outputs.managedIdentityPrincipalId
- ]
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index 269e77d0d1..e52301ee36 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -84,9 +84,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 ]
 roleAssignments: [
 {
- principalIds: [
- ''
- ]
+ principalId: ''
 principalType: 'ServicePrincipal'
 roleDefinitionIdOrName: 'Reader'
 }
@@ -174,9 +172,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": [
- ""
- ],
+ "principalId": "",
 "principalType": "ServicePrincipal",
 "roleDefinitionIdOrName": "Reader"
 }
@@ -431,7 +427,68 @@ The name of the GitHub repository.
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: No
 - Type: array
-- Default: `[]`
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+### Parameter: `roleAssignments.condition`
+
+Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Optional. Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed: `[2.0]`
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+Optional. The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 ### Parameter: `sku`
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep
index 0097d465d6..757e3ae5b6 100644
--- a/modules/web/static-site/main.bicep
+++ b/modules/web/static-site/main.bicep
@@ -74,7 +74,7 @@ param tags object = {}
 param enableDefaultTelemetry bool = true
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
+param roleAssignments roleAssignmentType
 @description('Optional. Object with "resourceId" and "location" of the a user defined function app.')
 param linkedBackend object = {}
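Review bot: The unchanged `@description` still promises that "the display name of the role definition" is accepted, but after this change only the seven names in the `builtInRoleNames` map added in the next hunk resolve, and anything else is passed through as the literal `roleDefinitionId`. The `.bicep/nested_roleAssignments.bicep` that this diff deletes resolved nineteen names, including 'Log Analytics Reader', 'Monitoring Reader' and 'Resource Policy Contributor', so existing parameter files using those presumably now fail at deployment time with an opaque role-definition error. Either restore the dropped entries or reword the description to match, e.g. `...you can provide one of the display names resolved by this module (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), User Access Administrator, Web Plan Contributor, Website Contributor) or the fully qualified role definition resource ID.`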
@@ -97,6 +97,16 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b') + 'Website Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772') +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
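Review bot: `builtInRoleNames` resolves 7 display names where the nested template it replaces (removed further down in main.json) resolved 19, so names such as 'Monitoring Reader' or 'Log Analytics Contributor' no longer map here, and with the lookup used by the role-assignment resource an unlisted name is forwarded to `roleDefinitionId` verbatim and fails only at deployment time. That may well be intended (the survivors are the web-specific roles plus the generic Owner/Contributor/Reader/UAA set), but the contract is invisible to a reader of this variable. A header comment would make it explicit: `// Display name -> built-in role definition ID. Names not listed here are forwarded to roleDefinitionId unchanged and must be a fully qualified role definition resource ID.` It is also worth a one-line note that the map deliberately includes Owner and 'User Access Administrator', which let a caller delegate further access at the static site scope by display name alone.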
@@ -180,13 +190,18 @@ resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty scope: staticSite } -module staticSite_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-StaticSite-Rbac-${index}' - params: { - principalIds: roleAssignment.principalIds - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: staticSite.id +resource staticSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { + name: guid(staticSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + properties: { + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId } + scope: staticSite }] module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { 
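Review bot: The fall-through branch of `roleDefinitionId` forwards whatever string the caller supplied when it is not a key of `builtInRoleNames`, and nothing checks that it resembles a role definition resource ID, so a misspelled display name or a bare GUID reaches ARM as `roleDefinitionId` and is rejected only at deployment with an error that names neither the entry nor the cause. Because `name` is derived from the raw `roleDefinitionIdOrName` (matching the removed nested module, so existing assignments keep their names), the same principal/role pair given once by name and once by ID would also produce two differently named assignments for one (principal, role, scope) triple, which ARM may reject as a duplicate; that deserves a comment rather than a change, since altering the guid inputs would rename every existing assignment. I would add `// Unlisted names are forwarded verbatim and must be a fully qualified roleDefinitions resource ID` above the `roleDefinitionId` line and fix the trailing comment's typo: `// Must only be set if condition is set`. The loop is a complete resource declaration within the hunk.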
@@ -242,3 +257,26 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 342f27617e..3d50d77660 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6968838794819347181" + "templateHash": "10437554075248672747" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
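Review bot: The `roleDefinitionIdOrName` description says an ID can be given "instead" but not in which form, while the parameter-level description earlier in this file spells out the `/providers/Microsoft.Authorization/roleDefinitions/<guid>` format; since the type's descriptions are what the generated README shows per member, that detail belongs here: `@description('Required. The display name of a built-in role, or the fully qualified role definition resource ID (/providers/Microsoft.Authorization/roleDefinitions/<guid>). Unknown names are not validated.')`. Two further wording points: the `condition` text "This limits the resources it can be assigned to" reads as scope, whereas an ABAC condition narrows which actions/resources the granted permissions apply to, so `Optional. An ABAC condition that narrows the actions/resources this assignment grants access to, e.g. ...` is more accurate; and `principalType` is where a practitioner needs the hint that it should be set to 'ServicePrincipal' for an identity created in the same deployment, because leaving it unset can make the assignment fail on a not-yet-replicated principal (verify against current ARM guidance before wording it as a guarantee). The `| null` inside the `principalType` union is redundant with the trailing `?` and could be dropped for consistency with the other optional members.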
@@ -37,6 +37,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -181,8 +247,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } 
@@ -219,7 +284,16 @@ "variables": { "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" + } }, "resources": { "defaultTelemetry": { 
@@ -273,6 +347,28 @@ "staticSite" ] }, + "staticSite_roleAssignments": { + "copy": { + "name": "staticSite_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/staticSites/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Web/staticSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "staticSite" + ] + }, "staticSite_linkedBackend": { "condition": 
"[not(empty(parameters('linkedBackend')))]", "type": "Microsoft.Resources/deployments", 
@@ -782,101 +878,6 @@ "staticSite" ] }, - "staticSite_roleAssignments": { - "copy": { - "name": "staticSite_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "resourceId": { - "value": "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3353684850635934919" - } - }, - "parameters": { - "principalIds": { - "type": "array" - }, - "principalType": { - "type": "string", - "defaultValue": "" - }, - "roleDefinitionIdOrName": { - "type": "string" - }, - "resourceId": { - "type": "string" - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Microsoft Sentinel Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]", - "Microsoft Sentinel Playbook Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '51d6186e-6489-4900-b93f-92e23144cca5')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Web/staticSites/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Web/staticSites', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "staticSite" - ] - }, "staticSite_privateEndpoints": { "copy": { "name": "staticSite_privateEndpoints", diff --git a/utilities/tools/Set-Module.ps1 b/utilities/tools/Set-Module.ps1 index b5b1f6378c..ce4f910b5b 100644 --- a/utilities/tools/Set-Module.ps1 +++ b/utilities/tools/Set-Module.ps1 @@ -111,6 +111,10 @@ function Set-Module { # create reference as it must be loaded in the thread to work $ReadMeScriptFilePath = (Join-Path (Get-Item $PSScriptRoot).Parent.FullName 'pipelines' 'sharedScripts' 'Set-ModuleReadMe.ps1') + } else { + # Instatiate values to enable safe $using usage + $crossReferencedModuleList = $null + $ReadMeScriptFilePath = $null } # Using threading to speed up the process From 51a522d6e2c2be7c8ff456fc0c7ae917332f2f9a Mon Sep 17 00:00:00 2001 
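Review bot: The new `else` branch addresses an undefined-variable failure for `$using:`, but its comment only says "Instatiate values to enable safe $using usage", which misspells "Instantiate" and does not name the failure mode, so a later reader is likely to remove the branch as a no-op assignment of `$null`. I would write `# Initialise to $null so $using:crossReferencedModuleList and $using:ReadMeScriptFilePath resolve inside the parallel scriptblock even when readme generation is skipped (an undefined $using: variable is an error)`. Set-Module's body, including the parallel block that consumes these two values, lies outside the hunk, so whether a `$null` path is handled there cannot be confirmed from this view.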
From: CARMLPipelinePrincipal Date: Mon, 23 Oct 2023 20:46:39 +0000 Subject: [PATCH 051/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 48 +++++++++++----------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 2dcbde233f..7214269498 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -121,35 +121,35 @@ This section provides an overview of the library's feature set. | 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | | 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | | 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | -| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:7] | 313 | +| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:7] | 343 | | 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | :white_check_mark: | | :white_check_mark: | | | | | 102 | -| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 287 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 292 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 263 | -| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | :white_check_mark: | | :white_check_mark: | | | | | 77 | +| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | +| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 311 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 322 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 290 | +| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | | 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | -| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | :white_check_mark: | | :white_check_mark: | | | | | 73 | +| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 236 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 263 | | 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 372 | -| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | :white_check_mark: | | :white_check_mark: | | | | [L1:1] | 288 | -| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 194 | -| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 164 | -| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 340 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 309 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 430 | -| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | | 98 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2] | 290 | -| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | :white_check_mark: | | :white_check_mark: | | | | | 192 | -| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | :white_check_mark: | | :white_check_mark: | | | | | 94 | -| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 231 | -| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | | | | 158 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | :white_check_mark: | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 390 | -| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | :white_check_mark: | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 201 | -| Sum | | | 23 | 0 | 118 | 57 | 30 | 2 | 236 | 27382 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 399 | +| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | +| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | :white_check_mark: | | | 226 | +| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | :white_check_mark: | | | 196 | +| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 371 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 340 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 471 | +| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | :white_check_mark: | | | 122 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 319 | +| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | +| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | +| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 255 | +| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 184 | +| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 417 | +| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 231 | +| Sum | | | 0 | 0 | 118 | 57 | 30 | 2 | 238 | 28029 | ## Legend From c9c6a8f1b6a13e8e1d8eaf5c5b5efbb118cef739 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 24 Oct 2023 09:15:38 +1100 Subject: [PATCH 052/178] [Modules] Updated App Service Plan API to 2022-09-01 (#4143) * [Modules] Updated App Service Plans API Version * updated plans * Updated JSON and README * Set reserved to conditional --- modules/web/serverfarm/README.md | 33 +++++++++++++++++++++---------- modules/web/serverfarm/main.bicep | 14 +++++++++---- modules/web/serverfarm/main.json | 22 +++++++++++++++------ 3 files changed, 49 insertions(+), 20 deletions(-) diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 1ce43a5618..63e124fbc3 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -17,7 +17,7 @@ This module deploys an App Service Plan. | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Web/serverfarms` | [2021-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/serverfarms) | +| `Microsoft.Web/serverfarms` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/serverfarms) | ## Usage examples 
@@ -157,6 +157,12 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`name`](#parameter-name) | string | The name of the app service plan to deploy. | | [`sku`](#parameter-sku) | object | Defines the name, tier, size, family and capacity of the App Service Plan. | +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`reserved`](#parameter-reserved) | bool | When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false. | + **Optional parameters** | Parameter | Type | Description | 
@@ -169,12 +175,12 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`kind`](#parameter-kind) | string | Kind of server OS. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | | [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`serverOS`](#parameter-serveros) | string | Kind of server OS. | | [`tags`](#parameter-tags) | object | Tags of the resource. 
| | [`targetWorkerCount`](#parameter-targetworkercount) | int | Scaling worker count. | | [`targetWorkerSize`](#parameter-targetworkersize) | int | The instance size of the hosting plan (small, medium, or large). | @@ -238,6 +244,14 @@ Enable telemetry via a Globally Unique Identifier (GUID). - Type: bool - Default: `True` +### Parameter: `kind` + +Kind of server OS. +- Required: No +- Type: string +- Default: `'Windows'` +- Allowed: `[App, Elastic, FunctionApp, Linux, Windows]` + ### Parameter: `location` Location for all resources. @@ -292,6 +306,13 @@ If true, apps assigned to this App Service plan can be scaled independently. If - Type: bool - Default: `False` +### Parameter: `reserved` + +When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false. +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. @@ -360,14 +381,6 @@ Required. The name of the role to assign. If it cannot be found you can specify - Required: Yes - Type: string -### Parameter: `serverOS` - -Kind of server OS. -- Required: No -- Type: string -- Default: `'Windows'` -- Allowed: `[Linux, Windows]` - ### Parameter: `sku` Defines the name, tier, size, family and capacity of the App Service Plan. diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 8f4a5bb899..342503d5f1 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep 
@@ -18,10 +18,16 @@ param location string = resourceGroup().location
 
 @description('Optional. Kind of server OS.')
 @allowed([
+ 'App'
+ 'Elastic'
+ 'FunctionApp'
 'Windows'
 'Linux'
 ])
-param serverOS string = 'Windows'
+param kind string = 'Windows'
+
+@description('Conditional. When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false.')
+param reserved bool = false
 
 @description('Optional. The Resource ID of the App Service Environment to use for the App Service Plan.')
 param appServiceEnvironmentId string = ''
@@ -118,9 +124,9 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = {
 name: name
- kind: serverOS == 'Windows' ? '' : 'linux'
+ kind: kind
 location: location
 tags: tags
 sku: sku
@@ -131,7 +137,7 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
 } : null
 perSiteScaling: perSiteScaling
 maximumElasticWorkerCount: maximumElasticWorkerCount
- reserved: serverOS == 'Linux'
+ reserved: reserved
 targetWorkerCount: targetWorkerCount
 targetWorkerSizeId: targetWorkerSize
 zoneRedundant: zoneRedundant
diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json
index f35cc3c4b4..a7e447770f 100644
--- a/modules/web/serverfarm/main.json
+++ b/modules/web/serverfarm/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10390609619515936643"
+ "templateHash": "4349826726843363999"
 },
 "name": "App Service Plans",
 "description": "This module deploys an App Service Plan.",
@@ -127,10 +127,13 @@
 "description": "Optional. Location for all resources."
 }
 },
- "serverOS": {
+ "kind": {
 "type": "string",
 "defaultValue": "Windows",
 "allowedValues": [
+ "App",
+ "Elastic",
+ "FunctionApp",
 "Windows",
 "Linux"
 ],
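Review bot: Splitting `reserved` out of `kind` in the `@@ -18,10 +18,16 @@` hunk removes the guarantee the old code had: `reserved: serverOS == 'Linux'` could never disagree with the OS, whereas now `kind: 'Linux'` with the default `reserved: false` (or `kind: 'Windows'` with `reserved: true`) is accepted and only the parameter description asks callers to keep them aligned. Since a Bicep parameter default may reference another parameter, `param reserved bool = kind == 'Linux'` would keep the previous behaviour for existing callers while still allowing an explicit override for the new `App`/`Elastic`/`FunctionApp` kinds. A second, smaller point: the old code sent `kind: ''` for Windows and lowercase `'linux'` for Linux, while the new code forwards the allowed values `'Windows'`/`'Linux'` verbatim; I cannot confirm from this hunk how the resource provider treats the casing, so a test deployment of each value is worth doing before release. The resource body continues outside the `@@ -131,7 +137,7 @@` hunk.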
@@ -138,6 +141,13 @@ "description": "Optional. Kind of server OS." } }, + "reserved": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Conditional. When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false." + } + }, "appServiceEnvironmentId": { "type": "string", "defaultValue": "", @@ -305,9 +315,9 @@ }, "appServicePlan": { "type": "Microsoft.Web/serverfarms", - "apiVersion": "2021-02-01", + "apiVersion": "2022-09-01", "name": "[parameters('name')]", - "kind": "[if(equals(parameters('serverOS'), 'Windows'), '', 'linux')]", + "kind": "[parameters('kind')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": "[parameters('sku')]", @@ -316,7 +326,7 @@ "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentId'))), createObject('id', parameters('appServiceEnvironmentId')), null())]", "perSiteScaling": "[parameters('perSiteScaling')]", "maximumElasticWorkerCount": "[parameters('maximumElasticWorkerCount')]", - "reserved": "[equals(parameters('serverOS'), 'Linux')]", + "reserved": "[parameters('reserved')]", "targetWorkerCount": "[parameters('targetWorkerCount')]", "targetWorkerSizeId": "[parameters('targetWorkerSize')]", "zoneRedundant": "[parameters('zoneRedundant')]" @@ -404,7 +414,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('appServicePlan', '2021-02-01', 'full').location]" + "value": "[reference('appServicePlan', '2022-09-01', 'full').location]" } } } \ No newline at end of file From 4850eb68283ffd7ff9aae0a00ec3188b295bbc27 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Mon, 23 Oct 2023 22:16:30 +0000 Subject: [PATCH 053/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 7214269498..ad11637e3f 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -146,10 +146,10 @@ This section provides an overview of the library's feature set. | 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | | 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | | 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 255 | -| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 184 | +| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 417 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 231 | -| Sum | | | 0 | 0 | 118 | 57 | 30 | 2 | 238 | 28029 | +| Sum | | | 0 | 0 | 118 | 57 | 30 | 2 | 238 | 28034 | ## Legend From 90e7f301aa93f4089b632c1e7b92f3685c0961f3 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 24 Oct 2023 09:51:34 +1100 Subject: [PATCH 054/178] [Modules] Hotfix for the App Service Plan module to fix the conditional parameter description (#4144) * Quick fix to the App Service Plan Module * Updated parameter description --- modules/web/serverfarm/README.md | 4 ++-- modules/web/serverfarm/main.bicep | 2 +- modules/web/serverfarm/main.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 63e124fbc3..65ce8f30ab 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -161,7 +161,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`reserved`](#parameter-reserved) | bool | When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false. | +| [`reserved`](#parameter-reserved) | bool | Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. | **Optional parameters** 
@@ -308,7 +308,7 @@ If true, apps assigned to this App Service plan can be scaled independently. If ### Parameter: `reserved` -When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false. +Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. - Required: No - Type: bool - Default: `False` diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 342503d5f1..05345e30c2 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -26,7 +26,7 @@ param location string = resourceGroup().location ]) param kind string = 'Windows' -@description('Conditional. When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false.') +@description('Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true.') param reserved bool = false @description('Optional. The Resource ID of the App Service Environment to use for the App Service Plan.') diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index a7e447770f..f479b9e5e9 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4349826726843363999" + "templateHash": "17683178516724577324" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", 
@@ -145,7 +145,7 @@ "type": "bool", "defaultValue": false, "metadata": { - "description": "Conditional. When creating a Linux App Service Plan, the reserved field must be set to true, and when creating a Windows/app App Service Plan the reserved field must be set to false." + "description": "Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true." } }, "appServiceEnvironmentId": { From 579ac9763af18c70a4f5befbff8cafd2fbbf17d4 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 25 Oct 2023 13:23:37 +0200 Subject: [PATCH 055/178] [Modules] Updated PE schema to AVM specs (#4147) * Updated templates * Update to latest * Regenerated templates * Updated readmes * Applied fixes & regen --- .../.test/pe/main.test.bicep | 1 - .../configuration-store/README.md | 165 ++++++- .../configuration-store/main.bicep | 87 +++- .../configuration-store/main.json | 210 ++++++++- .../automation/automation-account/README.md | 163 ++++++- .../automation/automation-account/main.bicep | 85 +++- .../automation/automation-account/main.json | 211 ++++++++- .../.test/common/main.test.bicep | 8 +- modules/batch/batch-account/README.md | 250 ++++++++++- modules/batch/batch-account/main.bicep | 135 +++++- modules/batch/batch-account/main.json | 315 ++++++++++++- .../.test/common/main.test.bicep | 3 - modules/cache/redis-enterprise/README.md | 165 ++++++- modules/cache/redis-enterprise/main.bicep | 87 +++- modules/cache/redis-enterprise/main.json | 210 ++++++++- .../cache/redis/.test/common/main.test.bicep | 3 - modules/cache/redis/README.md | 165 ++++++- modules/cache/redis/main.bicep | 87 +++- modules/cache/redis/main.json | 210 ++++++++- .../account/.test/common/main.test.bicep | 1 - modules/cognitive-services/account/README.md | 165 ++++++- modules/cognitive-services/account/main.bicep | 87 +++- modules/cognitive-services/account/main.json | 210 ++++++++- .../registry/.test/pe/main.test.bicep | 1 - modules/container-registry/registry/README.md | 165 ++++++- .../container-registry/registry/main.bicep | 87 +++- modules/container-registry/registry/main.json | 210 ++++++++- .../factory/.test/common/main.test.bicep | 3 - modules/data-factory/factory/README.md | 165 ++++++- modules/data-factory/factory/main.bicep | 87 +++- modules/data-factory/factory/main.json | 210 ++++++++- .../workspace/.test/common/main.test.bicep | 3 - modules/databricks/workspace/README.md | 165 ++++++- modules/databricks/workspace/main.bicep | 87 +++- 
modules/databricks/workspace/main.json | 210 ++++++++- .../.test/common/main.test.bicep | 3 - .../digital-twins-instance/README.md | 165 ++++++- .../digital-twins-instance/main.bicep | 82 +++- .../digital-twins-instance/main.json | 205 ++++++++- .../.test/sqldb/main.test.bicep | 2 - .../document-db/database-account/README.md | 163 ++++++- .../document-db/database-account/main.bicep | 85 +++- .../document-db/database-account/main.json | 209 ++++++++- .../domain/.test/pe/main.test.bicep | 1 - modules/event-grid/domain/README.md | 165 ++++++- modules/event-grid/domain/main.bicep | 87 +++- modules/event-grid/domain/main.json | 210 ++++++++- .../event-grid/topic/.test/pe/main.test.bicep | 1 - modules/event-grid/topic/README.md | 165 ++++++- modules/event-grid/topic/main.bicep | 87 +++- modules/event-grid/topic/main.json | 210 ++++++++- .../namespace/.test/pe/main.test.bicep | 1 - modules/event-hub/namespace/README.md | 165 ++++++- modules/event-hub/namespace/main.bicep | 87 +++- modules/event-hub/namespace/main.json | 210 ++++++++- .../.test/common/main.test.bicep | 3 - modules/insights/private-link-scope/README.md | 165 ++++++- .../insights/private-link-scope/main.bicep | 87 +++- modules/insights/private-link-scope/main.json | 212 ++++++++- modules/key-vault/vault/README.md | 163 ++++++- modules/key-vault/vault/main.bicep | 87 +++- modules/key-vault/vault/main.json | 210 ++++++++- .../workspace/.test/common/main.test.bicep | 1 - .../workspace/README.md | 165 ++++++- .../workspace/main.bicep | 84 +++- .../workspace/main.json | 207 ++++++++- modules/network/application-gateway/README.md | 163 ++++++- .../network/application-gateway/main.bicep | 85 +++- modules/network/application-gateway/main.json | 209 ++++++++- modules/purview/account/main.bicep | 10 +- .../vault/.test/common/main.test.bicep | 3 - modules/recovery-services/vault/README.md | 165 ++++++- modules/recovery-services/vault/main.bicep | 87 +++- modules/recovery-services/vault/main.json | 212 ++++++++- 
.../relay/namespace/.test/pe/main.test.bicep | 1 - modules/relay/namespace/README.md | 165 ++++++- modules/relay/namespace/main.bicep | 87 +++- modules/relay/namespace/main.json | 210 ++++++++- .../search-service/.test/pe/main.test.bicep | 1 - modules/search/search-service/README.md | 165 ++++++- modules/search/search-service/main.bicep | 85 +++- modules/search/search-service/main.json | 208 ++++++++- .../namespace/.test/pe/main.test.bicep | 1 - modules/service-bus/namespace/README.md | 165 ++++++- modules/service-bus/namespace/main.bicep | 87 +++- modules/service-bus/namespace/main.json | 212 ++++++++- .../signal-r/.test/common/main.test.bicep | 3 - modules/signal-r-service/signal-r/README.md | 165 ++++++- modules/signal-r-service/signal-r/main.bicep | 88 +++- modules/signal-r-service/signal-r/main.json | 214 ++++++++- .../web-pub-sub/.test/common/main.test.bicep | 2 - .../web-pub-sub/.test/pe/main.test.bicep | 3 - .../signal-r-service/web-pub-sub/README.md | 165 ++++++- .../signal-r-service/web-pub-sub/main.bicep | 88 +++- .../signal-r-service/web-pub-sub/main.json | 214 ++++++++- .../sql/server/.test/common/main.test.bicep | 2 - modules/sql/server/.test/pe/main.test.bicep | 3 - modules/sql/server/README.md | 165 ++++++- modules/sql/server/main.bicep | 87 +++- modules/sql/server/main.json | 212 ++++++++- modules/storage/storage-account/README.md | 163 ++++++- modules/storage/storage-account/main.bicep | 85 +++- modules/storage/storage-account/main.json | 211 ++++++++- .../.test/common/main.test.bicep | 2 - modules/synapse/private-link-hub/README.md | 163 ++++++- modules/synapse/private-link-hub/main.bicep | 85 +++- modules/synapse/private-link-hub/main.json | 211 ++++++++- .../workspace/.test/common/main.test.bicep | 2 - modules/synapse/workspace/README.md | 163 ++++++- modules/synapse/workspace/main.bicep | 85 +++- modules/synapse/workspace/main.json | 209 ++++++++- .../.test/functionAppCommon/main.test.bicep | 1 - .../site/.test/webAppCommon/main.test.bicep | 2 
- modules/web/site/README.md | 169 ++++++- modules/web/site/main.bicep | 87 +++- modules/web/site/main.json | 424 ++++++++++++++++-- modules/web/site/slot/README.md | 163 ++++++- modules/web/site/slot/main.bicep | 84 +++- modules/web/site/slot/main.json | 210 ++++++++- .../static-site/.test/common/main.test.bicep | 1 - modules/web/static-site/README.md | 165 ++++++- modules/web/static-site/main.bicep | 87 +++- modules/web/static-site/main.json | 210 ++++++++- 123 files changed, 13558 insertions(+), 1259 deletions(-) diff --git a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep index 967fb336b2..8b5d2ee82c 100644 --- a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/pe/main.test.bicep @@ -59,7 +59,6 @@ module testDeployment '../../main.bicep' = { nestedDependencies.outputs.privateDNSZoneResourceId ] - service: 'configurationStores' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index cb2b945d6f..cc0ac05199 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -404,7 +404,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor privateDnsZoneResourceIds: [ '' ] - service: 'configurationStores' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -458,7 +457,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "privateDnsZoneResourceIds": [ "" ], - "service": "configurationStores", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -690,7 +688,168 @@ Name of the Azure App Configuration. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep
index 2853afd817..e3cb9d897f 100644
--- a/modules/app-configuration/configuration-store/main.bicep
+++ b/modules/app-configuration/configuration-store/main.bicep
@@ -109,7 +109,7 @@ param diagnosticMetricsToEnable array = [
 param diagnosticSettingsName string = ''
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 var enableReferencedModulesTelemetry = false
@@ -247,27 +247,27 @@ resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignm
 scope: configurationStore
 }]
-module configurationStore_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-AppConfig-PrivateEndpoint-${index}'
+module configurationStore_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-configurationStore-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'configurationStores'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(configurationStore.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(configurationStore.id, '/'))}-${privateEndpoint.?service ?? 'configurationStores'}-${index}'
 serviceResourceId: configurationStore.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
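Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` never declares; the type exposes `enableTelemetry: bool?`, so the safe-dereference is always null and the per-endpoint telemetry switch advertised in the generated README tables is silently ignored. Either rename the type property to `enableDefaultTelemetry` or read the declared one: `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`. The same mismatch is in the automation-account module loop of this commit. Separately, `privateDnsZoneGroupName`, `privateDnsZoneResourceIds`, `roleAssignments`, `manualPrivateLinkServiceConnections`, `customDnsConfigs`, `ipConfigurations`, `applicationSecurityGroupResourceIds` and `customNetworkInterfaceName` now forward null where the old code supplied `'default'`, `[]` or `''`, which is only equivalent if `network/private-endpoint/main.bicep` declares those parameters nullable with the same defaults — that module is not part of this diff, so it is worth confirming before merge.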
@@ -320,3 +320,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json
index b33ac571a2..1939f9e922 100644
--- a/modules/app-configuration/configuration-store/main.json
+++ b/modules/app-configuration/configuration-store/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6369795198823213489" + "templateHash": "9341270782122671710" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.",
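Review bot: The nested members of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, which is why the generated README tables in this commit show empty Description cells for exactly those rows. Adding a one-line `@description('Required. …')` / `@description('Optional. …')` above each nested member, in the same style as the top-level members, would make the README generator output complete. As a style point, `tags: object?` and `manualPrivateLinkServiceConnections: array?` are the only untyped members of an otherwise fully typed object; if the shape of those is known, typing them would let the compiler validate caller input the same way it now does for `privateDnsZoneResourceIds: string[]?`.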
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -314,8 +463,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -623,11 +771,11 @@ "configurationStore_privateEndpoints": { "copy": { "name": "configurationStore_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-AppConfig-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-configurationStore-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -636,32 +784,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'configurationStores')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'configurationStores'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 1930cea49f..c68194e8d3 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md 
@@ -809,7 +809,168 @@ Name of the Automation Account. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
index 6afbd479a3..1534d5e0c9 100644
--- a/modules/automation/automation-account/main.bicep
+++ b/modules/automation/automation-account/main.bicep
@@ -63,7 +63,7 @@ param publicNetworkAccess string = ''
 param disableLocalAuth bool = true
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -376,27 +376,27 @@ resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSett
 scope: automationAccount
 }
-module automationAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-AutomationAccount-PrivateEndpoint-${index}'
+module automationAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-automationAccount-PrivateEndpoint-${index}'
 params: {
 groupIds: [
 privateEndpoint.service
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(automationAccount.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(automationAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}'
 serviceResourceId: automationAccount.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
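Review bot: `${privateEndpoint.?service ?? privateEndpoint.service}` in the default endpoint name is a no-op coalesce: this module's `privateEndpointType` declares `service: string` (non-nullable) and `groupIds` already reads `privateEndpoint.service` unconditionally a few lines above, so the fallback can never be reached and the expression should simply be `${privateEndpoint.service}`. The default-name prefix also changes from `pe-` to `pep-` in the same line; presumably a consumer who never set `name` and redeploys will get a new private endpoint created next to the existing one rather than an in-place update, which deserves a mention in the module's release notes. Unlike the configuration-store variant in this commit, there is no literal default group id here, which is consistent with `service` being required, but the README table for this module should then not also list it under an "Optional." description anywhere.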
@@ -463,3 +463,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json
index 985e446999..b148064e91 100644
--- a/modules/automation/automation-account/main.json
+++ b/modules/automation/automation-account/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3326115311371302534" + "templateHash": "17662801875891298684" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.",
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -234,8 +382,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -2136,11 +2283,11 @@ "automationAccount_privateEndpoints": { "copy": { "name": "automationAccount_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-AutomationAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-automationAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2149,32 +2296,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Automation/automationAccounts', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - 
"applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep
index f579e79863..e7fbf8557e 100644
--- a/modules/batch/batch-account/.test/common/main.test.bicep
+++ b/modules/batch/batch-account/.test/common/main.test.bicep
@@ -78,9 +78,15 @@ module testDeployment '../../main.bicep' = {
 name: 'myCustomLockName'
 }
 poolAllocationMode: 'BatchService'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
 privateEndpoints: [
 {
- service: 'batchAccount'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 privateDnsZoneResourceIds: [
 nestedDependencies.outputs.privateDNSZoneResourceId
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index 74a18e3afd..f6b69b8e94 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -72,7 +72,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
 roleDefinitionIdOrName: 'Reader'
 }
 ]
- service: 'batchAccount'
 subnetResourceId: ''
 tags: {
 Environment: 'Non-Prod'
@@ -81,6 +80,13 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
 }
 }
 ]
+ roleAssignments: [
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
 storageAccessIdentity: ''
 storageAuthenticationMode: 'BatchAccountManagedIdentity'
 systemAssignedIdentity: true
@@ -150,7 +156,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
 "roleDefinitionIdOrName": "Reader"
 }
 ],
- "service": "batchAccount",
 "subnetResourceId": "",
 "tags": {
 "Environment": "Non-Prod",
@@ -160,6 +165,15 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { } ] }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, "storageAccessIdentity": { "value": "" }, 
@@ -393,6 +407,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { | [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`storageAccessIdentity`](#parameter-storageaccessidentity) | string | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. | | [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. | | [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | 
@@ -561,7 +576,168 @@ The allocation mode for creating pools in the Batch account. Determines which qu Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
@@ -571,6 +747,74 @@ Whether or not public network access is allowed for this resource. For security - Default: `''` - Allowed: `['', Disabled, Enabled]` +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + ### Parameter: `storageAccessIdentity` The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index e0f720a1d2..eba075cf69 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep 
@@ -38,7 +38,7 @@ param poolAllocationMode string = 'BatchService'
 param keyVaultReferenceResourceId string = ''
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.')
 @allowed([
@@ -76,6 +76,9 @@ param lock lockType
 @description('Optional. Tags of the resource.')
 param tags object = {}
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments roleAssignmentType
+
 @allowed([
 'AAD'
 'SharedKey'
@@ -159,6 +162,14 @@ var autoStorageConfig = {
 
 var enableReferencedModulesTelemetry = false
 
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -231,27 +242,41 @@ resource batchAccount_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@
 scope: batchAccount
 }
 
-module batchAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-BatchAccount-PrivateEndpoint-${index}'
+resource batchAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(batchAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+ }
+ scope: batchAccount
+}]
+
+module batchAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-batchAccount-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'batchAccount'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(batchAccount.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(batchAccount.id, '/'))}-${privateEndpoint.?service ?? 
'batchAccount'}-${index}'
 serviceResourceId: batchAccount.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? 
tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
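Review bot: `name: guid(batchAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` keys the role assignment on the caller's raw input, while `properties.roleDefinitionId` sends the resolved ID to Azure; one entry written as `Reader` and another written as the full definition ID for the same principal would therefore produce two differently named resources that target one and the same assignment, and the second is rejected by Azure as already existing rather than being caught as a duplicate name up front. Hashing the resolved value keeps the name stable however the role is spelled: `name: guid(batchAccount.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)`. The inline comment on conditionVersion also misspells the word: `// Must only be set if condition is set`.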
@@ -278,3 +303,81 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index 3c256755bd..bb2a24b4de 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json 
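Review bot: The last member of the new `privateEndpointType`, `enableTelemetry: bool?`, is never read: the consuming loop earlier in this file passes `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry`, a property the type does not declare, and the compiled main.json in this commit confirms it as `tryGet(..., 'enableDefaultTelemetry')`. The safe-dereference compiles because the object type is not sealed, so a caller who sets `enableTelemetry` on an endpoint gets it silently ignored and the module-level `enableReferencedModulesTelemetry` always wins. Either point the consumer at the typed member, `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, or rename the member to `enableDefaultTelemetry` so the documented name is the one that takes effect. The identical type is added to the redis-enterprise module in this commit and has the same drift.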
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2439163015108038599" + "templateHash": "1328678841391905998" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", 
@@ -37,6 +37,221 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." 
+ } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. 
Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -110,8 +325,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } 
@@ -187,6 +401,12 @@ "description": "Optional. Tags of the resource." } }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, "allowedAuthenticationModes": { "type": "array", "defaultValue": [], @@ -301,7 +521,14 @@ "nodeIdentityReference": "[variables('nodeIdentityReference')]", "storageAccountId": "[parameters('storageAccountId')]" }, - "enableReferencedModulesTelemetry": false + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -391,14 +618,36 @@ "batchAccount" ] }, + "batchAccount_roleAssignments": { + "copy": { + "name": "batchAccount_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "batchAccount" + ] + }, "batchAccount_privateEndpoints": { "copy": { "name": 
"batchAccount_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-BatchAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-batchAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -407,32 +656,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'batchAccount')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Batch/batchAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'batchAccount'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep index dafcb37396..62c880c6f8 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep @@ -89,11 +89,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'redisEnterprise' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 6b9779d29b..c8f5d1c37f 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -86,7 +86,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'redisEnterprise' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -185,7 +184,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "redisEnterprise", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -546,7 +544,168 @@ The name of the Redis Cache Enterprise resource. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `roleAssignments` 
diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index 5def57823e..a8c918829d 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep @@ -44,7 +44,7 @@ param skuName string = 'Enterprise_E10' param zoneRedundant bool = true @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. The databases to create in the Redis Cache Enterprise Cluster.') param databases array = [] 
@@ -198,27 +198,27 @@ module redisEnterprise_databases 'database/main.bicep' = [for (database, index) } }] -module redisEnterprise_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-redisCacheEnterprise-PrivateEndpoint-${index}' +module redisEnterprise_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-redisEnterprise-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'redisEnterprise' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redisEnterprise.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(redisEnterprise.id, '/'))}-${privateEndpoint.?service ?? 'redisEnterprise'}-${index}' serviceResourceId: redisEnterprise.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
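Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` does not declare; the typed member is `enableTelemetry: bool?`, so a value set through the documented property is ignored and the fallback always applies. Change the line to `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` (or rename the type member) so the two agree. Separately, `privateDnsZoneGroupName` and the other `privateEndpoint.?x` arguments now pass `null` where the old code passed `'default'`, `[]` or `''`; this presumably relies on the private-endpoint module declaring those parameters as nullable with its own defaults, which is worth confirming since that module is not part of this diff.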
@@ -271,3 +271,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index dd581fe4b8..31d6df1989 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6097715803536632685" + "templateHash": "12857398091231906452" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -181,8 +330,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -614,11 +762,11 @@ "redisEnterprise_privateEndpoints": { "copy": { "name": "redisEnterprise_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-redisCacheEnterprise-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-redisEnterprise-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -627,32 +775,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisEnterprise')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisEnterprise'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep index 2b0142168f..9e37b1ba2c 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/.test/common/main.test.bicep @@ -83,11 +83,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'redisCache' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 1b199e2075..3a725e5ead 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -67,7 +67,6 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'redisCache' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -150,7 +149,6 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "redisCache", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
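Review bot: As rendered, the hunk in modules/cache/redis/.test/common/main.test.bicep removes the closing `]` of `privateDnsZoneResourceIds` together with its only element, which would leave `privateDnsZoneResourceIds: [` followed directly by `subnetResourceId`; the header counts 11 old lines but only 9 are visible here, so the rendering may have dropped lines — please confirm the test still compiles and still deploys the endpoint with a DNS zone group. If the intent mirrors the README change, removing only `service: 'redisCache'` is enough, since `service` now defaults to `'redisCache'` in the module.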
@@ -415,7 +413,168 @@ The name of the Redis cache resource. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep
index eadf8ece68..947bf9d72c 100644
--- a/modules/cache/redis/main.bicep
+++ b/modules/cache/redis/main.bicep
@@ -100,7 +100,7 @@ param zoneRedundant bool = true
 param zones array = []
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
 param diagnosticSettingsName string = ''
@@ -250,27 +250,27 @@ resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-
 scope: redis
 }]
-module redis_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-redisCache-PrivateEndpoint-${index}'
+module redis_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-redis-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'redisCache'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(redis.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(redis.id, '/'))}-${privateEndpoint.?service ?? 'redisCache'}-${index}'
 serviceResourceId: redis.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
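Review bot: The default endpoint name moves from `'pe-${last(split(redis.id, '/'))}-…'` to `'pep-…'` and the deployment name from `redisCache-PrivateEndpoint` to `redis-PrivateEndpoint`; a consumer who never set `name` will most likely end up with a second private endpoint on the next deployment while the old `pe-…` one is left behind, so this should be flagged as a breaking change (or the old default kept unless the rename is intentional). The same rename is in the `redisEnterprise_privateEndpoints` hunk of modules/cache/redis-enterprise/main.bicep. `tags: privateEndpoint.?tags ?? tags` also changes the fallback from `{}` to the module-level `tags`, which is reasonable but deserves a line in the description of the change.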
@@ -329,3 +329,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 97179d1921..063248bb2f 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14560598039949913276" + "templateHash": "17149457763698369113" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -289,8 +438,7 @@
 }
 },
 "privateEndpoints": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/privateEndpointType",
 "metadata": {
 "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible."
 }
@@ -500,11 +648,11 @@
 "redis_privateEndpoints": {
 "copy": {
 "name": "redis_privateEndpoints",
- "count": "[length(parameters('privateEndpoints'))]"
+ "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]"
 },
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('{0}-redisCache-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
+ "name": "[format('{0}-redis-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
@@ -513,32 +661,54 @@
 "parameters": {
 "groupIds": {
 "value": [
- "[parameters('privateEndpoints')[copyIndex()].service]"
+ "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisCache')]"
 ]
 },
- "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redis', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]",
+ "name": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Cache/redis', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'redisCache'), copyIndex()))]"
+ },
 "serviceResourceId": {
 "value": "[resourceId('Microsoft.Cache/redis', parameters('name'))]"
 },
 "subnetResourceId": {
- "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]"
+ "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]"
 },
 "enableDefaultTelemetry": {
- "value": "[variables('enableReferencedModulesTelemetry')]"
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]"
+ },
+ "location": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]"
 },
- "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
 "lock": {
- "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]"
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]"
+ },
+ "privateDnsZoneGroupName": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]"
+ },
+ "privateDnsZoneResourceIds": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]"
+ },
+ "roleAssignments": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]"
 },
- "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
- "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
- "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
- "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
- "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
- "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
- "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]",
- "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]"
+ "tags": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]"
+ },
+ "manualPrivateLinkServiceConnections": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]"
+ },
+ "customDnsConfigs": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]"
+ },
+ "ipConfigurations": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]"
+ },
+ "applicationSecurityGroupResourceIds": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]"
+ },
+ "customNetworkInterfaceName": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep
index 4c1d011d2e..45695d9d0f 100644
--- a/modules/cognitive-services/account/.test/common/main.test.bicep
+++ b/modules/cognitive-services/account/.test/common/main.test.bicep
@@ -108,7 +108,6 @@ module testDeployment '../../main.bicep' = {
 privateDnsZoneResourceIds: [
 nestedDependencies.outputs.privateDNSZoneResourceId
 ]
- service: 'account'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
 'hidden-title': 'This is visible in the resource name'
diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md
index f4a53494f4..f156a8eb2b 100644
--- a/modules/cognitive-services/account/README.md
+++ b/modules/cognitive-services/account/README.md
@@ -81,7 +81,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {
 privateDnsZoneResourceIds: [
 ''
 ]
- service: 'account'
 subnetResourceId: ''
 tags: {
 Environment: 'Non-Prod'
@@ -177,7 +176,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {
 "privateDnsZoneResourceIds": [
 ""
 ],
- "service": "account",
 "subnetResourceId": "",
 "tags": {
 "Environment": "Non-Prod",
@@ -703,7 +701,168 @@ A collection of rules governing the accessibility from specific network location Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep
index 80194a13c1..0f980e98b5 100644
--- a/modules/cognitive-services/account/main.bicep
+++ b/modules/cognitive-services/account/main.bicep
@@ -84,7 +84,7 @@ param customSubDomainName string = ''
 param networkAcls object = {}
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -306,27 +306,27 @@ resource cognitiveServices_diagnosticSettingName 'Microsoft.Insights/diagnostics
 scope: cognitiveServices
 }
 
-module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-CognitiveServices-PrivateEndpoint-${index}'
+module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-cognitiveServices-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'account'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(cognitiveServices.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(cognitiveServices.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
 serviceResourceId: cognitiveServices.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
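Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` does not declare; the type exposes `enableTelemetry: bool?`, so a caller's `enableTelemetry` value is silently ignored and the parent default always wins. Change it to `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` (or rename the type property to match) and rebuild, since the compiled main.json hunks above and below carry the same `'enableDefaultTelemetry'` lookup against a definition that only knows `enableTelemetry`. The default name also moves from `pe-…` to `pep-…`; for consumers who never set `name`, a redeploy would presumably create a second private endpoint and leave the original (with its NIC and DNS zone group records) in place, so that deserves a breaking-change note. `privateDnsZoneGroupName` now forwards null where `'default'` was passed before, which is only safe if the private-endpoint module supplies its own default — that module is not visible here.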
@@ -396,3 +396,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json
index 757da4d9aa..c2cff22d63 100644
--- a/modules/cognitive-services/account/main.json
+++ b/modules/cognitive-services/account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7200785404401861698"
+ "templateHash": "16169766026714928311"
 },
 "name": "Cognitive Services",
 "description": "This module deploys a Cognitive Service.",
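Review bot: The nested fields of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, so the generated README above renders their table rows with an empty description column. Add one decorator per field, e.g. `@description('Required. A list of private IP addresses of the private endpoint.')` above `ipAddresses: string[]`, so the contract is documented at the type the README is built from. `manualPrivateLinkServiceConnections: array?` is the one array field left without an element type while every other array here got one; if its shape is known it would benefit from the same treatment.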
@@ -103,6 +103,155 @@
 }
 },
 "nullable": true
+ },
+ "privateEndpointType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the private endpoint."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The location to deploy the private endpoint to."
+ }
+ },
+ "service": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"."
+ }
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Resource ID of the subnet where the endpoint needs to be created."
+ }
+ },
+ "privateDnsZoneGroupName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided."
+ }
+ },
+ "privateDnsZoneResourceIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones."
+ }
+ },
+ "customDnsConfigs": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "fqdn": {
+ "type": "string",
+ "nullable": true
+ },
+ "ipAddresses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Custom DNS configurations."
+ }
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "groupId": {
+ "type": "string"
+ },
+ "memberName": {
+ "type": "string"
+ },
+ "privateIpAddress": {
+ "type": "string"
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
+ }
+ },
+ "applicationSecurityGroupResourceIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Application security groups in which the private endpoint IP configuration is included."
+ }
+ },
+ "customNetworkInterfaceName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The custom name of the network interface attached to the private endpoint."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "roleAssignments": {
+ "$ref": "#/definitions/roleAssignmentType",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags to be applied on all resources/resource groups in this deployment."
+ }
+ },
+ "manualPrivateLinkServiceConnections": {
+ "type": "array",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Manual PrivateLink Service Connections."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -230,8 +379,7 @@
 }
 },
 "privateEndpoints": {
- "type": "array",
- "defaultValue": [],
+ "$ref": "#/definitions/privateEndpointType",
 "metadata": {
 "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible."
 }
@@ -583,11 +731,11 @@
 "cognitiveServices_privateEndpoints": {
 "copy": {
 "name": "cognitiveServices_privateEndpoints",
- "count": "[length(parameters('privateEndpoints'))]"
+ "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]"
 },
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('{0}-CognitiveServices-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
+ "name": "[format('{0}-cognitiveServices-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
@@ -596,32 +744,54 @@
 "parameters": {
 "groupIds": {
 "value": [
- "[parameters('privateEndpoints')[copyIndex()].service]"
+ "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account')]"
 ]
 },
- "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]",
+ "name": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.CognitiveServices/accounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account'), copyIndex()))]"
+ },
 "serviceResourceId": {
 "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]"
 },
 "subnetResourceId": {
- "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]"
+ "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]"
 },
 "enableDefaultTelemetry": {
- "value": "[variables('enableReferencedModulesTelemetry')]"
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]"
+ },
+ "location": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]"
 },
- "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]",
 "lock": {
- "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]"
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]"
+ },
+ "privateDnsZoneGroupName": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]"
+ },
+ "privateDnsZoneResourceIds": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]"
+ },
+ "roleAssignments": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]"
 },
- "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
- "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
- "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
- "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
- "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
- "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
- "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]",
- "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]"
+ "tags": {
+ "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]"
+ },
+ "manualPrivateLinkServiceConnections": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]"
+ },
+ "customDnsConfigs": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]"
+ },
+ "ipConfigurations": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]"
+ },
+ "applicationSecurityGroupResourceIds": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]"
+ },
+ "customNetworkInterfaceName": {
+ "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/container-registry/registry/.test/pe/main.test.bicep b/modules/container-registry/registry/.test/pe/main.test.bicep
index a0708497ad..f3f4cf3339 100644
--- a/modules/container-registry/registry/.test/pe/main.test.bicep
+++ b/modules/container-registry/registry/.test/pe/main.test.bicep
@@ -52,7 +52,6 @@ module testDeployment '../../main.bicep' = {
 acrSku: 'Premium'
 privateEndpoints: [
 {
- service: 'registry'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 privateDnsZoneResourceIds: [
 nestedDependencies.outputs.privateDNSZoneResourceId
diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md
index a538ee678a..c2daee1c97 100644
--- a/modules/container-registry/registry/README.md
+++ b/modules/container-registry/registry/README.md
@@ -430,7 +430,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 privateDnsZoneResourceIds: [
 ''
 ]
- service: 'registry'
 subnetResourceId: ''
 tags: {
 Environment: 'Non-Prod'
@@ -477,7 +476,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
 "privateDnsZoneResourceIds": [
 ""
 ],
- "service": "registry",
 "subnetResourceId": "",
 "tags": {
 "Environment": "Non-Prod",
@@ -765,7 +763,168 @@ The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep
index 6cd474fcec..373ad0d281 100644
--- a/modules/container-registry/registry/main.bicep
+++ b/modules/container-registry/registry/main.bicep
@@ -101,7 +101,7 @@ param networkRuleSetDefaultAction string = 'Deny'
 param networkRuleSetIpRules array = []
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the \'acrSku\' to be \'Premium\'.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @allowed([
 'Disabled'
@@ -385,27 +385,27 @@ resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-
 scope: registry
 }]
 
-module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}'
+module registry_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-registry-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'registry'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(registry.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(registry.id, '/'))}-${privateEndpoint.?service ?? 'registry'}-${index}'
 serviceResourceId: registry.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
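Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` does not declare — the type and the generated README expose it as `enableTelemetry: bool?` — so a caller who sets `enableTelemetry: false` on an endpoint still gets the module-level fallback and the per-endpoint opt-out is silently ignored. The line should read `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`. The `dataFactory_privateEndpoints` hunk further down has the same mismatch, and the compiled main.json of both modules carries it forward as `tryGet(…, 'enableDefaultTelemetry')`, so the fix needs a rebuild. Separately, `privateDnsZoneGroupName` and the list parameters now forward `null` where the old code passed `'default'` and `[]`; this presumably relies on the private-endpoint module's own defaults, which are outside this diff and worth confirming.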
@@ -461,3 +461,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json
index d643bb198c..22da0543a6 100644
--- a/modules/container-registry/registry/main.json
+++ b/modules/container-registry/registry/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1785285011964376463"
+ "templateHash": "13701712585217566427"
 },
 "name": "Azure Container Registries (ACR)",
 "description": "This module deploys an Azure Container Registry (ACR).",
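Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the README regenerated in this same commit shows the consequence: their table rows have an empty Description column. A one-line `@description('Required. …')` or `@description('Optional. …')` above each, in the same form the top-level properties use, would fix the documentation at its source. `manualPrivateLinkServiceConnections: array?` is also left untyped while every sibling list gets an element type; if the expected shape is known, declaring it would let Bicep validate callers' input the way it does for `customDnsConfigs`.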
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -275,8 +424,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'." } @@ -1139,11 +1287,11 @@ "registry_privateEndpoints": { "copy": { "name": "registry_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-ContainerRegistry-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-registry-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1152,32 +1300,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'registry'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 1fae6339c0..c0692ca43a 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep @@ -118,11 +118,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'dataFactory' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 6ae177c9e1..82283fdb1c 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -103,7 +103,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'dataFactory' subnetResourceId: '' tags: { application: 'CARML' @@ -228,7 +227,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "dataFactory", "subnetResourceId": "", "tags": { "application": "CARML", 
@@ -590,7 +588,168 @@ The name of the Azure Factory to create. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep
index c90d4d9801..ead4706f37 100644
--- a/modules/data-factory/factory/main.bicep
+++ b/modules/data-factory/factory/main.bicep
@@ -77,7 +77,7 @@ param systemAssignedIdentity bool = false
 param userAssignedIdentities object = {}
 
 @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
 param cMKKeyVaultResourceId string = ''
@@ -273,27 +273,27 @@ resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@20 scope: dataFactory }] -module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-DataFactory-PrivateEndpoint-${index}' +module dataFactory_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-dataFactory-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'dataFactory' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(dataFactory.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(dataFactory.id, '/'))}-${privateEndpoint.?service ?? 'dataFactory'}-${index}' serviceResourceId: dataFactory.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
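Review bot: The rewritten `enableDefaultTelemetry` line reads `privateEndpoint.?enableDefaultTelemetry`, but the `privateEndpointType` added further down in this file declares the per-endpoint flag as `enableTelemetry: bool?` and has no `enableDefaultTelemetry` member, so a caller who sets `enableTelemetry` on an entry is silently ignored and the value always falls back to `enableReferencedModulesTelemetry` (the compiled main.json in this commit carries the same `'enableDefaultTelemetry'` key). Either read the declared member, `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, or rename the type member to match. The same mismatch is in the `workspace_privateEndpoints` loop of modules/databricks/workspace/main.bicep in this commit. Note also that the default endpoint name prefix changes from `pe-` to `pep-`; for existing deployments that relied on the default, an incremental redeploy would presumably create a new private endpoint under the new name rather than rename the old one, leaving the previous endpoint and its private link connection in place until cleaned up, which is worth stating in the change description.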
@@ -346,3 +346,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index 1213204e82..3537a59a94 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6726222528334503492" + "templateHash": "3087206117365778401" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", 
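Review bot: The nested object members of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, so the README tables generated in this commit render empty Description cells for those rows. A one-line `@description('Optional. …')` / `@description('Required. …')` above each nested member, with wording taken from the private-endpoint module's own parameter descriptions, would fix the rendered docs. `manualPrivateLinkServiceConnections: array?` is the one member left untyped while every sibling gets a shape; if the element structure is known, typing it would give callers the same validation. The `privateEndpointType` added to modules/databricks/workspace/main.bicep in this commit has the same gaps.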
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -271,8 +420,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -908,11 +1056,11 @@ "dataFactory_privateEndpoints": { "copy": { "name": "dataFactory_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-DataFactory-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-dataFactory-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -921,32 +1069,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'dataFactory')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.DataFactory/factories', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DataFactory/factories', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'dataFactory'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.DataFactory/factories', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index 756379bda5..d007056101 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep @@ -121,11 +121,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'databricks_ui_api' subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId tags: { Environment: 'Non-Prod' diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 7b1bdd1cb9..74096d1456 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -84,7 +84,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'databricks_ui_api' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -217,7 +216,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "databricks_ui_api", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
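Review bot: As rendered, the main.test.bicep hunk removes three lines — the `nestedDependencies.outputs.privateDNSZoneResourceId` entry, the closing `]`, and `service: 'databricks_ui_api'` — which would leave `privateDnsZoneResourceIds: [` unclosed; the -11/+8 counts agree with three removals, so please confirm the test still compiles, or whether the collapsed rendering has lost a line. Dropping `service` is consistent with the new `'databricks_ui_api'` default in main.bicep. If the removal of the DNS zone id is real, the common test no longer exercises DNS zone group creation for the endpoint, so a regression in that path would no longer be caught here.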
@@ -591,7 +589,168 @@ Prepare the workspace for encryption. Enables the Managed Identity for managed s Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicIpName` 
diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep
index 64c3bb3b4f..e59beaad47 100644
--- a/modules/databricks/workspace/main.bicep
+++ b/modules/databricks/workspace/main.bicep
@@ -121,7 +121,7 @@ param publicNetworkAccess string = 'Enabled'
 param requiredNsgRules string = 'AllRules'
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
 @allowed([
@@ -335,27 +335,27 @@ resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022 scope: workspace }] -module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Databricks-PrivateEndpoint-${index}' +module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'databricks_ui_api' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(workspace.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? 'databricks_ui_api'}-${index}' serviceResourceId: workspace.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
@@ -405,3 +405,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index e52357cddd..33d22fb540 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1159355257291506829" + "templateHash": "13976222918175315424" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -362,8 +511,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -554,11 +702,11 @@ "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Databricks-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -567,32 +715,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'databricks_ui_api')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Databricks/workspaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Databricks/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'databricks_ui_api'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Databricks/workspaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
index e28f648c50..749dbf29fd 100644
--- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
@@ -101,11 +101,8 @@ module testDeployment '../../main.bicep' = {
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'API'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 }
 ]
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md
index 072c8dcdb8..e3a5585230 100644
--- a/modules/digital-twins/digital-twins-instance/README.md
+++ b/modules/digital-twins/digital-twins-instance/README.md
@@ -73,7 +73,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 privateDnsZoneResourceIds: [
 ''
 ]
- service: 'API'
 subnetResourceId: ''
 }
 ]
@@ -160,7 +159,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 "privateDnsZoneResourceIds": [
 ""
 ],
- "service": "API",
 "subnetResourceId": ""
 }
 ]
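Review bot: The common test no longer passes a private DNS zone to the endpoint (the `nestedDependencies.outputs.privateDNSZoneResourceId` line is removed), so it stops exercising the private DNS zone group path, which is the part of a private endpoint that makes it resolvable and is where most misconfiguration shows up. Dropping `service: 'API'` is fine because the module now defaults it, but the DNS zone wiring is worth keeping under test. As rendered here the `privateDnsZoneResourceIds: [` line survives as context while its closing `]` is removed, which cannot be valid Bicep, so a marker on that line has presumably been lost in this rendering. If the nested dependencies still output `privateDNSZoneResourceId`, consider keeping `privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ]` in the test so the zone-group branch of the module keeps coverage.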
@@ -399,7 +397,168 @@ The name of the Digital Twin Instance. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep
index afb4470480..50675134ab 100644
--- a/modules/digital-twins/digital-twins-instance/main.bicep
+++ b/modules/digital-twins/digital-twins-instance/main.bicep
@@ -32,7 +32,7 @@ param eventGridEndpoint object = {}
 param serviceBusEndpoint object = {}
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
@@ -194,24 +194,27 @@ module digitalTwinsInstance_serviceBusEndpoint 'endpoint--service-bus/main.bicep
 }
 }
-module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+module digitalTwinsInstance_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
 name: '${uniqueString(deployment().name, location)}-digitalTwinsInstance-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'API'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(digitalTwinsInstance.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(digitalTwinsInstance.id, '/'))}-${privateEndpoint.?service ?? 'API'}-${index}'
 serviceResourceId: digitalTwinsInstance.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
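Review bot: `privateDnsZoneGroupName` and `privateDnsZoneResourceIds` are now forwarded as `privateEndpoint.?privateDnsZoneGroupName` and `privateEndpoint.?privateDnsZoneResourceIds`, which evaluate to null when the caller omits them, whereas the removed lines passed `'default'` and `[]`; whether the private-endpoint module accepts null for these depends on its own parameter defaults, which are not part of this diff. `tags: privateEndpoint.?tags ?? tags` likewise changes the fallback from `{}` to the instance's tags, which is reasonable but is a visible behaviour change that deserves a line in the commit description. If the downstream module does not default these itself, `privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName ?? 'default'` and `privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds ?? []` keep the previous contract; the databricks main.json hunk above applies the same null pass-through.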
@@ -300,3 +303,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
index 6c8da212c8..482ce8f162 100644
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ b/modules/digital-twins/digital-twins-instance/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3171798738610144721"
+ "templateHash": "9608211624900685479"
 },
 "name": "Digital Twins Instances",
 "description": "This module deploys an Azure Digital Twins Instance.",
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -170,8 +319,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -918,7 +1066,7 @@ "digitalTwinsInstance_privateEndpoints": { "copy": { "name": "digitalTwinsInstance_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -931,29 +1079,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'API')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'API'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 5d54bf3d10..7188f6732d 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep @@ -85,9 +85,7 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] service: 'Sql' subnetResourceId: nestedDependencies.outputs.subnetResourceId 
diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 5f94a99e44..6ab97ff79f 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md 
@@ -1457,7 +1457,168 @@ Name of the Database Account. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `roleAssignments` 
diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 5f69ff9d06..6cb9f5b506 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -164,7 +164,7 @@ param backupRetentionIntervalInHours int = 8 param backupStorageRedundancy string = 'Local' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { category: category 
@@ -360,27 +360,27 @@ module databaseAccount_gremlinDatabases 'gremlin-database/main.bicep' = [for gre } }] -module databaseAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-CosmosDB-PrivateEndpoint-${index}' +module databaseAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-databaseAccount-PrivateEndpoint-${index}' params: { groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(databaseAccount.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(databaseAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: databaseAccount.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
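Review bot: The per-endpoint telemetry override on the new side reads a property the type does not declare: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry`, while the `privateEndpointType` added in the next hunk of this file declares the field as `enableTelemetry: bool?`, so a caller who sets `enableTelemetry: false` on an endpoint is silently ignored and the module-level default wins. The line should read `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` (or the type field renamed so the two agree), and a test that sets the field would have caught the gap. The default-name expression `privateEndpoint.?service ?? privateEndpoint.service` is redundant because `service` is a required field of the type; `privateEndpoint.service` alone is clearer and matches the `groupIds` entry a few lines above. Both points apply to the `databaseAccount_privateEndpoints` module block, which is complete within the hunk.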
@@ -433,3 +433,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 363ae739f7..498d4cc162 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10157225997571423198" + "templateHash": "15078236941078357698" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
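Review bot: The nested object types inside `privateEndpointType` carry no `@description` — `customDnsConfigs.fqdn`/`ipAddresses` and `ipConfigurations.name`/`groupId`/`memberName`/`privateIpAddress` — which is why the regenerated README in this diff shows empty Description cells for exactly those fields; one line each, such as `@description('Required. A private IP address from the subnet the endpoint is created in.')` on `privateIpAddress` and `@description('Required. The name of the IP configuration.')` on `name`, would close that gap (wording for `groupId`/`memberName` should be confirmed against the private-endpoint module they are forwarded to). The `tags` description is copied verbatim from the module-level parameter, but the consuming module block earlier in this file now falls back to the parent's `tags` when the field is omitted, so the contract should say so: `@description('Optional. Tags of the private endpoint. Defaults to the tags of the parent module.')`. `manualPrivateLinkServiceConnections: array?` is the only collection left untyped; if its element shape is known, typing it here would give callers the same validation as the other fields — I cannot confirm the shape from this diff.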
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -392,8 +540,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1528,11 +1675,11 @@ "databaseAccount_privateEndpoints": { "copy": { "name": "databaseAccount_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-CosmosDB-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-databaseAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1541,32 +1688,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/event-grid/domain/.test/pe/main.test.bicep b/modules/event-grid/domain/.test/pe/main.test.bicep index cd166546be..43c759532a 100644 --- a/modules/event-grid/domain/.test/pe/main.test.bicep +++ b/modules/event-grid/domain/.test/pe/main.test.bicep @@ -54,7 +54,6 @@ module testDeployment '../../main.bicep' = { privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ] - service: 'domain' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 987ecbd5b0..99c32bd414 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -255,7 +255,6 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'domain' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -299,7 +298,6 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "domain", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -479,7 +477,168 @@ The name of the Event Grid Domain. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep
index 705dad53d0..51b317cac0 100644
--- a/modules/event-grid/domain/main.bicep
+++ b/modules/event-grid/domain/main.bicep
@@ -38,7 +38,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -165,27 +165,27 @@ resource domain_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-0
 scope: domain
 }
-module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Domain-PrivateEndpoint-${index}'
+module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-domain-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'domain'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(domain.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(domain.id, '/'))}-${privateEndpoint.?service ?? 'domain'}-${index}'
 serviceResourceId: domain.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
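Review bot: The per-endpoint telemetry switch is read from a property the new type never declares: the added line `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` looks up `enableDefaultTelemetry`, while `privateEndpointType` in the next hunk of this file declares `enableTelemetry: bool?`, and the compiled main.json in this commit confirms the lookup is emitted as `tryGet(..., 'enableDefaultTelemetry')`, so a caller who sets `enableTelemetry: false` on an endpoint is silently overridden by the module-level default. The line should read `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`; the `topic_privateEndpoints` hunk in modules/event-grid/topic/main.bicep carries the identical mismatch and needs the same one-line change. Separately, the generated name prefix changes from `pe-` to `pep-` and `privateDnsZoneGroupName` now forwards null where the old code passed `'default'`, so existing deployments that relied on the generated names may get a new private endpoint resource rather than an in-place update, and the child module must supply its own fallback for the DNS zone group name; if both are intended, the commit description should say so.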
@@ -249,3 +249,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json
index b9500a20b8..a6648e2540 100644
--- a/modules/event-grid/domain/main.json
+++ b/modules/event-grid/domain/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5102513293970152919"
+ "templateHash": "1139242141774790759"
 },
 "name": "Event Grid Domains",
 "description": "This module deploys an Event Grid Domain.",
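Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the regenerated README in this commit shows the consequence as empty Description cells for exactly those rows, so a consumer cannot tell from the docs what `memberName` or `groupId` are expected to hold. Each nested field should get a one-line decorator in the same style as the siblings, e.g. `@description('Required. The private IP address to assign to the endpoint network interface.')` above `privateIpAddress: string`, with the Required./Optional. prefix matching the field's nullability. `manualPrivateLinkServiceConnections: array?` and `tags: object?` also remain untyped, which forfeits the validation this change otherwise introduces; a typed element for the connections array would be consistent with the rest of the definition.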
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -181,8 +330,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -492,11 +640,11 @@ "domain_privateEndpoints": { "copy": { "name": "domain_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Domain-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-domain-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -505,32 +653,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'domain')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/domains', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/domains', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'domain'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.EventGrid/domains', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/event-grid/topic/.test/pe/main.test.bicep b/modules/event-grid/topic/.test/pe/main.test.bicep index 377965d0ec..a70b97b936 100644 --- a/modules/event-grid/topic/.test/pe/main.test.bicep +++ b/modules/event-grid/topic/.test/pe/main.test.bicep @@ -54,7 +54,6 @@ module testDeployment '../../main.bicep' = { privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ] - service: 'topic' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index ea41b5b492..edcf1c9672 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -297,7 +297,6 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'topic' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -341,7 +340,6 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "topic", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -512,7 +510,168 @@ The name of the Event Grid Topic. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep
index f0ee5f204b..89d93f0f2b 100644
--- a/modules/event-grid/topic/main.bicep
+++ b/modules/event-grid/topic/main.bicep
@@ -35,7 +35,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -167,27 +167,27 @@ resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05
 scope: topic
 }
 
-module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Topic-PrivateEndpoint-${index}'
+module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-topic-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'topic'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(topic.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(topic.id, '/'))}-${privateEndpoint.?service ?? 'topic'}-${index}'
 serviceResourceId: topic.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
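Review bot: The per-endpoint telemetry switch is read from a property the new type does not declare: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` looks up `enableDefaultTelemetry`, while `privateEndpointType` (added further down in this file) declares `enableTelemetry: bool?`, so a caller who sets `enableTelemetry` on an endpoint entry changes nothing and only an undeclared key is honoured. Read the declared property instead, `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, or rename the type property to match; the event-hub namespace module hunk below has the same mismatch. A second, behavioural point: the generated default name changes from `pe-…` to `pep-…`, so an existing deployment that relied on the default creates a new private endpoint on its next run, and if it is deployed in the usual incremental mode the previous endpoint, its NIC and its DNS zone group are left in place rather than replaced — that orphaned network path and DNS record deserve a line in the module's changelog and README.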
@@ -251,3 +251,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json
index eff81c7e61..0aadfa26de 100644
--- a/modules/event-grid/topic/main.json
+++ b/modules/event-grid/topic/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "875855876117363195"
+ "templateHash": "12386573545698498000"
 },
 "name": "Event Grid Topics",
 "description": "This module deploys an Event Grid Topic.",
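Review bot: The nested object properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the README generated from this type shows an empty Description cell for each of them. Add a decorator per nested property, for example `@description('Required. A list of private IP addresses of the private endpoint.')` above `ipAddresses: string[]`, so the generated tables and the `main.json` metadata state what each field means. The `privateEndpointType` added to the event-hub namespace module below has the same gap.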
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -174,8 +323,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -569,11 +717,11 @@ "topic_privateEndpoints": { "copy": { "name": "topic_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Topic-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-topic-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -582,32 +730,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'topic')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/topics', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventGrid/topics', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'topic'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.EventGrid/topics', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/event-hub/namespace/.test/pe/main.test.bicep b/modules/event-hub/namespace/.test/pe/main.test.bicep index 66d56ba9f6..69b842c06e 100644 --- a/modules/event-hub/namespace/.test/pe/main.test.bicep +++ b/modules/event-hub/namespace/.test/pe/main.test.bicep @@ -57,7 +57,6 @@ module testDeployment '../../main.bicep' = { privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ] - service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 551da7d1b6..f77bda2132 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -580,7 +580,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'namespace' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -627,7 +626,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "namespace", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -907,7 +905,168 @@ Configure networking options. This object contains IPs/Subnets to allow or restr Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep
index c5a61777c1..b8ac4af79d 100644
--- a/modules/event-hub/namespace/main.bicep
+++ b/modules/event-hub/namespace/main.bicep
@@ -69,7 +69,7 @@ param minimumTlsVersion string = '1.2'
 param publicNetworkAccess string = ''
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
 param networkRuleSets object = {}
@@ -320,27 +320,27 @@ module eventHubNamespace_networkRuleSet 'network-rule-set/main.bicep' = if (!emp
 }
 }
 
-module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}'
+module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-eventHubNamespace-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'namespace'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(eventHubNamespace.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(eventHubNamespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}'
 serviceResourceId: eventHubNamespace.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
@@ -429,3 +429,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
index 101a26a405..4f0df97e85 100644
--- a/modules/event-hub/namespace/main.json
+++ b/modules/event-hub/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12601630852101639901"
+ "templateHash": "8192238306230963085"
 },
 "name": "Event Hub Namespaces",
 "description": "This module deploys an Event Hub Namespace.",
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -220,8 +369,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1702,11 +1850,11 @@ "eventHubNamespace_privateEndpoints": { "copy": { "name": "eventHubNamespace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-EvhbNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-eventHubNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1715,32 +1863,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.EventHub/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.EventHub/namespaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/.test/common/main.test.bicep
index 373e51553f..1622c7b7a0 100644
--- a/modules/insights/private-link-scope/.test/common/main.test.bicep
+++ b/modules/insights/private-link-scope/.test/common/main.test.bicep
@@ -63,11 +63,8 @@ module testDeployment '../../main.bicep' = {
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
- service: 'azuremonitor'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 tags: {
 'hidden-title': 'This is visible in the resource name'
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index 14f386ae96..503da87cab 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -53,7 +53,6 @@ This instance deploys the module with most of its features enabled.
 privateDnsZoneResourceIds: [
 ''
 ]
- service: 'azuremonitor'
 subnetResourceId: ''
 tags: {
 Environment: 'Non-Prod'
@@ -110,7 +109,6 @@ This instance deploys the module with most of its features enabled.
 "privateDnsZoneResourceIds": [
 ""
 ],
- "service": "azuremonitor",
 "subnetResourceId": "",
 "tags": {
 "Environment": "Non-Prod",
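Review bot: As rendered here, the main.test.bicep hunk removes three lines — `nestedDependencies.outputs.privateDNSZoneResourceId`, the closing `]` and `service: 'azuremonitor'` — which would leave `privateDnsZoneResourceIds: [` unterminated and drop the DNS-zone-group path from the common test, while the README hunk for the same module (generated from this test) drops only `service`. If only the `service` line was meant to go, now that the module defaults the group id to `'azuremonitor'`, the other two deletions look accidental; if the zone id really was removed, the README example is stale and the private DNS zone group wiring is no longer exercised by any visible test. Worth confirming against the actual file, since the collapsed layout may have mangled the markers. The enclosing `testDeployment` module starts and ends outside the hunk.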
@@ -271,7 +269,168 @@ Name of the private link scope. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `roleAssignments` 
diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
index fc8e46f04a..5d9aa08e33 100644
--- a/modules/insights/private-link-scope/main.bicep
+++ b/modules/insights/private-link-scope/main.bicep
@@ -19,7 +19,7 @@ param roleAssignments roleAssignmentType
 param scopedResources array = []
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Resource tags.')
 param tags object = {}
@@ -75,27 +75,27 @@ resource privateLinkScope_lock 'Microsoft.Authorization/locks@2020-05-01' = if (
 scope: privateLinkScope
 }
-module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-PvtLinkScope-PrivateEndpoint-${index}'
+module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-privateLinkScope-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'azuremonitor'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkScope.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(privateLinkScope.id, '/'))}-${privateEndpoint.?service ?? 'azuremonitor'}-${index}'
 serviceResourceId: privateLinkScope.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? 
privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
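Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` never declares — the type exposes `enableTelemetry: bool?` — so a caller who opts an individual endpoint out of telemetry is silently ignored and the module-level default always wins; it compiles only because the safe-dereference swallows the miss. Change it to `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, or rename the type property. Two quieter behavior changes in the same hunk deserve a word in the type descriptions as well: `tags: privateEndpoint.?tags ?? tags` now inherits the scope's resource tags where the old code passed `{}`, and `privateDnsZoneGroupName` is now forwarded as null instead of `'default'`, so the nested private-endpoint module's own default decides the zone-group name.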
@@ -159,3 +159,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
index 0e402b915a..f2fa8337c2 100644
--- a/modules/insights/private-link-scope/main.json
+++ b/modules/insights/private-link-scope/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10019971976836793472"
+ "templateHash": "9175020405944005574"
 },
 "name": "Azure Monitor Private Link Scopes",
 "description": "This module deploys an Azure Monitor Private Link Scope.",
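Review bot: The `service` description on this module's `privateEndpointType` ('For example "vault" or "blob"') is copied from a generic template and does not fit a private link scope, whose module body in the hunk above defaults the group id to `'azuremonitor'`; say so, e.g. `@description('Optional. The service (sub-) type to deploy the private endpoint for. Defaults to "azuremonitor".')`. If no other group id is valid for this resource type, a literal type `service: 'azuremonitor'?` would reject typos at compile time instead of at deployment. The `enableTelemetry: bool?` property should also be documented as the per-endpoint override of `enableReferencedModulesTelemetry` once its name is reconciled with what the module body reads, since today the description promises an opt-out the code does not honour.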
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -140,8 +289,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -355,11 +503,11 @@ "privateLinkScope_privateEndpoints": { "copy": { "name": "privateLinkScope_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PvtLinkScope-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-privateLinkScope-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -368,32 +516,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'azuremonitor')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'azuremonitor'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('microsoft.insights/privateLinkScopes', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - 
"applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 81cb74a612..33bab3b6b6 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md 
@@ -911,7 +911,168 @@ Service endpoint object information. For security reasons, it is recommended to Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index 5977b4faf0..f66a490005 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -83,7 +83,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. Resource tags.')
 param tags object = {}
@@ -272,27 +272,27 @@ module keyVault_keys 'key/main.bicep' = [for (key, index) in keys: { } }] -module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoint-${index}' +module keyVault_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'vault' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(keyVault.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}' serviceResourceId: keyVault.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
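Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that `privateEndpointType` does not declare; the type added in the `@@ -362,3 +362,58 @@` hunk names it `enableTelemetry`, so a per-endpoint telemetry setting supplied by the caller is silently ignored and the module-level default always wins. The line should read `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` (or the type property should be renamed to match the loop). The compiled `main.json` hunk at `@@ -1237,32 +1385,54 @@` carries the same `tryGet(..., 'enableDefaultTelemetry')` lookup and will follow once the Bicep source is fixed and rebuilt; the private link scope `main.json` hunk at `@@ -368,32 +516,54 @@` shows the same pattern next to an `enableTelemetry` definition, though its Bicep source is not in this diff. Separately, the generated name prefix changes from `pe-` to `pep-`, which presumably causes existing deployments that relied on the default name to create a new private endpoint and leave the old one, with its NIC and DNS zone group records, in place; that deserves a changelog or migration note.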
@@ -362,3 +362,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index 3efab0881e..7b155172e1 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2886634889186543886" + "templateHash": "502304386016256434" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
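Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the README rendered from this type in the `@@ -911,7 +911,168 @@` hunk shows empty Description cells for each of them. A one-line `@description('Required. ...')` / `@description('Optional. ...')` on each nested property would close that gap without touching behaviour. The `@description` on `service` also does not state the fallback the consuming loop applies (`privateEndpoint.?service ?? 'vault'`), and its `"blob"` example belongs to a storage module; suggest `@description('Optional. The service (sub-) type to deploy the private endpoint for. Defaults to "vault" for this module.')`.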
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -268,8 +417,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1224,11 +1372,11 @@ "keyVault_privateEndpoints": { "copy": { "name": "keyVault_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-KeyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-keyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1237,32 +1385,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'vault'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index c1353d2cb1..2879c22fbb 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep @@ -117,7 +117,6 @@ module testDeployment '../../main.bicep' = { primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId privateEndpoints: [ { - service: 'amlworkspace' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index a631dfac05..9626b84295 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -101,7 +101,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = privateDnsZoneResourceIds: [ '' ] - service: 'amlworkspace' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -228,7 +227,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "privateDnsZoneResourceIds": [ "" ], - "service": "amlworkspace", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -726,7 +724,168 @@ The user assigned identity resource ID that represents the workspace identity. R Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep
index ca840eaec5..28c115e28f 100644
--- a/modules/machine-learning-services/workspace/main.bicep
+++ b/modules/machine-learning-services/workspace/main.bicep
@@ -45,7 +45,7 @@ param allowPublicAccessWhenBehindVnet bool = false
 param roleAssignments roleAssignmentType
 
 @sys.description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @sys.description('Optional. Computes to create respectively attach to the workspace.')
 param computes array = []
@@ -287,24 +287,27 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202
 scope: workspace
 }
 
-module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Workspace-PrivateEndpoint-${index}'
+module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'amlworkspace'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(workspace.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? 'amlworkspace'}-${index}'
 serviceResourceId: workspace.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
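Review bot: The new line `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the `privateEndpointType` introduced in the next hunk never declares — the type names it `enableTelemetry: bool?` — so a caller's per-endpoint `enableTelemetry` is silently ignored and the module-level fallback always wins. The application-gateway hunk of this commit (`@@ -368,27 +368,27 @@`) has the same mismatch, and the generated main.json carries the `'enableDefaultTelemetry'` lookup through. Change both to `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` and regenerate the ARM templates. Separately, `privateDnsZoneGroupName` no longer falls back to `'default'` here but passes null through; that only works if the referenced private-endpoint module supplies its own default, which is not visible in this diff and is worth confirming.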
@@ -375,3 +378,58 @@ type roleAssignmentType = {
 @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @sys.description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @sys.description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @sys.description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @sys.description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @sys.description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @sys.description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @sys.description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @sys.description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @sys.description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @sys.description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @sys.description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @sys.description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @sys.description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @sys.description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index afeeb96c69..ff015569ab 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16042425062775405859" + "templateHash": "16867204507762880761" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", 
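Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) in the new `privateEndpointType` carry no `@sys.description`, which is why the generated README in this same commit renders those rows with an empty Description column. Every other property of the type is decorated, so each nested one should get a one-line decorator too, e.g. `@sys.description('Required. The IP addresses of the custom DNS configuration.')` above `ipAddresses` and `@sys.description('Optional. The FQDN of the custom DNS configuration.')` above `fqdn`. While here, `manualPrivateLinkServiceConnections: array?` and `tags: object?` are the only untyped members of an otherwise fully typed object; if their element shapes are known they would benefit from the same treatment.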
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -183,8 +332,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -785,11 +933,11 @@ "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -798,29 +946,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'amlworkspace')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'amlworkspace'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index f1c4883c3f..c9d9112588 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md 
@@ -1248,7 +1248,168 @@ Name of the Application Gateway. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `privateLinkConfigurations` 
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
index e354836b98..caa78a6b4e 100644
--- a/modules/network/application-gateway/main.bicep
+++ b/modules/network/application-gateway/main.bicep
@@ -61,7 +61,7 @@ param httpListeners array = []
 param loadDistributionPolicies array = []
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. PrivateLink configurations on application gateway.')
 param privateLinkConfigurations array = []
@@ -368,27 +368,27 @@ resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnostic scope: applicationGateway } -module applicationGateway_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-ApplicationGateway-PrivateEndpoint-${index}' +module applicationGateway_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-applicationGateway-PrivateEndpoint-${index}' params: { groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(applicationGateway.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(applicationGateway.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}' serviceResourceId: applicationGateway.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
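Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` (next hunk of this file) never declares — the type exposes `enableTelemetry: bool?` — so a caller setting `enableTelemetry: false` on an endpoint is silently ignored and only the undeclared, undocumented `enableDefaultTelemetry` key is honoured. Either read `privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` here or rename the type property to `enableDefaultTelemetry`, so that the README generated from the type matches what the module evaluates. The same mismatch is in the `rsv_privateEndpoints` module hunk and the `privateEndpointType` hunk of modules/recovery-services/vault/main.bicep. In the `name:` line the fallback `privateEndpoint.?service ?? 'account'` is dead code because `service: string` is required in the type, and `'account'` looks copied from another module; `privateEndpoint.service` is enough. `privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName` (here and in the rsv hunk) drops the previous `'default'` fallback and passes null instead, which is only equivalent if the private-endpoint module applies its own default — that module is outside this diff, so worth confirming.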
@@ -452,3 +452,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index 89f19b3046..e252642bae 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15010715914019570085" + "templateHash": "7698802694566300060" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", 
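Review bot: `lock: lockType` and `roleAssignments: roleAssignmentType` in `privateEndpointType` carry no `?`, so whether they are optional depends on the referenced types being nullable; `roleAssignmentType` visibly is (`}[]?` in the context lines), but `lockType` is defined outside this hunk and should be confirmed, otherwise `lock` becomes a required property despite its 'Optional.' description. `manualPrivateLinkServiceConnections: array?` is the one collection left untyped while `customDnsConfigs` and `ipConfigurations` get element types; giving it an element type, or stating the expected shape in its description, would give callers the same validation. The same applies to the `privateEndpointType` hunk of modules/recovery-services/vault/main.bicep.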
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -240,8 +388,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -660,11 +807,11 @@ "applicationGateway_privateEndpoints": { "copy": { "name": "applicationGateway_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-ApplicationGateway-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-applicationGateway-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -673,32 +820,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Network/applicationGateways', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Network/applicationGateways', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'account'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index 4cd40ed8fc..7b15416b63 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep @@ -177,7 +177,7 @@ module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [f groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -201,7 +201,7 @@ module portal_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: account.id subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -225,7 +225,7 @@ module blob_privateEndpoints '../../network/private-endpoint/main.bicep' = [for groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.storageAccount subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry 
@@ -249,7 +249,7 @@ module queue_privateEndpoints '../../network/private-endpoint/main.bicep' = [for groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.storageAccount subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry @@ -273,7 +273,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [ groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(account.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(account.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: account.properties.managedResources.eventHubNamespace subnetResourceId: privateEndpoint.subnetResourceId enableDefaultTelemetry: enableReferencedModulesTelemetry diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep index acd15c2819..1cf146b1e3 100644 --- a/modules/recovery-services/vault/.test/common/main.test.bicep +++ b/modules/recovery-services/vault/.test/common/main.test.bicep @@ -323,11 +323,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'AzureSiteRecovery' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index b8853bbe5e..710a8b9d78 100644 
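Review bot: In the `name:` line of `queue_privateEndpoints` and `eventHub_privateEndpoints`, and in the `account_`, `portal_` and `blob_privateEndpoints` hunks above, `privateEndpoint.?service ?? privateEndpoint.service` is a no-op: when `service` is absent the right-hand side dereferences it anyway, so the expression neither supplies a default nor avoids the failure, and `privateEndpoint.service` expresses the same thing more honestly. If a default was intended, as in the recovery-services vault module, it has to be a literal group id on the right-hand side. Changing the generated prefix from `pe-` to `pep-` presumably renames the private endpoint resources of callers that rely on the generated name on their next deployment; that looks intended across this commit but deserves a changelog note.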
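Review bot: Dropping `service: 'AzureSiteRecovery'` from the test is consistent with the new `privateEndpoint.?service ?? 'AzureSiteRecovery'` default in modules/recovery-services/vault/main.bicep, so the test now exercises the default path rather than an explicit group id. As rendered here the hunk also removes the `]` closing `privateDnsZoneResourceIds` together with the zone id line, which would leave the array unterminated; if that is the real change rather than an artefact of the collapsed rendering, the test no longer parses, and the README usage example in the next hunk, which still shows `privateDnsZoneResourceIds: [ '' ]`, would be out of sync with it.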
--- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -319,7 +319,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'AzureSiteRecovery' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -654,7 +653,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "AzureSiteRecovery", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -1092,7 +1090,168 @@ Name of the Azure Recovery Service Vault. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `protectionContainers` 
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index 54fa5cdfc4..9f72358012 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep @@ -97,7 +97,7 @@ param diagnosticMetricsToEnable array = [ param diagnosticSettingsName string = '' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. Monitoring Settings of the vault.') param monitoringSettings object = {} 
@@ -293,27 +293,27 @@ resource rsv_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0 scope: rsv } -module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-RSV-PrivateEndpoint-${index}' +module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-rsv-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'AzureSiteRecovery' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(rsv.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(rsv.id, '/'))}-${privateEndpoint.?service ?? 'AzureSiteRecovery'}-${index}' serviceResourceId: rsv.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
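Review bot: The default group id `'AzureSiteRecovery'` is written twice in `rsv_privateEndpoints`, once in `groupIds` and once inside the generated `name:`; a single file-level `var privateEndpointDefaultService = 'AzureSiteRecovery'` referenced from both lines would keep the two from drifting. Since `service` stays optional, a caller wanting a different group id must set it explicitly, and this hunk is the only place a reader can currently discover that the omitted value resolves to `'AzureSiteRecovery'`.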
@@ -380,3 +380,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index a511b9ec81..7750cd92af 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5878546840192732516" + "templateHash": "18071219437488325472" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", 
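Review bot: The description of `service` (`For example "vault" or "blob"`) does not say what happens when it is omitted, although omitting it is now the expected usage and the module substitutes `'AzureSiteRecovery'` both for `groupIds` and in the generated endpoint name. Suggest `@description('Optional. The service (sub-) type to deploy the private endpoint for. Defaults to "AzureSiteRecovery" if not provided.')` so the README table, which repeats this text verbatim, shows the effective default. The relay namespace type hunk carries the same generic wording where the substituted default is `'namespace'`.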
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -286,8 +435,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1999,11 +2147,11 @@ "rsv_privateEndpoints": { "copy": { "name": "rsv_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-RSV-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-rsv-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2012,32 +2160,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'AzureSiteRecovery')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'AzureSiteRecovery'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.RecoveryServices/vaults', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - 
"applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/relay/namespace/.test/pe/main.test.bicep b/modules/relay/namespace/.test/pe/main.test.bicep index 380e33d618..c982c0e55d 100644 --- a/modules/relay/namespace/.test/pe/main.test.bicep +++ b/modules/relay/namespace/.test/pe/main.test.bicep @@ -52,7 +52,6 @@ module testDeployment '../../main.bicep' = { skuName: 'Standard' privateEndpoints: [ { - service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 9d8a11f544..96fdc19002 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -380,7 +380,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'namespace' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -425,7 +424,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "namespace", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -608,7 +606,168 @@ Configure networking options for Relay. This object contains IPs/Subnets to allo Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `roleAssignments` 
diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index 5ddc75500b..0f2299644b 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep @@ -47,7 +47,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') param networkRuleSets object = {} 
@@ -251,27 +251,27 @@ resource namespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 scope: namespace } -module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Namespace-PrivateEndpoint-${index}' +module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-namespace-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'namespace' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(namespace.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(namespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}' serviceResourceId: namespace.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
@@ -335,3 +335,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index e3407dc5cd..6d499747c1 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13773141750088228766" + "templateHash": "16916844695310222136" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -188,8 +337,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1582,11 +1730,11 @@ "namespace_privateEndpoints": { "copy": { "name": "namespace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Namespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-namespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1595,32 +1743,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Relay/namespaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Relay/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Relay/namespaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/search/search-service/.test/pe/main.test.bicep b/modules/search/search-service/.test/pe/main.test.bicep index 0c4ab94004..7fe335da8f 100644 --- a/modules/search/search-service/.test/pe/main.test.bicep +++ b/modules/search/search-service/.test/pe/main.test.bicep @@ -62,7 +62,6 @@ module testDeployment '../../main.bicep' = { privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId ] - service: 'searchService' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { Environment: 'Non-Prod' diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 50cc66d418..7dfccea700 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -278,7 +278,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'searchService' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -338,7 +337,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "searchService", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -564,7 +562,168 @@ The number of partitions in the search service; if specified, it can be 1, 2, 3, Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index d35e2da654..ad25223fcd 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep @@ -48,7 +48,7 @@ param networkRuleSet object = {} param partitionCount int = 1 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. The sharedPrivateLinkResources to create as part of the search Service.') param sharedPrivateLinkResources array = [] 
@@ -225,27 +225,27 @@ resource searchService_roleAssignments 'Microsoft.Authorization/roleAssignments@ scope: searchService }] -module searchService_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module searchService_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { name: '${uniqueString(deployment().name, location)}-searchService-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'searchService' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(searchService.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(searchService.id, '/'))}-${privateEndpoint.?service ?? 'searchService'}-${index}' serviceResourceId: searchService.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
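Review bot: The new line `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the `privateEndpointType` introduced in the next hunk of this file never declares; that type defines `enableTelemetry: bool?` instead, so a per-endpoint `enableTelemetry` value is silently ignored and the expression always falls back to the module-wide setting. Bicep may also warn that `enableDefaultTelemetry` is not a property of the typed object. The smallest fix is to read the declared property, `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, and then rebuild `main.json` so the compiled `tryGet(..., 'enableDefaultTelemetry')` lookups match. The same mismatch appears in the compiled template hunks for this module and in the earlier `Microsoft.Relay/namespaces` template on this page, whose definitions likewise declare `enableTelemetry`.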
@@ -316,3 +316,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 5b2de842bb..3297608f20 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5302357571104017921" + "templateHash": "9705671416118103227" }, "name": "Search Services", "description": "This module deploys a Search Service.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -186,8 +335,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -444,7 +592,7 @@ "searchService_privateEndpoints": { "copy": { "name": "searchService_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -457,32 +605,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/service-bus/namespace/.test/pe/main.test.bicep b/modules/service-bus/namespace/.test/pe/main.test.bicep index 936692a3b1..90ad3f25ee 100644 --- a/modules/service-bus/namespace/.test/pe/main.test.bicep +++ b/modules/service-bus/namespace/.test/pe/main.test.bicep @@ -53,7 +53,6 @@ module testDeployment '../../main.bicep' = { publicNetworkAccess: 'Disabled' privateEndpoints: [ { - service: 'namespace' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 2aea46cd40..684a6dcac6 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -662,7 +662,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'namespace' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -708,7 +707,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "namespace", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -979,7 +977,168 @@ The number of partitions of a Service Bus namespace. This property is only appli Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index 86d634ff3c..c819ee7c84 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -97,7 +97,7 @@ param roleAssignments roleAssignmentType
 param publicNetworkAccess string = ''
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
 param networkRuleSets object = {}
@@ -380,27 +380,27 @@ resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSe
 scope: serviceBusNamespace
 }
-module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Namespace-PrivateEndpoint-${index}'
+module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-serviceBusNamespace-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'namespace'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(serviceBusNamespace.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(serviceBusNamespace.id, '/'))}-${privateEndpoint.?service ?? 'namespace'}-${index}'
 serviceResourceId: serviceBusNamespace.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
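Review bot: The per-endpoint override on `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property the new `privateEndpointType` does not declare — the type and the regenerated README expose `enableTelemetry: bool?` — so a caller who sets `enableTelemetry` on an endpoint object is silently ignored and the fallback is always used; the line should read `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`. The signal-r hunk at `@@ -173,26 +175,27 @@` has the same mismatch. Separately, the generated private endpoint name prefix changes from `pe-` to `pep-`; since ARM treats a new name as a new resource, consumers who relied on the generated default will get a second private endpoint on redeploy while the old one stays behind, which deserves an explicit call-out in the module's change notes. The former fallbacks for `privateDnsZoneGroupName` (`'default'`), `tags` (`{}`) and the array inputs now pass null and rely on the referenced private-endpoint module's own defaults, and `tags` now inherits the namespace `tags`; the `privateEndpointType` descriptions could state those inherited defaults so callers know what an omitted value resolves to.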
@@ -467,3 +467,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index bc6b908053..2c000d1410 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9892377327187040976"
+ "templateHash": "15092397707699108570"
 },
 "name": "Service Bus Namespaces",
 "description": "This module deploys a Service Bus Namespace.",
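Review bot: The nested object types under `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description` decorator, which is why the regenerated README tables in this commit show empty Description cells for exactly those rows. Each nested property should get a one-line `@description('Required. …')` or `@description('Optional. …')` so the generated documentation is complete. The `service` description could also state the value this module falls back to when it is omitted, e.g. `@description('Optional. The service (sub-) type to deploy the private endpoint for. Defaults to "namespace".')`, and `manualPrivateLinkServiceConnections: array?` is the only member left untyped — worth a typed element if its shape is known.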
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -278,8 +427,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -2217,11 +2365,11 @@ "serviceBusNamespace_privateEndpoints": { "copy": { "name": "serviceBusNamespace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Namespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-serviceBusNamespace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2230,32 +2378,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'namespace'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), 
createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/.test/common/main.test.bicep index 1b86eadafe..ce4fae589c 100644 --- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep +++ b/modules/signal-r-service/signal-r/.test/common/main.test.bicep @@ -87,11 +87,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'signalr' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index c2662cc6c7..ff3c273afd 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -83,7 +83,6 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'signalr' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -184,7 +183,6 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "signalr", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -423,7 +421,168 @@ Networks ACLs, this value contains IPs to allow and/or Subnet information. Can o Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep
index 2888dcbf64..385295b8f2 100644
--- a/modules/signal-r-service/signal-r/main.bicep
+++ b/modules/signal-r-service/signal-r/main.bicep
@@ -90,7 +90,7 @@ param clientCertEnabled bool = false
 param upstreamTemplatesToEnable array = []
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -101,6 +101,8 @@ param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
+var enableReferencedModulesTelemetry = false
+
 var liveTraceCatagories = [for configuration in liveTraceCatagoriesToEnable: {
 name: configuration
 enabled: 'true'
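Review bot: `var enableReferencedModulesTelemetry = false` in the `@@ -101,6 +101,8 @@` hunk is a hard-coded constant placed directly under the user-facing `param enableDefaultTelemetry bool = true`, with nothing saying why the two are decoupled, and its name reads as if it were derived from that parameter. Assuming this follows the convention the service-bus module already uses (its private-endpoint loop already references a variable of the same name), a one-line comment would stop the next maintainer from "fixing" it, e.g. `// Telemetry for referenced modules is always off; enableDefaultTelemetry only governs this module's own telemetry resource`.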
@@ -173,26 +175,27 @@ resource signalR 'Microsoft.SignalRService/signalR@2022-02-01' = {
 }
 }
 
-module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-SignalR-PrivateEndpoint-${index}'
+module signalR_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-signalR-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'signalr'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(signalR.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(signalR.id, '/'))}-${privateEndpoint.?service ?? 'signalr'}-${index}'
 serviceResourceId: signalR.id
 subnetResourceId: privateEndpoint.subnetResourceId
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
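Review bot: The telemetry property read here does not match the declared type: the new `enableDefaultTelemetry:` line reads `privateEndpoint.?enableDefaultTelemetry`, while `privateEndpointType` in the later hunk of this file declares the field as `enableTelemetry: bool?` and the regenerated README documents `privateEndpoints.enableTelemetry`, so a caller setting the documented field has no effect and the compiled main.json in this diff keeps looking up `'enableDefaultTelemetry'`, a key no type validates. Either read the declared field, `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`, or rename the type property; the web-pub-sub main.bicep hunk in this commit has the identical mismatch. Separately, `tags: privateEndpoint.?tags ?? tags` now inherits the parent resource's tags where the old code passed `{}`; that is a behaviour change for existing callers and deserves a one-line comment such as `// inherits the module's tags unless the endpoint sets its own`.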
@@ -265,3 +268,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json
index 7f28716ce7..bf43fef7a7 100644
--- a/modules/signal-r-service/signal-r/main.json
+++ b/modules/signal-r-service/signal-r/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15253886392220203228"
+ "templateHash": "4290982066037624920"
 },
 "name": "SignalR Service SignalR",
 "description": "This module deploys a SignalR Service SignalR.",
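Review bot: The inline element types for `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description` decorator, and the regenerated README in this same commit accordingly renders those rows with an empty Description cell; each inner field should get an `@description('…')` line following the same `Optional.`/`Required.` convention the surrounding fields use. `tags: object?` and `manualPrivateLinkServiceConnections: array?` are the only fields left untyped, so callers get no validation on those inputs; if the referenced private-endpoint module exposes typed shapes for them, they could be referenced here instead. The same two points apply to the web-pub-sub `privateEndpointType` hunk later in this diff.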
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -257,8 +406,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -302,6 +450,7 @@ } } ], + "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", @@ -403,11 +552,11 @@ "signalR_privateEndpoints": { "copy": { "name": "signalR_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-SignalR-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-signalR-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -416,29 +565,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'signalr')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/signalR', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/signalR', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'signalr'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.SignalRService/signalR', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" + }, + "enableDefaultTelemetry": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 0993c69ff6..93a4cde2c8 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -85,9 +85,7 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] service: 'webpubsub' subnetResourceId: nestedDependencies.outputs.subnetResourceId diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep index cff16d9528..7a565e6ea8 100644 --- a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep @@ -52,11 +52,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'webpubsub' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 4858ab8413..a1f443b2f3 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -293,7 +293,6 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'webpubsub' subnetResourceId: '' tags: { Environment: 'Non-Prod' 
@@ -338,7 +337,6 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "webpubsub", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -482,7 +480,168 @@ Networks ACLs, this value contains IPs to allow and/or Subnet information. Can o Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep
index 8bd0b5101b..49fdc78208 100644
--- a/modules/signal-r-service/web-pub-sub/main.bicep
+++ b/modules/signal-r-service/web-pub-sub/main.bicep
@@ -9,7 +9,7 @@ param location string = resourceGroup().location
 param name string
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -76,6 +76,8 @@ var resourceLogConfiguration = [for configuration in resourceLogConfigurationsTo
 var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
 
+var enableReferencedModulesTelemetry = false
+
 var identity = {
 type: identityType
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
@@ -133,26 +135,27 @@ resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = {
 }
 }
 
-module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-WebPubSub-PrivateEndpoint-${index}'
+module webPubSub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-webPubSub-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'webpubsub'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(webPubSub.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(webPubSub.id, '/'))}-${privateEndpoint.?service ?? 'webpubsub'}-${index}'
 serviceResourceId: webPubSub.id
 subnetResourceId: privateEndpoint.subnetResourceId
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
 
@@ -237,3 +240,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index 0d635314fa..224d8e6108 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7919051572076224460" + "templateHash": "17322937752748327397" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", 
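Review bot: The `service` description in `privateEndpointType` says 'For example "vault" or "blob"', which reads as copied from a generic template and does not match this module, whose body defaults the value to `webpubsub` (the sql/server copy of this type further down defaults to `sqlServer`). Suggest `@description('Optional. The sub-resource (group ID) to deploy the private endpoint for. Defaults to "webpubsub".')` here and the equivalent wording in the sql/server type, so the generated README shows the effective default. The type also declares `enableTelemetry: bool?` while the module body reads `enableDefaultTelemetry`; whichever name is kept, its description should state that it falls back to `enableReferencedModulesTelemetry` when omitted. `privateDnsZoneGroupName` is now passed through as null rather than `'default'`, so its description should say that the referenced private-endpoint module's own default applies when it is omitted, if that is the intended behaviour.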
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -120,8 +269,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -251,6 +399,7 @@ } ], "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", + "enableReferencedModulesTelemetry": false, "identity": { "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" @@ -350,11 +499,11 @@ "webPubSub_privateEndpoints": { "copy": { "name": "webPubSub_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-WebPubSub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-webPubSub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -363,29 +512,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'webpubsub')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'webpubsub'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.SignalRService/webPubSub', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" + }, + "enableDefaultTelemetry": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index 2c57d1bbae..82ce535569 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep @@ -164,9 +164,7 @@ module testDeployment '../../main.bicep' = { subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId service: 'sqlServer' privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/sql/server/.test/pe/main.test.bicep b/modules/sql/server/.test/pe/main.test.bicep index f813715f36..13c246150b 100644 --- a/modules/sql/server/.test/pe/main.test.bicep +++ b/modules/sql/server/.test/pe/main.test.bicep @@ -59,11 +59,8 @@ module testDeployment '../../main.bicep' = { privateEndpoints: [ { privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] - service: 'sqlServer' subnetResourceId: nestedDependencies.outputs.subnetResourceId tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 20749d71d0..0026e3da9b 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -433,7 +433,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'sqlServer' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -483,7 +482,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "sqlServer", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -759,7 +757,168 @@ The resource ID of a user assigned identity to be used by default. Required if " Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index 9a3ba48092..9b56c50287 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep @@ -66,7 +66,7 @@ param administrators object = {} param minimalTlsVersion string = '1.2' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set.') @allowed([ 
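Review bot: `param privateEndpoints privateEndpointType` drops the `= []` default and relies on the type being nullable (`}[]?`), so every other reference to `privateEndpoints` in this file now receives `null` when the caller omits it. The `server_privateEndpoints` loop in the next hunk guards with `privateEndpoints ?? []`, but the `publicNetworkAccess` description in this hunk says its default depends on whether private endpoints are set, and that computation is outside the hunk; it should use the same `privateEndpoints ?? []` (or `empty(privateEndpoints ?? [])`) so the null case is handled consistently with the loop.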
@@ -241,27 +241,27 @@ module server_elasticPools 'elastic-pool/main.bicep' = [for (elasticPool, index) } }] -module server_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-SQLServer-PrivateEndpoint-${index}' +module server_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-server-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'sqlServer' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(server.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(server.id, '/'))}-${privateEndpoint.?service ?? 'sqlServer'}-${index}' serviceResourceId: server.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
@@ -393,3 +393,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index 8becec3ebd..6323877d94 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6602628409746140291" + "templateHash": "15785900556035209583" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -242,8 +391,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1395,11 +1543,11 @@ "server_privateEndpoints": { "copy": { "name": "server_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-SQLServer-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-server-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1408,32 +1556,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sqlServer')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Sql/servers', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Sql/servers', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sqlServer'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Sql/servers', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 5beadf8bb9..1193a3c7fd 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md 
@@ -1343,7 +1343,168 @@ Networks ACLs, this value contains IPs to whitelist and/or Subnet information. F Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index dafb2589f2..e8b9925a88 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep @@ -66,7 +66,7 @@ param defaultToOAuthAuthentication bool = false param allowSharedKeyAccess bool = true @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. The Storage Account ManagementPolicies Rules.') param managementPolicyRules array = [] 
@@ -361,27 +361,27 @@ resource storageAccount_roleAssignments 'Microsoft.Authorization/roleAssignments scope: storageAccount }] -module storageAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-StorageAccount-PrivateEndpoint-${index}' +module storageAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-storageAccount-PrivateEndpoint-${index}' params: { groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(storageAccount.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(storageAccount.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: storageAccount.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
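Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that `privateEndpointType` does not declare (the type defines `enableTelemetry`), so a per-endpoint telemetry opt-out is never honoured and, the object type being open, the compiler does not flag it; use `privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` or rename the type field. In the default `name`, `${privateEndpoint.?service ?? privateEndpoint.service}` is a no-op because `service` is required on this module's type; `${privateEndpoint.service}` reads cleaner. Changing the generated prefix from `pe-` to `pep-` means, as far as I can tell, that an existing deployment relying on the default name will create a second private endpoint under the new name and leave the old one (with its NIC and DNS zone group) in place, which deserves a note in the module changelog or the `privateEndpoints` parameter description. Likewise `tags` now falls back to the parent module's `tags` instead of `{}`; worth stating in the parameter description so consumers know endpoint tags are inherited.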
@@ -550,3 +550,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index fdebcc9bdf..ae9fba4c9b 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12807881616729507615"
+ "templateHash": "7816141440918547974"
 },
 "name": "Storage Accounts",
 "description": "This module deploys a Storage Account.",
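Review bot: The nested `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) properties have no `@description`, which the regenerated README in this same diff renders as empty description cells; each nested property should carry a one-line `@description` like its siblings. The description of `privateDnsZoneResourceIds` says "The private DNS zone groups to associate the private endpoint with", but the value is a list of DNS zone resource IDs from which one zone group (named by `privateDnsZoneGroupName`) is created; suggest `'Optional. The resource IDs of the private DNS zones to link to the private endpoint. A DNS zone group can support up to 5 DNS zones.'`. `manualPrivateLinkServiceConnections: array?` and `tags: object?` remain untyped while everything else got a shape; if the private-endpoint module defines the shape of a manual connection, reusing it here would let the compiler reject malformed input. Note also that `enableTelemetry: bool?` is declared here while the module body above reads `privateEndpoint.?enableDefaultTelemetry`, so the field as named currently has no effect.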
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -216,8 +364,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -669,11 +816,11 @@ "storageAccount_privateEndpoints": { "copy": { "name": "storageAccount_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-StorageAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-storageAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -682,32 +829,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - 
"applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/.test/common/main.test.bicep
index 7b59ec1474..7b553d1f14 100644
--- a/modules/synapse/private-link-hub/.test/common/main.test.bicep
+++ b/modules/synapse/private-link-hub/.test/common/main.test.bicep
@@ -61,9 +61,7 @@ module testDeployment '../../main.bicep' = {
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
 service: 'Web'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index d9a6f2056f..2a0b0cff04 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
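Review bot: As rendered, the `@@ -61,9 +61,7 @@` hunk removes `nestedDependencies.outputs.privateDNSZoneResourceId` and the closing `]` but keeps `privateDnsZoneResourceIds: [` as context, which leaves the endpoint object unparsable unless a line was lost in rendering; either keep the element or remove the property together with its brackets. Dropping the zone also means the common test no longer deploys a private DNS zone group for the endpoint, which is the DNS-integration path that the module's `privateDnsZoneResourceIds` and `privateDnsZoneGroupName` inputs exist for, so the one scenario exercising it should stay in the test. The same edit appears in the synapse/workspace test hunk (`@@ -86,9 +86,7 @@`) further down.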
@@ -277,7 +277,168 @@ The name of the Private Link Hub. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `roleAssignments` 
diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep
index a0a809ed93..003f53a1dd 100644
--- a/modules/synapse/private-link-hub/main.bicep
+++ b/modules/synapse/private-link-hub/main.bicep
@@ -21,7 +21,7 @@ param enableDefaultTelemetry bool = true
 param roleAssignments roleAssignmentType
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 var enableReferencedModulesTelemetry = false
@@ -77,27 +77,27 @@ resource privateLinkHub_roleAssignments 'Microsoft.Authorization/roleAssignments
 }]
 // Private Endpoints
-module privateLinkHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-PrivateLinkHub-PrivateEndpoint-${index}'
+module privateLinkHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-privateLinkHub-PrivateEndpoint-${index}'
 params: {
 groupIds: [
 privateEndpoint.service
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkHub.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(privateLinkHub.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}'
 serviceResourceId: privateLinkHub.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ?
privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
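Review bot: `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that `privateEndpointType` never declares; the type and the README expose `enableTelemetry`, so a caller setting `enableTelemetry: false` on an endpoint is ignored while an undocumented `enableDefaultTelemetry` key is what takes effect — use `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` or rename the type property (the `privateEndpointType` hunk below carries the same mismatch). Changing the default name prefix from `pe-` to `pep-` means a redeployment that relied on the default creates a new private endpoint instead of updating the existing one and can leave the old endpoint in place, which deserves a breaking-change note. Since `service` is a required string in the type, `privateEndpoint.?service ?? privateEndpoint.service` can simply be `privateEndpoint.service`. The optional inputs are now passed through as null where the old code substituted `'default'` or `[]`, which is only safe if `../../network/private-endpoint/main.bicep` applies those defaults itself; that module is outside this diff, so this is worth confirming.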
@@ -147,3 +147,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource.
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
index 903af8a9c2..4fab3419d1 100644
--- a/modules/synapse/private-link-hub/main.json
+++ b/modules/synapse/private-link-hub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17913553543039751168"
+ "templateHash": "13462616099297553465"
 },
 "name": "Azure Synapse Analytics",
 "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
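Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the README hunk in this same diff shows the consequence: their table rows have an empty Description cell. Add a one-line `@description('Required. …')` or `@description('Optional. …')` above each of the six, following the Required/Optional prefix convention the rest of the type uses, so the generator can fill the table and readers can tell what a sub-object needs. `manualPrivateLinkServiceConnections: array?` and `tags: object?` are left untyped while everything around them is given a shape; if the child module's expected structure is known, a typed declaration here would catch malformed input at compile time rather than at deployment.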
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -146,8 +294,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -224,11 +371,11 @@ "privateLinkHub_privateEndpoints": { "copy": { "name": "privateLinkHub_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateLinkHub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-privateLinkHub-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -237,32 +384,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - 
"applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep
index 741e51171a..258596f817 100644
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -86,9 +86,7 @@ module testDeployment '../../main.bicep' = {
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
 service: 'SQL'
 privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 868966dd69..a9af2ce3c1 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -785,7 +785,168 @@ Prevent Data Exfiltration. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` 
diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep
index 08a39588db..d2616a828a 100644
--- a/modules/synapse/workspace/main.bicep
+++ b/modules/synapse/workspace/main.bicep
@@ -98,7 +98,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
@@ -297,27 +297,27 @@ resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022 }] // Endpoints -module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Workspace-PrivateEndpoint-${index}' +module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}' params: { groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(workspace.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(workspace.id, '/'))}-${privateEndpoint.?service ?? privateEndpoint.service}-${index}' serviceResourceId: workspace.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
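Review bot: The new `enableDefaultTelemetry:` line reads `privateEndpoint.?enableDefaultTelemetry`, but the `privateEndpointType` added in the next hunk declares the per-endpoint field as `enableTelemetry: bool?`, so a caller's `enableTelemetry` is silently ignored and the child module always receives `enableReferencedModulesTelemetry`. The line should be `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry` (or the type's field renamed to match); the `app_privateEndpoints` hunk of modules/web/site/main.bicep has the same mismatch. In the `name:` line, `privateEndpoint.?service ?? privateEndpoint.service` is redundant because `service` is a required property of the type, so `privateEndpoint.service` alone reads clearer. The default name prefix also changes from `pe-` to `pep-`, which presumably makes a redeploy create a new private endpoint beside the old one for consumers that relied on the generated name; that deserves a mention in the change description.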
@@ -386,3 +386,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index a772b190e3..677555b5c2 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10923669375290685211" + "templateHash": "12758052897750463428" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", 
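Review bot: The nested properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, which is why the README tables generated in this commit show empty description cells for them; each should get one, e.g. `@description('Optional. FQDN that resolves to the private endpoint IP address.')` on `fqdn` and `@description('Required. A list of private IP addresses of the private endpoint.')` on `ipAddresses`, with the `ipConfigurations` fields documented the same way. `manualPrivateLinkServiceConnections: array?` is the one property left as an untyped `array` while every other list in the type is element-typed; if the element shape is known it should be declared like `customDnsConfigs`, otherwise a short comment explaining why it stays open would help the next maintainer. The `enableTelemetry: bool?` field is declared here but the module in the previous hunk reads `enableDefaultTelemetry`, so the two need to agree on one name.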
@@ -103,6 +103,154 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "metadata": { + "description": "Required. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -310,8 +458,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -867,11 +1014,11 @@ "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-workspace-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -880,32 +1027,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Synapse/workspaces', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Synapse/workspaces', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep index efcf051533..9948b9688f 100644 --- a/modules/web/site/.test/functionAppCommon/main.test.bicep +++ b/modules/web/site/.test/functionAppCommon/main.test.bicep @@ -150,7 +150,6 @@ module testDeployment '../../main.bicep' = { } privateEndpoints: [ { - service: 'sites' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep index 5f80c1b05d..c4d9ff9bb9 100644 --- a/modules/web/site/.test/webAppCommon/main.test.bicep +++ b/modules/web/site/.test/webAppCommon/main.test.bicep @@ -86,7 +86,6 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName privateEndpoints: [ { - service: 'sites' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ @@ -129,7 +128,6 @@ module testDeployment '../../main.bicep' = { ] privateEndpoints: [ { - service: 'sites' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/web/site/README.md b/modules/web/site/README.md index d679f188df..f748d00c85 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -146,7 +146,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'sites' subnetResourceId: '' tags: { Environment: 'Non-Prod' 
@@ -312,7 +311,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "sites", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", @@ -463,7 +461,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'sites' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -508,7 +505,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'sites' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -620,7 +616,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "sites", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", @@ -675,7 +670,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "sites", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -1089,7 +1083,168 @@ Name of the site. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. 
The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `publicNetworkAccess` diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 0964c9a5db..8dcd8df3dd 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -79,7 +79,7 @@ param authSettingV2Configuration object = {} param lock lockType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. Configuration for deployment slots for an app.') param slots array = [] 
@@ -415,27 +415,27 @@ resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01
 scope: app
 }]
-module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Site-PrivateEndpoint-${index}'
+module app_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
+ name: '${uniqueString(deployment().name, location)}-app-PrivateEndpoint-${index}'
 params: {
 groupIds: [
- privateEndpoint.service
+ privateEndpoint.?service ?? 'sites'
 ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(app.id, '/'))}-${privateEndpoint.service}-${index}'
+ name: privateEndpoint.?name ?? 'pep-${last(split(app.id, '/'))}-${privateEndpoint.?service ?? 'sites'}-${index}'
 serviceResourceId: app.id
 subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry
+ location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
 lock: privateEndpoint.?lock ?? lock
- privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
- privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
- applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : []
- customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : ''
+ privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
+ privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
+ roleAssignments: privateEndpoint.?roleAssignments
+ tags: privateEndpoint.?tags ?? tags
+ manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections
+ customDnsConfigs: privateEndpoint.?customDnsConfigs
+ ipConfigurations: privateEndpoint.?ipConfigurations
+ applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+ customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
 }
 }]
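Review bot: The added `enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry` reads a property that the new `privateEndpointType` (next hunk, `@@ -500,3 +500,58 @@`) does not declare; the type and the generated README document `enableTelemetry: bool?` instead, so a caller's `enableTelemetry: false` never reaches the private-endpoint module and the fallback always wins. Change the line to `enableDefaultTelemetry: privateEndpoint.?enableTelemetry ?? enableReferencedModulesTelemetry`; the slot hunk `@@ -345,24 +345,27 @@` in `modules/web/site/slot/main.bicep` has the same mismatch. `privateDnsZoneGroupName`, `privateDnsZoneResourceIds` and `roleAssignments` now pass `null` where the removed lines passed `'default'` and `[]`, which is only equivalent if the private-endpoint module's own defaults match — not visible here. `tags: privateEndpoint.?tags ?? tags` also changes the fallback from `{}` to the parent's tags, a behavior change worth documenting for callers.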
@@ -500,3 +500,58 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type privateEndpointType = {
+ @description('Optional. The name of the private endpoint.')
+ name: string?
+
+ @description('Optional. The location to deploy the private endpoint to.')
+ location: string?
+
+ @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".')
+ service: string?
+
+ @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
+ subnetResourceId: string
+
+ @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.')
+ privateDnsZoneGroupName: string?
+
+ @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
+ privateDnsZoneResourceIds: string[]?
+
+ @description('Optional. Custom DNS configurations.')
+ customDnsConfigs: {
+ fqdn: string?
+ ipAddresses: string[]
+ }[]?
+
+ @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
+ ipConfigurations: {
+ name: string
+ groupId: string
+ memberName: string
+ privateIpAddress: string
+ }[]?
+
+ @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
+ applicationSecurityGroupResourceIds: string[]?
+
+ @description('Optional. The custom name of the network interface attached to the private endpoint.')
+ customNetworkInterfaceName: string?
+
+ @description('Optional. Specify the type of lock.')
+ lock: lockType
+
+ @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ roleAssignments: roleAssignmentType
+
+ @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
+ tags: object?
+
+ @description('Optional. Manual PrivateLink Service Connections.')
+ manualPrivateLinkServiceConnections: array?
+
+ @description('Optional. Enable/Disable usage telemetry for module.')
+ enableTelemetry: bool?
+}[]?
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index 84a1a15880..1bbe74f580 100644
--- a/modules/web/site/main.json
+++ b/modules/web/site/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "249993900851794447"
+ "templateHash": "4843779677918580425"
 },
 "name": "Web/Function Apps",
 "description": "This module deploys a Web or Function App.",
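Review bot: The `service` description on the new `privateEndpointType` still reads `For example "vault" or "blob"`, which are Key Vault and Storage group IDs copied from other modules; the consuming code in this file defaults to `'sites'`, so a reader who follows the example is likely to supply a group ID the Web/sites private-link resource does not expose. Suggest `@description('Optional. The service (sub-) type to deploy the private endpoint for. For example "sites".')` here, which the README generator would then carry into the parameter table. The accompanying `main.json` hunk is a compiled template-hash bump and needs no separate review.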
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -271,8 +420,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -986,7 +1134,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11020134105665438870" + "templateHash": "17150701166857849727" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1083,6 +1231,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1230,8 +1527,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints." } @@ -2038,11 +2334,11 @@ "slot_privateEndpoints": { "copy": { "name": "slot_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-PrivateEndpoint-{2}', uniqueString(deployment().name, parameters('location')), parameters('name'), copyIndex())]", + "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2051,29 +2347,54 @@ "parameters": { "groupIds": { "value": [ - "[format('{0}-{1}', parameters('privateEndpoints')[copyIndex()].service, parameters('name'))]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('appName')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Web/sites', parameters('appName'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), 
createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -2558,8 +2879,7 @@ } }, "dependsOn": [ - "app", - "slot" + "app" ] } }, 
@@ -2872,11 +3192,11 @@ "app_privateEndpoints": { "copy": { "name": "app_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2885,32 +3205,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": 
"[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 
'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 0fc2fec8d0..d31c9f3387 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md 
@@ -330,7 +330,168 @@ Name of the slot. Configuration details for private endpoints. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. 
A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
+
+- Required: No
+- Type: string
+
+### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
+
+Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
+
+- Required: No
+- Type: array
+
+### Parameter: `privateEndpoints.roleAssignments`
+
+Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: No
+- Type: array
+
+### Parameter: `privateEndpoints.service`
+
+Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
+
+- Required: No
+- Type: string
+
+### Parameter: `privateEndpoints.subnetResourceId`
+
+Required. Resource ID of the subnet where the endpoint needs to be created.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.tags`
+
+Optional. Tags to be applied on all resources/resource groups in this deployment.
+
+- Required: No
+- Type: object
 ### Parameter: `publicNetworkAccess`
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index c0e56d8973..7b52d9bb53 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -70,7 +70,7 @@ param authSettingV2Configuration object = {}
 param lock lockType
 @description('Optional. Configuration details for private endpoints.')
-param privateEndpoints array = []
+param privateEndpoints privateEndpointType
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -345,24 +345,27 @@ resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-0 scope: slot }] -module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Slot-${name}-PrivateEndpoint-${index}' +module slot_privateEndpoints '../../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-app-PrivateEndpoint-${index}' params: { groupIds: [ - '${privateEndpoint.service}-${name}' + privateEndpoint.?service ?? 'sites' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(slot.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(app.id, '/'))}-${privateEndpoint.?service ?? 'sites'}-${index}' serviceResourceId: app.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
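Review bot: The slot-qualified group ID is lost in the new `groupIds` value — the old side passed `'${privateEndpoint.service}-${name}'` against `serviceResourceId: app.id`, while the new side passes `privateEndpoint.?service ?? 'sites'`, and the default `name` and the deployment name likewise switch from `slot.id`/`-Slot-${name}-` to `app.id`/`-app-`, so the private endpoint created from a slot module appears to resolve to the parent app's default slot rather than this slot (the removed `"slot"` entry in the main.json `dependsOn` hunk points the same way). If that is not intended, `'${privateEndpoint.?service ?? 'sites'}-${name}'` for the group ID and `'pep-${last(split(slot.id, '/'))}-${privateEndpoint.?service ?? 'sites'}-${index}'` for the default name keep the previous target; if it is intended, the type description for `service` should say that the slot name is no longer appended. Separately, the loop reads `privateEndpoint.?enableDefaultTelemetry`, but the new privateEndpointType declares `enableTelemetry`, so a caller setting the documented property has no effect and the module-level default is always used; the static-site loop in modules/web/static-site/main.bicep has the same mismatch.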
@@ -415,3 +418,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index b9498b5fbe..3bfc8e59bb 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11020134105665438870" + "templateHash": "17150701166857849727" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
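Review bot: The nested item properties of `customDnsConfigs` (`fqdn`, `ipAddresses`) and `ipConfigurations` (`name`, `groupId`, `memberName`, `privateIpAddress`) carry no `@description`, and the README hunks in this commit show the consequence: their generated table rows have empty Description cells. A one-line `@description('Required. …')`/`@description('Optional. …')` on each nested property, in the same Required./Optional. convention the type already uses, would make the generated docs complete. `manualPrivateLinkServiceConnections: array?` is also the only collection left untyped while the others declare their item shape, which is worth either a typed item or a note in its description on what the array elements are. The identical privateEndpointType in modules/web/static-site/main.bicep shares both points.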
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -250,8 +399,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints." } @@ -1058,11 +1206,11 @@ "slot_privateEndpoints": { "copy": { "name": "slot_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Slot-{1}-PrivateEndpoint-{2}', uniqueString(deployment().name, parameters('location')), parameters('name'), copyIndex())]", + "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1071,29 +1219,54 @@ "parameters": { "groupIds": { "value": [ - "[format('{0}-{1}', parameters('privateEndpoints')[copyIndex()].service, parameters('name'))]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('appName')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Web/sites', parameters('appName'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].location), createObject('value', reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', 
parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]" + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -1578,8 +1751,7 @@ } }, "dependsOn": [ - "app", - "slot" + "app" ] } }, diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep index df0aa09ac0..cd2de2ac13 100644 --- a/modules/web/static-site/.test/common/main.test.bicep +++ b/modules/web/static-site/.test/common/main.test.bicep 
@@ -63,7 +63,6 @@ module testDeployment '../../main.bicep' = { } privateEndpoints: [ { - service: 'staticSites' subnetResourceId: nestedDependencies.outputs.subnetResourceId privateDnsZoneResourceIds: [ nestedDependencies.outputs.privateDNSZoneResourceId diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index e52301ee36..0f632c9a57 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -73,7 +73,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'staticSites' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -159,7 +158,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "staticSites", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", 
@@ -399,7 +397,168 @@ Name of the static site. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. - Required: No - Type: array -- Default: `[]` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | +| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` + +Optional. Application security groups in which the private endpoint IP configuration is included. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.customDnsConfigs` + +Optional. Custom DNS configurations. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | + +### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +- Required: Yes +- Type: array + + +### Parameter: `privateEndpoints.customNetworkInterfaceName` + +Optional. The custom name of the network interface attached to the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.enableTelemetry` + +Optional. Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool + +### Parameter: `privateEndpoints.ipConfigurations` + +Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | +| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.name` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +- Required: Yes +- Type: string + + +### Parameter: `privateEndpoints.location` + +Optional. The location to deploy the private endpoint to. 
+ +- Required: No +- Type: string + +### Parameter: `privateEndpoints.lock` + +Optional. Specify the type of lock. + +- Required: No +- Type: object + +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Optional. Manual PrivateLink Service Connections. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` + +Optional. The name of the private endpoint. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` + +Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.roleAssignments` + +Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: No +- Type: array + +### Parameter: `privateEndpoints.service` + +Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.subnetResourceId` + +Required. Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.tags` + +Optional. Tags to be applied on all resources/resource groups in this deployment. + +- Required: No +- Type: object ### Parameter: `provider` 
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 757e3ae5b6..efe8df8ec6 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep @@ -65,7 +65,7 @@ param userAssignedIdentities object = {} param lock lockType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the \'sku\' to be \'Standard\'.') -param privateEndpoints array = [] +param privateEndpoints privateEndpointType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -204,27 +204,27 @@ resource staticSite_roleAssignments 'Microsoft.Authorization/roleAssignments@202 scope: staticSite }] -module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-StaticSite-PrivateEndpoint-${index}' +module staticSite_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-staticSite-PrivateEndpoint-${index}' params: { groupIds: [ - privateEndpoint.service + privateEndpoint.?service ?? 'staticSites' ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(staticSite.id, '/'))}-${privateEndpoint.service}-${index}' + name: privateEndpoint.?name ?? 'pep-${last(split(staticSite.id, '/'))}-${privateEndpoint.?service ?? 'staticSites'}-${index}' serviceResourceId: staticSite.id subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: contains(privateEndpoint, 'location') ? privateEndpoint.location : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + enableDefaultTelemetry: privateEndpoint.?enableDefaultTelemetry ?? enableReferencedModulesTelemetry + location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default' - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] - applicationSecurityGroupResourceIds: contains(privateEndpoint, 'applicationSecurityGroupResourceIds') ? privateEndpoint.applicationSecurityGroupResourceIds : [] - customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName + privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + roleAssignments: privateEndpoint.?roleAssignments + tags: privateEndpoint.?tags ?? tags + manualPrivateLinkServiceConnections: privateEndpoint.?manualPrivateLinkServiceConnections + customDnsConfigs: privateEndpoint.?customDnsConfigs + ipConfigurations: privateEndpoint.?ipConfigurations + applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds + customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName } }] 
@@ -280,3 +280,58 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type privateEndpointType = { + @description('Optional. The name of the private endpoint.') + name: string? + + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + fqdn: string? + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + name: string + groupId: string + memberName: string + privateIpAddress: string + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index 3d50d77660..b992f8c721 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10437554075248672747" + "templateHash": "631543863258215268" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
@@ -103,6 +103,155 @@ } }, "nullable": true + }, + "privateEndpointType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the private endpoint to." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The service (sub-) type to deploy the private endpoint for. For example \"vault\" or \"blob\"." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided." + } + }, + "privateDnsZoneResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIpAddress": { + "type": "string" + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -226,8 +375,7 @@ } }, "privateEndpoints": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'." } @@ -881,11 +1029,11 @@ "staticSite_privateEndpoints": { "copy": { "name": "staticSite_privateEndpoints", - "count": "[length(parameters('privateEndpoints'))]" + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-StaticSite-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-staticSite-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -894,32 +1042,54 @@ "parameters": { "groupIds": { "value": [ - "[parameters('privateEndpoints')[copyIndex()].service]" + "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'staticSites')]" ] }, - "name": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('privateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/staticSites', parameters('name')), '/')), parameters('privateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/staticSites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'staticSites'), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Web/staticSites', parameters('name'))]" }, "subnetResourceId": { - "value": "[parameters('privateEndpoints')[copyIndex()].subnetResourceId]" + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'enableDefaultTelemetry'), variables('enableReferencedModulesTelemetry'))]" + }, + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "location": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'location'), createObject('value', parameters('privateEndpoints')[copyIndex()].location), createObject('value', 
reference(split(parameters('privateEndpoints')[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location))]", "lock": { - "value": "[coalesce(tryGet(parameters('privateEndpoints')[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "privateDnsZoneGroupName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" + }, + "privateDnsZoneResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" }, - "privateDnsZoneGroupName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]", - "privateDnsZoneResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]", - "roleAssignments": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('privateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('privateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]", - "manualPrivateLinkServiceConnections": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('privateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), 
createObject('value', createArray()))]", - "customDnsConfigs": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('privateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]", - "ipConfigurations": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('privateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]", - "applicationSecurityGroupResourceIds": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'applicationSecurityGroupResourceIds'), createObject('value', parameters('privateEndpoints')[copyIndex()].applicationSecurityGroupResourceIds), createObject('value', createArray()))]", - "customNetworkInterfaceName": "[if(contains(parameters('privateEndpoints')[copyIndex()], 'customNetworkInterfaceName'), createObject('value', parameters('privateEndpoints')[copyIndex()].customNetworkInterfaceName), createObject('value', ''))]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "manualPrivateLinkServiceConnections": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualPrivateLinkServiceConnections')]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", From 2c90d040d3077ea86ff56f9385d54777236e03fe Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Wed, 25 Oct 2023 11:24:28 +0000 Subject: [PATCH 056/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 62 +++++++++++----------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index ad11637e3f..cbadae3858 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -16,7 +16,7 @@ This section provides an overview of the library's feature set. | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | :white_check_mark: | | | | 254 | | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | :white_check_mark: | | | | 169 | | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 449 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 264 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 304 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 205 | | 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | @@ -26,12 +26,12 @@ This section provides an overview of the library's feature set. | 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6] | 397 | -| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 231 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 270 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 227 | +| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6] | 437 | +| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 309 | +| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | :white_check_mark: | | | | 310 | +| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 267 | | 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 334 | +| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 374 | | 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | | 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | | 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | @@ -43,12 +43,12 @@ This section provides an overview of the library's feature set. | 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 598 | | 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | | 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 389 | +| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 429 | | 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 668 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:2, L2:1] | 284 | +| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2, L2:1] | 324 | | 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | | 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 342 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 382 | | 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 369 | | 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4] | 367 | | 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 190 | @@ -56,12 +56,12 @@ This section provides an overview of the library's feature set. | 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | :white_check_mark: | | | | 195 | | 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 161 | | 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 252 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3, L2:3] | 366 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 207 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 295 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3, L2:3] | 406 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 247 | | 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 191 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 211 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 363 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 251 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4, L2:2] | 403 | | 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | | 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 212 | | 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | @@ -71,20 +71,20 @@ This section provides an overview of the library's feature set. | 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | | 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | | 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | -| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:1] | 132 | +| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | | | [L1:1] | 172 | | 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | | 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 306 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 346 | | 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | | 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | :white_check_mark: | | | | 225 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 311 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 354 | | 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | | 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | | 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | 376 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | | 416 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | | 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | | 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 358 | @@ -126,30 +126,30 @@ This section provides an overview of the library's feature set. | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | | 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | | 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 311 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:7, L2:2, L3:2] | 322 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:4, L2:2] | 290 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:7, L2:2, L3:2] | 362 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4, L2:2] | 330 | | 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | | 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | | 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:1] | 263 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 303 | | 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:2] | 399 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 439 | | 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | -| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | :white_check_mark: | | | 226 | -| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | :white_check_mark: | | | 196 | +| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | +| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | | 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 371 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:8, L2:2] | 340 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:6, L2:4, L3:1] | 471 | -| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | :white_check_mark: | | | 122 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:3] | 319 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:2] | 380 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:4, L3:1] | 511 | +| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 359 | | 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | | 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | | 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 255 | | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | [L1:5, L2:4, L3:1] | 417 | -| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | :white_check_mark: | | [L1:3] | 231 | -| Sum | | | 0 | 0 | 118 | 57 | 30 | 2 | 238 | 28034 | +| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:5, L2:4, L3:1] | 457 | +| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 | +| Sum | | | 0 | 0 | 118 | 57 | 0 | 2 | 238 | 29282 | ## Legend From 4003f08b06b279661f5c0c9c7d1f81a1f1e3466a Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 27 Oct 2023 05:11:42 +1100 Subject: [PATCH 057/178] [Modules] Uplifted the SQL Server - Vulnerability Assessment child module to support Storage RBAC (#4145) * [Modules] Uplifted the Vulnerability Assessment child module for SQL to align with SQL MI * updated readme * Updated dependencies to remove MI Principal ID, not needed --- modules/sql/managed-instance/main.json | 11 +- .../vulnerability-assessment/main.bicep | 8 +- .../vulnerability-assessment/main.json | 9 +- .../nested_storageRoleAssignment.bicep | 0 .../server/.test/vulnAssm/dependencies.bicep | 35 +++++ .../sql/server/.test/vulnAssm/main.test.bicep | 91 +++++++++++++ modules/sql/server/README.md | 128 ++++++++++++++++++ modules/sql/server/main.bicep | 4 +- modules/sql/server/main.json | 84 +++++++++++- .../server/vulnerability-assessment/README.md | 31 ++++- .../vulnerability-assessment/main.bicep | 24 +++- .../server/vulnerability-assessment/main.json | 76 ++++++++++- .../nested_storageRoleAssignment.bicep | 17 +++ 13 files changed, 478 insertions(+), 40 deletions(-) rename modules/sql/managed-instance/vulnerability-assessment/{.bicep => modules}/nested_storageRoleAssignment.bicep (100%) create mode 100644 modules/sql/server/.test/vulnAssm/dependencies.bicep create mode 100644 modules/sql/server/.test/vulnAssm/main.test.bicep create mode 100644 modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep 
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 925f909b08..c6bb21f7f8 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7571236887873003427" + "templateHash": "7653568276267549552" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -1433,7 +1433,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16419324698366777740" + "templateHash": "5582620280313265167" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -1501,9 +1501,6 @@ } } }, - "variables": { - "splitStorageAccountResourceId": "[split(parameters('storageAccountResourceId'), '/')]" - }, "resources": [ { "condition": "[parameters('enableDefaultTelemetry')]", @@ -1538,7 +1535,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-sbdc-rbac', parameters('managedInstanceName'))]", - "resourceGroup": "[variables('splitStorageAccountResourceId')[4]]", + "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -1546,7 +1543,7 @@ "mode": "Incremental", "parameters": { "storageAccountName": { - "value": "[last(variables('splitStorageAccountResourceId'))]" + "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" }, "managedInstanceIdentityPrincipalId": { "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.bicep b/modules/sql/managed-instance/vulnerability-assessment/main.bicep index 522882e99a..81cc946945 100644 
--- a/modules/sql/managed-instance/vulnerability-assessment/main.bicep +++ b/modules/sql/managed-instance/vulnerability-assessment/main.bicep @@ -29,8 +29,6 @@ param createStorageRoleAssignment bool = true @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var splitStorageAccountResourceId = split(storageAccountResourceId, '/') - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -48,11 +46,11 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' exi } // Assign SQL MI MSI access to storage account -module storageAccount_sbdc_rbac '.bicep/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) { +module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) { name: '${managedInstance.name}-sbdc-rbac' - scope: resourceGroup(splitStorageAccountResourceId[4]) + scope: resourceGroup(split(storageAccountResourceId, '/')[4]) params: { - storageAccountName: last(splitStorageAccountResourceId) + storageAccountName: last(split(storageAccountResourceId, '/')) managedInstanceIdentityPrincipalId: managedInstance.identity.principalId } } diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json index bf1f2597ca..eb70ed8caa 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.json +++ b/modules/sql/managed-instance/vulnerability-assessment/main.json 
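Review bot: The inlined `split(storageAccountResourceId, '/')[4]` in the `storageAccount_sbdc_rbac` module is an unstated contract that the parameter is a full ARM resource ID; a short name or a relative ID fails at index 4 with an opaque index-out-of-range error rather than a validation message. Since the commit now repeats the split twice where the removed variable computed it once, a one-line comment above the module would make the assumption explicit: `// storageAccountResourceId must be a full resource ID; segment [4] is its resource group, last() its account name`. If the parameter declaration (outside this hunk) can carry a `@minLength()` or a description stating "full resource ID", that is the better place to enforce it.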
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16419324698366777740" + "templateHash": "5582620280313265167" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -73,9 +73,6 @@ } } }, - "variables": { - "splitStorageAccountResourceId": "[split(parameters('storageAccountResourceId'), '/')]" - }, "resources": [ { "condition": "[parameters('enableDefaultTelemetry')]", @@ -110,7 +107,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-sbdc-rbac', parameters('managedInstanceName'))]", - "resourceGroup": "[variables('splitStorageAccountResourceId')[4]]", + "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -118,7 +115,7 @@ "mode": "Incremental", "parameters": { "storageAccountName": { - "value": "[last(variables('splitStorageAccountResourceId'))]" + "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" }, "managedInstanceIdentityPrincipalId": { "value": "[reference(resourceId('Microsoft.Sql/managedInstances', parameters('managedInstanceName')), '2022-05-01-preview', 'full').identity.principalId]" diff --git a/modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep b/modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep similarity index 100% rename from modules/sql/managed-instance/vulnerability-assessment/.bicep/nested_storageRoleAssignment.bicep rename to modules/sql/managed-instance/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep diff --git a/modules/sql/server/.test/vulnAssm/dependencies.bicep b/modules/sql/server/.test/vulnAssm/dependencies.bicep new file mode 100644 index 0000000000..6eb808e8c6 --- /dev/null +++ b/modules/sql/server/.test/vulnAssm/dependencies.bicep 
@@ -0,0 +1,35 @@ +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } + } +} + +@description('The resource ID of the created managed identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/sql/server/.test/vulnAssm/main.test.bicep b/modules/sql/server/.test/vulnAssm/main.test.bicep new file mode 100644 index 0000000000..5dd0f342e9 --- /dev/null +++ b/modules/sql/server/.test/vulnAssm/main.test.bicep 
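Review bot: The test storage account in dependencies.bicep does not disable shared-key access, so the scenario this test is meant to prove — the `useStorageAccountAccessKey: false` RBAC path — would still pass even if the module silently fell back to an account key. Adding `allowSharedKeyAccess: false` next to `allowBlobPublicAccess: false` makes the RBAC path the only way the scan can write, and `minimumTlsVersion: 'TLS1_2'` plus `supportsHttpsTrafficOnly: true` bring the fixture in line with the hardening the rest of the properties already express. This is test infrastructure, so the change is low-risk, but confirm the vulnerability-assessment resource does not itself require shared-key access before applying it.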
@@ -0,0 +1,91 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sqlsvln' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId + administratorLogin: 'adminUserName' + administratorLoginPassword: password + 
location: location + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + useStorageAccountAccessKey: false + createStorageRoleAssignment: true + } + securityAlertPolicies: [ + { + name: 'Default' + state: 'Enabled' + emailAccountAdmins: true + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 0026e3da9b..40b906cc47 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -44,6 +44,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) - [Secondary](#example-4-secondary) +- [Vulnassm](#example-5-vulnassm) ### Example 1: _Admin_ @@ -592,6 +593,133 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {

+### Example 5: _Vulnassm_ + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/sql.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlsvln' + params: { + // Required parameters + name: 'sqlsvln' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + enableDefaultTelemetry: '' + location: '' + primaryUserAssignedIdentityId: '' + securityAlertPolicies: [ + { + emailAccountAdmins: true + name: 'Default' + state: 'Enabled' + } + ] + systemAssignedIdentity: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + vulnerabilityAssessmentsObj: { + createStorageRoleAssignment: true + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + useStorageAccountAccessKey: false + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sqlsvln" + }, + // Non-required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "securityAlertPolicies": { + "value": [ + { + "emailAccountAdmins": true, + "name": "Default", + "state": "Enabled" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + }, + "vulnerabilityAssessmentsObj": { + "value": { + "createStorageRoleAssignment": true, + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "", + "useStorageAccountAccessKey": false + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index 9b56c50287..b62154b8cf 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep @@ -311,7 +311,9 @@ module server_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : [] recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false - storageAccountResourceId: contains(vulnerabilityAssessmentsObj, 'storageAccountResourceId') ? vulnerabilityAssessmentsObj.storageAccountResourceId : '' + storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId + useStorageAccountAccessKey: contains(vulnerabilityAssessmentsObj, 'useStorageAccountAccessKey') ? vulnerabilityAssessmentsObj.useStorageAccountAccessKey : false + createStorageRoleAssignment: contains(vulnerabilityAssessmentsObj, 'createStorageRoleAssignment') ? vulnerabilityAssessmentsObj.createStorageRoleAssignment : true enableDefaultTelemetry: enableReferencedModulesTelemetry } dependsOn: [ diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index 6323877d94..d3f0fb80b5 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15785900556035209583" + "templateHash": "14708866930444205418" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", 
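Review bot: The new `storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId` in server/main.bicep replaces a guarded `contains()` lookup with a direct property access, which turns a previously tolerated omission into a deployment-time "property not found" error for any caller that passes a non-empty `vulnerabilityAssessmentsObj` without that key. That is consistent with the child module now declaring the parameter Required, but it is a breaking change for existing consumers and nothing in the hunk or the README example flags it as such. A short comment on the line, `// Required since the child module no longer defaults storageAccountResourceId; omitting it is a breaking change for callers`, and a changelog entry would make the intent explicit; the enclosing `module server_vulnerabilityAssessment … = if (…)` starts outside this hunk, so whether the object is also evaluated when the condition is false should be confirmed against that condition.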
@@ -2545,7 +2545,11 @@ "recurringScansEmails": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmails'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmails), createObject('value', createArray()))]", "recurringScansEmailSubscriptionAdmins": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansEmailSubscriptionAdmins'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansEmailSubscriptionAdmins), createObject('value', false()))]", "recurringScansIsEnabled": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'recurringScansIsEnabled'), createObject('value', parameters('vulnerabilityAssessmentsObj').recurringScansIsEnabled), createObject('value', false()))]", - "storageAccountResourceId": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'storageAccountResourceId'), createObject('value', parameters('vulnerabilityAssessmentsObj').storageAccountResourceId), createObject('value', ''))]", + "storageAccountResourceId": { + "value": "[parameters('vulnerabilityAssessmentsObj').storageAccountResourceId]" + }, + "useStorageAccountAccessKey": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'useStorageAccountAccessKey'), createObject('value', parameters('vulnerabilityAssessmentsObj').useStorageAccountAccessKey), createObject('value', false()))]", + "createStorageRoleAssignment": "[if(contains(parameters('vulnerabilityAssessmentsObj'), 'createStorageRoleAssignment'), createObject('value', parameters('vulnerabilityAssessmentsObj').createStorageRoleAssignment), createObject('value', true()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } 
@@ -2557,7 +2561,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2049927305875122003" + "templateHash": "1780388510504326565" }, "name": "Azure SQL Server Vulnerability Assessments", "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", @@ -2573,7 +2577,7 @@ "serverName": { "type": "string", "metadata": { - "description": "Required. The Name of SQL Server." + "description": "Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment." } }, "recurringScansIsEnabled": { @@ -2599,9 +2603,22 @@ }, "storageAccountResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. A blob storage to hold the scan results." + "description": "Required. A blob storage to hold the scan results." + } + }, + "useStorageAccountAccessKey": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." + } + }, + "createStorageRoleAssignment": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." } }, "enableDefaultTelemetry": { 
@@ -2633,13 +2650,66 @@ "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value]", + "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", "recurringScans": { "isEnabled": "[parameters('recurringScansIsEnabled')]", "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", "emails": "[parameters('recurringScansEmails')]" } } + }, + { + "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-sbdc-rbac', parameters('serverName'))]", + "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "storageAccountName": { + "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" + }, + "managedInstanceIdentityPrincipalId": { + "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2022-05-01-preview', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "9210546972730714858" + } + }, + "parameters": { + "storageAccountName": { + "type": "string" + }, + "managedInstanceIdentityPrincipalId": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", + "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", + "principalType": "ServicePrincipal" + } + } + ] + } + } } ], "outputs": { diff --git a/modules/sql/server/vulnerability-assessment/README.md b/modules/sql/server/vulnerability-assessment/README.md index ba96061893..145b70da61 100644 --- a/modules/sql/server/vulnerability-assessment/README.md +++ b/modules/sql/server/vulnerability-assessment/README.md @@ -13,6 +13,7 @@ This module deploys an Azure SQL Server Vulnerability Assessment. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/vulnerabilityAssessments) | ## Parameters 
@@ -22,17 +23,31 @@ This module deploys an Azure SQL Server Vulnerability Assessment. | Parameter | Type | Description | | :-- | :-- | :-- | | [`name`](#parameter-name) | string | The name of the vulnerability assessment. | -| [`serverName`](#parameter-servername) | string | The Name of SQL Server. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`serverName`](#parameter-servername) | string | The Name of SQL Server. Required if the template is used in a standalone deployment. | **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | +| [`createStorageRoleAssignment`](#parameter-createstorageroleassignment) | bool | Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`recurringScansEmails`](#parameter-recurringscansemails) | array | Specifies an array of email addresses to which the scan notification is sent. | | [`recurringScansEmailSubscriptionAdmins`](#parameter-recurringscansemailsubscriptionadmins) | bool | Specifies that the schedule scan notification will be is sent to the subscription administrators. | | [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. | -| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | A blob storage to hold the scan results. | +| [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. 
If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | + +### Parameter: `createStorageRoleAssignment` + +Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. +- Required: No +- Type: bool +- Default: `True` ### Parameter: `enableDefaultTelemetry` @@ -70,16 +85,22 @@ Recurring scans state. ### Parameter: `serverName` -The Name of SQL Server. +The Name of SQL Server. Required if the template is used in a standalone deployment. - Required: Yes - Type: string ### Parameter: `storageAccountResourceId` A blob storage to hold the scan results. -- Required: No +- Required: Yes - Type: string -- Default: `''` + +### Parameter: `useStorageAccountAccessKey` + +Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. +- Required: No +- Type: bool +- Default: `False` ## Outputs diff --git a/modules/sql/server/vulnerability-assessment/main.bicep b/modules/sql/server/vulnerability-assessment/main.bicep index 7821e1dea5..de649ee8d3 100644 --- a/modules/sql/server/vulnerability-assessment/main.bicep +++ b/modules/sql/server/vulnerability-assessment/main.bicep @@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers' @description('Required. The name of the vulnerability assessment.') param name string -@description('Required. The Name of SQL Server.') +@description('Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment.') param serverName string @description('Optional. Recurring scans state.') 
@@ -17,8 +17,14 @@ param recurringScansEmailSubscriptionAdmins bool = false
 @description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
 param recurringScansEmails array = []
 
-@description('Optional. A blob storage to hold the scan results.')
-param storageAccountResourceId string = ''
+@description('Required. A blob storage to hold the scan results.')
+param storageAccountResourceId string
+
+@description('Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.')
+param useStorageAccountAccessKey bool = false
+
+@description('Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.')
+param createStorageRoleAssignment bool = true
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
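Review bot: The new `@description` for `storageAccountResourceId` still reads `A blob storage to hold the scan results`, while the parameter is now mandatory and is split on `/` later in this file, so the text should say what shape is expected: `Required. The resource ID of the storage account that receives the scan results (the vulnerability-assessment container is used).` The `createStorageRoleAssignment` description should also state that the assignment is created by this module in the storage account's resource group and is skipped when `useStorageAccountAccessKey` is true, e.g. append `Requires the deploying principal to be able to create role assignments on the storage account; ignored when useStorageAccountAccessKey is true.` The descriptions are what the generated README reproduces, so the gap is visible to every consumer.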
@@ -39,12 +45,22 @@ resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = { name: serverName } +// Assign SQL Server MSI access to storage account +module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) { + name: '${server.name}-sbdc-rbac' + scope: resourceGroup(split(storageAccountResourceId, '/')[4]) + params: { + storageAccountName: last(split(storageAccountResourceId, '/')) + managedInstanceIdentityPrincipalId: server.identity.principalId + } +} + resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2022-05-01-preview' = { name: name parent: server properties: { storageContainerPath: 'https://${last(split(storageAccountResourceId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/' - storageAccountAccessKey: listKeys(storageAccountResourceId, '2019-06-01').keys[0].value + storageAccountAccessKey: useStorageAccountAccessKey ? listKeys(storageAccountResourceId, '2019-06-01').keys[0].value : any(null) recurringScans: { isEnabled: recurringScansIsEnabled emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins diff --git a/modules/sql/server/vulnerability-assessment/main.json b/modules/sql/server/vulnerability-assessment/main.json index 29a24e8faa..3942036e23 100644 --- a/modules/sql/server/vulnerability-assessment/main.json +++ b/modules/sql/server/vulnerability-assessment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2049927305875122003" + "templateHash": "1780388510504326565" }, "name": "Azure SQL Server Vulnerability Assessments", "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", 
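Review bot: `scope: resourceGroup(split(storageAccountResourceId, '/')[4])` resolves the resource group in the deployment's own subscription, whereas `listKeys(storageAccountResourceId, …)` and `storageContainerPath` accept a full resource ID from any subscription, so a storage account in another subscription makes the role-assignment deployment target the wrong (or a nonexistent) resource group. Use both segments of the ID: `scope: resourceGroup(split(storageAccountResourceId, '/')[2], split(storageAccountResourceId, '/')[4])`. The `managedInstanceIdentityPrincipalId: server.identity.principalId` line reads the identity of the `existing` server without a guard; if the server has no system-assigned identity this fails with a null-property error inside the nested deployment rather than a message naming the prerequisite from the parameter description, and whether ARM still evaluates that expression when the module condition is false is something I would verify before relying on it. The `storageAccountAccessKey: useStorageAccountAccessKey ? listKeys(...) : any(null)` change does make the identity-based path the default and only reads the account key when explicitly requested, which is the right direction. The `vulnerabilityAssessment` resource's `properties` block continues outside the hunk.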
@@ -21,7 +21,7 @@ "serverName": { "type": "string", "metadata": { - "description": "Required. The Name of SQL Server." + "description": "Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment." } }, "recurringScansIsEnabled": { @@ -47,9 +47,22 @@ }, "storageAccountResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. A blob storage to hold the scan results." + "description": "Required. A blob storage to hold the scan results." + } + }, + "useStorageAccountAccessKey": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account." + } + }, + "createStorageRoleAssignment": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account." } }, "enableDefaultTelemetry": { 
@@ -81,13 +94,66 @@ "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", "properties": { "storageContainerPath": "[format('https://{0}.blob.{1}/vulnerability-assessment/', last(split(parameters('storageAccountResourceId'), '/')), environment().suffixes.storage)]", - "storageAccountAccessKey": "[listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value]", + "storageAccountAccessKey": "[if(parameters('useStorageAccountAccessKey'), listKeys(parameters('storageAccountResourceId'), '2019-06-01').keys[0].value, null())]", "recurringScans": { "isEnabled": "[parameters('recurringScansIsEnabled')]", "emailSubscriptionAdmins": "[parameters('recurringScansEmailSubscriptionAdmins')]", "emails": "[parameters('recurringScansEmails')]" } } + }, + { + "condition": "[and(not(parameters('useStorageAccountAccessKey')), parameters('createStorageRoleAssignment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-sbdc-rbac', parameters('serverName'))]", + "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "storageAccountName": { + "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" + }, + "managedInstanceIdentityPrincipalId": { + "value": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2022-05-01-preview', 'full').identity.principalId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "9210546972730714858" + } + }, + "parameters": { + "storageAccountName": { + "type": "string" + }, + "managedInstanceIdentityPrincipalId": { + "type": "string" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]", + "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "principalId": "[parameters('managedInstanceIdentityPrincipalId')]", + "principalType": "ServicePrincipal" + } + } + ] + } + } } ], "outputs": { diff --git a/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep b/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep new file mode 100644 index 0000000000..7855e9f142 --- /dev/null +++ b/modules/sql/server/vulnerability-assessment/modules/nested_storageRoleAssignment.bicep @@ -0,0 +1,17 @@ +param storageAccountName string +param managedInstanceIdentityPrincipalId string + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { + name: storageAccountName +} + +// Assign Storage Blob Data Contributor RBAC role +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor') + scope: storageAccount + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') + principalId: managedInstanceIdentityPrincipalId + principalType: 'ServicePrincipal' + } +} From 3345582bf00d75f2488873a37c8ffd45a1568e7e Mon Sep 17 00:00:00 2001 
From: CARMLPipelinePrincipal Date: Thu, 26 Oct 2023 18:12:29 +0000 Subject: [PATCH 058/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index cbadae3858..1c0ceb6a24 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -138,8 +138,8 @@ This section provides an overview of the library's feature set. | 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | | 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | | 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | -| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 371 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:2] | 380 | +| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:3] | 371 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 382 | | 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:4, L3:1] | 511 | | 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | | 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 359 | @@ -149,7 +149,7 @@ This section provides an overview of the library's feature set. | 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | | 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:5, L2:4, L3:1] | 457 | | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 | -| Sum | | | 0 | 0 | 118 | 57 | 0 | 2 | 238 | 29282 | +| Sum | | | 0 | 0 | 118 | 57 | 0 | 2 | 240 | 29284 | ## Legend From 47922db9de709f4d58c430c36c9e9e63dad2943d Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 28 Oct 2023 11:11:33 +0200 Subject: [PATCH 059/178] [Modules] Updated Diagnostic Settings to AVM Specs (#4154) * Updated main templates * Updated most test files * Update to latest * Updated templates, compiled jsons, updated readmes * Missing update * Fixed SQL MI * Fixed SQL Server * Workaround for diag --- .../.test/common/main.test.bicep | 13 +- modules/aad/domain-service/README.md | 131 +- modules/aad/domain-service/main.bicep | 98 +- modules/aad/domain-service/main.json | 170 ++- .../server/.test/common/main.test.bicep | 18 +- .../server/.test/max/main.test.bicep | 31 +- modules/analysis-services/server/README.md | 234 +++- modules/analysis-services/server/main.bicep | 122 +- modules/analysis-services/server/main.json | 211 +-- .../service/.test/max/main.test.bicep | 18 +- modules/api-management/service/README.md | 162 ++- modules/api-management/service/main.bicep | 120 +- modules/api-management/service/main.json | 210 +-- .../.test/common/main.test.bicep | 18 +- .../configuration-store/README.md | 162 ++- .../configuration-store/main.bicep | 122 +- .../configuration-store/main.json | 211 +-- .../.test/common/main.test.bicep | 18 +- .../automation/automation-account/README.md | 162 ++- .../automation/automation-account/main.bicep | 123 +- .../automation/automation-account/main.json | 212 +-- .../.test/common/main.test.bicep | 18 +- modules/batch/batch-account/README.md | 162 ++- modules/batch/batch-account/main.bicep | 121 +- modules/batch/batch-account/main.json | 208 +-- .../.test/common/main.test.bicep | 19 +- modules/cache/redis-enterprise/README.md | 166 ++- modules/cache/redis-enterprise/main.bicep | 122 +- modules/cache/redis-enterprise/main.json | 210 +-- .../cache/redis/.test/common/main.test.bicep | 19 +- modules/cache/redis/README.md | 166 ++- modules/cache/redis/main.bicep | 121 +- modules/cache/redis/main.json | 210 +-- .../account/.test/common/main.test.bicep | 18 +- modules/cognitive-services/account/README.md | 
162 ++- modules/cognitive-services/account/main.bicep | 122 +- modules/cognitive-services/account/main.json | 213 +-- .../.test/linux/main.test.bicep | 18 +- .../.test/windows/main.test.bicep | 18 +- .../virtual-machine-scale-set/README.md | 185 ++- .../virtual-machine-scale-set/main.bicep | 83 +- .../virtual-machine-scale-set/main.json | 157 ++- .../.test/linux/main.test.bicep | 32 +- .../.test/windows/main.test.bicep | 32 +- modules/compute/virtual-machine/README.md | 219 +-- modules/compute/virtual-machine/main.bicep | 94 +- modules/compute/virtual-machine/main.json | 780 ++++++----- .../modules/nested_networkInterface.bicep | 70 +- .../registry/.test/common/main.test.bicep | 18 +- modules/container-registry/registry/README.md | 162 ++- .../container-registry/registry/main.bicep | 122 +- modules/container-registry/registry/main.json | 213 +-- .../.test/azure/main.test.bicep | 18 +- .../.test/kubenet/main.test.bicep | 18 +- .../.test/priv/main.test.bicep | 18 +- .../managed-cluster/README.md | 250 +++- .../managed-cluster/main.bicep | 127 +- .../managed-cluster/main.json | 216 +-- .../factory/.test/common/main.test.bicep | 18 +- modules/data-factory/factory/README.md | 162 ++- modules/data-factory/factory/main.bicep | 129 +- modules/data-factory/factory/main.json | 218 +-- .../workspace/.test/common/main.test.bicep | 27 +- modules/databricks/workspace/README.md | 155 ++- modules/databricks/workspace/main.bicep | 102 +- modules/databricks/workspace/main.json | 178 ++- .../.test/private/main.test.bicep | 18 +- .../.test/public/main.test.bicep | 18 +- .../db-for-my-sql/flexible-server/README.md | 206 ++- .../db-for-my-sql/flexible-server/main.bicep | 122 +- .../db-for-my-sql/flexible-server/main.json | 211 +-- .../.test/private/main.test.bicep | 18 +- .../.test/public/main.test.bicep | 18 +- .../flexible-server/README.md | 206 ++- .../flexible-server/main.bicep | 126 +- .../flexible-server/main.json | 215 +-- .../.test/common/main.test.bicep | 13 +- 
.../application-group/README.md | 131 +- .../application-group/main.bicep | 95 +- .../application-group/main.json | 171 ++- .../host-pool/.test/common/main.test.bicep | 13 +- .../host-pool/README.md | 131 +- .../host-pool/main.bicep | 98 +- .../host-pool/main.json | 174 ++- .../scaling-plan/.test/common/main.test.bicep | 13 +- .../scaling-plan/README.md | 131 +- .../scaling-plan/main.bicep | 90 +- .../scaling-plan/main.json | 164 ++- .../workspace/.test/common/main.test.bicep | 13 +- .../workspace/README.md | 131 +- .../workspace/main.bicep | 96 +- .../workspace/main.json | 172 ++- .../.test/common/main.test.bicep | 18 +- .../digital-twins-instance/README.md | 162 ++- .../digital-twins-instance/main.bicep | 126 +- .../digital-twins-instance/main.json | 215 +-- .../.test/gremlindb/main.test.bicep | 18 +- .../.test/mongodb/main.test.bicep | 18 +- .../.test/plain/main.test.bicep | 18 +- .../.test/sqldb/main.test.bicep | 18 +- .../document-db/database-account/README.md | 294 ++-- .../document-db/database-account/main.bicep | 129 +- .../document-db/database-account/main.json | 216 +-- .../domain/.test/common/main.test.bicep | 18 +- modules/event-grid/domain/README.md | 162 ++- modules/event-grid/domain/main.bicep | 122 +- modules/event-grid/domain/main.json | 211 +-- .../system-topic/.test/common/main.test.bicep | 18 +- modules/event-grid/system-topic/README.md | 162 ++- modules/event-grid/system-topic/main.bicep | 121 +- modules/event-grid/system-topic/main.json | 210 +-- .../topic/.test/common/main.test.bicep | 18 +- modules/event-grid/topic/README.md | 162 ++- modules/event-grid/topic/main.bicep | 122 +- modules/event-grid/topic/main.json | 211 +-- .../namespace/.test/common/main.test.bicep | 18 +- modules/event-hub/namespace/README.md | 162 ++- modules/event-hub/namespace/main.bicep | 129 +- modules/event-hub/namespace/main.json | 218 +-- .../workspace/.test/common/dependencies.bicep | 1 - .../workspace/.test/common/main.test.bicep | 51 +- 
modules/healthcare-apis/workspace/README.md | 88 +- .../workspace/dicomservice/README.md | 117 +- .../workspace/dicomservice/main.bicep | 98 +- .../workspace/dicomservice/main.json | 186 ++- .../workspace/fhirservice/README.md | 118 +- .../workspace/fhirservice/main.bicep | 112 +- .../workspace/fhirservice/main.json | 205 +-- .../workspace/iotconnector/README.md | 118 +- .../workspace/iotconnector/main.bicep | 112 +- .../workspace/iotconnector/main.json | 207 +-- modules/healthcare-apis/workspace/main.bicep | 20 +- modules/healthcare-apis/workspace/main.json | 626 +++++---- .../component/.test/common/main.test.bicep | 18 +- modules/insights/component/README.md | 162 ++- modules/insights/component/main.bicep | 131 +- modules/insights/component/main.json | 220 +-- .../.test/common/main.test.bicep | 13 +- modules/insights/diagnostic-setting/README.md | 145 +- .../insights/diagnostic-setting/main.bicep | 93 +- modules/insights/diagnostic-setting/main.json | 144 +- .../.test/accesspolicies/main.test.bicep | 18 +- .../vault/.test/common/main.test.bicep | 18 +- .../key-vault/vault/.test/pe/main.test.bicep | 18 +- modules/key-vault/vault/README.md | 250 +++- modules/key-vault/vault/main.bicep | 121 +- modules/key-vault/vault/main.json | 209 +-- .../workflow/.test/common/main.test.bicep | 18 +- modules/logic/workflow/README.md | 162 ++- modules/logic/workflow/main.bicep | 121 +- modules/logic/workflow/main.json | 210 +-- .../workspace/.test/common/main.test.bicep | 18 +- .../workspace/README.md | 162 ++- .../workspace/main.bicep | 124 +- .../workspace/main.json | 214 +-- .../.test/common/main.test.bicep | 18 +- modules/network/application-gateway/README.md | 162 ++- .../network/application-gateway/main.bicep | 123 +- modules/network/application-gateway/main.json | 214 +-- .../.test/common/main.test.bicep | 18 +- .../.test/custompip/main.test.bicep | 36 +- modules/network/azure-firewall/README.md | 202 ++- modules/network/azure-firewall/main.bicep | 150 +- 
modules/network/azure-firewall/main.json | 671 +++++---- .../bastion-host/.test/common/main.test.bicep | 13 +- .../.test/custompip/main.test.bicep | 36 +- modules/network/bastion-host/README.md | 171 ++- modules/network/bastion-host/main.bicep | 104 +- modules/network/bastion-host/main.json | 398 +++--- .../.test/common/main.test.bicep | 18 +- .../network/express-route-circuit/README.md | 162 ++- .../network/express-route-circuit/main.bicep | 121 +- .../network/express-route-circuit/main.json | 210 +-- modules/network/front-door/README.md | 126 +- modules/network/front-door/main.bicep | 119 +- modules/network/front-door/main.json | 206 +-- .../.test/common/main.test.bicep | 18 +- .../.test/internal/main.test.bicep | 18 +- modules/network/load-balancer/README.md | 177 ++- modules/network/load-balancer/main.bicep | 83 +- modules/network/load-balancer/main.json | 157 ++- .../nat-gateway/.test/common/main.test.bicep | 4 - modules/network/nat-gateway/README.md | 190 ++- modules/network/nat-gateway/main.bicep | 84 +- modules/network/nat-gateway/main.json | 409 +++--- .../.test/common/main.test.bicep | 18 +- modules/network/network-interface/README.md | 133 +- modules/network/network-interface/main.bicep | 83 +- modules/network/network-interface/main.json | 159 ++- .../.test/common/main.test.bicep | 13 +- .../network/network-security-group/README.md | 131 +- .../network/network-security-group/main.bicep | 94 +- .../network/network-security-group/main.json | 170 ++- .../.test/common/main.test.bicep | 18 +- modules/network/public-ip-address/README.md | 162 ++- modules/network/public-ip-address/main.bicep | 123 +- modules/network/public-ip-address/main.json | 212 +-- .../.test/common/main.test.bicep | 18 +- .../network/trafficmanagerprofile/README.md | 162 ++- .../network/trafficmanagerprofile/main.bicep | 121 +- .../network/trafficmanagerprofile/main.json | 210 +-- .../.test/aadvpn/main.test.bicep | 18 +- .../.test/expressRoute/main.test.bicep | 18 +- 
.../.test/vpn/main.test.bicep | 18 +- .../network/virtual-network-gateway/README.md | 375 +++-- .../virtual-network-gateway/main.bicep | 150 +- .../network/virtual-network-gateway/main.json | 469 ++++--- .../.test/common/main.test.bicep | 18 +- modules/network/virtual-network/README.md | 163 ++- modules/network/virtual-network/main.bicep | 124 +- modules/network/virtual-network/main.json | 217 +-- .../workspace/.test/adv/main.test.bicep | 18 +- .../workspace/.test/common/main.test.bicep | 18 +- .../operational-insights/workspace/README.md | 206 ++- .../operational-insights/workspace/main.bicep | 125 +- .../operational-insights/workspace/main.json | 213 +-- .../account/.test/common/main.test.bicep | 20 +- modules/purview/account/README.md | 172 ++- modules/purview/account/main.bicep | 123 +- modules/purview/account/main.json | 232 ++-- .../vault/.test/common/main.test.bicep | 18 +- modules/recovery-services/vault/README.md | 162 ++- modules/recovery-services/vault/main.bicep | 134 +- modules/recovery-services/vault/main.json | 223 +-- .../namespace/.test/common/main.test.bicep | 18 +- modules/relay/namespace/README.md | 162 ++- modules/relay/namespace/main.bicep | 123 +- modules/relay/namespace/main.json | 212 +-- .../.test/common/main.test.bicep | 18 +- modules/search/search-service/README.md | 162 ++- modules/search/search-service/main.bicep | 112 +- modules/search/search-service/main.json | 207 +-- .../namespace/.test/common/main.test.bicep | 18 +- modules/service-bus/namespace/README.md | 162 ++- modules/service-bus/namespace/main.bicep | 121 +- modules/service-bus/namespace/main.json | 210 +-- .../.test/common/main.test.bicep | 27 +- modules/sql/managed-instance/README.md | 180 ++- .../sql/managed-instance/database/README.md | 97 +- .../sql/managed-instance/database/main.bicep | 96 +- .../sql/managed-instance/database/main.json | 172 ++- modules/sql/managed-instance/main.bicep | 127 +- modules/sql/managed-instance/main.json | 390 +++--- 
.../sql/server/.test/common/main.test.bicep | 13 +- modules/sql/server/README.md | 26 +- modules/sql/server/database/README.md | 118 +- modules/sql/server/database/main.bicep | 138 +- modules/sql/server/database/main.json | 260 ++-- modules/sql/server/main.bicep | 8 +- modules/sql/server/main.json | 272 ++-- .../.test/common/main.test.bicep | 90 +- .../storage-account/.test/nfs/main.test.bicep | 18 +- modules/storage/storage-account/README.md | 321 +++-- .../storage-account/blob-service/README.md | 118 +- .../storage-account/blob-service/main.bicep | 126 +- .../storage-account/blob-service/main.json | 245 ++-- .../storage-account/file-service/README.md | 118 +- .../storage-account/file-service/main.bicep | 126 +- .../storage-account/file-service/main.json | 245 ++-- modules/storage/storage-account/main.bicep | 111 +- modules/storage/storage-account/main.json | 1215 ++++++++++------- .../storage-account/queue-service/README.md | 118 +- .../storage-account/queue-service/main.bicep | 126 +- .../storage-account/queue-service/main.json | 245 ++-- .../storage-account/table-service/README.md | 118 +- .../storage-account/table-service/main.bicep | 126 +- .../storage-account/table-service/main.json | 245 ++-- .../workspace/.test/common/main.test.bicep | 29 +- modules/synapse/workspace/README.md | 163 ++- modules/synapse/workspace/main.bicep | 100 +- modules/synapse/workspace/main.json | 176 ++- .../.test/asev2/main.test.bicep | 13 +- .../.test/asev3/main.test.bicep | 13 +- modules/web/hosting-environment/README.md | 165 ++- modules/web/hosting-environment/main.bicep | 93 +- modules/web/hosting-environment/main.json | 169 ++- .../serverfarm/.test/common/main.test.bicep | 18 +- modules/web/serverfarm/README.md | 133 +- modules/web/serverfarm/main.bicep | 87 +- modules/web/serverfarm/main.json | 160 ++- .../.test/functionAppCommon/main.test.bicep | 18 +- .../site/.test/webAppCommon/main.test.bicep | 31 +- modules/web/site/README.md | 232 +++- modules/web/site/main.bicep | 141 
+- modules/web/site/main.json | 434 +++--- modules/web/site/slot/README.md | 118 +- modules/web/site/slot/main.bicep | 125 +- modules/web/site/slot/main.json | 211 +-- 288 files changed, 23580 insertions(+), 14888 deletions(-) diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/.test/common/main.test.bicep index 51585097f2..59577a7f74 100644 --- a/modules/aad/domain-service/.test/common/main.test.bicep +++ b/modules/aad/domain-service/.test/common/main.test.bicep @@ -78,10 +78,15 @@ module testDeployment '../../main.bicep' = { additionalRecipients: [ '${namePrefix}@noreply.github.com' ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index b2e097b4b8..f228fda2f2 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md 
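Review bot: The single `diagnosticSettings` entry sets all four destinations but no `logCategoriesAndGroups`, so this test only deploys the module's default-`AllLogs` branch; the branch where the caller supplies `{ category: ... }` objects is never exercised by the aad test. A second entry with a workspace destination and, for instance, `logCategoriesAndGroups: [ { category: 'SystemSecurity' } ]` (one of the categories this module previously allowed) would cover that branch and would also exercise two entries in one deployment. The enclosing `module testDeployment` block starts and ends outside the hunk.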
@@ -49,10 +49,15 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { additionalRecipients: [ '@noreply.github.com' ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -99,17 +104,16 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { "@noreply.github.com" ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -175,11 +179,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`additionalRecipients`](#parameter-additionalrecipients) | array | The email recipient value to receive alerts. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`domainConfigurationType`](#parameter-domainconfigurationtype) | string | The value is to provide domain configuration type. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`externalAccess`](#parameter-externalaccess) | string | The value is to enable the Secure LDAP for external services of Azure ADDS Services. | 
@@ -208,41 +208,100 @@ The email recipient value to receive alerts. - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', AccountLogon, AccountManagement, allLogs, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` -### Parameter: `diagnosticStorageAccountId` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `domainConfigurationType` diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index e7226cc521..5a05dd6d1e 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep @@ -115,17 +115,8 @@ param externalAccess string = 'Enabled' ]) param ldaps string = 'Enabled' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -139,36 +130,6 @@ param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'SystemSecurity' - 'AccountManagement' - 'LogonLogoff' - 'ObjectAccess' - 'PolicyChange' - 'PrivilegeUse' - 'DetailTracking' - 'DirectoryServiceAccess' - 'AccountLogon' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
@@ -221,17 +182,24 @@ resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
 }
 }
 
-resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: '${domainService.name}-diagnosticSettings'
+resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: domainService
-}
+}]
 
 resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
 name: lock.?name ?? 'lock-${name}'
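Review bot: The fallback on the `name:` line, `diagnosticSetting.?name ?? '${name}-diagnosticSettings'`, is identical for every element of the loop, so two entries that both omit `name` produce two diagnosticSettings resources with the same name on the same scope and the deployment fails on the duplicate; the loop already declares `index`, and using it in the default (as below, or only when `index > 0` to keep today's name for the single-entry case) keeps the default unique. The entries of `logCategoriesAndGroups` are also passed to `logs` unchanged, while the built-in default sets `enabled: true`; the diagnostic settings API expects `enabled` on each log entry as far as I recall, so a user-supplied `{ category: 'SystemSecurity' }` is presumably rejected, and mapping the entries explicitly removes that dependency on the caller. Finally, the removed `if` guard meant no setting was created unless at least one destination was given; the loop now deploys every entry, including one with no storage account, workspace, event hub or marketplace destination, which the service presumably rejects — worth a sentence on the parameter description or a check in the type.
```bicep
resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [{ categoryGroup: 'AllLogs' }]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  // … unchanged: scope …
}]
```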
@@ -302,3 +270,35 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index dbaa1c8a8f..f3f96a4b68 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12649043045609686921" + "templateHash": "3764501671926247856" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", 
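Review bot: The `@description` on `logCategoriesAndGroups` in the new `diagnosticSettingType` still reads `Set to '' to disable log collection.`, which described the removed string array; the property is now an array of `{ category, categoryGroup }` objects, and the only way the resource code disables logs is an empty array, because `?? [ ... ]` only replaces null. Suggested text: `@description('Optional. The log categories and category groups to stream. Defaults to the \'AllLogs\' category group; pass an empty array to disable log collection.')`. The same stale sentence is copied into the generated README table and main.json metadata, so fixing it here fixes all three. The element type also has no `enabled` field although the default entry built in the resource sets `enabled: true`; if per-category enabling is meant to be caller-controllable, `enabled: bool?` belongs in this type.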
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -294,32 +382,10 @@ "description": "Optional. A flag to determine whether or not Secure LDAP is enabled or disabled." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "tags": { 
@@ -347,42 +413,9 @@ "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "SystemSecurity", - "AccountManagement", - "LogonLogoff", - "ObjectAccess", - "PolicyChange", - "PrivilegeUse", - "DetailTracking", - "DirectoryServiceAccess", - "AccountLogon" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -440,17 +473,22 @@ } }, "domainService_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "domainService_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", - "name": "[format('{0}-diagnosticSettings', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "domainService" diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep index 7d91a3f264..cbe024449b 100644 --- a/modules/analysis-services/server/.test/common/main.test.bicep +++ b/modules/analysis-services/server/.test/common/main.test.bicep @@ -78,10 +78,20 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' 
diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep index e20d076bc3..37ef2b9a70 100644 --- a/modules/analysis-services/server/.test/max/main.test.bicep +++ b/modules/analysis-services/server/.test/max/main.test.bicep @@ -86,16 +86,27 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticLogCategoriesToEnable: [ - 'Engine' - 'Service' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } ] } } diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index ebbbdb8263..f5f30b2bdb 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md 
@@ -47,10 +47,20 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { // Required parameters name: 'asscom' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -90,17 +100,21 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "value": "asscom" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -150,17 +164,28 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { // Required parameters name: 'assmax' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogCategoriesToEnable: [ - 'Engine' - 'Service' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableDefaultTelemetry: '' firewallSettings: { enablePowerBIService: true @@ -206,29 +231,30 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "value": "assmax" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogCategoriesToEnable": { + "diagnosticSettings": { "value": [ - "Engine", - "Service" - ] - }, - "diagnosticMetricsToEnable": { - "value": [ - "AllMetrics" + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "Engine" + }, + { + "category": "Service" + } + ], + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ] }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "enableDefaultTelemetry": { "value": "" }, 
@@ -333,13 +359,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | | [`location`](#parameter-location) | string | Location for all Resources. | 
@@ -349,56 +369,120 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { | [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. 
The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -### Parameter: `diagnosticLogCategoriesToEnable` +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Engine, Service]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep index df315bfdb7..3bbaeaf07c 100644 --- a/modules/analysis-services/server/main.bicep +++ b/modules/analysis-services/server/main.bicep @@ -26,17 +26,8 @@ param firewallSettings object = { @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -50,46 +41,6 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'Engine' - 'Service' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
@@ -132,18 +83,31 @@ resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(loc scope: server } -resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource server_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: server -} +}] resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
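Review bot: The `metrics` and `logs` arrays supplied through `metricCategories` / `logCategoriesAndGroups` are now passed to Microsoft.Insights/diagnosticSettings unchanged, so the `enabled: true` (and `timeGrain`) that the removed `diagnosticsMetrics` / `diagnosticsLogs` variables always added is present only on the two fallback defaults; a caller value such as `[ { category: 'AllMetrics' } ]` or `[ { category: 'Engine' } ]` — exactly what the updated .test/common and .test/max files pass — reaches the API without `enabled`, which as far as I recall the LogSettings/MetricSettings schema requires. Mapping each entry inside the loop instead of passing the array through restores the shape the old code produced and leaves the public `diagnosticSettingType` untouched. Separately, `index` is bound but unused, and two entries that both omit `name` collapse to the same `'${name}-diagnosticSettings'` resource name inside the loop; `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')` keeps the single-entry default while making the loop safe. Note also that the old resource was skipped when no sink was configured, whereas the loop now deploys every entry, so an entry with no destination at all will presumably be rejected by the service rather than by the template.
```bicep
resource server_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: server
}]
```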
@@ -205,3 +169,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
index f1e639e5db..ee85f05ff5 100644
--- a/modules/analysis-services/server/main.json
+++ b/modules/analysis-services/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3188902804288997738"
+ "templateHash": "7051724089747387450"
 },
 "name": "Analysis Services Servers",
 "description": "This module deploys an Analysis Services Server.",
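Review bot: The `@description` on `metricCategories` is the log description copied verbatim ("The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.") and this commit already carries it into the generated README and main.json; it should read `@description('Optional. The name of metrics that will be streamed. Set to an empty array to disable metric collection.')`. The `logCategoriesAndGroups` description still ends with "Set to '' to disable log collection", but the member is now an array of objects and the old `''` sentinel no longer matches the type; `Set to [] to disable log collection.` describes the new contract, since an empty array passed through `??` in the resource loop does reach the API as `logs: []`. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` also appears to spell nullability twice — the trailing `?` already allows null — so `('Dedicated' | 'AzureDiagnostics')?` would be the cleaner form and matches how every other optional member of this type is written.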
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -149,32 +255,10 @@ "description": "Optional. Location for all Resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -202,63 +286,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Engine", - "Service" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -311,18 +341,23 @@ ] }, "server_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "server_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "server" diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep index 39de365c7e..e2902a543c 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/.test/max/main.test.bicep 
@@ -117,10 +117,20 @@ module testDeployment '../../main.bicep' = { useFromLocation: 'westeurope' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] identityProviders: [ { name: 'aadProvider' diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index af278b9e89..81826b9b9c 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -255,10 +255,20 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { useFromLocation: 'westeurope' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' identityProviders: [ { 
@@ -421,17 +431,21 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -622,13 +636,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`caches`](#parameter-caches) | array | Caches. | | [`certificates`](#parameter-certificates) | array | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. | | [`customProperties`](#parameter-customproperties) | object | Custom properties of the API Management service. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableGateway`](#parameter-disablegateway) | bool | Property only valid for an API Management service deployed in multiple locations. 
This can be used to disable the gateway in master region. | | [`enableClientCertificate`](#parameter-enableclientcertificate) | bool | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -711,56 +719,120 @@ Custom properties of the API Management service. - Type: object - Default: `{object}` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, GatewayLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `disableGateway` 
diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index c368241c46..2b28c3d8b1 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep @@ -18,21 +18,12 @@ param enableDefaultTelemetry bool = true @description('Optional. Custom properties of the API Management service.') param customProperties object = {} -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - @description('Optional. Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region.') param disableGateway bool = false @description('Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.') param enableClientCertificate bool = false -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - @description('Optional. Custom hostname configuration of the API Management service.') param hostnameConfigurations array = [] 
@@ -97,29 +88,12 @@ param tags object = {} ]) param virtualNetworkType string = 'None' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. A list of availability zones denoting where the resource needs to come from.') param zones array = [] -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'GatewayLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] @description('Optional. Necessary to create a new GUID.') param newGuidValue string = newGuid() 
@@ -157,31 +131,10 @@ param products array = [] @description('Optional. Subscriptions.') param subscriptions array = [] -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var enableReferencedModulesTelemetry = false var authorizationServerList = !empty(authorizationServers) ? authorizationServers.secureList : [] -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -451,18 +404,31 @@ resource service_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo scope: service } -resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: service -} +}] resource service_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
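Review bot: Two `diagnosticSettings` entries that both omit `name` resolve to the same `'${name}-diagnosticSettings'` in the new copy loop, so the second iteration declares a duplicate resource name and the deployment should be rejected at validation; the old single-resource form could not hit this. Either fold the loop index into the fallback, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` (keeping index 0 on the old name if existing deployments must not be renamed), or state in the `name` description that it is required whenever more than one setting is supplied. Separately, user-supplied `metricCategories` and `logCategoriesAndGroups` entries are forwarded to `metrics` / `logs` as-is while only the fallback literals carry `enabled: true`; the resource reference lists `enabled` as required on both entry kinds, so mapping each entry explicitly with `enabled: item.?enabled ?? true` (and `timeGrain: null` for metrics) would be safer than relying on a service-side default. The `service_roleAssignments` loop at the end of the hunk continues outside it.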
@@ -527,3 +493,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json index 43efbef293..7122d8c63c 100644 --- a/modules/api-management/service/main.json +++ b/modules/api-management/service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7614932191394773383" + "templateHash": "5480824753048175780" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", 
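Review bot: The `metricCategories` description in the new `diagnosticSettingType` is a copy of the logs text (`The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.`) and says nothing about metrics, and the `logCategoriesAndGroups` description keeps the old `Set to '' to disable log collection` advice although, with the `??` fallback in the resource, an empty array `[]` is now what bypasses the `AllLogs` default. Suggested texts: `Optional. The metric categories that will be streamed. Set to [] to disable metric collection.` and `Optional. The log categories and/or category groups that will be streamed. Set to [] to disable log collection.`; the README hunks earlier in this patch already reproduce the current wording. With the old `@allowed` guard on log categories gone, `category: string?` is free text and a mistyped category is only caught at deployment, so the description is also the place to name the categories valid for this resource. `('Dedicated' | 'AzureDiagnostics' | null)?` on `logAnalyticsDestinationType` expresses null twice, once in the union and once via `?`.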
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -141,13 +247,6 @@ "description": "Optional. Custom properties of the API Management service." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, "disableGateway": { "type": "bool", "defaultValue": false, 
@@ -162,20 +261,6 @@ "description": "Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway." } }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, "hostnameConfigurations": { "type": "array", "defaultValue": [], @@ -300,11 +385,10 @@ "description": "Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only." } }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." + "description": "Optional. The diagnostic settings of the service." } }, "zones": { 
@@ -314,32 +398,6 @@ "description": "Optional. A list of availability zones denoting where the resource needs to come from." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "GatewayLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, "newGuidValue": { "type": "string", "defaultValue": "[newGuid()]", 
@@ -423,38 +481,11 @@ "metadata": { "description": "Optional. Subscriptions." } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, "authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', 
if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "builtInRoleNames": { 
@@ -527,18 +558,23 @@ ] }, "service_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "service_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "service" diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index 273cfd4b3f..fca8a214b8 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep 
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' createMode: 'Default' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] disableLocalAuth: false enablePurgeProtection: false keyValues: [ diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index cc0ac05199..15a5ab72fc 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -52,10 +52,20 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor name: 'acccom001' // Non-required parameters createMode: 'Default' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableLocalAuth: false enableDefaultTelemetry: '' enablePurgeProtection: false 
@@ -118,17 +128,21 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor
 "createMode": {
 "value": "Default"
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "disableLocalAuth": {
 "value": false
@@ -506,13 +520,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor
 | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. |
 | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | [`createMode`](#parameter-createmode) | string | Indicates whether the configuration store need to be recovered. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Property specifying whether protection against purge is enabled for this configuration store. |
@@ -564,56 +572,120 @@ Indicates whether the configuration store need to be recovered.
 - Default: `'Default'`
 - Allowed: `[Default, Recover]`
-### Parameter: `diagnosticEventHubAuthorizationRuleId`
+### Parameter: `diagnosticSettings`
+
+The diagnostic settings of the service.
+- Required: No
+- Type: array
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
+| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
+| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. |
+| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+
+### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
+
+Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
 - Required: No
 - Type: string
-- Default: `''`
-### Parameter: `diagnosticEventHubName`
+### Parameter: `diagnosticSettings.eventHubName`
+
+Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
 - Required: No
 - Type: string
-- Default: `''`
-### Parameter: `diagnosticLogCategoriesToEnable`
+### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
+
+Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
+
+- Required: No
+- Type: string
+- Allowed: `[AzureDiagnostics, Dedicated]`
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups`
+
+Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 - Required: No
 - Type: array
-- Default: `[allLogs]`
-- Allowed: `['', allLogs, Audit, HttpRequest]`
-### Parameter: `diagnosticMetricsToEnable`
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
+| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. |
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups.category`
+
+Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
+
+- Required: No
+- Type: string
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup`
+
+Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs.
+
+- Required: No
+- Type: string
+
+
+### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
+
+Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+
+- Required: No
+- Type: string
+
+### Parameter: `diagnosticSettings.metricCategories`
+
+Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
-The name of metrics that will be streamed.
 - Required: No
 - Type: array
-- Default: `[AllMetrics]`
-- Allowed: `[AllMetrics]`
-### Parameter: `diagnosticSettingsName`
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
+
+### Parameter: `diagnosticSettings.metricCategories.category`
+
+Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
+
+- Required: Yes
+- Type: string
+
+
+### Parameter: `diagnosticSettings.name`
+
+Optional. The name of diagnostic setting.
-The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
 - Required: No
 - Type: string
-- Default: `''`
-### Parameter: `diagnosticStorageAccountId`
+### Parameter: `diagnosticSettings.storageAccountResourceId`
+
+Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-Resource ID of the diagnostic storage account.
 - Required: No
 - Type: string
-- Default: `''`
-### Parameter: `diagnosticWorkspaceId`
+### Parameter: `diagnosticSettings.workspaceResourceId`
+
+Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-Resource ID of the diagnostic log analytics workspace.
 - Required: No
 - Type: string
-- Default: `''`
 ### Parameter: `disableLocalAuth`
diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep
index e3cb9d897f..e3c46d215d 100644
--- a/modules/app-configuration/configuration-store/main.bicep
+++ b/modules/app-configuration/configuration-store/main.bicep
@@ -62,17 +62,8 @@ param cMKUserAssignedIdentityResourceId string = ''
 @description('Optional. All Key / Values to create. Requires local authentication to be enabled.')
 param keyValues array = []
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -86,51 +77,11 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'HttpRequest'
- 'Audit'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
 var enableReferencedModulesTelemetry = false
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
 var identity = {
@@ -220,18 +171,31 @@ resource configurationStore_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 scope: configurationStore
 }
-resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: configurationStore
-}
+}]
 resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
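Review bot: User-supplied `metricCategories` and `logCategoriesAndGroups` entries are passed straight through as the `metrics`/`logs` properties, but `diagnosticSettingType` only declares `category`/`categoryGroup`, so an entry like the test's `{ category: 'AllMetrics' }` reaches the diagnostic-settings resource without the `enabled` and `timeGrain` fields that the removed `diagnosticsMetrics`/`diagnosticsLogs` variables always set; if the API requires `enabled`, only the default path (no entries supplied) still deploys. Mapping the supplied entries with a for-expression that adds `enabled: true` restores the previous shape on both paths, as sketched below. Separately, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` yields the same resource name for every entry that omits `name`, so a second unnamed entry collides with the first; folding `index` into the default for entries beyond the first, or documenting `name` as required when more than one setting is given, avoids that.
```bicep
resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: configurationStore
}]
```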
@@ -375,3 +339,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json
index 1939f9e922..f0132feeea 100644
--- a/modules/app-configuration/configuration-store/main.json
+++ b/modules/app-configuration/configuration-store/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9341270782122671710"
+ "templateHash": "1654739294339670098"
 },
 "name": "App Configuration Stores",
 "description": "This module deploys an App Configuration Store.",
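Review bot: The `@description` on `metricCategories` is copied from `logCategoriesAndGroups` ("The name of logs that will be streamed… Set to '' to disable log collection.") and does not describe metrics; the same text is propagated into main.json and the README tables by this commit. Something like `@description('Optional. The metric categories that will be streamed. Defaults to the AllMetrics category when omitted; pass [] to disable metric collection.')` reflects what the resource loop in main.bicep actually does. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable", which no longer fits an array of objects now that the `''` allowed value is gone — `Set to [] to disable log collection` matches the new behaviour. On `logAnalyticsDestinationType`, the trailing `?` already makes the union nullable, so the `| null` member appears redundant.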
@@ -252,6 +252,112 @@
 }
 },
 "nullable": true
+ },
+ "diagnosticSettingType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -374,32 +480,10 @@
 "description": "Optional. All Key / Values to create. Requires local authentication to be enabled."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "lock": {
@@ -428,40 +512,6 @@
 "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
 }
 },
- "diagnosticLogCategoriesToEnable": {
- "type": "array",
- "defaultValue": [
- "allLogs"
- ],
- "allowedValues": [
- "",
- "allLogs",
- "HttpRequest",
- "Audit"
- ],
- "metadata": {
- "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
- }
- },
- "diagnosticMetricsToEnable": {
- "type": "array",
- "defaultValue": [
- "AllMetrics"
- ],
- "allowedValues": [
- "AllMetrics"
- ],
- "metadata": {
- "description": "Optional. The name of metrics that will be streamed."
- }
- },
- "diagnosticSettingsName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"."
- }
- },
 "privateEndpoints": {
 "$ref": "#/definitions/privateEndpointType",
 "metadata": {
@@ -470,27 +520,7 @@
 }
 },
 "variables": {
- "copy": [
- {
- "name": "diagnosticsLogsSpecified",
- "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]",
- "input": {
- "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]",
- "enabled": true
- }
- },
- {
- "name": "diagnosticsMetrics",
- "count": "[length(parameters('diagnosticMetricsToEnable'))]",
- "input": {
- "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]",
- "timeGrain": null,
- "enabled": true
- }
- }
- ],
 "enableReferencedModulesTelemetry": false,
- "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]",
 "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
 "identity": {
 "type": "[variables('identityType')]",
@@ -591,18 +621,23 @@
 ]
 },
 "configurationStore_diagnosticSettings": {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "copy": {
+ "name": "configurationStore_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
 "configurationStore"
diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep
index 987ed84bf7..c47be89759 100644
--- a/modules/automation/automation-account/.test/common/main.test.bicep
+++ b/modules/automation/automation-account/.test/common/main.test.bicep
@@ -68,10 +68,20 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 gallerySolutions: [
 {
 name: 'Updates'
diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md
index c68194e8d3..b832c2ad0c 100644
--- a/modules/automation/automation-account/README.md
+++ b/modules/automation/automation-account/README.md
@@ -57,10 +57,20 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'
 // Required parameters
 name: 'aacom001'
 // Non-required parameters
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 disableLocalAuth: true
 enableDefaultTelemetry: ''
 gallerySolutions: [
@@ -256,17 +266,21 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'
 "value": "aacom001"
 },
 // Non-required parameters
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "disableLocalAuth": {
 "value": true
@@ -616,13 +630,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | :-- | :-- | :-- | | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disable local authentication profile used within the resource. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the linked log analytics workspace. | 
@@ -671,56 +679,120 @@ User assigned identity to use when fetching the customer managed key. Required i - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DscNodeStatus, JobLogs, JobStreams]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAuth` 
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
index 1534d5e0c9..b921f002e8 100644
--- a/modules/automation/automation-account/main.bicep
+++ b/modules/automation/automation-account/main.bicep
@@ -65,17 +65,8 @@ param disableLocalAuth bool = true
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -95,49 +86,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'JobLogs'
- 'JobStreams'
- 'DscNodeStatus'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 var enableReferencedModulesTelemetry = false
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = identityType != 'None' ? {
@@ -363,18 +313,31 @@ resource automationAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 scope: automationAccount
 }
-resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: automationAccount
-}
+}]
 module automationAccount_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? 
[]): { name: '${uniqueString(deployment().name, location)}-automationAccount-PrivateEndpoint-${index}' 
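Review bot: Every `diagnosticSettings` entry that omits `name` resolves to the same `'${name}-diagnosticSettings'`, so two unnamed entries in the new loop yield a duplicate resource name and the deployment fails; `index` is already bound by the `[for (diagnosticSetting, index) ...]` header, so a suffixed fallback such as `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` would avoid the collision, though it renames the default for existing single-entry consumers and would need to be called out if adopted. The removed `if (...)` guard also no longer applies: an entry with no destination set at all is now submitted to the API rather than silently skipped, which is worth stating in the `diagnosticSettings` description so callers do not rely on the old behaviour. Note that the fallback `categoryGroup` changed from `'allLogs'` to `'AllLogs'`; I could not verify from this page whether the service treats that value case-insensitively, so it is worth confirming against a test deployment.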
@@ -518,3 +481,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json
index b148064e91..4c84eda080 100644
--- a/modules/automation/automation-account/main.json
+++ b/modules/automation/automation-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17662801875891298684"
+ "templateHash": "13507604496073736605"
 },
 "name": "Automation Accounts",
 "description": "This module deploys an Azure Automation Account.",
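Review bot: The `@description` on `metricCategories` is a copy of the `logCategoriesAndGroups` text ("The name of logs that will be streamed… Set to '' to disable log collection") and so documents the wrong member; the generated README and main.json sections of this commit carry the same copy. Both descriptions also still say to set `''` to disable, which does not match an array-typed member: with the `?? [...]` fallback in the resource, an omitted member gets the all-logs / all-metrics default and only an explicit empty array disables collection. Suggested wording: `@description('Optional. The metric categories to stream. Omit to collect \'AllMetrics\'; pass an empty array to disable metric collection.')` and, for logs, `@description('Optional. The log categories and category groups to stream. Omit to collect all logs; pass an empty array to disable log collection.')`. Minor: `('Dedicated' | 'AzureDiagnostics' | null)?` appears to state nullability twice; `('Dedicated' | 'AzureDiagnostics')?` should read the same.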
@@ -251,6 +251,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -387,32 +493,10 @@ "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "systemAssignedIdentity": { 
@@ -454,65 +538,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "JobLogs", - "JobStreams", - "DscNodeStatus" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), 
if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "builtInRoleNames": { 
@@ -597,18 +626,23 @@ ] }, "automationAccount_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "automationAccount_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "automationAccount" diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep index e7fbf8557e..f41129e7f6 100644 --- a/modules/batch/batch-account/.test/common/main.test.bicep +++ b/modules/batch/batch-account/.test/common/main.test.bicep 
@@ -69,10 +69,20 @@ module testDeployment '../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 storageAccountId: nestedDependencies.outputs.storageAccountResourceId
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index f6b69b8e94..5c724d1f23 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -50,10 +50,20 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
 name: 'bbacom001'
 storageAccountId: ''
 // Non-required parameters
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 lock: {
 kind: 'CanNotDelete'
@@ -119,17 +129,21 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "value": "" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -392,13 +406,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { | [`allowedAuthenticationModes`](#parameter-allowedauthenticationmodes) | array | List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane. | | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -443,56 +451,120 @@ The version of the customer managed key to reference for encryption. If not prov - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ServiceLog]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index eba075cf69..e0ca3aaf85 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep @@ -58,17 +58,8 @@ param networkProfileDefaultAction string = 'Deny' @description('Optional. Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.') param networkProfileAllowedIpRanges array = [] -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
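Review bot: Replacing the four `diagnostic*` string parameters with the single `diagnosticSettings` parameter is a breaking change to the module interface — a caller still passing `diagnosticStorageAccountId` or `diagnosticEventHubName` will fail template validation on an unknown parameter — yet the README usage examples in this diff still pin `br:bicep/modules/batch.batch-account:1.0.0`. If the published version is not bumped elsewhere in the PR, a major version bump plus a short migration note mapping the old parameters onto the fields of a `diagnosticSettings` entry (`storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId`, `eventHubName`) would save consumers a failed deployment.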
@@ -99,45 +90,6 @@ param cMKKeyVersion string = '' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ServiceLog' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' var identity = { 
@@ -229,18 +181,31 @@ resource batchAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp scope: batchAccount } -resource batchAccount_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource batchAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: batchAccount -} +}] resource batchAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(batchAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
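Review bot: Two entries of `diagnosticSettings` that both omit `name` resolve to the same resource name `'${name}-diagnosticSettings'` inside the loop, which the deployment would presumably reject as a duplicate resource; the `index` loop variable is bound but never used, so nothing disambiguates them. A fallback that keeps the existing default for the first entry and uses the index afterwards avoids this, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The old `if (...)` guard that skipped the resource when no destination was supplied is also gone, so an entry with none of the sink fields set is now handed to the service rather than silently skipped; a test case with two unnamed entries, and one with no sinks, would pin both behaviours. The generated `main.json` hunk follows this file, so the fix belongs here only.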
@@ -381,3 +346,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index bb2a24b4de..a44629002b 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1328678841391905998" + "templateHash": "15411894480472906103" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", 
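Review bot: The `@description` on `metricCategories` is copied from `logCategoriesAndGroups` and talks about logs and `"allLogs"`, and both descriptions still end with "Set to '' to disable log collection", which no longer applies to an array-of-objects type (an empty array is what switches a category set off now); the README and `main.json` hunks reproduce the same text because they are generated from this type. Suggested wording: `@description('Optional. The metric categories to stream. Use a category of \'AllMetrics\' to collect all metrics, or pass an empty array to disable metric collection.')`, and for the logs description replace the last sentence with `Pass an empty array to disable log collection.` The union `('Dedicated' | 'AzureDiagnostics' | null)?` also appears to spell nullability twice; `('Dedicated' | 'AzureDiagnostics')?` should be sufficient and matches how the other optional fields are declared.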
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -360,32 +466,10 @@ "description": "Optional. Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -446,60 +530,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ServiceLog" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "networkProfileIpRules", "count": "[length(parameters('networkProfileAllowedIpRanges'))]", 
@@ -509,7 +543,6 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": { "type": "[variables('identityType')]", 
@@ -601,18 +634,23 @@ ] }, "batchAccount_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "batchAccount_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Batch/batchAccounts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "batchAccount" diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/.test/common/main.test.bicep index 62c880c6f8..ec7d8af260 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/.test/common/main.test.bicep 
@@ -68,11 +68,20 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' capacity: 2 - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticSettingsName: 'redisdiagnostics' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index c8f5d1c37f..34dff8de72 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -70,11 +70,20 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { port: 10000 } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticSettingsName: 'redisdiagnostics' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' 
@@ -151,20 +160,21 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticSettingsName": { - "value": "redisdiagnostics" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -402,13 +412,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { | :-- | :-- | :-- | | [`capacity`](#parameter-capacity) | int | The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. | | [`databases`](#parameter-databases) | array | The databases to create in the Redis Cache Enterprise Cluster. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -433,56 +437,120 @@ The databases to create in the Redis Cache Enterprise Cluster. - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -### Parameter: `diagnosticLogCategoriesToEnable` +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[]` -- Allowed: `['', audit, ConnectionEvents]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index a8c918829d..dbcd72f0b7 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep 
@@ -49,63 +49,14 @@ param privateEndpoints privateEndpointType @description('Optional. The databases to create in the Redis Cache Enterprise Cluster.') param databases array = [] -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to \'\' to disable log collection.') -@allowed([ - '' - // 'allLogs' - 'ConnectionEvents' - 'audit' -]) -param diagnosticLogCategoriesToEnable array = [ - '' -] - -@description('Optional. 
The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var availabilityZones = zoneRedundant ? pickZones('Microsoft.Cache', 'redisEnterprise', location, 3) : [] -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false var builtInRoleNames = { 
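Review bot: Replacing the individual parameters with `param diagnosticSettings diagnosticSettingType` drops the `@allowed` lists that constrained log categories to `ConnectionEvents`/`audit` and metrics to `AllMetrics`, so a mistyped category is now caught only by the resource provider at deployment time instead of at template validation, and the note that "allLogs" is not supported for Redis Cache Enterprise disappears with it. Because the shared type cannot carry a resource-specific allowed list, that knowledge should at least survive in the parameter description, e.g. `@description('Optional. The diagnostic settings of the service. Redis Enterprise exposes the ConnectionEvents and audit log categories and the AllMetrics metric category; the allLogs category group was previously documented as unsupported for this resource.')` (wording to be confirmed against the current provider). The removed `diagnosticsLogs` variable also implemented the "empty string disables logs" convention; with an array-of-objects type the equivalent is an empty array, which is worth stating in the same description.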
@@ -152,18 +103,31 @@ resource redisEnterprise_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! scope: redisEnterprise } -resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName - metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics - logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: redisEnterprise -} +}] resource redisEnterprise_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(redisEnterprise.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
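Review bot: The old resource was conditioned on at least one destination being non-empty and mapped `''` to `null`; the new loop creates one `Microsoft.Insights/diagnosticSettings` per entry unconditionally and passes `diagnosticSetting.?storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` and `eventHubName` straight through, so an entry with no destination, or with `''` placeholders like those in the generated README example, reaches the API as an invalid request instead of being skipped. The `logs` fallback of `categoryGroup: 'AllLogs'` is also applied whenever `logCategoriesAndGroups` is omitted, even though the parameter description removed earlier in this commit says allLogs is not supported for Redis Cache Enterprise; if that still holds, every caller who only sets a destination will fail, so the fallback should name the explicit categories the old `@allowed` list permitted or the member should be required. Restoring the empty-string normalisation for the four destination properties keeps the old API contract; whether `empty()` on a nullable string needs the `?? ''` guard shown below depends on the Bicep version and should be confirmed.
```bicep
resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    // '' is not a valid resource ID; keep treating it as "not set", as the previous parameters did
    storageAccountId: empty(diagnosticSetting.?storageAccountResourceId ?? '') ? null : diagnosticSetting.?storageAccountResourceId
    workspaceId: empty(diagnosticSetting.?workspaceResourceId ?? '') ? null : diagnosticSetting.?workspaceResourceId
    eventHubAuthorizationRuleId: empty(diagnosticSetting.?eventHubAuthorizationRuleResourceId ?? '') ? null : diagnosticSetting.?eventHubAuthorizationRuleResourceId
    eventHubName: empty(diagnosticSetting.?eventHubName ?? '') ? null : diagnosticSetting.?eventHubName
    // … unchanged: metrics, logs, marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: redisEnterprise
}]
```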
@@ -326,3 +290,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index 31d6df1989..f73b1ecc4f 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12857398091231906452" + "templateHash": "11394505445953439592" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
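Review bot: The `metricCategories` member of `diagnosticSettingType` carries the log description verbatim (`'Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.'`), which is wrong for a metric array, and both it and `logCategoriesAndGroups` still tell the caller to pass `''` to disable collection although both are now arrays of objects in which `''` is not a valid element. Given the `??` fallback in the resource only triggers when the member is omitted, an empty array should pass through and disable collection (confirm this against the deployed template). Suggested text: `@description('Optional. The metric categories to stream; use a category of \'AllMetrics\' to collect all metrics. Pass [] to disable metric collection.')` for metrics, and for logs replace the trailing sentence with `Pass [] to disable log collection.` Since `main.json` is generated from this file, its copied descriptions need regenerating after the change.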
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -342,65 +448,10 @@ "description": "Optional. The databases to create in the Redis Cache Enterprise Cluster." } }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "" - ], - "allowedValues": [ - "", - "ConnectionEvents", - "audit" - ], - "metadata": { - "description": "Optional. 
The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource, but currently not supported for Redis Cache Enterprise. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { @@ -412,27 +463,7 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "availabilityZones": "[if(parameters('zoneRedundant'), pickZones('Microsoft.Cache', 'redisEnterprise', parameters('location'), 3), createArray())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -488,18 +519,23 @@ ] }, "redisEnterprise_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "redisEnterprise_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), null(), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('diagnosticWorkspaceId')), null(), parameters('diagnosticWorkspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('diagnosticEventHubAuthorizationRuleId')), null(), parameters('diagnosticEventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('diagnosticEventHubName')), null(), parameters('diagnosticEventHubName'))]", - "metrics": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsMetrics'))]", - "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), 
null(), variables('diagnosticsLogs'))]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "redisEnterprise" diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep index 9e37b1ba2c..ccc1f3f939 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/.test/common/main.test.bicep 
@@ -67,11 +67,20 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' capacity: 2 - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - diagnosticSettingsName: 'redisdiagnostics' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] enableNonSslPort: true lock: { kind: 'CanNotDelete' diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 3a725e5ead..16249d853e 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -50,11 +50,20 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { name: 'crcom001' // Non-required parameters capacity: 2 - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticSettingsName: 'redisdiagnostics' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enableNonSslPort: true lock: { 
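Review bot: As in the redis-enterprise test, the single `diagnosticSettings` entry sets `metricCategories` but omits `logCategoriesAndGroups`, so only the module's fallback log selection is exercised and the explicit-category path of the new type has no coverage; the old test sent no explicit log categories either, so this is a gap rather than a regression. Adding a `logCategoriesAndGroups` entry such as `{ categoryGroup: 'allLogs' }` would cover the explicit path while keeping one destination set (the redis README text removed further down in this commit describes allLogs as supported for this resource, unlike the enterprise SKU — presumably the redis `main.bicep` uses the same fallback, which is outside this chunk). The enclosing `testDeployment` module declaration continues outside the hunk.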
@@ -113,20 +122,21 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "capacity": { "value": 2 }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticSettingsName": { - "value": "redisdiagnostics" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -257,13 +267,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`capacity`](#parameter-capacity) | int | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableNonSslPort`](#parameter-enablenonsslport) | bool | Specifies whether the non-ssl Redis server port (6379) is enabled. | | [`location`](#parameter-location) | string | The location to deploy the Redis cache service. | 
@@ -295,56 +299,120 @@ The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) fami - Default: `1` - Allowed: `[0, 1, 2, 3, 4, 5, 6]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ConnectedClientList]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index 947bf9d72c..6794af2ed2 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep 
@@ -102,62 +102,14 @@ param zones array = [] @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ConnectedClientList' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. 
The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true var availabilityZones = skuName == 'Premium' ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : [] : [] -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' var identity = { 
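Review bot: Dropping the two `@allowed` lists removes the only compile-time validation of log and metric category names; with the new free-form `category`/`categoryGroup` strings a typo is no longer rejected by `bicep build` and only surfaces when the diagnostic setting fails to deploy, i.e. after the cache itself is already created without audit logging. The parameter description `'Optional. The diagnostic settings of the service.'` gives consumers no hint of this, so I'd expand it to something like `@description('Optional. The diagnostic settings of the service. Each entry deploys one Microsoft.Insights/diagnosticSettings resource. Log and metric category names are not validated at compile time and must match the categories published for Microsoft.Cache/redis (e.g. ConnectedClientList, AllMetrics).')`. The `var identity = {` block at the end of the hunk continues outside it.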
@@ -223,18 +175,31 @@ resource redis_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock scope: redis } -resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName - metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics - logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: redis -} +}] resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
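Review bot: The default `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is the same for every array entry, so two entries that omit `name` produce two `Microsoft.Insights/diagnosticSettings` resources with an identical name under the same scope, and I'd expect the copy loop to be rejected at deployment time rather than producing two settings. Since the module now explicitly supports several settings, either require `name` when more than one entry is passed (and say so in the type description) or keep the existing default only for the first entry, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, which avoids renaming the setting of existing single-entry deployments. The removed `if (!empty(...))` guard also means an entry with no sink at all is now deployed instead of skipped; I'd expect the API to reject that, but a short comment above the resource stating that at least one destination per entry is required would save consumers a failed deployment. The `redis_roleAssignments` loop at the end of the hunk continues outside it.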
@@ -384,3 +349,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 063248bb2f..5a9378fd0b 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17149457763698369113" + "templateHash": "8286975131893372423" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", 
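Review bot: The `@description` on `metricCategories` is the log description copied verbatim (`'Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.'`), which is wrong for a metrics field and will be propagated into the generated README and main.json; it should read something like `'Optional. The metric categories to collect. Set the category to \'AllMetrics\' to collect all metrics; pass an empty array to disable metric collection.'`. The `logCategoriesAndGroups` description still says "Set to '' to disable log collection", but the field is now an array of objects, so the only way to disable logs is an empty array (`[]`, which the `??` fallback in the resource does not replace); I'd reword it to `'Optional. The log categories and/or category groups to collect. Use categoryGroup \'allLogs\' for all logs; pass an empty array to disable log collection.'` and keep the casing consistent with the `'AllLogs'` default used in the resource. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` carries `null` twice (in the union and via `?`); one of them suffices.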
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -443,65 +549,10 @@ "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
- } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ConnectedClientList" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -513,27 +564,7 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "availabilityZones": "[if(equals(parameters('skuName'), 'Premium'), if(parameters('zoneRedundant'), if(not(empty(parameters('zones'))), parameters('zones'), pickZones('Microsoft.Cache', 'redis', parameters('location'), 3)), createArray()), createArray())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": { "type": "[variables('identityType')]", 
@@ -606,18 +637,23 @@ ] }, "redis_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "redis_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), null(), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('diagnosticWorkspaceId')), null(), parameters('diagnosticWorkspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('diagnosticEventHubAuthorizationRuleId')), null(), parameters('diagnosticEventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('diagnosticEventHubName')), null(), parameters('diagnosticEventHubName'))]", - "metrics": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsMetrics'))]", - "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), 
variables('diagnosticsLogs'))]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "redis" diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 45695d9d0f..9d515bae9e 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep 
@@ -69,10 +69,20 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' kind: 'Face' customSubDomainName: '${namePrefix}xdomain' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index f156a8eb2b..1ef76d0cbb 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -53,10 +53,20 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { name: 'csacom001' // Non-required parameters customSubDomainName: 'xdomain' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' 
@@ -133,17 +143,21 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {
 "customSubDomainName": {
 "value": "xdomain"
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "enableDefaultTelemetry": {
 "value": ""
@@ -490,13 +504,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {
 | [`apiProperties`](#parameter-apiproperties) | object | The API properties for special APIs. |
 | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. |
 | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, latest is used. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Allow only Azure AD authentication. Should be enabled for security reasons. |
 | [`dynamicThrottlingEnabled`](#parameter-dynamicthrottlingenabled) | bool | The flag to enable dynamic throttling. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
@@ -563,56 +571,120 @@ Subdomain name used for token-based authentication. Required if 'networkAcls' or - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Audit, RequestResponse]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAuth` 
diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep
index 0f980e98b5..bf97759606 100644
--- a/modules/cognitive-services/account/main.bicep
+++ b/modules/cognitive-services/account/main.bicep
@@ -57,17 +57,8 @@ param sku string = 'S0'
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
 @allowed([
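Review bot: Replacing the four `diagnostic*` string parameters with `param diagnosticSettings diagnosticSettingType` is a breaking interface change — a consumer still passing `diagnosticStorageAccountId` or `diagnosticWorkspaceId` now fails at compile time, which is the right failure mode, but the README usage snippets in this same commit still reference `br:bicep/modules/cognitive-services.account:1.0.0`. If the published version is not bumped elsewhere in this change, that tag advertises a parameter surface the module no longer has. The parameter description is also the one place a migrating reader will look; something like `@description('Optional. The diagnostic settings of the service. Replaces the former diagnosticStorageAccountId, diagnosticWorkspaceId, diagnosticEventHubAuthorizationRuleId and diagnosticEventHubName parameters.')` would flow into the generated README and make the migration path discoverable.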
@@ -140,46 +131,6 @@ param userOwnedStorage array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'Audit'
- 'RequestResponse'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var enableReferencedModulesTelemetry = false
 
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
@@ -293,18 +244,31 @@ resource cognitiveServices_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 scope: cognitiveServices
 }
 
-resource cognitiveServices_diagnosticSettingName 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource cognitiveServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: cognitiveServices
-}
+}]
 
 module cognitiveServices_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
 name: '${uniqueString(deployment().name, location)}-cognitiveServices-PrivateEndpoint-${index}'
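Review bot: Caller-supplied `metricCategories` and `logCategoriesAndGroups` are forwarded to `metrics`/`logs` unchanged, but the `diagnosticSettingType` declared later in this commit only carries `category`/`categoryGroup`, so those items reach `Microsoft.Insights/diagnosticSettings` without the `enabled: true` (and `timeGrain`) that the removed `diagnosticsMetrics`/`diagnosticsLogsSpecified` variables used to add — only the `?? [...]` defaults still set it. Depending on how the API treats a missing `enabled`, that is either a deployment failure or a category that is declared but never collected, i.e. a silent audit-logging gap; the test's `metricCategories: [ { category: 'AllMetrics' } ]` takes exactly this path. Mapping the caller's items through a `for` expression, as below, restores the old behaviour. Two smaller points: every entry that omits `name` falls back to the same `'${name}-diagnosticSettings'`, so a second unnamed entry collides with the first, and the default `categoryGroup` changed from `'allLogs'` (removed `diagnosticsLogs`) to `'AllLogs'` — worth confirming the service accepts the new casing.
```bicep
resource cognitiveServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name …
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  // … unchanged: scope …
}]
```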
@@ -451,3 +415,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json
index c2cff22d63..6a47d37088 100644
--- a/modules/cognitive-services/account/main.json
+++ b/modules/cognitive-services/account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16169766026714928311"
+ "templateHash": "15463203925377999389"
 },
 "name": "Cognitive Services",
 "description": "This module deploys a Cognitive Service.",
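Review bot: The `@description` on `metricCategories` is a verbatim copy of the `logCategoriesAndGroups` one ("The name of logs that will be streamed. "allLogs" includes all possible logs … Set to '' to disable log collection."), and even for `logCategoriesAndGroups` the "Set to '' to disable" clause no longer applies to an array of objects; both strings propagate into the generated main.json and README in this commit. Something like `@description('Optional. The metric categories to collect. Defaults to AllMetrics when omitted.')` for `metricCategories`, and dropping the `Set to ''` sentence from `logCategoriesAndGroups`, would keep the generated docs truthful. Separately, nothing in the type requires at least one destination (`workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId`, `marketplacePartnerResourceId`), whereas the removed `if (...)` on the resource skipped deployment when all were empty; an all-null entry now yields a diagnostic setting with no sink, which the service will presumably reject at deploy time, so a sentence on the type's description stating that each entry needs at least one destination would make that contract explicit.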
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -324,32 +430,10 @@
 "description": "Optional. Location for all Resources."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "publicNetworkAccess": {
@@ -507,63 +591,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Audit", - "RequestResponse" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", 
@@ -688,19 +718,24 @@
 "cognitiveServices"
 ]
 },
- "cognitiveServices_diagnosticSettingName": {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "cognitiveServices_diagnosticSettings": {
+ "copy": {
+ "name": "cognitiveServices_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
 "cognitiveServices"
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
index 46c0a5bcda..f8563a9b69 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
@@ -107,10 +107,20 @@ module testDeployment '../../main.bicep' = {
 }
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 disablePasswordAuthentication: true
 encryptionAtHost: false
 extensionCustomScriptConfig: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
index 1004d1b817..22bc5ff9ab 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
@@ -89,10 +89,20 @@ module testDeployment '../../main.bicep' = {
 osType: 'Windows'
 skuName: 'Standard_B12ms'
 adminPassword: password
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 encryptionAtHost: false
 extensionAntiMalwareConfig: {
 enabled: true
diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md
index 1678966c3f..94c34dbe2f 100644
--- a/modules/compute/virtual-machine-scale-set/README.md
+++ b/modules/compute/virtual-machine-scale-set/README.md
@@ -86,10 +86,20 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se
 }
 }
 ]
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 disablePasswordAuthentication: true
 enableDefaultTelemetry: ''
 encryptionAtHost: false
@@ -248,17 +258,21 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disablePasswordAuthentication": { "value": true @@ -744,10 +758,20 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se skuName: 'Standard_B12ms' // Non-required parameters adminPassword: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' encryptionAtHost: false extensionAntiMalwareConfig: { @@ -895,17 +919,21 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "adminPassword": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -1201,11 +1229,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | | [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | | [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableAutomaticRollback`](#parameter-disableautomaticrollback) | bool | Whether OS image rollback feature should be disabled. 
| | [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | | [`doNotRunExtensionsOnOverprovisionedVMs`](#parameter-donotrunextensionsonoverprovisionedvms) | bool | When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. | 
@@ -1237,7 +1261,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`publicIpDiagnosticSettingsName`](#parameter-publicipdiagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. | | [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | 
@@ -1336,41 +1359,92 @@ Specifies the data disks. For security reasons, it is recommended to specify Dis - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticStorageAccountId` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `disableAutomaticRollback` 
@@ -1642,13 +1716,6 @@ Resource ID of a proximity placement group. - Type: string - Default: `''` -### Parameter: `publicIpDiagnosticSettingsName` - -The name of the diagnostic setting, if deployed. -- Required: No -- Type: string -- Default: `[format('{0}-diagnosticSettings', parameters('name'))]` - ### Parameter: `publicKeys` The list of SSH public keys used to authenticate with linux based VMs. diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index aa0e1dff83..816b04bac2 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep @@ -134,17 +134,8 @@ param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.s @description('Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided.') param bootDiagnosticStorageAccountName string = '' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -268,23 +259,6 @@ param systemAssignedIdentity bool = false @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed.') -param publicIpDiagnosticSettingsName string = '${name}-diagnosticSettings' - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var publicKeysFormatted = [for publicKey in publicKeys: { path: publicKey.path keyData: publicKey.keyData 
@@ -633,17 +607,25 @@ resource vmss_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 scope: vmss
 }
 
-resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: publicIpDiagnosticSettingsName
+resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: vmss
-}
+}]
 
 resource vmss_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(vmss.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
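Review bot: A caller-supplied `metricCategories` is forwarded unchanged as `metrics:` in the new loop body, so an entry like the `{ category: 'AllMetrics' }` the tests pass reaches the diagnostic setting without the `enabled: true` / `timeGrain: null` that the removed `diagnosticsMetrics` variable always added and that the fallback array in this hunk still adds; the two paths should yield the same shape, otherwise the audit telemetry a caller explicitly asks for depends on how the API defaults `enabled`, which the hunk does not show. I would map the categories instead of forwarding them: `metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): { category: group.category, timeGrain: null, enabled: true }]`. Separately, `index` is bound but unused and every entry without a `name` falls back to the same `'${name}-diagnosticSettings'`, so two unnamed entries in `diagnosticSettings` collide on the resource name; either document that on the type or fold the index into the default for entries beyond the first. The first two lines of the hunk belong to `vmss_lock` and the last two to `vmss_roleAssignments`, whose bodies are outside the hunk.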
@@ -708,3 +690,32 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json
index 3fb151f8a4..40ef0e4559 100644
--- a/modules/compute/virtual-machine-scale-set/main.json
+++ b/modules/compute/virtual-machine-scale-set/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12697907700096334702"
+ "templateHash": "12670910144865793195"
 },
 "name": "Virtual Machine Scale Sets",
 "description": "This module deploys a Virtual Machine Scale Set.",
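Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` talks about log categories (`"allLogs"`, `Set to '' to disable log collection`), but the property is an array of `{ category: string }` metric objects and its consumer falls back to a single `AllMetrics` entry when the property is omitted, so the text cannot be followed as written; since the README and main.json sections in this patch are generated from this decorator, the same mismatch is repeated there. I would replace it with `@description('Optional. The metric categories that will be streamed. When omitted, a single \'AllMetrics\' category is streamed; an empty array yields an empty metrics list.')`. The inner `category` description already reads correctly for metrics and can stay.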
@@ -103,6 +103,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -366,32 +446,10 @@ "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -650,38 +708,10 @@ "metadata": { "description": "Optional. The ID(s) to assign to the resource." } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "publicIpDiagnosticSettingsName": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', parameters('name'))]", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed." - } } }, "variables": { "copy": [ - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "publicKeysFormatted", "count": "[length(parameters('publicKeys'))]", 
@@ -898,17 +928,22 @@ ] }, "vmss_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "vmss_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", - "name": "[parameters('publicIpDiagnosticSettingsName')]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": 
"[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "vmss" diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep index e10ff4188d..837c436af1 100644 --- a/modules/compute/virtual-machine/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep @@ -114,6 +114,20 @@ module testDeployment '../../main.bicep' = { '3' ] subnetResourceId: nestedDependencies.outputs.subnetResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } ] nicSuffix: '-nic-01' 
@@ -124,6 +138,20 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } ] osDisk: { @@ -163,10 +191,6 @@ module testDeployment '../../main.bicep' = { ] enableAutomaticUpdates: true patchMode: 'AutomaticByPlatform' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName disablePasswordAuthentication: true encryptionAtHost: false extensionCustomScriptConfig: { diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep index 3a81daae0c..430274c324 100644 --- a/modules/compute/virtual-machine/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep 
@@ -117,6 +117,20 @@ module testDeployment '../../main.bicep' = { '3' ] subnetResourceId: nestedDependencies.outputs.subnetResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } ] nicSuffix: '-nic-01' @@ -127,6 +141,20 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } ] osDisk: { @@ -167,10 +195,6 @@ module testDeployment '../../main.bicep' = { ] enableAutomaticUpdates: true patchMode: 'AutomaticByPlatform' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName encryptionAtHost: false extensionAntiMalwareConfig: { enabled: true diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 871b4ed5c5..1e11679aeb 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md 
@@ -62,6 +62,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { nicConfigurations: [ { deleteOption: 'Delete' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] ipConfigurations: [ { applicationSecurityGroups: [ @@ -69,6 +83,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { id: '' } ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] loadBalancerBackendAddressPools: [ { id: '' @@ -140,10 +168,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' disablePasswordAuthentication: true enableAutomaticUpdates: true enableDefaultTelemetry: '' @@ -285,6 +309,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": [ { "deleteOption": "Delete", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "ipConfigurations": [ { "applicationSecurityGroups": [ 
@@ -292,6 +330,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "id": "" } ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "loadBalancerBackendAddressPools": [ { "id": "" @@ -382,18 +434,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "disablePasswordAuthentication": { "value": true }, @@ -895,6 +935,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { nicConfigurations: [ { deleteOption: 'Delete' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] ipConfigurations: [ { applicationSecurityGroups: [ @@ -902,6 +956,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { id: '' } ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] loadBalancerBackendAddressPools: [ { id: '' @@ -974,10 +1042,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableAutomaticUpdates: true enableDefaultTelemetry: '' encryptionAtHost: false 
@@ -1136,6 +1200,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": [ { "deleteOption": "Delete", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "ipConfigurations": [ { "applicationSecurityGroups": [ @@ -1143,6 +1221,20 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "id": "" } ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "loadBalancerBackendAddressPools": [ { "id": "" @@ -1236,18 +1328,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "enableAutomaticUpdates": { "value": true }, 
@@ -1869,10 +1949,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | | [`dataDisks`](#parameter-datadisks) | array | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | | [`dedicatedHostId`](#parameter-dedicatedhostid) | string | Specifies resource ID about the dedicated host that the virtual machine resides in. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`disablePasswordAuthentication`](#parameter-disablepasswordauthentication) | bool | Specifies whether password authentication should be disabled. | | [`enableAutomaticUpdates`](#parameter-enableautomaticupdates) | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -1895,13 +1971,8 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | | [`name`](#parameter-name) | string | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | -| [`nicdiagnosticMetricsToEnable`](#parameter-nicdiagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`nicDiagnosticSettingsName`](#parameter-nicdiagnosticsettingsname) | string | The name of the NIC diagnostic setting, if deployed. | | [`patchAssessmentMode`](#parameter-patchassessmentmode) | string | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. | | [`patchMode`](#parameter-patchmode) | string | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. | -| [`pipdiagnosticLogCategoriesToEnable`](#parameter-pipdiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`pipdiagnosticMetricsToEnable`](#parameter-pipdiagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`pipDiagnosticSettingsName`](#parameter-pipdiagnosticsettingsname) | string | The name of the PIP diagnostic setting, if deployed. 
| | [`plan`](#parameter-plan) | object | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | | [`priority`](#parameter-priority) | string | Specifies the priority for the virtual machine. | | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | @@ -2059,34 +2130,6 @@ Specifies resource ID about the dedicated host that the virtual machine resides - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticEventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticStorageAccountId` - -Resource ID of the diagnostic storage account. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticWorkspaceId` - -Resource ID of the diagnostic log analytics workspace. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `disablePasswordAuthentication` Specifies whether password authentication should be disabled. 
@@ -2274,21 +2317,6 @@ Configures NICs and PIPs. - Required: Yes - Type: array -### Parameter: `nicdiagnosticMetricsToEnable` - -The name of metrics that will be streamed. -- Required: No -- Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` - -### Parameter: `nicDiagnosticSettingsName` - -The name of the NIC diagnostic setting, if deployed. -- Required: No -- Type: string -- Default: `[format('{0}-diagnosticSettings', parameters('name'))]` - ### Parameter: `osDisk` Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. @@ -2318,29 +2346,6 @@ VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows - Default: `''` - Allowed: `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` -### Parameter: `pipdiagnosticLogCategoriesToEnable` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -- Required: No -- Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` - -### Parameter: `pipdiagnosticMetricsToEnable` - -The name of metrics that will be streamed. -- Required: No -- Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` - -### Parameter: `pipDiagnosticSettingsName` - -The name of the PIP diagnostic setting, if deployed. -- Required: No -- Type: string -- Default: `[format('{0}-diagnosticSettings', parameters('name'))]` - ### Parameter: `plan` Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. 
diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep
index ba623225aa..891c2396a4 100644
--- a/modules/compute/virtual-machine/main.bicep
+++ b/modules/compute/virtual-machine/main.bicep
@@ -115,40 +115,6 @@ param availabilityZone int = 0
 @description('Required. Configures NICs and PIPs.')
 param nicConfigurations array
 
-@description('Optional. The name of the PIP diagnostic setting, if deployed.')
-param pipDiagnosticSettingsName string = '${name}-diagnosticSettings'
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'DDoSProtectionNotifications'
- 'DDoSMitigationFlowLogs'
- 'DDoSMitigationReports'
-])
-param pipdiagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param pipdiagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the NIC diagnostic setting, if deployed.')
-param nicDiagnosticSettingsName string = '${name}-diagnosticSettings'
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param nicdiagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
 @description('Optional. Recovery service vault name to add VMs to backup.')
 param backupVaultName string = ''
 
@@ -223,18 +189,6 @@ param extensionCustomScriptProtectedSetting object = {}
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
@@ -409,15 +363,7 @@ module vm_nic 'modules/nested_networkInterface.bicep' = [for (nicConfiguration,
 networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : ''
 ipConfigurations: nicConfiguration.ipConfigurations
 lock: lock
- diagnosticStorageAccountId: diagnosticStorageAccountId
- diagnosticWorkspaceId: diagnosticWorkspaceId
- diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticEventHubName
- pipDiagnosticSettingsName: pipDiagnosticSettingsName
- nicDiagnosticSettingsName: nicDiagnosticSettingsName
- pipdiagnosticMetricsToEnable: pipdiagnosticMetricsToEnable
- pipdiagnosticLogCategoriesToEnable: pipdiagnosticLogCategoriesToEnable
- nicDiagnosticMetricsToEnable: nicdiagnosticMetricsToEnable
+ diagnosticSettings: nicConfiguration.?diagnosticSettings
 roleAssignments: contains(nicConfiguration, 'roleAssignments') ? (!empty(nicConfiguration.roleAssignments) ? nicConfiguration.roleAssignments : []) : []
 }
 }]
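Review bot: `diagnosticSettings: nicConfiguration.?diagnosticSettings` passes the per-NIC settings through from `nicConfigurations`, which is still declared as an untyped `array` (context earlier in this file section), so nothing validates the object against the `diagnosticSettingType` this same file defines; a misspelled sink key such as `workspaceResourceID` compiles, is dropped, and yields a NIC whose diagnostics quietly go nowhere, whereas the removed flat parameters were typed and `@allowed`-constrained. The least-effort fix is to state the contract in the parameter description, e.g. `@description('Required. Configures NICs and PIPs. Each NIC, and each of its ipConfigurations, may carry a diagnosticSettings array shaped like diagnosticSettingType.')`; typing `nicConfigurations` would be better still. Because the module-level `diagnostic*` parameters are removed elsewhere in this file, existing callers that set them will now fail with an unknown-parameter error, which should be called out as a breaking change in the module version. The compiled nested template later in this diff also shows a `categoryGroup` description containing `\u0007llLogs`, which looks like a bad escape of `\'AllLogs\'` in the copy of this type inside `modules/nested_networkInterface.bicep` — worth checking at the source, since that file is not in this diff.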
@@ -790,3 +736,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json
index 6188582242..679af9ef5d 100644
--- a/modules/compute/virtual-machine/main.json
+++ b/modules/compute/virtual-machine/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17296216559349998726"
+ "templateHash": "5085746131014779064"
 },
 "name": "Virtual Machines",
 "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.",
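Review bot: The `@description` on `metricCategories` is a copy of the logs text ("The name of logs that will be streamed ... Set to '' to disable log collection"), which is wrong for a metrics array and is reproduced verbatim into main.json and the README; `logCategoriesAndGroups` carries the same "Set to \'\'" advice even though the new shape is an object array, where omitting or emptying the array is what disables collection. Suggested wording: `@description('Optional. The metric categories that will be streamed. Set category to \'AllMetrics\' to collect all metrics.')` for `metricCategories`, and drop the "Set to \'\'" sentence from `logCategoriesAndGroups`. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice; `('Dedicated' | 'AzureDiagnostics')?` is the conventional form and should compile to the same `nullable` definition shown in the main.json hunk below. The security-motivated "send data to a sink" recommendation is attached to `workspaceResourceId`, `storageAccountResourceId` and `eventHubName` but not to `eventHubAuthorizationRuleResourceId`; either all four sink properties or none should carry it.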
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -334,60 +440,6 @@ "description": "Required. Configures NICs and PIPs." } }, - "pipDiagnosticSettingsName": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', parameters('name'))]", - "metadata": { - "description": "Optional. The name of the PIP diagnostic setting, if deployed." - } - }, - "pipdiagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "pipdiagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "nicDiagnosticSettingsName": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', parameters('name'))]", - "metadata": { - "description": "Optional. The name of the NIC diagnostic setting, if deployed." - } - }, - "nicdiagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, "backupVaultName": { "type": "string", "defaultValue": "", 
@@ -526,34 +578,6 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, "lock": { "$ref": "#/definitions/lockType", "metadata": { 
@@ -947,32 +971,8 @@ "lock": { "value": "[parameters('lock')]" }, - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, - "pipDiagnosticSettingsName": { - "value": "[parameters('pipDiagnosticSettingsName')]" - }, - "nicDiagnosticSettingsName": { - "value": "[parameters('nicDiagnosticSettingsName')]" - }, - "pipdiagnosticMetricsToEnable": { - "value": "[parameters('pipdiagnosticMetricsToEnable')]" - }, - "pipdiagnosticLogCategoriesToEnable": { - "value": "[parameters('pipdiagnosticLogCategoriesToEnable')]" - }, - "nicDiagnosticMetricsToEnable": { - "value": "[parameters('nicdiagnosticMetricsToEnable')]" + "diagnosticSettings": { + "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'diagnosticSettings')]" }, "roleAssignments": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'roleAssignments'), if(not(empty(parameters('nicConfigurations')[copyIndex()].roleAssignments)), createObject('value', parameters('nicConfigurations')[copyIndex()].roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]" }, @@ -984,7 +984,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "586060813007467238" + "templateHash": "17831295506111976442" } }, "definitions": { 
@@ -1012,6 +1012,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \u0007llLogs to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1052,26 +1158,11 @@ "lock": { "$ref": "#/definitions/lockType" }, - "diagnosticStorageAccountId": { - "type": "string" - }, - "diagnosticWorkspaceId": { - "type": "string" - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string" - }, - "diagnosticEventHubName": { - "type": "string" - }, - "pipdiagnosticMetricsToEnable": { - "type": "array" - }, - "pipdiagnosticLogCategoriesToEnable": { - "type": "array" - }, - "nicDiagnosticMetricsToEnable": { - "type": "array" + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", + "metadata": { + "description": "Optional. The diagnostic settings of the Network Interface." + } }, "roleAssignments": { "type": "array", @@ -1079,20 +1170,6 @@ "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } - }, - "pipDiagnosticSettingsName": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', parameters('virtualMachineName'))]", - "metadata": { - "description": "Optional. The name of the PIP diagnostic setting, if deployed." - } - }, - "nicDiagnosticSettingsName": { - "type": "string", - "defaultValue": "[format('{0}-diagnosticSettings', parameters('virtualMachineName'))]", - "metadata": { - "description": "Optional. The name of the NIC diagnostic setting, if deployed." - } } }, "variables": { 
@@ -1117,29 +1194,8 @@ "name": { "value": "[format('{0}{1}', parameters('virtualMachineName'), parameters('ipConfigurations')[copyIndex()].pipconfiguration.publicIpNameSuffix)]" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, - "diagnosticLogCategoriesToEnable": { - "value": "[parameters('pipdiagnosticLogCategoriesToEnable')]" - }, - "diagnosticMetricsToEnable": { - "value": "[parameters('pipdiagnosticMetricsToEnable')]" - }, - "diagnosticSettingsName": { - "value": "[parameters('pipDiagnosticSettingsName')]" - }, - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "diagnosticSettings": { + "value": "[tryGet(parameters('ipConfigurations')[copyIndex()], 'diagnosticSettings')]" }, "location": { "value": "[parameters('location')]" @@ -1166,7 +1222,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -1263,6 +1319,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1330,32 +1492,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -1425,64 +1565,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -1543,18 +1628,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" @@ -1650,23 +1740,8 @@ "tags": { "value": "[parameters('tags')]" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticMetricsToEnable": { - "value": "[parameters('nicDiagnosticMetricsToEnable')]" - }, - "diagnosticSettingsName": { - "value": "[parameters('nicDiagnosticSettingsName')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" + "diagnosticSettings": { + "value": "[parameters('diagnosticSettings')]" }, "dnsServers": "[if(not(empty(parameters('dnsServers'))), createObject('value', parameters('dnsServers')), createObject('value', createArray()))]", "enableAcceleratedNetworking": { 
@@ -1692,7 +1767,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11496161506514027711" + "templateHash": "8812824728238881787" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", 
@@ -1789,6 +1864,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1898,66 +2053,14 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of log analytics." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." 
} } }, "variables": { - "copy": [ - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -2025,17 +2128,22 @@ } }, "networkInterface_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "networkInterface_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "networkInterface" diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep index 7187f4f7a8..87ba4a986a 100644 --- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep +++ b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep 
@@ -11,37 +11,20 @@ param networkSecurityGroupResourceId string = '' param ipConfigurations array param lock lockType -param diagnosticStorageAccountId string -param diagnosticWorkspaceId string -param diagnosticEventHubAuthorizationRuleId string -param diagnosticEventHubName string -param pipdiagnosticMetricsToEnable array -param pipdiagnosticLogCategoriesToEnable array -param nicDiagnosticMetricsToEnable array + +@description('Optional. The diagnostic settings of the Network Interface.') +param diagnosticSettings diagnosticSettingType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@description('Optional. The name of the PIP diagnostic setting, if deployed.') -param pipDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings' - -@description('Optional. 
The name of the NIC diagnostic setting, if deployed.') -param nicDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings' - var enableReferencedModulesTelemetry = false module networkInterface_publicIPAddresses '../../../network/public-ip-address/main.bicep' = [for (ipConfiguration, index) in ipConfigurations: if (contains(ipConfiguration, 'pipconfiguration')) { name: '${deployment().name}-publicIP-${index}' params: { name: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}' - diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticEventHubName - diagnosticLogCategoriesToEnable: pipdiagnosticLogCategoriesToEnable - diagnosticMetricsToEnable: pipdiagnosticMetricsToEnable - diagnosticSettingsName: pipDiagnosticSettingsName - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticWorkspaceId: diagnosticWorkspaceId - enableDefaultTelemetry: enableReferencedModulesTelemetry + diagnosticSettings: ipConfiguration.?diagnosticSettings location: location lock: lock publicIPAddressVersion: contains(ipConfiguration, 'publicIPAddressVersion') ? ipConfiguration.publicIPAddressVersion : 'IPv4' @@ -76,12 +59,7 @@ module networkInterface '../../../network/network-interface/main.bicep' = { }] location: location tags: tags - diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticEventHubName - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticMetricsToEnable: nicDiagnosticMetricsToEnable - diagnosticSettingsName: nicDiagnosticSettingsName - diagnosticWorkspaceId: diagnosticWorkspaceId + diagnosticSettings: diagnosticSettings dnsServers: !empty(dnsServers) ? dnsServers : [] enableAcceleratedNetworking: enableAcceleratedNetworking enableDefaultTelemetry: enableReferencedModulesTelemetry 
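Review bot: The public IP module call no longer forwards `enableDefaultTelemetry`: the removed `enableDefaultTelemetry: enableReferencedModulesTelemetry` line in the `networkInterface_publicIPAddresses` params is not re-added, while the `networkInterface` module call in the second hunk still passes it and `var enableReferencedModulesTelemetry = false` stays defined. If the public-ip module defaults that parameter to true, every nested public IP now deploys the telemetry resource again, which looks unintended for a diagnostics refactor; re-add `enableDefaultTelemetry: enableReferencedModulesTelemetry` next to `diagnosticSettings: ipConfiguration.?diagnosticSettings`. The compiled main.json hunk `@@ -1117,29 +1194,8 @@` earlier in this patch shows the same dropped forwarding and would be regenerated from this file. Separately, public IP diagnostics are now taken only from each `ipConfiguration`'s own `diagnosticSettings` rather than from the NIC-level parameter, so the `@description` on `param diagnosticSettings` should state that it applies to the network interface only and that public IPs need their own `diagnosticSettings` entry under `ipConfigurations`, otherwise callers relying on the old VM-wide behaviour silently lose diagnostic coverage on the public IPs.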
@@ -106,3 +84,41 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to llLogs to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 96ba6082dc..0abe517c6b 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep 
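Review bot: Two descriptions in the new `diagnosticSettingType` are wrong: `metricCategories` reuses the log description ("The name of logs that will be streamed…") and `categoryGroup` reads `Set to llLogs`, a typo for `AllLogs`. The "Set to '' to disable log collection" wording is also carried over from the old string-array parameters; with the object-array type, the compiled public-ip template in the `@@ -1543,18 +1628,23 @@` hunk falls back to `AllLogs`/`AllMetrics` only when the property is absent (`coalesce(tryGet(...), ...)`), so disabling is done with an empty array, not `''`. Suggested `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')` on `metricCategories`, and `Set to 'AllLogs' to collect all logs.` on `categoryGroup`; the same text is duplicated into the compiled main.json and the README tables, which are regenerated from this file. The type also carries `logCategoriesAndGroups`, but the `networkInterface_diagnosticSettings` resource in the compiled NIC template writes only `metrics`, so log entries supplied at the VM level are silently dropped for the NIC and only reach the public IPs; a sentence saying so in the description would save callers from assuming NIC logs are collected.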
@@ -72,10 +72,20 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' acrAdminUserEnabled: false acrSku: 'Premium' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] exportPolicyStatus: 'enabled' azureADAuthenticationAsArmPolicyStatus: 'enabled' softDeletePolicyStatus: 'disabled' diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index c2daee1c97..ebf29d6d00 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -66,10 +66,20 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { sourceRepository: 'docker.io/library/hello-world' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' exportPolicyStatus: 'enabled' lock: { 
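Review bot: The rewritten `diagnosticSettings` entry in the registry common test sets only `metricCategories`, so `logCategoriesAndGroups` — the property that carries the audit/log categories and is listed for this module in the README hunk `@@ -629,56 +637,120 @@` later in this patch — is never exercised, and the module's fallback for an omitted log list is not visible in this hunk. Consider adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` to the same object, or a second array element that carries only logs, so the test covers both the metric and the log stream to all four destinations. A second element would also exercise the array semantics (multiple settings on one resource) that the old scalar parameters could not express.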
@@ -170,17 +180,21 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -527,13 +541,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. | | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`dataEndpointEnabled`](#parameter-dataendpointenabled) | bool | Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`exportPolicyStatus`](#parameter-exportpolicystatus) | string | The value that indicates whether the export policy is enabled or not. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -629,56 +637,120 @@ Enable a single data endpoint per region for serving data. Not relevant in case - Type: bool - Default: `False` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ContainerRegistryLoginEvents, ContainerRegistryRepositoryEvents]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. 
The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index 373ad0d281..0208bf2c91 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -131,39 +131,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'ContainerRegistryRepositoryEvents'
- 'ContainerRegistryLoginEvents'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. Enables registry-wide pull from unauthenticated clients. It\'s in preview and available in the Standard and Premium service tiers.')
 param anonymousPullEnabled bool = false
@@ -183,24 +152,6 @@ param cMKUserAssignedIdentityResourceId string = ''
 @description('Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).')
 param cacheRules array = []
 
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 
 var identity = identityType != 'None' ? {
@@ -358,18 +309,31 @@ resource registry_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l
 scope: registry
 }
 
-resource registry_diagnosticSettingName 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource registry_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: registry
-}
+}]
 
 resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): {
 name: guid(registry.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
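Review bot: The fallback `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every array entry that omits `name`, so two entries without a `name` collide on the same resource name even though `index` is bound by the loop and never used; `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')` would keep the existing default for the single-entry case while disambiguating the rest. The old `!empty(x) ? x : null` normalisation of the destination fields is also gone, so an explicit `''` (which is what the README usage examples show for `storageAccountResourceId` and the other destinations) is now forwarded to the API as-is rather than nulled out — worth confirming the service accepts that, or documenting that omitting the key, not passing an empty string, is the way to leave a destination unset. Previously the resource was skipped entirely when no destination was supplied, whereas now every entry in the array is deployed; since these settings are the registry's audit-log pipeline, a destination-less entry that only fails at deployment time is the failure mode to watch for in tests.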
@@ -516,3 +480,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index 22da0543a6..e1044592bd 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13701712585217566427" + "templateHash": "18353793336919307909" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", 
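Review bot: The `@description` on `metricCategories` is copied from `logCategoriesAndGroups` and talks about logs and `"allLogs"`; it should describe metrics, e.g. `@description('Optional. The name of metrics that will be streamed. Set to \'AllMetrics\' to collect all metrics.')`. The same wrong text has been carried into the generated main.json (`metricCategories` metadata) and the README's `diagnosticSettings.metricCategories` section, both of which will self-correct once the template and README are regenerated. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable log collection", which no longer fits an array of objects; given the `?? [ ... ]` fallback in the resource, passing an empty array appears to be the way to suppress the default `AllLogs` group, and the description should say so. Dropping the ACR-specific `@allowed` list (`ContainerRegistryRepositoryEvents`, `ContainerRegistryLoginEvents`) means an unknown `category` is now caught only at deployment time, so listing the valid category names in the `category` description would preserve some of that guidance. Minor style: in `('Dedicated' | 'AzureDiagnostics' | null)?` the `| null` is redundant with the trailing `?`.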
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -488,66 +594,10 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ContainerRegistryRepositoryEvents", - "ContainerRegistryLoginEvents" - ], + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. 
The diagnostic settings of the service." } }, "anonymousPullEnabled": { @@ -594,26 +644,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -733,19 +763,24 @@ "registry" ] }, - "registry_diagnosticSettingName": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "registry_diagnosticSettings": { + "copy": { + "name": "registry_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "registry" diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep index 95e80ee3c3..21a896e527 100644 --- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep 
@@ -154,10 +154,20 @@ module testDeployment '../../main.bicep' = {
 networkPlugin: 'azure'
 networkDataplane: 'azure'
 networkPluginMode: 'overlay'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 diskEncryptionSetID: nestedDependencies.outputs.diskEncryptionSetResourceId
 openServiceMeshEnabled: true
 enableStorageProfileBlobCSIDriver: true
diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep
index cdb76302d8..9b7e0795fc 100644
--- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep
+++ b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep
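Review bot: All three managed-cluster test scenarios (this hunk and the matching hunks in the kubenet and priv test files) exercise the new `diagnosticSettings` shape with only `metricCategories` set, so the `logCategoriesAndGroups` input is never covered and every test relies on whatever the module defaults to — presumably an `AllLogs` category group as in the registry module, but the managed-cluster `main.bicep` is outside this chunk. One of the three entries could add `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` so that both the defaulted and the explicit branch are deployed at least once; since these settings are what ships the cluster's audit logs, the explicit path deserves a regression test. The enclosing `module testDeployment` declaration starts and ends outside the hunk.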
@@ -135,10 +135,20 @@ module testDeployment '../../main.bicep' = {
 }
 ]
 networkPlugin: 'kubenet'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/modules/container-service/managed-cluster/.test/priv/main.test.bicep b/modules/container-service/managed-cluster/.test/priv/main.test.bicep
index 26729a14da..df5967f188 100644
--- a/modules/container-service/managed-cluster/.test/priv/main.test.bicep
+++ b/modules/container-service/managed-cluster/.test/priv/main.test.bicep
@@ -142,10 +142,20 @@ module testDeployment '../../main.bicep' = {
 skuTier: 'Standard'
 dnsServiceIP: '10.10.200.10'
 serviceCidr: '10.10.200.0/24'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 privateDNSZone: nestedDependencies.outputs.privateDnsZoneResourceId
 userAssignedIdentities: {
 '${nestedDependencies.outputs.managedIdentityResourceId}': {}
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index 81b0ac0576..b545850d90 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -124,10 +124,20 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = {
 }
 ]
 autoUpgradeProfileUpgradeChannel: 'stable'
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 diskEncryptionSetID: ''
 enableAzureDefender: true
 enableDefaultTelemetry: ''
@@ -327,17 +337,21 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "autoUpgradeProfileUpgradeChannel": { "value": "stable" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "diskEncryptionSetID": { "value": "" @@ -572,10 +586,20 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' vmSize: 'Standard_DS2_v2' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' networkPlugin: 'kubenet' roleAssignments: [ @@ -688,17 +712,21 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -889,10 +917,20 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' vmSize: 'Standard_DS2_v2' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] dnsServiceIP: '10.10.200.10' enableDefaultTelemetry: '' enablePrivateCluster: true @@ -1005,17 +1043,21 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "dnsServiceIP": { "value": "10.10.200.10" 
@@ -1109,13 +1151,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`autoUpgradeProfileUpgradeChannel`](#parameter-autoupgradeprofileupgradechannel) | string | Auto-upgrade channel on the AKS cluster. | | [`azurePolicyEnabled`](#parameter-azurepolicyenabled) | bool | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. | | [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. | | [`disableRunCommand`](#parameter-disableruncommand) | bool | Whether to disable run command for the cluster or not. | | [`diskEncryptionSetID`](#parameter-diskencryptionsetid) | string | The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. | 
@@ -1410,56 +1446,120 @@ Specifies the azure policy version to use. - Type: string - Default: `'v2'` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, cluster-autoscaler, guard, kube-apiserver, kube-audit, kube-audit-admin, kube-controller-manager, kube-scheduler]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAccounts` diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index fc2de0e96b..06b427922c 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -314,11 +314,8 @@ param enableStorageProfileSnapshotController bool = false @description('Optional. The support plan for the Managed Cluster.') param supportPlan string = 'KubernetesOfficial' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Specifies whether the OMS agent is enabled.') param omsAgentEnabled bool = true @@ -326,12 +323,6 @@ param omsAgentEnabled bool = true @description('Optional. Resource ID of the monitoring log analytics workspace.') param monitoringWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -360,51 +351,6 @@ param httpProxyConfig object = {}
 @description('Optional. Identities associated with the cluster.')
 param identityProfile object = {}
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'kube-apiserver'
- 'kube-audit'
- 'kube-controller-manager'
- 'kube-scheduler'
- 'cluster-autoscaler'
- 'kube-audit-admin'
- 'guard'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = {
@@ -693,18 +639,31 @@ resource managedCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: managedCluster
 }
-resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: managedCluster
-}
+}]
 resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(managedCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
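Review bot: The fallback resource name at `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every iteration of the new `[for (diagnosticSetting, index) in ...]` loop, so two entries that both omit `name` yield duplicate `Microsoft.Insights/diagnosticSettings` resource names and the deployment fails or one entry overwrites the other. The loop already exposes `index`, so a collision-free default that keeps the old single-entry name is `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`; alternatively, state in the type's `name` description that it must be unique when several entries are passed. A second regression worth a comment: the removed `if ((!empty(diagnosticStorageAccountId)) || ...)` guard only created the resource when at least one sink was set, whereas now an entry with none of `workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` is still deployed and is presumably rejected by the service at deploy time — a short `// each entry must name at least one destination` above the resource, or a matching sentence in the type description, would save consumers a failed deployment.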
@@ -804,3 +763,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 9923e70e43..16afb7ba6d 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9286702996832369711" + "templateHash": "10746697295674152111" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", 
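Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` is a copy of the logs text — it talks about logs, "allLogs" and disabling log collection, which is wrong for a metrics array and is propagated verbatim into main.json and the README; it should read along the lines of `Optional. The metric categories that will be streamed. Use 'AllMetrics' to collect all metrics; pass an empty array to disable metric collection.` The `logCategoriesAndGroups` description likewise still says "Set to '' to disable log collection", but the property is now an array of `{ category, categoryGroup }` objects and `''` is not valid input — given the resource's `?? [ { categoryGroup: 'AllLogs' ... } ]` fallback, the only way to disable logs is an explicit empty array `[]`, so the text should say so, otherwise a consumer who believes logs are off is actually shipping all categories. As a point of style, `('Dedicated' | 'AzureDiagnostics' | null)?` is doubly nullable; `('Dedicated' | 'AzureDiagnostics')?` expresses the same type and matches the `nullable: true` plus two allowed values that main.json and the README render.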
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -737,18 +843,10 @@ "description": "Optional. The support plan for the Managed Cluster." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." + "description": "Optional. The diagnostic settings of the service." } }, "omsAgentEnabled": { @@ -765,20 +863,6 @@ "description": "Optional. Resource ID of the monitoring log analytics workspace." } }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, 
@@ -839,68 +923,9 @@ "metadata": { "description": "Optional. Identities associated with the cluster." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "kube-apiserver", - "kube-audit", - "kube-controller-manager", - "kube-scheduler", - "cluster-autoscaler", - "kube-audit-admin", - "guard" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." 
- } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": { "type": "[variables('identityType')]", 
@@ -1114,18 +1139,23 @@ ] }, "managedCluster_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "managedCluster_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "managedCluster" diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index c0692ca43a..16dc9777fd 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep 
@@ -72,10 +72,20 @@ module testDeployment '../../main.bicep' = { cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] gitConfigureLater: true globalParameters: { testParameter1: { diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 82283fdb1c..f8be417ef4 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -55,10 +55,20 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { cMKKeyName: '' cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' gitConfigureLater: true globalParameters: { 
@@ -156,17 +166,21 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "cMKUserAssignedIdentityResourceId": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -336,13 +350,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 | :-- | :-- | :-- |
 | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. |
 | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`gitAccountName`](#parameter-gitaccountname) | string | The account name. 
|
 | [`gitCollaborationBranch`](#parameter-gitcollaborationbranch) | string | The collaboration branch name. Default is 'main'. |
@@ -394,56 +402,120 @@ User assigned identity to use when fetching the customer managed key. Required i - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', ActivityRuns, allLogs, PipelineRuns, SSISIntegrationRuntimeLogs, SSISPackageEventMessageContext, SSISPackageEventMessages, SSISPackageExecutableStatistics, SSISPackageExecutionComponentPhases, SSISPackageExecutionDataStatistics, TriggerRuns]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-Resource ID of the diagnostic log analytics workspace.
 - Required: No
 - Type: string
-- Default: `''`
 ### Parameter: `enableDefaultTelemetry`
diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep
index ead4706f37..5051acac34 100644
--- a/modules/data-factory/factory/main.bicep
+++ b/modules/data-factory/factory/main.bicep
@@ -55,17 +55,8 @@ param gitHostName string = ''
 @description('Optional. List of Global Parameters for the factory.')
 param globalParameters object = {}
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -91,53 +82,6 @@ param cMKKeyVersion string = ''
 @description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
 param cMKUserAssignedIdentityResourceId string = ''
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'ActivityRuns'
- 'PipelineRuns'
- 'TriggerRuns'
- 'SSISPackageEventMessages'
- 'SSISPackageExecutableStatistics'
- 'SSISPackageEventMessageContext'
- 'SSISPackageExecutionComponentPhases'
- 'SSISPackageExecutionDataStatistics'
- 'SSISIntegrationRuntimeLogs'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -246,18 +190,31 @@ resource dataFactory_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt
 scope: dataFactory
 }
-resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: dataFactory
-}
+}]
 resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): {
 name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
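Review bot: The new `logs` and `metrics` values pass the caller's `logCategoriesAndGroups` / `metricCategories` objects straight into the diagnosticSettings resource, so an entry such as the test's `{ category: 'jobs' }` reaches `properties.logs` without the `enabled: true` (and, for metrics, `timeGrain: null`) that the removed `diagnosticsLogs`/`diagnosticsMetrics` variables always attached; only the two fallback literals still carry those fields, and the type at the end of the file exposes no `enabled` member for callers to set it themselves. Unless the API defaults that flag, such entries would be silently ineffective; mapping each entry through a `for` expression, as below, keeps the parameter surface unchanged while restoring what the old variables did, and the compiled `main.json` further down would follow from a rebuild. Separately, the fallback `categoryGroup: 'AllLogs'` differs in casing from the `'allLogs'` the removed code used and from the `"allLogs"` quoted in the type's description, so the two should be aligned.
```bicep
resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name, storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for metric in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: metric.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
  // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```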
@@ -401,3 +358,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json
index 3537a59a94..b4d1ee215d 100644
--- a/modules/data-factory/factory/main.json
+++ b/modules/data-factory/factory/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3087206117365778401"
+ "templateHash": "12744321553281451212"
 },
 "name": "Data Factories",
 "description": "This module deploys a Data Factory.",
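Review bot: The `@description` on `metricCategories` in `diagnosticSettingType` is a copy of the `logCategoriesAndGroups` text — it talks about logs and `"allLogs"` — which does not match the `Required.` description of its own `category` member, and the generated README table earlier in the diff repeats the same wording. Suggest `@description('Optional. The name of metrics that will be streamed. Set the category to \'AllMetrics\' to collect all metrics for the resource.')`. As a point of style, `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` makes the member nullable twice, once via `null` in the union and again via the trailing `?`, where every other optional member of the type uses `?` alone.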
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -371,32 +477,10 @@ "description": "Optional. List of Global Parameters for the factory." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -453,47 +537,6 @@ "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ActivityRuns", - "PipelineRuns", - "TriggerRuns", - "SSISPackageEventMessages", - "SSISPackageExecutableStatistics", - "SSISPackageEventMessageContext", - "SSISPackageExecutionComponentPhases", - "SSISPackageExecutionDataStatistics", - "SSISIntegrationRuntimeLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { 
@@ -516,26 +559,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -604,18 +627,23 @@ ] }, "dataFactory_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "dataFactory_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "dataFactory" diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index d007056101..93003db078 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep 
@@ -78,10 +78,24 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ logCategoriesAndGroups: [
+ {
+ category: 'jobs'
+ }
+ {
+ category: 'notebook'
+
+ }
+ ]
+ }
+ ]
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
@@ -131,11 +145,6 @@ module testDeployment '../../main.bicep' = {
 }
 ]
 managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed'
- diagnosticLogCategoriesToEnable: [
- 'jobs'
- 'notebook'
- ]
- diagnosticSettingsName: 'diag${namePrefix}${serviceShort}001'
 requireInfrastructureEncryption: true
 vnetAddressPrefix: '10.100'
 location: resourceGroup.location
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index 74096d1456..da7f3e5281 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
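Review bot: The second `logCategoriesAndGroups` entry in the databricks test carries a stray blank line between `category: 'notebook'` and its closing `}`, which the `'jobs'` entry right above it does not; dropping it keeps the two entries formatted alike. The same two entries are also what the README sample further down is generated from, so the inconsistency is worth fixing at the source.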
@@ -58,15 +58,23 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { customPrivateSubnetName: '' customPublicSubnetName: '' customVirtualNetworkResourceId: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogCategoriesToEnable: [ - 'jobs' - 'notebook' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'jobs' + } + { + category: 'notebook' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] - diagnosticSettingsName: 'diagdwcom001' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' disablePublicIp: true enableDefaultTelemetry: '' loadBalancerBackendPoolName: '' @@ -159,27 +167,25 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "customVirtualNetworkResourceId": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogCategoriesToEnable": { + "diagnosticSettings": { "value": [ - "jobs", - "notebook" + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "jobs" + }, + { + "category": "notebook" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ] }, - "diagnosticSettingsName": { - "value": "diagdwcom001" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "disablePublicIp": { "value": true }, 
@@ -348,12 +354,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { | [`customPrivateSubnetName`](#parameter-customprivatesubnetname) | string | The name of the Private Subnet within the Virtual Network. | | [`customPublicSubnetName`](#parameter-custompublicsubnetname) | string | The name of a Public Subnet within the Virtual Network. | | [`customVirtualNetworkResourceId`](#parameter-customvirtualnetworkresourceid) | string | The resource ID of a Virtual Network where this Databricks Cluster should be created. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disablePublicIp`](#parameter-disablepublicip) | bool | Disable Public IP. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`loadBalancerBackendPoolName`](#parameter-loadbalancerbackendpoolname) | string | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | 
@@ -452,48 +453,100 @@ The resource ID of a Virtual Network where this Databricks Cluster should be cre - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', accounts, allLogs, clusters, dbfs, instancePools, jobs, notebook, secrets, sqlPermissions, ssh, workspace]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `disablePublicIp` diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index e59beaad47..7db11dae62 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep 
@@ -22,17 +22,8 @@ param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -123,40 +114,6 @@ param requiredNsgRules string = 'AllRules' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'dbfs' - 'clusters' - 'accounts' - 'jobs' - 'notebook' - 'ssh' - 'workspace' - 'secrets' - 'sqlPermissions' - 'instancePools' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var enableReferencedModulesTelemetry = false var builtInRoleNames = { 
@@ -309,17 +266,24 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( } // Note: Diagnostic Settings are only supported by the premium tier -resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if (skuName == 'premium' && ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName)))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: workspace -} +}] resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
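Review bot: The new `[for …]` loop drops the `skuName == 'premium'` half of the removed condition while the `// Note: Diagnostic Settings are only supported by the premium tier` comment directly above it is kept, so a `diagnosticSettings` entry on a non-premium workspace now yields a resource that, if that comment still holds, the platform will reject instead of the module skipping it. Either reinstate the guard in the loop source, `[for (diagnosticSetting, index) in (skuName == 'premium' ? (diagnosticSettings ?? []) : []): {`, or update the comment if the restriction no longer applies. Within the same `properties` block the default `logs` entry carries `enabled: true` but caller-supplied `logCategoriesAndGroups` objects are forwarded as-is, and the type introduced in this commit has no `enabled` member, so the two branches disagree; mapping every entry through a nested loop that sets `enabled` (below) keeps them consistent. Two entries that both omit `name` also resolve to the same `'${name}-diagnosticSettings'` and will collide within the loop; if that default is intentional, the parameter description should state that `name` is required when more than one setting is supplied.
```bicep
resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (skuName == 'premium' ? (diagnosticSettings ?? []) : []): {
  // … unchanged: name, storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
  // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```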
@@ -460,3 +424,35 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 33d22fb540..50c3564b16 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13976222918175315424" + "templateHash": "13163681429252258069" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
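Review bot: The description on `logCategoriesAndGroups` still ends with `Set to '' to disable log collection.`, which was the contract of the removed string-array parameter; the new member is an array of objects, and with the `?? [ { categoryGroup: 'AllLogs' … } ]` default applied at the resource, the way to turn logs off appears to be passing an empty array. Suggest `@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Pass an empty array to disable log collection.')`, and the same wording for the generated README and main.json once regenerated. The `| null` in `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` is redundant with the trailing `?` and differs from how every other optional member of the type is declared; `('Dedicated' | 'AzureDiagnostics')?` reads consistently.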
@@ -252,6 +252,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -293,32 +381,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -515,50 +581,9 @@ "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "dbfs", - "clusters", - "accounts", - "jobs", - "notebook", - "ssh", - "workspace", - "secrets", - "sqlPermissions", - "instancePools" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -661,17 +686,22 @@ ] }, "workspace_diagnosticSettings": { - "condition": "[and(equals(parameters('skuName'), 'premium'), or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName')))))]", + "copy": { + "name": "workspace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "workspace" diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index 69b96807e5..50b1602869 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep 
@@ -106,10 +106,20 @@ module testDeployment '../../main.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] administrators: [ { identityResourceId: nestedDependencies.outputs.managedIdentityResourceId diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index 664d236160..4b29cd3672 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep 
@@ -154,9 +154,19 @@ module testDeployment '../../main.bicep' = { '${nestedDependencies2.outputs.managedIdentityResourceId}': {} '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } } diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index 94163adb79..b606760ece 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -129,10 +129,20 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { } ] delegatedSubnetResourceId: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' highAvailability: 'SameZone' location: '' 
@@ -215,17 +225,21 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "delegatedSubnetResourceId": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -317,10 +331,20 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { name: 'testdb2' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' firewallRules: [ { @@ -430,17 +454,21 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -571,13 +599,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | | [`databases`](#parameter-databases) | array | The databases to create in the server. | | [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the MySQL flexible server. | | [`geoBackupCMKKeyName`](#parameter-geobackupcmkkeyname) | string | The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". | 
@@ -681,56 +703,120 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, MySqlAuditLogs, MySqlSlowLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index d9c6538134..8ee3664d6e 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep 
@@ -174,57 +174,8 @@ param firewallRules array = [] @description('Optional. Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11".') param roleAssignments roleAssignmentType -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'MySqlAuditLogs' - 'MySqlSlowLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
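Review bot: Dropping `diagnosticLogCategoriesToEnable` also drops the `@allowed` list that pinned this resource's log categories to `MySqlAuditLogs` and `MySqlSlowLogs`, so a mistyped category passed through the new `diagnosticSettings` is now rejected only at deployment time, and the new parameter's description gives the caller no hint which categories exist. I would carry that knowledge into the description rather than lose it: `@description('Optional. The diagnostic settings of the service. Log categories supported by this resource are MySqlAuditLogs and MySqlSlowLogs; use categoryGroup allLogs to collect both.')`. Seven parameters are removed outright rather than deprecated, so existing callers passing `diagnosticStorageAccountId` and friends will fail to compile; if the module is published under a version (the README examples reference `1.0.0`) that presumably needs a major bump or changelog entry, which I cannot see in this patch.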
@@ -385,18 +336,31 @@ module flexibleServer_administrators 'administrator/main.bicep' = [for (administ } }] -resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: flexibleServer -} +}] @description('The name of the deployed MySQL Flexible server.') output name string = flexibleServer.name 
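Review bot: The `metrics` and `logs` properties in the new loop pass the caller's `metricCategories`/`logCategoriesAndGroups` objects straight into `Microsoft.Insights/diagnosticSettings`, so a caller-supplied entry arrives without the `enabled: true` (and `timeGrain`) that the inline defaults and the removed `diagnosticsMetrics`/`diagnosticsLogs` variables always set — and the test files in this commit do exactly that with `metricCategories: [ { category: 'AllMetrics' } ]`. Unless the service defaults `enabled` to true (I would not rely on it), such entries are either rejected or deployed disabled, silently leaving the server without the audit telemetry the caller believes it turned on; mapping each entry through a loop that sets `enabled` explicitly avoids the question. Separately, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` gives every unnamed entry the same name, so two array entries without `name` collide on one child resource; a per-index suffix for the second and later entries keeps the single-entry default unchanged. The `logs` default also changes `categoryGroup` from `allLogs` to `AllLogs` — I believe the API is case-insensitive here, but confirm, since the README text still says `allLogs`.

```bicep
resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: flexibleServer
}]
```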
@@ -444,3 +408,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index 534d43fbf2..a63740f0e8 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10515587925363037266" + "templateHash": "13098960413879808793" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", 
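Review bot: The `metricCategories` description in `diagnosticSettingType` is a copy of the logs text ("The name of logs that will be streamed ... Set to '' to disable log collection"), and the `logCategoriesAndGroups` description keeps "Set to '' to disable log collection" even though the property is now an array of objects where an empty string is not valid; both strings are reproduced verbatim in the generated README and main.json in this same commit. I would write `@description('Optional. The metric categories to stream. Set category to \'AllMetrics\' to collect all metrics; pass an empty array to disable metric collection.')` for `metricCategories`, and for `logCategoriesAndGroups` replace the last clause with "pass an empty array to disable log collection", which is accurate because the module substitutes its `AllLogs` default only when the property is absent (`??`), not when it is empty. Minor style point: `('Dedicated' | 'AzureDiagnostics' | null)?` spells the null twice; `('Dedicated' | 'AzureDiagnostics')?` reads the same and matches the other optional properties in the type.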
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -420,66 +526,10 @@ "description": "Optional. Array of role assignment objects that contain the \"roleDefinitionIdOrName\" and \"principalId\" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \"/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\"." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "MySqlAuditLogs", - "MySqlSlowLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." 
- } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { @@ -491,26 +541,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -660,18 +690,23 @@ ] }, "flexibleServer_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "flexibleServer_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "flexibleServer" diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep index da83caf5ac..da9f902b2a 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep 
@@ -95,10 +95,20 @@ module testDeployment '../../main.bicep' = { } ] delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] geoRedundantBackup: 'Enabled' privateDnsZoneArmResourceId: nestedDependencies.outputs.privateDNSZoneResourceId tags: { diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep index ea31d8b80f..1d5c183c98 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep 
@@ -96,10 +96,20 @@ module testDeployment '../../main.bicep' = { name: 'testdb2' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] firewallRules: [ { endIpAddress: '0.0.0.0' diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index e4ee71ee82..dad01ed643 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -139,10 +139,20 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 } ] delegatedSubnetResourceId: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' geoRedundantBackup: 'Enabled' privateDnsZoneArmResourceId: '' 
@@ -213,17 +223,21 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 "delegatedSubnetResourceId": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -292,10 +306,20 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 name: 'testdb2' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' firewallRules: [ { @@ -399,17 +423,21 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -504,13 +532,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | [`createMode`](#parameter-createmode) | string | The mode to create a new PostgreSQL server. | | [`databases`](#parameter-databases) | array | The databases to create in the server. | | [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the PostgreSQL flexible server. | | [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. | 
@@ -627,56 +649,120 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, PostgreSQLFlexDatabaseXacts, PostgreSQLFlexQueryStoreRuntime, PostgreSQLFlexQueryStoreWaitStats, PostgreSQLFlexSessions, PostgreSQLFlexTableStats, PostgreSQLLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index 3dc5ebad53..fe4c7fe3a7 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep 
@@ -161,61 +161,8 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'PostgreSQLLogs' - 'PostgreSQLFlexSessions' - 'PostgreSQLFlexQueryStoreRuntime' - 'PostgreSQLFlexQueryStoreWaitStats' - 'PostgreSQLFlexTableStats' - 'PostgreSQLFlexDatabaseXacts' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? 
[] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType var enableReferencedModulesTelemetry = false 
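Review bot: Removing `diagnosticLogCategoriesToEnable` also removes its `@allowed` list, and the replacement `diagnosticSettingType` (declared in a later hunk) places no constraint on `category`, so a mistyped log category now fails at deployment rather than at compile time. That is an acceptable trade for a shared type, but the resource-specific names are now documented nowhere in the module; I would keep them in the parameter description, e.g. `@description('Optional. The diagnostic settings of the service. Log categories supported by this resource: PostgreSQLLogs, PostgreSQLFlexSessions, PostgreSQLFlexQueryStoreRuntime, PostgreSQLFlexQueryStoreWaitStats, PostgreSQLFlexTableStats, PostgreSQLFlexDatabaseXacts.')`. The old way to disable log collection (`['']`) has no direct equivalent; callers migrating now need `logCategoriesAndGroups: []`, which is worth a line in the same description since audit-log coverage is the security-relevant effect of this parameter.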
@@ -376,18 +323,31 @@ module flexibleServer_administrators 'administrator/main.bicep' = [for (administ
 }
 }]
 
-resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: flexibleServer
-}
+}]
 
 @description('The name of the deployed PostgreSQL Flexible server.')
 output name string = flexibleServer.name
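Review bot: Two `diagnosticSettings` entries that both omit `name` resolve to the same resource name on the `name:` line, because the default `'${name}-diagnosticSettings'` ignores the loop's `index` (which is otherwise unused), so such a deployment fails on a duplicate resource instead of creating two settings. Suffixing only the non-first entries keeps the single-entry name unchanged: `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings${index > 0 ? '-${index}' : ''}'`. The removed `if (!empty(...) || ...)` guard had a second effect that the new type cannot express: an entry with no destination at all (say only `name`) is now submitted with every sink null, which I would expect the service to reject at deployment, so the at-least-one-destination requirement deserves a sentence in the parameter description. The log default also changed from `categoryGroup: 'allLogs'` to `'AllLogs'`; I believe the API matches the group name case-insensitively, but since this is the path every caller who omits `logCategoriesAndGroups` takes, it is worth confirming on a real deployment.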
@@ -435,3 +395,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index d180a4afa1..06684ab38d 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9711960157528543821" + "templateHash": "17360254476628434817" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", 
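Review bot: The `@description` on `metricCategories` is a copy of the `logCategoriesAndGroups` text ("The name of logs that will be streamed. \"allLogs\" includes all possible logs ...") and describes the wrong property; it propagates into `main.json` and into the README tables of every module adopting this type. I would replace it with `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')`. The `logCategoriesAndGroups` description still says "Set to '' to disable log collection", which held for the old string array but not for an array of objects; `Set to [] to disable log collection.` is what the resource's `?? [...]` default actually honours. The `logAnalyticsDestinationType` description ends mid-thought ("or use a destination type"); given the allowed values, `or the resource-specific (Dedicated) tables` is the missing half.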
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -394,94 +500,14 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "PostgreSQLLogs", - "PostgreSQLFlexSessions", - "PostgreSQLFlexQueryStoreRuntime", - "PostgreSQLFlexQueryStoreWaitStats", - "PostgreSQLFlexTableStats", - "PostgreSQLFlexDatabaseXacts" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. 
The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -610,18 +636,23 @@ ] }, "flexibleServer_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "flexibleServer_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "flexibleServer" diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep index 9a7b140bb1..682d39b734 100644 --- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/.test/common/main.test.bicep 
@@ -88,10 +88,15 @@ module testDeployment '../../main.bicep' = { } ] description: 'This is my first Remote Applications bundle' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] friendlyName: 'Remote Applications 1' location: location lock: { diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 57580128cb..985cff6a86 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -68,10 +68,15 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro } ] description: 'This is my first Remote Applications bundle' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' friendlyName: 'Remote Applications 1' location: '' 
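Review bot: The new `diagnosticSettings` entry sets no `metricCategories`, and this module's old parameter surface had no metrics parameter at all (the README hunk in this file section removes `diagnosticLogCategoriesToEnable` but lists no `diagnosticMetricsToEnable`), which suggests application groups expose no diagnostic metrics. If the application-group `main.bicep` (not in this diff) defaults `metrics` to `AllMetrics` the way the PostgreSQL module in this series does, the test would now send a metric category the resource type may not accept; I would either set `metricCategories: []` explicitly here or confirm the module's default is appropriate for this resource type. The `testDeployment` module block starts before and continues after this hunk.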
@@ -141,17 +146,16 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "description": { "value": "This is my first Remote Applications bundle" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -264,12 +268,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro | :-- | :-- | :-- | | [`applications`](#parameter-applications) | array | List of applications to be created in the Application Group. | | [`description`](#parameter-description) | string | The description of the Application Group to be created. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Application Group to be created. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -298,48 +297,100 @@ The description of the Application Group to be created. - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Checkpoint, Error, Management]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of log analytics. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index a532c2001a..f1adcbb932 100644 --- a/modules/desktop-virtualization/application-group/main.bicep +++ b/modules/desktop-virtualization/application-group/main.bicep 
@@ -28,17 +28,8 @@ param description string = ''
 @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
 
-@sys.description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@sys.description('Optional. Resource ID of log analytics.')
-param diagnosticWorkspaceId string = ''
-
-@sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@sys.description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @sys.description('Optional. The lock settings of the service.')
 param lock lockType
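Review bot: The four `diagnostic*` parameters are removed outright rather than kept as deprecated aliases, so any caller still passing `diagnosticStorageAccountId` or `diagnosticWorkspaceId` now fails with an unknown-parameter error; that is a breaking interface change and should be called out and versioned as such, given the README examples reference the module by a pinned `br:...:1.0.0` tag. The new parameter's description also says nothing about what happens when it is omitted or how entries map to resources. I would extend it to `@sys.description('Optional. The diagnostic settings of the service. One Microsoft.Insights/diagnosticSettings resource is deployed per entry; when omitted, no diagnostic settings are created.')`.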
@@ -49,36 +40,9 @@ param tags object = {}
 @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'Checkpoint'
- 'Error'
- 'Management'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
 @sys.description('Optional. List of applications to be created in the Application Group.')
 param applications array = []
 
-@sys.description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
 var enableReferencedModulesTelemetry = false
 
 var builtInRoleNames = {
@@ -140,17 +104,24 @@ resource appGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l
 scope: appGroup
 }
 
-resource appGroup_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource appGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: appGroup
-}
+}]
 
 module appGroup_applications 'application/main.bicep' = [for (application, index) in applications: {
 name: '${uniqueString(deployment().name, location)}-AppGroup-App-${index}'
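Review bot: When a caller supplies `logCategoriesAndGroups`, the entries are forwarded to `logs` as-is, so they carry only `category`/`categoryGroup` and lose the `enabled: true` flag that the removed `diagnosticsLogsSpecified` variable attached to every entry; only the fallback literal still sets `enabled`. As far as I can tell from the diagnosticSettings API, `enabled` is required on each log setting, so an explicit category list would likely be rejected at deployment time — mapping each entry instead of forwarding it restores the old behaviour. A second, smaller point: two entries that both omit `name` resolve to the same `'${name}-diagnosticSettings'` resource name and collide inside the loop, which `diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` (or an `index == 0` special case that keeps the old default) would avoid. Note also that the previous guard skipping deployment when no sink was configured is gone, so an entry with no destination now reaches the API unchecked.
```bicep
      logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
        categoryGroup: group.?categoryGroup
        category: group.?category
        enabled: true
      }]
      // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
```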
@@ -229,3 +200,35 @@ type roleAssignmentType = {
 @sys.description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @sys.description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json
index fbcf269f91..905491e364 100644
--- a/modules/desktop-virtualization/application-group/main.json
+++ b/modules/desktop-virtualization/application-group/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16969600668086963016"
+ "templateHash": "3165107620977984204"
 },
 "name": "Azure Virtual Desktop (AVD) Application Groups",
 "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.",
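Review bot: The description on `logCategoriesAndGroups` still reads `Set to '' to disable log collection`, which was true of the old string-array parameter but not of this object-array type: `''` is not a valid element here, and with the `?? [AllLogs]` fallback in the resource only an explicit empty array `[]` results in no log entries. I would reword it to `@sys.description('Optional. The log categories and/or category groups to collect. Defaults to the \'AllLogs\' category group; pass an empty array to collect no logs.')`. The type also has no `enabled` property, so individual log settings cannot be switched off per entry; an optional `enabled: bool?` on the inner object would mirror the API's log-setting shape. Lastly, `('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice — `('Dedicated' | 'AzureDiagnostics')?` is the form the other optional members use.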
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -156,32 +244,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of log analytics." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -204,49 +270,15 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Checkpoint", - "Error", - "Management" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, "applications": { "type": "array", "defaultValue": [], "metadata": { "description": "Optional. List of applications to be created in the Application Group." } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", 
@@ -322,17 +354,22 @@ ] }, "appGroup_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "appGroup_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "appGroup" diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep index 3d55bac12c..674d905c5c 100644 --- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep 
@@ -67,10 +67,15 @@ module testDeployment '../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 description: 'My first AVD Host Pool'
 friendlyName: 'AVDv2'
 type: 'Pooled'
diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md
index 308494dfb9..ce070fc3ec 100644
--- a/modules/desktop-virtualization/host-pool/README.md
+++ b/modules/desktop-virtualization/host-pool/README.md
@@ -63,10 +63,15 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { } customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' description: 'My first AVD Host Pool' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' friendlyName: 'AVDv2' loadBalancerType: 'BreadthFirst' @@ -151,17 +156,16 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "description": { "value": "My first AVD Host Pool" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -302,12 +306,7 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { | [`agentUpdateUseSessionHostLocalTime`](#parameter-agentupdateusesessionhostlocaltime) | bool | Whether to use localTime of the virtual machine for scheduled agent updates. | | [`customRdpProperty`](#parameter-customrdpproperty) | string | Host Pool RDP properties. | | [`description`](#parameter-description) | string | The description of the Host Pool to be created. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Host Pool to be created. 
| | [`loadBalancerType`](#parameter-loadbalancertype) | string | Type of load balancer algorithm. | 
@@ -407,48 +406,100 @@ The description of the Host Pool to be created. - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', AgentHealthStatus, allLogs, Checkpoint, Connection, Error, HostRegistration, Management]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 618cba9ea6..cb7f44a990 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep 
@@ -56,17 +56,8 @@ param tokenValidityLength string = 'PT8H' @sys.description('Generated. Do not provide a value! This date value is used to generate a registration token.') param baseTime string = utcNow('u') -@sys.description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@sys.description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @sys.description('Optional. The lock settings of the service.') param lock lockType 
@@ -161,36 +152,6 @@ param ssoClientSecretKeyVaultPath string = '' #disable-next-line secure-secrets-in-params param ssoSecretType string = '' -@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'Checkpoint' - 'Error' - 'Management' - 'Connection' - 'HostRegistration' - 'AgentHealthStatus' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@sys.description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var tokenExpirationTime = dateTimeAdd(baseTime, tokenValidityLength) var builtInRoleNames = { 
@@ -266,17 +227,24 @@ resource hostPool_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l scope: hostPool } -resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: hostPool -} +}] resource hostPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
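Review bot: The fallback `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` gives every array entry that omits `name` the same resource name, so a `diagnosticSettings` array with two or more unnamed entries produces duplicate resource names inside the copy loop and the deployment fails. Either fold the loop index into the fallback for all but the first entry, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, which keeps the existing single-setting name stable for callers migrating from the flat parameters, or document on `diagnosticSettingType.name` that it must be set and unique whenever more than one setting is passed. The removed `if ((!empty(...)) || ...)` condition also means an entry is now deployed even when none of the four destination properties is supplied; such a setting is presumably rejected by the API at deployment time, so a comment on the resource stating that each entry needs at least one of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `eventHubName` would help readers.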
@@ -341,3 +309,35 @@ type roleAssignmentType = { @sys.description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @sys.description('Optional. The name of diagnostic setting.') + name: string? + + @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index da16cab4eb..b2d0786145 100644 --- a/modules/desktop-virtualization/host-pool/main.json +++ b/modules/desktop-virtualization/host-pool/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5367057716312563267" + "templateHash": "16828620493021839895" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", 
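Review bot: The description on `logCategoriesAndGroups` in `diagnosticSettingType` still says `Set to '' to disable log collection`, which was the contract of the removed `diagnosticLogCategoriesToEnable` string array; the new element type is an object with `category`/`categoryGroup`, so `''` is not a valid value, and given the resource's `?? [ { categoryGroup: 'AllLogs' ... } ]` fallback the way to collect no logs is an explicit empty array `[]`, since an omitted or null value selects the `AllLogs` default. Suggested wording: `@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to [] to disable log collection.')`. The same description mixes `"allLogs"` with the `'AllLogs'` spelling used in the `categoryGroup` description and in the resource default; pick one so readers do not assume two different values. The generated README and main.json hunks in this diff repeat the stale text, so fixing the source description and regenerating covers them.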
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -211,32 +299,10 @@ "description": "Generated. Do not provide a value! This date value is used to generate a registration token." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -399,46 +465,9 @@ "metadata": { "description": "Optional. The type of single sign on Secret Type." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Checkpoint", - "Error", - "Management", - "Connection", - "HostRegistration", - "AgentHealthStatus" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "tokenExpirationTime": "[dateTimeAdd(parameters('baseTime'), parameters('tokenValidityLength'))]", "builtInRoleNames": { "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", 
@@ -523,17 +552,22 @@ ] }, "hostPool_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "hostPool_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "hostPool" diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep index f1454d689b..e0e472ce62 100644 --- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep @@ -73,10 +73,15 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' 
diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 78bd59f231..58447da84f 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -46,10 +46,15 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' name: 'dvspcom001' // Non-required parameters description: 'My Scaling Plan Description' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' friendlyName: 'My Scaling Plan' hostPoolType: 'Pooled' @@ -129,17 +134,16 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' "description": { "value": "My Scaling Plan Description" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -277,11 +281,7 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' | Parameter | Type | Description | | :-- | :-- | :-- | | [`description`](#parameter-description) | string | Description of the scaling plan. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`exclusionTag`](#parameter-exclusiontag) | string | Provide a tag to be used for hosts that should not be affected by the scaling plan. | | [`friendlyName`](#parameter-friendlyname) | string | Friendly Name of the scaling plan. | 
@@ -300,41 +300,100 @@ Description of the scaling plan. - Type: string - Default: `[parameters('name')]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Autoscale]` -### Parameter: `diagnosticStorageAccountId` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep index 0a995dedad..34f3f687f3 100644 --- a/modules/desktop-virtualization/scaling-plan/main.bicep +++ b/modules/desktop-virtualization/scaling-plan/main.bicep 
@@ -75,17 +75,8 @@ param hostPoolReferences array = [] @sys.description('Optional. Tags of the resource.') param tags object = {} -@sys.description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@sys.description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType 
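Review bot: Replacing `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId` and `diagnosticEventHubName` with `param diagnosticSettings diagnosticSettingType` is a breaking interface change, and nothing in the hunk tells a consumer how to migrate; callers still passing the old names should expect their deployment to be rejected for unknown parameters. A pointer in the new description, e.g. `@sys.description('Optional. The diagnostic settings of the service. Replaces the former diagnosticStorageAccountId, diagnosticWorkspaceId and diagnosticEventHub* parameters.')`, together with a major version bump of the module, would make the change discoverable. The same applies to the workspace `main.bicep` parameter hunk.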
@@ -93,28 +84,6 @@ param roleAssignments roleAssignmentType @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'Autoscale' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var builtInRoleNames = { 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
@@ -164,17 +133,24 @@ resource scalingPlan 'Microsoft.DesktopVirtualization/scalingPlans@2022-09-09' = } } -resource scalingplan_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: '${scalingPlan.name}-diagnosticsetting' +resource scalingPlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: scalingPlan -} +}] resource scalingplan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
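Review bot: Caller-supplied `logCategoriesAndGroups` entries are forwarded as `logs` unchanged, while the `diagnosticSettingType` items in the type hunk declare only `category` and `categoryGroup`, so a caller-provided entry never carries the `enabled` flag a diagnostic setting expects on each log entry — only the built-in default gets `enabled: true`. Mapping each entry explicitly with `enabled` defaulting to `true` (and adding `enabled: bool?` to the type) keeps the input contract and the deployed resource consistent; the `workspace_diagnosticSettings` hunk and its type have the same gap. Separately, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` gives every unnamed entry the same resource name, so two entries without `name` collide inside the loop; a default such as `'${name}-diagnosticSettings-${index}'` avoids that, and `index` is already bound by the `for`.
```bicep
    eventHubName: diagnosticSetting.?eventHubName
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: group.?enabled ?? true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
```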
@@ -227,3 +203,35 @@ type roleAssignmentType = { @sys.description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @sys.description('Optional. The name of diagnostic setting.') + name: string? + + @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index 21c65bb3a2..f392334372 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17071490045717679430" + "templateHash": "9923356797606121055" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", 
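Review bot: The description on `logCategoriesAndGroups` still says `"allLogs" includes all possible logs for the resource. Set to '' to disable log collection.`, which describes the removed string-array parameter; the property is now an array of `{ category, categoryGroup }` objects, `''` is not a meaningful value for it, and — judging by the resource hunk, which only substitutes the `AllLogs` default when the property is null — disabling collection means passing an empty array. Suggested text: `Optional. The log categories and category groups to collect. Defaults to the 'AllLogs' category group when omitted; pass an empty array to disable log collection.` As a point of style, `('Dedicated' | 'AzureDiagnostics' | null)?` declares nullability twice; `('Dedicated' | 'AzureDiagnostics')?` is sufficient. The same description and union appear in the workspace `diagnosticSettingType` hunk.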
@@ -78,6 +78,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -193,32 +281,10 @@ "description": "Optional. Tags of the resource." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "roleAssignments": { 
@@ -233,34 +299,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Autoscale" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -314,18 +355,23 @@ "description": "[parameters('description')]" } }, - "scalingplan_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "scalingPlan_diagnosticSettings": { + "copy": { + "name": "scalingPlan_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", - "name": "[format('{0}-diagnosticsetting', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "scalingPlan" diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep index f96ad8f7b9..72fe51a213 100644 --- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/.test/common/main.test.bicep @@ -71,10 +71,15 @@ module testDeployment '../../main.bicep' = { appGroupResourceIds: [ nestedDependencies.outputs.applicationGroupResourceId ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] location: location lock: { kind: 'CanNotDelete' 
diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index b05c088ce9..6ba2e77ef0 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -50,10 +50,15 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { '' ] description: 'This is my first AVD Workspace' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' friendlyName: 'My first AVD Workspace' location: '' @@ -102,17 +107,16 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "description": { "value": "This is my first AVD Workspace" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -215,12 +219,7 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { | :-- | :-- | :-- | | [`appGroupResourceIds`](#parameter-appgroupresourceids) | array | Resource IDs for the existing Application groups this workspace will group together. | | [`description`](#parameter-description) | string | The description of the Workspace to be created. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`friendlyName`](#parameter-friendlyname) | string | The friendly name of the Workspace to be created. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -242,48 +241,100 @@ The description of the Workspace to be created. - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Checkpoint, Error, Feed, Management]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. 
The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index c2e95510fb..a3c050f19b 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep 
@@ -17,17 +17,8 @@ param friendlyName string = '' @sys.description('Optional. The description of the Workspace to be created.') param description string = '' -@sys.description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@sys.description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @sys.description('Optional. The lock settings of the service.') param lock lockType 
@@ -41,34 +32,6 @@ param enableDefaultTelemetry bool = true @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType -@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'Checkpoint' - 'Error' - 'Management' - 'Feed' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@sys.description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var builtInRoleNames = { 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
@@ -123,17 +86,24 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( scope: workspace } -resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: workspace -} +}] resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
@@ -195,3 +165,35 @@ type roleAssignmentType = { @sys.description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @sys.description('Optional. The name of diagnostic setting.') + name: string? + + @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index c459d621e0..27edea5a4f 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6072334613714480138" + "templateHash": "10079774519163544161" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", 
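Review bot: The description on `logCategoriesAndGroups` is carried over from the removed `diagnosticLogCategoriesToEnable` parameter and no longer matches the type: the property is an array of objects, so `Set to '' to disable log collection` is not a value a caller can pass, and the `"allLogs"` it refers to is now a `categoryGroup` value spelled `'AllLogs'` in the same type. Given the `?? [...]` fallback in the resource, an empty array is what yields no log entries, so suggest `@sys.description('Optional. The log categories and/or category groups to stream. Defaults to a single \'AllLogs\' category group; pass an empty array to collect no logs.')`. The identical text is copied into the digital-twins-instance type in hunk `@@ -358,3 +318,41 @@` and, as the README hunks in this commit show, propagates verbatim into the generated parameter documentation.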
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -140,32 +228,10 @@ "description": "Optional. The description of the Workspace to be created." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -193,44 +259,9 @@ "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Checkpoint", - "Error", - "Management", - "Feed" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." 
- } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Application Group Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -295,17 +326,22 @@ ] }, "workspace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "workspace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "workspace" diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep index 749dbf29fd..e6281b2d8d 100644 --- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep 
@@ -90,10 +90,20 @@ module testDeployment '../../main.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index e3a5585230..0c42034c49 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -49,10 +49,20 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan // Required parameters name: 'dtdticom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' eventGridEndpoint: { eventGridDomainId: '' 
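Review bot: The new test entry supplies `metricCategories` but no `logCategoriesAndGroups`, so only the module's default `AllLogs` path is deployed and the user-supplied log list introduced by this commit is never exercised; a second entry (or a `logCategoriesAndGroups` list on this one) would cover that branch. The entry also passes `{ category: 'AllMetrics' }` without `enabled`, which the module hunk `@@ -227,18 +174,31 @@` forwards to the API as-is, so this is the test where a rejected metric setting would first surface. The `testDeployment` module block starts and ends outside the hunk.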
@@ -118,17 +128,21 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "value": "dtdticom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -260,13 +274,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`eventGridEndpoint`](#parameter-eventgridendpoint) | object | Event Grid Endpoint. | | [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | 
@@ -280,56 +288,120 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | [`tags`](#parameter-tags) | object | Resource tags. | | [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DataHistoryOperation, DigitalTwinsOperation, EventRoutesOperation, ModelsOperation, QueryOperation, ResourceProviderOperation]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. - Required: No - Type: string -- Default: `[format('{0}-diagnosticSettings', parameters('name'))]` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 50675134ab..b7d3117847 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep 
@@ -42,47 +42,12 @@ param privateEndpoints privateEndpointType ]) param publicNetworkAccess string = '' -@description('Optional. The name of the diagnostic setting, if deployed.') -param diagnosticSettingsName string = '${name}-diagnosticSettings' - -@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'DigitalTwinsOperation' - 'EventRoutesOperation' - 'DataHistoryOperation' - 'ModelsOperation' - 'QueryOperation' - 'ResourceProviderOperation' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType @@ -95,24 +60,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { 'Azure Digital Twins Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe') 'Azure Digital Twins Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3') 
@@ -227,18 +174,31 @@ resource digitalTwinsInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = scope: digitalTwinsInstance } -resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: diagnosticSettingsName +resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: digitalTwinsInstance -} +}] resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
@@ -358,3 +318,41 @@ type privateEndpointType = {
   @description('Optional. Enable/Disable usage telemetry for module.')
   enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+  @description('Optional. The name of diagnostic setting.')
+  name: string?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  logCategoriesAndGroups: {
+    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+    category: string?
+
+    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+    categoryGroup: string?
+  }[]?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  metricCategories: {
+    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+    category: string
+  }[]?
+
+  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  workspaceResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  storageAccountResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+  eventHubAuthorizationRuleResourceId: string?
+
+  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  eventHubName: string?
+
+  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+  marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
index 482ce8f162..f7f565c333 100644
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ b/modules/digital-twins/digital-twins-instance/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "9608211624900685479"
+      "templateHash": "3851102361558562054"
     },
     "name": "Digital Twins Instances",
     "description": "This module deploys an Azure Digital Twins Instance.",
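Review bot: The `@description` on `metricCategories` is the log-categories text ("The name of logs that will be streamed … Set to '' to disable log collection") copied verbatim, and the `logCategoriesAndGroups` description still tells the caller to pass `''`, which does not apply to an array of `{ category, categoryGroup }` objects; both strings are what main.json and the README are generated from, so the generated docs inherit the mistake. Suggested for `metricCategories`: `@description('Optional. The metric categories to collect. Defaults to the \'AllMetrics\' category when omitted; pass an empty array to disable metric collection.')`. Suggested for `logCategoriesAndGroups`: `@description('Optional. The log categories and/or category groups to collect. Defaults to the \'AllLogs\' category group when omitted; pass an empty array to disable log collection.')`. The "empty array disables" wording follows from the `??` fallback in the resource loop earlier in this file, which only substitutes the default when the property is absent.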
@@ -252,6 +252,112 @@
         }
       },
       "nullable": true
+    },
+    "diagnosticSettingType": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name of diagnostic setting."
+            }
+          },
+          "logCategoriesAndGroups": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "category": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+                  }
+                },
+                "categoryGroup": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs."
+                  }
+                }
+              }
+            },
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+            }
+          },
+          "metricCategories": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "category": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics."
+                  }
+                }
+              }
+            },
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+            }
+          },
+          "logAnalyticsDestinationType": {
+            "type": "string",
+            "allowedValues": [
+              "AzureDiagnostics",
+              "Dedicated"
+            ],
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+            }
+          },
+          "workspaceResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+            }
+          },
+          "storageAccountResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+            }
+          },
+          "eventHubAuthorizationRuleResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+            }
+          },
+          "eventHubName": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+            }
+          },
+          "marketplacePartnerResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+            }
+          }
+        }
+      },
+      "nullable": true
     }
   },
   "parameters": {
@@ -336,39 +442,10 @@
         "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set."
       }
     },
-    "diagnosticSettingsName": {
-      "type": "string",
-      "defaultValue": "[format('{0}-diagnosticSettings', parameters('name'))]",
+    "diagnosticSettings": {
+      "$ref": "#/definitions/diagnosticSettingType",
       "metadata": {
-        "description": "Optional. The name of the diagnostic setting, if deployed."
-      }
-    },
-    "diagnosticStorageAccountId": {
-      "type": "string",
-      "defaultValue": "",
-      "metadata": {
-        "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-      }
-    },
-    "diagnosticWorkspaceId": {
-      "type": "string",
-      "defaultValue": "",
-      "metadata": {
-        "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-      }
-    },
-    "diagnosticEventHubAuthorizationRuleId": {
-      "type": "string",
-      "defaultValue": "",
-      "metadata": {
-        "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
-      }
-    },
-    "diagnosticEventHubName": {
-      "type": "string",
-      "defaultValue": "",
-      "metadata": {
-        "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+        "description": "Optional. The diagnostic settings of the service."
       }
     },
     "enableDefaultTelemetry": {
@@ -378,37 +455,6 @@
         "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)."
       }
     },
-    "diagnosticLogCategoriesToEnable": {
-      "type": "array",
-      "defaultValue": [
-        "allLogs"
-      ],
-      "allowedValues": [
-        "",
-        "allLogs",
-        "DigitalTwinsOperation",
-        "EventRoutesOperation",
-        "DataHistoryOperation",
-        "ModelsOperation",
-        "QueryOperation",
-        "ResourceProviderOperation"
-      ],
-      "metadata": {
-        "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
-      }
-    },
-    "diagnosticMetricsToEnable": {
-      "type": "array",
-      "defaultValue": [
-        "AllMetrics"
-      ],
-      "allowedValues": [
-        "AllMetrics"
-      ],
-      "metadata": {
-        "description": "Optional. The name of metrics that will be streamed."
-      }
-    },
     "roleAssignments": {
       "$ref": "#/definitions/roleAssignmentType",
       "metadata": {
@@ -417,29 +463,9 @@
       }
     },
     "variables": {
-    "copy": [
-      {
-        "name": "diagnosticsLogsSpecified",
-        "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]",
-        "input": {
-          "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]",
-          "enabled": true
-        }
-      },
-      {
-        "name": "diagnosticsMetrics",
-        "count": "[length(parameters('diagnosticMetricsToEnable'))]",
-        "input": {
-          "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]",
-          "timeGrain": null,
-          "enabled": true
-        }
-      }
-    ],
     "enableReferencedModulesTelemetry": false,
     "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
     "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
-    "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]",
     "builtInRoleNames": {
       "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
       "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
@@ -491,18 +517,23 @@
       ]
     },
     "digitalTwinsInstance_diagnosticSettings": {
-      "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+      "copy": {
+        "name": "digitalTwinsInstance_diagnosticSettings",
+        "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+      },
       "type": "Microsoft.Insights/diagnosticSettings",
       "apiVersion": "2021-05-01-preview",
       "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]",
-      "name": "[parameters('diagnosticSettingsName')]",
+      "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
       "properties": {
-        "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
-        "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
-        "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
-        "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
-        "metrics": "[variables('diagnosticsMetrics')]",
-        "logs": "[variables('diagnosticsLogs')]"
+        "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+        "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+        "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+        "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+        "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+        "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+        "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+        "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
       },
       "dependsOn": [
         "digitalTwinsInstance"
diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/.test/gremlindb/main.test.bicep
index c8ca5f6406..6d53ccd119 100644
--- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep
+++ b/modules/document-db/database-account/.test/gremlindb/main.test.bicep
@@ -79,10 +79,20 @@ module testDeployment '../../main.bicep' = { capabilitiesToAdd: [ 'EnableGremlin' ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] gremlinDatabases: [ { graphs: [ diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/.test/mongodb/main.test.bicep index a887c89772..a311718a74 100644 --- a/modules/document-db/database-account/.test/mongodb/main.test.bicep +++ b/modules/document-db/database-account/.test/mongodb/main.test.bicep 
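Review bot: This fixture and the mongodb, plain and sqldb fixtures that follow all pass the same `customSetting` entry with `metricCategories` only, so `logCategoriesAndGroups`, `logAnalyticsDestinationType` and `marketplacePartnerResourceId` are never exercised and the logs path is covered solely through the module's fallback. Adding `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` to at least one of the four fixtures would cover the explicit-log path that real consumers are most likely to use. Since the four blocks are identical, one fixture could also drop `name` to cover the defaulted-name path. The `testDeployment` module block starts before this hunk.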
@@ -76,10 +76,20 @@ module testDeployment '../../main.bicep' = { locationName: nestedDependencies.outputs.pairedRegionName } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] location: location mongodbDatabases: [ { diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/.test/plain/main.test.bicep index 08cd51278c..ceb6b2fecb 100644 --- a/modules/document-db/database-account/.test/plain/main.test.bicep +++ b/modules/document-db/database-account/.test/plain/main.test.bicep 
@@ -76,10 +76,20 @@ module testDeployment '../../main.bicep' = { locationName: nestedDependencies.outputs.pairedRegionName } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 7188f6732d..48e552ec3d 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep 
@@ -77,10 +77,20 @@ module testDeployment '../../main.bicep' = { locationName: nestedDependencies.outputs.pairedRegionName } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] location: location privateEndpoints: [ { diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 6ab97ff79f..e0c384329f 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -68,10 +68,20 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { capabilitiesToAdd: [ 'EnableGremlin' ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' gremlinDatabases: [ { 
@@ -175,17 +185,21 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "EnableGremlin" ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -294,10 +308,20 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] name: 'dddamng001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' location: '' mongodbDatabases: [ @@ -532,17 +556,21 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "value": "dddamng001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -787,10 +815,20 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] name: 'dddapln001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -843,17 +881,21 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "value": "dddapln001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -912,10 +954,20 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] name: 'dddasql001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' location: '' privateEndpoints: [ 
@@ -1058,17 +1110,21 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "value": "dddasql001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -1221,13 +1277,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { | [`capabilitiesToAdd`](#parameter-capabilitiestoadd) | array | List of Cosmos DB capabilities for the account. | | [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | The offer type for the Cosmos DB database account. | | [`defaultConsistencyLevel`](#parameter-defaultconsistencylevel) | string | The default consistency level of the Cosmos DB account. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| | [`enableFreeTier`](#parameter-enablefreetier) | bool | Flag to indicate whether Free Tier is enabled. | | [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | 
@@ -1313,56 +1363,120 @@ The default consistency level of the Cosmos DB account. - Default: `'Session'` - Allowed: `[BoundedStaleness, ConsistentPrefix, Eventual, Session, Strong]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, CassandraRequests, ControlPlaneRequests, DataPlaneRequests, GremlinRequests, MongoRequests, PartitionKeyRUConsumption, PartitionKeyStatistics, QueryRuntimeStatistics, TableApiRequests]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Requests]` -- Allowed: `[Requests]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
-Resource ID of the log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 6cb9f5b506..ef0e1e141e 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep 
@@ -79,46 +79,8 @@ param lock lockType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'DataPlaneRequests'
- 'MongoRequests'
- 'QueryRuntimeStatistics'
- 'PartitionKeyStatistics'
- 'PartitionKeyRUConsumption'
- 'ControlPlaneRequests'
- 'CassandraRequests'
- 'GremlinRequests'
- 'TableApiRequests'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'Requests'
-])
-param diagnosticMetricsToEnable array = [
- 'Requests'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @allowed([
 'EnableCassandra'
@@ -166,24 +128,6 @@ param backupStorageRedundancy string = 'Local'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = identityType != 'None' ? {
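Review bot: Replacing the `@allowed` list on `diagnosticLogCategoriesToEnable` with the free-form `category: string?` of `diagnosticSettingType` moves category-name validation from compile time to deployment time, so a misspelt category in `logCategoriesAndGroups` is no longer caught by `bicep build`; the same applies to the event-grid/domain/main.bicep hunk at @@ -25,17 +25,8 @@. If the provider-specific lists (`DataPlaneRequests`, `MongoRequests`, … here; `DeliveryFailures`, `PublishFailures` for the domain) are still meant to be authoritative, keep them visible to the caller in the parameter description, e.g. `@description('Optional. The diagnostic settings of the service. Supported log categories for this resource: DataPlaneRequests, MongoRequests, QueryRuntimeStatistics, PartitionKeyStatistics, PartitionKeyRUConsumption, ControlPlaneRequests, CassandraRequests, GremlinRequests, TableApiRequests.')`. Whether the Insights provider rejects an unknown category at deployment or silently ignores it cannot be confirmed from the diff, so a deployment test with an explicit category list would settle it.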
@@ -301,18 +245,31 @@ resource databaseAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!
 scope: databaseAccount
 }
-resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: databaseAccount
-}
+}]
 resource databaseAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): {
 name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
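Review bot: The default `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every loop iteration, so two `diagnosticSettings` entries that both omit `name` declare two resources with the same name under the same scope, a collision the previous single-resource form could not produce. Keep the old default for the first entry and disambiguate the rest, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The removed `if (...)` guard also required at least one destination before the resource existed; the loop now emits an entry that sets none of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId`, leaving it to the resource provider (presumably) to reject the setting at deployment rather than the template. Note too that the removed `@allowed` list restricted metrics for this resource to `Requests`, while the new default emits `category: 'AllMetrics'`; confirm the DocumentDB provider accepts that group before relying on the default. The event-grid/domain/main.bicep hunk at @@ -152,18 +103,31 @@ carries the same loop and defaults.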
@@ -488,3 +445,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 498d4cc162..c64588c998 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15078236941078357698" + "templateHash": "7425318537655406397" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
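Review bot: The `@description` on `metricCategories` is a copy of the one on `logCategoriesAndGroups` ("The name of logs that will be streamed … Set to '' to disable log collection"), which is wrong for a metrics array and is propagated verbatim into the generated README and main.json. It should read something like `@description('Optional. The name of metrics that will be streamed. Pass an empty array to disable metric collection.')`. The `logCategoriesAndGroups` description is stale as well: with an array type there is no `''` to set, and the resource body falls back to `categoryGroup: 'AllLogs'` only when the property is omitted, so the disable instruction should say `[]`. The type also permits an entry with no destination at all; a sentence on the `diagnosticSettings` parameter stating that at least one of `workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` must be set would make that contract visible before deployment.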
@@ -251,6 +251,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -403,73 +509,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DataPlaneRequests", - "MongoRequests", - "QueryRuntimeStatistics", - "PartitionKeyStatistics", - "PartitionKeyRUConsumption", - "ControlPlaneRequests", - "CassandraRequests", - "GremlinRequests", - "TableApiRequests" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Requests" - ], - "allowedValues": [ - "Requests" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "capabilitiesToAdd": { @@ -548,23 +591,6 @@ }, "variables": { "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "databaseAccount_locations", "count": "[length(parameters('locations'))]", 
@@ -582,7 +608,6 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "consistencyPolicy": { 
@@ -661,18 +686,23 @@ ] }, "databaseAccount_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "databaseAccount_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "databaseAccount" diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/.test/common/main.test.bicep index da1d56564a..a6fc193fae 100644 --- a/modules/event-grid/domain/.test/common/main.test.bicep +++ b/modules/event-grid/domain/.test/common/main.test.bicep 
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 inboundIpRules: [
 {
 action: 'Allow'
diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md
index 99c32bd414..6c71635f0a 100644
--- a/modules/event-grid/domain/README.md
+++ b/modules/event-grid/domain/README.md
@@ -50,10 +50,20 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
 // Required parameters
 name: 'egdcom001'
 // Non-required parameters
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 inboundIpRules: [
 {
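Review bot: The test exercises only the `metricCategories` branch and relies on the module's `AllLogs` fallback for logs, so neither an explicit `logCategoriesAndGroups` list nor the default-name path (an entry without `name`) is covered. A second `diagnosticSettings` entry that omits `name`, sets only `workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId` and gives `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` would cover both paths and would surface any default-name collision across entries in a deployment run.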
@@ -115,17 +125,21 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { "value": "egdcom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -336,13 +350,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { | :-- | :-- | :-- | | [`autoCreateTopicWithFirstSubscription`](#parameter-autocreatetopicwithfirstsubscription) | bool | Location for all Resources. | | [`autoDeleteTopicWithLastSubscription`](#parameter-autodeletetopicwithlastsubscription) | bool | Location for all Resources. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| | [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | 
@@ -367,56 +375,120 @@ Location for all Resources. - Type: bool - Default: `True` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DeliveryFailures, PublishFailures]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep
index 51b317cac0..148f117db7 100644
--- a/modules/event-grid/domain/main.bicep
+++ b/modules/event-grid/domain/main.bicep
@@ -25,17 +25,8 @@ param autoDeleteTopicWithLastSubscription bool = true
 @description('Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled.')
 param inboundIpRules array = []
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
@@ -52,51 +43,11 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'DeliveryFailures' - 'PublishFailures' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - @description('Optional. The topic names which are associated with the domain.') param topics array = [] var enableReferencedModulesTelemetry = false -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') 
@@ -152,18 +103,31 @@ resource domain_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(loc
 scope: domain
 }
-resource domain_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource domain_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: domain
-}
+}]
 module domain_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ??
[]): { name: '${uniqueString(deployment().name, location)}-domain-PrivateEndpoint-${index}' 
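Review bot: Two `diagnosticSettings` entries that both omit `name` produce two resources named `'${name}-diagnosticSettings'` in the new `domain_diagnosticSettings` loop, which the deployment will reject as a duplicate resource name under the same scope. Either make `name` required in `diagnosticSettingType` or suffix the fallback with the loop index, e.g. `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` (keep the unsuffixed form for index 0 if existing deployments must not be re-created). The old `if (...)` guard that required at least one destination is gone, so an entry that sets none of `storageAccountResourceId`, `workspaceResourceId` and `eventHubAuthorizationRuleResourceId` now reaches the API with every sink null; I would expect a deployment error rather than a silent no-op, but a comment on the resource line stating that at least one sink is required would save a failed run. The default log category group also changed from `allLogs` to `AllLogs`; worth confirming the API accepts that casing for this resource type before it becomes the default for every caller.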
@@ -304,3 +268,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional.
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json
index a6648e2540..c0d3e0b923 100644
--- a/modules/event-grid/domain/main.json
+++ b/modules/event-grid/domain/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1139242141774790759" + "templateHash": "16715487695261799270" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.",
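Review bot: The `@description` on `metricCategories` in `diagnosticSettingType` is the log description copied verbatim ("The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection."), and because the README is generated from these strings the metrics parameter is now documented as a log setting everywhere. Suggest `@description('Optional. The name of metrics that will be streamed. Set to \'AllMetrics\' to collect all metrics.')`. The `logCategoriesAndGroups` description still says "Set to '' to disable log collection", but the member is an array now; judging by the `?? [...]` default in the resource an empty array is passed through as-is, so the text should say to pass `[]` to disable log collection (confirm that is the intended mechanism). The `eventHubName` description carries the "For security reasons…" sentence that belongs with the three destination IDs, not with the hub name. `('Dedicated' | 'AzureDiagnostics' | null)?` makes `null` a union member and the type nullable at the same time; `('Dedicated' | 'AzureDiagnostics')?` expresses the same contract without the redundancy.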
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -301,32 +407,10 @@ "description": "Optional. This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "privateEndpoints": { 
@@ -361,40 +445,6 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DeliveryFailures", - "PublishFailures" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "topics": { "type": "array", "defaultValue": [], 
@@ -404,27 +454,7 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", 
@@ -480,18 +510,23 @@ ] }, "domain_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "domain_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.EventGrid/domains/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "domain" diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep index ae009c0082..fcd8970f07 100644 --- a/modules/event-grid/system-topic/.test/common/main.test.bicep +++ b/modules/event-grid/system-topic/.test/common/main.test.bicep 
@@ -92,10 +92,20 @@ module testDeployment '../../main.bicep' = { } } } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index d782afe5a1..29fe9ed0c9 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -49,10 +49,20 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { source: '' topicType: 'Microsoft.Storage.StorageAccounts' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' eventSubscriptions: [ { 
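Review bot: The new `diagnosticSettings` test entry only exercises the default `logCategoriesAndGroups` path, so the user-supplied log category branch of the resource is never deployed by the common test. Adding `logCategoriesAndGroups: [ { category: 'DeliveryFailures' } ]` (an allowed value of the parameter this change removes) or `[ { categoryGroup: 'allLogs' } ]` to the entry would cover it, and would also surface any casing problem with the category-group name. The `testDeployment` module call starts and ends outside the hunk.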
@@ -121,17 +131,21 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { "value": "Microsoft.Storage.StorageAccounts" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -262,13 +276,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | | [`location`](#parameter-location) | string | Location for all Resources. | 
@@ -278,56 +286,120 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DeliveryFailures]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry`
diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep
index 532641bb41..32ae0e4226 100644
--- a/modules/event-grid/system-topic/main.bicep
+++ b/modules/event-grid/system-topic/main.bicep
@@ -17,17 +17,8 @@ param topicType string
 @description('Optional. Event subscriptions to deploy.')
 param eventSubscriptions array = []
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -54,45 +45,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'DeliveryFailures' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de') 
@@ -157,18 +109,31 @@ resource systemTopic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt
 scope: systemTopic
 }
 
-resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: systemTopic
-}
+}]
 
 resource systemTopic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(systemTopic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
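Review bot: Caller-supplied `metricCategories` and `logCategoriesAndGroups` are forwarded to `properties.metrics` / `properties.logs` as-is, so an entry like the test's `{ category: 'AllMetrics' }` reaches the provider with no `enabled` flag (and no `timeGrain`), while the fallback literals set both; the diagnosticSettings schema marks `enabled` as required on log and metric entries as far as I recall, so such an entry may be rejected or end up not enabled — worth confirming against a real deployment. Mapping each entry through a `for` that fills `enabled: true` restores what the removed `diagnosticsMetrics` / `diagnosticsLogs` variables used to guarantee; the same pass-through exists in the topic module's `topic_diagnosticSettings` hunk. Separately, `index` is bound but unused, so two entries without `name` both resolve to `'${name}-diagnosticSettings'` and collide inside the loop; either document that `name` must be unique per entry or fold `index` into the default. The old `!empty(x) ? x : null` normalization is also gone, so a caller migrating with `''` values now sends empty strings instead of nulls for the destination IDs.
```bicep
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for metric in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: metric.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
```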
@@ -233,3 +198,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json
index 0b8683dd98..cf3f8afd03 100644
--- a/modules/event-grid/system-topic/main.json
+++ b/modules/event-grid/system-topic/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
-"templateHash": "14004525159573490649"
+"templateHash": "5581457669856616058"
 },
 "name": "Event Grid System Topics",
 "description": "This module deploys an Event Grid System Topic.",
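Review bot: The `@description` on `metricCategories` is a verbatim copy of the log description ("The name of logs that will be streamed … Set to '' to disable log collection") and, like the one on `logCategoriesAndGroups`, still describes the removed string-array contract; with the `?? [...]` fallback in `systemTopic_diagnosticSettings`, an explicit empty array is now what disables collection, and `''` is not a valid value of either property. Suggested wording: `@description('Optional. The name of metrics that will be streamed. Set to [] to disable metric collection.')` for `metricCategories` and `@description('Optional. The log categories and category groups that will be streamed. Set to [] to disable log collection.')` for `logCategoriesAndGroups`. The `logAnalyticsDestinationType` description also stops mid-sentence ("or use a destination type"), so the reader never learns what the `Dedicated` alternative means. The generated main.json and README hunks in this commit carry the same text and will pick the fix up on regeneration.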
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -138,32 +244,10 @@ "description": "Optional. Event subscriptions to deploy." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "roleAssignments": { 
@@ -205,64 +289,11 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DeliveryFailures" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": 
"[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", 
@@ -317,18 +348,23 @@ ] }, "systemTopic_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "systemTopic_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.EventGrid/systemTopics/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "systemTopic" diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/.test/common/main.test.bicep index 379c92f7f5..94d94440b7 100644 --- a/modules/event-grid/topic/.test/common/main.test.bicep +++ b/modules/event-grid/topic/.test/common/main.test.bicep 
@@ -69,10 +69,20 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] eventSubscriptions: [ { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index edcf1c9672..7eb867998a 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -50,10 +50,20 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { // Required parameters name: 'egtcom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' eventSubscriptions: [ { 
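Review bot: The single `diagnosticSettings` entry sets `metricCategories` and the four destinations but neither `logCategoriesAndGroups` nor `logAnalyticsDestinationType`, so CI only ever deploys the `'AllLogs'` fallback and never exercises a caller-supplied log category or the new destination type that this change introduces. Adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` (or a concrete category) to the `customSetting` entry would cover the explicit path. The enclosing `testDeployment` module body continues outside the hunk.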
@@ -136,17 +146,21 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { "value": "egtcom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -376,13 +390,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | | [`inboundIpRules`](#parameter-inboundiprules) | array | This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. | 
@@ -393,56 +401,120 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DeliveryFailures, PublishFailures]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
-Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep index 89d93f0f2b..7e24e9c9fc 100644 --- a/modules/event-grid/topic/main.bicep +++ b/modules/event-grid/topic/main.bicep @@ -22,17 +22,8 @@ param inboundIpRules array = [] @description('Optional. Event subscriptions to deploy.') param eventSubscriptions array = [] -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType 
@@ -49,48 +40,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'DeliveryFailures'
- 'PublishFailures'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 var enableReferencedModulesTelemetry = false
 
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
@@ -154,18 +105,31 @@ resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock scope: topic } -resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: topic -} +}] module topic_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? 
[]): { name: '${uniqueString(deployment().name, location)}-topic-PrivateEndpoint-${index}' 
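Review bot: User-supplied `logCategoriesAndGroups` and `metricCategories` entries are passed straight through as `logs`/`metrics`, but the new `diagnosticSettingType` declares their items with only `category`/`categoryGroup`, so nothing sets the `enabled` flag that diagnosticSettings log and metric items carry; only the `??` fallback literals set `enabled: true`. Depending on how the resource provider treats a missing flag this is either a failed deployment or, worse, an audit-log category that is accepted but never collected, which is the one thing a diagnostic-settings module exists to prevent. The same pass-through appears in the `eventHubNamespace_diagnosticSettings` hunk of event-hub/namespace/main.bicep, and the namespace test in main.test.bicep already exercises it with `metricCategories: [ { category: 'AllMetrics' } ]` and no `enabled`. Mapping both arrays explicitly, as below, keeps the external shape and restores the old always-enabled behaviour; separately, `index` is unused, so two entries that both omit `name` collapse to the same `'${name}-diagnosticSettings'` resource name, which should at least be documented on the type.
```bicep
resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name and destination properties …
    metrics: [for metric in (diagnosticSetting.?metricCategories ?? [
      {
        category: 'AllMetrics'
      }
    ]): {
      category: metric.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [
      {
        categoryGroup: 'AllLogs'
      }
    ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
  // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```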
@@ -306,3 +270,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 0aadfa26de..7013e9320d 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12386573545698498000" + "templateHash": "8337019560033170518" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", 
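Review bot: The `@description` on `metricCategories` is a copy of the log one ("The name of logs that will be streamed … Set to '' to disable log collection"), and `logCategoriesAndGroups` keeps the same sentence although the `''` sentinel no longer exists for an array-typed property; since main.json and the README are generated from these, the wrong text is carried into both. Suggested wording: `@description('Optional. The metric categories to collect; omit the property to collect all metrics (AllMetrics).')` and `@description('Optional. The log categories and/or category groups to collect; omit the property to collect all logs (categoryGroup AllLogs).')`. Whether an empty array is meant to disable collection, as `''` used to, should be stated explicitly — with the `??` fallback in the resource an empty array is not null and would be passed through as an empty `logs` list. The identical `diagnosticSettingType` added in event-hub/namespace/main.bicep carries the same two descriptions.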
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -294,32 +400,10 @@ "description": "Optional. Event subscriptions to deploy." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "privateEndpoints": { 
@@ -353,64 +437,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DeliveryFailures", - "PublishFailures" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), 
if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", 
@@ -464,18 +494,23 @@ ] }, "topic_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "topic_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "topic" diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index ddfb1fc9a1..3a4cef6289 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep 
@@ -88,10 +88,20 @@ module testDeployment '../../main.bicep' = { ] } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] eventhubs: [ { name: '${namePrefix}-az-evh-x-001' diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index f77bda2132..f7ec816066 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -73,10 +73,20 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { ] } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableLocalAuth: true enableDefaultTelemetry: '' eventhubs: [ 
@@ -241,17 +251,21 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableLocalAuth": { "value": true 
@@ -681,13 +695,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Event Hub namespace. | | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. | | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Event Hubs namespace. | | [`disasterRecoveryConfig`](#parameter-disasterrecoveryconfig) | object | The disaster recovery config for this namespace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -745,56 +753,120 @@ User assigned identity to use when fetching the customer managed key. The identi - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ApplicationMetricsLogs, ArchiveLogs, AutoScaleLogs, CustomerManagedKeyUserLogs, EventHubVNetConnectionEvent, KafkaCoordinatorLogs, KafkaUserErrorLogs, OperationalLogs, RuntimeAuditLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAuth` diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index b8ac4af79d..85db737ff3 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -74,17 +74,8 @@ param privateEndpoints privateEndpointType @description('Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') param networkRuleSets object = {} -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -125,55 +116,8 @@ param eventhubs array = [] @description('Optional. The disaster recovery config for this namespace.') param disasterRecoveryConfig object = {} -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ArchiveLogs' - 'OperationalLogs' - 'AutoScaleLogs' - 'KafkaCoordinatorLogs' - 'KafkaUserErrorLogs' - 'EventHubVNetConnectionEvent' - 'CustomerManagedKeyUserLogs' - 'RuntimeAuditLogs' - 'ApplicationMetricsLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - var maximumThroughputUnitsVar = !isAutoInflateEnabled ? 0 : maximumThroughputUnits -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -367,18 +311,31 @@ resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if scope: eventHubNamespace } -resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: eventHubNamespace -} +}] @description('The name of the eventspace.') output name string = eventHubNamespace.name 
@@ -484,3 +441,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index 4f0df97e85..d0fd852b27 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8192238306230963085" + "templateHash": "14695132323302557393" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", 
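Review bot: The `@description` on `metricCategories` is a copy of the one on `logCategoriesAndGroups` ("The name of logs that will be streamed ... Set to '' to disable log collection"), which misdescribes a metrics array, and since both properties are now arrays of objects rather than strings, `''` is no longer a valid way to disable collection for either. Suggest `@description('Optional. The metric categories to collect. Set to [] to disable metric collection.')` on `metricCategories`, and on `logCategoriesAndGroups` replacing the trailing sentence with `Set to [] to disable log collection.`, which matches how the `??` fallback in the resource behaves. The `logAnalyticsDestinationType` union `('Dedicated' | 'AzureDiagnostics' | null)?` declares nullability twice (in the union and via `?`), which reads as unintentional. The same type block is repeated in the `dicomservice/main.bicep` hunk at the end of this diff and in the generated `main.json`, so a fix here has to be mirrored there or the JSON and README regenerated.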
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -381,32 +487,10 @@ "description": "Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -497,71 +581,10 @@ "metadata": { "description": "Optional. The disaster recovery config for this namespace." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ArchiveLogs", - "OperationalLogs", - "AutoScaleLogs", - "KafkaCoordinatorLogs", - "KafkaUserErrorLogs", - "EventHubVNetConnectionEvent", - "CustomerManagedKeyUserLogs", - "RuntimeAuditLogs", - "ApplicationMetricsLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." 
- } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "maximumThroughputUnitsVar": "[if(not(parameters('isAutoInflateEnabled')), 0, parameters('maximumThroughputUnits'))]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -675,18 +698,23 @@ ] }, "eventHubNamespace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "eventHubNamespace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "eventHubNamespace" diff --git a/modules/healthcare-apis/workspace/.test/common/dependencies.bicep b/modules/healthcare-apis/workspace/.test/common/dependencies.bicep index 5b477eb11a..96f9aff771 100644 --- a/modules/healthcare-apis/workspace/.test/common/dependencies.bicep +++ b/modules/healthcare-apis/workspace/.test/common/dependencies.bicep @@ -58,7 +58,6 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id - @description('The resource ID of the created Storage Account.') output storageAccountResourceId string = storageAccount.id diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep index bcac722b91..4c8f4d3f7b 100644 --- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep +++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep 
@@ -33,7 +33,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { location: location } -module resourceGroupResources 'dependencies.bicep' = { +module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-paramNested' params: { @@ -85,10 +85,20 @@ module testDeployment '../../main.bicep' = { corsMaxAge: 600 corsAllowCredentials: false location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] publicNetworkAccess: 'Enabled' resourceVersionPolicy: 'versioned' smartProxyEnabled: false @@ -97,12 +107,12 @@ module testDeployment '../../main.bicep' = { importEnabled: false initialImportMode: false userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} + '${nestedDependencies.outputs.managedIdentityResourceId}': {} } roleAssignments: [ { roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') - principalId: resourceGroupResources.outputs.managedIdentityPrincipalId + principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } ] 
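Review bot: The replacement `diagnosticSettings` block in this hunk, and the identical one in the following hunk (`@@ -118,18 +128,35 @@`), only exercises `metricCategories`; no test case sets `logCategoriesAndGroups` or `logAnalyticsDestinationType`, so the pass-through of caller-supplied log entries in `main.bicep` is never deployed by CI. Consider adding `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` to one of the two entries so that branch is covered. The `metricCategories` entry here carries no `enabled` flag, so a green run of this test is the evidence for whether the resource provider defaults it; if it does, that reliance is worth a sentence in the module README. The `testDeployment` module definition continues outside the hunk.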
@@ -118,18 +128,35 @@ module testDeployment '../../main.bicep' = { corsMaxAge: 600 corsAllowCredentials: false location: location - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] publicNetworkAccess: 'Enabled' enableDefaultTelemetry: enableDefaultTelemetry systemAssignedIdentity: false userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentityResourceId}': {} + '${nestedDependencies.outputs.managedIdentityResourceId}': {} } } ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 8285f16546..e619b6631f 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md 
@@ -64,10 +64,20 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { corsOrigins: [ '*' ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' location: '' name: 'az-dicom-x-001' @@ -93,10 +103,20 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { corsOrigins: [ '*' ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' importEnabled: false initialImportMode: false @@ -126,6 +146,13 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { name: 'myCustomLockName' } publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -166,10 +193,20 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "corsOrigins": [ "*" ], - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "enableDefaultTelemetry": "", "location": "", "name": "az-dicom-x-001", @@ -199,10 +236,20 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "corsOrigins": [ "*" ], - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "enableDefaultTelemetry": "", "importEnabled": false, "initialImportMode": false, @@ -239,6 +286,15 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "publicNetworkAccess": { "value": "Enabled" }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index 8310adf22f..b1f46574f1 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md +++ b/modules/healthcare-apis/workspace/dicomservice/README.md 
@@ -40,12 +40,7 @@ This module deploys a Healthcare API Workspace DICOM Service. | [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | | [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. | | [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -90,48 +85,120 @@ Specify URLs of origin sites that can access this API, or use "*" to allow acces - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. 
- Required: No - Type: array -- Default: `[AuditLogs]` -- Allowed: `[AuditLogs]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep index eb9b1cd1bf..8ccdf0334b 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.bicep 
+++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep @@ -35,17 +35,8 @@ param corsAllowCredentials bool = false @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType @@ -69,22 +60,6 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed.') -@allowed([ - 'AuditLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'AuditLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { - category: category - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -138,18 +113,31 @@ resource dicom_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 scope: dicom
 }
 
-resource dicom_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource dicom_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: null
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: dicom
-}
+}]
 
 @description('The name of the dicom service.')
 output name string = dicom.name
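Review bot: Two `diagnosticSettings` entries that both omit `name` collapse to the same resource name on the `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` line, so the `[for …]` loop declares duplicate `Microsoft.Insights/diagnosticSettings` resources and the deployment fails; `index` is bound in the loop header but never used. A default such as `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings${index == 0 ? '' : '-${index}'}'` keeps the existing single-entry name and disambiguates the rest. The old `if (…)` guard only created the resource when a destination was supplied; an entry with none of `storageAccountResourceId`, `workspaceResourceId` or `eventHubAuthorizationRuleResourceId` now produces a setting with no sink, which is likely rejected at deploy time, so the parameter description should state that each entry needs at least one destination. The previous code also set `metrics: null` for the DICOM service, which suggests the resource type may not expose metric categories; the new `AllMetrics` default is worth verifying against that before relying on it. Apart from the metrics point, the same applies to the `fhir_diagnosticSettings` hunk in modules/healthcare-apis/workspace/fhirservice/main.bicep.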
@@ -177,3 +165,41 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json index 0c22bd6db4..2a13e61b2e 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.json +++ b/modules/healthcare-apis/workspace/dicomservice/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16609630624404769037" + "templateHash": "2513018044740237283" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", 
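Review bot: The `@description` on `metricCategories` is copied from `logCategoriesAndGroups` ("The name of logs that will be streamed. \"allLogs\" includes …") and describes the wrong property; it should read along the lines of `@description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')`. Both descriptions also say "Set to '' to disable", but the properties are typed as object arrays, so `''` would not satisfy the type while an empty array `[]` is what the `?? [ … ]` default in the resource passes through unchanged; "Set to `[]`" is the accurate wording. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` lists `null` in the union and also marks the property optional with `?`, which is redundant; `('Dedicated' | 'AzureDiagnostics')?` says the same and matches the compiled `allowedValues`. These descriptions are what the generated main.json and README carry, so fixing them here corrects the derived files on the next regeneration. The identical type block is added in modules/healthcare-apis/workspace/fhirservice/main.bicep with the same text.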
@@ -37,6 +37,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -103,32 +209,10 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -175,38 +259,9 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "AuditLogs" - ], - "allowedValues": [ - "AuditLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, 
@@ -267,18 +322,23 @@ ] }, "dicom_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "dicom_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": null, - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "dicom" diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 0edb384b28..83b67d69e3 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md 
@@ -47,13 +47,7 @@ This module deploys a Healthcare API Workspace FHIR Service. | [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. | | [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. | | [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). 
| | [`exportStorageAccountName`](#parameter-exportstorageaccountname) | string | The name of the default export storage account. | | [`importEnabled`](#parameter-importenabled) | bool | If the import operation is enabled. | 
@@ -142,56 +136,120 @@ Specify URLs of origin sites that can access this API, or use "*" to allow acces - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. - Required: No - Type: array -- Default: `[AuditLogs]` -- Allowed: `[AuditLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. 
- Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index e689358883..448b59adf0 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep 
+++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep @@ -57,17 +57,8 @@ param corsAllowCredentials bool = false @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The name of the default export storage account.') param exportStorageAccountName string = '' 
@@ -120,36 +111,6 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@allowed([ - 'AuditLogs' -]) -@description('Optional. The name of logs that will be streamed.') -param diagnosticLogCategoriesToEnable array = [ - 'AuditLogs' -] - -@allowed([ - 'AllMetrics' -]) -@description('Optional. The name of metrics that will be streamed.') -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { - category: category - enabled: true -}] - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -249,18 +210,31 @@ resource fhir_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 scope: fhir
 }
 
-resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: fhir
-}
+}]
 
 resource fhir_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
@@ -328,3 +302,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index 40452de2c7..40f6f89c72 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9263507770658770799" + "templateHash": "8392198431844501692" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", 
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -215,32 +321,10 @@
 "description": "Optional. Location for all resources."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "exportStorageAccountName": {
@@ -347,58 +431,10 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "AuditLogs" - ], - "allowedValues": [ - "AuditLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "accessPolicies", "count": "[length(parameters('accessPolicyObjectIds'))]", 
@@ -507,18 +543,23 @@
 ]
 },
 "fhir_diagnosticSettings": {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "copy": {
+ "name": "fhir_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
 "fhir"
diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md
index bde9fa418c..45c4d5da83 100644
--- a/modules/healthcare-apis/workspace/iotconnector/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/README.md
@@ -41,13 +41,7 @@ This module deploys a Healthcare API Workspace IoT Connector.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`consumerGroup`](#parameter-consumergroup) | string | Consumer group of the event hub to connected to. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. |
 | [`location`](#parameter-location) | string | Location for all resources. |
@@ -70,56 +64,120 @@ The mapping JSON that determines how incoming device data is normalized. - Type: object - Default: `{object}` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
- Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. - Required: No - Type: array -- Default: `[DiagnosticLogs]` -- Allowed: `[DiagnosticLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
-The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep index 68e31cca6b..0bba8614b6 100644 
--- a/modules/healthcare-apis/workspace/iotconnector/main.bicep
+++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep
@@ -30,17 +30,8 @@ param fhirdestination object = {}
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -57,36 +48,6 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed.') -@allowed([ - 'DiagnosticLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'DiagnosticLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { - category: category - enabled: true -}] - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -142,18 +103,31 @@ resource iotConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp
 scope: iotConnector
 }
 
-resource iotConnector_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource iotConnector_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: iotConnector
-}
+}]
 
 module fhir_destination 'fhirdestination/main.bicep' = if (!empty(fhirdestination)) {
 name: '${deployment().name}-FhirDestination'
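Review bot: The loop declares `index` but never uses it, and two entries that both omit `name` resolve to the same `'${name}-diagnosticSettings'`, so the copy loop produces duplicate resource names and the deployment fails instead of creating a second sink. A default that keeps the existing name for the first entry and disambiguates the rest avoids that while staying compatible with deployments that already created the resource: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The removed `if (...)` guard used to skip the resource when no destination was configured; the loop now submits every entry as given, so an entry with no `storageAccountResourceId`/`workspaceResourceId`/`eventHubAuthorizationRuleResourceId`/`marketplacePartnerResourceId` is only caught by the service, which is worth stating in the `@description` of the parameter. Collecting `AllLogs` and `AllMetrics` when the categories are omitted is a good secure default; note that an explicit `[]` passes through the `??` and turns logging off for that entry. The compiled iotconnector/main.json hunk mirrors this resource and is regenerated from the bicep.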
@@ -201,3 +175,41 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
index 169dfcdfbb..3dd1ccc584 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.json
+++ b/modules/healthcare-apis/workspace/iotconnector/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8966290140169117967"
+ "templateHash": "2803151977387469601"
 },
 "name": "Healthcare API Workspace IoT Connectors",
 "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -37,6 +37,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -96,32 +202,10 @@
 "description": "Optional. Location for all resources."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "lock": {
@@ -157,59 +241,9 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "DiagnosticLogs" - ], - "allowedValues": [ - "DiagnosticLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false 
@@ -271,18 +305,23 @@ ] }, "iotConnector_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "iotConnector_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "iotConnector" diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep index 61810fe4e0..6f4af7dae0 100644 --- a/modules/healthcare-apis/workspace/main.bicep +++ b/modules/healthcare-apis/workspace/main.bicep 
@@ -124,10 +124,7 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f
 corsMethods: contains(fhir, 'corsMethods') ? fhir.corsMethods : []
 corsMaxAge: contains(fhir, 'corsMaxAge') ? fhir.corsMaxAge : -1
 corsAllowCredentials: contains(fhir, 'corsAllowCredentials') ? fhir.corsAllowCredentials : false
- diagnosticStorageAccountId: contains(fhir, 'diagnosticStorageAccountId') ? fhir.diagnosticStorageAccountId : ''
- diagnosticWorkspaceId: contains(fhir, 'diagnosticWorkspaceId') ? fhir.diagnosticWorkspaceId : ''
- diagnosticEventHubAuthorizationRuleId: contains(fhir, 'diagnosticEventHubAuthorizationRuleId') ? fhir.diagnosticEventHubAuthorizationRuleId : ''
- diagnosticEventHubName: contains(fhir, 'diagnosticEventHubName') ? fhir.diagnosticEventHubName : ''
+ diagnosticSettings: fhir.?diagnosticSettings
 exportStorageAccountName: contains(fhir, 'exportStorageAccountName') ? fhir.exportStorageAccountName : ''
 importStorageAccountName: contains(fhir, 'importStorageAccountName') ? fhir.importStorageAccountName : ''
 importEnabled: contains(fhir, 'importEnabled') ? fhir.importEnabled : false
@@ -137,8 +134,6 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f
 resourceVersionOverrides: contains(fhir, 'resourceVersionOverrides') ? fhir.resourceVersionOverrides : {}
 smartProxyEnabled: contains(fhir, 'smartProxyEnabled') ? fhir.smartProxyEnabled : false
 userAssignedIdentities: contains(fhir, 'userAssignedIdentities') ? fhir.userAssignedIdentities : {}
- diagnosticLogCategoriesToEnable: contains(fhir, 'diagnosticLogCategoriesToEnable') ? fhir.diagnosticLogCategoriesToEnable : [ 'AuditLogs' ]
- diagnosticMetricsToEnable: contains(fhir, 'diagnosticMetricsToEnable') ? fhir.diagnosticMetricsToEnable : [ 'AllMetrics' ]
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
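Review bot: Consumers that still place the removed `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId`, `diagnosticEventHubName`, `diagnosticLogCategoriesToEnable` or `diagnosticMetricsToEnable` keys in a `fhirservices` entry get no error after this change: `fhir.?diagnosticSettings` resolves to null, the child module's diagnostic-settings copy loop runs zero times (its count is `length(coalesce(parameters('diagnosticSettings'), createArray()))`), and audit-log shipping for that FHIR service silently stops. The `fhir` loop variable appears to come from an untyped array (the surrounding `contains(fhir, …)` checks suggest no object type is enforced), so Bicep will not flag the stale keys at compile time. A short comment above the new line would at least make the migration visible, e.g. `// Breaking: the former per-service diagnosticXxx keys are ignored; pass a diagnosticSettings array (see diagnosticSettingType in the child module)`. The same point applies to the `dicom.?diagnosticSettings` and `iotConnector.?diagnosticSettings` lines in the next two hunks. The `workspace_fhirservices` module declaration begins before this hunk.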
@@ -157,13 +152,9 @@ module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) i
 corsMethods: contains(dicom, 'corsMethods') ? dicom.corsMethods : []
 corsMaxAge: contains(dicom, 'corsMaxAge') ? dicom.corsMaxAge : -1
 corsAllowCredentials: contains(dicom, 'corsAllowCredentials') ? dicom.corsAllowCredentials : false
- diagnosticStorageAccountId: contains(dicom, 'diagnosticStorageAccountId') ? dicom.diagnosticStorageAccountId : ''
- diagnosticWorkspaceId: contains(dicom, 'diagnosticWorkspaceId') ? dicom.diagnosticWorkspaceId : ''
- diagnosticEventHubAuthorizationRuleId: contains(dicom, 'diagnosticEventHubAuthorizationRuleId') ? dicom.diagnosticEventHubAuthorizationRuleId : ''
- diagnosticEventHubName: contains(dicom, 'diagnosticEventHubName') ? dicom.diagnosticEventHubName : ''
+ diagnosticSettings: dicom.?diagnosticSettings
 lock: dicom.?lock ?? lock
 userAssignedIdentities: contains(dicom, 'userAssignedIdentities') ? dicom.userAssignedIdentities : {}
- diagnosticLogCategoriesToEnable: contains(dicom, 'diagnosticLogCategoriesToEnable') ? dicom.diagnosticLogCategoriesToEnable : [ 'AuditLogs' ]
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
@@ -184,14 +175,9 @@ module workspace_iotconnector 'iotconnector/main.bicep' = [for (iotConnector, in
 fhirdestination: contains(iotConnector, 'fhirdestination') ? iotConnector.fhirdestination : {}
 consumerGroup: contains(iotConnector, 'consumerGroup') ? iotConnector.consumerGroup : iotConnector.name
 systemAssignedIdentity: contains(iotConnector, 'systemAssignedIdentity') ? iotConnector.systemAssignedIdentity : false
- diagnosticStorageAccountId: contains(iotConnector, 'diagnosticStorageAccountId') ? iotConnector.diagnosticStorageAccountId : ''
- diagnosticWorkspaceId: contains(iotConnector, 'diagnosticWorkspaceId') ? iotConnector.diagnosticWorkspaceId : ''
- diagnosticEventHubAuthorizationRuleId: contains(iotConnector, 'diagnosticEventHubAuthorizationRuleId') ? iotConnector.diagnosticEventHubAuthorizationRuleId : ''
- diagnosticEventHubName: contains(iotConnector, 'diagnosticEventHubName') ? iotConnector.diagnosticEventHubName : ''
+ diagnosticSettings: iotConnector.?diagnosticSettings
 lock: iotConnector.?lock ?? lock
 userAssignedIdentities: contains(iotConnector, 'userAssignedIdentities') ? iotConnector.userAssignedIdentities : {}
- diagnosticLogCategoriesToEnable: contains(iotConnector, 'diagnosticLogCategoriesToEnable') ? iotConnector.diagnosticLogCategoriesToEnable : [ 'DiagnosticLogs' ]
- diagnosticMetricsToEnable: contains(iotConnector, 'diagnosticMetricsToEnable') ? iotConnector.diagnosticMetricsToEnable : [ 'AllMetrics' ]
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json
index 945b8fe719..2b5c5ad35c 100644
--- a/modules/healthcare-apis/workspace/main.json
+++ b/modules/healthcare-apis/workspace/main.json
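Review bot: `diagnosticSettings: iotConnector.?diagnosticSettings` has no fallback, while the neighbouring `lock: iotConnector.?lock ?? lock` falls back to the workspace-level value; the same asymmetry is in the dicom hunk above. If the workspace module exposes its own diagnostics configuration, mirroring that pattern with `diagnosticSettings: iotConnector.?diagnosticSettings ?? diagnosticSettings` would give every child service one default log destination, which is what an operator usually expects from a single workspace deployment. If no such workspace-level parameter exists, a one-line comment stating that diagnostics are configured per child service only would settle the question for the next reader. The `workspace_iotconnector` module declaration begins before this hunk.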
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15321867905041634894" + "templateHash": "984819413297046514" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", 
@@ -299,10 +299,9 @@ "corsMethods": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsMethods'), createObject('value', parameters('fhirservices')[copyIndex()].corsMethods), createObject('value', createArray()))]", "corsMaxAge": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsMaxAge'), createObject('value', parameters('fhirservices')[copyIndex()].corsMaxAge), createObject('value', -1))]", "corsAllowCredentials": "[if(contains(parameters('fhirservices')[copyIndex()], 'corsAllowCredentials'), createObject('value', parameters('fhirservices')[copyIndex()].corsAllowCredentials), createObject('value', false()))]", - "diagnosticStorageAccountId": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticWorkspaceId": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('fhirservices')[copyIndex()], 'diagnosticSettings')]" + }, "exportStorageAccountName": "[if(contains(parameters('fhirservices')[copyIndex()], 'exportStorageAccountName'), createObject('value', parameters('fhirservices')[copyIndex()].exportStorageAccountName), createObject('value', ''))]", "importStorageAccountName": 
"[if(contains(parameters('fhirservices')[copyIndex()], 'importStorageAccountName'), createObject('value', parameters('fhirservices')[copyIndex()].importStorageAccountName), createObject('value', ''))]", "importEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'importEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].importEnabled), createObject('value', false()))]", @@ -314,8 +313,6 @@ "resourceVersionOverrides": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionOverrides'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionOverrides), createObject('value', createObject()))]", "smartProxyEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'smartProxyEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].smartProxyEnabled), createObject('value', false()))]", "userAssignedIdentities": "[if(contains(parameters('fhirservices')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('fhirservices')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray('AuditLogs')))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('fhirservices')[copyIndex()], 'diagnosticMetricsToEnable'), createObject('value', parameters('fhirservices')[copyIndex()].diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics')))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } 
@@ -328,7 +325,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9263507770658770799" + "templateHash": "8392198431844501692" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", 
@@ -425,6 +422,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -537,32 +640,10 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "exportStorageAccountName": { 
@@ -669,58 +750,10 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "AuditLogs" - ], - "allowedValues": [ - "AuditLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "accessPolicies", "count": "[length(parameters('accessPolicyObjectIds'))]", 
@@ -829,18 +862,23 @@ ] }, "fhir_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "fhir_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "fhir" 
@@ -950,15 +988,13 @@ "corsMethods": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsMethods'), createObject('value', parameters('dicomservices')[copyIndex()].corsMethods), createObject('value', createArray()))]", "corsMaxAge": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsMaxAge'), createObject('value', parameters('dicomservices')[copyIndex()].corsMaxAge), createObject('value', -1))]", "corsAllowCredentials": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsAllowCredentials'), createObject('value', parameters('dicomservices')[copyIndex()].corsAllowCredentials), createObject('value', false()))]", - "diagnosticStorageAccountId": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticWorkspaceId": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('dicomservices')[copyIndex()], 'diagnosticSettings')]" + }, "lock": { "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'lock'), parameters('lock'))]" }, "userAssignedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'userAssignedIdentities'), createObject('value', 
parameters('dicomservices')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('dicomservices')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('dicomservices')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray('AuditLogs')))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -971,7 +1007,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16609630624404769037" + "templateHash": "2513018044740237283" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", 
@@ -1002,6 +1038,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1068,32 +1210,10 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -1140,38 +1260,9 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "AuditLogs" - ], - "allowedValues": [ - "AuditLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" }, 
@@ -1232,18 +1323,23 @@ ] }, "dicom_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "dicom_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/dicomservices/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": null, - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "dicom" 
@@ -1327,16 +1423,13 @@ "fhirdestination": "[if(contains(parameters('iotconnectors')[copyIndex()], 'fhirdestination'), createObject('value', parameters('iotconnectors')[copyIndex()].fhirdestination), createObject('value', createObject()))]", "consumerGroup": "[if(contains(parameters('iotconnectors')[copyIndex()], 'consumerGroup'), createObject('value', parameters('iotconnectors')[copyIndex()].consumerGroup), createObject('value', parameters('iotconnectors')[copyIndex()].name))]", "systemAssignedIdentity": "[if(contains(parameters('iotconnectors')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('iotconnectors')[copyIndex()].systemAssignedIdentity), createObject('value', false()))]", - "diagnosticStorageAccountId": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticWorkspaceId": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('iotconnectors')[copyIndex()], 'diagnosticSettings')]" + }, "lock": { "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'lock'), parameters('lock'))]" }, "userAssignedIdentities": "[if(contains(parameters('iotconnectors')[copyIndex()], 
'userAssignedIdentities'), createObject('value', parameters('iotconnectors')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray('DiagnosticLogs')))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('iotconnectors')[copyIndex()], 'diagnosticMetricsToEnable'), createObject('value', parameters('iotconnectors')[copyIndex()].diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics')))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -1349,7 +1442,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8966290140169117967" + "templateHash": "2803151977387469601" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", 
@@ -1380,6 +1473,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1439,32 +1638,10 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -1500,59 +1677,9 @@ "metadata": { "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "DiagnosticLogs" - ], - "allowedValues": [ - "DiagnosticLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false 
@@ -1614,18 +1741,23 @@ ] }, "iotConnector_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "iotConnector_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/iotconnectors/{1}', parameters('workspaceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "iotConnector" diff --git a/modules/insights/component/.test/common/main.test.bicep b/modules/insights/component/.test/common/main.test.bicep index ccedab0557..979bd07090 100644 --- a/modules/insights/component/.test/common/main.test.bicep +++ b/modules/insights/component/.test/common/main.test.bicep 
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md
index dcf1b0b21f..166ce61b15 100644
--- a/modules/insights/component/README.md
+++ b/modules/insights/component/README.md
@@ -46,10 +46,20 @@ module component 'br:bicep/modules/insights.component:1.0.0' = {
 name: 'iccom001'
 workspaceResourceId: ''
 // Non-required parameters
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 roleAssignments: [
 {
@@ -87,17 +97,21 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { "value": "" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -192,13 +206,7 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`applicationType`](#parameter-applicationtype) | string | Application type. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`kind`](#parameter-kind) | string | The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. 
| | [`location`](#parameter-location) | string | Location for all Resources. | 
@@ -217,56 +225,120 @@ Application type. - Default: `'web'` - Allowed: `[other, web]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AppAvailabilityResults, AppBrowserTimings, AppDependencies, AppEvents, AppExceptions, AppMetrics, AppPageViews, AppPerformanceCounters, AppRequests, AppSystemEvents, AppTraces]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/insights/component/main.bicep b/modules/insights/component/main.bicep index f4cdb40399..e3084ce4ad 100644 --- a/modules/insights/component/main.bicep +++ b/modules/insights/component/main.bicep 
@@ -63,66 +63,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'AppAvailabilityResults'
- 'AppBrowserTimings'
- 'AppEvents'
- 'AppMetrics'
- 'AppDependencies'
- 'AppExceptions'
- 'AppPageViews'
- 'AppPerformanceCounters'
- 'AppRequests'
- 'AppSystemEvents'
- 'AppTraces'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
@@ -173,18 +115,31 @@ resource appInsights_roleAssignments 'Microsoft.Authorization/roleAssignments@20
 scope: appInsights
 }]
 
-resource appInsights_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource appInsights_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: appInsights
-}
+}]
 
 @description('The name of the application insights component.')
 output name string = appInsights.name
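Review bot: The default `name` in the new `appInsights_diagnosticSettings` loop is the same `'${name}-diagnosticSettings'` for every element, so two entries of `diagnosticSettings` that both omit `name` yield two iterations with an identical resource name and the deployment is rejected for the duplicate; the loop binds `index` but never uses it, which looks like the intended disambiguator. Keeping the first entry's name stable for existing callers, `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')` lets additional unnamed entries deploy. The compiled `dicom_diagnosticSettings` and `iotConnector_diagnosticSettings` copy loops earlier in this diff default the name the same way and presumably come from the same pattern in their Bicep sources, which are not in the diff. A comment such as `// One Microsoft.Insights/diagnosticSettings resource per entry; the module default name is only safe for a single unnamed entry.` above the resource would record the constraint for callers either way.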
@@ -228,3 +183,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json index c7b7c5359e..beb8c0e634 100644 --- a/modules/insights/component/main.json +++ b/modules/insights/component/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2528627786354955521" + "templateHash": "803183035503673320" }, "name": "Application Insights", "description": "This component deploys an Application Insights instance.", 
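Review bot: The description on `metricCategories` in the new `diagnosticSettingType` is copied from the logs entry — it talks about logs, "allLogs" and "Set to '' to disable", none of which applies to an array of metric category objects; the same copy-paste sits on `logCategoriesAndGroups` here and on both the parameters and the types in `modules/insights/diagnostic-setting/main.bicep` in this commit. Because the resource falls back to the `AllMetrics` / `AllLogs` defaults only when the property is null, an explicit empty array is what disables collection, and the text should say so: `@description('Optional. The metric categories to stream; pass an empty array to disable metric collection.')` and `@description('Optional. The log categories and category groups to stream; pass an empty array to disable log collection.')`. The `| null` inside `('Dedicated' | 'AzureDiagnostics' | null)?` is redundant with the trailing `?` and can be dropped for consistency with the other nullable members.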
@@ -78,6 +78,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -187,99 +293,14 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AppAvailabilityResults", - "AppBrowserTimings", - "AppEvents", - "AppMetrics", - "AppDependencies", - "AppExceptions", - "AppPageViews", - "AppPerformanceCounters", - "AppRequests", - "AppSystemEvents", - "AppTraces" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -342,18 +363,23 @@ ] }, "appInsights_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "appInsights_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Insights/components/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "appInsights" diff --git a/modules/insights/diagnostic-setting/.test/common/main.test.bicep b/modules/insights/diagnostic-setting/.test/common/main.test.bicep index 8bca17ef33..dad01e9f0e 100644 --- a/modules/insights/diagnostic-setting/.test/common/main.test.bicep +++ b/modules/insights/diagnostic-setting/.test/common/main.test.bicep 
@@ -57,9 +57,14 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } } diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index d4369f0915..fd196a7ed3 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -39,12 +39,17 @@ This instance deploys the module with most of its features enabled. module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { name: '${uniqueString(deployment().name, location)}-test-idscom' params: { - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableDefaultTelemetry: '' + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] name: 'idscom001' + storageAccountResourceId: '' + workspaceResourceId: '' } } ``` 
@@ -61,23 +66,30 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" + "enableDefaultTelemetry": { + "value": "" }, - "diagnosticStorageAccountId": { - "value": "" + "eventHubAuthorizationRuleResourceId": { + "value": "" }, - "diagnosticWorkspaceId": { - "value": "" + "eventHubName": { + "value": "" }, - "enableDefaultTelemetry": { - "value": "" + "metricCategories": { + "value": [ + { + "category": "AllMetrics" + } + ] }, "name": { "value": "idscom001" + }, + "storageAccountResourceId": { + "value": "" + }, + "workspaceResourceId": { + "value": "" } } } 
@@ -93,71 +105,120 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventHubAuthorizationRuleResourceId`](#parameter-eventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-eventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | [`location`](#parameter-location) | string | Location deployment metadata. | -| [`name`](#parameter-name) | string | Name of the ActivityLog diagnostic settings. 
| +| [`logAnalyticsDestinationType`](#parameter-loganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-logcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-marketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-metriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-name) | string | Name of the Diagnostic settings. | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Resource ID of the diagnostic storage account. | +| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `eventHubAuthorizationRuleResourceId` Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `eventHubName` Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string + +### Parameter: `location` + +Location deployment metadata. 
+- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `logAnalyticsDestinationType` + +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +- Required: No +- Type: string - Default: `''` +- Allowed: `['', AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `logCategoriesAndGroups` The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', Administrative, Alert, allLogs, Autoscale, Policy, Recommendation, ResourceHealth, Security, ServiceHealth]` -### Parameter: `diagnosticStorageAccountId` -Resource ID of the diagnostic storage account. +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-logcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-logcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` -### Parameter: `enableDefaultTelemetry` +### Parameter: `marketplacePartnerResourceId` -Enable telemetry via a Globally Unique Identifier (GUID). +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No -- Type: bool -- Default: `True` +- Type: string -### Parameter: `location` +### Parameter: `metricCategories` -Location deployment metadata. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-metriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes - Type: string -- Default: `[deployment().location]` ### Parameter: `name` -Name of the ActivityLog diagnostic settings. +Name of the Diagnostic settings. +- Required: No +- Type: string +- Default: `[format('{0}-diagnosticSettings', uniqueString(subscription().id))]` + +### Parameter: `storageAccountResourceId` + +Resource ID of the diagnostic storage account. +- Required: No +- Type: string + +### Parameter: `workspaceResourceId` + +Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `[format('{0}-ActivityLog', uniqueString(subscription().id))]` ## Outputs diff --git a/modules/insights/diagnostic-setting/main.bicep b/modules/insights/diagnostic-setting/main.bicep index 1054a40273..1022dca764 100644 --- a/modules/insights/diagnostic-setting/main.bicep +++ b/modules/insights/diagnostic-setting/main.bicep 
@@ -4,58 +4,46 @@ metadata owner = 'Azure/module-maintainers' targetScope = 'subscription' -@description('Optional. Name of the ActivityLog diagnostic settings.') +@description('Optional. Name of the Diagnostic settings.') @minLength(1) @maxLength(260) -param name string = '${uniqueString(subscription().id)}-ActivityLog' +param name string = '${uniqueString(subscription().id)}-diagnosticSettings' @description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' +param storageAccountResourceId string? @description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' +param workspaceResourceId string? @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' +param eventHubAuthorizationRuleResourceId string? @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +param eventHubName string? @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') +param logCategoriesAndGroups logCategoriesAndGroupsType + +@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') +param metricCategories metricCategoriesType? + +@description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type.') @allowed([ '' - 'allLogs' - 'Administrative' - 'Security' - 'ServiceHealth' - 'Alert' - 'Recommendation' - 'Policy' - 'Autoscale' - 'ResourceHealth' + 'Dedicated' + 'AzureDiagnostics' ]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] +param logAnalyticsDestinationType string = '' + +@description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') +param marketplacePartnerResourceId string? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@sys.description('Optional. Location deployment metadata.') +@description('Optional. Location deployment metadata.') param location string = deployment().location -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' location: location 
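Review bot: `logAnalyticsDestinationType` is the only optional parameter in this hunk that keeps the `''` sentinel with `@allowed(['', 'Dedicated', 'AzureDiagnostics'])`, while every neighbouring string parameter moved to a nullable `string?`; the generated README in this commit now documents `Allowed: ['', AzureDiagnostics, Dedicated]`, which leaks the sentinel into the public contract. A nullable literal union keeps the surface uniform: `param logAnalyticsDestinationType ('Dedicated' | 'AzureDiagnostics')?`, with the `!empty(...)` ternary in the resource body (next hunk) reduced to `logAnalyticsDestinationType: logAnalyticsDestinationType`. Relatedly, `metricCategories metricCategoriesType?` carries a `?` that `logCategoriesAndGroups logCategoriesAndGroupsType` does not, although both types are declared as `[]?` later in the file; pick one form for both.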
@@ -72,11 +60,25 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
 name: name
 properties: {
- storageAccountId: (empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId)
- workspaceId: (empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId)
- eventHubAuthorizationRuleId: (empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId)
- eventHubName: (empty(diagnosticEventHubName) ? null : diagnosticEventHubName)
- logs: ((empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName)) ? null : diagnosticsLogs)
+ storageAccountId: storageAccountResourceId
+ workspaceId: workspaceResourceId
+ eventHubAuthorizationRuleId: eventHubAuthorizationRuleResourceId
+ eventHubName: eventHubName
+ logAnalyticsDestinationType: !empty(logAnalyticsDestinationType) ? logAnalyticsDestinationType : null
+ marketplacePartnerId: marketplacePartnerResourceId
+ logs: logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ metrics: metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
 }
 }
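Review bot: I can't confirm from here that a subscription-scoped diagnostic setting accepts the new `metrics:` block or the `categoryGroup: 'AllLogs'` default: this module is `targetScope = 'subscription'`, the logic removed in the previous hunk only ever handled activity-log categories (Administrative, Security, ServiceHealth, ...), and nothing in the commit says the resource type gained metric support at that scope. The `.test/common` deployment in this commit sets `metricCategories`, so the pipeline should show whether the service accepts it; if it does, the `"name"` metadata in `main.json` that still calls this an Activity Log export should be generalised to match, and if it does not, the `metrics:` default should be dropped here rather than defaulted to `AllMetrics`. The enclosing file continues past this hunk, so the outputs that follow are not in view.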
@@ -88,3 +90,22 @@ output resourceId string = diagnosticSetting.id @description('The name of the subscription to deploy into.') output subscriptionName string = subscription().displayName + +// =============== // +// Definitions // +// =============== // + +@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') +type logCategoriesAndGroupsType = { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? +}[]? + +@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') +type metricCategoriesType = { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string +}[]? diff --git a/modules/insights/diagnostic-setting/main.json b/modules/insights/diagnostic-setting/main.json index 7ced987e1c..4ae15a0838 100644 --- a/modules/insights/diagnostic-setting/main.json +++ b/modules/insights/diagnostic-setting/main.json 
@@ -1,73 +1,131 @@ { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11607957812214718943" + "templateHash": "18398206698301331030" }, "name": "Diagnostic Settings (Activity Logs) for Azure Subscriptions", "description": "This module deploys a Subscription wide export of the Activity Log.", "owner": "Azure/module-maintainers" }, + "definitions": { + "logCategoriesAndGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategoriesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
+ } + } + }, "parameters": { "name": { "type": "string", - "defaultValue": "[format('{0}-ActivityLog', uniqueString(subscription().id))]", + "defaultValue": "[format('{0}-diagnosticSettings', uniqueString(subscription().id))]", "minLength": 1, "maxLength": 260, "metadata": { - "description": "Optional. Name of the ActivityLog diagnostic settings." + "description": "Optional. Name of the Diagnostic settings." } }, - "diagnosticStorageAccountId": { + "storageAccountResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. Resource ID of the diagnostic storage account." } }, - "diagnosticWorkspaceId": { + "workspaceResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. Resource ID of the diagnostic log analytics workspace." } }, - "diagnosticEventHubAuthorizationRuleId": { + "eventHubAuthorizationRuleResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." } }, - "diagnosticEventHubName": { + "eventHubName": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], + "logCategoriesAndGroups": { + "$ref": "#/definitions/logCategoriesAndGroupsType", + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "$ref": "#/definitions/metricCategoriesType", + "nullable": true, + "metadata": { + "description": "Optional. 
The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "defaultValue": "", "allowedValues": [ "", - "allLogs", - "Administrative", - "Security", - "ServiceHealth", - "Alert", - "Recommendation", - "Policy", - "Autoscale", - "ResourceHealth" + "Dedicated", + "AzureDiagnostics" ], "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." } }, "enableDefaultTelemetry": { 
@@ -85,21 +143,8 @@ } } }, - "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]" - }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -114,19 +159,22 @@ } } }, - { + "diagnosticSetting": { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[parameters('name')]", "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), null(), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('diagnosticWorkspaceId')), null(), parameters('diagnosticWorkspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('diagnosticEventHubAuthorizationRuleId')), null(), parameters('diagnosticEventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('diagnosticEventHubName')), null(), parameters('diagnosticEventHubName'))]", - "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" + "storageAccountId": "[parameters('storageAccountResourceId')]", + "workspaceId": "[parameters('workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[parameters('eventHubName')]", + "logAnalyticsDestinationType": "[if(not(empty(parameters('logAnalyticsDestinationType'))), parameters('logAnalyticsDestinationType'), null())]", + "marketplacePartnerId": "[parameters('marketplacePartnerResourceId')]", + "logs": "[coalesce(parameters('logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "metrics": "[coalesce(parameters('metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]" } } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep index cbca9f9b04..605b5ab57e 100644 
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -64,10 +64,20 @@ module testDeployment '../../main.bicep' = {
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}002'
-    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
-    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
-    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
-    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    diagnosticSettings: [
+      {
+        name: 'customSetting'
+        metricCategories: [
+          {
+            category: 'AllMetrics'
+          }
+        ]
+        eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+        eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+        storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+        workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+      }
+    ]
     enablePurgeProtection: false
     accessPolicies: [
       {
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep
index a1aff587d5..56b1e03459 100644
--- a/modules/key-vault/vault/.test/common/main.test.bicep
+++ b/modules/key-vault/vault/.test/common/main.test.bicep
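Review bot: All three updated test deployments (this one and the `common` and `pe` hunks that follow) pass the same single `diagnosticSettings` entry with only `metricCategories`, so the new `logCategoriesAndGroups` and `logAnalyticsDestinationType` properties and the multi-entry path of the rewritten resource loop are never compiled or deployed by CI. Adding a second entry to at least the `common` test — e.g. one with `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` and an explicit `name` — would exercise the array semantics and surface default-name collisions between entries before a consumer hits them.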
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] // Only for testing purposes enablePurgeProtection: false enableRbacAuthorization: true diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index 10a68eca40..bfa8636faa 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep 
@@ -63,10 +63,20 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] // Only for testing purposes enablePurgeProtection: false enableRbacAuthorization: true diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 33bab3b6b6..f8759df26f 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -83,10 +83,20 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enablePurgeProtection: false networkAcls: { 
@@ -163,17 +173,21 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -228,10 +242,20 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { // Required parameters name: 'kvvcom002' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enablePurgeProtection: false enableRbacAuthorization: true @@ -355,17 +379,21 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "name": { "value": "kvvcom002" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -565,10 +593,20 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { // Required parameters name: 'kvvpe001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enablePurgeProtection: false enableRbacAuthorization: true @@ -628,17 +666,21 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "value": "kvvpe001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -712,13 +754,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { | :-- | :-- | :-- | | [`accessPolicies`](#parameter-accesspolicies) | array | All access policies to create. | | [`createMode`](#parameter-createmode) | string | The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enablePurgeProtection`](#parameter-enablepurgeprotection) | bool | Provide 'true' to enable Key Vault's purge protection feature. | | [`enableRbacAuthorization`](#parameter-enablerbacauthorization) | bool | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. | 
@@ -752,56 +788,120 @@ The vault's create mode to indicate whether the vault need to be recovered or no - Type: string - Default: `'default'` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AuditEvent, AzurePolicyEvaluationDetails]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
+ +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep index f66a490005..59a9e4b2d9 100644 --- a/modules/key-vault/vault/main.bicep +++ b/modules/key-vault/vault/main.bicep 
@@ -64,17 +64,8 @@ param networkAcls object = {}
 ])
 param publicNetworkAccess string = ''
 
-@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -91,48 +82,9 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'AuditEvent' - 'AzurePolicyEvaluationDetails' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - // =========== // // Variables // // =========== // -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] var formattedAccessPolicies = [for accessPolicy in accessPolicies: { applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : '' 
@@ -215,18 +167,31 @@ resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l
   scope: keyVault
 }
 
-resource keyVault_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
-  name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource keyVault_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
   properties: {
-    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
-    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
-    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
-    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
-    metrics: diagnosticsMetrics
-    logs: diagnosticsLogs
+    storageAccountId: diagnosticSetting.?storageAccountResourceId
+    workspaceId: diagnosticSetting.?workspaceResourceId
+    eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+    eventHubName: diagnosticSetting.?eventHubName
+    metrics: diagnosticSetting.?metricCategories ?? [
+      {
+        category: 'AllMetrics'
+        timeGrain: null
+        enabled: true
+      }
+    ]
+    logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+      {
+        categoryGroup: 'AllLogs'
+        enabled: true
+      }
+    ]
+    marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+    logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
   }
   scope: keyVault
-}
+}]
 
 module keyVault_accessPolicies 'access-policy/main.bicep' = if (!empty(accessPolicies)) {
   name: '${uniqueString(deployment().name, location)}-KeyVault-AccessPolicies'
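Review bot: The `for (diagnosticSetting, index)` loop declares `index` but never uses it, so two entries in `diagnosticSettings` that both omit `name` resolve to the same `'${name}-diagnosticSettings'` and the deployment fails on a duplicate resource name. Either drop `index` from the loop header or fold it into the fallback, e.g. `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings${index == 0 ? '' : '-${index}'}'`, which keeps the documented default for the single-entry case. Separately, the removed resource was only deployed when at least one destination was non-empty, whereas the new loop submits every entry unconditionally; an entry with none of `workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` is sent with all sinks null and, as far as I know, is rejected by the Diagnostic Settings API at deploy time rather than by the compiler, so this deserves a sentence in the `diagnosticSettingType` description since these are the vault's audit-log sinks.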
@@ -417,3 +382,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index 7b155172e1..48077a0533 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "502304386016256434" + "templateHash": "11050704115840799182" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
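Review bot: In `diagnosticSettingType`, the `@description` on `metricCategories` is a copy of the `logCategoriesAndGroups` text ("The name of logs that will be streamed. "allLogs" includes all possible logs …"), which is wrong for a metrics property; something like `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')` would match the `category: 'AllMetrics'` semantics the resource loop actually applies. The trailing "Set to '' to disable log collection" on both properties is also stale for an array-of-objects type: the resource loop substitutes the defaults only when the property is null, so `[]` is the value that disables collection and the text should say so. The compiled main.json and the README tables in this commit carry the same wording and presumably are regenerated from this file, so fixing it here should propagate. The type definition begins in the preceding part of this hunk.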
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -376,32 +482,10 @@ "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -435,61 +519,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AuditEvent", - "AzurePolicyEvaluationDetails" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - }, { "name": "formattedAccessPolicies", "count": "[length(parameters('accessPolicies'))]", 
@@ -501,7 +534,6 @@ } } ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { 
@@ -576,18 +608,23 @@ ] }, "keyVault_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "keyVault_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "keyVault" diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep index 443256b468..bac1970672 100644 --- a/modules/logic/workflow/.test/common/main.test.bicep +++ b/modules/logic/workflow/.test/common/main.test.bicep 
@@ -66,10 +66,20 @@ module testDeployment '../../main.bicep' = {
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md
index f76ec3acde..ae95fecc20 100644
--- a/modules/logic/workflow/README.md
+++ b/modules/logic/workflow/README.md
@@ -46,10 +46,20 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 // Required parameters
 name: 'lwcom001'
 // Non-required parameters
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 lock: {
 kind: 'CanNotDelete'
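Review bot: The new `diagnosticSettings` entry sets `metricCategories` but no `logCategoriesAndGroups`, so CI only ever deploys the module's default-logs branch and never an explicitly named log category. That gap is new: the commit removes the `@allowed` list that used to reject anything but `''`/`allLogs`/`WorkflowRuntime` at compile time, so a mistyped category now surfaces only at deployment, and this test is the place that would catch it. Suggest adding `logCategoriesAndGroups: [ { category: 'WorkflowRuntime' } ]` alongside `metricCategories` so both the explicit-category and the default-metrics paths are exercised. The `testDeployment` module block begins and ends outside the hunk.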
@@ -122,17 +132,21 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { "value": "lwcom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -223,13 +237,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { | [`connectorEndpointsConfiguration`](#parameter-connectorendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. | | [`contentsAccessControlConfiguration`](#parameter-contentsaccesscontrolconfiguration) | object | The access control configuration for accessing workflow run contents. | | [`definitionParameters`](#parameter-definitionparameters) | object | Parameters for the definition template. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`integrationAccount`](#parameter-integrationaccount) | object | The integration account. | | [`integrationServiceEnvironmentResourceId`](#parameter-integrationserviceenvironmentresourceid) | string | The integration service environment Id. | 
@@ -277,56 +285,120 @@ Parameters for the definition template. - Type: object - Default: `{object}` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, WorkflowRuntime]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index 9a3c4bffe4..fcd0e6e49c 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep @@ -35,17 +35,8 @@ param integrationServiceEnvironmentResourceId string = '' @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
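Review bot: The description `'Optional. The diagnostic settings of the service.'` drops every hint the four removed parameters carried about what a caller must supply, and the nullable type does not express it either: a caller can pass an entry with no workspace, storage account, event hub or marketplace partner, which compiles but, as far as I know, is rejected by the diagnostic-settings API at deployment. Suggest `@description('Optional. The diagnostic settings of the service. Each entry must name at least one destination (workspace, storage account, event hub or marketplace partner); when the parameter is omitted no diagnostic setting is deployed.')`. The "if omitted, nothing is deployed" part replaces the behaviour that the old `''` defaults implied and is worth keeping visible, given that diagnostics are the audit trail for this resource.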
@@ -91,45 +82,6 @@ param workflowStaticResults object = {} @description('Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer.') param workflowTriggers object = {} -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'WorkflowRuntime' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -203,18 +155,31 @@ resource logicApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l
 scope: logicApp
 }
 
-resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: logicApp
-}
+}]
 
 resource logicApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(logicApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
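Review bot: Two entries in `diagnosticSettings` that both omit `name` resolve to the identical resource name `'${name}-diagnosticSettings'`, so the loop emits the same `Microsoft.Insights/diagnosticSettings` resource twice and the deployment should fail on the duplicate rather than create a second setting; the loop already binds `index` but never uses it. Keeping the legacy default for the first entry and suffixing the rest avoids that while staying backward-compatible: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. Separately, the fallback log group changes from the removed `'allLogs'` to `'AllLogs'`; I believe the API treats the group name case-insensitively, but it is worth confirming since this default is what most callers will rely on for their audit trail. Note that an explicit `logCategoriesAndGroups: []` is not null and therefore disables log collection, which is the replacement for the old `''` switch and deserves a comment on the `logs:` line.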
@@ -279,3 +244,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index 8e531f39a0..6842dd2538 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15935516241989416159" + "templateHash": "6277976941114660068" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", 
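Review bot: `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice — the `| null` member and the trailing `?` — and the compiled main.json in this commit shows the union collapses to the two `allowedValues` plus `nullable`, so `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?` says the same thing in the form the rest of the type uses. This `diagnosticSettingType` block is duplicated verbatim from the key-vault module in the same commit, including the `metricCategories` description that wrongly talks about logs and `''`; since these types are hand-maintained per module, a one-line `// keep in sync with the shared diagnosticSettingType in the other modules` comment above `type diagnosticSettingType` would at least tell the next editor where the copies live.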
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -182,32 +288,10 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -299,62 +383,9 @@ "metadata": { "description": "Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "WorkflowRuntime" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." 
- } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "builtInRoleNames": { 
@@ -430,18 +461,23 @@ ] }, "logicApp_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "logicApp_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Logic/workflows/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "logicApp" diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index 2879c22fbb..54219ea277 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep 
@@ -104,10 +104,20 @@ module testDeployment '../../main.bicep' = { } ] description: 'The cake is a lie.' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] discoveryUrl: 'http://example.com' imageBuildCompute: 'testcompute' lock: { diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 9626b84295..606d737fb8 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -84,10 +84,20 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } ] description: 'The cake is a lie.' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] discoveryUrl: 'http://example.com' enableDefaultTelemetry: '' imageBuildCompute: 'testcompute' 
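Review bot: The new `diagnosticSettings` test entry sets `metricCategories` but never `logCategoriesAndGroups`, so the logs path is only exercised through the module's `?? [{ categoryGroup: 'AllLogs' }]` fallback and a regression in the explicit-category mapping (a mistyped property name or a category the resource rejects) would pass this test unnoticed. Add an explicit entry beside `metricCategories`, e.g. `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]`, or a second settings object that sets only `logCategoriesAndGroups` with a specific `category`, so both branches actually deploy. The fallback being bypassed lives in main.bicep, outside this hunk.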
@@ -191,17 +201,21 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "description": { "value": "The cake is a lie." }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "discoveryUrl": { "value": "http://example.com" 
@@ -499,13 +513,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | [`computes`](#parameter-computes) | array | Computes to create respectively attach to the workspace. | | [`description`](#parameter-description) | string | The description of this workspace. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`discoveryUrl`](#parameter-discoveryurl) | string | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`hbiWorkspace`](#parameter-hbiworkspace) | bool | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | 
@@ -593,56 +601,120 @@ The description of this workspace. - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeCpuGpuUtilization, AmlComputeJobEvent, AmlRunStatusChangedEvent]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. 
- Required: No - Type: string -- Default: `''` ### Parameter: `discoveryUrl` diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 28c115e28f..797ada84d9 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep 
@@ -64,42 +64,9 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} // Diagnostic Settings -@sys.description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' -@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'AmlComputeClusterEvent' - 'AmlComputeClusterNodeEvent' - 'AmlComputeJobEvent' - 'AmlComputeCpuGpuUtilization' - 'AmlRunStatusChangedEvent' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@sys.description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@sys.description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' +@sys.description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @sys.description('Optional. The description of this workspace.') param description string = '' 
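Review bot: Replacing `diagnosticLogCategoriesToEnable` with `param diagnosticSettings diagnosticSettingType` drops the `@allowed` list (`AmlComputeClusterEvent`, `AmlComputeClusterNodeEvent`, `AmlComputeJobEvent`, `AmlComputeCpuGpuUtilization`, `AmlRunStatusChangedEvent`) that used to reject an unknown log category at template-validation time; a typo in `logCategoriesAndGroups[].category` is now reported only when the `Microsoft.Insights/diagnosticSettings` deployment fails, which for a setting meant to ship audit logs is a late and easy-to-miss failure. Since the shared type is generic, keep the resource-specific knowledge in this parameter's description so it reaches the generated README: `@sys.description('Optional. The diagnostic settings of the service. Supported log categories for this resource: AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent; use categoryGroup \'allLogs\' to collect all of them.')`. The `diagnosticSettingType` definition itself is later in the file, outside this hunk.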
@@ -151,24 +118,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : any(null) } : any(null) -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - // ================// // Deployments // // ================// 
@@ -274,18 +223,31 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( scope: workspace } -resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: workspace -} +}] module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? 
[]): { name: '${uniqueString(deployment().name, location)}-workspace-PrivateEndpoint-${index}' 
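Review bot: In the new `workspace_diagnosticSettings` loop the default `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every entry, so two settings objects that both omit `name` yield two resources with the same name and the template will presumably be rejected for a duplicate resource; `index` is declared in the `for` but never used, which is a hint the case was not considered. Keep the old default for the first entry and disambiguate the rest: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The old `if ((!empty(diagnosticStorageAccountId)) || ...)` guard that skipped the resource when no destination was configured is also gone, so an entry without any of `workspaceResourceId`, `storageAccountResourceId` or `eventHubAuthorizationRuleResourceId` is now handed to ARM instead of being skipped and will likely fail there; either document on the type that each entry needs at least one destination, or filter such entries out of the loop. The `workspace_privateEndpoints` module that follows continues outside this hunk.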
@@ -433,3 +395,41 @@ type privateEndpointType = { @sys.description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @sys.description('Optional. The name of diagnostic setting.') + name: string? + + @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @sys.description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index ff015569ab..cd8fde75c5 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16867204507762880761" + "templateHash": "9862874616442885683" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", 
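Review bot: `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` says nullable twice — the `| null` member is redundant with the trailing `?`, and the compiled `main.json` emits only `allowedValues: [AzureDiagnostics, Dedicated]` plus `nullable: true`, so the union member adds nothing; write it as `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?`. Its description ("use the default destination type, i.e. AzureDiagnostics, or use a destination type") is circular; if the intended meaning is the usual Azure Monitor one, `@sys.description('Optional. Whether logs exported to Log Analytics go to the shared AzureDiagnostics table (default) or to resource-specific tables (Dedicated).')` says it. The `metricCategories` description is a copy of the logs text and should describe metrics, e.g. `@sys.description('Optional. The metric categories to stream; use \'AllMetrics\' to collect all metrics. Set to [] to disable metric collection.')`, and the `logCategoriesAndGroups` text should say "Set to [] to disable log collection" now that the value is an object array rather than a string.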
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -372,69 +478,10 @@ "description": "Conditional. The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AmlComputeClusterEvent", - "AmlComputeClusterNodeEvent", - "AmlComputeJobEvent", - "AmlComputeCpuGpuUtilization", - "AmlRunStatusChangedEvent" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "description": { 
@@ -521,29 +568,9 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "AzureML Compute Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", 
@@ -639,18 +666,23 @@ ] }, "workspace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "workspace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "workspace" diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep index 4049fdb162..dd833556e4 100644 --- a/modules/network/application-gateway/.test/common/main.test.bicep +++ b/modules/network/application-gateway/.test/common/main.test.bicep 
@@ -119,10 +119,20 @@ module testDeployment '../../main.bicep' = { } } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] enableHttp2: true privateLinkConfigurations: [ { diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index c9d9112588..bea07ec10b 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -94,10 +94,20 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enableHttp2: true frontendIPConfigurations: [ 
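Review bot: The new `diagnosticSettings` test entry exercises only `metricCategories` and the four destination fields, so `logCategoriesAndGroups` and `logAnalyticsDestinationType`, both newly introduced by this change, and the multi-element form of the array are never deployed by the common test. Adding a second element, e.g. with `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]`, `logAnalyticsDestinationType: 'Dedicated'` and `workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId`, would cover the loop body and surface how the default resource name behaves when `name` is omitted on more than one element. The enclosing `module testDeployment` block starts and ends outside the hunk.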
@@ -530,17 +540,21 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -968,13 +982,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`backendSettingsCollection`](#parameter-backendsettingscollection) | array | Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). | | [`capacity`](#parameter-capacity) | int | The number of Application instances to be configured. | | [`customErrorConfigurations`](#parameter-customerrorconfigurations) | array | Custom error configurations of the application gateway resource. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableFips`](#parameter-enablefips) | bool | Whether FIPS is enabled on the application gateway resource. | | [`enableHttp2`](#parameter-enablehttp2) | bool | Whether HTTP2 is enabled on the application gateway resource. | 
@@ -1068,56 +1076,120 @@ Custom error configurations of the application gateway resource. - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog, ApplicationGatewayPerformanceLog]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
+ +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index caa78a6b4e..98595f165f 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep 
@@ -180,37 +180,8 @@ param webApplicationFirewallConfiguration object = {} @description('Optional. A list of availability zones denoting where the resource needs to come from.') param zones array = [] -@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ApplicationGatewayAccessLog' - 'ApplicationGatewayPerformanceLog' - 'ApplicationGatewayFirewallLog' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] +@description('Optional. 
The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' @@ -219,29 +190,8 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var enableReferencedModulesTelemetry = false -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - @description('Optional. The lock settings of the service.') param lock lockType 
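Review bot: The description of the new `param diagnosticSettings diagnosticSettingType` does not say what happens when a setting omits `logCategoriesAndGroups` or `metricCategories`, although the defaults that the removed `diagnosticLogCategoriesToEnable`/`diagnosticMetricsToEnable` parameters made explicit (`allLogs`, `AllMetrics`) now live only inside the `applicationGateway_diagnosticSettings` resource body further down and no longer show up as a `Default:` line in the generated README. Consider `@description('Optional. The diagnostic settings of the service. A setting that omits logCategoriesAndGroups or metricCategories collects all logs (categoryGroup AllLogs) and all metrics (AllMetrics).')` so consumers can see the collection behaviour without reading the resource. The parameter section this hunk touches continues outside the hunk.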
@@ -355,18 +305,31 @@ resource applicationGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if scope: applicationGateway } -resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource applicationGateway_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName - metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics - logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: applicationGateway -} +}] module applicationGateway_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): { name: '${uniqueString(deployment().name, location)}-applicationGateway-PrivateEndpoint-${index}' 
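Review bot: The default `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` does not include `index`, so two entries in `diagnosticSettings` that both omit `name` resolve to the same resource name inside the `[for (diagnosticSetting, index) in ...]` loop and the deployment would presumably fail on the duplicate; the sibling `applicationGateway_privateEndpoints` loop below suffixes `-${index}`, and the generated `workspace_diagnosticSettings` copy in `modules/machine-learning-services/workspace/main.json` earlier in this diff carries the same default. Either include the index for all but the first element, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, which keeps the previous default for the single-setting case, or state in the `name` description that it must be set when more than one setting is supplied. Separately, the removed `if (!empty(diagnosticStorageAccountId) || ...)` guard only created the setting when a destination was configured, whereas the loop now creates a resource for every element even when `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` and `eventHubName` are all null, which I would expect the Insights API to reject rather than skip; since the property descriptions already stress sending data to a destination for security reasons, a line on the type stating that at least one destination is required would make that expectation explicit.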
@@ -507,3 +470,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index e252642bae..7103d784b0 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7698802694566300060"
+ "templateHash": "1471682538744123689"
 },
 "name": "Network Application Gateways",
 "description": "This module deploys a Network Application Gateway.",
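Review bot: The description on `metricCategories` is copied from `logCategoriesAndGroups` ("The name of logs that will be streamed ... Set to '' to disable log collection") and says nothing about metrics; since the consuming resource uses `metricCategories ?? [ AllMetrics ]`, an empty array is what disables collection, so `@description('Optional. The name of metrics that will be streamed. Set to [] to disable metric collection.')` describes the actual behaviour. The `logCategoriesAndGroups` description has the same stale "Set to ''" wording even though the property is now an array of objects and `[]` is the disabling value. The generated `main.json` definitions and the README parameter tables later in this commit inherit both strings, so fixing them here fixes all three once the files are regenerated.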
@@ -251,6 +251,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -582,67 +688,10 @@ "description": "Optional. A list of availability zones denoting where the resource needs to come from." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ApplicationGatewayAccessLog", - "ApplicationGatewayPerformanceLog", - "ApplicationGatewayFirewallLog" - ], + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -694,29 +743,9 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -764,19 +793,24 @@ "applicationGateway" ] }, - "applicationGateway_diagnosticSettingName": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "applicationGateway_diagnosticSettings": { + "copy": { + "name": "applicationGateway_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), null(), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('diagnosticWorkspaceId')), null(), parameters('diagnosticWorkspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('diagnosticEventHubAuthorizationRuleId')), null(), parameters('diagnosticEventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('diagnosticEventHubName')), null(), parameters('diagnosticEventHubName'))]", - "metrics": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsMetrics'))]", - "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), 
empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "applicationGateway" diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/.test/common/main.test.bicep index 0cb1b461c3..219cdea813 100644 --- a/modules/network/azure-firewall/.test/common/main.test.bicep +++ b/modules/network/azure-firewall/.test/common/main.test.bicep 
@@ -122,10 +122,20 @@ module testDeployment '../../main.bicep' = { } ] publicIPResourceID: nestedDependencies.outputs.publicIPResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/network/azure-firewall/.test/custompip/main.test.bicep b/modules/network/azure-firewall/.test/custompip/main.test.bicep index 72e63d7934..29cd591ce0 100644 --- a/modules/network/azure-firewall/.test/custompip/main.test.bicep +++ b/modules/network/azure-firewall/.test/custompip/main.test.bicep 
@@ -40,6 +40,20 @@ module nestedDependencies 'dependencies.bicep' = { } } +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + // ============== // // Test Execution // // ============== // @@ -52,14 +66,6 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' vNetId: nestedDependencies.outputs.virtualNetworkResourceId publicIPAddressObject: { - diagnosticLogCategoriesToEnable: [ - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - 'DDoSProtectionNotifications' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] name: 'new-${namePrefix}-pip-${serviceShort}' publicIPAllocationMethod: 'Static' publicIPPrefixResourceId: '' @@ -72,6 +78,20 @@ module testDeployment '../../main.bicep' = { ] skuName: 'Standard' skuTier: 'Regional' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index cd6da89ea7..8254d064ea 100644 --- a/modules/network/azure-firewall/README.md 
+++ b/modules/network/azure-firewall/README.md @@ -204,10 +204,20 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -336,17 +346,21 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -439,13 +453,19 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { // Non-required parameters enableDefaultTelemetry: '' publicIPAddressObject: { - diagnosticLogCategoriesToEnable: [ - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - 'DDoSProtectionNotifications' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] name: 'new-pip-nafcstpip' publicIPAllocationMethod: 'Static' 
@@ -492,13 +512,19 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { }, "publicIPAddressObject": { "value": { - "diagnosticLogCategoriesToEnable": [ - "DDoSMitigationFlowLogs", - "DDoSMitigationReports", - "DDoSProtectionNotifications" - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ], "name": "new-pip-nafcstpip", "publicIPAllocationMethod": "Static", 
@@ -745,13 +771,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { | [`additionalPublicIpConfigurations`](#parameter-additionalpublicipconfigurations) | array | This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration. | | [`applicationRuleCollections`](#parameter-applicationrulecollections) | array | Collection of application rule collections used by Azure Firewall. | | [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Diagnostic Storage Account resource identifier. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Log Analytics workspace resource identifier. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. | | [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. | 
@@ -790,56 +810,120 @@ Tier of an Azure Firewall. - Default: `'Standard'` - Allowed: `[Basic, Premium, Standard]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AzureFirewallApplicationRule, AzureFirewallDnsProxy, AzureFirewallNetworkRule]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. 
The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Diagnostic Storage Account resource identifier. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Log Analytics workspace resource identifier. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep index 904b09f250..2f019d752e 100644 --- a/modules/network/azure-firewall/main.bicep +++ b/modules/network/azure-firewall/main.bicep @@ -67,17 +67,8 @@ param zones array = [ '3' ] -@description('Optional. Diagnostic Storage Account resource identifier.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Log Analytics workspace resource identifier.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Location for all resources.') param location string = resourceGroup().location 
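Review bot: `param diagnosticSettings diagnosticSettingType` replaces four string parameters with a typed array, which is a breaking change for every consumer still passing `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId` or `diagnosticEventHubName`; the README usage examples changed in this commit still reference `br:bicep/modules/network.azure-firewall:1.0.0`, so unless the version is bumped elsewhere in the series, a major version bump and a changelog entry are missing. The description is also terse for the parameter that decides whether any firewall logs leave the resource; spelling out the default, `@description('Optional. The diagnostic settings of the service. If omitted, no diagnostic setting is deployed and no logs or metrics are exported.')`, matches what the `?? []` loop does in the application-gateway module and presumably in the firewall resource, which is outside this hunk.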
@@ -94,29 +85,6 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'AzureFirewallApplicationRule' - 'AzureFirewallNetworkRule' - 'AzureFirewallDnsProxy' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet' var requiresManagementIp = azureSkuTier == 'Basic' ? true : false var isCreateDefaultManagementIP = empty(managementIPResourceID) && requiresManagementIp @@ -186,24 +154,6 @@ var managementIPConfiguration = { // ---------------------------------------------------------------------------- -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false var builtInRoleNames = { 
@@ -236,19 +186,8 @@ module publicIPAddress '../../network/public-ip-address/main.bicep' = if (empty(
     skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'
     skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional'
     roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? publicIPAddressObject.roleAssignments : []) : []
-    diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(publicIPAddressObject.diagnosticMetricsToEnable)) ? publicIPAddressObject.diagnosticMetricsToEnable : [
-      'AllMetrics'
-    ]) : [
-      'AllMetrics'
-    ]
-    diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [
-      'allLogs'
-    ]
+    diagnosticSettings: publicIPAddressObject.?diagnosticSettings
     location: location
-    diagnosticStorageAccountId: diagnosticStorageAccountId
-    diagnosticWorkspaceId: diagnosticWorkspaceId
-    diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
-    diagnosticEventHubName: diagnosticEventHubName
     lock: lock
     tags: tags
     zones: zones
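Review bot: The nested public IP no longer inherits the firewall's diagnostic destinations: the removed lines forwarded `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId` and `diagnosticEventHubName` from the parent with `allLogs`/`AllMetrics` defaults, while the new line only passes `publicIPAddressObject.?diagnosticSettings`, so a caller who configures firewall diagnostics but does not also populate `publicIPAddressObject.diagnosticSettings` silently loses the public IP's diagnostic setting. The same applies to the management IP hunk that follows. If this is intended, the `publicIPAddressObject` and `managementIPAddressObject` parameter descriptions (outside this hunk) should state that diagnostics for the created public IPs are configured only through the object's own `diagnosticSettings` entry; otherwise a fallback such as `diagnosticSettings: publicIPAddressObject.?diagnosticSettings ?? diagnosticSettings` would preserve the old inheritance, though firewall-specific log categories in that fallback would presumably not be valid for a public IP. The enclosing `module publicIPAddress` declaration starts outside the hunk.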
@@ -266,20 +205,8 @@ module managementIPAddress '../../network/public-ip-address/main.bicep' = if (em
     skuName: contains(managementIPAddressObject, 'skuName') ? (!(empty(managementIPAddressObject.skuName)) ? managementIPAddressObject.skuName : 'Standard') : 'Standard'
     skuTier: contains(managementIPAddressObject, 'skuTier') ? (!(empty(managementIPAddressObject.skuTier)) ? managementIPAddressObject.skuTier : 'Regional') : 'Regional'
     roleAssignments: contains(managementIPAddressObject, 'roleAssignments') ? (!empty(managementIPAddressObject.roleAssignments) ? managementIPAddressObject.roleAssignments : []) : []
-    diagnosticMetricsToEnable: contains(managementIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(managementIPAddressObject.diagnosticMetricsToEnable)) ? managementIPAddressObject.diagnosticMetricsToEnable : [
-      'AllMetrics'
-    ]) : [
-      'AllMetrics'
-    ]
-    diagnosticLogCategoriesToEnable: contains(managementIPAddressObject, 'diagnosticLogCategoriesToEnable') ? managementIPAddressObject.diagnosticLogCategoriesToEnable : [
-      'allLogs'
-    ]
+    diagnosticSettings: managementIPAddressObject.?diagnosticSettings
     location: location
-    diagnosticStorageAccountId: diagnosticStorageAccountId
-    diagnosticWorkspaceId: diagnosticWorkspaceId
-    diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
-    diagnosticEventHubName: diagnosticEventHubName
-    lock: lock
     tags: tags
     zones: zones
     enableDefaultTelemetry: enableReferencedModulesTelemetry
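Review bot: `lock: lock` is removed from the `managementIPAddress` module call with no replacement, although the commit is about diagnostic settings and the sibling `publicIPAddress` call in the previous hunk still passes `lock: lock`; the compiled main.json further down shows the same drop for the management IP only. Unless the management IP is deliberately meant to be unlockable, this looks like an accidental deletion that removes delete/modify protection from one of the two public IPs, and the line should be restored after `location: location`: `    lock: lock`. The enclosing `module managementIPAddress` declaration starts outside the hunk.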
@@ -333,18 +260,31 @@ resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
   scope: azureFirewall
 }
 
-resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
-  name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
   properties: {
-    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
-    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
-    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
-    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
-    metrics: diagnosticsMetrics
-    logs: diagnosticsLogs
+    storageAccountId: diagnosticSetting.?storageAccountResourceId
+    workspaceId: diagnosticSetting.?workspaceResourceId
+    eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+    eventHubName: diagnosticSetting.?eventHubName
+    metrics: diagnosticSetting.?metricCategories ?? [
+      {
+        category: 'AllMetrics'
+        timeGrain: null
+        enabled: true
+      }
+    ]
+    logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+      {
+        categoryGroup: 'AllLogs'
+        enabled: true
+      }
+    ]
+    marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+    logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
   }
   scope: azureFirewall
-}
+}]
 
 resource azureFirewall_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
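Review bot: Caller-supplied `logCategoriesAndGroups` and `metricCategories` entries are passed straight through as `logs` and `metrics`, but only the fallback literals carry `enabled: true`; the removed `diagnosticsLogs`/`diagnosticsMetrics` variables set `enabled: true` on every entry, and the new `diagnosticSettingType` declares no `enabled` property, so a user-supplied entry now reaches the API without it. Mapping each entry through a property loop restores the old shape for both the default and the supplied case, and adding `enabled: bool?` to the type later would allow per-entry control. The old `if (!empty(...))` guard is also gone, so an entry that names no destination is now attempted rather than skipped; the API presumably rejects it, which is acceptable but worth stating in the parameter description. The compiled main.json hunks below carry the same pass-through and are regenerated from this file.
```bicep
    // … unchanged: name, storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```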
@@ -421,3 +361,41 @@ type roleAssignmentType = {
   @description('Optional. The Resource Id of the delegated managed identity resource.')
   delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+  @description('Optional. The name of diagnostic setting.')
+  name: string?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  logCategoriesAndGroups: {
+    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+    category: string?
+
+    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+    categoryGroup: string?
+  }[]?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  metricCategories: {
+    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+    category: string
+  }[]?
+
+  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  workspaceResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  storageAccountResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+  eventHubAuthorizationRuleResourceId: string?
+
+  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  eventHubName: string?
+
+  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+  marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json
index 766e5059eb..aecc1a207e 100644
--- a/modules/network/azure-firewall/main.json
+++ b/modules/network/azure-firewall/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "3226240362527583277"
+      "templateHash": "1602793414373969673"
     },
     "name": "Azure Firewalls",
     "description": "This module deploys an Azure Firewall.",
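Review bot: The descriptions on `logCategoriesAndGroups` and `metricCategories` in the new `diagnosticSettingType` are stale: both say to set `''` to disable collection, which was the convention of the removed string-array parameters and is not a valid value for an array of objects, and the `metricCategories` text is a verbatim copy of the logs one. Given the `?? [...]` fallbacks in the resource above, omitting the property yields the `AllLogs`/`AllMetrics` default while an explicit empty array disables collection, so suggest `@description('Optional. The log categories and/or category groups to stream. Omit to collect all logs via the \'AllLogs\' group; set to [] to disable log collection.')` and `@description('Optional. The metric categories to stream. Omit to collect \'AllMetrics\'; set to [] to disable metric collection.')`. As a point of style, `('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice; the compiled JSON carries only the two string values with `nullable: true`, so `('Dedicated' | 'AzureDiagnostics')?` appears equivalent and matches the other optional members.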
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -238,32 +344,10 @@ "description": "Optional. Zone numbers e.g. 1,2,3." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Diagnostic Storage Account resource identifier." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Log Analytics workspace resource identifier." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "location": { 
@@ -298,41 +382,6 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AzureFirewallApplicationRule", - "AzureFirewallNetworkRule", - "AzureFirewallDnsProxy" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { 
@@ -346,23 +395,6 @@ "publicIPAddress": "[if(contains(parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')], 'publicIPAddressResourceId'), createObject('id', parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')].publicIPAddressResourceId), null())]" } } - }, - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } } ], "azureSkuName": "[if(empty(parameters('vNetId')), 'AZFW_Hub', 'AZFW_VNet')]", @@ -388,7 +420,6 @@ "id": "[parameters('managementIPResourceID')]" } }, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -441,18 +472,23 @@ ] }, "azureFirewall_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "azureFirewall_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "azureFirewall" 
@@ -497,23 +533,12 @@ "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), if(not(empty(parameters('publicIPAddressObject').skuName)), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", "skuTier": "[if(contains(parameters('publicIPAddressObject'), 'skuTier'), if(not(empty(parameters('publicIPAddressObject').skuTier)), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional')), createObject('value', 'Regional'))]", "roleAssignments": "[if(contains(parameters('publicIPAddressObject'), 'roleAssignments'), if(not(empty(parameters('publicIPAddressObject').roleAssignments)), createObject('value', parameters('publicIPAddressObject').roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticMetricsToEnable'), if(not(empty(parameters('publicIPAddressObject').diagnosticMetricsToEnable)), createObject('value', parameters('publicIPAddressObject').diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics'))), createObject('value', createArray('AllMetrics')))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('publicIPAddressObject').diagnosticLogCategoriesToEnable), createObject('value', createArray('allLogs')))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" + }, "location": { "value": "[parameters('location')]" }, - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - 
"diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, "lock": { "value": "[parameters('lock')]" }, @@ -535,7 +560,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -632,6 +657,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -699,32 +830,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -794,64 +903,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -912,18 +966,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" 
@@ -1008,26 +1067,12 @@ "skuName": "[if(contains(parameters('managementIPAddressObject'), 'skuName'), if(not(empty(parameters('managementIPAddressObject').skuName)), createObject('value', parameters('managementIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", "skuTier": "[if(contains(parameters('managementIPAddressObject'), 'skuTier'), if(not(empty(parameters('managementIPAddressObject').skuTier)), createObject('value', parameters('managementIPAddressObject').skuTier), createObject('value', 'Regional')), createObject('value', 'Regional'))]", "roleAssignments": "[if(contains(parameters('managementIPAddressObject'), 'roleAssignments'), if(not(empty(parameters('managementIPAddressObject').roleAssignments)), createObject('value', parameters('managementIPAddressObject').roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('managementIPAddressObject'), 'diagnosticMetricsToEnable'), if(not(empty(parameters('managementIPAddressObject').diagnosticMetricsToEnable)), createObject('value', parameters('managementIPAddressObject').diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics'))), createObject('value', createArray('AllMetrics')))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('managementIPAddressObject'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('managementIPAddressObject').diagnosticLogCategoriesToEnable), createObject('value', createArray('allLogs')))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('managementIPAddressObject'), 'diagnosticSettings')]" + }, "location": { "value": "[parameters('location')]" }, - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": 
"[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, - "lock": { - "value": "[parameters('lock')]" - }, "tags": { "value": "[parameters('tags')]" }, @@ -1046,7 +1091,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -1143,6 +1188,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -1210,32 +1361,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -1305,64 +1434,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -1423,18 +1497,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/.test/common/main.test.bicep index 695f4a5a95..6f6a202a2b 100644 --- a/modules/network/bastion-host/.test/common/main.test.bicep +++ b/modules/network/bastion-host/.test/common/main.test.bicep 
@@ -70,10 +70,15 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' vNetId: nestedDependencies.outputs.virtualNetworkResourceId bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] disableCopyPaste: true enableFileCopy: false enableIpConnect: false diff --git a/modules/network/bastion-host/.test/custompip/main.test.bicep b/modules/network/bastion-host/.test/custompip/main.test.bicep index 0fc773e852..3ac4bb92df 100644 --- a/modules/network/bastion-host/.test/custompip/main.test.bicep +++ b/modules/network/bastion-host/.test/custompip/main.test.bicep 
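Review bot: The rewritten common test only exercises the fallback path of the new `diagnosticSettings` loop: a single entry with all four sinks and no `logCategoriesAndGroups`, so the module's own default (`categoryGroup: 'AllLogs'`) is what gets deployed and the caller-supplied category path is never validated. The removed `@allowed` list on the old parameter is the only place `BastionAuditLogs` was checked, and that check is gone with this change. Adding `logCategoriesAndGroups: [ { category: 'BastionAuditLogs' } ]` to the `customSetting` entry would keep that category under test and would surface at deployment whether the pass-through shape the module builds is accepted by the API. A second entry with a distinct `name` would also cover the multi-setting case the loop is meant to enable.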
@@ -40,6 +40,20 @@ module nestedDependencies 'dependencies.bicep' = { } } +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + // ============== // // Test Execution // // ============== // @@ -52,14 +66,6 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' vNetId: nestedDependencies.outputs.virtualNetworkResourceId publicIPAddressObject: { - diagnosticLogCategoriesToEnable: [ - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - 'DDoSProtectionNotifications' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] name: '${namePrefix}${serviceShort}001-pip' allocationMethod: 'Static' publicIPPrefixResourceId: '' @@ -77,6 +83,20 @@ module testDeployment '../../main.bicep' = { '2' '3' ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 1c87cd6286..3ae0c7066a 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md 
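Review bot: The `metricCategories: [ { category: 'AllMetrics' } ]` entry added to `publicIPAddressObject.diagnosticSettings` is handed to the public-IP template's `metrics` property unchanged (the nested template in this diff uses `coalesce(tryGet(..., 'metricCategories'), ...)`), so it reaches the API without the `enabled: true` and `timeGrain` fields the module's own default entry carries; this is the only test of a caller-supplied metric list, so it is worth confirming it actually deploys rather than relying on the default. Separately, the three DDoS log categories the previous version of this test validated (`DDoSMitigationFlowLogs`, `DDoSMitigationReports`, `DDoSProtectionNotifications`) are dropped rather than migrated, so the PIP's explicit-category path is now uncovered; re-adding them as `logCategoriesAndGroups: [ { category: 'DDoSProtectionNotifications' } ]` (and siblings) in the same entry would restore that coverage.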
@@ -50,10 +50,15 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { vNetId: '' // Non-required parameters bastionSubnetPublicIpResourceId: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableCopyPaste: true enableDefaultTelemetry: '' enableFileCopy: false @@ -104,17 +109,16 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { "bastionSubnetPublicIpResourceId": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableCopyPaste": { "value": true @@ -183,13 +187,19 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { enableDefaultTelemetry: '' publicIPAddressObject: { allocationMethod: 'Static' - diagnosticLogCategoriesToEnable: [ - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - 'DDoSProtectionNotifications' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] name: 'nbhctmpip001-pip' publicIPPrefixResourceId: '' 
@@ -243,13 +253,19 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { "publicIPAddressObject": { "value": { "allocationMethod": "Static", - "diagnosticLogCategoriesToEnable": [ - "DDoSMitigationFlowLogs", - "DDoSMitigationReports", - "DDoSProtectionNotifications" - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ], "name": "nbhctmpip001-pip", "publicIPPrefixResourceId": "", 
@@ -350,12 +366,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| | [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. | 
@@ -378,48 +389,100 @@ The Public IP resource ID to associate to the azureBastionSubnet. If empty, then - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, BastionAuditLogs]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. 
The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `disableCopyPaste` diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep index f6d9fc28ac..82f6b39350 100644 --- a/modules/network/bastion-host/main.bicep +++ b/modules/network/bastion-host/main.bicep 
@@ -20,17 +20,8 @@ param isCreateDefaultPublicIP bool = true @description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressResourceId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.') param publicIPAddressObject object = {} -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
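Review bot: Replacing the four defaulted `diagnostic*` string parameters with a single nullable `diagnosticSettings` array is a breaking interface change for existing consumers of the published module (the README in this diff still references `br:bicep/modules/network.bastion-host:1.0.0`): a caller passing `diagnosticStorageAccountId` now fails with an unknown parameter and nothing in the hunk points them at the replacement. Since the old names are simply removed, the parameter description is the only migration aid available; something like `@description('Optional. The diagnostic settings of the service. Replaces the former diagnosticStorageAccountId, diagnosticWorkspaceId, diagnosticEventHubAuthorizationRuleId and diagnosticEventHubName parameters; each entry may target any combination of those sinks.')` would make the rename discoverable. A version bump or changelog entry for the module should accompany it, though that lives outside this file.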
@@ -69,31 +60,6 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'BastionAuditLogs' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var enableTunneling = skuName == 'Standard' ? true : null var scaleUnitsVar = skuName == 'Basic' ? 2 : scaleUnits 
@@ -192,19 +158,10 @@ module publicIPAddress '../public-ip-address/main.bicep' = if (empty(bastionSubn name: '${uniqueString(deployment().name, location)}-Bastion-PIP' params: { name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip' - diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [ - 'allLogs' - ] - diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? publicIPAddressObject.diagnosticMetricsToEnable : [ - 'AllMetrics' - ] - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticWorkspaceId: diagnosticWorkspaceId - diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticEventHubName enableDefaultTelemetry: enableReferencedModulesTelemetry location: location lock: lock + diagnosticSettings: publicIPAddressObject.?diagnosticSettings publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? publicIPAddressObject.publicIPAddressVersion : 'IPv4' publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? publicIPAddressObject.publicIPAllocationMethod : 'Static' publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? publicIPAddressObject.publicIPPrefixResourceId : '' 
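Review bot: With this hunk the Bastion's own `diagnosticSettings` parameter no longer reaches the public IP: the removed lines forwarded `diagnosticStorageAccountId`/`diagnosticWorkspaceId`/`diagnosticEventHubAuthorizationRuleId`/`diagnosticEventHubName` to the nested module, while the new `diagnosticSettings: publicIPAddressObject.?diagnosticSettings` only reads the untyped `publicIPAddressObject`, so a caller who migrates their old four values into the Bastion-level parameter silently ends up with no diagnostic setting on the module-created PIP. Forwarding the Bastion list as a default (`?? diagnosticSettings`) is not a safe fix, because a Bastion-specific `category` in `logCategoriesAndGroups` would presumably be rejected on the public IP resource, so this is a documentation point: the `publicIPAddressObject` description should state it, e.g. `Diagnostic settings for the created Public IP are taken from publicIPAddressObject.diagnosticSettings and are not inherited from the Bastion's diagnosticSettings parameter.` The `module publicIPAddress` statement starts outside the hunk.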
@@ -250,17 +207,24 @@ resource azureBastion_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp scope: azureBastion } -resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: azureBastion -} +}] resource azureBastion_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(azureBastion.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
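Review bot: The `logs:` value in the new `azureBastion_diagnosticSettings` loop passes a caller-supplied `logCategoriesAndGroups` list through untouched, so its entries carry only `category`/`categoryGroup` and no `enabled` flag, whereas the built-in fallback sets `enabled: true`; the ARM reference lists `enabled` as required on each log entry as far as I can tell, so only the default path is guaranteed to deploy, and mapping the list into the API shape (below) makes both paths uniform. A second issue in the same hunk: `index` is declared but unused, and `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` gives every unnamed entry the same name, so two entries without `name` collide in one deployment; folding the index into the default for entries after the first keeps today's name for the common single-entry case, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. Finally, every sink (`storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId`, `marketplacePartnerResourceId`) is optional, so the old guard that skipped the resource when no destination was configured is gone and an entry with no sink now fails at deployment instead of being skipped, which the parameter description should say.
```bicep
resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name, storageAccountId … eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
  // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
}]
```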
@@ -325,3 +289,35 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json
index 32533015a4..1c89cc7c02 100644
--- a/modules/network/bastion-host/main.json
+++ b/modules/network/bastion-host/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18230214289197340904" + "templateHash": "10859343620661687019" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", 
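Review bot: The description of `logCategoriesAndGroups` still says `Set to '' to disable log collection`, but the member is now an array of objects, and the resource falls back to `categoryGroup: 'AllLogs'` only when the member is null, so the way to disable logs is now an empty array and an empty string is not a valid value. Suggested wording: `@description('Optional. The log categories and category groups to stream. Omit to collect all logs; pass an empty array to disable log collection.')`. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` also declares nullability twice, since the trailing `?` already allows null; `('Dedicated' | 'AzureDiagnostics')?` matches how the other optional members are written. The type declaration is complete within the hunk.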
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -146,32 +234,10 @@ "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -252,41 +318,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "BastionAuditLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableTunneling": "[if(equals(parameters('skuName'), 'Standard'), true(), null())]", "scaleUnitsVar": "[if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits'))]", "subnetVar": { 
@@ -389,17 +423,22 @@ ] }, "azureBastion_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "azureBastion_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "azureBastion" @@ -439,20 +478,6 @@ "mode": "Incremental", "parameters": { "name": "[if(contains(parameters('publicIPAddressObject'), 'name'), createObject('value', parameters('publicIPAddressObject').name), createObject('value', format('{0}-pip', parameters('name'))))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('publicIPAddressObject').diagnosticLogCategoriesToEnable), createObject('value', createArray('allLogs')))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticMetricsToEnable'), createObject('value', parameters('publicIPAddressObject').diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics')))]", - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" - }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, 
@@ -462,6 +487,9 @@ "lock": { "value": "[parameters('lock')]" }, + "diagnosticSettings": { + "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" + }, "publicIPAddressVersion": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAddressVersion'), createObject('value', parameters('publicIPAddressObject').publicIPAddressVersion), createObject('value', 'IPv4'))]", "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static'))]", "publicIPPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', ''))]", @@ -481,7 +509,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -578,6 +606,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -645,32 +779,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -740,64 +852,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -858,18 +915,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/.test/common/main.test.bicep index 2bbdb986ad..a1203ca39b 100644 --- a/modules/network/express-route-circuit/.test/common/main.test.bicep +++ b/modules/network/express-route-circuit/.test/common/main.test.bicep 
@@ -69,10 +69,20 @@ module testDeployment '../../main.bicep' = {
 bandwidthInMbps: 50
 peeringLocation: 'Amsterdam'
 serviceProviderName: 'Equinix'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md
index 05d0420d52..a31e5f3969 100644
--- a/modules/network/express-route-circuit/README.md
+++ b/modules/network/express-route-circuit/README.md
@@ -50,10 +50,20 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0
 serviceProviderName: 'Equinix'
 // Non-required parameters
 allowClassicOperations: true
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 lock: {
 kind: 'CanNotDelete'
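Review bot: The new test passes one `diagnosticSettings` entry with every sink plus `metricCategories`, so the paths where the array parameter behaves differently from the four scalar parameters it replaces are not exercised: an explicit `logCategoriesAndGroups` list, an entry relying on the default `name`, and more than one entry in the array. Adding a second entry such as `{ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId, logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ] }` would cover the multi-entry copy, the default name and explicit log categories in one deployment. The `testDeployment` module block starts and ends outside the hunk.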
@@ -106,17 +116,21 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0
 "allowClassicOperations": {
 "value": true
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "enableDefaultTelemetry": {
 "value": ""
@@ -234,13 +248,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0
 | :-- | :-- | :-- |
 | [`allowClassicOperations`](#parameter-allowclassicoperations) | bool | Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true. |
 | [`bandwidthInGbps`](#parameter-bandwidthingbps) | int | The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`expressRoutePortResourceId`](#parameter-expressrouteportresourceid) | string | The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. |
 | [`globalReachEnabled`](#parameter-globalreachenabled) | bool | Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU. |
@@ -278,56 +286,120 @@ This is the bandwidth in Mbps of the circuit being created. It must exactly matc - Required: Yes - Type: int -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, PeeringRouteLog]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep
index 21aa72f2c0..e9dbfd0122 100644
--- a/modules/network/express-route-circuit/main.bicep
+++ b/modules/network/express-route-circuit/main.bicep
@@ -69,17 +69,8 @@ param expressRoutePortResourceId string = ''
 @description('Optional. Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU.')
 param globalReachEnabled bool = false
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -93,45 +84,6 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'PeeringRouteLog'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var peeringConfiguration = [
 {
 name: peeringType
@@ -201,18 +153,31 @@ resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2020-05-01' =
 scope: expressRouteCircuits
 }
 
-resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: expressRouteCircuits
-}
+}]
 
 resource expressRouteCircuits_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(expressRouteCircuits.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
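Review bot: The loop header `[for (diagnosticSetting, index) in (diagnosticSettings ?? []): {` drops the old guard that deployed the diagnostic setting only when at least one destination was given, so an array entry that sets none of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` now reaches ARM with every sink `null` and will presumably be rejected at deployment time instead of being skipped. If skipping is still the intent, a loop condition restores it: `[for (diagnosticSetting, index) in (diagnosticSettings ?? []): if (!empty(diagnosticSetting.?storageAccountResourceId) || !empty(diagnosticSetting.?workspaceResourceId) || !empty(diagnosticSetting.?eventHubAuthorizationRuleResourceId) || !empty(diagnosticSetting.?marketplacePartnerResourceId)) {`; if failing loudly is preferred, the `diagnosticSettingType` description should say that at least one destination is required. Separately, the fallback `categoryGroup: 'AllLogs'` differs in case from the `'allLogs'` the removed variable used and the parameter descriptions still quote, which is worth aligning even if the provider matches it case-insensitively. Both points are mirrored in the generated `main.json` hunks below and should be fixed in this source rather than there.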
@@ -277,3 +242,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json
index 020ef12461..f350e468f8 100644
--- a/modules/network/express-route-circuit/main.json
+++ b/modules/network/express-route-circuit/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1604127789628579134"
+ "templateHash": "6885952073630597442"
 },
 "name": "ExpressRoute Circuits",
 "description": "This module deploys an Express Route Circuit.",
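Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` is a verbatim copy of the `logCategoriesAndGroups` text ("The name of logs that will be streamed … Set to '' to disable log collection"), and both descriptions still describe the old string-array contract. The new members are arrays of objects, so `''` is not a valid value any more; what now suppresses the built-in `AllLogs`/`AllMetrics` fallback in the resource is an empty array, which passes through the `??` unchanged. Suggest `@description('Optional. The metric categories that will be streamed. Set to an empty array to disable metric collection.')` for `metricCategories` and the matching wording for `logCategoriesAndGroups`. The same text is carried into the generated `main.json` and the README tables, which the generator will refresh once the Bicep source is corrected.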
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -241,32 +347,10 @@ "description": "Optional. Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -294,62 +378,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "PeeringRouteLog" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "peeringConfiguration": [ { "name": "[parameters('peeringType')]", 
@@ -426,18 +457,23 @@ ] }, "expressRouteCircuits_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "expressRouteCircuits_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "expressRouteCircuits" diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index e17db844f4..8bbd416cfb 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md 
@@ -542,18 +542,13 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enabledState`](#parameter-enabledstate) | string | State of the frontdoor resource. 
| | [`enforceCertificateNameCheck`](#parameter-enforcecertificatenamecheck) | string | Enforce certificate name check of the frontdoor resource. | | [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`metricsToEnable`](#parameter-metricstoenable) | array | The name of metrics that will be streamed. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | | [`tags`](#parameter-tags) | object | Resource tags. | 
@@ -564,41 +559,120 @@ Backend address pool of the frontdoor resource. - Required: Yes - Type: array -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog]` -### Parameter: `diagnosticStorageAccountId` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` @@ -680,14 +754,6 @@ Optional. Specify the name of lock. - Required: No - Type: string -### Parameter: `metricsToEnable` - -The name of metrics that will be streamed. -- Required: No -- Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` - ### Parameter: `name` The name of the frontDoor. diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep index a24fc1e5dd..5421adb3bb 100644 --- a/modules/network/front-door/main.bicep +++ b/modules/network/front-door/main.bicep 
@@ -50,54 +50,8 @@ param loadBalancingSettings array
 @description('Required. Routing rules settings of the frontdoor resource.')
 param routingRules array
 
-@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'FrontdoorAccessLog'
- 'FrontdoorWebApplicationFirewallLog'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param metricsToEnable array = [
- 'AllMetrics'
-]
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in metricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
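Review bot: With the `@allowed` list on the log categories gone, a misspelled `category` inside `diagnosticSettings.logCategoriesAndGroups` is no longer rejected at compile time and only surfaces as a deployment error, since the `diagnosticSettingType` this hunk references (declared in a later hunk of the same file) leaves `category` as a plain `string`. If that validation is intentionally traded for the generic type, the two Front Door categories from the removed list, `FrontdoorAccessLog` and `FrontdoorWebApplicationFirewallLog`, should at least be named in that property's `@description` so callers can still find the valid values in the generated README.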
@@ -148,18 +102,31 @@ resource frontDoor_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(
 scope: frontDoor
 }
 
-resource frontDoor_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: '${frontDoor.name}-diagnosticSettings'
+resource frontDoor_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId
- workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId
- eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId
- eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName
- metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics
- logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: frontDoor
-}
+}]
 
 resource frontDoor_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(frontDoor.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
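Review bot: Caller-supplied `metricCategories` and `logCategoriesAndGroups` entries are forwarded to `metrics` and `logs` unchanged, so `enabled: true` (and `timeGrain`) is only ever set on the built-in defaults in this hunk; the `diagnosticSettingType` declared later in the file carries just `category`/`categoryGroup`, and the load-balancer tests elsewhere in this patch pass `[ { category: 'AllMetrics' } ]` in exactly that shape, which as far as I can tell the diagnostic-settings API rejects for lacking `enabled`. Mapping each entry through a for-expression, as below, keeps the input contract and still emits a complete setting. Separately, two entries that both omit `name` resolve to the same `'${name}-diagnosticSettings'` and declare two resources with one name in the same scope; a per-index fallback such as `'${name}-diagnosticSettings-${index}'` for `index > 0` would avoid that collision.
```bicep
resource frontDoor_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  // … unchanged: scope …
}]
```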
@@ -218,3 +185,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json
index 1d49b36495..5c73c7964c 100644
--- a/modules/network/front-door/main.json
+++ b/modules/network/front-door/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17030611333529770965"
+ "templateHash": "10762765497515321420"
 },
 "name": "Azure Front Doors",
 "description": "This module deploys an Azure Front Door.",
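Review bot: The `@description` on `metricCategories` is the log description copied verbatim ("The name of logs that will be streamed. "allLogs" …"), so the generated README and main.json repeat log wording for a metrics property; `@description('Optional. The name of metrics that will be streamed. Set to \'AllMetrics\' to collect all metrics.')` would match what the resource's default branch actually does. The `logCategoriesAndGroups` description still says "Set to '' to disable log collection", which no longer fits an array of objects: with the `??` fallback in the resource, an explicit empty array `[]` is what turns log collection off, and that is worth stating there since the old `@allowed` hint is gone. Finally, `('Dedicated' | 'AzureDiagnostics' | null)?` declares nullability twice; `('Dedicated' | 'AzureDiagnostics')?` reads the same and matches how every other optional member of this type is written.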
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -206,83 +312,14 @@ "description": "Required. Routing rules settings of the frontdoor resource." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "FrontdoorAccessLog", - "FrontdoorWebApplicationFirewallLog" - ], + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
- } - }, - "metricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." + "description": "Optional. The diagnostic settings of the service." } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('metricsToEnable'))]", - "input": { - "category": "[parameters('metricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -341,19 +378,24 @@ "frontDoor" ] }, - "frontDoor_diagnosticSettingName": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "frontDoor_diagnosticSettings": { + "copy": { + "name": "frontDoor_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", - "name": "[format('{0}-diagnosticSettings', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), null(), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('diagnosticWorkspaceId')), null(), parameters('diagnosticWorkspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('diagnosticEventHubAuthorizationRuleId')), null(), parameters('diagnosticEventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('diagnosticEventHubName')), null(), parameters('diagnosticEventHubName'))]", - "metrics": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsMetrics'))]", - "logs": "[if(and(and(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('diagnosticWorkspaceId'))), empty(parameters('diagnosticEventHubAuthorizationRuleId'))), empty(parameters('diagnosticEventHubName'))), null(), variables('diagnosticsLogs'))]" + 
"storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "frontDoor" diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/.test/common/main.test.bicep index bea8cb619b..fe358e8a25 100644 --- a/modules/network/load-balancer/.test/common/main.test.bicep +++ b/modules/network/load-balancer/.test/common/main.test.bicep 
@@ -81,10 +81,20 @@ module testDeployment '../../main.bicep' = {
 name: 'backendAddressPool2'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 inboundNatRules: [
 {
 backendPort: 443
diff --git a/modules/network/load-balancer/.test/internal/main.test.bicep b/modules/network/load-balancer/.test/internal/main.test.bicep
index 792b2c5377..fd8248a0ed 100644
--- a/modules/network/load-balancer/.test/internal/main.test.bicep
+++ b/modules/network/load-balancer/.test/internal/main.test.bicep
@@ -75,10 +75,20 @@ module testDeployment '../../main.bicep' = {
 name: 'servers'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 inboundNatRules: [
 {
 backendPort: 443
diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md
index 54a6511051..22214ac791 100644
--- a/modules/network/load-balancer/README.md
+++ b/modules/network/load-balancer/README.md
@@ -64,10 +64,20 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 name: 'backendAddressPool2'
 }
 ]
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 inboundNatRules: [
 {
@@ -190,17 +200,21 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 }
 ]
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "enableDefaultTelemetry": {
 "value": ""
@@ -332,10 +346,20 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 name: 'servers'
 }
 ]
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 inboundNatRules: [
 {
@@ -429,17 +453,21 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 }
 ]
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "enableDefaultTelemetry": {
 "value": ""
@@ -596,12 +624,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`backendAddressPools`](#parameter-backendaddresspools) | array | Collection of backend address pools used by a load balancer. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`inboundNatRules`](#parameter-inboundnatrules) | array | Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. 
They have to reference individual inbound NAT rules. | | [`loadBalancingRules`](#parameter-loadbalancingrules) | array | Array of objects containing all load balancing rules. | 
@@ -620,48 +643,92 @@ Collection of backend address pools used by a load balancer. - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep index 6039269605..adf7d97ea2 100644 --- a/modules/network/load-balancer/main.bicep +++ b/modules/network/load-balancer/main.bicep @@ -28,17 +28,8 @@ param loadBalancingRules array = [] @description('Optional. Array of objects containing all probes, these are references in the load balancing rules.') param probes array = [] -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
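Review bot: Replacing the four `diagnostic*` string parameters with `param diagnosticSettings diagnosticSettingType` is a breaking interface change — a caller still passing e.g. `diagnosticWorkspaceId` is rejected as an unknown parameter rather than silently losing its diagnostics — and nothing in this hunk records that for readers of the generated README. I'd extend the description so the migration is discoverable from the parameter itself, e.g. `@description('Optional. The diagnostic settings of the service. Replaces the former diagnosticStorageAccountId, diagnosticWorkspaceId, diagnosticEventHubAuthorizationRuleId and diagnosticEventHubName parameters.')`, and check that the module's version metadata reflects a major change.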
@@ -135,25 +126,8 @@ var backendAddressPoolNames = [for backendAddressPool in backendAddressPools: { name: backendAddressPool.name }] -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var enableReferencedModulesTelemetry = false -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') 
@@ -234,17 +208,25 @@ resource loadBalancer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp scope: loadBalancer } -resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: loadBalancer -} +}] resource loadBalancer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(loadBalancer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
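Review bot: `index` is bound in the loop header but never used, so two `diagnosticSettings` entries that both omit `name` fall back to the same resource name `'${name}-diagnosticSettings'` and, as far as I can tell, the deployment fails on the duplicate; the previous single-resource form could not hit this. Suffixing the fallback for all but the first entry keeps today's default name and disambiguates the rest: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. Note also that the old `if (!empty(...) || ...)` guard is gone: every destination field in `diagnosticSettingType` is optional, so an entry with no destination now produces a diagnostic setting with no sink instead of being skipped, which is worth either validating or stating in the type's description.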
@@ -309,3 +291,32 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? 
+ + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json index 28b6826820..2c4512b1ec 100644 --- a/modules/network/load-balancer/main.json +++ b/modules/network/load-balancer/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6906928073962159514" + "templateHash": "2560193995826273246" }, "name": "Load Balancers", "description": "This module deploys a Load Balancer.", 
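Review bot: The `@description` on `metricCategories` describes log categories ("The name of logs that will be streamed. "allLogs" includes all possible logs…"), but the field feeds the `metrics` block of the diagnostic setting and this type has no log-category field at all, so the text — and the README and main.json generated from it — is misleading. I'd change it to `@description('Optional. The name of metrics that will be streamed. Set to \'AllMetrics\' to collect all metrics.')`. Separately, `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells the nullability twice; `('Dedicated' | 'AzureDiagnostics')?` reads the same.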
@@ -103,6 +103,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -158,32 +238,10 @@ "description": "Optional. Array of objects containing all probes, these are references in the load balancing rules." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { @@ -225,25 +283,6 @@ "metadata": { "description": "Optional. The outbound rules." } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { 
@@ -331,15 +370,6 @@ "input": { "name": "[parameters('backendAddressPools')[copyIndex('backendAddressPoolNames')].name]" } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } } ], "enableReferencedModulesTelemetry": false, 
@@ -399,17 +429,22 @@ ] }, "loadBalancer_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "loadBalancer_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/loadBalancers/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "loadBalancer" diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep index c957795383..c4b3aa7ae9 100644 --- a/modules/network/nat-gateway/.test/common/main.test.bicep +++ b/modules/network/nat-gateway/.test/common/main.test.bicep @@ -66,10 +66,6 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 9f4217d79a..26057347be 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md 
@@ -46,10 +46,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { // Required parameters name: 'nngcom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -89,18 +85,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { "value": "nngcom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "enableDefaultTelemetry": { "value": "" }, 
@@ -149,13 +133,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | | [`domainNameLabel`](#parameter-domainnamelabel) | string | DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The idle timeout of the NAT gateway. | 
@@ -164,63 +141,13 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | [`natGatewayPipName`](#parameter-natgatewaypipname) | string | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | [`natGatewayPublicIpAddress`](#parameter-natgatewaypublicipaddress) | bool | Use to have a new Public IP Address created for the NAT Gateway. | | [`publicIpAddresses`](#parameter-publicipaddresses) | array | Existing Public IP Address resource names to use for the NAT Gateway. | +| [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. | | [`publicIpPrefixes`](#parameter-publicipprefixes) | array | Existing Public IP Prefixes resource names to use for the NAT Gateway. | | [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags for the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` - -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
-- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticEventHubName` - -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticLogCategoriesToEnable` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -- Required: No -- Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` - -### Parameter: `diagnosticMetricsToEnable` - -The name of metrics that will be streamed. -- Required: No -- Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` - -### Parameter: `diagnosticSettingsName` - -The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticStorageAccountId` - -Resource ID of the diagnostic storage account. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `diagnosticWorkspaceId` - -Resource ID of the diagnostic log analytics workspace. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `domainNameLabel` DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. 
@@ -303,6 +230,121 @@ Existing Public IP Address resource names to use for the NAT Gateway. - Type: array - Default: `[]` +### Parameter: `publicIpDiagnosticSettings` + +The diagnostic settings of the Public IP. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-publicipdiagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `publicIpDiagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
+ +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `publicIpDiagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-publicipdiagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `publicIpDiagnosticSettings.metricCategories.category` + +Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `publicIpDiagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + ### Parameter: `publicIpPrefixes` Existing Public IP Prefixes resource names to use for the NAT Gateway. diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index c12615e8cb..82b04b94a0 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep 
@@ -32,18 +32,6 @@ param zones array = [] @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - @description('Optional. The lock settings of the service.') param lock lockType 
@@ -53,32 +41,12 @@ param roleAssignments roleAssignmentType @description('Optional. Tags for the resource.') param tags object = {} +@description('Optional. The diagnostic settings of the Public IP.') +param publicIpDiagnosticSettings diagnosticSettingType + @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var publicIPPrefixResourceIds = [for publicIpPrefix in publicIpPrefixes: { id: az.resourceId('Microsoft.Network/publicIPPrefixes', publicIpPrefix) }] 
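Review bot: The description of the new `publicIpDiagnosticSettings` parameter does not say that it only takes effect when this module creates the Public IP: the child `publicIPAddress` module it is forwarded to is deployed conditionally on `natGatewayPublicIpAddress` (visible in the next hunk), so callers that reuse existing IPs via `publicIpAddresses` or `publicIpPrefixes` will presumably get no diagnostic setting from this parameter and should not expect one. I would make that explicit in the decorator, e.g. `@description('Optional. The diagnostic settings of the Public IP. Only applied when natGatewayPublicIpAddress is true, i.e. when this module creates the Public IP; existing Public IPs referenced via publicIpAddresses or publicIpPrefixes are not configured.')`. The parameter also carries no default, and since the previous parameters defaulted to `allLogs`/`AllMetrics` once a destination was given, it is worth stating in the README that a caller must now pass at least one array entry (a destination is enough; the defaults are applied per entry) to keep the Public IP audited.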
@@ -116,13 +84,7 @@ module publicIPAddress '../public-ip-address/main.bicep' = if (natGatewayPublicI name: '${uniqueString(deployment().name, location)}-NatGateway-PIP' params: { name: !empty(natGatewayPipName) ? natGatewayPipName : '${name}-pip' - diagnosticLogCategoriesToEnable: diagnosticLogCategoriesToEnable - diagnosticMetricsToEnable: diagnosticMetricsToEnable - diagnosticSettingsName: !empty(diagnosticSettingsName) ? diagnosticSettingsName : (!empty(natGatewayPipName) ? '${natGatewayPipName}-diagnosticSettings' : '${name}-pip-diagnosticSettings') - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticWorkspaceId: diagnosticWorkspaceId - diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticEventHubName + diagnosticSettings: publicIpDiagnosticSettings domainNameLabel: domainNameLabel enableDefaultTelemetry: enableReferencedModulesTelemetry location: location 
@@ -226,3 +188,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index f23a35e221..f44ad2173c 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6575907047681154194" + "templateHash": "18393412325289801618" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", 
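Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` is a copy of the logs text ("The name of logs that will be streamed. "allLogs" includes all possible logs ... Set to '' to disable log collection") and describes the wrong property; it should read something like `@description('Optional. The metric categories to stream. Use \'AllMetrics\' to collect all metrics; when omitted the module default is applied.')`. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable log collection", which no longer fits a typed array of objects — judging by the compiled public-ip module later in this patch, the `AllLogs` default is only substituted when the property is absent, so disabling logs presumably means passing an empty array `[]`, and the text should say so rather than reference `''`. Because `name` is optional and the child module falls back to the same `{name}-diagnosticSettings` for every array entry, two entries that both omit `name` would collide on the same resource name; a sentence in the `name` description ("must be unique per entry when more than one setting is supplied") would prevent that surprise. Finally, the "For security reasons, it is recommended to set diagnostic settings to send data to ..." sentence is repeated on three of the four destination properties but not on `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId`; since the previous `condition` that refused to deploy a setting without a destination is gone, that guidance belongs once on the type itself rather than on individual members. The `diagnosticSettingType` definition is the last item in this hunk and the file ends with it.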
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -175,34 +281,6 @@ "description": "Optional. Location for all resources." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, "lock": { "$ref": "#/definitions/lockType", "metadata": { 
@@ -222,47 +300,18 @@ "description": "Optional. Tags for the resource." } }, + "publicIpDiagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", + "metadata": { + "description": "Optional. The diagnostic settings of the Public IP." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { 
@@ -374,24 +423,8 @@ "mode": "Incremental", "parameters": { "name": "[if(not(empty(parameters('natGatewayPipName'))), createObject('value', parameters('natGatewayPipName')), createObject('value', format('{0}-pip', parameters('name'))))]", - "diagnosticLogCategoriesToEnable": { - "value": "[parameters('diagnosticLogCategoriesToEnable')]" - }, - "diagnosticMetricsToEnable": { - "value": "[parameters('diagnosticMetricsToEnable')]" - }, - "diagnosticSettingsName": "[if(not(empty(parameters('diagnosticSettingsName'))), createObject('value', parameters('diagnosticSettingsName')), if(not(empty(parameters('natGatewayPipName'))), createObject('value', format('{0}-diagnosticSettings', parameters('natGatewayPipName'))), createObject('value', format('{0}-pip-diagnosticSettings', parameters('name')))))]", - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" + "diagnosticSettings": { + "value": "[parameters('publicIpDiagnosticSettings')]" }, "domainNameLabel": { "value": "[parameters('domainNameLabel')]" @@ -433,7 +466,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -530,6 +563,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -597,32 +736,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -692,64 +809,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -810,18 +872,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/.test/common/main.test.bicep index bb28e92347..c5c0039691 100644 --- a/modules/network/network-interface/.test/common/main.test.bicep +++ b/modules/network/network-interface/.test/common/main.test.bicep 
@@ -93,10 +93,20 @@ module testDeployment '../../main.bicep' = { ] } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index e9af14e2b3..2af3a8f2a0 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -70,10 +70,20 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { ] name: 'nnicom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' 
@@ -138,17 +148,21 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { "value": "nnicom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -260,12 +274,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { | :-- | :-- | :-- | | [`auxiliaryMode`](#parameter-auxiliarymode) | string | Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | | [`auxiliarySku`](#parameter-auxiliarysku) | string | Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource identifier of log analytics. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableTcpStateTracking`](#parameter-disabletcpstatetracking) | bool | Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true. | | [`dnsServers`](#parameter-dnsservers) | array | List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 
'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection. | | [`enableAcceleratedNetworking`](#parameter-enableacceleratednetworking) | bool | If the network interface is accelerated networking enabled. | 
@@ -293,48 +302,92 @@ Auxiliary sku of Network Interface resource. Not all regions are enabled for Aux - Default: `'None'` - Allowed: `[A1, A2, A4, A8, None]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+ +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource identifier of log analytics. - Required: No - Type: string -- Default: `''` ### Parameter: `disableTcpStateTracking` diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep index 0caf07f3a7..257ea044cc 100644 --- a/modules/network/network-interface/main.bicep +++ b/modules/network/network-interface/main.bicep 
@@ -56,34 +56,8 @@ param lock lockType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource identifier of log analytics.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
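Review bot: Any consumer still passing `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId`, `diagnosticEventHubName`, `diagnosticMetricsToEnable` or `diagnosticSettingsName` fails at compile time after this hunk, because the parameters are removed rather than deprecated; no version bump is visible in this chunk, and the README examples in the same commit still pin `br:bicep/modules/network.network-interface:1.0.0`. If a bump is not intended, the new parameter's description should at least name the migration so the generated README carries it, e.g. `@description('Optional. The diagnostic settings of the service. Supersedes the former diagnosticStorageAccountId, diagnosticWorkspaceId, diagnosticEventHubAuthorizationRuleId, diagnosticEventHubName, diagnosticMetricsToEnable and diagnosticSettingsName parameters.')`. The `builtInRoleNames` variable that closes the hunk continues outside it.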
@@ -147,17 +121,25 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = { } } -resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: networkInterface -} +}] resource networkInterface_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' 
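Review bot: User-supplied `metricCategories` entries are passed straight through as `metrics`, so a setting like the test's `[ { category: 'AllMetrics' } ]` reaches the API without the `enabled: true` and `timeGrain: null` fields that the fallback array (and the removed `diagnosticsMetrics` variable) supplies — only the default path yields a complete metric setting, and I would expect the API to reject or ignore an entry without `enabled`. Mapping every entry through a nested loop keeps both paths consistent, as below. Separately, `name` falls back to the same `'${name}-diagnosticSettings'` for every element of the copy loop, so two entries that omit `name` would collide on the resource name; either fold `index` into the fallback or document that `name` is effectively required for the second and later entries. The old `if (!empty(...))` guard is gone too, so an entry with no destination at all is now deployed rather than skipped. The resource is fully contained in this hunk.

```bicep
resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    // Normalise every metric entry so user-supplied and default categories carry the same fields.
    metrics: [for metric in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: metric.category
      timeGrain: null
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: networkInterface
}]
```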
@@ -227,3 +209,32 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? 
+ + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json index dd8eb177aa..71af44d442 100644 --- a/modules/network/network-interface/main.json +++ b/modules/network/network-interface/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11496161506514027711" + "templateHash": "8812824728238881787" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", 
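Review bot: The description on `metricCategories` in `diagnosticSettingType` is copied from a log-category parameter — it talks about logs, "allLogs" and setting the value to '' to disable collection, none of which applies to a typed array of metric categories, and '' is not assignable to `{ category: string }[]?`; the same wrong text is propagated into the generated README and main.json in this commit. Something like `@description('Optional. The metric categories to stream. When omitted, all metrics (\'AllMetrics\') are collected.')` describes the actual behaviour. Minor style point: `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice; `('Dedicated' | 'AzureDiagnostics')?` should be equivalent and matches the other optional members. The type also accepts an entry with none of `workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` set, and with the old emptiness guard removed such an entry is now sent to the API, so the type-level description is the place to state that at least one destination is required.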
@@ -103,6 +103,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -212,66 +292,14 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of log analytics." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." 
} } }, "variables": { - "copy": [ - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -339,17 +367,22 @@ } }, "networkInterface_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "networkInterface_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "networkInterface" diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/.test/common/main.test.bicep index 58fc3f0b32..6f4d0ca1e1 100644 --- a/modules/network/network-security-group/.test/common/main.test.bicep +++ b/modules/network/network-security-group/.test/common/main.test.bicep @@ -67,10 +67,15 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' 
diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index be4e1e6da2..3c7254faa2 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -47,10 +47,15 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 // Required parameters name: 'nnsgcom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -153,17 +158,16 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 "value": "nnsgcom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -324,12 +328,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -338,48 +337,100 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -### Parameter: `diagnosticLogCategoriesToEnable` +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index 2c2b1d558a..c0a0f46dd4 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep 
@@ -14,17 +14,8 @@ param securityRules array = [] @description('Optional. When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions.') param flushConnection bool = false -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -38,34 +29,8 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'NetworkSecurityGroupEvent' - 'NetworkSecurityGroupRuleCounter' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - var enableReferencedModulesTelemetry = false -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') 
@@ -149,17 +114,24 @@ resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = scope: networkSecurityGroup } -resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: networkSecurityGroup -} +}] resource networkSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(networkSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
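Review bot: User-supplied `logCategoriesAndGroups` entries are passed straight through as `logs` on the new side, so an entry such as `{ categoryGroup: 'allLogs' }` reaches `Microsoft.Insights/diagnosticSettings` without `enabled: true`; only the hard-coded fallback array sets it, whereas the removed `diagnosticsLogsSpecified` variable always added `enabled: true` to every category. As far as I recall `enabled` is mandatory on a log setting, so this either fails the deployment or, worse for an audit trail, yields a setting that collects nothing. Mapping the array instead of passing it through keeps the old guarantee. A smaller point: every entry falls back to the same `'${name}-diagnosticSettings'` name, so two entries without an explicit `name` collide at deployment time; worth a comment on the `name:` line such as `// name is effectively required when more than one setting is passed`.
```bicep
resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name, storageAccountId … eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
  // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```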
@@ -221,3 +193,35 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json index 9e78131db8..ec731a585b 100644 --- a/modules/network/network-security-group/main.json +++ b/modules/network/network-security-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3466176824922648413" + "templateHash": "6212040398427711437" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", 
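Review bot: The description on `logCategoriesAndGroups` still says `Set to '' to disable log collection`, which was true of the removed string-array parameter but not of this array-of-object type; the resource in this patch falls back to the `AllLogs` group only when the property is null, so the way to collect no logs is presumably an empty array. Suggest `@description('Optional. The log categories and/or category groups to collect. Defaults to the \'AllLogs\' category group when omitted; pass an empty array to collect no logs.')`. The `logAnalyticsDestinationType` text also trails off ("or use a destination type"); `@description('Optional. Whether the export to Log Analytics uses the default AzureDiagnostics table or resource-specific (Dedicated) tables.')` says what the two allowed values mean. Since the type does not enforce a destination, the repeated "For security reasons …" sentence might better state that a setting with no storage account, workspace, event hub or marketplace target is rejected at deployment, if that is indeed the case.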
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -133,32 +221,10 @@ "description": "Optional. When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -186,43 +252,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "NetworkSecurityGroupEvent", - "NetworkSecurityGroupRuleCounter" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -298,17 +331,22 @@ ] }, "networkSecurityGroup_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "networkSecurityGroup_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "networkSecurityGroup" diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/.test/common/main.test.bicep index f9272e5c56..ac137bfc39 100644 --- a/modules/network/public-ip-address/.test/common/main.test.bicep +++ b/modules/network/public-ip-address/.test/common/main.test.bicep 
@@ -66,10 +66,20 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 1485a2c32e..3c7c63293d 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -48,10 +48,20 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { // Required parameters name: 'npiacom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' 
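Review bot: The new `diagnosticSettings` entry in this test sets `metricCategories` only, so the module's default `logs` fallback is exercised but a user-supplied `logCategoriesAndGroups` list never is, and that is the path where the per-entry `enabled` handling matters (assuming the public-ip-address module maps the object the same way as the network-security-group module elsewhere in this patch). Adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` next to `metricCategories` would cover it without a separate test case. The enclosing `testDeployment` module starts before this hunk.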
@@ -97,17 +107,21 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { "value": "npiacom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -215,13 +229,7 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`domainNameLabel`](#parameter-domainnamelabel) | string | The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. | | [`domainNameLabelScope`](#parameter-domainnamelabelscope) | string | The domain name label scope. 
If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -238,56 +246,120 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the IP allocated for the resource needs to come from. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
+ +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `domainNameLabel` diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep index 8e4dbc9e75..16eacf4f4d 100644 --- a/modules/network/public-ip-address/main.bicep +++ b/modules/network/public-ip-address/main.bicep @@ -39,17 +39,8 @@ param zones array = [] ]) param publicIPAddressVersion string = 'IPv4' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system.') param domainNameLabel string = '' 
@@ -85,47 +76,6 @@ param enableDefaultTelemetry bool = true @description('Optional. Tags of the resource.') param tags object = {} -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') 
@@ -183,18 +133,31 @@ resource publicIpAddress_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!
 scope: publicIpAddress
 }
 
-resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: publicIpAddress
-}
+}]
 
 resource publicIpAddress_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(publicIpAddress.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
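Review bot: Caller-supplied `metricCategories` and `logCategoriesAndGroups` entries are forwarded to `metrics:` and `logs:` as-is, so the per-category `enabled` flag that the removed `diagnosticsLogs`/`diagnosticsMetrics` variables always set to `true` is now only present on the two built-in defaults; the type does not even expose `enabled`, so a caller passing `[ { category: 'AllMetrics' } ]` (the shape used by the test in this commit) deploys a setting without it. Because this resource is what ships the resource's audit logs off-box, a category that is silently not enabled (or rejected at deployment — I cannot confirm which from here) is easy to miss, so I would map each entry through a property loop and force `enabled: true`, which also keeps the defaults in one place. Separately, the old `if (!empty(...))` guard is gone, so an entry with no destination at all still produces a `diagnosticSettings` resource; at minimum the parameter documentation should say that one of workspace, storage account, event hub or marketplace partner is expected per entry. `publicIpAddress_roleAssignments` continues past the end of the hunk.
```bicep
resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // … unchanged: name, storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: group.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType, scope …
```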
@@ -258,3 +221,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json
index f0fa08f211..f1bc72b6c8 100644
--- a/modules/network/public-ip-address/main.json
+++ b/modules/network/public-ip-address/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "17964103943026732172"
+ "templateHash": "968771326214380550"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
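Review bot: The `@description` on `metricCategories` is a copy of the one on `logCategoriesAndGroups` and talks about logs and `"allLogs"`; it should describe metrics, e.g. `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')`. Both descriptions also still end with "Set to \'\' to disable log collection", which was the contract of the removed string-array parameters; with an object array the resource falls back to its `AllLogs`/`AllMetrics` default only for null, so the way to disable collection is an empty array `[]`, and the text should say so — this is the knob that decides whether audit logs leave the resource at all, so it should not be documented with a value that is no longer valid. `('Dedicated' | 'AzureDiagnostics' | null)?` states optionality twice; the other members use a bare trailing `?`, and this one could too. A sentence on the type or the `diagnosticSettings` parameter noting that each entry is expected to carry at least one destination (`workspaceResourceId`, `storageAccountResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId`) would spare callers a failed deployment.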
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -170,32 +276,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -265,64 +349,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -383,18 +412,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep index 7afc5571c4..b66ca6b816 100644 --- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/.test/common/main.test.bicep 
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName relativeName: resourceName - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index d7a7d8de43..2149dec13e 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -48,10 +48,20 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 name: '' relativeName: '' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' 
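Review bot: The new `diagnosticSettings` entry sets `metricCategories` but no `logCategoriesAndGroups`, so the test only ever hits the module's built-in `AllLogs` default and never the branch where caller-supplied log categories are forwarded; adding `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` to the same entry would cover both paths with one deployment. The supplied metric object carries no `enabled` flag; if the trafficmanagerprofile resource forwards `metricCategories` unchanged the way the public-ip-address one in this commit does (that main.bicep is not in this diff), this test is the one that would surface any issue with that, so it is worth keeping the explicit `metricCategories` rather than relying on the default. The `testDeployment` module call starts before the hunk.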
@@ -93,17 +103,21 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 "value": "" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -203,13 +217,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`endpoints`](#parameter-endpoints) | array | The list of endpoints in the Traffic Manager profile. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -222,56 +230,120 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 | [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | | [`ttl`](#parameter-ttl) | int | The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, ProbeHealthStatusEvents]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. 
Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index f7c3913340..e793655737 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep @@ -50,17 +50,8 @@ param trafficViewEnrollmentStatus string = 'Disabled' @description('Optional. Maximum number of endpoints to be returned for MultiValue routing type.') param maxReturn int = 1 -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -74,45 +65,6 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ProbeHealthStatusEvents' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') 
@@ -162,18 +114,31 @@ resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2020-05-01' = scope: trafficManagerProfile } -resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? 
[ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: trafficManagerProfile -} +}] resource trafficManagerProfile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(trafficManagerProfile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
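Review bot: Two elements of `diagnosticSettings` that both omit `name` collapse onto the same resource name in the new loop's `name:` line, because the fallback `'${name}-diagnosticSettings'` does not involve `index`, so a deployment with more than one unnamed element fails on a duplicate resource name. Keeping the first element's name stable for existing deployments while disambiguating the rest is a one-line change: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. Separately, the removed `if (...)` guard only deployed the setting when at least one destination was non-empty; the loop has no equivalent, so an element with every destination unset (e.g. `{}`) still emits a diagnosticSettings resource with all sinks null, which the Insights API presumably rejects at deploy time — worth a comment on the resource such as `// Each element must set at least one of storageAccountResourceId, workspaceResourceId, eventHubAuthorizationRuleResourceId or marketplacePartnerResourceId.` Note also that the default log category group changed from the removed `allLogs` to `AllLogs`; if the API's category-group names are case-sensitive this alters behaviour for callers relying on the default, so confirm the accepted casing.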
@@ -232,3 +197,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 93f05400a2..3f5118b0a4 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15030506362801103601" + "templateHash": "2562804839446709562" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", 
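Review bot: The `@description` on `metricCategories` in `diagnosticSettingType` is a copy of the log description ("The name of logs that will be streamed. "allLogs" includes all possible logs … Set to '' to disable log collection") and says nothing about metrics, and the `logCategoriesAndGroups` description still advises `''` to disable collection although the property is now an array of objects. Since the resource falls back with `?? [...]`, the way to disable a category set is an empty array (`[]` is non-null and passes through), so the text should say so: `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')` on `metricCategories`, and `… Set to [] to disable log collection.` on `logCategoriesAndGroups`. These descriptions are propagated into the generated README and main.json, so both need regenerating after the fix. Minor style point: `('Dedicated' | 'AzureDiagnostics' | null)?` carries both an inline `null` member and the `?` nullable suffix; one of the two suffices.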
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -188,32 +294,10 @@ "description": "Optional. Maximum number of endpoints to be returned for MultiValue routing type." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -241,62 +325,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ProbeHealthStatusEvents" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -356,18 +387,23 @@ ] }, "trafficManagerProfile_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "trafficManagerProfile_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "trafficManagerProfile" diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep index 5a7f3fad8f..678babb170 100644 --- a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep 
@@ -68,10 +68,20 @@ module testDeployment '../../main.bicep' = { gatewayType: 'Vpn' vNetResourceId: nestedDependencies.outputs.vnetResourceId activeActive: false - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] domainNameLabel: [ '${namePrefix}-dm-${serviceShort}' ] diff --git a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep index 55bce8b7a8..c65475e33c 100644 --- a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep 
@@ -67,10 +67,20 @@ module testDeployment '../../main.bicep' = { skuName: 'ErGw1AZ' gatewayType: 'ExpressRoute' vNetResourceId: nestedDependencies.outputs.vnetResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] domainNameLabel: [ '${namePrefix}-dm-${serviceShort}' ] diff --git a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep index ddb059e2d7..85b6eca68f 100644 --- a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep 
@@ -70,10 +70,20 @@ module testDeployment '../../main.bicep' = { gatewayType: 'Vpn' vNetResourceId: nestedDependencies.outputs.vnetResourceId activeActive: true - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] domainNameLabel: [ '${namePrefix}-dm-${serviceShort}' ] diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 3db958c670..ead289847f 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -50,10 +50,20 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 vNetResourceId: '' // Non-required parameters activeActive: false - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] domainNameLabel: [ 'dm-nvngavpn' ] 
@@ -124,17 +134,21 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "activeActive": { "value": false }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "domainNameLabel": { "value": [ @@ -212,10 +226,20 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 skuName: 'ErGw1AZ' vNetResourceId: '' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] domainNameLabel: [ 'dm-nvger' ] @@ -272,17 +296,21 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "value": "" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "domainNameLabel": { "value": [ 
@@ -347,10 +375,20 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 // Non-required parameters activeActive: true allowRemoteVnetTraffic: true - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableIPSecReplayProtection: true domainNameLabel: [ 'dm-nvgvpn' @@ -452,17 +490,21 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 "allowRemoteVnetTraffic": { "value": true }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableIPSecReplayProtection": { "value": true 
@@ -585,12 +627,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`asn`](#parameter-asn) | int | ASN value. | | [`clientRevokedCertThumbprint`](#parameter-clientrevokedcertthumbprint) | string | Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. | | [`clientRootCertData`](#parameter-clientrootcertdata) | string | Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableIPSecReplayProtection`](#parameter-disableipsecreplayprotection) | bool | disableIPSecReplayProtection flag. Used for VPN Gateways. | | [`domainNameLabel`](#parameter-domainnamelabel) | array | DNS name(s) of the Public IP resource(s). 
If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | | [`enableBgp`](#parameter-enablebgp) | bool | Value to specify if BGP is enabled or not. | 
@@ -603,13 +640,11 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`natRules`](#parameter-natrules) | array | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | -| [`publicIpdiagnosticLogCategoriesToEnable`](#parameter-publicipdiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`publicIpDiagnosticSettingsName`](#parameter-publicipdiagnosticsettingsname) | string | The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | +| [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. | | [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | [`publicIpZones`](#parameter-publicipzones) | array | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`virtualNetworkGatewaydiagnosticLogCategoriesToEnable`](#parameter-virtualnetworkgatewaydiagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | | [`vpnClientAadConfiguration`](#parameter-vpnclientaadconfiguration) | object | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. | | [`vpnClientAddressPoolPrefix`](#parameter-vpnclientaddresspoolprefix) | string | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | | [`vpnGatewayGeneration`](#parameter-vpngatewaygeneration) | string | The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. | 
@@ -664,48 +699,120 @@ Client root certificate data used to authenticate VPN clients. Cannot be configu - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+ +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `disableIPSecReplayProtection` 
@@ -824,20 +931,120 @@ NatRules for virtual network gateway. NAT is supported on the the following SKUs - Type: array - Default: `[]` -### Parameter: `publicIpdiagnosticLogCategoriesToEnable` +### Parameter: `publicIpDiagnosticSettings` -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The diagnostic settings of the Public IP. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` -### Parameter: `publicIpDiagnosticSettingsName` -The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-publicipdiagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `publicIpDiagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
+ +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `publicIpDiagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-publicipdiagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `publicIpDiagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `publicIpDiagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `publicIpDiagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `publicIPPrefixResourceId` 
@@ -935,14 +1142,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `virtualNetworkGatewaydiagnosticLogCategoriesToEnable` - -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -- Required: No -- Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, GatewayDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog, RouteDiagnosticLog, TunnelDiagnosticLog]` - ### Parameter: `vNetResourceId` Virtual Network resource ID. diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index 8a60fe45f9..4e6e0563c0 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep 
@@ -112,17 +112,11 @@ param clientRootCertData string = ''
 @description('Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet.')
 param clientRevokedCertThumbprint string = ''
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
+@description('Optional. The diagnostic settings of the Public IP.')
+param publicIpDiagnosticSettings diagnosticSettingType
 
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -136,72 +130,13 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
-  ''
-  'allLogs'
-  'DDoSProtectionNotifications'
-  'DDoSMitigationFlowLogs'
-  'DDoSMitigationReports'
-])
-param publicIpdiagnosticLogCategoriesToEnable array = [
-  'allLogs'
-]
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
-  ''
-  'allLogs'
-  'GatewayDiagnosticLog'
-  'TunnelDiagnosticLog'
-  'RouteDiagnosticLog'
-  'IKEDiagnosticLog'
-  'P2SDiagnosticLog'
-])
-param virtualNetworkGatewaydiagnosticLogCategoriesToEnable array = [
-  'allLogs'
-]
-
 @description('Optional. Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided.')
 param vpnClientAadConfiguration object = {}
 
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
-  'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
-  'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-@description('Optional. The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param publicIpDiagnosticSettingsName string = ''
-
 // ================//
 // Variables       //
 // ================//
 
-// Diagnostic Variables
-var virtualNetworkGatewayDiagnosticsLogsSpecified = [for category in filter(virtualNetworkGatewaydiagnosticLogCategoriesToEnable, item => item != 'allLogs'): {
-  category: category
-  enabled: true
-}]
-
-var virtualNetworkGatewayDiagnosticsLogs = contains(virtualNetworkGatewaydiagnosticLogCategoriesToEnable, 'allLogs') ? [
-  {
-    categoryGroup: 'allLogs'
-    enabled: true
-  }
-] : virtualNetworkGatewayDiagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
-  category: metric
-  timeGrain: null
-  enabled: true
-}]
-
 // Other Variables
 var zoneRedundantSkus = [
   'VpnGw1AZ'
@@ -340,13 +275,7 @@ module publicIPAddress '../public-ip-address/main.bicep' = [for (virtualGatewayP
   name: virtualGatewayPublicIpName
   params: {
     name: virtualGatewayPublicIpName
-    diagnosticLogCategoriesToEnable: publicIpdiagnosticLogCategoriesToEnable
-    diagnosticMetricsToEnable: diagnosticMetricsToEnable
-    diagnosticSettingsName: !empty(publicIpDiagnosticSettingsName) ? publicIpDiagnosticSettingsName : '${virtualGatewayPublicIpName}-diagnosticSettings'
-    diagnosticStorageAccountId: diagnosticStorageAccountId
-    diagnosticWorkspaceId: diagnosticWorkspaceId
-    diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
-    diagnosticEventHubName: diagnosticEventHubName
+    diagnosticSettings: publicIpDiagnosticSettings
     domainNameLabel: length(virtualGatewayPipNameVar) == length(domainNameLabel) ? domainNameLabel[index] : ''
     enableDefaultTelemetry: enableReferencedModulesTelemetry
     location: location
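Review bot: Public IP diagnostics are now fed only from `publicIpDiagnosticSettings` (the `diagnosticSettings: publicIpDiagnosticSettings` line in the `@@ -340,13 +275,7 @@` hunk), whereas the removed lines wired them from the same storage/workspace/event hub parameters as the gateway and enabled `allLogs` for the Public IP by default. A caller that migrates to `diagnosticSettings` alone therefore keeps gateway diagnostics but silently loses the Public IP logs (the DDoS categories among them), which is an easy observability gap to miss because nothing fails. Suggest saying so in the parameter description, e.g. `@description('Optional. The diagnostic settings of the Public IP. Not derived from diagnosticSettings; set it explicitly to keep Public IP logs.')`, and in the module's release notes. The `module publicIPAddress` declaration starts outside the hunk.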
@@ -416,18 +345,31 @@ resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' =
   scope: virtualNetworkGateway
 }
 
-resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
-  name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
   properties: {
-    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
-    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
-    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
-    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
-    metrics: diagnosticsMetrics
-    logs: virtualNetworkGatewayDiagnosticsLogs
+    storageAccountId: diagnosticSetting.?storageAccountResourceId
+    workspaceId: diagnosticSetting.?workspaceResourceId
+    eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+    eventHubName: diagnosticSetting.?eventHubName
+    metrics: diagnosticSetting.?metricCategories ?? [
+      {
+        category: 'AllMetrics'
+        timeGrain: null
+        enabled: true
+      }
+    ]
+    logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+      {
+        categoryGroup: 'AllLogs'
+        enabled: true
+      }
+    ]
+    marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+    logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
   }
   scope: virtualNetworkGateway
-}
+}]
 
 resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
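Review bot: In the loop form, two entries of `diagnosticSettings` that both omit `name` resolve to the same `'${name}-diagnosticSettings'` resource name, and the `index` loop variable is declared but never used, so nothing disambiguates them and the deployment fails with a duplicate-resource error instead of a clear validation message. Either document that `name` is required when more than one entry is supplied, or fold the index into the fallback, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, which keeps today's name for the single-entry case. Note also that the removed `if (!empty(...) || ...)` guard has no equivalent here: an entry with no destination is now submitted and will presumably be rejected by the service at deploy time rather than skipped, which is the safer failure mode but deserves a sentence in the parameter description.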
@@ -495,3 +437,41 @@ type roleAssignmentType = {
   @description('Optional. The Resource Id of the delegated managed identity resource.')
   delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+  @description('Optional. The name of diagnostic setting.')
+  name: string?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  logCategoriesAndGroups: {
+    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+    category: string?
+
+    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+    categoryGroup: string?
+  }[]?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  metricCategories: {
+    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+    category: string
+  }[]?
+
+  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  workspaceResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  storageAccountResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+  eventHubAuthorizationRuleResourceId: string?
+
+  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  eventHubName: string?
+
+  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+  marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json
index 38b96ccc31..091094caf3 100644
--- a/modules/network/virtual-network-gateway/main.json
+++ b/modules/network/virtual-network-gateway/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "682172415254356637"
+      "templateHash": "12621713101290509053"
     },
     "name": "Virtual Network Gateways",
     "description": "This module deploys a Virtual Network Gateway.",
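Review bot: The descriptions of `logCategoriesAndGroups` and `metricCategories` in `diagnosticSettingType` do not describe the new type: both say "The name of logs that will be streamed ... Set to '' to disable log collection", yet the members are arrays of objects, `metricCategories` is about metrics, and an empty string is no longer a valid value — the resource hunk above falls back to `AllLogs`/`AllMetrics` only when the property is null, so `[]` is what disables collection. Because these strings are copied into README.md and main.json by the generator, the mistake currently appears three times. Suggest `@description('Optional. The log categories and/or category groups to stream. Omit to stream all logs (categoryGroup \'AllLogs\'); set to [] to disable log collection.')` for the first and `@description('Optional. The metric categories to stream. Omit to stream all metrics (\'AllMetrics\'); set to [] to disable metric collection.')` for the second, then regenerate the README and main.json.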
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -316,32 +422,16 @@ "description": "Optional. Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "publicIpDiagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." + "description": "Optional. The diagnostic settings of the Public IP." } }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "roleAssignments": { 
@@ -370,95 +460,15 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "publicIpdiagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "virtualNetworkGatewaydiagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "GatewayDiagnosticLog", - "TunnelDiagnosticLog", - "RouteDiagnosticLog", - "IKEDiagnosticLog", - "P2SDiagnosticLog" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, "vpnClientAadConfiguration": { "type": "object", "defaultValue": {}, "metadata": { "description": "Optional. Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided." } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, - "publicIpDiagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the public IP diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." 
- } } }, "variables": { - "copy": [ - { - "name": "virtualNetworkGatewayDiagnosticsLogsSpecified", - "count": "[length(filter(parameters('virtualNetworkGatewaydiagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs')))))]", - "input": { - "category": "[filter(parameters('virtualNetworkGatewaydiagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs'))))[copyIndex('virtualNetworkGatewayDiagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "virtualNetworkGatewayDiagnosticsLogs": "[if(contains(parameters('virtualNetworkGatewaydiagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), variables('virtualNetworkGatewayDiagnosticsLogsSpecified'))]", "zoneRedundantSkus": [ "VpnGw1AZ", "VpnGw2AZ", 
@@ -551,18 +561,23 @@ ] }, "virtualNetworkGateway_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "virtualNetworkGateway_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('virtualNetworkGatewayDiagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), 
createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "virtualNetworkGateway" 
@@ -609,24 +624,8 @@ "name": { "value": "[variables('virtualGatewayPipNameVar')[copyIndex()]]" }, - "diagnosticLogCategoriesToEnable": { - "value": "[parameters('publicIpdiagnosticLogCategoriesToEnable')]" - }, - "diagnosticMetricsToEnable": { - "value": "[parameters('diagnosticMetricsToEnable')]" - }, - "diagnosticSettingsName": "[if(not(empty(parameters('publicIpDiagnosticSettingsName'))), createObject('value', parameters('publicIpDiagnosticSettingsName')), createObject('value', format('{0}-diagnosticSettings', variables('virtualGatewayPipNameVar')[copyIndex()])))]", - "diagnosticStorageAccountId": { - "value": "[parameters('diagnosticStorageAccountId')]" - }, - "diagnosticWorkspaceId": { - "value": "[parameters('diagnosticWorkspaceId')]" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" - }, - "diagnosticEventHubName": { - "value": "[parameters('diagnosticEventHubName')]" + "diagnosticSettings": { + "value": "[parameters('publicIpDiagnosticSettings')]" }, "domainNameLabel": "[if(equals(length(variables('virtualGatewayPipNameVar')), length(parameters('domainNameLabel'))), createObject('value', parameters('domainNameLabel')[copyIndex()]), createObject('value', ''))]", "enableDefaultTelemetry": { @@ -658,7 +657,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17964103943026732172" + "templateHash": "968771326214380550" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -755,6 +754,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -822,32 +927,10 @@ "description": "Optional. IP address version." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "domainNameLabel": { 
@@ -917,64 +1000,9 @@ "metadata": { "description": "Optional. Tags of the resource." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", 
@@ -1035,18 +1063,23 @@ ] }, "publicIpAddress_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "publicIpAddress_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "publicIpAddress" diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/.test/common/main.test.bicep index 91e4c94774..57bdda036d 100644 --- a/modules/network/virtual-network/.test/common/main.test.bicep +++ b/modules/network/virtual-network/.test/common/main.test.bicep 
@@ -72,10 +72,20 @@ module testDeployment '../../main.bicep' = { addressPrefixes: [ addressPrefix ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] dnsServers: [ '10.0.1.4' '10.0.1.5' diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 6fc6c587f9..27ac904abb 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -53,10 +53,20 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { ] name: 'nvncom001' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] dnsServers: [ '10.0.1.4' '10.0.1.5' 
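Review bot: The new `diagnosticSettings` entry sets `metricCategories` and the four destinations but no `logCategoriesAndGroups` and no `logAnalyticsDestinationType`, so the test only exercises the implicit `AllLogs` fallback of the new type and never the explicit category path or the destination-type enum. Adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` alongside `metricCategories` would cover the explicit path with the same three lines of shape already used for metrics. The enclosing `module testDeployment` block starts before and continues after this hunk.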
@@ -150,17 +160,21 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "value": "nvncom001" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "dnsServers": { "value": [ 
@@ -428,13 +442,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`ddosProtectionPlanId`](#parameter-ddosprotectionplanid) | string | Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`dnsServers`](#parameter-dnsservers) | array | DNS Servers associated to the Virtual Network. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`flowTimeoutInMinutes`](#parameter-flowtimeoutinminutes) | int | The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. | 
@@ -460,56 +468,120 @@ Resource ID of the DDoS protection plan to assign the VNET to. If it's left blan - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, VMProtectionAlerts]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `dnsServers` 
@@ -681,7 +753,6 @@ If the encrypted VNet allows VM that does not support encryption. Can only be us
 
 | Output | Type | Description |
 | :-- | :-- | :-- |
-| `diagnosticsLogs` | array | The Diagnostic Settings of the virtual network. |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the virtual network. |
 | `resourceGroupName` | string | The resource group the virtual network was deployed into. |
diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep
index e095c29389..7bfff1e7f2 100644
--- a/modules/network/virtual-network/main.bicep
+++ b/modules/network/virtual-network/main.bicep
@@ -37,17 +37,8 @@ param vnetEncryptionEnforcement string = 'AllowUnencrypted'
 @description('Optional. The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null.')
 param flowTimeoutInMinutes int = 0
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -61,45 +52,6 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'VMProtectionAlerts'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var dnsServersVar = {
 dnsServers: array(dnsServers)
 }
@@ -245,18 +197,31 @@ resource virtualNetwork_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 scope: virtualNetwork
 }
 
-resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: virtualNetwork
-}
+}]
 
 resource virtualNetwork_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
@@ -290,9 +255,6 @@ output subnetResourceIds array = [for subnet in subnets: az.resourceId('Microsof
 @description('The location the resource was deployed into.')
 output location string = virtualNetwork.location
 
-@description('The Diagnostic Settings of the virtual network.')
-output diagnosticsLogs array = diagnosticsLogs
-
 // =============== //
 // Definitions //
 // =============== //
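Review bot: Caller-supplied entries in `logCategoriesAndGroups` and `metricCategories` are passed straight through to `logs`/`metrics` and therefore carry no `enabled` flag, while the fallback literals do set `enabled: true`; to my reading the ARM reference documents `enabled` as required on both log and metric settings, so an explicit category list may be rejected at deployment — worth confirming with a test that passes one. Mapping the entries through a nested `for` and setting `enabled: true` (plus `timeGrain: null` for metrics) gives both paths the same shape, as sketched below. Separately, `index` is unused and two entries that both omit `name` collapse onto the same `'${name}-diagnosticSettings'`, which the loop cannot deploy; `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')` keeps the previous default for the first entry and disambiguates the rest. The removed `if (...)` guard also means an entry with none of the four destination fields set is now sent to ARM instead of being skipped — presumably a deployment error, which is arguably the safer outcome for an audit sink, but it should be stated in the parameter description.
```bicep
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    metrics: [for metric in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
      category: metric.category
      timeGrain: null
      enabled: true
    }]
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      category: group.?category
      categoryGroup: group.?categoryGroup
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
```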
@@ -327,3 +289,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json
index 5c1e4d2f7c..970f28780d 100644
--- a/modules/network/virtual-network/main.json
+++ b/modules/network/virtual-network/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1599358796462967622"
+ "templateHash": "4487813661219607743"
 },
 "name": "Virtual Networks",
 "description": "This module deploys a Virtual Network (vNet).",
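Review bot: The `metricCategories` description is a copy of the logs text ("The name of logs that will be streamed … Set to '' to disable log collection"), and neither description matches the new shape: both properties are arrays of objects, so `''` is not a valid value, and because the resource falls back with `??` only a missing/`null` property gets the AllLogs/AllMetrics default — disabling collection now means passing an empty array. Suggest `@description('Optional. The log categories and/or category groups to stream. Omit to collect all logs; pass an empty array to disable log collection.')` for `logCategoriesAndGroups` and `@description('Optional. The metric categories to stream. Omit to collect all metrics; pass an empty array to disable metric collection.')` for `metricCategories`. The README and main.json are generated from these descriptions, so the wrong guidance is currently repeated in all three files. The "For security reasons…" sentence on `eventHubName` reads oddly on a name field; it fits `eventHubAuthorizationRuleResourceId`, which actually selects the destination, or the `diagnosticSettings` parameter itself once.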
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -179,32 +285,10 @@ "description": "Optional. The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -232,62 +316,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "VMProtectionAlerts" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "dnsServersVar": { "dnsServers": "[array(parameters('dnsServers'))]" }, 
@@ -374,18 +405,23 @@ ] }, "virtualNetwork_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "virtualNetwork_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "virtualNetwork" @@ -1157,13 +1193,6 @@ "description": "The location the resource was deployed into." }, "value": "[reference('virtualNetwork', '2023-04-01', 'full').location]" - }, - "diagnosticsLogs": { - "type": "array", - "metadata": { - "description": "The Diagnostic Settings of the virtual network." - }, - "value": "[variables('diagnosticsLogs')]" } } } \ No newline at end of file diff --git a/modules/operational-insights/workspace/.test/adv/main.test.bicep b/modules/operational-insights/workspace/.test/adv/main.test.bicep index f898f556e3..e5050aabd4 100644 --- a/modules/operational-insights/workspace/.test/adv/main.test.bicep +++ b/modules/operational-insights/workspace/.test/adv/main.test.bicep 
@@ -158,10 +158,20 @@ module testDeployment '../../main.bicep' = {
 state: 'Enabled'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 gallerySolutions: [
 {
 name: 'AzureAutomation'
diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep
index f85727e8c2..e965cb4bcb 100644
--- a/modules/operational-insights/workspace/.test/common/main.test.bicep
+++ b/modules/operational-insights/workspace/.test/common/main.test.bicep
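Review bot: The test never sets `logCategoriesAndGroups`, so only the fallback log path is deployed here; the branch where a caller supplies log categories — and the object shape those entries must have — is not exercised anywhere in this change, while `metricCategories` is passed explicitly. Adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` to this entry, or a second entry that names a specific `category`, would cover it and would surface at deployment time whether entries without an `enabled` flag are accepted. The enclosing `testDeployment` module declaration starts before the hunk.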
@@ -159,10 +159,20 @@ module testDeployment '../../main.bicep' = { state: 'Enabled' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] gallerySolutions: [ { name: 'AzureAutomation' diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 7de79e3cb0..4975d90de3 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -169,10 +169,20 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { state: 'Enabled' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' gallerySolutions: [ { 
@@ -423,17 +433,21 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -681,10 +695,20 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { state: 'Enabled' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' gallerySolutions: [ { @@ -860,17 +884,21 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -1035,13 +1063,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { | [`dataExports`](#parameter-dataexports) | array | LAW data export instances to be deployed. | | [`dataRetention`](#parameter-dataretention) | int | Number of days data will be retained for. | | [`dataSources`](#parameter-datasources) | array | LAW data sources to configure. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). 
| | [`forceCmkForQuery`](#parameter-forcecmkforquery) | bool | Indicates whether customer managed storage is mandatory for query management. | | [`gallerySolutions`](#parameter-gallerysolutions) | array | List of gallerySolutions to be created in the log analytics workspace. | 
@@ -1089,56 +1111,120 @@ LAW data sources to configure. - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Audit]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of a log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep
index 7a1589af2c..687b0c94bf 100644
--- a/modules/operational-insights/workspace/main.bicep
+++ b/modules/operational-insights/workspace/main.bicep
@@ -82,17 +82,8 @@ param userAssignedIdentities object = {}
 @description('Optional. Set to \'true\' to use resource or workspace permissions and \'false\' (or leave empty) to require workspace permissions.')
 param useResourcePermissions bool = false
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of a log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. Indicates whether customer managed storage is mandatory for query management.')
 param forceCmkForQuery bool = true
@@ -109,47 +100,6 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'Audit'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
-var logAnalyticsSearchVersion = 1
-
 var enableReferencedModulesTelemetry = false
 
 var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
@@ -191,7 +141,7 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10
 tags: tags
 properties: {
 features: {
- searchVersion: logAnalyticsSearchVersion
+ searchVersion: 1
 enableLogAccessUsingOnlyResourcePermissions: useResourcePermissions
 }
 sku: {
@@ -209,18 +159,31 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10
 identity: identity
 }
 
-resource logAnalyticsWorkspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource logAnalyticsWorkspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: logAnalyticsWorkspace
-}
+}]
 
 module logAnalyticsWorkspace_storageInsightConfigs 'storage-insight-config/main.bicep' = [for (storageInsightsConfig, index) in storageInsightsConfigs: {
 name: '${uniqueString(deployment().name, location)}-LAW-StorageInsightsConfig-${index}'
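Review bot: In the new `[for (diagnosticSetting, index) in (diagnosticSettings ?? [])` loop every entry that omits `name` resolves to the same `'${name}-diagnosticSettings'`, so two unnamed entries would produce two resources with identical names and the deployment would most likely fail on the duplicate; the loop already exposes `index`, so `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` (or keeping the bare default only for `index == 0` to preserve today's resource name) avoids the collision. The removed `if ((!empty(diagnosticStorageAccountId)) || …)` guard also ensured at least one destination was set; with the loop an entry that sets none of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `eventHubName` is now sent to ARM with every destination null, which is worth a comment on the resource or a check in the test. The `account_diagnosticSettings` resource in `modules/purview/account/main.bicep` at the end of this patch has the same two issues.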
@@ -408,3 +371,41 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json
index 4e549ac05b..3bc1884eea 100644
--- a/modules/operational-insights/workspace/main.json
+++ b/modules/operational-insights/workspace/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9109089637085766608" + "templateHash": "535028874764214077" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.",
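Review bot: The `@description` on `metricCategories` repeats the logs text (`'Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.'`), which is wrong for a metrics array and, because main.json and the README tables are generated from it, is carried into both further down in this patch; the removed `diagnosticMetricsToEnable` parameter's `@description('Optional. The name of metrics that will be streamed.')` is the text that belongs here. The `logCategoriesAndGroups` description still says `Set to '' to disable log collection`, which no longer applies to a typed array; the resource falls back to `AllLogs` only when the property is absent (`diagnosticSetting.?logCategoriesAndGroups ?? [ … ]`), so `Set to [] to disable log collection` is what the type actually supports. The `null` member in `('Dedicated' | 'AzureDiagnostics' | null)?` appears redundant with the trailing `?`.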
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -261,32 +367,10 @@ "description": "Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "forceCmkForQuery": { 
@@ -321,63 +405,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "Audit" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", - 
"logAnalyticsSearchVersion": 1, "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", @@ -418,7 +448,7 @@ "tags": "[parameters('tags')]", "properties": { "features": { - "searchVersion": "[variables('logAnalyticsSearchVersion')]", + "searchVersion": 1, "enableLogAccessUsingOnlyResourcePermissions": "[parameters('useResourcePermissions')]" }, "sku": { 
@@ -436,18 +466,23 @@ "identity": "[variables('identity')]" }, "logAnalyticsWorkspace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "logAnalyticsWorkspace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "logAnalyticsWorkspace" diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep index c6bd0f2c67..162aa96a6b 100644 --- a/modules/purview/account/.test/common/main.test.bicep +++ b/modules/purview/account/.test/common/main.test.bicep 
@@ -77,10 +77,20 @@ module testDeployment '../../main.bicep' = {
 }
 managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg'
 publicNetworkAccess: 'Disabled'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
@@ -159,8 +169,6 @@ module testDeployment '../../main.bicep' = {
 }
 ]
 enableDefaultTelemetry: enableDefaultTelemetry
- diagnosticLogCategoriesToEnable: [ 'allLogs' ]
- diagnosticMetricsToEnable: [ 'AllMetrics' ]
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md
index cd06723941..be248ec0f3 100644
--- a/modules/purview/account/README.md
+++ b/modules/purview/account/README.md
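Review bot: The new `diagnosticSettings` entry only exercises `metricCategories` and the four destinations, so `logCategoriesAndGroups`, `logAnalyticsDestinationType` and `marketplacePartnerResourceId` of the new type are never deployed by this test, and the removed explicit `diagnosticLogCategoriesToEnable: [ 'allLogs' ]` is now covered only by the module's implicit `AllLogs` default. Adding `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` to the `customSetting` entry would keep log collection under explicit test. The `testDeployment` module body starts before and ends after both hunks.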
@@ -62,16 +62,20 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { } } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogCategoriesToEnable: [ - 'allLogs' - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableDefaultTelemetry: '' eventHubPrivateEndpoints: [ { @@ -188,28 +192,22 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogCategoriesToEnable": { - "value": [ - "allLogs" - ] - }, - "diagnosticMetricsToEnable": { + "diagnosticSettings": { "value": [ - "AllMetrics" + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ] }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "enableDefaultTelemetry": { "value": "" }, 
@@ -386,13 +384,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`accountPrivateEndpoints`](#parameter-accountprivateendpoints) | array | Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -413,56 +405,120 @@ Configuration details for Purview Account private endpoints. For security reason - Type: array - Default: `[]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, DataSensitivity, PurviewAccountAuditEvents, ScanStatus]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index 7b15416b63..ad6ce7da95 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep 
@@ -27,17 +27,8 @@ param managedResourceGroupName string = 'managed-rg-${name}'
 ])
 param publicNetworkAccess string = 'NotSpecified'
 
-@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -60,29 +51,6 @@ param eventHubPrivateEndpoints array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
-  ''
-  'allLogs'
-  'ScanStatus'
-  'DataSensitivity'
-  'PurviewAccountAuditEvents'
-])
-param diagnosticLogCategoriesToEnable array = [
-  'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
-  'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
-  'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
@@ -90,24 +58,6 @@ param lock lockType
 // Variables //
 // =========== //
 
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
-  category: category
-  enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
-  {
-    categoryGroup: 'allLogs'
-    enabled: true
-  }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
-  category: metric
-  timeGrain: null
-  enabled: true
-}]
-
 var identityType = !empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
 
 var identity = identityType != 'None' ? {
@@ -158,18 +108,31 @@ resource account_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
   scope: account
 }
 
-resource account_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
-  name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource account_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
   properties: {
-    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
-    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
-    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
-    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
-    metrics: diagnosticsMetrics
-    logs: diagnosticsLogs
+    storageAccountId: diagnosticSetting.?storageAccountResourceId
+    workspaceId: diagnosticSetting.?workspaceResourceId
+    eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+    eventHubName: diagnosticSetting.?eventHubName
+    metrics: diagnosticSetting.?metricCategories ?? [
+      {
+        category: 'AllMetrics'
+        timeGrain: null
+        enabled: true
+      }
+    ]
+    logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+      {
+        categoryGroup: 'AllLogs'
+        enabled: true
+      }
+    ]
+    marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+    logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
   }
   scope: account
-}
+}]
 
 module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in accountPrivateEndpoints: {
   name: '${uniqueString(deployment().name, location)}-Account-PrivateEndpoint-${index}'
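Review bot: The `!empty(x) ? x : null` normalisation is dropped for `storageAccountId`, `workspaceId`, `eventHubAuthorizationRuleId` and `eventHubName`, so an entry that sets one of these to `''` now hands an empty string to the API where the old code sent `null` and treated the destination as "not configured"; the generated README usage example for the recovery-services vault in this same diff shows entries with exactly such `''` values (presumably redacted placeholders, but consumers copy them). Whether the diagnostic-settings API tolerates an empty resource ID is not visible here, so this is worth confirming; keeping the guard is cheap, e.g. `storageAccountId: !empty(diagnosticSetting.?storageAccountResourceId) ? diagnosticSetting.storageAccountResourceId : null`, and likewise for the other three. Separately, two entries that both omit `name` collapse to the same `'${name}-diagnosticSettings'` resource name inside the `[for]` loop, which ARM rejects as a duplicate resource; folding `index` into the default name, or documenting that `name` must be unique per entry, would avoid a confusing deployment-time error. Note also that the old `if (...)` guard meant nothing was deployed when no destination was given, whereas now an entry with no destination at all reaches the API.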
@@ -366,3 +329,41 @@ type roleAssignmentType = {
   @description('Optional. The Resource Id of the delegated managed identity resource.')
   delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+  @description('Optional. The name of diagnostic setting.')
+  name: string?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  logCategoriesAndGroups: {
+    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+    category: string?
+
+    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+    categoryGroup: string?
+  }[]?
+
+  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+  metricCategories: {
+    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+    category: string
+  }[]?
+
+  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  workspaceResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  storageAccountResourceId: string?
+
+  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+  eventHubAuthorizationRuleResourceId: string?
+
+  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+  eventHubName: string?
+
+  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+  marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json
index 3eafa9c4e2..d76b19e9d5 100644
--- a/modules/purview/account/main.json
+++ b/modules/purview/account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "5805240201913733834"
+      "templateHash": "13668353398980769357"
     },
     "name": "Purview Accounts",
     "description": "This module deploys a Purview Account.",
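Review bot: The `@description` on `metricCategories` is a copy of the log-categories text ("The name of logs that will be streamed ... Set to '' to disable log collection"), and it propagates verbatim into main.json and the generated README tables elsewhere in this diff; it should read something like `@description('Optional. The name of metrics that will be streamed. Set to [] to disable metric collection.')`. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable log collection", which no longer matches an array-of-objects property where an empty array is what bypasses the `?? [ { categoryGroup: 'AllLogs' ... } ]` default in the resource above. The removed `@allowed` lists also enforced the valid category and metric names at compile time, whereas the new type only mentions 'AllLogs'/'AllMetrics' in prose, so a typo in `category` is now only caught at deployment. Minor: `('Dedicated' | 'AzureDiagnostics' | null)?` declares null twice, since the trailing `?` already makes the property nullable (the compiled JSON in this diff reflects only `nullable: true`).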
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -154,32 +260,10 @@ "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + "description": "Optional. The diagnostic settings of the service." } }, "roleAssignments": { 
@@ -230,41 +314,6 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ScanStatus", - "DataSensitivity", - "PurviewAccountAuditEvents" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "lock": { "$ref": "#/definitions/lockType", "metadata": { 
@@ -273,26 +322,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -347,18 +376,23 @@ ] }, "account_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "account_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "account" @@ -405,7 +439,9 @@ "[parameters('accountPrivateEndpoints')[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('accountPrivateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'service'), parameters('accountPrivateEndpoints')[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" }, 
@@ -934,7 +970,9 @@ "[parameters('portalPrivateEndpoints')[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('portalPrivateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'service'), parameters('portalPrivateEndpoints')[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[resourceId('Microsoft.Purview/accounts', parameters('name'))]" }, @@ -1463,7 +1501,9 @@ "[parameters('storageBlobPrivateEndpoints')[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('storageBlobPrivateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'service'), parameters('storageBlobPrivateEndpoints')[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[reference('account').managedResources.storageAccount]" }, 
@@ -1992,7 +2032,9 @@ "[parameters('storageQueuePrivateEndpoints')[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('storageQueuePrivateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'service'), parameters('storageQueuePrivateEndpoints')[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[reference('account').managedResources.storageAccount]" }, @@ -2521,7 +2563,9 @@ "[parameters('eventHubPrivateEndpoints')[copyIndex()].service]" ] }, - "name": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'name'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].name), createObject('value', format('pe-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), parameters('eventHubPrivateEndpoints')[copyIndex()].service, copyIndex())))]", + "name": { + "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Purview/accounts', parameters('name')), '/')), coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'service'), parameters('eventHubPrivateEndpoints')[copyIndex()].service), copyIndex()))]" + }, "serviceResourceId": { "value": "[reference('account').managedResources.eventHubNamespace]" }, 
diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep
index 1cf146b1e3..942b0c01bf 100644
--- a/modules/recovery-services/vault/.test/common/main.test.bicep
+++ b/modules/recovery-services/vault/.test/common/main.test.bicep
@@ -312,10 +312,20 @@ module testDeployment '../../main.bicep' = {
       locale: 'en-US'
       sendToOwners: 'Send'
     }
-    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
-    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
-    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
-    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    diagnosticSettings: [
+      {
+        name: 'customSetting'
+        metricCategories: [
+          {
+            category: 'AllMetrics'
+          }
+        ]
+        eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+        eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+        storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+        workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+      }
+    ]
     lock: {
       kind: 'CanNotDelete'
       name: 'myCustomLockName'
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 710a8b9d78..b30ccb22f9 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
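Review bot: The common test never sets `logCategoriesAndGroups` or `logAnalyticsDestinationType`, so only the implicit "all logs" default and the default destination type of the new `diagnosticSettings` parameter are ever deployed, while the explicit log-category path and the 'Dedicated' table mode go untested (assuming the recovery-services module uses the same `diagnosticSettingType` shape as the purview one in this diff). Since the old `diagnosticLogCategoriesToEnable` parameter with its `@allowed` list is gone, this test is now the only place a wrong category name would surface, which argues for at least one explicit entry, e.g. adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` to the existing setting. The `testDeployment` module body continues outside this hunk.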
@@ -297,10 +297,20 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { crossRegionRestoreFlag: true storageModelType: 'GeoRedundant' } - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -616,17 +626,21 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "storageModelType": "GeoRedundant" } }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -936,13 +950,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`backupConfig`](#parameter-backupconfig) | object | The backup configuration. | | [`backupPolicies`](#parameter-backuppolicies) | array | List of all backup policies. | | [`backupStorageConfig`](#parameter-backupstorageconfig) | object | The storage configuration for the Azure Recovery Service Vault. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. 
| | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -980,56 +988,120 @@ The storage configuration for the Azure Recovery Service Vault. - Type: object - Default: `{object}` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
- Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -### Parameter: `diagnosticLogCategoriesToEnable` +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', AddonAzureBackupAlerts, AddonAzureBackupJobs, AddonAzureBackupPolicy, AddonAzureBackupProtectedInstance, AddonAzureBackupStorage, allLogs, AzureBackupReport, AzureSiteRecoveryEvents, AzureSiteRecoveryJobs, AzureSiteRecoveryProtectedDiskDataChurn, AzureSiteRecoveryRecoveryPoints, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationDataUploadRate, AzureSiteRecoveryReplicationStats, CoreAzureBackup]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
+ +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Health]` -- Allowed: `[Health]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
-Resource ID of the diagnostic log analytics workspace.
 - Required: No
 - Type: string
-- Default: `''`
 ### Parameter: `enableDefaultTelemetry`
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
index 9f72358012..708723f4f4 100644
--- a/modules/recovery-services/vault/main.bicep
+++ b/modules/recovery-services/vault/main.bicep
@@ -35,17 +35,8 @@ param replicationPolicies array = []
 @description('Optional. Replication alert settings.')
 param replicationAlertSettings object = {}
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
@@ -62,40 +53,6 @@ param userAssignedIdentities object = {}
 @description('Optional. Tags of the Recovery Service Vault resource.')
 param tags object = {}
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'AzureBackupReport'
- 'CoreAzureBackup'
- 'AddonAzureBackupJobs'
- 'AddonAzureBackupAlerts'
- 'AddonAzureBackupPolicy'
- 'AddonAzureBackupStorage'
- 'AddonAzureBackupProtectedInstance'
- 'AzureSiteRecoveryJobs'
- 'AzureSiteRecoveryEvents'
- 'AzureSiteRecoveryReplicatedItems'
- 'AzureSiteRecoveryReplicationStats'
- 'AzureSiteRecoveryRecoveryPoints'
- 'AzureSiteRecoveryReplicationDataUploadRate'
- 'AzureSiteRecoveryProtectedDiskDataChurn'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'Health'
-])
-param diagnosticMetricsToEnable array = [
- 'Health'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
@@ -112,24 +69,6 @@ param securitySettings object = {}
 ])
 param publicNetworkAccess string = 'Disabled'
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = identityType != 'None' ? {
@@ -280,18 +219,31 @@ resource rsv_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?
 scope: rsv
 }
-resource rsv_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource rsv_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: rsv
-}
+}]
 module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
 name: '${uniqueString(deployment().name, location)}-rsv-PrivateEndpoint-${index}'
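Review bot: In the new `rsv_diagnosticSettings` loop every entry that omits `name` falls back to the same `'${name}-diagnosticSettings'`, so two unnamed entries in `diagnosticSettings` declare duplicate resource names and the deployment fails; the `index` bound in the `for` is never used. Keeping the existing default for the first entry and suffixing later ones avoids this, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The removed `if (...)` also skipped the resource when no destination was configured, whereas an entry with none of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `eventHubName` now produces a setting with no sink, which the service is likely to reject; a comment on the loop such as `// each entry must name at least one destination` would make that contract visible. The same loop is introduced for `namespace_diagnosticSettings` in the relay namespace module, whose hunk runs past the end of this chunk.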
@@ -435,3 +387,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json
index 7750cd92af..6fddf5168d 100644
--- a/modules/recovery-services/vault/main.json
+++ b/modules/recovery-services/vault/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18071219437488325472"
+ "templateHash": "15528544750404538266"
 },
 "name": "Recovery Services Vaults",
 "description": "This module deploys a Recovery Services Vault.",
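Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` is the log description copied verbatim ("The name of logs that will be streamed… Set to '' to disable log collection."), and because the README and main.json are generated from it the wrong text now appears in three places on this page. Suggest `@description('Optional. The name of metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.')`. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable", but the member is now an array of objects: passing `[]` yields an empty `logs` list, while omitting it or passing `null` triggers the `AllLogs` fallback in the resource, so the text should name `[]` as the disabling value. Finally, `('Dedicated' | 'AzureDiagnostics' | null)?` appears to carry a redundant `| null` next to the trailing `?`, which every other optional member here uses on its own.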
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -327,32 +433,10 @@ "description": "Optional. Replication alert settings." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "roleAssignments": { 
@@ -388,52 +472,6 @@ "description": "Optional. Tags of the Recovery Service Vault resource." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AzureBackupReport", - "CoreAzureBackup", - "AddonAzureBackupJobs", - "AddonAzureBackupAlerts", - "AddonAzureBackupPolicy", - "AddonAzureBackupStorage", - "AddonAzureBackupProtectedInstance", - "AzureSiteRecoveryJobs", - "AzureSiteRecoveryEvents", - "AzureSiteRecoveryReplicatedItems", - "AzureSiteRecoveryReplicationStats", - "AzureSiteRecoveryRecoveryPoints", - "AzureSiteRecoveryReplicationDataUploadRate", - "AzureSiteRecoveryProtectedDiskDataChurn" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Health" - ], - "allowedValues": [ - "Health" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "privateEndpoints": { "$ref": "#/definitions/privateEndpointType", "metadata": { 
@@ -467,26 +505,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -551,18 +569,23 @@ ] }, "rsv_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "rsv_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + 
"eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "rsv" diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/.test/common/main.test.bicep index 0543c88576..42d99dfca1 100644 --- a/modules/relay/namespace/.test/common/main.test.bicep +++ b/modules/relay/namespace/.test/common/main.test.bicep 
@@ -149,10 +149,20 @@ module testDeployment '../../main.bicep' = {
 relayType: 'NetTcp'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 privateEndpoints: [
 {
 service: 'namespace'
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index 96fdc19002..83d2b108d5 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -72,10 +72,20 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 ]
 }
 ]
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 enableDefaultTelemetry: ''
 hybridConnections: [
 {
@@ -196,17 +206,21 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 }
 ]
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "enableDefaultTelemetry": {
 "value": ""
@@ -464,13 +478,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Relay namespace. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`hybridConnections`](#parameter-hybridconnections) | array | The hybrid connections to create in the relay namespace. |
 | [`location`](#parameter-location) | string | Location for all resources. |
@@ -489,56 +497,120 @@ Authorization Rules for the Relay namespace. - Type: array - Default: `[System.Management.Automation.OrderedHashtable]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
- Required: No - Type: string -- Default: `''` +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -### Parameter: `diagnosticLogCategoriesToEnable` +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs, hybridConnectionsEvent]` -- Allowed: `['', allLogs, hybridConnectionsEvent, OperationalLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. 
The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep
index 0f2299644b..e05491e6b0 100644
--- a/modules/relay/namespace/main.bicep
+++ b/modules/relay/namespace/main.bicep
@@ -28,17 +28,8 @@ param authorizationRules array = [
 }
 ]
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -64,47 +55,6 @@ param hybridConnections array = [] @description('Optional. The wcf relays to create in the relay namespace.') param wcfRelays array = [] -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'OperationalLogs' - 'hybridConnectionsEvent' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' - 'hybridConnectionsEvent' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false var builtInRoleNames = { 
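Review bot: Dropping the `@allowed` list on the log categories (the removed `''`/`'allLogs'`/`'OperationalLogs'`/`'hybridConnectionsEvent'` block in this hunk) removes the only compile-time validation of category names; the replacement `logCategoriesAndGroups.category: string?` in the new `diagnosticSettingType` accepts any string, so a mistyped category is now rejected only at deployment time. The search-service hunk that drops `@allowed(['OperationLogs'])` has the same gap. If a per-module constraint on the shared type is not wanted, the `category` description should at least name the values the removed decorator permitted, e.g. `@description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. For Relay namespaces the known categories are OperationalLogs and hybridConnectionsEvent.')`.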
@@ -238,18 +188,31 @@ resource namespace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( scope: namespace } -resource namespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource namespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: namespace -} +}] module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? 
[]): { name: '${uniqueString(deployment().name, location)}-namespace-PrivateEndpoint-${index}' 
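Review bot: The fallback in the new loop, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'`, is identical for every entry, so two `diagnosticSettings` items that both omit `name` declare two resources with the same name in the same scope and collide; the old single-resource form could not hit this. Folding the loop index into the fallback avoids it without changing the single-entry name: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The log default also changed case from the removed `categoryGroup: 'allLogs'` to `'AllLogs'`; unless that was verified against a deployment, keeping the previous casing is the safer choice. The removed `if (!empty(...))` guard is gone as well, so an entry with no destination set is now sent to the API as-is rather than skipped; a comment above the loop, `// each entry must set at least one destination (storage account, workspace, event hub or marketplace partner)`, would make that contract visible to callers.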
@@ -390,3 +353,41 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index 6d499747c1..086bffddff 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16916844695310222136" + "templateHash": "14407783319631235509" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", 
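Review bot: The `metricCategories` description in the new `diagnosticSettingType` is a copy of the log one ("The name of logs that will be streamed. \"allLogs\" includes all possible logs ... Set to '' to disable log collection"), and the `logCategoriesAndGroups` description still tells callers to pass `''` although the property is now an array of objects; both texts are carried verbatim into the regenerated main.json and README hunks below. Suggested replacements: `@description('Optional. The name of metrics that will be streamed. Set to an empty array to disable metric collection.')` for `metricCategories`, and for `logCategoriesAndGroups` replace the last sentence with `Set to an empty array to disable log collection.` — an empty array passes through the `??` default on the resource, whereas omitting the property enables the `AllLogs` group. The `logAnalyticsDestinationType` text ending in "or use a destination type" also reads as truncated and deserves a complete sentence.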
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -296,32 +402,10 @@ "description": "Optional. Authorization Rules for the Relay namespace." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -376,64 +460,9 @@ "metadata": { "description": "Optional. The wcf relays to create in the relay namespace." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs", - "hybridConnectionsEvent" - ], - "allowedValues": [ - "", - "allLogs", - "OperationalLogs", - "hybridConnectionsEvent" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), 
createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Azure Relay Listener": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '26e0b698-aa6d-4085-9386-aadae190014d')]", 
@@ -487,18 +516,23 @@ ] }, "namespace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "namespace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "namespace" diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep index b625c612ca..69b3722a94 100644 --- a/modules/search/search-service/.test/common/main.test.bicep +++ b/modules/search/search-service/.test/common/main.test.bicep 
@@ -104,10 +104,20 @@ module testDeployment '../../main.bicep' = { } ] } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 7dfccea700..268380a6de 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -56,10 +56,20 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { } } cmkEnforcement: 'Enabled' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableLocalAuth: false enableDefaultTelemetry: '' hostingMode: 'highDensity' 
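Review bot: The new `diagnosticSettings` entry in the test sets `metricCategories` and all four destinations but never sets `logCategoriesAndGroups`, so the only log configuration CI validates is the module's built-in `AllLogs` default, and `logAnalyticsDestinationType` and `marketplacePartnerResourceId` are not exercised either. Adding an explicit log entry such as `logCategoriesAndGroups: [ { category: 'OperationLogs' } ]` (the value the removed `@allowed` list permitted for this module) would cover the per-category path the refactor introduced. The enclosing `testDeployment` module starts outside the hunk.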
@@ -129,17 +139,21 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { "cmkEnforcement": { "value": "Enabled" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableLocalAuth": { "value": false 
@@ -392,13 +406,7 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { | :-- | :-- | :-- | | [`authOptions`](#parameter-authoptions) | object | Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. | | [`cmkEnforcement`](#parameter-cmkenforcement) | string | Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. | 
@@ -430,56 +438,120 @@ Describes a policy that determines how resources within the search service are t - Default: `'Unspecified'` - Allowed: `[Disabled, Enabled, Unspecified]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. - Required: No - Type: array -- Default: `[OperationLogs]` -- Allowed: `[OperationLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAuth` diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index ad25223fcd..063f199ee2 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep 
@@ -83,36 +83,8 @@ param sku string = 'standard'
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
-@description('Optional. The name of logs that will be streamed.')
-@allowed([
- 'OperationLogs'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'OperationLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Tags to help categorize the resource in the Azure portal.')
 param tags object = {}
@@ -121,17 +93,6 @@ param tags object = {}
 // Variables //
 // ============= //
-var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
- category: category
- enabled: true
-}]
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var enableReferencedModulesTelemetry = false
 var identityType = systemAssignedIdentity ? 'SystemAssigned' : 'None'
@@ -189,18 +150,31 @@ resource searchService 'Microsoft.Search/searchServices@2022-09-01' = {
 }
 }
-resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: searchService
-}
+}]
 resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
 name: lock.?name ?? 'lock-${name}'
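Review bot: The new `properties` block forwards `diagnosticSetting.?storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` and `eventHubName` unchanged, whereas the removed lines mapped an empty string to `null` and the removed `if (...)` guard skipped the resource when no destination was given; an entry that sets a destination to `''` — the convention the README usage examples on this page still show — now sends an empty string to `Microsoft.Insights/diagnosticSettings`, and an entry with no destination at all still produces a resource, which I would expect ARM to reject at deployment time (not verified here). Because diagnostic settings are the audit-log path for this resource, the meaning of `''` versus an omitted property should be pinned down rather than left to the API: either restore the normalisation for each of the four destinations, e.g. `storageAccountId: empty(diagnosticSetting.?storageAccountResourceId ?? '') ? null : diagnosticSetting.?storageAccountResourceId`, or state in the `diagnosticSettingType` descriptions that a destination must be omitted, not set to `''`. The service-bus hunk `@@ -367,18 +319,31 @@` further down has the identical block.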
@@ -371,3 +345,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json
index 3297608f20..c40e5596be 100644
--- a/modules/search/search-service/main.json
+++ b/modules/search/search-service/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9705671416118103227"
+ "templateHash": "416393199352439530"
 },
 "name": "Search Services",
 "description": "This module deploys a Search Service.",
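Review bot: The `@description` on `metricCategories` in the new `diagnosticSettingType` is a copy of the `logCategoriesAndGroups` text ("The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection."), and the same wrong wording is carried into main.json and both README tables on this page; it should read along the lines of `@description('Optional. The metric categories that will be streamed. Set to an empty array to disable metric collection.')`. The "Set to '' to disable log collection" sentence is also stale for `logCategoriesAndGroups` now that the property is an array: with the `?? [...]` fallback in the resource, omitting the property enables the `AllLogs` category group and only an explicit `[]` passes `logs: []`, so the description should say that. The `name` description could likewise state the `'${name}-diagnosticSettings'` default the resource applies. The service-bus type is not in this diff, so I cannot tell whether it shares the text.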
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -396,63 +502,10 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "OperationLogs" - ], - "allowedValues": [ - "OperationLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + "description": "Optional. The diagnostic settings of the service." } }, "tags": { @@ -464,25 +517,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "enableReferencedModulesTelemetry": false, "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", 
@@ -536,18 +570,23 @@ } }, "searchService_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "searchService_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "searchService" diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index 258fb6ffca..02fee0b4ea 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep 
@@ -185,10 +185,20 @@ module testDeployment '../../main.bicep' = { ] } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] privateEndpoints: [ { service: 'namespace' diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 684a6dcac6..13de5e2461 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -75,10 +75,20 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableLocalAuth: true enableDefaultTelemetry: '' lock: { 
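Review bot: The updated test supplies only `metricCategories` and the four destinations, so `logCategoriesAndGroups`, `logAnalyticsDestinationType` and `marketplacePartnerResourceId` — the new fields of `diagnosticSettingType` — are never exercised, and the logs actually deployed come from the module's `AllLogs` fallback rather than from the test input. Adding `logCategoriesAndGroups: [ { categoryGroup: 'allLogs' } ]` to the entry would cover the user-supplied log path, and since the generated README example is derived from this file the documented usage would then show both halves of the setting. The enclosing `testDeployment` module call starts before the hunk and continues after it.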
@@ -241,17 +251,21 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableLocalAuth": { "value": true 
@@ -760,13 +774,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | | [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
| -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Service Bus namespace. | | [`disasterRecoveryConfigs`](#parameter-disasterrecoveryconfigs) | object | The disaster recovery configuration. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -831,56 +839,120 @@ User assigned identity to use when fetching the customer managed key. If not pro - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, OperationalLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `disableLocalAuth` 
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index c819ee7c84..87ecd77360 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -63,17 +63,8 @@ param migrationConfigurations object = {}
 @description('Optional. The disaster recovery configuration.')
 param disasterRecoveryConfigs object = {}
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -132,45 +123,6 @@ param cMKUserAssignedIdentityResourceId string = ''
 @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = true
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'OperationalLogs'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = identityType != 'None' ? {
@@ -367,18 +319,31 @@ resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2020-05-01' = i
 scope: serviceBusNamespace
 }
 
-resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: serviceBusNamespace
-}
+}]
 
 module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main.bicep' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
 name: '${uniqueString(deployment().name, location)}-serviceBusNamespace-PrivateEndpoint-${index}'
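Review bot: Two or more entries that omit `name` collide on the loop's default in `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'`, so such a deployment fails with duplicate resource names, and the former `if (!empty(...))` guard that skipped a setting with no destination is gone, so an entry without any sink is now submitted as-is (presumably rejected by the service). The loop declares `index` but never uses it; `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')` keeps the old default for the first entry and makes the others unique. Alternatively, state in the type's `name` description that it must be unique across entries and is effectively required when more than one setting is passed. The private-endpoint module at the end of the hunk continues outside it.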
@@ -522,3 +487,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index 2c000d1410..cc90af1105 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15092397707699108570"
+ "templateHash": "5514287730537410098"
 },
 "name": "Service Bus Namespaces",
 "description": "This module deploys a Service Bus Namespace.",
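Review bot: The `@description` on `metricCategories` is a copy of the logs text ("The name of logs that will be streamed ... Set to '' to disable log collection"), and the `logCategoriesAndGroups` description keeps the `''` wording of the removed string-array parameter, which does not apply to an array of objects; judging by the `?? [ ... ]` defaults in the resource hunk, an empty array is what now disables collection. Suggested wording: `@description('Optional. The metric categories to stream. Set to [] to disable metric collection.')` for `metricCategories`, and `@description('Optional. The log categories and category groups to stream. Set to [] to disable log collection.')` for `logCategoriesAndGroups`. The same text is carried into the generated main.json definition and into the sql/managed-instance README parameter tables in this commit, which are produced from these descriptions. Minor: `('Dedicated' | 'AzureDiagnostics' | null)?` declares null twice; `('Dedicated' | 'AzureDiagnostics')?` compiles to the same `nullable` definition shown in main.json.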
@@ -252,6 +252,112 @@
 }
 },
 "nullable": true
+ },
+ "diagnosticSettingType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -359,32 +465,10 @@
 "description": "Optional. The disaster recovery configuration."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "lock": {
@@ -508,62 +592,9 @@
 "metadata": {
 "description": "Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters."
 }
- },
- "diagnosticLogCategoriesToEnable": {
- "type": "array",
- "defaultValue": [
- "allLogs"
- ],
- "allowedValues": [
- "",
- "allLogs",
- "OperationalLogs"
- ],
- "metadata": {
- "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
- }
- },
- "diagnosticMetricsToEnable": {
- "type": "array",
- "defaultValue": [
- "AllMetrics"
- ],
- "allowedValues": [
- "AllMetrics"
- ],
- "metadata": {
- "description": "Optional. The name of metrics that will be streamed."
- }
- },
- "diagnosticSettingsName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"."
- }
 }
 },
 "variables": {
- "copy": [
- {
- "name": "diagnosticsLogsSpecified",
- "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]",
- "input": {
- "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]",
- "enabled": true
- }
- },
- {
- "name": "diagnosticsMetrics",
- "count": "[length(parameters('diagnosticMetricsToEnable'))]",
- "input": {
- "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]",
- "timeGrain": null,
- "enabled": true
- }
- }
- ],
- "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]",
 "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false,
@@ -653,18 +684,23 @@
 ]
 },
 "serviceBusNamespace_diagnosticSettings": {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "copy": {
+ "name": "serviceBusNamespace_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
 "serviceBusNamespace"
diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep
index 4262b08845..64c6288ad0 100644
--- a/modules/sql/managed-instance/.test/common/main.test.bicep
+++ b/modules/sql/managed-instance/.test/common/main.test.bicep
@@ -92,12 +92,31 @@ module testDeployment '../../main.bicep' = {
 name: 'default'
 }
 name: '${namePrefix}-${serviceShort}-db-001'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
 dnsZonePartner: ''
 encryptionProtectorObj: {
 serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index ce6959a362..0c6387413b 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
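Review bot: The two new `diagnosticSettings` entries only exercise the four destination fields and `metricCategories`, so `logCategoriesAndGroups`, `logAnalyticsDestinationType` and `marketplacePartnerResourceId` of the new type are never deployed by this test. Adding `logCategoriesAndGroups: [ { categoryGroup: 'AllLogs' } ]` to the instance-level entry would cover the log path and the `categoryGroup` branch without any extra dependency outputs. Both entries reuse `name: 'customSetting'`; that works because they are scoped to different resources, but distinct names would make a failing deployment easier to attribute. The enclosing `module testDeployment` starts before the hunk.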
@@ -68,13 +68,32 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 backupShortTermRetentionPolicies: {
 name: 'default'
 }
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 name: 'sqlmicom-db-001'
 }
 ]
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 dnsZonePartner: ''
 enableDefaultTelemetry: ''
 encryptionProtectorObj: {
@@ -174,21 +193,34 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 "backupShortTermRetentionPolicies": {
 "name": "default"
 },
+ "diagnosticSettings": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ],
 "name": "sqlmicom-db-001"
 }
 ]
 },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": ""
- },
- "diagnosticEventHubName": {
- "value": ""
- },
- "diagnosticStorageAccountId": {
- "value": ""
- },
- "diagnosticWorkspaceId": {
- "value": ""
+ "diagnosticSettings": {
+ "value": [
+ {
+ "eventHubAuthorizationRuleResourceId": "",
+ "eventHubName": "",
+ "metricCategories": [
+ {
+ "category": "AllMetrics"
+ }
+ ],
+ "name": "customSetting",
+ "storageAccountResourceId": "",
+ "workspaceResourceId": ""
+ }
+ ]
 },
 "dnsZonePartner": {
 "value": ""
@@ -492,13 +524,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 | [`administratorsObj`](#parameter-administratorsobj) | object | The administrator configuration. |
 | [`collation`](#parameter-collation) | string | Collation of the managed instance. |
 | [`databases`](#parameter-databases) | array | Databases to create in this server. |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`dnsZonePartner`](#parameter-dnszonepartner) | string | The resource ID of another managed instance whose DNS zone this managed instance will share after creation. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`encryptionProtectorObj`](#parameter-encryptionprotectorobj) | object | The encryption protection configuration. |
@@ -562,56 +588,120 @@ Databases to create in this server.
 - Type: array
 - Default: `[]`
 
-### Parameter: `diagnosticEventHubAuthorizationRuleId`
+### Parameter: `diagnosticSettings`
+
+The diagnostic settings of the service.
+- Required: No
+- Type: array
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
+| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
+| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. |
+| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+
+### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
+
+Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
 
-Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
 - Required: No
 - Type: string
-- Default: `''`
 
-### Parameter: `diagnosticEventHubName`
+### Parameter: `diagnosticSettings.eventHubName`
+
+Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
-Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
 - Required: No
 - Type: string
-- Default: `''`
 
-### Parameter: `diagnosticLogCategoriesToEnable`
+### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
+
+Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
+
+- Required: No
+- Type: string
+- Allowed: `[AzureDiagnostics, Dedicated]`
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups`
+
+Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 
-The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 - Required: No
 - Type: array
-- Default: `[allLogs]`
-- Allowed: `['', allLogs, ResourceUsageStats, SQLSecurityAuditEvents]`
 
-### Parameter: `diagnosticMetricsToEnable`
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
+| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. |
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups.category`
+
+Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
+
+- Required: No
+- Type: string
+
+### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup`
+
+Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs.
+
+- Required: No
+- Type: string
+
+
+### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
+
+Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+
+- Required: No
+- Type: string
+
+### Parameter: `diagnosticSettings.metricCategories`
+
+Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 
-The name of metrics that will be streamed.
 - Required: No
 - Type: array
-- Default: `[AllMetrics]`
-- Allowed: `[AllMetrics]`
 
-### Parameter: `diagnosticSettingsName`
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
+
+### Parameter: `diagnosticSettings.metricCategories.category`
+
+Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
+
+- Required: Yes
+- Type: string
+
+
+### Parameter: `diagnosticSettings.name`
+
+Optional. The name of diagnostic setting.
 
-The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".
 - Required: No
 - Type: string
-- Default: `''`
 
-### Parameter: `diagnosticStorageAccountId`
+### Parameter: `diagnosticSettings.storageAccountResourceId`
+
+Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
-Resource ID of the diagnostic storage account.
 - Required: No
 - Type: string
-- Default: `''`
 
-### Parameter: `diagnosticWorkspaceId`
+### Parameter: `diagnosticSettings.workspaceResourceId`
+
+Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
-Resource ID of the diagnostic log analytics workspace.
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `dnsZonePartner`
 
diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md
index 03ea3aeb62..886dac15da 100644
--- a/modules/sql/managed-instance/database/README.md
+++ b/modules/sql/managed-instance/database/README.md
@@ -48,12 +48,7 @@ This module deploys a SQL Managed Instance Database.
 | [`catalogCollation`](#parameter-catalogcollation) | string | Collation of the managed instance. |
 | [`collation`](#parameter-collation) | string | Collation of the managed instance database. |
 | [`createMode`](#parameter-createmode) | string | Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). |
-| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". |
-| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. |
-| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. |
+| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
@@ -96,48 +91,100 @@ Managed database create mode. PointInTimeRestore: Create a database by restoring - Default: `'Default'` - Allowed: `[Default, PointInTimeRestore, Recovery, RestoreExternalBackup, RestoreLongTermRetentionBackup]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+ +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. 
+### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep index caa60c0c36..5bd0e8cf7b 100644 --- a/modules/sql/managed-instance/database/main.bicep +++ b/modules/sql/managed-instance/database/main.bicep 
@@ -48,17 +48,8 @@ param recoverableDatabaseId string = '' @description('Conditional. The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup.') param longTermRetentionBackupResourceId string = '' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -75,34 +66,6 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'SQLInsights' - 'QueryStoreRuntimeStatistics' - 'QueryStoreWaitStatistics' - 'Errors' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
@@ -149,17 +112,24 @@ resource database_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l scope: database } -resource database_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: database -} +}] module database_backupShortTermRetentionPolicy 'backup-short-term-retention-policy/main.bicep' = if (!empty(backupShortTermRetentionPoliciesObj)) { name: '${deployment().name}-BackupShortTRetPol' 
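Review bot: User-supplied `logCategoriesAndGroups` entries are passed through to `logs` as-is, but `diagnosticSettingType` items only carry `category`/`categoryGroup`, so only the fallback entry has `enabled: true`; as far as I can tell the diagnostic settings API requires `enabled` on every log entry, which would make any explicit category selection fail at deployment and leave the database with no log export at all. Mapping the list through a for-expression that sets `enabled: true` avoids that (sketch below); `managedInstance_diagnosticSettings` in modules/sql/managed-instance/main.bicep has the same gap for both `logs` and `metrics`. Separately, `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` yields the same resource name for every entry that omits `name`, so two or more unnamed entries collide; either append `index` for entries after the first or document that `name` is required and unique when more than one setting is passed. The loop also drops the old guard that only deployed when at least one destination was set, so an entry with no sink now reaches the API instead of being skipped. The `module database_backupShortTermRetentionPolicy` declaration at the end of the hunk continues outside it.
```bicep
resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: database
}]
```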
@@ -209,3 +179,35 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json index 195e370b95..db4a4d2966 100644 --- a/modules/sql/managed-instance/database/main.json +++ b/modules/sql/managed-instance/database/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8908616981985554666" + "templateHash": "11809118815295815977" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", 
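Review bot: The `@description` on `logCategoriesAndGroups` still says `Set to '' to disable log collection`, which was written for the removed string-array parameter; the property is now an array of objects, and given the `?? [ ... ]` fallback in the resource, an empty array is what yields no log entries. Suggested text: `@description('Optional. The log categories and category groups to stream. Defaults to the \'AllLogs\' category group; pass an empty array to stream no logs.')`. The README tables appear to be generated from these descriptions, so the stale sentence is reproduced in the README hunk above as well; the `diagnosticSettingType` in modules/sql/managed-instance/main.bicep carries the same text. Style: in `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` the `| null` looks redundant with the trailing `?`.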
@@ -37,6 +37,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -136,32 +224,10 @@ "description": "Conditional. The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -197,44 +263,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "SQLInsights", - "QueryStoreRuntimeStatistics", - "QueryStoreWaitStatistics", - "Errors" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -295,17 +326,22 @@ ] }, "database_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "database_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "database" diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index ff2d8c9b35..330edebd43 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep 
@@ -86,17 +86,8 @@ param restorePointInTime string = '' @description('Optional. The resource identifier of the source managed instance associated with create operation of this instance.') param sourceManagedInstanceId string = '' -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType 
@@ -155,46 +146,6 @@ param minimalTlsVersion string = '1.2' ]) param requestedBackupStorageRedundancy string = 'Geo' -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'ResourceUsageStats' - 'SQLSecurityAuditEvents' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -276,18 +227,31 @@ resource managedInstance_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! scope: managedInstance } -resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: managedInstance -} +}] resource managedInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? 
[]): { name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) @@ -311,9 +275,7 @@ module managedInstance_databases 'database/main.bicep' = [for (database, index) catalogCollation: contains(database, 'catalogCollation') ? database.catalogCollation : 'SQL_Latin1_General_CP1_CI_AS' collation: contains(database, 'collation') ? database.collation : 'SQL_Latin1_General_CP1_CI_AS' createMode: contains(database, 'createMode') ? database.createMode : 'Default' - diagnosticStorageAccountId: contains(database, 'diagnosticStorageAccountId') ? database.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(database, 'diagnosticEventHubAuthorizationRuleId') ? database.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(database, 'diagnosticEventHubName') ? database.diagnosticEventHubName : '' + diagnosticSettings: database.?diagnosticSettings location: contains(database, 'location') ? database.location : managedInstance.location lock: database.?lock ?? lock longTermRetentionBackupResourceId: contains(database, 'longTermRetentionBackupResourceId') ? database.longTermRetentionBackupResourceId : '' 
@@ -324,7 +286,6 @@ module managedInstance_databases 'database/main.bicep' = [for (database, index) storageContainerSasToken: contains(database, 'storageContainerSasToken') ? database.storageContainerSasToken : '' storageContainerUri: contains(database, 'storageContainerUri') ? database.storageContainerUri : '' tags: contains(database, 'tags') ? database.tags : {} - diagnosticWorkspaceId: contains(database, 'diagnosticWorkspaceId') ? database.diagnosticWorkspaceId : '' backupShortTermRetentionPoliciesObj: contains(database, 'backupShortTermRetentionPolicies') ? database.backupShortTermRetentionPolicies : {} backupLongTermRetentionPoliciesObj: contains(database, 'backupLongTermRetentionPolicies') ? database.backupLongTermRetentionPolicies : {} enableDefaultTelemetry: enableReferencedModulesTelemetry 
@@ -445,3 +406,41 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? 
+ + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index c6bb21f7f8..646e61a20a 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7653568276267549552" + "templateHash": "16983144264523357035" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", 
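Review bot: The `@description` on `metricCategories` is a copy of the logs description (`The name of logs that will be streamed ... Set to '' to disable log collection`), so the generated README will document the metrics property with the wrong text. Suggested: `@description('Optional. The metric categories to stream. Defaults to the \'AllMetrics\' category.')`. Note also that `category` is required here while `logCategoriesAndGroups.category` is optional; if that asymmetry is intentional (a metric entry needs a category, a log entry may use `categoryGroup` instead), a short why-comment next to it would help the next maintainer.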
@@ -103,6 +103,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -273,32 +379,10 @@ "description": "Optional. The resource identifier of the source managed instance associated with create operation of this instance." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -415,63 +499,9 @@ "metadata": { "description": "Optional. The storage account type used to store backups for this database." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "ResourceUsageStats", - "SQLSecurityAuditEvents" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), 
createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -557,18 +587,23 @@ ] }, "managedInstance_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "managedInstance_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "managedInstance" 
@@ -619,9 +654,9 @@ "catalogCollation": "[if(contains(parameters('databases')[copyIndex()], 'catalogCollation'), createObject('value', parameters('databases')[copyIndex()].catalogCollation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", "createMode": "[if(contains(parameters('databases')[copyIndex()], 'createMode'), createObject('value', parameters('databases')[copyIndex()].createMode), createObject('value', 'Default'))]", - "diagnosticStorageAccountId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('databases')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('databases')[copyIndex()], 'diagnosticSettings')]" + }, "location": "[if(contains(parameters('databases')[copyIndex()], 'location'), createObject('value', parameters('databases')[copyIndex()].location), createObject('value', reference('managedInstance', '2022-05-01-preview', 'full').location))]", "lock": { "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'lock'), parameters('lock'))]" 
@@ -634,7 +669,6 @@ "storageContainerSasToken": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerSasToken'), createObject('value', parameters('databases')[copyIndex()].storageContainerSasToken), createObject('value', ''))]", "storageContainerUri": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerUri'), createObject('value', parameters('databases')[copyIndex()].storageContainerUri), createObject('value', ''))]", "tags": "[if(contains(parameters('databases')[copyIndex()], 'tags'), createObject('value', parameters('databases')[copyIndex()].tags), createObject('value', createObject()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('databases')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]", "backupShortTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 'backupShortTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupShortTermRetentionPolicies), createObject('value', createObject()))]", "backupLongTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 'backupLongTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupLongTermRetentionPolicies), createObject('value', createObject()))]", "enableDefaultTelemetry": { @@ -649,7 +683,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8908616981985554666" + "templateHash": "11809118815295815977" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", 
@@ -680,6 +714,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -779,32 +901,10 @@ "description": "Conditional. The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { 
@@ -840,44 +940,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "SQLInsights", - "QueryStoreRuntimeStatistics", - "QueryStoreWaitStatistics", - "Errors" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -938,17 +1003,22 @@ ] }, "database_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "database_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Sql/managedInstances/{0}/databases/{1}', parameters('managedInstanceName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "database" diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index 82ce535569..0655a40b92 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep 
@@ -117,10 +117,15 @@ module testDeployment '../../main.bicep' = {
 capacity: 0
 maxSizeBytes: 34359738368
 licenseType: 'LicenseIncluded'
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/${namePrefix}-${serviceShort}/elasticPools/${namePrefix}-${serviceShort}-ep-001'
 encryptionProtectorObj: {
 serverKeyType: 'AzureKeyVault'
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 40b906cc47..5acbefa33c 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -135,10 +135,15 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 }
 capacity: 0
 collation: 'SQL_Latin1_General_CP1_CI_AS'
- diagnosticEventHubAuthorizationRuleId: ''
- diagnosticEventHubName: ''
- diagnosticStorageAccountId: ''
- diagnosticWorkspaceId: ''
+ diagnosticSettings: [
+ {
+ eventHubAuthorizationRuleResourceId: ''
+ eventHubName: ''
+ name: 'customSetting'
+ storageAccountResourceId: ''
+ workspaceResourceId: ''
+ }
+ ]
 elasticPoolId: ''
 encryptionProtectorObj: {
 serverKeyName: ''
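Review bot: The single `diagnosticSettings` entry sets only the four sinks, so nothing in this test exercises `logCategoriesAndGroups`, `metricCategories` or `logAnalyticsDestinationType`, and only the module's null-fallback category path gets deployed. A second entry that selects a category explicitly, such as `{ name: 'auditOnly', workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId, logCategoriesAndGroups: [ { category: 'SQLSecurityAuditEvents' } ] }`, would cover that path and keep the security-audit category under test now that this commit removes the `@allowed` list that used to validate it in the database module (assuming this entry sits inside a `databases` item, which the hunk does not show). Give it a `name` distinct from `customSetting`, since the default name is derived from the resource name in the managed-instance template of this commit and two unnamed entries would presumably collide. The enclosing `module testDeployment` block starts and ends outside the hunk.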
@@ -272,10 +277,15 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { }, "capacity": 0, "collation": "SQL_Latin1_General_CP1_CI_AS", - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "elasticPoolId": "", "encryptionProtectorObj": { "serverKeyName": "", diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md index 73ac2bae07..a5f07c4b92 100644 --- a/modules/sql/server/database/README.md +++ b/modules/sql/server/database/README.md 
@@ -41,13 +41,7 @@ This module deploys an Azure SQL Server Database. | [`backupShortTermRetentionPolicy`](#parameter-backupshorttermretentionpolicy) | object | The short term backup retention policy to create for the database. | | [`collation`](#parameter-collation) | string | The collation of the database. | | [`createMode`](#parameter-createmode) | string | Specifies the mode of database creation. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`elasticPoolId`](#parameter-elasticpoolid) | string | The resource ID of the elastic pool containing this database. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`highAvailabilityReplicaCount`](#parameter-highavailabilityreplicacount) | int | The number of readonly secondary replicas associated with the database. | 
@@ -109,56 +103,120 @@ Specifies the mode of database creation. - Default: `'Default'` - Allowed: `[Copy, Default, OnlineSecondary, PointInTimeRestore, Recovery, Restore, RestoreLongTermRetentionBackup, Secondary]` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AutomaticTuning, Blocks, DatabaseWaitStatistics, Deadlocks, DevOpsOperationsAudit, Errors, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, SQLInsights, SQLSecurityAuditEvents, Timeouts]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` -- Allowed: `[Basic, InstanceAndAppAdvanced, WorkloadManagement]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `elasticPoolId` diff --git a/modules/sql/server/database/main.bicep b/modules/sql/server/database/main.bicep index 67a545d328..789fd60793 100644 --- a/modules/sql/server/database/main.bicep +++ b/modules/sql/server/database/main.bicep 
@@ -74,49 +74,8 @@ param location string = resourceGroup().location @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'SQLInsights' - 'AutomaticTuning' - 'QueryStoreRuntimeStatistics' - 'QueryStoreWaitStatistics' - 'Errors' - 'DatabaseWaitStatistics' - 'Timeouts' - 'Blocks' - 'Deadlocks' - 'DevOpsOperationsAudit' - 'SQLSecurityAuditEvents' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'Basic' - 'InstanceAndAppAdvanced' - 'WorkloadManagement' -]) -param diagnosticMetricsToEnable array = [ - 'Basic' - 'InstanceAndAppAdvanced' - 'WorkloadManagement' -] +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Specifies the mode of database creation.') @allowed([ 
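Review bot: Dropping the `@allowed([...])` lists that sat on `diagnosticLogCategoriesToEnable` and `diagnosticMetricsToEnable` moves validation of category names from compile time to deployment time: a typo in `logCategoriesAndGroups[].category` or `metricCategories[].category` on the new `diagnosticSettings` param is now only caught when the Insights API rejects it. Since `diagnosticSettingType` (declared at the end of this file) is shared and generic, reintroducing an allowed list on the type is probably not wanted, but the parameter description should tell callers where the accepted values come from. Suggest extending the `@description` on `param diagnosticSettings` to name the categories the old lists carried (log categories SQLInsights, AutomaticTuning, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timeouts, Blocks, Deadlocks, DevOpsOperationsAudit, SQLSecurityAuditEvents; metric categories Basic, InstanceAndAppAdvanced, WorkloadManagement) or to point at the module README. Note also that the default metric set changes from those three SQL-specific categories to `AllMetrics`, which existing callers will not expect.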
@@ -143,27 +102,6 @@ param recoveryServicesRecoveryPointResourceId string = '' @description('Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore.') param restorePointInTime string = '' -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - @description('Optional. The storage account type to be used to store backups for this database.') @allowed([ 'Geo' 
@@ -243,18 +181,31 @@ resource database 'Microsoft.Sql/servers/databases@2022-05-01-preview' = { sku: skuVar } -resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: database -} +}] module database_backupShortTermRetentionPolicy 'backup-short-term-retention-policy/main.bicep' = { name: '${uniqueString(deployment().name, location)}-${name}-shBakRetPol' 
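Review bot: The fallback in `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every element of `diagnosticSettings`, so two entries that both omit `name` yield duplicate `Microsoft.Insights/diagnosticSettings` resource names on the same scope and the deployment fails; the `index` loop variable is declared but never used. Either fold it into the fallback, `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, which keeps the single-setting name unchanged, or state in the type's `name` description that it must be supplied and unique when more than one setting is passed. The old `if ((!empty(diagnosticStorageAccountId)) || ...)` guard that skipped deployment when no destination was configured is gone, so an entry with no `storageAccountResourceId`, `workspaceResourceId` or `eventHubAuthorizationRuleResourceId` now reaches the API and is presumably rejected there rather than silently skipped; that is arguably the safer behaviour, but worth a sentence in the README.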
@@ -289,3 +240,44 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = database.location +// =============== // +// Definitions // +// =============== // + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json index 47c37b2299..c8043872b1 100644 --- a/modules/sql/server/database/main.json +++ b/modules/sql/server/database/main.json 
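Review bot: The `@description` on `metricCategories` in `diagnosticSettingType` is a copy of the logs text ("The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.") and is wrong for metrics; it is already propagated into the generated README and main.json in this commit. Suggest `@description('Optional. The name of metrics that will be streamed. Set to [] to disable metric collection; if omitted, AllMetrics is collected.')`. The `logCategoriesAndGroups` description likewise still says "Set to '' to disable", which does not apply to an array of objects — given the `?? [...]` fallback in the resource, `[]` is what disables log collection, so the text should say so. Minor: in `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` the `| null` is redundant with the trailing `?`.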
@@ -1,16 +1,125 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14921090017328805601" + "templateHash": "7566326750370718720" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. 
Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -166,72 +275,10 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "SQLInsights", - "AutomaticTuning", - "QueryStoreRuntimeStatistics", - "QueryStoreWaitStatistics", - "Errors", - "DatabaseWaitStatistics", - "Timeouts", - "Blocks", - "Deadlocks", - "DevOpsOperationsAudit", - "SQLSecurityAuditEvents" - ], + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Basic", - "InstanceAndAppAdvanced", - "WorkloadManagement" - ], - "allowedValues": [ - "Basic", - "InstanceAndAppAdvanced", - "WorkloadManagement" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." 
+ "description": "Optional. The diagnostic settings of the service." } }, "createMode": { @@ -279,13 +326,6 @@ "description": "Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore." } }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "requestedBackupStorageRedundancy": { "type": "string", "defaultValue": "", 
@@ -329,30 +369,10 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "skuVar": "[union(createObject('name', parameters('skuName'), 'tier', parameters('skuTier')), if(not(equals(parameters('skuCapacity'), -1)), createObject('capacity', parameters('skuCapacity')), if(not(empty(parameters('skuFamily'))), createObject('family', parameters('skuFamily')), if(not(empty(parameters('skuSize'))), createObject('size', parameters('skuSize')), createObject()))))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -366,7 +386,13 @@ } } }, - { + "server": { + "existing": true, + "type": "Microsoft.Sql/servers", + "apiVersion": "2022-05-01-preview", + "name": "[parameters('serverName')]" + }, + "database": { "type": "Microsoft.Sql/servers/databases", "apiVersion": "2022-05-01-preview", "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]", 
@@ -393,27 +419,35 @@ "recoveryServicesRecoveryPointId": "[if(not(empty(parameters('recoveryServicesRecoveryPointResourceId'))), parameters('recoveryServicesRecoveryPointResourceId'), null())]", "restorePointInTime": "[if(not(empty(parameters('restorePointInTime'))), parameters('restorePointInTime'), null())]" }, - "sku": "[variables('skuVar')]" + "sku": "[variables('skuVar')]", + "dependsOn": [ + "server" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "database_diagnosticSettings": { + "copy": { + "name": "database_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('serverName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": 
"[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]" + "database" ] }, - { + "database_backupShortTermRetentionPolicy": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-{1}-shBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", 
@@ -531,10 +565,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]" + "database" ] }, - { + "database_backupLongTermRetentionPolicy": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-{1}-lgBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]", @@ -670,10 +704,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]" + "database" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -701,7 +735,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]" + "value": "[reference('database', '2022-05-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index b62154b8cf..fa4351217e 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep 
@@ -186,24 +186,18 @@ module server_databases 'database/main.bicep' = [for (database, index) in databa collation: contains(database, 'collation') ? database.collation : 'SQL_Latin1_General_CP1_CI_AS' maxSizeBytes: contains(database, 'maxSizeBytes') ? database.maxSizeBytes : 34359738368 autoPauseDelay: contains(database, 'autoPauseDelay') ? database.autoPauseDelay : 0 - diagnosticStorageAccountId: contains(database, 'diagnosticStorageAccountId') ? database.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(database, 'diagnosticEventHubAuthorizationRuleId') ? database.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(database, 'diagnosticEventHubName') ? database.diagnosticEventHubName : '' + diagnosticSettings: database.?diagnosticSettings isLedgerOn: contains(database, 'isLedgerOn') ? database.isLedgerOn : false location: location - diagnosticLogCategoriesToEnable: contains(database, 'diagnosticLogCategoriesToEnable') ? database.diagnosticLogCategoriesToEnable : [] licenseType: contains(database, 'licenseType') ? database.licenseType : '' maintenanceConfigurationId: contains(database, 'maintenanceConfigurationId') ? database.maintenanceConfigurationId : '' minCapacity: contains(database, 'minCapacity') ? database.minCapacity : '' - diagnosticMetricsToEnable: contains(database, 'diagnosticMetricsToEnable') ? database.diagnosticMetricsToEnable : [] highAvailabilityReplicaCount: contains(database, 'highAvailabilityReplicaCount') ? database.highAvailabilityReplicaCount : 0 readScale: contains(database, 'readScale') ? database.readScale : 'Disabled' requestedBackupStorageRedundancy: contains(database, 'requestedBackupStorageRedundancy') ? database.requestedBackupStorageRedundancy : '' sampleName: contains(database, 'sampleName') ? database.sampleName : '' tags: contains(database, 'tags') ? database.tags : {} - diagnosticWorkspaceId: contains(database, 'diagnosticWorkspaceId') ? 
database.diagnosticWorkspaceId : '' zoneRedundant: contains(database, 'zoneRedundant') ? database.zoneRedundant : false - diagnosticSettingsName: contains(database, 'diagnosticSettingsName') ? database.diagnosticSettingsName : '${database.name}-diagnosticSettings' elasticPoolId: contains(database, 'elasticPoolId') ? database.elasticPoolId : '' enableDefaultTelemetry: enableReferencedModulesTelemetry backupShortTermRetentionPolicy: contains(database, 'backupShortTermRetentionPolicy') ? database.backupShortTermRetentionPolicy : {} diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index d3f0fb80b5..15f464c1bd 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14708866930444205418" + "templateHash": "9008744149978786783" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", 
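Review bot: `diagnosticSettings: database.?diagnosticSettings` uses the safe-dereference operator while every neighbouring line keeps the `contains(database, 'x') ? database.x : default` pattern, so the block now mixes two idioms for the same optional-key case. Either keep the surrounding style here, `diagnosticSettings: contains(database, 'diagnosticSettings') ? database.diagnosticSettings : null`, or, preferably, migrate the siblings to the `database.?collation ?? 'SQL_Latin1_General_CP1_CI_AS'` form in a follow-up. The `databases` parameter appears to remain an untyped array (inferred from the `contains()` checks; its declaration is outside the hunk), so the shape of each `diagnosticSettings` entry is only validated when the child module receives it. The enclosing `server_databases` module block starts before and ends after this hunk.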
@@ -551,26 +551,22 @@ "collation": "[if(contains(parameters('databases')[copyIndex()], 'collation'), createObject('value', parameters('databases')[copyIndex()].collation), createObject('value', 'SQL_Latin1_General_CP1_CI_AS'))]", "maxSizeBytes": "[if(contains(parameters('databases')[copyIndex()], 'maxSizeBytes'), createObject('value', parameters('databases')[copyIndex()].maxSizeBytes), createObject('value', json('34359738368')))]", "autoPauseDelay": "[if(contains(parameters('databases')[copyIndex()], 'autoPauseDelay'), createObject('value', parameters('databases')[copyIndex()].autoPauseDelay), createObject('value', 0))]", - "diagnosticStorageAccountId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('databases')[copyIndex()].diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('databases')[copyIndex()].diagnosticEventHubName), createObject('value', ''))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('databases')[copyIndex()], 'diagnosticSettings')]" + }, "isLedgerOn": "[if(contains(parameters('databases')[copyIndex()], 'isLedgerOn'), createObject('value', parameters('databases')[copyIndex()].isLedgerOn), createObject('value', false()))]", "location": { "value": "[parameters('location')]" }, - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('databases')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', createArray()))]", "licenseType": 
"[if(contains(parameters('databases')[copyIndex()], 'licenseType'), createObject('value', parameters('databases')[copyIndex()].licenseType), createObject('value', ''))]", "maintenanceConfigurationId": "[if(contains(parameters('databases')[copyIndex()], 'maintenanceConfigurationId'), createObject('value', parameters('databases')[copyIndex()].maintenanceConfigurationId), createObject('value', ''))]", "minCapacity": "[if(contains(parameters('databases')[copyIndex()], 'minCapacity'), createObject('value', parameters('databases')[copyIndex()].minCapacity), createObject('value', ''))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticMetricsToEnable'), createObject('value', parameters('databases')[copyIndex()].diagnosticMetricsToEnable), createObject('value', createArray()))]", "highAvailabilityReplicaCount": "[if(contains(parameters('databases')[copyIndex()], 'highAvailabilityReplicaCount'), createObject('value', parameters('databases')[copyIndex()].highAvailabilityReplicaCount), createObject('value', 0))]", "readScale": "[if(contains(parameters('databases')[copyIndex()], 'readScale'), createObject('value', parameters('databases')[copyIndex()].readScale), createObject('value', 'Disabled'))]", "requestedBackupStorageRedundancy": "[if(contains(parameters('databases')[copyIndex()], 'requestedBackupStorageRedundancy'), createObject('value', parameters('databases')[copyIndex()].requestedBackupStorageRedundancy), createObject('value', ''))]", "sampleName": "[if(contains(parameters('databases')[copyIndex()], 'sampleName'), createObject('value', parameters('databases')[copyIndex()].sampleName), createObject('value', ''))]", "tags": "[if(contains(parameters('databases')[copyIndex()], 'tags'), createObject('value', parameters('databases')[copyIndex()].tags), createObject('value', createObject()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', 
parameters('databases')[copyIndex()].diagnosticWorkspaceId), createObject('value', ''))]", "zoneRedundant": "[if(contains(parameters('databases')[copyIndex()], 'zoneRedundant'), createObject('value', parameters('databases')[copyIndex()].zoneRedundant), createObject('value', false()))]", - "diagnosticSettingsName": "[if(contains(parameters('databases')[copyIndex()], 'diagnosticSettingsName'), createObject('value', parameters('databases')[copyIndex()].diagnosticSettingsName), createObject('value', format('{0}-diagnosticSettings', parameters('databases')[copyIndex()].name)))]", "elasticPoolId": "[if(contains(parameters('databases')[copyIndex()], 'elasticPoolId'), createObject('value', parameters('databases')[copyIndex()].elasticPoolId), createObject('value', ''))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" 
@@ -585,17 +581,126 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14921090017328805601" + "templateHash": "7566326750370718720" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -751,72 +856,10 @@
 "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
- }
- },
- "diagnosticLogCategoriesToEnable": {
- "type": "array",
- "defaultValue": [
- "allLogs"
- ],
- "allowedValues": [
- "",
- "allLogs",
- "SQLInsights",
- "AutomaticTuning",
- "QueryStoreRuntimeStatistics",
- "QueryStoreWaitStatistics",
- "Errors",
- "DatabaseWaitStatistics",
- "Timeouts",
- "Blocks",
- "Deadlocks",
- "DevOpsOperationsAudit",
- "SQLSecurityAuditEvents"
- ],
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."
- }
- },
- "diagnosticMetricsToEnable": {
- "type": "array",
- "defaultValue": [
- "Basic",
- "InstanceAndAppAdvanced",
- "WorkloadManagement"
- ],
- "allowedValues": [
- "Basic",
- "InstanceAndAppAdvanced",
- "WorkloadManagement"
- ],
- "metadata": {
- "description": "Optional. The name of metrics that will be streamed."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "createMode": {
@@ -864,13 +907,6 @@
 "description": "Optional. Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore."
 }
 },
- "diagnosticSettingsName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"."
- }
- },
 "requestedBackupStorageRedundancy": {
 "type": "string",
 "defaultValue": "",
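Review bot: The new `diagnosticSettings` parameter no longer carries the `allowedValues` lists that `diagnosticLogCategoriesToEnable` and `diagnosticMetricsToEnable` had, so a mistyped category — including the audit categories `DevOpsOperationsAudit` and `SQLSecurityAuditEvents` the old list documented — is now rejected only when the diagnostic setting is deployed rather than at template validation. The `$ref`'d `diagnosticSettingType` is defined outside this hunk, so I assume its category members are plain strings. Since main.json is compiler output, the place to keep this information is the parameter's `@description` in main.bicep; a description such as `Optional. The diagnostic settings of the service. Supported log categories: SQLInsights, AutomaticTuning, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timeouts, Blocks, Deadlocks, DevOpsOperationsAudit, SQLSecurityAuditEvents; metric categories: Basic, InstanceAndAppAdvanced, WorkloadManagement.` would keep the valid values visible in the generated README.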
@@ -914,30 +950,10 @@
 }
 },
 "variables": {
- "copy": [
- {
- "name": "diagnosticsLogsSpecified",
- "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]",
- "input": {
- "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]",
- "enabled": true
- }
- },
- {
- "name": "diagnosticsMetrics",
- "count": "[length(parameters('diagnosticMetricsToEnable'))]",
- "input": {
- "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]",
- "timeGrain": null,
- "enabled": true
- }
- }
- ],
- "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]",
 "skuVar": "[union(createObject('name', parameters('skuName'), 'tier', parameters('skuTier')), if(not(equals(parameters('skuCapacity'), -1)), createObject('capacity', parameters('skuCapacity')), if(not(empty(parameters('skuFamily'))), createObject('family', parameters('skuFamily')), if(not(empty(parameters('skuSize'))), createObject('size', parameters('skuSize')), createObject()))))]"
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -951,7 +967,13 @@
 }
 }
 },
- {
+ "server": {
+ "existing": true,
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2022-05-01-preview",
+ "name": "[parameters('serverName')]"
+ },
+ "database": {
 "type": "Microsoft.Sql/servers/databases",
 "apiVersion": "2022-05-01-preview",
 "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
@@ -978,27 +1000,35 @@
 "recoveryServicesRecoveryPointId": "[if(not(empty(parameters('recoveryServicesRecoveryPointResourceId'))), parameters('recoveryServicesRecoveryPointResourceId'), null())]",
 "restorePointInTime": "[if(not(empty(parameters('restorePointInTime'))), parameters('restorePointInTime'), null())]"
 },
- "sku": "[variables('skuVar')]"
+ "sku": "[variables('skuVar')]",
+ "dependsOn": [
+ "server"
+ ]
 },
- {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "database_diagnosticSettings": {
+ "copy": {
+ "name": "database_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('serverName'), parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]"
+ "database"
 ]
 },
- {
+ "database_backupShortTermRetentionPolicy": {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('{0}-{1}-shBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]",
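Review bot: In the new `database_diagnosticSettings` copy loop every entry without a `name` falls back to the same `format('{0}-diagnosticSettings', parameters('name'))`, so two unnamed entries yield two resources with the same name and the deployment fails — a case the old single resource could not reach. A default that keeps the existing name for the first entry and disambiguates the rest would be `format('{0}-diagnosticSettings{1}', parameters('name'), if(equals(copyIndex(), 0), '', format('-{0}', copyIndex())))`; the change belongs in main.bicep, since this file is compiled from it. The removed `condition` also prevented creating a setting with no destination, whereas now an entry whose sink properties are all absent is deployed with every destination null, which the Insights provider presumably rejects; the type's description should state that at least one of `storageAccountResourceId`, `workspaceResourceId`, `eventHubAuthorizationRuleResourceId` or `marketplacePartnerResourceId` is required. The `database` resource whose `sku` and `dependsOn` lines open this hunk starts outside it.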
@@ -1116,10 +1146,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]"
+ "database"
 ]
 },
- {
+ "database_backupLongTermRetentionPolicy": {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('{0}-{1}-lgBakRetPol', uniqueString(deployment().name, parameters('location')), parameters('name'))]",
@@ -1255,10 +1285,10 @@
 }
 },
 "dependsOn": [
- "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name'))]"
+ "database"
 ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -1286,7 +1316,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]"
+ "value": "[reference('database', '2022-05-01-preview', 'full').location]"
 }
 }
 }
diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep
index 3377dfe84a..752c544377 100644
--- a/modules/storage/storage-account/.test/common/main.test.bicep
+++ b/modules/storage/storage-account/.test/common/main.test.bicep
@@ -127,10 +127,20 @@ module testDeployment '../../main.bicep' = {
 ]
 blobServices: {
 lastAccessTimeTrackingPolicyEnabled: true
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 containers: [
 {
 name: 'avdscripts'
@@ -163,10 +173,20 @@ module testDeployment '../../main.bicep' = {
 deleteRetentionPolicyDays: 9
 }
 fileServices: {
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 shares: [
 {
 name: 'avdprofiles'
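Review bot: Every `diagnosticSettings` entry in these hunks (and in the `tableServices`/`queueServices` hunk, the account-level hunk and the nfs test hunk that follow) sets `name: 'customSetting'` with all four sinks, so the module's default naming of an unnamed entry, the `logCategoriesAndGroups` default and the multi-entry copy loop are never exercised by the tests. Adding a second entry without a `name` to one scenario, e.g. `{` / `storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId` / `}`, would cover the defaulted name; the platform may refuse a second setting that sends the same categories to a sink the first entry already uses, so it may need a distinct sink or category set. As a style point, the identical 14-line block is repeated five times across the two test files; a single `var` holding the array (Bicep variables may reference module outputs) referenced as `diagnosticSettings: diagnosticSettingsInput` would keep the scenarios in sync when the type changes. The enclosing `testDeployment` module declaration starts and ends outside these hunks.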
@@ -187,20 +207,40 @@ module testDeployment '../../main.bicep' = {
 ]
 }
 tableServices: {
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 tables: [
 'table1'
 'table2'
 ]
 }
 queueServices: {
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 queues: [
 {
 name: 'queue1'
@@ -234,10 +274,20 @@ module testDeployment '../../main.bicep' = {
 principalType: 'ServicePrincipal'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 managementPolicyRules: [
 {
 enabled: true
diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/.test/nfs/main.test.bicep
index 529f2b8f66..180b8abb81 100644
--- a/modules/storage/storage-account/.test/nfs/main.test.bicep
+++ b/modules/storage/storage-account/.test/nfs/main.test.bicep
@@ -90,10 +90,20 @@ module testDeployment '../../main.bicep' = {
 principalType: 'ServicePrincipal'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 1193a3c7fd..956cc7475f 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -95,25 +95,55 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] deleteRetentionPolicyDays: 9 deleteRetentionPolicyEnabled: true - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] lastAccessTimeTrackingPolicyEnabled: true } - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' enableHierarchicalNamespace: true enableNfsV3: true enableSftp: true fileServices: { - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] shares: [ { accessTier: 'Hot' @@ -220,10 +250,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { } ] queueServices: { - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] queues: [ { metadata: { 
@@ -257,10 +297,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { skuName: 'Standard_LRS' systemAssignedIdentity: true tableServices: { - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] tables: [ 'table1' 'table2' @@ -330,24 +380,38 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ], "deleteRetentionPolicyDays": 9, "deleteRetentionPolicyEnabled": true, - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "lastAccessTimeTrackingPolicyEnabled": true } }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -363,10 +427,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { }, "fileServices": { "value": { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "shares": [ { "accessTier": "Hot", @@ -487,10 +561,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { }, "queueServices": { "value": { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "queues": [ { "metadata": { @@ -536,10 +620,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { }, "tableServices": { "value": { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "tables": [ "table1", "table2" 
@@ -798,10 +892,20 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { name: 'ssanfs001' // Non-required parameters allowBlobPublicAccess: false - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' fileServices: { shares: [ @@ -858,17 +962,21 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "allowBlobPublicAccess": { "value": false }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -1027,12 +1135,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`customDomainName`](#parameter-customdomainname) | string | Sets the custom domain name assigned to the storage account. Name is the CNAME source. | | [`customDomainUseSubDomainName`](#parameter-customdomainusesubdomainname) | bool | Indicates whether indirect CName validation is enabled. This should only be set on updates. | | [`defaultToOAuthAuthentication`](#parameter-defaulttooauthauthentication) | bool | A boolean flag which indicates whether the default authentication is OAuth or not. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`dnsEndpointType`](#parameter-dnsendpointtype) | string | Allows you to specify the type of endpoint. 
Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableNfsV3`](#parameter-enablenfsv3) | bool | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. | 
@@ -1160,48 +1263,92 @@ A boolean flag which indicates whether the default authentication is OAuth or no - Type: bool - Default: `False` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Transaction]` -- Allowed: `[Transaction]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `dnsEndpointType` diff --git a/modules/storage/storage-account/blob-service/README.md b/modules/storage/storage-account/blob-service/README.md index 366984e3a0..319a320e0b 100644 --- a/modules/storage/storage-account/blob-service/README.md +++ b/modules/storage/storage-account/blob-service/README.md 
@@ -43,13 +43,7 @@ This module deploys a Storage Account Blob Service. | [`deleteRetentionPolicyAllowPermanentDelete`](#parameter-deleteretentionpolicyallowpermanentdelete) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. | | [`deleteRetentionPolicyDays`](#parameter-deleteretentionpolicydays) | int | Indicates the number of days that the deleted blob should be retained. | | [`deleteRetentionPolicyEnabled`](#parameter-deleteretentionpolicyenabled) | bool | The blob service properties for blob soft delete. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. 
| +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`isVersioningEnabled`](#parameter-isversioningenabled) | bool | Use versioning to automatically maintain previous versions of your blobs. | | [`lastAccessTimeTrackingPolicyEnabled`](#parameter-lastaccesstimetrackingpolicyenabled) | bool | The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. | 
@@ -140,56 +134,120 @@ The blob service properties for blob soft delete. - Type: bool - Default: `True` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Transaction]` -- Allowed: `[Transaction]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of a log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` 
diff --git a/modules/storage/storage-account/blob-service/main.bicep b/modules/storage/storage-account/blob-service/main.bicep index aaca3f7025..26a94e3b66 100644 --- a/modules/storage/storage-account/blob-service/main.bicep +++ b/modules/storage/storage-account/blob-service/main.bicep 
@@ -61,65 +61,15 @@ param restorePolicyDays int = 6 @description('Optional. Blob containers to create.') param containers array = [] -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of a log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'StorageRead' - 'StorageWrite' - 'StorageDelete' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'Transaction' -]) -param diagnosticMetricsToEnable array = [ - 'Transaction' -] - -@description('Optional. The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - // The name of the blob services var name = 'default' -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
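Review bot: The new `param diagnosticSettings diagnosticSettingType` description does not tell consumers how the single parameter replaces the seven removed ones, in particular that the old "send only when a destination is set" guard and the `Set to '' to disable log collection` convention no longer apply. Based on the loop in the resource hunk below, one diagnostic-settings resource is deployed per array element and omitting the parameter deploys none, so the description should say that explicitly, e.g. `@description('Optional. The diagnostic settings of the service. One diagnostic setting is deployed per array element; omit the parameter or pass an empty array to deploy none. Each element must specify at least one destination (storage account, Log Analytics workspace, event hub or marketplace partner).')`. The requirement for at least one destination is inferred from how Azure diagnostic settings are accepted and should be confirmed against the API before documenting it.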
@@ -174,18 +124,31 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01 } } -resource blobServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource blobServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: blobServices -} +}] module blobServices_container 'container/main.bicep' = [for (container, index) in containers: { name: '${deployment().name}-Container-${index}' 
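Review bot: The default name `diagnosticSetting.?name ?? '${name}-diagnosticSettings'` is identical for every array element that omits `name`, so passing two or more settings without explicit names yields two resources with the same name under the same scope, which presumably fails the deployment with a duplicate resource name rather than being caught at compile time. Since `index` is already bound by the `[for (diagnosticSetting, index) in ...]` loop, a backward-compatible fix keeps the existing name for the first element and disambiguates the rest: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. Separately, the removed `if (!empty(...) || ...)` guard ensured a setting was only created when a destination was given; the new loop creates one for any element, so an element with only category overrides and no sink will likely be rejected by the API at deploy time, which is worth a comment above the resource (`// NOTE: each element must carry at least one destination; there is no compile-time check`).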
@@ -213,3 +176,44 @@ output resourceId string = blobServices.id @description('The name of the deployed blob service.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json index 2082bbe9ba..fe57c8019f 100644 --- a/modules/storage/storage-account/blob-service/main.json +++ b/modules/storage/storage-account/blob-service/main.json 
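Review bot: The `metricCategories` description in `diagnosticSettingType` is a copy of the logs text ("The name of logs that will be streamed. \"allLogs\" includes all possible logs ... Set to '' to disable log collection"), which is wrong for metrics and also describes a disable mechanism that no longer exists: the value is now an object array, and from the `?? [ ... ]` defaults in the resource hunk above only an empty array, not `''`, suppresses the default `AllMetrics`/`AllLogs` entries. Suggested replacement: `@description('Optional. The metric categories to stream. Defaults to a single \'AllMetrics\' entry when omitted; pass an empty array to collect no metrics.')` and, for `logCategoriesAndGroups`, `@description('Optional. The log categories and category groups to stream. Defaults to a single \'AllLogs\' category group when omitted; pass an empty array to collect no logs.')`. Note also that the `@allowed` lists removed in this commit (StorageRead/StorageWrite/StorageDelete, Transaction) mean a mistyped category is now only caught at deploy time, and that `logCategoriesAndGroups` entries with neither `category` nor `categoryGroup` are accepted by the type; both are worth a short comment on the type so reviewers do not assume compile-time validation.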
@@ -1,16 +1,125 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12140382752546157870" + "templateHash": "3026533312164325767" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -138,32 +247,10 @@ "description": "Optional. Blob containers to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -172,69 +259,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -248,7 +280,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[parameters('storageAccountName')]" + }, + "blobServices": { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", 
@@ -282,27 +320,35 @@ "enabled": "[parameters('restorePolicyEnabled')]", "days": "[if(equals(parameters('restorePolicyEnabled'), true()), parameters('restorePolicyDays'), null())]" } - } + }, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "blobServices_diagnosticSettings": { + "copy": { + "name": "blobServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + 
"workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]" + "blobServices" ] }, - { + "blobServices_container": { "copy": { "name": "blobServices_container", "count": "[length(parameters('containers'))]" @@ -770,9 +816,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md index 1593b168b2..34a25b6076 100644 --- a/modules/storage/storage-account/file-service/README.md +++ b/modules/storage/storage-account/file-service/README.md 
@@ -30,69 +30,127 @@ This module deploys a Storage Account File Share Service. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`name`](#parameter-name) | string | The name of the file service. | | [`protocolSettings`](#parameter-protocolsettings) | object | Protocol settings for file service. | | [`shareDeleteRetentionPolicy`](#parameter-sharedeleteretentionpolicy) | object | The service properties for soft delete. | | [`shares`](#parameter-shares) | array | File shares to create. 
| -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+ +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[Transaction]` -- Allowed: `[Transaction]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of a log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/storage/storage-account/file-service/main.bicep b/modules/storage/storage-account/file-service/main.bicep index 49d27c4715..040c3f2583 100644 
--- a/modules/storage/storage-account/file-service/main.bicep +++ b/modules/storage/storage-account/file-service/main.bicep @@ -18,17 +18,8 @@ param shareDeleteRetentionPolicy object = { days: 7 } -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of a log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. File shares to create.') param shares array = [] 
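Review bot: The new `@description('Optional. The diagnostic settings of the service.')` gives a caller who relied on the removed `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId` or `diagnosticEventHubName` parameters no pointer to their replacements, and since those names are no longer declared, a module call that still passes them should fail at compile time rather than being ignored. Consider `@description('Optional. The diagnostic settings of the service. Replaces the former diagnosticStorageAccountId, diagnosticWorkspaceId, diagnosticEventHubAuthorizationRuleId and diagnosticEventHubName parameters; each entry deploys one diagnosticSettings resource.')`. This is an interface-breaking change, so the module's version should be bumped if that is not already part of this commit (not visible here). The same applies to the first hunk of storage-account/main.bicep (`@@ -132,17 +132,8 @@`).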
@@ -36,47 +27,6 @@ param shares array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'StorageRead' - 'StorageWrite' - 'StorageDelete' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'Transaction' -]) -param diagnosticMetricsToEnable array = [ - 'Transaction' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false var defaultShareAccessTier = storageAccount.kind == 'FileStorage' ? 'Premium' : 'TransactionOptimized' // default share accessTier depends on the Storage Account kind: 'Premium' for 'FileStorage' kind, 'TransactionOptimized' otherwise 
@@ -106,18 +56,31 @@ resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2021-09-01 } } -resource fileServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource fileServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: fileServices -} +}] module fileServices_shares 'share/main.bicep' = [for (share, index) in shares: { name: '${deployment().name}-shares-${index}' 
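Review bot: Two entries in `diagnosticSettings` that both omit `name` resolve to the same resource name `'${name}-diagnosticSettings'`, so the deployment fails with a duplicate-resource error; the loop declares `index` but never uses it. Either disambiguate the fallback, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, or document on the type that `name` must be set when more than one setting is supplied. The removed `if (...)` guard also meant a setting with no destination was skipped; an entry with none of the four destination fields now deploys and, as far as I can tell, is only rejected by the resource provider at deployment time rather than at validation. The same fallback name is used in storage-account/main.bicep (the `@@ -326,17 +300,25 @@` hunk).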
@@ -142,3 +105,44 @@ output resourceId string = fileServices.id @description('The resource group of the deployed file share service.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index b7d728dd4b..0c3f269cbc 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json 
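Review bot: The `@description` on `metricCategories` is the log description copied verbatim ("The name of logs that will be streamed. \"allLogs\" includes all possible logs ..."), and the same text on `logCategoriesAndGroups` still says "Set to '' to disable log collection", which no longer applies to a typed object array — with the `??` fallback in the resource, an empty array `[]` is what disables collection, and the default category group is `'AllLogs'`, not `'allLogs'`. Suggest `@description('Optional. The metric categories to stream. Defaults to the \'AllMetrics\' category; pass an empty array to disable metric collection.')` on `metricCategories` and `@description('Optional. The log categories and category groups to stream. Defaults to the \'AllLogs\' category group; pass an empty array to disable log collection.')` on `logCategoriesAndGroups`. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` carries both `| null` and `?`; one of the two suffices. The generated README mirrors these descriptions, so the fix belongs here with the README regenerated afterwards.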
@@ -1,16 +1,125 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1758644729212955117" + "templateHash": "5811848536316127521" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -43,32 +152,10 @@ "description": "Optional. The service properties for soft delete." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "shares": { 
@@ -84,68 +171,13 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -159,34 +191,48 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "fileServices": { "type": "Microsoft.Storage/storageAccounts/fileServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", "properties": { "protocolSettings": "[parameters('protocolSettings')]", "shareDeleteRetentionPolicy": "[parameters('shareDeleteRetentionPolicy')]" - } + }, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "fileServices_diagnosticSettings": { + "copy": { + "name": "fileServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}', parameters('storageAccountName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), 
null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" + "fileServices" ] }, - { + "fileServices_shares": { "copy": { "name": "fileServices_shares", "count": "[length(parameters('shares'))]" 
@@ -209,7 +255,7 @@ "name": { "value": "[parameters('shares')[copyIndex()].name]" }, - "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", + "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference('storageAccount', '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", "enabledProtocols": "[if(contains(parameters('shares')[copyIndex()], 'enabledProtocols'), createObject('value', parameters('shares')[copyIndex()].enabledProtocols), createObject('value', 'SMB'))]", "rootSquash": "[if(contains(parameters('shares')[copyIndex()], 'rootSquash'), createObject('value', parameters('shares')[copyIndex()].rootSquash), createObject('value', 'NoRootSquash'))]", "shareQuota": "[if(contains(parameters('shares')[copyIndex()], 'shareQuota'), createObject('value', parameters('shares')[copyIndex()].shareQuota), createObject('value', 5120))]", @@ -497,10 +543,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" + "fileServices", + "storageAccount" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index e8b9925a88..e8774101f0 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep 
@@ -132,17 +132,8 @@ param isLocalUserEnabled bool = false @description('Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true.') param enableNfsV3 bool = false -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType @@ -172,14 +163,6 @@ param publicNetworkAccess string = '' @description('Optional. Allows HTTPS traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'Transaction' -]) -param diagnosticMetricsToEnable array = [ - 'Transaction' -] - @description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' 
@@ -192,18 +175,9 @@ param cMKUserAssignedIdentityResourceId string = '' @description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.') param cMKKeyVersion string = '' -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - @description('Optional. The SAS expiration period. DD.HH:MM:SS.') param sasExpirationPeriod string = '' -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var supportsBlobService = kind == 'BlockBlobStorage' || kind == 'BlobStorage' || kind == 'StorageV2' || kind == 'Storage' var supportsFileService = kind == 'FileStorage' || kind == 'StorageV2' || kind == 'Storage' 
@@ -326,17 +300,25 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { } } -resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: storageAccount -} +}] resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' 
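Review bot: The fallback `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'` in the new `[for (diagnosticSetting, index) in (diagnosticSettings ?? [])]` loop yields the same resource name for every entry that omits `name`, so passing two or more settings without names would produce duplicate resource names within one template and the deployment would fail; the `index` variable the loop introduces is never used. Either fold it into the default, e.g. `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'` (accepting that the single-entry default changes), or keep the current default and state in the type's `name` description that it must be set when more than one setting is supplied. The `storageAccount_lock` declaration in the trailing context continues outside the hunk.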
@@ -435,12 +417,7 @@ module storageAccount_blobServices 'blob-service/main.bicep' = if (!empty(blobSe lastAccessTimeTrackingPolicyEnabled: contains(blobServices, 'lastAccessTimeTrackingPolicyEnabled') ? blobServices.lastAccessTimeTrackingPolicyEnabled : false restorePolicyEnabled: contains(blobServices, 'restorePolicyEnabled') ? blobServices.restorePolicyEnabled : false restorePolicyDays: contains(blobServices, 'restorePolicyDays') ? blobServices.restorePolicyDays : 6 - diagnosticStorageAccountId: contains(blobServices, 'diagnosticStorageAccountId') ? blobServices.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(blobServices, 'diagnosticEventHubAuthorizationRuleId') ? blobServices.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(blobServices, 'diagnosticEventHubName') ? blobServices.diagnosticEventHubName : '' - diagnosticLogCategoriesToEnable: contains(blobServices, 'diagnosticLogCategoriesToEnable') ? blobServices.diagnosticLogCategoriesToEnable : [] - diagnosticMetricsToEnable: contains(blobServices, 'diagnosticMetricsToEnable') ? blobServices.diagnosticMetricsToEnable : [] - diagnosticWorkspaceId: contains(blobServices, 'diagnosticWorkspaceId') ? blobServices.diagnosticWorkspaceId : '' + diagnosticSettings: blobServices.?diagnosticSettings enableDefaultTelemetry: enableReferencedModulesTelemetry } } 
@@ -450,18 +427,13 @@ module storageAccount_fileServices 'file-service/main.bicep' = if (!empty(fileSe name: '${uniqueString(deployment().name, location)}-Storage-FileServices' params: { storageAccountName: storageAccount.name - diagnosticStorageAccountId: contains(fileServices, 'diagnosticStorageAccountId') ? fileServices.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(fileServices, 'diagnosticEventHubAuthorizationRuleId') ? fileServices.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(fileServices, 'diagnosticEventHubName') ? fileServices.diagnosticEventHubName : '' - diagnosticLogCategoriesToEnable: contains(fileServices, 'diagnosticLogCategoriesToEnable') ? fileServices.diagnosticLogCategoriesToEnable : [] - diagnosticMetricsToEnable: contains(fileServices, 'diagnosticMetricsToEnable') ? fileServices.diagnosticMetricsToEnable : [] + diagnosticSettings: blobServices.?diagnosticSettings protocolSettings: contains(fileServices, 'protocolSettings') ? fileServices.protocolSettings : {} shareDeleteRetentionPolicy: contains(fileServices, 'shareDeleteRetentionPolicy') ? fileServices.shareDeleteRetentionPolicy : { enabled: true days: 7 } shares: contains(fileServices, 'shares') ? fileServices.shares : [] - diagnosticWorkspaceId: contains(fileServices, 'diagnosticWorkspaceId') ? fileServices.diagnosticWorkspaceId : '' enableDefaultTelemetry: enableReferencedModulesTelemetry } } 
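Review bot: The file-service module call now passes `diagnosticSettings: blobServices.?diagnosticSettings`, reading the blob-service configuration instead of the file-service one; it should be `diagnosticSettings: fileServices.?diagnosticSettings`. The same copy-paste is in the queue-service and table-service module calls in the next two hunks (`queueServices.?diagnosticSettings`, `tableServices.?diagnosticSettings`), and the compiled main.json carries the matching `tryGet(parameters('blobServices'), 'diagnosticSettings')` for the file-service deployment, so it has to be rebuilt once the Bicep is corrected. As written, diagnostic settings a caller configures only for file, queue or table services are silently dropped, and blob-only settings are applied to all four services, so the audit logging actually deployed does not match what was requested. The enclosing `module storageAccount_fileServices` declaration starts outside the hunk.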
@@ -471,13 +443,8 @@ module storageAccount_queueServices 'queue-service/main.bicep' = if (!empty(queu name: '${uniqueString(deployment().name, location)}-Storage-QueueServices' params: { storageAccountName: storageAccount.name - diagnosticStorageAccountId: contains(queueServices, 'diagnosticStorageAccountId') ? queueServices.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(queueServices, 'diagnosticEventHubAuthorizationRuleId') ? queueServices.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(queueServices, 'diagnosticEventHubName') ? queueServices.diagnosticEventHubName : '' - diagnosticLogCategoriesToEnable: contains(queueServices, 'diagnosticLogCategoriesToEnable') ? queueServices.diagnosticLogCategoriesToEnable : [] - diagnosticMetricsToEnable: contains(queueServices, 'diagnosticMetricsToEnable') ? queueServices.diagnosticMetricsToEnable : [] + diagnosticSettings: blobServices.?diagnosticSettings queues: contains(queueServices, 'queues') ? queueServices.queues : [] - diagnosticWorkspaceId: contains(queueServices, 'diagnosticWorkspaceId') ? queueServices.diagnosticWorkspaceId : '' enableDefaultTelemetry: enableReferencedModulesTelemetry } } 
@@ -487,13 +454,8 @@ module storageAccount_tableServices 'table-service/main.bicep' = if (!empty(tabl name: '${uniqueString(deployment().name, location)}-Storage-TableServices' params: { storageAccountName: storageAccount.name - diagnosticStorageAccountId: contains(tableServices, 'diagnosticStorageAccountId') ? tableServices.diagnosticStorageAccountId : '' - diagnosticEventHubAuthorizationRuleId: contains(tableServices, 'diagnosticEventHubAuthorizationRuleId') ? tableServices.diagnosticEventHubAuthorizationRuleId : '' - diagnosticEventHubName: contains(tableServices, 'diagnosticEventHubName') ? tableServices.diagnosticEventHubName : '' - diagnosticLogCategoriesToEnable: contains(tableServices, 'diagnosticLogCategoriesToEnable') ? tableServices.diagnosticLogCategoriesToEnable : [] - diagnosticMetricsToEnable: contains(tableServices, 'diagnosticMetricsToEnable') ? tableServices.diagnosticMetricsToEnable : [] + diagnosticSettings: blobServices.?diagnosticSettings tables: contains(tableServices, 'tables') ? tableServices.tables : [] - diagnosticWorkspaceId: contains(tableServices, 'diagnosticWorkspaceId') ? tableServices.diagnosticWorkspaceId : '' enableDefaultTelemetry: enableReferencedModulesTelemetry } } 
@@ -605,3 +567,32 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index ae9fba4c9b..a476db610d 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7816141440918547974" + "templateHash": "15002662159872818227" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", 
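Review bot: The description on `metricCategories` in the new `diagnosticSettingType` is the log-category wording ("The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection."), which does not describe an array of `{ category }` metric objects whose only documented value is 'AllMetrics'; the removed `diagnosticMetricsToEnable` parameter's text fits, e.g. `@description('Optional. The name of metrics that will be streamed.')`. The compiled main.json repeats this description in its `diagnosticSettingType` definitions for the storage account and the blob service (and presumably the remaining child services), so regenerating after the Bicep change carries the fix through.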
@@ -251,6 +251,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -505,32 +585,10 @@ "description": "Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "lock": { @@ -584,18 +642,6 @@ "description": "Optional. Allows HTTPS traffic only to storage service if sets to true." } }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, "cMKKeyVaultResourceId": { "type": "string", "defaultValue": "", 
@@ -624,13 +670,6 @@ "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used." } }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, "sasExpirationPeriod": { "type": "string", "defaultValue": "", @@ -640,17 +679,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "supportsBlobService": "[or(or(or(equals(parameters('kind'), 'BlockBlobStorage'), equals(parameters('kind'), 'BlobStorage')), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", 
@@ -761,17 +789,22 @@ ] }, "storageAccount_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "storageAccount_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "storageAccount" 
@@ -1675,29 +1708,135 @@ "lastAccessTimeTrackingPolicyEnabled": "[if(contains(parameters('blobServices'), 'lastAccessTimeTrackingPolicyEnabled'), createObject('value', parameters('blobServices').lastAccessTimeTrackingPolicyEnabled), createObject('value', false()))]", "restorePolicyEnabled": "[if(contains(parameters('blobServices'), 'restorePolicyEnabled'), createObject('value', parameters('blobServices').restorePolicyEnabled), createObject('value', false()))]", "restorePolicyDays": "[if(contains(parameters('blobServices'), 'restorePolicyDays'), createObject('value', parameters('blobServices').restorePolicyDays), createObject('value', 6))]", - "diagnosticStorageAccountId": "[if(contains(parameters('blobServices'), 'diagnosticStorageAccountId'), createObject('value', parameters('blobServices').diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('blobServices'), 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('blobServices').diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('blobServices'), 'diagnosticEventHubName'), createObject('value', parameters('blobServices').diagnosticEventHubName), createObject('value', ''))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('blobServices'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('blobServices').diagnosticLogCategoriesToEnable), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('blobServices'), 'diagnosticMetricsToEnable'), createObject('value', parameters('blobServices').diagnosticMetricsToEnable), createObject('value', createArray()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('blobServices'), 'diagnosticWorkspaceId'), createObject('value', parameters('blobServices').diagnosticWorkspaceId), createObject('value', ''))]", + "diagnosticSettings": { + 
"value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12140382752546157870" + "templateHash": "3026533312164325767" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." 
+ } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
+ } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -1825,32 +1964,10 @@ "description": "Optional. Blob containers to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -1859,69 +1976,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1935,7 +1997,13 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[parameters('storageAccountName')]" + }, + "blobServices": { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", 
@@ -1969,27 +2037,35 @@ "enabled": "[parameters('restorePolicyEnabled')]", "days": "[if(equals(parameters('restorePolicyEnabled'), true()), parameters('restorePolicyDays'), null())]" } - } + }, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "blobServices_diagnosticSettings": { + "copy": { + "name": "blobServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + 
"workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]" + "blobServices" ] }, - { + "blobServices_container": { "copy": { "name": "blobServices_container", "count": "[length(parameters('containers'))]" @@ -2457,9 +2533,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -2503,90 +2582,174 @@ "storageAccountName": { "value": "[parameters('name')]" }, - "diagnosticStorageAccountId": "[if(contains(parameters('fileServices'), 'diagnosticStorageAccountId'), createObject('value', parameters('fileServices').diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('fileServices'), 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('fileServices').diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('fileServices'), 'diagnosticEventHubName'), createObject('value', parameters('fileServices').diagnosticEventHubName), createObject('value', ''))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('fileServices'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('fileServices').diagnosticLogCategoriesToEnable), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('fileServices'), 'diagnosticMetricsToEnable'), createObject('value', parameters('fileServices').diagnosticMetricsToEnable), createObject('value', createArray()))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" + }, "protocolSettings": "[if(contains(parameters('fileServices'), 'protocolSettings'), createObject('value', parameters('fileServices').protocolSettings), createObject('value', createObject()))]", "shareDeleteRetentionPolicy": "[if(contains(parameters('fileServices'), 'shareDeleteRetentionPolicy'), createObject('value', parameters('fileServices').shareDeleteRetentionPolicy), createObject('value', createObject('enabled', true(), 'days', 7)))]", "shares": "[if(contains(parameters('fileServices'), 'shares'), createObject('value', parameters('fileServices').shares), createObject('value', createArray()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('fileServices'), 
'diagnosticWorkspaceId'), createObject('value', parameters('fileServices').diagnosticWorkspaceId), createObject('value', ''))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1758644729212955117" + "templateHash": "5811848536316127521" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", "owner": "Azure/module-maintainers" }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the file service." - } - }, - "protocolSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Protocol settings for file service." - } - }, - "shareDeleteRetentionPolicy": { - "type": "object", - "defaultValue": { - "enabled": true, - "days": 7 - }, - "metadata": { - "description": "Optional. The service properties for soft delete." + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. 
Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "storageAccountName": { + "type": "string", + "maxLength": 24, + "metadata": { + "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." } }, - "diagnosticStorageAccountId": { + "name": { "type": "string", - "defaultValue": "", + "defaultValue": "default", "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." + "description": "Optional. The name of the file service." } }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "protocolSettings": { + "type": "object", + "defaultValue": {}, "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." + "description": "Optional. Protocol settings for file service." 
} }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "shareDeleteRetentionPolicy": { + "type": "object", + "defaultValue": { + "enabled": true, + "days": 7 + }, "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + "description": "Optional. The service properties for soft delete." } }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "shares": { 
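Review bot: The `diagnosticSettings` value wired into the nested file-services deployment reads `"value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]"` while every neighbouring parameter in the same block (`protocolSettings`, `shareDeleteRetentionPolicy`, `shares`) is read from `parameters('fileServices')`; this looks like a copy-paste slip, and its effect is that a caller's `fileServices.diagnosticSettings` is silently dropped and the blob configuration is applied to the file service instead, so file-share access logs may never reach the intended sink. The line should be `"value": "[tryGet(parameters('fileServices'), 'diagnosticSettings')]"`. Because this JSON carries a Bicep `_generator` stamp, the fix belongs in the module's `main.bicep` with `main.json` regenerated; the nested deployment this sits in starts and ends outside the hunk. Separately, the `metricCategories` description in the new `diagnosticSettingType` definition repeats the log text ("The name of logs that will be streamed…") and should instead read `Optional. The name of metrics that will be streamed. Set to 'AllMetrics' to collect all metrics.`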
@@ -2602,68 +2765,13 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), 
variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2677,34 +2785,48 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "fileServices": { "type": "Microsoft.Storage/storageAccounts/fileServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", "properties": { "protocolSettings": "[parameters('protocolSettings')]", "shareDeleteRetentionPolicy": "[parameters('shareDeleteRetentionPolicy')]" - } + }, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "fileServices_diagnosticSettings": { + "copy": { + "name": "fileServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}', parameters('storageAccountName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), 
null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" + "fileServices" ] }, - { + "fileServices_shares": { "copy": { "name": "fileServices_shares", "count": "[length(parameters('shares'))]" 
@@ -2727,7 +2849,7 @@ "name": { "value": "[parameters('shares')[copyIndex()].name]" }, - "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", + "accessTier": "[if(contains(parameters('shares')[copyIndex()], 'accessTier'), createObject('value', parameters('shares')[copyIndex()].accessTier), if(equals(reference('storageAccount', '2021-09-01', 'full').kind, 'FileStorage'), createObject('value', 'Premium'), createObject('value', 'TransactionOptimized')))]", "enabledProtocols": "[if(contains(parameters('shares')[copyIndex()], 'enabledProtocols'), createObject('value', parameters('shares')[copyIndex()].enabledProtocols), createObject('value', 'SMB'))]", "rootSquash": "[if(contains(parameters('shares')[copyIndex()], 'rootSquash'), createObject('value', parameters('shares')[copyIndex()].rootSquash), createObject('value', 'NoRootSquash'))]", "shareQuota": "[if(contains(parameters('shares')[copyIndex()], 'shareQuota'), createObject('value', parameters('shares')[copyIndex()].shareQuota), createObject('value', 5120))]", @@ -3015,10 +3137,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" + "fileServices", + "storageAccount" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3062,30 +3185,136 @@ "storageAccountName": { "value": "[parameters('name')]" }, - "diagnosticStorageAccountId": "[if(contains(parameters('queueServices'), 'diagnosticStorageAccountId'), createObject('value', parameters('queueServices').diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('queueServices'), 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('queueServices').diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('queueServices'), 'diagnosticEventHubName'), createObject('value', parameters('queueServices').diagnosticEventHubName), createObject('value', ''))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('queueServices'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('queueServices').diagnosticLogCategoriesToEnable), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('queueServices'), 'diagnosticMetricsToEnable'), createObject('value', parameters('queueServices').diagnosticMetricsToEnable), createObject('value', createArray()))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" + }, "queues": "[if(contains(parameters('queueServices'), 'queues'), createObject('value', parameters('queueServices').queues), createObject('value', createArray()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('queueServices'), 'diagnosticWorkspaceId'), createObject('value', parameters('queueServices').diagnosticWorkspaceId), createObject('value', ''))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": 
"0.22.6.54827", - "templateHash": "1248907780976524503" + "templateHash": "6394050552796909716" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
+ } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", 
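Review bot: The queue-services nested deployment also sources its diagnostics from the wrong input: `"value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]"` sits next to `queues`, which is read from `parameters('queueServices')`, so any `queueServices.diagnosticSettings` a caller provides is ignored and the queue service inherits whatever was configured for blobs. Change it to `"value": "[tryGet(parameters('queueServices'), 'diagnosticSettings')]"` in `main.bicep` and regenerate. The `logCategoriesAndGroups` description still says "Set to '' to disable log collection", which no longer applies now that the field is an array of `{category, categoryGroup}` objects; it should instead say that omitting the property yields the `AllLogs` category group and that an empty array disables log collection. The nested deployment object begins before this hunk and its parameters continue after it.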
@@ -3101,32 +3330,10 @@ "description": "Optional. Queues to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -3135,69 +3342,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -3211,31 +3363,45 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "queueServices": { "type": "Microsoft.Storage/storageAccounts/queueServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {} + "properties": {}, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "queueServices_diagnosticSettings": { + "copy": { + "name": "queueServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), 
parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]" + "queueServices" ] }, - { + "queueServices_queues": { "copy": { "name": "queueServices_queues", "count": "[length(parameters('queues'))]" @@ -3492,9 +3658,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3538,30 +3707,136 @@ "storageAccountName": { "value": "[parameters('name')]" }, - "diagnosticStorageAccountId": "[if(contains(parameters('tableServices'), 'diagnosticStorageAccountId'), createObject('value', parameters('tableServices').diagnosticStorageAccountId), createObject('value', ''))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('tableServices'), 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('tableServices').diagnosticEventHubAuthorizationRuleId), createObject('value', ''))]", - "diagnosticEventHubName": "[if(contains(parameters('tableServices'), 'diagnosticEventHubName'), createObject('value', parameters('tableServices').diagnosticEventHubName), createObject('value', ''))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('tableServices'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('tableServices').diagnosticLogCategoriesToEnable), createObject('value', createArray()))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('tableServices'), 'diagnosticMetricsToEnable'), createObject('value', parameters('tableServices').diagnosticMetricsToEnable), createObject('value', createArray()))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" + }, "tables": "[if(contains(parameters('tableServices'), 'tables'), createObject('value', parameters('tableServices').tables), createObject('value', createArray()))]", - "diagnosticWorkspaceId": "[if(contains(parameters('tableServices'), 'diagnosticWorkspaceId'), createObject('value', parameters('tableServices').diagnosticWorkspaceId), createObject('value', ''))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": 
"0.22.6.54827", - "templateHash": "922436323351089615" + "templateHash": "15951116507662113563" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." 
+ } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", 
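Review bot: The table-services nested deployment repeats the same wiring error — `"value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]"` alongside `tables`, which correctly reads `parameters('tableServices')` — so table diagnostic settings cannot be configured independently of blob settings and are lost when `blobServices` carries none. It should be `"value": "[tryGet(parameters('tableServices'), 'diagnosticSettings')]"`, corrected in the Bicep source and recompiled. Given the same slip appears in the file and queue wrappers, a test-case parameter file that sets `diagnosticSettings` only under `tableServices` (and likewise for `fileServices`/`queueServices`) and asserts the setting lands on that sub-service would have caught it. The enclosing nested deployment starts and ends outside this hunk.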
@@ -3577,32 +3852,10 @@ "description": "Optional. tables to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -3611,69 +3864,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -3687,31 +3885,45 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "tableServices": { "type": "Microsoft.Storage/storageAccounts/tableServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {} + "properties": {}, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "tableServices_diagnosticSettings": { + "copy": { + "name": "tableServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/tableServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), 
parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]" + "tableServices" ] }, - { + "tableServices_tables": { "copy": { "name": "tableServices_tables", "count": "[length(parameters('tables'))]" @@ -3815,9 +4027,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/queue-service/README.md b/modules/storage/storage-account/queue-service/README.md index 87bfc9c6fe..7543d85557 100644 
--- a/modules/storage/storage-account/queue-service/README.md +++ b/modules/storage/storage-account/queue-service/README.md 
@@ -30,66 +30,124 @@ This module deploys a Storage Account Queue Service. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`queues`](#parameter-queues) | array | Queues to create. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. 
+- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. 
- Required: No - Type: array -- Default: `[Transaction]` -- Allowed: `[Transaction]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of a log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/storage/storage-account/queue-service/main.bicep b/modules/storage/storage-account/queue-service/main.bicep index 29ee8b7d02..680a52c332 100644 --- a/modules/storage/storage-account/queue-service/main.bicep 
+++ b/modules/storage/storage-account/queue-service/main.bicep 
@@ -9,65 +9,15 @@ param storageAccountName string @description('Optional. Queues to create.') param queues array = [] -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of a log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'StorageRead' - 'StorageWrite' - 'StorageDelete' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'Transaction' -]) -param diagnosticMetricsToEnable array = [ - 'Transaction' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' - // The name of the blob services var name = 'default' -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? 
[ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
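Review bot: Removing `diagnosticLogCategoriesToEnable` and `diagnosticMetricsToEnable` also removes their `@allowed` lists, so a mistyped `category` passed through the new `diagnosticSettings` parameter is no longer rejected at compile time and only surfaces as a deployment error. Because the replacement type is shared and generic, the queue-service-specific values the old decorators documented should at least survive as a comment on the new parameter, e.g. `// Queue service log categories: StorageRead, StorageWrite, StorageDelete; metric category: Transaction (AllMetrics also accepted)`. Whether the `AllMetrics`/`AllLogs` defaults introduced later in this file are accepted for this resource type is not something the hunk shows, so that should be confirmed in the module test.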
@@ -92,18 +42,31 @@ resource queueServices 'Microsoft.Storage/storageAccounts/queueServices@2021-09- properties: {} } -resource queueServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource queueServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + metrics: diagnosticSetting.?metricCategories ?? [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + } + ] + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: queueServices -} +}] module queueServices_queues 'queue/main.bicep' = [for (queue, index) in queues: { name: '${deployment().name}-Queue-${index}' 
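Review bot: In the new `queueServices_diagnosticSettings` loop every entry that omits `name` resolves to the same `'${name}-diagnosticSettings'`, so two unnamed entries in `diagnosticSettings` yield duplicate resource names and the deployment fails; the single-entry default can be kept while later entries stay unique with `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, since `index` is already bound by the `for (diagnosticSetting, index)` header. The removed `if (!empty(...))` guard also meant a setting was only deployed when at least one sink was given; each entry is now deployed unconditionally, and as far as I can tell Azure Monitor rejects a diagnostic setting with no workspace, storage account, event hub or marketplace partner, so the parameter description (or a `@minLength`/assertion on the type) should state that at least one destination per entry is required.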
@@ -124,3 +87,44 @@ output resourceId string = queueServices.id @description('The resource group of the deployed file share service.') output resourceGroupName string = resourceGroup().name +// =============== // +// Definitions // +// =============== // + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index 804add9d71..95aa83129a 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json 
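Review bot: The `@description` on `metricCategories` in `diagnosticSettingType` is a copy of the log description ("The name of logs that will be streamed. \"allLogs\" includes all possible logs …") and documents the wrong field; it should read `@description('Optional. The metric categories to collect. An empty array disables metric collection; omitting the property collects \'AllMetrics\'.')`. The "Set to '' to disable log collection" wording on `logCategoriesAndGroups` is also stale: the element is now an object array and the `??` fallback to `AllLogs` applies only when the property is absent, so disabling requires `logCategoriesAndGroups: []`. `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice; `('Dedicated' | 'AzureDiagnostics')?` expresses the same. These strings are copied into main.json and README.md by the generator, so it must be rerun after the fix.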
@@ -1,16 +1,125 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1248907780976524503" + "templateHash": "6394050552796909716" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -26,32 +135,10 @@ "description": "Optional. Queues to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -60,69 +147,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -136,31 +168,45 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "queueServices": { "type": "Microsoft.Storage/storageAccounts/queueServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {} + "properties": {}, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "queueServices_diagnosticSettings": { + "copy": { + "name": "queueServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), 
parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]" + "queueServices" ] }, - { + "queueServices_queues": { "copy": { "name": "queueServices_queues", "count": "[length(parameters('queues'))]" @@ -417,9 +463,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/storage/storage-account/table-service/README.md b/modules/storage/storage-account/table-service/README.md index 9755cafd0b..87435b1319 100644 
--- a/modules/storage/storage-account/table-service/README.md
+++ b/modules/storage/storage-account/table-service/README.md
@@ -29,66 +29,124 @@ This module deploys a Storage Account Table Service. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of a log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`tables`](#parameter-tables) | array | tables to create. | -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. 
+- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, StorageDelete, StorageRead, StorageWrite]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. 
- Required: No - Type: array -- Default: `[Transaction]` -- Allowed: `[Transaction]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of a log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/storage/storage-account/table-service/main.bicep b/modules/storage/storage-account/table-service/main.bicep index cbf0bf086b..3780974090 100644 --- a/modules/storage/storage-account/table-service/main.bicep 
+++ b/modules/storage/storage-account/table-service/main.bicep 
@@ -9,65 +9,15 @@ param storageAccountName string
 @description('Optional. tables to create.')
 param tables array = []
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of a log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'StorageRead'
- 'StorageWrite'
- 'StorageDelete'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'Transaction'
-])
-param diagnosticMetricsToEnable array = [
- 'Transaction'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
 // The name of the table service
 var name = 'default'
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var enableReferencedModulesTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
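Review bot: The replacement `param diagnosticSettings diagnosticSettingType` drops the `@allowed([...])` lists that constrained `diagnosticLogCategoriesToEnable` and `diagnosticMetricsToEnable` to the categories this service actually emits (`StorageRead`, `StorageWrite`, `StorageDelete`, `Transaction`); the per-entry `category` in the new type is a free string, so a misspelled category is no longer caught at compile time and will only surface when the deployment is submitted, if at all. If the shared type cannot carry resource-specific allowed values, a comment on the parameter would preserve that guidance, e.g. `// Log categories emitted by table services: StorageRead, StorageWrite, StorageDelete; metric category: Transaction`.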
@@ -92,18 +42,31 @@ resource tableServices 'Microsoft.Storage/storageAccounts/tableServices@2021-09-
 properties: {}
 }
-resource tableServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource tableServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: tableServices
-}
+}]
 module tableServices_tables 'table/main.bicep' = [for (tableName, index) in tables: {
 name: '${deployment().name}-Table-${index}'
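Review bot: The loop deploys one diagnosticSettings resource per array entry with no guard, where the removed resource was conditioned on at least one of the four destinations being set; an entry that supplies only `name` or `logCategoriesAndGroups` now yields a setting with every sink null, which the service will presumably reject at deploy time instead of being skipped as before. Two entries that both omit `name` also resolve to the same default `'${name}-diagnosticSettings'` at the same scope, so a multi-entry array collides unless every entry is named explicitly; the loop already binds `index`, which could disambiguate the fallback, or the type description could state that `name` must be set when more than one setting is given. Note too that `''` passed for a destination is no longer normalised to `null` as the removed `!empty(x) ? x : null` did, so callers that kept passing empty strings now forward them verbatim. The `tableServices` resource whose closing lines open the hunk starts outside it.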
@@ -122,3 +85,44 @@ output resourceId string = tableServices.id
 @description('The resource group of the deployed table service.')
 output resourceGroupName string = resourceGroup().name
+// =============== //
+// Definitions //
+// =============== //
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/storage/storage-account/table-service/main.json b/modules/storage/storage-account/table-service/main.json
index eb3354cf6a..4bde0ded71 100644
--- a/modules/storage/storage-account/table-service/main.json
+++ b/modules/storage/storage-account/table-service/main.json
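Review bot: The `@description` on `metricCategories` is a copy of the log one: it talks about logs, `"allLogs"` and `''`, none of which apply to a metric array whose entries require `category`; suggest `@description('Optional. The metrics that will be streamed. Set category to \'AllMetrics\' to collect all metrics. Set to [] to disable metric collection.')`. The last sentence of the `logCategoriesAndGroups` description is also stale: the property is now an object array, and the resource above falls back to `AllLogs` only when the value is null, so `''` cannot disable collection while an empty array `[]` does. Both strings are reproduced verbatim in this module's generated README and main.json hunks and in the queue-service main.json hunks above, so correcting them here and regenerating fixes every copy.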
@@ -1,16 +1,125 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "922436323351089615" + "templateHash": "15951116507662113563" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", "owner": "Azure/module-maintainers" }, + "definitions": { + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. 
\"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
+ } + } + } + }, + "nullable": true + } + }, "parameters": { "storageAccountName": { "type": "string", @@ -26,32 +135,10 @@ "description": "Optional. tables to create." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of a log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -60,69 +147,14 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "StorageRead", - "StorageWrite", - "StorageDelete" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "Transaction" - ], - "allowedValues": [ - "Transaction" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "name": "default", - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), 
''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -136,31 +168,45 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-09-01", + "name": "[parameters('storageAccountName')]" + }, + "tableServices": { "type": "Microsoft.Storage/storageAccounts/tableServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": {} + "properties": {}, + "dependsOn": [ + "storageAccount" + ] }, - { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "tableServices_diagnosticSettings": { + "copy": { + "name": "tableServices_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/tableServices/{1}', parameters('storageAccountName'), variables('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', variables('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), 
parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]" + "tableServices" ] }, - { + "tableServices_tables": { "copy": { "name": "tableServices_tables", "count": "[length(parameters('tables'))]" @@ -264,9 +310,12 @@ } } } - } + }, + "dependsOn": [ + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/.test/common/main.test.bicep index 258596f817..9cbb04d190 100644 
--- a/modules/synapse/workspace/.test/common/main.test.bicep
+++ b/modules/synapse/workspace/.test/common/main.test.bicep
@@ -102,19 +102,22 @@ module testDeployment '../../main.bicep' = {
 name: 'shir01'
 }
 ]
- diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
- diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- diagnosticLogCategoriesToEnable: [
- 'SynapseRbacOperations'
- 'GatewayApiRequests'
- 'BuiltinSqlReqsEnded'
- 'IntegrationPipelineRuns'
- 'IntegrationActivityRuns'
- 'IntegrationTriggerRuns'
- 'SQLSecurityAuditEvents'
- 'SynapseLinkEvent'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ logCategoriesAndGroups: [
+ {
+ category: 'SynapseRbacOperations'
+ }
+ {
+ category: 'SynapseLinkEvent'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
 ]
 enableDefaultTelemetry: enableDefaultTelemetry
 }
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index a9af2ce3c1..150314f8d8 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
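Review bot: The rewritten test entry keeps only `SynapseRbacOperations` and `SynapseLinkEvent` of the eight categories previously enabled, so `SQLSecurityAuditEvents` — the audit category a security reviewer cares most about — and the integration-run categories are no longer exercised by the common test. Unless the trimming is deliberate, consider restoring `{ category: 'SQLSecurityAuditEvents' }` under `logCategoriesAndGroups`. The array also holds a single entry that sets every field, so the module's behaviour for an entry that omits `logCategoriesAndGroups`/`metricCategories` (which for the table-service module in this same diff means `AllLogs`/`AllMetrics`) is not covered; a second minimal entry with only `workspaceResourceId` would exercise it, assuming the synapse module follows the same pattern — its main.bicep is not in this chunk.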
@@ -57,20 +57,23 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: 'swcom001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogCategoriesToEnable: [ - 'BuiltinSqlReqsEnded' - 'GatewayApiRequests' - 'IntegrationActivityRuns' - 'IntegrationPipelineRuns' - 'IntegrationTriggerRuns' - 'SQLSecurityAuditEvents' - 'SynapseLinkEvent' - 'SynapseRbacOperations' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' enableDefaultTelemetry: '' initialWorkspaceAdminObjectID: '' integrationRuntimes: [ @@ -134,30 +137,25 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "synwsadmin" }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogCategoriesToEnable": { + "diagnosticSettings": { "value": [ - "BuiltinSqlReqsEnded", - "GatewayApiRequests", - "IntegrationActivityRuns", - "IntegrationPipelineRuns", - "IntegrationTriggerRuns", - "SQLSecurityAuditEvents", - "SynapseLinkEvent", - "SynapseRbacOperations" + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "SynapseRbacOperations" + }, + { + "category": "SynapseLinkEvent" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ] }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, "enableDefaultTelemetry": { "value": "" }, 
@@ -547,12 +545,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | | [`cMKUseSystemAssignedIdentity`](#parameter-cmkusesystemassignedidentity) | bool | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | | [`defaultDataLakeStorageCreateManagedPrivateEndpoint`](#parameter-defaultdatalakestoragecreatemanagedprivateendpoint) | bool | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. 
| -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`encryption`](#parameter-encryption) | bool | Double encryption using a customer-managed key. | | [`encryptionActivateWorkspace`](#parameter-encryptionactivateworkspace) | bool | Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. | 
@@ -634,48 +627,100 @@ The default ADLS Gen2 file system. - Required: Yes - Type: string -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. 
Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, BuiltinSqlReqsEnded, GatewayApiRequests, IntegrationActivityRuns, IntegrationPipelineRuns, IntegrationTriggerRuns, SQLSecurityAuditEvents, SynapseLinkEvent, SynapseRbacOperations]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
+ +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index d2616a828a..d7d099043e 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -100,37 +100,8 @@ param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') -@allowed([ - '' - 'allLogs' - 'SynapseRbacOperations' - 'GatewayApiRequests' - 'BuiltinSqlReqsEnded' - 'IntegrationPipelineRuns' - 'IntegrationActivityRuns' - 'IntegrationTriggerRuns' - 'SQLSecurityAuditEvents' - 'SynapseLinkEvent' -]) -param diagnosticLogCategoriesToEnable array = [ - 'allLogs' -] - -@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType // Variables var userAssignedIdentitiesUnion = union(userAssignedIdentities, !empty(cMKUserAssignedIdentityResourceId) ? { 
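Review bot: The six diagnostic parameters (`diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId`, `diagnosticEventHubName`, `diagnosticLogCategoriesToEnable`, `diagnosticSettingsName`) are removed outright rather than deprecated, so every consumer still passing them fails to compile against this version; no version bump or changelog entry for the module is visible in this chunk, and the break should be recorded there. The replacement's description, `'Optional. The diagnostic settings of the service.'`, also drops the behaviour callers used to read off the old parameters: that each entry becomes one diagnostic setting and that omitting the log selection enables the `AllLogs` group (the default the resource applies further down). Suggested: `@description('Optional. The diagnostic settings of the service. Each entry deploys one diagnostic setting; omit logCategoriesAndGroups to collect the AllLogs category group.')`.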
@@ -144,18 +115,6 @@ var identity = { userAssignedIdentities: !empty(userAssignedIdentitiesUnion) ? userAssignedIdentitiesUnion : null } -var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { - category: category - enabled: true -}] - -var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [ - { - categoryGroup: 'allLogs' - enabled: true - } -] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified - var enableReferencedModulesTelemetry = false var builtInRoleNames = { 
@@ -322,17 +281,24 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = }] // Diagnostics Settings -resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings' +resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): { + name: diagnosticSetting.?name ?? '${name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - logs: diagnosticsLogs + storageAccountId: diagnosticSetting.?storageAccountResourceId + workspaceId: diagnosticSetting.?workspaceResourceId + eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId + eventHubName: diagnosticSetting.?eventHubName + logs: diagnosticSetting.?logCategoriesAndGroups ?? [ + { + categoryGroup: 'AllLogs' + enabled: true + } + ] + marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId + logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } scope: workspace -} +}] @description('The resource ID of the deployed Synapse Workspace.') output resourceID string = workspace.id 
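Review bot: Two or more `diagnosticSettings` entries that omit `name` all resolve to `'${name}-diagnosticSettings'`, so the loop emits duplicate resource names and the deployment should fail at runtime; the loop already declares `index` but never uses it, which is the natural disambiguator (note that suffixing the index also renames the default setting of existing single-entry deployments, so the alternative is to require `name` whenever more than one entry is given). The default branch of `logs` sets `enabled: true` explicitly while caller-supplied `logCategoriesAndGroups` items are passed through untouched and the new type has no `enabled` field; whether the API tolerates a missing `enabled` on those items I can't confirm from the diff, and mapping both branches through one projection makes the shape uniform. The old `if (...)` guard also meant an entry with no destination was skipped, whereas the loop now sends it to ARM as-is, so any rejection surfaces only at deploy time.
```bicep
resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  // index keeps entries without an explicit name from colliding
  name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: workspace
}]
```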
@@ -441,3 +407,35 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index 677555b5c2..fb713390f4 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12758052897750463428"
+ "templateHash": "11476274375435948845"
 },
 "name": "Synapse Workspaces",
 "description": "This module deploys a Synapse Workspace.",
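Review bot: The description on `logCategoriesAndGroups` in the new `diagnosticSettingType` is stale: it still says `Set to '' to disable log collection`, but the property is now an array of objects, and the resource only coalesces `null`, so an empty array `[]` is what disables collection while `''` is a type error; it also spells the group `"allLogs"` where the resource default uses `'AllLogs'`. Suggested: `@description('Optional. The name of logs that will be streamed. Omit to collect the "AllLogs" category group; set to an empty array to disable log collection.')`. Separately, the removed `@allowed([...])` list meant a mistyped category was rejected at compile time, whereas `category: string?` now accepts any string and a typo only shows up at deployment; worth stating in the `category` description that values must be valid Diagnostic Log categories for the workspace. Minor style: `('Dedicated' | 'AzureDiagnostics' | null)?` carries both `| null` and `?`, and one of the two is redundant.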
@@ -251,6 +251,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -463,81 +551,20 @@ "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "SynapseRbacOperations", - "GatewayApiRequests", - "BuiltinSqlReqsEnded", - "IntegrationPipelineRuns", - "IntegrationActivityRuns", - "IntegrationTriggerRuns", - "SQLSecurityAuditEvents", - "SynapseLinkEvent" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." 
} } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], "userAssignedIdentitiesUnion": "[union(parameters('userAssignedIdentities'), if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject(format('{0}', parameters('cMKUserAssignedIdentityResourceId')), createObject()), createObject()))]", "identityType": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", "identity": { "type": "[variables('identityType')]", "userAssignedIdentities": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), variables('userAssignedIdentitiesUnion'), null())]" }, - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -651,17 +678,22 @@ ] }, "workspace_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "workspace_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "workspace" diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/.test/asev2/main.test.bicep index 28203cd5f6..ff34db8bf0 100644 --- a/modules/web/hosting-environment/.test/asev2/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev2/main.test.bicep @@ -89,10 +89,15 @@ module testDeployment '../../main.bicep' = { value: '1' } ] - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] systemAssignedIdentity: true userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} 
diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/.test/asev3/main.test.bicep index 9e2c5bc92e..8349a9a8b0 100644 --- a/modules/web/hosting-environment/.test/asev3/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev3/main.test.bicep @@ -97,10 +97,15 @@ module testDeployment '../../main.bicep' = { inboundIpAddressOverride: '10.0.0.10' remoteDebugEnabled: true upgradePreference: 'Late' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] systemAssignedIdentity: true userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index a51c8234e4..8e8690e35a 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md 
@@ -51,10 +51,15 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { value: '1' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' ipsslAddressCount: 2 kind: 'ASEv2' @@ -112,17 +117,16 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -200,10 +204,15 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { customDnsSuffix: 'internal.contoso.com' customDnsSuffixCertificateUrl: '' customDnsSuffixKeyVaultReferenceIdentity: '' - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' ftpEnabled: true inboundIpAddressOverride: '10.0.0.10' 
@@ -275,17 +284,16 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "customDnsSuffixKeyVaultReferenceIdentity": { "value": "" }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -370,12 +378,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { | [`clusterSettings`](#parameter-clustersettings) | array | Custom settings for changing the behavior of the App Service Environment. | | [`customDnsSuffix`](#parameter-customdnssuffix) | string | Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. | | [`dedicatedHostCount`](#parameter-dedicatedhostcount) | int | The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. 
| +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix of the App Service Environment. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`frontEndScaleFactor`](#parameter-frontendscalefactor) | int | Scale factor for frontends. | 
@@ -438,48 +441,100 @@ The Dedicated Host Count. If `zoneRedundant` is false, and you want physical har - Type: int - Default: `0` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[allLogs]` -- Allowed: `['', allLogs, AppServiceEnvironmentPlatformLogs]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` -Resource ID of the diagnostic log analytics workspace. +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.name` + +Optional. 
The name of diagnostic setting. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. + - Required: No - Type: string -- Default: `''` ### Parameter: `dnsSuffix` diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index 29fcf1e7bb..da6d56d178 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep 
@@ -115,46 +115,12 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'AppServiceEnvironmentPlatformLogs'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'allLogs'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var enableReferencedModulesTelemetry = false
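Review bot: Dropping `diagnosticStorageAccountId`, `diagnosticWorkspaceId`, `diagnosticEventHubAuthorizationRuleId`, `diagnosticEventHubName`, `diagnosticLogCategoriesToEnable` and `diagnosticSettingsName` with no compatibility shim is a breaking change to the module interface; any consumer still passing them will fail compilation against the new template. The README hunks above keep referencing the `br:bicep/modules/web.hosting-environment:1.0.0` tag and no version bump is visible in this diff, so presumably the module version is raised elsewhere — worth confirming before publishing. The `diagnosticSettings` description could also carry the migration mapping, e.g. `Optional. The diagnostic settings of the service. Replaces the former diagnostic* parameters; diagnosticLogCategoriesToEnable maps to logCategoriesAndGroups and diagnosticSettingsName to name.`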
@@ -239,17 +205,24 @@ resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2020-05-01' =
 scope: appServiceEnvironment
 }
-resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: appServiceEnvironment
-}
+}]
 resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
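Review bot: A caller-supplied `logCategoriesAndGroups` array is assigned to `logs` unchanged, so its entries carry only `category`/`categoryGroup` and no `enabled` flag, whereas the fallback entry in this hunk and the removed `diagnosticsLogsSpecified` variable always set `enabled: true`; the per-entry shape should be normalised inside the loop rather than only on the default. Whether the API rejects a log entry without `enabled` or treats it as disabled I cannot confirm from the diff, but either way a caller who names a category explicitly ends up with something other than the old behaviour of collecting it. Separately, the fallback `name` is `'${name}-diagnosticSettings'` on every iteration, so two entries that both omit `name` collide on one resource name; deriving the fallback from `index` for the second entry onward avoids that. The `logAnalyticsDestinationType` and `marketplacePartnerId` lines are fine as written.
```bicep
resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
  name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')
  properties: {
    // … unchanged: storageAccountId, workspaceId, eventHubAuthorizationRuleId, eventHubName …
    logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'AllLogs' } ]): {
      categoryGroup: group.?categoryGroup
      category: group.?category
      enabled: true
    }]
    // … unchanged: marketplacePartnerId, logAnalyticsDestinationType …
  }
  scope: appServiceEnvironment
}]
```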
@@ -311,3 +284,35 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json
index 50b9ab706a..cd15bf4aab 100644
--- a/modules/web/hosting-environment/main.json
+++ b/modules/web/hosting-environment/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5607642767889382613"
+ "templateHash": "11474223450734881423"
 },
 "name": "App Service Environments",
 "description": "This module deploys an App Service Environment.",
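Review bot: The description on `logCategoriesAndGroups` still carries the wording of the removed `diagnosticLogCategoriesToEnable` parameter — `"allLogs" includes all possible logs for the resource. Set to '' to disable log collection` — which no longer fits an array of `{ category, categoryGroup }` objects: the resource falls back to `categoryGroup: 'AllLogs'` only when the property is absent, so disabling collection is now done with an empty array, and the `allLogs` casing disagrees with the `'AllLogs'` named in the `categoryGroup` description two properties below. Suggested wording: `Optional. The log categories and category groups to stream. When omitted, the category group 'AllLogs' is collected; set to an empty array to disable log collection.` Since the `@allowed` list that previously pinned categories to `AppServiceEnvironmentPlatformLogs` is gone, naming that category in the `category` description would also help, as an unknown name is presumably now only rejected at deployment time. The README and main.json hunks reproduce the same stale sentence and are presumably regenerated from this type, so fixing it here should flow through.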
@@ -103,6 +103,94 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -319,32 +407,10 @@ "description": "Optional. The ID(s) to assign to the resource." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + "description": "Optional. The diagnostic settings of the service." } }, "enableDefaultTelemetry": { 
@@ -353,41 +419,9 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": [ - "allLogs" - ], - "allowedValues": [ - "", - "allLogs", - "AppServiceEnvironmentPlatformLogs" - ], - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "enableReferencedModulesTelemetry": false, "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', 
if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", 
@@ -454,17 +488,22 @@ ] }, "appServiceEnvironment_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "appServiceEnvironment_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "appServiceEnvironment" diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/.test/common/main.test.bicep index 2be57ba46b..38af3a47f8 100644 --- a/modules/web/serverfarm/.test/common/main.test.bicep +++ b/modules/web/serverfarm/.test/common/main.test.bicep @@ -73,10 +73,20 @@ module testDeployment '../../main.bicep' = { size: 'S1' tier: 'Standard' } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 65ce8f30ab..a8de74f584 100644 
--- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -52,10 +52,20 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { tier: 'Standard' } // Non-required parameters - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' lock: { kind: 'CanNotDelete' @@ -103,17 +113,21 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { } }, // Non-required parameters - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" 
@@ -168,12 +182,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`appServiceEnvironmentId`](#parameter-appserviceenvironmentid) | string | The Resource ID of the App Service Environment to use for the App Service Plan. | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`kind`](#parameter-kind) | string | Kind of server OS. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -194,48 +203,92 @@ The Resource ID of the App Service Environment to use for the App Service Plan. - Type: string - Default: `''` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. 
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticMetricsToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+ +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string -- Default: `''` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 05345e30c2..6beca161de 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep 
@@ -64,41 +64,12 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
-
-@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. When true, this App Service Plan will perform availability zone balancing.')
 param zoneRedundant bool = false
 
-// =========== //
-// Variables //
-// =========== //
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 // ============ //
 // Dependencies //
 // ============ //
@@ -144,18 +115,25 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = {
 }
 }
 
-resource appServicePlan_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource appServicePlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: []
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: appServicePlan
-}
+}]
 
 resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
 name: lock.?name ?? 'lock-${name}'
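Review bot: Two or more `diagnosticSettings` entries that omit `name` collide on the fallback `'${name}-diagnosticSettings'`, because the `index` declared in `[for (diagnosticSetting, index) in (diagnosticSettings ?? [])` is never used; either fold it into the fallback, e.g. `name: diagnosticSetting.?name ?? '${name}-diagnosticSettings-${index}'`, or state on the type that `name` must be unique per entry (the single-entry default would otherwise change, so pick deliberately). The removed lines normalised empty sink IDs with `!empty(x) ? x : null`, while the new `storageAccountId: diagnosticSetting.?storageAccountResourceId` and its siblings pass values straight through, so an entry carrying `''` for a sink now reaches the API as an empty string rather than null — presumably rejected at deployment, worth confirming. The old `if (...)` guard that skipped the resource when no destination was supplied is gone as well, so an entry with no sink at all yields a setting whose destinations are all null. The `appServicePlan_lock` resource continues outside the hunk.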
@@ -229,3 +207,32 @@ type roleAssignmentType = {
 @description('Optional. The Resource Id of the delegated managed identity resource.')
 delegatedManagedIdentityResourceId: string?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+ + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index f479b9e5e9..d02adee91d 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17683178516724577324" + "templateHash": "3543793483023585730" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", 
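Review bot: The description on `metricCategories` in the new `diagnosticSettingType` is the log-categories wording ("The name of logs that will be streamed. "allLogs" includes all possible logs … Set to '' to disable log collection"), which does not describe a metrics array and is copied verbatim into the generated README and main.json hunks of this commit; the removed parameter's text fits, e.g. `@description('Optional. The name of metrics that will be streamed. Set to \'AllMetrics\' to collect all metrics.')`. As a point of style, `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` both lists `null` in the union and marks the property optional with `?`; `('Dedicated' | 'AzureDiagnostics')?` says the same thing once and, I expect, compiles to the same nullable `allowedValues` in main.json — worth confirming against the generated output. The type declaration starts in the previous hunk line.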
@@ -103,6 +103,86 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -221,51 +301,10 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." 
+ "description": "Optional. The diagnostic settings of the service." } }, "zoneRedundant": { @@ -277,17 +316,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -333,18 +361,22 @@ } }, "appServicePlan_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "appServicePlan_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": [] + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "appServicePlan" diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep index 9948b9688f..2a2af35a66 100644 --- a/modules/web/site/.test/functionAppCommon/main.test.bicep +++ b/modules/web/site/.test/functionAppCommon/main.test.bicep @@ -140,10 +140,20 @@ module testDeployment '../../main.bicep' = { runtimeVersion: '~1' } } - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' 
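Review bot: The new `diagnosticSettings` list in this test has a single entry with an explicit `name: 'customSetting'`, so neither the default-name path nor the per-entry loop with several settings is exercised; a second entry that omits `name` and routes to one sink only, e.g. `{ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId }`, would cover both, assuming the site module's resource loop mirrors the serverfarm one in this commit. The webAppCommon hunks that follow (`@@ -68,10 +68,20 @@` and the slot hunk `@@ -80,10 +90,15 @@`) have the same single-entry shape. The enclosing `module testDeployment` block starts and ends outside the hunk.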
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep index c4d9ff9bb9..6e61619316 100644 --- a/modules/web/site/.test/webAppCommon/main.test.bicep +++ b/modules/web/site/.test/webAppCommon/main.test.bicep @@ -68,10 +68,20 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}001' kind: 'app' serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] httpsOnly: true lock: { kind: 'CanNotDelete' 
@@ -80,10 +90,15 @@ module testDeployment '../../main.bicep' = { slots: [ { name: 'slot1' - diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId - diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] privateEndpoints: [ { subnetResourceId: nestedDependencies.outputs.subnetResourceId diff --git a/modules/web/site/README.md b/modules/web/site/README.md index f748d00c85..72c2066fe8 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -125,10 +125,20 @@ module site 'br:bicep/modules/web.site:1.0.0' = { runtimeVersion: '~1' } } - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' hybridConnectionRelays: [ { 
@@ -273,17 +283,21 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } } }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -440,10 +454,20 @@ module site 'br:bicep/modules/web.site:1.0.0' = { name: 'scm' } ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' httpsOnly: true hybridConnectionRelays: [ @@ -489,10 +513,15 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } slots: [ { - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] hybridConnectionRelays: [ { resourceId: '' 
@@ -578,17 +607,21 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } ] }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" @@ -654,10 +687,15 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "slots": { "value": [ { - "diagnosticEventHubAuthorizationRuleId": "", - "diagnosticEventHubName": "", - "diagnosticStorageAccountId": "", - "diagnosticWorkspaceId": "", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], "hybridConnectionRelays": [ { "resourceId": "", 
@@ -805,13 +843,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`containerSize`](#parameter-containersize) | int | Size of the function container. | | [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | | [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | 
@@ -931,56 +963,120 @@ Maximum allowed daily memory-time quota (applicable on dynamic apps only). - Type: int - Default: `-1` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -- Default: `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]` -- Allowed: `['', allLogs, AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
+ +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enabled` diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 8dcd8df3dd..6e5951ac44 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep 
@@ -93,51 +93,8 @@ param enableDefaultTelemetry bool = true
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
 
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
-@allowed([
- ''
- 'allLogs'
- 'AppServiceHTTPLogs'
- 'AppServiceConsoleLogs'
- 'AppServiceAppLogs'
- 'AppServiceAuditLogs'
- 'AppServiceIPSecAuditLogs'
- 'AppServicePlatformLogs'
- 'FunctionAppLogs'
-])
-param diagnosticLogCategoriesToEnable array = kind == 'functionapp' ? [
- 'FunctionAppLogs'
-] : [
- 'AppServiceHTTPLogs'
- 'AppServiceConsoleLogs'
- 'AppServiceAppLogs'
- 'AppServiceAuditLogs'
- 'AppServiceIPSecAuditLogs'
- 'AppServicePlatformLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
-param diagnosticSettingsName string = ''
+@description('Optional. The diagnostic settings of the service.')
+param diagnosticSettings diagnosticSettingType
 
 @description('Optional. To enable client certificate authentication (TLS mutual authentication).')
 param clientCertEnabled bool = false
@@ -198,24 +155,6 @@ param hybridConnectionRelays array = []
 ])
 param publicNetworkAccess string = ''
 
-var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): {
- category: category
- enabled: true
-}]
-
-var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
- {
- categoryGroup: 'allLogs'
- enabled: true
- }
-] : contains(diagnosticLogCategoriesToEnable, '') ? [] : diagnosticsLogsSpecified
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
-}]
-
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 
 var identity = identityType != 'None' ? {
@@ -330,12 +269,7 @@ module app_slots 'slot/main.bicep' = [for (slot, index) in slots: {
 setAzureWebJobsDashboard: contains(slot, 'setAzureWebJobsDashboard') ? slot.setAzureWebJobsDashboard : setAzureWebJobsDashboard
 authSettingV2Configuration: contains(slot, 'authSettingV2Configuration') ? slot.authSettingV2Configuration : authSettingV2Configuration
 enableDefaultTelemetry: enableReferencedModulesTelemetry
- diagnosticStorageAccountId: contains(slot, 'diagnosticStorageAccountId') ? slot.diagnosticStorageAccountId : diagnosticStorageAccountId
- diagnosticWorkspaceId: contains(slot, 'diagnosticWorkspaceId') ? slot.diagnosticWorkspaceId : diagnosticWorkspaceId
- diagnosticEventHubAuthorizationRuleId: contains(slot, 'diagnosticEventHubAuthorizationRuleId') ? slot.diagnosticEventHubAuthorizationRuleId : diagnosticEventHubAuthorizationRuleId
- diagnosticEventHubName: contains(slot, 'diagnosticEventHubName') ? slot.diagnosticEventHubName : diagnosticEventHubName
- diagnosticLogCategoriesToEnable: contains(slot, 'diagnosticLogCategoriesToEnable') ? slot.diagnosticLogCategoriesToEnable : diagnosticLogCategoriesToEnable
- diagnosticMetricsToEnable: contains(slot, 'diagnosticMetricsToEnable') ? slot.diagnosticMetricsToEnable : diagnosticMetricsToEnable
+ diagnosticSettings: slot.?diagnosticSettings
 roleAssignments: contains(slot, 'roleAssignments') ? slot.roleAssignments : roleAssignments
 appSettingsKeyValuePairs: contains(slot, 'appSettingsKeyValuePairs') ? slot.appSettingsKeyValuePairs : appSettingsKeyValuePairs
 lock: contains(slot, 'lock') ? slot.lock : lock
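Review bot: `diagnosticSettings: slot.?diagnosticSettings` has no fallback to the site-level parameter, unlike the six lines it replaces and the neighbouring `roleAssignments`, `appSettingsKeyValuePairs` and `lock` properties, which all use `contains(slot, 'x') ? slot.x : x`; a slot that does not declare its own `diagnosticSettings` therefore deploys without any diagnostic setting instead of inheriting the site's, silently losing log forwarding for that slot. If inheritance is still intended, `diagnosticSettings: slot.?diagnosticSettings ?? diagnosticSettings` restores it. The compiled `main.json` hunk at `@@ -1096,12 +1128,9 @@` mirrors the same omission and would follow from a rebuild. The `app_slots` module block starts and ends outside this hunk.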
@@ -388,18 +322,31 @@ resource app_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?
 scope: app
 }
 
-resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: app
-}
+}]
 
 resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(app.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
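Review bot: In the new loop every entry that omits `name` falls back to the same `'${name}-diagnosticSettings'`, so two entries without an explicit name would produce duplicate resource names within `app_diagnosticSettings` and the deployment would most likely fail; either make the fallback index-aware, e.g. `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`, or document on `diagnosticSettings.name` that it must be unique when several entries are given. The removed `if (!empty(...) || ...)` guard is gone as well: an entry with no destination at all is now handed to the resource provider rather than skipped, which is acceptable but worth a sentence in the parameter description. The defaults also change from kind-specific categories (`FunctionAppLogs` for function apps, the `AppService*` set otherwise) to the `AllLogs` category group for every kind — broader coverage, which is the right direction for audit logging, but a behaviour change callers should be told about.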
@@ -555,3 +502,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+ eventHubAuthorizationRuleResourceId: string?
+
+ @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ eventHubName: string?
+
+ @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
+ marketplacePartnerResourceId: string?
+}[]?
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index 1bbe74f580..d0366d2083 100644
--- a/modules/web/site/main.json
+++ b/modules/web/site/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4843779677918580425"
+ "templateHash": "16589112738321066584"
 },
 "name": "Web/Function Apps",
 "description": "This module deploys a Web or Function App.",
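Review bot: The `@description` on `metricCategories` is a copy of the log description ("The name of logs that will be streamed… Set to '' to disable log collection") and `logCategoriesAndGroups` still tells callers to pass `''`, which an array of `{ category, categoryGroup }` objects cannot express; the same text is reproduced in the README and `main.json` hunks of this commit. As far as the resource hunk shows, the defaults are applied with `?? [ … ]`, which only replaces null, so an explicit `[]` passes through as an empty `logs`/`metrics` array; the accurate wording is therefore `@description('Optional. The name of metrics that will be streamed. Set to [] to disable metric collection.')` for `metricCategories` and, for `logCategoriesAndGroups`, ending with `Set to [] to disable log collection.` instead of the `''` sentence. As a point of style, `('Dedicated' | 'AzureDiagnostics' | null)?` states nullability twice; `('Dedicated' | 'AzureDiagnostics')?` is enough and matches the two `allowedValues` emitted in `main.json`.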
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -452,69 +558,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": "[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]", - "allowedValues": [ - "", - "allLogs", - "AppServiceHTTPLogs", - "AppServiceConsoleLogs", - "AppServiceAppLogs", - "AppServiceAuditLogs", - "AppServiceIPSecAuditLogs", - "AppServicePlatformLogs", - "FunctionAppLogs" - ], + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. 
The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "clientCertEnabled": { 
@@ -634,26 +681,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogsSpecified", - "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), ''))))))]", - "input": { - "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', and(not(equals(lambdaVariables('item'), 'allLogs')), not(equals(lambdaVariables('item'), '')))))[copyIndex('diagnosticsLogsSpecified')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], - "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]", "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -733,18 +760,23 @@ ] }, "app_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "app_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": 
"[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "app" 
@@ -1096,12 +1128,9 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "diagnosticStorageAccountId": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticStorageAccountId'), createObject('value', parameters('slots')[copyIndex()].diagnosticStorageAccountId), createObject('value', parameters('diagnosticStorageAccountId')))]", - "diagnosticWorkspaceId": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticWorkspaceId'), createObject('value', parameters('slots')[copyIndex()].diagnosticWorkspaceId), createObject('value', parameters('diagnosticWorkspaceId')))]", - "diagnosticEventHubAuthorizationRuleId": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticEventHubAuthorizationRuleId'), createObject('value', parameters('slots')[copyIndex()].diagnosticEventHubAuthorizationRuleId), createObject('value', parameters('diagnosticEventHubAuthorizationRuleId')))]", - "diagnosticEventHubName": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticEventHubName'), createObject('value', parameters('slots')[copyIndex()].diagnosticEventHubName), createObject('value', parameters('diagnosticEventHubName')))]", - "diagnosticLogCategoriesToEnable": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('slots')[copyIndex()].diagnosticLogCategoriesToEnable), createObject('value', parameters('diagnosticLogCategoriesToEnable')))]", - "diagnosticMetricsToEnable": "[if(contains(parameters('slots')[copyIndex()], 'diagnosticMetricsToEnable'), createObject('value', parameters('slots')[copyIndex()].diagnosticMetricsToEnable), createObject('value', parameters('diagnosticMetricsToEnable')))]", + "diagnosticSettings": { + "value": "[tryGet(parameters('slots')[copyIndex()], 'diagnosticSettings')]" + }, "roleAssignments": "[if(contains(parameters('slots')[copyIndex()], 'roleAssignments'), createObject('value', parameters('slots')[copyIndex()].roleAssignments), 
createObject('value', parameters('roleAssignments')))]", "appSettingsKeyValuePairs": "[if(contains(parameters('slots')[copyIndex()], 'appSettingsKeyValuePairs'), createObject('value', parameters('slots')[copyIndex()].appSettingsKeyValuePairs), createObject('value', parameters('appSettingsKeyValuePairs')))]", "lock": "[if(contains(parameters('slots')[copyIndex()], 'lock'), createObject('value', parameters('slots')[copyIndex()].lock), createObject('value', parameters('lock')))]", @@ -1134,7 +1163,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17150701166857849727" + "templateHash": "8235549434045732740" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1380,6 +1409,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
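Review bot: The description on `metricCategories` in the added `diagnosticSettingType` definition is a copy of the `logCategoriesAndGroups` one (`The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.`), so it describes logs, not metrics, and the README generated from it (the `diagnosticSettings.metricCategories` section later in this diff) repeats the error. The `Set to '' to disable` guidance is also stale for both array members: the `slot_diagnosticSettings` resource in this diff uses `coalesce(tryGet(...), createArray(...))` / `?? [ ... ]` defaults, so an empty array `[]` is what bypasses the `AllLogs`/`AllMetrics` defaults, while `''` is not a valid value for an array-of-objects type. Since this file is compiled output, the fix belongs in the `@description` of `type diagnosticSettingType` in `modules/web/site/slot/main.bicep` (also in this diff; the same text is compiled into `modules/web/site/slot/main.json`), e.g. `@description('Optional. The metric categories that will be streamed. Set to \'AllMetrics\' to collect all metrics; pass an empty array to disable metric collection.')`, followed by regenerating `main.json` and the README.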
@@ -1552,67 +1687,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account." - } - }, - "diagnosticWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of log analytics workspace." - } - }, - "diagnosticEventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "diagnosticEventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "diagnosticLogCategoriesToEnable": { - "type": "array", - "defaultValue": "[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]", - "allowedValues": [ - "AppServiceHTTPLogs", - "AppServiceConsoleLogs", - "AppServiceAppLogs", - "AppServiceAuditLogs", - "AppServiceIPSecAuditLogs", - "AppServicePlatformLogs", - "FunctionAppLogs" - ], - "metadata": { - "description": "Optional. 
The name of logs that will be streamed." - } - }, - "diagnosticMetricsToEnable": { - "type": "array", - "defaultValue": [ - "AllMetrics" - ], - "allowedValues": [ - "AllMetrics" - ], - "metadata": { - "description": "Optional. The name of metrics that will be streamed." - } - }, - "diagnosticSettingsName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + "description": "Optional. The diagnostic settings of the service." } }, "clientCertEnabled": { @@ -1746,25 +1824,6 @@ } }, "variables": { - "copy": [ - { - "name": "diagnosticsLogs", - "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]", - "input": { - "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]", - "enabled": true - } - }, - { - "name": "diagnosticsMetrics", - "count": "[length(parameters('diagnosticMetricsToEnable'))]", - "input": { - "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", - "timeGrain": null, - "enabled": true - } - } - ], "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
@@ -1852,18 +1911,23 @@ ] }, "slot_diagnosticSettings": { - "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "copy": { + "name": "slot_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", - "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { - "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", - "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", - "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", - "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", - "metrics": "[variables('diagnosticsMetrics')]", - "logs": "[variables('diagnosticsLogs')]" + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 
'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ "slot" diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index d31c9f3387..2f035b876f 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md 
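Review bot: Every `diagnosticSettings` entry that omits `name` resolves to the same resource name, `format('{0}-diagnosticSettings', parameters('name'))`, so passing two or more entries without explicit names (e.g. one targeting a workspace and one an event hub) yields duplicate resource names inside the `slot_diagnosticSettings` copy loop and the deployment fails. The Bicep source of this nested template (the `slot_diagnosticSettings` loop in `modules/web/site/slot/main.bicep`, further down in this diff) already binds `index` in `[for (diagnosticSetting, index) in ...]` but never uses it; keeping the current default for the first entry and suffixing the rest avoids the clash without renaming existing single-entry deployments: `name: diagnosticSetting.?name ?? (index == 0 ? '${name}-diagnosticSettings' : '${name}-diagnosticSettings-${index}')`. The compiled copies (this nested template and `modules/web/site/slot/main.json`) would then be regenerated from the Bicep.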
@@ -54,13 +54,7 @@ This module deploys a Web or Function App Deployment Slot. | [`containerSize`](#parameter-containersize) | int | Size of the function container. | | [`customDomainVerificationId`](#parameter-customdomainverificationid) | string | Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. | | [`dailyMemoryTimeQuota`](#parameter-dailymemorytimequota) | int | Maximum allowed daily memory-time quota (applicable on dynamic apps only). | -| [`diagnosticEventHubAuthorizationRuleId`](#parameter-diagnosticeventhubauthorizationruleid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`diagnosticEventHubName`](#parameter-diagnosticeventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| [`diagnosticLogCategoriesToEnable`](#parameter-diagnosticlogcategoriestoenable) | array | The name of logs that will be streamed. | -| [`diagnosticMetricsToEnable`](#parameter-diagnosticmetricstoenable) | array | The name of metrics that will be streamed. | -| [`diagnosticSettingsName`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". | -| [`diagnosticStorageAccountId`](#parameter-diagnosticstorageaccountid) | string | Resource ID of the diagnostic storage account. | -| [`diagnosticWorkspaceId`](#parameter-diagnosticworkspaceid) | string | Resource ID of log analytics workspace. | +| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enabled`](#parameter-enabled) | bool | Setting this value to false disables the app (takes the app offline). 
| | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`hostNameSslStates`](#parameter-hostnamesslstates) | array | Hostname SSL states are used to manage the SSL bindings for app's hostnames. | 
@@ -178,56 +172,120 @@ Maximum allowed daily memory-time quota (applicable on dynamic apps only). - Type: int - Default: `-1` -### Parameter: `diagnosticEventHubAuthorizationRuleId` +### Parameter: `diagnosticSettings` + +The diagnostic settings of the service. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | + +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` + +Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. -Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticEventHubName` +### Parameter: `diagnosticSettings.eventHubName` + +Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticLogCategoriesToEnable` +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` + +Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. + +- Required: No +- Type: string +- Allowed: `[AzureDiagnostics, Dedicated]` + +### Parameter: `diagnosticSettings.logCategoriesAndGroups` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of logs that will be streamed. - Required: No - Type: array -- Default: `[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]` -- Allowed: `[AppServiceAppLogs, AppServiceAuditLogs, AppServiceConsoleLogs, AppServiceHTTPLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs, FunctionAppLogs]` -### Parameter: `diagnosticMetricsToEnable` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` + +Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` + +Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. + +- Required: No +- Type: string + + +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` + +Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + +- Required: No +- Type: string + +### Parameter: `diagnosticSettings.metricCategories` + +Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. -The name of metrics that will be streamed. - Required: No - Type: array -- Default: `[AllMetrics]` -- Allowed: `[AllMetrics]` -### Parameter: `diagnosticSettingsName` +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | + +### Parameter: `diagnosticSettings.metricCategories.category` + +Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. + +- Required: Yes +- Type: string + + +### Parameter: `diagnosticSettings.name` + +Optional. The name of diagnostic setting. -The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings". - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticStorageAccountId` +### Parameter: `diagnosticSettings.storageAccountResourceId` + +Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of the diagnostic storage account. - Required: No - Type: string -- Default: `''` -### Parameter: `diagnosticWorkspaceId` +### Parameter: `diagnosticSettings.workspaceResourceId` + +Optional. Resource ID of the diagnostic log analytics workspace. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. -Resource ID of log analytics workspace. - Required: No - Type: string -- Default: `''` ### Parameter: `enabled` diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 7b52d9bb53..2a7719afdd 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep 
@@ -81,49 +81,8 @@ param enableDefaultTelemetry bool = true
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments roleAssignmentType
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource ID of log analytics workspace.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@description('Optional. The name of logs that will be streamed.')
-@allowed([
- 'AppServiceHTTPLogs'
- 'AppServiceConsoleLogs'
- 'AppServiceAppLogs'
- 'AppServiceAuditLogs'
- 'AppServiceIPSecAuditLogs'
- 'AppServicePlatformLogs'
- 'FunctionAppLogs'
-])
-param diagnosticLogCategoriesToEnable array = kind == 'functionapp' ? [
- 'FunctionAppLogs'
-] : [
- 'AppServiceHTTPLogs'
- 'AppServiceConsoleLogs'
- 'AppServiceAppLogs'
- 'AppServiceAuditLogs'
- 'AppServiceIPSecAuditLogs'
- 'AppServicePlatformLogs'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed. 
If left empty, it defaults to "-diagnosticSettings".') -param diagnosticSettingsName string = '' +@description('Optional. The diagnostic settings of the service.') +param diagnosticSettings diagnosticSettingType @description('Optional. To enable client certificate authentication (TLS mutual authentication).') param clientCertEnabled bool = false @@ -190,17 +149,6 @@ param vnetRouteAllEnabled bool = false @description('Optional. Names of hybrid connection relays to connect app with.') param hybridConnectionRelays array = [] -var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { - category: category - enabled: true -}] - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true -}] - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -318,18 +266,31 @@ resource slot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 scope: slot
 }
 
-resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${name}-diagnosticSettings'
+resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+ name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
 properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
+ storageAccountId: diagnosticSetting.?storageAccountResourceId
+ workspaceId: diagnosticSetting.?workspaceResourceId
+ eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+ eventHubName: diagnosticSetting.?eventHubName
+ metrics: diagnosticSetting.?metricCategories ?? [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ }
+ ]
+ logs: diagnosticSetting.?logCategoriesAndGroups ?? [
+ {
+ categoryGroup: 'AllLogs'
+ enabled: true
+ }
+ ]
+ marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+ logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
 }
 scope: slot
-}
+}]
 
 resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ??
[]): { name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) 
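Review bot: The loop creates one `Microsoft.Insights/diagnosticSettings` resource for every entry of `diagnosticSettings`, but nothing requires an entry to carry a destination: `storageAccountId`, `workspaceId`, `eventHubAuthorizationRuleId`, `eventHubName` and `marketplacePartnerId` are all optional `.?` lookups, so an entry that only sets `name` or `logCategoriesAndGroups` produces a setting with no sink. The removed `if (!empty(diagnosticStorageAccountId) || ...)` guard skipped the resource in exactly that case; with the loop the resource provider is expected to reject the sink-less setting at deployment time (to be confirmed), which surfaces as a late runtime error instead of a validation message. At minimum the constraint should be stated on the parameter, e.g. `@description('Optional. The diagnostic settings of the service. Each entry must set at least one of workspaceResourceId, storageAccountResourceId, eventHubAuthorizationRuleResourceId or marketplacePartnerResourceId.')` — the `param diagnosticSettings diagnosticSettingType` line is in the earlier hunk of this file.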
@@ -473,3 +434,41 @@ type privateEndpointType = {
 @description('Optional. Enable/Disable usage telemetry for module.')
 enableTelemetry: bool?
 }[]?
+
+type diagnosticSettingType = {
+ @description('Optional. The name of diagnostic setting.')
+ name: string?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ logCategoriesAndGroups: {
+ @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
+ category: string?
+
+ @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.')
+ categoryGroup: string?
+ }[]?
+
+ @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.')
+ metricCategories: {
+ @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.')
+ category: string
+ }[]?
+
+ @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+
+ @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ workspaceResourceId: string?
+
+ @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+ storageAccountResourceId: string?
+
+ @description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index 3bfc8e59bb..b8898780c5 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17150701166857849727" + "templateHash": "8235549434045732740" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
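Review bot: `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?` spells nullability twice — the `| null` union member and the trailing `?` — while every other member of `diagnosticSettingType` relies on `?` alone; `logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?` reads consistently and should compile to the same `allowedValues` plus `nullable: true` seen in the `main.json` hunk below (worth confirming by regenerating it). Separately, both `category` and `categoryGroup` of `logCategoriesAndGroups` are optional, so the type accepts an element `{}` that yields a log entry with neither field; if one of the two is expected, a short note in the `logCategoriesAndGroups` description, `Each element should set either category or categoryGroup.`, would tell callers what the type cannot enforce.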
@@ -252,6 +252,112 @@ } }, "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." 
+ } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true } }, "parameters": { 
@@ -424,67 +530,10 @@
 "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
+ "diagnosticSettings": {
+ "$ref": "#/definitions/diagnosticSettingType",
 "metadata": {
- "description": "Optional. Resource ID of the diagnostic storage account."
- }
- },
- "diagnosticWorkspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of log analytics workspace."
- }
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "diagnosticEventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
- }
- },
- "diagnosticLogCategoriesToEnable": {
- "type": "array",
- "defaultValue": "[if(equals(parameters('kind'), 'functionapp'), createArray('FunctionAppLogs'), createArray('AppServiceHTTPLogs', 'AppServiceConsoleLogs', 'AppServiceAppLogs', 'AppServiceAuditLogs', 'AppServiceIPSecAuditLogs', 'AppServicePlatformLogs'))]",
- "allowedValues": [
- "AppServiceHTTPLogs",
- "AppServiceConsoleLogs",
- "AppServiceAppLogs",
- "AppServiceAuditLogs",
- "AppServiceIPSecAuditLogs",
- "AppServicePlatformLogs",
- "FunctionAppLogs"
- ],
- "metadata": {
- "description": "Optional. The name of logs that will be streamed."
- }
- },
- "diagnosticMetricsToEnable": {
- "type": "array",
- "defaultValue": [
- "AllMetrics"
- ],
- "allowedValues": [
- "AllMetrics"
- ],
- "metadata": {
- "description": "Optional. The name of metrics that will be streamed."
- }
- },
- "diagnosticSettingsName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"."
+ "description": "Optional. The diagnostic settings of the service."
 }
 },
 "clientCertEnabled": {
@@ -618,25 +667,6 @@
 }
 },
 "variables": {
- "copy": [
- {
- "name": "diagnosticsLogs",
- "count": "[length(parameters('diagnosticLogCategoriesToEnable'))]",
- "input": {
- "category": "[parameters('diagnosticLogCategoriesToEnable')[copyIndex('diagnosticsLogs')]]",
- "enabled": true
- }
- },
- {
- "name": "diagnosticsMetrics",
- "count": "[length(parameters('diagnosticMetricsToEnable'))]",
- "input": {
- "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]",
- "timeGrain": null,
- "enabled": true
- }
- }
- ],
 "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
 "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false,
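Review bot: The removed `diagnosticLogCategoriesToEnable` parameter carried an `allowedValues` list of the log categories this resource accepts and a `kind`-aware default (`FunctionAppLogs` for function apps); the replacement `diagnosticSettings` parameter takes any free-form `category` string, so a misspelled category is now caught only at deployment time, and its description `Optional. The diagnostic settings of the service.` gives no hint which categories are valid. The shared `diagnosticSettingType` cannot carry resource-specific `allowedValues`, so the parameter description is the natural place for that list, e.g. `Optional. The diagnostic settings of the slot. Supported log categories: AppServiceHTTPLogs, AppServiceConsoleLogs, AppServiceAppLogs, AppServiceAuditLogs, AppServiceIPSecAuditLogs, AppServicePlatformLogs (web apps) and FunctionAppLogs (function apps).` The `parameters` object continues outside the hunk, and the second hunk at this anchor (dropping the `copy` variables) is a pure deletion that follows from this change.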
@@ -724,18 +754,23 @@
 ]
 },
 "slot_diagnosticSettings": {
- "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
+ "copy": {
+ "name": "slot_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]",
- "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
 "properties": {
- "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]",
- "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]",
- "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]",
- "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]",
- "metrics": "[variables('diagnosticsMetrics')]",
- "logs": "[variables('diagnosticsLogs')]"
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]",
+ "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
 },
 "dependsOn": [
 "slot"
From adde08793d795bb59a2d01136dea02c22c61730d Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Sat, 28 Oct 2023 09:12:21 +0000
Subject: [PATCH 060/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 120 ++++++++++-----------
 1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index 1c0ceb6a24..0b3fa0a934 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -13,10 +13,10 @@ This section provides an overview of the library's feature set.
 | # | Module | Status | RBAC | Locks | Tags | Diag | PE | PIP | # children | # lines |
 | - | - | - | - | - | - | - | - | - | - | - |
-| 1 | aad
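Review bot: The fallback `name` in the new `slot_diagnosticSettings` copy loop, `format('{0}-diagnosticSettings', parameters('name'))`, is identical for every iteration, so two `diagnosticSettings` entries that omit `name` declare two resources with the same type, name and scope and the deployment fails instead of creating both; adding the index, e.g. `format('{0}-diagnosticSettings-{1}', parameters('name'), copyIndex())`, or stating in the type's `name` description that it must be unique per entry, avoids that. The user-supplied `metricCategories` and `logCategoriesAndGroups` arrays are also passed straight through to `metrics` and `logs`, so an item such as `{ "category": "AllMetrics" }` reaches the service without the `enabled: true` (and `timeGrain`) that the built-in defaults and the removed `diagnosticsMetrics` variable carried; the API presumably expects `enabled` on each entry, so mapping each item to `{category, enabled: true}` as before would be safer. Since this main.json looks like compiled Bicep output, both fixes presumably belong in the .bicep it was generated from.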

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | :white_check_mark: | | | | 254 | -| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | :white_check_mark: | | | | 169 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:11, L2:3] | 449 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 304 | +| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | | | | | 251 | +| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | | | | | 170 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | | | | [L1:11, L2:3] | 451 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | | | | [L1:1] | 305 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 205 | | 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | | 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | @@ -26,12 +26,12 @@ This section provides an overview of the library's feature set. | 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6] | 437 | -| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 309 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | :white_check_mark: | | | | 310 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 267 | +| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 437 | +| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 311 | +| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 312 | +| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | | | | [L1:1] | 268 | | 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 374 | +| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 375 | | 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | | 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | | 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | @@ -39,117 +39,117 @@ This section provides an overview of the library's feature set. | 24 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | | 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | | 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | -| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 680 | -| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 598 | +| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 663 | +| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 607 | | 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | | 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 429 | -| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 668 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2, L2:1] | 324 | +| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 430 | +| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 664 | +| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 318 | | 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | | 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 382 | -| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 369 | -| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4] | 367 | -| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 190 | -| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | :white_check_mark: | | | | 283 | -| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | :white_check_mark: | | | | 195 | -| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 161 | +| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | | | | | 376 | +| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 370 | +| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 364 | +| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | | | | [L1:1] | 191 | +| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | | | | | 281 | +| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | | | | | 200 | +| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | | | | | 161 | | 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 295 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3, L2:3] | 406 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 247 | -| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 191 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 251 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4, L2:2] | 403 | +| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | | | | [L1:3] | 292 | +| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 400 | +| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | | | | [L1:1] | 248 | +| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 193 | +| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | | | | [L1:1] | 252 | +| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 397 | | 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | -| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 212 | +| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 198 | | 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | | 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | -| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | :white_check_mark: | | | | 192 | +| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | | 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | :white_check_mark: | | | | | 120 | | 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | -| 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | :white_check_mark: | | | | 75 | +| 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | | 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | | 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | | | [L1:1] | 172 | | 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | | 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 346 | +| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | | | | [L1:3] | 347 | | 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | :white_check_mark: | | | | 225 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 354 | +| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 227 | +| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 352 | | 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | | 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | | 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | | 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | | 416 | +| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 416 | | 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | | 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | -| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 358 | -| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | :white_check_mark: | | :white_check_mark: | | 274 | +| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | | | :white_check_mark: | | 335 | +| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | | | :white_check_mark: | | 268 | | 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | | 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | :white_check_mark: | | | | | 95 | | 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | :white_check_mark: | | | | [L1:2] | 126 | | 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | :white_check_mark: | | | | | 137 | | 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | -| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | :white_check_mark: | | | | 226 | +| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | | | | | 228 | | 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | | 84 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | -| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | :white_check_mark: | | | | 178 | +| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | | | | | 181 | | 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | | 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | -| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 263 | +| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | | | | [L1:2] | 272 | | 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | :white_check_mark: | | | | | 120 | -| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | | 185 | -| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | +| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | | | | | 181 | +| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | | | | | 198 | | 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 165 | -| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 186 | +| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | | | | [L1:1] | 188 | | 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | :white_check_mark: | | | | [L1:2] | 129 | | 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | :white_check_mark: | | | | [L1:9] | 226 | | 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | | 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | :white_check_mark: | | | | | 121 | -| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | :white_check_mark: | | | | 214 | +| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | | | | | 214 | | 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | :white_check_mark: | | | | | 109 | | 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | :white_check_mark: | | | | | 102 | | 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | :white_check_mark: | | | | | 105 | -| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | :white_check_mark: | | | | 193 | +| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | | | | | 195 | | 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | -| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 276 | -| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 423 | +| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | | | | [L1:2] | 276 | +| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | | | | [L1:1] | 403 | | 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | | 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | | 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | -| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:7] | 343 | +| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 344 | | 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | | 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | -| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | :white_check_mark: | | | | 311 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:7, L2:2, L3:2] | 362 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:4, L2:2] | 330 | +| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 311 | +| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 351 | +| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 330 | | 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | | 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | | 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | | 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:1] | 303 | +| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 313 | | 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:2] | 439 | +| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 441 | | 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | | 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | | 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | -| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:3] | 371 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 382 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:6, L2:4, L3:1] | 511 | +| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 369 | +| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 376 | +| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 500 | | 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:3] | 359 | +| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | | | | [L1:3] | 355 | | 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | | 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | -| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:2] | 255 | -| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | :white_check_mark: | | | | 189 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | :white_check_mark: | | | [L1:5, L2:4, L3:1] | 457 |
+| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 258 |
+| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 |
+| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 441 |
 | 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 |
-| Sum | | | 0 | 0 | 118 | 57 | 0 | 2 | 240 | 29284 |
+| Sum | | | 0 | 0 | 118 | 0 | 0 | 2 | 240 | 29199 |
 ## Legend
From ce3885f30e16caa8358a8f106e68b11879b2fb83 Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Sun, 29 Oct 2023 12:06:31 +0000
Subject: [PATCH 061/178] Push updated API Specs file
---
 utilities/src/apiSpecsList.json | 545 +++++++++++++++++++++++---------
 1 file changed, 401 insertions(+), 144 deletions(-)
diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json
index 3f72b6e1c0..c2f6a20e57 100644
--- a/utilities/src/apiSpecsList.json
+++ b/utilities/src/apiSpecsList.json
@@ -319,7 +319,8 @@ "2020-01-01", "2020-07-01-preview", "2022-10-01", - "2023-01-01-alpha" + "2023-01-01-alpha", + "2023-09-01-preview" ], "recommendations": [ "2016-05-09-preview",
@@ -438,6 +439,9 @@ "2019-03-01-preview", "2019-05-05-preview" ], + "investigations": [ + "2023-06-01-preview" + ], "migrateFromSmartDetection": [ "2021-01-01-preview" ],
@@ -526,7 +530,8 @@ }, "Microsoft.ApiCenter": { "operations": [ - "2023-07-01-preview" + "2023-07-01-preview", + "2024-03-01" ], "services": [ "2023-07-01-preview",
@@ -2124,6 +2129,9 @@ "reports/evidences": [ "2023-02-15-preview" ], + "reports/scopingConfigurations": [ + "2023-02-15-preview" + ], "reports/snapshots": [ "2022-05-10-beta", "2022-05-10-privatepreview",
@@ -2374,7 +2382,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apiPortals": [ "2022-01-01-preview",
@@ -2387,7 +2396,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apiPortals/domains": [ "2022-01-01-preview", @@ -2400,12 +2410,14 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apms": [ "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/applicationAccelerators": [ "2022-11-01-preview", @@ -2413,7 +2425,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/applicationAccelerators/customizedAccelerators": [ "2022-11-01-preview", @@ -2421,7 +2434,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/applicationLiveViews": [ "2022-11-01-preview", @@ -2429,7 +2443,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apps": [ "2020-07-01", @@ -2447,7 +2462,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apps/bindings": [ "2020-07-01", @@ -2465,7 +2481,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apps/deployments": [ "2020-07-01", @@ -2483,7 +2500,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/apps/domains": [ "2020-07-01", 
@@ -2501,13 +2519,15 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/buildServices": [ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/buildServices/agentPools": [ "2022-01-01-preview", @@ -2521,7 +2541,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/buildServices/builders": [ "2022-01-01-preview", @@ -2535,7 +2556,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/buildServices/builders/buildpackBindings": [ "2022-01-01-preview", @@ -2549,7 +2571,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/buildServices/builds": [ "2022-01-01-preview", @@ -2563,7 +2586,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/certificates": [ "2020-07-01", @@ -2581,7 +2605,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/configServers": [ "2020-07-01", @@ -2599,7 +2624,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/configurationServices": [ "2022-01-01-preview", 
@@ -2613,13 +2639,15 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/containerRegistries": [ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/DevToolPortals": [ "2022-11-01-preview", @@ -2627,12 +2655,14 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/eurekaServers": [ "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/gateways": [ "2022-01-01-preview", @@ -2645,7 +2675,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/gateways/domains": [ "2022-01-01-preview", @@ -2658,7 +2689,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/gateways/routeConfigs": [ "2022-01-01-preview", @@ -2671,7 +2703,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/monitoringSettings": [ "2020-07-01", @@ -2689,7 +2722,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/serviceRegistries": [ "2022-01-01-preview", @@ -2703,7 +2737,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring/storages": [ "2021-09-01-preview", @@ -2717,7 +2752,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ] }, "Microsoft.ArcNetworking": { 
@@ -4059,7 +4095,7 @@ "2023-08-01-preview", "2023-09-01-preview" ], - "locations/operationstatuses": [ + "locations/operationStatuses": [ "2020-10-01", "2021-01-01-preview", "2021-07-01-preview", @@ -6995,7 +7031,8 @@ "2023-04-01-preview", "2023-04-15-preview", "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "locations": [ "2021-09-15-preview", @@ -7035,6 +7072,9 @@ "2023-09-01-preview", "2023-10-27-preview" ], + "privateAccesses": [ + "2023-10-27-preview" + ], "targets": [ "2021-09-15-preview", "2022-07-01-preview", @@ -7042,7 +7082,8 @@ "2023-04-01-preview", "2023-04-15-preview", "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "targets/capabilities": [ "2021-09-15-preview", @@ -7050,7 +7091,9 @@ "2022-10-01-preview", "2023-04-01-preview", "2023-04-15-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-27-preview", + "2023-11-01" ] }, "Microsoft.ClassicCompute": { @@ -7781,6 +7824,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview", "2023-06-01-preview" ], @@ -7794,6 +7838,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview", "2023-06-01-preview" ], @@ -7803,12 +7848,14 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview", "2023-06-01-preview" ], "emailServices/domains/senderUsernames": [ "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview", "2023-06-01-preview" ], @@ -10803,6 +10850,10 @@ "2023-09-01", "2023-09-02-preview" ], + "locations/usages": [ + "2023-10-01", + "2023-10-02-preview" + ], "managedClusters": [ "2017-08-31", "2018-03-31", @@ -10930,7 +10981,8 @@ "2023-07-02-preview", "2023-08-01", "2023-08-02-preview", - "2023-09-01" + "2023-09-01", + "2023-09-02-preview" ], "ManagedClusters/eventGridFilters": [ "2021-02-01", 
@@ -11025,7 +11077,8 @@ "2023-07-02-preview", "2023-08-01", "2023-08-02-preview", - "2023-09-01" + "2023-09-01", + "2023-09-02-preview" ], "managedClusters/privateEndpointConnections": [ "2020-06-01", @@ -11077,7 +11130,8 @@ "2023-07-02-preview", "2023-08-01", "2023-08-02-preview", - "2023-09-01" + "2023-09-01", + "2023-09-02-preview" ], "managedClusters/trustedAccessRoleBindings": [ "2022-04-02-preview", @@ -11097,7 +11151,8 @@ "2023-06-02-preview", "2023-07-02-preview", "2023-08-02-preview", - "2023-09-01" + "2023-09-01", + "2023-09-02-preview" ], "managedclustersnapshots": [ "2022-02-02-preview", @@ -13500,18 +13555,21 @@ "flexibleServers/administrators": [ "2021-12-01-preview", "2022-01-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-06-30" ], "flexibleServers/backups": [ "2021-12-01-preview", "2022-01-01", "2022-09-30-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-06-30" ], "flexibleServers/configurations": [ "2021-12-01-preview", "2022-01-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-06-30" ], "flexibleServers/databases": [ "2020-07-01-preview", @@ -13520,7 +13578,8 @@ "2021-05-01-preview", "2021-12-01-preview", "2022-01-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-06-30" ], "flexibleServers/firewallRules": [ "2020-07-01-preview", @@ -13529,7 +13588,8 @@ "2021-05-01-preview", "2021-12-01-preview", "2022-01-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-06-30" ], "flexibleServers/keys": [ "2020-07-01-preview", @@ -14185,7 +14245,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "applicationGroups": [ "2019-01-23-preview", @@ -14213,7 +14274,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "applicationGroups/applications": [ "2019-01-23-preview", 
@@ -14241,7 +14303,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "applicationgroups/desktops": [ "2019-01-23-preview", @@ -14269,7 +14332,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "applicationgroups/startmenuitems": [ "2019-01-23-preview", @@ -14297,7 +14361,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostPools": [ "2019-01-23-preview", @@ -14325,7 +14390,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostPools/msixPackages": [ "2019-01-23-preview", @@ -14353,7 +14419,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostPools/privateEndpointConnections": [ "2021-04-01-preview", @@ -14390,7 +14457,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostpools/sessionhosts/usersessions": [ "2019-01-23-preview", @@ -14418,7 +14486,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostpools/usersessions": [ "2019-01-23-preview", @@ -14446,7 +14515,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "operations": [ "2019-01-23-preview", @@ -14484,7 +14554,8 @@ "2023-05-15-privatepreview", "2023-05-18-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "scalingPlans": [ "2019-01-23-preview", 
@@ -14512,7 +14583,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "scalingPlans/personalSchedules": [ "2023-07-07-preview", @@ -14551,7 +14623,8 @@ "2022-12-09-privatepreview", "2023-03-21-privatepreview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "workspaces/privateEndpointConnections": [ "2021-04-01-preview", @@ -14909,6 +14982,14 @@ "2023-08-01" ] }, + "Microsoft.DeviceRegistry": { + "assetEndpointProfiles": [ + "2023-11-01-preview" + ], + "assets": [ + "2023-11-01-preview" + ] + }, "Microsoft.Devices": { "checkNameAvailability": [ "2015-08-15-preview", @@ -15661,7 +15742,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "cassandraClusters/dataCenters": [ "2021-03-01-preview", @@ -15721,7 +15804,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts": [ "2014-04-01", @@ -15760,7 +15845,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/apis/databases": [ "2014-04-01", @@ -16043,7 +16130,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/graphs": [ "2021-07-01-preview", @@ -16813,13 +16902,16 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "locations/checkMongoClusterNameAvailability": [ "2022-10-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "locations/deleteVirtualNetworkOrSubnets": [ "2014-04-01", 
@@ -16858,19 +16950,23 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "locations/mongoClusterAzureAsyncOperation": [ "2022-10-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "locations/mongoClusterOperationResults": [ "2022-10-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2022-08-15", @@ -16882,7 +16978,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "locations/operationResults": [ "2014-04-01", @@ -16921,7 +17019,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "locations/operationsStatus": [ "2014-04-01", @@ -16960,7 +17060,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "locations/restorableDatabaseAccounts": [ "2020-06-01-preview", @@ -16984,13 +17086,16 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "mongoClusters": [ "2022-10-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "mongoClusters/firewallRules": [ "2023-03-01-preview", @@ -17034,7 +17139,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "operations": [ "2014-04-01", 
@@ -17073,7 +17180,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "operationsStatus": [ "2014-04-01", @@ -17112,7 +17221,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ], "restorableDatabaseAccounts": [ "2020-06-01-preview", @@ -17136,7 +17247,9 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15", + "2023-11-15-preview" ] }, "Microsoft.DomainRegistration": { @@ -17297,6 +17410,11 @@ "2023-04-01-preview" ] }, + "Microsoft.EdgeManagement": { + "locations": [ + "2023-09-01-preview" + ] + }, "Microsoft.EdgeMarketPlace": { "operations": [ "2023-04-01-preview", @@ -19247,6 +19365,9 @@ ] }, "Microsoft.HybridContainerService": { + "kubernetesVersions": [ + "2023-11-15-preview" + ], "Locations": [ "2021-08-01-preview", "2021-09-01-preview", @@ -19274,6 +19395,15 @@ "2023-11-01", "2023-11-15-preview" ], + "provisionedClusterInstances": [ + "2023-11-15-preview" + ], + "provisionedClusterInstances/agentPools": [ + "2023-11-15-preview" + ], + "provisionedClusterInstances/hybridIdentityMetadata": [ + "2023-11-15-preview" + ], "provisionedClusters": [ "2021-08-01-preview", "2021-09-01-preview", @@ -19295,13 +19425,17 @@ "provisionedClusters/upgradeProfiles": [ "2022-09-01-preview" ], + "skus": [ + "2023-11-15-preview" + ], "storageSpaces": [ "2022-05-01-preview", "2022-09-01-preview" ], "virtualNetworks": [ "2022-05-01-preview", - "2022-09-01-preview" + "2022-09-01-preview", + "2023-11-15-preview" ] }, "Microsoft.HybridData": { @@ -19319,6 +19453,9 @@ ] }, "Microsoft.HybridNetwork": { + "configurationGroupValues": [ + "2023-09-01" + ], "devices": [ "2020-01-01-preview", "2021-05-01", 
@@ -19344,7 +19481,8 @@ "2021-06-01-privatepreview", "2022-01-01-preview", "2022-09-01-preview", - "2023-01-01" + "2023-01-01", + "2023-09-01" ], "networkFunctions/components": [ "2022-09-01-preview", @@ -19364,19 +19502,39 @@ "2023-04-01-preview" ], "publishers": [ - "2023-01-01" + "2023-01-01", + "2023-09-01" ], "publishers/artifactStores": [ - "2023-01-01" + "2023-01-01", + "2023-09-01" ], "publishers/artifactStores/artifactManifests": [ - "2023-01-01" + "2023-01-01", + "2023-09-01" + ], + "publishers/configurationGroupSchemas": [ + "2023-09-01" ], "publishers/networkFunctionDefinitionGroups": [ - "2023-01-01" + "2023-01-01", + "2023-09-01" ], "publishers/networkFunctionDefinitionGroups/networkFunctionDefinitionVersions": [ - "2023-01-01" + "2023-01-01", + "2023-09-01" + ], + "publishers/networkServiceDesignGroups": [ + "2023-09-01" + ], + "publishers/networkServiceDesignGroups/networkServiceDesignVersions": [ + "2023-09-01" + ], + "siteNetworkServices": [ + "2023-09-01" + ], + "sites": [ + "2023-09-01" ], "vendors": [ "2020-01-01-preview", @@ -19925,6 +20083,21 @@ ], "operations": [ "2023-11-14-preview" + ], + "spaces": [ + "2023-11-14-preview" + ], + "spaces/applications": [ + "2023-11-14-preview" + ], + "spaces/applications/businessProcesses": [ + "2023-11-14-preview" + ], + "spaces/applications/resources": [ + "2023-11-14-preview" + ], + "spaces/infrastructureResources": [ + "2023-11-14-preview" ] }, "Microsoft.Intune": { @@ -20406,7 +20579,8 @@ "2021-04-01-preview", "2021-10-01", "2022-05-01-preview", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-11-01-preview" ], "locations": [ "2020-01-01-preview", @@ -23452,7 +23626,8 @@ "2022-12-01-privatepreview", "2023-06-01", "2023-07-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "Locations/OperationStatuses": [ "2022-04-01-preview", 
@@ -23460,7 +23635,8 @@ "2022-12-01-privatepreview", "2023-06-01", "2023-07-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "mobileNetworks": [ "2022-03-01-preview", @@ -23510,7 +23686,8 @@ "2022-12-01-privatepreview", "2023-06-01", "2023-07-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "packetCoreControlPlanes": [ "2022-03-01-preview", @@ -23547,7 +23724,8 @@ "2022-12-01-privatepreview", "2023-06-01", "2023-07-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "simGroups": [ "2022-04-01-preview", @@ -23568,18 +23746,21 @@ "Microsoft.MobilePacketCore": { "Locations": [ "2023-04-15-preview", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-10-15" ], "Locations/OperationStatuses": [ "2023-04-15-preview", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-10-15" ], "networkFunctions": [ "2023-05-15-preview" ], "Operations": [ "2023-04-15-preview", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-10-15" ] }, "Microsoft.ModSimWorkbench": { @@ -23604,6 +23785,10 @@ "2023-04-01", "2023-04-03" ], + "locations/locationOperationStatuses": [ + "2021-06-03-preview", + "2023-04-03" + ], "locations/operationResults": [ "2021-06-03-preview", "2023-04-03" 
@@ -27861,19 +28046,29 @@ ], "networkSecurityPerimeters": [ "2021-02-01-preview", - "2021-03-01-preview" + "2021-03-01-preview", + "2023-07-01-preview", + "2023-08-01-preview" ], "networkSecurityPerimeters/links": [ - "2021-02-01-preview" + "2021-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview" ], "networkSecurityPerimeters/profiles": [ - "2021-02-01-preview" + "2021-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview" ], "networkSecurityPerimeters/profiles/accessRules": [ - "2021-02-01-preview" + "2021-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview" ], "networkSecurityPerimeters/resourceAssociations": [ - "2021-02-01-preview" + "2021-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview" ], "networkVirtualAppliances": [ "2019-12-01", @@ -32587,6 +32782,9 @@ "2021-10-31-preview", "2022-04-15-preview", "2022-10-27" + ], + "telemetryconfig": [ + "2022-10-27" ] }, "Microsoft.ResourceGraph": { @@ -33018,6 +33216,9 @@ "locations/deploymentStackOperationStatus": [ "2022-08-01-preview" ], + "mobobrokers": [ + "2023-06-01-preview" + ], "notifyResourceJobs": [ "2018-02-01", "2018-05-01", @@ -33538,17 +33739,20 @@ "locations": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "Locations/OperationStatuses": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "operations": [ "2020-06-05-preview", "2022-05-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-10-07" ], "virtualMachineInstances": [ "2023-04-01-preview", @@ -33609,7 +33813,8 @@ "2020-08-01-Preview", "2021-04-01-Preview", "2021-06-06-Preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ], "checkServiceNameAvailability": [ "2014-07-31-Preview", @@ -33624,6 +33829,9 @@ "locations/operationResults": [ "2021-06-06-Preview" ], + "locations/usages": [ + "2023-11-01" + ], "operations": [ "2015-02-28", "2015-08-19", 
@@ -33633,7 +33841,8 @@ "2020-08-01-Preview", "2021-04-01-Preview", "2021-06-06-Preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ], "resourceHealthMetadata": [ "2015-08-19", @@ -33643,7 +33852,8 @@ "2020-08-01-Preview", "2021-04-01-Preview", "2021-06-06-Preview", - "2022-09-01" + "2022-09-01", + "2023-11-01" ], "searchServices": [ "2014-07-31-Preview", @@ -33937,7 +34147,8 @@ "2021-12-01-preview", "2022-05-01-preview", "2022-08-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-10-01-preview" ], "securityConnectors/devops": [ "2023-09-01-preview" @@ -39033,7 +39244,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases": [ "2017-03-01-preview", @@ -39095,7 +39307,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/ledgerDigestUploads": [ "2022-08-01-preview", @@ -39117,7 +39330,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/securityAlertPolicies": [ "2017-03-01-preview", @@ -39133,7 +39347,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/transparentDataEncryption": [ "2020-02-02-preview", @@ -39148,7 +39363,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/databases/vulnerabilityAssessments": [ "2017-03-01-preview", @@ -39184,7 +39400,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/distributedAvailabilityGroups": [ "2021-05-01-preview", 
@@ -39195,7 +39412,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/dnsAliases": [ "2021-11-01", @@ -39212,7 +39430,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/encryptionProtector": [ "2017-10-01-preview", @@ -39228,7 +39447,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/keys": [ "2017-10-01-preview", @@ -39244,7 +39464,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/metricDefinitions": [ "2017-03-01-preview", @@ -39299,7 +39520,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/recoverableDatabases": [ "2017-10-01-preview", @@ -39334,7 +39556,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/securityAlertPolicies": [ "2017-03-01-preview", @@ -39350,12 +39573,14 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/serverConfigurationOptions": [ "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/serverTrustCertificates": [ "2021-05-01-preview", @@ -39366,7 +39591,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "managedInstances/sqlAgent": [ "2018-06-01", 
@@ -39607,7 +39833,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/communicationLinks": [ "2014-01-01", @@ -39867,7 +40094,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/extensions": [ "2014-01-01", @@ -39884,7 +40112,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/geoBackupPolicies": [ "2014-01-01", @@ -39936,7 +40165,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/metricDefinitions": [ "2014-01-01", @@ -39968,6 +40198,9 @@ "2023-02-01-preview", "2023-05-01-preview" ], + "servers/databases/replicationLinks": [ + "2023-05-01-preview" + ], "servers/databases/schemas/tables/columns/sensitivityLabels": [ "2017-03-01-preview", "2020-02-02-preview", @@ -39982,7 +40215,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/securityAlertPolicies": [ "2014-01-01", @@ -40018,14 +40252,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/sqlVulnerabilityAssessments/baselines/rules": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/syncGroups": [ "2015-05-01-preview", 
@@ -40151,7 +40387,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databases/VulnerabilityAssessmentScans": [ "2015-05-01-preview", @@ -40226,7 +40463,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/databaseSecurityPolicies": [ "2014-01-01", @@ -40434,7 +40672,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/import": [ "2014-01-01", @@ -40468,7 +40707,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/jobAccounts": [ "2015-05-01-preview" @@ -40507,7 +40747,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/jobAgents/jobs": [ "2017-03-01-preview", @@ -40586,7 +40827,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/keys": [ "2015-05-01-preview", @@ -40624,7 +40866,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/privateEndpointConnections": [ "2018-06-01-preview", @@ -40640,7 +40883,8 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/recommendedElasticPools": [ "2014-01-01", 
@@ -40726,14 +40970,16 @@ "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/sqlVulnerabilityAssessments/baselines/rules": [ "2022-02-01-preview", "2022-05-01-preview", "2022-08-01-preview", "2022-11-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-05-01-preview" ], "servers/syncAgents": [ "2015-05-01-preview", @@ -43079,7 +43325,8 @@ "2022-08-01", "2023-06-02-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-01-01" ], "locations": [ "2021-10-18-preview", @@ -43090,7 +43337,8 @@ "2022-08-01", "2023-06-02-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-01-01" ], "locations/classicaccounts": [ "2021-10-27-preview", @@ -43107,7 +43355,8 @@ "2022-07-20-preview", "2022-08-01", "2023-06-02-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2024-01-01" ], "locations/userclassicaccounts": [ "2021-10-27-preview", @@ -43125,7 +43374,8 @@ "2022-08-01", "2023-06-02-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-01-01" ] }, "Microsoft.VirtualMachineImages": { @@ -43246,26 +43496,30 @@ "2023-01-31", "2023-04-03", "2023-07-13-preview", - "2023-09-01" + "2023-09-01", + "2023-09-21" ], "locations/checkNameAvailability": [ "2023-01-31", "2023-04-03", "2023-07-13-preview", - "2023-09-01" + "2023-09-01", + "2023-09-21" ], "Operations": [ "2023-01-31", "2023-04-03", "2023-07-13-preview", - "2023-09-01" + "2023-09-01", + "2023-09-21" ], "registeredSubscriptions": [ "2022-12-01-preview", "2023-01-31", "2023-04-03", "2023-07-13-preview", - "2023-09-01" + "2023-09-01", + "2023-09-21" ] }, "Microsoft.VSOnline": { 
@@ -45668,17 +45922,20 @@ "locations": [ "2022-08-29", "2022-08-29-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "Locations/operationStatuses": [ "2022-08-29", "2022-08-29-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "operations": [ "2022-08-29", "2022-08-29-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "registeredSubscriptions": [ "2022-08-29", From f65a57aae1e8f9e348003036d0b7378566e852a7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Robin=20M=C3=BCller?= Date: Mon, 30 Oct 2023 13:06:56 +0100 Subject: [PATCH 062/178] [Module] Added Microsoft.App/jobs (#4156) * Module App Container Job * add pipelines * temp trigger for new module validation * fix file endings * trigger test * fixed parameter descriptions * update description in main.json * update readme * trigger validation * fix line ending * trigger validation * fix workload profile * add workload profile test * update readme * reduce test serviceShort * fix test * fix dependency * Prepare PR * Fix spelling of ID * Resolved review topics * added new managed identities method --- .azuredevops/modulePipelines/ms.app.jobs.yml | 50 ++ .github/workflows/ms.app.jobs.yml | 84 +++ .../app/job/.test/common/dependencies.bicep | 40 ++ modules/app/job/.test/common/main.test.bicep | 124 ++++ modules/app/job/.test/min/dependencies.bicep | 21 + modules/app/job/.test/min/main.test.bicep | 79 +++ modules/app/job/README.md | 615 ++++++++++++++++++ modules/app/job/main.bicep | 205 ++++++ modules/app/job/main.json | 400 ++++++++++++ modules/app/job/version.json | 7 + 10 files changed, 1625 insertions(+) create mode 100644 .azuredevops/modulePipelines/ms.app.jobs.yml create mode 100644 .github/workflows/ms.app.jobs.yml create mode 100644 modules/app/job/.test/common/dependencies.bicep create mode 100644 modules/app/job/.test/common/main.test.bicep create mode 100644 modules/app/job/.test/min/dependencies.bicep create mode 100644 modules/app/job/.test/min/main.test.bicep create mode 100644 modules/app/job/README.md create mode 100644 modules/app/job/main.bicep create mode 100644 modules/app/job/main.json create mode 100644 modules/app/job/version.json diff --git a/.azuredevops/modulePipelines/ms.app.jobs.yml b/.azuredevops/modulePipelines/ms.app.jobs.yml new file mode 100644 index 0000000000..beedc2bee1 --- /dev/null +++ b/.azuredevops/modulePipelines/ms.app.jobs.yml 
@@ -0,0 +1,50 @@ +name: 'App - Jobs' + +parameters: + - name: staticValidation + displayName: Execute static validation + type: boolean + default: true + - name: deploymentValidation + displayName: Execute deployment validation + type: boolean + default: true + - name: removeDeployment + displayName: Remove deployed module + type: boolean + default: true + - name: prerelease + displayName: Publish prerelease module + type: boolean + default: false + +pr: none + +trigger: + batch: true + branches: + include: + - main + paths: + include: + - '/.azuredevops/modulePipelines/ms.app.jobs.yml' + - '/.azuredevops/pipelineTemplates/*.yml' + - '/modules/app/job/*' + - '/utilities/pipelines/*' + exclude: + - '/utilities/pipelines/deploymentRemoval/*' + - '/**/*.md' + +variables: + - template: '../../settings.yml' + - group: 'PLATFORM_VARIABLES' + - name: modulePath + value: '/modules/app/job' + +stages: + - template: /.azuredevops/pipelineTemplates/stages.module.yml + parameters: + staticValidation: '${{ parameters.staticValidation }}' + deploymentValidation: '${{ parameters.deploymentValidation }}' + removeDeployment: '${{ parameters.removeDeployment }}' + prerelease: '${{ parameters.prerelease }}' diff --git a/.github/workflows/ms.app.jobs.yml b/.github/workflows/ms.app.jobs.yml new file mode 100644 index 0000000000..bde1eff318 --- /dev/null +++ b/.github/workflows/ms.app.jobs.yml 
@@ -0,0 +1,84 @@ +name: 'App - Jobs' + +on: + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: 'Execute static validation' + required: false + default: true + deploymentValidation: + type: boolean + description: 'Execute deployment validation' + required: false + default: true + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: true + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: false + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/template.module.yml' + - '.github/workflows/ms.app.jobs.yml' + - 'modules/app/job/**' + - 'utilities/pipelines/**' + - '!utilities/pipelines/deploymentRemoval/**' + - '!*/**/README.md' + +env: + modulePath: 'modules/app/job' + workflowPath: '.github/workflows/ms.app.jobs.yml' + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: 'Initialize pipeline' + steps: + - name: 'Checkout' + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: 'Set input parameters to output variables' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + - name: 'Get parameter file paths' + id: get-module-test-file-paths + uses: ./.github/actions/templates/getModuleTestFiles + with: + modulePath: '${{ env.modulePath }}' + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + modulePath: '${{ env.modulePath }}' + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + name: 'Module' + needs: + - job_initialize_pipeline + uses: ./.github/workflows/template.module.yml + 
with:
+ workflowInput: '${{ needs.job_initialize_pipeline.outputs.workflowInput }}'
+ moduleTestFilePaths: '${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}'
+ modulePath: '${{ needs.job_initialize_pipeline.outputs.modulePath}}'
+ secrets: inherit
diff --git a/modules/app/job/.test/common/dependencies.bicep b/modules/app/job/.test/common/dependencies.bicep
new file mode 100644
index 0000000000..b03d4aca93
--- /dev/null
+++ b/modules/app/job/.test/common/dependencies.bicep
@@ -0,0 +1,40 @@
+@description('Required. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Environment for Container Apps to create.')
+param managedEnvironmentName string
+
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the workload profile to create.')
+param workloadProfileName string
+
+resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
+ name: managedEnvironmentName
+ location: location
+ properties: {
+ workloadProfiles: [
+ {
+ name: workloadProfileName
+ workloadProfileType: 'D4'
+ maximumCount: 1
+ minimumCount: 1
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Managed Environment.')
+output managedEnvironmentResourceId string = managedEnvironment.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/app/job/.test/common/main.test.bicep b/modules/app/job/.test/common/main.test.bicep
new file mode 100644
index 0000000000..5d608f7db8
--- /dev/null
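Review bot: `uses: actions/checkout@v4` in job_initialize_pipeline references a mutable tag, so the code that runs is whatever the tag resolves to at run time; pinning it to a full commit SHA with the version kept as a trailing comment (`uses: actions/checkout@<commit-sha> # v4`) makes that dependency immutable and auditable. The reusable workflow `./.github/workflows/template.module.yml` and the two local composite actions are repository-local and therefore already versioned with the code, so they do not need the same treatment. `secrets: inherit` forwards every secret the caller can see to the template; that is presumably the convention of the other module workflows, but a one-line comment such as `# template.module.yml is trusted with the full secret set` would make the trust decision explicit. `runs-on: ubuntu-20.04` hardcodes a runner image per workflow — confirm it matches what the repository's other module workflows use.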
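Review bot: `@description('Required. The location to deploy resources to.')` labels `param location string = resourceGroup().location` as required although it has a default; the same mismatch is in modules/app/job/.test/min/dependencies.bicep, while both main.test.bicep files in this commit mark their defaulted `location` as `Optional.`. Change both to `@description('Optional. The location to deploy resources to.')` so the generated documentation and validation treat the parameter consistently. `Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview` pins a preview API version for a test dependency; a GA version of this resource type (for example 2023-01-31) would be preferable if the repository prefers non-preview versions — verify against the repository's API-version list before changing it.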
+++ b/modules/app/job/.test/common/main.test.bicep 
@@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ajcom' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + location: location + managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + workloadProfileName: serviceShort + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + enableDefaultTelemetry: enableDefaultTelemetry + environmentId: 
nestedDependencies.outputs.managedEnvironmentResourceId + workloadProfileName: serviceShort + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: guid(deployment().name) + } + ] + } + triggerType: 'Manual' + manualTriggerConfig: { + replicaCompletionCount: 1 + parallelism: 1 + } + containers: [ + { + name: 'simple-hello-world-container' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 + cpu: json('0.25') + memory: '0.5Gi' + } + probes: [ + { + type: 'Liveness' + httpGet: { + path: '/health' + port: 8080 + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + } + initialDelaySeconds: 3 + periodSeconds: 3 + } + ] + } + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityResourceId + roleDefinitionIdOrName: 'ContainerApp Reader' + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/app/job/.test/min/dependencies.bicep b/modules/app/job/.test/min/dependencies.bicep new file mode 100644 index 0000000000..bb2af3d0f8 --- /dev/null +++ b/modules/app/job/.test/min/dependencies.bicep 
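Review bot: The role assignment in testDeployment passes `principalId: nestedDependencies.outputs.managedIdentityResourceId`, which is the identity's ARM resource ID, whereas `Microsoft.Authorization/roleAssignments` expects the principal's object ID; as written the deployment is expected to fail validation rather than exercise the module's role-assignment path. dependencies.bicep in this commit already exposes the right value as `managedIdentityPrincipalId`, so the line should read `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`. `principalType: 'ServicePrincipal'` is the correct type for a user-assigned identity and can stay.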
@@ -0,0 +1,21 @@
+@description('Required. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Environment to create.')
+param managedEnvironmentName string
+
+resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
+ name: managedEnvironmentName
+ location: location
+ properties: {
+ workloadProfiles: [
+ {
+ workloadProfileType: 'Consumption'
+ name: 'Consumption'
+ }
+ ]
+ }
+}
+
+@description('The resource ID of the created Managed Environment.')
+output managedEnvironmentResourceId string = managedEnvironment.id
diff --git a/modules/app/job/.test/min/main.test.bicep b/modules/app/job/.test/min/main.test.bicep
new file mode 100644
index 0000000000..bb2af3d0f8
--- /dev/null
+++ b/modules/app/job/.test/min/main.test.bicep
@@ -0,0 +1,79 @@ +targetScope = 'subscription' + +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ajmin' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + location: location + managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + enableDefaultTelemetry: enableDefaultTelemetry + environmentId: nestedDependencies.outputs.managedEnvironmentResourceId + location: location + triggerType: 'Manual' + 
manualTriggerConfig: { + replicaCompletionCount: 1 + parallelism: 1 + } + containers: [ + { + name: 'simple-hello-world-container' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 + cpu: json('0.25') + memory: '0.5Gi' + } + } + ] + } +} diff --git a/modules/app/job/README.md b/modules/app/job/README.md new file mode 100644 index 0000000000..5d12efcabe --- /dev/null +++ b/modules/app/job/README.md 
@@ -0,0 +1,615 @@ +# Container App Jobs `[Microsoft.App/jobs]` + +This module deploys a Container App Job. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.App/jobs` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/jobs) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.job:1.0.0`. + +- [Using large parameter set](#example-1-using-large-parameter-set) +- [Using only defaults](#example-2-using-only-defaults) + +### Example 1: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajcom' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajcom001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'ContainerApp Reader' + } + ] + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + workloadProfileName: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajcom001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "ContainerApp Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + }, + "workloadProfileName": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajmin' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajmin001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajmin001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | +| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | +| [`name`](#parameter-name) | string | Name of the Container App. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventTriggerConfig`](#parameter-eventtriggerconfig) | object | Required if TriggerType is Event. Configuration of an event driven job. | +| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | +| [`manualTriggerConfig`](#parameter-manualtriggerconfig) | object | Required if TriggerType is Manual. Configuration of a manual job. | +| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | +| [`replicaRetryLimit`](#parameter-replicaretrylimit) | int | The maximum number of times a replica can be retried. | +| [`replicaTimeout`](#parameter-replicatimeout) | int | Maximum number of seconds a replica is allowed to run. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
| +| [`scheduleTriggerConfig`](#parameter-scheduletriggerconfig) | object | Required if TriggerType is Schedule. Configuration of a schedule based job. | +| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`triggerType`](#parameter-triggertype) | string | Trigger type of the job. | +| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | +| [`workloadProfileName`](#parameter-workloadprofilename) | string | The name of the workload profile to use. | + +### Parameter: `containers` + +List of container definitions for the Container App. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `environmentId` + +Resource ID of environment. +- Required: Yes +- Type: string + +### Parameter: `eventTriggerConfig` + +Required if TriggerType is Event. Configuration of an event driven job. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `initContainersTemplate` + +List of specialized containers that run before app containers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. 
+ +- Required: No +- Type: string + +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. + +- Required: No +- Type: array + +### Parameter: `manualTriggerConfig` + +Required if TriggerType is Manual. Configuration of a manual job. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `name` + +Name of the Container App. +- Required: Yes +- Type: string + +### Parameter: `registries` + +Collection of private container registry credentials for containers used by the Container app. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `replicaRetryLimit` + +The maximum number of times a replica can be retried. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `replicaTimeout` + +Maximum number of seconds a replica is allowed to run. +- Required: No +- Type: int +- Default: `1800` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
+- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource ID of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource ID of the delegated managed identity resource. 
+ +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `scheduleTriggerConfig` + +Required if TriggerType is Schedule. Configuration of a schedule based job. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `secrets` + +The secrets of the Container App. +- Required: No +- Type: secureObject +- Default: `{object}` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{object}` + +### Parameter: `triggerType` + +Trigger type of the job. +- Required: Yes +- Type: string +- Allowed: `[Event, Manual, Schedule]` + +### Parameter: `volumes` + +List of volume definitions for the Container App. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `workloadProfileName` + +The name of the workload profile to use. +- Required: No +- Type: string +- Default: `'Consumption'` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Container App Job. | +| `resourceGroupName` | string | The name of the resource group the Container App Job was deployed into. | +| `resourceId` | string | The resource ID of the Container App Job. 
| +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +_None_ diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep new file mode 100644 index 0000000000..75b067268c --- /dev/null +++ b/modules/app/job/main.bicep 
@@ -0,0 +1,205 @@
+metadata name = 'Container App Jobs'
+metadata description = 'This module deploys a Container App Job.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. Name of the Container App.')
+param name string
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Required. Resource ID of environment.')
+param environmentId string
+
+@description('Optional. The lock settings of the service.')
+param lock lockType
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Collection of private container registry credentials for containers used by the Container app.')
+param registries array = []
+
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute.')
+param roleAssignments roleAssignmentType
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Required. List of container definitions for the Container App.')
+param containers array
+
+@description('Optional. List of specialized containers that run before app containers.')
+param initContainersTemplate array = []
+
+@description('Optional. Required if TriggerType is Event. Configuration of an event driven job.')
+param eventTriggerConfig object = {}
+
+@description('Optional. Required if TriggerType is Schedule. Configuration of a schedule based job.')
+param scheduleTriggerConfig object = {}
+
+@description('Optional. Required if TriggerType is Manual. Configuration of a manual job.')
+param manualTriggerConfig object = {}
+
+@description('Optional. The maximum number of times a replica can be retried.')
+param replicaRetryLimit int = 0
+
+@description('Optional. The name of the workload profile to use.')
+param workloadProfileName string = 'Consumption'
+
+@description('Optional. The secrets of the Container App.')
+@secure()
+param secrets object = {}
+
+@description('Optional. List of volume definitions for the Container App.')
+param volumes array = []
+
+@description('Optional. Maximum number of seconds a replica is allowed to run.')
+param replicaTimeout int = 1800
+
+@allowed([
+ 'Event'
+ 'Manual'
+ 'Schedule'
+])
+@description('Optional. Trigger type of the job.')
+param triggerType string
+
+var secretList = !empty(secrets) ? secrets.secureList : []
+
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+} : null
+
+var builtInRoleNames = {
+ 'ContainerApp Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource containerAppJob 'Microsoft.App/jobs@2023-05-01' = {
+ name: name
+ tags: tags
+ location: location
+ identity: identity
+ properties: {
+ environmentId: environmentId
+ configuration: {
+ eventTriggerConfig: triggerType == 'Event' ? eventTriggerConfig : null
+ manualTriggerConfig: triggerType == 'Manual' ? manualTriggerConfig : null
+ scheduleTriggerConfig: triggerType == 'Schedule' ? scheduleTriggerConfig : null
+ replicaRetryLimit: replicaRetryLimit
+ replicaTimeout: replicaTimeout
+ registries: !empty(registries) ? registries : null
+ secrets: secretList
+ triggerType: triggerType
+ }
+ template: {
+ containers: containers
+ initContainers: !empty(initContainersTemplate) ? initContainersTemplate : null
+ volumes: !empty(volumes) ? volumes : null
+ }
+ workloadProfileName: workloadProfileName
+ }
+}
+
+resource containerAppJob_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
+ properties: {
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
+ }
+ scope: containerAppJob
+}
+
+resource containerAppJob_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(containerAppJob.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+ }
+ scope: containerAppJob
+}]
+
+@description('The resource ID of the Container App Job.')
+output resourceId string = containerAppJob.id
+
+@description('The name of the resource group the Container App Job was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the Container App Job.')
+output name string = containerAppJob.name
+
+@description('The location the resource was deployed into.')
+output location string = containerAppJob.location
+
+@description('The principal ID of the system assigned identity.')
+output systemAssignedPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerAppJob.identity, 'principalId') ? containerAppJob.identity.principalId : ''
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource ID of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
+
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
+ userAssignedResourcesIds: string[]?
+}?
diff --git a/modules/app/job/main.json b/modules/app/job/main.json
new file mode 100644
index 0000000000..fa8d8beed1
--- /dev/null
+++ b/modules/app/job/main.json
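Review bot: `triggerType` is declared with no default and is therefore required, but its decorator reads `@description('Optional. Trigger type of the job.')`; the README in this same commit already reports it as `Required: Yes`, so the prefix should be `@description('Required. Trigger type of the job.')` to keep the generated docs and the compiled `main.json` metadata consistent. The `registries` parameter is described as "private container registry credentials" yet is a plain `array` rather than `@secure()`; if a caller supplies a literal password there instead of a reference to an entry in `secrets`, it is retained in the deployment's recorded inputs, so the description should state that only secret references are expected (the hunk does not show what shape the entries take, so I cannot tell whether the module enforces this). The inline comment on `conditionVersion` misspells the word: `// Must only be set if condition is set`.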
@@ -0,0 +1,400 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "3431886018605625039" + }, + "name": "Container App Jobs", + "description": "This module deploys a Container App Job.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource ID of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Container App." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "environmentId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of environment." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "registries": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Collection of private container registry credentials for containers used by the Container app." 
+ } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "metadata": { + "description": "Optional. The managed identity definition for this resource." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "containers": { + "type": "array", + "metadata": { + "description": "Required. List of container definitions for the Container App." + } + }, + "initContainersTemplate": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of specialized containers that run before app containers." + } + }, + "eventTriggerConfig": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Required if TriggerType is Event. Configuration of an event driven job." + } + }, + "scheduleTriggerConfig": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Required if TriggerType is Schedule. Configuration of a schedule based job." + } + }, + "manualTriggerConfig": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Required if TriggerType is Manual. Configuration of a manual job." + } + }, + "replicaRetryLimit": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. The maximum number of times a replica can be retried." + } + }, + "workloadProfileName": { + "type": "string", + "defaultValue": "Consumption", + "metadata": { + "description": "Optional. The name of the workload profile to use." 
+ } + }, + "secrets": { + "type": "secureObject", + "defaultValue": {}, + "metadata": { + "description": "Optional. The secrets of the Container App." + } + }, + "volumes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of volume definitions for the Container App." + } + }, + "replicaTimeout": { + "type": "int", + "defaultValue": 1800, + "metadata": { + "description": "Optional. Maximum number of seconds a replica is allowed to run." + } + }, + "triggerType": { + "type": "string", + "allowedValues": [ + "Event", + "Manual", + "Schedule" + ], + "metadata": { + "description": "Optional. Trigger type of the job." + } + } + }, + "variables": { + "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + "containerAppJob": { + "type": "Microsoft.App/jobs", + "apiVersion": "2023-05-01", + "name": "[parameters('name')]", + "tags": "[parameters('tags')]", + "location": "[parameters('location')]", + "identity": "[variables('identity')]", + "properties": { + "environmentId": "[parameters('environmentId')]", + "configuration": { + "eventTriggerConfig": "[if(equals(parameters('triggerType'), 'Event'), parameters('eventTriggerConfig'), null())]", + "manualTriggerConfig": "[if(equals(parameters('triggerType'), 'Manual'), parameters('manualTriggerConfig'), null())]", + "scheduleTriggerConfig": "[if(equals(parameters('triggerType'), 'Schedule'), parameters('scheduleTriggerConfig'), null())]", + "replicaRetryLimit": "[parameters('replicaRetryLimit')]", + "replicaTimeout": "[parameters('replicaTimeout')]", + "registries": "[if(not(empty(parameters('registries'))), 
parameters('registries'), null())]", + "secrets": "[variables('secretList')]", + "triggerType": "[parameters('triggerType')]" + }, + "template": { + "containers": "[parameters('containers')]", + "initContainers": "[if(not(empty(parameters('initContainersTemplate'))), parameters('initContainersTemplate'), null())]", + "volumes": "[if(not(empty(parameters('volumes'))), parameters('volumes'), null())]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]" + } + }, + "containerAppJob_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "containerAppJob" + ] + }, + "containerAppJob_roleAssignments": { + "copy": { + "name": "containerAppJob_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.App/jobs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), 
variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "containerAppJob" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Container App Job." + }, + "value": "[resourceId('Microsoft.App/jobs', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the Container App Job was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the Container App Job." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ },
+ "value": "[reference('containerAppJob', '2023-05-01', 'full').location]"
+ },
+ "systemAssignedPrincipalId": {
+ "type": "string",
+ "metadata": {
+ "description": "The principal ID of the system assigned identity."
+ },
+ "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containerAppJob', '2023-05-01', 'full').identity, 'principalId')), reference('containerAppJob', '2023-05-01', 'full').identity.principalId, '')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/app/job/version.json b/modules/app/job/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/modules/app/job/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
From 9b099b8a497d0a4fd6acb7552a861c600f685802 Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Mon, 30 Oct 2023 12:07:45 +0000
Subject: [PATCH 063/178] Push updated Readme file(s)
---
 README.md | 1 +
 docs/wiki/The library - Module overview.md | 265 +++++++++++----------
 2 files changed, 134 insertions(+), 132 deletions(-)
diff --git a/README.md b/README.md
index b23a99af1d..2508382277
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub
 | `Microsoft.AnalysisServices` | [servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | [Analysis Services Servers](https://github.com/Azure/ResourceModules/tree/main/modules/analysis-services/server) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.ApiManagement` | [service](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | [API Management Services](https://github.com/Azure/ResourceModules/tree/main/modules/api-management/service) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.App` | [containerApps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | [Container Apps](https://github.com/Azure/ResourceModules/tree/main/modules/app/container-app) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
+| | [jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | [Container App Jobs](https://github.com/Azure/ResourceModules/tree/main/modules/app/job) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | | [managedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [App ManagedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.AppConfiguration` | [configurationStores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [App Configuration Stores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | `Microsoft.Authorization` | [locks](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [Authorization Locks (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index 0b3fa0a934..a25d8ce89f
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -18,138 +18,139 @@ This section provides an overview of the library's feature set.
 | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | | | | [L1:11, L2:3] | 451 | | 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | | | | [L1:1] | 305 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 205 | -| 6 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | -| 7 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | -| 8 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | -| 9 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | -| 10 | authorization

policy-exemption | [![Authorization - PolicyExemptions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyExemptions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyexemptions.yml) | | | | | | | [L1:3] | 114 | -| 11 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | -| 12 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | -| 13 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 14 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 437 | -| 15 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 311 | -| 16 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 312 | -| 17 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | | | | [L1:1] | 268 | -| 18 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | -| 19 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 375 | -| 20 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | -| 21 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | -| 22 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | -| 23 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | :white_check_mark: | | | | [L1:2] | 155 | -| 24 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | -| 25 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | -| 26 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | -| 27 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 663 | -| 28 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 607 | -| 29 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 30 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | -| 31 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 430 | -| 32 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 664 | -| 33 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 318 | -| 34 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | -| 35 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | -| 36 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | | | | | 376 | -| 37 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 370 | -| 38 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 364 | -| 39 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | | | | [L1:1] | 191 | -| 40 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | | | | | 281 | -| 41 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | | | | | 200 | -| 42 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | | | | | 161 | -| 43 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | -| 44 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | | | | [L1:3] | 292 | -| 45 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 400 | -| 46 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | | | | [L1:1] | 248 | -| 47 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 193 | -| 48 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | | | | [L1:1] | 252 | -| 49 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 397 | -| 50 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | -| 51 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 198 | -| 52 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | -| 53 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | -| 54 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | -| 55 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | :white_check_mark: | | | | | 120 | -| 56 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | -| 57 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | -| 58 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | -| 59 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | | | [L1:1] | 172 | -| 60 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | -| 61 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 62 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | | | | [L1:3] | 347 | -| 63 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | -| 64 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 65 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 227 | -| 66 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 352 | -| 67 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | -| 68 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | -| 69 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | -| 70 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 71 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | -| 72 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 416 | -| 73 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | -| 74 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | -| 75 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | | | :white_check_mark: | | 335 | -| 76 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | | | :white_check_mark: | | 268 | -| 77 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | -| 78 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | :white_check_mark: | | | | | 95 | -| 79 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | :white_check_mark: | | | | [L1:2] | 126 | -| 80 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | :white_check_mark: | | | | | 137 | -| 81 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | -| 82 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | | | | | 228 | -| 83 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | -| 84 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | -| 85 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | | | | | 181 | -| 86 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | -| 87 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | -| 88 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | | | | [L1:2] | 272 | -| 89 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | :white_check_mark: | | | | | 120 | -| 90 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | | | | | 181 | -| 91 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | | | | | 198 | -| 92 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 165 | -| 93 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | | | | [L1:1] | 188 | -| 94 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | :white_check_mark: | | | | [L1:2] | 129 | -| 95 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | :white_check_mark: | | | | [L1:9] | 226 | -| 96 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | -| 97 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | :white_check_mark: | | | | | 121 | -| 98 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | | | | | 214 | -| 99 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | :white_check_mark: | | | | | 109 | -| 100 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | :white_check_mark: | | | | | 102 | -| 101 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | :white_check_mark: | | | | | 105 | -| 102 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | | | | | 195 | -| 103 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | -| 104 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | | | | [L1:2] | 276 | -| 105 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | | | | [L1:1] | 403 | -| 106 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | -| 107 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | -| 108 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | -| 109 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 344 | -| 110 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | -| 111 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 112 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | -| 113 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 311 | -| 114 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 351 | -| 115 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 330 | -| 116 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | -| 117 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | -| 118 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | -| 119 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 120 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 313 | -| 121 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 122 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 441 | -| 123 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | -| 124 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | -| 125 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | -| 126 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 369 | -| 127 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 376 | -| 128 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 500 | -| 129 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | -| 130 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | | | | [L1:3] | 355 | -| 131 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | -| 132 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | -| 133 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 258 | -| 134 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | -| 135 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 441 | -| 136 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 | -| Sum | | | 0 | 0 | 118 | 0 | 0 | 2 | 240 | 29199 | +| 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | +| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | +| 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | +| 9 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | +| 10 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | +| 11 | authorization

policy-exemption | [![Authorization - PolicyExemptions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyExemptions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyexemptions.yml) | | | | | | | [L1:3] | 114 | +| 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | +| 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | +| 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 437 | +| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 311 | +| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 312 | +| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | | | | [L1:1] | 268 | +| 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | +| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 375 | +| 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | +| 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | +| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | +| 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | :white_check_mark: | | | | [L1:2] | 155 | +| 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | +| 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | +| 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | +| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 663 | +| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 607 | +| 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | +| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 430 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 664 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 318 | +| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | +| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | +| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | | | | | 376 | +| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 370 | +| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 364 | +| 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | | | | [L1:1] | 191 | +| 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | | | | | 281 | +| 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | | | | | 200 | +| 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | | | | | 161 | +| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | +| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | | | | [L1:3] | 292 | +| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 400 | +| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | | | | [L1:1] | 248 | +| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 193 | +| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | | | | [L1:1] | 252 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 397 | +| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | +| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 198 | +| 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | +| 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | +| 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | +| 56 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | :white_check_mark: | | | | | 120 | +| 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | +| 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | +| 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | +| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | | | [L1:1] | 172 | +| 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | +| 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | +| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | | | | [L1:3] | 347 | +| 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | +| 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | +| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 227 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 352 | +| 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | +| 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | +| 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | +| 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | +| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | +| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 416 | +| 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | +| 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | +| 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | | | :white_check_mark: | | 335 | +| 77 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | | | :white_check_mark: | | 268 | +| 78 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | +| 79 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | :white_check_mark: | | | | | 95 | +| 80 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | :white_check_mark: | | | | [L1:2] | 126 | +| 81 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | :white_check_mark: | | | | | 137 | +| 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | +| 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | | | | | 228 | +| 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | +| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | +| 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | | | | | 181 | +| 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | +| 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | +| 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | | | | [L1:2] | 272 | +| 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | :white_check_mark: | | | | | 120 | +| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | | | | | 181 | +| 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | | | | | 198 | +| 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 165 | +| 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | | | | [L1:1] | 188 | +| 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | :white_check_mark: | | | | [L1:2] | 129 | +| 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | :white_check_mark: | | | | [L1:9] | 226 | +| 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | +| 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | :white_check_mark: | | | | | 121 | +| 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | | | | | 214 | +| 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | :white_check_mark: | | | | | 109 | +| 101 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | :white_check_mark: | | | | | 102 | +| 102 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | :white_check_mark: | | | | | 105 | +| 103 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | | | | | 195 | +| 104 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | +| 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | | | | [L1:2] | 276 | +| 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | | | | [L1:1] | 403 | +| 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | +| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | +| 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | +| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 344 | +| 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | +| 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | +| 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | +| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 311 | +| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 351 | +| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 330 | +| 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | +| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | +| 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | +| 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | +| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 313 | +| 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 441 | +| 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | +| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | +| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | +| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 369 | +| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 376 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 500 | +| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | | | | [L1:3] | 355 | +| 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | +| 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | +| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 258 | +| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 441 | +| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 | +| Sum | | | 0 | 0 | 119 | 0 | 0 | 2 | 240 | 29361 | ## Legend From f36644d60873a61eedb9c1d165ee2097755ba94c Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 Oct 2023 19:13:07 +0000 Subject: [PATCH 064/178] [Modules] Updating Moved-to-avm.md on Migrated Modules (#4164) * Adding Moved-to-AVM.md * updated readme --- modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md | 1 + modules/network/dns-forwarding-ruleset/README.md | 2 ++ modules/network/dns-resolver/MOVED-TO-AVM.md | 1 + modules/network/dns-resolver/README.md | 2 ++ modules/network/dns-zone/MOVED-TO-AVM.md | 1 + modules/network/dns-zone/README.md | 2 ++ modules/network/private-dns-zone/MOVED-TO-AVM.md | 1 + modules/network/private-dns-zone/README.md | 2 ++ 8 files changed, 12 insertions(+) create mode 100644 modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md create mode 100644 modules/network/dns-resolver/MOVED-TO-AVM.md create mode 100644 modules/network/dns-zone/MOVED-TO-AVM.md create mode 100644 modules/network/private-dns-zone/MOVED-TO-AVM.md diff --git a/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md b/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/dns-forwarding-ruleset/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index f502927b87..b846abe7d3 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -1,5 +1,7 @@ # Dns Forwarding Rulesets `[Microsoft.Network/dnsForwardingRulesets]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This template deploys an dns forwarding ruleset. ## Navigation diff --git a/modules/network/dns-resolver/MOVED-TO-AVM.md b/modules/network/dns-resolver/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/dns-resolver/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 3846d4fbc5..992d53a5c0 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -1,5 +1,7 @@ # DNS Resolvers `[Microsoft.Network/dnsResolvers]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a DNS Resolver. ## Navigation diff --git a/modules/network/dns-zone/MOVED-TO-AVM.md b/modules/network/dns-zone/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/dns-zone/MOVED-TO-AVM.md 
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 75edd92cfa..bf589f09c1 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -1,5 +1,7 @@ # Public DNS Zones `[Microsoft.Network/dnsZones]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Public DNS zone. ## Navigation diff --git a/modules/network/private-dns-zone/MOVED-TO-AVM.md b/modules/network/private-dns-zone/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/private-dns-zone/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index b48571f56a..0191518ff6 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md 
@@ -1,5 +1,7 @@ # Private DNS Zones `[Microsoft.Network/privateDnsZones]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Private DNS zone. ## Navigation From b61e3b492292796db5640709fd04508891c508d3 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Mon, 30 Oct 2023 23:36:06 +0100 Subject: [PATCH 065/178] Added MOVED-TO-AVM files (#4165) --- modules/batch/batch-account/MOVED-TO-AVM.md | 1 + modules/batch/batch-account/README.md | 2 ++ modules/cognitive-services/account/MOVED-TO-AVM.md | 1 + modules/cognitive-services/account/README.md | 2 ++ modules/insights/action-group/MOVED-TO-AVM.md | 1 + modules/insights/action-group/README.md | 2 ++ modules/network/network-interface/MOVED-TO-AVM.md | 1 + modules/network/network-interface/README.md | 2 ++ 8 files changed, 12 insertions(+) create mode 100644 modules/batch/batch-account/MOVED-TO-AVM.md create mode 100644 modules/cognitive-services/account/MOVED-TO-AVM.md create mode 100644 modules/insights/action-group/MOVED-TO-AVM.md create mode 100644 modules/network/network-interface/MOVED-TO-AVM.md diff --git a/modules/batch/batch-account/MOVED-TO-AVM.md b/modules/batch/batch-account/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/batch/batch-account/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 5c724d1f23..66ec1ea280 100644 --- a/modules/batch/batch-account/README.md 
+++ b/modules/batch/batch-account/README.md @@ -1,5 +1,7 @@ # Batch Accounts `[Microsoft.Batch/batchAccounts]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Batch Account. ## Navigation diff --git a/modules/cognitive-services/account/MOVED-TO-AVM.md b/modules/cognitive-services/account/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/cognitive-services/account/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 1ef76d0cbb..a55ed7a0ae 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -1,5 +1,7 @@ # Cognitive Services `[Microsoft.CognitiveServices/accounts]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Cognitive Service. ## Navigation diff --git a/modules/insights/action-group/MOVED-TO-AVM.md b/modules/insights/action-group/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/insights/action-group/MOVED-TO-AVM.md 
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index 2b2d2fcbfa..107e2c2fd1 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -1,5 +1,7 @@ # Action Groups `[Microsoft.Insights/actionGroups]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Action Group. ## Navigation diff --git a/modules/network/network-interface/MOVED-TO-AVM.md b/modules/network/network-interface/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/network-interface/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 2af3a8f2a0..678d9fd744 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md 
@@ -1,5 +1,7 @@ # Network Interface `[Microsoft.Network/networkInterfaces]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Network Interface. ## Navigation From d57068f2ee07f9d32f8f204d069b4ed08fa5e6fd Mon Sep 17 00:00:00 2001 
From: Kris Baranek Date: Tue, 31 Oct 2023 13:17:48 +0100 Subject: [PATCH 066/178] [Modules] Updated identities to UDT as per AVM specs - Batch 1 (#4124) * Updated API Management module * Updated Container App module * Updating Configuration Store module (ongoing) * Updated Configuration Store module * Updated Automation Account module * Comment headers formatted * Readme/ARM for first four modules * Updated Batch Account module * Fixed parameter descriptions * Updated Readme and ARM * Updated Redis Cache module * Container App - Fixed parameter descriptions * Updated Cognitive Services module * Updated VMSS module * Updated Container Group module * Updated Container Registry module * Updated Data Factory module * Updated Event Grid / System Topic module * Updated EventHub Namespace module * [Modules] Resolved conflicts (#4129) * [Modules] Migrated batch [1/4] to AVM RBAC (#4125) * Updated first badge of templates (readmes pending) * Update to latest * Compiled templates * Compiled templates * Compiled first few readmes * Updated test files * Updated readmes * Reduced roles * Updated templates * Rollback different branches' changes * Updated nic & pip * Fixed test file * Refreshed vm * Push updated Readme file(s) * Updated templates * Updated templates --------- Co-authored-by: CARMLPipelinePrincipal * Clean-up, some fixes * Removed Azure Firewall changes from branch * Update API common test file * Update API common test file2 * Updated Recovery Services Vault module * Updated ServiceBus Namespace module * Updated SQL Managed Instance module * Updated SQL Server module * Updated Static Website module * Updated Web Site module * Updated website slot readme/arm * Redis Cache - Testing with two identities * Configuration Store module - Testing with two identities * Updated Signal-R WebPub Sub module * Updated Barch module to support only one type of identity * Updated AKS module * Updated Databricks Access Connector module * Updated Disk Encryption Set module * Updated 
Search Service module * Updated Backup Vault module * Updated Firewall Policy module * Updated MySQL Flexible server module * MySQL Flexible server module - namePrefix reset * Updated Health Bot module * Updated NetApp Account module * Updated App Gateway module * Updated Deployment Script module * Updated PostgreSQL Flexible Server module * Fixed description of userAssignedResourcesIds * Updated Storage Account module * Updated Web Hosting Environment module * Updated Log Analytics Workspace module * Updated Logic Workflow module * Updated ML Workspace module * Updated ML Workspace Compute module * Updated Cosmos DB module * Updated VM module * Updated Digital Twins module * Updated Healthcare APIs module * Updated DevTest Lab module * Updated PurView Account module * Fixed Digital Twins missing references * Fixed DevTest Lab formattedManagementIdentities ref * Purview fix * Purview fix 2 * Purview updated ARM * SQL MI fix * SQL MI updated ARM * SQL MI removed new output * Small fixes * Fixed SQL Server module * DigitalTwins - fixed params * Digital Twins - reset to main * mySQL - updated param description * postgreSQL - updated param description * mySQL - updated conditional param description * postgreSQL - updated conditional param description * Updated param description for "one identity only" modules * Disk Encryption Set - updated keyVaultPermissions implementation * Removed identity from Gremlin DB * Web Hosting Env - changed the way how to suppress warning --------- Co-authored-by: Alexander Sehr Co-authored-by: CARMLPipelinePrincipal --- .../service/.test/common/main.test.bicep | 3 + .../service/.test/max/main.test.bicep | 8 +- modules/api-management/service/README.md | 79 +++++---- modules/api-management/service/main.bicep | 25 +-- modules/api-management/service/main.json | 47 ++++-- .../.test/common/main.test.bicep | 8 +- .../.test/encr/main.test.bicep | 6 +- .../configuration-store/README.md | 91 ++++++----- .../.bicep/nested_roleAssignments.bicep | 70 
-------- .../configuration-store/main.bicep | 27 ++-- .../configuration-store/main.json | 50 +++--- .../.test/common/main.test.bicep | 6 +- modules/app/container-app/README.md | 64 +++++--- modules/app/container-app/main.bicep | 26 +-- modules/app/container-app/main.json | 50 ++++-- .../.test/common/main.test.bicep | 8 +- .../.test/encr/main.test.bicep | 6 +- .../automation/automation-account/README.md | 83 ++++++---- .../automation/automation-account/main.bicep | 25 +-- .../automation/automation-account/main.json | 47 ++++-- .../.test/common/main.test.bicep | 4 +- .../batch-account/.test/encr/main.test.bicep | 6 +- modules/batch/batch-account/README.md | 76 +++++---- modules/batch/batch-account/main.bicep | 28 ++-- modules/batch/batch-account/main.json | 53 ++++-- .../redis/.test/common/dependencies.bicep | 11 ++ .../cache/redis/.test/common/main.test.bicep | 8 +- modules/cache/redis/README.md | 62 ++++--- modules/cache/redis/main.bicep | 28 ++-- modules/cache/redis/main.json | 53 ++++-- .../account/.test/common/main.test.bicep | 8 +- .../account/.test/encr/main.test.bicep | 6 +- .../account/.test/speech/main.test.bicep | 8 +- modules/cognitive-services/account/README.md | 117 ++++++++------ modules/cognitive-services/account/main.bicep | 25 +-- modules/cognitive-services/account/main.json | 47 ++++-- .../.test/accessPolicies/main.test.bicep | 8 +- .../.test/common/main.test.bicep | 7 +- modules/compute/disk-encryption-set/README.md | 100 ++++++------ .../compute/disk-encryption-set/main.bicep | 35 ++-- modules/compute/disk-encryption-set/main.json | 58 ++++--- .../.test/linux/main.test.bicep | 10 +- .../.test/windows/main.test.bicep | 10 +- .../virtual-machine-scale-set/README.md | 97 ++++++----- .../virtual-machine-scale-set/main.bicep | 25 +-- .../virtual-machine-scale-set/main.json | 47 ++++-- .../.test/linux/main.test.bicep | 8 +- .../.test/windows/main.test.bicep | 8 +- modules/compute/virtual-machine/README.md | 97 ++++++----- 
modules/compute/virtual-machine/main.bicep | 39 ++--- modules/compute/virtual-machine/main.json | 47 ++++-- .../.test/common/main.test.bicep | 8 +- .../.test/encr/main.test.bicep | 8 +- .../.test/private/main.test.bicep | 8 +- .../container-group/README.md | 119 ++++++++------ .../container-group/main.bicep | 25 +-- .../container-group/main.json | 47 ++++-- .../registry/.test/common/main.test.bicep | 10 +- .../registry/.test/encr/main.test.bicep | 6 +- modules/container-registry/registry/README.md | 91 ++++++----- .../container-registry/registry/main.bicep | 25 +-- modules/container-registry/registry/main.json | 47 ++++-- .../.test/azure/main.test.bicep | 6 +- .../.test/kubenet/main.test.bicep | 6 +- .../managed-cluster/.test/min/main.test.bicep | 4 +- .../.test/priv/main.test.bicep | 6 +- .../managed-cluster/README.md | 115 ++++++++----- .../managed-cluster/main.bicep | 27 ++-- .../managed-cluster/main.json | 50 +++--- .../factory/.test/common/main.test.bicep | 8 +- modules/data-factory/factory/README.md | 71 ++++---- modules/data-factory/factory/main.bicep | 25 +-- modules/data-factory/factory/main.json | 47 ++++-- .../backup-vault/.test/common/main.test.bicep | 4 +- .../data-protection/backup-vault/README.md | 41 +++-- .../data-protection/backup-vault/main.bicep | 17 +- .../data-protection/backup-vault/main.json | 29 ++-- .../.test/common/main.test.bicep | 8 +- modules/databricks/access-connector/README.md | 70 ++++---- .../databricks/access-connector/main.bicep | 26 +-- modules/databricks/access-connector/main.json | 50 ++++-- .../.test/private/main.test.bicep | 6 +- .../.test/public/main.test.bicep | 8 +- .../db-for-my-sql/flexible-server/README.md | 71 +++++--- .../db-for-my-sql/flexible-server/main.bicep | 17 +- .../db-for-my-sql/flexible-server/main.json | 28 +++- .../.test/public/main.test.bicep | 6 +- .../flexible-server/README.md | 47 ++++-- .../flexible-server/main.bicep | 21 ++- .../flexible-server/main.json | 31 ++-- 
.../lab/.test/common/main.test.bicep | 12 +- modules/dev-test-lab/lab/README.md | 64 +++++--- modules/dev-test-lab/lab/main.bicep | 32 ++-- modules/dev-test-lab/lab/main.json | 52 ++++-- .../.test/gremlindb/main.test.bicep | 4 +- .../.test/mongodb/main.test.bicep | 4 +- .../.test/sqldb/main.test.bicep | 6 +- .../document-db/database-account/README.md | 89 ++++++---- .../gremlin-database/README.md | 16 -- .../gremlin-database/main.bicep | 24 +-- .../gremlin-database/main.json | 71 +++++--- .../document-db/database-account/main.bicep | 25 +-- .../document-db/database-account/main.json | 118 +++++++++----- .../system-topic/.test/common/main.test.bicep | 3 + modules/event-grid/system-topic/README.md | 53 ++++-- modules/event-grid/system-topic/main.bicep | 25 +-- modules/event-grid/system-topic/main.json | 47 ++++-- .../namespace/.test/common/main.test.bicep | 8 +- .../namespace/.test/encr/main.test.bicep | 8 +- modules/event-hub/namespace/README.md | 97 ++++++----- modules/event-hub/namespace/main.bicep | 25 +-- modules/event-hub/namespace/main.json | 47 ++++-- .../health-bot/.test/common/main.test.bicep | 6 +- modules/health-bot/health-bot/README.md | 47 ++++-- modules/health-bot/health-bot/main.bicep | 17 +- modules/health-bot/health-bot/main.json | 28 +++- .../workspace/.test/common/main.test.bicep | 21 +-- modules/healthcare-apis/workspace/README.md | 40 +++-- .../workspace/dicomservice/README.md | 45 ++++-- .../workspace/dicomservice/main.bicep | 25 +-- .../workspace/dicomservice/main.json | 47 ++++-- .../workspace/fhirservice/README.md | 45 ++++-- .../workspace/fhirservice/main.bicep | 25 +-- .../workspace/fhirservice/main.json | 47 ++++-- .../workspace/iotconnector/README.md | 43 +++-- .../workspace/iotconnector/main.bicep | 25 +-- .../workspace/iotconnector/main.json | 47 ++++-- modules/healthcare-apis/workspace/main.bicep | 9 +- modules/healthcare-apis/workspace/main.json | 152 +++++++++++------- .../workflow/.test/common/main.test.bicep | 6 +- 
modules/logic/workflow/README.md | 65 +++++--- modules/logic/workflow/main.bicep | 25 +-- modules/logic/workflow/main.json | 47 ++++-- .../workspace/.test/common/main.test.bicep | 16 +- .../workspace/.test/encr/main.test.bicep | 10 +- .../workspace/.test/min/main.test.bicep | 4 +- .../workspace/README.md | 129 +++++++++------ .../workspace/compute/README.md | 45 ++++-- .../workspace/compute/main.bicep | 37 +++-- .../workspace/compute/main.json | 73 ++++++--- .../workspace/main.bicep | 33 ++-- .../workspace/main.json | 125 +++++++++----- .../.test/nfs41/main.test.bicep | 6 +- modules/net-app/net-app-account/README.md | 47 ++++-- modules/net-app/net-app-account/main.bicep | 17 +- modules/net-app/net-app-account/main.json | 28 +++- .../.test/common/main.test.bicep | 6 +- modules/network/application-gateway/README.md | 47 ++++-- .../network/application-gateway/main.bicep | 17 +- modules/network/application-gateway/main.json | 28 +++- modules/network/firewall-policy/README.md | 27 +++- modules/network/firewall-policy/main.bicep | 21 ++- modules/network/firewall-policy/main.json | 45 ++++-- .../workspace/.test/adv/main.test.bicep | 6 +- .../workspace/.test/common/main.test.bicep | 4 +- .../operational-insights/workspace/README.md | 77 +++++---- .../operational-insights/workspace/main.bicep | 25 +-- .../operational-insights/workspace/main.json | 47 ++++-- .../account/.test/common/main.test.bicep | 6 +- modules/purview/account/README.md | 49 ++++-- modules/purview/account/main.bicep | 23 +-- modules/purview/account/main.json | 35 ++-- .../vault/.test/common/main.test.bicep | 6 + modules/recovery-services/vault/README.md | 59 +++++-- modules/recovery-services/vault/main.bicep | 25 +-- modules/recovery-services/vault/main.json | 47 ++++-- .../.test/cli/main.test.bicep | 6 +- .../.test/ps/main.test.bicep | 6 +- modules/resources/deployment-script/README.md | 67 +++++--- .../resources/deployment-script/main.bicep | 17 +- modules/resources/deployment-script/main.json | 28 +++- 
.../.test/common/main.test.bicep | 4 +- modules/search/search-service/README.md | 40 +++-- modules/search/search-service/main.bicep | 18 ++- modules/search/search-service/main.json | 32 +++- .../namespace/.test/common/main.test.bicep | 8 +- .../namespace/.test/encr/main.test.bicep | 8 +- modules/service-bus/namespace/README.md | 97 ++++++----- modules/service-bus/namespace/main.bicep | 25 +-- modules/service-bus/namespace/main.json | 47 ++++-- .../web-pub-sub/.test/common/main.test.bicep | 4 +- .../signal-r-service/web-pub-sub/README.md | 56 ++++--- .../signal-r-service/web-pub-sub/main.bicep | 32 ++-- .../signal-r-service/web-pub-sub/main.json | 53 ++++-- .../.test/common/main.test.bicep | 10 +- .../.test/vulnAssm/main.test.bicep | 4 +- modules/sql/managed-instance/README.md | 83 ++++++---- modules/sql/managed-instance/main.bicep | 27 ++-- modules/sql/managed-instance/main.json | 49 ++++-- .../sql/server/.test/common/main.test.bicep | 8 +- .../sql/server/.test/vulnAssm/main.test.bicep | 8 +- modules/sql/server/README.md | 97 ++++++----- modules/sql/server/main.bicep | 25 +-- modules/sql/server/main.json | 47 ++++-- .../.test/common/main.test.bicep | 8 +- .../.test/encr/main.test.bicep | 8 +- .../storage-account/.test/nfs/main.test.bicep | 8 +- modules/storage/storage-account/README.md | 123 ++++++++------ modules/storage/storage-account/main.bicep | 26 +-- modules/storage/storage-account/main.json | 47 ++++-- .../.test/asev2/main.test.bicep | 8 +- .../.test/asev3/main.test.bicep | 8 +- modules/web/hosting-environment/README.md | 95 ++++++----- modules/web/hosting-environment/main.bicep | 26 +-- modules/web/hosting-environment/main.json | 43 +++-- .../.test/functionAppCommon/main.test.bicep | 8 +- .../site/.test/webAppCommon/main.test.bicep | 8 +- modules/web/site/README.md | 97 ++++++----- modules/web/site/main.bicep | 30 ++-- modules/web/site/main.json | 99 ++++++++---- modules/web/site/slot/README.md | 45 ++++-- modules/web/site/slot/main.bicep | 25 +-- 
modules/web/site/slot/main.json | 47 ++++-- .../static-site/.test/common/main.test.bicep | 8 +- modules/web/static-site/README.md | 71 ++++---- modules/web/static-site/main.bicep | 25 +-- modules/web/static-site/main.json | 47 ++++-- 217 files changed, 4835 insertions(+), 2897 deletions(-) delete mode 100644 modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/.test/common/main.test.bicep index fbed3af64f..b2435a08bf 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/.test/common/main.test.bicep @@ -82,6 +82,9 @@ module testDeployment '../../main.bicep' = { } } ] + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/.test/max/main.test.bicep index e2902a543c..4311cd5ebb 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/.test/max/main.test.bicep @@ -201,9 +201,11 @@ module testDeployment '../../main.bicep' = { scope: '/apis' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 81826b9b9c..8a7569241b 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md 
@@ -69,6 +69,9 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } policies: [ { format: 'xml' @@ -141,6 +144,11 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "policies": { "value": [ { @@ -279,6 +287,12 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } namedValues: [ { displayName: 'apimkey' @@ -339,15 +353,11 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { name: 'testArmSubscriptionAllApis' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -463,6 +473,14 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "namedValues": { "value": [ { @@ -535,20 +553,12 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -644,6 +654,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`identityProviders`](#parameter-identityproviders) | array | Identity providers. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. | | [`namedValues`](#parameter-namedvalues) | array | Named values. | | [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. | 
@@ -657,9 +668,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. | | [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | | [`subscriptions`](#parameter-subscriptions) | array | Subscriptions. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`virtualNetworkType`](#parameter-virtualnetworktype) | string | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | 
@@ -903,6 +912,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `minApiVersion` Limit control plane API calls to API Management service with version equal to or newer than this value. @@ -1075,13 +1110,6 @@ Subscriptions. - Type: array - Default: `[]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1089,13 +1117,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `virtualNetworkType` The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 
@@ -1120,7 +1141,7 @@ A list of availability zones denoting where the resource needs to come from.
 | `name` | string | The name of the API management service. |
 | `resourceGroupName` | string | The resource group the API management service was deployed into. |
 | `resourceId` | string | The resource ID of the API management service. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
 ## Cross-referenced modules
diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep
index 2b28c3d8b1..9d7119f4b8 100644
--- a/modules/api-management/service/main.bicep
+++ b/modules/api-management/service/main.bicep
@@ -27,11 +27,8 @@ param enableClientCertificate bool = false
 @description('Optional. Custom hostname configuration of the API Management service.')
 param hostnameConfigurations array = []
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
@@ -135,11 +132,11 @@ var enableReferencedModulesTelemetry = false
 var authorizationServerList = !empty(authorizationServers) ? authorizationServers.secureList : []
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 var builtInRoleNames = {
@@ -454,7 +451,7 @@ output resourceId string = service.id
 output resourceGroupName string = resourceGroup().name
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(service.identity, 'principalId') ? service.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(service.identity, 'principalId') ? service.identity.principalId : ''
 @description('The location the resource was deployed into.')
 output location string = service.location
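Review bot: The `type` expression in the new `identity` variable can evaluate to `null` while the surrounding object is still emitted: for `managedIdentities: { systemAssigned: false }` (a non-empty object with no `userAssignedResourcesIds`) the outer `!empty(managedIdentities)` is true, so the resource receives `identity: { type: null, userAssignedIdentities: null }`, whereas the removed `identityType` logic resolved such input to `'None'`. I'd either return `'None'` in that final branch instead of `null`, or derive the outer condition from the two properties so the whole `identity` block is dropped in that case. Separately, the `?? {}` default applied to `userAssignedResourcesIds` in the `type` line is an object default for an array-typed property while the `formattedUserAssignedIdentities` line above uses `?? []`; behaviour is the same since `empty({})` holds, but one default in both places reads more consistently. The app-configuration `main.bicep` hunk further down this page carries the identical expression and the same remarks apply there.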
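Review bot: Renaming the output from `systemAssignedPrincipalId` to `systemAssignedMIPrincipalId` is a breaking change for any consumer that reads `outputs.systemAssignedPrincipalId`, and the hunk keeps no alias under the old name. If the rename is intended across the module set, I'd call it out in the commit description so downstream templates can plan the update; the app-configuration `main.bicep` hunk later on this page makes the same rename.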
@@ -463,6 +460,14 @@ output location string = service.location
 // Definitions //
 // =============== //
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json
index 7122d8c63c..53e81dd1bd 100644
--- a/modules/api-management/service/main.json
+++ b/modules/api-management/service/main.json
@@ -6,13 +6,36 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5480824753048175780"
+ "templateHash": "3274387832095626640"
 },
 "name": "API Management Services",
 "description": "This module deploys an API Management Service.",
 "owner": "Azure/module-maintainers"
 },
 "definitions": {
+ "managedIdentitiesType": {
+ "type": "object",
+ "properties": {
+ "systemAssigned": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enables system assigned managed identity on the resource."
+ }
+ },
+ "userAssignedResourcesIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID(s) to assign to the resource."
+ }
+ }
+ },
+ "nullable": true
+ },
 "lockType": {
 "type": "object",
 "properties": {
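Review bot: The description on `userAssignedResourcesIds` in the new `managedIdentitiesType` does not say which kind of resource IDs it accepts; since the values are expanded into the resource's `userAssignedIdentities` map, I'd make that explicit: `@description('Optional. The resource ID(s) of the user-assigned managed identities to assign to the resource.')`. The same wording appears in the app-configuration `main.bicep` definitions hunk further down, and in the generated `main.json`/README copies that derive from it.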
@@ -268,18 +291,10 @@ "description": "Optional. Custom hostname configuration of the API Management service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "location": { 
@@ -486,8 +501,8 @@ "variables": { "enableReferencedModulesTelemetry": false, "authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]", - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]", "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", 
@@ -3053,12 +3068,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/.test/common/main.test.bicep index fca8a214b8..53df736af2 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/common/main.test.bicep @@ -109,9 +109,11 @@ module testDeployment '../../main.bicep' = { } ] softDeleteRetentionInDays: 1 - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep index 28c092fff8..51e9ff0202 100644 --- a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep 
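Review bot: In the app-configuration common test, `systemAssigned` is set to `true` where the removed line had `systemAssignedIdentity: false`, so this test now deploys the combined system- and user-assigned identity rather than user-assigned only. If that is intended (it does exercise the new `'SystemAssigned,UserAssigned'` branch in `main.bicep`), it is worth stating in the commit description; otherwise `systemAssigned: false` would preserve the test's previous coverage.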
@@ -80,8 +80,10 @@ module testDeployment '../../main.bicep' = { } ] softDeleteRetentionInDays: 1 - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 15a5ab72fc..7e4babb679 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -87,6 +87,12 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' @@ -95,15 +101,11 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] softDeleteRetentionInDays: 1 - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -175,6 +177,14 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -187,20 +197,12 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "softDeleteRetentionInDays": { "value": 1 }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -243,6 +245,11 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor value: 'valueName' } ] + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' @@ -256,9 +263,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -317,6 +321,13 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -335,11 +346,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -527,14 +533,13 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`keyValues`](#parameter-keyvalues) | array | All Key / Values to create. Requires local authentication to be enabled. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sku`](#parameter-sku) | string | Pricing tier of App Configuration. | | [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `cMKKeyName` 
@@ -749,6 +754,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the Azure App Configuration. @@ -1014,13 +1045,6 @@ The amount of time in days that the configuration store will be retained when it - Type: int - Default: `1` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1028,13 +1052,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -1044,7 +1061,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the app configuration. | | `resourceGroupName` | string | The resource group the app configuration store was deployed into. | | `resourceId` | string | The resource ID of the app configuration. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep b/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep deleted file mode 100644 index 2b0b5813ba..0000000000 --- a/modules/app-configuration/configuration-store/key-value/.bicep/nested_roleAssignments.bicep +++ /dev/null 
@@ -1,70 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') -param condition string = '' - -@sys.description('Optional. Version of the condition.') -@allowed([ - '2.0' -]) -param conditionVersion string = '2.0' - -@sys.description('Optional. 
Id of the delegated managed identity resource.') -param delegatedManagedIdentityResourceId string = '' - -var builtInRoleNames = { - 'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b') - 'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071') - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - -resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { - name: last(split(resourceId, '/'))! -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: { - name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - condition: !empty(condition) ? condition : null - conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null - delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null - } - scope: appConfiguration -}] diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index e3c46d215d..605a827075 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep @@ -8,11 +8,8 @@ param name string @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @allowed([ 'Free' 
@@ -82,12 +79,12 @@ param privateEndpoints privateEndpointType
 var enableReferencedModulesTelemetry = false
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-var identity = {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
-}
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+} : null
 var builtInRoleNames = {
 'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
@@ -245,7 +242,7 @@ output resourceId string = configurationStore.id
 output resourceGroupName string = resourceGroup().name
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : ''
 @description('The location the resource was deployed into.')
 output location string = configurationStore.location
@@ -254,6 +251,14 @@ output location string = configurationStore.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index f0132feeea..e5b8f23942 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1654739294339670098" + "templateHash": "5839345851698938345" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
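Review bot: The `userAssignedResourcesIds` description in the new `managedIdentitiesType` ("The resource ID(s) to assign to the resource") no longer says what kind of ID belongs in the array, while the removed `userAssignedIdentities` description in the container-app module (`@@ -54,11 +54,8 @@`) spelled out that the keys are ARM resource IDs. Each entry is passed through verbatim as a key of `userAssignedIdentities` by the `formattedUserAssignedIdentities` variable, so a principal ID or client ID pasted here is presumably only rejected at deployment time. Suggest `@description('Optional. The resource ID(s) of the user-assigned managed identities to assign to the resource.')` here and in the identical type blocks in container-app `main.bicep` (`@@ -227,6 +227,14 @@`) and automation-account `main.bicep` (`@@ -396,6 +393,14 @@`), then regenerate the README and `main.json` files.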
@@ -374,18 +397,10 @@ "description": "Optional. Location for all Resources." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "sku": { 
@@ -521,11 +536,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", 
@@ -1377,12 +1389,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('configurationStore', '2023-03-01', 'full').identity, 'principalId')), reference('configurationStore', '2023-03-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('configurationStore', '2023-03-01', 'full').identity, 'principalId')), reference('configurationStore', '2023-03-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/app/container-app/.test/common/main.test.bicep b/modules/app/container-app/.test/common/main.test.bicep index 19585fed16..70db0d5eef 100644 --- a/modules/app/container-app/.test/common/main.test.bicep +++ b/modules/app/container-app/.test/common/main.test.bicep @@ -64,8 +64,10 @@ module testDeployment '../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } secrets: { secureList: [ diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index dd5a6c3f12..4da6b25062 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -79,6 +79,11 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } secrets: { secureList: [ { 
@@ -91,9 +96,6 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { Env: 'test' 'hidden-title': 'This is visible in the resource name' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -159,6 +161,13 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "secrets": { "value": { "secureList": [ @@ -174,11 +183,6 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "Env": "test", "hidden-title": "This is visible in the resource name" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -303,6 +307,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { | [`ipSecurityRestrictions`](#parameter-ipsecurityrestrictions) | array | Rules to restrict incoming IP address. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`maxInactiveRevisions`](#parameter-maxinactiverevisions) | int | Max inactive revisions a Container App can have. | | [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | | [`revisionSuffix`](#parameter-revisionsuffix) | string | User friendly suffix that is appended to the revision name. | 
@@ -311,13 +316,11 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { | [`scaleMinReplicas`](#parameter-scaleminreplicas) | int | Minimum number of container replicas. | | [`scaleRules`](#parameter-scalerules) | array | Scaling rules. | | [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`trafficLabel`](#parameter-trafficlabel) | string | Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. | | [`trafficLatestRevision`](#parameter-trafficlatestrevision) | bool | Indicates that the traffic weight belongs to a latest stable revision. | | [`trafficRevisionName`](#parameter-trafficrevisionname) | string | Name of a revision. | | [`trafficWeight`](#parameter-trafficweight) | int | Traffic weight assigned to a revision. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | | [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | | [`workloadProfileType`](#parameter-workloadprofiletype) | string | Workload profile type to pin for container app execution. | 
@@ -446,6 +449,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `maxInactiveRevisions` Max inactive revisions a Container App can have. @@ -569,13 +598,6 @@ The secrets of the Container App. - Type: secureObject - Default: `{object}` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -611,13 +633,6 @@ Traffic weight assigned to a revision. - Type: int - Default: `100` -### Parameter: `userAssignedIdentities` - -The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `volumes` List of volume definitions for the Container App. 
@@ -641,6 +656,7 @@ Workload profile type to pin for container app execution. | `name` | string | The name of the Container App. | | `resourceGroupName` | string | The name of the resource group the Container App was deployed into. | | `resourceId` | string | The resource ID of the Container App. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index cb4df29cfa..6203e95475 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep @@ -54,11 +54,8 @@ param tags object = {} @description('Optional. Collection of private container registry credentials for containers used by the Container app.') param registries array = [] -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute.') param roleAssignments roleAssignmentType 
@@ -114,11 +111,11 @@ param workloadProfileType string = '' var secretList = !empty(secrets) ? secrets.secureList : [] -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -220,6 +217,9 @@ output resourceGroupName string = resourceGroup().name @description('The name of the Container App.') output name string = containerApp.name +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerApp.identity, 'principalId') ? containerApp.identity.principalId : '' + @description('The location the resource was deployed into.') output location string = containerApp.location 
@@ -227,6 +227,14 @@ output location string = containerApp.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json index 904218dfda..ee8c7769c7 100644 --- a/modules/app/container-app/main.json +++ b/modules/app/container-app/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15975254087801616307" + "templateHash": "18263232031845288996" }, "name": "Container Apps", "description": "This module deploys a Container App.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -211,18 +234,10 @@ "description": "Optional. Collection of private container registry credentials for containers used by the Container app." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests." + "description": "Optional. The managed identity definition for this resource." } }, "roleAssignments": { 
@@ -345,8 +360,8 @@ }, "variables": { "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -477,6 +492,13 @@ }, "value": "[parameters('name')]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containerApp', '2022-10-01', 'full').identity, 'principalId')), reference('containerApp', '2022-10-01', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/.test/common/main.test.bicep index c47be89759..38861ec093 100644 --- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/.test/common/main.test.bicep @@ -218,9 +218,11 @@ module testDeployment '../../main.bicep' = { ] } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } variables: [ { diff --git a/modules/automation/automation-account/.test/encr/main.test.bicep b/modules/automation/automation-account/.test/encr/main.test.bicep index 8fa4abaa5d..389ca3eae8 100644 --- a/modules/automation/automation-account/.test/encr/main.test.bicep +++ b/modules/automation/automation-account/.test/encr/main.test.bicep 
@@ -57,8 +57,10 @@ module testDeployment '../../main.bicep' = { cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } } } diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index b832c2ad0c..de8dee9816 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -91,6 +91,12 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } modules: [ { name: 'PSWindowsUpdate' @@ -208,15 +214,11 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' ] } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } variables: [ { description: 'TestStringDescription' @@ -314,6 +316,14 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "modules": { "value": [ { @@ -443,9 +453,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -453,11 +460,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "variables": { "value": [ { @@ -512,8 +514,10 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' - userAssignedIdentities: { - '': {} + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] } } } @@ -548,9 +552,11 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "enableDefaultTelemetry": { "value": "" }, - "userAssignedIdentities": { + "managedIdentities": { "value": { - "": {} + "userAssignedResourcesIds": [ + "" + ] } } } @@ -638,6 +644,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`linkedWorkspaceResourceId`](#parameter-linkedworkspaceresourceid) | string | ID of the log analytics workspace to be linked to the deployed automation account. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | 
@@ -646,9 +653,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`schedules`](#parameter-schedules) | array | List of schedules to be created in the automation account. | | [`skuName`](#parameter-skuname) | string | SKU name of the account. | | [`softwareUpdateConfigurations`](#parameter-softwareupdateconfigurations) | array | List of softwareUpdateConfigurations to be created in the automation account. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`variables`](#parameter-variables) | array | List of variables to be created in the automation account. | ### Parameter: `cMKKeyName` @@ -863,6 +868,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `modules` List of modules to be created in the automation account. 
@@ -1149,13 +1180,6 @@ List of softwareUpdateConfigurations to be created in the automation account. - Type: array - Default: `[]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the Automation Account resource. @@ -1163,13 +1187,6 @@ Tags of the Automation Account resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `variables` List of variables to be created in the automation account. @@ -1186,7 +1203,7 @@ List of variables to be created in the automation account. | `name` | string | The name of the deployed automation account. | | `resourceGroupName` | string | The resource group of the deployed automation account. | | `resourceId` | string | The resource ID of the deployed automation account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index b921f002e8..908b6b3811 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep 
@@ -68,11 +68,8 @@ param privateEndpoints privateEndpointType @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType @@ -88,11 +85,11 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { 
@@ -387,7 +384,7 @@ output resourceId string = automationAccount.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(automationAccount.identity, 'principalId') ? automationAccount.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(automationAccount.identity, 'principalId') ? automationAccount.identity.principalId : '' @description('The location the resource was deployed into.') output location string = automationAccount.location @@ -396,6 +393,14 @@ output location string = automationAccount.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 4c84eda080..f6484661e3 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13507604496073736605" + "templateHash": "5962075210200629853" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -499,18 +522,10 @@ "description": "Optional. The diagnostic settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "lock": { 
@@ -542,8 +557,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Automation Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", 
@@ -2888,12 +2903,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('automationAccount', '2022-08-08', 'full').identity, 'principalId')), reference('automationAccount', '2022-08-08', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('automationAccount', '2022-08-08', 'full').identity, 'principalId')), reference('automationAccount', '2022-08-08', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/.test/common/main.test.bicep index f41129e7f6..8187f404f6 100644 --- a/modules/batch/batch-account/.test/common/main.test.bicep +++ b/modules/batch/batch-account/.test/common/main.test.bicep @@ -117,7 +117,9 @@ module testDeployment '../../main.bicep' = { ] storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId storageAuthenticationMode: 'BatchAccountManagedIdentity' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/batch/batch-account/.test/encr/main.test.bicep b/modules/batch/batch-account/.test/encr/main.test.bicep index 19c638ffcc..c3ae0ef1cc 100644 --- a/modules/batch/batch-account/.test/encr/main.test.bicep +++ b/modules/batch/batch-account/.test/encr/main.test.bicep 
@@ -76,8 +76,10 @@ module testDeployment '../../main.bicep' = { ] storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId storageAuthenticationMode: 'BatchAccountManagedIdentity' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 66ec1ea280..0669214e97 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -71,6 +71,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } poolAllocationMode: 'BatchService' privateEndpoints: [ { @@ -101,7 +104,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { ] storageAccessIdentity: '' storageAuthenticationMode: 'BatchAccountManagedIdentity' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -156,6 +158,11 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "poolAllocationMode": { "value": "BatchService" }, @@ -196,9 +203,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "storageAuthenticationMode": { "value": "BatchAccountManagedIdentity" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -230,6 +234,11 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { cMKKeyName: '' cMKKeyVaultResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } poolAllocationMode: 'BatchService' privateEndpoints: [ { @@ -252,9 +261,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -288,6 +294,13 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "poolAllocationMode": { "value": "BatchService" }, @@ -319,11 +332,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -412,6 +420,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all Resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. |
 | [`networkProfileAllowedIpRanges`](#parameter-networkprofileallowedipranges) | array | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. |
 | [`networkProfileDefaultAction`](#parameter-networkprofiledefaultaction) | string | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. |
 | [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. |
@@ -420,9 +429,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`storageAccessIdentity`](#parameter-storageaccessidentity) | string | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. | | [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `allowedAuthenticationModes` 
@@ -616,6 +623,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the Azure Batch. @@ -910,13 +943,6 @@ The authentication mode which the Batch service will use to manage the auto-stor - Default: `'StorageKeys'` - Allowed: `[BatchAccountManagedIdentity, StorageKeys]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -924,13 +950,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -940,6 +959,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the batch account. | | `resourceGroupName` | string | The resource group the batch account was deployed into. | | `resourceId` | string | The resource ID of the batch account. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index e0ca3aaf85..4c322f5d36 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep @@ -8,11 +8,8 @@ param name string @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') +param managedIdentities managedIdentitiesType @description('Required. The resource ID of the storage account to be used for auto-storage account.') param storageAccountId string 
@@ -90,12 +87,12 @@ param cMKKeyVersion string = '' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : null var networkProfileIpRules = [for networkProfileAllowedIpRange in networkProfileAllowedIpRanges: { action: 'Allow' @@ -257,10 +254,21 @@ output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') output location string = batchAccount.location +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(batchAccount.identity, 'principalId') ? batchAccount.identity.principalId : '' + // =============== // // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? 
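Review bot: In the new `identity` variable of modules/batch/batch-account/main.bicep the fallback for `managedIdentities.?userAssignedResourcesIds` is `?? {}` although the property is declared `string[]?` and the `formattedUserAssignedIdentities` line directly above coalesces the same property with `?? []`; both survive `empty()`, but the mismatch is a latent type error and `!empty(managedIdentities.?userAssignedResourcesIds ?? [])` keeps the two lines consistent (the Redis module's `identity` variable in this commit has the same `?? {}`). The parameter description promises "system-assigned or user-assigned, but not both", yet nothing enforces it: when both are supplied, `type` becomes `'SystemAssigned'` while `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so a contradictory identity block is sent and the outcome depends on how the resource provider validates it. Either extend the `type` expression to `'SystemAssigned,UserAssigned'` as the Redis module on this commit does, or set `userAssignedIdentities: (managedIdentities.?systemAssigned ?? false) ? null : formattedUserAssignedIdentities` so the second identity is dropped deliberately rather than silently; whichever is chosen, the README text should match it. The surrounding `var` declarations continue outside this hunk.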
diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index a44629002b..704866f515 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15411894480472906103" + "templateHash": "8921010374521375351" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -374,18 +397,10 @@ "description": "Optional. Location for all Resources." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." } }, "storageAccountId": { 
@@ -543,11 +558,8 @@ } } ], - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "nodeIdentityReference": "[if(not(empty(parameters('storageAccessIdentity'))), createObject('resourceId', if(not(empty(parameters('storageAccessIdentity'))), parameters('storageAccessIdentity'), null())), null())]", "autoStorageConfig": { "authenticationMode": "[parameters('storageAuthenticationMode')]", 
@@ -1258,6 +1270,13 @@ "description": "The location the resource was deployed into." }, "value": "[reference('batchAccount', '2022-06-01', 'full').location]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('batchAccount', '2022-06-01', 'full').identity, 'principalId')), reference('batchAccount', '2022-06-01', 'full').identity.principalId, '')]" } } } \ No newline at end of file diff --git a/modules/cache/redis/.test/common/dependencies.bicep b/modules/cache/redis/.test/common/dependencies.bicep index bbf0956900..8218e0c1ad 100644 --- a/modules/cache/redis/.test/common/dependencies.bicep +++ b/modules/cache/redis/.test/common/dependencies.bicep @@ -1,6 +1,9 @@ @description('Optional. The location to deploy resources to.') param location string = resourceGroup().location +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + @description('Required. The name of the Virtual Network to create.') param virtualNetworkName string @@ -42,6 +45,14 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { } } +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/.test/common/main.test.bicep index ccc1f3f939..eba4aadbe5 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/.test/common/main.test.bicep 
@@ -38,6 +38,7 @@ module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' } } @@ -106,7 +107,12 @@ module testDeployment '../../main.bicep' = { redisVersion: '6' shardCount: 1 skuName: 'Premium' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'Redis Cache' diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 16249d853e..580ce90db2 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -70,6 +70,12 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } minimumTlsVersion: '1.2' privateEndpoints: [ { @@ -88,7 +94,6 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { redisVersion: '6' shardCount: 1 skuName: 'Premium' - systemAssignedIdentity: true tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'Redis Cache' @@ -150,6 +155,14 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "minimumTlsVersion": { "value": "1.2" }, @@ -180,9 +193,6 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "skuName": { "value": "Premium" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", 
@@ -272,6 +282,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {
 | [`enableNonSslPort`](#parameter-enablenonsslport) | bool | Specifies whether the non-ssl Redis server port (6379) is enabled. |
 | [`location`](#parameter-location) | string | The location to deploy the Redis cache service. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
@@ -284,10 +295,8 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | [`skuName`](#parameter-skuname) | string | The type of Redis cache to deploy. | | [`staticIP`](#parameter-staticip) | string | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | | [`subnetId`](#parameter-subnetid) | string | The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`tenantSettings`](#parameter-tenantsettings) | object | A dictionary of tenant settings. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, replicas will be provisioned in availability zones specified in the zones parameter. | | [`zones`](#parameter-zones) | array | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. | 
@@ -462,6 +471,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `minimumTlsVersion` Requires clients to use a specified TLS version (or higher) to connect. @@ -778,13 +813,6 @@ The full resource ID of a subnet in a virtual network to deploy the Redis cache - Type: string - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -799,13 +827,6 @@ A dictionary of tenant settings. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `zoneRedundant` When true, replicas will be provisioned in availability zones specified in the zones parameter. 
@@ -832,6 +853,7 @@ If the zoneRedundant parameter is true, replicas will be provisioned in the avai | `resourceId` | string | The resource ID of the Redis Cache. | | `sslPort` | int | Redis SSL port. | | `subnetId` | string | The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index 6794af2ed2..f35bce1160 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep @@ -17,11 +17,8 @@ param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Specifies whether the non-ssl Redis server port (6379) is enabled.') param enableNonSslPort bool = false 
@@ -110,12 +107,12 @@ param enableDefaultTelemetry bool = true var availabilityZones = skuName == 'Premium' ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : [] : [] -var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : null var enableReferencedModulesTelemetry = false @@ -257,6 +254,9 @@ output sslPort int = redis.properties.sslPort @description('The full resource ID of a subnet in a virtual network where the Redis Cache was deployed in.') output subnetId string = !empty(subnetId) ? redis.properties.subnetId : '' +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(redis.identity, 'principalId') ? redis.identity.principalId : '' + @description('The location the resource was deployed into.') output location string = redis.location 
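Review bot: The new `systemAssignedMIPrincipalId` output reads `redis.identity` while `identity` is now `null` (rather than the previous `{ type: 'None', ... }`) whenever `managedIdentities` is omitted, so the resource response may carry no `identity` block at all; whether the `contains(redis.identity, 'principalId')` call is then skipped depends on `&&` short-circuiting once compiled to ARM `and()`, which I would not rely on without a deployment that omits `managedIdentities` (the test deployment changed in this commit sets both identity kinds, so that path is not exercised here). The Batch Account module in this commit has the same output expression and the same concern. Separately, the single-line `type` ternary repeats `!empty(managedIdentities.?userAssignedResourcesIds ?? {})` twice; hoisting it into `var hasUserAssigned = !empty(managedIdentities.?userAssignedResourcesIds ?? [])` and writing `type: (managedIdentities.?systemAssigned ?? false) ? (hasUserAssigned ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (hasUserAssigned ? 'UserAssigned' : null)` is easier to read and fixes the `?? {}` versus `?? []` inconsistency with the line above.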
@@ -264,6 +264,14 @@ output location string = redis.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 5a9378fd0b..9a1a25ab90 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8286975131893372423" + "templateHash": "10917457453871237653" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -393,18 +416,10 @@ "description": "Optional. Tags of the resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "enableNonSslPort": { 
@@ -565,11 +580,8 @@ }, "variables": { "availabilityZones": "[if(equals(parameters('skuName'), 'Premium'), if(parameters('zoneRedundant'), if(not(empty(parameters('zones'))), parameters('zones'), pickZones('Microsoft.Cache', 'redis', parameters('location'), 3)), createArray()), createArray())]", - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -1276,6 +1288,13 @@ }, "value": "[if(not(empty(parameters('subnetId'))), reference('redis').subnetId, '')]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('redis', '2022-06-01', 'full').identity, 'principalId')), reference('redis', '2022-06-01', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/.test/common/main.test.bicep index 9d515bae9e..a4c6701e77 100644 --- a/modules/cognitive-services/account/.test/common/main.test.bicep +++ b/modules/cognitive-services/account/.test/common/main.test.bicep @@ -109,9 +109,11 @@ module testDeployment '../../main.bicep' = { } ] sku: 'S0' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } privateEndpoints: [ { diff --git a/modules/cognitive-services/account/.test/encr/main.test.bicep b/modules/cognitive-services/account/.test/encr/main.test.bicep index ad4bdf6ad6..442d5c02fb 100644 --- a/modules/cognitive-services/account/.test/encr/main.test.bicep +++ b/modules/cognitive-services/account/.test/encr/main.test.bicep @@ -61,8 +61,10 @@ module testDeployment '../../main.bicep' = { cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId publicNetworkAccess: 'Enabled' sku: 'S0' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } restrictOutboundNetworkAccess: false } 
diff --git a/modules/cognitive-services/account/.test/speech/main.test.bicep b/modules/cognitive-services/account/.test/speech/main.test.bicep index c341a3d3cb..d131eefbec 100644 --- a/modules/cognitive-services/account/.test/speech/main.test.bicep +++ b/modules/cognitive-services/account/.test/speech/main.test.bicep @@ -66,9 +66,11 @@ module testDeployment '../../main.bicep' = { } ] sku: 'S0' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index a55ed7a0ae..e68d966293 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -74,6 +74,12 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } networkAcls: { defaultAction: 'Deny' ipRules: [ @@ -109,15 +115,11 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { } ] sku: 'S0' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -170,6 +172,14 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "networkAcls": { "value": { "defaultAction": "Deny", 
@@ -213,20 +223,12 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "sku": { "value": "S0" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -253,12 +255,14 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } publicNetworkAccess: 'Enabled' restrictOutboundNetworkAccess: false sku: 'S0' - userAssignedIdentities: { - '': {} - } } } ``` @@ -295,6 +299,13 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "publicNetworkAccess": { "value": "Enabled" }, @@ -303,11 +314,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { }, "sku": { "value": "S0" - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -384,6 +390,12 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { // Non-required parameters customSubDomainName: 'speechdomain' enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -399,15 +411,11 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { } ] sku: 'S0' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -438,6 +446,14 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -457,20 +473,12 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "sku": { "value": "S0" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -496,7 +504,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { | [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | | [`customSubDomainName`](#parameter-customsubdomainname) | string | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | **Optional parameters** 
@@ -512,6 +519,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`migrationToken`](#parameter-migrationtoken) | string | Resource migration token. | | [`networkAcls`](#parameter-networkacls) | object | A collection of rules governing the accessibility from specific network locations. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | 
@@ -520,7 +528,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { | [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | bool | Restrict outbound network access. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sku`](#parameter-sku) | string | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`userOwnedStorage`](#parameter-userownedstorage) | array | The storage accounts for this resource. | 
@@ -750,6 +757,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. + +- Required: No +- Type: array + ### Parameter: `migrationToken` Resource migration token. @@ -1036,13 +1069,6 @@ SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' - Default: `'S0'` - Allowed: `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1050,13 +1076,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `userOwnedStorage` The storage accounts for this resource. 
@@ -1074,7 +1093,7 @@ The storage accounts for this resource. | `name` | string | The name of the cognitive services account. | | `resourceGroupName` | string | The resource group the cognitive services account was deployed into. | | `resourceId` | string | The resource ID of the cognitive services account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index bf97759606..395cd07b2e 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep @@ -77,11 +77,8 @@ param networkAcls object = {} @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType 
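Review bot: The new `param managedIdentities` description drops the conditional that the replaced `userAssignedIdentities` parameter carried ("Required if a user assigned identity is used for encryption"), so a reader of main.bicep no longer sees that a customer-managed-key deployment needs a user-assigned identity listed here; the sub-property description only reappears in the type definition further down, outside this hunk. Given that `cMKUserAssignedIdentityResourceId` is a separate parameter, the identity it names presumably has to be included in `userAssignedResourcesIds` as well, and that coupling is worth stating where the parameter is declared: `@description('Optional. The managed identity definition for this resource. When a customer-managed key is configured, the identity referenced by cMKUserAssignedIdentityResourceId must be included in userAssignedResourcesIds.')`.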
@@ -133,11 +130,11 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -321,7 +318,7 @@ output resourceGroupName string = resourceGroup().name output endpoint string = cognitiveServices.properties.endpoint @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(cognitiveServices.identity, 'principalId') ? cognitiveServices.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(cognitiveServices.identity, 'principalId') ? cognitiveServices.identity.principalId : '' @description('The location the resource was deployed into.') output location string = cognitiveServices.location 
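Review bot: The rewritten `var identity` can emit an identity block with `type: null`: the final branch of the new ternary returns `null` when `managedIdentities` is a non-empty object that enables nothing (for example `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }`), yet `!empty(managedIdentities)` still passes, so the resource gets `{ type: null, userAssignedIdentities: null }` where the replaced `identityType != 'None'` guard omitted the block entirely. Whether the resource provider rejects that or silently ignores it is not visible here, so the old behaviour should be kept by gating on the computed type rather than on the parameter, e.g. `var identityType = (managedIdentities.?systemAssigned ?? false) ? (...) : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)` followed by `var identity = identityType != null ? { type: identityType, userAssignedIdentities: ... } : null`. As a point of style, the `empty()` checks fall back to `?? {}` for the array-typed `userAssignedResourcesIds` while `formattedUserAssignedIdentities` one line above uses `?? []`; using `[]` in both keeps the intent obvious.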
@@ -330,6 +327,14 @@ output location string = cognitiveServices.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index 6a47d37088..8921181da9 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15463203925377999389" + "templateHash": "12216590154280005113" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -468,18 +491,10 @@ "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + "description": "Optional. The managed identity definition for this resource." } }, "lock": { 
@@ -595,8 +610,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Cognitive Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", "Cognitive Services Custom Vision Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", 
@@ -1344,12 +1359,12 @@ }, "value": "[reference('cognitiveServices').endpoint]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('cognitiveServices', '2022-12-01', 'full').identity, 'principalId')), reference('cognitiveServices', '2022-12-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('cognitiveServices', '2022-12-01', 'full').identity, 'principalId')), reference('cognitiveServices', '2022-12-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep index c2b4062ec7..be6f6c5b35 100644 --- a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep @@ -63,9 +63,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/.test/common/main.test.bicep index e061df91fc..f1dbf22a72 100644 --- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/.test/common/main.test.bicep 
@@ -70,9 +70,10 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index ab8dcafd9f..c089521965 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -47,6 +47,12 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = name: 'cdesap001' // Non-required parameters enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' @@ -54,15 +60,11 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -93,6 +95,14 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -102,20 +112,12 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -147,6 +149,11 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' @@ -154,15 +161,11 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -199,6 +202,13 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -208,20 +218,12 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = } ] }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -241,13 +243,6 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | Resource ID of the KeyVault containing the key or secret. | | [`name`](#parameter-name) | string | The name of the disk encryption set that is being created. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false". | - **Optional parameters** | Parameter | Type | Description | 
@@ -258,6 +253,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`keyVersion`](#parameter-keyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`location`](#parameter-location) | string | Resource location. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. | 
@@ -337,6 +333,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. At least one identity type is required. +- Required: Yes +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the disk encryption set that is being created. @@ -418,13 +440,6 @@ Set this flag to true to enable auto-updating of this disk encryption set to the - Type: bool - Default: `False` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty. -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `tags` Tags of the disk encryption resource. @@ -432,13 +447,6 @@ Tags of the disk encryption resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false". -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -448,9 +456,9 @@ The ID(s) to assign to the resource. Required if systemAssignedIdentity is set t | `keyVaultName` | string | The name of the key vault with the disk encryption key. | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the disk encryption set. | -| `principalId` | string | The principal ID of the disk encryption set. | | `resourceGroupName` | string | The resource group the disk encryption set was deployed into. | | `resourceId` | string | The resource ID of the disk encryption set. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index 217d90e175..d58f341dcb 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep 
@@ -33,11 +33,10 @@ param federatedClientId string = 'None' @description('Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version.') param rotationToLatestKeyVersionEnabled bool = false -@description('Conditional. Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty.') -param systemAssignedIdentity bool = true - -@description('Conditional. The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to "false".') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. At least one identity type is required.') +param managedIdentities managedIdentitiesType = { + systemAssigned: true +} @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType 
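Review bot: The description "At least one identity type is required" is not backed by anything in this hunk: `managedIdentitiesType` (defined outside this hunk) has both members optional and the parameter is not nullable, so `{}` or `{ systemAssigned: false }` type-checks and only fails, if at all, at deployment time. The old pair of parameters at least defaulted to a system-assigned identity in every combination; the new default does the same, so the risk is limited to callers who override it, which is worth saying explicitly: `@description('Optional. The managed identity definition for this resource. Either systemAssigned must be true or userAssignedResourcesIds must be non-empty; an empty definition is not rejected by the template and will presumably fail at the resource provider. Defaults to a system-assigned identity.')`. The generated README in this same commit lists the parameter as optional in the table but "Required: Yes" in its section, which suggests the readme generator reads the missing `?` on the type as "required" — worth reconciling with whatever wording is chosen here.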
@@ -48,12 +47,12 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : 'UserAssigned' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : null var builtInRoleNames = { 
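Review bot: The new `var identity` for the Disk Encryption Set can resolve to `type: null` or to `null` altogether, whereas the replaced expression always produced one of `SystemAssigned`, `SystemAssigned,UserAssigned` or `UserAssigned`: an input of `{ systemAssigned: false }` passes the `!empty(managedIdentities)` guard and hits the final `null` branch, and `{}` skips the object entirely. A DES with no identity has nothing to grant key vault access to (the `keyVaultPermissions` loop in the following hunk only covers user-assigned IDs), so the failure would surface late and with an unhelpful provider error; since the parameter is not nullable, the `!empty(managedIdentities)` outer check is also dead for the intended inputs. I would compute the type once and let the object follow it, e.g. `var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(userAssignedIds) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIds) ? 'UserAssigned' : null)` with `userAssignedIds = managedIdentities.?userAssignedResourcesIds ?? []`, and add a `.test` case for a user-assigned-only definition to pin the `UserAssigned` path, which only the `common` test currently exercises. The `?? {}` fallback for the array-typed `userAssignedResourcesIds` inside the `empty()` calls should also be `?? []`, matching the line above.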
@@ -91,12 +90,12 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { } // Note: This is only enabled for user-assigned identities as the service's system-assigned identity isn't available during its initial deployment -module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityId, index) in items(userAssignedIdentities): { +module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityResourceId, index) in (managedIdentities.?userAssignedResourcesIds ?? []): { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVPermissions-${index}' params: { keyName: keyName keyVaultResourceId: keyVaultResourceId - userAssignedIdentityResourceId: userAssignedIdentityId.key + userAssignedIdentityResourceId: userAssignedIdentityResourceId rbacAuthorizationEnabled: keyVault.properties.enableRbacAuthorization } scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4]) @@ -155,8 +154,8 @@ output name string = diskEncryptionSet.name @description('The resource group the disk encryption set was deployed into.') output resourceGroupName string = resourceGroup().name -@description('The principal ID of the disk encryption set.') -output principalId string = systemAssignedIdentity == true ? diskEncryptionSet.identity.principalId : '' +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(diskEncryptionSet.identity, 'principalId') ? diskEncryptionSet.identity.principalId : '' @description('The idenities of the disk encryption set.') output identities object = diskEncryptionSet.identity 
@@ -171,6 +170,14 @@ output location string = diskEncryptionSet.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +} + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json index 79860c078c..bc9dabcebb 100644 --- a/modules/compute/disk-encryption-set/main.json +++ b/modules/compute/disk-encryption-set/main.json @@ -6,13 +6,35 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "580365923172310918" + "templateHash": "18120106263067507123" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + } + }, "lockType": { "type": "object", "properties": { 
@@ -169,18 +191,13 @@ "description": "Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Conditional. Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "defaultValue": { + "systemAssigned": true + }, "metadata": { - "description": "Conditional. The ID(s) to assign to the resource. Required if systemAssignedIdentity is set to \"false\"." + "description": "Optional. The managed identity definition for this resource. At least one identity type is required." } }, "roleAssignments": { 
@@ -205,11 +222,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 'UserAssigned')]", - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", @@ -319,7 +333,7 @@ "keyVaultPermissions": { "copy": { "name": "keyVaultPermissions", - "count": "[length(items(parameters('userAssignedIdentities')))]" + "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -339,7 +353,7 @@ "value": "[parameters('keyVaultResourceId')]" }, "userAssignedIdentityResourceId": { - "value": "[items(parameters('userAssignedIdentities'))[copyIndex()].key]" + "value": "[coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[copyIndex()]]" }, "rbacAuthorizationEnabled": { "value": "[reference('keyVault').enableRbacAuthorization]" @@ -625,12 +639,12 @@ }, "value": "[resourceGroup().name]" }, - "principalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { - "description": "The principal ID of the disk encryption set." + "description": "The principal ID of the system assigned identity." }, - "value": "[if(equals(parameters('systemAssignedIdentity'), true()), reference('diskEncryptionSet', '2022-07-02', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('diskEncryptionSet', '2022-07-02', 'full').identity, 'principalId')), reference('diskEncryptionSet', '2022-07-02', 'full').identity.principalId, '')]" }, "identities": { "type": "object", diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep index f8563a9b69..76e6e02285 100644 --- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep @@ -191,11 +191,13 @@ module testDeployment '../../main.bicep' = { ] scaleSetFaultDomain: 1 skuCapacity: 1 - systemAssignedIdentity: true - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } + upgradePolicyMode: 'Manual' vmNamePrefix: 'vmsslinvm' vmPriority: 'Regular' tags: { 
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep index 22bc5ff9ab..705d245b20 100644 --- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep @@ -187,11 +187,13 @@ module testDeployment '../../main.bicep' = { } ] skuCapacity: 1 - systemAssignedIdentity: true - upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } + upgradePolicyMode: 'Manual' vmNamePrefix: 'vmsswinvm' vmPriority: 'Regular' tags: { diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 94c34dbe2f..6835718941 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -141,6 +141,12 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } nicConfigurations: [ { ipConfigurations: [ @@ -171,16 +177,12 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se ] scaleSetFaultDomain: 1 skuCapacity: 1 - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '': {} - } vmNamePrefix: 'vmsslinvm' vmPriority: 'Regular' } 
@@ -333,6 +335,14 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "nicConfigurations": { "value": [ { @@ -373,9 +383,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "skuCapacity": { "value": 1 }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -386,11 +393,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "upgradePolicyMode": { "value": "Manual" }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "vmNamePrefix": { "value": "vmsslinvm" }, @@ -833,6 +835,12 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } nicConfigurations: [ { ipConfigurations: [ @@ -857,16 +865,12 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } ] skuCapacity: 1 - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } upgradePolicyMode: 'Manual' - userAssignedIdentities: { - '': {} - } vmNamePrefix: 'vmsswinvm' vmPriority: 'Regular' } @@ -1016,6 +1020,14 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "nicConfigurations": { "value": [ { @@ -1048,9 +1060,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "skuCapacity": { "value": 1 }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -1061,11 +1070,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "upgradePolicyMode": { "value": "Manual" }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "vmNamePrefix": { "value": "vmsswinvm" }, @@ -1251,6 +1255,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`maxBatchInstancePercent`](#parameter-maxbatchinstancepercent) | int | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | | [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | [`maxUnhealthyInstancePercent`](#parameter-maxunhealthyinstancepercent) | int | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | 
@@ -1272,12 +1277,10 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. | | [`singlePlacementGroup`](#parameter-singleplacementgroup) | bool | When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. | | [`skuCapacity`](#parameter-skucapacity) | int | The initial instance count of scale set VMs. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | | [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | | [`upgradePolicyMode`](#parameter-upgradepolicymode) | string | Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. 
| | [`vmNamePrefix`](#parameter-vmnameprefix) | string | Specifies the computer name prefix for all of the virtual machines in the scale set. | | [`vmPriority`](#parameter-vmpriority) | string | Specifies the priority for the virtual machine. | | [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | @@ -1620,6 +1623,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `maxBatchInstancePercent` The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. @@ -1860,13 +1889,6 @@ The SKU size of the VMs. - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. 
@@ -1896,13 +1918,6 @@ Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - - Default: `'Manual'` - Allowed: `[Automatic, Manual, Rolling]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `vmNamePrefix` Specifies the computer name prefix for all of the virtual machines in the scale set. @@ -1948,7 +1963,7 @@ Whether to force strictly even Virtual Machine distribution cross x-zones in cas | `name` | string | The name of the virtual machine scale set. | | `resourceGroupName` | string | The resource group of the virtual machine scale set. | | `resourceId` | string | The resource ID of the virtual machine scale set. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index 816b04bac2..cecffd62dd 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep 
@@ -253,11 +253,8 @@ param baseTime string = utcNow('u') @description('Optional. SAS token validity length to use to download files from storage accounts. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.') param sasTokenValidityLength string = 'PT8H' -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType var publicKeysFormatted = [for publicKey in publicKeys: { path: publicKey.path @@ -290,11 +287,11 @@ var accountSasProperties = { signedProtocol: 'https' } -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false 
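Review bot: The new `identity` variable in the second hunk can emit `{ type: null, userAssignedIdentities: null }` instead of `null`: the guard is only `!empty(managedIdentities)`, so a caller passing e.g. `managedIdentities: { systemAssigned: false }` (or an empty `userAssignedResourcesIds` array) gets an identity block whose `type` resolves to `null`, where the old code mapped that case to `'None'` and dropped the block entirely; I would expect this to surface as a deployment-time validation error on the VMSS rather than a silent no-identity deployment, but that is inferred. The two `?? {}` fallbacks on `userAssignedResourcesIds` are also inconsistent with the `?? []` used one line earlier for the same array-typed property. Computing the type first and gating the object on it restores the old behaviour; the compiled `main.json` hunk further down (the `"identity"` variable) mirrors the same expression and would need to be regenerated.
```bicep
var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }

var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)

// Only emit an identity block when at least one identity type resolved; a null type is not a valid identity.
var identity = !empty(identityType) ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```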
@@ -651,7 +648,7 @@ output resourceGroupName string = resourceGroup().name output name string = vmss.name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vmss.identity, 'principalId') ? vmss.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(vmss.identity, 'principalId') ? vmss.identity.principalId : '' @description('The location the resource was deployed into.') output location string = vmss.location @@ -660,6 +657,14 @@ output location string = vmss.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index 40ef0e4559..e6a0a04847 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12670910144865793195" + "templateHash": "9859921411818274686" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -695,18 +718,10 @@ "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, 
@@ -742,8 +757,8 @@ "signedResourceTypes": "o", "signedProtocol": "https" }, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -2489,12 +2504,12 @@ }, "value": "[parameters('name')]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('vmss', '2022-11-01', 'full').identity, 'principalId')), reference('vmss', '2022-11-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('vmss', '2022-11-01', 'full').identity, 'principalId')), reference('vmss', '2022-11-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/.test/linux/main.test.bicep index 837c436af1..7832d8e74d 100644 --- a/modules/compute/virtual-machine/.test/linux/main.test.bicep +++ b/modules/compute/virtual-machine/.test/linux/main.test.bicep @@ -286,9 +286,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/.test/windows/main.test.bicep index 430274c324..4d171f578e 100644 --- a/modules/compute/virtual-machine/.test/windows/main.test.bicep +++ b/modules/compute/virtual-machine/.test/windows/main.test.bicep 
@@ -307,9 +307,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 1e11679aeb..4b20b053d4 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -252,6 +252,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } monitoringWorkspaceId: '' name: 'cvmlincom' patchMode: 'AutomaticByPlatform' @@ -268,15 +274,11 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -546,6 +548,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "monitoringWorkspaceId": { "value": "" }, @@ -572,20 +582,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -1148,6 +1150,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } monitoringWorkspaceId: '' name: 'cvmwincom' patchMode: 'AutomaticByPlatform' @@ -1159,15 +1167,11 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -1462,6 +1466,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "monitoringWorkspaceId": { "value": "" }, @@ -1483,20 +1495,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -1968,6 +1972,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`licenseType`](#parameter-licensetype) | string | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". | | [`maxPriceForLowPriorityVm`](#parameter-maxpriceforlowpriorityvm) | string | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | | [`name`](#parameter-name) | string | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | 
@@ -1982,11 +1987,9 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | | [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | | [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`timeZone`](#parameter-timezone) | string | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | | [`ultraSSDEnabled`](#parameter-ultrassdenabled) | bool | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`vTpmEnabled`](#parameter-vtpmenabled) | bool | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. 
SecurityType should be set to TrustedLaunch to enable UefiSettings. | | [`winRM`](#parameter-winrm) | object | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | @@ -2290,6 +2293,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `maxPriceForLowPriorityVm` Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. @@ -2471,13 +2500,6 @@ Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to - Type: string - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. 
@@ -2499,13 +2521,6 @@ The flag that enables or disables a capability to have one or more managed data - Type: bool - Default: `False` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `vmSize` Specifies the size for the VMs. @@ -2535,7 +2550,7 @@ Specifies the Windows Remote Management listeners. This enables remote Windows P | `name` | string | The name of the VM. | | `resourceGroupName` | string | The name of the resource group the VM was created in. | | `resourceId` | string | The resource ID of the VM. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index 891c2396a4..d90fbc7fff 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep 
@@ -81,11 +81,8 @@ param licenseType string = '' @description('Optional. The list of SSH public keys used to authenticate with linux based VMs.') param publicKeys array = [] -@description('Optional. Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True".') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True".') +param managedIdentities managedIdentitiesType @description('Optional. Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled.') param bootDiagnostics bool = false 
@@ -297,22 +294,12 @@ var accountSasProperties = { signedProtocol: 'https' } -/* Determine Identity Type. - First, we determine if the System-Assigned Managed Identity should be enabled. - If AADJoin Extension is enabled then we automatically add SystemAssigned to the identityType because AADJoin requires the System-Assigned Managed Identity. - If the AADJoin Extension is not enabled then we add SystemAssigned to the identityType only if the value of the systemAssignedIdentity parameter is true. - Second, we determine if User Assigned Identities are assigned to the VM via the userAssignedIdentities parameter. - Third, we take the outcome of these two values and determine the identityType - If the System Identity and User Identities are assigned then the identityType is 'SystemAssigned,UserAssigned' - If only the system Identity is assigned then the identityType is 'SystemAssigned' - If only user managed Identities are assigned, then the identityType is 'UserAssigned' - Finally, if no identities are assigned, then the identityType is 'none'. -*/ -var identityType = (extensionAadJoinConfig.enabled ? true : systemAssignedIdentity) ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') - -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } + +// If AADJoin Extension is enabled then we automatically enable SystemAssigned (required by AADJoin), otherwise we follow the usual logic. +var identity = !empty(managedIdentities) ? { + type: (extensionAadJoinConfig.enabled ? true : (managedIdentities.?systemAssigned ?? false)) ? 
(!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -697,7 +684,7 @@ output resourceId string = vm.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vm.identity, 'principalId') ? vm.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(vm.identity, 'principalId') ? vm.identity.principalId : '' @description('The location the resource was deployed into.') output location string = vm.location @@ -706,6 +693,14 @@ output location string = vm.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index 679af9ef5d..cb4a01ea7c 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json 
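Review bot: The AAD-join auto-enable is lost when a caller passes no `managedIdentities`: the outer `!empty(managedIdentities) ? { ... } : null` guard is evaluated before the `extensionAadJoinConfig.enabled ? true : ...` test, so `identity` becomes `null` for a VM that enables the AAD join extension without also setting `managedIdentities`, whereas the removed `identityType` expression forced `SystemAssigned` in that case regardless of the identity parameters. The removed comment states that AADJoin requires the system-assigned identity and the new parameter description still promises it is enabled automatically, so this is a regression against the documented contract, not a style choice. A minimal fix is to fold the extension flag into the guard, `var identity = (!empty(managedIdentities) || extensionAadJoinConfig.enabled) ? {` — the inner ternary already yields `'SystemAssigned'` once it is reached. Separately, both `!empty(managedIdentities.?userAssignedResourcesIds ?? {})` checks fall back to an object for a property typed `string[]?`; `?? []` matches the `formattedUserAssignedIdentities` line and does not rely on `empty({})` happening to be true.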
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5085746131014779064" + "templateHash": "10963953838389818589" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -372,18 +395,10 @@ "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = \"True\"." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = \"True\"." } }, "bootDiagnostics": { 
@@ -742,8 +757,8 @@ "signedResourceTypes": "o", "signedProtocol": "https" }, - "identityType": "[if(if(parameters('extensionAadJoinConfig').enabled, true(), parameters('systemAssignedIdentity')), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -4315,12 +4330,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('vm', '2022-11-01', 'full').identity, 'principalId')), reference('vm', '2022-11-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('vm', '2022-11-01', 'full').identity, 'principalId')), reference('vm', '2022-11-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/container-instance/container-group/.test/common/main.test.bicep b/modules/container-instance/container-group/.test/common/main.test.bicep index 2dc87dd5b1..6ba2e16a9d 100644 --- a/modules/container-instance/container-group/.test/common/main.test.bicep +++ b/modules/container-instance/container-group/.test/common/main.test.bicep @@ -112,9 +112,11 @@ module testDeployment '../../main.bicep' = { port: 443 } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/container-instance/container-group/.test/encr/main.test.bicep b/modules/container-instance/container-group/.test/encr/main.test.bicep index be4c18e369..ade6cdb091 100644 --- a/modules/container-instance/container-group/.test/encr/main.test.bicep +++ b/modules/container-instance/container-group/.test/encr/main.test.bicep 
@@ -114,9 +114,11 @@ module testDeployment '../../main.bicep' = { port: 443 } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId diff --git a/modules/container-instance/container-group/.test/private/main.test.bicep b/modules/container-instance/container-group/.test/private/main.test.bicep index 541422f6e5..8ca06b9dae 100644 --- a/modules/container-instance/container-group/.test/private/main.test.bicep +++ b/modules/container-instance/container-group/.test/private/main.test.bicep @@ -128,9 +128,11 @@ module testDeployment '../../main.bicep' = { name: 'my-name' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index b59196c147..21ae59f1f7 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -108,15 +108,17 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -207,8 +209,13 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "name": "myCustomLockName" } }, - "systemAssignedIdentity": { - "value": true + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } }, "tags": { "value": { @@ -216,11 +223,6 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -306,15 +308,17 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -414,8 +418,13 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "name": "myCustomLockName" } }, - "systemAssignedIdentity": { - "value": true + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } }, "tags": { "value": { @@ -423,11 +432,6 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -625,16 +629,18 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } subnetId: '' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } volumes: [ { emptyDir: {} @@ -744,12 +750,17 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "subnetId": { "value": "" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -757,11 +768,6 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "volumes": { "value": [ { 
@@ -811,13 +817,12 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 | [`ipAddressType`](#parameter-ipaddresstype) | string | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`osType`](#parameter-ostype) | string | The operating system type required by the containers in the container group. - Windows or Linux. | | [`restartPolicy`](#parameter-restartpolicy) | string | Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. | | [`sku`](#parameter-sku) | string | The container group SKU. | | [`subnetId`](#parameter-subnetid) | string | Resource ID of the subnet. Only specify when ipAddressType is Private. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`volumes`](#parameter-volumes) | array | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | ### Parameter: `autoGeneratedDomainNameLabelScope` 
@@ -953,6 +958,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name for the container group. @@ -989,13 +1020,6 @@ Resource ID of the subnet. Only specify when ipAddressType is Private. - Type: string - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1003,13 +1027,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `volumes` Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. 
@@ -1027,7 +1044,7 @@ Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to yo | `name` | string | The name of the container group. | | `resourceGroupName` | string | The resource group the container group was deployed into. | | `resourceId` | string | The resource ID of the container group. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep index c6ae9e6363..ca4a2b89f7 100644 --- a/modules/container-instance/container-group/main.bicep +++ b/modules/container-instance/container-group/main.bicep @@ -66,11 +66,8 @@ param volumes array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -97,11 +94,11 @@ param cMKKeyVersion string = '' @description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') param cMKUserAssignedIdentityResourceId string = '' -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
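Review bot: With a non-null but identity-less value such as `managedIdentities: { systemAssigned: false }` the new `identity` var emits `{ type: null, userAssignedIdentities: null }`, because the outer guard only tests `!empty(managedIdentities)` and the inner ternary falls through to `null`; the removed `identityType != 'None'` check never produced an identity object in that case. Whether the Container Instance RP accepts `identity.type: null` is not visible here, so this should be verified or, more simply, guarded on the effective result, e.g. `var identity = ((managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? [])) ? {`. Also, `?? {}` in the two `!empty(...)` checks falls back to an object for a property typed `string[]?`; `?? []` keeps the type consistent with the `formattedUserAssignedIdentities` line above. The `reduce`/`union` conversion is fine, though duplicate resource IDs in the array silently collapse into one key, which is probably worth a short comment so nobody mistakes it for a bug later.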
@@ -185,7 +182,7 @@ output resourceGroupName string = resourceGroup().name output iPv4Address string = containergroup.properties.ipAddress.ip @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(containergroup.identity, 'principalId') ? containergroup.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containergroup.identity, 'principalId') ? containergroup.identity.principalId : '' @description('The location the resource was deployed into.') output location string = containergroup.location @@ -194,6 +191,14 @@ output location string = containergroup.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json index 6d60f75d9f..5cbac36a8f 100644 --- a/modules/container-instance/container-group/main.json +++ b/modules/container-instance/container-group/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "745176097189380240" + "templateHash": "15669079272755728924" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -165,18 +188,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -234,8 +249,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "cMKKeyVault::cMKKey": { 
@@ -329,12 +344,12 @@ }, "value": "[reference('containergroup').ipAddress.ip]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('containergroup', '2022-09-01', 'full').identity, 'principalId')), reference('containergroup', '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('containergroup', '2022-09-01', 'full').identity, 'principalId')), reference('containergroup', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/.test/common/main.test.bicep index 0abe517c6b..ff37a24ff3 100644 --- a/modules/container-registry/registry/.test/common/main.test.bicep +++ b/modules/container-registry/registry/.test/common/main.test.bicep @@ -128,11 +128,13 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - trustPolicyStatus: 'enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } + trustPolicyStatus: 'enabled' cacheRules: [ { name: 'customRule' diff --git a/modules/container-registry/registry/.test/encr/main.test.bicep b/modules/container-registry/registry/.test/encr/main.test.bicep index 3648f55a8f..6865689145 100644 --- a/modules/container-registry/registry/.test/encr/main.test.bicep +++ b/modules/container-registry/registry/.test/encr/main.test.bicep 
@@ -60,8 +60,10 @@ module testDeployment '../../main.bicep' = { cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId publicNetworkAccess: 'Disabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index ebf29d6d00..562b218164 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -86,6 +86,12 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } networkRuleSetIpRules: [ { action: 'Allow' @@ -122,16 +128,12 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { ] softDeletePolicyDays: 7 softDeletePolicyStatus: 'disabled' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } trustPolicyStatus: 'enabled' - userAssignedIdentities: { - '': {} - } webhooks: [ { name: 'acrx001webhook' @@ -208,6 +210,14 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "networkRuleSetIpRules": { "value": [ { @@ -258,9 +268,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "softDeletePolicyStatus": { "value": "disabled" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -271,11 +278,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "trustPolicyStatus": { "value": "enabled" }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "webhooks": { "value": [ { @@ -309,15 +311,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } publicNetworkAccess: 'Disabled' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -354,6 +358,13 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "publicNetworkAccess": { "value": "Disabled" }, @@ -363,11 +374,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -546,6 +552,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`exportPolicyStatus`](#parameter-exportpolicystatus) | string | The value that indicates whether the export policy is enabled or not. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`networkRuleBypassOptions`](#parameter-networkrulebypassoptions) | string | Whether to allow trusted Azure services to access a network restricted registry. | | [`networkRuleSetDefaultAction`](#parameter-networkrulesetdefaultaction) | string | The default action of allow or deny when no other rules match. | | [`networkRuleSetIpRules`](#parameter-networkrulesetiprules) | array | The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. | 
@@ -558,10 +565,8 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. | | [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`trustPolicyStatus`](#parameter-trustpolicystatus) | string | The value that indicates whether the trust policy is enabled or not. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`webhooks`](#parameter-webhooks) | array | All webhooks to create. | | [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. | 
@@ -801,6 +806,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of your Azure container registry. @@ -1119,13 +1150,6 @@ Soft Delete policy status. Default is disabled. - Default: `'disabled'` - Allowed: `[disabled, enabled]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1141,13 +1165,6 @@ The value that indicates whether the trust policy is enabled or not. - Default: `'disabled'` - Allowed: `[disabled, enabled]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `webhooks` All webhooks to create. 
@@ -1173,7 +1190,7 @@ Whether or not zone redundancy is enabled for this container registry. | `name` | string | The Name of the Azure container registry. | | `resourceGroupName` | string | The name of the Azure container registry. | | `resourceId` | string | The resource ID of the Azure container registry. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index 0208bf2c91..d936cb3207 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep @@ -119,11 +119,8 @@ param webhooks array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -152,11 +149,11 @@ param cMKUserAssignedIdentityResourceId string = ''
 @description('Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).')
 param cacheRules array = []
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -386,7 +383,7 @@ output resourceGroupName string = resourceGroup().name
 output resourceId string = registry.id
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(registry.identity, 'principalId') ? registry.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(registry.identity, 'principalId') ? registry.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = registry.location
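Review bot: `identity` can now be emitted with `type: null` — `!empty(managedIdentities)` is true for an object such as `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }`, and both branches of the nested ternary then resolve to `null`, whereas the removed `identityType != 'None'` guard dropped the identity block entirely in that case. I would expect the resource provider to reject or ignore an identity whose `type` is missing, so this is a silent change from the previous behaviour and deserves a test case; guarding on the resolved inputs instead of on the object restores the old semantics: `var identity = ((managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? [])) ? {`. The fallbacks also mix types, `?? []` feeding `map` but `?? {}` inside the two `empty()` checks on the same `string[]?` property; `?? []` throughout would match the declared type.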
@@ -395,6 +392,14 @@ output location string = registry.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index e1044592bd..1a70288241 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18353793336919307909" + "templateHash": "5299367951340146796" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -566,18 +589,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -644,8 +659,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "AcrDelete": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", 
@@ -1900,12 +1915,12 @@ }, "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('registry', '2023-06-01-preview', 'full').identity, 'principalId')), reference('registry', '2023-06-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('registry', '2023-06-01-preview', 'full').identity, 'principalId')), reference('registry', '2023-06-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/.test/azure/main.test.bicep index 21a896e527..f1d65fbe4b 100644 --- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/azure/main.test.bicep @@ -174,8 +174,10 @@ module testDeployment '../../main.bicep' = { enableStorageProfileDiskCSIDriver: true enableStorageProfileFileCSIDriver: true enableStorageProfileSnapshotController: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } identityProfile: { kubeletidentity: { diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep index 9b7e0795fc..e0881cd6d5 100644 --- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep 
@@ -156,8 +156,10 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/container-service/managed-cluster/.test/min/main.test.bicep b/modules/container-service/managed-cluster/.test/min/main.test.bicep index ec5bf9306f..dc349e269b 100644 --- a/modules/container-service/managed-cluster/.test/min/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/min/main.test.bicep @@ -40,7 +40,9 @@ module testDeployment '../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } primaryAgentPoolProfile: [ { name: 'systempool' diff --git a/modules/container-service/managed-cluster/.test/priv/main.test.bicep b/modules/container-service/managed-cluster/.test/priv/main.test.bicep index df5967f188..90f3de3f7d 100644 --- a/modules/container-service/managed-cluster/.test/priv/main.test.bicep +++ b/modules/container-service/managed-cluster/.test/priv/main.test.bicep @@ -157,8 +157,10 @@ module testDeployment '../../main.bicep' = { } ] privateDNSZone: nestedDependencies.outputs.privateDnsZoneResourceId - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index b545850d90..0f65581013 100644 --- a/modules/container-service/managed-cluster/README.md 
+++ b/modules/container-service/managed-cluster/README.md @@ -214,6 +214,11 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } monitoringWorkspaceId: '' networkDataplane: 'azure' networkPlugin: 'azure' @@ -232,9 +237,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -457,6 +459,13 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "monitoringWorkspaceId": { "value": "" }, @@ -490,11 +499,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -601,6 +605,11 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' } ] enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } networkPlugin: 'kubenet' roleAssignments: [ { @@ -614,9 +623,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -731,6 +737,13 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "networkPlugin": { "value": "kubenet" }, 
@@ -749,11 +762,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -787,7 +795,9 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' ] // Non-required parameters enableDefaultTelemetry: '' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } } } ``` @@ -822,8 +832,10 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "enableDefaultTelemetry": { "value": "" }, - "systemAssignedIdentity": { - "value": true + "managedIdentities": { + "value": { + "systemAssigned": true + } } } } @@ -934,6 +946,11 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' dnsServiceIP: '10.10.200.10' enableDefaultTelemetry: '' enablePrivateCluster: true + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } networkPlugin: 'azure' privateDNSZone: '' serviceCidr: '10.10.200.0/24' @@ -943,9 +960,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -1068,6 +1082,13 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "enablePrivateCluster": { "value": true }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "networkPlugin": { "value": "azure" }, @@ -1086,11 +1107,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -1184,6 +1200,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`loadBalancerSku`](#parameter-loadbalancersku) | string | Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. | | [`location`](#parameter-location) | string | Specifies the location of AKS cluster. It picks up Resource Group's location by default. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | | [`managedOutboundIPCount`](#parameter-managedoutboundipcount) | int | Outbound IP Count for the Load balancer. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. | | [`networkDataplane`](#parameter-networkdataplane) | string | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. | 
@@ -1205,9 +1222,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. - Free or Standard. | | [`sshPublicKey`](#parameter-sshpublickey) | string | Specifies the SSH RSA public key string for the Linux nodes. | | [`supportPlan`](#parameter-supportplan) | string | The support plan for the Managed Cluster. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`webApplicationRoutingEnabled`](#parameter-webapplicationroutingenabled) | bool | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | ### Parameter: `aadProfileAdminGroupObjectIDs` 
@@ -1807,6 +1822,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `managedOutboundIPCount` Outbound IP Count for the Load balancer. @@ -2034,13 +2075,6 @@ The support plan for the Managed Cluster. - Default: `'KubernetesOfficial'` - Allowed: `[AKSLongTermSupport, KubernetesOfficial]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -2048,13 +2082,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `webApplicationRoutingEnabled` Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. 
@@ -2078,7 +2105,7 @@ Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | `omsagentIdentityObjectId` | string | The Object ID of the OMS agent identity. | | `resourceGroupName` | string | The resource group the managed cluster was deployed into. | | `resourceId` | string | The resource ID of the managed cluster. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 06b427922c..b9f7f16414 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -11,11 +11,8 @@ param location string = resourceGroup().location @description('Optional. Specifies the DNS prefix specified when creating the managed cluster.') param dnsPrefix string = name -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') +param managedIdentities managedIdentitiesType @description('Optional. Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin.') @allowed([ 
@@ -351,12 +348,12 @@ param httpProxyConfig object = {}
 @description('Optional. Identities associated with the cluster.')
 param identityProfile object = {}
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
-}
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+} : null
 
 var linuxProfile = {
   adminUsername: adminUsername
@@ -706,7 +703,7 @@ output name string = managedCluster.name
 output controlPlaneFQDN string = enablePrivateCluster ? managedCluster.properties.privateFQDN : managedCluster.properties.fqdn
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(managedCluster.identity, 'principalId') ? managedCluster.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(managedCluster.identity, 'principalId') ? managedCluster.identity.principalId : ''
 
 @description('The Object ID of the AKS identity.')
 output kubeletidentityObjectId string = contains(managedCluster.properties, 'identityProfile') ? contains(managedCluster.properties.identityProfile, 'kubeletidentity') ? managedCluster.properties.identityProfile.kubeletidentity.objectId : '' : ''
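Review bot: The parameter description says system-assigned and user-assigned identities are mutually exclusive here, but the new `identity` expression does not enforce it: when both are supplied, `type` resolves to `'SystemAssigned'` while `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so a contradictory block is sent and the user-assigned IDs are silently dropped from `type` (the removed code had the same gap, but the typed object is the right place to close it). Separately, an object with neither member effectively set, e.g. `{ systemAssigned: false }`, passes `!empty(managedIdentities)` and yields `type: null`, which the previous unconditional `type: 'None'` never produced. A guard on the resolved inputs covers the second case: `var identity = ((managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? [])) ? {`; for the first, either null out `userAssignedIdentities` when `systemAssigned` wins or, if the Bicep version in use supports it, model the two shapes as a discriminated union so both cannot be given at once. The `?? {}` fallback on the `string[]?` property should also be `?? []` to match the `map` call one line above.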
@@ -733,6 +730,14 @@ output addonProfiles object = contains(managedCluster.properties, 'addonProfiles // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 16afb7ba6d..b35df3cf30 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10746697295674152111" + "templateHash": "10186677383934049186" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
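Review bot: The property descriptions on `managedIdentitiesType` do not carry the mutual-exclusion caveat that the `managedIdentities` parameter description states, and the README sections for `managedIdentities.systemAssigned` and `managedIdentities.userAssignedResourcesIds` appear to be generated from these decorators, so the constraint is lost exactly where a reader of the sub-properties looks. I would extend both decorators: `@description('Optional. Enables system assigned managed identity on the resource. Cannot be combined with userAssignedResourcesIds on this resource.')` and `@description('Optional. The resource ID(s) to assign to the resource. Cannot be combined with systemAssigned on this resource.')`.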
@@ -232,18 +255,10 @@ "description": "Optional. Specifies the DNS prefix specified when creating the managed cluster." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." } }, "networkDataplane": { @@ -926,11 +941,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "linuxProfile": { "adminUsername": "[parameters('adminUsername')]", "ssh": { 
@@ -2093,12 +2105,12 @@ }, "value": "[if(parameters('enablePrivateCluster'), reference('managedCluster').privateFQDN, reference('managedCluster').fqdn)]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" }, "kubeletidentityObjectId": { "type": "string", diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 16dc9777fd..84cd092e7e 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep @@ -144,9 +144,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index f8be417ef4..cae941fa39 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md 
@@ -97,6 +97,12 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } managedPrivateEndpoints: [ { fqdns: [ @@ -127,15 +133,11 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -220,6 +222,14 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedPrivateEndpoints": { "value": [ { @@ -258,20 +268,12 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -365,14 +367,13 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`integrationRuntimes`](#parameter-integrationruntimes) | array | An array of objects for the configuration of an Integration Runtime. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | | [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `cMKKeyName` @@ -635,6 +636,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `managedPrivateEndpoints` An array of managed private endpoints objects created in the Data Factory managed virtual network. @@ -899,13 +926,6 @@ Required. The name of the role to assign. If it cannot be found you can specify - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -913,13 +933,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -929,7 +942,7 @@ The ID(s) to assign to the resource. | `name` | string | The Name of the Azure Data Factory instance. | | `resourceGroupName` | string | The name of the Resource Group with the Data factory. | | `resourceId` | string | The Resource ID of the Data factory. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index 5051acac34..b8cce9bea8 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep @@ -61,11 +61,8 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType 
@@ -91,11 +88,11 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -264,7 +261,7 @@ output resourceId string = dataFactory.id
 output resourceGroupName string = resourceGroup().name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(dataFactory.identity, 'principalId') ? dataFactory.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(dataFactory.identity, 'principalId') ? dataFactory.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = dataFactory.location
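Review bot: `var identity` in the `@@ -91,11 +88,11 @@` hunk of data-factory/factory/main.bicep now emits an identity object whenever `managedIdentities` is a non-empty object, so a caller passing `managedIdentities: { systemAssigned: false }` or an empty `userAssignedResourcesIds` array sends `{ type: null, userAssignedIdentities: null }` to the resource instead of the `null` the removed `identityType != 'None'` guard produced; whether the resource provider tolerates `type: null` is not visible here, but it is a behaviour change from the old contract. The two `?? {}` fallbacks on `userAssignedResourcesIds` also default a `string[]?` property to an object while the `formattedUserAssignedIdentities` line above uses `?? []`; the emptiness test works either way, but the mismatch reads as a slip. Computing the type into its own variable and guarding `identity` on it restores the previous "no identity block unless one is configured" semantics. The same shape appears in the backup-vault and databricks/access-connector main.bicep hunks further down (the backup-vault variant only has the `systemAssigned` branch). Separately, renaming the output to `systemAssignedMIPrincipalId` and dropping the `systemAssignedIdentity`/`userAssignedIdentities` parameters is breaking for existing consumers of these modules, which is worth calling out for anyone reviewing the version bump.
```bicep
// … unchanged: formattedUserAssignedIdentities …
var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```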
@@ -273,6 +270,14 @@ output location string = dataFactory.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index b4d1ee215d..11658501f0 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12744321553281451212" + "templateHash": "4712647299782394769" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -489,18 +512,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "privateEndpoints": { 
@@ -559,8 +574,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -1655,12 +1670,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dataFactory', '2018-06-01', 'full').identity, 'principalId')), reference('dataFactory', '2018-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dataFactory', '2018-06-01', 'full').identity, 'principalId')), reference('dataFactory', '2018-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/.test/common/main.test.bicep index 286a2b51c5..5a9de2cea8 100644 --- a/modules/data-protection/backup-vault/.test/common/main.test.bicep +++ b/modules/data-protection/backup-vault/.test/common/main.test.bicep @@ -60,7 +60,9 @@ module testDeployment '../../main.bicep' = { } ] azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } backupPolicies: [ { name: 'DefaultPolicy' diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 22e624a5c0..94825fc794 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -115,6 +115,9 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { principalId: '' 
@@ -122,7 +125,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -225,6 +227,11 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "roleAssignments": { "value": [ { @@ -234,9 +241,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -319,9 +323,9 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { | [`featureSettings`](#parameter-featuresettings) | object | Feature settings for the backup vault. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | | [`type`](#parameter-type) | string | The vault redundancy level to use. | @@ -396,6 +400,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + ### Parameter: `name` Name of the Backup Vault. 
@@ -477,13 +499,6 @@ Security settings for the backup vault. - Type: object - Default: `{object}` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the Recovery Service Vault resource. @@ -508,7 +523,7 @@ The vault redundancy level to use. | `name` | string | The Name of the backup vault. | | `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | | `resourceId` | string | The resource ID of the backup vault. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index caab5b84fa..042be9825e 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep @@ -17,8 +17,8 @@ param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the Recovery Service Vault resource.') param tags object = {} 
@@ -55,10 +55,8 @@ param securitySettings object = {}
 @description('Optional. Feature settings for the backup vault.')
 param featureSettings object = {}
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : 'None'
-
-var identity = identityType != 'None' ? {
-  type: identityType
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -151,7 +149,7 @@ output resourceGroupName string = resourceGroup().name
 output name string = backupVault.name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(backupVault.identity, 'principalId') ? backupVault.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(backupVault.identity, 'principalId') ? backupVault.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = backupVault.location
@@ -160,6 +158,11 @@ output location string = backupVault.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+  @description('Optional. Enables system assigned managed identity on the resource.')
+  systemAssigned: bool?
+}?
+
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?
diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json
index 868f140db9..9db6f483b0 100644
--- a/modules/data-protection/backup-vault/main.json
+++ b/modules/data-protection/backup-vault/main.json
@@ -6,13 +6,26 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8939931538076574162" + "templateHash": "11392074106571494077" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -138,11 +151,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { @@ -210,8 +222,7 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", 
@@ -441,12 +452,12 @@ }, "value": "[parameters('name')]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('backupVault', '2023-05-01', 'full').identity, 'principalId')), reference('backupVault', '2023-05-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('backupVault', '2023-05-01', 'full').identity, 'principalId')), reference('backupVault', '2023-05-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/.test/common/main.test.bicep index 1c6ad77107..c4d988caa7 100644 --- a/modules/databricks/access-connector/.test/common/main.test.bicep +++ b/modules/databricks/access-connector/.test/common/main.test.bicep @@ -56,9 +56,11 @@ module testDeployment '../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } roleAssignments: [ { diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index c965dbdf4f..796b14a8bf 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -51,6 +51,12 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' 
@@ -58,15 +64,11 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -100,6 +102,14 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -109,20 +119,12 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -195,10 +197,9 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. | ### Parameter: `enableDefaultTelemetry` 
@@ -241,6 +242,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the Azure Databricks access connector to create. @@ -315,13 +342,6 @@ Required. The name of the role to assign. If it cannot be found you can specify - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -329,13 +349,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -345,6 +358,7 @@ The set of user assigned identities associated with the resource, the userAssign | `name` | string | The name of the deployed access connector. | | `resourceGroupName` | string | The resource group of the deployed access connector. | | `resourceId` | string | The resource ID of the deployed access connector. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index ca7d88ef21..d8ce4aeee9 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep 
@@ -17,20 +17,17 @@ param roleAssignments roleAssignmentType
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var builtInRoleNames = {
@@ -93,6 +90,9 @@ output resourceId string = accessConnector.id @description('The resource group of the deployed access connector.') output resourceGroupName string = resourceGroup().name +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(accessConnector.identity, 'principalId') ? accessConnector.identity.principalId : '' + @description('The location the resource was deployed into.') output location string = accessConnector.location @@ -100,6 +100,14 @@ output location string = accessConnector.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index 6098e38098..5e8014b2f2 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11496388120257494229" + "templateHash": "9757807827728921562" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -138,18 +161,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The set of user assigned identities associated with the resource, the userAssignedIdentities dictionary keys will be ARM resource IDs and The dictionary values can be empty objects ({}) in requests." + "description": "Optional. The managed identity definition for this resource." } }, "enableDefaultTelemetry": { 
@@ -161,8 +176,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -254,6 +269,13 @@ }, "value": "[resourceGroup().name]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('accessConnector', '2022-10-01-preview', 'full').identity, 'principalId')), reference('accessConnector', '2022-10-01-preview', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep index 50b1602869..13819511a9 100644 --- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep @@ -103,8 +103,10 @@ module testDeployment '../../main.bicep' = { ] highAvailability: 'SameZone' storageAutoGrow: 'Enabled' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index 4b29cd3672..04f9296d26 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep 
@@ -150,9 +150,11 @@ module testDeployment '../../main.bicep' = { geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId - userAssignedIdentities: { - '${nestedDependencies2.outputs.managedIdentityResourceId}': {} - '${nestedDependencies2.outputs.geoBackupManagedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies2.outputs.managedIdentityResourceId + nestedDependencies2.outputs.geoBackupManagedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index b606760ece..ac8fa8150a 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -150,6 +150,11 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } privateDnsZoneResourceId: '' roleAssignments: [ { @@ -167,9 +172,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { resourceType: 'MySQL Flexible Server' serverName: 'dfmsfspvt001' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -256,6 +258,13 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateDnsZoneResourceId": { "value": "" }, @@ -286,11 +295,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "resourceType": "MySQL Flexible Server", "serverName": "dfmsfspvt001" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -373,6 +377,12 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + '' + ] + } roleAssignments: [ { principalId: '' @@ -389,10 +399,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { resourceType: 'MySQL Flexible Server' serverName: 'dfmsfsp001' } - userAssignedIdentities: { - '': {} - '': {} - } version: '8.0.21' } } @@ -516,6 +522,14 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "", + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -544,12 +558,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "serverName": "dfmsfsp001" } }, - "userAssignedIdentities": { - "value": { - "": {}, - "": {} - } - }, "version": { "value": "8.0.21" } 
@@ -579,11 +587,11 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | | [`geoBackupCMKKeyVaultResourceId`](#parameter-geobackupcmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | | [`geoBackupCMKUserAssignedIdentityResourceId`](#parameter-geobackupcmkuserassignedidentityresourceid) | string | Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. | | [`privateDnsZoneResourceId`](#parameter-privatednszoneresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. | | [`restorePointInTime`](#parameter-restorepointintime) | string | Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". | | [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". | | [`storageAutoGrow`](#parameter-storageautogrow) | string | Enable Storage Auto Grow or not. 
Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty. | **Optional parameters** @@ -917,6 +925,24 @@ Properties for the maintenence window. If provided, "customWindow" property must - Type: object - Default: `{object}` +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` The name of the MySQL flexible server. @@ -1071,13 +1097,6 @@ The tier of the particular SKU. Tier must align with the "skuName" property. Exa - Type: string - Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `version` MySQL Server version. diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index 8ee3664d6e..9df9e895a6 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep 
@@ -65,8 +65,8 @@ param geoRedundantBackup string = 'Disabled' @description('Optional. The mode to create a new MySQL server.') param createMode string = 'Default' -@description('Conditional. The ID(s) to assign to the resource. Required if "cMKKeyName" is not empty.') -param userAssignedIdentities object = {} +@description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.') +param managedIdentities managedIdentitiesType @description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty.') param cMKKeyVaultResourceId string = '' @@ -180,11 +180,11 @@ param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -378,6 +378,11 @@ output location string = flexibleServer.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? 
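Review bot: In the `identity` variable a caller who passes `managedIdentities: { userAssignedResourcesIds: [] }` now gets `{ type: null, userAssignedIdentities: null }` instead of no identity block, because the outer guard tests `!empty(managedIdentities)` while the `type` expression falls through to `null`; the removed code mapped that case to `'None'`. Guarding on the list itself avoids the half-empty object: `var identity = !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? { type: 'UserAssigned', userAssignedIdentities: formattedUserAssignedIdentities } : null`. The `?? {}` fallback on the `type` line is an object where the line above uses `?? []` for the same `string[]` property; aligning them keeps the intent clear. In the new `managedIdentitiesType`, `userAssignedResourcesIds: string[]` is non-nullable although its description says "Optional.", which is why the generated README in this patch shows `Required: Yes` next to that text; `userAssignedResourcesIds: string[]?` would make the contract match the description. The same three points apply to the db-for-postgre-sql and dev-test-lab main.bicep hunks in this patch.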
diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index a63740f0e8..de8040ea03 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json @@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13098960413879808793" + "templateHash": "1179455125587700731" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -322,11 +337,10 @@ "description": "Optional. The mode to create a new MySQL server." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Conditional. The ID(s) to assign to the resource. Required if \"cMKKeyName\" is not empty." + "description": "Conditional. The managed identity definition for this resource. Required if 'cMKKeyName' is not empty." } }, "cMKKeyVaultResourceId": { 
@@ -541,8 +555,8 @@ } }, "variables": { - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep index 1d5c183c98..86320c6f6d 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep 
@@ -135,8 +135,10 @@ module testDeployment '../../main.bicep' = { cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKKeyName: nestedDependencies.outputs.keyName cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index dad01ed643..2e29c62ecd 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -341,15 +341,17 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 geoRedundantBackup: 'Disabled' highAvailability: 'SameZone' location: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } storageSizeGB: 1024 tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } version: '14' } } @@ -470,6 +472,13 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 "location": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "storageSizeGB": { "value": 1024 }, @@ -480,11 +489,6 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "version": { "value": "14" } 
@@ -512,9 +516,9 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | :-- | :-- | :-- | | [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. | | [`pointInTimeUTC`](#parameter-pointintimeutc) | string | Required if "createMode" is set to "PointInTimeRestore". | | [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | Required if "createMode" is set to "PointInTimeRestore". | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty. | **Optional parameters** @@ -835,6 +839,24 @@ Properties for the maintenence window. If provided, "customWindow" property must - Type: object - Default: `{object}` +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` The name of the PostgreSQL flexible server. 
@@ -973,13 +995,6 @@ The tier of the particular SKU. Tier must align with the "skuName" property. Exa - Type: string - Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `version` PostgreSQL Server version. diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index fe4c7fe3a7..3df7813d86 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -110,8 +110,8 @@ param highAvailability string = 'Disabled' @description('Optional. The mode to create a new PostgreSQL server.') param createMode string = 'Default' -@description('Conditional. The ID(s) to assign to the resource. Required if \'cMKKeyName\' is not empty.') -param userAssignedIdentities object = {} +@description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.') +param managedIdentities managedIdentitiesType @description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') param cMKKeyVaultResourceId string = '' 
@@ -164,6 +164,13 @@ param enableDefaultTelemetry bool = true @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } + +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : null + var enableReferencedModulesTelemetry = false var builtInRoleNames = { @@ -203,10 +210,7 @@ resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = name: skuName tier: tier } - identity: { - type: !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : {} - } + identity: identity properties: { administratorLogin: !empty(administratorLogin) ? administratorLogin : null administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null @@ -365,6 +369,11 @@ output location string = flexibleServer.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index 06684ab38d..fb07682a43 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json 
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17360254476628434817" + "templateHash": "2134307033398708647" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -383,11 +398,10 @@ "description": "Optional. The mode to create a new PostgreSQL server." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Conditional. The ID(s) to assign to the resource. Required if 'cMKKeyName' is not empty." + "description": "Conditional. The managed identity definition for this resource. Required if 'cMKKeyName' is not empty." } }, "cMKKeyVaultResourceId": { 
@@ -508,6 +522,8 @@ } }, "variables": { + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -563,10 +579,7 @@ "name": "[parameters('skuName')]", "tier": "[parameters('tier')]" }, - "identity": { - "type": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), createObject())]" - }, + "identity": "[variables('identity')]", "properties": { "administratorLogin": "[if(not(empty(parameters('administratorLogin'))), parameters('administratorLogin'), null())]", "administratorLoginPassword": "[if(not(empty(parameters('administratorLoginPassword'))), parameters('administratorLoginPassword'), null())]", diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/.test/common/main.test.bicep index 41ab747bc6..a6a84a65bf 100644 --- a/modules/dev-test-lab/lab/.test/common/main.test.bicep +++ b/modules/dev-test-lab/lab/.test/common/main.test.bicep @@ -94,12 +94,14 @@ module testDeployment '../../main.bicep' = { enabled: 'Enabled' markdown: 'DevTest Lab support text.
New line. It also supports Markdown' } - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - managementIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } + managementIdentitiesResourceIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] vmCreationResourceGroupId: resourceGroup.id browserConnect: 'Enabled' disableAutoUpgradeCseMinorVersion: true diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index 2a87c61821..af50afe9e9 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -101,9 +101,14 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - managementIdentities: { - '': {} + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] } + managementIdentitiesResourceIds: [ + '' + ] notificationchannels: [ { description: 'Integration configured for auto-shutdown' @@ -234,9 +239,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { labName: 'dtllcom001' resourceType: 'DevTest Lab' } - userAssignedIdentities: { - '': {} - } virtualnetworks: [ { allowedSubnets: [ @@ -373,11 +375,18 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "name": "myCustomLockName" } }, - "managementIdentities": { + "managedIdentities": { "value": { - "": {} + "userAssignedResourcesIds": [ + "" + ] } }, + "managementIdentitiesResourceIds": { + "value": [ + "" + ] + }, "notificationchannels": { "value": [ { @@ -522,11 +531,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "resourceType": "DevTest Lab" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "virtualnetworks": { "value": [ { 
@@ -655,7 +659,8 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { | [`labStorageType`](#parameter-labstoragetype) | string | Type of storage used by the lab. It can be either Premium or Standard. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managementIdentities`](#parameter-managementidentities) | object | The ID(s) to assign to the virtual machines associated with this lab. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | +| [`managementIdentitiesResourceIds`](#parameter-managementidentitiesresourceids) | array | The resource ID(s) to assign to the virtual machines associated with this lab. | | [`mandatoryArtifactsResourceIdsLinux`](#parameter-mandatoryartifactsresourceidslinux) | array | The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. | | [`mandatoryArtifactsResourceIdsWindows`](#parameter-mandatoryartifactsresourceidswindows) | array | The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. | | [`policies`](#parameter-policies) | array | Policies to create for the lab. | 
@@ -664,7 +669,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { | [`schedules`](#parameter-schedules) | array | Schedules to create for the lab. | | [`support`](#parameter-support) | object | The properties of any lab support message associated with this lab. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`virtualnetworks`](#parameter-virtualnetworks) | array | Virtual networks to create for the lab. | | [`vmCreationResourceGroupId`](#parameter-vmcreationresourcegroupid) | string | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | @@ -798,12 +802,30 @@ Optional. Specify the name of lock. - Required: No - Type: string -### Parameter: `managementIdentities` +### Parameter: `managedIdentities` -The ID(s) to assign to the virtual machines associated with this lab. +The managed identity definition for this resource. - Required: No - Type: object -- Default: `{object}` + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + +### Parameter: `managementIdentitiesResourceIds` + +The resource ID(s) to assign to the virtual machines associated with this lab. +- Required: No +- Type: array +- Default: `[]` ### Parameter: `mandatoryArtifactsResourceIdsLinux` 
@@ -936,13 +958,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `virtualnetworks` Virtual networks to create for the lab. @@ -966,6 +981,7 @@ Resource Group allocation for virtual machines. If left empty, virtual machines | `name` | string | The name of the lab. | | `resourceGroupName` | string | The resource group the lab was deployed into. | | `resourceId` | string | The resource ID of the lab. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | | `uniqueIdentifier` | string | The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates. | diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index f11bfed17d..2d52f27d29 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep 
@@ -57,11 +57,11 @@ param premiumDataDisks string = 'Disabled' @description('Optional. The properties of any lab support message associated with this lab.') param support object = {} -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType -@description('Optional. The ID(s) to assign to the virtual machines associated with this lab.') -param managementIdentities object = {} +@description('Optional. The resource ID(s) to assign to the virtual machines associated with this lab.') +param managementIdentitiesResourceIds string[] = [] @description('Optional. Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab.') param vmCreationResourceGroupId string = resourceGroup().id 
@@ -116,6 +116,15 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } + +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : any(null) + +var formattedManagementIdentities = !empty(managementIdentitiesResourceIds) ? reduce(map((managementIdentitiesResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) : {} // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } + var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') @@ -142,10 +151,7 @@ resource lab 'Microsoft.DevTestLab/labs@2018-10-15-preview' = { name: name location: location tags: tags - identity: { - type: !empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : any(null) - } + identity: identity properties: { artifactsStorageAccount: artifactsStorageAccount announcement: announcement 
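Review bot: With `managedIdentities` omitted (its type is nullable and the param has no default) the new `identity` variable resolves to `any(null)`, so the lab is created with no identity at all, whereas the removed inline block always emitted at least `type: 'SystemAssigned'`. Callers that relied on the lab's system-assigned identity and never passed user-assigned IDs lose it silently, and `managedIdentitiesType` offers no `systemAssigned` flag to ask for it back (the document-db tests in this same patch use `managedIdentities: { systemAssigned: true }`, so such a shape exists elsewhere in the commit). Dropping the outer guard restores the previous default: `var identity = { type: !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned', userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null }`. On `formattedManagementIdentities`, both the `?? []` and the surrounding `!empty(...) ? ... : {}` are redundant, since `managementIdentitiesResourceIds` is a non-nullable `string[]` defaulting to `[]` and `reduce` over an empty array already yields `{}`.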
@@ -156,7 +162,7 @@ resource lab 'Microsoft.DevTestLab/labs@2018-10-15-preview' = { mandatoryArtifactsResourceIdsWindows: mandatoryArtifactsResourceIdsWindows premiumDataDisks: premiumDataDisks support: support - managementIdentities: managementIdentities + managementIdentities: formattedManagementIdentities vmCreationResourceGroupId: vmCreationResourceGroupId browserConnect: browserConnect disableAutoUpgradeCseMinorVersion: disableAutoUpgradeCseMinorVersion @@ -312,6 +318,9 @@ output resourceId string = lab.id @description('The name of the lab.') output name string = lab.name +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = contains(lab.identity, 'principalId') ? lab.identity.principalId : '' + @description('The location the resource was deployed into.') output location string = lab.location @@ -319,6 +328,11 @@ output location string = lab.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index 96178a5f66..0e566cecde 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json 
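Review bot: The new `systemAssignedMIPrincipalId` output evaluates `contains(lab.identity, 'principalId')` unconditionally, and because the `identity` variable in this file can now resolve to `null` when `managedIdentities` is omitted, that `contains` call presumably fails at deployment time instead of returning `''`. The generated access-connector output earlier in this patch first checks `tryGet(parameters('managedIdentities'), 'systemAssigned')` before calling `contains`; a null-safe form here, such as `output systemAssignedMIPrincipalId string = contains(lab.identity ?? {}, 'principalId') ? lab.identity.principalId : ''`, would give the same protection. The README hunk in this patch lists the new output directly above the existing `systemAssignedPrincipalId` with an identical description, so unless the older output is retired in a later commit the two duplicate each other and the `@description` should say which one consumers are expected to use.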
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2990102608284967773" + "templateHash": "15532963443565749928" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -214,18 +229,20 @@ "description": "Optional. The properties of any lab support message associated with this lab." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, - "managementIdentities": { - "type": "object", - "defaultValue": {}, + "managementIdentitiesResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "defaultValue": [], "metadata": { - "description": "Optional. The ID(s) to assign to the virtual machines associated with this lab." + "description": "Optional. The resource ID(s) to assign to the virtual machines associated with this lab." } }, "vmCreationResourceGroupId": { 
@@ -334,6 +351,9 @@ }, "variables": { "enableReferencedModulesTelemetry": false, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedManagementIdentities": "[if(not(empty(parameters('managementIdentitiesResourceIds'))), reduce(map(coalesce(parameters('managementIdentitiesResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next')))), createObject())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", 
@@ -365,10 +385,7 @@ "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", - "identity": { - "type": "[if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "identity": "[variables('identity')]", "properties": { "artifactsStorageAccount": "[parameters('artifactsStorageAccount')]", "announcement": "[parameters('announcement')]", @@ -379,7 +396,7 @@ "mandatoryArtifactsResourceIdsWindows": "[parameters('mandatoryArtifactsResourceIdsWindows')]", "premiumDataDisks": "[parameters('premiumDataDisks')]", "support": "[parameters('support')]", - "managementIdentities": "[parameters('managementIdentities')]", + "managementIdentities": "[variables('formattedManagementIdentities')]", "vmCreationResourceGroupId": "[parameters('vmCreationResourceGroupId')]", "browserConnect": "[parameters('browserConnect')]", "disableAutoUpgradeCseMinorVersion": "[parameters('disableAutoUpgradeCseMinorVersion')]", @@ -1757,6 +1774,13 @@ }, "value": "[parameters('name')]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(contains(reference('lab', '2018-10-15-preview', 'full').identity, 'principalId'), reference('lab', '2018-10-15-preview', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/.test/gremlindb/main.test.bicep index 6d53ccd119..f1120061d4 100644 --- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep +++ b/modules/document-db/database-account/.test/gremlindb/main.test.bicep 
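Review bot: The added `systemAssignedMIPrincipalId` output reads `reference('lab', '2018-10-15-preview', 'full').identity` with no guard; because the `identity` variable introduced in the variables hunk is `null()` when `managedIdentities` is omitted, the lab can now be deployed without an identity, and the `.identity` property access in this output may then fail at deployment time instead of yielding `''`. The DocumentDB module in this same patch guards the equivalent output with an `and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(…))` condition. Here the matching guard would be `"value": "[if(and(not(empty(parameters('managedIdentities'))), contains(reference('lab', '2018-10-15-preview', 'full').identity, 'principalId')), reference('lab', '2018-10-15-preview', 'full').identity.principalId, '')]"`; if `and()` turns out not to short-circuit in the runtime, nest the `contains` inside an inner `if()`. The fix belongs in main.bicep, from which this file is generated.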
@@ -149,7 +149,9 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/.test/mongodb/main.test.bicep index a311718a74..e554588b54 100644 --- a/modules/document-db/database-account/.test/mongodb/main.test.bicep +++ b/modules/document-db/database-account/.test/mongodb/main.test.bicep @@ -282,7 +282,9 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/.test/sqldb/main.test.bicep index 48e552ec3d..2f9254da17 100644 --- a/modules/document-db/database-account/.test/sqldb/main.test.bicep +++ b/modules/document-db/database-account/.test/sqldb/main.test.bicep @@ -189,8 +189,10 @@ module testDeployment '../../main.bicep' = { autoscaleSettingsMaxThroughput: 1000 } ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index e0c384329f..87ab27ddef 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md 
@@ -132,6 +132,9 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { } ] location: '' + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { principalId: '' @@ -139,7 +142,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -257,6 +259,11 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "location": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "roleAssignments": { "value": [ { @@ -266,9 +273,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -324,6 +328,9 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] enableDefaultTelemetry: '' location: '' + managedIdentities: { + systemAssigned: true + } mongodbDatabases: [ { collections: [ @@ -515,7 +522,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -578,6 +584,11 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "location": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "mongodbDatabases": { "value": [ { @@ -773,9 +784,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -970,6 +978,11 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { ] enableDefaultTelemetry: '' location: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -1072,9 +1085,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -1132,6 +1142,13 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "location": { "value": "" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -1241,11 +1258,6 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -1283,6 +1295,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { | [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`maxIntervalInSeconds`](#parameter-maxintervalinseconds) | int | Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | | [`maxStalenessPrefix`](#parameter-maxstalenessprefix) | int | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | | [`mongodbDatabases`](#parameter-mongodbdatabases) | array | MongoDB Databases configurations. | 
@@ -1290,9 +1303,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`serverVersion`](#parameter-serverversion) | string | Specifies the MongoDB server version to use. | | [`sqlDatabases`](#parameter-sqldatabases) | array | SQL Databases configurations. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the Database Account resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `automaticFailover` 
@@ -1539,6 +1550,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `maxIntervalInSeconds` Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. @@ -1817,13 +1854,6 @@ SQL Databases configurations. - Type: array - Default: `[]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the Database Account resource. @@ -1831,13 +1861,6 @@ Tags of the Database Account resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -1847,7 +1870,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the database account. | | `resourceGroupName` | string | The name of the resource group the database account was created in. | | `resourceId` | string | The resource ID of the database account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md index 4a715c8f19..7436326970 100644 --- a/modules/document-db/database-account/gremlin-database/README.md +++ b/modules/document-db/database-account/gremlin-database/README.md @@ -38,10 +38,8 @@ This module deploys a Gremlin Database within a CosmosDB Account. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`graphs`](#parameter-graphs) | array | Array of graphs to deploy in the Gremlin database. | | [`maxThroughput`](#parameter-maxthroughput) | int | Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the Gremlin database resource. | | [`throughput`](#parameter-throughput) | int | Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `databaseAccountName` 
@@ -76,13 +74,6 @@ Name of the Gremlin database. - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the Gremlin database resource. @@ -97,13 +88,6 @@ Request Units per second (for example 10000). Cannot be set together with `maxTh - Type: int - Default: `-1` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs diff --git a/modules/document-db/database-account/gremlin-database/main.bicep b/modules/document-db/database-account/gremlin-database/main.bicep index 82f0325cbc..bef3ca7288 100644 --- a/modules/document-db/database-account/gremlin-database/main.bicep +++ b/modules/document-db/database-account/gremlin-database/main.bicep @@ -8,12 +8,6 @@ param name string @description('Optional. Tags of the Gremlin database resource.') param tags object = {} -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - @description('Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment.') param databaseAccountName string @@ -31,8 +25,6 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') - resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
@@ -60,10 +52,6 @@ resource gremlinDatabase 'Microsoft.DocumentDB/databaseAccounts/gremlinDatabases
 name: name
 tags: tags
 parent: databaseAccount
- identity: (identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
- } : null)!
 properties: {
 options: databaseOptions
 resource: {
@@ -92,3 +80,15 @@ output resourceId string = gremlinDatabase.id
 @description('The name of the resource group the Gremlin database was created in.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json
index 3a99fdbe58..aef7829f15 100644
--- a/modules/document-db/database-account/gremlin-database/main.json
+++ b/modules/document-db/database-account/gremlin-database/main.json
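Review bot: `type managedIdentitiesType` is added to gremlin-database main.bicep although this same file drops both identity parameters (hunk `@@ -8,12 +8,6 @@`) and the `identity:` property of the `gremlinDatabase` resource in the first hunk here, so nothing in the module references the type. The unused definition is what forces `"languageVersion": "2.0"` and the symbolic-name `resources` object in the compiled gremlin-database main.json, and it is duplicated into the nested gremlin template inside database-account main.json. Unless a follow-up is going to use it, remove the `type managedIdentitiesType = { … }?` block together with the `// Definitions //` banner above it and recompile. If it is kept deliberately for parity with sibling modules, a one-line comment such as `// Not used by this module; kept for parity with the other document-db child modules` would stop the next reader from reinstating the identity wiring.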
@@ -1,16 +1,42 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15423165717770718605" + "templateHash": "1439508098279696940" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -25,20 +51,6 @@ "description": "Optional. Tags of the Gremlin database resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." - } - }, "databaseAccountName": { "type": "string", "metadata": { 
@@ -75,11 +87,10 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]" + "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -93,20 +104,28 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "gremlinDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", "tags": "[parameters('tags')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", "resource": { "id": "[parameters('name')]" } - } + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "gremlinDatabase_gremlinGraphs": { "copy": { "name": "gremlinDatabase_gremlinGraphs", "count": "[length(parameters('graphs'))]" 
@@ -253,10 +272,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases', parameters('databaseAccountName'), parameters('name'))]" + "gremlinDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index ef0e1e141e..3ac93fcc6a 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -11,11 +11,8 @@ param location string = resourceGroup().location @description('Optional. Tags of the Database Account resource.') param tags object = {} -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The offer type for the Cosmos DB database account.') @allowed([ 
@@ -128,11 +125,11 @@ param backupStorageRedundancy string = 'Local'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 var consistencyPolicy = {
@@ -351,7 +348,7 @@ output resourceId string = databaseAccount.id
 output resourceGroupName string = resourceGroup().name
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(databaseAccount.identity, 'principalId') ? databaseAccount.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(databaseAccount.identity, 'principalId') ? databaseAccount.identity.principalId : ''
 @description('The location the resource was deployed into.')
 output location string = databaseAccount.location
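Review bot: The new `identity` variable is gated on `!empty(managedIdentities)` rather than on the resolved identity type, so an object that requests nothing — `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }` — passes the gate while the `type` expression resolves to `null`, which likely hands the resource an identity object with a null `type`; the removed code returned `null` for that case through its `identityType != 'None'` check. The same construction appears in event-grid/system-topic main.bicep and, in compiled form, in the `identity` variable of database-account main.json, so whatever is decided here applies there too. A minor style point on the same line: `managedIdentities.?userAssignedResourcesIds ?? {}` coalesces an array-typed property with an object, and `?? []` would match the declared type. Reintroducing a nullable `identityType` and gating on it restores the null-identity behaviour while keeping the new parameter shape.
```bicep
// … unchanged: formattedUserAssignedIdentities …

var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```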
@@ -360,6 +357,14 @@ output location string = databaseAccount.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index c64588c998..47d04e5c6f 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7425318537655406397" + "templateHash": "15206663104495888656" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -380,18 +403,10 @@ "description": "Optional. Tags of the Database Account resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "databaseAccountOfferType": { 
@@ -608,8 +623,8 @@ } } ], - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "consistencyPolicy": { "Eventual": { "defaultConsistencyLevel": "Eventual" 
@@ -1416,17 +1431,43 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15423165717770718605" + "templateHash": "1439508098279696940" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -1441,20 +1482,6 @@ "description": "Optional. Tags of the Gremlin database resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." - } - }, "databaseAccountName": { "type": "string", "metadata": { 
@@ -1491,11 +1518,10 @@ } }, "variables": { - "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]" + "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -1509,20 +1535,28 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "gremlinDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", "tags": "[parameters('tags')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), -1), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', if(not(equals(parameters('throughput'), -1)), parameters('throughput'), null())))]", "resource": { "id": "[parameters('name')]" } - } + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "gremlinDatabase_gremlinGraphs": { "copy": { "name": "gremlinDatabase_gremlinGraphs", "count": "[length(parameters('graphs'))]" 
@@ -1669,10 +1703,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/gremlinDatabases', parameters('databaseAccountName'), parameters('name'))]" + "gremlinDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2276,12 +2310,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('databaseAccount', '2023-04-15', 'full').identity, 'principalId')), reference('databaseAccount', '2023-04-15', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('databaseAccount', '2023-04-15', 'full').identity, 'principalId')), reference('databaseAccount', '2023-04-15', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/.test/common/main.test.bicep index fcd8970f07..72a3551ad0 100644 --- a/modules/event-grid/system-topic/.test/common/main.test.bicep +++ b/modules/event-grid/system-topic/.test/common/main.test.bicep @@ -110,6 +110,9 @@ module testDeployment '../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 29fe9ed0c9..76aa28f3f5 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -92,6 +92,9 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { principalId: '' 
@@ -182,6 +185,11 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "roleAssignments": { "value": [ { @@ -281,10 +289,9 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { | [`eventSubscriptions`](#parameter-eventsubscriptions) | array | Event subscriptions to deploy. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `diagnosticSettings` 
@@ -449,6 +456,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the Event Grid Topic. @@ -529,13 +562,6 @@ Source for the system topic. - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -549,13 +575,6 @@ TopicType for the system topic. - Required: Yes - Type: string -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs @@ -565,7 +584,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the event grid system topic. | | `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into. | | `resourceId` | string | The resource ID of the event grid system topic. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules 
diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep index 32ae0e4226..f851d03ce8 100644 --- a/modules/event-grid/system-topic/main.bicep +++ b/modules/event-grid/system-topic/main.bicep @@ -26,11 +26,8 @@ param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} @@ -38,11 +35,11 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { 
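Review bot: The `type` ternary in the new `identity` variable falls through to `null` when `managedIdentities` is non-empty but `systemAssigned` is false or absent and `userAssignedResourcesIds` is empty (e.g. `managedIdentities: { systemAssigned: false }`), so the resource is handed an identity block with no `type`, whereas the removed code resolved that case to 'None' and emitted no identity at all; the RP will most likely reject or silently ignore such a block, and either way it is a behavioural regression. The inner `?? {}` defaults also treat the array-typed property as an object, which `empty()` tolerates but which reads wrong next to the `?? []` used one line up in `formattedUserAssignedIdentities`. I would let the outer guard decide instead, e.g. `var identity = (managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? { ... } : null`, and use `?? []` in both inner branches so the `type` expression can never yield null. The `var identity` assignment is fully inside the hunk, so the change is confined to it.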
@@ -159,7 +156,7 @@ output resourceId string = systemTopic.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(systemTopic.identity, 'principalId') ? systemTopic.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(systemTopic.identity, 'principalId') ? systemTopic.identity.principalId : '' @description('The location the resource was deployed into.') output location string = systemTopic.location @@ -168,6 +165,14 @@ output location string = systemTopic.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json index cf3f8afd03..6e084c85bd 100644 --- a/modules/event-grid/system-topic/main.json +++ b/modules/event-grid/system-topic/main.json 
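Review bot: Renaming the output `systemAssignedPrincipalId` to `systemAssignedMIPrincipalId` is a consumer-breaking change: any template that wires this output into a role assignment (the usual reason to enable a system-assigned identity) stops compiling, and since the `systemAssignedIdentity`/`userAssignedIdentities` parameters are replaced at the same time there is no way for a caller to stay compatible with the previous module version. The README in this diff references the module as `br:bicep/modules/event-grid.system-topic:1.0.0`, so if the module is published with a version this presumably needs a major version bump and a changelog/README line such as `Breaking: output systemAssignedPrincipalId renamed to systemAssignedMIPrincipalId; systemAssignedIdentity/userAssignedIdentities replaced by managedIdentities`. I cannot see a version or changelog file in this diff, so treat that as something to confirm.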
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5581457669856616058" + "templateHash": "15694608297739544704" }, "name": "Event Grid System Topics", "description": "This module deploys an Event Grid System Topic.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -262,18 +285,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -292,8 +307,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]", 
@@ -626,12 +641,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('systemTopic', '2021-12-01', 'full').identity, 'principalId')), reference('systemTopic', '2021-12-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('systemTopic', '2021-12-01', 'full').identity, 'principalId')), reference('systemTopic', '2021-12-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/.test/common/main.test.bicep index 3a4cef6289..b276b1734f 100644 --- a/modules/event-hub/namespace/.test/common/main.test.bicep +++ b/modules/event-hub/namespace/.test/common/main.test.bicep @@ -207,9 +207,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/event-hub/namespace/.test/encr/main.test.bicep b/modules/event-hub/namespace/.test/encr/main.test.bicep index 39a945d650..ce45fd552e 100644 --- a/modules/event-hub/namespace/.test/encr/main.test.bicep +++ b/modules/event-hub/namespace/.test/encr/main.test.bicep 
@@ -62,9 +62,11 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' } skuName: 'Premium' - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKKeyName: nestedDependencies.outputs.keyName diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index f7ec816066..01537b304d 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -159,6 +159,12 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } maximumThroughputUnits: 4 minimumTlsVersion: '1.2' networkRuleSets: { @@ -201,15 +207,11 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { ] skuCapacity: 2 skuName: 'Standard' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } zoneRedundant: true } } @@ -351,6 +353,14 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "maximumThroughputUnits": { "value": 4 }, @@ -409,9 +419,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "skuName": { "value": "Standard" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -419,11 +426,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "zoneRedundant": { "value": true } @@ -451,18 +453,20 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } publicNetworkAccess: 'SecuredByPerimeter' requireInfrastructureEncryption: true skuName: 'Premium' - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -496,6 +500,14 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, "publicNetworkAccess": { "value": "SecuredByPerimeter" }, @@ -505,20 +517,12 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "skuName": { "value": "Premium" }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -704,6 +708,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`kafkaEnabled`](#parameter-kafkaenabled) | bool | Value that indicates whether Kafka is enabled for Event Hubs Namespace. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`maximumThroughputUnits`](#parameter-maximumthroughputunits) | int | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | 
@@ -713,9 +718,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`skuCapacity`](#parameter-skucapacity) | int | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. | | [`skuName`](#parameter-skuname) | string | event hub plan SKU name. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the Event Hub Namespace zone redundant. | ### Parameter: `authorizationRules` 
@@ -944,6 +947,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `maximumThroughputUnits` Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. @@ -1238,13 +1267,6 @@ event hub plan SKU name. - Default: `'Standard'` - Allowed: `[Basic, Premium, Standard]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1252,13 +1274,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `zoneRedundant` Switch to make the Event Hub Namespace zone redundant. 
@@ -1275,7 +1290,7 @@ Switch to make the Event Hub Namespace zone redundant. | `name` | string | The name of the eventspace. | | `resourceGroupName` | string | The resource group where the namespace is deployed. | | `resourceId` | string | The resource ID of the eventspace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index 85db737ff3..57097a54ea 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -80,11 +80,8 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster.') param cMKKeyName string = '' 
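Review bot: The new `managedIdentities` parameter description does not say that the identity passed as `cMKUserAssignedIdentityResourceId` (visible in the README examples of this diff) must also be listed in `managedIdentities.userAssignedResourcesIds`; a namespace can only use an identity that is actually assigned to it, so a caller who sets only the CMK parameter presumably gets a failure at key-access time rather than a clear validation error. The encr test lists the same identity in both places, so the working combination is exercised, but the contract is only implied by the fixture. I would extend the description: `When customer-managed keys are used, the identity referenced by cMKUserAssignedIdentityResourceId must also be listed in userAssignedResourcesIds.`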
@@ -118,11 +115,11 @@ param disasterRecoveryConfig object = {} var maximumThroughputUnitsVar = !isAutoInflateEnabled ? 0 : maximumThroughputUnits -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -347,7 +344,7 @@ output resourceId string = eventHubNamespace.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(eventHubNamespace.identity, 'principalId') ? eventHubNamespace.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(eventHubNamespace.identity, 'principalId') ? eventHubNamespace.identity.principalId : '' @description('The location the resource was deployed into.') output location string = eventHubNamespace.location 
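Review bot: The `type` expression of the new `identity` variable can evaluate to `null` when `managedIdentities` is supplied with `systemAssigned: false` (or omitted) and no `userAssignedResourcesIds`, producing an identity block without a `type` where the removed `identityType` logic yielded 'None' and no block at all; neither test fixture in this diff covers that input (common uses true plus IDs, encr uses false plus IDs), so CI would not catch the regression. The `?? {}` defaults on an array-typed property are also inconsistent with the `?? []` used in `formattedUserAssignedIdentities` one line above. I would move the decision to the outer guard, e.g. `var identity = (managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? { ... } : null`, and use `?? []` in the inner branches so `type` is always one of the three valid strings. The assignment ends inside the hunk.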
@@ -356,6 +353,14 @@ output location string = eventHubNamespace.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index d0fd852b27..6e2eb2d442 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14695132323302557393" + "templateHash": "4102382527672113808" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -499,18 +522,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "cMKKeyName": { 
@@ -585,8 +600,8 @@ }, "variables": { "maximumThroughputUnitsVar": "[if(not(parameters('isAutoInflateEnabled')), 0, parameters('maximumThroughputUnits'))]", - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", 
@@ -2449,12 +2464,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('eventHubNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('eventHubNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('eventHubNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('eventHubNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/.test/common/main.test.bicep index e75da7bcbc..36623909f7 100644 --- a/modules/health-bot/health-bot/.test/common/main.test.bicep +++ b/modules/health-bot/health-bot/.test/common/main.test.bicep @@ -69,8 +69,10 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' } sku: 'F0' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } } } diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 709308b105..cf5076bc30 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md @@ -51,6 +51,11 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' 
@@ -63,9 +68,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -99,6 +101,13 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -114,11 +123,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -196,9 +200,9 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `enableDefaultTelemetry` 
@@ -241,6 +245,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` Name of the resource. @@ -329,13 +351,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep index 5667441e75..c18e4aa195 100644 --- a/modules/health-bot/health-bot/main.bicep +++ b/modules/health-bot/health-bot/main.bicep @@ -13,8 +13,8 @@ param name string @description('Required. The name of the Azure Health Bot SKU.') param sku string -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Location for all resources.') param location string = resourceGroup().location 
@@ -31,11 +31,11 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -108,6 +108,11 @@ output location string = healthBot.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json index 7103f10ea1..f4ee735e27 100644 --- a/modules/health-bot/health-bot/main.json +++ b/modules/health-bot/health-bot/main.json 
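Review bot: In the new `managedIdentitiesType`, `userAssignedResourcesIds: string[]` is non-nullable while its description starts with "Optional.", and the sibling modules in this diff declare the same property as `string[]?`; the generated README in this diff consequently reports the property as Required: Yes with an "Optional." description, which is contradictory for a caller. Declaring it as `userAssignedResourcesIds: string[]?` (and regenerating main.json/README) would make the contract consistent across modules. Related, the `identity` variable's `type` becomes `null` when an empty array is passed, so a caller sending `managedIdentities: { userAssignedResourcesIds: [] }` gets an identity block with no `type` where the old code produced none; `var identity = !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? { type: 'UserAssigned', userAssignedIdentities: formattedUserAssignedIdentities } : null` avoids that. Both the type definition and the variable are fully inside their hunks.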
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5623490364397811090" + "templateHash": "4815130337915787009" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -123,11 +138,10 @@ "description": "Required. The name of the Azure Health Bot SKU." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "location": { 
@@ -165,8 +179,8 @@ } }, "variables": { - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/.test/common/main.test.bicep index 4c8f4d3f7b..fcb3fac8fe 100644 --- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep +++ b/modules/healthcare-apis/workspace/.test/common/main.test.bicep 
@@ -103,12 +103,14 @@ module testDeployment '../../main.bicep' = { resourceVersionPolicy: 'versioned' smartProxyEnabled: false enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: false + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } importEnabled: false initialImportMode: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } roleAssignments: [ { roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') @@ -144,11 +146,12 @@ module testDeployment '../../main.bicep' = { ] publicNetworkAccess: 'Enabled' enableDefaultTelemetry: enableDefaultTelemetry - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} - } - } + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } } ] roleAssignments: [ { diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index e619b6631f..4db6d1c6c8 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -80,12 +80,14 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { ] enableDefaultTelemetry: '' location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } name: 'az-dicom-x-001' publicNetworkAccess: 'Enabled' - systemAssignedIdentity: false - userAssignedIdentities: { - '': {} - } workspaceName: 'hawcom001' } ] 
@@ -122,6 +124,12 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { initialImportMode: false kind: 'fhir-R4' location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } name: 'az-fhir-x-001' publicNetworkAccess: 'Enabled' resourceVersionPolicy: 'versioned' @@ -133,10 +141,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { } ] smartProxyEnabled: false - systemAssignedIdentity: false - userAssignedIdentities: { - '': {} - } workspaceName: 'hawcom001' } ] @@ -209,12 +213,14 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { ], "enableDefaultTelemetry": "", "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, "name": "az-dicom-x-001", "publicNetworkAccess": "Enabled", - "systemAssignedIdentity": false, - "userAssignedIdentities": { - "": {} - }, "workspaceName": "hawcom001" } ] @@ -255,6 +261,12 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "initialImportMode": false, "kind": "fhir-R4", "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, "name": "az-fhir-x-001", "publicNetworkAccess": "Enabled", "resourceVersionPolicy": "versioned", @@ -266,10 +278,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { } ], "smartProxyEnabled": false, - "systemAssignedIdentity": false, - "userAssignedIdentities": { - "": {} - }, "workspaceName": "hawcom001" } ] diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index b1f46574f1..217bc50b8d 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md +++ b/modules/healthcare-apis/workspace/dicomservice/README.md 
@@ -44,10 +44,9 @@ This module deploys a Healthcare API Workspace DICOM Service. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `corsAllowCredentials` @@ -241,6 +240,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the DICOM service. 
@@ -255,13 +280,6 @@ Control permission for data plane traffic coming from public networks while priv - Default: `'Disabled'` - Allowed: `[Disabled, Enabled]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -269,13 +287,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `workspaceName` The name of the parent health data services workspace. Required if the template is used in a standalone deployment. @@ -291,7 +302,7 @@ The name of the parent health data services workspace. Required if the template | `name` | string | The name of the dicom service. | | `resourceGroupName` | string | The resource group where the namespace is deployed. | | `resourceId` | string | The resource ID of the dicom service. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep index 8ccdf0334b..29d0dbcf1f 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.bicep +++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep 
@@ -48,11 +48,8 @@ param lock lockType @description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') param publicNetworkAccess string = 'Disabled' -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} @@ -60,11 +57,11 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null // =========== // 
@@ -149,7 +146,7 @@ output resourceId string = dicom.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(dicom.identity, 'principalId') ? dicom.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(dicom.identity, 'principalId') ? dicom.identity.principalId : '' @description('The location the resource was deployed into.') output location string = dicom.location @@ -158,6 +155,14 @@ output location string = dicom.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json index 2a13e61b2e..f9627046e0 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.json +++ b/modules/healthcare-apis/workspace/dicomservice/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2513018044740237283" + "templateHash": "4165874741118763430" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -232,18 +255,10 @@ "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -262,8 +277,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { 
@@ -367,12 +382,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 83b67d69e3..9ae8dc574e 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md 
@@ -56,14 +56,13 @@ This module deploys a Healthcare API Workspace FHIR Service. | [`kind`](#parameter-kind) | string | The kind of the service. Defaults to R4. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. | | [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `accessPolicyObjectIds` 
@@ -328,6 +327,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the FHIR service. @@ -432,13 +457,6 @@ If the SMART on FHIR proxy is enabled. - Type: bool - Default: `False` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -446,13 +464,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `workspaceName` The name of the parent health data services workspace. Required if the template is used in a standalone deployment. 
@@ -468,7 +479,7 @@ The name of the parent health data services workspace. Required if the template | `name` | string | The name of the fhir service. | | `resourceGroupName` | string | The resource group where the namespace is deployed. | | `resourceId` | string | The resource ID of the fhir service. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | | `workspaceName` | string | The name of the fhir workspace. | ## Cross-referenced modules diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index 448b59adf0..69c00a4d6a 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep +++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep @@ -99,11 +99,8 @@ param resourceVersionOverrides object = {} @description('Optional. If the SMART on FHIR proxy is enabled.') param smartProxyEnabled bool = false -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -111,11 +108,11 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var accessPolicies = [for id in accessPolicyObjectIds: { @@ -260,7 +257,7 @@ output resourceId string = fhir.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(fhir.identity, 'principalId') ? fhir.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(fhir.identity, 'principalId') ? fhir.identity.principalId : '' @description('The location the resource was deployed into.') output location string = fhir.location 
@@ -272,6 +269,14 @@ output workspaceName string = workspace.name // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index 40f6f89c72..3b995855d7 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8392198431844501692" + "templateHash": "14914386228020873144" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -404,18 +427,10 @@ "description": "Optional. If the SMART on FHIR proxy is enabled." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -443,8 +458,8 @@ } } ], - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" }, 
@@ -610,12 +625,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index 45c4d5da83..94f9c1bdf3 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md @@ -46,9 +46,8 @@ This module deploys a Healthcare API Workspace IoT Connector. | [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `consumerGroup` 
@@ -239,29 +238,41 @@ Optional. Specify the name of lock. - Required: No - Type: string -### Parameter: `name` +### Parameter: `managedIdentities` -The name of the MedTech service. -- Required: Yes -- Type: string +The managed identity definition for this resource. +- Required: No +- Type: object -### Parameter: `systemAssignedIdentity` -Enables system assigned managed identity on the resource. +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + - Required: No - Type: bool -- Default: `False` -### Parameter: `tags` +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. -Tags of the resource. - Required: No -- Type: object -- Default: `{object}` +- Type: array + +### Parameter: `name` -### Parameter: `userAssignedIdentities` +The name of the MedTech service. +- Required: Yes +- Type: string -The ID(s) to assign to the resource. +### Parameter: `tags` + +Tags of the resource. - Required: No - Type: object - Default: `{object}` 
@@ -281,7 +292,7 @@ The name of the parent health data services workspace. Required if the template | `name` | string | The name of the medtech service. | | `resourceGroupName` | string | The resource group where the namespace is deployed. | | `resourceId` | string | The resource ID of the medtech service. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | | `workspaceName` | string | The name of the medtech workspace. | ## Cross-referenced modules diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep index 0bba8614b6..c4d2088098 100644 --- a/modules/healthcare-apis/workspace/iotconnector/main.bicep +++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep @@ -36,11 +36,8 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') param tags object = {} 
@@ -48,11 +45,11 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -156,7 +153,7 @@ output resourceId string = iotConnector.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(iotConnector.identity, 'principalId') ? iotConnector.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(iotConnector.identity, 'principalId') ? iotConnector.identity.principalId : '' @description('The location the resource was deployed into.') output location string = iotConnector.location 
@@ -168,6 +165,14 @@ output workspaceName string = workspace.name // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json index 3dd1ccc584..890a2c935e 100644 --- a/modules/healthcare-apis/workspace/iotconnector/main.json +++ b/modules/healthcare-apis/workspace/iotconnector/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2803151977387469601" + "templateHash": "9502385350114367681" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -214,18 +237,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -244,8 +259,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -529,12 +544,12 @@
 },
 "value": "[resourceGroup().name]"
 },
- "systemAssignedPrincipalId": {
+ "systemAssignedMIPrincipalId": {
 "type": "string",
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]"
+ "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]"
 },
 "location": {
 "type": "string",
diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep
index 6f4af7dae0..60af91948e 100644
--- a/modules/healthcare-apis/workspace/main.bicep
+++ b/modules/healthcare-apis/workspace/main.bicep
@@ -112,7 +112,7 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f
 kind: fhir.kind
 tags: contains(fhir, 'tags') ? fhir.tags : {}
 publicNetworkAccess: contains(fhir, 'publicNetworkAccess') ? fhir.publicNetworkAccess : 'Disabled'
- systemAssignedIdentity: contains(fhir, 'systemAssignedIdentity') ? fhir.systemAssignedIdentity : false
+ managedIdentities: contains(fhir, 'managedIdentities') ? fhir.managedIdentities : null
 roleAssignments: contains(fhir, 'roleAssignments') ? fhir.roleAssignments : []
 accessPolicyObjectIds: contains(fhir, 'accessPolicyObjectIds') ? fhir.accessPolicyObjectIds : []
 acrLoginServers: contains(fhir, 'acrLoginServers') ? fhir.acrLoginServers : []
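Review bot: The new `managedIdentities: contains(fhir, 'managedIdentities') ? fhir.managedIdentities : null` line keeps the older `contains()`/ternary pattern while the same file already uses safe dereference for `dicom.?diagnosticSettings` and `dicom.?lock ?? lock`; `managedIdentities: fhir.?managedIdentities` is equivalent and consistent with those lines. The same applies to the dicom and iotconnector hunks in this file (`dicom.?managedIdentities`, `iotConnector.?managedIdentities`). A second point: because `fhirservices`, `dicomservices` and `iotconnectors` are untyped object arrays, a caller that still passes `systemAssignedIdentity` or `userAssignedIdentities` inside an entry now has its identity silently dropped rather than rejected, since those keys are no longer forwarded to the child module; this deserves an explicit breaking-change note in the parent module's README and version. The `workspace_fhirservices` module block starts before this hunk.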
@@ -133,7 +133,6 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f resourceVersionPolicy: contains(fhir, 'resourceVersionPolicy') ? fhir.resourceVersionPolicy : 'versioned' resourceVersionOverrides: contains(fhir, 'resourceVersionOverrides') ? fhir.resourceVersionOverrides : {} smartProxyEnabled: contains(fhir, 'smartProxyEnabled') ? fhir.smartProxyEnabled : false - userAssignedIdentities: contains(fhir, 'userAssignedIdentities') ? fhir.userAssignedIdentities : {} enableDefaultTelemetry: enableReferencedModulesTelemetry } }] @@ -146,7 +145,7 @@ module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) i workspaceName: workspace.name tags: contains(dicom, 'tags') ? dicom.tags : {} publicNetworkAccess: contains(dicom, 'publicNetworkAccess') ? dicom.publicNetworkAccess : 'Disabled' - systemAssignedIdentity: contains(dicom, 'systemAssignedIdentity') ? dicom.systemAssignedIdentity : false + managedIdentities: contains(dicom, 'managedIdentities') ? dicom.managedIdentities : null corsOrigins: contains(dicom, 'corsOrigins') ? dicom.corsOrigins : [] corsHeaders: contains(dicom, 'corsHeaders') ? dicom.corsHeaders : [] corsMethods: contains(dicom, 'corsMethods') ? dicom.corsMethods : [] @@ -154,7 +153,6 @@ module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) i corsAllowCredentials: contains(dicom, 'corsAllowCredentials') ? dicom.corsAllowCredentials : false diagnosticSettings: dicom.?diagnosticSettings lock: dicom.?lock ?? lock - userAssignedIdentities: contains(dicom, 'userAssignedIdentities') ? dicom.userAssignedIdentities : {} enableDefaultTelemetry: enableReferencedModulesTelemetry } }] 
@@ -174,10 +172,9 @@ module workspace_iotconnector 'iotconnector/main.bicep' = [for (iotConnector, in } fhirdestination: contains(iotConnector, 'fhirdestination') ? iotConnector.fhirdestination : {} consumerGroup: contains(iotConnector, 'consumerGroup') ? iotConnector.consumerGroup : iotConnector.name - systemAssignedIdentity: contains(iotConnector, 'systemAssignedIdentity') ? iotConnector.systemAssignedIdentity : false + managedIdentities: contains(iotConnector, 'managedIdentities') ? iotConnector.managedIdentities : null diagnosticSettings: iotConnector.?diagnosticSettings lock: iotConnector.?lock ?? lock - userAssignedIdentities: contains(iotConnector, 'userAssignedIdentities') ? iotConnector.userAssignedIdentities : {} enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json index 2b5c5ad35c..9954e2db58 100644 --- a/modules/healthcare-apis/workspace/main.json +++ b/modules/healthcare-apis/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "984819413297046514" + "templateHash": "6558922436832597627" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", 
@@ -287,7 +287,7 @@ }, "tags": "[if(contains(parameters('fhirservices')[copyIndex()], 'tags'), createObject('value', parameters('fhirservices')[copyIndex()].tags), createObject('value', createObject()))]", "publicNetworkAccess": "[if(contains(parameters('fhirservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('fhirservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", - "systemAssignedIdentity": "[if(contains(parameters('fhirservices')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('fhirservices')[copyIndex()].systemAssignedIdentity), createObject('value', false()))]", + "managedIdentities": "[if(contains(parameters('fhirservices')[copyIndex()], 'managedIdentities'), createObject('value', parameters('fhirservices')[copyIndex()].managedIdentities), createObject('value', null()))]", "roleAssignments": "[if(contains(parameters('fhirservices')[copyIndex()], 'roleAssignments'), createObject('value', parameters('fhirservices')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "accessPolicyObjectIds": "[if(contains(parameters('fhirservices')[copyIndex()], 'accessPolicyObjectIds'), createObject('value', parameters('fhirservices')[copyIndex()].accessPolicyObjectIds), createObject('value', createArray()))]", "acrLoginServers": "[if(contains(parameters('fhirservices')[copyIndex()], 'acrLoginServers'), createObject('value', parameters('fhirservices')[copyIndex()].acrLoginServers), createObject('value', createArray()))]", 
@@ -312,7 +312,6 @@ "resourceVersionPolicy": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionPolicy'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionPolicy), createObject('value', 'versioned'))]", "resourceVersionOverrides": "[if(contains(parameters('fhirservices')[copyIndex()], 'resourceVersionOverrides'), createObject('value', parameters('fhirservices')[copyIndex()].resourceVersionOverrides), createObject('value', createObject()))]", "smartProxyEnabled": "[if(contains(parameters('fhirservices')[copyIndex()], 'smartProxyEnabled'), createObject('value', parameters('fhirservices')[copyIndex()].smartProxyEnabled), createObject('value', false()))]", - "userAssignedIdentities": "[if(contains(parameters('fhirservices')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('fhirservices')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -325,13 +324,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8392198431844501692" + "templateHash": "14914386228020873144" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -723,18 +745,10 @@ "description": "Optional. If the SMART on FHIR proxy is enabled." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -762,8 +776,8 @@ } } ], - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" }, 
@@ -929,12 +943,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('fhir', '2022-06-01', 'full').identity, 'principalId')), reference('fhir', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", 
@@ -982,7 +996,7 @@ }, "tags": "[if(contains(parameters('dicomservices')[copyIndex()], 'tags'), createObject('value', parameters('dicomservices')[copyIndex()].tags), createObject('value', createObject()))]", "publicNetworkAccess": "[if(contains(parameters('dicomservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('dicomservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", - "systemAssignedIdentity": "[if(contains(parameters('dicomservices')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('dicomservices')[copyIndex()].systemAssignedIdentity), createObject('value', false()))]", + "managedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'managedIdentities'), createObject('value', parameters('dicomservices')[copyIndex()].managedIdentities), createObject('value', null()))]", "corsOrigins": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsOrigins'), createObject('value', parameters('dicomservices')[copyIndex()].corsOrigins), createObject('value', createArray()))]", "corsHeaders": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsHeaders'), createObject('value', parameters('dicomservices')[copyIndex()].corsHeaders), createObject('value', createArray()))]", "corsMethods": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsMethods'), createObject('value', parameters('dicomservices')[copyIndex()].corsMethods), createObject('value', createArray()))]", @@ -994,7 +1008,6 @@ "lock": { "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'lock'), parameters('lock'))]" }, - "userAssignedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('dicomservices')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } 
@@ -1007,13 +1020,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2513018044740237283" + "templateHash": "4165874741118763430" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -1233,18 +1269,10 @@ "description": "Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -1263,8 +1291,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { 
@@ -1368,12 +1396,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('dicom', '2022-06-01', 'full').identity, 'principalId')), reference('dicom', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", 
@@ -1422,14 +1450,13 @@ "deviceMapping": "[if(contains(parameters('iotconnectors')[copyIndex()], 'deviceMapping'), createObject('value', parameters('iotconnectors')[copyIndex()].deviceMapping), createObject('value', createObject('templateType', 'CollectionContent', 'template', createArray())))]", "fhirdestination": "[if(contains(parameters('iotconnectors')[copyIndex()], 'fhirdestination'), createObject('value', parameters('iotconnectors')[copyIndex()].fhirdestination), createObject('value', createObject()))]", "consumerGroup": "[if(contains(parameters('iotconnectors')[copyIndex()], 'consumerGroup'), createObject('value', parameters('iotconnectors')[copyIndex()].consumerGroup), createObject('value', parameters('iotconnectors')[copyIndex()].name))]", - "systemAssignedIdentity": "[if(contains(parameters('iotconnectors')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('iotconnectors')[copyIndex()].systemAssignedIdentity), createObject('value', false()))]", + "managedIdentities": "[if(contains(parameters('iotconnectors')[copyIndex()], 'managedIdentities'), createObject('value', parameters('iotconnectors')[copyIndex()].managedIdentities), createObject('value', null()))]", "diagnosticSettings": { "value": "[tryGet(parameters('iotconnectors')[copyIndex()], 'diagnosticSettings')]" }, "lock": { "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'lock'), parameters('lock'))]" }, - "userAssignedIdentities": "[if(contains(parameters('iotconnectors')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('iotconnectors')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } 
@@ -1442,13 +1469,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2803151977387469601" + "templateHash": "9502385350114367681" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -1650,18 +1700,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -1680,8 +1722,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -1965,12 +2007,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('iotConnector', '2022-06-01', 'full').identity, 'principalId')), reference('iotConnector', '2022-06-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/.test/common/main.test.bicep index bac1970672..f41202d4d8 100644 --- a/modules/logic/workflow/.test/common/main.test.bicep +++ b/modules/logic/workflow/.test/common/main.test.bicep @@ -91,8 +91,10 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index ae95fecc20..c1fd8389ad 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -65,6 +65,11 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' 
@@ -77,9 +82,6 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } workflowActions: { HTTP: { inputs: { @@ -157,6 +159,13 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -173,11 +182,6 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "workflowActions": { "value": { "HTTP": { 
@@ -243,12 +247,11 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { | [`integrationServiceEnvironmentResourceId`](#parameter-integrationserviceenvironmentresourceid) | string | The integration service environment Id. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`state`](#parameter-state) | string | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`triggersAccessControlConfiguration`](#parameter-triggersaccesscontrolconfiguration) | object | The access control configuration for invoking workflow triggers. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`workflowActions`](#parameter-workflowactions) | object | The definitions for one or more actions to execute at workflow runtime. | | [`workflowEndpointsConfiguration`](#parameter-workflowendpointsconfiguration) | object | The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. 
| | [`workflowManagementAccessControlConfiguration`](#parameter-workflowmanagementaccesscontrolconfiguration) | object | The access control configuration for workflow management. | @@ -455,6 +458,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The logic app workflow name. @@ -537,13 +566,6 @@ The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. - Default: `'Enabled'` - Allowed: `[Completed, Deleted, Disabled, Enabled, NotSpecified, Suspended]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -558,13 +580,6 @@ The access control configuration for invoking workflow triggers. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `workflowActions` The definitions for one or more actions to execute at workflow runtime. 
@@ -623,7 +638,7 @@ The definitions for one or more triggers that instantiate your workflow. You can | `name` | string | The name of the logic app. | | `resourceGroupName` | string | The resource group the logic app was deployed into. | | `resourceId` | string | The resource ID of the logic app. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index fcd0e6e49c..42d7ede88b 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep @@ -20,11 +20,8 @@ param enableDefaultTelemetry bool = true @description('Optional. Parameters for the definition template.') param definitionParameters object = {} -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') +param managedIdentities managedIdentitiesType @description('Optional. The integration account.') param integrationAccount object = {} 
@@ -82,11 +79,11 @@ param workflowStaticResults object = {}
 @description('Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer.')
 param workflowTriggers object = {}
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var builtInRoleNames = {
@@ -205,7 +202,7 @@ output resourceGroupName string = resourceGroup().name
 output resourceId string = logicApp.id
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(logicApp.identity, 'principalId') ? logicApp.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(logicApp.identity, 'principalId') ? logicApp.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = logicApp.location
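Review bot: The `type:` line of the new `identity` variable does not enforce the "not both" contract the parameter description states — when a caller sets `systemAssigned: true` and also passes `userAssignedResourcesIds`, `type` becomes 'SystemAssigned' while `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so the user-assigned identities are silently dropped or, presumably, rejected by the resource provider rather than surfaced as a caller error. Conversely `managedIdentities: { systemAssigned: false }` passes `!empty(managedIdentities)` and yields `type: null` inside a non-null identity object, which the old `identityType != 'None'` guard never produced. Because the principal exposed by `systemAssignedMIPrincipalId` is what callers wire into role assignments, a misconfigured identity here is a privilege-assignment problem, not just a deployment nit. I would gate the object on the effective selection and reuse the `?? []` fallback from the line above: `var identity = (managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? {` and `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`, or fail the deployment outright when both are set.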
@@ -214,6 +211,14 @@ output location string = logicApp.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index 6842dd2538..fe4b5ccdc9 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6277976941114660068" + "templateHash": "16480420514715732092" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -253,18 +276,10 @@ "description": "Optional. Parameters for the definition template." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." } }, "integrationAccount": { 
@@ -386,8 +401,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", 
@@ -528,12 +543,12 @@ }, "value": "[resourceId('Microsoft.Logic/workflows', parameters('name'))]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('logicApp', '2019-05-01', 'full').identity, 'principalId')), reference('logicApp', '2019-05-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('logicApp', '2019-05-01', 'full').identity, 'principalId')), reference('logicApp', '2019-05-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/.test/common/main.test.bicep index 54219ea277..fa544e14f4 100644 --- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/common/main.test.bicep @@ -97,9 +97,11 @@ module testDeployment '../../main.bicep' = { } sku: 'Basic' // Must be false if `primaryUserAssignedIdentity` is provided - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } } ] @@ -145,9 +147,11 @@ module testDeployment '../../main.bicep' = { principalType: 'ServicePrincipal' } ] - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' 
diff --git a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep index fcf4a6a6b1..495c4a1b1e 100644 --- a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep @@ -79,10 +79,12 @@ module testDeployment '../../main.bicep' = { } } ] - // Must be false if `primaryUserAssignedIdentity` is provided - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + // systemAssigned must be false if `primaryUserAssignedIdentity` is provided + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/machine-learning-services/workspace/.test/min/main.test.bicep b/modules/machine-learning-services/workspace/.test/min/main.test.bicep index 8c8e79eeae..94dc5beaab 100644 --- a/modules/machine-learning-services/workspace/.test/min/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/min/main.test.bicep @@ -58,6 +58,8 @@ module testDeployment '../../main.bicep' = { associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId sku: 'Basic' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } } } diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 606d737fb8..7432a94b53 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md 
@@ -62,6 +62,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = description: 'Default CPU Cluster' disableLocalAuth: false location: 'westeurope' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } name: 'DefaultCPU' properties: { enableNodePublicIp: true @@ -77,10 +83,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = vmSize: 'STANDARD_DS11_V2' } sku: 'Basic' - systemAssignedIdentity: false - userAssignedIdentities: { - '': {} - } } ] description: 'The cake is a lie.' @@ -105,6 +107,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } primaryUserAssignedIdentity: '' privateEndpoints: [ { @@ -126,15 +134,11 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -176,6 +180,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "description": "Default CPU Cluster", "disableLocalAuth": false, "location": "westeurope", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, "name": "DefaultCPU", "properties": { "enableNodePublicIp": true, @@ -190,11 +200,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "vmPriority": "Dedicated", "vmSize": "STANDARD_DS11_V2" }, - "sku": "Basic", - "systemAssignedIdentity": false, - "userAssignedIdentities": { - "": {} - } + "sku": "Basic" } ] }, 
@@ -232,6 +238,14 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, "primaryUserAssignedIdentity": { "value": "" }, @@ -259,20 +273,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } ] }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -302,6 +308,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } primaryUserAssignedIdentity: '' privateEndpoints: [ { @@ -317,15 +329,11 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } } ] - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -371,6 +379,14 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, "primaryUserAssignedIdentity": { "value": "" }, @@ -390,20 +406,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } ] }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -433,7 +441,9 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = sku: 'Basic' // Non-required parameters enableDefaultTelemetry: '' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } } } ``` @@ -470,8 +480,10 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "enableDefaultTelemetry": { "value": "" }, - "systemAssignedIdentity": { - "value": true + "managedIdentities": { + "value": { + "systemAssigned": true + } } } } @@ -499,8 +511,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | :-- | :-- | :-- | | [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | [`primaryUserAssignedIdentity`](#parameter-primaryuserassignedidentity) | string | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | **Optional parameters** 
@@ -520,6 +530,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | [`imageBuildCompute`](#parameter-imagebuildcompute) | string | The compute name for image build. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -778,6 +789,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. At least one identity type is required. +- Required: Yes +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the machine learning workspace. @@ -1056,13 +1093,6 @@ Specifies the SKU, also referred as 'edition' of the Azure Machine Learning work - Type: string - Allowed: `[Basic, Free, Premium, Standard]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Resource tags. @@ -1070,13 +1100,6 @@ Resource tags. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -1084,9 +1107,9 @@ The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set | :-- | :-- | :-- | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the machine learning service. | -| `principalId` | string | The principal ID of the system assigned identity. | | `resourceGroupName` | string | The resource group the machine learning service was deployed into. | | `resourceId` | string | The resource ID of the machine learning service. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 78fb6a7eee..0e8ebdd101 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md 
@@ -42,12 +42,11 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Specifies the location of the resource. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`properties`](#parameter-properties) | object | The properties of the compute. Will be ignored in case "resourceId" is set. | | [`resourceId`](#parameter-resourceid) | string | ARM resource ID of the underlying compute. | | [`sku`](#parameter-sku) | string | Specifies the sku, also referred as "edition". Required for creating a compute resource. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | | [`tags`](#parameter-tags) | object | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | ### Parameter: `computeLocation` 
@@ -104,6 +103,32 @@ The name of the parent Machine Learning Workspace. Required if the template is u - Required: Yes - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the compute. @@ -132,13 +157,6 @@ Specifies the sku, also referred as "edition". Required for creating a compute r - Default: `''` - Allowed: `['', Basic, Free, Premium, Standard]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. @@ -146,13 +164,6 @@ Contains resource tags defined as key-value pairs. Ignored when attaching a comp - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -162,7 +173,7 @@ The ID(s) to assign to the resource. Ignored when attaching a compute resource, | `name` | string | The name of the compute. | | `resourceGroupName` | string | The resource group the compute was deployed into. | | `resourceId` | string | The resource ID of the compute. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep index 9d401399fa..c71f7bc3a0 100644 --- a/modules/machine-learning-services/workspace/compute/main.bicep +++ b/modules/machine-learning-services/workspace/compute/main.bicep @@ -7,6 +7,7 @@ metadata owner = 'Azure/module-maintainers' // ================ // // Parameters // // ================ // + @sys.description('Conditional. The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment.') param machineLearningWorkspaceName string 
@@ -67,26 +68,24 @@ param properties object = {}
 @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-// Identity
-@sys.description('Optional. Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
-param systemAssignedIdentity bool = false
-
-@sys.description('Optional. The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID.')
-param userAssignedIdentities object = {}
+@sys.description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 // ================//
 // Variables //
 // ================//
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : any(null)
-} : any(null)
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ?
formattedUserAssignedIdentities : null
+} : null
 
 // ============================= //
 // Existing resources references //
 // ============================= //
+
 resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' existing = {
 name: machineLearningWorkspaceName
 }
@@ -140,8 +139,20 @@ output resourceId string = machineLearningWorkspaceCompute.id
 @sys.description('The resource group the compute was deployed into.')
 output resourceGroupName string = resourceGroup().name
 
-@sys.description('The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID.')
-output systemAssignedPrincipalId string = empty(resourceId) ? (systemAssignedIdentity && contains(machineLearningWorkspaceCompute.identity, 'principalId') ? machineLearningWorkspaceCompute.identity.principalId : '') : ''
+@sys.description('The principal ID of the system assigned identity.')
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(machineLearningWorkspace.identity, 'principalId') ? machineLearningWorkspace.identity.principalId : ''
 
 @sys.description('The location the resource was deployed into.')
 output location string = machineLearningWorkspaceCompute.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type managedIdentitiesType = {
+ @sys.description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @sys.description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json
index 16e519cbef..c99c3b896e 100644
--- a/modules/machine-learning-services/workspace/compute/main.json
+++ b/modules/machine-learning-services/workspace/compute/main.json
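Review bot: In the new `identity` variable, `!empty(managedIdentities)` is true for `{ systemAssigned: false }`, which then produces `{ type: null, userAssignedIdentities: null }` instead of `null`; the removed `identityType != 'None'` guard never emitted an identity object without a type, so this is a behavioral change the commit does not mention and the provider will presumably reject it. The `type:` line also falls back to `?? {}` for an array-typed property while `formattedUserAssignedIdentities` on the line above uses `?? []`. I would derive the condition from the effective selection, `var identity = (managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? {`, and align both fallbacks on `?? []`. This hunk starts on the previous line.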
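Review bot: The rewritten `systemAssignedMIPrincipalId` output reads `machineLearningWorkspace.identity.principalId`, i.e. the parent workspace referenced as `existing`, whereas the removed line read it from `machineLearningWorkspaceCompute`, the resource this module actually deploys and the one that receives the `identity` variable. Any caller that feeds this output into a role assignment would therefore grant the role to the workspace's principal rather than the compute's, which is a least-privilege regression rather than a cosmetic rename. The `empty(resourceId)` guard was dropped as well, even though the compute's `identity` is set to null when a resource ID is attached (visible in the compiled main.json further down), so the lookup should stay conditional on it. I would restore both, `output systemAssignedMIPrincipalId string = empty(resourceId) && (managedIdentities.?systemAssigned ?? false) && contains(machineLearningWorkspaceCompute.identity, 'principalId') ? machineLearningWorkspaceCompute.identity.principalId : ''`, and keep the previous description's note that the value is empty when attaching an existing compute. The generated main.json would then need to be recompiled to match.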
@@ -1,16 +1,42 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12652944532720556326" + "templateHash": "12092776287732059217" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "machineLearningWorkspaceName": { "type": "string", 
@@ -121,27 +147,25 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 
'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "machineLearningWorkspace": { + "existing": true, + "type": "Microsoft.MachineLearningServices/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('machineLearningWorkspaceName')]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -155,7 +179,7 @@ } } }, - { + "machineLearningWorkspaceCompute": { "condition": "[equals(parameters('deployCompute'), true())]", "type": "Microsoft.MachineLearningServices/workspaces/computes", "apiVersion": "2022-10-01", 
@@ -164,9 +188,12 @@ "tags": "[if(empty(parameters('resourceId')), parameters('tags'), null())]", "sku": "[if(empty(parameters('resourceId')), createObject('name', parameters('sku'), 'tier', parameters('sku')), null())]", "identity": "[if(empty(parameters('resourceId')), variables('identity'), null())]", - "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]" + "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]", + "dependsOn": [ + "machineLearningWorkspace" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -189,19 +216,19 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { - "description": "The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID." + "description": "The principal ID of the system assigned identity." }, - "value": "[if(empty(parameters('resourceId')), if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').identity.principalId, ''), '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('machineLearningWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('machineLearningWorkspace', '2022-10-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 797ada84d9..b8595ee7a5 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep 
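Review bot: The new `systemAssignedMIPrincipalId` output reads `reference('machineLearningWorkspace', '2022-10-01', 'full').identity`, and `machineLearningWorkspace` is the `existing` parent workspace declared at the top of `resources`, so this compute module now returns the workspace's principal ID instead of the compute's own system-assigned identity; the replaced expression referenced the `workspaces/computes` resource. Any role assignment built on this output would target the wrong identity. The symbolic name should be `machineLearningWorkspaceCompute`, and since this file is compiled output the fix belongs in the compute module's main.bicep (not in this view) with main.json regenerated; the nested copy of the template in workspace/main.json (hunk `@@ -940,19 +983,19 @@`) carries the same expression. Dropping the old `empty(parameters('resourceId'))` guard also means an attached compute, whose `identity` is set to null on the resource, now goes through `contains(... .identity, 'principalId')`, which presumably fails on a null identity — worth confirming.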
@@ -56,12 +56,10 @@ param tags object = {} @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -// Identity -@sys.description('Conditional. Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided.') -param systemAssignedIdentity bool = false - -@sys.description('Conditional. The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false.') -param userAssignedIdentities object = {} +@sys.description('Optional. The managed identity definition for this resource. At least one identity type is required.') +param managedIdentities managedIdentitiesType = { + systemAssigned: true +} // Diagnostic Settings @@ -111,12 +109,12 @@ param publicNetworkAccess string = '' // ================// var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : any(null) -} : any(null) +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} : null // ================// // Deployments // 
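Review bot: `var identity` in the `@@ -111` hunk guards only on `!empty(managedIdentities)`, so an input such as `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }` yields `{ type: null, userAssignedIdentities: null }` where the removed `identityType != 'None'` check produced `null`; whether the resource provider rejects `type: null` or treats it as no identity, it is a behaviour change the commit does not mention. A guard on the effective identity restores the previous semantics, e.g. `var identity = (managedIdentities.?systemAssigned ?? false) || !empty(managedIdentities.?userAssignedResourcesIds ?? []) ? { ... } : null`. The same pattern appears in net-app-account main.bicep (`@@ -58` hunk) and application-gateway main.bicep (`@@ -183` hunk). Separately, the `type:` line falls back with `?? {}` while the line above uses `?? []` for the same array-typed property; `?? []` on both keeps the types consistent.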
@@ -198,8 +196,7 @@ module workspace_computes 'compute/main.bicep' = [for compute in computes: { name: compute.name location: compute.location sku: contains(compute, 'sku') ? compute.sku : '' - systemAssignedIdentity: contains(compute, 'systemAssignedIdentity') ? compute.systemAssignedIdentity : false - userAssignedIdentities: contains(compute, 'userAssignedIdentities') ? compute.userAssignedIdentities : {} + managedIdentities: contains(compute, 'managedIdentities') ? compute.managedIdentities : null tags: contains(compute, 'tags') ? compute.tags : {} deployCompute: contains(compute, 'deployCompute') ? compute.deployCompute : true computeLocation: contains(compute, 'computeLocation') ? compute.computeLocation : '' @@ -301,7 +298,7 @@ output resourceGroupName string = resourceGroup().name output name string = workspace.name @sys.description('The principal ID of the system assigned identity.') -output principalId string = (!empty(identity) && contains(identity.type, 'SystemAssigned')) ? workspace.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(workspace.identity, 'principalId') ? workspace.identity.principalId : '' @sys.description('The location the resource was deployed into.') output location string = workspace.location @@ -310,6 +307,14 @@ output location string = workspace.location // Definitions // // =============== // +type managedIdentitiesType = { + @sys.description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @sys.description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +} + type lockType = { @sys.description('Optional. Specify the name of lock.') name: string? diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index cd8fde75c5..e136bfc925 100644 
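Review bot: Renaming the output `principalId` to `systemAssignedMIPrincipalId` in the `@@ -301` hunk is a breaking change for any consumer reading `workspace.outputs.principalId`, and nothing in the hunk flags it; the module's version and changelog should record it alongside the parameter rename. The output description could also state the fallback value, e.g. `@sys.description('The principal ID of the system assigned identity. Empty string if no system-assigned identity was requested.')`. In the `@@ -198` hunk, passing `null` for `managedIdentities` when a compute entry has none relies on the compute module's type being nullable; the nested definition added in this commit marks it `"nullable": true`, so that matches.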
--- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,13 +6,35 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9862874616442885683" + "templateHash": "3846104626867448215" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + } + }, "lockType": { "type": "object", "properties": { @@ -464,18 +486,13 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Conditional. Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "defaultValue": { + "systemAssigned": true + }, "metadata": { - "description": "Conditional. The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false." + "description": "Optional. The managed identity definition for this resource. At least one identity type is required." } }, "diagnosticSettings": { 
@@ -569,8 +586,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "AzureML Compute Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", 
@@ -734,8 +751,7 @@ "value": "[parameters('computes')[copyIndex()].location]" }, "sku": "[if(contains(parameters('computes')[copyIndex()], 'sku'), createObject('value', parameters('computes')[copyIndex()].sku), createObject('value', ''))]", - "systemAssignedIdentity": "[if(contains(parameters('computes')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('computes')[copyIndex()].systemAssignedIdentity), createObject('value', false()))]", - "userAssignedIdentities": "[if(contains(parameters('computes')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('computes')[copyIndex()].userAssignedIdentities), createObject('value', createObject()))]", + "managedIdentities": "[if(contains(parameters('computes')[copyIndex()], 'managedIdentities'), createObject('value', parameters('computes')[copyIndex()].managedIdentities), createObject('value', null()))]", "tags": "[if(contains(parameters('computes')[copyIndex()], 'tags'), createObject('value', parameters('computes')[copyIndex()].tags), createObject('value', createObject()))]", "deployCompute": "[if(contains(parameters('computes')[copyIndex()], 'deployCompute'), createObject('value', parameters('computes')[copyIndex()].deployCompute), createObject('value', true()))]", "computeLocation": "[if(contains(parameters('computes')[copyIndex()], 'computeLocation'), createObject('value', parameters('computes')[copyIndex()].computeLocation), createObject('value', ''))]", 
@@ -751,17 +767,43 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12652944532720556326" + "templateHash": "12092776287732059217" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "machineLearningWorkspaceName": { "type": "string", 
@@ -872,27 +914,25 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource. Ignored when attaching a compute resource, i.e. when you provide a resource ID." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 
'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, - "resources": [ - { + "resources": { + "machineLearningWorkspace": { + "existing": true, + "type": "Microsoft.MachineLearningServices/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('machineLearningWorkspaceName')]" + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -906,7 +946,7 @@ } } }, - { + "machineLearningWorkspaceCompute": { "condition": "[equals(parameters('deployCompute'), true())]", "type": "Microsoft.MachineLearningServices/workspaces/computes", "apiVersion": "2022-10-01", 
@@ -915,9 +955,12 @@ "tags": "[if(empty(parameters('resourceId')), parameters('tags'), null())]", "sku": "[if(empty(parameters('resourceId')), createObject('name', parameters('sku'), 'tier', parameters('sku')), null())]", "identity": "[if(empty(parameters('resourceId')), variables('identity'), null())]", - "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]" + "properties": "[union(createObject('description', parameters('description'), 'disableLocalAuth', parameters('disableLocalAuth'), 'computeType', parameters('computeType')), if(not(empty(parameters('resourceId'))), createObject('resourceId', parameters('resourceId')), createObject('computeLocation', parameters('computeLocation'), 'properties', parameters('properties'))))]", + "dependsOn": [ + "machineLearningWorkspace" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -940,19 +983,19 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { - "description": "The principal ID of the system assigned identity. Is null in case of attaching a compute resource, i.e. when you provide a resource ID." + "description": "The principal ID of the system assigned identity." }, - "value": "[if(empty(parameters('resourceId')), if(and(parameters('systemAssignedIdentity'), contains(reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').identity, 'principalId')), reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').identity.principalId, ''), '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('machineLearningWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('machineLearningWorkspace', '2022-10-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces/computes', parameters('machineLearningWorkspaceName'), parameters('name')), '2022-10-01', 'full').location]" + "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" } } } 
@@ -1536,12 +1579,12 @@ }, "value": "[parameters('name')]" }, - "principalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(not(empty(variables('identity'))), contains(variables('identity').type, 'SystemAssigned')), reference('workspace', '2022-10-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('workspace', '2022-10-01', 'full').identity, 'principalId')), reference('workspace', '2022-10-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep index c80906d8fd..c58995a201 100644 --- a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep +++ b/modules/net-app/net-app-account/.test/nfs41/main.test.bicep @@ -138,8 +138,10 @@ module testDeployment '../../main.bicep' = { Role: 'DeploymentValidation' ServiceName: 'DeploymentValidation' } - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } } } diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index 8f0db1332a..38a316bf45 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -383,6 +383,11 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { } ] enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' 
@@ -399,9 +404,6 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 Role: 'DeploymentValidation'
 ServiceName: 'DeploymentValidation'
 }
- userAssignedIdentities: {
- '': {}
- }
 }
 }
 ```
@@ -500,6 +502,13 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 "enableDefaultTelemetry": {
 "value": ""
 },
+ "managedIdentities": {
+ "value": {
+ "userAssignedResourcesIds": [
+ ""
+ ]
+ }
+ },
 "roleAssignments": {
 "value": [
 {
@@ -519,11 +528,6 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 "Role": "DeploymentValidation",
 "ServiceName": "DeploymentValidation"
 }
- },
- "userAssignedIdentities": {
- "value": {
- "": {}
- }
 }
 }
 }
@@ -554,10 +558,10 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | | [`tags`](#parameter-tags) | object | Tags for all resources. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `capacityPools` 
@@ -642,6 +646,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` The name of the NetApp account. @@ -730,13 +752,6 @@ Tags for all resources. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep index 92f867153d..ffd5558bf5 100644 --- a/modules/net-app/net-app-account/main.bicep +++ b/modules/net-app/net-app-account/main.bicep @@ -27,8 +27,8 @@ param smbServerNamePrefix string = '' @description('Optional. Capacity pools to create.') param capacityPools array = [] -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType 
@@ -58,11 +58,11 @@ var activeDirectoryConnectionProperties = [ } ] -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -152,6 +152,11 @@ output location string = netAppAccount.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json index 72636832be..bba591714a 100644 --- a/modules/net-app/net-app-account/main.json +++ b/modules/net-app/net-app-account/main.json 
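Review bot: In the `@@ -152` hunk `managedIdentitiesType` declares `userAssignedResourcesIds: string[]` as a required member while its description says `Optional.`, and the generated README in this commit therefore renders `Required: Yes` next to an `Optional.` description. Either make the member optional (`userAssignedResourcesIds: string[]?`, matching the workspace module's definition in this commit) or drop `Optional.` from the description. The `@@ -58` hunk also falls back with `?? {}` on the `type:` line but `?? []` on the line above for the same array property. application-gateway main.bicep (`@@ -183` and `@@ -385` hunks) has the identical definition and fallback.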
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6454914933986539170" + "templateHash": "17236803464512744934" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -161,11 +176,10 @@ "description": "Optional. Capacity pools to create." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "roleAssignments": { 
@@ -214,8 +228,8 @@ "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]" } ], - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/.test/common/main.test.bicep index dd833556e4..8f81d6033f 100644 --- a/modules/network/application-gateway/.test/common/main.test.bicep +++ b/modules/network/application-gateway/.test/common/main.test.bicep 
@@ -430,8 +430,10 @@ module testDeployment '../../main.bicep' = {
 }
 }
 ]
- userAssignedIdentities: {
- '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ managedIdentities: {
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
 }
 rewriteRuleSets: [
 {
diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md
index bea07ec10b..88340aa660 100644
--- a/modules/network/application-gateway/README.md
+++ b/modules/network/application-gateway/README.md
@@ -238,6 +238,11 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
+ managedIdentities: {
+ userAssignedResourcesIds: [
+ ''
+ ]
+ }
 privateEndpoints: [
 {
 privateDnsZoneResourceIds: [
@@ -438,9 +443,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 'hidden-title': 'This is visible in the resource name'
 Role: 'DeploymentValidation'
 }
- userAssignedIdentities: {
- '': {}
- }
 webApplicationFirewallConfiguration: {
 disabledRuleGroups: [
 {
@@ -700,6 +702,13 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 "name": "myCustomLockName"
 }
 },
+ "managedIdentities": {
+ "value": {
+ "userAssignedResourcesIds": [
+ ""
+ ]
+ }
+ },
 "privateEndpoints": {
 "value": [
 {
@@ -920,11 +929,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =
 "Role": "DeploymentValidation"
 }
 },
- "userAssignedIdentities": {
- "value": {
- "": {}
- }
- },
 "webApplicationFirewallConfiguration": {
 "value": {
 "disabledRuleGroups": [
@@ -997,6 +1001,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`loadDistributionPolicies`](#parameter-loaddistributionpolicies) | array | Load distribution policies of the application gateway resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`privateLinkConfigurations`](#parameter-privatelinkconfigurations) | array | PrivateLink configurations on application gateway. | | [`probes`](#parameter-probes) | array | Probes of the application gateway resource. | @@ -1016,7 +1021,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`trustedClientCertificates`](#parameter-trustedclientcertificates) | array | Trusted client certificates of the application gateway resource. | | [`trustedRootCertificates`](#parameter-trustedrootcertificates) | array | Trusted Root certificates of the application gateway resource. | | [`urlPathMaps`](#parameter-urlpathmaps) | array | URL path map of the application gateway resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`webApplicationFirewallConfiguration`](#parameter-webapplicationfirewallconfiguration) | object | Application gateway web application firewall configuration. Should be configured for security reasons. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | 
@@ -1309,6 +1313,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` Name of the Application Gateway. @@ -1675,13 +1697,6 @@ URL path map of the application gateway resource. - Type: array - Default: `[]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `webApplicationFirewallConfiguration` Application gateway web application firewall configuration. Should be configured for security reasons. diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 98595f165f..32ab52f5e2 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep @@ -9,8 +9,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Authentication certificates of the application gateway resource.') param authenticationCertificates array = [] 
@@ -183,11 +183,11 @@ param zones array = []
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingType
 
-var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -385,6 +385,11 @@ output location string = applicationGateway.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index 7103d784b0..60170cfa02 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
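Review bot: In the new `identity` expression, a caller who passes `managedIdentities: { userAssignedResourcesIds: [] }` no longer gets `identity = null` (the old `'None'` path) but `{ type: null, userAssignedIdentities: null }`, because the outer guard tests `!empty(managedIdentities)` while `type` is derived from the inner array; a `null` identity type is presumably rejected or ignored by the provider and is unlikely to be what the caller meant. Driving the guard from the formatted map keeps the two in step: `var identity = !empty(formattedUserAssignedIdentities) ? {` / `  type: 'UserAssigned'` / `  userAssignedIdentities: formattedUserAssignedIdentities` with the existing `} : null`. The `?? {}` fallback in the `type` line is also an object default for a property declared as `string[]`; `?? []` matches the declared type and `empty()` treats both alike. The same shape appears in the firewall-policy hunk at `@@ -96,11 +96,11 @@`, and the `?? {}` fallback again in the purview hunk at `@@ -58,12 +58,12 @@`.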
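Review bot: `userAssignedResourcesIds: string[]` in the new `managedIdentitiesType` is non-nullable, so `managedIdentities: {}` does not compile and the generated README in this same PR lists the property as `Required: Yes` while its description starts with `Optional.`; the workspace module's type added by this PR declares it as `string[]?`. Changing the line to `userAssignedResourcesIds: string[]?` makes the modules agree with each other and with the `?? []` fallback already used in the `formattedUserAssignedIdentities` line. The firewall-policy type at `@@ -198,3 +198,12 @@` and the purview type at `@@ -293,12 +293,17 @@` carry the same declaration.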
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1471682538744123689" + "templateHash": "9820071049711446778" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -374,11 +389,10 @@ "description": "Optional. Location for all resources." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "authenticationCertificates": { 
@@ -743,8 +757,8 @@ } }, "variables": { - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 6c127c21e5..4e48c3b55c 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md 
@@ -248,6 +248,7 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { | [`ipAddresses`](#parameter-ipaddresses) | array | List of IP addresses for the ThreatIntel Allowlist. | | [`keyVaultSecretId`](#parameter-keyvaultsecretid) | string | Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. | | [`location`](#parameter-location) | string | Location for all resources. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`mode`](#parameter-mode) | string | The configuring of intrusion detection. | | [`privateRanges`](#parameter-privateranges) | array | List of private IP addresses/IP address ranges to not be SNAT. | | [`retentionDays`](#parameter-retentiondays) | int | Number of days the insights should be enabled on the policy. | @@ -257,7 +258,6 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | | [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. | | [`tier`](#parameter-tier) | string | Tier of Firewall Policy. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`workspaces`](#parameter-workspaces) | array | List of workspaces for Firewall Policy Insights. | ### Parameter: `allowSqlRedirect` 
@@ -352,6 +352,24 @@ Location for all resources. - Type: string - Default: `[resourceGroup().location]` +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `mode` The configuring of intrusion detection. @@ -424,13 +442,6 @@ Tier of Firewall Policy. - Default: `'Standard'` - Allowed: `[Premium, Standard]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `workspaces` List of workspaces for Firewall Policy Insights. diff --git a/modules/network/firewall-policy/main.bicep b/modules/network/firewall-policy/main.bicep index 13da1d1af1..6c4a638446 100644 --- a/modules/network/firewall-policy/main.bicep +++ b/modules/network/firewall-policy/main.bicep @@ -11,8 +11,8 @@ param location string = resourceGroup().location @description('Optional. Tags of the Firewall policy resource.') param tags object = {} -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Resource ID of the base policy.') param basePolicyResourceId string = '' 
@@ -96,11 +96,11 @@ param enableDefaultTelemetry bool = true
 @description('Optional. Rule collection groups.')
 param ruleCollectionGroups array = []
 
-var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -198,3 +198,12 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = firewallPolicy.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type managedIdentitiesType = {
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]
+}?
diff --git a/modules/network/firewall-policy/main.json b/modules/network/firewall-policy/main.json
index 466fff08d7..aa93b198e2 100644
--- a/modules/network/firewall-policy/main.json
+++ b/modules/network/firewall-policy/main.json
@@ -1,16 +1,34 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18116522930721554549" + "templateHash": "411576668957997252" }, "name": "Firewall Policies", "description": "This module deploys a Firewall Policy.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", @@ -32,11 +50,10 @@ "description": "Optional. Tags of the Firewall policy resource." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "basePolicyResourceId": { 
@@ -206,12 +223,12 @@ } }, "variables": { - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -225,7 +242,7 @@ } } }, - { + "firewallPolicy": { "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2023-04-01", "name": "[parameters('name')]", 
@@ -252,7 +269,7 @@ "transportSecurity": "[if(or(not(empty(parameters('keyVaultSecretId'))), not(empty(parameters('certificateName')))), createObject('certificateAuthority', createObject('keyVaultSecretId', if(not(empty(parameters('keyVaultSecretId'))), parameters('keyVaultSecretId'), null()), 'name', if(not(empty(parameters('certificateName'))), parameters('certificateName'), null()))), null())]" } }, - { + "firewallPolicy_ruleCollectionGroups": { "copy": { "name": "firewallPolicy_ruleCollectionGroups", "count": "[length(parameters('ruleCollectionGroups'))]", @@ -382,10 +399,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/firewallPolicies', parameters('name'))]" + "firewallPolicy" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -413,7 +430,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/firewallPolicies', parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('firewallPolicy', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/operational-insights/workspace/.test/adv/main.test.bicep b/modules/operational-insights/workspace/.test/adv/main.test.bicep index e5050aabd4..268d776147 100644 --- a/modules/operational-insights/workspace/.test/adv/main.test.bicep +++ b/modules/operational-insights/workspace/.test/adv/main.test.bicep @@ -295,8 +295,10 @@ module testDeployment '../../main.bicep' = { ] } ] - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/.test/common/main.test.bicep index e965cb4bcb..607cbbae50 100644 
--- a/modules/operational-insights/workspace/.test/common/main.test.bicep +++ b/modules/operational-insights/workspace/.test/common/main.test.bicep @@ -223,7 +223,9 @@ module testDeployment '../../main.bicep' = { Environment: 'Non-Prod' Role: 'DeploymentValidation' } - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 4975d90de3..7a39d99942 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -207,6 +207,11 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' savedSearches: [ @@ -285,9 +290,6 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } useResourcePermissions: true } } @@ -483,6 +485,13 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "publicNetworkAccessForIngestion": { "value": "Disabled" }, @@ -573,11 +582,6 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "useResourcePermissions": { "value": true } 
@@ -733,6 +737,9 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' roleAssignments: [ @@ -761,7 +768,6 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { ] } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -934,6 +940,11 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "publicNetworkAccessForIngestion": { "value": "Disabled" }, @@ -972,9 +983,6 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -1070,6 +1078,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { | [`linkedServices`](#parameter-linkedservices) | array | List of services to be linked. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | | [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Log Analytics ingestion. | | [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Log Analytics query. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -1077,10 +1086,8 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { | [`skuCapacityReservationLevel`](#parameter-skucapacityreservationlevel) | int | The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. | | [`skuName`](#parameter-skuname) | string | The name of the SKU. | | [`storageInsightsConfigs`](#parameter-storageinsightsconfigs) | array | List of storage accounts to be read by the workspace. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tables`](#parameter-tables) | array | LAW custom tables to be deployed. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`useResourcePermissions`](#parameter-useresourcepermissions) | bool | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | ### Parameter: `dailyQuotaGb` 
@@ -1295,6 +1302,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the Log Analytics workspace. @@ -1414,13 +1447,6 @@ List of storage accounts to be read by the workspace. - Type: array - Default: `[]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tables` LAW custom tables to be deployed. @@ -1435,13 +1461,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `useResourcePermissions` Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. 
@@ -1459,7 +1478,7 @@ Set to 'true' to use resource or workspace permissions and 'false' (or leave emp | `name` | string | The name of the deployed log analytics workspace. | | `resourceGroupName` | string | The resource group of the deployed log analytics workspace. | | `resourceId` | string | The resource ID of the deployed log analytics workspace. | -| `systemAssignedIdentityPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep index 687b0c94bf..6220a5deb5 100644 --- a/modules/operational-insights/workspace/main.bicep +++ b/modules/operational-insights/workspace/main.bicep @@ -73,11 +73,8 @@ param publicNetworkAccessForIngestion string = 'Enabled' ]) param publicNetworkAccessForQuery string = 'Enabled' -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') +param managedIdentities managedIdentitiesType @description('Optional. Set to \'true\' to use resource or workspace permissions and \'false\' (or leave empty) to require workspace permissions.') param useResourcePermissions bool = false 
@@ -102,11 +99,11 @@ param enableDefaultTelemetry bool = true
 
 var enableReferencedModulesTelemetry = false
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var builtInRoleNames = {
@@ -335,12 +332,20 @@ output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.properties.custome
 output location string = logAnalyticsWorkspace.location
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedIdentityPrincipalId string = systemAssignedIdentity && contains(logAnalyticsWorkspace.identity, 'principalId') ? logAnalyticsWorkspace.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(logAnalyticsWorkspace.identity, 'principalId') ? logAnalyticsWorkspace.identity.principalId : ''
 
 // =============== //
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
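Review bot: The parameter description states that system-assigned and user-assigned identities are mutually exclusive, but the new `identity` expression does not enforce it: with both `systemAssigned: true` and a non-empty `userAssignedResourcesIds`, `type` resolves to `'SystemAssigned'` while `userAssignedIdentities` is still populated, so the request carries a user-assigned map under a system-assigned type, which is presumably rejected or silently dropped by the provider. The previous code had the same precedence, so this is a pre-existing gap the rewrite could close, either by emitting `'SystemAssigned,UserAssigned'` as the purview module in this PR does, or by suppressing the map when system-assigned wins: `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`. Separately, because both properties of the type are optional, `managedIdentities: { systemAssigned: false }` is non-empty and yields `{ type: null, userAssignedIdentities: null }` instead of `null`; deriving the outer guard from the resolved type rather than from `!empty(managedIdentities)` avoids that.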
diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index 3bc1884eea..19df45d446 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "535028874764214077" + "templateHash": "12796424281221754385" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -346,18 +369,10 @@ "description": "Optional. The network access type for accessing Log Analytics query." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." } }, "useResourcePermissions": { 
@@ -409,8 +424,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", 
@@ -1862,12 +1877,12 @@ }, "value": "[reference('logAnalyticsWorkspace', '2022-10-01', 'full').location]" }, - "systemAssignedIdentityPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity, 'principalId')), reference('logAnalyticsWorkspace', '2022-10-01', 'full').identity.principalId, '')]" } } } \ No newline at end of file diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/.test/common/main.test.bicep index 162aa96a6b..5dfc03d500 100644 --- a/modules/purview/account/.test/common/main.test.bicep +++ b/modules/purview/account/.test/common/main.test.bicep @@ -72,8 +72,10 @@ module testDeployment '../../main.bicep' = { Environment: 'Non-Prod' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' publicNetworkAccess: 'Disabled' diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index be248ec0f3..152f7ba851 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md 
@@ -96,6 +96,11 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } managedResourceGroupName: 'pvacom001-managed-rg' portalPrivateEndpoints: [ { @@ -152,9 +157,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -236,6 +238,13 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedResourceGroupName": { "value": "pvacom001-managed-rg" }, @@ -305,11 +314,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -389,6 +393,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | 
@@ -396,7 +401,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | [`storageBlobPrivateEndpoints`](#parameter-storageblobprivateendpoints) | array | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | | [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `accountPrivateEndpoints` @@ -568,6 +572,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `managedResourceGroupName` The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. @@ -685,13 +707,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -705,7 +720,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the Purview Account. | | `resourceGroupName` | string | The resource group the Purview Account was deployed into. | | `resourceId` | string | The resource ID of the Purview Account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index ad6ce7da95..8410915c30 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep @@ -13,8 +13,8 @@ param location string = resourceGroup().location @description('Optional. Tags of the resource.') param tags object = {} -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.') param managedResourceGroupName string = 'managed-rg-${name}' 
@@ -58,12 +58,12 @@ param lock lockType // Variables // // =========== // -var identityType = !empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : null +var identity = { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null +} var enableReferencedModulesTelemetry = false @@ -91,7 +91,7 @@ resource account 'Microsoft.Purview/accounts@2021-07-01' = { name: name location: location tags: tags - identity: any(identity) + identity: identity properties: { cloudConnectors: {} managedResourceGroupName: managedResourceGroupName @@ -293,12 +293,17 @@ output managedStorageAccountId string = account.properties.managedResources.stor output managedEventHubId string = account.properties.managedResources.eventHubNamespace @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = account.identity.principalId +output systemAssignedMIPrincipalId string = contains(account.identity, 'principalId') ? account.identity.principalId : '' // =============== // // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index d76b19e9d5..47a49e254a 100644 
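Review bot: In the `@@ -293,12 +293,17 @@` hunk, `managedIdentitiesType` declares `userAssignedResourcesIds: string[]` without `?`, so the generated README in this commit lists the member as `Required: Yes` while its own description says `Optional.`, and the `identity` variable already tolerates its absence through `managedIdentities.?userAssignedResourcesIds ?? []`. Declaring it as `userAssignedResourcesIds: string[]?`, as the recovery-services vault definition in this same commit does, makes the type, the README and the `.?` access agree; the deployment-script `main.bicep` carries the same non-nullable member and would need the same change. Separately, the `type:` line of `identity` falls back with `?? {}` for an array while the line above uses `?? []`; `!empty(managedIdentities.?userAssignedResourcesIds ?? [])` keeps the fallback type consistent. The compiled `main.json` would need regenerating after either change.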
--- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json @@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13668353398980769357" + "templateHash": "18408981482699771035" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -234,11 +249,10 @@ "description": "Optional. Tags of the resource." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "managedResourceGroupName": { 
@@ -322,8 +336,11 @@ } }, "variables": { - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": { + "type": "[if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" + }, "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -3133,12 +3150,12 @@ }, "value": "[reference('account').managedResources.eventHubNamespace]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[reference('account', '2021-07-01', 'full').identity.principalId]" + "value": "[if(contains(reference('account', '2021-07-01', 'full').identity, 'principalId'), reference('account', '2021-07-01', 'full').identity.principalId, '')]" } } } \ No newline at end of file diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/.test/common/main.test.bicep index 942b0c01bf..81d25194c7 100644 
--- a/modules/recovery-services/vault/.test/common/main.test.bicep +++ b/modules/recovery-services/vault/.test/common/main.test.bicep @@ -330,6 +330,12 @@ module testDeployment '../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index b30ccb22f9..5258daf120 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -316,6 +316,12 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } monitoringSettings: { azureMonitorAlertSettings: { alertsForAllJobFailures: 'Enabled' @@ -651,6 +657,14 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "monitoringSettings": { "value": { "azureMonitorAlertSettings": { 
@@ -954,6 +968,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`monitoringSettings`](#parameter-monitoringsettings) | object | Monitoring Settings of the vault. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`protectionContainers`](#parameter-protectioncontainers) | array | List of all protection containers. | @@ -963,9 +978,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`replicationPolicies`](#parameter-replicationpolicies) | array | List of all replication policies. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `backupConfig` 
@@ -1144,6 +1157,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `monitoringSettings` Monitoring Settings of the vault. @@ -1436,13 +1475,6 @@ Security Settings of the vault. - Type: object - Default: `{object}` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the Recovery Service Vault resource. @@ -1450,13 +1482,6 @@ Tags of the Recovery Service Vault resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -1466,7 +1491,7 @@ The ID(s) to assign to the resource. | `name` | string | The Name of the recovery services vault. | | `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | | `resourceId` | string | The resource ID of the recovery services vault. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index 708723f4f4..623b3ddad7 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep @@ -44,11 +44,8 @@ param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Tags of the Recovery Service Vault resource.') param tags object = {} 
@@ -69,11 +66,11 @@ param securitySettings object = {} ]) param publicNetworkAccess string = 'Disabled' -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -293,7 +290,7 @@ output resourceGroupName string = resourceGroup().name output name string = rsv.name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(rsv.identity, 'principalId') ? rsv.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(rsv.identity, 'principalId') ? rsv.identity.principalId : '' @description('The location the resource was deployed into.') output location string = rsv.location 
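Review bot: The new `identity` variable in the `@@ -69,11 +66,11 @@` hunk guards only on `!empty(managedIdentities)`, so a caller passing `managedIdentities: { systemAssigned: false }` or an empty `userAssignedResourcesIds` array produces `{ type: null, userAssignedIdentities: null }` where the removed `identityType != 'None'` guard produced `null`. Whether the resource provider accepts an identity object without a `type` is not visible here; if it does not, callers that pass the object with both members disabled regress. Deriving the guard from the computed values restores the old behaviour, and the deployment-script `main.bicep` identity variable in this commit has the same shape. The `rsv` resource that consumes `identity` is outside the hunk.
```bicep
// … unchanged: formattedUserAssignedIdentities …

var systemAssignedEnabled = managedIdentities.?systemAssigned ?? false

var identity = (systemAssignedEnabled || !empty(formattedUserAssignedIdentities)) ? {
  type: systemAssignedEnabled ? (!empty(formattedUserAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : 'UserAssigned'
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```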
@@ -302,6 +299,14 @@ output location string = rsv.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index 6fddf5168d..db634c5922 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15528544750404538266" + "templateHash": "18413268993568593224" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -451,18 +474,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "tags": { 
@@ -505,8 +520,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", 
@@ -2741,12 +2756,12 @@ }, "value": "[parameters('name')]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('rsv', '2023-01-01', 'full').identity, 'principalId')), reference('rsv', '2023-01-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('rsv', '2023-01-01', 'full').identity, 'principalId')), reference('rsv', '2023-01-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/resources/deployment-script/.test/cli/main.test.bicep b/modules/resources/deployment-script/.test/cli/main.test.bicep index 9c2194b2cc..6f72c40370 100644 --- a/modules/resources/deployment-script/.test/cli/main.test.bicep +++ b/modules/resources/deployment-script/.test/cli/main.test.bicep @@ -58,8 +58,10 @@ module testDeployment '../../main.bicep' = { scriptContent: 'echo \'echo echo echo\'' storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId timeout: 'PT30M' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/resources/deployment-script/.test/ps/main.test.bicep b/modules/resources/deployment-script/.test/ps/main.test.bicep index 00cea68eaf..96ae61a018 100644 --- a/modules/resources/deployment-script/.test/ps/main.test.bicep +++ b/modules/resources/deployment-script/.test/ps/main.test.bicep 
@@ -62,8 +62,10 @@ module testDeployment '../../main.bicep' = { scriptContent: 'Write-Host \'The cake is a lie!\'' storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId timeout: 'PT30M' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 35e3486eb6..2d19703a31 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -57,6 +57,11 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { ] } kind: 'AzureCLI' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } retentionInterval: 'P1D' runOnce: false scriptContent: 'echo \'echo echo echo\'' @@ -67,9 +72,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { Role: 'DeploymentValidation' } timeout: 'PT30M' - userAssignedIdentities: { - '': {} - } } } ``` @@ -117,6 +119,13 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { "kind": { "value": "AzureCLI" }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "retentionInterval": { "value": "P1D" }, @@ -138,11 +147,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { }, "timeout": { "value": "PT30M" - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -172,6 +176,11 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } retentionInterval: 'P1D' runOnce: false scriptContent: 'Write-Host \'The cake is a lie!\'' 
@@ -182,9 +191,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { Role: 'DeploymentValidation' } timeout: 'PT30M' - userAssignedIdentities: { - '': {} - } } } ``` @@ -224,6 +230,13 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "retentionInterval": { "value": "P1D" }, @@ -245,11 +258,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { }, "timeout": { "value": "PT30M" - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -281,6 +289,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { | [`kind`](#parameter-kind) | string | Type of the script. AzurePowerShell, AzureCLI. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`primaryScriptUri`](#parameter-primaryscripturi) | string | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | | [`retentionInterval`](#parameter-retentioninterval) | string | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | | [`runOnce`](#parameter-runonce) | bool | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | 
@@ -289,7 +298,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { | [`supportingScriptUris`](#parameter-supportingscripturis) | array | List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`timeout`](#parameter-timeout) | string | Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | **Generated parameters** @@ -396,6 +404,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `name` Display name of the script to be run. @@ -458,13 +484,6 @@ Maximum allowed script execution time specified in ISO 8601 format. Default valu - Type: string - Default: `'PT1H'` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep index f596af33f9..4e1f4c7062 100644 --- a/modules/resources/deployment-script/main.bicep +++ b/modules/resources/deployment-script/main.bicep 
@@ -5,8 +5,8 @@ metadata owner = 'Azure/module-maintainers' @description('Required. Display name of the script to be run.') param name string -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Location for all resources.') param location string = resourceGroup().location @@ -79,11 +79,11 @@ var containerSettings = { containerGroupName: containerGroupName } -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var storageAccountSettings = !empty(storageAccountResourceId) ? { @@ -154,6 +154,11 @@ output outputs object = contains(deploymentScript.properties, 'outputs') ? deplo // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[] +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json index fc7ac9db4a..d2af767dcd 100644 --- a/modules/resources/deployment-script/main.json +++ b/modules/resources/deployment-script/main.json 
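Review bot: The new `@description` on `managedIdentities` in the `@@ -5,8 +5,8 @@` hunk says only that it is the managed identity definition, which for a deployment script understates what the parameter controls: the script body supplied through `scriptContent` or `primaryScriptUri` (both outside this hunk) runs with whatever role assignments the user-assigned identity holds. A reader choosing the identity would be served by `@description('Optional. The managed identity definition for this resource. The script executes with the role assignments of the user-assigned identity supplied here, so grant it only the permissions the script needs.')`, with matching wording on the `userAssignedResourcesIds` member of `managedIdentitiesType` in the `@@ -154,6 +154,11 @@` hunk. The type correctly omits a `systemAssigned` member, since the removed `identityType` only ever produced `'UserAssigned'` or `'None'` for this module.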
@@ -6,13 +6,28 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2858511394966028740" + "templateHash": "10287022408270224079" }, "name": "Deployment Scripts", "description": "This module deploys a Deployment Script.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -46,11 +61,10 @@ "description": "Required. Display name of the script to be run." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "location": { 
@@ -199,8 +213,8 @@ "containerSettings": { "containerGroupName": "[parameters('containerGroupName')]" }, - "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/.test/common/main.test.bicep index 69b3722a94..1190190f6e 100644 --- a/modules/search/search-service/.test/common/main.test.bicep +++ b/modules/search/search-service/.test/common/main.test.bicep @@ -77,7 +77,9 @@ module testDeployment '../../main.bicep' = { hostingMode: 'highDensity' partitionCount: 2 replicaCount: 3 - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 268380a6de..e116efe345 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md 
@@ -77,6 +77,9 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } networkRuleSet: { ipRules: [ { @@ -102,7 +105,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { } ] sku: 'standard3' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -170,6 +172,11 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "networkRuleSet": { "value": { "ipRules": [ @@ -205,9 +212,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { "sku": { "value": "standard3" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -412,6 +416,7 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { | [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`networkRuleSet`](#parameter-networkruleset) | object | Network specific rules that determine how the Azure Cognitive Search service may be reached. | | [`partitionCount`](#parameter-partitioncount) | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | 
@@ -420,7 +425,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. | | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags to help categorize the resource in the Azure portal. | ### Parameter: `authOptions` 
@@ -609,6 +613,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + ### Parameter: `name` The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. @@ -895,13 +917,6 @@ Defines the SKU of an Azure Cognitive Search Service, which determines price tie - Default: `'standard'` - Allowed: `[basic, free, standard, standard2, standard3, storage_optimized_l1, storage_optimized_l2]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags to help categorize the resource in the Azure portal. @@ -918,6 +933,7 @@ Tags to help categorize the resource in the Azure portal. | `name` | string | The name of the search service. | | `resourceGroupName` | string | The name of the resource group the search service was created in. | | `resourceId` | string | The resource ID of the search service. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules 
diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep
index 063f199ee2..5597e7b853 100644
--- a/modules/search/search-service/main.bicep
+++ b/modules/search/search-service/main.bicep
@@ -80,8 +80,8 @@ param roleAssignments roleAssignmentType
 ])
 param sku string = 'standard'
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingType
@@ -95,10 +95,8 @@ param tags object = {}
 
 var enableReferencedModulesTelemetry = false
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : 'None'
-
-var identity = identityType != 'None' ? {
-  type: identityType
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : null
 } : null
 
 // =============== //
@@ -253,6 +251,9 @@ output resourceId string = searchService.id
 @description('The name of the resource group the search service was created in.')
 output resourceGroupName string = resourceGroup().name
 
+@description('The principal ID of the system assigned identity.')
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(searchService.identity, 'principalId') ? searchService.identity.principalId : ''
+
 @description('The location the resource was deployed into.')
 output location string = searchService.location
 
@@ -260,6 +261,11 @@ output location string = searchService.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+  @description('Optional. Enables system assigned managed identity on the resource.')
+  systemAssigned: bool?
+}?
+
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?
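Review bot: In the `@@ -95,10 +95,8 @@` hunk, `identity` now evaluates to `{ type: null }` whenever `managedIdentities` is supplied but `systemAssigned` is false or absent (e.g. `managedIdentities: {}`), where the old `identityType != 'None'` guard produced `null` for that case. As far as I know ARM strips null-valued properties before the PUT, so the resource body would carry an empty `identity` object rather than no identity at all; I have not checked how the Search RP treats that, but it is at best a silent no-op and at worst a validation error. Since this module only supports a system-assigned identity, the variable can be collapsed to `var identity = (managedIdentities.?systemAssigned ?? false) ? { type: 'SystemAssigned' } : null`, which keeps the "no identity means null" contract of the old code. The same pattern is repeated in the generated `main.json` variable for this module, so it should be regenerated after the fix.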
diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index c40e5596be..b7467ad1f0 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -6,13 +6,26 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "416393199352439530" + "templateHash": "6839264843077014016" }, "name": "Search Services", "description": "This module deploys a Search Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -495,11 +508,10 @@ "description": "Optional. Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." + "description": "Optional. The managed identity definition for this resource." } }, "diagnosticSettings": { 
@@ -518,8 +530,7 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', 'None')]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType')), null())]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", @@ -1347,6 +1358,13 @@ }, "value": "[resourceGroup().name]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('searchService', '2022-09-01', 'full').identity, 'principalId')), reference('searchService', '2022-09-01', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/.test/common/main.test.bicep index 02fee0b4ea..b5f4fed0fa 100644 --- a/modules/service-bus/namespace/.test/common/main.test.bicep +++ b/modules/service-bus/namespace/.test/common/main.test.bicep @@ -213,9 +213,11 @@ module testDeployment '../../main.bicep' = { } } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } disableLocalAuth: true publicNetworkAccess: 'Enabled' 
diff --git a/modules/service-bus/namespace/.test/encr/main.test.bicep b/modules/service-bus/namespace/.test/encr/main.test.bicep index c88e244f39..e1f3da9f89 100644 --- a/modules/service-bus/namespace/.test/encr/main.test.bicep +++ b/modules/service-bus/namespace/.test/encr/main.test.bicep @@ -100,9 +100,11 @@ module testDeployment '../../main.bicep' = { ] } ] - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKKeyName: nestedDependencies.outputs.keyName diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 13de5e2461..877ff238b5 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -95,6 +95,12 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } minimumTlsVersion: '1.2' networkRuleSets: { defaultAction: 'Deny' @@ -172,7 +178,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] skuCapacity: 2 skuName: 'Premium' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -207,9 +212,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] } ] - userAssignedIdentities: { - '': {} - } zoneRedundant: true } } @@ -279,6 +281,14 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "minimumTlsVersion": { "value": "1.2" }, 
@@ -374,9 +384,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "skuName": { "value": "Premium" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -415,11 +422,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { } ] }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "zoneRedundant": { "value": true } @@ -464,6 +466,12 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } networkRuleSets: { defaultAction: 'Deny' ipRules: [ @@ -492,15 +500,11 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { } ] skuName: 'Premium' - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -553,6 +557,14 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, "networkRuleSets": { "value": { "defaultAction": "Deny", @@ -587,20 +599,12 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "skuName": { "value": "Premium" }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -780,6 +784,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`migrationConfigurations`](#parameter-migrationconfigurations) | object | The migration configuration. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | The minimum TLS version for the cluster to support. | | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | 
@@ -791,10 +796,8 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`skuCapacity`](#parameter-skucapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. | | [`skuName`](#parameter-skuname) | string | Name of this SKU. - Basic, Standard, Premium. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`topics`](#parameter-topics) | array | The topics to create in the service bus namespace. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | ### Parameter: `alternateName` 
@@ -1009,6 +1012,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `migrationConfigurations` The migration configuration. @@ -1318,13 +1347,6 @@ Name of this SKU. - Basic, Standard, Premium. - Default: `'Basic'` - Allowed: `[Basic, Premium, Standard]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1339,13 +1361,6 @@ The topics to create in the service bus namespace. - Type: array - Default: `[]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `zoneRedundant` Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. 
@@ -1362,7 +1377,7 @@ Enabling this property creates a Premium Service Bus Namespace in regions suppor | `name` | string | The name of the deployed service bus namespace. | | `resourceGroupName` | string | The resource group of the deployed service bus namespace. | | `resourceId` | string | The resource ID of the deployed service bus namespace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index 87ecd77360..b78edd738f 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep @@ -69,11 +69,8 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType 
@@ -123,11 +120,11 @@ param cMKUserAssignedIdentityResourceId string = ''
 @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = true
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
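Review bot: The new `type` expression falls through to `null` when `managedIdentities` is non-empty but `systemAssigned` is false and `userAssignedResourcesIds` is empty or absent, whereas the old `'None'` sentinel caused the whole `identity` object to be dropped; the result is an identity block of `{ type: null, userAssignedIdentities: null }`, and as far as I know ARM strips null properties, so the namespace is sent an empty `identity` object. The `?? {}` fallback on an array-typed property is also inconsistent with the `?? []` used one line above for `formattedUserAssignedIdentities`, and the optional chain is evaluated three times where one variable would do. Re-introducing an `identityType` variable derived from `formattedUserAssignedIdentities` restores the old guard and removes the repetition. Separately, nothing in this module (the `cMKUserAssignedIdentityResourceId` parameter sits outside the hunk) checks that the CMK identity is also listed in `userAssignedResourcesIds`; a one-line comment on the type definition, `// The identity referenced by cMKUserAssignedIdentityResourceId must also be listed here.`, would save a confusing deployment failure.
```bicep
var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }

var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(formattedUserAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(formattedUserAssignedIdentities) ? 'UserAssigned' : 'None')

var identity = identityType != 'None' ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```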
@@ -393,7 +390,7 @@ output resourceGroupName string = resourceGroup().name
 output name string = serviceBusNamespace.name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(serviceBusNamespace.identity, 'principalId') ? serviceBusNamespace.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(serviceBusNamespace.identity, 'principalId') ? serviceBusNamespace.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = serviceBusNamespace.location
@@ -402,6 +399,14 @@ output location string = serviceBusNamespace.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+  @description('Optional. Enables system assigned managed identity on the resource.')
+  systemAssigned: bool?
+
+  @description('Optional. The resource ID(s) to assign to the resource.')
+  userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index cc90af1105..5f9e473ae2 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5514287730537410098" + "templateHash": "14764861552700304868" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -477,18 +500,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "roleAssignments": { 
@@ -595,8 +610,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", 
@@ -2972,12 +2987,12 @@ }, "value": "[parameters('name')]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity, 'principalId')), reference('serviceBusNamespace', '2022-10-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep index 93a4cde2c8..cc53d47085 100644 --- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep @@ -107,7 +107,9 @@ module testDeployment '../../main.bicep' = { } ] sku: 'Standard_S1' - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index a1f443b2f3..802630e972 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -58,6 +58,9 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + } networkAcls: { defaultAction: 'Allow' privateEndpoints: [ 
@@ -103,7 +106,6 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { } ] sku: 'Standard_S1' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -154,6 +156,11 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "networkAcls": { "value": { "defaultAction": "Allow", @@ -209,9 +216,6 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "sku": { "value": "Standard_S1" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -383,15 +387,14 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location for the resource. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | | [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| | [`sku`](#parameter-sku) | string | Pricing tier of the resource. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `capacity` @@ -462,6 +465,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the Web PubSub Service resource. @@ -735,13 +764,6 @@ Pricing tier of the resource. - Default: `'Standard_S1'` - Allowed: `[Free_F1, Standard_S1]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. 
@@ -749,13 +771,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs @@ -769,6 +784,7 @@ The ID(s) to assign to the resource. | `resourceGroupName` | string | The Web PubSub resource group. | | `resourceId` | string | The Web PubSub resource ID. | | `serverPort` | int | The Web PubSub serverPort. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 49fdc78208..70b93a62d7 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep @@ -30,11 +30,8 @@ param capacity int = 1 @description('Optional. Pricing tier of the resource.') param sku string = 'Standard_S1' -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.') +param managedIdentities managedIdentitiesType @description('Optional. When set as true, connection with AuthType=aad won\'t work.') param disableAadAuth bool = false 
@@ -69,19 +66,19 @@ param networkAcls object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var enableReferencedModulesTelemetry = false
+
 var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: {
   name: configuration
   enabled: 'true'
 }]
 
-var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
-
-var enableReferencedModulesTelemetry = false
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
-}
+var identity = !empty(managedIdentities) ? {
+  type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+} : null
 
 var builtInRoleNames = {
   Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
@@ -203,6 +200,9 @@ output publicPort int = webPubSub.properties.publicPort
 @description('The Web PubSub serverPort.')
 output serverPort int = webPubSub.properties.serverPort
 
+@description('The principal ID of the system assigned identity.')
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(webPubSub.identity, 'principalId') ? webPubSub.identity.principalId : ''
+
 @description('The location the resource was deployed into.')
 output location string = webPubSub.location
 
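Review bot: The parameter description added in the preceding hunk says system- and user-assigned identities are mutually exclusive for this resource, but the `identity` variable in the `@@ -69,19 +66,19 @@` hunk still emits `userAssignedIdentities` when `systemAssigned` is true, so a caller who sets both gets `{ type: 'SystemAssigned', userAssignedIdentities: { ... } }` sent to the RP instead of either an error or a clean single-identity payload. If the module is going to resolve the conflict in favour of system-assigned, the map should be suppressed in that case, e.g. `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`, and the description should say which one wins. As in the other modules in this commit, `type` becomes `null` when `managedIdentities` is passed with neither option enabled; the old code always sent `type: 'None'`, which may be what the Web PubSub RP expects for "no identity", so that path is worth a deployment test before this ships. The `?? {}` default on `userAssignedResourcesIds` (declared as `string[]?`) should also match the `?? []` used two lines above for `formattedUserAssignedIdentities`.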
@@ -210,6 +210,14 @@ output location string = webPubSub.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index 224d8e6108..aa1f93b682 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17322937752748327397" + "templateHash": "12261287441324704754" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
@@ -311,18 +334,10 @@ "description": "Optional. Pricing tier of the resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." } }, "disableAadAuth": { 
@@ -398,12 +413,9 @@ } } ], - "identityType": "[if(parameters('systemAssignedIdentity'), 'SystemAssigned', if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", "enableReferencedModulesTelemetry": false, - "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())]" - }, + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -1098,6 +1110,13 @@ }, "value": "[reference('webPubSub').serverPort]" }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('webPubSub', '2021-10-01', 'full').identity, 'principalId')), reference('webPubSub', '2021-10-01', 'full').identity.principalId, '')]" + }, "location": { "type": "string", "metadata": { diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/.test/common/main.test.bicep index 64c6288ad0..d5222b8617 100644 --- a/modules/sql/managed-instance/.test/common/main.test.bicep +++ b/modules/sql/managed-instance/.test/common/main.test.bicep @@ -154,11 +154,13 @@ module testDeployment '../../main.bicep' = { skuName: 'GP_Gen5' skuTier: 'GeneralPurpose' storageSizeInGB: 32 - systemAssignedIdentity: true - timezoneId: 'UTC' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } + timezoneId: 'UTC' vCores: 4 vulnerabilityAssessmentsObj: { emailSubscriptionAdmins: true diff --git a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep index aecb08b1b7..bbe2806291 100644 --- a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep +++ b/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep @@ -60,7 +60,9 @@ module testDeployment '../../main.bicep' = { administratorLogin: 'adminUserName' administratorLoginPassword: password subnetId: nestedDependencies.outputs.subnetResourceId - systemAssignedIdentity: true + managedIdentities: { + systemAssigned: true + } securityAlertPoliciesObj: { emailAccountAdmins: true name: 'default' 
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 0c6387413b..aa416f045a 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -113,6 +113,12 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } primaryUserAssignedIdentityId: '' proxyOverride: 'Proxy' publicDataEndpointEnabled: false @@ -132,11 +138,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { skuName: 'GP_Gen5' skuTier: 'GeneralPurpose' storageSizeInGB: 32 - systemAssignedIdentity: true timezoneId: 'UTC' - userAssignedIdentities: { - '': {} - } vCores: 4 vulnerabilityAssessmentsObj: { emailSubscriptionAdmins: true @@ -255,6 +257,14 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "primaryUserAssignedIdentityId": { "value": "" }, @@ -292,17 +302,9 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "storageSizeInGB": { "value": 32 }, - "systemAssignedIdentity": { - "value": true - }, "timezoneId": { "value": "UTC" }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "vCores": { "value": 4 }, @@ -407,12 +409,14 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { subnetId: '' // Non-required parameters enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + } securityAlertPoliciesObj: { emailAccountAdmins: true name: 'default' state: 'Enabled' } - systemAssignedIdentity: true vulnerabilityAssessmentsObj: { createStorageRoleAssignment: true emailSubscriptionAdmins: true 
@@ -463,6 +467,11 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, "securityAlertPoliciesObj": { "value": { "emailAccountAdmins": true, @@ -470,9 +479,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "state": "Enabled" } }, - "systemAssignedIdentity": { - "value": true - }, "vulnerabilityAssessmentsObj": { "value": { "createStorageRoleAssignment": true, @@ -534,6 +540,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { | [`licenseType`](#parameter-licensetype) | string | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedInstanceCreateMode`](#parameter-managedinstancecreatemode) | string | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | | [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | | [`proxyOverride`](#parameter-proxyoverride) | string | Connection type used for connecting to the instance. | 
@@ -547,10 +554,8 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { | [`skuTier`](#parameter-skutier) | string | The tier or edition of the particular SKU, e.g. Basic, Premium. | | [`sourceManagedInstanceId`](#parameter-sourcemanagedinstanceid) | string | The resource identifier of the source managed instance associated with create operation of this instance. | | [`storageSizeInGB`](#parameter-storagesizeingb) | int | Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`timezoneId`](#parameter-timezoneid) | string | ID of the timezone. Allowed values are timezones supported by Windows. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`vCores`](#parameter-vcores) | int | The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. | | [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not multi-az is enabled. | 
@@ -787,6 +792,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `managedInstanceCreateMode` Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. @@ -963,13 +994,6 @@ The fully qualified resource ID of the subnet on which the SQL managed instance - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -984,13 +1008,6 @@ ID of the timezone. Allowed values are timezones supported by Windows. - Type: string - Default: `'UTC'` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `vCores` The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. 
@@ -1021,7 +1038,7 @@ Whether or not multi-az is enabled. | `name` | string | The name of the deployed managed instance. | | `resourceGroupName` | string | The resource group of the deployed managed instance. | | `resourceId` | string | The resource ID of the deployed managed instance. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index 330edebd43..1b10ecd747 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep @@ -101,11 +101,8 @@ param tags object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') param primaryUserAssignedIdentityId string = '' 
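Review bot: The `primaryUserAssignedIdentityId` description at the end of the main.bicep hunk still says `Required if "userAssignedIdentities" is not empty`, but this same hunk removes the `userAssignedIdentities` parameter, so the condition now points at a name that no longer exists and the generated README will tell callers nothing useful about when the ID is required. Suggest `@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "managedIdentities.userAssignedResourcesIds" is not empty.')`. Nothing visible in the hunk checks that this ID is one of the `userAssignedResourcesIds` entries; if the provider requires that (worth confirming), stating it in the description would save a failed deployment.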
@@ -146,11 +143,11 @@ param minimalTlsVersion string = '1.2' ]) param requestedBackupStorageRedundancy string = 'Geo' -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -303,7 +300,7 @@ module managedInstance_securityAlertPolicy 'security-alert-policy/main.bicep' = } } -module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj) && systemAssignedIdentity) { +module managedInstance_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj) && (managedIdentities.?systemAssigned ?? false)) { name: '${uniqueString(deployment().name, location)}-SqlMi-VulnAssessm' params: { managedInstanceName: managedInstance.name 
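Review bot: In the first hunk the new `identity` expression can produce `{ type: null, userAssignedIdentities: null }`: `!empty(managedIdentities)` is true for an input like `managedIdentities: { systemAssigned: false }` or `{ userAssignedResourcesIds: [] }`, yet neither branch yields a type, and I expect the resource provider to reject a null identity type rather than treat it as "no identity" (the previous code compared against `'None'` and sent `null` in that case). Computing the type first and guarding on it keeps the old behaviour, e.g. `var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)` and `var identity = identityType != null ? { type: identityType, userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null`. That also replaces the `?? {}` fallback on the array-typed `userAssignedResourcesIds`, which is inconsistent with the `?? []` used in `formattedUserAssignedIdentities` on the line above. The `managedInstance_vulnerabilityAssessment` condition in the second hunk is consistent with the new shape; its module body continues outside the hunk.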
@@ -367,7 +364,7 @@ output resourceId string = managedInstance.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(managedInstance.identity, 'principalId') ? managedInstance.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(managedInstance.identity, 'principalId') ? managedInstance.identity.principalId : '' @description('The location the resource was deployed into.') output location string = managedInstance.location @@ -376,6 +373,14 @@ output location string = managedInstance.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 646e61a20a..cee9076a62 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json 
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16983144264523357035" + "templateHash": "486965125676503752" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -411,18 +434,10 @@ "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "primaryUserAssignedIdentityId": { 
@@ -502,8 +517,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -1468,7 +1483,7 @@ ] }, "managedInstance_vulnerabilityAssessment": { - "condition": "[and(not(empty(parameters('vulnerabilityAssessmentsObj'))), parameters('systemAssignedIdentity'))]", + "condition": "[and(not(empty(parameters('vulnerabilityAssessmentsObj'))), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-SqlMi-VulnAssessm', uniqueString(deployment().name, parameters('location')))]", @@ -2102,12 +2117,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('managedInstance', '2022-05-01-preview', 'full').identity, 'principalId')), reference('managedInstance', '2022-05-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedInstance', '2022-05-01-preview', 'full').identity, 'principalId')), reference('managedInstance', '2022-05-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/.test/common/main.test.bicep index 0655a40b92..e5a989eec6 100644 --- a/modules/sql/server/.test/common/main.test.bicep +++ b/modules/sql/server/.test/common/main.test.bicep @@ -160,9 +160,11 @@ module testDeployment '../../main.bicep' = { uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } privateEndpoints: [ { 
diff --git a/modules/sql/server/.test/vulnAssm/main.test.bicep b/modules/sql/server/.test/vulnAssm/main.test.bicep index 5dd0f342e9..4ee3ba8505 100644 --- a/modules/sql/server/.test/vulnAssm/main.test.bicep +++ b/modules/sql/server/.test/vulnAssm/main.test.bicep @@ -78,9 +78,11 @@ module testDeployment '../../main.bicep' = { emailAccountAdmins: true } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 5acbefa33c..81fa6667cc 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -185,6 +185,12 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } primaryUserAssignedIdentityId: '' privateEndpoints: [ { @@ -215,15 +221,11 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { state: 'Enabled' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } virtualNetworkRules: [ { ignoreMissingVnetServiceEndpoint: true @@ -340,6 +342,14 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "primaryUserAssignedIdentityId": { "value": "" }, @@ -380,9 +390,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -390,11 +397,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "virtualNetworkRules": { "value": [ { @@ -620,6 +622,12 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { administratorLoginPassword: '' enableDefaultTelemetry: '' location: '' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } primaryUserAssignedIdentityId: '' securityAlertPolicies: [ { @@ -628,15 +636,11 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { state: 'Enabled' } ] - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } vulnerabilityAssessmentsObj: { createStorageRoleAssignment: true emailSubscriptionAdmins: true @@ -682,6 +686,14 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "location": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "primaryUserAssignedIdentityId": { "value": "" }, @@ -694,9 +706,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -704,11 +713,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "Role": "DeploymentValidation" } }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "vulnerabilityAssessmentsObj": { "value": { "createStorageRoleAssignment": true, 
@@ -760,15 +764,14 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { | [`keys`](#parameter-keys) | array | The keys to configure. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`minimalTlsVersion`](#parameter-minimaltlsversion) | string | Minimal TLS version allowed. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | | [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. 
| -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. | | [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | @@ -869,6 +872,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `minimalTlsVersion` Minimal TLS version allowed. @@ -1149,13 +1178,6 @@ The security alert policies to create in the server. - Type: array - Default: `[]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1163,13 +1185,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `virtualNetworkRules` The virtual network rules to create in the server. 
@@ -1193,7 +1208,7 @@ The vulnerability assessment configuration. | `name` | string | The name of the deployed SQL server. | | `resourceGroupName` | string | The resource group of the deployed SQL server. | | `resourceId` | string | The resource ID of the deployed SQL server. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index fa4351217e..50bfad6e00 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep @@ -15,11 +15,8 @@ param location string = resourceGroup().location @description('Required. The name of the server.') param name string -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') param primaryUserAssignedIdentityId string = '' 
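Review bot: The `primaryUserAssignedIdentityId` description that closes the main.bicep hunk still references `"userAssignedIdentities"`, a parameter this hunk deletes, so the stated condition for when the ID is required no longer maps to any input of the module. Suggest `@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "managedIdentities.userAssignedResourcesIds" is not empty.')`. As far as the hunk shows nothing validates that the ID is one of the `userAssignedResourcesIds` entries; if the provider requires that (to be confirmed), say so in the description.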
@@ -84,11 +81,11 @@ param publicNetworkAccess string = '' ]) param restrictOutboundNetworkAccess string = '' -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false @@ -350,7 +347,7 @@ output resourceId string = server.id output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(server.identity, 'principalId') ? server.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(server.identity, 'principalId') ? server.identity.principalId : '' @description('The location the resource was deployed into.') output location string = server.location 
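Review bot: The new `identity` variable in the first hunk guards on `!empty(managedIdentities)` rather than on whether any identity was actually requested, so an input such as `managedIdentities: { systemAssigned: false }` yields `{ type: null, userAssignedIdentities: null }` where the replaced code sent `null`; I expect the provider to reject a null `type`. Deriving the type into its own variable and guarding on `identityType != null` restores the old behaviour, e.g. `var identity = identityType != null ? { type: identityType, userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null`. While there, `!empty(managedIdentities.?userAssignedResourcesIds ?? {})` should use `?? []` to match the array type and the `formattedUserAssignedIdentities` line above it. The output rename in the second hunk is fine as far as it goes, but it is a breaking change for callers reading `systemAssignedPrincipalId`; flagging it in the module's version notes seems warranted.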
@@ -359,6 +356,14 @@ output location string = server.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index 15f464c1bd..44de76b732 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9008744149978786783" + "templateHash": "10315505573708385972" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { 
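Review bot: The property name `userAssignedResourcesIds` in the new `managedIdentitiesType` reads oddly next to the singular `systemAssigned` and to the `resourceId` output in the same file, and once this type is the published parameter contract a rename is a breaking change, so `userAssignedResourceIds` is cheaper now than after release. The description is also vaguer than it needs to be; consider `@description('Optional. The resource ID(s) of the user-assigned managed identities to assign to the resource.')` so it is clear these must be managed-identity resource IDs and not arbitrary resources. I am inferring the public-contract point from the type being bound to a module parameter earlier in this diff; the definitions section continues outside the hunk.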
@@ -282,18 +305,10 @@ "description": "Required. The name of the server." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "primaryUserAssignedIdentityId": { 
@@ -436,8 +451,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -3062,12 +3077,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('server', '2022-05-01-preview', 'full').identity, 'principalId')), reference('server', '2022-05-01-preview', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('server', '2022-05-01-preview', 'full').identity, 'principalId')), reference('server', '2022-05-01-preview', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/.test/common/main.test.bicep index 752c544377..2ca85cdb7f 100644 --- a/modules/storage/storage-account/.test/common/main.test.bicep +++ b/modules/storage/storage-account/.test/common/main.test.bicep @@ -263,9 +263,11 @@ module testDeployment '../../main.bicep' = { ] } sasExpirationPeriod: '180.00:00:00' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } roleAssignments: [ { diff --git a/modules/storage/storage-account/.test/encr/main.test.bicep b/modules/storage/storage-account/.test/encr/main.test.bicep index acdcccd5d9..8a298cdee5 100644 --- a/modules/storage/storage-account/.test/encr/main.test.bicep +++ b/modules/storage/storage-account/.test/encr/main.test.bicep 
@@ -93,9 +93,11 @@ module testDeployment '../../main.bicep' = { restorePolicyEnabled: true restorePolicyDays: 8 } - systemAssignedIdentity: false - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId cMKKeyName: nestedDependencies.outputs.keyName diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/.test/nfs/main.test.bicep index 180b8abb81..8dbf40c70a 100644 --- a/modules/storage/storage-account/.test/nfs/main.test.bicep +++ b/modules/storage/storage-account/.test/nfs/main.test.bicep @@ -79,9 +79,11 @@ module testDeployment '../../main.bicep' = { } ] } - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } roleAssignments: [ { diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 956cc7475f..e974443c9d 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -185,6 +185,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } managementPolicyRules: [ { definition: { @@ -295,7 +301,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] sasExpirationPeriod: '180.00:00:00' skuName: 'Standard_LRS' - systemAssignedIdentity: true tableServices: { diagnosticSettings: [ { 
@@ -321,9 +326,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -489,6 +491,14 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "managementPolicyRules": { "value": [ { @@ -615,9 +625,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "skuName": { "value": "Standard_LRS" }, - "systemAssignedIdentity": { - "value": true - }, "tableServices": { "value": { "diagnosticSettings": [ @@ -646,11 +653,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -698,6 +700,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { cMKKeyVaultResourceId: '' cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -714,15 +722,11 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] requireInfrastructureEncryption: true skuName: 'Standard_LRS' - systemAssignedIdentity: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -782,6 +786,14 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { 
@@ -804,20 +816,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "skuName": { "value": "Standard_LRS" }, - "systemAssignedIdentity": { - "value": false - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -920,6 +924,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } roleAssignments: [ { principalId: '' @@ -929,15 +939,11 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] skuName: 'Premium_LRS' supportsHttpsTrafficOnly: false - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -1000,6 +1006,14 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "roleAssignments": { "value": [ { @@ -1015,20 +1029,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "supportsHttpsTrafficOnly": { "value": false }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -1147,6 +1153,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`localUsers`](#parameter-localusers) | array | Local users to deploy for SFTP authentication. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managementPolicyRules`](#parameter-managementpolicyrules) | array | The Storage Account ManagementPolicies Rules. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Set the minimum TLS version on request to storage. | | [`networkAcls`](#parameter-networkacls) | object | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | @@ -1158,10 +1165,8 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`sasExpirationPeriod`](#parameter-sasexpirationperiod) | string | The SAS expiration period. DD.HH:MM:SS. | | [`skuName`](#parameter-skuname) | string | Storage Account Sku Name. | | [`supportsHttpsTrafficOnly`](#parameter-supportshttpstrafficonly) | bool | Allows HTTPS traffic only to storage service if sets to true. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tableServices`](#parameter-tableservices) | object | Table service and tables to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `accessTier` 
@@ -1457,6 +1462,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `managementPolicyRules` The Storage Account ManagementPolicies Rules. @@ -1765,13 +1796,6 @@ Allows HTTPS traffic only to storage service if sets to true. - Type: bool - Default: `True` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tableServices` Table service and tables to create. @@ -1786,13 +1810,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -1803,7 +1820,7 @@ The ID(s) to assign to the resource. | `primaryBlobEndpoint` | string | The primary blob endpoint reference if blob services are deployed. | | `resourceGroupName` | string | The resource group of the deployed storage account. | | `resourceId` | string | The resource ID of the deployed storage account. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index e8774101f0..42f8b18c1f 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep @@ -12,11 +12,8 @@ param location string = resourceGroup().location @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @allowed([ 'Storage' 
@@ -181,10 +178,11 @@ param sasExpirationPeriod string = '' var supportsBlobService = kind == 'BlockBlobStorage' || kind == 'BlobStorage' || kind == 'StorageV2' || kind == 'Storage' var supportsFileService = kind == 'FileStorage' || kind == 'StorageV2' || kind == 'Storage' -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } + +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var enableReferencedModulesTelemetry = false 
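Review bot: The `identity` variable in the `@@ -181,10 +178,11 @@` hunk yields `{ type: null, userAssignedIdentities: null }` whenever `managedIdentities` is a non-empty object that enables nothing, such as `{ systemAssigned: false }`, which is exactly how the `.test/encr` case would look if its identity list were empty; the removed `identityType != 'None'` guard produced no identity block for that case, and a `type: null` identity block will presumably fail the deployment. Guarding on the resolved type rather than on the wrapper object restores the old behaviour. The `?? {}` fallback on the array-typed `userAssignedResourcesIds` works only because `empty({})` is true; `?? []` matches the type and the fallback already used on the `formattedUserAssignedIdentities` line.
```bicep
// … unchanged: formattedUserAssignedIdentities …

var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```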
@@ -473,7 +471,7 @@ output resourceGroupName string = resourceGroup().name output primaryBlobEndpoint string = !empty(blobServices) && contains(blobServices, 'containers') ? reference('Microsoft.Storage/storageAccounts/${storageAccount.name}', '2019-04-01').primaryEndpoints.blob : '' @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(storageAccount.identity, 'principalId') ? storageAccount.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(storageAccount.identity, 'principalId') ? storageAccount.identity.principalId : '' @description('The location the resource was deployed into.') output location string = storageAccount.location @@ -482,6 +480,14 @@ output location string = storageAccount.location // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index a476db610d..dde38f6c5b 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json 
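Review bot: Renaming the output `systemAssignedPrincipalId` to `systemAssignedMIPrincipalId` in the `@@ -473,7 +471,7 @@` hunk breaks every consumer that wires this principal into a role assignment, and the README in this commit shows the module consumed from a registry (`br:bicep/modules/storage.storage-account:1.0.0`), so downstream templates will stop compiling until they are updated. If a deprecation window is wanted, keep the old name as an alias for one release: `@description('Deprecated. Use systemAssignedMIPrincipalId instead.')` followed by `output systemAssignedPrincipalId string = systemAssignedMIPrincipalId`. Otherwise the rename should be flagged as a breaking change in the module's version bump, which is not visible in this diff.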
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15002662159872818227" + "templateHash": "1854017442729323429" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -354,18 +377,10 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "kind": { 
@@ -681,8 +696,8 @@ "variables": { "supportsBlobService": "[or(or(or(equals(parameters('kind'), 'BlockBlobStorage'), equals(parameters('kind'), 'BlobStorage')), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -4092,12 +4107,12 @@ }, "value": "[if(and(not(empty(parameters('blobServices'))), contains(parameters('blobServices'), 'containers')), reference(format('Microsoft.Storage/storageAccounts/{0}', parameters('name')), '2019-04-01').primaryEndpoints.blob, '')]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('storageAccount', '2022-09-01', 'full').identity, 'principalId')), reference('storageAccount', '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('storageAccount', '2022-09-01', 'full').identity, 'principalId')), reference('storageAccount', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/.test/asev2/main.test.bicep index ff34db8bf0..835d050137 100644 --- a/modules/web/hosting-environment/.test/asev2/main.test.bicep +++ b/modules/web/hosting-environment/.test/asev2/main.test.bicep @@ -98,9 +98,11 @@ module testDeployment '../../main.bicep' = { workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } ipsslAddressCount: 2 kind: 'ASEv2' diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/.test/asev3/main.test.bicep index 8349a9a8b0..d7045c104e 100644 --- a/modules/web/hosting-environment/.test/asev3/main.test.bicep 
+++ b/modules/web/hosting-environment/.test/asev3/main.test.bicep @@ -106,9 +106,11 @@ module testDeployment '../../main.bicep' = { workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } customDnsSuffix: 'internal.contoso.com' customDnsSuffixCertificateUrl: nestedDependencies.outputs.certificateSecretUrl diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 8e8690e35a..e41afff80c 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -68,6 +68,12 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } multiSize: 'Standard_D1_V2' roleAssignments: [ { @@ -76,15 +82,11 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { 'hidden-title': 'This is visible in the resource name' hostingEnvironmentName: 'whasev2001' resourceType: 'App Service Environment' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -146,6 +148,14 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "multiSize": { "value": "Standard_D1_V2" }, 
@@ -158,20 +168,12 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", "hostingEnvironmentName": "whasev2001", "resourceType": "App Service Environment" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -222,6 +224,12 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } remoteDebugEnabled: true roleAssignments: [ { @@ -230,16 +238,12 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - systemAssignedIdentity: true tags: { 'hidden-title': 'This is visible in the resource name' hostingEnvironmentName: 'whasev3001' resourceType: 'App Service Environment' } upgradePreference: 'Late' - userAssignedIdentities: { - '': {} - } } } ``` @@ -316,6 +320,14 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "remoteDebugEnabled": { "value": true }, @@ -328,9 +340,6 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", @@ -340,11 +349,6 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { }, "upgradePreference": { "value": "Late" - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -389,13 +393,12 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { | [`kind`](#parameter-kind) | string | Kind of resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. | | [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Resource tags. | | [`upgradePreference`](#parameter-upgradepreference) | string | Specify preference for when and how the planned maintenance is applied. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. 
If enabled, the `dedicatedHostCount` must be set to `-1`. | @@ -628,6 +631,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `multiSize` Frontend VM size. Cannot be used when kind is set to ASEv3. @@ -723,13 +752,6 @@ ResourceId for the subnet. - Required: Yes - Type: string -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Resource tags. @@ -745,13 +767,6 @@ Specify preference for when and how the planned maintenance is applied. - Default: `'None'` - Allowed: `[Early, Late, Manual, None]` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `userWhitelistedIpRanges` User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index da6d56d178..f39bc28623 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep 
@@ -109,11 +109,8 @@ param userWhitelistedIpRanges array = []
 @description('Optional. Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`.')
 param zoneRedundant bool = false
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingType
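Review bot: The new `@description` for `managedIdentities` reads only "The managed identity definition for this resource." and gives a caller no hint that the two parameters it replaces, `systemAssignedIdentity` and `userAssignedIdentities`, are gone, nor that user-assigned entries are now a flat array of resource IDs rather than the `{ '<id>': {} }` map the old parameter took. Since the parameter is nullable with no default, a caller still passing the old names presumably fails at validation, which I take to be the intended break, but the description should make the migration obvious, e.g. `@description('Optional. The managed identity definition for this resource. Leave unset for no identity; replaces the former systemAssignedIdentity and userAssignedIdentities parameters.')`. The same parameter hunk appears in modules/web/site/main.bicep and modules/web/site/slot/main.bicep.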
@@ -121,14 +118,15 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
-var enableReferencedModulesTelemetry = false
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : any(null)
 
+var enableReferencedModulesTelemetry = false
+
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
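Review bot: The new `identity` variable can produce `{ type: null, userAssignedIdentities: null }` when `managedIdentities` is non-empty but enables nothing, e.g. `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }`, because the outer guard only checks `!empty(managedIdentities)` while the inner ternary for `type` falls through to `null`; the removed code mapped that case to `'None'` and left `identity` unset. Whether the resource provider rejects a null `type` or silently treats it as no identity I cannot tell from here, but the module should not hand it an object in that shape. The `type` expression also defaults `userAssignedResourcesIds` with `?? {}` where the line above uses `?? []` for the same property — harmless under `empty()` but inconsistent. Deriving two booleans once and guarding on them keeps the null-typed object out; the identical variables appear in the corresponding hunk of modules/web/site/main.bicep and should get the same treatment.
```bicep
var hasSystemAssigned = managedIdentities.?systemAssigned ?? false
var hasUserAssigned = !empty(managedIdentities.?userAssignedResourcesIds ?? [])
// … unchanged: formattedUserAssignedIdentities …

var identity = (hasSystemAssigned || hasUserAssigned) ? {
  type: hasSystemAssigned ? (hasUserAssigned ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : 'UserAssigned'
  userAssignedIdentities: hasUserAssigned ? formattedUserAssignedIdentities : null
} : any(null)
```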
@@ -254,6 +252,14 @@ output location string = appServiceEnvironment.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json
index cd15bf4aab..468a1dd392 100644
--- a/modules/web/hosting-environment/main.json
+++ b/modules/web/hosting-environment/main.json
@@ -6,13 +6,36 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11474223450734881423"
+ "templateHash": "4072056725724568319"
 },
 "name": "App Service Environments",
 "description": "This module deploys an App Service Environment.",
 "owner": "Azure/module-maintainers"
 },
 "definitions": {
+ "managedIdentitiesType": {
+ "type": "object",
+ "properties": {
+ "systemAssigned": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enables system assigned managed identity on the resource."
+ }
+ },
+ "userAssignedResourcesIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID(s) to assign to the resource."
+ }
+ }
+ },
+ "nullable": true
+ },
 "lockType": {
 "type": "object",
 "properties": {
@@ -393,18 +416,10 @@ "description": "Optional. Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "diagnosticSettings": { 
@@ -422,9 +437,9 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/.test/functionAppCommon/main.test.bicep index 2a2af35a66..afc7ec0eec 100644 
--- a/modules/web/site/.test/functionAppCommon/main.test.bicep +++ b/modules/web/site/.test/functionAppCommon/main.test.bicep @@ -185,9 +185,11 @@ module testDeployment '../../main.bicep' = { use32BitWorkerProcess: false } storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } hybridConnectionRelays: [ { diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/.test/webAppCommon/main.test.bicep index 6e61619316..e0b0545fc6 100644 --- a/modules/web/site/.test/webAppCommon/main.test.bicep +++ b/modules/web/site/.test/webAppCommon/main.test.bicep @@ -170,9 +170,11 @@ module testDeployment '../../main.bicep' = { } ] } - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } basicPublishingCredentialsPolicies: [ { diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 72c2066fe8..160432f44c 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -151,6 +151,12 @@ module site 'br:bicep/modules/web.site:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -177,10 +183,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { use32BitWorkerProcess: false } storageAccountResourceId: '' - systemAssignedIdentity: true - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -319,6 +321,14 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -354,14 +364,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { }, "storageAccountResourceId": { "value": "" - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -480,6 +482,12 @@ module site 'br:bicep/modules/web.site:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -563,10 +571,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { name: 'slot2' } ] - systemAssignedIdentity: true - userAssignedIdentities: { - '': {} - } vnetContentShareEnabled: true vnetImagePullEnabled: true vnetRouteAllEnabled: true @@ -643,6 +647,14 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -738,14 +750,6 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } ] }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } - }, "vnetContentShareEnabled": { "value": true }, 
@@ -853,6 +857,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | 
@@ -863,9 +868,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`slots`](#parameter-slots) | array | Configuration for deployment slots for an app. | | [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. | | [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | | [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network. | | [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | 
@@ -1168,6 +1171,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the site. @@ -1474,13 +1503,6 @@ Required if app of kind functionapp. Resource ID of the storage account to manag - Type: string - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -1488,13 +1510,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `virtualNetworkSubnetId` Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. 
@@ -1536,7 +1551,7 @@ Virtual Network Route All enabled. This causes all outbound traffic to have Virt
 | `slotResourceIds` | array | The list of the slot resource ids. |
 | `slots` | array | The list of the slots. |
 | `slotSystemAssignedPrincipalIds` | array | The principal ID of the system assigned identity of slots. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
 
 ## Cross-referenced modules
 
diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep
index 6e5951ac44..4add5b8016 100644
--- a/modules/web/site/main.bicep
+++ b/modules/web/site/main.bicep
@@ -30,11 +30,8 @@ param clientAffinityEnabled bool = true
 @description('Optional. The resource ID of the app service environment to use for this resource.')
 param appServiceEnvironmentResourceId string = ''
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. The resource ID of the assigned identity to be used to access a key vault with.')
 param keyVaultAccessIdentityResourceId string = ''
@@ -155,11 +152,11 @@ param hybridConnectionRelays array = []
 ])
 param publicNetworkAccess string = ''
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -258,8 +255,7 @@ module app_slots 'slot/main.bicep' = [for (slot, index) in slots: {
 httpsOnly: contains(slot, 'httpsOnly') ? slot.httpsOnly : httpsOnly
 appServiceEnvironmentResourceId: !empty(appServiceEnvironmentResourceId) ? appServiceEnvironmentResourceId : ''
 clientAffinityEnabled: contains(slot, 'clientAffinityEnabled') ? slot.clientAffinityEnabled : clientAffinityEnabled
- systemAssignedIdentity: contains(slot, 'systemAssignedIdentity') ? slot.systemAssignedIdentity : systemAssignedIdentity
- userAssignedIdentities: contains(slot, 'userAssignedIdentities') ? slot.userAssignedIdentities : userAssignedIdentities
+ managedIdentities: contains(slot, 'managedIdentities') ? slot.managedIdentities : managedIdentities
 keyVaultAccessIdentityResourceId: contains(slot, 'keyVaultAccessIdentityResourceId') ? slot.keyVaultAccessIdentityResourceId : keyVaultAccessIdentityResourceId
 storageAccountRequired: contains(slot, 'storageAccountRequired') ? slot.storageAccountRequired : storageAccountRequired
 virtualNetworkSubnetId: contains(slot, 'virtualNetworkSubnetId') ? slot.virtualNetworkSubnetId : virtualNetworkSubnetId
@@ -402,10 +398,10 @@ output slotResourceIds array = [for (slot, index) in slots: app_slots[index].out
 output resourceGroupName string = resourceGroup().name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(app.identity, 'principalId') ? app.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(app.identity, 'principalId') ? app.identity.principalId : ''
 
 @description('The principal ID of the system assigned identity of slots.')
-output slotSystemAssignedPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedPrincipalId]
+output slotSystemAssignedPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId]
 
 @description('The location the resource was deployed into.')
 output location string = app.location
@@ -417,6 +413,14 @@ output defaultHostname string = app.properties.defaultHostName
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/web/site/main.json b/modules/web/site/main.json
index d0366d2083..c313b1d0ce 100644
--- a/modules/web/site/main.json
+++ b/modules/web/site/main.json
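Review bot: Renaming the output `systemAssignedPrincipalId` to `systemAssignedMIPrincipalId` breaks every consumer that reads the old output name, and neither the output's `@description` nor the README row that tracks it records which name it replaces; if the rename is intended, the description should say so, e.g. `@description('The principal ID of the system assigned identity. Replaces the former systemAssignedPrincipalId output.')`. The `contains(app.identity, 'principalId')` test for the app is unchanged here, but the compiled slot output in modules/web/site/main.json drops the previous `contains(reference('slot', ...), 'identity')` guard before dereferencing `.identity`; the source hunk for that output in modules/web/site/slot/main.bicep is outside this chunk, so I cannot confirm the Bicep side. Since `&&` compiles to ARM `and()`, which as far as I know evaluates both arguments, a slot deployed without any identity may fail while evaluating that output; worth re-checking against the slot's main.bicep before merging.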
@@ -6,13 +6,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16589112738321066584" + "templateHash": "7527886527579756889" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -414,18 +437,10 @@ "description": "Optional. The resource ID of the app service environment to use for this resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "keyVaultAccessIdentityResourceId": { 
@@ -681,8 +696,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", 
@@ -1115,8 +1130,7 @@ "httpsOnly": "[if(contains(parameters('slots')[copyIndex()], 'httpsOnly'), createObject('value', parameters('slots')[copyIndex()].httpsOnly), createObject('value', parameters('httpsOnly')))]", "appServiceEnvironmentResourceId": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('value', parameters('appServiceEnvironmentResourceId')), createObject('value', ''))]", "clientAffinityEnabled": "[if(contains(parameters('slots')[copyIndex()], 'clientAffinityEnabled'), createObject('value', parameters('slots')[copyIndex()].clientAffinityEnabled), createObject('value', parameters('clientAffinityEnabled')))]", - "systemAssignedIdentity": "[if(contains(parameters('slots')[copyIndex()], 'systemAssignedIdentity'), createObject('value', parameters('slots')[copyIndex()].systemAssignedIdentity), createObject('value', parameters('systemAssignedIdentity')))]", - "userAssignedIdentities": "[if(contains(parameters('slots')[copyIndex()], 'userAssignedIdentities'), createObject('value', parameters('slots')[copyIndex()].userAssignedIdentities), createObject('value', parameters('userAssignedIdentities')))]", + "managedIdentities": "[if(contains(parameters('slots')[copyIndex()], 'managedIdentities'), createObject('value', parameters('slots')[copyIndex()].managedIdentities), createObject('value', parameters('managedIdentities')))]", "keyVaultAccessIdentityResourceId": "[if(contains(parameters('slots')[copyIndex()], 'keyVaultAccessIdentityResourceId'), createObject('value', parameters('slots')[copyIndex()].keyVaultAccessIdentityResourceId), createObject('value', parameters('keyVaultAccessIdentityResourceId')))]", "storageAccountRequired": "[if(contains(parameters('slots')[copyIndex()], 'storageAccountRequired'), createObject('value', parameters('slots')[copyIndex()].storageAccountRequired), createObject('value', parameters('storageAccountRequired')))]", "virtualNetworkSubnetId": "[if(contains(parameters('slots')[copyIndex()], 
'virtualNetworkSubnetId'), createObject('value', parameters('slots')[copyIndex()].virtualNetworkSubnetId), createObject('value', parameters('virtualNetworkSubnetId')))]", @@ -1163,13 +1177,36 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8235549434045732740" + "templateHash": "11996079594340351559" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -1578,18 +1615,10 @@ "description": "Optional. The resource ID of the app service environment to use for this resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "keyVaultAccessIdentityResourceId": { 
@@ -1824,8 +1853,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", 
@@ -2969,12 +2998,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference('slot', '2022-09-01', 'full'), 'identity'), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId'), false())), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId')), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", @@ -3847,12 +3876,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" }, "slotSystemAssignedPrincipalIds": { "type": "array", @@ -3861,7 +3890,7 @@ }, "copy": { "count": "[length(parameters('slots'))]", - "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.systemAssignedPrincipalId.value]" + "input": "[reference(format('app_slots[{0}]', copyIndex())).outputs.systemAssignedMIPrincipalId.value]" } }, "location": { diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 2f035b876f..29258b7088 100644 --- a/modules/web/site/slot/README.md 
+++ b/modules/web/site/slot/README.md @@ -64,6 +64,7 @@ This module deploys a Web or Function App Deployment Slot. | [`keyVaultAccessIdentityResourceId`](#parameter-keyvaultaccessidentityresourceid) | string | The resource ID of the assigned identity to be used to access a key vault with. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | 
@@ -73,9 +74,7 @@ This module deploys a Web or Function App Deployment Slot. | [`siteConfig`](#parameter-siteconfig) | object | The site config object. | | [`storageAccountRequired`](#parameter-storageaccountrequired) | bool | Checks if Customer provided storage account is required. | | [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`virtualNetworkSubnetId`](#parameter-virtualnetworksubnetid) | string | Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | | [`vnetContentShareEnabled`](#parameter-vnetcontentshareenabled) | bool | To enable accessing content over virtual network. | | [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | 
@@ -377,6 +376,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the slot. @@ -670,13 +695,6 @@ Required if app of kind functionapp. Resource ID of the storage account to manag - Type: string - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -684,13 +702,6 @@ Tags of the resource. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ### Parameter: `virtualNetworkSubnetId` Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. 
@@ -728,7 +739,7 @@ Virtual Network Route All enabled. This causes all outbound traffic to have Virt
 | `name` | string | The name of the slot. |
 | `resourceGroupName` | string | The resource group the slot was deployed into. |
 | `resourceId` | string | The resource ID of the slot. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
 
 ## Cross-referenced modules
 
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index 2a7719afdd..3cb7142811 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -33,11 +33,8 @@ param clientAffinityEnabled bool = true
 @description('Optional. The resource ID of the app service environment to use for this resource.')
 param appServiceEnvironmentResourceId string = ''
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. The resource ID of the assigned identity to be used to access a key vault with.')
 param keyVaultAccessIdentityResourceId string = ''
@@ -149,11 +146,11 @@ param vnetRouteAllEnabled bool = false
 @description('Optional. Names of hybrid connection relays to connect app with.')
 param hybridConnectionRelays array = []
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var enableReferencedModulesTelemetry = false
@@ -340,7 +337,7 @@ output resourceId string = slot.id
 output resourceGroupName string = resourceGroup().name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && (contains(slot, 'identity') ? contains(slot.identity, 'principalId') : false) ? slot.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(slot.identity, 'principalId') ? slot.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = slot.location
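Review bot: `var identity` is now gated on `!empty(managedIdentities)`, so a caller passing `{ systemAssigned: false }` or `{ userAssignedResourcesIds: [] }` gets an identity object whose `type` is null rather than `null`, which the removed `identityType != 'None'` gate avoided; computing the type first and gating on it keeps the earlier behaviour, as sketched below. The two `!empty(managedIdentities.?userAssignedResourcesIds ?? {})` checks fall back to an object for an array-typed property while the `formattedUserAssignedIdentities` line uses `?? []`; `empty()` treats both alike, but `?? []` matches the declared type and reads consistently. In the `systemAssignedMIPrincipalId` output the removed `contains(slot, 'identity')` guard is not carried over, so if the compiled `and()` does not short-circuit, `slot.identity` could be dereferenced on a slot deployed with no identity; keeping the `contains(slot, 'identity')` check would preserve the old defensiveness. The same identity construction and output appear in the static-site `main.bicep` hunks later in this commit.
```bicep
// … unchanged: formattedUserAssignedIdentities …
var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? []) ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null
```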
@@ -349,6 +346,14 @@ output location string = slot.location
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json
index b8898780c5..6ce2296e50 100644
--- a/modules/web/site/slot/main.json
+++ b/modules/web/site/slot/main.json
@@ -6,13 +6,36 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8235549434045732740"
+ "templateHash": "11996079594340351559"
 },
 "name": "Web/Function App Deployment Slots",
 "description": "This module deploys a Web or Function App Deployment Slot.",
 "owner": "Azure/module-maintainers"
 },
 "definitions": {
+ "managedIdentitiesType": {
+ "type": "object",
+ "properties": {
+ "systemAssigned": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enables system assigned managed identity on the resource."
+ }
+ },
+ "userAssignedResourcesIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID(s) to assign to the resource."
+ }
+ }
+ },
+ "nullable": true
+ },
 "lockType": {
 "type": "object",
 "properties": {
@@ -421,18 +444,10 @@ "description": "Optional. The resource ID of the app service environment to use for this resource." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "keyVaultAccessIdentityResourceId": { 
@@ -667,8 +682,8 @@ } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", 
@@ -1812,12 +1827,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), if(contains(reference('slot', '2022-09-01', 'full'), 'identity'), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId'), false())), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('slot', '2022-09-01', 'full').identity, 'principalId')), reference('slot', '2022-09-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/.test/common/main.test.bicep index cd2de2ac13..4755385208 100644 --- a/modules/web/static-site/.test/common/main.test.bicep +++ b/modules/web/static-site/.test/common/main.test.bicep @@ -83,9 +83,11 @@ module testDeployment '../../main.bicep' = { ] sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' - systemAssignedIdentity: true - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } appSettings: { foo: 'bar' diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index 0f632c9a57..ed4ab98af5 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -68,6 +68,12 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ 
@@ -90,15 +96,11 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { ] sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' - systemAssignedIdentity: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` @@ -152,6 +154,14 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -182,20 +192,12 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "stagingEnvironmentPolicy": { "value": "Enabled" }, - "systemAssignedIdentity": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -276,6 +278,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { | [`linkedBackend`](#parameter-linkedbackend) | object | Object with "resourceId" and "location" of the a user defined function app. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'. | | [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. | | [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. | 
@@ -283,10 +286,8 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sku`](#parameter-sku) | string | Type of static site to deploy. | | [`stagingEnvironmentPolicy`](#parameter-stagingenvironmentpolicy) | string | State indicating whether staging environments are allowed or not allowed for a static web app. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`templateProperties`](#parameter-templateproperties) | object | Template Options for the static site. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `allowConfigFileUpdates` 
@@ -386,6 +387,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` Name of the static site. @@ -665,13 +692,6 @@ State indicating whether staging environments are allowed or not allowed for a s - Default: `'Enabled'` - Allowed: `[Disabled, Enabled]` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Tags of the resource. @@ -686,13 +706,6 @@ Template Options for the static site. - Type: object - Default: `{object}` -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{object}` - ## Outputs 
@@ -703,7 +716,7 @@ The ID(s) to assign to the resource.
 | `name` | string | The name of the static site. |
 | `resourceGroupName` | string | The resource group the static site was deployed into. |
 | `resourceId` | string | The resource ID of the static site. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
+| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
 
 ## Cross-referenced modules
 
diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep
index efe8df8ec6..181e771819 100644
--- a/modules/web/static-site/main.bicep
+++ b/modules/web/static-site/main.bicep
@@ -55,11 +55,8 @@ param repositoryUrl string = ''
 @description('Optional. The branch name of the GitHub repository.')
 param branch string = ''
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
-
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -90,11 +87,11 @@ param customDomains array = []
 
 var enableReferencedModulesTelemetry = false
 
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var builtInRoleNames = {
@@ -238,7 +235,7 @@ output resourceId string = staticSite.id
 output resourceGroupName string = resourceGroup().name
 
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = systemAssignedIdentity && contains(staticSite.identity, 'principalId') ? staticSite.identity.principalId : ''
+output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(staticSite.identity, 'principalId') ? staticSite.identity.principalId : ''
 
 @description('The location the resource was deployed into.')
 output location string = staticSite.location
@@ -250,6 +247,14 @@ output defaultHostname string = staticSite.properties.defaultHostname
 // Definitions //
 // =============== //
 
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]?
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json
index b992f8c721..b7423b7aea 100644
--- a/modules/web/static-site/main.json
+++ b/modules/web/static-site/main.json
@@ -6,13 +6,36 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "631543863258215268"
+ "templateHash": "332857934206486865"
 },
 "name": "Static Web Apps",
 "description": "This module deploys a Static Web App.",
 "owner": "Azure/module-maintainers"
 },
 "definitions": {
+ "managedIdentitiesType": {
+ "type": "object",
+ "properties": {
+ "systemAssigned": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enables system assigned managed identity on the resource."
+ }
+ },
+ "userAssignedResourcesIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID(s) to assign to the resource."
+ }
+ }
+ },
+ "nullable": true
+ },
 "lockType": {
 "type": "object",
 "properties": {
@@ -354,18 +377,10 @@ "description": "Optional. The branch name of the GitHub repository." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "lock": { 
@@ -431,8 +446,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -1600,12 +1615,12 @@ }, "value": "[resourceGroup().name]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('staticSite', '2021-03-01', 'full').identity, 'principalId')), reference('staticSite', '2021-03-01', 'full').identity.principalId, '')]" + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('staticSite', '2021-03-01', 'full').identity, 'principalId')), reference('staticSite', '2021-03-01', 'full').identity.principalId, '')]" }, "location": { "type": "string", From 3a3d6d6fe285e34d6fd57e53045ae8a0e0b09506 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Tue, 31 Oct 2023 12:18:42 +0000 Subject: [PATCH 067/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 86 +++++++++++----------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index a25d8ce89f..67a0adf1e7 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -15,9 +15,9 @@ This section provides an overview of the library's feature set. | - | - | - | - | - | - | - | - | - | - | - | | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | | | | | 251 | | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | | | | | 170 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | | | | [L1:11, L2:3] | 451 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | | | | [L1:1] | 305 | -| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 205 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | | | | [L1:11, L2:3] | 455 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | | | | [L1:1] | 309 | +| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 211 | | 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | | 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | | 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | @@ -27,44 +27,44 @@ This section provides an overview of the library's feature set. | 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 437 | -| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 311 | -| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 312 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 441 | +| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 317 | +| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 318 | | 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | | | | [L1:1] | 268 | | 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | -| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 375 | +| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 379 | | 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | | 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | -| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 162 | +| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 168 | | 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | :white_check_mark: | | | | [L1:2] | 155 | | 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | | 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | | 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | -| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 663 | -| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 607 | +| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 657 | +| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 611 | | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 163 | -| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 430 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 664 | -| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 318 | -| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 156 | -| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 104 | +| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 167 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 434 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 668 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 322 | +| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 159 | +| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 110 | | 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | | | | | 376 | -| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 370 | -| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 364 | +| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 374 | +| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 370 | | 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | | | | [L1:1] | 191 | | 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | | | | | 281 | | 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | | | | | 200 | | 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | | | | | 161 | -| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 295 | +| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 304 | | 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | | | | [L1:3] | 292 | -| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 400 | +| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 404 | | 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | | | | [L1:1] | 248 | -| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 193 | +| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 197 | | 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | | | | [L1:1] | 252 | -| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 397 | -| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 112 | -| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 198 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 401 | +| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 116 | +| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 195 | | 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | | 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | | 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | @@ -78,14 +78,14 @@ This section provides an overview of the library's feature set. | 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | | | | [L1:3] | 347 | | 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 227 | -| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 352 | +| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 231 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 356 | | 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | | 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | | 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 147 | -| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 416 | +| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 151 | +| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 420 | | 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | | 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | | 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | | | :white_check_mark: | | 335 | @@ -97,7 +97,7 @@ This section provides an overview of the library's feature set. | 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | | 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | | | | | 228 | | 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | -| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 166 | +| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 173 | | 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | | | | | 181 | | 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | | 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | @@ -122,35 +122,35 @@ This section provides an overview of the library's feature set. | 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | | 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | | 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | -| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 344 | +| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 348 | | 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | | 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | -| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 311 | -| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 351 | +| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 315 | +| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 355 | | 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 330 | | 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | -| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 128 | +| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 132 | | 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | | 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 313 | +| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 318 | | 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 441 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 445 | | 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | | 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | -| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 238 | -| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 369 | -| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 376 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 500 | +| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 244 | +| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 373 | +| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 380 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 504 | | 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | | 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | | | | [L1:3] | 355 | | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | | 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | -| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 258 | +| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 262 | | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | -| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 441 | -| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 271 | -| Sum | | | 0 | 0 | 119 | 0 | 0 | 2 | 240 | 29361 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 444 | +| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 275 | +| Sum | | | 0 | 0 | 119 | 0 | 0 | 2 | 240 | 29533 | ## Legend From 1602f02dfe33c600bd41a33c7d6c49e846060383 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Tue, 31 Oct 2023 21:37:07 +0100 Subject: [PATCH 068/178] [Modules] Updated tags to AVM standard - Batch 1 (#4159) * First batch * Updated automation account * Attempted fix of split handling in automation account * Updated bicep of vm * Rollback of language server 2 from dev test * Update to latest * JSON update * Added split workaround * Updated tag & rbac handling * Update to latest * Updated api * Updated Automation Account * Adjusted AutoAccount * Undid phantom role assignment change * Update to latest --- modules/aad/domain-service/README.md | 1 - modules/aad/domain-service/main.bicep | 2 +- modules/aad/domain-service/main.json | 4 +- modules/analysis-services/server/README.md | 1 - modules/analysis-services/server/main.bicep | 2 +- modules/analysis-services/server/main.json | 4 +- modules/api-management/service/README.md | 1 - modules/api-management/service/main.bicep | 4 +- modules/api-management/service/main.json | 34 +- .../service/named-value/README.md | 1 - .../service/named-value/main.bicep | 4 +- .../service/named-value/main.json | 26 +- .../configuration-store/README.md | 1 - .../configuration-store/key-value/README.md | 1 - .../configuration-store/key-value/main.bicep | 2 +- .../configuration-store/key-value/main.json | 24 +- .../configuration-store/main.bicep | 4 +- .../configuration-store/main.json | 32 +- modules/app/container-app/README.md | 1 - modules/app/container-app/main.bicep | 2 +- modules/app/container-app/main.json | 4 +- modules/app/managed-environment/README.md | 1 - modules/app/managed-environment/main.bicep | 2 +- modules/app/managed-environment/main.json | 4 +- .../automation/automation-account/README.md | 1 - .../automation/automation-account/main.bicep | 12 +- .../automation/automation-account/main.json | 92 +++-- .../automation-account/module/README.md | 1 - .../automation-account/module/main.bicep | 2 +- .../automation-account/module/main.json | 26 +- .../automation-account/runbook/README.md | 8 +- 
.../automation-account/runbook/main.bicep | 14 +- .../automation-account/runbook/main.json | 44 ++- modules/batch/batch-account/README.md | 1 - modules/batch/batch-account/main.bicep | 2 +- modules/batch/batch-account/main.json | 4 +- modules/cache/redis-enterprise/README.md | 1 - modules/cache/redis-enterprise/main.bicep | 2 +- modules/cache/redis-enterprise/main.json | 4 +- modules/cache/redis/README.md | 1 - modules/cache/redis/main.bicep | 2 +- modules/cache/redis/main.json | 4 +- modules/cdn/profile/README.md | 1 - modules/cdn/profile/afdEndpoint/README.md | 1 - modules/cdn/profile/afdEndpoint/main.bicep | 2 +- modules/cdn/profile/afdEndpoint/main.json | 31 +- modules/cdn/profile/endpoint/README.md | 1 - modules/cdn/profile/endpoint/main.bicep | 2 +- modules/cdn/profile/endpoint/main.json | 35 +- modules/cdn/profile/main.bicep | 4 +- modules/cdn/profile/main.json | 74 ++-- modules/cognitive-services/account/README.md | 1 - modules/cognitive-services/account/main.bicep | 2 +- modules/cognitive-services/account/main.json | 4 +- modules/compute/availability-set/README.md | 1 - modules/compute/availability-set/main.bicep | 2 +- modules/compute/availability-set/main.json | 4 +- modules/compute/disk-encryption-set/README.md | 1 - .../compute/disk-encryption-set/main.bicep | 2 +- modules/compute/disk-encryption-set/main.json | 4 +- modules/compute/disk/README.md | 1 - modules/compute/disk/main.bicep | 2 +- modules/compute/disk/main.json | 4 +- modules/compute/gallery/README.md | 1 - modules/compute/gallery/application/README.md | 1 - .../compute/gallery/application/main.bicep | 2 +- modules/compute/gallery/application/main.json | 4 +- modules/compute/gallery/image/README.md | 1 - modules/compute/gallery/image/main.bicep | 2 +- modules/compute/gallery/image/main.json | 4 +- modules/compute/gallery/main.bicep | 6 +- modules/compute/gallery/main.json | 20 +- modules/compute/image/README.md | 1 - modules/compute/image/main.bicep | 2 +- modules/compute/image/main.json | 4 
+- .../proximity-placement-group/README.md | 1 - .../proximity-placement-group/main.bicep | 2 +- .../proximity-placement-group/main.json | 4 +- modules/compute/ssh-public-key/README.md | 1 - modules/compute/ssh-public-key/main.bicep | 2 +- modules/compute/ssh-public-key/main.json | 4 +- .../virtual-machine-scale-set/README.md | 1 - .../virtual-machine-scale-set/main.bicep | 2 +- .../virtual-machine-scale-set/main.json | 4 +- modules/compute/virtual-machine/README.md | 1 - .../virtual-machine/extension/README.md | 1 - .../virtual-machine/extension/main.bicep | 2 +- .../virtual-machine/extension/main.json | 26 +- modules/compute/virtual-machine/main.bicep | 26 +- modules/compute/virtual-machine/main.json | 362 +++++++++++++----- .../modules/nested_networkInterface.bicep | 29 +- .../container-group/README.md | 1 - .../container-group/main.bicep | 2 +- .../container-group/main.json | 4 +- modules/container-registry/registry/README.md | 1 - .../container-registry/registry/main.bicep | 6 +- modules/container-registry/registry/main.json | 70 ++-- .../registry/replication/README.md | 1 - .../registry/replication/main.bicep | 2 +- .../registry/replication/main.json | 26 +- .../registry/webhook/README.md | 1 - .../registry/webhook/main.bicep | 2 +- .../registry/webhook/main.json | 32 +- .../managed-cluster/README.md | 1 - .../managed-cluster/agent-pool/README.md | 1 - .../managed-cluster/agent-pool/main.bicep | 2 +- .../managed-cluster/agent-pool/main.json | 24 +- .../managed-cluster/main.bicep | 4 +- .../managed-cluster/main.json | 32 +- modules/data-factory/factory/README.md | 1 - modules/data-factory/factory/main.bicep | 2 +- modules/data-factory/factory/main.json | 4 +- .../data-protection/backup-vault/README.md | 1 - .../data-protection/backup-vault/main.bicep | 2 +- .../data-protection/backup-vault/main.json | 4 +- modules/databricks/access-connector/README.md | 1 - .../databricks/access-connector/main.bicep | 2 +- modules/databricks/access-connector/main.json | 4 +- 
modules/databricks/workspace/README.md | 1 - modules/databricks/workspace/main.bicep | 2 +- modules/databricks/workspace/main.json | 4 +- .../db-for-my-sql/flexible-server/README.md | 1 - .../db-for-my-sql/flexible-server/main.bicep | 2 +- .../db-for-my-sql/flexible-server/main.json | 4 +- .../flexible-server/README.md | 1 - .../flexible-server/main.bicep | 2 +- .../flexible-server/main.json | 4 +- .../application-group/README.md | 1 - .../application-group/main.bicep | 2 +- .../application-group/main.json | 4 +- .../host-pool/README.md | 1 - .../host-pool/main.bicep | 2 +- .../host-pool/main.json | 4 +- .../scaling-plan/README.md | 1 - .../scaling-plan/main.bicep | 2 +- .../scaling-plan/main.json | 4 +- .../workspace/README.md | 1 - .../workspace/main.bicep | 2 +- .../workspace/main.json | 4 +- modules/dev-test-lab/lab/README.md | 1 - .../dev-test-lab/lab/artifactsource/README.md | 1 - .../lab/artifactsource/main.bicep | 2 +- .../dev-test-lab/lab/artifactsource/main.json | 24 +- modules/dev-test-lab/lab/cost/README.md | 1 - modules/dev-test-lab/lab/cost/main.bicep | 2 +- modules/dev-test-lab/lab/cost/main.json | 24 +- modules/dev-test-lab/lab/main.bicep | 14 +- modules/dev-test-lab/lab/main.json | 136 ++++--- .../lab/notificationchannel/README.md | 1 - .../lab/notificationchannel/main.bicep | 2 +- .../lab/notificationchannel/main.json | 24 +- modules/dev-test-lab/lab/schedule/README.md | 1 - modules/dev-test-lab/lab/schedule/main.bicep | 2 +- modules/dev-test-lab/lab/schedule/main.json | 24 +- .../dev-test-lab/lab/virtualnetwork/README.md | 1 - .../lab/virtualnetwork/main.bicep | 2 +- .../dev-test-lab/lab/virtualnetwork/main.json | 24 +- .../digital-twins-instance/README.md | 1 - .../digital-twins-instance/main.bicep | 2 +- .../digital-twins-instance/main.json | 4 +- .../document-db/database-account/README.md | 1 - .../gremlin-database/README.md | 1 - .../gremlin-database/graph/README.md | 1 - .../gremlin-database/graph/main.bicep | 2 +- 
.../gremlin-database/graph/main.json | 33 +- .../gremlin-database/main.bicep | 2 +- .../gremlin-database/main.json | 37 +- .../document-db/database-account/main.bicep | 2 +- .../document-db/database-account/main.json | 136 +++++-- .../mongodb-database/README.md | 1 - .../mongodb-database/main.bicep | 2 +- .../mongodb-database/main.json | 30 +- .../database-account/sql-database/README.md | 1 - .../sql-database/container/README.md | 1 - .../sql-database/container/main.bicep | 2 +- .../sql-database/container/main.json | 35 +- .../database-account/sql-database/main.bicep | 2 +- .../database-account/sql-database/main.json | 65 +++- modules/event-grid/domain/README.md | 1 - modules/event-grid/domain/main.bicep | 2 +- modules/event-grid/domain/main.json | 4 +- modules/event-grid/system-topic/README.md | 1 - modules/event-grid/system-topic/main.bicep | 2 +- modules/event-grid/system-topic/main.json | 4 +- modules/event-grid/topic/README.md | 1 - modules/event-grid/topic/main.bicep | 2 +- modules/event-grid/topic/main.json | 4 +- modules/event-hub/namespace/README.md | 1 - modules/event-hub/namespace/main.bicep | 2 +- modules/event-hub/namespace/main.json | 4 +- modules/health-bot/health-bot/README.md | 1 - modules/health-bot/health-bot/main.bicep | 2 +- modules/health-bot/health-bot/main.json | 4 +- modules/healthcare-apis/workspace/README.md | 1 - .../workspace/dicomservice/README.md | 1 - .../workspace/dicomservice/main.bicep | 2 +- .../workspace/dicomservice/main.json | 4 +- .../workspace/fhirservice/README.md | 1 - .../workspace/fhirservice/main.bicep | 2 +- .../workspace/fhirservice/main.json | 4 +- .../workspace/iotconnector/README.md | 1 - .../workspace/iotconnector/main.bicep | 2 +- .../workspace/iotconnector/main.json | 4 +- modules/healthcare-apis/workspace/main.bicep | 8 +- modules/healthcare-apis/workspace/main.json | 28 +- 205 files changed, 1366 insertions(+), 734 deletions(-) 
diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index f228fda2f2..1e6faab9e8 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -546,7 +546,6 @@ The value is to enable on-premises users to authenticate against managed domain. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `tlsV1` diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index 5a05dd6d1e..a8ded242da 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep @@ -119,7 +119,7 @@ param ldaps string = 'Enabled' param diagnosticSettings diagnosticSettingType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index f3f96a4b68..6e3976bfcc 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3764501671926247856" + "templateHash": "10052117540394396974" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", @@ -390,7 +390,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index f5f30b2bdb..ded6d13e0a 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md 
@@ -625,7 +625,6 @@ The SKU name of the Azure Analysis Services server to create. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep index 3bbaeaf07c..ef66dfa060 100644 --- a/modules/analysis-services/server/main.bicep +++ b/modules/analysis-services/server/main.bicep @@ -36,7 +36,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json index ee85f05ff5..3066c30ae2 100644 --- a/modules/analysis-services/server/main.json +++ b/modules/analysis-services/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7051724089747387450" + "templateHash": "17464709928355207715" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.", @@ -275,7 +275,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 8a7569241b..411ee60b8f 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -1115,7 +1115,6 @@ Subscriptions. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualNetworkType` diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index 9d7119f4b8..596354a682 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep 
@@ -75,7 +75,7 @@ param skuCount int = 1 param subnetResourceId string = '' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.') @allowed([ @@ -330,7 +330,7 @@ module service_namedValues 'named-value/main.bicep' = [for (namedValue, index) i displayName: namedValue.displayName keyVault: contains(namedValue, 'keyVault') ? namedValue.keyVault : {} name: namedValue.name - tags: contains(namedValue, 'tags') ? namedValue.tags : [] + tags: namedValue.?tags // Note: these are not resource tags secret: contains(namedValue, 'secret') ? namedValue.secret : false value: contains(namedValue, 'value') ? namedValue.value : newGuidValue enableDefaultTelemetry: enableReferencedModulesTelemetry diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json index 53e81dd1bd..fa27d9cfdc 100644 --- a/modules/api-management/service/main.json +++ b/modules/api-management/service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3274387832095626640" + "templateHash": "10340171795894114862" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", @@ -383,7 +383,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
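Review bot: In the @@ -330 hunk of api-management/service/main.bicep the new `tags: namedValue.?tags` line is the only one in the `service_namedValues` loop body written with the safe-dereference operator, while `keyVault`, `secret` and `value` on the neighbouring lines keep the older `contains(namedValue, '…') ? … : …` form. Since the file already compiles with `.?`, rewriting those as `keyVault: namedValue.?keyVault ?? {}`, `secret: namedValue.?secret ?? false` and `value: namedValue.?value ?? newGuidValue` would give the block a single idiom and make the optional properties visible at a glance; the only behavioural difference is a key present with an explicit `null`, which `contains` honoured and `??` would replace with the fallback. The trailing `// Note: these are not resource tags` comment is a good addition, because the named-value `tags` parameter is an array of filter strings rather than a resource tag set. The `module service_namedValues` loop header lies outside the hunk.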
@@ -2058,7 +2058,9 @@ "name": { "value": "[parameters('namedValues')[copyIndex()].name]" }, - "tags": "[if(contains(parameters('namedValues')[copyIndex()], 'tags'), createObject('value', parameters('namedValues')[copyIndex()].tags), createObject('value', createArray()))]", + "tags": { + "value": "[tryGet(parameters('namedValues')[copyIndex()], 'tags')]" + }, "secret": "[if(contains(parameters('namedValues')[copyIndex()], 'secret'), createObject('value', parameters('namedValues')[copyIndex()].secret), createObject('value', false()))]", "value": "[if(contains(parameters('namedValues')[copyIndex()], 'value'), createObject('value', parameters('namedValues')[copyIndex()].value), createObject('value', parameters('newGuidValue')))]", "enableDefaultTelemetry": { @@ -2067,12 +2069,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3581707708141744852" + "templateHash": "16893893897869493831" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", @@ -2113,7 +2116,7 @@ }, "tags": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Tags that when provided can be used to filter the NamedValue list. - string." } @@ -2136,8 +2139,8 @@ "variables": { "keyVaultEmpty": "[empty(parameters('keyVault'))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2151,19 +2154,28 @@ } } }, - { + "service": { + "existing": true, + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2021-08-01", + "name": "[parameters('apiManagementServiceName')]" + }, + "namedValue": { "type": "Microsoft.ApiManagement/service/namedValues", "apiVersion": "2021-08-01", "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", "properties": { - "tags": "[if(not(empty(parameters('tags'))), parameters('tags'), null())]", + "tags": "[parameters('tags')]", "secret": "[parameters('secret')]", "displayName": "[parameters('displayName')]", "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]", "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]" - } + }, + "dependsOn": [ + "service" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md index d73832ca82..d82c7edbd3 100644 --- a/modules/api-management/service/named-value/README.md +++ b/modules/api-management/service/named-value/README.md @@ -85,7 +85,6 @@ Determines whether the value is a secret and should be encrypted or not. Default Tags that when provided can be used to filter the NamedValue list. - string. - Required: No - Type: array -- Default: `[]` ### Parameter: `value` diff --git a/modules/api-management/service/named-value/main.bicep b/modules/api-management/service/named-value/main.bicep index d180918e18..87e4c66e5c 100644 --- a/modules/api-management/service/named-value/main.bicep +++ b/modules/api-management/service/named-value/main.bicep 
@@ -18,7 +18,7 @@ param keyVault object = {} param name string @description('Optional. Tags that when provided can be used to filter the NamedValue list. - string.') -param tags array = [] +param tags array? @description('Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false.') #disable-next-line secure-secrets-in-params // Not a secret @@ -49,7 +49,7 @@ resource namedValue 'Microsoft.ApiManagement/service/namedValues@2021-08-01' = { name: name parent: service properties: { - tags: !empty(tags) ? tags : null + tags: tags secret: secret displayName: displayName value: keyVaultEmpty ? value : null diff --git a/modules/api-management/service/named-value/main.json b/modules/api-management/service/named-value/main.json index f47f644953..9d72a76220 100644 --- a/modules/api-management/service/named-value/main.json +++ b/modules/api-management/service/named-value/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3581707708141744852" + "templateHash": "16893893897869493831" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", @@ -46,7 +47,7 @@ }, "tags": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { "description": "Optional. Tags that when provided can be used to filter the NamedValue list. - string." } @@ -69,8 +70,8 @@ "variables": { "keyVaultEmpty": "[empty(parameters('keyVault'))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -84,19 +85,28 @@ } } }, - { + "service": { + "existing": true, + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2021-08-01", + "name": "[parameters('apiManagementServiceName')]" + }, + "namedValue": { "type": "Microsoft.ApiManagement/service/namedValues", "apiVersion": "2021-08-01", "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]", "properties": { - "tags": "[if(not(empty(parameters('tags'))), parameters('tags'), null())]", + "tags": "[parameters('tags')]", "secret": "[parameters('secret')]", "displayName": "[parameters('displayName')]", "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]", "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]" - } + }, + "dependsOn": [ + "service" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 7e4babb679..66e086dda0 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -1050,7 +1050,6 @@ The amount of time in days that the configuration store will be retained when it Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md index 3fb836e1b5..bf6dd94639 100644 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ b/modules/app-configuration/configuration-store/key-value/README.md @@ -69,7 +69,6 @@ Name of the key. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `value` diff --git a/modules/app-configuration/configuration-store/key-value/main.bicep b/modules/app-configuration/configuration-store/key-value/main.bicep index 199bad6726..acc8bbc774 100644 
--- a/modules/app-configuration/configuration-store/key-value/main.bicep +++ b/modules/app-configuration/configuration-store/key-value/main.bicep @@ -15,7 +15,7 @@ param appConfigurationName string param contentType string = '' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') // update all the descriptions param enableDefaultTelemetry bool = true diff --git a/modules/app-configuration/configuration-store/key-value/main.json b/modules/app-configuration/configuration-store/key-value/main.json index 7737b18021..2893f5eb2f 100644 --- a/modules/app-configuration/configuration-store/key-value/main.json +++ b/modules/app-configuration/configuration-store/key-value/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16264229277476024063" + "templateHash": "5336531799585402354" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -39,7 +40,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -52,8 +53,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -67,7 +68,13 @@ } } }, - { + "appConfiguration": { + "existing": true, + "type": "Microsoft.AppConfiguration/configurationStores", + "apiVersion": "2023-03-01", + "name": "[parameters('appConfigurationName')]" + }, + "keyValues": { "type": "Microsoft.AppConfiguration/configurationStores/keyValues", "apiVersion": "2023-03-01", "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", @@ -75,9 +82,12 @@ "contentType": "[parameters('contentType')]", "tags": "[parameters('tags')]", "value": "[parameters('value')]" - } + }, + "dependsOn": [ + "appConfiguration" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 605a827075..5d1521e212 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep @@ -69,7 +69,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -154,7 +154,7 @@ module configurationStore_keyValues 'key-value/main.bicep' = [for (keyValue, ind name: keyValue.name value: keyValue.value contentType: contains(keyValue, 'contentType') ? keyValue.contentType : '' - tags: contains(keyValue, 'tags') ? keyValue.tags : {} + tags: keyValue.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index e5b8f23942..1063e16033 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json 
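Review bot: `tags: keyValue.?tags ?? tags` in the @@ -154 hunk of configuration-store/main.bicep falls back to the store's ARM resource tags, but the value it feeds does not look like a resource tag set: in the key-value/main.json hunks the child's `"tags": "[parameters('tags')]"` sits alongside `contentType` and `value` inside what appears to be the key-value's `properties`, i.e. per-key metadata that a configuration client would presumably receive together with the value. With this fallback every key-value that does not declare its own tags silently receives the store's governance tags (owner, cost centre, environment and the like), which is a functional change the commit message does not mention and which moves control-plane metadata into data a data-plane reader can see. Unless the inheritance is intended, keep the child value independent, `tags: keyValue.?tags // Note: key-value metadata, not resource tags`, mirroring the comment the commit added at the named-value call site; the `Tags of the resource.` description on `param tags object?` in key-value/main.bicep (previous hunk) should carry the same correction. The `configurationStore_keyValues` loop header lies outside the hunk.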
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5839345851698938345" + "templateHash": "6136989204056808614" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", @@ -515,7 +515,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -701,19 +701,22 @@ "value": "[parameters('keyValues')[copyIndex()].value]" }, "contentType": "[if(contains(parameters('keyValues')[copyIndex()], 'contentType'), createObject('value', parameters('keyValues')[copyIndex()].contentType), createObject('value', ''))]", - "tags": "[if(contains(parameters('keyValues')[copyIndex()], 'tags'), createObject('value', parameters('keyValues')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('keyValues')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16264229277476024063" + "templateHash": "5336531799585402354" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -747,7 +750,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -760,8 +763,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -775,7 +778,13 @@ } } }, - { + "appConfiguration": { + "existing": true, + "type": "Microsoft.AppConfiguration/configurationStores", + "apiVersion": "2023-03-01", + "name": "[parameters('appConfigurationName')]" + }, + "keyValues": { "type": "Microsoft.AppConfiguration/configurationStores/keyValues", "apiVersion": "2023-03-01", "name": "[format('{0}/{1}', parameters('appConfigurationName'), parameters('name'))]", @@ -783,9 +792,12 @@ "contentType": "[parameters('contentType')]", "tags": "[parameters('tags')]", "value": "[parameters('value')]" - } + }, + "dependsOn": [ + "appConfiguration" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index 4da6b25062..55ed899dc3 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -603,7 +603,6 @@ The secrets of the Container App. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `trafficLabel` diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index 6203e95475..58d88c45dc 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep @@ -49,7 +49,7 @@ param environmentId string param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Collection of private container registry credentials for containers used by the Container app.') param registries array = [] diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json index ee8c7769c7..f94f931610 100644 --- a/modules/app/container-app/main.json +++ b/modules/app/container-app/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18263232031845288996" + "templateHash": "5881378126445701958" }, "name": "Container Apps", "description": "This module deploys a Container App.", 
@@ -222,7 +222,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 9c41524275..5049cc48c6 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -428,7 +428,6 @@ Managed environment SKU. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `workloadProfiles` diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index 6e635bbab9..18bc3abed7 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep @@ -12,7 +12,7 @@ param logAnalyticsWorkspaceResourceId string param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json index 706f39cd1e..d8bb5e7173 100644 --- a/modules/app/managed-environment/main.json +++ b/modules/app/managed-environment/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12554616847424518267" + "templateHash": "5686402227763337334" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", 
@@ -127,7 +127,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index de8dee9816..3d282c8e14 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -1185,7 +1185,6 @@ List of softwareUpdateConfigurations to be created in the automation account. Tags of the Automation Account resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `variables` diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index 908b6b3811..c65959f494 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep @@ -78,7 +78,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the Automation Account resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -158,7 +158,7 @@ module automationAccount_modules 'module/main.bicep' = [for (module, index) in m version: module.version uri: module.uri location: location - tags: tags + tags: module.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] 
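Review bot: `tags: module.?tags ?? tags` now lets each entry of `modules` override the account-level tags, but the `modules` parameter description (outside the hunk) does not mention a `tags` key, so the override is undiscoverable from the README; add `tags` to that description. The `automationAccount_modules` declaration starts outside the hunk.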
@@ -188,8 +188,10 @@ module automationAccount_runbooks 'runbook/main.bicep' = [for (runbook, index) i description: contains(runbook, 'description') ? runbook.description : '' uri: contains(runbook, 'uri') ? runbook.uri : '' version: contains(runbook, 'version') ? runbook.version : '' + sasTokenValidityLength: runbook.?sasTokenValidityLength + scriptStorageAccountResourceId: runbook.?scriptStorageAccountResourceId location: location - tags: tags + tags: runbook.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] @@ -233,7 +235,7 @@ module automationAccount_linkedService '../../operational-insights/workspace/lin } // This is to support linked services to law in different subscription and resource group than the automation account. // The current scope is used by default if no linked service is intended to be created. - scope: resourceGroup(!empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[2] : subscription().subscriptionId, !empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[4] : resourceGroup().name) + scope: resourceGroup((!empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '//'), '/')[2]) : subscription().subscriptionId), !empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '////'), '/')[4]) : resourceGroup().name) } module automationAccount_solutions '../../operations-management/solution/main.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(linkedWorkspaceResourceId)) { 
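Review bot: The two added lines pass `runbook.?sasTokenValidityLength` and `runbook.?scriptStorageAccountResourceId` straight through, so a runbook object that omits `sasTokenValidityLength` sends an explicit null to a child parameter declared `string = 'PT8H'`; this relies on the deployment engine substituting the default for a null value, which is worth confirming with a test case that omits the key, since the lifetime of the SAS used for the script download depends on it. Style-wise the new lines use the safe-dereference form while the neighbouring `description`/`uri`/`version` lines still use `contains(runbook, 'x') ? runbook.x : ''`; picking one form for the block would be cleaner. The parent module's `runbooks` parameter description (outside this hunk) should also list the newly honoured keys `sasTokenValidityLength`, `scriptStorageAccountResourceId` and `tags`. The `automationAccount_runbooks` declaration starts outside the hunk.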
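Review bot: The rewritten `scope:` expression nests a second `!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '//'` inside a branch that the outer `!empty(...)` already guards, so the inner conditional can never select the `'//'`/`'////'` placeholder at runtime; it reads as a workaround for the type checker rather than logic, and that intent is undocumented. If the placeholders are needed to keep `split(...)[2]`/`[4]` well-typed when the id is empty, say so in the comment above the line: `// '//' and '////' placeholders only keep the index accesses well-typed; the outer condition guarantees the real id is used.` The same expression is duplicated in the `automationAccount_solutions` hunk (`@@ -248,7 +250,7 @@`); hoisting both into vars such as `linkedWorkspaceSubscriptionId` and `linkedWorkspaceResourceGroupName` would remove the duplication. Both module declarations start outside their hunks.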
@@ -248,7 +250,7 @@ module automationAccount_solutions '../../operations-management/solution/main.bi } // This is to support solution to law in different subscription and resource group than the automation account. // The current scope is used by default if no linked service is intended to be created. - scope: resourceGroup(!empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[2] : subscription().subscriptionId, !empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[4] : resourceGroup().name) + scope: resourceGroup((!empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '//'), '/')[2]) : subscription().subscriptionId), !empty(linkedWorkspaceResourceId) ? (split((!empty(linkedWorkspaceResourceId) ? linkedWorkspaceResourceId : '////'), '/')[4]) : resourceGroup().name) dependsOn: [ automationAccount_linkedService ] diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index f6484661e3..9a0246ec97 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5962075210200629853" + "templateHash": "9488372689146469635" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", @@ -542,7 +542,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Automation Account resource." } @@ -715,7 +715,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('modules')[copyIndex()], 'tags'), parameters('tags'))]" }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" 
@@ -723,12 +723,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15709477569881004771" + "templateHash": "18249732142000845439" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.", @@ -769,7 +770,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Automation Account resource." } @@ -782,8 +783,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -797,7 +798,13 @@ } } }, - { + "automationAccount": { + "existing": true, + "type": "Microsoft.Automation/automationAccounts", + "apiVersion": "2022-08-08", + "name": "[parameters('automationAccountName')]" + }, + "module": { "type": "Microsoft.Automation/automationAccounts/modules", "apiVersion": "2022-08-08", "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", @@ -808,9 +815,12 @@ "uri": "[if(not(equals(parameters('version'), 'latest')), format('{0}/{1}/{2}', parameters('uri'), parameters('name'), parameters('version')), format('{0}/{1}', parameters('uri'), parameters('name')))]", "version": "[if(not(equals(parameters('version'), 'latest')), parameters('version'), null())]" } - } + }, + "dependsOn": [ + "automationAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -838,7 +848,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Automation/automationAccounts/modules', parameters('automationAccountName'), parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('module', '2022-08-08', 'full').location]" } } } @@ -1064,11 +1074,17 @@ "description": "[if(contains(parameters('runbooks')[copyIndex()], 'description'), createObject('value', parameters('runbooks')[copyIndex()].description), createObject('value', ''))]", "uri": "[if(contains(parameters('runbooks')[copyIndex()], 'uri'), createObject('value', parameters('runbooks')[copyIndex()].uri), createObject('value', ''))]", "version": "[if(contains(parameters('runbooks')[copyIndex()], 'version'), createObject('value', parameters('runbooks')[copyIndex()].version), createObject('value', ''))]", + "sasTokenValidityLength": { + "value": "[tryGet(parameters('runbooks')[copyIndex()], 'sasTokenValidityLength')]" + }, + "scriptStorageAccountResourceId": { + "value": "[tryGet(parameters('runbooks')[copyIndex()], 'scriptStorageAccountResourceId')]" + }, "location": { "value": "[parameters('location')]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('runbooks')[copyIndex()], 'tags'), parameters('tags'))]" }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" @@ -1076,12 +1092,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18248893160569507204" + "templateHash": "1833872657708381069" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.", 
@@ -1134,11 +1151,11 @@ "description": "Optional. The version of the runbook content." } }, - "scriptStorageAccountId": { + "scriptStorageAccountResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { - "description": "Optional. ID of the runbook storage account." + "description": "Optional. Resource Id of the runbook storage account." } }, "baseTime": { @@ -1164,7 +1181,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Automation Account resource." } @@ -1186,8 +1203,8 @@ "signedProtocol": "https" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1201,7 +1218,22 @@ } } }, - { + "automationAccount": { + "existing": true, + "type": "Microsoft.Automation/automationAccounts", + "apiVersion": "2022-08-08", + "name": "[parameters('automationAccountName')]" + }, + "storageAccount": { + "condition": "[not(empty(parameters('scriptStorageAccountResourceId')))]", + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "subscriptionId": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))]" + }, + "runbook": { "type": "Microsoft.Automation/automationAccounts/runbooks", "apiVersion": "2022-08-08", "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", 
@@ -1210,10 +1242,14 @@ "properties": { "runbookType": "[parameters('type')]", "description": "[parameters('description')]", - "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('scriptStorageAccountId'), '/')[2], split(parameters('scriptStorageAccountId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('scriptStorageAccountId'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" - } + "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountResourceId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2], split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" + }, + "dependsOn": [ + "automationAccount", + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1241,7 +1277,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Automation/automationAccounts/runbooks', parameters('automationAccountName'), parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('runbook', '2022-08-08', 'full').location]" } } } @@ -1545,8 +1581,8 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-AutoAccount-LinkedService', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[2], subscription().subscriptionId)]", - "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[4], resourceGroup().name)]", + "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '//'), '/')[2], subscription().subscriptionId)]", + "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '////'), '/')[4], resourceGroup().name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1688,8 +1724,8 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-AutoAccount-Solution-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[2], subscription().subscriptionId)]", - "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(parameters('linkedWorkspaceResourceId'), '/')[4], resourceGroup().name)]", + "subscriptionId": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '//'), '/')[2], subscription().subscriptionId)]", + "resourceGroup": "[if(not(empty(parameters('linkedWorkspaceResourceId'))), split(if(not(empty(parameters('linkedWorkspaceResourceId'))), parameters('linkedWorkspaceResourceId'), '////'), '/')[4], resourceGroup().name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" diff --git a/modules/automation/automation-account/module/README.md b/modules/automation/automation-account/module/README.md index bba5a2892b..71d279aaf2 100644 --- a/modules/automation/automation-account/module/README.md +++ b/modules/automation/automation-account/module/README.md @@ -70,7 +70,6 @@ Name of the Automation Account module. Tags of the Automation Account resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `uri` diff --git a/modules/automation/automation-account/module/main.bicep b/modules/automation/automation-account/module/main.bicep index 1754a19f93..7af6b346bc 100644 --- a/modules/automation/automation-account/module/main.bicep +++ b/modules/automation/automation-account/module/main.bicep 
@@ -18,7 +18,7 @@ param version string = 'latest' param location string = resourceGroup().location @description('Optional. Tags of the Automation Account resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/automation/automation-account/module/main.json b/modules/automation/automation-account/module/main.json index bf3c18c30b..305926a6eb 100644 --- a/modules/automation/automation-account/module/main.json +++ b/modules/automation/automation-account/module/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15709477569881004771" + "templateHash": "18249732142000845439" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.", @@ -46,7 +47,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Automation Account resource." } @@ -59,8 +60,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -74,7 +75,13 @@ } } }, - { + "automationAccount": { + "existing": true, + "type": "Microsoft.Automation/automationAccounts", + "apiVersion": "2022-08-08", + "name": "[parameters('automationAccountName')]" + }, + "module": { "type": "Microsoft.Automation/automationAccounts/modules", "apiVersion": "2022-08-08", "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", 
@@ -85,9 +92,12 @@ "uri": "[if(not(equals(parameters('version'), 'latest')), format('{0}/{1}/{2}', parameters('uri'), parameters('name'), parameters('version')), format('{0}/{1}', parameters('uri'), parameters('name')))]", "version": "[if(not(equals(parameters('version'), 'latest')), parameters('version'), null())]" } - } + }, + "dependsOn": [ + "automationAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -115,7 +125,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Automation/automationAccounts/modules', parameters('automationAccountName'), parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('module', '2022-08-08', 'full').location]" } } } \ No newline at end of file diff --git a/modules/automation/automation-account/runbook/README.md b/modules/automation/automation-account/runbook/README.md index 8cb4f7f0c8..7858b8a994 100644 --- a/modules/automation/automation-account/runbook/README.md +++ b/modules/automation/automation-account/runbook/README.md 
@@ -38,7 +38,7 @@ This module deploys an Azure Automation Account Runbook. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| [`scriptStorageAccountId`](#parameter-scriptstorageaccountid) | string | ID of the runbook storage account. | +| [`scriptStorageAccountResourceId`](#parameter-scriptstorageaccountresourceid) | string | Resource Id of the runbook storage account. | | [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | | [`uri`](#parameter-uri) | string | The uri of the runbook content. | | [`version`](#parameter-version) | string | The version of the runbook content. | @@ -96,19 +96,17 @@ SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for - Type: string - Default: `'PT8H'` -### Parameter: `scriptStorageAccountId` +### Parameter: `scriptStorageAccountResourceId` -ID of the runbook storage account. +Resource Id of the runbook storage account. - Required: No - Type: string -- Default: `''` ### Parameter: `tags` Tags of the Automation Account resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` diff --git a/modules/automation/automation-account/runbook/main.bicep b/modules/automation/automation-account/runbook/main.bicep index 18df96ac91..992643abe4 100644 --- a/modules/automation/automation-account/runbook/main.bicep +++ b/modules/automation/automation-account/runbook/main.bicep 
@@ -27,8 +27,8 @@ param uri string = '' @sys.description('Optional. The version of the runbook content.') param version string = '' -@sys.description('Optional. ID of the runbook storage account.') -param scriptStorageAccountId string = '' +@sys.description('Optional. Resource Id of the runbook storage account.') +param scriptStorageAccountResourceId string? @sys.description('Generated. Time used as a basis for e.g. the schedule start date.') param baseTime string = utcNow('u') @@ -40,7 +40,7 @@ param sasTokenValidityLength string = 'PT8H' param location string = resourceGroup().location @sys.description('Optional. Tags of the Automation Account resource.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -69,13 +69,13 @@ resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' name: automationAccountName } -resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = if (!empty(scriptStorageAccountId)) { - name: last(split(scriptStorageAccountId, '/'))! - scope: resourceGroup(split(scriptStorageAccountId, '/')[2], split(scriptStorageAccountId, '/')[4]) +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = if (!empty(scriptStorageAccountResourceId)) { + name: last(split((scriptStorageAccountResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((scriptStorageAccountResourceId ?? '//'), '/')[2], split((scriptStorageAccountResourceId ?? '////'), '/')[4]) } var publishContentLink = empty(uri) ? null : { - uri: !empty(uri) ? (empty(scriptStorageAccountId) ? uri : '${uri}?${storageAccount.listAccountSas('2021-04-01', accountSasProperties).accountSasToken}') : null + uri: !empty(uri) ? (empty(scriptStorageAccountResourceId) ? uri : '${uri}?${storageAccount.listAccountSas('2021-04-01', accountSasProperties).accountSasToken}') : null version: !empty(version) ? version : null } diff --git a/modules/automation/automation-account/runbook/main.json b/modules/automation/automation-account/runbook/main.json index 3a2f126c75..9d60de1b4d 100644 --- a/modules/automation/automation-account/runbook/main.json +++ b/modules/automation/automation-account/runbook/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18248893160569507204" + "templateHash": "1833872657708381069" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.", 
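Review bot: The placeholder `'dummyVault'` in the `storageAccount` name is misleading for a `Microsoft.Storage/storageAccounts` reference, and nothing explains that the `?? '//'`, `?? '////'` and `?? 'dummyVault'` fallbacks only exist to keep `split()` and the index accesses well-typed when `scriptStorageAccountResourceId` is null and the `existing` resource is skipped by its condition. A comment above the resource such as `// Fallbacks only satisfy type-checking; the resource is not resolved when scriptStorageAccountResourceId is null` and a neutral placeholder like `'dummyStorageAccount'` would save the next maintainer from looking for a Key Vault dependency. Separately, `'${uri}?${storageAccount.listAccountSas('2021-04-01', accountSasProperties).accountSasToken}'` assumes `uri` carries no query string yet, and the resulting SAS is persisted in the runbook's `publishContentLink.uri`, so a comment noting that `sasTokenValidityLength` bounds how long that stored token stays usable would be useful (the concatenation itself predates this commit).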
@@ -58,11 +59,11 @@ "description": "Optional. The version of the runbook content." } }, - "scriptStorageAccountId": { + "scriptStorageAccountResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { - "description": "Optional. ID of the runbook storage account." + "description": "Optional. Resource Id of the runbook storage account." } }, "baseTime": { @@ -88,7 +89,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Automation Account resource." } @@ -110,8 +111,8 @@ "signedProtocol": "https" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -125,7 +126,22 @@ } } }, - { + "automationAccount": { + "existing": true, + "type": "Microsoft.Automation/automationAccounts", + "apiVersion": "2022-08-08", + "name": "[parameters('automationAccountName')]" + }, + "storageAccount": { + "condition": "[not(empty(parameters('scriptStorageAccountResourceId')))]", + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "subscriptionId": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))]" + }, + "runbook": { "type": "Microsoft.Automation/automationAccounts/runbooks", "apiVersion": "2022-08-08", "name": "[format('{0}/{1}', parameters('automationAccountName'), parameters('name'))]", 
@@ -134,10 +150,14 @@ "properties": { "runbookType": "[parameters('type')]", "description": "[parameters('description')]", - "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('scriptStorageAccountId'), '/')[2], split(parameters('scriptStorageAccountId'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(parameters('scriptStorageAccountId'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" - } + "publishContentLink": "[if(not(empty(parameters('uri'))), if(empty(parameters('uri')), null(), createObject('uri', if(not(empty(parameters('uri'))), if(empty(parameters('scriptStorageAccountResourceId')), parameters('uri'), format('{0}?{1}', parameters('uri'), listAccountSas(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('scriptStorageAccountResourceId'), '//'), '/')[2], split(coalesce(parameters('scriptStorageAccountResourceId'), '////'), '/')[4]), 'Microsoft.Storage/storageAccounts', last(split(coalesce(parameters('scriptStorageAccountResourceId'), 'dummyVault'), '/'))), '2021-04-01', variables('accountSasProperties')).accountSasToken)), null()), 'version', if(not(empty(parameters('version'))), parameters('version'), null()))), null())]" + }, + "dependsOn": [ + "automationAccount", + "storageAccount" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -165,7 +185,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Automation/automationAccounts/runbooks', parameters('automationAccountName'), parameters('name')), '2022-08-08', 'full').location]" + "value": "[reference('runbook', '2022-08-08', 'full').location]" } } } \ No newline at end of file diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 0669214e97..f5faaa5dc8 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -948,7 +948,6 @@ The authentication mode which the Batch service will use to manage the auto-stor Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index 4c322f5d36..38306efc50 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep @@ -62,7 +62,7 @@ param diagnosticSettings diagnosticSettingType param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index 704866f515..3e0eebcb72 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8921010374521375351" + "templateHash": "8281874211111057324" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", @@ -495,7 +495,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 34dff8de72..a24e471cff 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -856,7 +856,6 @@ The type of Redis Enterprise Cluster to deploy. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zoneRedundant` diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index dbcd72f0b7..ed004ca936 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep @@ -15,7 +15,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @allowed([ '1.0' diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index f73b1ecc4f..5fc8d2bf7c 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11394505445953439592" + "templateHash": "2411064933627030246" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", @@ -388,7 +388,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 580ce90db2..f397a8c197 100644 
--- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -818,7 +818,6 @@ The full resource ID of a subnet in a virtual network to deploy the Redis cache Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `tenantSettings` diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index f35bce1160..af3b549ba9 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep @@ -15,7 +15,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentitiesType diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 9a1a25ab90..fa2e2fe2d9 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10917457453871237653" + "templateHash": "9496315762768268" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", @@ -411,7 +411,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 1212e7e137..818f0ad16a 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -620,7 +620,6 @@ The pricing tier (defines a CDN provider, feature list and rate) of the CDN prof Endpoint tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md index 6668c13e76..8ad17d959d 100644 --- a/modules/cdn/profile/afdEndpoint/README.md +++ b/modules/cdn/profile/afdEndpoint/README.md 
@@ -95,7 +95,6 @@ The list of routes for this AFD Endpoint. The tags of the AFD Endpoint. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/cdn/profile/afdEndpoint/main.bicep b/modules/cdn/profile/afdEndpoint/main.bicep index 83c9d667e0..92a40f407e 100644 --- a/modules/cdn/profile/afdEndpoint/main.bicep +++ b/modules/cdn/profile/afdEndpoint/main.bicep @@ -12,7 +12,7 @@ param profileName string param location string = resourceGroup().location @description('Optional. The tags of the AFD Endpoint.') -param tags object = {} +param tags object? @description('Optional. Indicates the endpoint name reuse scope. The default value is TenantReuse.') @allowed([ diff --git a/modules/cdn/profile/afdEndpoint/main.json b/modules/cdn/profile/afdEndpoint/main.json index e7cc491a6c..9d22cf48e7 100644 --- a/modules/cdn/profile/afdEndpoint/main.json +++ b/modules/cdn/profile/afdEndpoint/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11941850826145778575" + "templateHash": "14944467223785761559" }, "name": "CDN Profiles AFD Endpoints", "description": "This module deploys a CDN Profile AFD Endpoint.", @@ -33,7 +34,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. The tags of the AFD Endpoint." } @@ -80,8 +81,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -95,7 +96,13 @@ } } }, - { + "profile": { + "existing": true, + "type": "Microsoft.Cdn/profiles", + "apiVersion": "2023-05-01", + "name": "[parameters('profileName')]" + }, + "afd_endpoint": { "type": "Microsoft.Cdn/profiles/afdEndpoints", "apiVersion": "2023-05-01", "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", @@ -104,9 +111,12 @@ "properties": { "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", "enabledState": "[parameters('enabledState')]" - } + }, + "dependsOn": [ + "profile" + ] }, - { + "afd_endpoint_route": { "copy": { "name": "afd_endpoint_route", "count": "[length(parameters('routes'))]" @@ -351,10 +361,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + "afd_endpoint", + "profile" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -382,7 +393,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name')), '2023-05-01', 'full').location]" + "value": "[reference('afd_endpoint', '2023-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/cdn/profile/endpoint/README.md b/modules/cdn/profile/endpoint/README.md index 7681a1e2f8..f1a4da9f0f 100644 --- a/modules/cdn/profile/endpoint/README.md +++ b/modules/cdn/profile/endpoint/README.md @@ -76,7 +76,6 @@ Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/micro Endpoint tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/cdn/profile/endpoint/main.bicep b/modules/cdn/profile/endpoint/main.bicep index 1168a8c3b9..c1ec5fe0e9 100644 --- a/modules/cdn/profile/endpoint/main.bicep +++ b/modules/cdn/profile/endpoint/main.bicep 
@@ -15,7 +15,7 @@ param location string = resourceGroup().location param properties object @description('Optional. Endpoint tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cdn/profile/endpoint/main.json b/modules/cdn/profile/endpoint/main.json index d9184500e2..3c3bd432dc 100644 --- a/modules/cdn/profile/endpoint/main.json +++ b/modules/cdn/profile/endpoint/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "66122595863754952" + "templateHash": "4870857598190177606" }, "name": "CDN Profiles Endpoints", "description": "This module deploys a CDN Profile Endpoint.", @@ -39,7 +40,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Endpoint tags." } @@ -55,8 +56,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -70,15 +71,24 @@ } } }, - { + "profile": { + "existing": true, + "type": "Microsoft.Cdn/profiles", + "apiVersion": "2021-06-01", + "name": "[parameters('profileName')]" + }, + "endpoint": { "type": "Microsoft.Cdn/profiles/endpoints", "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", "location": "[parameters('location')]", "properties": "[parameters('properties')]", - "tags": "[parameters('tags')]" + "tags": "[parameters('tags')]", + "dependsOn": [ + "profile" + ] }, - { + "endpoint_origins": { "copy": { "name": "endpoint_origins", "count": "[length(parameters('properties').origins)]" @@ -278,9 +288,12 @@ } } } - } + }, + "dependsOn": [ + "profile" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -308,14 +321,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference('endpoint', '2021-06-01', 'full').location]" }, "endpointProperties": { "type": "object", "metadata": { "description": "The properties of the endpoint." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name')), '2021-06-01')]" + "value": "[reference('endpoint')]" } } } \ No newline at end of file diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index c8371f87f5..b60ee123cd 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep @@ -51,7 +51,7 @@ param ruleSets array = [] param afdEndpoints array = [] @description('Optional. Endpoint tags.') -param tags object = {} +param tags object? @description('Optional. The lock settings of the service.') param lock lockType 
@@ -206,7 +206,7 @@ module profile_afdEndpoint 'afdEndpoint/main.bicep' = [for (afdEndpoint, index) enabledState: contains(afdEndpoint, 'enabledState') ? afdEndpoint.enabledState : 'Enabled' enableDefaultTelemetry: enableReferencedModulesTelemetry routes: contains(afdEndpoint, 'routes') ? afdEndpoint.routes : [] - tags: contains(afdEndpoint, 'tags') ? afdEndpoint.tags : {} + tags: afdEndpoint.?tags ?? tags } }] diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json index a7c0699e0d..de8d882e50 100644 --- a/modules/cdn/profile/main.json +++ b/modules/cdn/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "31081249188890418" + "templateHash": "2807663755404362270" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", @@ -198,7 +198,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Endpoint tags." } @@ -328,12 +328,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "66122595863754952" + "templateHash": "4870857598190177606" }, "name": "CDN Profiles Endpoints", "description": "This module deploys a CDN Profile Endpoint.", @@ -367,7 +368,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Endpoint tags." } @@ -383,8 +384,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
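Review bot: `tags: afdEndpoint.?tags ?? tags` changes what an AFD endpoint without its own `tags` receives — previously an empty object, now the parent profile's `tags` — but neither the parent's `@description('Optional. Endpoint tags.')` nor the child module's description mentions this inheritance. Suggest `@description('Optional. Endpoint tags. Also applied to child AFD endpoints that do not specify their own tags; pass an empty object on the child to opt out.')` on the parent parameter, since `??` only falls back when the left side is null. The same undocumented inheritance is introduced in modules/compute/gallery/main.bicep at the `@@ -100,7 +100,7 @@` (applications) and `@@ -132,7 +132,7 @@` (images) hunks. The enclosing `module profile_afdEndpoint` loop starts outside this hunk.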
@@ -398,15 +399,24 @@ } } }, - { + "profile": { + "existing": true, + "type": "Microsoft.Cdn/profiles", + "apiVersion": "2021-06-01", + "name": "[parameters('profileName')]" + }, + "endpoint": { "type": "Microsoft.Cdn/profiles/endpoints", "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", "location": "[parameters('location')]", "properties": "[parameters('properties')]", - "tags": "[parameters('tags')]" + "tags": "[parameters('tags')]", + "dependsOn": [ + "profile" + ] }, - { + "endpoint_origins": { "copy": { "name": "endpoint_origins", "count": "[length(parameters('properties').origins)]" @@ -606,9 +616,12 @@ } } } - } + }, + "dependsOn": [ + "profile" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -636,14 +649,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name')), '2021-06-01', 'full').location]" + "value": "[reference('endpoint', '2021-06-01', 'full').location]" }, "endpointProperties": { "type": "object", "metadata": { "description": "The properties of the endpoint." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/endpoints', parameters('profileName'), parameters('name')), '2021-06-01')]" + "value": "[reference('endpoint')]" } } } 
@@ -1685,16 +1698,19 @@ "value": "[variables('enableReferencedModulesTelemetry')]" }, "routes": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'routes'), createObject('value', parameters('afdEndpoints')[copyIndex()].routes), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('afdEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('afdEndpoints')[copyIndex()].tags), createObject('value', createObject()))]" + "tags": { + "value": "[coalesce(tryGet(parameters('afdEndpoints')[copyIndex()], 'tags'), parameters('tags'))]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11941850826145778575" + "templateHash": "14944467223785761559" }, "name": "CDN Profiles AFD Endpoints", "description": "This module deploys a CDN Profile AFD Endpoint.", @@ -1722,7 +1738,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. The tags of the AFD Endpoint." } @@ -1769,8 +1785,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1784,7 +1800,13 @@ } } }, - { + "profile": { + "existing": true, + "type": "Microsoft.Cdn/profiles", + "apiVersion": "2023-05-01", + "name": "[parameters('profileName')]" + }, + "afd_endpoint": { "type": "Microsoft.Cdn/profiles/afdEndpoints", "apiVersion": "2023-05-01", "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]", 
@@ -1793,9 +1815,12 @@ "properties": { "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", "enabledState": "[parameters('enabledState')]" - } + }, + "dependsOn": [ + "profile" + ] }, - { + "afd_endpoint_route": { "copy": { "name": "afd_endpoint_route", "count": "[length(parameters('routes'))]" @@ -2040,10 +2065,11 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name'))]" + "afd_endpoint", + "profile" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2071,7 +2097,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('profileName'), parameters('name')), '2023-05-01', 'full').location]" + "value": "[reference('afd_endpoint', '2023-05-01', 'full').location]" } } } diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index e68d966293..fe726037e1 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -1074,7 +1074,6 @@ SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `userOwnedStorage` diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index 395cd07b2e..d610ca257a 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep @@ -87,7 +87,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. List of allowed FQDN.') param allowedFqdnList array = [] diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index 8921181da9..edead294ff 100644 
--- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12216590154280005113" + "templateHash": "4580837563605630694" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", @@ -511,7 +511,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 0b835022f9..3f66218b6c 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -338,7 +338,6 @@ SKU of the availability set.

- Use 'Aligned' for virtual machines with manage Tags of the availability set resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep index eb7de3b390..81ac15ab0a 100644 --- a/modules/compute/availability-set/main.bicep +++ b/modules/compute/availability-set/main.bicep @@ -27,7 +27,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json index 36fcd16020..fec33868ce 100644 --- a/modules/compute/availability-set/main.json +++ b/modules/compute/availability-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9800465206429537522" + "templateHash": "1732304861308894467" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", @@ -161,7 +161,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the availability set resource." } diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index c089521965..71674ef593 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -445,7 +445,6 @@ Set this flag to true to enable auto-updating of this disk encryption set to the Tags of the disk encryption resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index d58f341dcb..97ee119695 100644 
--- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep @@ -42,7 +42,7 @@ param managedIdentities managedIdentitiesType = { param roleAssignments roleAssignmentType @description('Optional. Tags of the disk encryption resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json index bc9dabcebb..ea392d6920 100644 --- a/modules/compute/disk-encryption-set/main.json +++ b/modules/compute/disk-encryption-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18120106263067507123" + "templateHash": "8371597260084065156" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", @@ -208,7 +208,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the disk encryption resource." } diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 69240d24d3..80142db63b 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -694,7 +694,6 @@ The resource ID of the storage account containing the blob to import as a disk. Tags of the availability set resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `uploadSizeBytes` diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep index 97763d0072..53c193e794 100644 --- a/modules/compute/disk/main.bicep +++ b/modules/compute/disk/main.bicep 
@@ -125,7 +125,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json index 13b6907981..83bb0e27a3 100644 --- a/modules/compute/disk/main.json +++ b/modules/compute/disk/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11610180604623373886" + "templateHash": "4197028586802526466" }, "name": "Compute Disks", "description": "This module deploys a Compute Disk", @@ -330,7 +330,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the availability set resource." } diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index af9c047b55..83e56b75e2 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -566,7 +566,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags for all resources. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md index 1c393f79b8..d49ba7327a 100644 --- a/modules/compute/gallery/application/README.md +++ b/modules/compute/gallery/application/README.md @@ -196,7 +196,6 @@ This property allows you to specify the supported type of the OS that applicatio Tags for all resources. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep index 7ba3361d61..eda8727a21 100644 --- a/modules/compute/gallery/application/main.bicep +++ b/modules/compute/gallery/application/main.bicep 
@@ -41,7 +41,7 @@ param endOfLifeDate string = '' param roleAssignments roleAssignmentType @sys.description('Optional. Tags for all resources.') -param tags object = {} +param tags object? @sys.description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.') param customActions array = [] diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json index 31d60925d6..ffc09df846 100644 --- a/modules/compute/gallery/application/main.json +++ b/modules/compute/gallery/application/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13186916483114520290" + "templateHash": "4468420728204112478" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -162,7 +162,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md index 1bba091667..5c489dcbe1 100644 --- a/modules/compute/gallery/image/README.md +++ b/modules/compute/gallery/image/README.md @@ -320,7 +320,6 @@ The name of the gallery Image Definition SKU. Tags for all resources. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep index e9e349d0db..c46910a248 100644 --- a/modules/compute/gallery/image/main.bicep +++ b/modules/compute/gallery/image/main.bicep 
@@ -120,7 +120,7 @@ param excludedDiskTypes array = [] param roleAssignments roleAssignmentType @sys.description('Optional. Tags for all resources.') -param tags object = {} +param tags object? var builtInRoleNames = { 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json index b823bbfc2d..9c37688f70 100644 --- a/modules/compute/gallery/image/main.json +++ b/modules/compute/gallery/image/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13132790244989513026" + "templateHash": "12640831453229356933" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -305,7 +305,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep index 46be75d168..0a284f8096 100644 --- a/modules/compute/gallery/main.bicep +++ b/modules/compute/gallery/main.bicep @@ -25,7 +25,7 @@ param lock lockType param roleAssignments roleAssignmentType @sys.description('Optional. Tags for all resources.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -100,7 +100,7 @@ module galleries_applications 'application/main.bicep' = [for (application, inde endOfLifeDate: contains(application, 'endOfLifeDate') ? application.endOfLifeDate : '' roleAssignments: contains(application, 'roleAssignments') ? application.roleAssignments : [] customActions: contains(application, 'customActions') ? application.customActions : [] - tags: contains(application, 'tags') ? application.tags : {} + tags: application.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] @@ -132,7 +132,7 @@ module galleries_images 'image/main.bicep' = [for (image, index) in images: { endOfLife: contains(image, 'endOfLife') ? image.endOfLife : '' excludedDiskTypes: contains(image, 'excludedDiskTypes') ? image.excludedDiskTypes : [] roleAssignments: contains(image, 'roleAssignments') ? image.roleAssignments : [] - tags: contains(image, 'tags') ? image.tags : {} + tags: image.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json index 49c768695e..3994fa8cb5 100644 --- a/modules/compute/gallery/main.json +++ b/modules/compute/gallery/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17534490293657424034" + "templateHash": "3058018993104486515" }, "name": "Azure Compute Galleries", "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).", @@ -155,7 +155,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } 
@@ -269,7 +269,9 @@ "endOfLifeDate": "[if(contains(parameters('applications')[copyIndex()], 'endOfLifeDate'), createObject('value', parameters('applications')[copyIndex()].endOfLifeDate), createObject('value', ''))]", "roleAssignments": "[if(contains(parameters('applications')[copyIndex()], 'roleAssignments'), createObject('value', parameters('applications')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "customActions": "[if(contains(parameters('applications')[copyIndex()], 'customActions'), createObject('value', parameters('applications')[copyIndex()].customActions), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('applications')[copyIndex()], 'tags'), createObject('value', parameters('applications')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('applications')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -282,7 +284,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13186916483114520290" + "templateHash": "4468420728204112478" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -438,7 +440,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } 
@@ -601,7 +603,9 @@ "endOfLife": "[if(contains(parameters('images')[copyIndex()], 'endOfLife'), createObject('value', parameters('images')[copyIndex()].endOfLife), createObject('value', ''))]", "excludedDiskTypes": "[if(contains(parameters('images')[copyIndex()], 'excludedDiskTypes'), createObject('value', parameters('images')[copyIndex()].excludedDiskTypes), createObject('value', createArray()))]", "roleAssignments": "[if(contains(parameters('images')[copyIndex()], 'roleAssignments'), createObject('value', parameters('images')[copyIndex()].roleAssignments), createObject('value', createArray()))]", - "tags": "[if(contains(parameters('images')[copyIndex()], 'tags'), createObject('value', parameters('images')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('images')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -614,7 +618,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13132790244989513026" + "templateHash": "12640831453229356933" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -913,7 +917,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 20977af57d..4d8ffaa7a3 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -352,7 +352,6 @@ The source virtual machine from which Image is created. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zoneResilient` diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep index 203a121a09..2fedc3882d 100644 --- a/modules/compute/image/main.bicep 
+++ b/modules/compute/image/main.bicep @@ -30,7 +30,7 @@ param hyperVGeneration string = 'V1' param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The extended location of the Image.') param extendedLocation object = {} diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json index 2c9b478e60..bcbe6df5a3 100644 --- a/modules/compute/image/main.json +++ b/modules/compute/image/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15652042467625410891" + "templateHash": "9558360786962697877" }, "name": "Images", "description": "This module deploys a Compute Image.", @@ -140,7 +140,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 44c419f431..e41f19400b 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -360,7 +360,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the proximity placement group resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep index 363c1885ac..d8c925de6f 100644 --- a/modules/compute/proximity-placement-group/main.bicep +++ b/modules/compute/proximity-placement-group/main.bicep 
@@ -22,7 +22,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the proximity placement group resource.') -param tags object = {} +param tags object? @description('Optional. Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created.') param zones array = [] diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index 213b46fea4..36747472f3 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7967405335324639786" + "templateHash": "11278878938849478552" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", @@ -144,7 +144,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the proximity placement group resource." } diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index 45ffe72032..054808608c 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -280,7 +280,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the availability set resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/compute/ssh-public-key/main.bicep b/modules/compute/ssh-public-key/main.bicep index e32c99c496..0d5e181de1 100644 --- a/modules/compute/ssh-public-key/main.bicep +++ b/modules/compute/ssh-public-key/main.bicep 
@@ -20,7 +20,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json index 943b880282..d71da3411e 100644 --- a/modules/compute/ssh-public-key/main.json +++ b/modules/compute/ssh-public-key/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15947534421126412986" + "templateHash": "12563605105819727190" }, "name": "Public SSH Keys", "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.", @@ -140,7 +140,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the availability set resource." } diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 6835718941..d7421e7061 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -1894,7 +1894,6 @@ The SKU size of the VMs. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `timeZone` diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index cecffd62dd..e7a0a46271 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep 
@@ -235,7 +235,7 @@ param skuCapacity int = 1 param availabilityZones array = [] @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index e6a0a04847..03a37d7d22 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9859921411818274686" + "templateHash": "8263419365447007923" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", @@ -682,7 +682,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 4b20b053d4..879a36149b 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -2505,7 +2505,6 @@ Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `timeZone` diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md index 761c7b4d27..89e5dc338f 100644 --- a/modules/compute/virtual-machine/extension/README.md +++ b/modules/compute/virtual-machine/extension/README.md @@ -117,7 +117,6 @@ Indicates whether failures stemming from the extension will be suppressed (Opera Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` 
diff --git a/modules/compute/virtual-machine/extension/main.bicep b/modules/compute/virtual-machine/extension/main.bicep index c8a191f1c9..909805fe1c 100644 --- a/modules/compute/virtual-machine/extension/main.bicep +++ b/modules/compute/virtual-machine/extension/main.bicep @@ -43,7 +43,7 @@ param enableAutomaticUpgrade bool param enableDefaultTelemetry bool = true @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' diff --git a/modules/compute/virtual-machine/extension/main.json b/modules/compute/virtual-machine/extension/main.json index 782a6fa1ff..50534220f0 100644 --- a/modules/compute/virtual-machine/extension/main.json +++ b/modules/compute/virtual-machine/extension/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -98,14 +99,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +120,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -135,9 +142,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -165,7 +175,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index d90fbc7fff..0fa3b644a9 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep @@ -193,7 +193,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -343,15 +343,15 @@ module vm_nic 'modules/nested_networkInterface.bicep' = [for (nicConfiguration, networkInterfaceName: '${name}${nicConfiguration.nicSuffix}' virtualMachineName: name location: location - tags: tags enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : [] networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : '' ipConfigurations: nicConfiguration.ipConfigurations - lock: lock + lock: nicConfiguration.?lock ?? lock + tags: nicConfiguration.?tags ?? tags diagnosticSettings: nicConfiguration.?diagnosticSettings - roleAssignments: contains(nicConfiguration, 'roleAssignments') ? (!empty(nicConfiguration.roleAssignments) ? nicConfiguration.roleAssignments : []) : [] + roleAssignments: nicConfiguration.?roleAssignments } }] @@ -472,7 +472,7 @@ module vm_aadJoinExtension 'extension/main.bicep' = if (extensionAadJoinConfig.e autoUpgradeMinorVersion: contains(extensionAadJoinConfig, 'autoUpgradeMinorVersion') ? extensionAadJoinConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionAadJoinConfig, 'enableAutomaticUpgrade') ? extensionAadJoinConfig.enableAutomaticUpgrade : false settings: contains(extensionAadJoinConfig, 'settings') ? extensionAadJoinConfig.settings : {} - tags: contains(extensionAadJoinConfig, 'tags') ? extensionAadJoinConfig.tags : {} + tags: extensionAadJoinConfig.?tags ?? tags } } 
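Review bot: `tags: nicConfiguration.?tags ?? tags` replaces the VM-level tags wholesale as soon as a NIC entry carries any `tags` of its own, so governance tags applied at VM level (owner, cost centre, data classification) silently vanish from that NIC, and `lock: nicConfiguration.?lock ?? lock` likewise lets any non-null per-NIC lock supersede the VM-level lock. If a merge is what callers expect, `tags: union(tags ?? {}, nicConfiguration.?tags ?? {})` keeps the VM tags and lets NIC tags add or override individual keys; if override is the intent, it should be stated on the `nicConfigurations` parameter, since the only `virtual-machine/README.md` change visible in this diff is the removal of the `tags` default line. The `vm_nic` module block begins before the hunk, so I cannot see whether the surrounding `nicConfigurations` parameter description mentions these new per-NIC keys.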
@@ -487,7 +487,7 @@ module vm_domainJoinExtension 'extension/main.bicep' = if (extensionDomainJoinCo autoUpgradeMinorVersion: contains(extensionDomainJoinConfig, 'autoUpgradeMinorVersion') ? extensionDomainJoinConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionDomainJoinConfig, 'enableAutomaticUpgrade') ? extensionDomainJoinConfig.enableAutomaticUpgrade : false settings: extensionDomainJoinConfig.settings - tags: contains(extensionDomainJoinConfig, 'tags') ? extensionDomainJoinConfig.tags : {} + tags: extensionDomainJoinConfig.?tags ?? tags protectedSettings: { Password: extensionDomainJoinPassword } @@ -506,7 +506,7 @@ module vm_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extensionAn autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') ? extensionAntiMalwareConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') ? extensionAntiMalwareConfig.enableAutomaticUpgrade : false settings: extensionAntiMalwareConfig.settings - tags: contains(extensionAntiMalwareConfig, 'tags') ? extensionAntiMalwareConfig.tags : {} + tags: extensionAntiMalwareConfig.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } } @@ -529,7 +529,7 @@ module vm_microsoftMonitoringAgentExtension 'extension/main.bicep' = if (extensi settings: { workspaceId: !empty(monitoringWorkspaceId) ? vm_logAnalyticsWorkspace.properties.customerId : '' } - tags: contains(extensionMonitoringAgentConfig, 'tags') ? extensionMonitoringAgentConfig.tags : {} + tags: extensionMonitoringAgentConfig.?tags ?? tags protectedSettings: { workspaceKey: !empty(monitoringWorkspaceId) ? vm_logAnalyticsWorkspace.listKeys().primarySharedKey : '' } 
@@ -548,7 +548,7 @@ module vm_dependencyAgentExtension 'extension/main.bicep' = if (extensionDepende autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') ? extensionDependencyAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') ? extensionDependencyAgentConfig.enableAutomaticUpgrade : true enableDefaultTelemetry: enableReferencedModulesTelemetry - tags: contains(extensionDependencyAgentConfig, 'tags') ? extensionDependencyAgentConfig.tags : {} + tags: extensionDependencyAgentConfig.?tags ?? tags } } @@ -563,7 +563,7 @@ module vm_networkWatcherAgentExtension 'extension/main.bicep' = if (extensionNet autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade : false enableDefaultTelemetry: enableReferencedModulesTelemetry - tags: contains(extensionNetworkWatcherAgentConfig, 'tags') ? extensionNetworkWatcherAgentConfig.tags : {} + tags: extensionNetworkWatcherAgentConfig.?tags ?? tags } } 
@@ -578,7 +578,7 @@ module vm_desiredStateConfigurationExtension 'extension/main.bicep' = if (extens autoUpgradeMinorVersion: contains(extensionDSCConfig, 'autoUpgradeMinorVersion') ? extensionDSCConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') ? extensionDSCConfig.enableAutomaticUpgrade : false settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {} - tags: contains(extensionDSCConfig, 'tags') ? extensionDSCConfig.tags : {} + tags: extensionDSCConfig.?tags ?? tags protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {} enableDefaultTelemetry: enableReferencedModulesTelemetry } @@ -597,7 +597,7 @@ module vm_customScriptExtension 'extension/main.bicep' = if (extensionCustomScri settings: { fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri] } - tags: contains(extensionCustomScriptConfig, 'tags') ? extensionCustomScriptConfig.tags : {} + tags: extensionCustomScriptConfig.?tags ?? tags protectedSettings: extensionCustomScriptProtectedSetting enableDefaultTelemetry: enableReferencedModulesTelemetry } 
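Review bot: The `fileUris` entries built with `listAccountSas(...).accountSasToken` sit under `settings`, which Azure stores and returns in plain text to anyone who can read the extension resource, so the storage SAS token is exposed to every Reader on the VM; only `protectedSettings` is encrypted and decrypted on the VM. This line is unchanged context, but this hunk is the only place in the diff that touches `vm_customScriptExtension`, so it is the natural place to raise it. The Custom Script Extension accepts `fileUris` inside `protectedSettings` (confirm for the extension versions this module targets), so the list could move there, e.g. `protectedSettings: union(extensionCustomScriptProtectedSetting, { fileUris: [for fileData in extensionCustomScriptConfig.fileData: ...] })`, leaving `settings` free of the token. `accountSasProperties` and `extensionCustomScriptProtectedSetting` are defined outside the hunk.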
@@ -618,7 +618,7 @@ module vm_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionAzu enableAutomaticUpgrade: contains(extensionAzureDiskEncryptionConfig, 'enableAutomaticUpgrade') ? extensionAzureDiskEncryptionConfig.enableAutomaticUpgrade : false forceUpdateTag: contains(extensionAzureDiskEncryptionConfig, 'forceUpdateTag') ? extensionAzureDiskEncryptionConfig.forceUpdateTag : '1.0' settings: extensionAzureDiskEncryptionConfig.settings - tags: contains(extensionAzureDiskEncryptionConfig, 'tags') ? extensionAzureDiskEncryptionConfig.tags : {} + tags: extensionAzureDiskEncryptionConfig.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } dependsOn: [ diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index cb4a01ea7c..bc357c1252 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10963953838389818589" + "templateHash": "13033892292472228031" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", @@ -607,7 +607,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -973,9 +973,6 @@ "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" - }, "enableIPForwarding": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'enableIPForwarding'), if(not(empty(parameters('nicConfigurations')[copyIndex()].enableIPForwarding)), createObject('value', parameters('nicConfigurations')[copyIndex()].enableIPForwarding), createObject('value', false())), createObject('value', false()))]", "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'enableAcceleratedNetworking'), createObject('value', parameters('nicConfigurations')[copyIndex()].enableAcceleratedNetworking), createObject('value', true()))]", "dnsServers": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'dnsServers'), if(not(empty(parameters('nicConfigurations')[copyIndex()].dnsServers)), createObject('value', parameters('nicConfigurations')[copyIndex()].dnsServers), createObject('value', createArray())), createObject('value', createArray()))]", 
@@ -984,12 +981,17 @@ "value": "[parameters('nicConfigurations')[copyIndex()].ipConfigurations]" }, "lock": { - "value": "[parameters('lock')]" + "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'lock'), parameters('lock'))]" + }, + "tags": { + "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'tags'), parameters('tags'))]" }, "diagnosticSettings": { "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'diagnosticSettings')]" }, - "roleAssignments": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'roleAssignments'), if(not(empty(parameters('nicConfigurations')[copyIndex()].roleAssignments)), createObject('value', parameters('nicConfigurations')[copyIndex()].roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]" + "roleAssignments": { + "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'roleAssignments')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -999,7 +1001,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17831295506111976442" + "templateHash": "2272323782582357015" } }, "definitions": { 
@@ -1133,6 +1135,72 @@ } }, "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1146,7 +1214,8 @@ "type": "string" }, "tags": { - "type": "object" + "type": "object", + "nullable": true }, "enableIPForwarding": { "type": "bool", 
@@ -1180,8 +1249,7 @@ } }, "roleAssignments": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/roleAssignmentType", "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } @@ -1225,7 +1293,7 @@ "skuName": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'skuName'), createObject('value', parameters('ipConfigurations')[copyIndex()].skuName), createObject('value', 'Standard'))]", "skuTier": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'skuTier'), createObject('value', parameters('ipConfigurations')[copyIndex()].skuTier), createObject('value', 'Regional'))]", "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'tags'), parameters('tags'))]" }, "zones": "[if(contains(parameters('ipConfigurations')[copyIndex()], 'zones'), createObject('value', parameters('ipConfigurations')[copyIndex()].zones), createObject('value', createArray()))]" }, 
@@ -2265,16 +2333,19 @@ "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAadJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAadJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]", "enableAutomaticUpgrade": "[if(contains(parameters('extensionAadJoinConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAadJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]", "settings": "[if(contains(parameters('extensionAadJoinConfig'), 'settings'), createObject('value', parameters('extensionAadJoinConfig').settings), createObject('value', createObject()))]", - "tags": "[if(contains(parameters('extensionAadJoinConfig'), 'tags'), createObject('value', parameters('extensionAadJoinConfig').tags), createObject('value', createObject()))]" + "tags": { + "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'tags'), parameters('tags'))]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -2367,14 +2438,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2388,7 +2459,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -2404,9 +2481,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2434,7 +2514,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -2472,7 +2552,9 @@ "settings": { "value": "[parameters('extensionDomainJoinConfig').settings]" }, - "tags": "[if(contains(parameters('extensionDomainJoinConfig'), 'tags'), createObject('value', parameters('extensionDomainJoinConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'tags'), parameters('tags'))]" + }, "protectedSettings": { "value": { "Password": "[parameters('extensionDomainJoinPassword')]" 
@@ -2484,12 +2566,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -2582,14 +2665,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -2603,7 +2686,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -2619,9 +2708,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2649,7 +2741,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } 
@@ -2687,19 +2779,22 @@ "settings": { "value": "[parameters('extensionAntiMalwareConfig').settings]" }, - "tags": "[if(contains(parameters('extensionAntiMalwareConfig'), 'tags'), createObject('value', parameters('extensionAntiMalwareConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -2792,14 +2887,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -2813,7 +2908,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", 
@@ -2829,9 +2930,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2859,7 +2963,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -2897,7 +3001,9 @@ "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceId'))), reference('vm_logAnalyticsWorkspace').customerId, '')]" } }, - "tags": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'tags'), createObject('value', parameters('extensionMonitoringAgentConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'tags'), parameters('tags'))]" + }, "protectedSettings": { "value": { "workspaceKey": "[if(not(empty(parameters('monitoringWorkspaceId'))), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '//'), '/')[2], split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), '////'), '/')[4]), 'Microsoft.OperationalInsights/workspaces', last(split(if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), 'law'), '/'))), '2021-06-01').primarySharedKey, '')]" 
@@ -2909,12 +3015,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3007,14 +3114,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -3028,7 +3135,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -3044,9 +3157,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -3074,7 +3190,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } 
@@ -3111,16 +3227,19 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "tags": "[if(contains(parameters('extensionDependencyAgentConfig'), 'tags'), createObject('value', parameters('extensionDependencyAgentConfig').tags), createObject('value', createObject()))]" + "tags": { + "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'tags'), parameters('tags'))]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3213,14 +3332,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -3234,7 +3353,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -3250,9 +3375,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -3280,7 +3408,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -3316,16 +3444,19 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "tags": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'tags'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').tags), createObject('value', createObject()))]" + "tags": { + "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'tags'), parameters('tags'))]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3418,14 +3549,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -3439,7 +3570,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", 
@@ -3455,9 +3592,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -3485,7 +3625,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -3521,7 +3661,9 @@ "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDSCConfig').autoUpgradeMinorVersion), createObject('value', true()))]", "enableAutomaticUpgrade": "[if(contains(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDSCConfig').enableAutomaticUpgrade), createObject('value', false()))]", "settings": "[if(contains(parameters('extensionDSCConfig'), 'settings'), createObject('value', parameters('extensionDSCConfig').settings), createObject('value', createObject()))]", - "tags": "[if(contains(parameters('extensionDSCConfig'), 'tags'), createObject('value', parameters('extensionDSCConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'tags'), parameters('tags'))]" + }, "protectedSettings": "[if(contains(parameters('extensionDSCConfig'), 'protectedSettings'), createObject('value', parameters('extensionDSCConfig').protectedSettings), createObject('value', createObject()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" 
@@ -3529,12 +3671,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3627,14 +3770,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -3648,7 +3791,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -3664,9 +3813,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -3694,7 +3846,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } 
@@ -3736,7 +3888,9 @@ ] } }, - "tags": "[if(contains(parameters('extensionCustomScriptConfig'), 'tags'), createObject('value', parameters('extensionCustomScriptConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'tags'), parameters('tags'))]" + }, "protectedSettings": { "value": "[parameters('extensionCustomScriptProtectedSetting')]" }, @@ -3746,12 +3900,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3844,14 +3999,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -3865,7 +4020,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", 
@@ -3881,9 +4042,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -3911,7 +4075,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -3949,19 +4113,22 @@ "settings": { "value": "[parameters('extensionAzureDiskEncryptionConfig').settings]" }, - "tags": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'tags'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16166330808348655128" + "templateHash": "9638144716839375831" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", 
@@ -4054,14 +4221,14 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -4075,7 +4242,13 @@ } } }, - { + "virtualMachine": { + "existing": true, + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "name": "[parameters('virtualMachineName')]" + }, + "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", @@ -4091,9 +4264,12 @@ "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", "suppressFailures": "[parameters('supressFailures')]" - } + }, + "dependsOn": [ + "virtualMachine" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -4121,7 +4297,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep index 87ba4a986a..133483d231 100644 --- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep +++ b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep 
@@ -1,7 +1,7 @@ param networkInterfaceName string param virtualMachineName string param location string -param tags object +param tags object? param enableIPForwarding bool = false param enableAcceleratedNetworking bool = false param dnsServers array = [] @@ -16,7 +16,7 @@ param lock lockType param diagnosticSettings diagnosticSettingType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +param roleAssignments roleAssignmentType var enableReferencedModulesTelemetry = false @@ -33,7 +33,7 @@ module networkInterface_publicIPAddresses '../../../network/public-ip-address/ma roleAssignments: contains(ipConfiguration, 'roleAssignments') ? ipConfiguration.roleAssignments : [] skuName: contains(ipConfiguration, 'skuName') ? ipConfiguration.skuName : 'Standard' skuTier: contains(ipConfiguration, 'skuTier') ? ipConfiguration.skuTier : 'Regional' - tags: tags + tags: ipConfiguration.?tags ?? tags zones: contains(ipConfiguration, 'zones') ? ipConfiguration.zones : [] } }] 
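Review bot: Changing `param roleAssignments array = []` to the nullable `roleAssignmentType` moves the default from an empty array to null, so whatever loop consumes `roleAssignments` further down this file (outside the hunk) must now read `for (roleAssignment, index) in (roleAssignments ?? [])` or the deployment fails when the caller omits it; please confirm that consumer was updated in the same commit. In the public-IP module call, `tags: ipConfiguration.?tags ?? tags` now sits beside `contains(ipConfiguration, 'roleAssignments') ? ipConfiguration.roleAssignments : []`; for a consistent style the neighbouring lookups could use the same safe-dereference form, e.g. `roleAssignments: ipConfiguration.?roleAssignments ?? []`. Note also that the public IP previously always received the NIC's `tags` and now prefers a per-ipConfiguration `tags` value, which is a small behaviour change worth a line in the description of the ipConfigurations parameter.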
@@ -122,3 +122,26 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type roleAssignmentType = { + @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 21ae59f1f7..aadba485c5 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -1025,7 +1025,6 @@ Resource ID of the subnet. Only specify when ipAddressType is Private. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `volumes` diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep index ca4a2b89f7..e2dbd5acf4 100644 --- a/modules/container-instance/container-group/main.bicep 
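Review bot: In the new `roleAssignmentType`, `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?` lists `null` as a union member and also marks the property nullable with the trailing `?`; one of the two is redundant, and `principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?` reads cleaner. The `condition` description carries a storage-container example that does not apply to a network interface or public IP; a neutral wording such as `Optional. The ABAC condition on the role assignment, e.g. a StringEqualsIgnoreCase check on a resource attribute; requires conditionVersion.` would avoid misleading callers. This type presumably mirrors the one declared in the parent virtual-machine module; if so, keeping the two byte-identical (or sharing one definition) avoids drift in the accepted principal types.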
+++ b/modules/container-instance/container-group/main.bicep @@ -70,7 +70,7 @@ param lock lockType param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json index 5cbac36a8f..9b3e6173ad 100644 --- a/modules/container-instance/container-group/main.json +++ b/modules/container-instance/container-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15669079272755728924" + "templateHash": "15985356083477047348" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", @@ -196,7 +196,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 562b218164..a0116062d8 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -1155,7 +1155,6 @@ Soft Delete policy status. Default is disabled. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `trustPolicyStatus` diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index d936cb3207..bcd5d249c5 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -123,7 +123,7 @@ param lock lockType param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -258,7 +258,7 @@ module registry_replications 'replication/main.bicep' = [for (replication, index location: replication.location regionEndpointEnabled: contains(replication, 'regionEndpointEnabled') ? replication.regionEndpointEnabled : true zoneRedundancy: contains(replication, 'zoneRedundancy') ? replication.zoneRedundancy : 'Disabled' - tags: contains(replication, 'tags') ? replication.tags : {} + tags: replication.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] @@ -292,7 +292,7 @@ module registry_webhooks 'webhook/main.bicep' = [for (webhook, index) in webhook scope: contains(webhook, 'scope') ? webhook.scope : '' status: contains(webhook, 'status') ? webhook.status : 'enabled' serviceUri: webhook.serviceUri - tags: contains(webhook, 'tags') ? webhook.tags : {} + tags: webhook.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index 1a70288241..f7d3b0e0b4 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5299367951340146796" + "templateHash": "4552885966837623579" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", @@ -597,7 +597,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
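Review bot: `tags: replication.?tags ?? tags` and `tags: webhook.?tags ?? tags` change behaviour: a replication or webhook that does not carry its own `tags` previously received `{}` and now inherits the registry's tags, while the child READMEs in this commit only drop the old default line and say nothing about inheritance. Since tags commonly drive Azure Policy and cost attribution, the parent parameter should state this, e.g. `@description('Optional. Tags of the resource. Also applied to replications and webhooks that do not specify their own tags; pass an empty object on the child to opt out.')` — the `??` operator keeps an explicit `{}` because it is not null, so opt-out works. The surrounding `contains(replication, 'regionEndpointEnabled') ? ... : true` ternaries use the older pattern; switching them to `replication.?regionEndpointEnabled ?? true` would keep one style per module call.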
@@ -848,19 +848,22 @@ }, "regionEndpointEnabled": "[if(contains(parameters('replications')[copyIndex()], 'regionEndpointEnabled'), createObject('value', parameters('replications')[copyIndex()].regionEndpointEnabled), createObject('value', true()))]", "zoneRedundancy": "[if(contains(parameters('replications')[copyIndex()], 'zoneRedundancy'), createObject('value', parameters('replications')[copyIndex()].zoneRedundancy), createObject('value', 'Disabled'))]", - "tags": "[if(contains(parameters('replications')[copyIndex()], 'tags'), createObject('value', parameters('replications')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('replications')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3105247041693395359" + "templateHash": "12719783741437890545" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication.", @@ -888,7 +891,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -919,8 +922,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -934,7 +937,13 @@ } } }, - { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "replication": { "type": "Microsoft.ContainerRegistry/registries/replications", "apiVersion": "2023-06-01-preview", "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", @@ -943,9 +952,12 @@ "properties": { "regionEndpointEnabled": "[parameters('regionEndpointEnabled')]", "zoneRedundancy": "[parameters('zoneRedundancy')]" - } + }, + "dependsOn": [ + "registry" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -973,7 +985,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/replications', parameters('registryName'), parameters('name')), '2023-06-01-preview', 'full').location]" + "value": "[reference('replication', '2023-06-01-preview', 'full').location]" } } } @@ -1147,19 +1159,22 @@ "serviceUri": { "value": "[parameters('webhooks')[copyIndex()].serviceUri]" }, - "tags": "[if(contains(parameters('webhooks')[copyIndex()], 'tags'), createObject('value', parameters('webhooks')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('webhooks')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6585565654056170037" + "templateHash": "17193481488069435754" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", 
@@ -1220,7 +1235,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1247,8 +1262,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1262,7 +1277,13 @@ } } }, - { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "webhook": { "type": "Microsoft.ContainerRegistry/registries/webhooks", "apiVersion": "2023-06-01-preview", "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", @@ -1274,9 +1295,12 @@ "scope": "[parameters('scope')]", "serviceUri": "[parameters('serviceUri')]", "status": "[parameters('status')]" - } + }, + "dependsOn": [ + "registry" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -1304,28 +1328,28 @@ "metadata": { "description": "The actions of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').actions]" + "value": "[reference('webhook').actions]" }, "status": { "type": "string", "metadata": { "description": "The status of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').status]" + "value": "[reference('webhook').status]" }, "provistioningState": { "type": "string", "metadata": { "description": "The provisioning state of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').provisioningState]" + "value": "[reference('webhook').provisioningState]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview', 'full').location]" + "value": "[reference('webhook', '2023-06-01-preview', 'full').location]" } } } diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md index 186c4b5e69..90104f8954 100644 --- a/modules/container-registry/registry/replication/README.md +++ b/modules/container-registry/registry/replication/README.md @@ -77,7 +77,6 @@ The name of the parent registry. Required if the template is used in a standalon Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zoneRedundancy` diff --git a/modules/container-registry/registry/replication/main.bicep b/modules/container-registry/registry/replication/main.bicep index e3895d9d97..a382a85fc0 100644 
--- a/modules/container-registry/registry/replication/main.bicep +++ b/modules/container-registry/registry/replication/main.bicep @@ -12,7 +12,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications.') param regionEndpointEnabled bool = true diff --git a/modules/container-registry/registry/replication/main.json b/modules/container-registry/registry/replication/main.json index 4e38206ba4..599a9db03f 100644 --- a/modules/container-registry/registry/replication/main.json +++ b/modules/container-registry/registry/replication/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3105247041693395359" + "templateHash": "12719783741437890545" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication.", @@ -33,7 +34,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -64,8 +65,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -79,7 +80,13 @@ } } }, - { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "replication": { "type": "Microsoft.ContainerRegistry/registries/replications", "apiVersion": "2023-06-01-preview", "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", @@ -88,9 +95,12 @@ "properties": { "regionEndpointEnabled": "[parameters('regionEndpointEnabled')]", "zoneRedundancy": "[parameters('zoneRedundancy')]" - } + }, + "dependsOn": [ + "registry" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -118,7 +128,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/replications', parameters('registryName'), parameters('name')), '2023-06-01-preview', 'full').location]" + "value": "[reference('replication', '2023-06-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md index a44a03ca55..978954919c 100644 --- a/modules/container-registry/registry/webhook/README.md +++ b/modules/container-registry/registry/webhook/README.md @@ -109,7 +109,6 @@ The status of the webhook at the time the operation was called. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/container-registry/registry/webhook/main.bicep b/modules/container-registry/registry/webhook/main.bicep index 6440840785..c537ad5153 100644 --- a/modules/container-registry/registry/webhook/main.bicep +++ b/modules/container-registry/registry/webhook/main.bicep 
@@ -33,7 +33,7 @@ param action array = [ param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Custom headers that will be added to the webhook notifications.') param customHeaders object = {} diff --git a/modules/container-registry/registry/webhook/main.json b/modules/container-registry/registry/webhook/main.json index 13ceaa13ed..3d462e11c7 100644 --- a/modules/container-registry/registry/webhook/main.json +++ b/modules/container-registry/registry/webhook/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6585565654056170037" + "templateHash": "17193481488069435754" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", @@ -66,7 +67,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -93,8 +94,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -108,7 +109,13 @@ } } }, - { + "registry": { + "existing": true, + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2023-06-01-preview", + "name": "[parameters('registryName')]" + }, + "webhook": { "type": "Microsoft.ContainerRegistry/registries/webhooks", "apiVersion": "2023-06-01-preview", "name": "[format('{0}/{1}', parameters('registryName'), parameters('name'))]", 
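Review bot: Directly below the changed `tags` line, `param customHeaders object = {}` is a plain, non-secure parameter; if a caller places an Authorization or API-key header in it (a common way to authenticate the receiving endpoint named by `serviceUri`), the value is written into the deployment history in clear text. Marking it `@secure()` (`@secure()` on the line above `param customHeaders object = {}`; an empty-object default is still permitted) costs nothing for callers that pass nothing and keeps the header values out of deployment outputs and logs. This is adjacent to, not part of, the tag change, so it can be a follow-up, but the parameter block is already being touched here.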
@@ -120,9 +127,12 @@ "scope": "[parameters('scope')]", "serviceUri": "[parameters('serviceUri')]", "status": "[parameters('status')]" - } + }, + "dependsOn": [ + "registry" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -150,28 +160,28 @@ "metadata": { "description": "The actions of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').actions]" + "value": "[reference('webhook').actions]" }, "status": { "type": "string", "metadata": { "description": "The status of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').status]" + "value": "[reference('webhook').status]" }, "provistioningState": { "type": "string", "metadata": { "description": "The provisioning state of the webhook." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview').provisioningState]" + "value": "[reference('webhook').provisioningState]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries/webhooks', parameters('registryName'), parameters('name')), '2023-06-01-preview', 'full').location]" + "value": "[reference('webhook', '2023-06-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index 0f65581013..b9d850bd99 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md 
@@ -2080,7 +2080,6 @@ The support plan for the Managed Cluster. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `webApplicationRoutingEnabled` diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md index 860074f5aa..c2dda9f91f 100644 --- a/modules/container-service/managed-cluster/agent-pool/README.md +++ b/modules/container-service/managed-cluster/agent-pool/README.md @@ -303,7 +303,6 @@ Possible values are any decimal value greater than zero or -1 which indicates th Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` diff --git a/modules/container-service/managed-cluster/agent-pool/main.bicep b/modules/container-service/managed-cluster/agent-pool/main.bicep index f1ea13e08b..aae427dcdc 100644 --- a/modules/container-service/managed-cluster/agent-pool/main.bicep +++ b/modules/container-service/managed-cluster/agent-pool/main.bicep @@ -133,7 +133,7 @@ param scaleSetPriority string = '' param spotMaxPrice int = -1 @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The type of Agent Pool.') param type string = '' diff --git a/modules/container-service/managed-cluster/agent-pool/main.json b/modules/container-service/managed-cluster/agent-pool/main.json index e1b8d0e5e8..878796aeb1 100644 --- a/modules/container-service/managed-cluster/agent-pool/main.json +++ b/modules/container-service/managed-cluster/agent-pool/main.json 
@@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14295298572292657386" + "templateHash": "15823498371287518640" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", @@ -262,7 +263,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -318,8 +319,8 @@ "maxSurge": "[parameters('maxSurge')]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -333,7 +334,13 @@ } } }, - { + "managedCluster": { + "existing": true, + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2023-07-02-preview", + "name": "[parameters('managedClusterName')]" + }, + "agentPool": { "type": "Microsoft.ContainerService/managedClusters/agentPools", "apiVersion": "2023-07-02-preview", "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]", @@ -372,9 +379,12 @@ "vmSize": "[parameters('vmSize')]", "vnetSubnetID": "[parameters('vnetSubnetId')]", "workloadRuntime": "[parameters('workloadRuntime')]" - } + }, + "dependsOn": [ + "managedCluster" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index b9f7f16414..5808b8d313 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep 
@@ -330,7 +330,7 @@ param roleAssignments roleAssignmentType
 param lock lockType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided.')
 param diskEncryptionSetID string = ''
@@ -600,7 +600,7 @@ module managedCluster_agentPools 'agent-pool/main.bicep' = [for (agentPool, inde
 scaleSetEvictionPolicy: contains(agentPool, 'scaleSetEvictionPolicy') ? agentPool.scaleSetEvictionPolicy : 'Delete'
 scaleSetPriority: contains(agentPool, 'scaleSetPriority') ? agentPool.scaleSetPriority : ''
 spotMaxPrice: contains(agentPool, 'spotMaxPrice') ? agentPool.spotMaxPrice : -1
- tags: contains(agentPool, 'tags') ? agentPool.tags : {}
+ tags: agentPool.?tags ?? tags
 type: contains(agentPool, 'type') ? agentPool.type : ''
 maxSurge: contains(agentPool, 'maxSurge') ? agentPool.maxSurge : ''
 vmSize: contains(agentPool, 'vmSize') ? agentPool.vmSize : 'Standard_D2s_v3'
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index b35df3cf30..552037b85f 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10186677383934049186"
+ "templateHash": "15042684995150005891"
 },
 "name": "Azure Kubernetes Service (AKS) Managed Clusters",
 "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -899,7 +899,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
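Review bot: `tags: agentPool.?tags ?? tags` changes what an agent pool without its own `tags` entry receives — previously `{}`, now the cluster-level `tags` — and nothing on the page documents that fallback; the `agentPools` parameter description (outside this hunk) should carry a sentence such as `Tags omitted on a pool default to the cluster tags.` so callers who rely on tags for policy evaluation, cost allocation or inventory are not surprised by pools that inherit. The new line also mixes the `.?`/`??` idiom with the neighbouring `contains(agentPool, 'x') ? agentPool.x : default` lines in the same params block; either form works, but one form per block reads better. The same undocumented fallback appears in the dev-test-lab `lab/main.bicep` hunks further down (virtual networks, policies, schedules, notification channels, artifact sources, costs), where the change goes the other way — child objects can now override the lab `tags` that were previously always passed through — and deserves the same note on the respective parameter descriptions. The enclosing `module managedCluster_agentPools` declaration starts before this hunk.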
@@ -1266,7 +1266,9 @@ "scaleSetEvictionPolicy": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetEvictionPolicy'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetEvictionPolicy), createObject('value', 'Delete'))]", "scaleSetPriority": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetPriority'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetPriority), createObject('value', ''))]", "spotMaxPrice": "[if(contains(parameters('agentPools')[copyIndex()], 'spotMaxPrice'), createObject('value', parameters('agentPools')[copyIndex()].spotMaxPrice), createObject('value', -1))]", - "tags": "[if(contains(parameters('agentPools')[copyIndex()], 'tags'), createObject('value', parameters('agentPools')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('agentPools')[copyIndex()], 'tags'), parameters('tags'))]" + }, "type": "[if(contains(parameters('agentPools')[copyIndex()], 'type'), createObject('value', parameters('agentPools')[copyIndex()].type), createObject('value', ''))]", "maxSurge": "[if(contains(parameters('agentPools')[copyIndex()], 'maxSurge'), createObject('value', parameters('agentPools')[copyIndex()].maxSurge), createObject('value', ''))]", "vmSize": "[if(contains(parameters('agentPools')[copyIndex()], 'vmSize'), createObject('value', parameters('agentPools')[copyIndex()].vmSize), createObject('value', 'Standard_D2s_v3'))]", @@ -1278,12 +1280,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14295298572292657386" + "templateHash": "15823498371287518640" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", 
@@ -1540,7 +1543,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1596,8 +1599,8 @@ "maxSurge": "[parameters('maxSurge')]" } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1611,7 +1614,13 @@ } } }, - { + "managedCluster": { + "existing": true, + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2023-07-02-preview", + "name": "[parameters('managedClusterName')]" + }, + "agentPool": { "type": "Microsoft.ContainerService/managedClusters/agentPools", "apiVersion": "2023-07-02-preview", "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]", @@ -1650,9 +1659,12 @@ "vmSize": "[parameters('vmSize')]", "vnetSubnetID": "[parameters('vnetSubnetId')]", "workloadRuntime": "[parameters('workloadRuntime')]" - } + }, + "dependsOn": [ + "managedCluster" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index cae941fa39..8b1c5eb5c7 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -931,7 +931,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index b8cce9bea8..ef4b508dae 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -83,7 +83,7 @@ param cMKUserAssignedIdentityResourceId string = '' param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index 11658501f0..bbb370ff4e 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4712647299782394769" + "templateHash": "11806238755138054005" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", @@ -560,7 +560,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 94825fc794..68efc247f0 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -504,7 +504,6 @@ Security settings for the backup vault. Tags of the Recovery Service Vault resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index 042be9825e..63aa54ac3d 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep @@ -21,7 +21,7 @@ param lock lockType param managedIdentities managedIdentitiesType @description('Optional. Tags of the Recovery Service Vault resource.') -param tags object = {} +param tags object? @description('Optional. The datastore type to use. ArchiveStore does not support ZoneRedundancy.') @allowed([ 
diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 9db6f483b0..12f17aebcc 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11392074106571494077" + "templateHash": "8040175372523410173" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", @@ -159,7 +159,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Recovery Service Vault resource." } diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 796b14a8bf..91fdd3ebdd 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -347,7 +347,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index d8ce4aeee9..4f0c6ed5bc 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep @@ -6,7 +6,7 @@ metadata owner = 'Azure/module-maintainers' param name string @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Location for all Resources.') param location string = resourceGroup().location diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index 5e8014b2f2..800ffae040 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9757807827728921562" + "templateHash": "11594689977563461718" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", @@ -137,7 +137,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index da7f3e5281..12e776c7f6 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -930,7 +930,6 @@ Storage account SKU name. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vnetAddressPrefix` diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index 7db11dae62..1468f38d16 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep @@ -29,7 +29,7 @@ param diagnosticSettings diagnosticSettingType param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 50c3564b16..ec49639153 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13163681429252258069" + "templateHash": "19156344202796197" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", @@ -395,7 +395,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index ac8fa8150a..7d4bbf44bf 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -1088,7 +1088,6 @@ Max storage allowed for a server. In all compute tiers, the minimum storage supp Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `tier` diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index 9df9e895a6..110a710c26 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep @@ -12,7 +12,7 @@ param lock lockType param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The administrator login name of a server. Can only be specified when the MySQL server is being created.') param administratorLogin string = '' diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index de8040ea03..45a154ff53 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1179455125587700731" + "templateHash": "2940458480347427239" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -248,7 +248,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 2e29c62ecd..30db670f19 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md 
+++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -979,7 +979,6 @@ Max storage allowed for a server. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `tenantId` diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index 3df7813d86..84bb983ea8 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -156,7 +156,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index fb07682a43..74d5498241 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2134307033398708647" + "templateHash": "2281015287111582702" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", @@ -502,7 +502,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 985cff6a86..400891b5b2 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -525,7 +525,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs 
diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index f1adcbb932..1e18d25925 100644 --- a/modules/desktop-virtualization/application-group/main.bicep +++ b/modules/desktop-virtualization/application-group/main.bicep @@ -35,7 +35,7 @@ param diagnosticSettings diagnosticSettingType param lock lockType @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index 905491e364..bd2466264e 100644 --- a/modules/desktop-virtualization/application-group/main.json +++ b/modules/desktop-virtualization/application-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3165107620977984204" + "templateHash": "14729705419389731754" }, "name": "Azure Virtual Desktop (AVD) Application Groups", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", @@ -258,7 +258,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index ce070fc3ec..be6dc2e213 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -702,7 +702,6 @@ Enable Start VM on connect to allow users to start the virtual machine from a de Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `tokenValidityLength` 
diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index cb7f44a990..031b3b5b9e 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep @@ -63,7 +63,7 @@ param diagnosticSettings diagnosticSettingType param lock lockType @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index b2d0786145..5759d9b41e 100644 --- a/modules/desktop-virtualization/host-pool/main.json +++ b/modules/desktop-virtualization/host-pool/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16828620493021839895" + "templateHash": "2287776590285678937" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", @@ -313,7 +313,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 58447da84f..dae9ec2b75 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -524,7 +524,6 @@ The schedules related to this scaling plan. If no value is provided a default sc Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `timeZone` diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep index 34f3f687f3..51d609016c 100644 --- a/modules/desktop-virtualization/scaling-plan/main.bicep 
+++ b/modules/desktop-virtualization/scaling-plan/main.bicep @@ -73,7 +73,7 @@ param schedules array = [ param hostPoolReferences array = [] @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index f392334372..16160093bf 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9923356797606121055" + "templateHash": "17057413050702654038" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", @@ -276,7 +276,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 6ba2e77ef0..35f5ec4422 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -463,7 +463,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index a3c050f19b..f566fe1e80 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep 
@@ -24,7 +24,7 @@ param diagnosticSettings diagnosticSettingType param lock lockType @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index 27edea5a4f..b05e7c83d5 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10079774519163544161" + "templateHash": "17022699140829235991" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", @@ -242,7 +242,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index af50afe9e9..e506fa7f34 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -956,7 +956,6 @@ The properties of any lab support message associated with this lab. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualnetworks` diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md index 26aa3c0d4f..f2ac68cd9a 100644 --- a/modules/dev-test-lab/lab/artifactsource/README.md +++ b/modules/dev-test-lab/lab/artifactsource/README.md @@ -121,7 +121,6 @@ Indicates if the artifact source is enabled (values: Enabled, Disabled). Default Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `uri` 
diff --git a/modules/dev-test-lab/lab/artifactsource/main.bicep b/modules/dev-test-lab/lab/artifactsource/main.bicep index c57f78c6b9..e2c5e2f540 100644 --- a/modules/dev-test-lab/lab/artifactsource/main.bicep +++ b/modules/dev-test-lab/lab/artifactsource/main.bicep @@ -11,7 +11,7 @@ param labName string param name string @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. The artifact source\'s display name. Default is the name of the artifact source.') param displayName string = name diff --git a/modules/dev-test-lab/lab/artifactsource/main.json b/modules/dev-test-lab/lab/artifactsource/main.json index 946b4a505a..734c1e482d 100644 --- a/modules/dev-test-lab/lab/artifactsource/main.json +++ b/modules/dev-test-lab/lab/artifactsource/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4180084937723506143" + "templateHash": "12165020180713564819" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", @@ -26,7 +27,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -104,8 +105,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +120,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "artifactsource": { "type": "Microsoft.DevTestLab/labs/artifactsources", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -133,9 +140,12 @@ "sourceType": "[if(not(empty(parameters('sourceType'))), parameters('sourceType'), null())]", "status": "[parameters('status')]", "uri": "[parameters('uri')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md index 69d66fdbc7..51d6302f23 100644 --- a/modules/dev-test-lab/lab/cost/README.md +++ b/modules/dev-test-lab/lab/cost/README.md @@ -107,7 +107,6 @@ Target cost status. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `target` diff --git a/modules/dev-test-lab/lab/cost/main.bicep b/modules/dev-test-lab/lab/cost/main.bicep index a11795399e..c0e7f7cb18 100644 --- a/modules/dev-test-lab/lab/cost/main.bicep +++ b/modules/dev-test-lab/lab/cost/main.bicep @@ -15,7 +15,7 @@ param labName string param cycleType string @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Conditional. Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom".') param cycleStartDateTime string = '' diff --git a/modules/dev-test-lab/lab/cost/main.json b/modules/dev-test-lab/lab/cost/main.json index 89f70cfd1f..3ec2b33776 100644 --- a/modules/dev-test-lab/lab/cost/main.json +++ b/modules/dev-test-lab/lab/cost/main.json 
@@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17587308196408831883" + "templateHash": "12104430168487418019" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", @@ -30,7 +31,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -192,8 +193,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -207,7 +208,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "cost": { "type": "Microsoft.DevTestLab/labs/costs", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), 'targetCost')]", @@ -265,9 +272,12 @@ } ] } - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index 2d52f27d29..1b54432e6d 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep @@ -15,7 +15,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The properties of any lab announcement associated with this lab.') param announcement object = {} 
@@ -188,7 +188,7 @@ module lab_virtualNetworks 'virtualnetwork/main.bicep' = [for (virtualNetwork, i
 params: {
 labName: lab.name
 name: virtualNetwork.name
- tags: tags
+ tags: virtualNetwork.?tags ?? tags
 externalProviderResourceId: virtualNetwork.externalProviderResourceId
 description: contains(virtualNetwork, 'description') ? virtualNetwork.description : ''
 allowedSubnets: contains(virtualNetwork, 'allowedSubnets') ? virtualNetwork.allowedSubnets : []
@@ -202,7 +202,7 @@ module lab_policies 'policyset/policy/main.bicep' = [for (policy, index) in poli
 params: {
 labName: lab.name
 name: policy.name
- tags: tags
+ tags: policy.?tags ?? tags
 description: contains(policy, 'description') ? policy.description : ''
 evaluatorType: policy.evaluatorType
 factData: contains(policy, 'factData') ? policy.factData : ''
@@ -218,7 +218,7 @@ module lab_schedules 'schedule/main.bicep' = [for (schedule, index) in schedules
 params: {
 labName: lab.name
 name: schedule.name
- tags: tags
+ tags: schedule.?tags ?? tags
 taskType: schedule.taskType
 dailyRecurrence: contains(schedule, 'dailyRecurrence') ? schedule.dailyRecurrence : {}
 hourlyRecurrence: contains(schedule, 'hourlyRecurrence') ? schedule.hourlyRecurrence : {}
@@ -237,7 +237,7 @@ module lab_notificationChannels 'notificationchannel/main.bicep' = [for (notific
 params: {
 labName: lab.name
 name: notificationChannel.name
- tags: tags
+ tags: notificationChannel.?tags ?? tags
 description: contains(notificationChannel, 'description') ? notificationChannel.description : ''
 events: notificationChannel.events
 emailRecipient: contains(notificationChannel, 'emailRecipient') ? notificationChannel.emailRecipient : ''
@@ -252,7 +252,7 @@ module lab_artifactSources 'artifactsource/main.bicep' = [for (artifactSource, i
 params: {
 labName: lab.name
 name: artifactSource.name
- tags: tags
+ tags: artifactSource.?tags ?? tags
 displayName: contains(artifactSource, 'displayName') ? artifactSource.displayName : artifactSource.name
 branchRef: contains(artifactSource, 'branchRef') ? artifactSource.branchRef : ''
 folderPath: contains(artifactSource, 'folderPath') ? artifactSource.folderPath : ''
@@ -268,7 +268,7 @@ module lab_costs 'cost/main.bicep' = if (!empty(costs)) {
 name: '${uniqueString(deployment().name, location)}-Lab-Costs'
 params: {
 labName: lab.name
- tags: tags
+ tags: costs.?tags ?? tags
 currencyCode: contains(costs, 'currencyCode') ? costs.currencyCode : 'USD'
 cycleType: costs.cycleType
 cycleStartDateTime: contains(costs, 'cycleStartDateTime') ? costs.cycleStartDateTime : ''
diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json
index 0e566cecde..f7339163ff 100644
--- a/modules/dev-test-lab/lab/main.json
+++ b/modules/dev-test-lab/lab/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "15532963443565749928"
+ "templateHash": "14947280208542929227"
 },
 "name": "DevTest Labs",
 "description": "This module deploys a DevTest Lab.",
@@ -148,7 +148,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -464,7 +464,7 @@
 "value": "[parameters('virtualnetworks')[copyIndex()].name]"
 },
 "tags": {
- "value": "[parameters('tags')]"
+ "value": "[coalesce(tryGet(parameters('virtualnetworks')[copyIndex()], 'tags'), parameters('tags'))]"
 },
 "externalProviderResourceId": {
 "value": "[parameters('virtualnetworks')[copyIndex()].externalProviderResourceId]"
@@ -478,12 +478,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5213684482874022181" + "templateHash": "8382075673072622254" }, "name": "DevTest Lab Virtual Networks", "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", @@ -510,7 +511,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -544,8 +545,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -559,7 +560,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "virtualNetwork": { "type": "Microsoft.DevTestLab/labs/virtualnetworks", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -569,9 +576,12 @@ "externalProviderResourceId": "[parameters('externalProviderResourceId')]", "allowedSubnets": "[parameters('allowedSubnets')]", "subnetOverrides": "[parameters('subnetOverrides')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -622,7 +632,7 @@ "value": "[parameters('policies')[copyIndex()].name]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('policies')[copyIndex()], 'tags'), parameters('tags'))]" }, "description": "[if(contains(parameters('policies')[copyIndex()], 'description'), createObject('value', parameters('policies')[copyIndex()].description), createObject('value', ''))]", "evaluatorType": { @@ -827,7 +837,7 @@ "value": "[parameters('schedules')[copyIndex()].name]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('schedules')[copyIndex()], 'tags'), parameters('tags'))]" }, "taskType": { "value": "[parameters('schedules')[copyIndex()].taskType]" @@ -846,12 +856,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "853057685884144049" + "templateHash": "10592511541548002212" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", @@ -886,7 +897,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -963,8 +974,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -978,7 +989,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "schedule": { "type": "Microsoft.DevTestLab/labs/schedules", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", 
@@ -992,9 +1009,12 @@ "targetResourceId": "[if(not(empty(parameters('targetResourceId'))), parameters('targetResourceId'), null())]", "timeZoneId": "[parameters('timeZoneId')]", "notificationSettings": "[if(equals(parameters('notificationSettingsStatus'), 'Enabled'), createObject('status', parameters('notificationSettingsStatus'), 'timeInMinutes', parameters('notificationSettingsTimeInMinutes')), createObject())]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1045,7 +1065,7 @@ "value": "[parameters('notificationchannels')[copyIndex()].name]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('notificationchannels')[copyIndex()], 'tags'), parameters('tags'))]" }, "description": "[if(contains(parameters('notificationchannels')[copyIndex()], 'description'), createObject('value', parameters('notificationchannels')[copyIndex()].description), createObject('value', ''))]", "events": { @@ -1060,12 +1080,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7575060424945865003" + "templateHash": "5225332129791836269" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", @@ -1090,7 +1111,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1138,8 +1159,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1153,7 +1174,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "notificationChannel": { "type": "Microsoft.DevTestLab/labs/notificationchannels", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -1164,9 +1191,12 @@ "emailRecipient": "[parameters('emailRecipient')]", "webHookUrl": "[parameters('webHookUrl')]", "notificationLocale": "[parameters('notificationLocale')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1217,7 +1247,7 @@ "value": "[parameters('artifactsources')[copyIndex()].name]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('artifactsources')[copyIndex()], 'tags'), parameters('tags'))]" }, "displayName": "[if(contains(parameters('artifactsources')[copyIndex()], 'displayName'), createObject('value', parameters('artifactsources')[copyIndex()].displayName), createObject('value', parameters('artifactsources')[copyIndex()].name))]", "branchRef": "[if(contains(parameters('artifactsources')[copyIndex()], 'branchRef'), createObject('value', parameters('artifactsources')[copyIndex()].branchRef), createObject('value', ''))]", 
@@ -1234,12 +1264,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4180084937723506143" + "templateHash": "12165020180713564819" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", @@ -1260,7 +1291,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1338,8 +1369,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1353,7 +1384,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "artifactsource": { "type": "Microsoft.DevTestLab/labs/artifactsources", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -1367,9 +1404,12 @@ "sourceType": "[if(not(empty(parameters('sourceType'))), parameters('sourceType'), null())]", "status": "[parameters('status')]", "uri": "[parameters('uri')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1414,7 +1454,7 @@ "value": "[parameters('name')]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('costs'), 'tags'), parameters('tags'))]" }, "currencyCode": "[if(contains(parameters('costs'), 'currencyCode'), createObject('value', parameters('costs').currencyCode), createObject('value', 'USD'))]", "cycleType": { @@ -1440,12 +1480,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17587308196408831883" + "templateHash": "12104430168487418019" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", @@ -1470,7 +1511,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1632,8 +1673,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1647,7 +1688,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "cost": { "type": "Microsoft.DevTestLab/labs/costs", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), 'targetCost')]", @@ -1705,9 +1752,12 @@ } ] } - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md index d78d419ad8..45abfc2693 100644 
--- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ b/modules/dev-test-lab/lab/notificationchannel/README.md @@ -96,7 +96,6 @@ The locale to use when sending a notification (fallback for unsupported language Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `webHookUrl` diff --git a/modules/dev-test-lab/lab/notificationchannel/main.bicep b/modules/dev-test-lab/lab/notificationchannel/main.bicep index 4cf83f60ae..cae5615737 100644 --- a/modules/dev-test-lab/lab/notificationchannel/main.bicep +++ b/modules/dev-test-lab/lab/notificationchannel/main.bicep @@ -15,7 +15,7 @@ param labName string param name string @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. Description of notification.') param description string = '' diff --git a/modules/dev-test-lab/lab/notificationchannel/main.json b/modules/dev-test-lab/lab/notificationchannel/main.json index 6251464ffc..bfab5a4069 100644 --- a/modules/dev-test-lab/lab/notificationchannel/main.json +++ b/modules/dev-test-lab/lab/notificationchannel/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7575060424945865003" + "templateHash": "5225332129791836269" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", @@ -30,7 +31,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -78,8 +79,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -93,7 +94,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "notificationChannel": { "type": "Microsoft.DevTestLab/labs/notificationchannels", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -104,9 +111,12 @@ "emailRecipient": "[parameters('emailRecipient')]", "webHookUrl": "[parameters('webHookUrl')]", "notificationLocale": "[parameters('notificationLocale')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md index 5d197319c3..293747d728 100644 --- a/modules/dev-test-lab/lab/schedule/README.md +++ b/modules/dev-test-lab/lab/schedule/README.md @@ -109,7 +109,6 @@ The status of the schedule (i.e. Enabled, Disabled). Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `targetResourceId` diff --git a/modules/dev-test-lab/lab/schedule/main.bicep b/modules/dev-test-lab/lab/schedule/main.bicep index a2254c5c5c..7b4df85c7b 100644 --- a/modules/dev-test-lab/lab/schedule/main.bicep +++ b/modules/dev-test-lab/lab/schedule/main.bicep @@ -22,7 +22,7 @@ param name string param taskType string @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. If the schedule will occur once each day of the week, specify the daily recurrence.') param dailyRecurrence object = {} diff --git a/modules/dev-test-lab/lab/schedule/main.json b/modules/dev-test-lab/lab/schedule/main.json index 96c2fa8537..dbbccd0c7e 100644 --- a/modules/dev-test-lab/lab/schedule/main.json 
+++ b/modules/dev-test-lab/lab/schedule/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "853057685884144049" + "templateHash": "10592511541548002212" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", @@ -40,7 +41,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -117,8 +118,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -132,7 +133,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "schedule": { "type": "Microsoft.DevTestLab/labs/schedules", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -146,9 +153,12 @@ "targetResourceId": "[if(not(empty(parameters('targetResourceId'))), parameters('targetResourceId'), null())]", "timeZoneId": "[parameters('timeZoneId')]", "notificationSettings": "[if(equals(parameters('notificationSettingsStatus'), 'Enabled'), createObject('status', parameters('notificationSettingsStatus'), 'timeInMinutes', parameters('notificationSettingsTimeInMinutes')), createObject())]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/dev-test-lab/lab/virtualnetwork/README.md b/modules/dev-test-lab/lab/virtualnetwork/README.md index c2eaf8a2bc..494fe14296 100644 
--- a/modules/dev-test-lab/lab/virtualnetwork/README.md +++ b/modules/dev-test-lab/lab/virtualnetwork/README.md @@ -93,7 +93,6 @@ The subnet overrides of the virtual network. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.bicep b/modules/dev-test-lab/lab/virtualnetwork/main.bicep index 79ac891df0..c4076627d9 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/main.bicep +++ b/modules/dev-test-lab/lab/virtualnetwork/main.bicep @@ -14,7 +14,7 @@ param name string param externalProviderResourceId string @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @sys.description('Optional. The description of the virtual network.') param description string = '' diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.json b/modules/dev-test-lab/lab/virtualnetwork/main.json index 71e0cb54e5..0f32f00fd3 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/main.json +++ b/modules/dev-test-lab/lab/virtualnetwork/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5213684482874022181" + "templateHash": "8382075673072622254" }, "name": "DevTest Lab Virtual Networks", "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", @@ -32,7 +33,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -66,8 +67,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -81,7 +82,13 @@ } } }, - { + "lab": { + "existing": true, + "type": "Microsoft.DevTestLab/labs", + "apiVersion": "2018-09-15", + "name": "[parameters('labName')]" + }, + "virtualNetwork": { "type": "Microsoft.DevTestLab/labs/virtualnetworks", "apiVersion": "2018-09-15", "name": "[format('{0}/{1}', parameters('labName'), parameters('name'))]", @@ -91,9 +98,12 @@ "externalProviderResourceId": "[parameters('externalProviderResourceId')]", "allowedSubnets": "[parameters('allowedSubnets')]", "subnetOverrides": "[parameters('subnetOverrides')]" - } + }, + "dependsOn": [ + "lab" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 0c42034c49..dcf0765ad2 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -727,7 +727,6 @@ Enables system assigned managed identity on the resource. Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `userAssignedIdentities` diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index b7d3117847..8ff9c75278 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -11,7 +11,7 @@ param name string param location string = resourceGroup().location @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. The lock settings of the service.') param lock lockType 
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index f7f565c333..d770a0e408 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3851102361558562054" + "templateHash": "12569577248629110844" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", @@ -378,7 +378,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 87ab27ddef..6891ab0f3d 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -1859,7 +1859,6 @@ SQL Databases configurations. Tags of the Database Account resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md index 7436326970..da1fb97246 100644 --- a/modules/document-db/database-account/gremlin-database/README.md +++ b/modules/document-db/database-account/gremlin-database/README.md @@ -79,7 +79,6 @@ Name of the Gremlin database. Tags of the Gremlin database resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `throughput` diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md index 9bd3196bdc..b682df47c6 100644 --- a/modules/document-db/database-account/gremlin-database/graph/README.md +++ b/modules/document-db/database-account/gremlin-database/graph/README.md 
@@ -84,7 +84,6 @@ List of paths using which data within the container can be partitioned. Tags of the Gremlin graph resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/document-db/database-account/gremlin-database/graph/main.bicep b/modules/document-db/database-account/gremlin-database/graph/main.bicep index 9606717456..2aa31f8ffb 100644 --- a/modules/document-db/database-account/gremlin-database/graph/main.bicep +++ b/modules/document-db/database-account/gremlin-database/graph/main.bicep @@ -6,7 +6,7 @@ metadata owner = 'Azure/module-maintainers' param name string @description('Optional. Tags of the Gremlin graph resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/document-db/database-account/gremlin-database/graph/main.json b/modules/document-db/database-account/gremlin-database/graph/main.json index ac3ab15bde..140ebcbb80 100644 --- a/modules/document-db/database-account/gremlin-database/graph/main.json +++ b/modules/document-db/database-account/gremlin-database/graph/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18333404401527081455" + "templateHash": "16432474498986701571" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", @@ -20,7 +21,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Gremlin graph resource." } 
@@ -59,8 +60,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::gremlinDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -74,7 +84,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "gremlinGraph": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", @@ -87,9 +103,12 @@ "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" } } - } + }, + "dependsOn": [ + "databaseAccount::gremlinDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/document-db/database-account/gremlin-database/main.bicep b/modules/document-db/database-account/gremlin-database/main.bicep index bef3ca7288..1c2718c46e 100644 --- a/modules/document-db/database-account/gremlin-database/main.bicep +++ b/modules/document-db/database-account/gremlin-database/main.bicep @@ -6,7 +6,7 @@ metadata owner = 'Azure/module-maintainers' param name string @description('Optional. Tags of the Gremlin database resource.') -param tags object = {} +param tags object? @description('Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment.') param databaseAccountName string 
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json index aef7829f15..7d513e6420 100644 --- a/modules/document-db/database-account/gremlin-database/main.json +++ b/modules/document-db/database-account/gremlin-database/main.json @@ -46,7 +46,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Gremlin database resource." } @@ -156,12 +156,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18333404401527081455" + "templateHash": "16432474498986701571" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", @@ -176,7 +177,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Gremlin graph resource." } @@ -215,8 +216,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::gremlinDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -230,7 +240,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "gremlinGraph": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", @@ -243,9 +259,12 @@ "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" } } - } + }, + "dependsOn": [ + "databaseAccount::gremlinDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -299,4 +318,4 @@ "value": "[resourceGroup().name]" } } -} \ No newline at end of file +} diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index 3ac93fcc6a..ee19348385 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -9,7 +9,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the Database Account resource.') -param tags object = {} +param tags object? @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentitiesType diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 47d04e5c6f..761eb727b6 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15206663104495888656" + "templateHash": "13265582198003672508" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
@@ -398,7 +398,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Database Account resource." } @@ -774,12 +774,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11353697729412779140" + "templateHash": "10948740009827102632" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -821,7 +822,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the SQL database resource." } @@ -837,8 +838,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -852,7 +853,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "sqlDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", 
@@ -861,10 +868,13 @@ "resource": { "id": "[parameters('name')]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "container": { "copy": { "name": "container", "count": "[length(parameters('containers'))]" @@ -902,12 +912,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8116399669974678281" + "templateHash": "5628064493958565248" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", @@ -972,7 +983,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the SQL Database resource." } 
@@ -1018,8 +1029,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::sqlDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1033,7 +1053,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "container": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", 
@@ -1051,10 +1077,13 @@ }, "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" + }, + "dependsOn": [ + "databaseAccount::sqlDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1081,10 +1110,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('name'))]" + "sqlDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", @@ -1141,12 +1170,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1822071123668929932" + "templateHash": "18265317713061610546" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", 
@@ -1181,7 +1211,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1197,8 +1227,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -1212,7 +1242,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "mongodbDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", @@ -1221,10 +1257,13 @@ "resource": { "id": "[parameters('name')]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "mongodbDatabase_collections": { "copy": { "name": "mongodbDatabase_collections", "count": "[length(parameters('collections'))]" @@ -1371,10 +1410,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" + "mongodbDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1437,7 +1476,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1439508098279696940" + "templateHash": "9027351090124444562" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.", @@ -1477,7 +1516,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Gremlin database resource." } @@ -1587,12 +1626,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18333404401527081455" + "templateHash": "16432474498986701571" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", @@ -1607,7 +1647,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Gremlin graph resource." } @@ -1646,8 +1686,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::gremlinDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
@@ -1661,7 +1710,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "gremlinGraph": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", @@ -1674,9 +1729,12 @@ "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" } } - } + }, + "dependsOn": [ + "databaseAccount::gremlinDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md index 93ddb86a7f..330081f50e 100644 --- a/modules/document-db/database-account/mongodb-database/README.md +++ b/modules/document-db/database-account/mongodb-database/README.md @@ -70,7 +70,6 @@ Name of the mongodb database. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `throughput` diff --git a/modules/document-db/database-account/mongodb-database/main.bicep b/modules/document-db/database-account/mongodb-database/main.bicep index 4598238f0d..a66e001038 100644 --- a/modules/document-db/database-account/mongodb-database/main.bicep +++ b/modules/document-db/database-account/mongodb-database/main.bicep @@ -15,7 +15,7 @@ param throughput int = 400 param collections array = [] @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/document-db/database-account/mongodb-database/main.json b/modules/document-db/database-account/mongodb-database/main.json index ac1f8b3634..ea41158c15 100644 
--- a/modules/document-db/database-account/mongodb-database/main.json +++ b/modules/document-db/database-account/mongodb-database/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1822071123668929932" + "templateHash": "18265317713061610546" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", @@ -40,7 +41,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -56,8 +57,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -71,7 +72,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "mongodbDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", 
@@ -80,10 +87,13 @@ "resource": { "id": "[parameters('name')]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "mongodbDatabase_collections": { "copy": { "name": "mongodbDatabase_collections", "count": "[length(parameters('collections'))]" @@ -230,10 +240,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" + "mongodbDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/document-db/database-account/sql-database/README.md b/modules/document-db/database-account/sql-database/README.md index 83def7fb2b..bb5beed3eb 100644 --- a/modules/document-db/database-account/sql-database/README.md +++ b/modules/document-db/database-account/sql-database/README.md @@ -78,7 +78,6 @@ Name of the SQL database . Tags of the SQL database resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `throughput` diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md index a090b1fe3f..a6621174f4 100644 --- a/modules/document-db/database-account/sql-database/container/README.md +++ b/modules/document-db/database-account/sql-database/container/README.md @@ -127,7 +127,6 @@ The name of the parent SQL Database. Required if the template is used in a stand Tags of the SQL Database resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `throughput` 
diff --git a/modules/document-db/database-account/sql-database/container/main.bicep b/modules/document-db/database-account/sql-database/container/main.bicep index 2219191720..003b8dc007 100644 --- a/modules/document-db/database-account/sql-database/container/main.bicep +++ b/modules/document-db/database-account/sql-database/container/main.bicep @@ -30,7 +30,7 @@ param throughput int = 400 param autoscaleSettingsMaxThroughput int = -1 @description('Optional. Tags of the SQL Database resource.') -param tags object = {} +param tags object? @description('Optional. List of paths using which data within the container can be partitioned.') param paths array = [] diff --git a/modules/document-db/database-account/sql-database/container/main.json b/modules/document-db/database-account/sql-database/container/main.json index 0975283cf0..4f00fe50ef 100644 --- a/modules/document-db/database-account/sql-database/container/main.json +++ b/modules/document-db/database-account/sql-database/container/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8116399669974678281" + "templateHash": "5628064493958565248" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", @@ -70,7 +71,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the SQL Database resource." } 
@@ -116,8 +117,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::sqlDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -131,7 +141,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "container": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", 
@@ -149,10 +165,13 @@ }, "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" + }, + "dependsOn": [ + "databaseAccount::sqlDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/document-db/database-account/sql-database/main.bicep b/modules/document-db/database-account/sql-database/main.bicep index dd4e23c5f6..1d931a726b 100644 --- a/modules/document-db/database-account/sql-database/main.bicep +++ b/modules/document-db/database-account/sql-database/main.bicep @@ -18,7 +18,7 @@ param throughput int = 400 param autoscaleSettingsMaxThroughput int = -1 @description('Optional. Tags of the SQL database resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/document-db/database-account/sql-database/main.json b/modules/document-db/database-account/sql-database/main.json index f077897716..d3c8fefc92 100644 --- a/modules/document-db/database-account/sql-database/main.json +++ b/modules/document-db/database-account/sql-database/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11353697729412779140" + "templateHash": "10948740009827102632" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -47,7 +48,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the SQL database resource." } @@ -63,8 +64,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -78,7 +79,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "sqlDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", 
@@ -87,10 +94,13 @@ "resource": { "id": "[parameters('name')]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" + }, + "dependsOn": [ + "databaseAccount" + ] }, - { + "container": { "copy": { "name": "container", "count": "[length(parameters('containers'))]" @@ -128,12 +138,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8116399669974678281" + "templateHash": "5628064493958565248" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", @@ -198,7 +209,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the SQL Database resource." } 
@@ -244,8 +255,17 @@ } } }, - "resources": [ - { + "resources": { + "databaseAccount::sqlDatabase": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2023-04-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]", + "dependsOn": [ + "databaseAccount" + ] + }, + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -259,7 +279,13 @@ } } }, - { + "databaseAccount": { + "existing": true, + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2023-04-15", + "name": "[parameters('databaseAccountName')]" + }, + "container": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", "apiVersion": "2023-04-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", 
@@ -277,10 +303,13 @@ }, "uniqueKeyPolicy": "[if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())]" }, - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2023-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" - } + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(equals(parameters('autoscaleSettingsMaxThroughput'), -1), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), -1)), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" + }, + "dependsOn": [ + "databaseAccount::sqlDatabase" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -307,10 +336,10 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('name'))]" + "sqlDatabase" ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 6c71635f0a..c72c581389 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -793,7 +793,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `topics` diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep index 148f117db7..4e5e97ad29 100644 
--- a/modules/event-grid/domain/main.bicep +++ b/modules/event-grid/domain/main.bicep @@ -38,7 +38,7 @@ param roleAssignments roleAssignmentType param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index c0d3e0b923..c605dc1497 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16715487695261799270" + "templateHash": "18074779137586977163" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", @@ -433,7 +433,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 76aa28f3f5..5b20bf5b6f 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -567,7 +567,6 @@ Source for the system topic. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `topicType` diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep index f851d03ce8..53d77af4ab 100644 --- a/modules/event-grid/system-topic/main.bicep +++ b/modules/event-grid/system-topic/main.bicep @@ -30,7 +30,7 @@ param lock lockType param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json index 6e084c85bd..fdc007afc1 100644 --- a/modules/event-grid/system-topic/main.json +++ b/modules/event-grid/system-topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15694608297739544704" + "templateHash": "8924691213553754613" }, "name": "Event Grid System Topics", "description": "This module deploys an Event Grid System Topic.", @@ -293,7 +293,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 7eb867998a..363cdc2cc0 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -826,7 +826,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep index 7e24e9c9fc..4e996d59a5 100644 --- a/modules/event-grid/topic/main.bicep +++ b/modules/event-grid/topic/main.bicep @@ -35,7 +35,7 @@ param roleAssignments roleAssignmentType param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 7013e9320d..52eebfaa89 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8337019560033170518" + "templateHash": "17629869517360394667" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", 
@@ -426,7 +426,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 01537b304d..ea77988f49 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -1272,7 +1272,6 @@ event hub plan SKU name. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zoneRedundant` diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index 57097a54ea..f7ec5002f5 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -102,7 +102,7 @@ param requireInfrastructureEncryption bool = false param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index 6e2eb2d442..ea70a72f71 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4102382527672113808" + "templateHash": "14752778402428640491" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -571,7 +571,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index cf5076bc30..363f535857 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md 
@@ -349,7 +349,6 @@ The name of the Azure Health Bot SKU. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep index c18e4aa195..4d5164ac7f 100644 --- a/modules/health-bot/health-bot/main.bicep +++ b/modules/health-bot/health-bot/main.bicep @@ -26,7 +26,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json index f4ee735e27..fc4be759e6 100644 --- a/modules/health-bot/health-bot/main.json +++ b/modules/health-bot/health-bot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4815130337915787009" + "templateHash": "9469986313045690324" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.", @@ -165,7 +165,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 4db6d1c6c8..443ba44ef1 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -545,7 +545,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index 217bc50b8d..82cdc71170 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md 
+++ b/modules/healthcare-apis/workspace/dicomservice/README.md @@ -285,7 +285,6 @@ Control permission for data plane traffic coming from public networks while priv Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `workspaceName` diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep index 29d0dbcf1f..16112998b7 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.bicep +++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep @@ -52,7 +52,7 @@ param publicNetworkAccess string = 'Disabled' param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json index f9627046e0..f05ffafc1c 100644 --- a/modules/healthcare-apis/workspace/dicomservice/main.json +++ b/modules/healthcare-apis/workspace/dicomservice/main.json @@ -263,7 +263,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -397,4 +397,4 @@ "value": "[reference('dicom', '2022-06-01', 'full').location]" } } -} \ No newline at end of file +} diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 9ae8dc574e..1c8d86d105 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md @@ -462,7 +462,6 @@ If the SMART on FHIR proxy is enabled. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `workspaceName` 
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index 69c00a4d6a..68fef37742 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep +++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep @@ -103,7 +103,7 @@ param smartProxyEnabled bool = false param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index 3b995855d7..3e1e52d236 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -435,7 +435,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -647,4 +647,4 @@ "value": "[parameters('workspaceName')]" } } -} \ No newline at end of file +} diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index 94f9c1bdf3..2da0f7ced5 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md @@ -275,7 +275,6 @@ The name of the MedTech service. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `workspaceName` diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep index c4d2088098..b5aab3e434 100644 --- a/modules/healthcare-apis/workspace/iotconnector/main.bicep +++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep 
@@ -40,7 +40,7 @@ param lock lockType param managedIdentities managedIdentitiesType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json index 890a2c935e..90607dde65 100644 --- a/modules/healthcare-apis/workspace/iotconnector/main.json +++ b/modules/healthcare-apis/workspace/iotconnector/main.json @@ -245,7 +245,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -566,4 +566,4 @@ "value": "[parameters('workspaceName')]" } } -} \ No newline at end of file +} diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep index 60af91948e..454b86f22e 100644 --- a/modules/healthcare-apis/workspace/main.bicep +++ b/modules/healthcare-apis/workspace/main.bicep @@ -23,7 +23,7 @@ param roleAssignments roleAssignmentType param publicNetworkAccess string = 'Disabled' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true @@ -110,7 +110,7 @@ module workspace_fhirservices 'fhirservice/main.bicep' = [for (fhir, index) in f location: location workspaceName: workspace.name kind: fhir.kind - tags: contains(fhir, 'tags') ? fhir.tags : {} + tags: fhir.?tags ?? tags publicNetworkAccess: contains(fhir, 'publicNetworkAccess') ? fhir.publicNetworkAccess : 'Disabled' managedIdentities: contains(fhir, 'managedIdentities') ? fhir.managedIdentities : null roleAssignments: contains(fhir, 'roleAssignments') ? fhir.roleAssignments : [] 
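Review bot: The new `tags: fhir.?tags ?? tags` in the `@@ -110` hunk changes the fallback for a FHIR service from an empty object to the workspace's own `tags`, so every child service now inherits all parent tags unless the caller sets `tags` on it, and nothing in this commit (the `fhirservices` description or the README) states that inheritance. Tags commonly drive policy evaluation, cost allocation and tag-scoped automation, so silent propagation to child resources is the kind of behaviour a consumer needs to see documented; the same applies to the `dicomservices` (`@@ -143`) and `iotconnectors` (`@@ -163`) hunks on the following line. I would extend the `fhirservices` parameter description with `Tags not set on a child service are inherited from the workspace tags; set tags: {} on the child to opt out.`, which is accurate because `??` only replaces null and leaves an explicit empty object untouched. The enclosing `module workspace_fhirservices ... = [for ...]` declaration starts outside the hunk.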
@@ -143,7 +143,7 @@ module workspace_dicomservices 'dicomservice/main.bicep' = [for (dicom, index) i name: dicom.name location: location workspaceName: workspace.name - tags: contains(dicom, 'tags') ? dicom.tags : {} + tags: dicom.?tags ?? tags publicNetworkAccess: contains(dicom, 'publicNetworkAccess') ? dicom.publicNetworkAccess : 'Disabled' managedIdentities: contains(dicom, 'managedIdentities') ? dicom.managedIdentities : null corsOrigins: contains(dicom, 'corsOrigins') ? dicom.corsOrigins : [] @@ -163,7 +163,7 @@ module workspace_iotconnector 'iotconnector/main.bicep' = [for (iotConnector, in name: iotConnector.name location: location workspaceName: workspace.name - tags: contains(iotConnector, 'tags') ? iotConnector.tags : {} + tags: iotConnector.?tags ?? tags eventHubName: iotConnector.eventHubName eventHubNamespaceName: iotConnector.eventHubNamespaceName deviceMapping: contains(iotConnector, 'deviceMapping') ? iotConnector.deviceMapping : { diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json index 9954e2db58..8502414d02 100644 --- a/modules/healthcare-apis/workspace/main.json +++ b/modules/healthcare-apis/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6558922436832597627" + "templateHash": "9102511166724334580" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", @@ -145,7 +145,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -285,7 +285,9 @@ "kind": { "value": "[parameters('fhirservices')[copyIndex()].kind]" }, - "tags": "[if(contains(parameters('fhirservices')[copyIndex()], 'tags'), createObject('value', parameters('fhirservices')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('fhirservices')[copyIndex()], 'tags'), parameters('tags'))]" + }, "publicNetworkAccess": "[if(contains(parameters('fhirservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('fhirservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", "managedIdentities": "[if(contains(parameters('fhirservices')[copyIndex()], 'managedIdentities'), createObject('value', parameters('fhirservices')[copyIndex()].managedIdentities), createObject('value', null()))]", "roleAssignments": "[if(contains(parameters('fhirservices')[copyIndex()], 'roleAssignments'), createObject('value', parameters('fhirservices')[copyIndex()].roleAssignments), createObject('value', createArray()))]", @@ -324,7 +326,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14914386228020873144" + "templateHash": "8893393036207321770" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -753,7 +755,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -994,7 +996,9 @@ "workspaceName": { "value": "[parameters('name')]" }, - "tags": "[if(contains(parameters('dicomservices')[copyIndex()], 'tags'), createObject('value', parameters('dicomservices')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('dicomservices')[copyIndex()], 'tags'), parameters('tags'))]" + }, "publicNetworkAccess": "[if(contains(parameters('dicomservices')[copyIndex()], 'publicNetworkAccess'), createObject('value', parameters('dicomservices')[copyIndex()].publicNetworkAccess), createObject('value', 'Disabled'))]", "managedIdentities": "[if(contains(parameters('dicomservices')[copyIndex()], 'managedIdentities'), createObject('value', parameters('dicomservices')[copyIndex()].managedIdentities), createObject('value', null()))]", "corsOrigins": "[if(contains(parameters('dicomservices')[copyIndex()], 'corsOrigins'), createObject('value', parameters('dicomservices')[copyIndex()].corsOrigins), createObject('value', createArray()))]", @@ -1020,7 +1024,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4165874741118763430" + "templateHash": "10991463946028183992" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", @@ -1277,7 +1281,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1440,7 +1444,9 @@ "workspaceName": { "value": "[parameters('name')]" }, - "tags": "[if(contains(parameters('iotconnectors')[copyIndex()], 'tags'), createObject('value', parameters('iotconnectors')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('iotconnectors')[copyIndex()], 'tags'), parameters('tags'))]" + }, "eventHubName": { "value": "[parameters('iotconnectors')[copyIndex()].eventHubName]" }, 
@@ -1469,7 +1475,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9502385350114367681" + "templateHash": "16117637432944064764" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", @@ -1708,7 +1714,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } From b533cbf8586510730a84219c6ec05893a0f55bb6 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Tue, 31 Oct 2023 20:38:02 +0000 Subject: [PATCH 069/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 88 +++++++++++----------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 67a0adf1e7..a34661ec87 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -13,13 +13,13 @@ This section provides an overview of the library's feature set. | # | Module | Status | RBAC | Locks | Tags | Diag | PE | PIP | # children | # lines | | - | - | - | - | - | - | - | - | - | - | - | -| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | :white_check_mark: | | | | | 251 | -| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | :white_check_mark: | | | | | 170 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | :white_check_mark: | | | | [L1:11, L2:3] | 455 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | :white_check_mark: | | | | [L1:1] | 309 | -| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | :white_check_mark: | | | | | 211 | +| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | | | | | | 251 | +| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | | | | | | 170 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | | | | | [L1:11, L2:3] | 455 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 309 | +| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | | 211 | | 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | -| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | :white_check_mark: | | | | | 163 | +| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | | 163 | | 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | | 9 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | | 10 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | @@ -27,44 +27,44 @@ This section provides an overview of the library's feature set. | 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | :white_check_mark: | | | | [L1:6] | 441 | -| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | :white_check_mark: | | | | | 317 | -| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | :white_check_mark: | | | | | 318 | -| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | :white_check_mark: | | | | [L1:1] | 268 | -| 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | :white_check_mark: | | | | [L1:6, L2:4] | 220 | -| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | :white_check_mark: | | | | | 379 | -| 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | :white_check_mark: | | | | | 111 | -| 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | :white_check_mark: | | | | | 218 | -| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | :white_check_mark: | | | | [L1:1] | 168 | -| 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | :white_check_mark: | | | | [L1:2] | 155 | -| 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | :white_check_mark: | | | | | 137 | -| 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | :white_check_mark: | | | | | 111 | -| 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | :white_check_mark: | | | | | 99 | -| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | :white_check_mark: | | | | [L1:2] | 657 | -| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | :white_check_mark: | | | | [L1:1] | 611 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 443 | +| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 317 | +| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 318 | +| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 268 | +| 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | | | | | [L1:6, L2:4] | 220 | +| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | | 379 | +| 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | | | | | | 111 | +| 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | | | | | | 218 | +| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | | | | | [L1:1] | 168 | +| 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | | | | | [L1:2] | 155 | +| 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | | | | | | 137 | +| 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | | | | | | 111 | +| 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | | | | | | 99 | +| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | | | | | [L1:2] | 657 | +| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | | | | | [L1:1] | 611 | | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | :white_check_mark: | | | | | 167 | -| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | :white_check_mark: | | | | [L1:3] | 434 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | :white_check_mark: | | | | [L1:1] | 668 | -| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | :white_check_mark: | | | | [L1:2, L2:1] | 322 | -| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | :white_check_mark: | | | | [L1:1] | 159 | -| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | :white_check_mark: | | | | | 110 | -| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | :white_check_mark: | | | | | 376 | -| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:3] | 374 | -| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | :white_check_mark: | | | | [L1:4] | 370 | -| 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | :white_check_mark: | | | | [L1:1] | 191 | -| 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | :white_check_mark: | | | | | 281 | -| 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | :white_check_mark: | | | | | 200 | -| 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | :white_check_mark: | | | | | 161 | -| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | :white_check_mark: | | | | [L1:6, L2:1] | 304 | -| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | :white_check_mark: | | | | [L1:3] | 292 | -| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | :white_check_mark: | | | | [L1:3, L2:3] | 404 | -| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | :white_check_mark: | | | | [L1:1] | 248 | -| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | :white_check_mark: | | | | [L1:1] | 197 | -| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | :white_check_mark: | | | | [L1:1] | 252 | -| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 401 | -| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | :white_check_mark: | | | | | 116 | -| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | :white_check_mark: | | | | [L1:3, L2:1] | 195 | +| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | | 167 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 434 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:1] | 668 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 322 | +| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:1] | 159 | +| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | | 110 | +| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 376 | +| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:3] | 374 | +| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:4] | 370 | +| 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | | | | | [L1:1] | 191 | +| 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | | | | | | 281 | +| 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | | 200 | +| 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | | | | | | 161 | +| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:6, L2:1] | 304 | +| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:3] | 292 | +| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:3, L2:3] | 404 | +| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:1] | 248 | +| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:1] | 197 | +| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:1] | 252 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 401 | +| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | | 116 | +| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:3, L2:1] | 195 | | 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | | 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | | 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 444 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 275 | -| Sum | | | 0 | 0 | 119 | 0 | 0 | 2 | 240 | 29533 | +| Sum | | | 0 | 0 | 76 | 0 | 0 | 2 | 240 | 29535 | ## Legend From 598f20ff1877c74c76bd903a7ab261ea4a1bd047 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Tue, 31 Oct 2023 21:39:52 +0100 Subject: [PATCH 070/178] [Modules] Updated tags to AVM standard - Batch 2 (#4160) * Second batch * Updated firewall & simplified it * Updated bastion & firewall to default with IP --- modules/insights/action-group/README.md | 1 - modules/insights/action-group/main.bicep | 2 +- modules/insights/action-group/main.json | 4 +- modules/insights/activity-log-alert/README.md | 1 - .../insights/activity-log-alert/main.bicep | 2 +- modules/insights/activity-log-alert/main.json | 4 +- modules/insights/component/README.md | 1 - modules/insights/component/main.bicep | 2 +- modules/insights/component/main.json | 4 +- .../data-collection-endpoint/README.md | 1 - .../data-collection-endpoint/main.bicep | 2 +- .../data-collection-endpoint/main.json | 4 +- .../insights/data-collection-rule/README.md | 1 - .../insights/data-collection-rule/main.bicep | 2 +- .../insights/data-collection-rule/main.json | 4 +- modules/insights/metric-alert/README.md | 1 - modules/insights/metric-alert/main.bicep | 2 +- modules/insights/metric-alert/main.json | 4 +- modules/insights/private-link-scope/README.md | 1 - .../insights/private-link-scope/main.bicep | 2 +- modules/insights/private-link-scope/main.json | 4 +- .../insights/scheduled-query-rule/README.md | 1 - .../insights/scheduled-query-rule/main.bicep | 2 +- .../insights/scheduled-query-rule/main.json | 4 +- modules/key-vault/vault/README.md | 1 - modules/key-vault/vault/key/README.md | 1 - modules/key-vault/vault/key/main.bicep | 2 +- modules/key-vault/vault/key/main.json | 4 +- modules/key-vault/vault/main.bicep | 6 +- modules/key-vault/vault/main.json | 20 ++-- modules/key-vault/vault/secret/README.md | 1 - modules/key-vault/vault/secret/main.bicep | 2 +- modules/key-vault/vault/secret/main.json | 4 +- modules/logic/workflow/README.md | 1 - modules/logic/workflow/main.bicep | 2 +- modules/logic/workflow/main.json | 4 +- .../workspace/README.md | 1 - .../workspace/compute/README.md | 
1 - .../workspace/compute/main.bicep | 2 +- .../workspace/compute/main.json | 4 +- .../workspace/main.bicep | 2 +- .../workspace/main.json | 8 +- .../maintenance-configuration/README.md | 1 - .../maintenance-configuration/main.bicep | 2 +- .../maintenance-configuration/main.json | 4 +- .../user-assigned-identity/README.md | 1 - .../user-assigned-identity/main.bicep | 2 +- .../user-assigned-identity/main.json | 4 +- modules/net-app/net-app-account/README.md | 1 - .../net-app-account/capacity-pool/README.md | 1 - .../net-app-account/capacity-pool/main.bicep | 2 +- .../net-app-account/capacity-pool/main.json | 4 +- modules/net-app/net-app-account/main.bicep | 4 +- modules/net-app/net-app-account/main.json | 12 +- .../README.md | 1 - .../main.bicep | 2 +- .../main.json | 15 +-- modules/network/application-gateway/README.md | 1 - .../network/application-gateway/main.bicep | 2 +- modules/network/application-gateway/main.json | 4 +- .../application-security-group/README.md | 1 - .../application-security-group/main.bicep | 2 +- .../application-security-group/main.json | 4 +- modules/network/azure-firewall/README.md | 13 +- modules/network/azure-firewall/main.bicep | 82 +++++-------- modules/network/azure-firewall/main.json | 59 +++------ modules/network/bastion-host/README.md | 13 +- modules/network/bastion-host/main.bicep | 113 +++++------------- modules/network/bastion-host/main.json | 82 +++---------- modules/network/connection/README.md | 1 - modules/network/connection/main.bicep | 2 +- modules/network/connection/main.json | 4 +- .../network/ddos-protection-plan/README.md | 1 - .../network/ddos-protection-plan/main.bicep | 2 +- .../network/ddos-protection-plan/main.json | 4 +- .../network/dns-forwarding-ruleset/README.md | 1 - .../network/dns-forwarding-ruleset/main.bicep | 2 +- .../network/dns-forwarding-ruleset/main.json | 4 +- modules/network/dns-resolver/README.md | 1 - modules/network/dns-resolver/main.bicep | 2 +- modules/network/dns-resolver/main.json | 4 +- 
modules/network/dns-zone/README.md | 1 - modules/network/dns-zone/main.bicep | 2 +- modules/network/dns-zone/main.json | 4 +- .../network/express-route-circuit/README.md | 1 - .../network/express-route-circuit/main.bicep | 2 +- .../network/express-route-circuit/main.json | 4 +- .../network/express-route-gateway/README.md | 1 - .../network/express-route-gateway/main.bicep | 2 +- .../network/express-route-gateway/main.json | 4 +- modules/network/firewall-policy/README.md | 1 - modules/network/firewall-policy/main.bicep | 2 +- modules/network/firewall-policy/main.json | 4 +- .../README.md | 1 - .../main.bicep | 2 +- .../main.json | 4 +- modules/network/front-door/README.md | 1 - modules/network/front-door/main.bicep | 2 +- modules/network/front-door/main.json | 4 +- modules/network/ip-group/README.md | 1 - modules/network/ip-group/main.bicep | 2 +- modules/network/ip-group/main.json | 4 +- modules/network/load-balancer/README.md | 1 - modules/network/load-balancer/main.bicep | 2 +- modules/network/load-balancer/main.json | 4 +- .../network/local-network-gateway/README.md | 1 - .../network/local-network-gateway/main.bicep | 2 +- .../network/local-network-gateway/main.json | 4 +- modules/network/nat-gateway/README.md | 1 - modules/network/nat-gateway/main.bicep | 2 +- modules/network/nat-gateway/main.json | 8 +- modules/network/network-interface/README.md | 1 - modules/network/network-interface/main.bicep | 2 +- modules/network/network-interface/main.json | 4 +- modules/network/network-manager/README.md | 1 - modules/network/network-manager/main.bicep | 2 +- modules/network/network-manager/main.json | 4 +- .../network/network-security-group/README.md | 1 - .../network/network-security-group/main.bicep | 2 +- .../network/network-security-group/main.json | 4 +- modules/network/network-watcher/README.md | 1 - .../connection-monitor/README.md | 1 - .../connection-monitor/main.bicep | 2 +- .../connection-monitor/main.json | 26 ++-- .../network-watcher/flow-log/README.md | 1 
- .../network-watcher/flow-log/main.bicep | 2 +- .../network-watcher/flow-log/main.json | 26 ++-- modules/network/network-watcher/main.bicep | 2 +- modules/network/network-watcher/main.json | 56 ++++++--- modules/network/private-dns-zone/README.md | 1 - modules/network/private-dns-zone/main.bicep | 4 +- modules/network/private-dns-zone/main.json | 34 ++++-- .../virtual-network-link/README.md | 1 - .../virtual-network-link/main.bicep | 2 +- .../virtual-network-link/main.json | 26 ++-- .../network/private-link-service/README.md | 1 - .../network/private-link-service/main.bicep | 2 +- .../network/private-link-service/main.json | 4 +- modules/network/public-ip-address/README.md | 1 - modules/network/public-ip-address/main.bicep | 2 +- modules/network/public-ip-address/main.json | 4 +- modules/network/public-ip-prefix/README.md | 1 - modules/network/public-ip-prefix/main.bicep | 2 +- modules/network/public-ip-prefix/main.json | 4 +- modules/network/route-table/README.md | 1 - modules/network/route-table/main.bicep | 2 +- modules/network/route-table/main.json | 4 +- .../network/service-endpoint-policy/README.md | 1 - .../service-endpoint-policy/main.bicep | 2 +- .../network/service-endpoint-policy/main.json | 4 +- .../network/trafficmanagerprofile/README.md | 1 - .../network/trafficmanagerprofile/main.bicep | 2 +- .../network/trafficmanagerprofile/main.json | 4 +- modules/network/virtual-hub/README.md | 1 - modules/network/virtual-hub/main.bicep | 2 +- modules/network/virtual-hub/main.json | 4 +- .../network/virtual-network-gateway/README.md | 1 - .../virtual-network-gateway/main.bicep | 2 +- .../network/virtual-network-gateway/main.json | 8 +- modules/network/virtual-network/README.md | 1 - modules/network/virtual-network/main.bicep | 2 +- modules/network/virtual-network/main.json | 4 +- modules/network/virtual-wan/README.md | 1 - modules/network/virtual-wan/main.bicep | 2 +- modules/network/virtual-wan/main.json | 4 +- modules/network/vpn-gateway/README.md | 1 - 
modules/network/vpn-gateway/main.bicep | 2 +- modules/network/vpn-gateway/main.json | 4 +- modules/network/vpn-site/README.md | 1 - modules/network/vpn-site/main.bicep | 2 +- modules/network/vpn-site/main.json | 4 +- 171 files changed, 399 insertions(+), 551 deletions(-) diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index 107e2c2fd1..d54f25254b 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -397,7 +397,6 @@ The list of SMS receivers that are part of this action group. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `voiceReceivers` diff --git a/modules/insights/action-group/main.bicep b/modules/insights/action-group/main.bicep index cc70da7f68..9d339fd670 100644 --- a/modules/insights/action-group/main.bicep +++ b/modules/insights/action-group/main.bicep @@ -45,7 +45,7 @@ param azureFunctionReceivers array = [] param armRoleReceivers array = [] @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/action-group/main.json b/modules/insights/action-group/main.json index 792fd37d16..3d096908ea 100644 --- a/modules/insights/action-group/main.json +++ b/modules/insights/action-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "38103589755829738" + "templateHash": "2140251667223898817" }, "name": "Action Groups", "description": "This module deploys an Action Group.", @@ -178,7 +178,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 6fee0f6567..361b57243f 100644 
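Review bot: Switching `param tags object = {}` to `param tags object?` means every consumer of `tags` in the module body, which lies outside this hunk, now receives `null` instead of an empty object; a plain `tags: tags` assignment is unaffected, but any `union(tags, ...)` or property access on it will be rejected by the compiler or fail at deployment. Please confirm the body passes the parameter through directly, or coalesce it at the use site with `tags ?? {}`. The same change appears in the activity-log-alert, component, data-collection-endpoint, data-collection-rule, metric-alert, private-link-scope and scheduled-query-rule main.bicep hunks, and the regenerated main.json hunks (`"nullable": true`) are consistent with it. The `@description('Optional. Tags of the resource.')` text remains accurate and needs no update.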
--- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -339,7 +339,6 @@ The list of resource IDs that this Activity Log Alert is scoped to. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep index b2abd44709..349e2184db 100644 --- a/modules/insights/activity-log-alert/main.bicep +++ b/modules/insights/activity-log-alert/main.bicep @@ -29,7 +29,7 @@ param conditions array param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json index 011805c14a..e30e649b22 100644 --- a/modules/insights/activity-log-alert/main.json +++ b/modules/insights/activity-log-alert/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16411085736743453279" + "templateHash": "11464845772829048576" }, "name": "Activity Log Alerts", "description": "This module deploys an Activity Log Alert.", @@ -138,7 +138,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 166ce61b15..93f098019a 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -471,7 +471,6 @@ Percentage of the data produced by the application being monitored that is being Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `workspaceResourceId` 
diff --git a/modules/insights/component/main.bicep b/modules/insights/component/main.bicep index e3084ce4ad..5ca3a75e6b 100644 --- a/modules/insights/component/main.bicep +++ b/modules/insights/component/main.bicep @@ -58,7 +58,7 @@ param location string = resourceGroup().location param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json index beb8c0e634..633108ee5b 100644 --- a/modules/insights/component/main.json +++ b/modules/insights/component/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "803183035503673320" + "templateHash": "15854449149260650767" }, "name": "Application Insights", "description": "This component deploys an Application Insights instance.", @@ -281,7 +281,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 19f10616c4..5f791e34bd 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -328,7 +328,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep index 246b4d305a..6b3fa4325e 100644 --- a/modules/insights/data-collection-endpoint/main.bicep +++ b/modules/insights/data-collection-endpoint/main.bicep 
@@ -36,7 +36,7 @@ param roleAssignments roleAssignmentType
 param publicNetworkAccess string = 'Disabled'
 @description('Optional. Resource tags.')
-param tags object = {}
+param tags object?
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json
index 8696ca8b76..1b5d39bc42 100644
--- a/modules/insights/data-collection-endpoint/main.json
+++ b/modules/insights/data-collection-endpoint/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "5064319070805092308"
+ "templateHash": "8921941475150538433"
 },
 "name": "Data Collection Endpoints",
 "description": "This module deploys a Data Collection Endpoint.",
@@ -162,7 +162,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Resource tags."
 }
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index 04dec0ae15..261e51782d 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -1671,7 +1671,6 @@ Declaration of custom streams used in this rule. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs
diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep
index ea8f7a0f0d..8e8be03130 100644
--- a/modules/insights/data-collection-rule/main.bicep
+++ b/modules/insights/data-collection-rule/main.bicep
@@ -47,7 +47,7 @@ param roleAssignments roleAssignmentType
 param streamDeclarations object = {}
 @sys.description('Optional. Resource tags.')
-param tags object = {}
+param tags object?
 // =============== // // Deployments //
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json index 444a20be3f..09fd72cd0d 100644 --- a/modules/insights/data-collection-rule/main.json +++ b/modules/insights/data-collection-rule/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12929247318394653560" + "templateHash": "2029998281934386338" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule.", @@ -190,7 +190,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index d218665401..2ff2485b0e 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -344,7 +344,6 @@ The severity of the alert. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `targetResourceRegion` diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep index 1c9c7fa2fc..992795ba50 100644 --- a/modules/insights/metric-alert/main.bicep +++ b/modules/insights/metric-alert/main.bicep @@ -79,7 +79,7 @@ param criterias array param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json index 596264f7b2..afc031ec18 100644 --- a/modules/insights/metric-alert/main.json +++ b/modules/insights/metric-alert/main.json 
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12768498740595616170"
+ "templateHash": "7986480211513146761"
 },
 "name": "Metric Alerts",
 "description": "This module deploys a Metric Alert.",
@@ -216,7 +216,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index 503da87cab..0f6c7ba546 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -512,7 +512,6 @@ Configuration details for Azure Monitor Resources. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs
diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
index 5d9aa08e33..a21a5f25c8 100644
--- a/modules/insights/private-link-scope/main.bicep
+++ b/modules/insights/private-link-scope/main.bicep
@@ -22,7 +22,7 @@ param scopedResources array = []
 param privateEndpoints privateEndpointType
 @description('Optional. Resource tags.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
index f2fa8337c2..63675293c1 100644
--- a/modules/insights/private-link-scope/main.json
+++ b/modules/insights/private-link-scope/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9175020405944005574"
+ "templateHash": "10939592682328481507"
 },
 "name": "Azure Monitor Private Link Scopes",
 "description": "This module deploys an Azure Monitor Private Link Scope.",
@@ -296,7 +296,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index c5a4ea3e0a..7a4003acd4 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -400,7 +400,6 @@ Mute actions for the chosen period of time (in ISO 8601 duration format) after t Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `targetResourceTypes` diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep index 226ecce844..27e644b9bb 100644 --- a/modules/insights/scheduled-query-rule/main.bicep +++ b/modules/insights/scheduled-query-rule/main.bicep @@ -65,7 +65,7 @@ param criterias object param suppressForMinutes string = '' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json index bfaf29b63b..804da1fac7 100644 --- a/modules/insights/scheduled-query-rule/main.json +++ b/modules/insights/scheduled-query-rule/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12829815846590991969" + "templateHash": "3215598878486027169" }, "name": "Scheduled Query Rules", "description": "This module deploys a Scheduled Query Rule.", @@ -209,7 +209,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index f8759df26f..28af1e5341 100644 --- a/modules/key-vault/vault/README.md 
+++ b/modules/key-vault/vault/README.md @@ -1269,7 +1269,6 @@ softDelete data retention days. It accepts >=7 and <=90. Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vaultSku` diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index 1e576869c8..561700f223 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -198,7 +198,6 @@ Key rotation policy properties object. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/key-vault/vault/key/main.bicep b/modules/key-vault/vault/key/main.bicep index f506bd7937..762341e837 100644 --- a/modules/key-vault/vault/key/main.bicep +++ b/modules/key-vault/vault/key/main.bicep @@ -9,7 +9,7 @@ param keyVaultName string param name string @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true diff --git a/modules/key-vault/vault/key/main.json b/modules/key-vault/vault/key/main.json index 9188cec34a..daadf7027b 100644 --- a/modules/key-vault/vault/key/main.json +++ b/modules/key-vault/vault/key/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15473816229466025012" + "templateHash": "2953672245031093442" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -95,7 +95,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep index 59a9e4b2d9..178a8067d7 100644 --- a/modules/key-vault/vault/main.bicep +++ b/modules/key-vault/vault/main.bicep 
@@ -77,7 +77,7 @@ param roleAssignments roleAssignmentType param privateEndpoints privateEndpointType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -212,7 +212,7 @@ module keyVault_secrets 'secret/main.bicep' = [for (secret, index) in secretList attributesExp: contains(secret, 'attributesExp') ? secret.attributesExp : -1 attributesNbf: contains(secret, 'attributesNbf') ? secret.attributesNbf : -1 contentType: contains(secret, 'contentType') ? secret.contentType : '' - tags: contains(secret, 'tags') ? secret.tags : {} + tags: secret.?tags ?? tags roleAssignments: contains(secret, 'roleAssignments') ? secret.roleAssignments : [] enableDefaultTelemetry: enableReferencedModulesTelemetry } @@ -230,7 +230,7 @@ module keyVault_keys 'key/main.bicep' = [for (key, index) in keys: { keyOps: contains(key, 'keyOps') ? key.keyOps : [] keySize: contains(key, 'keySize') ? key.keySize : -1 kty: contains(key, 'kty') ? key.kty : 'EC' - tags: contains(key, 'tags') ? key.tags : {} + tags: key.?tags ?? tags roleAssignments: contains(key, 'roleAssignments') ? key.roleAssignments : [] enableDefaultTelemetry: enableReferencedModulesTelemetry rotationPolicy: contains(key, 'rotationPolicy') ? key.rotationPolicy : {} diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index 48077a0533..e36848e797 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11050704115840799182" + "templateHash": "13347839852828986726" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", @@ -508,7 +508,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } 
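Review bot: The new fallback `tags: secret.?tags ?? tags` (and the matching `tags: key.?tags ?? tags` in the `@@ -230` hunk) changes behavior for existing consumers: a key or secret object that omits `tags` now inherits the vault's tags instead of getting `{}`, and because `??` only fires on null, the only way to keep a child untagged is to pass `tags: {}` explicitly on that object. Tags are commonly consumed by policy and cost tooling, so silently propagating vault tags onto every key and secret is something callers should be told about, yet the `key/` and `secret/` README hunks in this commit only drop the `Default` line. I would state the rule on the parent's `keys` and `secrets` parameter descriptions, which sit outside this hunk, e.g. `@description('Optional. All secrets to create. Tags fall back to the vault tags unless the secret specifies its own; pass an empty object to opt out.')`. As a point of style, the neighbouring lines still use the `contains(secret, 'x') ? secret.x : default` form, so this one line mixes two idioms in the same object; converging the rest on `.?`/`??` would make the fallback rules easier to audit.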
@@ -802,7 +802,9 @@ "attributesExp": "[if(contains(variables('secretList')[copyIndex()], 'attributesExp'), createObject('value', variables('secretList')[copyIndex()].attributesExp), createObject('value', -1))]", "attributesNbf": "[if(contains(variables('secretList')[copyIndex()], 'attributesNbf'), createObject('value', variables('secretList')[copyIndex()].attributesNbf), createObject('value', -1))]", "contentType": "[if(contains(variables('secretList')[copyIndex()], 'contentType'), createObject('value', variables('secretList')[copyIndex()].contentType), createObject('value', ''))]", - "tags": "[if(contains(variables('secretList')[copyIndex()], 'tags'), createObject('value', variables('secretList')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(variables('secretList')[copyIndex()], 'tags'), parameters('tags'))]" + }, "roleAssignments": "[if(contains(variables('secretList')[copyIndex()], 'roleAssignments'), createObject('value', variables('secretList')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" @@ -816,7 +818,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "829178043317702363" + "templateHash": "3223693327720603920" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -905,7 +907,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } 
@@ -1094,7 +1096,9 @@ "keyOps": "[if(contains(parameters('keys')[copyIndex()], 'keyOps'), createObject('value', parameters('keys')[copyIndex()].keyOps), createObject('value', createArray()))]", "keySize": "[if(contains(parameters('keys')[copyIndex()], 'keySize'), createObject('value', parameters('keys')[copyIndex()].keySize), createObject('value', -1))]", "kty": "[if(contains(parameters('keys')[copyIndex()], 'kty'), createObject('value', parameters('keys')[copyIndex()].kty), createObject('value', 'EC'))]", - "tags": "[if(contains(parameters('keys')[copyIndex()], 'tags'), createObject('value', parameters('keys')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('keys')[copyIndex()], 'tags'), parameters('tags'))]" + }, "roleAssignments": "[if(contains(parameters('keys')[copyIndex()], 'roleAssignments'), createObject('value', parameters('keys')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" @@ -1109,7 +1113,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15473816229466025012" + "templateHash": "2953672245031093442" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -1198,7 +1202,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index 46608a5240..93ae0de35b 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md @@ -163,7 +163,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `value` 
diff --git a/modules/key-vault/vault/secret/main.bicep b/modules/key-vault/vault/secret/main.bicep index e20b690b6f..a8c2c954d7 100644 --- a/modules/key-vault/vault/secret/main.bicep +++ b/modules/key-vault/vault/secret/main.bicep @@ -9,7 +9,7 @@ param keyVaultName string param name string @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true diff --git a/modules/key-vault/vault/secret/main.json b/modules/key-vault/vault/secret/main.json index 18a714a470..58bf08f760 100644 --- a/modules/key-vault/vault/secret/main.json +++ b/modules/key-vault/vault/secret/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "829178043317702363" + "templateHash": "3223693327720603920" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -95,7 +95,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index c1fd8389ad..f1190e77fd 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -571,7 +571,6 @@ The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `triggersAccessControlConfiguration` diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index 42d7ede88b..825fc736ca 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep 
@@ -53,7 +53,7 @@ param roleAssignments roleAssignmentType param state string = 'Enabled' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The access control configuration for invoking workflow triggers.') param triggersAccessControlConfiguration object = {} diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index fe4b5ccdc9..da07232a4d 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16480420514715732092" + "templateHash": "14033195005173426271" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", @@ -338,7 +338,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 7432a94b53..e5915c0e53 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -1098,7 +1098,6 @@ Specifies the SKU, also referred as 'edition' of the Azure Machine Learning work Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 0e8ebdd101..6970b0eab7 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md 
@@ -162,7 +162,6 @@ Specifies the sku, also referred as "edition". Required for creating a compute r Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep index c71f7bc3a0..cb38e22d3e 100644 --- a/modules/machine-learning-services/workspace/compute/main.bicep +++ b/modules/machine-learning-services/workspace/compute/main.bicep @@ -30,7 +30,7 @@ param location string = resourceGroup().location param sku string = '' @sys.description('Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID.') -param tags object = {} +param tags object? @sys.description('Optional. Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists.') param deployCompute bool = true diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json index c99c3b896e..6926b95f8a 100644 --- a/modules/machine-learning-services/workspace/compute/main.json +++ b/modules/machine-learning-services/workspace/compute/main.json @@ -75,7 +75,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID." } @@ -231,4 +231,4 @@ "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" } } -} \ No newline at end of file +} 
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index b8595ee7a5..59ba8665c4 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep @@ -51,7 +51,7 @@ param privateEndpoints privateEndpointType param computes array = [] @sys.description('Optional. Resource tags.') -param tags object = {} +param tags object? @sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index e136bfc925..237cec9f6b 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3846104626867448215" + "templateHash": "1113315079349561542" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -474,7 +474,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } @@ -773,7 +773,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12092776287732059217" + "templateHash": "4219662265444129565" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", 
@@ -842,7 +842,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID." } diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index c30dd213ec..66a31f66ed 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -410,7 +410,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Gets or sets tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `visibility` diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep index 7d90624ab9..e7e84e9106 100644 --- a/modules/maintenance/maintenance-configuration/main.bicep +++ b/modules/maintenance/maintenance-configuration/main.bicep @@ -42,7 +42,7 @@ param namespace string = '' param roleAssignments roleAssignmentType @description('Optional. Gets or sets tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Gets or sets the visibility of the configuration. The default value is \'Custom\'.') @allowed([ diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json index 33019922ee..4dc124f346 100644 --- a/modules/maintenance/maintenance-configuration/main.json +++ b/modules/maintenance/maintenance-configuration/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8241237134482664102" + "templateHash": "14384863342174130916" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration.", 
@@ -176,7 +176,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Gets or sets tags of the resource." } diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index 1779464ca7..c2fdf977aa 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -317,7 +317,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index 1b1a737132..16903d6423 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep @@ -18,7 +18,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index 590f927f11..4e8baa2ed8 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10195612761440584932" + "templateHash": "1438876956443234621" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", @@ -141,7 +141,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index 38a316bf45..5eeb4f4871 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -750,7 +750,6 @@ Required if domainName is specified. NetBIOS name of the SMB server. A computer Tags for all resources. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index f69ec8cc8c..bdeec9f849 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md @@ -182,7 +182,6 @@ Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (valu Tags for all resources. - Required: No - Type: object -- Default: `{object}` ### Parameter: `volumes` diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep index c2b88a88d3..8b1910526a 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/main.bicep @@ -12,7 +12,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags for all resources.') -param tags object = {} +param tags object? @description('Optional. The pool service level.') @allowed([ diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json index 31a073b294..0582a97c81 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.json +++ b/modules/net-app/net-app-account/capacity-pool/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14242430981421830183" + "templateHash": "5973731463189380166" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -102,7 +102,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep index ffd5558bf5..4017285445 100644 --- a/modules/net-app/net-app-account/main.bicep +++ b/modules/net-app/net-app-account/main.bicep @@ -40,7 +40,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Tags for all resources.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -131,7 +131,7 @@ module netAppAccount_capacityPools 'capacity-pool/main.bicep' = [for (capacityPo coolAccess: contains(capacityPool, 'coolAccess') ? capacityPool.coolAccess : false roleAssignments: contains(capacityPool, 'roleAssignments') ? capacityPool.roleAssignments : [] encryptionType: contains(capacityPool, 'encryptionType') ? capacityPool.encryptionType : 'Single' - tags: contains(capacityPool, 'tags') ? capacityPool.tags : {} + tags: capacityPool.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json index bba591714a..d6885dabd4 100644 --- a/modules/net-app/net-app-account/main.json +++ b/modules/net-app/net-app-account/main.json 
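Review bot: `tags: capacityPool.?tags ?? tags` in the `@@ -131` hunk silently switches capacity pools from an empty tag set to inheriting the account's `tags` whenever the pool object omits them, and since `??` only triggers on null, a pool that must stay untagged now has to pass `tags: {}` explicitly. The capacity-pool module describes its own parameter as "Tags for all resources", so a reader may assume the inherited tags also reach the pool's volumes; whether that happens is decided inside the capacity-pool module, outside this hunk, and is not shown by the commit. I would document the fallback on the `capacityPools` parameter description (outside this hunk): `@description('Optional. Capacity pools to create. Pools inherit the account tags unless they specify their own; pass an empty object to opt out.')`.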
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17236803464512744934" + "templateHash": "11827894918755245507" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", @@ -203,7 +203,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } @@ -332,7 +332,9 @@ "coolAccess": "[if(contains(parameters('capacityPools')[copyIndex()], 'coolAccess'), createObject('value', parameters('capacityPools')[copyIndex()].coolAccess), createObject('value', false()))]", "roleAssignments": "[if(contains(parameters('capacityPools')[copyIndex()], 'roleAssignments'), createObject('value', parameters('capacityPools')[copyIndex()].roleAssignments), createObject('value', createArray()))]", "encryptionType": "[if(contains(parameters('capacityPools')[copyIndex()], 'encryptionType'), createObject('value', parameters('capacityPools')[copyIndex()].encryptionType), createObject('value', 'Single'))]", - "tags": "[if(contains(parameters('capacityPools')[copyIndex()], 'tags'), createObject('value', parameters('capacityPools')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('capacityPools')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -345,7 +347,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14242430981421830183" + "templateHash": "5973731463189380166" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -441,7 +443,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for all resources." } 
diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index 97b54c1336..368139a3d1 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -194,7 +194,6 @@ The PolicySettings for policy. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.bicep b/modules/network/application-gateway-web-application-firewall-policy/main.bicep index d1592bfe16..d59777c07c 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/main.bicep +++ b/modules/network/application-gateway-web-application-firewall-policy/main.bicep @@ -9,7 +9,7 @@ param name string param location string = resourceGroup().location @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.json b/modules/network/application-gateway-web-application-firewall-policy/main.json index 9c0a3caeb5..160f4e7b60 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/main.json +++ b/modules/network/application-gateway-web-application-firewall-policy/main.json 
@@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1301728261383253712" + "templateHash": "5940192377706231381" }, "name": "Application Gateway Web Application Firewall (WAF) Policies", "description": "This module deploys an Application Gateway Web Application Firewall (WAF) Policy.", @@ -27,7 +28,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } @@ -61,8 +62,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -76,7 +77,7 @@ } } }, - { + "applicationGatewayWAFPolicy": { "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", "apiVersion": "2022-11-01", "name": "[parameters('name')]", @@ -88,7 +89,7 @@ "policySettings": "[parameters('policySettings')]" } } - ], + }, "outputs": { "name": { "type": "string", @@ -116,7 +117,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', parameters('name')), '2022-11-01', 'full').location]" + "value": "[reference('applicationGatewayWAFPolicy', '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 88340aa660..920ca3d003 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -1674,7 +1674,6 @@ SSL profiles of the application gateway resource. Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `trustedClientCertificates` 
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 32ab52f5e2..1eb87c7cb8 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep @@ -199,7 +199,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits).') param backendSettingsCollection array = [] diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index 60170cfa02..6fbae8639c 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9820071049711446778" + "templateHash": "11405752898435177586" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", @@ -722,7 +722,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 8dc312de2b..ad28b030eb 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -253,7 +253,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep index 45732a77c4..3a60c91a26 100644 
--- a/modules/network/application-security-group/main.bicep +++ b/modules/network/application-security-group/main.bicep @@ -15,7 +15,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json index a8c2e42829..f6b82ac527 100644 --- a/modules/network/application-security-group/main.json +++ b/modules/network/application-security-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1514656226322598076" + "templateHash": "5654528138086993351" }, "name": "Application Security Groups (ASG)", "description": "This module deploys an Application Security Group (ASG).", @@ -133,7 +133,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 8254d064ea..cda3fedb91 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md 
@@ -774,14 +774,13 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
-| [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managementIPAddressObject`](#parameter-managementipaddressobject) | object | Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. |
 | [`managementIPResourceID`](#parameter-managementipresourceid) | string | The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet. |
 | [`natRuleCollections`](#parameter-natrulecollections) | array | Collection of NAT rule collections used by Azure Firewall. |
 | [`networkRuleCollections`](#parameter-networkrulecollections) | array | Collection of network rule collections used by Azure Firewall. |
-| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name. 
|
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. |
 | [`publicIPResourceID`](#parameter-publicipresourceid) | string | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | [`tags`](#parameter-tags) | object | Tags of the Azure Firewall resource. |
@@ -946,13 +945,6 @@ IP addresses associated with AzureFirewall. Required if `virtualHubId` is suppli
 - Type: object
 - Default: `{object}`
-### Parameter: `isCreateDefaultPublicIP`
-
-Specifies if a Public IP should be created by default if one is not provided.
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `location`
 Location for all resources.
@@ -1023,7 +1015,7 @@ Collection of network rule collections used by Azure Firewall.
 ### Parameter: `publicIPAddressObject`
-Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name.
+Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided.
 - Required: No
 - Type: object
 - Default: `{object}`
@@ -1108,7 +1100,6 @@ Required. The name of the role to assign. If it cannot be found you can specify
 Tags of the Azure Firewall resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `threatIntelMode`
diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep
index 2f019d752e..972abf72ac 100644
--- a/modules/network/azure-firewall/main.bicep
+++ b/modules/network/azure-firewall/main.bicep
@@ -22,11 +22,10 @@ param publicIPResourceID string = ''
 @description('Optional. This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration.')
 param additionalPublicIpConfigurations array = []
-@description('Optional. Specifies if a Public IP should be created by default if one is not provided.')
-param isCreateDefaultPublicIP bool = true
-
-@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Firewall. If it\'s not provided and publicIPResourceID is empty, a \'-pip\' suffix will be appended to the Firewall\'s name.')
-param publicIPAddressObject object = {}
+@description('Optional. Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided.')
+param publicIPAddressObject object = {
+ name: '${name}-pip'
+}
 @description('Optional. The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet.')
 param managementIPResourceID string = ''
@@ -80,7 +79,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the Azure Firewall resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -93,7 +92,7 @@ var isCreateDefaultManagementIP = empty(managementIPResourceID) && requiresManag
 // Prep ipConfigurations object AzureFirewallSubnet for different uses cases:
 // 1. Use existing Public IP
 // 2. Use new Public IP created in this module
-// 3. Do not use a Public IP if isCreateDefaultPublicIP is false
+// 3. Do not use a Public IP if publicIPAddressObject is empty
 var additionalPublicIpConfigurationsVar = [for ipConfiguration in additionalPublicIpConfigurations: {
 name: ipConfiguration.name
@@ -103,26 +102,19 @@ var additionalPublicIpConfigurationsVar = [for ipConfiguration in additionalPubl
 } : null
 }
 }]
-var subnetVar = {
- subnet: {
- id: '${vNetId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet
- }
-}
-var existingPip = {
- publicIPAddress: {
- id: publicIPResourceID
- }
-}
-var newPip = {
- publicIPAddress: (empty(publicIPResourceID) && isCreateDefaultPublicIP) ? {
- id: publicIPAddress.outputs.resourceId
- } : null
-}
 var ipConfigurations = concat([
 {
 name: !empty(publicIPResourceID) ? last(split(publicIPResourceID, '/')) : publicIPAddress.outputs.name
- //Use existing Public IP, new Public IP created in this module, or none if isCreateDefaultPublicIP is false
- properties: union(subnetVar, !empty(publicIPResourceID) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
+ properties: union({
+ subnet: {
+ id: '${vNetId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet
+ }
+ }, (!empty(publicIPResourceID) || !empty(publicIPAddressObject)) ? {
+ //Use existing Public IP, new Public IP created in this module, or none if neither
+ publicIPAddress: {
+ id: !empty(publicIPResourceID) ? publicIPResourceID : publicIPAddress.outputs.resourceId
+ }
+ } : {})
 }
 ], additionalPublicIpConfigurationsVar)
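Review bot: The new case `// 3. Do not use a Public IP if publicIPAddressObject is empty` cannot actually be taken: `publicIPAddressObject` now defaults to `{ name: '${name}-pip' }`, and if a caller passes `{}` to opt out, the `publicIPAddress` module in hunk `@@ -176,11 +161,10` is still deployed (its condition only checks `publicIPResourceID` and the SKU) with `name: publicIPAddressObject.name`, which should fail at deployment time on the missing property, whereas the removed `isCreateDefaultPublicIP` flag did allow a firewall without a module-created public IP. If that opt-out is meant to survive, extend the module condition to `if (empty(publicIPResourceID) && !empty(publicIPAddressObject) && azureSkuName == 'AZFW_VNet')` and read the name as `name: publicIPAddressObject.?name ?? '${name}-pip'`; otherwise drop case 3 from the comment and the `!empty(publicIPAddressObject)` term from the `union` guard so the template does not advertise an option it cannot honour. Either way, callers that previously set `isCreateDefaultPublicIP: false` will now get a public IP provisioned, which is worth calling out as a behavioural change in the module description.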
@@ -131,25 +123,18 @@ var ipConfigurations = concat([
 // 1. Use existing Management Public IP
 // 2. Use new Management Public IP created in this module
-var managementSubnetVar = {
- subnet: {
- id: '${vNetId}/subnets/AzureFirewallManagementSubnet' // The subnet name must be AzureFirewallManagementSubnet for a 'Basic' SKU tier firewall
- }
-}
-var existingMip = {
- publicIPAddress: {
- id: managementIPResourceID
- }
-}
-var newMip = {
- publicIPAddress: empty(managementIPResourceID) && isCreateDefaultManagementIP ? {
- id: managementIPAddress.outputs.resourceId
- } : null
-}
 var managementIPConfiguration = {
 name: !empty(managementIPResourceID) ? last(split(managementIPResourceID, '/')) : managementIPAddress.outputs.name
- //Use existing Management Public IP, new Management Public IP created in this module, or none if isCreateDefaultManagementIP is false
- properties: union(managementSubnetVar, !empty(managementIPResourceID) ? existingMip : {}, (isCreateDefaultManagementIP ? newMip : {}))
+ properties: union({
+ subnet: {
+ id: '${vNetId}/subnets/AzureFirewallManagementSubnet' // The subnet name must be AzureFirewallManagementSubnet for a 'Basic' SKU tier firewall
+ }
+ }, (!empty(publicIPResourceID) || !empty(managementIPAddressObject)) ? {
+ // Use existing Management Public IP, new Management Public IP created in this module, or none if neither
+ publicIPAddress: {
+ id: !empty(managementIPResourceID) ? managementIPResourceID : managementIPAddress.outputs.resourceId
+ }
+ } : {})
 }
 // ----------------------------------------------------------------------------
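Review bot: The guard on the management `union` tests `publicIPResourceID` instead of `managementIPResourceID`, which reads as a copy-and-paste slip from the `ipConfigurations` block above: with a `managementIPResourceID` supplied, no `publicIPResourceID`, and `managementIPAddressObject` at its (presumably empty) default, the `publicIPAddress` entry is omitted and the Basic-tier firewall is submitted with a management IP configuration that carries only a subnet. The same expression was compiled into `main.json` as the `or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('managementIPAddressObject'))))` term of the firewall's `properties`. Suggest `}, (!empty(managementIPResourceID) || isCreateDefaultManagementIP) ? {` so the guard mirrors the condition under which the `managementIPAddress` module is deployed, and then regenerate `main.json`.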
@@ -176,11 +161,10 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-// create a Public IP address if one is not provided and the flag is true
-module publicIPAddress '../../network/public-ip-address/main.bicep' = if (empty(publicIPResourceID) && isCreateDefaultPublicIP && azureSkuName == 'AZFW_VNet') {
+module publicIPAddress '../../network/public-ip-address/main.bicep' = if (empty(publicIPResourceID) && azureSkuName == 'AZFW_VNet') {
 name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
 params: {
- name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip'
+ name: publicIPAddressObject.name
 publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? publicIPAddressObject.publicIPPrefixResourceId : '') : ''
 publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static'
 skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'
@@ -189,14 +173,14 @@ module publicIPAddress '../../network/public-ip-address/main.bicep' = if (empty(
 diagnosticSettings: publicIPAddressObject.?diagnosticSettings
 location: location
 lock: lock
- tags: tags
+ tags: publicIPAddressObject.?tags ?? tags
 zones: zones
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }
 // create a Management Public IP address if one is not provided and the flag is true
-module managementIPAddress '../../network/public-ip-address/main.bicep' = if (empty(managementIPResourceID) && isCreateDefaultManagementIP && azureSkuName == 'AZFW_VNet') {
+module managementIPAddress '../../network/public-ip-address/main.bicep' = if (isCreateDefaultManagementIP && azureSkuName == 'AZFW_VNet') {
 name: '${uniqueString(deployment().name, location)}-Firewall-MIP'
 params: {
 name: contains(managementIPAddressObject, 'name') ? (!(empty(managementIPAddressObject.name)) ? managementIPAddressObject.name : '${name}-mip') : '${name}-mip'
@@ -207,7 +191,7 @@ module managementIPAddress '../../network/public-ip-address/main.bicep' = if (em
 roleAssignments: contains(managementIPAddressObject, 'roleAssignments') ? (!empty(managementIPAddressObject.roleAssignments) ? managementIPAddressObject.roleAssignments : []) : []
 diagnosticSettings: managementIPAddressObject.?diagnosticSettings
 location: location
- tags: tags
+ tags: managementIPAddressObject.?tags ?? tags
 zones: zones
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
@@ -245,10 +229,6 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
 id: virtualHubId
 } : null
 }
- dependsOn: [
- publicIPAddress
- managementIPAddress
- ]
 }
 resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json
index aecc1a207e..786b73a652 100644
--- a/modules/network/azure-firewall/main.json
+++ b/modules/network/azure-firewall/main.json
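Review bot: The context line `// create a Management Public IP address if one is not provided and the flag is true` above the `managementIPAddress` module is now stale: the new condition `isCreateDefaultManagementIP && azureSkuName == 'AZFW_VNet'` is derived from the SKU tier and from whether `managementIPResourceID` was supplied, and no caller-facing flag remains after `isCreateDefaultPublicIP` was removed. Suggest `// create a Management Public IP address if none is provided and the 'Basic' tier requires one`. Dropping the explicit `dependsOn` in the `@@ -245,10 +229,6` hunk looks safe, since `ipConfigurations` and `managementIPConfiguration` still reference the modules' outputs and the compiled `main.json` keeps both entries in the firewall resource's `dependsOn`.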
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1602793414373969673" + "templateHash": "3800476164049795980" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", @@ -251,18 +251,13 @@ "description": "Optional. This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration." } }, - "isCreateDefaultPublicIP": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies if a Public IP should be created by default if one is not provided." - } - }, "publicIPAddressObject": { "type": "object", - "defaultValue": {}, + "defaultValue": { + "name": "[format('{0}-pip', parameters('name'))]" + }, "metadata": { - "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPResourceID is empty, a '-pip' suffix will be appended to the Firewall's name." + "description": "Optional. Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided." } }, "managementIPResourceID": { @@ -371,7 +366,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Azure Firewall resource." } 
@@ -400,26 +395,6 @@ "azureSkuName": "[if(empty(parameters('vNetId')), 'AZFW_Hub', 'AZFW_VNet')]", "requiresManagementIp": "[if(equals(parameters('azureSkuTier'), 'Basic'), true(), false())]", "isCreateDefaultManagementIP": "[and(empty(parameters('managementIPResourceID')), variables('requiresManagementIp'))]", - "subnetVar": { - "subnet": { - "id": "[format('{0}/subnets/AzureFirewallSubnet', parameters('vNetId'))]" - } - }, - "existingPip": { - "publicIPAddress": { - "id": "[parameters('publicIPResourceID')]" - } - }, - "managementSubnetVar": { - "subnet": { - "id": "[format('{0}/subnets/AzureFirewallManagementSubnet', parameters('vNetId'))]" - } - }, - "existingMip": { - "publicIPAddress": { - "id": "[parameters('managementIPResourceID')]" - } - }, "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 
@@ -451,7 +426,7 @@ "location": "[parameters('location')]", "zones": "[if(equals(length(parameters('zones')), 0), null(), parameters('zones'))]", "tags": "[parameters('tags')]", - "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(variables('subnetVar'), if(not(empty(parameters('publicIPResourceID'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), createObject('id', reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(variables('managementSubnetVar'), if(not(empty(parameters('managementIPResourceID'))), variables('existingMip'), createObject()), if(variables('isCreateDefaultManagementIP'), createObject('publicIPAddress', if(and(empty(parameters('managementIPResourceID')), variables('isCreateDefaultManagementIP')), createObject('id', reference('managementIPAddress').outputs.resourceId.value), null())), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', 
parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", + "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallSubnet', parameters('vNetId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('publicIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('publicIPResourceID'))), parameters('publicIPResourceID'), reference('publicIPAddress').outputs.resourceId.value))), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallManagementSubnet', parameters('vNetId')))), if(or(not(empty(parameters('publicIPResourceID'))), 
not(empty(parameters('managementIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('managementIPResourceID'))), parameters('managementIPResourceID'), reference('managementIPAddress').outputs.resourceId.value))), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", "dependsOn": [ "managementIPAddress", "publicIPAddress" @@ -517,7 +492,7 @@ ] }, "publicIPAddress": { - "condition": "[and(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", + "condition": "[and(empty(parameters('publicIPResourceID')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))]", 
@@ -527,7 +502,9 @@ }, "mode": "Incremental", "parameters": { - "name": "[if(contains(parameters('publicIPAddressObject'), 'name'), if(not(empty(parameters('publicIPAddressObject').name)), createObject('value', parameters('publicIPAddressObject').name), createObject('value', format('{0}-pip', parameters('name')))), createObject('value', format('{0}-pip', parameters('name'))))]", + "name": { + "value": "[parameters('publicIPAddressObject').name]" + }, "publicIPPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), if(not(empty(parameters('publicIPAddressObject').publicIPPrefixResourceId)), createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', '')), createObject('value', ''))]", "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), if(not(empty(parameters('publicIPAddressObject').publicIPAllocationMethod)), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static')), createObject('value', 'Static'))]", "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), if(not(empty(parameters('publicIPAddressObject').skuName)), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", @@ -543,7 +520,7 @@ "value": "[parameters('lock')]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" }, "zones": { "value": "[parameters('zones')]" @@ -560,7 +537,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -899,7 +876,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." }
@@ -1051,7 +1028,7 @@ } }, "managementIPAddress": { - "condition": "[and(and(empty(parameters('managementIPResourceID')), variables('isCreateDefaultManagementIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", + "condition": "[and(variables('isCreateDefaultManagementIP'), equals(variables('azureSkuName'), 'AZFW_VNet'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-Firewall-MIP', uniqueString(deployment().name, parameters('location')))]",
@@ -1074,7 +1051,7 @@ "value": "[parameters('location')]" }, "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('managementIPAddressObject'), 'tags'), parameters('tags'))]" }, "zones": { "value": "[parameters('zones')]"
@@ -1091,7 +1068,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.",
@@ -1430,7 +1407,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." }
diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md
index 3ae0c7066a..e0c9205ba4 100644
--- a/modules/network/bastion-host/README.md
+++ b/modules/network/bastion-host/README.md
@@ -373,10 +373,9 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
 | [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. |
 | [`enableKerberos`](#parameter-enablekerberos) | bool | Choose to disable or enable Kerberos authentication. |
 | [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. |
-| [`isCreateDefaultPublicIP`](#parameter-iscreatedefaultpublicip) | bool | Specifies if a Public IP should be created by default if one is not provided. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. |
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. |
 | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. |
@@ -526,13 +525,6 @@ Choose to disable or enable Shareable Link.
 - Type: bool
 - Default: `False`
-### Parameter: `isCreateDefaultPublicIP`
-
-Specifies if a Public IP should be created by default if one is not provided.
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `location`
 Location for all resources.
@@ -575,7 +567,7 @@ Name of the Azure Bastion resource.
 ### Parameter: `publicIPAddressObject`
-Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name.
+Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.
 - Required: No
 - Type: object
 - Default: `{object}`
@@ -668,7 +660,6 @@ The SKU of this Bastion Host.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `vNetId`
diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep
index 82f6b39350..2761e76455 100644
--- a/modules/network/bastion-host/main.bicep
+++ b/modules/network/bastion-host/main.bicep
@@ -14,11 +14,10 @@ param vNetId string
 @description('Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.')
 param bastionSubnetPublicIpResourceId string = ''
-@description('Optional. Specifies if a Public IP should be created by default if one is not provided.')
-param isCreateDefaultPublicIP bool = true
-
-@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressResourceId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.')
-param publicIPAddressObject object = {}
+@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.')
+param publicIPAddressObject object = {
+ name: '${name}-pip'
+}
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingType
@@ -55,41 +54,28 @@ param scaleUnits int = 2
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var enableTunneling = skuName == 'Standard' ? true : null
-
-var scaleUnitsVar = skuName == 'Basic' ? 2 : scaleUnits
-
 // ----------------------------------------------------------------------------
 // Prep ipConfigurations object AzureBastionSubnet for different uses cases:
 // 1. Use existing Public IP
 // 2. Use new Public IP created in this module
-// 3. Do not use a Public IP if isCreateDefaultPublicIP is false
-var subnetVar = {
- subnet: {
- id: '${vNetId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet
- }
-}
-var existingPip = {
- publicIPAddress: {
- id: bastionSubnetPublicIpResourceId
- }
-}
-var newPip = {
- publicIPAddress: (empty(bastionSubnetPublicIpResourceId) && isCreateDefaultPublicIP) ? {
- id: publicIPAddress.outputs.resourceId
- } : null
-}
-
 var ipConfigurations = [
 {
 name: 'IpConfAzureBastionSubnet'
- //Use existing Public IP, new Public IP created in this module, or none if isCreateDefaultPublicIP is false
- properties: union(subnetVar, !empty(bastionSubnetPublicIpResourceId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
+ properties: union({
+ subnet: {
+ id: '${vNetId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet
+ }
+ }, {
+ //Use existing Public IP, new Public IP created in this module
+ publicIPAddress: {
+ id: !empty(bastionSubnetPublicIpResourceId) ? bastionSubnetPublicIpResourceId : publicIPAddress.outputs.resourceId
+ }
+ })
 }
 ]
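Review bot: `var enableTunneling` and `var scaleUnitsVar` are removed here, but the `bastionHost` resource that presumably consumed them lies outside the hunk and the regenerated `main.json` for this module is not part of the visible diff; confirm the resource now derives those values inline from `skuName`, otherwise the template no longer compiles. The `union` now attaches a `publicIPAddress` unconditionally, which is consistent with the header comment listing only the existing-or-new cases; the context line `different uses cases` could read `different use cases` the next time the file is touched.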
@@ -98,48 +84,11 @@ var enableReferencedModulesTelemetry = false
 
 // ----------------------------------------------------------------------------
 var builtInRoleNames = {
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Center for SAP solutions administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')
- 'Azure Center for SAP solutions reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')
- 'Azure Center for SAP solutions service role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
- 'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'DNS Resolver Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')
- 'DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
- 'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
- 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
- 'Domain Services Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')
- 'LocalNGFirewallAdministrator role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
 Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
 Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
- 'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
- 'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
- 'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
- 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
- 'Traffic Manager Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
 }
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (enableDefaultTelemetry) {
@@ -154,10 +103,10 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena
 }
 }
 
-module publicIPAddress '../public-ip-address/main.bicep' = if (empty(bastionSubnetPublicIpResourceId) && isCreateDefaultPublicIP) {
+module publicIPAddress '../public-ip-address/main.bicep' = if (empty(bastionSubnetPublicIpResourceId)) {
 name: '${uniqueString(deployment().name, location)}-Bastion-PIP'
 params: {
- name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip'
+ name: publicIPAddressObject.name
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: location
 lock: lock
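Review bot: Trimming `builtInRoleNames` to roles that make sense at bastion-host scope is a sound least-privilege cleanup, but `Network Contributor` was removed along with the unrelated roles, and it is the built-in role one would most expect to assign on a `Microsoft.Network/bastionHosts` resource. The role-assignment resource that consumes this map lies outside the hunk; if it resolves unknown names by falling back to the raw value, a caller passing the display name would presumably now get a malformed role definition ID at deploy time rather than a clear error. Consider keeping `'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')` in the map, or documenting on `roleAssignments` that only the five remaining names are resolved.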
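Review bot: `name: publicIPAddressObject.name` now hard-requires the `name` key, whereas the line it replaces fell back to `'${name}-pip'` when the key was absent; because a caller-supplied `publicIPAddressObject` replaces the parameter default rather than merging with it, any caller that passes the object without `name` (to set e.g. `skuName` or `zones`) now fails. Keep the fallback using the safe-dereference form this same module adopts for tags a few lines further down: `name: publicIPAddressObject.?name ?? '${name}-pip'`. The `params` block of the `publicIPAddress` module continues past the end of this hunk.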
@@ -168,25 +117,23 @@ module publicIPAddress '../public-ip-address/main.bicep' = if (empty(bastionSubn roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : [] skuName: contains(publicIPAddressObject, 'skuName') ? publicIPAddressObject.skuName : 'Standard' skuTier: contains(publicIPAddressObject, 'skuTier') ? publicIPAddressObject.skuTier : 'Regional' - tags: tags + tags: publicIPAddressObject.?tags ?? tags zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : [] } } -var bastionpropertiesVar = skuName == 'Standard' ? { - scaleUnits: scaleUnitsVar - ipConfigurations: ipConfigurations - enableTunneling: enableTunneling - disableCopyPaste: disableCopyPaste - enableFileCopy: enableFileCopy - enableIpConnect: enableIpConnect - enableKerberos: enableKerberos - enableShareableLink: enableShareableLink -} : { - scaleUnits: scaleUnitsVar - ipConfigurations: ipConfigurations - enableKerberos: enableKerberos -} +var bastionpropertiesVar = union({ + scaleUnits: skuName == 'Basic' ? 2 : scaleUnits + ipConfigurations: ipConfigurations + enableKerberos: enableKerberos + }, (skuName == 'Standard' ? { + enableTunneling: skuName == 'Standard' + disableCopyPaste: disableCopyPaste + enableFileCopy: enableFileCopy + enableIpConnect: enableIpConnect + enableShareableLink: enableShareableLink + } : {}) +) resource azureBastion 'Microsoft.Network/bastionHosts@2022-11-01' = { name: name diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json index 1c89cc7c02..a5fd8c192b 100644 --- a/modules/network/bastion-host/main.json +++ b/modules/network/bastion-host/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10859343620661687019" + "templateHash": "387274338478290784" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", 
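Review bot: In `bastionpropertiesVar`, `enableTunneling: skuName == 'Standard'` sits inside the branch that is only taken when `skuName == 'Standard'`, so the expression is always `true`; `enableTunneling: true` states the intent and drops the redundant `equals()` that the compiled `main.json` in this commit still carries. The same `params` block now mixes the new `tags: publicIPAddressObject.?tags ?? tags` with the older `contains(publicIPAddressObject, 'skuName') ? publicIPAddressObject.skuName : 'Standard'` style on the adjacent lines; converting those to the `.?`/`??` form would make the override handling uniform. A short comment on the `union()` noting that the copy/paste, file-copy, IP-connect and shareable-link toggles are deliberately omitted for the Basic SKU (because the API rejects them there, if that is the reason) would spare the next reader from re-deriving it.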
@@ -220,18 +220,13 @@ "description": "Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet." } }, - "isCreateDefaultPublicIP": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies if a Public IP should be created by default if one is not provided." - } - }, "publicIPAddressObject": { "type": "object", - "defaultValue": {}, + "defaultValue": { + "name": "[format('{0}-pip', parameters('name'))]" + }, "metadata": { - "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name." + "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided." } }, "diagnosticSettings": { @@ -307,7 +302,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -321,62 +316,13 @@ } }, "variables": { - "enableTunneling": "[if(equals(parameters('skuName'), 'Standard'), true(), null())]", - "scaleUnitsVar": "[if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits'))]", - "subnetVar": { - "subnet": { - "id": "[format('{0}/subnets/AzureBastionSubnet', parameters('vNetId'))]" - } - }, - "existingPip": { - "publicIPAddress": { - "id": "[parameters('bastionSubnetPublicIpResourceId')]" - } - }, "enableReferencedModulesTelemetry": false, "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring 
Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { 
@@ -403,7 +349,7 @@ "sku": { "name": "[parameters('skuName')]" }, - "properties": "[if(equals(parameters('skuName'), 'Standard'), createObject('scaleUnits', variables('scaleUnitsVar'), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), 'enableTunneling', variables('enableTunneling'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableKerberos', parameters('enableKerberos'), 'enableShareableLink', parameters('enableShareableLink')), createObject('scaleUnits', variables('scaleUnitsVar'), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(variables('subnetVar'), if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP')), createObject('id', reference('publicIPAddress').outputs.resourceId.value), null())), createObject())))), 'enableKerberos', parameters('enableKerberos')))]", + "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('vNetId')))), createObject('publicIPAddress', 
createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", "dependsOn": [ "publicIPAddress" ] @@ -467,7 +413,7 @@ ] }, "publicIPAddress": { - "condition": "[and(empty(parameters('bastionSubnetPublicIpResourceId')), parameters('isCreateDefaultPublicIP'))]", + "condition": "[empty(parameters('bastionSubnetPublicIpResourceId'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))]", @@ -477,7 +423,9 @@ }, "mode": "Incremental", "parameters": { - "name": "[if(contains(parameters('publicIPAddressObject'), 'name'), createObject('value', parameters('publicIPAddressObject').name), createObject('value', format('{0}-pip', parameters('name'))))]", + "name": { + "value": "[parameters('publicIPAddressObject').name]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, 
@@ -497,7 +445,7 @@ "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard'))]", "skuTier": "[if(contains(parameters('publicIPAddressObject'), 'skuTier'), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional'))]", "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" }, "zones": "[if(contains(parameters('publicIPAddressObject'), 'zones'), createObject('value', parameters('publicIPAddressObject').zones), createObject('value', createArray()))]" }, @@ -509,7 +457,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -848,7 +796,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index f43ea0a938..cc392ea1ae 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -297,7 +297,6 @@ The weight added to routes learned from this BGP speaker. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `useLocalAzureIpAddress` diff --git a/modules/network/connection/main.bicep b/modules/network/connection/main.bicep index 0cdd0d0a83..9668f3762c 100644 --- a/modules/network/connection/main.bicep +++ b/modules/network/connection/main.bicep 
@@ -75,7 +75,7 @@ param routingWeight int = -1 param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/connection/main.json b/modules/network/connection/main.json index 1166323e83..06b806ec90 100644 --- a/modules/network/connection/main.json +++ b/modules/network/connection/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10325872136554369855" + "templateHash": "12513996667923008520" }, "name": "Virtual Network Gateway Connections", "description": "This module deploys a Virtual Network Gateway Connection.", @@ -171,7 +171,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index fcb623a87a..c8ba05f4e5 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -302,7 +302,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep index 7cb5d14c7b..94e9b8b8d2 100644 --- a/modules/network/ddos-protection-plan/main.bicep +++ b/modules/network/ddos-protection-plan/main.bicep @@ -16,7 +16,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index eeeab32e03..8aaaa921fd 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4054513314022675341" + "templateHash": "10546222584302877653" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", @@ -134,7 +134,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index b846abe7d3..1010b3a887 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -374,7 +374,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vNetLinks` diff --git a/modules/network/dns-forwarding-ruleset/main.bicep b/modules/network/dns-forwarding-ruleset/main.bicep index 83781a4051..08d813c8ac 100644 --- a/modules/network/dns-forwarding-ruleset/main.bicep +++ b/modules/network/dns-forwarding-ruleset/main.bicep @@ -16,7 +16,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Required. The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers.') param dnsResolverOutboundEndpointResourceIds array diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json index fc7f737bbb..18a95ff4a7 100644 --- a/modules/network/dns-forwarding-ruleset/main.json 
+++ b/modules/network/dns-forwarding-ruleset/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6979780770360614224" + "templateHash": "606770546796558268" }, "name": "Dns Forwarding Rulesets", "description": "This template deploys an dns forwarding ruleset.", @@ -134,7 +134,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 992d53a5c0..1b22bfc083 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -280,7 +280,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualNetworkId` diff --git a/modules/network/dns-resolver/main.bicep b/modules/network/dns-resolver/main.bicep index 59c079f6d7..01824b9031 100644 --- a/modules/network/dns-resolver/main.bicep +++ b/modules/network/dns-resolver/main.bicep @@ -16,7 +16,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Required. ResourceId of the virtual network to attach the Private DNS Resolver to.') param virtualNetworkId string diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json index dbedeac136..f865583ec3 100644 --- a/modules/network/dns-resolver/main.json +++ b/modules/network/dns-resolver/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12605363186151510083" + "templateHash": "1368516182536244739" }, "name": "DNS Resolvers", "description": "This module deploys a DNS Resolver.", 
@@ -134,7 +134,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index bf589f09c1..425088daa7 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -701,7 +701,6 @@ Array of SRV records. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `txt` diff --git a/modules/network/dns-zone/main.bicep b/modules/network/dns-zone/main.bicep index 61c03dc82a..4babf6c81c 100644 --- a/modules/network/dns-zone/main.bicep +++ b/modules/network/dns-zone/main.bicep @@ -44,7 +44,7 @@ param location string = 'global' param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The lock settings of the service.') param lock lockType diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json index 735a3f2f26..588848d689 100644 --- a/modules/network/dns-zone/main.json +++ b/modules/network/dns-zone/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1680239342296037315" + "templateHash": "14383961739979857836" }, "name": "Public DNS Zones", "description": "This module deploys a Public DNS zone.", @@ -199,7 +199,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index a31e5f3969..4bd12d9edc 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md 
@@ -606,7 +606,6 @@ Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vlanId` diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep index e9dbfd0122..15ee9e0804 100644 --- a/modules/network/express-route-circuit/main.bicep +++ b/modules/network/express-route-circuit/main.bicep @@ -79,7 +79,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json index f350e468f8..bdcfd8633a 100644 --- a/modules/network/express-route-circuit/main.json +++ b/modules/network/express-route-circuit/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6885952073630597442" + "templateHash": "3204607868859274788" }, "name": "ExpressRoute Circuits", "description": "This module deploys an Express Route Circuit.", @@ -367,7 +367,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 91a977399f..60d5d55775 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -349,7 +349,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the Firewall policy resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualHubId` 
diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep index dbb6fef291..91534744a2 100644 --- a/modules/network/express-route-gateway/main.bicep +++ b/modules/network/express-route-gateway/main.bicep @@ -9,7 +9,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the Firewall policy resource.') -param tags object = {} +param tags object? @description('Optional. Configures this gateway to accept traffic from non Virtual WAN networks.') param allowNonVirtualWanTraffic bool = false diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json index 17e2edaeb5..d2746f5621 100644 --- a/modules/network/express-route-gateway/main.json +++ b/modules/network/express-route-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8352062821101863575" + "templateHash": "14898040937418721724" }, "name": "Express Route Gateways", "description": "This module deploys an Express Route Gateway.", @@ -121,7 +121,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Firewall policy resource." } diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 4e48c3b55c..fdc06817f0 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -424,7 +424,6 @@ List of specific signatures states. Tags of the Firewall policy resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `threatIntelMode` diff --git a/modules/network/firewall-policy/main.bicep b/modules/network/firewall-policy/main.bicep index 6c4a638446..d6bd78a7ec 100644 --- a/modules/network/firewall-policy/main.bicep +++ b/modules/network/firewall-policy/main.bicep 
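Review bot: The `tags` parameter whose type this hunk changes in `express-route-gateway/main.bicep` is still documented as `@description('Optional. Tags of the Firewall policy resource.')`, which looks like a copy-paste from the firewall-policy module; since the declaration is being touched, correct it to `@description('Optional. Tags of the Express Route Gateway resource.')`. The README parameter section in this commit repeats the same wording and is presumably regenerated from this description.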
@@ -9,7 +9,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the Firewall policy resource.') -param tags object = {} +param tags object? @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentitiesType diff --git a/modules/network/firewall-policy/main.json b/modules/network/firewall-policy/main.json index aa93b198e2..57d929a7eb 100644 --- a/modules/network/firewall-policy/main.json +++ b/modules/network/firewall-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "411576668957997252" + "templateHash": "14139283479148965374" }, "name": "Firewall Policies", "description": "This module deploys a Firewall Policy.", @@ -45,7 +45,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the Firewall policy resource." } diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index e92ec90d70..81f51e5a93 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -469,7 +469,6 @@ The pricing tier of the WAF profile. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep index fde3401f7c..9ba8e942e5 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.bicep +++ b/modules/network/front-door-web-application-firewall-policy/main.bicep 
@@ -18,7 +18,7 @@ param location string = 'global' param sku string = 'Standard_AzureFrontDoor' @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json index 037bc87efb..ab41c5bfa9 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.json +++ b/modules/network/front-door-web-application-firewall-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16196358261363679288" + "templateHash": "17032186144877035425" }, "name": "Front Door Web Application Firewall (WAF) Policies", "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.", @@ -134,7 +134,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 8bbd416cfb..4513ff0e12 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -846,7 +846,6 @@ Certificate name check time of the frontdoor resource. Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep index 5421adb3bb..f733e394ef 100644 --- a/modules/network/front-door/main.bicep +++ b/modules/network/front-door/main.bicep @@ -17,7 +17,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json index 5c73c7964c..633202d39a 100644 --- a/modules/network/front-door/main.json +++ b/modules/network/front-door/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10762765497515321420" + "templateHash": "2830838705545746095" }, "name": "Azure Front Doors", "description": "This module deploys an Azure Front Door.", @@ -241,7 +241,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index c81eb57f92..343b00bb29 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -320,7 +320,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Resource tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep index 7443bef583..ae0ca58c7d 100644 --- a/modules/network/ip-group/main.bicep +++ b/modules/network/ip-group/main.bicep @@ -19,7 +19,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json index 347b80b7b6..e9dc0c6cbc 100644 --- a/modules/network/ip-group/main.json +++ b/modules/network/ip-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17427239082953045444" + "templateHash": "9765196609767428090" }, "name": "IP Groups", "description": "This module deploys an IP Group.", 
@@ -141,7 +141,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 22214ac791..f372102f21 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -892,7 +892,6 @@ Name of a load balancer SKU. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep index adf7d97ea2..13908c3b92 100644 --- a/modules/network/load-balancer/main.bicep +++ b/modules/network/load-balancer/main.bicep @@ -38,7 +38,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json index 2c4512b1ec..d58ef9dcc6 100644 --- a/modules/network/load-balancer/main.json +++ b/modules/network/load-balancer/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2560193995826273246" + "templateHash": "15804132676777658588" }, "name": "Load Balancers", "description": "This module deploys a Load Balancer.", @@ -258,7 +258,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index 6c65ef5a66..6dd6bd4da7 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md 
@@ -380,7 +380,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep index d097fff9d7..9b0a6ff32a 100644 --- a/modules/network/local-network-gateway/main.bicep +++ b/modules/network/local-network-gateway/main.bicep @@ -31,7 +31,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index b3b121662c..f11208ec19 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17118988135887784728" + "templateHash": "9834860024329832524" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", @@ -167,7 +167,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 26057347be..9db81cfc91 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -432,7 +432,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags for the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zones` diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index 82b04b94a0..601fd71819 100644 --- a/modules/network/nat-gateway/main.bicep 
+++ b/modules/network/nat-gateway/main.bicep @@ -39,7 +39,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags for the resource.') -param tags object = {} +param tags object? @description('Optional. The diagnostic settings of the Public IP.') param publicIpDiagnosticSettings diagnosticSettingType diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index f44ad2173c..fbb649e498 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18393412325289801618" + "templateHash": "6841733296045395553" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", @@ -295,7 +295,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource." } @@ -466,7 +466,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -805,7 +805,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 678d9fd744..469e4b7aee 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -552,7 +552,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep index 257ea044cc..0b25219983 100644 --- a/modules/network/network-interface/main.bicep 
+++ b/modules/network/network-interface/main.bicep @@ -9,7 +9,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json index 71af44d442..9ece338c5f 100644 --- a/modules/network/network-interface/main.json +++ b/modules/network/network-interface/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8812824728238881787" + "templateHash": "6506615823435977032" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", @@ -201,7 +201,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 138f67d217..7f7d82f383 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -684,7 +684,6 @@ Security Admin Configurations, Rule Collections and Rules to create for the netw Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 45f5df3133..55507d68ee 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep @@ -17,7 +17,7 @@ param lock lockType param roleAssignments roleAssignmentType @sys.description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @maxLength(500) @sys.description('Optional. A description of the network manager.') 
diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 1f38af5d1e..28bf192614 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13647410280137569380" + "templateHash": "11982582623966534114" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", @@ -135,7 +135,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index 3c7254faa2..3aa65e8ff8 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -566,7 +566,6 @@ Array of Security Rules to deploy to the Network Security Group. When not provid Tags of the NSG resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index c0a0f46dd4..df34e44b6c 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep @@ -24,7 +24,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the NSG resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json index ec731a585b..04902fe9a1 100644 --- a/modules/network/network-security-group/main.json +++ b/modules/network/network-security-group/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6212040398427711437" + "templateHash": "16143869939725478184" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", @@ -241,7 +241,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the NSG resource." } diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index fdd4d5f38e..90da9a7ec3 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -444,7 +444,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/network-watcher/connection-monitor/README.md b/modules/network/network-watcher/connection-monitor/README.md index efd44e1102..313167cd95 100644 --- a/modules/network/network-watcher/connection-monitor/README.md +++ b/modules/network/network-watcher/connection-monitor/README.md @@ -75,7 +75,6 @@ Name of the network watcher resource. Must be in the resource group where the Fl Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `testConfigurations` diff --git a/modules/network/network-watcher/connection-monitor/main.bicep b/modules/network/network-watcher/connection-monitor/main.bicep index c150269b10..536db29611 100644 --- a/modules/network/network-watcher/connection-monitor/main.bicep +++ b/modules/network/network-watcher/connection-monitor/main.bicep @@ -9,7 +9,7 @@ param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}' param name string @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Location for all resources.') param location string = resourceGroup().location 
diff --git a/modules/network/network-watcher/connection-monitor/main.json b/modules/network/network-watcher/connection-monitor/main.json index c7df0ada6e..81a437ce7e 100644 --- a/modules/network/network-watcher/connection-monitor/main.json +++ b/modules/network/network-watcher/connection-monitor/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11763235795280157018" + "templateHash": "3258279638384899203" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", @@ -27,7 +28,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -78,8 +79,8 @@ "variables": { "outputs": "[if(not(empty(parameters('workspaceResourceId'))), createArray(createObject('type', 'Workspace', 'workspaceSettings', createObject('workspaceResourceId', parameters('workspaceResourceId')))), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -93,7 +94,13 @@ } } }, - { + "networkWatcher": { + "existing": true, + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2023-04-01", + "name": "[parameters('networkWatcherName')]" + }, + "connectionMonitor": { "type": "Microsoft.Network/networkWatchers/connectionMonitors", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", 
@@ -104,9 +111,12 @@ "testConfigurations": "[parameters('testConfigurations')]", "testGroups": "[parameters('testGroups')]", "outputs": "[variables('outputs')]" - } + }, + "dependsOn": [ + "networkWatcher" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -134,7 +144,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkWatchers/connectionMonitors', parameters('networkWatcherName'), parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('connectionMonitor', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md index 1afef915fc..f9b2dddaf0 100644 --- a/modules/network/network-watcher/flow-log/README.md +++ b/modules/network/network-watcher/flow-log/README.md @@ -101,7 +101,6 @@ Resource ID of the diagnostic storage account. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `targetResourceId` diff --git a/modules/network/network-watcher/flow-log/main.bicep b/modules/network/network-watcher/flow-log/main.bicep index 11ab0bfa85..b1bbb833a5 100644 --- a/modules/network/network-watcher/flow-log/main.bicep +++ b/modules/network/network-watcher/flow-log/main.bicep @@ -10,7 +10,7 @@ param networkWatcherName string = 'NetworkWatcher_${resourceGroup().location}' param name string = '${last(split(targetResourceId, '/'))}-${split(targetResourceId, '/')[4]}-flowlog' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Location for all resources.') param location string = resourceGroup().location diff --git a/modules/network/network-watcher/flow-log/main.json b/modules/network/network-watcher/flow-log/main.json index 0d737f5dce..c7d365f80c 100644 --- a/modules/network/network-watcher/flow-log/main.json 
+++ b/modules/network/network-watcher/flow-log/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17949647288095694070" + "templateHash": "7397123180177309349" }, "name": "NSG Flow Logs", "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", @@ -28,7 +29,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -108,8 +109,8 @@ "variables": { "flowAnalyticsConfiguration": "[if(and(not(empty(parameters('workspaceResourceId'))), equals(parameters('enabled'), true())), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', true(), 'workspaceResourceId', parameters('workspaceResourceId'), 'trafficAnalyticsInterval', parameters('trafficAnalyticsInterval'))), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', false())))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -123,7 +124,13 @@ } } }, - { + "networkWatcher": { + "existing": true, + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2023-04-01", + "name": "[parameters('networkWatcherName')]" + }, + "flowLog": { "type": "Microsoft.Network/networkWatchers/flowLogs", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", 
@@ -142,9 +149,12 @@ "version": "[parameters('formatVersion')]" }, "flowAnalyticsConfiguration": "[variables('flowAnalyticsConfiguration')]" - } + }, + "dependsOn": [ + "networkWatcher" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -172,7 +182,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkWatchers/flowLogs', parameters('networkWatcherName'), parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('flowLog', '2023-04-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep index a20af3f5e0..4ca2b00db7 100644 --- a/modules/network/network-watcher/main.bicep +++ b/modules/network/network-watcher/main.bicep @@ -22,7 +22,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index 6fb1e7c468..85e335cbac 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13987242665374495916" + "templateHash": "768801903323165380" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", @@ -149,7 +149,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -262,12 +262,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11763235795280157018" + "templateHash": "3258279638384899203" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", @@ -289,7 +290,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -340,8 +341,8 @@ "variables": { "outputs": "[if(not(empty(parameters('workspaceResourceId'))), createArray(createObject('type', 'Workspace', 'workspaceSettings', createObject('workspaceResourceId', parameters('workspaceResourceId')))), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -355,7 +356,13 @@ } } }, - { + "networkWatcher": { + "existing": true, + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2023-04-01", + "name": "[parameters('networkWatcherName')]" + }, + "connectionMonitor": { "type": "Microsoft.Network/networkWatchers/connectionMonitors", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", @@ -366,9 +373,12 @@ "testConfigurations": "[parameters('testConfigurations')]", "testGroups": "[parameters('testGroups')]", "outputs": "[variables('outputs')]" - } + }, + "dependsOn": [ + "networkWatcher" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -396,7 +406,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkWatchers/connectionMonitors', parameters('networkWatcherName'), parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('connectionMonitor', '2023-04-01', 'full').location]" } } } @@ -441,12 +451,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17949647288095694070" + "templateHash": "7397123180177309349" }, "name": "NSG Flow Logs", "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", @@ -469,7 +480,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -549,8 +560,8 @@ "variables": { "flowAnalyticsConfiguration": "[if(and(not(empty(parameters('workspaceResourceId'))), equals(parameters('enabled'), true())), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', true(), 'workspaceResourceId', parameters('workspaceResourceId'), 'trafficAnalyticsInterval', parameters('trafficAnalyticsInterval'))), createObject('networkWatcherFlowAnalyticsConfiguration', createObject('enabled', false())))]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -564,7 +575,13 @@ } } }, - { + "networkWatcher": { + "existing": true, + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2023-04-01", + "name": "[parameters('networkWatcherName')]" + }, + "flowLog": { "type": "Microsoft.Network/networkWatchers/flowLogs", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('name'))]", @@ -583,9 +600,12 @@ "version": "[parameters('formatVersion')]" }, "flowAnalyticsConfiguration": "[variables('flowAnalyticsConfiguration')]" - } + }, + "dependsOn": [ + "networkWatcher" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -613,7 +633,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/networkWatchers/flowLogs', parameters('networkWatcherName'), parameters('name')), '2023-04-01', 'full').location]" + "value": "[reference('flowLog', '2023-04-01', 'full').location]" } } } diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index 0191518ff6..f225228a70 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -691,7 +691,6 @@ Array of SRV records. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `txt` diff --git a/modules/network/private-dns-zone/main.bicep b/modules/network/private-dns-zone/main.bicep index 4054c86be0..818c516dd5 100644 --- a/modules/network/private-dns-zone/main.bicep +++ b/modules/network/private-dns-zone/main.bicep @@ -39,7 +39,7 @@ param location string = 'global' param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The lock settings of the service.') param lock lockType 
@@ -193,7 +193,7 @@ module privateDnsZone_virtualNetworkLinks 'virtual-network-link/main.bicep' = [f virtualNetworkResourceId: virtualNetworkLink.virtualNetworkResourceId location: contains(virtualNetworkLink, 'location') ? virtualNetworkLink.location : 'global' registrationEnabled: contains(virtualNetworkLink, 'registrationEnabled') ? virtualNetworkLink.registrationEnabled : false - tags: contains(virtualNetworkLink, 'tags') ? virtualNetworkLink.tags : {} + tags: virtualNetworkLink.?tags ?? tags enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json index 0dbb326495..88f780099a 100644 --- a/modules/network/private-dns-zone/main.json +++ b/modules/network/private-dns-zone/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18339813658426001901" + "templateHash": "3388913792473865283" }, "name": "Private DNS Zones", "description": "This module deploys a Private DNS zone.", @@ -190,7 +190,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
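Review bot: `tags: virtualNetworkLink.?tags ?? tags` changes the fallback from an empty object to the zone's own `tags`, so links that previously got no tags now silently inherit the parent's; that is a behaviour change beyond the nullable-parameter refactor and nothing in this hunk documents it. Because `??` only falls through on null, a caller that wants an untagged link on a tagged zone must now pass `tags: {}` explicitly on that link entry. Suggest stating this on the `virtualNetworkLinks` parameter description (outside the hunk), e.g. `Each link's tags default to the zone's tags unless set per link.`. The enclosing `module privateDnsZone_virtualNetworkLinks` loop starts outside the hunk.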
@@ -2378,19 +2378,22 @@ }, "location": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'location'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].location), createObject('value', 'global'))]", "registrationEnabled": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'registrationEnabled'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].registrationEnabled), createObject('value', false()))]", - "tags": "[if(contains(parameters('virtualNetworkLinks')[copyIndex()], 'tags'), createObject('value', parameters('virtualNetworkLinks')[copyIndex()].tags), createObject('value', createObject()))]", + "tags": { + "value": "[coalesce(tryGet(parameters('virtualNetworkLinks')[copyIndex()], 'tags'), parameters('tags'))]" + }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12342244725180262876" + "templateHash": "14262386012436592269" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", @@ -2419,7 +2422,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -2445,8 +2448,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -2460,7 +2463,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "virtualNetworkLink": { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", @@ -2471,9 +2480,12 @@ "virtualNetwork": { "id": "[parameters('virtualNetworkResourceId')]" } - } + }, + "dependsOn": [ + "privateDnsZone" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -2501,7 +2513,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateDnsZones/virtualNetworkLinks', parameters('privateDnsZoneName'), parameters('name')), '2020-06-01', 'full').location]" + "value": "[reference('virtualNetworkLink', '2020-06-01', 'full').location]" } } } diff --git a/modules/network/private-dns-zone/virtual-network-link/README.md b/modules/network/private-dns-zone/virtual-network-link/README.md index b745342815..b83d22b41d 100644 --- a/modules/network/private-dns-zone/virtual-network-link/README.md +++ b/modules/network/private-dns-zone/virtual-network-link/README.md @@ -78,7 +78,6 @@ Is auto-registration of virtual machine records in the virtual network in the Pr Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualNetworkResourceId` diff --git a/modules/network/private-dns-zone/virtual-network-link/main.bicep b/modules/network/private-dns-zone/virtual-network-link/main.bicep index afd20ce63d..0885bf3952 100644 --- a/modules/network/private-dns-zone/virtual-network-link/main.bicep +++ b/modules/network/private-dns-zone/virtual-network-link/main.bicep 
@@ -12,7 +12,7 @@ param name string = '${last(split(virtualNetworkResourceId, '/'))}-vnetlink' param location string = 'global' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?.') param registrationEnabled bool = false diff --git a/modules/network/private-dns-zone/virtual-network-link/main.json b/modules/network/private-dns-zone/virtual-network-link/main.json index 51d922b079..10f3e34f7e 100644 --- a/modules/network/private-dns-zone/virtual-network-link/main.json +++ b/modules/network/private-dns-zone/virtual-network-link/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12342244725180262876" + "templateHash": "14262386012436592269" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", @@ -34,7 +35,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -60,8 +61,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -75,7 +76,13 @@ } } }, - { + "privateDnsZone": { + "existing": true, + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]" + }, + "virtualNetworkLink": { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", 
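Review bot: Dropping the `{}` default from `param tags object?` means any expression in this module that merges or inspects the value — `union(tags, …)`, `contains(tags, …)`, `empty(tags)` — must now tolerate null; only the parameter line is in this hunk, so that cannot be confirmed here. Where such a use exists, `tags ?? {}` at the use site keeps the previous behavior, while passing `tags: tags` straight into a resource body should be fine since ARM treats a null property as omitted. The same one-line change appears in the main.bicep hunks for private-link-service, public-ip-address, public-ip-prefix, route-table, service-endpoint-policy, trafficmanagerprofile, virtual-hub, virtual-network-gateway, virtual-network, virtual-wan, vpn-gateway, vpn-site and the operational-insights data-source and linked-service modules, and the same check applies to each.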
@@ -86,9 +93,12 @@ "virtualNetwork": { "id": "[parameters('virtualNetworkResourceId')]" } - } + }, + "dependsOn": [ + "privateDnsZone" + ] } - ], + }, "outputs": { "name": { "type": "string", @@ -116,7 +126,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.Network/privateDnsZones/virtualNetworkLinks', parameters('privateDnsZoneName'), parameters('name')), '2020-06-01', 'full').location]" + "value": "[reference('virtualNetworkLink', '2020-06-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 6ff4cb081d..a9dbe52c17 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -462,7 +462,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object -- Default: `{object}` ### Parameter: `visibility` diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep index b964c1d180..4691ab09c6 100644 --- a/modules/network/private-link-service/main.bicep +++ b/modules/network/private-link-service/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location param lock lockType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') -param tags object = {} +param tags object? @description('Optional. The extended location of the load balancer.') param extendedLocation object = {} diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json index 3ecea13bbf..1a1d8491cc 100644 --- a/modules/network/private-link-service/main.json +++ b/modules/network/private-link-service/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14019322744522497377" + "templateHash": "3379360327986898312" }, "name": "Private Link Services", "description": "This module deploys a Private Link Service.", @@ -127,7 +127,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 3c7c63293d..4f3ad77e59 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -549,7 +549,6 @@ Tier of a public IP address SKU. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `zones` diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep index 16eacf4f4d..f907565f45 100644 --- a/modules/network/public-ip-address/main.bicep +++ b/modules/network/public-ip-address/main.bicep @@ -74,7 +74,7 @@ param roleAssignments roleAssignmentType param enableDefaultTelemetry bool = true @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json index f1bc72b6c8..70133688a7 100644 --- a/modules/network/public-ip-address/main.json +++ b/modules/network/public-ip-address/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", 
@@ -345,7 +345,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index c38f10e3a0..b4f5ab4c19 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -325,7 +325,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep index 23c2c7b056..067b299025 100644 --- a/modules/network/public-ip-prefix/main.bicep +++ b/modules/network/public-ip-prefix/main.bicep @@ -21,7 +21,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range.') param customIPPrefix object = {} diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index 25e8f2aff0..8245998e85 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17531002451033298883" + "templateHash": "12289116883631984029" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", 
@@ -142,7 +142,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index 9af978eec2..c72d3efdd9 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -340,7 +340,6 @@ An Array of Routes to be established within the hub route table. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/route-table/main.bicep b/modules/network/route-table/main.bicep index ff4eb5bb3a..8a416fcc21 100644 --- a/modules/network/route-table/main.bicep +++ b/modules/network/route-table/main.bicep @@ -21,7 +21,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json index 2bb3a3f95a..8563735479 100644 --- a/modules/network/route-table/main.json +++ b/modules/network/route-table/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15729767550329872027" + "templateHash": "16231060934698023931" }, "name": "Route Tables", "description": "This module deploys a User Defined Route Table (UDR).", @@ -147,7 +147,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index 9865933bc5..84bbf928c5 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md 
@@ -354,7 +354,6 @@ An Array of service endpoint policy definitions. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep index fe50a768e4..09d59d58a5 100644 --- a/modules/network/service-endpoint-policy/main.bicep +++ b/modules/network/service-endpoint-policy/main.bicep @@ -24,7 +24,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index c1fbae80ab..0d1e589b59 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "379140032937405547" + "templateHash": "10435227051484673475" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", @@ -154,7 +154,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 2149dec13e..90a4577d8b 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -493,7 +493,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `trafficRoutingMethod` 
diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index e793655737..fb034877ba 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep @@ -60,7 +60,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 3f5118b0a4..5fb51da587 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2562804839446709562" + "templateHash": "10183539121866982078" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", @@ -314,7 +314,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 8196fcc635..8524210391 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -385,7 +385,6 @@ The sku of this VirtualHub. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualHubRouteTableV2s` diff --git a/modules/network/virtual-hub/main.bicep b/modules/network/virtual-hub/main.bicep index 8c18bacd2e..eabe51ce79 100644 --- a/modules/network/virtual-hub/main.bicep +++ b/modules/network/virtual-hub/main.bicep 
@@ -10,7 +10,7 @@ param name string param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Required. Address-prefix for this VirtualHub.') param addressPrefix string diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json index b5d004bbf0..718814eff9 100644 --- a/modules/network/virtual-hub/main.json +++ b/modules/network/virtual-hub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18370273919471051889" + "templateHash": "11534311815660563241" }, "name": "Virtual Hubs", "description": "This module deploys a Virtual Hub.\r\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", @@ -55,7 +55,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index ead289847f..763d5b9fb3 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -1140,7 +1140,6 @@ The SKU of the Gateway. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vNetResourceId` diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index 4e6e0563c0..6977268079 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep @@ -125,7 +125,7 @@ param roleAssignments roleAssignmentType param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json index 091094caf3..eaa29a2c28 100644 --- a/modules/network/virtual-network-gateway/main.json +++ b/modules/network/virtual-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12621713101290509053" + "templateHash": "10499044138923307873" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", @@ -448,7 +448,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -657,7 +657,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -996,7 +996,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 27ac904abb..6ae0427141 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -731,7 +731,6 @@ An Array of subnets to deploy to the Virtual Network. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `vnetEncryption` diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep index 7bfff1e7f2..9e46d65ae8 100644 --- a/modules/network/virtual-network/main.bicep +++ b/modules/network/virtual-network/main.bicep 
@@ -47,7 +47,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index 970f28780d..767bf3b948 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4487813661219607743" + "templateHash": "17994966106128873660" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", @@ -305,7 +305,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 78d5f5ebf7..4a43dbc3ca 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -343,7 +343,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `type` diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep index 12bdd5defc..b3d6f04fbe 100644 --- a/modules/network/virtual-wan/main.bicep +++ b/modules/network/virtual-wan/main.bicep @@ -28,7 +28,7 @@ param disableVpnEncryption bool = false param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index 92b46f097e..c359e2792f 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10009504626840542150" + "templateHash": "16118078360254929709" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", @@ -159,7 +159,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 5328158034..c9b7d5e440 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -338,7 +338,6 @@ List of all the NAT Rules to associate with the gateway. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualHubResourceId` diff --git a/modules/network/vpn-gateway/main.bicep b/modules/network/vpn-gateway/main.bicep index 748199118f..98d2495329 100644 --- a/modules/network/vpn-gateway/main.bicep +++ b/modules/network/vpn-gateway/main.bicep @@ -30,7 +30,7 @@ param isRoutingPreferenceInternet bool = false param vpnGatewayScaleUnit int = 2 @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. The lock settings of the service.') param lock lockType diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json index 553c9b6c38..bd6b9d0262 100644 --- a/modules/network/vpn-gateway/main.json +++ b/modules/network/vpn-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18343688551152828699" + "templateHash": "1887977315027479771" }, "name": "VPN Gateways", "description": "This module deploys a VPN Gateway.", 
@@ -103,7 +103,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 59e4d270e4..13a2a17025 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -464,7 +464,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualWanId` diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep index 860a2fab72..a43605ce50 100644 --- a/modules/network/vpn-site/main.bicep +++ b/modules/network/vpn-site/main.bicep @@ -12,7 +12,7 @@ param virtualWanId string param location string = resourceGroup().location @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Conditional. An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured.') param addressPrefixes array = [] diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index fe722b1c34..486e0953cf 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6363080366806288405" + "templateHash": "9467816521347210128" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", @@ -127,7 +127,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } From 522bfbcf868fb1053321fc03c19363031eff7642 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Tue, 31 Oct 2023 21:40:18 +0100 Subject: [PATCH 071/178] [Modules] Updated tags to AVM standard - Batch 3 (#4161) * Third batch * Updated tags --- .../operational-insights/workspace/README.md | 1 - .../workspace/data-source/README.md | 1 - .../workspace/data-source/main.bicep | 2 +- .../workspace/data-source/main.json | 24 ++++-- .../workspace/linked-service/README.md | 1 - .../workspace/linked-service/main.bicep | 2 +- .../workspace/linked-service/main.json | 24 ++++-- .../operational-insights/workspace/main.bicep | 2 +- .../operational-insights/workspace/main.json | 83 ++++++++++++++----- .../storage-insight-config/README.md | 1 - .../storage-insight-config/main.bicep | 2 +- .../storage-insight-config/main.json | 31 +++++-- modules/power-bi-dedicated/capacity/README.md | 1 - .../power-bi-dedicated/capacity/main.bicep | 2 +- modules/power-bi-dedicated/capacity/main.json | 4 +- modules/purview/account/README.md | 1 - modules/purview/account/main.bicep | 12 +-- modules/purview/account/main.json | 24 ++++-- modules/recovery-services/vault/README.md | 1 - modules/recovery-services/vault/main.bicep | 2 +- modules/recovery-services/vault/main.json | 4 +- modules/relay/namespace/README.md | 1 - modules/relay/namespace/main.bicep | 2 +- modules/relay/namespace/main.json | 4 +- modules/resource-graph/query/README.md | 1 - modules/resource-graph/query/main.bicep | 2 +- modules/resource-graph/query/main.json | 4 +- modules/resources/deployment-script/README.md | 1 - .../resources/deployment-script/main.bicep | 2 +- modules/resources/deployment-script/main.json | 4 +- modules/resources/resource-group/README.md | 1 - modules/resources/resource-group/main.bicep | 2 +- modules/resources/resource-group/main.json | 4 +- modules/resources/tags/README.md | 1 - modules/resources/tags/main.bicep | 2 +- modules/resources/tags/main.json | 71 ++++++++-------- .../tags/resource-group/.bicep/readTags.bicep | 2 +- .../resources/tags/resource-group/README.md | 1 - 
 .../resources/tags/resource-group/main.bicep | 6 +-
 .../resources/tags/resource-group/main.json | 25 +++---
 .../tags/subscription/.bicep/readTags.bicep | 2 +-
 modules/resources/tags/subscription/README.md | 1 -
 .../resources/tags/subscription/main.bicep | 6 +-
 modules/resources/tags/subscription/main.json | 25 +++---
 modules/search/search-service/README.md | 1 -
 modules/search/search-service/main.bicep | 2 +-
 modules/search/search-service/main.json | 4 +-
 modules/service-bus/namespace/README.md | 1 -
 modules/service-bus/namespace/main.bicep | 2 +-
 modules/service-bus/namespace/main.json | 4 +-
 modules/service-fabric/cluster/README.md | 1 -
 .../cluster/application-type/README.md | 1 -
 .../cluster/application-type/main.bicep | 2 +-
 .../cluster/application-type/main.json | 24 ++++--
 modules/service-fabric/cluster/main.bicep | 4 +-
 modules/service-fabric/cluster/main.json | 32 ++++---
 modules/signal-r-service/signal-r/README.md | 1 -
 modules/signal-r-service/signal-r/main.bicep | 2 +-
 modules/signal-r-service/signal-r/main.json | 4 +-
 .../signal-r-service/web-pub-sub/README.md | 1 -
 .../signal-r-service/web-pub-sub/main.bicep | 2 +-
 .../signal-r-service/web-pub-sub/main.json | 4 +-
 modules/sql/managed-instance/README.md | 1 -
 .../sql/managed-instance/database/README.md | 1 -
 .../sql/managed-instance/database/main.bicep | 2 +-
 .../sql/managed-instance/database/main.json | 4 +-
 modules/sql/managed-instance/main.bicep | 4 +-
 modules/sql/managed-instance/main.json | 12 +--
 modules/sql/server/README.md | 1 -
 modules/sql/server/database/README.md | 1 -
 modules/sql/server/database/main.bicep | 2 +-
 modules/sql/server/database/main.json | 4 +-
 modules/sql/server/elastic-pool/README.md | 1 -
 modules/sql/server/elastic-pool/main.bicep | 2 +-
 modules/sql/server/elastic-pool/main.json | 26 ++++--
 modules/sql/server/main.bicep | 6 +-
 modules/sql/server/main.json | 42 ++++++----
 modules/storage/storage-account/README.md | 1 -
 modules/storage/storage-account/main.bicep | 2 +-
modules/storage/storage-account/main.json | 4 +- modules/synapse/private-link-hub/README.md | 1 - modules/synapse/private-link-hub/main.bicep | 2 +- modules/synapse/private-link-hub/main.json | 4 +- modules/synapse/workspace/README.md | 1 - modules/synapse/workspace/main.bicep | 2 +- modules/synapse/workspace/main.json | 4 +- .../image-template/README.md | 1 - .../image-template/main.bicep | 2 +- .../image-template/main.json | 4 +- modules/web/connection/README.md | 1 - modules/web/connection/main.bicep | 2 +- modules/web/connection/main.json | 4 +- modules/web/hosting-environment/README.md | 1 - modules/web/hosting-environment/main.bicep | 2 +- modules/web/hosting-environment/main.json | 4 +- modules/web/serverfarm/README.md | 1 - modules/web/serverfarm/main.bicep | 2 +- modules/web/serverfarm/main.json | 4 +- modules/web/site/README.md | 1 - modules/web/site/main.bicep | 6 +- modules/web/site/main.json | 14 ++-- modules/web/site/slot/README.md | 1 - modules/web/site/slot/main.bicep | 2 +- modules/web/site/slot/main.json | 4 +- modules/web/static-site/README.md | 1 - modules/web/static-site/main.bicep | 2 +- modules/web/static-site/main.json | 4 +- 107 files changed, 392 insertions(+), 288 deletions(-) diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 7a39d99942..48f25812c4 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -1459,7 +1459,6 @@ LAW custom tables to be deployed. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `useResourcePermissions` diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md index 80b966ff99..73c7fb8958 100644 --- a/modules/operational-insights/workspace/data-source/README.md +++ b/modules/operational-insights/workspace/data-source/README.md 
@@ -157,7 +157,6 @@ Severities to configure when kind is LinuxSyslog. Tags to configure in the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/operational-insights/workspace/data-source/main.bicep b/modules/operational-insights/workspace/data-source/main.bicep index 0f2f9ad625..7322f62ece 100644 --- a/modules/operational-insights/workspace/data-source/main.bicep +++ b/modules/operational-insights/workspace/data-source/main.bicep @@ -22,7 +22,7 @@ param name string param kind string = 'AzureActivityLog' @description('Optional. Tags to configure in the resource.') -param tags object = {} +param tags object? @description('Optional. Resource ID of the resource to be linked.') param linkedResourceId string = '' diff --git a/modules/operational-insights/workspace/data-source/main.json b/modules/operational-insights/workspace/data-source/main.json index 93d5aef582..4bc4f80e43 100644 --- a/modules/operational-insights/workspace/data-source/main.json +++ b/modules/operational-insights/workspace/data-source/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7994060758159745935" + "templateHash": "13903182753870680383" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", @@ -43,7 +44,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -133,8 +134,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -148,7 +149,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "dataSource": { "type": "Microsoft.OperationalInsights/workspaces/dataSources", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", @@ -166,9 +173,12 @@ "syslogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxSyslog')), parameters('syslogName'), null())]", "syslogSeverities": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'LinuxSyslog'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('syslogSeverities'), null())]", "performanceCounters": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxPerformanceObject')), parameters('performanceCounters'), null())]" - } + }, + "dependsOn": [ + "workspace" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/operational-insights/workspace/linked-service/README.md b/modules/operational-insights/workspace/linked-service/README.md index a05b704e17..c30872ecce 100644 --- a/modules/operational-insights/workspace/linked-service/README.md +++ b/modules/operational-insights/workspace/linked-service/README.md @@ -69,7 +69,6 @@ The resource ID of the resource that will be linked to the workspace. This shoul Tags to configure in the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `writeAccessResourceId` diff --git a/modules/operational-insights/workspace/linked-service/main.bicep b/modules/operational-insights/workspace/linked-service/main.bicep index b0bc3c505c..88fdc6283a 100644 --- a/modules/operational-insights/workspace/linked-service/main.bicep +++ b/modules/operational-insights/workspace/linked-service/main.bicep 
@@ -15,7 +15,7 @@ param resourceId string = '' param writeAccessResourceId string = '' @description('Optional. Tags to configure in the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/operational-insights/workspace/linked-service/main.json b/modules/operational-insights/workspace/linked-service/main.json index e0de836475..ca4bdb12b7 100644 --- a/modules/operational-insights/workspace/linked-service/main.json +++ b/modules/operational-insights/workspace/linked-service/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15022791045507209174" + "templateHash": "9970744617970664745" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -40,7 +41,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -53,8 +54,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -68,7 +69,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "linkedService": { "type": "Microsoft.OperationalInsights/workspaces/linkedServices", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", 
@@ -76,9 +83,12 @@ "properties": { "resourceId": "[parameters('resourceId')]", "writeAccessResourceId": "[if(empty(parameters('writeAccessResourceId')), null(), parameters('writeAccessResourceId'))]" - } + }, + "dependsOn": [ + "workspace" + ] } - ], + }, "outputs": { "name": { "type": "string", diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep index 6220a5deb5..437e5c9730 100644 --- a/modules/operational-insights/workspace/main.bicep +++ b/modules/operational-insights/workspace/main.bicep @@ -92,7 +92,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index 19df45d446..cce483eb5c 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12796424281221754385" + "templateHash": "1028542190363116097" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", @@ -409,7 +409,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
@@ -567,12 +567,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6643427484780531502" + "templateHash": "13014071648331654478" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", @@ -614,7 +615,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -627,8 +628,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -642,7 +643,19 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" + }, + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "storageinsightconfig": { "type": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", @@ -654,9 +667,13 @@ "id": "[parameters('storageAccountResourceId')]", "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2022-09-01').keys[0].value]" } - } + }, + "dependsOn": [ + "storageAccount", + "workspace" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
@@ -714,12 +731,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15022791045507209174" + "templateHash": "9970744617970664745" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -754,7 +772,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -767,8 +785,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -782,7 +800,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "linkedService": { "type": "Microsoft.OperationalInsights/workspaces/linkedServices", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", @@ -790,9 +814,12 @@ "properties": { "resourceId": "[parameters('resourceId')]", "writeAccessResourceId": "[if(empty(parameters('writeAccessResourceId')), null(), parameters('writeAccessResourceId'))]" - } + }, + "dependsOn": [ + "workspace" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1314,12 +1341,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7994060758159745935" + "templateHash": "13903182753870680383" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", @@ -1357,7 +1385,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -1447,8 +1475,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -1462,7 +1490,13 @@ } } }, - { + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "dataSource": { "type": "Microsoft.OperationalInsights/workspaces/dataSources", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", @@ -1480,9 +1514,12 @@ "syslogName": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxSyslog')), parameters('syslogName'), null())]", "syslogSeverities": "[if(and(not(empty(parameters('kind'))), or(equals(parameters('kind'), 'LinuxSyslog'), equals(parameters('kind'), 'LinuxPerformanceObject'))), parameters('syslogSeverities'), null())]", "performanceCounters": "[if(and(not(empty(parameters('kind'))), equals(parameters('kind'), 'LinuxPerformanceObject')), parameters('performanceCounters'), null())]" - } + }, + "dependsOn": [ + "workspace" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", 
diff --git a/modules/operational-insights/workspace/storage-insight-config/README.md b/modules/operational-insights/workspace/storage-insight-config/README.md index 4d77ca61f1..1e589388ee 100644 --- a/modules/operational-insights/workspace/storage-insight-config/README.md +++ b/modules/operational-insights/workspace/storage-insight-config/README.md @@ -84,7 +84,6 @@ The names of the Azure tables that the workspace should read. Tags to configure in the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/operational-insights/workspace/storage-insight-config/main.bicep b/modules/operational-insights/workspace/storage-insight-config/main.bicep index 7e5d85c362..5e6a2d236f 100644 --- a/modules/operational-insights/workspace/storage-insight-config/main.bicep +++ b/modules/operational-insights/workspace/storage-insight-config/main.bicep @@ -18,7 +18,7 @@ param containers array = [] param tables array = [] @description('Optional. Tags to configure in the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/operational-insights/workspace/storage-insight-config/main.json b/modules/operational-insights/workspace/storage-insight-config/main.json index d5e4378634..d3b44b1f6d 100644 --- a/modules/operational-insights/workspace/storage-insight-config/main.json +++ b/modules/operational-insights/workspace/storage-insight-config/main.json 
@@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6643427484780531502" + "templateHash": "13014071648331654478" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", @@ -47,7 +48,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to configure in the resource." } @@ -60,8 +61,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -75,7 +76,19 @@ } } }, - { + "storageAccount": { + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" + }, + "workspace": { + "existing": true, + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2022-10-01", + "name": "[parameters('logAnalyticsWorkspaceName')]" + }, + "storageinsightconfig": { "type": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", "apiVersion": "2020-08-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", @@ -87,9 +100,13 @@ "id": "[parameters('storageAccountResourceId')]", "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), '2022-09-01').keys[0].value]" } - } + }, + "dependsOn": [ + "storageAccount", + "workspace" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 20ee5d05cf..b014f55a63 100644 
--- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -367,7 +367,6 @@ SkuCapacity of the resource. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/power-bi-dedicated/capacity/main.bicep b/modules/power-bi-dedicated/capacity/main.bicep index 2628ce35b9..d9124fb750 100644 --- a/modules/power-bi-dedicated/capacity/main.bicep +++ b/modules/power-bi-dedicated/capacity/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location param enableDefaultTelemetry bool = true @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Required. SkuCapacity of the resource.') param skuCapacity int diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json index d99608fce2..70c6e02ca8 100644 --- a/modules/power-bi-dedicated/capacity/main.json +++ b/modules/power-bi-dedicated/capacity/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14932984418951732668" + "templateHash": "5834334564189406991" }, "name": "Power BI Dedicated Capacities", "description": "This module deploys a Power BI Dedicated Capacity.", @@ -128,7 +128,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 152f7ba851..005541e314 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -705,7 +705,6 @@ Configuration details for Purview Managed Storage Account queue private endpoint Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index 8410915c30..ee9cf3a810 100644 --- a/modules/purview/account/main.bicep 
+++ b/modules/purview/account/main.bicep
@@ -11,7 +11,7 @@ param name string
 param location string = resourceGroup().location
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
@@ -149,7 +149,7 @@ module account_privateEndpoints '../../network/private-endpoint/main.bicep' = [f
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ tags: privateEndpoint.?tags ?? tags
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
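Review bot: `tags: privateEndpoint.?tags ?? tags` changes the fallback for an endpoint without its own tags from `{}` to the module-level `tags`, so private endpoints now inherit the account's tags, and when neither is set the nested module receives null where callers previously always passed an object; the same change is made in the hunks at @@ -173, @@ -197, @@ -221 and @@ -245. Whether `../../network/private-endpoint/main.bicep` accepts a null `tags` is not visible here and should be confirmed. The inheritance is worth stating on the description of the `tags` member of the private-endpoint parameter type (outside this hunk), e.g. `Optional. Tags to apply to the private endpoint. Defaults to the tags of the parent resource.`. The `account_privateEndpoints` module definition starts outside the hunk, and this property now uses the `.?`/`??` idiom while the surrounding properties keep the `contains(...) ? ... : ...` pattern.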
@@ -173,7 +173,7 @@ module portal_privateEndpoints '../../network/private-endpoint/main.bicep' = [fo
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ tags: privateEndpoint.?tags ?? tags
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
@@ -197,7 +197,7 @@ module blob_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ tags: privateEndpoint.?tags ?? tags
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
@@ -221,7 +221,7 @@ module queue_privateEndpoints '../../network/private-endpoint/main.bicep' = [for
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ tags: privateEndpoint.?tags ?? tags
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
@@ -245,7 +245,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [
 privateDnsZoneGroupName: contains(privateEndpoint, 'privateDnsZoneGroupName') ? privateEndpoint.privateDnsZoneGroupName : 'default'
 privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []
 roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ tags: privateEndpoint.?tags ?? tags
 manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
 customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : []
diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json
index 47a49e254a..52549f6f1f 100644
--- a/modules/purview/account/main.json
+++ b/modules/purview/account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18408981482699771035"
+ "templateHash": "1750298366145145282"
 },
 "name": "Purview Accounts",
 "description": "This module deploys a Purview Account.",
@@ -244,7 +244,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -475,7 +475,9 @@
 "privateDnsZoneGroupName": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('accountPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('accountPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('accountPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
@@ -1006,7 +1008,9 @@
 "privateDnsZoneGroupName": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('portalPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('portalPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('portalPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
@@ -1537,7 +1541,9 @@
 "privateDnsZoneGroupName": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('storageBlobPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageBlobPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
@@ -2068,7 +2074,9 @@
 "privateDnsZoneGroupName": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('storageQueuePrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('storageQueuePrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
@@ -2599,7 +2607,9 @@
 "privateDnsZoneGroupName": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneGroupName'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneGroupName), createObject('value', 'default'))]",
 "privateDnsZoneResourceIds": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'privateDnsZoneResourceIds'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].privateDnsZoneResourceIds), createObject('value', createArray()))]",
 "roleAssignments": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'roleAssignments'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].roleAssignments), createObject('value', createArray()))]",
- "tags": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'tags'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('eventHubPrivateEndpoints')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "manualPrivateLinkServiceConnections": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'manualPrivateLinkServiceConnections'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].manualPrivateLinkServiceConnections), createObject('value', createArray()))]",
 "customDnsConfigs": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'customDnsConfigs'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].customDnsConfigs), createObject('value', createArray()))]",
 "ipConfigurations": "[if(contains(parameters('eventHubPrivateEndpoints')[copyIndex()], 'ipConfigurations'), createObject('value', parameters('eventHubPrivateEndpoints')[copyIndex()].ipConfigurations), createObject('value', createArray()))]",
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index 5258daf120..3d02aec005 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -1480,7 +1480,6 @@ Security Settings of the vault.
 Tags of the Recovery Service Vault resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ## Outputs
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
index 623b3ddad7..16168ce0ba 100644
--- a/modules/recovery-services/vault/main.bicep
+++ b/modules/recovery-services/vault/main.bicep
@@ -48,7 +48,7 @@ param lock lockType
 param managedIdentities managedIdentitiesType
 @description('Optional. Tags of the Recovery Service Vault resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json
index db634c5922..a2d52cb3e7 100644
--- a/modules/recovery-services/vault/main.json
+++ b/modules/recovery-services/vault/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "18413268993568593224"
+ "templateHash": "17885378476178029351"
 },
 "name": "Recovery Services Vaults",
 "description": "This module deploys a Recovery Services Vault.",
@@ -482,7 +482,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the Recovery Service Vault resource."
 }
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index 83d2b108d5..8bec8c2e9e 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -922,7 +922,6 @@ Name of this SKU. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `wcfRelays` diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index e05491e6b0..301d7d956d 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep @@ -44,7 +44,7 @@ param privateEndpoints privateEndpointType param networkRuleSets object = {} @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index 086bffddff..8fbf5d13f5 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14407783319631235509" + "templateHash": "17919201326260317269" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", @@ -435,7 +435,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index cf85d54dc9..d471c82a90 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -329,7 +329,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep index 74e28c0da7..4cceeecad1 100644 --- a/modules/resource-graph/query/main.bicep +++ b/modules/resource-graph/query/main.bicep 
@@ -15,7 +15,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index a23a1f4fb6..a14e8eb9f3 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9628193183606818689" + "templateHash": "4571822405516608040" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", @@ -133,7 +133,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 2d19703a31..4623399942 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -475,7 +475,6 @@ List of supporting files for the external script (defined in primaryScriptUri). Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `timeout` diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep index 4e1f4c7062..9ef0aa5700 100644 --- a/modules/resources/deployment-script/main.bicep +++ b/modules/resources/deployment-script/main.bicep @@ -70,7 +70,7 @@ param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json index d2af767dcd..920ea4b51e 100644 --- a/modules/resources/deployment-script/main.json +++ b/modules/resources/deployment-script/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10287022408270224079" + "templateHash": "5648029581364828548" }, "name": "Deployment Scripts", "description": "This module deploys a Deployment Script.", @@ -196,7 +196,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 71e3445bf0..ed5414c1bc 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -310,7 +310,6 @@ Required. The name of the role to assign. If it cannot be found you can specify Tags of the storage account resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep index 5818b3143b..0c6c874c06 100644 --- a/modules/resources/resource-group/main.bicep +++ b/modules/resources/resource-group/main.bicep @@ -17,7 +17,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the storage account resource.') -param tags object = {} +param tags object? @description('Optional. The ID of the resource that manages this resource group.') param managedBy string = '' diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json index 58106d57bc..5ef95ffd33 100644 --- a/modules/resources/resource-group/main.json +++ b/modules/resources/resource-group/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8742176141262908442" + "templateHash": "3152878379095233308" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.", @@ -133,7 +133,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the storage account resource." } diff --git a/modules/resources/tags/README.md b/modules/resources/tags/README.md index 9135bfb176..c65be02ed4 100644 --- a/modules/resources/tags/README.md +++ b/modules/resources/tags/README.md @@ -232,7 +232,6 @@ Subscription ID of the subscription to assign the tags to. If no Resource Group Tags for the resource group. If not provided, removes existing tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/resources/tags/main.bicep b/modules/resources/tags/main.bicep index 83234e59f5..3d3abf0ce7 100644 --- a/modules/resources/tags/main.bicep +++ b/modules/resources/tags/main.bicep @@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers' targetScope = 'subscription' @description('Optional. Tags for the resource group. If not provided, removes existing tags.') -param tags object = {} +param tags object? @description('Optional. Instead of overwriting the existing tags, combine them with the new tags.') param onlyUpdate bool = false diff --git a/modules/resources/tags/main.json b/modules/resources/tags/main.json index 85a73c4674..1e82fc6871 100644 --- a/modules/resources/tags/main.json +++ b/modules/resources/tags/main.json 
@@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17959459334247355830" + "templateHash": "17437787787716832327" }, "name": "Resources Tags", "description": "This module deploys a Resource Tag at a Subscription or Resource Group scope.", @@ -14,7 +15,7 @@ "parameters": { "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource group. If not provided, removes existing tags." } @@ -58,8 +59,8 @@ "variables": { "enableReferencedModulesTelemetry": false }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -74,7 +75,7 @@ } } }, - { + "tags_sub": { "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -101,12 +102,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17975356792950377604" + "templateHash": "6739306478169191405" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -115,7 +117,7 @@ "parameters": { "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource group. If not provided, removes existing tags." } 
@@ -142,8 +144,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", @@ -158,18 +160,18 @@ } } }, - { + "tag": { "type": "Microsoft.Resources/tags", "apiVersion": "2021-04-01", "name": "default", "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" }, "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name))]" + "readTags" ] }, - { + "readTags": { "condition": "[parameters('onlyUpdate')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -187,7 +189,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18269006446765776342" + "templateHash": "9833962804635676625" } }, "parameters": { @@ -206,13 +208,13 @@ "metadata": { "description": "Tags currently applied to the subscription level." }, - "value": "[if(contains(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01').tags, createObject())]" + "value": "[coalesce(tryGet(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01', 'full'))]" } } } } } - ], + }, "outputs": { "name": { "type": "string", 
@@ -226,7 +228,7 @@ "metadata": { "description": "The applied tags." }, - "value": "[if(parameters('onlyUpdate'), union(reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "value": "[coalesce(if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags')), createObject())]" }, "resourceId": { "type": "string", @@ -239,7 +241,7 @@ } } }, - { + "tags_rg": { "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -263,12 +265,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8701740381622545052" + "templateHash": "15660323099140717252" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -277,7 +280,7 @@ "parameters": { "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource group. If not provided, removes existing tags." } @@ -297,8 +300,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -312,18 +315,18 @@ } } }, - { + "tag": { "type": "Microsoft.Resources/tags", "apiVersion": "2021-04-01", "name": "default", "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference(resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name))]" + "readTags" ] }, - { + "readTags": { "condition": "[parameters('onlyUpdate')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -340,7 +343,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8737749583083645128" + "templateHash": "4088100020210156530" } }, "parameters": { @@ -359,13 +362,13 @@ "metadata": { "description": "Tags currently applied to the subscription level." }, - "value": "[if(contains(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01').tags, createObject())]" + "value": "[coalesce(tryGet(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), createObject())]" } } } } } - ], + }, "outputs": { "name": { "type": "string", 
@@ -393,34 +396,34 @@ "metadata": { "description": "The applied tags." }, - "value": "[if(parameters('onlyUpdate'), union(reference(resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "value": "[reference('tag').tags]" } } } } } - ], + }, "outputs": { "name": { "type": "string", "metadata": { "description": "The name of the tags resource." }, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Tags-RG', deployment().name)), '2022-09-01').outputs.name.value, reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-Tags-Sub', deployment().name)), '2022-09-01').outputs.name.value)]" + "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.name.value, reference('tags_sub').outputs.name.value)]" }, "tags": { "type": "object", "metadata": { "description": "The applied tags." 
}, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Tags-RG', deployment().name)), '2022-09-01').outputs.tags.value, reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-Tags-Sub', deployment().name)), '2022-09-01').outputs.tags.value)]" + "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.tags.value, reference('tags_sub').outputs.tags.value)]" }, "resourceId": { "type": "string", "metadata": { "description": "The resource ID of the applied tags." }, - "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-Tags-RG', deployment().name)), '2022-09-01').outputs.resourceId.value, reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-Tags-Sub', deployment().name)), '2022-09-01').outputs.resourceId.value)]" + "value": "[if(and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId')))), reference('tags_rg').outputs.resourceId.value, reference('tags_sub').outputs.resourceId.value)]" } } } \ No newline at end of file diff --git a/modules/resources/tags/resource-group/.bicep/readTags.bicep b/modules/resources/tags/resource-group/.bicep/readTags.bicep index f189f85bac..e397d43574 100644 --- a/modules/resources/tags/resource-group/.bicep/readTags.bicep +++ b/modules/resources/tags/resource-group/.bicep/readTags.bicep 
@@ -6,4 +6,4 @@ resource tags 'Microsoft.Resources/tags@2019-10-01' existing = { } @description('Tags currently applied to the subscription level.') -output existingTags object = contains(tags.properties, 'tags') ? tags.properties.tags : {} +output existingTags object = tags.properties.?tags ?? {} diff --git a/modules/resources/tags/resource-group/README.md b/modules/resources/tags/resource-group/README.md index 678fc74561..a89c83c006 100644 --- a/modules/resources/tags/resource-group/README.md +++ b/modules/resources/tags/resource-group/README.md @@ -44,7 +44,6 @@ Instead of overwriting the existing tags, combine them with the new tags. Tags for the resource group. If not provided, removes existing tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/resources/tags/resource-group/main.bicep b/modules/resources/tags/resource-group/main.bicep index 16b6c9d1b5..aaf9058459 100644 --- a/modules/resources/tags/resource-group/main.bicep +++ b/modules/resources/tags/resource-group/main.bicep @@ -3,7 +3,7 @@ metadata description = 'This module deploys a Resource Tag on a Resource Group s metadata owner = 'Azure/module-maintainers' @description('Optional. Tags for the resource group. If not provided, removes existing tags.') -param tags object = {} +param tags object? @description('Optional. Instead of overwriting the existing tags, combine them with the new tags.') param onlyUpdate bool = false @@ -27,7 +27,7 @@ module readTags '.bicep/readTags.bicep' = if (onlyUpdate) { name: '${deployment().name}-ReadTags' } -var newTags = (onlyUpdate) ? union(readTags.outputs.existingTags, tags) : tags +var newTags = onlyUpdate ? union(readTags.outputs.existingTags, (tags ?? {})) : tags resource tag 'Microsoft.Resources/tags@2021-04-01' = { name: 'default' 
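Review bot: In the `var newTags` hunk of modules/resources/tags/resource-group/main.bicep the `onlyUpdate == false` branch still evaluates to `tags` unchanged, so with the parameter now nullable a caller that omits `tags` writes `null` into `tag.properties.tags` where `{}` was written before. The parameter description promises "If not provided, removes existing tags", and whether a null `properties.tags` still clears them is not shown by this hunk (I believe ARM drops null-valued properties before the request), so it should be verified or made explicit with `var newTags = onlyUpdate ? union(readTags.outputs.existingTags, tags ?? {}) : (tags ?? {})`. The subscription module's `var newTags` hunk further down (modules/resources/tags/subscription/main.bicep) has the same shape, and the compiled main.json hunks of both modules carry the same expression and would follow a rebuild.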
@@ -46,4 +46,4 @@ output resourceId string = tag.id output resourceGroupName string = resourceGroup().name @description('The applied tags.') -output tags object = newTags +output tags object = tag.properties.tags diff --git a/modules/resources/tags/resource-group/main.json b/modules/resources/tags/resource-group/main.json index 8e1a7b8b39..2cae75d417 100644 --- a/modules/resources/tags/resource-group/main.json +++ b/modules/resources/tags/resource-group/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8701740381622545052" + "templateHash": "15660323099140717252" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -14,7 +15,7 @@ "parameters": { "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource group. If not provided, removes existing tags." } @@ -34,8 +35,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
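Review bot: `output tags object = tag.properties.tags` in modules/resources/tags/resource-group/main.bicep reads the applied value back from the resource, while the subscription sibling's output hunk further down uses `output tags object = newTags ?? {}`, which echoes the input; the two modules now produce the same output in different ways. With `tags` nullable the read-back value can presumably be null when nothing was written, yet the output is declared as a non-nullable `object`, so I would settle on one form for both modules, e.g. `output tags object = tag.properties.tags ?? {}`. The compiled main.json hunks for both modules mirror their respective expressions and would follow a rebuild.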
@@ -49,18 +50,18 @@ } } }, - { + "tag": { "type": "Microsoft.Resources/tags", "apiVersion": "2021-04-01", "name": "default", "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference(resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name))]" + "readTags" ] }, - { + "readTags": { "condition": "[parameters('onlyUpdate')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -77,7 +78,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8737749583083645128" + "templateHash": "4088100020210156530" } }, "parameters": { @@ -96,13 +97,13 @@ "metadata": { "description": "Tags currently applied to the subscription level." }, - "value": "[if(contains(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01').tags, createObject())]" + "value": "[coalesce(tryGet(reference(resourceId('Microsoft.Resources/tags', parameters('name')), '2019-10-01'), 'tags'), createObject())]" } } } } } - ], + }, "outputs": { "name": { "type": "string", @@ -130,7 +131,7 @@ "metadata": { "description": "The applied tags." }, - "value": "[if(parameters('onlyUpdate'), union(reference(resourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "value": "[reference('tag').tags]" } } } \ No newline at end of file 
diff --git a/modules/resources/tags/subscription/.bicep/readTags.bicep b/modules/resources/tags/subscription/.bicep/readTags.bicep index ab581cdea1..06dcc91dac 100644 --- a/modules/resources/tags/subscription/.bicep/readTags.bicep +++ b/modules/resources/tags/subscription/.bicep/readTags.bicep @@ -8,4 +8,4 @@ resource tags 'Microsoft.Resources/tags@2021-04-01' existing = { } @description('Tags currently applied to the subscription level.') -output existingTags object = contains(tags.properties, 'tags') ? tags.properties.tags : {} +output existingTags object = tags.properties.?tags ?? tags diff --git a/modules/resources/tags/subscription/README.md b/modules/resources/tags/subscription/README.md index 48c7d355a0..352c754d72 100644 --- a/modules/resources/tags/subscription/README.md +++ b/modules/resources/tags/subscription/README.md @@ -52,7 +52,6 @@ Instead of overwriting the existing tags, combine them with the new tags. Tags for the resource group. If not provided, removes existing tags. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/resources/tags/subscription/main.bicep b/modules/resources/tags/subscription/main.bicep index 1b4a51b471..a7eb069208 100644 --- a/modules/resources/tags/subscription/main.bicep +++ b/modules/resources/tags/subscription/main.bicep @@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers' targetScope = 'subscription' @description('Optional. Tags for the resource group. If not provided, removes existing tags.') -param tags object = {} +param tags object? @description('Optional. Instead of overwriting the existing tags, combine them with the new tags.') param onlyUpdate bool = false 
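Review bot: `output existingTags object = tags.properties.?tags ?? tags` in modules/resources/tags/subscription/.bicep/readTags.bicep falls back to the whole existing `tags` resource instead of an empty object; the resource-group twin in this same commit uses `tags.properties.?tags ?? {}`. On a subscription that currently has no tags, `existingTags` would be the full resource body (id, name, type, properties), and the `union(readTags.outputs.existingTags, …)` in the parent module would then try to write those keys as tags — the nested `properties` object is not a valid tag value, so the deployment would most likely fail rather than merge. The compiled subscription main.json hunks show the same fallback as `reference(…, '2021-04-01', 'full')`, which confirms this is what gets deployed. The fix is `output existingTags object = tags.properties.?tags ?? {}`.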
@@ -33,7 +33,7 @@ module readTags '.bicep/readTags.bicep' = if (onlyUpdate) { name: '${deployment().name}-ReadTags' } -var newTags = (onlyUpdate) ? union(readTags.outputs.existingTags, tags) : tags +var newTags = (onlyUpdate) ? union(readTags.outputs.existingTags, (tags ?? {})) : tags resource tag 'Microsoft.Resources/tags@2021-04-01' = { name: 'default' @@ -46,7 +46,7 @@ resource tag 'Microsoft.Resources/tags@2021-04-01' = { output name string = tag.name @description('The applied tags.') -output tags object = newTags +output tags object = newTags ?? {} @description('The resource ID of the applied tags.') output resourceId string = tag.id diff --git a/modules/resources/tags/subscription/main.json b/modules/resources/tags/subscription/main.json index 467d62828b..6640264a96 100644 --- a/modules/resources/tags/subscription/main.json +++ b/modules/resources/tags/subscription/main.json @@ -1,11 +1,12 @@ { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17975356792950377604" + "templateHash": "6739306478169191405" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -14,7 +15,7 @@ "parameters": { "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags for the resource group. If not provided, removes existing tags." } @@ -41,8 +42,8 @@ } } }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -57,18 +58,18 @@ } } }, - { + "tag": { "type": "Microsoft.Resources/tags", "apiVersion": "2021-04-01", "name": "default", "properties": { - "tags": "[if(parameters('onlyUpdate'), union(reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "tags": "[if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags'))]" }, "dependsOn": [ - "[subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name))]" + "readTags" ] }, - { + "readTags": { "condition": "[parameters('onlyUpdate')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -86,7 +87,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18269006446765776342" + "templateHash": "9833962804635676625" } }, "parameters": { @@ -105,13 +106,13 @@ "metadata": { "description": "Tags currently applied to the subscription level." }, - "value": "[if(contains(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01').tags, createObject())]" + "value": "[coalesce(tryGet(reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01'), 'tags'), reference(subscriptionResourceId('Microsoft.Resources/tags', parameters('name')), '2021-04-01', 'full'))]" } } } } } - ], + }, "outputs": { "name": { "type": "string", 
@@ -125,7 +126,7 @@ "metadata": { "description": "The applied tags." }, - "value": "[if(parameters('onlyUpdate'), union(reference(subscriptionResourceId('Microsoft.Resources/deployments', format('{0}-ReadTags', deployment().name)), '2022-09-01').outputs.existingTags.value, parameters('tags')), parameters('tags'))]" + "value": "[coalesce(if(parameters('onlyUpdate'), union(reference('readTags').outputs.existingTags.value, coalesce(parameters('tags'), createObject())), parameters('tags')), createObject())]" }, "resourceId": { "type": "string", diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index e116efe345..ca85fa4f71 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -922,7 +922,6 @@ Defines the SKU of an Azure Cognitive Search Service, which determines price tie Tags to help categorize the resource in the Azure portal. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index 5597e7b853..004714ae74 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep @@ -87,7 +87,7 @@ param managedIdentities managedIdentitiesType param diagnosticSettings diagnosticSettingType @description('Optional. Tags to help categorize the resource in the Azure portal.') -param tags object = {} +param tags object? // ============= // // Variables // diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index b7467ad1f0..895ff66987 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6839264843077014016" + "templateHash": "16977539745468752400" }, "name": "Search Services", "description": "This module deploys a Search Service.", 
@@ -522,7 +522,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags to help categorize the resource in the Azure portal." } diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 877ff238b5..a000e89570 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -1352,7 +1352,6 @@ Name of this SKU. - Basic, Standard, Premium. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `topics` diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index b78edd738f..da8dd5b8bf 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep @@ -94,7 +94,7 @@ param networkRuleSets object = {} param disableLocalAuth bool = true @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index 5f9e473ae2..eb70f4dfeb 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14764861552700304868" + "templateHash": "18136363667820640336" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", @@ -547,7 +547,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 4a9a11977f..c572b02a48 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md 
@@ -956,7 +956,6 @@ This property controls the logical grouping of VMs in upgrade domains (UDs). Thi Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `upgradeDescription` diff --git a/modules/service-fabric/cluster/application-type/README.md b/modules/service-fabric/cluster/application-type/README.md index 1fd40f7308..41f0879037 100644 --- a/modules/service-fabric/cluster/application-type/README.md +++ b/modules/service-fabric/cluster/application-type/README.md @@ -56,7 +56,6 @@ The name of the parent Service Fabric cluster. Required if the template is used Tags of the resource. - Required: No - Type: object -- Default: `{object}` ## Outputs diff --git a/modules/service-fabric/cluster/application-type/main.bicep b/modules/service-fabric/cluster/application-type/main.bicep index 128fda8663..e630244a60 100644 --- a/modules/service-fabric/cluster/application-type/main.bicep +++ b/modules/service-fabric/cluster/application-type/main.bicep @@ -9,7 +9,7 @@ param serviceFabricClusterName string param name string = 'defaultApplicationType' @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/service-fabric/cluster/application-type/main.json b/modules/service-fabric/cluster/application-type/main.json index ed0f9dfa6d..89edee625a 100644 --- a/modules/service-fabric/cluster/application-type/main.json +++ b/modules/service-fabric/cluster/application-type/main.json 
@@ -1,11 +1,12 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3441501457466891361"
+ "templateHash": "16143571289588705380"
 },
 "name": "Service Fabric Cluster Application Types",
 "description": "This module deploys a Service Fabric Cluster Application Type.",
@@ -27,7 +28,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -40,8 +41,8 @@
 }
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -55,13 +56,22 @@
 }
 }
 },
- {
+ "serviceFabricCluster": {
+ "existing": true,
+ "type": "Microsoft.ServiceFabric/clusters",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('serviceFabricClusterName')]"
+ },
+ "applicationTypes": {
 "type": "Microsoft.ServiceFabric/clusters/applicationTypes",
 "apiVersion": "2021-06-01",
 "name": "[format('{0}/{1}', parameters('serviceFabricClusterName'), parameters('name'))]",
- "tags": "[parameters('tags')]"
+ "tags": "[parameters('tags')]",
+ "dependsOn": [
+ "serviceFabricCluster"
+ ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep
index cea7afb8f7..929b22eb40 100644
--- a/modules/service-fabric/cluster/main.bicep
+++ b/modules/service-fabric/cluster/main.bicep
@@ -9,7 +9,7 @@ param name string
 param location string = resourceGroup().location
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -317,7 +317,7 @@ module serviceFabricCluster_applicationTypes 'application-type/main.bicep' = [fo
 params: {
 name: applicationType.name
 serviceFabricClusterName: serviceFabricCluster.name
- tags: contains(applicationType, 'tags') ? applicationType.tags : {}
+ tags: applicationType.?tags ?? tags
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json
index 7a59bc1f37..ac97598011 100644
--- a/modules/service-fabric/cluster/main.json
+++ b/modules/service-fabric/cluster/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16595935702067786987"
+ "templateHash": "4163996962220385017"
 },
 "name": "Service Fabric Clusters",
 "description": "This module deploys a Service Fabric Cluster.",
@@ -121,7 +121,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -545,19 +545,22 @@
 "serviceFabricClusterName": {
 "value": "[parameters('name')]"
 },
- "tags": "[if(contains(parameters('applicationTypes')[copyIndex()], 'tags'), createObject('value', parameters('applicationTypes')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('applicationTypes')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "enableDefaultTelemetry": {
 "value": "[variables('enableReferencedModulesTelemetry')]"
 }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "3441501457466891361"
+ "templateHash": "16143571289588705380"
 },
 "name": "Service Fabric Cluster Application Types",
 "description": "This module deploys a Service Fabric Cluster Application Type.",
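Review bot: `tags: applicationType.?tags ?? tags` changes what an application type without its own `tags` receives: the removed line passed `{}`, the new line passes the cluster's `tags` parameter, so parent tags now propagate to child resources. Because tags commonly drive Azure Policy evaluation, cost allocation and data-classification labelling, this is a governance-visible change that the `applicationTypes` and `tags` parameter descriptions (outside this hunk) do not appear to mention; suggest extending the `@description` to `'Optional. Tags of the resource. Also applied to child resources that do not specify their own tags.'` and regenerating the README. Since `??` only falls through on null, a child that sets `tags: {}` still opts out, which is worth stating in the same sentence. The same pattern appears in sql/managed-instance/main.bicep (`@@ -282`) and sql/server/main.bicep (`@@ -193` and `@@ -228`); the enclosing `module serviceFabricCluster_applicationTypes` declaration starts before this hunk.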
@@ -579,7 +582,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -592,8 +595,8 @@
 }
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -607,13 +610,22 @@
 }
 }
 },
- {
+ "serviceFabricCluster": {
+ "existing": true,
+ "type": "Microsoft.ServiceFabric/clusters",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('serviceFabricClusterName')]"
+ },
+ "applicationTypes": {
 "type": "Microsoft.ServiceFabric/clusters/applicationTypes",
 "apiVersion": "2021-06-01",
 "name": "[format('{0}/{1}', parameters('serviceFabricClusterName'), parameters('name'))]",
- "tags": "[parameters('tags')]"
+ "tags": "[parameters('tags')]",
+ "dependsOn": [
+ "serviceFabricCluster"
+ ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index ff3c273afd..4a59945bf2 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -681,7 +681,6 @@ The SKU of the service.
 The tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `upstreamTemplatesToEnable`
diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep
index 385295b8f2..23f6aaca41 100644
--- a/modules/signal-r-service/signal-r/main.bicep
+++ b/modules/signal-r-service/signal-r/main.bicep
@@ -31,7 +31,7 @@ param sku string = 'Standard_S1'
 param capacity int = 1
 @description('Optional. The tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The allowed origin settings of the resource.')
 param allowedOrigins array = [
diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json
index bf43fef7a7..a842ad77f2 100644
--- a/modules/signal-r-service/signal-r/main.json
+++ b/modules/signal-r-service/signal-r/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4290982066037624920"
+ "templateHash": "1214561796520796276"
 },
 "name": "SignalR Service SignalR",
 "description": "This module deploys a SignalR Service SignalR.",
@@ -304,7 +304,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. The tags of the resource."
 }
diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md
index 802630e972..c4aa82598c 100644
--- a/modules/signal-r-service/web-pub-sub/README.md
+++ b/modules/signal-r-service/web-pub-sub/README.md
@@ -769,7 +769,6 @@ Pricing tier of the resource.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ## Outputs
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep
index 70b93a62d7..93a0247790 100644
--- a/modules/signal-r-service/web-pub-sub/main.bicep
+++ b/modules/signal-r-service/web-pub-sub/main.bicep
@@ -18,7 +18,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The unit count of the resource. 1 by default.')
 param capacity int = 1
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json
index aa1f93b682..9decb0dc2e 100644
--- a/modules/signal-r-service/web-pub-sub/main.json
+++ b/modules/signal-r-service/web-pub-sub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12261287441324704754"
+ "templateHash": "12680610655362641595"
 },
 "name": "SignalR Web PubSub Services",
 "description": "This module deploys a SignalR Web PubSub Service.",
@@ -311,7 +311,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index aa416f045a..332f0dcb64 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -999,7 +999,6 @@ The fully qualified resource ID of the subnet on which the SQL managed instance
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `timezoneId`
diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md
index 886dac15da..ce3569342e 100644
--- a/modules/sql/managed-instance/database/README.md
+++ b/modules/sql/managed-instance/database/README.md
@@ -293,7 +293,6 @@ Specifies the uri of the storage container where backups for this restore are st
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ## Outputs
diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep
index 5bd0e8cf7b..897d60d2fd 100644
--- a/modules/sql/managed-instance/database/main.bicep
+++ b/modules/sql/managed-instance/database/main.bicep
@@ -61,7 +61,7 @@ param backupShortTermRetentionPoliciesObj object = {}
 param backupLongTermRetentionPoliciesObj object = {}
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json
index db4a4d2966..a2638dea38 100644
--- a/modules/sql/managed-instance/database/main.json
+++ b/modules/sql/managed-instance/database/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11809118815295815977"
+ "templateHash": "8385261968552186747"
 },
 "name": "SQL Managed Instance Databases",
 "description": "This module deploys a SQL Managed Instance Database.",
@@ -252,7 +252,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep
index 1b10ecd747..27a246ada0 100644
--- a/modules/sql/managed-instance/main.bicep
+++ b/modules/sql/managed-instance/main.bicep
@@ -96,7 +96,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -282,7 +282,7 @@ module managedInstance_databases 'database/main.bicep' = [for (database, index)
 sourceDatabaseId: contains(database, 'sourceDatabaseId') ? database.sourceDatabaseId : ''
 storageContainerSasToken: contains(database, 'storageContainerSasToken') ? database.storageContainerSasToken : ''
 storageContainerUri: contains(database, 'storageContainerUri') ? database.storageContainerUri : ''
- tags: contains(database, 'tags') ? database.tags : {}
+ tags: database.?tags ?? tags
 backupShortTermRetentionPoliciesObj: contains(database, 'backupShortTermRetentionPolicies') ? database.backupShortTermRetentionPolicies : {}
 backupLongTermRetentionPoliciesObj: contains(database, 'backupLongTermRetentionPolicies') ? database.backupLongTermRetentionPolicies : {}
 enableDefaultTelemetry: enableReferencedModulesTelemetry
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json
index cee9076a62..c1884f0c02 100644
--- a/modules/sql/managed-instance/main.json
+++ b/modules/sql/managed-instance/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "486965125676503752"
+ "templateHash": "12495888352047670800"
 },
 "name": "SQL Managed Instances",
 "description": "This module deploys a SQL Managed Instance.",
@@ -422,7 +422,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
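Review bot: The new `tags: database.?tags ?? tags` uses the safe-dereference and coalesce operators while every neighbouring line in the same `params` block keeps the older `contains(database, 'x') ? database.x : ''` form, so the block now mixes two idioms for the same optional-property handling. Either migrate the sibling lines in the same pass, e.g. `sourceDatabaseId: database.?sourceDatabaseId ?? ''`, or leave a one-line comment explaining why only `tags` changes; note that the two forms differ when a key is present with an explicit null value (`contains` passes the null through, `??` substitutes the fallback), so a wider migration should be checked against the documented shape of the `databases` parameter. The same mixed style is in sql/server/main.bicep (`@@ -193` and `@@ -228`). The enclosing `module managedInstance_databases` declaration starts and ends outside this hunk.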
@@ -683,7 +683,9 @@
 "sourceDatabaseId": "[if(contains(parameters('databases')[copyIndex()], 'sourceDatabaseId'), createObject('value', parameters('databases')[copyIndex()].sourceDatabaseId), createObject('value', ''))]",
 "storageContainerSasToken": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerSasToken'), createObject('value', parameters('databases')[copyIndex()].storageContainerSasToken), createObject('value', ''))]",
 "storageContainerUri": "[if(contains(parameters('databases')[copyIndex()], 'storageContainerUri'), createObject('value', parameters('databases')[copyIndex()].storageContainerUri), createObject('value', ''))]",
- "tags": "[if(contains(parameters('databases')[copyIndex()], 'tags'), createObject('value', parameters('databases')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "backupShortTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 'backupShortTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupShortTermRetentionPolicies), createObject('value', createObject()))]",
 "backupLongTermRetentionPoliciesObj": "[if(contains(parameters('databases')[copyIndex()], 'backupLongTermRetentionPolicies'), createObject('value', parameters('databases')[copyIndex()].backupLongTermRetentionPolicies), createObject('value', createObject()))]",
 "enableDefaultTelemetry": {
@@ -698,7 +700,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11809118815295815977"
+ "templateHash": "8385261968552186747"
 },
 "name": "SQL Managed Instance Databases",
 "description": "This module deploys a SQL Managed Instance Database.",
@@ -944,7 +946,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 81fa6667cc..da79dd63a3 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -1183,7 +1183,6 @@ The security alert policies to create in the server.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `virtualNetworkRules`
diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md
index a5f07c4b92..588563b5fb 100644
--- a/modules/sql/server/database/README.md
+++ b/modules/sql/server/database/README.md
@@ -392,7 +392,6 @@ Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `zoneRedundant`
diff --git a/modules/sql/server/database/main.bicep b/modules/sql/server/database/main.bicep
index 789fd60793..f1943a2c02 100644
--- a/modules/sql/server/database/main.bicep
+++ b/modules/sql/server/database/main.bicep
@@ -63,7 +63,7 @@ param minCapacity string = ''
 param autoPauseDelay int = 0
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The resource ID of the elastic pool containing this database.')
 param elasticPoolId string = ''
diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json
index c8043872b1..f7e79bc48c 100644
--- a/modules/sql/server/database/main.json
+++ b/modules/sql/server/database/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7566326750370718720"
+ "templateHash": "17297721819291768897"
 },
 "name": "SQL Server Database",
 "description": "This module deploys an Azure SQL Server Database.",
@@ -249,7 +249,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md
index 8cbfe4e622..c979ff564a 100644
--- a/modules/sql/server/elastic-pool/README.md
+++ b/modules/sql/server/elastic-pool/README.md
@@ -150,7 +150,6 @@ The tier or edition of the particular SKU, e.g. Basic, Premium.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `zoneRedundant`
diff --git a/modules/sql/server/elastic-pool/main.bicep b/modules/sql/server/elastic-pool/main.bicep
index 0a1246a96d..4269c2e8d1 100644
--- a/modules/sql/server/elastic-pool/main.bicep
+++ b/modules/sql/server/elastic-pool/main.bicep
@@ -9,7 +9,7 @@ param name string
 param serverName string
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
diff --git a/modules/sql/server/elastic-pool/main.json b/modules/sql/server/elastic-pool/main.json
index d530033524..dd9e5202b8 100644
--- a/modules/sql/server/elastic-pool/main.json
+++ b/modules/sql/server/elastic-pool/main.json
@@ -1,11 +1,12 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "2069769222124842536"
+ "templateHash": "9388916155534343976"
 },
 "name": "SQL Server Elastic Pool",
 "description": "This module deploys an Azure SQL Server Elastic Pool.",
@@ -26,7 +27,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -127,8 +128,8 @@
 }
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -142,7 +143,13 @@
 }
 }
 },
- {
+ "server": {
+ "existing": true,
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2022-05-01-preview",
+ "name": "[parameters('serverName')]"
+ },
+ "elasticPool": {
 "type": "Microsoft.Sql/servers/elasticPools",
 "apiVersion": "2022-05-01-preview",
 "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
@@ -164,9 +171,12 @@
 "maxCapacity": "[parameters('databaseMaxCapacity')]"
 },
 "zoneRedundant": "[parameters('zoneRedundant')]"
- }
+ },
+ "dependsOn": [
+ "server"
+ ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -194,7 +204,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]"
+ "value": "[reference('elasticPool', '2022-05-01-preview', 'full').location]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep
index 50bfad6e00..fa6063ee6e 100644
--- a/modules/sql/server/main.bicep
+++ b/modules/sql/server/main.bicep
@@ -28,7 +28,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -193,7 +193,7 @@ module server_databases 'database/main.bicep' = [for (database, index) in databa
 readScale: contains(database, 'readScale') ? database.readScale : 'Disabled'
 requestedBackupStorageRedundancy: contains(database, 'requestedBackupStorageRedundancy') ? database.requestedBackupStorageRedundancy : ''
 sampleName: contains(database, 'sampleName') ? database.sampleName : ''
- tags: contains(database, 'tags') ? database.tags : {}
+ tags: database.?tags ?? tags
 zoneRedundant: contains(database, 'zoneRedundant') ? database.zoneRedundant : false
 elasticPoolId: contains(database, 'elasticPoolId') ? database.elasticPoolId : ''
 enableDefaultTelemetry: enableReferencedModulesTelemetry
@@ -228,7 +228,7 @@ module server_elasticPools 'elastic-pool/main.bicep' = [for (elasticPool, index)
 zoneRedundant: contains(elasticPool, 'zoneRedundant') ? elasticPool.zoneRedundant : false
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 location: location
- tags: contains(elasticPool, 'tags') ? elasticPool.tags : {}
+ tags: elasticPool.?tags ?? tags
 }
 }]
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 44de76b732..286074e2f6 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10315505573708385972"
+ "templateHash": "4565599506408192920"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
@@ -332,7 +332,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -580,7 +580,9 @@
 "readScale": "[if(contains(parameters('databases')[copyIndex()], 'readScale'), createObject('value', parameters('databases')[copyIndex()].readScale), createObject('value', 'Disabled'))]",
 "requestedBackupStorageRedundancy": "[if(contains(parameters('databases')[copyIndex()], 'requestedBackupStorageRedundancy'), createObject('value', parameters('databases')[copyIndex()].requestedBackupStorageRedundancy), createObject('value', ''))]",
 "sampleName": "[if(contains(parameters('databases')[copyIndex()], 'sampleName'), createObject('value', parameters('databases')[copyIndex()].sampleName), createObject('value', ''))]",
- "tags": "[if(contains(parameters('databases')[copyIndex()], 'tags'), createObject('value', parameters('databases')[copyIndex()].tags), createObject('value', createObject()))]",
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('databases')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
 "zoneRedundant": "[if(contains(parameters('databases')[copyIndex()], 'zoneRedundant'), createObject('value', parameters('databases')[copyIndex()].zoneRedundant), createObject('value', false()))]",
 "elasticPoolId": "[if(contains(parameters('databases')[copyIndex()], 'elasticPoolId'), createObject('value', parameters('databases')[copyIndex()].elasticPoolId), createObject('value', ''))]",
 "enableDefaultTelemetry": {
@@ -602,7 +604,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "7566326750370718720"
+ "templateHash": "17297721819291768897"
 },
 "name": "SQL Server Database",
 "description": "This module deploys an Azure SQL Server Database.",
@@ -845,7 +847,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -1378,16 +1380,19 @@
 "location": {
 "value": "[parameters('location')]"
 },
- "tags": "[if(contains(parameters('elasticPools')[copyIndex()], 'tags'), createObject('value', parameters('elasticPools')[copyIndex()].tags), createObject('value', createObject()))]"
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('elasticPools')[copyIndex()], 'tags'), parameters('tags'))]"
+ }
 },
 "template": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "2069769222124842536"
+ "templateHash": "9388916155534343976"
 },
 "name": "SQL Server Elastic Pool",
 "description": "This module deploys an Azure SQL Server Elastic Pool.",
@@ -1408,7 +1413,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
@@ -1509,8 +1514,8 @@
 }
 }
 },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
 "condition": "[parameters('enableDefaultTelemetry')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
@@ -1524,7 +1529,13 @@
 }
 }
 },
- {
+ "server": {
+ "existing": true,
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2022-05-01-preview",
+ "name": "[parameters('serverName')]"
+ },
+ "elasticPool": {
 "type": "Microsoft.Sql/servers/elasticPools",
 "apiVersion": "2022-05-01-preview",
 "name": "[format('{0}/{1}', parameters('serverName'), parameters('name'))]",
@@ -1546,9 +1557,12 @@
 "maxCapacity": "[parameters('databaseMaxCapacity')]"
 },
 "zoneRedundant": "[parameters('zoneRedundant')]"
- }
+ },
+ "dependsOn": [
+ "server"
+ ]
 }
- ],
+ },
 "outputs": {
 "name": {
 "type": "string",
@@ -1576,7 +1590,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.Sql/servers/elasticPools', parameters('serverName'), parameters('name')), '2022-05-01-preview', 'full').location]"
+ "value": "[reference('elasticPool', '2022-05-01-preview', 'full').location]"
 }
 }
 }
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index e974443c9d..3d53bcb9fd 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -1808,7 +1808,6 @@ Table service and tables to create.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ## Outputs
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
index 42f8b18c1f..8dbf5b6599 100644
--- a/modules/storage/storage-account/main.bicep
+++ b/modules/storage/storage-account/main.bicep
@@ -136,7 +136,7 @@ param diagnosticSettings diagnosticSettingType
 param lock lockType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index dde38f6c5b..3b1c5cfd2e 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1854017442729323429"
+ "templateHash": "8645368819124015994"
 },
 "name": "Storage Accounts",
 "description": "This module deploys a Storage Account.",
@@ -614,7 +614,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index 2a0b0cff04..fc6c154677 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -513,7 +513,6 @@ Required. The name of the role to assign. If it cannot be found you can specify
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ## Outputs
diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep
index 003f53a1dd..703fe86f23 100644
--- a/modules/synapse/private-link-hub/main.bicep
+++ b/modules/synapse/private-link-hub/main.bicep
@@ -9,7 +9,7 @@ param name string
 param location string = resourceGroup().location
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. The lock settings of the service.')
 param lock lockType
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
index 4fab3419d1..a69dbc2793 100644
--- a/modules/synapse/private-link-hub/main.json
+++ b/modules/synapse/private-link-hub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13462616099297553465"
+ "templateHash": "684659786245480339"
 },
 "name": "Azure Synapse Analytics",
 "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
@@ -269,7 +269,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 150314f8d8..da6f7bd74d 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -1094,7 +1094,6 @@ Password for administrator access to the workspace's SQL pools. If you don't pro
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `userAssignedIdentities`
diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep
index d7d099043e..68ff4b3558 100644
--- a/modules/synapse/workspace/main.bicep
+++ b/modules/synapse/workspace/main.bicep
@@ -11,7 +11,7 @@ param name string
 param location string = resourceGroup().location
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Optional. Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource.')
 param azureADOnlyAuthentication bool = false
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index fb713390f4..7f66fe19ae 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11476274375435948845"
+ "templateHash": "1529722820399903843"
 },
 "name": "Synapse Workspaces",
 "description": "This module deploys a Synapse Workspace.",
@@ -358,7 +358,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md
index 40fab0d762..b8eaf937ae 100644
--- a/modules/virtual-machine-images/image-template/README.md
+++ b/modules/virtual-machine-images/image-template/README.md
@@ -544,7 +544,6 @@ Resource ID of an already existing subnet, e.g.: /subscriptions/
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `unManagedImageName`
diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep
index 7f0d3b2a07..c3def8cd69 100644
--- a/modules/virtual-machine-images/image-template/main.bicep
+++ b/modules/virtual-machine-images/image-template/main.bicep
@@ -69,7 +69,7 @@ param stagingResourceGroup string = ''
 param lock lockType
 @description('Optional. Tags of the resource.')
-param tags object = {}
+param tags object?
 @description('Generated. Do not provide a value! This date value is used to generate a unique image template name.')
 param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss')
diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json
index 873da1becd..db5fe986d1 100644
--- a/modules/virtual-machine-images/image-template/main.json
+++ b/modules/virtual-machine-images/image-template/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13895680092104029246"
+ "templateHash": "11391151747567689793"
 },
 "name": "Virtual Machine Image Templates",
 "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).",
@@ -249,7 +249,7 @@
 },
 "tags": {
 "type": "object",
- "defaultValue": {},
+ "nullable": true,
 "metadata": {
 "description": "Optional. Tags of the resource."
 }
diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md
index bd1c83f539..9c3e5d2bb1 100644
--- a/modules/web/connection/README.md
+++ b/modules/web/connection/README.md
@@ -313,7 +313,6 @@ Status of the connection.
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
 ### Parameter: `testLinks`
diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep
index db24458661..bfa55bc54f 100644
--- a/modules/web/connection/main.bicep
+++ b/modules/web/connection/main.bicep
@@ -38,7 +38,7 @@ param statuses array = [] param lock lockType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Links to test the API connection.') param testLinks array = [] diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json index fa79bdb08e..dab170f63e 100644 --- a/modules/web/connection/main.json +++ b/modules/web/connection/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1935169026150435990" + "templateHash": "11837763267512511834" }, "name": "API Connections", "description": "This module deploys an Azure API Connection.", @@ -181,7 +181,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index e41afff80c..0a55538ca4 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -757,7 +757,6 @@ ResourceId for the subnet. Resource tags. - Required: No - Type: object -- Default: `{object}` ### Parameter: `upgradePreference` diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index f39bc28623..a6a4c565b2 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep @@ -16,7 +16,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Resource tags.') -param tags object = {} +param tags object? @allowed([ 'ASEv2' diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index 468a1dd392..b1d6749b4f 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4072056725724568319" + "templateHash": "12800539837694740755" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", @@ -245,7 +245,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Resource tags." } diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index a8de74f584..0e8f31571a 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -445,7 +445,6 @@ Defines the name, tier, size, family and capacity of the App Service Plan. Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `targetWorkerCount` diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 6beca161de..856f2cc3cd 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -59,7 +59,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index d02adee91d..53eec7f0dd 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3543793483023585730" + "templateHash": "14824797980620937555" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", @@ -289,7 +289,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } 
diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 160432f44c..4a1fef0403 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -1508,7 +1508,6 @@ Required if app of kind functionapp. Resource ID of the storage account to manag Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualNetworkSubnetId` diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 4add5b8016..49f99a9ebb 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -82,7 +82,7 @@ param privateEndpoints privateEndpointType param slots array = [] @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -268,9 +268,9 @@ module app_slots 'slot/main.bicep' = [for (slot, index) in slots: { diagnosticSettings: slot.?diagnosticSettings roleAssignments: contains(slot, 'roleAssignments') ? slot.roleAssignments : roleAssignments appSettingsKeyValuePairs: contains(slot, 'appSettingsKeyValuePairs') ? slot.appSettingsKeyValuePairs : appSettingsKeyValuePairs - lock: contains(slot, 'lock') ? slot.lock : lock + lock: slot.?lock ?? lock privateEndpoints: contains(slot, 'privateEndpoints') ? slot.privateEndpoints : privateEndpoints - tags: tags + tags: slot.?tags ?? tags clientCertEnabled: contains(slot, 'clientCertEnabled') ? slot.clientCertEnabled : false clientCertExclusionPaths: contains(slot, 'clientCertExclusionPaths') ? slot.clientCertExclusionPaths : '' clientCertMode: contains(slot, 'clientCertMode') ? slot.clientCertMode : 'Optional' diff --git a/modules/web/site/main.json b/modules/web/site/main.json index c313b1d0ce..9ccef83733 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json 
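Review bot: `lock: slot.?lock ?? lock` and `tags: slot.?tags ?? tags` in the `app_slots` loop change the override rule compared with the `contains(slot, 'lock') ? slot.lock : lock` form they replace: as far as I can tell, `??` treats an explicit `null` like an absent key, so a slot can no longer clear the site-level lock or tags by setting the property to `null` — it always inherits the parent value, which is the safer direction for a resource lock but still a behaviour change. `tags` is also new behaviour in its own right, since before this commit a `tags` key on a slot object was ignored and the site tags were applied uniformly; both points belong in the `slots` parameter description, e.g. `// Slot-level lock/tags take precedence over the site-level values; an explicit null falls back to the site value`. The neighbouring `roleAssignments`, `privateEndpoints`, `clientCertEnabled` and `clientCertMode` lines still use the `contains(...)` pattern, so two override rules now coexist in one object — either migrate them as well (`roleAssignments: slot.?roleAssignments ?? roleAssignments`) or note why only `lock` and `tags` moved. The `module app_slots` definition starts and ends outside the hunk.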
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7527886527579756889" + "templateHash": "16422154168736567404" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", @@ -555,7 +555,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1147,10 +1147,12 @@ }, "roleAssignments": "[if(contains(parameters('slots')[copyIndex()], 'roleAssignments'), createObject('value', parameters('slots')[copyIndex()].roleAssignments), createObject('value', parameters('roleAssignments')))]", "appSettingsKeyValuePairs": "[if(contains(parameters('slots')[copyIndex()], 'appSettingsKeyValuePairs'), createObject('value', parameters('slots')[copyIndex()].appSettingsKeyValuePairs), createObject('value', parameters('appSettingsKeyValuePairs')))]", - "lock": "[if(contains(parameters('slots')[copyIndex()], 'lock'), createObject('value', parameters('slots')[copyIndex()].lock), createObject('value', parameters('lock')))]", + "lock": { + "value": "[coalesce(tryGet(parameters('slots')[copyIndex()], 'lock'), parameters('lock'))]" + }, "privateEndpoints": "[if(contains(parameters('slots')[copyIndex()], 'privateEndpoints'), createObject('value', parameters('slots')[copyIndex()].privateEndpoints), createObject('value', parameters('privateEndpoints')))]", "tags": { - "value": "[parameters('tags')]" + "value": "[coalesce(tryGet(parameters('slots')[copyIndex()], 'tags'), parameters('tags'))]" }, "clientCertEnabled": "[if(contains(parameters('slots')[copyIndex()], 'clientCertEnabled'), createObject('value', parameters('slots')[copyIndex()].clientCertEnabled), createObject('value', false()))]", "clientCertExclusionPaths": "[if(contains(parameters('slots')[copyIndex()], 'clientCertExclusionPaths'), createObject('value', parameters('slots')[copyIndex()].clientCertExclusionPaths), createObject('value', ''))]", 
@@ -1177,7 +1179,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11996079594340351559" + "templateHash": "2776575331575111691" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1698,7 +1700,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 29258b7088..5f79c8d56f 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -700,7 +700,6 @@ Required if app of kind functionapp. Resource ID of the storage account to manag Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `virtualNetworkSubnetId` diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 3cb7142811..6909c7040f 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep @@ -70,7 +70,7 @@ param lock lockType param privateEndpoints privateEndpointType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index 6ce2296e50..a0dd2e433f 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -527,7 +527,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1842,4 +1842,4 @@ "value": "[reference('slot', '2022-09-01', 'full').location]" } } -} \ No newline at end of file +} diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index ed4ab98af5..0cc50ab558 100644 --- a/modules/web/static-site/README.md 
+++ b/modules/web/static-site/README.md @@ -697,7 +697,6 @@ State indicating whether staging environments are allowed or not allowed for a s Tags of the resource. - Required: No - Type: object -- Default: `{object}` ### Parameter: `templateProperties` diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 181e771819..160cdf3082 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep @@ -65,7 +65,7 @@ param lock lockType param privateEndpoints privateEndpointType @description('Optional. Tags of the resource.') -param tags object = {} +param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index b7423b7aea..b56be52ddb 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "332857934206486865" + "templateHash": "17501728288699973579" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", @@ -397,7 +397,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } From 7f27d8037f9b1c0d914ea86a5447a2dd9d44e3a9 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Tue, 31 Oct 2023 20:40:48 +0000 Subject: [PATCH 072/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 102 ++++++++++----------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index a34661ec87..875cf457ac 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md 
@@ -65,63 +65,63 @@ This section provides an overview of the library's feature set. | 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 401 | | 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | | 116 | | 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:3, L2:1] | 195 | -| 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | :white_check_mark: | | | | | 115 | -| 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | :white_check_mark: | | | | | 104 | -| 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | :white_check_mark: | | | | | 184 | -| 56 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | :white_check_mark: | | | | | 120 | -| 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | :white_check_mark: | | | | | 129 | +| 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | | | | | | 115 | +| 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | | | | | | 104 | +| 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | | | | | | 184 | +| 56 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | | | | | | 120 | +| 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | | | | | | 129 | | 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | -| 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | :white_check_mark: | | | | | 152 | -| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | :white_check_mark: | | | | [L1:1] | 172 | -| 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | :white_check_mark: | | | | | 136 | +| 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | | | | | | 152 | +| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:1] | 172 | +| 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | | | | | | 136 | | 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | :white_check_mark: | | | | [L1:3] | 347 | +| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:3] | 347 | | 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | :white_check_mark: | | | | | 231 | -| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | :white_check_mark: | | | | [L1:1] | 356 | -| 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | :white_check_mark: | | | | | 136 | -| 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | :white_check_mark: | | | | [L1:1] | 113 | +| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | | | | | | 231 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 356 | +| 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | | | | | | 136 | +| 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | | | | | [L1:1] | 113 | | 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | :white_check_mark: | | | | [L1:1, L2:1] | 151 | -| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | :white_check_mark: | | | | | 420 | -| 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 47 | -| 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | :white_check_mark: | | | | | 94 | -| 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | :white_check_mark: | | | :white_check_mark: | | 335 | -| 77 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | :white_check_mark: | | | :white_check_mark: | | 268 | -| 78 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | :white_check_mark: | | | | | 147 | -| 79 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | :white_check_mark: | | | | | 95 | -| 80 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | :white_check_mark: | | | | [L1:2] | 126 | -| 81 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | :white_check_mark: | | | | | 137 | -| 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | :white_check_mark: | | | | [L1:10] | 248 | -| 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | :white_check_mark: | | | | | 228 | -| 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | :white_check_mark: | | | | | 117 | -| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | :white_check_mark: | | | | [L1:1] | 173 | -| 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | :white_check_mark: | | | | | 181 | -| 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | :white_check_mark: | | | | | 152 | -| 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | :white_check_mark: | | | | | 100 | -| 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | :white_check_mark: | | | | [L1:2] | 272 | -| 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | :white_check_mark: | | | | | 120 | -| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | :white_check_mark: | | | | | 181 | -| 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | :white_check_mark: | | | | | 198 | -| 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | :white_check_mark: | | | | [L1:4, L2:2, L3:1] | 165 | -| 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | :white_check_mark: | | | | [L1:1] | 188 | -| 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | :white_check_mark: | | | | [L1:2] | 129 | -| 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | :white_check_mark: | | | | [L1:9] | 226 | +| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | | | | | [L1:1, L2:1] | 151 | +| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | | | | | | 420 | +| 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | | | | | | 47 | +| 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | | | | | | 94 | +| 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | | | | :white_check_mark: | | 316 | +| 77 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | | | | :white_check_mark: | | 219 | +| 78 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | | | | | | 147 | +| 79 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | | | | | | 95 | +| 80 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | | | | | [L1:2] | 126 | +| 81 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | | | | | | 137 | +| 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | | | | | [L1:10] | 248 | +| 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | | | | | | 228 | +| 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | | | | | | 117 | +| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | | | | | [L1:1] | 173 | +| 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | | | | | | 181 | +| 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | | | | | | 152 | +| 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | | | | | | 100 | +| 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | | | | | [L1:2] | 272 | +| 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | | | | | | 120 | +| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | | | | | | 181 | +| 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | | | | | | 198 | +| 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | | | | | [L1:4, L2:2, L3:1] | 165 | +| 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | | | | | [L1:1] | 188 | +| 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | | | | | [L1:2] | 129 | +| 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | | | | | [L1:9] | 226 | | 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | -| 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | :white_check_mark: | | | | | 121 | -| 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | :white_check_mark: | | | | | 214 | -| 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | :white_check_mark: | | | | | 109 | -| 101 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | :white_check_mark: | | | | | 102 | -| 102 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | :white_check_mark: | | | | | 105 | -| 103 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | :white_check_mark: | | | | | 195 | -| 104 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | :white_check_mark: | | | | [L1:2] | 151 | -| 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | :white_check_mark: | | | | [L1:2] | 276 | -| 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | :white_check_mark: | | | | [L1:1] | 403 | -| 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | :white_check_mark: | | | | | 112 | -| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | :white_check_mark: | | | | [L1:2] | 114 | -| 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | :white_check_mark: | | | | | 124 | +| 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | | | | | | 121 | +| 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | | | | | | 214 | +| 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | | | | | | 109 | +| 101 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | | | | | | 102 | +| 102 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | | | | | | 105 | +| 103 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | | | | | | 195 | +| 104 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | | | | | [L1:2] | 151 | +| 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | | | | | [L1:2] | 276 | +| 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | | | | | [L1:1] | 403 | +| 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | | | | | | 112 | +| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:2] | 114 | +| 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | | | | | | 124 | | 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 348 | | 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 444 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 275 | -| Sum | | | 0 | 0 | 76 | 0 | 0 | 2 | 240 | 29535 | +| Sum | | | 0 | 0 | 26 | 0 | 0 | 2 | 240 | 29467 | ## Legend From 64e62f007802bda69e17305bc9ed741f4f213d7d Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Tue, 31 Oct 2023 22:42:54 +0100 Subject: [PATCH 073/178] [Fixes] Fixed incorrect UDT required identification & updated allowed & default value handling (#4168) * Updated API Management module * Updated Container App module * Updating Configuration Store module (ongoing) * Updated Configuration Store module * Updated Automation Account module * Comment headers formatted * Readme/ARM for first four modules * Updated Batch Account module * Fixed parameter descriptions * Updated Readme and ARM * Updated Redis Cache module * Container App - Fixed parameter descriptions * Updated Cognitive Services module * Updated VMSS module * Updated Container Group module * Updated Container Registry module * Updated Data Factory module * Updated Event Grid / System Topic module * Updated EventHub Namespace module * [Modules] Resolved conflicts (#4129) * [Modules] Migrated batch [1/4] to AVM RBAC (#4125) * Updated first badge of templates (readmes pending) * Update to latest * Compiled templates * Compiled templates * Compiled first few readmes * Updated test files * Updated readmes * Reduced roles * Updated templates * Rollback different branches' changes * Updated nic & pip * Fixed test file * Refreshed vm * Push updated Readme file(s) * Updated templates * Updated templates --------- Co-authored-by: CARMLPipelinePrincipal * Clean-up, some fixes * Removed Azure Firewall changes from branch * Update API common test file * Update API common test file2 * Updated Recovery Services Vault module * Updated ServiceBus Namespace module * Updated SQL Managed Instance module * Updated SQL Server module * Updated Static Website module * Updated Web Site module * Updated website slot readme/arm * Redis Cache - Testing with two identities * Configuration Store module - Testing with two identities * Updated Signal-R WebPub Sub module * Updated Barch module to support only one type of identity * Updated AKS module * Updated Databricks Access Connector module * Updated 
Disk Encryption Set module * Updated Search Service module * Updated Backup Vault module * Updated Firewall Policy module * Updated MySQL Flexible server module * MySQL Flexible server module - namePrefix reset * Updated Health Bot module * Updated NetApp Account module * Updated App Gateway module * Updated Deployment Script module * Updated PostgreSQL Flexible Server module * Fixed description of userAssignedResourcesIds * Updated Storage Account module * Updated Web Hosting Environment module * Updated Log Analytics Workspace module * Updated Logic Workflow module * Updated ML Workspace module * Updated ML Workspace Compute module * Updated Cosmos DB module * Updated VM module * Updated Digital Twins module * Updated Healthcare APIs module * Updated DevTest Lab module * Updated PurView Account module * Fixed Digital Twins missing references * Fixed DevTest Lab formattedManagementIdentities ref * Purview fix * Purview fix 2 * Purview updated ARM * SQL MI fix * SQL MI updated ARM * SQL MI removed new output * Small fixes * Fixed SQL Server module * DigitalTwins - fixed params * Digital Twins - reset to main * mySQL - updated param description * postgreSQL - updated param description * mySQL - updated conditional param description * postgreSQL - updated conditional param description * Updated param description for "one identity only" modules * Update to latest * Updated Allowed & Default value handling, etc. 
* Rollback of unrelated changes * Updated readmes * Small formatting --------- Co-authored-by: Kris Baranek Co-authored-by: CARMLPipelinePrincipal --- modules/aad/domain-service/README.md | 97 ++++- modules/analysis-services/server/README.md | 14 +- modules/api-management/service/README.md | 32 +- .../service/api-version-set/README.md | 2 +- modules/api-management/service/api/README.md | 49 ++- .../service/api/policy/README.md | 10 +- .../service/authorization-server/README.md | 21 +- .../api-management/service/backend/README.md | 14 +- .../service/identity-provider/README.md | 12 +- .../service/named-value/README.md | 2 +- .../api-management/service/policy/README.md | 10 +- .../service/portalsetting/README.md | 11 +- .../configuration-store/README.md | 25 +- modules/app/container-app/README.md | 22 +- modules/app/job/README.md | 19 +- modules/app/managed-environment/README.md | 8 +- modules/authorization/lock/README.md | 8 +- .../lock/resource-group/README.md | 8 +- .../authorization/lock/subscription/README.md | 8 +- .../authorization/policy-assignment/README.md | 21 +- .../management-group/README.md | 21 +- .../resource-group/README.md | 21 +- .../policy-assignment/subscription/README.md | 21 +- .../authorization/policy-definition/README.md | 16 +- .../management-group/README.md | 16 +- .../policy-definition/subscription/README.md | 16 +- .../authorization/policy-exemption/README.md | 19 +- .../management-group/README.md | 19 +- .../policy-exemption/resource-group/README.md | 19 +- .../policy-exemption/subscription/README.md | 19 +- .../policy-set-definition/README.md | 4 +- .../management-group/README.md | 4 +- .../subscription/README.md | 4 +- .../authorization/role-assignment/README.md | 19 +- .../authorization/role-assignment/main.json | 33 +- .../management-group/README.md | 19 +- .../management-group/main.json | 403 +---------------- .../role-assignment/resource-group/README.md | 19 +- .../role-assignment/resource-group/main.json | 404 +----------------- 
.../role-assignment/subscription/README.md | 19 +- .../role-assignment/subscription/main.json | 404 +----------------- .../automation/automation-account/README.md | 17 +- .../automation-account/job-schedule/README.md | 2 +- .../automation/automation-account/main.json | 26 +- .../automation-account/runbook/README.md | 11 +- .../automation-account/schedule/README.md | 14 +- .../software-update-configuration/README.md | 123 +++++- modules/batch/batch-account/README.md | 42 +- modules/cache/redis-enterprise/README.md | 22 +- .../cache/redis-enterprise/database/README.md | 51 ++- modules/cache/redis/README.md | 52 ++- modules/cdn/profile/README.md | 21 +- modules/cdn/profile/afdEndpoint/README.md | 18 +- .../cdn/profile/afdEndpoint/route/README.md | 43 +- modules/cdn/profile/customdomain/README.md | 18 +- modules/cdn/profile/origingroup/README.md | 10 +- .../cdn/profile/origingroup/origin/README.md | 10 +- modules/cdn/profile/ruleset/rule/README.md | 8 +- modules/cdn/profile/secret/README.md | 10 +- modules/cognitive-services/account/README.md | 64 ++- modules/compute/disk-encryption-set/README.md | 16 +- modules/compute/disk/README.md | 72 +++- modules/compute/gallery/application/README.md | 8 +- modules/compute/gallery/image/README.md | 51 ++- modules/compute/image/README.md | 10 +- .../proximity-placement-group/README.md | 12 +- .../virtual-machine-scale-set/README.md | 107 ++++- .../extension/README.md | 4 +- modules/compute/virtual-machine/README.md | 134 +++++- .../virtual-machine/extension/README.md | 4 +- modules/compute/virtual-machine/main.json | 12 +- modules/consumption/budget/README.md | 31 +- .../container-group/README.md | 36 +- modules/container-registry/registry/README.md | 90 +++- .../registry/replication/README.md | 8 +- .../registry/webhook/README.md | 21 +- .../managed-cluster/README.md | 132 +++++- .../managed-cluster/agent-pool/README.md | 68 ++- modules/data-factory/factory/README.md | 11 +- .../factory/integration-runtime/README.md | 10 +- 
.../data-protection/backup-vault/README.md | 30 +- .../backup-vault/backup-policy/README.md | 2 +- modules/databricks/workspace/README.md | 25 +- .../db-for-my-sql/flexible-server/README.md | 98 ++++- .../flexible-server/README.md | 91 +++- .../flexible-server/administrator/README.md | 10 +- .../application-group/README.md | 8 +- .../application-group/application/README.md | 9 +- .../host-pool/README.md | 89 +++- .../scaling-plan/README.md | 51 ++- modules/dev-test-lab/lab/README.md | 57 ++- .../dev-test-lab/lab/artifactsource/README.md | 18 +- modules/dev-test-lab/lab/cost/README.md | 96 ++++- .../lab/notificationchannel/README.md | 8 +- .../lab/policyset/policy/README.md | 34 +- modules/dev-test-lab/lab/schedule/README.md | 38 +- .../digital-twins-instance/README.md | 17 +- .../endpoint--event-hub/README.md | 8 +- .../endpoint--service-bus/README.md | 8 +- .../document-db/database-account/README.md | 65 ++- .../gremlin-database/graph/README.md | 2 +- .../gremlin-database/main.json | 4 +- .../sql-database/container/README.md | 13 +- modules/event-grid/domain/README.md | 9 +- .../system-topic/event-subscription/README.md | 20 +- modules/event-grid/topic/README.md | 9 +- .../topic/event-subscription/README.md | 20 +- modules/event-hub/namespace/README.md | 46 +- .../namespace/authorization-rule/README.md | 9 +- .../event-hub/namespace/eventhub/README.md | 54 ++- .../eventhub/authorization-rule/README.md | 9 +- .../namespace/network-rule-set/README.md | 16 +- modules/health-bot/health-bot/README.md | 9 +- modules/healthcare-apis/workspace/README.md | 8 +- .../workspace/dicomservice/README.md | 20 +- .../workspace/dicomservice/main.json | 4 +- .../workspace/fhirservice/README.md | 39 +- .../workspace/fhirservice/main.json | 4 +- .../workspace/iotconnector/README.md | 10 +- .../iotconnector/fhirdestination/README.md | 16 +- .../workspace/iotconnector/main.json | 4 +- modules/insights/activity-log-alert/README.md | 7 +- modules/insights/component/README.md | 39 +- 
.../data-collection-endpoint/README.md | 16 +- .../insights/data-collection-rule/README.md | 10 +- modules/insights/diagnostic-setting/README.md | 9 +- modules/insights/metric-alert/README.md | 52 ++- .../insights/scheduled-query-rule/README.md | 19 +- modules/insights/webtest/README.md | 34 +- modules/key-vault/vault/README.md | 21 +- modules/key-vault/vault/key/README.md | 35 +- .../extension/README.md | 4 +- .../flux-configuration/README.md | 24 +- modules/logic/workflow/README.md | 38 +- .../workspace/README.md | 29 +- .../workspace/compute/README.md | 29 +- .../workspace/compute/main.json | 4 +- .../maintenance-configuration/README.md | 27 +- .../net-app-account/capacity-pool/README.md | 26 +- .../capacity-pool/volume/README.md | 10 +- .../README.md | 4 +- modules/network/application-gateway/README.md | 88 +++- modules/network/azure-firewall/README.md | 38 +- modules/network/bastion-host/README.md | 15 +- modules/network/connection/README.md | 47 +- .../forwarding-rule/README.md | 10 +- modules/network/dns-zone/a/README.md | 2 +- modules/network/dns-zone/aaaa/README.md | 2 +- modules/network/dns-zone/caa/README.md | 2 +- modules/network/dns-zone/cname/README.md | 4 +- modules/network/dns-zone/mx/README.md | 2 +- modules/network/dns-zone/ns/README.md | 2 +- modules/network/dns-zone/ptr/README.md | 2 +- modules/network/dns-zone/soa/README.md | 4 +- modules/network/dns-zone/srv/README.md | 2 +- modules/network/dns-zone/txt/README.md | 2 +- .../network/express-route-circuit/README.md | 25 +- modules/network/firewall-policy/README.md | 34 +- .../README.md | 62 ++- modules/network/load-balancer/README.md | 8 +- .../backend-address-pool/README.md | 9 +- .../load-balancer/inbound-nat-rule/README.md | 9 +- modules/network/network-interface/README.md | 20 +- .../connectivity-configuration/README.md | 24 +- .../security-admin-configuration/README.md | 16 +- .../rule-collection/rule/README.md | 29 +- .../security-rule/README.md | 28 +- 
.../network-watcher/flow-log/README.md | 16 +- modules/network/private-dns-zone/a/README.md | 2 +- .../network/private-dns-zone/aaaa/README.md | 2 +- .../network/private-dns-zone/cname/README.md | 4 +- modules/network/private-dns-zone/mx/README.md | 2 +- .../network/private-dns-zone/ptr/README.md | 2 +- .../network/private-dns-zone/soa/README.md | 4 +- .../network/private-dns-zone/srv/README.md | 2 +- .../network/private-dns-zone/txt/README.md | 2 +- .../network/private-link-service/README.md | 6 +- modules/network/public-ip-address/README.md | 43 +- modules/network/public-ip-prefix/README.md | 2 +- .../network/trafficmanagerprofile/README.md | 37 +- modules/network/virtual-hub/README.md | 18 +- .../hub-virtual-network-connection/README.md | 2 +- .../network/virtual-network-gateway/README.md | 50 ++- .../nat-rule/README.md | 18 +- modules/network/virtual-network/README.md | 8 +- .../network/virtual-network/subnet/README.md | 18 +- modules/network/virtual-wan/README.md | 8 +- modules/network/vpn-gateway/README.md | 2 +- .../network/vpn-gateway/nat-rule/README.md | 18 +- .../vpn-gateway/vpn-connection/README.md | 10 +- modules/network/vpn-site/README.md | 6 +- .../operational-insights/workspace/README.md | 30 +- .../workspace/data-export/README.md | 2 +- .../workspace/data-source/README.md | 14 +- .../linked-storage-account/README.md | 10 +- .../workspace/table/README.md | 14 +- modules/policy-insights/remediation/README.md | 8 +- .../remediation/management-group/README.md | 8 +- .../remediation/resource-group/README.md | 8 +- .../remediation/subscription/README.md | 8 +- modules/power-bi-dedicated/capacity/README.md | 29 +- modules/purview/account/README.md | 9 +- modules/recovery-services/vault/README.md | 18 +- .../vault/backup-config/README.md | 44 +- .../protection-container/README.md | 32 +- .../protected-item/README.md | 16 +- .../vault/backup-storage-config/README.md | 10 +- .../vault/replication-alert-setting/README.md | 8 +- 
.../vault/replication-policy/README.md | 8 +- modules/relay/namespace/README.md | 23 +- .../namespace/authorization-rule/README.md | 9 +- .../namespace/hybrid-connection/README.md | 26 +- .../authorization-rule/README.md | 9 +- .../namespace/network-rule-set/README.md | 16 +- modules/relay/namespace/wcf-relay/README.md | 34 +- .../wcf-relay/authorization-rule/README.md | 9 +- modules/resources/deployment-script/README.md | 19 +- modules/search/search-service/README.md | 42 +- .../security/azure-security-center/README.md | 118 ++++- modules/service-bus/namespace/README.md | 60 ++- .../namespace/authorization-rule/README.md | 9 +- .../namespace/network-rule-set/README.md | 16 +- modules/service-bus/namespace/queue/README.md | 31 +- .../queue/authorization-rule/README.md | 9 +- modules/service-bus/namespace/topic/README.md | 31 +- .../topic/authorization-rule/README.md | 9 +- modules/service-fabric/cluster/README.md | 68 ++- modules/signal-r-service/signal-r/README.md | 81 +++- .../signal-r-service/web-pub-sub/README.md | 35 +- modules/sql/managed-instance/README.md | 61 ++- .../sql/managed-instance/database/README.md | 15 +- .../encryption-protector/README.md | 8 +- modules/sql/managed-instance/key/README.md | 8 +- .../security-alert-policy/README.md | 8 +- modules/sql/server/README.md | 33 +- modules/sql/server/database/README.md | 45 +- modules/sql/server/elastic-pool/README.md | 8 +- .../sql/server/encryption-protector/README.md | 8 +- modules/sql/server/key/README.md | 8 +- .../server/security-alert-policy/README.md | 8 +- modules/storage/storage-account/README.md | 90 +++- .../blob-service/container/README.md | 13 +- .../storage-account/file-service/README.md | 10 +- .../file-service/share/README.md | 27 +- .../queue-service/queue/README.md | 2 +- modules/synapse/workspace/README.md | 12 +- .../workspace/integration-runtime/README.md | 10 +- .../image-template/README.md | 8 +- modules/web/connection/README.md | 8 +- modules/web/hosting-environment/README.md | 55 
++- modules/web/serverfarm/README.md | 20 +- modules/web/site/README.md | 48 ++- .../README.md | 8 +- .../web/site/config--appsettings/README.md | 13 +- .../web/site/config--authsettingsv2/README.md | 11 +- modules/web/site/slot/README.md | 48 ++- .../site/slot/config--appsettings/README.md | 13 +- .../slot/config--authsettingsv2/README.md | 11 +- modules/web/site/slot/main.json | 4 +- modules/web/static-site/README.md | 36 +- modules/web/static-site/config/README.md | 8 +- .../sharedScripts/Set-ModuleReadMe.ps1 | 102 +++-- 262 files changed, 5218 insertions(+), 2082 deletions(-) diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 1e6faab9e8..b93dc2af43 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -309,7 +309,13 @@ The value is to provide domain configuration type. - Required: No - Type: string - Default: `'FullySynced'` -- Allowed: `[FullySynced, ResourceTrusting]` +- Allowed: + ```Bicep + [ + 'FullySynced' + 'ResourceTrusting' + ] + ``` ### Parameter: `domainName` @@ -330,7 +336,13 @@ The value is to enable the Secure LDAP for external services of Azure ADDS Servi - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `filteredSync` @@ -345,7 +357,13 @@ The value is to enable to provide a protected channel between the Kerberos clien - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `kerberosRc4Encryption` @@ -353,7 +371,13 @@ The value is to enable Kerberos requests that use RC4 encryption. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `ldaps` 
@@ -361,7 +385,13 @@ A flag to determine whether or not Secure LDAP is enabled or disabled. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `location` @@ -410,7 +440,13 @@ The value is to notify the DC Admins. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `notifyGlobalAdmins` @@ -418,7 +454,13 @@ The value is to notify the Global Admins. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `ntlmV1` @@ -426,7 +468,13 @@ The value is to enable clients making request using NTLM v1. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `pfxCertificate` @@ -523,7 +571,14 @@ The name of the SKU specific to Azure ADDS Services. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Enterprise, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Enterprise' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `syncNtlmPasswords` @@ -531,7 +586,13 @@ The value is to enable synchronized users to use NTLM authentication. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `syncOnPremPasswords` @@ -539,7 +600,13 @@ The value is to enable on-premises users to authenticate against managed domain. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `tags` 
@@ -553,7 +620,13 @@ The value is to enable clients making request using TLSv1. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index ded6d13e0a..7fa90cf6f9 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -496,7 +496,19 @@ Enable telemetry via a Globally Unique Identifier (GUID). The inbound firewall rules to define on the server. If not specified, firewall is disabled. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enablePowerBIService: true + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeEnd: '255.255.255.255' + rangeStart: '0.0.0.0' + } + ] + } + ``` ### Parameter: `location` diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 411ee60b8f..596879a4b5 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -698,7 +698,7 @@ API Version Sets. Authorization servers. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `backends` @@ -726,7 +726,7 @@ List of Certificates that need to be installed in the API Management service. Ma Custom properties of the API Management service. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `diagnosticSettings` @@ -1086,7 +1086,16 @@ The pricing tier of this API Management service. - Required: No - Type: string - Default: `'Developer'` -- Allowed: `[Basic, Consumption, Developer, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Consumption' + 'Developer' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `skuCount` 
@@ -1094,7 +1103,13 @@ The instance size of this API Management service. - Required: No - Type: int - Default: `1` -- Allowed: `[1, 2]` +- Allowed: + ```Bicep + [ + 1 + 2 + ] + ``` ### Parameter: `subnetResourceId` @@ -1122,7 +1137,14 @@ The type of VPN in which API Management service needs to be configured in. None - Required: No - Type: string - Default: `'None'` -- Allowed: `[External, Internal, None]` +- Allowed: + ```Bicep + [ + 'External' + 'Internal' + 'None' + ] + ``` ### Parameter: `zones` diff --git a/modules/api-management/service/api-version-set/README.md b/modules/api-management/service/api-version-set/README.md index 3be54ecd44..15300dd5bf 100644 --- a/modules/api-management/service/api-version-set/README.md +++ b/modules/api-management/service/api-version-set/README.md @@ -56,7 +56,7 @@ API Version set name. API Version set properties. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/api-management/service/api/README.md b/modules/api-management/service/api/README.md index a9cd300c66..a746976978 100644 --- a/modules/api-management/service/api/README.md +++ b/modules/api-management/service/api/README.md @@ -90,7 +90,15 @@ Type of API to create. * http creates a REST API * soap creates a SOAP pass-thro - Required: No - Type: string - Default: `'http'` -- Allowed: `[graphql, http, soap, websocket]` +- Allowed: + ```Bicep + [ + 'graphql' + 'http' + 'soap' + 'websocket' + ] + ``` ### Parameter: `apiVersion` @@ -118,7 +126,7 @@ Indicates the Version identifier of the API version set. Collection of authentication settings included into this API. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `displayName` 
@@ -139,7 +147,21 @@ Format of the Content in which the API is getting imported. - Required: No - Type: string - Default: `'openapi'` -- Allowed: `[openapi, openapi-link, openapi+json, openapi+json-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link]` +- Allowed: + ```Bicep + [ + 'openapi' + 'openapi-link' + 'openapi+json' + 'openapi+json-link' + 'swagger-json' + 'swagger-link-json' + 'wadl-link-json' + 'wadl-xml' + 'wsdl' + 'wsdl-link' + ] + ``` ### Parameter: `isCurrent` @@ -172,7 +194,12 @@ Array of Policies to apply to the Service API. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. - Required: No - Type: array -- Default: `[https]` +- Default: + ```Bicep + [ + 'https' + ] + ``` ### Parameter: `serviceUrl` @@ -193,7 +220,7 @@ API identifier of the source API. Protocols over which API is made available. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `subscriptionRequired` @@ -208,7 +235,15 @@ Type of API. - Required: No - Type: string - Default: `'http'` -- Allowed: `[graphql, http, soap, websocket]` +- Allowed: + ```Bicep + [ + 'graphql' + 'http' + 'soap' + 'websocket' + ] + ``` ### Parameter: `value` @@ -222,7 +257,7 @@ Content value when Importing an API. Criteria to limit import of WSDL to a subset of the document. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/api-management/service/api/policy/README.md b/modules/api-management/service/api/policy/README.md index 969678d876..da2b69af2c 100644 --- a/modules/api-management/service/api/policy/README.md +++ b/modules/api-management/service/api/policy/README.md @@ -63,7 +63,15 @@ Format of the policyContent. - Required: No - Type: string - Default: `'xml'` -- Allowed: `[rawxml, rawxml-link, xml, xml-link]` +- Allowed: + ```Bicep + [ + 'rawxml' + 'rawxml-link' + 'xml' + 'xml-link' + ] + ``` ### Parameter: `name` 
diff --git a/modules/api-management/service/authorization-server/README.md b/modules/api-management/service/authorization-server/README.md index f10abac911..9f9569411e 100644 --- a/modules/api-management/service/authorization-server/README.md +++ b/modules/api-management/service/authorization-server/README.md @@ -67,21 +67,36 @@ OAuth authorization endpoint. See - If this value is not spec - Required: No - Type: string - Default: `''` -- Allowed: `['', V1, V2]` +- Allowed: + ```Bicep + [ + '' + 'V1' + 'V2' + ] + ``` ### Parameter: `isAcceleratedNetworkSupported` @@ -116,7 +123,13 @@ The image supports accelerated networking.

Accelerated networking enables sin - Required: No - Type: string - Default: `'false'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `isHibernateSupported` @@ -124,7 +137,13 @@ The image will support hibernation. - Required: No - Type: string - Default: `'false'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `location` @@ -180,7 +199,13 @@ This property allows the user to specify whether the virtual machines created un - Required: No - Type: string - Default: `'Generalized'` -- Allowed: `[Generalized, Specialized]` +- Allowed: + ```Bicep + [ + 'Generalized' + 'Specialized' + ] + ``` ### Parameter: `osType` @@ -188,7 +213,13 @@ OS type of the image to be created. - Required: No - Type: string - Default: `'Windows'` -- Allowed: `[Linux, Windows]` +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` ### Parameter: `planName` @@ -306,7 +337,15 @@ The security type of the image. Requires a hyperVGeneration V2. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[ConfidentialVM, ConfidentialVMSupported, Standard, TrustedLaunch]` +- Allowed: + ```Bicep + [ + 'ConfidentialVM' + 'ConfidentialVMSupported' + 'Standard' + 'TrustedLaunch' + ] + ``` ### Parameter: `sku` diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 4d8ffaa7a3..4bbb50b4f4 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -204,7 +204,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The extended location of the Image. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `hyperVGeneration` @@ -257,7 +257,13 @@ The OS State. For managed images, use Generalized. - Required: No - Type: string - Default: `'Generalized'` -- Allowed: `[Generalized, Specialized]` +- Allowed: + ```Bicep + [ + 'Generalized' + 'Specialized' + ] + ``` ### Parameter: `osType` 
diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index e41f19400b..dbc8c0751f 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -231,7 +231,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro Describes colocation status of the Proximity Placement Group. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -245,7 +245,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). Specifies the user intent of the proximity placement group. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -367,7 +367,13 @@ Specifies the type of the proximity placement group. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Standard, Ultra]` +- Allowed: + ```Bicep + [ + 'Standard' + 'Ultra' + ] + ``` ### Parameter: `zones` diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index d7421e7061..b67aef92a5 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md 
@@ -1510,35 +1510,61 @@ This property can be used by user in the request to enable or disable the Host E The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionAzureDiskEncryptionConfig` The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionCustomScriptConfig` The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + fileData: [] + } + ``` ### Parameter: `extensionDependencyAgentConfig` The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionDomainJoinConfig` The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionDomainJoinPassword` 
@@ -1552,21 +1578,36 @@ Required if name is specified. Password of the user specified in user parameter. The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionMonitoringAgentConfig` The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionNetworkWatcherAgentConfig` The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `gracePeriod` @@ -1587,7 +1628,14 @@ Specifies that the image or disk that is being used was licensed on-premises. Th - Required: No - Type: string - Default: `''` -- Allowed: `['', Windows_Client, Windows_Server]` +- Allowed: + ```Bicep + [ + '' + 'Windows_Client' + 'Windows_Server' + ] + ``` ### Parameter: `location` @@ -1708,7 +1756,13 @@ Specifies the OS disk. For security reasons, it is recommended to specify DiskEn The chosen OS type. - Required: Yes - Type: string -- Allowed: `[Linux, Windows]` +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` ### Parameter: `overprovision` @@ -1729,7 +1783,7 @@ The wait time between completing the update for all virtual machines in one batc Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `provisionVMAgent` 
@@ -1832,7 +1886,14 @@ SAS token validity length to use to download files from storage accounts. Usage: Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + rules: [ + 'Default' + ] + } + ``` ### Parameter: `scaleSetFaultDomain` @@ -1846,7 +1907,7 @@ Fault Domain count for each placement group. Specifies Scheduled Event related configurations. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `secrets` @@ -1915,7 +1976,14 @@ Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - - Required: No - Type: string - Default: `'Manual'` -- Allowed: `[Automatic, Manual, Rolling]` +- Allowed: + ```Bicep + [ + 'Automatic' + 'Manual' + 'Rolling' + ] + ``` ### Parameter: `vmNamePrefix` @@ -1930,7 +1998,14 @@ Specifies the priority for the virtual machine. - Required: No - Type: string - Default: `'Regular'` -- Allowed: `[Low, Regular, Spot]` +- Allowed: + ```Bicep + [ + 'Low' + 'Regular' + 'Spot' + ] + ``` ### Parameter: `vTpmEnabled` @@ -1944,7 +2019,7 @@ Specifies whether vTPM should be enabled on the virtual machine scale set. This Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `zoneBalance` diff --git a/modules/compute/virtual-machine-scale-set/extension/README.md b/modules/compute/virtual-machine-scale-set/extension/README.md index 462a5b3111..468af0d8f6 100644 --- a/modules/compute/virtual-machine-scale-set/extension/README.md +++ b/modules/compute/virtual-machine-scale-set/extension/README.md 
@@ -81,7 +81,7 @@ The name of the virtual machine scale set extension. Any object that contains the extension specific protected settings. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `publisher` @@ -94,7 +94,7 @@ The name of the extension handler publisher. Any object that contains the extension specific settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `supressFailures` diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 879a36149b..bda155d259 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -2039,7 +2039,15 @@ If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that valu - Required: No - Type: int - Default: `0` -- Allowed: `[0, 1, 2, 3]` +- Allowed: + ```Bicep + [ + 0 + 1 + 2 + 3 + ] + ``` ### Parameter: `backupPolicyName` @@ -2110,7 +2118,14 @@ The configuration profile of automanage. - Required: No - Type: string - Default: `''` -- Allowed: `['', /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction]` +- Allowed: + ```Bicep + [ + '' + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + ] + ``` ### Parameter: `customData` 
@@ -2173,49 +2188,80 @@ This property can be used by user in the request to enable or disable the Host E The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionAntiMalwareConfig` The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionAzureDiskEncryptionConfig` The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionCustomScriptConfig` The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + fileData: [] + } + ``` ### Parameter: `extensionCustomScriptProtectedSetting` Any object that contains the extension specific protected settings. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `extensionDependencyAgentConfig` The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionDomainJoinConfig` The configuration for the [Domain Join] extension. 
Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionDomainJoinPassword` @@ -2229,21 +2275,36 @@ Required if name is specified. Password of the user specified in user parameter. The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionMonitoringAgentConfig` The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `extensionNetworkWatcherAgentConfig` The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabled: false + } + ``` ### Parameter: `imageReference` @@ -2257,7 +2318,14 @@ Specifies that the image or disk that is being used was licensed on-premises. Th - Required: No - Type: string - Default: `''` -- Allowed: `['', Windows_Client, Windows_Server]` +- Allowed: + ```Bicep + [ + '' + 'Windows_Client' + 'Windows_Server' + ] + ``` ### Parameter: `location` @@ -2357,7 +2425,13 @@ Specifies the OS disk. For security reasons, it is recommended to specify DiskEn The chosen OS type. - Required: Yes - Type: string -- Allowed: `[Linux, Windows]` +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` ### Parameter: `patchAssessmentMode` 
@@ -2365,7 +2439,13 @@ VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable aut - Required: No - Type: string - Default: `'ImageDefault'` -- Allowed: `[AutomaticByPlatform, ImageDefault]` +- Allowed: + ```Bicep + [ + 'AutomaticByPlatform' + 'ImageDefault' + ] + ``` ### Parameter: `patchMode` @@ -2373,14 +2453,23 @@ VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows - Required: No - Type: string - Default: `''` -- Allowed: `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` +- Allowed: + ```Bicep + [ + '' + 'AutomaticByOS' + 'AutomaticByPlatform' + 'ImageDefault' + 'Manual' + ] + ``` ### Parameter: `plan` Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `priority` @@ -2388,7 +2477,14 @@ Specifies the priority for the virtual machine. - Required: No - Type: string - Default: `'Regular'` -- Allowed: `[Low, Regular, Spot]` +- Allowed: + ```Bicep + [ + 'Low' + 'Regular' + 'Spot' + ] + ``` ### Parameter: `provisionVMAgent` @@ -2538,7 +2634,7 @@ Specifies whether vTPM should be enabled on the virtual machine. This parameter Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md index 89e5dc338f..447f83aed0 100644 --- a/modules/compute/virtual-machine/extension/README.md +++ b/modules/compute/virtual-machine/extension/README.md 
@@ -90,7 +90,7 @@ The name of the virtual machine extension. Any object that contains the extension specific protected settings. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `publisher` @@ -103,7 +103,7 @@ The name of the extension handler publisher. Any object that contains the extension specific settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `supressFailures` diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index bc357c1252..2fd9016b0e 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13033892292472228031" + "templateHash": "6920007226521594959" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", @@ -1001,7 +1001,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2272323782582357015" + "templateHash": "10482660512843717253" } }, "definitions": { @@ -1305,7 +1305,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "968771326214380550" + "templateHash": "18404193892947466906" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -1644,7 +1644,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } @@ -1850,7 +1850,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8812824728238881787" + "templateHash": "6506615823435977032" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", 
@@ -2045,7 +2045,7 @@ }, "tags": { "type": "object", - "defaultValue": {}, + "nullable": true, "metadata": { "description": "Optional. Tags of the resource." } diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md index bd08b6d387..fe87cf897b 100644 --- a/modules/consumption/budget/README.md +++ b/modules/consumption/budget/README.md @@ -212,7 +212,13 @@ The category of the budget, whether the budget tracks cost or usage. - Required: No - Type: string - Default: `'Cost'` -- Allowed: `[Cost, Usage]` +- Allowed: + ```Bicep + [ + 'Cost' + 'Usage' + ] + ``` ### Parameter: `contactEmails` @@ -261,7 +267,17 @@ The time covered by a budget. Tracking of the amount will be reset based on the - Required: No - Type: string - Default: `'Monthly'` -- Allowed: `[Annually, BillingAnnual, BillingMonth, BillingQuarter, Monthly, Quarterly]` +- Allowed: + ```Bicep + [ + 'Annually' + 'BillingAnnual' + 'BillingMonth' + 'BillingQuarter' + 'Monthly' + 'Quarterly' + ] + ``` ### Parameter: `startDate` @@ -275,7 +291,16 @@ The start date for the budget. Start date should be the first day of the month a Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. - Required: No - Type: array -- Default: `[50, 75, 90, 100, 110]` +- Default: + ```Bicep + [ + 50 + 75 + 90 + 100 + 110 + ] + ``` ## Outputs diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index aadba485c5..f5d59c9161 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md 
@@ -831,7 +831,16 @@ Specify level of protection of the domain name label. - Required: No - Type: string - Default: `'TenantReuse'` -- Allowed: `[Noreuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse, Unsecure]` +- Allowed: + ```Bicep + [ + 'Noreuse' + 'ResourceGroupReuse' + 'SubscriptionReuse' + 'TenantReuse' + 'Unsecure' + ] + ``` ### Parameter: `cMKKeyName` @@ -922,7 +931,13 @@ Specifies if the IP is exposed to the public internet or private VNET. - Public - Required: No - Type: string - Default: `'Public'` -- Allowed: `[Private, Public]` +- Allowed: + ```Bicep + [ + 'Private' + 'Public' + ] + ``` ### Parameter: `location` @@ -1003,7 +1018,14 @@ Restart policy for all containers within the container group. - Always: Always r - Required: No - Type: string - Default: `'Always'` -- Allowed: `[Always, Never, OnFailure]` +- Allowed: + ```Bicep + [ + 'Always' + 'Never' + 'OnFailure' + ] + ``` ### Parameter: `sku` @@ -1011,7 +1033,13 @@ The container group SKU. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Dedicated, Standard]` +- Allowed: + ```Bicep + [ + 'Dedicated' + 'Standard' + ] + ``` ### Parameter: `subnetId` diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index a0116062d8..27720aff64 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -583,7 +583,14 @@ Tier of your Azure container registry. - Required: No - Type: string - Default: `'Basic'` -- Allowed: `[Basic, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `anonymousPullEnabled` @@ -598,7 +605,13 @@ The value that indicates whether the policy for using ARM audience token for a c - Required: No - Type: string - Default: `'enabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `cacheRules` 
@@ -770,7 +783,13 @@ The value that indicates whether the export policy is enabled or not. - Required: No - Type: string - Default: `'disabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `location` @@ -844,7 +863,13 @@ Whether to allow trusted Azure services to access a network restricted registry. - Required: No - Type: string - Default: `'AzureServices'` -- Allowed: `[AzureServices, None]` +- Allowed: + ```Bicep + [ + 'AzureServices' + 'None' + ] + ``` ### Parameter: `networkRuleSetDefaultAction` @@ -852,7 +877,13 @@ The default action of allow or deny when no other rules match. - Required: No - Type: string - Default: `'Deny'` -- Allowed: `[Allow, Deny]` +- Allowed: + ```Bicep + [ + 'Allow' + 'Deny' + ] + ``` ### Parameter: `networkRuleSetIpRules` @@ -1035,7 +1066,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `quarantinePolicyStatus` @@ -1043,7 +1081,13 @@ The value that indicates whether the quarantine policy is enabled or not. - Required: No - Type: string - Default: `'disabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `replications` @@ -1065,7 +1109,13 @@ The value that indicates whether the retention policy is enabled or not. - Required: No - Type: string - Default: `'enabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -1148,7 +1198,13 @@ Soft Delete policy status. Default is disabled. - Required: No - Type: string - Default: `'disabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `tags` 
@@ -1162,7 +1218,13 @@ The value that indicates whether the trust policy is enabled or not. - Required: No - Type: string - Default: `'disabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `webhooks` @@ -1177,7 +1239,13 @@ Whether or not zone redundancy is enabled for this container registry. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md index 90104f8954..1dbe5d559c 100644 --- a/modules/container-registry/registry/replication/README.md +++ b/modules/container-registry/registry/replication/README.md @@ -84,7 +84,13 @@ Whether or not zone redundancy is enabled for this container registry. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md index 978954919c..380e28389e 100644 --- a/modules/container-registry/registry/webhook/README.md +++ b/modules/container-registry/registry/webhook/README.md @@ -47,14 +47,23 @@ This module deploys an Azure Container Registry (ACR) Webhook. The list of actions that trigger the webhook to post notifications. - Required: No - Type: array -- Default: `[chart_delete, chart_push, delete, push, quarantine]` +- Default: + ```Bicep + [ + 'chart_delete' + 'chart_push' + 'delete' + 'push' + 'quarantine' + ] + ``` ### Parameter: `customHeaders` Custom headers that will be added to the webhook notifications. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` 
@@ -102,7 +111,13 @@ The status of the webhook at the time the operation was called. - Required: No - Type: string - Default: `'enabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `tags` diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index b9d850bd99..f77784354b 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -1300,7 +1300,7 @@ Define one or more secondary/additional agent pools. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `appGatewayResourceId` @@ -1322,7 +1322,13 @@ Specifies the balance of similar node groups for the auto-scaler of the AKS clus - Required: No - Type: string - Default: `'false'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `autoScalerProfileExpander` @@ -1330,7 +1336,15 @@ Specifies the expand strategy for the auto-scaler of the AKS cluster. - Required: No - Type: string - Default: `'random'` -- Allowed: `[least-waste, most-pods, priority, random]` +- Allowed: + ```Bicep + [ + 'least-waste' + 'most-pods' + 'priority' + 'random' + ] + ``` ### Parameter: `autoScalerProfileMaxEmptyBulkDelete` @@ -1422,7 +1436,13 @@ Specifies if nodes with local storage should be skipped for the auto-scaler of t - Required: No - Type: string - Default: `'true'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `autoScalerProfileSkipNodesWithSystemPods` 
@@ -1430,7 +1450,13 @@ Specifies if nodes with system pods should be skipped for the auto-scaler of the - Required: No - Type: string - Default: `'true'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `autoScalerProfileUtilizationThreshold` @@ -1445,7 +1471,17 @@ Auto-upgrade channel on the AKS cluster. - Required: No - Type: string - Default: `''` -- Allowed: `['', node-image, none, patch, rapid, stable]` +- Allowed: + ```Bicep + [ + '' + 'node-image' + 'none' + 'patch' + 'rapid' + 'stable' + ] + ``` ### Parameter: `azurePolicyEnabled` @@ -1687,7 +1723,13 @@ Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. - Required: No - Type: string - Default: `'false'` -- Allowed: `[false, true]` +- Allowed: + ```Bicep + [ + 'false' + 'true' + ] + ``` ### Parameter: `enableStorageProfileBlobCSIDriver` @@ -1729,14 +1771,14 @@ Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. Configuration settings that are sensitive, as name-value pairs for configuring this extension. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `fluxExtension` Settings and configurations for the flux extension. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `httpApplicationRoutingEnabled` @@ -1750,14 +1792,14 @@ Specifies whether the httpApplicationRouting add-on is enabled or not. Configurations for provisioning the cluster with HTTP proxy servers. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `identityProfile` Identities associated with the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `ingressApplicationGatewayEnabled` 
@@ -1786,7 +1828,13 @@ Specifies the sku of the load balancer used by the virtual machine scale sets us - Required: No - Type: string - Default: `'standard'` -- Allowed: `[basic, standard]` +- Allowed: + ```Bicep + [ + 'basic' + 'standard' + ] + ``` ### Parameter: `location` @@ -1874,7 +1922,14 @@ Network dataplane used in the Kubernetes cluster. Not compatible with kubenet ne - Required: No - Type: string - Default: `''` -- Allowed: `['', azure, cilium]` +- Allowed: + ```Bicep + [ + '' + 'azure' + 'cilium' + ] + ``` ### Parameter: `networkPlugin` @@ -1882,7 +1937,14 @@ Specifies the network plugin used for building Kubernetes network. - Required: No - Type: string - Default: `''` -- Allowed: `['', azure, kubenet]` +- Allowed: + ```Bicep + [ + '' + 'azure' + 'kubenet' + ] + ``` ### Parameter: `networkPluginMode` @@ -1890,7 +1952,13 @@ Network plugin mode used for building the Kubernetes network. Not compatible wit - Required: No - Type: string - Default: `''` -- Allowed: `['', overlay]` +- Allowed: + ```Bicep + [ + '' + 'overlay' + ] + ``` ### Parameter: `networkPolicy` @@ -1898,7 +1966,14 @@ Specifies the network policy used for building Kubernetes network. - calico or a - Required: No - Type: string - Default: `''` -- Allowed: `['', azure, calico]` +- Allowed: + ```Bicep + [ + '' + 'azure' + 'calico' + ] + ``` ### Parameter: `nodeResourceGroup` @@ -1927,7 +2002,13 @@ Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting - Required: No - Type: string - Default: `'loadBalancer'` -- Allowed: `[loadBalancer, userDefinedRouting]` +- Allowed: + ```Bicep + [ + 'loadBalancer' + 'userDefinedRouting' + ] + ``` ### Parameter: `podCidr` @@ -2058,7 +2139,14 @@ Tier of a managed cluster SKU. - Free or Standard. - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `sshPublicKey` 
@@ -2073,7 +2161,13 @@ The support plan for the Managed Cluster. - Required: No - Type: string - Default: `'KubernetesOfficial'` -- Allowed: `[AKSLongTermSupport, KubernetesOfficial]` +- Allowed: + ```Bicep + [ + 'AKSLongTermSupport' + 'KubernetesOfficial' + ] + ``` ### Parameter: `tags` diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md index c2dda9f91f..ea2052f582 100644 --- a/modules/container-service/managed-cluster/agent-pool/README.md +++ b/modules/container-service/managed-cluster/agent-pool/README.md @@ -131,7 +131,17 @@ GPUInstanceProfile to be used to specify GPU MIG instance profile for supported - Required: No - Type: string - Default: `''` -- Allowed: `['', MIG1g, MIG2g, MIG3g, MIG4g, MIG7g]` +- Allowed: + ```Bicep + [ + '' + 'MIG1g' + 'MIG2g' + 'MIG3g' + 'MIG4g' + 'MIG7g' + ] + ``` ### Parameter: `kubeletDiskType` @@ -192,7 +202,7 @@ Name of the agent pool. The node labels to be persisted across all nodes in agent pool. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `nodePublicIpPrefixId` @@ -228,7 +238,14 @@ The default is "Ephemeral" if the VM supports it and has a cache disk larger tha - Required: No - Type: string - Default: `''` -- Allowed: `['', Ephemeral, Managed]` +- Allowed: + ```Bicep + [ + '' + 'Ephemeral' + 'Managed' + ] + ``` ### Parameter: `osSku` @@ -236,7 +253,17 @@ Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is - Required: No - Type: string - Default: `''` -- Allowed: `['', AzureLinux, CBLMariner, Ubuntu, Windows2019, Windows2022]` +- Allowed: + ```Bicep + [ + '' + 'AzureLinux' + 'CBLMariner' + 'Ubuntu' + 'Windows2019' + 'Windows2022' + ] + ``` ### Parameter: `osType` 
@@ -244,7 +271,13 @@ The operating system type. The default is Linux. - Required: No - Type: string - Default: `'Linux'` -- Allowed: `[Linux, Windows]` +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` ### Parameter: `podSubnetId` @@ -266,7 +299,13 @@ Describes how VMs are added to or removed from Agent Pools. See billing states ( - Required: No - Type: string - Default: `'Delete'` -- Allowed: `[Deallocate, Delete]` +- Allowed: + ```Bicep + [ + 'Deallocate' + 'Delete' + ] + ``` ### Parameter: `scaleSetEvictionPolicy` @@ -274,7 +313,13 @@ The eviction policy specifies what to do with the VM when it is evicted. The def - Required: No - Type: string - Default: `'Delete'` -- Allowed: `[Deallocate, Delete]` +- Allowed: + ```Bicep + [ + 'Deallocate' + 'Delete' + ] + ``` ### Parameter: `scaleSetPriority` @@ -282,7 +327,14 @@ The Virtual Machine Scale Set priority. - Required: No - Type: string - Default: `''` -- Allowed: `['', Regular, Spot]` +- Allowed: + ```Bicep + [ + '' + 'Regular' + 'Spot' + ] + ``` ### Parameter: `sourceResourceId` diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 8b1c5eb5c7..8c0c5003d4 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -593,7 +593,7 @@ The root folder path name. Default is '/'. List of Global Parameters for the factory. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `integrationRuntimes` @@ -856,7 +856,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` diff --git a/modules/data-factory/factory/integration-runtime/README.md b/modules/data-factory/factory/integration-runtime/README.md index 27111ad237..0e9de57341 100644 
--- a/modules/data-factory/factory/integration-runtime/README.md +++ b/modules/data-factory/factory/integration-runtime/README.md @@ -70,14 +70,20 @@ The name of the Integration Runtime. The type of Integration Runtime. - Required: Yes - Type: string -- Allowed: `[Managed, SelfHosted]` +- Allowed: + ```Bicep + [ + 'Managed' + 'SelfHosted' + ] + ``` ### Parameter: `typeProperties` Integration Runtime type properties. Required if type is "Managed". - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 68efc247f0..8784320e19 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -335,7 +335,13 @@ Settings for Azure Monitor based alerts for job failures. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `backupPolicies` @@ -350,7 +356,14 @@ The datastore type to use. ArchiveStore does not support ZoneRedundancy. - Required: No - Type: string - Default: `'VaultStore'` -- Allowed: `[ArchiveStore, OperationalStore, VaultStore]` +- Allowed: + ```Bicep + [ + 'ArchiveStore' + 'OperationalStore' + 'VaultStore' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -364,7 +377,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). Feature settings for the backup vault. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -497,7 +510,7 @@ Required. The name of the role to assign. If it cannot be found you can specify Security settings for the backup vault. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` 
@@ -511,7 +524,14 @@ The vault redundancy level to use. - Required: No - Type: string - Default: `'GeoRedundant'` -- Allowed: `[GeoRedundant, LocallyRedundant, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'GeoRedundant' + 'LocallyRedundant' + 'ZoneRedundant' + ] + ``` ## Outputs diff --git a/modules/data-protection/backup-vault/backup-policy/README.md b/modules/data-protection/backup-vault/backup-policy/README.md index 169a76f3d5..07cfc9da89 100644 --- a/modules/data-protection/backup-vault/backup-policy/README.md +++ b/modules/data-protection/backup-vault/backup-policy/README.md @@ -57,7 +57,7 @@ The name of the backup policy. The properties of the backup policy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 12e776c7f6..402bcdc57f 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -818,7 +818,13 @@ Name of the Public IP for No Public IP workspace with managed vNet. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `requiredNsgRules` @@ -826,7 +832,13 @@ Gets or sets a value indicating whether data plane (clusters) to control plane c - Required: No - Type: string - Default: `'AllRules'` -- Allowed: `[AllRules, NoAzureDatabricksRules]` +- Allowed: + ```Bicep + [ + 'AllRules' + 'NoAzureDatabricksRules' + ] + ``` ### Parameter: `requireInfrastructureEncryption` @@ -909,7 +921,14 @@ The pricing tier of workspace. - Required: No - Type: string - Default: `'premium'` -- Allowed: `[premium, standard, trial]` +- Allowed: + ```Bicep + [ + 'premium' + 'standard' + 'trial' + ] + ``` ### Parameter: `storageAccountName` diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index 7d4bbf44bf..fbc748a98e 100644 
--- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -652,7 +652,15 @@ Availability zone information of the server. Default will have no preference set - Required: No - Type: string - Default: `''` -- Allowed: `['', 1, 2, 3]` +- Allowed: + ```Bicep + [ + '' + '1' + '2' + '3' + ] + ``` ### Parameter: `backupRetentionDays` @@ -695,7 +703,15 @@ The mode to create a new MySQL server. - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Default, GeoRestore, PointInTimeRestore, Replica]` +- Allowed: + ```Bicep + [ + 'Default' + 'GeoRestore' + 'PointInTimeRestore' + 'Replica' + ] + ``` ### Parameter: `databases` @@ -874,7 +890,13 @@ A value indicating whether Geo-Redundant backup is enabled on the server. If "En - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `highAvailability` @@ -882,7 +904,14 @@ The mode for High Availability (HA). It is not supported for the Burstable prici - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, SameZone, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'SameZone' + 'ZoneRedundant' + ] + ``` ### Parameter: `location` @@ -923,7 +952,7 @@ Optional. Specify the name of lock. Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `managedIdentities` @@ -962,7 +991,14 @@ The replication role. - Required: No - Type: string - Default: `'None'` -- Allowed: `[None, Replica, Source]` +- Allowed: + ```Bicep + [ + 'None' + 'Replica' + 'Source' + ] + ``` ### Parameter: `restorePointInTime` 
@@ -1058,7 +1094,13 @@ Enable Storage Auto Grow or not. Storage auto-growth prevents a server from runn - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `storageAutoIoScaling` @@ -1066,7 +1108,13 @@ Enable IO Auto Scaling or not. The server scales IOPs up or down automatically d - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `storageIOPS` @@ -1081,7 +1129,22 @@ Max storage allowed for a server. In all compute tiers, the minimum storage supp - Required: No - Type: int - Default: `64` -- Allowed: `[20, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` +- Allowed: + ```Bicep + [ + 20 + 32 + 64 + 128 + 256 + 512 + 1024 + 2048 + 4096 + 8192 + 16384 + ] + ``` ### Parameter: `tags` @@ -1094,7 +1157,14 @@ Tags of the resource. The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". - Required: Yes - Type: string -- Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` +- Allowed: + ```Bicep + [ + 'Burstable' + 'GeneralPurpose' + 'MemoryOptimized' + ] + ``` ### Parameter: `version` @@ -1102,7 +1172,13 @@ MySQL Server version. - Required: No - Type: string - Default: `'5.7'` -- Allowed: `[5.7, 8.0.21]` +- Allowed: + ```Bicep + [ + '5.7' + '8.0.21' + ] + ``` ## Outputs diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 30db670f19..157b30d978 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md 
@@ -558,7 +558,13 @@ If Enabled, Azure Active Directory authentication is enabled. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `administratorLogin` @@ -587,7 +593,15 @@ Availability zone information of the server. Default will have no preference set - Required: No - Type: string - Default: `''` -- Allowed: `['', 1, 2, 3]` +- Allowed: + ```Bicep + [ + '' + '1' + '2' + '3' + ] + ``` ### Parameter: `backupRetentionDays` @@ -637,7 +651,15 @@ The mode to create a new PostgreSQL server. - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Create, Default, PointInTimeRestore, Update]` +- Allowed: + ```Bicep + [ + 'Create' + 'Default' + 'PointInTimeRestore' + 'Update' + ] + ``` ### Parameter: `databases` @@ -788,7 +810,13 @@ A value indicating whether Geo-Redundant backup is enabled on the server. Should - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `highAvailability` @@ -796,7 +824,14 @@ The mode for high availability. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, SameZone, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'SameZone' + 'ZoneRedundant' + ] + ``` ### Parameter: `location` @@ -837,7 +872,7 @@ Optional. Specify the name of lock. Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `managedIdentities` @@ -869,7 +904,13 @@ If Enabled, password authentication is enabled. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `pointInTimeUTC` 
@@ -972,7 +1013,21 @@ Max storage allowed for a server. - Required: No - Type: int - Default: `32` -- Allowed: `[32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384]` +- Allowed: + ```Bicep + [ + 32 + 64 + 128 + 256 + 512 + 1024 + 2048 + 4096 + 8192 + 16384 + ] + ``` ### Parameter: `tags` @@ -992,7 +1047,14 @@ Tenant id of the server. The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". - Required: Yes - Type: string -- Allowed: `[Burstable, GeneralPurpose, MemoryOptimized]` +- Allowed: + ```Bicep + [ + 'Burstable' + 'GeneralPurpose' + 'MemoryOptimized' + ] + ``` ### Parameter: `version` @@ -1000,7 +1062,16 @@ PostgreSQL Server version. - Required: No - Type: string - Default: `'15'` -- Allowed: `[11, 12, 13, 14, 15]` +- Allowed: + ```Bicep + [ + '11' + '12' + '13' + '14' + '15' + ] + ``` ## Outputs diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/README.md b/modules/db-for-postgre-sql/flexible-server/administrator/README.md index 64e08316bd..3c95a48a9c 100644 --- a/modules/db-for-postgre-sql/flexible-server/administrator/README.md +++ b/modules/db-for-postgre-sql/flexible-server/administrator/README.md @@ -76,7 +76,15 @@ Active Directory administrator principal name. The principal type used to represent the type of Active Directory Administrator. - Required: Yes - Type: string -- Allowed: `[Group, ServicePrincipal, Unknown, User]` +- Allowed: + ```Bicep + [ + 'Group' + 'ServicePrincipal' + 'Unknown' + 'User' + ] + ``` ### Parameter: `tenantId` diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 400891b5b2..7e86196f3e 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md 
@@ -281,7 +281,13 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro The type of the Application Group to be created. Allowed values: RemoteApp or Desktop. - Required: Yes - Type: string -- Allowed: `[Desktop, RemoteApp]` +- Allowed: + ```Bicep + [ + 'Desktop' + 'RemoteApp' + ] + ``` ### Parameter: `applications` diff --git a/modules/desktop-virtualization/application-group/application/README.md b/modules/desktop-virtualization/application-group/application/README.md index cc46be1fbe..61b2562dac 100644 --- a/modules/desktop-virtualization/application-group/application/README.md +++ b/modules/desktop-virtualization/application-group/application/README.md @@ -62,7 +62,14 @@ Specifies whether this published application can be launched with command-line a - Required: No - Type: string - Default: `'DoNotAllow'` -- Allowed: `[Allow, DoNotAllow, Require]` +- Allowed: + ```Bicep + [ + 'Allow' + 'DoNotAllow' + 'Require' + ] + ``` ### Parameter: `description` diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index be6dc2e213..03ed873f95 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -339,7 +339,15 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { The session host configuration for updating agent, monitoring agent, and stack component. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + maintenanceWindows: '[parameters(\'agentUpdateMaintenanceWindows\')]' + maintenanceWindowTimeZone: '[parameters(\'agentUpdateMaintenanceWindowTimeZone\')]' + type: '[parameters(\'agentUpdateType\')]' + useSessionHostLocalTime: '[parameters(\'agentUpdateUseSessionHostLocalTime\')]' + } + ``` ### Parameter: `agentUpdateMaintenanceWindowDayOfWeek` 
@@ -347,7 +355,18 @@ Update day for scheduled agent updates. - Required: No - Type: string - Default: `'Sunday'` -- Allowed: `[Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday]` +- Allowed: + ```Bicep + [ + 'Friday' + 'Monday' + 'Saturday' + 'Sunday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + ``` ### Parameter: `agentUpdateMaintenanceWindowHour` @@ -361,7 +380,15 @@ Update hour for scheduled agent updates. List of maintenance windows for scheduled agent updates. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + dayOfWeek: '[parameters(\'agentUpdateMaintenanceWindowDayOfWeek\')]' + hour: '[parameters(\'agentUpdateMaintenanceWindowHour\')]' + } + ] + ``` ### Parameter: `agentUpdateMaintenanceWindowTimeZone` @@ -376,7 +403,13 @@ Enable scheduled agent updates, Default means agent updates will automatically b - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Default, Scheduled]` +- Allowed: + ```Bicep + [ + 'Default' + 'Scheduled' + ] + ``` ### Parameter: `agentUpdateUseSessionHostLocalTime` @@ -521,7 +554,14 @@ Type of load balancer algorithm. - Required: No - Type: string - Default: `'BreadthFirst'` -- Allowed: `[BreadthFirst, DepthFirst, Persistent]` +- Allowed: + ```Bicep + [ + 'BreadthFirst' + 'DepthFirst' + 'Persistent' + ] + ``` ### Parameter: `location` @@ -576,7 +616,14 @@ Set the type of assignment for a Personal Host Pool type. - Required: No - Type: string - Default: `''` -- Allowed: `['', Automatic, Direct]` +- Allowed: + ```Bicep + [ + '' + 'Automatic' + 'Direct' + ] + ``` ### Parameter: `preferredAppGroupType` @@ -584,7 +631,14 @@ The type of preferred application group type, default to Desktop Application Gro - Required: No - Type: string - Default: `'Desktop'` -- Allowed: `[Desktop, None, RailApplications]` +- Allowed: + ```Bicep + [ + 'Desktop' + 'None' + 'RailApplications' + ] + ``` ### Parameter: `ring` 
@@ -688,7 +742,16 @@ The type of single sign on Secret Type. - Required: No - Type: string - Default: `''` -- Allowed: `['', Certificate, CertificateInKeyVault, SharedKey, SharedKeyInKeyVault]` +- Allowed: + ```Bicep + [ + '' + 'Certificate' + 'CertificateInKeyVault' + 'SharedKey' + 'SharedKeyInKeyVault' + ] + ``` ### Parameter: `startVMOnConnect` @@ -716,7 +779,13 @@ Set this parameter to Personal if you would like to enable Persistent Desktop ex - Required: No - Type: string - Default: `'Pooled'` -- Allowed: `[Personal, Pooled]` +- Allowed: + ```Bicep + [ + 'Personal' + 'Pooled' + ] + ``` ### Parameter: `validationEnvironment` @@ -730,7 +799,7 @@ Validation host pools allows you to test service changes before they are deploye The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index dae9ec2b75..032df11696 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -429,7 +429,12 @@ The type of hostpool where this scaling plan should be applied. - Required: No - Type: string - Default: `'Pooled'` -- Allowed: `[Pooled]` +- Allowed: + ```Bicep + [ + 'Pooled' + ] + ``` ### Parameter: `location` 
@@ -517,7 +522,49 @@ Required. The name of the role to assign. If it cannot be found you can specify The schedules related to this scaling plan. If no value is provided a default schedule will be provided. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + daysOfWeek: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + name: 'weekdays_schedule' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + offPeakStartTime: { + hour: 20 + minute: 0 + } + peakLoadBalancingAlgorithm: 'DepthFirst' + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStartTime: { + hour: 18 + minute: 0 + } + rampDownStopHostsWhen: 'ZeroSessions' + rampDownWaitTimeMinutes: 30 + rampUpCapacityThresholdPct: 60 + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpStartTime: { + hour: 7 + minute: 0 + } + } + ] + ``` ### Parameter: `tags` diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index e506fa7f34..be1f1cc67e 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -677,7 +677,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { The properties of any lab announcement associated with this lab. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `artifactsources` 
@@ -699,14 +699,20 @@ Enable browser connect on virtual machines if the lab's VNETs have configured Az - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `costs` Costs to create for the lab. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `disableAutoUpgradeCseMinorVersion` @@ -735,7 +741,13 @@ Specify how OS and data disks created as part of the lab are encrypted. - Required: No - Type: string - Default: `'EncryptionAtRestWithPlatformKey'` -- Allowed: `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformKey]` +- Allowed: + ```Bicep + [ + 'EncryptionAtRestWithCustomerKey' + 'EncryptionAtRestWithPlatformKey' + ] + ``` ### Parameter: `environmentPermission` @@ -743,14 +755,20 @@ The access rights to be granted to the user when provisioning an environment. - Required: No - Type: string - Default: `'Reader'` -- Allowed: `[Contributor, Reader]` +- Allowed: + ```Bicep + [ + 'Contributor' + 'Reader' + ] + ``` ### Parameter: `extendedProperties` Extended properties of the lab used for experimental features. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `isolateLabResources` @@ -758,7 +776,13 @@ Enable lab resources isolation from the public internet. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `labStorageType` @@ -766,7 +790,14 @@ Type of storage used by the lab. It can be either Premium or Standard. - Required: No - Type: string - Default: `'Premium'` -- Allowed: `[Premium, Standard, StandardSSD]` +- Allowed: + ```Bicep + [ + 'Premium' + 'Standard' + 'StandardSSD' + ] + ``` ### Parameter: `location` 
@@ -867,7 +898,13 @@ The setting to enable usage of premium data disks. When its value is "Enabled", - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -949,7 +986,7 @@ Schedules to create for the lab. The properties of any lab support message associated with this lab. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md index f2ac68cd9a..596527ee0d 100644 --- a/modules/dev-test-lab/lab/artifactsource/README.md +++ b/modules/dev-test-lab/lab/artifactsource/README.md @@ -106,7 +106,15 @@ The artifact source's type. - Required: No - Type: string - Default: `''` -- Allowed: `['', GitHub, StorageAccount, VsoGit]` +- Allowed: + ```Bicep + [ + '' + 'GitHub' + 'StorageAccount' + 'VsoGit' + ] + ``` ### Parameter: `status` @@ -114,7 +122,13 @@ Indicates if the artifact source is enabled (values: Enabled, Disabled). Default - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `tags` diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md index 51d6302f23..7d50b0542b 100644 --- a/modules/dev-test-lab/lab/cost/README.md +++ b/modules/dev-test-lab/lab/cost/README.md @@ -79,7 +79,13 @@ Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000 Reporting cycle type. - Required: Yes - Type: string -- Allowed: `[CalendarMonth, Custom]` +- Allowed: + ```Bicep + [ + 'CalendarMonth' + 'Custom' + ] + ``` ### Parameter: `enableDefaultTelemetry` 
@@ -100,7 +106,13 @@ Target cost status. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `tags` @@ -121,7 +133,13 @@ Target Cost threshold at 100% display on chart. Indicates whether this threshold - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue100SendNotificationWhenExceeded` @@ -129,7 +147,13 @@ Target cost threshold at 100% send notification when exceeded. Indicates whether - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue125DisplayOnChart` @@ -137,7 +161,13 @@ Target Cost threshold at 125% display on chart. Indicates whether this threshold - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue125SendNotificationWhenExceeded` @@ -145,7 +175,13 @@ Target cost threshold at 125% send notification when exceeded. Indicates whether - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue25DisplayOnChart` @@ -153,7 +189,13 @@ Target Cost threshold at 25% display on chart. Indicates whether this threshold - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue25SendNotificationWhenExceeded` 
@@ -161,7 +203,13 @@ Target cost threshold at 25% send notification when exceeded. Indicates whether - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue50DisplayOnChart` @@ -169,7 +217,13 @@ Target Cost threshold at 50% display on chart. Indicates whether this threshold - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue50SendNotificationWhenExceeded` @@ -177,7 +231,13 @@ Target cost threshold at 50% send notification when exceeded. Indicates whether - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue75DisplayOnChart` @@ -185,7 +245,13 @@ Target Cost threshold at 75% display on chart. Indicates whether this threshold - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `thresholdValue75SendNotificationWhenExceeded` @@ -193,7 +259,13 @@ Target cost threshold at 75% send notification when exceeded. Indicates whether - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md index 45abfc2693..026f51995a 100644 --- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ b/modules/dev-test-lab/lab/notificationchannel/README.md 
@@ -82,7 +82,13 @@ The name of the parent lab. Required if the template is used in a standalone dep
 The name of the notification channel.
 - Required: Yes
 - Type: string
-- Allowed: `[autoShutdown, costThreshold]`
+- Allowed:
+ ```Bicep
+ [
+ 'autoShutdown'
+ 'costThreshold'
+ ]
+ ```
 ### Parameter: `notificationLocale`
diff --git a/modules/dev-test-lab/lab/policyset/policy/README.md b/modules/dev-test-lab/lab/policyset/policy/README.md
index cc9746dea5..21a43a924c 100644
--- a/modules/dev-test-lab/lab/policyset/policy/README.md
+++ b/modules/dev-test-lab/lab/policyset/policy/README.md
@@ -64,7 +64,13 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy).
 - Required: Yes
 - Type: string
-- Allowed: `[AllowedValuesPolicy, MaxValuePolicy]`
+- Allowed:
+ ```Bicep
+ [
+ 'AllowedValuesPolicy'
+ 'MaxValuePolicy'
+ ]
+ ```
 ### Parameter: `factData`
@@ -78,7 +84,21 @@ The fact data of the policy.
 The fact name of the policy.
 - Required: Yes
 - Type: string
-- Allowed: `[EnvironmentTemplate, GalleryImage, LabPremiumVmCount, LabTargetCost, LabVmCount, LabVmSize, ScheduleEditPermission, UserOwnedLabPremiumVmCount, UserOwnedLabVmCount, UserOwnedLabVmCountInSubnet]`
+- Allowed:
+ ```Bicep
+ [
+ 'EnvironmentTemplate'
+ 'GalleryImage'
+ 'LabPremiumVmCount'
+ 'LabTargetCost'
+ 'LabVmCount'
+ 'LabVmSize'
+ 'ScheduleEditPermission'
+ 'UserOwnedLabPremiumVmCount'
+ 'UserOwnedLabVmCount'
+ 'UserOwnedLabVmCountInSubnet'
+ ]
+ ```
 ### Parameter: `labName`
@@ -105,14 +125,20 @@ The status of the policy.
 - Required: No
 - Type: string
 - Default: `'Enabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `tags`
 Tags of the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `threshold`
diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md
index 293747d728..35c6ea868e 100644
--- a/modules/dev-test-lab/lab/schedule/README.md
+++ b/modules/dev-test-lab/lab/schedule/README.md
@@ -52,7 +52,7 @@ Lab schedules are used to modify the settings for auto-shutdown, auto-start for
 If the schedule will occur once each day of the week, specify the daily recurrence.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `enableDefaultTelemetry`
@@ -66,7 +66,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 If the schedule will occur multiple times a day, specify the hourly recurrence.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `labName`
@@ -79,7 +79,13 @@ The name of the parent lab. Required if the template is used in a standalone dep
 The name of the schedule.
 - Required: Yes
 - Type: string
-- Allowed: `[LabVmAutoStart, LabVmsShutdown]`
+- Allowed:
+ ```Bicep
+ [
+ 'LabVmAutoStart'
+ 'LabVmsShutdown'
+ ]
+ ```
 ### Parameter: `notificationSettingsStatus`
@@ -87,7 +93,13 @@ If notifications are enabled for this schedule (i.e. Enabled, Disabled).
 - Required: No
 - Type: string
 - Default: `'Disabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `notificationSettingsTimeInMinutes`
@@ -102,7 +114,13 @@ The status of the schedule (i.e. Enabled, Disabled).
 - Required: No
 - Type: string
 - Default: `'Enabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `tags`
@@ -122,7 +140,13 @@ The resource ID to which the schedule belongs.
 The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask).
 - Required: Yes
 - Type: string
-- Allowed: `[LabVmsShutdownTask, LabVmsStartupTask]`
+- Allowed:
+ ```Bicep
+ [
+ 'LabVmsShutdownTask'
+ 'LabVmsStartupTask'
+ ]
+ ```
 ### Parameter: `timeZoneId`
@@ -136,7 +160,7 @@ The time zone ID (e.g. Pacific Standard time).
 If the schedule will occur only some days of the week, specify the weekly recurrence.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ## Outputs
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md
index dcf0765ad2..8b7a1480d9 100644
--- a/modules/digital-twins/digital-twins-instance/README.md
+++ b/modules/digital-twins/digital-twins-instance/README.md
@@ -415,14 +415,14 @@ Enable telemetry via the Customer Usage Attribution ID (GUID).
 Event Grid Endpoint.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `eventHubEndpoint`
 Event Hub Endpoint.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `location`
@@ -638,7 +638,14 @@ Whether or not public network access is allowed for this resource. For security
 - Required: No
 - Type: string
 - Default: `''`
-- Allowed: `['', Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ ''
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `roleAssignments`
@@ -713,7 +720,7 @@ Required. The name of the role to assign. If it cannot be found you can specify
 Service Bus Endpoint.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `systemAssignedIdentity`
@@ -733,7 +740,7 @@ Resource tags.
 The ID(s) to assign to the resource.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ## Outputs
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md
index ea2990793c..0dd7790d4e 100644
--- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md
+++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md
@@ -45,7 +45,13 @@ Specifies the authentication type being used for connecting to the endpoint. If
 - Required: No
 - Type: string
 - Default: `'IdentityBased'`
-- Allowed: `[IdentityBased, KeyBased]`
+- Allowed:
+ ```Bicep
+ [
+ 'IdentityBased'
+ 'KeyBased'
+ ]
+ ```
 ### Parameter: `connectionStringPrimaryKey`
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md
index eeae357cd9..fd96f9cd28 100644
--- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md
+++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md
@@ -45,7 +45,13 @@ Specifies the authentication type being used for connecting to the endpoint. If
 - Required: No
 - Type: string
 - Default: `'IdentityBased'`
-- Allowed: `[IdentityBased, KeyBased]`
+- Allowed:
+ ```Bicep
+ [
+ 'IdentityBased'
+ 'KeyBased'
+ ]
+ ```
 ### Parameter: `deadLetterSecret`
diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md
index 6891ab0f3d..de51a3b003 100644
--- a/modules/document-db/database-account/README.md
+++ b/modules/document-db/database-account/README.md
@@ -1325,7 +1325,13 @@ Configuration values for continuous mode backup.
 - Required: No
 - Type: string
 - Default: `'Continuous30Days'`
-- Allowed: `[Continuous30Days, Continuous7Days]`
+- Allowed:
+ ```Bicep
+ [
+ 'Continuous30Days'
+ 'Continuous7Days'
+ ]
+ ```
 ### Parameter: `backupPolicyType`
@@ -1333,7 +1339,13 @@ Describes the mode of backups.
 - Required: No
 - Type: string
 - Default: `'Continuous'`
-- Allowed: `[Continuous, Periodic]`
+- Allowed:
+ ```Bicep
+ [
+ 'Continuous'
+ 'Periodic'
+ ]
+ ```
 ### Parameter: `backupRetentionIntervalInHours`
@@ -1348,7 +1360,14 @@ Enum to indicate type of backup residency. Only applies to periodic backup type.
 - Required: No
 - Type: string
 - Default: `'Local'`
-- Allowed: `[Geo, Local, Zone]`
+- Allowed:
+ ```Bicep
+ [
+ 'Geo'
+ 'Local'
+ 'Zone'
+ ]
+ ```
 ### Parameter: `capabilitiesToAdd`
@@ -1356,7 +1375,17 @@ List of Cosmos DB capabilities for the account.
 - Required: No
 - Type: array
 - Default: `[]`
-- Allowed: `[DisableRateLimitingResponses, EnableCassandra, EnableGremlin, EnableMongo, EnableServerless, EnableTable]`
+- Allowed:
+ ```Bicep
+ [
+ 'DisableRateLimitingResponses'
+ 'EnableCassandra'
+ 'EnableGremlin'
+ 'EnableMongo'
+ 'EnableServerless'
+ 'EnableTable'
+ ]
+ ```
 ### Parameter: `databaseAccountOfferType`
@@ -1364,7 +1393,12 @@ The offer type for the Cosmos DB database account.
 - Required: No
 - Type: string
 - Default: `'Standard'`
-- Allowed: `[Standard]`
+- Allowed:
+ ```Bicep
+ [
+ 'Standard'
+ ]
+ ```
 ### Parameter: `defaultConsistencyLevel`
@@ -1372,7 +1406,16 @@ The default consistency level of the Cosmos DB account.
 - Required: No
 - Type: string
 - Default: `'Session'`
-- Allowed: `[BoundedStaleness, ConsistentPrefix, Eventual, Session, Strong]`
+- Allowed:
+ ```Bicep
+ [
+ 'BoundedStaleness'
+ 'ConsistentPrefix'
+ 'Eventual'
+ 'Session'
+ 'Strong'
+ ]
+ ```
 ### Parameter: `diagnosticSettings`
@@ -1845,7 +1888,15 @@ Specifies the MongoDB server version to use.
 - Required: No
 - Type: string
 - Default: `'4.2'`
-- Allowed: `[3.2, 3.6, 4.0, 4.2]`
+- Allowed:
+ ```Bicep
+ [
+ '3.2'
+ '3.6'
+ '4.0'
+ '4.2'
+ ]
+ ```
 ### Parameter: `sqlDatabases`
diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md
index b682df47c6..6e358a9bfe 100644
--- a/modules/document-db/database-account/gremlin-database/graph/README.md
+++ b/modules/document-db/database-account/gremlin-database/graph/README.md
@@ -64,7 +64,7 @@ The name of the parent Gremlin Database. Required if the template is used in a s
 Indexing policy of the graph.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `name`
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json
index 7d513e6420..6210f39a32 100644
--- a/modules/document-db/database-account/gremlin-database/main.json
+++ b/modules/document-db/database-account/gremlin-database/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "1439508098279696940"
+ "templateHash": "9027351090124444562"
 },
 "name": "DocumentDB Database Account Gremlin Databases",
 "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -318,4 +318,4 @@
 "value": "[resourceGroup().name]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md
index a6621174f4..cc46af3c67 100644
--- a/modules/document-db/database-account/sql-database/container/README.md
+++ b/modules/document-db/database-account/sql-database/container/README.md
@@ -66,7 +66,7 @@ Specifies the Autoscale settings and represents maximum throughput, the resource
 The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `databaseAccountName`
@@ -93,7 +93,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 Indexing policy of the container.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `kind`
@@ -101,7 +101,14 @@ Indicates the kind of algorithm used for partitioning.
 - Required: No
 - Type: string
 - Default: `'Hash'`
-- Allowed: `[Hash, MultiHash, Range]`
+- Allowed:
+ ```Bicep
+ [
+ 'Hash'
+ 'MultiHash'
+ 'Range'
+ ]
+ ```
 ### Parameter: `name`
diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md
index c72c581389..636322d154 100644
--- a/modules/event-grid/domain/README.md
+++ b/modules/event-grid/domain/README.md
@@ -718,7 +718,14 @@ Whether or not public network access is allowed for this resource. For security
 - Required: No
 - Type: string
 - Default: `''`
-- Allowed: `['', Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ ''
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/event-grid/system-topic/event-subscription/README.md b/modules/event-grid/system-topic/event-subscription/README.md
index d488702524..f8c63e5e22 100644
--- a/modules/event-grid/system-topic/event-subscription/README.md
+++ b/modules/event-grid/system-topic/event-subscription/README.md
@@ -45,21 +45,21 @@ This module deploys an Event Grid System Topic Event Subscription.
 Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `deadLetterWithResourceIdentity`
 Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `deliveryWithResourceIdentity`
 Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `destination`
@@ -80,7 +80,15 @@ The event delivery schema for the event subscription.
 - Required: No
 - Type: string
 - Default: `'EventGridSchema'`
-- Allowed: `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]`
+- Allowed:
+ ```Bicep
+ [
+ 'CloudEventSchemaV1_0'
+ 'CustomInputSchema'
+ 'EventGridEvent'
+ 'EventGridSchema'
+ ]
+ ```
 ### Parameter: `expirationTimeUtc`
@@ -94,7 +102,7 @@ The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTH
 The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `labels`
@@ -121,7 +129,7 @@ The name of the Event Subscription.
 The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `systemTopicName`
diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md
index 363cdc2cc0..8f7c1adab0 100644
--- a/modules/event-grid/topic/README.md
+++ b/modules/event-grid/topic/README.md
@@ -751,7 +751,14 @@ Whether or not public network access is allowed for this resource. For security
 - Required: No
 - Type: string
 - Default: `''`
-- Allowed: `['', Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ ''
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/event-grid/topic/event-subscription/README.md b/modules/event-grid/topic/event-subscription/README.md
index ddfd871622..5ca0bc97ca 100644
--- a/modules/event-grid/topic/event-subscription/README.md
+++ b/modules/event-grid/topic/event-subscription/README.md
@@ -45,21 +45,21 @@ This module deploys an Event Grid Topic Event Subscription.
 Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `deadLetterWithResourceIdentity`
 Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `deliveryWithResourceIdentity`
 Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `destination`
@@ -80,7 +80,15 @@ The event delivery schema for the event subscription.
 - Required: No
 - Type: string
 - Default: `'EventGridSchema'`
-- Allowed: `[CloudEventSchemaV1_0, CustomInputSchema, EventGridEvent, EventGridSchema]`
+- Allowed:
+ ```Bicep
+ [
+ 'CloudEventSchemaV1_0'
+ 'CustomInputSchema'
+ 'EventGridEvent'
+ 'EventGridSchema'
+ ]
+ ```
 ### Parameter: `expirationTimeUtc`
@@ -94,7 +102,7 @@ The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTH
 The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information).
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `labels`
@@ -121,7 +129,7 @@ The name of the Event Subscription.
 The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `topicName`
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index ea77988f49..bb1a32227b 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
@@ -726,7 +726,19 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 Authorization Rules for the Event Hub namespace.
 - Required: No
 - Type: array
-- Default: `[System.Management.Automation.OrderedHashtable]`
+- Default:
+ ```Bicep
+ [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ ]
+ ```
 ### Parameter: `cMKKeyName`
@@ -883,7 +895,7 @@ This property disables SAS authentication for the Event Hubs namespace.
 The disaster recovery config for this namespace.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `enableDefaultTelemetry`
@@ -986,7 +998,14 @@ The minimum TLS version for the cluster to support.
 - Required: No
 - Type: string
 - Default: `'1.2'`
-- Allowed: `[1.0, 1.1, 1.2]`
+- Allowed:
+ ```Bicep
+ [
+ '1.0'
+ '1.1'
+ '1.2'
+ ]
+ ```
 ### Parameter: `name`
@@ -999,7 +1018,7 @@ The name of the event hub namespace.
 Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `privateEndpoints`
@@ -1175,7 +1194,15 @@ Whether or not public network access is allowed for this resource. For security
 - Required: No
 - Type: string
 - Default: `''`
-- Allowed: `['', Disabled, Enabled, SecuredByPerimeter]`
+- Allowed:
+ ```Bicep
+ [
+ ''
+ 'Disabled'
+ 'Enabled'
+ 'SecuredByPerimeter'
+ ]
+ ```
 ### Parameter: `requireInfrastructureEncryption`
@@ -1265,7 +1292,14 @@ event hub plan SKU name.
 - Required: No
 - Type: string
 - Default: `'Standard'`
-- Allowed: `[Basic, Premium, Standard]`
+- Allowed:
+ ```Bicep
+ [
+ 'Basic'
+ 'Premium'
+ 'Standard'
+ ]
+ ```
 ### Parameter: `tags`
diff --git a/modules/event-hub/namespace/authorization-rule/README.md b/modules/event-hub/namespace/authorization-rule/README.md
index bbc74cf9cc..dfb4d84591 100644
--- a/modules/event-hub/namespace/authorization-rule/README.md
+++ b/modules/event-hub/namespace/authorization-rule/README.md
@@ -61,7 +61,14 @@ The rights associated with the rule.
 - Required: No
 - Type: array
 - Default: `[]`
-- Allowed: `[Listen, Manage, Send]`
+- Allowed:
+ ```Bicep
+ [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ ```
 ## Outputs
diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md
index 600b84c374..c07d8cf98d 100644
--- a/modules/event-hub/namespace/eventhub/README.md
+++ b/modules/event-hub/namespace/eventhub/README.md
@@ -63,7 +63,19 @@ This module deploys an Event Hub Namespace Event Hub.
 Authorization Rules for the event hub.
 - Required: No
 - Type: array
-- Default: `[System.Management.Automation.OrderedHashtable]`
+- Default:
+ ```Bicep
+ [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ ]
+ ```
 ### Parameter: `captureDescriptionDestinationArchiveNameFormat`
@@ -106,7 +118,13 @@ Enumerates the possible values for the encoding format of capture description. N
 - Required: No
 - Type: string
 - Default: `'Avro'`
-- Allowed: `[Avro, AvroDeflate]`
+- Allowed:
+ ```Bicep
+ [
+ 'Avro'
+ 'AvroDeflate'
+ ]
+ ```
 ### Parameter: `captureDescriptionIntervalInSeconds`
@@ -134,7 +152,14 @@ A value that indicates whether to Skip Empty Archives.
 The consumer groups to create in this event hub instance.
 - Required: No
 - Type: array
-- Default: `[System.Management.Automation.OrderedHashtable]`
+- Default:
+ ```Bicep
+ [
+ {
+ name: '$Default'
+ }
+ ]
+ ```
 ### Parameter: `enableDefaultTelemetry`
@@ -202,7 +227,13 @@ Retention cleanup policy. Enumerates the possible values for cleanup policy.
 - Required: No
 - Type: string
 - Default: `'Delete'`
-- Allowed: `[Compact, Delete]`
+- Allowed:
+ ```Bicep
+ [
+ 'Compact'
+ 'Delete'
+ ]
+ ```
 ### Parameter: `retentionDescriptionRetentionTimeInHours`
@@ -292,7 +323,20 @@ Enumerates the possible values for the status of the Event Hub.
 - Required: No
 - Type: string
 - Default: `'Active'`
-- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]`
+- Allowed:
+ ```Bicep
+ [
+ 'Active'
+ 'Creating'
+ 'Deleting'
+ 'Disabled'
+ 'ReceiveDisabled'
+ 'Renaming'
+ 'Restoring'
+ 'SendDisabled'
+ 'Unknown'
+ ]
+ ```
 ## Outputs
diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/README.md b/modules/event-hub/namespace/eventhub/authorization-rule/README.md
index 5abe5dafa8..4880cabcbd 100644
--- a/modules/event-hub/namespace/eventhub/authorization-rule/README.md
+++ b/modules/event-hub/namespace/eventhub/authorization-rule/README.md
@@ -68,7 +68,14 @@ The rights associated with the rule.
 - Required: No
 - Type: array
 - Default: `[]`
-- Allowed: `[Listen, Manage, Send]`
+- Allowed:
+ ```Bicep
+ [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ ```
 ## Outputs
diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md
index a0ac082d1c..ff9c6bb262 100644
--- a/modules/event-hub/namespace/network-rule-set/README.md
+++ b/modules/event-hub/namespace/network-rule-set/README.md
@@ -40,7 +40,13 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p
 - Required: No
 - Type: string
 - Default: `'Allow'`
-- Allowed: `[Allow, Deny]`
+- Allowed:
+ ```Bicep
+ [
+ 'Allow'
+ 'Deny'
+ ]
+ ```
 ### Parameter: `enableDefaultTelemetry`
@@ -68,7 +74,13 @@ This determines if traffic is allowed over public network. Default is "Enabled".
 - Required: No
 - Type: string
 - Default: `'Enabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `trustedServiceAccessEnabled`
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index 363f535857..3ba7ed1140 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -342,7 +342,14 @@ Required. The name of the role to assign. If it cannot be found you can specify
 The name of the Azure Health Bot SKU.
 - Required: Yes
 - Type: string
-- Allowed: `[C0, F0, S1]`
+- Allowed:
+ ```Bicep
+ [
+ 'C0'
+ 'F0'
+ 'S1'
+ ]
+ ```
 ### Parameter: `tags`
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 443ba44ef1..3c1d11f2db 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -470,7 +470,13 @@ Control permission for data plane traffic coming from public networks while priv
 - Required: No
 - Type: string
 - Default: `'Disabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md
index 82cdc71170..f8c690b4c1 100644
--- a/modules/healthcare-apis/workspace/dicomservice/README.md
+++ b/modules/healthcare-apis/workspace/dicomservice/README.md
@@ -75,7 +75,17 @@ Specify the allowed HTTP methods.
 - Required: No
 - Type: array
 - Default: `[]`
-- Allowed: `[DELETE, GET, OPTIONS, PATCH, POST, PUT]`
+- Allowed:
+ ```Bicep
+ [
+ 'DELETE'
+ 'GET'
+ 'OPTIONS'
+ 'PATCH'
+ 'POST'
+ 'PUT'
+ ]
+ ```
 ### Parameter: `corsOrigins`
@@ -278,7 +288,13 @@ Control permission for data plane traffic coming from public networks while priv
 - Required: No
 - Type: string
 - Default: `'Disabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `tags`
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json
index f05ffafc1c..a0bbc93dad 100644
--- a/modules/healthcare-apis/workspace/dicomservice/main.json
+++ b/modules/healthcare-apis/workspace/dicomservice/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4165874741118763430"
+ "templateHash": "10991463946028183992"
 },
 "name": "Healthcare API Workspace DICOM Services",
 "description": "This module deploys a Healthcare API Workspace DICOM Service.",
@@ -397,4 +397,4 @@
 "value": "[reference('dicom', '2022-06-01', 'full').location]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md
index 1c8d86d105..703c240ab8 100644
--- a/modules/healthcare-apis/workspace/fhirservice/README.md
+++ b/modules/healthcare-apis/workspace/fhirservice/README.md
@@ -126,7 +126,17 @@ Specify the allowed HTTP methods.
 - Required: No
 - Type: array
 - Default: `[]`
-- Allowed: `[DELETE, GET, OPTIONS, PATCH, POST, PUT]`
+- Allowed:
+ ```Bicep
+ [
+ 'DELETE'
+ 'GET'
+ 'OPTIONS'
+ 'PATCH'
+ 'POST'
+ 'PUT'
+ ]
+ ```
 ### Parameter: `corsOrigins`
@@ -291,7 +301,13 @@ The kind of the service. Defaults to R4.
 - Required: No
 - Type: string
 - Default: `'fhir-R4'`
-- Allowed: `[fhir-R4, fhir-Stu3]`
+- Allowed:
+ ```Bicep
+ [
+ 'fhir-R4'
+ 'fhir-Stu3'
+ ]
+ ```
 ### Parameter: `location`
@@ -365,14 +381,20 @@ Control permission for data plane traffic coming from public networks while priv
 - Required: No
 - Type: string
 - Default: `'Disabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `resourceVersionOverrides`
 A list of FHIR Resources and their version policy overrides.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `resourceVersionPolicy`
@@ -380,7 +402,14 @@ The default value for tracking history across all resources.
 - Required: No
 - Type: string
 - Default: `'versioned'`
-- Allowed: `[no-version, versioned, versioned-update]`
+- Allowed:
+ ```Bicep
+ [
+ 'no-version'
+ 'versioned'
+ 'versioned-update'
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json
index 3e1e52d236..b435adb5bb 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.json
+++ b/modules/healthcare-apis/workspace/fhirservice/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14914386228020873144"
+ "templateHash": "8893393036207321770"
 },
 "name": "Healthcare API Workspace FHIR Services",
 "description": "This module deploys a Healthcare API Workspace FHIR Service.",
@@ -647,4 +647,4 @@
 "value": "[parameters('workspaceName')]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md
index 2da0f7ced5..26ff9a5f3f 100644
--- a/modules/healthcare-apis/workspace/iotconnector/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/README.md
@@ -61,7 +61,13 @@ Consumer group of the event hub to connected to.
 The mapping JSON that determines how incoming device data is normalized.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default:
+ ```Bicep
+ {
+ template: []
+ templateType: 'CollectionContent'
+ }
+ ```
 ### Parameter: `diagnosticSettings`
@@ -202,7 +208,7 @@ Namespace of the Event Hub to connect to.
 FHIR Destination.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default: `{}`
 ### Parameter: `location`
diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
index 16df71b996..3e561c8be8 100644
--- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
@@ -46,7 +46,13 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.
 The mapping JSON that determines how normalized data is converted to FHIR Observations.
 - Required: No
 - Type: object
-- Default: `{object}`
+- Default:
+ ```Bicep
+ {
+ template: []
+ templateType: 'CollectionFhir'
+ }
+ ```
 ### Parameter: `enableDefaultTelemetry`
@@ -86,7 +92,13 @@ Determines how resource identity is resolved on the destination.
 - Required: No
 - Type: string
 - Default: `'Lookup'`
-- Allowed: `[Create, Lookup]`
+- Allowed:
+ ```Bicep
+ [
+ 'Create'
+ 'Lookup'
+ ]
+ ```
 ### Parameter: `workspaceName`
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
index 90607dde65..ef71ca1131 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.json
+++ b/modules/healthcare-apis/workspace/iotconnector/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "9502385350114367681"
+ "templateHash": "16117637432944064764"
 },
 "name": "Healthcare API Workspace IoT Connectors",
 "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -566,4 +566,4 @@
 "value": "[parameters('workspaceName')]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md
index 361b57243f..7ea6985434 100644
--- a/modules/insights/activity-log-alert/README.md
+++ b/modules/insights/activity-log-alert/README.md
@@ -332,7 +332,12 @@ Required. The name of the role to assign. If it cannot be found you can specify
 The list of resource IDs that this Activity Log Alert is scoped to.
 - Required: No
 - Type: array
-- Default: `[[subscription().id]]`
+- Default:
+ ```Bicep
+ [
+ '[subscription().id]'
+ ]
+ ```
 ### Parameter: `tags`
diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md
index 93f098019a..e0aa1d9ff6 100644
--- a/modules/insights/component/README.md
+++ b/modules/insights/component/README.md
@@ -223,7 +223,13 @@ Application type.
 - Required: No
 - Type: string
 - Default: `'web'`
-- Allowed: `[other, web]`
+- Allowed:
+ ```Bicep
+ [
+ 'other'
+ 'web'
+ ]
+ ```
 ### Parameter: `diagnosticSettings`
@@ -373,7 +379,13 @@ The network access type for accessing Application Insights ingestion. - Enabled
 - Required: No
 - Type: string
 - Default: `'Enabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `publicNetworkAccessForQuery`
@@ -381,7 +393,13 @@ The network access type for accessing Application Insights query. - Enabled or D
 - Required: No
 - Type: string
 - Default: `'Enabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `retentionInDays`
@@ -389,7 +407,20 @@ Retention period in days.
 - Required: No
 - Type: int
 - Default: `365`
-- Allowed: `[30, 60, 90, 120, 180, 270, 365, 550, 730]`
+- Allowed:
+ ```Bicep
+ [
+ 30
+ 60
+ 90
+ 120
+ 180
+ 270
+ 365
+ 550
+ 730
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md
index 5f791e34bd..d7c991c56c 100644
--- a/modules/insights/data-collection-endpoint/README.md
+++ b/modules/insights/data-collection-endpoint/README.md
@@ -205,7 +205,13 @@ The kind of the resource.
 - Required: No
 - Type: string
 - Default: `'Linux'`
-- Allowed: `[Linux, Windows]`
+- Allowed:
+ ```Bicep
+ [
+ 'Linux'
+ 'Windows'
+ ]
+ ```
 ### Parameter: `location`
@@ -253,7 +259,13 @@ The configuration to set whether network access from public internet to the endp
 - Required: No
 - Type: string
 - Default: `'Disabled'`
-- Allowed: `[Disabled, Enabled]`
+- Allowed:
+ ```Bicep
+ [
+ 'Disabled'
+ 'Enabled'
+ ]
+ ```
 ### Parameter: `roleAssignments`
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index 261e51782d..37edcaf1f4 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -1549,7 +1549,13 @@ The kind of the resource.
 - Required: No
 - Type: string
 - Default: `'Linux'`
-- Allowed: `[Linux, Windows]`
+- Allowed:
+ ```Bicep
+ [
+ 'Linux'
+ 'Windows'
+ ]
+ ```
 ### Parameter: `location`
@@ -1664,7 +1670,7 @@ Required. The name of the role to assign. If it cannot be found you can specify Declaration of custom streams used in this rule. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index fd196a7ed3..7ef93aebbb 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -149,7 +149,14 @@ A string indicating whether the export to Log Analytics should use the default d - Required: No - Type: string - Default: `''` -- Allowed: `['', AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + '' + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `logCategoriesAndGroups` diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 2ff2485b0e..3ad1b77aac 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -199,7 +199,14 @@ Maps to the 'odata.type' field. Specifies the type of the alert criteria. - Required: No - Type: string - Default: `'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'` -- Allowed: `[Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria, Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria]` +- Allowed: + ```Bicep + [ + 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' + 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' + 'Microsoft.Azure.Monitor.WebtestLocationAvailabilityCriteria' + ] + ``` ### Parameter: `alertDescription` 
@@ -241,7 +248,16 @@ how often the metric alert is evaluated represented in ISO 8601 duration format. - Required: No - Type: string - Default: `'PT5M'` -- Allowed: `[PT15M, PT1H, PT1M, PT30M, PT5M]` +- Allowed: + ```Bicep + [ + 'PT15M' + 'PT1H' + 'PT1M' + 'PT30M' + 'PT5M' + ] + ``` ### Parameter: `location` @@ -329,7 +345,12 @@ Required. The name of the role to assign. If it cannot be found you can specify the list of resource IDs that this metric alert is scoped to. - Required: No - Type: array -- Default: `[[subscription().id]]` +- Default: + ```Bicep + [ + '[subscription().id]' + ] + ``` ### Parameter: `severity` @@ -337,7 +358,16 @@ The severity of the alert. - Required: No - Type: int - Default: `3` -- Allowed: `[0, 1, 2, 3, 4]` +- Allowed: + ```Bicep + [ + 0 + 1 + 2 + 3 + 4 + ] + ``` ### Parameter: `tags` @@ -365,7 +395,19 @@ the period of time (in ISO 8601 duration format) that is used to monitor alert a - Required: No - Type: string - Default: `'PT15M'` -- Allowed: `[P1D, PT12H, PT15M, PT1H, PT1M, PT30M, PT5M, PT6H]` +- Allowed: + ```Bicep + [ + 'P1D' + 'PT12H' + 'PT15M' + 'PT1H' + 'PT1M' + 'PT30M' + 'PT5M' + 'PT6H' + ] + ``` ## Outputs diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index 7a4003acd4..f81174bdb5 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -277,7 +277,13 @@ Indicates the type of scheduled query rule. - Required: No - Type: string - Default: `'LogAlert'` -- Allowed: `[LogAlert, LogToMetric]` +- Allowed: + ```Bicep + [ + 'LogAlert' + 'LogToMetric' + ] + ``` ### Parameter: `location` @@ -379,7 +385,16 @@ Severity of the alert. Should be an integer between [0-4]. Value of 0 is severes - Required: No - Type: int - Default: `3` -- Allowed: `[0, 1, 2, 3, 4]` +- Allowed: + ```Bicep + [ + 0 + 1 + 2 + 3 + 4 + ] + ``` ### Parameter: `skipQueryValidation` 
diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index c0fb2f99fe..9c53d80ad2 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -235,7 +235,7 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { An XML configuration specification for a WebTest. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `description` @@ -271,7 +271,14 @@ The kind of WebTest that this web test watches. - Required: No - Type: string - Default: `'standard'` -- Allowed: `[multistep, ping, standard]` +- Allowed: + ```Bicep + [ + 'multistep' + 'ping' + 'standard' + ] + ``` ### Parameter: `location` @@ -285,7 +292,26 @@ Location for all Resources. List of where to physically run the tests from to give global coverage for accessibility of your application. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + Id: 'us-il-ch1-azr' + } + { + Id: 'us-fl-mia-edge' + } + { + Id: 'latam-br-gru-edge' + } + { + Id: 'apac-sg-sin-azr' + } + { + Id: 'emea-nl-ams-azr' + } + ] + ``` ### Parameter: `lock` @@ -426,7 +452,7 @@ Seconds until this WebTest will timeout and fail. The collection of validation rule properties. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `webTestName` diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 28af1e5341..5645f22dd2 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md 
@@ -1004,7 +1004,7 @@ Name of the Key Vault. Must be globally unique. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `privateEndpoints` @@ -1180,7 +1180,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -1255,7 +1262,7 @@ Required. The name of the role to assign. If it cannot be found you can specify All secrets to create. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `softDeleteRetentionInDays` @@ -1276,7 +1283,13 @@ Specifies the SKU for the vault. - Required: No - Type: string - Default: `'premium'` -- Allowed: `[premium, standard]` +- Allowed: + ```Bicep + [ + 'premium' + 'standard' + ] + ``` ## Outputs diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index 561700f223..9a4617afd2 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -74,7 +74,15 @@ The elliptic curve name. - Required: No - Type: string - Default: `'P-256'` -- Allowed: `[P-256, P-256K, P-384, P-521]` +- Allowed: + ```Bicep + [ + 'P-256' + 'P-256K' + 'P-384' + 'P-521' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -89,7 +97,18 @@ Array of JsonWebKeyOperation. - Required: No - Type: array - Default: `[]` -- Allowed: `[decrypt, encrypt, import, sign, unwrapKey, verify, wrapKey]` +- Allowed: + ```Bicep + [ + 'decrypt' + 'encrypt' + 'import' + 'sign' + 'unwrapKey' + 'verify' + 'wrapKey' + ] + ``` ### Parameter: `keySize` 
@@ -110,7 +129,15 @@ The type of the key. - Required: No - Type: string - Default: `'EC'` -- Allowed: `[EC, EC-HSM, RSA, RSA-HSM]` +- Allowed: + ```Bicep + [ + 'EC' + 'EC-HSM' + 'RSA' + 'RSA-HSM' + ] + ``` ### Parameter: `name` @@ -191,7 +218,7 @@ Required. The name of the role to assign. If it cannot be found you can specify Key rotation policy properties object. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index b084bf2dd2..31bd67803a 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -244,14 +244,14 @@ The name of the AKS cluster that should be configured. Configuration settings that are sensitive, as name-value pairs for configuring this extension. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `configurationSettings` Configuration settings, as name-value pairs for configuring this extension. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 4920286fde..ac523aecce 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -242,7 +242,7 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu Parameters to reconcile to the GitRepository source kind type. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `clusterName` 
@@ -255,7 +255,7 @@ The name of the AKS cluster that should be configured. Key-value pairs of protected configuration settings for the configuration. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -269,14 +269,14 @@ Enable telemetry via a Globally Unique Identifier (GUID). Parameters to reconcile to the GitRepository source kind type. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `kustomizations` Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -302,14 +302,26 @@ The namespace to which this configuration is installed to. Maximum of 253 lower Scope at which the configuration will be installed. - Required: Yes - Type: string -- Allowed: `[cluster, namespace]` +- Allowed: + ```Bicep + [ + 'cluster' + 'namespace' + ] + ``` ### Parameter: `sourceKind` Source Kind to pull the configuration data from. - Required: Yes - Type: string -- Allowed: `[Bucket, GitRepository]` +- Allowed: + ```Bicep + [ + 'Bucket' + 'GitRepository' + ] + ``` ### Parameter: `suspend` diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index f1190e77fd..b60f3509e9 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md 
@@ -265,28 +265,28 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { The access control configuration for workflow actions. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `connectorEndpointsConfiguration` The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `contentsAccessControlConfiguration` The access control configuration for accessing workflow run contents. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `definitionParameters` Parameters for the definition template. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `diagnosticSettings` @@ -415,7 +415,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The integration account. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `integrationServiceEnvironmentResourceId` @@ -564,7 +564,17 @@ The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Completed, Deleted, Disabled, Enabled, NotSpecified, Suspended]` +- Allowed: + ```Bicep + [ + 'Completed' + 'Deleted' + 'Disabled' + 'Enabled' + 'NotSpecified' + 'Suspended' + ] + ``` ### Parameter: `tags` 
@@ -577,56 +587,56 @@ Tags of the resource. The access control configuration for invoking workflow triggers. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowActions` The definitions for one or more actions to execute at workflow runtime. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowEndpointsConfiguration` The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowManagementAccessControlConfiguration` The access control configuration for workflow management. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowOutputs` The definitions for the outputs to return from a workflow run. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowParameters` The definitions for one or more parameters that pass the values to use at your logic app's runtime. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowStaticResults` The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workflowTriggers` The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index e5915c0e53..8bb70f240e 100644 
--- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -792,8 +792,14 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. At least one identity type is required. -- Required: Yes +- Required: No - Type: object +- Default: + ```Bicep + { + systemAssigned: true + } + ``` | Name | Required | Type | Description | @@ -1002,7 +1008,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -1077,7 +1090,7 @@ Required. The name of the role to assign. If it cannot be found you can specify The service managed resource settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `sharedPrivateLinkResources` @@ -1091,7 +1104,15 @@ The list of shared private link resources in this workspace. Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. - Required: Yes - Type: string -- Allowed: `[Basic, Free, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Free' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 6970b0eab7..a25e4d7226 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md 
@@ -60,7 +60,21 @@ Location for the underlying compute. Ignored when attaching a compute resource, Set the object type. - Required: Yes - Type: string -- Allowed: `[AKS, AmlCompute, ComputeInstance, Databricks, DataFactory, DataLakeAnalytics, HDInsight, Kubernetes, SynapseSpark, VirtualMachine]` +- Allowed: + ```Bicep + [ + 'AKS' + 'AmlCompute' + 'ComputeInstance' + 'Databricks' + 'DataFactory' + 'DataLakeAnalytics' + 'HDInsight' + 'Kubernetes' + 'SynapseSpark' + 'VirtualMachine' + ] + ``` ### Parameter: `deployCompute` @@ -140,7 +154,7 @@ Name of the compute. The properties of the compute. Will be ignored in case "resourceId" is set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `resourceId` @@ -155,7 +169,16 @@ Specifies the sku, also referred as "edition". Required for creating a compute r - Required: No - Type: string - Default: `''` -- Allowed: `['', Basic, Free, Premium, Standard]` +- Allowed: + ```Bicep + [ + '' + 'Basic' + 'Free' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json index 6926b95f8a..185b53e091 100644 --- a/modules/machine-learning-services/workspace/compute/main.json +++ b/modules/machine-learning-services/workspace/compute/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12092776287732059217" + "templateHash": "4219662265444129565" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", @@ -231,4 +231,4 @@ "value": "[reference('machineLearningWorkspaceCompute', '2022-10-01', 'full').location]" } } -} +} \ No newline at end of file 
diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 66a31f66ed..ddce26921e 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -266,14 +266,14 @@ Enable telemetry via a Globally Unique Identifier (GUID). Gets or sets extensionProperties of the maintenanceConfiguration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `installPatches` Configuration settings for VM guest patching with Azure Update Manager. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -315,14 +315,24 @@ Gets or sets maintenanceScope of the configuration. - Required: No - Type: string - Default: `'Host'` -- Allowed: `[Extension, Host, InGuestPatch, OSImage, SQLDB, SQLManagedInstance]` +- Allowed: + ```Bicep + [ + 'Extension' + 'Host' + 'InGuestPatch' + 'OSImage' + 'SQLDB' + 'SQLManagedInstance' + ] + ``` ### Parameter: `maintenanceWindow` Definition of a MaintenanceWindow. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` @@ -417,7 +427,14 @@ Gets or sets the visibility of the configuration. The default value is 'Custom'. - Required: No - Type: string - Default: `''` -- Allowed: `['', Custom, Public]` +- Allowed: + ```Bicep + [ + '' + 'Custom' + 'Public' + ] + ``` ## Outputs diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index bdeec9f849..376ed58ced 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md 
@@ -66,7 +66,13 @@ Encryption type of the capacity pool, set encryption type for data at rest for t - Required: No - Type: string - Default: `'Single'` -- Allowed: `[Double, Single]` +- Allowed: + ```Bicep + [ + 'Double' + 'Single' + ] + ``` ### Parameter: `location` @@ -93,7 +99,13 @@ The qos type of the pool. - Required: No - Type: string - Default: `'Auto'` -- Allowed: `[Auto, Manual]` +- Allowed: + ```Bicep + [ + 'Auto' + 'Manual' + ] + ``` ### Parameter: `roleAssignments` @@ -169,7 +181,15 @@ The pool service level. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Premium, Standard, StandardZRS, Ultra]` +- Allowed: + ```Bicep + [ + 'Premium' + 'Standard' + 'StandardZRS' + 'Ultra' + ] + ``` ### Parameter: `size` diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index 9e060fc9af..ebfb90556a 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md @@ -172,7 +172,15 @@ The pool service level. Must match the one of the parent capacity pool. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Premium, Standard, StandardZRS, Ultra]` +- Allowed: + ```Bicep + [ + 'Premium' + 'Standard' + 'StandardZRS' + 'Ultra' + ] + ``` ### Parameter: `subnetResourceId` diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index 368139a3d1..5aedf8a85a 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -174,7 +174,7 @@ Location for all resources. Describes the managedRules structure. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` 
@@ -187,7 +187,7 @@ Name of the Application Gateway WAF policy. The PolicySettings for policy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 920ca3d003..f429cc90cb 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -1621,7 +1621,18 @@ The name of the SKU for the Application Gateway. - Required: No - Type: string - Default: `'WAF_Medium'` -- Allowed: `[Standard_Large, Standard_Medium, Standard_Small, Standard_v2, WAF_Large, WAF_Medium, WAF_v2]` +- Allowed: + ```Bicep + [ + 'Standard_Large' + 'Standard_Medium' + 'Standard_Small' + 'Standard_v2' + 'WAF_Large' + 'WAF_Medium' + 'WAF_v2' + ] + ``` ### Parameter: `sslCertificates` 
@@ -1635,8 +1646,46 @@ SSL certificates of the application gateway resource. Ssl cipher suites to be enabled in the specified order to application gateway. - Required: No - Type: array -- Default: `[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]` -- Allowed: `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` +- Default: + ```Bicep + [ + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' + ] + ``` +- Allowed: + ```Bicep + [ + 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256' + 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA' + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' + 
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' + 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' + 'TLS_RSA_WITH_AES_128_CBC_SHA' + 'TLS_RSA_WITH_AES_128_CBC_SHA256' + 'TLS_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_RSA_WITH_AES_256_CBC_SHA' + 'TLS_RSA_WITH_AES_256_CBC_SHA256' + 'TLS_RSA_WITH_AES_256_GCM_SHA384' + ] + ``` ### Parameter: `sslPolicyMinProtocolVersion` @@ -1644,7 +1693,15 @@ Ssl protocol enums. - Required: No - Type: string - Default: `'TLSv1_2'` -- Allowed: `[TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3]` +- Allowed: + ```Bicep + [ + 'TLSv1_0' + 'TLSv1_1' + 'TLSv1_2' + 'TLSv1_3' + ] + ``` ### Parameter: `sslPolicyName` @@ -1652,7 +1709,17 @@ Ssl predefined policy name enums. - Required: No - Type: string - Default: `''` -- Allowed: `['', AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S]` +- Allowed: + ```Bicep + [ + '' + 'AppGwSslPolicy20150501' + 'AppGwSslPolicy20170401' + 'AppGwSslPolicy20170401S' + 'AppGwSslPolicy20220101' + 'AppGwSslPolicy20220101S' + ] + ``` ### Parameter: `sslPolicyType` @@ -1660,7 +1727,14 @@ Type of Ssl Policy. - Required: No - Type: string - Default: `'Custom'` -- Allowed: `[Custom, CustomV2, Predefined]` +- Allowed: + ```Bicep + [ + 'Custom' + 'CustomV2' + 'Predefined' + ] + ``` ### Parameter: `sslProfiles` @@ -1701,7 +1775,7 @@ URL path map of the application gateway resource. Application gateway web application firewall configuration. Should be configured for security reasons. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `zones` diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index cda3fedb91..c58b8068b9 100644 
--- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -807,7 +807,14 @@ Tier of an Azure Firewall. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Basic, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `diagnosticSettings` @@ -943,7 +950,7 @@ Resource ID of the Firewall Policy that should be attached. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -984,7 +991,7 @@ Optional. Specify the name of lock. Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `managementIPResourceID` @@ -1018,7 +1025,12 @@ Collection of network rule collections used by Azure Firewall. Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + name: '[format(\'{0}-pip\' parameters(\'name\'))]' + } + ``` ### Parameter: `publicIPResourceID` @@ -1107,7 +1119,14 @@ The operation mode for Threat Intel. - Required: No - Type: string - Default: `'Deny'` -- Allowed: `[Alert, Deny, Off]` +- Allowed: + ```Bicep + [ + 'Alert' + 'Deny' + 'Off' + ] + ``` ### Parameter: `virtualHubId` @@ -1128,7 +1147,14 @@ Shared services Virtual Network resource ID. The virtual network ID containing A Zone numbers e.g. 1,2,3. - Required: No - Type: array -- Default: `[1, 2, 3]` +- Default: + ```Bicep + [ + '1' + '2' + '3' + ] + ``` ## Outputs diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index e0c9205ba4..625f27b070 100644 
--- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -570,7 +570,12 @@ Name of the Azure Bastion resource. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + name: '[format(\'{0}-pip\' parameters(\'name\'))]' + } + ``` ### Parameter: `roleAssignments` @@ -653,7 +658,13 @@ The SKU of this Bastion Host. - Required: No - Type: string - Default: `'Basic'` -- Allowed: `[Basic, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index cc392ea1ae..d8f8169acb 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -171,7 +171,14 @@ The connection connectionMode for this connection. Available for IPSec connectio - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Default, InitiatorOnly, ResponderOnly]` +- Allowed: + ```Bicep + [ + 'Default' + 'InitiatorOnly' + 'ResponderOnly' + ] + ``` ### Parameter: `connectionProtocol` @@ -179,7 +186,13 @@ Connection connectionProtocol used for this connection. Available for IPSec conn - Required: No - Type: string - Default: `'IKEv2'` -- Allowed: `[IKEv1, IKEv2]` +- Allowed: + ```Bicep + [ + 'IKEv1' + 'IKEv2' + ] + ``` ### Parameter: `connectionType` 
@@ -187,14 +200,34 @@ Gateway connection connectionType. - Required: No - Type: string - Default: `'IPsec'` -- Allowed: `[ExpressRoute, IPsec, Vnet2Vnet, VPNClient]` +- Allowed: + ```Bicep + [ + 'ExpressRoute' + 'IPsec' + 'Vnet2Vnet' + 'VPNClient' + ] + ``` ### Parameter: `customIPSecPolicy` The IPSec Policies to be considered by this connection. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + dhGroup: '' + ikeEncryption: '' + ikeIntegrity: '' + ipsecEncryption: '' + ipsecIntegrity: '' + pfsGroup: '' + saDataSizeKilobytes: 0 + saLifeTimeSeconds: 0 + } + ``` ### Parameter: `dpdTimeoutSeconds` @@ -236,7 +269,7 @@ Bypass ExpressRoute Gateway for data forwarding. Only available when connection The local network gateway. Used for connection type [IPsec]. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -283,7 +316,7 @@ Remote connection name. The remote peer. Used for connection connectionType [ExpressRoute]. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `routingWeight` @@ -323,7 +356,7 @@ The primary Virtual Network Gateway. The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `vpnSharedKey` diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md index 7f9b46b23d..39dd2043dd 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md @@ -65,7 +65,13 @@ The state of forwarding rule. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `location` 
@@ -79,7 +85,7 @@ Location for all resources. Metadata attached to the forwarding rule. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md index 8f6ad2bc21..222006ccc6 100644 --- a/modules/network/dns-zone/a/README.md +++ b/modules/network/dns-zone/a/README.md @@ -66,7 +66,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md index 75adf53933..fb0bcad96e 100644 --- a/modules/network/dns-zone/aaaa/README.md +++ b/modules/network/dns-zone/aaaa/README.md @@ -66,7 +66,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md index 29980a362d..bd705d06a7 100644 --- a/modules/network/dns-zone/caa/README.md +++ b/modules/network/dns-zone/caa/README.md @@ -65,7 +65,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md index 2f06be8f3a..063728513a 100644 --- a/modules/network/dns-zone/cname/README.md +++ b/modules/network/dns-zone/cname/README.md @@ -46,7 +46,7 @@ This module deploys a Public DNS Zone CNAME record. A CNAME record. Cannot be used in conjuction with the "targetResource" property. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `dnsZoneName` 
@@ -66,7 +66,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md index a2f9f80afd..7aaa4e37fe 100644 --- a/modules/network/dns-zone/mx/README.md +++ b/modules/network/dns-zone/mx/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `mxRecords` diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md index 8a48a9ed9e..4330bd1fd0 100644 --- a/modules/network/dns-zone/ns/README.md +++ b/modules/network/dns-zone/ns/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md index fb72f7e423..6609c1ff35 100644 --- a/modules/network/dns-zone/ptr/README.md +++ b/modules/network/dns-zone/ptr/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md index a9c838ea26..155270e1da 100644 --- a/modules/network/dns-zone/soa/README.md +++ b/modules/network/dns-zone/soa/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` 
@@ -139,7 +139,7 @@ Required. The name of the role to assign. If it cannot be found you can specify A SOA record. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `ttl` diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md index 32dd9091a8..0143e63e5d 100644 --- a/modules/network/dns-zone/srv/README.md +++ b/modules/network/dns-zone/srv/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md index bfc46bccd2..35897fbd07 100644 --- a/modules/network/dns-zone/txt/README.md +++ b/modules/network/dns-zone/txt/README.md @@ -58,7 +58,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 4bd12d9edc..3372a9e824 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -488,7 +488,13 @@ BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPe - Required: No - Type: string - Default: `'AzurePrivatePeering'` -- Allowed: `[AzurePrivatePeering, MicrosoftPeering]` +- Allowed: + ```Bicep + [ + 'AzurePrivatePeering' + 'MicrosoftPeering' + ] + ``` ### Parameter: `primaryPeerAddressPrefix` @@ -591,7 +597,13 @@ Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedD - Required: No - Type: string - Default: `'MeteredData'` -- Allowed: `[MeteredData, UnlimitedData]` +- Allowed: + ```Bicep + [ + 'MeteredData' + 'UnlimitedData' + ] + ``` ### Parameter: `skuTier` 
@@ -599,7 +611,14 @@ Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Local, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Local' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index fdc06817f0..8c99b839b8 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -273,7 +273,13 @@ The operation mode for automatically learning private ranges to not be SNAT. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `basePolicyResourceId` @@ -376,7 +382,14 @@ The configuring of intrusion detection. - Required: No - Type: string - Default: `'Off'` -- Allowed: `[Alert, Deny, Off]` +- Allowed: + ```Bicep + [ + 'Alert' + 'Deny' + 'Off' + ] + ``` ### Parameter: `name` @@ -431,7 +444,14 @@ The operation mode for Threat Intel. - Required: No - Type: string - Default: `'Off'` -- Allowed: `[Alert, Deny, Off]` +- Allowed: + ```Bicep + [ + 'Alert' + 'Deny' + 'Off' + ] + ``` ### Parameter: `tier` @@ -439,7 +459,13 @@ Tier of Firewall Policy. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Premium' + 'Standard' + ] + ``` ### Parameter: `workspaces` diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index 81f51e5a93..09ab8eda51 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md 
@@ -325,7 +325,30 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo The custom rules inside the policy. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + rules: [ + { + action: 'Block' + enabledState: 'Enabled' + matchConditions: [ + { + matchValue: [ + 'ZZ' + ] + matchVariable: 'RemoteAddr' + negateCondition: true + operator: 'GeoMatch' + } + ] + name: 'ApplyGeoFilter' + priority: 100 + ruleType: 'MatchRule' + } + ] + } + ``` ### Parameter: `enableDefaultTelemetry` @@ -373,7 +396,26 @@ Optional. Specify the name of lock. Describes the managedRules structure. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + managedRuleSets: [ + { + exclusions: [] + ruleGroupOverrides: [] + ruleSetAction: 'Block' + ruleSetType: 'Microsoft_DefaultRuleSet' + ruleSetVersion: '2.1' + } + { + exclusions: [] + ruleGroupOverrides: [] + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '1.0' + } + ] + } + ``` ### Parameter: `name` @@ -386,7 +428,13 @@ Name of the Front Door WAF policy. The PolicySettings for policy. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + enabledState: 'Enabled' + mode: 'Prevention' + } + ``` ### Parameter: `roleAssignments` @@ -462,7 +510,13 @@ The pricing tier of the WAF profile. - Required: No - Type: string - Default: `'Standard_AzureFrontDoor'` -- Allowed: `[Premium_AzureFrontDoor, Standard_AzureFrontDoor]` +- Allowed: + ```Bicep + [ + 'Premium_AzureFrontDoor' + 'Standard_AzureFrontDoor' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index f372102f21..f6c2ff8e44 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md 
@@ -885,7 +885,13 @@ Name of a load balancer SKU. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Basic, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/load-balancer/backend-address-pool/README.md b/modules/network/load-balancer/backend-address-pool/README.md index 99b752c0a9..98c95d3b23 100644 --- a/modules/network/load-balancer/backend-address-pool/README.md +++ b/modules/network/load-balancer/backend-address-pool/README.md @@ -78,7 +78,14 @@ Backend address synchronous mode for the backend pool. - Required: No - Type: string - Default: `''` -- Allowed: `['', Automatic, Manual]` +- Allowed: + ```Bicep + [ + '' + 'Automatic' + 'Manual' + ] + ``` ### Parameter: `tunnelInterfaces` diff --git a/modules/network/load-balancer/inbound-nat-rule/README.md b/modules/network/load-balancer/inbound-nat-rule/README.md index 012c32a79f..5cd6e7873d 100644 --- a/modules/network/load-balancer/inbound-nat-rule/README.md +++ b/modules/network/load-balancer/inbound-nat-rule/README.md @@ -131,7 +131,14 @@ The transport protocol for the endpoint. - Required: No - Type: string - Default: `'Tcp'` -- Allowed: `[All, Tcp, Udp]` +- Allowed: + ```Bicep + [ + 'All' + 'Tcp' + 'Udp' + ] + ``` ## Outputs diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 469e4b7aee..2827d18f97 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -294,7 +294,14 @@ Auxiliary mode of Network Interface resource. Not all regions are enabled for Au - Required: No - Type: string - Default: `'None'` -- Allowed: `[Floating, MaxConnections, None]` +- Allowed: + ```Bicep + [ + 'Floating' + 'MaxConnections' + 'None' + ] + ``` ### Parameter: `auxiliarySku` 
@@ -302,7 +309,16 @@ Auxiliary sku of Network Interface resource. Not all regions are enabled for Aux - Required: No - Type: string - Default: `'None'` -- Allowed: `[A1, A2, A4, A8, None]` +- Allowed: + ```Bicep + [ + 'A1' + 'A2' + 'A4' + 'A8' + 'None' + ] + ``` ### Parameter: `diagnosticSettings` diff --git a/modules/network/network-manager/connectivity-configuration/README.md b/modules/network/network-manager/connectivity-configuration/README.md index cf5ff24e23..82d0de0287 100644 --- a/modules/network/network-manager/connectivity-configuration/README.md +++ b/modules/network/network-manager/connectivity-configuration/README.md @@ -54,7 +54,13 @@ Network Groups for the configuration. Connectivity topology type. - Required: Yes - Type: string -- Allowed: `[HubAndSpoke, Mesh]` +- Allowed: + ```Bicep + [ + 'HubAndSpoke' + 'Mesh' + ] + ``` ### Parameter: `deleteExistingPeering` @@ -62,7 +68,13 @@ Flag if need to remove current existing peerings. If set to "True", all peerings - Required: No - Type: string - Default: `'False'` -- Allowed: `[False, True]` +- Allowed: + ```Bicep + [ + 'False' + 'True' + ] + ``` ### Parameter: `description` @@ -91,7 +103,13 @@ Flag if global mesh is supported. By default, mesh connectivity is applied to vi - Required: No - Type: string - Default: `'False'` -- Allowed: `[False, True]` +- Allowed: + ```Bicep + [ + 'False' + 'True' + ] + ``` ### Parameter: `name` diff --git a/modules/network/network-manager/security-admin-configuration/README.md b/modules/network/network-manager/security-admin-configuration/README.md index c6cb473a8a..e49e0a6867 100644 --- a/modules/network/network-manager/security-admin-configuration/README.md +++ b/modules/network/network-manager/security-admin-configuration/README.md 
@@ -46,8 +46,20 @@ A security admin configuration contains a set of rule collections. Each rule col Enum list of network intent policy based services. - Required: No - Type: array -- Default: `[None]` -- Allowed: `[All, AllowRulesOnly, None]` +- Default: + ```Bicep + [ + 'None' + ] + ``` +- Allowed: + ```Bicep + [ + 'All' + 'AllowRulesOnly' + 'None' + ] + ``` ### Parameter: `description` diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md index 6f0eb7a62f..dfb454ced3 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md @@ -52,7 +52,14 @@ A security admin configuration contains a set of rule collections. Each rule col Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. - Required: Yes - Type: string -- Allowed: `[Allow, AlwaysAllow, Deny]` +- Allowed: + ```Bicep + [ + 'Allow' + 'AlwaysAllow' + 'Deny' + ] + ``` ### Parameter: `description` @@ -80,7 +87,13 @@ The destnations filter can be an IP Address or a service tag. Each filter contai Indicates if the traffic matched against the rule in inbound or outbound. - Required: Yes - Type: string -- Allowed: `[Inbound, Outbound]` +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` ### Parameter: `enableDefaultTelemetry` 
@@ -112,7 +125,17 @@ The priority of the rule. The value can be between 1 and 4096. The priority numb Network protocol this rule applies to. - Required: Yes - Type: string -- Allowed: `[Ah, Any, Esp, Icmp, Tcp, Udp]` +- Allowed: + ```Bicep + [ + 'Ah' + 'Any' + 'Esp' + 'Icmp' + 'Tcp' + 'Udp' + ] + ``` ### Parameter: `ruleCollectionName` diff --git a/modules/network/network-security-group/security-rule/README.md b/modules/network/network-security-group/security-rule/README.md index bac421ca53..98658edd16 100644 --- a/modules/network/network-security-group/security-rule/README.md +++ b/modules/network/network-security-group/security-rule/README.md @@ -56,7 +56,13 @@ Whether network traffic is allowed or denied. - Required: No - Type: string - Default: `'Deny'` -- Allowed: `[Allow, Deny]` +- Allowed: + ```Bicep + [ + 'Allow' + 'Deny' + ] + ``` ### Parameter: `description` @@ -105,7 +111,13 @@ The destination port ranges. The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Required: Yes - Type: string -- Allowed: `[Inbound, Outbound]` +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -137,7 +149,17 @@ The priority of the rule. The value can be between 100 and 4096. The priority nu Network protocol this rule applies to. - Required: Yes - Type: string -- Allowed: `[*, Ah, Esp, Icmp, Tcp, Udp]` +- Allowed: + ```Bicep + [ + '*' + 'Ah' + 'Esp' + 'Icmp' + 'Tcp' + 'Udp' + ] + ``` ### Parameter: `sourceAddressPrefix` diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md index f9b2dddaf0..512cbc68db 100644 --- a/modules/network/network-watcher/flow-log/README.md +++ b/modules/network/network-watcher/flow-log/README.md @@ -60,7 +60,13 @@ The flow log format version. - Required: No - Type: int - Default: `2` -- Allowed: `[1, 2]` +- Allowed: + ```Bicep + [ + 1 + 2 + ] + ``` ### Parameter: `location` 
@@ -114,7 +120,13 @@ The interval in minutes which would decide how frequently TA service should do f - Required: No - Type: int - Default: `60` -- Allowed: `[10, 60]` +- Allowed: + ```Bicep + [ + 10 + 60 + ] + ``` ### Parameter: `workspaceResourceId` diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md index e7413b50ac..9c8802653e 100644 --- a/modules/network/private-dns-zone/a/README.md +++ b/modules/network/private-dns-zone/a/README.md @@ -59,7 +59,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md index fecf313e79..d825a7c1c4 100644 --- a/modules/network/private-dns-zone/aaaa/README.md +++ b/modules/network/private-dns-zone/aaaa/README.md @@ -59,7 +59,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md index a22ac7e936..0a2e3b151b 100644 --- a/modules/network/private-dns-zone/cname/README.md +++ b/modules/network/private-dns-zone/cname/README.md @@ -45,7 +45,7 @@ This module deploys a Private DNS Zone CNAME record. A CNAME record. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -59,7 +59,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md index 86277ddc26..f8ec7f7dfa 100644 
--- a/modules/network/private-dns-zone/mx/README.md +++ b/modules/network/private-dns-zone/mx/README.md @@ -52,7 +52,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `mxRecords` diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md index 0aac5aedb4..58f270d3c3 100644 --- a/modules/network/private-dns-zone/ptr/README.md +++ b/modules/network/private-dns-zone/ptr/README.md @@ -52,7 +52,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md index 253483e9db..827a5007c3 100644 --- a/modules/network/private-dns-zone/soa/README.md +++ b/modules/network/private-dns-zone/soa/README.md @@ -52,7 +52,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` @@ -139,7 +139,7 @@ Required. The name of the role to assign. If it cannot be found you can specify A SOA record. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `ttl` diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md index d216712172..650c311142 100644 --- a/modules/network/private-dns-zone/srv/README.md +++ b/modules/network/private-dns-zone/srv/README.md @@ -52,7 +52,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` 
diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 78aaaf1497..600c4871f0 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md @@ -52,7 +52,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The metadata attached to the record set. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index a9dbe52c17..0255a52263 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -305,7 +305,7 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' The auto-approval list of the private link service. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -326,7 +326,7 @@ Lets the service provider use tcp proxy v2 to retrieve connection information ab The extended location of the load balancer. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `fqdns` @@ -468,7 +468,7 @@ Tags to be applied on all resources/resource groups in this deployment. Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 4f3ad77e59..8d6d6c6221 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md 
@@ -374,7 +374,16 @@ The domain name label scope. If a domain name label and a domain name label scop - Required: No - Type: string - Default: `''` -- Allowed: `['', NoReuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse]` +- Allowed: + ```Bicep + [ + '' + 'NoReuse' + 'ResourceGroupReuse' + 'SubscriptionReuse' + 'TenantReuse' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -436,7 +445,13 @@ IP address version. - Required: No - Type: string - Default: `'IPv4'` -- Allowed: `[IPv4, IPv6]` +- Allowed: + ```Bicep + [ + 'IPv4' + 'IPv6' + ] + ``` ### Parameter: `publicIPAllocationMethod` @@ -444,7 +459,13 @@ The public IP address allocation method. - Required: No - Type: string - Default: `'Static'` -- Allowed: `[Dynamic, Static]` +- Allowed: + ```Bicep + [ + 'Dynamic' + 'Static' + ] + ``` ### Parameter: `publicIPPrefixResourceId` @@ -534,7 +555,13 @@ Name of a public IP address SKU. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Basic, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Standard' + ] + ``` ### Parameter: `skuTier` @@ -542,7 +569,13 @@ Tier of a public IP address SKU. - Required: No - Type: string - Default: `'Regional'` -- Allowed: `[Global, Regional]` +- Allowed: + ```Bicep + [ + 'Global' + 'Regional' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index b4f5ab4c19..b9575104a9 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md 
@@ -197,7 +197,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 90a4577d8b..e1247c8513 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -398,7 +398,14 @@ Maximum number of endpoints to be returned for MultiValue routing type. The endpoint monitoring settings of the Traffic Manager profile. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + path: '/' + port: '80' + protocol: 'http' + } + ``` ### Parameter: `name` @@ -412,7 +419,13 @@ The status of the Traffic Manager profile. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `relativeName` @@ -500,7 +513,17 @@ The traffic routing method of the Traffic Manager profile. - Required: No - Type: string - Default: `'Performance'` -- Allowed: `[Geographic, MultiValue, Performance, Priority, Subnet, Weighted]` +- Allowed: + ```Bicep + [ + 'Geographic' + 'MultiValue' + 'Performance' + 'Priority' + 'Subnet' + 'Weighted' + ] + ``` ### Parameter: `trafficViewEnrollmentStatus` 
@@ -508,7 +531,13 @@ Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manage - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `ttl` diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 8524210391..9d543ddf8f 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -349,7 +349,15 @@ The preferred routing gateway types. - Required: No - Type: string - Default: `''` -- Allowed: `['', ExpressRoute, None, VpnGateway]` +- Allowed: + ```Bicep + [ + '' + 'ExpressRoute' + 'None' + 'VpnGateway' + ] + ``` ### Parameter: `routeTableRoutes` @@ -378,7 +386,13 @@ The sku of this VirtualHub. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Basic, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/README.md b/modules/network/virtual-hub/hub-virtual-network-connection/README.md index 91988c38ee..f591dc99f6 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/README.md +++ b/modules/network/virtual-hub/hub-virtual-network-connection/README.md @@ -69,7 +69,7 @@ Resource ID of the virtual network to link to. Routing Configuration indicating the associated and propagated route tables for this connection. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `virtualHubName` diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 763d5b9fb3..c43561c8b2 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md 
@@ -882,7 +882,13 @@ Specifies the name of the Public IP used by the Virtual Network Gateway. If it's Specifies the gateway type. E.g. VPN, ExpressRoute. - Required: Yes - Type: string -- Allowed: `[ExpressRoute, Vpn]` +- Allowed: + ```Bicep + [ + 'ExpressRoute' + 'Vpn' + ] + ``` ### Parameter: `location` @@ -1133,7 +1139,28 @@ Required. The name of the role to assign. If it cannot be found you can specify The SKU of the Gateway. - Required: Yes - Type: string -- Allowed: `[Basic, ErGw1AZ, ErGw2AZ, ErGw3AZ, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, VpnGw5AZ]` +- Allowed: + ```Bicep + [ + 'Basic' + 'ErGw1AZ' + 'ErGw2AZ' + 'ErGw3AZ' + 'HighPerformance' + 'Standard' + 'UltraPerformance' + 'VpnGw1' + 'VpnGw1AZ' + 'VpnGw2' + 'VpnGw2AZ' + 'VpnGw3' + 'VpnGw3AZ' + 'VpnGw4' + 'VpnGw4AZ' + 'VpnGw5' + 'VpnGw5AZ' + ] + ``` ### Parameter: `tags` @@ -1152,7 +1179,7 @@ Virtual Network resource ID. Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `vpnClientAddressPoolPrefix` @@ -1167,7 +1194,14 @@ The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGat - Required: No - Type: string - Default: `'None'` -- Allowed: `[Generation1, Generation2, None]` +- Allowed: + ```Bicep + [ + 'Generation1' + 'Generation2' + 'None' + ] + ``` ### Parameter: `vpnType` @@ -1175,7 +1209,13 @@ Specifies the VPN type. - Required: No - Type: string - Default: `'RouteBased'` -- Allowed: `[PolicyBased, RouteBased]` +- Allowed: + ```Bicep + [ + 'PolicyBased' + 'RouteBased' + ] + ``` ## Outputs diff --git a/modules/network/virtual-network-gateway/nat-rule/README.md b/modules/network/virtual-network-gateway/nat-rule/README.md index 9bb8945e60..854cb64616 100644 --- a/modules/network/virtual-network-gateway/nat-rule/README.md 
+++ b/modules/network/virtual-network-gateway/nat-rule/README.md @@ -74,7 +74,14 @@ The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as In - Required: No - Type: string - Default: `''` -- Allowed: `['', EgressSnat, IngressSnat]` +- Allowed: + ```Bicep + [ + '' + 'EgressSnat' + 'IngressSnat' + ] + ``` ### Parameter: `name` @@ -88,7 +95,14 @@ The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes - Required: No - Type: string - Default: `''` -- Allowed: `['', Dynamic, Static]` +- Allowed: + ```Bicep + [ + '' + 'Dynamic' + 'Static' + ] + ``` ### Parameter: `virtualNetworkGatewayName` diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 6ae0427141..c001ac80f3 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -745,7 +745,13 @@ If the encrypted VNet allows VM that does not support encryption. Can only be us - Required: No - Type: string - Default: `'AllowUnencrypted'` -- Allowed: `[AllowUnencrypted, DropUnencrypted]` +- Allowed: + ```Bicep + [ + 'AllowUnencrypted' + 'DropUnencrypted' + ] + ``` ## Outputs diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index b499e44cee..21a6956f67 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -117,7 +117,14 @@ enable or disable apply network policies on private endpoint in the subnet. - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `privateLinkServiceNetworkPolicies` 
@@ -125,7 +132,14 @@ enable or disable apply network policies on private link service in the subnet. - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 4a43dbc3ca..1d107f2932 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -350,7 +350,13 @@ The type of the Virtual WAN. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Basic, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Standard' + ] + ``` ## Outputs diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index c9b7d5e440..8ad433891d 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -263,7 +263,7 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { BGP settings details. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableBgpRouteTranslationForNat` diff --git a/modules/network/vpn-gateway/nat-rule/README.md b/modules/network/vpn-gateway/nat-rule/README.md index 8ce3c4b7a9..a14fb65749 100644 --- a/modules/network/vpn-gateway/nat-rule/README.md +++ b/modules/network/vpn-gateway/nat-rule/README.md @@ -74,7 +74,14 @@ The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source - Required: No - Type: string - Default: `''` -- Allowed: `['', EgressSnat, IngressSnat]` +- Allowed: + ```Bicep + [ + '' + 'EgressSnat' + 'IngressSnat' + ] + ``` ### Parameter: `name` @@ -88,7 +95,14 @@ The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one - Required: No - Type: string - Default: `''` -- Allowed: `['', Dynamic, Static]` +- Allowed: + ```Bicep + [ + '' + 'Dynamic' + 'Static' + ] + ``` ### Parameter: `vpnGatewayName` 
diff --git a/modules/network/vpn-gateway/vpn-connection/README.md b/modules/network/vpn-gateway/vpn-connection/README.md index 76988787ad..d533488822 100644 --- a/modules/network/vpn-gateway/vpn-connection/README.md +++ b/modules/network/vpn-gateway/vpn-connection/README.md @@ -110,7 +110,7 @@ Reference to a VPN site to link to. Routing configuration indicating the associated and propagated route tables for this connection. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `routingWeight` @@ -153,7 +153,13 @@ Gateway connection protocol. - Required: No - Type: string - Default: `'IKEv2'` -- Allowed: `[IKEv1, IKEv2]` +- Allowed: + ```Bicep + [ + 'IKEv1' + 'IKEv2' + ] + ``` ### Parameter: `vpnGatewayName` diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 13a2a17025..b6da21771a 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -314,14 +314,14 @@ An array of IP address ranges that can be used by subnets of the virtual network BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `deviceProperties` List of properties of the device. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -389,7 +389,7 @@ Name of the VPN Site. The Office365 breakout policy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `roleAssignments` diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 48f25812c4..02c536f329 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md 
@@ -1340,7 +1340,13 @@ The network access type for accessing Log Analytics ingestion. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `publicNetworkAccessForQuery` @@ -1348,7 +1354,13 @@ The network access type for accessing Log Analytics query. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -1438,7 +1450,19 @@ The name of the SKU. - Required: No - Type: string - Default: `'PerGB2018'` -- Allowed: `[CapacityReservation, Free, LACluster, PerGB2018, PerNode, Premium, Standalone, Standard]` +- Allowed: + ```Bicep + [ + 'CapacityReservation' + 'Free' + 'LACluster' + 'PerGB2018' + 'PerNode' + 'Premium' + 'Standalone' + 'Standard' + ] + ``` ### Parameter: `storageInsightsConfigs` diff --git a/modules/operational-insights/workspace/data-export/README.md b/modules/operational-insights/workspace/data-export/README.md index 74a748b284..71d77ffb7f 100644 --- a/modules/operational-insights/workspace/data-export/README.md +++ b/modules/operational-insights/workspace/data-export/README.md @@ -43,7 +43,7 @@ This module deploys a Log Analytics Workspace Data Export. Destination properties. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enable` diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md index 73c7fb8958..99c4331190 100644 --- a/modules/operational-insights/workspace/data-source/README.md +++ b/modules/operational-insights/workspace/data-source/README.md 
@@ -96,7 +96,19 @@ The kind of the DataSource. - Required: No - Type: string - Default: `'AzureActivityLog'` -- Allowed: `[AzureActivityLog, IISLogs, LinuxPerformanceCollection, LinuxPerformanceObject, LinuxSyslog, LinuxSyslogCollection, WindowsEvent, WindowsPerformanceCounter]` +- Allowed: + ```Bicep + [ + 'AzureActivityLog' + 'IISLogs' + 'LinuxPerformanceCollection' + 'LinuxPerformanceObject' + 'LinuxSyslog' + 'LinuxSyslogCollection' + 'WindowsEvent' + 'WindowsPerformanceCounter' + ] + ``` ### Parameter: `linkedResourceId` diff --git a/modules/operational-insights/workspace/linked-storage-account/README.md b/modules/operational-insights/workspace/linked-storage-account/README.md index c29ee8ed40..97a318c405 100644 --- a/modules/operational-insights/workspace/linked-storage-account/README.md +++ b/modules/operational-insights/workspace/linked-storage-account/README.md @@ -54,7 +54,15 @@ The name of the parent Log Analytics workspace. Required if the template is used Name of the link. - Required: Yes - Type: string -- Allowed: `[Alerts, AzureWatson, CustomLogs, Query]` +- Allowed: + ```Bicep + [ + 'Alerts' + 'AzureWatson' + 'CustomLogs' + 'Query' + ] + ``` ### Parameter: `resourceId` diff --git a/modules/operational-insights/workspace/table/README.md b/modules/operational-insights/workspace/table/README.md index d3d75c4af5..eb3e62a8d1 100644 --- a/modules/operational-insights/workspace/table/README.md +++ b/modules/operational-insights/workspace/table/README.md @@ -60,14 +60,20 @@ Instruct the system how to handle and charge the logs ingested to this table. - Required: No - Type: string - Default: `'Analytics'` -- Allowed: `[Analytics, Basic]` +- Allowed: + ```Bicep + [ + 'Analytics' + 'Basic' + ] + ``` ### Parameter: `restoredLogs` Restore parameters. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `retentionInDays` 
@@ -81,14 +87,14 @@ The table retention in days, between 4 and 730. Setting this property to -1 will Table's schema. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `searchResults` Parameters of the search job that initiated this table. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `totalRetentionInDays` diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md index 58d11035d5..1140dd6368 100644 --- a/modules/policy-insights/remediation/README.md +++ b/modules/policy-insights/remediation/README.md @@ -522,7 +522,13 @@ The way resources to remediate are discovered. Defaults to ExistingNonCompliant - Required: No - Type: string - Default: `'ExistingNonCompliant'` -- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` +- Allowed: + ```Bicep + [ + 'ExistingNonCompliant' + 'ReEvaluateCompliance' + ] + ``` ### Parameter: `resourceGroupName` diff --git a/modules/policy-insights/remediation/management-group/README.md b/modules/policy-insights/remediation/management-group/README.md index f7bb79c449..f93cf15102 100644 --- a/modules/policy-insights/remediation/management-group/README.md +++ b/modules/policy-insights/remediation/management-group/README.md @@ -104,7 +104,13 @@ The way resources to remediate are discovered. Defaults to ExistingNonCompliant - Required: No - Type: string - Default: `'ExistingNonCompliant'` -- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` +- Allowed: + ```Bicep + [ + 'ExistingNonCompliant' + 'ReEvaluateCompliance' + ] + ``` ## Outputs diff --git a/modules/policy-insights/remediation/resource-group/README.md b/modules/policy-insights/remediation/resource-group/README.md index a354a06627..4878811b31 100644 --- a/modules/policy-insights/remediation/resource-group/README.md +++ b/modules/policy-insights/remediation/resource-group/README.md 
@@ -104,7 +104,13 @@ The way resources to remediate are discovered. Defaults to ExistingNonCompliant - Required: No - Type: string - Default: `'ExistingNonCompliant'` -- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` +- Allowed: + ```Bicep + [ + 'ExistingNonCompliant' + 'ReEvaluateCompliance' + ] + ``` ## Outputs diff --git a/modules/policy-insights/remediation/subscription/README.md b/modules/policy-insights/remediation/subscription/README.md index 0ed9328e97..b121a0f8d5 100644 --- a/modules/policy-insights/remediation/subscription/README.md +++ b/modules/policy-insights/remediation/subscription/README.md @@ -104,7 +104,13 @@ The way resources to remediate are discovered. Defaults to ExistingNonCompliant - Required: No - Type: string - Default: `'ExistingNonCompliant'` -- Allowed: `[ExistingNonCompliant, ReEvaluateCompliance]` +- Allowed: + ```Bicep + [ + 'ExistingNonCompliant' + 'ReEvaluateCompliance' + ] + ``` ## Outputs diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index b014f55a63..b70a3883f6 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -264,7 +264,13 @@ Mode of the resource. - Required: No - Type: string - Default: `'Gen2'` -- Allowed: `[Gen1, Gen2]` +- Allowed: + ```Bicep + [ + 'Gen1' + 'Gen2' + ] + ``` ### Parameter: `name` @@ -352,7 +358,17 @@ SkuCapacity of the resource. - Required: No - Type: string - Default: `'A1'` -- Allowed: `[A1, A2, A3, A4, A5, A6]` +- Allowed: + ```Bicep + [ + 'A1' + 'A2' + 'A3' + 'A4' + 'A5' + 'A6' + ] + ``` ### Parameter: `skuTier` @@ -360,7 +376,14 @@ SkuCapacity of the resource. - Required: No - Type: string - Default: `'PBIE_Azure'` -- Allowed: `[AutoPremiumHost, PBIE_Azure, Premium]` +- Allowed: + ```Bicep + [ + 'AutoPremiumHost' + 'PBIE_Azure' + 'Premium' + ] + ``` ### Parameter: `tags` 
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 005541e314..7d2d34a463 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -616,7 +616,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `'NotSpecified'` -- Allowed: `[Disabled, Enabled, NotSpecified]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'NotSpecified' + ] + ``` ### Parameter: `roleAssignments` diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 3d02aec005..fe12831915 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -985,7 +985,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { The backup configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `backupPolicies` @@ -999,7 +999,7 @@ List of all backup policies. The storage configuration for the Azure Recovery Service Vault. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `diagnosticSettings` @@ -1188,7 +1188,7 @@ Optional. The resource ID(s) to assign to the resource. Monitoring Settings of the vault. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` @@ -1377,14 +1377,20 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `replicationAlertSettings` Replication alert settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `replicationFabrics` 
@@ -1473,7 +1479,7 @@ Required. The name of the role to assign. If it cannot be found you can specify Security Settings of the vault. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/recovery-services/vault/backup-config/README.md b/modules/recovery-services/vault/backup-config/README.md index 5ce1b92970..aec1ccbf4b 100644 --- a/modules/recovery-services/vault/backup-config/README.md +++ b/modules/recovery-services/vault/backup-config/README.md @@ -50,7 +50,13 @@ Enable this setting to protect hybrid backups against accidental deletes and add - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `isSoftDeleteFeatureStateEditable` @@ -85,7 +91,13 @@ Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `storageModelType` @@ -93,7 +105,15 @@ Storage type. - Required: No - Type: string - Default: `'GeoRedundant'` -- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'GeoRedundant' + 'LocallyRedundant' + 'ReadAccessGeoZoneRedundant' + 'ZoneRedundant' + ] + ``` ### Parameter: `storageType` @@ -101,7 +121,15 @@ Storage type. - Required: No - Type: string - Default: `'GeoRedundant'` -- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'GeoRedundant' + 'LocallyRedundant' + 'ReadAccessGeoZoneRedundant' + 'ZoneRedundant' + ] + ``` ### Parameter: `storageTypeState` 
@@ -109,7 +137,13 @@ Once a machine is registered against a resource, the storageTypeState is always - Required: No - Type: string - Default: `'Locked'` -- Allowed: `[Locked, Unlocked]` +- Allowed: + ```Bicep + [ + 'Locked' + 'Unlocked' + ] + ``` ## Outputs diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/README.md index 0c7bbeeb33..98712cd47b 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/README.md +++ b/modules/recovery-services/vault/backup-fabric/protection-container/README.md @@ -48,7 +48,21 @@ Backup management type to execute the current Protection Container job. - Required: No - Type: string - Default: `''` -- Allowed: `['', AzureBackupServer, AzureIaasVM, AzureSql, AzureStorage, AzureWorkload, DefaultBackup, DPM, Invalid, MAB]` +- Allowed: + ```Bicep + [ + '' + 'AzureBackupServer' + 'AzureIaasVM' + 'AzureSql' + 'AzureStorage' + 'AzureWorkload' + 'DefaultBackup' + 'DPM' + 'Invalid' + 'MAB' + ] + ``` ### Parameter: `containerType` @@ -56,7 +70,21 @@ Type of the container. - Required: No - Type: string - Default: `''` -- Allowed: `['', AzureBackupServerContainer, AzureSqlContainer, GenericContainer, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, SQLAGWorkLoadContainer, StorageContainer, VMAppContainer, Windows]` +- Allowed: + ```Bicep + [ + '' + 'AzureBackupServerContainer' + 'AzureSqlContainer' + 'GenericContainer' + 'Microsoft.ClassicCompute/virtualMachines' + 'Microsoft.Compute/virtualMachines' + 'SQLAGWorkLoadContainer' + 'StorageContainer' + 'VMAppContainer' + 'Windows' + ] + ``` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md index 64cd46a689..2c15bf89ea 100644 
--- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md +++ b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md @@ -71,7 +71,21 @@ ID of the backup policy with which this item is backed up. The backup item type. - Required: Yes - Type: string -- Allowed: `[AzureFileShareProtectedItem, AzureVmWorkloadSAPAseDatabase, AzureVmWorkloadSAPHanaDatabase, AzureVmWorkloadSQLDatabase, DPMProtectedItem, GenericProtectedItem, MabFileFolderProtectedItem, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, Microsoft.Sql/servers/databases]` +- Allowed: + ```Bicep + [ + 'AzureFileShareProtectedItem' + 'AzureVmWorkloadSAPAseDatabase' + 'AzureVmWorkloadSAPHanaDatabase' + 'AzureVmWorkloadSQLDatabase' + 'DPMProtectedItem' + 'GenericProtectedItem' + 'MabFileFolderProtectedItem' + 'Microsoft.ClassicCompute/virtualMachines' + 'Microsoft.Compute/virtualMachines' + 'Microsoft.Sql/servers/databases' + ] + ``` ### Parameter: `protectionContainerName` diff --git a/modules/recovery-services/vault/backup-storage-config/README.md b/modules/recovery-services/vault/backup-storage-config/README.md index 44c5b030b3..e049b9e89d 100644 --- a/modules/recovery-services/vault/backup-storage-config/README.md +++ b/modules/recovery-services/vault/backup-storage-config/README.md @@ -65,7 +65,15 @@ Change Vault Storage Type (Works if vault has not registered any backup instance - Required: No - Type: string - Default: `'GeoRedundant'` -- Allowed: `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` +- Allowed: + ```Bicep + [ + 'GeoRedundant' + 'LocallyRedundant' + 'ReadAccessGeoZoneRedundant' + 'ZoneRedundant' + ] + ``` ## Outputs diff --git a/modules/recovery-services/vault/replication-alert-setting/README.md b/modules/recovery-services/vault/replication-alert-setting/README.md index c756a3ce98..d0067568b8 100644 
--- a/modules/recovery-services/vault/replication-alert-setting/README.md +++ b/modules/recovery-services/vault/replication-alert-setting/README.md @@ -73,7 +73,13 @@ The value indicating whether to send email to subscription administrator. - Required: No - Type: string - Default: `'Send'` -- Allowed: `[DoNotSend, Send]` +- Allowed: + ```Bicep + [ + 'DoNotSend' + 'Send' + ] + ``` ## Outputs diff --git a/modules/recovery-services/vault/replication-policy/README.md b/modules/recovery-services/vault/replication-policy/README.md index 81a72c1aa8..5a36589e2b 100644 --- a/modules/recovery-services/vault/replication-policy/README.md +++ b/modules/recovery-services/vault/replication-policy/README.md @@ -68,7 +68,13 @@ A value indicating whether multi-VM sync has to be enabled. - Required: No - Type: string - Default: `'Enable'` -- Allowed: `[Disable, Enable]` +- Allowed: + ```Bicep + [ + 'Disable' + 'Enable' + ] + ``` ### Parameter: `name` diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 8bec8c2e9e..d4cf7ea214 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -495,7 +495,19 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { Authorization Rules for the Relay namespace. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + ] + ``` ### Parameter: `diagnosticSettings` @@ -671,7 +683,7 @@ Name of the Relay Namespace. Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `privateEndpoints` 
@@ -915,7 +927,12 @@ Name of this SKU. - Required: No - Type: string - Default: `'Standard'` -- Allowed: `[Standard]` +- Allowed: + ```Bicep + [ + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/relay/namespace/authorization-rule/README.md b/modules/relay/namespace/authorization-rule/README.md index c66fadfdbe..468bfb15dc 100644 --- a/modules/relay/namespace/authorization-rule/README.md +++ b/modules/relay/namespace/authorization-rule/README.md @@ -61,7 +61,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ## Outputs diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index bc08a7c81c..b243f4adc7 100644 --- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md @@ -48,7 +48,31 @@ This module deploys a Relay Namespace Hybrid Connection. Authorization Rules for the Relay Hybrid Connection. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'defaultListener' + rights: [ + 'Listen' + ] + } + { + name: 'defaultSender' + rights: [ + 'Send' + ] + } + ] + ``` ### Parameter: `enableDefaultTelemetry` diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md index 38f6f986a1..369f7fd917 100644 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md +++ b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md 
@@ -68,7 +68,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ## Outputs diff --git a/modules/relay/namespace/network-rule-set/README.md b/modules/relay/namespace/network-rule-set/README.md index 999a9f0bd2..6e4c2dcf28 100644 --- a/modules/relay/namespace/network-rule-set/README.md +++ b/modules/relay/namespace/network-rule-set/README.md @@ -38,7 +38,13 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p - Required: No - Type: string - Default: `'Allow'` -- Allowed: `[Allow, Deny]` +- Allowed: + ```Bicep + [ + 'Allow' + 'Deny' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -66,7 +72,13 @@ This determines if traffic is allowed over public network. Default is "Enabled". - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index 05e08fa254..d79d0ecc46 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md @@ -50,7 +50,31 @@ This module deploys a Relay Namespace WCF Relay. Authorization Rules for the WCF Relay. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable, System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'defaultListener' + rights: [ + 'Listen' + ] + } + { + name: 'defaultSender' + rights: [ + 'Send' + ] + } + ] + ``` ### Parameter: `enableDefaultTelemetry` 
@@ -103,7 +127,13 @@ The name of the parent Relay Namespace for the WCF Relay. Required if the templa Type of WCF Relay. - Required: Yes - Type: string -- Allowed: `[Http, NetTcp]` +- Allowed: + ```Bicep + [ + 'Http' + 'NetTcp' + ] + ``` ### Parameter: `requiresClientAuthorization` diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/README.md b/modules/relay/namespace/wcf-relay/authorization-rule/README.md index 4fbcc69f86..0cd03c7520 100644 --- a/modules/relay/namespace/wcf-relay/authorization-rule/README.md +++ b/modules/relay/namespace/wcf-relay/authorization-rule/README.md @@ -62,7 +62,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ### Parameter: `wcfRelayName` diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index 4623399942..858feffb91 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -339,7 +339,14 @@ The clean up preference when the script execution gets in a terminal state. Spec - Required: No - Type: string - Default: `'Always'` -- Allowed: `[Always, OnExpiration, OnSuccess]` +- Allowed: + ```Bicep + [ + 'Always' + 'OnExpiration' + 'OnSuccess' + ] + ``` ### Parameter: `containerGroupName` @@ -360,7 +367,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `kind` 
@@ -368,7 +375,13 @@ Type of the script. AzurePowerShell, AzureCLI. - Required: No - Type: string - Default: `'AzurePowerShell'` -- Allowed: `[AzureCLI, AzurePowerShell]` +- Allowed: + ```Bicep + [ + 'AzureCLI' + 'AzurePowerShell' + ] + ``` ### Parameter: `location` diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index ca85fa4f71..c7adce3abd 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -432,7 +432,7 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `cmkEnforcement` @@ -440,7 +440,14 @@ Describes a policy that determines how resources within the search service are t - Required: No - Type: string - Default: `'Unspecified'` -- Allowed: `[Disabled, Enabled, Unspecified]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'Unspecified' + ] + ``` ### Parameter: `diagnosticSettings` @@ -577,7 +584,13 @@ Applicable only for the standard3 SKU. You can set this property to enable up to - Required: No - Type: string - Default: `'default'` -- Allowed: `[default, highDensity]` +- Allowed: + ```Bicep + [ + 'default' + 'highDensity' + ] + ``` ### Parameter: `location` @@ -642,7 +655,7 @@ The name of the Azure Cognitive Search service to create or update. Search servi Network specific rules that determine how the Azure Cognitive Search service may be reached. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `partitionCount` 
@@ -825,7 +838,13 @@ This value can be set to 'enabled' to avoid breaking changes on existing custome - Required: No - Type: string - Default: `'enabled'` -- Allowed: `[disabled, enabled]` +- Allowed: + ```Bicep + [ + 'disabled' + 'enabled' + ] + ``` ### Parameter: `replicaCount` @@ -915,7 +934,18 @@ Defines the SKU of an Azure Cognitive Search Service, which determines price tie - Required: No - Type: string - Default: `'standard'` -- Allowed: `[basic, free, standard, standard2, standard3, storage_optimized_l1, storage_optimized_l2]` +- Allowed: + ```Bicep + [ + 'basic' + 'free' + 'standard' + 'standard2' + 'standard3' + 'storage_optimized_l1' + 'storage_optimized_l2' + ] + ``` ### Parameter: `tags` diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index 9c0167a1ef..042f824136 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md @@ -133,7 +133,13 @@ The pricing tier value for AppServices. Azure Security Center is provided in two - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `armPricingTier` @@ -141,7 +147,13 @@ The pricing tier value for ARM. Azure Security Center is provided in two pricing - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `autoProvision` @@ -149,7 +161,13 @@ Describes what kind of security agent provisioning action to take. - On or Off. - Required: No - Type: string - Default: `'On'` -- Allowed: `[Off, On]` +- Allowed: + ```Bicep + [ + 'Off' + 'On' + ] + ``` ### Parameter: `containerRegistryPricingTier` 
@@ -157,7 +175,13 @@ The pricing tier value for ContainerRegistry. Azure Security Center is provided - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `containersTier` @@ -165,7 +189,13 @@ The pricing tier value for containers. Azure Security Center is provided in two - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `cosmosDbsTier` @@ -173,14 +203,20 @@ The pricing tier value for CosmosDbs. Azure Security Center is provided in two p - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `deviceSecurityGroupProperties` Device Security group data. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `dnsPricingTier` @@ -188,7 +224,13 @@ The pricing tier value for DNS. Azure Security Center is provided in two pricing - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -202,7 +244,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). Security Solution data. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `keyVaultsPricingTier` @@ -210,7 +252,13 @@ The pricing tier value for KeyVaults. Azure Security Center is provided in two p - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `kubernetesServicePricingTier` 
@@ -218,7 +266,13 @@ The pricing tier value for KubernetesService. Azure Security Center is provided - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `location` @@ -233,7 +287,13 @@ The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `scope` @@ -246,7 +306,7 @@ All the VMs in this scope will send their security data to the mentioned workspa Security contact data. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `sqlServersPricingTier` @@ -254,7 +314,13 @@ The pricing tier value for SqlServers. Azure Security Center is provided in two - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `sqlServerVirtualMachinesPricingTier` @@ -262,7 +328,13 @@ The pricing tier value for SqlServerVirtualMachines. Azure Security Center is pr - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `storageAccountsPricingTier` @@ -270,7 +342,13 @@ The pricing tier value for StorageAccounts. Azure Security Center is provided in - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `virtualMachinesPricingTier` @@ -278,7 +356,13 @@ The pricing tier value for VMs. Azure Security Center is provided in two pricing - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `workspaceId` 
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index a000e89570..2aaebcf0c7 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -812,7 +812,19 @@ Alternate name for namespace. Authorization Rules for the Service Bus namespace. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + ] + ``` ### Parameter: `cMKKeyName` @@ -969,7 +981,7 @@ This property disables SAS authentication for the Service Bus namespace. The disaster recovery configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -1043,7 +1055,7 @@ Optional. The resource ID(s) to assign to the resource. The migration configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `minimumTlsVersion` @@ -1051,7 +1063,14 @@ The minimum TLS version for the cluster to support. - Required: No - Type: string - Default: `'1.2'` -- Allowed: `[1.0, 1.1, 1.2]` +- Allowed: + ```Bicep + [ + '1.0' + '1.1' + '1.2' + ] + ``` ### Parameter: `name` @@ -1064,7 +1083,7 @@ Name of the Service Bus Namespace. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `premiumMessagingPartitions` @@ -1247,7 +1266,15 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled, SecuredByPerimeter]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + 'SecuredByPerimeter' + ] + ``` ### Parameter: `queues` 
@@ -1337,7 +1364,17 @@ The specified messaging units for the tier. Only used for Premium Sku tier. - Required: No - Type: int - Default: `1` -- Allowed: `[1, 2, 4, 8, 16, 32]` +- Allowed: + ```Bicep + [ + 1 + 2 + 4 + 8 + 16 + 32 + ] + ``` ### Parameter: `skuName` @@ -1345,7 +1382,14 @@ Name of this SKU. - Basic, Standard, Premium. - Required: No - Type: string - Default: `'Basic'` -- Allowed: `[Basic, Premium, Standard]` +- Allowed: + ```Bicep + [ + 'Basic' + 'Premium' + 'Standard' + ] + ``` ### Parameter: `tags` diff --git a/modules/service-bus/namespace/authorization-rule/README.md b/modules/service-bus/namespace/authorization-rule/README.md index b4bec73526..6596ebe9bf 100644 --- a/modules/service-bus/namespace/authorization-rule/README.md +++ b/modules/service-bus/namespace/authorization-rule/README.md @@ -61,7 +61,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ## Outputs diff --git a/modules/service-bus/namespace/network-rule-set/README.md b/modules/service-bus/namespace/network-rule-set/README.md index e24150422b..86f7241c3b 100644 --- a/modules/service-bus/namespace/network-rule-set/README.md +++ b/modules/service-bus/namespace/network-rule-set/README.md @@ -40,7 +40,13 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p - Required: No - Type: string - Default: `'Allow'` -- Allowed: `[Allow, Deny]` +- Allowed: + ```Bicep + [ + 'Allow' + 'Deny' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -68,7 +74,13 @@ This determines if traffic is allowed over public network. Default is "Enabled". - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `trustedServiceAccessEnabled` 
diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index c7a0916536..a99b09cfd8 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md @@ -62,7 +62,21 @@ This module deploys a Service Bus Namespace Queue. Authorization Rules for the Service Bus Queue. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + properties: { + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + } + ] + ``` ### Parameter: `autoDeleteOnIdle` @@ -289,7 +303,20 @@ Enumerates the possible values for the status of a messaging entity. - Active, D - Required: No - Type: string - Default: `'Active'` -- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` +- Allowed: + ```Bicep + [ + 'Active' + 'Creating' + 'Deleting' + 'Disabled' + 'ReceiveDisabled' + 'Renaming' + 'Restoring' + 'SendDisabled' + 'Unknown' + ] + ``` ## Outputs diff --git a/modules/service-bus/namespace/queue/authorization-rule/README.md b/modules/service-bus/namespace/queue/authorization-rule/README.md index 953b3a3459..c607332987 100644 --- a/modules/service-bus/namespace/queue/authorization-rule/README.md +++ b/modules/service-bus/namespace/queue/authorization-rule/README.md @@ -68,7 +68,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ## Outputs diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index 17d9eba79b..0e2bfa7837 100644 --- a/modules/service-bus/namespace/topic/README.md +++ b/modules/service-bus/namespace/topic/README.md 
@@ -57,7 +57,21 @@ This module deploys a Service Bus Namespace Topic. Authorization Rules for the Service Bus Topic. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'RootManageSharedAccessKey' + properties: { + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + } + ] + ``` ### Parameter: `autoDeleteOnIdle` @@ -242,7 +256,20 @@ Enumerates the possible values for the status of a messaging entity. - Active, D - Required: No - Type: string - Default: `'Active'` -- Allowed: `[Active, Creating, Deleting, Disabled, ReceiveDisabled, Renaming, Restoring, SendDisabled, Unknown]` +- Allowed: + ```Bicep + [ + 'Active' + 'Creating' + 'Deleting' + 'Disabled' + 'ReceiveDisabled' + 'Renaming' + 'Restoring' + 'SendDisabled' + 'Unknown' + ] + ``` ### Parameter: `supportOrdering` diff --git a/modules/service-bus/namespace/topic/authorization-rule/README.md b/modules/service-bus/namespace/topic/authorization-rule/README.md index ec255bfbe3..583c624576 100644 --- a/modules/service-bus/namespace/topic/authorization-rule/README.md +++ b/modules/service-bus/namespace/topic/authorization-rule/README.md @@ -62,7 +62,14 @@ The rights associated with the rule. - Required: No - Type: array - Default: `[]` -- Allowed: `[Listen, Manage, Send]` +- Allowed: + ```Bicep + [ + 'Listen' + 'Manage' + 'Send' + ] + ``` ### Parameter: `topicName` diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index c572b02a48..4f8ed6b890 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md 
@@ -702,7 +702,15 @@ The list of add-on features to enable in the cluster. - Required: No - Type: array - Default: `[]` -- Allowed: `[BackupRestoreService, DnsService, RepairManager, ResourceMonitorService]` +- Allowed: + ```Bicep + [ + 'BackupRestoreService' + 'DnsService' + 'RepairManager' + 'ResourceMonitorService' + ] + ``` ### Parameter: `applicationTypes` @@ -716,21 +724,21 @@ Array of Service Fabric cluster application types. The settings to enable AAD authentication on the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `certificate` Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `certificateCommonNames` Describes a list of server certificates referenced by common name that are used to secure the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `clientCertificateCommonNames` @@ -758,7 +766,7 @@ The Service Fabric runtime version of the cluster. This property can only by set The storage account information for storing Service Fabric diagnostic logs. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` 
@@ -859,21 +867,30 @@ Indicates a list of notification channels for cluster events. The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. - Required: Yes - Type: string -- Allowed: `[Bronze, Gold, None, Platinum, Silver]` +- Allowed: + ```Bicep + [ + 'Bronze' + 'Gold' + 'None' + 'Platinum' + 'Silver' + ] + ``` ### Parameter: `reverseProxyCertificate` Describes the certificate details. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `reverseProxyCertificateCommonNames` Describes a list of server certificates referenced by common name that are used to secure the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `roleAssignments` @@ -949,7 +966,13 @@ This property controls the logical grouping of VMs in upgrade domains (UDs). Thi - Required: No - Type: string - Default: `'Hierarchical'` -- Allowed: `[Hierarchical, Parallel]` +- Allowed: + ```Bicep + [ + 'Hierarchical' + 'Parallel' + ] + ``` ### Parameter: `tags` @@ -962,7 +985,7 @@ Tags of the resource. Describes the policy used when upgrading the cluster. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `upgradeMode` 
@@ -970,7 +993,13 @@ The upgrade mode of the cluster when new Service Fabric runtime version is avail - Required: No - Type: string - Default: `'Automatic'` -- Allowed: `[Automatic, Manual]` +- Allowed: + ```Bicep + [ + 'Automatic' + 'Manual' + ] + ``` ### Parameter: `upgradePauseEndTimestampUtc` @@ -992,7 +1021,14 @@ Indicates when new cluster runtime version upgrades will be applied after they a - Required: No - Type: string - Default: `'Wave0'` -- Allowed: `[Wave0, Wave1, Wave2]` +- Allowed: + ```Bicep + [ + 'Wave0' + 'Wave1' + 'Wave2' + ] + ``` ### Parameter: `vmImage` @@ -1007,7 +1043,13 @@ This property defines the upgrade mode for the virtual machine scale set, it is - Required: No - Type: string - Default: `'Hierarchical'` -- Allowed: `[Hierarchical, Parallel]` +- Allowed: + ```Bicep + [ + 'Hierarchical' + 'Parallel' + ] + ``` ### Parameter: `waveUpgradePaused` diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 4a59945bf2..aae17d50ed 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -309,7 +309,12 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { The allowed origin settings of the resource. - Required: No - Type: array -- Default: `[*]` +- Default: + ```Bicep + [ + '*' + ] + ``` ### Parameter: `capacity` @@ -351,7 +356,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + flag: 'ServiceMode' + value: 'Serverless' + } + ] + ``` ### Parameter: `kind` 
@@ -359,15 +372,33 @@ The kind of the service. - Required: No - Type: string - Default: `'SignalR'` -- Allowed: `[RawWebSockets, SignalR]` +- Allowed: + ```Bicep + [ + 'RawWebSockets' + 'SignalR' + ] + ``` ### Parameter: `liveTraceCatagoriesToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. - Required: No - Type: array -- Default: `[ConnectivityLogs, MessagingLogs]` -- Allowed: `[ConnectivityLogs, MessagingLogs]` +- Default: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` +- Allowed: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` ### Parameter: `location` @@ -414,7 +445,7 @@ The name of the SignalR Service resource. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `privateEndpoints` @@ -590,15 +621,34 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `resourceLogConfigurationsToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. - Required: No - Type: array -- Default: `[ConnectivityLogs, MessagingLogs]` -- Allowed: `[ConnectivityLogs, MessagingLogs]` +- Default: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` +- Allowed: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` ### Parameter: `roleAssignments` 
@@ -674,7 +724,18 @@ The SKU of the service. - Required: No - Type: string - Default: `'Standard_S1'` -- Allowed: `[Free_F1, Premium_P1, Premium_P2, Premium_P3, Standard_S1, Standard_S2, Standard_S3]` +- Allowed: + ```Bicep + [ + 'Free_F1' + 'Premium_P1' + 'Premium_P2' + 'Premium_P3' + 'Standard_S1' + 'Standard_S2' + 'Standard_S3' + ] + ``` ### Parameter: `tags` diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index c4aa82598c..63e9aa3529 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -502,7 +502,7 @@ The name of the Web PubSub Service resource. Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `privateEndpoints` @@ -678,15 +678,34 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `resourceLogConfigurationsToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. - Required: No - Type: array -- Default: `[ConnectivityLogs, MessagingLogs]` -- Allowed: `[ConnectivityLogs, MessagingLogs]` +- Default: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` +- Allowed: + ```Bicep + [ + 'ConnectivityLogs' + 'MessagingLogs' + ] + ``` ### Parameter: `roleAssignments` @@ -762,7 +781,13 @@ Pricing tier of the resource. - Required: No - Type: string - Default: `'Standard_S1'` -- Allowed: `[Free_F1, Standard_S1]` +- Allowed: + ```Bicep + [ + 'Free_F1' + 'Standard_S1' + ] + ``` ### Parameter: `tags` 
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 332f0dcb64..d7edde8263 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -577,7 +577,7 @@ The password given to the admin user. The administrator configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `collation` @@ -727,7 +727,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The encryption protection configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `hardwareFamily` @@ -756,7 +756,13 @@ The license type. Possible values are 'LicenseIncluded' (regular price inclusive - Required: No - Type: string - Default: `'LicenseIncluded'` -- Allowed: `[BasePrice, LicenseIncluded]` +- Allowed: + ```Bicep + [ + 'BasePrice' + 'LicenseIncluded' + ] + ``` ### Parameter: `location` @@ -824,7 +830,13 @@ Specifies the mode of database creation. Default: Regular instance creation. Res - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Default, PointInTimeRestore]` +- Allowed: + ```Bicep + [ + 'Default' + 'PointInTimeRestore' + ] + ``` ### Parameter: `minimalTlsVersion` @@ -832,7 +844,15 @@ Minimal TLS version allowed. - Required: No - Type: string - Default: `'1.2'` -- Allowed: `[1.0, 1.1, 1.2, None]` +- Allowed: + ```Bicep + [ + '1.0' + '1.1' + '1.2' + 'None' + ] + ``` ### Parameter: `name` @@ -853,7 +873,14 @@ Connection type used for connecting to the instance. - Required: No - Type: string - Default: `'Proxy'` -- Allowed: `[Default, Proxy, Redirect]` +- Allowed: + ```Bicep + [ + 'Default' + 'Proxy' + 'Redirect' + ] + ``` ### Parameter: `publicDataEndpointEnabled` 
@@ -868,7 +895,15 @@ The storage account type used to store backups for this database. - Required: No - Type: string - Default: `'Geo'` -- Allowed: `[Geo, GeoZone, Local, Zone]` +- Allowed: + ```Bicep + [ + 'Geo' + 'GeoZone' + 'Local' + 'Zone' + ] + ``` ### Parameter: `restorePointInTime` @@ -950,7 +985,7 @@ Required. The name of the role to assign. If it cannot be found you can specify The security alert policy configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `servicePrincipal` @@ -958,7 +993,13 @@ Service principal type. If using AD Authentication and applying Admin, must be s - Required: No - Type: string - Default: `'None'` -- Allowed: `[None, SystemAssigned]` +- Allowed: + ```Bicep + [ + 'None' + 'SystemAssigned' + ] + ``` ### Parameter: `skuName` @@ -1019,7 +1060,7 @@ The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. The vulnerability assessment configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `zoneRedundant` diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index ce3569342e..12e6fb4709 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md @@ -60,14 +60,14 @@ This module deploys a SQL Managed Instance Database. The configuration for the backup long term retention policy definition. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `backupShortTermRetentionPoliciesObj` The configuration for the backup short term retention policy definition. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `catalogCollation` 
@@ -89,7 +89,16 @@ Managed database create mode. PointInTimeRestore: Create a database by restoring - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Default, PointInTimeRestore, Recovery, RestoreExternalBackup, RestoreLongTermRetentionBackup]` +- Allowed: + ```Bicep + [ + 'Default' + 'PointInTimeRestore' + 'Recovery' + 'RestoreExternalBackup' + 'RestoreLongTermRetentionBackup' + ] + ``` ### Parameter: `diagnosticSettings` diff --git a/modules/sql/managed-instance/encryption-protector/README.md b/modules/sql/managed-instance/encryption-protector/README.md index 2b4cd9b2f6..13cdbd792b 100644 --- a/modules/sql/managed-instance/encryption-protector/README.md +++ b/modules/sql/managed-instance/encryption-protector/README.md @@ -69,7 +69,13 @@ The encryption protector type like "ServiceManaged", "AzureKeyVault". - Required: No - Type: string - Default: `'ServiceManaged'` -- Allowed: `[AzureKeyVault, ServiceManaged]` +- Allowed: + ```Bicep + [ + 'AzureKeyVault' + 'ServiceManaged' + ] + ``` ## Outputs diff --git a/modules/sql/managed-instance/key/README.md b/modules/sql/managed-instance/key/README.md index d820e021e8..327b954416 100644 --- a/modules/sql/managed-instance/key/README.md +++ b/modules/sql/managed-instance/key/README.md @@ -62,7 +62,13 @@ The encryption protector type like "ServiceManaged", "AzureKeyVault". - Required: No - Type: string - Default: `'ServiceManaged'` -- Allowed: `[AzureKeyVault, ServiceManaged]` +- Allowed: + ```Bicep + [ + 'AzureKeyVault' + 'ServiceManaged' + ] + ``` ### Parameter: `uri` diff --git a/modules/sql/managed-instance/security-alert-policy/README.md b/modules/sql/managed-instance/security-alert-policy/README.md index 5d5bf9b072..436ccd6b78 100644 --- a/modules/sql/managed-instance/security-alert-policy/README.md +++ b/modules/sql/managed-instance/security-alert-policy/README.md 
@@ -69,7 +69,13 @@ Enables advanced data security features, like recuring vulnerability assesment s - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index da79dd63a3..239660e8da 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -794,7 +794,7 @@ The administrator login password. Required if no `administrators` object for AAD The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `databases` @@ -822,7 +822,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). The encryption protection configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `firewallRules` @@ -904,7 +904,14 @@ Minimal TLS version allowed. - Required: No - Type: string - Default: `'1.2'` -- Allowed: `[1.0, 1.1, 1.2]` +- Allowed: + ```Bicep + [ + '1.0' + '1.1' + '1.2' + ] + ``` ### Parameter: `name` @@ -1093,7 +1100,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `restrictOutboundNetworkAccess` @@ -1101,7 +1115,14 @@ Whether or not to restrict outbound network access for this server. - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `roleAssignments` @@ -1196,7 +1217,7 @@ The virtual network rules to create in the server. The vulnerability assessment configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs 
diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md index 588563b5fb..4909365a8f 100644 --- a/modules/sql/server/database/README.md +++ b/modules/sql/server/database/README.md @@ -79,14 +79,14 @@ Time in minutes after which database is automatically paused. A value of -1 mean The long term backup retention policy to create for the database. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `backupShortTermRetentionPolicy` The short term backup retention policy to create for the database. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `collation` @@ -101,7 +101,19 @@ Specifies the mode of database creation. - Required: No - Type: string - Default: `'Default'` -- Allowed: `[Copy, Default, OnlineSecondary, PointInTimeRestore, Recovery, Restore, RestoreLongTermRetentionBackup, Secondary]` +- Allowed: + ```Bicep + [ + 'Copy' + 'Default' + 'OnlineSecondary' + 'PointInTimeRestore' + 'Recovery' + 'Restore' + 'RestoreLongTermRetentionBackup' + 'Secondary' + ] + ``` ### Parameter: `diagnosticSettings` @@ -293,7 +305,14 @@ Type of enclave requested on the database i.e. Default or VBS enclaves. - Required: No - Type: string - Default: `''` -- Allowed: `['', Default, VBS]` +- Allowed: + ```Bicep + [ + '' + 'Default' + 'VBS' + ] + ``` ### Parameter: `readScale` @@ -301,7 +320,13 @@ The state of read-only routing. - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `recoveryServicesRecoveryPointResourceId` @@ -316,7 +341,15 @@ The storage account type to be used to store backups for this database. - Required: No - Type: string - Default: `''` -- Allowed: `['', Geo, Local, Zone]` +- Allowed: + ```Bicep + [ + '' + 'Geo' + 'Local' + 'Zone' + ] + ``` ### Parameter: `restorePointInTime` 
diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md index c979ff564a..f4489258fb 100644 --- a/modules/sql/server/elastic-pool/README.md +++ b/modules/sql/server/elastic-pool/README.md @@ -82,7 +82,13 @@ The license type to apply for this elastic pool. - Required: No - Type: string - Default: `'LicenseIncluded'` -- Allowed: `[BasePrice, LicenseIncluded]` +- Allowed: + ```Bicep + [ + 'BasePrice' + 'LicenseIncluded' + ] + ``` ### Parameter: `location` diff --git a/modules/sql/server/encryption-protector/README.md b/modules/sql/server/encryption-protector/README.md index 1b0d3b9083..241d32d52d 100644 --- a/modules/sql/server/encryption-protector/README.md +++ b/modules/sql/server/encryption-protector/README.md @@ -63,7 +63,13 @@ The encryption protector type. - Required: No - Type: string - Default: `'ServiceManaged'` -- Allowed: `[AzureKeyVault, ServiceManaged]` +- Allowed: + ```Bicep + [ + 'AzureKeyVault' + 'ServiceManaged' + ] + ``` ### Parameter: `sqlServerName` diff --git a/modules/sql/server/key/README.md b/modules/sql/server/key/README.md index b5f44125a5..778972e853 100644 --- a/modules/sql/server/key/README.md +++ b/modules/sql/server/key/README.md @@ -56,7 +56,13 @@ The encryption protector type like "ServiceManaged", "AzureKeyVault". - Required: No - Type: string - Default: `'ServiceManaged'` -- Allowed: `[AzureKeyVault, ServiceManaged]` +- Allowed: + ```Bicep + [ + 'AzureKeyVault' + 'ServiceManaged' + ] + ``` ### Parameter: `serverName` diff --git a/modules/sql/server/security-alert-policy/README.md b/modules/sql/server/security-alert-policy/README.md index aea40673ca..208dc6904b 100644 --- a/modules/sql/server/security-alert-policy/README.md +++ b/modules/sql/server/security-alert-policy/README.md 
@@ -95,7 +95,13 @@ Specifies the state of the policy, whether it is enabled or disabled or a policy - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `storageAccountAccessKey` diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 3d53bcb9fd..856962bbaf 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -1174,7 +1174,14 @@ Required if the Storage Account kind is set to BlobStorage. The access tier is u - Required: No - Type: string - Default: `'Hot'` -- Allowed: `[Cool, Hot, Premium]` +- Allowed: + ```Bicep + [ + 'Cool' + 'Hot' + 'Premium' + ] + ``` ### Parameter: `allowBlobPublicAccess` @@ -1196,7 +1203,14 @@ Restrict copy to and from Storage Accounts within an AAD tenant or with Private - Required: No - Type: string - Default: `''` -- Allowed: `['', AAD, PrivateLink]` +- Allowed: + ```Bicep + [ + '' + 'AAD' + 'PrivateLink' + ] + ``` ### Parameter: `allowSharedKeyAccess` @@ -1210,14 +1224,14 @@ Indicates whether the storage account permits requests to be authorized with the Provides the identity based authentication settings for Azure Files. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `blobServices` Blob service and containers to deploy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `cMKKeyName` @@ -1361,7 +1375,14 @@ Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a - Required: No - Type: string - Default: `''` -- Allowed: `['', AzureDnsZone, Standard]` +- Allowed: + ```Bicep + [ + '' + 'AzureDnsZone' + 'Standard' + ] + ``` ### Parameter: `enableDefaultTelemetry` 
@@ -1396,7 +1417,7 @@ If true, enables Secure File Transfer Protocol for the storage account. Requires File service and shares to deploy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `isLocalUserEnabled` @@ -1411,7 +1432,16 @@ Type of Storage Account to create. - Required: No - Type: string - Default: `'StorageV2'` -- Allowed: `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` +- Allowed: + ```Bicep + [ + 'BlobStorage' + 'BlockBlobStorage' + 'FileStorage' + 'Storage' + 'StorageV2' + ] + ``` ### Parameter: `largeFileSharesState` @@ -1419,7 +1449,13 @@ Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is e - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `localUsers` @@ -1501,7 +1537,14 @@ Set the minimum TLS version on request to storage. - Required: No - Type: string - Default: `'TLS1_2'` -- Allowed: `[TLS1_0, TLS1_1, TLS1_2]` +- Allowed: + ```Bicep + [ + 'TLS1_0' + 'TLS1_1' + 'TLS1_2' + ] + ``` ### Parameter: `name` @@ -1514,7 +1557,7 @@ Name of the Storage Account. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `privateEndpoints` @@ -1690,14 +1733,21 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `queueServices` Queue service and queues to create. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `requireInfrastructureEncryption` 
@@ -1787,7 +1837,19 @@ Storage Account Sku Name. - Required: No - Type: string - Default: `'Standard_GRS'` -- Allowed: `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` +- Allowed: + ```Bicep + [ + 'Premium_LRS' + 'Premium_ZRS' + 'Standard_GRS' + 'Standard_GZRS' + 'Standard_LRS' + 'Standard_RAGRS' + 'Standard_RAGZRS' + 'Standard_ZRS' + ] + ``` ### Parameter: `supportsHttpsTrafficOnly` @@ -1801,7 +1863,7 @@ Allows HTTPS traffic only to storage service if sets to true. Table service and tables to create. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `tags` diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md index 117c034ea7..edaa79f02b 100644 --- a/modules/storage/storage-account/blob-service/container/README.md +++ b/modules/storage/storage-account/blob-service/container/README.md @@ -94,7 +94,7 @@ Name of the immutable policy. Configure immutability policy. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `immutableStorageWithVersioningEnabled` @@ -108,7 +108,7 @@ This is an immutable property, when set to true it enables object level immutabi A name-value pair to associate with the container as metadata. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` @@ -122,7 +122,14 @@ Specifies whether data in the container may be accessed publicly and the level o - Required: No - Type: string - Default: `'None'` -- Allowed: `[Blob, Container, None]` +- Allowed: + ```Bicep + [ + 'Blob' + 'Container' + 'None' + ] + ``` ### Parameter: `roleAssignments` diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md index 34a25b6076..115e31eaf4 100644 --- a/modules/storage/storage-account/file-service/README.md 
+++ b/modules/storage/storage-account/file-service/README.md @@ -171,14 +171,20 @@ The name of the file service. Protocol settings for file service. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `shareDeleteRetentionPolicy` The service properties for soft delete. - Required: No - Type: object -- Default: `{object}` +- Default: + ```Bicep + { + days: 7 + enabled: true + } + ``` ### Parameter: `shares` diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index 932885db95..7ca6ac07bd 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md @@ -48,7 +48,15 @@ Access tier for specific share. Required if the Storage Account kind is set to F - Required: No - Type: string - Default: `'TransactionOptimized'` -- Allowed: `[Cool, Hot, Premium, TransactionOptimized]` +- Allowed: + ```Bicep + [ + 'Cool' + 'Hot' + 'Premium' + 'TransactionOptimized' + ] + ``` ### Parameter: `enableDefaultTelemetry` @@ -63,7 +71,13 @@ The authentication protocol that is used for the file share. Can only be specifi - Required: No - Type: string - Default: `'SMB'` -- Allowed: `[NFS, SMB]` +- Allowed: + ```Bicep + [ + 'NFS' + 'SMB' + ] + ``` ### Parameter: `fileServicesName` @@ -152,7 +166,14 @@ Permissions for NFS file shares are enforced by the client OS rather than the Az - Required: No - Type: string - Default: `'NoRootSquash'` -- Allowed: `[AllSquash, NoRootSquash, RootSquash]` +- Allowed: + ```Bicep + [ + 'AllSquash' + 'NoRootSquash' + 'RootSquash' + ] + ``` ### Parameter: `shareQuota` diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 94bba1bc19..80f73fb29e 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md 
@@ -50,7 +50,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). A name-value pair that represents queue metadata. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `name` diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index da6f7bd74d..57e6c09409 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -999,7 +999,13 @@ Enable or Disable public network access to workspace. - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `purviewResourceID` @@ -1100,14 +1106,14 @@ Tags of the resource. The ID(s) to assign to the resource. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workspaceRepositoryConfiguration` Git integration settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/synapse/workspace/integration-runtime/README.md b/modules/synapse/workspace/integration-runtime/README.md index 584577e12b..11fb0c65fe 100644 --- a/modules/synapse/workspace/integration-runtime/README.md +++ b/modules/synapse/workspace/integration-runtime/README.md @@ -55,14 +55,20 @@ The name of the Integration Runtime. The type of Integration Runtime. - Required: Yes - Type: string -- Allowed: `[Managed, SelfHosted]` +- Allowed: + ```Bicep + [ + 'Managed' + 'SelfHosted' + ] + ``` ### Parameter: `typeProperties` Integration Runtime type properties. Required if type is "Managed". - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `workspaceName` diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index b8eaf937ae..eb1f5bfbfb 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md 
@@ -530,7 +530,13 @@ Storage account type to be used to store the image in the Azure Compute Gallery. - Required: No - Type: string - Default: `'Standard_LRS'` -- Allowed: `[Standard_LRS, Standard_ZRS]` +- Allowed: + ```Bicep + [ + 'Standard_LRS' + 'Standard_ZRS' + ] + ``` ### Parameter: `subnetId` diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 9c3e5d2bb1..d993463be0 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -157,14 +157,14 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { Specific values for some API connections. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `customParameterValues` Customized parameter values for specific connections. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `displayName` @@ -224,14 +224,14 @@ Connection name for connection. Example: 'azureblob' when using blobs. It can c Dictionary of nonsecret parameter values. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `parameterValues` Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. - Required: No - Type: secureObject -- Default: `{object}` +- Default: `{}` ### Parameter: `roleAssignments` diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 0a55538ca4..306a671493 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -414,7 +414,15 @@ Property to enable and disable new private endpoint connection creation on ASE. Custom settings for changing the behavior of the App Service Environment. - Required: No - Type: array -- Default: `[System.Management.Automation.OrderedHashtable]` +- Default: + ```Bicep + [ + { + name: 'DisableTls1.0' + value: '1' + } + ] + ``` ### Parameter: `customDnsSuffix` 
@@ -580,7 +588,15 @@ Specifies which endpoints to serve internally in the Virtual Network for the App - Required: No - Type: string - Default: `'None'` -- Allowed: `[None, Publishing, Web, Web, Publishing]` +- Allowed: + ```Bicep + [ + 'None' + 'Publishing' + 'Web' + 'Web Publishing' + ] + ``` ### Parameter: `ipsslAddressCount` @@ -595,7 +611,13 @@ Kind of resource. - Required: No - Type: string - Default: `'ASEv3'` -- Allowed: `[ASEv2, ASEv3]` +- Allowed: + ```Bicep + [ + 'ASEv2' + 'ASEv3' + ] + ``` ### Parameter: `location` @@ -663,7 +685,22 @@ Frontend VM size. Cannot be used when kind is set to ASEv3. - Required: No - Type: string - Default: `''` -- Allowed: `['', ExtraLarge, Large, Medium, Standard_D1_V2, Standard_D2, Standard_D2_V2, Standard_D3, Standard_D3_V2, Standard_D4, Standard_D4_V2]` +- Allowed: + ```Bicep + [ + '' + 'ExtraLarge' + 'Large' + 'Medium' + 'Standard_D1_V2' + 'Standard_D2' + 'Standard_D2_V2' + 'Standard_D3' + 'Standard_D3_V2' + 'Standard_D4' + 'Standard_D4_V2' + ] + ``` ### Parameter: `name` @@ -764,7 +801,15 @@ Specify preference for when and how the planned maintenance is applied. - Required: No - Type: string - Default: `'None'` -- Allowed: `[Early, Late, Manual, None]` +- Allowed: + ```Bicep + [ + 'Early' + 'Late' + 'Manual' + 'None' + ] + ``` ### Parameter: `userWhitelistedIpRanges` diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 0e8f31571a..1f13295b37 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -303,7 +303,16 @@ Kind of server OS. - Required: No - Type: string - Default: `'Windows'` -- Allowed: `[App, Elastic, FunctionApp, Linux, Windows]` +- Allowed: + ```Bicep + [ + 'App' + 'Elastic' + 'FunctionApp' + 'Linux' + 'Windows' + ] + ``` ### Parameter: `location` 
@@ -459,7 +468,14 @@ The instance size of the hosting plan (small, medium, or large). - Required: No - Type: int - Default: `0` -- Allowed: `[0, 1, 2]` +- Allowed: + ```Bicep + [ + 0 + 1 + 2 + ] + ``` ### Parameter: `workerTierName` diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 4a1fef0403..8cabfb7b27 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -893,14 +893,14 @@ The resource ID of the app service environment to use for this resource. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `authSettingV2Configuration` The auth settings V2 configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `basicPublishingCredentialsPolicies` @@ -936,14 +936,21 @@ This composes with ClientCertEnabled setting.

- ClientCertEnabled: false mean - Required: No - Type: string - Default: `'Optional'` -- Allowed: `[Optional, OptionalInteractiveUser, Required]` +- Allowed: + ```Bicep + [ + 'Optional' + 'OptionalInteractiveUser' + 'Required' + ] + ``` ### Parameter: `cloningInfo` If specified during app creation, the app is cloned from a source app. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `containerSize` @@ -1135,7 +1142,16 @@ The resource ID of the assigned identity to be used to access a key vault with. Type of site to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `location` @@ -1377,7 +1393,14 @@ Whether or not public network access is allowed for this resource. For security - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `redundancyMode` @@ -1385,7 +1408,16 @@ Site redundancy mode. - Required: No - Type: string - Default: `'None'` -- Allowed: `[ActiveActive, Failover, GeoRedundant, Manual, None]` +- Allowed: + ```Bicep + [ + 'ActiveActive' + 'Failover' + 'GeoRedundant' + 'Manual' + 'None' + ] + ``` ### Parameter: `roleAssignments` @@ -1480,7 +1512,7 @@ For function apps. If true the app settings "AzureWebJobsDashboard" will be set. The site config object. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `slots` diff --git a/modules/web/site/basic-publishing-credentials-policy/README.md b/modules/web/site/basic-publishing-credentials-policy/README.md index e6cfbc594b..59fe52102c 100644 --- a/modules/web/site/basic-publishing-credentials-policy/README.md +++ b/modules/web/site/basic-publishing-credentials-policy/README.md 
@@ -55,7 +55,13 @@ Location for all Resources. The name of the resource. - Required: Yes - Type: string -- Allowed: `[ftp, scm]` +- Allowed: + ```Bicep + [ + 'ftp' + 'scm' + ] + ``` ### Parameter: `webAppName` diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md index 2e08ed883c..3b93bb02ce 100644 --- a/modules/web/site/config--appsettings/README.md +++ b/modules/web/site/config--appsettings/README.md @@ -58,7 +58,7 @@ The name of the parent site resource. Required if the template is used in a stan The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -72,7 +72,16 @@ Enable telemetry via a Globally Unique Identifier (GUID). Type of site to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `setAzureWebJobsDashboard` diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md index 345ad28201..da797e6048 100644 --- a/modules/web/site/config--authsettingsv2/README.md +++ b/modules/web/site/config--authsettingsv2/README.md @@ -60,7 +60,16 @@ Enable telemetry via a Globally Unique Identifier (GUID). Type of site to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ## Outputs 
diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 5f79c8d56f..1769b4cec1 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -105,14 +105,14 @@ The resource ID of the app service environment to use for this resource. The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `authSettingV2Configuration` The auth settings V2 configuration. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `clientAffinityEnabled` @@ -141,14 +141,21 @@ This composes with ClientCertEnabled setting.

- ClientCertEnabled: false mean - Required: No - Type: string - Default: `'Optional'` -- Allowed: `[Optional, OptionalInteractiveUser, Required]` +- Allowed: + ```Bicep + [ + 'Optional' + 'OptionalInteractiveUser' + 'Required' + ] + ``` ### Parameter: `cloningInfo` If specified during app creation, the app is cloned from a source app. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `containerSize` @@ -340,7 +347,16 @@ The resource ID of the assigned identity to be used to access a key vault with. Type of slot to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `location` @@ -582,7 +598,14 @@ Allow or block all public traffic. - Required: No - Type: string - Default: `''` -- Allowed: `['', Disabled, Enabled]` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `redundancyMode` @@ -590,7 +613,16 @@ Site redundancy mode. - Required: No - Type: string - Default: `'None'` -- Allowed: `[ActiveActive, Failover, GeoRedundant, Manual, None]` +- Allowed: + ```Bicep + [ + 'ActiveActive' + 'Failover' + 'GeoRedundant' + 'Manual' + 'None' + ] + ``` ### Parameter: `roleAssignments` @@ -679,7 +711,7 @@ For function apps. If true the app settings "AzureWebJobsDashboard" will be set. The site config object. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `storageAccountRequired` diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index 4301a04146..ffdebce0c4 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md 
@@ -59,7 +59,7 @@ The name of the parent site resource. Required if the template is used in a stan The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `enableDefaultTelemetry` @@ -73,7 +73,16 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). Type of slot to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `setAzureWebJobsDashboard` diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index f2620b132c..2d99aeaef9 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md @@ -61,7 +61,16 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). Type of slot to deploy. - Required: Yes - Type: string -- Allowed: `[app, functionapp, functionapp,linux, functionapp,workflowapp, functionapp,workflowapp,linux]` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `slotName` diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index a0dd2e433f..a5e671ef73 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11996079594340351559" + "templateHash": "2776575331575111691" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1842,4 +1842,4 @@ "value": "[reference('slot', '2022-09-01', 'full').location]" } } -} +} \ No newline at end of file diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index 0cc50ab558..c499a7a46a 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -301,7 +301,7 @@ False if config file is locked for this static web app; otherwise, true. Static site app settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `branch` @@ -315,7 +315,7 @@ The branch name of the GitHub repository. Build properties for the static site. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `customDomains` @@ -337,21 +337,29 @@ State indicating the status of the enterprise grade CDN serving traffic to the s - Required: No - Type: string - Default: `'Disabled'` -- Allowed: `[Disabled, Disabling, Enabled, Enabling]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Disabling' + 'Enabled' + 'Enabling' + ] + ``` ### Parameter: `functionAppSettings` Function app settings. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `linkedBackend` Object with "resourceId" and "location" of the a user defined function app. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ### Parameter: `location` @@ -682,7 +690,13 @@ Type of static site to deploy. - Required: No - Type: string - Default: `'Free'` -- Allowed: `[Free, Standard]` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` ### Parameter: `stagingEnvironmentPolicy` @@ -690,7 +704,13 @@ State indicating whether staging environments are allowed or not allowed for a s - Required: No - Type: string - Default: `'Enabled'` -- Allowed: `[Disabled, Enabled]` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `tags` 
@@ -703,7 +723,7 @@ Tags of the resource. Template Options for the static site. - Required: No - Type: object -- Default: `{object}` +- Default: `{}` ## Outputs diff --git a/modules/web/static-site/config/README.md b/modules/web/static-site/config/README.md index ac76bb3933..e17e11da76 100644 --- a/modules/web/static-site/config/README.md +++ b/modules/web/static-site/config/README.md @@ -49,7 +49,13 @@ Enable telemetry via a Globally Unique Identifier (GUID). Type of settings to apply. - Required: Yes - Type: string -- Allowed: `[appsettings, functionappsettings]` +- Allowed: + ```Bicep + [ + 'appsettings' + 'functionappsettings' + ] + ``` ### Parameter: `location` diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index fb9fdbfd9f..5d80020522 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 
@@ -226,39 +226,64 @@ function Set-ParametersSection { # 3. Add individual parameters foreach ($parameter in $categoryParameters) { + + $isRequired = Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameter + + # Default values + if ($parameter.defaultValue -is [array]) { + if ($parameter.defaultValue.count -eq 0) { + $defaultValue = '[]' + } else { + $bicepJSONDefaultParameterObject = @{ $parameter.name = ($parameter.defaultValue ?? @()) } # Wrapping on object to work with formatted Bicep script + $bicepRawformattedDefault = ConvertTo-FormattedBicep -JSONParameters $bicepJSONDefaultParameterObject + $leadingSpacesToTrim = ($bicepRawformattedDefault -match '^(\s+).+') ? $matches[1].Length : 0 + $bicepCleanedFormattedDefault = $bicepRawformattedDefault -replace ('{0}: ' -f $parameter.name) # Unwrapping the object + $defaultValue = $bicepCleanedFormattedDefault -split '\n' | ForEach-Object { $_ -replace "^\s{$leadingSpacesToTrim}" } # Removing excess leading spaces + } + } elseif ($parameter.defaultValue -is [hashtable]) { + if ($parameter.defaultValue.count -eq 0) { + $defaultValue = '{}' + } else { + $bicepDefaultValue = ConvertTo-FormattedBicep -JSONParameters $parameter.defaultValue + $defaultValue = "{`n$bicepDefaultValue`n}" + } + } elseif ($parameter.defaultValue -is [string] -and ($parameter.defaultValue -notmatch '\[\w+\(.*\).*\]')) { + $defaultValue = '''' + $parameter.defaultValue + '''' + } else { + $defaultValue = $parameter.defaultValue + } + # User defined type if ($null -eq $parameter.type -and $parameter.ContainsKey('$ref')) { $identifier = Split-Path $parameter.'$ref' -Leaf $definition = $TemplateFileContent.definitions[$identifier] - $type = $definition['type'] - $isRequired = (-not $definition['nullable']) - $defaultValue = $null $rawAllowedValues = $definition['allowedValues'] } else { $type = $parameter.type - - if ($parameter.defaultValue -is [array]) { - $defaultValue = '[{0}]' -f (($parameter.defaultValue | 
Sort-Object) -join ', ') - } elseif ($parameter.defaultValue -is [hashtable]) { - $defaultValue = '{object}' - } elseif ($parameter.defaultValue -is [string] -and ($parameter.defaultValue -notmatch '\[\w+\(.*\).*\]')) { - $defaultValue = '''' + $parameter.defaultValue + '''' - } else { - $defaultValue = $parameter.defaultValue - } - - $isRequired = Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameter $rawAllowedValues = $parameter.allowedValues } + # Allowed values + if ($rawAllowedValues -is [array]) { + $bicepJSONAllowedParameterObject = @{ $parameter.name = ($rawAllowedValues ?? @()) } # Wrapping on object to work with formatted Bicep script + $bicepRawformattedAllowed = ConvertTo-FormattedBicep -JSONParameters $bicepJSONAllowedParameterObject + $leadingSpacesToTrim = ($bicepRawformattedAllowed -match '^(\s+).+') ? $matches[1].Length : 0 + $bicepCleanedFormattedAllowed = $bicepRawformattedAllowed -replace ('{0}: ' -f $parameter.name) # Unwrapping the object + $allowedValues = $bicepCleanedFormattedAllowed -split '\n' | ForEach-Object { $_ -replace "^\s{$leadingSpacesToTrim}" } # Removing excess leading spaces + } elseif ($rawAllowedValues -is [hashtable]) { + $bicepAllowedValues = ConvertTo-FormattedBicep -JSONParameters $rawAllowedValues + $allowedValues = "{`n$bicepAllowedValues`n}" + } else { + $allowedValues = $rawAllowedValues + } + # Prepare the links to local headers $paramHeader = '### Parameter: `{0}`' -f $parameter.name $paramIdentifier = ('#{0}' -f $paramHeader.TrimStart('#').Trim().ToLower()) -replace '[:|`]' -replace ' ', '-' # Add external single quotes to all default values of type string except for those using functions $description = $parameter.metadata.description.Replace("`r`n", '

').Replace("`n", '

') - $allowedValues = ($rawAllowedValues -is [array]) ? ('[{0}]' -f (($rawAllowedValues | Sort-Object) -join ', ')) : (($rawAllowedValues -is [hashtable]) ? '{object}' : $rawAllowedValues) # Further, replace all "empty string" default values with actual visible quotes if ([regex]::Match($allowedValues, '^(\[\s*,.+)|(\[.+,\s*,)|(.+,\s*\])$').Captures.Count -gt 0) { $allowedValues = $allowedValues -replace '\[\s*,', "[''," -replace ',\s*,', ", ''," -replace ',\s*\]', ", '']" @@ -269,6 +294,36 @@ function Set-ParametersSection { $description = $description.substring("$category. ".Length) $newSectionContent += ('| [`{0}`]({1}) | {2} | {3} |' -f $parameter.name, $paramIdentifier, $type, $description) + if (-not [String]::IsNullOrEmpty($defaultValue)) { + if (($defaultValue -split '\n').count -eq 1) { + $formattedDefaultValue = '- Default: `{0}`' -f $defaultValue + } else { + $formattedDefaultValue = @( + '- Default:', + ' ```Bicep', + ($defaultValue -split '\n' | ForEach-Object { " $_" } | Out-String).TrimEnd(), + ' ```' + ) + } + } else { + $formattedDefaultValue = $null + } + + if (-not [String]::IsNullOrEmpty($allowedValues)) { + if (($allowedValues -split '\n').count -eq 1) { + $formattedAllowedValues = '- Default: `{0}`' -f $allowedValues + } else { + $formattedAllowedValues = @( + '- Allowed:', + ' ```Bicep', + ($allowedValues -split '\n' | Where-Object { -not [String]::IsNullOrEmpty($_) } | ForEach-Object { " $_" } | Out-String).TrimEnd(), + ' ```' + ) + } + } else { + $formattedAllowedValues = $null + } + $parameterList += @{ $paramIdentifier = @( $paramHeader, 
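Review bot: The `$ref` branch no longer assigns `$type` — `$type = $definition['type']` is removed with no replacement and nothing else in the hunk sets it — so for user-defined-type parameters `$type` is `$null` or stale from the previous `foreach` iteration when it is later written into the overview table and the `- Type:` line; keep `$type = $definition['type']` in that branch (and confirm `Get-IsParameterRequired` honours `nullable`, which the removed `$isRequired = (-not $definition['nullable'])` used to cover). The new allowed-values path also appears to drop commas inside values: the regenerated web/site READMEs in this same patch list `'functionapplinux'` and `'functionappworkflowapplinux'` where the templates allow `functionapp,linux` and `functionapp,workflowapp,linux`, and hosting-environment's `Web, Publishing` becomes `'Web Publishing'`, which presumably comes from comma stripping inside `ConvertTo-FormattedBicep` (outside this hunk) and would leave the docs advertising values the deployment rejects. With `$allowedValues` now a pre-quoted multi-line array, the retained `[regex]::Match($allowedValues, '^(\[\s*,.+)...` empty-string fix-up at the end of the hunk looks obsolete and can probably be deleted. The enclosing `foreach` in `Set-ParametersSection` continues past this hunk.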
@@ -276,8 +331,8 @@ function Set-ParametersSection { $description, ('- Required: {0}' -f ($isRequired ? 'Yes' : 'No')), ('- Type: {0}' -f $type), - ((-not [String]::IsNullOrEmpty($defaultValue)) ? ('- Default: `{0}`' -f $defaultValue) : $null), - ((-not [String]::IsNullOrEmpty($allowedValues)) ? ('- Allowed: `{0}`' -f $allowedValues) : $null), + ((-not [String]::IsNullOrEmpty($formattedDefaultValue)) ? $formattedDefaultValue : $null), + ((-not [String]::IsNullOrEmpty($formattedAllowedValues)) ? $formattedAllowedValues : $null), '', (($parameterUsageContentMap.Keys -contains $parameter.name) ? $parameterUsageContentMap[$parameter.name] : $null) ) | Where-Object { $null -ne $_ } @@ -582,8 +637,8 @@ Add type comments to given bicep params string, using one required parameter 'na name: 'carml' // Non-required parameters lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + kind: 'CanNotDelete' + name: 'myCustomLockName' } ' #> @@ -660,8 +715,8 @@ Order the given JSON object alphabetically. Would result into: @{ name: 'carml' lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + kind: 'CanNotDelete' + name: 'myCustomLockName' } } #> @@ -1562,7 +1617,6 @@ function Set-ModuleReadMe { . (Join-Path $PSScriptRoot 'helper' 'ConvertTo-OrderedHashtable.ps1') . (Join-Path (Split-Path $PSScriptRoot -Parent) 'resourcePublish' 'Get-PrivateRegistryRepositoryName.ps1') - # Check template & make full path $TemplateFilePath = Resolve-Path -Path $TemplateFilePath -ErrorAction Stop @@ -1711,7 +1765,7 @@ function Set-ModuleReadMe { Write-Verbose "File [$ReadMeFilePath] updated" -Verbose } else { if ($PSCmdlet.ShouldProcess("File in path [$ReadMeFilePath]", 'Create')) { - $null = New-Item -Path $ReadMeFilePath -Value $readMeFileContent -Force + $null = New-Item -Path $ReadMeFilePath -Value ($readMeFileContent | Out-String) -Force } Write-Verbose "File [$ReadMeFilePath] created" -Verbose } From 29750a2d35cf02dba48aa2c7dbc4916ac3725f4f Mon Sep 17 00:00:00 2001 
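Review bot: The single-line allowed-values branch uses the wrong bullet label: `$formattedAllowedValues = '- Default: ...' -f $allowedValues` should read `'- Allowed: ...'`, otherwise any parameter whose allowed list formats onto one line gets two `Default:` bullets and no `Allowed:` bullet, while the multi-line branch directly below it correctly emits `'- Allowed:'`. A smaller point: `$defaultValue` and `$allowedValues` can be string arrays here (the array branches return the output of `-split '\n' | ForEach-Object`), so `[String]::IsNullOrEmpty($defaultValue)` appears to test the space-joined stringification rather than the array itself — it seems to work, but `-not $defaultValue` or a `.Count` check would state the intent. The enclosing `foreach` begins in the previous hunk and continues past this one.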
From: CARMLPipelinePrincipal Date: Tue, 31 Oct 2023 21:44:05 +0000 Subject: [PATCH 074/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 52 +++++++++++----------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 875cf457ac..b7919c2559 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -122,35 +122,35 @@ This section provides an overview of the library's feature set. | 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | | | | | | 112 | | 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:2] | 114 | | 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | | | | | | 124 | -| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | :white_check_mark: | | | | [L1:7] | 348 | +| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | | | | | [L1:7] | 348 | | 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | | 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | :white_check_mark: | | | | | 133 | -| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | :white_check_mark: | | | | | 315 | -| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | :white_check_mark: | | | | [L1:7, L2:2, L3:2] | 355 | -| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | :white_check_mark: | | | | [L1:4, L2:2] | 330 | -| 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | :white_check_mark: | | | | | 101 | -| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | :white_check_mark: | | | | | 132 | -| 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | :white_check_mark: | | | | [L1:1] | 101 | -| 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | :white_check_mark: | | | | [L1:2] | 54 | -| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | :white_check_mark: | | | | [L1:1] | 318 | +| 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | | | | | | 133 | +| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | | | | | | 315 | +| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | | | | | [L1:7, L2:2, L3:2] | 355 | +| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | | | | | [L1:4, L2:2] | 330 | +| 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | | | | | | 101 | +| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | | | | | | 132 | +| 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | | | | | [L1:1] | 101 | +| 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | | | | | [L1:2] | 54 | +| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:1] | 318 | | 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | :white_check_mark: | | | | [L1:6, L2:2] | 445 | -| 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | :white_check_mark: | | | | [L1:1] | 312 | -| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | :white_check_mark: | | | | | 268 | -| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | :white_check_mark: | | | | | 244 | -| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | :white_check_mark: | | | | [L1:6, L2:3] | 373 | -| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | :white_check_mark: | | | | [L1:8, L2:3] | 380 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | :white_check_mark: | | | | [L1:6, L2:4, L3:1] | 504 | -| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | :white_check_mark: | | | | | 162 | -| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | :white_check_mark: | | | | [L1:3] | 355 | -| 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | :white_check_mark: | | | | | 216 | -| 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | :white_check_mark: | | | | | 118 | -| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | :white_check_mark: | | | | [L1:2] | 262 | -| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | :white_check_mark: | | | | | 194 | -| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | :white_check_mark: | | | | [L1:5, L2:4, L3:1] | 444 | -| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | :white_check_mark: | | | | [L1:3] | 275 | -| Sum | | | 0 | 0 | 26 | 0 | 0 | 2 | 240 | 29467 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 445 | +| 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | | | | | [L1:1] | 312 | +| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | | 268 | +| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | | 244 | +| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:6, L2:3] | 373 | +| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:8, L2:3] | 380 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 504 | +| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | | 162 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 355 | +| 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | | 216 | +| 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | | 118 | +| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:2] | 262 | +| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 444 | +| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 275 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 240 | 29467 | ## Legend From ea4e34dc39f5013d3edd15d6cd5d18329c01467a Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Tue, 31 Oct 2023 23:59:17 +0100 Subject: [PATCH 075/178] Updated the way the NAT GW handles pip (#4158) * Updated the way the NAT GW handles pip * Updated triggers * Added location * Updated NATGW Prefix sku * Update to latest * Update dependencies.bicep * Update to latest * Update to latest * Update to latest * Update to latest * Update to latest * Update to latest * Update modules/network/nat-gateway/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --------- Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- .../ms.network.natgateways.yml | 1 + .github/workflows/ms.network.natgateways.yml | 1 + .../nat-gateway/.test/common/main.test.bicep | 33 +- .../.test/prefixCombined/dependencies.bicep | 30 + .../.test/prefixCombined/main.test.bicep | 107 ++++ modules/network/nat-gateway/README.md | 359 +++++++----- modules/network/nat-gateway/main.bicep | 94 +-- modules/network/nat-gateway/main.json | 549 +++++++++++++++--- .../modules/formatResourceId.bicep | 6 + 9 files changed, 908 insertions(+), 272 deletions(-) create mode 100644 modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep create mode 100644 modules/network/nat-gateway/.test/prefixCombined/main.test.bicep create mode 100644 modules/network/nat-gateway/modules/formatResourceId.bicep diff --git a/.azuredevops/modulePipelines/ms.network.natgateways.yml b/.azuredevops/modulePipelines/ms.network.natgateways.yml index 382fc5e406..8f8ac26448 100644 --- a/.azuredevops/modulePipelines/ms.network.natgateways.yml 
+++ b/.azuredevops/modulePipelines/ms.network.natgateways.yml @@ -29,6 +29,7 @@ trigger: include: - '/modules/network/nat-gateway/*' - '/modules/network/public-ip-address/*' + - '/modules/network/public-ip-prefix/*' - '/.azuredevops/modulePipelines/ms.network.natgateways.yml' - '/.azuredevops/pipelineTemplates/*.yml' - '/utilities/pipelines/*' diff --git a/.github/workflows/ms.network.natgateways.yml b/.github/workflows/ms.network.natgateways.yml index 837d2c23be..7cbb0c2281 100644 --- a/.github/workflows/ms.network.natgateways.yml +++ b/.github/workflows/ms.network.natgateways.yml @@ -29,6 +29,7 @@ on: paths: - 'modules/network/nat-gateway/**' - 'modules/network/public-ip-address/**' + - 'modules/network/public-ip-prefix/**' - '.github/actions/templates/**' - '.github/workflows/template.module.yml' - '.github/workflows/ms.network.natgateways.yml' diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/.test/common/main.test.bicep index c4b3aa7ae9..b4e844cece 100644 --- a/modules/network/nat-gateway/.test/common/main.test.bicep +++ b/modules/network/nat-gateway/.test/common/main.test.bicep 
@@ -70,7 +70,38 @@ module testDeployment '../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - natGatewayPublicIpAddress: true + publicIPAddressObjects: [ + { + name: '${namePrefix}${serviceShort}001-pip' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + } + ] roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep b/modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep new file mode 100644 index 0000000000..d6562f9465 --- /dev/null +++ b/modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep 
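Review bot: Neither this test nor the new prefixCombined test passes `publicIpResourceIds`, so the path that attaches existing Public IP Addresses by resource ID (listed as a module parameter in this patch's README) appears to have no deployment coverage, while the old `natGatewayPublicIpAddress: true` case this hunk removes was the only one exercising a module-attached PIP. Supplying an existing PIP alongside the generated one, e.g. `publicIpResourceIds: [ nestedDependencies.outputs.publicIpResourceId ]` (constructed output name; the dependencies template would have to create that PIP), would cover both attachment modes in one deployment. The `testDeployment` module declaration starts above this hunk.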
@@ -0,0 +1,30 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Public IP Prefix to create.') +param publicIPPrefixName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2023-05-01' = { + name: publicIPPrefixName + location: location + sku: { + name: 'Standard' + } + properties: { + prefixLength: 30 + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Public IP Prefix.') +output publicIpPrefixResourceId string = publicIpPrefix.id diff --git a/modules/network/nat-gateway/.test/prefixCombined/main.test.bicep b/modules/network/nat-gateway/.test/prefixCombined/main.test.bicep new file mode 100644 index 0000000000..1d98171653 --- /dev/null +++ b/modules/network/nat-gateway/.test/prefixCombined/main.test.bicep 
@@ -0,0 +1,107 @@ +targetScope = 'subscription' + +metadata name = 'Combine a generated and provided Public IP Prefix' +metadata description = 'This example shows how you can provide a Public IP Prefix to the module, while also generating one in the module.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nngcprx' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + publicIPPrefixName: 'dep-${namePrefix}-pippre-${serviceShort}' + location: location + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPPrefixResourceIds: [ + nestedDependencies.outputs.publicIpPrefixResourceId + ] + publicIPPrefixObjects: [ + { + name: '${namePrefix}${serviceShort}001-pippre' + prefixLength: 30 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'CustomTag' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 9db81cfc91..13c664715f 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md 
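Review bot: The `diagnosticDependencies` module in this new test is never consumed: `testDeployment` references only `nestedDependencies.outputs.*` and carries no `diagnosticSettings` block, so the storage account, Log Analytics workspace and Event Hub namespace its parameters suggest it provisions are deployed into the test resource group for nothing. Unless the repo's test template convention requires the block, either drop the `// Diagnostics` module or reference its outputs, for instance in a `diagnosticSettings` entry on the generated `publicIPPrefixObjects` item if the module accepts one there — the README in this patch does not list the sub-properties of `publicIPPrefixObjects`, so that needs confirming against main.bicep. A short `// one pre-existing prefix (dependency) plus one generated by the module` comment above `publicIPPrefixResourceIds` would also make the intent visible at the call site rather than only in the file's metadata description.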
@@ -19,6 +19,7 @@ This module deploys a NAT Gateway. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/natGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/natGateways) | | `Microsoft.Network/publicIPAddresses` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPAddresses) | +| `Microsoft.Network/publicIPPrefixes` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/publicIPPrefixes) | ## Usage examples @@ -29,6 +30,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.nat-gateway:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [Combine a generated and provided Public IP Prefix](#example-2-combine-a-generated-and-provided-public-ip-prefix) ### Example 1: _Using large parameter set_ @@ -51,7 +53,38 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - natGatewayPublicIpAddress: true + publicIPAddressObjects: [ + { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + name: 'nngcom001-pip' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + } + ] roleAssignments: [ { principalId: '' 
@@ -94,8 +127,167 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { "name": "myCustomLockName" } }, - "natGatewayPublicIpAddress": { - "value": true + "publicIPAddressObjects": { + "value": [ + { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "name": "nngcom001-pip", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "skuTier": "Regional", + "zones": [ + "1", + "2", + "3" + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +

+

+ +### Example 2: _Combine a generated and provided Public IP Prefix_ + +This example shows how you can provide a Public IP Prefix to the module, while also generating one in the module. + + +

+ +via Bicep module + +```bicep +module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nngcprx' + params: { + // Required parameters + name: 'nngcprx001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPPrefixObjects: [ + { + name: 'nngcprx001-pippre' + prefixLength: 30 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'CustomTag' + } + } + ] + publicIPPrefixResourceIds: [ + '' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nngcprx001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicIPPrefixObjects": { + "value": [ + { + "name": "nngcprx001-pippre", + "prefixLength": 30, + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "tags": { + "hidden-title": "CustomTag" + } + } + ] + }, + "publicIPPrefixResourceIds": { + "value": [ + "" + ] }, "roleAssignments": { "value": [ 
@@ -133,28 +325,18 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`domainNameLabel`](#parameter-domainnamelabel) | string | DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The idle timeout of the NAT gateway. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`natGatewayPipName`](#parameter-natgatewaypipname) | string | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | -| [`natGatewayPublicIpAddress`](#parameter-natgatewaypublicipaddress) | bool | Use to have a new Public IP Address created for the NAT Gateway. | -| [`publicIpAddresses`](#parameter-publicipaddresses) | array | Existing Public IP Address resource names to use for the NAT Gateway. | -| [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. | -| [`publicIpPrefixes`](#parameter-publicipprefixes) | array | Existing Public IP Prefixes resource names to use for the NAT Gateway. | -| [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | +| [`publicIPAddressObjects`](#parameter-publicipaddressobjects) | array | Specifies the properties of the Public IPs to create and be used by the NAT Gateway. 
| +| [`publicIPPrefixObjects`](#parameter-publicipprefixobjects) | array | Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. | +| [`publicIPPrefixResourceIds`](#parameter-publicipprefixresourceids) | array | Existing Public IP Prefixes resource IDs to use for the NAT Gateway. | +| [`publicIpResourceIds`](#parameter-publicipresourceids) | array | Existing Public IP Address resource IDs to use for the NAT Gateway. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags for the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | -### Parameter: `domainNameLabel` - -DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). 
@@ -209,156 +391,32 @@ Name of the Azure Bastion resource. - Required: Yes - Type: string -### Parameter: `natGatewayPipName` - -Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `natGatewayPublicIpAddress` - -Use to have a new Public IP Address created for the NAT Gateway. -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `publicIpAddresses` +### Parameter: `publicIPAddressObjects` -Existing Public IP Address resource names to use for the NAT Gateway. +Specifies the properties of the Public IPs to create and be used by the NAT Gateway. - Required: No - Type: array -- Default: `[]` -### Parameter: `publicIpDiagnosticSettings` +### Parameter: `publicIPPrefixObjects` -The diagnostic settings of the Public IP. +Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. - Required: No - Type: array +### Parameter: `publicIPPrefixResourceIds` -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-publicipdiagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `publicIpDiagnosticSettings.eventHubAuthorizationRuleResourceId` - -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.eventHubName` - -Optional. 
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.logAnalyticsDestinationType` - -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - -- Required: No -- Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` - -### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups` - -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - +Existing Public IP Prefixes resource IDs to use for the NAT Gateway. - Required: No - Type: array +- Default: `[]` -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - -### Parameter: `publicIpDiagnosticSettings.marketplacePartnerResourceId` - -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.metricCategories` - -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-publicipdiagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `publicIpDiagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - -### Parameter: `publicIpDiagnosticSettings.name` - -Optional. The name of diagnostic setting. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.storageAccountResourceId` - -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.workspaceResourceId` - -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - -- Required: No -- Type: string - -### Parameter: `publicIpPrefixes` +### Parameter: `publicIpResourceIds` -Existing Public IP Prefixes resource names to use for the NAT Gateway. 
+Existing Public IP Address resource IDs to use for the NAT Gateway. - Required: No - Type: array - Default: `[]` -### Parameter: `publicIPPrefixResourceId` - -Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. @@ -457,3 +515,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | | `modules/network/public-ip-address` | Local reference | +| `modules/network/public-ip-prefix` | Local reference | diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index 601fd71819..566fc8757d 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep 
@@ -8,23 +8,17 @@ param name string
 @description('Optional. The idle timeout of the NAT gateway.')
 param idleTimeoutInMinutes int = 5
 
-@description('Optional. Use to have a new Public IP Address created for the NAT Gateway.')
-param natGatewayPublicIpAddress bool = false
+@description('Optional. Existing Public IP Address resource IDs to use for the NAT Gateway.')
+param publicIpResourceIds array = []
 
-@description('Optional. Specifies the name of the Public IP used by the NAT Gateway. If it\'s not provided, a \'-pip\' suffix will be appended to the Bastion\'s name.')
-param natGatewayPipName string = ''
+@description('Optional. Existing Public IP Prefixes resource IDs to use for the NAT Gateway.')
+param publicIPPrefixResourceIds array = []
 
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixResourceId string = ''
+@description('Optional. Specifies the properties of the Public IPs to create and be used by the NAT Gateway.')
+param publicIPAddressObjects array?
 
-@description('Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com.')
-param domainNameLabel string = ''
-
-@description('Optional. Existing Public IP Address resource names to use for the NAT Gateway.')
-param publicIpAddresses array = []
-
-@description('Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway.')
-param publicIpPrefixes array = []
+@description('Optional. Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway.')
+param publicIPPrefixObjects array?
 
 @description('Optional. A list of availability zones denoting the zone in which Nat Gateway should be deployed.')
 param zones array = []
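Review bot: The four new parameters are inconsistently cased — `publicIpResourceIds` uses `Ip` while `publicIPPrefixResourceIds`, `publicIPAddressObjects` and `publicIPPrefixObjects` use `IP` — and because these names surface in the generated main.json and README, settling on one form now is cheaper than renaming later. The two `array?` parameters are untyped object arrays whose descriptions do not say which keys the module reads; the prefix loop later in this file dereferences `prefixLength` unconditionally, so a missing key presumably surfaces only at deployment time. Either declare user-defined types for the two object arrays or extend the descriptions, e.g. `@description('Optional. Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. Each object requires \'prefixLength\'; \'name\', \'lock\', \'customIPPrefix\', \'roleAssignments\' and \'tags\' are optional.')`.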
@@ -41,20 +35,9 @@ param roleAssignments roleAssignmentType
 @description('Optional. Tags for the resource.')
 param tags object?
 
-@description('Optional. The diagnostic settings of the Public IP.')
-param publicIpDiagnosticSettings diagnosticSettingType
-
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-var publicIPPrefixResourceIds = [for publicIpPrefix in publicIpPrefixes: {
-  id: az.resourceId('Microsoft.Network/publicIPPrefixes', publicIpPrefix)
-}]
-
-var publicIPAddressResourceIds = [for publicIpAddress in publicIpAddresses: {
-  id: az.resourceId('Microsoft.Network/publicIPAddresses', publicIpAddress)
-}]
-
 var enableReferencedModulesTelemetry = false
 
 var builtInRoleNames = {
@@ -78,26 +61,52 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -// PUBLIC IP -// ========= -module publicIPAddress '../public-ip-address/main.bicep' = if (natGatewayPublicIpAddress) { - name: '${uniqueString(deployment().name, location)}-NatGateway-PIP' +module publicIPAddresses '../public-ip-address/main.bicep' = [for (publicIPAddressObject, index) in (publicIPAddressObjects ?? []): { + name: '${uniqueString(deployment().name, location)}-NatGw-PIP-${index}' params: { - name: !empty(natGatewayPipName) ? natGatewayPipName : '${name}-pip' - diagnosticSettings: publicIpDiagnosticSettings - domainNameLabel: domainNameLabel + name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip' enableDefaultTelemetry: enableReferencedModulesTelemetry location: location - lock: lock + lock: publicIPAddressObject.?lock ?? lock + diagnosticSettings: publicIPAddressObject.?diagnosticSettings + publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? publicIPAddressObject.publicIPAddressVersion : 'IPv4' publicIPAllocationMethod: 'Static' - publicIPPrefixResourceId: publicIPPrefixResourceId - tags: tags + publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? publicIPAddressObject.publicIPPrefixResourceId : '' + roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : [] skuName: 'Standard' - zones: [ - '1' - '2' - '3' - ] + skuTier: contains(publicIPAddressObject, 'skuTier') ? publicIPAddressObject.skuTier : 'Regional' + tags: publicIPAddressObject.?tags ?? tags + zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : [] + } +}] + +module formattedPublicIpResourceIds 'modules/formatResourceId.bicep' = { + name: 'formattedPublicIpResourceIds' + params: { + generatedResourceIds: [for (obj, index) in (publicIPAddressObjects ?? 
[]): publicIPAddresses[index].outputs.resourceId] + providedResourceIds: publicIpResourceIds + } +} + +module publicIPPrefixes '../public-ip-prefix/main.bicep' = [for (publicIPPrefixObject, index) in (publicIPPrefixObjects ?? []): { + name: '${uniqueString(deployment().name, location)}-NatGw-Prefix-PIP-${index}' + params: { + name: contains(publicIPPrefixObject, 'name') ? publicIPPrefixObject.name : '${name}-pip' + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: location + lock: publicIPPrefixObject.?lock ?? lock + prefixLength: publicIPPrefixObject.prefixLength + customIPPrefix: publicIPPrefixObject.?customIPPrefix + roleAssignments: publicIPPrefixObject.?roleAssignments + tags: publicIPPrefixObject.?tags ?? tags + } +}] +module formattedPublicIpPrefixResourceIds 'modules/formatResourceId.bicep' = { + name: 'formattedPublicIpPrefixResourceIds' + params: { + generatedResourceIds: [for (obj, index) in (publicIPPrefixObjects ?? []): publicIPPrefixes[index].outputs.resourceId] + providedResourceIds: publicIPPrefixResourceIds + } } @@ -112,11 +121,10 @@ resource natGateway 'Microsoft.Network/natGateways@2023-04-01' = { } properties: { idleTimeoutInMinutes: idleTimeoutInMinutes - publicIpPrefixes: publicIPPrefixResourceIds - publicIpAddresses: publicIPAddressResourceIds + publicIpPrefixes: formattedPublicIpPrefixResourceIds.outputs.formattedResourceIds + publicIpAddresses: formattedPublicIpResourceIds.outputs.formattedResourceIds } zones: zones - dependsOn: [ publicIPAddress ] } resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index fbb649e498..9bc6c9a1c5 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json 
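Review bot: The two helper deployments are given fixed names, `name: 'formattedPublicIpResourceIds'` and `name: 'formattedPublicIpPrefixResourceIds'`, while every other module in this hunk derives its name from `uniqueString(deployment().name, location)`; two NAT gateway deployments of this module running in the same resource group would presumably contend for the same nested deployment name. Name them like the siblings, e.g. `name: '${uniqueString(deployment().name, location)}-NatGw-FmtPipIds'` and `name: '${uniqueString(deployment().name, location)}-NatGw-FmtPrefixIds'`. Separately, every object that omits `name` falls back to the same `'${name}-pip'` in both loops, so a second entry in `publicIPAddressObjects` without a name collides with the first on the Public IP resource name; including `index` in the fallback (e.g. `'${name}-pip-${index}'`) avoids that, and the prefix loop should use a prefix-specific suffix rather than `-pip`. Note also that created Public IPs are no longer pinned to zones `['1','2','3']` but default to `[]`, a behaviour change worth stating in the README.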
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6841733296045395553" + "templateHash": "11905897400304782014" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", 
@@ -225,46 +225,32 @@ "description": "Optional. The idle timeout of the NAT gateway." } }, - "natGatewayPublicIpAddress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use to have a new Public IP Address created for the NAT Gateway." - } - }, - "natGatewayPipName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name." - } - }, - "publicIPPrefixResourceId": { - "type": "string", - "defaultValue": "", + "publicIpResourceIds": { + "type": "array", + "defaultValue": [], "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." + "description": "Optional. Existing Public IP Address resource IDs to use for the NAT Gateway." } }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", + "publicIPPrefixResourceIds": { + "type": "array", + "defaultValue": [], "metadata": { - "description": "Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com." + "description": "Optional. Existing Public IP Prefixes resource IDs to use for the NAT Gateway." } }, - "publicIpAddresses": { + "publicIPAddressObjects": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { - "description": "Optional. Existing Public IP Address resource names to use for the NAT Gateway." + "description": "Optional. Specifies the properties of the Public IPs to create and be used by the NAT Gateway." } }, - "publicIpPrefixes": { + "publicIPPrefixObjects": { "type": "array", - "defaultValue": [], + "nullable": true, "metadata": { - "description": "Optional. Existing Public IP Prefixes resource names to use for the NAT Gateway." + "description": "Optional. 
Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway." } }, "zones": { @@ -300,12 +286,6 @@ "description": "Optional. Tags for the resource." } }, - "publicIpDiagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the Public IP." - } - }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, @@ -315,22 +295,6 @@ } }, "variables": { - "copy": [ - { - "name": "publicIPPrefixResourceIds", - "count": "[length(parameters('publicIpPrefixes'))]", - "input": { - "id": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('publicIpPrefixes')[copyIndex('publicIPPrefixResourceIds')])]" - } - }, - { - "name": "publicIPAddressResourceIds", - "count": "[length(parameters('publicIpAddresses'))]", - "input": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddresses')[copyIndex('publicIPAddressResourceIds')])]" - } - } - ], "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -367,12 +331,13 @@ }, "properties": { "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "publicIpPrefixes": "[variables('publicIPPrefixResourceIds')]", - "publicIpAddresses": "[variables('publicIPAddressResourceIds')]" + "publicIpPrefixes": "[reference('formattedPublicIpPrefixResourceIds').outputs.formattedResourceIds.value]", + "publicIpAddresses": "[reference('formattedPublicIpResourceIds').outputs.formattedResourceIds.value]" }, "zones": "[parameters('zones')]", "dependsOn": [ - "publicIPAddress" + "formattedPublicIpPrefixResourceIds", + "formattedPublicIpResourceIds" ] }, "natGateway_lock": { 
@@ -411,24 +376,21 @@ "natGateway" ] }, - "publicIPAddress": { - "condition": "[parameters('natGatewayPublicIpAddress')]", + "publicIPAddresses": { + "copy": { + "name": "publicIPAddresses", + "count": "[length(coalesce(parameters('publicIPAddressObjects'), createArray()))]" + }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-NatGateway-PIP', uniqueString(deployment().name, parameters('location')))]", + "name": "[format('{0}-NatGw-PIP-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "name": "[if(not(empty(parameters('natGatewayPipName'))), createObject('value', parameters('natGatewayPipName')), createObject('value', format('{0}-pip', parameters('name'))))]", - "diagnosticSettings": { - "value": "[parameters('publicIpDiagnosticSettings')]" - }, - "domainNameLabel": { - "value": "[parameters('domainNameLabel')]" - }, + "name": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, 
@@ -436,27 +398,25 @@ "value": "[parameters('location')]" }, "lock": { - "value": "[parameters('lock')]" + "value": "[coalesce(tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "diagnosticSettings": { + "value": "[tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'diagnosticSettings')]" }, + "publicIPAddressVersion": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'publicIPAddressVersion'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].publicIPAddressVersion), createObject('value', 'IPv4'))]", "publicIPAllocationMethod": { "value": "Static" }, - "publicIPPrefixResourceId": { - "value": "[parameters('publicIPPrefixResourceId')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, + "publicIPPrefixResourceId": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'publicIPPrefixResourceId'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].publicIPPrefixResourceId), createObject('value', ''))]", + "roleAssignments": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'roleAssignments'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].roleAssignments), createObject('value', createArray()))]", "skuName": { "value": "Standard" }, - "zones": { - "value": [ - "1", - "2", - "3" - ] - } + "skuTier": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'skuTier'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].skuTier), createObject('value', 'Regional'))]", + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "zones": 
"[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'zones'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].zones), createObject('value', createArray()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -955,6 +915,439 @@ } } } + }, + "formattedPublicIpResourceIds": { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "formattedPublicIpResourceIds", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "generatedResourceIds": { + "copy": [ + { + "name": "value", + "count": "[length(coalesce(parameters('publicIPAddressObjects'), createArray()))]", + "input": "[reference(format('publicIPAddresses[{0}]', copyIndex('value'))).outputs.resourceId.value]" + } + ] + }, + "providedResourceIds": { + "value": "[parameters('publicIpResourceIds')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "311381109175947078" + } + }, + "parameters": { + "generatedResourceIds": { + "type": "array", + "defaultValue": [] + }, + "providedResourceIds": { + "type": "array", + "defaultValue": [] + } + }, + "resources": [], + "outputs": { + "formattedResourceIds": { + "type": "array", + "copy": { + "count": "[length(concat(parameters('generatedResourceIds'), parameters('providedResourceIds')))]", + "input": { + "id": "[concat(parameters('generatedResourceIds'), parameters('providedResourceIds'))[copyIndex()]]" + } + } + } + } + } + }, + "dependsOn": [ + "publicIPAddresses" + ] + }, + "publicIPPrefixes": { + "copy": { + "name": "publicIPPrefixes", + "count": "[length(coalesce(parameters('publicIPPrefixObjects'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NatGw-Prefix-PIP-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": 
"[if(contains(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + }, + "prefixLength": { + "value": "[coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()].prefixLength]" + }, + "customIPPrefix": { + "value": "[tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'customIPPrefix')]" + }, + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "12289116883631984029" + }, + "name": "Public IP Prefixes", + "description": "This module deploys a Public IP Prefix.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." 
+ } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Required. Name of the Public IP Prefix." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." 
+ } + }, + "prefixLength": { + "type": "int", + "minValue": 28, + "maxValue": 31, + "metadata": { + "description": "Required. Length of the Public IP Prefix." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "customIPPrefix": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "defaultTelemetry": { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + "publicIpPrefix": { + "type": "Microsoft.Network/publicIPPrefixes", + "apiVersion": "2023-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "Standard" + }, + "properties": { + "customIPPrefix": "[if(not(empty(parameters('customIPPrefix'))), parameters('customIPPrefix'), null())]", + "publicIPAddressVersion": "IPv4", + "prefixLength": "[parameters('prefixLength')]" + } + }, + "publicIpPrefix_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), 
not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "publicIpPrefix" + ] + }, + "publicIpPrefix_roleAssignments": { + "copy": { + "name": "publicIpPrefix_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "publicIpPrefix" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the public IP prefix." + }, + "value": "[resourceId('Microsoft.Network/publicIPPrefixes', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the public IP prefix was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the public IP prefix." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference('publicIpPrefix', '2023-04-01', 'full').location]" + } + } + } + } + }, + "formattedPublicIpPrefixResourceIds": { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "formattedPublicIpPrefixResourceIds", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "generatedResourceIds": { + "copy": [ + { + "name": "value", + "count": "[length(coalesce(parameters('publicIPPrefixObjects'), createArray()))]", + "input": "[reference(format('publicIPPrefixes[{0}]', copyIndex('value'))).outputs.resourceId.value]" + } + ] + }, + "providedResourceIds": { + "value": "[parameters('publicIPPrefixResourceIds')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "311381109175947078" + } + }, + "parameters": { + "generatedResourceIds": { + "type": "array", + "defaultValue": [] + }, + "providedResourceIds": { + "type": "array", + "defaultValue": [] + } + }, + "resources": [], + "outputs": { + "formattedResourceIds": { + "type": "array", + "copy": { + "count": "[length(concat(parameters('generatedResourceIds'), parameters('providedResourceIds')))]", + "input": { + "id": "[concat(parameters('generatedResourceIds'), parameters('providedResourceIds'))[copyIndex()]]" + } + } + } + } + } + }, + "dependsOn": [ + "publicIPPrefixes" + ] } }, "outputs": { diff --git a/modules/network/nat-gateway/modules/formatResourceId.bicep b/modules/network/nat-gateway/modules/formatResourceId.bicep new file mode 100644 index 0000000000..b4aa1ad772 --- /dev/null +++ b/modules/network/nat-gateway/modules/formatResourceId.bicep 
@@ -0,0 +1,6 @@
+param generatedResourceIds array = []
+param providedResourceIds array = []
+
+output formattedResourceIds array = [for resourceId in concat(generatedResourceIds, providedResourceIds): {
+ id: resourceId
+}]
From e30d766ad320e6ffad065f18f0aff14fd6b09b4a Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Tue, 31 Oct 2023 23:00:06 +0000
Subject: [PATCH 076/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index b7919c2559..3202938379 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -103,7 +103,7 @@ This section provides an overview of the library's feature set.
 | 88 | network
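Review bot: Neither parameter nor the output in the new formatResourceId.bicep carries a `@description` decorator, while every parameter and type member elsewhere in this series does, so the generated README will list `generatedResourceIds`, `providedResourceIds` and `formattedResourceIds` with empty description cells. Adding `@description('Optional. Resource IDs produced by the deployment that should be included in the output.')` above the first parameter, `@description('Optional. Resource IDs supplied by the caller that should be included in the output.')` above the second, and `@description('The combined resource IDs formatted as `{ id: <resourceId> }` objects.')` above the output would bring the file in line with the rest of the library. The loop variable `resourceId` also shadows Bicep's built-in `resourceId()` function; the compiled main.json in this same commit shows the module builds, but I believe any later call to that function inside this file would then have to be written as `sys.resourceId()`, so a name such as `for resId in concat(...)` with `id: resId` is safer.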

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | | | | | | 100 | | 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | | | | | [L1:2] | 272 | | 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | | | | | | 120 | -| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | | | | | | 181 | +| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | | | | | [L1:1] | 191 | | 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | | | | | | 198 | | 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | | | | | [L1:4, L2:2, L3:1] | 165 | | 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | | | | | [L1:1] | 188 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 444 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 275 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 240 | 29467 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29477 | ## Legend From 227791d5e87223cac382fe2c34433e4d150920f2 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 2 Nov 2023 09:21:10 +1300 Subject: [PATCH 077/178] [Modules] Private Endpoint User Defined Type Bug (ipConfigurations and customDnsConfigs) (#4167) --- .../configuration-store/README.md | 32 +- .../configuration-store/main.bicep | 19 +- .../configuration-store/main.json | 121 +++++- .../automation/automation-account/README.md | 32 +- .../automation/automation-account/main.bicep | 19 +- .../automation/automation-account/main.json | 121 +++++- modules/batch/batch-account/README.md | 32 +- modules/batch/batch-account/main.bicep | 19 +- modules/batch/batch-account/main.json | 121 +++++- modules/cache/redis-enterprise/README.md | 32 +- modules/cache/redis-enterprise/main.bicep | 19 +- modules/cache/redis-enterprise/main.json | 121 +++++- modules/cache/redis/README.md | 32 +- modules/cache/redis/main.bicep | 19 +- modules/cache/redis/main.json | 121 +++++- modules/cognitive-services/account/README.md | 32 +- modules/cognitive-services/account/main.bicep | 19 +- modules/cognitive-services/account/main.json | 121 +++++- modules/container-registry/registry/README.md | 32 +- .../container-registry/registry/main.bicep | 19 +- modules/container-registry/registry/main.json | 121 +++++- modules/data-factory/factory/README.md | 32 +- modules/data-factory/factory/main.bicep | 19 +- modules/data-factory/factory/main.json | 121 +++++- modules/databricks/workspace/README.md | 32 +- modules/databricks/workspace/main.bicep | 19 +- modules/databricks/workspace/main.json | 121 +++++- .../digital-twins-instance/README.md | 32 +- .../digital-twins-instance/main.bicep | 19 +- .../digital-twins-instance/main.json | 121 +++++- .../document-db/database-account/README.md | 32 +- .../document-db/database-account/main.bicep | 19 +- .../document-db/database-account/main.json | 121 +++++- modules/event-grid/domain/README.md | 32 +- modules/event-grid/domain/main.bicep | 19 +- modules/event-grid/domain/main.json | 121 
+++++- modules/event-grid/topic/README.md | 32 +- modules/event-grid/topic/main.bicep | 19 +- modules/event-grid/topic/main.json | 121 +++++- modules/event-hub/namespace/README.md | 32 +- modules/event-hub/namespace/main.bicep | 19 +- modules/event-hub/namespace/main.json | 121 +++++- modules/insights/private-link-scope/README.md | 32 +- .../insights/private-link-scope/main.bicep | 19 +- modules/insights/private-link-scope/main.json | 121 +++++- .../key-vault/vault/.test/pe/main.test.bicep | 18 + modules/key-vault/vault/README.md | 68 +++- modules/key-vault/vault/main.bicep | 19 +- modules/key-vault/vault/main.json | 121 +++++- .../workspace/README.md | 16 +- .../workspace/main.bicep | 8 +- .../workspace/main.json | 96 ++++- modules/network/application-gateway/README.md | 32 +- .../network/application-gateway/main.bicep | 19 +- modules/network/application-gateway/main.json | 121 +++++- .../.test/common/main.test.bicep | 8 + modules/network/private-endpoint/README.md | 58 +++ modules/network/private-endpoint/main.bicep | 31 +- modules/network/private-endpoint/main.json | 73 +++- modules/purview/account/main.json | 367 +++++++++++++++++- modules/recovery-services/vault/README.md | 32 +- modules/recovery-services/vault/main.bicep | 19 +- modules/recovery-services/vault/main.json | 121 +++++- modules/relay/namespace/README.md | 32 +- modules/relay/namespace/main.bicep | 19 +- modules/relay/namespace/main.json | 121 +++++- modules/search/search-service/README.md | 32 +- modules/search/search-service/main.bicep | 19 +- modules/search/search-service/main.json | 121 +++++- modules/service-bus/namespace/README.md | 32 +- modules/service-bus/namespace/main.bicep | 19 +- modules/service-bus/namespace/main.json | 121 +++++- modules/signal-r-service/signal-r/README.md | 32 +- modules/signal-r-service/signal-r/main.bicep | 19 +- modules/signal-r-service/signal-r/main.json | 121 +++++- .../signal-r-service/web-pub-sub/README.md | 32 +- .../signal-r-service/web-pub-sub/main.bicep 
| 19 +- .../signal-r-service/web-pub-sub/main.json | 121 +++++- modules/sql/server/README.md | 32 +- modules/sql/server/main.bicep | 19 +- modules/sql/server/main.json | 121 +++++- modules/storage/storage-account/README.md | 32 +- modules/storage/storage-account/main.bicep | 19 +- modules/storage/storage-account/main.json | 121 +++++- modules/synapse/private-link-hub/README.md | 32 +- modules/synapse/private-link-hub/main.bicep | 19 +- modules/synapse/private-link-hub/main.json | 121 +++++- modules/synapse/workspace/README.md | 32 +- modules/synapse/workspace/main.bicep | 19 +- modules/synapse/workspace/main.json | 121 +++++- modules/web/site/README.md | 32 +- modules/web/site/main.bicep | 19 +- modules/web/site/main.json | 242 ++++++++++-- modules/web/site/slot/README.md | 32 +- modules/web/site/slot/main.bicep | 19 +- modules/web/site/slot/main.json | 121 +++++- modules/web/static-site/README.md | 32 +- modules/web/static-site/main.bicep | 19 +- modules/web/static-site/main.json | 121 +++++- 99 files changed, 4930 insertions(+), 1062 deletions(-) diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index d03eb95d57..5ad6d20623 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md 
@@ -833,14 +833,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -868,26 +874,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 5d1521e212..54abbcefaa 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -311,16 +311,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index 1063e16033..ca7d97bad1 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6136989204056808614" + "templateHash": "14821162059319342865" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", 
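Review bot: The new decorator `@description('Required. Fqdn that resolves to private endpoint ip address.')` is placed on `fqdn: string?`, a nullable member, so the text contradicts the type; the regenerated README in this same commit consequently prints "Required: No" directly under "Required. Fqdn …" for that property. The rest of the library appears to use the prefix to mirror nullability (`Optional.` on `customDnsConfigs … []?`, `Required.` on `ipAddresses: string[]`), so this should read `@description('Optional. Fqdn that resolves to private endpoint ip address.')`. Separately, replacing the flat `groupId`/`memberName`/`privateIpAddress` members with a nested `properties` object and renaming the address field to `privateIPAddress` changes the public shape of `privateEndpointType.ipConfigurations`, so any consumer still passing the flat form will now fail Bicep type checking; if that is intended, it is worth recording as a breaking change in the module version/changelog rather than only as a bug fix. The enclosing `type privateEndpointType` begins before this hunk and continues after it.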
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -900,7 +926,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -997,6 +1023,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1033,7 +1124,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1086,7 +1177,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1153,7 +1244,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index b43abe1289..82ca64d9a4 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -948,14 +948,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -983,26 +989,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index c65959f494..1f5fc86dad 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep 
@@ -455,16 +455,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 16af89f8b9..0a2a91c660 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14935357028056674724" + "templateHash": "7186571646898746589" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", 
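Review bot: As in the configuration-store module, `@description('Required. Fqdn that resolves to private endpoint ip address.')` here decorates `fqdn: string?`, which is nullable, so the description and the type disagree and the README generated for this module in the same commit reports both "Required: No" and "Required. Fqdn …" for the field; the prefix should be `Optional.`. Since this type block is duplicated verbatim across the private-endpoint-capable modules in this commit, the correction is best applied at whatever source these copies are taken from rather than per module. The new nested `properties` shape and the `privateIpAddress` → `privateIPAddress` rename are a breaking change for callers of `ipConfigurations` that used the old flat members, which is not visible from the commit title alone. The enclosing `type privateEndpointType` starts before and ends after this hunk.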
@@ -182,12 +182,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -203,16 +209,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -2448,7 +2474,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2545,6 +2571,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2581,7 +2672,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2634,7 +2725,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2701,7 +2792,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 10407c5c7d..2714264c03 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -738,14 +738,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -773,26 +779,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index 38306efc50..dc5bad992d 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep 
@@ -321,16 +321,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index 3e0eebcb72..e44f57e23f 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8281874211111057324" + "templateHash": "4335449072974068086" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", 
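Review bot: The decorator `@description('Required. Fqdn that resolves to private endpoint ip address.')` on `fqdn: string?` mislabels an optional member as required, and the batch-account README regenerated in this commit shows the resulting contradiction ("Required: No" beneath a description that starts with "Required."); it should read `@description('Optional. Fqdn that resolves to private endpoint ip address.')`. This is the same copy of the type that appears in the configuration-store and automation-account hunks, so all three copies carry the same defect. The reshaping of `ipConfigurations` items into `name` plus a nested `properties` object (with `privateIPAddress` replacing `privateIpAddress`) is a type-level breaking change for existing callers and deserves a note in the module's changelog. The enclosing `type privateEndpointType` is cut at both edges of this hunk.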
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -763,7 +789,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -860,6 +886,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -896,7 +987,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -949,7 +1040,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -1016,7 +1107,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 8343cc8262..27838446ca 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -655,14 +655,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -690,26 +696,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index ed004ca936..3e0d3f4b72 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep 
@@ -257,16 +257,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index 5fc8d2bf7c..440a5b45e5 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2411064933627030246" + "templateHash": "10802158443173953602" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -868,7 +894,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -965,6 +991,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1001,7 +1092,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1054,7 +1145,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1121,7 +1212,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 9f468d7f98..340e8ae943 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -570,14 +570,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -605,26 +611,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index af3b549ba9..edcb269196 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep 
@@ -324,16 +324,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index fa2e2fe2d9..4d5ef453b0 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "9496315762768268" + "templateHash": "14680360433148567844" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -766,7 +792,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -863,6 +889,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -899,7 +990,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -952,7 +1043,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -1019,7 +1110,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 4d85e5be23..3ee839e1e7 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -870,14 +870,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -905,26 +911,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index d610ca257a..2e1586eec9 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep 
@@ -387,16 +387,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index edead294ff..7921180ab2 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4580837563605630694" + "templateHash": "17007188729160940142" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -851,7 +877,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -948,6 +974,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -984,7 +1075,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1037,7 +1128,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1104,7 +1195,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 27720aff64..85c2a389ff 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -933,14 +933,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -968,26 +974,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index bcd5d249c5..e5fe2166d4 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -452,16 +452,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index f7d3b0e0b4..6470bbd3ca 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "4552885966837623579" + "templateHash": "14688875704864672455" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1431,7 +1457,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1528,6 +1554,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1564,7 +1655,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1617,7 +1708,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1684,7 +1775,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 8c0c5003d4..6a29414c72 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -723,14 +723,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -758,26 +764,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index ef4b508dae..381ed4e1db 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -330,16 +330,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index bbb370ff4e..aa193cadf8 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11806238755138054005" + "templateHash": "1415884638599377742" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1169,7 +1195,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1266,6 +1292,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1302,7 +1393,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1355,7 +1446,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1422,7 +1513,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 402bcdc57f..5faf2f642c 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -678,14 +678,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -713,26 +719,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index 1468f38d16..d0f262ea88 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep 
@@ -391,16 +391,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index ec49639153..69e194ad09 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "19156344202796197" + "templateHash": "1354063990980525308" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -802,7 +828,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -899,6 +925,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -935,7 +1026,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -988,7 +1079,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -1055,7 +1146,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 8b7a1480d9..6994d24ecb 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -505,14 +505,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -540,26 +546,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 8ff9c75278..6db0117957 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep 
@@ -285,16 +285,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index d770a0e408..166bf7d6ff 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "12569577248629110844" + "templateHash": "4900944127202083879" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1167,7 +1193,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1264,6 +1290,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1300,7 +1391,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1353,7 +1444,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1420,7 +1511,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index de51a3b003..4acd72bad8 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -1687,14 +1687,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -1722,26 +1728,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index ee19348385..0920e0acfa 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep 
@@ -417,16 +417,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 761eb727b6..3ada7183a7 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13265582198003672508" + "templateHash": "5728902559638159959" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
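Review bot: In the customDnsConfigs block the new decorator `@description('Required. Fqdn that resolves to private endpoint ip address.')` sits on `fqdn: string?`, which is still nullable, so the generated README for `privateEndpoints.customDnsConfigs.fqdn` now prints "Required: No" directly under a description that begins "Required."; either drop the `?` or change the text to `@description('Optional. Fqdn that resolves to private endpoint ip address.')`. The same mismatch is in the identical hunks of modules/event-grid/domain/main.bicep, modules/event-grid/topic/main.bicep and modules/event-hub/namespace/main.bicep. Separately, nesting `groupId`/`memberName` under `properties` and renaming `privateIpAddress` to `privateIPAddress` is a breaking change to the `privateEndpoints` parameter for existing callers of these modules, and nothing in the commit record says so; if the intent is to mirror the shape consumed by the nested private-endpoint module (not visible here), a one-line comment on `properties: {` stating that would save the next reader a lookup. The `privateEndpointType` definition starts outside the hunk.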
@@ -182,12 +182,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -203,16 +209,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1867,7 +1893,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1964,6 +1990,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2000,7 +2091,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2053,7 +2144,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2120,7 +2211,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 636322d154..aa3844ddc3 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -585,14 +585,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -620,26 +626,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep index 4e5e97ad29..4652a9ba5c 100644 --- a/modules/event-grid/domain/main.bicep +++ b/modules/event-grid/domain/main.bicep 
@@ -235,16 +235,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index c605dc1497..f5177ce8ca 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18074779137586977163" + "templateHash": "1947450144883968914" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -745,7 +771,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -842,6 +868,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -878,7 +969,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -931,7 +1022,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -998,7 +1089,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 8f7c1adab0..4160d34110 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -618,14 +618,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -653,26 +659,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep index 4e996d59a5..9f249e8028 100644 --- a/modules/event-grid/topic/main.bicep +++ b/modules/event-grid/topic/main.bicep 
@@ -237,16 +237,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json index 52eebfaa89..79653c975b 100644 --- a/modules/event-grid/topic/main.json +++ b/modules/event-grid/topic/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17629869517360394667" + "templateHash": "17269173170243707502" }, "name": "Event Grid Topics", "description": "This module deploys an Event Grid Topic.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -822,7 +848,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -919,6 +945,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -955,7 +1046,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1008,7 +1099,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1075,7 +1166,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index bb1a32227b..c4ceb8149a 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -1061,14 +1061,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -1096,26 +1102,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index f7ec5002f5..bc4eb48806 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep 
@@ -413,16 +413,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index ea70a72f71..eebb91f004 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14752778402428640491" + "templateHash": "6601963948564613336" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1963,7 +1989,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2060,6 +2086,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2096,7 +2187,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2149,7 +2240,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -2216,7 +2307,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
index 0f6c7ba546..e17d4049a3 100644
--- a/modules/insights/private-link-scope/README.md
+++ b/modules/insights/private-link-scope/README.md
@@ -305,14 +305,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -340,26 +346,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
index a21a5f25c8..608103ca13 100644
--- a/modules/insights/private-link-scope/main.bicep
+++ b/modules/insights/private-link-scope/main.bicep
@@ -181,16 +181,29 @@ type privateEndpointType = {
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
index 63675293c1..78639b2628 100644
--- a/modules/insights/private-link-scope/main.json
+++ b/modules/insights/private-link-scope/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "10939592682328481507"
+ "templateHash": "17458207121236197041"
 },
 "name": "Azure Monitor Private Link Scopes",
 "description": "This module deploys an Azure Monitor Private Link Scope.",
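Review bot: The description added to `fqdn` states "Required." while the property stays optional (`fqdn: string?`), so the generated README now prints "Required: No" next to a "Required. Fqdn …" description; either change the text to `@description('Optional. Fqdn that resolves to private endpoint ip address.')` or make the property `fqdn: string` if it really is mandatory. The same mismatch appears in the key-vault/vault and network/application-gateway main.bicep hunks of this commit. Moving `groupId`, `memberName` and `privateIpAddress` under `properties` and renaming the last to `privateIPAddress` changes the public shape of `privateEndpointType`, so callers still passing the flat form will fail compilation; a version bump or changelog entry is not visible in this part of the diff and seems worth adding. The `privateEndpointType` definition starts before the hunk.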
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -573,7 +599,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -670,6 +696,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -706,7 +797,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -759,7 +850,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -826,7 +917,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep
index bfa8636faa..31787cf5d0 100644
--- a/modules/key-vault/vault/.test/pe/main.test.bicep
+++ b/modules/key-vault/vault/.test/pe/main.test.bicep
@@ -103,6 +103,24 @@ module testDeployment '../../main.bicep' = {
 name: 'dep-${namePrefix}-pe-${serviceShort}'
 service: 'vault'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ ipConfigurations: [
+ {
+ name: 'myIPconfig'
+ properties: {
+ groupId: 'vault'
+ memberName: 'default'
+ privateIPAddress: '10.0.0.10'
+ }
+ }
+ ]
+ customDnsConfigs: [
+ {
+ fqdn: 'abc.keyvault.com'
+ ipAddresses: [
+ '10.0.0.10'
+ ]
+ }
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 5645f22dd2..06c82b8121 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -627,6 +627,24 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 }
 privateEndpoints: [
 {
+ customDnsConfigs: [
+ {
+ fqdn: 'abc.keyvault.com'
+ ipAddresses: [
+ '10.0.0.10'
+ ]
+ }
+ ]
+ ipConfigurations: [
+ {
+ name: 'myIPconfig'
+ properties: {
+ groupId: 'vault'
+ memberName: 'default'
+ privateIPAddress: '10.0.0.10'
+ }
+ }
+ ]
 name: 'dep-pe-kvvpe'
 privateDnsZoneResourceIds: [
 ''
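Review bot: The test hard-codes `privateIPAddress: '10.0.0.10'` and repeats the same address in `customDnsConfigs.ipAddresses`, but nothing in the hunk ties it to the subnet behind `nestedDependencies.outputs.subnetResourceId`; if that dependency's address range ever changes, the deployment is likely to fail with an error that does not point back here. A comment such as `// 10.0.0.10 must lie inside the subnet deployed by nestedDependencies` (or deriving the value from that module's outputs if it exposes the prefix) would make the coupling explicit. `fqdn: 'abc.keyvault.com'` is evidently a sample value; a short comment saying so keeps readers from treating it as a real zone. The same applies to the `customDnsConfigs` block added in modules/network/private-endpoint/.test/common/main.test.bicep.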
@@ -711,6 +729,24 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
 "privateEndpoints": {
 "value": [
 {
+ "customDnsConfigs": [
+ {
+ "fqdn": "abc.keyvault.com",
+ "ipAddresses": [
+ "10.0.0.10"
+ ]
+ }
+ ],
+ "ipConfigurations": [
+ {
+ "name": "myIPconfig",
+ "properties": {
+ "groupId": "vault",
+ "memberName": "default",
+ "privateIPAddress": "10.0.0.10"
+ }
+ }
+ ],
 "name": "dep-pe-kvvpe",
 "privateDnsZoneResourceIds": [
 ""
@@ -1047,14 +1083,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -1082,26 +1124,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index 178a8067d7..1917a0e8ec 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -349,16 +349,29 @@ type privateEndpointType = {
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index e36848e797..f074992132 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "13347839852828986726"
+ "templateHash": "3329640314478719515"
 },
 "name": "Key Vaults",
 "description": "This module deploys a Key Vault.",
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1483,7 +1509,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1580,6 +1606,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1616,7 +1707,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1669,7 +1760,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -1736,7 +1827,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 8bb70f240e..a9c2927fb7 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -910,26 +910,16 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
 | [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
-
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
-
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | |
 
 ### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep
index 59ba8665c4..61a0422c1d 100644
--- a/modules/machine-learning-services/workspace/main.bicep
+++ b/modules/machine-learning-services/workspace/main.bicep
@@ -374,9 +374,11 @@ type privateEndpointType = {
 @sys.description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+ properties: {
+ groupId: string
+ memberName: string
+ privateIPAddress: string
+ }
 }[]?
 
 @sys.description('Optional. Application security groups in which the private endpoint IP configuration is included.')
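Review bot: The new `properties` object and its `groupId`, `memberName` and `privateIPAddress` fields carry no `@sys.description` decorators, unlike the equivalent change in the other modules of this commit, so the generated README rows for `name` and `properties` in the hunk above stay blank. Adding `@sys.description('Required. Properties of private endpoint IP configurations.')` to `properties`, and the matching `Required.` descriptions to `name` and the three nested fields, would bring this module in line with the others. The `privateEndpointType` definition starts before the hunk.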
diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index 237cec9f6b..03013e4d23 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1113315079349561542" + "templateHash": "8299613323505664553" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -205,14 +205,19 @@ "name": { "type": "string" }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" - }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string" + }, + "memberName": { + "type": "string" + }, + "privateIPAddress": { + "type": "string" + } + } } } }, @@ -1078,7 +1083,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1175,6 +1180,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1211,7 +1281,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1264,7 +1334,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -1331,7 +1401,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md
index f429cc90cb..7e83ee7762 100644
--- a/modules/network/application-gateway/README.md
+++ b/modules/network/application-gateway/README.md
@@ -1378,14 +1378,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -1413,26 +1419,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
index 1eb87c7cb8..c789cca2f4 100644
--- a/modules/network/application-gateway/main.bicep
+++ b/modules/network/application-gateway/main.bicep
@@ -442,16 +442,29 @@ type privateEndpointType = {
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json
index 6fbae8639c..8c35bd62ee 100644
--- a/modules/network/application-gateway/main.json
+++ b/modules/network/application-gateway/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "11405752898435177586"
+ "templateHash": "7630119371655185477"
 },
 "name": "Network Application Gateways",
 "description": "This module deploys a Network Application Gateway.",
@@ -174,12 +174,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -195,16 +201,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -925,7 +951,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1022,6 +1048,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1058,7 +1149,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1111,7 +1202,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1178,7 +1269,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/.test/common/main.test.bicep index a5f036c296..3728621b84 100644 --- a/modules/network/private-endpoint/.test/common/main.test.bicep +++ b/modules/network/private-endpoint/.test/common/main.test.bicep @@ -84,6 +84,14 @@ module testDeployment '../../main.bicep' = { } } ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic' applicationSecurityGroupResourceIds: [ nestedDependencies.outputs.applicationSecurityGroupResourceId diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index c9dfacedfe..56b8d770c6 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -56,6 +56,14 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { applicationSecurityGroupResourceIds: [ '' ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] customNetworkInterfaceName: 'npecom001nic' enableDefaultTelemetry: '' ipConfigurations: [ 
@@ -124,6 +132,16 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { "" ] }, + "customDnsConfigs": { + "value": [ + { + "fqdn": "abc.keyvault.com", + "ipAddresses": [ + "10.0.0.10" + ] + } + ] + }, "customNetworkInterfaceName": { "value": "npecom001nic" }, @@ -281,6 +299,26 @@ Custom DNS configurations. - Required: No - Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`fqdn`](#parameter-customdnsconfigsfqdn) | Yes | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-customdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | + +### Parameter: `customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + +- Required: Yes +- Type: string + +### Parameter: `customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + +- Required: Yes +- Type: array + ### Parameter: `customNetworkInterfaceName` The custom name of the network interface attached to the private endpoint. @@ -306,6 +344,26 @@ A list of IP configurations of the private endpoint. This will be used to map to - Required: No - Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`name`](#parameter-ipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-ipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | + +### Parameter: `ipConfigurations.name` + +Required. The name of the resource that is unique within a resource group. + +- Required: Yes +- Type: string + +### Parameter: `ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + +- Required: Yes +- Type: object + ### Parameter: `location` Location for all Resources. 
diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index f5df07a07b..be29744cd6 100644 --- a/modules/network/private-endpoint/main.bicep +++ b/modules/network/private-endpoint/main.bicep @@ -18,7 +18,7 @@ param applicationSecurityGroupResourceIds array? param customNetworkInterfaceName string? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') -param ipConfigurations array? +param ipConfigurations ipConfigurationsType? @description('Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to.') param groupIds array @@ -42,7 +42,7 @@ param roleAssignments roleAssignmentType param tags object? @description('Optional. Custom DNS configurations.') -param customDnsConfigs array? +param customDnsConfigs customDnsConfigType? @description('Optional. Manual PrivateLink Service Connections.') param manualPrivateLinkServiceConnections array? @@ -85,7 +85,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { applicationSecurityGroups: [for applicationSecurityGroupResourceId in (applicationSecurityGroupResourceIds ?? []): { id: applicationSecurityGroupResourceId }] - customDnsConfigs: customDnsConfigs ?? [] + customDnsConfigs: customDnsConfigs customNetworkInterfaceName: customNetworkInterfaceName ?? '' ipConfigurations: ipConfigurations ?? [] manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections ?? [] 
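Review bot: `customDnsConfigs: customDnsConfigs` drops the `?? []` fallback while `ipConfigurations: ipConfigurations ?? []` two lines below keeps it, so the two optional array parameters are now handled asymmetrically: as far as I can tell a null `customDnsConfigs` omits the property from the resource body, whereas a null `ipConfigurations` still sends an empty array. If the omission is deliberate (for instance because an explicit empty list is treated differently by the service), record it on the line, `customDnsConfigs: customDnsConfigs // intentionally not defaulted to []; null omits the property`; otherwise restore `customDnsConfigs: customDnsConfigs ?? []` for consistency with the neighbouring properties. The compiled main.json copies on this page carry the same asymmetry (`"[parameters('customDnsConfigs')]"` next to `"[coalesce(parameters('ipConfigurations'), createArray())]"`), so the bicep change is the place to settle it. The enclosing `resource privateEndpoint` block runs past the hunk.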
@@ -183,3 +183,28 @@ type lockType = { @description('Optional. Specify the type of lock.') kind: ('CanNotDelete' | 'ReadOnly' | 'None')? }? + +type ipConfigurationsType = { + @description('Required. The name of the resource that is unique within a resource group.') + name: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } +}[]? + +type customDnsConfigType = { + @description('Required. Fqdn that resolves to private endpoint ip address.') + fqdn: string + + @description('Required. A list of private ip addresses of the private endpoint.') + ipAddresses: string[] +}[]? diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index a4b1899571..9b9e3e9991 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
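Review bot: The new `ipConfigurationsType` is a breaking change for existing callers that nothing on this page documents: `groupId`, `memberName` and `privateIpAddress` move under a nested `properties` object and the last is renamed `privateIPAddress`, so inputs in the previous flat shape are now rejected by the type checker instead of being passed through. The nesting presumably mirrors the resource provider's own schema, which makes the change correct, but the migration should be stated; add a comment above the type, e.g. `// Breaking: entries now nest groupId/memberName/privateIPAddress under 'properties' (previously flat, with 'privateIpAddress')`, and reflect it in the module's version bump. Consider also `@minLength(1)` on `ipAddresses` in `customDnsConfigType`, since an empty address list for a custom DNS entry is almost certainly a caller mistake and the type currently accepts it silently.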
@@ -103,6 +103,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -139,7 +204,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -192,7 +257,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -259,7 +324,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index 52549f6f1f..6a680ef25a 100644 --- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1750298366145145282" + "templateHash": "16148547066067055796" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -492,7 +492,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -589,6 +589,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -625,7 +690,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -678,7 +743,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -745,7 +810,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", @@ -1025,7 +1090,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1122,6 +1187,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1158,7 +1288,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1211,7 +1341,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1278,7 +1408,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", @@ -1558,7 +1688,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1655,6 +1785,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1691,7 +1886,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1744,7 +1939,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1811,7 +2006,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", @@ -2091,7 +2286,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2188,6 +2383,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2224,7 +2484,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2277,7 +2537,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2344,7 +2604,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", @@ -2624,7 +2884,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2721,6 +2981,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2757,7 +3082,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2810,7 +3135,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2877,7 +3202,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index fe12831915..d7783e35d4 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -1237,14 +1237,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -1272,26 +1278,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index 16168ce0ba..4c2854b7be 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep 
@@ -359,16 +359,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index a2d52cb3e7..f4abe4bc08 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17885378476178029351" + "templateHash": "13132437763223032101" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -2255,7 +2281,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2352,6 +2378,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2388,7 +2479,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2441,7 +2532,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2508,7 +2599,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index d4cf7ea214..9b74d98e40 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -726,14 +726,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -761,26 +767,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index 301d7d956d..44102bc7d9 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep 
@@ -320,16 +320,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index 8fbf5d13f5..5a8cbf13bf 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17919201326260317269" + "templateHash": "16883030415068323871" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", 
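Review bot: `fqdn: string?` stays nullable while its new decorator reads `@description('Required. Fqdn that resolves to private endpoint ip address.')`, and the regenerated README in this same commit now shows both "Required: No" and "Required. Fqdn …" for that one property; the prefix should follow the type, e.g. `@description('Optional. Fqdn that resolves to private endpoint ip address.')`, or the property should become `fqdn: string` if a config entry without an FQDN is never valid. The identical hunks in modules/search/search-service/main.bicep, modules/service-bus/namespace/main.bicep and modules/signal-r-service/signal-r/main.bicep carry the same mismatch. Nesting `groupId`/`memberName` under `properties` and renaming `privateIpAddress` to `privateIPAddress` changes the shape callers must pass for `ipConfigurations`, so a sentence in the `ipConfigurations` description or the changelog saying the former flat form no longer type-checks would help consumers of this type. The nested private-endpoint module's own source presumably changed as well (its templateHash moves and the main.json hunks drop the `coalesce(parameters('customDnsConfigs'), createArray())` wrapper while `ipConfigurations` keeps it), but that file is not in this diff, so whether a null `customDnsConfigs` is accepted downstream cannot be confirmed here. `privateEndpointType` starts before and continues past this hunk.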
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1834,7 +1860,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1931,6 +1957,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1967,7 +2058,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2020,7 +2111,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2087,7 +2178,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index c7adce3abd..418ef12836 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -705,14 +705,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -740,26 +746,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep index 004714ae74..4806de883c 100644 --- a/modules/search/search-service/main.bicep +++ b/modules/search/search-service/main.bicep 
@@ -318,16 +318,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 895ff66987..9d48759634 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16977539745468752400" + "templateHash": "14644923243501961437" }, "name": "Search Services", "description": "This module deploys a Search Service.", 
@@ -173,12 +173,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -194,16 +200,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -712,7 +738,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -809,6 +835,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -845,7 +936,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -898,7 +989,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -965,7 +1056,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 2aaebcf0c7..31dd9b5520 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -1133,14 +1133,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -1168,26 +1174,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index da8dd5b8bf..ad86360a7d 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep 
@@ -459,16 +459,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index eb70f4dfeb..dcf89241ef 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "18136363667820640336" + "templateHash": "17643203096817666176" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -2486,7 +2512,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2583,6 +2609,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2619,7 +2710,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2672,7 +2763,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2739,7 +2830,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index aae17d50ed..9f30391a84 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -488,14 +488,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -523,26 +529,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index 23f6aaca41..bb0bf8acab 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep 
@@ -290,16 +290,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index a842ad77f2..f9728a1078 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1214561796520796276" + "templateHash": "14653714394608163039" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", 
@@ -160,12 +160,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -181,16 +187,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -622,7 +648,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -719,6 +745,71 @@
 }
 },
 "nullable": true
+ },
+ "ipConfigurationsType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "customDnsConfigType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "fqdn": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
+ },
+ "ipAddresses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -755,7 +846,7 @@
 }
 },
 "ipConfigurations": {
- "type": "array",
+ "$ref": "#/definitions/ipConfigurationsType",
 "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
@@ -808,7 +899,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -875,7 +966,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md
index 63e9aa3529..c43ff344a2 100644
--- a/modules/signal-r-service/web-pub-sub/README.md
+++ b/modules/signal-r-service/web-pub-sub/README.md
@@ -545,14 +545,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -580,26 +586,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep
index 93a0247790..2bc0931bec 100644
--- a/modules/signal-r-service/web-pub-sub/main.bicep
+++ b/modules/signal-r-service/web-pub-sub/main.bicep
@@ -270,16 +270,29 @@ type privateEndpointType = {
 
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json
index 9decb0dc2e..cef0813fb3 100644
--- a/modules/signal-r-service/web-pub-sub/main.json
+++ b/modules/signal-r-service/web-pub-sub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "12680610655362641595"
+ "templateHash": "9907983186275243362"
 },
 "name": "SignalR Web PubSub Services",
 "description": "This module deploys a SignalR Web PubSub Service.",
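Review bot: `fqdn: string?` stays nullable while the decorator added above it reads `@description('Required. Fqdn that resolves to private endpoint ip address.')`, so the "Required." prefix that the README generator keys on disagrees with the type — the same commit's README hunk for this property shows "Required: No" under a "Required." sentence. Change it to `@description('Optional. Fqdn that resolves to private endpoint ip address.')`, or remove the `?` if an FQDN-less DNS entry is never valid. Nesting `groupId`, `memberName` and the renamed `privateIPAddress` under `properties` is a compile-time breaking change for any caller of `privateEndpoints.ipConfigurations` built against the old flat shape; that is preferable to silently ignored fields, but it warrants a note in the module's changelog, which is not part of this hunk. The enclosing `type privateEndpointType` starts and ends outside the hunk.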
@@ -183,12 +183,18 @@
 "properties": {
 "fqdn": {
 "type": "string",
- "nullable": true
+ "nullable": true,
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
 },
 "ipAddresses": {
 "type": "array",
 "items": {
 "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
 }
 }
 }
@@ -204,16 +210,36 @@
 "type": "object",
 "properties": {
 "name": {
- "type": "string"
- },
- "groupId": {
- "type": "string"
- },
- "memberName": {
- "type": "string"
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
 },
- "privateIpAddress": {
- "type": "string"
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
 }
 }
 },
@@ -581,7 +607,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16178508232344722616"
+ "templateHash": "12078057657290521609"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -678,6 +704,71 @@
 }
 },
 "nullable": true
+ },
+ "ipConfigurationsType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "customDnsConfigType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "fqdn": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
+ },
+ "ipAddresses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -714,7 +805,7 @@
 }
 },
 "ipConfigurations": {
- "type": "array",
+ "$ref": "#/definitions/ipConfigurationsType",
 "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
@@ -767,7 +858,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -834,7 +925,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 239660e8da..61cb2e2366 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -967,14 +967,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -1002,26 +1008,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep
index fa6063ee6e..512607268e 100644
--- a/modules/sql/server/main.bicep
+++ b/modules/sql/server/main.bicep
@@ -416,16 +416,29 @@ type privateEndpointType = {
 
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 286074e2f6..3e8afbccff 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "4565599506408192920"
+ "templateHash": "9390814497684000194"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
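Review bot: The "Required." prefix in the decorator added on `fqdn` does not match its nullable type `string?`; in this repository that prefix drives the generated README, and the README hunk for `privateEndpoints.customDnsConfigs.fqdn` in this same commit now prints "Required: No" directly under a sentence that begins "Required.". Use `@description('Optional. Fqdn that resolves to private endpoint ip address.')` here, or make the field `fqdn: string` if the private endpoint always needs an FQDN for a custom DNS entry. The restructuring of `ipConfigurations` (nesting under `properties`, `privateIpAddress` renamed to `privateIPAddress`) breaks existing callers at type-check time rather than at deploy time, which is the right place to fail, but the hunk shows no accompanying version or changelog entry flagging the break. `type privateEndpointType` is cut off at both ends of this hunk.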
@@ -183,12 +183,18 @@
 "properties": {
 "fqdn": {
 "type": "string",
- "nullable": true
+ "nullable": true,
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
 },
 "ipAddresses": {
 "type": "array",
 "items": {
 "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
 }
 }
 }
@@ -204,16 +210,36 @@
 "type": "object",
 "properties": {
 "name": {
- "type": "string"
- },
- "groupId": {
- "type": "string"
- },
- "memberName": {
- "type": "string"
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
 },
- "privateIpAddress": {
- "type": "string"
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
 }
 }
 },
@@ -1672,7 +1698,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16178508232344722616"
+ "templateHash": "12078057657290521609"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1769,6 +1795,71 @@
 }
 },
 "nullable": true
+ },
+ "ipConfigurationsType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "customDnsConfigType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "fqdn": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
+ },
+ "ipAddresses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -1805,7 +1896,7 @@
 }
 },
 "ipConfigurations": {
- "type": "array",
+ "$ref": "#/definitions/ipConfigurationsType",
 "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
@@ -1858,7 +1949,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -1925,7 +2016,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 856962bbaf..5413d63959 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -1600,14 +1600,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -1635,26 +1641,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
index 8dbf5b6599..0bdcd02d3a 100644
--- a/modules/storage/storage-account/main.bicep
+++ b/modules/storage/storage-account/main.bicep
@@ -540,16 +540,29 @@ type privateEndpointType = {
 
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index 3b1c5cfd2e..91ade8e95f 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "8645368819124015994"
+ "templateHash": "12032978716554990629"
 },
 "name": "Storage Accounts",
 "description": "This module deploys a Storage Account.",
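Review bot: In the `customDnsConfigs` type the decorator `@description('Required. Fqdn that resolves to private endpoint ip address.')` is placed on a nullable member, `fqdn: string?`, so the documented requiredness and the type disagree; the storage-account README hunk in this commit shows the visible result, "Required: No" beneath a "Required." description. The one-line fix is `@description('Optional. Fqdn that resolves to private endpoint ip address.')`, unless the intent is that `fqdn` is mandatory, in which case the `?` should go instead. Separately, moving `groupId`/`memberName`/`privateIPAddress` into a nested `properties` object and changing the casing from `privateIpAddress` is an interface break for `privateEndpoints.ipConfigurations` consumers; Bicep's type checker will reject old-shape inputs at build time, which is fine, but the hunk does not show the module version or changelog being updated to say so. `type privateEndpointType` continues beyond both edges of this hunk.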
@@ -182,12 +182,18 @@
 "properties": {
 "fqdn": {
 "type": "string",
- "nullable": true
+ "nullable": true,
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
 },
 "ipAddresses": {
 "type": "array",
 "items": {
 "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
 }
 }
 }
@@ -203,16 +209,36 @@
 "type": "object",
 "properties": {
 "name": {
- "type": "string"
- },
- "groupId": {
- "type": "string"
- },
- "memberName": {
- "type": "string"
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
 },
- "privateIpAddress": {
- "type": "string"
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
 }
 }
 },
@@ -934,7 +960,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "16178508232344722616"
+ "templateHash": "12078057657290521609"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1031,6 +1057,71 @@
 }
 },
 "nullable": true
+ },
+ "ipConfigurationsType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the resource that is unique within a resource group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "groupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "memberName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. A private ip address obtained from the private endpoint's subnet."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. Properties of private endpoint IP configurations."
+ }
+ }
+ }
+ },
+ "nullable": true
+ },
+ "customDnsConfigType": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "fqdn": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Fqdn that resolves to private endpoint ip address."
+ }
+ },
+ "ipAddresses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "metadata": {
+ "description": "Required. A list of private ip addresses of the private endpoint."
+ }
+ }
+ }
+ },
+ "nullable": true
 }
 },
 "parameters": {
@@ -1067,7 +1158,7 @@
 }
 },
 "ipConfigurations": {
- "type": "array",
+ "$ref": "#/definitions/ipConfigurationsType",
 "nullable": true,
 "metadata": {
 "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
@@ -1120,7 +1211,7 @@
 }
 },
 "customDnsConfigs": {
- "type": "array",
+ "$ref": "#/definitions/customDnsConfigType",
 "nullable": true,
 "metadata": {
 "description": "Optional. Custom DNS configurations."
@@ -1187,7 +1278,7 @@
 }
 }
 ],
- "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]",
+ "customDnsConfigs": "[parameters('customDnsConfigs')]",
 "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]",
 "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]",
 "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]",
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index fc6c154677..5b93aa7a33 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -313,14 +313,20 @@ Optional. Custom DNS configurations.
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
+| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+Required. Fqdn that resolves to private endpoint ip address.
+
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+
+Required. A list of private ip addresses of the private endpoint.
+
 - Required: Yes
 - Type: array
 
@@ -348,26 +354,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used
 
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | |
-| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | |
-| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | |
+| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
+| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
 
-### Parameter: `privateEndpoints.ipConfigurations.groupId`
-- Required: Yes
-- Type: string
+### Parameter: `privateEndpoints.ipConfigurations.name`
 
-### Parameter: `privateEndpoints.ipConfigurations.memberName`
-- Required: Yes
-- Type: string
+Required. The name of the resource that is unique within a resource group.
 
-### Parameter: `privateEndpoints.ipConfigurations.name`
 - Required: Yes
 - Type: string
 
-### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress`
+### Parameter: `privateEndpoints.ipConfigurations.properties`
+
+Required. Properties of private endpoint IP configurations.
+
 - Required: Yes
-- Type: string
+- Type: object
 
 ### Parameter: `privateEndpoints.location`
 
diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep
index 703fe86f23..8329852e52 100644
--- a/modules/synapse/private-link-hub/main.bicep
+++ b/modules/synapse/private-link-hub/main.bicep
@@ -169,16 +169,29 @@ type privateEndpointType = {
 
 @description('Optional. Custom DNS configurations.')
 customDnsConfigs: {
+ @description('Required. Fqdn that resolves to private endpoint ip address.')
 fqdn: string?
+
+ @description('Required. A list of private ip addresses of the private endpoint.')
 ipAddresses: string[]
 }[]?
 
 @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
 ipConfigurations: {
+ @description('Required. The name of the resource that is unique within a resource group.')
 name: string
- groupId: string
- memberName: string
- privateIpAddress: string
+
+ @description('Required. Properties of private endpoint IP configurations.')
+ properties: {
+ @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
+ groupId: string
+
+ @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
+ memberName: string
+
+ @description('Required. A private ip address obtained from the private endpoint\'s subnet.')
+ privateIPAddress: string
+ }
 }[]?
 
 @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
index a69dbc2793..d58383f3f8 100644
--- a/modules/synapse/private-link-hub/main.json
+++ b/modules/synapse/private-link-hub/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "684659786245480339"
+ "templateHash": "9045040601435756592"
 },
 "name": "Azure Synapse Analytics",
 "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
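Review bot: `fqdn: string?` is declared nullable but the decorator added on it says `@description('Required. Fqdn that resolves to private endpoint ip address.')`; the "Required."/"Optional." prefix is what the README generator emits, and the synapse README hunk in this commit shows the contradiction as "Required: No" under a "Required." sentence. Replace it with `@description('Optional. Fqdn that resolves to private endpoint ip address.')`, or drop the `?` if an FQDN is genuinely mandatory for every custom DNS entry. The nested `properties { groupId, memberName, privateIPAddress }` shape and the `privateIpAddress` → `privateIPAddress` rename break the prior `privateEndpoints.ipConfigurations` contract; callers fail at Bicep type-check rather than silently losing the IP binding, which is the right outcome, but it should be recorded as a breaking change, and nothing in the hunk shows that. `type privateEndpointType` begins before and ends after this hunk.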
@@ -159,12 +159,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -180,16 +186,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -441,7 +467,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -538,6 +564,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -574,7 +665,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." @@ -627,7 +718,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." 
@@ -694,7 +785,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 57e6c09409..03be99bf42 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -866,14 +866,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -901,26 +907,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 68ff4b3558..5b2eac3596 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -374,16 +374,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index 7f66fe19ae..6a13d3b652 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1529722820399903843" + "templateHash": "15444302507528482650" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", 
@@ -159,12 +159,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -180,16 +186,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1116,7 +1142,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1213,6 +1239,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1249,7 +1340,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1302,7 +1393,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1369,7 +1460,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 8cabfb7b27..72196fd504 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -1260,14 +1260,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -1295,26 +1301,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 49f99a9ebb..b2ac05d214 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep 
@@ -473,16 +473,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 9ccef83733..72f1e89be2 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16422154168736567404" + "templateHash": "3962832552855663187" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1179,7 +1205,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2776575331575111691" + "templateHash": "842322474793993092" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -1356,12 +1382,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -1377,16 +1409,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -2499,7 +2551,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2596,6 +2648,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -2632,7 +2749,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -2685,7 +2802,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -2752,7 +2869,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", @@ -3357,7 +3474,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -3454,6 +3571,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -3490,7 +3672,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -3543,7 +3725,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -3610,7 +3792,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 1769b4cec1..58f9042431 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -465,14 +465,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -500,26 +506,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 6909c7040f..e3366e3150 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep 
@@ -406,16 +406,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index a5e671ef73..8a8395995a 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2776575331575111691" + "templateHash": "842322474793993092" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", 
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1326,7 +1352,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1423,6 +1449,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1459,7 +1550,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1512,7 +1603,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1579,7 +1670,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index c499a7a46a..ad975c5f2f 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -468,14 +468,20 @@ Optional. Custom DNS configurations. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | ### Parameter: `privateEndpoints.customDnsConfigs.fqdn` + +Required. Fqdn that resolves to private endpoint ip address. + - Required: No - Type: string ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` + +Required. A list of private ip addresses of the private endpoint. + - Required: Yes - Type: array 
@@ -503,26 +509,22 @@ Optional. A list of IP configurations of the private endpoint. This will be used | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationsgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationsmembername) | Yes | string | | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`privateIpAddress`](#parameter-privateendpointsipconfigurationsprivateipaddress) | Yes | string | | +| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | -### Parameter: `privateEndpoints.ipConfigurations.groupId` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.ipConfigurations.name` -### Parameter: `privateEndpoints.ipConfigurations.memberName` -- Required: Yes -- Type: string +Required. The name of the resource that is unique within a resource group. -### Parameter: `privateEndpoints.ipConfigurations.name` - Required: Yes - Type: string -### Parameter: `privateEndpoints.ipConfigurations.privateIpAddress` +### Parameter: `privateEndpoints.ipConfigurations.properties` + +Required. Properties of private endpoint IP configurations. + - Required: Yes -- Type: string +- Type: object ### Parameter: `privateEndpoints.location` diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 160cdf3082..990e85fc4a 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep 
@@ -307,16 +307,29 @@ type privateEndpointType = { @description('Optional. Custom DNS configurations.') customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint ip address.') fqdn: string? + + @description('Required. A list of private ip addresses of the private endpoint.') ipAddresses: string[] }[]? @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') name: string - groupId: string - memberName: string - privateIpAddress: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private ip address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } }[]? @description('Optional. Application security groups in which the private endpoint IP configuration is included.') diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index b56be52ddb..e42e784d34 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17501728288699973579" + "templateHash": "2662580552466474915" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
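Review bot: The same contradiction appears in this copy of the type: `@description('Required. Fqdn that resolves to private endpoint ip address.')` decorates `fqdn: string?`, so the decorator claims the field is required while the `?` makes it optional, and the static-site README regenerated in this patch prints `Required: No` beneath a description starting with "Required." If the field is meant to stay optional, `@description('Optional. Fqdn that resolves to private endpoint ip address.')` is the one-line fix; otherwise the `?` should go, but that would reject any custom DNS entry lacking an fqdn. Separately, nesting `groupId`/`memberName`/`privateIpAddress` under a new `properties` object and renaming the last one to `privateIPAddress` changes the shape callers must pass for `privateEndpoints.ipConfigurations`, so any existing parameter file using the flat form will now fail type validation; that looks worth calling out as a breaking change in the module's changelog or PR description. `privateEndpointType` starts before and ends after this hunk.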
@@ -183,12 +183,18 @@ "properties": { "fqdn": { "type": "string", - "nullable": true + "nullable": true, + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } }, "ipAddresses": { "type": "array", "items": { "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." } } } @@ -204,16 +210,36 @@ "type": "object", "properties": { "name": { - "type": "string" - }, - "groupId": { - "type": "string" - }, - "memberName": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } }, - "privateIpAddress": { - "type": "string" + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } } } }, @@ -1114,7 +1140,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "16178508232344722616" + "templateHash": "12078057657290521609" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1211,6 +1237,71 @@ } }, "nullable": true + }, + "ipConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private ip address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + } + }, + "nullable": true + }, + "customDnsConfigType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "metadata": { + "description": "Required. Fqdn that resolves to private endpoint ip address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private ip addresses of the private endpoint." + } + } + } + }, + "nullable": true } }, "parameters": { @@ -1247,7 +1338,7 @@ } }, "ipConfigurations": { - "type": "array", + "$ref": "#/definitions/ipConfigurationsType", "nullable": true, "metadata": { "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." 
@@ -1300,7 +1391,7 @@ } }, "customDnsConfigs": { - "type": "array", + "$ref": "#/definitions/customDnsConfigType", "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." @@ -1367,7 +1458,7 @@ } } ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", From 8252c32e8b5a251f429fad97c8c2ba8b552c81cf Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Wed, 1 Nov 2023 20:22:03 +0000 Subject: [PATCH 078/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 64 +++++++++++----------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 3202938379..f41b098cbb 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -16,7 +16,7 @@ This section provides an overview of the library's feature set. | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | | | | | | 251 | | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | | | | | | 170 | | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | | | | | [L1:11, L2:3] | 455 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 309 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 318 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | | 211 | | 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | | 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | | 163 | @@ -27,12 +27,12 @@ This section provides an overview of the library's feature set. | 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 443 | -| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 317 | -| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 318 | -| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 268 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 452 | +| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 326 | +| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 327 | +| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 277 | | 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | | | | | [L1:6, L2:4] | 220 | -| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | | 379 | +| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | | 388 | | 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | | | | | | 111 | | 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | | | | | | 218 | | 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | | | | | [L1:1] | 168 | @@ -44,12 +44,12 @@ This section provides an overview of the library's feature set. | 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | | | | | [L1:1] | 611 | | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | | 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | | 167 | -| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 434 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 443 | | 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:1] | 668 | -| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 322 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 331 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:1] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | | 110 | -| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 376 | +| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 385 | | 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:3] | 374 | | 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:4] | 370 | | 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | | | | | [L1:1] | 191 | @@ -57,12 +57,12 @@ This section provides an overview of the library's feature set. | 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | | 200 | | 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | | | | | | 161 | | 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:6, L2:1] | 304 | -| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:3] | 292 | -| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:3, L2:3] | 404 | -| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:1] | 248 | +| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:3] | 301 | +| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:3, L2:3] | 413 | +| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:1] | 257 | | 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:1] | 197 | -| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:1] | 252 | -| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 401 | +| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:1] | 261 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 410 | | 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | | 116 | | 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:3, L2:1] | 195 | | 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | | | | | | 115 | @@ -72,20 +72,20 @@ This section provides an overview of the library's feature set. | 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | | | | | | 129 | | 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | | 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | | | | | | 152 | -| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:1] | 172 | +| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:1] | 181 | | 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | | | | | | 136 | | 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:3] | 347 | +| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:3] | 356 | | 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | | 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | | | | | | 231 | -| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 356 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 358 | | 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | | | | | | 136 | | 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | | | | | [L1:1] | 113 | | 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | | 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | | 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | | | | | [L1:1, L2:1] | 151 | -| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | | | | | | 420 | +| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | | | | | | 429 | | 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | | | | | | 47 | | 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | | | | | | 94 | | 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | | | | :white_check_mark: | | 316 | @@ -109,7 +109,7 @@ This section provides an overview of the library's feature set. | 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | | | | | [L1:1] | 188 | | 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | | | | | [L1:2] | 129 | | 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | | | | | [L1:9] | 226 | -| 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 149 | +| 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 168 | | 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | | | | | | 121 | | 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | | | | | | 214 | | 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | | | | | | 109 | @@ -127,30 +127,30 @@ This section provides an overview of the library's feature set. | 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | | 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | | | | | | 133 | | 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | | | | | | 315 | -| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | | | | | [L1:7, L2:2, L3:2] | 355 | -| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | | | | | [L1:4, L2:2] | 330 | +| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | | | | | [L1:7, L2:2, L3:2] | 364 | +| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | | | | | [L1:4, L2:2] | 339 | | 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | | | | | | 101 | | 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | | | | | | 132 | | 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | | | | | [L1:1] | 101 | | 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | | | | | [L1:2] | 54 | -| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:1] | 318 | +| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:1] | 327 | | 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 445 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 454 | | 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | | | | | [L1:1] | 312 | -| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | | 268 | -| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | | 244 | +| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | | 277 | +| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | | 253 | | 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:6, L2:3] | 373 | -| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:8, L2:3] | 380 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 504 | -| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | | 162 | -| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 355 | +| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:8, L2:3] | 389 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 513 | +| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | | 171 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 364 | | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | | 216 | | 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | | 118 | | 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:2] | 262 | | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | -| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 444 | -| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 275 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29477 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 453 | +| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 284 |
+| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29759 |
 ## Legend
From a52ab4238476edeb1bafd2d1901d6ca2e9fa085f Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Wed, 1 Nov 2023 22:40:25 +0100
Subject: [PATCH 079/178] [Utilities] Enabled expansion of child properties in ReadME (#4175)
* Update to latest
* Regenerated docs
---
 .../configuration-store/README.md | 28 +++++++++++++++++++
 .../automation/automation-account/README.md | 28 +++++++++++++++++++
 modules/batch/batch-account/README.md | 28 +++++++++++++++++++
 modules/cache/redis-enterprise/README.md | 28 +++++++++++++++++++
 modules/cache/redis/README.md | 28 +++++++++++++++++++
 modules/cognitive-services/account/README.md | 28 +++++++++++++++++++
 modules/container-registry/registry/README.md | 28 +++++++++++++++++++
 modules/data-factory/factory/README.md | 28 +++++++++++++++++++
 modules/databricks/workspace/README.md | 28 +++++++++++++++++++
 .../digital-twins-instance/README.md | 28 +++++++++++++++++++
 .../document-db/database-account/README.md | 28 +++++++++++++++++++
 modules/event-grid/domain/README.md | 28 +++++++++++++++++++
 modules/event-grid/topic/README.md | 28 +++++++++++++++++++
 modules/event-hub/namespace/README.md | 28 +++++++++++++++++++
 modules/insights/private-link-scope/README.md | 28 +++++++++++++++++++
 modules/key-vault/vault/README.md | 28 +++++++++++++++++++
 .../workspace/README.md | 19 +++++++++++++
 modules/network/application-gateway/README.md | 28 +++++++++++++++++++
 modules/network/private-endpoint/README.md | 28 +++++++++++++++++++
 modules/recovery-services/vault/README.md | 28 +++++++++++++++++++
 modules/relay/namespace/README.md | 28 +++++++++++++++++++
 modules/search/search-service/README.md | 28 +++++++++++++++++++
 modules/service-bus/namespace/README.md | 28 +++++++++++++++++++
 modules/signal-r-service/signal-r/README.md | 28 +++++++++++++++++++
 .../signal-r-service/web-pub-sub/README.md | 28 +++++++++++++++++++
 modules/sql/server/README.md | 28 +++++++++++++++++++
 modules/storage/storage-account/README.md | 28 +++++++++++++++++++
 modules/synapse/private-link-hub/README.md | 28 +++++++++++++++++++
 modules/synapse/workspace/README.md | 28 +++++++++++++++++++
 modules/web/site/README.md | 28 +++++++++++++++++++
 modules/web/site/slot/README.md | 28 +++++++++++++++++++
 modules/web/static-site/README.md | 28 +++++++++++++++++++
 .../sharedScripts/Set-ModuleReadMe.ps1 | 3 ++
 33 files changed, 890 insertions(+)
diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md
index 5ad6d20623..cb805dd2ec 100644
--- a/modules/app-configuration/configuration-store/README.md
+++ b/modules/app-configuration/configuration-store/README.md
@@ -891,6 +891,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md
index 82ca64d9a4..26fb4ade02 100644
--- a/modules/automation/automation-account/README.md
+++ b/modules/automation/automation-account/README.md
@@ -1006,6 +1006,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index 2714264c03..968d2b7b7b 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -796,6 +796,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md
index 27838446ca..eb95ab1946 100644
--- a/modules/cache/redis-enterprise/README.md
+++ b/modules/cache/redis-enterprise/README.md
@@ -713,6 +713,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md
index 340e8ae943..ec7076e7cc 100644
--- a/modules/cache/redis/README.md
+++ b/modules/cache/redis/README.md
@@ -628,6 +628,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md
index 3ee839e1e7..88f881fde6 100644
--- a/modules/cognitive-services/account/README.md
+++ b/modules/cognitive-services/account/README.md
@@ -928,6 +928,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md
index 85c2a389ff..4f7663a06d 100644
--- a/modules/container-registry/registry/README.md
+++ b/modules/container-registry/registry/README.md
@@ -991,6 +991,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index 6a29414c72..c65c7a02e6 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -781,6 +781,34 @@ Required. Properties of private endpoint IP configurations.
 - Required: Yes
 - Type: object
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
+| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+
+Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+
+Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+
+Required. A private ip address obtained from the private endpoint's subnet.
+
+- Required: Yes
+- Type: string
+
+
 ### Parameter: `privateEndpoints.location`
diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md
index 5faf2f642c..bcf15863ba 100644
--- a/modules/databricks/workspace/README.md
+++ b/modules/databricks/workspace/README.md
@@ -736,6 +736,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 6994d24ecb..7f256381d1 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md 
@@ -563,6 +563,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 4acd72bad8..aa4a162a2c 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md 
@@ -1745,6 +1745,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index aa3844ddc3..bf1d4cbf98 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md 
@@ -643,6 +643,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 4160d34110..b030a3e3fb 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md 
@@ -676,6 +676,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index c4ceb8149a..b231ea9619 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md 
@@ -1119,6 +1119,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index e17d4049a3..1b6bf1ad3b 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md 
@@ -363,6 +363,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 06c82b8121..86286a9daa 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md 
@@ -1141,6 +1141,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index a9c2927fb7..3dc1a08e10 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md 
@@ -921,6 +921,25 @@ Optional. A list of IP configurations of the private endpoint. This will be used - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 7e83ee7762..537f6059d0 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md 
@@ -1436,6 +1436,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 56b8d770c6..c051e314b3 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md 
@@ -364,6 +364,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-ipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-ipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-ipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `location` Location for all Resources. diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index d7783e35d4..dbc5f018a3 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md 
@@ -1295,6 +1295,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 9b74d98e40..8266783dca 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md 
@@ -784,6 +784,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 418ef12836..80e140f944 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md 
@@ -763,6 +763,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 31dd9b5520..76336df69c 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md 
@@ -1191,6 +1191,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 9f30391a84..e7156a5cbe 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md 
@@ -546,6 +546,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index c43ff344a2..c0d2652156 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md 
@@ -603,6 +603,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 61cb2e2366..57fbcd7a99 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md 
@@ -1025,6 +1025,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 5413d63959..b1cece3b7a 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md 
@@ -1658,6 +1658,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 5b93aa7a33..ab5d11e2d5 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md 
@@ -371,6 +371,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 03be99bf42..d51d7c2797 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md 
@@ -924,6 +924,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 72196fd504..201862080b 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -1318,6 +1318,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 58f9042431..e929296684 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md 
@@ -523,6 +523,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index ad975c5f2f..cc22765503 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md 
@@ -526,6 +526,34 @@ Required. Properties of private endpoint IP configurations. - Required: Yes - Type: object +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | +| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | +| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | + +### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` + +Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` + +Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` + +Required. A private ip address obtained from the private endpoint's subnet. + +- Required: Yes +- Type: string + + ### Parameter: `privateEndpoints.location` diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 5d80020522..404fdf259c 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 
@@ -446,6 +446,9 @@ function Set-DefinitionSection { if ($parameterValue.ContainsKey('items') -and $parameterValue['items'].ContainsKey('properties')) { $childProperties = $parameterValue['items']['properties'] $listSectionContent += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink + } elseif ($parameterValue.type -eq 'object' -and $parameterValue['properties']) { + $childProperties = $parameterValue['properties'] + $listSectionContent += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink } } From 249fbc4a5660a641916295bb60e2afdac182650e Mon Sep 17 00:00:00 2001 
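Review bot: The new `elseif` branch probes the schema differently from the branch directly above it: the `items` branch uses `ContainsKey` at both levels, while the new one reads `$parameterValue.type` as a property and relies on the truthiness of `$parameterValue['properties']`, which is also true for an empty hashtable, so an object with an empty `properties` block recurses with nothing to render. `$parameterValue.ContainsKey('properties')` would match the sibling check, and `($parameterValue['properties'].Count -gt 0)` is the extra condition if empty blocks should be skipped as well. Since both branches end in the identical recursive call and differ only in where `$childProperties` is taken from, the two could each set `$childProperties` and share a single `$listSectionContent += Set-DefinitionSection ...` line after the `if`/`elseif`. The enclosing `Set-DefinitionSection` function starts and ends outside the hunk.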
From: Alexander Sehr Date: Wed, 1 Nov 2023 23:20:31 +0100 Subject: [PATCH 080/178] [Modules] Updated CMK to AVM specs (#4173) * Updated CMK for templates * Updated test case * Updated test case * Regenerated files --- .../.test/encr/main.test.bicep | 8 +- .../configuration-store/README.md | 94 +++++---- .../configuration-store/main.bicep | 49 +++-- .../configuration-store/main.json | 90 +++++---- .../.test/encr/main.test.bicep | 8 +- .../automation/automation-account/README.md | 72 ++++--- .../automation/automation-account/main.bicep | 54 +++-- .../automation/automation-account/main.json | 94 +++++---- .../.test/encr/main.test.bicep | 8 +- .../container-group/README.md | 79 ++++---- .../container-group/main.bicep | 50 +++-- .../container-group/main.json | 94 +++++---- .../registry/.test/encr/main.test.bicep | 8 +- modules/container-registry/registry/README.md | 72 ++++--- .../container-registry/registry/main.bicep | 49 +++-- modules/container-registry/registry/main.json | 90 +++++---- .../factory/.test/common/main.test.bicep | 8 +- modules/data-factory/factory/README.md | 72 ++++--- modules/data-factory/factory/main.bicep | 54 +++-- modules/data-factory/factory/main.json | 98 ++++++--- .../workspace/.test/common/main.test.bicep | 14 +- modules/databricks/workspace/README.md | 141 ++++++++----- modules/databricks/workspace/main.bicep | 94 +++++---- modules/databricks/workspace/main.json | 176 +++++++++------- .../.test/public/main.test.bicep | 16 +- .../db-for-my-sql/flexible-server/README.md | 190 ++++++++++-------- .../db-for-my-sql/flexible-server/main.bicep | 82 ++++---- .../db-for-my-sql/flexible-server/main.json | 157 ++++++++------- .../.test/public/main.test.bicep | 8 +- .../flexible-server/README.md | 99 +++++---- .../flexible-server/main.bicep | 48 +++-- .../flexible-server/main.json | 93 +++++---- .../namespace/.test/encr/main.test.bicep | 8 +- modules/event-hub/namespace/README.md | 72 ++++--- modules/event-hub/namespace/main.bicep | 52 +++-- 
modules/event-hub/namespace/main.json | 94 +++++---- .../workspace/.test/encr/main.test.bicep | 8 +- .../workspace/README.md | 77 ++++--- .../workspace/main.bicep | 52 +++-- .../workspace/main.json | 94 +++++---- .../namespace/.test/encr/main.test.bicep | 8 +- modules/service-bus/namespace/README.md | 72 ++++--- modules/service-bus/namespace/main.bicep | 52 +++-- modules/service-bus/namespace/main.json | 94 +++++---- .../.test/encr/main.test.bicep | 8 +- modules/storage/storage-account/README.md | 81 ++++---- modules/storage/storage-account/main.bicep | 56 ++++-- modules/storage/storage-account/main.json | 104 ++++++---- .../workspace/.test/encrwsai/main.test.bicep | 8 +- .../workspace/.test/encrwuai/main.test.bicep | 9 +- modules/synapse/workspace/README.md | 110 +++++----- modules/synapse/workspace/key/README.md | 5 +- modules/synapse/workspace/key/main.bicep | 14 +- modules/synapse/workspace/key/main.json | 7 +- modules/synapse/workspace/main.bicep | 75 ++++--- modules/synapse/workspace/main.json | 119 ++++++----- 56 files changed, 2047 insertions(+), 1501 deletions(-) diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep index 51e9ff0202..a0e639988a 100644 --- a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/.test/encr/main.test.bicep 
@@ -90,8 +90,10 @@ module testDeployment '../../main.bicep' = { Environment: 'Non-Prod' Role: 'DeploymentValidation' } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } } diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index cb805dd2ec..b7cd4a7c0d 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -224,10 +224,12 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor // Required parameters name: 'accencr001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' createMode: 'Default' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } disableLocalAuth: false enableDefaultTelemetry: '' enablePurgeProtection: false @@ -284,18 +286,16 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "value": "accencr001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, "createMode": { "value": "Default" }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, "disableLocalAuth": { "value": false }, 
@@ -512,20 +512,12 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Azure App Configuration. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`createMode`](#parameter-createmode) | string | Indicates whether the configuration store need to be recovered. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disables all authentication methods other than AAD authentication. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -541,47 +533,61 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `cMKKeyName` +### Parameter: `createMode` -The name of the customer managed key to use for encryption. +Indicates whether the configuration store need to be recovered. - Required: No - Type: string -- Default: `''` +- Default: `'Default'` +- Allowed: + ```Bicep + [ + 'Default' + 'Recover' + ] + ``` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. 
+ +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVaultResourceId` -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. - Required: No - Type: string -- Default: `''` -### Parameter: `createMode` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -Indicates whether the configuration store need to be recovered. - Required: No - Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'Recover' - ] - ``` ### Parameter: `diagnosticSettings` diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 54abbcefaa..4b902c8093 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -44,17 +44,8 @@ param publicNetworkAccess string = '' @maxValue(7) param softDeleteRetentionInDays int = 1 -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty.') -param cMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType @description('Optional. All Key / Values to create. Requires local authentication to be enabled.') param keyValues array = [] 
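Review bot: The one-line description `Optional. The customer managed key definition.` drops the note the removed `cMKUserAssignedIdentityResourceId` description carried, that the identity fetching the key must have key usage permissions on the Key Vault key, which is the requirement a CMK deployment most often fails on and the only place the reader was told about it. Suggest `@description('Optional. The customer managed key definition. The identity used to fetch the key (the user-assigned identity if given, otherwise the system-assigned identity) must have key usage permissions on the Key Vault key.')` here, and the same sentence on `userAssignedIdentityResourceId` in the new `customerManagedKeyType` added in the last hunk of this file, from which the README tables are generated. The fallback to the system-assigned identity is only implied by the type's "Required if no system assigned identity is available for use" wording, so confirm that is the intended contract before documenting it.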
@@ -110,18 +101,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { - name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))! - scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4]) +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 
'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) } resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = { @@ -136,10 +127,10 @@ resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2023 createMode: createMode disableLocalAuth: disableLocalAuth enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection - encryption: !empty(cMKKeyName) ? { + encryption: !empty(customerManagedKey) ? { keyVaultProperties: { - keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion - identityClientId: cMKUserAssignedIdentity.properties.clientId + keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + identityClientId: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.properties.clientId : null } } : null publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null 
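Review bot: With `keyVersion` omitted, `keyIdentifier` falls back to `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, which still pins the store to whichever key version is current at deployment time, so the `If not provided, using 'latest'` wording in `customerManagedKeyType` (last hunk of this file) and in the README overstates it: the version is resolved once at deployment, and a later key rotation in Key Vault only takes effect on redeployment. If automatic rotation is the intent and the service accepts a versionless identifier, `cMKKeyVault::cMKKey.properties.keyUri` would be the value to use when `keyVersion` is empty; if pinning is the intent, the description should read `If not provided, the key version current at deployment time is used.` Separately, `identityClientId` becomes `null` when no `userAssignedIdentityResourceId` is given, which relies on a system-assigned identity being enabled on the store and granted key permissions, and nothing in this hunk checks that; a comment on that line, `// null: the store falls back to its system-assigned identity, which must be enabled and have key usage permissions`, would save the next reader a failed deployment. The enclosing `configurationStore` resource starts and ends outside the hunk.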
@@ -395,3 +386,17 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index ca7d97bad1..d56245e7bf 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14821162059319342865" + "templateHash": "4494236567093935129" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", 
@@ -407,6 +407,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -486,32 +518,10 @@ "description": "Optional. The amount of time in days that the configuration store will be retained when it is soft deleted." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \"cMKKeyName\" is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if \"cMKKeyName\" is not empty." + "description": "Optional. The customer managed key definition." } }, "keyValues": { 
@@ -578,13 +588,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -604,22 +614,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" }, "cMKUserAssignedIdentity": { - "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", "existing": true, "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", - "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 
'//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "configurationStore": { "type": "Microsoft.AppConfiguration/configurationStores", @@ -635,7 +645,7 @@ "createMode": "[parameters('createMode')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", "enablePurgeProtection": "[if(equals(parameters('sku'), 'Free'), false(), parameters('enablePurgeProtection'))]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'identityClientId', reference('cMKUserAssignedIdentity').clientId)), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keyVaultProperties', createObject('keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'identityClientId', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()))), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), null())]", "softDeleteRetentionInDays": "[if(equals(parameters('sku'), 'Free'), 0, parameters('softDeleteRetentionInDays'))]" }, diff --git a/modules/automation/automation-account/.test/encr/main.test.bicep b/modules/automation/automation-account/.test/encr/main.test.bicep index 389ca3eae8..f417d2261d 100644 
--- a/modules/automation/automation-account/.test/encr/main.test.bicep +++ b/modules/automation/automation-account/.test/encr/main.test.bicep @@ -54,9 +54,11 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } managedIdentities: { userAssignedResourcesIds: [ nestedDependencies.outputs.managedIdentityResourceId diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 26fb4ade02..a2f5f9fd1f 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -510,9 +510,11 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' // Required parameters name: 'aaencr001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { userAssignedResourcesIds: [ 
@@ -540,14 +542,12 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "value": "aaencr001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" 
@@ -623,19 +623,11 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Automation Account. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disable local authentication profile used within the resource. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -656,33 +648,47 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | | [`variables`](#parameter-variables) | array | List of variables to be created in the automation account. | -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVersion` + +Optional. 
The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` ### Parameter: `diagnosticSettings` diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index 1f5fc86dad..69820ae56d 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep 
@@ -15,17 +15,8 @@ param location string = resourceGroup().location
 ])
 param skuName string = 'Basic'
 
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption.')
-param cMKKeyName string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
-param cMKKeyVersion string = ''
+@description('Optional. The customer managed key definition.')
+param customerManagedKey customerManagedKeyType
 
 @description('Optional. List of modules to be created in the automation account.')
 param modules array = []
@@ -116,15 +107,20 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
- scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+ name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+ scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
 
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+ name: customerManagedKey.?keyName ?? 'dummyKey'
 }
 }
 
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+ name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+ scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
+}
+
 resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
 name: name
 location: location
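Review bot: The nested `cMKKey` condition re-tests `!empty(customerManagedKey.?keyVaultResourceId)`, which the parent `cMKKeyVault` condition already imposes; the compiled main.json hunk shows the compiler prepending the parent condition anyway, yielding a doubled `and(...)`, so `existing = if (!empty(customerManagedKey.?keyName))` would read more clearly and gate the same way. The `.?` accessors and the `'dummyVault'`/`'dummyKey'`/`'dummyMsi'` fallbacks on fields the type declares as required exist only because `customerManagedKey` itself is nullable, which deserves a comment such as `// customerManagedKey is nullable: the dummy fallbacks keep these existing-resource lookups well-formed when no CMK is configured`. The same applies to the container-group main.bicep hunk `@@ -113,15 +104,20 @@`.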
@@ -134,15 +130,15 @@ resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08'
 sku: {
 name: skuName
 }
- encryption: !empty(cMKKeyName) ? {
+ encryption: !empty(customerManagedKey) ? {
 keySource: 'Microsoft.KeyVault'
- identity: {
- userAssignedIdentity: cMKUserAssignedIdentityResourceId
- }
+ identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
+ userAssignedIdentity: cMKUserAssignedIdentity.id
+ } : null
 keyVaultProperties: {
- keyName: cMKKeyName
+ keyName: customerManagedKey!.keyName
 keyVaultUri: cMKKeyVault.properties.vaultUri
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
+ keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
 }
 } : null
 publicNetworkAccess: !empty(publicNetworkAccess) ? (publicNetworkAccess == 'Disabled' ? false : true) : (!empty(privateEndpoints) ? false : null)
@@ -539,3 +535,17 @@ type diagnosticSettingType = {
 @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
 marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+ @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+ keyVaultResourceId: string
+
+ @description('Required. The name of the customer managed key to use for encryption.')
+ keyName: string
+
+ @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+ keyVersion: string?
+
+ @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+ userAssignedIdentityResourceId: string?
+}?
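Review bot: The `keyVersion` description in the new `customerManagedKeyType`, `If not provided, using 'latest'`, misdescribes what the `keyVersion:` line in the `encryption` block does: it resolves `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))` once at deployment and writes that fixed version into the resource, so a later key rotation is not reflected by this module until it is redeployed. Suggested wording: `@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest version available at deployment time is resolved and pinned.')`; the same text appears in the container-group type hunk `@@ -206,3 +202,17 @@` and in the README/main.json copies. Separately, when `userAssignedIdentityResourceId` is omitted the `identity` is set to `null` and, per the field's own description, a system-assigned identity is expected to be in use, yet nothing in this hunk checks that one is enabled through the module's `managedIdentities` parameter, so that misconfiguration surfaces only as a deployment-time error; naming that dependency in the `userAssignedIdentityResourceId` description would help callers. The `automationAccount` resource this hunk edits starts and ends outside the hunk.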
diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 0a2a91c660..09e14c3e3b 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7186571646898746589" + "templateHash": "11493438009443560879" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", @@ -406,6 +406,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -433,32 +465,10 @@ "description": "Optional. SKU name of the account." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." + "description": "Optional. The customer managed key definition." } }, "modules": { 
@@ -599,13 +609,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -625,13 +635,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "automationAccount": { "type": "Microsoft.Automation/automationAccounts", 
@@ -644,12 +663,13 @@ "sku": { "name": "[parameters('skuName')]" }, - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyVaultProperties', createObject('keyName', parameters('cMKKeyName'), 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyVaultProperties', createObject('keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), if(equals(parameters('publicNetworkAccess'), 'Disabled'), false(), true()), if(not(empty(parameters('privateEndpoints'))), false(), null()))]", "disableLocalAuth": "[parameters('disableLocalAuth')]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + 
"cMKUserAssignedIdentity" ] }, "automationAccount_lock": { diff --git a/modules/container-instance/container-group/.test/encr/main.test.bicep b/modules/container-instance/container-group/.test/encr/main.test.bicep index ade6cdb091..df9bcfd467 100644 --- a/modules/container-instance/container-group/.test/encr/main.test.bicep +++ b/modules/container-instance/container-group/.test/encr/main.test.bicep @@ -120,9 +120,11 @@ module testDeployment '../../main.bicep' = { nestedDependencies.outputs.managedIdentityResourceId ] } - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index f5d59c9161..342a9f3fc0 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -290,9 +290,11 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 ] name: 'cicgenc001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' ipAddressPorts: [ { 
@@ -388,14 +390,12 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "value": "cicgenc001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" @@ -797,7 +797,6 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | | [`ipAddressPorts`](#parameter-ipaddressports) | array | Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. | **Optional parameters** 
@@ -805,9 +804,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 | Parameter | Type | Description | | :-- | :-- | :-- | | [`autoGeneratedDomainNameLabelScope`](#parameter-autogenerateddomainnamelabelscope) | string | Specify level of protection of the domain name label. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`dnsNameLabel`](#parameter-dnsnamelabel) | string | The Dns name label for the resource. | | [`dnsNameServers`](#parameter-dnsnameservers) | array | List of dns servers used by the containers for lookups. | | [`dnsSearchDomains`](#parameter-dnssearchdomains) | string | DNS search domain which will be appended to each DNS lookup. | 
@@ -842,39 +839,53 @@ Specify level of protection of the domain name label. ] ``` -### Parameter: `cMKKeyName` +### Parameter: `containers` -The name of the customer managed key to use for encryption. -- Required: No -- Type: string -- Default: `''` +The containers and their respective config within the container group. +- Required: Yes +- Type: array -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey` -The resource ID of a key vault to reference a customer managed key for encryption from. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVaultResourceId` -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. 
+ +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` -### Parameter: `containers` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -The containers and their respective config within the container group. -- Required: Yes -- Type: array +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. + +- Required: No +- Type: string ### Parameter: `dnsNameLabel` diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep index e2dbd5acf4..07bf526131 100644 --- a/modules/container-instance/container-group/main.bicep +++ b/modules/container-instance/container-group/main.bicep 
@@ -82,17 +82,8 @@ param enableDefaultTelemetry bool = true ]) param sku string = 'Standard' -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') -param cMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } 
@@ -113,15 +104,20 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
- scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+ name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+ scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
 
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+ name: customerManagedKey.?keyName ?? 'dummyKey'
 }
 }
 
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+ name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+ scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
+}
+
 resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01' = {
 name: name
 location: location
@@ -129,10 +125,10 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2022-09-01'
 tags: tags
 properties: union({
 containers: containers
- encryptionProperties: !empty(cMKKeyName) ? {
- identity: cMKUserAssignedIdentityResourceId
- keyName: cMKKeyName
- keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
+ encryptionProperties: !empty(customerManagedKey) ? {
+ identity: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.id : null
+ keyName: customerManagedKey!.keyName
+ keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
 vaultBaseUrl: cMKKeyVault.properties.vaultUri
 } : null
 imageRegistryCredentials: imageRegistryCredentials
@@ -206,3 +202,17 @@ type lockType = {
 @description('Optional. Specify the type of lock.')
 kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type customerManagedKeyType = {
+ @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+ keyVaultResourceId: string
+
+ @description('Required. The name of the customer managed key to use for encryption.')
+ keyName: string
+
+ @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+ keyVersion: string?
+
+ @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+ userAssignedIdentityResourceId: string?
+}?
diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json
index 9b3e6173ad..3738d8b870 100644
--- a/modules/container-instance/container-group/main.json
+++ b/modules/container-instance/container-group/main.json
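Review bot: The `identity:` line gates on `!empty(customerManagedKey.?userAssignedIdentityResourceId ?? '')` while the equivalent `identity` line in automation-account's `encryption` block (hunk `@@ -134,15 +130,15 @@`) and the `cMKUserAssignedIdentity` condition in the preceding hunk use `!empty(customerManagedKey.?userAssignedIdentityResourceId)` without the `?? ''`; that condition already relies on `empty()` accepting the null produced by `.?`, so the `?? ''` adds nothing and the shorter form should be used for consistency: `identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? cMKUserAssignedIdentity.id : null`. The `containergroup` resource this hunk edits starts and ends outside the hunk.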
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15985356083477047348" + "templateHash": "9232184615208401604" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", @@ -60,6 +60,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -219,32 +251,10 @@ "description": "Optional. The container group SKU." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." + "description": "Optional. The customer managed key definition." } } }, 
@@ -254,13 +264,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -280,13 +290,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "containergroup": { "type": "Microsoft.ContainerInstance/containerGroups", 
@@ -295,9 +314,10 @@ "location": "[parameters('location')]", "identity": "[variables('identity')]", "tags": "[parameters('tags')]", - "properties": "[union(createObject('containers', parameters('containers'), 'encryptionProperties', if(not(empty(parameters('cMKKeyName'))), createObject('identity', parameters('cMKUserAssignedIdentityResourceId'), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null()), 'imageRegistryCredentials', parameters('imageRegistryCredentials'), 'initContainers', parameters('initContainers'), 'restartPolicy', parameters('restartPolicy'), 'osType', parameters('osType'), 'ipAddress', createObject('type', parameters('ipAddressType'), 'autoGeneratedDomainNameLabelScope', if(not(empty(parameters('dnsNameServers'))), parameters('autoGeneratedDomainNameLabelScope'), null()), 'dnsNameLabel', parameters('dnsNameLabel'), 'ports', parameters('ipAddressPorts')), 'sku', parameters('sku'), 'subnetIds', if(not(empty(parameters('subnetId'))), createArray(createObject('id', parameters('subnetId'))), null()), 'volumes', parameters('volumes')), if(not(empty(parameters('dnsNameServers'))), createObject('dnsConfig', createObject('nameServers', parameters('dnsNameServers'), 'searchDomains', parameters('dnsSearchDomains'))), createObject()))]", + "properties": "[union(createObject('containers', parameters('containers'), 'encryptionProperties', if(not(empty(parameters('customerManagedKey'))), createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 
'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null()), 'imageRegistryCredentials', parameters('imageRegistryCredentials'), 'initContainers', parameters('initContainers'), 'restartPolicy', parameters('restartPolicy'), 'osType', parameters('osType'), 'ipAddress', createObject('type', parameters('ipAddressType'), 'autoGeneratedDomainNameLabelScope', if(not(empty(parameters('dnsNameServers'))), parameters('autoGeneratedDomainNameLabelScope'), null()), 'dnsNameLabel', parameters('dnsNameLabel'), 'ports', parameters('ipAddressPorts')), 'sku', parameters('sku'), 'subnetIds', if(not(empty(parameters('subnetId'))), createArray(createObject('id', parameters('subnetId'))), null()), 'volumes', parameters('volumes')), if(not(empty(parameters('dnsNameServers'))), createObject('dnsConfig', createObject('nameServers', parameters('dnsNameServers'), 'searchDomains', parameters('dnsSearchDomains'))), createObject()))]", "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "containergroup_lock": { diff --git a/modules/container-registry/registry/.test/encr/main.test.bicep b/modules/container-registry/registry/.test/encr/main.test.bicep index 6865689145..0e804e410a 100644 --- a/modules/container-registry/registry/.test/encr/main.test.bicep +++ b/modules/container-registry/registry/.test/encr/main.test.bicep 
@@ -56,9 +56,11 @@ module testDeployment '../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' acrSku: 'Premium' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } publicNetworkAccess: 'Disabled' managedIdentities: { userAssignedResourcesIds: [ diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 4f7663a06d..15270996f2 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -307,9 +307,11 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { name: 'crrencr001' // Non-required parameters acrSku: 'Premium' - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { userAssignedResourcesIds: [ @@ -346,14 +348,12 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "acrSku": { "value": "Premium" }, - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" 
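Review bot: The updated test still passes `userAssignedIdentityResourceId`, so the path this commit introduces where it is omitted and the registry's encryption falls back to `identity: null` (system-assigned identity) is not exercised anywhere in the change. A second invocation, or a separate `.test` scenario, that sets `customerManagedKey` with only `keyName` and `keyVaultResourceId` and enables a system-assigned identity on the registry would cover that branch and surface a missing key permission before release. The `testDeployment` module declaration starts and ends outside the hunk.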
@@ -528,12 +528,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of your Azure container registry. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | 
@@ -543,9 +537,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`anonymousPullEnabled`](#parameter-anonymouspullenabled) | bool | Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. | | [`azureADAuthenticationAsArmPolicyStatus`](#parameter-azureadauthenticationasarmpolicystatus) | string | The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. | | [`cacheRules`](#parameter-cacherules) | array | Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'. | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`dataEndpointEnabled`](#parameter-dataendpointenabled) | bool | Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | 
@@ -620,33 +612,47 @@ Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.micro - Type: array - Default: `[]` -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
-The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` ### Parameter: `dataEndpointEnabled` diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index e5fe2166d4..57b8409f5c 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -134,17 +134,8 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. Enables registry-wide pull from unauthenticated clients. It\'s in preview and available in the Standard and Premium service tiers.')
 param anonymousPullEnabled bool = false
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the \'acrSku\' to be \'Premium\'.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption. Note, CMK requires the \'acrSku\' to be \'Premium\'.')
-param cMKKeyName string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
-param cMKKeyVersion string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Note, CMK requires the \'acrSku\' to be \'Premium\'. Required if \'cMKKeyName\' is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
+@description('Optional. The customer managed key definition.')
+param customerManagedKey customerManagedKeyType
 
 @description('Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).')
 param cacheRules array = []
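Review bot: The new `customerManagedKey` description drops the precondition that the four old parameter descriptions carried, that CMK requires `acrSku` to be `Premium`, so readers of the generated README no longer learn that setting this object on a Basic or Standard registry is presumably rejected only at deployment time. Suggested wording: `@description('Optional. The customer managed key definition. Note, CMK requires the \'acrSku\' to be \'Premium\'.')`. Alternatively the caveat can sit on `customerManagedKeyType`, since that is what the README now documents property by property.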
@@ -184,18 +175,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } -resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { - name: last(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : 'dummyMsi'), '/'))! - scope: resourceGroup(split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '//'), '/')[2], split((!empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : '////'), '/')[4]) +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 
'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) } resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = { @@ -209,11 +200,11 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-06-01-preview' = properties: { anonymousPullEnabled: anonymousPullEnabled adminUserEnabled: acrAdminUserEnabled - encryption: !empty(cMKKeyName) ? { + encryption: !empty(customerManagedKey) ? { status: 'enabled' keyVaultProperties: { - identity: cMKUserAssignedIdentity.properties.clientId - keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? cMKUserAssignedIdentity.properties.clientId : null + keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion } } : null policies: { 
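Review bot: `identity` is now `null` whenever `customerManagedKey.userAssignedIdentityResourceId` is omitted, which silently moves key access to the registry's system-assigned identity, yet nothing in this hunk checks that the `managedIdentities` parameter actually enables one, so a `customerManagedKey` with no usable identity is only caught by the resource provider at deploy time, if at all. A comment on that line would at least make the contract explicit: `// null => the registry's system-assigned identity must exist and hold the required permissions on the key`. The `registry` resource starts and ends outside the hunk.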
@@ -536,3 +527,17 @@ type diagnosticSettingType = {
 @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
 marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+ @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+ keyVaultResourceId: string
+
+ @description('Required. The name of the customer managed key to use for encryption.')
+ keyName: string
+
+ @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+ keyVersion: string?
+
+ @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+ userAssignedIdentityResourceId: string?
+}?
diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json
index 6470bbd3ca..9d58201220 100644
--- a/modules/container-registry/registry/main.json
+++ b/modules/container-registry/registry/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.22.6.54827",
- "templateHash": "14688875704864672455"
+ "templateHash": "1853795110758917166"
 },
 "name": "Azure Container Registries (ACR)",
 "description": "This module deploys an Azure Container Registry (ACR).",
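Review bot: The `keyVersion` description promises `'latest'` when no version is given, but the registry hunk at `@@ -209,11 +200,11 @@` resolves that case to `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, i.e. the version current at deployment time is written into the registry, and later rotations of the key in Key Vault are not picked up unless the module is redeployed (assuming the service treats a versioned key identifier as pinned, which I believe ACR does). Anyone relying on key rotation needs that spelled out: `@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the key version that is current at deployment time is used.')`. The data-factory README in this commit repeats the same `'latest'` wording, while its encryption block is outside the visible hunks.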
@@ -407,6 +407,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -648,32 +680,10 @@ "description": "Optional. Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of a key vault to reference a customer managed key for encryption from. Note, CMK requires the 'acrSku' to be 'Premium'." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption. Note, CMK requires the 'acrSku' to be 'Premium'." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Note, CMK requires the 'acrSku' to be 'Premium'. Required if 'cMKKeyName' is not empty." + "description": "Optional. The customer managed key definition." } }, "cacheRules": { 
@@ -704,13 +714,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -730,22 +740,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" }, "cMKUserAssignedIdentity": { - "condition": "[not(empty(parameters('cMKUserAssignedIdentityResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", "existing": true, "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", - "subscriptionId": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 
'//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "registry": { "type": "Microsoft.ContainerRegistry/registries", @@ -760,7 +770,7 @@ "properties": { "anonymousPullEnabled": "[parameters('anonymousPullEnabled')]", "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', reference('cMKUserAssignedIdentity').clientId, 'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'enabled', 'keyVaultProperties', createObject('identity', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), ''))), reference('cMKUserAssignedIdentity').clientId, null()), 'keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", "policies": { "azureADAuthenticationAsArmPolicy": { "status": "[parameters('azureADAuthenticationAsArmPolicyStatus')]" diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/.test/common/main.test.bicep index 84cd092e7e..2c9eacb8ec 100644 --- a/modules/data-factory/factory/.test/common/main.test.bicep +++ b/modules/data-factory/factory/.test/common/main.test.bicep 
@@ -69,9 +69,11 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } diagnosticSettings: [ { name: 'customSetting' diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index c65c7a02e6..b01bb04610 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -52,9 +52,11 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { // Required parameters name: 'dffcom001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -159,14 +161,12 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "value": "dffcom001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "diagnosticSettings": { "value": [ 
@@ -339,19 +339,11 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | :-- | :-- | :-- | | [`name`](#parameter-name) | string | The name of the Azure Factory to create. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`gitAccountName`](#parameter-gitaccountname) | string | The account name. | 
@@ -375,33 +367,47 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. 
+ +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` ### Parameter: `diagnosticSettings` diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index 381ed4e1db..810d6c0200 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -67,17 +67,8 @@ param managedIdentities managedIdentitiesType @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') -param cMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments roleAssignmentType 
@@ -106,9 +97,18 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) + + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' + } +} + +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) } resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
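Review bot: The nested `cMKKey` condition repeats the parent's `!empty(customerManagedKey.?keyVaultResourceId)` clause; Bicep already ANDs a parent's condition into a nested existing resource, as the compiled `cMKKeyVault::cMKKey` condition in main.json in this same commit shows (`and(not(empty(...keyVaultResourceId)), and(not(empty(...keyVaultResourceId)), not(empty(...keyName))))`). `resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyName)) {` compiles to the same guard without the duplicated clause. The same pattern appears in both nested `cMKKey` resources of the databricks workspace hunk at `@@ -136,21 +121,21 @@`. Since `keyName` is a required member of `customerManagedKeyType`, the guard effectively means "a CMK definition was supplied", which a one-line comment above the nested resource could state.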
@@ -142,12 +142,12 @@ resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = { } : {}), {}) globalParameters: !empty(globalParameters) ? globalParameters : null publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) - encryption: !empty(cMKKeyName) ? { - identity: { - userAssignedIdentity: cMKUserAssignedIdentityResourceId - } - keyName: cMKKeyName - keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : null + encryption: !empty(customerManagedKey) ? { + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { + userAssignedIdentity: cMKUserAssignedIdentity.id + } : null + keyName: customerManagedKey!.keyName + keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) vaultBaseUrl: cMKKeyVault.properties.vaultUri } : null } @@ -414,3 +414,17 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index aa193cadf8..448f9f9614 100644 --- a/modules/data-factory/factory/main.json 
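Review bot: The fallback `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))` on the `keyVersion` line resolves the key's current version at deployment time and writes that fixed version into the factory, so a later rotation in Key Vault is not picked up until the module is redeployed; the description in the `customerManagedKeyType` hunk at `@@ -414,3 +414,17 @@` (`If not provided, using 'latest'`) and the README read as if the latest version were tracked. I would reword that description to `Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version available at deployment time is resolved and pinned; a later key rotation requires redeployment.` and apply the same wording to the managed-services `keyVersion` of the databricks workspace hunks at `@@ -232,24 +217,24 @@` and `@@ -469,3 +454,34 @@`. A short comment on the `identity` line would also help: when `userAssignedIdentityResourceId` is omitted the factory's system-assigned identity must exist and hold key permissions on the vault, which nothing in this hunk checks, so the failure only surfaces at deployment. The enclosing `dataFactory` resource starts outside the hunk.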
+++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1415884638599377742" + "templateHash": "12379082331445276558" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", @@ -407,6 +407,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -550,32 +582,10 @@ "description": "Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." + "description": "Optional. The customer managed key definition." } }, "roleAssignments": { 
@@ -613,14 +623,35 @@ } }, "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { 
+ "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -647,10 +678,11 @@ "repoConfiguration": "[if(bool(parameters('gitConfigureLater')), null(), union(createObject('type', parameters('gitRepoType'), 'hostName', parameters('gitHostName'), 'accountName', parameters('gitAccountName'), 'repositoryName', parameters('gitRepositoryName'), 'collaborationBranch', parameters('gitCollaborationBranch'), 'rootFolder', parameters('gitRootFolder'), 'disablePublish', parameters('gitDisablePublish')), if(equals(parameters('gitRepoType'), 'FactoryVSTSConfiguration'), createObject('projectName', parameters('gitProjectName')), createObject()), createObject()))]", "globalParameters": "[if(not(empty(parameters('globalParameters'))), parameters('globalParameters'), null())]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', null()))]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('identity', createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), 'keyName', parameters('cMKKeyName'), 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null()), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null())]" + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 
'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))), 'vaultBaseUrl', reference('cMKKeyVault').vaultUri), null())]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "dataFactory_lock": { diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/.test/common/main.test.bicep index 93003db078..e331c84dec 100644 --- a/modules/databricks/workspace/.test/common/main.test.bicep +++ b/modules/databricks/workspace/.test/common/main.test.bicep @@ -112,11 +112,15 @@ module testDeployment '../../main.bicep' = { Environment: 'Non-Prod' Role: 'DeploymentValidation' } - cMKManagedServicesKeyName: nestedDependencies.outputs.keyVaultKeyName - cMKManagedServicesKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKManagedDisksKeyName: nestedDependencies.outputs.keyVaultDiskKeyName - cMKManagedDisksKeyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId - cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + } + customerManagedKeyManagedDisk: { + keyName: nestedDependencies.outputs.keyVaultDiskKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId + rotationToLatestKeyVersionEnabled: true + } storageAccountName: 'sa${namePrefix}${serviceShort}001' storageAccountSkuName: 'Standard_ZRS' publicIpName: 'nat-gw-public-ip' diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index bcf15863ba..3fed69efc9 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md 
@@ -50,11 +50,15 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { name: 'dwcom001' // Non-required parameters amlWorkspaceResourceId: '' - cMKManagedDisksKeyName: '' - cMKManagedDisksKeyRotationToLatestKeyVersionEnabled: true - cMKManagedDisksKeyVaultResourceId: '' - cMKManagedServicesKeyName: '' - cMKManagedServicesKeyVaultResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + } + customerManagedKeyManagedDisk: { + keyName: '' + keyVaultResourceId: '' + rotationToLatestKeyVersionEnabled: true + } customPrivateSubnetName: '' customPublicSubnetName: '' customVirtualNetworkResourceId: '' @@ -143,20 +147,18 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "amlWorkspaceResourceId": { "value": "" }, - "cMKManagedDisksKeyName": { - "value": "" - }, - "cMKManagedDisksKeyRotationToLatestKeyVersionEnabled": { - "value": true - }, - "cMKManagedDisksKeyVaultResourceId": { - "value": "" - }, - "cMKManagedServicesKeyName": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "" + } }, - "cMKManagedServicesKeyVaultResourceId": { - "value": "" + "customerManagedKeyManagedDisk": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "rotationToLatestKeyVersionEnabled": true + } }, "customPrivateSubnetName": { "value": "" 
@@ -334,23 +336,13 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { | :-- | :-- | :-- | | [`name`](#parameter-name) | string | The name of the Azure Databricks workspace to create. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKManagedDisksKeyVaultResourceId`](#parameter-cmkmanageddiskskeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKManagedServicesKeyVaultResourceId`](#parameter-cmkmanagedserviceskeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | | [`amlWorkspaceResourceId`](#parameter-amlworkspaceresourceid) | string | The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. | -| [`cMKManagedDisksKeyName`](#parameter-cmkmanageddiskskeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKManagedDisksKeyRotationToLatestKeyVersionEnabled`](#parameter-cmkmanageddiskskeyrotationtolatestkeyversionenabled) | bool | Enable Auto Rotation of Key. | -| [`cMKManagedDisksKeyVersion`](#parameter-cmkmanageddiskskeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`cMKManagedServicesKeyName`](#parameter-cmkmanagedserviceskeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKManagedServicesKeyVersion`](#parameter-cmkmanagedserviceskeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition to use for the managed service. 
| +| [`customerManagedKeyManagedDisk`](#parameter-customermanagedkeymanageddisk) | object | The customer managed key definition to use for the managed disk. | | [`customPrivateSubnetName`](#parameter-customprivatesubnetname) | string | The name of the Private Subnet within the Virtual Network. | | [`customPublicSubnetName`](#parameter-custompublicsubnetname) | string | The name of a Public Subnet within the Virtual Network. | | [`customVirtualNetworkResourceId`](#parameter-customvirtualnetworkresourceid) | string | The resource ID of a Virtual Network where this Databricks Cluster should be created. | 
@@ -383,54 +375,97 @@ The resource ID of a Azure Machine Learning workspace to link with Databricks wo - Type: string - Default: `''` -### Parameter: `cMKManagedDisksKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. +The customer managed key definition to use for the managed service. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKManagedDisksKeyRotationToLatestKeyVersionEnabled` +### Parameter: `customerManagedKey.keyVaultResourceId` -Enable Auto Rotation of Key. -- Required: No -- Type: bool -- Default: `True` +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVersion` -### Parameter: `cMKManagedDisksKeyVaultResourceId` +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
-The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKManagedDisksKeyVersion` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKManagedServicesKeyName` +### Parameter: `customerManagedKeyManagedDisk` -The name of the customer managed key to use for encryption. +The customer managed key definition to use for the managed disk. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeymanageddiskkeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeymanageddiskkeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeymanageddiskkeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`rotationToLatestKeyVersionEnabled`](#parameter-customermanagedkeymanageddiskrotationtolatestkeyversionenabled) | No | bool | Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeymanageddiskuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. 
Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKeyManagedDisk.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKManagedServicesKeyVaultResourceId` +### Parameter: `customerManagedKeyManagedDisk.keyVaultResourceId` + +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKeyManagedDisk.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKManagedServicesKeyVersion` +### Parameter: `customerManagedKeyManagedDisk.rotationToLatestKeyVersionEnabled` + +Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. + +- Required: No +- Type: bool + +### Parameter: `customerManagedKeyManagedDisk.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` ### Parameter: `customPrivateSubnetName` diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index d0f262ea88..3689a37f95 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep 
@@ -49,26 +49,11 @@ param customPublicSubnetName string = '' @description('Optional. Disable Public IP.') param disablePublicIp bool = false -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKManagedServicesKeyVaultResourceId string = '' +@description('Optional. The customer managed key definition to use for the managed service.') +param customerManagedKey customerManagedKeyType -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKManagedServicesKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKManagedServicesKeyVersion string = '' - -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKManagedDisksKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKManagedDisksKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKManagedDisksKeyVersion string = '' - -@description('Optional. Enable Auto Rotation of Key.') -param cMKManagedDisksKeyRotationToLatestKeyVersionEnabled bool = true +@description('Optional. The customer managed key definition to use for the managed disk.') +param customerManagedKeyManagedDisk customerManagedKeyManagedDiskType @description('Optional. Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP).') param loadBalancerBackendPoolName string = '' 
@@ -136,21 +121,21 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKManagedDisksKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKManagedDisksKeyVaultResourceId)) { - name: last(split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKManagedDisksKeyVaultResourceId) ? cMKManagedDisksKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKeyDisk 'keys@2023-02-01' existing = if (!empty(cMKManagedDisksKeyName)) { - name: !empty(cMKManagedDisksKeyName) ? cMKManagedDisksKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } -resource cMKManagedServicesKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKManagedServicesKeyVaultResourceId)) { - name: last(split((!empty(cMKManagedServicesKeyVaultResourceId) ? cMKManagedServicesKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKManagedServicesKeyVaultResourceId) ? cMKManagedServicesKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKManagedServicesKeyVaultResourceId) ? 
cMKManagedServicesKeyVaultResourceId : '////'), '/')[4]) +resource cMKManagedDiskKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId)) { + name: last(split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKManagedServicesKeyName)) { - name: !empty(cMKManagedServicesKeyName) ? cMKManagedServicesKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId) && !empty(customerManagedKeyManagedDisk.?keyName)) { + name: customerManagedKeyManagedDisk.?keyName ?? 'dummyKey' } } 
@@ -232,24 +217,24 @@ resource workspace 'Microsoft.Databricks/workspaces@2023-02-01' = { } : {}) publicNetworkAccess: publicNetworkAccess requiredNsgRules: requiredNsgRules - encryption: !empty(cMKManagedServicesKeyName) || !empty(cMKManagedServicesKeyName) ? { + encryption: !empty(customerManagedKey) || !empty(customerManagedKeyManagedDisk) ? { entities: { - managedServices: !empty(cMKManagedServicesKeyName) ? { + managedServices: !empty(customerManagedKey) ? { keySource: 'Microsoft.Keyvault' keyVaultProperties: { - keyVaultUri: cMKManagedServicesKeyVault.properties.vaultUri - keyName: cMKManagedServicesKeyName - keyVersion: !empty(cMKManagedServicesKeyVersion) ? cMKManagedServicesKeyVersion : last(split(cMKManagedServicesKeyVault::cMKKey.properties.keyUriWithVersion, '/')) + keyVaultUri: cMKKeyVault.properties.vaultUri + keyName: customerManagedKey!.keyName + keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } } : null - managedDisk: !empty(cMKManagedDisksKeyName) ? { + managedDisk: !empty(customerManagedKeyManagedDisk) ? { keySource: 'Microsoft.Keyvault' keyVaultProperties: { - keyVaultUri: cMKManagedDisksKeyVault.properties.vaultUri - keyName: cMKManagedDisksKeyName - keyVersion: !empty(cMKManagedDisksKeyVersion) ? cMKManagedDisksKeyVersion : last(split(cMKManagedDisksKeyVault::cMKKeyDisk.properties.keyUriWithVersion, '/')) + keyVaultUri: cMKManagedDiskKeyVault.properties.vaultUri + keyName: customerManagedKeyManagedDisk!.keyName + keyVersion: !empty(customerManagedKeyManagedDisk.?keyVersion ?? '') ? customerManagedKeyManagedDisk!.keyVersion : last(split(cMKManagedDiskKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } - rotationToLatestKeyVersionEnabled: cMKManagedDisksKeyRotationToLatestKeyVersionEnabled + rotationToLatestKeyVersionEnabled: customerManagedKeyManagedDisk.?rotationToLatestKeyVersionEnabled ?? true } : null } } : null 
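Review bot: `userAssignedIdentityResourceId` is declared on both `customerManagedKeyType` and `customerManagedKeyManagedDiskType` in the hunk at `@@ -469,3 +454,34 @@` and documented in the README, but neither `keyVaultProperties` object in this hunk references it and no `cMKUserAssignedIdentity` existing resource appears in this file's hunks (the data-factory module in the same commit does both), so unless it is consumed elsewhere in the file the value is silently ignored. A caller who supplies it will assume that identity is used to fetch the key when it is not. Either wire it into the `workspace` resource or drop the member from both types and the README; if it has to stay, its description should say `Optional. Not currently applied by this module.` rather than promising an identity binding. The enclosing `workspace` resource starts outside the hunk.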
@@ -469,3 +454,34 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? + +type customerManagedKeyManagedDiskType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? + + @description('Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default.') + rotationToLatestKeyVersionEnabled: bool? +}? diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 69e194ad09..e6dcbd3bd4 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1354063990980525308" + "templateHash": "3160595622135122462" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
@@ -366,6 +366,77 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true + }, + "customerManagedKeyManagedDiskType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + }, + "rotationToLatestKeyVersionEnabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. 
Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -468,53 +539,16 @@ "description": "Optional. Disable Public IP." } }, - "cMKManagedServicesKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKManagedServicesKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKManagedServicesKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKManagedDisksKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKManagedDisksKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKManagedDisksKeyVersion": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." + "description": "Optional. The customer managed key definition to use for the managed service." } }, - "cMKManagedDisksKeyRotationToLatestKeyVersionEnabled": { - "type": "bool", - "defaultValue": true, + "customerManagedKeyManagedDisk": { + "$ref": "#/definitions/customerManagedKeyManagedDiskType", "metadata": { - "description": "Optional. Enable Auto Rotation of Key." + "description": "Optional. 
The customer managed key definition to use for the managed disk." } }, "loadBalancerBackendPoolName": { 
@@ -620,28 +654,28 @@ } }, "resources": { - "cMKManagedDisksKeyVault::cMKKeyDisk": { - "condition": "[and(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), not(empty(parameters('cMKManagedDisksKeyName'))))]", + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKManagedDisksKeyName'))), parameters('cMKManagedDisksKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ - "cMKManagedDisksKeyVault" + "cMKKeyVault" ] }, - "cMKManagedServicesKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), not(empty(parameters('cMKManagedServicesKeyName'))))]", + "cMKManagedDiskKeyVault::cMKKey": { + "condition": 
"[and(not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKManagedServicesKeyName'))), parameters('cMKManagedServicesKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyName'), 'dummyKey'))]", "dependsOn": [ - "cMKManagedServicesKeyVault" + "cMKManagedDiskKeyVault" ] }, "defaultTelemetry": { 
@@ -658,23 +692,23 @@ } } }, - "cMKManagedDisksKeyVault": { - "condition": "[not(empty(parameters('cMKManagedDisksKeyVaultResourceId')))]", + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKManagedDisksKeyVaultResourceId'))), parameters('cMKManagedDisksKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" }, - "cMKManagedServicesKeyVault": { - "condition": "[not(empty(parameters('cMKManagedServicesKeyVaultResourceId')))]", + "cMKManagedDiskKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), parameters('cMKManagedServicesKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKManagedServicesKeyVaultResourceId'))), 
parameters('cMKManagedServicesKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" }, "workspace": { "type": "Microsoft.Databricks/workspaces", 
@@ -690,11 +724,11 @@ "parameters": "[union(createObject('enableNoPublicIp', createObject('value', parameters('disablePublicIp')), 'prepareEncryption', createObject('value', parameters('prepareEncryption')), 'vnetAddressPrefix', createObject('value', parameters('vnetAddressPrefix')), 'requireInfrastructureEncryption', createObject('value', parameters('requireInfrastructureEncryption'))), if(not(empty(parameters('customVirtualNetworkResourceId'))), createObject('customVirtualNetworkId', createObject('value', parameters('customVirtualNetworkResourceId'))), createObject()), if(not(empty(parameters('amlWorkspaceResourceId'))), createObject('amlWorkspaceId', createObject('value', parameters('amlWorkspaceResourceId'))), createObject()), if(not(empty(parameters('customPrivateSubnetName'))), createObject('customPrivateSubnetName', createObject('value', parameters('customPrivateSubnetName'))), createObject()), if(not(empty(parameters('customPublicSubnetName'))), createObject('customPublicSubnetName', createObject('value', parameters('customPublicSubnetName'))), createObject()), if(not(empty(parameters('loadBalancerBackendPoolName'))), createObject('loadBalancerBackendPoolName', createObject('value', parameters('loadBalancerBackendPoolName'))), createObject()), if(not(empty(parameters('loadBalancerResourceId'))), createObject('loadBalancerId', createObject('value', parameters('loadBalancerResourceId'))), createObject()), if(not(empty(parameters('natGatewayName'))), createObject('natGatewayName', createObject('value', parameters('natGatewayName'))), createObject()), if(not(empty(parameters('publicIpName'))), createObject('publicIpName', createObject('value', parameters('publicIpName'))), createObject()), if(not(empty(parameters('storageAccountName'))), createObject('storageAccountName', createObject('value', parameters('storageAccountName'))), createObject()), if(not(empty(parameters('storageAccountSkuName'))), createObject('storageAccountSkuName', createObject('value', 
parameters('storageAccountSkuName'))), createObject()))]", "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "requiredNsgRules": "[parameters('requiredNsgRules')]", - "encryption": "[if(or(not(empty(parameters('cMKManagedServicesKeyName'))), not(empty(parameters('cMKManagedServicesKeyName')))), createObject('entities', createObject('managedServices', if(not(empty(parameters('cMKManagedServicesKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedServicesKeyVault').vaultUri, 'keyName', parameters('cMKManagedServicesKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedServicesKeyVersion'))), parameters('cMKManagedServicesKeyVersion'), last(split(reference('cMKManagedServicesKeyVault::cMKKey').keyUriWithVersion, '/'))))), null()), 'managedDisk', if(not(empty(parameters('cMKManagedDisksKeyName'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedDisksKeyVault').vaultUri, 'keyName', parameters('cMKManagedDisksKeyName'), 'keyVersion', if(not(empty(parameters('cMKManagedDisksKeyVersion'))), parameters('cMKManagedDisksKeyVersion'), last(split(reference('cMKManagedDisksKeyVault::cMKKeyDisk').keyUriWithVersion, '/')))), 'rotationToLatestKeyVersionEnabled', parameters('cMKManagedDisksKeyRotationToLatestKeyVersionEnabled')), null()))), null())]" + "encryption": "[if(or(not(empty(parameters('customerManagedKey'))), not(empty(parameters('customerManagedKeyManagedDisk')))), createObject('entities', createObject('managedServices', if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyName', parameters('customerManagedKey').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, 
last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null()), 'managedDisk', if(not(empty(parameters('customerManagedKeyManagedDisk'))), createObject('keySource', 'Microsoft.Keyvault', 'keyVaultProperties', createObject('keyVaultUri', reference('cMKManagedDiskKeyVault').vaultUri, 'keyName', parameters('customerManagedKeyManagedDisk').keyName, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'keyVersion'), ''))), parameters('customerManagedKeyManagedDisk').keyVersion, last(split(reference('cMKManagedDiskKeyVault::cMKKey').keyUriWithVersion, '/')))), 'rotationToLatestKeyVersionEnabled', coalesce(tryGet(parameters('customerManagedKeyManagedDisk'), 'rotationToLatestKeyVersionEnabled'), true())), null()))), null())]" }, "dependsOn": [ - "cMKManagedDisksKeyVault", - "cMKManagedServicesKeyVault" + "cMKKeyVault", + "cMKManagedDiskKeyVault" ] }, "workspace_lock": { diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep index 04f9296d26..2dac6609f6 100644 --- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep 
@@ -143,13 +143,17 @@ module testDeployment '../../main.bicep' = {
 highAvailability: 'SameZone'
 storageAutoGrow: 'Enabled'
 version: '8.0.21'
- cMKKeyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId
- cMKKeyName: nestedDependencies2.outputs.keyName
- cMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId
+ customerManagedKey: {
+ keyName: nestedDependencies2.outputs.keyName
+ keyVaultResourceId: nestedDependencies2.outputs.keyVaultResourceId
+ userAssignedIdentityResourceId: nestedDependencies2.outputs.managedIdentityResourceId
+ }
 geoRedundantBackup: 'Enabled'
- geoBackupCMKKeyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId
- geoBackupCMKKeyName: nestedDependencies2.outputs.geoBackupKeyName
- geoBackupCMKUserAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId
+ customerManagedKeyGeo: {
+ keyName: nestedDependencies2.outputs.geoBackupKeyName
+ keyVaultResourceId: nestedDependencies2.outputs.geoBackupKeyVaultResourceId
+ userAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId
+ }
 managedIdentities: {
 userAssignedResourcesIds: [
 nestedDependencies2.outputs.managedIdentityResourceId
diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md
index fbc748a98e..e9c8cf81f8 100644
--- a/modules/db-for-my-sql/flexible-server/README.md
+++ b/modules/db-for-my-sql/flexible-server/README.md
@@ -322,9 +322,16 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { administratorLoginPassword: '' availabilityZone: '1' backupRetentionDays: 20 - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + customerManagedKeyGeo: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } databases: [ { name: 'testdb1' @@ -367,9 +374,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { startIpAddress: '100.100.100.1' } ] - geoBackupCMKKeyName: '' - geoBackupCMKKeyVaultResourceId: '' - geoBackupCMKUserAssignedIdentityResourceId: '' geoRedundantBackup: 'Enabled' highAvailability: 'SameZone' location: '' @@ -439,14 +443,19 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { "backupRetentionDays": { "value": 20 }, - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKeyGeo": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "databases": { "value": [ @@ -498,15 +507,6 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { } ] }, - "geoBackupCMKKeyName": { - "value": "" - }, - "geoBackupCMKKeyVaultResourceId": { - "value": "" - }, - "geoBackupCMKUserAssignedIdentityResourceId": { - "value": "" - }, "geoRedundantBackup": { "value": "Enabled" }, 
@@ -583,11 +583,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | -| [`geoBackupCMKKeyVaultResourceId`](#parameter-geobackupcmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | -| [`geoBackupCMKUserAssignedIdentityResourceId`](#parameter-geobackupcmkuserassignedidentityresourceid) | string | Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. | | [`privateDnsZoneResourceId`](#parameter-privatednszoneresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. 
| | [`restorePointInTime`](#parameter-restorepointintime) | string | Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". | | [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". | 
@@ -602,16 +598,14 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | | [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition to use for the managed service. | +| [`customerManagedKeyGeo`](#parameter-customermanagedkeygeo) | object | The customer managed key definition to use when geoRedundantBackup is "Enabled". | | [`databases`](#parameter-databases) | array | The databases to create in the server. | | [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`firewallRules`](#parameter-firewallrules) | array | The firewall rules to create in the MySQL flexible server. 
| -| [`geoBackupCMKKeyName`](#parameter-geobackupcmkkeyname) | string | The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". | -| [`geoBackupCMKKeyVersion`](#parameter-geobackupcmkkeyversion) | string | The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". If not provided, the latest key version is used. | | [`geoRedundantBackup`](#parameter-georedundantbackup) | string | A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. | | [`highAvailability`](#parameter-highavailability) | string | The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. | | [`location`](#parameter-location) | string | Location for all resources. | 
@@ -669,49 +663,105 @@ Backup retention days for the server. - Type: int - Default: `7` -### Parameter: `cMKKeyName` +### Parameter: `createMode` -The name of the customer managed key to use for encryption. +The mode to create a new MySQL server. - Required: No - Type: string -- Default: `''` +- Default: `'Default'` +- Allowed: + ```Bicep + [ + 'Default' + 'GeoRestore' + 'PointInTimeRestore' + 'Replica' + ] + ``` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. +The customer managed key definition to use for the managed service. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVaultResourceId` + +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVersion` + +Optional. 
The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Required. User assigned identity to use when fetching the customer managed key. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKeyGeo` -User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. +The customer managed key definition to use when geoRedundantBackup is "Enabled". - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeygeokeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeygeokeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeygeokeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeygeouserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | + +### Parameter: `customerManagedKeyGeo.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `createMode` +### Parameter: `customerManagedKeyGeo.keyVaultResourceId` + +Required. 
The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKeyGeo.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -The mode to create a new MySQL server. - Required: No - Type: string -- Default: `'Default'` -- Allowed: - ```Bicep - [ - 'Default' - 'GeoRestore' - 'PointInTimeRestore' - 'Replica' - ] - ``` + +### Parameter: `customerManagedKeyGeo.userAssignedIdentityResourceId` + +Required. User assigned identity to use when fetching the customer managed key. + +- Required: Yes +- Type: string ### Parameter: `databases` 
@@ -856,34 +906,6 @@ The firewall rules to create in the MySQL flexible server. - Type: array - Default: `[]` -### Parameter: `geoBackupCMKKeyName` - -The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled". -- Required: No -- Type: string -- Default: `''` - -### Parameter: `geoBackupCMKKeyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". -- Required: No -- Type: string -- Default: `''` - -### Parameter: `geoBackupCMKKeyVersion` - -The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". If not provided, the latest key version is used. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `geoBackupCMKUserAssignedIdentityResourceId` - -Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled". -- Required: No -- Type: string -- Default: `''` - ### Parameter: `geoRedundantBackup` A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. @@ -956,7 +978,7 @@ Properties for the maintenence window. If provided, "customWindow" property must ### Parameter: `managedIdentities` -The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. +The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. - Required: No - Type: object diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index 110a710c26..26fabc722a 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep 
+++ b/modules/db-for-my-sql/flexible-server/main.bicep 
@@ -65,32 +65,14 @@ param geoRedundantBackup string = 'Disabled' @description('Optional. The mode to create a new MySQL server.') param createMode string = 'Default' -@description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.') +@description('Conditional. The managed identity definition for this resource. Required if \'customerManagedKey\' is not empty.') param managedIdentities managedIdentitiesType -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty.') -param cMKKeyVaultResourceId string = '' +@description('Optional. The customer managed key definition to use for the managed service.') +param customerManagedKey customerManagedKeyType -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty.') -param cMKUserAssignedIdentityResourceId string = '' - -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled".') -param geoBackupCMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption when geoRedundantBackup is "Enabled".') -param geoBackupCMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption when geoRedundantBackup is "Enabled". 
If not provided, the latest key version is used.') -param geoBackupCMKKeyVersion string = '' - -@description('Conditional. Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty and geoRedundantBackup is "Enabled".') -param geoBackupCMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition to use when geoRedundantBackup is "Enabled".') +param customerManagedKeyGeo customerManagedKeyType @allowed([ 'Disabled' 
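Review bot: `customerManagedKeyGeo` is declared `Optional.` on its new `@description` line, but the `dataEncryption` block later in this file (the `@@ -246,12 +238,12 @@` hunk) dereferences `cMKGeoKeyVault::cMKKey` and `cMKGeoUserAssignedIdentity.id` whenever `geoRedundantBackup == 'Enabled'` and `customerManagedKey` is set, and those `existing` resources are only deployed when `customerManagedKeyGeo` is provided. The parameter is therefore conditional rather than optional; suggest `@description('Conditional. The customer managed key definition to use for geo-redundant backups. Required if "customerManagedKey" is set and geoRedundantBackup is "Enabled".')`. The `geoRedundantBackup` parameter named in this hunk's header sits outside the hunk; judging from the README context elsewhere in this commit, its description still names the removed `cMKKeyName` and `geoBackupCMKKeyVaultResourceId` parameters and should be reworded in the same pass.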
@@ -210,24 +192,34 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } -resource geoBackupCMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(geoBackupCMKKeyVaultResourceId)) { - name: last(split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : '//'), '/')[2], split((!empty(geoBackupCMKKeyVaultResourceId) ? geoBackupCMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? 
'//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) +} + +resource cMKGeoKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKeyGeo.?keyVaultResourceId)) { + name: last(split((customerManagedKeyGeo.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKeyGeo.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKeyGeo.?keyVaultResourceId ?? '////'), '/')[4]) - resource geoBackupCMKKey 'keys@2023-02-01' existing = if (!empty(geoBackupCMKKeyName)) { - name: !empty(geoBackupCMKKeyName) ? geoBackupCMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKeyGeo.?keyVaultResourceId) && !empty(customerManagedKeyGeo.?keyName)) { + name: customerManagedKeyGeo.?keyName ?? 'dummyKey' } } +resource cMKGeoUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKeyGeo.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKeyGeo.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKeyGeo.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKeyGeo.?userAssignedIdentityResourceId ?? '////'), '/')[4]) +} + resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview' = { name: name location: location 
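Review bot: The nested `cMKKey` conditions in this hunk re-check `customerManagedKey.?keyVaultResourceId` (and `customerManagedKeyGeo.?keyVaultResourceId` for the geo vault) that the parent `cMKKeyVault`/`cMKGeoKeyVault` resource already checks; the compiled main.json in this commit shows the parent condition being and-ed in a second time, so the inner `keyVaultResourceId` test is redundant. `if (!empty(customerManagedKey.?keyName))` (and the geo counterpart) states the intent without the duplication; the PostgreSQL `cMKKeyVault` hunk at `@@ -193,15 +184,20 @@` has the same pattern. The subscription/resource-group extraction `split(x ?? '//', '/')[2]` / `split(x ?? '////', '/')[4]` is now repeated for four resources; if the module keeps this form, a short comment above the first use such as `// segments [2] and [4] of an ARM resource ID are the subscription ID and the resource group name` would help readers.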
@@ -246,12 +238,12 @@ resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2022-09-30-preview geoRedundantBackup: geoRedundantBackup } createMode: createMode - dataEncryption: !empty(cMKKeyName) ? { + dataEncryption: !empty(customerManagedKey) ? { type: 'AzureKeyVault' - geoBackupKeyURI: geoRedundantBackup == 'Enabled' ? (!empty(geoBackupCMKKeyVersion) ? '${geoBackupCMKKeyVault::geoBackupCMKKey.properties.keyUri}/${geoBackupCMKKeyVersion}' : geoBackupCMKKeyVault::geoBackupCMKKey.properties.keyUriWithVersion) : null - geoBackupUserAssignedIdentityId: geoRedundantBackup == 'Enabled' ? geoBackupCMKUserAssignedIdentityResourceId : null - primaryKeyURI: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion - primaryUserAssignedIdentityId: cMKUserAssignedIdentityResourceId + geoBackupKeyURI: geoRedundantBackup == 'Enabled' ? (!empty(customerManagedKeyGeo.?keyVersion ?? '') ? '${cMKGeoKeyVault::cMKKey.properties.keyUri}/${customerManagedKeyGeo!.keyVersion}' : cMKGeoKeyVault::cMKKey.properties.keyUriWithVersion) : null + geoBackupUserAssignedIdentityId: geoRedundantBackup == 'Enabled' ? cMKGeoUserAssignedIdentity.id : null + primaryKeyURI: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + primaryUserAssignedIdentityId: cMKUserAssignedIdentity.id } : null highAvailability: { mode: highAvailability 
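Review bot: The new guard `dataEncryption: !empty(customerManagedKey) ? {` is weaker than the `!empty(cMKKeyName)` it replaces: an object whose fields are empty strings (exactly what the regenerated PostgreSQL README example in this commit passes, `keyName: ''`, `keyVaultResourceId: ''`, `userAssignedIdentityResourceId: ''`) is non-empty, so the branch is taken while the `cMKKeyVault`/`cMKKey` conditions (`!empty(customerManagedKey.?keyVaultResourceId)`) are false, and `cMKKeyVault::cMKKey.properties.keyUriWithVersion` then references a resource that was not deployed. Guarding on the field the resources are keyed on, `dataEncryption: !empty(customerManagedKey.?keyName) ? {`, restores the previous behaviour and keeps the guard aligned with the resource conditions. The PostgreSQL `dataEncryption` hunk (`@@ -225,9 +221,9 @@`) makes the same change and needs the same fix. The `flexibleServer` resource starts and ends outside this hunk.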
@@ -451,3 +443,17 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Required. User assigned identity to use when fetching the customer managed key.') + userAssignedIdentityResourceId: string +}? diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index 45a154ff53..db1a78328e 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2940458480347427239" + "templateHash": "6288349663504591009" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", 
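Review bot: The `userAssignedIdentityResourceId` description in the new `customerManagedKeyType` drops the permission requirement that the removed `cMKUserAssignedIdentityResourceId` description carried ("The identity should have key usage permissions on the Key Vault Key"); since a missing key permission only surfaces at deployment time, that sentence is worth keeping: `@description('Required. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key.')`. The `keyVersion` text "If not provided, using 'latest'" is also imprecise, because the template then uses `keyUriWithVersion`, which presumably resolves to the version current at deployment time rather than a floating reference, so a later rotation in Key Vault would not be picked up without a redeploy; suggest "If not provided, the key version current at deployment time is used." The same type definition is added for PostgreSQL in the `@@ -442,3 +438,17 @@` hunk and should get the same wording.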
@@ -224,6 +224,37 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Required. User assigned identity to use when fetching the customer managed key." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -340,63 +371,19 @@ "managedIdentities": { "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Conditional. The managed identity definition for this resource. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \"cMKKeyName\" is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if \"cMKKeyName\" is not empty." + "description": "Conditional. The managed identity definition for this resource. Required if 'customerManagedKey' is not empty." } }, - "geoBackupCMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \"cMKKeyName\" is not empty and geoRedundantBackup is \"Enabled\"." + "description": "Optional. The customer managed key definition to use for the managed service." 
} }, - "geoBackupCMKKeyName": { - "type": "string", - "defaultValue": "", + "customerManagedKeyGeo": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption when geoRedundantBackup is \"Enabled\"." - } - }, - "geoBackupCMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption when geoRedundantBackup is \"Enabled\". If not provided, the latest key version is used." - } - }, - "geoBackupCMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Geo backup user identity resource ID as identity cant cross region, need identity in same region as geo backup. The identity should have key usage permissions on the Key Vault Key. Required if \"cMKKeyName\" is not empty and geoRedundantBackup is \"Enabled\"." + "description": "Optional. The customer managed key definition to use when geoRedundantBackup is \"Enabled\"." } }, "highAvailability": { 
@@ -569,27 +556,27 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] }, - "geoBackupCMKKeyVault::geoBackupCMKKey": { - "condition": "[and(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), not(empty(parameters('geoBackupCMKKeyName'))))]", + "cMKGeoKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyName')))))]", "existing": true, "type": 
"Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('geoBackupCMKKeyName'))), parameters('geoBackupCMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyName'), 'dummyKey'))]", "dependsOn": [ - "geoBackupCMKKeyVault" + "cMKGeoKeyVault" ] }, "defaultTelemetry": { 
@@ -607,22 +594,40 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, - "geoBackupCMKKeyVault": { - "condition": "[not(empty(parameters('geoBackupCMKKeyVaultResourceId')))]", + "cMKGeoKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId')))]", "existing": true, "type": 
"Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('geoBackupCMKKeyVaultResourceId'))), parameters('geoBackupCMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKGeoUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "flexibleServer": { "type": "Microsoft.DBforMySQL/flexibleServers", 
@@ -644,7 +649,7 @@ "geoRedundantBackup": "[parameters('geoRedundantBackup')]" }, "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('type', 'AzureKeyVault', 'geoBackupKeyURI', if(equals(parameters('geoRedundantBackup'), 'Enabled'), if(not(empty(parameters('geoBackupCMKKeyVersion'))), format('{0}/{1}', reference('geoBackupCMKKeyVault::geoBackupCMKKey').keyUri, parameters('geoBackupCMKKeyVersion')), reference('geoBackupCMKKeyVault::geoBackupCMKKey').keyUriWithVersion), null()), 'geoBackupUserAssignedIdentityId', if(equals(parameters('geoRedundantBackup'), 'Enabled'), parameters('geoBackupCMKUserAssignedIdentityResourceId'), null()), 'primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId')), null())]", + "dataEncryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('type', 'AzureKeyVault', 'geoBackupKeyURI', if(equals(parameters('geoRedundantBackup'), 'Enabled'), if(not(empty(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKGeoKeyVault::cMKKey').keyUri, parameters('customerManagedKeyGeo').keyVersion), reference('cMKGeoKeyVault::cMKKey').keyUriWithVersion), null()), 'geoBackupUserAssignedIdentityId', if(equals(parameters('geoRedundantBackup'), 'Enabled'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'userAssignedIdentityResourceId'), 'dummyMsi'), 
'/'))), null()), 'primaryKeyURI', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null())]", "highAvailability": { "mode": "[parameters('highAvailability')]", "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" @@ -663,8 +668,10 @@ "version": "[parameters('version')]" }, "dependsOn": [ + "cMKGeoKeyVault", + "cMKGeoUserAssignedIdentity", "cMKKeyVault", - "geoBackupCMKKeyVault" + "cMKUserAssignedIdentity" ] }, "flexibleServer_lock": { diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep index 86320c6f6d..3cbc9ecdbc 100644 --- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep 
@@ -132,9 +132,11 @@ module testDeployment '../../main.bicep' = { location: location storageSizeGB: 1024 version: '14' - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } managedIdentities: { userAssignedResourcesIds: [ nestedDependencies.outputs.managedIdentityResourceId diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 157b30d978..8c9700bf38 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -286,9 +286,6 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 ] availabilityZone: '1' backupRetentionDays: 20 - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' configurations: [ { name: 'log_min_messages' @@ -296,6 +293,11 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 value: 'INFO' } ] + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } databases: [ { charset: 'UTF8' @@ -395,15 +397,6 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 "backupRetentionDays": { "value": 20 }, - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, "configurations": { "value": [ { 
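Review bot: The updated test passes `keyName`, `keyVaultResourceId` and `userAssignedIdentityResourceId` but no `keyVersion`, so the new `customerManagedKey!.keyVersion` branch of `primaryKeyURI` in main.bicep is not exercised here; if a versioned key is available from `nestedDependencies`, setting `keyVersion` in this deployment (or a second one) would cover it. `testDeployment` starts and ends outside this hunk.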
@@ -413,6 +406,13 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 } ] }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, "databases": { "value": [ { @@ -514,8 +514,6 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. | | [`pointInTimeUTC`](#parameter-pointintimeutc) | string | Required if "createMode" is set to "PointInTimeRestore". | | [`sourceServerResourceId`](#parameter-sourceserverresourceid) | string | Required if "createMode" is set to "PointInTimeRestore". | 
@@ -530,10 +528,9 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | | [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | [`configurations`](#parameter-configurations) | array | The configurations to create in the server. | | [`createMode`](#parameter-createmode) | string | The mode to create a new PostgreSQL server. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`databases`](#parameter-databases) | array | The databases to create in the server. | | [`delegatedSubnetResourceId`](#parameter-delegatedsubnetresourceid) | string | Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | 
@@ -610,34 +607,6 @@ Backup retention days for the server. - Type: int - Default: `7` -### Parameter: `cMKKeyName` - -The name of the customer managed key to use for encryption. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKKeyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKKeyVersion` - -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKUserAssignedIdentityResourceId` - -User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `configurations` The configurations to create in the server. 
@@ -661,6 +630,48 @@ The mode to create a new PostgreSQL server. ] ``` +### Parameter: `customerManagedKey` + +The customer managed key definition. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVaultResourceId` + +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. + +- Required: No +- Type: string + +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Required. User assigned identity to use when fetching the customer managed key. + +- Required: Yes +- Type: string + ### Parameter: `databases` The databases to create in the server. diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index 84bb983ea8..e8457897dd 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep 
+++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -113,17 +113,8 @@ param createMode string = 'Default' @description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.') param managedIdentities managedIdentitiesType -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if \'cMKKeyName\' is not empty.') -param cMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType @description('Optional. Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled".') param maintenanceWindow object = {} 
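Review bot: The context line `@description('Conditional. The managed identity definition for this resource. Required if \'cMKKeyName\' is not empty.')` at the top of this hunk still names `cMKKeyName`, which the hunk removes; the MySQL counterpart in this commit was updated, so the PostgreSQL one looks like an oversight, and the regenerated README table inherits the stale text. Suggest `@description('Conditional. The managed identity definition for this resource. Required if \'customerManagedKey\' is not empty.')`.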
@@ -193,15 +184,20 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) +} + resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { name: name location: location 
@@ -225,9 +221,9 @@ resource flexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' =
       geoRedundantBackup: geoRedundantBackup
     }
     createMode: createMode
-    dataEncryption: !empty(cMKKeyName) ? {
-      primaryKeyURI: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
-      primaryUserAssignedIdentityId: cMKUserAssignedIdentityResourceId
+    dataEncryption: !empty(customerManagedKey) ? {
+      primaryKeyURI: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion
+      primaryUserAssignedIdentityId: cMKUserAssignedIdentity.id
       type: 'AzureKeyVault'
     } : null
     highAvailability: {
@@ -442,3 +438,17 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+  @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+  keyVaultResourceId: string
+
+  @description('Required. The name of the customer managed key to use for encryption.')
+  keyName: string
+
+  @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+  keyVersion: string?
+
+  @description('Required. User assigned identity to use when fetching the customer managed key.')
+  userAssignedIdentityResourceId: string
+}?
diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json
index 74d5498241..f6629db5f8 100644
--- a/modules/db-for-postgre-sql/flexible-server/main.json
+++ b/modules/db-for-postgre-sql/flexible-server/main.json
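Review bot: The `keyVersion` description in the new `customerManagedKeyType` says "If not provided, using 'latest'", but the `primaryKeyURI` fallback is `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, i.e. the version current at deployment time is resolved and written into the server as a fixed, versioned URI — so the server will presumably keep using that version after a key rotation until the module is redeployed, which is a real difference for anyone planning rotation. The description should say what the code does: `@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the key version current at deployment time is resolved and pinned; redeploy to pick up a rotated key.')`. When a version is supplied it is concatenated into the URI unchecked (`'${...keyUri}/${customerManagedKey!.keyVersion}'`), so a typo only surfaces as a deployment failure; a short note on the `keyVersion` field that the value must be an existing version identifier of `keyName` would save a round-trip.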
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "2281015287111582702" + "templateHash": "4208024557828977061" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", @@ -224,6 +224,37 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Required. User assigned identity to use when fetching the customer managed key." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -404,32 +435,10 @@ "description": "Conditional. The managed identity definition for this resource. Required if 'cMKKeyName' is not empty." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if 'cMKKeyName' is not empty." + "description": "Optional. The customer managed key definition." } }, "maintenanceWindow": { 
@@ -535,13 +544,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -561,13 +570,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "flexibleServer": { "type": "Microsoft.DBforPostgreSQL/flexibleServers", 
@@ -594,7 +612,7 @@ "geoRedundantBackup": "[parameters('geoRedundantBackup')]" }, "createMode": "[parameters('createMode')]", - "dataEncryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('primaryKeyURI', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', parameters('cMKUserAssignedIdentityResourceId'), 'type', 'AzureKeyVault'), null())]", + "dataEncryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('primaryKeyURI', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'primaryUserAssignedIdentityId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), 'type', 'AzureKeyVault'), null())]", "highAvailability": { "mode": "[parameters('highAvailability')]", "standbyAvailabilityZone": "[if(equals(parameters('highAvailability'), 'SameZone'), parameters('availabilityZone'), null())]" @@ -609,7 +627,8 @@ "version": "[parameters('version')]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "flexibleServer_lock": { diff --git a/modules/event-hub/namespace/.test/encr/main.test.bicep b/modules/event-hub/namespace/.test/encr/main.test.bicep index ce45fd552e..b81e59b56c 100644 --- a/modules/event-hub/namespace/.test/encr/main.test.bicep 
+++ b/modules/event-hub/namespace/.test/encr/main.test.bicep @@ -68,9 +68,11 @@ module testDeployment '../../main.bicep' = { nestedDependencies.outputs.managedIdentityResourceId ] } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } requireInfrastructureEncryption: true } } diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index b231ea9619..1329fdd23e 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -449,9 +449,11 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { // Required parameters name: 'ehnenc001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { systemAssigned: false @@ -488,14 +490,12 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "value": "ehnenc001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" 
@@ -685,20 +685,12 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | :-- | :-- | :-- | | [`name`](#parameter-name) | string | The name of the event hub namespace. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Event Hub namespace. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Event Hubs namespace. | | [`disasterRecoveryConfig`](#parameter-disasterrecoveryconfig) | object | The disaster recovery config for this namespace. | 
@@ -740,33 +732,47 @@ Authorization Rules for the Event Hub namespace. ] ``` -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. 
If not provided, using 'latest'. -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty. - Required: No - Type: string -- Default: `''` ### Parameter: `diagnosticSettings` diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index bc4eb48806..03215a757f 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep 
@@ -83,17 +83,8 @@ param lock lockType
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
 
-@description('Optional. The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster.')
-param cMKKeyName string = ''
-
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if "cMKKeyName" is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
-param cMKKeyVersion string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if "cMKKeyName" is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
+@description('Optional. The customer managed key definition.')
+param customerManagedKey customerManagedKeyType
 
 @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = false
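Review bot: The replacement description `'Optional. The customer managed key definition.'` loses two constraints that the removed parameter descriptions documented and that still apply to the same setting: that customer-managed key encryption at rest is only available for premium-SKU namespaces or namespaces in a Dedicated Cluster (from the old `cMKKeyName` text), and that the identity used to fetch the key needs key usage permissions on the Key Vault key (from the old `cMKUserAssignedIdentityResourceId` text). Both are preconditions a deployer discovers only as a failed deployment if they are not written down, so they should be carried over: `@description('Optional. The customer managed key definition. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster; the identity used to fetch the key must have key usage permissions on the Key Vault key.')`.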
@@ -135,15 +126,20 @@ var builtInRoleNames = {
   'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
-  name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
-  scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+  name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+  scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
 
-  resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
-    name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+  resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+    name: customerManagedKey.?keyName ?? 'dummyKey'
   }
 }
 
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+  name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+  scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
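Review bot: The `'dummyVault'`, `'dummyKey'` and `'dummyMsi'` fallbacks in the new `existing` lookups have no explanation, and the `'//'`/`'////'` placeholders fed to `resourceGroup(...)` look like a bug to anyone not already familiar with this pattern; add above `resource cMKKeyVault`: `// Fallback values only keep these expressions well-formed when customerManagedKey is null; the conditions guarantee no lookup is attempted in that case.` The nested `cMKKey` condition re-tests `!empty(customerManagedKey.?keyVaultResourceId)` although the enclosing `cMKKeyVault` condition already requires it, so `if (!empty(customerManagedKey.?keyName))` expresses the same intent without the duplication.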
@@ -168,16 +164,16 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' =
   }
   properties: {
     disableLocalAuth: disableLocalAuth
-    encryption: !empty(cMKKeyName) ? {
+    encryption: !empty(customerManagedKey) ? {
       keySource: 'Microsoft.KeyVault'
       keyVaultProperties: [
         {
-          identity: !empty(cMKUserAssignedIdentityResourceId) ? {
-            userAssignedIdentity: cMKUserAssignedIdentityResourceId
+          identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
+            userAssignedIdentity: cMKUserAssignedIdentity.id
           } : null
-          keyName: cMKKeyName
+          keyName: customerManagedKey!.keyName
           keyVaultUri: cMKKeyVault.properties.vaultUri
-          keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
+          keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
         }
       ]
       requireInfrastructureEncryption: requireInfrastructureEncryption
@@ -497,3 +493,17 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+  @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+  keyVaultResourceId: string
+
+  @description('Required. The name of the customer managed key to use for encryption.')
+  keyName: string
+
+  @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+  keyVersion: string?
+
+  @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+  userAssignedIdentityResourceId: string?
+}?
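Review bot: When `userAssignedIdentityResourceId` is omitted, `identity` is emitted as `null`, and the new type's description says this is only valid "if no system assigned identity is available for use" — yet nothing in the template checks that the namespace's `managedIdentities.systemAssigned` (declared outside this hunk) is actually enabled, so a `customerManagedKey` with neither identity would presumably be rejected only by the service at deployment time, after the key vault and key lookups have already run. At minimum the `customerManagedKey` description should make the coupling explicit: `@description('Optional. The customer managed key definition. If no userAssignedIdentityResourceId is given, managedIdentities.systemAssigned must be enabled and granted access to the key.')`. The `keyVersion` wording "using 'latest'" also does not match the fallback `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))`, which pins the version current at deployment time rather than tracking rotation; a description along the lines of "If not provided, the key version current at deployment time is resolved and pinned" is accurate. The `eventHubNamespace` resource body continues outside this hunk.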
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index eebb91f004..77fb4e08c5 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "6601963948564613336" + "templateHash": "14574780137698539874" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -407,6 +407,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -554,32 +586,10 @@ "description": "Optional. The managed identity definition for this resource." } }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption. Customer-managed key encryption at rest is only available for namespaces of premium SKU or namespaces created in a Dedicated Cluster." - } - }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \"cMKKeyName\" is not empty." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. The identity should have key usage permissions on the Key Vault Key. Required if \"cMKKeyName\" is not empty." + "description": "Optional. The customer managed key definition." } }, "requireInfrastructureEncryption": { 
@@ -642,25 +652,34 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), 
parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -690,7 +709,7 @@ }, "properties": { "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]", "isAutoInflateEnabled": 
"[parameters('isAutoInflateEnabled')]", "kafkaEnabled": "[parameters('kafkaEnabled')]", "maximumThroughputUnits": "[variables('maximumThroughputUnitsVar')]", @@ -699,7 +718,8 @@ "zoneRedundant": "[parameters('zoneRedundant')]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "eventHubNamespace_roleAssignments": { diff --git a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep index 495c4a1b1e..784f07e453 100644 --- a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep +++ b/modules/machine-learning-services/workspace/.test/encr/main.test.bicep @@ -61,9 +61,11 @@ module testDeployment '../../main.bicep' = { associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId sku: 'Basic' - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId privateEndpoints: [ { diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 3dc1a08e10..c52e09855d 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md 
@@ -304,9 +304,11 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = name: 'mlswecr001' sku: 'Basic' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { systemAssigned: false @@ -367,14 +369,12 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "value": "Basic" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" @@ -509,7 +509,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | Parameter | Type | Description | | :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | | [`primaryUserAssignedIdentity`](#parameter-primaryuserassignedidentity) | string | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | **Optional parameters** 
@@ -518,10 +517,8 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | :-- | :-- | :-- | | [`allowPublicAccessWhenBehindVnet`](#parameter-allowpublicaccesswhenbehindvnet) | bool | The flag to indicate whether to allow public access when behind VNet. | | [`associatedContainerRegistryResourceId`](#parameter-associatedcontainerregistryresourceid) | string | The resource ID of the associated Container Registry. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | [`computes`](#parameter-computes) | array | Computes to create respectively attach to the workspace. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`description`](#parameter-description) | string | The description of this workspace. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`discoveryUrl`](#parameter-discoveryurl) | string | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | 
@@ -570,40 +567,54 @@ The resource ID of the associated Storage Account. - Required: Yes - Type: string -### Parameter: `cMKKeyName` +### Parameter: `computes` -The name of the customer managed key to use for encryption. +Computes to create respectively attach to the workspace. - Required: No -- Type: string -- Default: `''` +- Type: array +- Default: `[]` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVaultResourceId` -The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. 
+ +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. - Required: No - Type: string -- Default: `''` -### Parameter: `computes` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -Computes to create respectively attach to the workspace. - Required: No -- Type: array -- Default: `[]` +- Type: string ### Parameter: `description` diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 61a0422c1d..8225693123 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep 
@@ -72,17 +72,8 @@ param description string = '' @sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.') param discoveryUrl string = '' -@sys.description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKKeyVaultResourceId string = '' - -@sys.description('Optional. The name of the customer managed key to use for encryption.') -param cMKKeyName string = '' - -@sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@sys.description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') -param cMKUserAssignedIdentityResourceId string = '' +@sys.description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' 
@@ -143,15 +134,20 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) +} + resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' = { name: name location: location 
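Review bot: The `?? '//'` / `?? '////'` / `?? 'dummyVault'` fallbacks in the new `name:` and `scope:` lines of `cMKKeyVault` and `cMKUserAssignedIdentity` only cover a null value, whereas the removed `!empty(x) ? x : '//'` form also covered an empty string; if a caller passes `keyVaultResourceId: ''` (the shape the README usage examples in this commit show), the resource is conditioned out but, as far as I can tell, ARM still evaluates its expressions, so `split('', '/')[2]` would fail at deployment time — that is presumably why the old dummy values existed, and it is worth a test. A form that keeps the old guarantee is `scope: resourceGroup(split((!empty(customerManagedKey.?keyVaultResourceId) ? customerManagedKey!.keyVaultResourceId : '//'), '/')[2], split((!empty(customerManagedKey.?keyVaultResourceId) ? customerManagedKey!.keyVaultResourceId : '////'), '/')[4])`, applied likewise to the `name:` lines and to the identity resource; the corresponding hunk in modules/service-bus/namespace/main.bicep (@@ -152,15 +143,20 @@) has the identical pattern. Separately, the nested `cMKKey` condition now repeats the parent's `!empty(customerManagedKey.?keyVaultResourceId)` guard; Bicep already ANDs the parent condition into the child (the previous compiled main.json shows this), so `if (!empty(customerManagedKey.?keyName))` is enough and avoids the duplicated term now visible in main.json. `resource workspace` continues outside the hunk.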
@@ -171,14 +167,14 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2022-10-01' = { allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet description: description discoveryUrl: discoveryUrl - encryption: !empty(cMKKeyName) ? { + encryption: !empty(customerManagedKey) ? { status: 'Enabled' - identity: !empty(cMKUserAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentityResourceId + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { + userAssignedIdentity: cMKUserAssignedIdentity.id } : null keyVaultProperties: { - keyVaultArmId: cMKKeyVaultResourceId - keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + keyVaultArmId: cMKKeyVault.id + keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion } } : null imageBuildCompute: imageBuildCompute @@ -440,3 +436,17 @@ type diagnosticSettingType = { @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @sys.description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @sys.description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @sys.description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? 
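Review bot: The `keyIdentifier:` line resolves `cMKKeyVault::cMKKey.properties.keyUriWithVersion` when no `keyVersion` is given, which pins the key version that is current at deployment time into the workspace; the new `customerManagedKeyType.keyVersion` description in the second hunk (@@ -440,3 +436,17 @@) says "If not provided, using 'latest'", which readers will take to mean the workspace follows key rotation, and from this code it does not until the module is redeployed. Suggest `@sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, the key version current at deployment time is resolved and pinned; redeploy to pick up a rotated key.')`, with the same wording in the README parameter table. Note also that `cMKUserAssignedIdentity.id` compiles to an `extensionResourceId(...)` rebuilt from the input string (see the main.json hunk in this commit), so it is not an existence check; the identity still has to be one the workspace holds and one with get/wrap/unwrap access on the vault, which the description of `userAssignedIdentityResourceId` could state. `resource workspace` starts before and continues after the first hunk.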
diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index 03013e4d23..d31ece6308 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "8299613323505664553" + "templateHash": "308162699302204935" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -385,6 +385,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -520,32 +552,10 @@ "description": "Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first." + "description": "Optional. The customer managed key definition." } }, "imageBuildCompute": { 
@@ -607,13 +617,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -633,13 +643,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "workspace": { "type": "Microsoft.MachineLearningServices/workspaces", 
@@ -662,7 +681,7 @@ "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]", "description": "[parameters('description')]", "discoveryUrl": "[parameters('discoveryUrl')]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('status', 'Enabled', 'identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyVaultProperties', createObject('keyVaultArmId', parameters('cMKKeyVaultResourceId'), 'keyIdentifier', if(not(empty(parameters('cMKKeyVersion'))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('cMKKeyVersion')), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('status', 'Enabled', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyVaultProperties', createObject('keyVaultArmId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), 'keyIdentifier', 
if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null())]", "imageBuildCompute": "[parameters('imageBuildCompute')]", "primaryUserAssignedIdentity": "[parameters('primaryUserAssignedIdentity')]", "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", @@ -670,7 +689,8 @@ "sharedPrivateLinkResources": "[parameters('sharedPrivateLinkResources')]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "workspace_lock": { diff --git a/modules/service-bus/namespace/.test/encr/main.test.bicep b/modules/service-bus/namespace/.test/encr/main.test.bicep index e1f3da9f89..961376bee9 100644 --- a/modules/service-bus/namespace/.test/encr/main.test.bicep +++ b/modules/service-bus/namespace/.test/encr/main.test.bicep @@ -106,9 +106,11 @@ module testDeployment '../../main.bicep' = { nestedDependencies.outputs.managedIdentityResourceId ] } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 76336df69c..bd23507761 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md 
@@ -462,9 +462,11 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] } ] - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { systemAssigned: false @@ -545,14 +547,12 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { } ] }, - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" 
@@ -763,21 +763,13 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Service Bus Namespace. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | | [`alternateName`](#parameter-alternatename) | string | Alternate name for namespace. | | [`authorizationRules`](#parameter-authorizationrules) | array | Authorization Rules for the Service Bus namespace. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAuth`](#parameter-disablelocalauth) | bool | This property disables SAS authentication for the Service Bus namespace. | | [`disasterRecoveryConfigs`](#parameter-disasterrecoveryconfigs) | object | The disaster recovery configuration. | 
@@ -826,33 +818,47 @@ Authorization Rules for the Service Bus namespace. ] ``` -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
-The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. - Required: No - Type: string -- Default: `''` ### Parameter: `diagnosticSettings` diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index ad86360a7d..612cabf621 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep 
@@ -105,17 +105,8 @@ param queues array = [] @description('Optional. The topics to create in the service bus namespace.') param topics array = [] -@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.') -param cMKKeyName string = '' - -@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') -param cMKKeyVersion string = '' - -@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') -param cMKUserAssignedIdentityResourceId string = '' +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.') param requireInfrastructureEncryption bool = true 
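Review bot: The new `@description('Optional. The customer managed key definition.')` drops the sentence the removed `cMKKeyName` description carried — "If not provided, encryption is automatically enabled with a Microsoft-managed key." — which is the one fact a reader of this parameter needs in order to decide whether to set it; suggest `@description('Optional. The customer managed key definition. If not provided, encryption is automatically enabled with a Microsoft-managed key.')`. The unchanged `requireInfrastructureEncryption` description in the hunk's trailing context still says CMK is configured "via the corresponding module parameters", which no longer describes the single object parameter; naming `customerManagedKey` there keeps the cross-reference accurate after the rename.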
@@ -152,15 +143,20 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))! - scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4]) +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) - resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) { - name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey' + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' } } +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]) +} + resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { name: name location: location 
@@ -177,16 +173,16 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview zoneRedundant: zoneRedundant disableLocalAuth: disableLocalAuth premiumMessagingPartitions: skuName == 'Premium' ? premiumMessagingPartitions : 0 - encryption: !empty(cMKKeyName) ? { + encryption: !empty(customerManagedKey) ? { keySource: 'Microsoft.KeyVault' keyVaultProperties: [ { - identity: !empty(cMKUserAssignedIdentityResourceId) ? { - userAssignedIdentity: cMKUserAssignedIdentityResourceId + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? { + userAssignedIdentity: cMKUserAssignedIdentity.id } : null - keyName: cMKKeyName + keyName: customerManagedKey!.keyName keyVaultUri: cMKKeyVault.properties.vaultUri - keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) + keyVersion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } ] requireInfrastructureEncryption: requireInfrastructureEncryption @@ -543,3 +539,17 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? 
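Review bot: The `keyVersion:` line falls back to `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))`, so the namespace is always configured with an explicit key version pinned at deployment time, while the type description in the second hunk (@@ -543,3 +539,17 @@) says "If not provided, using 'latest'". As I understand the Service Bus Premium CMK API, leaving `keyVersion` unset is what lets the namespace track the latest key version on its own (automatic rotation), so the current fallback silently opts the namespace out of rotation until the next deployment. Either the description should say the version is resolved and pinned at deployment time, or, if 'latest' is the intent, the fallback could become `keyVersion: customerManagedKey.?keyVersion ?? ''` — that change needs verifying against the namespace API before it is adopted. `resource serviceBusNamespace` starts before and continues after the first hunk.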
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index dcf89241ef..eaf0ce5f14 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17643203096817666176" + "templateHash": "17171509116984372740" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", @@ -407,6 +407,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -599,32 +631,10 @@ "description": "Optional. The topics to create in the service bus namespace." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first." + "description": "Optional. The customer managed key definition." } }, "requireInfrastructureEncryption": { 
@@ -652,13 +662,13 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] 
@@ -678,13 +688,22 @@ } }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "serviceBusNamespace": { "type": "Microsoft.ServiceBus/namespaces", 
@@ -704,10 +723,11 @@ "zoneRedundant": "[parameters('zoneRedundant')]", "disableLocalAuth": "[parameters('disableLocalAuth')]", "premiumMessagingPartitions": "[if(equals(parameters('skuName'), 'Premium'), parameters('premiumMessagingPartitions'), 0)]", - "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keyName', parameters('cMKKeyName'), 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createArray(createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyName', parameters('customerManagedKey').keyName, 'keyVaultUri', reference('cMKKeyVault').vaultUri, 'keyVersion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, 
'/'))))), 'requireInfrastructureEncryption', parameters('requireInfrastructureEncryption')), null())]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "serviceBusNamespace_lock": { diff --git a/modules/storage/storage-account/.test/encr/main.test.bicep b/modules/storage/storage-account/.test/encr/main.test.bicep index 8a298cdee5..9dc1ac8fc8 100644 --- a/modules/storage/storage-account/.test/encr/main.test.bicep +++ b/modules/storage/storage-account/.test/encr/main.test.bicep @@ -99,9 +99,11 @@ module testDeployment '../../main.bicep' = { nestedDependencies.outputs.managedIdentityResourceId ] } - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index b1cece3b7a..01647f91e5 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -696,9 +696,11 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { restorePolicyDays: 8 restorePolicyEnabled: true } - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' managedIdentities: { systemAssigned: false 
@@ -774,14 +776,12 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "restorePolicyEnabled": true } }, - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" @@ -1122,8 +1122,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`accessTier`](#parameter-accesstier) | string | Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | | [`enableHierarchicalNamespace`](#parameter-enablehierarchicalnamespace) | bool | If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. | **Optional parameters** 
@@ -1136,10 +1134,9 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`allowSharedKeyAccess`](#parameter-allowsharedkeyaccess) | bool | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | | [`azureFilesIdentityBasedAuthentication`](#parameter-azurefilesidentitybasedauthentication) | object | Provides the identity based authentication settings for Azure Files. | | [`blobServices`](#parameter-blobservices) | object | Blob service and containers to deploy. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| [`cMKKeyVersion`](#parameter-cmkkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | [`customDomainName`](#parameter-customdomainname) | string | Sets the custom domain name assigned to the storage account. Name is the CNAME source. | | [`customDomainUseSubDomainName`](#parameter-customdomainusesubdomainname) | bool | Indicates whether indirect CName validation is enabled. This should only be set on updates. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`defaultToOAuthAuthentication`](#parameter-defaulttooauthauthentication) | bool | A boolean flag which indicates whether the default authentication is OAuth or not. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`dnsEndpointType`](#parameter-dnsendpointtype) | string | Allows you to specify the type of endpoint. 
Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. | 
@@ -1233,47 +1230,61 @@ Blob service and containers to deploy. - Type: object - Default: `{}` -### Parameter: `cMKKeyName` +### Parameter: `customDomainName` -The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. +Sets the custom domain name assigned to the storage account. Name is the CNAME source. - Required: No - Type: string - Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customDomainUseSubDomainName` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. +Indicates whether indirect CName validation is enabled. This should only be set on updates. - Required: No -- Type: string -- Default: `''` +- Type: bool +- Default: `False` -### Parameter: `cMKKeyVersion` +### Parameter: `customerManagedKey` -The version of the customer managed key to reference for encryption. If not provided, latest is used. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. 
The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `customDomainName` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -Sets the custom domain name assigned to the storage account. Name is the CNAME source. - Required: No - Type: string -- Default: `''` -### Parameter: `customDomainUseSubDomainName` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -Indicates whether indirect CName validation is enabled. This should only be set on updates. - Required: No -- Type: bool -- Default: `False` +- Type: string ### Parameter: `defaultToOAuthAuthentication` diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index 0bdcd02d3a..606556391a 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep 
@@ -160,17 +160,8 @@ param publicNetworkAccess string = ''
 @description('Optional. Allows HTTPS traffic only to storage service if sets to true.')
 param supportsHttpsTrafficOnly bool = true
 
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
-param cMKKeyName string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.')
-param cMKKeyVersion string = ''
+@description('Optional. The customer managed key definition.')
+param customerManagedKey customerManagedKeyType
 
 @description('Optional. The SAS expiration period. DD.HH:MM:SS.')
 param sasExpirationPeriod string = ''
@@ -224,9 +215,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
-  name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
-  scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+  name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+  scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
+
+  resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+    name: customerManagedKey.?keyName ?? 'dummyKey'
+  }
+}
+
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+  name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+  scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
 }
 
 resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
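Review bot: The new nested `cMKKeyVault::cMKKey` existing resource is dereferenced by the storage account's `keyversion` fallback (the generated main.json shows `reference('cMKKeyVault::cMKKey').keyUriWithVersion`), so a deployment that omits `keyVersion` now needs control-plane read on the key resource itself (as far as I can tell, `Microsoft.KeyVault/vaults/keys/read`), whereas the previous template only read the vault's `vaultUri`. That is a new permission requirement for whatever principal runs the module and is worth stating in the `customerManagedKey` description or the README so deployment identities can be scoped before the change lands. The `cMKUserAssignedIdentity` resource does not add a comparable requirement, since `.id` compiles to `extensionResourceId(...)` rather than a `reference()`.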
@@ -250,7 +250,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
     dnsEndpointType: !empty(dnsEndpointType) ? dnsEndpointType : null
     isLocalUserEnabled: isLocalUserEnabled
     encryption: {
-      keySource: !empty(cMKKeyName) ? 'Microsoft.Keyvault' : 'Microsoft.Storage'
+      keySource: !empty(customerManagedKey) ? 'Microsoft.Keyvault' : 'Microsoft.Storage'
       services: {
         blob: supportsBlobService ? {
           enabled: true
@@ -266,13 +266,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
         }
       }
       requireInfrastructureEncryption: kind != 'Storage' ? requireInfrastructureEncryption : null
-      keyvaultproperties: !empty(cMKKeyName) ? {
-        keyname: cMKKeyName
-        keyvaulturi: keyVault.properties.vaultUri
-        keyversion: !empty(cMKKeyVersion) ? cMKKeyVersion : null
+      keyvaultproperties: !empty(customerManagedKey) ? {
+        keyname: customerManagedKey!.keyName
+        keyvaulturi: cMKKeyVault.properties.vaultUri
+        keyversion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
       } : null
-      identity: !empty(cMKKeyName) ? {
-        userAssignedIdentity: cMKUserAssignedIdentityResourceId
+      identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
+        userAssignedIdentity: cMKUserAssignedIdentity.id
       } : null
     }
     accessTier: kind != 'Storage' ? accessTier : null
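Review bot: The `keyversion` fallback in the second hunk changes what happens when `keyVersion` is omitted: the old line passed `null`, which is how Azure Storage is told to follow the latest key version automatically, while `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))` pins whichever version exists at deployment time, so a later rotation in Key Vault is not picked up until the module is redeployed. If automatic rotation is the intended default (the type's description says 'latest'), keep `keyversion: !empty(customerManagedKey.?keyVersion ?? '') ? customerManagedKey!.keyVersion : null` and drop the key lookup; if pinning is intended, the description should say that explicitly. Separately, `identity` is now `null` whenever `userAssignedIdentityResourceId` is omitted, which silently relies on the account's system-assigned identity being enabled and granted access to the key; nothing in this hunk checks the `managedIdentities.systemAssigned` input the README example shows, so that combination only fails at deployment rather than at validation. The `storageAccount` resource begins and ends outside this hunk.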
@@ -615,3 +615,17 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+  @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+  keyVaultResourceId: string
+
+  @description('Required. The name of the customer managed key to use for encryption.')
+  keyName: string
+
+  @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+  keyVersion: string?
+
+  @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+  userAssignedIdentityResourceId: string?
+}?
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index 91ade8e95f..ec2df4dff2 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@
   "_generator": {
     "name": "bicep",
     "version": "0.22.6.54827",
-    "templateHash": "12032978716554990629"
+    "templateHash": "3909379204431877149"
   },
   "name": "Storage Accounts",
   "description": "This module deploys a Storage Account.",
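Review bot: `keyVaultResourceId` and `keyName` are declared as plain `string`, so an empty string still satisfies the type; with the `?? 'dummyVault'` / `?? 'dummyKey'` fallbacks in the resources hunk earlier in this file, a caller passing `keyName: ''` (the shape the README example shows) resolves to a non-existent key and fails late at the `keyUriWithVersion` read instead of at template validation. Adding `@minLength(1)` above `keyVaultResourceId: string` and above `keyName: string` would reject that input up front. The `keyVersion` description `If not provided, using 'latest'` is also ambiguous about whether the version is tracked as keys rotate or resolved once at deployment; suggest `Optional. The version of the customer managed key to reference for encryption. If not provided, the version that is current at deployment time is used.` or the equivalent sentence for whichever behaviour the module settles on.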
@@ -380,6 +380,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -683,32 +715,10 @@ "description": "Optional. Allows HTTPS traffic only to storage service if sets to true." } }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used." + "description": "Optional. The customer managed key definition." } }, "sasExpirationPeriod": { 
@@ -751,6 +761,18 @@ } }, "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", 
@@ -765,14 +787,23 @@ } } }, - "keyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "storageAccount": { "type": "Microsoft.Storage/storageAccounts", 
@@ -797,7 +828,7 @@ "dnsEndpointType": "[if(not(empty(parameters('dnsEndpointType'))), parameters('dnsEndpointType'), null())]", "isLocalUserEnabled": "[parameters('isLocalUserEnabled')]", "encryption": { - "keySource": "[if(not(empty(parameters('cMKKeyName'))), 'Microsoft.Keyvault', 'Microsoft.Storage')]", + "keySource": "[if(not(empty(parameters('customerManagedKey'))), 'Microsoft.Keyvault', 'Microsoft.Storage')]", "services": { "blob": "[if(variables('supportsBlobService'), createObject('enabled', true()), null())]", "file": "[if(variables('supportsFileService'), createObject('enabled', true()), null())]", 
@@ -809,8 +840,8 @@ } }, "requireInfrastructureEncryption": "[if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())]", - "keyvaultproperties": "[if(not(empty(parameters('cMKKeyName'))), createObject('keyname', parameters('cMKKeyName'), 'keyvaulturi', reference('keyVault').vaultUri, 'keyversion', if(not(empty(parameters('cMKKeyVersion'))), parameters('cMKKeyVersion'), null())), null())]", - "identity": "[if(not(empty(parameters('cMKKeyName'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null())]" + "keyvaultproperties": "[if(not(empty(parameters('customerManagedKey'))), createObject('keyname', parameters('customerManagedKey').keyName, 'keyvaulturi', reference('cMKKeyVault').vaultUri, 'keyversion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/')))), null())]", + "identity": "[if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null())]" }, "accessTier": "[if(not(equals(parameters('kind'), 'Storage')), parameters('accessTier'), null())]", "sasPolicy": "[if(not(empty(parameters('sasExpirationPeriod'))), createObject('expirationAction', 'Log', 'sasExpirationPeriod', parameters('sasExpirationPeriod')), null())]", 
@@ -826,7 +857,8 @@ "azureFilesIdentityBasedAuthentication": "[if(not(empty(parameters('azureFilesIdentityBasedAuthentication'))), parameters('azureFilesIdentityBasedAuthentication'), null())]" }, "dependsOn": [ - "keyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "storageAccount_diagnosticSettings": { diff --git a/modules/synapse/workspace/.test/encrwsai/main.test.bicep b/modules/synapse/workspace/.test/encrwsai/main.test.bicep index 31ef9e1a20..4c019dad24 100644 --- a/modules/synapse/workspace/.test/encrwsai/main.test.bicep +++ b/modules/synapse/workspace/.test/encrwsai/main.test.bicep @@ -56,10 +56,10 @@ module testDeployment '../../main.bicep' = { defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName sqlAdministratorLogin: 'synwsadmin' - encryption: true - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKUseSystemAssignedIdentity: true + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + } encryptionActivateWorkspace: true enableDefaultTelemetry: enableDefaultTelemetry } diff --git a/modules/synapse/workspace/.test/encrwuai/main.test.bicep b/modules/synapse/workspace/.test/encrwuai/main.test.bicep index 85911c61ec..f9da575edc 100644 --- a/modules/synapse/workspace/.test/encrwuai/main.test.bicep +++ b/modules/synapse/workspace/.test/encrwuai/main.test.bicep 
@@ -57,10 +57,11 @@ module testDeployment '../../main.bicep' = { defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName sqlAdministratorLogin: 'synwsadmin' - encryption: true - cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - cMKKeyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index d51d7c2797..903f30470b 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -226,11 +226,11 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: 'swensa001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUseSystemAssignedIdentity: true + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + } enableDefaultTelemetry: '' - encryption: true encryptionActivateWorkspace: true } } @@ -262,21 +262,15 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "synwsadmin" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUseSystemAssignedIdentity": { - "value": true + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" }, - "encryption": { - "value": true - }, "encryptionActivateWorkspace": { "value": true } 
@@ -303,11 +297,12 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { name: 'swenua001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' - encryption: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -343,21 +338,16 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "synwsadmin" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" }, - "encryption": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -529,25 +519,16 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`name`](#parameter-name) | string | The name of the Synapse Workspace. | | [`sqlAdministratorLogin`](#parameter-sqladministratorlogin) | string | Login for administrator access to the workspace's SQL pools. | -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`cMKKeyVaultResourceId`](#parameter-cmkkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | | [`allowedAadTenantIdsForLinking`](#parameter-allowedaadtenantidsforlinking) | array | Allowed AAD Tenant IDs For Linking. | | [`azureADOnlyAuthentication`](#parameter-azureadonlyauthentication) | bool | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. | -| [`cMKKeyName`](#parameter-cmkkeyname) | string | The name of the customer managed key to use for encryption. | -| [`cMKUserAssignedIdentityResourceId`](#parameter-cmkuserassignedidentityresourceid) | string | The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | -| [`cMKUseSystemAssignedIdentity`](#parameter-cmkusesystemassignedidentity) | bool | Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`defaultDataLakeStorageCreateManagedPrivateEndpoint`](#parameter-defaultdatalakestoragecreatemanagedprivateendpoint) | bool | Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. 
This must be approved by an owner of the storage account. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`encryption`](#parameter-encryption) | bool | Double encryption using a customer-managed key. | | [`encryptionActivateWorkspace`](#parameter-encryptionactivateworkspace) | bool | Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. | | [`initialWorkspaceAdminObjectID`](#parameter-initialworkspaceadminobjectid) | string | AAD object ID of initial workspace admin. | | [`integrationRuntimes`](#parameter-integrationruntimes) | array | The Integration Runtimes to create. | 
@@ -580,33 +561,47 @@ Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. - Type: bool - Default: `False` -### Parameter: `cMKKeyName` +### Parameter: `customerManagedKey` -The name of the customer managed key to use for encryption. +The customer managed key definition. - Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKKeyVaultResourceId` +### Parameter: `customerManagedKey.keyVaultResourceId` -The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `cMKUserAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` + +Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
-The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault. - Required: No - Type: string -- Default: `''` -### Parameter: `cMKUseSystemAssignedIdentity` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. -Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault. - Required: No -- Type: bool -- Default: `False` +- Type: string ### Parameter: `defaultDataLakeStorageAccountResourceId` @@ -729,13 +724,6 @@ Enable telemetry via a Globally Unique Identifier (GUID). - Type: bool - Default: `True` -### Parameter: `encryption` - -Double encryption using a customer-managed key. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `encryptionActivateWorkspace` Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index 59e663a007..2221af30c0 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md @@ -22,6 +22,7 @@ This module deploys a Synapse Workspaces Key. | Parameter | Type | Description | | :-- | :-- | :-- | | [`isActiveCMK`](#parameter-isactivecmk) | bool | Used to activate the workspace after a customer managed key is provided. | +| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | | [`name`](#parameter-name) | string | Encryption key name. | **Conditional parameters** 
@@ -35,7 +36,6 @@ This module deploys a Synapse Workspaces Key. | Parameter | Type | Description | | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | ### Parameter: `enableDefaultTelemetry` @@ -54,9 +54,8 @@ Used to activate the workspace after a customer managed key is provided. ### Parameter: `keyVaultResourceId` The resource ID of a key vault to reference a customer managed key for encryption from. -- Required: No +- Required: Yes - Type: string -- Default: `''` ### Parameter: `location` diff --git a/modules/synapse/workspace/key/main.bicep b/modules/synapse/workspace/key/main.bicep index 7fd1bd0543..7ae64222fc 100644 --- a/modules/synapse/workspace/key/main.bicep +++ b/modules/synapse/workspace/key/main.bicep 
@@ -14,15 +14,19 @@ param location string = resourceGroup().location
 @description('Required. Used to activate the workspace after a customer managed key is provided.')
 param isActiveCMK bool
 
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
-param keyVaultResourceId string = ''
+@description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+param keyVaultResourceId string
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' existing = if (!empty(keyVaultResourceId)) {
- name: '${last(split(keyVaultResourceId, '/'))}/${name}'
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
+ name: last(split(keyVaultResourceId, '/'))
  scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
+
+ resource cMKKey 'keys@2023-02-01' existing = {
+ name: name
+ }
 }
 
 resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = {
@@ -34,7 +38,7 @@ resource key 'Microsoft.Synapse/workspaces/keys@2021-06-01' = {
  parent: workspace
  properties: {
  isActiveCMK: isActiveCMK
- keyVaultUrl: cMKKeyVaultKey.properties.keyUri
+ keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri
  }
 }
 
diff --git a/modules/synapse/workspace/key/main.json b/modules/synapse/workspace/key/main.json
index 7000d1e035..938863a640 100644
--- a/modules/synapse/workspace/key/main.json
+++ b/modules/synapse/workspace/key/main.json
@@ -5,7 +5,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.22.6.54827",
- "templateHash": "14713531383006172248"
+ "templateHash": "5952844918734432483"
  },
  "name": "Synapse Workspaces Keys",
  "description": "This module deploys a Synapse Workspaces Key.",
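Review bot: `keyVaultResourceId` is now mandatory but is consumed blind through `split(keyVaultResourceId, '/')[2]` and `[4]` in the `cMKKeyVault` scope, so a value that is not a full vault resource ID fails with an index error deep in the deployment rather than with a clear validation message; the parameter description should at least spell out the expected `/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/<NAME>` shape. The second hunk binds `keyVaultUrl` to `cMKKeyVault::cMKKey.properties.keyUri`, which is the versionless key identifier, so the workspace follows key rotation automatically; that is a defensible default but it is stated nowhere, so I would add `// versionless keyUri: the workspace follows key rotation; use keyUriWithVersion to pin one key version` above that line. `resource key` begins outside the hunk.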
@@ -39,9 +39,8 @@ }, "keyVaultResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. The resource ID of a key vault to reference a customer managed key for encryption from." + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." } }, "enableDefaultTelemetry": { @@ -59,7 +58,7 @@ "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", "properties": { "isActiveCMK": "[parameters('isActiveCMK')]", - "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '/')[0], split(format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '/')[1]), '2022-07-01').keyUri]" + "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '2023-02-01').keyUri]" } }, { diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 5b2eac3596..3eaad04764 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -28,20 +28,8 @@ param defaultDataLakeStorageFilesystem string
 @description('Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace\'s primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account.')
 param defaultDataLakeStorageCreateManagedPrivateEndpoint bool = false
 
-@description('Optional. Double encryption using a customer-managed key.')
-param encryption bool = false
-
-@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption.')
-param cMKKeyName string = ''
-
-@description('Optional. Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault.')
-param cMKUseSystemAssignedIdentity bool = false
-
-@description('Optional. The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault.')
-param cMKUserAssignedIdentityResourceId string = ''
+@description('Optional. The customer managed key definition.')
+param customerManagedKey customerManagedKeyType
 
 @description('Optional. Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace.')
 param encryptionActivateWorkspace bool = false
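Review bot: The description of `encryptionActivateWorkspace` at the end of the hunk does not say that it now depends on `customerManagedKey`, yet with the `encryption` switch removed the activation module (`module workspace_key` in the later main.bicep hunk) dereferences `customerManagedKey!.keyName` and `cMKKeyVault.id`, so enabling activation without a CMK object fails at deployment time with a null reference instead of a validation message. I would change the decorator to `@description('Optional. Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. Requires \'customerManagedKey\' to be set.')`. Likewise, supplying `customerManagedKey` is now what turns on double encryption, which the one-line description hides; `@description('Optional. The customer managed key definition. Supplying it enables double encryption of the workspace with the given key.')` makes the behavioural switch visible to callers reading the generated README.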
@@ -104,8 +92,8 @@ param privateEndpoints privateEndpointType
 param diagnosticSettings diagnosticSettingType
 
 // Variables
-var userAssignedIdentitiesUnion = union(userAssignedIdentities, !empty(cMKUserAssignedIdentityResourceId) ? {
- '${cMKUserAssignedIdentityResourceId}': {}
+var userAssignedIdentitiesUnion = union(userAssignedIdentities, !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? {
+ '${customerManagedKey!.userAssignedIdentityResourceId}': {}
 } : {})
 var identityType = !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
 
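Review bot: `?? []` on the right of `customerManagedKey.?userAssignedIdentityResourceId` coalesces a `string?` to an empty array only to satisfy `empty()`; it works, but it mixes types and reads like a slip, whereas `?? ''` expresses the same guard in the value's own type: `!empty(customerManagedKey.?userAssignedIdentityResourceId ?? '') ? {`. The non-null assertion `customerManagedKey!` on the following line is safe only because that guard precedes it, which is worth a short comment, e.g. `// the CMK identity is merged into the workspace identities, presumably so it can serve as kekIdentity below`.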
@@ -126,15 +114,20 @@ var builtInRoleNames = {
  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : 'dummyVault'), '/'))!
- scope: resourceGroup(split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '//'), '/')[2], split((!empty(cMKKeyVaultResourceId) ? cMKKeyVaultResourceId : '////'), '/')[4])
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+ name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+ scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4])
 
- resource cMKKey 'keys@2023-02-01' existing = if (!empty(cMKKeyName)) {
- name: !empty(cMKKeyName) ? cMKKeyName : 'dummyKey'
+ resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+ name: customerManagedKey.?keyName ?? 'dummyKey'
  }
 }
 
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+ name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+ scope: resourceGroup(split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4])
+}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
  properties: {
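Review bot: The condition on the nested `cMKKey` repeats `!empty(customerManagedKey.?keyVaultResourceId)` although Bicep already ANDs the parent's condition into the child (the compiled main.json later in this patch shows the doubled `not(empty(...keyVaultResourceId))`), so `existing = if (!empty(customerManagedKey.?keyName)) {` is sufficient and avoids suggesting the two lookups could be evaluated independently. On the new `cMKUserAssignedIdentity` resource, note that the workspace hunk below consumes only its `.id`, which the generated template turns into a plain `extensionResourceId(...)` string; the `existing` block therefore normalises the caller's identity ID but does not verify that the identity exists, so a comment such as `// used for its normalised .id only; existence is not checked at deployment` would keep the next reader from assuming it validates the input.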
@@ -163,15 +156,21 @@ resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
  filesystem: defaultDataLakeStorageFilesystem
  createManagedPrivateEndpoint: managedVirtualNetwork ? defaultDataLakeStorageCreateManagedPrivateEndpoint : null
  }
- encryption: encryption ? {
+ encryption: !empty(customerManagedKey) ? {
  cmk: {
- kekIdentity: {
- userAssignedIdentity: !empty(cMKUserAssignedIdentityResourceId) ? cMKUserAssignedIdentityResourceId : null
- useSystemAssignedIdentity: cMKUseSystemAssignedIdentity
+ kekIdentity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
+ userAssignedIdentity: cMKUserAssignedIdentity.id
+ } : {
+ useSystemAssignedIdentity: empty(customerManagedKey.?userAssignedIdentityResourceId)
  }
+
+ identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) ? {
+ userAssignedIdentity: cMKUserAssignedIdentity.id
+ } : null
+
  key: {
  keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri
- name: cMKKeyName
+ name: customerManagedKey!.keyName
  }
  }
  } : null
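Review bot: `keyVaultUrl: cMKKeyVault::cMKKey.properties.keyUri` always yields the versionless key identifier, so the `keyVersion` member declared by the new `customerManagedKeyType` (in the `type customerManagedKeyType` hunk further down, and mirrored in the generated main.json) is never read; a caller who pins a version for change control silently gets automatic roll-forward to whatever the latest key version is, the opposite of what the field's description promises. Either drop `keyVersion` from the type or honour it here, e.g. `keyVaultUrl: !empty(customerManagedKey.?keyVersion) ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUri`, assuming Synapse accepts a versioned key URL, which I have not verified from this patch. Separately, `useSystemAssignedIdentity: empty(customerManagedKey.?userAssignedIdentityResourceId)` is evaluated only in the branch where that expression is already known to be true, so `useSystemAssignedIdentity: true` states the intent more plainly. `resource workspace` begins and ends outside the hunk.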
@@ -210,19 +209,19 @@ module workspace_cmk_rbac 'modules/nested_cmkRbac.bicep' = if (encryptionActivat
  name: '${workspace.name}-cmk-rbac'
  params: {
  workspaceIndentityPrincipalId: workspace.identity.principalId
- keyvaultName: !empty(cMKKeyVaultResourceId) ? cMKKeyVault.name : ''
- usesRbacAuthorization: !empty(cMKKeyVaultResourceId) ? cMKKeyVault.properties.enableRbacAuthorization : true
+ keyvaultName: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.name : ''
+ usesRbacAuthorization: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.properties.enableRbacAuthorization : true
  }
- scope: encryptionActivateWorkspace ? resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) : resourceGroup()
+ scope: encryptionActivateWorkspace ? resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) : resourceGroup()
 }
 
 // - Workspace encryption - Activate Workspace
 module workspace_key 'key/main.bicep' = if (encryptionActivateWorkspace) {
  name: '${workspace.name}-cmk-activation'
  params: {
- name: cMKKeyName
+ name: customerManagedKey!.keyName
  isActiveCMK: true
- keyVaultResourceId: cMKKeyVaultResourceId
+ keyVaultResourceId: cMKKeyVault.id
  workspaceName: workspace.name
  }
  dependsOn: [
@@ -452,3 +451,17 @@ type diagnosticSettingType = {
  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
  marketplacePartnerResourceId: string?
 }[]?
+
+type customerManagedKeyType = {
+ @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
+ keyVaultResourceId: string
+
+ @description('Required. The name of the customer managed key to use for encryption.')
+ keyName: string
+
+ @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
+ keyVersion: string?
+
+ @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
+ userAssignedIdentityResourceId: string?
+}?
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index 6a13d3b652..e96aed1c93 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -6,7 +6,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.22.6.54827",
- "templateHash": "15444302507528482650"
+ "templateHash": "2450269560530411916"
  },
  "name": "Synapse Workspaces",
  "description": "This module deploys a Synapse Workspace.",
@@ -365,6 +365,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { 
@@ -422,39 +454,10 @@ "description": "Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account." } }, - "encryption": { - "type": "bool", - "defaultValue": false, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", "metadata": { - "description": "Optional. Double encryption using a customer-managed key." - } - }, - "cMKKeyVaultResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." - } - }, - "cMKKeyName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name of the customer managed key to use for encryption." - } - }, - "cMKUseSystemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use System Assigned Managed identity that will be used to access your customer-managed key stored in key vault." - } - }, - "cMKUserAssignedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ID of User Assigned Managed identity that will be used to access your customer-managed key stored in key vault." + "description": "Optional. The customer managed key definition." } }, "encryptionActivateWorkspace": { 
@@ -585,7 +588,7 @@ } }, "variables": { - "userAssignedIdentitiesUnion": "[union(parameters('userAssignedIdentities'), if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject(format('{0}', parameters('cMKUserAssignedIdentityResourceId')), createObject()), createObject()))]", + "userAssignedIdentitiesUnion": "[union(parameters('userAssignedIdentities'), if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createObject(format('{0}', parameters('customerManagedKey').userAssignedIdentityResourceId), createObject()), createObject()))]", "identityType": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", "identity": { "type": "[variables('identityType')]", 
@@ -603,25 +606,34 @@ }, "resources": { "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(parameters('cMKKeyVaultResourceId'))), not(empty(parameters('cMKKeyName'))))]", + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", "existing": true, "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2023-02-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/')), if(not(empty(parameters('cMKKeyName'))), parameters('cMKKeyName'), 'dummyKey'))]", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", "dependsOn": [ "cMKKeyVault" ] }, "cMKKeyVault": { - "condition": "[not(empty(parameters('cMKKeyVaultResourceId')))]", + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", "existing": true, "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "subscriptionId": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(if(not(empty(parameters('cMKKeyVaultResourceId'))), 
parameters('cMKKeyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))]" + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" }, "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", 
@@ -653,7 +665,7 @@ "filesystem": "[parameters('defaultDataLakeStorageFilesystem')]", "createManagedPrivateEndpoint": "[if(parameters('managedVirtualNetwork'), parameters('defaultDataLakeStorageCreateManagedPrivateEndpoint'), null())]" }, - "encryption": "[if(parameters('encryption'), createObject('cmk', createObject('kekIdentity', createObject('userAssignedIdentity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), parameters('cMKUserAssignedIdentityResourceId'), null()), 'useSystemAssignedIdentity', parameters('cMKUseSystemAssignedIdentity')), 'key', createObject('keyVaultUrl', reference('cMKKeyVault::cMKKey').keyUri, 'name', parameters('cMKKeyName')))), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('cmk', createObject('kekIdentity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), createObject('useSystemAssignedIdentity', empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))), 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', 
last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'key', createObject('keyVaultUrl', reference('cMKKeyVault::cMKKey').keyUri, 'name', parameters('customerManagedKey').keyName))), null())]", "managedResourceGroupName": "[if(not(empty(parameters('managedResourceGroupName'))), parameters('managedResourceGroupName'), null())]", "managedVirtualNetwork": "[if(parameters('managedVirtualNetwork'), 'default', null())]", "managedVirtualNetworkSettings": "[if(parameters('managedVirtualNetwork'), createObject('allowedAadTenantIdsForLinking', parameters('allowedAadTenantIdsForLinking'), 'linkedAccessCheckOnTargetResource', parameters('linkedAccessCheckOnTargetResource'), 'preventDataExfiltration', parameters('preventDataExfiltration')), null())]", @@ -664,7 +676,8 @@ "workspaceRepositoryConfiguration": "[parameters('workspaceRepositoryConfiguration')]" }, "dependsOn": [ - "cMKKeyVault" + "cMKKeyVault", + "cMKUserAssignedIdentity" ] }, "workspace_lock": { 
@@ -869,8 +882,8 @@ "workspaceIndentityPrincipalId": { "value": "[reference('workspace', '2021-06-01', 'full').identity.principalId]" }, - "keyvaultName": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', last(split(if(not(empty(parameters('cMKKeyVaultResourceId'))), parameters('cMKKeyVaultResourceId'), 'dummyVault'), '/'))), createObject('value', ''))]", - "usesRbacAuthorization": "[if(not(empty(parameters('cMKKeyVaultResourceId'))), createObject('value', reference('cMKKeyVault').enableRbacAuthorization), createObject('value', true()))]" + "keyvaultName": "[if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), createObject('value', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), createObject('value', ''))]", + "usesRbacAuthorization": "[if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), createObject('value', reference('cMKKeyVault').enableRbacAuthorization), createObject('value', true()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -948,13 +961,13 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('cMKKeyName')]" + "value": "[parameters('customerManagedKey').keyName]" }, "isActiveCMK": { "value": true }, "keyVaultResourceId": { - "value": "[parameters('cMKKeyVaultResourceId')]" + "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')))]" }, "workspaceName": { "value": "[parameters('name')]" 
@@ -967,7 +980,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14713531383006172248" + "templateHash": "5952844918734432483" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", @@ -1001,9 +1014,8 @@ }, "keyVaultResourceId": { "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. The resource ID of a key vault to reference a customer managed key for encryption from." + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." } }, "enableDefaultTelemetry": { @@ -1021,7 +1033,7 @@ "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", "properties": { "isActiveCMK": "[parameters('isActiveCMK')]", - "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', split(format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '/')[0], split(format('{0}/{1}', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '/')[1]), '2022-07-01').keyUri]" + "keyVaultUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultResourceId'), '/')[2], split(parameters('keyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults/keys', last(split(parameters('keyVaultResourceId'), '/')), parameters('name')), '2023-02-01').keyUri]" } }, { @@ -1065,6 +1077,7 @@ } }, "dependsOn": [ + "cMKKeyVault", "workspace", "workspace_cmk_rbac" ] From 1e83dd75ae504499c4ae113220179bf4decc0d61 Mon Sep 17 00:00:00 2001 
From: CARMLPipelinePrincipal Date: Wed, 1 Nov 2023 22:21:18 +0000 Subject: [PATCH 081/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 28 +++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index f41b098cbb..e4560b1fe9 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -16,7 +16,7 @@ This section provides an overview of the library's feature set. | 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | | | | | | 251 | | 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | | | | | | 170 | | 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | | | | | [L1:11, L2:3] | 455 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 318 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 322 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | | 211 | | 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | | 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | | 163 | @@ -27,7 +27,7 @@ This section provides an overview of the library's feature set. | 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | | 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | | 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 452 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 460 | | 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 326 | | 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 327 | | 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 277 | @@ -43,15 +43,15 @@ This section provides an overview of the library's feature set. | 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | | | | | [L1:2] | 657 | | 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | | | | | [L1:1] | 611 | | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | | 167 | -| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 443 | +| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | | 175 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 447 | | 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:1] | 668 | -| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 331 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 342 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:1] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | | 110 | -| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 385 | -| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:3] | 374 | -| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:4] | 370 | +| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 397 | +| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:3] | 380 | +| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:4] | 378 | | 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | | | | | [L1:1] | 191 | | 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | | | | | | 281 | | 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | | 200 | @@ -62,7 +62,7 @@ This section provides an overview of the library's feature set. | 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:1] | 257 | | 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:1] | 197 | | 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:1] | 261 | -| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 410 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 418 | | 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | | 116 | | 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:3, L2:1] | 195 | | 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | | | | | | 115 | @@ -79,7 +79,7 @@ This section provides an overview of the library's feature set. | 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | | 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | | 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | | | | | | 231 | -| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 358 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 366 | | 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | | | | | | 136 | | 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | | | | | [L1:1] | 113 | | 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | @@ -135,22 +135,22 @@ This section provides an overview of the library's feature set. | 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | | | | | [L1:2] | 54 | | 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:1] | 327 | | 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 454 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 462 | | 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | | | | | [L1:1] | 312 | | 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | | 277 | | 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | | 253 | | 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:6, L2:3] | 373 | | 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:8, L2:3] | 389 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 513 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 524 | | 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | | 171 | -| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 364 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 374 | | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | | 216 | | 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | | 118 | | 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:2] | 262 | | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 453 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29759 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29865 | ## Legend From 14f4db32ca56aa205d5444a761c2672b563979d7 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 2 Nov 2023 12:04:03 +1300 Subject: [PATCH 082/178] [Modules] Updated Redis Cache Enterprise Logging (#4176) --- modules/cache/redis-enterprise/README.md | 28 ---------------------- modules/cache/redis-enterprise/main.bicep | 15 ------------ modules/cache/redis-enterprise/main.json | 29 +---------------------- 3 files changed, 1 insertion(+), 71 deletions(-) diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index eb95ab1946..adcf1a6345 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md 
@@ -449,7 +449,6 @@ The diagnostic settings of the service. | [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | | [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | | [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | | [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | 
@@ -478,33 +477,6 @@ Optional. A string indicating whether the export to Log Analytics should use the - Type: string - Allowed: `[AzureDiagnostics, Dedicated]` -### Parameter: `diagnosticSettings.logCategoriesAndGroups` - -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index 3e0d3f4b72..609e546bf8 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep 
@@ -117,12 +117,6 @@ resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettin enabled: true } ] - logs: diagnosticSetting.?logCategoriesAndGroups ?? [ - { - categoryGroup: 'AllLogs' - enabled: true - } - ] marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType } @@ -308,15 +302,6 @@ type diagnosticSettingType = { @description('Optional. The name of diagnostic setting.') name: string? - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to \'AllLogs\' to collect all logs.') - categoryGroup: string? - }[]? - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') metricCategories: { @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to \'AllMetrics\' to collect all metrics.') diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index 440a5b45e5..c18ec7b248 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "10802158443173953602" + "templateHash": "12509329417393938084" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
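Review bot: The `metricCategories` member kept in the `diagnosticSettingType` hunk still carries the description copied from the log setting this commit removes ("The name of logs that will be streamed. "allLogs" includes all possible logs for the resource…"), which is wrong for a metrics array and now has no log counterpart to explain it; suggested wording: `@description('Optional. The metrics that will be streamed. "AllMetrics" includes all possible metrics for the resource. Set to \'\' to disable metric collection.')`. The same text is reproduced in the generated README and main.json hunks, so correcting it at the Bicep source and regenerating covers all three. Separately, dropping the `logs` block leaves the diagnostic setting with metrics only and nothing in the file says why; a comment above `metrics:` such as `// No 'logs' block: the resource type appears to expose no diagnostic log categories, so an 'AllLogs' group cannot be deployed` would stop a later maintainer re-adding it and would make explicit to consumers that no resource/audit logs are emitted for this cache — confirm that this is in fact the reason for the removal. Both the `redisEnterprise_diagnosticSettings` resource and the `diagnosticSettingType` declaration begin outside their hunks.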
@@ -291,32 +291,6 @@ "description": "Optional. The name of diagnostic setting." } }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, "metricCategories": { "type": "array", "items": { @@ -559,7 +533,6 @@ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, From 3d15ccece9fbfedd598d99ee5e53ca40ba90d1b2 Mon Sep 17 00:00:00 2001 
From: CARMLPipelinePrincipal Date: Wed, 1 Nov 2023 23:04:53 +0000 Subject: [PATCH 083/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index e4560b1fe9..e8f34f0833 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -30,7 +30,7 @@ This section provides an overview of the library's feature set. | 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 460 | | 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 326 | | 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 327 | -| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 277 | +| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 264 | | 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | | | | | [L1:6, L2:4] | 220 | | 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | | 388 | | 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | | | | | | 111 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 453 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29865 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29852 | ## Legend From 6913d1475739f69c9b002f98a55ef75955bb4508 Mon Sep 17 00:00:00 2001 
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Sat, 4 Nov 2023 13:32:59 +0100 Subject: [PATCH 084/178] [Modules] Update test folder structure (#4181) * test 2 moduoles * tests folder * Update Get-ModuleTestFileList.ps1 * Update module.tests.ps1 * e2e folder * rename tests * ref shared scripts * ref shared templates * ref module from main.test.bicep * authorization namespace * policy-insignts namespace --- docs/wiki/The library - Module design.md | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../server/{.test => tests/e2e}/common/dependencies.bicep | 0 .../server/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../server/{.test => tests/e2e}/max/dependencies.bicep | 0 .../server/{.test => tests/e2e}/max/main.test.bicep | 4 ++-- .../server/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../service/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../service/{.test => tests/e2e}/max/dependencies.bicep | 0 .../service/{.test => tests/e2e}/max/main.test.bicep | 4 ++-- .../service/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/pe/dependencies.bicep | 0 .../{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../job/{.test => tests/e2e}/common/dependencies.bicep | 0 .../app/job/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../app/job/{.test => tests/e2e}/min/dependencies.bicep | 0 modules/app/job/{.test => 
tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../lock/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.common/dependencies.bicep | 0 .../{.test => tests/e2e}/rg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/dependencies.bicep | 0 .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/dependencies.bicep | 0 .../e2e}/mg.common/interim.dependencies.bicep | 0 .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/dependencies.bicep | 0 .../e2e}/mg.min/interim.dependencies.bicep | 0 .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.common/dependencies.bicep | 0 .../{.test => tests/e2e}/rg.common/main.test.bicep 
| 2 +- .../{.test => tests/e2e}/rg.min/dependencies.bicep | 0 .../{.test => tests/e2e}/rg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/dependencies.bicep | 0 .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/dependencies.bicep | 0 .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/geo/dependencies.bicep | 0 .../{.test => tests/e2e}/geo/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../redis/{.test => tests/e2e}/common/dependencies.bicep | 0 .../redis/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../cache/redis/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../profile/{.test => tests/e2e}/afd/dependencies.bicep | 0 .../cdn/profile/{.test => tests/e2e}/afd/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../profile/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => 
tests/e2e}/common/dependencies.bicep | 0 .../account/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../account/{.test => tests/e2e}/encr/dependencies.bicep | 0 .../account/{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../account/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/speech/dependencies.bicep | 0 .../account/{.test => tests/e2e}/speech/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../e2e}/accessPolicies/dependencies.bicep | 0 .../{.test => tests/e2e}/accessPolicies/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../disk/{.test => tests/e2e}/common/dependencies.bicep | 0 .../disk/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../disk/{.test => tests/e2e}/image/dependencies.bicep | 0 .../disk/{.test => tests/e2e}/image/main.test.bicep | 2 +- .../disk/{.test => tests/e2e}/import/dependencies.bicep | 4 ++-- .../{.test => tests/e2e}/import/dependencies_rbac.bicep | 0 .../disk/{.test => tests/e2e}/import/main.test.bicep | 2 +- .../compute/disk/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../gallery/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../gallery/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../image/{.test => tests/e2e}/common/dependencies.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies_rbac.bicep | 0 .../image/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => 
tests/e2e}/linux.min/dependencies.bicep | 2 +- .../{.test => tests/e2e}/linux.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/linux.ssecmk/dependencies.bicep | 2 +- .../{.test => tests/e2e}/linux.ssecmk/main.test.bicep | 2 +- .../{.test => tests/e2e}/linux/dependencies.bicep | 4 ++-- .../{.test => tests/e2e}/linux/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/windows.min/dependencies.bicep | 0 .../{.test => tests/e2e}/windows.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/windows/dependencies.bicep | 2 +- .../{.test => tests/e2e}/windows/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/linux.atmg/dependencies.bicep | 2 +- .../{.test => tests/e2e}/linux.atmg/main.test.bicep | 2 +- .../{.test => tests/e2e}/linux.min/dependencies.bicep | 2 +- .../{.test => tests/e2e}/linux.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/linux/dependencies.bicep | 4 ++-- .../{.test => tests/e2e}/linux/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/windows.atmg/dependencies.bicep | 0 .../{.test => tests/e2e}/windows.atmg/main.test.bicep | 2 +- .../{.test => tests/e2e}/windows.min/dependencies.bicep | 0 .../{.test => tests/e2e}/windows.min/main.test.bicep | 2 +- .../e2e}/windows.ssecmk/dependencies.bicep | 0 .../{.test => tests/e2e}/windows.ssecmk/main.test.bicep | 2 +- .../{.test => tests/e2e}/windows/dependencies.bicep | 2 +- .../{.test => tests/e2e}/windows/main.test.bicep | 4 ++-- .../budget/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../budget/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/private/dependencies.bicep | 0 .../{.test => tests/e2e}/private/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 2 +- .../registry/{.test => 
tests/e2e}/common/main.test.bicep | 4 ++-- .../registry/{.test => tests/e2e}/encr/dependencies.bicep | 0 .../registry/{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../registry/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../registry/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../registry/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/azure/dependencies.bicep | 0 .../{.test => tests/e2e}/azure/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/kubenet/dependencies.bicep | 0 .../{.test => tests/e2e}/kubenet/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/priv/dependencies.bicep | 0 .../{.test => tests/e2e}/priv/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../factory/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../factory/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../backup-vault/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/private/dependencies.bicep | 0 .../{.test => tests/e2e}/private/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/public/dependencies1.bicep | 2 +- .../{.test => tests/e2e}/public/dependencies2.bicep | 0 .../{.test => tests/e2e}/public/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/private/dependencies.bicep | 0 .../{.test => tests/e2e}/private/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/public/dependencies.bicep | 0 
.../{.test => tests/e2e}/public/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../host-pool/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../host-pool/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../scaling-plan/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../lab/{.test => tests/e2e}/common/dependencies.bicep | 0 .../lab/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../lab/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../mongodb => tests/e2e/gremlindb}/dependencies.bicep | 2 +- .../{.test => tests/e2e}/gremlindb/main.test.bicep | 4 ++-- .../{.test/plain => tests/e2e/mongodb}/dependencies.bicep | 2 +- .../{.test => tests/e2e}/mongodb/main.test.bicep | 4 ++-- .../gremlindb => tests/e2e/plain}/dependencies.bicep | 2 +- .../{.test => tests/e2e}/plain/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/sqldb/dependencies.bicep | 2 +- .../{.test => tests/e2e}/sqldb/main.test.bicep | 4 ++-- .../domain/{.test => tests/e2e}/common/dependencies.bicep | 0 .../domain/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../domain/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../domain/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../domain/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => 
tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../system-topic/{.test => tests/e2e}/min/main.test.bicep | 4 ++-- .../topic/{.test => tests/e2e}/common/dependencies.bicep | 0 .../topic/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../topic/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../topic/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../topic/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../namespace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../namespace/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../health-bot/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../action-group/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../component/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../component/{.test => tests/e2e}/min/dependencies.bicep | 0 .../component/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/customadv/dependencies.bicep | 0 .../{.test 
=> tests/e2e}/customadv/main.test.bicep | 2 +- .../{.test => tests/e2e}/custombasic/dependencies.bicep | 0 .../{.test => tests/e2e}/custombasic/main.test.bicep | 2 +- .../{.test => tests/e2e}/customiis/dependencies.bicep | 0 .../{.test => tests/e2e}/customiis/main.test.bicep | 2 +- .../{.test => tests/e2e}/linux/dependencies.bicep | 0 .../{.test => tests/e2e}/linux/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/windows/dependencies.bicep | 0 .../{.test => tests/e2e}/windows/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../webtest/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../webtest/{.test => tests/e2e}/min/dependencies.bicep | 0 .../webtest/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../e2e}/accesspolicies/dependencies.bicep | 0 .../{.test => tests/e2e}/accesspolicies/main.test.bicep | 4 ++-- .../vault/{.test => tests/e2e}/common/dependencies.bicep | 0 .../vault/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../vault/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../vault/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../vault/{.test => tests/e2e}/pe/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../extension/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../extension/{.test => tests/e2e}/min/dependencies.bicep | 0 .../extension/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- 
.../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workflow/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../workspace/{.test => tests/e2e}/min/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/nfs3/dependencies.bicep | 0 .../{.test => tests/e2e}/nfs3/main.test.bicep | 2 +- .../{.test => tests/e2e}/nfs41/dependencies.bicep | 0 .../{.test => tests/e2e}/nfs41/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 4 ++-- .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/addpip/dependencies.bicep | 0 .../{.test => tests/e2e}/addpip/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/custompip/dependencies.bicep | 0 .../{.test => 
tests/e2e}/custompip/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/hubcommon/dependencies.bicep | 0 .../{.test => tests/e2e}/hubcommon/main.test.bicep | 2 +- .../{.test => tests/e2e}/hubmin/dependencies.bicep | 0 .../{.test => tests/e2e}/hubmin/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/custompip/dependencies.bicep | 0 .../{.test => tests/e2e}/custompip/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../bastion-host/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/vnet2vnet/dependencies.bicep | 0 .../{.test => tests/e2e}/vnet2vnet/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../dns-zone/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../dns-zone/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- 
.../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../front-door/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../ip-group/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../ip-group/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/internal/dependencies.bicep | 0 .../{.test => tests/e2e}/internal/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../e2e}/prefixCombined/dependencies.bicep | 0 .../{.test => tests/e2e}/prefixCombined/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- 
.../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../route-table/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../virtual-hub/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/aadvpn/dependencies.bicep | 0 .../{.test => tests/e2e}/aadvpn/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/expressRoute/dependencies.bicep | 0 .../{.test => tests/e2e}/expressRoute/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/vpn/dependencies.bicep | 0 .../{.test => tests/e2e}/vpn/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => 
tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/vnetPeering/dependencies.bicep | 0 .../{.test => tests/e2e}/vnetPeering/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../virtual-wan/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../vpn-gateway/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../vpn-site/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../vpn-site/{.test => tests/e2e}/min/dependencies.bicep | 0 .../vpn-site/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../workspace/{.test => tests/e2e}/adv/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/adv/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../solution/{.test => tests/e2e}/min/dependencies.bicep | 0 .../solution/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../solution/{.test => tests/e2e}/ms/dependencies.bicep | 0 .../solution/{.test => tests/e2e}/ms/main.test.bicep | 2 +- .../{.test => tests/e2e}/nonms/dependencies.bicep | 0 .../solution/{.test => tests/e2e}/nonms/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/mg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/rg.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.common/main.test.bicep | 2 +- .../{.test => tests/e2e}/sub.min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../capacity/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../capacity/{.test => tests/e2e}/min/dependencies.bicep | 0 
.../capacity/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../account/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../account/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../vault/{.test => tests/e2e}/common/dependencies.bicep | 0 .../vault/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../vault/{.test => tests/e2e}/dr/main.test.bicep | 2 +- .../vault/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../namespace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../namespace/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../query/{.test => tests/e2e}/common/dependencies.bicep | 0 .../query/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../query/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/cli/dependencies.bicep | 0 .../{.test => tests/e2e}/cli/main.test.bicep | 2 +- .../{.test => tests/e2e}/ps/dependencies.bicep | 0 .../{.test => tests/e2e}/ps/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../tags/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../tags/{.test => tests/e2e}/rg/main.test.bicep | 2 +- .../tags/{.test => tests/e2e}/sub/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/pe/dependencies.bicep | 0 .../{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/common/main.test.bicep | 4 
++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../namespace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../namespace/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../namespace/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../cluster/{.test => tests/e2e}/cert/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../cluster/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../cluster/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../signal-r/{.test => tests/e2e}/common/main.test.bicep | 2 +- .../signal-r/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../web-pub-sub/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/pe/dependencies.bicep | 0 .../web-pub-sub/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/vulnAssm/dependencies.bicep | 0 .../{.test => tests/e2e}/vulnAssm/main.test.bicep | 2 +- .../server/{.test => tests/e2e}/admin/dependencies.bicep | 0 .../sql/server/{.test => tests/e2e}/admin/main.test.bicep | 2 +- .../server/{.test => tests/e2e}/common/dependencies.bicep | 0 .../server/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../sql/server/{.test => tests/e2e}/pe/dependencies.bicep | 0 .../sql/server/{.test => tests/e2e}/pe/main.test.bicep | 2 +- .../{.test => tests/e2e}/secondary/dependencies.bicep | 0 .../server/{.test => tests/e2e}/secondary/main.test.bicep | 2 +- .../{.test => tests/e2e}/vulnAssm/dependencies.bicep | 0 .../server/{.test => tests/e2e}/vulnAssm/main.test.bicep | 2 +- .../{.test => 
tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encr/dependencies.bicep | 0 .../{.test => tests/e2e}/encr/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/nfs/dependencies.bicep | 0 .../{.test => tests/e2e}/nfs/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/v1/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/encrwsai/dependencies.bicep | 0 .../{.test => tests/e2e}/encrwsai/main.test.bicep | 2 +- .../{.test => tests/e2e}/encrwuai/dependencies.bicep | 0 .../{.test => tests/e2e}/encrwuai/main.test.bicep | 2 +- .../{.test => tests/e2e}/managedvnet/dependencies.bicep | 0 .../{.test => tests/e2e}/managedvnet/main.test.bicep | 2 +- .../workspace/{.test => tests/e2e}/min/dependencies.bicep | 0 .../workspace/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/min/dependencies.bicep | 0 .../{.test => tests/e2e}/min/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../{.test => tests/e2e}/asev2/dependencies.bicep | 0 .../{.test => tests/e2e}/asev2/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/asev3/dependencies.bicep | 2 +- .../{.test => tests/e2e}/asev3/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 4 ++-- .../e2e}/functionAppCommon/dependencies.bicep | 0 .../e2e}/functionAppCommon/main.test.bicep | 4 ++-- .../e2e}/functionAppMin/dependencies.bicep | 0 .../{.test => 
tests/e2e}/functionAppMin/main.test.bicep | 2 +- .../{.test => tests/e2e}/webAppCommon/dependencies.bicep | 0 .../{.test => tests/e2e}/webAppCommon/main.test.bicep | 4 ++-- .../{.test => tests/e2e}/webAppMin/dependencies.bicep | 0 .../site/{.test => tests/e2e}/webAppMin/main.test.bicep | 2 +- .../{.test => tests/e2e}/common/dependencies.bicep | 0 .../{.test => tests/e2e}/common/main.test.bicep | 2 +- .../static-site/{.test => tests/e2e}/min/main.test.bicep | 2 +- .../pipelines/sharedScripts/Get-ModuleTestFileList.ps1 | 8 +++----- utilities/pipelines/staticValidation/module.tests.ps1 | 2 +- 595 files changed, 464 insertions(+), 466 deletions(-) rename modules/aad/domain-service/{.test => tests/e2e}/common/dependencies.bicep (96%) rename modules/aad/domain-service/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/analysis-services/server/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/analysis-services/server/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/analysis-services/server/{.test => tests/e2e}/max/dependencies.bicep (100%) rename modules/analysis-services/server/{.test => tests/e2e}/max/main.test.bicep (95%) rename modules/analysis-services/server/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/api-management/service/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/api-management/service/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/api-management/service/{.test => tests/e2e}/max/dependencies.bicep (100%) rename modules/api-management/service/{.test => tests/e2e}/max/main.test.bicep (97%) rename modules/api-management/service/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/app-configuration/configuration-store/{.test => 
tests/e2e}/encr/dependencies.bicep (100%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/app-configuration/configuration-store/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/app/container-app/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/app/container-app/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/app/container-app/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/app/container-app/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/app/job/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/app/job/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/app/job/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/app/job/{.test => tests/e2e}/min/main.test.bicep (98%) rename modules/app/managed-environment/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/app/managed-environment/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/app/managed-environment/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/app/managed-environment/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/authorization/lock/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/mg.common/main.test.bicep (98%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/mg.min/main.test.bicep (95%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/rg.common/dependencies.bicep (100%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/rg.common/main.test.bicep (98%) rename modules/authorization/policy-assignment/{.test => 
tests/e2e}/rg.min/main.test.bicep (96%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/sub.common/dependencies.bicep (100%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/sub.common/main.test.bicep (98%) rename modules/authorization/policy-assignment/{.test => tests/e2e}/sub.min/main.test.bicep (94%) rename modules/authorization/policy-definition/{.test => tests/e2e}/mg.common/main.test.bicep (97%) rename modules/authorization/policy-definition/{.test => tests/e2e}/mg.min/main.test.bicep (94%) rename modules/authorization/policy-definition/{.test => tests/e2e}/sub.common/main.test.bicep (97%) rename modules/authorization/policy-definition/{.test => tests/e2e}/sub.min/main.test.bicep (94%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/mg.common/main.test.bicep (97%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/mg.min/main.test.bicep (95%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/rg.common/main.test.bicep (98%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/rg.min/main.test.bicep (96%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/sub.common/main.test.bicep (97%) rename modules/authorization/policy-exemption/{.test => tests/e2e}/sub.min/main.test.bicep (95%) rename modules/authorization/policy-set-definition/{.test => tests/e2e}/mg.common/main.test.bicep (96%) rename modules/authorization/policy-set-definition/{.test => tests/e2e}/mg.min/main.test.bicep (94%) rename modules/authorization/policy-set-definition/{.test => tests/e2e}/sub.common/main.test.bicep (97%) rename modules/authorization/policy-set-definition/{.test => tests/e2e}/sub.min/main.test.bicep (94%) rename modules/authorization/role-assignment/{.test => tests/e2e}/mg.common/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/mg.common/interim.dependencies.bicep (100%) rename 
modules/authorization/role-assignment/{.test => tests/e2e}/mg.common/main.test.bicep (96%) rename modules/authorization/role-assignment/{.test => tests/e2e}/mg.min/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/mg.min/interim.dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/mg.min/main.test.bicep (96%) rename modules/authorization/role-assignment/{.test => tests/e2e}/rg.common/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/rg.common/main.test.bicep (96%) rename modules/authorization/role-assignment/{.test => tests/e2e}/rg.min/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/rg.min/main.test.bicep (96%) rename modules/authorization/role-assignment/{.test => tests/e2e}/sub.common/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/sub.common/main.test.bicep (96%) rename modules/authorization/role-assignment/{.test => tests/e2e}/sub.min/dependencies.bicep (100%) rename modules/authorization/role-assignment/{.test => tests/e2e}/sub.min/main.test.bicep (96%) rename modules/authorization/role-definition/{.test => tests/e2e}/mg.common/main.test.bicep (94%) rename modules/authorization/role-definition/{.test => tests/e2e}/mg.min/main.test.bicep (93%) rename modules/authorization/role-definition/{.test => tests/e2e}/rg.common/main.test.bicep (96%) rename modules/authorization/role-definition/{.test => tests/e2e}/rg.min/main.test.bicep (95%) rename modules/authorization/role-definition/{.test => tests/e2e}/sub.common/main.test.bicep (95%) rename modules/authorization/role-definition/{.test => tests/e2e}/sub.min/main.test.bicep (93%) rename modules/automation/automation-account/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/automation/automation-account/{.test => tests/e2e}/common/main.test.bicep (97%) rename 
modules/automation/automation-account/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/automation/automation-account/{.test => tests/e2e}/encr/main.test.bicep (97%) rename modules/automation/automation-account/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/batch/batch-account/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/batch/batch-account/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/batch/batch-account/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/batch/batch-account/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/batch/batch-account/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/batch/batch-account/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/cache/redis-enterprise/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/cache/redis-enterprise/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/cache/redis-enterprise/{.test => tests/e2e}/geo/dependencies.bicep (100%) rename modules/cache/redis-enterprise/{.test => tests/e2e}/geo/main.test.bicep (98%) rename modules/cache/redis-enterprise/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/cache/redis/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/cache/redis/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/cache/redis/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/cdn/profile/{.test => tests/e2e}/afd/dependencies.bicep (100%) rename modules/cdn/profile/{.test => tests/e2e}/afd/main.test.bicep (98%) rename modules/cdn/profile/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/cdn/profile/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/cognitive-services/account/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/cognitive-services/account/{.test => tests/e2e}/common/main.test.bicep (96%) rename 
modules/cognitive-services/account/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/cognitive-services/account/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/cognitive-services/account/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/cognitive-services/account/{.test => tests/e2e}/speech/dependencies.bicep (100%) rename modules/cognitive-services/account/{.test => tests/e2e}/speech/main.test.bicep (98%) rename modules/compute/availability-set/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/compute/availability-set/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/compute/availability-set/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/compute/disk-encryption-set/{.test => tests/e2e}/accessPolicies/dependencies.bicep (100%) rename modules/compute/disk-encryption-set/{.test => tests/e2e}/accessPolicies/main.test.bicep (98%) rename modules/compute/disk-encryption-set/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/compute/disk-encryption-set/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/compute/disk/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/compute/disk/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/compute/disk/{.test => tests/e2e}/image/dependencies.bicep (100%) rename modules/compute/disk/{.test => tests/e2e}/image/main.test.bicep (97%) rename modules/compute/disk/{.test => tests/e2e}/import/dependencies.bicep (95%) rename modules/compute/disk/{.test => tests/e2e}/import/dependencies_rbac.bicep (100%) rename modules/compute/disk/{.test => tests/e2e}/import/main.test.bicep (98%) rename modules/compute/disk/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/compute/gallery/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/compute/gallery/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/compute/gallery/{.test => tests/e2e}/min/main.test.bicep 
(96%) rename modules/compute/image/{.test => tests/e2e}/common/dependencies.bicep (97%) rename modules/compute/image/{.test => tests/e2e}/common/dependencies_rbac.bicep (100%) rename modules/compute/image/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/compute/proximity-placement-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/compute/proximity-placement-group/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/compute/proximity-placement-group/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/compute/ssh-public-key/{.test => tests/e2e}/common/dependencies.bicep (96%) rename modules/compute/ssh-public-key/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/compute/ssh-public-key/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux.min/dependencies.bicep (96%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux.min/main.test.bicep (98%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux.ssecmk/dependencies.bicep (98%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux.ssecmk/main.test.bicep (98%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux/dependencies.bicep (97%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/linux/main.test.bicep (97%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/windows.min/dependencies.bicep (100%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/windows.min/main.test.bicep (98%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/windows/dependencies.bicep (98%) rename modules/compute/virtual-machine-scale-set/{.test => tests/e2e}/windows/main.test.bicep (97%) rename modules/compute/virtual-machine/{.test => tests/e2e}/linux.atmg/dependencies.bicep (96%) rename modules/compute/virtual-machine/{.test => 
tests/e2e}/linux.atmg/main.test.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/linux.min/dependencies.bicep (96%) rename modules/compute/virtual-machine/{.test => tests/e2e}/linux.min/main.test.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/linux/dependencies.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/linux/main.test.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.atmg/dependencies.bicep (100%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.atmg/main.test.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.min/dependencies.bicep (100%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.min/main.test.bicep (97%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.ssecmk/dependencies.bicep (100%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows.ssecmk/main.test.bicep (98%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows/dependencies.bicep (99%) rename modules/compute/virtual-machine/{.test => tests/e2e}/windows/main.test.bicep (98%) rename modules/consumption/budget/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/consumption/budget/{.test => tests/e2e}/min/main.test.bicep (95%) rename modules/container-instance/container-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/container-instance/container-group/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/container-instance/container-group/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/container-instance/container-group/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/container-instance/container-group/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/container-instance/container-group/{.test => tests/e2e}/private/dependencies.bicep (100%) rename 
modules/container-instance/container-group/{.test => tests/e2e}/private/main.test.bicep (98%) rename modules/container-registry/registry/{.test => tests/e2e}/common/dependencies.bicep (97%) rename modules/container-registry/registry/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/container-registry/registry/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/container-registry/registry/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/container-registry/registry/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/container-registry/registry/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/container-registry/registry/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/azure/dependencies.bicep (100%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/azure/main.test.bicep (98%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/kubenet/dependencies.bicep (100%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/kubenet/main.test.bicep (96%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/priv/dependencies.bicep (100%) rename modules/container-service/managed-cluster/{.test => tests/e2e}/priv/main.test.bicep (97%) rename modules/data-factory/factory/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/data-factory/factory/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/data-factory/factory/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/data-protection/backup-vault/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/data-protection/backup-vault/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/data-protection/backup-vault/{.test => tests/e2e}/min/main.test.bicep (96%) rename 
modules/databricks/access-connector/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/databricks/access-connector/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/databricks/access-connector/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/databricks/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/databricks/workspace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/databricks/workspace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/private/dependencies.bicep (100%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/private/main.test.bicep (96%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/public/dependencies1.bicep (94%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/public/dependencies2.bicep (100%) rename modules/db-for-my-sql/flexible-server/{.test => tests/e2e}/public/main.test.bicep (97%) rename modules/db-for-postgre-sql/flexible-server/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/db-for-postgre-sql/flexible-server/{.test => tests/e2e}/private/dependencies.bicep (100%) rename modules/db-for-postgre-sql/flexible-server/{.test => tests/e2e}/private/main.test.bicep (96%) rename modules/db-for-postgre-sql/flexible-server/{.test => tests/e2e}/public/dependencies.bicep (100%) rename modules/db-for-postgre-sql/flexible-server/{.test => tests/e2e}/public/main.test.bicep (96%) rename modules/desktop-virtualization/application-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/desktop-virtualization/application-group/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/desktop-virtualization/application-group/{.test => tests/e2e}/min/dependencies.bicep (100%) rename 
modules/desktop-virtualization/application-group/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/desktop-virtualization/host-pool/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/desktop-virtualization/host-pool/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/desktop-virtualization/host-pool/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/desktop-virtualization/scaling-plan/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/desktop-virtualization/scaling-plan/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/desktop-virtualization/scaling-plan/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/desktop-virtualization/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/desktop-virtualization/workspace/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/desktop-virtualization/workspace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/dev-test-lab/lab/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/dev-test-lab/lab/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/dev-test-lab/lab/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/digital-twins/digital-twins-instance/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/digital-twins/digital-twins-instance/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/digital-twins/digital-twins-instance/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/document-db/database-account/{.test/mongodb => tests/e2e/gremlindb}/dependencies.bicep (94%) rename modules/document-db/database-account/{.test => tests/e2e}/gremlindb/main.test.bicep (96%) rename modules/document-db/database-account/{.test/plain => tests/e2e/mongodb}/dependencies.bicep (94%) rename modules/document-db/database-account/{.test => tests/e2e}/mongodb/main.test.bicep (98%) rename 
modules/document-db/database-account/{.test/gremlindb => tests/e2e/plain}/dependencies.bicep (94%) rename modules/document-db/database-account/{.test => tests/e2e}/plain/main.test.bicep (95%) rename modules/document-db/database-account/{.test => tests/e2e}/sqldb/dependencies.bicep (97%) rename modules/document-db/database-account/{.test => tests/e2e}/sqldb/main.test.bicep (97%) rename modules/event-grid/domain/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/event-grid/domain/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/event-grid/domain/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/event-grid/domain/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/event-grid/domain/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/event-grid/system-topic/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/event-grid/system-topic/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/event-grid/system-topic/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/event-grid/system-topic/{.test => tests/e2e}/min/main.test.bicep (93%) rename modules/event-grid/topic/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/event-grid/topic/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/event-grid/topic/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/event-grid/topic/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/event-grid/topic/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/event-hub/namespace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/event-hub/namespace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/event-hub/namespace/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/event-hub/namespace/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/event-hub/namespace/{.test => tests/e2e}/min/main.test.bicep (96%) rename 
modules/event-hub/namespace/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/event-hub/namespace/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/health-bot/health-bot/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/health-bot/health-bot/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/health-bot/health-bot/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/healthcare-apis/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/healthcare-apis/workspace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/healthcare-apis/workspace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/insights/action-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/action-group/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/insights/action-group/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/insights/activity-log-alert/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/activity-log-alert/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/insights/component/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/component/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/insights/component/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/insights/component/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/insights/data-collection-endpoint/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/data-collection-endpoint/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/insights/data-collection-endpoint/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/customadv/dependencies.bicep (100%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/customadv/main.test.bicep (98%) rename 
modules/insights/data-collection-rule/{.test => tests/e2e}/custombasic/dependencies.bicep (100%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/custombasic/main.test.bicep (98%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/customiis/dependencies.bicep (100%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/customiis/main.test.bicep (98%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/linux/dependencies.bicep (100%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/linux/main.test.bicep (99%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/min/main.test.bicep (98%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/windows/dependencies.bicep (100%) rename modules/insights/data-collection-rule/{.test => tests/e2e}/windows/main.test.bicep (99%) rename modules/insights/diagnostic-setting/{.test => tests/e2e}/common/main.test.bicep (94%) rename modules/insights/metric-alert/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/metric-alert/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/insights/private-link-scope/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/private-link-scope/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/insights/private-link-scope/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/insights/scheduled-query-rule/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/scheduled-query-rule/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/insights/webtest/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/insights/webtest/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/insights/webtest/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/insights/webtest/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/key-vault/vault/{.test => 
tests/e2e}/accesspolicies/dependencies.bicep (100%) rename modules/key-vault/vault/{.test => tests/e2e}/accesspolicies/main.test.bicep (96%) rename modules/key-vault/vault/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/key-vault/vault/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/key-vault/vault/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/key-vault/vault/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/key-vault/vault/{.test => tests/e2e}/pe/main.test.bicep (96%) rename modules/kubernetes-configuration/extension/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/kubernetes-configuration/extension/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/kubernetes-configuration/extension/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/kubernetes-configuration/extension/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/kubernetes-configuration/flux-configuration/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/kubernetes-configuration/flux-configuration/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/kubernetes-configuration/flux-configuration/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/kubernetes-configuration/flux-configuration/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/logic/workflow/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/logic/workflow/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/machine-learning-services/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/machine-learning-services/workspace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/machine-learning-services/workspace/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/machine-learning-services/workspace/{.test => tests/e2e}/encr/main.test.bicep (98%) rename 
modules/machine-learning-services/workspace/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/machine-learning-services/workspace/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/maintenance/maintenance-configuration/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/maintenance/maintenance-configuration/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/maintenance/maintenance-configuration/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/managed-identity/user-assigned-identity/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/managed-identity/user-assigned-identity/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/managed-identity/user-assigned-identity/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/managed-services/registration-definition/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/managed-services/registration-definition/{.test => tests/e2e}/rg/main.test.bicep (97%) rename modules/management/management-group/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/management/management-group/{.test => tests/e2e}/min/main.test.bicep (94%) rename modules/net-app/net-app-account/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/net-app/net-app-account/{.test => tests/e2e}/nfs3/dependencies.bicep (100%) rename modules/net-app/net-app-account/{.test => tests/e2e}/nfs3/main.test.bicep (98%) rename modules/net-app/net-app-account/{.test => tests/e2e}/nfs41/dependencies.bicep (100%) rename modules/net-app/net-app-account/{.test => tests/e2e}/nfs41/main.test.bicep (98%) rename modules/network/application-gateway-web-application-firewall-policy/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/application-gateway/{.test => tests/e2e}/common/dependencies.bicep (97%) rename modules/network/application-gateway/{.test => tests/e2e}/common/main.test.bicep (98%) rename 
modules/network/application-security-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/application-security-group/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/azure-firewall/{.test => tests/e2e}/addpip/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/addpip/main.test.bicep (98%) rename modules/network/azure-firewall/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/azure-firewall/{.test => tests/e2e}/custompip/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/custompip/main.test.bicep (95%) rename modules/network/azure-firewall/{.test => tests/e2e}/hubcommon/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/hubcommon/main.test.bicep (97%) rename modules/network/azure-firewall/{.test => tests/e2e}/hubmin/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/hubmin/main.test.bicep (97%) rename modules/network/azure-firewall/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/azure-firewall/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/bastion-host/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/bastion-host/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/network/bastion-host/{.test => tests/e2e}/custompip/dependencies.bicep (100%) rename modules/network/bastion-host/{.test => tests/e2e}/custompip/main.test.bicep (95%) rename modules/network/bastion-host/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/bastion-host/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/connection/{.test => tests/e2e}/vnet2vnet/dependencies.bicep (100%) rename modules/network/connection/{.test => tests/e2e}/vnet2vnet/main.test.bicep (98%) rename 
modules/network/ddos-protection-plan/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/ddos-protection-plan/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/ddos-protection-plan/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/dns-forwarding-ruleset/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/dns-forwarding-ruleset/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/dns-forwarding-ruleset/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/dns-forwarding-ruleset/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/dns-resolver/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/dns-resolver/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/dns-zone/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/dns-zone/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/network/dns-zone/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/express-route-circuit/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/express-route-circuit/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/network/express-route-circuit/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/express-route-gateway/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/express-route-gateway/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/express-route-gateway/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/express-route-gateway/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/firewall-policy/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/firewall-policy/{.test => tests/e2e}/min/main.test.bicep (96%) rename 
modules/network/front-door-web-application-firewall-policy/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/front-door-web-application-firewall-policy/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/front-door-web-application-firewall-policy/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/front-door/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/front-door/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/front-door/{.test => tests/e2e}/min/main.test.bicep (98%) rename modules/network/ip-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/ip-group/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/ip-group/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/load-balancer/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/load-balancer/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/load-balancer/{.test => tests/e2e}/internal/dependencies.bicep (100%) rename modules/network/load-balancer/{.test => tests/e2e}/internal/main.test.bicep (96%) rename modules/network/load-balancer/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/load-balancer/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/local-network-gateway/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/local-network-gateway/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/local-network-gateway/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/nat-gateway/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/nat-gateway/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/network/nat-gateway/{.test => tests/e2e}/prefixCombined/dependencies.bicep (100%) rename modules/network/nat-gateway/{.test => 
tests/e2e}/prefixCombined/main.test.bicep (95%) rename modules/network/network-interface/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/network-interface/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/network/network-interface/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/network-interface/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/network-manager/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/network-manager/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/network/network-security-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/network-security-group/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/network/network-security-group/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/network-watcher/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/network-watcher/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/network-watcher/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/private-dns-zone/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/private-dns-zone/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/network/private-dns-zone/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/private-endpoint/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/private-endpoint/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/private-endpoint/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/private-endpoint/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/private-link-service/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/private-link-service/{.test => tests/e2e}/common/main.test.bicep (98%) rename 
modules/network/private-link-service/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/private-link-service/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/public-ip-address/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/public-ip-address/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/network/public-ip-address/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/public-ip-prefix/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/public-ip-prefix/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/public-ip-prefix/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/route-table/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/route-table/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/route-table/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/service-endpoint-policy/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/service-endpoint-policy/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/service-endpoint-policy/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/trafficmanagerprofile/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/trafficmanagerprofile/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/network/trafficmanagerprofile/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/virtual-hub/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/virtual-hub/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/virtual-hub/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/virtual-hub/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/aadvpn/dependencies.bicep 
(100%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/aadvpn/main.test.bicep (96%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/expressRoute/dependencies.bicep (100%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/expressRoute/main.test.bicep (95%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/vpn/dependencies.bicep (100%) rename modules/network/virtual-network-gateway/{.test => tests/e2e}/vpn/main.test.bicep (96%) rename modules/network/virtual-network/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/virtual-network/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/network/virtual-network/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/virtual-network/{.test => tests/e2e}/vnetPeering/dependencies.bicep (100%) rename modules/network/virtual-network/{.test => tests/e2e}/vnetPeering/main.test.bicep (97%) rename modules/network/virtual-wan/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/virtual-wan/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/network/virtual-wan/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/network/vpn-gateway/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/vpn-gateway/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/vpn-gateway/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/vpn-gateway/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/network/vpn-site/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/network/vpn-site/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/network/vpn-site/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/network/vpn-site/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/operational-insights/workspace/{.test => tests/e2e}/adv/dependencies.bicep (100%) rename 
modules/operational-insights/workspace/{.test => tests/e2e}/adv/main.test.bicep (98%) rename modules/operational-insights/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/operational-insights/workspace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/operational-insights/workspace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/operations-management/solution/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/operations-management/solution/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/operations-management/solution/{.test => tests/e2e}/ms/dependencies.bicep (100%) rename modules/operations-management/solution/{.test => tests/e2e}/ms/main.test.bicep (97%) rename modules/operations-management/solution/{.test => tests/e2e}/nonms/dependencies.bicep (100%) rename modules/operations-management/solution/{.test => tests/e2e}/nonms/main.test.bicep (97%) rename modules/policy-insights/remediation/{.test => tests/e2e}/mg.common/main.test.bicep (97%) rename modules/policy-insights/remediation/{.test => tests/e2e}/mg.min/main.test.bicep (95%) rename modules/policy-insights/remediation/{.test => tests/e2e}/rg.common/main.test.bicep (97%) rename modules/policy-insights/remediation/{.test => tests/e2e}/rg.min/main.test.bicep (96%) rename modules/policy-insights/remediation/{.test => tests/e2e}/sub.common/main.test.bicep (97%) rename modules/policy-insights/remediation/{.test => tests/e2e}/sub.min/main.test.bicep (95%) rename modules/power-bi-dedicated/capacity/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/power-bi-dedicated/capacity/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/power-bi-dedicated/capacity/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/power-bi-dedicated/capacity/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/purview/account/{.test => tests/e2e}/common/dependencies.bicep (100%) rename 
modules/purview/account/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/purview/account/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/recovery-services/vault/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/recovery-services/vault/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/recovery-services/vault/{.test => tests/e2e}/dr/main.test.bicep (98%) rename modules/recovery-services/vault/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/relay/namespace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/relay/namespace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/relay/namespace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/relay/namespace/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/relay/namespace/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/resource-graph/query/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/resource-graph/query/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/resource-graph/query/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/resources/deployment-script/{.test => tests/e2e}/cli/dependencies.bicep (100%) rename modules/resources/deployment-script/{.test => tests/e2e}/cli/main.test.bicep (98%) rename modules/resources/deployment-script/{.test => tests/e2e}/ps/dependencies.bicep (100%) rename modules/resources/deployment-script/{.test => tests/e2e}/ps/main.test.bicep (97%) rename modules/resources/resource-group/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/resources/resource-group/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/resources/resource-group/{.test => tests/e2e}/min/main.test.bicep (94%) rename modules/resources/tags/{.test => tests/e2e}/min/main.test.bicep (93%) rename modules/resources/tags/{.test => tests/e2e}/rg/main.test.bicep (96%) rename modules/resources/tags/{.test => 
tests/e2e}/sub/main.test.bicep (93%) rename modules/search/search-service/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/search/search-service/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/search/search-service/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/search/search-service/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/search/search-service/{.test => tests/e2e}/pe/main.test.bicep (98%) rename modules/security/azure-security-center/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/security/azure-security-center/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/service-bus/namespace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/service-bus/namespace/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/service-bus/namespace/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/service-bus/namespace/{.test => tests/e2e}/encr/main.test.bicep (98%) rename modules/service-bus/namespace/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/service-bus/namespace/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/service-bus/namespace/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/service-fabric/cluster/{.test => tests/e2e}/cert/main.test.bicep (97%) rename modules/service-fabric/cluster/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/service-fabric/cluster/{.test => tests/e2e}/common/main.test.bicep (99%) rename modules/service-fabric/cluster/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/signal-r-service/signal-r/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/signal-r-service/signal-r/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/signal-r-service/signal-r/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/signal-r-service/web-pub-sub/{.test => tests/e2e}/common/dependencies.bicep (100%) 
rename modules/signal-r-service/web-pub-sub/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/signal-r-service/web-pub-sub/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/signal-r-service/web-pub-sub/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/signal-r-service/web-pub-sub/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/sql/managed-instance/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/sql/managed-instance/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/sql/managed-instance/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/sql/managed-instance/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/sql/managed-instance/{.test => tests/e2e}/vulnAssm/dependencies.bicep (100%) rename modules/sql/managed-instance/{.test => tests/e2e}/vulnAssm/main.test.bicep (98%) rename modules/sql/server/{.test => tests/e2e}/admin/dependencies.bicep (100%) rename modules/sql/server/{.test => tests/e2e}/admin/main.test.bicep (97%) rename modules/sql/server/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/sql/server/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/sql/server/{.test => tests/e2e}/pe/dependencies.bicep (100%) rename modules/sql/server/{.test => tests/e2e}/pe/main.test.bicep (97%) rename modules/sql/server/{.test => tests/e2e}/secondary/dependencies.bicep (100%) rename modules/sql/server/{.test => tests/e2e}/secondary/main.test.bicep (97%) rename modules/sql/server/{.test => tests/e2e}/vulnAssm/dependencies.bicep (100%) rename modules/sql/server/{.test => tests/e2e}/vulnAssm/main.test.bicep (98%) rename modules/storage/storage-account/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/storage/storage-account/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/storage/storage-account/{.test => tests/e2e}/encr/dependencies.bicep (100%) rename modules/storage/storage-account/{.test => 
tests/e2e}/encr/main.test.bicep (98%) rename modules/storage/storage-account/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/storage/storage-account/{.test => tests/e2e}/nfs/dependencies.bicep (100%) rename modules/storage/storage-account/{.test => tests/e2e}/nfs/main.test.bicep (95%) rename modules/storage/storage-account/{.test => tests/e2e}/v1/main.test.bicep (96%) rename modules/synapse/private-link-hub/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/synapse/private-link-hub/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/synapse/private-link-hub/{.test => tests/e2e}/min/main.test.bicep (96%) rename modules/synapse/workspace/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/synapse/workspace/{.test => tests/e2e}/common/main.test.bicep (96%) rename modules/synapse/workspace/{.test => tests/e2e}/encrwsai/dependencies.bicep (100%) rename modules/synapse/workspace/{.test => tests/e2e}/encrwsai/main.test.bicep (97%) rename modules/synapse/workspace/{.test => tests/e2e}/encrwuai/dependencies.bicep (100%) rename modules/synapse/workspace/{.test => tests/e2e}/encrwuai/main.test.bicep (98%) rename modules/synapse/workspace/{.test => tests/e2e}/managedvnet/dependencies.bicep (100%) rename modules/synapse/workspace/{.test => tests/e2e}/managedvnet/main.test.bicep (97%) rename modules/synapse/workspace/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/synapse/workspace/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/virtual-machine-images/image-template/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/virtual-machine-images/image-template/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/virtual-machine-images/image-template/{.test => tests/e2e}/min/dependencies.bicep (100%) rename modules/virtual-machine-images/image-template/{.test => tests/e2e}/min/main.test.bicep (97%) rename modules/web/connection/{.test => 
tests/e2e}/common/dependencies.bicep (100%) rename modules/web/connection/{.test => tests/e2e}/common/main.test.bicep (97%) rename modules/web/hosting-environment/{.test => tests/e2e}/asev2/dependencies.bicep (100%) rename modules/web/hosting-environment/{.test => tests/e2e}/asev2/main.test.bicep (95%) rename modules/web/hosting-environment/{.test => tests/e2e}/asev3/dependencies.bicep (97%) rename modules/web/hosting-environment/{.test => tests/e2e}/asev3/main.test.bicep (96%) rename modules/web/serverfarm/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/web/serverfarm/{.test => tests/e2e}/common/main.test.bicep (95%) rename modules/web/site/{.test => tests/e2e}/functionAppCommon/dependencies.bicep (100%) rename modules/web/site/{.test => tests/e2e}/functionAppCommon/main.test.bicep (97%) rename modules/web/site/{.test => tests/e2e}/functionAppMin/dependencies.bicep (100%) rename modules/web/site/{.test => tests/e2e}/functionAppMin/main.test.bicep (97%) rename modules/web/site/{.test => tests/e2e}/webAppCommon/dependencies.bicep (100%) rename modules/web/site/{.test => tests/e2e}/webAppCommon/main.test.bicep (97%) rename modules/web/site/{.test => tests/e2e}/webAppMin/dependencies.bicep (100%) rename modules/web/site/{.test => tests/e2e}/webAppMin/main.test.bicep (97%) rename modules/web/static-site/{.test => tests/e2e}/common/dependencies.bicep (100%) rename modules/web/static-site/{.test => tests/e2e}/common/main.test.bicep (98%) rename modules/web/static-site/{.test => tests/e2e}/min/main.test.bicep (96%)
diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md
index b3c95193c2..573c6549dc 100644
--- a/docs/wiki/The library - Module design.md
+++ b/docs/wiki/The library - Module design.md
@@ -629,7 +629,7 @@ Dependency file (`dependencies.bicep`) guidelines:
 > :scroll: [Example of test using purge protected Key Vault dependency](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account/.test/encr)
- - If you need a Deployment Script to set additional non-template resources up (for example certificates/files, etc.), we recommend to store it as a file in the shared `modules/.shared/.scripts` folder and load it using the template function `loadTextContent()` (for example: `scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')`). This approach makes it easier to test & validate the logic and further allows reusing the same logic across multiple test cases.
+ - If you need a Deployment Script to set additional non-template resources up (for example certificates/files, etc.), we recommend to store it as a file in the shared `modules/.shared/.scripts` folder and load it using the template function `loadTextContent()` (for example: `scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')`). This approach makes it easier to test & validate the logic and further allows reusing the same logic across multiple test cases.
 # Telemetry
diff --git a/modules/aad/domain-service/.test/common/dependencies.bicep b/modules/aad/domain-service/tests/e2e/common/dependencies.bicep
similarity index 96%
rename from modules/aad/domain-service/.test/common/dependencies.bicep
rename to modules/aad/domain-service/tests/e2e/common/dependencies.bicep
index 8a704f3be0..0767cf436a 100644
--- a/modules/aad/domain-service/.test/common/dependencies.bicep
+++ b/modules/aad/domain-service/tests/e2e/common/dependencies.bicep
@@ -84,7 +84,7 @@ resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '3.0'
 retentionInterval: 'P1D'
 arguments: ' -KeyVaultName "${keyVault.name}" -ResourceGroupName "${resourceGroup().name}" -CertPWSecretName "${certPWSecretName}" -CertSecretName "${certSecretName}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1')
 }
 }
diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/aad/domain-service/.test/common/main.test.bicep
rename to modules/aad/domain-service/tests/e2e/common/main.test.bicep
index 59577a7f74..147548bc20 100644
--- a/modules/aad/domain-service/.test/common/main.test.bicep
+++ b/modules/aad/domain-service/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -68,7 +68,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
 scope: resourceGroup
 }
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/analysis-services/server/.test/common/dependencies.bicep b/modules/analysis-services/server/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/analysis-services/server/.test/common/dependencies.bicep
rename to modules/analysis-services/server/tests/e2e/common/dependencies.bicep
diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/analysis-services/server/.test/common/main.test.bicep
rename to modules/analysis-services/server/tests/e2e/common/main.test.bicep
index cbe024449b..f90426c6a4 100644
--- a/modules/analysis-services/server/.test/common/main.test.bicep
+++ b/modules/analysis-services/server/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/analysis-services/server/.test/max/dependencies.bicep b/modules/analysis-services/server/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/analysis-services/server/.test/max/dependencies.bicep
rename to modules/analysis-services/server/tests/e2e/max/dependencies.bicep
diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep
similarity index 95%
rename from modules/analysis-services/server/.test/max/main.test.bicep
rename to modules/analysis-services/server/tests/e2e/max/main.test.bicep
index 37ef2b9a70..41b6b1dcd0 100644
--- a/modules/analysis-services/server/.test/max/main.test.bicep
+++ b/modules/analysis-services/server/tests/e2e/max/main.test.bicep
@@ -41,7 +41,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -57,7 +57,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: az.resourceGroup(resourceGroupName)
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
diff --git a/modules/analysis-services/server/.test/min/main.test.bicep b/modules/analysis-services/server/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/analysis-services/server/.test/min/main.test.bicep
rename to modules/analysis-services/server/tests/e2e/min/main.test.bicep
index 2c00bf27fd..195a66ec25 100644
--- a/modules/analysis-services/server/.test/min/main.test.bicep
+++ b/modules/analysis-services/server/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/api-management/service/.test/common/dependencies.bicep b/modules/api-management/service/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/api-management/service/.test/common/dependencies.bicep rename to modules/api-management/service/tests/e2e/common/dependencies.bicep diff --git a/modules/api-management/service/.test/common/main.test.bicep b/modules/api-management/service/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/api-management/service/.test/common/main.test.bicep rename to modules/api-management/service/tests/e2e/common/main.test.bicep index b2435a08bf..36998d40bd 100644 --- a/modules/api-management/service/.test/common/main.test.bicep +++ b/modules/api-management/service/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/api-management/service/.test/max/dependencies.bicep b/modules/api-management/service/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/api-management/service/.test/max/dependencies.bicep rename to modules/api-management/service/tests/e2e/max/dependencies.bicep 
diff --git a/modules/api-management/service/.test/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep similarity index 97% rename from modules/api-management/service/.test/max/main.test.bicep rename to modules/api-management/service/tests/e2e/max/main.test.bicep index 4311cd5ebb..75ed04fb5a 100644 --- a/modules/api-management/service/.test/max/main.test.bicep +++ b/modules/api-management/service/tests/e2e/max/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/api-management/service/.test/min/main.test.bicep b/modules/api-management/service/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/api-management/service/.test/min/main.test.bicep rename to modules/api-management/service/tests/e2e/min/main.test.bicep index 0f6785d024..1e18f22439 100644 --- a/modules/api-management/service/.test/min/main.test.bicep +++ b/modules/api-management/service/tests/e2e/min/main.test.bicep 
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app-configuration/configuration-store/.test/common/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/app-configuration/configuration-store/.test/common/dependencies.bicep rename to modules/app-configuration/configuration-store/tests/e2e/common/dependencies.bicep diff --git a/modules/app-configuration/configuration-store/.test/common/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/app-configuration/configuration-store/.test/common/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep index 53df736af2..c78f7c1c25 100644 --- a/modules/app-configuration/configuration-store/.test/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app-configuration/configuration-store/.test/encr/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep similarity index 100% rename from modules/app-configuration/configuration-store/.test/encr/dependencies.bicep rename to modules/app-configuration/configuration-store/tests/e2e/encr/dependencies.bicep diff --git a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep similarity index 98% rename from modules/app-configuration/configuration-store/.test/encr/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep index a0e639988a..fbe976165f 100644 --- a/modules/app-configuration/configuration-store/.test/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app-configuration/configuration-store/.test/min/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/app-configuration/configuration-store/.test/min/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/min/main.test.bicep index 05c1075df5..c791402a8d 100644 
--- a/modules/app-configuration/configuration-store/.test/min/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app-configuration/configuration-store/.test/pe/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep similarity index 100% rename from modules/app-configuration/configuration-store/.test/pe/dependencies.bicep rename to modules/app-configuration/configuration-store/tests/e2e/pe/dependencies.bicep diff --git a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep similarity index 97% rename from modules/app-configuration/configuration-store/.test/pe/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep index 8b5d2ee82c..a8367ca982 100644 --- a/modules/app-configuration/configuration-store/.test/pe/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/app/container-app/.test/common/dependencies.bicep b/modules/app/container-app/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/app/container-app/.test/common/dependencies.bicep rename to modules/app/container-app/tests/e2e/common/dependencies.bicep diff --git a/modules/app/container-app/.test/common/main.test.bicep b/modules/app/container-app/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/app/container-app/.test/common/main.test.bicep rename to modules/app/container-app/tests/e2e/common/main.test.bicep index 70db0d5eef..9d5a65c93b 100644 --- a/modules/app/container-app/.test/common/main.test.bicep +++ b/modules/app/container-app/tests/e2e/common/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app/container-app/.test/min/dependencies.bicep b/modules/app/container-app/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/app/container-app/.test/min/dependencies.bicep rename to modules/app/container-app/tests/e2e/min/dependencies.bicep diff --git a/modules/app/container-app/.test/min/main.test.bicep b/modules/app/container-app/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/app/container-app/.test/min/main.test.bicep rename to modules/app/container-app/tests/e2e/min/main.test.bicep index ac2621ddef..33c8893ba4 100644 --- a/modules/app/container-app/.test/min/main.test.bicep +++ b/modules/app/container-app/tests/e2e/min/main.test.bicep 
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app/job/.test/common/dependencies.bicep b/modules/app/job/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/app/job/.test/common/dependencies.bicep rename to modules/app/job/tests/e2e/common/dependencies.bicep diff --git a/modules/app/job/.test/common/main.test.bicep b/modules/app/job/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/app/job/.test/common/main.test.bicep rename to modules/app/job/tests/e2e/common/main.test.bicep index 5d608f7db8..2ec0467680 100644 --- a/modules/app/job/.test/common/main.test.bicep +++ b/modules/app/job/tests/e2e/common/main.test.bicep @@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app/job/.test/min/dependencies.bicep b/modules/app/job/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/app/job/.test/min/dependencies.bicep rename to modules/app/job/tests/e2e/min/dependencies.bicep diff --git a/modules/app/job/.test/min/main.test.bicep b/modules/app/job/tests/e2e/min/main.test.bicep similarity index 98% rename from modules/app/job/.test/min/main.test.bicep rename to modules/app/job/tests/e2e/min/main.test.bicep index b1e06bbb23..d09eaa87c6 100644 --- a/modules/app/job/.test/min/main.test.bicep +++ b/modules/app/job/tests/e2e/min/main.test.bicep 
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app/managed-environment/.test/common/dependencies.bicep b/modules/app/managed-environment/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/app/managed-environment/.test/common/dependencies.bicep rename to modules/app/managed-environment/tests/e2e/common/dependencies.bicep diff --git a/modules/app/managed-environment/.test/common/main.test.bicep b/modules/app/managed-environment/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/app/managed-environment/.test/common/main.test.bicep rename to modules/app/managed-environment/tests/e2e/common/main.test.bicep index cd936f208c..16b5f39842 100644 --- a/modules/app/managed-environment/.test/common/main.test.bicep +++ b/modules/app/managed-environment/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/app/managed-environment/.test/min/dependencies.bicep b/modules/app/managed-environment/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/app/managed-environment/.test/min/dependencies.bicep rename to modules/app/managed-environment/tests/e2e/min/dependencies.bicep 
diff --git a/modules/app/managed-environment/.test/min/main.test.bicep b/modules/app/managed-environment/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/app/managed-environment/.test/min/main.test.bicep rename to modules/app/managed-environment/tests/e2e/min/main.test.bicep index 63e784e123..89142b2b49 100644 --- a/modules/app/managed-environment/.test/min/main.test.bicep +++ b/modules/app/managed-environment/tests/e2e/min/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/authorization/lock/.test/common/main.test.bicep b/modules/authorization/lock/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/authorization/lock/.test/common/main.test.bicep rename to modules/authorization/lock/tests/e2e/common/main.test.bicep index 69c8663433..177e5f5000 100644 --- a/modules/authorization/lock/.test/common/main.test.bicep +++ b/modules/authorization/lock/tests/e2e/common/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-assignment/.test/mg.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep similarity index 98% rename from modules/authorization/policy-assignment/.test/mg.common/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep index 41534b09c2..95285f90ac 100644 
--- a/modules/authorization/policy-assignment/.test/mg.common/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/mg.common/main.test.bicep @@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-assignment/.test/mg.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep similarity index 95% rename from modules/authorization/policy-assignment/.test/mg.min/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep index 52ec70dc45..d0d00c55f3 100644 --- a/modules/authorization/policy-assignment/.test/mg.min/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/mg.min/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-assignment/.test/rg.common/dependencies.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep similarity index 100% rename from modules/authorization/policy-assignment/.test/rg.common/dependencies.bicep rename to modules/authorization/policy-assignment/tests/e2e/rg.common/dependencies.bicep 
diff --git a/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep similarity index 98% rename from modules/authorization/policy-assignment/.test/rg.common/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep index e32a642345..3c64f5e2c1 100644 --- a/modules/authorization/policy-assignment/.test/rg.common/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/rg.common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep similarity index 96% rename from modules/authorization/policy-assignment/.test/rg.min/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep index f84a97178a..2953f4aace 100644 --- a/modules/authorization/policy-assignment/.test/rg.min/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/rg.min/main.test.bicep @@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { 
diff --git a/modules/authorization/policy-assignment/.test/sub.common/dependencies.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep similarity index 100% rename from modules/authorization/policy-assignment/.test/sub.common/dependencies.bicep rename to modules/authorization/policy-assignment/tests/e2e/sub.common/dependencies.bicep diff --git a/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep similarity index 98% rename from modules/authorization/policy-assignment/.test/sub.common/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep index 5ac56a6167..cb3c088c6c 100644 --- a/modules/authorization/policy-assignment/.test/sub.common/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/sub.common/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-assignment/.test/sub.min/main.test.bicep b/modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep similarity index 94% rename from modules/authorization/policy-assignment/.test/sub.min/main.test.bicep rename to modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep index 3713ee147a..d9039eca58 100644 --- a/modules/authorization/policy-assignment/.test/sub.min/main.test.bicep +++ b/modules/authorization/policy-assignment/tests/e2e/sub.min/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-definition/.test/mg.common/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep similarity index 97% rename from modules/authorization/policy-definition/.test/mg.common/main.test.bicep rename to modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep index f6f17baa93..df669b50c3 100644 --- a/modules/authorization/policy-definition/.test/mg.common/main.test.bicep +++ b/modules/authorization/policy-definition/tests/e2e/mg.common/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-definition/.test/mg.min/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep similarity index 94% rename from modules/authorization/policy-definition/.test/mg.min/main.test.bicep rename to modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep index c9ca91e9a3..26408738b1 100644 --- a/modules/authorization/policy-definition/.test/mg.min/main.test.bicep +++ b/modules/authorization/policy-definition/tests/e2e/mg.min/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-definition/.test/sub.common/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep similarity index 97% rename from modules/authorization/policy-definition/.test/sub.common/main.test.bicep rename to modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep index 40f5feaa19..735058877b 100644 --- a/modules/authorization/policy-definition/.test/sub.common/main.test.bicep +++ b/modules/authorization/policy-definition/tests/e2e/sub.common/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-definition/.test/sub.min/main.test.bicep b/modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep similarity index 94% rename from modules/authorization/policy-definition/.test/sub.min/main.test.bicep rename to modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep index 75854be68d..8e0f2c8c48 100644 --- a/modules/authorization/policy-definition/.test/sub.min/main.test.bicep +++ b/modules/authorization/policy-definition/tests/e2e/sub.min/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-exemption/.test/mg.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep similarity index 97% rename from modules/authorization/policy-exemption/.test/mg.common/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep index 30ce7cd012..4832fa018c 100644 --- a/modules/authorization/policy-exemption/.test/mg.common/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/mg.common/main.test.bicep @@ -81,7 +81,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-exemption/.test/mg.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep similarity index 95% rename from modules/authorization/policy-exemption/.test/mg.min/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep index 05067f1656..d34ab40cdb 100644 --- a/modules/authorization/policy-exemption/.test/mg.min/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/mg.min/main.test.bicep 
@@ -35,7 +35,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep similarity index 98% rename from modules/authorization/policy-exemption/.test/rg.common/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep index af4faa0c25..650cefa0b3 100644 --- a/modules/authorization/policy-exemption/.test/rg.common/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/rg.common/main.test.bicep @@ -89,7 +89,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep similarity index 96% rename from modules/authorization/policy-exemption/.test/rg.min/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep index 9f2269817c..49828f611d 100644 --- a/modules/authorization/policy-exemption/.test/rg.min/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/rg.min/main.test.bicep 
@@ -44,7 +44,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/policy-exemption/.test/sub.common/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep similarity index 97% rename from modules/authorization/policy-exemption/.test/sub.common/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep index 8f51cf6dc9..ac0f4d16eb 100644 --- a/modules/authorization/policy-exemption/.test/sub.common/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/sub.common/main.test.bicep @@ -80,7 +80,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-exemption/.test/sub.min/main.test.bicep b/modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep similarity index 95% rename from modules/authorization/policy-exemption/.test/sub.min/main.test.bicep rename to modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep index fdc51ea925..c3a5b57b44 100644 --- a/modules/authorization/policy-exemption/.test/sub.min/main.test.bicep +++ b/modules/authorization/policy-exemption/tests/e2e/sub.min/main.test.bicep 
@@ -35,7 +35,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-set-definition/.test/mg.common/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep similarity index 96% rename from modules/authorization/policy-set-definition/.test/mg.common/main.test.bicep rename to modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep index 7836687bb8..0f5653cc1f 100644 --- a/modules/authorization/policy-set-definition/.test/mg.common/main.test.bicep +++ b/modules/authorization/policy-set-definition/tests/e2e/mg.common/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-set-definition/.test/mg.min/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep similarity index 94% rename from modules/authorization/policy-set-definition/.test/mg.min/main.test.bicep rename to modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep index 1f84c6e7a8..8ad45325f9 100644 --- a/modules/authorization/policy-set-definition/.test/mg.min/main.test.bicep +++ b/modules/authorization/policy-set-definition/tests/e2e/mg.min/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-set-definition/.test/sub.common/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep similarity index 97% rename from modules/authorization/policy-set-definition/.test/sub.common/main.test.bicep rename to modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep index c685542166..dfe66dba51 100644 --- a/modules/authorization/policy-set-definition/.test/sub.common/main.test.bicep +++ b/modules/authorization/policy-set-definition/tests/e2e/sub.common/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/policy-set-definition/.test/sub.min/main.test.bicep b/modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep similarity index 94% rename from modules/authorization/policy-set-definition/.test/sub.min/main.test.bicep rename to modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep index 2e246457e9..9057a849b5 100644 --- a/modules/authorization/policy-set-definition/.test/sub.min/main.test.bicep +++ b/modules/authorization/policy-set-definition/tests/e2e/sub.min/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-assignment/.test/mg.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/mg.common/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/mg.common/interim.dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/mg.common/interim.dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/mg.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/mg.common/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index 7e87bc88b2..336f3cd4bd 100644 --- a/modules/authorization/role-assignment/.test/mg.common/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep 
@@ -40,7 +40,7 @@ module nestedDependencies 'interim.dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-assignment/.test/mg.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/mg.min/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/mg.min/interim.dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/mg.min/interim.dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/mg.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/mg.min/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep index 96d88fc845..62cc16085c 100644 --- a/modules/authorization/role-assignment/.test/mg.min/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep @@ -40,7 +40,7 @@ module nestedDependencies 'interim.dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry 
diff --git a/modules/authorization/role-assignment/.test/rg.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/rg.common/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/rg.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/rg.common/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep index 57afbad937..c4a6b7ea07 100644 --- a/modules/authorization/role-assignment/.test/rg.common/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/role-assignment/.test/rg.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/rg.min/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/rg.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/rg.min/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep index 62cdccccac..ca2f37a9ab 100644 
--- a/modules/authorization/role-assignment/.test/rg.min/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/role-assignment/.test/sub.common/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/sub.common/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/sub.common/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/sub.common/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep index 96f2dede38..77a6b7883c 100644 --- a/modules/authorization/role-assignment/.test/sub.common/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry 
diff --git a/modules/authorization/role-assignment/.test/sub.min/dependencies.bicep b/modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep similarity index 100% rename from modules/authorization/role-assignment/.test/sub.min/dependencies.bicep rename to modules/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep diff --git a/modules/authorization/role-assignment/.test/sub.min/main.test.bicep b/modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep similarity index 96% rename from modules/authorization/role-assignment/.test/sub.min/main.test.bicep rename to modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep index 20fc2149a8..90242be1d0 100644 --- a/modules/authorization/role-assignment/.test/sub.min/main.test.bicep +++ b/modules/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-definition/.test/mg.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep similarity index 94% rename from modules/authorization/role-definition/.test/mg.common/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep index a8e253f92d..4a11b95b59 100644 --- a/modules/authorization/role-definition/.test/mg.common/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/mg.common/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-definition/.test/mg.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep similarity index 93% rename from modules/authorization/role-definition/.test/mg.min/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep index 88900f3816..67848fd6db 100644 --- a/modules/authorization/role-definition/.test/mg.min/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/mg.min/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../management-group/main.bicep' = { +module testDeployment '../../../management-group/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-definition/.test/rg.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep similarity index 96% rename from modules/authorization/role-definition/.test/rg.common/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep index 56f0ddfaa3..b4f16419dc 100644 --- a/modules/authorization/role-definition/.test/rg.common/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/rg.common/main.test.bicep 
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/role-definition/.test/rg.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep similarity index 95% rename from modules/authorization/role-definition/.test/rg.min/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep index 63ce946cc0..632a73d713 100644 --- a/modules/authorization/role-definition/.test/rg.min/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/rg.min/main.test.bicep @@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../resource-group/main.bicep' = { +module testDeployment '../../../resource-group/main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/authorization/role-definition/.test/sub.common/main.test.bicep b/modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep similarity index 95% rename from modules/authorization/role-definition/.test/sub.common/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep index d047b4a37d..9e7bdf1096 100644 --- a/modules/authorization/role-definition/.test/sub.common/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/sub.common/main.test.bicep 
@@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/authorization/role-definition/.test/sub.min/main.test.bicep b/modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep similarity index 93% rename from modules/authorization/role-definition/.test/sub.min/main.test.bicep rename to modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep index b91931fef3..e03ba0142c 100644 --- a/modules/authorization/role-definition/.test/sub.min/main.test.bicep +++ b/modules/authorization/role-definition/tests/e2e/sub.min/main.test.bicep @@ -17,7 +17,7 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../subscription/main.bicep' = { +module testDeployment '../../../subscription/main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/automation/automation-account/.test/common/dependencies.bicep b/modules/automation/automation-account/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/automation/automation-account/.test/common/dependencies.bicep rename to modules/automation/automation-account/tests/e2e/common/dependencies.bicep diff --git a/modules/automation/automation-account/.test/common/main.test.bicep b/modules/automation/automation-account/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/automation/automation-account/.test/common/main.test.bicep rename to modules/automation/automation-account/tests/e2e/common/main.test.bicep index 38861ec093..e21d40167d 100644 
--- a/modules/automation/automation-account/.test/common/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/automation/automation-account/.test/encr/dependencies.bicep b/modules/automation/automation-account/tests/e2e/encr/dependencies.bicep similarity index 100% rename from modules/automation/automation-account/.test/encr/dependencies.bicep rename to modules/automation/automation-account/tests/e2e/encr/dependencies.bicep diff --git a/modules/automation/automation-account/.test/encr/main.test.bicep b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep similarity index 97% rename from modules/automation/automation-account/.test/encr/main.test.bicep rename to modules/automation/automation-account/tests/e2e/encr/main.test.bicep index f417d2261d..4c72655f49 100644 --- a/modules/automation/automation-account/.test/encr/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep 
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/automation/automation-account/.test/min/main.test.bicep b/modules/automation/automation-account/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/automation/automation-account/.test/min/main.test.bicep rename to modules/automation/automation-account/tests/e2e/min/main.test.bicep index 775f93260b..1c536702fe 100644 --- a/modules/automation/automation-account/.test/min/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/batch/batch-account/.test/common/dependencies.bicep b/modules/batch/batch-account/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/batch/batch-account/.test/common/dependencies.bicep rename to modules/batch/batch-account/tests/e2e/common/dependencies.bicep diff --git a/modules/batch/batch-account/.test/common/main.test.bicep b/modules/batch/batch-account/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/batch/batch-account/.test/common/main.test.bicep rename to modules/batch/batch-account/tests/e2e/common/main.test.bicep index 8187f404f6..0da35a50a1 100644 --- a/modules/batch/batch-account/.test/common/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/common/main.test.bicep 
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/batch/batch-account/.test/encr/dependencies.bicep b/modules/batch/batch-account/tests/e2e/encr/dependencies.bicep similarity index 100% rename from modules/batch/batch-account/.test/encr/dependencies.bicep rename to modules/batch/batch-account/tests/e2e/encr/dependencies.bicep diff --git a/modules/batch/batch-account/.test/encr/main.test.bicep b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep similarity index 98% rename from modules/batch/batch-account/.test/encr/main.test.bicep rename to modules/batch/batch-account/tests/e2e/encr/main.test.bicep index c3ae0ef1cc..a50db3f7d6 100644 --- a/modules/batch/batch-account/.test/encr/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep @@ -50,7 +50,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/batch/batch-account/.test/min/dependencies.bicep b/modules/batch/batch-account/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/batch/batch-account/.test/min/dependencies.bicep rename to modules/batch/batch-account/tests/e2e/min/dependencies.bicep diff --git a/modules/batch/batch-account/.test/min/main.test.bicep b/modules/batch/batch-account/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/batch/batch-account/.test/min/main.test.bicep rename to modules/batch/batch-account/tests/e2e/min/main.test.bicep index 4e9f4bd0f4..dedd65a96c 100644 --- a/modules/batch/batch-account/.test/min/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/min/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/cache/redis-enterprise/.test/common/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/cache/redis-enterprise/.test/common/dependencies.bicep rename to modules/cache/redis-enterprise/tests/e2e/common/dependencies.bicep diff --git a/modules/cache/redis-enterprise/.test/common/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/cache/redis-enterprise/.test/common/main.test.bicep rename to modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep index ec7d8af260..ee1edf7edf 100644 --- a/modules/cache/redis-enterprise/.test/common/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep 
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/cache/redis-enterprise/.test/geo/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep similarity index 100% rename from modules/cache/redis-enterprise/.test/geo/dependencies.bicep rename to modules/cache/redis-enterprise/tests/e2e/geo/dependencies.bicep diff --git a/modules/cache/redis-enterprise/.test/geo/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep similarity index 98% rename from modules/cache/redis-enterprise/.test/geo/main.test.bicep rename to modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep index 6bf434e55f..f91f72b254 100644 --- a/modules/cache/redis-enterprise/.test/geo/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { var redisCacheEnterpriseName = '${namePrefix}${serviceShort}001' var redisCacheEnterpriseExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Cache/redisEnterprise/${redisCacheEnterpriseName}' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/cache/redis-enterprise/.test/min/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/cache/redis-enterprise/.test/min/main.test.bicep rename to modules/cache/redis-enterprise/tests/e2e/min/main.test.bicep index 768b4cb167..5ac671c1b6 100644 --- a/modules/cache/redis-enterprise/.test/min/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/cache/redis/.test/common/dependencies.bicep b/modules/cache/redis/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/cache/redis/.test/common/dependencies.bicep rename to modules/cache/redis/tests/e2e/common/dependencies.bicep diff --git a/modules/cache/redis/.test/common/main.test.bicep b/modules/cache/redis/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/cache/redis/.test/common/main.test.bicep rename to modules/cache/redis/tests/e2e/common/main.test.bicep index eba4aadbe5..75f0cb1f22 100644 --- a/modules/cache/redis/.test/common/main.test.bicep +++ b/modules/cache/redis/tests/e2e/common/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/cache/redis/.test/min/main.test.bicep b/modules/cache/redis/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/cache/redis/.test/min/main.test.bicep rename to modules/cache/redis/tests/e2e/min/main.test.bicep index f2bdf186e7..4c8ef85da3 100644 --- a/modules/cache/redis/.test/min/main.test.bicep +++ b/modules/cache/redis/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/cdn/profile/.test/afd/dependencies.bicep b/modules/cdn/profile/tests/e2e/afd/dependencies.bicep similarity index 100% rename from modules/cdn/profile/.test/afd/dependencies.bicep rename to modules/cdn/profile/tests/e2e/afd/dependencies.bicep diff --git a/modules/cdn/profile/.test/afd/main.test.bicep b/modules/cdn/profile/tests/e2e/afd/main.test.bicep similarity index 98% rename from modules/cdn/profile/.test/afd/main.test.bicep rename to modules/cdn/profile/tests/e2e/afd/main.test.bicep index 516f35298a..391920c781 100644 --- a/modules/cdn/profile/.test/afd/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/afd/main.test.bicep 
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/cdn/profile/.test/common/dependencies.bicep b/modules/cdn/profile/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/cdn/profile/.test/common/dependencies.bicep
rename to modules/cdn/profile/tests/e2e/common/dependencies.bicep
diff --git a/modules/cdn/profile/.test/common/main.test.bicep b/modules/cdn/profile/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/cdn/profile/.test/common/main.test.bicep
rename to modules/cdn/profile/tests/e2e/common/main.test.bicep
index 1d6b703c01..9185beffba 100644
--- a/modules/cdn/profile/.test/common/main.test.bicep
+++ b/modules/cdn/profile/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/cognitive-services/account/.test/common/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/cognitive-services/account/.test/common/dependencies.bicep
rename to modules/cognitive-services/account/tests/e2e/common/dependencies.bicep
diff --git a/modules/cognitive-services/account/.test/common/main.test.bicep b/modules/cognitive-services/account/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/cognitive-services/account/.test/common/main.test.bicep
rename to modules/cognitive-services/account/tests/e2e/common/main.test.bicep
index a4c6701e77..0820e443b1 100644
--- a/modules/cognitive-services/account/.test/common/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/cognitive-services/account/.test/encr/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/cognitive-services/account/.test/encr/dependencies.bicep
rename to modules/cognitive-services/account/tests/e2e/encr/dependencies.bicep
diff --git a/modules/cognitive-services/account/.test/encr/main.test.bicep b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/cognitive-services/account/.test/encr/main.test.bicep
rename to modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
index 442d5c02fb..aa2163900a 100644
--- a/modules/cognitive-services/account/.test/encr/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/cognitive-services/account/.test/min/main.test.bicep b/modules/cognitive-services/account/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/cognitive-services/account/.test/min/main.test.bicep
rename to modules/cognitive-services/account/tests/e2e/min/main.test.bicep
index 82892d7e39..e597ad984c 100644
--- a/modules/cognitive-services/account/.test/min/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/cognitive-services/account/.test/speech/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep
similarity index 100%
rename from modules/cognitive-services/account/.test/speech/dependencies.bicep
rename to modules/cognitive-services/account/tests/e2e/speech/dependencies.bicep
diff --git a/modules/cognitive-services/account/.test/speech/main.test.bicep b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
similarity index 98%
rename from modules/cognitive-services/account/.test/speech/main.test.bicep
rename to modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
index d131eefbec..0ec0c858c4 100644
--- a/modules/cognitive-services/account/.test/speech/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/availability-set/.test/common/dependencies.bicep b/modules/compute/availability-set/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/compute/availability-set/.test/common/dependencies.bicep
rename to modules/compute/availability-set/tests/e2e/common/dependencies.bicep
diff --git a/modules/compute/availability-set/.test/common/main.test.bicep b/modules/compute/availability-set/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/compute/availability-set/.test/common/main.test.bicep
rename to modules/compute/availability-set/tests/e2e/common/main.test.bicep
index 17f56e1c0f..16687f42ea 100644
--- a/modules/compute/availability-set/.test/common/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/availability-set/.test/min/main.test.bicep b/modules/compute/availability-set/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/compute/availability-set/.test/min/main.test.bicep
rename to modules/compute/availability-set/tests/e2e/min/main.test.bicep
index 0881b94536..d2e69aba00 100644
--- a/modules/compute/availability-set/.test/min/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep
similarity index 100%
rename from modules/compute/disk-encryption-set/.test/accessPolicies/dependencies.bicep
rename to modules/compute/disk-encryption-set/tests/e2e/accessPolicies/dependencies.bicep
diff --git a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
similarity index 98%
rename from modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep
rename to modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
index be6f6c5b35..7baafd495c 100644
--- a/modules/compute/disk-encryption-set/.test/accessPolicies/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk-encryption-set/.test/common/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/compute/disk-encryption-set/.test/common/dependencies.bicep
rename to modules/compute/disk-encryption-set/tests/e2e/common/dependencies.bicep
diff --git a/modules/compute/disk-encryption-set/.test/common/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/compute/disk-encryption-set/.test/common/main.test.bicep
rename to modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep
index f1dbf22a72..608b7921c7 100644
--- a/modules/compute/disk-encryption-set/.test/common/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep
@@ -51,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk/.test/common/dependencies.bicep b/modules/compute/disk/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/compute/disk/.test/common/dependencies.bicep
rename to modules/compute/disk/tests/e2e/common/dependencies.bicep
diff --git a/modules/compute/disk/.test/common/main.test.bicep b/modules/compute/disk/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/compute/disk/.test/common/main.test.bicep
rename to modules/compute/disk/tests/e2e/common/main.test.bicep
index 7a5b019c2d..ecbf2ab2d9 100644
--- a/modules/compute/disk/.test/common/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk/.test/image/dependencies.bicep b/modules/compute/disk/tests/e2e/image/dependencies.bicep
similarity index 100%
rename from modules/compute/disk/.test/image/dependencies.bicep
rename to modules/compute/disk/tests/e2e/image/dependencies.bicep
diff --git a/modules/compute/disk/.test/image/main.test.bicep b/modules/compute/disk/tests/e2e/image/main.test.bicep
similarity index 97%
rename from modules/compute/disk/.test/image/main.test.bicep
rename to modules/compute/disk/tests/e2e/image/main.test.bicep
index 3038d1b07b..27dd941489 100644
--- a/modules/compute/disk/.test/image/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/image/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk/.test/import/dependencies.bicep b/modules/compute/disk/tests/e2e/import/dependencies.bicep
similarity index 95%
rename from modules/compute/disk/.test/import/dependencies.bicep
rename to modules/compute/disk/tests/e2e/import/dependencies.bicep
index ceb6c9f6db..aa2912f2ec 100644
--- a/modules/compute/disk/.test/import/dependencies.bicep
+++ b/modules/compute/disk/tests/e2e/import/dependencies.bicep
@@ -108,7 +108,7 @@ resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@202
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Start-ImageTemplate.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1')
 cleanupPreference: 'OnSuccess'
 forceUpdateTag: baseTime
 }
@@ -132,7 +132,7 @@ resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1')
 cleanupPreference: 'OnSuccess'
 forceUpdateTag: baseTime
 }
diff --git a/modules/compute/disk/.test/import/dependencies_rbac.bicep b/modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep
similarity index 100%
rename from modules/compute/disk/.test/import/dependencies_rbac.bicep
rename to modules/compute/disk/tests/e2e/import/dependencies_rbac.bicep
diff --git a/modules/compute/disk/.test/import/main.test.bicep b/modules/compute/disk/tests/e2e/import/main.test.bicep
similarity index 98%
rename from modules/compute/disk/.test/import/main.test.bicep
rename to modules/compute/disk/tests/e2e/import/main.test.bicep
index 7acdeafcbe..d3f891d57f 100644
--- a/modules/compute/disk/.test/import/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/import/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/disk/.test/min/main.test.bicep b/modules/compute/disk/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/compute/disk/.test/min/main.test.bicep
rename to modules/compute/disk/tests/e2e/min/main.test.bicep
index 00ddc7f8c9..68c1b85ac6 100644
--- a/modules/compute/disk/.test/min/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/min/main.test.bicep
@@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/gallery/.test/common/dependencies.bicep b/modules/compute/gallery/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/compute/gallery/.test/common/dependencies.bicep
rename to modules/compute/gallery/tests/e2e/common/dependencies.bicep
diff --git a/modules/compute/gallery/.test/common/main.test.bicep b/modules/compute/gallery/tests/e2e/common/main.test.bicep
similarity index 99%
rename from modules/compute/gallery/.test/common/main.test.bicep
rename to modules/compute/gallery/tests/e2e/common/main.test.bicep
index ca9db82385..063c8b4719 100644
--- a/modules/compute/gallery/.test/common/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/gallery/.test/min/main.test.bicep b/modules/compute/gallery/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/compute/gallery/.test/min/main.test.bicep
rename to modules/compute/gallery/tests/e2e/min/main.test.bicep
index 86f8f257b5..690725cdd9 100644
--- a/modules/compute/gallery/.test/min/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/image/.test/common/dependencies.bicep b/modules/compute/image/tests/e2e/common/dependencies.bicep
similarity index 97%
rename from modules/compute/image/.test/common/dependencies.bicep
rename to modules/compute/image/tests/e2e/common/dependencies.bicep
index 94c7ebd169..2a31d8730b 100644
--- a/modules/compute/image/.test/common/dependencies.bicep
+++ b/modules/compute/image/tests/e2e/common/dependencies.bicep
@@ -115,7 +115,7 @@ resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@202
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Start-ImageTemplate.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1')
 cleanupPreference: 'OnSuccess'
 forceUpdateTag: baseTime
 }
@@ -139,7 +139,7 @@ resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1')
 cleanupPreference: 'OnSuccess'
 forceUpdateTag: baseTime
 }
diff --git a/modules/compute/image/.test/common/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/common/dependencies_rbac.bicep
similarity index 100%
rename from modules/compute/image/.test/common/dependencies_rbac.bicep
rename to modules/compute/image/tests/e2e/common/dependencies_rbac.bicep
diff --git a/modules/compute/image/.test/common/main.test.bicep b/modules/compute/image/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/compute/image/.test/common/main.test.bicep
rename to modules/compute/image/tests/e2e/common/main.test.bicep
index edb30dddbc..8d1d8cea78 100644
--- a/modules/compute/image/.test/common/main.test.bicep
+++ b/modules/compute/image/tests/e2e/common/main.test.bicep
@@ -55,7 +55,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/proximity-placement-group/.test/common/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/compute/proximity-placement-group/.test/common/dependencies.bicep
rename to modules/compute/proximity-placement-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/compute/proximity-placement-group/.test/common/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/compute/proximity-placement-group/.test/common/main.test.bicep
rename to modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep
index a4dcb9881d..0256dec55a 100644
--- a/modules/compute/proximity-placement-group/.test/common/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/proximity-placement-group/.test/min/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/compute/proximity-placement-group/.test/min/main.test.bicep
rename to modules/compute/proximity-placement-group/tests/e2e/min/main.test.bicep
index 1805333d13..47ce68a6d6 100644
--- a/modules/compute/proximity-placement-group/.test/min/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/ssh-public-key/.test/common/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/common/dependencies.bicep
similarity index 96%
rename from modules/compute/ssh-public-key/.test/common/dependencies.bicep
rename to modules/compute/ssh-public-key/tests/e2e/common/dependencies.bicep
index 4fba7f9e81..13a584595b 100644
--- a/modules/compute/ssh-public-key/.test/common/dependencies.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/common/dependencies.bicep
@@ -42,7 +42,7 @@ resource createPubKeyScript 'Microsoft.Resources/deploymentScripts@2020-10-01' =
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-ResourceGroupName ${resourceGroup().name} -SSHKeyName ${sshKeyName}'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 cleanupPreference: 'OnExpiration'
 forceUpdateTag: utcValue
 }
diff --git a/modules/compute/ssh-public-key/.test/common/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/compute/ssh-public-key/.test/common/main.test.bicep
rename to modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep
index f40946b0cf..420a4d9f6d 100644
--- a/modules/compute/ssh-public-key/.test/common/main.test.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/ssh-public-key/.test/min/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/compute/ssh-public-key/.test/min/main.test.bicep
rename to modules/compute/ssh-public-key/tests/e2e/min/main.test.bicep
index 02a014853b..a44d0b7d0c 100644
--- a/modules/compute/ssh-public-key/.test/min/main.test.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/min/main.test.bicep
@@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.min/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep
similarity index 96%
rename from modules/compute/virtual-machine-scale-set/.test/linux.min/dependencies.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep
index 16cf8889d8..b302bdc0c9 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.min/dependencies.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/dependencies.bicep
@@ -64,7 +64,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
index 3e94abd26d..110a696ad0 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep
similarity index 98%
rename from modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/dependencies.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep
index a328f1decc..db780eec3b 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/dependencies.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/dependencies.bicep
@@ -123,7 +123,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
index e78d392469..a574e6b411 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux.ssecmk/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
@@ -52,7 +52,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep
similarity index 97%
rename from modules/compute/virtual-machine-scale-set/.test/linux/dependencies.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep
index 037c0420ca..556eb44538 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux/dependencies.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/dependencies.bicep
@@ -126,7 +126,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-BlobContent.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
@@ -147,7 +147,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
similarity index 97%
rename from modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
index 76e6e02285..3ba0990f66 100644
--- a/modules/compute/virtual-machine-scale-set/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows.min/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep
similarity index 100%
rename from modules/compute/virtual-machine-scale-set/.test/windows.min/dependencies.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/dependencies.bicep
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
index 9beeb880a2..6afe0758de 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/dependencies.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep
similarity index 98%
rename from modules/compute/virtual-machine-scale-set/.test/windows/dependencies.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep
index 756b22af61..b205e4d85c 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows/dependencies.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/dependencies.bicep
@@ -123,7 +123,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-BlobContent.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
similarity index 97%
rename from modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
rename to modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
index 705d245b20..2269ee9558 100644
--- a/modules/compute/virtual-machine-scale-set/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
@@ -50,7 +50,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -66,7 +66,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/linux.atmg/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep
similarity index 96%
rename from modules/compute/virtual-machine/.test/linux.atmg/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep
index 567643dfac..d8b2e100e0 100644
--- a/modules/compute/virtual-machine/.test/linux.atmg/dependencies.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux.atmg/dependencies.bicep
@@ -64,7 +64,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: ' -SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep
index 5bb0690a4e..4e53732a23 100644
--- a/modules/compute/virtual-machine/.test/linux.atmg/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux.atmg/main.test.bicep
@@ -52,7 +52,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // scope: resourceGroup
 // }
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/linux.min/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep
similarity index 96%
rename from modules/compute/virtual-machine/.test/linux.min/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep
index 7bf89c0cdc..c88f2b1230 100644
--- a/modules/compute/virtual-machine/.test/linux.min/dependencies.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux.min/dependencies.bicep
@@ -64,7 +64,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine/.test/linux.min/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/linux.min/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep
index 6b00f10652..4c3fffb43d 100644
--- a/modules/compute/virtual-machine/.test/linux.min/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux.min/main.test.bicep
@@ -52,7 +52,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // scope: resourceGroup
 // }
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/linux/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/linux/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep
index b1e78465cf..4dbd74b07b 100644
--- a/modules/compute/virtual-machine/.test/linux/dependencies.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux/dependencies.bicep
@@ -255,7 +255,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-BlobContent.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
@@ -276,7 +276,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/New-SSHKey.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine/.test/linux/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/linux/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep
index 7832d8e74d..1e0d29b188 100644
--- a/modules/compute/virtual-machine/.test/linux/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep
@@ -51,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -67,7 +67,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/windows.atmg/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep
similarity index 100%
rename from modules/compute/virtual-machine/.test/windows.atmg/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.atmg/dependencies.bicep
diff --git a/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep
index ccee52176b..b1314bce14 100644
--- a/modules/compute/virtual-machine/.test/windows.atmg/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/windows.atmg/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/windows.min/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep
similarity index 100%
rename from modules/compute/virtual-machine/.test/windows.min/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.min/dependencies.bicep
diff --git a/modules/compute/virtual-machine/.test/windows.min/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep
similarity index 97%
rename from modules/compute/virtual-machine/.test/windows.min/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep
index 0d2a846d66..68c34d8494 100644
--- a/modules/compute/virtual-machine/.test/windows.min/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/windows.min/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/windows.ssecmk/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep
similarity index 100%
rename from modules/compute/virtual-machine/.test/windows.ssecmk/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.ssecmk/dependencies.bicep
diff --git a/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep
index d20da897b7..ff7c06d244 100644
--- a/modules/compute/virtual-machine/.test/windows.ssecmk/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/windows.ssecmk/main.test.bicep
@@ -53,7 +53,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/compute/virtual-machine/.test/windows/dependencies.bicep b/modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep
similarity index 99%
rename from modules/compute/virtual-machine/.test/windows/dependencies.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep
index 22df299a8e..6a1f5fcc13 100644
--- a/modules/compute/virtual-machine/.test/windows/dependencies.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/windows/dependencies.bicep
@@ -252,7 +252,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
 azPowerShellVersion: '9.0'
 retentionInterval: 'P1D'
 arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-BlobContent.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-BlobContent.ps1')
 }
 dependsOn: [
 msiRGContrRoleAssignment
diff --git a/modules/compute/virtual-machine/.test/windows/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep
similarity index 98%
rename from modules/compute/virtual-machine/.test/windows/main.test.bicep
rename to modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep
index 4d171f578e..795e801f7e 100644
--- a/modules/compute/virtual-machine/.test/windows/main.test.bicep
+++ b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep
@@ -54,7 +54,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -70,7 +70,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/consumption/budget/.test/common/main.test.bicep b/modules/consumption/budget/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/consumption/budget/.test/common/main.test.bicep
rename to modules/consumption/budget/tests/e2e/common/main.test.bicep
index 7668018aae..a696b0b40e 100644
--- a/modules/consumption/budget/.test/common/main.test.bicep
+++ b/modules/consumption/budget/tests/e2e/common/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/consumption/budget/.test/min/main.test.bicep b/modules/consumption/budget/tests/e2e/min/main.test.bicep
similarity index 95%
rename from modules/consumption/budget/.test/min/main.test.bicep
rename to modules/consumption/budget/tests/e2e/min/main.test.bicep
index a76b439216..e9d47202bb 100644
--- a/modules/consumption/budget/.test/min/main.test.bicep
+++ b/modules/consumption/budget/tests/e2e/min/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/container-instance/container-group/.test/common/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/container-instance/container-group/.test/common/dependencies.bicep
rename to modules/container-instance/container-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/container-instance/container-group/.test/common/main.test.bicep b/modules/container-instance/container-group/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/container-instance/container-group/.test/common/main.test.bicep
rename to modules/container-instance/container-group/tests/e2e/common/main.test.bicep
index 6ba2e16a9d..6aa1e5adc8 100644
--- a/modules/container-instance/container-group/.test/common/main.test.bicep
+++ b/modules/container-instance/container-group/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-instance/container-group/.test/encr/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/container-instance/container-group/.test/encr/dependencies.bicep
rename to modules/container-instance/container-group/tests/e2e/encr/dependencies.bicep
diff --git a/modules/container-instance/container-group/.test/encr/main.test.bicep b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/container-instance/container-group/.test/encr/main.test.bicep
rename to modules/container-instance/container-group/tests/e2e/encr/main.test.bicep
index df9bcfd467..2417490304 100644
--- a/modules/container-instance/container-group/.test/encr/main.test.bicep
+++ b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-instance/container-group/.test/min/main.test.bicep b/modules/container-instance/container-group/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/container-instance/container-group/.test/min/main.test.bicep
rename to modules/container-instance/container-group/tests/e2e/min/main.test.bicep
index 55144600d3..e498caa1d5 100644
--- a/modules/container-instance/container-group/.test/min/main.test.bicep
+++ b/modules/container-instance/container-group/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-instance/container-group/.test/private/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/private/dependencies.bicep
similarity index 100%
rename from modules/container-instance/container-group/.test/private/dependencies.bicep
rename to modules/container-instance/container-group/tests/e2e/private/dependencies.bicep
diff --git a/modules/container-instance/container-group/.test/private/main.test.bicep b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep
similarity index 98%
rename from modules/container-instance/container-group/.test/private/main.test.bicep
rename to modules/container-instance/container-group/tests/e2e/private/main.test.bicep
index 8ca06b9dae..56ed91d9c9 100644
--- a/modules/container-instance/container-group/.test/private/main.test.bicep
+++ b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-registry/registry/.test/common/dependencies.bicep b/modules/container-registry/registry/tests/e2e/common/dependencies.bicep
similarity index 97%
rename from modules/container-registry/registry/.test/common/dependencies.bicep
rename to modules/container-registry/registry/tests/e2e/common/dependencies.bicep
index acb54c6443..4e89a810a0 100644
--- a/modules/container-registry/registry/.test/common/dependencies.bicep
+++ b/modules/container-registry/registry/tests/e2e/common/dependencies.bicep
@@ -76,7 +76,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
 }
 dependsOn: [
 roleAssignment
diff --git a/modules/container-registry/registry/.test/common/main.test.bicep b/modules/container-registry/registry/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/container-registry/registry/.test/common/main.test.bicep
rename to modules/container-registry/registry/tests/e2e/common/main.test.bicep
index ff37a24ff3..6dc873af77 100644
--- a/modules/container-registry/registry/.test/common/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/common/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -64,7 +64,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-registry/registry/.test/encr/dependencies.bicep b/modules/container-registry/registry/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/container-registry/registry/.test/encr/dependencies.bicep
rename to modules/container-registry/registry/tests/e2e/encr/dependencies.bicep
diff --git a/modules/container-registry/registry/.test/encr/main.test.bicep b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/container-registry/registry/.test/encr/main.test.bicep
rename to modules/container-registry/registry/tests/e2e/encr/main.test.bicep
index 0e804e410a..9c93b863b2 100644
--- a/modules/container-registry/registry/.test/encr/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-registry/registry/.test/min/main.test.bicep b/modules/container-registry/registry/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/container-registry/registry/.test/min/main.test.bicep
rename to modules/container-registry/registry/tests/e2e/min/main.test.bicep
index 3d4f3030e4..4646019d7f 100644
--- a/modules/container-registry/registry/.test/min/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-registry/registry/.test/pe/dependencies.bicep b/modules/container-registry/registry/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/container-registry/registry/.test/pe/dependencies.bicep
rename to modules/container-registry/registry/tests/e2e/pe/dependencies.bicep
diff --git a/modules/container-registry/registry/.test/pe/main.test.bicep b/modules/container-registry/registry/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/container-registry/registry/.test/pe/main.test.bicep
rename to modules/container-registry/registry/tests/e2e/pe/main.test.bicep
index f3f4cf3339..e114baa09b 100644
--- a/modules/container-registry/registry/.test/pe/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-service/managed-cluster/.test/azure/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep
similarity index 100%
rename from modules/container-service/managed-cluster/.test/azure/dependencies.bicep
rename to modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep
diff --git a/modules/container-service/managed-cluster/.test/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
similarity index 98%
rename from modules/container-service/managed-cluster/.test/azure/main.test.bicep
rename to modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
index f1d65fbe4b..51b7cf66bd 100644
--- a/modules/container-service/managed-cluster/.test/azure/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
@@ -52,7 +52,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -68,7 +68,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/container-service/managed-cluster/.test/kubenet/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep
similarity index 100%
rename from modules/container-service/managed-cluster/.test/kubenet/dependencies.bicep
rename to modules/container-service/managed-cluster/tests/e2e/kubenet/dependencies.bicep
diff --git a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
similarity index 96%
rename from modules/container-service/managed-cluster/.test/kubenet/main.test.bicep
rename to modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
index e0881cd6d5..9183f19294 100644
--- a/modules/container-service/managed-cluster/.test/kubenet/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/container-service/managed-cluster/.test/min/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/container-service/managed-cluster/.test/min/main.test.bicep
rename to modules/container-service/managed-cluster/tests/e2e/min/main.test.bicep
index dc349e269b..833719b5e2 100644
--- a/modules/container-service/managed-cluster/.test/min/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/min/main.test.bicep
@@ -34,7 +34,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
   location: location
 }
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/container-service/managed-cluster/.test/priv/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep
similarity index 100%
rename from modules/container-service/managed-cluster/.test/priv/dependencies.bicep
rename to modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep
diff --git a/modules/container-service/managed-cluster/.test/priv/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
similarity index 97%
rename from modules/container-service/managed-cluster/.test/priv/main.test.bicep
rename to modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
index 90f3de3f7d..46d56ddb63 100644
--- a/modules/container-service/managed-cluster/.test/priv/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -59,7 +59,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/data-factory/factory/.test/common/dependencies.bicep b/modules/data-factory/factory/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/data-factory/factory/.test/common/dependencies.bicep
rename to modules/data-factory/factory/tests/e2e/common/dependencies.bicep
diff --git a/modules/data-factory/factory/.test/common/main.test.bicep b/modules/data-factory/factory/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/data-factory/factory/.test/common/main.test.bicep
rename to modules/data-factory/factory/tests/e2e/common/main.test.bicep
index 2c9eacb8ec..b88833eb68 100644
--- a/modules/data-factory/factory/.test/common/main.test.bicep
+++ b/modules/data-factory/factory/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/data-factory/factory/.test/min/main.test.bicep b/modules/data-factory/factory/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/data-factory/factory/.test/min/main.test.bicep
rename to modules/data-factory/factory/tests/e2e/min/main.test.bicep
index b182ddfc97..a6d55d1d70 100644
--- a/modules/data-factory/factory/.test/min/main.test.bicep
+++ b/modules/data-factory/factory/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/data-protection/backup-vault/.test/common/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/data-protection/backup-vault/.test/common/dependencies.bicep
rename to modules/data-protection/backup-vault/tests/e2e/common/dependencies.bicep
diff --git a/modules/data-protection/backup-vault/.test/common/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/data-protection/backup-vault/.test/common/main.test.bicep
rename to modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep
index 5a9de2cea8..83f702d49a 100644
--- a/modules/data-protection/backup-vault/.test/common/main.test.bicep
+++ b/modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/data-protection/backup-vault/.test/min/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/data-protection/backup-vault/.test/min/main.test.bicep
rename to modules/data-protection/backup-vault/tests/e2e/min/main.test.bicep
index 28e222baca..c28874ad47 100644
--- a/modules/data-protection/backup-vault/.test/min/main.test.bicep
+++ b/modules/data-protection/backup-vault/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/databricks/access-connector/.test/common/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/databricks/access-connector/.test/common/dependencies.bicep
rename to modules/databricks/access-connector/tests/e2e/common/dependencies.bicep
diff --git a/modules/databricks/access-connector/.test/common/main.test.bicep b/modules/databricks/access-connector/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/databricks/access-connector/.test/common/main.test.bicep
rename to modules/databricks/access-connector/tests/e2e/common/main.test.bicep
index c4d988caa7..e6714e44e1 100644
--- a/modules/databricks/access-connector/.test/common/main.test.bicep
+++ b/modules/databricks/access-connector/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/databricks/access-connector/.test/min/main.test.bicep b/modules/databricks/access-connector/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/databricks/access-connector/.test/min/main.test.bicep
rename to modules/databricks/access-connector/tests/e2e/min/main.test.bicep
index b353cb47c5..815fc5ca3d 100644
--- a/modules/databricks/access-connector/.test/min/main.test.bicep
+++ b/modules/databricks/access-connector/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/databricks/workspace/.test/common/dependencies.bicep b/modules/databricks/workspace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/databricks/workspace/.test/common/dependencies.bicep
rename to modules/databricks/workspace/tests/e2e/common/dependencies.bicep
diff --git a/modules/databricks/workspace/.test/common/main.test.bicep b/modules/databricks/workspace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/databricks/workspace/.test/common/main.test.bicep
rename to modules/databricks/workspace/tests/e2e/common/main.test.bicep
index e331c84dec..02851de992 100644
--- a/modules/databricks/workspace/.test/common/main.test.bicep
+++ b/modules/databricks/workspace/tests/e2e/common/main.test.bicep
@@ -56,7 +56,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -72,7 +72,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/databricks/workspace/.test/min/main.test.bicep b/modules/databricks/workspace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/databricks/workspace/.test/min/main.test.bicep
rename to modules/databricks/workspace/tests/e2e/min/main.test.bicep
index 1ee4cd5c32..9735d40a22 100644
--- a/modules/databricks/workspace/.test/min/main.test.bicep
+++ b/modules/databricks/workspace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/min/main.test.bicep
index 55d2de2958..b127e422f4 100644
--- a/modules/db-for-my-sql/flexible-server/.test/min/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/min/main.test.bicep
@@ -42,7 +42,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep
similarity index 100%
rename from modules/db-for-my-sql/flexible-server/.test/private/dependencies.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/private/dependencies.bicep
diff --git a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
similarity index 96%
rename from modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
index 13819511a9..27819b80b1 100644
--- a/modules/db-for-my-sql/flexible-server/.test/private/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-my-sql/flexible-server/.test/public/dependencies1.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep
similarity index 94%
rename from modules/db-for-my-sql/flexible-server/.test/public/dependencies1.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep
index 0daa2a8db4..82fbab799d 100644
--- a/modules/db-for-my-sql/flexible-server/.test/public/dependencies1.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies1.bicep
@@ -35,7 +35,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
     azPowerShellVersion: '8.0'
     retentionInterval: 'P1D'
     arguments: '-Location \\"${location}\\"'
-    scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+    scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
   }
   dependsOn: [
     roleAssignment
diff --git a/modules/db-for-my-sql/flexible-server/.test/public/dependencies2.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep
similarity index 100%
rename from modules/db-for-my-sql/flexible-server/.test/public/dependencies2.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/public/dependencies2.bicep
diff --git a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
similarity index 97%
rename from modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep
rename to modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
index 2dac6609f6..affcf5e126 100644
--- a/modules/db-for-my-sql/flexible-server/.test/public/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
@@ -64,7 +64,7 @@ module nestedDependencies2 'dependencies2.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -80,7 +80,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/min/main.test.bicep
index 6257b66663..bac3973754 100644
--- a/modules/db-for-postgre-sql/flexible-server/.test/min/main.test.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/min/main.test.bicep
@@ -42,7 +42,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep
similarity index 100%
rename from modules/db-for-postgre-sql/flexible-server/.test/private/dependencies.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/private/dependencies.bicep
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep
similarity index 96%
rename from modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep
index da9f902b2a..eb5a7ba144 100644
--- a/modules/db-for-postgre-sql/flexible-server/.test/private/main.test.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/dependencies.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep
similarity index 100%
rename from modules/db-for-postgre-sql/flexible-server/.test/public/dependencies.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/public/dependencies.bicep
diff --git a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
similarity index 96%
rename from modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
index 3cbc9ecdbc..ac74978518 100644
--- a/modules/db-for-postgre-sql/flexible-server/.test/public/main.test.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/desktop-virtualization/application-group/.test/common/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/application-group/.test/common/dependencies.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/application-group/.test/common/main.test.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep
index 682d39b734..65fd94ed94 100644
--- a/modules/desktop-virtualization/application-group/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/desktop-virtualization/application-group/.test/min/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/application-group/.test/min/dependencies.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/min/dependencies.bicep
diff --git a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/desktop-virtualization/application-group/.test/min/main.test.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/min/main.test.bicep
index dc7a01bd2d..0dcced5bab 100644
--- a/modules/desktop-virtualization/application-group/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/desktop-virtualization/host-pool/.test/common/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/host-pool/.test/common/dependencies.bicep
rename to modules/desktop-virtualization/host-pool/tests/e2e/common/dependencies.bicep
diff --git a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
rename to modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep
index 674d905c5c..85d73e62df 100644
--- a/modules/desktop-virtualization/host-pool/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
rename to modules/desktop-virtualization/host-pool/tests/e2e/min/main.test.bicep
index 2f46ec4302..0675dbe11e 100644
--- a/modules/desktop-virtualization/host-pool/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/scaling-plan/.test/common/dependencies.bicep
rename to modules/desktop-virtualization/scaling-plan/tests/e2e/common/dependencies.bicep
diff --git a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
rename to modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep
index e0e472ce62..105ce03868 100644
--- a/modules/desktop-virtualization/scaling-plan/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep
rename to modules/desktop-virtualization/scaling-plan/tests/e2e/min/main.test.bicep
index edfaf01186..1ded6e5b55 100644
--- a/modules/desktop-virtualization/scaling-plan/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/desktop-virtualization/workspace/.test/common/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/workspace/.test/common/dependencies.bicep
rename to modules/desktop-virtualization/workspace/tests/e2e/common/dependencies.bicep
diff --git a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/desktop-virtualization/workspace/.test/common/main.test.bicep
rename to modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep
index 72fe51a213..c79a1fa0ae 100644
--- a/modules/desktop-virtualization/workspace/.test/common/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/desktop-virtualization/workspace/.test/min/main.test.bicep
rename to modules/desktop-virtualization/workspace/tests/e2e/min/main.test.bicep
index 478c8a8f34..7fc5df6c67 100644
--- a/modules/desktop-virtualization/workspace/.test/min/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/dev-test-lab/lab/.test/common/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/dev-test-lab/lab/.test/common/dependencies.bicep
rename to modules/dev-test-lab/lab/tests/e2e/common/dependencies.bicep
diff --git a/modules/dev-test-lab/lab/.test/common/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep
similarity index 99%
rename from modules/dev-test-lab/lab/.test/common/main.test.bicep
rename to modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep
index a6a84a65bf..149d0cf464 100644
--- a/modules/dev-test-lab/lab/.test/common/main.test.bicep
+++ b/modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep
@@ -54,7 +54,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/dev-test-lab/lab/.test/min/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/dev-test-lab/lab/.test/min/main.test.bicep
rename to modules/dev-test-lab/lab/tests/e2e/min/main.test.bicep
index d78c982d07..b74a10c49c 100644
--- a/modules/dev-test-lab/lab/.test/min/main.test.bicep
+++ b/modules/dev-test-lab/lab/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/digital-twins/digital-twins-instance/.test/common/dependencies.bicep
rename to modules/digital-twins/digital-twins-instance/tests/e2e/common/dependencies.bicep
diff --git a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
rename to modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep
index e6281b2d8d..73bf091495 100644
--- a/modules/digital-twins/digital-twins-instance/.test/common/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -65,7 +65,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep
rename to modules/digital-twins/digital-twins-instance/tests/e2e/min/main.test.bicep
index 7d9b327dc3..4c2c58a0a8 100644
--- a/modules/digital-twins/digital-twins-instance/.test/min/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/document-db/database-account/.test/mongodb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep
similarity index 94%
rename from modules/document-db/database-account/.test/mongodb/dependencies.bicep
rename to modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep
index 76d19a4b2d..f92185e3e8 100644
--- a/modules/document-db/database-account/.test/mongodb/dependencies.bicep
+++ b/modules/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep
@@ -35,7 +35,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
 }
 dependsOn: [
 roleAssignment
diff --git a/modules/document-db/database-account/.test/gremlindb/main.test.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
similarity index 96%
rename from modules/document-db/database-account/.test/gremlindb/main.test.bicep
rename to modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
index f1120061d4..44f12410b3 100644
--- a/modules/document-db/database-account/.test/gremlindb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/document-db/database-account/.test/plain/dependencies.bicep b/modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep
similarity index 94%
rename from modules/document-db/database-account/.test/plain/dependencies.bicep
rename to modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep
index 76d19a4b2d..f92185e3e8 100644
--- a/modules/document-db/database-account/.test/plain/dependencies.bicep
+++ b/modules/document-db/database-account/tests/e2e/mongodb/dependencies.bicep
@@ -35,7 +35,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
 }
 dependsOn: [
 roleAssignment
diff --git a/modules/document-db/database-account/.test/mongodb/main.test.bicep b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
similarity index 98%
rename from modules/document-db/database-account/.test/mongodb/main.test.bicep
rename to modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
index e554588b54..ddb9ac1a75 100644
--- a/modules/document-db/database-account/.test/mongodb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/document-db/database-account/.test/gremlindb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/plain/dependencies.bicep
similarity index 94%
rename from modules/document-db/database-account/.test/gremlindb/dependencies.bicep
rename to modules/document-db/database-account/tests/e2e/plain/dependencies.bicep
index 76d19a4b2d..f92185e3e8 100644
--- a/modules/document-db/database-account/.test/gremlindb/dependencies.bicep
+++ b/modules/document-db/database-account/tests/e2e/plain/dependencies.bicep
@@ -35,7 +35,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
 }
 dependsOn: [
 roleAssignment
diff --git a/modules/document-db/database-account/.test/plain/main.test.bicep b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
similarity index 95%
rename from modules/document-db/database-account/.test/plain/main.test.bicep
rename to modules/document-db/database-account/tests/e2e/plain/main.test.bicep
index ceb6b2fecb..c8dbd06e37 100644
--- a/modules/document-db/database-account/.test/plain/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/document-db/database-account/.test/sqldb/dependencies.bicep b/modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep
similarity index 97%
rename from modules/document-db/database-account/.test/sqldb/dependencies.bicep
rename to modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep
index c3dd593b88..61dec739a6 100644
--- a/modules/document-db/database-account/.test/sqldb/dependencies.bicep
+++ b/modules/document-db/database-account/tests/e2e/sqldb/dependencies.bicep
@@ -76,7 +76,7 @@ resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Get-PairedRegion.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1')
 }
 dependsOn: [
 roleAssignment
diff --git a/modules/document-db/database-account/.test/sqldb/main.test.bicep b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
similarity index 97%
rename from modules/document-db/database-account/.test/sqldb/main.test.bicep
rename to modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
index 2f9254da17..eb14ddcb9b 100644
--- a/modules/document-db/database-account/.test/sqldb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -59,7 +59,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/domain/.test/common/dependencies.bicep b/modules/event-grid/domain/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/event-grid/domain/.test/common/dependencies.bicep
rename to modules/event-grid/domain/tests/e2e/common/dependencies.bicep
diff --git a/modules/event-grid/domain/.test/common/main.test.bicep b/modules/event-grid/domain/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/event-grid/domain/.test/common/main.test.bicep
rename to modules/event-grid/domain/tests/e2e/common/main.test.bicep
index a6fc193fae..f96b8aba01 100644
--- a/modules/event-grid/domain/.test/common/main.test.bicep
+++ b/modules/event-grid/domain/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/domain/.test/min/main.test.bicep b/modules/event-grid/domain/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/event-grid/domain/.test/min/main.test.bicep
rename to modules/event-grid/domain/tests/e2e/min/main.test.bicep
index a531c4d003..e2d9be8663 100644
--- a/modules/event-grid/domain/.test/min/main.test.bicep
+++ b/modules/event-grid/domain/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/domain/.test/pe/dependencies.bicep b/modules/event-grid/domain/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/event-grid/domain/.test/pe/dependencies.bicep
rename to modules/event-grid/domain/tests/e2e/pe/dependencies.bicep
diff --git a/modules/event-grid/domain/.test/pe/main.test.bicep b/modules/event-grid/domain/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/event-grid/domain/.test/pe/main.test.bicep
rename to modules/event-grid/domain/tests/e2e/pe/main.test.bicep
index 43c759532a..ddaa562218 100644
--- a/modules/event-grid/domain/.test/pe/main.test.bicep
+++ b/modules/event-grid/domain/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/system-topic/.test/common/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/event-grid/system-topic/.test/common/dependencies.bicep
rename to modules/event-grid/system-topic/tests/e2e/common/dependencies.bicep
diff --git a/modules/event-grid/system-topic/.test/common/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/event-grid/system-topic/.test/common/main.test.bicep
rename to modules/event-grid/system-topic/tests/e2e/common/main.test.bicep
index 72a3551ad0..a6b9312e35 100644
--- a/modules/event-grid/system-topic/.test/common/main.test.bicep
+++ b/modules/event-grid/system-topic/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/system-topic/.test/min/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/event-grid/system-topic/.test/min/dependencies.bicep
rename to modules/event-grid/system-topic/tests/e2e/min/dependencies.bicep
diff --git a/modules/event-grid/system-topic/.test/min/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/min/main.test.bicep
similarity index 93%
rename from modules/event-grid/system-topic/.test/min/main.test.bicep
rename to modules/event-grid/system-topic/tests/e2e/min/main.test.bicep
index c8767d484b..8bfe4a7feb 100644
--- a/modules/event-grid/system-topic/.test/min/main.test.bicep
+++ b/modules/event-grid/system-topic/tests/e2e/min/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/topic/.test/common/dependencies.bicep b/modules/event-grid/topic/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/event-grid/topic/.test/common/dependencies.bicep
rename to modules/event-grid/topic/tests/e2e/common/dependencies.bicep
diff --git a/modules/event-grid/topic/.test/common/main.test.bicep b/modules/event-grid/topic/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/event-grid/topic/.test/common/main.test.bicep
rename to modules/event-grid/topic/tests/e2e/common/main.test.bicep
index 94d94440b7..8027740ab5 100644
--- a/modules/event-grid/topic/.test/common/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/topic/.test/min/main.test.bicep b/modules/event-grid/topic/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/event-grid/topic/.test/min/main.test.bicep
rename to modules/event-grid/topic/tests/e2e/min/main.test.bicep
index f8ec16cb64..89a79f1097 100644
--- a/modules/event-grid/topic/.test/min/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-grid/topic/.test/pe/dependencies.bicep b/modules/event-grid/topic/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/event-grid/topic/.test/pe/dependencies.bicep
rename to modules/event-grid/topic/tests/e2e/pe/dependencies.bicep
diff --git a/modules/event-grid/topic/.test/pe/main.test.bicep b/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/event-grid/topic/.test/pe/main.test.bicep
rename to modules/event-grid/topic/tests/e2e/pe/main.test.bicep
index a70b97b936..99f3160297 100644
--- a/modules/event-grid/topic/.test/pe/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-hub/namespace/.test/common/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/event-hub/namespace/.test/common/dependencies.bicep
rename to modules/event-hub/namespace/tests/e2e/common/dependencies.bicep
diff --git a/modules/event-hub/namespace/.test/common/main.test.bicep b/modules/event-hub/namespace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/event-hub/namespace/.test/common/main.test.bicep
rename to modules/event-hub/namespace/tests/e2e/common/main.test.bicep
index b276b1734f..869463f5a9 100644
--- a/modules/event-hub/namespace/.test/common/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-hub/namespace/.test/encr/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/event-hub/namespace/.test/encr/dependencies.bicep
rename to modules/event-hub/namespace/tests/e2e/encr/dependencies.bicep
diff --git a/modules/event-hub/namespace/.test/encr/main.test.bicep b/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/event-hub/namespace/.test/encr/main.test.bicep
rename to modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
index b81e59b56c..a7a3e24d64 100644
--- a/modules/event-hub/namespace/.test/encr/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-hub/namespace/.test/min/main.test.bicep b/modules/event-hub/namespace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/event-hub/namespace/.test/min/main.test.bicep
rename to modules/event-hub/namespace/tests/e2e/min/main.test.bicep
index 5b731169d3..424ca90ffe 100644
--- a/modules/event-hub/namespace/.test/min/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/event-hub/namespace/.test/pe/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/event-hub/namespace/.test/pe/dependencies.bicep
rename to modules/event-hub/namespace/tests/e2e/pe/dependencies.bicep
diff --git a/modules/event-hub/namespace/.test/pe/main.test.bicep b/modules/event-hub/namespace/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/event-hub/namespace/.test/pe/main.test.bicep
rename to modules/event-hub/namespace/tests/e2e/pe/main.test.bicep
index 69b842c06e..e55e3faf2f 100644
--- a/modules/event-hub/namespace/.test/pe/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/health-bot/health-bot/.test/common/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/health-bot/health-bot/.test/common/dependencies.bicep
rename to modules/health-bot/health-bot/tests/e2e/common/dependencies.bicep
diff --git a/modules/health-bot/health-bot/.test/common/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/health-bot/health-bot/.test/common/main.test.bicep
rename to modules/health-bot/health-bot/tests/e2e/common/main.test.bicep
index 36623909f7..04f770a16c 100644
--- a/modules/health-bot/health-bot/.test/common/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/health-bot/health-bot/.test/min/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/health-bot/health-bot/.test/min/main.test.bicep
rename to modules/health-bot/health-bot/tests/e2e/min/main.test.bicep
index 29b0984187..827853ed5b 100644
--- a/modules/health-bot/health-bot/.test/min/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/healthcare-apis/workspace/.test/common/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/healthcare-apis/workspace/.test/common/dependencies.bicep rename to modules/healthcare-apis/workspace/tests/e2e/common/dependencies.bicep diff --git a/modules/healthcare-apis/workspace/.test/common/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/healthcare-apis/workspace/.test/common/main.test.bicep rename to modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep index fcb3fac8fe..b3ee36aeea 100644 --- a/modules/healthcare-apis/workspace/.test/common/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/healthcare-apis/workspace/.test/min/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/healthcare-apis/workspace/.test/min/main.test.bicep rename to modules/healthcare-apis/workspace/tests/e2e/min/main.test.bicep index cc3b068314..4eb6a8dc85 100644 --- a/modules/healthcare-apis/workspace/.test/min/main.test.bicep 
+++ b/modules/healthcare-apis/workspace/tests/e2e/min/main.test.bicep @@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/action-group/.test/common/dependencies.bicep b/modules/insights/action-group/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/action-group/.test/common/dependencies.bicep rename to modules/insights/action-group/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/action-group/.test/common/main.test.bicep b/modules/insights/action-group/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/insights/action-group/.test/common/main.test.bicep rename to modules/insights/action-group/tests/e2e/common/main.test.bicep index 3e80b2db1b..094aef5dfd 100644 --- a/modules/insights/action-group/.test/common/main.test.bicep +++ b/modules/insights/action-group/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/action-group/.test/min/main.test.bicep b/modules/insights/action-group/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/insights/action-group/.test/min/main.test.bicep rename to modules/insights/action-group/tests/e2e/min/main.test.bicep index 51ccd12b5c..5ef4c9a8ef 100644 --- a/modules/insights/action-group/.test/min/main.test.bicep +++ b/modules/insights/action-group/tests/e2e/min/main.test.bicep 
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/activity-log-alert/.test/common/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/activity-log-alert/.test/common/dependencies.bicep rename to modules/insights/activity-log-alert/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/activity-log-alert/.test/common/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/insights/activity-log-alert/.test/common/main.test.bicep rename to modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep index 6810340316..75d80ea8b0 100644 --- a/modules/insights/activity-log-alert/.test/common/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/component/.test/common/dependencies.bicep b/modules/insights/component/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/component/.test/common/dependencies.bicep rename to modules/insights/component/tests/e2e/common/dependencies.bicep 
diff --git a/modules/insights/component/.test/common/main.test.bicep b/modules/insights/component/tests/e2e/common/main.test.bicep similarity index 95% rename from modules/insights/component/.test/common/main.test.bicep rename to modules/insights/component/tests/e2e/common/main.test.bicep index 979bd07090..c268fb2bff 100644 --- a/modules/insights/component/.test/common/main.test.bicep +++ b/modules/insights/component/tests/e2e/common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/component/.test/min/dependencies.bicep b/modules/insights/component/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/insights/component/.test/min/dependencies.bicep rename to modules/insights/component/tests/e2e/min/dependencies.bicep diff --git a/modules/insights/component/.test/min/main.test.bicep b/modules/insights/component/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/insights/component/.test/min/main.test.bicep rename to modules/insights/component/tests/e2e/min/main.test.bicep index 15a5d43c53..0e4fe18e1f 100644 --- a/modules/insights/component/.test/min/main.test.bicep +++ b/modules/insights/component/tests/e2e/min/main.test.bicep 
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-endpoint/.test/common/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-endpoint/.test/common/dependencies.bicep rename to modules/insights/data-collection-endpoint/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/insights/data-collection-endpoint/.test/common/main.test.bicep rename to modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep index d4518f92ad..048ae857f8 100644 --- a/modules/insights/data-collection-endpoint/.test/common/main.test.bicep +++ b/modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/insights/data-collection-endpoint/.test/min/main.test.bicep rename to modules/insights/data-collection-endpoint/tests/e2e/min/main.test.bicep index 39a8e35586..296447c846 100644 --- a/modules/insights/data-collection-endpoint/.test/min/main.test.bicep 
+++ b/modules/insights/data-collection-endpoint/tests/e2e/min/main.test.bicep @@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/customadv/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-rule/.test/customadv/dependencies.bicep rename to modules/insights/data-collection-rule/tests/e2e/customadv/dependencies.bicep diff --git a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep similarity index 98% rename from modules/insights/data-collection-rule/.test/customadv/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep index 4006013380..2e2f2a7d14 100644 --- a/modules/insights/data-collection-rule/.test/customadv/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep @@ -45,7 +45,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/custombasic/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-rule/.test/custombasic/dependencies.bicep rename to modules/insights/data-collection-rule/tests/e2e/custombasic/dependencies.bicep 
diff --git a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep similarity index 98% rename from modules/insights/data-collection-rule/.test/custombasic/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep index a9cccb78d0..b0ae869187 100644 --- a/modules/insights/data-collection-rule/.test/custombasic/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep @@ -45,7 +45,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/customiis/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-rule/.test/customiis/dependencies.bicep rename to modules/insights/data-collection-rule/tests/e2e/customiis/dependencies.bicep diff --git a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep similarity index 98% rename from modules/insights/data-collection-rule/.test/customiis/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep index 5b6ddb4d3d..d157de08b6 100644 --- a/modules/insights/data-collection-rule/.test/customiis/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep 
@@ -45,7 +45,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/linux/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-rule/.test/linux/dependencies.bicep rename to modules/insights/data-collection-rule/tests/e2e/linux/dependencies.bicep diff --git a/modules/insights/data-collection-rule/.test/linux/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep similarity index 99% rename from modules/insights/data-collection-rule/.test/linux/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep index 30b9856a25..5b5664ffe9 100644 --- a/modules/insights/data-collection-rule/.test/linux/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep @@ -44,7 +44,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/min/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/min/main.test.bicep similarity index 98% rename from modules/insights/data-collection-rule/.test/min/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/min/main.test.bicep index 01cff01377..9ba5932555 100644 --- a/modules/insights/data-collection-rule/.test/min/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/min/main.test.bicep 
@@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/data-collection-rule/.test/windows/dependencies.bicep b/modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-rule/.test/windows/dependencies.bicep rename to modules/insights/data-collection-rule/tests/e2e/windows/dependencies.bicep diff --git a/modules/insights/data-collection-rule/.test/windows/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep similarity index 99% rename from modules/insights/data-collection-rule/.test/windows/main.test.bicep rename to modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep index ba4727637a..9d2ee0f182 100644 --- a/modules/insights/data-collection-rule/.test/windows/main.test.bicep +++ b/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep @@ -44,7 +44,7 @@ module resourceGroupResources 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { diff --git a/modules/insights/diagnostic-setting/.test/common/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep similarity index 94% rename from modules/insights/diagnostic-setting/.test/common/main.test.bicep rename to modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep index dad01e9f0e..3452965065 100644 --- a/modules/insights/diagnostic-setting/.test/common/main.test.bicep 
+++ b/modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep @@ -36,7 +36,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -52,7 +52,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { enableDefaultTelemetry: enableDefaultTelemetry diff --git a/modules/insights/metric-alert/.test/common/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/metric-alert/.test/common/dependencies.bicep rename to modules/insights/metric-alert/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/metric-alert/.test/common/main.test.bicep b/modules/insights/metric-alert/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/insights/metric-alert/.test/common/main.test.bicep rename to modules/insights/metric-alert/tests/e2e/common/main.test.bicep index c8711dd79a..c692d0a28b 100644 --- a/modules/insights/metric-alert/.test/common/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/common/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/insights/private-link-scope/.test/common/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/private-link-scope/.test/common/dependencies.bicep rename to modules/insights/private-link-scope/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/private-link-scope/.test/common/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/insights/private-link-scope/.test/common/main.test.bicep rename to modules/insights/private-link-scope/tests/e2e/common/main.test.bicep index 1622c7b7a0..fe7ba8f897 100644 --- a/modules/insights/private-link-scope/.test/common/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/common/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/private-link-scope/.test/min/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/insights/private-link-scope/.test/min/main.test.bicep rename to modules/insights/private-link-scope/tests/e2e/min/main.test.bicep index a9a01570d3..2ed54c7791 100644 --- a/modules/insights/private-link-scope/.test/min/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/insights/scheduled-query-rule/.test/common/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/scheduled-query-rule/.test/common/dependencies.bicep rename to modules/insights/scheduled-query-rule/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/insights/scheduled-query-rule/.test/common/main.test.bicep rename to modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep index ece99e7a5d..ce46d28cf7 100644 --- a/modules/insights/scheduled-query-rule/.test/common/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/webtest/.test/common/dependencies.bicep b/modules/insights/webtest/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/insights/webtest/.test/common/dependencies.bicep rename to modules/insights/webtest/tests/e2e/common/dependencies.bicep diff --git a/modules/insights/webtest/.test/common/main.test.bicep b/modules/insights/webtest/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/insights/webtest/.test/common/main.test.bicep rename to modules/insights/webtest/tests/e2e/common/main.test.bicep index ec14cb0b5c..a40b41c1e6 100644 --- a/modules/insights/webtest/.test/common/main.test.bicep +++ b/modules/insights/webtest/tests/e2e/common/main.test.bicep 
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/insights/webtest/.test/min/dependencies.bicep b/modules/insights/webtest/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/insights/webtest/.test/min/dependencies.bicep rename to modules/insights/webtest/tests/e2e/min/dependencies.bicep diff --git a/modules/insights/webtest/.test/min/main.test.bicep b/modules/insights/webtest/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/insights/webtest/.test/min/main.test.bicep rename to modules/insights/webtest/tests/e2e/min/main.test.bicep index 7a0273b7e4..99e6969ed2 100644 --- a/modules/insights/webtest/.test/min/main.test.bicep +++ b/modules/insights/webtest/tests/e2e/min/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep b/modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep similarity index 100% rename from modules/key-vault/vault/.test/accesspolicies/dependencies.bicep rename to modules/key-vault/vault/tests/e2e/accesspolicies/dependencies.bicep diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep similarity index 96% rename from modules/key-vault/vault/.test/accesspolicies/main.test.bicep rename to modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep index 605b5ab57e..12e509a459 100644 
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep @@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/key-vault/vault/.test/common/dependencies.bicep b/modules/key-vault/vault/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/key-vault/vault/.test/common/dependencies.bicep rename to modules/key-vault/vault/tests/e2e/common/dependencies.bicep diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/key-vault/vault/.test/common/main.test.bicep rename to modules/key-vault/vault/tests/e2e/common/main.test.bicep index 56b1e03459..9ac36ee683 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/common/main.test.bicep 
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/key-vault/vault/.test/min/main.test.bicep b/modules/key-vault/vault/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/key-vault/vault/.test/min/main.test.bicep rename to modules/key-vault/vault/tests/e2e/min/main.test.bicep index 0e27563ae4..351273f306 100644 --- a/modules/key-vault/vault/.test/min/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/key-vault/vault/.test/pe/dependencies.bicep b/modules/key-vault/vault/tests/e2e/pe/dependencies.bicep similarity index 100% rename from modules/key-vault/vault/.test/pe/dependencies.bicep rename to modules/key-vault/vault/tests/e2e/pe/dependencies.bicep 
diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/tests/e2e/pe/main.test.bicep similarity index 96% rename from modules/key-vault/vault/.test/pe/main.test.bicep rename to modules/key-vault/vault/tests/e2e/pe/main.test.bicep index 31787cf5d0..b1d0f9c89f 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/pe/main.test.bicep @@ -41,7 +41,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -57,7 +57,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/kubernetes-configuration/extension/.test/common/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/extension/.test/common/dependencies.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/common/dependencies.bicep diff --git a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/kubernetes-configuration/extension/.test/common/main.test.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep index 1d954e3c6a..18a74931cd 100644 --- a/modules/kubernetes-configuration/extension/.test/common/main.test.bicep 
+++ b/modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/kubernetes-configuration/extension/.test/min/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/extension/.test/min/dependencies.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/min/dependencies.bicep diff --git a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/kubernetes-configuration/extension/.test/min/main.test.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/min/main.test.bicep index 96b7926186..e423f75456 100644 --- a/modules/kubernetes-configuration/extension/.test/min/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/min/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/kubernetes-configuration/flux-configuration/.test/common/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/flux-configuration/.test/common/dependencies.bicep rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/common/dependencies.bicep 
diff --git a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep index 4f1883372b..356c8be9f9 100644 --- a/modules/kubernetes-configuration/flux-configuration/.test/common/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/kubernetes-configuration/flux-configuration/.test/min/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/flux-configuration/.test/min/dependencies.bicep rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/min/dependencies.bicep diff --git a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/min/main.test.bicep index f7f5c7191b..2e22479c4a 100644 --- a/modules/kubernetes-configuration/flux-configuration/.test/min/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/min/main.test.bicep 
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/logic/workflow/.test/common/dependencies.bicep b/modules/logic/workflow/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/logic/workflow/.test/common/dependencies.bicep
rename to modules/logic/workflow/tests/e2e/common/dependencies.bicep
diff --git a/modules/logic/workflow/.test/common/main.test.bicep b/modules/logic/workflow/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/logic/workflow/.test/common/main.test.bicep
rename to modules/logic/workflow/tests/e2e/common/main.test.bicep
index f41202d4d8..62b7f8b0fb 100644
--- a/modules/logic/workflow/.test/common/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/machine-learning-services/workspace/.test/common/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/machine-learning-services/workspace/.test/common/dependencies.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/common/dependencies.bicep
diff --git a/modules/machine-learning-services/workspace/.test/common/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/machine-learning-services/workspace/.test/common/main.test.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep
index fa544e14f4..73b10cd0a9 100644
--- a/modules/machine-learning-services/workspace/.test/common/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -64,7 +64,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/machine-learning-services/workspace/.test/encr/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/machine-learning-services/workspace/.test/encr/dependencies.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/encr/dependencies.bicep
diff --git a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/machine-learning-services/workspace/.test/encr/main.test.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
index 784f07e453..42a9e51c69 100644
--- a/modules/machine-learning-services/workspace/.test/encr/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
@@ -51,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/machine-learning-services/workspace/.test/min/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/machine-learning-services/workspace/.test/min/dependencies.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/min/dependencies.bicep
diff --git a/modules/machine-learning-services/workspace/.test/min/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/machine-learning-services/workspace/.test/min/main.test.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/min/main.test.bicep
index 94dc5beaab..4ad340de5c 100644
--- a/modules/machine-learning-services/workspace/.test/min/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/min/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/maintenance/maintenance-configuration/.test/common/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/maintenance/maintenance-configuration/.test/common/dependencies.bicep
rename to modules/maintenance/maintenance-configuration/tests/e2e/common/dependencies.bicep
diff --git a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/maintenance/maintenance-configuration/.test/common/main.test.bicep
rename to modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep
index 41ea585f30..fb851eaaad 100644
--- a/modules/maintenance/maintenance-configuration/.test/common/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/maintenance/maintenance-configuration/.test/min/main.test.bicep
rename to modules/maintenance/maintenance-configuration/tests/e2e/min/main.test.bicep
index f23eada34d..fd4155b517 100644
--- a/modules/maintenance/maintenance-configuration/.test/min/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/managed-identity/user-assigned-identity/.test/common/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/managed-identity/user-assigned-identity/.test/common/dependencies.bicep
rename to modules/managed-identity/user-assigned-identity/tests/e2e/common/dependencies.bicep
diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
rename to modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep
index a382b213a5..52feac412b 100644
--- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep
rename to modules/managed-identity/user-assigned-identity/tests/e2e/min/main.test.bicep
index d7da3a5c01..d0cb243b1f 100644
--- a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/managed-services/registration-definition/.test/common/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/managed-services/registration-definition/.test/common/main.test.bicep
rename to modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep
index 854fe9a70d..b67dda3414 100644
--- a/modules/managed-services/registration-definition/.test/common/main.test.bicep
+++ b/modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/managed-services/registration-definition/.test/rg/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
similarity index 97%
rename from modules/managed-services/registration-definition/.test/rg/main.test.bicep
rename to modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
index e6d5fe9145..8de69a8b4b 100644
--- a/modules/managed-services/registration-definition/.test/rg/main.test.bicep
+++ b/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/management/management-group/.test/common/main.test.bicep b/modules/management/management-group/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/management/management-group/.test/common/main.test.bicep
rename to modules/management/management-group/tests/e2e/common/main.test.bicep
index 65122a5c04..f3102c6bd1 100644
--- a/modules/management/management-group/.test/common/main.test.bicep
+++ b/modules/management/management-group/tests/e2e/common/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/management/management-group/.test/min/main.test.bicep b/modules/management/management-group/tests/e2e/min/main.test.bicep
similarity index 94%
rename from modules/management/management-group/.test/min/main.test.bicep
rename to modules/management/management-group/tests/e2e/min/main.test.bicep
index 471cd8cc08..bacde932d6 100644
--- a/modules/management/management-group/.test/min/main.test.bicep
+++ b/modules/management/management-group/tests/e2e/min/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/net-app/net-app-account/.test/min/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/net-app/net-app-account/.test/min/main.test.bicep
rename to modules/net-app/net-app-account/tests/e2e/min/main.test.bicep
index 8c3ceb52c3..5a4111f482 100644
--- a/modules/net-app/net-app-account/.test/min/main.test.bicep
+++ b/modules/net-app/net-app-account/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/net-app/net-app-account/.test/nfs3/dependencies.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep
similarity index 100%
rename from modules/net-app/net-app-account/.test/nfs3/dependencies.bicep
rename to modules/net-app/net-app-account/tests/e2e/nfs3/dependencies.bicep
diff --git a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep
similarity index 98%
rename from modules/net-app/net-app-account/.test/nfs3/main.test.bicep
rename to modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep
index c1105a2b17..e1a7ed7917 100644
--- a/modules/net-app/net-app-account/.test/nfs3/main.test.bicep
+++ b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/net-app/net-app-account/.test/nfs41/dependencies.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep
similarity index 100%
rename from modules/net-app/net-app-account/.test/nfs41/dependencies.bicep
rename to modules/net-app/net-app-account/tests/e2e/nfs41/dependencies.bicep
diff --git a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep
similarity index 98%
rename from modules/net-app/net-app-account/.test/nfs41/main.test.bicep
rename to modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep
index c58995a201..f07c76bf7b 100644
--- a/modules/net-app/net-app-account/.test/nfs41/main.test.bicep
+++ b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep
rename to modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep
index 0c7f1fe7f3..840235eeab 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/application-gateway/.test/common/dependencies.bicep b/modules/network/application-gateway/tests/e2e/common/dependencies.bicep
similarity index 97%
rename from modules/network/application-gateway/.test/common/dependencies.bicep
rename to modules/network/application-gateway/tests/e2e/common/dependencies.bicep
index e2389b486b..2de1a81653 100644
--- a/modules/network/application-gateway/.test/common/dependencies.bicep
+++ b/modules/network/application-gateway/tests/e2e/common/dependencies.bicep
@@ -36,7 +36,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
 }
 {
 name: 'privateLinkSubnet'
- properties:{
+ properties: {
 addressPrefix: cidrSubnet(addressPrefix, 24, 1)
 privateLinkServiceNetworkPolicies: 'Disabled'
 }
@@ -120,7 +120,7 @@ resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
 azPowerShellVersion: '8.0'
 retentionInterval: 'P1D'
 arguments: '-KeyVaultName "${keyVault.name}" -CertName "applicationGatewaySslCertificate"'
- scriptContent: loadTextContent('../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
 }
 }
 
diff --git a/modules/network/application-gateway/.test/common/main.test.bicep b/modules/network/application-gateway/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/application-gateway/.test/common/main.test.bicep
rename to modules/network/application-gateway/tests/e2e/common/main.test.bicep
index 8f81d6033f..0887af87a0 100644
--- a/modules/network/application-gateway/.test/common/main.test.bicep
+++ b/modules/network/application-gateway/tests/e2e/common/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -66,7 +66,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 var appGWName = '${namePrefix}${serviceShort}001'
 var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}'
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/application-security-group/.test/common/dependencies.bicep b/modules/network/application-security-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/application-security-group/.test/common/dependencies.bicep
rename to modules/network/application-security-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/application-security-group/.test/common/main.test.bicep b/modules/network/application-security-group/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/application-security-group/.test/common/main.test.bicep
rename to modules/network/application-security-group/tests/e2e/common/main.test.bicep
index 70aeed0b0d..f359964862 100644
--- a/modules/network/application-security-group/.test/common/main.test.bicep
+++ b/modules/network/application-security-group/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/addpip/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/addpip/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/addpip/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/addpip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
similarity index 98%
rename from modules/network/azure-firewall/.test/addpip/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
index f2a115cb3b..373c6489e0 100644
--- a/modules/network/azure-firewall/.test/addpip/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/common/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/common/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/common/main.test.bicep b/modules/network/azure-firewall/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/azure-firewall/.test/common/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/common/main.test.bicep
index 219cdea813..f3df185bc3 100644
--- a/modules/network/azure-firewall/.test/common/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/custompip/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/custompip/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/custompip/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/custompip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
similarity index 95%
rename from modules/network/azure-firewall/.test/custompip/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
index 29cd591ce0..0632d591fb 100644
--- a/modules/network/azure-firewall/.test/custompip/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/hubcommon/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/hubcommon/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/hubcommon/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/hubcommon/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
similarity index 97%
rename from modules/network/azure-firewall/.test/hubcommon/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
index 24f9abf6d4..aeba7abd0e 100644
--- a/modules/network/azure-firewall/.test/hubcommon/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/hubmin/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/hubmin/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/hubmin/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/hubmin/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
similarity index 97%
rename from modules/network/azure-firewall/.test/hubmin/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
index 85056db679..362ff67a62 100644
--- a/modules/network/azure-firewall/.test/hubmin/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/azure-firewall/.test/min/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/.test/min/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/azure-firewall/.test/min/main.test.bicep b/modules/network/azure-firewall/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/azure-firewall/.test/min/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/min/main.test.bicep
index c0d9f84edc..9d5c870954 100644
--- a/modules/network/azure-firewall/.test/min/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/bastion-host/.test/common/dependencies.bicep b/modules/network/bastion-host/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/bastion-host/.test/common/dependencies.bicep
rename to modules/network/bastion-host/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/bastion-host/.test/common/main.test.bicep b/modules/network/bastion-host/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/network/bastion-host/.test/common/main.test.bicep
rename to modules/network/bastion-host/tests/e2e/common/main.test.bicep
index 6f6a202a2b..7fe1474be5 100644
--- a/modules/network/bastion-host/.test/common/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/bastion-host/.test/custompip/dependencies.bicep b/modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep
similarity index 100%
rename from modules/network/bastion-host/.test/custompip/dependencies.bicep
rename to modules/network/bastion-host/tests/e2e/custompip/dependencies.bicep
diff --git a/modules/network/bastion-host/.test/custompip/main.test.bicep b/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
similarity index 95%
rename from modules/network/bastion-host/.test/custompip/main.test.bicep
rename to modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
index 3ac4bb92df..500158ac2b 100644
--- a/modules/network/bastion-host/.test/custompip/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/bastion-host/.test/min/dependencies.bicep b/modules/network/bastion-host/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/bastion-host/.test/min/dependencies.bicep
rename to modules/network/bastion-host/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/bastion-host/.test/min/main.test.bicep b/modules/network/bastion-host/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/bastion-host/.test/min/main.test.bicep
rename to modules/network/bastion-host/tests/e2e/min/main.test.bicep
index 0c178876f0..e150c3dd41 100644
--- a/modules/network/bastion-host/.test/min/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/connection/.test/vnet2vnet/dependencies.bicep b/modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep
similarity index 100%
rename from modules/network/connection/.test/vnet2vnet/dependencies.bicep
rename to modules/network/connection/tests/e2e/vnet2vnet/dependencies.bicep
diff --git a/modules/network/connection/.test/vnet2vnet/main.test.bicep b/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
similarity index 98%
rename from modules/network/connection/.test/vnet2vnet/main.test.bicep
rename to modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
index 4a3da829cf..7512784f5f 100644
--- a/modules/network/connection/.test/vnet2vnet/main.test.bicep
+++ b/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
@@ -52,7 +52,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/ddos-protection-plan/.test/common/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/ddos-protection-plan/.test/common/dependencies.bicep
rename to modules/network/ddos-protection-plan/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/ddos-protection-plan/.test/common/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/ddos-protection-plan/.test/common/main.test.bicep
rename to modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep
index 8324e7f8dc..2c1359047b 100644
--- a/modules/network/ddos-protection-plan/.test/common/main.test.bicep
+++ b/modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/ddos-protection-plan/.test/min/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/ddos-protection-plan/.test/min/main.test.bicep
rename to modules/network/ddos-protection-plan/tests/e2e/min/main.test.bicep
index ca85cb56f0..1d0010eb9c 100644
--- a/modules/network/ddos-protection-plan/.test/min/main.test.bicep
+++ b/modules/network/ddos-protection-plan/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/dns-forwarding-ruleset/.test/common/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/dns-forwarding-ruleset/.test/common/dependencies.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep
index b8cc208e18..913a1ce9c5 100644
--- a/modules/network/dns-forwarding-ruleset/.test/common/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/dns-forwarding-ruleset/.test/min/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/dns-forwarding-ruleset/.test/min/dependencies.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/min/main.test.bicep
index ed1fc457c5..c43583ba3e 100644
--- a/modules/network/dns-forwarding-ruleset/.test/min/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/min/main.test.bicep
@@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/dns-resolver/.test/common/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/dns-resolver/.test/common/dependencies.bicep
rename to modules/network/dns-resolver/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/dns-resolver/.test/common/main.test.bicep b/modules/network/dns-resolver/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/dns-resolver/.test/common/main.test.bicep
rename to modules/network/dns-resolver/tests/e2e/common/main.test.bicep
index b7c060dd2f..d9faf2551d 100644
--- a/modules/network/dns-resolver/.test/common/main.test.bicep
+++ b/modules/network/dns-resolver/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/dns-zone/.test/common/dependencies.bicep b/modules/network/dns-zone/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/dns-zone/.test/common/dependencies.bicep
rename to modules/network/dns-zone/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/dns-zone/.test/common/main.test.bicep b/modules/network/dns-zone/tests/e2e/common/main.test.bicep
similarity index 99%
rename from modules/network/dns-zone/.test/common/main.test.bicep
rename to modules/network/dns-zone/tests/e2e/common/main.test.bicep
index d7a20bd945..3e055fc5de 100644
--- a/modules/network/dns-zone/.test/common/main.test.bicep
+++ b/modules/network/dns-zone/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/dns-zone/.test/min/main.test.bicep b/modules/network/dns-zone/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/dns-zone/.test/min/main.test.bicep
rename to modules/network/dns-zone/tests/e2e/min/main.test.bicep
index 3e13b00238..169bf08e48 100644
--- a/modules/network/dns-zone/.test/min/main.test.bicep
+++ b/modules/network/dns-zone/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/express-route-circuit/.test/common/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/express-route-circuit/.test/common/dependencies.bicep
rename to modules/network/express-route-circuit/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/express-route-circuit/.test/common/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/common/main.test.bicep
similarity index 95%
rename from modules/network/express-route-circuit/.test/common/main.test.bicep
rename to modules/network/express-route-circuit/tests/e2e/common/main.test.bicep
index a1203ca39b..c53f6dd157 100644
--- a/modules/network/express-route-circuit/.test/common/main.test.bicep
+++ b/modules/network/express-route-circuit/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/express-route-circuit/.test/min/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/express-route-circuit/.test/min/main.test.bicep
rename to modules/network/express-route-circuit/tests/e2e/min/main.test.bicep
index 6bc6b2b580..c6bc88b5d7 100644
--- a/modules/network/express-route-circuit/.test/min/main.test.bicep
+++ b/modules/network/express-route-circuit/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/express-route-gateway/.test/common/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/express-route-gateway/.test/common/dependencies.bicep
rename to modules/network/express-route-gateway/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/express-route-gateway/.test/common/main.test.bicep
rename to modules/network/express-route-gateway/tests/e2e/common/main.test.bicep
index cb8e6e36f5..e029342eaf 100644
--- a/modules/network/express-route-gateway/.test/common/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/express-route-gateway/.test/min/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/express-route-gateway/.test/min/dependencies.bicep
rename to modules/network/express-route-gateway/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/express-route-gateway/.test/min/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/express-route-gateway/.test/min/main.test.bicep
rename to modules/network/express-route-gateway/tests/e2e/min/main.test.bicep
index 49b5c52596..e60a1ef9ca 100644
--- a/modules/network/express-route-gateway/.test/min/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/firewall-policy/.test/common/main.test.bicep b/modules/network/firewall-policy/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/firewall-policy/.test/common/main.test.bicep
rename to modules/network/firewall-policy/tests/e2e/common/main.test.bicep
index f3447f4ce4..8d9b770926 100644
--- a/modules/network/firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/firewall-policy/tests/e2e/common/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/firewall-policy/.test/min/main.test.bicep b/modules/network/firewall-policy/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/firewall-policy/.test/min/main.test.bicep
rename to modules/network/firewall-policy/tests/e2e/min/main.test.bicep
index e5ce72720a..94f9f074c1 100644
--- a/modules/network/firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/firewall-policy/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/front-door-web-application-firewall-policy/.test/common/dependencies.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep
index 6cbf4d59eb..4018c29860 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/common/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/min/main.test.bicep
index 833631084c..779069f9bd 100644
--- a/modules/network/front-door-web-application-firewall-policy/.test/min/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/front-door/.test/common/dependencies.bicep b/modules/network/front-door/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/front-door/.test/common/dependencies.bicep
rename to modules/network/front-door/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/front-door/.test/common/main.test.bicep b/modules/network/front-door/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/front-door/.test/common/main.test.bicep
rename to modules/network/front-door/tests/e2e/common/main.test.bicep
index 279bf41640..0aee4231e3 100644
--- a/modules/network/front-door/.test/common/main.test.bicep
+++ b/modules/network/front-door/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 var resourceName = '${namePrefix}${serviceShort}001'
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/front-door/.test/min/main.test.bicep b/modules/network/front-door/tests/e2e/min/main.test.bicep
similarity index 98%
rename from modules/network/front-door/.test/min/main.test.bicep
rename to modules/network/front-door/tests/e2e/min/main.test.bicep
index 347cd6dbd1..ab263c6aaf 100644
--- a/modules/network/front-door/.test/min/main.test.bicep
+++ b/modules/network/front-door/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 var resourceName = '${namePrefix}${serviceShort}001'
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/ip-group/.test/common/dependencies.bicep b/modules/network/ip-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/ip-group/.test/common/dependencies.bicep
rename to modules/network/ip-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/ip-group/.test/common/main.test.bicep b/modules/network/ip-group/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/ip-group/.test/common/main.test.bicep
rename to modules/network/ip-group/tests/e2e/common/main.test.bicep
index 90aee1fac5..0b461e847f 100644
--- a/modules/network/ip-group/.test/common/main.test.bicep
+++ b/modules/network/ip-group/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/ip-group/.test/min/main.test.bicep b/modules/network/ip-group/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/ip-group/.test/min/main.test.bicep
rename to modules/network/ip-group/tests/e2e/min/main.test.bicep
index e9bc5c3f60..9139a8b6b1 100644
--- a/modules/network/ip-group/.test/min/main.test.bicep
+++ b/modules/network/ip-group/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/load-balancer/.test/common/dependencies.bicep b/modules/network/load-balancer/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/load-balancer/.test/common/dependencies.bicep
rename to modules/network/load-balancer/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/load-balancer/.test/common/main.test.bicep b/modules/network/load-balancer/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/load-balancer/.test/common/main.test.bicep
rename to modules/network/load-balancer/tests/e2e/common/main.test.bicep
index fe358e8a25..b9098d6e39 100644
--- a/modules/network/load-balancer/.test/common/main.test.bicep
+++ b/modules/network/load-balancer/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/load-balancer/.test/internal/dependencies.bicep b/modules/network/load-balancer/tests/e2e/internal/dependencies.bicep
similarity index 100%
rename from modules/network/load-balancer/.test/internal/dependencies.bicep
rename to modules/network/load-balancer/tests/e2e/internal/dependencies.bicep
diff --git a/modules/network/load-balancer/.test/internal/main.test.bicep b/modules/network/load-balancer/tests/e2e/internal/main.test.bicep
similarity index 96%
rename from modules/network/load-balancer/.test/internal/main.test.bicep
rename to modules/network/load-balancer/tests/e2e/internal/main.test.bicep
index fd8248a0ed..26784c8eb8 100644
--- a/modules/network/load-balancer/.test/internal/main.test.bicep
+++ b/modules/network/load-balancer/tests/e2e/internal/main.test.bicep
@@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = {
 
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/load-balancer/.test/min/dependencies.bicep b/modules/network/load-balancer/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/load-balancer/.test/min/dependencies.bicep
rename to modules/network/load-balancer/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/load-balancer/.test/min/main.test.bicep b/modules/network/load-balancer/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/load-balancer/.test/min/main.test.bicep
rename to modules/network/load-balancer/tests/e2e/min/main.test.bicep
index d5d20d4d72..412f7617c4 100644
--- a/modules/network/load-balancer/.test/min/main.test.bicep
+++ b/modules/network/load-balancer/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/local-network-gateway/.test/common/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/local-network-gateway/.test/common/dependencies.bicep
rename to modules/network/local-network-gateway/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/local-network-gateway/.test/common/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/local-network-gateway/.test/common/main.test.bicep
rename to modules/network/local-network-gateway/tests/e2e/common/main.test.bicep
index 9b40213f0b..896cfd3547 100644
--- a/modules/network/local-network-gateway/.test/common/main.test.bicep
+++ b/modules/network/local-network-gateway/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/local-network-gateway/.test/min/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/local-network-gateway/.test/min/main.test.bicep
rename to modules/network/local-network-gateway/tests/e2e/min/main.test.bicep
index 738c5439e1..ab43e878e1 100644
--- a/modules/network/local-network-gateway/.test/min/main.test.bicep
+++ b/modules/network/local-network-gateway/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/nat-gateway/.test/common/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/nat-gateway/.test/common/dependencies.bicep
rename to modules/network/nat-gateway/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/nat-gateway/.test/common/main.test.bicep b/modules/network/nat-gateway/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/network/nat-gateway/.test/common/main.test.bicep
rename to modules/network/nat-gateway/tests/e2e/common/main.test.bicep
index b4e844cece..eda394593d 100644
--- a/modules/network/nat-gateway/.test/common/main.test.bicep
+++ b/modules/network/nat-gateway/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep
similarity index 100%
rename from modules/network/nat-gateway/.test/prefixCombined/dependencies.bicep
rename to modules/network/nat-gateway/tests/e2e/prefixCombined/dependencies.bicep
diff --git a/modules/network/nat-gateway/.test/prefixCombined/main.test.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
similarity index 95%
rename from modules/network/nat-gateway/.test/prefixCombined/main.test.bicep
rename to modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
index 1d98171653..13de1ef352 100644
--- a/modules/network/nat-gateway/.test/prefixCombined/main.test.bicep
+++ b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/network/network-interface/.test/common/dependencies.bicep b/modules/network/network-interface/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/network-interface/.test/common/dependencies.bicep
rename to modules/network/network-interface/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/network-interface/.test/common/main.test.bicep b/modules/network/network-interface/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/network/network-interface/.test/common/main.test.bicep
rename to modules/network/network-interface/tests/e2e/common/main.test.bicep
index c5c0039691..e3db0da6eb 100644
--- a/modules/network/network-interface/.test/common/main.test.bicep
+++ b/modules/network/network-interface/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/network-interface/.test/min/dependencies.bicep b/modules/network/network-interface/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/network/network-interface/.test/min/dependencies.bicep rename to modules/network/network-interface/tests/e2e/min/dependencies.bicep diff --git a/modules/network/network-interface/.test/min/main.test.bicep b/modules/network/network-interface/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/network/network-interface/.test/min/main.test.bicep rename to modules/network/network-interface/tests/e2e/min/main.test.bicep index a5d77cf3cb..3ba824eace 100644 --- a/modules/network/network-interface/.test/min/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/min/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/network/network-manager/.test/common/dependencies.bicep b/modules/network/network-manager/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/network-manager/.test/common/dependencies.bicep rename to modules/network/network-manager/tests/e2e/common/dependencies.bicep diff --git a/modules/network/network-manager/.test/common/main.test.bicep b/modules/network/network-manager/tests/e2e/common/main.test.bicep similarity index 99% rename from modules/network/network-manager/.test/common/main.test.bicep rename to modules/network/network-manager/tests/e2e/common/main.test.bicep index b1376229e6..47dfe8e4c3 100644 --- a/modules/network/network-manager/.test/common/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/common/main.test.bicep @@ -53,7 +53,7 @@ module nestedDependencies 'dependencies.bicep' = { var networkManagerName = '${namePrefix}${serviceShort}001' var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/network-security-group/.test/common/dependencies.bicep b/modules/network/network-security-group/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/network-security-group/.test/common/dependencies.bicep rename to modules/network/network-security-group/tests/e2e/common/dependencies.bicep diff --git a/modules/network/network-security-group/.test/common/main.test.bicep b/modules/network/network-security-group/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/network/network-security-group/.test/common/main.test.bicep rename to modules/network/network-security-group/tests/e2e/common/main.test.bicep index 6f4d0ca1e1..f0d32175ee 100644 
--- a/modules/network/network-security-group/.test/common/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/common/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/network-security-group/.test/min/main.test.bicep b/modules/network/network-security-group/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/network-security-group/.test/min/main.test.bicep rename to modules/network/network-security-group/tests/e2e/min/main.test.bicep index 5408cedcc5..0e74b84bbe 100644 --- a/modules/network/network-security-group/.test/min/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/network/network-watcher/.test/common/dependencies.bicep b/modules/network/network-watcher/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/network-watcher/.test/common/dependencies.bicep rename to modules/network/network-watcher/tests/e2e/common/dependencies.bicep diff --git a/modules/network/network-watcher/.test/common/main.test.bicep b/modules/network/network-watcher/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/network/network-watcher/.test/common/main.test.bicep rename to modules/network/network-watcher/tests/e2e/common/main.test.bicep index 9730732a54..c990c50782 100644 --- a/modules/network/network-watcher/.test/common/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/common/main.test.bicep @@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -66,7 +66,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // ============== // #disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one var testLocation = 'westeurope' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' params: { 
diff --git a/modules/network/network-watcher/.test/min/main.test.bicep b/modules/network/network-watcher/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/network/network-watcher/.test/min/main.test.bicep rename to modules/network/network-watcher/tests/e2e/min/main.test.bicep index 026f230ae4..73452b204c 100644 --- a/modules/network/network-watcher/.test/min/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/min/main.test.bicep @@ -36,7 +36,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // ============== // #disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one var testLocation = 'northeurope' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' params: { diff --git a/modules/network/private-dns-zone/.test/common/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/private-dns-zone/.test/common/dependencies.bicep rename to modules/network/private-dns-zone/tests/e2e/common/dependencies.bicep diff --git a/modules/network/private-dns-zone/.test/common/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/common/main.test.bicep similarity index 99% rename from modules/network/private-dns-zone/.test/common/main.test.bicep rename to modules/network/private-dns-zone/tests/e2e/common/main.test.bicep index 96d913639a..5e616bcc70 100644 --- a/modules/network/private-dns-zone/.test/common/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/common/main.test.bicep 
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/private-dns-zone/.test/min/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/private-dns-zone/.test/min/main.test.bicep rename to modules/network/private-dns-zone/tests/e2e/min/main.test.bicep index 0426b7b5d0..ac3e057214 100644 --- a/modules/network/private-dns-zone/.test/min/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/private-endpoint/.test/common/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/private-endpoint/.test/common/dependencies.bicep rename to modules/network/private-endpoint/tests/e2e/common/dependencies.bicep diff --git a/modules/network/private-endpoint/.test/common/main.test.bicep b/modules/network/private-endpoint/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/network/private-endpoint/.test/common/main.test.bicep rename to modules/network/private-endpoint/tests/e2e/common/main.test.bicep index 3728621b84..7904b19335 100644 --- a/modules/network/private-endpoint/.test/common/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/common/main.test.bicep 
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/private-endpoint/.test/min/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/network/private-endpoint/.test/min/dependencies.bicep rename to modules/network/private-endpoint/tests/e2e/min/dependencies.bicep diff --git a/modules/network/private-endpoint/.test/min/main.test.bicep b/modules/network/private-endpoint/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/network/private-endpoint/.test/min/main.test.bicep rename to modules/network/private-endpoint/tests/e2e/min/main.test.bicep index 95f011a2b2..c2f9894353 100644 --- a/modules/network/private-endpoint/.test/min/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/min/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/private-link-service/.test/common/dependencies.bicep b/modules/network/private-link-service/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/private-link-service/.test/common/dependencies.bicep rename to modules/network/private-link-service/tests/e2e/common/dependencies.bicep 
diff --git a/modules/network/private-link-service/.test/common/main.test.bicep b/modules/network/private-link-service/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/network/private-link-service/.test/common/main.test.bicep rename to modules/network/private-link-service/tests/e2e/common/main.test.bicep index ba974b6e46..dee87a5b50 100644 --- a/modules/network/private-link-service/.test/common/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/common/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/private-link-service/.test/min/dependencies.bicep b/modules/network/private-link-service/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/network/private-link-service/.test/min/dependencies.bicep rename to modules/network/private-link-service/tests/e2e/min/dependencies.bicep diff --git a/modules/network/private-link-service/.test/min/main.test.bicep b/modules/network/private-link-service/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/network/private-link-service/.test/min/main.test.bicep rename to modules/network/private-link-service/tests/e2e/min/main.test.bicep index d7e063e3d4..6ecb49281d 100644 --- a/modules/network/private-link-service/.test/min/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/min/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/network/public-ip-address/.test/common/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/public-ip-address/.test/common/dependencies.bicep rename to modules/network/public-ip-address/tests/e2e/common/dependencies.bicep diff --git a/modules/network/public-ip-address/.test/common/main.test.bicep b/modules/network/public-ip-address/tests/e2e/common/main.test.bicep similarity index 95% rename from modules/network/public-ip-address/.test/common/main.test.bicep rename to modules/network/public-ip-address/tests/e2e/common/main.test.bicep index ac137bfc39..80217831e3 100644 --- a/modules/network/public-ip-address/.test/common/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/public-ip-address/.test/min/main.test.bicep b/modules/network/public-ip-address/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/public-ip-address/.test/min/main.test.bicep rename to modules/network/public-ip-address/tests/e2e/min/main.test.bicep index b759ba4dda..8b2bad4c9a 100644 --- a/modules/network/public-ip-address/.test/min/main.test.bicep 
+++ b/modules/network/public-ip-address/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/public-ip-prefix/.test/common/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/public-ip-prefix/.test/common/dependencies.bicep rename to modules/network/public-ip-prefix/tests/e2e/common/dependencies.bicep diff --git a/modules/network/public-ip-prefix/.test/common/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/network/public-ip-prefix/.test/common/main.test.bicep rename to modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep index 60824222df..de01104fcb 100644 --- a/modules/network/public-ip-prefix/.test/common/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/public-ip-prefix/.test/min/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/public-ip-prefix/.test/min/main.test.bicep rename to modules/network/public-ip-prefix/tests/e2e/min/main.test.bicep index 979dc0e0af..5b412000e6 100644 --- a/modules/network/public-ip-prefix/.test/min/main.test.bicep 
+++ b/modules/network/public-ip-prefix/tests/e2e/min/main.test.bicep @@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/route-table/.test/common/dependencies.bicep b/modules/network/route-table/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/route-table/.test/common/dependencies.bicep rename to modules/network/route-table/tests/e2e/common/dependencies.bicep diff --git a/modules/network/route-table/.test/common/main.test.bicep b/modules/network/route-table/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/network/route-table/.test/common/main.test.bicep rename to modules/network/route-table/tests/e2e/common/main.test.bicep index 956148cbd0..9c832803bc 100644 --- a/modules/network/route-table/.test/common/main.test.bicep +++ b/modules/network/route-table/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/route-table/.test/min/main.test.bicep b/modules/network/route-table/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/route-table/.test/min/main.test.bicep rename to modules/network/route-table/tests/e2e/min/main.test.bicep index a5b93df8a8..8a237dfdcf 100644 --- a/modules/network/route-table/.test/min/main.test.bicep +++ b/modules/network/route-table/tests/e2e/min/main.test.bicep 
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/service-endpoint-policy/.test/common/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/service-endpoint-policy/.test/common/dependencies.bicep rename to modules/network/service-endpoint-policy/tests/e2e/common/dependencies.bicep diff --git a/modules/network/service-endpoint-policy/.test/common/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/network/service-endpoint-policy/.test/common/main.test.bicep rename to modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep index 0dca71cf41..935e76388f 100644 --- a/modules/network/service-endpoint-policy/.test/common/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/service-endpoint-policy/.test/min/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/service-endpoint-policy/.test/min/main.test.bicep rename to modules/network/service-endpoint-policy/tests/e2e/min/main.test.bicep index 154fe68b53..70ff126389 100644 --- a/modules/network/service-endpoint-policy/.test/min/main.test.bicep 
+++ b/modules/network/service-endpoint-policy/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/trafficmanagerprofile/.test/common/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/trafficmanagerprofile/.test/common/dependencies.bicep rename to modules/network/trafficmanagerprofile/tests/e2e/common/dependencies.bicep diff --git a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep similarity index 95% rename from modules/network/trafficmanagerprofile/.test/common/main.test.bicep rename to modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep index b66ca6b816..5b858058da 100644 --- a/modules/network/trafficmanagerprofile/.test/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/network/trafficmanagerprofile/.test/min/main.test.bicep rename to modules/network/trafficmanagerprofile/tests/e2e/min/main.test.bicep index 78292ead79..9f2602f94f 100644 --- a/modules/network/trafficmanagerprofile/.test/min/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-hub/.test/common/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/virtual-hub/.test/common/dependencies.bicep rename to modules/network/virtual-hub/tests/e2e/common/dependencies.bicep diff --git a/modules/network/virtual-hub/.test/common/main.test.bicep b/modules/network/virtual-hub/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/network/virtual-hub/.test/common/main.test.bicep rename to modules/network/virtual-hub/tests/e2e/common/main.test.bicep index 3686e52eb7..9c2433cc84 100644 --- a/modules/network/virtual-hub/.test/common/main.test.bicep 
+++ b/modules/network/virtual-hub/tests/e2e/common/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-hub/.test/min/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/network/virtual-hub/.test/min/dependencies.bicep rename to modules/network/virtual-hub/tests/e2e/min/dependencies.bicep diff --git a/modules/network/virtual-hub/.test/min/main.test.bicep b/modules/network/virtual-hub/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/network/virtual-hub/.test/min/main.test.bicep rename to modules/network/virtual-hub/tests/e2e/min/main.test.bicep index be7e2a2955..1e6bb24c21 100644 --- a/modules/network/virtual-hub/.test/min/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/min/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep similarity index 100% rename from modules/network/virtual-network-gateway/.test/aadvpn/dependencies.bicep rename to modules/network/virtual-network-gateway/tests/e2e/aadvpn/dependencies.bicep 
diff --git a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep similarity index 96% rename from modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep rename to modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep index 678babb170..3c9305aa5b 100644 --- a/modules/network/virtual-network-gateway/.test/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep @@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-network-gateway/.test/expressRoute/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep similarity index 100% rename from modules/network/virtual-network-gateway/.test/expressRoute/dependencies.bicep rename to modules/network/virtual-network-gateway/tests/e2e/expressRoute/dependencies.bicep 
diff --git a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep similarity index 95% rename from modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep rename to modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep index c65475e33c..9a22c3afa9 100644 --- a/modules/network/virtual-network-gateway/.test/expressRoute/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep @@ -42,7 +42,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -58,7 +58,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-network-gateway/.test/vpn/dependencies.bicep b/modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep similarity index 100% rename from modules/network/virtual-network-gateway/.test/vpn/dependencies.bicep rename to modules/network/virtual-network-gateway/tests/e2e/vpn/dependencies.bicep 
diff --git a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep similarity index 96% rename from modules/network/virtual-network-gateway/.test/vpn/main.test.bicep rename to modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep index 85b6eca68f..903303e2af 100644 --- a/modules/network/virtual-network-gateway/.test/vpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -59,7 +59,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/network/virtual-network/.test/common/dependencies.bicep b/modules/network/virtual-network/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/network/virtual-network/.test/common/dependencies.bicep rename to modules/network/virtual-network/tests/e2e/common/dependencies.bicep diff --git a/modules/network/virtual-network/.test/common/main.test.bicep b/modules/network/virtual-network/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/network/virtual-network/.test/common/main.test.bicep rename to modules/network/virtual-network/tests/e2e/common/main.test.bicep index 57bdda036d..d3384de2e9 100644 --- a/modules/network/virtual-network/.test/common/main.test.bicep 
+++ b/modules/network/virtual-network/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // ============== //
 var addressPrefix = '10.0.0.0/16'
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/virtual-network/.test/min/main.test.bicep b/modules/network/virtual-network/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/virtual-network/.test/min/main.test.bicep
rename to modules/network/virtual-network/tests/e2e/min/main.test.bicep
index 5d77b3ccee..80ad958cf8 100644
--- a/modules/network/virtual-network/.test/min/main.test.bicep
+++ b/modules/network/virtual-network/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/virtual-network/.test/vnetPeering/dependencies.bicep b/modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep
similarity index 100%
rename from modules/network/virtual-network/.test/vnetPeering/dependencies.bicep
rename to modules/network/virtual-network/tests/e2e/vnetPeering/dependencies.bicep
diff --git a/modules/network/virtual-network/.test/vnetPeering/main.test.bicep b/modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep
similarity index 97%
rename from modules/network/virtual-network/.test/vnetPeering/main.test.bicep
rename to modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep
index 34df29c754..ba786f42f1 100644
--- a/modules/network/virtual-network/.test/vnetPeering/main.test.bicep
+++ b/modules/network/virtual-network/tests/e2e/vnetPeering/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/virtual-wan/.test/common/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/virtual-wan/.test/common/dependencies.bicep
rename to modules/network/virtual-wan/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/virtual-wan/.test/common/main.test.bicep b/modules/network/virtual-wan/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/network/virtual-wan/.test/common/main.test.bicep
rename to modules/network/virtual-wan/tests/e2e/common/main.test.bicep
index 6f47c362b4..d9554d26d8 100644
--- a/modules/network/virtual-wan/.test/common/main.test.bicep
+++ b/modules/network/virtual-wan/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/virtual-wan/.test/min/main.test.bicep b/modules/network/virtual-wan/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/network/virtual-wan/.test/min/main.test.bicep
rename to modules/network/virtual-wan/tests/e2e/min/main.test.bicep
index da77dcc8fc..9b861faa22 100644
--- a/modules/network/virtual-wan/.test/min/main.test.bicep
+++ b/modules/network/virtual-wan/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/vpn-gateway/.test/common/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-gateway/.test/common/dependencies.bicep
rename to modules/network/vpn-gateway/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/vpn-gateway/.test/common/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/vpn-gateway/.test/common/main.test.bicep
rename to modules/network/vpn-gateway/tests/e2e/common/main.test.bicep
index 857d52c3a2..2d221b3379 100644
--- a/modules/network/vpn-gateway/.test/common/main.test.bicep
+++ b/modules/network/vpn-gateway/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/vpn-gateway/.test/min/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-gateway/.test/min/dependencies.bicep
rename to modules/network/vpn-gateway/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/vpn-gateway/.test/min/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/vpn-gateway/.test/min/main.test.bicep
rename to modules/network/vpn-gateway/tests/e2e/min/main.test.bicep
index 959c3c8182..e79cff0f46 100644
--- a/modules/network/vpn-gateway/.test/min/main.test.bicep
+++ b/modules/network/vpn-gateway/tests/e2e/min/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/vpn-site/.test/common/dependencies.bicep b/modules/network/vpn-site/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-site/.test/common/dependencies.bicep
rename to modules/network/vpn-site/tests/e2e/common/dependencies.bicep
diff --git a/modules/network/vpn-site/.test/common/main.test.bicep b/modules/network/vpn-site/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/network/vpn-site/.test/common/main.test.bicep
rename to modules/network/vpn-site/tests/e2e/common/main.test.bicep
index 3e40997a52..e7fdd0967f 100644
--- a/modules/network/vpn-site/.test/common/main.test.bicep
+++ b/modules/network/vpn-site/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/network/vpn-site/.test/min/dependencies.bicep b/modules/network/vpn-site/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-site/.test/min/dependencies.bicep
rename to modules/network/vpn-site/tests/e2e/min/dependencies.bicep
diff --git a/modules/network/vpn-site/.test/min/main.test.bicep b/modules/network/vpn-site/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/network/vpn-site/.test/min/main.test.bicep
rename to modules/network/vpn-site/tests/e2e/min/main.test.bicep
index e452f365d1..2c805b566b 100644
--- a/modules/network/vpn-site/.test/min/main.test.bicep
+++ b/modules/network/vpn-site/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operational-insights/workspace/.test/adv/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep
similarity index 100%
rename from modules/operational-insights/workspace/.test/adv/dependencies.bicep
rename to modules/operational-insights/workspace/tests/e2e/adv/dependencies.bicep
diff --git a/modules/operational-insights/workspace/.test/adv/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep
similarity index 98%
rename from modules/operational-insights/workspace/.test/adv/main.test.bicep
rename to modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep
index 268d776147..04e0f54a59 100644
--- a/modules/operational-insights/workspace/.test/adv/main.test.bicep
+++ b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operational-insights/workspace/.test/common/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/operational-insights/workspace/.test/common/dependencies.bicep
rename to modules/operational-insights/workspace/tests/e2e/common/dependencies.bicep
diff --git a/modules/operational-insights/workspace/.test/common/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/operational-insights/workspace/.test/common/main.test.bicep
rename to modules/operational-insights/workspace/tests/e2e/common/main.test.bicep
index 607cbbae50..1cf9da26fa 100644
--- a/modules/operational-insights/workspace/.test/common/main.test.bicep
+++ b/modules/operational-insights/workspace/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operational-insights/workspace/.test/min/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/operational-insights/workspace/.test/min/main.test.bicep
rename to modules/operational-insights/workspace/tests/e2e/min/main.test.bicep
index efb01b22ac..ad410db22f 100644
--- a/modules/operational-insights/workspace/.test/min/main.test.bicep
+++ b/modules/operational-insights/workspace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operations-management/solution/.test/min/dependencies.bicep b/modules/operations-management/solution/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/operations-management/solution/.test/min/dependencies.bicep
rename to modules/operations-management/solution/tests/e2e/min/dependencies.bicep
diff --git a/modules/operations-management/solution/.test/min/main.test.bicep b/modules/operations-management/solution/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/operations-management/solution/.test/min/main.test.bicep
rename to modules/operations-management/solution/tests/e2e/min/main.test.bicep
index b59040e411..a82c4e54f3 100644
--- a/modules/operations-management/solution/.test/min/main.test.bicep
+++ b/modules/operations-management/solution/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operations-management/solution/.test/ms/dependencies.bicep b/modules/operations-management/solution/tests/e2e/ms/dependencies.bicep
similarity index 100%
rename from modules/operations-management/solution/.test/ms/dependencies.bicep
rename to modules/operations-management/solution/tests/e2e/ms/dependencies.bicep
diff --git a/modules/operations-management/solution/.test/ms/main.test.bicep b/modules/operations-management/solution/tests/e2e/ms/main.test.bicep
similarity index 97%
rename from modules/operations-management/solution/.test/ms/main.test.bicep
rename to modules/operations-management/solution/tests/e2e/ms/main.test.bicep
index a055a0c15a..e3e03cbeec 100644
--- a/modules/operations-management/solution/.test/ms/main.test.bicep
+++ b/modules/operations-management/solution/tests/e2e/ms/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/operations-management/solution/.test/nonms/dependencies.bicep b/modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep
similarity index 100%
rename from modules/operations-management/solution/.test/nonms/dependencies.bicep
rename to modules/operations-management/solution/tests/e2e/nonms/dependencies.bicep
diff --git a/modules/operations-management/solution/.test/nonms/main.test.bicep b/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep
similarity index 97%
rename from modules/operations-management/solution/.test/nonms/main.test.bicep
rename to modules/operations-management/solution/tests/e2e/nonms/main.test.bicep
index e3e4e9d126..39178e0f71 100644
--- a/modules/operations-management/solution/.test/nonms/main.test.bicep
+++ b/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/policy-insights/remediation/.test/mg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep
similarity index 97%
rename from modules/policy-insights/remediation/.test/mg.common/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep
index 49917865b8..ec5905b87e 100644
--- a/modules/policy-insights/remediation/.test/mg.common/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep
@@ -80,7 +80,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../management-group/main.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/policy-insights/remediation/.test/mg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep
similarity index 95%
rename from modules/policy-insights/remediation/.test/mg.min/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep
index 9a1a8606b8..2fa5bd5533 100644
--- a/modules/policy-insights/remediation/.test/mg.min/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep
@@ -35,7 +35,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01'
 // Test Execution //
 // ============== //
-module testDeployment '../../management-group/main.bicep' = {
+module testDeployment '../../../management-group/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/policy-insights/remediation/.test/rg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep
similarity index 97%
rename from modules/policy-insights/remediation/.test/rg.common/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep
index 7052879293..932adf9c48 100644
--- a/modules/policy-insights/remediation/.test/rg.common/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep
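Review bot: The path change in the mg.common hunk is not the mechanical one-level depth fix the rest of this commit applies: `testDeployment` moves from `'../../main.bicep'` to `'../../../management-group/main.bicep'`, i.e. the template under test changes, whereas the sibling hunks (mg.min, rg.common, rg.min, sub.common, sub.min) only prepend one `../` to a path that already named the scoped sub-module. The old path resolved to `modules/policy-insights/remediation/main.bicep`, which presumably was never a valid target for a management-group-scoped test, but nothing in the commit records that this test was previously broken or that the corrected target was verified to deploy. Worth confirming the intended target and calling the correction out separately, since a reader of this diff will otherwise assume every hunk is a pure path-depth adjustment. The `module testDeployment` declaration continues past the end of the hunk.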
@@ -89,7 +89,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-
 // Test Execution //
 // ============== //
-module testDeployment '../../resource-group/main.bicep' = {
+module testDeployment '../../../resource-group/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 scope: resourceGroup
 params: {
diff --git a/modules/policy-insights/remediation/.test/rg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep
similarity index 96%
rename from modules/policy-insights/remediation/.test/rg.min/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep
index 8d80250f13..86d6da3d11 100644
--- a/modules/policy-insights/remediation/.test/rg.min/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep
@@ -44,7 +44,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01'
 // Test Execution //
 // ============== //
-module testDeployment '../../resource-group/main.bicep' = {
+module testDeployment '../../../resource-group/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 scope: resourceGroup
 params: {
diff --git a/modules/policy-insights/remediation/.test/sub.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep
similarity index 97%
rename from modules/policy-insights/remediation/.test/sub.common/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep
index 967baf0775..d884f232c9 100644
--- a/modules/policy-insights/remediation/.test/sub.common/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep
@@ -80,7 +80,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06-
 // Test Execution //
 // ============== //
-module testDeployment '../../subscription/main.bicep' = {
+module testDeployment '../../../subscription/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/policy-insights/remediation/.test/sub.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep
similarity index 95%
rename from modules/policy-insights/remediation/.test/sub.min/main.test.bicep
rename to modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep
index 8bfbe9d9d1..cc3ef9248f 100644
--- a/modules/policy-insights/remediation/.test/sub.min/main.test.bicep
+++ b/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep
@@ -35,7 +35,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01'
 // Test Execution //
 // ============== //
-module testDeployment '../../subscription/main.bicep' = {
+module testDeployment '../../../subscription/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/power-bi-dedicated/capacity/.test/common/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/power-bi-dedicated/capacity/.test/common/dependencies.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/common/dependencies.bicep
diff --git a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep
index 67bba9fa1b..ac0f2e2e69 100644
--- a/modules/power-bi-dedicated/capacity/.test/common/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/power-bi-dedicated/capacity/.test/min/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/power-bi-dedicated/capacity/.test/min/dependencies.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/min/dependencies.bicep
diff --git a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/min/main.test.bicep
index 3cbc57c794..7325d2ed89 100644
--- a/modules/power-bi-dedicated/capacity/.test/min/main.test.bicep
+++ b/modules/power-bi-dedicated/capacity/tests/e2e/min/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/purview/account/.test/common/dependencies.bicep b/modules/purview/account/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/purview/account/.test/common/dependencies.bicep
rename to modules/purview/account/tests/e2e/common/dependencies.bicep
diff --git a/modules/purview/account/.test/common/main.test.bicep b/modules/purview/account/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/purview/account/.test/common/main.test.bicep
rename to modules/purview/account/tests/e2e/common/main.test.bicep
index 5dfc03d500..91aac7a244 100644
--- a/modules/purview/account/.test/common/main.test.bicep
+++ b/modules/purview/account/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
diff --git a/modules/purview/account/.test/min/main.test.bicep b/modules/purview/account/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/purview/account/.test/min/main.test.bicep
rename to modules/purview/account/tests/e2e/min/main.test.bicep
index 085922c251..b1205ff888 100644
--- a/modules/purview/account/.test/min/main.test.bicep
+++ b/modules/purview/account/tests/e2e/min/main.test.bicep
@@ -37,7 +37,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
diff --git a/modules/recovery-services/vault/.test/common/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/recovery-services/vault/.test/common/dependencies.bicep
rename to modules/recovery-services/vault/tests/e2e/common/dependencies.bicep
diff --git a/modules/recovery-services/vault/.test/common/main.test.bicep b/modules/recovery-services/vault/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/recovery-services/vault/.test/common/main.test.bicep
rename to modules/recovery-services/vault/tests/e2e/common/main.test.bicep
index 81d25194c7..5e424fda60 100644
--- a/modules/recovery-services/vault/.test/common/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/recovery-services/vault/.test/dr/main.test.bicep b/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep
similarity index 98%
rename from modules/recovery-services/vault/.test/dr/main.test.bicep
rename to modules/recovery-services/vault/tests/e2e/dr/main.test.bicep
index ab0df3f202..d2af04c07f 100644
--- a/modules/recovery-services/vault/.test/dr/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 var rsvName = '${namePrefix}${serviceShort}001'
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/recovery-services/vault/.test/min/main.test.bicep b/modules/recovery-services/vault/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/recovery-services/vault/.test/min/main.test.bicep
rename to modules/recovery-services/vault/tests/e2e/min/main.test.bicep
index 84b52bfe7b..e64705c7a3 100644
--- a/modules/recovery-services/vault/.test/min/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
diff --git a/modules/relay/namespace/.test/common/dependencies.bicep b/modules/relay/namespace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/relay/namespace/.test/common/dependencies.bicep
rename to modules/relay/namespace/tests/e2e/common/dependencies.bicep
diff --git a/modules/relay/namespace/.test/common/main.test.bicep b/modules/relay/namespace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/relay/namespace/.test/common/main.test.bicep
rename to modules/relay/namespace/tests/e2e/common/main.test.bicep
index 42d99dfca1..1145ec162b 100644
--- a/modules/relay/namespace/.test/common/main.test.bicep
+++ b/modules/relay/namespace/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/relay/namespace/.test/min/main.test.bicep b/modules/relay/namespace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/relay/namespace/.test/min/main.test.bicep
rename to modules/relay/namespace/tests/e2e/min/main.test.bicep
index b58e52706a..689248719f 100644
--- a/modules/relay/namespace/.test/min/main.test.bicep
+++ b/modules/relay/namespace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/relay/namespace/.test/pe/dependencies.bicep b/modules/relay/namespace/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/relay/namespace/.test/pe/dependencies.bicep
rename to modules/relay/namespace/tests/e2e/pe/dependencies.bicep
diff --git a/modules/relay/namespace/.test/pe/main.test.bicep b/modules/relay/namespace/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/relay/namespace/.test/pe/main.test.bicep
rename to modules/relay/namespace/tests/e2e/pe/main.test.bicep
index c982c0e55d..dd1352106e 100644
--- a/modules/relay/namespace/.test/pe/main.test.bicep
+++ b/modules/relay/namespace/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/resource-graph/query/.test/common/dependencies.bicep b/modules/resource-graph/query/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/resource-graph/query/.test/common/dependencies.bicep
rename to modules/resource-graph/query/tests/e2e/common/dependencies.bicep
diff --git a/modules/resource-graph/query/.test/common/main.test.bicep b/modules/resource-graph/query/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/resource-graph/query/.test/common/main.test.bicep
rename to modules/resource-graph/query/tests/e2e/common/main.test.bicep
index 88223c9385..5ba6722c2e 100644
--- a/modules/resource-graph/query/.test/common/main.test.bicep
+++ b/modules/resource-graph/query/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/resource-graph/query/.test/min/main.test.bicep b/modules/resource-graph/query/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/resource-graph/query/.test/min/main.test.bicep
rename to modules/resource-graph/query/tests/e2e/min/main.test.bicep
index 662a8d6a1b..da7b4e92f2 100644
--- a/modules/resource-graph/query/.test/min/main.test.bicep
+++ b/modules/resource-graph/query/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/resources/deployment-script/.test/cli/dependencies.bicep b/modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep
similarity index 100%
rename from modules/resources/deployment-script/.test/cli/dependencies.bicep
rename to modules/resources/deployment-script/tests/e2e/cli/dependencies.bicep
diff --git a/modules/resources/deployment-script/.test/cli/main.test.bicep b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep
similarity index 98%
rename from modules/resources/deployment-script/.test/cli/main.test.bicep
rename to modules/resources/deployment-script/tests/e2e/cli/main.test.bicep
index 6f72c40370..0de3a4dec5 100644
--- a/modules/resources/deployment-script/.test/cli/main.test.bicep
+++ b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/resources/deployment-script/.test/ps/dependencies.bicep b/modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep
similarity index 100%
rename from modules/resources/deployment-script/.test/ps/dependencies.bicep
rename to modules/resources/deployment-script/tests/e2e/ps/dependencies.bicep
diff --git a/modules/resources/deployment-script/.test/ps/main.test.bicep b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
similarity index 97%
rename from modules/resources/deployment-script/.test/ps/main.test.bicep
rename to modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
index 96ae61a018..058b6ed59b 100644
--- a/modules/resources/deployment-script/.test/ps/main.test.bicep
+++ b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/resources/resource-group/.test/common/dependencies.bicep b/modules/resources/resource-group/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/resources/resource-group/.test/common/dependencies.bicep
rename to modules/resources/resource-group/tests/e2e/common/dependencies.bicep
diff --git a/modules/resources/resource-group/.test/common/main.test.bicep b/modules/resources/resource-group/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/resources/resource-group/.test/common/main.test.bicep
rename to modules/resources/resource-group/tests/e2e/common/main.test.bicep
index 00f3ec65a3..d18688107c 100644
--- a/modules/resources/resource-group/.test/common/main.test.bicep
+++ b/modules/resources/resource-group/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/resources/resource-group/.test/min/main.test.bicep b/modules/resources/resource-group/tests/e2e/min/main.test.bicep
similarity index 94%
rename from modules/resources/resource-group/.test/min/main.test.bicep
rename to modules/resources/resource-group/tests/e2e/min/main.test.bicep
index 04d75955c0..22dbdd1d67 100644
--- a/modules/resources/resource-group/.test/min/main.test.bicep
+++ b/modules/resources/resource-group/tests/e2e/min/main.test.bicep
@@ -20,7 +20,7 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/resources/tags/.test/min/main.test.bicep b/modules/resources/tags/tests/e2e/min/main.test.bicep
similarity index 93%
rename from modules/resources/tags/.test/min/main.test.bicep
rename to modules/resources/tags/tests/e2e/min/main.test.bicep
index 4afd22e26f..ab0a7599eb 100644
--- a/modules/resources/tags/.test/min/main.test.bicep
+++ b/modules/resources/tags/tests/e2e/min/main.test.bicep
@@ -17,7 +17,7 @@ param enableDefaultTelemetry bool = true
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/resources/tags/.test/rg/main.test.bicep b/modules/resources/tags/tests/e2e/rg/main.test.bicep
similarity index 96%
rename from modules/resources/tags/.test/rg/main.test.bicep
rename to modules/resources/tags/tests/e2e/rg/main.test.bicep
index ef95040057..0f08a5a281 100644
--- a/modules/resources/tags/.test/rg/main.test.bicep
+++ b/modules/resources/tags/tests/e2e/rg/main.test.bicep
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/resources/tags/.test/sub/main.test.bicep b/modules/resources/tags/tests/e2e/sub/main.test.bicep
similarity index 93%
rename from modules/resources/tags/.test/sub/main.test.bicep
rename to modules/resources/tags/tests/e2e/sub/main.test.bicep
index 97394e4660..92c029e810 100644
--- a/modules/resources/tags/.test/sub/main.test.bicep
+++ b/modules/resources/tags/tests/e2e/sub/main.test.bicep
@@ -14,7 +14,7 @@ param enableDefaultTelemetry bool = true
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
     onlyUpdate: true
diff --git a/modules/search/search-service/.test/common/dependencies.bicep b/modules/search/search-service/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/search/search-service/.test/common/dependencies.bicep
rename to modules/search/search-service/tests/e2e/common/dependencies.bicep
diff --git a/modules/search/search-service/.test/common/main.test.bicep b/modules/search/search-service/tests/e2e/common/main.test.bicep
similarity index 96%
rename from modules/search/search-service/.test/common/main.test.bicep
rename to modules/search/search-service/tests/e2e/common/main.test.bicep
index 1190190f6e..9e32c070da 100644
--- a/modules/search/search-service/.test/common/main.test.bicep
+++ b/modules/search/search-service/tests/e2e/common/main.test.bicep
@@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/search/search-service/.test/min/main.test.bicep b/modules/search/search-service/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/search/search-service/.test/min/main.test.bicep
rename to modules/search/search-service/tests/e2e/min/main.test.bicep
index 3383746985..a09caf4e8e 100644
--- a/modules/search/search-service/.test/min/main.test.bicep
+++ b/modules/search/search-service/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/search/search-service/.test/pe/dependencies.bicep b/modules/search/search-service/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/search/search-service/.test/pe/dependencies.bicep
rename to modules/search/search-service/tests/e2e/pe/dependencies.bicep
diff --git a/modules/search/search-service/.test/pe/main.test.bicep b/modules/search/search-service/tests/e2e/pe/main.test.bicep
similarity index 98%
rename from modules/search/search-service/.test/pe/main.test.bicep
rename to modules/search/search-service/tests/e2e/pe/main.test.bicep
index 7fe335da8f..c18f872e76 100644
--- a/modules/search/search-service/.test/pe/main.test.bicep
+++ b/modules/search/search-service/tests/e2e/pe/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/security/azure-security-center/.test/common/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/security/azure-security-center/.test/common/dependencies.bicep
rename to modules/security/azure-security-center/tests/e2e/common/dependencies.bicep
diff --git a/modules/security/azure-security-center/.test/common/main.test.bicep b/modules/security/azure-security-center/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/security/azure-security-center/.test/common/main.test.bicep
rename to modules/security/azure-security-center/tests/e2e/common/main.test.bicep
index e3621cd32f..da098c4a01 100644
--- a/modules/security/azure-security-center/.test/common/main.test.bicep
+++ b/modules/security/azure-security-center/tests/e2e/common/main.test.bicep
@@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
diff --git a/modules/service-bus/namespace/.test/common/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/service-bus/namespace/.test/common/dependencies.bicep
rename to modules/service-bus/namespace/tests/e2e/common/dependencies.bicep
diff --git a/modules/service-bus/namespace/.test/common/main.test.bicep b/modules/service-bus/namespace/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/service-bus/namespace/.test/common/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/common/main.test.bicep
index b5f4fed0fa..0cd5115423 100644
--- a/modules/service-bus/namespace/.test/common/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/common/main.test.bicep
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-bus/namespace/.test/encr/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep
similarity index 100%
rename from modules/service-bus/namespace/.test/encr/dependencies.bicep
rename to modules/service-bus/namespace/tests/e2e/encr/dependencies.bicep
diff --git a/modules/service-bus/namespace/.test/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
similarity index 98%
rename from modules/service-bus/namespace/.test/encr/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
index 961376bee9..f0e1671e0f 100644
--- a/modules/service-bus/namespace/.test/encr/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-bus/namespace/.test/min/main.test.bicep b/modules/service-bus/namespace/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/service-bus/namespace/.test/min/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/min/main.test.bicep
index b11f92b41e..f799f08ce9 100644
--- a/modules/service-bus/namespace/.test/min/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-bus/namespace/.test/pe/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/service-bus/namespace/.test/pe/dependencies.bicep
rename to modules/service-bus/namespace/tests/e2e/pe/dependencies.bicep
diff --git a/modules/service-bus/namespace/.test/pe/main.test.bicep b/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/service-bus/namespace/.test/pe/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/pe/main.test.bicep
index 90ad3f25ee..43e7f9de51 100644
--- a/modules/service-bus/namespace/.test/pe/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-fabric/cluster/.test/cert/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep
similarity index 97%
rename from modules/service-fabric/cluster/.test/cert/main.test.bicep
rename to modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep
index edd7a2d36a..b8f681a7e3 100644
--- a/modules/service-fabric/cluster/.test/cert/main.test.bicep
+++ b/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-fabric/cluster/.test/common/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/service-fabric/cluster/.test/common/dependencies.bicep
rename to modules/service-fabric/cluster/tests/e2e/common/dependencies.bicep
diff --git a/modules/service-fabric/cluster/.test/common/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/common/main.test.bicep
similarity index 99%
rename from modules/service-fabric/cluster/.test/common/main.test.bicep
rename to modules/service-fabric/cluster/tests/e2e/common/main.test.bicep
index 2484550321..5bd1688211 100644
--- a/modules/service-fabric/cluster/.test/common/main.test.bicep
+++ b/modules/service-fabric/cluster/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/service-fabric/cluster/.test/min/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/service-fabric/cluster/.test/min/main.test.bicep
rename to modules/service-fabric/cluster/tests/e2e/min/main.test.bicep
index 49d19006fd..abc24b2ed3 100644
--- a/modules/service-fabric/cluster/.test/min/main.test.bicep
+++ b/modules/service-fabric/cluster/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/signal-r-service/signal-r/.test/common/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/signal-r-service/signal-r/.test/common/dependencies.bicep
rename to modules/signal-r-service/signal-r/tests/e2e/common/dependencies.bicep
diff --git a/modules/signal-r-service/signal-r/.test/common/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/signal-r-service/signal-r/.test/common/main.test.bicep
rename to modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep
index ce4fae589c..df27118a70 100644
--- a/modules/signal-r-service/signal-r/.test/common/main.test.bicep
+++ b/modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
diff --git a/modules/signal-r-service/signal-r/.test/min/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/signal-r-service/signal-r/.test/min/main.test.bicep
rename to modules/signal-r-service/signal-r/tests/e2e/min/main.test.bicep
index b8d61468f3..3796aa1068 100644
--- a/modules/signal-r-service/signal-r/.test/min/main.test.bicep
+++ b/modules/signal-r-service/signal-r/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
diff --git a/modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/signal-r-service/web-pub-sub/.test/common/dependencies.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/common/dependencies.bicep
diff --git a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep
similarity index 98%
rename from modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep
index cc53d47085..9839ae68aa 100644
--- a/modules/signal-r-service/web-pub-sub/.test/common/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep
@@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/min/main.test.bicep
similarity index 96%
rename from modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/min/main.test.bicep
index ac0f2990f4..a888017c1b 100644
--- a/modules/signal-r-service/web-pub-sub/.test/min/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/min/main.test.bicep
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep
similarity index 100%
rename from modules/signal-r-service/web-pub-sub/.test/pe/dependencies.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/pe/dependencies.bicep
diff --git a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
similarity index 97%
rename from modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
index 7a565e6ea8..25c2a4dfb3 100644
--- a/modules/signal-r-service/web-pub-sub/.test/pe/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/sql/managed-instance/.test/common/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/sql/managed-instance/.test/common/dependencies.bicep
rename to modules/sql/managed-instance/tests/e2e/common/dependencies.bicep
diff --git a/modules/sql/managed-instance/.test/common/main.test.bicep b/modules/sql/managed-instance/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/sql/managed-instance/.test/common/main.test.bicep
rename to modules/sql/managed-instance/tests/e2e/common/main.test.bicep
index d5222b8617..40bb06b60a 100644
--- a/modules/sql/managed-instance/.test/common/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/common/main.test.bicep
@@ -57,7 +57,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Diagnostics
 // ===========
 
-module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
   params: {
@@ -73,7 +73,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/sql/managed-instance/.test/min/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/min/dependencies.bicep
similarity index 100%
rename from modules/sql/managed-instance/.test/min/dependencies.bicep
rename to modules/sql/managed-instance/tests/e2e/min/dependencies.bicep
diff --git a/modules/sql/managed-instance/.test/min/main.test.bicep b/modules/sql/managed-instance/tests/e2e/min/main.test.bicep
similarity index 97%
rename from modules/sql/managed-instance/.test/min/main.test.bicep
rename to modules/sql/managed-instance/tests/e2e/min/main.test.bicep
index a9d1d45a88..9074fdeaf7 100644
--- a/modules/sql/managed-instance/.test/min/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/min/main.test.bicep
@@ -53,7 +53,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep
similarity index 100%
rename from modules/sql/managed-instance/.test/vulnAssm/dependencies.bicep
rename to modules/sql/managed-instance/tests/e2e/vulnAssm/dependencies.bicep
diff --git a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep b/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
similarity index 98%
rename from modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
rename to modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
index bbe2806291..e6bb8787ca 100644
--- a/modules/sql/managed-instance/.test/vulnAssm/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
@@ -51,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/sql/server/.test/admin/dependencies.bicep b/modules/sql/server/tests/e2e/admin/dependencies.bicep
similarity index 100%
rename from modules/sql/server/.test/admin/dependencies.bicep
rename to modules/sql/server/tests/e2e/admin/dependencies.bicep
diff --git a/modules/sql/server/.test/admin/main.test.bicep b/modules/sql/server/tests/e2e/admin/main.test.bicep
similarity index 97%
rename from modules/sql/server/.test/admin/main.test.bicep
rename to modules/sql/server/tests/e2e/admin/main.test.bicep
index 72d7db6de4..94c27ed0d9 100644
--- a/modules/sql/server/.test/admin/main.test.bicep
+++ b/modules/sql/server/tests/e2e/admin/main.test.bicep
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   scope: resourceGroup
   name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
   params: {
diff --git a/modules/sql/server/.test/common/dependencies.bicep b/modules/sql/server/tests/e2e/common/dependencies.bicep
similarity index 100%
rename from modules/sql/server/.test/common/dependencies.bicep
rename to modules/sql/server/tests/e2e/common/dependencies.bicep
diff --git a/modules/sql/server/.test/common/main.test.bicep b/modules/sql/server/tests/e2e/common/main.test.bicep
similarity index 97%
rename from modules/sql/server/.test/common/main.test.bicep
rename to modules/sql/server/tests/e2e/common/main.test.bicep
index e5a989eec6..0c871563b6 100644
--- a/modules/sql/server/.test/common/main.test.bicep
+++ b/modules/sql/server/tests/e2e/common/main.test.bicep
@@ -51,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -67,7 +67,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/sql/server/.test/pe/dependencies.bicep b/modules/sql/server/tests/e2e/pe/dependencies.bicep similarity index 100% rename from modules/sql/server/.test/pe/dependencies.bicep rename to modules/sql/server/tests/e2e/pe/dependencies.bicep diff --git a/modules/sql/server/.test/pe/main.test.bicep b/modules/sql/server/tests/e2e/pe/main.test.bicep similarity index 97% rename from modules/sql/server/.test/pe/main.test.bicep rename to modules/sql/server/tests/e2e/pe/main.test.bicep index 13c246150b..9881236cfa 100644 --- a/modules/sql/server/.test/pe/main.test.bicep +++ b/modules/sql/server/tests/e2e/pe/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/sql/server/.test/secondary/dependencies.bicep b/modules/sql/server/tests/e2e/secondary/dependencies.bicep similarity index 100% rename from modules/sql/server/.test/secondary/dependencies.bicep rename to modules/sql/server/tests/e2e/secondary/dependencies.bicep 
diff --git a/modules/sql/server/.test/secondary/main.test.bicep b/modules/sql/server/tests/e2e/secondary/main.test.bicep similarity index 97% rename from modules/sql/server/.test/secondary/main.test.bicep rename to modules/sql/server/tests/e2e/secondary/main.test.bicep index c88c13fcef..b5caa622c3 100644 --- a/modules/sql/server/.test/secondary/main.test.bicep +++ b/modules/sql/server/tests/e2e/secondary/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/sql/server/.test/vulnAssm/dependencies.bicep b/modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep similarity index 100% rename from modules/sql/server/.test/vulnAssm/dependencies.bicep rename to modules/sql/server/tests/e2e/vulnAssm/dependencies.bicep diff --git a/modules/sql/server/.test/vulnAssm/main.test.bicep b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep similarity index 98% rename from modules/sql/server/.test/vulnAssm/main.test.bicep rename to modules/sql/server/tests/e2e/vulnAssm/main.test.bicep index 4ee3ba8505..1586facf7d 100644 --- a/modules/sql/server/.test/vulnAssm/main.test.bicep +++ b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep @@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/storage/storage-account/.test/common/dependencies.bicep b/modules/storage/storage-account/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/storage/storage-account/.test/common/dependencies.bicep rename to modules/storage/storage-account/tests/e2e/common/dependencies.bicep diff --git a/modules/storage/storage-account/.test/common/main.test.bicep b/modules/storage/storage-account/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/storage/storage-account/.test/common/main.test.bicep rename to modules/storage/storage-account/tests/e2e/common/main.test.bicep index 2ca85cdb7f..202de04d91 100644 --- a/modules/storage/storage-account/.test/common/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/common/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/storage/storage-account/.test/encr/dependencies.bicep b/modules/storage/storage-account/tests/e2e/encr/dependencies.bicep similarity index 100% rename from modules/storage/storage-account/.test/encr/dependencies.bicep rename to modules/storage/storage-account/tests/e2e/encr/dependencies.bicep 
diff --git a/modules/storage/storage-account/.test/encr/main.test.bicep b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep similarity index 98% rename from modules/storage/storage-account/.test/encr/main.test.bicep rename to modules/storage/storage-account/tests/e2e/encr/main.test.bicep index 9dc1ac8fc8..c4c76b8e9d 100644 --- a/modules/storage/storage-account/.test/encr/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep @@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/storage/storage-account/.test/min/main.test.bicep b/modules/storage/storage-account/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/storage/storage-account/.test/min/main.test.bicep rename to modules/storage/storage-account/tests/e2e/min/main.test.bicep index 24b565b8b6..c5340263c1 100644 --- a/modules/storage/storage-account/.test/min/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/min/main.test.bicep @@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/storage/storage-account/.test/nfs/dependencies.bicep b/modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep similarity index 100% rename from modules/storage/storage-account/.test/nfs/dependencies.bicep rename to modules/storage/storage-account/tests/e2e/nfs/dependencies.bicep 
diff --git a/modules/storage/storage-account/.test/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep similarity index 95% rename from modules/storage/storage-account/.test/nfs/main.test.bicep rename to modules/storage/storage-account/tests/e2e/nfs/main.test.bicep index 8dbf40c70a..7670f0c068 100644 --- a/modules/storage/storage-account/.test/nfs/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep @@ -41,7 +41,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -57,7 +57,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/storage/storage-account/.test/v1/main.test.bicep b/modules/storage/storage-account/tests/e2e/v1/main.test.bicep similarity index 96% rename from modules/storage/storage-account/.test/v1/main.test.bicep rename to modules/storage/storage-account/tests/e2e/v1/main.test.bicep index 554750255f..aa1670b9c6 100644 --- a/modules/storage/storage-account/.test/v1/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/v1/main.test.bicep 
@@ -35,7 +35,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/private-link-hub/.test/common/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/synapse/private-link-hub/.test/common/dependencies.bicep rename to modules/synapse/private-link-hub/tests/e2e/common/dependencies.bicep diff --git a/modules/synapse/private-link-hub/.test/common/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/synapse/private-link-hub/.test/common/main.test.bicep rename to modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep index 7b553d1f14..36f8efcc7d 100644 --- a/modules/synapse/private-link-hub/.test/common/main.test.bicep +++ b/modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/private-link-hub/.test/min/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/synapse/private-link-hub/.test/min/main.test.bicep rename to modules/synapse/private-link-hub/tests/e2e/min/main.test.bicep index 8256ac8c67..7ea78ed31d 100644 --- a/modules/synapse/private-link-hub/.test/min/main.test.bicep +++ b/modules/synapse/private-link-hub/tests/e2e/min/main.test.bicep 
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/workspace/.test/common/dependencies.bicep b/modules/synapse/workspace/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/.test/common/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/common/dependencies.bicep diff --git a/modules/synapse/workspace/.test/common/main.test.bicep b/modules/synapse/workspace/tests/e2e/common/main.test.bicep similarity index 96% rename from modules/synapse/workspace/.test/common/main.test.bicep rename to modules/synapse/workspace/tests/e2e/common/main.test.bicep index 9cbb04d190..6c4567c98c 100644 --- a/modules/synapse/workspace/.test/common/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -62,7 +62,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { 
diff --git a/modules/synapse/workspace/.test/encrwsai/dependencies.bicep b/modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/.test/encrwsai/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/encrwsai/dependencies.bicep diff --git a/modules/synapse/workspace/.test/encrwsai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep similarity index 97% rename from modules/synapse/workspace/.test/encrwsai/main.test.bicep rename to modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep index 4c019dad24..48e6c94103 100644 --- a/modules/synapse/workspace/.test/encrwsai/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep @@ -48,7 +48,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/workspace/.test/encrwuai/dependencies.bicep b/modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/.test/encrwuai/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/encrwuai/dependencies.bicep diff --git a/modules/synapse/workspace/.test/encrwuai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep similarity index 98% rename from modules/synapse/workspace/.test/encrwuai/main.test.bicep rename to modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep index f9da575edc..6049baaf1e 100644 --- a/modules/synapse/workspace/.test/encrwuai/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep 
@@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/workspace/.test/managedvnet/dependencies.bicep b/modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/.test/managedvnet/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/managedvnet/dependencies.bicep diff --git a/modules/synapse/workspace/.test/managedvnet/main.test.bicep b/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep similarity index 97% rename from modules/synapse/workspace/.test/managedvnet/main.test.bicep rename to modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep index c057f7e2e6..8b1a2bb851 100644 --- a/modules/synapse/workspace/.test/managedvnet/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/synapse/workspace/.test/min/dependencies.bicep b/modules/synapse/workspace/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/.test/min/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/min/dependencies.bicep 
diff --git a/modules/synapse/workspace/.test/min/main.test.bicep b/modules/synapse/workspace/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/synapse/workspace/.test/min/main.test.bicep rename to modules/synapse/workspace/tests/e2e/min/main.test.bicep index 66e9c02a88..0597e80b28 100644 --- a/modules/synapse/workspace/.test/min/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/min/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/virtual-machine-images/image-template/.test/common/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/virtual-machine-images/image-template/.test/common/dependencies.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/common/dependencies.bicep diff --git a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/virtual-machine-images/image-template/.test/common/main.test.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep index f70aa4df55..fe5eecd0a2 100644 --- a/modules/virtual-machine-images/image-template/.test/common/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep 
@@ -65,7 +65,7 @@ resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/role // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/virtual-machine-images/image-template/.test/min/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/min/dependencies.bicep similarity index 100% rename from modules/virtual-machine-images/image-template/.test/min/dependencies.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/min/dependencies.bicep diff --git a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/min/main.test.bicep similarity index 97% rename from modules/virtual-machine-images/image-template/.test/min/main.test.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/min/main.test.bicep index ed5cb3f858..ea6acdfabf 100644 --- a/modules/virtual-machine-images/image-template/.test/min/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/min/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/connection/.test/common/dependencies.bicep b/modules/web/connection/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/web/connection/.test/common/dependencies.bicep rename to modules/web/connection/tests/e2e/common/dependencies.bicep 
diff --git a/modules/web/connection/.test/common/main.test.bicep b/modules/web/connection/tests/e2e/common/main.test.bicep similarity index 97% rename from modules/web/connection/.test/common/main.test.bicep rename to modules/web/connection/tests/e2e/common/main.test.bicep index dd8de8af36..5975399c38 100644 --- a/modules/web/connection/.test/common/main.test.bicep +++ b/modules/web/connection/tests/e2e/common/main.test.bicep @@ -46,7 +46,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/hosting-environment/.test/asev2/dependencies.bicep b/modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep similarity index 100% rename from modules/web/hosting-environment/.test/asev2/dependencies.bicep rename to modules/web/hosting-environment/tests/e2e/asev2/dependencies.bicep diff --git a/modules/web/hosting-environment/.test/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep similarity index 95% rename from modules/web/hosting-environment/.test/asev2/main.test.bicep rename to modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep index 835d050137..d86885ab6b 100644 --- a/modules/web/hosting-environment/.test/asev2/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -59,7 +59,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/hosting-environment/.test/asev3/dependencies.bicep b/modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep similarity index 97% rename from modules/web/hosting-environment/.test/asev3/dependencies.bicep rename to modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep index 457eb4b012..eedd2e4e78 100644 --- a/modules/web/hosting-environment/.test/asev3/dependencies.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/dependencies.bicep @@ -118,7 +118,7 @@ resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' azPowerShellVersion: '8.0' retentionInterval: 'P1D' arguments: '-KeyVaultName "${keyVault.name}" -CertName "asev3certificate" -CertSubjectName "CN=*.internal.contoso.com"' - scriptContent: loadTextContent('../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1') + scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1') } } diff --git a/modules/web/hosting-environment/.test/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep similarity index 96% rename from modules/web/hosting-environment/.test/asev3/main.test.bicep rename to modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep index d7045c104e..52203b7f2f 100644 --- a/modules/web/hosting-environment/.test/asev3/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep 
@@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -61,7 +61,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/serverfarm/.test/common/dependencies.bicep b/modules/web/serverfarm/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/web/serverfarm/.test/common/dependencies.bicep rename to modules/web/serverfarm/tests/e2e/common/dependencies.bicep diff --git a/modules/web/serverfarm/.test/common/main.test.bicep b/modules/web/serverfarm/tests/e2e/common/main.test.bicep similarity index 95% rename from modules/web/serverfarm/.test/common/main.test.bicep rename to modules/web/serverfarm/tests/e2e/common/main.test.bicep index 38af3a47f8..2eca5fc775 100644 --- a/modules/web/serverfarm/.test/common/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/common/main.test.bicep @@ -44,7 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/site/.test/functionAppCommon/dependencies.bicep b/modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep similarity index 100% rename from modules/web/site/.test/functionAppCommon/dependencies.bicep rename to modules/web/site/tests/e2e/functionAppCommon/dependencies.bicep diff --git a/modules/web/site/.test/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep similarity index 97% rename from modules/web/site/.test/functionAppCommon/main.test.bicep rename to modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index afc7ec0eec..9219cb3ccf 100644 --- a/modules/web/site/.test/functionAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep @@ -47,7 +47,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { 
@@ -63,7 +63,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // Test Execution // // ============== // // For the below test case, please consider the guidelines described here: https://github.com/Azure/ResourceModules/wiki/Getting%20started%20-%20Scenario%202%20Onboard%20module%20library%20and%20CI%20environment#microsoftwebsites -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/site/.test/functionAppMin/dependencies.bicep b/modules/web/site/tests/e2e/functionAppMin/dependencies.bicep similarity index 100% rename from modules/web/site/.test/functionAppMin/dependencies.bicep rename to modules/web/site/tests/e2e/functionAppMin/dependencies.bicep diff --git a/modules/web/site/.test/functionAppMin/main.test.bicep b/modules/web/site/tests/e2e/functionAppMin/main.test.bicep similarity index 97% rename from modules/web/site/.test/functionAppMin/main.test.bicep rename to modules/web/site/tests/e2e/functionAppMin/main.test.bicep index 9fe64f0fdc..29a416992c 100644 --- a/modules/web/site/.test/functionAppMin/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppMin/main.test.bicep @@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/site/.test/webAppCommon/dependencies.bicep b/modules/web/site/tests/e2e/webAppCommon/dependencies.bicep similarity index 100% rename from modules/web/site/.test/webAppCommon/dependencies.bicep rename to modules/web/site/tests/e2e/webAppCommon/dependencies.bicep 
diff --git a/modules/web/site/.test/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep similarity index 97% rename from modules/web/site/.test/webAppCommon/main.test.bicep rename to modules/web/site/tests/e2e/webAppCommon/main.test.bicep index e0b0545fc6..ddf1838032 100644 --- a/modules/web/site/.test/webAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep @@ -45,7 +45,7 @@ module nestedDependencies 'dependencies.bicep' = { // Diagnostics // =========== -module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' params: { @@ -60,7 +60,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende // ============== // // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/site/.test/webAppMin/dependencies.bicep b/modules/web/site/tests/e2e/webAppMin/dependencies.bicep similarity index 100% rename from modules/web/site/.test/webAppMin/dependencies.bicep rename to modules/web/site/tests/e2e/webAppMin/dependencies.bicep diff --git a/modules/web/site/.test/webAppMin/main.test.bicep b/modules/web/site/tests/e2e/webAppMin/main.test.bicep similarity index 97% rename from modules/web/site/.test/webAppMin/main.test.bicep rename to modules/web/site/tests/e2e/webAppMin/main.test.bicep index 1446d9d389..38c74f798e 100644 --- a/modules/web/site/.test/webAppMin/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppMin/main.test.bicep 
@@ -43,7 +43,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/static-site/.test/common/dependencies.bicep b/modules/web/static-site/tests/e2e/common/dependencies.bicep similarity index 100% rename from modules/web/static-site/.test/common/dependencies.bicep rename to modules/web/static-site/tests/e2e/common/dependencies.bicep diff --git a/modules/web/static-site/.test/common/main.test.bicep b/modules/web/static-site/tests/e2e/common/main.test.bicep similarity index 98% rename from modules/web/static-site/.test/common/main.test.bicep rename to modules/web/static-site/tests/e2e/common/main.test.bicep index 4755385208..3e5f43bb03 100644 --- a/modules/web/static-site/.test/common/main.test.bicep +++ b/modules/web/static-site/tests/e2e/common/main.test.bicep @@ -49,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/modules/web/static-site/.test/min/main.test.bicep b/modules/web/static-site/tests/e2e/min/main.test.bicep similarity index 96% rename from modules/web/static-site/.test/min/main.test.bicep rename to modules/web/static-site/tests/e2e/min/main.test.bicep index 9f31a0d7a0..97845e594d 100644 --- a/modules/web/static-site/.test/min/main.test.bicep +++ b/modules/web/static-site/tests/e2e/min/main.test.bicep 
@@ -38,7 +38,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' params: { diff --git a/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 b/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 index e0cbac542b..7fb5b13699 100644 --- a/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 +++ b/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 @@ -18,7 +18,7 @@ Optional. The pattern of test files to search for. For example '*.json' .EXAMPLE Get-ModuleTestFileList -ModulePath 'C:\ResourceModules\modules\compute\virtual-machine' -Returns the relative file paths of all test files of the virtual-machine module in the default test folder ('.test'). +Returns the relative file paths of all test files of the virtual-machine module in the default test folder ('tests'). .EXAMPLE Get-ModuleTestFileList -ModulePath 'C:\ResourceModules\modules\compute\virtual-machine' -SearchFolder 'parameters' @@ -33,7 +33,7 @@ function Get-ModuleTestFileList { [string] $ModulePath, [Parameter(Mandatory = $false)] - [string] $SearchFolder = '.test', + [string] $SearchFolder = 'tests', [Parameter(Mandatory = $false)] [string[]] $TestFilePattern = @('*.json', 'main.test.bicep') 
@@ -41,9 +41,7 @@ function Get-ModuleTestFileList { $deploymentTests = @() if (Test-Path (Join-Path $ModulePath $SearchFolder)) { - $deploymentTests += (Get-ChildItem -Path (Join-Path $ModulePath $SearchFolder) -Recurse -Include $TestFilePattern -File).FullName | Where-Object { - $_ -ne (Join-Path (Join-Path $ModulePath $SearchFolder) 'main.test.bicep') # Excluding PBR test file - } + $deploymentTests += (Get-ChildItem -Path (Join-Path $ModulePath $SearchFolder) -Recurse -Include $TestFilePattern -File).FullName } if (-not $deploymentTests) { diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1 index 59805a7a6d..3e8ff1fe2e 100644 --- a/utilities/pipelines/staticValidation/module.tests.ps1 +++ b/utilities/pipelines/staticValidation/module.tests.ps1 @@ -81,7 +81,7 @@ Describe 'File/folder tests' -Tag 'Modules' { [string] $moduleFolderPath ) - $pathExisting = Test-Path (Join-Path -Path $moduleFolderPath '.test') + $pathExisting = Test-Path (Join-Path -Path $moduleFolderPath 'tests') $pathExisting | Should -Be $true } From ff6b1e71e8793bc39ba90f44789569ef96ac7d29 Mon Sep 17 00:00:00 2001 
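Review bot: Dropping the `Where-Object` exclusion while the default search root widens from `.test` to `tests` (previous hunk in this file) means `Get-ChildItem -Recurse -Include $TestFilePattern` now returns every `*.json` and `main.test.bicep` anywhere below `tests/`, so any non-parameter JSON that later lands in that tree (fixtures, unit-test data) would be treated as a deployment test; whether that can happen depends on the repository layout, which is not visible here. The intent that replaced the "Excluding PBR test file" filter is otherwise undocumented, so the new line deserves a comment such as `# Assumes every *.json / main.test.bicep below the search folder is a deployment test; the former top-level PBR exclusion is obsolete now that tests live in sub-folders`. Get-ModuleTestFileList's body begins and ends outside this hunk.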
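Review bot: The rewritten `$pathExisting` line in module.tests.ps1 mixes a named and a positional argument to Join-Path, which is the kind of call the project's other scripts spell out in full; `$pathExisting = Test-Path (Join-Path -Path $moduleFolderPath -ChildPath 'tests')` reads unambiguously. The `It` description for this check sits above the hunk, so if it still names the old `.test` folder it should be updated alongside the path. The enclosing `It` block starts outside the hunk.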
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Sat, 4 Nov 2023 20:22:42 +0100 Subject: [PATCH 085/178] [Modules] Rename min test to defaults (#4184) * defaults * readmes --- modules/analysis-services/server/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 modules/api-management/service/README.md | 118 ++++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../configuration-store/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../automation/automation-account/README.md | 74 ++--- .../e2e/{min => defaults}/main.test.bicep | 0 modules/batch/batch-account/README.md | 110 +++---- .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/cache/redis-enterprise/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/cognitive-services/account/README.md | 98 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/compute/disk/README.md | 122 ++++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../container-group/README.md | 214 +++++++------- .../e2e/{min => defaults}/main.test.bicep | 0 modules/container-registry/registry/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../managed-cluster/README.md | 154 +++++----- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 
.../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/event-hub/namespace/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../insights/data-collection-rule/README.md | 274 +++++++++--------- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../workspace/README.md | 150 +++++----- .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/network/azure-firewall/README.md | 104 +++---- .../e2e/{min => defaults}/dependencies.bicep | 0 
.../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/network/load-balancer/README.md | 130 ++++----- .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => 
defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/recovery-services/vault/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/service-bus/namespace/README.md | 102 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/storage/storage-account/README.md | 110 +++---- .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 modules/synapse/workspace/README.md | 132 ++++----- .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/dependencies.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 .../e2e/{min => defaults}/main.test.bicep | 0 148 files changed, 1252 insertions(+), 1252 deletions(-) rename modules/analysis-services/server/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/api-management/service/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/app-configuration/configuration-store/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/app/container-app/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/app/container-app/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/app/job/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/app/job/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/app/managed-environment/tests/e2e/{min => 
defaults}/dependencies.bicep (100%) rename modules/app/managed-environment/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/automation/automation-account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/batch/batch-account/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/batch/batch-account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/cache/redis-enterprise/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/cache/redis/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/cognitive-services/account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/compute/availability-set/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/compute/disk/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/compute/gallery/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/compute/proximity-placement-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/compute/ssh-public-key/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/consumption/budget/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/container-instance/container-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/container-registry/registry/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/container-service/managed-cluster/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/data-factory/factory/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/data-protection/backup-vault/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/databricks/access-connector/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/databricks/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/db-for-my-sql/flexible-server/tests/e2e/{min => defaults}/main.test.bicep (100%) rename 
modules/db-for-postgre-sql/flexible-server/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/desktop-virtualization/application-group/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/desktop-virtualization/application-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/desktop-virtualization/host-pool/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/desktop-virtualization/scaling-plan/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/desktop-virtualization/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/dev-test-lab/lab/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/digital-twins/digital-twins-instance/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/event-grid/domain/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/event-grid/system-topic/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/event-grid/system-topic/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/event-grid/topic/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/event-hub/namespace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/health-bot/health-bot/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/healthcare-apis/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/insights/action-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/insights/component/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/insights/component/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/insights/data-collection-endpoint/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/insights/data-collection-rule/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/insights/private-link-scope/tests/e2e/{min => defaults}/main.test.bicep (100%) rename 
modules/insights/webtest/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/insights/webtest/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/key-vault/vault/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/kubernetes-configuration/extension/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/kubernetes-configuration/extension/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/kubernetes-configuration/flux-configuration/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/kubernetes-configuration/flux-configuration/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/machine-learning-services/workspace/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/machine-learning-services/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/maintenance/maintenance-configuration/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/managed-identity/user-assigned-identity/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/management/management-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/net-app/net-app-account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/azure-firewall/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/azure-firewall/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/bastion-host/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/bastion-host/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/ddos-protection-plan/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/dns-forwarding-ruleset/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/dns-forwarding-ruleset/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/dns-zone/tests/e2e/{min => defaults}/main.test.bicep 
(100%) rename modules/network/express-route-circuit/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/express-route-gateway/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/express-route-gateway/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/firewall-policy/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/front-door-web-application-firewall-policy/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/front-door/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/ip-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/load-balancer/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/load-balancer/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/local-network-gateway/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/network-interface/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/network-interface/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/network-security-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/network-watcher/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/private-dns-zone/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/private-endpoint/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/private-endpoint/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/private-link-service/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/private-link-service/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/public-ip-address/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/public-ip-prefix/tests/e2e/{min => defaults}/main.test.bicep (100%) rename 
modules/network/route-table/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/service-endpoint-policy/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/trafficmanagerprofile/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/virtual-hub/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/virtual-hub/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/virtual-network/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/virtual-wan/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/vpn-gateway/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/vpn-gateway/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/network/vpn-site/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/network/vpn-site/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/operational-insights/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/operations-management/solution/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/operations-management/solution/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/power-bi-dedicated/capacity/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/power-bi-dedicated/capacity/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/purview/account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/recovery-services/vault/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/relay/namespace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/resource-graph/query/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/resources/resource-group/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/resources/tags/tests/e2e/{min => defaults}/main.test.bicep (100%) rename 
modules/search/search-service/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/service-bus/namespace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/service-fabric/cluster/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/signal-r-service/signal-r/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/signal-r-service/web-pub-sub/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/sql/managed-instance/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/sql/managed-instance/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/storage/storage-account/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/synapse/private-link-hub/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/synapse/workspace/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/synapse/workspace/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/virtual-machine-images/image-template/tests/e2e/{min => defaults}/dependencies.bicep (100%) rename modules/virtual-machine-images/image-template/tests/e2e/{min => defaults}/main.test.bicep (100%) rename modules/web/static-site/tests/e2e/{min => defaults}/main.test.bicep (100%) diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 7fa90cf6f9..67343bda2a 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -28,8 +28,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/analysis-services.server:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Max](#example-2-max) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Max](#example-3-max) ### Example 1: _Using large parameter set_ 
@@ -151,7 +151,55 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

-### Example 2: _Max_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-assmin' + params: { + // Required parameters + name: 'assmin' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "assmin" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Max_

@@ -298,54 +346,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-assmin' - params: { - // Required parameters - name: 'assmin' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "assmin" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/analysis-services/server/tests/e2e/min/main.test.bicep b/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/analysis-services/server/tests/e2e/min/main.test.bicep rename to modules/analysis-services/server/tests/e2e/defaults/main.test.bicep diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 596879a4b5..dda735bb01 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -43,8 +43,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/api-management.service:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Max](#example-2-max) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Max](#example-3-max) ### Example 1: _Using large parameter set_ @@ -200,7 +200,63 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

-### Example 2: _Max_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module service 'br:bicep/modules/api-management.service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-apismin' + params: { + // Required parameters + name: 'apismin001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: 'az-amorg-x-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apismin001" + }, + "publisherEmail": { + "value": "apimgmt-noreply@mail.windowsazure.com" + }, + "publisherName": { + "value": "az-amorg-x-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Max_

@@ -567,62 +623,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismin' - params: { - // Required parameters - name: 'apismin001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apismin001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/api-management/service/tests/e2e/min/main.test.bicep b/modules/api-management/service/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/api-management/service/tests/e2e/min/main.test.bicep rename to modules/api-management/service/tests/e2e/defaults/main.test.bicep diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index b7cd4a7c0d..46f091b2d9 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -31,8 +31,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app-configuration.configuration-store:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Pe](#example-4-pe) ### Example 1: _Using large parameter set_ @@ -211,7 +211,55 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-accmin' + params: { + // Required parameters + name: 'accmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "accmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -354,54 +402,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accmin' - params: { - // Required parameters - name: 'accmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/app-configuration/configuration-store/tests/e2e/min/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/app-configuration/configuration-store/tests/e2e/min/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep diff --git a/modules/app/container-app/tests/e2e/min/dependencies.bicep b/modules/app/container-app/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/app/container-app/tests/e2e/min/dependencies.bicep rename to modules/app/container-app/tests/e2e/defaults/dependencies.bicep diff --git a/modules/app/container-app/tests/e2e/min/main.test.bicep b/modules/app/container-app/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/app/container-app/tests/e2e/min/main.test.bicep rename to modules/app/container-app/tests/e2e/defaults/main.test.bicep diff --git a/modules/app/job/tests/e2e/min/dependencies.bicep b/modules/app/job/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/app/job/tests/e2e/min/dependencies.bicep rename to modules/app/job/tests/e2e/defaults/dependencies.bicep diff --git a/modules/app/job/tests/e2e/min/main.test.bicep b/modules/app/job/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/app/job/tests/e2e/min/main.test.bicep rename to modules/app/job/tests/e2e/defaults/main.test.bicep diff --git a/modules/app/managed-environment/tests/e2e/min/dependencies.bicep b/modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/app/managed-environment/tests/e2e/min/dependencies.bicep rename to modules/app/managed-environment/tests/e2e/defaults/dependencies.bicep 
diff --git a/modules/app/managed-environment/tests/e2e/min/main.test.bicep b/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/app/managed-environment/tests/e2e/min/main.test.bicep rename to modules/app/managed-environment/tests/e2e/defaults/main.test.bicep diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index a2f5f9fd1f..b5b6e86e68 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -38,8 +38,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/automation.automation-account:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) ### Example 1: _Using large parameter set_ @@ -497,7 +497,10 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +

@@ -505,22 +508,12 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' ```bicep module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaencr' + name: '${uniqueString(deployment().name, location)}-test-aamin' params: { // Required parameters - name: 'aaencr001' + name: 'aamin001' // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } } } ``` @@ -539,25 +532,11 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "parameters": { // Required parameters "name": { - "value": "aaencr001" + "value": "aamin001" }, // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, "enableDefaultTelemetry": { "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } } } } @@ -566,10 +545,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - +### Example 3: _Encr_

@@ -577,12 +553,22 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aamin' + name: '${uniqueString(deployment().name, location)}-test-aaencr' params: { // Required parameters - name: 'aamin001' + name: 'aaencr001' // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } } } ``` @@ -601,11 +587,25 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "parameters": { // Required parameters "name": { - "value": "aamin001" + "value": "aaencr001" }, // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, "enableDefaultTelemetry": { "value": "" + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } } } } diff --git a/modules/automation/automation-account/tests/e2e/min/main.test.bicep b/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/automation/automation-account/tests/e2e/min/main.test.bicep rename to modules/automation/automation-account/tests/e2e/defaults/main.test.bicep diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 968d2b7b7b..45497741ab 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md 
@@ -32,8 +32,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/batch.batch-account:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) ### Example 1: _Using large parameter set_ @@ -217,7 +217,59 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-bbamin' + params: { + // Required parameters + name: 'bbamin001' + storageAccountId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "bbamin001" + }, + "storageAccountId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -340,58 +392,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbamin' - params: { - // Required parameters - name: 'bbamin001' - storageAccountId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbamin001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/batch/batch-account/tests/e2e/min/dependencies.bicep b/modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/batch/batch-account/tests/e2e/min/dependencies.bicep rename to modules/batch/batch-account/tests/e2e/defaults/dependencies.bicep diff --git a/modules/batch/batch-account/tests/e2e/min/main.test.bicep b/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/batch/batch-account/tests/e2e/min/main.test.bicep rename to modules/batch/batch-account/tests/e2e/defaults/main.test.bicep diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index adcf1a6345..9dd72d458e 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -31,8 +31,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis-enterprise:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Geo](#example-2-geo) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Geo](#example-3-geo) ### Example 1: _Using large parameter set_ @@ -228,7 +228,55 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {

-### Example 2: _Geo_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cremin' + params: { + // Required parameters + name: 'cremin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cremin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Geo_

@@ -349,54 +397,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cremin' - params: { - // Required parameters - name: 'cremin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cremin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/cache/redis-enterprise/tests/e2e/min/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/cache/redis-enterprise/tests/e2e/min/main.test.bicep rename to modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep diff --git a/modules/cache/redis/tests/e2e/min/main.test.bicep b/modules/cache/redis/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/cache/redis/tests/e2e/min/main.test.bicep rename to modules/cache/redis/tests/e2e/defaults/main.test.bicep diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 88f881fde6..66a4163847 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -33,8 +33,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/cognitive-services.account:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Speech](#example-4-speech) ### Example 1: _Using large parameter set_ @@ -237,7 +237,10 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +

@@ -245,24 +248,13 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { ```bicep module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csaencr' + name: '${uniqueString(deployment().name, location)}-test-csamin' params: { // Required parameters kind: 'SpeechServices' - name: 'csaencr001' + name: 'csamin001' // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } - publicNetworkAccess: 'Enabled' - restrictOutboundNetworkAccess: false - sku: 'S0' } } ``` @@ -284,36 +276,11 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "value": "SpeechServices" }, "name": { - "value": "csaencr001" + "value": "csamin001" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, "enableDefaultTelemetry": { "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "restrictOutboundNetworkAccess": { - "value": false - }, - "sku": { - "value": "S0" } } } @@ -322,10 +289,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - +### Example 3: _Encr_

@@ -333,13 +297,24 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csamin' + name: '${uniqueString(deployment().name, location)}-test-csaencr' params: { // Required parameters kind: 'SpeechServices' - name: 'csamin001' + name: 'csaencr001' // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + publicNetworkAccess: 'Enabled' + restrictOutboundNetworkAccess: false + sku: 'S0' } } ``` @@ -361,11 +336,36 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "value": "SpeechServices" }, "name": { - "value": "csamin001" + "value": "csaencr001" }, // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "restrictOutboundNetworkAccess": { + "value": false + }, + "sku": { + "value": "S0" } } } diff --git a/modules/cognitive-services/account/tests/e2e/min/main.test.bicep b/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/cognitive-services/account/tests/e2e/min/main.test.bicep rename to modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep diff --git a/modules/compute/availability-set/tests/e2e/min/main.test.bicep b/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/compute/availability-set/tests/e2e/min/main.test.bicep rename to modules/compute/availability-set/tests/e2e/defaults/main.test.bicep 
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index d1acd93b46..11eec29dec 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -27,9 +27,9 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Image](#example-2-image) -- [Import](#example-3-import) -- [Using only defaults](#example-4-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Image](#example-3-image) +- [Import](#example-4-import) ### Example 1: _Using large parameter set_ @@ -145,7 +145,63 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 2: _Image_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module disk 'br:bicep/modules/compute.disk:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdmin' + params: { + // Required parameters + name: 'cdmin001' + sku: 'Standard_LRS' + // Non-required parameters + diskSizeGB: 1 + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cdmin001" + }, + "sku": { + "value": "Standard_LRS" + }, + // Non-required parameters + "diskSizeGB": { + "value": 1 + }, + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Image_

@@ -230,7 +286,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 3: _Import_ +### Example 4: _Import_

@@ -319,62 +375,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 4: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdmin' - params: { - // Required parameters - name: 'cdmin001' - sku: 'Standard_LRS' - // Non-required parameters - diskSizeGB: 1 - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cdmin001" - }, - "sku": { - "value": "Standard_LRS" - }, - // Non-required parameters - "diskSizeGB": { - "value": 1 - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/compute/disk/tests/e2e/min/main.test.bicep b/modules/compute/disk/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/compute/disk/tests/e2e/min/main.test.bicep rename to modules/compute/disk/tests/e2e/defaults/main.test.bicep diff --git a/modules/compute/gallery/tests/e2e/min/main.test.bicep b/modules/compute/gallery/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/compute/gallery/tests/e2e/min/main.test.bicep rename to modules/compute/gallery/tests/e2e/defaults/main.test.bicep diff --git a/modules/compute/proximity-placement-group/tests/e2e/min/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/compute/proximity-placement-group/tests/e2e/min/main.test.bicep rename to modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep diff --git a/modules/compute/ssh-public-key/tests/e2e/min/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/compute/ssh-public-key/tests/e2e/min/main.test.bicep rename to modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep diff --git a/modules/consumption/budget/tests/e2e/min/main.test.bicep b/modules/consumption/budget/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/consumption/budget/tests/e2e/min/main.test.bicep rename to modules/consumption/budget/tests/e2e/defaults/main.test.bicep diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 342a9f3fc0..124aa25f20 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md 
@@ -27,8 +27,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-instance.container-group:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Private](#example-4-private) ### Example 1: _Using large parameter set_ @@ -231,7 +231,111 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cicgmin' + params: { + // Required parameters + containers: [ + { + name: 'az-aci-x-001' + properties: { + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + name: 'cicgmin001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddressPorts: [ + { + port: 443 + protocol: 'Tcp' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "name": "az-aci-x-001", + "properties": { + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "443", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + } + ] + }, + "name": { + "value": "cicgmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddressPorts": { + "value": [ + { + "port": 443, + "protocol": "Tcp" + } + ] + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -440,110 +544,6 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgmin' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 443 - protocol: 'Tcp' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 443, - "protocol": "Tcp" - } - ] - } - } -} -``` - -
-

- ### Example 4: _Private_

diff --git a/modules/container-instance/container-group/tests/e2e/min/main.test.bicep b/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/container-instance/container-group/tests/e2e/min/main.test.bicep rename to modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 15270996f2..4568b1acee 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -33,8 +33,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-registry.registry:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Pe](#example-4-pe) ### Example 1: _Using large parameter set_ @@ -293,7 +293,55 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crrmin' + params: { + // Required parameters + name: 'crrmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crrmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -382,54 +430,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrmin' - params: { - // Required parameters - name: 'crrmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/container-registry/registry/tests/e2e/min/main.test.bicep b/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/container-registry/registry/tests/e2e/min/main.test.bicep rename to modules/container-registry/registry/tests/e2e/defaults/main.test.bicep diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index f77784354b..f2de8470fa 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -32,8 +32,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-service.managed-cluster:1.0.0`. - [Azure](#example-1-azure) -- [Kubenet](#example-2-kubenet) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Kubenet](#example-3-kubenet) - [Priv](#example-4-priv) ### Example 1: _Azure_ @@ -507,7 +507,81 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0'

-### Example 2: _Kubenet_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-csmmin' + params: { + // Required parameters + name: 'csmmin001' + primaryAgentPoolProfile: [ + { + count: 1 + mode: 'System' + name: 'systempool' + vmSize: 'Standard_DS2_v2' + } + ] + // Non-required parameters + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "csmmin001" + }, + "primaryAgentPoolProfile": { + "value": [ + { + "count": 1, + "mode": "System", + "name": "systempool", + "vmSize": "Standard_DS2_v2" + } + ] + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + } + } +} +``` + +
+

+ +### Example 3: _Kubenet_

@@ -770,80 +844,6 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0'

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csmmin' - params: { - // Required parameters - name: 'csmmin001' - primaryAgentPoolProfile: [ - { - count: 1 - mode: 'System' - name: 'systempool' - vmSize: 'Standard_DS2_v2' - } - ] - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "csmmin001" - }, - "primaryAgentPoolProfile": { - "value": [ - { - "count": 1, - "mode": "System", - "name": "systempool", - "vmSize": "Standard_DS2_v2" - } - ] - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - } - } -} -``` - -
-

- ### Example 4: _Priv_

diff --git a/modules/container-service/managed-cluster/tests/e2e/min/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/container-service/managed-cluster/tests/e2e/min/main.test.bicep rename to modules/container-service/managed-cluster/tests/e2e/defaults/main.test.bicep diff --git a/modules/data-factory/factory/tests/e2e/min/main.test.bicep b/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/data-factory/factory/tests/e2e/min/main.test.bicep rename to modules/data-factory/factory/tests/e2e/defaults/main.test.bicep diff --git a/modules/data-protection/backup-vault/tests/e2e/min/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/data-protection/backup-vault/tests/e2e/min/main.test.bicep rename to modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep diff --git a/modules/databricks/access-connector/tests/e2e/min/main.test.bicep b/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/databricks/access-connector/tests/e2e/min/main.test.bicep rename to modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep diff --git a/modules/databricks/workspace/tests/e2e/min/main.test.bicep b/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/databricks/workspace/tests/e2e/min/main.test.bicep rename to modules/databricks/workspace/tests/e2e/defaults/main.test.bicep diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/min/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/db-for-my-sql/flexible-server/tests/e2e/min/main.test.bicep rename to modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep 
diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/min/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/db-for-postgre-sql/flexible-server/tests/e2e/min/main.test.bicep
rename to modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/min/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/desktop-virtualization/application-group/tests/e2e/min/dependencies.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/min/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/desktop-virtualization/application-group/tests/e2e/min/main.test.bicep
rename to modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/min/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/desktop-virtualization/host-pool/tests/e2e/min/main.test.bicep
rename to modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/min/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/desktop-virtualization/scaling-plan/tests/e2e/min/main.test.bicep
rename to modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/min/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/desktop-virtualization/workspace/tests/e2e/min/main.test.bicep
rename to modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/dev-test-lab/lab/tests/e2e/min/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/dev-test-lab/lab/tests/e2e/min/main.test.bicep
rename to modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/min/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/digital-twins/digital-twins-instance/tests/e2e/min/main.test.bicep
rename to modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep
diff --git a/modules/event-grid/domain/tests/e2e/min/main.test.bicep b/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/event-grid/domain/tests/e2e/min/main.test.bicep
rename to modules/event-grid/domain/tests/e2e/defaults/main.test.bicep
diff --git a/modules/event-grid/system-topic/tests/e2e/min/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/event-grid/system-topic/tests/e2e/min/dependencies.bicep
rename to modules/event-grid/system-topic/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/event-grid/system-topic/tests/e2e/min/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/event-grid/system-topic/tests/e2e/min/main.test.bicep
rename to modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep
diff --git a/modules/event-grid/topic/tests/e2e/min/main.test.bicep b/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/event-grid/topic/tests/e2e/min/main.test.bicep
rename to modules/event-grid/topic/tests/e2e/defaults/main.test.bicep
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index 1329fdd23e..6db9b87e84 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
@@ -36,8 +36,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-hub.namespace:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Pe](#example-4-pe) ### Example 1: _Using large parameter set_
@@ -436,7 +436,55 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ehnmin' + params: { + // Required parameters + name: 'ehnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ehnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -531,54 +579,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnmin' - params: { - // Required parameters - name: 'ehnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/event-hub/namespace/tests/e2e/min/main.test.bicep b/modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/event-hub/namespace/tests/e2e/min/main.test.bicep
rename to modules/event-hub/namespace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/health-bot/health-bot/tests/e2e/min/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/health-bot/health-bot/tests/e2e/min/main.test.bicep
rename to modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep
diff --git a/modules/healthcare-apis/workspace/tests/e2e/min/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/healthcare-apis/workspace/tests/e2e/min/main.test.bicep
rename to modules/healthcare-apis/workspace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/action-group/tests/e2e/min/main.test.bicep b/modules/insights/action-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/action-group/tests/e2e/min/main.test.bicep
rename to modules/insights/action-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/component/tests/e2e/min/dependencies.bicep b/modules/insights/component/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/insights/component/tests/e2e/min/dependencies.bicep
rename to modules/insights/component/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/insights/component/tests/e2e/min/main.test.bicep b/modules/insights/component/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/component/tests/e2e/min/main.test.bicep
rename to modules/insights/component/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/min/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/data-collection-endpoint/tests/e2e/min/main.test.bicep
rename to modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index 37edcaf1f4..d28c4145c7 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -29,8 +29,8 @@ The following section provides usage examples for the module, which were used to - [Customadv](#example-1-customadv) - [Custombasic](#example-2-custombasic) - [Customiis](#example-3-customiis) -- [Linux](#example-4-linux) -- [Using only defaults](#example-5-using-only-defaults) +- [Using only defaults](#example-4-using-only-defaults) +- [Linux](#example-5-linux) - [Windows](#example-6-windows) ### Example 1: _Customadv_
@@ -654,7 +654,141 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'

-### Example 4: _Linux_ +### Example 4: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-idcrmin' + params: { + // Required parameters + dataFlows: [ + { + destinations: [ + 'azureMonitorMetrics-default' + ] + streams: [ + 'Microsoft-InsightsMetrics' + ] + } + ] + dataSources: { + performanceCounters: [ + { + counterSpecifiers: [ + '\\Process(_Total)\\Handle Count' + '\\Process(_Total)\\Thread Count' + '\\Processor Information(_Total)\\% Privileged Time' + '\\Processor Information(_Total)\\% Processor Time' + '\\Processor Information(_Total)\\% User Time' + '\\Processor Information(_Total)\\Processor Frequency' + '\\System\\Context Switches/sec' + '\\System\\Processes' + '\\System\\Processor Queue Length' + '\\System\\System Up Time' + ] + name: 'perfCounterDataSource60' + samplingFrequencyInSeconds: 60 + streams: [ + 'Microsoft-InsightsMetrics' + ] + } + ] + } + destinations: { + azureMonitorMetrics: { + name: 'azureMonitorMetrics-default' + } + } + name: 'idcrmin001' + // Non-required parameters + enableDefaultTelemetry: '' + kind: 'Windows' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "dataFlows": { + "value": [ + { + "destinations": [ + "azureMonitorMetrics-default" + ], + "streams": [ + "Microsoft-InsightsMetrics" + ] + } + ] + }, + "dataSources": { + "value": { + "performanceCounters": [ + { + "counterSpecifiers": [ + "\\Process(_Total)\\Handle Count", + "\\Process(_Total)\\Thread Count", + "\\Processor Information(_Total)\\% Privileged Time", + "\\Processor Information(_Total)\\% Processor Time", + "\\Processor Information(_Total)\\% User Time", + "\\Processor Information(_Total)\\Processor Frequency", + "\\System\\Context Switches/sec", + "\\System\\Processes", + "\\System\\Processor Queue Length", + "\\System\\System Up Time" + ], + "name": "perfCounterDataSource60", + "samplingFrequencyInSeconds": 60, + "streams": [ + "Microsoft-InsightsMetrics" + ] + } + ] + } + }, + "destinations": { + "value": { + "azureMonitorMetrics": { + "name": "azureMonitorMetrics-default" + } + } + }, + "name": { + "value": "idcrmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "kind": { + "value": "Windows" + } + } +} +``` + +
+

+ +### Example 5: _Linux_

@@ -1045,140 +1179,6 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'

-### Example 5: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-idcrmin' - params: { - // Required parameters - dataFlows: [ - { - destinations: [ - 'azureMonitorMetrics-default' - ] - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - dataSources: { - performanceCounters: [ - { - counterSpecifiers: [ - '\\Process(_Total)\\Handle Count' - '\\Process(_Total)\\Thread Count' - '\\Processor Information(_Total)\\% Privileged Time' - '\\Processor Information(_Total)\\% Processor Time' - '\\Processor Information(_Total)\\% User Time' - '\\Processor Information(_Total)\\Processor Frequency' - '\\System\\Context Switches/sec' - '\\System\\Processes' - '\\System\\Processor Queue Length' - '\\System\\System Up Time' - ] - name: 'perfCounterDataSource60' - samplingFrequencyInSeconds: 60 - streams: [ - 'Microsoft-InsightsMetrics' - ] - } - ] - } - destinations: { - azureMonitorMetrics: { - name: 'azureMonitorMetrics-default' - } - } - name: 'idcrmin001' - // Non-required parameters - enableDefaultTelemetry: '' - kind: 'Windows' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dataFlows": { - "value": [ - { - "destinations": [ - "azureMonitorMetrics-default" - ], - "streams": [ - "Microsoft-InsightsMetrics" - ] - } - ] - }, - "dataSources": { - "value": { - "performanceCounters": [ - { - "counterSpecifiers": [ - "\\Process(_Total)\\Handle Count", - "\\Process(_Total)\\Thread Count", - "\\Processor Information(_Total)\\% Privileged Time", - "\\Processor Information(_Total)\\% Processor Time", - "\\Processor Information(_Total)\\% User Time", - "\\Processor Information(_Total)\\Processor Frequency", - "\\System\\Context Switches/sec", - "\\System\\Processes", - "\\System\\Processor Queue Length", - "\\System\\System Up Time" - ], - "name": "perfCounterDataSource60", - "samplingFrequencyInSeconds": 60, - "streams": [ - "Microsoft-InsightsMetrics" - ] - } - ] - } - }, - "destinations": { - "value": { - "azureMonitorMetrics": { - "name": "azureMonitorMetrics-default" - } - } - }, - "name": { - "value": "idcrmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "kind": { - "value": "Windows" - } - } -} -``` - -
-

- ### Example 6: _Windows_

diff --git a/modules/insights/data-collection-rule/tests/e2e/min/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/data-collection-rule/tests/e2e/min/main.test.bicep
rename to modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/private-link-scope/tests/e2e/min/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/private-link-scope/tests/e2e/min/main.test.bicep
rename to modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
diff --git a/modules/insights/webtest/tests/e2e/min/dependencies.bicep b/modules/insights/webtest/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/insights/webtest/tests/e2e/min/dependencies.bicep
rename to modules/insights/webtest/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/insights/webtest/tests/e2e/min/main.test.bicep b/modules/insights/webtest/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/insights/webtest/tests/e2e/min/main.test.bicep
rename to modules/insights/webtest/tests/e2e/defaults/main.test.bicep
diff --git a/modules/key-vault/vault/tests/e2e/min/main.test.bicep b/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/key-vault/vault/tests/e2e/min/main.test.bicep
rename to modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/min/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/kubernetes-configuration/extension/tests/e2e/min/dependencies.bicep
rename to modules/kubernetes-configuration/extension/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/min/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/kubernetes-configuration/extension/tests/e2e/min/main.test.bicep
rename to modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/min/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/kubernetes-configuration/flux-configuration/tests/e2e/min/dependencies.bicep
rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/min/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/kubernetes-configuration/flux-configuration/tests/e2e/min/main.test.bicep
rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index c52e09855d..614646f1ef 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -32,8 +32,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/machine-learning-services.workspace:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) ### Example 1: _Using large parameter set_
@@ -287,7 +287,79 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mlswmin' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswmin001' + sku: 'Basic' + // Non-required parameters + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswmin001" + }, + "sku": { + "value": "Basic" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -420,78 +492,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmin' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmin001' - sku: 'Basic' - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmin001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/machine-learning-services/workspace/tests/e2e/min/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/machine-learning-services/workspace/tests/e2e/min/dependencies.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/machine-learning-services/workspace/tests/e2e/min/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/machine-learning-services/workspace/tests/e2e/min/main.test.bicep
rename to modules/machine-learning-services/workspace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/min/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/maintenance/maintenance-configuration/tests/e2e/min/main.test.bicep
rename to modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/min/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/managed-identity/user-assigned-identity/tests/e2e/min/main.test.bicep
rename to modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep
diff --git a/modules/management/management-group/tests/e2e/min/main.test.bicep b/modules/management/management-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/management/management-group/tests/e2e/min/main.test.bicep
rename to modules/management/management-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/net-app/net-app-account/tests/e2e/min/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/net-app/net-app-account/tests/e2e/min/main.test.bicep
rename to modules/net-app/net-app-account/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md
index c58b8068b9..f5d0409b80 100644
--- a/modules/network/azure-firewall/README.md
+++ b/modules/network/azure-firewall/README.md
@@ -31,9 +31,9 @@ The following section provides usage examples for the module, which were used to - [Addpip](#example-1-addpip) - [Using large parameter set](#example-2-using-large-parameter-set) - [Custompip](#example-3-custompip) -- [Hubcommon](#example-4-hubcommon) -- [Hubmin](#example-5-hubmin) -- [Using only defaults](#example-6-using-only-defaults) +- [Using only defaults](#example-4-using-only-defaults) +- [Hubcommon](#example-5-hubcommon) +- [Hubmin](#example-6-hubmin) ### Example 1: _Addpip_
@@ -557,7 +557,10 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 4: _Hubcommon_ +### Example 4: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +

@@ -565,24 +568,13 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { ```bicep module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafhubcom' + name: '${uniqueString(deployment().name, location)}-test-nafmin' params: { // Required parameters - name: 'nafhubcom001' + name: 'nafmin001' // Non-required parameters enableDefaultTelemetry: '' - firewallPolicyId: '' - hubIPAddresses: { - publicIPs: { - count: 1 - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - virtualHubId: '' + vNetId: '' } } ``` @@ -601,31 +593,14 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nafhubcom001" + "value": "nafmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" }, - "firewallPolicyId": { - "value": "" - }, - "hubIPAddresses": { - "value": { - "publicIPs": { - "count": 1 - } - } - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "virtualHubId": { - "value": "" + "vNetId": { + "value": "" } } } @@ -634,7 +609,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 5: _Hubmin_ +### Example 5: _Hubcommon_

@@ -642,17 +617,23 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { ```bicep module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafhubmin' + name: '${uniqueString(deployment().name, location)}-test-nafhubcom' params: { // Required parameters - name: 'nafhubmin001' + name: 'nafhubcom001' // Non-required parameters enableDefaultTelemetry: '' + firewallPolicyId: '' hubIPAddresses: { publicIPs: { count: 1 } } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } virtualHubId: '' } } @@ -672,12 +653,15 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nafhubmin001" + "value": "nafhubcom001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" }, + "firewallPolicyId": { + "value": "" + }, "hubIPAddresses": { "value": { "publicIPs": { @@ -685,6 +669,13 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { } } }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, "virtualHubId": { "value": "" } @@ -695,10 +686,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 6: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - +### Example 6: _Hubmin_

@@ -706,13 +694,18 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafmin' + name: '${uniqueString(deployment().name, location)}-test-nafhubmin' params: { // Required parameters - name: 'nafmin001' + name: 'nafhubmin001' // Non-required parameters enableDefaultTelemetry: '' - vNetId: '' + hubIPAddresses: { + publicIPs: { + count: 1 + } + } + virtualHubId: '' } } ```
@@ -731,14 +724,21 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nafmin001" + "value": "nafhubmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" }, - "vNetId": { - "value": "" + "hubIPAddresses": { + "value": { + "publicIPs": { + "count": 1 + } + } + }, + "virtualHubId": { + "value": "" } } }
diff --git a/modules/network/azure-firewall/tests/e2e/min/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/azure-firewall/tests/e2e/min/dependencies.bicep
rename to modules/network/azure-firewall/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/azure-firewall/tests/e2e/min/main.test.bicep b/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/azure-firewall/tests/e2e/min/main.test.bicep
rename to modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/bastion-host/tests/e2e/min/dependencies.bicep b/modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/bastion-host/tests/e2e/min/dependencies.bicep
rename to modules/network/bastion-host/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/bastion-host/tests/e2e/min/main.test.bicep b/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/bastion-host/tests/e2e/min/main.test.bicep
rename to modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/ddos-protection-plan/tests/e2e/min/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/ddos-protection-plan/tests/e2e/min/main.test.bicep
rename to modules/network/ddos-protection-plan/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/min/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/dns-forwarding-ruleset/tests/e2e/min/dependencies.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/min/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/dns-forwarding-ruleset/tests/e2e/min/main.test.bicep
rename to modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/dns-zone/tests/e2e/min/main.test.bicep b/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/dns-zone/tests/e2e/min/main.test.bicep
rename to modules/network/dns-zone/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/express-route-circuit/tests/e2e/min/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/express-route-circuit/tests/e2e/min/main.test.bicep
rename to modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/express-route-gateway/tests/e2e/min/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/express-route-gateway/tests/e2e/min/dependencies.bicep
rename to modules/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/express-route-gateway/tests/e2e/min/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/express-route-gateway/tests/e2e/min/main.test.bicep
rename to modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/firewall-policy/tests/e2e/min/main.test.bicep b/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/firewall-policy/tests/e2e/min/main.test.bicep
rename to modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/min/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/front-door-web-application-firewall-policy/tests/e2e/min/main.test.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/front-door/tests/e2e/min/main.test.bicep b/modules/network/front-door/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/front-door/tests/e2e/min/main.test.bicep
rename to modules/network/front-door/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/ip-group/tests/e2e/min/main.test.bicep b/modules/network/ip-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/ip-group/tests/e2e/min/main.test.bicep
rename to modules/network/ip-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md
index f6c2ff8e44..21fc7daf46 100644
--- a/modules/network/load-balancer/README.md
+++ b/modules/network/load-balancer/README.md
@@ -31,8 +31,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.load-balancer:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Internal](#example-2-internal) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Internal](#example-3-internal) ### Example 1: _Using large parameter set_
@@ -322,7 +322,69 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {

-### Example 2: _Internal_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlbmin' + params: { + // Required parameters + frontendIPConfigurations: [ + { + name: 'publicIPConfig1' + publicIPAddressId: '' + } + ] + name: 'nlbmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "frontendIPConfigurations": { + "value": [ + { + "name": "publicIPConfig1", + "publicIPAddressId": "" + } + ] + }, + "name": { + "value": "nlbmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Internal_

@@ -547,68 +609,6 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbmin' - params: { - // Required parameters - frontendIPConfigurations: [ - { - name: 'publicIPConfig1' - publicIPAddressId: '' - } - ] - name: 'nlbmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "frontendIPConfigurations": { - "value": [ - { - "name": "publicIPConfig1", - "publicIPAddressId": "" - } - ] - }, - "name": { - "value": "nlbmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/network/load-balancer/tests/e2e/min/dependencies.bicep b/modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/load-balancer/tests/e2e/min/dependencies.bicep
rename to modules/network/load-balancer/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/load-balancer/tests/e2e/min/main.test.bicep b/modules/network/load-balancer/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/load-balancer/tests/e2e/min/main.test.bicep
rename to modules/network/load-balancer/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/local-network-gateway/tests/e2e/min/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/local-network-gateway/tests/e2e/min/main.test.bicep
rename to modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/network-interface/tests/e2e/min/dependencies.bicep b/modules/network/network-interface/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/network-interface/tests/e2e/min/dependencies.bicep
rename to modules/network/network-interface/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/network-interface/tests/e2e/min/main.test.bicep b/modules/network/network-interface/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/network-interface/tests/e2e/min/main.test.bicep
rename to modules/network/network-interface/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/network-security-group/tests/e2e/min/main.test.bicep b/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/network-security-group/tests/e2e/min/main.test.bicep
rename to modules/network/network-security-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/network-watcher/tests/e2e/min/main.test.bicep b/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/network-watcher/tests/e2e/min/main.test.bicep
rename to modules/network/network-watcher/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/private-dns-zone/tests/e2e/min/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/private-dns-zone/tests/e2e/min/main.test.bicep
rename to modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/private-endpoint/tests/e2e/min/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/private-endpoint/tests/e2e/min/dependencies.bicep
rename to modules/network/private-endpoint/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/private-endpoint/tests/e2e/min/main.test.bicep b/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/private-endpoint/tests/e2e/min/main.test.bicep
rename to modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/private-link-service/tests/e2e/min/dependencies.bicep b/modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/private-link-service/tests/e2e/min/dependencies.bicep
rename to modules/network/private-link-service/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/private-link-service/tests/e2e/min/main.test.bicep b/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/private-link-service/tests/e2e/min/main.test.bicep
rename to modules/network/private-link-service/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/public-ip-address/tests/e2e/min/main.test.bicep b/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/public-ip-address/tests/e2e/min/main.test.bicep
rename to modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/public-ip-prefix/tests/e2e/min/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/public-ip-prefix/tests/e2e/min/main.test.bicep
rename to modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/route-table/tests/e2e/min/main.test.bicep b/modules/network/route-table/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/route-table/tests/e2e/min/main.test.bicep
rename to modules/network/route-table/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/service-endpoint-policy/tests/e2e/min/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/service-endpoint-policy/tests/e2e/min/main.test.bicep
rename to modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/min/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/trafficmanagerprofile/tests/e2e/min/main.test.bicep
rename to modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/virtual-hub/tests/e2e/min/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/virtual-hub/tests/e2e/min/dependencies.bicep
rename to modules/network/virtual-hub/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/virtual-hub/tests/e2e/min/main.test.bicep b/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/virtual-hub/tests/e2e/min/main.test.bicep
rename to modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/virtual-network/tests/e2e/min/main.test.bicep b/modules/network/virtual-network/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/virtual-network/tests/e2e/min/main.test.bicep
rename to modules/network/virtual-network/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/virtual-wan/tests/e2e/min/main.test.bicep b/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/virtual-wan/tests/e2e/min/main.test.bicep
rename to modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/vpn-gateway/tests/e2e/min/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-gateway/tests/e2e/min/dependencies.bicep
rename to modules/network/vpn-gateway/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/vpn-gateway/tests/e2e/min/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/vpn-gateway/tests/e2e/min/main.test.bicep
rename to modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep
diff --git a/modules/network/vpn-site/tests/e2e/min/dependencies.bicep b/modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/network/vpn-site/tests/e2e/min/dependencies.bicep
rename to modules/network/vpn-site/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/network/vpn-site/tests/e2e/min/main.test.bicep b/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/network/vpn-site/tests/e2e/min/main.test.bicep
rename to modules/network/vpn-site/tests/e2e/defaults/main.test.bicep
diff --git a/modules/operational-insights/workspace/tests/e2e/min/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/operational-insights/workspace/tests/e2e/min/main.test.bicep
rename to modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/operations-management/solution/tests/e2e/min/dependencies.bicep b/modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/operations-management/solution/tests/e2e/min/dependencies.bicep
rename to modules/operations-management/solution/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/operations-management/solution/tests/e2e/min/main.test.bicep b/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/operations-management/solution/tests/e2e/min/main.test.bicep
rename to modules/operations-management/solution/tests/e2e/defaults/main.test.bicep
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/min/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/power-bi-dedicated/capacity/tests/e2e/min/dependencies.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/min/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/power-bi-dedicated/capacity/tests/e2e/min/main.test.bicep
rename to modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep
diff --git a/modules/purview/account/tests/e2e/min/main.test.bicep b/modules/purview/account/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/purview/account/tests/e2e/min/main.test.bicep
rename to modules/purview/account/tests/e2e/defaults/main.test.bicep
diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md
index dbc5f018a3..1cf6b13205 100644
--- a/modules/recovery-services/vault/README.md
+++ b/modules/recovery-services/vault/README.md
@@ -40,8 +40,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/recovery-services.vault:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Dr](#example-2-dr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Dr](#example-3-dr) ### Example 1: _Using large parameter set_
@@ -729,7 +729,55 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {

-### Example 2: _Dr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rsvmin' + params: { + // Required parameters + name: 'rsvmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rsvmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Dr_

@@ -900,54 +948,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvmin' - params: { - // Required parameters - name: 'rsvmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rsvmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/recovery-services/vault/tests/e2e/min/main.test.bicep b/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/recovery-services/vault/tests/e2e/min/main.test.bicep
rename to modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep
diff --git a/modules/relay/namespace/tests/e2e/min/main.test.bicep b/modules/relay/namespace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/relay/namespace/tests/e2e/min/main.test.bicep
rename to modules/relay/namespace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/resource-graph/query/tests/e2e/min/main.test.bicep b/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/resource-graph/query/tests/e2e/min/main.test.bicep
rename to modules/resource-graph/query/tests/e2e/defaults/main.test.bicep
diff --git a/modules/resources/resource-group/tests/e2e/min/main.test.bicep b/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/resources/resource-group/tests/e2e/min/main.test.bicep
rename to modules/resources/resource-group/tests/e2e/defaults/main.test.bicep
diff --git a/modules/resources/tags/tests/e2e/min/main.test.bicep b/modules/resources/tags/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/resources/tags/tests/e2e/min/main.test.bicep
rename to modules/resources/tags/tests/e2e/defaults/main.test.bicep
diff --git a/modules/search/search-service/tests/e2e/min/main.test.bicep b/modules/search/search-service/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/search/search-service/tests/e2e/min/main.test.bicep
rename to modules/search/search-service/tests/e2e/defaults/main.test.bicep
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index bd23507761..924bde7a97 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -38,8 +38,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-bus.namespace:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Pe](#example-4-pe) ### Example 1: _Using large parameter set_
@@ -432,7 +432,55 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sbnmin' + params: { + // Required parameters + name: 'sbnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sbnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -613,54 +661,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbnmin' - params: { - // Required parameters - name: 'sbnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sbnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/service-bus/namespace/tests/e2e/min/main.test.bicep b/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/service-bus/namespace/tests/e2e/min/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep
diff --git a/modules/service-fabric/cluster/tests/e2e/min/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/service-fabric/cluster/tests/e2e/min/main.test.bicep
rename to modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep
diff --git a/modules/signal-r-service/signal-r/tests/e2e/min/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/signal-r-service/signal-r/tests/e2e/min/main.test.bicep
rename to modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/min/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/signal-r-service/web-pub-sub/tests/e2e/min/main.test.bicep
rename to modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep
diff --git a/modules/sql/managed-instance/tests/e2e/min/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep
similarity index 100%
rename from modules/sql/managed-instance/tests/e2e/min/dependencies.bicep
rename to modules/sql/managed-instance/tests/e2e/defaults/dependencies.bicep
diff --git a/modules/sql/managed-instance/tests/e2e/min/main.test.bicep b/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/sql/managed-instance/tests/e2e/min/main.test.bicep
rename to modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 01647f91e5..87e05dea85 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -42,8 +42,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/storage.storage-account:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encr](#example-2-encr) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encr](#example-3-encr) - [Nfs](#example-4-nfs) - [V1](#example-5-v1) ### Example 1: _Using large parameter set_
@@ -661,7 +661,59 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {

-### Example 2: _Encr_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssamin' + params: { + // Required parameters + name: 'ssamin001' + // Non-required parameters + allowBlobPublicAccess: false + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssamin001" + }, + // Non-required parameters + "allowBlobPublicAccess": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Encr_

@@ -830,58 +882,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssamin' - params: { - // Required parameters - name: 'ssamin001' - // Non-required parameters - allowBlobPublicAccess: false - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssamin001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 4: _Nfs_

diff --git a/modules/storage/storage-account/tests/e2e/min/main.test.bicep b/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/storage/storage-account/tests/e2e/min/main.test.bicep
rename to modules/storage/storage-account/tests/e2e/defaults/main.test.bicep
diff --git a/modules/synapse/private-link-hub/tests/e2e/min/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
similarity index 100%
rename from modules/synapse/private-link-hub/tests/e2e/min/main.test.bicep
rename to modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md
index 903f30470b..3b067e5ac2 100644
--- a/modules/synapse/workspace/README.md
+++ b/modules/synapse/workspace/README.md
@@ -33,10 +33,10 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.workspace:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) -- [Encrwsai](#example-2-encrwsai) -- [Encrwuai](#example-3-encrwuai) -- [Managedvnet](#example-4-managedvnet) -- [Using only defaults](#example-5-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Encrwsai](#example-3-encrwsai) +- [Encrwuai](#example-4-encrwuai) +- [Managedvnet](#example-5-managedvnet) ### Example 1: _Using large parameter set_
@@ -210,7 +210,10 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 2: _Encrwsai_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. +

@@ -218,20 +221,15 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swensa' + name: '${uniqueString(deployment().name, location)}-test-swmin' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swensa001' + name: 'swmin001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - } enableDefaultTelemetry: '' - encryptionActivateWorkspace: true } } ``` @@ -256,23 +254,14 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swensa001" + "value": "swmin001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "" - } - }, "enableDefaultTelemetry": { "value": "" - }, - "encryptionActivateWorkspace": { - "value": true } } } @@ -281,7 +270,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 3: _Encrwuai_ +### Example 3: _Encrwsai_

@@ -289,25 +278,20 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swenua' + name: '${uniqueString(deployment().name, location)}-test-swensa' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swenua001' + name: 'swensa001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters customerManagedKey: { keyName: '' keyVaultResourceId: '' - userAssignedIdentityResourceId: '' } enableDefaultTelemetry: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } + encryptionActivateWorkspace: true } } ``` @@ -332,7 +316,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swenua001" + "value": "swensa001" }, "sqlAdministratorLogin": { "value": "synwsadmin" @@ -341,19 +325,14 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "customerManagedKey": { "value": { "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" + "keyVaultResourceId": "" } }, "enableDefaultTelemetry": { "value": "" }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + "encryptionActivateWorkspace": { + "value": true } } } @@ -362,7 +341,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 4: _Managedvnet_ +### Example 4: _Encrwuai_

@@ -370,20 +349,20 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmanv' + name: '${uniqueString(deployment().name, location)}-test-swenua' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swmanv001' + name: 'swenua001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - allowedAadTenantIdsForLinking: [ - '' - ] + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' - managedVirtualNetwork: true - preventDataExfiltration: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -413,26 +392,22 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swmanv001" + "value": "swenua001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters - "allowedAadTenantIdsForLinking": { - "value": [ - "" - ] + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "enableDefaultTelemetry": { "value": "" }, - "managedVirtualNetwork": { - "value": true - }, - "preventDataExfiltration": { - "value": true - }, "tags": { "value": { "Environment": "Non-Prod", @@ -447,10 +422,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 5: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - +### Example 5: _Managedvnet_

@@ -458,15 +430,25 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmin' + name: '${uniqueString(deployment().name, location)}-test-swmanv' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swmin001' + name: 'swmanv001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters + allowedAadTenantIdsForLinking: [ + '' + ] enableDefaultTelemetry: '' + managedVirtualNetwork: true + preventDataExfiltration: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -491,14 +473,32 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swmin001" + "value": "swmanv001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters + "allowedAadTenantIdsForLinking": { + "value": [ + "" + ] + }, "enableDefaultTelemetry": { "value": "" + }, + "managedVirtualNetwork": { + "value": true + }, + "preventDataExfiltration": { + "value": true + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/synapse/workspace/tests/e2e/min/dependencies.bicep b/modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/tests/e2e/min/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/defaults/dependencies.bicep diff --git a/modules/synapse/workspace/tests/e2e/min/main.test.bicep b/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/synapse/workspace/tests/e2e/min/main.test.bicep rename to modules/synapse/workspace/tests/e2e/defaults/main.test.bicep 
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/min/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep similarity index 100% rename from modules/virtual-machine-images/image-template/tests/e2e/min/dependencies.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/defaults/dependencies.bicep diff --git a/modules/virtual-machine-images/image-template/tests/e2e/min/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/virtual-machine-images/image-template/tests/e2e/min/main.test.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/defaults/main.test.bicep diff --git a/modules/web/static-site/tests/e2e/min/main.test.bicep b/modules/web/static-site/tests/e2e/defaults/main.test.bicep similarity index 100% rename from modules/web/static-site/tests/e2e/min/main.test.bicep rename to modules/web/static-site/tests/e2e/defaults/main.test.bicep From 5410766cd0b49c68c7bb20b144671030102d9bf3 Mon Sep 17 00:00:00 2001 
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Sat, 4 Nov 2023 20:48:14 +0100 Subject: [PATCH 086/178] [Modules] Remove max test from apim and analysis services (#4188) * defaults * readmes * merge max and common --- modules/analysis-services/server/README.md | 190 +++---------- .../server/tests/e2e/common/main.test.bicep | 19 ++ .../server/tests/e2e/max/dependencies.bicep | 13 - .../server/tests/e2e/max/main.test.bicep | 112 -------- modules/api-management/service/README.md | 266 ++++-------------- .../tests/e2e/common/dependencies.bicep | 3 + .../service/tests/e2e/common/main.test.bicep | 124 +++++++- .../service/tests/e2e/max/dependencies.bicep | 16 -- .../service/tests/e2e/max/main.test.bicep | 216 -------------- 9 files changed, 242 insertions(+), 717 deletions(-) delete mode 100644 modules/analysis-services/server/tests/e2e/max/dependencies.bicep delete mode 100644 modules/analysis-services/server/tests/e2e/max/main.test.bicep delete mode 100644 modules/api-management/service/tests/e2e/max/dependencies.bicep delete mode 100644 modules/api-management/service/tests/e2e/max/main.test.bicep diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 67343bda2a..803b3e6e39 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -29,7 +29,6 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Using only defaults](#example-2-using-only-defaults) -- [Max](#example-3-max) ### Example 1: _Using large parameter set_ @@ -51,6 +50,14 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { eventHubAuthorizationRuleResourceId: '' eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] metricCategories: [ { category: 'AllMetrics' 
@@ -62,6 +69,16 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } ] enableDefaultTelemetry: '' + firewallSettings: { + enablePowerBIService: true + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeEnd: '255.255.255.255' + rangeStart: '0.0.0.0' + } + ] + } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' @@ -73,6 +90,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] + skuCapacity: 1 skuName: 'S0' tags: { Environment: 'Non-Prod' @@ -105,6 +123,14 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { "eventHubAuthorizationRuleResourceId": "", "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "Engine" + }, + { + "category": "Service" + } + ], "metricCategories": [ { "category": "AllMetrics" @@ -119,6 +145,18 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, + "firewallSettings": { + "value": { + "enablePowerBIService": true, + "firewallRules": [ + { + "firewallRuleName": "AllowFromAll", + "rangeEnd": "255.255.255.255", + "rangeStart": "0.0.0.0" + } + ] + } + }, "lock": { "value": { "kind": "CanNotDelete", @@ -134,6 +172,9 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { } ] }, + "skuCapacity": { + "value": 1 + }, "skuName": { "value": "S0" }, @@ -199,153 +240,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

-### Example 3: _Max_ - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-assmax' - params: { - // Required parameters - name: 'assmax' - // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'Engine' - } - { - category: 'Service' - } - ] - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - enableDefaultTelemetry: '' - firewallSettings: { - enablePowerBIService: true - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeEnd: '255.255.255.255' - rangeStart: '0.0.0.0' - } - ] - } - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuCapacity: 1 - skuName: 'S0' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "assmax" - }, - // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "Engine" - }, - { - "category": "Service" - } - ], - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "firewallSettings": { - "value": { - "enablePowerBIService": true, - "firewallRules": [ - { - "firewallRuleName": "AllowFromAll", - "rangeEnd": "255.255.255.255", - "rangeStart": "0.0.0.0" - } - ] - } - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuCapacity": { - "value": 1 - }, - "skuName": { - "value": "S0" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/analysis-services/server/tests/e2e/common/main.test.bicep b/modules/analysis-services/server/tests/e2e/common/main.test.bicep index f90426c6a4..c73e5c64c5 100644 --- a/modules/analysis-services/server/tests/e2e/common/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/common/main.test.bicep @@ -71,6 +71,17 @@ module testDeployment '../../../main.bicep' = { name: 'myCustomLockName' } skuName: 'S0' + skuCapacity: 1 + firewallSettings: { + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeStart: '0.0.0.0' + rangeEnd: '255.255.255.255' + } + ] + enablePowerBIService: true + } roleAssignments: [ { roleDefinitionIdOrName: 'Reader' @@ -86,6 +97,14 @@ module testDeployment '../../../main.bicep' = { category: 'AllMetrics' } ] + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId diff --git a/modules/analysis-services/server/tests/e2e/max/dependencies.bicep b/modules/analysis-services/server/tests/e2e/max/dependencies.bicep deleted file mode 100644 index 29b9641692..0000000000 --- a/modules/analysis-services/server/tests/e2e/max/dependencies.bicep +++ /dev/null @@ -1,13 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/analysis-services/server/tests/e2e/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep deleted file mode 100644 index 41b6b1dcd0..0000000000 --- a/modules/analysis-services/server/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,112 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param location string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'assmax' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: location -} - -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: location - } -} - -// ============== // -// Test Execution // -// ============== // - -module testDeployment '../../../main.bicep' = { - 
scope: az.resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-test-${serviceShort}' - params: { - enableDefaultTelemetry: enableDefaultTelemetry - name: '${namePrefix}${serviceShort}' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - skuName: 'S0' - skuCapacity: 1 - firewallSettings: { - firewallRules: [ - { - firewallRuleName: 'AllowFromAll' - rangeStart: '0.0.0.0' - rangeEnd: '255.255.255.255' - } - ] - enablePowerBIService: true - } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - logCategoriesAndGroups: [ - { - category: 'Engine' - } - { - category: 'Service' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] - } -} diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index dda735bb01..7a7e701100 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -44,7 +44,6 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Using only defaults](#example-2-using-only-defaults) -- [Max](#example-3-max) ### Example 1: _Using large parameter set_ 
@@ -64,213 +63,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: 'az-amorg-x-001' // Non-required parameters - enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - } - policies: [ - { - format: 'xml' - value: ' ' - } - ] - portalsettings: [ - { - name: 'signin' - properties: { - enabled: false - } - } - { - name: 'signup' - properties: { - enabled: false - termsOfService: { - consentRequired: false - enabled: false - } - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -

-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apiscom001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "policies": { - "value": [ - { - "format": "xml", - "value": " " - } - ] - }, - "portalsettings": { - "value": [ - { - "name": "signin", - "properties": { - "enabled": false - } - }, - { - "name": "signup", - "properties": { - "enabled": false, - "termsOfService": { - "consentRequired": false, - "enabled": false - } - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismin' - params: { - // Required parameters - name: 'apismin001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apismin001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Max_ - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismax' - params: { - // Required parameters - name: 'apismax001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters apis: [ { apiVersionSet: { @@ -432,7 +224,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "apismax001" + "value": "apiscom001" }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" @@ -623,6 +415,62 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

+### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module service 'br:bicep/modules/api-management.service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-apismin' + params: { + // Required parameters + name: 'apismin001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: 'az-amorg-x-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apismin001" + }, + "publisherEmail": { + "value": "apimgmt-noreply@mail.windowsazure.com" + }, + "publisherName": { + "value": "az-amorg-x-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/api-management/service/tests/e2e/common/dependencies.bicep b/modules/api-management/service/tests/e2e/common/dependencies.bicep index 29b9641692..bd63a95634 100644 --- a/modules/api-management/service/tests/e2e/common/dependencies.bicep +++ b/modules/api-management/service/tests/e2e/common/dependencies.bicep @@ -11,3 +11,6 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- @description('The principal ID of the created managed identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/api-management/service/tests/e2e/common/main.test.bicep b/modules/api-management/service/tests/e2e/common/main.test.bicep index 36998d40bd..80806744ef 100644 --- a/modules/api-management/service/tests/e2e/common/main.test.bicep +++ b/modules/api-management/service/tests/e2e/common/main.test.bicep @@ -23,6 +23,10 @@ param enableDefaultTelemetry bool = true @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '[[namePrefix]]' +@description('Optional. The secret to leverage for authorization server authentication.') +@secure() +param customSecret string = newGuid() + // ============ // // Dependencies // // ============ // 
@@ -42,6 +46,20 @@ module nestedDependencies 'dependencies.bicep' = { } } +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + // ============== // // Test Execution // // ============== // 
@@ -54,10 +72,84 @@ module testDeployment '../../../main.bicep' = { name: '${namePrefix}${serviceShort}001' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: '${namePrefix}-az-amorg-x-001' + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' + clientId: 'apimclientid' + clientSecret: customSecret + clientRegistrationEndpoint: 'http://localhost' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + identityProviders: [ + { + name: 'aadProvider' + } + ] lock: { kind: 'CanNotDelete' name: 'myCustomLockName' } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] policies: [ { format: 'xml' 
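Review bot: The `backends` entry added here disables certificate validation (`validateCertificateChain: false`, `validateCertificateName: false`) for a plain `http://` backend URL, and the `authorizationServers` entry hard-codes a tenant ID (`651b43ce-…`) in both `authorizationEndpoint` and `tokenEndpoint` alongside `clientRegistrationEndpoint: 'http://localhost'`; since the README's large-parameter-set example is generated from this test, these validation-only values surface as reference configuration without a caveat. A short comment on the backend, e.g. `// Test-only: TLS validation disabled for the public echo backend; keep both flags true for real backends`, and either a `tenantId` parameter or a comment on the hard-coded GUID would make the intent explicit. The same applies to the `products` hunk below (`approvalRequired: false`, `subscriptionRequired: false` on `Starter`), which as I read it lets the product's APIs be called without a subscription key. The enclosing `module testDeployment` starts before this hunk and continues into the next one.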
@@ -82,9 +174,23 @@ module testDeployment '../../../main.bicep' = { } } ] - managedIdentities: { - systemAssigned: true - } + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] roleAssignments: [ { roleDefinitionIdOrName: 'Reader' @@ -92,6 +198,18 @@ module testDeployment '../../../main.bicep' = { principalType: 'ServicePrincipal' } ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + scope: '/apis' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/api-management/service/tests/e2e/max/dependencies.bicep b/modules/api-management/service/tests/e2e/max/dependencies.bicep deleted file mode 100644 index bd63a95634..0000000000 --- a/modules/api-management/service/tests/e2e/max/dependencies.bicep +++ /dev/null @@ -1,16 +0,0 @@ -@description('Required. The name of the managed identity to create.') -param managedIdentityName string - -@description('Optional. The location to deploy resources to.') -param location string = resourceGroup().location - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - -@description('The principal ID of the created managed identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep deleted file mode 100644 index 75ed04fb5a..0000000000 --- a/modules/api-management/service/tests/e2e/max/main.test.bicep +++ /dev/null 
@@ -1,216 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'apismax'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
-
-@description('Optional. The secret to leverage for authorization server authentication.')
-@secure()
-param customSecret string = newGuid()
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- }
-}
-
-// Diagnostics
-// ===========
-module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
- params: {
- storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
- logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
- eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
- eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
- location: location
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '${namePrefix}${serviceShort}001'
- publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
- publisherName: '${namePrefix}-az-amorg-x-001'
- apis: [
- {
- apiVersionSet: {
- name: 'echo-version-set'
- properties: {
- description: 'echo-version-set'
- displayName: 'echo-version-set'
- versioningScheme: 'Segment'
- }
- }
- displayName: 'Echo API'
- name: 'echo-api'
- path: 'echo'
- serviceUrl: 'http://echoapi.cloudapp.net/api'
- }
- ]
- authorizationServers: {
- secureList: [
- {
- authorizationEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize'
- clientId: 'apimclientid'
- clientSecret: customSecret
- clientRegistrationEndpoint: 'http://localhost'
- grantTypes: [
- 'authorizationCode'
- ]
- name: 'AuthServer1'
- tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token'
- }
- ]
- }
- backends: [
- {
- name: 'backend'
- tls: {
- validateCertificateChain: false
- validateCertificateName: false
- }
- url: 'http://echoapi.cloudapp.net/api'
- }
- ]
- caches: [
- {
- connectionString: 'connectionstringtest'
- name: 'westeurope'
- useFromLocation: 'westeurope'
- }
- ]
- diagnosticSettings: [
- {
- name: 'customSetting'
- metricCategories: [
- {
- category: 'AllMetrics'
- }
- ]
- eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
- storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
- workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
- }
- ]
- identityProviders: [
- {
- name: 'aadProvider'
- }
- ]
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- namedValues: [
- {
- displayName: 'apimkey'
- name: 'apimkey'
- secret: true
- }
- ]
- policies: [
- {
- format: 'xml'
- value: ' '
- }
- ]
- portalsettings: [
- {
- name: 'signin'
- properties: {
- enabled: false
- }
- }
- {
- name: 'signup'
- properties: {
- enabled: false
- termsOfService: {
- consentRequired: false
- enabled: false
- }
- }
- }
- ]
- products: [
- {
- apis: [
- {
- name: 'echo-api'
- }
- ]
- approvalRequired: false
- groups: [
- {
- name: 'developers'
- }
- ]
- name: 'Starter'
- subscriptionRequired: false
- }
- ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
- subscriptions: [
- {
- name: 'testArmSubscriptionAllApis'
- scope: '/apis'
- }
- ]
- managedIdentities: {
- systemAssigned: true
- userAssignedResourcesIds: [
- nestedDependencies.outputs.managedIdentityResourceId
- ]
- }
- tags: {
- 'hidden-title': 'This is visible in the resource name'
- Environment: 'Non-Prod'
- Role: 'DeploymentValidation'
- }
- }
-}
From 3f8955dea8118ede93ad9885cbf875f659d65f1e Mon Sep 17 00:00:00 2001
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Sun, 5 Nov 2023 00:57:19 +0100 Subject: [PATCH 087/178] [Modules] Rename common test to max (#4190) * rename folders * serviceshort * readme --- modules/aad/domain-service/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/analysis-services/server/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/api-management/service/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../configuration-store/README.md | 220 +++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/app/container-app/README.md | 172 ++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/app/job/README.md | 216 +++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/app/managed-environment/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/authorization/lock/README.md | 2 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../automation/automation-account/README.md | 248 +++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/batch/batch-account/README.md | 292 ++++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/cache/redis-enterprise/README.md | 352 ++++----- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/cache/redis/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/cdn/profile/README.md | 6 +- 
.../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/cognitive-services/account/README.md | 288 ++++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/availability-set/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/disk-encryption-set/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/disk/README.md | 216 +++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/gallery/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/image/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../{common => max}/dependencies_rbac.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../proximity-placement-group/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/compute/ssh-public-key/README.md | 32 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/consumption/budget/README.md | 56 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../container-group/README.md | 252 +++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/container-registry/registry/README.md | 288 ++++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/data-factory/factory/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../data-protection/backup-vault/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 
.../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/databricks/access-connector/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/databricks/workspace/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../application-group/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../host-pool/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../scaling-plan/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../workspace/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/dev-test-lab/lab/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../digital-twins-instance/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/event-grid/domain/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/event-grid/system-topic/README.md | 128 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/event-grid/topic/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/event-hub/namespace/README.md | 300 ++++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/health-bot/health-bot/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/healthcare-apis/workspace/README.md | 132 ++-- 
.../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/action-group/README.md | 120 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/activity-log-alert/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/component/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../data-collection-endpoint/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/diagnostic-setting/README.md | 6 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/metric-alert/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/private-link-scope/README.md | 106 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../insights/scheduled-query-rule/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/insights/webtest/README.md | 84 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/key-vault/vault/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../extension/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../flux-configuration/README.md | 68 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/logic/workflow/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../workspace/README.md | 424 
+++++------ .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../maintenance-configuration/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../user-assigned-identity/README.md | 96 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../registration-definition/README.md | 6 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/management/management-group/README.md | 40 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../README.md | 6 +- .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/application-gateway/README.md | 2 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../application-security-group/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/azure-firewall/README.md | 698 +++++++++--------- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/bastion-host/README.md | 286 +++---- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/ddos-protection-plan/README.md | 100 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/dns-forwarding-ruleset/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/dns-resolver/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/dns-zone/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/express-route-circuit/README.md | 132 ++-- .../e2e/{common => 
max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/express-route-gateway/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/firewall-policy/README.md | 108 +-- .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/front-door/README.md | 144 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/ip-group/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/load-balancer/README.md | 396 +++++----- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/local-network-gateway/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/nat-gateway/README.md | 10 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/network-interface/README.md | 136 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/network-manager/README.md | 2 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/network-security-group/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/network-watcher/README.md | 104 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/private-dns-zone/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- 
modules/network/private-endpoint/README.md | 144 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/private-link-service/README.md | 188 ++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/public-ip-address/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/public-ip-prefix/README.md | 100 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/route-table/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/service-endpoint-policy/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../network/trafficmanagerprofile/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/virtual-hub/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/virtual-network/README.md | 124 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/virtual-wan/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/vpn-gateway/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/network/vpn-site/README.md | 144 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../operational-insights/workspace/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- 
modules/power-bi-dedicated/capacity/README.md | 100 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/purview/account/README.md | 120 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/recovery-services/vault/README.md | 452 ++++++------ .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/relay/namespace/README.md | 116 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/resource-graph/query/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/resources/resource-group/README.md | 100 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/search/search-service/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../security/azure-security-center/README.md | 2 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/service-bus/namespace/README.md | 480 ++++++------ .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/service-fabric/cluster/README.md | 204 ++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/signal-r-service/signal-r/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../signal-r-service/web-pub-sub/README.md | 112 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/sql/managed-instance/README.md | 136 ++-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- 
modules/sql/server/README.md | 14 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/storage/storage-account/README.md | 460 ++++++------ .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/synapse/private-link-hub/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/synapse/workspace/README.md | 342 ++++----- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- .../image-template/README.md | 200 ++--- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/web/connection/README.md | 2 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/web/serverfarm/README.md | 6 +- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- modules/web/static-site/README.md | 108 +-- .../e2e/{common => max}/dependencies.bicep | 0 .../tests/e2e/{common => max}/main.test.bicep | 2 +- 339 files changed, 7618 insertions(+), 7618 deletions(-) rename modules/aad/domain-service/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/aad/domain-service/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/analysis-services/server/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/analysis-services/server/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/api-management/service/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/api-management/service/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/app-configuration/configuration-store/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/app-configuration/configuration-store/tests/e2e/{common => max}/main.test.bicep (99%) rename 
modules/app/container-app/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/app/container-app/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/app/job/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/app/job/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/app/managed-environment/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/app/managed-environment/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/authorization/lock/tests/e2e/{common => max}/main.test.bicep (97%) rename modules/automation/automation-account/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/automation/automation-account/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/batch/batch-account/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/batch/batch-account/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/cache/redis-enterprise/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/cache/redis-enterprise/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/cache/redis/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/cache/redis/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/cdn/profile/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/cdn/profile/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/cognitive-services/account/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/cognitive-services/account/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/compute/availability-set/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/availability-set/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/compute/disk-encryption-set/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/disk-encryption-set/tests/e2e/{common => max}/main.test.bicep (98%) rename 
modules/compute/disk/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/disk/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/compute/gallery/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/gallery/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/compute/image/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/image/tests/e2e/{common => max}/dependencies_rbac.bicep (100%) rename modules/compute/image/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/compute/proximity-placement-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/proximity-placement-group/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/compute/ssh-public-key/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/compute/ssh-public-key/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/consumption/budget/tests/e2e/{common => max}/main.test.bicep (96%) rename modules/container-instance/container-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/container-instance/container-group/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/container-registry/registry/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/container-registry/registry/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/data-factory/factory/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/data-factory/factory/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/data-protection/backup-vault/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/data-protection/backup-vault/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/databricks/access-connector/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/databricks/access-connector/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/databricks/workspace/tests/e2e/{common => 
max}/dependencies.bicep (100%) rename modules/databricks/workspace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/desktop-virtualization/application-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/desktop-virtualization/application-group/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/desktop-virtualization/host-pool/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/desktop-virtualization/host-pool/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/desktop-virtualization/scaling-plan/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/desktop-virtualization/scaling-plan/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/desktop-virtualization/workspace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/desktop-virtualization/workspace/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/dev-test-lab/lab/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/dev-test-lab/lab/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/digital-twins/digital-twins-instance/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/digital-twins/digital-twins-instance/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/event-grid/domain/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/event-grid/domain/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/event-grid/system-topic/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/event-grid/system-topic/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/event-grid/topic/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/event-grid/topic/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/event-hub/namespace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/event-hub/namespace/tests/e2e/{common => max}/main.test.bicep (99%) rename 
modules/health-bot/health-bot/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/health-bot/health-bot/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/healthcare-apis/workspace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/healthcare-apis/workspace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/insights/action-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/action-group/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/activity-log-alert/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/activity-log-alert/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/component/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/component/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/data-collection-endpoint/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/data-collection-endpoint/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/diagnostic-setting/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/metric-alert/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/metric-alert/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/private-link-scope/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/private-link-scope/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/scheduled-query-rule/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/scheduled-query-rule/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/insights/webtest/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/insights/webtest/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/key-vault/vault/tests/e2e/{common => max}/dependencies.bicep (100%) rename 
modules/key-vault/vault/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/kubernetes-configuration/extension/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/kubernetes-configuration/extension/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/kubernetes-configuration/flux-configuration/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/kubernetes-configuration/flux-configuration/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/logic/workflow/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/logic/workflow/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/machine-learning-services/workspace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/machine-learning-services/workspace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/maintenance/maintenance-configuration/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/maintenance/maintenance-configuration/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/managed-identity/user-assigned-identity/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/managed-identity/user-assigned-identity/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/managed-services/registration-definition/tests/e2e/{common => max}/main.test.bicep (97%) rename modules/management/management-group/tests/e2e/{common => max}/main.test.bicep (96%) rename modules/network/application-gateway-web-application-firewall-policy/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/application-gateway/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/application-gateway/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/application-security-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/application-security-group/tests/e2e/{common => max}/main.test.bicep (98%) rename 
modules/network/azure-firewall/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/azure-firewall/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/bastion-host/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/bastion-host/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/ddos-protection-plan/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/ddos-protection-plan/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/dns-forwarding-ruleset/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/dns-forwarding-ruleset/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/dns-resolver/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/dns-resolver/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/dns-zone/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/dns-zone/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/express-route-circuit/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/express-route-circuit/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/express-route-gateway/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/express-route-gateway/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/firewall-policy/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/front-door-web-application-firewall-policy/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/front-door-web-application-firewall-policy/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/front-door/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/front-door/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/ip-group/tests/e2e/{common => 
max}/dependencies.bicep (100%) rename modules/network/ip-group/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/load-balancer/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/load-balancer/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/local-network-gateway/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/local-network-gateway/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/nat-gateway/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/nat-gateway/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/network-interface/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/network-interface/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/network-manager/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/network-manager/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/network-security-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/network-security-group/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/network-watcher/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/network-watcher/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/private-dns-zone/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/private-dns-zone/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/private-endpoint/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/private-endpoint/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/private-link-service/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/private-link-service/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/public-ip-address/tests/e2e/{common => 
max}/dependencies.bicep (100%) rename modules/network/public-ip-address/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/public-ip-prefix/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/public-ip-prefix/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/route-table/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/route-table/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/service-endpoint-policy/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/service-endpoint-policy/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/trafficmanagerprofile/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/trafficmanagerprofile/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/virtual-hub/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/virtual-hub/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/virtual-network/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/virtual-network/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/network/virtual-wan/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/virtual-wan/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/vpn-gateway/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/vpn-gateway/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/network/vpn-site/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/network/vpn-site/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/operational-insights/workspace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/operational-insights/workspace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/power-bi-dedicated/capacity/tests/e2e/{common => max}/dependencies.bicep (100%) rename 
modules/power-bi-dedicated/capacity/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/purview/account/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/purview/account/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/recovery-services/vault/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/recovery-services/vault/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/relay/namespace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/relay/namespace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/resource-graph/query/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/resource-graph/query/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/resources/resource-group/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/resources/resource-group/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/search/search-service/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/search/search-service/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/security/azure-security-center/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/security/azure-security-center/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/service-bus/namespace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/service-bus/namespace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/service-fabric/cluster/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/service-fabric/cluster/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/signal-r-service/signal-r/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/signal-r-service/signal-r/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/signal-r-service/web-pub-sub/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/signal-r-service/web-pub-sub/tests/e2e/{common => 
max}/main.test.bicep (98%) rename modules/sql/managed-instance/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/sql/managed-instance/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/sql/server/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/sql/server/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/storage/storage-account/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/storage/storage-account/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/synapse/private-link-hub/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/synapse/private-link-hub/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/synapse/workspace/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/synapse/workspace/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/virtual-machine-images/image-template/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/virtual-machine-images/image-template/tests/e2e/{common => max}/main.test.bicep (99%) rename modules/web/connection/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/web/connection/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/web/serverfarm/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/web/serverfarm/tests/e2e/{common => max}/main.test.bicep (98%) rename modules/web/static-site/tests/e2e/{common => max}/dependencies.bicep (100%) rename modules/web/static-site/tests/e2e/{common => max}/main.test.bicep (98%) diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index b93dc2af43..1330a6f5ec 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md 
@@ -41,7 +41,7 @@ This instance deploys the module with most of its features enabled. ```bicep module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaddscom' + name: '${uniqueString(deployment().name, location)}-test-aaddsmax' params: { // Required parameters domainName: 'onmicrosoft.com' @@ -63,7 +63,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - name: 'aaddscom001' + name: 'aaddsmax001' pfxCertificate: '' pfxCertificatePassword: '' replicaSets: [ @@ -125,7 +125,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { } }, "name": { - "value": "aaddscom001" + "value": "aaddsmax001" }, "pfxCertificate": { "value": "" diff --git a/modules/aad/domain-service/tests/e2e/common/dependencies.bicep b/modules/aad/domain-service/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/aad/domain-service/tests/e2e/common/dependencies.bicep rename to modules/aad/domain-service/tests/e2e/max/dependencies.bicep diff --git a/modules/aad/domain-service/tests/e2e/common/main.test.bicep b/modules/aad/domain-service/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/aad/domain-service/tests/e2e/common/main.test.bicep rename to modules/aad/domain-service/tests/e2e/max/main.test.bicep index 147548bc20..57a8a8aae6 100644 --- a/modules/aad/domain-service/tests/e2e/common/main.test.bicep +++ b/modules/aad/domain-service/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aaddscom' +param serviceShort string = 'aaddsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 803b3e6e39..73d7a21652 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -27,10 +27,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/analysis-services.server:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-assmin' + params: { + // Required parameters + name: 'assmin' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "assmin" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,10 +89,10 @@ This instance deploys the module with most of its features enabled. ```bicep module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-asscom' + name: '${uniqueString(deployment().name, location)}-test-assmax' params: { // Required parameters - name: 'asscom' + name: 'assmax' // Non-required parameters diagnosticSettings: [ { @@ -115,7 +163,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "asscom" + "value": "assmax" }, // Non-required parameters "diagnosticSettings": { @@ -192,54 +240,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module server 'br:bicep/modules/analysis-services.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-assmin' - params: { - // Required parameters - name: 'assmin' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "assmin" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/analysis-services/server/tests/e2e/common/dependencies.bicep b/modules/analysis-services/server/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/analysis-services/server/tests/e2e/common/dependencies.bicep rename to modules/analysis-services/server/tests/e2e/max/dependencies.bicep diff --git a/modules/analysis-services/server/tests/e2e/common/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/analysis-services/server/tests/e2e/common/main.test.bicep rename to modules/analysis-services/server/tests/e2e/max/main.test.bicep index c73e5c64c5..05de9c3d73 100644 --- a/modules/analysis-services/server/tests/e2e/common/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'asscom' +param serviceShort string = 'assmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 7a7e701100..49ae4a583a 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md 
@@ -42,10 +42,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/api-management.service:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module service 'br:bicep/modules/api-management.service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-apismin' + params: { + // Required parameters + name: 'apismin001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: 'az-amorg-x-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apismin001" + }, + "publisherEmail": { + "value": "apimgmt-noreply@mail.windowsazure.com" + }, + "publisherName": { + "value": "az-amorg-x-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -56,10 +112,10 @@ This instance deploys the module with most of its features enabled. ```bicep module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apiscom' + name: '${uniqueString(deployment().name, location)}-test-apismax' params: { // Required parameters - name: 'apiscom001' + name: 'apismax001' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: 'az-amorg-x-001' // Non-required parameters @@ -224,7 +280,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "apiscom001" + "value": "apismax001" }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" @@ -415,62 +471,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module service 'br:bicep/modules/api-management.service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-apismin' - params: { - // Required parameters - name: 'apismin001' - publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' - publisherName: 'az-amorg-x-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apismin001" - }, - "publisherEmail": { - "value": "apimgmt-noreply@mail.windowsazure.com" - }, - "publisherName": { - "value": "az-amorg-x-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/api-management/service/tests/e2e/common/dependencies.bicep b/modules/api-management/service/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/api-management/service/tests/e2e/common/dependencies.bicep rename to modules/api-management/service/tests/e2e/max/dependencies.bicep diff --git a/modules/api-management/service/tests/e2e/common/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/api-management/service/tests/e2e/common/main.test.bicep rename to modules/api-management/service/tests/e2e/max/main.test.bicep index 80806744ef..c1918b4ef4 100644 --- a/modules/api-management/service/tests/e2e/common/main.test.bicep +++ b/modules/api-management/service/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apiscom' +param serviceShort string = 'apismax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 46f091b2d9..e057fc4288 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md 
@@ -30,14 +30,14 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app-configuration.configuration-store:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -46,26 +46,62 @@ This instance deploys the module with most of its features enabled. ```bicep module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-acccom' + name: '${uniqueString(deployment().name, location)}-test-accmin' params: { // Required parameters - name: 'acccom001' + name: 'accmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "accmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-accencr' + params: { + // Required parameters + name: 'accencr001' // Non-required parameters createMode: 'Default' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } disableLocalAuth: false enableDefaultTelemetry: '' enablePurgeProtection: false @@ -83,12 +119,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor value: 'valueName' } ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } managedIdentities: { - systemAssigned: true userAssignedResourcesIds: [ '' ] @@ -124,27 +155,18 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "parameters": { // Required parameters "name": { - "value": "acccom001" + "value": "accencr001" }, // Non-required parameters "createMode": { "value": "Default" }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } }, "disableLocalAuth": { "value": false @@ -171,15 +193,8 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, "managedIdentities": { "value": { - "systemAssigned": true, "userAssignedResourcesIds": [ "" ] 
@@ -211,55 +226,10 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

-### Example 2: _Using only defaults_ +### Example 3: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accmin' - params: { - // Required parameters - name: 'accmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "accmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

+This instance deploys the module with most of its features enabled. -### Example 3: _Encr_

@@ -267,17 +237,26 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor ```bicep module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-accencr' + name: '${uniqueString(deployment().name, location)}-test-accmax' params: { // Required parameters - name: 'accencr001' + name: 'accmax001' // Non-required parameters createMode: 'Default' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] disableLocalAuth: false enableDefaultTelemetry: '' enablePurgeProtection: false @@ -295,7 +274,12 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor value: 'valueName' } ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } managedIdentities: { + systemAssigned: true userAssignedResourcesIds: [ '' ] @@ -331,18 +315,27 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "parameters": { // Required parameters "name": { - "value": "accencr001" + "value": "accmax001" }, // Non-required parameters "createMode": { "value": "Default" }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "disableLocalAuth": { "value": false 
@@ -369,8 +362,15 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, "managedIdentities": { "value": { + "systemAssigned": true, "userAssignedResourcesIds": [ "" ] diff --git a/modules/app-configuration/configuration-store/tests/e2e/common/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/app-configuration/configuration-store/tests/e2e/common/dependencies.bicep rename to modules/app-configuration/configuration-store/tests/e2e/max/dependencies.bicep diff --git a/modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep rename to modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep index c78f7c1c25..a87462b588 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/common/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurati param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'acccom' +param serviceShort string = 'accmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index e821376408..56ef31b6d4 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.container-app:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -40,30 +40,13 @@ This instance deploys the module with most of its features enabled. ```bicep module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mcappcom' + name: '${uniqueString(deployment().name, location)}-test-mcappmin' params: { // Required parameters containers: [ { image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] resources: { cpu: '' memory: '0.5Gi' @@ -71,27 +54,10 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { } ] environmentId: '' - name: 'mcappcom001' + name: 'mcappmin001' // Non-required parameters enableDefaultTelemetry: '' location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' @@ -118,23 +84,6 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { { "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], "resources": { "cpu": "", "memory": "0.5Gi" @@ -146,7 +95,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "value": "" }, "name": { - "value": "mcappcom001" + "value": "mcappmin001" }, // Non-required parameters "enableDefaultTelemetry": { 
@@ -155,29 +104,6 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "location": { "value": "" }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, "tags": { "value": { "Env": "test", @@ -191,9 +117,9 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -202,13 +128,30 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mcappmin' + name: '${uniqueString(deployment().name, location)}-test-mcappmax' params: { // Required parameters containers: [ { image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] resources: { cpu: '' memory: '0.5Gi' @@ -216,10 +159,27 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { } ] environmentId: '' - name: 'mcappmin001' + name: 'mcappmax001' // Non-required parameters enableDefaultTelemetry: '' location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' @@ -246,6 +206,23 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { { "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], "resources": { "cpu": "", "memory": "0.5Gi" @@ -257,7 +234,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "value": "" }, "name": { - "value": "mcappmin001" + "value": "mcappmax001" }, // Non-required parameters "enableDefaultTelemetry": { 
@@ -266,6 +243,29 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { "location": { "value": "" }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, "tags": { "value": { "Env": "test", diff --git a/modules/app/container-app/tests/e2e/common/dependencies.bicep b/modules/app/container-app/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/app/container-app/tests/e2e/common/dependencies.bicep rename to modules/app/container-app/tests/e2e/max/dependencies.bicep diff --git a/modules/app/container-app/tests/e2e/common/main.test.bicep b/modules/app/container-app/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/app/container-app/tests/e2e/common/main.test.bicep rename to modules/app/container-app/tests/e2e/max/main.test.bicep index 9d5a65c93b..68cd3514ae 100644 --- a/modules/app/container-app/tests/e2e/common/main.test.bicep +++ b/modules/app/container-app/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mcappcom' +param serviceShort string = 'mcappmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/job/README.md b/modules/app/job/README.md index 5575de3afb..c5d025fad6 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.job:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -40,30 +40,13 @@ This instance deploys the module with most of its features enabled. ```bicep module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajcom' + name: '${uniqueString(deployment().name, location)}-test-ajmin' params: { // Required parameters containers: [ { image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] resources: { cpu: '' memory: '0.5Gi' @@ -71,45 +54,19 @@ module job 'br:bicep/modules/app.job:1.0.0' = { } ] environmentId: '' - name: 'ajcom001' + name: 'ajmin001' triggerType: 'Manual' // Non-required parameters enableDefaultTelemetry: '' location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourcesIds: [ - '' - ] - } manualTriggerConfig: { parallelism: 1 replicaCompletionCount: 1 } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'ContainerApp Reader' - } - ] - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' } - workloadProfileName: '' } } ``` @@ -132,23 +89,6 @@ module job 'br:bicep/modules/app.job:1.0.0' = { { "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], "resources": { "cpu": "", "memory": "0.5Gi" 
@@ -160,7 +100,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "value": "" }, "name": { - "value": "ajcom001" + "value": "ajmin001" }, "triggerType": { "value": "Manual" @@ -172,53 +112,17 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "location": { "value": "" }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourcesIds": [ - "" - ] - } - }, "manualTriggerConfig": { "value": { "parallelism": 1, "replicaCompletionCount": 1 } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "ContainerApp Reader" - } - ] - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, "tags": { "value": { "Env": "test", "hidden-title": "This is visible in the resource name" } - }, - "workloadProfileName": { - "value": "" } } } @@ -227,9 +131,9 @@ module job 'br:bicep/modules/app.job:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -238,13 +142,30 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajmin' + name: '${uniqueString(deployment().name, location)}-test-ajmax' params: { // Required parameters containers: [ { image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] resources: { cpu: '' memory: '0.5Gi' @@ -252,19 +173,45 @@ module job 'br:bicep/modules/app.job:1.0.0' = { } ] environmentId: '' - name: 'ajmin001' + name: 'ajmax001' triggerType: 'Manual' // Non-required parameters enableDefaultTelemetry: '' location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } manualTriggerConfig: { parallelism: 1 replicaCompletionCount: 1 } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'ContainerApp Reader' + } + ] + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' } + workloadProfileName: '' } } ``` @@ -287,6 +234,23 @@ module job 'br:bicep/modules/app.job:1.0.0' = { { "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], "resources": { "cpu": "", "memory": "0.5Gi" 
@@ -298,7 +262,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "value": "" }, "name": { - "value": "ajmin001" + "value": "ajmax001" }, "triggerType": { "value": "Manual" @@ -310,17 +274,53 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "location": { "value": "" }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "manualTriggerConfig": { "value": { "parallelism": 1, "replicaCompletionCount": 1 } }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "ContainerApp Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, "tags": { "value": { "Env": "test", "hidden-title": "This is visible in the resource name" } + }, + "workloadProfileName": { + "value": "" } } } diff --git a/modules/app/job/tests/e2e/common/dependencies.bicep b/modules/app/job/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/app/job/tests/e2e/common/dependencies.bicep rename to modules/app/job/tests/e2e/max/dependencies.bicep diff --git a/modules/app/job/tests/e2e/common/main.test.bicep b/modules/app/job/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/app/job/tests/e2e/common/main.test.bicep rename to modules/app/job/tests/e2e/max/main.test.bicep index 2ec0467680..ad0bd71925 100644 --- a/modules/app/job/tests/e2e/common/main.test.bicep +++ b/modules/app/job/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ajcom' +param serviceShort string = 'ajmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index e1b11db691..40ec6dfd7e 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -26,10 +26,60 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.managed-environment:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-amemin' + params: { + // Required parameters + enableDefaultTelemetry: '' + logAnalyticsWorkspaceResourceId: '' + name: 'amemin001' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "" + }, + "name": { + "value": "amemin001" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,12 +90,12 @@ This instance deploys the module with most of its features enabled. ```bicep module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-amecom' + name: '${uniqueString(deployment().name, location)}-test-amemax' params: { // Required parameters enableDefaultTelemetry: '' logAnalyticsWorkspaceResourceId: '' - name: 'amecom001' + name: 'amemax001' // Non-required parameters dockerBridgeCidr: '172.16.0.1/28' infrastructureSubnetId: '' @@ -86,7 +136,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "value": "" }, "name": { - "value": "amecom001" + "value": "amemax001" }, // Non-required parameters "dockerBridgeCidr": { @@ -129,56 +179,6 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-amemin' - params: { - // Required parameters - enableDefaultTelemetry: '' - logAnalyticsWorkspaceResourceId: '' - name: 'amemin001' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "logAnalyticsWorkspaceResourceId": { - "value": "" - }, - "name": { - "value": "amemin001" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/app/managed-environment/tests/e2e/common/dependencies.bicep b/modules/app/managed-environment/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/app/managed-environment/tests/e2e/common/dependencies.bicep rename to modules/app/managed-environment/tests/e2e/max/dependencies.bicep diff --git a/modules/app/managed-environment/tests/e2e/common/main.test.bicep b/modules/app/managed-environment/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/app/managed-environment/tests/e2e/common/main.test.bicep rename to modules/app/managed-environment/tests/e2e/max/main.test.bicep index 16b5f39842..1843a5b3ce 100644 --- a/modules/app/managed-environment/tests/e2e/common/main.test.bicep +++ b/modules/app/managed-environment/tests/e2e/max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'amecom' +param serviceShort string = 'amemax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md index 2eb75ecad3..5d3f67c3e0 100644 --- a/modules/authorization/lock/README.md +++ b/modules/authorization/lock/README.md @@ -37,7 +37,7 @@ This instance deploys the module with most of its features enabled. ```bicep module lock 'br:bicep/modules/authorization.lock:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-alcom' + name: '${uniqueString(deployment().name, location)}-test-almax' params: { // Required parameters level: 'CanNotDelete' 
diff --git a/modules/authorization/lock/tests/e2e/common/main.test.bicep b/modules/authorization/lock/tests/e2e/max/main.test.bicep similarity index 97% rename from modules/authorization/lock/tests/e2e/common/main.test.bicep rename to modules/authorization/lock/tests/e2e/max/main.test.bicep index 177e5f5000..b0a46425c0 100644 --- a/modules/authorization/lock/tests/e2e/common/main.test.bicep +++ b/modules/authorization/lock/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'alcom' +param serviceShort string = 'almax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index b5b6e86e68..49340e030c 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -37,11 +37,128 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/automation.automation-account:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aamin' + params: { + // Required parameters + name: 'aamin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "aamin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aaencr' + params: { + // Required parameters + name: 'aaencr001' + // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "aaencr001" + }, + // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -52,10 +169,10 @@ This instance deploys the module with most of its features enabled. ```bicep module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aacom' + name: '${uniqueString(deployment().name, location)}-test-aamax' params: { // Required parameters - name: 'aacom001' + name: 'aamax001' // Non-required parameters diagnosticSettings: [ { @@ -265,7 +382,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "parameters": { // Required parameters "name": { - "value": "aacom001" + "value": "aamax001" }, // Non-required parameters "diagnosticSettings": { @@ -497,123 +614,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aamin' - params: { - // Required parameters - name: 'aamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-aaencr' - params: { - // Required parameters - name: 'aaencr001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "aaencr001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/automation/automation-account/tests/e2e/common/dependencies.bicep b/modules/automation/automation-account/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/automation/automation-account/tests/e2e/common/dependencies.bicep rename to modules/automation/automation-account/tests/e2e/max/dependencies.bicep diff --git a/modules/automation/automation-account/tests/e2e/common/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/automation/automation-account/tests/e2e/common/main.test.bicep rename to modules/automation/automation-account/tests/e2e/max/main.test.bicep index e21d40167d..f0984bd8c6 100644 --- a/modules/automation/automation-account/tests/e2e/common/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-automation.account-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aacom' +param serviceShort string = 'aamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 45497741ab..3a1c9b5e7f 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md 
@@ -31,13 +31,13 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/batch.batch-account:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -46,33 +46,68 @@ This instance deploys the module with most of its features enabled. ```bicep module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbacom' + name: '${uniqueString(deployment().name, location)}-test-bbamin' params: { // Required parameters - name: 'bbacom001' + name: 'bbamin001' storageAccountId: '' // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "bbamin001" + }, + "storageAccountId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-bbaencr' + params: { + // Required parameters + name: 'bbaencr001' + storageAccountId: '' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + enableDefaultTelemetry: '' managedIdentities: { - systemAssigned: true + userAssignedResourcesIds: [ + '' + ] } poolAllocationMode: 'BatchService' privateEndpoints: [ @@ -80,13 +115,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] + service: 'batchAccount' subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -95,13 +124,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] storageAccessIdentity: '' storageAuthenticationMode: 'BatchAccountManagedIdentity' tags: { @@ -127,40 +149,26 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "bbacom001" + "value": "bbaencr001" }, "storageAccountId": { "value": "" }, // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" }, "enableDefaultTelemetry": { "value": "" }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, "managedIdentities": { "value": { - "systemAssigned": true + "userAssignedResourcesIds": [ + "" + ] } }, "poolAllocationMode": { 
@@ -172,13 +180,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ], + "service": "batchAccount", "subnetResourceId": "", "tags": { "Environment": "Non-Prod", @@ -188,15 +190,6 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "storageAccessIdentity": { "value": "" }, @@ -217,9 +210,9 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 3: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -228,68 +221,33 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbamin' + name: '${uniqueString(deployment().name, location)}-test-bbamax' params: { // Required parameters - name: 'bbamin001' + name: 'bbamax001' storageAccountId: '' // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "bbamin001" - }, - "storageAccountId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-bbaencr' - params: { - // Required parameters - name: 'bbaencr001' - storageAccountId: '' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ - '' - ] + systemAssigned: true } poolAllocationMode: 'BatchService' privateEndpoints: [ @@ -297,7 +255,13 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { privateDnsZoneResourceIds: [ '' ] - service: 'batchAccount' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] subnetResourceId: '' tags: { Environment: 'Non-Prod' @@ -306,6 +270,13 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { } } ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] storageAccessIdentity: '' storageAuthenticationMode: 'BatchAccountManagedIdentity' tags: { @@ -331,26 +302,40 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "bbaencr001" + "value": "bbamax001" }, "storageAccountId": { "value": "" }, // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] }, "enableDefaultTelemetry": { "value": "" }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ - "" - ] + "systemAssigned": true } }, "poolAllocationMode": { 
@@ -362,7 +347,13 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { "privateDnsZoneResourceIds": [ "" ], - "service": "batchAccount", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], "subnetResourceId": "", "tags": { "Environment": "Non-Prod", @@ -372,6 +363,15 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { } ] }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, "storageAccessIdentity": { "value": "" }, diff --git a/modules/batch/batch-account/tests/e2e/common/dependencies.bicep b/modules/batch/batch-account/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/batch/batch-account/tests/e2e/common/dependencies.bicep rename to modules/batch/batch-account/tests/e2e/max/dependencies.bicep diff --git a/modules/batch/batch-account/tests/e2e/common/main.test.bicep b/modules/batch/batch-account/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/batch/batch-account/tests/e2e/common/main.test.bicep rename to modules/batch/batch-account/tests/e2e/max/main.test.bicep index 0da35a50a1..87a36e6670 100644 --- a/modules/batch/batch-account/tests/e2e/common/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'bbacom' +param serviceShort string = 'bbamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 9dd72d458e..50eaf4f856 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -30,11 +30,180 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis-enterprise:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Geo](#example-3-geo) +- [Using only defaults](#example-1-using-only-defaults) +- [Geo](#example-2-geo) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cremin' + params: { + // Required parameters + name: 'cremin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cremin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Geo_ + +

+ +via Bicep module + +```bicep +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cregeo' + params: { + // Required parameters + name: '' + // Non-required parameters + capacity: 2 + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'NoEviction' + geoReplication: { + groupNickname: '' + linkedDatabases: [ + { + id: '' + } + { + id: '' + } + ] + } + modules: [ + { + name: 'RediSearch' + } + { + name: 'RedisJSON' + } + ] + persistenceAofEnabled: false + persistenceRdbEnabled: false + port: 10000 + } + ] + enableDefaultTelemetry: '' + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "databases": { + "value": [ + { + "clusteringPolicy": "EnterpriseCluster", + "evictionPolicy": "NoEviction", + "geoReplication": { + "groupNickname": "", + "linkedDatabases": [ + { + "id": "" + }, + { + "id": "" + } + ] + }, + "modules": [ + { + "name": "RediSearch" + }, + { + "name": "RedisJSON" + } + ], + "persistenceAofEnabled": false, + "persistenceRdbEnabled": false, + "port": 10000 + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "resourceType": "Redis Cache Enterprise" + } + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,10 +214,10 @@ This instance deploys the module with most of its features enabled. ```bicep module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crecom' + name: '${uniqueString(deployment().name, location)}-test-cremax' params: { // Required parameters - name: 'crecom001' + name: 'cremax001' // Non-required parameters capacity: 2 databases: [ @@ -133,7 +302,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "crecom001" + "value": "cremax001" }, // Non-required parameters "capacity": { @@ -228,175 +397,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cremin' - params: { - // Required parameters - name: 'cremin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cremin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Geo_ - -

- -via Bicep module - -```bicep -module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cregeo' - params: { - // Required parameters - name: '' - // Non-required parameters - capacity: 2 - databases: [ - { - clusteringPolicy: 'EnterpriseCluster' - evictionPolicy: 'NoEviction' - geoReplication: { - groupNickname: '' - linkedDatabases: [ - { - id: '' - } - { - id: '' - } - ] - } - modules: [ - { - name: 'RediSearch' - } - { - name: 'RedisJSON' - } - ] - persistenceAofEnabled: false - persistenceRdbEnabled: false - port: 10000 - } - ] - enableDefaultTelemetry: '' - tags: { - 'hidden-title': 'This is visible in the resource name' - resourceType: 'Redis Cache Enterprise' - } - zoneRedundant: true - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "capacity": { - "value": 2 - }, - "databases": { - "value": [ - { - "clusteringPolicy": "EnterpriseCluster", - "evictionPolicy": "NoEviction", - "geoReplication": { - "groupNickname": "", - "linkedDatabases": [ - { - "id": "" - }, - { - "id": "" - } - ] - }, - "modules": [ - { - "name": "RediSearch" - }, - { - "name": "RedisJSON" - } - ], - "persistenceAofEnabled": false, - "persistenceRdbEnabled": false, - "port": 10000 - } - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "tags": { - "value": { - "hidden-title": "This is visible in the resource name", - "resourceType": "Redis Cache Enterprise" - } - }, - "zoneRedundant": { - "value": true - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/cache/redis-enterprise/tests/e2e/common/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/cache/redis-enterprise/tests/e2e/common/dependencies.bicep rename to modules/cache/redis-enterprise/tests/e2e/max/dependencies.bicep diff --git a/modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep rename to modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep index ee1edf7edf..ce2540744f 100644 --- a/modules/cache/redis-enterprise/tests/e2e/common/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crecom' +param serviceShort string = 'cremax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index ec7076e7cc..6c833b7a8a 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md 
@@ -30,10 +30,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/cache.redis:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module redis 'br:bicep/modules/cache.redis:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crmin' + params: { + // Required parameters + name: 'crmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -44,10 +92,10 @@ This instance deploys the module with most of its features enabled. ```bicep module redis 'br:bicep/modules/cache.redis:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crcom' + name: '${uniqueString(deployment().name, location)}-test-crmax' params: { // Required parameters - name: 'crcom001' + name: 'crmax001' // Non-required parameters capacity: 2 diagnosticSettings: [ @@ -121,7 +169,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "crcom001" + "value": "crmax001" }, // Non-required parameters "capacity": { @@ -215,54 +263,6 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module redis 'br:bicep/modules/cache.redis:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crmin' - params: { - // Required parameters - name: 'crmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/cache/redis/tests/e2e/common/dependencies.bicep b/modules/cache/redis/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/cache/redis/tests/e2e/common/dependencies.bicep rename to modules/cache/redis/tests/e2e/max/dependencies.bicep diff --git a/modules/cache/redis/tests/e2e/common/main.test.bicep b/modules/cache/redis/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/cache/redis/tests/e2e/common/main.test.bicep rename to modules/cache/redis/tests/e2e/max/main.test.bicep index 75f0cb1f22..5162295ff3 100644 --- a/modules/cache/redis/tests/e2e/common/main.test.bicep +++ b/modules/cache/redis/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crcom' +param serviceShort string = 'crmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index b6fb4eb69e..41fd0159bf 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -267,10 +267,10 @@ This instance deploys the module with most of its features enabled. ```bicep module profile 'br:bicep/modules/cdn.profile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdnpcom' + name: '${uniqueString(deployment().name, location)}-test-cdnpmax' params: { // Required parameters - name: 'dep-test-cdnpcom' + name: 'dep-test-cdnpmax' sku: 'Standard_Verizon' // Non-required parameters enableDefaultTelemetry: '' 
@@ -335,7 +335,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dep-test-cdnpcom" + "value": "dep-test-cdnpmax" }, "sku": { "value": "Standard_Verizon" diff --git a/modules/cdn/profile/tests/e2e/common/dependencies.bicep b/modules/cdn/profile/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/cdn/profile/tests/e2e/common/dependencies.bicep rename to modules/cdn/profile/tests/e2e/max/dependencies.bicep diff --git a/modules/cdn/profile/tests/e2e/common/main.test.bicep b/modules/cdn/profile/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/cdn/profile/tests/e2e/common/main.test.bicep rename to modules/cdn/profile/tests/e2e/max/main.test.bicep index 9185beffba..5298d3dc2c 100644 --- a/modules/cdn/profile/tests/e2e/common/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort} param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpcom' +param serviceShort string = 'cdnpmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 66a4163847..26626e96c2 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md 
@@ -32,12 +32,149 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/cognitive-services.account:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Speech](#example-4-speech) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-csamin' + params: { + // Required parameters + kind: 'SpeechServices' + name: 'csamin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "SpeechServices" + }, + "name": { + "value": "csamin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-csaencr' + params: { + // Required parameters + kind: 'SpeechServices' + name: 'csaencr001' + // Non-required parameters + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' + enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + publicNetworkAccess: 'Enabled' + restrictOutboundNetworkAccess: false + sku: 'S0' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "SpeechServices" + }, + "name": { + "value": "csaencr001" + }, + // Non-required parameters + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "restrictOutboundNetworkAccess": { + "value": false + }, + "sku": { + "value": "S0" + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -48,11 +185,11 @@ This instance deploys the module with most of its features enabled. ```bicep module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csacom' + name: '${uniqueString(deployment().name, location)}-test-csamax' params: { // Required parameters kind: 'Face' - name: 'csacom001' + name: 'csamax001' // Non-required parameters customSubDomainName: 'xdomain' diagnosticSettings: [ @@ -141,7 +278,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "value": "Face" }, "name": { - "value": "csacom001" + "value": "csamax001" }, // Non-required parameters "customSubDomainName": { @@ -237,143 +374,6 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csamin' - params: { - // Required parameters - kind: 'SpeechServices' - name: 'csamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "SpeechServices" - }, - "name": { - "value": "csamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-csaencr' - params: { - // Required parameters - kind: 'SpeechServices' - name: 'csaencr001' - // Non-required parameters - cMKKeyName: '' - cMKKeyVaultResourceId: '' - cMKUserAssignedIdentityResourceId: '' - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } - publicNetworkAccess: 'Enabled' - restrictOutboundNetworkAccess: false - sku: 'S0' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "kind": { - "value": "SpeechServices" - }, - "name": { - "value": "csaencr001" - }, - // Non-required parameters - "cMKKeyName": { - "value": "" - }, - "cMKKeyVaultResourceId": { - "value": "" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "restrictOutboundNetworkAccess": { - "value": false - }, - "sku": { - "value": "S0" - } - } -} -``` - -
-

- ### Example 4: _Speech_

diff --git a/modules/cognitive-services/account/tests/e2e/common/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/cognitive-services/account/tests/e2e/common/dependencies.bicep rename to modules/cognitive-services/account/tests/e2e/max/dependencies.bicep diff --git a/modules/cognitive-services/account/tests/e2e/common/main.test.bicep b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/cognitive-services/account/tests/e2e/common/main.test.bicep rename to modules/cognitive-services/account/tests/e2e/max/main.test.bicep index 0820e443b1..f548446c6c 100644 --- a/modules/cognitive-services/account/tests/e2e/common/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csacom' +param serviceShort string = 'csamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 3f66218b6c..e2d646e9bf 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.availability-set:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -40,29 +40,12 @@ This instance deploys the module with most of its features enabled. ```bicep module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cascom' + name: '${uniqueString(deployment().name, location)}-test-casmin' params: { // Required parameters - name: 'cascom001' + name: 'casmin001' // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -81,36 +64,11 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cascom001" + "value": "casmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -119,9 +77,9 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -130,12 +88,29 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-casmin' + name: '${uniqueString(deployment().name, location)}-test-casmax' params: { // Required parameters - name: 'casmin001' + name: 'casmax001' // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -154,11 +129,36 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "casmin001" + "value": "casmax001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "proximityPlacementGroupResourceId": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/compute/availability-set/tests/e2e/common/dependencies.bicep b/modules/compute/availability-set/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/availability-set/tests/e2e/common/dependencies.bicep rename to modules/compute/availability-set/tests/e2e/max/dependencies.bicep 
diff --git a/modules/compute/availability-set/tests/e2e/common/main.test.bicep b/modules/compute/availability-set/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/compute/availability-set/tests/e2e/common/main.test.bicep rename to modules/compute/availability-set/tests/e2e/max/main.test.bicep index 16687f42ea..c05e914de3 100644 --- a/modules/compute/availability-set/tests/e2e/common/main.test.bicep +++ b/modules/compute/availability-set/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cascom' +param serviceShort string = 'casmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index 8352867f9e..c3d9e9d920 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -137,12 +137,12 @@ This instance deploys the module with most of its features enabled. ```bicep module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdescom' + name: '${uniqueString(deployment().name, location)}-test-cdesmax' params: { // Required parameters keyName: '' keyVaultResourceId: '' - name: 'cdescom001' + name: 'cdesmax001' // Non-required parameters enableDefaultTelemetry: '' lock: { @@ -190,7 +190,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "value": "" }, "name": { - "value": "cdescom001" + "value": "cdesmax001" }, // Non-required parameters "enableDefaultTelemetry": { 
diff --git a/modules/compute/disk-encryption-set/tests/e2e/common/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/disk-encryption-set/tests/e2e/common/dependencies.bicep rename to modules/compute/disk-encryption-set/tests/e2e/max/dependencies.bicep diff --git a/modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep rename to modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep index 608b7921c7..d854daacec 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/common/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdescom' +param serviceShort string = 'cdesmax' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 11eec29dec..53656e6a71 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md 
@@ -26,14 +26,14 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.disk:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Image](#example-3-image) -- [Import](#example-4-import) +- [Using only defaults](#example-1-using-only-defaults) +- [Image](#example-2-image) +- [Import](#example-3-import) +- [Using large parameter set](#example-4-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -42,35 +42,14 @@ This instance deploys the module with most of its features enabled. ```bicep module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdcom' + name: '${uniqueString(deployment().name, location)}-test-cdmin' params: { // Required parameters - name: 'cdcom001' - sku: 'UltraSSD_LRS' + name: 'cdmin001' + sku: 'Standard_LRS' // Non-required parameters - diskIOPSReadWrite: 500 - diskMBpsReadWrite: 60 - diskSizeGB: 128 + diskSizeGB: 1 enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - logicalSectorSize: 512 - osType: 'Windows' - publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -89,54 +68,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cdcom001" + "value": "cdmin001" }, "sku": { - "value": "UltraSSD_LRS" + "value": "Standard_LRS" }, // Non-required parameters - "diskIOPSReadWrite": { - "value": 500 - }, - "diskMBpsReadWrite": { - "value": 60 - }, "diskSizeGB": { - "value": 128 + "value": 1 }, "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "logicalSectorSize": { - "value": 512 - }, - "osType": { - "value": "Windows" - }, - "publicNetworkAccess": { - "value": "Enabled" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -145,10 +87,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
+### Example 2: _Image_

@@ -156,14 +95,27 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdmin' + name: '${uniqueString(deployment().name, location)}-test-cdimg' params: { // Required parameters - name: 'cdmin001' + name: 'cdimg001' sku: 'Standard_LRS' // Non-required parameters - diskSizeGB: 1 + createOption: 'FromImage' enableDefaultTelemetry: '' + imageReferenceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -182,17 +134,36 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cdmin001" + "value": "cdimg001" }, "sku": { "value": "Standard_LRS" }, // Non-required parameters - "diskSizeGB": { - "value": 1 + "createOption": { + "value": "FromImage" }, "enableDefaultTelemetry": { "value": "" + }, + "imageReferenceId": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } @@ -201,7 +172,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 3: _Image_
+### Example 3: _Import_

@@ -209,15 +180,14 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { ```bicep module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdimg' + name: '${uniqueString(deployment().name, location)}-test-cdimp' params: { // Required parameters - name: 'cdimg001' + name: 'cdimp001' sku: 'Standard_LRS' // Non-required parameters - createOption: 'FromImage' + createOption: 'Import' enableDefaultTelemetry: '' - imageReferenceId: '' roleAssignments: [ { principalId: '' @@ -225,6 +195,8 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] + sourceUri: '' + storageAccountId: '' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -248,21 +220,18 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cdimg001" + "value": "cdimp001" }, "sku": { "value": "Standard_LRS" }, // Non-required parameters "createOption": { - "value": "FromImage" + "value": "Import" }, "enableDefaultTelemetry": { "value": "" }, - "imageReferenceId": { - "value": "" - }, "roleAssignments": { "value": [ { @@ -272,6 +241,12 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { } ] }, + "sourceUri": { + "value": "" + }, + "storageAccountId": { + "value": "" + }, "tags": { "value": { "Environment": "Non-Prod", @@ -286,7 +261,10 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

-### Example 4: _Import_
+### Example 4: _Using large parameter set_
+
+This instance deploys the module with most of its features enabled.
+

@@ -294,14 +272,23 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { ```bicep module disk 'br:bicep/modules/compute.disk:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cdimp' + name: '${uniqueString(deployment().name, location)}-test-cdmax' params: { // Required parameters - name: 'cdimp001' - sku: 'Standard_LRS' + name: 'cdmax001' + sku: 'UltraSSD_LRS' // Non-required parameters - createOption: 'Import' + diskIOPSReadWrite: 500 + diskMBpsReadWrite: 60 + diskSizeGB: 128 enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + logicalSectorSize: 512 + osType: 'Windows' + publicNetworkAccess: 'Enabled' roleAssignments: [ { principalId: '' @@ -309,8 +296,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - sourceUri: '' - storageAccountId: '' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -334,18 +319,39 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cdimp001" + "value": "cdmax001" }, "sku": { - "value": "Standard_LRS" + "value": "UltraSSD_LRS" }, // Non-required parameters - "createOption": { - "value": "Import" + "diskIOPSReadWrite": { + "value": 500 + }, + "diskMBpsReadWrite": { + "value": 60 + }, + "diskSizeGB": { + "value": 128 }, "enableDefaultTelemetry": { "value": "" }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "logicalSectorSize": { + "value": 512 + }, + "osType": { + "value": "Windows" + }, + "publicNetworkAccess": { + "value": "Enabled" + }, "roleAssignments": { "value": [ { @@ -355,12 +361,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { } ] }, - "sourceUri": { - "value": "" - }, - "storageAccountId": { - "value": "" - }, "tags": { "value": { "Environment": "Non-Prod", 
diff --git a/modules/compute/disk/tests/e2e/common/dependencies.bicep b/modules/compute/disk/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/compute/disk/tests/e2e/common/dependencies.bicep
rename to modules/compute/disk/tests/e2e/max/dependencies.bicep
diff --git a/modules/compute/disk/tests/e2e/common/main.test.bicep b/modules/compute/disk/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/compute/disk/tests/e2e/common/main.test.bicep
rename to modules/compute/disk/tests/e2e/max/main.test.bicep
index ecbf2ab2d9..7916ad9f61 100644
--- a/modules/compute/disk/tests/e2e/common/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShor
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cdcom'
+param serviceShort string = 'cdmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md
index 83e56b75e2..4f370dfd3b 100644
--- a/modules/compute/gallery/README.md
+++ b/modules/compute/gallery/README.md
@@ -28,10 +28,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.gallery:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cgmin' + params: { + // Required parameters + name: 'cgmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cgmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,17 +90,17 @@ This instance deploys the module with most of its features enabled. ```bicep module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cgcom' + name: '${uniqueString(deployment().name, location)}-test-cgmax' params: { // Required parameters - name: 'cgcom001' + name: 'cgmax001' // Non-required parameters applications: [ { - name: 'cgcom-appd-001' + name: 'cgmax-appd-001' } { - name: 'cgcom-appd-002' + name: 'cgmax-appd-002' roleAssignments: [ { principalId: '' @@ -199,16 +247,16 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cgcom001" + "value": "cgmax001" }, // Non-required parameters "applications": { "value": [ { - "name": "cgcom-appd-001" + "name": "cgmax-appd-001" }, { - "name": "cgcom-appd-002", + "name": "cgmax-appd-002", "roleAssignments": [ { "principalId": "", @@ -355,54 +403,6 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cgmin' - params: { - // Required parameters - name: 'cgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/compute/gallery/tests/e2e/common/dependencies.bicep b/modules/compute/gallery/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/gallery/tests/e2e/common/dependencies.bicep rename to modules/compute/gallery/tests/e2e/max/dependencies.bicep diff --git a/modules/compute/gallery/tests/e2e/common/main.test.bicep b/modules/compute/gallery/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/compute/gallery/tests/e2e/common/main.test.bicep rename to modules/compute/gallery/tests/e2e/max/main.test.bicep index 063c8b4719..a93ee28315 100644 --- a/modules/compute/gallery/tests/e2e/common/main.test.bicep +++ b/modules/compute/gallery/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cgcom' +param serviceShort string = 'cgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 4bbb50b4f4..6c22d0ff2d 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -38,10 +38,10 @@ This instance deploys the module with most of its features enabled. ```bicep module image 'br:bicep/modules/compute.image:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicom' + name: '${uniqueString(deployment().name, location)}-test-cimax' params: { // Required parameters - name: 'cicom001' + name: 'cimax001' osAccountType: 'Premium_LRS' osDiskBlobUri: '' osDiskCaching: 'ReadWrite' 
@@ -83,7 +83,7 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cicom001" + "value": "cimax001" }, "osAccountType": { "value": "Premium_LRS" diff --git a/modules/compute/image/tests/e2e/common/dependencies.bicep b/modules/compute/image/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/image/tests/e2e/common/dependencies.bicep rename to modules/compute/image/tests/e2e/max/dependencies.bicep diff --git a/modules/compute/image/tests/e2e/common/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/max/dependencies_rbac.bicep similarity index 100% rename from modules/compute/image/tests/e2e/common/dependencies_rbac.bicep rename to modules/compute/image/tests/e2e/max/dependencies_rbac.bicep diff --git a/modules/compute/image/tests/e2e/common/main.test.bicep b/modules/compute/image/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/compute/image/tests/e2e/common/main.test.bicep rename to modules/compute/image/tests/e2e/max/main.test.bicep index 8d1d8cea78..7b5bd31348 100644 --- a/modules/compute/image/tests/e2e/common/main.test.bicep +++ b/modules/compute/image/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShor param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicom' +param serviceShort string = 'cimax' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index dbc8c0751f..821a6a502e 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.proximity-placement-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cppgmin' + params: { + // Required parameters + name: 'cppgmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cppgmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cppgcom' + name: '${uniqueString(deployment().name, location)}-test-cppgmax' params: { // Required parameters - name: 'cppgcom001' + name: 'cppgmax001' // Non-required parameters colocationStatus: { code: 'ColocationStatus/Aligned' @@ -96,7 +144,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro "parameters": { // Required parameters "name": { - "value": "cppgcom001" + "value": "cppgmax001" }, // Non-required parameters "colocationStatus": { @@ -155,54 +203,6 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cppgmin' - params: { - // Required parameters - name: 'cppgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "cppgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/compute/proximity-placement-group/tests/e2e/common/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/proximity-placement-group/tests/e2e/common/dependencies.bicep rename to modules/compute/proximity-placement-group/tests/e2e/max/dependencies.bicep diff --git a/modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep rename to modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep index 0256dec55a..93f79eb2fe 100644 --- a/modules/compute/proximity-placement-group/tests/e2e/common/main.test.bicep +++ b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgr param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cppgcom' +param serviceShort string = 'cppgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index 054808608c..fcc48b1abe 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md 
@@ -30,12 +30,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.ssh-public-key:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.

@@ -44,13 +44,12 @@ This instance deploys the module with most of its features enabled. ```bicep module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cspkcom' + name: '${uniqueString(deployment().name, location)}-test-cspkmin' params: { // Required parameters - name: 'sshkey-cspkcom001' + name: 'cspkmin001' // Non-required parameters enableDefaultTelemetry: '' - publicKey: '' } } ``` @@ -69,14 +68,11 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "sshkey-cspkcom001" + "value": "cspkmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "publicKey": { - "value": "" } } } @@ -85,9 +81,9 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = {

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -96,12 +92,13 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cspkmin' + name: '${uniqueString(deployment().name, location)}-test-cspkmax' params: { // Required parameters - name: 'cspkmin001' + name: 'sshkey-cspkmax001' // Non-required parameters enableDefaultTelemetry: '' + publicKey: '' } } ``` @@ -120,11 +117,14 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "cspkmin001" + "value": "sshkey-cspkmax001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "publicKey": { + "value": "" } } } diff --git a/modules/compute/ssh-public-key/tests/e2e/common/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/compute/ssh-public-key/tests/e2e/common/dependencies.bicep rename to modules/compute/ssh-public-key/tests/e2e/max/dependencies.bicep diff --git a/modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep rename to modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep index 420a4d9f6d..a35550fe1c 100644 --- a/modules/compute/ssh-public-key/tests/e2e/common/main.test.bicep +++ b/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep 
@@ -16,7 +16,7 @@ param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 @maxLength(7)
-param serviceShort string = 'cspkcom'
+param serviceShort string = 'cspkmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md
index fe87cf897b..44cad18b76 100644
--- a/modules/consumption/budget/README.md
+++ b/modules/consumption/budget/README.md
@@ -24,12 +24,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/consumption.budget:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.
@@ -38,23 +38,16 @@ This instance deploys the module with most of its features enabled. ```bicep module budget 'br:bicep/modules/consumption.budget:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-cbcom' + name: '${uniqueString(deployment().name)}-test-cbmin' params: { // Required parameters amount: 500 - name: 'cbcom001' + name: 'cbmin001' // Non-required parameters contactEmails: [ 'dummy@contoso.com' ] enableDefaultTelemetry: '' - thresholds: [ - 50 - 75 - 90 - 100 - 110 - ] } } ``` @@ -76,7 +69,7 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = { "value": 500 }, "name": { - "value": "cbcom001" + "value": "cbmin001" }, // Non-required parameters "contactEmails": { @@ -86,15 +79,6 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = { }, "enableDefaultTelemetry": { "value": "" - }, - "thresholds": { - "value": [ - 50, - 75, - 90, - 100, - 110 - ] } } } @@ -103,9 +87,9 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = {

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -114,16 +98,23 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module budget 'br:bicep/modules/consumption.budget:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-cbmin' + name: '${uniqueString(deployment().name)}-test-cbmax' params: { // Required parameters amount: 500 - name: 'cbmin001' + name: 'cbmax001' // Non-required parameters contactEmails: [ 'dummy@contoso.com' ] enableDefaultTelemetry: '' + thresholds: [ + 50 + 75 + 90 + 100 + 110 + ] } } ``` @@ -145,7 +136,7 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = { "value": 500 }, "name": { - "value": "cbmin001" + "value": "cbmax001" }, // Non-required parameters "contactEmails": { @@ -155,6 +146,15 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = { }, "enableDefaultTelemetry": { "value": "" + }, + "thresholds": { + "value": [ + 50, + 75, + 90, + 100, + 110 + ] } } } diff --git a/modules/consumption/budget/tests/e2e/common/main.test.bicep b/modules/consumption/budget/tests/e2e/max/main.test.bicep similarity index 96% rename from modules/consumption/budget/tests/e2e/common/main.test.bicep rename to modules/consumption/budget/tests/e2e/max/main.test.bicep index a696b0b40e..691655f30f 100644 --- a/modules/consumption/budget/tests/e2e/common/main.test.bicep +++ b/modules/consumption/budget/tests/e2e/max/main.test.bicep @@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cbcom' +param serviceShort string = 'cbmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 124aa25f20..7918b1c8a2 100644 
--- a/modules/container-instance/container-group/README.md
+++ b/modules/container-instance/container-group/README.md
@@ -26,14 +26,14 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-instance.container-group:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
-- [Encr](#example-3-encr)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Encr](#example-2-encr)
+- [Using large parameter set](#example-3-using-large-parameter-set)
 - [Private](#example-4-private)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.
@@ -42,7 +42,108 @@ This instance deploys the module with most of its features enabled. ```bicep module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgcom' + name: '${uniqueString(deployment().name, location)}-test-cicgmin' + params: { + // Required parameters + containers: [ + { + name: 'az-aci-x-001' + properties: { + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + name: 'cicgmin001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddressPorts: [ + { + port: 443 + protocol: 'Tcp' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "name": "az-aci-x-001", + "properties": { + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "443", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + } + ] + }, + "name": { + "value": "cicgmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddressPorts": { + "value": [ + { + "port": 443, + "protocol": "Tcp" + } + ] + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cicgenc' params: { // Required parameters containers: [ @@ -91,8 +192,13 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } } ] - name: 'cicgcom001' + name: 'cicgenc001' // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } enableDefaultTelemetry: '' ipAddressPorts: [ { @@ -185,9 +291,16 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 ] }, "name": { - "value": "cicgcom001" + "value": "cicgenc001" }, // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, "enableDefaultTelemetry": { "value": "" }, @@ -231,111 +344,10 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0

-### Example 2: _Using only defaults_ +### Example 3: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgmin' - params: { - // Required parameters - containers: [ - { - name: 'az-aci-x-001' - properties: { - image: 'mcr.microsoft.com/azuredocs/aci-helloworld' - ports: [ - { - port: '443' - protocol: 'Tcp' - } - ] - resources: { - requests: { - cpu: 2 - memoryInGB: 2 - } - } - } - } - ] - name: 'cicgmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipAddressPorts: [ - { - port: 443 - protocol: 'Tcp' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "name": "az-aci-x-001", - "properties": { - "image": "mcr.microsoft.com/azuredocs/aci-helloworld", - "ports": [ - { - "port": "443", - "protocol": "Tcp" - } - ], - "resources": { - "requests": { - "cpu": 2, - "memoryInGB": 2 - } - } - } - } - ] - }, - "name": { - "value": "cicgmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddressPorts": { - "value": [ - { - "port": 443, - "protocol": "Tcp" - } - ] - } - } -} -``` - -
-

+This instance deploys the module with most of its features enabled. -### Example 3: _Encr_

@@ -343,7 +355,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 ```bicep module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cicgenc' + name: '${uniqueString(deployment().name, location)}-test-cicgmax' params: { // Required parameters containers: [ @@ -392,13 +404,8 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } } ] - name: 'cicgenc001' + name: 'cicgmax001' // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } enableDefaultTelemetry: '' ipAddressPorts: [ { @@ -491,16 +498,9 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 ] }, "name": { - "value": "cicgenc001" + "value": "cicgmax001" }, // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, "enableDefaultTelemetry": { "value": "" }, diff --git a/modules/container-instance/container-group/tests/e2e/common/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/container-instance/container-group/tests/e2e/common/dependencies.bicep rename to modules/container-instance/container-group/tests/e2e/max/dependencies.bicep diff --git a/modules/container-instance/container-group/tests/e2e/common/main.test.bicep b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/container-instance/container-group/tests/e2e/common/main.test.bicep rename to modules/container-instance/container-group/tests/e2e/max/main.test.bicep index 6aa1e5adc8..d98a8c184b 100644 --- a/modules/container-instance/container-group/tests/e2e/common/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containerg param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgcom' +param serviceShort string = 'cicgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 4568b1acee..940cac8fae 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -32,12 +32,149 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/container-registry.registry:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crrmin' + params: { + // Required parameters + name: 'crrmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crrmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crrencr' + params: { + // Required parameters + name: 'crrencr001' + // Non-required parameters + acrSku: 'Premium' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + publicNetworkAccess: 'Disabled' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crrencr001" + }, + // Non-required parameters + "acrSku": { + "value": "Premium" + }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -48,10 +185,10 @@ This instance deploys the module with most of its features enabled. ```bicep module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrcom' + name: '${uniqueString(deployment().name, location)}-test-crrmax' params: { // Required parameters - name: 'crrcom001' + name: 'crrmax001' // Non-required parameters acrAdminUserEnabled: false acrSku: 'Premium' @@ -158,7 +295,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "crrcom001" + "value": "crrmax001" }, // Non-required parameters "acrAdminUserEnabled": { @@ -293,143 +430,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrmin' - params: { - // Required parameters - name: 'crrmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-crrencr' - params: { - // Required parameters - name: 'crrencr001' - // Non-required parameters - acrSku: 'Premium' - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - userAssignedResourcesIds: [ - '' - ] - } - publicNetworkAccess: 'Disabled' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "crrencr001" - }, - // Non-required parameters - "acrSku": { - "value": "Premium" - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "userAssignedResourcesIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/container-registry/registry/tests/e2e/common/dependencies.bicep b/modules/container-registry/registry/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/container-registry/registry/tests/e2e/common/dependencies.bicep rename to modules/container-registry/registry/tests/e2e/max/dependencies.bicep diff --git a/modules/container-registry/registry/tests/e2e/common/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/container-registry/registry/tests/e2e/common/main.test.bicep rename to modules/container-registry/registry/tests/e2e/max/main.test.bicep index 6dc873af77..5a9631cb3d 100644 --- a/modules/container-registry/registry/tests/e2e/common/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrcom' +param serviceShort string = 'crrmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index b01bb04610..4df25ff5d9 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md 
@@ -33,10 +33,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-factory.factory:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dffmin' + params: { + // Required parameters + name: 'dffmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dffmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -47,10 +95,10 @@ This instance deploys the module with most of its features enabled. ```bicep module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dffcom' + name: '${uniqueString(deployment().name, location)}-test-dffmax' params: { // Required parameters - name: 'dffcom001' + name: 'dffmax001' // Non-required parameters customerManagedKey: { keyName: '' @@ -158,7 +206,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dffcom001" + "value": "dffmax001" }, // Non-required parameters "customerManagedKey": { @@ -282,54 +330,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dffmin' - params: { - // Required parameters - name: 'dffmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dffmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/data-factory/factory/tests/e2e/common/dependencies.bicep b/modules/data-factory/factory/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/data-factory/factory/tests/e2e/common/dependencies.bicep rename to modules/data-factory/factory/tests/e2e/max/dependencies.bicep diff --git a/modules/data-factory/factory/tests/e2e/common/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/data-factory/factory/tests/e2e/common/main.test.bicep rename to modules/data-factory/factory/tests/e2e/max/main.test.bicep index b88833eb68..8e8dd7f0ad 100644 --- a/modules/data-factory/factory/tests/e2e/common/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dffcom' +param serviceShort string = 'dffmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 8784320e19..200b51d6bc 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md 
@@ -28,10 +28,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/data-protection.backup-vault:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dpbvmin' + params: { + // Required parameters + name: 'dpbvmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dpbvmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +90,10 @@ This instance deploys the module with most of its features enabled. ```bicep module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dpbvcom' + name: '${uniqueString(deployment().name, location)}-test-dpbvmax' params: { // Required parameters - name: 'dpbvcom001' + name: 'dpbvmax001' // Non-required parameters azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' backupPolicies: [ @@ -148,7 +196,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dpbvcom001" + "value": "dpbvmax001" }, // Non-required parameters "azureMonitorAlertSettingsAlertsForAllJobFailures": { @@ -255,54 +303,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dpbvmin' - params: { - // Required parameters - name: 'dpbvmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dpbvmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/data-protection/backup-vault/tests/e2e/common/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/data-protection/backup-vault/tests/e2e/common/dependencies.bicep rename to modules/data-protection/backup-vault/tests/e2e/max/dependencies.bicep diff --git a/modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep rename to modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep index 83f702d49a..9a85777eb1 100644 --- a/modules/data-protection/backup-vault/tests/e2e/common/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dpbvcom' +param serviceShort string = 'dpbvmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 91fdd3ebdd..ad53643158 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.access-connector:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dacmin' + params: { + // Required parameters + name: 'dacmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dacmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-daccom' + name: '${uniqueString(deployment().name, location)}-test-dacmax' params: { // Required parameters - name: 'daccom001' + name: 'dacmax001' // Non-required parameters enableDefaultTelemetry: '' location: '' @@ -87,7 +135,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "daccom001" + "value": "dacmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -133,54 +181,6 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dacmin' - params: { - // Required parameters - name: 'dacmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dacmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/databricks/access-connector/tests/e2e/common/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/databricks/access-connector/tests/e2e/common/dependencies.bicep rename to modules/databricks/access-connector/tests/e2e/max/dependencies.bicep diff --git a/modules/databricks/access-connector/tests/e2e/common/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/databricks/access-connector/tests/e2e/common/main.test.bicep rename to modules/databricks/access-connector/tests/e2e/max/main.test.bicep index e6714e44e1..d67edfcaff 100644 --- a/modules/databricks/access-connector/tests/e2e/common/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'daccom' +param serviceShort string = 'dacmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 3fed69efc9..512cd9bc26 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md 
@@ -30,10 +30,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/databricks.workspace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dwmin' + params: { + // Required parameters + name: 'dwmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dwmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -44,10 +92,10 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dwcom' + name: '${uniqueString(deployment().name, location)}-test-dwmax' params: { // Required parameters - name: 'dwcom001' + name: 'dwmax001' // Non-required parameters amlWorkspaceResourceId: '' customerManagedKey: { @@ -115,7 +163,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { } ] skuName: 'premium' - storageAccountName: 'sadwcom001' + storageAccountName: 'sadwmax001' storageAccountSkuName: 'Standard_ZRS' tags: { Environment: 'Non-Prod' @@ -141,7 +189,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dwcom001" + "value": "dwmax001" }, // Non-required parameters "amlWorkspaceResourceId": { @@ -257,7 +305,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "value": "premium" }, "storageAccountName": { - "value": "sadwcom001" + "value": "sadwmax001" }, "storageAccountSkuName": { "value": "Standard_ZRS" @@ -279,54 +327,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dwmin' - params: { - // Required parameters - name: 'dwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/databricks/workspace/tests/e2e/common/dependencies.bicep b/modules/databricks/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/databricks/workspace/tests/e2e/common/dependencies.bicep rename to modules/databricks/workspace/tests/e2e/max/dependencies.bicep diff --git a/modules/databricks/workspace/tests/e2e/common/main.test.bicep b/modules/databricks/workspace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/databricks/workspace/tests/e2e/common/main.test.bicep rename to modules/databricks/workspace/tests/e2e/max/main.test.bicep index 02851de992..cbf4a382c1 100644 --- a/modules/databricks/workspace/tests/e2e/common/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dwcom' +param serviceShort string = 'dwmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 7e86196f3e..83aa677d85 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md 
@@ -28,10 +28,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.application-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvagmin' + params: { + // Required parameters + applicationGroupType: 'RemoteApp' + hostpoolName: '' + name: 'dvagmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "applicationGroupType": { + "value": "RemoteApp" + }, + "hostpoolName": { + "value": "" + }, + "name": { + "value": "dvagmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,12 +98,12 @@ This instance deploys the module with most of its features enabled. ```bicep module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvagcom' + name: '${uniqueString(deployment().name, location)}-test-dvagmax' params: { // Required parameters applicationGroupType: 'RemoteApp' hostpoolName: '' - name: 'dvagcom001' + name: 'dvagmax001' // Non-required parameters applications: [ { @@ -120,7 +176,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "value": "" }, "name": { - "value": "dvagcom001" + "value": "dvagmax001" }, // Non-required parameters "applications": { @@ -195,62 +251,6 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvagmin' - params: { - // Required parameters - applicationGroupType: 'RemoteApp' - hostpoolName: '' - name: 'dvagmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "applicationGroupType": { - "value": "RemoteApp" - }, - "hostpoolName": { - "value": "" - }, - "name": { - "value": "dvagmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/desktop-virtualization/application-group/tests/e2e/common/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/desktop-virtualization/application-group/tests/e2e/common/dependencies.bicep rename to modules/desktop-virtualization/application-group/tests/e2e/max/dependencies.bicep diff --git a/modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep rename to modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep index 65fd94ed94..115ba77ed7 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/common/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagcom' +param serviceShort string = 'dvagmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 03ed873f95..cc5703c6ab 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md 
@@ -27,10 +27,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.host-pool:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvhpmin' + params: { + // Required parameters + name: 'dvhpmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvhpmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,10 +89,10 @@ This instance deploys the module with most of its features enabled. ```bicep module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvhpcom' + name: '${uniqueString(deployment().name, location)}-test-dvhpmax' params: { // Required parameters - name: 'dvhpcom001' + name: 'dvhpmax001' // Non-required parameters agentUpdate: { maintenanceWindows: [ @@ -130,7 +178,7 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dvhpcom001" + "value": "dvhpmax001" }, // Non-required parameters "agentUpdate": { @@ -236,54 +284,6 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvhpmin' - params: { - // Required parameters - name: 'dvhpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvhpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/common/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/desktop-virtualization/host-pool/tests/e2e/common/dependencies.bicep rename to modules/desktop-virtualization/host-pool/tests/e2e/max/dependencies.bicep diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep rename to modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep index 85d73e62df..d48cbdcade 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/common/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpo param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvhpcom' +param serviceShort string = 'dvhpmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 032df11696..0983c6dbbc 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvspmin' + params: { + // Required parameters + name: 'dvspmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvspmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvspcom' + name: '${uniqueString(deployment().name, location)}-test-dvspmax' params: { // Required parameters - name: 'dvspcom001' + name: 'dvspmax001' // Non-required parameters description: 'My Scaling Plan Description' diagnosticSettings: [ @@ -128,7 +176,7 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' "parameters": { // Required parameters "name": { - "value": "dvspcom001" + "value": "dvspmax001" }, // Non-required parameters "description": { @@ -219,54 +267,6 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0'

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvspmin' - params: { - // Required parameters - name: 'dvspmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvspmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/common/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/desktop-virtualization/scaling-plan/tests/e2e/common/dependencies.bicep rename to modules/desktop-virtualization/scaling-plan/tests/e2e/max/dependencies.bicep diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep rename to modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep index 105ce03868..b8426b2533 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/common/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalin param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvspcom' +param serviceShort string = 'dvspmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 35f5ec4422..2fab487621 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md 
@@ -27,10 +27,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/desktop-virtualization.workspace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvwmin' + params: { + // Required parameters + name: 'dvwmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvwmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,10 +89,10 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvwcom' + name: '${uniqueString(deployment().name, location)}-test-dvwmax' params: { // Required parameters - name: 'dvwcom001' + name: 'dvwmax001' // Non-required parameters appGroupResourceIds: [ '' @@ -96,7 +144,7 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dvwcom001" + "value": "dvwmax001" }, // Non-required parameters "appGroupResourceIds": { @@ -156,54 +204,6 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dvwmin' - params: { - // Required parameters - name: 'dvwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dvwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/desktop-virtualization/workspace/tests/e2e/common/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/desktop-virtualization/workspace/tests/e2e/common/dependencies.bicep rename to modules/desktop-virtualization/workspace/tests/e2e/max/dependencies.bicep diff --git a/modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep rename to modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep index c79a1fa0ae..565fbfe6a8 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/common/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.worksp param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvwcom' +param serviceShort string = 'dvwmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index be1f1cc67e..b7b777f88b 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md 
@@ -32,10 +32,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/dev-test-lab.lab:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtllmin' + params: { + // Required parameters + name: 'dtllmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtllmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -46,10 +94,10 @@ This instance deploys the module with most of its features enabled. ```bicep module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtllcom' + name: '${uniqueString(deployment().name, location)}-test-dtllmax' params: { // Required parameters - name: 'dtllcom001' + name: 'dtllmax001' // Non-required parameters announcement: { enabled: 'Enabled' @@ -236,7 +284,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { } tags: { 'hidden-title': 'This is visible in the resource name' - labName: 'dtllcom001' + labName: 'dtllmax001' resourceType: 'DevTest Lab' } virtualnetworks: [ @@ -292,7 +340,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "dtllcom001" + "value": "dtllmax001" }, // Non-required parameters "announcement": { @@ -527,7 +575,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "tags": { "value": { "hidden-title": "This is visible in the resource name", - "labName": "dtllcom001", + "labName": "dtllmax001", "resourceType": "DevTest Lab" } }, @@ -577,54 +625,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtllmin' - params: { - // Required parameters - name: 'dtllmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtllmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/dev-test-lab/lab/tests/e2e/common/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/dev-test-lab/lab/tests/e2e/common/dependencies.bicep rename to modules/dev-test-lab/lab/tests/e2e/max/dependencies.bicep diff --git a/modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep rename to modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep index 149d0cf464..302920b17e 100644 --- a/modules/dev-test-lab/lab/tests/e2e/common/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtllcom' +param serviceShort string = 'dtllmax' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 7f256381d1..bed016932f 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md 
@@ -30,10 +30,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/digital-twins.digital-twins-instance:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtdtimin' + params: { + // Required parameters + name: 'dtdtimin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtdtimin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -44,10 +92,10 @@ This instance deploys the module with most of its features enabled. ```bicep module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtdticom' + name: '${uniqueString(deployment().name, location)}-test-dtdtimax' params: { // Required parameters - name: 'dtdticom001' + name: 'dtdtimax001' // Non-required parameters diagnosticSettings: [ { @@ -125,7 +173,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "parameters": { // Required parameters "name": { - "value": "dtdticom001" + "value": "dtdtimax001" }, // Non-required parameters "diagnosticSettings": { @@ -213,54 +261,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-dtdtimin' - params: { - // Required parameters - name: 'dtdtimin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "dtdtimin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/common/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/digital-twins/digital-twins-instance/tests/e2e/common/dependencies.bicep rename to modules/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep rename to modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep index 73bf091495..6b1f42d08a 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/common/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsins param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtdticom' +param serviceShort string = 'dtdtimax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index bf1d4cbf98..be9e32e179 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md 
@@ -30,11 +30,59 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.domain:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egdmin' + params: { + // Required parameters + name: 'egdmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egdmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,10 +93,10 @@ This instance deploys the module with most of its features enabled. ```bicep module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdcom' + name: '${uniqueString(deployment().name, location)}-test-egdmax' params: { // Required parameters - name: 'egdcom001' + name: 'egdmax001' // Non-required parameters diagnosticSettings: [ { @@ -102,7 +150,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { Role: 'DeploymentValidation' } topics: [ - 'topic-egdcom001' + 'topic-egdmax001' ] } } @@ -122,7 +170,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "egdcom001" + "value": "egdmax001" }, // Non-required parameters "diagnosticSettings": { @@ -192,7 +240,7 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { }, "topics": { "value": [ - "topic-egdcom001" + "topic-egdmax001" ] } } @@ -202,54 +250,6 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egdmin' - params: { - // Required parameters - name: 'egdmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egdmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Pe_

diff --git a/modules/event-grid/domain/tests/e2e/common/dependencies.bicep b/modules/event-grid/domain/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/event-grid/domain/tests/e2e/common/dependencies.bicep rename to modules/event-grid/domain/tests/e2e/max/dependencies.bicep diff --git a/modules/event-grid/domain/tests/e2e/common/main.test.bicep b/modules/event-grid/domain/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/event-grid/domain/tests/e2e/common/main.test.bicep rename to modules/event-grid/domain/tests/e2e/max/main.test.bicep index f96b8aba01..de3be09b26 100644 --- a/modules/event-grid/domain/tests/e2e/common/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egdcom' +param serviceShort string = 'egdmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 5b20bf5b6f..526c04d4a7 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md 
@@ -28,10 +28,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.system-topic:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egstmin' + params: { + // Required parameters + name: 'egstmin001' + source: '' + topicType: 'Microsoft.Storage.StorageAccounts' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egstmin001" + }, + "source": { + "value": "" + }, + "topicType": { + "value": "Microsoft.Storage.StorageAccounts" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +98,10 @@ This instance deploys the module with most of its features enabled. ```bicep module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egstcom' + name: '${uniqueString(deployment().name, location)}-test-egstmax' params: { // Required parameters - name: 'egstcom001' + name: 'egstmax001' source: '' topicType: 'Microsoft.Storage.StorageAccounts' // Non-required parameters @@ -81,7 +137,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { enableAdvancedFilteringOnArrays: true isSubjectCaseSensitive: false } - name: 'egstcom001' + name: 'egstmax001' retryPolicy: { eventTimeToLive: '120' maxDeliveryAttempts: 10 @@ -125,7 +181,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "egstcom001" + "value": "egstmax001" }, "source": { "value": "" @@ -171,7 +227,7 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { "enableAdvancedFilteringOnArrays": true, "isSubjectCaseSensitive": false }, - "name": "egstcom001", + "name": "egstmax001", "retryPolicy": { "eventTimeToLive": "120", "maxDeliveryAttempts": 10 @@ -213,62 +269,6 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egstmin' - params: { - // Required parameters - name: 'egstmin001' - source: '' - topicType: 'Microsoft.Storage.StorageAccounts' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egstmin001" - }, - "source": { - "value": "" - }, - "topicType": { - "value": "Microsoft.Storage.StorageAccounts" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/event-grid/system-topic/tests/e2e/common/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/event-grid/system-topic/tests/e2e/common/dependencies.bicep rename to modules/event-grid/system-topic/tests/e2e/max/dependencies.bicep diff --git a/modules/event-grid/system-topic/tests/e2e/common/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/event-grid/system-topic/tests/e2e/common/main.test.bicep rename to modules/event-grid/system-topic/tests/e2e/max/main.test.bicep index a6b9312e35..a1fe7d4bf5 100644 --- a/modules/event-grid/system-topic/tests/e2e/common/main.test.bicep +++ b/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egstcom' +param serviceShort string = 'egstmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index b030a3e3fb..8ae1c9ebdf 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md 
@@ -30,11 +30,59 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-grid.topic:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egtmin' + params: { + // Required parameters + name: 'egtmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egtmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,10 +93,10 @@ This instance deploys the module with most of its features enabled. ```bicep module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtcom' + name: '${uniqueString(deployment().name, location)}-test-egtmax' params: { // Required parameters - name: 'egtcom001' + name: 'egtmax001' // Non-required parameters diagnosticSettings: [ { @@ -82,7 +130,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { enableAdvancedFilteringOnArrays: true isSubjectCaseSensitive: false } - name: 'egtcom001' + name: 'egtmax001' retryPolicy: { eventTimeToLive: '120' maxDeliveryAttempts: 10 @@ -143,7 +191,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "egtcom001" + "value": "egtmax001" }, // Non-required parameters "diagnosticSettings": { @@ -183,7 +231,7 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { "enableAdvancedFilteringOnArrays": true, "isSubjectCaseSensitive": false }, - "name": "egtcom001", + "name": "egtmax001", "retryPolicy": { "eventTimeToLive": "120", "maxDeliveryAttempts": 10 @@ -244,54 +292,6 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-egtmin' - params: { - // Required parameters - name: 'egtmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "egtmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Pe_

diff --git a/modules/event-grid/topic/tests/e2e/common/dependencies.bicep b/modules/event-grid/topic/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/event-grid/topic/tests/e2e/common/dependencies.bicep rename to modules/event-grid/topic/tests/e2e/max/dependencies.bicep diff --git a/modules/event-grid/topic/tests/e2e/common/main.test.bicep b/modules/event-grid/topic/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/event-grid/topic/tests/e2e/common/main.test.bicep rename to modules/event-grid/topic/tests/e2e/max/main.test.bicep index 8027740ab5..3ca8f6121e 100644 --- a/modules/event-grid/topic/tests/e2e/common/main.test.bicep +++ b/modules/event-grid/topic/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egtcom' +param serviceShort string = 'egtmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 6db9b87e84..11384fca9e 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md 
@@ -35,12 +35,155 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/event-hub.namespace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ehnmin' + params: { + // Required parameters + name: 'ehnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ehnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ehnenc' + params: { + // Required parameters + name: 'ehnenc001' + // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + publicNetworkAccess: 'SecuredByPerimeter' + requireInfrastructureEncryption: true + skuName: 'Premium' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ehnenc001" + }, + // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "publicNetworkAccess": { + "value": "SecuredByPerimeter" + }, + "requireInfrastructureEncryption": { + "value": true + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -51,10 +194,10 @@ This instance deploys the module with most of its features enabled. ```bicep module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehncom' + name: '${uniqueString(deployment().name, location)}-test-ehnmax' params: { // Required parameters - name: 'ehncom001' + name: 'ehnmax001' // Non-required parameters authorizationRules: [ { @@ -231,7 +374,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "ehncom001" + "value": "ehnmax001" }, // Non-required parameters "authorizationRules": { @@ -436,149 +579,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnmin' - params: { - // Required parameters - name: 'ehnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ehnenc' - params: { - // Required parameters - name: 'ehnenc001' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourcesIds: [ - '' - ] - } - publicNetworkAccess: 'SecuredByPerimeter' - requireInfrastructureEncryption: true - skuName: 'Premium' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ehnenc001" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourcesIds": [ - "" - ] - } - }, - "publicNetworkAccess": { - "value": "SecuredByPerimeter" - }, - "requireInfrastructureEncryption": { - "value": true - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/event-hub/namespace/tests/e2e/common/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/event-hub/namespace/tests/e2e/common/dependencies.bicep rename to modules/event-hub/namespace/tests/e2e/max/dependencies.bicep diff --git a/modules/event-hub/namespace/tests/e2e/common/main.test.bicep b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/event-hub/namespace/tests/e2e/common/main.test.bicep rename to modules/event-hub/namespace/tests/e2e/max/main.test.bicep index 869463f5a9..edfc8d7534 100644 --- a/modules/event-hub/namespace/tests/e2e/common/main.test.bicep +++ b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ehncom' +param serviceShort string = 'ehnmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 3ba7ed1140..794c1f2f31 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md 
@@ -26,10 +26,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/health-bot.health-bot:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-hbhbmin' + params: { + // Required parameters + name: 'hbhbmin001' + sku: 'F0' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hbhbmin001" + }, + "sku": { + "value": "F0" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +92,10 @@ This instance deploys the module with most of its features enabled. ```bicep module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-hbhbcom' + name: '${uniqueString(deployment().name, location)}-test-hbhbmax' params: { // Required parameters - name: 'hbhbcom001' + name: 'hbhbmax001' sku: 'F0' // Non-required parameters enableDefaultTelemetry: '' @@ -86,7 +138,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "hbhbcom001" + "value": "hbhbmax001" }, "sku": { "value": "F0" @@ -131,58 +183,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-hbhbmin' - params: { - // Required parameters - name: 'hbhbmin001' - sku: 'F0' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hbhbmin001" - }, - "sku": { - "value": "F0" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/health-bot/health-bot/tests/e2e/common/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/health-bot/health-bot/tests/e2e/common/dependencies.bicep rename to modules/health-bot/health-bot/tests/e2e/max/dependencies.bicep diff --git a/modules/health-bot/health-bot/tests/e2e/common/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/health-bot/health-bot/tests/e2e/common/main.test.bicep rename to modules/health-bot/health-bot/tests/e2e/max/main.test.bicep index 04f770a16c..5f1fafa9ee 100644 --- a/modules/health-bot/health-bot/tests/e2e/common/main.test.bicep +++ b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'hbhbcom' +param serviceShort string = 'hbhbmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 3c1d11f2db..75580c51f9 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md 
@@ -32,10 +32,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/healthcare-apis.workspace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-hawmin' + params: { + // Required parameters + name: 'hawmin001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + publicNetworkAccess: 'Enabled' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hawmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "publicNetworkAccess": { + "value": "Enabled" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -46,10 +102,10 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-hawcom' + name: '${uniqueString(deployment().name)}-test-hawmax' params: { // Required parameters - name: 'hawcom001' + name: 'hawmax001' // Non-required parameters dicomservices: [ { @@ -88,7 +144,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { } name: 'az-dicom-x-001' publicNetworkAccess: 'Enabled' - workspaceName: 'hawcom001' + workspaceName: 'hawmax001' } ] enableDefaultTelemetry: '' @@ -141,7 +197,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { } ] smartProxyEnabled: false - workspaceName: 'hawcom001' + workspaceName: 'hawmax001' } ] location: '' @@ -180,7 +236,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "hawcom001" + "value": "hawmax001" }, // Non-required parameters "dicomservices": { @@ -221,7 +277,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { }, "name": "az-dicom-x-001", "publicNetworkAccess": "Enabled", - "workspaceName": "hawcom001" + "workspaceName": "hawmax001" } ] }, @@ -278,7 +334,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { } ], "smartProxyEnabled": false, - "workspaceName": "hawcom001" + "workspaceName": "hawmax001" } ] }, @@ -317,62 +373,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-hawmin' - params: { - // Required parameters - name: 'hawmin001' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - publicNetworkAccess: 'Enabled' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "hawmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "publicNetworkAccess": { - "value": "Enabled" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/healthcare-apis/workspace/tests/e2e/common/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/healthcare-apis/workspace/tests/e2e/common/dependencies.bicep rename to modules/healthcare-apis/workspace/tests/e2e/max/dependencies.bicep diff --git a/modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep rename to modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep index b3ee36aeea..5e4f905ce5 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/common/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'hawcom' +param serviceShort string = 'hawmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index d54f25254b..d0edf08b29 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md 
@@ -28,10 +28,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.action-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-iagmin' + params: { + // Required parameters + groupShortName: 'agiagmin001' + name: 'iagmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupShortName": { + "value": "agiagmin001" + }, + "name": { + "value": "iagmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,11 +94,11 @@ This instance deploys the module with most of its features enabled. ```bicep module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iagcom' + name: '${uniqueString(deployment().name, location)}-test-iagmax' params: { // Required parameters - groupShortName: 'agiagcom001' - name: 'iagcom001' + groupShortName: 'agiagmax001' + name: 'iagmax001' // Non-required parameters emailReceivers: [ { @@ -98,10 +150,10 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { "parameters": { // Required parameters "groupShortName": { - "value": "agiagcom001" + "value": "agiagmax001" }, "name": { - "value": "iagcom001" + "value": "iagmax001" }, // Non-required parameters "emailReceivers": { @@ -153,58 +205,6 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iagmin' - params: { - // Required parameters - groupShortName: 'agiagmin001' - name: 'iagmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupShortName": { - "value": "agiagmin001" - }, - "name": { - "value": "iagmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/insights/action-group/tests/e2e/common/dependencies.bicep b/modules/insights/action-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/action-group/tests/e2e/common/dependencies.bicep rename to modules/insights/action-group/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/action-group/tests/e2e/common/main.test.bicep b/modules/insights/action-group/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/action-group/tests/e2e/common/main.test.bicep rename to modules/insights/action-group/tests/e2e/max/main.test.bicep index 094aef5dfd..7a156298a2 100644 --- a/modules/insights/action-group/tests/e2e/common/main.test.bicep +++ b/modules/insights/action-group/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iagcom' +param serviceShort string = 'iagmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 7ea6985434..5af0e285e5 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -38,7 +38,7 @@ This instance deploys the module with most of its features enabled. ```bicep module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ialacom' + name: '${uniqueString(deployment().name, location)}-test-ialamax' params: { // Required parameters conditions: [ 
@@ -73,7 +73,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' } ] - name: 'ialacom001' + name: 'ialamax001' // Non-required parameters actions: [ { @@ -148,7 +148,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { ] }, "name": { - "value": "ialacom001" + "value": "ialamax001" }, // Non-required parameters "actions": { diff --git a/modules/insights/activity-log-alert/tests/e2e/common/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/activity-log-alert/tests/e2e/common/dependencies.bicep rename to modules/insights/activity-log-alert/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep rename to modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep index 75d80ea8b0..74452e4c5f 100644 --- a/modules/insights/activity-log-alert/tests/e2e/common/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ialacom' +param serviceShort string = 'ialamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index e0aa1d9ff6..7bbf106053 100644 --- a/modules/insights/component/README.md 
+++ b/modules/insights/component/README.md @@ -26,10 +26,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.component:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module component 'br:bicep/modules/insights.component:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-icmin' + params: { + // Required parameters + name: 'icmin001' + workspaceResourceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "icmin001" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +92,10 @@ This instance deploys the module with most of its features enabled. ```bicep module component 'br:bicep/modules/insights.component:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iccom' + name: '${uniqueString(deployment().name, location)}-test-icmax' params: { // Required parameters - name: 'iccom001' + name: 'icmax001' workspaceResourceId: '' // Non-required parameters diagnosticSettings: [ @@ -91,7 +143,7 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "iccom001" + "value": "icmax001" }, "workspaceResourceId": { "value": "" @@ -139,58 +191,6 @@ module component 'br:bicep/modules/insights.component:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module component 'br:bicep/modules/insights.component:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-icmin' - params: { - // Required parameters - name: 'icmin001' - workspaceResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "icmin001" - }, - "workspaceResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/insights/component/tests/e2e/common/dependencies.bicep b/modules/insights/component/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/component/tests/e2e/common/dependencies.bicep rename to modules/insights/component/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/component/tests/e2e/common/main.test.bicep b/modules/insights/component/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/component/tests/e2e/common/main.test.bicep rename to modules/insights/component/tests/e2e/max/main.test.bicep index c268fb2bff..e272985a9c 100644 --- a/modules/insights/component/tests/e2e/common/main.test.bicep +++ b/modules/insights/component/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.components-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iccom' +param serviceShort string = 'icmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index d7c991c56c..9713158d2b 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.data-collection-endpoint:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-idcemin' + params: { + // Required parameters + name: 'idcemin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "idcemin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-idcecom' + name: '${uniqueString(deployment().name)}-test-idcemax' params: { // Required parameters - name: 'idcecom001' + name: 'idcemax001' // Non-required parameters enableDefaultTelemetry: '' kind: 'Windows' @@ -82,7 +130,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin "parameters": { // Required parameters "name": { - "value": "idcecom001" + "value": "idcemax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -123,54 +171,6 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-idcemin' - params: { - // Required parameters - name: 'idcemin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "idcemin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/insights/data-collection-endpoint/tests/e2e/common/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/data-collection-endpoint/tests/e2e/common/dependencies.bicep rename to modules/insights/data-collection-endpoint/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep rename to modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep index 048ae857f8..0bcea4cb4a 100644 --- a/modules/insights/data-collection-endpoint/tests/e2e/common/main.test.bicep +++ b/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpo param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcecom' +param serviceShort string = 'idcemax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index 7ef93aebbb..a0353d69b1 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md 
@@ -37,7 +37,7 @@ This instance deploys the module with most of its features enabled. ```bicep module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-idscom' + name: '${uniqueString(deployment().name, location)}-test-idsmax' params: { enableDefaultTelemetry: '' eventHubAuthorizationRuleResourceId: '' @@ -47,7 +47,7 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = category: 'AllMetrics' } ] - name: 'idscom001' + name: 'idsmax001' storageAccountResourceId: '' workspaceResourceId: '' } @@ -83,7 +83,7 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = ] }, "name": { - "value": "idscom001" + "value": "idsmax001" }, "storageAccountResourceId": { "value": "" diff --git a/modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep rename to modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep index 3452965065..b26c05e269 100644 --- a/modules/insights/diagnostic-setting/tests/e2e/common/main.test.bicep +++ b/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idscom' +param serviceShort string = 'idsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 3ad1b77aac..a213c126aa 100644 --- a/modules/insights/metric-alert/README.md 
+++ b/modules/insights/metric-alert/README.md @@ -38,7 +38,7 @@ This instance deploys the module with most of its features enabled. ```bicep module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-imacom' + name: '${uniqueString(deployment().name, location)}-test-imamax' params: { // Required parameters criterias: [ @@ -52,7 +52,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { timeAggregation: 'Average' } ] - name: 'imacom001' + name: 'imamax001' // Non-required parameters actions: [ '' @@ -105,7 +105,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { ] }, "name": { - "value": "imacom001" + "value": "imamax001" }, // Non-required parameters "actions": { diff --git a/modules/insights/metric-alert/tests/e2e/common/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/metric-alert/tests/e2e/common/dependencies.bicep rename to modules/insights/metric-alert/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/metric-alert/tests/e2e/common/main.test.bicep b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/metric-alert/tests/e2e/common/main.test.bicep rename to modules/insights/metric-alert/tests/e2e/max/main.test.bicep index c692d0a28b..f9cc7d5482 100644 --- a/modules/insights/metric-alert/tests/e2e/common/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'imacom' +param serviceShort string = 'imamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 1b6bf1ad3b..57e6b05caa 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -29,10 +29,57 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.private-link-scope:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep + name: '${uniqueString(deployment().name, location)}-test-iplsmin' + params: { + // Required parameters + name: 'iplsmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "iplsmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +89,10 @@ This instance deploys the module with most of its features enabled.

via Bicep module ```bicep - name: '${uniqueString(deployment().name, location)}-test-iplscom' + name: '${uniqueString(deployment().name, location)}-test-iplsmax' params: { // Required parameters - name: 'iplscom001' + name: 'iplsmax001' // Non-required parameters enableDefaultTelemetry: '' privateEndpoints: [ @@ -97,7 +144,7 @@ This instance deploys the module with most of its features enabled. "parameters": { // Required parameters "name": { - "value": "iplscom001" + "value": "iplsmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -149,53 +196,6 @@ This instance deploys the module with most of its features enabled.

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep - name: '${uniqueString(deployment().name, location)}-test-iplsmin' - params: { - // Required parameters - name: 'iplsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "iplsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/insights/private-link-scope/tests/e2e/common/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/private-link-scope/tests/e2e/common/dependencies.bicep rename to modules/insights/private-link-scope/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/private-link-scope/tests/e2e/common/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/private-link-scope/tests/e2e/common/main.test.bicep rename to modules/insights/private-link-scope/tests/e2e/max/main.test.bicep index fe7ba8f897..6b92ace5e2 100644 --- a/modules/insights/private-link-scope/tests/e2e/common/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iplscom' +param serviceShort string = 'iplsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index f81174bdb5..b84ede93c0 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -38,7 +38,7 @@ This instance deploys the module with most of its features enabled. ```bicep module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-isqrcom' + name: '${uniqueString(deployment().name, location)}-test-isqrmax' params: { // Required parameters criterias: { 
@@ -68,7 +68,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' } ] } - name: 'isqrcom001' + name: 'isqrmax001' scopes: [ '' ] @@ -139,7 +139,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' } }, "name": { - "value": "isqrcom001" + "value": "isqrmax001" }, "scopes": { "value": [ diff --git a/modules/insights/scheduled-query-rule/tests/e2e/common/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/scheduled-query-rule/tests/e2e/common/dependencies.bicep rename to modules/insights/scheduled-query-rule/tests/e2e/max/dependencies.bicep diff --git a/modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep rename to modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep index ce46d28cf7..d8bc06cf5e 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/common/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'isqrcom' +param serviceShort string = 'isqrmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index 9c53d80ad2..9d2e805c8a 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.webtest:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -40,10 +40,10 @@ This instance deploys the module with most of its features enabled. ```bicep module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iwtcom' + name: '${uniqueString(deployment().name, location)}-test-iwtmin' params: { // Required parameters - name: 'iwtcom001' + name: 'iwtmin001' request: { HttpVerb: 'GET' RequestUrl: 'https://learn.microsoft.com/en-us/' @@ -52,19 +52,9 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' 'hidden-title': 'This is visible in the resource name' } - webTestName: 'wt$iwtcom001' + webTestName: 'wt$iwtmin001' // Non-required parameters enableDefaultTelemetry: '' - locations: [ - { - Id: 'emea-nl-ams-azr' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - syntheticMonitorId: 'iwtcom001' } } ``` @@ -83,7 +73,7 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "iwtcom001" + "value": "iwtmin001" }, "request": { "value": { @@ -98,27 +88,11 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { } }, "webTestName": { - "value": "wt$iwtcom001" + "value": "wt$iwtmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "locations": { - "value": [ - { - "Id": "emea-nl-ams-azr" - } - ] - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "syntheticMonitorId": { - "value": "iwtcom001" } } } @@ -127,9 +101,9 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -138,10 +112,10 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-iwtmin' + name: '${uniqueString(deployment().name, location)}-test-iwtmax' params: { // Required parameters - name: 'iwtmin001' + name: 'iwtmax001' request: { HttpVerb: 'GET' RequestUrl: 'https://learn.microsoft.com/en-us/' @@ -150,9 +124,19 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' 'hidden-title': 'This is visible in the resource name' } - webTestName: 'wt$iwtmin001' + webTestName: 'wt$iwtmax001' // Non-required parameters enableDefaultTelemetry: '' + locations: [ + { + Id: 'emea-nl-ams-azr' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + syntheticMonitorId: 'iwtmax001' } } ``` @@ -171,7 +155,7 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "iwtmin001" + "value": "iwtmax001" }, "request": { "value": { @@ -186,11 +170,27 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { } }, "webTestName": { - "value": "wt$iwtmin001" + "value": "wt$iwtmax001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "locations": { + "value": [ + { + "Id": "emea-nl-ams-azr" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "syntheticMonitorId": { + "value": "iwtmax001" } } } diff --git a/modules/insights/webtest/tests/e2e/common/dependencies.bicep b/modules/insights/webtest/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/insights/webtest/tests/e2e/common/dependencies.bicep rename to modules/insights/webtest/tests/e2e/max/dependencies.bicep 
diff --git a/modules/insights/webtest/tests/e2e/common/main.test.bicep b/modules/insights/webtest/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/insights/webtest/tests/e2e/common/main.test.bicep rename to modules/insights/webtest/tests/e2e/max/main.test.bicep index a40b41c1e6..1a552a552b 100644 --- a/modules/insights/webtest/tests/e2e/common/main.test.bicep +++ b/modules/insights/webtest/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iwtcom' +param serviceShort string = 'iwtmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 86286a9daa..2072456778 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -35,8 +35,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/key-vault.vault:1.0.0`. - [Accesspolicies](#example-1-accesspolicies) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) ### Example 1: _Accesspolicies_ @@ -226,7 +226,59 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {

-### Example 2: _Using large parameter set_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kvvmin' + params: { + // Required parameters + name: 'kvvmin002' + // Non-required parameters + enableDefaultTelemetry: '' + enablePurgeProtection: false + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "kvvmin002" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -237,10 +289,10 @@ This instance deploys the module with most of its features enabled. ```bicep module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvcom' + name: '${uniqueString(deployment().name, location)}-test-kvvmax' params: { // Required parameters - name: 'kvvcom002' + name: 'kvvmax002' // Non-required parameters diagnosticSettings: [ { @@ -377,7 +429,7 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "kvvcom002" + "value": "kvvmax002" }, "diagnosticSettings": { "value": [ @@ -528,58 +580,6 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kvvmin' - params: { - // Required parameters - name: 'kvvmin002' - // Non-required parameters - enableDefaultTelemetry: '' - enablePurgeProtection: false - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "kvvmin002" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "enablePurgeProtection": { - "value": false - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/key-vault/vault/tests/e2e/common/dependencies.bicep b/modules/key-vault/vault/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/key-vault/vault/tests/e2e/common/dependencies.bicep rename to modules/key-vault/vault/tests/e2e/max/dependencies.bicep diff --git a/modules/key-vault/vault/tests/e2e/common/main.test.bicep b/modules/key-vault/vault/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/key-vault/vault/tests/e2e/common/main.test.bicep rename to modules/key-vault/vault/tests/e2e/max/main.test.bicep index 9ac36ee683..16392f9744 100644 --- a/modules/key-vault/vault/tests/e2e/common/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvcom' +param serviceShort string = 'kvvmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 31bd67803a..34c51d8bc7 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md 
@@ -27,12 +27,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.extension:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.
@@ -41,38 +41,16 @@ This instance deploys the module with most of its features enabled. ```bicep module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcecom' + name: '${uniqueString(deployment().name, location)}-test-kcemin' params: { // Required parameters clusterName: '' extensionType: 'microsoft.flux' - name: 'kcecom001' + name: 'kcemin001' // Non-required parameters - configurationSettings: { - 'image-automation-controller.enabled': 'false' - 'image-reflector-controller.enabled': 'false' - 'kustomize-controller.enabled': 'true' - 'notification-controller.enabled': 'false' - 'source-controller.enabled': 'true' - } enableDefaultTelemetry: '' - fluxConfigurations: [ - { - gitRepository: { - repositoryRef: { - branch: 'main' - } - sshKnownHosts: '' - syncIntervalInSeconds: 300 - timeoutInSeconds: 180 - url: 'https://github.com/mspnp/aks-baseline' - } - namespace: 'flux-system' - } - ] releaseNamespace: 'flux-system' releaseTrain: 'Stable' - version: '0.5.2' } } ``` 
@@ -97,45 +75,17 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { "value": "microsoft.flux" }, "name": { - "value": "kcecom001" + "value": "kcemin001" }, // Non-required parameters - "configurationSettings": { - "value": { - "image-automation-controller.enabled": "false", - "image-reflector-controller.enabled": "false", - "kustomize-controller.enabled": "true", - "notification-controller.enabled": "false", - "source-controller.enabled": "true" - } - }, "enableDefaultTelemetry": { "value": "" }, - "fluxConfigurations": { - "value": [ - { - "gitRepository": { - "repositoryRef": { - "branch": "main" - }, - "sshKnownHosts": "", - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 180, - "url": "https://github.com/mspnp/aks-baseline" - }, - "namespace": "flux-system" - } - ] - }, "releaseNamespace": { "value": "flux-system" }, "releaseTrain": { "value": "Stable" - }, - "version": { - "value": "0.5.2" } } } @@ -144,9 +94,9 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = {

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -155,16 +105,38 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcemin' + name: '${uniqueString(deployment().name, location)}-test-kcemax' params: { // Required parameters clusterName: '' extensionType: 'microsoft.flux' - name: 'kcemin001' + name: 'kcemax001' // Non-required parameters + configurationSettings: { + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'false' + 'source-controller.enabled': 'true' + } enableDefaultTelemetry: '' + fluxConfigurations: [ + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + namespace: 'flux-system' + } + ] releaseNamespace: 'flux-system' releaseTrain: 'Stable' + version: '0.5.2' } } ``` 
@@ -189,17 +161,45 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { "value": "microsoft.flux" }, "name": { - "value": "kcemin001" + "value": "kcemax001" }, // Non-required parameters + "configurationSettings": { + "value": { + "image-automation-controller.enabled": "false", + "image-reflector-controller.enabled": "false", + "kustomize-controller.enabled": "true", + "notification-controller.enabled": "false", + "source-controller.enabled": "true" + } + }, "enableDefaultTelemetry": { "value": "" }, + "fluxConfigurations": { + "value": [ + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + }, + "namespace": "flux-system" + } + ] + }, "releaseNamespace": { "value": "flux-system" }, "releaseTrain": { "value": "Stable" + }, + "version": { + "value": "0.5.2" } } } diff --git a/modules/kubernetes-configuration/extension/tests/e2e/common/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/extension/tests/e2e/common/dependencies.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/max/dependencies.bicep diff --git a/modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep rename to modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep index 18a74931cd..c371a3c0d2 100644 --- a/modules/kubernetes-configuration/extension/tests/e2e/common/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.exte
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcecom'
+param serviceShort string = 'kcemax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md
index ac523aecce..22030b57cc 100644
--- a/modules/kubernetes-configuration/flux-configuration/README.md
+++ b/modules/kubernetes-configuration/flux-configuration/README.md
@@ -27,12 +27,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.
@@ -41,11 +41,11 @@ This instance deploys the module with most of its features enabled. ```bicep module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcfccom' + name: '${uniqueString(deployment().name, location)}-test-kcfcmin' params: { // Required parameters clusterName: '' - name: 'kcfccom001' + name: 'kcfcmin001' namespace: 'flux-system' sourceKind: 'GitRepository' // Non-required parameters @@ -59,16 +59,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } } } ``` @@ -90,7 +80,7 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "value": "" }, "name": { - "value": "kcfccom001" + "value": "kcfcmin001" }, "namespace": { "value": "flux-system" @@ -112,18 +102,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" } - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } } } } @@ -132,9 +110,9 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -143,11 +121,11 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-kcfcmin' + name: '${uniqueString(deployment().name, location)}-test-kcfcmax' params: { // Required parameters clusterName: '' - name: 'kcfcmin001' + name: 'kcfcmax001' namespace: 'flux-system' sourceKind: 'GitRepository' // Non-required parameters @@ -161,6 +139,16 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } } } ``` @@ -182,7 +170,7 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "value": "" }, "name": { - "value": "kcfcmin001" + "value": "kcfcmax001" }, "namespace": { "value": "flux-system" @@ -204,6 +192,18 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" } + }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } } } } diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/kubernetes-configuration/flux-configuration/tests/e2e/common/dependencies.bicep rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/max/dependencies.bicep 
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep
rename to modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
index 356c8be9f9..9a9c757de1 100644
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/common/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.flux
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kcfccom'
+param serviceShort string = 'kcfcmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md
index b60f3509e9..ab3cbde145 100644
--- a/modules/logic/workflow/README.md
+++ b/modules/logic/workflow/README.md
@@ -41,10 +41,10 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-lwcom'
+ name: '${uniqueString(deployment().name, location)}-test-lwmax'
 params: {
 // Required parameters
- name: 'lwcom001'
+ name: 'lwmax001'
 // Non-required parameters
 diagnosticSettings: [
 {
@@ -131,7 +131,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "lwcom001"
+ "value": "lwmax001"
 },
 // Non-required parameters
 "diagnosticSettings": {
diff --git a/modules/logic/workflow/tests/e2e/common/dependencies.bicep b/modules/logic/workflow/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/logic/workflow/tests/e2e/common/dependencies.bicep
rename to modules/logic/workflow/tests/e2e/max/dependencies.bicep
diff --git a/modules/logic/workflow/tests/e2e/common/main.test.bicep b/modules/logic/workflow/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/logic/workflow/tests/e2e/common/main.test.bicep
rename to modules/logic/workflow/tests/e2e/max/main.test.bicep
index 62b7f8b0fb..5ab05e3420 100644
--- a/modules/logic/workflow/tests/e2e/common/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceSho
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'lwcom'
+param serviceShort string = 'lwmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 614646f1ef..e40a7da849 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -31,11 +31,216 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/machine-learning-services.workspace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mlswmin' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswmin001' + sku: 'Basic' + // Non-required parameters + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: true + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswmin001" + }, + "sku": { + "value": "Basic" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mlswecr' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswecr001' + sku: 'Basic' + // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'amlworkspace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswecr001" + }, + "sku": { + "value": "Basic" + }, + // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentity": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "amlworkspace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -46,13 +251,13 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswcom' + name: '${uniqueString(deployment().name, location)}-test-mlswmax' params: { // Required parameters associatedApplicationInsightsResourceId: '' associatedKeyVaultResourceId: '' associatedStorageAccountResourceId: '' - name: 'mlswcom001' + name: 'mlswmax001' sku: 'Premium' // Non-required parameters computes: [ @@ -166,7 +371,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = "value": "" }, "name": { - "value": "mlswcom001" + "value": "mlswmax001" }, "sku": { "value": "Premium" @@ -287,211 +492,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswmin' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswmin001' - sku: 'Basic' - // Non-required parameters - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: true - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswmin001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mlswecr' - params: { - // Required parameters - associatedApplicationInsightsResourceId: '' - associatedKeyVaultResourceId: '' - associatedStorageAccountResourceId: '' - name: 'mlswecr001' - sku: 'Basic' - // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourcesIds: [ - '' - ] - } - primaryUserAssignedIdentity: '' - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'amlworkspace' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "associatedApplicationInsightsResourceId": { - "value": "" - }, - "associatedKeyVaultResourceId": { - "value": "" - }, - "associatedStorageAccountResourceId": { - "value": "" - }, - "name": { - "value": "mlswecr001" - }, - "sku": { - "value": "Basic" - }, - // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourcesIds": [ - "" - ] - } - }, - "primaryUserAssignedIdentity": { - "value": "" - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "amlworkspace", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/machine-learning-services/workspace/tests/e2e/common/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/machine-learning-services/workspace/tests/e2e/common/dependencies.bicep rename to modules/machine-learning-services/workspace/tests/e2e/max/dependencies.bicep diff --git a/modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep rename to modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep index 73b10cd0a9..ba4a782be3 100644 --- a/modules/machine-learning-services/workspace/tests/e2e/common/main.test.bicep +++ b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.work param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mlswcom' +param serviceShort string = 'mlswmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index ddce26921e..187dac5dc9 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/maintenance.maintenance-configuration:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mmcmin' + params: { + // Required parameters + name: 'mmcmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "mmcmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mmccom' + name: '${uniqueString(deployment().name, location)}-test-mmcmax' params: { // Required parameters - name: 'mmccom001' + name: 'mmcmax001' // Non-required parameters enableDefaultTelemetry: '' extensionProperties: { @@ -76,7 +124,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config startDateTime: '2022-12-31 13:00' timeZone: 'W. Europe Standard Time' } - namespace: 'mmccomns' + namespace: 'mmcmaxns' roleAssignments: [ { principalId: '' @@ -108,7 +156,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config "parameters": { // Required parameters "name": { - "value": "mmccom001" + "value": "mmcmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -153,7 +201,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config } }, "namespace": { - "value": "mmccomns" + "value": "mmcmaxns" }, "roleAssignments": { "value": [ @@ -181,54 +229,6 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-mmcmin' - params: { - // Required parameters - name: 'mmcmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "mmcmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/common/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/maintenance/maintenance-configuration/tests/e2e/common/dependencies.bicep rename to modules/maintenance/maintenance-configuration/tests/e2e/max/dependencies.bicep diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep rename to modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep index fb851eaaad..980dcf5100 100644 --- a/modules/maintenance/maintenance-configuration/tests/e2e/common/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mmccom' +param serviceShort string = 'mmcmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index c2fdf977aa..d76e767ebe 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md 
@@ -27,10 +27,50 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/managed-identity.user-assigned-identity:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-miuaimin' + params: { + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,7 +81,7 @@ This instance deploys the module with most of its features enabled. ```bicep module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaicom' + name: '${uniqueString(deployment().name, location)}-test-miuaimax' params: { enableDefaultTelemetry: '' federatedIdentityCredentials: [ @@ -50,7 +90,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide 'api://AzureADTokenExchange' ] issuer: '' - name: 'test-fed-cred-miuaicom-001' + name: 'test-fed-cred-miuaimax-001' subject: 'system:serviceaccount:default:workload-identity-sa' } ] @@ -58,7 +98,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide kind: 'CanNotDelete' name: 'myCustomLockName' } - name: 'miuaicom001' + name: 'miuaimax001' roleAssignments: [ { principalId: '' @@ -97,7 +137,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide "api://AzureADTokenExchange" ], "issuer": "", - "name": "test-fed-cred-miuaicom-001", + "name": "test-fed-cred-miuaimax-001", "subject": "system:serviceaccount:default:workload-identity-sa" } ] @@ -109,7 +149,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide } }, "name": { - "value": "miuaicom001" + "value": "miuaimax001" }, "roleAssignments": { "value": [ @@ -134,46 +174,6 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaimin' - params: { - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/common/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/managed-identity/user-assigned-identity/tests/e2e/common/dependencies.bicep rename to modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep rename to modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index 52feac412b..bd4e76dc48 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/common/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassigned param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaicom' +param serviceShort string = 'miuaimax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index 23aac725b0..472774ac03 100644 --- a/modules/managed-services/registration-definition/README.md +++ b/modules/managed-services/registration-definition/README.md 
@@ -44,7 +44,7 @@ This instance deploys the module with most of its features enabled. ```bicep module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-msrdcom' + name: '${uniqueString(deployment().name)}-test-msrdmax' params: { // Required parameters authorizations: [ @@ -65,7 +65,7 @@ module registrationDefinition 'br:bicep/modules/managed-services.registration-de } ] managedByTenantId: '<< SET YOUR TENANT ID HERE >>' - name: 'Component Validation - msrdcom Subscription assignment' + name: 'Component Validation - msrdmax Subscription assignment' registrationDescription: 'Managed by Lighthouse' // Non-required parameters enableDefaultTelemetry: '' @@ -109,7 +109,7 @@ module registrationDefinition 'br:bicep/modules/managed-services.registration-de "value": "<< SET YOUR TENANT ID HERE >>" }, "name": { - "value": "Component Validation - msrdcom Subscription assignment" + "value": "Component Validation - msrdmax Subscription assignment" }, "registrationDescription": { "value": "Managed by Lighthouse" diff --git a/modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep similarity index 97% rename from modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep rename to modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep index b67dda3414..09e848751a 100644 --- a/modules/managed-services/registration-definition/tests/e2e/common/main.test.bicep +++ b/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep 
@@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'msrdcom' +param serviceShort string = 'msrdmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index cba016ed6e..38c1b4d408 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -29,12 +29,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/management.management-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -43,14 +43,12 @@ This instance deploys the module with most of its features enabled. ```bicep module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-mmgcom' + name: '${uniqueString(deployment().name)}-test-mmgmin' params: { // Required parameters - name: 'mmgcom001' + name: 'mmgmin001' // Non-required parameters - displayName: 'Test MG' enableDefaultTelemetry: '' - parentId: '' } } ``` @@ -69,17 +67,11 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "mmgcom001" + "value": "mmgmin001" }, // Non-required parameters - "displayName": { - "value": "Test MG" - }, "enableDefaultTelemetry": { "value": "" - }, - "parentId": { - "value": "" } } } @@ -88,9 +80,9 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -99,12 +91,14 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-mmgmin' + name: '${uniqueString(deployment().name)}-test-mmgmax' params: { // Required parameters - name: 'mmgmin001' + name: 'mmgmax001' // Non-required parameters + displayName: 'Test MG' enableDefaultTelemetry: '' + parentId: '' } } ``` @@ -123,11 +117,17 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "mmgmin001" + "value": "mmgmax001" }, // Non-required parameters + "displayName": { + "value": "Test MG" + }, "enableDefaultTelemetry": { "value": "" + }, + "parentId": { + "value": "" } } } diff --git a/modules/management/management-group/tests/e2e/common/main.test.bicep b/modules/management/management-group/tests/e2e/max/main.test.bicep similarity index 96% rename from modules/management/management-group/tests/e2e/common/main.test.bicep rename to modules/management/management-group/tests/e2e/max/main.test.bicep index f3102c6bd1..41256aa624 100644 --- a/modules/management/management-group/tests/e2e/common/main.test.bicep +++ b/modules/management/management-group/tests/e2e/max/main.test.bicep @@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mmgcom' +param serviceShort string = 'mmgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index 5aedf8a85a..feb78de452 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -37,10 +37,10 @@ This instance deploys the module with most of its features enabled. ```bicep module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpcom' + name: '${uniqueString(deployment().name, location)}-test-nagwafpmax' params: { // Required parameters - name: 'nagwafpcom001' + name: 'nagwafpmax001' // Non-required parameters enableDefaultTelemetry: '' managedRules: { @@ -85,7 +85,7 @@ module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network. "parameters": { // Required parameters "name": { - "value": "nagwafpcom001" + "value": "nagwafpmax001" }, // Non-required parameters "enableDefaultTelemetry": { diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep rename to modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep index 840235eeab..a06afa8f68 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/common/main.test.bicep +++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWe param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpcom' +param serviceShort string = 'nagwafpmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 537f6059d0..853769d2f6 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -42,7 +42,7 @@ This instance deploys the module with most of its features enabled. ```bicep module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagcom' + name: '${uniqueString(deployment().name, location)}-test-nagmax' params: { // Required parameters name: '' diff --git a/modules/network/application-gateway/tests/e2e/common/dependencies.bicep b/modules/network/application-gateway/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/application-gateway/tests/e2e/common/dependencies.bicep rename to modules/network/application-gateway/tests/e2e/max/dependencies.bicep diff --git a/modules/network/application-gateway/tests/e2e/common/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/application-gateway/tests/e2e/common/main.test.bicep rename to modules/network/application-gateway/tests/e2e/max/main.test.bicep index 0887af87a0..9359135a3f 100644 --- a/modules/network/application-gateway/tests/e2e/common/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagcom' +param serviceShort string = 'nagmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index ad28b030eb..37e573fa66 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -39,10 +39,10 @@ This instance deploys the module with most of its features enabled. ```bicep module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nasgcom' + name: '${uniqueString(deployment().name, location)}-test-nasgmax' params: { // Required parameters - name: 'nasgcom001' + name: 'nasgmax001' // Non-required parameters enableDefaultTelemetry: '' lock: { @@ -79,7 +79,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g "parameters": { // Required parameters "name": { - "value": "nasgcom001" + "value": "nasgmax001" }, // Non-required parameters "enableDefaultTelemetry": { diff --git a/modules/network/application-security-group/tests/e2e/common/dependencies.bicep b/modules/network/application-security-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/application-security-group/tests/e2e/common/dependencies.bicep rename to modules/network/application-security-group/tests/e2e/max/dependencies.bicep 
diff --git a/modules/network/application-security-group/tests/e2e/common/main.test.bicep b/modules/network/application-security-group/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/application-security-group/tests/e2e/common/main.test.bicep rename to modules/network/application-security-group/tests/e2e/max/main.test.bicep index f359964862..338980479c 100644 --- a/modules/network/application-security-group/tests/e2e/common/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecurityg param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nasgcom' +param serviceShort string = 'nasgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index f5d0409b80..2f41e39161 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md 
@@ -29,11 +29,11 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.azure-firewall:1.0.0`. - [Addpip](#example-1-addpip) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Custompip](#example-3-custompip) -- [Using only defaults](#example-4-using-only-defaults) -- [Hubcommon](#example-5-hubcommon) -- [Hubmin](#example-6-hubmin) +- [Custompip](#example-2-custompip) +- [Using only defaults](#example-3-using-only-defaults) +- [Hubcommon](#example-4-hubcommon) +- [Hubmin](#example-5-hubmin) +- [Using large parameter set](#example-6-using-large-parameter-set) ### Example 1: _Addpip_ @@ -136,10 +136,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - +### Example 2: _Custompip_

@@ -147,130 +144,46 @@ This instance deploys the module with most of its features enabled. ```bicep module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafcom' + name: '${uniqueString(deployment().name, location)}-test-nafcstpip' params: { // Required parameters - name: 'nafcom001' + name: 'nafcstpip001' // Non-required parameters - applicationRuleCollections: [ - { - name: 'allow-app-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ - { - fqdnTags: [ - 'AppServiceEnvironment' - 'WindowsUpdate' - ] - name: 'allow-ase-tags' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - } - { - name: 'allow-ase-management' - protocols: [ - { - port: '80' - protocolType: 'HTTP' - } - { - port: '443' - protocolType: 'HTTPS' - } - ] - sourceAddresses: [ - '*' - ] - targetFqdns: [ - 'bing.com' - ] - } - ] - } - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - networkRuleCollections: [ - { - name: 'allow-network-rules' - properties: { - action: { - type: 'allow' - } - priority: 100 - rules: [ + publicIPAddressObject: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ { - destinationAddresses: [ - '*' - ] - destinationPorts: [ - '12000' - '123' - ] - name: 'allow-ntp' - protocols: [ - 'Any' - ] - sourceAddresses: [ - '*' - ] + category: 'AllMetrics' } ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' } - } - ] - publicIPResourceID: '' - roleAssignments: [ - { - principalId: '' - principalType: 
'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] + ] + name: 'new-pip-nafcstpip' + publicIPAllocationMethod: 'Static' + publicIPPrefixResourceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + skuTier: 'Regional' + } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } vNetId: '' - zones: [ - '1' - '2' - '3' - ] } } ``` 
@@ -289,241 +202,26 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nafcom001" + "value": "nafcstpip001" }, // Non-required parameters - "applicationRuleCollections": { - "value": [ - { - "name": "allow-app-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ - { - "fqdnTags": [ - "AppServiceEnvironment", - "WindowsUpdate" - ], - "name": "allow-ase-tags", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ] - }, - { - "name": "allow-ase-management", - "protocols": [ - { - "port": "80", - "protocolType": "HTTP" - }, - { - "port": "443", - "protocolType": "HTTPS" - } - ], - "sourceAddresses": [ - "*" - ], - "targetFqdns": [ - "bing.com" - ] - } - ] - } - } - ] - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, "enableDefaultTelemetry": { "value": "" }, - "lock": { + "publicIPAddressObject": { "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "networkRuleCollections": { - "value": [ - { - "name": "allow-network-rules", - "properties": { - "action": { - "type": "allow" - }, - "priority": 100, - "rules": [ + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ { - "destinationAddresses": [ - "*" - ], - "destinationPorts": [ - "12000", - "123" - ], - "name": "allow-ntp", - "protocols": [ - "Any" - ], - "sourceAddresses": [ - "*" - ] + "category": "AllMetrics" } - ] - } - } - ] - }, - "publicIPResourceID": { - "value": "" - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", 
- "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "vNetId": { - "value": "" - }, - "zones": { - "value": [ - "1", - "2", - "3" - ] - } - } -} -``` - -
-

- -### Example 3: _Custompip_ - -

- -via Bicep module - -```bicep -module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nafcstpip' - params: { - // Required parameters - name: 'nafcstpip001' - // Non-required parameters - enableDefaultTelemetry: '' - publicIPAddressObject: { - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - name: 'new-pip-nafcstpip' - publicIPAllocationMethod: 'Static' - publicIPPrefixResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Standard' - skuTier: 'Regional' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - vNetId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nafcstpip001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "publicIPAddressObject": { - "value": { - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" } ], "name": "new-pip-nafcstpip", @@ -557,7 +255,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 4: _Using only defaults_ +### Example 3: _Using only defaults_ This instance deploys the module with the minimum set of required parameters. @@ -609,7 +307,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 5: _Hubcommon_ +### Example 4: _Hubcommon_

@@ -686,7 +384,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

-### Example 6: _Hubmin_ +### Example 5: _Hubmin_

@@ -747,6 +445,308 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

+### Example 6: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + + +

+ +via Bicep module + +```bicep +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nafmax' + params: { + // Required parameters + name: 'nafmax001' + // Non-required parameters + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + name: 'allow-ase-tags' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + } + { + name: 'allow-ase-management' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + targetFqdns: [ + 'bing.com' + ] + } + ] + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '12000' + '123' + ] + name: 'allow-ntp' + protocols: [ + 'Any' + ] + sourceAddresses: [ + '*' + ] + } + ] + } + } + ] + publicIPResourceID: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vNetId: '' + zones: [ + '1' + '2' + '3' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nafmax001" + }, + // Non-required parameters + "applicationRuleCollections": { + "value": [ + { + "name": "allow-app-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "fqdnTags": [ + "AppServiceEnvironment", + "WindowsUpdate" + ], + "name": "allow-ase-tags", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ] + }, + { + "name": "allow-ase-management", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ], + "targetFqdns": [ + "bing.com" + ] + } + ] + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkRuleCollections": { + "value": [ + { + "name": "allow-network-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "destinationAddresses": [ + "*" + ], + "destinationPorts": [ + "12000", + "123" + ], + "name": "allow-ntp", + "protocols": [ + "Any" + ], + "sourceAddresses": [ + "*" + ] + } + ] + } + } + ] + }, + "publicIPResourceID": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + 
"hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vNetId": { + "value": "" + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/azure-firewall/tests/e2e/common/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/azure-firewall/tests/e2e/common/dependencies.bicep rename to modules/network/azure-firewall/tests/e2e/max/dependencies.bicep diff --git a/modules/network/azure-firewall/tests/e2e/common/main.test.bicep b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/azure-firewall/tests/e2e/common/main.test.bicep rename to modules/network/azure-firewall/tests/e2e/max/main.test.bicep index f3df185bc3..654c2e950c 100644 --- a/modules/network/azure-firewall/tests/e2e/common/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nafcom' +param serviceShort string = 'nafmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 625f27b070..06e8704806 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md 
@@ -28,149 +28,11 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.bastion-host:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Custompip](#example-2-custompip) -- [Using only defaults](#example-3-using-only-defaults) +- [Custompip](#example-1-custompip) +- [Using only defaults](#example-2-using-only-defaults) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nbhcom' - params: { - // Required parameters - name: 'nbhcom001' - vNetId: '' - // Non-required parameters - bastionSubnetPublicIpResourceId: '' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - disableCopyPaste: true - enableDefaultTelemetry: '' - enableFileCopy: false - enableIpConnect: false - enableShareableLink: false - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - scaleUnits: 4 - skuName: 'Standard' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nbhcom001" - }, - "vNetId": { - "value": "" - }, - // Non-required parameters - "bastionSubnetPublicIpResourceId": { - "value": "" - }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, - "disableCopyPaste": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "enableFileCopy": { - "value": false - }, - "enableIpConnect": { - "value": false - }, - "enableShareableLink": { - "value": false - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "scaleUnits": { - "value": 4 - }, - "skuName": { - "value": "Standard" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- -### Example 2: _Custompip_ +### Example 1: _Custompip_

@@ -299,7 +161,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {

-### Example 3: _Using only defaults_
+### Example 2: _Using only defaults_
 This instance deploys the module with the minimum set of required parameters.
@@ -351,6 +213,144 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {

+### Example 3: _Using large parameter set_
+
+This instance deploys the module with most of its features enabled.
+
+
+

+ +via Bicep module + +```bicep +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nbhmax' + params: { + // Required parameters + name: 'nbhmax001' + vNetId: '' + // Non-required parameters + bastionSubnetPublicIpResourceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableCopyPaste: true + enableDefaultTelemetry: '' + enableFileCopy: false + enableIpConnect: false + enableShareableLink: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scaleUnits: 4 + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nbhmax001" + }, + "vNetId": { + "value": "" + }, + // Non-required parameters + "bastionSubnetPublicIpResourceId": { + "value": "" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableCopyPaste": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableFileCopy": { + "value": false + }, + "enableIpConnect": { + "value": false + }, + "enableShareableLink": { + "value": false + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scaleUnits": { + "value": 4 + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/bastion-host/tests/e2e/common/dependencies.bicep b/modules/network/bastion-host/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/bastion-host/tests/e2e/common/dependencies.bicep rename to modules/network/bastion-host/tests/e2e/max/dependencies.bicep diff --git a/modules/network/bastion-host/tests/e2e/common/main.test.bicep b/modules/network/bastion-host/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/bastion-host/tests/e2e/common/main.test.bicep rename to modules/network/bastion-host/tests/e2e/max/main.test.bicep index 7fe1474be5..c601028796 100644 --- a/modules/network/bastion-host/tests/e2e/common/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nbhcom' +param serviceShort string = 'nbhmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index c8ba05f4e5..1ccac70c5a 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ddos-protection-plan:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.

@@ -40,28 +40,12 @@ This instance deploys the module with most of its features enabled. ```bicep module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndppcom' + name: '${uniqueString(deployment().name, location)}-test-ndppmin' params: { // Required parameters - name: 'ndppcom001' + name: 'ndppmin001' // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -80,33 +64,11 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "parameters": { // Required parameters "name": { - "value": "ndppcom001" + "value": "ndppmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -115,9 +77,9 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0'

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -126,12 +88,28 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndppmin' + name: '${uniqueString(deployment().name, location)}-test-ndppmax' params: { // Required parameters - name: 'ndppmin001' + name: 'ndppmax001' // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -150,11 +128,33 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "parameters": { // Required parameters "name": { - "value": "ndppmin001" + "value": "ndppmax001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/network/ddos-protection-plan/tests/e2e/common/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/ddos-protection-plan/tests/e2e/common/dependencies.bicep rename to modules/network/ddos-protection-plan/tests/e2e/max/dependencies.bicep 
diff --git a/modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep rename to modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep index 2c1359047b..5ef4541d51 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/common/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndppcom' +param serviceShort string = 'ndppmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 1010b3a887..43d21c8605 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -30,10 +30,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-forwarding-ruleset:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndfrsmin' + params: { + // Required parameters + dnsResolverOutboundEndpointResourceIds: [ + '' + ] + name: 'ndfrsmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "dnsResolverOutboundEndpointResourceIds": { + "value": [ + "" + ] + }, + "name": { + "value": "ndfrsmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -44,13 +100,13 @@ This instance deploys the module with most of its features enabled. ```bicep module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrscom' + name: '${uniqueString(deployment().name, location)}-test-ndfrsmax' params: { // Required parameters dnsResolverOutboundEndpointResourceIds: [ '' ] - name: 'ndfrscom001' + name: 'ndfrsmax001' // Non-required parameters enableDefaultTelemetry: '' forwardingRules: [ @@ -108,7 +164,7 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 ] }, "name": { - "value": "ndfrscom001" + "value": "ndfrsmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -163,62 +219,6 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
-
-

- -via Bicep module - -```bicep -module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndfrsmin' - params: { - // Required parameters - dnsResolverOutboundEndpointResourceIds: [ - '' - ] - name: 'ndfrsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "dnsResolverOutboundEndpointResourceIds": { - "value": [ - "" - ] - }, - "name": { - "value": "ndfrsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/common/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/dns-forwarding-ruleset/tests/e2e/common/dependencies.bicep rename to modules/network/dns-forwarding-ruleset/tests/e2e/max/dependencies.bicep diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep rename to modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep index 913a1ce9c5..62b410d4e1 100644 --- a/modules/network/dns-forwarding-ruleset/tests/e2e/common/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndfrscom' +param serviceShort string = 'ndfrsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 1b22bfc083..99f030c8b2 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md 
@@ -43,10 +43,10 @@ This instance deploys the module with most of its features enabled. ```bicep module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndrcom' + name: '${uniqueString(deployment().name, location)}-test-ndrmax' params: { // Required parameters - name: 'ndrcom001' + name: 'ndrmax001' virtualNetworkId: '' // Non-required parameters enableDefaultTelemetry: '' @@ -85,7 +85,7 @@ module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "ndrcom001" + "value": "ndrmax001" }, "virtualNetworkId": { "value": "" diff --git a/modules/network/dns-resolver/tests/e2e/common/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/dns-resolver/tests/e2e/common/dependencies.bicep rename to modules/network/dns-resolver/tests/e2e/max/dependencies.bicep diff --git a/modules/network/dns-resolver/tests/e2e/common/main.test.bicep b/modules/network/dns-resolver/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/dns-resolver/tests/e2e/common/main.test.bicep rename to modules/network/dns-resolver/tests/e2e/max/main.test.bicep index d9faf2551d..a15b78dbf0 100644 --- a/modules/network/dns-resolver/tests/e2e/common/main.test.bicep +++ b/modules/network/dns-resolver/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndrcom' +param serviceShort string = 'ndrmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 425088daa7..23651a2aa3 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -38,10 +38,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-zone:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndzmin' + params: { + // Required parameters + name: 'ndzmin001.com' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndzmin001.com" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -52,10 +100,10 @@ This instance deploys the module with most of its features enabled. ```bicep module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndzcom' + name: '${uniqueString(deployment().name, location)}-test-ndzmax' params: { // Required parameters - name: 'ndzcom001.com' + name: 'ndzmax001.com' // Non-required parameters a: [ { @@ -241,7 +289,7 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "ndzcom001.com" + "value": "ndzmax001.com" }, // Non-required parameters "a": { @@ -441,54 +489,6 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = {

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
-
-

- -via Bicep module - -```bicep -module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ndzmin' - params: { - // Required parameters - name: 'ndzmin001.com' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ndzmin001.com" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/dns-zone/tests/e2e/common/dependencies.bicep b/modules/network/dns-zone/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/dns-zone/tests/e2e/common/dependencies.bicep rename to modules/network/dns-zone/tests/e2e/max/dependencies.bicep diff --git a/modules/network/dns-zone/tests/e2e/common/main.test.bicep b/modules/network/dns-zone/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/dns-zone/tests/e2e/common/main.test.bicep rename to modules/network/dns-zone/tests/e2e/max/main.test.bicep index 3e055fc5de..f1ec3b4b4a 100644 --- a/modules/network/dns-zone/tests/e2e/common/main.test.bicep +++ b/modules/network/dns-zone/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndzcom' +param serviceShort string = 'ndzmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 3372a9e824..125ba3bbb9 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md 
@@ -27,10 +27,70 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-circuit:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nercmin' + params: { + // Required parameters + bandwidthInMbps: 50 + name: 'nercmin001' + peeringLocation: 'Amsterdam' + serviceProviderName: 'Equinix' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "bandwidthInMbps": { + "value": 50 + }, + "name": { + "value": "nercmin001" + }, + "peeringLocation": { + "value": "Amsterdam" + }, + "serviceProviderName": { + "value": "Equinix" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,11 +101,11 @@ This instance deploys the module with most of its features enabled. ```bicep module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nerccom' + name: '${uniqueString(deployment().name, location)}-test-nercmax' params: { // Required parameters bandwidthInMbps: 50 - name: 'nerccom001' + name: 'nercmax001' peeringLocation: 'Amsterdam' serviceProviderName: 'Equinix' // Non-required parameters @@ -104,7 +164,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 "value": 50 }, "name": { - "value": "nerccom001" + "value": "nercmax001" }, "peeringLocation": { "value": "Amsterdam" @@ -170,66 +230,6 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
-
-

- -via Bicep module - -```bicep -module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nercmin' - params: { - // Required parameters - bandwidthInMbps: 50 - name: 'nercmin001' - peeringLocation: 'Amsterdam' - serviceProviderName: 'Equinix' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "bandwidthInMbps": { - "value": 50 - }, - "name": { - "value": "nercmin001" - }, - "peeringLocation": { - "value": "Amsterdam" - }, - "serviceProviderName": { - "value": "Equinix" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/express-route-circuit/tests/e2e/common/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/express-route-circuit/tests/e2e/common/dependencies.bicep rename to modules/network/express-route-circuit/tests/e2e/max/dependencies.bicep diff --git a/modules/network/express-route-circuit/tests/e2e/common/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/express-route-circuit/tests/e2e/common/main.test.bicep rename to modules/network/express-route-circuit/tests/e2e/max/main.test.bicep index c53f6dd157..3243abdb14 100644 --- a/modules/network/express-route-circuit/tests/e2e/common/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nerccom' +param serviceShort string = 'nercmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 60d5d55775..f396c96058 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.express-route-gateway:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.

@@ -40,30 +40,13 @@ This instance deploys the module with most of its features enabled. ```bicep module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nergcom' + name: '${uniqueString(deployment().name, location)}-test-nergmin' params: { // Required parameters - name: 'nergcom001' + name: 'nergmin001' virtualHubId: '' // Non-required parameters - autoScaleConfigurationBoundsMax: 3 - autoScaleConfigurationBoundsMin: 2 enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - hello: 'world' - 'hidden-title': 'This is visible in the resource name' - } } } ``` @@ -82,41 +65,14 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 "parameters": { // Required parameters "name": { - "value": "nergcom001" + "value": "nergmin001" }, "virtualHubId": { "value": "" }, // Non-required parameters - "autoScaleConfigurationBoundsMax": { - "value": 3 - }, - "autoScaleConfigurationBoundsMin": { - "value": 2 - }, "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "hello": "world", - "hidden-title": "This is visible in the resource name" - } } } } @@ -125,9 +81,9 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -136,13 +92,30 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nergmin' + name: '${uniqueString(deployment().name, location)}-test-nergmax' params: { // Required parameters - name: 'nergmin001' + name: 'nergmax001' virtualHubId: '' // Non-required parameters + autoScaleConfigurationBoundsMax: 3 + autoScaleConfigurationBoundsMin: 2 enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + hello: 'world' + 'hidden-title': 'This is visible in the resource name' + } } } ``` @@ -161,14 +134,41 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 "parameters": { // Required parameters "name": { - "value": "nergmin001" + "value": "nergmax001" }, "virtualHubId": { "value": "" }, // Non-required parameters + "autoScaleConfigurationBoundsMax": { + "value": 3 + }, + "autoScaleConfigurationBoundsMin": { + "value": 2 + }, "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hello": "world", + "hidden-title": "This is visible in the resource name" + } } } } diff --git a/modules/network/express-route-gateway/tests/e2e/common/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/express-route-gateway/tests/e2e/common/dependencies.bicep rename to modules/network/express-route-gateway/tests/e2e/max/dependencies.bicep 
diff --git a/modules/network/express-route-gateway/tests/e2e/common/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/network/express-route-gateway/tests/e2e/common/main.test.bicep
rename to modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
index e029342eaf..1578837962 100644
--- a/modules/network/express-route-gateway/tests/e2e/common/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nergcom'
+param serviceShort string = 'nergmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md
index 8c99b839b8..1cf5307503 100644
--- a/modules/network/firewall-policy/README.md
+++ b/modules/network/firewall-policy/README.md
@@ -25,10 +25,58 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.firewall-policy:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nfpmin' + params: { + // Required parameters + name: 'nfpmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nfpmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -39,10 +87,10 @@ This instance deploys the module with most of its features enabled. ```bicep module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfpcom' + name: '${uniqueString(deployment().name, location)}-test-nfpmax' params: { // Required parameters - name: 'nfpcom001' + name: 'nfpmax001' // Non-required parameters allowSqlRedirect: true autoLearnPrivateRanges: 'Enabled' @@ -108,7 +156,7 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nfpcom001" + "value": "nfpmax001" }, // Non-required parameters "allowSqlRedirect": { @@ -174,54 +222,6 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfpmin' - params: { - // Required parameters - name: 'nfpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nfpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/network/firewall-policy/tests/e2e/common/main.test.bicep b/modules/network/firewall-policy/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/network/firewall-policy/tests/e2e/common/main.test.bicep
rename to modules/network/firewall-policy/tests/e2e/max/main.test.bicep
index 8d9b770926..880b8de836 100644
--- a/modules/network/firewall-policy/tests/e2e/common/main.test.bicep
+++ b/modules/network/firewall-policy/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${s
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfpcom'
+param serviceShort string = 'nfpmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md
index 09ab8eda51..c12d09f3bf 100644
--- a/modules/network/front-door-web-application-firewall-policy/README.md
+++ b/modules/network/front-door-web-application-firewall-policy/README.md
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwafpmin' + params: { + // Required parameters + name: 'nagwafpmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nagwafpmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpcom' + name: '${uniqueString(deployment().name, location)}-test-nagwafpmax' params: { // Required parameters - name: 'nagwafpcom001' + name: 'nagwafpmax001' // Non-required parameters customRules: { rules: [ @@ -143,7 +191,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo "parameters": { // Required parameters "name": { - "value": "nagwafpcom001" + "value": "nagwafpmax001" }, // Non-required parameters "customRules": { @@ -249,54 +297,6 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nagwafpmin' - params: { - // Required parameters - name: 'nagwafpmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nagwafpmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/front-door-web-application-firewall-policy/tests/e2e/common/dependencies.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep
rename to modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep
index 4018c29860..7bce666da5 100644
--- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/common/main.test.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicat
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nagwafpcom'
+param serviceShort string = 'nagwafpmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md
index 4513ff0e12..02f47b80bd 100644
--- a/modules/network/front-door/README.md
+++ b/modules/network/front-door/README.md
@@ -27,12 +27,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.front-door:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -41,7 +41,7 @@ This instance deploys the module with most of its features enabled. ```bicep module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfdcom' + name: '${uniqueString(deployment().name, location)}-test-nfdmin' params: { // Required parameters backendPools: [ @@ -56,10 +56,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { httpPort: 80 httpsPort: 443 priority: 1 - privateLinkAlias: '' - privateLinkApprovalMessage: '' - privateLinkLocation: '' - privateLinkResourceId: '' weight: 50 } ] @@ -86,8 +82,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { name: 'heathProbe' properties: { - enabledState: '' - healthProbeMethod: '' intervalInSeconds: 60 path: '/' protocol: 'Https' @@ -110,7 +104,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { name: 'routingRule' properties: { acceptedProtocols: [ - 'Http' 'Https' ] enabledState: 'Enabled' @@ -127,31 +120,12 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { backendPool: { id: '' } - forwardingProtocol: 'MatchRequest' } } } ] // Non-required parameters enableDefaultTelemetry: '' - enforceCertificateNameCheck: 'Disabled' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - sendRecvTimeoutSeconds: 10 - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -182,10 +156,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "httpPort": 80, "httpsPort": 443, "priority": 1, - "privateLinkAlias": "", - "privateLinkApprovalMessage": "", - "privateLinkLocation": "", - "privateLinkResourceId": "", "weight": 50 } ], 
@@ -216,8 +186,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { "name": "heathProbe", "properties": { - "enabledState": "", - "healthProbeMethod": "", "intervalInSeconds": 60, "path": "/", "protocol": "Https" @@ -246,7 +214,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "name": "routingRule", "properties": { "acceptedProtocols": [ - "Http", "Https" ], "enabledState": "Enabled", @@ -262,8 +229,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", "backendPool": { "id": "" - }, - "forwardingProtocol": "MatchRequest" + } } } } @@ -272,34 +238,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "enforceCertificateNameCheck": { - "value": "Disabled" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "sendRecvTimeoutSeconds": { - "value": 10 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -308,9 +246,9 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -319,7 +257,7 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nfdmin' + name: '${uniqueString(deployment().name, location)}-test-nfdmax' params: { // Required parameters backendPools: [ @@ -334,6 +272,10 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { httpPort: 80 httpsPort: 443 priority: 1 + privateLinkAlias: '' + privateLinkApprovalMessage: '' + privateLinkLocation: '' + privateLinkResourceId: '' weight: 50 } ] @@ -360,6 +302,8 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { name: 'heathProbe' properties: { + enabledState: '' + healthProbeMethod: '' intervalInSeconds: 60 path: '/' protocol: 'Https' @@ -382,6 +326,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { name: 'routingRule' properties: { acceptedProtocols: [ + 'Http' 'Https' ] enabledState: 'Enabled' @@ -398,12 +343,31 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { backendPool: { id: '' } + forwardingProtocol: 'MatchRequest' } } } ] // Non-required parameters enableDefaultTelemetry: '' + enforceCertificateNameCheck: 'Disabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sendRecvTimeoutSeconds: 10 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -434,6 +398,10 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "httpPort": 80, "httpsPort": 443, "priority": 1, + "privateLinkAlias": "", + "privateLinkApprovalMessage": "", + "privateLinkLocation": "", + "privateLinkResourceId": "", "weight": 50 } ], 
@@ -464,6 +432,8 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { "name": "heathProbe", "properties": { + "enabledState": "", + "healthProbeMethod": "", "intervalInSeconds": 60, "path": "/", "protocol": "Https" @@ -492,6 +462,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "name": "routingRule", "properties": { "acceptedProtocols": [ + "Http", "Https" ], "enabledState": "Enabled", @@ -507,7 +478,8 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", "backendPool": { "id": "" - } + }, + "forwardingProtocol": "MatchRequest" } } } @@ -516,6 +488,34 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "enforceCertificateNameCheck": { + "value": "Disabled" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sendRecvTimeoutSeconds": { + "value": 10 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/network/front-door/tests/e2e/common/dependencies.bicep b/modules/network/front-door/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/front-door/tests/e2e/common/dependencies.bicep rename to modules/network/front-door/tests/e2e/max/dependencies.bicep diff --git a/modules/network/front-door/tests/e2e/common/main.test.bicep b/modules/network/front-door/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/front-door/tests/e2e/common/main.test.bicep rename to modules/network/front-door/tests/e2e/max/main.test.bicep index 0aee4231e3..bb77bb9c3e 100644 
--- a/modules/network/front-door/tests/e2e/common/main.test.bicep
+++ b/modules/network/front-door/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${service
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nfdcom'
+param serviceShort string = 'nfdmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md
index 343b00bb29..36b3fe51fa 100644
--- a/modules/network/ip-group/README.md
+++ b/modules/network/ip-group/README.md
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.ip-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nigmin' + params: { + // Required parameters + name: 'nigmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nigmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nigcom' + name: '${uniqueString(deployment().name, location)}-test-nigmax' params: { // Required parameters - name: 'nigcom001' + name: 'nigmax001' // Non-required parameters enableDefaultTelemetry: '' ipAddresses: [ @@ -84,7 +132,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nigcom001" + "value": "nigmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -125,54 +173,6 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nigmin' - params: { - // Required parameters - name: 'nigmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nigmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters
diff --git a/modules/network/ip-group/tests/e2e/common/dependencies.bicep b/modules/network/ip-group/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/ip-group/tests/e2e/common/dependencies.bicep
rename to modules/network/ip-group/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/ip-group/tests/e2e/common/main.test.bicep b/modules/network/ip-group/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/network/ip-group/tests/e2e/common/main.test.bicep
rename to modules/network/ip-group/tests/e2e/max/main.test.bicep
index 0b461e847f..568ddb0caa 100644
--- a/modules/network/ip-group/tests/e2e/common/main.test.bicep
+++ b/modules/network/ip-group/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceSh
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nigcom'
+param serviceShort string = 'nigmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md
index 21fc7daf46..b747882d68 100644
--- a/modules/network/load-balancer/README.md
+++ b/modules/network/load-balancer/README.md
@@ -30,13 +30,13 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.load-balancer:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Internal](#example-3-internal) +- [Using only defaults](#example-1-using-only-defaults) +- [Internal](#example-2-internal) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -45,7 +45,7 @@ This instance deploys the module with most of its features enabled. ```bicep module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nlbcom' + name: '${uniqueString(deployment().name, location)}-test-nlbmin' params: { // Required parameters frontendIPConfigurations: [ @@ -54,14 +54,70 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { publicIPAddressId: '' } ] - name: 'nlbcom001' + name: 'nlbmin001' // Non-required parameters - backendAddressPools: [ + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "frontendIPConfigurations": { + "value": [ + { + "name": "publicIPConfig1", + "publicIPAddressId": "" + } + ] + }, + "name": { + "value": "nlbmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Internal_ + +

+ +via Bicep module + +```bicep +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlbint' + params: { + // Required parameters + frontendIPConfigurations: [ { - name: 'backendAddressPool1' + name: 'privateIPConfig1' + subnetId: '' } + ] + name: 'nlbint001' + // Non-required parameters + backendAddressPools: [ { - name: 'backendAddressPool2' + name: 'servers' } ] diagnosticSettings: [ @@ -84,7 +140,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { backendPort: 443 enableFloatingIP: false enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' + frontendIPConfigurationName: 'privateIPConfig1' frontendPort: 443 idleTimeoutInMinutes: 4 name: 'inboundNatRule1' 
@@ -92,62 +148,35 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { } { backendPort: 3389 - frontendIPConfigurationName: 'publicIPConfig1' + frontendIPConfigurationName: 'privateIPConfig1' frontendPort: 3389 name: 'inboundNatRule2' } ] loadBalancingRules: [ { - backendAddressPoolName: 'backendAddressPool1' - backendPort: 80 + backendAddressPoolName: 'servers' + backendPort: 0 disableOutboundSnat: true - enableFloatingIP: false + enableFloatingIP: true enableTcpReset: false - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 80 - idleTimeoutInMinutes: 5 + frontendIPConfigurationName: 'privateIPConfig1' + frontendPort: 0 + idleTimeoutInMinutes: 4 loadDistribution: 'Default' - name: 'publicIPLBRule1' + name: 'privateIPLBRule1' probeName: 'probe1' - protocol: 'Tcp' - } - { - backendAddressPoolName: 'backendAddressPool2' - backendPort: 8080 - frontendIPConfigurationName: 'publicIPConfig1' - frontendPort: 8080 - loadDistribution: 'Default' - name: 'publicIPLBRule2' - probeName: 'probe2' - } - ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - outboundRules: [ - { - allocatedOutboundPorts: 63984 - backendAddressPoolName: 'backendAddressPool1' - frontendIPConfigurationName: 'publicIPConfig1' - name: 'outboundRule1' + protocol: 'All' } ] probes: [ { - intervalInSeconds: 10 + intervalInSeconds: 5 name: 'probe1' - numberOfProbes: 5 - port: 80 + numberOfProbes: 2 + port: '62000' protocol: 'Tcp' } - { - name: 'probe2' - port: 443 - protocol: 'Https' - requestPath: '/' - } ] roleAssignments: [ { @@ -156,6 +185,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] + skuName: 'Standard' tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -181,22 +211,19 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { "frontendIPConfigurations": { "value": [ { - "name": "publicIPConfig1", - "publicIPAddressId": "" + "name": "privateIPConfig1", + "subnetId": "" } ] }, "name": { - "value": "nlbcom001" + "value": "nlbint001" }, // Non-required parameters "backendAddressPools": { "value": [ { - "name": "backendAddressPool1" - }, - { - "name": "backendAddressPool2" + "name": "servers" } ] }, @@ -225,7 +252,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { "backendPort": 443, "enableFloatingIP": false, "enableTcpReset": false, - "frontendIPConfigurationName": "publicIPConfig1", + "frontendIPConfigurationName": "privateIPConfig1", "frontendPort": 443, "idleTimeoutInMinutes": 4, "name": "inboundNatRule1", @@ -233,7 +260,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { }, { "backendPort": 3389, - "frontendIPConfigurationName": "publicIPConfig1", + "frontendIPConfigurationName": "privateIPConfig1", "frontendPort": 3389, "name": "inboundNatRule2" } 
@@ -242,60 +269,29 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 "loadBalancingRules": {
 "value": [
 {
- "backendAddressPoolName": "backendAddressPool1",
- "backendPort": 80,
+ "backendAddressPoolName": "servers",
+ "backendPort": 0,
 "disableOutboundSnat": true,
- "enableFloatingIP": false,
+ "enableFloatingIP": true,
 "enableTcpReset": false,
- "frontendIPConfigurationName": "publicIPConfig1",
- "frontendPort": 80,
- "idleTimeoutInMinutes": 5,
+ "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendPort": 0,
+ "idleTimeoutInMinutes": 4,
 "loadDistribution": "Default",
- "name": "publicIPLBRule1",
+ "name": "privateIPLBRule1",
 "probeName": "probe1",
- "protocol": "Tcp"
- },
- {
- "backendAddressPoolName": "backendAddressPool2",
- "backendPort": 8080,
- "frontendIPConfigurationName": "publicIPConfig1",
- "frontendPort": 8080,
- "loadDistribution": "Default",
- "name": "publicIPLBRule2",
- "probeName": "probe2"
- }
- ]
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "outboundRules": {
- "value": [
- {
- "allocatedOutboundPorts": 63984,
- "backendAddressPoolName": "backendAddressPool1",
- "frontendIPConfigurationName": "publicIPConfig1",
- "name": "outboundRule1"
+ "protocol": "All"
 }
 ]
 },
 "probes": {
 "value": [
 {
- "intervalInSeconds": 10,
+ "intervalInSeconds": 5,
 "name": "probe1",
- "numberOfProbes": 5,
- "port": 80,
+ "numberOfProbes": 2,
+ "port": "62000",
 "protocol": "Tcp"
- },
- {
- "name": "probe2",
- "port": 443,
- "protocol": "Https",
- "requestPath": "/"
 }
 ]
 },
@@ -308,6 +304,9 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 }
 ]
 },
+ "skuName": {
+ "value": "Standard"
+ },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
@@ -322,9 +321,9 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {

-### Example 2: _Using only defaults_
+### Example 3: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -333,7 +332,7 @@ This instance deploys the module with the minimum set of required parameters.
 ```bicep
 module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nlbmin'
+ name: '${uniqueString(deployment().name, location)}-test-nlbmax'
 params: {
 // Required parameters
 frontendIPConfigurations: [
@@ -342,70 +341,14 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 publicIPAddressId: ''
 }
 ]
- name: 'nlbmin001'
- // Non-required parameters
- enableDefaultTelemetry: ''
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "frontendIPConfigurations": {
- "value": [
- {
- "name": "publicIPConfig1",
- "publicIPAddressId": ""
- }
- ]
- },
- "name": {
- "value": "nlbmin001"
- },
+ name: 'nlbmax001'
 // Non-required parameters
- "enableDefaultTelemetry": {
- "value": ""
- }
- }
-}
-```
-
-
-

-
-### Example 3: _Internal_
-
-

-
-via Bicep module
-
-```bicep
-module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nlbint'
- params: {
- // Required parameters
- frontendIPConfigurations: [
+ backendAddressPools: [
 {
- name: 'privateIPConfig1'
- subnetId: ''
+ name: 'backendAddressPool1'
 }
- ]
- name: 'nlbint001'
- // Non-required parameters
- backendAddressPools: [
 {
- name: 'servers'
+ name: 'backendAddressPool2'
 }
 ]
 diagnosticSettings: [
@@ -428,7 +371,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 backendPort: 443
 enableFloatingIP: false
 enableTcpReset: false
- frontendIPConfigurationName: 'privateIPConfig1'
+ frontendIPConfigurationName: 'publicIPConfig1'
 frontendPort: 443
 idleTimeoutInMinutes: 4
 name: 'inboundNatRule1'
@@ -436,35 +379,62 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 }
 {
 backendPort: 3389
- frontendIPConfigurationName: 'privateIPConfig1'
+ frontendIPConfigurationName: 'publicIPConfig1'
 frontendPort: 3389
 name: 'inboundNatRule2'
 }
 ]
 loadBalancingRules: [
 {
- backendAddressPoolName: 'servers'
- backendPort: 0
+ backendAddressPoolName: 'backendAddressPool1'
+ backendPort: 80
 disableOutboundSnat: true
- enableFloatingIP: true
+ enableFloatingIP: false
 enableTcpReset: false
- frontendIPConfigurationName: 'privateIPConfig1'
- frontendPort: 0
- idleTimeoutInMinutes: 4
+ frontendIPConfigurationName: 'publicIPConfig1'
+ frontendPort: 80
+ idleTimeoutInMinutes: 5
 loadDistribution: 'Default'
- name: 'privateIPLBRule1'
+ name: 'publicIPLBRule1'
 probeName: 'probe1'
- protocol: 'All'
+ protocol: 'Tcp'
+ }
+ {
+ backendAddressPoolName: 'backendAddressPool2'
+ backendPort: 8080
+ frontendIPConfigurationName: 'publicIPConfig1'
+ frontendPort: 8080
+ loadDistribution: 'Default'
+ name: 'publicIPLBRule2'
+ probeName: 'probe2'
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ outboundRules: [
+ {
+ allocatedOutboundPorts: 63984
+ backendAddressPoolName: 'backendAddressPool1'
+ frontendIPConfigurationName: 'publicIPConfig1'
+ name: 'outboundRule1'
 }
 ]
 probes: [
 {
- intervalInSeconds: 5
+ intervalInSeconds: 10
 name: 'probe1'
- numberOfProbes: 2
- port: '62000'
+ numberOfProbes: 5
+ port: 80
 protocol: 'Tcp'
 }
+ {
+ name: 'probe2'
+ port: 443
+ protocol: 'Https'
+ requestPath: '/'
+ }
 ]
 roleAssignments: [
 {
@@ -473,7 +443,6 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 roleDefinitionIdOrName: 'Reader'
 }
 ]
- skuName: 'Standard'
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -499,19 +468,22 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 "frontendIPConfigurations": {
 "value": [
 {
- "name": "privateIPConfig1",
- "subnetId": ""
+ "name": "publicIPConfig1",
+ "publicIPAddressId": ""
 }
 ]
 },
 "name": {
- "value": "nlbint001"
+ "value": "nlbmax001"
 },
 // Non-required parameters
 "backendAddressPools": {
 "value": [
 {
- "name": "servers"
+ "name": "backendAddressPool1"
+ },
+ {
+ "name": "backendAddressPool2"
 }
 ]
 },
@@ -540,7 +512,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 "backendPort": 443,
 "enableFloatingIP": false,
 "enableTcpReset": false,
- "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendIPConfigurationName": "publicIPConfig1",
 "frontendPort": 443,
 "idleTimeoutInMinutes": 4,
 "name": "inboundNatRule1",
@@ -548,7 +520,7 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 },
 {
 "backendPort": 3389,
- "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendIPConfigurationName": "publicIPConfig1",
 "frontendPort": 3389,
 "name": "inboundNatRule2"
 }
@@ -557,29 +529,60 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 "loadBalancingRules": {
 "value": [
 {
- "backendAddressPoolName": "servers",
- "backendPort": 0,
+ "backendAddressPoolName": "backendAddressPool1",
+ "backendPort": 80,
 "disableOutboundSnat": true,
- "enableFloatingIP": true,
+ "enableFloatingIP": false,
 "enableTcpReset": false,
- "frontendIPConfigurationName": "privateIPConfig1",
- "frontendPort": 0,
- "idleTimeoutInMinutes": 4,
+ "frontendIPConfigurationName": "publicIPConfig1",
+ "frontendPort": 80,
+ "idleTimeoutInMinutes": 5,
 "loadDistribution": "Default",
- "name": "privateIPLBRule1",
+ "name": "publicIPLBRule1",
 "probeName": "probe1",
- "protocol": "All"
+ "protocol": "Tcp"
+ },
+ {
+ "backendAddressPoolName": "backendAddressPool2",
+ "backendPort": 8080,
+ "frontendIPConfigurationName": "publicIPConfig1",
+ "frontendPort": 8080,
+ "loadDistribution": "Default",
+ "name": "publicIPLBRule2",
+ "probeName": "probe2"
+ }
+ ]
+ },
+ "lock": {
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
+ },
+ "outboundRules": {
+ "value": [
+ {
+ "allocatedOutboundPorts": 63984,
+ "backendAddressPoolName": "backendAddressPool1",
+ "frontendIPConfigurationName": "publicIPConfig1",
+ "name": "outboundRule1"
 }
 ]
 },
 "probes": {
 "value": [
 {
- "intervalInSeconds": 5,
+ "intervalInSeconds": 10,
 "name": "probe1",
- "numberOfProbes": 2,
- "port": "62000",
+ "numberOfProbes": 5,
+ "port": 80,
 "protocol": "Tcp"
+ },
+ {
+ "name": "probe2",
+ "port": 443,
+ "protocol": "Https",
+ "requestPath": "/"
 }
 ]
 },
@@ -592,9 +595,6 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {
 }
 ]
 },
- "skuName": {
- "value": "Standard"
- },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
diff --git a/modules/network/load-balancer/tests/e2e/common/dependencies.bicep b/modules/network/load-balancer/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/load-balancer/tests/e2e/common/dependencies.bicep
rename to modules/network/load-balancer/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/load-balancer/tests/e2e/common/main.test.bicep b/modules/network/load-balancer/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/network/load-balancer/tests/e2e/common/main.test.bicep
rename to modules/network/load-balancer/tests/e2e/max/main.test.bicep
index b9098d6e39..9d7f2ac2d5 100644
--- a/modules/network/load-balancer/tests/e2e/common/main.test.bicep
+++ b/modules/network/load-balancer/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serv
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlbcom'
+param serviceShort string = 'nlbmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md
index 6dd6bd4da7..cc2167d281 100644
--- a/modules/network/local-network-gateway/README.md
+++ b/modules/network/local-network-gateway/README.md
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.local-network-gateway:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
-This instance deploys the module with most of its features enabled.
+This instance deploys the module with the minimum set of required parameters.
@@ -40,34 +40,16 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nlngcom'
+ name: '${uniqueString(deployment().name, location)}-test-nlngmin'
 params: {
 // Required parameters
 localAddressPrefixes: [
 '192.168.1.0/24'
 ]
 localGatewayPublicIpAddress: '8.8.8.8'
- name: 'nlngcom001'
+ name: 'nlngmin001'
 // Non-required parameters
 enableDefaultTelemetry: ''
- localAsn: '65123'
- localBgpPeeringAddress: '192.168.1.5'
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
- tags: {
- Environment: 'Non-Prod'
- 'hidden-title': 'This is visible in the resource name'
- Role: 'DeploymentValidation'
- }
 }
 }
 ```
@@ -94,39 +76,11 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0
 "value": "8.8.8.8"
 },
 "name": {
- "value": "nlngcom001"
+ "value": "nlngmin001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
 "value": ""
- },
- "localAsn": {
- "value": "65123"
- },
- "localBgpPeeringAddress": {
- "value": "192.168.1.5"
- },
- "lock": {
- "value": {
- "kind": "CanNotDelete",
- "name": "myCustomLockName"
- }
- },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
- "tags": {
- "value": {
- "Environment": "Non-Prod",
- "hidden-title": "This is visible in the resource name",
- "Role": "DeploymentValidation"
- }
 }
 }
 }
@@ -135,9 +89,9 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0

-### Example 2: _Using only defaults_
+### Example 2: _Using large parameter set_
-This instance deploys the module with the minimum set of required parameters.
+This instance deploys the module with most of its features enabled.

@@ -146,16 +100,34 @@ This instance deploys the module with the minimum set of required parameters.
 ```bicep
 module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nlngmin'
+ name: '${uniqueString(deployment().name, location)}-test-nlngmax'
 params: {
 // Required parameters
 localAddressPrefixes: [
 '192.168.1.0/24'
 ]
 localGatewayPublicIpAddress: '8.8.8.8'
- name: 'nlngmin001'
+ name: 'nlngmax001'
 // Non-required parameters
 enableDefaultTelemetry: ''
+ localAsn: '65123'
+ localBgpPeeringAddress: '192.168.1.5'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ tags: {
+ Environment: 'Non-Prod'
+ 'hidden-title': 'This is visible in the resource name'
+ Role: 'DeploymentValidation'
+ }
 }
 }
 ```
@@ -182,11 +154,39 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0
 "value": "8.8.8.8"
 },
 "name": {
- "value": "nlngmin001"
+ "value": "nlngmax001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
 "value": ""
+ },
+ "localAsn": {
+ "value": "65123"
+ },
+ "localBgpPeeringAddress": {
+ "value": "192.168.1.5"
+ },
+ "lock": {
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "Reader"
+ }
+ ]
+ },
+ "tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "hidden-title": "This is visible in the resource name",
+ "Role": "DeploymentValidation"
+ }
 }
 }
 }
diff --git a/modules/network/local-network-gateway/tests/e2e/common/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/local-network-gateway/tests/e2e/common/dependencies.bicep
rename to modules/network/local-network-gateway/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/local-network-gateway/tests/e2e/common/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/network/local-network-gateway/tests/e2e/common/main.test.bicep
rename to modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
index 896cfd3547..c320c4dba1 100644
--- a/modules/network/local-network-gateway/tests/e2e/common/main.test.bicep
+++ b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nlngcom'
+param serviceShort string = 'nlngmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md
index 13c664715f..d848af2b74 100644
--- a/modules/network/nat-gateway/README.md
+++ b/modules/network/nat-gateway/README.md
@@ -43,10 +43,10 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nngcom'
+ name: '${uniqueString(deployment().name, location)}-test-nngmax'
 params: {
 // Required parameters
- name: 'nngcom001'
+ name: 'nngmax001'
 // Non-required parameters
 enableDefaultTelemetry: ''
 lock: {
@@ -69,7 +69,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {
 workspaceResourceId: ''
 }
 ]
- name: 'nngcom001-pip'
+ name: 'nngmax001-pip'
 roleAssignments: [
 {
 principalId: ''
@@ -115,7 +115,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "nngcom001"
+ "value": "nngmax001"
 },
 // Non-required parameters
 "enableDefaultTelemetry": {
@@ -144,7 +144,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {
 "workspaceResourceId": ""
 }
 ],
- "name": "nngcom001-pip",
+ "name": "nngmax001-pip",
 "roleAssignments": [
 {
 "principalId": "",
diff --git a/modules/network/nat-gateway/tests/e2e/common/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/nat-gateway/tests/e2e/common/dependencies.bicep
rename to modules/network/nat-gateway/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/nat-gateway/tests/e2e/common/main.test.bicep b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/network/nat-gateway/tests/e2e/common/main.test.bicep
rename to modules/network/nat-gateway/tests/e2e/max/main.test.bicep
index eda394593d..36cd281d6e 100644
--- a/modules/network/nat-gateway/tests/e2e/common/main.test.bicep
+++ b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${servic
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nngcom'
+param serviceShort string = 'nngmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md
index 2827d18f97..95f9eb34e1 100644
--- a/modules/network/network-interface/README.md
+++ b/modules/network/network-interface/README.md
@@ -29,10 +29,72 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-interface:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
+
+
+
+via Bicep module
+
+```bicep
+module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {
+ name: '${uniqueString(deployment().name, location)}-test-nnimin'
+ params: {
+ // Required parameters
+ ipConfigurations: [
+ {
+ name: 'ipconfig01'
+ subnetResourceId: ''
+ }
+ ]
+ name: 'nnimin001'
+ // Non-required parameters
+ enableDefaultTelemetry: ''
+ }
+}
+```
+
+
+

+ +

+
+via JSON Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Required parameters
+ "ipConfigurations": {
+ "value": [
+ {
+ "name": "ipconfig01",
+ "subnetResourceId": ""
+ }
+ ]
+ },
+ "name": {
+ "value": "nnimin001"
+ },
+ // Non-required parameters
+ "enableDefaultTelemetry": {
+ "value": ""
+ }
+ }
+}
+```
+
+
+

+
+### Example 2: _Using large parameter set_
 This instance deploys the module with most of its features enabled.
@@ -43,7 +105,7 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nnicom'
+ name: '${uniqueString(deployment().name, location)}-test-nnimax'
 params: {
 // Required parameters
 ipConfigurations: [
@@ -70,7 +132,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {
 subnetResourceId: ''
 }
 ]
- name: 'nnicom001'
+ name: 'nnimax001'
 // Non-required parameters
 diagnosticSettings: [
 {
@@ -147,7 +209,7 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {
 ]
 },
 "name": {
- "value": "nnicom001"
+ "value": "nnimax001"
 },
 // Non-required parameters
 "diagnosticSettings": {
@@ -198,68 +260,6 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
-
-

-
-via Bicep module
-
-```bicep
-module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nnimin'
- params: {
- // Required parameters
- ipConfigurations: [
- {
- name: 'ipconfig01'
- subnetResourceId: ''
- }
- ]
- name: 'nnimin001'
- // Non-required parameters
- enableDefaultTelemetry: ''
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "ipConfigurations": {
- "value": [
- {
- "name": "ipconfig01",
- "subnetResourceId": ""
- }
- ]
- },
- "name": {
- "value": "nnimin001"
- },
- // Non-required parameters
- "enableDefaultTelemetry": {
- "value": ""
- }
- }
-}
-```
-
-
-

- -## Parameters
diff --git a/modules/network/network-interface/tests/e2e/common/dependencies.bicep b/modules/network/network-interface/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/network-interface/tests/e2e/common/dependencies.bicep
rename to modules/network/network-interface/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/network-interface/tests/e2e/common/main.test.bicep b/modules/network/network-interface/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/network/network-interface/tests/e2e/common/main.test.bicep
rename to modules/network/network-interface/tests/e2e/max/main.test.bicep
index e3db0da6eb..586661dbc4 100644
--- a/modules/network/network-interface/tests/e2e/common/main.test.bicep
+++ b/modules/network/network-interface/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnicom'
+param serviceShort string = 'nnimax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md
index 7f7d82f383..4870ad088b 100644
--- a/modules/network/network-manager/README.md
+++ b/modules/network/network-manager/README.md
@@ -47,7 +47,7 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nnmcom'
+ name: '${uniqueString(deployment().name, location)}-test-nnmmax'
 params: {
 // Required parameters
 name: ''
diff --git a/modules/network/network-manager/tests/e2e/common/dependencies.bicep b/modules/network/network-manager/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/network-manager/tests/e2e/common/dependencies.bicep
rename to modules/network/network-manager/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/network-manager/tests/e2e/common/main.test.bicep b/modules/network/network-manager/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/network/network-manager/tests/e2e/common/main.test.bicep
rename to modules/network/network-manager/tests/e2e/max/main.test.bicep
index 47dfe8e4c3..a1cb6fb4f6 100644
--- a/modules/network/network-manager/tests/e2e/common/main.test.bicep
+++ b/modules/network/network-manager/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${se
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnmcom'
+param serviceShort string = 'nnmmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md
index 3aa65e8ff8..f5802ad688 100644
--- a/modules/network/network-security-group/README.md
+++ b/modules/network/network-security-group/README.md
@@ -28,10 +28,58 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-security-group:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
+
+

+
+via Bicep module
+
+```bicep
+module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = {
+ name: '${uniqueString(deployment().name, location)}-test-nnsgmin'
+ params: {
+ // Required parameters
+ name: 'nnsgmin001'
+ // Non-required parameters
+ enableDefaultTelemetry: ''
+ }
+}
+```
+
+
+

+ +

+
+via JSON Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Required parameters
+ "name": {
+ "value": "nnsgmin001"
+ },
+ // Non-required parameters
+ "enableDefaultTelemetry": {
+ "value": ""
+ }
+ }
+}
+```
+
+
+

+
+### Example 2: _Using large parameter set_
 This instance deploys the module with most of its features enabled.
@@ -42,10 +90,10 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nnsgcom'
+ name: '${uniqueString(deployment().name, location)}-test-nnsgmax'
 params: {
 // Required parameters
- name: 'nnsgcom001'
+ name: 'nnsgmax001'
 // Non-required parameters
 diagnosticSettings: [
 {
@@ -155,7 +203,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0
 "parameters": {
 // Required parameters
 "name": {
- "value": "nnsgcom001"
+ "value": "nnsgmax001"
 },
 // Non-required parameters
 "diagnosticSettings": {
@@ -267,54 +315,6 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0

-### Example 2: _Using only defaults_
-
-This instance deploys the module with the minimum set of required parameters.
-
-
-

-
-via Bicep module
-
-```bicep
-module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-nnsgmin'
- params: {
- // Required parameters
- name: 'nnsgmin001'
- // Non-required parameters
- enableDefaultTelemetry: ''
- }
-}
-```
-
-
-

- -

-
-via JSON Parameter file
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- // Required parameters
- "name": {
- "value": "nnsgmin001"
- },
- // Non-required parameters
- "enableDefaultTelemetry": {
- "value": ""
- }
- }
-}
-```
-
-
-

- -## Parameters
diff --git a/modules/network/network-security-group/tests/e2e/common/dependencies.bicep b/modules/network/network-security-group/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/network/network-security-group/tests/e2e/common/dependencies.bicep
rename to modules/network/network-security-group/tests/e2e/max/dependencies.bicep
diff --git a/modules/network/network-security-group/tests/e2e/common/main.test.bicep b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/network/network-security-group/tests/e2e/common/main.test.bicep
rename to modules/network/network-security-group/tests/e2e/max/main.test.bicep
index f0d32175ee..ba20a64fbc 100644
--- a/modules/network/network-security-group/tests/e2e/common/main.test.bicep
+++ b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroup
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nnsgcom'
+param serviceShort string = 'nnsgmax'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md
index 90da9a7ec3..ede8d1e3a8 100644
--- a/modules/network/network-watcher/README.md
+++ b/modules/network/network-watcher/README.md
@@ -28,10 +28,54 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-watcher:1.0.0`.
-- [Using large parameter set](#example-1-using-large-parameter-set)
-- [Using only defaults](#example-2-using-only-defaults)
+- [Using only defaults](#example-1-using-only-defaults)
+- [Using large parameter set](#example-2-using-large-parameter-set)
-### Example 1: _Using large parameter set_
+### Example 1: _Using only defaults_
+
+This instance deploys the module with the minimum set of required parameters.
+
+
+

+
+via Bicep module
+
+```bicep
+module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
+ name: '${uniqueString(deployment().name, testLocation)}-test-nnwmin'
+ params: {
+ enableDefaultTelemetry: ''
+ location: ''
+ }
+}
+```
+
+
+

+ +

+
+via JSON Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enableDefaultTelemetry": {
+ "value": ""
+ },
+ "location": {
+ "value": ""
+ }
+ }
+}
+```
+
+
+

+
+### Example 2: _Using large parameter set_
 This instance deploys the module with most of its features enabled.
@@ -42,7 +86,7 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
- name: '${uniqueString(deployment().name, testLocation)}-test-nnwcom'
+ name: '${uniqueString(deployment().name, testLocation)}-test-nnwmax'
 params: {
 connectionMonitors: [
 {
@@ -58,7 +102,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
 type: 'ExternalAddress'
 }
 ]
- name: 'nnwcom-cm-001'
+ name: 'nnwmax-cm-001'
 testConfigurations: [
 {
 httpConfiguration: {
@@ -106,7 +150,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
 }
 {
 formatVersion: 1
- name: 'nnwcom-fl-001'
+ name: 'nnwmax-fl-001'
 retentionInDays: 8
 storageId: ''
 targetResourceId: ''
@@ -159,7 +203,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
 "type": "ExternalAddress"
 }
 ],
- "name": "nnwcom-cm-001",
+ "name": "nnwmax-cm-001",
 "testConfigurations": [
 {
 "httpConfiguration": {
@@ -211,7 +255,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
 },
 {
 "formatVersion": 1,
- "name": "nnwcom-fl-001",
+ "name": "nnwmax-fl-001",
 "retentionInDays": 8,
 "storageId": "",
 "targetResourceId": "",
@@ -249,50 +293,6 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, testLocation)}-test-nnwmin' - params: { - enableDefaultTelemetry: '' - location: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/network-watcher/tests/e2e/common/dependencies.bicep b/modules/network/network-watcher/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/network-watcher/tests/e2e/common/dependencies.bicep rename to modules/network/network-watcher/tests/e2e/max/dependencies.bicep diff --git a/modules/network/network-watcher/tests/e2e/common/main.test.bicep b/modules/network/network-watcher/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/network-watcher/tests/e2e/common/main.test.bicep rename to modules/network/network-watcher/tests/e2e/max/main.test.bicep index c990c50782..d4dcd43292 100644 --- a/modules/network/network-watcher/tests/e2e/common/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnwcom' +param serviceShort string = 'nnwmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index f225228a70..ceb0935638 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md 
@@ -37,10 +37,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-dns-zone:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npdzmin' + params: { + // Required parameters + name: 'npdzmin001.com' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npdzmin001.com" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -51,10 +99,10 @@ This instance deploys the module with most of its features enabled. ```bicep module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npdzcom' + name: '${uniqueString(deployment().name, location)}-test-npdzmax' params: { // Required parameters - name: 'npdzcom001.com' + name: 'npdzmax001.com' // Non-required parameters a: [ { @@ -242,7 +290,7 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "npdzcom001.com" + "value": "npdzmax001.com" }, // Non-required parameters "a": { @@ -446,54 +494,6 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npdzmin' - params: { - // Required parameters - name: 'npdzmin001.com' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npdzmin001.com" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/private-dns-zone/tests/e2e/common/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/private-dns-zone/tests/e2e/common/dependencies.bicep rename to modules/network/private-dns-zone/tests/e2e/max/dependencies.bicep diff --git a/modules/network/private-dns-zone/tests/e2e/common/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/private-dns-zone/tests/e2e/common/main.test.bicep rename to modules/network/private-dns-zone/tests/e2e/max/main.test.bicep index 5e616bcc70..d62a97edb9 100644 --- a/modules/network/private-dns-zone/tests/e2e/common/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npdzcom' +param serviceShort string = 'npdzmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index c051e314b3..e23c6bb6b9 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md 
@@ -29,10 +29,74 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-endpoint:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npemin' + params: { + // Required parameters + groupIds: [ + 'vault' + ] + name: 'npemin001' + serviceResourceId: '' + subnetResourceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupIds": { + "value": [ + "vault" + ] + }, + "name": { + "value": "npemin001" + }, + "serviceResourceId": { + "value": "" + }, + "subnetResourceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -43,13 +107,13 @@ This instance deploys the module with most of its features enabled. ```bicep module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npecom' + name: '${uniqueString(deployment().name, location)}-test-npemax' params: { // Required parameters groupIds: [ 'vault' ] - name: 'npecom001' + name: 'npemax001' serviceResourceId: '' subnetResourceId: '' // Non-required parameters @@ -64,7 +128,7 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { ] } ] - customNetworkInterfaceName: 'npecom001nic' + customNetworkInterfaceName: 'npemax001nic' enableDefaultTelemetry: '' ipConfigurations: [ { @@ -118,7 +182,7 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { ] }, "name": { - "value": "npecom001" + "value": "npemax001" }, "serviceResourceId": { "value": "" @@ -143,7 +207,7 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { ] }, "customNetworkInterfaceName": { - "value": "npecom001nic" + "value": "npemax001nic" }, "enableDefaultTelemetry": { "value": "" @@ -194,70 +258,6 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npemin' - params: { - // Required parameters - groupIds: [ - 'vault' - ] - name: 'npemin001' - serviceResourceId: '' - subnetResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "groupIds": { - "value": [ - "vault" - ] - }, - "name": { - "value": "npemin001" - }, - "serviceResourceId": { - "value": "" - }, - "subnetResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/private-endpoint/tests/e2e/common/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/private-endpoint/tests/e2e/common/dependencies.bicep rename to modules/network/private-endpoint/tests/e2e/max/dependencies.bicep diff --git a/modules/network/private-endpoint/tests/e2e/common/main.test.bicep b/modules/network/private-endpoint/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/private-endpoint/tests/e2e/common/main.test.bicep rename to modules/network/private-endpoint/tests/e2e/max/main.test.bicep index 7904b19335..dcb523c227 100644 --- a/modules/network/private-endpoint/tests/e2e/common/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npecom' +param serviceShort string = 'npemax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 0255a52263..45f9b300e1 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md 
@@ -27,10 +27,92 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.private-link-service:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nplsmin' + params: { + // Required parameters + name: 'nplsmin001' + // Non-required parameters + enableDefaultTelemetry: '' + ipConfigurations: [ + { + name: 'nplsmin01' + properties: { + subnet: { + id: '' + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: '' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nplsmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipConfigurations": { + "value": [ + { + "name": "nplsmin01", + "properties": { + "subnet": { + "id": "" + } + } + } + ] + }, + "loadBalancerFrontendIpConfigurations": { + "value": [ + { + "id": "" + } + ] + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,10 +123,10 @@ This instance deploys the module with most of its features enabled. ```bicep module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nplscom' + name: '${uniqueString(deployment().name, location)}-test-nplsmax' params: { // Required parameters - name: 'nplscom001' + name: 'nplsmax001' // Non-required parameters autoApproval: { subscriptions: [ @@ -54,12 +136,12 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' enableDefaultTelemetry: '' enableProxyProtocol: true fqdns: [ - 'nplscom.plsfqdn01.azure.privatelinkservice' - 'nplscom.plsfqdn02.azure.privatelinkservice' + 'nplsmax.plsfqdn01.azure.privatelinkservice' + 'nplsmax.plsfqdn02.azure.privatelinkservice' ] ipConfigurations: [ { - name: 'nplscom01' + name: 'nplsmax01' properties: { primary: true privateIPAllocationMethod: 'Dynamic' @@ -113,7 +195,7 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' "parameters": { // Required parameters "name": { - "value": "nplscom001" + "value": "nplsmax001" }, // Non-required parameters "autoApproval": { @@ -131,14 +213,14 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' }, "fqdns": { "value": [ - "nplscom.plsfqdn01.azure.privatelinkservice", - "nplscom.plsfqdn02.azure.privatelinkservice" + "nplsmax.plsfqdn01.azure.privatelinkservice", + "nplsmax.plsfqdn02.azure.privatelinkservice" ] }, "ipConfigurations": { "value": [ { - "name": "nplscom01", + "name": "nplsmax01", "properties": { "primary": true, "privateIPAllocationMethod": "Dynamic", @@ -192,88 +274,6 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0'

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nplsmin' - params: { - // Required parameters - name: 'nplsmin001' - // Non-required parameters - enableDefaultTelemetry: '' - ipConfigurations: [ - { - name: 'nplsmin01' - properties: { - subnet: { - id: '' - } - } - } - ] - loadBalancerFrontendIpConfigurations: [ - { - id: '' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nplsmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "ipConfigurations": { - "value": [ - { - "name": "nplsmin01", - "properties": { - "subnet": { - "id": "" - } - } - } - ] - }, - "loadBalancerFrontendIpConfigurations": { - "value": [ - { - "id": "" - } - ] - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/private-link-service/tests/e2e/common/dependencies.bicep b/modules/network/private-link-service/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/private-link-service/tests/e2e/common/dependencies.bicep rename to modules/network/private-link-service/tests/e2e/max/dependencies.bicep diff --git a/modules/network/private-link-service/tests/e2e/common/main.test.bicep b/modules/network/private-link-service/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/private-link-service/tests/e2e/common/main.test.bicep rename to modules/network/private-link-service/tests/e2e/max/main.test.bicep index dee87a5b50..8333f18672 100644 --- a/modules/network/private-link-service/tests/e2e/common/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nplscom' +param serviceShort string = 'nplsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index 8d6d6c6221..a1e26a8374 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md 
@@ -29,10 +29,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-address:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npiamin' + params: { + // Required parameters + name: 'npiamin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npiamin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -43,10 +91,10 @@ This instance deploys the module with most of its features enabled. ```bicep module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npiacom' + name: '${uniqueString(deployment().name, location)}-test-npiamax' params: { // Required parameters - name: 'npiacom001' + name: 'npiamax001' // Non-required parameters diagnosticSettings: [ { @@ -104,7 +152,7 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "npiacom001" + "value": "npiamax001" }, // Non-required parameters "diagnosticSettings": { @@ -168,54 +216,6 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npiamin' - params: { - // Required parameters - name: 'npiamin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "npiamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/public-ip-address/tests/e2e/common/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/public-ip-address/tests/e2e/common/dependencies.bicep rename to modules/network/public-ip-address/tests/e2e/max/dependencies.bicep diff --git a/modules/network/public-ip-address/tests/e2e/common/main.test.bicep b/modules/network/public-ip-address/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/public-ip-address/tests/e2e/common/main.test.bicep rename to modules/network/public-ip-address/tests/e2e/max/main.test.bicep index 80217831e3..aed225af85 100644 --- a/modules/network/public-ip-address/tests/e2e/common/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npiacom' +param serviceShort string = 'npiamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index b9575104a9..efd58740b9 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.public-ip-prefix:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -40,29 +40,13 @@ This instance deploys the module with most of its features enabled. ```bicep module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npipcom' + name: '${uniqueString(deployment().name, location)}-test-npipmin' params: { // Required parameters - name: 'npipcom001' + name: 'npipmin001' prefixLength: 28 // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -81,7 +65,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "npipcom001" + "value": "npipmin001" }, "prefixLength": { "value": 28 @@ -89,28 +73,6 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -119,9 +81,9 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -130,13 +92,29 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-npipmin' + name: '${uniqueString(deployment().name, location)}-test-npipmax' params: { // Required parameters - name: 'npipmin001' + name: 'npipmax001' prefixLength: 28 // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -155,7 +133,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "npipmin001" + "value": "npipmax001" }, "prefixLength": { "value": 28 @@ -163,6 +141,28 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/network/public-ip-prefix/tests/e2e/common/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/public-ip-prefix/tests/e2e/common/dependencies.bicep rename to modules/network/public-ip-prefix/tests/e2e/max/dependencies.bicep 
diff --git a/modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep rename to modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep index de01104fcb..8e6d167811 100644 --- a/modules/network/public-ip-prefix/tests/e2e/common/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npipcom' +param serviceShort string = 'npipmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index c72d3efdd9..3187ab66e4 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.route-table:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nrtmin' + params: { + // Required parameters + name: 'nrtmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nrtmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nrtcom' + name: '${uniqueString(deployment().name, location)}-test-nrtmax' params: { // Required parameters - name: 'nrtcom001' + name: 'nrtmax001' // Non-required parameters enableDefaultTelemetry: '' lock: { @@ -90,7 +138,7 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nrtcom001" + "value": "nrtmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -137,54 +185,6 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nrtmin' - params: { - // Required parameters - name: 'nrtmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nrtmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/route-table/tests/e2e/common/dependencies.bicep b/modules/network/route-table/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/route-table/tests/e2e/common/dependencies.bicep rename to modules/network/route-table/tests/e2e/max/dependencies.bicep diff --git a/modules/network/route-table/tests/e2e/common/main.test.bicep b/modules/network/route-table/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/route-table/tests/e2e/common/main.test.bicep rename to modules/network/route-table/tests/e2e/max/main.test.bicep index 9c832803bc..591f42c921 100644 --- a/modules/network/route-table/tests/e2e/common/main.test.bicep +++ b/modules/network/route-table/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nrtcom' +param serviceShort string = 'nrtmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index 84bbf928c5..c97f6b3a41 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.service-endpoint-policy:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nsnpmin' + params: { + // Required parameters + name: 'nsnpmin-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nsnpmin-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nsnpcom' + name: '${uniqueString(deployment().name, location)}-test-nsnpmax' params: { // Required parameters - name: 'nsnpcom-001' + name: 'nsnpmax-001' // Non-required parameters enableDefaultTelemetry: '' lock: { @@ -93,7 +141,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 "parameters": { // Required parameters "name": { - "value": "nsnpcom-001" + "value": "nsnpmax-001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -143,54 +191,6 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nsnpmin' - params: { - // Required parameters - name: 'nsnpmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nsnpmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/service-endpoint-policy/tests/e2e/common/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/service-endpoint-policy/tests/e2e/common/dependencies.bicep rename to modules/network/service-endpoint-policy/tests/e2e/max/dependencies.bicep diff --git a/modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep rename to modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep index 935e76388f..383bd64097 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/common/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nsnpcom' +param serviceShort string = 'nsnpmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index e1247c8513..07d77ebdb1 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -28,10 +28,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.trafficmanagerprofile:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ntmpmin' + params: { + // Required parameters + name: '' + relativeName: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "relativeName": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,7 +94,7 @@ This instance deploys the module with most of its features enabled. ```bicep module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpcom' + name: '${uniqueString(deployment().name, location)}-test-ntmpmax' params: { // Required parameters name: '' @@ -151,58 +203,6 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ntmpmin' - params: { - // Required parameters - name: '' - relativeName: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - "relativeName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/trafficmanagerprofile/tests/e2e/common/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/trafficmanagerprofile/tests/e2e/common/dependencies.bicep rename to modules/network/trafficmanagerprofile/tests/e2e/max/dependencies.bicep diff --git a/modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep rename to modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep index 5b858058da..e33f38cf77 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/common/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofil param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ntmpcom' +param serviceShort string = 'ntmpmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 9d543ddf8f..794271f0ac 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md 
@@ -28,10 +28,66 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-hub:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvhmin' + params: { + // Required parameters + addressPrefix: '10.0.0.0/16' + name: 'nvhmin' + virtualWanId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefix": { + "value": "10.0.0.0/16" + }, + "name": { + "value": "nvhmin" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,11 +98,11 @@ This instance deploys the module with most of its features enabled. ```bicep module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvhcom' + name: '${uniqueString(deployment().name, location)}-test-nvhmax' params: { // Required parameters addressPrefix: '10.1.0.0/16' - name: 'nvhcom' + name: 'nvhmax' virtualWanId: '' // Non-required parameters enableDefaultTelemetry: '' @@ -106,7 +162,7 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { "value": "10.1.0.0/16" }, "name": { - "value": "nvhcom" + "value": "nvhmax" }, "virtualWanId": { "value": "" @@ -165,62 +221,6 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvhmin' - params: { - // Required parameters - addressPrefix: '10.0.0.0/16' - name: 'nvhmin' - virtualWanId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefix": { - "value": "10.0.0.0/16" - }, - "name": { - "value": "nvhmin" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/virtual-hub/tests/e2e/common/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/virtual-hub/tests/e2e/common/dependencies.bicep rename to modules/network/virtual-hub/tests/e2e/max/dependencies.bicep diff --git a/modules/network/virtual-hub/tests/e2e/common/main.test.bicep b/modules/network/virtual-hub/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/virtual-hub/tests/e2e/common/main.test.bicep rename to modules/network/virtual-hub/tests/e2e/max/main.test.bicep index 9c2433cc84..40bfcc913c 100644 --- a/modules/network/virtual-hub/tests/e2e/common/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvhcom' +param serviceShort string = 'nvhmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index c001ac80f3..07083c6cf7 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md 
@@ -30,11 +30,67 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-network:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Vnetpeering](#example-3-vnetpeering) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvnmin' + params: { + // Required parameters + addressPrefixes: [ + '10.0.0.0/16' + ] + name: 'nvnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefixes": { + "value": [ + "10.0.0.0/16" + ] + }, + "name": { + "value": "nvnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,13 +101,13 @@ This instance deploys the module with most of its features enabled. ```bicep module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvncom' + name: '${uniqueString(deployment().name, location)}-test-nvnmax' params: { // Required parameters addressPrefixes: [ '' ] - name: 'nvncom001' + name: 'nvnmax001' // Non-required parameters diagnosticSettings: [ { @@ -157,7 +213,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { ] }, "name": { - "value": "nvncom001" + "value": "nvnmax001" }, // Non-required parameters "diagnosticSettings": { @@ -264,62 +320,6 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvnmin' - params: { - // Required parameters - addressPrefixes: [ - '10.0.0.0/16' - ] - name: 'nvnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "addressPrefixes": { - "value": [ - "10.0.0.0/16" - ] - }, - "name": { - "value": "nvnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Vnetpeering_

diff --git a/modules/network/virtual-network/tests/e2e/common/dependencies.bicep b/modules/network/virtual-network/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/virtual-network/tests/e2e/common/dependencies.bicep rename to modules/network/virtual-network/tests/e2e/max/dependencies.bicep diff --git a/modules/network/virtual-network/tests/e2e/common/main.test.bicep b/modules/network/virtual-network/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/network/virtual-network/tests/e2e/common/main.test.bicep rename to modules/network/virtual-network/tests/e2e/max/main.test.bicep index d3384de2e9..5a84c91f10 100644 --- a/modules/network/virtual-network/tests/e2e/common/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvncom' +param serviceShort string = 'nvnmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 1d107f2932..2837b5d97c 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md 
@@ -26,10 +26,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.virtual-wan:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvwmin' + params: { + // Required parameters + name: 'nvwmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvwmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -40,10 +88,10 @@ This instance deploys the module with most of its features enabled. ```bicep module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvwcom' + name: '${uniqueString(deployment().name, location)}-test-nvwmax' params: { // Required parameters - name: 'nvwcom001' + name: 'nvwmax001' // Non-required parameters allowBranchToBranchTraffic: true allowVnetToVnetTraffic: true @@ -84,7 +132,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nvwcom001" + "value": "nvwmax001" }, // Non-required parameters "allowBranchToBranchTraffic": { @@ -131,54 +179,6 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvwmin' - params: { - // Required parameters - name: 'nvwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/virtual-wan/tests/e2e/common/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/virtual-wan/tests/e2e/common/dependencies.bicep rename to modules/network/virtual-wan/tests/e2e/max/dependencies.bicep diff --git a/modules/network/virtual-wan/tests/e2e/common/main.test.bicep b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/virtual-wan/tests/e2e/common/main.test.bicep rename to modules/network/virtual-wan/tests/e2e/max/main.test.bicep index d9554d26d8..d0dd150785 100644 --- a/modules/network/virtual-wan/tests/e2e/common/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvwcom' +param serviceShort string = 'nvwmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index 8ad433891d..e8936ad31c 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md 
@@ -28,10 +28,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-gateway:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvgmin' + params: { + // Required parameters + name: 'nvgmin001' + virtualHubResourceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvgmin001" + }, + "virtualHubResourceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +94,10 @@ This instance deploys the module with most of its features enabled. ```bicep module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgcom' + name: '${uniqueString(deployment().name, location)}-test-nvgmax' params: { // Required parameters - name: 'nvgcom001' + name: 'nvgmax001' virtualHubResourceId: '' // Non-required parameters bgpSettings: { @@ -111,7 +163,7 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nvgcom001" + "value": "nvgmax001" }, "virtualHubResourceId": { "value": "" @@ -181,58 +233,6 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvgmin' - params: { - // Required parameters - name: 'nvgmin001' - virtualHubResourceId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvgmin001" - }, - "virtualHubResourceId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/vpn-gateway/tests/e2e/common/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/vpn-gateway/tests/e2e/common/dependencies.bicep rename to modules/network/vpn-gateway/tests/e2e/max/dependencies.bicep diff --git a/modules/network/vpn-gateway/tests/e2e/common/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/vpn-gateway/tests/e2e/common/main.test.bicep rename to modules/network/vpn-gateway/tests/e2e/max/main.test.bicep index 2d221b3379..798de44466 100644 --- a/modules/network/vpn-gateway/tests/e2e/common/main.test.bicep +++ b/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvgcom' +param serviceShort string = 'nvgmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index b6da21771a..949d02fd41 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md 
@@ -27,10 +27,74 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.vpn-site:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvsmin' + params: { + // Required parameters + name: 'nvsmin' + virtualWanId: '' + // Non-required parameters + addressPrefixes: [ + '10.0.0.0/16' + ] + enableDefaultTelemetry: '' + ipAddress: '1.2.3.4' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvsmin" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "addressPrefixes": { + "value": [ + "10.0.0.0/16" + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddress": { + "value": "1.2.3.4" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,10 +105,10 @@ This instance deploys the module with most of its features enabled. ```bicep module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvscom' + name: '${uniqueString(deployment().name, location)}-test-nvsmax' params: { // Required parameters - name: 'nvscom' + name: 'nvsmax' virtualWanId: '' // Non-required parameters deviceProperties: { @@ -76,7 +140,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { } vpnSiteLinks: [ { - name: 'vSite-nvscom' + name: 'vSite-nvsmax' properties: { bgpProperties: { asn: 65010 @@ -122,7 +186,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "nvscom" + "value": "nvsmax" }, "virtualWanId": { "value": "" @@ -170,7 +234,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { "vpnSiteLinks": { "value": [ { - "name": "vSite-nvscom", + "name": "vSite-nvsmax", "properties": { "bgpProperties": { "asn": 65010, @@ -206,70 +270,6 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-nvsmin' - params: { - // Required parameters - name: 'nvsmin' - virtualWanId: '' - // Non-required parameters - addressPrefixes: [ - '10.0.0.0/16' - ] - enableDefaultTelemetry: '' - ipAddress: '1.2.3.4' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "nvsmin" - }, - "virtualWanId": { - "value": "" - }, - // Non-required parameters - "addressPrefixes": { - "value": [ - "10.0.0.0/16" - ] - }, - "enableDefaultTelemetry": { - "value": "" - }, - "ipAddress": { - "value": "1.2.3.4" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/network/vpn-site/tests/e2e/common/dependencies.bicep b/modules/network/vpn-site/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/network/vpn-site/tests/e2e/common/dependencies.bicep rename to modules/network/vpn-site/tests/e2e/max/dependencies.bicep diff --git a/modules/network/vpn-site/tests/e2e/common/main.test.bicep b/modules/network/vpn-site/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/network/vpn-site/tests/e2e/common/main.test.bicep rename to modules/network/vpn-site/tests/e2e/max/main.test.bicep index e7fdd0967f..8f0bab6726 100644 --- a/modules/network/vpn-site/tests/e2e/common/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvscom' +param serviceShort string = 'nvsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 02c536f329..cac8424e47 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md 
@@ -36,8 +36,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/operational-insights.workspace:1.0.0`. - [Adv](#example-1-adv) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Using large parameter set](#example-3-using-large-parameter-set) ### Example 1: _Adv_ @@ -592,7 +592,55 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = {

-### Example 2: _Using large parameter set_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-oiwmin' + params: { + // Required parameters + name: 'oiwmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "oiwmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -603,10 +651,10 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwcom' + name: '${uniqueString(deployment().name, location)}-test-oiwmax' params: { // Required parameters - name: 'oiwcom001' + name: 'oiwmax001' // Non-required parameters dailyQuotaGb: 10 dataSources: [ @@ -792,7 +840,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "oiwcom001" + "value": "oiwmax001" }, // Non-required parameters "dailyQuotaGb": { @@ -1000,54 +1048,6 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-oiwmin' - params: { - // Required parameters - name: 'oiwmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "oiwmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/operational-insights/workspace/tests/e2e/common/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/operational-insights/workspace/tests/e2e/common/dependencies.bicep rename to modules/operational-insights/workspace/tests/e2e/max/dependencies.bicep diff --git a/modules/operational-insights/workspace/tests/e2e/common/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/operational-insights/workspace/tests/e2e/common/main.test.bicep rename to modules/operational-insights/workspace/tests/e2e/max/main.test.bicep index 1cf9da26fa..a3d86cf782 100644 --- a/modules/operational-insights/workspace/tests/e2e/common/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspac param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'oiwcom' +param serviceShort string = 'oiwmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index b70a3883f6..4e238f87bd 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/power-bi-dedicated.capacity:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -40,32 +40,16 @@ This instance deploys the module with most of its features enabled. ```bicep module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pbdcapcom' + name: '${uniqueString(deployment().name, location)}-test-pbdcapmin' params: { // Required parameters members: [ '' ] - name: 'pbdcapcom001' + name: 'pbdcapmin001' skuCapacity: 1 // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -89,7 +73,7 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { ] }, "name": { - "value": "pbdcapcom001" + "value": "pbdcapmin001" }, "skuCapacity": { "value": 1 @@ -97,28 +81,6 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -127,9 +89,9 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -138,16 +100,32 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-pbdcapmin' + name: '${uniqueString(deployment().name, location)}-test-pbdcapmax' params: { // Required parameters members: [ '' ] - name: 'pbdcapmin001' + name: 'pbdcapmax001' skuCapacity: 1 // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -171,7 +149,7 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { ] }, "name": { - "value": "pbdcapmin001" + "value": "pbdcapmax001" }, "skuCapacity": { "value": 1 @@ -179,6 +157,28 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/common/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/power-bi-dedicated/capacity/tests/e2e/common/dependencies.bicep rename to modules/power-bi-dedicated/capacity/tests/e2e/max/dependencies.bicep 
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep rename to modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep index ac0f2e2e69..fac442cdfe 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/common/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pbdcapcom' +param serviceShort string = 'pbdcapmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 7d2d34a463..0110965dca 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -29,10 +29,62 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/purview.account:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module account 'br:bicep/modules/purview.account:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-pvamin' + params: { + // Required parameters + name: 'pvamin001' + // Non-required parameters + enableDefaultTelemetry: '' + managedResourceGroupName: 'pvamin001-managed-rg' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "pvamin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedResourceGroupName": { + "value": "pvamin001-managed-rg" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -43,10 +95,10 @@ This instance deploys the module with most of its features enabled. ```bicep module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pvacom' + name: '${uniqueString(deployment().name)}-test-pvamax' params: { // Required parameters - name: 'pvacom001' + name: 'pvamax001' // Non-required parameters accountPrivateEndpoints: [ { @@ -101,7 +153,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { '' ] } - managedResourceGroupName: 'pvacom001-managed-rg' + managedResourceGroupName: 'pvamax001-managed-rg' portalPrivateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -175,7 +227,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "pvacom001" + "value": "pvamax001" }, // Non-required parameters "accountPrivateEndpoints": { @@ -246,7 +298,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { } }, "managedResourceGroupName": { - "value": "pvacom001-managed-rg" + "value": "pvamax001-managed-rg" }, "portalPrivateEndpoints": { "value": [ @@ -322,58 +374,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pvamin' - params: { - // Required parameters - name: 'pvamin001' - // Non-required parameters - enableDefaultTelemetry: '' - managedResourceGroupName: 'pvamin001-managed-rg' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "pvamin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedResourceGroupName": { - "value": "pvamin001-managed-rg" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/purview/account/tests/e2e/common/dependencies.bicep b/modules/purview/account/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/purview/account/tests/e2e/common/dependencies.bicep rename to modules/purview/account/tests/e2e/max/dependencies.bicep diff --git a/modules/purview/account/tests/e2e/common/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/purview/account/tests/e2e/common/main.test.bicep rename to modules/purview/account/tests/e2e/max/main.test.bicep index 91aac7a244..aa24c189e1 100644 --- a/modules/purview/account/tests/e2e/common/main.test.bicep +++ b/modules/purview/account/tests/e2e/max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pvacom' +param serviceShort string = 'pvamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 1cf6b13205..0f801f9e45 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md 
@@ -39,11 +39,230 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/recovery-services.vault:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Dr](#example-3-dr) +- [Using only defaults](#example-1-using-only-defaults) +- [Dr](#example-2-dr) +- [Using large parameter set](#example-3-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rsvmin' + params: { + // Required parameters + name: 'rsvmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rsvmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Dr_ + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rsvdr' + params: { + // Required parameters + name: '' + // Non-required parameters + enableDefaultTelemetry: '' + replicationFabrics: [ + { + location: 'NorthEurope' + replicationContainers: [ + { + name: 'ne-container1' + replicationContainerMappings: [ + { + policyName: 'Default_values' + targetContainerName: 'pluto' + targetProtectionContainerId: '' + } + ] + } + { + name: 'ne-container2' + replicationContainerMappings: [ + { + policyName: 'Default_values' + targetContainerFabricName: 'WE-2' + targetContainerName: 'we-container1' + } + ] + } + ] + } + { + location: 'WestEurope' + name: 'WE-2' + replicationContainers: [ + { + name: 'we-container1' + replicationContainerMappings: [ + { + policyName: 'Default_values' + targetContainerFabricName: 'NorthEurope' + targetContainerName: 'ne-container2' + } + ] + } + ] + } + ] + replicationPolicies: [ + { + name: 'Default_values' + } + { + appConsistentFrequencyInMinutes: 240 + crashConsistentFrequencyInMinutes: 7 + multiVmSyncStatus: 'Disable' + name: 'Custom_values' + recoveryPointHistory: 2880 + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "replicationFabrics": { + "value": [ + { + "location": "NorthEurope", + "replicationContainers": [ + { + "name": "ne-container1", + "replicationContainerMappings": [ + { + "policyName": "Default_values", + "targetContainerName": "pluto", + "targetProtectionContainerId": "" + } + ] + }, + { + "name": "ne-container2", + "replicationContainerMappings": [ + { + "policyName": "Default_values", + "targetContainerFabricName": "WE-2", + "targetContainerName": "we-container1" + } + ] + } + ] + }, + { + "location": "WestEurope", + "name": "WE-2", + "replicationContainers": [ + { + "name": "we-container1", + "replicationContainerMappings": [ + { + "policyName": "Default_values", + "targetContainerFabricName": "NorthEurope", + "targetContainerName": "ne-container2" + } + ] + } + ] + } + ] + }, + "replicationPolicies": { + "value": [ + { + "name": "Default_values" + }, + { + "appConsistentFrequencyInMinutes": 240, + "crashConsistentFrequencyInMinutes": 7, + "multiVmSyncStatus": "Disable", + "name": "Custom_values", + "recoveryPointHistory": 2880 + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -54,10 +273,10 @@ This instance deploys the module with most of its features enabled. ```bicep module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvcom' + name: '${uniqueString(deployment().name, location)}-test-rsvmax' params: { // Required parameters - name: 'rsvcom001' + name: 'rsvmax001' // Non-required parameters backupConfig: { enhancedSecurityState: 'Disabled' @@ -385,7 +604,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rsvcom001" + "value": "rsvmax001" }, // Non-required parameters "backupConfig": { @@ -729,225 +948,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvmin' - params: { - // Required parameters - name: 'rsvmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rsvmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Dr_ - -

- -via Bicep module - -```bicep -module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rsvdr' - params: { - // Required parameters - name: '' - // Non-required parameters - enableDefaultTelemetry: '' - replicationFabrics: [ - { - location: 'NorthEurope' - replicationContainers: [ - { - name: 'ne-container1' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerName: 'pluto' - targetProtectionContainerId: '' - } - ] - } - { - name: 'ne-container2' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerFabricName: 'WE-2' - targetContainerName: 'we-container1' - } - ] - } - ] - } - { - location: 'WestEurope' - name: 'WE-2' - replicationContainers: [ - { - name: 'we-container1' - replicationContainerMappings: [ - { - policyName: 'Default_values' - targetContainerFabricName: 'NorthEurope' - targetContainerName: 'ne-container2' - } - ] - } - ] - } - ] - replicationPolicies: [ - { - name: 'Default_values' - } - { - appConsistentFrequencyInMinutes: 240 - crashConsistentFrequencyInMinutes: 7 - multiVmSyncStatus: 'Disable' - name: 'Custom_values' - recoveryPointHistory: 2880 - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "replicationFabrics": { - "value": [ - { - "location": "NorthEurope", - "replicationContainers": [ - { - "name": "ne-container1", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerName": "pluto", - "targetProtectionContainerId": "" - } - ] - }, - { - "name": "ne-container2", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerFabricName": "WE-2", - "targetContainerName": "we-container1" - } - ] - } - ] - }, - { - "location": "WestEurope", - "name": "WE-2", - "replicationContainers": [ - { - "name": "we-container1", - "replicationContainerMappings": [ - { - "policyName": "Default_values", - "targetContainerFabricName": "NorthEurope", - "targetContainerName": "ne-container2" - } - ] - } - ] - } - ] - }, - "replicationPolicies": { - "value": [ - { - "name": "Default_values" - }, - { - "appConsistentFrequencyInMinutes": 240, - "crashConsistentFrequencyInMinutes": 7, - "multiVmSyncStatus": "Disable", - "name": "Custom_values", - "recoveryPointHistory": 2880 - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/recovery-services/vault/tests/e2e/common/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/recovery-services/vault/tests/e2e/common/dependencies.bicep rename to modules/recovery-services/vault/tests/e2e/max/dependencies.bicep diff --git a/modules/recovery-services/vault/tests/e2e/common/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/recovery-services/vault/tests/e2e/common/main.test.bicep rename to modules/recovery-services/vault/tests/e2e/max/main.test.bicep index 5e424fda60..5184d05b9b 100644 --- a/modules/recovery-services/vault/tests/e2e/common/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rsvcom' +param serviceShort string = 'rsvmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 8266783dca..f7f4a331ec 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md 
@@ -35,11 +35,59 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/relay.namespace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rnmin' + params: { + // Required parameters + name: 'rnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -50,10 +98,10 @@ This instance deploys the module with most of its features enabled. ```bicep module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rncom' + name: '${uniqueString(deployment().name, location)}-test-rnmax' params: { // Required parameters - name: 'rncom001' + name: 'rnmax001' // Non-required parameters authorizationRules: [ { @@ -89,7 +137,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { enableDefaultTelemetry: '' hybridConnections: [ { - name: 'rncomhc001' + name: 'rnmaxhc001' roleAssignments: [ { principalId: '' @@ -155,7 +203,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { } wcfRelays: [ { - name: 'rncomwcf001' + name: 'rnmaxwcf001' relayType: 'NetTcp' roleAssignments: [ { @@ -184,7 +232,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rncom001" + "value": "rnmax001" }, // Non-required parameters "authorizationRules": { @@ -228,7 +276,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "hybridConnections": { "value": [ { - "name": "rncomhc001", + "name": "rnmaxhc001", "roleAssignments": [ { "principalId": "", @@ -308,7 +356,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { "wcfRelays": { "value": [ { - "name": "rncomwcf001", + "name": "rnmaxwcf001", "relayType": "NetTcp", "roleAssignments": [ { @@ -327,54 +375,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rnmin' - params: { - // Required parameters - name: 'rnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "rnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Pe_

diff --git a/modules/relay/namespace/tests/e2e/common/dependencies.bicep b/modules/relay/namespace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/relay/namespace/tests/e2e/common/dependencies.bicep rename to modules/relay/namespace/tests/e2e/max/dependencies.bicep diff --git a/modules/relay/namespace/tests/e2e/common/main.test.bicep b/modules/relay/namespace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/relay/namespace/tests/e2e/common/main.test.bicep rename to modules/relay/namespace/tests/e2e/max/main.test.bicep index 1145ec162b..d438ec09ec 100644 --- a/modules/relay/namespace/tests/e2e/common/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rncom' +param serviceShort string = 'rnmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index d471c82a90..b0a81c470e 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md 
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/resource-graph.query:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -40,30 +40,13 @@ This instance deploys the module with most of its features enabled. ```bicep module query 'br:bicep/modules/resource-graph.query:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rgqcom' + name: '${uniqueString(deployment().name, location)}-test-rgqmin' params: { // Required parameters - name: 'rgqcom001' + name: 'rgqmin001' query: 'resources | take 10' // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - queryDescription: 'An example query to list first 10 resources in the subscription.' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -82,7 +65,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rgqcom001" + "value": "rgqmin001" }, "query": { "value": "resources | take 10" @@ -90,31 +73,6 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "queryDescription": { - "value": "An example query to list first 10 resources in the subscription." - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -123,9 +81,9 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -134,13 +92,30 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module query 'br:bicep/modules/resource-graph.query:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rgqmin' + name: '${uniqueString(deployment().name, location)}-test-rgqmax' params: { // Required parameters - name: 'rgqmin001' + name: 'rgqmax001' query: 'resources | take 10' // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + queryDescription: 'An example query to list first 10 resources in the subscription.' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -159,7 +134,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rgqmin001" + "value": "rgqmax001" }, "query": { "value": "resources | take 10" @@ -167,6 +142,31 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "queryDescription": { + "value": "An example query to list first 10 resources in the subscription." + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } 
diff --git a/modules/resource-graph/query/tests/e2e/common/dependencies.bicep b/modules/resource-graph/query/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/resource-graph/query/tests/e2e/common/dependencies.bicep
rename to modules/resource-graph/query/tests/e2e/max/dependencies.bicep
diff --git a/modules/resource-graph/query/tests/e2e/common/main.test.bicep b/modules/resource-graph/query/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/resource-graph/query/tests/e2e/common/main.test.bicep
rename to modules/resource-graph/query/tests/e2e/max/main.test.bicep
index 5ba6722c2e..8ff4e69568 100644
--- a/modules/resource-graph/query/tests/e2e/common/main.test.bicep
+++ b/modules/resource-graph/query/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serv
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rgqcom'
+param serviceShort string = 'rgqmax'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md
index ed5414c1bc..e80ab43762 100644
--- a/modules/resources/resource-group/README.md
+++ b/modules/resources/resource-group/README.md
@@ -26,12 +26,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/resources.resource-group:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.
@@ -40,28 +40,12 @@ This instance deploys the module with most of its features enabled. ```bicep module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-rrgcom' + name: '${uniqueString(deployment().name)}-test-rrgmin' params: { // Required parameters - name: 'rrgcom001' + name: 'rrgmin001' // Non-required parameters enableDefaultTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -80,33 +64,11 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rrgcom001" + "value": "rrgmin001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -115,9 +77,9 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = {

-### Example 2: _Using only defaults_ +### Example 2: _Using large parameter set_ -This instance deploys the module with the minimum set of required parameters. +This instance deploys the module with most of its features enabled.

@@ -126,12 +88,28 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-rrgmin' + name: '${uniqueString(deployment().name, location)}-test-rrgmax' params: { // Required parameters - name: 'rrgmin001' + name: 'rrgmax001' // Non-required parameters enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -150,11 +128,33 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "rrgmin001" + "value": "rrgmax001" }, // Non-required parameters "enableDefaultTelemetry": { "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } diff --git a/modules/resources/resource-group/tests/e2e/common/dependencies.bicep b/modules/resources/resource-group/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/resources/resource-group/tests/e2e/common/dependencies.bicep rename to modules/resources/resource-group/tests/e2e/max/dependencies.bicep 
diff --git a/modules/resources/resource-group/tests/e2e/common/main.test.bicep b/modules/resources/resource-group/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/resources/resource-group/tests/e2e/common/main.test.bicep
rename to modules/resources/resource-group/tests/e2e/max/main.test.bicep
index d18688107c..91f263f885 100644
--- a/modules/resources/resource-group/tests/e2e/common/main.test.bicep
+++ b/modules/resources/resource-group/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${s
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'rrgcom'
+param serviceShort string = 'rrgmax'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md
index 80e140f944..3a6fe2f628 100644
--- a/modules/search/search-service/README.md
+++ b/modules/search/search-service/README.md
@@ -30,11 +30,59 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/search.search-service:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sssmin' + params: { + // Required parameters + name: 'sssmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sssmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,10 +93,10 @@ This instance deploys the module with most of its features enabled. ```bicep module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssscom' + name: '${uniqueString(deployment().name, location)}-test-sssmax' params: { // Required parameters - name: 'ssscom001' + name: 'sssmax001' // Non-required parameters authOptions: { aadOrApiKey: { @@ -128,7 +176,7 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "ssscom001" + "value": "sssmax001" }, // Non-required parameters "authOptions": { @@ -226,54 +274,6 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module searchService 'br:bicep/modules/search.search-service:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sssmin' - params: { - // Required parameters - name: 'sssmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sssmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Pe_

diff --git a/modules/search/search-service/tests/e2e/common/dependencies.bicep b/modules/search/search-service/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/search/search-service/tests/e2e/common/dependencies.bicep
rename to modules/search/search-service/tests/e2e/max/dependencies.bicep
diff --git a/modules/search/search-service/tests/e2e/common/main.test.bicep b/modules/search/search-service/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/search/search-service/tests/e2e/common/main.test.bicep
rename to modules/search/search-service/tests/e2e/max/main.test.bicep
index 9e32c070da..90a01b9be8 100644
--- a/modules/search/search-service/tests/e2e/common/main.test.bicep
+++ b/modules/search/search-service/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serv
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssscom'
+param serviceShort string = 'sssmax'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md
index 042f824136..ea0247aee2 100644
--- a/modules/security/azure-security-center/README.md
+++ b/modules/security/azure-security-center/README.md
@@ -42,7 +42,7 @@ This instance deploys the module with most of its features enabled.
 ```bicep
 module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = {
- name: '${uniqueString(deployment().name, location)}-test-sasccom'
+ name: '${uniqueString(deployment().name, location)}-test-sascmax'
 params: {
 // Required parameters
 workspaceId: ''
diff --git a/modules/security/azure-security-center/tests/e2e/common/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/security/azure-security-center/tests/e2e/common/dependencies.bicep
rename to modules/security/azure-security-center/tests/e2e/max/dependencies.bicep
diff --git a/modules/security/azure-security-center/tests/e2e/common/main.test.bicep b/modules/security/azure-security-center/tests/e2e/max/main.test.bicep
similarity index 98%
rename from modules/security/azure-security-center/tests/e2e/common/main.test.bicep
rename to modules/security/azure-security-center/tests/e2e/max/main.test.bicep
index da098c4a01..1118563116 100644
--- a/modules/security/azure-security-center/tests/e2e/common/main.test.bicep
+++ b/modules/security/azure-security-center/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sasccom'
+param serviceShort string = 'sascmax'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index 924bde7a97..60aef288fd 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -37,12 +37,241 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-bus.namespace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sbnmin' + params: { + // Required parameters + name: 'sbnmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sbnmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sbnencr' + params: { + // Required parameters + name: 'sbnencr001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: '' + } + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Premium' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sbnencr001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnetResourceId": "" + } + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -53,10 +282,10 @@ This instance deploys the module with most of its features enabled. ```bicep module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbncom' + name: '${uniqueString(deployment().name, location)}-test-sbnmax' params: { // Required parameters - name: 'sbncom001' + name: 'sbnmax001' // Non-required parameters authorizationRules: [ { @@ -159,7 +388,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] autoDeleteOnIdle: 'PT5M' maxMessageSizeInKilobytes: 2048 - name: 'sbncomq001' + name: 'sbnmaxq001' roleAssignments: [ { principalId: '' @@ -202,7 +431,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] } ] - name: 'sbncomt001' + name: 'sbnmaxt001' roleAssignments: [ { principalId: '' @@ -231,7 +460,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "sbncom001" + "value": "sbnmax001" }, // Non-required parameters "authorizationRules": { @@ -358,7 +587,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ], "autoDeleteOnIdle": "PT5M", "maxMessageSizeInKilobytes": 2048, - "name": "sbncomq001", + "name": "sbnmaxq001", "roleAssignments": [ { "principalId": "", @@ -411,7 +640,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { ] } ], - "name": "sbncomt001", + "name": "sbnmaxt001", "roleAssignments": [ { "principalId": "", @@ -432,235 +661,6 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbnmin' - params: { - // Required parameters - name: 'sbnmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sbnmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sbnencr' - params: { - // Required parameters - name: 'sbnencr001' - // Non-required parameters - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - { - name: 'AnotherKey' - rights: [ - 'Listen' - 'Send' - ] - } - ] - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourcesIds: [ - '' - ] - } - networkRuleSets: { - defaultAction: 'Deny' - ipRules: [ - { - action: 'Allow' - ipMask: '10.0.1.0/32' - } - { - action: 'Allow' - ipMask: '10.0.2.0/32' - } - ] - trustedServiceAccessEnabled: true - virtualNetworkRules: [ - { - ignoreMissingVnetServiceEndpoint: true - subnetResourceId: '' - } - ] - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - skuName: 'Premium' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "sbnencr001" - }, - // Non-required parameters - "authorizationRules": { - "value": [ - { - "name": "RootManageSharedAccessKey", - "rights": [ - "Listen", - "Manage", - "Send" - ] - }, - { - "name": "AnotherKey", - "rights": [ - "Listen", - "Send" - ] - } - ] - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourcesIds": [ - "" - ] - } - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "ipRules": [ - { - "action": "Allow", - "ipMask": "10.0.1.0/32" - }, - { - "action": "Allow", - "ipMask": "10.0.2.0/32" - } - ], - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [ - { - "ignoreMissingVnetServiceEndpoint": true, - "subnetResourceId": "" - } - ] - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "skuName": { - "value": "Premium" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ### Example 4: _Pe_

diff --git a/modules/service-bus/namespace/tests/e2e/common/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/max/dependencies.bicep
similarity index 100%
rename from modules/service-bus/namespace/tests/e2e/common/dependencies.bicep
rename to modules/service-bus/namespace/tests/e2e/max/dependencies.bicep
diff --git a/modules/service-bus/namespace/tests/e2e/common/main.test.bicep b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
similarity index 99%
rename from modules/service-bus/namespace/tests/e2e/common/main.test.bicep
rename to modules/service-bus/namespace/tests/e2e/max/main.test.bicep
index 0cd5115423..617b5a4832 100644
--- a/modules/service-bus/namespace/tests/e2e/common/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serv
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'sbncom'
+param serviceShort string = 'sbnmax'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md
index 4f8ed6b890..ff6dbe1f65 100644
--- a/modules/service-fabric/cluster/README.md
+++ b/modules/service-fabric/cluster/README.md
@@ -29,8 +29,8 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/service-fabric.cluster:1.0.0`. - [Cert](#example-1-cert) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [Using only defaults](#example-3-using-only-defaults) +- [Using only defaults](#example-2-using-only-defaults) +- [Using large parameter set](#example-3-using-large-parameter-set) ### Example 1: _Cert_ @@ -143,7 +143,99 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = {

-### Example 2: _Using large parameter set_ +### Example 2: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sfcmin' + params: { + // Required parameters + managementEndpoint: 'https://sfcmin001.westeurope.cloudapp.azure.com:19080' + name: 'sfcmin001' + nodeTypes: [ + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Bronze' + ephemeralPorts: { + endPort: 65534 + startPort: 49152 + } + httpGatewayEndpointPort: 19080 + isPrimary: true + name: 'Node01' + } + ] + reliabilityLevel: 'None' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "managementEndpoint": { + "value": "https://sfcmin001.westeurope.cloudapp.azure.com:19080" + }, + "name": { + "value": "sfcmin001" + }, + "nodeTypes": { + "value": [ + { + "applicationPorts": { + "endPort": 30000, + "startPort": 20000 + }, + "clientConnectionEndpointPort": 19000, + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": 65534, + "startPort": 49152 + }, + "httpGatewayEndpointPort": 19080, + "isPrimary": true, + "name": "Node01" + } + ] + }, + "reliabilityLevel": { + "value": "None" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -154,11 +246,11 @@ This instance deploys the module with most of its features enabled. ```bicep module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfccom' + name: '${uniqueString(deployment().name, location)}-test-sfcmax' params: { // Required parameters - managementEndpoint: 'https://sfccom001.westeurope.cloudapp.azure.com:19080' - name: 'sfccom001' + managementEndpoint: 'https://sfcmax001.westeurope.cloudapp.azure.com:19080' + name: 'sfcmax001' nodeTypes: [ { applicationPorts: { @@ -302,7 +394,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { } ] tags: { - clusterName: 'sfccom001' + clusterName: 'sfcmax001' 'hidden-title': 'This is visible in the resource name' resourceType: 'Service Fabric' } @@ -343,10 +435,10 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { "parameters": { // Required parameters "managementEndpoint": { - "value": "https://sfccom001.westeurope.cloudapp.azure.com:19080" + "value": "https://sfcmax001.westeurope.cloudapp.azure.com:19080" }, "name": { - "value": "sfccom001" + "value": "sfcmax001" }, "nodeTypes": { "value": [ @@ -522,7 +614,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { }, "tags": { "value": { - "clusterName": "sfccom001", + "clusterName": "sfcmax001", "hidden-title": "This is visible in the resource name", "resourceType": "Service Fabric" } @@ -557,98 +649,6 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = {

-### Example 3: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sfcmin' - params: { - // Required parameters - managementEndpoint: 'https://sfcmin001.westeurope.cloudapp.azure.com:19080' - name: 'sfcmin001' - nodeTypes: [ - { - applicationPorts: { - endPort: 30000 - startPort: 20000 - } - clientConnectionEndpointPort: 19000 - durabilityLevel: 'Bronze' - ephemeralPorts: { - endPort: 65534 - startPort: 49152 - } - httpGatewayEndpointPort: 19080 - isPrimary: true - name: 'Node01' - } - ] - reliabilityLevel: 'None' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "managementEndpoint": { - "value": "https://sfcmin001.westeurope.cloudapp.azure.com:19080" - }, - "name": { - "value": "sfcmin001" - }, - "nodeTypes": { - "value": [ - { - "applicationPorts": { - "endPort": 30000, - "startPort": 20000 - }, - "clientConnectionEndpointPort": 19000, - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": 65534, - "startPort": 49152 - }, - "httpGatewayEndpointPort": 19080, - "isPrimary": true, - "name": "Node01" - } - ] - }, - "reliabilityLevel": { - "value": "None" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/service-fabric/cluster/tests/e2e/common/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/service-fabric/cluster/tests/e2e/common/dependencies.bicep rename to modules/service-fabric/cluster/tests/e2e/max/dependencies.bicep diff --git a/modules/service-fabric/cluster/tests/e2e/common/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/service-fabric/cluster/tests/e2e/common/main.test.bicep rename to modules/service-fabric/cluster/tests/e2e/max/main.test.bicep index 5bd1688211..c566919098 100644 --- a/modules/service-fabric/cluster/tests/e2e/common/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sfccom' +param serviceShort string = 'sfcmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index e7156a5cbe..8a20ce6637 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md 
@@ -28,10 +28,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.signal-r:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-srsdrmin' + params: { + // Required parameters + name: 'srsdrmin-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srsdrmin-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +90,10 @@ This instance deploys the module with most of its features enabled. ```bicep module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-srssrcom' + name: '${uniqueString(deployment().name)}-test-srssrmax' params: { // Required parameters - name: 'srssrcom-001' + name: 'srssrmax-001' // Non-required parameters capacity: 2 clientCertEnabled: false @@ -67,7 +115,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { 'ServerConnection' 'Trace' ] - name: 'pe-srssrcom-001' + name: 'pe-srssrmax-001' } ] publicNetwork: { @@ -125,7 +173,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "srssrcom-001" + "value": "srssrmax-001" }, // Non-required parameters "capacity": { @@ -165,7 +213,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { "ServerConnection", "Trace" ], - "name": "pe-srssrcom-001" + "name": "pe-srssrmax-001" } ], "publicNetwork": { @@ -223,54 +271,6 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-srsdrmin' - params: { - // Required parameters - name: 'srsdrmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srsdrmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/signal-r-service/signal-r/tests/e2e/common/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/signal-r-service/signal-r/tests/e2e/common/dependencies.bicep rename to modules/signal-r-service/signal-r/tests/e2e/max/dependencies.bicep diff --git a/modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep rename to modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep index df27118a70..751e1286fd 100644 --- a/modules/signal-r-service/signal-r/tests/e2e/common/main.test.bicep +++ b/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'srssrcom' +param serviceShort string = 'srssrmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index c0d2652156..de04a9437c 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md 
@@ -28,11 +28,59 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/signal-r-service.web-pub-sub:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-srswpsmin' + params: { + // Required parameters + name: 'srswpsmin-001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srswpsmin-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -43,10 +91,10 @@ This instance deploys the module with most of its features enabled. ```bicep module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpscom' + name: '${uniqueString(deployment().name, location)}-test-srswpsmax' params: { // Required parameters - name: 'srswpscom-001' + name: 'srswpsmax-001' // Non-required parameters capacity: 2 clientCertEnabled: false @@ -70,7 +118,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { 'ServerConnection' 'Trace' ] - name: 'pe-srswpscom-001' + name: 'pe-srswpsmax-001' } ] publicNetwork: { @@ -129,7 +177,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "srswpscom-001" + "value": "srswpsmax-001" }, // Non-required parameters "capacity": { @@ -171,7 +219,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { "ServerConnection", "Trace" ], - "name": "pe-srswpscom-001" + "name": "pe-srswpsmax-001" } ], "publicNetwork": { @@ -230,54 +278,6 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-srswpsmin' - params: { - // Required parameters - name: 'srswpsmin-001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "srswpsmin-001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Pe_

diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/common/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/signal-r-service/web-pub-sub/tests/e2e/common/dependencies.bicep rename to modules/signal-r-service/web-pub-sub/tests/e2e/max/dependencies.bicep diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep rename to modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep index 9839ae68aa..007c6f0032 100644 --- a/modules/signal-r-service/web-pub-sub/tests/e2e/common/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'srswpscom' +param serviceShort string = 'srswpsmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index d7edde8263..14c4696753 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md 
@@ -36,11 +36,71 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/sql.managed-instance:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) - [Vulnassm](#example-3-vulnassm) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlmimin' + params: { + // Required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + name: 'sqlmimin' + subnetId: '' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "name": { + "value": "sqlmimin" + }, + "subnetId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -51,12 +111,12 @@ This instance deploys the module with most of its features enabled. ```bicep module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmicom' + name: '${uniqueString(deployment().name, location)}-test-sqlmimax' params: { // Required parameters administratorLogin: 'adminUserName' administratorLoginPassword: '' - name: 'sqlmicom' + name: 'sqlmimax' subnetId: '' // Non-required parameters collation: 'SQL_Latin1_General_CP1_CI_AS' @@ -77,7 +137,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { workspaceResourceId: '' } ] - name: 'sqlmicom-db-001' + name: 'sqlmimax-db-001' } ] diagnosticSettings: [ @@ -178,7 +238,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "value": "" }, "name": { - "value": "sqlmicom" + "value": "sqlmimax" }, "subnetId": { "value": "" @@ -204,7 +264,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "workspaceResourceId": "" } ], - "name": "sqlmicom-db-001" + "name": "sqlmimax-db-001" } ] }, @@ -332,66 +392,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlmimin' - params: { - // Required parameters - administratorLogin: 'adminUserName' - administratorLoginPassword: '' - name: 'sqlmimin' - subnetId: '' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "administratorLogin": { - "value": "adminUserName" - }, - "administratorLoginPassword": { - "value": "" - }, - "name": { - "value": "sqlmimin" - }, - "subnetId": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ### Example 3: _Vulnassm_

diff --git a/modules/sql/managed-instance/tests/e2e/common/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/sql/managed-instance/tests/e2e/common/dependencies.bicep rename to modules/sql/managed-instance/tests/e2e/max/dependencies.bicep diff --git a/modules/sql/managed-instance/tests/e2e/common/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/sql/managed-instance/tests/e2e/common/main.test.bicep rename to modules/sql/managed-instance/tests/e2e/max/main.test.bicep index 40bb06b60a..401b4c47a9 100644 --- a/modules/sql/managed-instance/tests/e2e/common/main.test.bicep +++ b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sqlmicom' +param serviceShort string = 'sqlmimax' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 57fbcd7a99..329f0f3f82 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -118,10 +118,10 @@ This instance deploys the module with most of its features enabled. ```bicep module server 'br:bicep/modules/sql.server:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-sqlscom' + name: '${uniqueString(deployment().name, location)}-test-sqlsmax' params: { // Required parameters - name: 'sqlscom' + name: 'sqlsmax' // Non-required parameters administratorLogin: 'adminUserName' administratorLoginPassword: '' 
@@ -151,7 +151,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { } licenseType: 'LicenseIncluded' maxSizeBytes: 34359738368 - name: 'sqlscomdb-001' + name: 'sqlsmaxdb-001' skuName: 'ElasticPool' skuTier: 'GeneralPurpose' } @@ -159,7 +159,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { elasticPools: [ { maintenanceConfigurationId: '' - name: 'sqlscom-ep-001' + name: 'sqlsmax-ep-001' skuCapacity: 10 skuName: 'GP_Gen5' skuTier: 'GeneralPurpose' @@ -260,7 +260,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sqlscom" + "value": "sqlsmax" }, "administratorLogin": { "value": "adminUserName" @@ -295,7 +295,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { }, "licenseType": "LicenseIncluded", "maxSizeBytes": 34359738368, - "name": "sqlscomdb-001", + "name": "sqlsmaxdb-001", "skuName": "ElasticPool", "skuTier": "GeneralPurpose" } @@ -305,7 +305,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "value": [ { "maintenanceConfigurationId": "", - "name": "sqlscom-ep-001", + "name": "sqlsmax-ep-001", "skuCapacity": 10, "skuName": "GP_Gen5", "skuTier": "GeneralPurpose" diff --git a/modules/sql/server/tests/e2e/common/dependencies.bicep b/modules/sql/server/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/sql/server/tests/e2e/common/dependencies.bicep rename to modules/sql/server/tests/e2e/max/dependencies.bicep diff --git a/modules/sql/server/tests/e2e/common/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/sql/server/tests/e2e/common/main.test.bicep rename to modules/sql/server/tests/e2e/max/main.test.bicep index 0c871563b6..bea350e17c 100644 --- a/modules/sql/server/tests/e2e/common/main.test.bicep +++ b/modules/sql/server/tests/e2e/max/main.test.bicep 
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sqlscom' +param serviceShort string = 'sqlsmax' @description('Optional. The password to leverage for the login.') @secure() diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 87e05dea85..137e38dee2 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -41,13 +41,234 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/storage.storage-account:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encr](#example-3-encr) +- [Using only defaults](#example-1-using-only-defaults) +- [Encr](#example-2-encr) +- [Using large parameter set](#example-3-using-large-parameter-set) - [Nfs](#example-4-nfs) - [V1](#example-5-v1) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssamin' + params: { + // Required parameters + name: 'ssamin001' + // Non-required parameters + allowBlobPublicAccess: false + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssamin001" + }, + // Non-required parameters + "allowBlobPublicAccess": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Encr_ + +

+ +via Bicep module + +```bicep +module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssaencr' + params: { + // Required parameters + name: 'ssaencr001' + // Non-required parameters + allowBlobPublicAccess: false + blobServices: { + automaticSnapshotPolicyEnabled: true + changeFeedEnabled: true + changeFeedRetentionInDays: 10 + containerDeleteRetentionPolicyAllowPermanentDelete: true + containerDeleteRetentionPolicyDays: 10 + containerDeleteRetentionPolicyEnabled: true + containers: [ + { + name: 'container' + publicAccess: 'None' + } + ] + defaultServiceVersion: '2008-10-27' + deleteRetentionPolicyDays: 9 + deleteRetentionPolicyEnabled: true + isVersioningEnabled: true + lastAccessTimeTrackingPolicyEnable: true + restorePolicyDays: 8 + restorePolicyEnabled: true + } + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + enableDefaultTelemetry: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'blob' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + requireInfrastructureEncryption: true + skuName: 'Standard_LRS' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssaencr001" + }, + // Non-required parameters + "allowBlobPublicAccess": { + "value": false + }, + "blobServices": { + "value": { + "automaticSnapshotPolicyEnabled": true, + "changeFeedEnabled": true, + "changeFeedRetentionInDays": 10, + "containerDeleteRetentionPolicyAllowPermanentDelete": true, + "containerDeleteRetentionPolicyDays": 10, + "containerDeleteRetentionPolicyEnabled": true, + "containers": [ + { + "name": "container", + "publicAccess": "None" + } + ], + "defaultServiceVersion": "2008-10-27", + "deleteRetentionPolicyDays": 9, + "deleteRetentionPolicyEnabled": true, + "isVersioningEnabled": true, + "lastAccessTimeTrackingPolicyEnable": true, + "restorePolicyDays": 8, + "restorePolicyEnabled": true + } + }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "blob", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "requireInfrastructureEncryption": { + "value": true + }, + "skuName": { + "value": "Standard_LRS" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -58,10 +279,10 @@ This instance deploys the module with most of its features enabled. ```bicep module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssacom' + name: '${uniqueString(deployment().name, location)}-test-ssamax' params: { // Required parameters - name: 'ssacom001' + name: 'ssamax001' // Non-required parameters allowBlobPublicAccess: false blobServices: { @@ -178,7 +399,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { service: 'blob' } ] - storageAccountName: 'ssacom001' + storageAccountName: 'ssamax001' } ] lock: { @@ -344,7 +565,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "ssacom001" + "value": "ssamax001" }, // Non-required parameters "allowBlobPublicAccess": { @@ -481,7 +702,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "service": "blob" } ], - "storageAccountName": "ssacom001" + "storageAccountName": "ssamax001" } ] }, @@ -661,227 +882,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssamin' - params: { - // Required parameters - name: 'ssamin001' - // Non-required parameters - allowBlobPublicAccess: false - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssamin001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _Encr_ - -

- -via Bicep module - -```bicep -module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ssaencr' - params: { - // Required parameters - name: 'ssaencr001' - // Non-required parameters - allowBlobPublicAccess: false - blobServices: { - automaticSnapshotPolicyEnabled: true - changeFeedEnabled: true - changeFeedRetentionInDays: 10 - containerDeleteRetentionPolicyAllowPermanentDelete: true - containerDeleteRetentionPolicyDays: 10 - containerDeleteRetentionPolicyEnabled: true - containers: [ - { - name: 'container' - publicAccess: 'None' - } - ] - defaultServiceVersion: '2008-10-27' - deleteRetentionPolicyDays: 9 - deleteRetentionPolicyEnabled: true - isVersioningEnabled: true - lastAccessTimeTrackingPolicyEnable: true - restorePolicyDays: 8 - restorePolicyEnabled: true - } - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } - enableDefaultTelemetry: '' - managedIdentities: { - systemAssigned: false - userAssignedResourcesIds: [ - '' - ] - } - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'blob' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - requireInfrastructureEncryption: true - skuName: 'Standard_LRS' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "ssaencr001" - }, - // Non-required parameters - "allowBlobPublicAccess": { - "value": false - }, - "blobServices": { - "value": { - "automaticSnapshotPolicyEnabled": true, - "changeFeedEnabled": true, - "changeFeedRetentionInDays": 10, - "containerDeleteRetentionPolicyAllowPermanentDelete": true, - "containerDeleteRetentionPolicyDays": 10, - "containerDeleteRetentionPolicyEnabled": true, - "containers": [ - { - "name": "container", - "publicAccess": "None" - } - ], - "defaultServiceVersion": "2008-10-27", - "deleteRetentionPolicyDays": 9, - "deleteRetentionPolicyEnabled": true, - "isVersioningEnabled": true, - "lastAccessTimeTrackingPolicyEnable": true, - "restorePolicyDays": 8, - "restorePolicyEnabled": true - } - }, - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } - }, - "enableDefaultTelemetry": { - "value": "" - }, - "managedIdentities": { - "value": { - "systemAssigned": false, - "userAssignedResourcesIds": [ - "" - ] - } - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "blob", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "requireInfrastructureEncryption": { - "value": true - }, - "skuName": { - "value": "Standard_LRS" - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

- ### Example 4: _Nfs_

diff --git a/modules/storage/storage-account/tests/e2e/common/dependencies.bicep b/modules/storage/storage-account/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/storage/storage-account/tests/e2e/common/dependencies.bicep rename to modules/storage/storage-account/tests/e2e/max/dependencies.bicep diff --git a/modules/storage/storage-account/tests/e2e/common/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/storage/storage-account/tests/e2e/common/main.test.bicep rename to modules/storage/storage-account/tests/e2e/max/main.test.bicep index 202de04d91..60b068d260 100644 --- a/modules/storage/storage-account/tests/e2e/common/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssacom' +param serviceShort string = 'ssamax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index ab5d11e2d5..6e5a8a801c 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md 
@@ -28,10 +28,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.private-link-hub:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-splhmin' + params: { + // Required parameters + name: 'splhmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "splhmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -42,10 +90,10 @@ This instance deploys the module with most of its features enabled. ```bicep module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-splhcom' + name: '${uniqueString(deployment().name, location)}-test-splhmax' params: { // Required parameters - name: 'splhcom001' + name: 'splhmax001' // Non-required parameters enableDefaultTelemetry: '' lock: { @@ -101,7 +149,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "splhcom001" + "value": "splhmax001" }, // Non-required parameters "enableDefaultTelemetry": { @@ -157,54 +205,6 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-splhmin' - params: { - // Required parameters - name: 'splhmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "splhmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/synapse/private-link-hub/tests/e2e/common/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/synapse/private-link-hub/tests/e2e/common/dependencies.bicep rename to modules/synapse/private-link-hub/tests/e2e/max/dependencies.bicep diff --git a/modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep rename to modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep index 36f8efcc7d..5f1dc18c70 100644 --- a/modules/synapse/private-link-hub/tests/e2e/common/main.test.bicep +++ b/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'splhcom' +param serviceShort string = 'splhmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 3b067e5ac2..d00edcb815 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md 
@@ -32,15 +32,15 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/synapse.workspace:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) -- [Encrwsai](#example-3-encrwsai) -- [Encrwuai](#example-4-encrwuai) -- [Managedvnet](#example-5-managedvnet) +- [Using only defaults](#example-1-using-only-defaults) +- [Encrwsai](#example-2-encrwsai) +- [Encrwuai](#example-3-encrwuai) +- [Managedvnet](#example-4-managedvnet) +- [Using large parameter set](#example-5-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ -This instance deploys the module with most of its features enabled. +This instance deploys the module with the minimum set of required parameters.

@@ -49,64 +49,15 @@ This instance deploys the module with most of its features enabled. ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swcom' + name: '${uniqueString(deployment().name, location)}-test-swmin' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swcom001' + name: 'swmin001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - logCategoriesAndGroups: [ - { - category: 'SynapseRbacOperations' - } - { - category: 'SynapseLinkEvent' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] enableDefaultTelemetry: '' - initialWorkspaceAdminObjectID: '' - integrationRuntimes: [ - { - name: 'shir01' - type: 'SelfHosted' - } - ] - managedVirtualNetwork: true - privateEndpoints: [ - { - privateDnsZoneResourceIds: [ - '' - ] - service: 'SQL' - subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -131,77 +82,14 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swcom001" + "value": "swmin001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "logCategoriesAndGroups": [ - { - "category": "SynapseRbacOperations" - }, - { - "category": "SynapseLinkEvent" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, "enableDefaultTelemetry": { "value": "" - }, - "initialWorkspaceAdminObjectID": { - "value": "" - }, - "integrationRuntimes": { - "value": [ - { - "name": "shir01", - "type": "SelfHosted" - } - ] - }, - "managedVirtualNetwork": { - "value": true - }, - "privateEndpoints": { - "value": [ - { - "privateDnsZoneResourceIds": [ - "" - ], - "service": "SQL", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -210,10 +98,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - +### Example 2: _Encrwsai_

@@ -221,15 +106,20 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmin' + name: '${uniqueString(deployment().name, location)}-test-swensa' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swmin001' + name: 'swensa001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + } enableDefaultTelemetry: '' + encryptionActivateWorkspace: true } } ``` @@ -254,14 +144,23 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swmin001" + "value": "swensa001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "" + } + }, "enableDefaultTelemetry": { "value": "" + }, + "encryptionActivateWorkspace": { + "value": true } } } @@ -270,7 +169,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 3: _Encrwsai_ +### Example 3: _Encrwuai_

@@ -278,20 +177,25 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swensa' + name: '${uniqueString(deployment().name, location)}-test-swenua' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swensa001' + name: 'swenua001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters customerManagedKey: { keyName: '' keyVaultResourceId: '' + userAssignedIdentityResourceId: '' } enableDefaultTelemetry: '' - encryptionActivateWorkspace: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } } ``` @@ -316,7 +220,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swensa001" + "value": "swenua001" }, "sqlAdministratorLogin": { "value": "synwsadmin" @@ -325,14 +229,19 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "customerManagedKey": { "value": { "keyName": "", - "keyVaultResourceId": "" + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" } }, "enableDefaultTelemetry": { "value": "" }, - "encryptionActivateWorkspace": { - "value": true + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } } } @@ -341,7 +250,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 4: _Encrwuai_ +### Example 4: _Managedvnet_

@@ -349,20 +258,20 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swenua' + name: '${uniqueString(deployment().name, location)}-test-swmanv' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swenua001' + name: 'swmanv001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - customerManagedKey: { - keyName: '' - keyVaultResourceId: '' - userAssignedIdentityResourceId: '' - } + allowedAadTenantIdsForLinking: [ + '' + ] enableDefaultTelemetry: '' + managedVirtualNetwork: true + preventDataExfiltration: true tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -392,22 +301,26 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swenua001" + "value": "swmanv001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters - "customerManagedKey": { - "value": { - "keyName": "", - "keyVaultResourceId": "", - "userAssignedIdentityResourceId": "" - } + "allowedAadTenantIdsForLinking": { + "value": [ + "" + ] }, "enableDefaultTelemetry": { "value": "" }, + "managedVirtualNetwork": { + "value": true + }, + "preventDataExfiltration": { + "value": true + }, "tags": { "value": { "Environment": "Non-Prod", @@ -422,7 +335,10 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

-### Example 5: _Managedvnet_ +### Example 5: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. +

@@ -430,24 +346,63 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { ```bicep module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-swmanv' + name: '${uniqueString(deployment().name, location)}-test-swmax' params: { // Required parameters defaultDataLakeStorageAccountResourceId: '' defaultDataLakeStorageFilesystem: '' - name: 'swmanv001' + name: 'swmax001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters - allowedAadTenantIdsForLinking: [ - '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } ] enableDefaultTelemetry: '' + initialWorkspaceAdminObjectID: '' + integrationRuntimes: [ + { + name: 'shir01' + type: 'SelfHosted' + } + ] managedVirtualNetwork: true - preventDataExfiltration: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'SQL' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userAssignedIdentities: { + '': {} } } } 
@@ -473,31 +428,76 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "value": "" }, "name": { - "value": "swmanv001" + "value": "swmax001" }, "sqlAdministratorLogin": { "value": "synwsadmin" }, // Non-required parameters - "allowedAadTenantIdsForLinking": { + "diagnosticSettings": { "value": [ - "" + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "SynapseRbacOperations" + }, + { + "category": "SynapseLinkEvent" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } ] }, "enableDefaultTelemetry": { "value": "" }, + "initialWorkspaceAdminObjectID": { + "value": "" + }, + "integrationRuntimes": { + "value": [ + { + "name": "shir01", + "type": "SelfHosted" + } + ] + }, "managedVirtualNetwork": { "value": true }, - "preventDataExfiltration": { - "value": true + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "SQL", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] }, - "tags": { + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "userAssignedIdentities": { "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" + "": {} } } } diff --git a/modules/synapse/workspace/tests/e2e/common/dependencies.bicep b/modules/synapse/workspace/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/synapse/workspace/tests/e2e/common/dependencies.bicep rename to modules/synapse/workspace/tests/e2e/max/dependencies.bicep 
diff --git a/modules/synapse/workspace/tests/e2e/common/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/synapse/workspace/tests/e2e/common/main.test.bicep rename to modules/synapse/workspace/tests/e2e/max/main.test.bicep index 6c4567c98c..70526bbe29 100644 --- a/modules/synapse/workspace/tests/e2e/common/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'swcom' +param serviceShort string = 'swmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index eb1f5bfbfb..d5d30e9144 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -27,10 +27,100 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/virtual-machine-images.image-template:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitmin' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '30m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-10' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win10-22h2-ent' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitmin001' + userMsiName: '' + // Non-required parameters + enableDefaultTelemetry: '' + managedImageName: 'mi-vmiitmin-001' + userMsiResourceGroup: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "30m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-10", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win10-22h2-ent", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitmin001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedImageName": { + "value": "mi-vmiitmin-001" + }, + "userMsiResourceGroup": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -41,7 +131,7 @@ This instance deploys the module with most of its features enabled. ```bicep module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitcom' + name: '${uniqueString(deployment().name, location)}-test-vmiitmax' params: { // Required parameters customizationSteps: [ @@ -57,7 +147,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 type: 'PlatformImage' version: 'latest' } - name: 'vmiitcom001' + name: 'vmiitmax001' userMsiName: '' // Non-required parameters buildTimeoutInMinutes: 60 @@ -67,7 +157,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - managedImageName: 'mi-vmiitcom-001' + managedImageName: 'mi-vmiitmax-001' osDiskSizeGB: 127 roleAssignments: [ { @@ -85,7 +175,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - unManagedImageName: 'umi-vmiitcom-001' + unManagedImageName: 'umi-vmiitmax-001' userAssignedIdentities: [ '' ] @@ -126,7 +216,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 } }, "name": { - "value": "vmiitcom001" + "value": "vmiitmax001" }, "userMsiName": { "value": "" @@ -148,7 +238,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 } }, "managedImageName": { - "value": "mi-vmiitcom-001" + "value": "mi-vmiitmax-001" }, "osDiskSizeGB": { "value": 127 @@ -182,7 +272,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 } }, "unManagedImageName": { - "value": "umi-vmiitcom-001" + "value": "umi-vmiitmax-001" }, "userAssignedIdentities": { "value": [ 
@@ -202,96 +292,6 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-vmiitmin' - params: { - // Required parameters - customizationSteps: [ - { - restartTimeout: '30m' - type: 'WindowsRestart' - } - ] - imageSource: { - offer: 'Windows-10' - publisher: 'MicrosoftWindowsDesktop' - sku: 'win10-22h2-ent' - type: 'PlatformImage' - version: 'latest' - } - name: 'vmiitmin001' - userMsiName: '' - // Non-required parameters - enableDefaultTelemetry: '' - managedImageName: 'mi-vmiitmin-001' - userMsiResourceGroup: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "customizationSteps": { - "value": [ - { - "restartTimeout": "30m", - "type": "WindowsRestart" - } - ] - }, - "imageSource": { - "value": { - "offer": "Windows-10", - "publisher": "MicrosoftWindowsDesktop", - "sku": "win10-22h2-ent", - "type": "PlatformImage", - "version": "latest" - } - }, - "name": { - "value": "vmiitmin001" - }, - "userMsiName": { - "value": "" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "managedImageName": { - "value": "mi-vmiitmin-001" - }, - "userMsiResourceGroup": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/virtual-machine-images/image-template/tests/e2e/common/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/virtual-machine-images/image-template/tests/e2e/common/dependencies.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep diff --git a/modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep similarity index 99% rename from modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep rename to modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep index fe5eecd0a2..254fadcce6 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/common/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagete param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'vmiitcom' +param serviceShort string = 'vmiitmax' @description('Optional. The version of the Azure Compute Gallery Image Definition to be added.') param sigImageVersion string = utcNow('yyyy.MM.dd') diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index d993463be0..bdb9491881 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md 
@@ -39,7 +39,7 @@ This instance deploys the module with most of its features enabled. ```bicep module connection 'br:bicep/modules/web.connection:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wccom' + name: '${uniqueString(deployment().name, location)}-test-wcmax' params: { // Required parameters displayName: 'azuremonitorlogs' diff --git a/modules/web/connection/tests/e2e/common/dependencies.bicep b/modules/web/connection/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/web/connection/tests/e2e/common/dependencies.bicep rename to modules/web/connection/tests/e2e/max/dependencies.bicep diff --git a/modules/web/connection/tests/e2e/common/main.test.bicep b/modules/web/connection/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/web/connection/tests/e2e/common/main.test.bicep rename to modules/web/connection/tests/e2e/max/main.test.bicep index 5975399c38..185384cf04 100644 --- a/modules/web/connection/tests/e2e/common/main.test.bicep +++ b/modules/web/connection/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wccom' +param serviceShort string = 'wcmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 1f13295b37..4dc832d2b9 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md 
@@ -40,10 +40,10 @@ This instance deploys the module with most of its features enabled. ```bicep module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsfcom' + name: '${uniqueString(deployment().name, location)}-test-wsfmax' params: { // Required parameters - name: 'wsfcom001' + name: 'wsfmax001' sku: { capacity: '1' family: 'S' @@ -101,7 +101,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "wsfcom001" + "value": "wsfmax001" }, "sku": { "value": { diff --git a/modules/web/serverfarm/tests/e2e/common/dependencies.bicep b/modules/web/serverfarm/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/web/serverfarm/tests/e2e/common/dependencies.bicep rename to modules/web/serverfarm/tests/e2e/max/dependencies.bicep diff --git a/modules/web/serverfarm/tests/e2e/common/main.test.bicep b/modules/web/serverfarm/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/web/serverfarm/tests/e2e/common/main.test.bicep rename to modules/web/serverfarm/tests/e2e/max/main.test.bicep index 2eca5fc775..ab5b234c99 100644 --- a/modules/web/serverfarm/tests/e2e/common/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wsfcom' +param serviceShort string = 'wsfmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index cc22765503..ebd2b09d90 100644 --- a/modules/web/static-site/README.md 
+++ b/modules/web/static-site/README.md @@ -31,10 +31,58 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.static-site:1.0.0`. -- [Using large parameter set](#example-1-using-large-parameter-set) -- [Using only defaults](#example-2-using-only-defaults) +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) -### Example 1: _Using large parameter set_ +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wssmin' + params: { + // Required parameters + name: 'wssmin001' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "wssmin001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -45,10 +93,10 @@ This instance deploys the module with most of its features enabled. ```bicep module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wsscom' + name: '${uniqueString(deployment().name, location)}-test-wssmax' params: { // Required parameters - name: 'wsscom001' + name: 'wssmax001' // Non-required parameters allowConfigFileUpdates: true appSettings: { @@ -119,7 +167,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "parameters": { // Required parameters "name": { - "value": "wsscom001" + "value": "wssmax001" }, // Non-required parameters "allowConfigFileUpdates": { @@ -206,54 +254,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {

-### Example 2: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-wssmin' - params: { - // Required parameters - name: 'wssmin001' - // Non-required parameters - enableDefaultTelemetry: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "wssmin001" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - } - } -} -``` - -
-

- ## Parameters diff --git a/modules/web/static-site/tests/e2e/common/dependencies.bicep b/modules/web/static-site/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/web/static-site/tests/e2e/common/dependencies.bicep rename to modules/web/static-site/tests/e2e/max/dependencies.bicep diff --git a/modules/web/static-site/tests/e2e/common/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep similarity index 98% rename from modules/web/static-site/tests/e2e/common/main.test.bicep rename to modules/web/static-site/tests/e2e/max/main.test.bicep index 3e5f43bb03..0a800c70a2 100644 --- a/modules/web/static-site/tests/e2e/common/main.test.bicep +++ b/modules/web/static-site/tests/e2e/max/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wsscom' +param serviceShort string = 'wssmax' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From 874e27809038cbfd96becfdbf1b4649a85f3a2a4 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 5 Nov 2023 12:06:32 +0000 Subject: [PATCH 088/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 1353 ++++++++++++++++++++++--------- 1 file changed, 953 insertions(+), 400 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index c2f6a20e57..309df8f051 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -2276,7 +2276,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/checkNameAvailability": [ "2020-07-01", 
@@ -2294,7 +2295,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/operationResults": [ "2020-07-01", @@ -2312,7 +2314,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/operationStatus": [ "2020-07-01", @@ -2330,7 +2333,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "operations": [ "2020-07-01", @@ -2348,7 +2352,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "runtimeVersions": [ "2020-07-01", @@ -2364,7 +2369,8 @@ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Spring": [ "2020-07-01", @@ -2756,6 +2762,14 @@ "2023-11-01-preview" ] }, + "Microsoft.AppSecurity": { + "operationStatuses": [ + "2023-02-06-preview" + ], + "policies": [ + "2023-02-06-preview" + ] + }, "Microsoft.ArcNetworking": { "arcNwLoadBalancers": [ "2023-07-01-preview" @@ -2920,7 +2934,7 @@ "2018-07-01", "2022-04-01" ], - "policyassignments": [ + "policyAssignments": [ "2015-10-01-preview", "2015-11-01", "2016-04-01", @@ -2938,7 +2952,7 @@ "2022-06-01", "2023-04-01" ], - "policydefinitions": [ + "policyDefinitions": [ "2015-10-01-preview", "2015-11-01", "2016-04-01", @@ -3164,13 +3178,15 @@ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/compilationjobs": [ "2015-10-31", "2018-01-15", "2019-06-01", - "2020-01-13-preview" + "2020-01-13-preview", + "2023-05-15-preview" ], "automationAccounts/configurations": [ "2015-01-01-preview", 
@@ -3187,19 +3203,22 @@ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/connectionTypes": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/credentials": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/hybridRunbookWorkerGroups": [ "2015-01-01-preview", @@ -3235,20 +3254,23 @@ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/modules": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/nodeConfigurations": [ "2015-10-31", "2018-01-15", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/privateEndpointConnectionProxies": [ "2020-01-13-preview", @@ -3269,10 +3291,12 @@ "2018-06-30", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/python3Packages": [ - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/runbooks": [ "2015-01-01-preview", @@ -3289,13 +3313,21 @@ "2015-10-31", "2018-06-30", "2019-06-01", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" + ], + "automationAccounts/runtimeEnvironments": [ + "2023-05-15-preview" + ], + "automationAccounts/runtimeEnvironments/packages": [ + "2023-05-15-preview" ], "automationAccounts/schedules": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/softwareUpdateConfigurationMachineRuns": [ "2017-05-15-preview", 
@@ -3327,24 +3359,28 @@ "2017-05-15-preview", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/sourceControls/sourceControlSyncJobs": [ "2017-05-15-preview", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/variables": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", - "2022-08-08" + "2022-08-08", + "2023-05-15-preview" ], "automationAccounts/watchers": [ "2015-10-31", "2019-06-01", - "2020-01-13-preview" + "2020-01-13-preview", + "2023-05-15-preview" ], "automationAccounts/webhooks": [ "2015-01-01-preview", @@ -3650,7 +3686,8 @@ "2021-04-01", "2021-04-01-preview", "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" ], "b2ctenants": [ "2016-02-10-privatepreview", @@ -3671,14 +3708,16 @@ ], "ciamDirectories": [ "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" ], "guestUsages": [ "2020-05-01-preview", "2021-04-01", "2021-04-01-preview", "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" ], "operations": [ "2016-02-10-privatepreview", @@ -3798,7 +3837,8 @@ "2021-08-10-privatepreview" ], "dstsApplications": [ - "2021-08-10-privatepreview" + "2021-08-10-privatepreview", + "2023-08-22-preview" ], "dstsServiceAccounts": [ "2021-08-10-privatepreview" @@ -3988,7 +4028,8 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" ], "clusters/arcSettings": [ "2021-01-01-preview", @@ -4004,7 +4045,8 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" ], "clusters/arcSettings/extensions": [ "2021-01-01-preview", @@ -4020,7 +4062,11 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" + ], + "clusters/deploymentSettings": [ + "2023-08-01-preview" ], "clusters/offers": [ "2022-04-01-preview" 
@@ -4042,7 +4088,8 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" ], "clusters/updates/updateRuns": [ "2022-08-01-preview", @@ -4052,7 +4099,8 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" ], "clusters/updateSummaries": [ "2022-08-01-preview", @@ -4062,7 +4110,11 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" + ], + "edgeDevices": [ + "2023-08-01-preview" ], "galleryImages": [ "2020-11-01-preview", @@ -5491,7 +5543,7 @@ "2022-09-15", "2023-09-15-preview" ], - "botServices/Connections": [ + "botServices/connections": [ "2017-12-01", "2018-07-12", "2020-06-02", @@ -5505,7 +5557,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "botServices/privateEndpointConnections": [ "2021-03-01", @@ -5518,7 +5571,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "checkNameAvailability": [ "2017-12-01", @@ -5527,7 +5581,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "enterpriseChannels": [ "2018-07-12" @@ -5536,7 +5591,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "listAuthServiceProviders": [ "2017-12-01", @@ -5545,11 +5601,13 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "listQnAMakerEndpointKeys": [ "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "locations": [ "2017-12-01", @@ -5558,7 +5616,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2017-12-01", 
@@ -5567,13 +5626,15 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "operationResults": [ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ], "operations": [ "2017-12-01", @@ -5582,7 +5643,8 @@ "2021-03-01", "2021-05-01-preview", "2022-06-15-preview", - "2022-09-15" + "2022-09-15", + "2023-09-15-preview" ] }, "Microsoft.Cache": { @@ -5713,7 +5775,7 @@ "2023-07-01", "2023-10-01-preview" ], - "redis": [ + "Redis": [ "2014-04-01", "2014-04-01-preview", "2015-03-01", @@ -5759,7 +5821,7 @@ "2023-05-01-preview", "2023-08-01" ], - "redis/firewallRules": [ + "Redis/firewallRules": [ "2016-04-01", "2017-02-01", "2017-10-01", @@ -5788,7 +5850,7 @@ "2023-05-01-preview", "2023-08-01" ], - "redis/patchSchedules": [ + "Redis/patchSchedules": [ "2016-04-01", "2017-02-01", "2017-10-01", @@ -6389,7 +6451,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "CdnWebApplicationFirewallManagedRuleSets": [ "2019-06-15-preview", @@ -6400,9 +6463,10 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], - "cdnWebApplicationFirewallPolicies": [ + "CdnWebApplicationFirewallPolicies": [ "2019-06-15", "2019-06-15-preview", "2020-03-31", @@ -6413,7 +6477,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "checkEndpointNameAvailability": [ "2021-06-01", @@ -6421,7 +6486,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "checkNameAvailability": [ "2015-06-01", 
@@ -6441,7 +6507,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "checkResourceUsage": [ "2016-10-02", @@ -6459,7 +6526,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "edgenodes": [ "2015-06-01", @@ -6479,14 +6547,16 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "migrate": [ "2022-05-01-preview", "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults": [ "2015-06-01", @@ -6506,7 +6576,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/cdnwebapplicationfirewallpolicyresults": [ "2019-06-15-preview", @@ -6517,7 +6588,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults": [ "2015-06-01", @@ -6537,7 +6609,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/afdendpointresults": [ "2020-09-01", @@ -6546,7 +6619,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/afdendpointresults/routeresults": [ "2020-09-01", @@ -6555,7 +6629,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/customdomainresults": [ "2020-09-01", 
@@ -6564,7 +6639,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/endpointresults": [ "2015-06-01", @@ -6584,7 +6660,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/endpointresults/customdomainresults": [ "2015-06-01", @@ -6604,7 +6681,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/endpointresults/origingroupresults": [ "2019-12-31", @@ -6616,7 +6694,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/endpointresults/originresults": [ "2015-06-01", @@ -6636,7 +6715,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/origingroupresults": [ "2020-09-01", @@ -6645,7 +6725,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/origingroupresults/originresults": [ "2020-09-01", @@ -6654,7 +6735,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/policyresults": [ "2022-01-01-preview", @@ -6662,7 +6744,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/rulesetresults": [ "2020-09-01", 
@@ -6671,7 +6754,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/rulesetresults/ruleresults": [ "2020-09-01", @@ -6680,7 +6764,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/secretresults": [ "2020-09-01", @@ -6689,7 +6774,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operationresults/profileresults/securitypolicyresults": [ "2020-09-01", @@ -6698,7 +6784,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "operations": [ "2015-06-01", @@ -6718,7 +6805,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles": [ "2015-06-01", @@ -6739,7 +6827,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/afdEndpoints": [ "2020-09-01", @@ -6748,7 +6837,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/afdEndpoints/routes": [ "2020-09-01", @@ -6757,7 +6847,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/customDomains": [ "2020-09-01", @@ -6766,7 +6857,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/endpoints": [ "2015-06-01", 
@@ -6787,7 +6879,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/endpoints/customDomains": [ "2015-06-01", @@ -6808,7 +6901,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/endpoints/originGroups": [ "2019-12-31", @@ -6820,7 +6914,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/endpoints/origins": [ "2015-06-01", @@ -6840,17 +6935,20 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/keyGroups": [ - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/networkpolicies": [ "2022-05-01-preview", "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/originGroups": [ "2020-09-01", @@ -6859,7 +6957,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/originGroups/origins": [ "2020-09-01", @@ -6868,7 +6967,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/policies": [ "2022-01-01-preview" @@ -6880,7 +6980,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/ruleSets/rules": [ "2020-09-01", @@ -6889,7 +6990,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/secrets": [ "2020-09-01", 
@@ -6898,7 +7000,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "profiles/securityPolicies": [ "2020-09-01", @@ -6907,7 +7010,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "validateProbe": [ "2017-04-02", @@ -6924,7 +7028,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ], "validateSecret": [ "2020-09-01", @@ -6933,7 +7038,8 @@ "2022-11-01-preview", "2023-02-01-preview", "2023-05-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2024-01-01-preview" ] }, "Microsoft.CertificateRegistration": { @@ -7041,15 +7147,18 @@ "2023-04-01-preview", "2023-04-15-preview", "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "locations/operationResults": [ "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "locations/operationStatuses": [ "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "locations/targetTypes": [ "2021-09-15-preview", @@ -7058,7 +7167,8 @@ "2023-04-01-preview", "2023-04-15-preview", "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "operations": [ "2021-07-01-preview", @@ -7070,7 +7180,8 @@ "2023-04-01-preview", "2023-04-15-preview", "2023-09-01-preview", - "2023-10-27-preview" + "2023-10-27-preview", + "2023-11-01" ], "privateAccesses": [ "2023-10-27-preview" @@ -7930,7 +8041,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "capacityReservationGroups": [ "2020-06-01", @@ -7943,7 +8055,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "capacityReservationGroups/capacityReservations": [ "2020-06-01", 
@@ -7956,7 +8069,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "cloudServices": [ "2020-10-01-preview", @@ -8137,7 +8251,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "hostGroups/hosts": [ "2018-10-01", @@ -8154,7 +8269,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "images": [ "2016-04-30-preview", @@ -8177,7 +8293,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations": [ "2015-05-01-preview", @@ -8203,7 +8320,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/artifactPublishers": [ "2017-10-15-preview" @@ -8262,7 +8380,8 @@ "2022-11-01", "2023-03-01", "2023-07-01", - "2023-07-03" + "2023-07-03", + "2023-09-01" ], "locations/csoperations": [ "2020-10-01-preview", @@ -8307,7 +8426,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/edgeZones/publishers": [ "2020-12-01", @@ -8319,7 +8439,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/edgeZones/vmimages": [ "2020-12-01", @@ -8331,7 +8452,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/galleries": [ "2018-06-01", @@ -8365,7 +8487,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/operations": [ "2015-05-01-preview", @@ -8392,7 +8515,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/publishers": [ "2015-05-01-preview", @@ -8423,7 +8547,8 @@ "2022-11-01", "2023-03-01", "2023-07-01", - "2023-07-03" + "2023-07-03", + "2023-09-01" ], "locations/recommendations": [ "2021-07-01", 
@@ -8432,7 +8557,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/runCommands": [ "2017-03-30", @@ -8453,7 +8579,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/sharedGalleries": [ "2015-05-01-preview", @@ -8484,7 +8611,8 @@ "2022-11-01", "2023-03-01", "2023-07-01", - "2023-07-03" + "2023-07-03", + "2023-09-01" ], "locations/spotEvictionRates": [ "2020-06-01", @@ -8497,7 +8625,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/spotPriceHistory": [ "2020-06-01", @@ -8510,7 +8639,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/usages": [ "2015-05-01-preview", @@ -8536,7 +8666,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/virtualMachines": [ "2016-08-30", @@ -8558,7 +8689,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/virtualMachineScaleSets": [ "2016-08-30", @@ -8580,7 +8712,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "locations/vmSizes": [ "2015-05-01-preview", @@ -8606,7 +8739,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "operations": [ "2015-05-01-preview", @@ -8631,7 +8765,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "proximityPlacementGroups": [ "2018-04-01", @@ -8650,7 +8785,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "restorePointCollections": [ "2017-03-30", @@ -8671,7 +8807,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "restorePointCollections/restorePoints": [ "2017-03-30", 
@@ -8692,7 +8829,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "restorePointCollections/restorePoints/diskRestorePoints": [ "2020-09-30", @@ -8744,7 +8882,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachines": [ "2015-05-01-preview", @@ -8770,7 +8909,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachines/extensions": [ "2015-05-01-preview", @@ -8796,7 +8936,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachines/metricDefinitions": [ "2014-04-01" @@ -8813,7 +8954,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachines/VMApplications": [ "2021-07-01", @@ -8822,7 +8964,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets": [ "2015-05-01-preview", @@ -8849,7 +8992,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/applications": [ "2021-07-01", @@ -8858,7 +9002,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/disks": [ "2016-04-30-preview", @@ -8906,7 +9051,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/networkInterfaces": [ "2015-05-01-preview", @@ -8935,7 +9081,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/publicIPAddresses": [ "2017-03-30", @@ -8956,7 +9103,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/virtualmachines": [ "2015-05-01-preview", 
@@ -8983,7 +9131,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/virtualMachines/extensions": [ "2015-05-01-preview", @@ -9010,7 +9159,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/virtualMachines/networkInterfaces": [ "2015-05-01-preview", @@ -9039,7 +9189,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ], "virtualMachineScaleSets/virtualMachines/runCommands": [ "2020-06-01", @@ -9137,7 +9288,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "checkNameAvailability": [ "2020-03-01", @@ -9150,7 +9302,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "locations": [ "2020-03-01", @@ -9163,7 +9316,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "locations/OperationStatuses": [ "2020-03-01", @@ -9176,7 +9330,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "operations": [ "2020-03-01", @@ -9189,7 +9344,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "organizations": [ "2020-03-01", @@ -9202,12 +9358,14 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "organizations/access": [ "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ], "validations": [ "2021-03-01-preview", @@ -9218,7 +9376,8 @@ "2022-10-07-preview", "2023-02-09-preview", "2023-07-11-preview", - "2023-08-22" + "2023-08-22", + "2023-10-03-preview" ] }, "Microsoft.ConnectedCache": { 
@@ -9230,30 +9389,37 @@ "2021-09-15-preview" ], "enterpriseMccCustomers": [ - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "enterpriseMccCustomers/enterpriseMccCacheNodes": [ - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "ispCustomers": [ "2022-03-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], - "ispCustomers/ispcachenodes": [ + "ispCustomers/ispCacheNodes": [ "2022-03-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "locations": [ "2022-03-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "locations/operationstatuses": [ "2022-03-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "Operations": [ "2022-03-21-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-05-01-preview" ], "registeredSubscriptions": [ "2022-03-21-preview", @@ -10126,7 +10292,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/agentPools": [ "2019-06-01-preview" @@ -10147,7 +10314,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/connectedRegistries": [ "2020-11-01-preview", @@ -10157,7 +10325,8 @@ "2022-02-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/connectedRegistries/deactivate": [ "2020-11-01-preview", @@ -10173,7 +10342,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/eventGridFilters": [ "2017-10-01", 
@@ -10190,7 +10360,8 @@ "2022-02-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/generateCredentials": [ "2019-05-01-preview", @@ -10230,7 +10401,8 @@ "2022-02-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/listBuildSourceUploadUrl": [ "2018-09-01", @@ -10275,11 +10447,13 @@ ], "registries/packages/archives": [ "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/packages/archives/versions": [ "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/pipelineRuns": [ "2019-12-01-preview", @@ -10290,7 +10464,8 @@ "2022-02-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/privateEndpointConnectionProxies": [ "2019-12-01-preview", @@ -10332,7 +10507,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/privateLinkResources": [ "2019-12-01-preview", @@ -10380,7 +10556,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/runs": [ "2018-09-01", @@ -10413,7 +10590,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/taskRuns": [ "2019-06-01-preview" @@ -10442,7 +10620,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/updatePolicies": [ "2017-10-01" 
@@ -10462,7 +10641,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/webhooks/getCallbackConfig": [ "2017-10-01", @@ -10576,7 +10756,8 @@ "locations/guardrailsVersions": [ "2023-07-02-preview", "2023-08-02-preview", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-02-preview" ], "locations/kubernetesVersions": [ "2023-03-01", @@ -10592,7 +10773,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "locations/notifyNetworkSecurityPerimeterUpdatesAvailable": [ "2022-03-01", @@ -10610,7 +10793,8 @@ "2023-06-02-preview", "2023-07-02-preview", "2023-08-02-preview", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-02-preview" ], "locations/operationresults": [ "2016-03-30", @@ -10675,7 +10859,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "locations/operations": [ "2016-03-30", @@ -10740,7 +10926,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "locations/orchestrators": [ "2017-09-30", @@ -10802,7 +10990,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "locations/osOptions": [ "2021-03-01", @@ -10848,7 +11038,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "locations/usages": [ "2023-10-01", @@ -10919,7 +11111,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "managedClusters/agentPools": [ "2019-02-01", 
@@ -11029,7 +11223,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "managedClusters/maintenanceConfigurations": [ "2020-12-01", @@ -11174,7 +11370,8 @@ "2023-06-02-preview", "2023-07-02-preview", "2023-08-02-preview", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-02-preview" ], "openShiftManagedClusters": [ "2018-09-30-preview", @@ -11250,7 +11447,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "snapshots": [ "2021-08-01", @@ -11295,7 +11494,9 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ] }, "Microsoft.ContainerStorage": { @@ -11447,6 +11648,7 @@ "2022-10-01", "2023-03-01", "2023-04-01-preview", + "2023-07-01-preview", "2023-08-01", "2023-09-01" ], @@ -11894,6 +12096,7 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "grafana": [ @@ -11901,22 +12104,26 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "grafana/managedPrivateEndpoints": [ "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "grafana/privateEndpointConnections": [ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "grafana/privateLinkResources": [ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "locations": [ @@ -11924,6 +12131,7 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "locations/checkNameAvailability": [ @@ -11931,6 +12139,7 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "locations/operationStatuses": [ 
@@ -11938,6 +12147,7 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ], "operations": [ @@ -11945,6 +12155,7 @@ "2022-05-01-preview", "2022-08-01", "2022-10-01-preview", + "2023-09-01", "2023-10-01-preview" ] }, @@ -12421,6 +12632,8 @@ "2023-09-15-preview" ], "operations": [ + "2018-03-01", + "2018-03-15", "2018-04-01", "2021-04-01-preview", "2022-04-01-preview", @@ -12505,7 +12718,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "locations": [ "2020-02-01-preview", @@ -12513,7 +12727,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "locations/operationStatuses": [ "2020-02-01-preview", @@ -12521,7 +12736,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors": [ "2020-02-01-preview", @@ -12529,7 +12745,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/getDefaultKey": [ "2020-02-01-preview", @@ -12537,7 +12754,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/listApiKeys": [ "2020-02-01-preview", @@ -12545,7 +12763,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/listHosts": [ "2020-02-01-preview", @@ -12553,7 +12772,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/listLinkedResources": [ "2020-02-01-preview", @@ -12561,7 +12781,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/listMonitoredResources": [ "2020-02-01-preview", @@ -12569,7 +12790,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/monitoredSubscriptions": [ "2020-02-01-preview", 
@@ -12577,7 +12799,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/refreshSetPasswordLink": [ "2020-02-01-preview", @@ -12585,7 +12808,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/setDefaultKey": [ "2020-02-01-preview", @@ -12593,7 +12817,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/singleSignOnConfigurations": [ "2020-02-01-preview", @@ -12601,7 +12826,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "monitors/tagRules": [ "2020-02-01-preview", @@ -12609,7 +12835,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "operations": [ "2020-02-01-preview", @@ -12617,7 +12844,8 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "registeredSubscriptions": [ "2020-02-01-preview", @@ -12625,11 +12853,13 @@ "2022-06-01", "2022-08-01", "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ], "subscriptionStatuses": [ "2023-01-01", - "2023-07-07" + "2023-07-07", + "2023-10-20" ] }, "Microsoft.DataFactory": { @@ -12976,7 +13206,8 @@ "2022-10-01-preview", "2022-11-01-preview", "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "backupVaults": [ "2020-01-01-alpha", @@ -12999,7 +13230,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "backupVaults/backupInstances": [ "2021-01-01", @@ -13021,7 +13253,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "backupVaults/backupPolicies": [ "2021-01-01", 
@@ -13043,7 +13276,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "backupVaults/backupResourceGuardProxies": [ "2022-09-01-preview", @@ -13052,7 +13286,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations": [ "2020-01-01-alpha", @@ -13074,7 +13309,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/checkFeatureSupport": [ "2020-01-01-alpha", @@ -13096,7 +13332,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/checkNameAvailability": [ "2020-01-01-alpha", @@ -13118,23 +13355,28 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/crossRegionRestore": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/fetchCrossRegionRestoreJob": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/fetchCrossRegionRestoreJobs": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/fetchSecondaryRecoveryPoints": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/operationResults": [ "2020-01-01-alpha", @@ -13156,7 +13398,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/operationStatus": [ "2020-01-01-alpha", 
@@ -13178,11 +13421,13 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "locations/validateCrossRegionRestore": [ "2023-04-01-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "operations": [ "2020-01-01-alpha", @@ -13204,7 +13449,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ], "resourceGuards": [ "2021-02-01-preview", @@ -13224,7 +13470,8 @@ "2023-01-01", "2023-04-01-preview", "2023-05-01", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-08-01-preview" ] }, "Microsoft.DataReplication": { @@ -13550,7 +13797,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "flexibleServers/administrators": [ "2021-12-01-preview", @@ -13756,7 +14004,7 @@ "2017-12-01-preview", "2018-06-01-privatepreview" ], - "servers/Administrators": [ + "servers/administrators": [ "2017-12-01", "2017-12-01-preview", "2018-06-01-privatepreview" @@ -13894,7 +14142,11 @@ "flexibleServers/administrators": [ "2022-03-08-preview", "2022-12-01", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-06-01-preview" + ], + "flexibleServers/advancedThreatProtectionSettings": [ + "2023-06-01-preview" ], "flexibleServers/configurations": [ "2021-06-01", @@ -13903,7 +14155,8 @@ "2022-01-20-preview", "2022-03-08-preview", "2022-12-01", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-06-01-preview" ], "flexibleServers/databases": [ "2020-11-05-preview", @@ -13912,7 +14165,8 @@ "2022-01-20-preview", "2022-03-08-preview", "2022-12-01", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-06-01-preview" ], "flexibleServers/firewallRules": [ "2020-02-14-preview", 
@@ -13924,7 +14178,8 @@ "2022-01-20-preview", "2022-03-08-preview", "2022-12-01", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-06-01-preview" ], "flexibleServers/keys": [ "2020-02-14-privatepreview" @@ -13932,18 +14187,23 @@ "flexibleServers/migrations": [ "2021-06-15-privatepreview", "2022-05-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-06-01-preview" ], "flexibleServers/privateEndpointConnectionProxies": [ "2022-06-01-privatepreview", "2023-01-01-privatepreview" ], "flexibleServers/privateEndpointConnections": [ - "2023-01-01-privatepreview" + "2023-01-01-privatepreview", + "2023-06-01-preview" ], "flexibleServers/privateLinkResources": [ "2023-01-01-privatepreview" ], + "flexibleServers/virtualendpoints": [ + "2023-06-01-preview" + ], "getPrivateDnsZoneSuffix": [], "locations": [ "2017-12-01", @@ -14238,7 +14498,7 @@ ] }, "Microsoft.DesktopVirtualization": { - "appattachpackages": [ + "appAttachPackages": [ "2022-09-01-privatepreview", "2022-09-09", "2022-10-14-preview", @@ -14429,7 +14689,8 @@ "2022-04-01-preview", "2022-10-14-preview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "hostpools/sessionhosts": [ "2019-01-23-preview", @@ -14588,14 +14849,16 @@ ], "scalingPlans/personalSchedules": [ "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "scalingPlans/pooledSchedules": [ "2022-04-01-preview", "2022-09-09", "2022-10-14-preview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ], "workspaces": [ "2019-01-23-preview", @@ -14633,7 +14896,8 @@ "2022-04-01-preview", "2022-10-14-preview", "2023-07-07-preview", - "2023-09-05" + "2023-09-05", + "2023-10-04-preview" ] }, "Microsoft.DevAI": { @@ -17700,7 +17964,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "domains": [ "2018-09-15-preview", 
@@ -17714,12 +17979,14 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "domains/eventSubscriptions": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "domains/topics": [ "2018-09-15-preview", @@ -17733,12 +18000,14 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "domains/topics/eventSubscriptions": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "eventSubscriptions": [ "2017-06-15-preview", @@ -17757,7 +18026,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "extensionTopics": [ "2017-06-15-preview", @@ -17874,28 +18144,36 @@ "2023-06-01-preview" ], "namespaces": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/caCertificates": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/clientGroups": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/clients": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/permissionBindings": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/topics": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/topics/eventSubscriptions": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces/topicSpaces": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "operationResults": [ "2017-06-15-preview", 
@@ -17956,11 +18234,13 @@ "partnerConfigurations": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerDestinations": [ "2021-10-15-preview", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerNamespaces": [ "2020-04-01-preview", @@ -17968,12 +18248,14 @@ "2021-06-01-preview", "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerNamespaces/channels": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerNamespaces/eventChannels": [ "2020-04-01-preview", @@ -17988,7 +18270,8 @@ "2021-06-01-preview", "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerTopics": [ "2020-04-01-preview", @@ -17996,7 +18279,8 @@ "2021-06-01-preview", "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerTopics/eventSubscriptions": [ "2020-04-01-preview", @@ -18004,7 +18288,8 @@ "2021-06-01-preview", "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "systemTopics": [ "2020-04-01-preview", @@ -18013,7 +18298,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "systemTopics/eventSubscriptions": [ "2020-04-01-preview", @@ -18022,7 +18308,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "topics": [ "2017-06-15-preview", 
@@ -18041,12 +18328,14 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "topics/eventSubscriptions": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "topicTypes": [ "2017-06-15-preview", @@ -18167,7 +18456,7 @@ "2022-10-01-preview", "2023-01-01-preview" ], - "namespaces/authorizationRules": [ + "namespaces/AuthorizationRules": [ "2014-09-01", "2015-08-01", "2017-04-01", @@ -18704,7 +18993,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "locations": [ "2018-08-20-preview", @@ -18718,7 +19008,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "locations/operationresults": [ "2018-08-20-preview", @@ -18733,7 +19024,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "operations": [ "2018-08-20-preview", @@ -18747,7 +19039,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "services": [ "2018-08-20-preview", @@ -18763,6 +19056,7 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "services/iomtconnectors": [ @@ -18783,6 +19077,7 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "services/privateEndpointConnections": [ @@ -18796,6 +19091,7 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "services/privateLinkResources": [ @@ -18807,6 +19103,7 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "validateMedtechMappings": [ @@ -18821,6 +19118,7 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "workspaces/analyticsconnectors": [ 
@@ -18835,6 +19133,7 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "workspaces/eventGridFilters": [ @@ -18843,7 +19142,8 @@ "2022-05-15", "2022-06-01", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "workspaces/fhirservices": [ "2021-06-01-preview", @@ -18853,7 +19153,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "workspaces/iotconnectors": [ "2021-06-01-preview", @@ -18863,7 +19164,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "workspaces/iotconnectors/fhirdestinations": [ "2021-06-01-preview", @@ -18873,7 +19175,8 @@ "2022-06-01", "2022-10-01-preview", "2022-12-01", - "2023-02-28" + "2023-02-28", + "2023-09-06" ], "workspaces/privateEndpointConnectionProxies": [ "2021-11-01", @@ -18882,6 +19185,7 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "workspaces/privateEndpointConnections": [ @@ -18892,6 +19196,7 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ], "workspaces/privateLinkResources": [ @@ -18901,6 +19206,7 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-09-06", "2023-10-15-preview" ] }, @@ -19486,7 +19792,8 @@ ], "networkFunctions/components": [ "2022-09-01-preview", - "2023-01-01" + "2023-01-01", + "2023-09-01" ], "networkFunctionVendors": [ "2020-01-01-preview", @@ -19513,6 +19820,12 @@ "2023-01-01", "2023-09-01" ], + "publishers/artifactstores/artifacts": [ + "2023-09-01" + ], + "publishers/artifactstores/artifactversions": [ + "2023-09-01" + ], "publishers/configurationGroupSchemas": [ "2023-09-01" ], @@ -19571,7 +19884,7 @@ "2016-05-01" ] }, - "microsoft.insights": { + "Microsoft.Insights": { "actionGroups": [ "2017-03-01-preview", "2017-04-01", 
@@ -20177,6 +20490,66 @@ "2023-02-08-preview" ] }, + "Microsoft.IoTOperationsDataProcessor": { + "instances": [ + "2023-10-04-preview" + ], + "instances/datasets": [ + "2023-10-04-preview" + ], + "instances/pipelines": [ + "2023-10-04-preview" + ] + }, + "Microsoft.IoTOperationsMQ": { + "mq": [ + "2023-10-04-preview" + ], + "mq/broker": [ + "2023-10-04-preview" + ], + "mq/broker/authentication": [ + "2023-10-04-preview" + ], + "mq/broker/authorization": [ + "2023-10-04-preview" + ], + "mq/broker/listener": [ + "2023-10-04-preview" + ], + "mq/dataLakeConnector": [ + "2023-10-04-preview" + ], + "mq/dataLakeConnector/topicMap": [ + "2023-10-04-preview" + ], + "mq/diagnosticService": [ + "2023-10-04-preview" + ], + "mq/kafkaConnector": [ + "2023-10-04-preview" + ], + "mq/kafkaConnector/topicMap": [ + "2023-10-04-preview" + ], + "mq/mqttBridgeConnector": [ + "2023-10-04-preview" + ], + "mq/mqttBridgeConnector/topicMap": [ + "2023-10-04-preview" + ] + }, + "Microsoft.IoTOperationsOrchestrator": { + "instances": [ + "2023-10-04-preview" + ], + "solutions": [ + "2023-10-04-preview" + ], + "targets": [ + "2023-10-04-preview" + ] + }, "Microsoft.IoTSecurity": { "alertTypes": [ "2021-07-01-preview" @@ -20588,7 +20961,8 @@ "2021-04-01-preview", "2021-10-01", "2022-05-01-preview", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-11-01-preview" ], "locations/operationStatuses": [ "2020-01-01-preview", @@ -20596,7 +20970,8 @@ "2021-04-01-preview", "2021-10-01", "2022-05-01-preview", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-11-01-preview" ], "Operations": [ "2019-09-01-privatepreview", @@ -20606,7 +20981,8 @@ "2021-04-01-preview", "2021-10-01", "2022-05-01-preview", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-11-01-preview" ], "registeredSubscriptions": [ "2020-01-01-preview", 
@@ -20614,7 +20990,8 @@ "2021-04-01-preview", "2021-10-01", "2022-05-01-preview", - "2022-10-01-preview" + "2022-10-01-preview", + "2023-11-01-preview" ] }, "Microsoft.KubernetesConfiguration": { @@ -21144,6 +21521,9 @@ "2018-07-01-preview", "2019-05-01" ], + "locations/generateCopilotResponse": [ + "2022-09-01-preview" + ], "locations/validateWorkflowExport": [ "2022-09-01-preview" ], @@ -21166,7 +21546,8 @@ "2016-10-01", "2017-07-01", "2018-07-01-preview", - "2019-05-01" + "2019-05-01", + "2022-09-01-preview" ], "workflows": [ "2015-02-01-preview", @@ -23412,7 +23793,7 @@ "2019-10-01", "2023-03-15" ], - "assessmentprojects/privateEndpointConnections": [ + "assessmentProjects/privateEndpointConnections": [ "2019-10-01", "2023-03-15" ], @@ -23841,7 +24222,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/checkFilePathAvailability": [ "2017-08-15", @@ -23878,7 +24261,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/CheckInventory": [ "2021-08-01", @@ -23896,7 +24281,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/checkNameAvailability": [ "2017-08-15", @@ -23933,7 +24320,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/checkQuotaAvailability": [ "2020-06-01", @@ -23960,7 +24349,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/operationResults": [ "2017-08-15", 
@@ -23999,7 +24390,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/queryNetworkSiblingSet": [ "2021-12-01-preview", @@ -24010,7 +24403,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/QuotaLimits": [ "2021-06-01", @@ -24028,7 +24423,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/regionInfo": [ "2021-04-01-preview", @@ -24040,10 +24437,14 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/regionInfos": [ - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "locations/updateNetworkSiblingSet": [ "2021-12-01-preview", @@ -24054,7 +24455,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts": [ "2017-08-15", @@ -24092,7 +24495,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts/backupPolicies": [ "2020-05-01", @@ -24159,7 +24564,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts/capacityPools/volumes": [ "2017-08-15", @@ -24199,7 +24606,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts/capacityPools/volumes/backups": [ "2020-05-01", 
@@ -24266,7 +24675,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts/capacityPools/volumes/subvolumes": [ "2021-10-01", @@ -24314,7 +24725,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "netAppAccounts/volumeGroups": [ "2021-02-01", @@ -24334,7 +24747,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "operations": [ "2017-08-15", @@ -24374,7 +24789,9 @@ "2023-03-01", "2023-03-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01", + "2023-07-01-preview" ] }, "Microsoft.Network": { @@ -29470,7 +29887,7 @@ "2023-04-01", "2023-05-01" ], - "virtualnetworkgateways": [ + "virtualNetworkGateways": [ "2014-12-01-preview", "2015-05-01-preview", "2015-06-15", @@ -29548,7 +29965,7 @@ "2023-04-01", "2023-05-01" ], - "virtualnetworks": [ + "virtualNetworks": [ "2014-12-01-preview", "2015-05-01-preview", "2015-06-15", @@ -29655,7 +30072,7 @@ "virtualNetworks/privateDnsZoneLinks": [ "2020-06-01" ], - "virtualnetworks/subnets": [ + "virtualNetworks/subnets": [ "2015-05-01-preview", "2015-06-15", "2016-03-30", @@ -30258,18 +30675,15 @@ "2023-07-01" ], "locations": [ - "2022-12-12-preview", "2023-05-01-preview", "2023-07-01", "2023-10-01-preview" ], "locations/operationStatuses": [ - "2022-12-12-preview", "2023-05-01-preview", "2023-07-01" ], "operations": [ - "2022-12-12-preview", "2023-05-01-preview", "2023-07-01", "2023-10-01-preview" @@ -30280,12 +30694,10 @@ "2023-07-01" ], "rackSkus": [ - "2022-12-12-preview", "2023-05-01-preview", "2023-07-01" ], "registeredSubscriptions": [ - "2022-12-12-preview", "2023-05-01-preview", "2023-07-01", "2023-10-01-preview" 
@@ -30388,7 +30800,8 @@ "2016-03-01", "2017-04-01", "2020-01-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2023-09-01" ], "namespaces": [ "2014-09-01", @@ -30398,7 +30811,7 @@ "2023-01-01-preview", "2023-09-01" ], - "namespaces/authorizationRules": [ + "namespaces/AuthorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", @@ -30413,7 +30826,7 @@ "2023-01-01-preview", "2023-09-01" ], - "namespaces/notificationHubs/authorizationRules": [ + "namespaces/notificationHubs/AuthorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", @@ -30429,7 +30842,8 @@ "2016-03-01", "2017-04-01", "2020-01-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2023-09-01" ] }, "Microsoft.Nutanix": { @@ -30525,6 +30939,7 @@ "2020-07-10", "2020-08-01-preview", "2020-09-09-preview", + "2020-10-10-preview", "2022-10-27", "2023-06-06" ], @@ -31984,7 +32399,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupEncryptionConfigs": [ "2020-10-01", @@ -32010,7 +32426,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupFabrics/backupProtectionIntent": [ "2017-07-01", @@ -32034,7 +32451,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupFabrics/protectionContainers": [ "2016-12-01", @@ -32061,7 +32479,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupFabrics/protectionContainers/protectedItems": [ "2016-06-01", @@ -32090,7 +32509,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupPolicies": [ "2016-06-01", @@ -32119,7 +32539,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupResourceGuardProxies": [ "2021-02-01-preview", 
@@ -32137,7 +32558,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/backupstorageconfig": [ "2016-12-01", @@ -32159,7 +32581,8 @@ "2023-01-01", "2023-01-15", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/certificates": [ "2016-06-01", @@ -32242,7 +32665,8 @@ "2022-10-01", "2023-01-01", "2023-02-01", - "2023-04-01" + "2023-04-01", + "2023-06-01" ], "vaults/replicationAlertSettings": [ "2016-08-10", @@ -42960,7 +43384,9 @@ "2023-05-15-preview", "2023-06-01-preview", "2023-08-01-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/operationstatuses": [ "2020-12-16-preview", @@ -42980,7 +43406,9 @@ "2023-05-15-preview", "2023-06-01-preview", "2023-08-01-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "operations": [ "2020-12-16-preview", @@ -43000,7 +43428,9 @@ "2023-05-15-preview", "2023-06-01-preview", "2023-08-01-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "skus": [ "2020-12-16-preview", @@ -43020,7 +43450,9 @@ "2023-05-15-preview", "2023-06-01-preview", "2023-08-01-preview", - "2023-08-15-preview" + "2023-08-15-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts": [ "2020-12-16-preview", 
@@ -43033,19 +43465,25 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/actionRequests": [ "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/availableInplaceUpgradeOSs": [ "2022-11-01-preview", "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/availableOSs": [ "2020-12-16-preview", @@ -43058,7 +43496,15 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "testBaseAccounts/chatSessions": [ + "2023-11-01-preview" + ], + "testBaseAccounts/credentials": [ + "2023-11-01-preview" ], "testBaseAccounts/customerEvents": [ "2020-12-16-preview", @@ -43071,16 +43517,22 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/customImages": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/draftPackages": [ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/emailEvents": [ "2020-12-16-preview", @@ -43093,7 +43545,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/featureUpdateSupportedOses": [ "2022-08-01-preview", 
@@ -43101,14 +43555,18 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/firstPartyApps": [ "2022-11-01-preview", "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/flightingRings": [ "2020-12-16-preview", @@ -43121,18 +43579,30 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "testBaseAccounts/freeHourBalances": [ + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/galleryApps": [ "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/galleryApps/galleryAppSkus": [ "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/imageDefinitions": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/packages": [ "2020-12-16-preview", @@ -43145,7 +43615,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/packages/favoriteProcesses": [ "2020-12-16-preview", @@ -43158,7 +43630,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/packages/osUpdates": [ "2020-12-16-preview", 
@@ -43171,7 +43645,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/packages/testResults": [ "2020-12-16-preview", @@ -43184,7 +43660,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/packages/testResults/analysisResults": [ "2020-12-16-preview", @@ -43197,7 +43675,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/testSummaries": [ "2020-12-16-preview", @@ -43210,7 +43690,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/testTypes": [ "2020-12-16-preview", @@ -43223,7 +43705,9 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/usages": [ "2020-12-16-preview", @@ -43236,10 +43720,14 @@ "2022-12-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ], "testBaseAccounts/vhds": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" ] }, "Microsoft.TimeSeriesInsights": { @@ -43482,7 +43970,8 @@ "communicationsGateways": [ "2022-12-01-preview", "2023-01-31", - "2023-04-03" + "2023-04-03", + "2023-09-01" ], "communicationsGateways/contacts": [ "2022-12-01-preview" @@ -43490,7 +43979,8 @@ "communicationsGateways/testLines": [ "2022-12-01-preview", "2023-01-31", - "2023-04-03" + "2023-04-03", + "2023-09-01" ], "locations": [ "2023-01-31", 
@@ -43582,7 +44072,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "billingMeters": [
 "2014-04-01",
@@ -43609,7 +44100,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "certificates": [
 "2014-04-01",
@@ -43636,7 +44128,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "checkNameAvailability": [
 "2014-04-01",
@@ -43663,7 +44156,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "connectionGateways": [
 "2015-08-01-preview",
@@ -43711,7 +44205,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "deletedSites": [
 "2014-04-01",
@@ -43737,7 +44232,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "deploymentLocations": [
 "2014-04-01",
@@ -43763,7 +44259,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "freeTrialStaticWebApps": [
 "2022-09-01"
@@ -43776,7 +44273,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "generateGithubAccessTokenForAppserviceCLI": [
 "2020-09-01",
@@ -43787,7 +44285,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "georegions": [
 "2014-04-01",
@@ -43813,7 +44312,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "hostingEnvironments": [
 "2014-04-01",
@@ -43844,7 +44344,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "hostingEnvironments/configurations": [
 "2020-12-01",
@@ -43884,7 +44385,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "hostingEnvironments/multiRolePools": [
 "2014-04-01",
@@ -43913,7 +44415,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "hostingEnvironments/privateEndpointConnections": [
 "2020-12-01",
@@ -43951,7 +44454,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "ishostingenvironmentnameavailable": [
 "2014-04-01",
@@ -43977,7 +44481,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "ishostnameavailable": [
 "2014-04-01",
@@ -44003,7 +44508,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "isusernameavailable": [
 "2014-04-01",
@@ -44029,7 +44535,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "kubeEnvironments": [
 "2021-01-01",
@@ -44059,7 +44566,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations": [
 "2015-08-01-preview",
@@ -44103,7 +44611,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/deleteVirtualNetworkOrSubnets": [
 "2014-04-01",
@@ -44132,7 +44641,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/extractApiDefinitionFromWsdl": [
 "2015-08-01-preview",
@@ -44147,7 +44657,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/getNetworkPolicies": [
 "2016-08-01",
@@ -44162,7 +44673,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/listWsdlInterfaces": [
 "2015-08-01-preview",
@@ -44192,7 +44704,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/operations": [
 "2016-08-01",
@@ -44210,7 +44723,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/previewStaticSiteWorkflowFile": [
 "2019-08-01",
@@ -44224,7 +44738,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/runtimes": [
 "2015-08-01-preview",
@@ -44258,7 +44773,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "locations/webAppStacks": [
 "2020-10-01",
@@ -44268,7 +44784,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "managedHostingEnvironments": [
 "2015-08-01"
@@ -44297,7 +44814,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "publishingCredentials": [
 "2015-08-01"
@@ -44326,7 +44844,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "recommendations": [
 "2014-04-01",
@@ -44352,7 +44871,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "resourceHealthMetadata": [
 "2014-04-01",
@@ -44378,7 +44898,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "runtimes": [
 "2014-04-01",
@@ -44403,7 +44924,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "serverfarms": [
 "2014-04-01",
@@ -44431,7 +44953,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "serverFarms/eventGridFilters": [
 "2014-04-01",
@@ -44459,7 +44982,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "serverFarms/firstPartyApps": [
 "2014-04-01",
@@ -44487,7 +45011,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "serverFarms/firstPartyApps/keyVaultSettings": [
 "2014-04-01",
@@ -44515,7 +45040,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "serverfarms/virtualNetworkConnections/gateways": [
 "2015-08-01",
@@ -44579,7 +45105,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/backups": [
 "2015-08-01",
@@ -44678,7 +45205,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/extensions": [
 "2016-08-01",
@@ -44761,7 +45289,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/hybridconnection": [
 "2015-08-01",
@@ -44852,7 +45381,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/premieraddons": [
 "2015-04-01",
@@ -44874,7 +45404,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/privateAccess": [
 "2018-02-01",
@@ -44965,7 +45496,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/slots/backups": [
 "2015-08-01",
@@ -45059,7 +45591,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/slots/extensions": [
 "2016-08-01",
@@ -45142,7 +45675,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/slots/hybridconnection": [
 "2015-08-01",
@@ -45217,7 +45751,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "sites/slots/premieraddons": [
 "2015-08-01",
@@ -45424,7 +45959,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites": [
 "2019-08-01",
@@ -45438,7 +45974,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/basicAuth": [
 "2022-09-01"
@@ -45455,7 +45992,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/builds/config": [
 "2019-08-01",
@@ -45482,7 +46020,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/builds/linkedBackends": [
 "2019-08-01",
@@ -45496,7 +46035,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/builds/userProvidedFunctionApps": [
 "2020-12-01",
@@ -45505,7 +46045,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/config": [
 "2019-08-01",
@@ -45545,7 +46086,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/linkedBackends": [
 "2019-08-01",
@@ -45559,7 +46101,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "staticSites/privateEndpointConnections": [
 "2020-12-01",
@@ -45577,7 +46120,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "validate": [
 "2014-04-01",
@@ -45603,7 +46147,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "verifyHostingEnvironmentVnet": [
 "2014-04-01",
@@ -45629,7 +46174,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "webAppStacks": [
 "2020-10-01",
@@ -45639,7 +46185,8 @@
 "2021-02-01",
 "2021-03-01",
 "2022-03-01",
- "2022-09-01"
+ "2022-09-01",
+ "2023-01-01"
 ],
 "workerApps": [
 "2020-12-01",
@@ -45720,7 +46267,8 @@
 "Locations/sapVirtualInstanceMetadata": [
 "2021-12-01-preview",
 "2022-11-01-preview",
- "2023-04-01"
+ "2023-04-01",
+ "2023-10-01-preview"
 ],
 "monitors": [
 "2021-12-01-preview",
@@ -45983,19 +46531,24 @@
 },
 "SolarWinds.Observability": {
 "checkNameAvailability": [
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2023-08-23-preview"
 ],
 "locations": [
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2023-08-23-preview"
 ],
 "locations/operationStatuses": [
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2023-08-23-preview"
 ],
 "operations": [
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2023-08-23-preview"
 ],
 "registeredSubscriptions": [
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2023-08-23-preview"
 ]
 },
 "Wandisco.Fusion": {
From e4d4ed0482d75fc0509db5fe4a49b99b2b7d453d Mon Sep 17 00:00:00 2001
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Tue, 7 Nov 2023 07:12:01 +0100 Subject: [PATCH 089/178] [Modules] Added waf-aligned test (#4193) * waf folders * waf serviceshort * waf metadata * waf readme --- modules/aad/domain-service/README.md | 129 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 104 ++ .../tests/e2e/waf-aligned/main.test.bicep | 109 ++ modules/analysis-services/server/README.md | 163 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 120 +++ modules/api-management/service/README.md | 371 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 219 ++++ .../configuration-store/README.md | 177 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 124 +++ modules/app/container-app/README.md | 163 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 28 + .../tests/e2e/waf-aligned/main.test.bicep | 109 ++ modules/app/job/README.md | 199 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 40 + .../job/tests/e2e/waf-aligned/main.test.bicep | 124 +++ modules/app/managed-environment/README.md | 101 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 51 + .../tests/e2e/waf-aligned/main.test.bicep | 72 ++ modules/authorization/lock/README.md | 57 ++ .../tests/e2e/waf-aligned/main.test.bicep | 49 + .../automation/automation-account/README.md | 457 +++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 90 ++ .../tests/e2e/waf-aligned/main.test.bicep | 261 +++++ modules/batch/batch-account/README.md | 183 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 78 ++ .../tests/e2e/waf-aligned/main.test.bicep | 129 +++ modules/cache/redis-enterprise/README.md | 195 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 ++ .../tests/e2e/waf-aligned/main.test.bicep | 135 +++ modules/cache/redis/README.md | 183 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 ++ 
.../tests/e2e/waf-aligned/main.test.bicep | 121 +++ modules/cdn/profile/README.md | 149 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 38 + .../tests/e2e/waf-aligned/main.test.bicep | 101 ++ modules/cognitive-services/account/README.md | 201 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 ++ .../tests/e2e/waf-aligned/main.test.bicep | 137 +++ modules/compute/availability-set/README.md | 91 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 74 ++ modules/compute/disk-encryption-set/README.md | 107 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 51 + .../tests/e2e/waf-aligned/main.test.bicep | 84 ++ modules/compute/disk/README.md | 115 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 78 ++ modules/compute/gallery/README.md | 325 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 189 ++++ modules/compute/image/README.md | 113 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 218 ++++ .../e2e/waf-aligned/dependencies_rbac.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 86 ++ .../proximity-placement-group/README.md | 127 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 88 ++ modules/compute/ssh-public-key/README.md | 53 + .../tests/e2e/waf-aligned/dependencies.bicep | 61 ++ .../tests/e2e/waf-aligned/main.test.bicep | 60 ++ modules/consumption/budget/README.md | 77 ++ .../tests/e2e/waf-aligned/main.test.bicep | 40 + .../container-group/README.md | 201 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 127 +++ modules/container-registry/registry/README.md | 257 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 99 ++ .../tests/e2e/waf-aligned/main.test.bicep | 160 +++ modules/data-factory/factory/README.md | 247 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 135 +++ 
.../tests/e2e/waf-aligned/main.test.bicep | 161 +++ .../data-protection/backup-vault/README.md | 225 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 138 +++ modules/databricks/access-connector/README.md | 105 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 79 ++ modules/databricks/workspace/README.md | 247 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 368 +++++++ .../tests/e2e/waf-aligned/main.test.bicep | 156 +++ .../application-group/README.md | 165 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 29 + .../tests/e2e/waf-aligned/main.test.bicep | 119 +++ .../host-pool/README.md | 207 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 135 +++ .../scaling-plan/README.md | 191 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 133 +++ .../workspace/README.md | 127 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 41 + .../tests/e2e/waf-aligned/main.test.bicep | 103 ++ modules/dev-test-lab/lab/README.md | 543 ++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 134 +++ .../lab/tests/e2e/waf-aligned/main.test.bicep | 286 ++++++ .../digital-twins-instance/README.md | 181 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 162 +++ .../tests/e2e/waf-aligned/main.test.bicep | 132 +++ modules/event-grid/domain/README.md | 169 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 ++ .../tests/e2e/waf-aligned/main.test.bicep | 124 +++ modules/event-grid/system-topic/README.md | 183 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 + .../tests/e2e/waf-aligned/main.test.bicep | 129 +++ modules/event-grid/topic/README.md | 211 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 89 ++ .../tests/e2e/waf-aligned/main.test.bicep | 145 +++ modules/event-hub/namespace/README.md | 397 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 83 ++ 
.../tests/e2e/waf-aligned/main.test.bicep | 228 +++++ modules/health-bot/health-bot/README.md | 103 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 78 ++ modules/healthcare-apis/workspace/README.md | 283 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 74 ++ .../tests/e2e/waf-aligned/main.test.bicep | 169 ++++ modules/insights/action-group/README.md | 123 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 88 ++ modules/insights/activity-log-alert/README.md | 163 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 28 + .../tests/e2e/waf-aligned/main.test.bicep | 109 ++ modules/insights/component/README.md | 111 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 97 ++ .../data-collection-endpoint/README.md | 95 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 74 ++ modules/insights/diagnostic-setting/README.md | 73 ++ .../tests/e2e/waf-aligned/main.test.bicep | 70 ++ modules/insights/metric-alert/README.md | 125 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 29 + .../tests/e2e/waf-aligned/main.test.bicep | 87 ++ modules/insights/private-link-scope/README.md | 118 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 71 ++ .../tests/e2e/waf-aligned/main.test.bicep | 89 ++ .../insights/scheduled-query-rule/README.md | 165 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 105 ++ modules/insights/webtest/README.md | 99 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 26 + .../tests/e2e/waf-aligned/main.test.bicep | 77 ++ modules/key-vault/vault/README.md | 303 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 65 ++ .../tests/e2e/waf-aligned/main.test.bicep | 189 ++++ .../extension/README.md | 115 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 32 + .../tests/e2e/waf-aligned/main.test.bicep | 84 ++ 
.../flux-configuration/README.md | 103 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 49 + .../tests/e2e/waf-aligned/main.test.bicep | 81 ++ modules/logic/workflow/README.md | 195 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 136 +++ .../workspace/README.md | 253 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 134 +++ .../tests/e2e/waf-aligned/main.test.bicep | 162 +++ .../maintenance-configuration/README.md | 153 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 101 ++ .../user-assigned-identity/README.md | 105 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 82 ++ .../registration-definition/README.md | 93 ++ .../tests/e2e/waf-aligned/main.test.bicep | 48 + modules/management/management-group/README.md | 57 ++ .../tests/e2e/waf-aligned/main.test.bicep | 31 + .../README.md | 103 ++ .../tests/e2e/waf-aligned/main.test.bicep | 72 ++ modules/network/application-gateway/README.md | 935 ++++++++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 146 +++ .../tests/e2e/waf-aligned/main.test.bicep | 498 ++++++++++ .../application-security-group/README.md | 87 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 72 ++ modules/network/azure-firewall/README.md | 303 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 64 ++ .../tests/e2e/waf-aligned/main.test.bicep | 190 ++++ modules/network/bastion-host/README.md | 139 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 59 ++ .../tests/e2e/waf-aligned/main.test.bicep | 105 ++ .../network/ddos-protection-plan/README.md | 87 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 72 ++ .../network/dns-forwarding-ruleset/README.md | 131 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 81 ++ .../tests/e2e/waf-aligned/main.test.bicep | 94 ++ 
modules/network/dns-resolver/README.md | 93 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 + .../tests/e2e/waf-aligned/main.test.bicep | 75 ++ modules/network/dns-zone/README.md | 401 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 37 + .../tests/e2e/waf-aligned/main.test.bicep | 222 +++++ .../network/express-route-circuit/README.md | 141 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 106 ++ .../network/express-route-gateway/README.md | 97 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 38 + .../tests/e2e/waf-aligned/main.test.bicep | 75 ++ modules/network/firewall-policy/README.md | 147 +++ .../tests/e2e/waf-aligned/main.test.bicep | 93 ++ .../README.md | 221 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 135 +++ modules/network/front-door/README.md | 279 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 161 +++ modules/network/ip-group/README.md | 97 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 ++ modules/network/load-balancer/README.md | 289 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 36 + .../tests/e2e/waf-aligned/main.test.bicep | 181 ++++ .../network/local-network-gateway/README.md | 107 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 78 ++ modules/network/nat-gateway/README.md | 153 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 118 +++ modules/network/network-interface/README.md | 167 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 113 +++ .../tests/e2e/waf-aligned/main.test.bicep | 127 +++ modules/network/network-manager/README.md | 451 +++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 96 ++ .../tests/e2e/waf-aligned/main.test.bicep | 255 +++++ .../network/network-security-group/README.md | 237 +++++ 
.../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 160 +++ modules/network/network-watcher/README.md | 219 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 144 +++ .../tests/e2e/waf-aligned/main.test.bicep | 158 +++ modules/network/private-dns-zone/README.md | 407 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 41 + .../tests/e2e/waf-aligned/main.test.bicep | 224 +++++ modules/network/private-endpoint/README.md | 163 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 95 ++ .../tests/e2e/waf-aligned/main.test.bicep | 105 ++ .../network/private-link-service/README.md | 163 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 ++ .../tests/e2e/waf-aligned/main.test.bicep | 106 ++ modules/network/public-ip-address/README.md | 137 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 107 ++ modules/network/public-ip-prefix/README.md | 91 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 73 ++ modules/network/route-table/README.md | 109 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 82 ++ .../network/service-endpoint-policy/README.md | 115 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 85 ++ .../network/trafficmanagerprofile/README.md | 121 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 101 ++ modules/network/virtual-hub/README.md | 135 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 + .../tests/e2e/waf-aligned/main.test.bicep | 94 ++ modules/network/virtual-network/README.md | 231 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 35 + .../tests/e2e/waf-aligned/main.test.bicep | 156 +++ modules/network/virtual-wan/README.md | 103 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 ++ 
modules/network/vpn-gateway/README.md | 151 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 49 + .../tests/e2e/waf-aligned/main.test.bicep | 102 ++ modules/network/vpn-site/README.md | 177 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 114 +++ .../operational-insights/workspace/README.md | 409 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 47 + .../tests/e2e/waf-aligned/main.test.bicep | 237 +++++ modules/power-bi-dedicated/capacity/README.md | 99 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 ++ modules/purview/account/README.md | 291 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 73 ++ .../tests/e2e/waf-aligned/main.test.bicep | 179 ++++ modules/recovery-services/vault/README.md | 687 +++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 63 ++ .../tests/e2e/waf-aligned/main.test.bicep | 378 +++++++ modules/relay/namespace/README.md | 289 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 ++ .../tests/e2e/waf-aligned/main.test.bicep | 181 ++++ modules/resource-graph/query/README.md | 95 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 74 ++ modules/resources/resource-group/README.md | 87 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 17 + .../tests/e2e/waf-aligned/main.test.bicep | 71 ++ modules/search/search-service/README.md | 193 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 129 +++ .../security/azure-security-center/README.md | 63 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 62 ++ modules/service-bus/namespace/README.md | 391 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 63 ++ .../tests/e2e/waf-aligned/main.test.bicep | 226 +++++ modules/service-fabric/cluster/README.md | 415 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 31 + 
.../tests/e2e/waf-aligned/main.test.bicep | 225 +++++ modules/signal-r-service/signal-r/README.md | 193 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 62 ++ .../tests/e2e/waf-aligned/main.test.bicep | 117 +++ .../signal-r-service/web-pub-sub/README.md | 199 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 62 ++ .../tests/e2e/waf-aligned/main.test.bicep | 119 +++ modules/sql/managed-instance/README.md | 293 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 350 +++++++ .../tests/e2e/waf-aligned/main.test.bicep | 181 ++++ modules/sql/server/README.md | 319 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 111 +++ .../tests/e2e/waf-aligned/main.test.bicep | 197 ++++ modules/storage/storage-account/README.md | 615 ++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 ++ .../tests/e2e/waf-aligned/main.test.bicep | 333 +++++++ modules/synapse/private-link-hub/README.md | 127 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 74 ++ .../tests/e2e/waf-aligned/main.test.bicep | 93 ++ modules/synapse/workspace/README.md | 173 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 92 ++ .../tests/e2e/waf-aligned/main.test.bicep | 124 +++ .../image-template/README.md | 173 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 99 ++ .../tests/e2e/waf-aligned/main.test.bicep | 119 +++ modules/web/connection/README.md | 99 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 77 ++ modules/web/serverfarm/README.md | 133 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 107 ++ modules/web/static-site/README.md | 173 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 94 ++ .../tests/e2e/waf-aligned/main.test.bicep | 109 ++ 339 files changed, 43386 insertions(+) create mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 
modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/job/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/job/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep 
create mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep create mode 
100644 modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep 
create mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/component/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep create mode 100644 
modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep create mode 100644 
modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep create mode 100644 
modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 
modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 
modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/purview/account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 
modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/sql/server/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 
modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/connection/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 1330a6f5ec..673231c2f7 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/aad.domain-service:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -158,6 +159,134 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aaddswaf' + params: { + // Required parameters + domainName: 'onmicrosoft.com' + // Non-required parameters + additionalRecipients: [ + '@noreply.github.com' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + name: 'aaddswaf001' + pfxCertificate: '' + pfxCertificatePassword: '' + replicaSets: [ + { + location: 'WestEurope' + subnetId: '' + } + ] + sku: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "domainName": { + "value": "onmicrosoft.com" + }, + // Non-required parameters + "additionalRecipients": { + "value": [ + "@noreply.github.com" + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "name": { + "value": "aaddswaf001" + }, + "pfxCertificate": { + "value": "" + }, + "pfxCertificatePassword": { + "value": "" + }, + "replicaSets": { + "value": [ + { + "location": "WestEurope", + "subnetId": "" + } + ] + }, + "sku": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..0767cf436a
--- /dev/null
+++ b/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,104 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Deployment Script to create for the Certificate generation.')
+param certDeploymentScriptName string
+
+var certPWSecretName = 'pfxCertificatePassword'
+var certSecretName = 'pfxBase64Certificate'
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
+ scope: keyVault
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: certDeploymentScriptName
+ location: location
+ kind: 'AzurePowerShell'
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${managedIdentity.id}': {}
+ }
+ }
+ properties: {
+ azPowerShellVersion: '3.0'
+ retentionInterval: 'P1D'
+ arguments: ' -KeyVaultName "${keyVault.name}" -ResourceGroupName "${resourceGroup().name}" -CertPWSecretName "${certPWSecretName}" -CertSecretName "${certSecretName}"'
+ scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1')
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The name of the certification password secret.')
+output certPWSecretName string = certPWSecretName
+
+@description('The name of the certification secret.')
+output certSecretName string = certSecretName
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..605f339c95
--- /dev/null
+++ b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep
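Review bot: The role assigned to the deployment-script identity in the `keyPermissions` resource is Key Vault Administrator (`00482a5a-887f-4fb3-b363-3b7fe8e74483`), while the script's `arguments` line shows it only needs to write two secrets (`-CertPWSecretName`, `-CertSecretName`); a secrets-scoped data-plane role such as Key Vault Secrets Officer would be least privilege for this test dependency, assuming `Set-PfxCertificateInKeyVault.ps1` (not visible in this hunk) does not also create certificate objects. The vault is additionally opened with `enabledForDeployment: true` and `enabledForDiskEncryption: true`, which nothing in this file uses; if the test does not rely on them they can be dropped so the WAF-aligned dependencies do not model a broader access surface than required. `azPowerShellVersion: '3.0'` pins a fairly old Az image for the deployment script, so either a newer supported version or a comment stating why this version is required would help maintainers. `enablePurgeProtection: null` is reasonable for a disposable test vault, but a one-line comment such as `// purge protection intentionally off so the test resource group can be cleaned up` would make the deliberate deviation from WAF guidance explicit.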
@@ -0,0 +1,109 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aaddswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+ name: last(split(nestedDependencies.outputs.keyVaultResourceId, '/'))
+ scope: resourceGroup
+}
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ domainName: '${namePrefix}.onmicrosoft.com'
+ additionalRecipients: [
+ '${namePrefix}@noreply.github.com'
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName)
+ pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName)
+ replicaSets: [
+ {
+ location: 'WestEurope'
+ subnetId: nestedDependencies.outputs.subnetResourceId
+ }
+ ]
+ sku: 'Standard'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md
index 73d7a21652..c35c2a2be3 100644
--- a/modules/analysis-services/server/README.md
+++ b/modules/analysis-services/server/README.md
@@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -240,6 +241,168 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-asswaf' + params: { + // Required parameters + name: 'asswaf' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + firewallSettings: { + enablePowerBIService: true + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeEnd: '255.255.255.255' + rangeStart: '0.0.0.0' + } + ] + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 1 + skuName: 'S0' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "asswaf" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "Engine" + }, + { + "category": "Service" + } + ], + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "firewallSettings": { + "value": { + "enablePowerBIService": true, + "firewallRules": [ + { + "firewallRuleName": "AllowFromAll", + "rangeEnd": "255.255.255.255", + "rangeStart": "0.0.0.0" + } + ] + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 1 + }, + "skuName": { + "value": "S0" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..29b9641692
--- /dev/null
+++ b/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created managed identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..7d160d3715
--- /dev/null
+++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,120 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'asswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ skuName: 'S0'
+ skuCapacity: 1
+ firewallSettings: {
+ firewallRules: [
+ {
+ firewallRuleName: 'AllowFromAll'
+ rangeStart: '0.0.0.0'
+ rangeEnd: '255.255.255.255'
+ }
+ ]
+ enablePowerBIService: true
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ logCategoriesAndGroups: [
+ {
+ category: 'Engine'
+ }
+ {
+ category: 'Service'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md
index 49ae4a583a..64ee78c465 100644
--- a/modules/api-management/service/README.md
+++ b/modules/api-management/service/README.md
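Review bot: The `firewallSettings` block in `testDeployment` defines a rule named `AllowFromAll` spanning `rangeStart: '0.0.0.0'` to `rangeEnd: '255.255.255.255'`, which admits every IPv4 address and sits at odds with this file's `metadata description` claiming alignment with the Well-Architected Framework; because the module README example is generated from this test (the matching block appears in the analysis-services README hunk above), the allow-all rule is exactly what users will copy. If the intent is only to exercise the parameter, a narrow and clearly non-production range (constructed example: `rangeStart: '10.0.0.1'` / `rangeEnd: '10.0.0.10'`) with a descriptive `firewallRuleName` would give the same coverage without modelling an open firewall. If the allow-all rule is deliberate for the e2e run, a comment directly above it stating that and pointing readers to the firewall guidance would prevent the WAF-aligned example from being read as a recommendation.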
@@ -44,6 +44,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -471,6 +472,376 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module service 'br:bicep/modules/api-management.service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-apiswaf' + params: { + // Required parameters + name: 'apiswaf001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: 'az-amorg-x-001' + // Non-required parameters + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: '' + clientId: 'apimclientid' + clientRegistrationEndpoint: 'http://localhost' + clientSecret: '' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + 
enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apiswaf001" + }, + "publisherEmail": { + "value": "apimgmt-noreply@mail.windowsazure.com" + }, + "publisherName": { + "value": "az-amorg-x-001" + }, + // Non-required parameters + "apis": { + "value": [ + { + "apiVersionSet": { + "name": "echo-version-set", + "properties": { + "description": "echo-version-set", + "displayName": "echo-version-set", + "versioningScheme": "Segment" + } + }, + "displayName": "Echo API", + "name": "echo-api", + "path": "echo", + "serviceUrl": "http://echoapi.cloudapp.net/api" + } + ] + }, + "authorizationServers": { + "value": { + "secureList": [ + { + "authorizationEndpoint": "", + "clientId": "apimclientid", + "clientRegistrationEndpoint": "http://localhost", + "clientSecret": "", + "grantTypes": [ + "authorizationCode" + ], + "name": "AuthServer1", + "tokenEndpoint": "" + } + ] + } + }, + "backends": { + "value": [ + { + "name": "backend", + "tls": { + "validateCertificateChain": false, + "validateCertificateName": false + }, + "url": "http://echoapi.cloudapp.net/api" + } + ] + }, + "caches": { + "value": [ + { + "connectionString": "connectionstringtest", + "name": "westeurope", + "useFromLocation": "westeurope" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "identityProviders": { + "value": [ + { + "name": "aadProvider" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": 
[ + "" + ] + } + }, + "namedValues": { + "value": [ + { + "displayName": "apimkey", + "name": "apimkey", + "secret": true + } + ] + }, + "policies": { + "value": [ + { + "format": "xml", + "value": " " + } + ] + }, + "portalsettings": { + "value": [ + { + "name": "signin", + "properties": { + "enabled": false + } + }, + { + "name": "signup", + "properties": { + "enabled": false, + "termsOfService": { + "consentRequired": false, + "enabled": false + } + } + } + ] + }, + "products": { + "value": [ + { + "apis": [ + { + "name": "echo-api" + } + ], + "approvalRequired": false, + "groups": [ + { + "name": "developers" + } + ], + "name": "Starter", + "subscriptionRequired": false + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subscriptions": { + "value": [ + { + "name": "testArmSubscriptionAllApis" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep b/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..bd63a95634 --- /dev/null +++ b/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e6246837b8 --- /dev/null +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,219 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apiswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +@description('Optional. 
The secret to leverage for authorization server authentication.') +@secure() +param customSecret string = newGuid() + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: '${namePrefix}-az-amorg-x-001' + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: 
'${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' + clientId: 'apimclientid' + clientSecret: customSecret + clientRegistrationEndpoint: 'http://localhost' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + 
subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + scope: '/apis' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index e057fc4288..83006ae973 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -503,6 +504,182 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor
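Review bot: The `backends` entry disables both TLS checks (`validateCertificateChain: false`, `validateCertificateName: false`) and targets a plain-`http://` `url`, as does the API's `serviceUrl`, so this WAF-aligned example demonstrates the opposite of the framework's transport-security guidance. Unless the public echo endpoint forces it, consider `validateCertificateChain: true`, `validateCertificateName: true` with an `https://` backend, or add a comment explaining why the test relaxes them. `clientRegistrationEndpoint: 'http://localhost'` and the hard-coded tenant GUID in the `authorizationEndpoint`/`tokenEndpoint` strings look like placeholders and deserve a short comment marking them as test-only values. The `customSecret` parameter is correctly declared `@secure()` with a `newGuid()` default.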

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-accwaf' + params: { + // Required parameters + name: 'accwaf001' + // Non-required parameters + createMode: 'Default' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: false + enableDefaultTelemetry: '' + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + softDeleteRetentionInDays: 1 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "accwaf001" + }, + // Non-required parameters + "createMode": { + "value": "Default" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "keyValues": { + "value": [ + { + "contentType": "contentType", + "name": "keyName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "value": "valueName" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "softDeleteRetentionInDays": { + "value": 1 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..bd63a95634 --- /dev/null +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..22770e01be --- /dev/null +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'accwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index 56ef31b6d4..c6ad339911 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md 
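Review bot: `disableLocalAuth: false`, `enablePurgeProtection: false` and `softDeleteRetentionInDays: 1` in the `testDeployment` params are the least-hardened settings for this store, which sits oddly in a test whose `metadata description` claims WAF alignment; the framework's guidance points the other way (identity-based access only, purge protection on, a longer retention). If these are deliberately relaxed so the e2e pipeline can tear the store down, say so in a comment next to them; otherwise `disableLocalAuth: true` and `enablePurgeProtection: true` would make the example match its name, leaving the relaxed variant to the large-parameter-set example.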
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -279,6 +280,168 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mcappwaf' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'mcappwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "mcappwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a6700c9d60 --- /dev/null +++ b/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Required. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Environment for Container Apps to create.') +param managedEnvironmentName string + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { + name: managedEnvironmentName + location: location + sku: { + name: 'Consumption' + } + properties: {} +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Managed Environment.') +output managedEnvironmentResourceId string = managedEnvironment.id diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..baa721dd00 --- /dev/null +++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'mcappwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + location: location + managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + enableDefaultTelemetry: enableDefaultTelemetry + environmentId: 
nestedDependencies.outputs.managedEnvironmentResourceId + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: guid(deployment().name) + } + ] + } + containers: [ + { + name: 'simple-hello-world-container' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 + cpu: json('0.25') + memory: '0.5Gi' + } + probes: [ + { + type: 'Liveness' + httpGet: { + path: '/health' + port: 8080 + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + } + initialDelaySeconds: 3 + periodSeconds: 3 + } + ] + } + ] + } +} diff --git a/modules/app/job/README.md b/modules/app/job/README.md index c5d025fad6..042067b52b 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -329,6 +330,204 @@ module job 'br:bicep/modules/app.job:1.0.0' = {
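Review bot: The `secrets.secureList` entry uses `value: guid(deployment().name)`, a deterministic value derived from the deployment name, so the "secret" in this WAF-aligned example is reproducible by anyone who knows that name. The api-management test in the same commit handles this better with a `@secure()` parameter defaulting to `newGuid()`; the same pattern (`@secure() param customSecret string = newGuid()` passed as `value: customSecret`) would keep the two tests consistent. Minor: the section banner reads `// Deployments //` while the other new tests in this commit use `// Dependencies //`.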

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajwaf' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajwaf001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'ContainerApp Reader' + } + ] + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + workloadProfileName: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajwaf001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "ContainerApp Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + }, + "workloadProfileName": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b03d4aca93 --- /dev/null +++ b/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,40 @@ +@description('Required. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Environment for Container Apps to create.') +param managedEnvironmentName string + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the workload profile to create.') +param workloadProfileName string + +resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = { + name: managedEnvironmentName + location: location + properties: { + workloadProfiles: [ + { + name: workloadProfileName + workloadProfileType: 'D4' + maximumCount: 1 + minimumCount: 1 + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Managed Environment.') +output managedEnvironmentResourceId string = managedEnvironment.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..267c39bb21 --- /dev/null +++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,124 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'ajwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ location: location
+ managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ workloadProfileName: serviceShort
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Env: 'test'
+ }
+ enableDefaultTelemetry: enableDefaultTelemetry
+ environmentId: nestedDependencies.outputs.managedEnvironmentResourceId
+ workloadProfileName: serviceShort
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ secrets: {
+ secureList: [
+ {
+ name: 'customtest'
+ value: guid(deployment().name)
+ }
+ ]
+ }
+ triggerType: 'Manual'
+ manualTriggerConfig: {
+ replicaCompletionCount: 1
+ parallelism: 1
+ }
+ containers: [
+ {
+ name: 'simple-hello-world-container'
+ image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+ resources: {
+ // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386
+ cpu: json('0.25')
+ memory: '0.5Gi'
+ }
+ probes: [
+ {
+ type: 'Liveness'
+ httpGet: {
+ path: '/health'
+ port: 8080
+ httpHeaders: [
+ {
+ name: 'Custom-Header'
+ value: 'Awesome'
+ }
+ ]
+ }
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ }
+ ]
+ }
+ ]
+ roleAssignments: [
+ {
+ principalId: nestedDependencies.outputs.managedIdentityResourceId
+ roleDefinitionIdOrName: 'ContainerApp Reader'
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+}
diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md
index 40ec6dfd7e..d222427925
--- a/modules/app/managed-environment/README.md
+++ b/modules/app/managed-environment/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to + - [Using only defaults](#example-1-using-only-defaults) + - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) + + ### Example 1: _Using only defaults_ +
@@ -179,6 +180,106 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = {
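Review bot: In the `roleAssignments` entry at the end of `testDeployment` in main.test.bicep, `principalId: nestedDependencies.outputs.managedIdentityResourceId` hands the identity's ARM resource ID to a field that expects the principal's object ID, so the role assignment should be rejected by the provider rather than granting `ContainerApp Reader` to the identity; dependencies.bicep in this same commit already exposes `managedIdentityPrincipalId` for exactly this. Change the line to `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`. The nested module is named `...-paramNested` here and in the managed-environment test, while the automation-account test uses `...-nestedDependencies`; picking one suffix across the WAF-aligned fixtures would make deployment history easier to search.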

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-amewaf' + params: { + // Required parameters + enableDefaultTelemetry: '' + logAnalyticsWorkspaceResourceId: '' + name: 'amewaf001' + // Non-required parameters + dockerBridgeCidr: '172.16.0.1/28' + infrastructureSubnetId: '' + internal: true + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + platformReservedCidr: '172.17.17.0/24' + platformReservedDnsIP: '172.17.17.17' + skuName: 'Consumption' + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "" + }, + "name": { + "value": "amewaf001" + }, + // Non-required parameters + "dockerBridgeCidr": { + "value": "172.16.0.1/28" + }, + "infrastructureSubnetId": { + "value": "" + }, + "internal": { + "value": true + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "platformReservedCidr": { + "value": "172.17.17.0/24" + }, + "platformReservedDnsIP": { + "value": "172.17.17.17" + }, + "skuName": { + "value": "Consumption" + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..f61380acc4
--- /dev/null
+++ b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,51 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+ properties: any({
+ retentionInDays: 30
+ features: {
+ searchVersion: 1
+ }
+ sku: {
+ name: 'PerGB2018'
+ }
+ })
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+
+}
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..49d64c4d2c
--- /dev/null
+++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
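Review bot: `properties: any({ ... })` on `logAnalyticsWorkspace` in dependencies.bicep switches off Bicep's type checking for the whole properties object, so a mistyped `retentionInDays` or `sku` would only surface at deployment time; if the cast is needed for a single property, a comment naming it (e.g. `// any() needed: <property> is not in the 2022-10-01 type`) tells the next reader why it cannot simply be removed, and if it is not needed the cast should go. The stray empty line before the closing `}` of `virtualNetwork` is a formatting nit that `bicep format` would remove.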
@@ -0,0 +1,72 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'amewaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
+ location: location
+ skuName: 'Consumption'
+ internal: true
+ dockerBridgeCidr: '172.16.0.1/28'
+ platformReservedCidr: '172.17.17.0/24'
+ platformReservedDnsIP: '172.17.17.17'
+ infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Env: 'test'
+ }
+ }
+}
diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md
index 5d3f67c3e0..7e2543aee3
--- a/modules/authorization/lock/README.md
+++ b/modules/authorization/lock/README.md
@@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.lock:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) + ### Example 1: _Using large parameter set_ +
@@ -82,6 +83,62 @@ module lock 'br:bicep/modules/authorization.lock:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module lock 'br:bicep/modules/authorization.lock:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-alwaf' + params: { + // Required parameters + level: 'CanNotDelete' + // Non-required parameters + enableDefaultTelemetry: '' + resourceGroupName: '' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "level": { + "value": "CanNotDelete" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0ed75a7621
--- /dev/null
+++ b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,49 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'alwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ level: 'CanNotDelete'
+ resourceGroupName: resourceGroup.name
+ subscriptionId: subscription().subscriptionId
+ }
+}
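Review bot: `testDeployment` in main.test.bicep places a `level: 'CanNotDelete'` lock on the resource group the test itself creates (`resourceGroupName: resourceGroup.name`), so that group cannot be deleted until the lock is removed; unless the pipeline's teardown already strips locks before deleting test resource groups, this fixture leaves `dep-<namePrefix>-authorization.locks-alwaf-rg` behind after every run. A short comment above the module, such as `// The lock targets the test resource group; cleanup must remove the lock before deleting the group.`, would record that dependency for whoever maintains the teardown. The module intentionally has no `scope:` because the lock module is deployed at subscription scope; a one-line comment saying so would save the next reader from "fixing" it to match the other tests.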
diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 49340e030c..42e498b90a 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -40,6 +40,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -614,6 +615,462 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aawaf' + params: { + // Required parameters + name: 'aawaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + linkedWorkspaceResourceId: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'Webhook' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'DSCAndHybridWorker' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + 
expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "aawaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gallerySolutions": { + "value": [ + { + "name": "Updates", + "product": "OMSGallery", + "publisher": "Microsoft" + } + ] + }, + "jobSchedules": { + "value": [ + { + "runbookName": "TestRunbook", + "scheduleName": "TestSchedule" + } + ] + }, + "linkedWorkspaceResourceId": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "modules": { + "value": [ + { + "name": "PSWindowsUpdate", + "uri": "https://www.powershellgallery.com/api/v2/package", + "version": "latest" + } + ] + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "Webhook", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "DSCAndHybridWorker", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + 
"runbooks": { + "value": [ + { + "description": "Test runbook", + "name": "TestRunbook", + "type": "PowerShell", + "uri": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1", + "version": "1.0.0.0" + } + ] + }, + "schedules": { + "value": [ + { + "advancedSchedule": {}, + "expiryTime": "9999-12-31T13:00", + "frequency": "Hour", + "interval": 12, + "name": "TestSchedule", + "startTime": "", + "timeZone": "Europe/Berlin" + } + ] + }, + "softwareUpdateConfigurations": { + "value": [ + { + "excludeUpdates": [ + "123456" + ], + "frequency": "Month", + "includeUpdates": [ + "654321" + ], + "interval": 1, + "maintenanceWindow": "PT4H", + "monthlyOccurrences": [ + { + "day": "Friday", + "occurrence": 3 + } + ], + "name": "Windows_ZeroDay", + "operatingSystem": "Windows", + "rebootSetting": "IfRequired", + "scopeByTags": { + "Update": [ + "Automatic-Wave1" + ] + }, + "startTime": "22:00", + "updateClassifications": [ + "Critical", + "Definition", + "FeaturePack", + "Security", + "ServicePack", + "Tools", + "UpdateRollup", + "Updates" + ] + }, + { + "excludeUpdates": [ + "icacls" + ], + "frequency": "OneTime", + "includeUpdates": [ + "kernel" + ], + "maintenanceWindow": "PT4H", + "name": "Linux_ZeroDay", + "operatingSystem": "Linux", + "rebootSetting": "IfRequired", + "startTime": "22:00", + "updateClassifications": [ + "Critical", + "Other", + "Security" + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "variables": { + "value": [ + { + "description": "TestStringDescription", + "name": "TestString", + "value": "\"TestString\"" + }, + { + "description": "TestIntegerDescription", + "name": "TestInteger", + "value": "500" + }, + { + "description": "TestBooleanDescription", + "name": "TestBoolean", + "value": "false" + }, + { + "description": 
"TestDateTimeDescription", + "isEncrypted": false, + "name": "TestDateTime", + "value": "\"\\/Date(1637934042656)\\/\"" + }, + { + "description": "TestEncryptedDescription", + "name": "TestEncryptedVariable", + "value": "\"TestEncryptedValue\"" + } + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..3a979dc83b
--- /dev/null
+++ b/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,90 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.azure-automation.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The URL of the created Key Vault.')
+output keyVaultUrl string = keyVault.properties.vaultUri
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..ebff0d4bc1
--- /dev/null
+++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
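Review bot: `enablePurgeProtection: null` on the `keyVault` fixture in dependencies.bicep effectively leaves purge protection off, and the three `enabledFor*` flags are all `true`, which is a looser vault than the WAF-aligned scenario is meant to demonstrate; if this is deliberate so the vault can be purged when the test resource group is torn down, a comment such as `// Purge protection intentionally off so the test vault can be purged on cleanup` would keep a later reader from tightening it and breaking teardown. The vault and its `keyVaultResourceId`/`keyVaultUrl` outputs are not referenced in the portion of main.test.bicep visible in this diff, so it is worth confirming the fixture is consumed at all. The user-assigned identity uses `userAssignedIdentities@2018-11-30` while the app/job fixture in this commit uses `2022-01-31-preview`; one stable version across the fixtures would be more consistent.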
@@ -0,0 +1,261 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'aawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + disableLocalAuth: true + linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Webhook' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'DSCAndHybridWorker' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 
'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + 
name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 3a1c9b5e7f..2d71887df9 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -392,6 +393,188 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
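Review bot: The `modules` entry pins PSWindowsUpdate to `version: 'latest'` and the `runbooks` entry fetches its script from a `raw.githubusercontent.com/.../master/...` URL, so both are mutable references rather than pinned artifacts; for an example labelled WAF-aligned, a fixed module version and a tag- or commit-pinned raw URL would make the deployment reproducible and reduce exposure to upstream changes. Separately, `TestEncryptedVariable` relies on the module's default for `isEncrypted` while `TestDateTime` sets it explicitly; if that default is not `true` the value is stored in plaintext, so adding `isEncrypted: true` to that entry states the intent either way.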

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-bbawaf' + params: { + // Required parameters + name: 'bbawaf001' + storageAccountId: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + poolAllocationMode: 'BatchService' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + storageAccessIdentity: '' + storageAuthenticationMode: 'BatchAccountManagedIdentity' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "bbawaf001" + }, + "storageAccountId": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "poolAllocationMode": { + "value": "BatchService" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "storageAccessIdentity": { + "value": "" + }, + "storageAuthenticationMode": { + "value": "BatchAccountManagedIdentity" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..462e8a5f27 --- /dev/null +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,78 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.batch.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created 
Virtual Network Subnet.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..20fbc393af --- /dev/null +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep 
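Review bot: The description on the `storageAccountResourceId` output is a copy-paste of the subnet output and reads `The resource ID of the created Virtual Network Subnet.`; it should be `@description('The resource ID of the created Storage Account.')`. The storage account itself is created with only `sku` and `kind`, so `minimumTlsVersion` and `allowBlobPublicAccess` fall back to the API defaults; adding a `properties` block with `minimumTlsVersion: 'TLS1_2'` and `allowBlobPublicAccess: false` would keep the dependency consistent with the WAF-aligned label of the test that consumes it.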
@@ -0,0 +1,129 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'bbawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}st${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + poolAllocationMode: 'BatchService' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId + storageAuthenticationMode: 'BatchAccountManagedIdentity' + managedIdentities: { + systemAssigned: true + } + tags: { + 'hidden-title': 
'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 50eaf4f856..0c37755f50 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Geo](#example-2-geo) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -397,6 +398,200 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {
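Review bot: `storageAuthenticationMode: 'BatchAccountManagedIdentity'` makes the account reach its auto-storage with a managed identity, but neither this file nor `dependencies.bicep` grants that identity (the system-assigned one, or the `storageAccessIdentity` user-assigned one) any data-plane role on the storage account; the two `roleAssignments` blocks only grant `Reader` on the Batch account and the private endpoint. The deployment will presumably still succeed, since the role is only needed at runtime, but the example then does not work as a template for real use. Either a comment on the `storageAuthenticationMode` line stating that storage RBAC is out of scope for the test, or a `Storage Blob Data Contributor` assignment on the storage account in `dependencies.bicep`, would close the gap.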

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crewaf' + params: { + // Required parameters + name: 'crewaf001' + // Non-required parameters + capacity: 2 + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + args: 'RETENTION_POLICY 20' + name: 'RedisTimeSeries' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + minimumTlsVersion: '1.2' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crewaf001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "databases": { + "value": [ + { + "clusteringPolicy": "EnterpriseCluster", + "evictionPolicy": "AllKeysLFU", + "modules": [ + { + "name": "RedisBloom" + }, + { + "args": "RETENTION_POLICY 20", + "name": "RedisTimeSeries" + } + ], + "persistenceAofEnabled": true, + "persistenceAofFrequency": "1s", + "persistenceRdbEnabled": false, + "port": 10000 + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "resourceType": "Redis Cache Enterprise" + } + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..59ae30a575 --- /dev/null +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.redisenterprise.cache.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..cd0e90a7d9 --- /dev/null +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,135 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crewaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + minimumTlsVersion: '1.2' + zoneRedundant: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + name: 'RedisTimeSeries' + args: 'RETENTION_POLICY 20' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + } +} 
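Review bot: The managed identity name passed to `nestedDependencies` is `'dep-${namePrefix}-msi-ds-${serviceShort}'`, while the sibling WAF-aligned tests in this commit use `'dep-${namePrefix}-msi-${serviceShort}'`; the extra `-ds-` segment looks like a leftover from another test and is worth aligning for consistency. The rest of the hunk matches the label: `minimumTlsVersion: '1.2'`, `zoneRedundant: true` and a private endpoint bound to the linked DNS zone.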
diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 6c833b7a8a..500c93fa81 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -263,6 +264,188 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module redis 'br:bicep/modules/cache.redis:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crwaf' + params: { + // Required parameters + name: 'crwaf001' + // Non-required parameters + capacity: 2 + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableNonSslPort: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + minimumTlsVersion: '1.2' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + redisVersion: '6' + shardCount: 1 + skuName: 'Premium' + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache' + } + zoneRedundant: true + zones: [ + 1 + 2 + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crwaf001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableNonSslPort": { + "value": true + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "redisVersion": { + "value": "6" + }, + "shardCount": { + "value": 1 + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "resourceType": "Redis Cache" + } + }, + "zoneRedundant": { + "value": true + }, + "zones": { + "value": [ + 1, + 2 + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8218e0c1ad --- /dev/null +++ b/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.redis.cache.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id 
diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..814b68ace3 --- /dev/null +++ b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,121 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' 
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + enableNonSslPort: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + minimumTlsVersion: '1.2' + zoneRedundant: true + zones: [ 1, 2 ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + redisVersion: '6' + shardCount: 1 + skuName: 'Premium' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache' + } + } +} diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 41fd0159bf..47cbe6ed82 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md 
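Review bot: `enableNonSslPort: true` and `publicNetworkAccess: 'Enabled'` in the testDeployment params are at odds with the WAF-aligned intent this file declares in its metadata, and with the private endpoint and `minimumTlsVersion: '1.2'` set a few lines later. Unless the non-TLS port is needed by the validation itself, the example should set `enableNonSslPort: false` and `publicNetworkAccess: 'Disabled'` so the README generated from it does not advertise a plaintext port on a publicly reachable cache. If one of them has to stay open for the e2e run, a one-line comment saying why would stop readers from copying it as the recommended configuration.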
@@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Afd](#example-1-afd) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Afd_ @@ -404,6 +405,154 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module profile 'br:bicep/modules/cdn.profile:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdnpwaf' + params: { + // Required parameters + name: 'dep-test-cdnpwaf' + sku: 'Standard_Verizon' + // Non-required parameters + enableDefaultTelemetry: '' + endpointProperties: { + contentTypesToCompress: [ + 'application/javascript' + 'application/json' + 'application/x-javascript' + 'application/xml' + 'text/css' + 'text/html' + 'text/javascript' + 'text/plain' + ] + geoFilters: [] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + originGroups: [] + originHostHeader: '' + origins: [ + { + name: 'dep-cdn-endpoint01' + properties: { + enabled: true + hostName: '' + httpPort: 80 + httpsPort: 443 + } + } + ] + queryStringCachingBehavior: 'IgnoreQueryString' + } + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dep-test-cdnpwaf" + }, + "sku": { + "value": "Standard_Verizon" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "endpointProperties": { + "value": { + "contentTypesToCompress": [ + "application/javascript", + "application/json", + "application/x-javascript", + "application/xml", + "text/css", + "text/html", + "text/javascript", + "text/plain" + ], + "geoFilters": [], + "isCompressionEnabled": true, + "isHttpAllowed": true, + "isHttpsAllowed": true, + "originGroups": [], + "originHostHeader": "", + "origins": [ + { + "name": "dep-cdn-endpoint01", + "properties": { + "enabled": true, + "hostName": "", + "httpPort": 80, + "httpsPort": 443 + } + } + ], + "queryStringCachingBehavior": "IgnoreQueryString" + } + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "originResponseTimeoutSeconds": { + "value": 60 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..7ca387035b --- /dev/null +++ b/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created Storage Account.') +output storageAccountName string = storageAccount.name + +@description('The resource ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8df82c8a93 --- /dev/null +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep 
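Review bot: The origin storage account in dependencies.bicep sets `allowBlobPublicAccess: false` and a Deny network ACL but leaves the transport settings at the API defaults; for a WAF-aligned example, adding `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` under properties makes the intent explicit instead of relying on whatever the 2022-05-01 API version defaults to. Separately, with `defaultAction: 'Deny'` and only `bypass: 'AzureServices'`, it is not clear from this hunk that the CDN endpoint in main.test.bicep can actually reach the blob origin; if the e2e run only validates the deployment and never fetches content through the endpoint, a comment to that effect would pre-empt the question.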
@@ -0,0 +1,101 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_Verizon' + 
enableDefaultTelemetry: enableDefaultTelemetry + endpointProperties: { + originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + contentTypesToCompress: [ + 'text/plain' + 'text/html' + 'text/css' + 'text/javascript' + 'application/x-javascript' + 'application/javascript' + 'application/json' + 'application/xml' + ] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + queryStringCachingBehavior: 'IgnoreQueryString' + origins: [ + { + name: 'dep-${namePrefix}-cdn-endpoint01' + properties: { + hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + httpPort: 80 + httpsPort: 443 + enabled: true + } + } + ] + originGroups: [] + geoFilters: [] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 26626e96c2..4244365e44 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -36,6 +36,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Speech](#example-4-speech) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -487,6 +488,206 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {
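Review bot: `isHttpAllowed: true` in endpointProperties leaves the CDN endpoint serving plaintext, which the WAF-aligned metadata of this file argues against; next to `isHttpsAllowed: true` it should read `isHttpAllowed: false` unless the module installs an HTTP-to-HTTPS redirect rule by default, which this hunk does not show. The README example generated from this file repeats the value, so readers will take it as the recommended setting. If HTTP has to stay enabled for the e2e validation, a comment on that line explaining why would be enough.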

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-csawaf' + params: { + // Required parameters + kind: 'Face' + name: 'csawaf001' + // Non-required parameters + customSubDomainName: 'xdomain' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'S0' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "Face" + }, + "name": { + "value": "csawaf001" + }, + // Non-required parameters + "customSubDomainName": { + "value": "xdomain" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "networkAcls": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "S0" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..129b6f6579 --- /dev/null +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,68 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.CognitiveServices' + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.cognitiveservices.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS zone.') +output privateDNSZoneResourceId string = privateDNSZone.id 
diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..6db604335b --- /dev/null +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,137 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + kind: 'Face' + customSubDomainName: '${namePrefix}xdomain' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'S0' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 
'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index e2d646e9bf..b78be7385e 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -167,6 +168,96 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = {
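Review bot: The `ipRules` entry `40.74.28.0/23` in networkAcls is an unexplained public allow-list on an account that otherwise uses `defaultAction: 'Deny'`, a service-endpoint subnet rule and a private endpoint. Because the generated README copies this value verbatim, a comment such as `// Sample range for validation only; replace with your own egress addresses or remove` directly above the rule would keep readers from carrying an unrelated range into their own deployments. The same literal appears in the README example added earlier in this change, so the comment would travel with it.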

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-caswaf' + params: { + // Required parameters + name: 'caswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "caswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "proximityPlacementGroupResourceId": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2c78999e90 --- /dev/null +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,24 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Proximity Placement Group to create.') +param proximityPlacementGroupName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = { + name: proximityPlacementGroupName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Proximity Placement Group.') +output proximityPlacementGroupResourceId string = proximityPlacementGroup.id diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..01bac9f002 --- /dev/null +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,74 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'caswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: 
nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index c3d9e9d920..b9590d9b21 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Accesspolicies](#example-1-accesspolicies) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Accesspolicies_ @@ -232,6 +233,112 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' =

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdeswaf' + params: { + // Required parameters + keyName: '' + keyVaultResourceId: '' + name: 'cdeswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "keyName": { + "value": "" + }, + "keyVaultResourceId": { + "value": "" + }, + "name": { + "value": "cdeswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..62321ebe98 --- /dev/null +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,51 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by disk encryption set + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the created encryption key.') +output keyName string = keyVault::key.name + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id 
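Review bot: The Key Vault in dependencies.bicep enables `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` together without explanation, while the neighbouring `enablePurgeProtection: true` does get a `// Required by disk encryption set` comment. Each of those flags widens which Azure services may read from the vault, and as far as I know a disk encryption set reaches the key through its own identity rather than through these flags, so either drop the ones the e2e run does not rely on or give them the same kind of comment. The vault is also created with no `networkAcls` or `publicNetworkAccess` setting, so the key that protects the disks sits behind the public endpoint; for a WAF-aligned example that is worth a comment if it is deliberate for test purposes.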
diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e5354c3489 --- /dev/null +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,84 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdeswaf' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 53656e6a71..a2b245fd26 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md 
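Review bot: `keyVaultName` takes only three characters of `uniqueString(baseTime)`, and because the vault is created with purge protection a previous run's soft-deleted vault of the same name cannot be purged, so a collision would presumably fail the deployment rather than reuse the vault. The existing comment explains the 24-character limit; it should also state the consequence, e.g. `// A soft-deleted, purge-protected vault with the same name blocks creation; change baseTime or the prefix if that happens`. Separately, `resourceGroups@2021-04-01` here differs from the `2022-09-01` version used by the disk test in the same commit; aligning the API versions is a small consistency gain.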
@@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Image](#example-2-image) - [Import](#example-3-import) - [Using large parameter set](#example-4-using-large-parameter-set) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -375,6 +376,120 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module disk 'br:bicep/modules/compute.disk:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdwaf' + params: { + // Required parameters + name: 'cdwaf001' + sku: 'UltraSSD_LRS' + // Non-required parameters + diskIOPSReadWrite: 500 + diskMBpsReadWrite: 60 + diskSizeGB: 128 + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + logicalSectorSize: 512 + osType: 'Windows' + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cdwaf001" + }, + "sku": { + "value": "UltraSSD_LRS" + }, + // Non-required parameters + "diskIOPSReadWrite": { + "value": 500 + }, + "diskMBpsReadWrite": { + "value": 60 + }, + "diskSizeGB": { + "value": 128 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "logicalSectorSize": { + "value": 512 + }, + "osType": { + "value": "Windows" + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..616cf219fe
--- /dev/null
+++ b/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created managed identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..95bd0f5d73
--- /dev/null
+++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,78 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}001' + sku: 'UltraSSD_LRS' + diskIOPSReadWrite: 500 + diskMBpsReadWrite: 60 + diskSizeGB: 128 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + logicalSectorSize: 512 + osType: 
'Windows' + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 4f370dfd3b..5d352f0fb3 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -403,6 +404,330 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
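Review bot: `resourceGroupName` defaults to `'dep-${namePrefix}-compute.images-${serviceShort}-rg'`, which names the image module rather than the disk module (the sibling tests in this commit use `compute.diskencryptionsets` and `compute.galleries`); this looks like a copy-paste and should presumably read `compute.disks`, so the disk and image WAF runs do not land in the same resource group. For a test labelled WAF-aligned, `publicNetworkAccess: 'Enabled'` is also the least restrictive choice; if the module accepts it, `publicNetworkAccess: 'Disabled'` would match the framework's security guidance better, otherwise a comment explaining why the disk is kept reachable would help. The resource name `'${namePrefix}-${serviceShort}001'` carries a hyphen that the sibling tests omit, which is worth aligning for consistency.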

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cgwaf' + params: { + // Required parameters + name: 'cgwaf001' + // Non-required parameters + applications: [ + { + name: 'cgwaf-appd-001' + } + { + name: 'cgwaf-appd-002' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + supportedOSType: 'Windows' + } + ] + enableDefaultTelemetry: '' + images: [ + { + name: 'az-imgd-ws-001' + } + { + hyperVGeneration: 'V1' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-002' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition' + } + { + hyperVGeneration: 'V2' + isHibernateSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-003' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition-hibernate' + } + { + hyperVGeneration: 'V2' + isAcceleratedNetworkSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-004' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition-accnet' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 16 + 
maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-wdtl-002' + offer: 'WindowsDesktop' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsDesktop' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityType: 'TrustedLaunch' + sku: 'Win11-21H2' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 32 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 1 + name: 'az-imgd-us-001' + offer: '0001-com-ubuntu-server-focal' + osState: 'Generalized' + osType: 'Linux' + publisher: 'canonical' + sku: '20_04-lts-gen2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cgwaf001" + }, + // Non-required parameters + "applications": { + "value": [ + { + "name": "cgwaf-appd-001" + }, + { + "name": "cgwaf-appd-002", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "supportedOSType": "Windows" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "images": { + "value": [ + { + "name": "az-imgd-ws-001" + }, + { + "hyperVGeneration": "V1", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-002", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition" + }, + { + "hyperVGeneration": "V2", + "isHibernateSupported": "true", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-003", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition-hibernate" + }, + { + "hyperVGeneration": "V2", + "isAcceleratedNetworkSupported": "true", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-004", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": 
"MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition-accnet" + }, + { + "hyperVGeneration": "V2", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 4, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-wdtl-002", + "offer": "WindowsDesktop", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsDesktop", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "securityType": "TrustedLaunch", + "sku": "Win11-21H2" + }, + { + "hyperVGeneration": "V2", + "maxRecommendedMemory": 32, + "maxRecommendedvCPUs": 4, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 1, + "name": "az-imgd-us-001", + "offer": "0001-com-ubuntu-server-focal", + "osState": "Generalized", + "osType": "Linux", + "publisher": "canonical", + "sku": "20_04-lts-gen2" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..755e9e49c5
--- /dev/null
+++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,189 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + applications: [ + { + name: '${namePrefix}-${serviceShort}-appd-001' + } + { + name: 
'${namePrefix}-${serviceShort}-appd-002' + supportedOSType: 'Windows' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] + images: [ + { + name: '${namePrefix}-az-imgd-ws-001' + } + { + hyperVGeneration: 'V1' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-002' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition' + } + { + hyperVGeneration: 'V2' + isHibernateSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-003' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-hibernate' + } + { + hyperVGeneration: 'V2' + isAcceleratedNetworkSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-004' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-accnet' + } + { + hyperVGeneration: 'V2' + securityType: 'TrustedLaunch' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 4 + 
minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-wdtl-002' + offer: 'WindowsDesktop' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsDesktop' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'Win11-21H2' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 32 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 1 + name: '${namePrefix}-az-imgd-us-001' + offer: '0001-com-ubuntu-server-focal' + osState: 'Generalized' + osType: 'Linux' + publisher: 'canonical' + sku: '20_04-lts-gen2' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 6c22d0ff2d..f642c6f3c1 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.image:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -139,6 +140,118 @@ module image 'br:bicep/modules/compute.image:1.0.0' = {
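Review bot: The same three-line Reader role assignment for `nestedDependencies.outputs.managedIdentityPrincipalId` is repeated six times across `applications`, `images` and the top-level `roleAssignments`; declaring it once as a `var` and referencing it in each place would make the test shorter and keep the principal in one spot if it changes. `isHibernateSupported: 'true'` and `isAcceleratedNetworkSupported: 'true'` are string literals rather than booleans, which is presumably what the module's parameter type requires, but a short comment on the first occurrence saying so would stop a reader from "fixing" them. `resourceGroups@2021-04-01` also differs from the `2022-09-01` version used by the disk test in this commit.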

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module image 'br:bicep/modules/compute.image:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ciwaf' + params: { + // Required parameters + name: 'ciwaf001' + osAccountType: 'Premium_LRS' + osDiskBlobUri: '' + osDiskCaching: 'ReadWrite' + osType: 'Windows' + // Non-required parameters + diskEncryptionSetResourceId: '' + diskSizeGB: 128 + enableDefaultTelemetry: '' + hyperVGeneration: 'V1' + osState: 'Generalized' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'You\'re it' + tagB: 'Player' + } + zoneResilient: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ciwaf001" + }, + "osAccountType": { + "value": "Premium_LRS" + }, + "osDiskBlobUri": { + "value": "" + }, + "osDiskCaching": { + "value": "ReadWrite" + }, + "osType": { + "value": "Windows" + }, + // Non-required parameters + "diskEncryptionSetResourceId": { + "value": "" + }, + "diskSizeGB": { + "value": 128 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hyperVGeneration": { + "value": "V1" + }, + "osState": { + "value": "Generalized" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "tagA": "You\"re it", + "tagB": "Player" + } + }, + "zoneResilient": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2a31d8730b --- /dev/null +++ b/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,218 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create and to copy the VHD into.') +param storageAccountName string + +@description('Required. The name of the Disk Encryption Set to create.') +param diskEncryptionSetName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name prefix of the Image Template to create.') +param imageTemplateNamePrefix string + +@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.') +param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') + +@description('Required. The name of the Deployment Script to create for triggering the image creation.') +param triggerImageDeploymentScriptName string + +@description('Required. 
The name of the Deployment Script to copy the VHD to a destination storage account.') +param copyVhdDeploymentScriptName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } + resource blobServices 'blobServices@2022-09-01' = { + name: 'default' + resource container 'containers@2022-09-01' = { + name: 'vhds' + properties: { + publicAccess: 'None' + } + } + } +} + +module roleAssignment 'dependencies_rbac.bicep' = { + name: '${deployment().name}-MSI-roleAssignment' + scope: subscription() + params: { + managedIdentityPrincipalId: managedIdentity.properties.principalId + managedIdentityResourceId: managedIdentity.id + } +} + +// Deploy image template +resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = { + #disable-next-line use-stable-resource-identifiers + name: '${imageTemplateNamePrefix}-${baseTime}' + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + buildTimeoutInMinutes: 0 + vmProfile: { + vmSize: 'Standard_D2s_v3' + osDiskSizeGB: 127 + } + source: { + type: 'PlatformImage' + publisher: 'MicrosoftWindowsDesktop' + offer: 'Windows-11' + sku: 'win11-21h2-avd' + version: 'latest' + } + distribute: [ + { + type: 'VHD' + runOutputName: '${imageTemplateNamePrefix}-VHD' + artifactTags: {} + } + ] + customize: [ + { + restartTimeout: '30m' + type: 'WindowsRestart' + } + ] + } +} + +// Trigger VHD creation +resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: triggerImageDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + 
userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1') + cleanupPreference: 'OnSuccess' + forceUpdateTag: baseTime + } + dependsOn: [ + roleAssignment + ] +} + +// Copy VHD to destination storage account +resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: copyVhdDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1') + cleanupPreference: 'OnSuccess' + forceUpdateTag: baseTime + } + dependsOn: [ triggerImageDeploymentScript ] +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required for encrption to work + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: 
guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { + name: diskEncryptionSetName + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + activeKey: { + sourceVault: { + id: keyVault.id + } + keyUrl: keyVault::key.properties.keyUriWithVersion + } + encryptionType: 'EncryptionAtRestWithCustomerKey' + } + dependsOn: [ + keyPermissions + ] +} + +@description('The URI of the created VHD.') +output vhdUri string = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/vhds/${imageTemplateNamePrefix}.vhd' + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Disk Encryption Set.') +output diskEncryptionSetResourceId string = diskEncryptionSet.id diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep new file mode 100644 index 0000000000..cdca1b63bd --- /dev/null +++ b/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep 
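Review bot: The storage account that receives the VHD sets `allowBlobPublicAccess: false` but leaves `minimumTlsVersion` and `supportsHttpsTrafficOnly` unset, so for a WAF-aligned fixture it is worth adding `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` under `properties` unless the `2022-09-01` defaults are already known to cover them. The comment on the Key Vault reads `// Required for encrption to work`; it should be `// Required for encryption to work`. Since the deployment-script `arguments` strings are built by interpolating resource names, a one-line comment noting that those names come only from this template's parameters would document why no quoting beyond the escaped `\\"` is needed.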
@@ -0,0 +1,16 @@
+targetScope = 'subscription'
+
+@description('Required. The resource ID of the created Managed Identity.')
+param managedIdentityResourceId string
+
+@description('Required. The principal ID of the created Managed Identity.')
+param managedIdentityPrincipalId string
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(subscription().subscriptionId, 'Contributor', managedIdentityResourceId)
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
+ principalId: managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+}
diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..83e55ae5ed
--- /dev/null
+++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
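Review bot: The role assignment grants `Contributor` at subscription scope to the test identity, which is wider than the image build in `dependencies.bicep` appears to need; that template only reads and creates resources inside `resourceGroup()`. If the image template and the copy script work within that resource group, assigning the role there (a resource-group-scoped `Microsoft.Authorization/roleAssignments` declared in `dependencies.bicep` itself, which would also remove the need for this subscription-scoped module) keeps the fixture to least privilege. If subscription scope is genuinely required, a comment on the `roleAssignment` resource stating which operation needs it would justify the choice.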
@@ -0,0 +1,86 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ciwaf' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' + triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' + copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + osAccountType: 'Premium_LRS' + osDiskBlobUri: nestedDependencies.outputs.vhdUri + osDiskCaching: 'ReadWrite' + osType: 'Windows' + hyperVGeneration: 'V1' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zoneResilient: true + diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId + osState: 'Generalized' + diskSizeGB: 128 + tags: { + 'hidden-title': 
'This is visible in the resource name' + tagA: 'You\'re it' + tagB: 'Player' + } + } +} diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 821a6a502e..a5861c05f9 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -203,6 +204,132 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cppgwaf' + params: { + // Required parameters + name: 'cppgwaf001' + // Non-required parameters + colocationStatus: { + code: 'ColocationStatus/Aligned' + displayStatus: 'Aligned' + level: 'Info' + message: 'I\'m a default error message' + } + enableDefaultTelemetry: '' + intent: { + vmSizes: [ + 'Standard_B1ms' + 'Standard_B4ms' + ] + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + TagA: 'Would you kindly...' + TagB: 'Tags for sale' + } + type: 'Standard' + zones: [ + '1' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cppgwaf001" + }, + // Non-required parameters + "colocationStatus": { + "value": { + "code": "ColocationStatus/Aligned", + "displayStatus": "Aligned", + "level": "Info", + "message": "I\"m a default error message" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "intent": { + "value": { + "vmSizes": [ + "Standard_B1ms", + "Standard_B4ms" + ] + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "TagA": "Would you kindly...", + "TagB": "Tags for sale" + } + }, + "type": { + "value": "Standard" + }, + "zones": { + "value": [ + "1" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d58853a01e --- /dev/null +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,88 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cppgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zones: [ + '1' + ] + type: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + TagA: 'Would you kindly...' + TagB: 'Tags for sale' + } + colocationStatus: { + code: 'ColocationStatus/Aligned' + displayStatus: 'Aligned' + level: 'Info' + message: 'I\'m a default error message' + } + intent: { + vmSizes: [ + 'Standard_B1ms' + 'Standard_B4ms' + ] + } + } +} diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index fcc48b1abe..096bdf0a7f 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -133,6 +134,58 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = {
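Review bot: The `colocationStatus.message` value `'I\'m a default error message'` is carried into the generated README, where the JSON parameter-file variant renders it as `"I\"m a default error message"` (see the proximity-placement-group README hunk above); in JSON `\"` is an escaped double quote, so the documented value no longer matches the Bicep one. That looks like an escaping issue in the readme generator rather than a defect of this test, but the simplest way to avoid publishing a misleading example is to drop the apostrophe from the test value, e.g. `message: 'Default error message'`, or to fix the `\'` translation in the generator.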

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cspkwaf' + params: { + // Required parameters + name: 'sshkey-cspkwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + publicKey: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sshkey-cspkwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "publicKey": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..13a584595b --- /dev/null +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,61 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Optional. Name of the Deployment Script that creates the SSH Public Key.') +param generateSshPubKeyScriptName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. Name of the temporary SSH Public Key to create for test.') +param sshKeyName string + +@description('Optional. Do not provide a value. Used to force the deployment script to rerun on every redeployment.') +param utcValue string = utcNow() + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +// required for the deployment script to create a new temporary ssh public key object +resource msi_ContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, 'ManagedIdentityContributor', '[[namePrefix]]') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +resource createPubKeyScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: generateSshPubKeyScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ResourceGroupName ${resourceGroup().name} -SSHKeyName ${sshKeyName}' + scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1') + cleanupPreference: 'OnExpiration' + forceUpdateTag: utcValue + } + dependsOn: [ + msi_ContributorRoleAssignment + ] +} + +@description('The public key to be added to the SSH Public 
Key resource.') +output publicKey string = createPubKeyScript.properties.outputs.publicKey + +@description('The resource ID of the managed Identity') +output managedIdentityId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e432ba94de --- /dev/null +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep 
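Review bot: `generateSshPubKeyScriptName` is described as `Optional.` but declares no default, so every caller must supply it; the description should read `@description('Required. Name of the Deployment Script that creates the SSH Public Key.')` to match the declaration and the convention used by the other parameters in this file. The `msi_ContributorRoleAssignment` name seeds `guid()` with the literal `'[[namePrefix]]'` token; if token replacement is only applied to main.test.bicep, that is a constant string here — harmless for uniqueness within the resource group but misleading, and `guid(resourceGroup().id, 'ManagedIdentityContributor', managedIdentityName)` would state the intent directly. Contributor on the resource group is also more than creating and generating a key pair for one `sshPublicKeys` resource needs; if a narrower built-in or custom role is acceptable for the test, it keeps the dependency least-privilege, and the existing comment should then name the specific permissions required.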
@@ -0,0 +1,60 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +@maxLength(7) +param serviceShort string = 'cspkwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + generateSshPubKeyScriptName: 'dep-${namePrefix}-ds-${serviceShort}-generateSshPubKey' + sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-sshkey-${serviceShort}001' + publicKey: 
nestedDependencies.outputs.publicKey + } +} diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md index 44cad18b76..748abdf07f 100644 --- a/modules/consumption/budget/README.md +++ b/modules/consumption/budget/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -163,6 +164,82 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module budget 'br:bicep/modules/consumption.budget:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-cbwaf' + params: { + // Required parameters + amount: 500 + name: 'cbwaf001' + // Non-required parameters + contactEmails: [ + 'dummy@contoso.com' + ] + enableDefaultTelemetry: '' + thresholds: [ + 50 + 75 + 90 + 100 + 110 + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "amount": { + "value": 500 + }, + "name": { + "value": "cbwaf001" + }, + // Non-required parameters + "contactEmails": { + "value": [ + "dummy@contoso.com" + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "thresholds": { + "value": [ + 50, + 75, + 90, + 100, + 110 + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ec51e97926 --- /dev/null +++ b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,40 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cbwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + amount: 500 + contactEmails: [ + 'dummy@contoso.com' + ] + thresholds: [ + 50 + 75 + 90 + 100 + 110 + ] + } +} diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 7918b1c8a2..447234e1d2 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Private](#example-4-private) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ 
@@ -783,6 +784,206 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cicgwaf' + params: { + // Required parameters + containers: [ + { + name: 'az-aci-x-001' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: 'az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + name: 'cicgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddressPorts: [ + { + port: 80 + protocol: 'Tcp' + } + { + port: 443 + protocol: 'Tcp' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "name": "az-aci-x-001", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "80", + "protocol": "Tcp" + }, + { + "port": "443", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + }, + { + "name": "az-aci-x-002", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "8080", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + } + ] + }, + "name": { + "value": "cicgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddressPorts": { + "value": [ + { + "port": 80, + "protocol": "Tcp" + }, + { + "port": 443, + "protocol": "Tcp" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..66dc10c2f2 --- /dev/null +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created managed identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..389ed3cfc7 --- /dev/null +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,127 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cicgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + containers: [ + { + name: '${namePrefix}-az-aci-x-001' + properties: { + command: [] + 
environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: '${namePrefix}-az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + ipAddressPorts: [ + { + protocol: 'Tcp' + port: 80 + } + { + protocol: 'Tcp' + port: 443 + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 940cac8fae..ecb4f44dc9 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -36,6 +36,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -519,6 +520,262 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {
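Review bot: The container `ports` entries use string values (`port: '80'`, `port: '443'`, `port: '8080'`) while the sibling `ipAddressPorts` entries use integers (`port: 80`); the Container Instances `port` property is an integer, so the string form appears to rely on ARM coercion and it also produces the mixed `"port": "80"` / `"port": 80` representation in the generated README. Changing the three entries to `port: 80`, `port: 443` and `port: 8080` makes the example self-consistent. The test also leaves the group's IP address type at the module default; if that default is a public IP, the WAF-aligned example publishes ports 80 and 443 on the internet, which is worth either stating in a comment or setting explicitly.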

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crrwaf' + params: { + // Required parameters + name: 'crrwaf001' + // Non-required parameters + acrAdminUserEnabled: false + acrSku: 'Premium' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + exportPolicyStatus: 'enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'registry' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: '' + name: '' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + softDeletePolicyDays: 7 + softDeletePolicyStatus: 'disabled' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + trustPolicyStatus: 'enabled' + webhooks: [ + { + name: 'acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crrwaf001" + }, + // Non-required parameters + "acrAdminUserEnabled": { + "value": false + }, + "acrSku": { + "value": "Premium" + }, + "azureADAuthenticationAsArmPolicyStatus": { + "value": "enabled" + }, + "cacheRules": { + "value": [ + { + "name": "customRule", + "sourceRepository": "docker.io/library/hello-world", + "targetRepository": "cached-docker-hub/hello-world" + }, + { + "sourceRepository": "docker.io/library/hello-world" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "exportPolicyStatus": { + "value": "enabled" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "networkRuleSetIpRules": { + "value": [ + { + "action": "Allow", + "value": "40.74.28.0/23" + } + ] + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "registry", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "quarantinePolicyStatus": { + "value": "enabled" + }, + "replications": { + "value": [ + { + "location": "", + "name": "" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "softDeletePolicyDays": { + "value": 7 + }, + 
"softDeletePolicyStatus": { + "value": "disabled" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "trustPolicyStatus": { + "value": "enabled" + }, + "webhooks": { + "value": [ + { + "name": "acrx001webhook", + "serviceUri": "https://www.contoso.com/webhook" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4e89a810a0 --- /dev/null +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,99 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Deployment Script to create to get the paired region name.') +param pairedRegionScriptName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink${environment().suffixes.acrLoginServer}' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment') + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader + principalType: 'ServicePrincipal' + } +} + +resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: pairedRegionScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 
'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-Location \\"${location}\\"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1') + } + dependsOn: [ + roleAssignment + ] +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The name of the paired region.') +output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c2373864c7 --- /dev/null +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep 
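Review bot: The `roleAssignment` resource grants the deployment-script identity Reader over the whole resource group (no `scope:` is set, so it lands on the deployment's resource group) without saying what the script needs it for. If `Get-PairedRegion.ps1` (pulled in via `loadTextContent`, outside this hunk) enumerates subscription locations, a resource-group-scoped Reader does not cover `Microsoft.Resources/subscriptions/locations/read` at subscription scope — confirm against the script before relying on the `dependsOn`. Whichever scope turns out to be required, keep it to the minimum and document it above the `name:` line, e.g. `// Reader is the least privilege Get-PairedRegion.ps1 needs; keep scope in sync with the script`.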
@@ -0,0 +1,160 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crrwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, 
location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + acrAdminUserEnabled: false + acrSku: 'Premium' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + exportPolicyStatus: 'enabled' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + softDeletePolicyStatus: 'disabled' + softDeletePolicyDays: 7 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + service: 'registry' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: nestedDependencies.outputs.pairedRegionName + name: nestedDependencies.outputs.pairedRegionName + } + ] + 
roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + trustPolicyStatus: 'enabled' + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + webhooks: [ + { + name: '${namePrefix}acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 4df25ff5d9..371644a9d8 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -35,6 +35,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -330,6 +331,252 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
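Review bot: For an instance that the generated README publishes as the WAF-aligned example, two settings still leave the registry more open than the label suggests: `networkRuleSetIpRules` allow-lists the public range `40.74.28.0/23` next to the private endpoint, and `softDeletePolicyStatus: 'disabled'` switches off the recovery control the reliability pillar asks for. If the module exposes a `publicNetworkAccess` parameter, set it to `'Disabled'` explicitly and drop the IP rule so the example does not hinge on an implicit default; set `softDeletePolicyStatus: 'enabled'` unless it is off for test cleanup, in which case say so in a comment. The comment above `nestedDependencies` (`// Adding base time to make the name unique as purge protection must be enabled …`) was carried over from a Key Vault test — nothing here uses a base time or purge protection — and should be removed or rewritten.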

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dffwaf' + params: { + // Required parameters + name: 'dffwaf001' + // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + managedPrivateEndpoints: [ + { + fqdns: [ + '' + ] + groupId: 'blob' + name: '' + privateLinkResourceId: '' + } + ] + managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + application: 'CARML' + 'hidden-title': 'This is visible in the resource name' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dffwaf001" + }, + // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gitConfigureLater": { + "value": true + }, + "globalParameters": { + "value": { + "testParameter1": { + "type": "String", + "value": "testValue1" + } + } + }, + "integrationRuntimes": { + "value": [ + { + "managedVirtualNetworkName": "default", + "name": "AutoResolveIntegrationRuntime", + "type": "Managed", + "typeProperties": { + "computeProperties": { + "location": "AutoResolve" + } + } + }, + { + "name": "TestRuntime", + "type": "SelfHosted" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managedPrivateEndpoints": { + "value": [ + { + "fqdns": [ + "" + ], + "groupId": "blob", + "name": "", + "privateLinkResourceId": "" + } + ] + }, + "managedVirtualNetworkName": { + "value": "default" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "application": "CARML", + "hidden-title": "This is visible in the resource name" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { 
+ "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a6ab43ad7a --- /dev/null +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,135 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.datafactory.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetworkName}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment') + scope: keyVault::key + 
properties: { + principalId: managedIdentity.properties.principalId + // Key Vault Crypto User + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') + principalType: 'ServicePrincipal' + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The URL of the created Key Vault.') +output keyVaultUrl string = keyVault.properties.vaultUri + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyName string = keyVault::key.name + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created Storage Account.') +output storageAccountName string = storageAccount.name + +@description('The Blob Endpoint of the created Storage Account.') +output storageAccountBlobEndpoint string = storageAccount.properties.primaryEndpoints.blob 
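Review bot: The dependency Key Vault sets `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` to `true`, none of which a Data Factory customer-managed key needs — the factory authenticates with the user-assigned identity that `keyPermissions` grants Key Vault Crypto User on the key. Each flag lets an extra Azure service path (VM deployment, disk encryption, Resource Manager) read from the vault, so for a vault whose only content is the CMK they should be removed (they default to `false`). `enablePurgeProtection: null` is presumably deliberate so the test resource group can be torn down, but Data Factory's CMK guidance asks for soft delete and purge protection on the vault — confirm the deployment does not depend on it, and add `// purge protection intentionally off so the test vault can be removed` so the WAF-aligned label is not read as endorsing it.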
diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8c332672b1 --- /dev/null +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,161 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dffwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedPrivateEndpoints: [ + { + fqdns: [ + nestedDependencies.outputs.storageAccountBlobEndpoint + ] + groupId: 'blob' + name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' + privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] 
+ managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + application: 'CARML' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 200b51d6bc..a7771b8b43 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -303,6 +304,230 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = {
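Review bot: The managed private endpoint's `fqdns` entry is `nestedDependencies.outputs.storageAccountBlobEndpoint`, which the dependency file fills from `storageAccount.properties.primaryEndpoints.blob` — a full URL (`https://<name>.blob.core.windows.net/`) rather than the host name the property name implies. If Data Factory accepts the URL form it does so by leniency; consider emitting the host (for example `'${storageAccountName}.blob.${environment().suffixes.storage}'`) from the dependency file — confirm against what the module forwards to the resource. Separately, this instance combines `privateEndpoints` with a managed virtual network but never states public network access; if the module exposes a `publicNetworkAccess` parameter, set it to `'Disabled'` explicitly so the generated WAF-aligned README example does not depend on an implicit default.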

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dpbvwaf' + params: { + // Required parameters + name: 'dpbvwaf001' + // Non-required parameters + azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dpbvwaf001" + }, + // Non-required parameters + "azureMonitorAlertSettingsAlertsForAllJobFailures": { + "value": "Disabled" + }, + "backupPolicies": { + "value": [ + { + "name": "DefaultPolicy", + "properties": { + "datasourceTypes": [ + "Microsoft.Compute/disks" + ], + "objectType": "BackupPolicy", + "policyRules": [ + { + "backupParameters": { + "backupType": "Incremental", + "objectType": "AzureBackupParams" + }, + "dataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + }, + "name": "BackupDaily", + "objectType": "AzureBackupRule", + "trigger": { + "objectType": "ScheduleBasedTriggerContext", + "schedule": { + "repeatingTimeIntervals": [ + "R/2022-05-31T23:30:00+01:00/P1D" + ], + "timeZone": "W. Europe Standard Time" + }, + "taggingCriteria": [ + { + "isDefault": true, + "taggingPriority": 99, + "tagInfo": { + "id": "Default_", + "tagName": "Default" + } + } + ] + } + }, + { + "isDefault": true, + "lifecycles": [ + { + "deleteAfter": { + "duration": "P7D", + "objectType": "AbsoluteDeleteOption" + }, + "sourceDataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + }, + "targetDataStoreCopySettings": [] + } + ], + "name": "Default", + "objectType": "AzureRetentionRule" + } + ] + } + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + 
"Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0f0755a6f4 --- /dev/null +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ef8e13b397 --- /dev/null +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,138 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dpbvwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + 
azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + managedIdentities: { + systemAssigned: true + } + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index ad53643158..cc8cb19003 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ 
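Review bot: `azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled'` turns off the vault's built-in job-failure alerting, which contradicts the operational-excellence guidance this instance is labelled with, and the generated README publishes it as the recommended WAF-aligned configuration. Unless the alerts are disabled for a test-specific reason (then say so in a comment), change it to `azureMonitorAlertSettingsAlertsForAllJobFailures: 'Enabled'`. The retention rule also deletes operational-store backups after `P7D` with no vault-store copy (`targetDataStoreCopySettings: []`); that may be fine for a smoke test, but a comment to that effect would stop it being copied as a resilience baseline.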
@@ -181,6 +182,110 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dacwaf' + params: { + // Required parameters + name: 'dacwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dacwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b20bc53e8f --- /dev/null +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e61783c03c --- /dev/null +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,79 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dacwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + 
nestedDependencies.outputs.managedIdentityResourceId + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + location: resourceGroup.location + } +} diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 512cd9bc26..fcb2e26a86 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -327,6 +328,252 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dwwaf' + params: { + // Required parameters + name: 'dwwaf001' + // Non-required parameters + amlWorkspaceResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + } + customerManagedKeyManagedDisk: { + keyName: '' + keyVaultResourceId: '' + rotationToLatestKeyVersionEnabled: true + } + customPrivateSubnetName: '' + customPublicSubnetName: '' + customVirtualNetworkResourceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'jobs' + } + { + category: 'notebook' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disablePublicIp: true + enableDefaultTelemetry: '' + loadBalancerBackendPoolName: '' + loadBalancerResourceId: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedResourceGroupResourceId: '' + natGatewayName: 'nat-gateway' + prepareEncryption: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + publicIpName: 'nat-gw-public-ip' + publicNetworkAccess: 'Disabled' + requiredNsgRules: 'NoAzureDatabricksRules' + requireInfrastructureEncryption: true + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'premium' + storageAccountName: 'sadwwaf001' + storageAccountSkuName: 'Standard_ZRS' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vnetAddressPrefix: '10.100' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dwwaf001" + }, + // Non-required parameters + "amlWorkspaceResourceId": { + "value": "" + }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "" + } + }, + "customerManagedKeyManagedDisk": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "rotationToLatestKeyVersionEnabled": true + } + }, + "customPrivateSubnetName": { + "value": "" + }, + "customPublicSubnetName": { + "value": "" + }, + "customVirtualNetworkResourceId": { + "value": "" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "jobs" + }, + { + "category": "notebook" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disablePublicIp": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "loadBalancerBackendPoolName": { + "value": "" + }, + "loadBalancerResourceId": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedResourceGroupResourceId": { + "value": "" + }, + "natGatewayName": { + "value": "nat-gateway" + }, + "prepareEncryption": { + "value": true + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicIpName": { + "value": "nat-gw-public-ip" + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "requiredNsgRules": { + "value": "NoAzureDatabricksRules" + }, + "requireInfrastructureEncryption": { + "value": true + }, + "roleAssignments": { + "value": [ + { + 
"principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "premium" + }, + "storageAccountName": { + "value": "sadwwaf001" + }, + "storageAccountSkuName": { + "value": "Standard_ZRS" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vnetAddressPrefix": { + "value": "10.100" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4c074d6ae8 --- /dev/null +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,368 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Key Vault for Disk Encryption to create.') +param keyVaultDiskName string + +@description('Required. The name of the Azure Machine Learning Workspace to create.') +param amlWorkspaceName string + +@description('Required. The name of the Load Balancer to create.') +param loadBalancerName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Application Insights Instanec to create.') +param applicationInsightsName string + +@description('Required. 
The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyVaultDisk 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultDiskName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKeyDisk' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') + scope: keyVault::key + properties: { + principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35' // AzureDatabricks Enterprise Application Object Id + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +resource amlPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + 
name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-Key-Vault-Contributor') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalType: 'ServicePrincipal' + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_ZRS' + } + kind: 'StorageV2' + properties: {} +} + +resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { + name: applicationInsightsName + location: location + kind: 'web' + properties: { + Application_Type: 'web' + } +} + +resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = { + name: amlWorkspaceName + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + storageAccount: storageAccount.id + keyVault: keyVault.id + applicationInsights: applicationInsights.id + primaryUserAssignedIdentity: managedIdentity.id + } +} + +resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { + name: loadBalancerName + location: location + properties: { + backendAddressPools: [ + { + name: 'default' + } + ] + frontendIPConfigurations: [ + { + name: 'privateIPConfig1' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } +} + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: { + securityRules: [ + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound' + properties: { + description: 'Required for worker nodes communication within a cluster.' 
+ protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'VirtualNetwork' + access: 'Allow' + priority: 100 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp' + properties: { + description: 'Required for workers communication with Databricks Webapp.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'AzureDatabricks' + access: 'Allow' + priority: 100 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql' + properties: { + description: 'Required for workers communication with Azure SQL services.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '3306' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'Sql' + access: 'Allow' + priority: 101 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage' + properties: { + description: 'Required for workers communication with Azure Storage services.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'Storage' + access: 'Allow' + priority: 102 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound' + properties: { + description: 'Required for worker nodes communication within a cluster.' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'VirtualNetwork' + access: 'Allow' + priority: 103 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub' + properties: { + description: 'Required for worker communication with Azure Eventhub services.' 
+ protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '9093' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'EventHub' + access: 'Allow' + priority: 104 + direction: 'Outbound' + } + } + ] + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 0) + } + } + { + name: 'custom-public-subnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 1) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'databricksDelegation' + properties: { + serviceName: 'Microsoft.Databricks/workspaces' + } + } + ] + } + } + { + name: 'custom-private-subnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 2) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'databricksDelegation' + properties: { + serviceName: 'Microsoft.Databricks/workspaces' + } + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azuredatabricks.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Default Subnet.') +output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The name of the created Virtual Network Public Subnet.') +output customPublicSubnetName string = virtualNetwork.properties.subnets[1].name + +@description('The name of the created Virtual Network Private Subnet.') +output customPrivateSubnetName string = 
virtualNetwork.properties.subnets[2].name + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Azure Machine Learning Workspace.') +output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The resource ID of the created Disk Key Vault.') +output keyVaultDiskResourceId string = keyVaultDisk.id + +@description('The resource ID of the created Load Balancer.') +output loadBalancerResourceId string = loadBalancer.id + +@description('The name of the created Load Balancer Backend Pool.') +output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddressPools[0].name + +@description('The name of the created Key Vault encryption key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault Disk encryption key.') +output keyVaultDiskKeyName string = keyVaultDisk::key.name + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..4f74e4d560 --- /dev/null +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep 
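Review bot: The `keyPermissions` role assignment hard-codes `principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35'`, which the comment identifies as the object ID of the AzureDatabricks enterprise application; a service principal's object ID is specific to the tenant it was created in, so this assignment will fail or bind an unintended principal when the test runs in another tenant, which the `[[namePrefix]]` token suggests is expected. Make it an input instead: `@description('Required. The object ID of the AzureDatabricks enterprise application (service principal) in the target tenant.')` / `param databricksServicePrincipalObjectId string` and reference it in the assignment. In `amlPermissions` the guid seed says `Key-Vault-Contributor` while the role definition resolves to the built-in Contributor role according to its own comment; pick the least role the AML workspace actually needs on the vault and make the name match the role. The `// Required by batch account` comments on both `enablePurgeProtection: true` lines look copied from another module and should state the actual reason (customer-managed keys for the workspace), and `Instanec` in the `applicationInsightsName` description is a typo.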
@@ -0,0 +1,156 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dwwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' + applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: 
'${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + logCategoriesAndGroups: [ + { + category: 'jobs' + } + { + category: 'notebook' + + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + } + customerManagedKeyManagedDisk: { + keyName: nestedDependencies.outputs.keyVaultDiskKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId + rotationToLatestKeyVersionEnabled: true + } + storageAccountName: 'sa${namePrefix}${serviceShort}001' + storageAccountSkuName: 'Standard_ZRS' + publicIpName: 'nat-gw-public-ip' + natGatewayName: 'nat-gateway' + prepareEncryption: true + requiredNsgRules: 'NoAzureDatabricksRules' + skuName: 'premium' + amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId + customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName + customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName + publicNetworkAccess: 'Disabled' + disablePublicIp: true + loadBalancerResourceId: 
nestedDependencies.outputs.loadBalancerResourceId + loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName + customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' + requireInfrastructureEncryption: true + vnetAddressPrefix: '10.100' + location: resourceGroup.location + } +} diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 83aa677d85..22947a3ef1 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -251,6 +252,170 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro
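Review bot: In `diagnosticSettings[0].logCategoriesAndGroups` the second entry is written as `{ category: 'notebook'` followed by an empty line before the closing `}`, while the sibling entry and every other object literal in the file are compact; drop the stray blank line. The `keyVaultName` and `keyVaultDiskName` values embed `substring(uniqueString(baseTime), 0, 3)`, so every pipeline run creates a fresh purge-protected vault and the previous one remains soft-deleted and cannot be purged before its retention expires; the inline comment explains why the suffix exists, but presumably a cleanup step elsewhere handles the accumulation — worth confirming. A short comment next to `managedResourceGroupResourceId` noting that the `rg-…-managed` group is created by the service rather than by this template would also help readers of the example.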

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvagwaf' + params: { + // Required parameters + applicationGroupType: 'RemoteApp' + hostpoolName: '' + name: 'dvagwaf001' + // Non-required parameters + applications: [ + { + commandLineArguments: '' + commandLineSetting: 'DoNotAllow' + description: 'Notepad by ARM template' + filePath: 'C:\\Windows\\System32\\notepad.exe' + friendlyName: 'Notepad' + iconIndex: 0 + iconPath: 'C:\\Windows\\System32\\notepad.exe' + name: 'notepad' + showInPortal: true + } + { + filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' + friendlyName: 'Wordpad' + name: 'wordpad' + } + ] + description: 'This is my first Remote Applications bundle' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'Remote Applications 1' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "applicationGroupType": { + "value": "RemoteApp" + }, + "hostpoolName": { + "value": "" + }, + "name": { + "value": "dvagwaf001" + }, + // Non-required parameters + "applications": { + "value": [ + { + "commandLineArguments": "", + "commandLineSetting": "DoNotAllow", + "description": "Notepad by ARM template", + "filePath": "C:\\Windows\\System32\\notepad.exe", + "friendlyName": "Notepad", + "iconIndex": 0, + "iconPath": "C:\\Windows\\System32\\notepad.exe", + "name": "notepad", + "showInPortal": true + }, + { + "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", + "friendlyName": "Wordpad", + "name": "wordpad" + } + ] + }, + "description": { + "value": "This is my first Remote Applications bundle" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "Remote Applications 1" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..41ca94022b --- /dev/null +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,29 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Host Pool to create.') +param hostPoolName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { + name: hostPoolName + location: location + properties: { + hostPoolType: 'Pooled' + loadBalancerType: 'BreadthFirst' + preferredAppGroupType: 'Desktop' + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The name of the created Host Pool.') +output hostPoolName string = hostPool.name diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..eb507bfeaf --- /dev/null +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep 
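Review bot: The `managedIdentity` resource in the application-group `dependencies.bicep` hunk on this line uses `Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30`, whereas the access-connector dependencies file added in this same commit uses `@2023-01-31` for the identical resource; align on the newer API version so the new WAF-aligned tests stay consistent. The workspace dependencies file in this commit carries the same older version and could be updated in the same pass.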
@@ -0,0 +1,119 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvagwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ applicationGroupType: 'RemoteApp'
+ hostpoolName: nestedDependencies.outputs.hostPoolName
+ applications: [
+ {
+ commandLineArguments: ''
+ commandLineSetting: 'DoNotAllow'
+ description: 'Notepad by ARM template'
+ filePath: 'C:\\Windows\\System32\\notepad.exe'
+ friendlyName: 'Notepad'
+ iconIndex: 0
+ iconPath: 'C:\\Windows\\System32\\notepad.exe'
+ name: 'notepad'
+ showInPortal: true
+ }
+ {
+ filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe'
+ friendlyName: 'Wordpad'
+ name: 'wordpad'
+ }
+ ]
+ description: 'This is my first Remote Applications bundle'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ friendlyName: 'Remote Applications 1'
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index cc5703c6ab..37af321393 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -284,6 +285,212 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvhpwaf' + params: { + // Required parameters + name: 'dvhpwaf001' + // Non-required parameters + agentUpdate: { + maintenanceWindows: [ + { + dayOfWeek: 'Friday' + hour: 7 + } + { + dayOfWeek: 'Saturday' + hour: 8 + } + ] + maintenanceWindowTimeZone: 'Alaskan Standard Time' + type: 'Scheduled' + useSessionHostLocalTime: false + } + customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' + description: 'My first AVD Host Pool' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'AVDv2' + loadBalancerType: 'BreadthFirst' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxSessionLimit: 99999 + personalDesktopAssignmentType: 'Automatic' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + type: 'Pooled' + vmTemplate: { + customImageId: '' + domain: 'domainname.onmicrosoft.com' + galleryImageOffer: 'office-365' + galleryImagePublisher: 'microsoftwindowsdesktop' + galleryImageSKU: '20h1-evd-o365pp' + imageType: 'Gallery' + imageUri: '' + namePrefix: 'avdv2' + osDiskType: 'StandardSSD_LRS' + useManagedDisks: true + vmSize: { + cores: 2 + id: 'Standard_D2s_v3' + ram: 8 + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvhpwaf001" + }, + // Non-required parameters + "agentUpdate": { + "value": { + "maintenanceWindows": [ + { + "dayOfWeek": "Friday", + "hour": 7 + }, + { + "dayOfWeek": "Saturday", + "hour": 8 + } + ], + "maintenanceWindowTimeZone": "Alaskan Standard Time", + "type": "Scheduled", + "useSessionHostLocalTime": false + } + }, + "customRdpProperty": { + "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;" + }, + "description": { + "value": "My first AVD Host Pool" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "AVDv2" + }, + "loadBalancerType": { + "value": "BreadthFirst" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maxSessionLimit": { + "value": 99999 + }, + "personalDesktopAssignmentType": { + "value": "Automatic" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "type": { + "value": "Pooled" + }, + "vmTemplate": { + "value": { + "customImageId": "", + "domain": "domainname.onmicrosoft.com", + "galleryImageOffer": "office-365", + "galleryImagePublisher": "microsoftwindowsdesktop", + "galleryImageSKU": "20h1-evd-o365pp", + 
"imageType": "Gallery", + "imageUri": "", + "namePrefix": "avdv2", + "osDiskType": "StandardSSD_LRS", + "useManagedDisks": true, + "vmSize": { + "cores": 2, + "id": "Standard_D2s_v3", + "ram": 8 + } + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..6499c1f67f
--- /dev/null
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,135 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvhpwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ description: 'My first AVD Host Pool'
+ friendlyName: 'AVDv2'
+ type: 'Pooled'
+ loadBalancerType: 'BreadthFirst'
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ maxSessionLimit: 99999
+ personalDesktopAssignmentType: 'Automatic'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ vmTemplate: {
+ customImageId: null
+ domain: 'domainname.onmicrosoft.com'
+ galleryImageOffer: 'office-365'
+ galleryImagePublisher: 'microsoftwindowsdesktop'
+ galleryImageSKU: '20h1-evd-o365pp'
+ imageType: 'Gallery'
+ imageUri: null
+ namePrefix: 'avdv2'
+ osDiskType: 'StandardSSD_LRS'
+ useManagedDisks: true
+ vmSize: {
+ cores: 2
+ id: 'Standard_D2s_v3'
+ ram: 8
+ }
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ agentUpdate: {
+ type: 'Scheduled'
+ useSessionHostLocalTime: false
+ maintenanceWindowTimeZone: 'Alaskan Standard Time'
+ maintenanceWindows: [
+ {
+ hour: 7
+ dayOfWeek: 'Friday'
+ }
+ {
+ hour: 8
+ dayOfWeek: 'Saturday'
+ }
+ ]
+ }
+ }
+}
diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md
index 0983c6dbbc..96f2d667e4 100644
--- a/modules/desktop-virtualization/scaling-plan/README.md
+++ b/modules/desktop-virtualization/scaling-plan/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -267,6 +268,196 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0'
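Review bot: `customRdpProperty` in the testDeployment params turns on clipboard, COM-port, printer and smart-card redirection (`redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1`), which reads as a full-feature sample rather than a hardened baseline for a test labelled WAF-aligned; if the string is only there to exercise the parameter, a comment such as `// Redirections enabled to exercise the parameter, not as a hardened baseline` above that line would stop it being copied as one. `personalDesktopAssignmentType: 'Automatic'` is set alongside `type: 'Pooled'`, and as far as I know the assignment type only applies to personal host pools, so it appears to have no effect here — worth confirming or dropping. `maxSessionLimit: 99999` likewise leaves the pool effectively unbounded, which is a value a reader may not expect under this example's name.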

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvspwaf' + params: { + // Required parameters + name: 'dvspwaf001' + // Non-required parameters + description: 'My Scaling Plan Description' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'My Scaling Plan' + hostPoolType: 'Pooled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + schedules: [ + { + daysOfWeek: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + name: 'weekdays_schedule' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + offPeakStartTime: { + hour: 20 + minute: 0 + } + peakLoadBalancingAlgorithm: 'DepthFirst' + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStartTime: { + hour: 18 + minute: 0 + } + rampDownStopHostsWhen: 'ZeroSessions' + rampDownWaitTimeMinutes: 30 + rampUpCapacityThresholdPct: 60 + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpStartTime: { + hour: 7 + minute: 0 + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvspwaf001" + }, + // Non-required parameters + "description": { + "value": "My Scaling Plan Description" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "My Scaling Plan" + }, + "hostPoolType": { + "value": "Pooled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "schedules": { + "value": [ + { + "daysOfWeek": [ + "Friday", + "Monday", + "Thursday", + "Tuesday", + "Wednesday" + ], + "name": "weekdays_schedule", + "offPeakLoadBalancingAlgorithm": "DepthFirst", + "offPeakStartTime": { + "hour": 20, + "minute": 0 + }, + "peakLoadBalancingAlgorithm": "DepthFirst", + "peakStartTime": { + "hour": 9, + "minute": 0 + }, + "rampDownCapacityThresholdPct": 90, + "rampDownForceLogoffUsers": true, + "rampDownLoadBalancingAlgorithm": "DepthFirst", + "rampDownMinimumHostsPct": 10, + "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", + "rampDownStartTime": { + "hour": 18, + "minute": 0 + }, + "rampDownStopHostsWhen": "ZeroSessions", + "rampDownWaitTimeMinutes": 30, + "rampUpCapacityThresholdPct": 60, + "rampUpLoadBalancingAlgorithm": "DepthFirst", + "rampUpMinimumHostsPct": 20, + "rampUpStartTime": { + "hour": 7, + "minute": 0 + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0c02e7560e
--- /dev/null
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,133 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvspwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ hostPoolType: 'Pooled'
+ friendlyName: 'My Scaling Plan'
+ description: 'My Scaling Plan Description'
+ schedules: [ {
+ rampUpStartTime: {
+ hour: 7
+ minute: 0
+ }
+ peakStartTime: {
+ hour: 9
+ minute: 0
+ }
+ rampDownStartTime: {
+ hour: 18
+ minute: 0
+ }
+ offPeakStartTime: {
+ hour: 20
+ minute: 0
+ }
+ name: 'weekdays_schedule'
+ daysOfWeek: [
+ 'Monday'
+ 'Tuesday'
+ 'Wednesday'
+ 'Thursday'
+ 'Friday'
+ ]
+ rampUpLoadBalancingAlgorithm: 'DepthFirst'
+ rampUpMinimumHostsPct: 20
+ rampUpCapacityThresholdPct: 60
+ peakLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownLoadBalancingAlgorithm: 'DepthFirst'
+ rampDownMinimumHostsPct: 10
+ rampDownCapacityThresholdPct: 90
+ rampDownForceLogoffUsers: true
+ rampDownWaitTimeMinutes: 30
+ rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.'
+ rampDownStopHostsWhen: 'ZeroSessions'
+ offPeakLoadBalancingAlgorithm: 'DepthFirst'
+ }
+ ]
+ }
+}
diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md
index 2fab487621..641cdb7674 100644
--- a/modules/desktop-virtualization/workspace/README.md
+++ b/modules/desktop-virtualization/workspace/README.md
@@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -204,6 +205,132 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = {
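Review bot: `schedules: [ {` in the testDeployment params opens the array and its first object on one line, while every other array in this file (and in the sibling waf-aligned tests added by this commit) puts the `{` on its own line; the generated README example for this test also renders them on separate lines. Splitting it into `schedules: [` followed by `{` on the next line keeps the file consistent with the formatting the rest of the repository uses and with what the README generator emits.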

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvwwaf' + params: { + // Required parameters + name: 'dvwwaf001' + // Non-required parameters + appGroupResourceIds: [ + '' + ] + description: 'This is my first AVD Workspace' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'My first AVD Workspace' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvwwaf001" + }, + // Non-required parameters + "appGroupResourceIds": { + "value": [ + "" + ] + }, + "description": { + "value": "This is my first AVD Workspace" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "My first AVD Workspace" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8e753087b2
--- /dev/null
+++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,41 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Application Group to create.')
+param applicationGroupName string
+
+@description('Required. The name of the Host Pool to create.')
+param hostPoolName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
+ name: hostPoolName
+ location: location
+ properties: {
+ hostPoolType: 'Pooled'
+ loadBalancerType: 'BreadthFirst'
+ preferredAppGroupType: 'Desktop'
+ }
+}
+
+resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = {
+ name: applicationGroupName
+ location: location
+ properties: {
+ applicationGroupType: 'Desktop'
+ hostPoolArmPath: hostPool.id
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Application Group.')
+output applicationGroupResourceId string = applicationGroup.id
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..e6907c5ee2
--- /dev/null
+++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,103 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'dvwwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}'
+ hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ appGroupResourceIds: [
+ nestedDependencies.outputs.applicationGroupResourceId
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ location: location
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ description: 'This is my first AVD Workspace'
+ friendlyName: 'My first AVD Workspace'
+ }
+}
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index b7b777f88b..f4444676bb 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -625,6 +626,548 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtllwaf' + params: { + // Required parameters + name: 'dtllwaf001' + // Non-required parameters + announcement: { + enabled: 'Enabled' + expirationDate: '2025-12-30T13:00:00Z' + markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' + title: 'DevTest announcement title' + } + artifactsources: [ + { + branchRef: 'master' + displayName: 'Public Artifact Repo' + folderPath: '/Artifacts' + name: 'Public Repo' + sourceType: 'GitHub' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + } + { + armTemplateFolderPath: '/Environments' + branchRef: 'master' + displayName: 'Public Environment Repo' + name: 'Public Environment Repo' + sourceType: 'GitHub' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + } + ] + artifactsStorageAccount: '' + browserConnect: 'Enabled' + costs: { + cycleType: 'CalendarMonth' + status: 'Enabled' + target: 450 + thresholdValue100DisplayOnChart: 'Enabled' + thresholdValue100SendNotificationWhenExceeded: 'Enabled' + } + disableAutoUpgradeCseMinorVersion: true + enableDefaultTelemetry: '' + encryptionDiskEncryptionSetId: '' + encryptionType: 'EncryptionAtRestWithCustomerKey' + environmentPermission: 'Contributor' + extendedProperties: { + RdpConnectionType: '7' + } + isolateLabResources: 'Enabled' + labStorageType: 'Premium' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + managementIdentitiesResourceIds: [ + '' + ] + notificationchannels: [ + { + description: 'Integration configured for auto-shutdown' + emailRecipient: 'mail@contosodtlmail.com' + events: [ + { + eventName: 'AutoShutdown' + } + ] + name: 'autoShutdown' + notificationLocale: 'en' + webHookUrl: 'https://webhook.contosotest.com' + } + { + events: [ + { + eventName: 'Cost' + } + ] + name: 'costThreshold' + webHookUrl: 'https://webhook.contosotest.com' + } + ] + policies: [ + { + evaluatorType: 'MaxValuePolicy' + factData: '' + factName: 'UserOwnedLabVmCountInSubnet' + name: '' + threshold: '1' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabVmCount' + name: 'MaxVmsAllowedPerUser' + threshold: '2' + } + { + 
evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabPremiumVmCount' + name: 'MaxPremiumVmsAllowedPerUser' + status: 'Disabled' + threshold: '1' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'LabVmCount' + name: 'MaxVmsAllowedPerLab' + threshold: '3' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'LabPremiumVmCount' + name: 'MaxPremiumVmsAllowedPerLab' + threshold: '2' + } + { + evaluatorType: 'AllowedValuesPolicy' + factData: '' + factName: 'LabVmSize' + name: 'AllowedVmSizesInLab' + status: 'Enabled' + threshold: '' + } + { + evaluatorType: 'AllowedValuesPolicy' + factName: 'ScheduleEditPermission' + name: 'ScheduleEditPermission' + threshold: '' + } + { + evaluatorType: 'AllowedValuesPolicy' + factName: 'GalleryImage' + name: 'GalleryImage' + threshold: '' + } + { + description: 'Public Environment Policy' + evaluatorType: 'AllowedValuesPolicy' + factName: 'EnvironmentTemplate' + name: 'EnvironmentTemplate' + threshold: '' + } + ] + premiumDataDisks: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + schedules: [ + { + dailyRecurrence: { + time: '0000' + } + name: 'LabVmsShutdown' + notificationSettingsStatus: 'Enabled' + notificationSettingsTimeInMinutes: 30 + status: 'Enabled' + taskType: 'LabVmsShutdownTask' + timeZoneId: 'AUS Eastern Standard Time' + } + { + name: 'LabVmAutoStart' + status: 'Enabled' + taskType: 'LabVmsStartupTask' + timeZoneId: 'AUS Eastern Standard Time' + weeklyRecurrence: { + time: '0700' + weekdays: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + } + } + ] + support: { + enabled: 'Enabled' + markdown: 'DevTest Lab support text.
New line. It also supports Markdown' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + labName: 'dtllwaf001' + resourceType: 'DevTest Lab' + } + virtualnetworks: [ + { + allowedSubnets: [ + { + allowPublicIp: 'Allow' + labSubnetName: '' + resourceId: '' + } + ] + description: 'lab virtual network description' + externalProviderResourceId: '' + name: '' + subnetOverrides: [ + { + labSubnetName: '' + resourceId: '' + sharedPublicIpAddressConfiguration: { + allowedPorts: [ + { + backendPort: 3389 + transportProtocol: 'Tcp' + } + { + backendPort: 22 + transportProtocol: 'Tcp' + } + ] + } + useInVmCreationPermission: 'Allow' + usePublicIpAddressPermission: 'Allow' + } + ] + } + ] + vmCreationResourceGroupId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtllwaf001" + }, + // Non-required parameters + "announcement": { + "value": { + "enabled": "Enabled", + "expirationDate": "2025-12-30T13:00:00Z", + "markdown": "DevTest Lab announcement text.
New line. It also supports Markdown", + "title": "DevTest announcement title" + } + }, + "artifactsources": { + "value": [ + { + "branchRef": "master", + "displayName": "Public Artifact Repo", + "folderPath": "/Artifacts", + "name": "Public Repo", + "sourceType": "GitHub", + "status": "Disabled", + "uri": "https://github.com/Azure/azure-devtestlab.git" + }, + { + "armTemplateFolderPath": "/Environments", + "branchRef": "master", + "displayName": "Public Environment Repo", + "name": "Public Environment Repo", + "sourceType": "GitHub", + "status": "Disabled", + "uri": "https://github.com/Azure/azure-devtestlab.git" + } + ] + }, + "artifactsStorageAccount": { + "value": "" + }, + "browserConnect": { + "value": "Enabled" + }, + "costs": { + "value": { + "cycleType": "CalendarMonth", + "status": "Enabled", + "target": 450, + "thresholdValue100DisplayOnChart": "Enabled", + "thresholdValue100SendNotificationWhenExceeded": "Enabled" + } + }, + "disableAutoUpgradeCseMinorVersion": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionDiskEncryptionSetId": { + "value": "" + }, + "encryptionType": { + "value": "EncryptionAtRestWithCustomerKey" + }, + "environmentPermission": { + "value": "Contributor" + }, + "extendedProperties": { + "value": { + "RdpConnectionType": "7" + } + }, + "isolateLabResources": { + "value": "Enabled" + }, + "labStorageType": { + "value": "Premium" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managementIdentitiesResourceIds": { + "value": [ + "" + ] + }, + "notificationchannels": { + "value": [ + { + "description": "Integration configured for auto-shutdown", + "emailRecipient": "mail@contosodtlmail.com", + "events": [ + { + "eventName": "AutoShutdown" + } + ], + "name": "autoShutdown", + "notificationLocale": "en", + "webHookUrl": 
"https://webhook.contosotest.com" + }, + { + "events": [ + { + "eventName": "Cost" + } + ], + "name": "costThreshold", + "webHookUrl": "https://webhook.contosotest.com" + } + ] + }, + "policies": { + "value": [ + { + "evaluatorType": "MaxValuePolicy", + "factData": "", + "factName": "UserOwnedLabVmCountInSubnet", + "name": "", + "threshold": "1" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "UserOwnedLabVmCount", + "name": "MaxVmsAllowedPerUser", + "threshold": "2" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "UserOwnedLabPremiumVmCount", + "name": "MaxPremiumVmsAllowedPerUser", + "status": "Disabled", + "threshold": "1" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "LabVmCount", + "name": "MaxVmsAllowedPerLab", + "threshold": "3" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "LabPremiumVmCount", + "name": "MaxPremiumVmsAllowedPerLab", + "threshold": "2" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factData": "", + "factName": "LabVmSize", + "name": "AllowedVmSizesInLab", + "status": "Enabled", + "threshold": "" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factName": "ScheduleEditPermission", + "name": "ScheduleEditPermission", + "threshold": "" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factName": "GalleryImage", + "name": "GalleryImage", + "threshold": "" + }, + { + "description": "Public Environment Policy", + "evaluatorType": "AllowedValuesPolicy", + "factName": "EnvironmentTemplate", + "name": "EnvironmentTemplate", + "threshold": "" + } + ] + }, + "premiumDataDisks": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "schedules": { + "value": [ + { + "dailyRecurrence": { + "time": "0000" + }, + "name": "LabVmsShutdown", + "notificationSettingsStatus": "Enabled", + "notificationSettingsTimeInMinutes": 30, + "status": "Enabled", + "taskType": 
"LabVmsShutdownTask", + "timeZoneId": "AUS Eastern Standard Time" + }, + { + "name": "LabVmAutoStart", + "status": "Enabled", + "taskType": "LabVmsStartupTask", + "timeZoneId": "AUS Eastern Standard Time", + "weeklyRecurrence": { + "time": "0700", + "weekdays": [ + "Friday", + "Monday", + "Thursday", + "Tuesday", + "Wednesday" + ] + } + } + ] + }, + "support": { + "value": { + "enabled": "Enabled", + "markdown": "DevTest Lab support text.
New line. It also supports Markdown" + } + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "labName": "dtllwaf001", + "resourceType": "DevTest Lab" + } + }, + "virtualnetworks": { + "value": [ + { + "allowedSubnets": [ + { + "allowPublicIp": "Allow", + "labSubnetName": "", + "resourceId": "" + } + ], + "description": "lab virtual network description", + "externalProviderResourceId": "", + "name": "", + "subnetOverrides": [ + { + "labSubnetName": "", + "resourceId": "", + "sharedPublicIpAddressConfiguration": { + "allowedPorts": [ + { + "backendPort": 3389, + "transportProtocol": "Tcp" + }, + { + "backendPort": 22, + "transportProtocol": "Tcp" + } + ] + }, + "useInVmCreationPermission": "Allow", + "usePublicIpAddressPermission": "Allow" + } + ] + } + ] + }, + "vmCreationResourceGroupId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..10d28c8ae6
--- /dev/null
+++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,134 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Disk Encryption Set to create.') +param diskEncryptionSetName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required for encrption to work + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = { + name: diskEncryptionSetName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + activeKey: { + sourceVault: { + id: keyVault.id + } + keyUrl: keyVault::key.properties.keyUriWithVersion + } + encryptionType: 'EncryptionAtRestWithCustomerKey' + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${diskEncryptionSet.id}-KeyVault-Key-Read-RoleAssignment') + scope: keyVault + properties: { + principalId: 
diskEncryptionSet.identity.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + publicNetworkAccess: 'Disabled' + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +@description('The name of the created Virtual Network.') +output virtualNetworkName string = virtualNetwork.name + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The name of the created Virtual Network Subnet.') +output subnetName string = virtualNetwork.properties.subnets[0].name + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Disk Encryption Set.') +output diskEncryptionSetResourceId string = diskEncryptionSet.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id 
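Review bot: `keyVault` enables `enabledForDeployment`, `enabledForTemplateDeployment` and `enabledForDiskEncryption` although the only consumer in this file, `diskEncryptionSet`, is authorized through the explicit `keyPermissions` role assignment under `enableRbacAuthorization: true`; those flags let Azure platform services read vault contents beyond what the disk encryption set needs, so unless the lab itself relies on them a WAF-aligned dependency should leave them `false`. The `keyPermissions` name seed `'msi-…-KeyVault-Key-Read-RoleAssignment'` misdescribes the assignment, since the principal is the disk encryption set's system-assigned identity and the role is Crypto Service Encryption User rather than a read role; a seed such as `'des-${keyVault.id}-${diskEncryptionSet.id}-KeyVault-Crypto-Service-Encryption-User'` says what it grants. The inline comment `// Required for encrption to work` has a typo (`encryption`). For `storageAccount`, `publicNetworkAccess: 'Disabled'` and `allowBlobPublicAccess: false` are the right defaults, but a WAF-aligned example would also pin `minimumTlsVersion: 'TLS1_2'` instead of relying on the service default.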
diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..5c1f2064a6
--- /dev/null
+++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,286 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtllwaf' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'DevTest Lab' + labName: '${namePrefix}${serviceShort}001' + } + announcement: { + enabled: 'Enabled' + expirationDate: '2025-12-30T13:00:00.000Z' + markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' + title: 'DevTest announcement title' + } + environmentPermission: 'Contributor' + extendedProperties: { + RdpConnectionType: '7' + } + labStorageType: 'Premium' + artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId + premiumDataDisks: 'Enabled' + support: { + enabled: 'Enabled' + markdown: 'DevTest Lab support text.
New line. It also supports Markdown' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + managementIdentitiesResourceIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + vmCreationResourceGroupId: resourceGroup.id + browserConnect: 'Enabled' + disableAutoUpgradeCseMinorVersion: true + isolateLabResources: 'Enabled' + encryptionType: 'EncryptionAtRestWithCustomerKey' + encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId + virtualnetworks: [ + { + name: nestedDependencies.outputs.virtualNetworkName + externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId + description: 'lab virtual network description' + allowedSubnets: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + allowPublicIp: 'Allow' + } + ] + subnetOverrides: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + useInVmCreationPermission: 'Allow' + usePublicIpAddressPermission: 'Allow' + sharedPublicIpAddressConfiguration: { + allowedPorts: [ + { + transportProtocol: 'Tcp' + backendPort: 3389 + } + { + transportProtocol: 'Tcp' + backendPort: 22 + } + ] + } + } + ] + } + ] + policies: [ + { + name: nestedDependencies.outputs.subnetName + evaluatorType: 'MaxValuePolicy' + factData: nestedDependencies.outputs.subnetResourceId + factName: 'UserOwnedLabVmCountInSubnet' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabVmCount' + threshold: '2' + } + { + name: 'MaxPremiumVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabPremiumVmCount' + status: 'Disabled' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerLab' + evaluatorType: 'MaxValuePolicy' + factName: 'LabVmCount' + threshold: '3' + } + { + name: 'MaxPremiumVmsAllowedPerLab' + evaluatorType: 
'MaxValuePolicy' + factName: 'LabPremiumVmCount' + threshold: '2' + } + { + name: 'AllowedVmSizesInLab' + evaluatorType: 'AllowedValuesPolicy' + factData: '' + factName: 'LabVmSize' + threshold: ' ${string('["Basic_A0","Basic_A1"]')}' + status: 'Enabled' + } + { + name: 'ScheduleEditPermission' + evaluatorType: 'AllowedValuesPolicy' + factName: 'ScheduleEditPermission' + threshold: ' ${string('["None","Modify"]')}' + } + { + name: 'GalleryImage' + evaluatorType: 'AllowedValuesPolicy' + factName: 'GalleryImage' + threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' + } + { + name: 'EnvironmentTemplate' + description: 'Public Environment Policy' + evaluatorType: 'AllowedValuesPolicy' + factName: 'EnvironmentTemplate' + threshold: ' ${string('[""]')}' + } + ] + schedules: [ + { + name: 'LabVmsShutdown' + taskType: 'LabVmsShutdownTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + dailyRecurrence: { + time: '0000' + } + notificationSettingsStatus: 'Enabled' + notificationSettingsTimeInMinutes: 30 + } + { + name: 'LabVmAutoStart' + taskType: 'LabVmsStartupTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + weeklyRecurrence: { + time: '0700' + weekdays: [ + 'Monday' + 'Tuesday' + 'Wednesday' + 'Thursday' + 'Friday' + ] + } + } + ] + notificationchannels: [ + { + name: 'autoShutdown' + description: 'Integration configured for auto-shutdown' + events: [ + { + eventName: 'AutoShutdown' + } + ] + emailRecipient: 'mail@contosodtlmail.com' + webHookUrl: 'https://webhook.contosotest.com' + notificationLocale: 'en' + } + { + name: 'costThreshold' + events: [ + { + eventName: 'Cost' + } + ] + webHookUrl: 
'https://webhook.contosotest.com' + } + ] + artifactsources: [ + { + name: 'Public Repo' + displayName: 'Public Artifact Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + folderPath: '/Artifacts' + } + { + name: 'Public Environment Repo' + displayName: 'Public Environment Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + armTemplateFolderPath: '/Environments' + } + ] + costs: { + status: 'Enabled' + cycleType: 'CalendarMonth' + target: 450 + thresholdValue100DisplayOnChart: 'Enabled' + thresholdValue100SendNotificationWhenExceeded: 'Enabled' + } + } +} diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index bed016932f..574c196c63 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -261,6 +262,186 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
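Review bot: In `testDeployment.virtualnetworks[0]`, `allowedSubnets[0].allowPublicIp: 'Allow'` together with `subnetOverrides[0].usePublicIpAddressPermission: 'Allow'` and a `sharedPublicIpAddressConfiguration` listing ports 3389 and 22 means this WAF-aligned example permits lab VMs to obtain public IPs and exposes RDP/SSH on a shared public address; because the README on this page reproduces the example verbatim, readers will copy it as the recommended shape. Either set both permissions to `'Deny'` and drop the `allowedPorts` list, or add a comment stating why the lab scenario needs inbound RDP/SSH, e.g. `// Lab scenario only: VMs are reachable on 3389/22 through the shared public IP; use 'Deny' for both permissions outside a lab`. Separately, the `AllowedValuesPolicy` thresholds are written as `' ${string('["Basic_A0","Basic_A1"]')}'` — the leading space and the `string()` wrapper around a string literal look accidental, and `'["Basic_A0","Basic_A1"]'` is the same value without them unless the service really expects the space.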

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtdtiwaf' + params: { + // Required parameters + name: 'dtdtiwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventGridEndpoint: { + eventGridDomainId: '' + topicEndpoint: '' + } + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: '' + entityPath: '' + userAssignedIdentity: '' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + serviceBusEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: '' + entityPath: '' + userAssignedIdentity: '' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtdtiwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventGridEndpoint": { + "value": { + "eventGridDomainId": "", + "topicEndpoint": "" + } + }, + "eventHubEndpoint": { + "value": { + "authenticationType": "IdentityBased", + "endpointUri": "", + "entityPath": "", + "userAssignedIdentity": "" + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "serviceBusEndpoint": { + "value": { + "authenticationType": "IdentityBased", + "endpointUri": "", + "entityPath": "", + "userAssignedIdentity": "" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..87c0cf8a6f
--- /dev/null
+++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,162 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Event Hub Namespace to create.') +param eventHubNamespaceName string + +@description('Required. The name of the Event Hub to create.') +param eventHubName string + +@description('Required. Service Bus name') +param serviceBusName string + +@description('Required. Event Grid Domain name.') +param eventGridDomainName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.digitaltwins.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = { + name: eventHubNamespaceName + location: location + properties: { + zoneRedundant: false + isAutoInflateEnabled: false + maximumThroughputUnits: 0 + } + + resource eventHub 'eventhubs@2022-10-01-preview' = { + name: eventHubName + } +} + +resource 
serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { + name: serviceBusName + location: location + properties: { + zoneRedundant: false + } + + resource topic 'topics@2022-10-01-preview' = { + name: 'topic' + } +} + +resource eventGridDomain 'Microsoft.EventGrid/domains@2022-06-15' = { + name: eventGridDomainName + location: location + properties: { + disableLocalAuth: false + } + + resource topic 'topics@2022-06-15' = { + name: 'topic' + } +} + +resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(managedIdentity.id, 'evhrbacAssignment') + scope: eventHubNamespace + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') //Azure Event Hubs Data Sender + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(managedIdentity.id, 'sbrbacAssignment') + scope: serviceBus + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') //Azure Service Bus Data Sender + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalResourceId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The name of the Event Hub Namespace.') +output eventhubNamespaceName string = eventHubNamespace.name + +@description('The resource ID of the created Event Hub Namespace.') +output 
eventHubResourceId string = eventHubNamespace::eventHub.id + +@description('The name of the Event Hub.') +output eventhubName string = eventHubNamespace::eventHub.name + +@description('The name of the Service Bus Namespace.') +output serviceBusName string = serviceBus.name + +@description('The name of the Service Bus Topic.') +output serviceBusTopicName string = serviceBus::topic.name + +@description('The Event Grid endpoint uri.') +output eventGridEndpoint string = eventGridDomain.properties.endpoint + +@description('The resource ID of the created Event Grid Topic.') +output eventGridTopicResourceId string = eventGridDomain::topic.id + +@description('The resource ID of the created Event Grid Domain.') +output eventGridDomainResourceId string = eventGridDomain.id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..2c2f2e28ca --- /dev/null +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep 
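Review bot: `eventHubNamespace` and `serviceBus` leave SAS/local authentication enabled even though the only consumer wired up here authenticates as `managedIdentity` through the `eventHubNamespaceRbacAssignment` and `serviceBusRbacAssignment` Data Sender roles, and the digital-twins test further down this page configures both endpoints with `authenticationType: 'IdentityBased'`; for a WAF-aligned dependency both namespaces should set `disableLocalAuth: true` so key-based access is not left open. `eventGridDomain` sets `disableLocalAuth: false` explicitly — if that is because the Digital Twins Event Grid endpoint is configured with a key rather than an identity, a comment such as `// Kept enabled: the Event Grid endpoint is key-based, not identity-based` would stop a later reviewer from "fixing" it. The `Microsoft.KeyVault` service endpoint on `defaultSubnet` has no Key Vault anywhere in this file and looks like a leftover from another test. The output `managedIdentityPrincipalResourceId` returns `managedIdentity.properties.principalId`, a principal object ID rather than a resource ID, so the name misleads callers; `managedIdentityPrincipalId`, as used by the other dependency files on this page, would be consistent (its consumer in `main.test.bicep` is cut off at the end of this page, so the rename has to be applied there too).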
@@ -0,0 +1,132 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtdtiwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' + serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' + eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: 
'${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.eventhubName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + serviceBusEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.serviceBusTopicName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + eventGridEndpoint: { + eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId + topicEndpoint: nestedDependencies.outputs.eventGridEndpoint + } + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: 
diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index be9e32e179..38f46a6a77 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -335,6 +336,174 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {
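Review bot: The names handed to `nestedDependencies` (`eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01'`, `serviceBusName`, `eventGridDomainName`) and to `diagnosticDependencies` are derived only from `serviceShort`, so `namePrefix`, whose description promises "A token to inject into the name of each resource", never reaches them. Event Hubs and Service Bus namespaces and Event Grid domains are globally unique DNS labels, so two forks or pipelines running this test at the same time would contend for identical names and one deployment would fail with a name-already-taken error. The diagnostics block additionally passes the same value `'dep-${uniqueString(serviceShort)}-evh-01'` for both `eventHubNamespaceEventHubName` and `eventHubNamespaceName`, where the sibling WAF-aligned tests in this patch use distinct `-evh-` and `-evhns-` names. Aligning with those tests, e.g. `eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'` and the matching pattern for the other three, would restore both the prefix and the distinction.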

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egdwaf' + params: { + // Required parameters + name: 'egdwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'domain' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + topics: [ + 'topic-egdwaf001' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egdwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "inboundIpRules": { + "value": [ + { + "action": "Allow", + "ipMask": "40.74.28.0/23" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "domain", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "topics": { + "value": [ + "topic-egdwaf001" + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8ba0c35f61
--- /dev/null
+++ b/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,60 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.eventgrid.azure.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..bdb9c0b651
--- /dev/null
+++ b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'egdwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'domain' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + topics: [ + '${namePrefix}-topic-${serviceShort}001' + ] + } +} diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 526c04d4a7..e46107cf3b 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md 
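Review bot: `inboundIpRules` allows `40.74.28.0/23` in the same parameter set that configures `privateEndpoints`, so if the module derives public network access from the presence of inbound rules (its main.bicep is not in this view) this WAF-aligned example keeps the domain reachable from a public range in addition to the private endpoint. For a test meant to demonstrate the hardened posture, either drop the rule so access is private-only, or state the intent next to it: `// Public IP allow-list kept deliberately to exercise IP filtering alongside the private endpoint`. The same pairing appears in the event-grid/topic WAF-aligned main.test.bicep, whose hunk runs past this view, and in both modules' README examples.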
@@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -269,6 +270,188 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egstwaf' + params: { + // Required parameters + name: 'egstwaf001' + source: '' + topicType: 'Microsoft.Storage.StorageAccounts' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventSubscriptions: [ + { + destination: { + endpointType: 'StorageQueue' + properties: { + queueMessageTimeToLiveInSeconds: 86400 + queueName: '' + resourceId: '' + } + } + enableDefaultTelemetry: '' + eventDeliverySchema: 'CloudEventSchemaV1_0' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + enableAdvancedFilteringOnArrays: true + isSubjectCaseSensitive: false + } + name: 'egstwaf001' + retryPolicy: { + eventTimeToLive: '120' + maxDeliveryAttempts: 10 + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egstwaf001" + }, + "source": { + "value": "" + }, + "topicType": { + "value": "Microsoft.Storage.StorageAccounts" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventSubscriptions": { + "value": [ + { + "destination": { + "endpointType": "StorageQueue", + "properties": { + "queueMessageTimeToLiveInSeconds": 86400, + "queueName": "", + "resourceId": "" + } + }, + "enableDefaultTelemetry": "", + "eventDeliverySchema": "CloudEventSchemaV1_0", + "expirationTimeUtc": "2099-01-01T11:00:21.715Z", + "filter": { + "enableAdvancedFilteringOnArrays": true, + "isSubjectCaseSensitive": false + }, + "name": "egstwaf001", + "retryPolicy": { + "eventTimeToLive": "120", + "maxDeliveryAttempts": 10 + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..9b192272d4
--- /dev/null
+++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,42 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+@description('Required. The name of the Storage Queue to create.')
+param storageQueueName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+
+ resource queueService 'queueServices@2022-09-01' = {
+ name: 'default'
+
+ resource queue 'queues@2022-09-01' = {
+ name: storageQueueName
+ }
+ }
+}
+
+@description('The name of the created Storage Account Queue.')
+output queueName string = storageAccount::queueService::queue.name
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0ca8feb5b6
--- /dev/null
+++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
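Review bot: The dependency `storageAccount` at `Microsoft.Storage/storageAccounts@2022-05-01` declares only `sku` and `kind`, so `minimumTlsVersion`, `supportsHttpsTrafficOnly` and `allowBlobPublicAccess` are left at whatever the service defaults to for that API version instead of being pinned. This account is both the system topic `source` and the event-subscription destination in a test labelled WAF-aligned, so pinning the hardened values keeps the fixture from contradicting the posture the test is meant to demonstrate. The identical declaration appears in `modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep` later in this patch and should get the same block.
```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  // … unchanged: name, location, sku, kind …
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
  }
  // … unchanged: nested queueService / queue resources …
}
```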
@@ -0,0 +1,129 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'egstwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + storageQueueName: 'dep${namePrefix}sq${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + source: nestedDependencies.outputs.storageAccountResourceId + topicType: 'Microsoft.Storage.StorageAccounts' + eventSubscriptions: [ { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + isSubjectCaseSensitive: false + enableAdvancedFilteringOnArrays: true + } + retryPolicy: { + maxDeliveryAttempts: 10 + eventTimeToLive: '120' + } + eventDeliverySchema: 'CloudEventSchemaV1_0' + destination: { + endpointType: 'StorageQueue' + properties: { + resourceId: nestedDependencies.outputs.storageAccountResourceId + queueMessageTimeToLiveInSeconds: 86400 + queueName: nestedDependencies.outputs.queueName + } + } + } ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible 
in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 8ae1c9ebdf..a00df258c6 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -377,6 +378,216 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {
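Review bot: `eventSubscriptions: [ {` … `} ]` opens the element on the same line as the bracket, unlike every other array in this file (`diagnosticSettings`, `roleAssignments`) and the README rendering, which put `{` on its own line; the consistent form is `eventSubscriptions: [` / `{` / … / `}` / `]`. Within that element, `retryPolicy.eventTimeToLive: '120'` is a string while `maxDeliveryAttempts: 10` is a number; if the module types this parameter (its main.bicep is not in this view) the mismatch would surface at compile time, so it is worth confirming the string form is intended. The same inline array layout appears in the event-grid/topic WAF-aligned main.test.bicep, whose hunk runs past this view.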

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egtwaf' + params: { + // Required parameters + name: 'egtwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventSubscriptions: [ + { + destination: { + endpointType: 'StorageQueue' + properties: { + queueMessageTimeToLiveInSeconds: 86400 + queueName: '' + resourceId: '' + } + } + enableDefaultTelemetry: '' + eventDeliverySchema: 'CloudEventSchemaV1_0' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + enableAdvancedFilteringOnArrays: true + isSubjectCaseSensitive: false + } + name: 'egtwaf001' + retryPolicy: { + eventTimeToLive: '120' + maxDeliveryAttempts: 10 + } + } + ] + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'topic' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egtwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventSubscriptions": { + "value": [ + { + "destination": { + "endpointType": "StorageQueue", + "properties": { + "queueMessageTimeToLiveInSeconds": 86400, + "queueName": "", + "resourceId": "" + } + }, + "enableDefaultTelemetry": "", + "eventDeliverySchema": "CloudEventSchemaV1_0", + "expirationTimeUtc": "2099-01-01T11:00:21.715Z", + "filter": { + "enableAdvancedFilteringOnArrays": true, + "isSubjectCaseSensitive": false + }, + "name": "egtwaf001", + "retryPolicy": { + "eventTimeToLive": "120", + "maxDeliveryAttempts": 10 + } + } + ] + }, + "inboundIpRules": { + "value": [ + { + "action": "Allow", + "ipMask": "40.74.28.0/23" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "topic", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..448380e27d --- /dev/null +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,89 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Storage Queue to create.') +param storageQueueName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.eventgrid.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + + resource queueService 'queueServices@2022-09-01' = { + name: 'default' + + resource queue 'queues@2022-09-01' = { + name: storageQueueName + } + } +} + +@description('The name of the created Storage Account Queue.') +output queueName string = storageAccount::queueService::queue.name + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId 
string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d093b9d5b8 --- /dev/null +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,145 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'egtwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}'
+ storageQueueName: 'dep${namePrefix}sq${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ eventSubscriptions: [ {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ expirationTimeUtc: '2099-01-01T11:00:21.715Z'
+ filter: {
+ isSubjectCaseSensitive: false
+ enableAdvancedFilteringOnArrays: true
+ }
+ retryPolicy: {
+ maxDeliveryAttempts: 10
+ eventTimeToLive: '120'
+ }
+ eventDeliverySchema: 'CloudEventSchemaV1_0'
+ destination: {
+ endpointType: 'StorageQueue'
+ properties: {
+ resourceId: nestedDependencies.outputs.storageAccountResourceId
+ queueMessageTimeToLiveInSeconds: 86400
+ queueName: nestedDependencies.outputs.queueName
+ }
+ }
+ } ]
+ inboundIpRules: [
+ {
+ action: 'Allow'
+ ipMask: '40.74.28.0/23'
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ privateEndpoints: [
+ {
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ service: 'topic'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index 11384fca9e..c9fd2a30dd 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
@@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_
@@ -676,6 +677,402 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
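Review bot: `inboundIpRules` admits `40.74.28.0/23` while nothing in `params` disables public network access on the topic, so the example provisions a private endpoint and at the same time keeps the public endpoint reachable from that range; inbound IP rules only take effect while public access is enabled, so a WAF-aligned example should commit to one posture — disable public access (if the module exposes such a parameter; the event-hub WAF-aligned test in this same commit sets `publicNetworkAccess: 'Disabled'`) or keep the allow-list and state why with a comment such as `// public ingress kept to exercise the IP-filter path; VNet clients use the private endpoint`. Whichever is chosen, the meaning of the hard-coded range deserves a comment, since a reader cannot tell whether it is a placeholder or a real validation source. A point of style: `eventSubscriptions: [ {` and its matching `} ]` fold the bracket and brace onto one line, unlike every other array in this file; running the Bicep formatter would normalise it.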

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ehnwaf' + params: { + // Required parameters + name: 'ehnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + eventhubs: [ + { + name: 'az-evh-x-001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' + captureDescriptionDestinationBlobContainer: 'eventhub' + captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob' + captureDescriptionDestinationStorageAccountResourceId: '' + captureDescriptionEnabled: true + captureDescriptionEncoding: 'Avro' + captureDescriptionIntervalInSeconds: 300 + captureDescriptionSizeLimitInBytes: 314572800 + captureDescriptionSkipEmptyArchives: true + consumergroups: [ + { + name: 'custom' + userMetadata: 'customMetadata' + } + ] + messageRetentionInDays: 1 + name: 'az-evh-x-002' + partitionCount: 2 + retentionDescriptionCleanupPolicy: 'Delete' + retentionDescriptionRetentionTimeInHours: 3 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + status: 
'Active' + } + { + name: 'az-evh-x-003' + retentionDescriptionCleanupPolicy: 'Compact' + retentionDescriptionTombstoneRetentionTimeInHours: 24 + } + ] + isAutoInflateEnabled: true + kafkaEnabled: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + maximumThroughputUnits: 4 + minimumTlsVersion: '1.2' + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.10.10.10' + } + ] + trustedServiceAccessEnabled: false + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: '' + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 2 + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ehnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "SendListenAccess", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventhubs": { + "value": [ + { + "name": "az-evh-x-001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "SendListenAccess", + "rights": [ + "Listen", + "Send" + ] + } + ], + "captureDescriptionDestinationArchiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", + "captureDescriptionDestinationBlobContainer": "eventhub", + "captureDescriptionDestinationName": "EventHubArchive.AzureBlockBlob", + "captureDescriptionDestinationStorageAccountResourceId": "", + "captureDescriptionEnabled": true, + "captureDescriptionEncoding": "Avro", + "captureDescriptionIntervalInSeconds": 300, + "captureDescriptionSizeLimitInBytes": 314572800, + "captureDescriptionSkipEmptyArchives": true, + "consumergroups": [ + { + "name": "custom", + "userMetadata": "customMetadata" + } + ], + "messageRetentionInDays": 1, + "name": "az-evh-x-002", + 
"partitionCount": 2, + "retentionDescriptionCleanupPolicy": "Delete", + "retentionDescriptionRetentionTimeInHours": 3, + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "status": "Active" + }, + { + "name": "az-evh-x-003", + "retentionDescriptionCleanupPolicy": "Compact", + "retentionDescriptionTombstoneRetentionTimeInHours": 24 + } + ] + }, + "isAutoInflateEnabled": { + "value": true + }, + "kafkaEnabled": { + "value": true + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "maximumThroughputUnits": { + "value": 4 + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.10.10.10" + } + ], + "trustedServiceAccessEnabled": false, + "virtualNetworkRules": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnetResourceId": "" + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..6bc7e40df9
--- /dev/null
+++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,83 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.EventHub'
+ }
+ ]
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..53ec10b8b5
--- /dev/null
+++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,228 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'ehnwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ zoneRedundant: true
+ skuName: 'Standard'
+ skuCapacity: 2
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'SendListenAccess'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ eventhubs: [
+ {
+ name: '${namePrefix}-az-evh-x-001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+ {
+ name: '${namePrefix}-az-evh-x-002'
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'SendListenAccess'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
+ captureDescriptionDestinationBlobContainer: 'eventhub'
+ captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob'
+ captureDescriptionDestinationStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
+ captureDescriptionEnabled: true
+ captureDescriptionEncoding: 'Avro'
+ captureDescriptionIntervalInSeconds: 300
+ captureDescriptionSizeLimitInBytes: 314572800
+ captureDescriptionSkipEmptyArchives: true
+ consumergroups: [
+ {
+ name: 'custom'
+ userMetadata: 'customMetadata'
+ }
+ ]
+ messageRetentionInDays: 1
+ partitionCount: 2
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ status: 'Active'
+ retentionDescriptionCleanupPolicy: 'Delete'
+ retentionDescriptionRetentionTimeInHours: 3
+ }
+ {
+ name: '${namePrefix}-az-evh-x-003'
+ retentionDescriptionCleanupPolicy: 'Compact'
+ retentionDescriptionTombstoneRetentionTimeInHours: 24
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ ipRules: [
+ {
+ action: 'Allow'
+ ipMask: '10.10.10.10'
+ }
+ ]
+ trustedServiceAccessEnabled: false
+ virtualNetworkRules: [
+ {
+ ignoreMissingVnetServiceEndpoint: true
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ }
+ ]
+ }
+ privateEndpoints: [
+ {
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ service: 'namespace'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ kafkaEnabled: true
+ disableLocalAuth: true
+ isAutoInflateEnabled: true
+ minimumTlsVersion: '1.2'
+ maximumThroughputUnits: 4
+ publicNetworkAccess: 'Disabled'
+ }
+}
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index 794c1f2f31..5d2aacf68b 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -183,6 +184,108 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
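Review bot: `disableLocalAuth: true` (near the end of `params`) turns off SAS authentication for the namespace, yet the same block still declares `authorizationRules` with `RootManageSharedAccessKey` carrying `'Manage'` plus `SendListenAccess` at namespace level, and again on `${namePrefix}-az-evh-x-002`; those rules are inert once local auth is disabled, so either drop them from the WAF-aligned example or annotate the intent, e.g. `// authorizationRules kept only to exercise the module's rule path; inert while disableLocalAuth is true`. `ignoreMissingVnetServiceEndpoint: true` likewise silences the one check that would catch a fixture regression, even though the companion dependencies.bicep in this commit declares the `Microsoft.EventHub` service endpoint on that subnet — `false` would fail fast instead. As a point of style, the security-relevant settings are scattered (`zoneRedundant`/`skuName` at the top, `disableLocalAuth`, `minimumTlsVersion` and `publicNetworkAccess` at the very bottom after `kafkaEnabled`), which differs from the generated README ordering and makes the "aligned" choices hard to scan; grouping them under a short `// WAF: network + auth hardening` comment would help.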

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-hbhbwaf' + params: { + // Required parameters + name: 'hbhbwaf001' + sku: 'F0' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hbhbwaf001" + }, + "sku": { + "value": "F0" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..539240be2b
--- /dev/null
+++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,16 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..798f69c2f9
--- /dev/null
+++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,78 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'hbhbwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ sku: 'F0'
+ managedIdentities: {
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ }
+}
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 75580c51f9..5c58fab11a 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -373,6 +374,288 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
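Review bot: `sku: 'F0'` is one of the module's two required parameters (the generated README example for this test lists it under `// Required parameters` right after `name`), but in `testDeployment.params` it sits after `tags`, between optional settings; moving it up next to `name` keeps the test readable as required-then-optional, matching the README the generator produces from it. Beyond `lock`, `managedIdentities`, `roleAssignments` and `tags` the test sets nothing that expresses a Well-Architected recommendation for this resource type, so a reader cannot tell what "aligned" covers here; a one-line comment above `params`, e.g. `// WAF: this module exposes no network or auth hardening parameters; alignment here is lock + identity + RBAC`, would make the scope of the example explicit (assuming that is indeed the case for this module — the module source is not part of this hunk).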

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-hawwaf' + params: { + // Required parameters + name: 'hawwaf001' + // Non-required parameters + dicomservices: [ + { + corsAllowCredentials: false + corsHeaders: [ + '*' + ] + corsMaxAge: 600 + corsMethods: [ + 'GET' + ] + corsOrigins: [ + '*' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'az-dicom-x-001' + publicNetworkAccess: 'Enabled' + workspaceName: 'hawwaf001' + } + ] + enableDefaultTelemetry: '' + fhirservices: [ + { + corsAllowCredentials: false + corsHeaders: [ + '*' + ] + corsMaxAge: 600 + corsMethods: [ + 'GET' + ] + corsOrigins: [ + '*' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + importEnabled: false + initialImportMode: false + kind: 'fhir-R4' + location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'az-fhir-x-001' + publicNetworkAccess: 'Enabled' + resourceVersionPolicy: 'versioned' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' + } + ] + smartProxyEnabled: false + workspaceName: 'hawwaf001' + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + 
tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hawwaf001" + }, + // Non-required parameters + "dicomservices": { + "value": [ + { + "corsAllowCredentials": false, + "corsHeaders": [ + "*" + ], + "corsMaxAge": 600, + "corsMethods": [ + "GET" + ], + "corsOrigins": [ + "*" + ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "enableDefaultTelemetry": "", + "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "az-dicom-x-001", + "publicNetworkAccess": "Enabled", + "workspaceName": "hawwaf001" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fhirservices": { + "value": [ + { + "corsAllowCredentials": false, + "corsHeaders": [ + "*" + ], + "corsMaxAge": 600, + "corsMethods": [ + "GET" + ], + "corsOrigins": [ + "*" + ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "enableDefaultTelemetry": "", + "importEnabled": false, + "initialImportMode": false, + "kind": "fhir-R4", + "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "az-fhir-x-001", + "publicNetworkAccess": "Enabled", + "resourceVersionPolicy": "versioned", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" + } + ], + "smartProxyEnabled": false, + "workspaceName": "hawwaf001" + } + ] + 
}, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..96f9aff771
--- /dev/null
+++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,74 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Event Hub Namespace to create.') +param eventHubNamespaceName string + +@description('Required. The name of the Event Hub consumer group to create.') +param eventHubConsumerGroupName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource ehns 'Microsoft.EventHub/namespaces@2022-01-01-preview' = { + name: eventHubNamespaceName + location: location + sku: { + name: 'Standard' + tier: 'Standard' + capacity: 1 + } + properties: { + zoneRedundant: false + isAutoInflateEnabled: false + } + + resource eventhub 'eventhubs@2022-01-01-preview' = { + name: '${eventHubNamespaceName}-hub' + properties: { + messageRetentionInDays: 1 + partitionCount: 1 + } + + resource consumergroup 'consumergroups@2022-01-01-preview' = { + name: eventHubConsumerGroupName + } + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Event Hub Namespace.') +output eventHubNamespaceResourceId string = ehns.id + +@description('The name of the 
created Event Hub Namespace.') +output eventHubNamespaceName string = ehns.name + +@description('The resource ID of the created Event Hub.') +output eventHubResourceId string = ehns::eventhub.id + +@description('The name of the created Event Hub.') +output eventHubName string = ehns::eventhub.name diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bad448e7e7 --- /dev/null +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep 
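Review bot: The storage account and Event Hub namespace declared here appear to be dead resources: main.test.bicep in the next hunk reads only `nestedDependencies.outputs.managedIdentityResourceId` and `managedIdentityPrincipalId` and takes its diagnostic targets from `diagnosticDependencies`, so `storageAccount`, `ehns`, their outputs and the `storageAccountName`, `eventHubNamespaceName` and `eventHubConsumerGroupName` parameters add deployment time and an unhardened footprint to every test run without being exercised. If they are intentionally kept, the storage account should at least carry the baseline the "WAF-aligned" scenario name promises, i.e. a `properties` block with `allowBlobPublicAccess: false`, `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true`. Otherwise dropping the two resources and their parameters reduces the test's attack surface and cost.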
@@ -0,0 +1,169 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'hawwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + eventHubConsumerGroupName: '${namePrefix}-az-iomt-x-001' + eventHubNamespaceName: 'dep-${namePrefix}-ehns-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + 
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: location + publicNetworkAccess: 'Enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + fhirservices: [ + { + name: '${namePrefix}-az-fhir-x-001' + kind: 'fhir-R4' + workspaceName: '${namePrefix}${serviceShort}001' + corsOrigins: [ '*' ] + corsHeaders: [ '*' ] + corsMethods: [ 'GET' ] + corsMaxAge: 600 + corsAllowCredentials: false + location: location + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + publicNetworkAccess: 'Enabled' + resourceVersionPolicy: 'versioned' + smartProxyEnabled: false + enableDefaultTelemetry: enableDefaultTelemetry + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + importEnabled: false + initialImportMode: false + roleAssignments: [ + { + roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] 
+ dicomservices: [ + { + name: '${namePrefix}-az-dicom-x-001' + workspaceName: '${namePrefix}${serviceShort}001' + corsOrigins: [ '*' ] + corsHeaders: [ '*' ] + corsMethods: [ 'GET' ] + corsMaxAge: 600 + corsAllowCredentials: false + location: location + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + publicNetworkAccess: 'Enabled' + enableDefaultTelemetry: enableDefaultTelemetry + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index d0edf08b29..36196c3663 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -205,6 +206,128 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = {
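Review bot: Both `fhirservices[0]` and `dicomservices[0]` set `corsOrigins: [ '*' ]` together with `corsHeaders: [ '*' ]`, and the workspace and both services set `publicNetworkAccess: 'Enabled'`, which is the opposite of what a scenario named "WAF-aligned" demonstrates under the security pillar; if the test harness needs public reachability to validate the deployment, a comment such as `// public access required by the e2e harness; not a hardened baseline` above the first occurrence would stop readers from copying the example as one, and the CORS origins could be narrowed to a placeholder like `corsOrigins: [ 'https://example.com' ]`. The FHIR role assignment grants a bare GUID via `resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd')` with nothing saying which built-in role that is, while the workspace-level assignment below uses the readable `'Reader'`; a trailing comment naming the role (`// <built-in role name — TODO confirm>`) or the role's display name would make the granted permission reviewable.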

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-iagwaf' + params: { + // Required parameters + groupShortName: 'agiagwaf001' + name: 'iagwaf001' + // Non-required parameters + emailReceivers: [ + { + emailAddress: 'test.user@testcompany.com' + name: 'TestUser_-EmailAction-' + useCommonAlertSchema: true + } + { + emailAddress: 'test.user2@testcompany.com' + name: 'TestUser2' + useCommonAlertSchema: true + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + smsReceivers: [ + { + countryCode: '1' + name: 'TestUser_-SMSAction-' + phoneNumber: '2345678901' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupShortName": { + "value": "agiagwaf001" + }, + "name": { + "value": "iagwaf001" + }, + // Non-required parameters + "emailReceivers": { + "value": [ + { + "emailAddress": "test.user@testcompany.com", + "name": "TestUser_-EmailAction-", + "useCommonAlertSchema": true + }, + { + "emailAddress": "test.user2@testcompany.com", + "name": "TestUser2", + "useCommonAlertSchema": true + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "smsReceivers": { + "value": [ + { + "countryCode": "1", + "name": "TestUser_-SMSAction-", + "phoneNumber": "2345678901" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..6059b1d2fd
--- /dev/null
+++ b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,88 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'iagwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + groupShortName: 'ag${serviceShort}001' + emailReceivers: [ + { + emailAddress: 'test.user@testcompany.com' + name: 'TestUser_-EmailAction-' + useCommonAlertSchema: true + } + { + 
emailAddress: 'test.user2@testcompany.com' + name: 'TestUser2' + useCommonAlertSchema: true + } + ] + smsReceivers: [ + { + countryCode: '1' + name: 'TestUser_-SMSAction-' + phoneNumber: '2345678901' + } + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 5af0e285e5..09d6045d46 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.activity-log-alert:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -189,6 +190,168 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = {
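Review bot: `emailReceivers` and `smsReceivers` point at `test.user@testcompany.com`, `test.user2@testcompany.com` and country code `1` / `2345678901`, an address domain and a number the project does not control, and as far as I know Azure sends a confirmation notification to each receiver when an action group is created, so every e2e run delivers mail and SMS to third parties. Using a domain reserved for documentation, e.g. `emailAddress: 'test.user@example.com'`, and a number from a fictitious range, e.g. `phoneNumber: '2015550123'` (constructed sample), removes that side effect while keeping the parameter set exercised. The generated README hunk above repeats the same values and would follow from this file.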

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ialawaf' + params: { + // Required parameters + conditions: [ + { + equals: 'ServiceHealth' + field: 'category' + } + { + anyOf: [ + { + equals: 'Incident' + field: 'properties.incidentType' + } + { + equals: 'Maintenance' + field: 'properties.incidentType' + } + ] + } + { + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] + field: 'properties.impactedServices[*].ServiceName' + } + { + containsAny: [ + 'Global' + 'West Europe' + ] + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' + } + ] + name: 'ialawaf001' + // Non-required parameters + actions: [ + { + actionGroupId: '' + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopes: [ + '' + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "conditions": { + "value": [ + { + "equals": "ServiceHealth", + "field": "category" + }, + { + "anyOf": [ + { + "equals": "Incident", + "field": "properties.incidentType" + }, + { + "equals": "Maintenance", + "field": "properties.incidentType" + } + ] + }, + { + "containsAny": [ + "Action Groups", + "Activity Logs & Alerts" + ], + "field": "properties.impactedServices[*].ServiceName" + }, + { + "containsAny": [ + "Global", + "West Europe" + ], + "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName" + } + ] + }, + "name": { + "value": "ialawaf001" + }, + // Non-required parameters + "actions": { + "value": [ + { + "actionGroupId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopes": { + "value": [ + "" + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..f031089363
--- /dev/null
+++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,28 @@
+@description('Required. The name of the Action Group to create.')
+param actionGroupName string
+
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
+ name: actionGroupName
+ location: 'global'
+ properties: {
+ groupShortName: substring(replace(actionGroupName, '-', ''), 0, 11)
+ enabled: true
+ }
+}
+
+@description('The resource ID of the created Action Group.')
+output actionGroupResourceId string = actionGroup.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..e44bab24e9
--- /dev/null
+++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ialawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + conditions: [ + { + field: 'category' + equals: 'ServiceHealth' + } + { + anyOf: [ + { + field: 
'properties.incidentType' + equals: 'Incident' + } + { + field: 'properties.incidentType' + equals: 'Maintenance' + } + ] + } + { + field: 'properties.impactedServices[*].ServiceName' + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] + } + { + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' + containsAny: [ + 'West Europe' + 'Global' + ] + } + ] + actions: [ + { + actionGroupId: nestedDependencies.outputs.actionGroupResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scopes: [ + subscription().id + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 7bbf106053..d3ae5f6d37 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -191,6 +192,116 @@ module component 'br:bicep/modules/insights.component:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module component 'br:bicep/modules/insights.component:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-icwaf' + params: { + // Required parameters + name: 'icwaf001' + workspaceResourceId: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "icwaf001" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..19788dc94b
--- /dev/null
+++ b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,97 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'icwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 9713158d2b..d6ae7ac41e 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -171,6 +172,100 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-idcewaf' + params: { + // Required parameters + name: 'idcewaf001' + // Non-required parameters + enableDefaultTelemetry: '' + kind: 'Windows' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + kind: 'Windows' + resourceType: 'Data Collection Rules' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "idcewaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "kind": { + "value": "Windows" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "kind": "Windows", + "resourceType": "Data Collection Rules" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..d16e1031b1
--- /dev/null
+++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created managed identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..e587afcd6a
--- /dev/null
+++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,74 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'idcewaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ publicNetworkAccess: 'Enabled'
+ kind: 'Windows'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 
'Reader' + principalId: resourceGroupResources.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Data Collection Rules' + kind: 'Windows' + } + } +} diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index a0353d69b1..acfb26a890 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.diagnostic-setting:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -98,6 +99,78 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' =
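Review bot: `publicNetworkAccess: 'Enabled'` in the testDeployment params is hard to square with a test whose metadata promises alignment with Well-Architected best practices, where the security pillar expects public ingress to be off unless it is needed; if the module accepts it, `publicNetworkAccess: 'Disabled'` would make the example a real WAF baseline, otherwise a comment such as `// Public access left on: the endpoint is reached over the public network in this test` should say why. The deployment name `'${uniqueString(deployment().name)}-test-${serviceShort}'` drops `location` from the hash, unlike every other new test in this commit, and the dependency module is called `resourceGroupResources` with a `-paramNested` suffix where the sibling tests use `nestedDependencies`; aligning both keeps the new tests consistent.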

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-idswaf' + params: { + enableDefaultTelemetry: '' + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'idswaf001' + storageAccountResourceId: '' + workspaceResourceId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableDefaultTelemetry": { + "value": "" + }, + "eventHubAuthorizationRuleResourceId": { + "value": "" + }, + "eventHubName": { + "value": "" + }, + "metricCategories": { + "value": [ + { + "category": "AllMetrics" + } + ] + }, + "name": { + "value": "idswaf001" + }, + "storageAccountResourceId": { + "value": "" + }, + "workspaceResourceId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..7836a24eed --- /dev/null +++ b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,70 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'idswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, 
location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } +} diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index a213c126aa..2a8c4ddd54 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.metric-alert:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -151,6 +152,130 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = {
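Review bot: `module testDeployment` carries no `scope: resourceGroup` while every other new WAF-aligned test in this commit sets one; if that is deliberate because the diagnostic setting is deployed at subscription scope, a one-line comment above the module, `// Deployed at subscription scope on purpose: no scope: resourceGroup here`, would stop the next reader from "fixing" it. If it is an oversight, the module lands in the subscription rather than in the test resource group where `diagnosticDependencies` creates the storage account, workspace and event hub it is wired to.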

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-imawaf' + params: { + // Required parameters + criterias: [ + { + criterionType: 'StaticThresholdCriterion' + metricName: 'Percentage CPU' + metricNamespace: 'microsoft.compute/virtualmachines' + name: 'HighCPU' + operator: 'GreaterThan' + threshold: '90' + timeAggregation: 'Average' + } + ] + name: 'imawaf001' + // Non-required parameters + actions: [ + '' + ] + alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + targetResourceRegion: 'westeurope' + targetResourceType: 'microsoft.compute/virtualmachines' + windowSize: 'PT15M' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "criterias": { + "value": [ + { + "criterionType": "StaticThresholdCriterion", + "metricName": "Percentage CPU", + "metricNamespace": "microsoft.compute/virtualmachines", + "name": "HighCPU", + "operator": "GreaterThan", + "threshold": "90", + "timeAggregation": "Average" + } + ] + }, + "name": { + "value": "imawaf001" + }, + // Non-required parameters + "actions": { + "value": [ + "" + ] + }, + "alertCriteriaType": { + "value": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "targetResourceRegion": { + "value": "westeurope" + }, + "targetResourceType": { + "value": "microsoft.compute/virtualmachines" + }, + "windowSize": { + "value": "PT15M" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..eb23eca835
--- /dev/null
+++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,29 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Action Group to create.')
+param actionGroupName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
+ name: actionGroupName
+ location: 'global'
+
+ properties: {
+ enabled: true
+ groupShortName: substring(actionGroupName, 0, 11)
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Action Group.')
+output actionGroupResourceId string = actionGroup.id
diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..ee7bf8abbd
--- /dev/null
+++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
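Review bot: `groupShortName: substring(actionGroupName, 0, 11)` fails at deployment time whenever `actionGroupName` is shorter than 11 characters, and nothing on `param actionGroupName string` enforces that length. Either constrain the input with `@minLength(11)` on the parameter, or use `groupShortName: take(actionGroupName, 11)`, which truncates without erroring on short names; a brief `// groupShortName must stay within the service's short-name length limit` comment would also explain why 11 was chosen. The caller in main.test.bicep currently passes `'dep-${namePrefix}-ag-${serviceShort}'`, which is long enough, so the problem only surfaces when someone reuses this dependency file with a shorter name.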
@@ -0,0 +1,87 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'imawaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ criterias: [
+ {
+ criterionType: 'StaticThresholdCriterion'
+ metricName: 'Percentage CPU'
+ metricNamespace: 
'microsoft.compute/virtualmachines' + name: 'HighCPU' + operator: 'GreaterThan' + threshold: '90' + timeAggregation: 'Average' + } + ] + actions: [ + nestedDependencies.outputs.actionGroupResourceId + ] + alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + targetResourceRegion: 'westeurope' + targetResourceType: 'microsoft.compute/virtualmachines' + windowSize: 'PT15M' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 57e6b05caa..847be38edc 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -196,6 +197,123 @@ This instance deploys the module with most of its features enabled.
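Review bot: `targetResourceRegion: 'westeurope'` is hard-coded while everything else in this test follows `param location string = deployment().location`, so a run in any other region produces an alert whose target region no longer matches where the resources are created. If the module takes a plain string here, `targetResourceRegion: location` keeps the test region-independent; the managed identity and action group from `nestedDependencies` already follow the resource group's location through that file's default. `threshold: '90'` is also passed as a string for what reads as a numeric threshold; worth confirming the module's parameter type, since the README example is presumably regenerated from this file.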

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep + name: '${uniqueString(deployment().name, location)}-test-iplswaf' + params: { + // Required parameters + name: 'iplswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopedResources: [ + { + linkedResourceId: '' + name: 'scoped1' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "iplswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopedResources": { + "value": [ + { + "linkedResourceId": "", + "name": "scoped1" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..e09c9b5a0c --- /dev/null +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,71 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.monitor.azure.com'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The resource ID of the created Log Analytics 
Workspace.') +output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bda1d61e70 --- /dev/null +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep 
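Review bot: `Microsoft.OperationalInsights/workspaces@2021-12-01-preview` pulls a preview API into a dependency file, while the scheduled-query-rule dependencies added in this same commit declare the identical two-property workspace with `Microsoft.OperationalInsights/workspaces@2021-06-01`; using the stable version here as well avoids a preview contract that can change underneath the test. Separately, `addressPrefix: cidrSubnet(addressPrefix, 16, 0)` carves a /16 out of a /16, so `defaultSubnet` consumes the entire VNet address space; if that is intended for a single private-endpoint subnet a comment should say so, otherwise something like `cidrSubnet(addressPrefix, 24, 0)` leaves room for further subnets.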
@@ -0,0 +1,89 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'iplswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-la-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ scopedResources: [
+ {
+ name: 'scoped1'
+ 
linkedResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index b84ede93c0..c243ee7cbb 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.scheduled-query-rule:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -191,6 +192,170 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0'
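Review bot: The Bicep usage example that this test produces in modules/insights/private-link-scope/README.md starts directly with `name: '${uniqueString(deployment().name, location)}-test-iplswaf'` and never opens a `module … = {` block, unlike the examples generated for the other four modules in this commit, so the snippet is not valid Bicep as printed; this presumably comes from the readme generation script rather than from this test file, but it is worth re-running it on this module before merging. The scheduled-query-rule README shows a related generator artefact: the KQL in `query:` loses its commas in the Bicep variant (`by Computer InstanceName bin(TimeGenerated5m)`) while the JSON variant keeps them. Minor: `logAnalyticsWorkspaceName: 'dep-${namePrefix}-la-${serviceShort}'` uses `-la-` where the sibling tests use `-law-`.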

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-isqrwaf' + params: { + // Required parameters + criterias: { + allOf: [ + { + dimensions: [ + { + name: 'Computer' + operator: 'Include' + values: [ + '*' + ] + } + { + name: 'InstanceName' + operator: 'Include' + values: [ + '*' + ] + } + ] + metricMeasureColumn: 'AggregatedValue' + operator: 'GreaterThan' + query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer InstanceName bin(TimeGenerated5m)' + threshold: 0 + timeAggregation: 'Average' + } + ] + } + name: 'isqrwaf001' + scopes: [ + '' + ] + // Non-required parameters + alertDescription: 'My sample Alert' + autoMitigate: false + enableDefaultTelemetry: '' + evaluationFrequency: 'PT5M' + queryTimeRange: 'PT5M' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + suppressForMinutes: 'PT5M' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + windowSize: 'PT5M' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "criterias": { + "value": { + "allOf": [ + { + "dimensions": [ + { + "name": "Computer", + "operator": "Include", + "values": [ + "*" + ] + }, + { + "name": "InstanceName", + "operator": "Include", + "values": [ + "*" + ] + } + ], + "metricMeasureColumn": "AggregatedValue", + "operator": "GreaterThan", + "query": "Perf | where ObjectName == \"LogicalDisk\" | where CounterName == \"% Free Space\" | where InstanceName <> \"HarddiskVolume1\" and InstanceName <> \"_Total\" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)", + "threshold": 0, + "timeAggregation": "Average" + } + ] + } + }, + "name": { + "value": "isqrwaf001" + }, + "scopes": { + "value": [ + "" + ] + }, + // Non-required parameters + "alertDescription": { + "value": "My sample Alert" + }, + "autoMitigate": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "evaluationFrequency": { + "value": "PT5M" + }, + "queryTimeRange": { + "value": "PT5M" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "suppressForMinutes": { + "value": "PT5M" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "windowSize": { + "value": "PT5M" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..9e9a8f2510
--- /dev/null
+++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,24 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..6c924009a5
--- /dev/null
+++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'isqrwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + alertDescription: 'My sample Alert' + autoMitigate: false + criterias: { + allOf: [ + { + dimensions: [ + 
{ + name: 'Computer' + operator: 'Include' + values: [ + '*' + ] + } + { + name: 'InstanceName' + operator: 'Include' + values: [ + '*' + ] + } + ] + metricMeasureColumn: 'AggregatedValue' + operator: 'GreaterThan' + query: 'Perf | where ObjectName == "LogicalDisk" | where CounterName == "% Free Space" | where InstanceName <> "HarddiskVolume1" and InstanceName <> "_Total" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' + threshold: 0 + timeAggregation: 'Average' + } + ] + } + evaluationFrequency: 'PT5M' + queryTimeRange: 'PT5M' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scopes: [ + nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + ] + suppressForMinutes: 'PT5M' + windowSize: 'PT5M' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index 9d2e805c8a..3f532543ca 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -199,6 +200,104 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = {
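Review bot: The alert criteria in `testDeployment` fire on every evaluation: the query returns the minimum `% Free Space` per disk and the condition is `operator: 'GreaterThan'` with `threshold: 0`, which any disk with free space satisfies, so the WAF-aligned sample (and the README generated from it) teaches a permanently noisy rule. Unless the intent is only to exercise a firing alert, make the condition meaningful, e.g. `operator: 'LessThan'` and `threshold: 10`, and consider `autoMitigate: true` so the alert resolves once the condition clears. If the `max` test is deliberately mirrored here, a one-line comment saying so would stop readers from treating the threshold as a recommendation.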

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-iwtwaf' + params: { + // Required parameters + name: 'iwtwaf001' + request: { + HttpVerb: 'GET' + RequestUrl: 'https://learn.microsoft.com/en-us/' + } + tags: { + 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' + 'hidden-title': 'This is visible in the resource name' + } + webTestName: 'wt$iwtwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + locations: [ + { + Id: 'emea-nl-ams-azr' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + syntheticMonitorId: 'iwtwaf001' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "iwtwaf001" + }, + "request": { + "value": { + "HttpVerb": "GET", + "RequestUrl": "https://learn.microsoft.com/en-us/" + } + }, + "tags": { + "value": { + "hidden-link:${nestedDependencies.outputs.appInsightResourceId}": "Resource", + "hidden-title": "This is visible in the resource name" + } + }, + "webTestName": { + "value": "wt$iwtwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "locations": { + "value": [ + { + "Id": "emea-nl-ams-azr" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "syntheticMonitorId": { + "value": "iwtwaf001" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..79e003515d --- /dev/null +++ b/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,26 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Log Analytics Workspace to create.') +param appInsightName string + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { + name: logAnalyticsWorkspaceName + location: location +} + +resource appInsight 'Microsoft.Insights/components@2020-02-02' = { + name: appInsightName + location: location + kind: 'web' + properties: { + Application_Type: 'web' + WorkspaceResourceId: logAnalyticsWorkspace.id + } +} + +@description('The resource ID of the created Log Analytics Workspace.') +output appInsightResourceId string = appInsight.id diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..0fcdae082d --- /dev/null +++ b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep 
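Review bot: The `@description` on `appInsightName` and on the `appInsightResourceId` output both say "Log Analytics Workspace", copied from the neighbouring workspace declarations, so the rendered parameter docs mis-describe the Application Insights resource. Change them to `@description('Required. The name of the Application Insights instance to create.')` and `@description('The resource ID of the created Application Insights instance.')`. Separately, `appInsight` sets only `Application_Type` and `WorkspaceResourceId` and so keeps whatever the API defaults for local auth and public network access; acceptable for a throwaway dependency, but a short comment that this file is not itself WAF-aligned would prevent it being copied as one.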
@@ -0,0 +1,77 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'iwtwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + appInsightName: 'dep-${namePrefix}-appi-${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' + } + 
enableDefaultTelemetry: enableDefaultTelemetry + webTestName: 'wt${namePrefix}$${serviceShort}001' + syntheticMonitorId: '${namePrefix}${serviceShort}001' + locations: [ + { + Id: 'emea-nl-ams-azr' + } + ] + request: { + RequestUrl: 'https://learn.microsoft.com/en-us/' + HttpVerb: 'GET' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + } +} diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 2072456778..155324660e 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Accesspolicies_ @@ -775,6 +776,308 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {
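Review bot: `webTestName: 'wt${namePrefix}$${serviceShort}001'` has a stray `$` before `${serviceShort}` that Bicep emits as a literal dollar sign in the name; the README generated from this test already shows it as `wt$iwtwaf001`. If that is not deliberate, use `webTestName: 'wt${namePrefix}${serviceShort}001'` so the web test name lines up with `syntheticMonitorId` and the resource `name`. The tag key `'hidden-link:${nestedDependencies.outputs.appInsightResourceId}'` is valid Bicep, but the README generator appears to print the expression verbatim as the tag key, so a reader copying the example ends up with a meaningless tag; worth a note in the test or a fix in the generator.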

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kvvwaf' + params: { + // Required parameters + name: 'kvvwaf002' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enablePurgeProtection: false + enableRbacAuthorization: true + keys: [ + { + attributesExp: 1725109032 + attributesNbf: 10000 + name: 'keyName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + rotationPolicy: { + attributes: { + expiryTime: 'P2Y' + } + lifetimeActions: [ + { + action: { + type: 'Rotate' + } + trigger: { + timeBeforeExpiry: 'P2M' + } + } + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P30D' + } + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'vault' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + secrets: { + secureList: [ + { + attributesExp: 1702648632 + attributesNbf: 10000 + contentType: 'Something' + name: 'secretName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + value: 'secretValue' + } + ] + } + 
softDeleteRetentionInDays: 7 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "kvvwaf002" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "enableRbacAuthorization": { + "value": true + }, + "keys": { + "value": [ + { + "attributesExp": 1725109032, + "attributesNbf": 10000, + "name": "keyName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "rotationPolicy": { + "attributes": { + "expiryTime": "P2Y" + }, + "lifetimeActions": [ + { + "action": { + "type": "Rotate" + }, + "trigger": { + "timeBeforeExpiry": "P2M" + } + }, + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P30D" + } + } + ] + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "vault", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "secrets": { + "value": { + 
"secureList": [ + { + "attributesExp": 1702648632, + "attributesNbf": 10000, + "contentType": "Something", + "name": "secretName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "value": "secretValue" + } + ] + } + }, + "softDeleteRetentionInDays": { + "value": 7 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..6c3754d07f --- /dev/null +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,65 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.vaultcore.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..edca2e6418 --- /dev/null +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep 
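Review bot: `cidrSubnet(addressPrefix, 16, 0)` on a `/16` address space returns `10.0.0.0/16`, so `defaultSubnet` consumes the entire VNet and nothing else can ever be added to this test network; `cidrSubnet(addressPrefix, 24, 0)` is the conventional carve-out. The subnet that hosts the Key Vault service endpoint and private endpoint also has no NSG attached, which is fine for a disposable dependency but deserves a one-line comment so the file is not mistaken for a WAF-aligned network baseline.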
@@ -0,0 +1,189 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kvvwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + // Only for testing purposes + enablePurgeProtection: false + enableRbacAuthorization: true + keys: [ + { + attributesExp: 1725109032 + attributesNbf: 10000 + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + rotationPolicy: { + attributes: { + expiryTime: 'P2Y' + } + lifetimeActions: [ + { + trigger: { + timeBeforeExpiry: 'P2M' + } + action: { + type: 'Rotate' + } + } + { + trigger: { + timeBeforeExpiry: 'P30D' + } + action: { + type: 'Notify' + } + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'vault' + 
subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + secrets: { + secureList: [ + { + attributesExp: 1702648632 + attributesNbf: 10000 + contentType: 'Something' + name: 'secretName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'secretValue' + } + ] + } + softDeleteRetentionInDays: 7 + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 34c51d8bc7..9019bb4998 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -208,6 +209,120 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = {
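Review bot: `enablePurgeProtection: false` in a test labelled WAF-aligned is the value the README example is generated from, and the `// Only for testing purposes` comment is lost in that rendering (the README shows the bare `false`), so readers copy a vault that can be permanently destroyed within the soft-delete window. Either set `enablePurgeProtection: true` for this variant and accept that cleanup waits out `softDeleteRetentionInDays`, or, if CI needs purgeable vaults, state that in `metadata description`, which the generator does carry into the docs. The `diagnosticSettings` entry lists only `metricCategories`, so unless `main.bicep` defaults `logCategoriesAndGroups` to all logs (not visible here) no `AuditEvent` records reach the workspace, which is the core Key Vault audit control. The hard-coded `attributesExp` epochs (`1702648632`, `1725109032`) are fixed dates in late 2023 and 2024; once they pass, the sample creates already-expired keys and secrets, so derive them from `dateTimeToEpoch(dateTimeAdd(baseTime, 'P1Y'))` with a `param baseTime string = utcNow()`.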

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kcewaf' + params: { + // Required parameters + clusterName: '' + extensionType: 'microsoft.flux' + name: 'kcewaf001' + // Non-required parameters + configurationSettings: { + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'false' + 'source-controller.enabled': 'true' + } + enableDefaultTelemetry: '' + fluxConfigurations: [ + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + namespace: 'flux-system' + } + ] + releaseNamespace: 'flux-system' + releaseTrain: 'Stable' + version: '0.5.2' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "clusterName": { + "value": "" + }, + "extensionType": { + "value": "microsoft.flux" + }, + "name": { + "value": "kcewaf001" + }, + // Non-required parameters + "configurationSettings": { + "value": { + "image-automation-controller.enabled": "false", + "image-reflector-controller.enabled": "false", + "kustomize-controller.enabled": "true", + "notification-controller.enabled": "false", + "source-controller.enabled": "true" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fluxConfigurations": { + "value": [ + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + }, + "namespace": "flux-system" + } + ] + }, + "releaseNamespace": { + "value": "flux-system" + }, + "releaseTrain": { + "value": "Stable" + }, + "version": { + "value": "0.5.2" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0169763539 --- /dev/null +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,32 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the AKS cluster to create.') +param clusterName string + +@description('Required. The name of the AKS cluster nodes resource group to create.') +param clusterNodeResourceGroupName string + +resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = { + name: clusterName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + dnsPrefix: clusterName + nodeResourceGroup: clusterNodeResourceGroupName + agentPoolProfiles: [ + { + name: 'agentpool' + count: 1 + vmSize: 'Standard_DS2_v2' + osType: 'Linux' + mode: 'System' + } + ] + } +} + +@description('The name of the created AKS cluster.') +output clusterName string = cluster.name diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bfcc8c9102 --- /dev/null +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,84 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kcewaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + clusterName: 'dep-${namePrefix}-aks-${serviceShort}' + clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + clusterName: nestedDependencies.outputs.clusterName + extensionType: 'microsoft.flux' + configurationSettings: { + 
'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'false' + 'source-controller.enabled': 'true' + } + releaseNamespace: 'flux-system' + releaseTrain: 'Stable' + version: '0.5.2' + fluxConfigurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + } + ] + } +} diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 22030b57cc..31ff175b92 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -212,6 +213,108 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu
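Review bot: The Flux source in `fluxConfigurations` tracks `branch: 'main'` of the third-party `https://github.com/mspnp/aks-baseline` repository at `scope: 'cluster'`, so whatever lands on that branch is reconciled into the cluster with no review gate; for a sample presented as best practice, pin the source with `repositoryRef: { commit: '<reviewed sha>' }` or a `tag`, and say in a comment why. `sshKnownHosts: ''` is inert with an https URL and could be dropped or commented as such. If the intent is to mirror the `max` test exactly, a comment saying so would keep readers from treating the unpinned branch as a recommendation.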

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kcfcwaf' + params: { + // Required parameters + clusterName: '' + name: 'kcfcwaf001' + namespace: 'flux-system' + sourceKind: 'GitRepository' + // Non-required parameters + enableDefaultTelemetry: '' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "clusterName": { + "value": "" + }, + "name": { + "value": "kcfcwaf001" + }, + "namespace": { + "value": "flux-system" + }, + "sourceKind": { + "value": "GitRepository" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "gitRepository": { + "value": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + } + }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0bf942bbd1 --- /dev/null +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,49 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the AKS cluster to create.') +param clusterName string + +@description('Required. The name of the AKS cluster extension to create.') +param clusterExtensionName string + +@description('Required. The name of the AKS cluster nodes resource group to create.') +param clusterNodeResourceGroupName string + +resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = { + name: clusterName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + dnsPrefix: clusterName + nodeResourceGroup: clusterNodeResourceGroupName + agentPoolProfiles: [ + { + name: 'agentpool' + count: 1 + vmSize: 'Standard_DS2_v2' + osType: 'Linux' + mode: 'System' + } + ] + } +} + +resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = { + scope: cluster + name: clusterExtensionName + properties: { + extensionType: 'microsoft.flux' + releaseTrain: 'Stable' + scope: { + cluster: { + releaseNamespace: 'flux-system' + } + } + } +} + +@description('The name of the created AKS cluster.') +output clusterName string = cluster.name diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..900a2585ff --- /dev/null +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,81 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kcfcwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + clusterName: 'dep-${namePrefix}-aks-${serviceShort}' + clusterExtensionName: '${namePrefix}${serviceShort}001' + clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + clusterName: 
nestedDependencies.outputs.clusterName + namespace: 'flux-system' + scope: 'cluster' + sourceKind: 'GitRepository' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } + } +} diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index ab3cbde145..9febb50863 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/logic.workflow:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -224,6 +225,200 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
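Review bot: The `gitRepository` block reconciles `branch: 'main'` of a repository outside this project (`https://github.com/mspnp/aks-baseline`) with `prune: true`, so each run of this WAF-aligned test applies whatever that branch currently holds, and anything merged there lands in the test cluster. For an example readers will copy, pinning the source is the supply-chain baseline: if the module's `repositoryRef` object accepts it (its shape is not visible in this hunk), `repositoryRef: { commit: '<sha>' }` or a tag instead of `branch: 'main'`. Failing that, a comment such as `// NOTE: unpinned branch; pin a commit or tag in real deployments` on the `repositoryRef` line would at least flag the choice.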

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-lwwaf' + params: { + // Required parameters + name: 'lwwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + workflowActions: { + HTTP: { + inputs: { + body: { + BeginPeakTime: '' + EndPeakTime: '' + HostPoolName: '' + LAWorkspaceName: '' + LimitSecondsToForceLogOffUser: '' + LogOffMessageBody: '' + LogOffMessageTitle: '' + MinimumNumberOfRDSH: 1 + ResourceGroupName: '' + SessionThresholdPerCPU: 1 + UtcOffset: '' + } + method: 'POST' + uri: 'https://testStringForValidation.com' + } + type: 'Http' + } + } + workflowTriggers: { + Recurrence: { + recurrence: { + frequency: 'Minute' + interval: 15 + } + type: 'Recurrence' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "lwwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "workflowActions": { + "value": { + "HTTP": { + "inputs": { + "body": { + "BeginPeakTime": "", + "EndPeakTime": "", + "HostPoolName": "", + "LAWorkspaceName": "", + "LimitSecondsToForceLogOffUser": "", + "LogOffMessageBody": "", + "LogOffMessageTitle": "", + "MinimumNumberOfRDSH": 1, + "ResourceGroupName": "", + "SessionThresholdPerCPU": 1, + "UtcOffset": "" + }, + "method": "POST", + "uri": "https://testStringForValidation.com" + }, + "type": "Http" + } + } + }, + "workflowTriggers": { + "value": { + "Recurrence": { + "recurrence": { + "frequency": "Minute", + "interval": 15 + }, + "type": "Recurrence" + } + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..0f0755a6f4
--- /dev/null
+++ b/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,16 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..d2a5747507
--- /dev/null
+++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,136 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'lwwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ managedIdentities: {
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ workflowActions: {
+ HTTP: {
+ inputs: {
+ body: {
+ BeginPeakTime: ''
+ EndPeakTime: ''
+ HostPoolName: ''
+ LAWorkspaceName: ''
+ LimitSecondsToForceLogOffUser: ''
+ LogOffMessageBody: ''
+ LogOffMessageTitle: ''
+ MinimumNumberOfRDSH: 1
+ ResourceGroupName: ''
+ SessionThresholdPerCPU: 1
+ UtcOffset: ''
+ }
+ method: 'POST'
+ uri: 'https://testStringForValidation.com'
+ }
+ type: 'Http'
+ }
+ }
+ workflowTriggers: {
+ Recurrence: {
+ recurrence: {
+ frequency: 'Minute'
+ interval: 15
+ }
+ type: 'Recurrence'
+ }
+ }
+ }
+}
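Review bot: The `workflowTriggers.Recurrence` trigger fires every 15 minutes and the `HTTP` action POSTs to `uri: 'https://testStringForValidation.com'`, a domain the project does not appear to control, so as soon as this e2e test deploys the Logic App starts sending requests to an external, uncontrolled host and keeps doing so until the test resource group is torn down. A name that cannot be registered, e.g. `uri: 'https://example.invalid'` (RFC 2606 reserved TLD), avoids that; alternatively the workflow could be deployed disabled if the module exposes a state parameter, which is not visible in this hunk. The diagnostic setting also captures only `AllMetrics`; a WAF-aligned example would normally forward workflow runtime logs too, if the module's `diagnosticSettings` object supports log categories.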
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index e40a7da849..73ef5e3ceb 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -492,6 +493,258 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mlswwaf' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswwaf001' + sku: 'Premium' + // Non-required parameters + computes: [ + { + computeLocation: 'westeurope' + computeType: 'AmlCompute' + description: 'Default CPU Cluster' + disableLocalAuth: false + location: 'westeurope' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'DefaultCPU' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } + sku: 'Basic' + } + ] + description: 'The cake is a lie.' 
+ diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + discoveryUrl: 'http://example.com' + enableDefaultTelemetry: '' + imageBuildCompute: 'testcompute' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswwaf001" + }, + "sku": { + "value": "Premium" + }, + // Non-required parameters + "computes": { + "value": [ + { + "computeLocation": "westeurope", + "computeType": "AmlCompute", + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "location": "westeurope", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "DefaultCPU", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" + }, + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + }, + "sku": "Basic" + } + ] + }, + "description": { + "value": "The cake is a lie." 
+ }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "discoveryUrl": { + "value": "http://example.com" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageBuildCompute": { + "value": "testcompute" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentity": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4f7b46494d --- /dev/null +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,134 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Application Insights instance to create.')
+param applicationInsightsName string
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource keyVaultServicePermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Contributor-RoleAssignment')
+ scope: keyVault
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
+ principalType: 'ServicePrincipal'
+ }
+}
+resource keyVaultDataPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Data-Admin-RoleAssignment')
+ scope: keyVault
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
+ name: applicationInsightsName
+ location: location
+ kind: ''
+ properties: {}
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.api.azureml.ms'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Application Insights instance.')
+output applicationInsightsResourceId string = applicationInsights.id
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..2c0000e5e5
--- /dev/null
+++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
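Review bot: The `resource storageAccount` that becomes the workspace's default store is created with no `properties` at all, so `minimumTlsVersion`, `supportsHttpsTrafficOnly` and `allowBlobPublicAccess` fall back to the API-version defaults, which is not what a WAF-aligned example should demonstrate; `properties: { minimumTlsVersion: 'TLS1_2', supportsHttpsTrafficOnly: true, allowBlobPublicAccess: false }` would close that. The Key Vault is likewise created with `enablePurgeProtection: null` and no soft-delete setting, and with `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` all `true`, which widens which platform services may read its secrets. In `keyVaultServicePermissions` and `keyVaultDataPermissions` the same identity receives Contributor plus Key Vault Administrator on the vault; a workspace identity would normally need a narrower data-plane role, though the exact role the module's workspace requires is not visible here.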
@@ -0,0 +1,162 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mlswwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+ applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}'
+ storageAccountName: 'dep${namePrefix}st${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId
+ associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
+ sku: 'Premium'
+ computes: [
+ {
+ computeLocation: 'westeurope'
+ computeType: 'AmlCompute'
+ description: 'Default CPU Cluster'
+ disableLocalAuth: false
+ location: 'westeurope'
+ name: 'DefaultCPU'
+ properties: {
+ enableNodePublicIp: true
+ isolatedNetwork: false
+ osType: 'Linux'
+ remoteLoginPortPublicAccess: 'Disabled'
+ scaleSettings: {
+ maxNodeCount: 3
+ minNodeCount: 0
+ nodeIdleTimeBeforeScaleDown: 'PT5M'
+ }
+ vmPriority: 'Dedicated'
+ vmSize: 'STANDARD_DS11_V2'
+ }
+ sku: 'Basic'
+ // Must be false if `primaryUserAssignedIdentity` is provided
+ managedIdentities: {
+ systemAssigned: false
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ }
+ ]
+ description: 'The cake is a lie.'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ discoveryUrl: 'http://example.com'
+ imageBuildCompute: 'testcompute'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId
+ privateEndpoints: [
+ {
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ managedIdentities: {
+ systemAssigned: false
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md
index 187dac5dc9..208ba523f4
--- a/modules/maintenance/maintenance-configuration/README.md
+++ b/modules/maintenance/maintenance-configuration/README.md
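Review bot: The `computes` entry sets `enableNodePublicIp: true`, `disableLocalAuth: false` and `isolatedNetwork: false` while the workspace itself is placed behind a private endpoint, so this WAF-aligned example exposes its compute nodes with public IPs and leaves local authentication enabled; `enableNodePublicIp: false` and `disableLocalAuth: true` are the values readers should see here. Disabling node public IPs requires the compute to sit in a subnet (the dependencies already create `defaultSubnet`), but whether this module's compute object accepts a subnet reference is not visible in this hunk. `discoveryUrl: 'http://example.com'` is also plain HTTP and should be `https://` in a hardened example.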
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -229,6 +230,158 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mmcwaf' + params: { + // Required parameters + name: 'mmcwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + extensionProperties: { + InGuestPatchMode: 'User' + } + installPatches: { + linuxParameters: { + classificationsToInclude: '' + packageNameMasksToExclude: '' + packageNameMasksToInclude: '' + } + rebootSetting: 'IfRequired' + windowsParameters: { + classificationsToInclude: [ + 'Critical' + 'Security' + ] + kbNumbersToExclude: '' + kbNumbersToInclude: '' + } + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maintenanceWindow: { + duration: '03:00' + expirationDateTime: '9999-12-31 23:59:59' + recurEvery: 'Day' + startDateTime: '2022-12-31 13:00' + timeZone: 'W. Europe Standard Time' + } + namespace: 'mmcwafns' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + visibility: 'Custom' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "mmcwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "extensionProperties": { + "value": { + "InGuestPatchMode": "User" + } + }, + "installPatches": { + "value": { + "linuxParameters": { + "classificationsToInclude": "", + "packageNameMasksToExclude": "", + "packageNameMasksToInclude": "" + }, + "rebootSetting": "IfRequired", + "windowsParameters": { + "classificationsToInclude": [ + "Critical", + "Security" + ], + "kbNumbersToExclude": "", + "kbNumbersToInclude": "" + } + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maintenanceWindow": { + "value": { + "duration": "03:00", + "expirationDateTime": "9999-12-31 23:59:59", + "recurEvery": "Day", + "startDateTime": "2022-12-31 13:00", + "timeZone": "W. Europe Standard Time" + } + }, + "namespace": { + "value": "mmcwafns" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "visibility": { + "value": "Custom" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..467bb46bba
--- /dev/null
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,101 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mmcwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ extensionProperties: {
+ InGuestPatchMode: 'User'
+ }
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ maintenanceScope: 'InGuestPatch'
+ maintenanceWindow: {
+ duration: '03:00'
+ expirationDateTime: '9999-12-31 23:59:59'
+ recurEvery: 'Day'
+ startDateTime: '2022-12-31 13:00'
+ timeZone: 'W. Europe Standard Time'
+ }
+ namespace: '${serviceShort}ns'
+ visibility: 'Custom'
+ installPatches: {
+ linuxParameters: {
+ classificationsToInclude: null
+ packageNameMasksToExclude: null
+ packageNameMasksToInclude: null
+ }
+ rebootSetting: 'IfRequired'
+ windowsParameters: {
+ classificationsToInclude: [
+ 'Critical'
+ 'Security'
+ ]
+ kbNumbersToExclude: null
+ kbNumbersToInclude: null
+ }
+ }
+ }
+}
diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md
index d76e767ebe..c2e921ae09 100644
--- a/modules/managed-identity/user-assigned-identity/README.md
+++ b/modules/managed-identity/user-assigned-identity/README.md
@@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -174,6 +175,110 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
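Review bot: The `resourceGroup` resource in this new test pins `Microsoft.Resources/resourceGroups@2021-04-01`, while the application-gateway WAF-policy test added in the same commit pins `@2022-09-01` for the same type; the user-assigned-identity test repeats the 2021 version, and the `dependencies.bicep` both of those modules add (same blob in both) pins `userAssignedIdentities@2018-11-30`. Newly added files would be easier to maintain if they agreed on one API version per resource type. Separately, `startDateTime: '2022-12-31 13:00'` is a fixed date in the past; a comment such as `// fixed start in the past is intentional: the window recurs daily` would tell readers it is not a stale value. The `lock: { kind: 'CanNotDelete' }` on a validation deployment presumably relies on the pipeline removing the lock before teardown; if that is not the case, it is worth a comment here.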

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-miuaiwaf' + params: { + enableDefaultTelemetry: '' + federatedIdentityCredentials: [ + { + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: '' + name: 'test-fed-cred-miuaiwaf-001' + subject: 'system:serviceaccount:default:workload-identity-sa' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + name: 'miuaiwaf001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableDefaultTelemetry": { + "value": "" + }, + "federatedIdentityCredentials": { + "value": [ + { + "audiences": [ + "api://AzureADTokenExchange" + ], + "issuer": "", + "name": "test-fed-cred-miuaiwaf-001", + "subject": "system:serviceaccount:default:workload-identity-sa" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "name": { + "value": "miuaiwaf001" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..fababf8321
--- /dev/null
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,82 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'miuaiwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ federatedIdentityCredentials: [
+ {
+ name: 'test-fed-cred-${serviceShort}-001'
+ audiences: [
+ 'api://AzureADTokenExchange'
+ ]
+ issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/'
+ subject: 'system:serviceaccount:default:workload-identity-sa'
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md
index 472774ac03..759632f268 100644
--- a/modules/managed-services/registration-definition/README.md
+++ b/modules/managed-services/registration-definition/README.md
@@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Rg](#example-2-rg) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using large parameter set_
@@ -218,6 +219,98 @@ module registrationDefinition 'br:bicep/modules/managed-services.registration-de
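Review bot: The federated credential's `issuer` is a constructed URL under `contoso.com` built from `subscription().tenantId` and `guid(deployment().name)`, and nothing in the file marks it as a placeholder, so the generated README example (which renders it as `issuer: ''`) gives readers no hint of what a real value looks like. A comment above that line such as `// placeholder issuer (not a live OIDC provider); use the workload-identity issuer URL of your cluster` would make the example safe to copy. The `subject` trusts `system:serviceaccount:default:workload-identity-sa`, i.e. a service account in the `default` namespace; as a placeholder that is harmless, but a dedicated namespace in the sample would match the least-privilege guidance a WAF-aligned example is meant to illustrate.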

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-msrdwaf' + params: { + // Required parameters + authorizations: [ + { + principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' + principalIdDisplayName: 'ResourceModules-Reader' + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' + principalIdDisplayName: 'ResourceModules-Contributor' + roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' + principalIdDisplayName: 'ResourceModules-LHManagement' + roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' + } + ] + managedByTenantId: '<< SET YOUR TENANT ID HERE >>' + name: 'Component Validation - msrdwaf Subscription assignment' + registrationDescription: 'Managed by Lighthouse' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "authorizations": { + "value": [ + { + "principalId": "<< SET YOUR PRINCIPAL ID 1 HERE >>", + "principalIdDisplayName": "ResourceModules-Reader", + "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + { + "principalId": "<< SET YOUR PRINCIPAL ID 2 HERE >>", + "principalIdDisplayName": "ResourceModules-Contributor", + "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "<< SET YOUR PRINCIPAL ID 3 HERE >>", + "principalIdDisplayName": "ResourceModules-LHManagement", + "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" + } + ] + }, + "managedByTenantId": { + "value": "<< SET YOUR TENANT ID HERE >>" + }, + "name": { + "value": "Component Validation - msrdwaf Subscription assignment" + }, + "registrationDescription": { + "value": "Managed by Lighthouse" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..553e1b72b9
--- /dev/null
+++ b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,48 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'msrdwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment'
+ authorizations: [
+ {
+ principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>'
+ principalIdDisplayName: 'ResourceModules-Reader'
+ roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ }
+ {
+ principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>'
+ principalIdDisplayName: 'ResourceModules-Contributor'
+ roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>'
+ principalIdDisplayName: 'ResourceModules-LHManagement'
+ roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
+ }
+ ]
+ managedByTenantId: '<< SET YOUR TENANT ID HERE >>'
+ registrationDescription: 'Managed by Lighthouse'
+ }
+}
diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md
index 38c1b4d408..d5e7a66097 100644
--- a/modules/management/management-group/README.md
+++ b/modules/management/management-group/README.md
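Review bot: `managedByTenantId: '<< SET YOUR TENANT ID HERE >>'` and the three `principalId` placeholders are not GUIDs, so this WAF-aligned test can only deploy if something substitutes them before the run; the other new tests in this commit rely only on the `[[namePrefix]]` token, so it is unclear whether this one is expected to be tokenised or skipped. A comment at the top of the `authorizations` block, e.g. `// placeholder principal/tenant IDs: substituted by the test pipeline, not deployable as-is` (adjusted to whatever is actually the case), would remove the ambiguity. The three `roleDefinitionId` GUIDs are explained only by their `principalIdDisplayName` values; a short comment naming the built-in role each one resolves to (Reader, Contributor, and the Lighthouse registration-assignment delete role) would let a reviewer check that the delegation to the managing tenant is as narrow as intended.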
@@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -136,6 +137,62 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-mmgwaf' + params: { + // Required parameters + name: 'mmgwaf001' + // Non-required parameters + displayName: 'Test MG' + enableDefaultTelemetry: '' + parentId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "mmgwaf001" + }, + // Non-required parameters + "displayName": { + "value": "Test MG" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "parentId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..8ccb083802
--- /dev/null
+++ b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,31 @@
+targetScope = 'managementGroup'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mmgwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ displayName: 'Test MG'
+ parentId: last(split(managementGroup().id, '/'))
+ }
+}
diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md
index feb78de452..9b9ea51250 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/README.md
+++ b/modules/network/application-gateway-web-application-firewall-policy/README.md
@@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -128,6 +129,108 @@ module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' + params: { + // Required parameters + name: 'nagwafpwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + managedRules: { + managedRuleSets: [ + { + ruleGroupOverrides: [] + ruleSetType: 'OWASP' + ruleSetVersion: '3.2' + } + { + ruleGroupOverrides: [] + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '0.1' + } + ] + } + policySettings: { + fileUploadLimitInMb: 10 + mode: 'Prevention' + state: 'Enabled' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nagwafpwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedRules": { + "value": { + "managedRuleSets": [ + { + "ruleGroupOverrides": [], + "ruleSetType": "OWASP", + "ruleSetVersion": "3.2" + }, + { + "ruleGroupOverrides": [], + "ruleSetType": "Microsoft_BotManagerRuleSet", + "ruleSetVersion": "0.1" + } + ] + } + }, + "policySettings": { + "value": { + "fileUploadLimitInMb": 10, + "mode": "Prevention", + "state": "Enabled" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0629a475af
--- /dev/null
+++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,72 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nagwafpwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ policySettings: {
+ fileUploadLimitInMb: 10
+ state: 'Enabled'
+ mode: 'Prevention'
+ }
+ managedRules: {
+ managedRuleSets: [
+ {
+ ruleSetType: 'OWASP'
+ ruleSetVersion: '3.2'
+ ruleGroupOverrides: []
+ }
+ {
+ ruleSetType: 'Microsoft_BotManagerRuleSet'
+ ruleSetVersion: '0.1'
+ ruleGroupOverrides: []
+ }
+ ]
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md
index 853769d2f6..0a7a5b8a1f 100644
--- a/modules/network/application-gateway/README.md
+++ b/modules/network/application-gateway/README.md
@@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_
@@ -965,6 +966,940 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwaf' + params: { + // Required parameters + name: '' + // Non-required parameters + backendAddressPools: [ + { + name: 'appServiceBackendPool' + properties: { + backendAddresses: [ + { + fqdn: 'aghapp.azurewebsites.net' + } + ] + } + } + { + name: 'privateVmBackendPool' + properties: { + backendAddresses: [ + { + ipAddress: '10.0.0.4' + } + ] + } + } + ] + backendHttpSettingsCollection: [ + { + name: 'appServiceBackendHttpsSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: true + port: 443 + protocol: 'Https' + requestTimeout: 30 + } + } + { + name: 'privateVmHttpSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: false + port: 80 + probe: { + id: '' + } + protocol: 'Http' + requestTimeout: 30 + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableHttp2: true + frontendIPConfigurations: [ + { + name: 'private' + properties: { + privateIPAddress: '10.0.0.20' + privateIPAllocationMethod: 'Static' + subnet: { + id: '' + } + } + } + { + name: 'public' + properties: { + privateIPAllocationMethod: 'Dynamic' + privateLinkConfiguration: { + id: '' + } + publicIPAddress: { + id: '' + } + } + } + ] + frontendPorts: [ + { + name: 'port443' + properties: { + port: 443 + } + } + { + name: 'port4433' + properties: { + port: 4433 + } + } + { + name: 'port80' + properties: { + port: 80 + } + } + { + name: 'port8080' + properties: { + port: 8080 + } + } + ] + gatewayIPConfigurations: [ + { + name: 'apw-ip-configuration' + properties: { + subnet: { + id: '' + } + } + } + ] + httpListeners: [ + { + 
name: 'public443' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '' + } + } + } + { + name: 'private4433' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '' + } + } + } + { + name: 'httpRedirect80' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + { + name: 'httpRedirect8080' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'public' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + privateLinkConfigurations: [ + { + id: '' + name: 'pvtlink01' + properties: { + ipConfigurations: [ + { + id: '' + name: 'privateLinkIpConfig1' + properties: { + primary: false + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: '' + } + } + } + ] + } + } + ] + probes: [ + { + name: 'privateVmHttpSettingProbe' + properties: { + host: '10.0.0.4' + interval: 60 + match: { + statusCodes: [ + '200' + '401' + ] + } + minServers: 3 + path: '/' + pickHostNameFromBackendHttpSettings: false + protocol: 'Http' + timeout: 15 + unhealthyThreshold: 5 + } + } + ] + redirectConfigurations: [ + { + name: 'httpRedirect80' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '' + } + ] + targetListener: { + id: '' + } + } + } + { + name: 'httpRedirect8080' 
+ properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '' + } + ] + targetListener: { + id: '' + } + } + } + ] + requestRoutingRules: [ + { + name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' + properties: { + backendAddressPool: { + id: '' + } + backendHttpSettings: { + id: '' + } + httpListener: { + id: '' + } + priority: 200 + ruleType: 'Basic' + } + } + { + name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' + properties: { + backendAddressPool: { + id: '' + } + backendHttpSettings: { + id: '' + } + httpListener: { + id: '' + } + priority: 250 + ruleType: 'Basic' + } + } + { + name: 'httpRedirect80-public443' + properties: { + httpListener: { + id: '' + } + priority: 300 + redirectConfiguration: { + id: '' + } + ruleType: 'Basic' + } + } + { + name: 'httpRedirect8080-private4433' + properties: { + httpListener: { + id: '' + } + priority: 350 + redirectConfiguration: { + id: '' + } + rewriteRuleSet: { + id: '' + } + ruleType: 'Basic' + } + } + ] + rewriteRuleSets: [ + { + id: '' + name: 'customRewrite' + properties: { + rewriteRules: [ + { + actionSet: { + requestHeaderConfigurations: [ + { + headerName: 'Content-Type' + headerValue: 'JSON' + } + { + headerName: 'someheader' + } + ] + responseHeaderConfigurations: [] + } + conditions: [] + name: 'NewRewrite' + ruleSequence: 100 + } + ] + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'WAF_v2' + sslCertificates: [ + { + name: 'az-apgw-x-001-ssl-certificate' + properties: { + keyVaultSecretId: '' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + webApplicationFirewallConfiguration: { + disabledRuleGroups: [ + { + ruleGroupName: 'Known-CVEs' + } + { + ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' + } + { + 
ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' + } + ] + enabled: true + exclusions: [ + { + matchVariable: 'RequestHeaderNames' + selector: 'hola' + selectorMatchOperator: 'StartsWith' + } + ] + fileUploadLimitInMb: 100 + firewallMode: 'Detection' + maxRequestBodySizeInKb: 128 + requestBodyCheck: true + ruleSetType: 'OWASP' + ruleSetVersion: '3.0' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + // Non-required parameters + "backendAddressPools": { + "value": [ + { + "name": "appServiceBackendPool", + "properties": { + "backendAddresses": [ + { + "fqdn": "aghapp.azurewebsites.net" + } + ] + } + }, + { + "name": "privateVmBackendPool", + "properties": { + "backendAddresses": [ + { + "ipAddress": "10.0.0.4" + } + ] + } + } + ] + }, + "backendHttpSettingsCollection": { + "value": [ + { + "name": "appServiceBackendHttpsSetting", + "properties": { + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": true, + "port": 443, + "protocol": "Https", + "requestTimeout": 30 + } + }, + { + "name": "privateVmHttpSetting", + "properties": { + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "port": 80, + "probe": { + "id": "" + }, + "protocol": "Http", + "requestTimeout": 30 + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableHttp2": { + "value": true + }, + "frontendIPConfigurations": { + "value": [ + { + "name": "private", + "properties": { + "privateIPAddress": "10.0.0.20", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "" + } + } + }, + { + "name": "public", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "privateLinkConfiguration": { + "id": "" + }, + "publicIPAddress": { + "id": "" + } + } + } + ] + }, + "frontendPorts": { + "value": [ + { + "name": "port443", + "properties": { + "port": 443 + } + }, + { + "name": "port4433", + "properties": { + "port": 
4433 + } + }, + { + "name": "port80", + "properties": { + "port": 80 + } + }, + { + "name": "port8080", + "properties": { + "port": 8080 + } + } + ] + }, + "gatewayIPConfigurations": { + "value": [ + { + "name": "apw-ip-configuration", + "properties": { + "subnet": { + "id": "" + } + } + } + ] + }, + "httpListeners": { + "value": [ + { + "name": "public443", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "https", + "requireServerNameIndication": false, + "sslCertificate": { + "id": "" + } + } + }, + { + "name": "private4433", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "https", + "requireServerNameIndication": false, + "sslCertificate": { + "id": "" + } + } + }, + { + "name": "httpRedirect80", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "Http", + "requireServerNameIndication": false + } + }, + { + "name": "httpRedirect8080", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "Http", + "requireServerNameIndication": false + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "public", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "privateLinkConfigurations": { + "value": [ + { + "id": "", + "name": "pvtlink01", + "properties": { + "ipConfigurations": [ + { + "id": "", + "name": "privateLinkIpConfig1", + "properties": { + "primary": false, + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "" + } + } + } + 
] + } + } + ] + }, + "probes": { + "value": [ + { + "name": "privateVmHttpSettingProbe", + "properties": { + "host": "10.0.0.4", + "interval": 60, + "match": { + "statusCodes": [ + "200", + "401" + ] + }, + "minServers": 3, + "path": "/", + "pickHostNameFromBackendHttpSettings": false, + "protocol": "Http", + "timeout": 15, + "unhealthyThreshold": 5 + } + } + ] + }, + "redirectConfigurations": { + "value": [ + { + "name": "httpRedirect80", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "" + } + ], + "targetListener": { + "id": "" + } + } + }, + { + "name": "httpRedirect8080", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "" + } + ], + "targetListener": { + "id": "" + } + } + } + ] + }, + "requestRoutingRules": { + "value": [ + { + "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", + "properties": { + "backendAddressPool": { + "id": "" + }, + "backendHttpSettings": { + "id": "" + }, + "httpListener": { + "id": "" + }, + "priority": 200, + "ruleType": "Basic" + } + }, + { + "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", + "properties": { + "backendAddressPool": { + "id": "" + }, + "backendHttpSettings": { + "id": "" + }, + "httpListener": { + "id": "" + }, + "priority": 250, + "ruleType": "Basic" + } + }, + { + "name": "httpRedirect80-public443", + "properties": { + "httpListener": { + "id": "" + }, + "priority": 300, + "redirectConfiguration": { + "id": "" + }, + "ruleType": "Basic" + } + }, + { + "name": "httpRedirect8080-private4433", + "properties": { + "httpListener": { + "id": "" + }, + "priority": 350, + "redirectConfiguration": { + "id": "" + }, + "rewriteRuleSet": { + "id": "" + }, + "ruleType": "Basic" + } + } + ] + }, + "rewriteRuleSets": { + "value": [ + { + "id": "", + "name": "customRewrite", + "properties": { + 
"rewriteRules": [ + { + "actionSet": { + "requestHeaderConfigurations": [ + { + "headerName": "Content-Type", + "headerValue": "JSON" + }, + { + "headerName": "someheader" + } + ], + "responseHeaderConfigurations": [] + }, + "conditions": [], + "name": "NewRewrite", + "ruleSequence": 100 + } + ] + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "WAF_v2" + }, + "sslCertificates": { + "value": [ + { + "name": "az-apgw-x-001-ssl-certificate", + "properties": { + "keyVaultSecretId": "" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "webApplicationFirewallConfiguration": { + "value": { + "disabledRuleGroups": [ + { + "ruleGroupName": "Known-CVEs" + }, + { + "ruleGroupName": "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" + }, + { + "ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS" + } + ], + "enabled": true, + "exclusions": [ + { + "matchVariable": "RequestHeaderNames", + "selector": "hola", + "selectorMatchOperator": "StartsWith" + } + ], + "fileUploadLimitInMb": 100, + "firewallMode": "Detection", + "maxRequestBodySizeInKb": 128, + "requestBodyCheck": true, + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2de1a81653 --- /dev/null +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,146 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Deployment Script to create for the Certificate generation.') +param certDeploymentScriptName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 24, 0) + } + } + { + name: 'privateLinkSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 24, 1) + privateLinkServiceNetworkPolicies: 'Disabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.appgateway.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + 
name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator + principalType: 'ServicePrincipal' + } +} + +resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: certDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-KeyVaultName "${keyVault.name}" -CertName "applicationGatewaySslCertificate"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1') + } +} + +@description('The resource ID of the created Virtual Network default subnet.') +output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Virtual Network private link subnet.') +output privateLinkSubnetResourceId string = virtualNetwork.properties.subnets[1].id + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The URL of the created certificate.') +output certificateSecretUrl string = 
certDeploymentScript.properties.outputs.secretUrl + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..43b1c3d630 --- /dev/null +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep 
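Review bot: The keyPermissions role assignment gives the deployment-script identity Key Vault Administrator (`00482a5a-887f-4fb3-b363-3b7fe8e74483`) on the whole vault, although the script only has to create and read one certificate; a narrower built-in role such as Key Vault Certificates Officer would follow least privilege and shrink what a faulty or compromised script run could touch, e.g. `roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<certificates-officer-role-id>') // Key Vault Certificates Officer`. In the keyVault resource, `enablePurgeProtection: null` leaves purge protection off for the vault that holds the gateway's TLS certificate, which is at odds with the WAF-aligned intent of this test; presumably it is deliberate so the test vault can be cleaned up, in which case a comment such as `// purge protection left off on purpose: test resources must be deletable` would stop the next reader from "fixing" it in either direction. The arguments string passed to certDeploymentScript interpolates `keyVault.name` unquoted into a PowerShell command line; that is safe here because the name is a template parameter, but worth a comment if this file is copied as a pattern for user-supplied values.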
@@ -0,0 +1,498 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nagwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + 
storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var appGWName = '${namePrefix}${serviceShort}001' +var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: appGWName + backendAddressPools: [ + { + name: 'appServiceBackendPool' + properties: { + backendAddresses: [ + { + fqdn: 'aghapp.azurewebsites.net' + } + ] + } + } + { + name: 'privateVmBackendPool' + properties: { + backendAddresses: [ + { + ipAddress: '10.0.0.4' + } + ] + } + } + ] + backendHttpSettingsCollection: [ + { + name: 'appServiceBackendHttpsSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: true + port: 443 + protocol: 'Https' + requestTimeout: 30 + } + } + { + name: 'privateVmHttpSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: false + port: 80 + probe: { + id: '${appGWExpectedResourceID}/probes/privateVmHttpSettingProbe' + } + protocol: 'Http' + requestTimeout: 30 + } + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] 
+ enableHttp2: true + privateLinkConfigurations: [ + { + name: 'pvtlink01' + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' + properties: { + ipConfigurations: [ + { + name: 'privateLinkIpConfig1' + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01/ipConfigurations/privateLinkIpConfig1' + properties: { + privateIPAllocationMethod: 'Dynamic' + primary: false + subnet: { + id: nestedDependencies.outputs.privateLinkSubnetResourceId + } + } + } + ] + } + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'public' + subnetResourceId: nestedDependencies.outputs.privateLinkSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + frontendIPConfigurations: [ + { + name: 'private' + properties: { + privateIPAddress: '10.0.0.20' + privateIPAllocationMethod: 'Static' + subnet: { + id: nestedDependencies.outputs.defaultSubnetResourceId + } + } + } + { + name: 'public' + properties: { + privateIPAllocationMethod: 'Dynamic' + publicIPAddress: { + id: nestedDependencies.outputs.publicIPResourceId + } + privateLinkConfiguration: { + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' + } + } + } + ] + frontendPorts: [ + { + name: 'port443' + properties: { + port: 443 + } + } + { + name: 'port4433' + properties: { + port: 4433 + } + } + { + name: 'port80' + properties: { + port: 80 + } + } + { + name: 'port8080' + properties: { + port: 8080 + } + } + ] + gatewayIPConfigurations: [ + { + name: 'apw-ip-configuration' + properties: { + subnet: { + id: nestedDependencies.outputs.defaultSubnetResourceId + } + } + } + ] + httpListeners: [ + { + name: 'public443' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port443' + } + hostNames: [] + protocol: 'https' + 
requireServerNameIndication: false + sslCertificate: { + id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' + } + } + } + { + name: 'private4433' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port4433' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' + } + } + } + { + name: 'httpRedirect80' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port80' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + { + name: 'httpRedirect8080' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port8080' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + probes: [ + { + name: 'privateVmHttpSettingProbe' + properties: { + host: '10.0.0.4' + interval: 60 + match: { + statusCodes: [ + '200' + '401' + ] + } + minServers: 3 + path: '/' + pickHostNameFromBackendHttpSettings: false + protocol: 'Http' + timeout: 15 + unhealthyThreshold: 5 + } + } + ] + redirectConfigurations: [ + { + name: 'httpRedirect80' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect80-public443' + } + ] + targetListener: { + id: '${appGWExpectedResourceID}/httpListeners/public443' + } + } + } + { + name: 'httpRedirect8080' + properties: { + includePath: true + 
includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect8080-private4433' + } + ] + targetListener: { + id: '${appGWExpectedResourceID}/httpListeners/private4433' + } + } + } + ] + requestRoutingRules: [ + { + name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' + properties: { + backendAddressPool: { + id: '${appGWExpectedResourceID}/backendAddressPools/appServiceBackendPool' + } + backendHttpSettings: { + id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/appServiceBackendHttpsSetting' + } + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/public443' + } + priority: 200 + ruleType: 'Basic' + } + } + { + name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' + properties: { + backendAddressPool: { + id: '${appGWExpectedResourceID}/backendAddressPools/privateVmBackendPool' + } + backendHttpSettings: { + id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/privateVmHttpSetting' + } + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/private4433' + } + priority: 250 + ruleType: 'Basic' + } + } + { + name: 'httpRedirect80-public443' + properties: { + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/httpRedirect80' + } + priority: 300 + redirectConfiguration: { + id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect80' + } + ruleType: 'Basic' + } + } + { + name: 'httpRedirect8080-private4433' + properties: { + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/httpRedirect8080' + } + priority: 350 + redirectConfiguration: { + id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect8080' + } + ruleType: 'Basic' + rewriteRuleSet: { + id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' + } + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + 
principalType: 'ServicePrincipal' + } + ] + sku: 'WAF_v2' + sslCertificates: [ + { + name: '${namePrefix}-az-apgw-x-001-ssl-certificate' + properties: { + keyVaultSecretId: nestedDependencies.outputs.certificateSecretUrl + } + } + ] + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + rewriteRuleSets: [ + { + name: 'customRewrite' + id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' + properties: { + rewriteRules: [ + { + ruleSequence: 100 + conditions: [] + name: 'NewRewrite' + actionSet: { + requestHeaderConfigurations: [ + { + headerName: 'Content-Type' + headerValue: 'JSON' + } + { + headerName: 'someheader' + } + ] + responseHeaderConfigurations: [] + } + } + ] + } + } + ] + webApplicationFirewallConfiguration: { + enabled: true + fileUploadLimitInMb: 100 + firewallMode: 'Detection' + maxRequestBodySizeInKb: 128 + requestBodyCheck: true + ruleSetType: 'OWASP' + ruleSetVersion: '3.0' + disabledRuleGroups: [ + { + ruleGroupName: 'Known-CVEs' + } + { + ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' + } + { + ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' + } + ] + exclusions: [ + { + matchVariable: 'RequestHeaderNames' + selectorMatchOperator: 'StartsWith' + selector: 'hola' + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 37e573fa66..362a0f108d 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md 
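Review bot: The `webApplicationFirewallConfiguration` at the end of the testDeployment params runs the WAF in `firewallMode: 'Detection'` and disables the `Known-CVEs`, `REQUEST-941-APPLICATION-ATTACK-XSS` and `REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION` rule groups, which looks copied from the large-parameter-set test rather than derived from the Well-Architected guidance this example is named after. In Detection mode the WAF only logs, so the rendered README example advertises a "WAF-aligned" gateway that blocks nothing; `firewallMode: 'Prevention'` and `disabledRuleGroups: []` (or dropping that property) would match the metadata description, and `ruleSetVersion: '3.0'` is an old CRS version worth revisiting, though I have not checked which versions the module's API version accepts. The two TLS listeners use `protocol: 'https'` in lower case while the redirect listeners use `'Http'`; consistent casing (`'Https'`) avoids relying on case-insensitive handling by the resource provider. The same Detection/disabled-rule-group settings appear in the JSON and Bicep README examples earlier in this diff, which are generated from this file and will follow once it is changed.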
@@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-security-group:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -114,6 +115,92 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nasgwaf' + params: { + // Required parameters + name: 'nasgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nasgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..052a71f7b1 --- /dev/null +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecuritygroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nasgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 2f41e39161..1a29630003 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Hubcommon](#example-4-hubcommon) - [Hubmin](#example-5-hubmin) - [Using large parameter set](#example-6-using-large-parameter-set) +- [WAF-aligned](#example-7-waf-aligned) ### Example 1: _Addpip_ @@ -747,6 +748,308 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

+### Example 7: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nafwaf' + params: { + // Required parameters + name: 'nafwaf001' + // Non-required parameters + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + name: 'allow-ase-tags' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + } + { + name: 'allow-ase-management' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + targetFqdns: [ + 'bing.com' + ] + } + ] + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '12000' + '123' + ] + name: 'allow-ntp' + protocols: [ + 'Any' + ] + sourceAddresses: [ + '*' + ] + } + ] + } + } + ] + publicIPResourceID: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vNetId: '' + zones: [ + '1' + '2' + '3' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nafwaf001" + }, + // Non-required parameters + "applicationRuleCollections": { + "value": [ + { + "name": "allow-app-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "fqdnTags": [ + "AppServiceEnvironment", + "WindowsUpdate" + ], + "name": "allow-ase-tags", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ] + }, + { + "name": "allow-ase-management", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ], + "targetFqdns": [ + "bing.com" + ] + } + ] + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkRuleCollections": { + "value": [ + { + "name": "allow-network-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "destinationAddresses": [ + "*" + ], + "destinationPorts": [ + "12000", + "123" + ], + "name": "allow-ntp", + "protocols": [ + "Any" + ], + "sourceAddresses": [ + "*" + ] + } + ] + } + } + ] + }, + "publicIPResourceID": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + 
"hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vNetId": { + "value": "" + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..de9bfec4ea --- /dev/null +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,64 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } + zones: [ + '1' + '2' + '3' + ] +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
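Review bot: In the azure-firewall dependencies.bicep, `addressPrefix: cidrSubnet(addressPrefix, 16, 0)` makes AzureFirewallSubnet the entire `10.0.0.0/16` address space of the virtual network, which is valid but inconsistent with the application-gateway dependencies in this same commit that carve /24 subnets from the same prefix. If the intent is a minimal dependency, `cidrSubnet(addressPrefix, 26, 0)` (the smallest size the firewall accepts) leaves room for further subnets in later test variants; if the full-size subnet is intended, a short comment such as `// whole VNet reserved for the firewall subnet on purpose` would make that clear. The zone-redundant Standard public IP is the right choice for a WAF-aligned example.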
diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..beb7ff6624 --- /dev/null +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,190 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nafwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + vNetId: nestedDependencies.outputs.virtualNetworkResourceId + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + name: 'allow-ase-tags' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + } + { + name: 'allow-ase-management' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + targetFqdns: [ + 'bing.com' + ] + } + ] + } + } + ] + publicIPResourceID: nestedDependencies.outputs.publicIPResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '12000' + '123' + ] + name: 'allow-ntp' + protocols: 
[ + 'Any' + ] + sourceAddresses: [ + '*' + ] + } + ] + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zones: [ + '1' + '2' + '3' + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 06e8704806..5524340559 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Custompip](#example-1-custompip) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Custompip_ @@ -351,6 +352,144 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {
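Review bot: The application rules at `sourceAddresses: [ '*' ]` and the `allow-ntp` network rule at `destinationAddresses: [ '*' ]` keep the any-source/any-destination shape of the max test, so a fixture whose metadata claims Well-Architected alignment still documents an unscoped allow rule. `dependencies.bicep` already pins the VNet to `10.0.0.0/16`; exposing that prefix as an output and using it for `sourceAddresses` would make the example least-privilege and self-contained without changing what the test exercises. The rule name `allow-ntp` also does not match destination port `'12000'`, which looks inherited rather than intended; `'123'` alone would fit the name.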

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nbhwaf' + params: { + // Required parameters + name: 'nbhwaf001' + vNetId: '' + // Non-required parameters + bastionSubnetPublicIpResourceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableCopyPaste: true + enableDefaultTelemetry: '' + enableFileCopy: false + enableIpConnect: false + enableShareableLink: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scaleUnits: 4 + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nbhwaf001" + }, + "vNetId": { + "value": "" + }, + // Non-required parameters + "bastionSubnetPublicIpResourceId": { + "value": "" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableCopyPaste": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableFileCopy": { + "value": false + }, + "enableIpConnect": { + "value": false + }, + "enableShareableLink": { + "value": false + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scaleUnits": { + "value": 4 + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..c25af5e3e7
--- /dev/null
+++ b/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,59 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Public IP to create.')
+param publicIPName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'AzureBastionSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
+ name: publicIPName
+ location: location
+ sku: {
+ name: 'Standard'
+ tier: 'Regional'
+ }
+ properties: {
+ publicIPAllocationMethod: 'Static'
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkResourceId string = virtualNetwork.id
+
+@description('The resource ID of the created Public IP.')
+output publicIPResourceId string = publicIP.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
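Review bot: The managed identity in this fixture is declared as `Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31`, while the sibling `dependencies.bicep` files added in the same commit (azure-firewall, ddos-protection-plan, dns-forwarding-ruleset) pin `2018-11-30`; aligning all of them on the newer version keeps the WAF-aligned fixtures consistent. The Standard public IP here also has no `zones` block, unlike the azure-firewall fixture's `zones: [ '1' '2' '3' ]`; if Bastion accepts a zone-redundant IP, adding it would match the reliability intent the test's metadata describes — I cannot confirm that constraint from the diff alone.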
diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..30d7f82891
--- /dev/null
+++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nbhwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + 
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + vNetId: nestedDependencies.outputs.virtualNetworkResourceId + bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + disableCopyPaste: true + enableFileCopy: false + enableIpConnect: false + enableShareableLink: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scaleUnits: 4 + skuName: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 1ccac70c5a..0a82054e08 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md 
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -163,6 +164,92 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0'

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndppwaf' + params: { + // Required parameters + name: 'ndppwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndppwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..8bdf24f0bd
--- /dev/null
+++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndppwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 43d21c8605..7f80e40e75 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -219,6 +220,136 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndfrswaf' + params: { + // Required parameters + dnsResolverOutboundEndpointResourceIds: [ + '' + ] + name: 'ndfrswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + forwardingRules: [ + { + domainName: 'contoso.' + forwardingRuleState: 'Enabled' + name: 'rule1' + targetDnsServers: [ + { + ipAddress: '192.168.0.1' + port: '53' + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vNetLinks: [ + '' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "dnsResolverOutboundEndpointResourceIds": { + "value": [ + "" + ] + }, + "name": { + "value": "ndfrswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "forwardingRules": { + "value": [ + { + "domainName": "contoso.", + "forwardingRuleState": "Enabled", + "name": "rule1", + "targetDnsServers": [ + { + "ipAddress": "192.168.0.1", + "port": "53" + } + ] + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vNetLinks": { + "value": [ + "" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..d1fb3445ee --- /dev/null +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,81 @@
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the DNS Resolver to create.')
+param dnsResolverName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: map(range(0, 2), i => {
+ name: 'subnet-${i}'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 25, i)
+ delegations: [
+ {
+ name: 'dnsdel'
+ properties: {
+ serviceName: 'Microsoft.Network/dnsResolvers'
+ }
+ }
+ ]
+ }
+ })
+ }
+}
+
+resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
+ name: dnsResolverName
+ location: location
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+
+ }
+}
+
+resource outboundEndpoints 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
+ name: 'pdnsout'
+ location: location
+ parent: dnsResolver
+ properties: {
+ subnet: {
+ id: virtualNetwork.properties.subnets[1].id
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkResourceId string = virtualNetwork.id
+
+@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
+output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
+output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
+
+@description('The resource ID of the created DNS Resolver.')
+output dnsResolverOutboundEndpointsId string = outboundEndpoints.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..d6dfab9955
--- /dev/null
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
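Review bot: The `@description` on `dnsResolverOutboundEndpointsId` reads `'The resource ID of the created DNS Resolver.'` while the output value is `outboundEndpoints.id`, so the generated documentation would describe the wrong resource; change it to `@description('The resource ID of the created DNS Resolver outbound endpoint.')`. The `dnsResolver` resource block also carries a stray blank line inside `properties` after the `virtualNetwork` object, which the other fixtures in this commit do not have and which should be dropped for consistency.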
@@ -0,0 +1,94 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndfrswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + dnsResolverName: 'dep-${namePrefix}-ndr-${serviceShort}' + location: location + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + 
dnsResolverOutboundEndpointResourceIds: [ + nestedDependencies.outputs.dnsResolverOutboundEndpointsId + ] + vNetLinks: [ + nestedDependencies.outputs.virtualNetworkResourceId + ] + forwardingRules: [ + { + name: 'rule1' + forwardingRuleState: 'Enabled' + domainName: 'contoso.' + targetDnsServers: [ + { + ipAddress: '192.168.0.1' + port: '53' + } + ] + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 99f030c8b2..9dd23b73e9 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-resolver:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -124,6 +125,98 @@ module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndrwaf' + params: { + // Required parameters + name: 'ndrwaf001' + virtualNetworkId: '' + // Non-required parameters + enableDefaultTelemetry: '' + inboundEndpoints: [ + { + name: 'az-pdnsin-x-001' + subnetId: '' + } + ] + outboundEndpoints: [ + { + name: 'az-pdnsout-x-001' + subnetId: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndrwaf001" + }, + "virtualNetworkId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "inboundEndpoints": { + "value": [ + { + "name": "az-pdnsin-x-001", + "subnetId": "" + } + ] + }, + "outboundEndpoints": { + "value": [ + { + "name": "az-pdnsout-x-001", + "subnetId": "" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..7a174f0fc2
--- /dev/null
+++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,42 @@
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: map(range(0, 2), i => {
+ name: 'subnet-${i}'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 25, i)
+ delegations: [
+ {
+ name: 'dnsdel'
+ properties: {
+ serviceName: 'Microsoft.Network/dnsResolvers'
+ }
+ }
+ ]
+ }
+ })
+ }
+}
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkId string = virtualNetwork.id
+
+@description('The resource ID of the created inbound endpoint Virtual Network Subnet.')
+output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created outbound endpoint Virtual Network Subnet.')
+output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id
diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..8748710b28
--- /dev/null
+++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,75 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndrwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + virtualNetworkId: nestedDependencies.outputs.virtualNetworkId + inboundEndpoints: [ + { + name: '${namePrefix}-az-pdnsin-x-001' + subnetId: 
nestedDependencies.outputs.subnetResourceId_dnsIn + } + ] + outboundEndpoints: [ + { + name: '${namePrefix}-az-pdnsout-x-001' + subnetId: nestedDependencies.outputs.subnetResourceId_dnsOut + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 23651a2aa3..003e5548ed 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -40,6 +40,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -489,6 +490,406 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = {
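Review bot: The WAF-aligned test for the DNS resolver passes no `lock` to testDeployment, while the sibling WAF-aligned tests added in this patch for dns-zone, express-route-circuit and express-route-gateway all set `lock: { kind: 'CanNotDelete' name: 'myCustomLockName' }`. If the dns-resolver module exposes a `lock` parameter, add the same block under `params:` so the example actually demonstrates a delete-protected deployment; if the module has no such parameter, a one-line comment above testDeployment saying so would stop readers of the generated README from wondering why this example differs. As written, the parameter set carries nothing that distinguishes it from a plain maximal example beyond the metadata text.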

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndzwaf' + params: { + // Required parameters + name: 'ndzwaf001.com' + // Non-required parameters + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + { + name: 'CNAME_aliasRecordSet' + targetResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soaRecord: { + email: 'azuredns-hostmaster.microsoft.com' + expireTime: 2419200 + host: 'ns1-04.azure-dns.com.' 
+ minimumTtl: 300 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndzwaf001.com" + }, + // Non-required parameters + "a": { + "value": [ + { + "aRecords": [ + { + "ipv4Address": "10.240.4.4" + } + ], + "name": "A_10.240.4.4", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "aaaa": { + "value": [ + { + "aaaaRecords": [ + { + "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + ], + "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", + "ttl": 3600 + } + ] + }, + "cname": { + "value": [ + { + "cnameRecord": { + "cname": "test" + }, + "name": "CNAME_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + }, + { + "name": "CNAME_aliasRecordSet", + "targetResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "mx": { + "value": [ + { + "mxRecords": [ + { + "exchange": "contoso.com", + "preference": 100 + } + ], + "name": "MX_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "ptr": { + "value": [ + { + "name": "PTR_contoso", + "ptrRecords": [ + { + "ptrdname": "contoso.com" + } + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "soa": { + "value": [ + { + "name": "@", + "roleAssignments": 
[ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "soaRecord": { + "email": "azuredns-hostmaster.microsoft.com", + "expireTime": 2419200, + "host": "ns1-04.azure-dns.com.", + "minimumTtl": 300, + "refreshTime": 3600, + "retryTime": 300, + "serialNumber": "1" + }, + "ttl": 3600 + } + ] + }, + "srv": { + "value": [ + { + "name": "SRV_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "srvRecords": [ + { + "port": 9332, + "priority": 0, + "target": "test.contoso.com", + "weight": 0 + } + ], + "ttl": 3600 + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "txt": { + "value": [ + { + "name": "TXT_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600, + "txtRecords": [ + { + "value": [ + "test" + ] + } + ] + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..22bd417624 --- /dev/null +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,37 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Traffic Manager Profile to create.') +param trafficManagerProfileName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01-preview' = { + name: trafficManagerProfileName + location: 'global' + properties: { + trafficRoutingMethod: 'Performance' + maxReturn: 0 + dnsConfig: { + relativeName: trafficManagerProfileName + ttl: 60 + } + monitorConfig: { + protocol: 'HTTP' + port: 80 + path: '/' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Traffic Manager Profile.') +output trafficManagerProfileResourceId string = trafficManagerProfile.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..6e754253e1 --- /dev/null +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,222 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndzwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + trafficManagerProfileName: 'dep-${namePrefix}-tmp-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001.com' + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + 
roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + { + name: 'CNAME_aliasRecordSet' + targetResourceId: nestedDependencies.outputs.trafficManagerProfileResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soaRecord: { + email: 'azuredns-hostmaster.microsoft.com' + expireTime: 2419200 + host: 'ns1-04.azure-dns.com.' 
+ minimumTtl: 300 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 125ba3bbb9..1a35356326 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -230,6 +231,146 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0
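Review bot: The same three-line `roleAssignments` entry (Reader for `nestedDependencies.outputs.managedIdentityPrincipalId`) is repeated for every record set in testDeployment's params, which makes it easy for one copy to drift from the others when the principal or role changes. A single `var readerRoleAssignments` declared after nestedDependencies and referenced from each record set would keep the grant defined once. Set-ModuleReadMe.ps1 derives the README example from this test's params, so confirm it renders a variable reference acceptably before adopting this; if it cannot, keep the inline literals.
```bicep
// … unchanged: parameters, resourceGroup, nestedDependencies …
var readerRoleAssignments = [
  {
    roleDefinitionIdOrName: 'Reader'
    principalId: nestedDependencies.outputs.managedIdentityPrincipalId
    principalType: 'ServicePrincipal'
  }
]

module testDeployment '../../../main.bicep' = {
  // … unchanged: scope, name …
  params: {
    // … unchanged: enableDefaultTelemetry, name …
    a: [
      {
        // … unchanged: aRecords, name …
        roleAssignments: readerRoleAssignments
        ttl: 3600
      }
    ]
    // … unchanged: remaining record sets, each using roleAssignments: readerRoleAssignments …
  }
}
```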

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nercwaf' + params: { + // Required parameters + bandwidthInMbps: 50 + name: 'nercwaf001' + peeringLocation: 'Amsterdam' + serviceProviderName: 'Equinix' + // Non-required parameters + allowClassicOperations: true + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuFamily: 'MeteredData' + skuTier: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "bandwidthInMbps": { + "value": 50 + }, + "name": { + "value": "nercwaf001" + }, + "peeringLocation": { + "value": "Amsterdam" + }, + "serviceProviderName": { + "value": "Equinix" + }, + // Non-required parameters + "allowClassicOperations": { + "value": true + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuFamily": { + "value": "MeteredData" + }, + "skuTier": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a7c2a372a3 --- /dev/null +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,106 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nercwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + bandwidthInMbps: 50 + peeringLocation: 'Amsterdam' + serviceProviderName: 'Equinix' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuFamily: 'MeteredData' + skuTier: 'Standard' + allowClassicOperations: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index f396c96058..1804fe9a3f 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ 
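Review bot: `allowClassicOperations: true` near the end of testDeployment's params opts the circuit into the legacy classic (ASM) management path, which a test labelled WAF-aligned should not present as the recommended configuration; the other WAF-aligned tests in this patch enable no comparable legacy toggle. Unless the WAF-aligned profile deliberately exercises this flag, drop the line or set `allowClassicOperations: false` so the generated README example does not advertise it. If it is intentional, add a comment above it such as `// classic operations enabled only to exercise the parameter in CI` to make that explicit.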
@@ -177,6 +178,102 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nergwaf' + params: { + // Required parameters + name: 'nergwaf001' + virtualHubId: '' + // Non-required parameters + autoScaleConfigurationBoundsMax: 3 + autoScaleConfigurationBoundsMin: 2 + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + hello: 'world' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nergwaf001" + }, + "virtualHubId": { + "value": "" + }, + // Non-required parameters + "autoScaleConfigurationBoundsMax": { + "value": 3 + }, + "autoScaleConfigurationBoundsMin": { + "value": 2 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hello": "world", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..acaa3b4df8 --- /dev/null +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the virtual Hub to create.') +param virtualHubName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.0.0.0/16' + virtualWan: { + id: virtualWan.id + } + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..3c237372da --- /dev/null +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,75 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nergwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}' + virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource 
name' + hello: 'world' + } + autoScaleConfigurationBoundsMin: 2 + autoScaleConfigurationBoundsMax: 3 + virtualHubId: nestedDependencies.outputs.virtualHubResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 1cf5307503..c2a13a1d20 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -222,6 +223,152 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = {
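Review bot: The `tags` block in testDeployment uses `hello: 'world'` where every other WAF-aligned test in this patch uses `Environment: 'Non-Prod'` and `Role: 'DeploymentValidation'`, so the generated README example for this module is the odd one out; replace `hello: 'world'` with those two tags for consistency. Two smaller style points in the same hunk: the blank line that the sibling tests keep between the closing brace of nestedDependencies and the `// Test Execution //` banner is missing here, and `tags` is placed before the other params whereas the sibling tests list it last.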

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nfpwaf' + params: { + // Required parameters + name: 'nfpwaf001' + // Non-required parameters + allowSqlRedirect: true + autoLearnPrivateRanges: 'Enabled' + enableDefaultTelemetry: '' + ruleCollectionGroups: [ + { + name: 'rule-001' + priority: 5000 + ruleCollections: [ + { + action: { + type: 'Allow' + } + name: 'collection002' + priority: 5555 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationFqdns: [] + destinationIpGroups: [] + destinationPorts: [ + '80' + ] + ipProtocols: [ + 'TCP' + 'UDP' + ] + name: 'rule002' + ruleType: 'NetworkRule' + sourceAddresses: [ + '*' + ] + sourceIpGroups: [] + } + ] + } + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nfpwaf001" + }, + // Non-required parameters + "allowSqlRedirect": { + "value": true + }, + "autoLearnPrivateRanges": { + "value": "Enabled" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ruleCollectionGroups": { + "value": [ + { + "name": "rule-001", + "priority": 5000, + "ruleCollections": [ + { + "action": { + "type": "Allow" + }, + "name": "collection002", + "priority": 5555, + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "rules": [ + { + "destinationAddresses": [ + "*" + ], + "destinationFqdns": [], + "destinationIpGroups": [], + "destinationPorts": [ + "80" + ], + "ipProtocols": [ + "TCP", + "UDP" + ], + "name": "rule002", + "ruleType": "NetworkRule", + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [] + } + ] + } + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..2c496ca64e --- /dev/null +++ b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,93 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nfpwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ruleCollectionGroups: [ + { + name: '${namePrefix}-rule-001' + priority: 5000 + ruleCollections: [ + { + action: { + type: 'Allow' + } + name: 'collection002' + priority: 5555 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationFqdns: [] + destinationIpGroups: [] + destinationPorts: [ + '80' + ] + ipProtocols: [ + 'TCP' + 'UDP' + ] + name: 
'rule002' + ruleType: 'NetworkRule' + sourceAddresses: [ + '*' + ] + sourceIpGroups: [] + } + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + allowSqlRedirect: true + autoLearnPrivateRanges: 'Enabled' + } +} diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index c12d09f3bf..45170239e9 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -297,6 +298,226 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo
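Review bot: The only network rule in this WAF-aligned test allows any source to any destination (`sourceAddresses: ['*']`, `destinationAddresses: ['*']`, `destinationPorts: ['80']`, TCP and UDP), and nothing in the hunk marks it as a deliberately permissive smoke-test rule rather than a reference configuration, even though the README example is generated from it. The sibling WAF-aligned tests in this commit also set `lock` and `roleAssignments`, which this one omits. If the permissive rule is intentional, a comment above `rules:` such as `// Test-only rule: narrow sourceAddresses/destinationAddresses before reusing this as a baseline` would make that explicit; otherwise scope the addresses to the ranges the test actually exercises.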

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' + params: { + // Required parameters + name: 'nagwafpwaf001' + // Non-required parameters + customRules: { + rules: [ + { + action: 'Block' + enabledState: 'Enabled' + matchConditions: [ + { + matchValue: [ + 'CH' + ] + matchVariable: 'RemoteAddr' + negateCondition: false + operator: 'GeoMatch' + selector: '' + transforms: [] + } + { + matchValue: [ + 'windows' + ] + matchVariable: 'RequestHeader' + negateCondition: false + operator: 'Contains' + selector: 'UserAgent' + transforms: [] + } + { + matchValue: [ + '?>' + '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedRules: { + managedRuleSets: [ + { + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '1.0' + } + ] + } + policySettings: { + customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' + customBlockResponseStatusCode: 200 + mode: 'Prevention' + redirectUrl: 'http://www.bing.com' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Premium_AzureFrontDoor' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nagwafpwaf001" + }, + // Non-required parameters + "customRules": { + "value": { + "rules": [ + { + "action": "Block", + "enabledState": "Enabled", + "matchConditions": [ + { + "matchValue": [ + "CH" + ], + "matchVariable": "RemoteAddr", + "negateCondition": false, + "operator": "GeoMatch", + "selector": "", + "transforms": [] + }, + { + "matchValue": [ + "windows" + ], + "matchVariable": "RequestHeader", + "negateCondition": false, + "operator": "Contains", + "selector": "UserAgent", + "transforms": [] + }, + { + "matchValue": [ + "?>", + "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedRules": { + "value": { + "managedRuleSets": [ + { + "ruleSetType": "Microsoft_BotManagerRuleSet", + "ruleSetVersion": "1.0" + } + ] + } + }, + "policySettings": { + "value": { + "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==", + "customBlockResponseStatusCode": 200, + "mode": "Prevention", + "redirectUrl": "http://www.bing.com" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Premium_AzureFrontDoor" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..7b3d4e8fb0
--- /dev/null
+++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..f7f4e7fad3
--- /dev/null
+++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,135 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nagwafpwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + sku: 'Premium_AzureFrontDoor' + policySettings: { + mode: 'Prevention' + redirectUrl: 
'http://www.bing.com' + customBlockResponseStatusCode: 200 + customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' + } + customRules: { + rules: [ + { + name: 'CustomRule1' + priority: 2 + enabledState: 'Enabled' + action: 'Block' + ruleType: 'MatchRule' + rateLimitDurationInMinutes: 1 + rateLimitThreshold: 10 + matchConditions: [ + { + matchVariable: 'RemoteAddr' + selector: null + operator: 'GeoMatch' + negateCondition: false + transforms: [] + matchValue: [ + 'CH' + ] + } + { + matchVariable: 'RequestHeader' + selector: 'UserAgent' + operator: 'Contains' + negateCondition: false + transforms: [] + matchValue: [ + 'windows' + ] + } + { + matchVariable: 'QueryString' + operator: 'Contains' + negateCondition: false + transforms: [ + 'UrlDecode' + 'Lowercase' + ] + matchValue: [ + '' + ] + } + ] + } + ] + } + managedRules: { + managedRuleSets: [ + { + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '1.0' + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 02f47b80bd..75bd27f5d6 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -524,6 +525,284 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = {
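Review bot: `policySettings.redirectUrl` points at a plain `http://` address while the policy runs in `mode: 'Prevention'`, so a redirect action in this WAF-aligned reference would send clients to an unencrypted endpoint; an `https://` target is the safer value to show, and the same string is carried into the README examples generated from this file. In the custom rule, `rateLimitDurationInMinutes: 1` and `rateLimitThreshold: 10` sit next to `ruleType: 'MatchRule'`, where they appear to have no effect because rate limiting belongs to the `RateLimitRule` type; either drop them or change the rule type so the example exercises what it declares. `customBlockResponseStatusCode: 200` on a block action is also worth a one-line comment explaining the intent, since a 200 returned for a blocked request is easy to misread as a pass.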

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nfdwaf' + params: { + // Required parameters + backendPools: [ + { + name: 'backendPool' + properties: { + backends: [ + { + address: 'biceptest.local' + backendHostHeader: 'backendAddress' + enabledState: 'Enabled' + httpPort: 80 + httpsPort: 443 + priority: 1 + privateLinkAlias: '' + privateLinkApprovalMessage: '' + privateLinkLocation: '' + privateLinkResourceId: '' + weight: 50 + } + ] + HealthProbeSettings: { + id: '' + } + LoadBalancingSettings: { + id: '' + } + } + } + ] + frontendEndpoints: [ + { + name: 'frontEnd' + properties: { + hostName: '' + sessionAffinityEnabledState: 'Disabled' + sessionAffinityTtlSeconds: 60 + } + } + ] + healthProbeSettings: [ + { + name: 'heathProbe' + properties: { + enabledState: '' + healthProbeMethod: '' + intervalInSeconds: 60 + path: '/' + protocol: 'Https' + } + } + ] + loadBalancingSettings: [ + { + name: 'loadBalancer' + properties: { + additionalLatencyMilliseconds: 0 + sampleSize: 50 + successfulSamplesRequired: 1 + } + } + ] + name: '' + routingRules: [ + { + name: 'routingRule' + properties: { + acceptedProtocols: [ + 'Http' + 'Https' + ] + enabledState: 'Enabled' + frontendEndpoints: [ + { + id: '' + } + ] + patternsToMatch: [ + '/*' + ] + routeConfiguration: { + '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' + backendPool: { + id: '' + } + forwardingProtocol: 'MatchRequest' + } + } + } + ] + // Non-required parameters + enableDefaultTelemetry: '' + enforceCertificateNameCheck: 'Disabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sendRecvTimeoutSeconds: 10 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } 
+ } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "backendPools": { + "value": [ + { + "name": "backendPool", + "properties": { + "backends": [ + { + "address": "biceptest.local", + "backendHostHeader": "backendAddress", + "enabledState": "Enabled", + "httpPort": 80, + "httpsPort": 443, + "priority": 1, + "privateLinkAlias": "", + "privateLinkApprovalMessage": "", + "privateLinkLocation": "", + "privateLinkResourceId": "", + "weight": 50 + } + ], + "HealthProbeSettings": { + "id": "" + }, + "LoadBalancingSettings": { + "id": "" + } + } + } + ] + }, + "frontendEndpoints": { + "value": [ + { + "name": "frontEnd", + "properties": { + "hostName": "", + "sessionAffinityEnabledState": "Disabled", + "sessionAffinityTtlSeconds": 60 + } + } + ] + }, + "healthProbeSettings": { + "value": [ + { + "name": "heathProbe", + "properties": { + "enabledState": "", + "healthProbeMethod": "", + "intervalInSeconds": 60, + "path": "/", + "protocol": "Https" + } + } + ] + }, + "loadBalancingSettings": { + "value": [ + { + "name": "loadBalancer", + "properties": { + "additionalLatencyMilliseconds": 0, + "sampleSize": 50, + "successfulSamplesRequired": 1 + } + } + ] + }, + "name": { + "value": "" + }, + "routingRules": { + "value": [ + { + "name": "routingRule", + "properties": { + "acceptedProtocols": [ + "Http", + "Https" + ], + "enabledState": "Enabled", + "frontendEndpoints": [ + { + "id": "" + } + ], + "patternsToMatch": [ + "/*" + ], + "routeConfiguration": { + "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", + "backendPool": { + "id": "" + }, + "forwardingProtocol": "MatchRequest" + } + } + } + ] + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "enforceCertificateNameCheck": { + "value": "Disabled" + }, + "lock": { + "value": { + "kind": 
"CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sendRecvTimeoutSeconds": { + "value": 10 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..7767577465
--- /dev/null
+++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep
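Review bot: `Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30` here differs from the `@2023-01-31` used by the otherwise identical `dependencies.bicep` this commit adds for front-door-web-application-firewall-policy; the ip-group and load-balancer dependencies files in the same commit also pin 2018-11-30. Since these four files are the same snippet, pick one API version for all of them so a later bump is a single change rather than a hunt across test folders. The same drift shows in the test files, where `resourceGroups@2022-09-01` in the front-door WAF policy test sits beside `resourceGroups@2021-04-01` in the others.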
@@ -0,0 +1,161 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nfdwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +var resourceName = '${namePrefix}${serviceShort}001' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: resourceName + backendPools: [ + { + name: 'backendPool' + properties: { + backends: [ + { + address: 'biceptest.local' + backendHostHeader: 'backendAddress' + 
enabledState: 'Enabled' + httpPort: 80 + httpsPort: 443 + priority: 1 + privateLinkAlias: '' + privateLinkApprovalMessage: '' + privateLinkLocation: '' + privateLinkResourceId: '' + weight: 50 + } + ] + HealthProbeSettings: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/HealthProbeSettings/heathProbe' + } + LoadBalancingSettings: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/LoadBalancingSettings/loadBalancer' + } + } + } + ] + enforceCertificateNameCheck: 'Disabled' + frontendEndpoints: [ + { + name: 'frontEnd' + properties: { + hostName: '${resourceName}.${environment().suffixes.azureFrontDoorEndpointSuffix}' + sessionAffinityEnabledState: 'Disabled' + sessionAffinityTtlSeconds: 60 + } + } + ] + healthProbeSettings: [ + { + name: 'heathProbe' + properties: { + enabledState: '' + healthProbeMethod: '' + intervalInSeconds: 60 + path: '/' + protocol: 'Https' + } + } + ] + loadBalancingSettings: [ + { + name: 'loadBalancer' + properties: { + additionalLatencyMilliseconds: 0 + sampleSize: 50 + successfulSamplesRequired: 1 + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + routingRules: [ + { + name: 'routingRule' + properties: { + acceptedProtocols: [ + 'Http' + 'Https' + ] + enabledState: 'Enabled' + frontendEndpoints: [ + { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/FrontendEndpoints/frontEnd' + } + ] + patternsToMatch: [ + '/*' + ] + routeConfiguration: { + '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' + backendPool: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/BackendPools/backendPool' + } + forwardingProtocol: 'MatchRequest' + } + } + } + ] + sendRecvTimeoutSeconds: 10 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { 
+ 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index 36b3fe51fa..d9706dfeb2 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -173,6 +174,102 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = {
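Review bot: `enforceCertificateNameCheck: 'Disabled'` and `acceptedProtocols: ['Http', 'Https']` on a forwarding rule are carried into this WAF-aligned test, which readers will take as the recommended baseline because the README example is generated from it; disabling the certificate name check drops hostname validation on the origin TLS connection, and forwarding plain HTTP leaves cleartext traffic reachable. Unless the e2e run needs the relaxed values to reach `biceptest.local`, set `enforceCertificateNameCheck: 'Enabled'` and accept only `'Https'` here, or add a comment above `enforceCertificateNameCheck` stating why the test requires them. Separately, `healthProbeSettings` leaves `enabledState: ''` and `healthProbeMethod: ''` empty and names the probe `heathProbe` (typo), which is worth tidying while the file is new.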

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nigwaf' + params: { + // Required parameters + name: 'nigwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddresses: [ + '10.0.0.1' + '10.0.0.2' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nigwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddresses": { + "value": [ + "10.0.0.1", + "10.0.0.2" + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..124d1cdf86
--- /dev/null
+++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,76 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nigwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ipAddresses: [ + '10.0.0.1' + '10.0.0.2' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index b747882d68..cb030c747e 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Internal](#example-2-internal) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -609,6 +610,294 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlbwaf' + params: { + // Required parameters + frontendIPConfigurations: [ + { + name: 'publicIPConfig1' + publicIPAddressId: '' + } + ] + name: 'nlbwaf001' + // Non-required parameters + backendAddressPools: [ + { + name: 'backendAddressPool1' + } + { + name: 'backendAddressPool2' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + inboundNatRules: [ + { + backendPort: 443 + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 443 + idleTimeoutInMinutes: 4 + name: 'inboundNatRule1' + protocol: 'Tcp' + } + { + backendPort: 3389 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 3389 + name: 'inboundNatRule2' + } + ] + loadBalancingRules: [ + { + backendAddressPoolName: 'backendAddressPool1' + backendPort: 80 + disableOutboundSnat: true + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 80 + idleTimeoutInMinutes: 5 + loadDistribution: 'Default' + name: 'publicIPLBRule1' + probeName: 'probe1' + protocol: 'Tcp' + } + { + backendAddressPoolName: 'backendAddressPool2' + backendPort: 8080 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 8080 + loadDistribution: 'Default' + name: 'publicIPLBRule2' + probeName: 'probe2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + outboundRules: [ + { + allocatedOutboundPorts: 63984 + backendAddressPoolName: 'backendAddressPool1' + frontendIPConfigurationName: 'publicIPConfig1' + name: 'outboundRule1' + } + ] + probes: [ + { + intervalInSeconds: 10 + name: 'probe1' + 
numberOfProbes: 5 + port: 80 + protocol: 'Tcp' + } + { + name: 'probe2' + port: 443 + protocol: 'Https' + requestPath: '/' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "frontendIPConfigurations": { + "value": [ + { + "name": "publicIPConfig1", + "publicIPAddressId": "" + } + ] + }, + "name": { + "value": "nlbwaf001" + }, + // Non-required parameters + "backendAddressPools": { + "value": [ + { + "name": "backendAddressPool1" + }, + { + "name": "backendAddressPool2" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "inboundNatRules": { + "value": [ + { + "backendPort": 443, + "enableFloatingIP": false, + "enableTcpReset": false, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 443, + "idleTimeoutInMinutes": 4, + "name": "inboundNatRule1", + "protocol": "Tcp" + }, + { + "backendPort": 3389, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 3389, + "name": "inboundNatRule2" + } + ] + }, + "loadBalancingRules": { + "value": [ + { + "backendAddressPoolName": "backendAddressPool1", + "backendPort": 80, + "disableOutboundSnat": true, + "enableFloatingIP": false, + "enableTcpReset": false, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 80, + "idleTimeoutInMinutes": 5, + "loadDistribution": "Default", + "name": "publicIPLBRule1", + "probeName": "probe1", + "protocol": "Tcp" + }, + { + "backendAddressPoolName": "backendAddressPool2", + "backendPort": 8080, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 8080, + "loadDistribution": "Default", + "name": "publicIPLBRule2", + "probeName": "probe2" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + 
"name": "myCustomLockName" + } + }, + "outboundRules": { + "value": [ + { + "allocatedOutboundPorts": 63984, + "backendAddressPoolName": "backendAddressPool1", + "frontendIPConfigurationName": "publicIPConfig1", + "name": "outboundRule1" + } + ] + }, + "probes": { + "value": [ + { + "intervalInSeconds": 10, + "name": "probe1", + "numberOfProbes": 5, + "port": 80, + "protocol": "Tcp" + }, + { + "name": "probe2", + "port": 443, + "protocol": "Https", + "requestPath": "/" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..c54f364b82
--- /dev/null
+++ b/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,36 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Public IP to create.')
+param publicIPName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
+ name: publicIPName
+ location: location
+ sku: {
+ name: 'Standard'
+ tier: 'Regional'
+ }
+ properties: {
+ publicIPAllocationMethod: 'Static'
+ }
+ zones: [
+ '1'
+ '2'
+ '3'
+ ]
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Public IP.')
+output publicIPResourceId string = publicIP.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..f0a9319226
--- /dev/null
+++ b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,181 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nlbwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ frontendIPConfigurations: [
+ {
+ name: 'publicIPConfig1'
+ publicIPAddressId: nestedDependencies.outputs.publicIPResourceId
+ }
+ ]
+ backendAddressPools: [
+ {
+ name: 'backendAddressPool1'
+ }
+ {
+ name: 'backendAddressPool2'
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ inboundNatRules: [
+ {
+ backendPort: 443
+ enableFloatingIP: false
+ enableTcpReset: false
+ frontendIPConfigurationName: 'publicIPConfig1'
+ frontendPort: 443
+ idleTimeoutInMinutes: 4
+ name: 'inboundNatRule1'
+ protocol: 'Tcp'
+ }
+ {
+ backendPort: 3389
+ frontendIPConfigurationName: 'publicIPConfig1'
+ frontendPort: 3389
+ name: 'inboundNatRule2'
+ }
+ ]
+ loadBalancingRules: [
+ {
+ backendAddressPoolName: 'backendAddressPool1'
+ backendPort: 80
+ disableOutboundSnat: true
+ enableFloatingIP: false
+ enableTcpReset: false
+ frontendIPConfigurationName: 'publicIPConfig1'
+ frontendPort: 80
+ idleTimeoutInMinutes: 5
+ loadDistribution: 'Default'
+ name: 'publicIPLBRule1'
+ probeName: 'probe1'
+ protocol: 'Tcp'
+ }
+ {
+ backendAddressPoolName: 'backendAddressPool2'
+ backendPort: 8080
+ frontendIPConfigurationName: 
'publicIPConfig1' + frontendPort: 8080 + loadDistribution: 'Default' + name: 'publicIPLBRule2' + probeName: 'probe2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + outboundRules: [ + { + allocatedOutboundPorts: 63984 + backendAddressPoolName: 'backendAddressPool1' + frontendIPConfigurationName: 'publicIPConfig1' + name: 'outboundRule1' + } + ] + probes: [ + { + intervalInSeconds: 10 + name: 'probe1' + numberOfProbes: 5 + port: 80 + protocol: 'Tcp' + } + { + name: 'probe2' + port: 443 + protocol: 'Https' + requestPath: '/' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index cc2167d281..2b5cac74a2 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -195,6 +196,112 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0
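Review bot: The WAF-aligned load-balancer test publishes RDP (`inboundNatRule2`, frontendPort 3389) and plain HTTP (`publicIPLBRule1`, frontendPort 80) through `publicIPConfig1`, which is bound to the public IP created by `nestedDependencies`; since this test is what the README presents as the Well-Architected reference, either drop those two rules or mark them so readers do not copy them as-is, e.g. `// Test-only: the 3389 and 80 rules exercise NAT/LB rule properties and are not a recommended public exposure`. `inboundNatRule2` also omits `idleTimeoutInMinutes` and `enableTcpReset`, which `inboundNatRule1` sets explicitly, so the two entries presumably fall back on different module defaults; setting them on both keeps the example self-describing. The `@@ -28,6 +28,7 @@` README hunk on the same line only adds a table-of-contents entry and needs no change.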

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlngwaf' + params: { + // Required parameters + localAddressPrefixes: [ + '192.168.1.0/24' + ] + localGatewayPublicIpAddress: '8.8.8.8' + name: 'nlngwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + localAsn: '65123' + localBgpPeeringAddress: '192.168.1.5' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "localAddressPrefixes": { + "value": [ + "192.168.1.0/24" + ] + }, + "localGatewayPublicIpAddress": { + "value": "8.8.8.8" + }, + "name": { + "value": "nlngwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "localAsn": { + "value": "65123" + }, + "localBgpPeeringAddress": { + "value": "192.168.1.5" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e47e0f4ebc --- /dev/null +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,78 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nlngwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ localAddressPrefixes: [
+ '192.168.1.0/24'
+ ]
+ localGatewayPublicIpAddress: '8.8.8.8'
+ localAsn: '65123'
+ localBgpPeeringAddress: '192.168.1.5'
+ lock: {
+ kind: 
'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index d848af2b74..b764e57c4d 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Combine a generated and provided Public IP Prefix](#example-2-combine-a-generated-and-provided-public-ip-prefix) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using large parameter set_ @@ -312,6 +313,158 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {
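Review bot: `localGatewayPublicIpAddress: '8.8.8.8'` uses a live third-party address as the sample on-premises gateway endpoint, and the README example generated from this test repeats it; prefer an RFC 5737 documentation address, e.g. `localGatewayPublicIpAddress: '203.0.113.10'`, so a reader who copies the WAF-aligned example does not point a VPN gateway at a real host. `localAsn: '65123'` is passed as a string literal; whether the module expects a string or an int is decided in `main.bicep`, which is outside this hunk, so worth confirming against the parameter declaration there.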

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nngwaf' + params: { + // Required parameters + name: 'nngwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAddressObjects: [ + { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + name: 'nngwaf001-pip' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nngwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicIPAddressObjects": { + "value": [ + { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "name": "nngwaf001-pip", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "skuTier": "Regional", + "zones": [ + "1", + "2", + "3" + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..024f35b432 --- /dev/null +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,118 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nngwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAddressObjects: [ + { + name: '${namePrefix}${serviceShort}001-pip' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 95f9eb34e1..0efe82db56 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md 
@@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -260,6 +261,172 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nniwaf' + params: { + // Required parameters + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + subnetResourceId: '' + } + { + applicationSecurityGroups: [ + { + id: '' + } + ] + subnetResourceId: '' + } + ] + name: 'nniwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "ipConfigurations": { + "value": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "subnetResourceId": "" + }, + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "subnetResourceId": "" + } + ] + }, + "name": { + "value": "nniwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b3a10d32f6 --- /dev/null +++ b/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,113 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Application Security Group to create.')
+param applicationSecurityGroupName string
+
+@description('Required. The name of the Load Balancer Backend Address Pool to create.')
+param loadBalancerName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
+ name: applicationSecurityGroupName
+ location: location
+}
+
+resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
+ name: loadBalancerName
+ location: location
+ sku: {
+ name: 'Standard'
+ }
+
+ properties: {
+ frontendIPConfigurations: [
+ {
+ name: 'privateIPConfig1'
+ properties: {
+ subnet: {
+ id: virtualNetwork.properties.subnets[0].id
+ }
+ }
+ }
+ ]
+ }
+
+ resource backendPool 'backendAddressPools@2022-01-01' = {
+ name: 'default'
+ }
+}
+
+resource inboundNatRule 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
+ name: 'inboundNatRule1'
+ properties: {
+ frontendPort: 443
+ backendPort: 443
+ enableFloatingIP: false
+ enableTcpReset: false
+ frontendIPConfiguration: {
+ id: loadBalancer.properties.frontendIPConfigurations[0].id
+ }
+ 
idleTimeoutInMinutes: 4
+ protocol: 'Tcp'
+ }
+ parent: loadBalancer
+}
+
+resource inboundNatRule2 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = {
+ name: 'inboundNatRule2'
+ properties: {
+ frontendPort: 3389
+ backendPort: 3389
+ frontendIPConfiguration: {
+ id: loadBalancer.properties.frontendIPConfigurations[0].id
+ }
+ idleTimeoutInMinutes: 4
+ protocol: 'Tcp'
+ }
+ parent: loadBalancer
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Application Security Group.')
+output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
+
+@description('The resource ID of the created Load Balancer Backend Pool Name.')
+output loadBalancerBackendPoolResourceId string = loadBalancer::backendPool.id
diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..218c13495c
--- /dev/null
+++ b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep
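Review bot: The `@description` on `loadBalancerName` says "The name of the Load Balancer Backend Address Pool to create." although the parameter names the load balancer itself (it is consumed as `name: loadBalancerName` on the `loadBalancers` resource); suggest `@description('Required. The name of the Load Balancer to create.')`, and the final output's description should read `The resource ID of the created Load Balancer Backend Pool.` instead of "... Backend Pool Name.". The nested `backendPool` pins `backendAddressPools@2022-01-01` while its parent and both `inboundNatRules` resources use `2023-04-01`; moving the child to `2023-04-01` keeps the file on a single API version. As a matter of style, `backendPool` is declared inside the load balancer body while the two NAT rules are top-level resources with `parent: loadBalancer` — picking one form for all three child resources would read more consistently.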
@@ -0,0 +1,127 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nniwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}'
+ loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 
'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ ipConfigurations: [
+ {
+ applicationSecurityGroups: [
+ {
+ id: nestedDependencies.outputs.applicationSecurityGroupResourceId
+ }
+ ]
+ loadBalancerBackendAddressPools: [
+ {
+ id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId
+ }
+ ]
+ name: 'ipconfig01'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ }
+ {
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ applicationSecurityGroups: [
+ {
+ id: nestedDependencies.outputs.applicationSecurityGroupResourceId
+ }
+ ]
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
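Review bot: The second `ipConfigurations` entry lists `subnetResourceId` before `applicationSecurityGroups`, whereas the first entry (and the README example generated from it) puts `subnetResourceId` last; using the same key order in both entries makes the difference between the named `ipconfig01` and the unnamed one easy to scan. The second entry also carries no `name`, so it presumably relies on a default naming rule inside `main.bicep`, which is outside this hunk; if exercising that default is the intent, a one-line comment such as `// name omitted on purpose: exercises the module's default ipConfiguration name` would make the test self-explaining.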
diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 4870ad088b..896d0bd79c 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -35,6 +35,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-manager:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -486,6 +487,456 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nnmwaf' + params: { + // Required parameters + name: '' + networkManagerScopeAccesses: [ + 'Connectivity' + 'SecurityAdmin' + ] + networkManagerScopes: { + subscriptions: [ + '' + ] + } + // Non-required parameters + connectivityConfigurations: [ + { + appliesToGroups: [ + { + groupConnectivity: 'None' + isGlobal: 'False' + networkGroupId: '' + useHubGateway: 'False' + } + ] + connectivityTopology: 'HubAndSpoke' + deleteExistingPeering: 'True' + description: 'hubSpokeConnectivity description' + hubs: [ + { + resourceId: '' + resourceType: 'Microsoft.Network/virtualNetworks' + } + ] + isGlobal: 'True' + name: 'hubSpokeConnectivity' + } + { + appliesToGroups: [ + { + groupConnectivity: 'None' + isGlobal: 'False' + networkGroupId: '' + useHubGateway: 'False' + } + ] + connectivityTopology: 'Mesh' + deleteExistingPeering: 'True' + description: 'MeshConnectivity description' + isGlobal: 'True' + name: 'MeshConnectivity' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkGroups: [ + { + description: 'network-group-spokes description' + name: 'network-group-spokes' + staticMembers: [ + { + name: 'virtualNetworkSpoke1' + resourceId: '' + } + { + name: 'virtualNetworkSpoke2' + resourceId: '' + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopeConnections: [ + { + description: 'description of the scope connection' + name: 'scope-connection-test' + resourceId: '' + tenantid: '' + } + ] + securityAdminConfigurations: [ + { + applyOnNetworkIntentPolicyBasedServices: [ + 'AllowRulesOnly' + ] + description: 'description of the security admin config' + name: 'test-security-admin-config' + ruleCollections: [ + { + appliesToGroups: [ + { + networkGroupId: '' + } + ] + 
description: 'test-rule-collection-description' + name: 'test-rule-collection-1' + rules: [ + { + access: 'Allow' + description: 'test-inbound-allow-rule-1-description' + direction: 'Inbound' + name: 'test-inbound-allow-rule-1' + priority: 150 + protocol: 'Tcp' + } + { + access: 'Deny' + description: 'test-outbound-deny-rule-2-description' + direction: 'Outbound' + name: 'test-outbound-deny-rule-2' + priority: 200 + protocol: 'Tcp' + sourcePortRanges: [ + '442-445' + '80' + ] + sources: [ + { + addressPrefix: 'AppService.WestEurope' + addressPrefixType: 'ServiceTag' + } + ] + } + ] + } + { + appliesToGroups: [ + { + networkGroupId: '' + } + ] + description: 'test-rule-collection-description' + name: 'test-rule-collection-2' + rules: [ + { + access: 'Allow' + description: 'test-inbound-allow-rule-3-description' + destinationPortRanges: [ + '442-445' + '80' + ] + destinations: [ + { + addressPrefix: '192.168.20.20' + addressPrefixType: 'IPPrefix' + } + ] + direction: 'Inbound' + name: 'test-inbound-allow-rule-3' + priority: 250 + protocol: 'Tcp' + } + { + access: 'Allow' + description: 'test-inbound-allow-rule-4-description' + destinations: [ + { + addressPrefix: '172.16.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '172.16.1.0/24' + addressPrefixType: 'IPPrefix' + } + ] + direction: 'Inbound' + name: 'test-inbound-allow-rule-4' + priority: 260 + protocol: 'Tcp' + sources: [ + { + addressPrefix: '10.0.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '100.100.100.100' + addressPrefixType: 'IPPrefix' + } + ] + } + ] + } + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "networkManagerScopeAccesses": { + "value": [ + "Connectivity", + "SecurityAdmin" + ] + }, + "networkManagerScopes": { + "value": { + "subscriptions": [ + "" + ] + } + }, + // Non-required parameters + "connectivityConfigurations": { + "value": [ + { + "appliesToGroups": [ + { + "groupConnectivity": "None", + "isGlobal": "False", + "networkGroupId": "", + "useHubGateway": "False" + } + ], + "connectivityTopology": "HubAndSpoke", + "deleteExistingPeering": "True", + "description": "hubSpokeConnectivity description", + "hubs": [ + { + "resourceId": "", + "resourceType": "Microsoft.Network/virtualNetworks" + } + ], + "isGlobal": "True", + "name": "hubSpokeConnectivity" + }, + { + "appliesToGroups": [ + { + "groupConnectivity": "None", + "isGlobal": "False", + "networkGroupId": "", + "useHubGateway": "False" + } + ], + "connectivityTopology": "Mesh", + "deleteExistingPeering": "True", + "description": "MeshConnectivity description", + "isGlobal": "True", + "name": "MeshConnectivity" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkGroups": { + "value": [ + { + "description": "network-group-spokes description", + "name": "network-group-spokes", + "staticMembers": [ + { + "name": "virtualNetworkSpoke1", + "resourceId": "" + }, + { + "name": "virtualNetworkSpoke2", + "resourceId": "" + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopeConnections": { + "value": [ + { + "description": "description of the scope connection", + "name": "scope-connection-test", + "resourceId": "", + "tenantid": "" + } 
+ ] + }, + "securityAdminConfigurations": { + "value": [ + { + "applyOnNetworkIntentPolicyBasedServices": [ + "AllowRulesOnly" + ], + "description": "description of the security admin config", + "name": "test-security-admin-config", + "ruleCollections": [ + { + "appliesToGroups": [ + { + "networkGroupId": "" + } + ], + "description": "test-rule-collection-description", + "name": "test-rule-collection-1", + "rules": [ + { + "access": "Allow", + "description": "test-inbound-allow-rule-1-description", + "direction": "Inbound", + "name": "test-inbound-allow-rule-1", + "priority": 150, + "protocol": "Tcp" + }, + { + "access": "Deny", + "description": "test-outbound-deny-rule-2-description", + "direction": "Outbound", + "name": "test-outbound-deny-rule-2", + "priority": 200, + "protocol": "Tcp", + "sourcePortRanges": [ + "442-445", + "80" + ], + "sources": [ + { + "addressPrefix": "AppService.WestEurope", + "addressPrefixType": "ServiceTag" + } + ] + } + ] + }, + { + "appliesToGroups": [ + { + "networkGroupId": "" + } + ], + "description": "test-rule-collection-description", + "name": "test-rule-collection-2", + "rules": [ + { + "access": "Allow", + "description": "test-inbound-allow-rule-3-description", + "destinationPortRanges": [ + "442-445", + "80" + ], + "destinations": [ + { + "addressPrefix": "192.168.20.20", + "addressPrefixType": "IPPrefix" + } + ], + "direction": "Inbound", + "name": "test-inbound-allow-rule-3", + "priority": 250, + "protocol": "Tcp" + }, + { + "access": "Allow", + "description": "test-inbound-allow-rule-4-description", + "destinations": [ + { + "addressPrefix": "172.16.0.0/24", + "addressPrefixType": "IPPrefix" + }, + { + "addressPrefix": "172.16.1.0/24", + "addressPrefixType": "IPPrefix" + } + ], + "direction": "Inbound", + "name": "test-inbound-allow-rule-4", + "priority": 260, + "protocol": "Tcp", + "sources": [ + { + "addressPrefix": "10.0.0.0/24", + "addressPrefixType": "IPPrefix" + }, + { + "addressPrefix": "100.100.100.100", + 
"addressPrefixType": "IPPrefix" + } + ] + } + ] + } + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..501a5a13c0 --- /dev/null +++ b/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,96 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Hub Virtual Network to create.')
+param virtualNetworkHubName string
+
+@description('Required. The name of the Spoke 1 Virtual Network to create.')
+param virtualNetworkSpoke1Name string
+
+@description('Required. The name of the Spoke 2 Virtual Network to create.')
+param virtualNetworkSpoke2Name string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: managedIdentityName
+ location: location
+}
+
+var addressPrefixHub = '10.0.0.0/16'
+var addressPrefixSpoke1 = '172.16.0.0/12'
+var addressPrefixSpoke2 = '192.168.0.0/16'
+var subnetName = 'defaultSubnet'
+
+resource virtualNetworkHub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkHubName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefixHub
+ ]
+ }
+ subnets: [
+ {
+ name: subnetName
+ properties: {
+ addressPrefix: addressPrefixHub
+ }
+ }
+ ]
+ }
+}
+
+resource virtualNetworkSpoke1 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkSpoke1Name
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefixSpoke1
+ ]
+ }
+ subnets: [
+ {
+ name: subnetName
+ properties: {
+ addressPrefix: addressPrefixSpoke1
+ }
+ }
+ ]
+ }
+}
+
+resource virtualNetworkSpoke2 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkSpoke2Name
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefixSpoke2
+ ]
+ }
+ subnets: [
+ {
+ name: subnetName
+ properties: {
+ addressPrefix: addressPrefixSpoke2
+ }
+ }
+ ]
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Hub Virtual Network.')
+output virtualNetworkHubId string = virtualNetworkHub.id
+
+@description('The resource ID of the created Spoke 1 Virtual Network.')
+output virtualNetworkSpoke1Id string = virtualNetworkSpoke1.id
+
+@description('The resource ID of the created Spoke 2 Virtual Network.')
+output virtualNetworkSpoke2Id string = virtualNetworkSpoke2.id
diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0b70f2b7b8
--- /dev/null
+++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,255 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnmwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkHubName: 'dep-${namePrefix}-vnetHub-${serviceShort}' + virtualNetworkSpoke1Name: 'dep-${namePrefix}-vnetSpoke1-${serviceShort}' + virtualNetworkSpoke2Name: 'dep-${namePrefix}-vnetSpoke2-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var networkManagerName = '${namePrefix}${serviceShort}001' +var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' + 
+module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: networkManagerName + enableDefaultTelemetry: enableDefaultTelemetry + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + networkManagerScopeAccesses: [ + 'Connectivity' + 'SecurityAdmin' + ] + networkManagerScopes: { + subscriptions: [ + subscription().id + ] + } + networkGroups: [ + { + name: 'network-group-spokes' + description: 'network-group-spokes description' + staticMembers: [ + { + name: 'virtualNetworkSpoke1' + resourceId: nestedDependencies.outputs.virtualNetworkSpoke1Id + } + { + name: 'virtualNetworkSpoke2' + resourceId: nestedDependencies.outputs.virtualNetworkSpoke2Id + } + ] + } + ] + connectivityConfigurations: [ + { + name: 'hubSpokeConnectivity' + description: 'hubSpokeConnectivity description' + connectivityTopology: 'HubAndSpoke' + hubs: [ + { + resourceId: nestedDependencies.outputs.virtualNetworkHubId + resourceType: 'Microsoft.Network/virtualNetworks' + } + ] + deleteExistingPeering: 'True' + isGlobal: 'True' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + useHubGateway: 'False' + groupConnectivity: 'None' + isGlobal: 'False' + } + ] + } + { + name: 'MeshConnectivity' + description: 'MeshConnectivity description' + connectivityTopology: 'Mesh' + deleteExistingPeering: 'True' + isGlobal: 'True' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + useHubGateway: 'False' + groupConnectivity: 'None' + isGlobal: 'False' + } + ] + } + ] + scopeConnections: [ + { + name: 'scope-connection-test' + description: 'description of the scope connection' + resourceId: 
subscription().id + tenantid: tenant().tenantId + } + ] + securityAdminConfigurations: [ + { + name: 'test-security-admin-config' + description: 'description of the security admin config' + applyOnNetworkIntentPolicyBasedServices: [ + 'AllowRulesOnly' + ] + ruleCollections: [ + { + name: 'test-rule-collection-1' + description: 'test-rule-collection-description' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + } + ] + rules: [ + { + name: 'test-inbound-allow-rule-1' + description: 'test-inbound-allow-rule-1-description' + access: 'Allow' + direction: 'Inbound' + priority: 150 + protocol: 'Tcp' + } + { + name: 'test-outbound-deny-rule-2' + description: 'test-outbound-deny-rule-2-description' + access: 'Deny' + direction: 'Outbound' + priority: 200 + protocol: 'Tcp' + sourcePortRanges: [ + '80' + '442-445' + ] + sources: [ + { + addressPrefix: 'AppService.WestEurope' + addressPrefixType: 'ServiceTag' + } + ] + } + ] + } + { + name: 'test-rule-collection-2' + description: 'test-rule-collection-description' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + } + ] + rules: [ + { + name: 'test-inbound-allow-rule-3' + description: 'test-inbound-allow-rule-3-description' + access: 'Allow' + direction: 'Inbound' + destinationPortRanges: [ + '80' + '442-445' + ] + destinations: [ + { + addressPrefix: '192.168.20.20' + addressPrefixType: 'IPPrefix' + } + ] + priority: 250 + protocol: 'Tcp' + } + { + name: 'test-inbound-allow-rule-4' + description: 'test-inbound-allow-rule-4-description' + access: 'Allow' + direction: 'Inbound' + sources: [ + { + addressPrefix: '10.0.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '100.100.100.100' + addressPrefixType: 'IPPrefix' + } + ] + destinations: [ + { + addressPrefix: '172.16.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '172.16.1.0/24' + addressPrefixType: 
'IPPrefix' + } + ] + priority: 260 + protocol: 'Tcp' + } + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index f5802ad688..416644df15 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -315,6 +316,242 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0
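Review bot: `test-inbound-allow-rule-1` in `securityAdminConfigurations` is an Inbound `Allow` rule at priority 150 with no `sources`, `destinations`, `sourcePortRanges` or `destinationPortRanges`, so it appears to match all inbound TCP traffic for `network-group-spokes`; with lowest-number-wins evaluation it would shadow the narrower inbound rules at priorities 250 and 260 in `test-rule-collection-2`. For a test labelled WAF-aligned, scoping it with `destinations`/`destinationPortRanges` the way `test-inbound-allow-rule-3` does, or dropping it, would make the admin-rule baseline meaningful; the generated README example earlier in this commit repeats the same rule and would be regenerated from this file. Separately, `networkManagerExpecetedResourceID` misspells "Expected" and is referenced in every `networkGroupId`; `networkManagerExpectedResourceId` would read better and match the camelCase of `networkManagerName`.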

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nnsgwaf' + params: { + // Required parameters + name: 'nnsgwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityRules: [ + { + name: 'Specific' + properties: { + access: 'Allow' + description: 'Tests specific IPs and ports' + destinationAddressPrefix: '*' + destinationPortRange: '8080' + direction: 'Inbound' + priority: 100 + protocol: '*' + sourceAddressPrefix: '*' + sourcePortRange: '*' + } + } + { + name: 'Ranges' + properties: { + access: 'Allow' + description: 'Tests Ranges' + destinationAddressPrefixes: [ + '10.2.0.0/16' + '10.3.0.0/16' + ] + destinationPortRanges: [ + '90' + '91' + ] + direction: 'Inbound' + priority: 101 + protocol: '*' + sourceAddressPrefixes: [ + '10.0.0.0/16' + '10.1.0.0/16' + ] + sourcePortRanges: [ + '80' + '81' + ] + } + } + { + name: 'Port_8082' + properties: { + access: 'Allow' + description: 'Allow inbound access on TCP 8082' + destinationApplicationSecurityGroups: [ + { + id: '' + } + ] + destinationPortRange: '8082' + direction: 'Inbound' + priority: 102 + protocol: '*' + sourceApplicationSecurityGroups: [ + { + id: '' + } + ] + sourcePortRange: '*' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nnsgwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityRules": { + "value": [ + { + "name": "Specific", + "properties": { + "access": "Allow", + "description": "Tests specific IPs and ports", + "destinationAddressPrefix": "*", + "destinationPortRange": "8080", + "direction": "Inbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "*", + "sourcePortRange": "*" + } + }, + { + "name": "Ranges", + "properties": { + "access": "Allow", + "description": "Tests Ranges", + "destinationAddressPrefixes": [ + "10.2.0.0/16", + "10.3.0.0/16" + ], + "destinationPortRanges": [ + "90", + "91" + ], + "direction": "Inbound", + "priority": 101, + "protocol": "*", + "sourceAddressPrefixes": [ + "10.0.0.0/16", + "10.1.0.0/16" + ], + "sourcePortRanges": [ + "80", + "81" + ] + } + }, + { + "name": "Port_8082", + "properties": { + "access": "Allow", + "description": "Allow inbound access on TCP 8082", + "destinationApplicationSecurityGroups": [ + { + "id": "" + } + ], + "destinationPortRange": "8082", + "direction": "Inbound", + "priority": 102, + "protocol": "*", + "sourceApplicationSecurityGroups": [ + { + "id": "" + } + ], + "sourcePortRange": "*" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is 
visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..951c71af97
--- /dev/null
+++ b/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,24 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Application Security Group to create.')
+param applicationSecurityGroupName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
+ name: applicationSecurityGroupName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Application Security Group.')
+output applicationSecurityGroupResourceId string = applicationSecurityGroup.id
diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..7c9ac93549
--- /dev/null
+++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
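Review bot: `managedIdentity` is declared as `Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30`, while the `dependencies.bicep` added for network-manager earlier in this same commit declares the identical resource as `@2023-01-31`; the network-watcher `dependencies.bicep` later in the commit also uses `2018-11-30`. Pinning the three new e2e fixture files to one API version for the same resource type keeps them consistent and saves the next maintainer from wondering whether the older version was chosen deliberately.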
@@ -0,0 +1,160 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnsgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + securityRules: [ + { + name: 'Specific' + properties: { + access: 'Allow' + description: 'Tests specific IPs and ports' + destinationAddressPrefix: '*' + destinationPortRange: '8080' + direction: 'Inbound' + priority: 100 + protocol: '*' + sourceAddressPrefix: '*' + sourcePortRange: '*' + } + } + { + name: 'Ranges' + properties: { + access: 'Allow' + description: 'Tests Ranges' + destinationAddressPrefixes: [ + '10.2.0.0/16' + '10.3.0.0/16' + ] + destinationPortRanges: [ + '90' + '91' + ] + direction: 'Inbound' + priority: 101 + protocol: '*' + sourceAddressPrefixes: [ + '10.0.0.0/16' + '10.1.0.0/16' + ] + sourcePortRanges: [ + '80' + '81' + ] + } + } + { + name: 'Port_8082' + properties: { + access: 'Allow' + description: 'Allow inbound access on TCP 8082' + destinationApplicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + 
destinationPortRange: '8082' + direction: 'Inbound' + priority: 102 + protocol: '*' + sourceApplicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + sourcePortRange: '*' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index ede8d1e3a8..a9c59a060f 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -293,6 +294,224 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {
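Review bot: The `Port_8082` security rule is described as `'Allow inbound access on TCP 8082'` but sets `protocol: '*'`, so it matches any protocol rather than only TCP; `protocol: 'Tcp'` would make the rule do what its description says. The `Specific` rule has the same mismatch in the other direction: it is described as `'Tests specific IPs and ports'` yet uses `sourceAddressPrefix: '*'` and `destinationAddressPrefix: '*'`, i.e. an any-to-any inbound allow on port 8080, which is the pattern a WAF-aligned example would be expected to narrow to a prefix, service tag or application security group. Both rules are reproduced verbatim in the README example added earlier in this commit, so fixing this test file and regenerating the README covers both places.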

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { + name: '${uniqueString(deployment().name, testLocation)}-test-nnwwaf' + params: { + connectionMonitors: [ + { + endpoints: [ + { + name: '' + resourceId: '' + type: 'AzureVM' + } + { + address: 'www.bing.com' + name: 'Bing' + type: 'ExternalAddress' + } + ] + name: 'nnwwaf-cm-001' + testConfigurations: [ + { + httpConfiguration: { + method: 'Get' + port: 80 + preferHTTPS: false + requestHeaders: [] + validStatusCodeRanges: [ + '200' + ] + } + name: 'HTTP Bing Test' + protocol: 'Http' + successThreshold: { + checksFailedPercent: 5 + roundTripTimeMs: 100 + } + testFrequencySec: 30 + } + ] + testGroups: [ + { + destinations: [ + 'Bing' + ] + disable: false + name: 'test-http-Bing' + sources: [ + 'subnet-001(${resourceGroup.name})' + ] + testConfigurations: [ + 'HTTP Bing Test' + ] + } + ] + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + flowLogs: [ + { + enabled: false + storageId: '' + targetResourceId: '' + } + { + formatVersion: 1 + name: 'nnwwaf-fl-001' + retentionInDays: 8 + storageId: '' + targetResourceId: '' + trafficAnalyticsInterval: 10 + workspaceResourceId: '' + } + ] + location: '' + name: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "connectionMonitors": { + "value": [ + { + "endpoints": [ + { + "name": "", + "resourceId": "", + "type": "AzureVM" + }, + { + "address": "www.bing.com", + "name": "Bing", + "type": "ExternalAddress" + } + ], + "name": "nnwwaf-cm-001", + "testConfigurations": [ + { + "httpConfiguration": { + "method": "Get", + "port": 80, + "preferHTTPS": false, + "requestHeaders": [], + "validStatusCodeRanges": [ + "200" + ] + }, + "name": "HTTP Bing Test", + "protocol": "Http", + "successThreshold": { + "checksFailedPercent": 5, + "roundTripTimeMs": 100 + }, + "testFrequencySec": 30 + } + ], + "testGroups": [ + { + "destinations": [ + "Bing" + ], + "disable": false, + "name": "test-http-Bing", + "sources": [ + "subnet-001(${resourceGroup.name})" + ], + "testConfigurations": [ + "HTTP Bing Test" + ] + } + ], + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "flowLogs": { + "value": [ + { + "enabled": false, + "storageId": "", + "targetResourceId": "" + }, + { + "formatVersion": 1, + "name": "nnwwaf-fl-001", + "retentionInDays": 8, + "storageId": "", + "targetResourceId": "", + "trafficAnalyticsInterval": 10, + "workspaceResourceId": "" + } + ] + }, + "location": { + "value": "" + }, + "name": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..c20f841f30
--- /dev/null
+++ b/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,144 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the first Network Security Group to create.')
+param firstNetworkSecurityGroupName string
+
+@description('Required. The name of the second Network Security Group to create.')
+param secondNetworkSecurityGroupName string
+
+@description('Required. The name of the Virtual Machine to create.')
+param virtualMachineName string
+
+@description('Optional. The password to leverage for the VM login.')
+@secure()
+param password string = newGuid()
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource firstNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
+ name: firstNetworkSecurityGroupName
+ location: location
+}
+
+resource secondNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
+ name: secondNetworkSecurityGroupName
+ location: location
+}
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = {
+ name: '${virtualMachineName}-nic'
+ location: location
+ properties: {
+ ipConfigurations: [
+ {
+ name: 'ipconfig01'
+ properties: {
+ subnet: {
+ id: virtualNetwork.properties.subnets[0].id
+ }
+ }
+ }
+ ]
+ }
+}
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-08-01' = {
+ name: virtualMachineName
+ location: location
+ properties: {
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: networkInterface.id
+ properties: {
+ deleteOption: 'Delete'
+ primary: true
+ }
+ }
+ ]
+ }
+ storageProfile: {
+ imageReference: {
+ publisher: 'Canonical'
+ offer: '0001-com-ubuntu-server-jammy'
+ sku: '22_04-lts-gen2'
+ version: 'latest'
+ }
+ osDisk: {
+ deleteOption: 'Delete'
+ createOption: 'FromImage'
+ }
+ }
+ hardwareProfile: {
+ vmSize: 'Standard_B1ms'
+ }
+ osProfile: {
+ adminUsername: '${virtualMachineName}cake'
+ adminPassword: password
+ computerName: virtualMachineName
+ linuxConfiguration: {
+ disablePasswordAuthentication: false
+ }
+ }
+ }
+}
+
+resource extension 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = {
+ name: 'NetworkWatcherAgent'
+ parent: virtualMachine
+ location: location
+ properties: {
+ publisher: 'Microsoft.Azure.NetworkWatcher'
+ type: 'NetworkWatcherAgentLinux'
+ typeHandlerVersion: '1.4'
+ autoUpgradeMinorVersion: true
+ enableAutomaticUpgrade: false
+ settings: {}
+ protectedSettings: {}
+ suppressFailures: false
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Virtual Machine.')
+output virtualMachineResourceId string = virtualMachine.id
+
+@description('The resource ID of the first created Network Security Group.')
+output firstNetworkSecurityGroupResourceId string = firstNetworkSecurityGroup.id
+
+@description('The resource ID of the second created Network Security Group.')
+output secondNetworkSecurityGroupResourceId string = secondNetworkSecurityGroup.id
diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..730c05be9e
--- /dev/null
+++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,158 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default NetworkWatcher resource group. Do not change.
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nnwwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ firstNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-1-${serviceShort}'
+ secondNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-2-${serviceShort}'
+ virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ location: location
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+#disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one
+var testLocation = 'westeurope'
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: 'NetworkWatcher_${testLocation}'
+ location: testLocation
+ connectionMonitors: [
+ {
+ name: '${namePrefix}-${serviceShort}-cm-001'
+ endpoints: [
+ {
+ name: '${namePrefix}-subnet-001(${resourceGroup.name})'
+ resourceId: nestedDependencies.outputs.virtualMachineResourceId
+ type: 'AzureVM'
+ }
+ {
+ address: 'www.bing.com'
+ name: 'Bing'
+ type: 'ExternalAddress'
+ }
+ ]
+ testConfigurations: [
+ {
+ httpConfiguration: {
+ method: 'Get'
+ port: 80
+ preferHTTPS: false
+ requestHeaders: []
+ validStatusCodeRanges: [
+ '200'
+ ]
+ }
+ name: 'HTTP Bing Test'
+ protocol: 'Http'
+ successThreshold: {
+ checksFailedPercent: 5
+ roundTripTimeMs: 100
+ }
+ testFrequencySec: 30
+ }
+ ]
+ testGroups: [
+ {
+ destinations: [
+ 'Bing'
+ ]
+ disable: false
+ name: 'test-http-Bing'
+ sources: [
+ '${namePrefix}-subnet-001(${resourceGroup.name})'
+ ]
+ testConfigurations: [
+ 'HTTP Bing Test'
+ ]
+ }
+ ]
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ flowLogs: [
+ {
+ enabled: false
+ storageId: diagnosticDependencies.outputs.storageAccountResourceId
+ targetResourceId: nestedDependencies.outputs.firstNetworkSecurityGroupResourceId
+ }
+ {
+ formatVersion: 1
+ name: '${namePrefix}-${serviceShort}-fl-001'
+ retentionInDays: 8
+ storageId: diagnosticDependencies.outputs.storageAccountResourceId
+ targetResourceId: nestedDependencies.outputs.secondNetworkSecurityGroupResourceId
+ trafficAnalyticsInterval: 10
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md
index ceb0935638..714eea7f96
--- a/modules/network/private-dns-zone/README.md
+++ b/modules/network/private-dns-zone/README.md
@@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -494,6 +495,412 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = {
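Review bot: In `resource virtualMachine` the `linuxConfiguration` block sets `disablePasswordAuthentication: false` and `adminPassword: password`, although nothing in this file or in the accompanying main.test.bicep logs in to the VM — it exists only as a connection-monitor endpoint hosting the `NetworkWatcherAgentLinux` extension. The NIC carries no public IP, so exposure is limited, but a dependency for a WAF-aligned test would normally supply an SSH key and set `disablePasswordAuthentication: true`, or at least carry a comment such as `// NOTE(review): password login left enabled; VM has no public IP and is only a monitor endpoint — confirm whether key-based auth is preferred`. Separately, `firstNetworkSecurityGroup` and `secondNetworkSecurityGroup` are never associated with the subnet or the NIC, so the flow logs main.test.bicep attaches to them will observe no traffic; if that is intentional for a provisioning-only test, a one-line comment above the two resources would save the next reader the question.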
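Review bot: The first `flowLogs` entry sets `enabled: false` and omits `retentionInDays`, `trafficAnalyticsInterval` and `workspaceResourceId`, which sits oddly in a test whose `metadata description` promises WAF alignment; if it is there to exercise the disabled path, say so with `// Intentionally disabled to cover the enabled: false path; the WAF-aligned flow log is the second entry`. The connection monitor's `httpConfiguration` probes `www.bing.com` on `port: 80` with `preferHTTPS: false`; that is adequate for a reachability check, but a WAF-aligned example is what readers copy from, so either probe over HTTPS or add a comment explaining why plain HTTP is used here.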

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npdzwaf' + params: { + // Required parameters + name: 'npdzwaf001.com' + // Non-required parameters + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soaRecord: { + email: 'azureprivatedns-host.microsoft.com' + expireTime: 2419200 + host: 'azureprivatedns.net' + minimumTtl: 10 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + 
principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + virtualNetworkLinks: [ + { + registrationEnabled: true + virtualNetworkResourceId: '' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npdzwaf001.com" + }, + // Non-required parameters + "a": { + "value": [ + { + "aRecords": [ + { + "ipv4Address": "10.240.4.4" + } + ], + "name": "A_10.240.4.4", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "aaaa": { + "value": [ + { + "aaaaRecords": [ + { + "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + ], + "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", + "ttl": 3600 + } + ] + }, + "cname": { + "value": [ + { + "cnameRecord": { + "cname": "test" + }, + "name": "CNAME_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "mx": { + "value": [ + { + "mxRecords": [ + { + "exchange": "contoso.com", + "preference": 100 + } + ], + "name": "MX_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "ptr": { + "value": [ + { + "name": "PTR_contoso", + "ptrRecords": [ + { + "ptrdname": "contoso.com" + } + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "soa": { + "value": [ + { + "name": "@", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", 
+ "roleDefinitionIdOrName": "Reader" + } + ], + "soaRecord": { + "email": "azureprivatedns-host.microsoft.com", + "expireTime": 2419200, + "host": "azureprivatedns.net", + "minimumTtl": 10, + "refreshTime": 3600, + "retryTime": 300, + "serialNumber": "1" + }, + "ttl": 3600 + } + ] + }, + "srv": { + "value": [ + { + "name": "SRV_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "srvRecords": [ + { + "port": 9332, + "priority": 0, + "target": "test.contoso.com", + "weight": 0 + } + ], + "ttl": 3600 + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "txt": { + "value": [ + { + "name": "TXT_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600, + "txtRecords": [ + { + "value": [ + "test" + ] + } + ] + } + ] + }, + "virtualNetworkLinks": { + "value": [ + { + "registrationEnabled": true, + "virtualNetworkResourceId": "" + } + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..f4ff1fbf54
--- /dev/null
+++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,41 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkResourceId string = virtualNetwork.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..116e5bb75b
--- /dev/null
+++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,224 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'npdzwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001.com'
+ a: [
+ {
+ aRecords: [
+ {
+ ipv4Address: '10.240.4.4'
+ }
+ ]
+ name: 'A_10.240.4.4'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ ttl: 3600
+ }
+ ]
+ aaaa: [
+ {
+ aaaaRecords: [
+ {
+ ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
+ }
+ ]
+ name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334'
+ ttl: 3600
+ }
+ ]
+ cname: [
+ {
+ cnameRecord: {
+ cname: 'test'
+ }
+ name: 'CNAME_test'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ ttl: 3600
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ mx: [
+ {
+ mxRecords: [
+ {
+ exchange: 'contoso.com'
+ preference: 100
+ }
+ ]
+ name: 'MX_contoso'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ ttl: 3600
+ }
+ ]
+ ptr: [
+ {
+ name: 'PTR_contoso'
+ ptrRecords: [
+ {
+ ptrdname: 'contoso.com'
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ ttl: 3600
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ soa: [
+ {
+ name: '@'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ soaRecord: {
+ email: 'azureprivatedns-host.microsoft.com'
+ expireTime: 2419200
+ host: 'azureprivatedns.net'
+ minimumTtl: 10
+ refreshTime: 3600
+ retryTime: 300
+ serialNumber: '1'
+ }
+ ttl: 3600
+ }
+ ]
+ srv: [
+ {
+ name: 'SRV_contoso'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ srvRecords: [
+ {
+ port: 9332
+ priority: 0
+ target: 'test.contoso.com'
+ weight: 0
+ }
+ ]
+ ttl: 3600
+ }
+ ]
+ txt: [
+ {
+ name: 'TXT_test'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ ttl: 3600
+ txtRecords: [
+ {
+ value: [
+ 'test'
+ ]
+ }
+ ]
+ }
+ ]
+ virtualNetworkLinks: [
+ {
+ registrationEnabled: true
+ virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md
index e23c6bb6b9..866ff9fecc
--- a/modules/network/private-endpoint/README.md
+++ b/modules/network/private-endpoint/README.md
@@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -258,6 +259,168 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {
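Review bot: The same three-line `roleAssignments` object — `roleDefinitionIdOrName: 'Reader'`, `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`, `principalType: 'ServicePrincipal'` — is repeated eight times inside `module testDeployment` (the zone itself plus the a, cname, mx, ptr, soa, srv and txt record sets). Hoisting it into a single `var readerRoleAssignments = [ ... ]` declared before the module and referencing it as `roleAssignments: readerRoleAssignments` at each site keeps the eight copies from drifting when the principal or role changes and makes it obvious that the test grants exactly one role to one identity. This is a style point only; the deployed result is unchanged.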

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npewaf' + params: { + // Required parameters + groupIds: [ + 'vault' + ] + name: 'npewaf001' + serviceResourceId: '' + subnetResourceId: '' + // Non-required parameters + applicationSecurityGroupResourceIds: [ + '' + ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] + customNetworkInterfaceName: 'npewaf001nic' + enableDefaultTelemetry: '' + ipConfigurations: [ + { + name: 'myIPconfig' + properties: { + groupId: 'vault' + memberName: 'default' + privateIPAddress: '10.0.0.10' + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateDnsZoneResourceIds: [ + '' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupIds": { + "value": [ + "vault" + ] + }, + "name": { + "value": "npewaf001" + }, + "serviceResourceId": { + "value": "" + }, + "subnetResourceId": { + "value": "" + }, + // Non-required parameters + "applicationSecurityGroupResourceIds": { + "value": [ + "" + ] + }, + "customDnsConfigs": { + "value": [ + { + "fqdn": "abc.keyvault.com", + "ipAddresses": [ + "10.0.0.10" + ] + } + ] + }, + "customNetworkInterfaceName": { + "value": "npewaf001nic" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ipConfigurations": { + "value": [ + { + "name": "myIPconfig", + "properties": { + "groupId": "vault", + "memberName": "default", + "privateIPAddress": "10.0.0.10" + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateDnsZoneResourceIds": { + "value": [ + "" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a4bc9dabca --- /dev/null +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,95 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Security Group to create.') +param applicationSecurityGroupName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { + name: applicationSecurityGroupName + location: location +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.vaultcore.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + 
+@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Application Security Group.') +output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..4e7c2b4c1f --- /dev/null +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep 
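Review bot: `resource keyVault` enables `enabledForTemplateDeployment`, `enabledForDiskEncryption` and `enabledForDeployment`, yet the test only consumes the vault as `serviceResourceId` for the private endpoint; these flags let Resource Manager deployments, Azure Disk Encryption and VMs retrieve secrets and certificates from the vault, none of which the test exercises, so the least-privilege shape for a WAF-aligned dependency is to drop the three lines. `enablePurgeProtection: null` also diverges from the Well-Architected baseline the test is named after; if it is left off so the vault can be purged at teardown, a comment like `// Purge protection intentionally off so the test vault can be purged during cleanup — confirm` records the trade-off. `enableRbacAuthorization: true` paired with `accessPolicies: []` is the right choice and needs no change.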
@@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npewaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: 
'${namePrefix}${serviceShort}001' + groupIds: [ + 'vault' + ] + serviceResourceId: nestedDependencies.outputs.keyVaultResourceId + subnetResourceId: nestedDependencies.outputs.subnetResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ipConfigurations: [ + { + name: 'myIPconfig' + properties: { + groupId: 'vault' + memberName: 'default' + privateIPAddress: '10.0.0.10' + } + } + ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] + customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic' + applicationSecurityGroupResourceIds: [ + nestedDependencies.outputs.applicationSecurityGroupResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 45f9b300e1..a2ba040a35 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -274,6 +275,168 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0'
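Review bot: The static address `'10.0.0.10'` is written twice in the `testDeployment` params, once as `privateIPAddress` under `ipConfigurations` and once under `customDnsConfigs.ipAddresses`, with nothing tying them together; a `var privateEndpointIp = '10.0.0.10'` referenced in both places would keep them from drifting, and a comment noting that the address must fall inside the `10.0.0.0/16` subnet created by `dependencies.bicep` would explain where it comes from. The `customDnsConfigs` entry maps the placeholder `abc.keyvault.com` to that address even though the test already passes the real `privatelink.vaultcore.azure.net` zone via `privateDnsZoneResourceIds`; a comment saying the entry only exercises the parameter would stop readers copying a fake FQDN out of the WAF-aligned README example. The resource group is created with `resourceGroups@2021-04-01` here and in the public-ip-address, public-ip-prefix and route-table tests from this commit, whereas the private-link-service test uses `2022-09-01`.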

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nplswaf' + params: { + // Required parameters + name: 'nplswaf001' + // Non-required parameters + autoApproval: { + subscriptions: [ + '*' + ] + } + enableDefaultTelemetry: '' + enableProxyProtocol: true + fqdns: [ + 'nplswaf.plsfqdn01.azure.privatelinkservice' + 'nplswaf.plsfqdn02.azure.privatelinkservice' + ] + ipConfigurations: [ + { + name: 'nplswaf01' + properties: { + primary: true + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: '' + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: '' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + visibility: { + subscriptions: [ + '' + ] + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nplswaf001" + }, + // Non-required parameters + "autoApproval": { + "value": { + "subscriptions": [ + "*" + ] + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableProxyProtocol": { + "value": true + }, + "fqdns": { + "value": [ + "nplswaf.plsfqdn01.azure.privatelinkservice", + "nplswaf.plsfqdn02.azure.privatelinkservice" + ] + }, + "ipConfigurations": { + "value": [ + { + "name": "nplswaf01", + "properties": { + "primary": true, + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "" + } + } + } + ] + }, + "loadBalancerFrontendIpConfigurations": { + "value": [ + { + "id": "" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "visibility": { + "value": { + "subscriptions": [ + "" + ] + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..1031dd4830 --- /dev/null +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,68 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Load Balancer to create.') +param loadBalancerName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + privateLinkServiceNetworkPolicies: 'Disabled' + } + } + ] + } +} + +resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { + name: loadBalancerName + location: location + sku: { + name: 'Standard' + } + properties: { + frontendIPConfigurations: [ + { + name: 'frontendIPConfiguration' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Load Balancer Frontend IP Configuration.') +output loadBalancerFrontendIpConfigurationResourceId string = loadBalancer.properties.frontendIPConfigurations[0].id 
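Review bot: `privateLinkServiceNetworkPolicies: 'Disabled'` on `defaultSubnet` is the one setting in this file that is not self-explanatory, and as far as I understand it it switches off NSG and route enforcement for Private Link Service NAT addresses in that subnet; a short comment such as `// Required: a Private Link Service NAT IP configuration cannot live in a subnet with private link service network policies enabled` would record why the relaxation is needed and that it is scoped to this fixture. The `managedIdentity` API version `2023-01-31` differs from the `2018-11-30` used by the other waf-aligned dependencies files added in this commit.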
diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c327e89f13 --- /dev/null +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,106 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nplswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 
'myCustomLockName' + } + ipConfigurations: [ + { + name: '${serviceShort}01' + properties: { + primary: true + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: nestedDependencies.outputs.subnetResourceId + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: nestedDependencies.outputs.loadBalancerFrontendIpConfigurationResourceId + } + ] + autoApproval: { + subscriptions: [ + '*' + ] + } + visibility: { + subscriptions: [ + subscription().subscriptionId + ] + } + enableProxyProtocol: true + fqdns: [ + '${serviceShort}.plsfqdn01.azure.privatelinkservice' + '${serviceShort}.plsfqdn02.azure.privatelinkservice' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index a1e26a8374..cfe71b8195 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -216,6 +217,142 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = {
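Review bot: `autoApproval.subscriptions` is set to `'*'`, which auto-approves private endpoint connections from any subscription, while `visibility.subscriptions` a few lines below is narrowed to `subscription().subscriptionId`; for a test meant to model WAF-aligned settings the two lists should agree, e.g. `subscriptions: [ subscription().subscriptionId ]` under `autoApproval` as well, since as far as I know Azure expects the auto-approval list to be a subset of the visibility list, and the wildcard is also what ends up in this module's README example. If the wildcard is kept deliberately to exercise the parameter, a comment on that line saying so would keep readers from treating it as the recommended value.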

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npiawaf' + params: { + // Required parameters + name: 'npiawaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAllocationMethod: 'Static' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + zones: [ + '1' + '2' + '3' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npiawaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicIPAllocationMethod": { + "value": "Static" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..61d5598c0e --- /dev/null +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,107 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npiawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAllocationMethod: 'Static' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuName: 'Standard' + zones: [ + '1' + '2' + '3' + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index efd58740b9..315a9026fd 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -171,6 +172,96 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npipwaf' + params: { + // Required parameters + name: 'npipwaf001' + prefixLength: 28 + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npipwaf001" + }, + "prefixLength": { + "value": 28 + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..298ddcbc5d --- /dev/null +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,73 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npipwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + prefixLength: 28 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index 3187ab66e4..f5c8ab94de 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -185,6 +186,114 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nrtwaf' + params: { + // Required parameters + name: 'nrtwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + routes: [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: '172.16.0.20' + nextHopType: 'VirtualAppliance' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nrtwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "routes": { + "value": [ + { + "name": "default", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopIpAddress": "172.16.0.20", + "nextHopType": "VirtualAppliance" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..83c92c0105 --- /dev/null +++ b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,82 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nrtwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ routes: [
+ {
+ name: 'default'
+ properties: {
+ addressPrefix: '0.0.0.0/0'
+ nextHopIpAddress: '172.16.0.20'
+ nextHopType: 'VirtualAppliance'
+ }
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md
index c97f6b3a41..e8797a413c 100644
--- a/modules/network/service-endpoint-policy/README.md
+++ b/modules/network/service-endpoint-policy/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -191,6 +192,120 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1
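Review bot: The `routes` entry near the end of the hunk sends `0.0.0.0/0` to a `VirtualAppliance` at `172.16.0.20`, but nothing in this test deploys an appliance at that address or a subnet that could be associated with the table — the companion `dependencies.bicep` creates only a managed identity — so the value is a placeholder rather than a working default route. Because the README example for this module is generated from this file and presented as WAF-aligned, the placeholder can be copied into a real deployment where it would black-hole all egress. A comment on the route, `// Placeholder next hop: no NVA is deployed by this test; set this to the firewall/NVA private IP before reusing`, keeps the intent visible in both places.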

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nsnpwaf' + params: { + // Required parameters + name: 'nsnpwaf-001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + serviceEndpointPolicyDefinitions: [ + { + name: 'Storage.ServiceEndpoint' + properties: { + description: 'Allow Microsoft.Storage' + service: 'Microsoft.Storage' + serviceResources: [ + '' + ] + } + type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nsnpwaf-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "serviceEndpointPolicyDefinitions": { + "value": [ + { + "name": "Storage.ServiceEndpoint", + "properties": { + "description": "Allow Microsoft.Storage", + "service": "Microsoft.Storage", + "serviceResources": [ + "" + ] + }, + "type": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..f2a407ed2a
--- /dev/null
+++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,85 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nsnpwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}-001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ serviceEndpointPolicyDefinitions: [
+ {
+ name: 'Storage.ServiceEndpoint'
+ properties: {
+ service: 'Microsoft.Storage'
+ description: 'Allow Microsoft.Storage'
+ serviceResources: [
+ subscription().id
+ ]
+ }
+ type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions'
+ }
+ ]
+ }
+}
diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md
index 07d77ebdb1..01f22925a2 100644
--- a/modules/network/trafficmanagerprofile/README.md
+++ b/modules/network/trafficmanagerprofile/README.md
@@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -203,6 +204,126 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0
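Review bot: `serviceResources: [ subscription().id ]` in the `serviceEndpointPolicyDefinitions` entry scopes the policy to every storage account in the whole subscription, which is the broadest scope the definition accepts and sits oddly in an example labelled WAF-aligned, whose purpose is to show the recommended posture. Narrowing it to the test's own resource group, `serviceResources: [ resourceGroup.id ]`, demonstrates least privilege at no cost to the test. A comment such as `// Scope the endpoint policy to the narrowest set of storage accounts the workload needs` would also carry the intent into the generated README, where this value is rendered as `''` and the reader has no other hint.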

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ntmpwaf' + params: { + // Required parameters + name: '' + relativeName: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "relativeName": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..a1a7cb5738
--- /dev/null
+++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,101 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'ntmpwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 
'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+var resourceName = '${namePrefix}${serviceShort}001'
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: resourceName
+ relativeName: resourceName
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md
index 794271f0ac..c4c25d0839 100644
--- a/modules/network/virtual-hub/README.md
+++ b/modules/network/virtual-hub/README.md
@@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -221,6 +222,140 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = {
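Review bot: The `diagnosticSettings` entry collects only `metricCategories: [ { category: 'AllMetrics' } ]` and selects no log categories, so this WAF-aligned example ships no resource logs (Traffic Manager's probe-health events, for instance) to the workspace, storage account and event hub it wires up. If the module's `diagnosticSettings` type accepts a log-category selector — its parameter surface is outside this hunk — adding the all-logs group next to the metrics would better match the monitoring guidance the example claims to follow; if it does not, a comment like `// Metrics only: this module's diagnostic settings type exposes no log categories` would stop readers wondering why logs are absent. `relativeName: resourceName` also becomes a public `*.trafficmanager.net` DNS label, so it depends on `namePrefix` for global uniqueness; a short comment saying so would help anyone reusing the example with a fixed name.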

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvhwaf' + params: { + // Required parameters + addressPrefix: '10.1.0.0/16' + name: 'nvhwaf' + virtualWanId: '' + // Non-required parameters + enableDefaultTelemetry: '' + hubRouteTables: [ + { + name: 'routeTable1' + } + ] + hubVirtualNetworkConnections: [ + { + name: 'connection1' + remoteVirtualNetworkId: '' + routingConfiguration: { + associatedRouteTable: { + id: '' + } + propagatedRouteTables: { + ids: [ + { + id: '' + } + ] + labels: [ + 'none' + ] + } + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefix": { + "value": "10.1.0.0/16" + }, + "name": { + "value": "nvhwaf" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "hubRouteTables": { + "value": [ + { + "name": "routeTable1" + } + ] + }, + "hubVirtualNetworkConnections": { + "value": [ + { + "name": "connection1", + "remoteVirtualNetworkId": "", + "routingConfiguration": { + "associatedRouteTable": { + "id": "" + }, + "propagatedRouteTables": { + "ids": [ + { + "id": "" + } + ], + "labels": [ + "none" + ] + } + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..9c4af5313d
--- /dev/null
+++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,42 @@
+@description('Required. The name of the Virtual WAN to create.')
+param virtualWANName string
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
+ name: virtualWANName
+ location: location
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+@description('The resource ID of the created Virtual WAN.')
+output virtualWWANResourceId string = virtualWan.id
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..8ca1b21cbd
--- /dev/null
+++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep
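Review bot: The output is named `virtualWWANResourceId` (double `W`), which reads as a typo next to the `virtualWANName` parameter in the same file; since `main.test.bicep` in this same change consumes it as `nestedDependencies.outputs.virtualWWANResourceId`, renaming it to `virtualWANResourceId` has to touch both files together. There is also a stray blank line inside the `defaultSubnet` `properties` object. Separately, `cidrSubnet(addressPrefix, 16, 0)` returns the whole `10.0.0.0/16`, so the single subnet consumes the entire VNet address space — acceptable for a fixture, but a comment such as `// Single subnet spanning the whole VNet; enough for a test connection, not a layout to copy` would keep anyone from reading it as a recommended design.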
@@ -0,0 +1,94 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nvhwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ addressPrefix: '10.1.0.0/16'
+ virtualWanId: 
nestedDependencies.outputs.virtualWWANResourceId
+ hubRouteTables: [
+ {
+ name: 'routeTable1'
+ }
+ ]
+ hubVirtualNetworkConnections: [
+ {
+ name: 'connection1'
+ remoteVirtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId
+ routingConfiguration: {
+ associatedRouteTable: {
+ id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
+ }
+ propagatedRouteTables: {
+ ids: [
+ {
+ id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1'
+ }
+ ]
+ labels: [
+ 'none'
+ ]
+ }
+ }
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md
index 07083c6cf7..8f8acb2d0d 100644
--- a/modules/network/virtual-network/README.md
+++ b/modules/network/virtual-network/README.md
@@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
 - [Vnetpeering](#example-3-vnetpeering)
+- [WAF-aligned](#example-4-waf-aligned)
 ### Example 1: _Using only defaults_
@@ -427,6 +428,236 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = {
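Review bot: The two `id:` values under `routingConfiguration` rebuild the hub's resource ID by hand and repeat the name expression `'${namePrefix}-${serviceShort}'` that `name:` uses a few lines earlier; if one is edited without the other the connection silently points at a route table on a different hub. Hoisting both into variables above the module — `var virtualHubName = '${namePrefix}-${serviceShort}'` and `var defaultHubRouteTableId = '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${virtualHubName}/hubRouteTables/routeTable1'` — and using them for `name:` and both `id:` fields keeps the three in step. The string-built ID is presumably unavoidable because the route table is created by the module in the same deployment, so a short comment saying so (`// Built by hand: the hub route table is created by the module and cannot be referenced before it exists`) would pre-empt the obvious question.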

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvnwaf' + params: { + // Required parameters + addressPrefixes: [ + '' + ] + name: 'nvnwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + dnsServers: [ + '10.0.1.4' + '10.0.1.5' + ] + enableDefaultTelemetry: '' + flowTimeoutInMinutes: 20 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subnets: [ + { + addressPrefix: '' + name: 'GatewaySubnet' + } + { + addressPrefix: '' + name: 'az-subnet-x-001' + networkSecurityGroupId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + routeTableId: '' + serviceEndpoints: [ + { + service: 'Microsoft.Storage' + } + { + service: 'Microsoft.Sql' + } + ] + } + { + addressPrefix: '' + delegations: [ + { + name: 'netappDel' + properties: { + serviceName: 'Microsoft.Netapp/volumes' + } + } + ] + name: 'az-subnet-x-002' + } + { + addressPrefix: '' + name: 'az-subnet-x-003' + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefixes": { + "value": [ + "" + ] + }, + "name": { + "value": "nvnwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "dnsServers": { + "value": [ + "10.0.1.4", + "10.0.1.5" + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "flowTimeoutInMinutes": { + "value": 20 + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subnets": { + "value": [ + { + "addressPrefix": "", + "name": "GatewaySubnet" + }, + { + "addressPrefix": "", + "name": "az-subnet-x-001", + "networkSecurityGroupId": "", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "routeTableId": "", + "serviceEndpoints": [ + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.Sql" + } + ] + }, + { + "addressPrefix": "", + "delegations": [ + { + "name": "netappDel", + "properties": { + "serviceName": "Microsoft.Netapp/volumes" + } + } + ], + "name": "az-subnet-x-002" + }, + { + "addressPrefix": "", + "name": "az-subnet-x-003", + "privateEndpointNetworkPolicies": "Disabled", + "privateLinkServiceNetworkPolicies": "Enabled" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..065c08da1e
--- /dev/null
+++ b/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,35 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Route Table to create.')
+param routeTableName string
+
+@description('Required. The name of the Network Security Group to create.')
+param networkSecurityGroupName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
+ name: routeTableName
+ location: location
+}
+
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
+ name: networkSecurityGroupName
+ location: location
+}
+
+@description('The resource ID of the created Route Table.')
+output routeTableResourceId string = routeTable.id
+
+@description('The resource ID of the created Network Security Group.')
+output networkSecurityGroupResourceId string = networkSecurityGroup.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..58a38a9530
--- /dev/null
+++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,156 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvnwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + routeTableName: 'dep-${namePrefix}-rt-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 
'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var addressPrefix = '10.0.0.0/16' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + addressPrefixes: [ + addressPrefix + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + dnsServers: [ + '10.0.1.4' + '10.0.1.5' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + flowTimeoutInMinutes: 20 + subnets: [ + { + addressPrefix: cidrSubnet(addressPrefix, 24, 0) + name: 'GatewaySubnet' + } + { + addressPrefix: cidrSubnet(addressPrefix, 24, 1) + name: '${namePrefix}-az-subnet-x-001' + networkSecurityGroupId: nestedDependencies.outputs.networkSecurityGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + routeTableId: nestedDependencies.outputs.routeTableResourceId + serviceEndpoints: [ + { + service: 'Microsoft.Storage' + } + { + service: 'Microsoft.Sql' + } + ] + } + { + 
addressPrefix: cidrSubnet(addressPrefix, 24, 2) + delegations: [ + { + name: 'netappDel' + properties: { + serviceName: 'Microsoft.Netapp/volumes' + } + } + ] + name: '${namePrefix}-az-subnet-x-002' + } + { + addressPrefix: cidrSubnet(addressPrefix, 24, 3) + name: '${namePrefix}-az-subnet-x-003' + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 2837b5d97c..63d33bf1aa 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -179,6 +180,108 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = {
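Review bot: Only `${namePrefix}-az-subnet-x-001` is associated with the NSG that `nestedDependencies` creates; `-x-002` (NetApp-delegated) and `-x-003` (the private-endpoint subnet) carry no `networkSecurityGroupId`, which is at odds with a test whose metadata claims Well-Architected alignment (GatewaySubnet is the one subnet that legitimately has none). Adding `networkSecurityGroupId: nestedDependencies.outputs.networkSecurityGroupResourceId` to both subnets would make the sample consistent and also exercises the NSG association on a delegated subnet. On `-x-003`, `privateEndpointNetworkPolicies: 'Disabled'` presumably means the NSG would not be enforced on private endpoints placed there, so it may be worth a comment stating that this is deliberate. Note the NSG in `dependencies.bicep` has no `securityRules`, so only the platform default rules apply; that is fine for scaffolding but worth a one-line comment there too.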

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvwwaf' + params: { + // Required parameters + name: 'nvwwaf001' + // Non-required parameters + allowBranchToBranchTraffic: true + allowVnetToVnetTraffic: true + disableVpnEncryption: true + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + type: 'Basic' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvwwaf001" + }, + // Non-required parameters + "allowBranchToBranchTraffic": { + "value": true + }, + "allowVnetToVnetTraffic": { + "value": true + }, + "disableVpnEncryption": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "type": { + "value": "Basic" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..748fcbeaac
--- /dev/null
+++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,76 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvwwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + allowBranchToBranchTraffic: true + allowVnetToVnetTraffic: true + disableVpnEncryption: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + 
roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + type: 'Basic' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index e8936ad31c..ae23f37365 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -233,6 +234,156 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = {
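Review bot: The WAF-aligned test sets `disableVpnEncryption: true` on the virtual WAN, which is the opposite of what a sample described as "in alignment with the best-practices of the Azure Well-Architected Framework" should demonstrate for the security pillar. Unless the intent is purely to exercise the parameter, change it to `disableVpnEncryption: false` (or drop the line so the module default applies); the generated README example for this scenario carries the same `true` and would be regenerated from the test. If keeping it is deliberate, a comment such as `// NOTE: VPN encryption disabled only to cover the parameter; do not copy into production` would stop the value from being copied as a recommended setting.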

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvgwaf' + params: { + // Required parameters + name: 'nvgwaf001' + virtualHubResourceId: '' + // Non-required parameters + bgpSettings: { + asn: 65515 + peerWeight: 0 + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + natRules: [ + { + externalMappings: [ + { + addressSpace: '192.168.21.0/24' + } + ] + internalMappings: [ + { + addressSpace: '10.4.0.0/24' + } + ] + mode: 'EgressSnat' + name: 'natRule1' + type: 'Static' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vpnConnections: [ + { + connectionBandwidth: 100 + enableBgp: false + enableInternetSecurity: true + enableRateLimiting: false + name: '' + remoteVpnSiteResourceId: '' + routingWeight: 0 + useLocalAzureIpAddress: false + usePolicyBasedTrafficSelectors: false + vpnConnectionProtocolType: 'IKEv2' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvgwaf001" + }, + "virtualHubResourceId": { + "value": "" + }, + // Non-required parameters + "bgpSettings": { + "value": { + "asn": 65515, + "peerWeight": 0 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "natRules": { + "value": [ + { + "externalMappings": [ + { + "addressSpace": "192.168.21.0/24" + } + ], + "internalMappings": [ + { + "addressSpace": "10.4.0.0/24" + } + ], + "mode": "EgressSnat", + "name": "natRule1", + "type": "Static" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vpnConnections": { + "value": [ + { + "connectionBandwidth": 100, + "enableBgp": false, + "enableInternetSecurity": true, + "enableRateLimiting": false, + "name": "", + "remoteVpnSiteResourceId": "", + "routingWeight": 0, + "useLocalAzureIpAddress": false, + "usePolicyBasedTrafficSelectors": false, + "vpnConnectionProtocolType": "IKEv2" + } + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a15b268388
--- /dev/null
+++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,49 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Optional. The name of the Virtual Hub to create.')
+param virtualHubName string
+
+@description('Optional. The name of the VPN Site to create.')
+param vpnSiteName string
+
+@description('Required. The name of the virtual WAN to create.')
+param virtualWANName string
+
+resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
+ name: virtualWANName
+ location: location
+}
+
+resource virtualHub 'Microsoft.Network/virtualHubs@2022-01-01' = {
+ name: virtualHubName
+ location: location
+ properties: {
+ virtualWan: {
+ id: virtualWan.id
+ }
+ addressPrefix: '10.0.0.0/24'
+ }
+}
+
+resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = {
+ name: vpnSiteName
+ location: location
+ properties: {
+ virtualWan: {
+ id: virtualWan.id
+ }
+ addressSpace: {
+ addressPrefixes: [
+ '10.1.0.0/16'
+ ]
+ }
+ ipAddress: '10.1.0.0'
+ }
+}
+
+@description('The resource ID of the created Virtual Hub.')
+output virtualHubResourceId string = virtualHub.id
+
+@description('The resource ID of the created VPN site.')
+output vpnSiteResourceId string = vpnSite.id
diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..7d7999ab09
--- /dev/null
+++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep
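Review bot: `virtualHubName` and `vpnSiteName` are described as `Optional.` but have no default value, so they are in fact required parameters; the descriptions should read `@description('Required. The name of the Virtual Hub to create.')` and `@description('Required. The name of the VPN Site to create.')`, matching `virtualWANName`. The VPN site's `ipAddress: '10.1.0.0'` is the network address of its own `addressSpace` (`10.1.0.0/16`), which is not a meaningful peer endpoint; since this is scaffolding only, a reserved documentation address (RFC 5737) with a comment would avoid readers copying it. The hub uses API version `2022-01-01` while the sibling resources use `2023-04-01`; aligning them is cosmetic but keeps the file consistent.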
@@ -0,0 +1,102 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvgwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualHubName: 'dep-${namePrefix}-vh-${serviceShort}' + virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}' + vpnSiteName: 'dep-${namePrefix}-vs-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId + 
bgpSettings: { + asn: 65515 + peerWeight: 0 + } + vpnConnections: [ + { + connectionBandwidth: 100 + enableBgp: false + name: 'Connection-${last(split(nestedDependencies.outputs.vpnSiteResourceId, '/'))}' + remoteVpnSiteResourceId: nestedDependencies.outputs.vpnSiteResourceId + enableInternetSecurity: true + vpnConnectionProtocolType: 'IKEv2' + enableRateLimiting: false + useLocalAzureIpAddress: false + usePolicyBasedTrafficSelectors: false + routingWeight: 0 + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + natRules: [ + { + externalMappings: [ + { + addressSpace: '192.168.21.0/24' + } + ] + internalMappings: [ + { + addressSpace: '10.4.0.0/24' + } + ] + mode: 'EgressSnat' + name: 'natRule1' + type: 'Static' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 949d02fd41..0db53524cd 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -270,6 +271,182 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = {
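Review bot: `bgpSettings` is configured on the gateway (`asn: 65515`, `peerWeight: 0`) but the only connection sets `enableBgp: false`, and the VPN site created in `dependencies.bicep` has no BGP properties, so the BGP configuration is not actually exercised by this scenario. Either drop `bgpSettings` from the WAF-aligned test or, if it is meant to be covered, give the dependency site BGP settings and set `enableBgp: true` on the connection. A short comment such as `// BGP is configured on the gateway only; the test connection is static` would at least make the mismatch intentional rather than accidental.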

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvswaf' + params: { + // Required parameters + name: 'nvswaf' + virtualWanId: '' + // Non-required parameters + deviceProperties: { + linkSpeedInMbps: 0 + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + o365Policy: { + breakOutCategories: { + allow: true + default: true + optimize: true + } + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'valueA' + tagB: 'valueB' + } + vpnSiteLinks: [ + { + name: 'vSite-nvswaf' + properties: { + bgpProperties: { + asn: 65010 + bgpPeeringAddress: '1.1.1.1' + } + ipAddress: '1.2.3.4' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + { + name: 'Link1' + properties: { + bgpProperties: { + asn: 65020 + bgpPeeringAddress: '192.168.1.0' + } + ipAddress: '2.2.2.2' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvswaf" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "deviceProperties": { + "value": { + "linkSpeedInMbps": 0 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "o365Policy": { + "value": { + "breakOutCategories": { + "allow": true, + "default": true, + "optimize": true + } + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "tagA": "valueA", + "tagB": "valueB" + } + }, + "vpnSiteLinks": { + "value": [ + { + "name": "vSite-nvswaf", + "properties": { + "bgpProperties": { + "asn": 65010, + "bgpPeeringAddress": "1.1.1.1" + }, + "ipAddress": "1.2.3.4", + "linkProperties": { + "linkProviderName": "contoso", + "linkSpeedInMbps": 5 + } + } + }, + { + "name": "Link1", + "properties": { + "bgpProperties": { + "asn": 65020, + "bgpPeeringAddress": "192.168.1.0" + }, + "ipAddress": "2.2.2.2", + "linkProperties": { + "linkProviderName": "contoso", + "linkSpeedInMbps": 5 + } + } + } + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8e2694c27f
--- /dev/null
+++ b/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,24 @@
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the virtual WAN to create.')
+param virtualWANName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
+ name: virtualWANName
+ location: location
+}
+
+@description('The principal ID of the created managed identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Virtual WAN.')
+output virtualWWANResourceId string = virtualWan.id
diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..66ea85793c
--- /dev/null
+++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep
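Review bot: The output `virtualWWANResourceId` has a doubled `W` that looks like a typo for `virtualWANResourceId`, and because `main.test.bicep` consumes it as `nestedDependencies.outputs.virtualWWANResourceId` the misspelling is now part of the test's interface. Rename it in both files: `output virtualWANResourceId string = virtualWan.id` here and `virtualWanId: nestedDependencies.outputs.virtualWANResourceId` in the test. The parameter name `virtualWANName` already uses the single-W form, so this also restores consistency within the file.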
@@ -0,0 +1,114 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + virtualWanId: nestedDependencies.outputs.virtualWWANResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + 
tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'valueA' + tagB: 'valueB' + } + deviceProperties: { + linkSpeedInMbps: 0 + } + vpnSiteLinks: [ + { + name: '${namePrefix}-vSite-${serviceShort}' + properties: { + bgpProperties: { + asn: 65010 + bgpPeeringAddress: '1.1.1.1' + } + ipAddress: '1.2.3.4' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + { + name: 'Link1' + properties: { + bgpProperties: { + asn: 65020 + bgpPeeringAddress: '192.168.1.0' + } + ipAddress: '2.2.2.2' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + ] + o365Policy: { + breakOutCategories: { + optimize: true + allow: true + default: true + } + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index cac8424e47..ec2727000b 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Adv](#example-1-adv) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Adv_ @@ -1048,6 +1049,414 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = {
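Review bot: The `vpnSiteLinks` use `1.2.3.4`, `2.2.2.2` and the BGP peering address `1.1.1.1`, which are routable public addresses belonging to third parties rather than placeholders; since this test also feeds the generated README example, readers may copy them into real site definitions. Prefer addresses from the RFC 5737 documentation ranges (for example `192.0.2.0/24` or `203.0.113.0/24`) for `ipAddress` and a private address such as the existing `192.168.1.0` pattern for `bgpPeeringAddress`, with a comment `// placeholder endpoints; replace with the customer device addresses`. The enclosing `testDeployment` module starts in the previous physical line of the hunk.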

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-oiwwaf' + params: { + // Required parameters + name: 'oiwwaf001' + // Non-required parameters + dailyQuotaGb: 10 + dataSources: [ + { + eventLogName: 'Application' + eventTypes: [ + { + eventType: 'Error' + } + { + eventType: 'Warning' + } + { + eventType: 'Information' + } + ] + kind: 'WindowsEvent' + name: 'applicationEvent' + } + { + counterName: '% Processor Time' + instanceName: '*' + intervalSeconds: 60 + kind: 'WindowsPerformanceCounter' + name: 'windowsPerfCounter1' + objectName: 'Processor' + } + { + kind: 'IISLogs' + name: 'sampleIISLog1' + state: 'OnPremiseEnabled' + } + { + kind: 'LinuxSyslog' + name: 'sampleSyslog1' + syslogName: 'kern' + syslogSeverities: [ + { + severity: 'emerg' + } + { + severity: 'alert' + } + { + severity: 'crit' + } + { + severity: 'err' + } + { + severity: 'warning' + } + ] + } + { + kind: 'LinuxSyslogCollection' + name: 'sampleSyslogCollection1' + state: 'Enabled' + } + { + instanceName: '*' + intervalSeconds: 10 + kind: 'LinuxPerformanceObject' + name: 'sampleLinuxPerf1' + objectName: 'Logical Disk' + syslogSeverities: [ + { + counterName: '% Used Inodes' + } + { + counterName: 'Free Megabytes' + } + { + counterName: '% Used Space' + } + { + counterName: 'Disk Transfers/sec' + } + { + counterName: 'Disk Reads/sec' + } + { + counterName: 'Disk Writes/sec' + } + ] + } + { + kind: 'LinuxPerformanceCollection' + name: 'sampleLinuxPerfCollection1' + state: 'Enabled' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + gallerySolutions: [ + { + name: 'AzureAutomation' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + linkedServices: [ + { 
+ name: 'Automation' + resourceId: '' + } + ] + linkedStorageAccounts: [ + { + name: 'Query' + resourceId: '' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + publicNetworkAccessForIngestion: 'Disabled' + publicNetworkAccessForQuery: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + savedSearches: [ + { + category: 'VDC Saved Searches' + displayName: 'VMSS Instance Count2' + name: 'VMSSQueries' + query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' + } + ] + storageInsightsConfigs: [ + { + storageAccountResourceId: '' + tables: [ + 'LinuxsyslogVer2v0' + 'WADETWEventTable' + 'WADServiceFabric*EventTable' + 'WADWindowsEventLogsTable' + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + useResourcePermissions: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "oiwwaf001" + }, + // Non-required parameters + "dailyQuotaGb": { + "value": 10 + }, + "dataSources": { + "value": [ + { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ], + "kind": "WindowsEvent", + "name": "applicationEvent" + }, + { + "counterName": "% Processor Time", + "instanceName": "*", + "intervalSeconds": 60, + "kind": "WindowsPerformanceCounter", + "name": "windowsPerfCounter1", + "objectName": "Processor" + }, + { + "kind": "IISLogs", + "name": "sampleIISLog1", + "state": "OnPremiseEnabled" + }, + { + "kind": "LinuxSyslog", + "name": "sampleSyslog1", + "syslogName": "kern", + "syslogSeverities": [ + { + "severity": "emerg" + }, + { + "severity": "alert" + }, + { + "severity": "crit" + }, + { + "severity": "err" + }, + { + "severity": "warning" + } + ] + }, + { + "kind": "LinuxSyslogCollection", + "name": "sampleSyslogCollection1", + "state": "Enabled" + }, + { + "instanceName": "*", + "intervalSeconds": 10, + "kind": "LinuxPerformanceObject", + "name": "sampleLinuxPerf1", + "objectName": "Logical Disk", + "syslogSeverities": [ + { + "counterName": "% Used Inodes" + }, + { + "counterName": "Free Megabytes" + }, + { + "counterName": "% Used Space" + }, + { + "counterName": "Disk Transfers/sec" + }, + { + "counterName": "Disk Reads/sec" + }, + { + "counterName": "Disk Writes/sec" + } + ] + }, + { + "kind": "LinuxPerformanceCollection", + "name": "sampleLinuxPerfCollection1", + "state": "Enabled" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + 
"storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gallerySolutions": { + "value": [ + { + "name": "AzureAutomation", + "product": "OMSGallery", + "publisher": "Microsoft" + } + ] + }, + "linkedServices": { + "value": [ + { + "name": "Automation", + "resourceId": "" + } + ] + }, + "linkedStorageAccounts": { + "value": [ + { + "name": "Query", + "resourceId": "" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "publicNetworkAccessForIngestion": { + "value": "Disabled" + }, + "publicNetworkAccessForQuery": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "savedSearches": { + "value": [ + { + "category": "VDC Saved Searches", + "displayName": "VMSS Instance Count2", + "name": "VMSSQueries", + "query": "Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer" + } + ] + }, + "storageInsightsConfigs": { + "value": [ + { + "storageAccountResourceId": "", + "tables": [ + "LinuxsyslogVer2v0", + "WADETWEventTable", + "WADServiceFabric*EventTable", + "WADWindowsEventLogsTable" + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "useResourcePermissions": { + "value": true + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8f83c0d9a1
--- /dev/null
+++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,47 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+@description('Required. The name of the Automation Account to create.')
+param automationAccountName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+}
+
+resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
+ name: automationAccountName
+ location: location
+ properties: {
+ sku: {
+ name: 'Basic'
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
+
+@description('The resource ID of the created Automation Account.')
+output automationAccountResourceId string = automationAccount.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
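Review bot: The `storageAccount` resource is created with only `sku` and `kind`, so the account that the WAF-aligned workspace links to (via `linkedStorageAccounts` and `storageInsightsConfigs` in the test) falls back to the resource provider's defaults for TLS, public blob access and HTTPS-only. Even as test scaffolding it is cheap to harden and avoids the sample demonstrating an unhardened account next to a workspace with public network access disabled: add `properties: { minimumTlsVersion: 'TLS1_2', allowBlobPublicAccess: false, supportsHttpsTrafficOnly: true }` to the resource. The remaining resources in the file (automation account, managed identity) need no change.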
diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..92f24e5733 --- /dev/null +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,237 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'oiwwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + automationAccountName: 'dep-${namePrefix}-auto-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 
'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + dailyQuotaGb: 10 + dataSources: [ + { + eventLogName: 'Application' + eventTypes: [ + { + eventType: 'Error' + } + { + eventType: 'Warning' + } + { + eventType: 'Information' + } + ] + kind: 'WindowsEvent' + name: 'applicationEvent' + } + { + counterName: '% Processor Time' + instanceName: '*' + intervalSeconds: 60 + kind: 'WindowsPerformanceCounter' + name: 'windowsPerfCounter1' + objectName: 'Processor' + } + { + kind: 'IISLogs' + name: 'sampleIISLog1' + state: 'OnPremiseEnabled' + } + { + kind: 'LinuxSyslog' + name: 'sampleSyslog1' + syslogName: 'kern' + syslogSeverities: [ + { + severity: 'emerg' + } + { + severity: 'alert' + } + { + severity: 'crit' + } + { + severity: 'err' + } + { + severity: 'warning' + } + ] + } + { + kind: 'LinuxSyslogCollection' + name: 'sampleSyslogCollection1' + state: 'Enabled' + } + { + instanceName: '*' + intervalSeconds: 10 + kind: 'LinuxPerformanceObject' + name: 'sampleLinuxPerf1' + objectName: 'Logical Disk' + syslogSeverities: [ + { + counterName: '% Used Inodes' + } + { + counterName: 'Free Megabytes' + } + { + counterName: '% Used Space' + } + { + counterName: 'Disk Transfers/sec' + } + { + counterName: 'Disk Reads/sec' + } + { + counterName: 'Disk Writes/sec' + } + ] + } + { + kind: 'LinuxPerformanceCollection' + name: 'sampleLinuxPerfCollection1' + state: 'Enabled' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: 
diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gallerySolutions: [ + { + name: 'AzureAutomation' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + linkedServices: [ + { + name: 'Automation' + resourceId: nestedDependencies.outputs.automationAccountResourceId + } + ] + linkedStorageAccounts: [ + { + name: 'Query' + resourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccessForIngestion: 'Disabled' + publicNetworkAccessForQuery: 'Disabled' + savedSearches: [ + { + category: 'VDC Saved Searches' + displayName: 'VMSS Instance Count2' + name: 'VMSSQueries' + query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' + } + ] + storageInsightsConfigs: [ + { + storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + tables: [ + 'LinuxsyslogVer2v0' + 'WADETWEventTable' + 'WADServiceFabric*EventTable' + 'WADWindowsEventLogsTable' + ] + } + ] + useResourcePermissions: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 4e238f87bd..93a0348544 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md 
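Review bot: The `sampleLinuxPerf1` data source of kind `LinuxPerformanceObject` lists its counters (`% Used Inodes`, `Free Megabytes`, …) under `syslogSeverities`, the key the neighbouring `LinuxSyslog` entry uses for severities. If the module's data-source child only forwards `syslogSeverities` for syslog kinds, the six counters are silently dropped and the test exercises an empty performance object; the Log Analytics data-source schema carries them as `performanceCounters`, so `performanceCounters: [` with the same entries looks like the intended key — worth confirming against `../../../main.bicep`. The rest of the parameter set, including the disabled public ingestion and query endpoints, reads as intended.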
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -187,6 +188,104 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-pbdcapwaf' + params: { + // Required parameters + members: [ + '' + ] + name: 'pbdcapwaf001' + skuCapacity: 1 + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "members": { + "value": [ + "" + ] + }, + "name": { + "value": "pbdcapwaf001" + }, + "skuCapacity": { + "value": 1 + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..204d4c8d00
--- /dev/null
+++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,76 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pbdcapwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ skuCapacity: 1
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ members: [
+ nestedDependencies.outputs.managedIdentityPrincipalId
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md
index 0110965dca..bf1e13c412 100644
--- a/modules/purview/account/README.md
+++ b/modules/purview/account/README.md
@@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -374,6 +375,296 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {
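Review bot: The `resourceGroup` resource in the new power-bi-dedicated test pins `Microsoft.Resources/resourceGroups@2021-04-01`, while the operational-insights WAF-aligned test added in the same commit uses `@2022-09-01` for the same resource; the purview main.test.bicep further down has the same `2021-04-01` pin. Both versions exist, so this is a consistency point rather than a defect; aligning all three on `resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {` keeps the generated tests uniform and avoids them drifting apart on later API bumps.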

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/purview.account:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-pvawaf' + params: { + // Required parameters + name: 'pvawaf001' + // Non-required parameters + accountPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'account' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventHubPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + managedResourceGroupName: 'pvawaf001-managed-rg' + portalPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'portal' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'blob' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'queue' + subnetResourceId: '' + tags: { + 
Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "pvawaf001" + }, + // Non-required parameters + "accountPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "account", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventHubPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managedResourceGroupName": { + "value": "pvawaf001-managed-rg" + }, + "portalPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "portal", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "storageBlobPrivateEndpoints": { 
+ "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "blob", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "storageQueuePrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "queue", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..1edeb81930
--- /dev/null
+++ b/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,73 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+var privateDNSZoneNames = [
+ 'privatelink.purview.azure.com'
+ 'privatelink.purviewstudio.azure.com'
+ 'privatelink.blob.${environment().suffixes.storage}'
+ 'privatelink.queue.${environment().suffixes.storage}'
+ 'privatelink.servicebus.windows.net'
+]
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@batchSize(1)
+resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDNSZone in privateDNSZoneNames: {
+ name: privateDNSZone
+ location: 'global'
+}]
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone for Purview Account.')
+output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id
+
+@description('The resource ID of the created Private DNS Zone for Purview Portal.')
+output purviewPortalPrivateDNSResourceId string = privateDNSZones[1].id
+
+@description('The resource ID of the created Private DNS Zone for Storage Account Blob.')
+output storageBlobPrivateDNSResourceId string = privateDNSZones[2].id
+
+@description('The resource ID of the created Private DNS Zone for Storage Account Queue.')
+output storageQueuePrivateDNSResourceId string = privateDNSZones[3].id
+
+@description('The resource ID of the created Private DNS Zone for Event Hub Namespace.')
+output eventHubPrivateDNSResourceId string = privateDNSZones[4].id
diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..1fc2ee5e43
--- /dev/null
+++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep
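Review bot: `privateDNSZoneNames` mixes cloud-aware and hard-coded zone names: the blob and queue entries derive their suffix from `environment().suffixes.storage`, but `privatelink.servicebus.windows.net`, `privatelink.purview.azure.com` and `privatelink.purviewstudio.azure.com` are the public-cloud names. In a sovereign cloud the storage zones would resolve while the Event Hub and Purview zones would not, which is an easy-to-miss asymmetry in a fixture whose purpose is to make private-only access work end to end; if Purview is public-cloud-only anyway, a one-line comment on the list saying so would make the choice deliberate. Separately, `defaultSubnet` spans the whole `/16` via `cidrSubnet(addressPrefix, 16, 0)`, which works but leaves no room for a second subnet; `cidrSubnet(addressPrefix, 24, 0)` is the usual fixture size.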
@@ -0,0 +1,179 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'pvawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. 
A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + location: location + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' + publicNetworkAccess: 'Disabled' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName 
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + accountPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.purviewAccountPrivateDNSResourceId + ] + service: 'account' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + portalPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.purviewPortalPrivateDNSResourceId + ] + service: 'portal' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.storageBlobPrivateDNSResourceId + ] + service: 'blob' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.storageQueuePrivateDNSResourceId + ] + service: 'queue' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + eventHubPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.eventHubPrivateDNSResourceId + ] + service: 
'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + enableDefaultTelemetry: enableDefaultTelemetry + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + } +} diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 0f801f9e45..6543c19403 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -42,6 +42,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Dr](#example-2-dr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -948,6 +949,692 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
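Review bot: The purview main.test.bicep labels its second section `// Deployments //` and declares `module nestedDependencies` before the `resource resourceGroup` it uses as `scope`, whereas the operational-insights and power-bi-dedicated tests in this commit use `// Dependencies //` and declare the resource group first. Bicep resolves the reference either way, so this is purely about reading order; moving the `resourceGroup` block above `nestedDependencies` and renaming the banner to `// Dependencies //` would make the three generated tests follow one layout. The stray blank line before the closing `}` of the `diagnosticDependencies` params block looks like a formatter miss.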

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rsvwaf' + params: { + // Required parameters + name: 'rsvwaf001' + // Non-required parameters + backupConfig: { + enhancedSecurityState: 'Disabled' + softDeleteFeatureState: 'Disabled' + } + backupPolicies: [ + { + name: 'VMpolicy' + properties: { + backupManagementType: 'AzureIaasVM' + instantRPDetails: {} + instantRpRetentionRangeInDays: 2 + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 180 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + monthlySchedule: { + retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 12 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T07:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + } + } + { + name: 'sqlpolicy' + properties: { + backupManagementType: 'AzureWorkload' + protectedItemsCount: 0 + settings: { + isCompression: true + issqlcompression: true + timeZone: 'UTC' + } + subProtectionPolicy: [ + { + policyType: 'Full' + retentionPolicy: { + monthlySchedule: { + 
retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 104 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Sunday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2019-11-07T22:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Differential' + retentionPolicy: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Monday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2017-03-07T02:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Log' + retentionPolicy: { + retentionDuration: { + count: 15 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + scheduleFrequencyInMins: 120 + schedulePolicyType: 'LogSchedulePolicy' + } + } + ] + workLoadType: 'SQLDataBase' + } + } + { + name: 'filesharepolicy' + properties: { + backupManagementType: 'AzureStorage' + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T04:30:00Z' + ] + } + retentionPolicyType: 
'LongTermRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T04:30:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + workloadType: 'AzureFileShare' + } + } + ] + backupStorageConfig: { + crossRegionRestoreFlag: true + storageModelType: 'GeoRedundant' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + monitoringSettings: { + azureMonitorAlertSettings: { + alertsForAllJobFailures: 'Enabled' + } + classicAlertSettings: { + alertsForCriticalOperations: 'Enabled' + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + replicationAlertSettings: { + customEmailAddresses: [ + 'test.user@testcompany.com' + ] + locale: 'en-US' + sendToOwners: 'Send' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securitySettings: { + immutabilitySettings: { + state: 'Unlocked' + } + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rsvwaf001" + }, + // Non-required parameters + "backupConfig": { + "value": { + "enhancedSecurityState": "Disabled", + "softDeleteFeatureState": "Disabled" + } + }, + "backupPolicies": { + "value": [ + { + "name": "VMpolicy", + "properties": { + "backupManagementType": "AzureIaasVM", + "instantRPDetails": {}, + "instantRpRetentionRangeInDays": 2, + "protectedItemsCount": 0, + "retentionPolicy": { + "dailySchedule": { + "retentionDuration": { + "count": 180, + "durationType": "Days" + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "monthlySchedule": { + "retentionDuration": { + "count": 60, + "durationType": "Months" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy", + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionDuration": { + "count": 12, + "durationType": "Weeks" + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "yearlySchedule": { + "monthsOfYear": [ + "January" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + } + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T07:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "timeZone": "UTC" + } + }, + { + "name": "sqlpolicy", + "properties": { + "backupManagementType": "AzureWorkload", + 
"protectedItemsCount": 0, + "settings": { + "isCompression": true, + "issqlcompression": true, + "timeZone": "UTC" + }, + "subProtectionPolicy": [ + { + "policyType": "Full", + "retentionPolicy": { + "monthlySchedule": { + "retentionDuration": { + "count": 60, + "durationType": "Months" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy", + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionDuration": { + "count": 104, + "durationType": "Weeks" + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + }, + "yearlySchedule": { + "monthsOfYear": [ + "January" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + } + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunDays": [ + "Sunday" + ], + "scheduleRunFrequency": "Weekly", + "scheduleRunTimes": [ + "2019-11-07T22:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + } + }, + { + "policyType": "Differential", + "retentionPolicy": { + "retentionDuration": { + "count": 30, + "durationType": "Days" + }, + "retentionPolicyType": "SimpleRetentionPolicy" + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunDays": [ + "Monday" + ], + "scheduleRunFrequency": "Weekly", + "scheduleRunTimes": [ + "2017-03-07T02:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + } + }, + { + "policyType": "Log", + "retentionPolicy": { + "retentionDuration": { + "count": 15, + "durationType": "Days" + }, + "retentionPolicyType": "SimpleRetentionPolicy" + }, + "schedulePolicy": { + "scheduleFrequencyInMins": 120, + "schedulePolicyType": 
"LogSchedulePolicy" + } + } + ], + "workLoadType": "SQLDataBase" + } + }, + { + "name": "filesharepolicy", + "properties": { + "backupManagementType": "AzureStorage", + "protectedItemsCount": 0, + "retentionPolicy": { + "dailySchedule": { + "retentionDuration": { + "count": 30, + "durationType": "Days" + }, + "retentionTimes": [ + "2019-11-07T04:30:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy" + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T04:30:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "timeZone": "UTC", + "workloadType": "AzureFileShare" + } + } + ] + }, + "backupStorageConfig": { + "value": { + "crossRegionRestoreFlag": true, + "storageModelType": "GeoRedundant" + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "monitoringSettings": { + "value": { + "azureMonitorAlertSettings": { + "alertsForAllJobFailures": "Enabled" + }, + "classicAlertSettings": { + "alertsForCriticalOperations": "Enabled" + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "replicationAlertSettings": { + "value": { + "customEmailAddresses": [ + "test.user@testcompany.com" + ], + "locale": "en-US", + "sendToOwners": "Send" + } + }, + "roleAssignments": { + "value": [ + { 
+ "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securitySettings": { + "value": { + "immutabilitySettings": { + "state": "Unlocked" + } + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..12b8653f54
--- /dev/null
+++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,63 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.siterecovery.windowsazure.com'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..c61f06f157
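Review bot: The only private DNS zone this fixture creates is `privatelink.siterecovery.windowsazure.com`, yet the WAF-aligned main.test.bicep in this same commit passes no `service` for its private endpoint, so which vault sub-resource the endpoint targets is decided by the module default, which is outside this diff. If that default is the backup sub-resource, Azure Backup private link resolves through the regional `privatelink.<geo>.backup.windowsazure.com` zone plus the blob and queue zones, not the Site Recovery zone, and `privateDnsZoneResourceIds` would bind an unrelated zone to the endpoint. Consider setting `service` explicitly in the test or creating the zone set that matches the intended sub-resource, and record the choice on the zone resource with a comment such as `// Site Recovery private link zone; the Backup sub-resource needs the regional backup, blob and queue zones instead`.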
--- /dev/null
+++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,378 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'rsvwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ backupConfig: {
+ enhancedSecurityState: 'Disabled'
+ softDeleteFeatureState: 'Disabled'
+ }
+ backupPolicies: [
+ {
+ name: 'VMpolicy'
+ properties: {
+ backupManagementType: 'AzureIaasVM'
+ instantRPDetails: {}
+ instantRpRetentionRangeInDays: 2
+ protectedItemsCount: 0
+ retentionPolicy: {
+ dailySchedule: {
+ retentionDuration: {
+ count: 180
+ durationType: 'Days'
+ }
+ retentionTimes: [
+ '2019-11-07T07:00:00Z'
+ ]
+ }
+ monthlySchedule: {
+ retentionDuration: {
+ count: 60
+ durationType: 'Months'
+ }
+ retentionScheduleFormatType: 'Weekly'
+ retentionScheduleWeekly: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ weeksOfTheMonth: [
+ 'First'
+ ]
+ }
+ retentionTimes: [
+ '2019-11-07T07:00:00Z'
+ ]
+ }
+ retentionPolicyType: 'LongTermRetentionPolicy'
+ weeklySchedule: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ retentionDuration: {
+ count: 12
+ durationType: 'Weeks'
+ }
+ retentionTimes: [
+ '2019-11-07T07:00:00Z'
+ ]
+ }
+ yearlySchedule: {
+ monthsOfYear: [
+ 'January'
+ ]
+ retentionDuration: {
+ count: 10
+ durationType: 'Years'
+ }
+ retentionScheduleFormatType: 'Weekly'
+ retentionScheduleWeekly: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ weeksOfTheMonth: [
+ 'First'
+ ]
+ }
+ retentionTimes: [
+ '2019-11-07T07:00:00Z'
+ ]
+ }
+ }
+ schedulePolicy: {
+ schedulePolicyType: 'SimpleSchedulePolicy'
+ scheduleRunFrequency: 'Daily'
+ scheduleRunTimes: [
+ '2019-11-07T07:00:00Z'
+ ]
+ scheduleWeeklyFrequency: 0
+ }
+ timeZone: 'UTC'
+ }
+ }
+ {
+ name: 'sqlpolicy'
+ properties: {
+ backupManagementType: 'AzureWorkload'
+ protectedItemsCount: 0
+ settings: {
+ isCompression: true
+ issqlcompression: true
+ timeZone: 'UTC'
+ }
+ subProtectionPolicy: [
+ {
+ policyType: 'Full'
+ retentionPolicy: {
+ monthlySchedule: {
+ retentionDuration: {
+ count: 60
+ durationType: 'Months'
+ }
+ retentionScheduleFormatType: 'Weekly'
+ retentionScheduleWeekly: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ weeksOfTheMonth: [
+ 'First'
+ ]
+ }
+ retentionTimes: [
+ '2019-11-07T22:00:00Z'
+ ]
+ }
+ retentionPolicyType: 'LongTermRetentionPolicy'
+ weeklySchedule: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ retentionDuration: {
+ count: 104
+ durationType: 'Weeks'
+ }
+ retentionTimes: [
+ '2019-11-07T22:00:00Z'
+ ]
+ }
+ yearlySchedule: {
+ monthsOfYear: [
+ 'January'
+ ]
+ retentionDuration: {
+ count: 10
+ durationType: 'Years'
+ }
+ retentionScheduleFormatType: 'Weekly'
+ retentionScheduleWeekly: {
+ daysOfTheWeek: [
+ 'Sunday'
+ ]
+ weeksOfTheMonth: [
+ 'First'
+ ]
+ }
+ retentionTimes: [
+ '2019-11-07T22:00:00Z'
+ ]
+ }
+ }
+ schedulePolicy: {
+ schedulePolicyType: 'SimpleSchedulePolicy'
+ scheduleRunDays: [
+ 'Sunday'
+ ]
+ scheduleRunFrequency: 'Weekly'
+ scheduleRunTimes: [
+ '2019-11-07T22:00:00Z'
+ ]
+ scheduleWeeklyFrequency: 0
+ }
+ }
+ {
+ policyType: 'Differential'
+ retentionPolicy: {
+ retentionDuration: {
+ count: 30
+ durationType: 'Days'
+ }
+ retentionPolicyType: 'SimpleRetentionPolicy'
+ }
+ schedulePolicy: {
+ schedulePolicyType: 'SimpleSchedulePolicy'
+ scheduleRunDays: [
+ 'Monday'
+ ]
+ scheduleRunFrequency: 'Weekly'
+ scheduleRunTimes: [
+ '2017-03-07T02:00:00Z'
+ ]
+ scheduleWeeklyFrequency: 0
+ }
+ }
+ {
+ policyType: 'Log'
+ retentionPolicy: {
+ retentionDuration: {
+ count: 15
+ durationType: 'Days'
+ }
+ retentionPolicyType: 'SimpleRetentionPolicy'
+ }
+ schedulePolicy: {
+ scheduleFrequencyInMins: 120
+ schedulePolicyType: 'LogSchedulePolicy'
+ }
+ }
+ ]
+ workLoadType: 'SQLDataBase'
+ }
+ }
+ {
+ name: 'filesharepolicy'
+ properties: {
+ backupManagementType: 'AzureStorage'
+ protectedItemsCount: 0
+ retentionPolicy: {
+ dailySchedule: {
+ retentionDuration: {
+ count: 30
+ durationType: 'Days'
+ }
+ retentionTimes: [
+ '2019-11-07T04:30:00Z'
+ ]
+ }
+ retentionPolicyType: 'LongTermRetentionPolicy'
+ }
+ schedulePolicy: {
+ schedulePolicyType: 'SimpleSchedulePolicy'
+ scheduleRunFrequency: 'Daily'
+ scheduleRunTimes: [
+ '2019-11-07T04:30:00Z'
+ ]
+ scheduleWeeklyFrequency: 0
+ }
+ timeZone: 'UTC'
+ workloadType: 'AzureFileShare'
+ }
+ }
+ ]
+ backupStorageConfig: {
+ crossRegionRestoreFlag: true
+ storageModelType: 'GeoRedundant'
+ }
+ replicationAlertSettings: {
+ customEmailAddresses: [
+ 'test.user@testcompany.com'
+ ]
+ locale: 'en-US'
+ sendToOwners: 'Send'
+ }
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ privateEndpoints: [
+ {
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ monitoringSettings: {
+ azureMonitorAlertSettings: {
+ alertsForAllJobFailures: 'Enabled'
+ }
+ classicAlertSettings: {
+ alertsForCriticalOperations: 'Enabled'
+ }
+ }
+ securitySettings: {
+ immutabilitySettings: {
+ state: 'Unlocked'
+ }
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index f7f4a331ec..0e0ec1776b 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
@@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_
@@ -464,6 +465,294 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
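Review bot: For a test labelled WAF-aligned, the `backupConfig` block in testDeployment turns the vault's protective features off: `enhancedSecurityState: 'Disabled'` and `softDeleteFeatureState: 'Disabled'`. Soft delete is what keeps backup data recoverable after an accidental or malicious delete, so disabling it contradicts the reliability and security guidance this example is meant to demonstrate; I would set `enhancedSecurityState: 'Enabled'` and `softDeleteFeatureState: 'Enabled'`, or drop `backupConfig` so the service default applies. If the values are relaxed on purpose so the e2e cleanup can remove the vault and its policies, state that in a comment such as `// Soft delete disabled only so the e2e cleanup can delete the vault; keep it enabled outside tests`, since the README example is generated from this file and will otherwise present the relaxed setting as the recommended one. `immutabilitySettings.state: 'Unlocked'` is a reasonable choice for a test because the locked state is irreversible, and a short comment saying so would stop readers from reading it as a weakening.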

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rnwaf' + params: { + // Required parameters + name: 'rnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + hybridConnections: [ + { + name: 'rnwafhc001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + subnet: { + id: '' + ignoreMissingVnetServiceEndpoint: true + } + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + wcfRelays: [ + { + name: 'rnwafwcf001' + relayType: 'NetTcp' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + 
roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hybridConnections": { + "value": [ + { + "name": "rnwafhc001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "userMetadata": "[{\"key\":\"endpoint\",\"value\":\"db-server.constoso.com:1433\"}]" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "subnet": { + "id": "", + "ignoreMissingVnetServiceEndpoint": true + } + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + 
}, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "wcfRelays": { + "value": [ + { + "name": "rnwafwcf001", + "relayType": "NetTcp", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..cf1b2ab392
--- /dev/null
+++ b/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,60 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..2e3268af07
--- /dev/null
+++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,181 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'rnwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ skuName: 'Standard'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ networkRuleSets: {
+ defaultAction: 'Deny'
+ trustedServiceAccessEnabled: true
+ virtualNetworkRules: [
+ {
+ subnet: {
+ ignoreMissingVnetServiceEndpoint: true
+ id: nestedDependencies.outputs.subnetResourceId
+ }
+ }
+ ]
+ ipRules: [
+ {
+ ipMask: '10.0.1.0/32'
+ action: 'Allow'
+ }
+ {
+ ipMask: '10.0.2.0/32'
+ action: 'Allow'
+ }
+ ]
+ }
+ authorizationRules: [
+ {
+ name: 'RootManageSharedAccessKey'
+ rights: [
+ 'Listen'
+ 'Manage'
+ 'Send'
+ ]
+ }
+ {
+ name: 'AnotherKey'
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ ]
+ hybridConnections: [
+ {
+ name: '${namePrefix}${serviceShort}hc001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]'
+ }
+ ]
+ wcfRelays: [
+ {
+ name: '${namePrefix}${serviceShort}wcf001'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ relayType: 'NetTcp'
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ privateEndpoints: [
+ {
+ service: 'namespace'
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ }
+}
diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md
index b0a81c470e..b9d4187d55 100644
--- a/modules/resource-graph/query/README.md
+++ b/modules/resource-graph/query/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -175,6 +176,100 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = {
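Review bot: The `networkRuleSets` block in testDeployment does not restrict access in the way a WAF-aligned example implies. The two `ipRules` entries use RFC 1918 addresses (`10.0.1.0/32`, `10.0.2.0/32`); as far as I know the namespace IP filter is evaluated against the caller's public source address, so these entries can never match and the effective policy is `defaultAction: 'Deny'` plus the private endpoint. The `virtualNetworkRules` entry leans on `ignoreMissingVnetServiceEndpoint: true`, and the subnet created in dependencies.bicep in this same commit declares no service endpoint, so that rule is not exercised either. If these are deliberate placeholders, say so with a comment such as `// Placeholder rules: real deployments should list the public egress IPs and a subnet with the service endpoint enabled`. Separately, `userMetadata` spells the hostname `db-server.constoso.com`; presumably `contoso` was intended.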

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module query 'br:bicep/modules/resource-graph.query:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rgqwaf' + params: { + // Required parameters + name: 'rgqwaf001' + query: 'resources | take 10' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + queryDescription: 'An example query to list first 10 resources in the subscription.' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rgqwaf001" + }, + "query": { + "value": "resources | take 10" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "queryDescription": { + "value": "An example query to list first 10 resources in the subscription." + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5858166d43 --- /dev/null +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,74 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'rgqwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ query: 'resources | take 10'
+ queryDescription: 'An example query to list first 10 resources in the subscription.'
+ }
+}
diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md
index e80ab43762..6e0fab2365
--- a/modules/resources/resource-group/README.md
+++ b/modules/resources/resource-group/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -163,6 +164,92 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rrgwaf' + params: { + // Required parameters + name: 'rrgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rrgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8d9be85388
--- /dev/null
+++ b/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,17 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+ tags: {
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..d5e6d7df88
--- /dev/null
+++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,71 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'rrgwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md
index 3a6fe2f628..94d3e8eeff
--- a/modules/search/search-service/README.md
+++ b/modules/search/search-service/README.md
@@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_
@@ -395,6 +396,198 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssswaf' + params: { + // Required parameters + name: 'ssswaf001' + // Non-required parameters + authOptions: { + aadOrApiKey: { + aadAuthFailureMode: 'http401WithBearerChallenge' + } + } + cmkEnforcement: 'Enabled' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: false + enableDefaultTelemetry: '' + hostingMode: 'highDensity' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + networkRuleSet: { + ipRules: [ + { + value: '40.74.28.0/23' + } + { + value: '87.147.204.13' + } + ] + } + partitionCount: 2 + replicaCount: 3 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Search Service Contributor' + } + ] + sku: 'standard3' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssswaf001" + }, + // Non-required parameters + "authOptions": { + "value": { + "aadOrApiKey": { + "aadAuthFailureMode": "http401WithBearerChallenge" + } + } + }, + "cmkEnforcement": { + "value": "Enabled" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hostingMode": { + "value": "highDensity" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "networkRuleSet": { + "value": { + "ipRules": [ + { + "value": "40.74.28.0/23" + }, + { + "value": "87.147.204.13" + } + ] + } + }, + "partitionCount": { + "value": 2 + }, + "replicaCount": { + "value": 3 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Search Service Contributor" + } + ] + }, + "sku": { + "value": "standard3" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..8413dfd20e
--- /dev/null
+++ b/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Required. The name of the managed identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..c01e840d45
--- /dev/null
+++ b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,129 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'ssswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ sku: 'standard3'
+ cmkEnforcement: 'Enabled'
+ disableLocalAuth: false
+ authOptions: {
+ aadOrApiKey: {
+ aadAuthFailureMode: 'http401WithBearerChallenge'
+ }
+ }
+ hostingMode: 'highDensity'
+ partitionCount: 2
+ replicaCount: 3
+ managedIdentities: {
+ systemAssigned: true
+ }
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'Search Service Contributor'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ networkRuleSet: {
+ ipRules: [
+ {
+ value: '40.74.28.0/23'
+ }
+ {
+ value: '87.147.204.13'
+ }
+ ]
+ }
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md
index ea0247aee2..f3a67e036f
--- a/modules/security/azure-security-center/README.md
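Review bot: The testDeployment params in search-service/tests/e2e/waf-aligned/main.test.bicep keep API-key access alive for a test labelled WAF-aligned: `disableLocalAuth: false` together with `authOptions.aadOrApiKey` means keys remain a valid credential next to Entra ID, and the README example generated from this file presents that as the recommended shape. An identity-only configuration would be `disableLocalAuth: true` with the `authOptions` block removed (the service rejects authOptions when local auth is disabled, as far as I recall); if keys are deliberately kept so the e2e pipeline can query the service, a comment such as `// local auth kept enabled for pipeline access; prefer disableLocalAuth: true in real deployments` should say so. The `networkRuleSet.ipRules` entries also allow-list two public ranges without a visible `publicNetworkAccess` setting, so whether the service ends up reachable from the internet depends on a module default this hunk does not show; a one-line comment stating the intended exposure would help readers copying the example.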
+++ b/modules/security/azure-security-center/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/security.azure-security-center:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -93,6 +94,68 @@ module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sascwaf' + params: { + // Required parameters + workspaceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + securityContactProperties: { + alertNotifications: 'Off' + alertsToAdmins: 'Off' + email: 'foo@contoso.com' + phone: '+12345678' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "workspaceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "securityContactProperties": { + "value": { + "alertNotifications": "Off", + "alertsToAdmins": "Off", + "email": "foo@contoso.com", + "phone": "+12345678" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..cc24476629
--- /dev/null
+++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..1bb6ec0985
--- /dev/null
+++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,62 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sascwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ scope: '/subscriptions/${subscription().subscriptionId}'
+ workspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
+ securityContactProperties: {
+ alertNotifications: 'Off'
+ alertsToAdmins: 'Off'
+ email: 'foo@contoso.com'
+ phone: '+12345678'
+ }
+ }
+}
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index 60aef288fd..db6e405643
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -41,6 +41,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_
@@ -754,6 +755,396 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
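Review bot: `securityContactProperties` in azure-security-center/tests/e2e/waf-aligned/main.test.bicep switches alerting off (`alertNotifications: 'Off'`, `alertsToAdmins: 'Off'`), so a test whose metadata describes it as Well-Architected-aligned — and the README example generated from it — shows a security contact that never receives Defender for Cloud alerts. If the values are chosen to keep CI runs from mailing a placeholder address, say so next to the block, e.g. `// Notifications disabled to keep CI quiet; enable them in real deployments`; otherwise `alertNotifications: 'On'` would match the stated intent better. The contact e-mail and phone are obviously sample values, which is fine for a fixture, but the comment should make clear they are not a recommendation.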

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sbnwaf' + params: { + // Required parameters + name: 'sbnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + minimumTlsVersion: '1.2' + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: '' + } + ] + } + premiumMessagingPartitions: 1 + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + queues: [ + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 + name: 'sbnwafq001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 
'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 2 + skuName: 'Premium' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + topics: [ + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + name: 'sbnwaft001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sbnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnetResourceId": "" + } + ] + } + }, + "premiumMessagingPartitions": { + "value": 1 + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "queues": { + "value": [ + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + 
"Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ], + "autoDeleteOnIdle": "PT5M", + "maxMessageSizeInKilobytes": 2048, + "name": "sbnwafq001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "topics": { + "value": [ + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ], + "name": "sbnwaft001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..07a2e7878c --- /dev/null +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,63 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.servicebus.windows.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..2d7aac3873
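Review bot: `addressPrefix: cidrSubnet(addressPrefix, 16, 0)` in service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep hands the whole `10.0.0.0/16` VNet range to the single `defaultSubnet`; Azure accepts a subnet equal to the address space, but it looks like a typo for the usual `cidrSubnet(addressPrefix, 24, 0)` and leaves no room for a second subnet if the fixture grows. The subnet also declares no `serviceEndpoints`, which is why the sibling main.test.bicep has to set `ignoreMissingVnetServiceEndpoint: true` on its virtual network rule; a comment on the subnet such as `// no Microsoft.ServiceBus service endpoint: the namespace rule relies on ignoreMissingVnetServiceEndpoint` would keep that coupling visible. The private DNS zone name `privatelink.servicebus.windows.net` and `registrationEnabled: false` on the link look right for a namespace private endpoint.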
--- /dev/null
+++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,226 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sbnwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'Premium' + skuCapacity: 2 + premiumMessagingPartitions: 1 + zoneRedundant: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + networkRuleSets: { + defaultAction: 'Deny' + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + ipRules: [ + { + ipMask: '10.0.1.0/32' + action: 'Allow' + } + { + ipMask: '10.0.2.0/32' + action: 'Allow' + } + ] + } + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + queues: [ + { + name: '${namePrefix}${serviceShort}q001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 + } + ] + topics: [ + { + name: '${namePrefix}${serviceShort}t001' + 
roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + privateEndpoints: [ + { + service: 'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + disableLocalAuth: true + publicNetworkAccess: 'Enabled' + minimumTlsVersion: '1.2' + } +} diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index ff6dbe1f65..e24432c80e 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Cert](#example-1-cert) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Cert_ 
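Review bot: `publicNetworkAccess: 'Enabled'` near the end of the `testDeployment` params leaves the namespace reachable from the public network even though the same example provisions a private endpoint and sets `networkRuleSets.defaultAction: 'Deny'`; for a WAF-aligned example the expected posture is `publicNetworkAccess: 'Disabled'` with access only through the private endpoint (and `ipRules` then become meaningless). The `virtualNetworkRules` entry is only accepted because of `ignoreMissingVnetServiceEndpoint: true`; the subnet built by `dependencies.bicep` carries no service endpoint, so that rule is currently inert. The `authorizationRules` (including `RootManageSharedAccessKey` with `Manage`) are created while `disableLocalAuth: true` makes SAS unusable, which is fine for coverage, but a one-line comment such as `// SAS rules are provisioned for coverage only; disableLocalAuth blocks their use` would stop readers from reading it as a misconfiguration.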
@@ -649,6 +650,420 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sfcwaf' + params: { + // Required parameters + managementEndpoint: 'https://sfcwaf001.westeurope.cloudapp.azure.com:19080' + name: 'sfcwaf001' + nodeTypes: [ + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Silver' + ephemeralPorts: { + endPort: 65534 + startPort: 49152 + } + httpGatewayEndpointPort: 19080 + isPrimary: true + isStateless: false + multipleAvailabilityZones: false + name: 'Node01' + placementProperties: {} + reverseProxyEndpointPort: '' + vmInstanceCount: 5 + } + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Bronze' + ephemeralPorts: { + endPort: 64000 + httpGatewayEndpointPort: 19007 + isPrimary: true + name: 'Node02' + startPort: 49000 + vmInstanceCount: 5 + } + } + ] + reliabilityLevel: 'Silver' + // Non-required parameters + addOnFeatures: [ + 'BackupRestoreService' + 'DnsService' + 'RepairManager' + 'ResourceMonitorService' + ] + applicationTypes: [ + { + name: 'WordCount' + } + ] + azureActiveDirectory: { + clientApplication: '' + clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' + tenantId: '' + } + certificateCommonNames: { + commonNames: [ + { + certificateCommonName: 'certcommon' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + } + ] + x509StoreName: '' + } + clientCertificateCommonNames: [ + { + certificateCommonName: 'clientcommoncert1' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateCommonName: 'clientcommoncert2' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + clientCertificateThumbprints: [ + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + 
certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + diagnosticsStorageAccountConfig: { + blobEndpoint: '' + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: '' + storageAccountName: '' + tableEndpoint: '' + } + enableDefaultTelemetry: '' + fabricSettings: [ + { + name: 'Security' + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + } + { + name: 'UpgradeService' + parameters: [ + { + name: 'AppPollIntervalInSeconds' + value: '60' + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxUnusedVersionsToKeep: 2 + notifications: [ + { + isEnabled: true + notificationCategory: 'WaveProgress' + notificationLevel: 'Critical' + notificationTargets: [ + { + notificationChannel: 'EmailUser' + receivers: [ + 'SomeReceiver' + ] + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + clusterName: 'sfcwaf001' + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Service Fabric' + } + upgradeDescription: { + deltaHealthPolicy: { + maxPercentDeltaUnhealthyApplications: 0 + maxPercentDeltaUnhealthyNodes: 0 + maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 + } + forceRestart: false + healthCheckRetryTimeout: '00:45:00' + healthCheckStableDuration: '00:01:00' + healthCheckWaitDuration: '00:00:30' + healthPolicy: { + maxPercentUnhealthyApplications: 0 + maxPercentUnhealthyNodes: 0 + } + upgradeDomainTimeout: '02:00:00' + upgradeReplicaSetCheckTimeout: '1.00:00:00' + upgradeTimeout: '02:00:00' + } + vmImage: 'Linux' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "managementEndpoint": { + "value": "https://sfcwaf001.westeurope.cloudapp.azure.com:19080" + }, + "name": { + "value": "sfcwaf001" + }, + "nodeTypes": { + "value": [ + { + "applicationPorts": { + "endPort": 30000, + "startPort": 20000 + }, + "clientConnectionEndpointPort": 19000, + "durabilityLevel": "Silver", + "ephemeralPorts": { + "endPort": 65534, + "startPort": 49152 + }, + "httpGatewayEndpointPort": 19080, + "isPrimary": true, + "isStateless": false, + "multipleAvailabilityZones": false, + "name": "Node01", + "placementProperties": {}, + "reverseProxyEndpointPort": "", + "vmInstanceCount": 5 + }, + { + "applicationPorts": { + "endPort": 30000, + "startPort": 20000 + }, + "clientConnectionEndpointPort": 19000, + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": 64000, + "httpGatewayEndpointPort": 19007, + "isPrimary": true, + "name": "Node02", + "startPort": 49000, + "vmInstanceCount": 5 + } + } + ] + }, + "reliabilityLevel": { + "value": "Silver" + }, + // Non-required parameters + "addOnFeatures": { + "value": [ + "BackupRestoreService", + "DnsService", + "RepairManager", + "ResourceMonitorService" + ] + }, + "applicationTypes": { + "value": [ + { + "name": "WordCount" + } + ] + }, + "azureActiveDirectory": { + "value": { + "clientApplication": "", + "clusterApplication": "cf33fea8-b30f-424f-ab73-c48d99e0b222", + "tenantId": "" + } + }, + "certificateCommonNames": { + "value": { + "commonNames": [ + { + "certificateCommonName": "certcommon", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130" + } + ], + "x509StoreName": "" + } + }, + "clientCertificateCommonNames": { + "value": [ + { + "certificateCommonName": "clientcommoncert1", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", + "isAdmin": 
false + }, + { + "certificateCommonName": "clientcommoncert2", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", + "isAdmin": false + } + ] + }, + "clientCertificateThumbprints": { + "value": [ + { + "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", + "isAdmin": false + }, + { + "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", + "isAdmin": false + } + ] + }, + "diagnosticsStorageAccountConfig": { + "value": { + "blobEndpoint": "", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "", + "storageAccountName": "", + "tableEndpoint": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fabricSettings": { + "value": [ + { + "name": "Security", + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + } + ] + }, + { + "name": "UpgradeService", + "parameters": [ + { + "name": "AppPollIntervalInSeconds", + "value": "60" + } + ] + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maxUnusedVersionsToKeep": { + "value": 2 + }, + "notifications": { + "value": [ + { + "isEnabled": true, + "notificationCategory": "WaveProgress", + "notificationLevel": "Critical", + "notificationTargets": [ + { + "notificationChannel": "EmailUser", + "receivers": [ + "SomeReceiver" + ] + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "clusterName": "sfcwaf001", + "hidden-title": "This is visible in the resource name", + "resourceType": "Service Fabric" + } + }, + "upgradeDescription": { + "value": { + "deltaHealthPolicy": { + "maxPercentDeltaUnhealthyApplications": 0, + "maxPercentDeltaUnhealthyNodes": 0, + "maxPercentUpgradeDomainDeltaUnhealthyNodes": 0 + }, + "forceRestart": false, + "healthCheckRetryTimeout": "00:45:00", + "healthCheckStableDuration": "00:01:00", + 
"healthCheckWaitDuration": "00:00:30", + "healthPolicy": { + "maxPercentUnhealthyApplications": 0, + "maxPercentUnhealthyNodes": 0 + }, + "upgradeDomainTimeout": "02:00:00", + "upgradeReplicaSetCheckTimeout": "1.00:00:00", + "upgradeTimeout": "02:00:00" + } + }, + "vmImage": { + "value": "Linux" + } + } +} +``` + +
+

+
 ## Parameters
diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..3cf8c25ddd
--- /dev/null
+++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,31 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the storage account to create.')
+param storageAccountName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
+ name: storageAccountName
+ location: location
+ kind: 'StorageV2'
+ sku: {
+ name: 'Standard_LRS'
+ }
+ properties: {
+ allowBlobPublicAccess: false
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The name of the created Storage Account.')
+output storageAccountName string = storageAccount.name
diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..6b1ad668cc
--- /dev/null
+++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep
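Review bot: The storage account in the service-fabric `dependencies.bicep` hunk (`@@ -0,0 +1,31 @@`) hardens only `allowBlobPublicAccess: false`; it is handed to the cluster as its diagnostics store via the `storageAccountName` output, so a WAF-aligned fixture should also pin `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` inside `properties` rather than rely on the 2021-08-01 API defaults. The cluster appears to consume the account through an account key (`protectedAccountKeyName: 'StorageAccountKey1'` in the test), so shared-key access must stay enabled on this account; a comment on the resource such as `// Shared-key access is required: the cluster reads diagnostics via protectedAccountKeyName` would keep a later hardening pass from breaking the fixture.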
@@ -0,0 +1,225 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sfcwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the 
resource name' + resourceType: 'Service Fabric' + clusterName: '${namePrefix}${serviceShort}001' + } + addOnFeatures: [ + 'RepairManager' + 'DnsService' + 'BackupRestoreService' + 'ResourceMonitorService' + ] + maxUnusedVersionsToKeep: 2 + azureActiveDirectory: { + clientApplication: nestedDependencies.outputs.managedIdentityPrincipalId + clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' + tenantId: tenant().tenantId + } + certificateCommonNames: { + commonNames: [ + { + certificateCommonName: 'certcommon' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + } + ] + x509StoreName: '' + } + clientCertificateCommonNames: [ + { + certificateCommonName: 'clientcommoncert1' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateCommonName: 'clientcommoncert2' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + clientCertificateThumbprints: [ + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + diagnosticsStorageAccountConfig: { + blobEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}/' + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.queue.${environment().suffixes.storage}/' + storageAccountName: nestedDependencies.outputs.storageAccountName + tableEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.table.${environment().suffixes.storage}/' + } + fabricSettings: [ + { + name: 'Security' + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + } + { + name: 'UpgradeService' + parameters: [ + { + name: 'AppPollIntervalInSeconds' + value: '60' + } + ] + } + ] + managementEndpoint: 
'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080' + reliabilityLevel: 'Silver' + nodeTypes: [ + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Silver' + ephemeralPorts: { + endPort: 65534 + startPort: 49152 + } + httpGatewayEndpointPort: 19080 + isPrimary: true + name: 'Node01' + + isStateless: false + multipleAvailabilityZones: false + + placementProperties: {} + reverseProxyEndpointPort: '' + vmInstanceCount: 5 + } + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Bronze' + ephemeralPorts: { + endPort: 64000 + startPort: 49000 + httpGatewayEndpointPort: 19007 + isPrimary: true + name: 'Node02' + vmInstanceCount: 5 + } + } + ] + notifications: [ + { + isEnabled: true + notificationCategory: 'WaveProgress' + notificationLevel: 'Critical' + notificationTargets: [ + { + notificationChannel: 'EmailUser' + receivers: [ + 'SomeReceiver' + ] + } + ] + } + ] + upgradeDescription: { + forceRestart: false + upgradeReplicaSetCheckTimeout: '1.00:00:00' + healthCheckWaitDuration: '00:00:30' + healthCheckStableDuration: '00:01:00' + healthCheckRetryTimeout: '00:45:00' + upgradeTimeout: '02:00:00' + upgradeDomainTimeout: '02:00:00' + healthPolicy: { + maxPercentUnhealthyNodes: 0 + maxPercentUnhealthyApplications: 0 + } + deltaHealthPolicy: { + maxPercentDeltaUnhealthyNodes: 0 + maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 + maxPercentDeltaUnhealthyApplications: 0 + } + + } + vmImage: 'Linux' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + applicationTypes: [ + { + name: 'WordCount' // not idempotent + } + ] + } +} diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 8a20ce6637..0650ea90d4 100644 
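Review bot: `managementEndpoint` hard-codes `westeurope` in `'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080'` while every other resource in the test follows the `location` parameter, so running the test in another region yields an endpoint that does not match the deployment; `'https://${namePrefix}${serviceShort}001.${location}.cloudapp.azure.com:19080'` keeps them in step. `azureActiveDirectory.clientApplication` is fed `nestedDependencies.outputs.managedIdentityPrincipalId`, which is the identity's object (principal) ID, whereas a client application setting normally expects an application (client) ID; the dependency module only outputs `principalId`, so a `managedIdentity.properties.clientId` output would be needed to wire this correctly — confirm against the module's parameter description. The `certificateIssuerThumbprint`/`certificateThumbprint` values are 35 hex characters and therefore not SHA-1 thumbprints; if they are deliberate placeholders, a short comment saying so would stop them being copied into real deployments.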
--- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -271,6 +272,198 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-srssrwaf' + params: { + // Required parameters + name: 'srssrwaf-001' + // Non-required parameters + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + enableDefaultTelemetry: '' + kind: 'SignalR' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-srssrwaf-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard_S1' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srssrwaf-001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "clientCertEnabled": { + "value": false + }, + "disableAadAuth": { + "value": false + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "kind": { + "value": "SignalR" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkAcls": { + "value": { + "defaultAction": "Allow", + "privateEndpoints": [ + { + "allow": [], + "deny": [ + "ServerConnection", + "Trace" + ], + "name": "pe-srssrwaf-001" + } + ], + "publicNetwork": { + "allow": [], + "deny": [ + "RESTAPI", + "Trace" + ] + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "resourceLogConfigurationsToEnable": { + "value": [ + "ConnectivityLogs" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard_S1" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+
 ## Parameters
diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..3f02e7b5ad
--- /dev/null
+++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,62 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ privateEndpointNetworkPolicies: 'Disabled'
+ privateLinkServiceNetworkPolicies: 'Enabled'
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.service.signalr.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..5c88da4283
--- /dev/null
+++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,117 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'srssrwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}-001' + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + location: location + lock: { + kind: 
'CanNotDelete' + name: 'myCustomLockName' + } + kind: 'SignalR' + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-${namePrefix}-${serviceShort}-001' + + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + sku: 'Standard_S1' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index de04a9437c..80d94432be 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -367,6 +368,204 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {
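Review bot: `networkAcls.defaultAction: 'Allow'` together with `publicNetwork.deny: ['RESTAPI', 'Trace']` still admits `ClientConnection` and `ServerConnection` over the public endpoint, so the private endpoint configured directly below is optional rather than enforced; for a test whose metadata claims WAF alignment, `defaultAction: 'Deny'` with the wanted request types moved into `privateEndpoints[].allow` (or a comment stating that public client access is intended) would match the description. The web-pub-sub `main.test.bicep` hunk below carries the identical ACL block. Two consistency points against that sibling file: the banner reads `// Deployments //` where the sibling has `// Dependencies //`, and the nested module is named `-paramNested` while `testDeployment` uses `uniqueString(deployment().name)` without `location`; aligning these to `-nestedDependencies` and `uniqueString(deployment().name, location)` keeps the two tests diffable. There is also a stray blank line inside the `privateEndpoints` ACL object after `name: 'pe-${namePrefix}-${serviceShort}-001'`.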

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-srswpswaf' + params: { + // Required parameters + name: 'srswpswaf-001' + // Non-required parameters + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-srswpswaf-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'webpubsub' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard_S1' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srswpswaf-001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "clientCertEnabled": { + "value": false + }, + "disableAadAuth": { + "value": false + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "networkAcls": { + "value": { + "defaultAction": "Allow", + "privateEndpoints": [ + { + "allow": [], + "deny": [ + "ServerConnection", + "Trace" + ], + "name": "pe-srswpswaf-001" + } + ], + "publicNetwork": { + "allow": [], + "deny": [ + "RESTAPI", + "Trace" + ] + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "webpubsub", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "resourceLogConfigurationsToEnable": { + "value": [ + "ConnectivityLogs" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard_S1" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..53f60ba74f --- /dev/null +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,62 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ privateEndpointNetworkPolicies: 'Disabled'
+ privateLinkServiceNetworkPolicies: 'Enabled'
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.webpubsub.azure.com'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..2391c085b0
--- /dev/null
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,119 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'srswpswaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}-001' + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + location: location + 
lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-${namePrefix}-${serviceShort}-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'webpubsub' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + sku: 'Standard_S1' + managedIdentities: { + systemAssigned: true + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 14c4696753..c16e126709 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Vulnassm](#example-3-vulnassm) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -505,6 +506,298 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlmiwaf' + params: { + // Required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + name: 'sqlmiwaf' + subnetId: '' + // Non-required parameters + collation: 'SQL_Latin1_General_CP1_CI_AS' + databases: [ + { + backupLongTermRetentionPolicies: { + name: 'default' + } + backupShortTermRetentionPolicies: { + name: 'default' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + name: 'sqlmiwaf-db-001' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + dnsZonePartner: '' + enableDefaultTelemetry: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + hardwareFamily: 'Gen5' + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + licenseType: 'LicenseIncluded' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentityId: '' + proxyOverride: 'Proxy' + publicDataEndpointEnabled: false + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityAlertPoliciesObj: { + emailAccountAdmins: true + name: 'default' + state: 'Enabled' + } + servicePrincipal: 'SystemAssigned' + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + storageSizeInGB: 32 + timezoneId: 'UTC' + vCores: 4 + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 
'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "name": { + "value": "sqlmiwaf" + }, + "subnetId": { + "value": "" + }, + "collation": { + "value": "SQL_Latin1_General_CP1_CI_AS" + }, + "databases": { + "value": [ + { + "backupLongTermRetentionPolicies": { + "name": "default" + }, + "backupShortTermRetentionPolicies": { + "name": "default" + }, + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "name": "sqlmiwaf-db-001" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "dnsZonePartner": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionProtectorObj": { + "value": { + "serverKeyName": "", + "serverKeyType": "AzureKeyVault" + } + }, + "hardwareFamily": { + "value": "Gen5" + }, + "keys": { + "value": [ + { + "name": "", + "serverKeyType": "AzureKeyVault", + "uri": "" + } + ] + }, + "licenseType": { + "value": "LicenseIncluded" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "proxyOverride": { + "value": "Proxy" + }, + "publicDataEndpointEnabled": { + "value": false + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + 
"roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPoliciesObj": { + "value": { + "emailAccountAdmins": true, + "name": "default", + "state": "Enabled" + } + }, + "servicePrincipal": { + "value": "SystemAssigned" + }, + "skuName": { + "value": "GP_Gen5" + }, + "skuTier": { + "value": "GeneralPurpose" + }, + "storageSizeInGB": { + "value": 32 + }, + "timezoneId": { + "value": "UTC" + }, + "vCores": { + "value": 4 + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..c4e9dfd575 --- /dev/null +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,350 @@ +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Route Table to create.') +param routeTableName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +var addressPrefix = '10.0.0.0/16' +var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-') + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: { + securityRules: [ + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI provisioning Control Plane Deployment and Authentication Service' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'SqlManagement' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 100 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1438' + '1440' + '1452' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetSaw' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 101 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1440' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability through Corpnet ranges' + protocol: 'Tcp' 
+ sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetPublic' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 102 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10' + properties: { + description: 'Allow Azure Load Balancer inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'AzureLoadBalancer' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 103 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 104 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI services outbound traffic over https' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'AzureCloud' + access: 'Allow' + priority: 100 + direction: 'Outbound' + destinationPortRanges: [ + '443' + '12000' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal outbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 101 + direction: 'Outbound' + } + } + ] + } +} + +resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = { + name: routeTableName + location: location + properties: { + disableBgpRoutePropagation: false + routes: [ + { + name: 
'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal' + properties: { + addressPrefix: addressPrefix + nextHopType: 'VnetLocal' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage' + properties: { + addressPrefix: 'Storage' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement' + properties: { + addressPrefix: 'SqlManagement' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor' + properties: { + addressPrefix: 'AzureMonitor' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw' + properties: { + addressPrefix: 'CorpNetSaw' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic' + properties: { + addressPrefix: 'CorpNetPublic' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory' + properties: { + addressPrefix: 'AzureActiveDirectory' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope' + properties: { + addressPrefix: 'AzureCloud.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope' + properties: { + addressPrefix: 'AzureCloud.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope' + properties: { + addressPrefix: 'Storage.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope' + properties: { + addressPrefix: 'Storage.northeurope' + nextHopType: 'Internet' + hasBgpOverride: 
false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope' + properties: { + addressPrefix: 'EventHub.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope' + properties: { + addressPrefix: 'EventHub.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + ] + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'ManagedInstance' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + routeTable: { + id: routeTable.id + } + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'managedInstanceDelegation' + properties: { + serviceName: 'Microsoft.Sql/managedInstances' + } + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The URL of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault.') +output keyVaultName string = keyVault.name diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c5846900f8 --- /dev/null +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep 
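Review bot: The route table hard-codes `westeurope` and `northeurope` in the `AzureCloud.*`, `Storage.*` and `EventHub.*` routes while every resource in this file is placed at `param location`, so running the test in another region presumably leaves the managed-instance subnet with routes that do not match where it is deployed; the primary-region entries could be derived as `addressPrefix: 'AzureCloud.${location}'` (with the route names built the same way), and the paired-region entries deserve a comment stating that they assume a West Europe / North Europe pairing. On the Key Vault, `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` are all `true` although the only consumer visible here is the `keyPermissions` RBAC grant to the managed identity; those flags widen which Azure services may read vault contents and can be `false` for this test. The `CorpNetSaw`/`CorpNetPublic` inbound rules look like the older managed-instance subnet requirements; if they are still needed with this API version, a comment naming that requirement would stop the next maintainer from removing them as unexplained inbound allows.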
@@ -0,0 +1,181 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sqlmiwaf'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. 
A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}'
+ routeTableName: 'dep-${namePrefix}-rt-${serviceShort}'
+ location: location
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}'
+ administratorLogin: 'adminUserName'
+ administratorLoginPassword: password
+ subnetId: nestedDependencies.outputs.subnetResourceId
+ 
collation: 'SQL_Latin1_General_CP1_CI_AS'
+ databases: [
+ {
+ backupLongTermRetentionPolicies: {
+ name: 'default'
+ }
+ backupShortTermRetentionPolicies: {
+ name: 'default'
+ }
+ name: '${namePrefix}-${serviceShort}-db-001'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ }
+ ]
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ dnsZonePartner: ''
+ encryptionProtectorObj: {
+ serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+ serverKeyType: 'AzureKeyVault'
+ }
+ hardwareFamily: 'Gen5'
+ keys: [
+ {
+ name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+ serverKeyType: 'AzureKeyVault'
+ uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
+ }
+ ]
+ licenseType: 'LicenseIncluded'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
+ proxyOverride: 'Proxy'
+ publicDataEndpointEnabled: false
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: 
nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ securityAlertPoliciesObj: {
+ emailAccountAdmins: true
+ name: 'default'
+ state: 'Enabled'
+ }
+ servicePrincipal: 'SystemAssigned'
+ skuName: 'GP_Gen5'
+ skuTier: 'GeneralPurpose'
+ storageSizeInGB: 32
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ timezoneId: 'UTC'
+ vCores: 4
+ vulnerabilityAssessmentsObj: {
+ emailSubscriptionAdmins: true
+ name: 'default'
+ recurringScansEmails: [
+ 'test1@contoso.com'
+ 'test2@contoso.com'
+ ]
+ recurringScansIsEnabled: true
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ }
+}
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 329f0f3f82..95b1c24ad9 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -45,6 +45,7 @@ The following section provides usage examples for the module, which were used to - [Pe](#example-3-pe) - [Secondary](#example-4-secondary) - [Vulnassm](#example-5-vulnassm) +- [WAF-aligned](#example-6-waf-aligned) + ### Example 1: _Admin_
@@ -734,6 +735,324 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
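Review bot: The `tags` block at the end of the `testDeployment` params sits inside `vulnerabilityAssessmentsObj` rather than at the `params` level, judging by the closing braces that follow `storageAccountResourceId`, so the managed instance itself is deployed without the `hidden-title`/`Environment`/`Role` tags that the sql/server WAF-aligned test in this commit applies at the top level; whether the module ignores the extra property or rejects it cannot be told from this hunk. Moving the closing `}` of `vulnerabilityAssessmentsObj` up so that it precedes `tags: {` restores the intended nesting. The `newGuid()` default for `password` and the `baseTime`-suffixed Key Vault name are appropriate for a throwaway validation deployment.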

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/sql.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlswaf' + params: { + // Required parameters + name: 'sqlswaf' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + backupLongTermRetentionPolicy: { + monthlyRetention: 'P6M' + } + backupShortTermRetentionPolicy: { + retentionDays: 14 + } + capacity: 0 + collation: 'SQL_Latin1_General_CP1_CI_AS' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + elasticPoolId: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + licenseType: 'LicenseIncluded' + maxSizeBytes: 34359738368 + name: 'sqlswafdb-001' + skuName: 'ElasticPool' + skuTier: 'GeneralPurpose' + } + ] + elasticPools: [ + { + maintenanceConfigurationId: '' + name: 'sqlswaf-ep-001' + skuCapacity: 10 + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + } + ] + enableDefaultTelemetry: '' + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + ] + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentityId: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + restrictOutboundNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityAlertPolicies: [ + { + emailAccountAdmins: true + 
name: 'Default' + state: 'Enabled' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + name: 'newVnetRule1' + virtualNetworkSubnetId: '' + } + ] + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sqlswaf" + }, + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "databases": { + "value": [ + { + "backupLongTermRetentionPolicy": { + "monthlyRetention": "P6M" + }, + "backupShortTermRetentionPolicy": { + "retentionDays": 14 + }, + "capacity": 0, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "elasticPoolId": "", + "encryptionProtectorObj": { + "serverKeyName": "", + "serverKeyType": "AzureKeyVault" + }, + "licenseType": "LicenseIncluded", + "maxSizeBytes": 34359738368, + "name": "sqlswafdb-001", + "skuName": "ElasticPool", + "skuTier": "GeneralPurpose" + } + ] + }, + "elasticPools": { + "value": [ + { + "maintenanceConfigurationId": "", + "name": "sqlswaf-ep-001", + "skuCapacity": 10, + "skuName": "GP_Gen5", + "skuTier": "GeneralPurpose" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "firewallRules": { + "value": [ + { + "endIpAddress": "0.0.0.0", + "name": "AllowAllWindowsAzureIps", + "startIpAddress": "0.0.0.0" + } + ] + }, + "keys": { + "value": [ + { + "name": "", + "serverKeyType": "AzureKeyVault", + "uri": "" + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "sqlServer", + "subnetResourceId": "", + "tags": { + "Environment": 
"Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "restrictOutboundNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPolicies": { + "value": [ + { + "emailAccountAdmins": true, + "name": "Default", + "state": "Enabled" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "virtualNetworkRules": { + "value": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "name": "newVnetRule1", + "virtualNetworkSubnetId": "" + } + ] + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..5f68856202
--- /dev/null
+++ b/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,111 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: map(range(0, 2), i => {
+ name: 'subnet-${i}'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 24, i)
+ }
+ })
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink${environment().suffixes.sqlServerHostname}'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+
+ resource key 'keys@2022-07-01' = {
+ name: 'keyEncryptionKey'
+ properties: {
+ kty: 'RSA'
+ }
+ }
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: 
guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment')
+ scope: keyVault::key
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
+ principalType: 'ServicePrincipal'
+ }
+}
+
+@description('The principal ID of the created managed identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created managed identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created virtual network subnet for a Private Endpoint.')
+output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created virtual network subnet for a Service Endpoint.')
+output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnets[1].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The URL of the created Key Vault Encryption Key.')
+output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
+
+@description('The name of the created Key Vault Encryption Key.')
+output keyVaultKeyName string = keyVault::key.name
+
+@description('The name of the created Key Vault.')
+output keyVaultName string = keyVault.name
diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..c9e7ee69cf
--- /dev/null
+++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
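Review bot: `enablePurgeProtection: null` leaves purge protection off on a vault whose `keyEncryptionKey` the accompanying test then uses as the SQL server's `encryptionProtectorObj` with `serverKeyType: 'AzureKeyVault'`; a vault backing a customer-managed TDE key needs soft delete and purge protection, and the managed-instance dependencies file in this same commit sets `enablePurgeProtection: true` together with `softDeleteRetentionInDays: 7`. Suggest the same two lines here, `enablePurgeProtection: true` and `softDeleteRetentionInDays: 7`, and, since purge protection cannot be switched off again, a per-run unique vault name as the managed-instance test does with its `baseTime` suffix. The `subnet-0`/`subnet-1` split produced by `map(range(0, 2), …)` is only explained by the output descriptions at the bottom; a one-line comment on the `subnets:` expression naming which index is for the private endpoint and which for the service endpoint would help readers of the resource itself.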
@@ -0,0 +1,197 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sqlswaf'
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. 
A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ location: location
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}azsa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}-${serviceShort}'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
+ administratorLogin: 'adminUserName'
+ administratorLoginPassword: password
+ location: location
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ 
vulnerabilityAssessmentsObj: {
+ name: 'default'
+ emailSubscriptionAdmins: true
+ recurringScansIsEnabled: true
+ recurringScansEmails: [
+ 'test1@contoso.com'
+ 'test2@contoso.com'
+ ]
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ }
+ elasticPools: [
+ {
+ name: '${namePrefix}-${serviceShort}-ep-001'
+ skuName: 'GP_Gen5'
+ skuTier: 'GeneralPurpose'
+ skuCapacity: 10
+ // Pre-existing 'public' configuration
+ maintenanceConfigurationId: '${subscription().id}/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_${location}_DB_1'
+ }
+ ]
+ databases: [
+ {
+ name: '${namePrefix}-${serviceShort}db-001'
+ collation: 'SQL_Latin1_General_CP1_CI_AS'
+ skuTier: 'GeneralPurpose'
+ skuName: 'ElasticPool'
+ capacity: 0
+ maxSizeBytes: 34359738368
+ licenseType: 'LicenseIncluded'
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/${namePrefix}-${serviceShort}/elasticPools/${namePrefix}-${serviceShort}-ep-001'
+ encryptionProtectorObj: {
+ serverKeyType: 'AzureKeyVault'
+ serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+ }
+ backupShortTermRetentionPolicy: {
+ retentionDays: 14
+ }
+ backupLongTermRetentionPolicy: {
+ monthlyRetention: 'P6M'
+ }
+ }
+ ]
+ firewallRules: [
+ {
+ name: 'AllowAllWindowsAzureIps'
+ endIpAddress: '0.0.0.0'
+ startIpAddress: '0.0.0.0'
+ }
+ ]
+ securityAlertPolicies: [
+ {
+ name: 'Default'
+ state: 'Enabled'
+ emailAccountAdmins: true
+ }
+ ]
+ keys: 
[
+ {
+ name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+ serverKeyType: 'AzureKeyVault'
+ uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl
+ }
+ ]
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ privateEndpoints: [
+ {
+ subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId
+ service: 'sqlServer'
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ virtualNetworkRules: [
+ {
+ ignoreMissingVnetServiceEndpoint: true
+ name: 'newVnetRule1'
+ virtualNetworkSubnetId: nestedDependencies.outputs.serviceEndpointSubnetResourceId
+ }
+ ]
+ restrictOutboundNetworkAccess: 'Disabled'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 137e38dee2..4add2e1cc2 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -46,6 +46,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-3-using-large-parameter-set) - [Nfs](#example-4-nfs) - [V1](#example-5-v1) +- [WAF-aligned](#example-6-waf-aligned) + ### Example 1: _Using only defaults_
@@ -1108,6 +1109,620 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
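Review bot: The `firewallRules` entry `AllowAllWindowsAzureIps` with `startIpAddress: '0.0.0.0'` and `endIpAddress: '0.0.0.0'` is Azure SQL's sentinel rule that admits connections from any Azure-hosted public IP, not from a single host, which sits oddly in an example billed as WAF-aligned that also wires up a private endpoint, a VNet rule and `restrictOutboundNetworkAccess: 'Disabled'`. If the rule is needed for the validation run, the entry should carry a comment such as `// 0.0.0.0-0.0.0.0 is the 'Allow Azure services' sentinel rule, not a single host; kept for validation only`; otherwise it should be dropped from this variant. The `virtualNetworkRules` entry depends on `ignoreMissingVnetServiceEndpoint: true`, consistent with dependencies.bicep creating `subnet-1` without a `Microsoft.Sql` service endpoint, so that path is presumably not exercised end to end; a comment saying so on `newVnetRule1` would save the next reader the cross-check.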

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssawaf' + params: { + // Required parameters + name: 'ssawaf001' + // Non-required parameters + allowBlobPublicAccess: false + blobServices: { + automaticSnapshotPolicyEnabled: true + containerDeleteRetentionPolicyDays: 10 + containerDeleteRetentionPolicyEnabled: true + containers: [ + { + enableNfsV3AllSquash: true + enableNfsV3RootSquash: true + name: 'avdscripts' + publicAccess: 'None' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + allowProtectedAppendWrites: false + enableWORM: true + metadata: { + testKey: 'testValue' + } + name: 'archivecontainer' + publicAccess: 'None' + WORMRetention: 666 + } + ] + deleteRetentionPolicyDays: 9 + deleteRetentionPolicyEnabled: true + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + lastAccessTimeTrackingPolicyEnabled: true + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableHierarchicalNamespace: true + enableNfsV3: true + enableSftp: true + fileServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + shares: [ + { + accessTier: 'Hot' + name: 'avdprofiles' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + 
shareQuota: 5120 + } + { + name: 'avdprofiles2' + shareQuota: 102400 + } + ] + } + largeFileSharesState: 'Enabled' + localUsers: [ + { + hasSharedKey: false + hasSshKey: true + hasSshPassword: false + homeDirectory: 'avdscripts' + name: 'testuser' + permissionScopes: [ + { + permissions: 'r' + resourceName: 'avdscripts' + service: 'blob' + } + ] + storageAccountName: 'ssawaf001' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + managementPolicyRules: [ + { + definition: { + actions: { + baseBlob: { + delete: { + daysAfterModificationGreaterThan: 30 + } + tierToCool: { + daysAfterLastAccessTimeGreaterThan: 5 + } + } + } + filters: { + blobIndexMatch: [ + { + name: 'BlobIndex' + op: '==' + value: '1' + } + ] + blobTypes: [ + 'blockBlob' + ] + prefixMatch: [ + 'sample-container/log' + ] + } + } + enabled: true + name: 'FirstRule' + type: 'Lifecycle' + } + ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + value: '1.1.1.1' + } + ] + virtualNetworkRules: [ + { + action: 'Allow' + id: '' + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'blob' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + queueServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + queues: [ + { + metadata: { + key1: 'value1' + key2: 'value2' + } + name: 'queue1' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + metadata: {} + name: 'queue2' + } + ] + } + requireInfrastructureEncryption: true + roleAssignments: [ + { 
+ principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sasExpirationPeriod: '180.00:00:00' + skuName: 'Standard_LRS' + tableServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + tables: [ + 'table1' + 'table2' + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssawaf001" + }, + // Non-required parameters + "allowBlobPublicAccess": { + "value": false + }, + "blobServices": { + "value": { + "automaticSnapshotPolicyEnabled": true, + "containerDeleteRetentionPolicyDays": 10, + "containerDeleteRetentionPolicyEnabled": true, + "containers": [ + { + "enableNfsV3AllSquash": true, + "enableNfsV3RootSquash": true, + "name": "avdscripts", + "publicAccess": "None", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "allowProtectedAppendWrites": false, + "enableWORM": true, + "metadata": { + "testKey": "testValue" + }, + "name": "archivecontainer", + "publicAccess": "None", + "WORMRetention": 666 + } + ], + "deleteRetentionPolicyDays": 9, + "deleteRetentionPolicyEnabled": true, + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "lastAccessTimeTrackingPolicyEnabled": true + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableHierarchicalNamespace": { + "value": true + }, + "enableNfsV3": { + "value": true + }, + "enableSftp": { + "value": true + }, + "fileServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": 
"AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "shares": [ + { + "accessTier": "Hot", + "name": "avdprofiles", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "shareQuota": 5120 + }, + { + "name": "avdprofiles2", + "shareQuota": 102400 + } + ] + } + }, + "largeFileSharesState": { + "value": "Enabled" + }, + "localUsers": { + "value": [ + { + "hasSharedKey": false, + "hasSshKey": true, + "hasSshPassword": false, + "homeDirectory": "avdscripts", + "name": "testuser", + "permissionScopes": [ + { + "permissions": "r", + "resourceName": "avdscripts", + "service": "blob" + } + ], + "storageAccountName": "ssawaf001" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managementPolicyRules": { + "value": [ + { + "definition": { + "actions": { + "baseBlob": { + "delete": { + "daysAfterModificationGreaterThan": 30 + }, + "tierToCool": { + "daysAfterLastAccessTimeGreaterThan": 5 + } + } + }, + "filters": { + "blobIndexMatch": [ + { + "name": "BlobIndex", + "op": "==", + "value": "1" + } + ], + "blobTypes": [ + "blockBlob" + ], + "prefixMatch": [ + "sample-container/log" + ] + } + }, + "enabled": true, + "name": "FirstRule", + "type": "Lifecycle" + } + ] + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "1.1.1.1" + } + ], + "virtualNetworkRules": [ + { + "action": "Allow", + "id": "" + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "blob", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } 
+ } + ] + }, + "queueServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "queues": [ + { + "metadata": { + "key1": "value1", + "key2": "value2" + }, + "name": "queue1", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "metadata": {}, + "name": "queue2" + } + ] + } + }, + "requireInfrastructureEncryption": { + "value": true + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sasExpirationPeriod": { + "value": "180.00:00:00" + }, + "skuName": { + "value": "Standard_LRS" + }, + "tableServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "tables": [ + "table1", + "table2" + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..b7cff8b3d2
--- /dev/null
+++ b/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,68 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.Storage'
+ }
+ ]
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.blob.${environment().suffixes.storage}'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..0c03921624 --- /dev/null +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,333 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ssawaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + skuName: 'Standard_LRS' + allowBlobPublicAccess: false + requireInfrastructureEncryption: true + largeFileSharesState: 'Enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + enableHierarchicalNamespace: true + enableSftp: true + enableNfsV3: true + privateEndpoints: [ + { + service: 'blob' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + virtualNetworkRules: [ + { + action: 'Allow' + id: nestedDependencies.outputs.subnetResourceId + } + ] + ipRules: [ + { + action: 'Allow' + value: '1.1.1.1' + } + ] + } + localUsers: [ + { + storageAccountName: '${namePrefix}${serviceShort}001' + name: 'testuser' + hasSharedKey: false + hasSshKey: true + hasSshPassword: false + homeDirectory: 'avdscripts' + permissionScopes: [ + { + permissions: 'r' + service: 'blob' + resourceName: 'avdscripts' + } + ] + } + ] + blobServices: { + lastAccessTimeTrackingPolicyEnabled: true + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: 
diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + containers: [ + { + name: 'avdscripts' + enableNfsV3AllSquash: true + enableNfsV3RootSquash: true + publicAccess: 'None' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'archivecontainer' + publicAccess: 'None' + metadata: { + testKey: 'testValue' + } + enableWORM: true + WORMRetention: 666 + allowProtectedAppendWrites: false + } + ] + automaticSnapshotPolicyEnabled: true + containerDeleteRetentionPolicyEnabled: true + containerDeleteRetentionPolicyDays: 10 + deleteRetentionPolicyEnabled: true + deleteRetentionPolicyDays: 9 + } + fileServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + shares: [ + { + name: 'avdprofiles' + accessTier: 'Hot' + shareQuota: 5120 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'avdprofiles2' + shareQuota: 102400 + } + ] + } + tableServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: 
diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tables: [ + 'table1' + 'table2' + ] + } + queueServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + queues: [ + { + name: 'queue1' + metadata: { + key1: 'value1' + key2: 'value2' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'queue2' + metadata: {} + } + ] + } + sasExpirationPeriod: '180.00:00:00' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + managementPolicyRules: [ + { + enabled: true + name: 'FirstRule' + type: 'Lifecycle' + definition: { + actions: { + baseBlob: { + delete: { + daysAfterModificationGreaterThan: 30 + } + tierToCool: { 
+ daysAfterLastAccessTimeGreaterThan: 5 + } + } + } + filters: { + blobIndexMatch: [ + { + name: 'BlobIndex' + op: '==' + value: '1' + } + ] + blobTypes: [ + 'blockBlob' + ] + prefixMatch: [ + 'sample-container/log' + ] + } + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 6e5a8a801c..c023d34f2e 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -205,6 +206,132 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
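Review bot: The `ipRules` entry under `networkAcls` allow-lists `1.1.1.1`, a routable third-party address, in a fixture that is labelled WAF-aligned and is copied verbatim into the module README, so readers may carry that rule into real deployments. A comment on the entry would make its role clear, e.g. `value: '1.1.1.1' // placeholder public IP for the e2e run, not a recommendation`. The `localUsers` entry sets `hasSshKey: true` but supplies no key material; if the module expects an accompanying key list for SSH-key users, this fixture only exercises the flag. The example also leaves account-level shared-key authentication at its default; if the module exposes a switch for it, a WAF-aligned test would be the natural place to disable it.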

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-splhwaf' + params: { + // Required parameters + name: 'splhwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'Web' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "splhwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "Web", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..d7ca02fccb --- /dev/null +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,74 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: {} +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azuresynapse.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed 
Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c5b50dbbd7 --- /dev/null +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,93 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'splhwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 
'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Web' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index d00edcb815..879cf28301 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -37,6 +37,7 @@ The following section provides usage examples for the module, which were used to - [Encrwuai](#example-3-encrwuai) - [Managedvnet](#example-4-managedvnet) - [Using large parameter set](#example-5-using-large-parameter-set) +- [WAF-aligned](#example-6-waf-aligned) ### Example 1: _Using only defaults_ @@ -507,6 +508,178 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {
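Review bot: The second `roleAssignments` entry grants the test identity Contributor by bare GUID (`b24988ac-6180-42a0-ab88-20f7382dd24c`) with no annotation, while the same GUID is commented `// Contributor` in this commit's image-template dependencies; add the trailing comment here as well, `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor`, so readers of the mirrored README example know what is being granted. Since this fixture is presented as WAF-aligned and the identity already receives `Reader` in the first entry, consider whether a Contributor grant on the hub is needed for the scenario or whether a narrower built-in role would better demonstrate least privilege.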

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-swwaf' + params: { + // Required parameters + defaultDataLakeStorageAccountResourceId: '' + defaultDataLakeStorageFilesystem: '' + name: 'swwaf001' + sqlAdministratorLogin: 'synwsadmin' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + initialWorkspaceAdminObjectID: '' + integrationRuntimes: [ + { + name: 'shir01' + type: 'SelfHosted' + } + ] + managedVirtualNetwork: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'SQL' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "defaultDataLakeStorageAccountResourceId": { + "value": "" + }, + "defaultDataLakeStorageFilesystem": { + "value": "" + }, + "name": { + "value": "swwaf001" + }, + "sqlAdministratorLogin": { + "value": "synwsadmin" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "SynapseRbacOperations" + }, + { + "category": "SynapseLinkEvent" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "initialWorkspaceAdminObjectID": { + "value": "" + }, + "integrationRuntimes": { + "value": [ + { + "name": "shir01", + "type": "SelfHosted" + } + ] + }, + "managedVirtualNetwork": { + "value": true + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "SQL", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..52da267176 --- /dev/null +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep 
@@ -0,0 +1,92 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.sql.azuresynapse.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetworkName}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + isHnsEnabled: true + } + + resource blobService 'blobServices@2022-09-01' = { + name: 'default' + + resource container 'containers@2022-09-01' = { + name: 'synapsews' + } + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + 
+@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created container.') +output storageContainerName string = storageAccount::blobService::container.name diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..cd02520ced --- /dev/null +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep 
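Review bot: The `storageAccount` resource that the WAF-aligned workspace test uses as its default data lake is created with default security properties; only `isHnsEnabled: true` is set. Unless the platform defaults have changed for this API version, an account declared this way neither enforces TLS 1.2 nor blocks anonymous blob access, so add `allowBlobPublicAccess: false`, `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` to `properties` so the dependency matches the posture the test is meant to validate. The `virtualNetworkLinks` child uses `virtualNetworkName` in its name where the sibling dependency files in this commit use `virtualNetwork.name`; harmless, but inconsistent.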
@@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'swwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + location: location + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 
'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName + sqlAdministratorLogin: 'synwsadmin' + initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + service: 'SQL' + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedVirtualNetwork: true + integrationRuntimes: [ + { + type: 'SelfHosted' + name: 'shir01' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + 
enableDefaultTelemetry: enableDefaultTelemetry + } +} diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index d5d30e9144..d58507d074 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -292,6 +293,178 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitwaf' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '10m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win11-22h2-avd' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitwaf001' + userMsiName: '' + // Non-required parameters + buildTimeoutInMinutes: 60 + enableDefaultTelemetry: '' + imageReplicationRegions: [] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedImageName: 'mi-vmiitwaf-001' + osDiskSizeGB: 127 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sigImageDefinitionId: '' + sigImageVersion: '' + stagingResourceGroup: '' + subnetId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + unManagedImageName: 'umi-vmiitwaf-001' + userAssignedIdentities: [ + '' + ] + userMsiResourceGroup: '' + vmSize: 'Standard_D2s_v3' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "10m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-11", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win11-22h2-avd", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitwaf001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "buildTimeoutInMinutes": { + "value": 60 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageReplicationRegions": { + "value": [] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedImageName": { + "value": "mi-vmiitwaf-001" + }, + "osDiskSizeGB": { + "value": 127 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sigImageDefinitionId": { + "value": "" + }, + "sigImageVersion": { + "value": "" + }, + "stagingResourceGroup": { + "value": "" + }, + "subnetId": { + "value": "" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "unManagedImageName": { + "value": "umi-vmiitwaf-001" + }, + "userAssignedIdentities": { + "value": [ + "" + ] + }, + "userMsiResourceGroup": { + "value": "" + }, + "vmSize": { + "value": "Standard_D2s_v3" + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..ec4e08c2d4
--- /dev/null
+++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,99 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Shared Image Gallery to create.')
+param galleryName string
+
+@description('Required. The name of the Image Definition to create in the Shared Image Gallery.')
+param sigImageDefinitionName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Optional. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+var addressPrefix = '10.0.0.0/16'
+
+resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
+ name: galleryName
+ location: location
+ properties: {}
+}
+
+resource galleryImageDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = {
+ name: sigImageDefinitionName
+ location: location
+ parent: gallery
+ properties: {
+ architecture: 'x64'
+ hyperVGeneration: 'V2'
+ identifier: {
+ offer: 'Windows-11'
+ publisher: 'MicrosoftWindowsDesktop'
+ sku: 'Win11-AVD-g2'
+ }
+ osState: 'Generalized'
+ osType: 'Windows'
+ recommended: {
+ memory: {
+ max: 16
+ min: 4
+ }
+ vCPUs: {
+ max: 8
+ min: 2
+ }
+ }
+ }
+}
+
+resource msi_contibutorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(resourceGroup().id, 'Contributor', '[[namePrefix]]')
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
+ principalId: managedIdentity.properties.principalId
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ privateLinkServiceNetworkPolicies: 'Disabled'
+ }
+ }
+ ]
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The name of the created Managed Identity.')
+output managedIdentityName string = managedIdentity.name
+
+@description('The resource ID of the created Image Definition.')
+output sigImageDefinitionId string = galleryImageDefinition.id
+
+@description('The subnet resource id of the defaultSubnet of the created Virtual Network.')
+output subnetId string = '${virtualNetwork.id}/subnets/defaultSubnet'
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..7e2e523fee
--- /dev/null
+++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
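Review bot: `msi_contibutorRoleAssignment` grants the image-builder identity the built-in Contributor role over the whole test resource group, which is considerably broader than the gallery/image read-write permissions the Azure Image Builder documentation describes for a custom image-creation role; a least-privilege test would define that narrower role, or at least carry a comment stating why Contributor is required here. The symbolic name also misspells `contributor`. Separately, the first output is mis-documented: `output managedIdentityResourceId` carries the description 'The principal ID of the created Managed Identity.' and should read `@description('The resource ID of the created Managed Identity.')`.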
@@ -0,0 +1,119 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'vmiitwaf'
+
+@description('Optional. The version of the Azure Compute Gallery Image Definition to be added.')
+param sigImageVersion string = utcNow('yyyy.MM.dd')
+
+@description('Optional. The staging resource group name in the same location and subscription as the image template. Must not exist.')
+param stagingResourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-staging-rg'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ sigImageDefinitionName: 'dep-${namePrefix}-imgd-${serviceShort}'
+ galleryName: 'dep${namePrefix}sig${serviceShort}'
+ virtualNetworkName: 'dep${namePrefix}-vnet-${serviceShort}'
+ }
+}
+
+// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
+resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}')
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ customizationSteps: [
+ {
+ restartTimeout: '10m'
+ type: 'WindowsRestart'
+ }
+ ]
+ imageSource: {
+ offer: 'Windows-11'
+ publisher: 'MicrosoftWindowsDesktop'
+ sku: 'win11-22h2-avd'
+ type: 'PlatformImage'
+ version: 'latest'
+ }
+ buildTimeoutInMinutes: 60
+ imageReplicationRegions: []
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ managedImageName: '${namePrefix}-mi-${serviceShort}-001'
+ osDiskSizeGB: 127
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId
+ sigImageVersion: sigImageVersion
+ subnetId: nestedDependencies.outputs.subnetId
+ stagingResourceGroup: '${subscription().id}/resourcegroups/${stagingResourceGroupName}'
+ unManagedImageName: '${namePrefix}-umi-${serviceShort}-001'
+ userAssignedIdentities: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ userMsiName: nestedDependencies.outputs.managedIdentityName
+ userMsiResourceGroup: resourceGroupName
+ vmSize: 'Standard_D2s_v3'
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md
index bdb9491881..682936b91b 100644
--- a/modules/web/connection/README.md
+++ b/modules/web/connection/README.md
@@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.connection:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_
@@ -126,6 +127,104 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = {
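Review bot: `msi_managedIdentityOperatorRoleAssignment` is declared in a `targetScope = 'subscription'` file, so the Managed Identity Operator role is granted to the test identity over every identity in the subscription, although the only identity it needs to act on is the one created inside `resourceGroup`; moving the assignment into `dependencies.bicep`, which already deploys at resource-group scope, would keep the test least-privilege, assuming the Image Builder service does not require subscription scope here. The guid seed `'ManagedIdentityContributor'` also does not match the role the comment and `roleDefinitionId` refer to; `name: guid(subscription().id, 'ManagedIdentityOperator', '${namePrefix}')` keeps the name self-describing.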

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module connection 'br:bicep/modules/web.connection:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wcwaf' + params: { + // Required parameters + displayName: 'azuremonitorlogs' + name: 'azuremonitor' + // Non-required parameters + api: { + id: '' + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "displayName": { + "value": "azuremonitorlogs" + }, + "name": { + "value": "azuremonitor" + }, + // Non-required parameters + "api": { + "value": { + "id": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..acc6afbcd9
--- /dev/null
+++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,77 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'wcwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ displayName: 'azuremonitorlogs'
+ name: 'azuremonitor'
+ api: {
+ id: '${subscription().id}/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs'
+
+ }
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md
index 4dc832d2b9..0f9579209f 100644
--- a/modules/web/serverfarm/README.md
+++ b/modules/web/serverfarm/README.md
@@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.serverfarm:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_
@@ -161,6 +162,138 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = {
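Review bot: `api.id` hard-codes `westeurope` in the managed API path while the connection and every other resource in this test deploy to `location` (`deployment().location`); if the test pipeline runs in another region the connection presumably references a managed API in a location different from its own. Using `id: '${subscription().id}/providers/Microsoft.Web/locations/${location}/managedApis/azuremonitorlogs'` keeps the two in step. The empty line inside the `api` object can be dropped at the same time.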

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wsfwaf' + params: { + // Required parameters + name: 'wsfwaf001' + sku: { + capacity: '1' + family: 'S' + name: 'S1' + size: 'S1' + tier: 'Standard' + } + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "wsfwaf001" + }, + "sku": { + "value": { + "capacity": "1", + "family": "S", + "name": "S1", + "size": "S1", + "tier": "Standard" + } + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..a7f42aee7b
--- /dev/null
+++ b/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..b6be6a4df6
--- /dev/null
+++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,107 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'wsfwaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ sku: {
+ capacity: '1'
+ family: 'S'
+ name: 'S1'
+ size: 'S1'
+ tier: 'Standard'
+ }
+ diagnosticSettings: [
+ {
+ name: 'customSetting'
+ metricCategories: [
+ {
+ category: 'AllMetrics'
+ }
+ ]
+ eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
+ workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index ebd2b09d90..98a80f18d6 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_
@@ -254,6 +255,178 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
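Review bot: `sku.capacity: '1'` passes the plan capacity as a string, whereas the `Microsoft.Web/serverfarms` resource created in `modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep` by the same change uses the integer `capacity: 1`, and the resource type declares capacity as an integer; `capacity: 1` here would be consistent and avoids relying on the API coercing the string. Whether the module's `sku` parameter accepts either form cannot be seen from this hunk.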

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wsswaf' + params: { + // Required parameters + name: 'wsswaf001' + // Non-required parameters + allowConfigFileUpdates: true + appSettings: { + foo: 'bar' + setting: 1 + } + enableDefaultTelemetry: '' + enterpriseGradeCdnStatus: 'Disabled' + functionAppSettings: { + foo: 'bar' + setting: 1 + } + linkedBackend: { + resourceId: '' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard' + stagingEnvironmentPolicy: 'Enabled' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "wsswaf001" + }, + // Non-required parameters + "allowConfigFileUpdates": { + "value": true + }, + "appSettings": { + "value": { + "foo": "bar", + "setting": 1 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enterpriseGradeCdnStatus": { + "value": "Disabled" + }, + "functionAppSettings": { + "value": { + "foo": "bar", + "setting": 1 + } + }, + "linkedBackend": { + "value": { + "resourceId": "" + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard" + }, + "stagingEnvironmentPolicy": { + "value": "Enabled" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters
diff --git a/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..7939cfd2d2
--- /dev/null
+++ b/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,94 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Function App to create.')
+param siteName string
+
+@description('Required. The name of the Server Farm to create.')
+param serverFarmName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.azurestaticapps.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = {
+ name: serverFarmName
+ location: location
+ sku: {
+ name: 'S1'
+ tier: 'Standard'
+ size: 'S1'
+ family: 'S'
+ capacity: 1
+ }
+ properties: {}
+}
+
+resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
+ name: siteName
+ location: location
+ kind: 'functionapp'
+ properties: {
+ serverFarmId: serverFarm.id
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Private DNS zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The resource ID of the created Function App.')
+output siteResourceId string = functionApp.id
diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..0b1be9250e
--- /dev/null
+++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
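Review bot: `functionApp` is created with only `kind` and `serverFarmId`, so `httpsOnly` stays at the platform default and the site accepts plain HTTP; for a dependency of the 'WAF-aligned' test it would be consistent to add `httpsOnly: true` next to `serverFarmId` in its properties. A function app also normally needs a storage connection to run, so if this site is only meant to exist as the `linkedBackend` target, a one-line comment saying so would stop the next reader from treating the missing settings as a bug.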
@@ -0,0 +1,109 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'wsswaf'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ siteName: 'dep-${namePrefix}-fa-${serviceShort}'
+ serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '${namePrefix}${serviceShort}001'
+ allowConfigFileUpdates: true
+ enterpriseGradeCdnStatus: 'Disabled'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ privateEndpoints: [
+ {
+ subnetResourceId: nestedDependencies.outputs.subnetResourceId
+ privateDnsZoneResourceIds: [
+ nestedDependencies.outputs.privateDNSZoneResourceId
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ ]
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: 'Standard'
+ stagingEnvironmentPolicy: 'Enabled'
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourcesIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ appSettings: {
+ foo: 'bar'
+ setting: 1
+ }
+ functionAppSettings: {
+ foo: 'bar'
+ setting: 1
+ }
+ linkedBackend: {
+ resourceId: nestedDependencies.outputs.siteResourceId
+ }
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
From ac8fd22ed4d4a3e30a6fe35d047daaaea54e4a2e Mon Sep 17 00:00:00 2001 From: Nate Arnold Date: Fri, 10 Nov 2023 11:35:46 -0700 Subject: [PATCH 090/178] Moved module to AVM - closes #4044 (#4203) * Moved module to AVM * Updated README --- modules/network/load-balancer/MOVED-TO-AVM.MD | 1 + modules/network/load-balancer/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/network/load-balancer/MOVED-TO-AVM.MD
diff --git a/modules/network/load-balancer/MOVED-TO-AVM.MD b/modules/network/load-balancer/MOVED-TO-AVM.MD
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/network/load-balancer/MOVED-TO-AVM.MD
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index cb030c747e..1da31adc09 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -1,5 +1,7 @@ # Load Balancers `[Microsoft.Network/loadBalancers]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Load Balancer. ## Navigation From 2621a2a37b126fb9a7ed166f68cf2704fc9cd642 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sat, 11 Nov 2023 14:02:28 +1100 Subject: [PATCH 091/178] [Modules] Fix website publishing cred policy (#4202) * update Web Site Basic Publishing Cred Policies * fix ARM json template * update website arm template * Update modules/web/site/basic-publishing-credentials-policy/main.bicep Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> * update parameter description --------- Co-authored-by: Tao Yang Co-authored-by: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> --- modules/web/site/README.md | 26 ++++++++ .../README.md | 8 +++ .../main.bicep | 5 +- .../main.json | 13 +++- modules/web/site/main.json | 61 +++++++++++-------- .../e2e/functionAppCommon/main.test.bicep | 10 +++ .../tests/e2e/webAppCommon/main.test.bicep | 2 + 7 files changed, 94 insertions(+), 31 deletions(-) diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 201862080b..01f8e38e34 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -125,6 +125,16 @@ module site 'br:bicep/modules/web.site:1.0.0' = { runtimeVersion: '~1' } } + basicPublishingCredentialsPolicies: [ + { + allow: false + name: 'ftp' + } + { + allow: false + name: 'scm' + } + ] diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -285,6 +295,18 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } } }, + "basicPublishingCredentialsPolicies": { + "value": [ + { + "allow": false, + "name": "ftp" + }, + { + "allow": false, + "name": "scm" + } + ] + }, "diagnosticSettings": { "value": [ { @@ -450,9 +472,11 @@ module site 'br:bicep/modules/web.site:1.0.0' = { // Non-required parameters basicPublishingCredentialsPolicies: [ { + allow: true name: 'ftp' } { + allow: true name: 'scm' } ] @@ -604,9 +628,11 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "basicPublishingCredentialsPolicies": { "value": [ { + "allow": true, "name": "ftp" }, { + "allow": true, "name": "scm" } ] diff --git a/modules/web/site/basic-publishing-credentials-policy/README.md b/modules/web/site/basic-publishing-credentials-policy/README.md index 59fe52102c..a442531e1e 100644 --- a/modules/web/site/basic-publishing-credentials-policy/README.md +++ b/modules/web/site/basic-publishing-credentials-policy/README.md @@ -33,9 +33,17 @@ This module deploys a Web Site Basic Publishing Credentials Policy. | Parameter | Type | Description | | :-- | :-- | :-- | +| [`allow`](#parameter-allow) | bool | Set to true to enable or false to disable a publishing method. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | +### Parameter: `allow` + +Set to true to enable or false to disable a publishing method. +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). 
diff --git a/modules/web/site/basic-publishing-credentials-policy/main.bicep b/modules/web/site/basic-publishing-credentials-policy/main.bicep index c30cc79dc4..dd55286295 100644 --- a/modules/web/site/basic-publishing-credentials-policy/main.bicep +++ b/modules/web/site/basic-publishing-credentials-policy/main.bicep @@ -9,6 +9,9 @@ metadata owner = 'Azure/module-maintainers' ]) param name string +@sys.description('Optional. Set to true to enable or false to disable a publishing method.') +param allow bool = true + @sys.description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.') param webAppName string @@ -39,7 +42,7 @@ resource basicPublishingCredentialsPolicy 'Microsoft.Web/sites/basicPublishingCr location: location parent: webApp properties: { - allow: true + allow: allow } } diff --git a/modules/web/site/basic-publishing-credentials-policy/main.json b/modules/web/site/basic-publishing-credentials-policy/main.json index fb7d1f7388..2c3ec469f0 100644 --- a/modules/web/site/basic-publishing-credentials-policy/main.json +++ b/modules/web/site/basic-publishing-credentials-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5305729672150633375" + "version": "0.23.1.45101", + "templateHash": "12054216906297236281" }, "name": "Web Site Basic Publishing Credentials Policies", "description": "This module deploys a Web Site Basic Publishing Credentials Policy.", @@ -22,6 +22,13 @@ "description": "Required. The name of the resource." } }, + "allow": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Set to true to enable or false to disable a publishing method." + } + }, "webAppName": { "type": "string", "metadata": { 
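Review bot: `param allow bool = true` keeps basic-auth publishing (the `ftp` and `scm` policies named in the README and e2e tests) enabled whenever a caller omits the parameter, so the permissive setting remains the default even though the resource exists mainly to switch it off; the description should make that consequence explicit, e.g. `@sys.description('Optional. Set to true to enable or false to disable a publishing method. Defaults to true, which leaves basic authentication for this publishing method enabled.')`. A default of `false` would make the module secure-by-default, but it would change behaviour for existing callers who relied on the former hard-coded `allow: true`, so it should be a deliberate, documented decision rather than a silent switch. The second hunk (`allow: allow`) is correct as written. Separately, the nested copy of this child template in modules/web/site/main.json (hunk @@ -3186) carries a different description text (`...to allow access to or false to diable...`) and a different templateHash than the standalone main.json, which suggests the parent was compiled from an earlier draft of this parameter; regenerating modules/web/site/main.json would bring the two in line.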
@@ -64,7 +71,7 @@ "name": "[format('{0}/{1}', parameters('webAppName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { - "allow": true + "allow": "[parameters('allow')]" } } ], diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 72f1e89be2..4358ab448c 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3962832552855663187" + "version": "0.23.1.45101", + "templateHash": "18196957481129520546" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", @@ -884,8 +884,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12140652943143922490" + "version": "0.23.1.45101", + "templateHash": "12410494471478708764" }, "name": "Site App Settings", "description": "This module deploys a Site App Setting.", @@ -1029,8 +1029,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1120403064106188130" + "version": "0.23.1.45101", + "templateHash": "15667145082226037238" }, "name": "Site Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", @@ -1204,8 +1204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "842322474793993092" + "version": "0.23.1.45101", + "templateHash": "17728495950787678705" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -2080,8 +2080,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13223616826795830599" + "version": "0.23.1.45101", + "templateHash": "10562313393461278954" }, "name": "Site Slot App Settings", "description": "This module deploys a Site Slot App Setting.", 
@@ -2235,8 +2235,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16157844933162881953" + "version": "0.23.1.45101", + "templateHash": "13215271953171449159" }, "name": "Site Slot Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", @@ -2369,8 +2369,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11888981629758921842" + "version": "0.23.1.45101", + "templateHash": "299894459930368764" }, "name": "Web/Function Apps Slot Hybrid Connection Relay", "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", @@ -2550,8 +2550,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2953,8 +2953,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -3168,8 +3168,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5305729672150633375" + "version": "0.23.1.45101", + "templateHash": "12265634131995953652" }, "name": "Web Site Basic Publishing Credentials Policies", "description": "This module deploys a Web Site Basic Publishing Credentials Policy.", @@ -3186,6 +3186,13 @@ "description": "Required. The name of the resource." } }, + "allow": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Set to true to allow access to or false to diable a publishing method." + } + }, "webAppName": { "type": "string", "metadata": { 
@@ -3228,7 +3235,7 @@ "name": "[format('{0}/{1}', parameters('webAppName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { - "allow": true + "allow": "[parameters('allow')]" } } ], @@ -3299,8 +3306,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10458383238656360850" + "version": "0.23.1.45101", + "templateHash": "14574905385050050440" }, "name": "Web/Function Apps Hybrid Connection Relay", "description": "This module deploys a Site Hybrid Connection Namespace Relay.", @@ -3473,8 +3480,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -3876,8 +3883,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index 9219cb3ccf..aa00720f81 100644 --- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep @@ -140,6 +140,16 @@ module testDeployment '../../../main.bicep' = { runtimeVersion: '~1' } } + basicPublishingCredentialsPolicies: [ + { + name: 'ftp' + allow: false + } + { + name: 'scm' + allow: false + } + ] diagnosticSettings: [ { name: 'customSetting' diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep index ddf1838032..93c0fbb5e8 100644 --- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep 
+++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep @@ -179,9 +179,11 @@ module testDeployment '../../../main.bicep' = { basicPublishingCredentialsPolicies: [ { name: 'ftp' + allow: true } { name: 'scm' + allow: true } ] From d3964bc87c93c98fe4c94c2babb59c774504a4e9 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sat, 11 Nov 2023 03:03:07 +0000 Subject: [PATCH 092/178] Push updated Readme file(s) --- README.md | 12 +- docs/wiki/The library - Module overview.md | 276 ++++++++++----------- 2 files changed, 144 insertions(+), 144 deletions(-) diff --git a/README.md b/README.md index 2508382277..44acccd038 100644 --- a/README.md +++ b/README.md 
@@ -48,15 +48,15 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | | [managedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [App ManagedEnvironments](https://github.com/Azure/ResourceModules/tree/main/modules/app/managed-environment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.AppConfiguration` | [configurationStores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [App Configuration Stores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.Authorization` | [locks](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [Authorization Locks (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [policyassignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [Policy Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [policydefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [policyAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [Policy Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [![Deploy to 
Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [policyDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [policyExemptions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [Policy Exemptions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [policySetDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [Policy Set Definitions (Initiatives) (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [roleAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [Role Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [roleDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | [Role Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.Automation` | [automationAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | [Automation Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/automation/automation-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.Batch` | 
[batchAccounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | [Batch Accounts](https://github.com/Azure/ResourceModules/tree/main/modules/batch/batch-account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Cache` | [redis](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [Redis Cache](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| `Microsoft.Cache` | [Redis](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [Redis Cache](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [redisEnterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | [Redis Cache Enterprise](https://github.com/Azure/ResourceModules/tree/main/modules/cache/redis-enterprise) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.Cdn` | [profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | [CDN Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/cdn/profile) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.CognitiveServices` | [accounts](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | [Cognitive Services](https://github.com/Azure/ResourceModules/tree/main/modules/cognitive-services/account) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -92,7 +92,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | `Microsoft.EventHub` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [Event Hub Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthBot` | [healthBots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [Azure Health Bots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthcareApis` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [Healthcare API Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `microsoft.insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| `Microsoft.Insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [activityLogAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [Activity Log Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [components](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | 
[Application Insights](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [dataCollectionEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [Data Collection Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -144,8 +144,8 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | | [serviceEndpointPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [Service Endpoint Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [trafficmanagerprofiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [Traffic Manager Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [virtualHubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [Virtual Hubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [virtualnetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [virtualnetworkgateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [virtualNetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [virtualNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) 
| [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [virtualWans](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [Virtual WANs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [vpnGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [VPN Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [vpnSites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [VPN Sites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index e8f34f0833..f3ec1e5d0e 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -13,144 +13,144 @@ This section provides an overview of the library's feature set. | # | Module | Status | RBAC | Locks | Tags | Diag | PE | PIP | # children | # lines | | - | - | - | - | - | - | - | - | - | - | - | -| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | | | | | | 251 | -| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | | | | | | 170 | -| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | | | | | [L1:11, L2:3] | 455 | -| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:1] | 322 | -| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | | 211 | -| 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | | 162 | -| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | | 163 | -| 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:2] | 62 | -| 9 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:3] | 143 | -| 10 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:2] | 86 | -| 11 | authorization

policy-exemption | [![Authorization - PolicyExemptions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyExemptions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyexemptions.yml) | | | | | | | [L1:3] | 114 | -| 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:2] | 76 | -| 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:3] | 107 | -| 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:3] | 94 | -| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:6] | 460 | -| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | | 326 | -| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | | 327 | -| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:1] | 264 | -| 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | | | | | [L1:6, L2:4] | 220 | -| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | | 388 | -| 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | | | | | | 111 | -| 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | | | | | | 218 | -| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | | | | | [L1:1] | 168 | -| 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | | | | | [L1:2] | 155 | -| 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | | | | | | 137 | -| 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | | | | | | 111 | -| 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | | | | | | 99 | -| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | | | | | [L1:2] | 657 | -| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | | | | | [L1:1] | 611 | -| 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | | 92 | -| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | | 175 | -| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:3] | 447 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:1] | 668 | -| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:2, L2:1] | 342 | -| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:1] | 159 | -| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | | 110 | -| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | | 397 | -| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:3] | 380 | -| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:4] | 378 | -| 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | | | | | [L1:1] | 191 | -| 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | | | | | | 281 | -| 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | | 200 | -| 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | | | | | | 161 | -| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:6, L2:1] | 304 | -| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:3] | 301 | -| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:3, L2:3] | 413 | -| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:1] | 257 | -| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:1] | 197 | -| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:1] | 261 | -| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:4, L2:2] | 418 | -| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | | 116 | -| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:3, L2:1] | 195 | -| 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | | | | | | 115 | -| 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | | | | | | 104 | -| 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | | | | | | 184 | -| 56 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | | | | | | 120 | -| 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | | | | | | 129 | -| 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | | 91 | -| 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | | | | | | 152 | -| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:1] | 181 | -| 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | | | | | | 136 | -| 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | | 152 | -| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:3] | 356 | -| 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | | 88 | -| 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | | 71 | -| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | | | | | | 231 | -| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:1] | 366 | -| 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | | | | | | 136 | -| 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | | | | | [L1:1] | 113 | -| 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | | 67 | -| 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | | 50 | -| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | | | | | [L1:1, L2:1] | 151 | -| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | | | | | | 429 | -| 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | | | | | | 47 | -| 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | | | | | | 94 | -| 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | | | | :white_check_mark: | | 316 | -| 77 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | | | | :white_check_mark: | | 219 | -| 78 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | | | | | | 147 | -| 79 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | | | | | | 95 | -| 80 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | | | | | [L1:2] | 126 | -| 81 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | | | | | | 137 | -| 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | | | | | [L1:10] | 248 | -| 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | | | | | | 228 | -| 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | | | | | | 117 | -| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | | | | | [L1:1] | 173 | -| 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | | | | | | 181 | -| 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | | | | | | 152 | -| 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | | | | | | 100 | -| 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | | | | | [L1:2] | 272 | -| 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | | | | | | 120 | -| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | | | | | [L1:1] | 191 | -| 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | | | | | | 198 | -| 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | | | | | [L1:4, L2:2, L3:1] | 165 | -| 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | | | | | [L1:1] | 188 | -| 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | | | | | [L1:2] | 129 | -| 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | | | | | [L1:9] | 226 | -| 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:1] | 168 | -| 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | | | | | | 121 | -| 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | | | | | | 214 | -| 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | | | | | | 109 | -| 101 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | | | | | | 102 | -| 102 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | | | | | | 105 | -| 103 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | | | | | | 195 | -| 104 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | | | | | [L1:2] | 151 | -| 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | | | | | [L1:2] | 276 | -| 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | | | | | [L1:1] | 403 | -| 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | | | | | | 112 | -| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:2] | 114 | -| 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | | | | | | 124 | -| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | | | | | [L1:7] | 348 | -| 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | | 53 | -| 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:3] | 106 | -| 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | | | | | | 133 | -| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | | | | | | 315 | -| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | | | | | [L1:7, L2:2, L3:2] | 364 | -| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | | | | | [L1:4, L2:2] | 339 | -| 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | | | | | | 101 | -| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | | | | | | 132 | -| 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | | | | | [L1:1] | 101 | -| 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | | | | | [L1:2] | 54 | -| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:1] | 327 | -| 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | | 221 | -| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:6, L2:2] | 462 | -| 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | | | | | [L1:1] | 312 | -| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | | 277 | -| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | | 253 | -| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:6, L2:3] | 373 | -| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:8, L2:3] | 389 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:6, L2:4, L3:1] | 524 | -| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | | 171 | -| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:3] | 374 | -| 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | | 216 | -| 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | | 118 | -| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:2] | 262 | -| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | | 194 | -| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:5, L2:4, L3:1] | 453 | -| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 241 | 29852 | +| 1 | aad

domain-service | [![AAD - DomainServices](https://github.com/Azure/ResourceModules/workflows/AAD%20-%20DomainServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.aad.domainservices.yml) | | | | | | | [L1:1, L2:1, L3:2] | 251 | +| 2 | analysis-services

server | [![AnalysisServices - Servers](https://github.com/Azure/ResourceModules/workflows/AnalysisServices%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.analysisservices.servers.yml) | | | | | | | [L1:1, L2:1, L3:3] | 170 | +| 3 | api-management

service | [![ApiManagement - Service](https://github.com/Azure/ResourceModules/workflows/ApiManagement%20-%20Service/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.apimanagement.service.yml) | | | | | | | [L1:12, L2:4, L3:3] | 455 | +| 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:2, L2:1, L3:5] | 322 | +| 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | [L1:1, L2:1, L3:3] | 211 | +| 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | [L1:1, L2:1, L3:3] | 162 | +| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | [L1:1, L2:1, L3:3] | 163 | +| 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:3, L2:1, L3:2] | 62 | +| 9 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:4, L2:1, L3:6] | 143 | +| 10 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:3, L2:1, L3:4] | 86 | +| 11 | authorization

policy-exemption | [![Authorization - PolicyExemptions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyExemptions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyexemptions.yml) | | | | | | | [L1:4, L2:1, L3:6] | 114 | +| 12 | authorization

policy-set-definition | [![Authorization - PolicySetDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicySetDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policysetdefinitions.yml) | | | | | | | [L1:3, L2:1, L3:4] | 76 | +| 13 | authorization

role-assignment | [![Authorization - RoleAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roleassignments.yml) | | | | | | | [L1:4, L2:1, L3:6] | 107 | +| 14 | authorization

role-definition | [![Authorization - RoleDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20RoleDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.roledefinitions.yml) | | | | | | | [L1:4, L2:1, L3:6] | 94 | +| 15 | automation

automation-account | [![Automation - AutomationAccounts](https://github.com/Azure/ResourceModules/workflows/Automation%20-%20AutomationAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.automation.automationaccounts.yml) | | | | | | | [L1:7, L2:1, L3:4] | 460 | +| 16 | batch

batch-account | [![Batch - BatchAccounts](https://github.com/Azure/ResourceModules/workflows/Batch%20-%20BatchAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.batch.batchaccounts.yml) | | | | | | | [L1:1, L2:1, L3:4] | 326 | +| 17 | cache

redis | [![Cache - Redis](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redis.yml) | | | | | | | [L1:1, L2:1, L3:3] | 327 | +| 18 | cache

redis-enterprise | [![Cache - Redis Enterprise](https://github.com/Azure/ResourceModules/workflows/Cache%20-%20Redis%20Enterprise/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cache.redisenterprise.yml) | | | | | | | [L1:2, L2:1, L3:4] | 264 | +| 19 | cdn

profile | [![CDN - Profiles](https://github.com/Azure/ResourceModules/workflows/CDN%20-%20Profiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cdn.profiles.yml) | | | | | | | [L1:7, L2:5, L3:3] | 220 | +| 20 | cognitive-services

account | [![CognitiveServices - Accounts](https://github.com/Azure/ResourceModules/workflows/CognitiveServices%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.cognitiveservices.accounts.yml) | | | | | | | [L1:1, L2:1, L3:5] | 388 | +| 21 | compute

availability-set | [![Compute - AvailabilitySets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20AvailabilitySets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.availabilitysets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 111 | +| 22 | compute

disk | [![Compute - Disks](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Disks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.disks.yml) | | | | | | | [L1:1, L2:1, L3:5] | 218 | +| 23 | compute

disk-encryption-set | [![Compute - DiskEncryptionSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | | | | | | | [L1:2, L2:1, L3:3] | 168 | +| 24 | compute

gallery | [![Compute - Galleries](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Galleries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.galleries.yml) | | | | | | | [L1:3, L2:1, L3:3] | 155 | +| 25 | compute

image | [![Compute - Images](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20Images/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.images.yml) | | | | | | | [L1:1, L2:1, L3:2] | 137 | +| 26 | compute

proximity-placement-group | [![Compute - ProximityPlacementGroups](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20ProximityPlacementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.proximityplacementgroups.yml) | | | | | | | [L1:1, L2:1, L3:3] | 111 | +| 27 | compute

ssh-public-key | [![Compute - SshPublicKeys](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20SshPublicKeys/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.sshpublickeys.yml) | | | | | | | [L1:1, L2:1, L3:3] | 99 | +| 28 | compute

virtual-machine | [![Compute - VirtualMachines](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachines/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | | | | | | | [L1:3, L2:1, L3:7] | 657 | +| 29 | compute

virtual-machine-scale-set | [![Compute - VirtualMachineScaleSets](https://github.com/Azure/ResourceModules/workflows/Compute%20-%20VirtualMachineScaleSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | | | | | | | [L1:2, L2:1, L3:5] | 611 | +| 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 92 | +| 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | [L1:1, L2:1, L3:5] | 175 | +| 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:4, L2:1, L3:5] | 447 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 668 | +| 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:3, L2:2, L3:3] | 342 | +| 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:2, L2:1, L3:3] | 159 | +| 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 110 | +| 37 | databricks

workspace | [![Databricks - Workspaces](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | | | | | | | [L1:1, L2:1, L3:3] | 397 | +| 38 | db-for-my-sql

flexible-server | [![DbForMySQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForMySQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbformysql.flexibleservers.yml) | | | | | | | [L1:4, L2:1, L3:3] | 380 | +| 39 | db-for-postgre-sql

flexible-server | [![DbForPostgreSQL - FlexibleServers](https://github.com/Azure/ResourceModules/workflows/DbForPostgreSQL%20-%20FlexibleServers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dbforpostgresql.flexibleservers.yml) | | | | | | | [L1:5, L2:1, L3:3] | 378 | +| 40 | desktop-virtualization

application-group | [![DesktopVirtualization - ApplicationGroups](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20ApplicationGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.applicationgroups.yml) | | | | | | | [L1:2, L2:1, L3:3] | 191 | +| 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | | | | | [L1:1, L2:1, L3:3] | 281 | +| 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | [L1:1, L2:1, L3:3] | 200 | +| 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | | | | | [L1:1, L2:1, L3:3] | 161 | +| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:7, L2:2, L3:3] | 304 | +| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:4, L2:1, L3:3] | 301 | +| 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:4, L2:4, L3:4] | 413 | +| 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:2, L2:1, L3:4] | 257 | +| 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:2, L2:1, L3:3] | 197 | +| 49 | event-grid

topic | [![EventGrid - Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.topics.yml) | | | | | | | [L1:2, L2:1, L3:4] | 261 | +| 50 | event-hub

namespace | [![EventHub - Namespaces](https://github.com/Azure/ResourceModules/workflows/EventHub%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventhub.namespaces.yml) | | | | | | | [L1:5, L2:3, L3:5] | 418 | +| 51 | health-bot

health-bot | [![HealthBot - HealthBots](https://github.com/Azure/ResourceModules/workflows/HealthBot%20-%20HealthBots/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | | | | | | | [L1:1, L2:1, L3:3] | 116 | +| 52 | healthcare-apis

workspace | [![HealthcareApis - Workspaces](https://github.com/Azure/ResourceModules/workflows/HealthcareApis%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthcareapis.workspaces.yml) | | | | | | | [L1:4, L2:2, L3:3] | 195 | +| 53 | insights

action-group | [![Insights - ActionGroups](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActionGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.actiongroups.yml) | | | | | | | [L1:1, L2:1, L3:3] | 115 | +| 54 | insights

activity-log-alert | [![Insights - ActivityLogAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ActivityLogAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.activitylogalerts.yml) | | | | | | | [L1:1, L2:1, L3:2] | 104 | +| 55 | insights

component | [![Insights - Components](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Components/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.components.yml) | | | | | | | [L1:1, L2:1, L3:3] | 184 | +| 56 | insights

data-collection-endpoint | [![Insights - DataCollectionEndpoints](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionendpoints.yml) | | | | | | | [L1:1, L2:1, L3:3] | 120 | +| 57 | insights

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | | | | | [L1:1, L2:1, L3:6] | 129 | +| 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | [L1:1, L2:1, L3:2] | 91 | +| 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | | | | | [L1:1, L2:1, L3:2] | 152 | +| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:2, L2:1, L3:3] | 181 | +| 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | | | | | [L1:1, L2:1, L3:2] | 136 | +| 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | [L1:1, L2:1, L3:3] | 152 | +| 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:4, L2:1, L3:5] | 356 | +| 64 | kubernetes-configuration

extension | [![KubernetesConfiguration - Extensions](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20Extensions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.extensions.yml) | | | | | | | [L1:1, L2:1, L3:3] | 88 | +| 65 | kubernetes-configuration

flux-configuration | [![KubernetesConfiguration - FluxConfigurations](https://github.com/Azure/ResourceModules/workflows/KubernetesConfiguration%20-%20FluxConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml) | | | | | | | [L1:1, L2:1, L3:3] | 71 | +| 66 | logic

workflow | [![Logic - Workflows](https://github.com/Azure/ResourceModules/workflows/Logic%20-%20Workflows/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | | | | | | | [L1:1, L2:1, L3:2] | 231 | +| 67 | machine-learning-services

workspace | [![MachineLearningServices - Workspaces](https://github.com/Azure/ResourceModules/workflows/MachineLearningServices%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | | | | | | | [L1:2, L2:1, L3:4] | 366 | +| 68 | maintenance

maintenance-configuration | [![Maintenance - MaintenanceConfigurations](https://github.com/Azure/ResourceModules/workflows/Maintenance%20-%20MaintenanceConfigurations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.maintenance.maintenanceconfigurations.yml) | | | | | | | [L1:1, L2:1, L3:3] | 136 | +| 69 | managed-identity

user-assigned-identity | [![ManagedIdentity - UserAssignedIdentities](https://github.com/Azure/ResourceModules/workflows/ManagedIdentity%20-%20UserAssignedIdentities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | | | | | | | [L1:2, L2:1, L3:3] | 113 | +| 70 | managed-services

registration-definition | [![ManagedServices - RegistrationDefinitions](https://github.com/Azure/ResourceModules/workflows/ManagedServices%20-%20RegistrationDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | | | | | | | [L1:1, L2:1, L3:3] | 67 | +| 71 | management

management-group | [![Management - ManagementGroups](https://github.com/Azure/ResourceModules/workflows/Management%20-%20ManagementGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | | | | | | | [L1:1, L2:1, L3:3] | 50 | +| 72 | net-app

net-app-account | [![NetApp - NetAppAccounts](https://github.com/Azure/ResourceModules/workflows/NetApp%20-%20NetAppAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | | | | | | | [L1:2, L2:2, L3:3] | 151 | +| 73 | network

application-gateway | [![Network - ApplicationGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | | | | | | | [L1:1, L2:1, L3:2] | 429 | +| 74 | network

application-gateway-web-application-firewall-policy | [![Network - ApplicationGatewayWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationGatewayWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml) | | | | | | | [L1:1, L2:1, L3:2] | 47 | +| 75 | network

application-security-group | [![Network - ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ApplicationSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | | | | | | | [L1:1, L2:1, L3:2] | 94 | +| 76 | network

azure-firewall | [![Network - AzureFirewalls](https://github.com/Azure/ResourceModules/workflows/Network%20-%20AzureFirewalls/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | | | | | | :white_check_mark: | [L1:1, L2:1, L3:7] | 316 | +| 77 | network

bastion-host | [![Network - BastionHosts](https://github.com/Azure/ResourceModules/workflows/Network%20-%20BastionHosts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | | | | | | :white_check_mark: | [L1:1, L2:1, L3:4] | 219 | +| 78 | network

connection | [![Network - Connections](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.connections.yml) | | | | | | | [L1:1, L2:1, L3:1] | 147 | +| 79 | network

ddos-protection-plan | [![Network - DdosProtectionPlans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | | | | | | [L1:1, L2:1, L3:3] | 95 | +| 80 | network

dns-forwarding-ruleset | [![Network - DNS Forwarding Rulesets](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Forwarding%20Rulesets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsforwardingrulesets.yml) | | | | | | | [L1:3, L2:1, L3:3] | 126 | +| 81 | network

dns-resolver | [![Network - DNS Resolvers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20DNS%20Resolvers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnsresolvers.yml) | | | | | | | [L1:1, L2:1, L3:2] | 137 | +| 82 | network

dns-zone | [![Network - Public DnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Public%20DnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.dnszones.yml) | | | | | | | [L1:11, L2:1, L3:3] | 248 | +| 83 | network

express-route-circuit | [![Network - ExpressRouteCircuits](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteCircuits/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutecircuits.yml) | | | | | | | [L1:1, L2:1, L3:3] | 228 | +| 84 | network

express-route-gateway | [![Network - ExpressRouteGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ExpressRouteGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.expressroutegateways.yml) | | | | | | | [L1:1, L2:1, L3:3] | 117 | +| 85 | network

firewall-policy | [![Network - FirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.firewallpolicies.yml) | | | | | | | [L1:2, L2:1, L3:3] | 173 | +| 86 | network

front-door | [![Network - Frontdoors](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Frontdoors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 181 | +| 87 | network

front-door-web-application-firewall-policy | [![Network - FrontDoorWebApplicationFirewallPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20FrontDoorWebApplicationFirewallPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml) | | | | | | | [L1:1, L2:1, L3:3] | 152 | +| 88 | network

ip-group | [![Network - IpGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20IpGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ipgroups.yml) | | | | | | | [L1:1, L2:1, L3:3] | 100 | +| 89 | network

load-balancer | [![Network - LoadBalancers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LoadBalancers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.loadbalancers.yml) | | | | | | | [L1:3, L2:1, L3:4] | 272 | +| 90 | network

local-network-gateway | [![Network - LocalNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20LocalNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.localnetworkgateways.yml) | | | | | | | [L1:1, L2:1, L3:3] | 120 | +| 91 | network

nat-gateway | [![Network - NatGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NatGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.natgateways.yml) | | | | | | | [L1:2, L2:1, L3:3] | 191 | +| 92 | network

network-interface | [![Network - NetworkInterfaces](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | | | | | | [L1:1, L2:1, L3:3] | 198 | +| 93 | network

network-manager | [![Network - Network Managers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20Network%20Managers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkmanagers.yml) | | | | | | | [L1:5, L2:3, L3:3] | 165 | +| 94 | network

network-security-group | [![Network - NetworkSecurityGroups](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | | | | | | [L1:2, L2:1, L3:3] | 188 | +| 95 | network

network-watcher | [![Network - NetworkWatchers](https://github.com/Azure/ResourceModules/workflows/Network%20-%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | | | | | | | [L1:3, L2:1, L3:3] | 129 | +| 96 | network

private-dns-zone | [![Network - PrivateDnsZones](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateDnsZones/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | | | | | | | [L1:10, L2:1, L3:3] | 226 | +| 97 | network

private-endpoint | [![Network - PrivateEndpoints](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateEndpoints/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | | | | | | | [L1:2, L2:1, L3:3] | 168 | +| 98 | network

private-link-service | [![Network - PrivateLinkServices](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PrivateLinkServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatelinkservices.yml) | | | | | | | [L1:1, L2:1, L3:3] | 121 | +| 99 | network

public-ip-address | [![Network - PublicIpAddresses](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpAddresses/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | | | | | | | [L1:1, L2:1, L3:3] | 214 | +| 100 | network

public-ip-prefix | [![Network - PublicIpPrefixes](https://github.com/Azure/ResourceModules/workflows/Network%20-%20PublicIpPrefixes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | | | | | | | [L1:1, L2:1, L3:3] | 109 | +| 101 | network

route-table | [![Network - RouteTables](https://github.com/Azure/ResourceModules/workflows/Network%20-%20RouteTables/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.routetables.yml) | | | | | | | [L1:1, L2:1, L3:3] | 102 | +| 102 | network

service-endpoint-policy | [![Network - ServiceEndpointPolicies](https://github.com/Azure/ResourceModules/workflows/Network%20-%20ServiceEndpointPolicies/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.serviceendpointpolicies.yml) | | | | | | | [L1:1, L2:1, L3:3] | 105 | +| 103 | network

trafficmanagerprofile | [![Network - TrafficManagerProfiles](https://github.com/Azure/ResourceModules/workflows/Network%20-%20TrafficManagerProfiles/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | | | | | | | [L1:1, L2:1, L3:3] | 195 | +| 104 | network

virtual-hub | [![Network - VirtualHubs](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualhubs.yml) | | | | | | | [L1:3, L2:1, L3:3] | 151 | +| 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | | | | | [L1:3, L2:1, L3:4] | 276 | +| 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | | | | | [L1:2, L2:1, L3:3] | 403 | +| 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | | | | | [L1:1, L2:1, L3:3] | 112 | +| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:3, L2:1, L3:3] | 114 | +| 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | | | | | [L1:1, L2:1, L3:3] | 124 | +| 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | | | | | [L1:8, L2:1, L3:4] | 348 | +| 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | [L1:1, L2:1, L3:3] | 53 | +| 112 | policy-insights

remediation | [![PolicyInsights - Remediations](https://github.com/Azure/ResourceModules/workflows/PolicyInsights%20-%20Remediations/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.policyinsights.remediations.yml) | | | | | | | [L1:4, L2:1, L3:6] | 106 | +| 113 | power-bi-dedicated

capacity | [![PowerBiDedicated - Capacities](https://github.com/Azure/ResourceModules/workflows/PowerBiDedicated%20-%20Capacities/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.powerbidedicated.capacities.yml) | | | | | | | [L1:1, L2:1, L3:3] | 133 | +| 114 | purview

account | [![Purview - Accounts](https://github.com/Azure/ResourceModules/workflows/Purview%20-%20Accounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.purview.accounts.yml) | | | | | | | [L1:1, L2:1, L3:3] | 315 | +| 115 | recovery-services

vault | [![RecoveryServices - Vaults](https://github.com/Azure/ResourceModules/workflows/RecoveryServices%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.recoveryservices.vaults.yml) | | | | | | | [L1:8, L2:3, L3:6] | 364 | +| 116 | relay

namespace | [![Relay - Namespaces](https://github.com/Azure/ResourceModules/workflows/Relay%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.relay.namespaces.yml) | | | | | | | [L1:5, L2:3, L3:4] | 339 | +| 117 | resource-graph

query | [![ResourceGraph - Queries](https://github.com/Azure/ResourceModules/workflows/ResourceGraph%20-%20Queries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resourcegraph.queries.yml) | | | | | | | [L1:1, L2:1, L3:3] | 101 | +| 118 | resources

deployment-script | [![Resources - DeploymentScripts](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | | | | | | [L1:1, L2:1, L3:2] | 132 | +| 119 | resources

resource-group | [![Resources - ResourceGroups](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20ResourceGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.resourcegroups.yml) | | | | | | | [L1:2, L2:1, L3:3] | 101 | +| 120 | resources

tags | [![Resources - Tags](https://github.com/Azure/ResourceModules/workflows/Resources%20-%20Tags/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.tags.yml) | | | | | | | [L1:3, L2:1, L3:3] | 54 | +| 121 | search

search-service | [![Search - SearchServices](https://github.com/Azure/ResourceModules/workflows/Search%20-%20SearchServices/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.search.searchservices.yml) | | | | | | | [L1:2, L2:1, L3:4] | 327 | +| 122 | security

azure-security-center | [![Security - AzureSecurityCenter](https://github.com/Azure/ResourceModules/workflows/Security%20-%20AzureSecurityCenter/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.security.azuresecuritycenter.yml) | | | | | | | [L1:1, L2:1, L3:2] | 221 | +| 123 | service-bus

namespace | [![ServiceBus - Namespaces](https://github.com/Azure/ResourceModules/workflows/ServiceBus%20-%20Namespaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicebus.namespaces.yml) | | | | | | | [L1:7, L2:3, L3:5] | 462 | +| 124 | service-fabric

cluster | [![ServiceFabric - Clusters](https://github.com/Azure/ResourceModules/workflows/ServiceFabric%20-%20Clusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.servicefabric.clusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 312 | +| 125 | signal-r-service

signal-r | [![SignalRService - SignalR](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20SignalR/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.signalr.yml) | | | | | | | [L1:1, L2:1, L3:3] | 277 | +| 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | [L1:1, L2:1, L3:4] | 253 | +| 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:7, L2:4, L3:4] | 373 | +| 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:9, L2:4, L3:6] | 389 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:7, L2:5, L3:7] | 524 | +| 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | [L1:1, L2:1, L3:3] | 171 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:4, L2:1, L3:6] | 374 | +| 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | [L1:1, L2:1, L3:3] | 216 | +| 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | [L1:1, L2:1, L3:2] | 118 | +| 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:3, L2:1, L3:2] | 262 | +| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 194 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:5, L3:5] | 453 | +| 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 |
+| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 980 | 29852 | ## Legend
From 9da4cb8d48cf6d894d8dfd9369a74ba5b56ffeb9 Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Sun, 12 Nov 2023 12:05:54 +0000
Subject: [PATCH 093/178] Push updated API Specs file
---
utilities/src/apiSpecsList.json | 1155 ++++++++++++++++++++++---------
1 file changed, 828 insertions(+), 327 deletions(-)
diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json
index 309df8f051..52d7783dee 100644
--- a/utilities/src/apiSpecsList.json
+++ b/utilities/src/apiSpecsList.json
@@ -1830,13 +1830,20 @@ ] }, "Microsoft.App": { + "builders": [ + "2023-08-01-preview" + ], + "builders/builds": [ + "2023-08-01-preview" + ], "connectedEnvironments": [ "2022-06-01-preview", "2022-10-01", "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "connectedEnvironments/certificates": [ "2022-06-01-preview", @@ -1844,7 +1851,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "connectedEnvironments/daprComponents": [ "2022-06-01-preview", @@ -1852,7 +1860,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "connectedEnvironments/storages": [ "2022-06-01-preview", @@ -1860,7 +1869,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "containerApps": [ "2022-01-01-preview", 
@@ -1870,7 +1880,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "containerApps/authConfigs": [ "2022-01-01-preview", @@ -1880,7 +1891,11 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" + ], + "containerApps/resiliencyPolicies": [ + "2023-08-01-preview" ], "containerApps/sourcecontrols": [ "2022-01-01-preview", @@ -1890,16 +1905,19 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "getCustomDomainVerificationId": [ - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "jobs": [ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations": [ "2022-03-01", @@ -1908,7 +1926,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/availableManagedEnvironmentsWorkloadProfileTypes": [ "2022-06-01-preview", @@ -1916,7 +1935,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/billingMeters": [ "2022-06-01-preview", @@ -1924,7 +1944,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/connectedEnvironmentOperationResults": [ "2022-06-01-preview", @@ -1932,7 +1953,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/connectedEnvironmentOperationStatuses": [ "2022-06-01-preview", 
@@ -1940,7 +1962,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/containerappOperationResults": [ "2022-03-01", @@ -1949,7 +1972,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/containerappOperationStatuses": [ "2022-03-01", @@ -1958,25 +1982,29 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/containerappsjobOperationResults": [ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/containerappsjobOperationStatuses": [ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/managedCertificateOperationStatuses": [ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/managedEnvironmentOperationResults": [ "2022-03-01", @@ -1985,7 +2013,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/managedEnvironmentOperationStatuses": [ "2022-03-01", @@ -1994,7 +2023,14 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" + ], + "locations/OperationResults": [ + "2023-08-01-preview" + ], + "locations/OperationStatuses": [ + "2023-08-01-preview" ], "locations/sourceControlOperationResults": [ "2022-03-01", @@ -2003,7 +2039,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/sourceControlOperationStatuses": [ "2022-03-01", 
@@ -2012,10 +2049,12 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "locations/usages": [ - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "managedEnvironments": [ "2022-01-01-preview", @@ -2025,7 +2064,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "managedEnvironments/certificates": [ "2022-01-01-preview", @@ -2035,7 +2075,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "managedEnvironments/daprComponents": [ "2022-01-01-preview", @@ -2045,13 +2086,21 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" + ], + "managedEnvironments/daprComponents/resiliencyPolicies": [ + "2023-08-01-preview" + ], + "managedEnvironments/daprSubscriptions": [ + "2023-08-01-preview" ], "managedEnvironments/managedCertificates": [ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "managedEnvironments/storages": [ "2022-01-01-preview", @@ -2061,7 +2110,8 @@ "2022-11-01-preview", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ], "operations": [ "2022-03-01", @@ -2071,7 +2121,8 @@ "2023-02-01", "2023-04-01-preview", "2023-05-01", - "2023-05-02-preview" + "2023-05-02-preview", + "2023-08-01-preview" ] }, "Microsoft.AppAssessment": { @@ -3160,7 +3211,8 @@ "2022-01-31", "2022-02-22", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/agentRegistrationInformation": [ "2015-01-01-preview", 
@@ -3172,14 +3224,16 @@ "2020-01-13-preview", "2021-04-01", "2021-06-22", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/certificates": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/compilationjobs": [ "2015-10-31", @@ -3197,28 +3251,32 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/connections": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/connectionTypes": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/credentials": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/hybridRunbookWorkerGroups": [ "2015-01-01-preview", @@ -3232,12 +3290,14 @@ "2021-06-22", "2022-02-22", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers": [ "2021-06-22", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/jobs": [ "2015-01-01-preview", @@ -3248,21 +3308,24 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/jobSchedules": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/modules": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/nodeConfigurations": [ "2015-10-31", 
@@ -3270,33 +3333,42 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" + ], + "automationAccounts/powerShell72Modules": [ + "2023-11-01" ], "automationAccounts/privateEndpointConnectionProxies": [ "2020-01-13-preview", "2021-06-22", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/privateEndpointConnections": [ "2020-01-13-preview", "2021-06-22", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/privateLinkResources": [ "2020-01-13-preview", "2021-06-22", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/python2Packages": [ "2018-06-30", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/python3Packages": [ "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/runbooks": [ "2015-01-01-preview", @@ -3307,14 +3379,16 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/runbooks/draft": [ "2015-10-31", "2018-06-30", "2019-06-01", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/runtimeEnvironments": [ "2023-05-15-preview" @@ -3327,7 +3401,8 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/softwareUpdateConfigurationMachineRuns": [ "2017-05-15-preview", @@ -3336,7 +3411,8 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/softwareUpdateConfigurationRuns": [ "2017-05-15-preview", 
@@ -3345,7 +3421,8 @@ "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/softwareUpdateConfigurations": [ "2017-05-15-preview", @@ -3353,28 +3430,32 @@ "2018-06-30", "2019-06-01", "2020-01-13-preview", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/sourceControls": [ "2017-05-15-preview", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/sourceControls/sourceControlSyncJobs": [ "2017-05-15-preview", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/variables": [ "2015-10-31", "2019-06-01", "2020-01-13-preview", "2022-08-08", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "automationAccounts/watchers": [ "2015-10-31", @@ -3388,11 +3469,13 @@ "2017-05-15-preview", "2018-01-15", "2018-06-30", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "deletedAutomationAccounts": [ "2022-01-31", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ], "operations": [ "2015-01-01-preview", @@ -3402,7 +3485,8 @@ "2018-06-30", "2019-06-01", "2020-01-13-preview", - "2023-05-15-preview" + "2023-05-15-preview", + "2023-11-01" ] }, "Microsoft.AutonomousDevelopmentPlatform": { @@ -3452,20 +3536,6 @@ "2022-02-01-privatepreview" ] }, - "Microsoft.AutonomousSystems": { - "operations": [ - "2020-05-01-preview" - ], - "workspaces": [ - "2020-05-01-preview" - ], - "workspaces/operationresults": [ - "2020-05-01-preview" - ], - "workspaces/validateCreateRequest": [ - "2020-05-01-preview" - ] - }, "Microsoft.AVS": { "locations": [ "2020-03-20", 
@@ -3740,12 +3810,16 @@ "2021-11-01", "2022-03-01-preview", "2022-06-15-preview", - "2023-01-15-preview" + "2023-01-15-preview", + "2023-05-16-preview", + "2023-09-01-preview" ], "dataControllers/activeDirectoryConnectors": [ "2022-03-01-preview", "2022-06-15-preview", - "2023-01-15-preview" + "2023-01-15-preview", + "2023-05-16-preview", + "2023-09-01-preview" ], "Locations": [ "2021-07-01-preview", @@ -3755,7 +3829,8 @@ "2022-06-15-preview", "2023-01-15-preview", "2023-05-16-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Locations/OperationStatuses": [ "2021-07-01-preview", @@ -3765,7 +3840,8 @@ "2022-06-15-preview", "2023-01-15-preview", "2023-05-16-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "Operations": [ "2021-07-01-preview", @@ -3775,14 +3851,17 @@ "2022-06-15-preview", "2023-01-15-preview", "2023-05-16-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "postgresInstances": [ "2021-06-01-preview", "2021-07-01-preview", "2022-03-01-preview", "2022-06-15-preview", - "2023-01-15-preview" + "2023-01-15-preview", + "2023-05-16-preview", + "2023-09-01-preview" ], "sqlManagedInstances": [ "2021-06-01-preview", @@ -3791,10 +3870,14 @@ "2021-11-01", "2022-03-01-preview", "2022-06-15-preview", - "2023-01-15-preview" + "2023-01-15-preview", + "2023-05-16-preview", + "2023-09-01-preview" ], "sqlManagedInstances/failoverGroups": [ - "2023-01-15-preview" + "2023-01-15-preview", + "2023-05-16-preview", + "2023-09-01-preview" ], "sqlServerInstances": [ "2021-06-01-preview", @@ -4147,7 +4230,7 @@ "2023-08-01-preview", "2023-09-01-preview" ], - "locations/operationStatuses": [ + "locations/operationstatuses": [ "2020-10-01", "2021-01-01-preview", "2021-07-01-preview", @@ -4218,7 +4301,8 @@ "2023-02-01", "2023-03-01", "2023-06-01", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" ], "storageContainers": [ "2021-09-01-preview", 
@@ -5920,7 +6004,8 @@ "2023-03-01-preview", "2023-07-01", "2023-08-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "redisEnterprise/databases": [ "2020-04-01-preview", @@ -5933,7 +6018,8 @@ "2023-03-01-preview", "2023-07-01", "2023-08-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "RedisEnterprise/privateEndpointConnectionProxies": [ "2020-04-01-preview", @@ -5982,7 +6068,8 @@ "2023-03-01-preview", "2023-07-01", "2023-08-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "RedisEnterprise/privateEndpointConnections/operationresults": [ "2020-04-01-preview", @@ -7056,7 +7143,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "certificateOrders/certificates": [ "2015-08-01", @@ -7071,7 +7159,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "operations": [ "2015-08-01", @@ -7086,7 +7175,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "validateCertificateRegistrationInformation": [ "2015-08-01", @@ -7101,7 +7191,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ] }, "Microsoft.ChangeAnalysis": { @@ -7924,6 +8015,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview" ], "communicationServices": [ @@ -7984,6 +8076,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview" ], "locations/operationStatuses": [ @@ -7994,6 +8087,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview" ], "operations": [ @@ -8004,6 +8098,7 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview" ], "registeredSubscriptions": [ 
@@ -8013,9 +8108,15 @@ "2022-10-01-preview", "2023-03-01-preview", "2023-03-31", + "2023-04-01", "2023-04-01-preview" ] }, + "Microsoft.Community": { + "communityTrainings": [ + "2023-11-01" + ] + }, "Microsoft.Compute": { "availabilitySets": [ "2015-05-01-preview", @@ -10218,7 +10319,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "locations": [ "2017-10-01", @@ -10235,7 +10337,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "locations/deleteVirtualNetworkOrSubnets": [ "2017-10-01", @@ -10256,7 +10359,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "operations": [ "2017-03-01", @@ -10273,7 +10377,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries": [ "2016-06-27-preview", @@ -10336,7 +10441,8 @@ "2022-02-01-preview", "2023-01-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/credentialSets": [ "2023-01-01-preview", @@ -10374,7 +10480,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/importImage": [ "2017-10-01", @@ -10390,7 +10497,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/importPipelines": [ "2019-12-01-preview", @@ -10424,7 +10532,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/listPolicies": [ "2017-10-01" 
@@ -10443,7 +10552,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/packages/archives": [ "2023-06-01-preview", @@ -10479,7 +10589,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/privateEndpointConnectionProxies/validate": [ "2019-12-01-preview", @@ -10493,7 +10604,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/privateEndpointConnections": [ "2019-12-01-preview", @@ -10522,7 +10634,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/regenerateCredential": [ "2017-03-01", @@ -10539,7 +10652,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/replications": [ "2017-06-01-preview", @@ -10658,7 +10772,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/webhooks/listEvents": [ "2017-10-01", @@ -10674,7 +10789,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "registries/webhooks/ping": [ "2017-10-01", @@ -10690,7 +10806,8 @@ "2023-01-01-preview", "2023-06-01-preview", "2023-07-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ] }, "Microsoft.ContainerRegistry.Admin": { @@ -11176,7 +11293,8 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01" ], "ManagedClusters/eventGridFilters": [ "2021-02-01", 
@@ -11274,7 +11392,8 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01" ], "managedClusters/privateEndpointConnections": [ "2020-06-01", @@ -11327,7 +11446,8 @@ "2023-08-01", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01" ], "managedClusters/trustedAccessRoleBindings": [ "2022-04-02-preview", @@ -11348,7 +11468,8 @@ "2023-07-02-preview", "2023-08-02-preview", "2023-09-01", - "2023-09-02-preview" + "2023-09-02-preview", + "2023-10-01" ], "managedclustersnapshots": [ "2022-02-02-preview", @@ -13231,6 +13352,7 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", + "2023-08-01", "2023-08-01-preview" ], "backupVaults/backupInstances": [ @@ -13254,6 +13376,7 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", + "2023-08-01", "2023-08-01-preview" ], "backupVaults/backupPolicies": [ @@ -13277,6 +13400,7 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", + "2023-08-01", "2023-08-01-preview" ], "backupVaults/backupResourceGuardProxies": [ @@ -13287,6 +13411,7 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", + "2023-08-01", "2023-08-01-preview" ], "locations": [ @@ -13471,6 +13596,7 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", + "2023-08-01", "2023-08-01-preview" ] }, @@ -13859,7 +13985,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations": [ "2017-12-01", @@ -13886,11 +14013,13 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations/capabilitySets": [ "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations/checkNameAvailability": [ "2021-05-01", 
@@ -13902,7 +14031,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations/checkVirtualNetworkSubnetUsage": [ "2020-07-01-preview", @@ -13916,7 +14046,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations/listMigrations": [ "2022-01-01", @@ -13924,7 +14055,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "locations/operationResults": [], "locations/performanceTiers": [ @@ -13983,7 +14115,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "operations": [ "2017-12-01", @@ -13997,7 +14130,8 @@ "2022-09-30-preview", "2022-09-30-privatepreview", "2023-06-01-preview", - "2023-06-30" + "2023-06-30", + "2023-10-01-preview" ], "servers": [ "2017-12-01", @@ -14816,7 +14950,8 @@ "2023-05-18-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-10-09-privatepreview" ], "scalingPlans": [ "2019-01-23-preview", @@ -15252,6 +15387,33 @@ ], "assets": [ "2023-11-01-preview" + ], + "locations": [ + "2022-05-21-preview", + "2023-06-21-preview", + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview", + "2023-11-01-preview" + ], + "locations/operationStatuses": [ + "2023-11-01-preview" + ], + "operations": [ + "2022-05-21-preview", + "2023-06-21-preview", + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview", + "2023-11-01-preview" + ], + "operationStatuses": [ + "2022-05-21-preview", + "2023-06-21-preview", + "2023-08-01-preview", + "2023-09-01-preview", + "2023-10-01-preview", + "2023-11-01-preview" ] }, "Microsoft.Devices": { 
@@ -15753,6 +15915,11 @@ "2020-07-13-preview" ] }, + "Microsoft.DevOpsInfrastructure": { + "pools": [ + "2023-10-30-preview" + ] + }, "Microsoft.DevSpaces": { "controllers": [ "2019-04-01" @@ -17531,7 +17698,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "domains": [ "2015-02-01", @@ -17548,7 +17716,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "domains/domainOwnershipIdentifiers": [ "2015-02-01", @@ -17564,12 +17733,14 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "domains/transferOut": [ "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "generateSsoRequest": [ "2015-02-01", @@ -17585,7 +17756,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "listDomainRecommendations": [ "2015-02-01", @@ -17601,7 +17773,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "operations": [ "2015-02-01", @@ -17617,7 +17790,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "topLevelDomains": [ "2015-02-01", @@ -17633,7 +17807,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "validateDomainRegistrationInformation": [ "2015-02-01", @@ -17649,7 +17824,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ] }, "Microsoft.Dynamics365FraudProtection": { 
@@ -17677,13 +17853,29 @@ "Microsoft.EdgeManagement": { "locations": [ "2023-09-01-preview" + ], + "operations": [ + "2023-09-01-preview" ] }, - "Microsoft.EdgeMarketPlace": { + "Microsoft.EdgeMarketplace": { + "locations": [ + "2023-08-01-preview" + ], + "locations/operationStatuses": [ + "2023-08-01-preview" + ], + "offers": [ + "2023-08-01-preview" + ], "operations": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01" + "2023-08-01", + "2023-08-01-preview" + ], + "publishers": [ + "2023-08-01-preview" ] }, "Microsoft.EdgeOrder": { @@ -18046,7 +18238,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "locations": [ "2017-06-15-preview", @@ -18065,7 +18258,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "locations/eventSubscriptions": [ "2017-06-15-preview", @@ -18084,7 +18278,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "locations/operationResults": [ "2017-06-15-preview", @@ -18103,7 +18298,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "locations/operationsStatus": [ "2017-06-15-preview", @@ -18122,7 +18318,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "locations/topicTypes": [ "2017-06-15-preview", @@ -18141,7 +18338,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "namespaces": [ "2023-06-01-preview", @@ -18192,7 +18390,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "operations": [ "2017-06-15-preview", 
@@ -18229,7 +18428,8 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "partnerConfigurations": [ "2021-10-15-preview", @@ -18354,12 +18554,14 @@ "2021-10-15-preview", "2021-12-01", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ], "verifiedPartners": [ "2021-10-15-preview", "2022-06-15", - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-15-preview" ] }, "Microsoft.EventHub": { @@ -18631,22 +18833,28 @@ }, "Microsoft.Fabric": { "capacities": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ], "locations": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ], "locations/checkNameAvailability": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ], "locations/operationresults": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ], "locations/operationstatuses": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ], "operations": [ - "2022-07-01-preview" + "2022-07-01-preview", + "2023-11-01" ] }, "Microsoft.Fabric.Admin": { @@ -18994,7 +19202,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "locations": [ "2018-08-20-preview", @@ -19009,7 +19221,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "locations/operationresults": [ "2018-08-20-preview", @@ -19025,7 +19241,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "operations": [ "2018-08-20-preview", 
@@ -19040,7 +19260,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "services": [ "2018-08-20-preview", @@ -19056,8 +19280,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "services/iomtconnectors": [ "2020-05-01-preview" @@ -19077,8 +19304,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "services/privateEndpointConnections": [ "2020-03-30", @@ -19091,8 +19321,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "services/privateLinkResources": [ "2020-03-30", @@ -19103,8 +19336,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "validateMedtechMappings": [ "2022-01-31-preview" @@ -19118,8 +19354,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/analyticsconnectors": [ "2022-10-01-preview" @@ -19133,8 +19372,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/eventGridFilters": [ "2021-11-01", @@ -19143,7 +19385,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/fhirservices": [ "2021-06-01-preview", 
@@ -19154,7 +19400,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/iotconnectors": [ "2021-06-01-preview", @@ -19165,7 +19415,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/iotconnectors/fhirdestinations": [ "2021-06-01-preview", @@ -19176,7 +19430,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", - "2023-09-06" + "2023-06-01-preview", + "2023-09-06", + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/privateEndpointConnectionProxies": [ "2021-11-01", @@ -19185,8 +19443,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/privateEndpointConnections": [ "2021-11-01", @@ -19196,8 +19457,11 @@ "2022-10-01-preview", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ], "workspaces/privateLinkResources": [ "2021-11-01", @@ -19206,8 +19470,11 @@ "2022-06-01", "2022-12-01", "2023-02-28", + "2023-06-01-preview", "2023-09-06", - "2023-10-15-preview" + "2023-10-15-preview", + "2023-11-01", + "2023-11-01-preview" ] }, "Microsoft.HealthDataAIServices": { @@ -19280,7 +19547,8 @@ }, "Microsoft.HybridCompute": { "licenses": [ - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations": [ "2019-08-02-preview", @@ -19304,7 +19572,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/operationResults": [ "2019-08-02-preview", 
@@ -19328,7 +19597,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/operationStatus": [ "2019-08-02-preview", @@ -19352,7 +19622,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/privateLinkScopes": [ "2021-01-28-preview", @@ -19370,7 +19641,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/publishers": [ "2022-08-11-preview", @@ -19379,7 +19651,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/publishers/extensionTypes": [ "2022-08-11-preview", @@ -19388,7 +19661,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/publishers/extensionTypes/versions": [ "2022-08-11-preview", @@ -19397,7 +19671,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "locations/updateCenterOperationResults": [ "2020-08-15-preview", @@ -19416,7 +19691,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines": [ "2019-03-18", @@ -19443,7 +19719,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/assessPatches": [ "2020-08-15-preview", @@ -19462,7 +19739,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/extensions": [ "2019-08-02", 
@@ -19487,13 +19765,15 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/hybridIdentityMetadata": [ "2022-12-27", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/installPatches": [ "2020-08-15-preview", @@ -19512,10 +19792,12 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/licenseProfiles": [ - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "machines/privateLinkScopes": [ "2021-01-28-preview", @@ -19533,7 +19815,13 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" + ], + "machines/runcommands": [ + "2023-04-25-preview", + "2023-06-20-preview", + "2023-10-03-preview" ], "operations": [ "2019-03-18-preview", @@ -19558,22 +19846,26 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "osType": [ "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "osType/agentVersions": [ "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "osType/agentVersions/latest": [ "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "privateLinkScopes": [ "2020-08-15-preview", @@ -19592,7 +19884,11 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" + ], + "privateLinkScopes/networkSecurityPerimeterAssociationProxies": [ + "2023-10-03-preview" ], "privateLinkScopes/privateEndpointConnectionProxies": [ "2020-08-15-preview", 
@@ -19611,7 +19907,8 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "privateLinkScopes/privateEndpointConnections": [ "2020-08-15-preview", @@ -19630,13 +19927,15 @@ "2022-12-27-preview", "2023-03-15-preview", "2023-04-25-preview", - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ], "privateLinkScopes/scopedResources": [ "2020-08-15-preview" ], "validateLicense": [ - "2023-06-20-preview" + "2023-06-20-preview", + "2023-10-03-preview" ] }, "Microsoft.HybridConnectivity": { @@ -20260,7 +20559,8 @@ "2017-12-01-preview", "2018-01-01", "2021-05-01", - "2022-04-01-preview" + "2022-04-01-preview", + "2023-10-01" ], "metricNamespaces": [ "2017-12-01-preview" @@ -20273,7 +20573,8 @@ "2017-12-01-preview", "2018-01-01", "2019-07-01", - "2021-05-01" + "2021-05-01", + "2023-10-01" ], "migratealertrules": [ "2018-03-01" @@ -20499,9 +20800,24 @@ ], "instances/pipelines": [ "2023-10-04-preview" + ], + "locations": [ + "2023-10-04-preview" + ], + "locations/operationStatuses": [ + "2023-10-04-preview" + ], + "operations": [ + "2023-10-04-preview" ] }, "Microsoft.IoTOperationsMQ": { + "Locations": [ + "2023-10-04-preview" + ], + "Locations/OperationStatuses": [ + "2023-10-04-preview" + ], "mq": [ "2023-10-04-preview" ], @@ -20537,12 +20853,24 @@ ], "mq/mqttBridgeConnector/topicMap": [ "2023-10-04-preview" + ], + "Operations": [ + "2023-10-04-preview" ] }, "Microsoft.IoTOperationsOrchestrator": { "instances": [ "2023-10-04-preview" ], + "locations": [ + "2023-10-04-preview" + ], + "locations/operationStatuses": [ + "2023-10-04-preview" + ], + "operations": [ + "2023-10-04-preview" + ], "solutions": [ "2023-10-04-preview" ], @@ -22946,9 +23274,6 @@ ], "Locations/OperationStatuses": [ "2023-02-01-preview" - ], - "managedstorageclass": [ - "2023-02-01-preview" ] }, "Microsoft.Management": { 
@@ -23457,11 +23782,8 @@ "2018-07-01", "2020-05-01", "2021-05-01", - "2021-05-01-preview", - "2021-05-01-privatepreview", "2021-06-01", "2021-11-01", - "2021-11-01-preview", "2023-01-01" ], "locations/checkNameAvailability": [ @@ -23471,11 +23793,8 @@ "2018-07-01", "2020-05-01", "2021-05-01", - "2021-05-01-preview", - "2021-05-01-privatepreview", "2021-06-01", "2021-11-01", - "2021-11-01-preview", "2023-01-01" ], "locations/mediaServicesOperationResults": [ @@ -23502,12 +23821,6 @@ "2021-11-01", "2023-01-01" ], - "locations/videoAnalyzerOperationResults": [ - "2021-11-01-preview" - ], - "locations/videoAnalyzerOperationStatuses": [ - "2021-11-01-preview" - ], "mediaservices": [ "2015-04-01", "2015-10-01", @@ -23555,6 +23868,16 @@ "2022-08-01", "2023-01-01" ], + "mediaservices/assets/tracks/operationResults": [ + "2021-11-01", + "2022-08-01", + "2023-01-01" + ], + "mediaservices/assets/tracks/operationstatuses": [ + "2021-11-01", + "2022-08-01", + "2023-01-01" + ], "mediaServices/contentKeyPolicies": [ "2018-03-30-preview", "2018-06-01-preview", @@ -23602,6 +23925,28 @@ "2022-08-01", "2022-11-01" ], + "mediaservices/liveevents/liveoutputs/operationlocations": [ + "2018-03-30-preview", + "2018-06-01-preview", + "2018-07-01", + "2019-05-01-preview", + "2020-05-01", + "2021-06-01", + "2021-11-01", + "2022-08-01", + "2022-11-01" + ], + "mediaservices/liveevents/operationlocations": [ + "2018-03-30-preview", + "2018-06-01-preview", + "2018-07-01", + "2019-05-01-preview", + "2020-05-01", + "2021-06-01", + "2021-11-01", + "2022-08-01", + "2022-11-01" + ], "mediaservices/liveOutputOperations": [ "2018-03-30-preview", "2018-06-01-preview", 
@@ -23660,6 +24005,17 @@ "2022-08-01", "2022-11-01" ], + "mediaservices/streamingendpoints/operationlocations": [ + "2018-03-30-preview", + "2018-06-01-preview", + "2018-07-01", + "2019-05-01-preview", + "2020-05-01", + "2021-06-01", + "2021-11-01", + "2022-08-01", + "2022-11-01" + ], "mediaServices/streamingLocators": [ "2018-03-30-preview", "2018-06-01-preview", @@ -23714,16 +24070,12 @@ "2018-07-01", "2020-05-01", "2021-05-01", - "2021-05-01-preview", - "2021-05-01-privatepreview", "2021-06-01", "2021-11-01", - "2021-11-01-preview", "2023-01-01" ], "videoAnalyzers": [ "2021-05-01-preview", - "2021-05-01-privatepreview", "2021-11-01-preview" ], "videoAnalyzers/accessPolicies": [ @@ -24174,10 +24526,6 @@ "2021-06-03-preview", "2023-04-03" ], - "locations/operationStatuses": [ - "2021-06-03-preview", - "2023-04-03" - ], "operations": [ "2021-06-01-preview", "2021-06-03-preview", @@ -24185,6 +24533,17 @@ "2023-04-03" ] }, + "Microsoft.MySQLDiscovery": { + "locations": [ + "2023-09-30-preview" + ], + "locations/operationStatuses": [ + "2023-09-30-preview" + ], + "operations": [ + "2023-09-30-preview" + ] + }, "Microsoft.NetApp": { "locations": [ "2017-08-15", @@ -25091,7 +25450,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "ApplicationGatewayWebApplicationFirewallPolicies": [ "2018-12-01", @@ -25522,7 +25882,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "customIpPrefixes": [ "2020-06-01", @@ -25576,7 +25937,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "ddosProtectionPlans": [ "2018-02-01", @@ -25952,7 +26314,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRouteCircuits/peerings": [ "2015-05-01-preview", 
@@ -26002,7 +26365,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRouteCircuits/peerings/connections": [ "2018-02-01", @@ -26039,7 +26403,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRouteCrossConnections": [ "2018-02-01", @@ -26076,7 +26441,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRouteCrossConnections/peerings": [ "2018-02-01", @@ -26113,7 +26479,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRouteGateways": [ "2018-08-01", @@ -26185,7 +26552,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "ExpressRoutePorts": [ "2018-07-01", @@ -26236,7 +26604,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "expressRoutePortsLocations": [ "2018-08-01", @@ -26392,7 +26761,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "firewallPolicies/ruleGroups": [ "2019-06-01", @@ -26414,7 +26784,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "frontdoorOperationResults": [ "2018-08-01", @@ -26659,7 +27030,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "loadBalancers/inboundNatRules": [ "2017-06-01", @@ -26702,7 +27074,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "localNetworkGateways": [ "2014-12-01-preview", @@ -28156,7 +28529,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagerConnections": [ "2021-05-01-preview", @@ -28203,7 +28577,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/networkGroups": [ "2021-02-01-preview", 
@@ -28217,7 +28592,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/networkGroups/staticMembers": [ "2021-05-01-preview", @@ -28230,7 +28606,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/scopeConnections": [ "2021-05-01-preview", @@ -28243,7 +28620,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/securityAdminConfigurations": [ "2021-02-01-preview", @@ -28257,7 +28635,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/securityAdminConfigurations/ruleCollections": [ "2021-02-01-preview", @@ -28271,7 +28650,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/securityAdminConfigurations/ruleCollections/rules": [ "2021-02-01-preview", @@ -28285,7 +28665,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkManagers/securityUserConfigurations": [ "2021-02-01-preview", @@ -28459,7 +28840,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkSecurityPerimeters": [ "2021-02-01-preview", @@ -28532,13 +28914,11 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkVirtualAppliances/networkVirtualApplianceConnections": [ - "2022-11-01", - "2023-02-01", - "2023-04-01", - "2023-05-01" + "2023-06-01" ], "networkVirtualAppliances/virtualApplianceSites": [ "2020-05-01", @@ -28557,7 +28937,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkVirtualApplianceSkus": [ "2020-03-01", @@ -28792,7 +29173,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "networkWatchers/pingMeshes": [ "2017-09-01", 
@@ -29101,7 +29483,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "privateEndpoints/privateLinkServiceProxies": [ "2019-02-01", @@ -29203,7 +29586,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "publicIPAddresses": [ "2014-12-01-preview", @@ -29419,7 +29803,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "routeTables": [ "2014-12-01-preview", @@ -29533,7 +29918,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "securityPartnerProviders": [ "2020-01-01", @@ -29640,7 +30026,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "trafficManagerGeographicHierarchies": [ "2017-03-01", @@ -29782,7 +30169,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/hubRouteTables": [ "2020-04-01", @@ -29802,7 +30190,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/hubVirtualNetworkConnections": [ "2020-05-01", @@ -29821,7 +30210,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/ipConfigurations": [ "2020-05-01", @@ -29840,7 +30230,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/routeMaps": [ "2022-05-01", @@ -29849,7 +30240,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/routeTables": [ "2019-09-01", @@ -29873,7 +30265,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualHubs/routingIntent": [ "2021-05-01", @@ -29885,7 +30278,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualNetworkGateways": [ "2014-12-01-preview", 
@@ -29963,7 +30357,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualNetworks": [ "2014-12-01-preview", @@ -30120,7 +30515,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualNetworks/taggedTrafficConsumers": [ "2014-12-01-preview", @@ -30231,7 +30627,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualNetworkTaps": [ "2018-08-01", @@ -30330,7 +30727,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "virtualWans": [ "2017-09-01", @@ -30454,7 +30852,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "vpnGateways/vpnConnections": [ "2018-04-01", @@ -30490,7 +30889,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "vpnServerConfigurations": [ "2019-08-01", @@ -30532,7 +30932,8 @@ "2022-11-01", "2023-02-01", "2023-04-01", - "2023-05-01" + "2023-05-01", + "2023-06-01" ], "vpnSites": [ "2017-09-01", @@ -31763,6 +32164,26 @@ "2023-07-01-preview" ] }, + "Microsoft.ProgrammableConnectivity": { + "Gateways": [ + "2023-11-01-preview" + ], + "Locations": [ + "2023-11-01-preview" + ], + "Locations/OperationStatuses": [ + "2023-11-01-preview" + ], + "OpenApiGatewayOfferings": [ + "2023-11-01-preview" + ], + "OpenApiGateways": [ + "2023-11-01-preview" + ], + "Operations": [ + "2023-11-01-preview" + ] + }, "Microsoft.ProviderHub": { "availableAccounts": [ "2019-02-01-preview", @@ -34588,7 +35009,8 @@ ], "securityContacts": [ "2017-08-01-preview", - "2020-01-01-preview" + "2020-01-01-preview", + "2023-12-01-preview" ], "securitySolutions": [ "2015-06-01-preview", @@ -36236,7 +36658,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/managedClusterOperationResults": [ "2020-01-01-preview", 
@@ -36252,7 +36675,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/managedClusterOperations": [ "2020-01-01-preview", @@ -36268,7 +36692,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/managedClusterVersions": [ "2020-01-01-preview", @@ -36284,7 +36709,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/managedUnsupportedVMSizes": [ "2020-01-01-preview", @@ -36300,7 +36726,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "locations/operationResults": [ "2016-03-01", @@ -36383,7 +36810,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "managedclusters/applications": [ "2021-01-01-preview", @@ -36399,7 +36827,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "managedclusters/applications/services": [ "2021-01-01-preview", @@ -36415,7 +36844,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "managedclusters/applicationTypes": [ "2021-01-01-preview", @@ -36431,7 +36861,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "managedclusters/applicationTypes/versions": [ "2021-01-01-preview", 
@@ -36447,7 +36878,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "managedClusters/nodeTypes": [ "2020-01-01-preview", @@ -36464,7 +36896,8 @@ "2023-02-01-preview", "2023-03-01-preview", "2023-07-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview" ], "operations": [ "2016-03-01", @@ -43349,6 +43782,9 @@ ] }, "Microsoft.Syntex": { + "accounts": [ + "2023-01-04-preview" + ], "documentProcessors": [ "2022-09-15-preview" ], @@ -44173,7 +44609,8 @@ "containerApps": [ "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "csrs": [ "2015-08-01" @@ -44354,7 +44791,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "hostingEnvironments/eventGridFilters": [ "2014-04-01", @@ -44425,7 +44863,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "hostingEnvironments/workerPools": [ "2014-04-01", @@ -44544,7 +44983,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "listSitesAssignedToHostName": [ "2015-02-01", @@ -45057,7 +45497,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "serverfarms/virtualNetworkConnections/routes": [ "2015-08-01", @@ -45073,7 +45514,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites": [ "2014-04-01", @@ -45123,7 +45565,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/config": [ "2015-08-01", @@ -45140,7 +45583,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/deployments": [ "2015-08-01", @@ -45157,7 +45601,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/domainOwnershipIdentifiers": [ "2016-08-01", 
@@ -45173,7 +45618,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/eventGridFilters": [ "2014-04-01", @@ -45222,7 +45668,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/functions": [ "2016-08-01", @@ -45238,7 +45685,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/functions/keys": [ "2018-02-01", @@ -45252,7 +45700,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/host/{keyType}": [ "2018-02-01", @@ -45266,7 +45715,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/hostNameBindings": [ "2015-02-01", @@ -45307,7 +45757,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/hybridConnectionNamespaces/relays": [ "2016-08-01", @@ -45323,7 +45774,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/instances/deployments": [ "2015-08-01" @@ -45342,7 +45794,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/migrate": [ "2016-08-01", @@ -45358,7 +45811,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/networkConfig": [ "2015-02-01", @@ -45420,7 +45874,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/privateEndpointConnections": [ "2019-08-01", @@ -45433,7 +45888,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/publicCertificates": [ "2016-08-01", @@ -45449,7 +45905,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/siteextensions": [ "2016-08-01", 
@@ -45465,7 +45922,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots": [ "2014-04-01", @@ -45510,7 +45968,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/config": [ "2015-08-01", @@ -45527,7 +45986,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/deployments": [ "2015-08-01", @@ -45544,7 +46004,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/domainOwnershipIdentifiers": [ "2016-08-01", @@ -45560,7 +46021,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/eventGridFilters": [ "2014-04-01", @@ -45608,7 +46070,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/functions": [ "2016-08-01", @@ -45624,7 +46087,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/functions/keys": [ "2018-02-01", @@ -45638,7 +46102,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/host/{keyType}": [ "2018-02-01", @@ -45652,7 +46117,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/hostNameBindings": [ "2015-02-01", @@ -45693,7 +46159,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/hybridConnectionNamespaces/relays": [ "2016-08-01", @@ -45709,7 +46176,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/instances/deployments": [ "2015-08-01" @@ -45728,7 +46196,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/networkConfig": [ "2015-02-01", 
@@ -45769,7 +46238,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/privateAccess": [ "2018-02-01", @@ -45784,7 +46254,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/privateEndpointConnections": [ "2020-12-01", @@ -45793,7 +46264,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/publicCertificates": [ "2016-08-01", @@ -45809,7 +46281,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/siteextensions": [ "2016-08-01", @@ -45825,7 +46298,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/snapshots": [ "2015-08-01" @@ -45845,7 +46319,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/virtualNetworkConnections": [ "2015-08-01", @@ -45862,7 +46337,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/slots/virtualNetworkConnections/gateways": [ "2015-08-01", @@ -45879,7 +46355,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/snapshots": [ "2015-08-01" @@ -45899,7 +46376,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/virtualNetworkConnections": [ "2015-08-01", @@ -45916,7 +46394,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sites/virtualNetworkConnections/gateways": [ "2015-08-01", @@ -45933,7 +46412,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "sourcecontrols": [ "2014-04-01", @@ -45978,7 +46458,8 @@ "2023-01-01" ], "staticSites/basicAuth": [ - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "staticSites/builds": [ "2019-08-01", 
@@ -46006,7 +46487,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "staticSites/builds/databaseConnections": [ "2019-08-01", @@ -46059,7 +46541,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "staticSites/customDomains": [ "2019-08-01", @@ -46072,7 +46555,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "staticSites/databaseConnections": [ "2019-08-01", @@ -46111,7 +46595,8 @@ "2021-02-01", "2021-03-01", "2022-03-01", - "2022-09-01" + "2022-09-01", + "2023-01-01" ], "staticSites/userProvidedFunctionApps": [ "2020-12-01", @@ -46273,16 +46758,19 @@ "monitors": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "monitors/providerInstances": [ "2021-12-01-preview", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "monitors/sapLandscapeMonitor": [ "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-10-01-preview" ], "Operations": [ "2021-12-01-preview", @@ -46406,16 +46894,19 @@ "checkNameAvailability": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "firewalls": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "firewalls/statuses": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "globalRulestacks": [ 
@@ -46445,50 +46936,60 @@ "localRulestacks": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "localRulestacks/certificates": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "localRulestacks/fqdnlists": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "localRulestacks/localRules": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "localRulestacks/prefixlists": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview" ], "locations": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview", "2023-10-10-preview" ], "Locations/operationStatuses": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview", "2023-10-10-preview" ], "operations": [ "2022-08-29", "2022-08-29-preview", + "2023-09-01", "2023-09-01-preview", "2023-10-10-preview" ], "registeredSubscriptions": [ "2022-08-29", "2022-08-29-preview", - "2023-09-01-preview" + "2023-09-01", + "2023-09-01-preview", + "2023-10-10-preview" ] }, "Qumulo.Storage": { From a25fe096c06240f6a39ba9cf3827fd644337076b Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sun, 12 Nov 2023 17:55:14 +0100 Subject: [PATCH 094/178] Removed redundant null values from UDT as per AVM (#4208) --- modules/aad/domain-service/main.bicep | 4 ++-- modules/analysis-services/server/main.bicep | 4 ++-- modules/api-management/service/main.bicep | 4 ++-- modules/app-configuration/configuration-store/main.bicep | 4 ++-- modules/app/container-app/main.bicep | 2 +- modules/app/job/main.bicep | 2 +- modules/app/managed-environment/main.bicep | 2 +- modules/automation/automation-account/main.bicep | 4 ++-- modules/batch/batch-account/main.bicep | 4 ++-- modules/cache/redis-enterprise/main.bicep | 4 ++-- modules/cache/redis/main.bicep | 4 ++-- modules/cdn/profile/main.bicep | 2 +- modules/cognitive-services/account/main.bicep | 4 ++-- modules/compute/availability-set/main.bicep | 2 +- modules/compute/disk-encryption-set/main.bicep | 2 +- modules/compute/disk/main.bicep | 2 +- modules/compute/gallery/application/main.bicep | 2 +- modules/compute/gallery/image/main.bicep | 2 +- modules/compute/gallery/main.bicep | 2 +- modules/compute/image/main.bicep | 2 +- modules/compute/proximity-placement-group/main.bicep | 2 +- modules/compute/ssh-public-key/main.bicep | 2 +- modules/compute/virtual-machine-scale-set/main.bicep | 4 ++-- modules/compute/virtual-machine/main.bicep | 4 ++-- .../virtual-machine/modules/nested_networkInterface.bicep | 4 ++-- modules/container-registry/registry/main.bicep | 4 ++-- modules/container-service/managed-cluster/main.bicep | 4 ++-- modules/data-factory/factory/main.bicep | 4 ++-- modules/data-protection/backup-vault/main.bicep | 2 +- modules/databricks/access-connector/main.bicep | 2 +- modules/databricks/workspace/main.bicep | 4 ++-- modules/db-for-my-sql/flexible-server/main.bicep | 4 ++-- modules/db-for-postgre-sql/flexible-server/main.bicep | 4 ++-- modules/desktop-virtualization/application-group/main.bicep | 4 ++-- modules/desktop-virtualization/host-pool/main.bicep | 4 ++-- 
modules/desktop-virtualization/scaling-plan/main.bicep | 4 ++-- modules/desktop-virtualization/workspace/main.bicep | 4 ++-- modules/dev-test-lab/lab/main.bicep | 2 +- modules/digital-twins/digital-twins-instance/main.bicep | 4 ++-- modules/document-db/database-account/main.bicep | 4 ++-- modules/event-grid/domain/main.bicep | 4 ++-- modules/event-grid/system-topic/main.bicep | 4 ++-- modules/event-grid/topic/main.bicep | 4 ++-- modules/event-hub/namespace/eventhub/main.bicep | 2 +- modules/event-hub/namespace/main.bicep | 4 ++-- modules/health-bot/health-bot/main.bicep | 2 +- modules/healthcare-apis/workspace/dicomservice/main.bicep | 2 +- modules/healthcare-apis/workspace/fhirservice/main.bicep | 4 ++-- modules/healthcare-apis/workspace/iotconnector/main.bicep | 2 +- modules/healthcare-apis/workspace/main.bicep | 2 +- modules/insights/action-group/main.bicep | 2 +- modules/insights/activity-log-alert/main.bicep | 2 +- modules/insights/component/main.bicep | 4 ++-- modules/insights/data-collection-endpoint/main.bicep | 2 +- modules/insights/data-collection-rule/main.bicep | 2 +- modules/insights/metric-alert/main.bicep | 2 +- modules/insights/private-link-scope/main.bicep | 2 +- modules/insights/scheduled-query-rule/main.bicep | 2 +- modules/insights/webtest/main.bicep | 2 +- modules/key-vault/vault/key/main.bicep | 2 +- modules/key-vault/vault/main.bicep | 4 ++-- modules/key-vault/vault/secret/main.bicep | 2 +- modules/logic/workflow/main.bicep | 4 ++-- modules/machine-learning-services/workspace/main.bicep | 4 ++-- modules/maintenance/maintenance-configuration/main.bicep | 2 +- modules/managed-identity/user-assigned-identity/main.bicep | 2 +- modules/net-app/net-app-account/capacity-pool/main.bicep | 2 +- .../net-app/net-app-account/capacity-pool/volume/main.bicep | 2 +- modules/net-app/net-app-account/main.bicep | 2 +- modules/network/application-gateway/main.bicep | 4 ++-- modules/network/application-security-group/main.bicep | 2 +- 
modules/network/azure-firewall/main.bicep | 4 ++-- modules/network/bastion-host/main.bicep | 4 ++-- modules/network/ddos-protection-plan/main.bicep | 2 +- modules/network/dns-forwarding-ruleset/main.bicep | 2 +- modules/network/dns-resolver/main.bicep | 2 +- modules/network/dns-zone/a/main.bicep | 2 +- modules/network/dns-zone/aaaa/main.bicep | 2 +- modules/network/dns-zone/caa/main.bicep | 2 +- modules/network/dns-zone/cname/main.bicep | 2 +- modules/network/dns-zone/main.bicep | 2 +- modules/network/dns-zone/mx/main.bicep | 2 +- modules/network/dns-zone/ns/main.bicep | 2 +- modules/network/dns-zone/ptr/main.bicep | 2 +- modules/network/dns-zone/soa/main.bicep | 2 +- modules/network/dns-zone/srv/main.bicep | 2 +- modules/network/dns-zone/txt/main.bicep | 2 +- modules/network/express-route-circuit/main.bicep | 4 ++-- modules/network/express-route-gateway/main.bicep | 2 +- .../front-door-web-application-firewall-policy/main.bicep | 2 +- modules/network/front-door/main.bicep | 4 ++-- modules/network/ip-group/main.bicep | 2 +- modules/network/load-balancer/main.bicep | 4 ++-- modules/network/local-network-gateway/main.bicep | 2 +- modules/network/nat-gateway/main.bicep | 4 ++-- modules/network/network-interface/main.bicep | 4 ++-- modules/network/network-manager/main.bicep | 2 +- modules/network/network-security-group/main.bicep | 4 ++-- modules/network/network-watcher/main.bicep | 2 +- modules/network/private-dns-zone/a/main.bicep | 2 +- modules/network/private-dns-zone/aaaa/main.bicep | 2 +- modules/network/private-dns-zone/cname/main.bicep | 2 +- modules/network/private-dns-zone/main.bicep | 2 +- modules/network/private-dns-zone/mx/main.bicep | 2 +- modules/network/private-dns-zone/ptr/main.bicep | 2 +- modules/network/private-dns-zone/soa/main.bicep | 2 +- modules/network/private-dns-zone/srv/main.bicep | 2 +- modules/network/private-dns-zone/txt/main.bicep | 2 +- modules/network/private-endpoint/main.bicep | 2 +- modules/network/private-link-service/main.bicep | 
2 +- modules/network/public-ip-address/main.bicep | 4 ++-- modules/network/public-ip-prefix/main.bicep | 2 +- modules/network/route-table/main.bicep | 2 +- modules/network/service-endpoint-policy/main.bicep | 2 +- modules/network/trafficmanagerprofile/main.bicep | 4 ++-- modules/network/virtual-network-gateway/main.bicep | 4 ++-- modules/network/virtual-network/main.bicep | 4 ++-- modules/network/virtual-network/subnet/main.bicep | 2 +- modules/network/virtual-wan/main.bicep | 2 +- modules/network/vpn-site/main.bicep | 2 +- modules/operational-insights/workspace/main.bicep | 4 ++-- modules/power-bi-dedicated/capacity/main.bicep | 2 +- modules/purview/account/main.bicep | 4 ++-- modules/recovery-services/vault/main.bicep | 4 ++-- modules/relay/namespace/hybrid-connection/main.bicep | 2 +- modules/relay/namespace/main.bicep | 4 ++-- modules/relay/namespace/wcf-relay/main.bicep | 2 +- modules/resource-graph/query/main.bicep | 2 +- modules/resources/resource-group/main.bicep | 2 +- modules/search/search-service/main.bicep | 4 ++-- modules/service-bus/namespace/main.bicep | 4 ++-- modules/service-bus/namespace/queue/main.bicep | 2 +- modules/service-bus/namespace/topic/main.bicep | 2 +- modules/service-fabric/cluster/main.bicep | 2 +- modules/signal-r-service/signal-r/main.bicep | 2 +- modules/signal-r-service/web-pub-sub/main.bicep | 2 +- modules/sql/managed-instance/database/main.bicep | 2 +- modules/sql/managed-instance/main.bicep | 4 ++-- modules/sql/server/database/main.bicep | 2 +- modules/sql/server/main.bicep | 2 +- .../storage/storage-account/blob-service/container/main.bicep | 2 +- modules/storage/storage-account/blob-service/main.bicep | 2 +- modules/storage/storage-account/file-service/main.bicep | 2 +- modules/storage/storage-account/file-service/share/main.bicep | 2 +- modules/storage/storage-account/main.bicep | 4 ++-- modules/storage/storage-account/queue-service/main.bicep | 2 +- .../storage/storage-account/queue-service/queue/main.bicep | 2 +- 
modules/storage/storage-account/table-service/main.bicep | 2 +- modules/synapse/private-link-hub/main.bicep | 2 +- modules/synapse/workspace/main.bicep | 4 ++-- modules/virtual-machine-images/image-template/main.bicep | 2 +- modules/web/connection/main.bicep | 2 +- modules/web/hosting-environment/main.bicep | 4 ++-- modules/web/serverfarm/main.bicep | 4 ++-- modules/web/site/main.bicep | 4 ++-- modules/web/site/slot/main.bicep | 4 ++-- modules/web/static-site/main.bicep | 2 +- 157 files changed, 216 insertions(+), 216 deletions(-)
diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep
index a8ded242da..206efc45d4 100644
--- a/modules/aad/domain-service/main.bicep
+++ b/modules/aad/domain-service/main.bicep
@@ -256,7 +256,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -285,7 +285,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep
index ef66dfa060..c0e59767e5 100644
--- a/modules/analysis-services/server/main.bicep
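Review bot: The `@description` kept on `logAnalyticsDestinationType` in the `diagnosticSettingType` hunk ("should use the default destination type, i.e. AzureDiagnostics, or use a destination type") never says what the second option is, and the identical text recurs in every other `diagnosticSettingType` hunk of this commit (analysis-services, api-management, app-configuration, automation, batch, cache, cognitive-services, compute, container-registry, container-service, data-factory and the remaining files). Since the commit already rewrites the line directly below it in each file, this is a cheap moment to replace the description with something like `@description('Optional. Whether Log Analytics export writes to the default AzureDiagnostics table or to resource-specific (Dedicated) tables.')`. The `| null` removal itself is behaviour-preserving because every touched property keeps its `?` nullable marker, so callers that pass null are still accepted. The enclosing `type diagnosticSettingType = {` block starts before and ends after the hunk.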
+++ b/modules/analysis-services/server/main.bicep
@@ -155,7 +155,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -190,7 +190,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep
index 596354a682..fa0858ccb7 100644
--- a/modules/api-management/service/main.bicep
+++ b/modules/api-management/service/main.bicep
@@ -484,7 +484,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -519,7 +519,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep
index 4b902c8093..b70e5fcbb6 100644
--- a/modules/app-configuration/configuration-store/main.bicep
+++ b/modules/app-configuration/configuration-store/main.bicep
@@ -266,7 +266,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -369,7 +369,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep
index 58d88c45dc..9a98840334 100644
--- a/modules/app/container-app/main.bicep
+++ b/modules/app/container-app/main.bicep
@@ -251,7 +251,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep
index 75b067268c..fa8916e80d 100644
--- a/modules/app/job/main.bicep
+++ b/modules/app/job/main.bicep
@@ -181,7 +181,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep
index 18bc3abed7..12fc9772c4 100644
--- a/modules/app/managed-environment/main.bicep
+++ b/modules/app/managed-environment/main.bicep
@@ -187,7 +187,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep
index 69820ae56d..a9f989b9ba 100644
--- a/modules/automation/automation-account/main.bicep
+++ b/modules/automation/automation-account/main.bicep
@@ -415,7 +415,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -518,7 +518,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep
index dc5bad992d..2e71ac72f5 100644
--- a/modules/batch/batch-account/main.bicep
+++ b/modules/batch/batch-account/main.bicep
@@ -285,7 +285,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -388,7 +388,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep
index 609e546bf8..1be629fba1 100644
--- a/modules/cache/redis-enterprise/main.bicep
+++ b/modules/cache/redis-enterprise/main.bicep
@@ -215,7 +215,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -309,7 +309,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep
index edcb269196..e1c36e16c3 100644
--- a/modules/cache/redis/main.bicep
+++ b/modules/cache/redis/main.bicep
@@ -288,7 +288,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -391,7 +391,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep
index b60ee123cd..30ce9173c1 100644
--- a/modules/cdn/profile/main.bicep
+++ b/modules/cdn/profile/main.bicep
@@ -245,7 +245,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep
index 2e1586eec9..d9787e57f4 100644
--- a/modules/cognitive-services/account/main.bicep
+++ b/modules/cognitive-services/account/main.bicep
@@ -351,7 +351,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -454,7 +454,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep
index 81ac15ab0a..d48a10bd65 100644
--- a/modules/compute/availability-set/main.bicep
+++ b/modules/compute/availability-set/main.bicep
@@ -124,7 +124,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep
index 97ee119695..bc9aa12888 100644
--- a/modules/compute/disk-encryption-set/main.bicep
+++ b/modules/compute/disk-encryption-set/main.bicep
@@ -194,7 +194,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep
index 53c193e794..b81bda894c 100644
--- a/modules/compute/disk/main.bicep
+++ b/modules/compute/disk/main.bicep
@@ -248,7 +248,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep
index eda8727a21..f1cf6372c2 100644
--- a/modules/compute/gallery/application/main.bicep
+++ b/modules/compute/gallery/application/main.bicep
@@ -124,7 +124,7 @@ type roleAssignmentType = {
   principalId: string
 
   @sys.description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @sys.description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep
index c46910a248..3f5a724b3c 100644
--- a/modules/compute/gallery/image/main.bicep
+++ b/modules/compute/gallery/image/main.bicep
@@ -247,7 +247,7 @@ type roleAssignmentType = {
   principalId: string
 
   @sys.description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @sys.description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep
index 0a284f8096..5d9a951fa4 100644
--- a/modules/compute/gallery/main.bicep
+++ b/modules/compute/gallery/main.bicep
@@ -169,7 +169,7 @@ type roleAssignmentType = {
   principalId: string
 
   @sys.description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @sys.description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep
index 2fedc3882d..f83ef220ab 100644
--- a/modules/compute/image/main.bicep
+++ b/modules/compute/image/main.bicep
@@ -154,7 +154,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep
index d8c925de6f..f2f76a2216 100644
--- a/modules/compute/proximity-placement-group/main.bicep
+++ b/modules/compute/proximity-placement-group/main.bicep
@@ -123,7 +123,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/ssh-public-key/main.bicep b/modules/compute/ssh-public-key/main.bicep
index 0d5e181de1..42728721ff 100644
--- a/modules/compute/ssh-public-key/main.bicep
+++ b/modules/compute/ssh-public-key/main.bicep
@@ -109,7 +109,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep
index e7a0a46271..729b03a4d6 100644
--- a/modules/compute/virtual-machine-scale-set/main.bicep
+++ b/modules/compute/virtual-machine-scale-set/main.bicep
@@ -681,7 +681,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -707,7 +707,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep
index 0fa3b644a9..b7b7bf73f7 100644
--- a/modules/compute/virtual-machine/main.bicep
+++ b/modules/compute/virtual-machine/main.bicep
@@ -717,7 +717,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
@@ -752,7 +752,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep
index 133483d231..3126ee1dfb 100644
--- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep
+++ b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep
@@ -105,7 +105,7 @@ type diagnosticSettingType = {
   }[]?
 
   @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
   @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
   workspaceResourceId: string?
@@ -131,7 +131,7 @@ type roleAssignmentType = {
   principalId: string
 
   @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
   @description('Optional. The description of the role assignment.')
   description: string?
diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep
index 57b8409f5c..e3caf83543 100644
--- a/modules/container-registry/registry/main.bicep
+++ b/modules/container-registry/registry/main.bicep
@@ -407,7 +407,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -510,7 +510,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep
index 5808b8d313..aa3216df86 100644
--- a/modules/container-service/managed-cluster/main.bicep
+++ b/modules/container-service/managed-cluster/main.bicep
@@ -754,7 +754,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -789,7 +789,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep
index 810d6c0200..b4349faede 100644
--- a/modules/data-factory/factory/main.bicep
+++ b/modules/data-factory/factory/main.bicep
@@ -294,7 +294,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -397,7 +397,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep
index 63aa54ac3d..942fbcfb34 100644
--- a/modules/data-protection/backup-vault/main.bicep
+++ b/modules/data-protection/backup-vault/main.bicep
@@ -179,7 +179,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep
index 4f0c6ed5bc..fb3f08ef21 100644
--- a/modules/databricks/access-connector/main.bicep
+++ b/modules/databricks/access-connector/main.bicep
@@ -124,7 +124,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep
index 3689a37f95..524ab6c616 100644
--- a/modules/databricks/workspace/main.bicep
+++ b/modules/databricks/workspace/main.bicep
@@ -340,7 +340,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -437,7 +437,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep
index 26fabc722a..7175e8e5d5 100644
--- a/modules/db-for-my-sql/flexible-server/main.bicep
+++ b/modules/db-for-my-sql/flexible-server/main.bicep
@@ -391,7 +391,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -426,7 +426,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep
index e8457897dd..1645d32791 100644
--- a/modules/db-for-postgre-sql/flexible-server/main.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/main.bicep
@@ -386,7 +386,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -421,7 +421,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep
index 1e18d25925..390e74da2f 100644
--- a/modules/desktop-virtualization/application-group/main.bicep
+++ b/modules/desktop-virtualization/application-group/main.bicep
@@ -186,7 +186,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
@@ -215,7 +215,7 @@ type diagnosticSettingType = {
 }[]?
 
 @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep
index 031b3b5b9e..228901fa8d 100644
--- a/modules/desktop-virtualization/host-pool/main.bicep
+++ b/modules/desktop-virtualization/host-pool/main.bicep
@@ -295,7 +295,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
@@ -324,7 +324,7 @@ type diagnosticSettingType = {
 }[]?
 
 @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep
index 51d609016c..1f9734fb0a 100644
--- a/modules/desktop-virtualization/scaling-plan/main.bicep
+++ b/modules/desktop-virtualization/scaling-plan/main.bicep
@@ -189,7 +189,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
@@ -218,7 +218,7 @@ type diagnosticSettingType = {
 }[]?
 
 @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep
index f566fe1e80..36963fc0af 100644
--- a/modules/desktop-virtualization/workspace/main.bicep
+++ b/modules/desktop-virtualization/workspace/main.bicep
@@ -151,7 +151,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
@@ -180,7 +180,7 @@ type diagnosticSettingType = {
 }[]?
 
 @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep
index 1b54432e6d..c50c60e192 100644
--- a/modules/dev-test-lab/lab/main.bicep
+++ b/modules/dev-test-lab/lab/main.bicep
@@ -349,7 +349,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep
index 6db0117957..39749fa29a 100644
--- a/modules/digital-twins/digital-twins-instance/main.bicep
+++ b/modules/digital-twins/digital-twins-instance/main.bicep
@@ -249,7 +249,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -352,7 +352,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep
index 0920e0acfa..020db1ee9a 100644
--- a/modules/document-db/database-account/main.bicep
+++ b/modules/document-db/database-account/main.bicep
@@ -381,7 +381,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -484,7 +484,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/event-grid/domain/main.bicep b/modules/event-grid/domain/main.bicep
index 4652a9ba5c..5177d56cf2 100644
--- a/modules/event-grid/domain/main.bicep
+++ b/modules/event-grid/domain/main.bicep
@@ -199,7 +199,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -302,7 +302,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep
index 53d77af4ab..c50e27ec8c 100644
--- a/modules/event-grid/system-topic/main.bicep
+++ b/modules/event-grid/system-topic/main.bicep
@@ -189,7 +189,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -224,7 +224,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/event-grid/topic/main.bicep b/modules/event-grid/topic/main.bicep
index 9f249e8028..440efefed8 100644
--- a/modules/event-grid/topic/main.bicep
+++ b/modules/event-grid/topic/main.bicep
@@ -201,7 +201,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -304,7 +304,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep
index 466bc57c36..3c35bc5d6a 100644
--- a/modules/event-hub/namespace/eventhub/main.bicep
+++ b/modules/event-hub/namespace/eventhub/main.bicep
@@ -253,7 +253,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep
index 03215a757f..8b741c99ca 100644
--- a/modules/event-hub/namespace/main.bicep
+++ b/modules/event-hub/namespace/main.bicep
@@ -373,7 +373,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -476,7 +476,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep
index 4d5164ac7f..1413b01d36 100644
--- a/modules/health-bot/health-bot/main.bicep
+++ b/modules/health-bot/health-bot/main.bicep
@@ -129,7 +129,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep
index 16112998b7..2d4da12b7d 100644
--- a/modules/healthcare-apis/workspace/dicomservice/main.bicep
+++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep
@@ -191,7 +191,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep
index 68fef37742..824391deaa 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.bicep
+++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep
@@ -293,7 +293,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -328,7 +328,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep
index b5aab3e434..f50c6d9c64 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.bicep
+++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep
@@ -201,7 +201,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep
index 454b86f22e..dae1a76439 100644
--- a/modules/healthcare-apis/workspace/main.bicep
+++ b/modules/healthcare-apis/workspace/main.bicep
@@ -211,7 +211,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/action-group/main.bicep b/modules/insights/action-group/main.bicep
index 9d339fd670..bca49be2f7 100644
--- a/modules/insights/action-group/main.bicep
+++ b/modules/insights/action-group/main.bicep
@@ -130,7 +130,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep
index 349e2184db..98263ac6db 100644
--- a/modules/insights/activity-log-alert/main.bicep
+++ b/modules/insights/activity-log-alert/main.bicep
@@ -113,7 +113,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/component/main.bicep b/modules/insights/component/main.bicep
index 5ca3a75e6b..801e9eb20a 100644
--- a/modules/insights/component/main.bicep
+++ b/modules/insights/component/main.bicep
@@ -169,7 +169,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -204,7 +204,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep
index 6b3fa4325e..e6e65306b7 100644
--- a/modules/insights/data-collection-endpoint/main.bicep
+++ b/modules/insights/data-collection-endpoint/main.bicep
@@ -133,7 +133,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep
index 8e8be03130..14cb3af5b9 100644
--- a/modules/insights/data-collection-rule/main.bicep
+++ b/modules/insights/data-collection-rule/main.bicep
@@ -147,7 +147,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep
index 992795ba50..3dad0cc566 100644
--- a/modules/insights/metric-alert/main.bicep
+++ b/modules/insights/metric-alert/main.bicep
@@ -168,7 +168,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
index 608103ca13..1a4c327c37 100644
--- a/modules/insights/private-link-scope/main.bicep
+++ b/modules/insights/private-link-scope/main.bicep
@@ -145,7 +145,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep
index 27e644b9bb..2d4ac0bd58 100644
--- a/modules/insights/scheduled-query-rule/main.bicep
+++ b/modules/insights/scheduled-query-rule/main.bicep
@@ -153,7 +153,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep
index 543f21664c..7f464360ba 100644
--- a/modules/insights/webtest/main.bicep
+++ b/modules/insights/webtest/main.bicep
@@ -172,7 +172,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/key-vault/vault/key/main.bicep b/modules/key-vault/vault/key/main.bicep
index 762341e837..21a15d15f2 100644
--- a/modules/key-vault/vault/key/main.bicep
+++ b/modules/key-vault/vault/key/main.bicep
@@ -147,7 +147,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index 1917a0e8ec..f26fb09a52 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -313,7 +313,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -416,7 +416,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/key-vault/vault/secret/main.bicep b/modules/key-vault/vault/secret/main.bicep
index a8c2c954d7..c58f6f645b 100644
--- a/modules/key-vault/vault/secret/main.bicep
+++ b/modules/key-vault/vault/secret/main.bicep
@@ -117,7 +117,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep
index 825fc736ca..1255b34450 100644
--- a/modules/logic/workflow/main.bicep
+++ b/modules/logic/workflow/main.bicep
@@ -235,7 +235,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -270,7 +270,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep
index 8225693123..7580478dc4 100644
--- a/modules/machine-learning-services/workspace/main.bicep
+++ b/modules/machine-learning-services/workspace/main.bicep
@@ -327,7 +327,7 @@ type roleAssignmentType = {
 principalId: string
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @sys.description('Optional. The description of the role assignment.')
 description: string?
@@ -419,7 +419,7 @@ type diagnosticSettingType = {
 }[]?
 @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep
index e7e84e9106..d3cf44d377 100644
--- a/modules/maintenance/maintenance-configuration/main.bicep
+++ b/modules/maintenance/maintenance-configuration/main.bicep
@@ -153,7 +153,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep
index 16903d6423..ff35c43d96 100644
--- a/modules/managed-identity/user-assigned-identity/main.bicep
+++ b/modules/managed-identity/user-assigned-identity/main.bicep
@@ -126,7 +126,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep
index 8b1910526a..654d1e8af8 100644
--- a/modules/net-app/net-app-account/capacity-pool/main.bicep
+++ b/modules/net-app/net-app-account/capacity-pool/main.bicep
@@ -148,7 +148,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
index 317947161f..71e47b1ad4 100644
--- a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
+++ b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
@@ -125,7 +125,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep
index 4017285445..406a2cf99c 100644
--- a/modules/net-app/net-app-account/main.bicep
+++ b/modules/net-app/net-app-account/main.bicep
@@ -173,7 +173,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep
index c789cca2f4..2b76bfc065 100644
--- a/modules/network/application-gateway/main.bicep
+++ b/modules/network/application-gateway/main.bicep
@@ -406,7 +406,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -509,7 +509,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep
index 3a60c91a26..55bacf2d7e 100644
--- a/modules/network/application-security-group/main.bicep
+++ b/modules/network/application-security-group/main.bicep
@@ -102,7 +102,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep
index 972abf72ac..d6e785f395 100644
--- a/modules/network/azure-firewall/main.bicep
+++ b/modules/network/azure-firewall/main.bicep
@@ -327,7 +327,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -362,7 +362,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep
index 2761e76455..8877a5af1d 100644
--- a/modules/network/bastion-host/main.bicep
+++ b/modules/network/bastion-host/main.bicep
@@ -222,7 +222,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -251,7 +251,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep
index 94e9b8b8d2..71111c0e8f 100644
--- a/modules/network/ddos-protection-plan/main.bicep
+++ b/modules/network/ddos-protection-plan/main.bicep
@@ -103,7 +103,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-forwarding-ruleset/main.bicep b/modules/network/dns-forwarding-ruleset/main.bicep
index 08d813c8ac..d54a554eed 100644
--- a/modules/network/dns-forwarding-ruleset/main.bicep
+++ b/modules/network/dns-forwarding-ruleset/main.bicep
@@ -139,7 +139,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-resolver/main.bicep b/modules/network/dns-resolver/main.bicep
index 01824b9031..b733320a97 100644
--- a/modules/network/dns-resolver/main.bicep
+++ b/modules/network/dns-resolver/main.bicep
@@ -150,7 +150,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/a/main.bicep b/modules/network/dns-zone/a/main.bicep
index 458ec8ad2a..8f75c9d10e 100644
--- a/modules/network/dns-zone/a/main.bicep
+++ b/modules/network/dns-zone/a/main.bicep
@@ -103,7 +103,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/aaaa/main.bicep b/modules/network/dns-zone/aaaa/main.bicep
index 8156688cdd..a0d88a4f60 100644
--- a/modules/network/dns-zone/aaaa/main.bicep
+++ b/modules/network/dns-zone/aaaa/main.bicep
@@ -103,7 +103,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/caa/main.bicep b/modules/network/dns-zone/caa/main.bicep
index 789edca66f..5456341ee7 100644
--- a/modules/network/dns-zone/caa/main.bicep
+++ b/modules/network/dns-zone/caa/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/cname/main.bicep b/modules/network/dns-zone/cname/main.bicep
index 251924db52..db68c48d7f 100644
--- a/modules/network/dns-zone/cname/main.bicep
+++ b/modules/network/dns-zone/cname/main.bicep
@@ -103,7 +103,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/main.bicep b/modules/network/dns-zone/main.bicep
index 4babf6c81c..c5b7880355 100644
--- a/modules/network/dns-zone/main.bicep
+++ b/modules/network/dns-zone/main.bicep
@@ -277,7 +277,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/mx/main.bicep b/modules/network/dns-zone/mx/main.bicep
index 6814f1c3a1..710a244cd3 100644
--- a/modules/network/dns-zone/mx/main.bicep
+++ b/modules/network/dns-zone/mx/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/ns/main.bicep b/modules/network/dns-zone/ns/main.bicep
index 3964d72597..a3a98d5302 100644
--- a/modules/network/dns-zone/ns/main.bicep
+++ b/modules/network/dns-zone/ns/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/ptr/main.bicep b/modules/network/dns-zone/ptr/main.bicep
index ed72b8e283..3363462440 100644
--- a/modules/network/dns-zone/ptr/main.bicep
+++ b/modules/network/dns-zone/ptr/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/soa/main.bicep b/modules/network/dns-zone/soa/main.bicep
index 64b31163cc..6a7fbe7acf 100644
--- a/modules/network/dns-zone/soa/main.bicep
+++ b/modules/network/dns-zone/soa/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/srv/main.bicep b/modules/network/dns-zone/srv/main.bicep
index 87d1466c0d..c56b257c59 100644
--- a/modules/network/dns-zone/srv/main.bicep
+++ b/modules/network/dns-zone/srv/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/dns-zone/txt/main.bicep b/modules/network/dns-zone/txt/main.bicep
index 0a3b81aabb..f2ceb2c1ac 100644
--- a/modules/network/dns-zone/txt/main.bicep
+++ b/modules/network/dns-zone/txt/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep
index 15ee9e0804..8318922213 100644
--- a/modules/network/express-route-circuit/main.bicep
+++ b/modules/network/express-route-circuit/main.bicep
@@ -228,7 +228,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -263,7 +263,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep
index 91534744a2..811d433d11 100644
--- a/modules/network/express-route-gateway/main.bicep
+++ b/modules/network/express-route-gateway/main.bicep
@@ -130,7 +130,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep
index 9ba8e942e5..2cf41330a7 100644
--- a/modules/network/front-door-web-application-firewall-policy/main.bicep
+++ b/modules/network/front-door-web-application-firewall-policy/main.bicep
@@ -164,7 +164,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep
index f733e394ef..f9cc41e08a 100644
--- a/modules/network/front-door/main.bicep
+++ b/modules/network/front-door/main.bicep
@@ -171,7 +171,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -206,7 +206,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep
index ae0ca58c7d..3e14ba223f 100644
--- a/modules/network/ip-group/main.bicep
+++ b/modules/network/ip-group/main.bicep
@@ -109,7 +109,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/load-balancer/main.bicep b/modules/network/load-balancer/main.bicep
index 13908c3b92..c3d1c82794 100644
--- a/modules/network/load-balancer/main.bicep
+++ b/modules/network/load-balancer/main.bicep
@@ -277,7 +277,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -303,7 +303,7 @@ type diagnosticSettingType = {
 }[]?
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep
index 9b0a6ff32a..766ac4eb10 100644
--- a/modules/network/local-network-gateway/main.bicep
+++ b/modules/network/local-network-gateway/main.bicep
@@ -135,7 +135,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep
index 566fc8757d..b3aab1a660 100644
--- a/modules/network/nat-gateway/main.bicep
+++ b/modules/network/nat-gateway/main.bicep
@@ -182,7 +182,7 @@ type roleAssignmentType = {
 principalId: string
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -217,7 +217,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/network-interface/main.bicep b/modules/network/network-interface/main.bicep
index 0b25219983..069ad203c6 100644
--- a/modules/network/network-interface/main.bicep
+++ b/modules/network/network-interface/main.bicep
@@ -195,7 +195,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -221,7 +221,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep
index 55507d68ee..4fc57260bd 100644
--- a/modules/network/network-manager/main.bicep
+++ b/modules/network/network-manager/main.bicep
@@ -185,7 +185,7 @@ type roleAssignmentType = {
 principalId: string
 
 @sys.description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @sys.description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep
index df34e44b6c..83928e9024 100644
--- a/modules/network/network-security-group/main.bicep
+++ b/modules/network/network-security-group/main.bicep
@@ -179,7 +179,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -208,7 +208,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep
index 4ca2b00db7..6ee4903f61 100644
--- a/modules/network/network-watcher/main.bicep
+++ b/modules/network/network-watcher/main.bicep
@@ -142,7 +142,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/a/main.bicep b/modules/network/private-dns-zone/a/main.bicep
index 103ed79f76..14ed4d1909 100644
--- a/modules/network/private-dns-zone/a/main.bicep
+++ b/modules/network/private-dns-zone/a/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/aaaa/main.bicep b/modules/network/private-dns-zone/aaaa/main.bicep
index 6e1c76213b..d36d381db7 100644
--- a/modules/network/private-dns-zone/aaaa/main.bicep
+++ b/modules/network/private-dns-zone/aaaa/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/cname/main.bicep b/modules/network/private-dns-zone/cname/main.bicep
index cd53e7ee37..10ca076674 100644
--- a/modules/network/private-dns-zone/cname/main.bicep
+++ b/modules/network/private-dns-zone/cname/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/main.bicep b/modules/network/private-dns-zone/main.bicep
index 818c516dd5..e1ee451d5a 100644
--- a/modules/network/private-dns-zone/main.bicep
+++ b/modules/network/private-dns-zone/main.bicep
@@ -253,7 +253,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/mx/main.bicep b/modules/network/private-dns-zone/mx/main.bicep
index b98ddcd479..1937467d66 100644
--- a/modules/network/private-dns-zone/mx/main.bicep
+++ b/modules/network/private-dns-zone/mx/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/ptr/main.bicep b/modules/network/private-dns-zone/ptr/main.bicep
index 60c40c86c6..2b4094fee9 100644
--- a/modules/network/private-dns-zone/ptr/main.bicep
+++ b/modules/network/private-dns-zone/ptr/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/soa/main.bicep b/modules/network/private-dns-zone/soa/main.bicep
index 74f46f53c7..5661f96a86 100644
--- a/modules/network/private-dns-zone/soa/main.bicep
+++ b/modules/network/private-dns-zone/soa/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/srv/main.bicep b/modules/network/private-dns-zone/srv/main.bicep
index 7857e20730..aa5a1a95e1 100644
--- a/modules/network/private-dns-zone/srv/main.bicep
+++ b/modules/network/private-dns-zone/srv/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-dns-zone/txt/main.bicep b/modules/network/private-dns-zone/txt/main.bicep
index cc07200f18..afbe9ae0f9 100644
--- a/modules/network/private-dns-zone/txt/main.bicep
+++ b/modules/network/private-dns-zone/txt/main.bicep
@@ -97,7 +97,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index be29744cd6..1c5e1df2d1 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -161,7 +161,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep
index 4691ab09c6..6146a225bf 100644
--- a/modules/network/private-link-service/main.bicep
+++ b/modules/network/private-link-service/main.bicep
@@ -136,7 +136,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/public-ip-address/main.bicep b/modules/network/public-ip-address/main.bicep
index f907565f45..46fd1decb2 100644
--- a/modules/network/public-ip-address/main.bicep
+++ b/modules/network/public-ip-address/main.bicep
@@ -207,7 +207,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -242,7 +242,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep
index 067b299025..5261690b6d 100644
--- a/modules/network/public-ip-prefix/main.bicep
+++ b/modules/network/public-ip-prefix/main.bicep
@@ -119,7 +119,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/route-table/main.bicep b/modules/network/route-table/main.bicep
index 8a416fcc21..3db1e9d17f 100644
--- a/modules/network/route-table/main.bicep
+++ b/modules/network/route-table/main.bicep
@@ -112,7 +112,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep
index 09d59d58a5..c0183b63f9 100644
--- a/modules/network/service-endpoint-policy/main.bicep
+++ b/modules/network/service-endpoint-policy/main.bicep
@@ -116,7 +116,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep
index fb034877ba..66238ec4dd 100644
--- a/modules/network/trafficmanagerprofile/main.bicep
+++ b/modules/network/trafficmanagerprofile/main.bicep
@@ -183,7 +183,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -218,7 +218,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep
index 6977268079..b561f87fac 100644
--- a/modules/network/virtual-network-gateway/main.bicep
+++ b/modules/network/virtual-network-gateway/main.bicep
@@ -423,7 +423,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -458,7 +458,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep
index 9e46d65ae8..0a4003d1e5 100644
--- a/modules/network/virtual-network/main.bicep
+++ b/modules/network/virtual-network/main.bicep
@@ -275,7 +275,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -310,7 +310,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/network/virtual-network/subnet/main.bicep b/modules/network/virtual-network/subnet/main.bicep
index a6ae7b85b1..5f0fadf82e 100644
--- a/modules/network/virtual-network/subnet/main.bicep
+++ b/modules/network/virtual-network/subnet/main.bicep
@@ -150,7 +150,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep
index b3d6f04fbe..6d3f3fe0b0 100644
--- a/modules/network/virtual-wan/main.bicep
+++ b/modules/network/virtual-wan/main.bicep
@@ -124,7 +124,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep
index a43605ce50..cb5c422359 100644
--- a/modules/network/vpn-site/main.bicep
+++ b/modules/network/vpn-site/main.bicep
@@ -140,7 +140,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep
index 437e5c9730..b113cca2ef 100644
--- a/modules/operational-insights/workspace/main.bicep
+++ b/modules/operational-insights/workspace/main.bicep
@@ -362,7 +362,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -397,7 +397,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/power-bi-dedicated/capacity/main.bicep b/modules/power-bi-dedicated/capacity/main.bicep
index d9124fb750..c155245138 100644
--- a/modules/power-bi-dedicated/capacity/main.bicep
+++ b/modules/power-bi-dedicated/capacity/main.bicep
@@ -146,7 +146,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep
index ee9cf3a810..a28e08ac68 100644
--- a/modules/purview/account/main.bicep
+++ b/modules/purview/account/main.bicep
@@ -320,7 +320,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -355,7 +355,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
index 4c2854b7be..8d7e59d2c8 100644
--- a/modules/recovery-services/vault/main.bicep
+++ b/modules/recovery-services/vault/main.bicep
@@ -323,7 +323,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -426,7 +426,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep
index 0ba09b0cec..26c75f7734 100644
--- a/modules/relay/namespace/hybrid-connection/main.bicep
+++ b/modules/relay/namespace/hybrid-connection/main.bicep
@@ -152,7 +152,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep
index 44102bc7d9..6f02fe6c2f 100644
--- a/modules/relay/namespace/main.bicep
+++ b/modules/relay/namespace/main.bicep
@@ -284,7 +284,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -387,7 +387,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep
index 0840630c10..b550e525f9 100644
--- a/modules/relay/namespace/wcf-relay/main.bicep
+++ b/modules/relay/namespace/wcf-relay/main.bicep
@@ -164,7 +164,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep
index 4cceeecad1..e4e5472ea4 100644
--- a/modules/resource-graph/query/main.bicep
+++ b/modules/resource-graph/query/main.bicep
@@ -111,7 +111,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep
index 0c6c874c06..b4d65b905a 100644
--- a/modules/resources/resource-group/main.bicep
+++ b/modules/resources/resource-group/main.bicep
@@ -110,7 +110,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
diff --git a/modules/search/search-service/main.bicep b/modules/search/search-service/main.bicep
index 4806de883c..8f044e1609 100644
--- a/modules/search/search-service/main.bicep
+++ b/modules/search/search-service/main.bicep
@@ -282,7 +282,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -385,7 +385,7 @@ type diagnosticSettingType = {
 }[]?
 
 @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
- logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
+ logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
 
 @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
 workspaceResourceId: string?
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index 612cabf621..0d89d80fcd 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -419,7 +419,7 @@ type roleAssignmentType = {
 principalId: string
 
 @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
 
 @description('Optional. The description of the role assignment.')
 description: string?
@@ -522,7 +522,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index 025c199199..a4ab68d0ba 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep @@ -209,7 +209,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 37e7d88fc2..7aba25aa34 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep @@ -189,7 +189,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep index 929b22eb40..86f0780b18 100644 --- a/modules/service-fabric/cluster/main.bicep +++ b/modules/service-fabric/cluster/main.bicep @@ -357,7 +357,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index bb0bf8acab..59510d3f23 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep @@ -254,7 +254,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 2bc0931bec..498399f795 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep @@ -234,7 +234,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
diff --git a/modules/sql/managed-instance/database/main.bicep b/modules/sql/managed-instance/database/main.bicep index 897d60d2fd..d48ab2e7e9 100644 --- a/modules/sql/managed-instance/database/main.bicep +++ b/modules/sql/managed-instance/database/main.bicep @@ -194,7 +194,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index 27a246ada0..92575bb945 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep @@ -397,7 +397,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
@@ -432,7 +432,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/sql/server/database/main.bicep b/modules/sql/server/database/main.bicep index f1943a2c02..606a2a7151 100644 --- a/modules/sql/server/database/main.bicep +++ b/modules/sql/server/database/main.bicep @@ -264,7 +264,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index 512607268e..8c0e156126 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep 
@@ -380,7 +380,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/storage/storage-account/blob-service/container/main.bicep b/modules/storage/storage-account/blob-service/container/main.bicep index ea6fe48136..7326ed40c4 100644 --- a/modules/storage/storage-account/blob-service/container/main.bicep +++ b/modules/storage/storage-account/blob-service/container/main.bicep @@ -156,7 +156,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/storage/storage-account/blob-service/main.bicep b/modules/storage/storage-account/blob-service/main.bicep index 26a94e3b66..21f02d6049 100644 --- a/modules/storage/storage-account/blob-service/main.bicep +++ b/modules/storage/storage-account/blob-service/main.bicep 
@@ -200,7 +200,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/storage/storage-account/file-service/main.bicep b/modules/storage/storage-account/file-service/main.bicep index 040c3f2583..78cd4e4df7 100644 --- a/modules/storage/storage-account/file-service/main.bicep +++ b/modules/storage/storage-account/file-service/main.bicep @@ -129,7 +129,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep index 1bf50b97a8..656058fb92 100644 --- a/modules/storage/storage-account/file-service/share/main.bicep +++ b/modules/storage/storage-account/file-service/share/main.bicep 
@@ -135,7 +135,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index 606556391a..c28a23f64e 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep @@ -504,7 +504,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? @@ -598,7 +598,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/storage/storage-account/queue-service/main.bicep b/modules/storage/storage-account/queue-service/main.bicep index 680a52c332..6bd363d8fb 100644 --- a/modules/storage/storage-account/queue-service/main.bicep +++ b/modules/storage/storage-account/queue-service/main.bicep 
@@ -111,7 +111,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/storage/storage-account/queue-service/queue/main.bicep b/modules/storage/storage-account/queue-service/queue/main.bicep index 33dcb6732a..bb2ee92dcd 100644 --- a/modules/storage/storage-account/queue-service/queue/main.bicep +++ b/modules/storage/storage-account/queue-service/queue/main.bicep @@ -105,7 +105,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/storage/storage-account/table-service/main.bicep b/modules/storage/storage-account/table-service/main.bicep index 3780974090..c200aa9314 100644 --- a/modules/storage/storage-account/table-service/main.bicep +++ b/modules/storage/storage-account/table-service/main.bicep 
@@ -109,7 +109,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep index 8329852e52..63beeebac2 100644 --- a/modules/synapse/private-link-hub/main.bicep +++ b/modules/synapse/private-link-hub/main.bicep @@ -133,7 +133,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 3eaad04764..a73a3c42f8 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep @@ -337,7 +337,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
@@ -434,7 +434,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep index c3def8cd69..fe3615ab8a 100644 --- a/modules/virtual-machine-images/image-template/main.bicep +++ b/modules/virtual-machine-images/image-template/main.bicep @@ -246,7 +246,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep index bfa55bc54f..96bb44f427 100644 --- a/modules/web/connection/main.bicep +++ b/modules/web/connection/main.bicep @@ -133,7 +133,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index a6a4c565b2..e072a5031d 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep @@ -276,7 +276,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? @@ -305,7 +305,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index 856f2cc3cd..f8985d59b1 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -193,7 +193,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? 
@@ -219,7 +219,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index b2ac05d214..e6b77ab84f 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -437,7 +437,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? @@ -540,7 +540,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index e3366e3150..18f9139fec 100644 --- a/modules/web/site/slot/main.bicep 
+++ b/modules/web/site/slot/main.bicep @@ -370,7 +370,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? @@ -473,7 +473,7 @@ type diagnosticSettingType = { }[]? @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)? + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') workspaceResourceId: string? diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 990e85fc4a..0446884227 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep @@ -271,7 +271,7 @@ type roleAssignmentType = { principalId: string @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)? + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? @description('Optional. The description of the role assignment.') description: string? From e3ca3d15cc67cfe6d35c2577a6048da2292b14ee Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 13 Nov 2023 16:25:22 +1100 Subject: [PATCH 095/178] [Modules] New Child Module for Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies (#4215) * add website slot basic pub cred policy * update * update * update * update * update * update * update * update --------- Co-authored-by: Tao Yang --- modules/web/site/README.md | 45 ++++- modules/web/site/main.bicep | 4 +- modules/web/site/main.json | 167 +++++++++++++++- modules/web/site/slot/README.md | 9 + .../README.md | 99 ++++++++++ .../main.bicep | 66 +++++++ .../main.json | 114 +++++++++++ .../version.json | 7 + modules/web/site/slot/main.bicep | 13 ++ modules/web/site/slot/main.json | 179 ++++++++++++++++-- .../tests/e2e/webAppCommon/main.test.bicep | 22 ++- 11 files changed, 701 insertions(+), 24 deletions(-) create mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/README.md create mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/main.bicep create mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/main.json create mode 100644 modules/web/site/slot/basic-publishing-credentials-policy/version.json diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 01f8e38e34..491ed806e0 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -25,6 +25,7 @@ This module deploys a Web or Function App. | `Microsoft.Web/sites/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/hybridConnectionNamespaces/relays) | | `Microsoft.Web/sites/slots` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots) | +| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) | @@ -472,11 +473,11 @@ module site 'br:bicep/modules/web.site:1.0.0' = { // Non-required parameters basicPublishingCredentialsPolicies: [ { - allow: true + allow: false name: 'ftp' } { - allow: true + allow: false name: 'scm' } ] @@ -545,6 +546,16 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } slots: [ { + basicPublishingCredentialsPolicies: [ + { + allow: false + name: 'ftp' + } + { + allow: false + name: 'scm' + } + ] diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -592,6 +603,14 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } } { + basicPublishingCredentialsPolicies: [ + { + name: 'ftp' + } + { + name: 'scm' + } + ] name: 'slot2' } ] @@ -628,11 +647,11 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "basicPublishingCredentialsPolicies": { "value": [ { - "allow": true, + "allow": false, "name": "ftp" }, { - "allow": true, + "allow": false, "name": "scm" } ] 
@@ -725,6 +744,16 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "slots": { "value": [ { + "basicPublishingCredentialsPolicies": [ + { + "allow": false, + "name": "ftp" + }, + { + "allow": false, + "name": "scm" + } + ], "diagnosticSettings": [ { "eventHubAuthorizationRuleResourceId": "", @@ -772,6 +801,14 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } }, { + "basicPublishingCredentialsPolicies": [ + { + "name": "ftp" + }, + { + "name": "scm" + } + ], "name": "slot2" } ] diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index e6b77ab84f..6803c41fc8 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -268,6 +268,7 @@ module app_slots 'slot/main.bicep' = [for (slot, index) in slots: { diagnosticSettings: slot.?diagnosticSettings roleAssignments: contains(slot, 'roleAssignments') ? slot.roleAssignments : roleAssignments appSettingsKeyValuePairs: contains(slot, 'appSettingsKeyValuePairs') ? slot.appSettingsKeyValuePairs : appSettingsKeyValuePairs + basicPublishingCredentialsPolicies: contains(slot, 'basicPublishingCredentialsPolicies') ? slot.basicPublishingCredentialsPolicies : basicPublishingCredentialsPolicies lock: slot.?lock ?? lock privateEndpoints: contains(slot, 'privateEndpoints') ? slot.privateEndpoints : privateEndpoints tags: slot.?tags ?? tags 
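Review bot: The new `basicPublishingCredentialsPolicies` line in `app_slots` makes every slot inherit the site-level policy list whenever the slot object does not carry its own, which is a behavioural choice worth recording next to the line since nothing in the hunk explains it; a comment such as `// Slots inherit the site-level publishing credential policies unless they declare their own list` would do. It also mixes styles with the neighbouring `lock: slot.?lock ?? lock` and `tags: slot.?tags ?? tags` lines; `slot.?basicPublishingCredentialsPolicies ?? basicPublishingCredentialsPolicies` would read the same way, though the `contains(...)` form does match the `roleAssignments` and `appSettingsKeyValuePairs` lines directly above it, so either choice is defensible as long as it is applied consistently. The `app_slots` module declaration starts and ends outside this hunk.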
@@ -291,10 +292,11 @@ module app_slots 'slot/main.bicep' = [for (slot, index) in slots: { }] module app_basicPublishingCredentialsPolicies 'basic-publishing-credentials-policy/main.bicep' = [for (basicPublishingCredentialsPolicy, index) in basicPublishingCredentialsPolicies: { - name: '${uniqueString(deployment().name, location)}-Site-Publis-Cred-${index}' + name: '${uniqueString(deployment().name, location)}-Site-Publish-Cred-${index}' params: { webAppName: app.name name: basicPublishingCredentialsPolicy.name + allow: contains(basicPublishingCredentialsPolicy, 'allow') ? basicPublishingCredentialsPolicy.allow : null enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 4358ab448c..45a572bcb1 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18196957481129520546" + "templateHash": "8496123525886789404" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
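Review bot: The added `allow: contains(basicPublishingCredentialsPolicy, 'allow') ? basicPublishingCredentialsPolicy.allow : null` line hands `null` to the child module when a caller names a method without an `allow` value, and the child template further down in this same diff declares `allow` as a bool with `defaultValue: true`, so an entry that only says `name: 'scm'` or `name: 'ftp'` ends up enabling that publishing method (assuming ARM substitutes the default for a null parameter value, which the README's `slot2` example appears to rely on). Since the resource exists to disable basic publishing credentials, that fall-through deserves a comment at the line, e.g. `// Omitting 'allow' falls through to the child default (true): the method is enabled, not disabled`, and the same caveat belongs in the parameter description so the permissive default is visible to callers. The same pattern is emitted for the slot-level copy in `slot_basicPublishingCredentialsPolicies` in `modules/web/site/main.json`.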
@@ -1173,6 +1173,7 @@ }, "roleAssignments": "[if(contains(parameters('slots')[copyIndex()], 'roleAssignments'), createObject('value', parameters('slots')[copyIndex()].roleAssignments), createObject('value', parameters('roleAssignments')))]", "appSettingsKeyValuePairs": "[if(contains(parameters('slots')[copyIndex()], 'appSettingsKeyValuePairs'), createObject('value', parameters('slots')[copyIndex()].appSettingsKeyValuePairs), createObject('value', parameters('appSettingsKeyValuePairs')))]", + "basicPublishingCredentialsPolicies": "[if(contains(parameters('slots')[copyIndex()], 'basicPublishingCredentialsPolicies'), createObject('value', parameters('slots')[copyIndex()].basicPublishingCredentialsPolicies), createObject('value', parameters('basicPublishingCredentialsPolicies')))]", "lock": { "value": "[coalesce(tryGet(parameters('slots')[copyIndex()], 'lock'), parameters('lock'))]" }, @@ -1205,7 +1206,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17728495950787678705" + "templateHash": "8611977667171476388" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1877,6 +1878,13 @@ "description": "Optional. Site redundancy mode." } }, + "basicPublishingCredentialsPolicies": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The site publishing credential policy names which are associated with the site slot." + } + }, "vnetContentShareEnabled": { "type": "bool", "defaultValue": false, 
@@ -2335,6 +2343,154 @@ "slot" ] }, + "slot_basicPublishingCredentialsPolicies": { + "copy": { + "name": "slot_basicPublishingCredentialsPolicies", + "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Slot-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "appName": { + "value": "[parameters('appName')]" + }, + "slotName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" + }, + "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "9260112433322771379" + }, + "name": "Web Site Slot Basic Publishing Credentials Policies", + "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "allowedValues": [ + "scm", + "ftp" + ], + "metadata": { + "description": "Required. The name of the resource." + } + }, + "allow": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Set to true to enable or false to disable a publishing method." + } + }, + "appName": { + "type": "string", + "metadata": { + "description": "Conditional. 
The name of the parent web site. Required if the template is used in a standalone deployment." + } + }, + "slotName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "allow": "[parameters('allow')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the basic publishing credential policy." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the basic publishing credential policy." 
+ }, + "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the basic publishing credential policy was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "app", + "slot" + ] + }, "slot_hybridConnectionRelays": { "copy": { "name": "slot_hybridConnectionRelays", @@ -3145,7 +3301,7 @@ }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-Site-Publis-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-Site-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -3158,6 +3314,7 @@ "name": { "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" }, + "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" } @@ -3169,7 +3326,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12265634131995953652" + "templateHash": "12054216906297236281" }, "name": "Web Site Basic Publishing Credentials Policies", "description": "This module deploys a Web Site Basic Publishing Credentials Policy.", 
@@ -3190,7 +3347,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Set to true to allow access to or false to diable a publishing method." + "description": "Optional. Set to true to enable or false to disable a publishing method." } }, "webAppName": { diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index e929296684..3512cb4d8f 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -20,6 +20,7 @@ This module deploys a Web or Function App Deployment Slot. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Web/sites/slots` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots) | +| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/slots/config` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | | `Microsoft.Web/sites/slots/hybridConnectionNamespaces/relays` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/2022-09-01/sites/slots/hybridConnectionNamespaces/relays) | 
@@ -46,6 +47,7 @@ This module deploys a Web or Function App Deployment Slot. | [`appServiceEnvironmentResourceId`](#parameter-appserviceenvironmentresourceid) | string | The resource ID of the app service environment to use for this resource. | | [`appSettingsKeyValuePairs`](#parameter-appsettingskeyvaluepairs) | object | The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. | | [`authSettingV2Configuration`](#parameter-authsettingv2configuration) | object | The auth settings V2 configuration. | +| [`basicPublishingCredentialsPolicies`](#parameter-basicpublishingcredentialspolicies) | array | The site publishing credential policy names which are associated with the site slot. | | [`clientAffinityEnabled`](#parameter-clientaffinityenabled) | bool | If client affinity is enabled. | | [`clientCertEnabled`](#parameter-clientcertenabled) | bool | To enable client certificate authentication (TLS mutual authentication). | | [`clientCertExclusionPaths`](#parameter-clientcertexclusionpaths) | string | Client certificate authentication comma-separated exclusion paths. | @@ -114,6 +116,13 @@ The auth settings V2 configuration. - Type: object - Default: `{}` +### Parameter: `basicPublishingCredentialsPolicies` + +The site publishing credential policy names which are associated with the site slot. +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `clientAffinityEnabled` If client affinity is enabled. diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/README.md b/modules/web/site/slot/basic-publishing-credentials-policy/README.md new file mode 100644 index 0000000000..47e7844cd8 --- /dev/null +++ b/modules/web/site/slot/basic-publishing-credentials-policy/README.md 
@@ -0,0 +1,99 @@ +# Web Site Slot Basic Publishing Credentials Policies `[Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies]` + +This module deploys a Web Site Slot Basic Publishing Credentials Policy. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/sites) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the resource. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appName`](#parameter-appname) | string | The name of the parent web site. Required if the template is used in a standalone deployment. | +| [`slotName`](#parameter-slotname) | string | The name of the parent web site slot. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allow`](#parameter-allow) | bool | Set to true to enable or false to disable a publishing method. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location for all Resources. | + +### Parameter: `allow` + +Set to true to enable or false to disable a publishing method. +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `appName` + +The name of the parent web site. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). 
+- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `name` + +The name of the resource. +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'ftp' + 'scm' + ] + ``` + +### Parameter: `slotName` + +The name of the parent web site slot. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the basic publishing credential policy. | +| `resourceGroupName` | string | The name of the resource group the basic publishing credential policy was deployed into. | +| `resourceId` | string | The resource ID of the basic publishing credential policy. | + +## Cross-referenced modules + +_None_ diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep b/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep new file mode 100644 index 0000000000..303b1d9e70 --- /dev/null +++ b/modules/web/site/slot/basic-publishing-credentials-policy/main.bicep 
@@ -0,0 +1,66 @@
+metadata name = 'Web Site Slot Basic Publishing Credentials Policies'
+metadata description = 'This module deploys a Web Site Slot Basic Publishing Credentials Policy.'
+metadata owner = 'Azure/module-maintainers'
+
+@sys.description('Required. The name of the resource.')
+@allowed([
+ 'scm'
+ 'ftp'
+])
+param name string
+
+@sys.description('Optional. Set to true to enable or false to disable a publishing method.')
+param allow bool = true
+
+@sys.description('Conditional. The name of the parent web site. Required if the template is used in a standalone deployment.')
+param appName string
+
+@sys.description('Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment.')
+param slotName string
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource app 'Microsoft.Web/sites@2022-09-01' existing = {
+ name: appName
+
+ resource slot 'slots' existing = {
+ name: slotName
+ }
+}
+
+resource basicPublishingCredentialsPolicy 'Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies@2022-09-01' = {
+ name: name
+ location: location
+ parent: app::slot
+ properties: {
+ allow: allow
+ }
+}
+
+@sys.description('The name of the basic publishing credential policy.')
+output name string = basicPublishingCredentialsPolicy.name
+
+@sys.description('The resource ID of the basic publishing credential policy.')
+output resourceId string = basicPublishingCredentialsPolicy.id
+
+@sys.description('The name of the resource group the basic publishing credential policy was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@sys.description('The location the resource was deployed into.')
+output location string = basicPublishingCredentialsPolicy.location
diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/main.json b/modules/web/site/slot/basic-publishing-credentials-policy/main.json
new file mode 100644
index 0000000000..f658a67a56
--- /dev/null
+++ b/modules/web/site/slot/basic-publishing-credentials-policy/main.json
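Review bot: `param allow bool = true` makes the permissive setting the default, so a policy entry that omits `allow` — which the `contains(...) ? ... : null` pass-through in `web/site/slot/main.bicep` and `web/site/main.bicep` resolves to this default — ends up enabling basic-auth publishing for that method (`ftp` or `scm`) rather than disabling it. The description should state this so consumers know to pass `false` explicitly, e.g. `@sys.description('Optional. Set to true to enable or false to disable a publishing method. Defaults to true, so set false explicitly to turn basic-auth publishing off.')`. The file also mixes `@sys.description` with plain `@description` on `location` and `enableDefaultTelemetry`; using one form throughout would match the rest of the declarations.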
@@ -0,0 +1,114 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "9260112433322771379" + }, + "name": "Web Site Slot Basic Publishing Credentials Policies", + "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "allowedValues": [ + "scm", + "ftp" + ], + "metadata": { + "description": "Required. The name of the resource." + } + }, + "allow": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Set to true to enable or false to disable a publishing method." + } + }, + "appName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent web site. Required if the template is used in a standalone deployment." + } + }, + "slotName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "allow": "[parameters('allow')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the basic publishing credential policy." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the basic publishing credential policy." + }, + "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the basic publishing credential policy was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" + } + } +} \ No newline at end of file 
diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/version.json b/modules/web/site/slot/basic-publishing-credentials-policy/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/modules/web/site/slot/basic-publishing-credentials-policy/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep
index 18f9139fec..77347145fc 100644
--- a/modules/web/site/slot/main.bicep
+++ b/modules/web/site/slot/main.bicep
@@ -134,6 +134,9 @@ param publicNetworkAccess string = ''
 ])
 param redundancyMode string = 'None'
 
+@description('Optional. The site publishing credential policy names which are associated with the site slot.')
+param basicPublishingCredentialsPolicies array = []
+
 @description('Optional. To enable accessing content over virtual network.')
 param vnetContentShareEnabled bool = false
 
@@ -243,6 +246,16 @@ module slot_authsettingsv2 'config--authsettingsv2/main.bicep' = if (!empty(auth
 }
 }
 
+module slot_basicPublishingCredentialsPolicies 'basic-publishing-credentials-policy/main.bicep' = [for (basicPublishingCredentialsPolicy, index) in basicPublishingCredentialsPolicies: {
+ name: '${uniqueString(deployment().name, location)}-Slot-Publish-Cred-${index}'
+ params: {
+ appName: app.name
+ slotName: slot.name
+ name: basicPublishingCredentialsPolicy.name
+ allow: contains(basicPublishingCredentialsPolicy, 'allow') ? basicPublishingCredentialsPolicy.allow : null
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
 module slot_hybridConnectionRelays 'hybrid-connection-namespace/relay/main.bicep' = [for (hybridConnectionRelay, index) in hybridConnectionRelays: {
 name: '${uniqueString(deployment().name, location)}-Slot-HybridConnectionRelay-${index}'
 params: {
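Review bot: The new `slot_basicPublishingCredentialsPolicies` block in the second hunk runs straight into `module slot_hybridConnectionRelays` with no blank line after its closing `}]`, while the surrounding module declarations in this file are separated by an empty line; add one after `}]`. The loop itself mirrors the site-level `app_basicPublishingCredentialsPolicies` block, so nothing else stands out here.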
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index 8a8395995a..712b88882b 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "842322474793993092" + "version": "0.23.1.45101", + "templateHash": "8611977667171476388" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -678,6 +678,13 @@ "description": "Optional. Site redundancy mode." } }, + "basicPublishingCredentialsPolicies": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The site publishing credential policy names which are associated with the site slot." + } + }, "vnetContentShareEnabled": { "type": "bool", "defaultValue": false, @@ -881,8 +888,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13223616826795830599" + "version": "0.23.1.45101", + "templateHash": "10562313393461278954" }, "name": "Site Slot App Settings", "description": "This module deploys a Site Slot App Setting.", @@ -1036,8 +1043,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16157844933162881953" + "version": "0.23.1.45101", + "templateHash": "13215271953171449159" }, "name": "Site Slot Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", 
@@ -1136,6 +1143,154 @@ "slot" ] }, + "slot_basicPublishingCredentialsPolicies": { + "copy": { + "name": "slot_basicPublishingCredentialsPolicies", + "count": "[length(parameters('basicPublishingCredentialsPolicies'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Slot-Publish-Cred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "appName": { + "value": "[parameters('appName')]" + }, + "slotName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('basicPublishingCredentialsPolicies')[copyIndex()].name]" + }, + "allow": "[if(contains(parameters('basicPublishingCredentialsPolicies')[copyIndex()], 'allow'), createObject('value', parameters('basicPublishingCredentialsPolicies')[copyIndex()].allow), createObject('value', null()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "9260112433322771379" + }, + "name": "Web Site Slot Basic Publishing Credentials Policies", + "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "allowedValues": [ + "scm", + "ftp" + ], + "metadata": { + "description": "Required. The name of the resource." + } + }, + "allow": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Set to true to enable or false to disable a publishing method." + } + }, + "appName": { + "type": "string", + "metadata": { + "description": "Conditional. 
The name of the parent web site. Required if the template is used in a standalone deployment." + } + }, + "slotName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent web site slot. Required if the template is used in a standalone deployment." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[format('{0}/{1}/{2}', parameters('appName'), parameters('slotName'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "allow": "[parameters('allow')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the basic publishing credential policy." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the basic publishing credential policy." 
+ }, + "value": "[resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the basic publishing credential policy was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies', parameters('appName'), parameters('slotName'), parameters('name')), '2022-09-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "app", + "slot" + ] + }, "slot_hybridConnectionRelays": { "copy": { "name": "slot_hybridConnectionRelays", @@ -1170,8 +1325,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11888981629758921842" + "version": "0.23.1.45101", + "templateHash": "299894459930368764" }, "name": "Web/Function Apps Slot Hybrid Connection Relay", "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", @@ -1351,8 +1506,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1754,8 +1909,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
index 93c0fbb5e8..d474772265 100644
--- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
+++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
@@ -114,6 +114,16 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 ]
+ basicPublishingCredentialsPolicies: [
+ {
+ name: 'ftp'
+ allow: false
+ }
+ {
+ name: 'scm'
+ allow: false
+ }
+ ]
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
@@ -139,6 +149,14 @@ module testDeployment '../../../main.bicep' = {
 }
 {
 name: 'slot2'
+ basicPublishingCredentialsPolicies: [
+ {
+ name: 'ftp'
+ }
+ {
+ name: 'scm'
+ }
+ ]
 }
 ]
 privateEndpoints: [
@@ -179,11 +197,11 @@ module testDeployment '../../../main.bicep' = {
 basicPublishingCredentialsPolicies: [
 {
 name: 'ftp'
- allow: true
+ allow: false
 }
 {
 name: 'scm'
- allow: true
+ allow: false
 }
 ]
 
From ef17f22b94f9a207f417c8b52b1cde1a3d9984d0 Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Mon, 13 Nov 2023 05:25:59 +0000
Subject: [PATCH 096/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index f3ec1e5d0e..9f961c1815 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -148,9 +148,9 @@ This section provides an overview of the library's feature set.
 | 133 | web
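Review bot: In the second hunk the `slot2` entries carry only `name: 'ftp'` and `name: 'scm'`, so the slot path is exercised solely through the module default and the new `allow` pass-through in the slot module never sees an explicit value, whereas the site-level entries in the first and third hunks pass `allow: false`. Giving at least one slot entry `allow: false` would cover the `contains(..., 'allow')` branch for slots and would deploy the test slot with basic-auth publishing disabled, matching what the site-level test now asserts.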

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | [L1:1, L2:1, L3:2] | 118 | | 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:3, L2:1, L3:2] | 262 | | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 194 | -| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:5, L3:5] | 453 | +| 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 980 | 29852 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29854 | ## Legend From 016643a837ac3353bacad20c2bbf47f716eca714 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 14 Nov 2023 00:39:32 +0100 Subject: [PATCH 097/178] Added MOVED-TO-AVM.md for `operational-insights/workspace` module (#4200) * Added MOVED-TO-AVM.md * Updated readme --- modules/operational-insights/workspace/MOVED-TO-AVM.md | 1 + modules/operational-insights/workspace/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/operational-insights/workspace/MOVED-TO-AVM.md diff --git a/modules/operational-insights/workspace/MOVED-TO-AVM.md b/modules/operational-insights/workspace/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/operational-insights/workspace/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index ec2727000b..1829009535 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md 
@@ -1,5 +1,7 @@
 # Log Analytics Workspaces `[Microsoft.OperationalInsights/workspaces]`
 
+> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
+
 This module deploys a Log Analytics Workspace.
 
 ## Navigation
From 060bcc85e59dc6d312451fb251bb3c72cab5a2d4 Mon Sep 17 00:00:00 2001
From: Kris Baranek
Date: Tue, 14 Nov 2023 00:39:53 +0100
Subject: [PATCH 098/178] Added MOVED-TO-AVM.md (#4199)
---
 modules/operations-management/solution/MOVED-TO-AVM.md | 1 +
 modules/operations-management/solution/README.md | 2 ++
 2 files changed, 3 insertions(+)
 create mode 100644 modules/operations-management/solution/MOVED-TO-AVM.md
diff --git a/modules/operations-management/solution/MOVED-TO-AVM.md b/modules/operations-management/solution/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/operations-management/solution/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/operations-management/solution/README.md b/modules/operations-management/solution/README.md
index d40752a387..6927388c0e 100644
--- a/modules/operations-management/solution/README.md
+++ b/modules/operations-management/solution/README.md
@@ -1,5 +1,7 @@ # Operations Management Solutions `[Microsoft.OperationsManagement/solutions]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Operations Management Solution. ## Navigation From a5bdf330b05badb0ffa6b320b1f090aafdea2f91 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 14 Nov 2023 21:37:12 +1100 Subject: [PATCH 099/178] [Bug Fix] Remove kind parameter from App Service Plan `web/serverfarm` module (#4242) --- modules/web/serverfarm/README.md | 18 ------------------ modules/web/serverfarm/main.bicep | 11 ----------- modules/web/serverfarm/main.json | 19 ++----------------- 3 files changed, 2 insertions(+), 46 deletions(-) diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 0f9579209f..9e93d77498 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -317,7 +317,6 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`appServiceEnvironmentId`](#parameter-appserviceenvironmentid) | string | The Resource ID of the App Service Environment to use for the App Service Plan. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`kind`](#parameter-kind) | string | Kind of server OS. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | 
@@ -430,23 +429,6 @@ Enable telemetry via a Globally Unique Identifier (GUID). - Type: bool - Default: `True` -### Parameter: `kind` - -Kind of server OS. -- Required: No -- Type: string -- Default: `'Windows'` -- Allowed: - ```Bicep - [ - 'App' - 'Elastic' - 'FunctionApp' - 'Linux' - 'Windows' - ] - ``` - ### Parameter: `location` Location for all resources. diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index f8985d59b1..d5bc0cd954 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -16,16 +16,6 @@ param sku object @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Kind of server OS.') -@allowed([ - 'App' - 'Elastic' - 'FunctionApp' - 'Windows' - 'Linux' -]) -param kind string = 'Windows' - @description('Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true.') param reserved bool = false @@ -97,7 +87,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = { name: name - kind: kind location: location tags: tags sku: sku diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index 53eec7f0dd..74be015ae5 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14824797980620937555" + "version": "0.23.1.45101", + "templateHash": "10832175948195959384" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", 
@@ -207,20 +207,6 @@ "description": "Optional. Location for all resources." } }, - "kind": { - "type": "string", - "defaultValue": "Windows", - "allowedValues": [ - "App", - "Elastic", - "FunctionApp", - "Windows", - "Linux" - ], - "metadata": { - "description": "Optional. Kind of server OS." - } - }, "reserved": { "type": "bool", "defaultValue": false, @@ -345,7 +331,6 @@ "type": "Microsoft.Web/serverfarms", "apiVersion": "2022-09-01", "name": "[parameters('name')]", - "kind": "[parameters('kind')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": "[parameters('sku')]", From 199a3c322f23236558fe8b7fca98a89b2f56975e Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Tue, 14 Nov 2023 10:37:57 +0000 Subject: [PATCH 100/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 9f961c1815..8f2ed86bd1 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -147,10 +147,10 @@ This section provides an overview of the library's feature set. | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | [L1:1, L2:1, L3:3] | 216 | | 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | [L1:1, L2:1, L3:2] | 118 | | 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:3, L2:1, L3:2] | 262 | -| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 194 | +| 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29854 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29844 | ## Legend From f265ed15669218d2222a58c5a7e9771917394399 Mon Sep 17 00:00:00 2001 
From: Kris Baranek Date: Tue, 14 Nov 2023 14:07:45 +0100 Subject: [PATCH 101/178] [Modules] Updated identities to UDT as per AVM specs - Batch 2 (#4240) * Wiki update - systemAssignedMIPrincipalId output * Dev Test Lab - removed redundant output * Web Site - aligned slotSystemAssignedMIPrincipalIds output name * Upated ditital twins module * Digital twins - updated readme and arm of child modules * Digital twins - fixed identities of the endpoints * Digital twins - ARM Update * Restored original settingy.yml * Upated Synapse Workspace module * Digital Twins: added systemAssignedMIPrincipalId output and corresponding test --- docs/wiki/The library - Module design.md | 2 +- modules/dev-test-lab/lab/README.md | 1 - modules/dev-test-lab/lab/main.bicep | 3 - modules/dev-test-lab/lab/main.json | 35 ++-- .../digital-twins-instance/README.md | 118 +++++++---- .../endpoint--event-grid/main.json | 4 +- .../endpoint--event-hub/README.md | 35 ++-- .../endpoint--event-hub/main.bicep | 27 ++- .../endpoint--event-hub/main.json | 63 ++++-- .../endpoint--service-bus/README.md | 43 ++-- .../endpoint--service-bus/main.bicep | 27 ++- .../endpoint--service-bus/main.json | 63 ++++-- .../digital-twins-instance/main.bicep | 32 +-- .../digital-twins-instance/main.json | 196 ++++++++++++------ .../tests/e2e/max/main.test.bicep | 15 +- .../tests/e2e/waf-aligned/main.test.bicep | 14 +- modules/synapse/workspace/README.md | 69 +++--- modules/synapse/workspace/main.bicep | 24 ++- modules/synapse/workspace/main.json | 57 +++-- .../workspace/tests/e2e/max/main.test.bicep | 6 +- .../tests/e2e/waf-aligned/main.test.bicep | 6 +- modules/web/site/README.md | 2 +- modules/web/site/main.bicep | 2 +- modules/web/site/main.json | 4 +- 24 files changed, 543 insertions(+), 305 deletions(-) diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index 573c6549dc..a9a4e9fcd2 100644 --- a/docs/wiki/The library - Module design.md 
+++ b/docs/wiki/The library - Module design.md @@ -563,7 +563,7 @@ While exceptions might be needed, the following guidance should be followed as m - `name` - `resourceId` - `resourceGroupName` for modules that are deployed at resource group scope - - `systemAssignedPrincipalId` for all modules that support managed identities + - `systemAssignedMIPrincipalId` for all modules that support system-assigned managed identities - `location` for all modules where the primary resource has a location property - Add a `@description('...')` annotation with meaningful description to each output. diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index f4444676bb..58c5cc1fd6 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -1561,7 +1561,6 @@ Resource Group allocation for virtual machines. If left empty, virtual machines | `resourceGroupName` | string | The resource group the lab was deployed into. | | `resourceId` | string | The resource ID of the lab. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | | `uniqueIdentifier` | string | The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates. | ## Cross-referenced modules diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index c50c60e192..f3d45514be 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep 
@@ -303,9 +303,6 @@ resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01 scope: lab }] -@description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = lab.identity.principalId - @description('The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates.') output uniqueIdentifier string = lab.properties.uniqueIdentifier diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index f7339163ff..efdce8eafa 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14947280208542929227" + "version": "0.23.1.45101", + "templateHash": "16810111400681874654" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", @@ -483,8 +483,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8382075673072622254" + "version": "0.23.1.45101", + "templateHash": "15407797032940609921" }, "name": "DevTest Lab Virtual Networks", "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", @@ -656,8 +656,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7402281637422771358" + "version": "0.23.1.45101", + "templateHash": "9914622679648067397" }, "name": "DevTest Lab Policy Sets Policies", "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", 
@@ -861,8 +861,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10592511541548002212" + "version": "0.23.1.45101", + "templateHash": "12981849767656574818" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", @@ -1085,8 +1085,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5225332129791836269" + "version": "0.23.1.45101", + "templateHash": "18307130406875558192" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", @@ -1269,8 +1269,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12165020180713564819" + "version": "0.23.1.45101", + "templateHash": "2347337632859394324" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", 
@@ -1485,8 +1485,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12104430168487418019" + "version": "0.23.1.45101", + "templateHash": "12516166788941938286" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", @@ -1789,13 +1789,6 @@ } }, "outputs": { - "systemAssignedPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[reference('lab', '2018-10-15-preview', 'full').identity.principalId]" - }, "uniqueIdentifier": { "type": "string", "metadata": { diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 574c196c63..0f43ecff33 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -121,12 +121,20 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -146,16 +154,15 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -207,7 +214,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "lock": { @@ -216,6 +225,14 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -240,7 +257,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "tags": { @@ -249,11 +268,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -301,12 +315,19 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -326,16 +347,15 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -387,7 +407,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "lock": { @@ -396,6 +418,13 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -420,7 +449,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "tags": { @@ -429,11 +460,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -461,13 +487,12 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`serviceBusEndpoint`](#parameter-servicebusendpoint) | object | Service Bus Endpoint. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Resource tags. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `diagnosticSettings` 
@@ -639,6 +664,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the Digital Twin Instance. @@ -933,26 +984,12 @@ Service Bus Endpoint. - Type: object - Default: `{}` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Resource tags. - Required: No - Type: object -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{}` - ## Outputs @@ -963,6 +1000,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the Digital Twins Instance. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | | `resourceId` | string | The resource ID of the Digital Twins Instance. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules 
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json index 27b52f1b55..8490ff9e8a 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15429197908359098698" + "version": "0.23.1.45101", + "templateHash": "17503518990299492663" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md index 0dd7790d4e..1101a6dfdb 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md 
@@ -35,9 +35,8 @@ This module deploys a Digital Twins Instance EventHub Endpoint. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`endpointUri`](#parameter-endpointuri) | string | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | | [`entityPath`](#parameter-entitypath) | string | The EventHub name in the EventHub namespace for identity-based authentication. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | ### Parameter: `authenticationType` 
@@ -108,26 +107,38 @@ The EventHub name in the EventHub namespace for identity-based authentication. - Type: string - Default: `''` -### Parameter: `name` +### Parameter: `managedIdentities` -The name of the Digital Twin Endpoint. +The managed identity definition for this resource. - Required: No -- Type: string -- Default: `'EventHubEndpoint'` +- Type: object -### Parameter: `systemAssignedIdentity` -Enables system assigned managed identity on the resource. +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + - Required: No - Type: bool -- Default: `False` -### Parameter: `userAssignedIdentity` +### Parameter: `managedIdentities.userAssignedResourceId` + +Optional. The resource ID to assign to the resource. -The ID to assign to the resource. - Required: No - Type: string -- Default: `''` + +### Parameter: `name` + +The name of the Digital Twin Endpoint. +- Required: No +- Type: string +- Default: `'EventHubEndpoint'` ## Outputs diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep index bde961d9e6..44a269cc2b 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep 
@@ -39,17 +39,12 @@ param endpointUri string = ''
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
-@description('Optional. The ID to assign to the resource.')
-param userAssignedIdentity string = ''
-
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentity) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentity) ? 'UserAssigned' : 'None')
-
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentity: !empty(userAssignedIdentity) ? userAssignedIdentity : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
+ userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null
 } : null
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
@@ -92,3 +87,15 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The name of the Endpoint.')
 output name string = endpoint.name
+
+// =============== //
+// Definitions // 
+// =============== //
+
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID to assign to the resource.')
+ userAssignedResourceId: string?
+}?
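Review bot: The rewritten `identity` variable can emit an identity block whose `type` is null: `!empty(managedIdentities)` is true for any non-null object, so an input such as `{ systemAssigned: false }` or `{ userAssignedResourceId: '' }` reaches the object literal and the `type` expression resolves to `null`, whereas the removed `identityType != 'None'` guard previously produced no identity at all for that case. The `userAssignedIdentity` line also drops the `?? ''` coalesce that the `type` line applies, so the two properties decide "is a user-assigned identity present" by slightly different tests. Computing the type once and guarding on it keeps both consistent and restores the old no-identity behaviour; suggested shape below. Separately, the combined literal changed from 'SystemAssigned, UserAssigned' to 'SystemAssigned,UserAssigned'; I cannot tell from the hunk whether the endpoint's identity contract accepts a combined type at all, so that is worth confirming against the resource API rather than relying on the spelling.
```bicep
var formattedUserAssignedIdentity = managedIdentities.?userAssignedResourceId ?? ''
var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(formattedUserAssignedIdentity) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(formattedUserAssignedIdentity) ? 'UserAssigned' : null)
// Only build an identity block when some identity was actually requested.
var identity = identityType != null ? {
  type: identityType
  userAssignedIdentity: !empty(formattedUserAssignedIdentity) ? formattedUserAssignedIdentity : null
} : null
// … unchanged: defaultTelemetry deployment, endpoint resource, outputs, managedIdentitiesType definition …
```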
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json index 3ef4af7bb3..d0299e46f1 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json @@ -1,16 +1,39 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1200386987193874100" + "version": "0.23.1.45101", + "templateHash": "3646158227862088931" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -85,27 +108,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +133,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -133,9 +153,12 @@ "endpointUri": "[parameters('endpointUri')]", "entityPath": "[parameters('entityPath')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md index fd96f9cd28..c9e29b7746 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md 
@@ -34,10 +34,9 @@ This module deploys a Digital Twins Instance ServiceBus Endpoint. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`endpointUri`](#parameter-endpointuri) | string | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). | | [`entityPath`](#parameter-entitypath) | string | The ServiceBus Topic name for identity-based authentication. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | | [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | ### Parameter: `authenticationType` 
@@ -94,6 +93,32 @@ The ServiceBus Topic name for identity-based authentication. - Type: string - Default: `''` +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourceId` + +Optional. The resource ID to assign to the resource. + +- Required: No +- Type: string + ### Parameter: `name` The name of the Digital Twin Endpoint. @@ -115,20 +140,6 @@ SecondaryConnectionString of the endpoint for key-based authentication. Will be - Type: securestring - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `userAssignedIdentity` - -The ID to assign to the resource. -- Required: No -- Type: string -- Default: `''` - ## Outputs diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep index 25e6eb0ae7..633cc7ec3d 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep 
@@ -39,17 +39,12 @@ param secondaryConnectionString string = '' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType -@description('Optional. The ID to assign to the resource.') -param userAssignedIdentity string = '' - -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentity) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentity) ? 'UserAssigned' : 'None') - -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentity: !empty(userAssignedIdentity) ? userAssignedIdentity : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null) + userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null } : null resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { @@ -92,3 +87,15 @@ output resourceGroupName string = resourceGroup().name @description('The name of the Endpoint.') output name string = endpoint.name + +// =============== // +// Definitions // +// =============== // + +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID to assign to the resource.') + userAssignedResourceId: string? +}? 
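Review bot: The rewritten `identity` variable can still produce an identity block whose `type` is null: the outer guard only tests `!empty(managedIdentities)`, so an input like `{ systemAssigned: false }` passes it while both arms of the `type` ternary resolve to null, and the endpoint receives `identity: { type: null, userAssignedIdentity: null }` where the removed `identityType != 'None'` check used to yield `null` for the whole object. Deciding on the computed type rather than on object emptiness restores that behaviour and keeps the two identity-related checks in one place; the digital-twins-instance/main.bicep hunk further down (`@@ -53,11 +50,11 @@`) guards its own `identity` the same way and needs the same change. The `managedIdentitiesType` definition in the second hunk of this file already makes both properties nullable, so no other caller-visible change is needed.
```bicep
var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId ?? '') ? managedIdentities.?userAssignedResourceId : null
} : null

// … unchanged: defaultTelemetry resource and the remaining module body …
```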
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json index 31056e282d..6cd452bec3 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json @@ -1,16 +1,39 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2168121049050485718" + "version": "0.23.1.45101", + "templateHash": "13121115050219114278" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -85,27 +108,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +133,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -133,9 +153,12 @@ "primaryConnectionString": "[parameters('primaryConnectionString')]", "secondaryConnectionString": "[parameters('secondaryConnectionString')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 39749fa29a..a05501f0ff 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -16,11 +16,8 @@ param tags object? @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Event Hub Endpoint.') param eventHubEndpoint object = {} 
@@ -53,11 +50,11 @@ param roleAssignments roleAssignmentType var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -105,8 +102,7 @@ module digitalTwinsInstance_eventHubEndpoint 'endpoint--event-hub/main.bicep' = endpointUri: contains(eventHubEndpoint, 'endpointUri') ? eventHubEndpoint.endpointUri : '' entityPath: contains(eventHubEndpoint, 'entityPath') ? eventHubEndpoint.entityPath : '' enableDefaultTelemetry: enableReferencedModulesTelemetry - systemAssignedIdentity: contains(eventHubEndpoint, 'systemAssignedIdentity') ? eventHubEndpoint.systemAssignedIdentity : false - userAssignedIdentity: contains(eventHubEndpoint, 'userAssignedIdentity') ? eventHubEndpoint.userAssignedIdentity : {} + managedIdentities: contains(eventHubEndpoint, 'managedIdentities') ? eventHubEndpoint.managedIdentities : {} } } 
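Review bot: In the `identity` variable the array-typed `userAssignedResourcesIds` is defaulted with `?? {}` in both arms of the `type` ternary, while the `formattedUserAssignedIdentities` line directly above defaults the same property with `?? []`; `empty({})` happens to be true so the result is correct, but the mixed defaults read as a type mismatch against the `string[]?` that the new `managedIdentitiesType` declares for this property. Since `formattedUserAssignedIdentities` is already derived from that array and is what `userAssignedIdentities` tests, using it in the `type` expression too removes the duplicated lookup: `type: (managedIdentities.?systemAssigned ?? false) ? (!empty(formattedUserAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(formattedUserAssignedIdentities) ? 'UserAssigned' : null)`. The trailing comment on the `reduce(...)` line is helpful; consider keeping the same one-line explanation beside the `type` expression, since the two-level ternary is the part a reader of the compiled main.json has no chance of decoding.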
@@ -136,8 +132,7 @@ module digitalTwinsInstance_serviceBusEndpoint 'endpoint--service-bus/main.bicep primaryConnectionString: contains(serviceBusEndpoint, 'primaryConnectionString') ? serviceBusEndpoint.primaryConnectionString : '' secondaryConnectionString: contains(serviceBusEndpoint, 'secondaryConnectionString') ? serviceBusEndpoint.secondaryConnectionString : '' enableDefaultTelemetry: enableReferencedModulesTelemetry - systemAssignedIdentity: contains(eventHubEndpoint, 'systemAssignedIdentity') ? eventHubEndpoint.systemAssignedIdentity : false - userAssignedIdentity: contains(eventHubEndpoint, 'userAssignedIdentity') ? eventHubEndpoint.userAssignedIdentity : {} + managedIdentities: contains(serviceBusEndpoint, 'managedIdentities') ? serviceBusEndpoint.managedIdentities : {} } } @@ -229,10 +224,21 @@ output hostname string = digitalTwinsInstance.properties.hostName @description('The location the resource was deployed into.') output location string = digitalTwinsInstance.location +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(digitalTwinsInstance.identity, 'principalId') ? digitalTwinsInstance.identity.principalId : '' + // =============== // // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index 166bf7d6ff..5653591407 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json 
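Review bot: The new `systemAssignedMIPrincipalId` output in the `@@ -229,10 +224,21 @@` hunk returns `''` whenever `systemAssigned` is not true or the deployed instance carries no `principalId`, but its `@description` does not say so; a consumer that wires the output straight into a role assignment would pass an empty principal ID. Suggest `@description('The principal ID of the system assigned identity. Empty string when no system-assigned identity is enabled.')`. The `contains(digitalTwinsInstance.identity, 'principalId')` guard is a good call, since `identity` is absent on instances deployed without one.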
@@ -5,14 +5,37 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4900944127202083879" + "version": "0.23.1.45101", + "templateHash": "7414042721706079453" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -415,18 +438,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "eventHubEndpoint": { 
@@ -490,8 +505,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", 
@@ -612,22 +627,44 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "systemAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'systemAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').systemAssignedIdentity), createObject('value', false()))]", - "userAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'userAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').userAssignedIdentity), createObject('value', createObject()))]" + "managedIdentities": "[if(contains(parameters('eventHubEndpoint'), 'managedIdentities'), createObject('value', parameters('eventHubEndpoint').managedIdentities), createObject('value', createObject()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1200386987193874100" + "version": "0.23.1.45101", + "templateHash": "3646158227862088931" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -702,27 +739,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -736,7 +764,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -750,9 +784,12 @@ "endpointUri": "[parameters('endpointUri')]", "entityPath": "[parameters('entityPath')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -811,8 +848,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15429197908359098698" + "version": "0.23.1.45101", + "templateHash": "17503518990299492663" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", 
@@ -950,22 +987,44 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "systemAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'systemAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').systemAssignedIdentity), createObject('value', false()))]", - "userAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'userAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').userAssignedIdentity), createObject('value', createObject()))]" + "managedIdentities": "[if(contains(parameters('serviceBusEndpoint'), 'managedIdentities'), createObject('value', parameters('serviceBusEndpoint').managedIdentities), createObject('value', createObject()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2168121049050485718" + "version": "0.23.1.45101", + "templateHash": "13121115050219114278" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -1040,27 +1099,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1074,7 +1124,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -1088,9 +1144,12 @@ "primaryConnectionString": "[parameters('primaryConnectionString')]", "secondaryConnectionString": "[parameters('secondaryConnectionString')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -1192,8 +1251,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1595,8 +1654,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1772,6 +1831,13 @@ "description": "The location the resource was deployed into." }, "value": "[reference('digitalTwinsInstance', '2023-01-31', 'full').location]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('digitalTwinsInstance', '2023-01-31', 'full').identity, 'principalId')), reference('digitalTwinsInstance', '2023-01-31', 'full').identity.principalId, '')]" } } } \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep index 6b1f42d08a..2a577e3e87 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep @@ -73,13 +73,17 @@ module testDeployment '../../../main.bicep' = { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } serviceBusEndpoint: { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } eventGridEndpoint: { eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId 
@@ -87,8 +91,11 @@ module testDeployment '../../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 2c2f2e28ca..2043807414 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -73,13 +73,17 @@ module testDeployment '../../../main.bicep' = { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } serviceBusEndpoint: { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } eventGridEndpoint: { eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId 
@@ -87,8 +91,10 @@ module testDeployment '../../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 879cf28301..4b5f6948f4 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -380,6 +380,11 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { type: 'SelfHosted' } ] + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } managedVirtualNetwork: true privateEndpoints: [ { @@ -402,9 +407,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userAssignedIdentities: { - '': {} - } } } ``` @@ -468,6 +470,13 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedVirtualNetwork": { "value": true }, @@ -495,11 +504,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "roleDefinitionIdOrName": "Reader" } ] - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -552,6 +556,11 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { type: 'SelfHosted' } ] + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } managedVirtualNetwork: true privateEndpoints: [ { @@ -574,9 +583,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -640,6 +646,13 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedVirtualNetwork": { "value": true }, @@ -667,11 +680,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "roleDefinitionIdOrName": "Reader" } ] - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -708,6 +716,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`linkedAccessCheckOnTargetResource`](#parameter-linkedaccesscheckontargetresource) | bool | Linked Access Check On Target Resource. | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | | [`managedVirtualNetwork`](#parameter-managedvirtualnetwork) | bool | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | | [`preventDataExfiltration`](#parameter-preventdataexfiltration) | bool | Prevent Data Exfiltration. | 
@@ -717,7 +726,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | ### Parameter: `allowedAadTenantIdsForLinking` 
@@ -959,6 +967,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `managedResourceGroupName` Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. @@ -1292,13 +1318,6 @@ Tags of the resource. - Required: No - Type: object -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `workspaceRepositoryConfiguration` Git integration settings. @@ -1316,7 +1335,7 @@ Git integration settings. | `name` | string | The name of the deployed Synapse Workspace. | | `resourceGroupName` | string | The resource group of the deployed Synapse Workspace. | | `resourceID` | string | The resource ID of the deployed Synapse Workspace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index a73a3c42f8..360fe2834f 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -76,8 +76,8 @@ param sqlAdministratorLoginPassword string = ''
 @description('Optional. Git integration settings.')
 param workspaceRepositoryConfiguration object = {}
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -92,15 +92,16 @@ param privateEndpoints privateEndpointType
 param diagnosticSettings diagnosticSettingType
 // Variables
-var userAssignedIdentitiesUnion = union(userAssignedIdentities, !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? {
- '${customerManagedKey!.userAssignedIdentityResourceId}': {}
- } : {})
-var identityType = !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
+var cmkUserAssignedIdentityAsArray = !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? [ customerManagedKey.?userAssignedIdentityResourceId ] : []
+
+var userAssignedIdentitiesUnion = !empty(managedIdentities) ? union(managedIdentities.?userAssignedResourcesIds ?? [], cmkUserAssignedIdentityAsArray) : cmkUserAssignedIdentityAsArray
+
+var formattedUserAssignedIdentities = reduce(map((userAssignedIdentitiesUnion ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = {
- type: identityType
- userAssignedIdentities: !empty(userAssignedIdentitiesUnion) ? userAssignedIdentitiesUnion : null
+ type: !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 }
 var enableReferencedModulesTelemetry = false
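Review bot: The `var identity` block in the second hunk still hard-codes `'SystemAssigned'` as the baseline identity type, but the new `managedIdentitiesType` exposes only `userAssignedResourcesIds` — unlike sibling modules on this page whose type carries a `systemAssigned` flag — so nothing in the parameter surface tells a caller that a system-assigned identity is always created for the workspace; a comment above `var identity = {` would make that explicit, e.g. `// Synapse workspaces always carry a system-assigned identity; user-assigned identities (including the one referenced by customerManagedKey) are added on top.` The `!empty(managedIdentities) ? union(...) : cmkUserAssignedIdentityAsArray` branch on the `userAssignedIdentitiesUnion` line is redundant, because `managedIdentities.?userAssignedResourcesIds ?? []` already yields `[]` when `managedIdentities` is null, and `userAssignedIdentitiesUnion ?? []` in the `reduce(map(...))` line is likewise dead since `union` always returns an array. `var userAssignedIdentitiesUnion = union(managedIdentities.?userAssignedResourcesIds ?? [], cmkUserAssignedIdentityAsArray)` behaves the same and drops the branch.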
@@ -312,7 +313,7 @@ output resourceGroupName string = resourceGroup().name
 output connectivityEndpoints object = workspace.properties.connectivityEndpoints
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = contains(workspace.identity, 'principalId') ? workspace.identity.principalId : ''
+output systemAssignedMIPrincipalId string = contains(workspace.identity, 'principalId') ? workspace.identity.principalId : ''
 @description('The location the resource was deployed into.')
 output location string = workspace.location
@@ -321,6 +322,11 @@ output location string = workspace.location
 // Definitions //
 // =============== //
+type managedIdentitiesType = {
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourcesIds: string[]
+}?
+
 type lockType = {
 @description('Optional. Specify the name of lock.')
 name: string?
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index e96aed1c93..c2c4f5d7d7 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -5,14 +5,29 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2450269560530411916" + "version": "0.23.1.45101", + "templateHash": "17402441205082083392" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": {
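Review bot: In the new `managedIdentitiesType`, `userAssignedResourcesIds` is declared as `string[]` without a trailing `?`, so the object itself is nullable but its only member is mandatory: a caller passing `managedIdentities: {}` fails validation, and the README generated in this same commit shows `Required: Yes` next to a description that begins with `Optional.`. The api-management module later on this page declares the equivalent member as `userAssignedResourceIds: string[]?`; `userAssignedResourcesIds: string[]?` here would match that convention and make the description truthful. The type also has no `systemAssigned` member while the workspace's identity type in main.bicep is always at least `'SystemAssigned'`, so callers cannot see from the parameter that a system-assigned identity is unconditionally created; the description could state it, e.g. `@description('Optional. The resource ID(s) to assign to the resource. A system-assigned identity is always enabled for the workspace.')`. The `type lockType` definition that follows continues outside the hunk.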
@@ -555,11 +570,10 @@ "description": "Optional. Git integration settings." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "lock": { 
@@ -588,11 +602,12 @@ } }, "variables": { - "userAssignedIdentitiesUnion": "[union(parameters('userAssignedIdentities'), if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createObject(format('{0}', parameters('customerManagedKey').userAssignedIdentityResourceId), createObject()), createObject()))]", - "identityType": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "cmkUserAssignedIdentityAsArray": "[if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createArray(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')), createArray())]", + "userAssignedIdentitiesUnion": "[if(not(empty(parameters('managedIdentities'))), union(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), variables('cmkUserAssignedIdentityAsArray')), variables('cmkUserAssignedIdentityAsArray'))]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(variables('userAssignedIdentitiesUnion'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), variables('userAssignedIdentitiesUnion'), null())]" + "type": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" }, "enableReferencedModulesTelemetry": false, "builtInRoleNames": { 
@@ -772,8 +787,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3121962670071772951" + "version": "0.23.1.45101", + "templateHash": "15433128731134325120" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", @@ -891,8 +906,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7188161900918132964" + "version": "0.23.1.45101", + "templateHash": "1182711601328740781" } }, "parameters": { @@ -979,8 +994,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5952844918734432483" + "version": "0.23.1.45101", + "templateHash": "17878422697036938783" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", @@ -1154,8 +1169,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1557,8 +1572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1728,7 +1743,7 @@ }, "value": "[reference('workspace').connectivityEndpoints]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep index 70526bbe29..a3fcfac98d 100644 --- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep 
+++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep @@ -71,8 +71,10 @@ module testDeployment '../../../main.bicep' = { defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName sqlAdministratorLogin: 'synwsadmin' initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } roleAssignments: [ { diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep index cd02520ced..4a2f8236fc 100644 --- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -71,8 +71,10 @@ module testDeployment '../../../main.bicep' = { defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName sqlAdministratorLogin: 'synwsadmin' initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } roleAssignments: [ { diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 491ed806e0..bebdd69f18 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -1674,7 +1674,7 @@ Virtual Network Route All enabled. This causes all outbound traffic to have Virt | `resourceId` | string | The resource ID of the site. | | `slotResourceIds` | array | The list of the slot resource ids. | | `slots` | array | The list of the slots. | -| `slotSystemAssignedPrincipalIds` | array | The principal ID of the system assigned identity of slots. | +| `slotSystemAssignedMIPrincipalIds` | array | The principal ID of the system assigned identity of slots. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 6803c41fc8..f2c02e7356 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -403,7 +403,7 @@ output resourceGroupName string = resourceGroup().name output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(app.identity, 'principalId') ? app.identity.principalId : '' @description('The principal ID of the system assigned identity of slots.') -output slotSystemAssignedPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId] +output slotSystemAssignedMIPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId] @description('The location the resource was deployed into.') output location string = app.location diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 45a572bcb1..40e10f96f9 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8496123525886789404" + "templateHash": "5943221871747072299" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
@@ -4231,7 +4231,7 @@ }, "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" }, - "slotSystemAssignedPrincipalIds": { + "slotSystemAssignedMIPrincipalIds": { "type": "array", "metadata": { "description": "The principal ID of the system assigned identity of slots." From c5f2b8f774fe55321d4c036b0e126fb20dec81dd Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Tue, 14 Nov 2023 13:08:26 +0000 Subject: [PATCH 102/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 8f2ed86bd1..4547dc7d89 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -56,8 +56,8 @@ This section provides an overview of the library's feature set. | 41 | desktop-virtualization

host-pool | [![DesktopVirtualization - HostPools](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20HostPools/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.hostpools.yml) | | | | | | | [L1:1, L2:1, L3:3] | 281 | | 42 | desktop-virtualization

scaling-plan | [![DesktopVirtualization - Scalingplans](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Scalingplans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.scalingplans.yml) | | | | | | | [L1:1, L2:1, L3:3] | 200 | | 43 | desktop-virtualization

workspace | [![DesktopVirtualization - Workspaces](https://github.com/Azure/ResourceModules/workflows/DesktopVirtualization%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.desktopvirtualization.workspaces.yml) | | | | | | | [L1:1, L2:1, L3:3] | 161 | -| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:7, L2:2, L3:3] | 304 | -| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:4, L2:1, L3:3] | 301 | +| 44 | dev-test-lab

lab | [![DevTestLab - Labs](https://github.com/Azure/ResourceModules/workflows/DevTestLab%20-%20Labs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.devtestlab.labs.yml) | | | | | | | [L1:7, L2:2, L3:3] | 302 | +| 45 | digital-twins

digital-twins-instance | [![DigitalTwins - DigitalTwinsInstances](https://github.com/Azure/ResourceModules/workflows/DigitalTwins%20-%20DigitalTwinsInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.digitaltwins.digitaltwinsinstances.yml) | | | | | | | [L1:4, L2:1, L3:3] | 305 | | 46 | document-db

database-account | [![DocumentDB - DatabaseAccounts](https://github.com/Azure/ResourceModules/workflows/DocumentDB%20-%20DatabaseAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.documentdb.databaseaccounts.yml) | | | | | | | [L1:4, L2:4, L3:4] | 413 | | 47 | event-grid

domain | [![EventGrid - Domains](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20Domains/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.domains.yml) | | | | | | | [L1:2, L2:1, L3:4] | 257 | | 48 | event-grid

system-topic | [![EventGrid - System Topics](https://github.com/Azure/ResourceModules/workflows/EventGrid%20-%20System%20Topics/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.eventgrid.systemtopics.yml) | | | | | | | [L1:2, L2:1, L3:3] | 197 | @@ -143,14 +143,14 @@ This section provides an overview of the library's feature set. | 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:9, L2:4, L3:6] | 389 | | 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:7, L2:5, L3:7] | 524 | | 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | [L1:1, L2:1, L3:3] | 171 | -| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:4, L2:1, L3:6] | 374 | +| 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:4, L2:1, L3:6] | 377 | | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | [L1:1, L2:1, L3:3] | 216 | | 133 | web

connection | [![Web - Connections](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Connections/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.connections.yml) | | | | | | | [L1:1, L2:1, L3:2] | 118 | | 134 | web

hosting-environment | [![Web - HostingEnvironments](https://github.com/Azure/ResourceModules/workflows/Web%20-%20HostingEnvironments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.hostingenvironments.yml) | | | | | | | [L1:3, L2:1, L3:2] | 262 | | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29844 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29849 | ## Legend From 774188d491f13ab07fd8793d2c63aa970186ef3f Mon Sep 17 00:00:00 2001 
From: Kris Baranek Date: Tue, 14 Nov 2023 17:22:31 +0100 Subject: [PATCH 103/178] [Modules] Removed excess s from MI UDT definition (#4243) * Removed excess s from MI UDT definition * app/job module - fixed identity output name * Removed excess s from MI UDT definition - part 2 --- modules/api-management/service/README.md | 12 ++-- modules/api-management/service/main.bicep | 6 +- modules/api-management/service/main.json | 66 +++++++++---------- .../service/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../configuration-store/README.md | 16 ++--- .../configuration-store/main.bicep | 6 +- .../configuration-store/main.json | 22 +++---- .../tests/e2e/encr/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/app/container-app/README.md | 12 ++-- modules/app/container-app/main.bicep | 6 +- modules/app/container-app/main.json | 10 +-- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/app/job/README.md | 14 ++-- modules/app/job/main.bicep | 8 +-- modules/app/job/main.json | 12 ++-- modules/app/job/tests/e2e/max/main.test.bicep | 2 +- .../job/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../automation/automation-account/README.md | 16 ++--- .../automation/automation-account/main.bicep | 6 +- .../automation/automation-account/main.json | 50 +++++++------- .../tests/e2e/encr/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/batch/batch-account/README.md | 8 +-- modules/batch/batch-account/main.bicep | 6 +- modules/batch/batch-account/main.json | 18 ++--- .../tests/e2e/encr/main.test.bicep | 2 +- modules/cache/redis/README.md | 12 ++-- modules/cache/redis/main.bicep | 6 +- modules/cache/redis/main.json | 18 ++--- .../cache/redis/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- 
modules/cognitive-services/account/README.md | 20 +++--- modules/cognitive-services/account/main.bicep | 6 +- modules/cognitive-services/account/main.json | 18 ++--- .../account/tests/e2e/encr/main.test.bicep | 2 +- .../account/tests/e2e/max/main.test.bicep | 2 +- .../account/tests/e2e/speech/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/compute/disk-encryption-set/README.md | 16 ++--- .../compute/disk-encryption-set/main.bicep | 8 +-- modules/compute/disk-encryption-set/main.json | 26 ++++---- .../tests/e2e/accessPolicies/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../virtual-machine-scale-set/README.md | 12 ++-- .../virtual-machine-scale-set/main.bicep | 6 +- .../virtual-machine-scale-set/main.json | 42 ++++++------ .../tests/e2e/linux/main.test.bicep | 2 +- .../tests/e2e/windows/main.test.bicep | 2 +- modules/compute/virtual-machine/README.md | 12 ++-- modules/compute/virtual-machine/main.bicep | 6 +- modules/compute/virtual-machine/main.json | 62 ++++++++--------- .../tests/e2e/linux/main.test.bicep | 2 +- .../tests/e2e/windows/main.test.bicep | 2 +- .../container-group/README.md | 20 +++--- .../container-group/main.bicep | 6 +- .../container-group/main.json | 10 +-- .../tests/e2e/encr/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/private/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/container-registry/registry/README.md | 16 ++--- .../container-registry/registry/main.bicep | 6 +- modules/container-registry/registry/main.json | 30 ++++----- .../registry/tests/e2e/encr/main.test.bicep | 2 +- .../registry/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../managed-cluster/README.md | 16 ++--- .../managed-cluster/main.bicep | 6 +- .../managed-cluster/main.json | 22 +++---- .../tests/e2e/azure/main.test.bicep | 2 +- .../tests/e2e/kubenet/main.test.bicep | 2 +- 
.../tests/e2e/priv/main.test.bicep | 2 +- modules/data-factory/factory/README.md | 12 ++-- modules/data-factory/factory/main.bicep | 6 +- modules/data-factory/factory/main.json | 30 ++++----- .../factory/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/databricks/access-connector/README.md | 12 ++-- .../databricks/access-connector/main.bicep | 6 +- modules/databricks/access-connector/main.json | 10 +-- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../db-for-my-sql/flexible-server/README.md | 12 ++-- .../db-for-my-sql/flexible-server/main.bicep | 6 +- .../db-for-my-sql/flexible-server/main.json | 22 +++---- .../tests/e2e/private/main.test.bicep | 2 +- .../tests/e2e/public/main.test.bicep | 2 +- .../flexible-server/README.md | 8 +-- .../flexible-server/main.bicep | 6 +- .../flexible-server/main.json | 26 ++++---- .../tests/e2e/public/main.test.bicep | 2 +- modules/dev-test-lab/lab/README.md | 12 ++-- modules/dev-test-lab/lab/main.bicep | 6 +- modules/dev-test-lab/lab/main.json | 8 +-- .../lab/tests/e2e/max/main.test.bicep | 2 +- .../lab/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../digital-twins-instance/README.md | 12 ++-- .../digital-twins-instance/main.bicep | 6 +- .../digital-twins-instance/main.json | 8 +-- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../document-db/database-account/README.md | 8 +-- .../gremlin-database/main.bicep | 2 +- .../gremlin-database/main.json | 10 +-- .../document-db/database-account/main.bicep | 6 +- .../document-db/database-account/main.json | 44 ++++++------- .../tests/e2e/sqldb/main.test.bicep | 2 +- modules/event-grid/system-topic/README.md | 4 +- modules/event-grid/system-topic/main.bicep | 6 +- modules/event-grid/system-topic/main.json | 14 ++-- modules/event-hub/namespace/README.md | 16 ++--- modules/event-hub/namespace/main.bicep | 6 +- modules/event-hub/namespace/main.json | 42 
++++++------ .../namespace/tests/e2e/encr/main.test.bicep | 2 +- .../namespace/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/health-bot/health-bot/README.md | 12 ++-- modules/health-bot/health-bot/main.bicep | 6 +- modules/health-bot/health-bot/main.json | 10 +-- .../health-bot/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/healthcare-apis/workspace/README.md | 16 ++--- .../workspace/dicomservice/README.md | 4 +- .../workspace/dicomservice/main.bicep | 6 +- .../workspace/dicomservice/main.json | 10 +-- .../workspace/fhirservice/README.md | 4 +- .../workspace/fhirservice/main.bicep | 6 +- .../workspace/fhirservice/main.json | 10 +-- .../workspace/iotconnector/README.md | 4 +- .../workspace/iotconnector/main.bicep | 6 +- .../workspace/iotconnector/main.json | 14 ++-- modules/healthcare-apis/workspace/main.json | 38 +++++------ .../workspace/tests/e2e/max/main.test.bicep | 4 +- .../tests/e2e/waf-aligned/main.test.bicep | 4 +- modules/logic/workflow/README.md | 12 ++-- modules/logic/workflow/main.bicep | 6 +- modules/logic/workflow/main.json | 10 +-- .../workflow/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../workspace/README.md | 24 +++---- .../workspace/compute/README.md | 4 +- .../workspace/compute/main.bicep | 6 +- .../workspace/compute/main.json | 10 +-- .../workspace/main.bicep | 6 +- .../workspace/main.json | 28 ++++---- .../workspace/tests/e2e/encr/main.test.bicep | 2 +- .../workspace/tests/e2e/max/main.test.bicep | 4 +- .../tests/e2e/waf-aligned/main.test.bicep | 4 +- modules/net-app/net-app-account/README.md | 8 +-- modules/net-app/net-app-account/main.bicep | 6 +- modules/net-app/net-app-account/main.json | 18 ++--- .../tests/e2e/nfs41/main.test.bicep | 2 +- modules/network/application-gateway/README.md | 12 ++-- .../network/application-gateway/main.bicep | 6 +- modules/network/application-gateway/main.json | 18 ++--- 
.../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/network/firewall-policy/README.md | 4 +- modules/network/firewall-policy/main.bicep | 6 +- modules/network/firewall-policy/main.json | 14 ++-- .../operational-insights/workspace/README.md | 8 +-- .../operational-insights/workspace/main.bicep | 6 +- .../operational-insights/workspace/main.json | 42 ++++++------ .../workspace/tests/e2e/adv/main.test.bicep | 2 +- modules/purview/account/README.md | 12 ++-- modules/purview/account/main.bicep | 6 +- modules/purview/account/main.json | 50 +++++++------- .../account/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/recovery-services/vault/README.md | 12 ++-- modules/recovery-services/vault/main.bicep | 6 +- modules/recovery-services/vault/main.json | 58 ++++++++-------- .../vault/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/resources/deployment-script/README.md | 12 ++-- .../resources/deployment-script/main.bicep | 6 +- modules/resources/deployment-script/main.json | 10 +-- .../tests/e2e/cli/main.test.bicep | 2 +- .../tests/e2e/ps/main.test.bicep | 2 +- modules/service-bus/namespace/README.md | 16 ++--- modules/service-bus/namespace/main.bicep | 6 +- modules/service-bus/namespace/main.json | 50 +++++++------- .../namespace/tests/e2e/encr/main.test.bicep | 2 +- .../namespace/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../signal-r-service/web-pub-sub/README.md | 4 +- .../signal-r-service/web-pub-sub/main.bicep | 6 +- .../signal-r-service/web-pub-sub/main.json | 18 ++--- modules/sql/managed-instance/README.md | 12 ++-- modules/sql/managed-instance/main.bicep | 6 +- modules/sql/managed-instance/main.json | 46 ++++++------- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/sql/server/README.md | 16 ++--- modules/sql/server/main.bicep | 6 +- 
modules/sql/server/main.json | 62 ++++++++--------- .../sql/server/tests/e2e/max/main.test.bicep | 2 +- .../server/tests/e2e/vulnAssm/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/storage/storage-account/README.md | 20 +++--- modules/storage/storage-account/main.bicep | 6 +- modules/storage/storage-account/main.json | 62 ++++++++--------- .../tests/e2e/encr/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/nfs/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/synapse/workspace/README.md | 12 ++-- modules/synapse/workspace/main.bicep | 4 +- modules/synapse/workspace/main.json | 6 +- .../workspace/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/web/hosting-environment/README.md | 12 ++-- modules/web/hosting-environment/main.bicep | 6 +- modules/web/hosting-environment/main.json | 18 ++--- .../tests/e2e/asev2/main.test.bicep | 2 +- .../tests/e2e/asev3/main.test.bicep | 2 +- modules/web/site/README.md | 12 ++-- modules/web/site/main.bicep | 6 +- modules/web/site/main.json | 16 ++--- modules/web/site/slot/README.md | 4 +- modules/web/site/slot/main.bicep | 6 +- modules/web/site/slot/main.json | 8 +-- .../e2e/functionAppCommon/main.test.bicep | 2 +- .../tests/e2e/webAppCommon/main.test.bicep | 2 +- modules/web/static-site/README.md | 12 ++-- modules/web/static-site/main.bicep | 6 +- modules/web/static-site/main.json | 34 +++++----- .../static-site/tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- 235 files changed, 1160 insertions(+), 1160 deletions(-) diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 64ee78c465..aa9604ceea 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md 
@@ -194,7 +194,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -381,7 +381,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -564,7 +564,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -751,7 +751,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1141,7 +1141,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1150,7 +1150,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index fa0858ccb7..c71fd923f4 100644 --- a/modules/api-management/service/main.bicep 
+++ b/modules/api-management/service/main.bicep
@@ -132,10 +132,10 @@ var enableReferencedModulesTelemetry = false
 var authorizationServerList = !empty(authorizationServers) ? authorizationServers.secureList : []
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -465,7 +465,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json
index fa27d9cfdc..4331c55f43 100644
--- a/modules/api-management/service/main.json
+++ b/modules/api-management/service/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10340171795894114862" + "version": "0.23.1.45101", + "templateHash": "12034021056308380039" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -501,8 +501,8 @@ "variables": { "enableReferencedModulesTelemetry": false, "authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', 
if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]", "API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", @@ -672,8 +672,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17340528539230351720" + "version": "0.23.1.45101", + "templateHash": "11512052528068634292" }, "name": "API Management Service APIs", "description": "This module deploys an API Management Service API.", @@ -952,8 +952,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14571499926134179860" + "version": "0.23.1.45101", + "templateHash": "17230254380289042348" }, "name": "API Management Service APIs Policies", "description": "This module deploys an API Management Service API Policy.", @@ -1122,8 +1122,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12233980723609740158" + "version": "0.23.1.45101", + "templateHash": "16962621369738378491" }, "name": "API Management Service API Version Sets", "description": "This module deploys an API Management Service API Version Set.", @@ -1262,8 +1262,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7988688467600216709" + "version": "0.23.1.45101", + "templateHash": "4791396269511004286" }, "name": "API Management Service Authorization Servers", "description": "This module deploys an API Management Service Authorization Server.", 
@@ -1510,8 +1510,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3713166604792624713" + "version": "0.23.1.45101", + "templateHash": "14371393063475773678" }, "name": "API Management Service Backends", "description": "This module deploys an API Management Service Backend.", @@ -1704,8 +1704,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4933923478377534151" + "version": "0.23.1.45101", + "templateHash": "10312358305910336044" }, "name": "API Management Service Caches", "description": "This module deploys an API Management Service Cache.", @@ -1855,8 +1855,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13822474427587974385" + "version": "0.23.1.45101", + "templateHash": "13036858747462562466" }, "name": "API Management Service Identity Providers", "description": "This module deploys an API Management Service Identity Provider.", @@ -2074,8 +2074,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16893893897869493831" + "version": "0.23.1.45101", + "templateHash": "14872932654104188944" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", @@ -2236,8 +2236,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1124223085084988655" + "version": "0.23.1.45101", + "templateHash": "12676245745541867340" }, "name": "API Management Service Portal Settings", "description": "This module deploys an API Management Service Portal Setting.", 
@@ -2359,8 +2359,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3650757020022888901" + "version": "0.23.1.45101", + "templateHash": "16586961527396343119" }, "name": "API Management Service Policies", "description": "This module deploys an API Management Service Policy.", @@ -2499,8 +2499,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2758822676627115160" + "version": "0.23.1.45101", + "templateHash": "8527180272588578376" }, "name": "API Management Service Products", "description": "This module deploys an API Management Service Product.", @@ -2648,8 +2648,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16488730655399972556" + "version": "0.23.1.45101", + "templateHash": "17352324470715058273" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", @@ -2762,8 +2762,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14085709622188800883" + "version": "0.23.1.45101", + "templateHash": "16541523008963717147" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", @@ -2928,8 +2928,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10733141744485121232" + "version": "0.23.1.45101", + "templateHash": "15367144313924447449" }, "name": "API Management Service Subscriptions", "description": "This module deploys an API Management Service Subscription.", diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep index c1918b4ef4..8d75bc8e6d 100644 --- a/modules/api-management/service/tests/e2e/max/main.test.bicep +++ b/modules/api-management/service/tests/e2e/max/main.test.bicep 
@@ -206,7 +206,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep index e6246837b8..310b608f75 100644 --- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -206,7 +206,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 83006ae973..1913e261cd 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -121,7 +121,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -196,7 +196,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -281,7 +281,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -372,7 +372,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -558,7 +558,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -649,7 +649,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -953,7 +953,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -962,7 +962,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index b70e5fcbb6..68dd210d37 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -70,10 +70,10 @@ param privateEndpoints privateEndpointType
 var enableReferencedModulesTelemetry = false
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -247,7 +247,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json
index d56245e7bf..f3f2d4fd17 100644
--- a/modules/app-configuration/configuration-store/main.json
+++ b/modules/app-configuration/configuration-store/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4494236567093935129" + "version": "0.23.1.45101", + "templateHash": "75945570727927214" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -572,8 +572,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "App Compliance 
Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", "App Compliance Automation Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ffc6bbe0-e443-4c3b-bf54-26581bb2f78e')]", @@ -751,8 +751,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5336531799585402354" + "version": "0.23.1.45101", + "templateHash": "11370563001494590361" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", @@ -935,8 +935,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1338,8 +1338,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep index fbe976165f..7123d01c60 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep @@ -81,7 +81,7 @@ module testDeployment '../../../main.bicep' = { ] softDeleteRetentionInDays: 1 managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } 
diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep index a87462b588..10c4c6090c 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep @@ -111,7 +111,7 @@ module testDeployment '../../../main.bicep' = { softDeleteRetentionInDays: 1 managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep index 22770e01be..abfee358a1 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -111,7 +111,7 @@ module testDeployment '../../../main.bicep' = { softDeleteRetentionInDays: 1 managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index c6ad339911..a5789ffb6c 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -169,7 +169,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -252,7 +252,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -331,7 +331,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -414,7 +414,7 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -636,7 +636,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -645,7 +645,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index 9a98840334..2ba53033af 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep 
@@ -111,10 +111,10 @@ param workloadProfileType string = ''
 var secretList = !empty(secrets) ? secrets.secureList : []
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -232,7 +232,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json
index f94f931610..3e89b56a68 100644
--- a/modules/app/container-app/main.json
+++ b/modules/app/container-app/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5881378126445701958"
+ "version": "0.23.1.45101",
+ "templateHash": "3901132801605374235"
 },
 "name": "Container Apps",
 "description": "This module deploys a Container App.",
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -360,8 +360,8 @@ }, "variables": { "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), 
variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", diff --git a/modules/app/container-app/tests/e2e/max/main.test.bicep b/modules/app/container-app/tests/e2e/max/main.test.bicep index 68cd3514ae..5cf01b4bac 100644 --- a/modules/app/container-app/tests/e2e/max/main.test.bicep +++ b/modules/app/container-app/tests/e2e/max/main.test.bicep @@ -65,7 +65,7 @@ module testDeployment '../../../main.bicep' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep index baa721dd00..c8b15d8184 100644 --- a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep @@ -65,7 +65,7 @@ module testDeployment '../../../main.bicep' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app/job/README.md b/modules/app/job/README.md index 042067b52b..9b55693da6 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -185,7 +185,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -284,7 +284,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -383,7 +383,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -482,7 +482,7 @@ module job 'br:bicep/modules/app.job:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -638,7 +638,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` @@ -647,7 +647,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. 
@@ -814,7 +814,7 @@ The name of the workload profile to use. | `name` | string | The name of the Container App Job. | | `resourceGroupName` | string | The name of the resource group the Container App Job was deployed into. | | `resourceId` | string | The resource ID of the Container App Job. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep index fa8916e80d..ee9795e632 100644 --- a/modules/app/job/main.bicep +++ b/modules/app/job/main.bicep @@ -70,9 +70,9 @@ param triggerType string var secretList = !empty(secrets) ? secrets.secureList : [] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
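Review bot: In the rewritten `identity` variable of the `@@ -70,9 +70,9 @@` hunk of modules/app/job/main.bicep, the `type` expression still falls back to an object, `managedIdentities.?userAssignedResourceIds ?? {}`, for a property the same file declares as `string[]?`, while `formattedUserAssignedIdentities` two lines above defaults the same property with `?? []`. `empty({})` and `empty([])` both evaluate true, so behaviour is unchanged, but the mismatch reads as if the property could be an object; `!empty(managedIdentities.?userAssignedResourceIds ?? [])` in both branches of `type` keeps the default consistent with the declared type. The same pattern is in the corresponding main.bicep hunks for automation-account, batch-account and redis further down. Since the commit renames a property of a module type whose README examples still reference `br:bicep/modules/app.job:1.0.0`, it is presumably a breaking change for existing consumers, which the change does not call out.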
@@ -159,7 +159,7 @@ output name string = containerAppJob.name output location string = containerAppJob.location @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerAppJob.identity, 'principalId') ? containerAppJob.identity.principalId : '' +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(containerAppJob.identity, 'principalId') ? containerAppJob.identity.principalId : '' // =============== // // Definitions // @@ -201,5 +201,5 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? diff --git a/modules/app/job/main.json b/modules/app/job/main.json index fa8d8beed1..47a3c78d1e 100644 --- a/modules/app/job/main.json +++ b/modules/app/job/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3431886018605625039" + "version": "0.23.1.45101", + "templateHash": "1177002150217044728" }, "name": "Container App Jobs", "description": "This module deploys a Container App Job.", @@ -114,7 +114,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -270,8 +270,8 @@ }, "variables": { "secretList": "[if(not(empty(parameters('secrets'))), parameters('secrets').secureList, createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), 
variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -389,7 +389,7 @@ }, "value": "[reference('containerAppJob', '2023-05-01', 'full').location]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." diff --git a/modules/app/job/tests/e2e/max/main.test.bicep b/modules/app/job/tests/e2e/max/main.test.bicep index ad0bd71925..b31091a7c4 100644 --- a/modules/app/job/tests/e2e/max/main.test.bicep +++ b/modules/app/job/tests/e2e/max/main.test.bicep @@ -68,7 +68,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep index 267c39bb21..ffe896743e 100644 --- a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep @@ -68,7 +68,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 42e498b90a..11b5cc06c2 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md 
@@ -110,7 +110,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -147,7 +147,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -211,7 +211,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -437,7 +437,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -667,7 +667,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -893,7 +893,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1341,7 +1341,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` 
@@ -1350,7 +1350,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index a9f989b9ba..c7c66989e5 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep @@ -76,10 +76,10 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -396,7 +396,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index 09e14c3e3b..db9ba071f1 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11493438009443560879" + "version": "0.23.1.45101", + "templateHash": "3971272162822794152" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -593,8 +593,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Automation 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')]", "Automation Job Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", @@ -774,8 +774,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18249732142000845439" + "version": "0.23.1.45101", + "templateHash": "6971821068699927304" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.", @@ -940,8 +940,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4119330639685982378" + "version": "0.23.1.45101", + "templateHash": "3941184452068098954" }, "name": "Automation Account Schedules", "description": "This module deploys an Azure Automation Account Schedule.", @@ -1143,8 +1143,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1833872657708381069" + "version": "0.23.1.45101", + "templateHash": "3054091660106074138" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.", @@ -1367,8 +1367,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7560418296837405700" + "version": "0.23.1.45101", + "templateHash": "7940366869013991296" }, "name": "Automation Account Job Schedules", "description": "This module deploys an Azure Automation Account Job Schedule.", @@ -1519,8 +1519,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17400819380217562013" + "version": "0.23.1.45101", + "templateHash": "13399277967950966124" }, "name": "Automation Account Variables", "description": "This module deploys an Azure Automation Account Variable.", 
@@ -1658,8 +1658,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9970744617970664745" + "version": "0.23.1.45101", + "templateHash": "4319942183601642190" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -1809,8 +1809,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2318608107759137473" + "version": "0.23.1.45101", + "templateHash": "6590935071601965866" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", @@ -1995,8 +1995,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10775503419002427646" + "version": "0.23.1.45101", + "templateHash": "17152541334253964982" }, "name": "Automation Account Software Update Configurations", "description": "This module deploys an Azure Automation Account Software Update Configuration.", @@ -2493,8 +2493,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2896,8 +2896,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep index 4c72655f49..75915b6fa6 100644 --- a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep 
+++ b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep @@ -60,7 +60,7 @@ module testDeployment '../../../main.bicep' = { userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/automation/automation-account/tests/e2e/max/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep index f0984bd8c6..54c6631523 100644 --- a/modules/automation/automation-account/tests/e2e/max/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/max/main.test.bicep @@ -220,7 +220,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep index ebff0d4bc1..e75ac961a6 100644 --- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -220,7 +220,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 2d71887df9..74b8f009b7 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -106,7 +106,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { cMKKeyVaultResourceId: '' enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -167,7 +167,7 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -823,7 +823,7 @@ The managed identity definition for this resource. Only one type of identity is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -832,7 +832,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/batch/batch-account/main.bicep b/modules/batch/batch-account/main.bicep index 2e71ac72f5..476a5045a1 100644 --- a/modules/batch/batch-account/main.bicep +++ b/modules/batch/batch-account/main.bicep 
@@ -87,10 +87,10 @@ param cMKKeyVersion string = '' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -266,7 +266,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/batch/batch-account/main.json b/modules/batch/batch-account/main.json index e44f57e23f..963156fc27 100644 --- a/modules/batch/batch-account/main.json +++ b/modules/batch/batch-account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4335449072974068086" + "version": "0.23.1.45101", + "templateHash": "12136628607007085448" }, "name": "Batch Accounts", "description": "This module deploys a Batch Account.", 
@@ -23,7 +23,7 @@
 "description": "Optional. Enables system assigned managed identity on the resource."
 }
 },
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -584,8 +584,8 @@ } } ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "nodeIdentityReference": "[if(not(empty(parameters('storageAccessIdentity'))), createObject('resourceId', if(not(empty(parameters('storageAccessIdentity'))), parameters('storageAccessIdentity'), null())), null())]", "autoStorageConfig": { "authenticationMode": "[parameters('storageAuthenticationMode')]", 
@@ -788,8 +788,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1191,8 +1191,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep index a50db3f7d6..dd115ebda3 100644 --- a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep @@ -77,7 +77,7 @@ module testDeployment '../../../main.bicep' = { storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId storageAuthenticationMode: 'BatchAccountManagedIdentity' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 500c93fa81..45e6ec422f 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -121,7 +121,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -207,7 +207,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -303,7 +303,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -389,7 +389,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -675,7 +675,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -684,7 +684,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index e1c36e16c3..bb1d2191e5 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep 
@@ -107,10 +107,10 @@ param enableDefaultTelemetry bool = true var availabilityZones = skuName == 'Premium' ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : [] : [] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -269,7 +269,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index 4d5ef453b0..f05edb97ec 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json 
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14680360433148567844"
+ "version": "0.23.1.45101",
+ "templateHash": "7671125906841819197"
 },
 "name": "Redis Cache",
 "description": "This module deploys a Redis Cache.",
@@ -23,7 +23,7 @@
 "description": "Optional. Enables system assigned managed identity on the resource."
 }
 },
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -606,8 +606,8 @@ }, "variables": { "availabilityZones": "[if(equals(parameters('skuName'), 'Premium'), if(parameters('zoneRedundant'), if(not(empty(parameters('zones'))), parameters('zones'), pickZones('Microsoft.Cache', 'redis', parameters('location'), 3)), createArray()), createArray())]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 
'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -791,8 +791,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1194,8 +1194,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/cache/redis/tests/e2e/max/main.test.bicep b/modules/cache/redis/tests/e2e/max/main.test.bicep index 5162295ff3..dd1a06da7d 100644 --- a/modules/cache/redis/tests/e2e/max/main.test.bicep +++ b/modules/cache/redis/tests/e2e/max/main.test.bicep @@ -109,7 +109,7 @@ module testDeployment '../../../main.bicep' = { skuName: 'Premium' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep index 814b68ace3..01f1338b3d 100644 --- a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep 
@@ -109,7 +109,7 @@ module testDeployment '../../../main.bicep' = { skuName: 'Premium' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 4244365e44..5a6f311874 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -109,7 +109,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -154,7 +154,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -214,7 +214,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -313,7 +313,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -393,7 +393,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { enableDefaultTelemetry: '' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -450,7 +450,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -527,7 +527,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -626,7 +626,7 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -994,7 +994,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` @@ -1003,7 +1003,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. diff --git a/modules/cognitive-services/account/main.bicep b/modules/cognitive-services/account/main.bicep index d9787e57f4..be906d33de 100644 --- a/modules/cognitive-services/account/main.bicep +++ b/modules/cognitive-services/account/main.bicep 
@@ -130,10 +130,10 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -332,7 +332,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/cognitive-services/account/main.json b/modules/cognitive-services/account/main.json index 7921180ab2..ec1c5362ac 100644 --- a/modules/cognitive-services/account/main.json +++ b/modules/cognitive-services/account/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17007188729160940142" + "version": "0.23.1.45101", + "templateHash": "7313430754429497718" }, "name": "Cognitive Services", "description": "This module deploys a Cognitive Service.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -636,8 +636,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Cognitive 
Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", "Cognitive Services Custom Vision Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", @@ -876,8 +876,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1279,8 +1279,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep index aa2163900a..fb88edd7bf 100644 --- a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep @@ -62,7 +62,7 @@ module testDeployment '../../../main.bicep' = { publicNetworkAccess: 'Enabled' sku: 'S0' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep index f548446c6c..bec580c028 100644 --- a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep 
@@ -111,7 +111,7 @@ module testDeployment '../../../main.bicep' = { sku: 'S0' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep index 0ec0c858c4..b3e7aad9a6 100644 --- a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep @@ -68,7 +68,7 @@ module testDeployment '../../../main.bicep' = { sku: 'S0' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep index 6db604335b..f296bb09ed 100644 --- a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep @@ -111,7 +111,7 @@ module testDeployment '../../../main.bicep' = { sku: 'S0' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index b9590d9b21..024684795c 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -50,7 +50,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = enableDefaultTelemetry: '' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -99,7 +99,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -151,7 +151,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -205,7 +205,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -257,7 +257,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -311,7 +311,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -462,7 +462,7 @@ The managed identity definition for this resource. At least one identity type is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` 
@@ -471,7 +471,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index bc9aa12888..0a96eb063a 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep @@ -47,10 +47,10 @@ param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -90,7 +90,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { } // Note: This is only enabled for user-assigned identities as the service's system-assigned identity isn't available during its initial deployment -module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityResourceId, index) in (managedIdentities.?userAssignedResourcesIds ?? []): { +module keyVaultPermissions 'modules/nested_keyVaultPermissions.bicep' = [for (userAssignedIdentityResourceId, index) in (managedIdentities.?userAssignedResourceIds ?? []): { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVPermissions-${index}' params: { keyName: keyName @@ -175,7 +175,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? } type lockType = { diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json index ea392d6920..d55eee6014 100644 --- a/modules/compute/disk-encryption-set/main.json +++ b/modules/compute/disk-encryption-set/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8371597260084065156" + "version": "0.23.1.45101", + "templateHash": "2310785535465824906" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -222,8 +222,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]", @@ -333,7 +333,7 @@ "keyVaultPermissions": { "copy": { "name": "keyVaultPermissions", - "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()))]" + "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -353,7 +353,7 @@ "value": "[parameters('keyVaultResourceId')]" }, "userAssignedIdentityResourceId": { - "value": "[coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[copyIndex()]]" + "value": "[coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[copyIndex()]]" }, "rbacAuthorizationEnabled": { "value": "[reference('keyVault').enableRbacAuthorization]" @@ -365,8 +365,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17441180682016270247" + "version": "0.23.1.45101", + "templateHash": "6347916704864142763" } }, "parameters": { @@ -441,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7398650593557443106" + "version": "0.23.1.45101", + "templateHash": "2571756615431841166" } }, "parameters": { @@ -513,8 +513,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2131300650084383528" + "version": "0.23.1.45101", + "templateHash": "5636934877550105255" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", 
diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep index 7baafd495c..3cb8cb71b8 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep @@ -65,7 +65,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep index d854daacec..c492dab2a1 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep @@ -71,7 +71,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep index e5354c3489..0e4721f1be 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep @@ -71,7 +71,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index b67aef92a5..05c8624341 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md 
@@ -143,7 +143,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -338,7 +338,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -837,7 +837,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -1023,7 +1023,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1681,7 +1681,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1690,7 +1690,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index 729b03a4d6..977ec6753f 100644 
--- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep @@ -287,10 +287,10 @@ var accountSasProperties = { signedProtocol: 'https' } -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -662,7 +662,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index 03a37d7d22..1bde1e509e 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8263419365447007923" + "version": "0.23.1.45101", + "templateHash": "13725426990469147977" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -757,8 +757,8 @@ "signedResourceTypes": "o", "signedProtocol": "https" }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, 
"builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -1030,8 +1030,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1216,8 +1216,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1407,8 +1407,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1589,8 +1589,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1770,8 +1770,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -1955,8 +1955,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -2146,8 +2146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -2332,8 +2332,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep index 3ba0990f66..4a3c0e1ac2 100644 --- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep @@ -193,7 +193,7 @@ module testDeployment '../../../main.bicep' = { skuCapacity: 1 managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep index 2269ee9558..530b0c79fd 100644 --- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep +++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep 
@@ -189,7 +189,7 @@ module testDeployment '../../../main.bicep' = { skuCapacity: 1 managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index bda155d259..dfe8bb4ccc 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -254,7 +254,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -551,7 +551,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1152,7 +1152,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -1469,7 +1469,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -2371,7 +2371,7 @@ The managed identity definition for this resource. The system-assigned managed i | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -2380,7 +2380,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index b7b7bf73f7..a8660a203e 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep 
@@ -294,11 +294,11 @@ var accountSasProperties = { signedProtocol: 'https' } -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } // If AADJoin Extension is enabled then we automatically enable SystemAssigned (required by AADJoin), otherwise we follow the usual logic. var identity = !empty(managedIdentities) ? { - type: (extensionAadJoinConfig.enabled ? true : (managedIdentities.?systemAssigned ?? false)) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (extensionAadJoinConfig.enabled ? true : (managedIdentities.?systemAssigned ?? false)) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -698,7 +698,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index 2fd9016b0e..601f4cfe90 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6920007226521594959" + "version": "0.23.1.45101", + "templateHash": "10032149803242831111" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -757,8 +757,8 @@ "signedResourceTypes": "o", "signedProtocol": "https" }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', 
if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -1000,8 +1000,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10482660512843717253" + "version": "0.23.1.45101", + "templateHash": "10451257297733630828" } }, "definitions": { @@ -1304,8 +1304,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18404193892947466906" + "version": "0.23.1.45101", + "templateHash": "15536304828480480757" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -1849,8 +1849,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6506615823435977032" + "version": "0.23.1.45101", + "templateHash": "2750011165297287068" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", @@ -2344,8 +2344,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -2571,8 +2571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", 
@@ -2793,8 +2793,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3020,8 +3020,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3238,8 +3238,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3455,8 +3455,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3676,8 +3676,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -3905,8 +3905,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", 
@@ -4127,8 +4127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", @@ -4348,8 +4348,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7148492251760573310" + "version": "0.23.1.45101", + "templateHash": "9921011786088905122" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", diff --git a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep index 1e0d29b188..a0562afb0a 100644 --- a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep @@ -288,7 +288,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep index 795e801f7e..e095862d0d 100644 --- a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep @@ -309,7 +309,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 447234e1d2..7c696de967 100644 
--- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -217,7 +217,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -326,7 +326,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -424,7 +424,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -526,7 +526,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -632,7 +632,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -754,7 +754,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -863,7 +863,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -965,7 +965,7 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -1195,7 +1195,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1204,7 +1204,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/container-instance/container-group/main.bicep b/modules/container-instance/container-group/main.bicep index 07bf526131..bb632fbba5 100644 --- a/modules/container-instance/container-group/main.bicep +++ b/modules/container-instance/container-group/main.bicep 
@@ -85,10 +85,10 @@ param sku string = 'Standard' @description('Optional. The customer managed key definition.') param customerManagedKey customerManagedKeyType -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -192,7 +192,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/container-instance/container-group/main.json b/modules/container-instance/container-group/main.json index 3738d8b870..d62ed5361c 100644 --- a/modules/container-instance/container-group/main.json +++ b/modules/container-instance/container-group/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9232184615208401604" + "version": "0.23.1.45101", + "templateHash": "943190617690035013" }, "name": "Container Instances Container Groups", "description": "This module deploys a Container Instance Container Group.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -259,8 +259,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "cMKKeyVault::cMKKey": { 
diff --git a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep index 2417490304..23cf139d30 100644 --- a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep @@ -116,7 +116,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep index d98a8c184b..e9bf469ed4 100644 --- a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep @@ -114,7 +114,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep index 56ed91d9c9..ab02133f2c 100644 --- a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep @@ -130,7 +130,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep index 389ed3cfc7..df26aba037 100644 
--- a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep @@ -114,7 +114,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index ecb4f44dc9..9d068e56b9 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -107,7 +107,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -153,7 +153,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -226,7 +226,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -351,7 +351,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -571,7 +571,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -696,7 +696,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -1098,7 +1098,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1107,7 +1107,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index e3caf83543..adb6b45d84 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -140,10 +140,10 @@ param customerManagedKey customerManagedKeyType @description('Optional. Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)).') param cacheRules array = [] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -388,7 +388,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index 9d58201220..40951db6fa 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1853795110758917166" + "version": "0.23.1.45101", + "templateHash": "601165591390231173" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -695,8 +695,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "AcrDelete": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", @@ -898,8 +898,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12719783741437890545" + "version": "0.23.1.45101", + "templateHash": "17278738816613868587" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication.", @@ -1063,8 +1063,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6694265508496204217" + "version": "0.23.1.45101", + "templateHash": "9350283035071510554" }, "name": "Container Registries Cache", "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", @@ -1209,8 +1209,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17193481488069435754" + "version": "0.23.1.45101", + "templateHash": "4878566967080590991" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", @@ -1466,8 +1466,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1869,8 +1869,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep index 9c93b863b2..0c7c616942 100644 --- a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep @@ -63,7 +63,7 @@ module testDeployment '../../../main.bicep' = { } publicNetworkAccess: 'Disabled' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-registry/registry/tests/e2e/max/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep index 5a9631cb3d..d2fafba4fa 100644 --- a/modules/container-registry/registry/tests/e2e/max/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/max/main.test.bicep @@ -130,7 +130,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep index c2373864c7..828f69d3d4 100644 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep 
@@ -130,7 +130,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index f2de8470fa..aaf0d56ddb 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -215,7 +215,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -461,7 +461,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -680,7 +680,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' ] enableDefaultTelemetry: '' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -813,7 +813,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -947,7 +947,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' enableDefaultTelemetry: '' enablePrivateCluster: true managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -1084,7 +1084,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -1880,7 +1880,7 @@ The managed identity definition for this resource. Only one type of identity is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1889,7 +1889,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index aa3216df86..efb5974f2d 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep 
@@ -348,10 +348,10 @@ param httpProxyConfig object = {} @description('Optional. Identities associated with the cluster.') param identityProfile object = {} -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -735,7 +735,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 552037b85f..55eb6b6a7c 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15042684995150005891" + "version": "0.23.1.45101", + "templateHash": "10758692765653328788" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", 
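Review bot: In the renamed `identity` variable, when `systemAssigned` is true and `userAssignedResourceIds` is also non-empty, `type` resolves to `'SystemAssigned'` while `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so both identity kinds are sent in a single payload even though this module's README describes only one identity type as supported. The rename does not change that, but since the line is being touched it is the moment to make the two fields agree, e.g. `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`, or to reject the combination outright. Whether the resource provider rejects the extra user-assigned identities or silently drops them cannot be told from the hunk; either way the cluster ends up with an identity set other than the one the caller specified, which matters because that identity carries the cluster's permissions. A smaller point of style: the `?? {}` fallback on a `string[]?` property differs from the `?? []` used one line above, and the empty-array form matches the declared type.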
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" @@ -941,8 +941,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "linuxProfile": { "adminUsername": "[parameters('adminUsername')]", "ssh": { 
@@ -1285,8 +1285,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15823498371287518640" + "version": "0.23.1.45101", + "templateHash": "13811832596066396545" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", @@ -1737,8 +1737,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5002606439705018990" + "version": "0.23.1.45101", + "templateHash": "18265527122738367400" }, "name": "Kubernetes Configuration Extensions", "description": "This module deploys a Kubernetes Configuration Extension.", @@ -1900,8 +1900,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6686104224333946371" + "version": "0.23.1.45101", + "templateHash": "8985718648814286209" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep index 51b7cf66bd..7776f4752f 100644 --- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep @@ -175,7 +175,7 @@ module testDeployment '../../../main.bicep' = { enableStorageProfileFileCSIDriver: true enableStorageProfileSnapshotController: true managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep index 9183f19294..9c91011d20 100644 
--- a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep @@ -157,7 +157,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep index 46d56ddb63..8d911c5cc9 100644 --- a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep @@ -158,7 +158,7 @@ module testDeployment '../../../main.bicep' = { ] privateDNSZone: nestedDependencies.outputs.privateDnsZoneResourceId managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 371644a9d8..400baf8e89 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -150,7 +150,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -274,7 +274,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -396,7 +396,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -520,7 +520,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -899,7 +899,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -908,7 +908,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index b4349faede..d6c26ec855 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -79,10 +79,10 @@ param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -275,7 +275,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json
index 448f9f9614..e57d5fc9a6 100644
--- a/modules/data-factory/factory/main.json
+++ b/modules/data-factory/factory/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12379082331445276558" + "version": "0.23.1.45101", + "templateHash": "1174493614082908540" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -610,8 +610,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -774,8 +774,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14273608975905052502" + "version": "0.23.1.45101", + "templateHash": "7086724603457879213" }, "name": "Data Factory Managed Virtual Networks", "description": "This module deploys a Data Factory Managed Virtual Network.", @@ -875,8 +875,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1490870890954327678" + "version": "0.23.1.45101", + "templateHash": "6951739479886220769" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", @@ -1044,8 +1044,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2407789138740487733" + "version": "0.23.1.45101", + "templateHash": "10377382264693749693" }, "name": "Data Factory Integration RunTimes", "description": "This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", @@ -1226,8 +1226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1629,8 +1629,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/data-factory/factory/tests/e2e/max/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep index 8e8dd7f0ad..d368bd8df3 100644 
--- a/modules/data-factory/factory/tests/e2e/max/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/max/main.test.bicep @@ -148,7 +148,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 8c332672b1..6c9392de17 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -148,7 +148,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index cc8cb19003..56b4202f0c 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -102,7 +102,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -154,7 +154,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -206,7 +206,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -258,7 +258,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -357,7 +357,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -366,7 +366,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index fb3f08ef21..6a680d39ce 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep 
@@ -23,10 +23,10 @@ param managedIdentities managedIdentitiesType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -105,7 +105,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json
index 800ffae040..fbb23e6cc8 100644
--- a/modules/databricks/access-connector/main.json
+++ b/modules/databricks/access-connector/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11594689977563461718" + "version": "0.23.1.45101", + "templateHash": "6639727250601518153" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -176,8 +176,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", diff --git a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep index d67edfcaff..667656739f 100644 --- a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep @@ -58,7 +58,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index e61783c03c..0ae1572003 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -58,7 +58,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index e9c8cf81f8..e23b4de351 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -151,7 +151,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -260,7 +260,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -382,7 +382,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ''
 ]
@@ -524,7 +524,7 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 "",
 ""
 ]
@@ -985,9 +985,9 @@ The managed identity definition for this resource. Required if 'customerManagedK
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep
index 7175e8e5d5..dc99f1c7e9 100644
--- a/modules/db-for-my-sql/flexible-server/main.bicep
+++ b/modules/db-for-my-sql/flexible-server/main.bicep
@@ -162,10 +162,10 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -372,7 +372,7 @@ output location string = flexibleServer.location
 type managedIdentitiesType = {
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]
+ userAssignedResourceIds: string[]
 }?
 type lockType = {
diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json
index db1a78328e..a4ccada7bc 100644
--- a/modules/db-for-my-sql/flexible-server/main.json
+++ b/modules/db-for-my-sql/flexible-server/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "6288349663504591009"
+ "version": "0.23.1.45101",
+ "templateHash": "4826973555855760872"
 },
 "name": "DBforMySQL Flexible Servers",
 "description": "This module deploys a DBforMySQL Flexible Server.",
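Review bot: The renamed `type:` line keeps an object fallback, `managedIdentities.?userAssignedResourceIds ?? {}`, for a property the `@@ -372` hunk of the same file declares as `string[]`, while the `formattedUserAssignedIdentities` line directly above uses `?? []`. The result is the same because both `empty({})` and `empty([])` hold, but the mismatch reads like a typo, and `type: !empty(managedIdentities.?userAssignedResourceIds ?? []) ? 'UserAssigned' : null` would agree with the declared type. Because the access is null-safe, a consumer of the published module (the README in this commit still references `br:bicep/modules/db-for-my-sql.flexible-server:1.0.0`) that keeps passing the old `userAssignedResourcesIds` key would presumably end up with `identity` null rather than a deployment error, so the rename looks like a breaking change of the module's contract worth calling out in its version or changelog; whether Bicep's type check rejects the stale key cannot be told from the diff. The same `?? {}` fallback is carried over unchanged in the main.bicep hunks for db-for-postgre-sql, dev-test-lab and digital-twins further down.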
@@ -16,7 +16,7 @@
 "managedIdentitiesType": {
 "type": "object",
 "properties": {
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -542,8 +542,8 @@
 }
 },
 "variables": {
- "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
- "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+ "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+ "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false,
 "builtInRoleNames": {
 "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
@@ -765,8 +765,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16649222900362138505"
+ "version": "0.23.1.45101",
+ "templateHash": "7585808247826533259"
 },
 "name": "DBforMySQL Flexible Server Databases",
 "description": "This module deploys a DBforMySQL Flexible Server Database.",
@@ -904,8 +904,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12840531816938690352"
+ "version": "0.23.1.45101",
+ "templateHash": "9889972221731602451"
 },
 "name": "DBforMySQL Flexible Server Firewall Rules",
 "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.",
@@ -1032,8 +1032,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16367563858411209197"
+ "version": "0.23.1.45101",
+ "templateHash": "8863151548145849170"
 },
 "name": "DBforMySQL Flexible Server Administrators",
 "description": "This module deploys a DBforMySQL Flexible Server Administrator.",
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
index 27819b80b1..1127a1dec0 100644
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
@@ -104,7 +104,7 @@ module testDeployment '../../../main.bicep' = {
 highAvailability: 'SameZone'
 storageAutoGrow: 'Enabled'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
index affcf5e126..10bb4f7a91 100644
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
+++ b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep
@@ -155,7 +155,7 @@ module testDeployment '../../../main.bicep' = {
 userAssignedIdentityResourceId: nestedDependencies2.outputs.geoBackupManagedIdentityResourceId
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies2.outputs.managedIdentityResourceId
 nestedDependencies2.outputs.geoBackupManagedIdentityResourceId
 ]
diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md
index 8c9700bf38..bfa29ed68f 100644
--- a/modules/db-for-postgre-sql/flexible-server/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/README.md
@@ -344,7 +344,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0
 highAvailability: 'SameZone'
 location: ''
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -474,7 +474,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -894,9 +894,9 @@ The managed identity definition for this resource. Required if 'cMKKeyName' is n
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep
index 1645d32791..e1731b412a 100644
--- a/modules/db-for-postgre-sql/flexible-server/main.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/main.bicep
@@ -155,10 +155,10 @@ param enableDefaultTelemetry bool = true
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingType
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -367,7 +367,7 @@ output location string = flexibleServer.location
 type managedIdentitiesType = {
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]
+ userAssignedResourceIds: string[]
 }?
 type lockType = {
diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json
index f6629db5f8..6a905a8e17 100644
--- a/modules/db-for-postgre-sql/flexible-server/main.json
+++ b/modules/db-for-postgre-sql/flexible-server/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "4208024557828977061"
+ "version": "0.23.1.45101",
+ "templateHash": "13706520211272319877"
 },
 "name": "DBforPostgreSQL Flexible Servers",
 "description": "This module deploys a DBforPostgreSQL Flexible Server.",
@@ -16,7 +16,7 @@
 "managedIdentitiesType": {
 "type": "object",
 "properties": {
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -531,8 +531,8 @@
 }
 },
 "variables": {
- "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
- "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+ "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+ "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
 "enableReferencedModulesTelemetry": false,
 "builtInRoleNames": {
 "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
@@ -722,8 +722,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "15866259518448635553"
+ "version": "0.23.1.45101",
+ "templateHash": "16111012435403700897"
 },
 "name": "DBforPostgreSQL Flexible Server Databases",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Database.",
@@ -861,8 +861,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13418631602887252631"
+ "version": "0.23.1.45101",
+ "templateHash": "12680201884935036782"
 },
 "name": "DBforPostgreSQL Flexible Server Firewall Rules",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.",
@@ -990,8 +990,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12961146168624492771"
+ "version": "0.23.1.45101",
+ "templateHash": "16469307943232243904"
 },
 "name": "DBforPostgreSQL Flexible Server Configurations",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.",
@@ -1128,8 +1128,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3514176123135146796"
+ "version": "0.23.1.45101",
+ "templateHash": "13863840477045657155"
 },
 "name": "DBforPostgreSQL Flexible Server Administrators",
 "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.",
diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
index ac74978518..44bf5e7628 100644
--- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
+++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep
@@ -138,7 +138,7 @@ module testDeployment '../../../main.bicep' = {
 userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index 58c5cc1fd6..6970eecd5d 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -151,7 +151,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -426,7 +426,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -693,7 +693,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -968,7 +968,7 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1385,9 +1385,9 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep
index f3d45514be..784eb271af 100644
--- a/modules/dev-test-lab/lab/main.bicep
+++ b/modules/dev-test-lab/lab/main.bicep
@@ -116,10 +116,10 @@ param enableDefaultTelemetry bool = true
 var enableReferencedModulesTelemetry = false
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
+ type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned'
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : any(null)
@@ -327,7 +327,7 @@ output location string = lab.location
 type managedIdentitiesType = {
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]
+ userAssignedResourceIds: string[]
 }?
 type lockType = {
diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json
index efdce8eafa..049a0fad52 100644
--- a/modules/dev-test-lab/lab/main.json
+++ b/modules/dev-test-lab/lab/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "16810111400681874654"
+ "templateHash": "10325694451607731112"
 },
 "name": "DevTest Labs",
 "description": "This module deploys a DevTest Lab.",
@@ -16,7 +16,7 @@
 "managedIdentitiesType": {
 "type": "object",
 "properties": {
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -351,8 +351,8 @@
 },
 "variables": {
 "enableReferencedModulesTelemetry": false,
- "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
- "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+ "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+ "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
 "formattedManagementIdentities": "[if(not(empty(parameters('managementIdentitiesResourceIds'))), reduce(map(coalesce(parameters('managementIdentitiesResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next')))), createObject())]",
 "builtInRoleNames": {
 "Contributor":
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
diff --git a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep
index 302920b17e..f6b24c2177 100644
--- a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep
+++ b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep
@@ -95,7 +95,7 @@ module testDeployment '../../../main.bicep' = {
 markdown: 'DevTest Lab support text.
New line. It also supports Markdown'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
index 5c1f2064a6..007e45fbaf 100644
--- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep
@@ -95,7 +95,7 @@ module testDeployment '../../../main.bicep' = {
 markdown: 'DevTest Lab support text.
New line. It also supports Markdown'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md
index 0f43ecff33..a972da2410 100644
--- a/modules/digital-twins/digital-twins-instance/README.md
+++ b/modules/digital-twins/digital-twins-instance/README.md
@@ -131,7 +131,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -228,7 +228,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -324,7 +324,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -420,7 +420,7 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -674,7 +674,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -683,7 +683,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep
index a05501f0ff..435fbefba7 100644
--- a/modules/digital-twins/digital-twins-instance/main.bicep
+++ b/modules/digital-twins/digital-twins-instance/main.bicep
@@ -50,10 +50,10 @@ param roleAssignments roleAssignmentType
 var enableReferencedModulesTelemetry = false
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -236,7 +236,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json
index 5653591407..6906b63c09 100644
--- a/modules/digital-twins/digital-twins-instance/main.json
+++ b/modules/digital-twins/digital-twins-instance/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "7414042721706079453"
+ "templateHash": "8178960412871211847"
 },
 "name": "Digital Twins Instances",
 "description": "This module deploys an Azure Digital Twins Instance.",
@@ -23,7 +23,7 @@
 "description": "Optional. Enables system assigned managed identity on the resource."
 }
 },
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -505,8 +505,8 @@
 },
 "variables": {
 "enableReferencedModulesTelemetry": false,
- "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
- "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+ "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+ "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
 "builtInRoleNames": {
 "Azure Digital
Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
 "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep
index 2a577e3e87..c42182b8df 100644
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep
@@ -93,7 +93,7 @@ module testDeployment '../../../main.bicep' = {
 name: '${namePrefix}${serviceShort}001'
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep
index 2043807414..0df8c2735a 100644
--- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep
@@ -92,7 +92,7 @@ module testDeployment '../../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md
index aa4a162a2c..2c1640c6c2 100644
--- a/modules/document-db/database-account/README.md
+++ b/modules/document-db/database-account/README.md
@@ -979,7 +979,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = {
 enableDefaultTelemetry: ''
 location: ''
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -1144,7 +1144,7 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1603,7 +1603,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -1612,7 +1612,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/document-db/database-account/gremlin-database/main.bicep b/modules/document-db/database-account/gremlin-database/main.bicep
index 1c2718c46e..98cbbdb001 100644
--- a/modules/document-db/database-account/gremlin-database/main.bicep
+++ b/modules/document-db/database-account/gremlin-database/main.bicep
@@ -90,5 +90,5 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
diff --git a/modules/document-db/database-account/gremlin-database/main.json b/modules/document-db/database-account/gremlin-database/main.json
index 6210f39a32..7d63c31282 100644
--- a/modules/document-db/database-account/gremlin-database/main.json
+++ b/modules/document-db/database-account/gremlin-database/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9027351090124444562" + "version": "0.23.1.45101", + "templateHash": "8314710518368415809" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string"
@@ -161,8 +161,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16432474498986701571" + "version": "0.23.1.45101", + "templateHash": "4035784770059836359" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep
index 020db1ee9a..c59540db7f 100644
--- a/modules/document-db/database-account/main.bicep
+++ b/modules/document-db/database-account/main.bicep
@@ -125,10 +125,10 @@ param backupStorageRedundancy string = 'Local'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -362,7 +362,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json
index 3ada7183a7..5f9de4eea6 100644
--- a/modules/document-db/database-account/main.json
+++ b/modules/document-db/database-account/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5728902559638159959" + "version": "0.23.1.45101", + "templateHash": "6369048122051620701" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -649,8 +649,8 @@ } } ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "consistencyPolicy": { "Eventual": { "defaultConsistencyLevel": "Eventual" 
@@ -805,8 +805,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10948740009827102632" + "version": "0.23.1.45101", + "templateHash": "5236608683863945170" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -943,8 +943,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5628064493958565248" + "version": "0.23.1.45101", + "templateHash": "7712060799698135624" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", @@ -1201,8 +1201,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18265317713061610546" + "version": "0.23.1.45101", + "templateHash": "10909630292111406683" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", @@ -1328,8 +1328,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14573428332905458641" + "version": "0.23.1.45101", + "templateHash": "2460347721734751381" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", @@ -1501,8 +1501,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9027351090124444562" + "version": "0.23.1.45101", + "templateHash": "8314710518368415809" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.", @@ -1519,7 +1519,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -1657,8 +1657,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16432474498986701571" + "version": "0.23.1.45101", + "templateHash": "4035784770059836359" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
@@ -1892,8 +1892,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.",
@@ -2295,8 +2295,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
index eb14ddcb9b..aacecc5a6c 100644
--- a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
@@ -190,7 +190,7 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md
index e46107cf3b..c484cc32a3 100644
--- a/modules/event-grid/system-topic/README.md
+++ b/modules/event-grid/system-topic/README.md
@@ -649,7 +649,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -658,7 +658,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/event-grid/system-topic/main.bicep b/modules/event-grid/system-topic/main.bicep
index c50e27ec8c..97b33065d9 100644
--- a/modules/event-grid/system-topic/main.bicep
+++ b/modules/event-grid/system-topic/main.bicep
@@ -35,10 +35,10 @@ param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -170,7 +170,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/event-grid/system-topic/main.json b/modules/event-grid/system-topic/main.json
index fdc007afc1..9983061e2e 100644
--- a/modules/event-grid/system-topic/main.json
+++ b/modules/event-grid/system-topic/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8924691213553754613" + "version": "0.23.1.45101", + "templateHash": "1660436981093999896" }, "name": "Event Grid System Topics", "description": "This module deploys an Event Grid System Topic.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -307,8 +307,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "EventGrid Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')]",
@@ -447,8 +447,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10392297144322720436" + "version": "0.23.1.45101", + "templateHash": "15173790856574805238" }, "name": "Event Grid System Topic Event Subscriptions", "description": "This module deploys an Event Grid System Topic Event Subscription.",
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index c9fd2a30dd..3fb31b9d56 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
@@ -110,7 +110,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 enableDefaultTelemetry: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -156,7 +156,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -305,7 +305,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -500,7 +500,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -798,7 +798,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -993,7 +993,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1372,7 +1372,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -1381,7 +1381,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep
index 8b741c99ca..d2d61ec7e5 100644
--- a/modules/event-hub/namespace/main.bicep
+++ b/modules/event-hub/namespace/main.bicep
@@ -106,10 +106,10 @@ param disasterRecoveryConfig object = {}
 var maximumThroughputUnitsVar = !isAutoInflateEnabled ? 0 : maximumThroughputUnits
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -354,7 +354,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
index 77fb4e08c5..b9126fb393 100644
--- a/modules/event-hub/namespace/main.json
+++ b/modules/event-hub/namespace/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14574780137698539874" + "version": "0.23.1.45101", + "templateHash": "8197964729486546650" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -636,8 +636,8 @@ }, "variables": { "maximumThroughputUnitsVar": "[if(not(parameters('isAutoInflateEnabled')), 0, parameters('maximumThroughputUnits'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), 
variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Azure Event Hubs Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", @@ -812,8 +812,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3063860457313937367" + "version": "0.23.1.45101", + "templateHash": "7668723234672576868" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", @@ -933,8 +933,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7624585689136088815" + "version": "0.23.1.45101", + "templateHash": "7231520764645220131" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", @@ -1073,8 +1073,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5933888781308133415" + "version": "0.23.1.45101", + "templateHash": "303986499638328151" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", @@ -1509,8 +1509,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3522913919009222120" + "version": "0.23.1.45101", + "templateHash": "7142673381100704232" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", 
@@ -1637,8 +1637,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12245634232079362340" + "version": "0.23.1.45101", + "templateHash": "4935957739850887741" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.",
@@ -1802,8 +1802,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2605359643798084834" + "version": "0.23.1.45101", + "templateHash": "7843391232136950856" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.",
@@ -2008,8 +2008,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.",
@@ -2411,8 +2411,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep b/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
index a7a3e24d64..56749b440d 100644
--- a/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/encr/main.test.bicep
@@ -64,7 +64,7 @@ module testDeployment '../../../main.bicep' = {
 skuName: 'Premium'
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
index edfc8d7534..488b5ffd14 100644
--- a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
@@ -209,7 +209,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
index 53ec10b8b5..cc44ed4bea 100644
--- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -209,7 +209,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index 5d2aacf68b..79237275b6 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
@@ -105,7 +105,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -156,7 +156,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -207,7 +207,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -258,7 +258,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -357,9 +357,9 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep
index 1413b01d36..a871850e71 100644
--- a/modules/health-bot/health-bot/main.bicep
+++ b/modules/health-bot/health-bot/main.bicep
@@ -31,10 +31,10 @@ param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -110,7 +110,7 @@ output location string = healthBot.location
 type managedIdentitiesType = {
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]
+ userAssignedResourceIds: string[]
 }?
 type lockType = {
diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json
index fc4be759e6..407ce75492 100644
--- a/modules/health-bot/health-bot/main.json
+++ b/modules/health-bot/health-bot/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9469986313045690324" + "version": "0.23.1.45101", + "templateHash": "8223277098210162532" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.",
@@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string"
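Review bot: In the `@@ -110,7 +110,7 @@` hunk the renamed property stays non-nullable, `userAssignedResourceIds: string[]`, although its `@description` says "Optional." and the identity variable in the first hunk reads it defensively via `managedIdentities.?userAssignedResourceIds ?? {}`; every other module touched by this change declares the same property as `string[]?`. With the property required inside an otherwise optional object (`}?`), a caller passing `managedIdentities: {}` presumably gets a type error instead of the `type: null` fallback the variable is written for, and this module's README already lists the parameter as `Required: Yes` next to an "Optional." description. Suggest `userAssignedResourceIds: string[]?` so the type, its description and the sibling modules agree; the README row would then need regenerating as well.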
@@ -179,8 +179,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", diff --git a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep index 5f1fafa9ee..61725e95d4 100644 --- a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep 
+++ b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
@@ -70,7 +70,7 @@ module testDeployment '../../../main.bicep' = {
 }
 sku: 'F0'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
index 798f69c2f9..1943545c52 100644
--- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
@@ -70,7 +70,7 @@ module testDeployment '../../../main.bicep' = {
 }
 sku: 'F0'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 5c58fab11a..157be90d8f 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -139,7 +139,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 location: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -183,7 +183,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 location: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -272,7 +272,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 "location": "",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
@@ -320,7 +320,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 "location": "",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
@@ -421,7 +421,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 location: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -465,7 +465,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 location: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -554,7 +554,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 "location": "",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
@@ -602,7 +602,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 "location": "",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md
index f8c690b4c1..c90f58ca21 100644
--- a/modules/healthcare-apis/workspace/dicomservice/README.md
+++ b/modules/healthcare-apis/workspace/dicomservice/README.md
@@ -260,7 +260,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -269,7 +269,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.bicep b/modules/healthcare-apis/workspace/dicomservice/main.bicep
index 2d4da12b7d..ab6af14e3d 100644
--- a/modules/healthcare-apis/workspace/dicomservice/main.bicep
+++ b/modules/healthcare-apis/workspace/dicomservice/main.bicep
@@ -57,10 +57,10 @@ param tags object?
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -160,7 +160,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/healthcare-apis/workspace/dicomservice/main.json b/modules/healthcare-apis/workspace/dicomservice/main.json
index a0bbc93dad..a2a2bbc78b 100644
--- a/modules/healthcare-apis/workspace/dicomservice/main.json
+++ b/modules/healthcare-apis/workspace/dicomservice/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10991463946028183992"
+ "version": "0.23.1.45101",
+ "templateHash": "4829507560537153518"
 },
 "name": "Healthcare API Workspace DICOM Services",
 "description": "This module deploys a Healthcare API Workspace DICOM Service.",
@@ -23,7 +23,7 @@
 "description": "Optional. Enables system assigned managed identity on the resource."
 }
 },
- "userAssignedResourcesIds": {
+ "userAssignedResourceIds": {
 "type": "array",
 "items": {
 "type": "string"
@@ -277,8 +277,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { 
diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md
index 703c240ab8..812564b302 100644
--- a/modules/healthcare-apis/workspace/fhirservice/README.md
+++ b/modules/healthcare-apis/workspace/fhirservice/README.md
@@ -353,7 +353,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -362,7 +362,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep
index 824391deaa..57d17573b7 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.bicep
+++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep
@@ -108,10 +108,10 @@ param tags object?
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -274,7 +274,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json
index b435adb5bb..fce246a502 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.json
+++ b/modules/healthcare-apis/workspace/fhirservice/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8893393036207321770" + "version": "0.23.1.45101", + "templateHash": "2224237744308505065" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -458,8 +458,8 @@ } } ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" }, 
diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md
index 26ff9a5f3f..9b64e6e344 100644
--- a/modules/healthcare-apis/workspace/iotconnector/README.md
+++ b/modules/healthcare-apis/workspace/iotconnector/README.md
@@ -254,7 +254,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -263,7 +263,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.bicep b/modules/healthcare-apis/workspace/iotconnector/main.bicep
index f50c6d9c64..f4f3e8cb8f 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.bicep
+++ b/modules/healthcare-apis/workspace/iotconnector/main.bicep
@@ -45,10 +45,10 @@ param tags object?
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -170,7 +170,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/healthcare-apis/workspace/iotconnector/main.json b/modules/healthcare-apis/workspace/iotconnector/main.json
index ef71ca1131..62c864b848 100644
--- a/modules/healthcare-apis/workspace/iotconnector/main.json
+++ b/modules/healthcare-apis/workspace/iotconnector/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16117637432944064764" + "version": "0.23.1.45101", + "templateHash": "15635348365399723785" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -259,8 +259,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -380,8 +380,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10973515077627017376" + "version": "0.23.1.45101", + "templateHash": "6245123463457389463" }, "name": "Healthcare API Workspace IoT Connector FHIR Destinations", "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.", diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json index 8502414d02..ea29fb1d3f 100644 --- a/modules/healthcare-apis/workspace/main.json +++ b/modules/healthcare-apis/workspace/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9102511166724334580" + "version": "0.23.1.45101", + "templateHash": "293789912767761082" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", @@ -325,8 +325,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8893393036207321770" + "version": "0.23.1.45101", + "templateHash": "2224237744308505065" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -343,7 +343,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -778,8 +778,8 @@ } } ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "exportConfiguration": { "storageAccountName": "[parameters('exportStorageAccountName')]" }, 
@@ -1023,8 +1023,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10991463946028183992" + "version": "0.23.1.45101", + "templateHash": "4829507560537153518" }, "name": "Healthcare API Workspace DICOM Services", "description": "This module deploys a Healthcare API Workspace DICOM Service.", @@ -1041,7 +1041,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -1295,8 +1295,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { 
@@ -1474,8 +1474,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16117637432944064764" + "version": "0.23.1.45101", + "templateHash": "15635348365399723785" }, "name": "Healthcare API Workspace IoT Connectors", "description": "This module deploys a Healthcare API Workspace IoT Connector.", @@ -1492,7 +1492,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -1728,8 +1728,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, "resources": { 
@@ -1849,8 +1849,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10973515077627017376"
+ "version": "0.23.1.45101",
+ "templateHash": "6245123463457389463"
 },
 "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
 "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
diff --git a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep
index 5e4f905ce5..d60b106eae 100644
--- a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep
+++ b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep
@@ -105,7 +105,7 @@ module testDeployment '../../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
@@ -148,7 +148,7 @@ module testDeployment '../../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
 }
diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep
index bad448e7e7..cf7c124a03 100644
--- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -105,7 +105,7 @@ module testDeployment '../../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
@@ -148,7 +148,7 @@ module testDeployment '../../../main.bicep' = { enableDefaultTelemetry: enableDefaultTelemetry managedIdentities: { systemAssigned: false - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } }
diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md
index 9febb50863..74d4fc9b57 100644
--- a/modules/logic/workflow/README.md
+++ b/modules/logic/workflow/README.md
@@ -67,7 +67,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -162,7 +162,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -261,7 +261,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -356,7 +356,7 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -663,7 +663,7 @@ The managed identity definition for this resource. Only one type of identity is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned`
@@ -672,7 +672,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/logic/workflow/main.bicep b/modules/logic/workflow/main.bicep index 1255b34450..3dca15ac0c 100644 --- a/modules/logic/workflow/main.bicep +++ b/modules/logic/workflow/main.bicep @@ -79,10 +79,10 @@ param workflowStaticResults object = {} @description('Optional. The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer.') param workflowTriggers object = {} -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -216,7 +216,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/logic/workflow/main.json b/modules/logic/workflow/main.json index da07232a4d..6f34991d72 100644 --- a/modules/logic/workflow/main.json +++ b/modules/logic/workflow/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14033195005173426271" + "version": "0.23.1.45101", + "templateHash": "8579742468489559790" }, "name": "Logic Apps (Workflows)", "description": "This module deploys a Logic App (Workflow).", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -401,8 +401,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Logic App Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", 
diff --git a/modules/logic/workflow/tests/e2e/max/main.test.bicep b/modules/logic/workflow/tests/e2e/max/main.test.bicep
index 5ab05e3420..81012eb04d 100644
--- a/modules/logic/workflow/tests/e2e/max/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/max/main.test.bicep
@@ -92,7 +92,7 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
index d2a5747507..ae9bd6c098 100644
--- a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
@@ -92,7 +92,7 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md
index 73ef5e3ceb..4f79f5409d 100644
--- a/modules/machine-learning-services/workspace/README.md
+++ b/modules/machine-learning-services/workspace/README.md
@@ -133,7 +133,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 enableDefaultTelemetry: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -203,7 +203,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -270,7 +270,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 location: 'westeurope'
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -315,7 +315,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 }
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -388,7 +388,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "location": "westeurope",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
@@ -447,7 +447,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -522,7 +522,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 location: 'westeurope'
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -567,7 +567,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 }
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -640,7 +640,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "location": "westeurope",
 "managedIdentities": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 },
@@ -699,7 +699,7 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1069,7 +1069,7 @@ The managed identity definition for this resource. At least one identity type is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1078,7 +1078,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index a25e4d7226..4f7dd172eb 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md @@ -127,7 +127,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` 
@@ -136,7 +136,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/machine-learning-services/workspace/compute/main.bicep b/modules/machine-learning-services/workspace/compute/main.bicep index cb38e22d3e..c59f29ba7c 100644 --- a/modules/machine-learning-services/workspace/compute/main.bicep +++ b/modules/machine-learning-services/workspace/compute/main.bicep @@ -75,10 +75,10 @@ param managedIdentities managedIdentitiesType // Variables // // ================// -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -154,5 +154,5 @@ type managedIdentitiesType = { systemAssigned: bool? @sys.description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json index 185b53e091..37b32fb8a0 100644 --- a/modules/machine-learning-services/workspace/compute/main.json +++ b/modules/machine-learning-services/workspace/compute/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4219662265444129565" + "version": "0.23.1.45101", + "templateHash": "15942233592020548593" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -155,8 +155,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "machineLearningWorkspace": { 
diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 7580478dc4..6fd6b14e6f 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep @@ -100,10 +100,10 @@ param publicNetworkAccess string = '' // ================// var enableReferencedModulesTelemetry = false -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -308,7 +308,7 @@ type managedIdentitiesType = { systemAssigned: bool? @sys.description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? } type lockType = { diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index d31ece6308..beecae4279 100644 
--- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "308162699302204935" + "version": "0.23.1.45101", + "templateHash": "14893819276831488808" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -601,8 +601,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "AzureML Compute 
Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e503ece1-11d0-4e8e-8e2c-7a6c3bf38815')]", "AzureML Data Scientist": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f6c7c914-8db3-469d-8ca1-694a8f32e121')]", @@ -797,8 +797,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4219662265444129565" + "version": "0.23.1.45101", + "templateHash": "15942233592020548593" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", @@ -815,7 +815,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -947,8 +947,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "machineLearningWorkspace": { 
@@ -1102,8 +1102,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.",
@@ -1505,8 +1505,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
index 42a9e51c69..43af630b14 100644
--- a/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/encr/main.test.bicep
@@ -84,7 +84,7 @@ module testDeployment '../../../main.bicep' = {
 // systemAssigned must be false if `primaryUserAssignedIdentity` is provided
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
index ba4a782be3..ed13d35628 100644
--- a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
@@ -99,7 +99,7 @@ module testDeployment '../../../main.bicep' = {
 // Must be false if `primaryUserAssignedIdentity` is provided
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
@@ -149,7 +149,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
index 2c0000e5e5..21ded20172 100644
--- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -99,7 +99,7 @@ module testDeployment '../../../main.bicep' = {
 // Must be false if `primaryUserAssignedIdentity` is provided
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
@@ -149,7 +149,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md
index 5eeb4f4871..f80c9ca0cf 100644
--- a/modules/net-app/net-app-account/README.md
+++ b/modules/net-app/net-app-account/README.md
@@ -384,7 +384,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 ]
 enableDefaultTelemetry: ''
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -504,7 +504,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -655,9 +655,9 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep index 406a2cf99c..cdb0ed0768 100644 --- a/modules/net-app/net-app-account/main.bicep +++ b/modules/net-app/net-app-account/main.bicep @@ -58,10 +58,10 @@ var activeDirectoryConnectionProperties = [ } ] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -154,7 +154,7 @@ output location string = netAppAccount.location type managedIdentitiesType = { @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[] + userAssignedResourceIds: string[] }? type lockType = { diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json index d6885dabd4..71e7b63ee3 100644 --- a/modules/net-app/net-app-account/main.json +++ b/modules/net-app/net-app-account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11827894918755245507" + "version": "0.23.1.45101", + "templateHash": "14030600332300784655" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -228,8 +228,8 @@ "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]" } ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -346,8 +346,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5973731463189380166" + "version": "0.23.1.45101", + "templateHash": "1846961475837822728" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -639,8 +639,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15651177191996280153" + "version": "0.23.1.45101", + "templateHash": "3333217353540724741" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", diff --git a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep index f07c76bf7b..4b8bc76afa 100644 --- a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep +++ b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep @@ -139,7 +139,7 @@ module testDeployment '../../../main.bicep' = { ServiceName: 'DeploymentValidation' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 0a7a5b8a1f..e337338c52 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -240,7 +240,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -705,7 +705,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -1174,7 +1174,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -1639,7 +1639,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -2257,9 +2257,9 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 2b76bfc065..99e2acb087 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep 
@@ -183,10 +183,10 @@ param zones array = [] @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -387,7 +387,7 @@ output location string = applicationGateway.location type managedIdentitiesType = { @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[] + userAssignedResourceIds: string[] }? type lockType = { diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index 8c35bd62ee..0c9f3e9049 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7630119371655185477" + "version": "0.23.1.45101", + "templateHash": "17602945870289276113" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
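Review bot: In the `identity` variable of application-gateway `main.bicep`, the fallback `managedIdentities.?userAssignedResourceIds ?? {}` defaults an array-typed property (`userAssignedResourceIds: string[]`) to an object, while the `formattedUserAssignedIdentities` line directly above defaults the same property to `[]`. `empty()` returns true for both, so behaviour is unchanged, but the mismatched fallback reads as a typo and should be aligned: `type: !empty(managedIdentities.?userAssignedResourceIds ?? []) ? 'UserAssigned' : null`. The same `?? {}` pattern is carried through the firewall-policy, workspace, purview and recovery-services modules touched by this commit, so the consistency fix presumably applies there too. The `var identity` block is complete within the hunk.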
@@ -783,8 +783,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -950,8 +950,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1353,8 +1353,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/network/application-gateway/tests/e2e/max/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep index 9359135a3f..a43632ad5d 100644 --- a/modules/network/application-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/max/main.test.bicep @@ -431,7 +431,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep index 43b1c3d630..d86f1bc749 100644 --- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -431,7 +431,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index c2a13a1d20..3b9ff291c6 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md 
@@ -514,9 +514,9 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/network/firewall-policy/main.bicep b/modules/network/firewall-policy/main.bicep index d6bd78a7ec..e48075cb6c 100644 --- a/modules/network/firewall-policy/main.bicep +++ b/modules/network/firewall-policy/main.bicep @@ -96,10 +96,10 @@ param enableDefaultTelemetry bool = true @description('Optional. Rule collection groups.') param ruleCollectionGroups array = [] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null + type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null 
@@ -205,5 +205,5 @@ output location string = firewallPolicy.location type managedIdentitiesType = { @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[] + userAssignedResourceIds: string[] }? diff --git a/modules/network/firewall-policy/main.json b/modules/network/firewall-policy/main.json index 57d929a7eb..36679e536d 100644 --- a/modules/network/firewall-policy/main.json +++ b/modules/network/firewall-policy/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14139283479148965374" + "version": "0.23.1.45101", + "templateHash": "10730945025240444473" }, "name": "Firewall Policies", "description": "This module deploys a Firewall Policy.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -223,8 +223,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false }, "resources": { @@ -307,8 +307,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13617778659554817427" + "version": "0.23.1.45101", + "templateHash": "18100190658467124638" }, "name": "Firewall Policy Rule Collection Groups", "description": "This module deploys a Firewall Policy Rule Collection Group.", diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index 1829009535..cced023771 100644 
--- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -211,7 +211,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -490,7 +490,7 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1723,7 +1723,7 @@ The managed identity definition for this resource. Only one type of identity is | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1732,7 +1732,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/operational-insights/workspace/main.bicep b/modules/operational-insights/workspace/main.bicep index b113cca2ef..83935efb70 100644 --- a/modules/operational-insights/workspace/main.bicep +++ b/modules/operational-insights/workspace/main.bicep 
@@ -99,10 +99,10 @@ param enableDefaultTelemetry bool = true var enableReferencedModulesTelemetry = false -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -343,7 +343,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/operational-insights/workspace/main.json b/modules/operational-insights/workspace/main.json index cce483eb5c..1fba3d4959 100644 --- a/modules/operational-insights/workspace/main.json +++ b/modules/operational-insights/workspace/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1028542190363116097" + "version": "0.23.1.45101", + "templateHash": "15740533173068263805" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace.", 
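Review bot: In the `identity` variable of operational-insights/workspace `main.bicep`, when `systemAssigned` is true and `userAssignedResourceIds` is also non-empty, `type` resolves to `'SystemAssigned'` but `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so the template emits a user-assigned identity map under a system-assigned-only type. The README hunk header for this module states "Only one type of identity is" supported, which suggests that combination should be rejected or the map dropped rather than passed through; by contrast the recovery-services vault module in the same commit handles the combined case explicitly with `'SystemAssigned,UserAssigned'`. A minimal change that keeps the map out when system-assigned wins is `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`. This is pre-existing logic that the rename does not alter; the `var identity` block is complete within the hunk.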
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -424,8 +424,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", 
@@ -572,8 +572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13014071648331654478" + "version": "0.23.1.45101", + "templateHash": "9008031661126171508" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", @@ -736,8 +736,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9970744617970664745" + "version": "0.23.1.45101", + "templateHash": "4319942183601642190" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", @@ -882,8 +882,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2117697022066188694" + "version": "0.23.1.45101", + "templateHash": "9016006615324724877" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", @@ -1020,8 +1020,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12667331360871593591" + "version": "0.23.1.45101", + "templateHash": "8110791564584546252" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search.", @@ -1195,8 +1195,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7753879701724594327" + "version": "0.23.1.45101", + "templateHash": "17342339934568813477" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export.", 
@@ -1346,8 +1346,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13903182753870680383" + "version": "0.23.1.45101", + "templateHash": "16555972198709151465" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", @@ -1585,8 +1585,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9983426146462646968" + "version": "0.23.1.45101", + "templateHash": "10977258600449669407" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table.", @@ -1757,8 +1757,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2318608107759137473" + "version": "0.23.1.45101", + "templateHash": "6590935071601965866" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", diff --git a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep index 04e0f54a59..4a24bd7146 100644 --- a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep @@ -296,7 +296,7 @@ module testDeployment '../../../main.bicep' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index bf1e13c412..570df77615 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -150,7 +150,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } 
@@ -293,7 +293,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -440,7 +440,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { name: 'myCustomLockName' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -583,7 +583,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -872,9 +872,9 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index a28e08ac68..73cd7a3c1e 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep 
@@ -58,10 +58,10 @@ param lock lockType // Variables // // =========== // -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = { - type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' + type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } @@ -301,7 +301,7 @@ output systemAssignedMIPrincipalId string = contains(account.identity, 'principa type managedIdentitiesType = { @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[] + userAssignedResourceIds: string[] }? type lockType = { diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index 6a680ef25a..169ab57dbd 100644 --- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16148547066067055796" + "version": "0.23.1.45101", + "templateHash": "11685222895702986348" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -336,9 +336,9 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": { - "type": "[if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "type": "[if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" }, "enableReferencedModulesTelemetry": false, @@ -491,8 +491,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -894,8 +894,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1089,8 +1089,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1492,8 +1492,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1687,8 +1687,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2090,8 +2090,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2285,8 +2285,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2688,8 +2688,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -2883,8 +2883,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -3286,8 +3286,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/purview/account/tests/e2e/max/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep index aa24c189e1..3b5c5bc8cc 100644 --- a/modules/purview/account/tests/e2e/max/main.test.bicep +++ b/modules/purview/account/tests/e2e/max/main.test.bicep @@ -73,7 +73,7 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index 1fc2ee5e43..baec657dba 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -73,7 +73,7 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 6543c19403..ee3cf09b77 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md 
@@ -538,7 +538,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -880,7 +880,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1224,7 +1224,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -1566,7 +1566,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1854,7 +1854,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -1863,7 +1863,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep
index 8d7e59d2c8..ec25f0ce5d 100644
--- a/modules/recovery-services/vault/main.bicep
+++ b/modules/recovery-services/vault/main.bicep
@@ -66,10 +66,10 @@ param securitySettings object = {}
 ])
 param publicNetworkAccess string = 'Disabled'
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -304,7 +304,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json
index f4abe4bc08..ba9780ebf9 100644
--- a/modules/recovery-services/vault/main.json
+++ b/modules/recovery-services/vault/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13132437763223032101" + "version": "0.23.1.45101", + "templateHash": "7312689804634982287" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -546,8 +546,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Backup 
Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", @@ -686,8 +686,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4084364932296928832" + "version": "0.23.1.45101", + "templateHash": "18045555589113818401" }, "name": "Recovery Services Vault Replication Fabrics", "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", @@ -792,8 +792,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12428378308583074618" + "version": "0.23.1.45101", + "templateHash": "3783488076539662325" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", @@ -902,8 +902,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13312155038829056102" + "version": "0.23.1.45101", + "templateHash": "14373191902278145406" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", 
@@ -1135,8 +1135,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4881591174035362600" + "version": "0.23.1.45101", + "templateHash": "5176653698082479064" }, "name": "Recovery Services Vault Replication Policies", "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", @@ -1284,8 +1284,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11669127714287855633" + "version": "0.23.1.45101", + "templateHash": "9499262871851480671" }, "name": "Recovery Services Vault Backup Storage Config", "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.", @@ -1433,8 +1433,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2599343254432362849" + "version": "0.23.1.45101", + "templateHash": "13622946234752234891" }, "name": "Recovery Services Vault Protection Container", "description": "This module deploys a Recovery Services Vault Protection Container.", @@ -1601,8 +1601,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7148492251760573310" + "version": "0.23.1.45101", + "templateHash": "9921011786088905122" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", @@ -1791,8 +1791,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5026084694620767555" + "version": "0.23.1.45101", + "templateHash": "4289896830796340565" }, "name": "Recovery Services Vault Backup Policies", "description": "This module deploys a Recovery Services Vault Backup Policy.", 
@@ -1908,8 +1908,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7310792683713567656" + "version": "0.23.1.45101", + "templateHash": "12267998063539265813" }, "name": "Recovery Services Vault Backup Config", "description": "This module deploys a Recovery Services Vault Backup Config.", @@ -2099,8 +2099,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "326959657687879671" + "version": "0.23.1.45101", + "templateHash": "9038487209624086059" }, "name": "Recovery Services Vault Replication Alert Settings", "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", @@ -2280,8 +2280,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2683,8 +2683,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep index 5184d05b9b..0e6e7d9c6b 100644 --- a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep @@ -332,7 +332,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } 
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
index c61f06f157..caa2881cae 100644
--- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
@@ -332,7 +332,7 @@ module testDeployment '../../../main.bicep' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md
index 858feffb91..c29d1ede15 100644
--- a/modules/resources/deployment-script/README.md
+++ b/modules/resources/deployment-script/README.md
@@ -58,7 +58,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 }
 kind: 'AzureCLI'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -121,7 +121,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -177,7 +177,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 name: 'myCustomLockName'
 }
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -232,7 +232,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 },
 "managedIdentities": {
 "value": {
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -426,9 +426,9 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep
index 9ef0aa5700..6b4c04b8ab 100644
--- a/modules/resources/deployment-script/main.bicep
+++ b/modules/resources/deployment-script/main.bicep
@@ -79,10 +79,10 @@ var containerSettings = {
 containerGroupName: containerGroupName
 }
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+ type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -156,7 +156,7 @@ output outputs object = contains(deploymentScript.properties, 'outputs') ? deplo
 type managedIdentitiesType = {
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]
+ userAssignedResourceIds: string[]
 }?
 type lockType = {
diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json
index 920ea4b51e..f72b45ddf1 100644
--- a/modules/resources/deployment-script/main.json
+++ b/modules/resources/deployment-script/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5648029581364828548" + "version": "0.23.1.45101", + "templateHash": "2886955369347843451" }, "name": "Deployment Scripts", "description": "This module deploys a Deployment Script.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string"
@@ -213,8 +213,8 @@ "containerSettings": { "containerGroupName": "[parameters('containerGroupName')]" }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { "defaultTelemetry": { diff --git a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep index 0de3a4dec5..2fa991c027 100644 --- a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep +++ b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep 
@@ -59,7 +59,7 @@ module testDeployment '../../../main.bicep' = {
 storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
 timeout: 'PT30M'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
index 058b6ed59b..ea56ef4c68 100644
--- a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
+++ b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep
@@ -63,7 +63,7 @@ module testDeployment '../../../main.bicep' = {
 storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
 timeout: 'PT30M'
 managedIdentities: {
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index db6e405643..09d052abaf 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
@@ -129,7 +129,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 enableDefaultTelemetry: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -219,7 +219,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -327,7 +327,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -514,7 +514,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -810,7 +810,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -997,7 +997,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1431,7 +1431,7 @@ The managed identity definition for this resource.
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -1440,7 +1440,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index 0d89d80fcd..4daedd1379 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -111,10 +111,10 @@ param customerManagedKey customerManagedKeyType
 @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = true
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -400,7 +400,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index eaf0ce5f14..d24d8680d9 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17171509116984372740" + "version": "0.23.1.45101", + "templateHash": "11924265008092294292" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -646,8 +646,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Azure Service 
Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]", @@ -820,8 +820,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4747986299110708591" + "version": "0.23.1.45101", + "templateHash": "1264227897820313372" }, "name": "Service Bus Namespace Authorization Rules", "description": "This module deploys a Service Bus Namespace Authorization Rule.", @@ -942,8 +942,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3706608794197885431" + "version": "0.23.1.45101", + "templateHash": "10655153602613161335" }, "name": "Service Bus Namespace Disaster Recovery Configs", "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", @@ -1071,8 +1071,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11329412672781710568" + "version": "0.23.1.45101", + "templateHash": "5089878909119216074" }, "name": "Service Bus Namespace Migration Configuration", "description": "This module deploys a Service Bus Namespace Migration Configuration.", @@ -1190,8 +1190,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "533952694982260366" + "version": "0.23.1.45101", + "templateHash": "13436940198974346018" }, "name": "Service Bus Namespace Network Rule Sets", "description": "This module deploys a ServiceBus Namespace Network Rule Set.", @@ -1378,8 +1378,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7820306070042751113" + "version": "0.23.1.45101", + "templateHash": "16361123354606932948" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", 
@@ -1786,8 +1786,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4578845431207793137" + "version": "0.23.1.45101", + "templateHash": "17590031156732651952" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", @@ -1962,8 +1962,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14755107204839231715" + "version": "0.23.1.45101", + "templateHash": "17834121031858727476" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", @@ -2330,8 +2330,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3590235297575239025" + "version": "0.23.1.45101", + "templateHash": "1333107238814449885" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", @@ -2531,8 +2531,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -2934,8 +2934,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep index f0e1671e0f..a0efd3185a 100644 --- a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep 
@@ -102,7 +102,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
index 617b5a4832..13dd2c55f1 100644
--- a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep
@@ -215,7 +215,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
index 2d7aac3873..c1cca11abf 100644
--- a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -215,7 +215,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md
index 80d94432be..93c9eff877 100644
--- a/modules/signal-r-service/web-pub-sub/README.md
+++ b/modules/signal-r-service/web-pub-sub/README.md
@@ -674,7 +674,7 @@ The managed identity definition for this resource. Only one type of identity is
 | Name | Required | Type | Description |
 | :-- | :-- | :--| :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
@@ -683,7 +683,7 @@ Optional. Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 Optional. The resource ID(s) to assign to the resource.
diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep
index 498399f795..141b8dbb59 100644
--- a/modules/signal-r-service/web-pub-sub/main.bicep
+++ b/modules/signal-r-service/web-pub-sub/main.bicep
@@ -73,10 +73,10 @@ var resourceLogConfiguration = [for configuration in resourceLogConfigurationsTo
 enabled: 'true'
 }]
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -215,7 +215,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json
index cef0813fb3..1eb5855175 100644
--- a/modules/signal-r-service/web-pub-sub/main.json
+++ b/modules/signal-r-service/web-pub-sub/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9907983186275243362" + "version": "0.23.1.45101", + "templateHash": "10050729733452360096" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.",
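Review bot: In the `identity` variable of the web-pub-sub `main.bicep` hunk, a caller that sets `systemAssigned: true` together with a non-empty `userAssignedResourceIds` gets `type: 'SystemAssigned'` while `userAssignedIdentities` is still populated from `formattedUserAssignedIdentities`, so the user-assigned identities are presumably either rejected by the resource provider or silently not attached, and the identity the deployed resource ends up running as differs from what the caller requested. The README hunk for this module says only one identity type is supported, so the template should enforce that rather than emit a payload the provider will not honour: `userAssignedIdentities: !(managedIdentities.?systemAssigned ?? false) && !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null`. The `@description` of `userAssignedResourceIds` in the `managedIdentitiesType` hunk below should also state that it is ignored when `systemAssigned` is true, since callers of the sibling modules in this diff (sql/managed-instance, sql/server, storage-account) can combine both and may assume the same here.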
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -440,8 +440,8 @@ } ], "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", 
@@ -606,8 +606,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.",
@@ -1009,8 +1009,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md
index c16e126709..68e213b0e0 100644
--- a/modules/sql/managed-instance/README.md
+++ b/modules/sql/managed-instance/README.md
@@ -176,7 +176,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -321,7 +321,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -581,7 +581,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -726,7 +726,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1101,7 +1101,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1110,7 +1110,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index 92575bb945..71e9246b15 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep 
@@ -143,10 +143,10 @@ param minimalTlsVersion string = '1.2'
 ])
 param requestedBackupStorageRedundancy string = 'Geo'
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -378,7 +378,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json
index c1884f0c02..89f34c4545 100644
--- a/modules/sql/managed-instance/main.json
+++ b/modules/sql/managed-instance/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12495888352047670800" + "version": "0.23.1.45101", + "templateHash": "7480252808079342861" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -517,8 +517,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -699,8 +699,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8385261968552186747" + "version": "0.23.1.45101", + "templateHash": "4106645650177315472" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -1072,8 +1072,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1444574199601154138" + "version": "0.23.1.45101", + "templateHash": "11209046177276627049" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -1200,8 +1200,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10571563219835680436" + "version": "0.23.1.45101", + "templateHash": "16019450329698749532" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", @@ -1384,8 +1384,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "73480634697264424" + "version": "0.23.1.45101", + "templateHash": "5872425656575904293" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", @@ -1519,8 +1519,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5582620280313265167" + "version": "0.23.1.45101", + "templateHash": "8033336711737173681" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", 
@@ -1642,8 +1642,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9210546972730714858" + "version": "0.23.1.45101", + "templateHash": "11127995627829971090" } }, "parameters": {
@@ -1733,8 +1733,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7006376985801799255" + "version": "0.23.1.45101", + "templateHash": "7581585600933737681" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.",
@@ -1866,8 +1866,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "368930923603337685" + "version": "0.23.1.45101", + "templateHash": "16033269094870106735" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.",
@@ -1999,8 +1999,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11038010290222457255" + "version": "0.23.1.45101", + "templateHash": "13377515851590815602" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.",
diff --git a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
index 401b4c47a9..d44e051516 100644
--- a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
@@ -156,7 +156,7 @@ module testDeployment '../../../main.bicep' = {
 storageSizeInGB: 32
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
index c5846900f8..f808cd9a5c 100644
--- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
@@ -156,7 +156,7 @@ module testDeployment '../../../main.bicep' = {
 storageSizeInGB: 32
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index 95b1c24ad9..d8d6740394 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
@@ -188,7 +188,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -346,7 +346,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -625,7 +625,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 location: ''
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -690,7 +690,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -815,7 +815,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -973,7 +973,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1201,7 +1201,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1210,7 +1210,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index 8c0e156126..10704ba9fa 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep 
@@ -81,10 +81,10 @@ param publicNetworkAccess string = ''
 ])
 param restrictOutboundNetworkAccess string = ''
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -361,7 +361,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 3e8afbccff..87256e1cb5 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9390814497684000194" + "version": "0.23.1.45101", + "templateHash": "17532070601905880257" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.",
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -477,8 +477,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -629,8 +629,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17297721819291768897" + "version": "0.23.1.45101", + "templateHash": "4314496383428784436" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", @@ -1096,8 +1096,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11274542290979624142" + "version": "0.23.1.45101", + "templateHash": "16957286289914102707" }, "name": "Azure SQL Server Database Short Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", @@ -1219,8 +1219,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8422402072460240545" + "version": "0.23.1.45101", + "templateHash": "6078887169611486577" }, "name": "SQL Server Database Long Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", @@ -1417,8 +1417,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9388916155534343976" + "version": "0.23.1.45101", + "templateHash": "2462504606421092214" }, "name": "SQL Server Elastic Pool", "description": "This module deploys an Azure SQL Server Elastic Pool.", @@ -1697,8 +1697,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2100,8 +2100,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -2273,8 +2273,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17045860485834879442" + "version": "0.23.1.45101", + "templateHash": "6791289458860590076" }, "name": "Azure SQL Server Firewall Rule", "description": "This module deploys an Azure SQL Server Firewall Rule.", @@ -2403,8 +2403,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "938348054010287381" + "version": "0.23.1.45101", + "templateHash": "8445811621384772574" }, "name": "Azure SQL Server Virtual Network Rules", "description": "This module deploys an Azure SQL Server Virtual Network Rule.", @@ -2535,8 +2535,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6325803563225314820" + "version": "0.23.1.45101", + "templateHash": "15800765189083682209" }, "name": "Azure SQL Server Security Alert Policies", "description": "This module deploys an Azure SQL Server Security Alert Policy.", @@ -2710,8 +2710,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1780388510504326565" + "version": "0.23.1.45101", + "templateHash": "2867406426882642505" }, "name": "Azure SQL Server Vulnerability Assessments", "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", @@ -2833,8 +2833,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9210546972730714858" + "version": "0.23.1.45101", + "templateHash": "11127995627829971090" } }, "parameters": { 
@@ -2924,8 +2924,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11118825836661698100" + "version": "0.23.1.45101", + "templateHash": "11306919877164146196" }, "name": "Azure SQL Server Keys", "description": "This module deploys an Azure SQL Server Key.",
@@ -3057,8 +3057,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17224807912051676418" + "version": "0.23.1.45101", + "templateHash": "17270982128022391504" }, "name": "Azure SQL Server Encryption Protector", "description": "This module deploys an Azure SQL Server Encryption Protector.",
diff --git a/modules/sql/server/tests/e2e/max/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep
index bea350e17c..444ad3b6cb 100644
--- a/modules/sql/server/tests/e2e/max/main.test.bicep
+++ b/modules/sql/server/tests/e2e/max/main.test.bicep
@@ -162,7 +162,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
index 1586facf7d..3826a0afad 100644
--- a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
+++ b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
@@ -80,7 +80,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
index c9e7ee69cf..0f034211bc 100644
--- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
@@ -162,7 +162,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 4add2e1cc2..0356684d3c 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -143,7 +143,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 enableDefaultTelemetry: ''
 managedIdentities: {
 systemAssigned: false
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -228,7 +228,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": false,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -409,7 +409,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -716,7 +716,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -927,7 +927,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -1010,7 +1010,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "managedIdentities": {
 "value": {
 "systemAssigned": true,
- "userAssignedResourcesIds": [
+ "userAssignedResourceIds": [
 ""
 ]
 }
@@ -1249,7 +1249,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 }
 managedIdentities: {
 systemAssigned: true
- userAssignedResourcesIds: [
+ userAssignedResourceIds: [
 ''
 ]
 }
@@ -1556,7 +1556,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -2134,7 +2134,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -2143,7 +2143,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index c28a23f64e..5c567942e0 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep 
@@ -169,10 +169,10 @@ param sasExpirationPeriod string = ''
 var supportsBlobService = kind == 'BlockBlobStorage' || kind == 'BlobStorage' || kind == 'StorageV2' || kind == 'Storage'
 var supportsFileService = kind == 'FileStorage' || kind == 'StorageV2' || kind == 'Storage'
-var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 var identity = !empty(managedIdentities) ? {
- type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
 userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
@@ -485,7 +485,7 @@ type managedIdentitiesType = {
 systemAssigned: bool?
 @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourcesIds: string[]?
+ userAssignedResourceIds: string[]?
 }?
 type lockType = {
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
index c28a23f64e..5c567942e0 100644
--- a/modules/storage/storage-account/main.bicep
+++ b/modules/storage/storage-account/main.bicep
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3909379204431877149" + "version": "0.23.1.45101", + "templateHash": "12303802246802299756" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -732,8 +732,8 @@ "variables": { "supportsBlobService": "[or(or(or(equals(parameters('kind'), 'BlockBlobStorage'), equals(parameters('kind'), 'BlobStorage')), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), 
if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -991,8 +991,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1394,8 +1394,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1562,8 +1562,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7686888659208772167" + "version": "0.23.1.45101", + "templateHash": "9776092818963506976" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", @@ -1690,8 +1690,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17857562856314258952" + "version": "0.23.1.45101", + "templateHash": "11792662730124549359" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", 
@@ -1860,8 +1860,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3026533312164325767" + "version": "0.23.1.45101", + "templateHash": "2468823120254808431" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -2243,8 +2243,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15140230336138320985" + "version": "0.23.1.45101", + "templateHash": "11413707823135400961" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -2540,8 +2540,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5294108325383402237" + "version": "0.23.1.45101", + "templateHash": "11642031800707172818" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", @@ -2737,8 +2737,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5811848536316127521" + "version": "0.23.1.45101", + "templateHash": "6280006322501716234" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -3003,8 +3003,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6928373168012003070" + "version": "0.23.1.45101", + "templateHash": "15538733704323873805" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -3338,8 +3338,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6394050552796909716" + "version": "0.23.1.45101", + "templateHash": "1159938655127712786" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", 
@@ -3572,8 +3572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13802487373528262992" + "version": "0.23.1.45101", + "templateHash": "6271299191275064402" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -3860,8 +3860,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15951116507662113563" + "version": "0.23.1.45101", + "templateHash": "4505205701529964174" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", @@ -4091,8 +4091,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2215203998686662901" + "version": "0.23.1.45101", + "templateHash": "10703796356093627612" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", diff --git a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep index c4c76b8e9d..6ba6f40652 100644 --- a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep @@ -95,7 +95,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: false - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/storage/storage-account/tests/e2e/max/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep index 60b068d260..e3efd2b824 100644 --- a/modules/storage/storage-account/tests/e2e/max/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/max/main.test.bicep 
@@ -265,7 +265,7 @@ module testDeployment '../../../main.bicep' = { sasExpirationPeriod: '180.00:00:00' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep index 7670f0c068..c2454760b3 100644 --- a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep @@ -81,7 +81,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep index 0c03921624..354699f427 100644 --- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep @@ -265,7 +265,7 @@ module testDeployment '../../../main.bicep' = { sasExpirationPeriod: '180.00:00:00' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 4b5f6948f4..cc322cb201 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -381,7 +381,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -472,7 +472,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -557,7 +557,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -648,7 +648,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { }, "managedIdentities": { "value": { - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -976,9 +976,9 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 360fe2834f..8f3a6081b1 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -95,7 +95,7 @@ param diagnosticSettings diagnosticSettingType var cmkUserAssignedIdentityAsArray = !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? [ customerManagedKey.?userAssignedIdentityResourceId ] : [] -var userAssignedIdentitiesUnion = !empty(managedIdentities) ? union(managedIdentities.?userAssignedResourcesIds ?? [], cmkUserAssignedIdentityAsArray) : cmkUserAssignedIdentityAsArray +var userAssignedIdentitiesUnion = !empty(managedIdentities) ? union(managedIdentities.?userAssignedResourceIds ?? [], cmkUserAssignedIdentityAsArray) : cmkUserAssignedIdentityAsArray var formattedUserAssignedIdentities = reduce(map((userAssignedIdentitiesUnion ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } @@ -324,7 +324,7 @@ output location string = workspace.location type managedIdentitiesType = { @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[] + userAssignedResourceIds: string[] }? type lockType = { diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index c2c4f5d7d7..921607a393 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17402441205082083392" + "templateHash": "15054643166708760026" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", @@ -16,7 +16,7 @@ "managedIdentitiesType": { "type": "object", "properties": { - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
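Review bot: In the `managedIdentitiesType` hunk the renamed property is declared non-nullable, `userAssignedResourceIds: string[]`, while its `@description` says "Optional." and the generated README table in this same commit lists it as Required: Yes with an "Optional." description; the declaration and the documentation contradict each other. The other modules renamed in this commit (storage-account, hosting-environment, site) declare it as `userAssignedResourceIds: string[]?`, and the `userAssignedIdentitiesUnion` variable already tolerates a missing value via `managedIdentities.?userAssignedResourceIds ?? []`, so `userAssignedResourceIds: string[]?` would be the consistent fix; otherwise the description should drop "Optional.". Note that the surrounding `managedIdentitiesType` is itself nullable (`}?`), so the contradiction exists only at the property level.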
@@ -603,7 +603,7 @@ }, "variables": { "cmkUserAssignedIdentityAsArray": "[if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createArray(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')), createArray())]", - "userAssignedIdentitiesUnion": "[if(not(empty(parameters('managedIdentities'))), union(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), variables('cmkUserAssignedIdentityAsArray')), variables('cmkUserAssignedIdentityAsArray'))]", + "userAssignedIdentitiesUnion": "[if(not(empty(parameters('managedIdentities'))), union(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), variables('cmkUserAssignedIdentityAsArray')), variables('cmkUserAssignedIdentityAsArray'))]", "formattedUserAssignedIdentities": "[reduce(map(coalesce(variables('userAssignedIdentitiesUnion'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": { "type": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep index a3fcfac98d..5767ce3c3e 100644 --- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep @@ -72,7 +72,7 @@ module testDeployment '../../../main.bicep' = { sqlAdministratorLogin: 'synwsadmin' initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } 
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep index 4a2f8236fc..a3969a051f 100644 --- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -72,7 +72,7 @@ module testDeployment '../../../main.bicep' = { sqlAdministratorLogin: 'synwsadmin' initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 306a671493..734fd524e6 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -70,7 +70,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -151,7 +151,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -226,7 +226,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -323,7 +323,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -663,7 +663,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -672,7 +672,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index e072a5031d..9088e0474d 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep 
@@ -118,10 +118,10 @@ param diagnosticSettings diagnosticSettingType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : any(null) @@ -257,7 +257,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index b1d6749b4f..b53284c51d 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12800539837694740755" + "version": "0.23.1.45101", + "templateHash": "10962869599499139784" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -437,8 +437,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", @@ -582,8 +582,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5725974299523715311" + "version": "0.23.1.45101", + "templateHash": "545140399885435174" }, "name": "Hosting Environment Network Configuration", "description": "This module deploys a Hosting Environment Network Configuration.", @@ -721,8 +721,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10660520916707434118" + "version": "0.23.1.45101", + "templateHash": "2088750160033594355" }, "name": "Hosting Environment Custom DNS Suffix Configuration", "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.", diff --git a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep index d86885ab6b..f6f0553f80 100644 --- a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep @@ -100,7 +100,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep index 52203b7f2f..a2a66f610e 100644 --- a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep @@ -108,7 +108,7 @@ module testDeployment '../../../main.bicep' = { ] managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } 
diff --git a/modules/web/site/README.md b/modules/web/site/README.md index bebdd69f18..8722de026a 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -164,7 +164,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -347,7 +347,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -509,7 +509,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -695,7 +695,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -1260,7 +1260,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -1269,7 +1269,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index f2c02e7356..6440c271b1 100644 
--- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -152,10 +152,10 @@ param hybridConnectionRelays array = [] ]) param publicNetworkAccess string = '' -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -420,7 +420,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 40e10f96f9..27cc961134 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5943221871747072299" + "templateHash": "8821774728735377657" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -722,8 +722,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App Compliance 
Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", @@ -1206,7 +1206,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8611977667171476388" + "templateHash": "3288853087979845666" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1223,7 +1223,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -1915,8 +1915,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App 
Compliance Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 3512cb4d8f..952f9bec31 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -411,7 +411,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -420,7 +420,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 77347145fc..49722f7eef 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep 
@@ -149,10 +149,10 @@ param vnetRouteAllEnabled bool = false @description('Optional. Names of hybrid connection relays to connect app with.') param hybridConnectionRelays array = [] -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -364,7 +364,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index 712b88882b..efe7f4d81a 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8611977667171476388" + "templateHash": "3288853087979845666" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -715,8 +715,8 @@ } }, "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "App Compliance 
Automation Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')]", diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index aa00720f81..2235080536 100644 --- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep @@ -197,7 +197,7 @@ module testDeployment '../../../main.bicep' = { storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep index d474772265..459c7fa8f8 100644 --- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep @@ -190,7 +190,7 @@ module testDeployment '../../../main.bicep' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index 98a80f18d6..6eaa86c579 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -119,7 +119,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -206,7 +206,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } 
@@ -291,7 +291,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ '' ] } @@ -378,7 +378,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { "managedIdentities": { "value": { "systemAssigned": true, - "userAssignedResourcesIds": [ + "userAssignedResourceIds": [ "" ] } @@ -578,7 +578,7 @@ The managed identity definition for this resource. | Name | Required | Type | Description | | :-- | :-- | :--| :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` @@ -587,7 +587,7 @@ Optional. Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `managedIdentities.userAssignedResourcesIds` +### Parameter: `managedIdentities.userAssignedResourceIds` Optional. The resource ID(s) to assign to the resource. diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 0446884227..6ca47ca5ec 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep 
@@ -87,10 +87,10 @@ param customDomains array = [] var enableReferencedModulesTelemetry = false -var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { - type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null) userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null @@ -252,7 +252,7 @@ type managedIdentitiesType = { systemAssigned: bool? @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourcesIds: string[]? + userAssignedResourceIds: string[]? }? type lockType = { diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index e42e784d34..fc659eef34 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2662580552466474915" + "version": "0.23.1.45101", + "templateHash": "12660101708954592641" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", 
@@ -23,7 +23,7 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourcesIds": { + "userAssignedResourceIds": { "type": "array", "items": { "type": "string" 
@@ -472,8 +472,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", @@ -586,8 +586,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13553590806488370796" + "version": "0.23.1.45101", + "templateHash": "2577415583443518856" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", @@ -719,8 +719,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8340850851413090940" + "version": "0.23.1.45101", + "templateHash": "2145280265348211589" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -845,8 +845,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8340850851413090940" + "version": "0.23.1.45101", + "templateHash": "2145280265348211589" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", @@ -972,8 +972,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13208835708722733896" + "version": "0.23.1.45101", + "templateHash": "10034836397316444891" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", @@ -1139,8 +1139,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1542,8 +1542,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/web/static-site/tests/e2e/max/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep index 0a800c70a2..82d89e7b30 100644 --- a/modules/web/static-site/tests/e2e/max/main.test.bicep +++ b/modules/web/static-site/tests/e2e/max/main.test.bicep @@ -85,7 +85,7 @@ module testDeployment '../../../main.bicep' = { stagingEnvironmentPolicy: 'Enabled' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep index 0b1be9250e..fc075909dd 100644 --- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -85,7 +85,7 @@ module testDeployment '../../../main.bicep' = { stagingEnvironmentPolicy: 'Enabled' managedIdentities: { systemAssigned: true - userAssignedResourcesIds: [ + userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId ] } From 76507efc5d0a84f2e087990f97f84caaa8ba5a5e Mon Sep 17 00:00:00 2001 
From: Luke Snoddy <37806411+lsnoddy@users.noreply.github.com> Date: Tue, 14 Nov 2023 20:54:18 +0000 Subject: [PATCH 104/178] Added MOVED-TO-AVM files (#4204) * Updated settings * Updated settings * Updated settings * Updated version * test * test * test * Updated settings file * Add MOVED-TO-AVM files * revert settings.yml changes --- modules/logic/workflow/MOVED-TO-AVM.md | 1 + modules/logic/workflow/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/logic/workflow/MOVED-TO-AVM.md diff --git a/modules/logic/workflow/MOVED-TO-AVM.md b/modules/logic/workflow/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/logic/workflow/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index 74d4fc9b57..a8dec6b147 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -1,5 +1,7 @@ # Logic Apps (Workflows) `[Microsoft.Logic/workflows]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Logic App (Workflow). ## Navigation From 5bbbcbbe0e1d1e4426572625816b472586937bbe Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Wed, 15 Nov 2023 21:22:44 +0100 Subject: [PATCH 105/178] Search Service - fixed version file schema (#4247) --- .../shared-private-link-resource/version.json | 7 +++++-- modules/search/search-service/version.json | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/modules/search/search-service/shared-private-link-resource/version.json b/modules/search/search-service/shared-private-link-resource/version.json
index 41f66cc990..7fa401bdf7 100644
--- a/modules/search/search-service/shared-private-link-resource/version.json
+++ b/modules/search/search-service/shared-private-link-resource/version.json
@@ -1,4 +1,7 @@
 {
- "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.1"
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
 }
diff --git a/modules/search/search-service/version.json b/modules/search/search-service/version.json
index 41f66cc990..7fa401bdf7 100644
--- a/modules/search/search-service/version.json
+++ b/modules/search/search-service/version.json
@@ -1,4 +1,7 @@
 {
- "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.1"
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
 }
From 18997fde3e69cf802a2ae37905c1b578d8ae9733 Mon Sep 17 00:00:00 2001
From: Kris Baranek
Date: Wed, 15 Nov 2023 21:54:57 +0100
Subject: [PATCH 106/178] Added MOVED-TO-AVM (#4248)
---
 modules/insights/diagnostic-setting/MOVED-TO-AVM.md | 1 +
 modules/insights/diagnostic-setting/README.md | 2 ++
 2 files changed, 3 insertions(+)
 create mode 100644 modules/insights/diagnostic-setting/MOVED-TO-AVM.md
diff --git a/modules/insights/diagnostic-setting/MOVED-TO-AVM.md b/modules/insights/diagnostic-setting/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/insights/diagnostic-setting/MOVED-TO-AVM.md
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index acfb26a890..db7021624f 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -1,5 +1,7 @@ # Diagnostic Settings (Activity Logs) for Azure Subscriptions `[Microsoft.Insights/diagnosticSettings]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Subscription wide export of the Activity Log. ## Navigation From 7df5517da4d3742e94c90229bd1f46958368ef63 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 18 Nov 2023 18:40:37 +0100 Subject: [PATCH 107/178] [Modules] Follow-Up-To: Added Azure Key Vault key management service settings to Security profile (#4252) * [Modules] Added Azure Key Vault key management service settings to Security profile (#4251) * Initial commit * Update readme * add Enable KMS in Azure test * Remove accidently added blank line * Update readme * Rebuild main.json * Add KMS test back in * Update readme and generate main.json --------- Co-authored-by: Asad Arif * Updated format to common cmk interface * Updaed api tests * Update to latest --------- Co-authored-by: aadev1 <39670555+aadev1@users.noreply.github.com> Co-authored-by: Asad Arif --- .../managed-cluster/README.md | 56 +++++++++++++++ .../managed-cluster/agent-pool/main.json | 4 +- .../managed-cluster/main.bicep | 32 +++++++++ .../managed-cluster/main.json | 70 ++++++++++++++++++- .../tests/e2e/azure/dependencies.bicep | 39 +++++++++-- .../tests/e2e/azure/main.test.bicep | 11 ++- .../tests/e2e/priv/dependencies.bicep | 16 +++-- .../tests/e2e/priv/main.test.bicep | 4 +- .../staticValidation/module.tests.ps1 | 23 +++--- 9 files changed, 224 insertions(+), 31 deletions(-) diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index aaf0d56ddb..fe444ca1da 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -124,6 +124,11 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' } ] autoUpgradeProfileUpgradeChannel: 'stable' + customerManagedKey: { + keyName: '' + keyVaultNetworkAccess: 'Public' + keyVaultResourceId: '' + } diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' 
@@ -339,6 +344,13 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "autoUpgradeProfileUpgradeChannel": { "value": "stable" }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultNetworkAccess": "Public", + "keyVaultResourceId": "" + } + }, "diagnosticSettings": { "value": [ { @@ -1167,6 +1179,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`autoUpgradeProfileUpgradeChannel`](#parameter-autoupgradeprofileupgradechannel) | string | Auto-upgrade channel on the AKS cluster. | | [`azurePolicyEnabled`](#parameter-azurepolicyenabled) | bool | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. | | [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. | | [`disableRunCommand`](#parameter-disableruncommand) | bool | Whether to disable run command for the cluster or not. | 
@@ -1497,6 +1510,49 @@ Specifies the azure policy version to use. - Type: string - Default: `'v2'` +### Parameter: `customerManagedKey` + +The customer managed key definition. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | +| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | Yes | string | Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | + +### Parameter: `customerManagedKey.keyName` + +Required. The name of the customer managed key to use for encryption. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVaultNetworkAccess` + +Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. + +- Required: Yes +- Type: string +- Allowed: `[Private, Public]` + +### Parameter: `customerManagedKey.keyVaultResourceId` + +Required. The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVersion` + +Optional. 
The version of the customer managed key to reference for encryption. If not provided, using 'latest'. + +- Required: No +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. diff --git a/modules/container-service/managed-cluster/agent-pool/main.json b/modules/container-service/managed-cluster/agent-pool/main.json index 878796aeb1..cf0f53629b 100644 --- a/modules/container-service/managed-cluster/agent-pool/main.json +++ b/modules/container-service/managed-cluster/agent-pool/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15823498371287518640" + "version": "0.23.1.45101", + "templateHash": "13811832596066396545" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index efb5974f2d..304a5c48e6 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep 
@@ -348,6 +348,18 @@ param httpProxyConfig object = {} @description('Optional. Identities associated with the cluster.') param identityProfile object = {} +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType + +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) + + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 'dummyKey' + } +} + var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = !empty(managedIdentities) ? { @@ -539,6 +551,12 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-p userAssignedIdentityExceptions: podIdentityProfileUserAssignedIdentityExceptions } securityProfile: { + azureKeyVaultKms: !empty(customerManagedKey) ? { + enabled: true + keyId: !empty(customerManagedKey.?keyVersion ?? '') ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' : cMKKeyVault::cMKKey.properties.keyUriWithVersion + keyVaultNetworkAccess: customerManagedKey!.keyVaultNetworkAccess + keyVaultResourceId: customerManagedKey!.keyVaultNetworkAccess == 'Private' ? cMKKeyVault.id : null + } : null defender: enableAzureDefender ? { securityMonitoring: { enabled: enableAzureDefender 
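Review bot: On the azureKeyVaultKms branch the fallback `keyId` is `cMKKeyVault::cMKKey.properties.keyUriWithVersion`, i.e. the key version current at deployment time is pinned, so a key rotated in Key Vault afterwards is not used by the cluster until the module is redeployed with the new version; the customerManagedKeyType description in the later hunk ("If not provided, using 'latest'") suggests the opposite and should state that the version is pinned at deployment. As far as I can see nothing in the module grants or documents the Key Vault key permissions the cluster identity needs for KMS (per the AKS docs, encrypt/decrypt on the key), so a deployment with customerManagedKey set can only fail at runtime; worth stating in the parameter description or README. The new cMKKeyVault existing resource in the first hunk would read better with a why-comment on its fallbacks, e.g. `// 'dummyVault' / '//' / '////' keep the split() indices valid when no CMK is passed; the resource is skipped by its condition`. The managedCluster resource touched by the second hunk starts and ends outside it.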
@@ -806,3 +824,17 @@ type diagnosticSettingType = { @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') marketplacePartnerResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.') + keyVaultNetworkAccess: ('Private' | 'Public') +}? diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 55eb6b6a7c..e6da45a8e2 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10758692765653328788" + "templateHash": "4013697482173328246" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", 
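Review bot: The description of `keyVaultNetworkAccess` ends with "The default value is Public.", but the property is declared non-nullable with no default, so callers must always pass it and that sentence is misleading; either drop it or make the property optional (`keyVaultNetworkAccess: ('Private' | 'Public')?`) and apply the default where the value is consumed. The `keyVersion` description should match what the module does when the version is omitted, e.g. `@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the key version current at deployment time is used.')`. The README carries the same wording and is regenerated from these descriptions.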
@@ -232,6 +232,41 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "keyVaultNetworkAccess": { + "type": "string", + "allowedValues": [ + "Private", + "Public" + ], + "metadata": { + "description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public." + } + } + }, + "nullable": true } }, "parameters": { @@ -938,6 +973,12 @@ "metadata": { "description": "Optional. Identities associated with the cluster." } + }, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", + "metadata": { + "description": "Optional. The customer managed key definition." + } } }, "variables": { 
@@ -983,6 +1024,27 @@ } }, "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", 
@@ -1116,6 +1178,7 @@ "userAssignedIdentityExceptions": "[parameters('podIdentityProfileUserAssignedIdentityExceptions')]" }, "securityProfile": { + "azureKeyVaultKms": "[if(not(empty(parameters('customerManagedKey'))), createObject('enabled', true(), 'keyId', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'keyVaultNetworkAccess', parameters('customerManagedKey').keyVaultNetworkAccess, 'keyVaultResourceId', if(equals(parameters('customerManagedKey').keyVaultNetworkAccess, 'Private'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), null())), null())]", "defender": "[if(parameters('enableAzureDefender'), createObject('securityMonitoring', createObject('enabled', parameters('enableAzureDefender')), 'logAnalyticsWorkspaceResourceId', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]", "workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]" }, @@ -1134,7 +1197,10 @@ } }, "supportPlan": "[parameters('supportPlan')]" - } + }, + "dependsOn": [ + "cMKKeyVault" + ] }, "managedCluster_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", 
diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep index 1cdf9b765a..40834512ba 100644 --- a/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep @@ -79,6 +79,13 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = { kty: 'RSA' } } + + resource kmskey 'keys@2022-07-01' = { + name: 'kmsEncryptionKey' + properties: { + kty: 'RSA' + } + } } resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { @@ -98,6 +105,16 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { } } +resource keyPermissionsKeyVaultCryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Crypto-User-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // KeyVault-Crypto-User + principalType: 'ServicePrincipal' + } +} + resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment') scope: keyVault @@ -113,13 +130,6 @@ resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@202 location: location } -@description('The resource ID of the created Virtual Network Subnet.') -output subnetResourceIds array = [ - virtualNetwork.properties.subnets[0].id - virtualNetwork.properties.subnets[1].id - virtualNetwork.properties.subnets[2].id -] - resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = { name: dnsZoneName location: 'global' 
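Review bot: `keyPermissionsKeyVaultCryptoUser` grants Key Vault Crypto User on the whole vault (`scope: keyVault`) although the identity only needs to encrypt and decrypt with the KMS key; Key Vault data-plane RBAC supports key-level scope, so `scope: keyVault::kmskey` would keep the pre-existing disk-encryption key out of the grant. The existing `keyPermissions` (Key Read) assignment below is also left at vault scope by this change. The new `kmskey` resource is created without `attributes` (no expiry), which is acceptable for a disposable test vault, but no output in this file section references it, so verify that it is really the key the test feeds into `customerManagedKey`.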
@@ -160,3 +170,18 @@ output dnsZoneResourceId string = dnsZone.id @description('The resource ID of the created Log Analytics Workspace.') output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the Key Vault Encryption Key.') +output keyVaultEncryptionKeyName string = keyVault::key.name + +@description('The resource ID of the created Virtual Network System Agent Pool Subnet.') +output systemPoolSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Virtual Network Agent Pool 1 Subnet.') +output agentPool1SubnetResourceId string = virtualNetwork.properties.subnets[1].id + +@description('The resource ID of the created Virtual Network Agent Pool 2 Subnet.') +output agentPool2SubnetResourceId string = virtualNetwork.properties.subnets[2].id diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep index 7776f4752f..32f8c42ed3 100644 --- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep @@ -92,7 +92,7 @@ module testDeployment '../../../main.bicep' = { storageProfile: 'ManagedDisks' type: 'VirtualMachineScaleSets' vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[0] + vnetSubnetID: nestedDependencies.outputs.systemPoolSubnetResourceId } ] agentPools: [ 
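Review bot: `keyVaultEncryptionKeyName` outputs `keyVault::key.name`, the key that already existed in the vault (presumably the disk encryption set's key, given the `diskEncryptionSet` resource in this file), not the `kmsEncryptionKey` resource `kmskey` that this change adds; main.test.bicep passes this output as `customerManagedKey.keyName`, so etcd KMS and disk encryption end up sharing one key and `kmskey` is created but never used, unless it is referenced somewhere outside the diff. One key per purpose is the cleaner key-management posture and is clearly what the added resource intended: `output keyVaultEncryptionKeyName string = keyVault::kmskey.name`. If sharing the key is deliberate, the output's name and description should say so.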
@@ -119,7 +119,7 @@ module testDeployment '../../../main.bicep' = { storageProfile: 'ManagedDisks' type: 'VirtualMachineScaleSets' vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[1] + vnetSubnetID: nestedDependencies.outputs.agentPool1SubnetResourceId proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId } { @@ -145,7 +145,7 @@ module testDeployment '../../../main.bicep' = { storageProfile: 'ManagedDisks' type: 'VirtualMachineScaleSets' vmSize: 'Standard_DS2_v2' - vnetSubnetID: nestedDependencies.outputs.subnetResourceIds[2] + vnetSubnetID: nestedDependencies.outputs.agentPool2SubnetResourceId } ] autoUpgradeProfileUpgradeChannel: 'stable' @@ -189,6 +189,11 @@ module testDeployment '../../../main.bicep' = { enableAzureDefender: true enableKeyvaultSecretsProvider: true enablePodSecurityPolicy: false + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultNetworkAccess: 'Public' + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' diff --git a/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep index b74bb113ac..3a7d3e9d62 100644 --- a/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/priv/dependencies.bicep @@ -31,14 +31,12 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { addressPrefix ] } - subnets: [ - { - name: 'defaultSubnet' + subnets: map(range(0, 2), i => { + name: 'subnet-${i}' properties: { - addressPrefix: cidrSubnet(addressPrefix, 16, 0) + addressPrefix: cidrSubnet(addressPrefix, 24, i) } - } - ] + }) } } 
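Review bot: The test exercises `customerManagedKey` only with `keyVaultNetworkAccess: 'Public'`, so the `Private` branch of the module — the one that additionally passes `keyVaultResourceId` into `azureKeyVaultKms` — has no coverage, and that is the configuration a hardened deployment would actually use. A `Private` variant (for example in the `priv` test, which already builds a private DNS zone and VNet, assuming a vault with public network access disabled and a private endpoint can be added to its dependencies) would validate the field mapping end to end. The `testDeployment` module this block belongs to starts and ends outside the hunk.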
@@ -85,3 +83,9 @@ output privateDnsZoneResourceId string = privateDnsZone.id @description('The resource ID of the VirtualNetwork created.') output vNetResourceId string = virtualNetwork.id + +@description('The resource ID of the created Virtual Network System Agent Pool Subnet.') +output systemPoolSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Virtual Network Agent Pool 1 Subnet.') +output agentPoolSubnetResourceId string = virtualNetwork.properties.subnets[1].id diff --git a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep index 8d911c5cc9..078372cab4 100644 --- a/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/priv/main.test.bicep @@ -84,7 +84,7 @@ module testDeployment '../../../main.bicep' = { storageProfile: 'ManagedDisks' type: 'VirtualMachineScaleSets' vmSize: 'Standard_DS2_v2' - vnetSubnetID: '${nestedDependencies.outputs.vNetResourceId}/subnets/defaultSubnet' + vnetSubnetID: nestedDependencies.outputs.systemPoolSubnetResourceId } ] agentPools: [ @@ -111,7 +111,7 @@ module testDeployment '../../../main.bicep' = { storageProfile: 'ManagedDisks' type: 'VirtualMachineScaleSets' vmSize: 'Standard_DS2_v2' - vnetSubnetID: '${nestedDependencies.outputs.vNetResourceId}/subnets/defaultSubnet' + vnetSubnetID: nestedDependencies.outputs.agentPoolSubnetResourceId } { availabilityZones: [ diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1 index 3e8ff1fe2e..f608f5f24b 100644 --- a/utilities/pipelines/staticValidation/module.tests.ps1 +++ b/utilities/pipelines/staticValidation/module.tests.ps1 
@@ -1156,7 +1156,7 @@ Describe 'API version tests' -Tag 'ApiCheck' { return } - $ApiVersions = Get-Content -Path $apiSpecsFilePath -Raw | ConvertFrom-Json + $ApiVersions = Get-Content -Path $apiSpecsFilePath -Raw | ConvertFrom-Json -AsHashtable foreach ($moduleFolderPath in $moduleFolderPaths) { $moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] @@ -1200,7 +1200,7 @@ Describe 'API version tests' -Tag 'ApiCheck' { { $PSItem -like '*diagnosticsettings*' } { $testCases += @{ moduleName = $moduleFolderName - resourceType = 'diagnosticsettings' + resourceType = 'diagnosticSettings' ProviderNamespace = 'Microsoft.Insights' TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions @@ -1222,7 +1222,7 @@ Describe 'API version tests' -Tag 'ApiCheck' { { $PSItem -like '*roleAssignments' } { $testCases += @{ moduleName = $moduleFolderName - resourceType = 'roleassignments' + resourceType = 'roleAssignments' ProviderNamespace = 'Microsoft.Authorization' TargetApi = $resource.ApiVersion AvailableApiVersions = $ApiVersions 
@@ -1264,16 +1264,16 @@ Describe 'API version tests' -Tag 'ApiCheck' { [string] $ResourceType, [string] $TargetApi, [string] $ProviderNamespace, - [PSCustomObject] $AvailableApiVersions, + [hashtable] $AvailableApiVersions, [bool] $AllowPreviewVersionsInAPITests ) - if (-not (($AvailableApiVersions | Get-Member -Type NoteProperty).Name -contains $ProviderNamespace)) { + if ($AvailableApiVersions.Keys -notcontains $ProviderNamespace) { Write-Warning "[API Test] The Provider Namespace [$ProviderNamespace] is missing in your Azure API versions file. Please consider updating it and if it is still missing to open an issue in the 'AzureAPICrawler' PowerShell module's GitHub repository." Set-ItResult -Skipped -Because "The Azure API version file is missing the Provider Namespace [$ProviderNamespace]." return } - if (-not (($AvailableApiVersions.$ProviderNamespace | Get-Member -Type NoteProperty).Name -contains $ResourceType)) { + if ($AvailableApiVersions.$ProviderNamespace.Keys -notcontains $ResourceType) { Write-Warning "[API Test] The Provider Namespace [$ProviderNamespace] is missing the Resource Type [$ResourceType] in your API versions file. Please consider updating it and if it is still missing to open an issue in the 'AzureAPICrawler' PowerShell module's GitHub repository." Set-ItResult -Skipped -Because "The Azure API version file is missing the Resource Type [$ResourceType] for Provider Namespace [$ProviderNamespace]." return 
@@ -1297,10 +1297,15 @@ Describe 'API version tests' -Tag 'ApiCheck' { } $approvedApiVersions = $approvedApiVersions | Sort-Object -Unique -Descending - $approvedApiVersions | Should -Contain $TargetApi - # Provide a warning if an API version is second to next to expire. - if ($approvedApiVersions -contains $TargetApi) { + if ($approvedApiVersions -notcontains $TargetApi) { + # Using a warning now instead of an error, as we don't want to block PRs for this. + Write-Warning ("The used API version [$TargetApi] is not one of the most recent 5 versions. Please consider upgrading to one of the following: {0}" -f $approvedApiVersions -join ', ') + + # The original failed test was + # $approvedApiVersions | Should -Contain $TargetApi + } else { + # Provide a warning if an API version is second to next to expire. $indexOfVersion = $approvedApiVersions.IndexOf($TargetApi) # Example From 033260fceb578802b95d781893d4d3c34bfda703 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sat, 18 Nov 2023 17:41:44 +0000 Subject: [PATCH 108/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 4547dc7d89..7c28791b22 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -45,7 +45,7 @@ This section provides an overview of the library's feature set. | 30 | consumption
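Review bot: In the new warning, `"...{0}" -f $approvedApiVersions -join ', '` parses as `("..." -f $approvedApiVersions) -join ', '` because `-f` binds tighter than the binary `-join`, so `{0}` receives only the first element and the message lists a single version instead of the five it promises; write `-f ($approvedApiVersions -join ', ')`. Separately, with the `Should -Contain` assertion commented out this test can no longer fail, which removes the guardrail against stale API versions entirely; consider keeping the assertion behind a parameter, in the style of the existing `$AllowPreviewVersionsInAPITests` switch, rather than only warning. The `It` block continues beyond the hunk.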

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 92 | | 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | [L1:1, L2:1, L3:5] | 175 | | 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:4, L2:1, L3:5] | 447 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 668 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 693 | | 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:3, L2:2, L3:3] | 342 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:2, L2:1, L3:3] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 110 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29849 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29874 | ## Legend From d38096fcf46218acfca74bb3109f30ab52275f07 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 18 Nov 2023 18:51:41 +0100 Subject: [PATCH 109/178] [Modules] Added itempotency to tests [1/5] (#4210) * Updated test cases of batch 1 * Updated test templates * Update to latest * Undid non-working changes * Refreshed json --- modules/analysis-services/server/main.json | 4 +- .../server/tests/e2e/defaults/main.test.bicep | 7 +-- .../server/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../service/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/encr/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/pe/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/app/managed-environment/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/encr/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/encr/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/cache/redis-enterprise/main.json | 16 +++---- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/geo/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/cdn/profile/main.json | 44 +++++++++---------- .../cdn/profile/tests/e2e/afd/main.test.bicep | 7 +-- .../cdn/profile/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- 
.../tests/e2e/defaults/main.test.bicep | 7 +-- .../account/tests/e2e/encr/main.test.bicep | 7 +-- .../account/tests/e2e/max/main.test.bicep | 7 +-- .../account/tests/e2e/speech/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/compute/availability-set/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/accessPolicies/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/compute/disk/main.json | 4 +- .../disk/tests/e2e/defaults/main.test.bicep | 7 +-- .../disk/tests/e2e/image/main.test.bicep | 7 +-- .../disk/tests/e2e/import/main.test.bicep | 7 +-- .../disk/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/compute/gallery/main.json | 12 ++--- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../gallery/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/compute/image/main.json | 4 +- .../image/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../proximity-placement-group/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/compute/ssh-public-key/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/linux.min/main.test.bicep | 7 +-- .../tests/e2e/linux.ssecmk/main.test.bicep | 7 +-- .../tests/e2e/linux/main.test.bicep | 7 +-- .../tests/e2e/windows.min/main.test.bicep | 7 +-- .../tests/e2e/windows/main.test.bicep | 7 +-- modules/consumption/budget/main.json | 4 +- .../budget/tests/e2e/defaults/main.test.bicep | 7 +-- .../budget/tests/e2e/max/main.test.bicep | 7 +-- 
.../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/encr/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/private/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../registry/tests/e2e/encr/main.test.bicep | 7 +-- .../registry/tests/e2e/max/main.test.bicep | 7 +-- .../registry/tests/e2e/pe/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- 88 files changed, 360 insertions(+), 283 deletions(-) diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json index 3066c30ae2..cb62fdcfee 100644 --- a/modules/analysis-services/server/main.json +++ b/modules/analysis-services/server/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17464709928355207715" + "version": "0.23.1.45101", + "templateHash": "11444956126966610005" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.", diff --git a/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep b/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep index 195a66ec25..d068d9795e 100644 --- a/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}' } -} +}] diff --git a/modules/analysis-services/server/tests/e2e/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep index 05de9c3d73..95d51e6ea4 100644 --- a/modules/analysis-services/server/tests/e2e/max/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/max/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}' @@ -117,4 +118,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep index 7d160d3715..e5705e2cbf 100644 --- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep 
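Review bot: Deploying the module twice with identical parameters only proves the second deployment does not error; it does not show that the redeploy made no changes, which is what idempotency means for an ARM deployment. Whether the pipeline runs the `idem` iteration in what-if mode or compares the outputs of the two iterations is not visible here; without one of those, a module that recreates or rewrites a resource on every run still passes. A short comment on the loop would also help future readers: `// The 'idem' iteration redeploys with identical inputs to check the module is idempotent; @batchSize(1) keeps the two runs sequential`.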
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}' @@ -117,4 +118,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/api-management/service/tests/e2e/defaults/main.test.bicep b/modules/api-management/service/tests/e2e/defaults/main.test.bicep index 1e18f22439..693a2e0673 100644 --- a/modules/api-management/service/tests/e2e/defaults/main.test.bicep +++ b/modules/api-management/service/tests/e2e/defaults/main.test.bicep @@ -38,13 +38,14 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: '${namePrefix}-az-amorg-x-001' } -} +}] diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep index 8d75bc8e6d..609d61a44b 100644 --- a/modules/api-management/service/tests/e2e/max/main.test.bicep +++ b/modules/api-management/service/tests/e2e/max/main.test.bicep 
@@ -64,9 +64,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -216,4 +217,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep index 310b608f75..a722f02c9d 100644 --- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -64,9 +64,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -216,4 +217,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep index c791402a8d..895734bd01 100644 
--- a/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep index 7123d01c60..df73c1e7d6 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep @@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -96,4 +97,4 @@ module testDeployment '../../../main.bicep' = { userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId } } -} +}] 
diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep index 10c4c6090c..f3f76a3b95 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -121,4 +122,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep index a8367ca982..59ca3034ed 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/pe/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -74,4 +75,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep
index abfee358a1..d5aa0ab214 100644
--- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -121,4 +122,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/app/container-app/tests/e2e/defaults/main.test.bicep b/modules/app/container-app/tests/e2e/defaults/main.test.bicep
index 33c8893ba4..b00bf36743 100644
--- a/modules/app/container-app/tests/e2e/defaults/main.test.bicep
+++ b/modules/app/container-app/tests/e2e/defaults/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/app/container-app/tests/e2e/max/main.test.bicep b/modules/app/container-app/tests/e2e/max/main.test.bicep
index 5cf01b4bac..a9397c8777 100644
--- a/modules/app/container-app/tests/e2e/max/main.test.bicep
+++ b/modules/app/container-app/tests/e2e/max/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep
index c8b15d8184..f7be7ad1bc 100644
--- a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json
index d8bb5e7173..cd7af31c94 100644
--- a/modules/app/managed-environment/main.json
+++ b/modules/app/managed-environment/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5686402227763337334"
+ "version": "0.23.1.45101",
+ "templateHash": "17510800738142190994"
 },
 "name": "App ManagedEnvironments",
 "description": "This module deploys an App Managed Environment (also known as a Container App Environment).",
diff --git a/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep b/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep
index 89142b2b49..40a1ae5178 100644
--- a/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep
+++ b/modules/app/managed-environment/tests/e2e/defaults/main.test.bicep
@@ -45,12 +45,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
-}
+}]
diff --git a/modules/app/managed-environment/tests/e2e/max/main.test.bicep b/modules/app/managed-environment/tests/e2e/max/main.test.bicep
index 1843a5b3ce..7eecb1c599 100644
--- a/modules/app/managed-environment/tests/e2e/max/main.test.bicep
+++ b/modules/app/managed-environment/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
 Env: 'test'
 }
 }
-}
+}]
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
index 49d64c4d2c..f7416ce8ed 100644
--- a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
 Env: 'test'
 }
 }
-}
+}]
diff --git a/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep b/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep
index 1c536702fe..2e93cc9a4a 100644
--- a/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep
+++ b/modules/automation/automation-account/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep
index 75915b6fa6..ec8c934c0d 100644
--- a/modules/automation/automation-account/tests/e2e/encr/main.test.bicep
+++ b/modules/automation/automation-account/tests/e2e/encr/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -65,4 +66,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 }
-}
+}]
diff --git a/modules/automation/automation-account/tests/e2e/max/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep
index 54c6631523..4a97bffb39 100644
--- a/modules/automation/automation-account/tests/e2e/max/main.test.bicep
+++ b/modules/automation/automation-account/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -258,4 +259,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
index e75ac961a6..f024413f06 100644
--- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -258,4 +259,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep b/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep
index dedd65a96c..aa138f8c7d 100644
--- a/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep
+++ b/modules/batch/batch-account/tests/e2e/defaults/main.test.bicep
@@ -46,12 +46,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 storageAccountId: nestedDependencies.outputs.storageAccountResourceId
 }
-}
+}]
diff --git a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep
index dd115ebda3..f32f9a7655 100644
--- a/modules/batch/batch-account/tests/e2e/encr/main.test.bicep
+++ b/modules/batch/batch-account/tests/e2e/encr/main.test.bicep
@@ -50,9 +50,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -87,4 +88,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/batch/batch-account/tests/e2e/max/main.test.bicep b/modules/batch/batch-account/tests/e2e/max/main.test.bicep
index 87a36e6670..64ae401f0e 100644
--- a/modules/batch/batch-account/tests/e2e/max/main.test.bicep
+++ b/modules/batch/batch-account/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep
index 20fbc393af..d4edb44cb9 100644
--- a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json
index c18ec7b248..27f647f9e5 100644
--- a/modules/cache/redis-enterprise/main.json
+++ b/modules/cache/redis-enterprise/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12509329417393938084"
+ "version": "0.23.1.45101",
+ "templateHash": "9202709558148407604"
 },
 "name": "Redis Cache Enterprise",
 "description": "This module deploys a Redis Cache Enterprise.",
@@ -602,8 +602,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "8155705065039005753"
+ "version": "0.23.1.45101",
+ "templateHash": "2473493174520406257"
 },
 "name": "Redis Cache Enterprise Databases",
 "description": "This module deploys a Redis Cache Enterprise Database.",
@@ -866,8 +866,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12078057657290521609"
+ "version": "0.23.1.45101",
+ "templateHash": "6873008238043407177"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1269,8 +1269,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16391702514342252839"
+ "version": "0.23.1.45101",
+ "templateHash": "17578977753131828304"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep
index 5ac671c1b6..667f64420a 100644
--- a/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep
+++ b/modules/cache/redis-enterprise/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep
index f91f72b254..5d09f89094 100644
--- a/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep
+++ b/modules/cache/redis-enterprise/tests/e2e/geo/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 var redisCacheEnterpriseName = '${namePrefix}${serviceShort}001'
 var redisCacheEnterpriseExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Cache/redisEnterprise/${redisCacheEnterpriseName}'
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: redisCacheEnterpriseName
@@ -87,4 +88,4 @@ module testDeployment '../../../main.bicep' = {
 resourceType: 'Redis Cache Enterprise'
 }
 }
-}
+}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep
index ce2540744f..11967b6582 100644
--- a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep
+++ b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = {
 resourceType: 'Redis Cache Enterprise'
 }
 }
-}
+}]
diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep
index cd0e90a7d9..e11f40719a 100644
--- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = {
 resourceType: 'Redis Cache Enterprise'
 }
 }
-}
+}]
diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json
index de8d882e50..e8a03d38c8 100644
--- a/modules/cdn/profile/main.json
+++ b/modules/cdn/profile/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2807663755404362270"
+ "version": "0.23.1.45101",
+ "templateHash": "17584746093289526242"
 },
 "name": "CDN Profiles",
 "description": "This module deploys a CDN Profile.",
@@ -333,8 +333,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "4870857598190177606"
+ "version": "0.23.1.45101",
+ "templateHash": "15779750813347176502"
 },
 "name": "CDN Profiles Endpoints",
 "description": "This module deploys a CDN Profile Endpoint.",
@@ -463,8 +463,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5759722302271159823"
+ "version": "0.23.1.45101",
+ "templateHash": "7311789591820295360"
 },
 "name": "CDN Profiles Endpoints Origins",
 "description": "This module deploys a CDN Profile Endpoint Origin.",
@@ -706,8 +706,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10634340039151667854"
+ "version": "0.23.1.45101",
+ "templateHash": "7448367317152547669"
 },
 "name": "CDN Profiles Secret",
 "description": "This module deploys a CDN Profile Secret.",
@@ -869,8 +869,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "1547160911539181378"
+ "version": "0.23.1.45101",
+ "templateHash": "16926903089536842323"
 },
 "name": "CDN Profiles Custom Domains",
 "description": "This module deploys a CDN Profile Custom Domains.",
@@ -1053,8 +1053,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5730470112775090005"
+ "version": "0.23.1.45101",
+ "templateHash": "11717674362000061520"
 },
 "name": "CDN Profiles Origin Group",
 "description": "This module deploys a CDN Profile Origin Group.",
@@ -1192,8 +1192,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "6401260748375374430"
+ "version": "0.23.1.45101",
+ "templateHash": "6315538909881747607"
 },
 "name": "CDN Profiles Origin",
 "description": "This module deploys a CDN Profile Origin.",
@@ -1423,8 +1423,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2165712570349315066"
+ "version": "0.23.1.45101",
+ "templateHash": "14060531422180532953"
 },
 "name": "CDN Profiles Rule Sets",
 "description": "This module deploys a CDN Profile rule set.",
@@ -1522,8 +1522,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17627422900186578144"
+ "version": "0.23.1.45101",
+ "templateHash": "7170380293485699276"
 },
 "name": "CDN Profiles Rules",
 "description": "This module deploys a CDN Profile rule.",
@@ -1709,8 +1709,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14944467223785761559"
+ "version": "0.23.1.45101",
+ "templateHash": "10217508381442897285"
 },
 "name": "CDN Profiles AFD Endpoints",
 "description": "This module deploys a CDN Profile AFD Endpoint.",
@@ -1864,8 +1864,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13253134886056545686"
+ "version": "0.23.1.45101",
+ "templateHash": "6429015991033675991"
 },
 "name": "CDN Profiles AFD Endpoint Route",
 "description": "This module deploys a CDN Profile AFD Endpoint route.",
diff --git a/modules/cdn/profile/tests/e2e/afd/main.test.bicep b/modules/cdn/profile/tests/e2e/afd/main.test.bicep
index 391920c781..9d3e21d539 100644
--- a/modules/cdn/profile/tests/e2e/afd/main.test.bicep
+++ b/modules/cdn/profile/tests/e2e/afd/main.test.bicep
@@ -44,9 +44,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: 'dep-${namePrefix}-test-${serviceShort}'
 location: 'global'
@@ -128,4 +129,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/cdn/profile/tests/e2e/max/main.test.bicep b/modules/cdn/profile/tests/e2e/max/main.test.bicep
index 5298d3dc2c..fb18eefa09 100644
--- a/modules/cdn/profile/tests/e2e/max/main.test.bicep
+++ b/modules/cdn/profile/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: 'dep-${namePrefix}-test-${serviceShort}'
 location: location
@@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep
index 8df82c8a93..00e2285b20 100644
--- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: 'dep-${namePrefix}-test-${serviceShort}'
 location: location
@@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep b/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep
index e597ad984c..0f682f11ba 100644
--- a/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/defaults/main.test.bicep
@@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 kind: 'SpeechServices'
 }
-}
+}]
diff --git a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
index fb88edd7bf..8b7c4e6608 100644
--- a/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/encr/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = {
 }
 restrictOutboundNetworkAccess: false
 }
-}
+}]
diff --git a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep
index bec580c028..5652d77380 100644
--- a/modules/cognitive-services/account/tests/e2e/max/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/max/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -134,4 +135,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
index b3e7aad9a6..8c2a992585 100644
--- a/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/speech/main.test.bicep
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -78,4 +79,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep
index f296bb09ed..06069401e4 100644
--- a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -134,4 +135,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json
index fec33868ce..b95d3d6e5b 100644
--- a/modules/compute/availability-set/main.json
+++ b/modules/compute/availability-set/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "1732304861308894467"
+ "version": "0.23.1.45101",
+ "templateHash": "10273034762819706688"
 },
 "name": "Availability Sets",
 "description": "This module deploys an Availability Set.",
diff --git a/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep b/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep
index d2e69aba00..ba54d3f25e 100644
--- a/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/compute/availability-set/tests/e2e/max/main.test.bicep b/modules/compute/availability-set/tests/e2e/max/main.test.bicep
index c05e914de3..1241842e7b 100644
--- a/modules/compute/availability-set/tests/e2e/max/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
index 01bac9f002..7a305c8119 100644
--- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
index 3cb8cb71b8..f494661b94 100644
--- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
index c492dab2a1..b71ed7a6ec 100644
--- a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
@@ -51,9 +51,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -81,4 +82,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
index 0e4721f1be..c49b0266d2 100644
--- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
@@ -51,9 +51,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -81,4 +82,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json
index 83bb0e27a3..efff55288f 100644
--- a/modules/compute/disk/main.json
+++ b/modules/compute/disk/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "4197028586802526466"
+"version": "0.23.1.45101",
+"templateHash": "13415296044159532527"
 },
 "name": "Compute Disks",
 "description": "This module deploys a Compute Disk",
diff --git a/modules/compute/disk/tests/e2e/defaults/main.test.bicep b/modules/compute/disk/tests/e2e/defaults/main.test.bicep
index 68c1b85ac6..95b44f7771 100644
--- a/modules/compute/disk/tests/e2e/defaults/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/defaults/main.test.bicep
@@ -37,13 +37,14 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
 sku: 'Standard_LRS'
 diskSizeGB: 1
 }
-}
+}]
diff --git a/modules/compute/disk/tests/e2e/image/main.test.bicep b/modules/compute/disk/tests/e2e/image/main.test.bicep
index 27dd941489..7b49045a5d 100644
--- a/modules/compute/disk/tests/e2e/image/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/image/main.test.bicep
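Review bot: In the `modules/compute/disk/tests/e2e/defaults/main.test.bicep` hunk, the `[ 'init', 'idem' ]` loop and the `@batchSize(1)` decorator carry the whole intent of the change but nothing in the file explains it; a later edit that drops the decorator or adds a third entry would silently turn the sequential "create, then re-apply" pair into parallel deployments of the same resource (`name: '${namePrefix}-${serviceShort}001'` is identical in both iterations) without any failing test. I would put a comment directly above the decorator: `// Deploy twice in sequence: 'init' creates the resources, 'idem' re-applies identical parameters to prove the module is idempotent; batchSize(1) forces the order.` The `uniqueString(deployment().name, location)` prefix is the parent deployment's and is the same for both iterations, so only the `-${iteration}` suffix keeps the two module deployment names distinct; presumably the pipeline asserts that the second deployment succeeds, but that check is not visible here.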
@@ -42,9 +42,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
@@ -64,4 +65,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk/tests/e2e/import/main.test.bicep b/modules/compute/disk/tests/e2e/import/main.test.bicep
index d3f891d57f..e343bbfbdc 100644
--- a/modules/compute/disk/tests/e2e/import/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/import/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk/tests/e2e/max/main.test.bicep b/modules/compute/disk/tests/e2e/max/main.test.bicep
index 7916ad9f61..cd544f46b9 100644
--- a/modules/compute/disk/tests/e2e/max/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/max/main.test.bicep
@@ -45,9 +45,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
index 95bd0f5d73..0b70c6e0b5 100644
--- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
@@ -45,9 +45,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json
index 3994fa8cb5..988b6b53a7 100644
--- a/modules/compute/gallery/main.json
+++ b/modules/compute/gallery/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "3058018993104486515"
+"version": "0.23.1.45101",
+"templateHash": "8907363611903070816"
 },
 "name": "Azure Compute Galleries",
 "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).",
@@ -283,8 +283,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "4468420728204112478"
+"version": "0.23.1.45101",
+"templateHash": "8232745966352037801"
 },
 "name": "Compute Galleries Applications",
 "description": "This module deploys an Azure Compute Gallery Application.",
@@ -617,8 +617,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "12640831453229356933"
+"version": "0.23.1.45101",
+"templateHash": "3383509605637851908"
 },
 "name": "Compute Galleries Image Definitions",
 "description": "This module deploys an Azure Compute Gallery Image Definition.",
diff --git a/modules/compute/gallery/tests/e2e/defaults/main.test.bicep b/modules/compute/gallery/tests/e2e/defaults/main.test.bicep
index 690725cdd9..f7a09d997c 100644
--- a/modules/compute/gallery/tests/e2e/defaults/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/compute/gallery/tests/e2e/max/main.test.bicep b/modules/compute/gallery/tests/e2e/max/main.test.bicep
index a93ee28315..efc7e9a946 100644
--- a/modules/compute/gallery/tests/e2e/max/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -186,4 +187,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
index 755e9e49c5..c519821e4f 100644
--- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -186,4 +187,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json
index bcbe6df5a3..d559e8bc9b 100644
--- a/modules/compute/image/main.json
+++ b/modules/compute/image/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "9558360786962697877"
+"version": "0.23.1.45101",
+"templateHash": "18345867974770384550"
 },
 "name": "Images",
 "description": "This module deploys a Compute Image.",
diff --git a/modules/compute/image/tests/e2e/max/main.test.bicep b/modules/compute/image/tests/e2e/max/main.test.bicep
index 7b5bd31348..e4da6461c2 100644
--- a/modules/compute/image/tests/e2e/max/main.test.bicep
+++ b/modules/compute/image/tests/e2e/max/main.test.bicep
@@ -55,9 +55,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -83,4 +84,4 @@ module testDeployment '../../../main.bicep' = {
 tagB: 'Player'
 }
 }
-}
+}]
diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
index 83e55ae5ed..8403077e92 100644
--- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
@@ -55,9 +55,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -83,4 +84,4 @@ module testDeployment '../../../main.bicep' = {
 tagB: 'Player'
 }
 }
-}
+}]
diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json
index 36747472f3..cf403363a2 100644
--- a/modules/compute/proximity-placement-group/main.json
+++ b/modules/compute/proximity-placement-group/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "11278878938849478552"
+"version": "0.23.1.45101",
+"templateHash": "2277527270184526895"
 },
 "name": "Proximity Placement Groups",
 "description": "This module deploys a Proximity Placement Group.",
diff --git a/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep
index 47ce68a6d6..9ac35b31d9 100644
--- a/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
index 93f79eb2fe..c996b25ec1 100644
--- a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -85,4 +86,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 }
-}
+}]
diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
index d58853a01e..498ccb1f1d 100644
--- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -85,4 +86,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 }
-}
+}]
diff --git a/modules/compute/ssh-public-key/main.json b/modules/compute/ssh-public-key/main.json
index d71da3411e..bf19a6c816 100644
--- a/modules/compute/ssh-public-key/main.json
+++ b/modules/compute/ssh-public-key/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "12563605105819727190"
+"version": "0.23.1.45101",
+"templateHash": "5802465844150331034"
 },
 "name": "Public SSH Keys",
 "description": "This module deploys a Public SSH Key.\r\n\r\n> Note: The resource does not auto-generate the key for you.",
diff --git a/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep
index a44d0b7d0c..c0e78b3fd3 100644
--- a/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/defaults/main.test.bicep
@@ -37,11 +37,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}001'
 }
-}
+}]
diff --git a/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep
index a35550fe1c..5913288f41 100644
--- a/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/max/main.test.bicep
@@ -49,12 +49,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-sshkey-${serviceShort}001'
 publicKey: nestedDependencies.outputs.publicKey
 }
-}
+}]
diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep
index e432ba94de..38825503d4 100644
--- a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep
@@ -49,12 +49,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-sshkey-${serviceShort}001'
 publicKey: nestedDependencies.outputs.publicKey
 }
-}
+}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
index 110a696ad0..7878e685a0 100644
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.min/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -91,4 +92,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
index a574e6b411..ac90b7dd77 100644
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
@@ -52,9 +52,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // ============== //
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 location: location
@@ -119,4 +120,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
index 4a3c0e1ac2..d11c193a6e 100644
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/linux/main.test.bicep
@@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -206,4 +207,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
index 6afe0758de..e9eca80fae 100644
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows.min/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -86,4 +87,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
index 530b0c79fd..e1c8c527ea 100644
--- a/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
+++ b/modules/compute/virtual-machine-scale-set/tests/e2e/windows/main.test.bicep
@@ -66,9 +66,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -202,4 +203,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/consumption/budget/main.json b/modules/consumption/budget/main.json
index a65a1bbfe8..31a5523934 100644
--- a/modules/consumption/budget/main.json
+++ b/modules/consumption/budget/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
-"version": "0.22.6.54827",
-"templateHash": "2760526032764483110"
+"version": "0.23.1.45101",
+"templateHash": "10861664842554589267"
 },
 "name": "Consumption Budgets",
 "description": "This module deploys a Consumption Budget for Subscriptions.",
diff --git a/modules/consumption/budget/tests/e2e/defaults/main.test.bicep b/modules/consumption/budget/tests/e2e/defaults/main.test.bicep
index e9d47202bb..44789640d2 100644
--- a/modules/consumption/budget/tests/e2e/defaults/main.test.bicep
+++ b/modules/consumption/budget/tests/e2e/defaults/main.test.bicep
@@ -20,8 +20,9 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
-name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -30,4 +31,4 @@ module testDeployment '../../../main.bicep' = {
 'dummy@contoso.com'
 ]
 }
-}
+}]
diff --git a/modules/consumption/budget/tests/e2e/max/main.test.bicep b/modules/consumption/budget/tests/e2e/max/main.test.bicep
index 691655f30f..15fa49855c 100644
--- a/modules/consumption/budget/tests/e2e/max/main.test.bicep
+++ b/modules/consumption/budget/tests/e2e/max/main.test.bicep
@@ -20,8 +20,9 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
-name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -37,4 +38,4 @@ module testDeployment '../../../main.bicep' = {
 110
 ]
 }
-}
+}]
diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep
index ec51e97926..0d2260e7d8 100644
--- a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep
@@ -20,8 +20,9 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
-name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -37,4 +38,4 @@ module testDeployment '../../../main.bicep' = {
 110
 ]
 }
-}
+}]
diff --git a/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep b/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep
index e498caa1d5..d8bb8445fd 100644
--- a/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep
+++ b/modules/container-instance/container-group/tests/e2e/defaults/main.test.bicep
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep index 23cf139d30..661a32df6f 100644 --- a/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/encr/main.test.bicep @@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -131,4 +132,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep index e9bf469ed4..cf13c2ed38 100644 --- a/modules/container-instance/container-group/tests/e2e/max/main.test.bicep 
+++ b/modules/container-instance/container-group/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -124,4 +125,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep index ab02133f2c..31b7606b89 100644 --- a/modules/container-instance/container-group/tests/e2e/private/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/private/main.test.bicep @@ -44,9 +44,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -140,4 +141,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep index df26aba037..cba1ba2b00 100644 
--- a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -124,4 +125,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep b/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep index 4646019d7f..648869f165 100644 --- a/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep index 0c7c616942..b24ad4c628 100644 
--- a/modules/container-registry/registry/tests/e2e/encr/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/encr/main.test.bicep @@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-registry/registry/tests/e2e/max/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep index d2fafba4fa..d846a7b696 100644 --- a/modules/container-registry/registry/tests/e2e/max/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/max/main.test.bicep @@ -64,9 +64,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -157,4 +158,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-registry/registry/tests/e2e/pe/main.test.bicep b/modules/container-registry/registry/tests/e2e/pe/main.test.bicep index e114baa09b..ead4de2de4 100644 
--- a/modules/container-registry/registry/tests/e2e/pe/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/pe/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep index 828f69d3d4..f0bf4552b3 100644 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep @@ -64,9 +64,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -157,4 +158,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] From 5e17d9972d17e6246691c5a12f103f598c8ea133 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 18 Nov 2023 19:00:50 +0100 Subject: [PATCH 110/178] [Modules] Added itempotency to tests [2/5] (#4211) * Update to latest * Updated tests * Update to latest * Rollback of diverse changes * Refresh templates --- .../factory/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../factory/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/data-protection/backup-vault/main.json | 8 ++++---- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../backup-vault/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/databricks/workspace/main.json | 12 ++++++------ .../workspace/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../workspace/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/private/main.test.bicep | 7 ++++--- .../tests/e2e/public/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/private/main.test.bicep | 7 ++++--- .../tests/e2e/public/main.test.bicep | 7 ++++--- .../application-group/main.json | 8 ++++---- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../desktop-virtualization/host-pool/main.json | 4 ++-- .../host-pool/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../host-pool/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../scaling-plan/main.json | 4 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../scaling-plan/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../desktop-virtualization/workspace/main.json | 4 ++-- 
.../workspace/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../workspace/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../lab/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../lab/tests/e2e/max/main.test.bicep | 7 ++++--- .../lab/tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/event-grid/domain/main.json | 16 ++++++++-------- .../domain/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../domain/tests/e2e/max/main.test.bicep | 7 ++++--- .../domain/tests/e2e/pe/main.test.bicep | 7 ++++--- .../domain/tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../system-topic/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/event-grid/topic/main.json | 16 ++++++++-------- .../topic/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../topic/tests/e2e/max/main.test.bicep | 7 ++++--- .../topic/tests/e2e/pe/main.test.bicep | 7 ++++--- .../topic/tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../health-bot/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/action-group/main.json | 4 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../action-group/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/activity-log-alert/main.json | 4 ++-- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/component/main.json | 4 ++-- .../component/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../component/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- 
.../insights/data-collection-endpoint/README.md | 6 +++--- .../insights/data-collection-endpoint/main.json | 4 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/data-collection-rule/README.md | 12 ++++++------ modules/insights/data-collection-rule/main.json | 4 ++-- .../tests/e2e/customadv/main.test.bicep | 7 ++++--- .../tests/e2e/custombasic/main.test.bicep | 7 ++++--- .../tests/e2e/customiis/main.test.bicep | 7 ++++--- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/linux/main.test.bicep | 7 ++++--- .../tests/e2e/windows/main.test.bicep | 7 ++++--- modules/insights/diagnostic-setting/main.json | 4 ++-- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/metric-alert/main.json | 4 ++-- .../metric-alert/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/private-link-scope/main.json | 16 ++++++++-------- .../tests/e2e/defaults/main.test.bicep | 7 ++++--- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/scheduled-query-rule/main.json | 4 ++-- .../tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- modules/insights/webtest/main.json | 4 ++-- .../webtest/tests/e2e/defaults/main.test.bicep | 7 ++++--- .../webtest/tests/e2e/max/main.test.bicep | 7 ++++--- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++++--- 99 files changed, 387 insertions(+), 308 deletions(-) diff --git a/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep b/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep index a6d55d1d70..f4ffda85f6 100644 --- a/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/data-factory/factory/tests/e2e/max/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep index d368bd8df3..a04cfe8f10 100644 --- a/modules/data-factory/factory/tests/e2e/max/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/max/main.test.bicep @@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -158,4 +159,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 6c9392de17..28b941a4e4 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep 
@@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -158,4 +159,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 12f17aebcc..8b0c13673f 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8040175372523410173" + "version": "0.23.1.45101", + "templateHash": "8279564580875716128" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", @@ -342,8 +342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4068293382331739919" + "version": "0.23.1.45101", + "templateHash": "3378438498887899064" }, "name": "Data Protection Backup Vault Backup Policies", "description": "This module deploys a Data Protection Backup Vault Backup Policy.", diff --git a/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep index c28874ad47..eb6dd485a2 100644 --- a/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep index 9a85777eb1..4d25b7b7c4 100644 --- a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -135,4 +136,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep index ef8e13b397..8d44a80490 100644 --- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -135,4 +136,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep b/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep index 815fc5ca3d..17bf07d2fc 100644 --- a/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep index 667656739f..268b24f056 100644 --- a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -76,4 +77,4 @@ module testDeployment '../../../main.bicep' = { } location: resourceGroup.location } -} +}] diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index 0ae1572003..bf7405d2c9 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -76,4 +77,4 @@ module testDeployment '../../../main.bicep' = { } location: resourceGroup.location } -} +}] diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index e6dcbd3bd4..390fcb0f0c 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3160595622135122462" + "version": "0.23.1.45101", + "templateHash": "450554632364437388" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", @@ -861,8 +861,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1264,8 +1264,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep b/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep index 9735d40a22..8c3002937e 100644 --- a/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] 
diff --git a/modules/databricks/workspace/tests/e2e/max/main.test.bicep b/modules/databricks/workspace/tests/e2e/max/main.test.bicep index cbf4a382c1..00f1d84997 100644 --- a/modules/databricks/workspace/tests/e2e/max/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/max/main.test.bicep @@ -72,9 +72,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -153,4 +154,4 @@ module testDeployment '../../../main.bicep' = { vnetAddressPrefix: '10.100' location: resourceGroup.location } -} +}] diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep index 4f74e4d560..537323ad34 100644 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -72,9 +72,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -153,4 +154,4 @@ module testDeployment '../../../main.bicep' = { vnetAddressPrefix: '10.100' location: resourceGroup.location } -} +}] diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep index b127e422f4..60b6289226 100644 --- a/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/tests/e2e/defaults/main.test.bicep @@ -42,9 +42,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -53,4 +54,4 @@ module testDeployment '../../../main.bicep' = { skuName: 'Standard_B1ms' tier: 'Burstable' } -} +}] diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep index 1127a1dec0..e5203d967c 100644 --- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep 
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -130,4 +131,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep index 10bb4f7a91..7f522933c1 100644 --- a/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/tests/e2e/public/main.test.bicep @@ -80,9 +80,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -175,4 +176,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep index bac3973754..f3177dd795 100644 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep 
+++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/defaults/main.test.bicep @@ -42,9 +42,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -53,4 +54,4 @@ module testDeployment '../../../main.bicep' = { skuName: 'Standard_B2s' tier: 'Burstable' } -} +}] diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep index eb5a7ba144..fcc65d67d8 100644 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/private/main.test.bicep @@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -117,4 +118,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] 
diff --git a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep index 44bf5e7628..26bda3bd05 100644 --- a/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep +++ b/modules/db-for-postgre-sql/flexible-server/tests/e2e/public/main.test.bicep @@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -148,4 +149,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index bd2466264e..50f7154d0c 100644 --- a/modules/desktop-virtualization/application-group/main.json +++ b/modules/desktop-virtualization/application-group/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14729705419389731754" + "version": "0.23.1.45101", + "templateHash": "10392643216669479103" }, "name": "Azure Virtual Desktop (AVD) Application Groups", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", 
@@ -437,8 +437,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10616827856455579307" + "version": "0.23.1.45101", + "templateHash": "14264026920797711856" }, "name": "Azure Virtual Desktop (AVD) Application Group Applications", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.", diff --git a/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep index 0dcced5bab..54746b0764 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/defaults/main.test.bicep @@ -46,13 +46,14 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' applicationGroupType: 'RemoteApp' hostpoolName: nestedDependencies.outputs.hostPoolName } -} +}] diff --git a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep index 115ba77ed7..49d1fc5088 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep 
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -116,4 +117,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep index eb507bfeaf..a5bb068c02 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -116,4 +117,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index 5759d9b41e..9d02aba679 100644 --- a/modules/desktop-virtualization/host-pool/main.json 
+++ b/modules/desktop-virtualization/host-pool/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2287776590285678937" + "version": "0.23.1.45101", + "templateHash": "14800561756618420199" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep index 0675dbe11e..fc3402a8a1 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep index d48cbdcade..b014dcfb07 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = { ] } } -} +}] diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep index 6499c1f67f..eb8918d929 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = { ] } } -} +}] diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index 16160093bf..aee281bcd0 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17057413050702654038" + "version": "0.23.1.45101", + "templateHash": "16044277949435808798" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep index 1ded6e5b55..160a5f13a3 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep index b8426b2533..9f93f1cae3 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -130,4 +131,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep index 0c02e7560e..4e2ea6cc47 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -130,4 +131,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index b05e7c83d5..3f354c8932 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17022699140829235991" + "version": "0.23.1.45101", + "templateHash": "2244374453334498480" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", diff --git a/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep index 7fc5df6c67..3eb2840ed1 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep index 565fbfe6a8..92de7edff9 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep 
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -100,4 +101,4 @@ module testDeployment '../../../main.bicep' = { description: 'This is my first AVD Workspace' friendlyName: 'My first AVD Workspace' } -} +}] diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep index e6907c5ee2..4de3839aa1 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -100,4 +101,4 @@ module testDeployment '../../../main.bicep' = { description: 'This is my first AVD Workspace' friendlyName: 'My first AVD Workspace' } -} +}] 
diff --git a/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep index b74a10c49c..9a583e7a24 100644 --- a/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { name: '${namePrefix}${serviceShort}001' enableDefaultTelemetry: enableDefaultTelemetry } -} +}] diff --git a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep index f6b24c2177..c93e8c1ec2 100644 --- a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep @@ -54,9 +54,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -283,4 +284,4 @@ module testDeployment '../../../main.bicep' = { thresholdValue100SendNotificationWhenExceeded: 'Enabled' } } -} +}] 
diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep index 007e45fbaf..2fe087e82c 100644 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -54,9 +54,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -283,4 +284,4 @@ module testDeployment '../../../main.bicep' = { thresholdValue100SendNotificationWhenExceeded: 'Enabled' } } -} +}] diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep index 4c2c58a0a8..e62a489683 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] 
diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep index c42182b8df..1b35dd6068 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep @@ -65,9 +65,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { eventHubEndpoint: { authenticationType: 'IdentityBased' @@ -136,4 +137,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 0df8c2735a..98f7a003e8 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -65,9 +65,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { eventHubEndpoint: { authenticationType: 'IdentityBased' 
@@ -135,4 +136,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/event-grid/domain/main.json b/modules/event-grid/domain/main.json index f5177ce8ca..3ad0a4b95a 100644 --- a/modules/event-grid/domain/main.json +++ b/modules/event-grid/domain/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1947450144883968914" + "version": "0.23.1.45101", + "templateHash": "12691133216908716098" }, "name": "Event Grid Domains", "description": "This module deploys an Event Grid Domain.", @@ -613,8 +613,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13108601447016690436" + "version": "0.23.1.45101", + "templateHash": "13344838042263797685" }, "name": "Event Grid Domain Topics", "description": "This module deploys an Event Grid Domain Topic.", @@ -770,8 +770,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1173,8 +1173,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep b/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep index e2d9be8663..69015ce3e4 100644 --- a/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/event-grid/domain/tests/e2e/max/main.test.bicep b/modules/event-grid/domain/tests/e2e/max/main.test.bicep index de3be09b26..3be06cfaf7 100644 --- a/modules/event-grid/domain/tests/e2e/max/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/max/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -121,4 +122,4 @@ module testDeployment '../../../main.bicep' = { '${namePrefix}-topic-${serviceShort}001' ] } -} +}] diff --git a/modules/event-grid/domain/tests/e2e/pe/main.test.bicep b/modules/event-grid/domain/tests/e2e/pe/main.test.bicep index ddaa562218..98d8709f03 100644 --- a/modules/event-grid/domain/tests/e2e/pe/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/pe/main.test.bicep 
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep index bdb9c0b651..d65df56405 100644 --- a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -121,4 +122,4 @@ module testDeployment '../../../main.bicep' = { '${namePrefix}-topic-${serviceShort}001' ] } -} +}] diff --git a/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep index 8bfe4a7feb..ab3814500c 100644 --- a/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep +++ b/modules/event-grid/system-topic/tests/e2e/defaults/main.test.bicep 
@@ -60,13 +60,14 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 source: nestedDependencies.outputs.storageAccountResourceId
 topicType: 'Microsoft.Storage.StorageAccounts'
 }
-}
+}]
diff --git a/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep
index a1fe7d4bf5..cdcc6727cb 100644
--- a/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep
+++ b/modules/event-grid/system-topic/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
index 0ca8feb5b6..943ee3a929 100644
--- a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/event-grid/topic/main.json b/modules/event-grid/topic/main.json
index 79653c975b..2b5559ee2a 100644
--- a/modules/event-grid/topic/main.json
+++ b/modules/event-grid/topic/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17269173170243707502"
+ "version": "0.23.1.45101",
+ "templateHash": "12820080478660459397"
 },
 "name": "Event Grid Topics",
 "description": "This module deploys an Event Grid Topic.",
@@ -604,8 +604,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2222106647839764321"
+ "version": "0.23.1.45101",
+ "templateHash": "19673224192591950"
 },
 "name": "EventGrid Topic Event Subscriptions",
 "description": "This module deploys an Event Grid Topic Event Subscription.",
@@ -847,8 +847,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12078057657290521609"
+ "version": "0.23.1.45101",
+ "templateHash": "6873008238043407177"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1250,8 +1250,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16391702514342252839"
+ "version": "0.23.1.45101",
+ "templateHash": "17578977753131828304"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep b/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep
index 89a79f1097..29f7356f10 100644
--- a/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/event-grid/topic/tests/e2e/max/main.test.bicep b/modules/event-grid/topic/tests/e2e/max/main.test.bicep
index 3ca8f6121e..bba0f24999 100644
--- a/modules/event-grid/topic/tests/e2e/max/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/max/main.test.bicep
@@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -142,4 +143,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/event-grid/topic/tests/e2e/pe/main.test.bicep b/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
index 99f3160297..e2244c60d7 100644
--- a/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/pe/main.test.bicep
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep
index d093b9d5b8..10a11dab1b 100644
--- a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep
@@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -142,4 +143,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep
index 827853ed5b..f2b46c90a3 100644
--- a/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/defaults/main.test.bicep
@@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 sku: 'F0'
 }
-}
+}]
diff --git a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
index 61725e95d4..95e2fb3513 100644
--- a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 }
-}
+}]
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
index 1943545c52..db64640a07 100644
--- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 }
-}
+}]
diff --git a/modules/insights/action-group/main.json b/modules/insights/action-group/main.json
index 3d096908ea..ac749fc55c 100644
--- a/modules/insights/action-group/main.json
+++ b/modules/insights/action-group/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2140251667223898817"
+ "version": "0.23.1.45101",
+ "templateHash": "17468299355631227280"
 },
 "name": "Action Groups",
 "description": "This module deploys an Action Group.",
diff --git a/modules/insights/action-group/tests/e2e/defaults/main.test.bicep b/modules/insights/action-group/tests/e2e/defaults/main.test.bicep
index 5ef4c9a8ef..019b31bb3b 100644
--- a/modules/insights/action-group/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/action-group/tests/e2e/defaults/main.test.bicep
@@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 groupShortName: 'ag${serviceShort}001'
 }
-}
+}]
diff --git a/modules/insights/action-group/tests/e2e/max/main.test.bicep b/modules/insights/action-group/tests/e2e/max/main.test.bicep
index 7a156298a2..55291588f1 100644
--- a/modules/insights/action-group/tests/e2e/max/main.test.bicep
+++ b/modules/insights/action-group/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -85,4 +86,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
index 6059b1d2fd..33b5630927 100644
--- a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -85,4 +86,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json
index e30e649b22..34e3b67f45 100644
--- a/modules/insights/activity-log-alert/main.json
+++ b/modules/insights/activity-log-alert/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "11464845772829048576"
+ "version": "0.23.1.45101",
+ "templateHash": "367673046450488883"
 },
 "name": "Activity Log Alerts",
 "description": "This module deploys an Activity Log Alert.",
diff --git a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
index 74452e4c5f..f0b393e71e 100644
--- a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
+++ b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
index e44bab24e9..4d12202f85 100644
--- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/component/main.json b/modules/insights/component/main.json
index 633108ee5b..8e8789fea1 100644
--- a/modules/insights/component/main.json
+++ b/modules/insights/component/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "15854449149260650767"
+ "version": "0.23.1.45101",
+ "templateHash": "16117162182230487170"
 },
 "name": "Application Insights",
 "description": "This component deploys an Application Insights instance.",
diff --git a/modules/insights/component/tests/e2e/defaults/main.test.bicep b/modules/insights/component/tests/e2e/defaults/main.test.bicep
index 0e4fe18e1f..2c505a853f 100644
--- a/modules/insights/component/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/component/tests/e2e/defaults/main.test.bicep
@@ -46,12 +46,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 workspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
-}
+}]
diff --git a/modules/insights/component/tests/e2e/max/main.test.bicep b/modules/insights/component/tests/e2e/max/main.test.bicep
index e272985a9c..69e8998fab 100644
--- a/modules/insights/component/tests/e2e/max/main.test.bicep
+++ b/modules/insights/component/tests/e2e/max/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -94,4 +95,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
index 19788dc94b..e1940171ae 100644
--- a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -94,4 +95,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md
index d6ae7ac41e..4b38911013 100644
--- a/modules/insights/data-collection-endpoint/README.md
+++ b/modules/insights/data-collection-endpoint/README.md
@@ -41,7 +41,7 @@ This instance deploys the module with the minimum set of required parameters.
 
 ```bicep
 module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcemin'
+ name: '${uniqueString(deployment().name, location)}-test-idcemin'
 params: {
 // Required parameters
 name: 'idcemin001'
@@ -89,7 +89,7 @@ This instance deploys the module with most of its features enabled.
 
 ```bicep
 module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcemax'
+ name: '${uniqueString(deployment().name, location)}-test-idcemax'
 params: {
 // Required parameters
 name: 'idcemax001'
@@ -183,7 +183,7 @@ This instance deploys the module in alignment with the best-practices of the Azu
 
 ```bicep
 module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcewaf'
+ name: '${uniqueString(deployment().name, location)}-test-idcewaf'
 params: {
 // Required parameters
 name: 'idcewaf001'
diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json
index 1b5d39bc42..99cde4054c 100644
--- a/modules/insights/data-collection-endpoint/main.json
+++ b/modules/insights/data-collection-endpoint/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "8921941475150538433"
+ "version": "0.23.1.45101",
+ "templateHash": "13482359133825530422"
 },
 "name": "Data Collection Endpoints",
 "description": "This module deploys a Data Collection Endpoint.",
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
index 296447c846..9d0759239d 100644
--- a/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/tests/e2e/defaults/main.test.bicep
@@ -37,11 +37,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep
index 0bcea4cb4a..3cc4c9c606 100644
--- a/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep
index e587afcd6a..db4a6e31a0 100644
--- a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md
index d28c4145c7..176e51eab6 100644
--- a/modules/insights/data-collection-rule/README.md
+++ b/modules/insights/data-collection-rule/README.md
@@ -41,7 +41,7 @@ The following section provides usage examples for the module, which were used to
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrcusadv'
+ name: '${uniqueString(deployment().name, location)}-test-idcrcusadv'
 params: {
 // Required parameters
 dataFlows: [
@@ -284,7 +284,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrcusbas'
+ name: '${uniqueString(deployment().name, location)}-test-idcrcusbas'
 params: {
 // Required parameters
 dataFlows: [
@@ -495,7 +495,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrcusiis'
+ name: '${uniqueString(deployment().name, location)}-test-idcrcusiis'
 params: {
 // Required parameters
 dataFlows: [
@@ -665,7 +665,7 @@ This instance deploys the module with the minimum set of required parameters.
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrmin'
+ name: '${uniqueString(deployment().name, location)}-test-idcrmin'
 params: {
 // Required parameters
 dataFlows: [
@@ -796,7 +796,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrlin'
+ name: '${uniqueString(deployment().name, location)}-test-idcrlin'
 params: {
 // Required parameters
 dataFlows: [
@@ -1187,7 +1187,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 
 ```bicep
 module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' = {
- name: '${uniqueString(deployment().name)}-test-idcrwin'
+ name: '${uniqueString(deployment().name, location)}-test-idcrwin'
 params: {
 // Required parameters
 dataFlows: [
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json
index 09fd72cd0d..465b252587 100644
--- a/modules/insights/data-collection-rule/main.json
+++ b/modules/insights/data-collection-rule/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2029998281934386338"
+ "version": "0.23.1.45101",
+ "templateHash": "9197823813224298423"
 },
 "name": "Data Collection Rules",
 "description": "This module deploys a Data Collection Rule.",
diff --git a/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep
index 2e2f2a7d14..df94e99d0e 100644
--- a/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/customadv/main.test.bicep
@@ -45,9 +45,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId
@@ -141,4 +142,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep
index b0ae869187..b044a95732 100644
--- a/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/custombasic/main.test.bicep
@@ -45,9 +45,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId
@@ -125,4 +126,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep
index d157de08b6..16bc3e3382 100644
--- a/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/customiis/main.test.bicep
@@ -45,9 +45,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 dataCollectionEndpointId: resourceGroupResources.outputs.dataCollectionEndpointResourceId
@@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep
index 9ba5932555..0328438f44 100644
--- a/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/defaults/main.test.bicep
@@ -37,9 +37,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 dataSources: {
@@ -83,4 +84,4 @@ module testDeployment '../../../main.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 kind: 'Windows'
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep
index 5b5664ffe9..8a213a0651 100644
--- a/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/linux/main.test.bicep
@@ -44,9 +44,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 description: 'Collecting Linux-specific performance counters and Linux Syslog'
@@ -217,4 +218,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Linux'
 }
 }
-}
+}]
diff --git a/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep b/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep
index 9d2ee0f182..5831e1db12 100644
--- a/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep
+++ b/modules/insights/data-collection-rule/tests/e2e/windows/main.test.bicep
@@ -44,9 +44,10 @@ module resourceGroupResources 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 description: 'Collecting Windows-specific performance counters and Windows Event Logs'
@@ -171,4 +172,4 @@ module testDeployment '../../../main.bicep' = {
 kind: 'Windows'
 }
 }
-}
+}]
diff --git a/modules/insights/diagnostic-setting/main.json b/modules/insights/diagnostic-setting/main.json
index 4ae15a0838..15e8e5876f 100644
--- a/modules/insights/diagnostic-setting/main.json
+++ b/modules/insights/diagnostic-setting/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18398206698301331030"
+ "version": "0.23.1.45101",
+ "templateHash": "14463307770250978710"
 },
 "name": "Diagnostic Settings (Activity Logs) for Azure Subscriptions",
 "description": "This module deploys a Subscription wide export of the Activity Log.",
diff --git a/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep
index b26c05e269..82001d753f 100644
--- a/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep
+++ b/modules/insights/diagnostic-setting/tests/e2e/max/main.test.bicep
@@ -52,8 +52,9 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -67,4 +68,4 @@ module testDeployment '../../../main.bicep' = {
 storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
 workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
-}
+}]
diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep
index 7836a24eed..a84b3f82bc 100644
--- a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep
@@ -52,8 +52,9 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -67,4 +68,4 @@ module testDeployment '../../../main.bicep' = {
 storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
 workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 }
-}
+}]
diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json
index afc031ec18..2db2abd469 100644
--- a/modules/insights/metric-alert/main.json
+++ b/modules/insights/metric-alert/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "7986480211513146761"
+ "version": "0.23.1.45101",
+ "templateHash": "5346116636281635704"
 },
 "name": "Metric Alerts",
 "description": "This module deploys a Metric Alert.",
diff --git a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep
index f9cc7d5482..aff5f631ca 100644
--- a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep
+++ b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -84,4 +85,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
index ee7bf8abbd..edad7e8898 100644
--- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -84,4 +85,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json
index 78639b2628..36e1148e6e 100644
--- a/modules/insights/private-link-scope/main.json
+++ b/modules/insights/private-link-scope/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17458207121236197041"
+ "version": "0.23.1.45101",
+ "templateHash": "2298112212939244874"
 },
 "name": "Azure Monitor Private Link Scopes",
 "description": "This module deploys an Azure Monitor Private Link Scope.",
@@ -437,8 +437,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13415430389319270642"
+ "version": "0.23.1.45101",
+ "templateHash": "6728675477102381760"
 },
 "name": "Private Link Scope Scoped Resources",
 "description": "This module deploys a Private Link Scope Scoped Resource.",
@@ -598,8 +598,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12078057657290521609"
+ "version": "0.23.1.45101",
+ "templateHash": "6873008238043407177"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1001,8 +1001,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16391702514342252839"
+ "version": "0.23.1.45101",
+ "templateHash": "17578977753131828304"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
index 2ed54c7791..33740e555d 100644
--- a/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/private-link-scope/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep
index 6b92ace5e2..dc9ca75fdc 100644
--- a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep
+++ b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -86,4 +87,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep
index bda1d61e70..c18ef415f3 100644
--- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -86,4 +87,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json
index 804da1fac7..031154f77b 100644
--- a/modules/insights/scheduled-query-rule/main.json
+++ b/modules/insights/scheduled-query-rule/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3215598878486027169"
+ "version": "0.23.1.45101",
+ "templateHash": "13321854191011496877"
 },
 "name": "Scheduled Query Rules",
 "description": "This module deploys a Scheduled Query Rule.",
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep
index d8bc06cf5e..703927ec7c 100644
--- a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep
+++ b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
index 6c924009a5..3690a19042 100644
--- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json
index 31d4a00dd5..332045650c 100644
--- a/modules/insights/webtest/main.json
+++ b/modules/insights/webtest/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "15753684775174621493"
+ "version": "0.23.1.45101",
+ "templateHash": "8858444279583976442"
 },
 "name": "Web Tests",
 "description": "This module deploys a Web Test.",
diff --git a/modules/insights/webtest/tests/e2e/defaults/main.test.bicep b/modules/insights/webtest/tests/e2e/defaults/main.test.bicep
index 99e6969ed2..a8c77a7505 100644
--- a/modules/insights/webtest/tests/e2e/defaults/main.test.bicep
+++ b/modules/insights/webtest/tests/e2e/defaults/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -64,4 +65,4 @@ module testDeployment '../../../main.bicep' = {
 HttpVerb: 'GET'
 }
 }
-}
+}]
diff --git a/modules/insights/webtest/tests/e2e/max/main.test.bicep b/modules/insights/webtest/tests/e2e/max/main.test.bicep
index 1a552a552b..6821002ea8 100644
--- a/modules/insights/webtest/tests/e2e/max/main.test.bicep
+++ b/modules/insights/webtest/tests/e2e/max/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -74,4 +75,4 @@ module testDeployment '../../../main.bicep' = {
 name: 'myCustomLockName'
 }
 }
-}
+}]
diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep
index 0fcdae082d..8674910b4f 100644
--- a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 tags: {
@@ -74,4 +75,4 @@ module testDeployment '../../../main.bicep' = {
 name: 'myCustomLockName'
 }
 }
-}
+}]
From d6a3486374c9a4d2a2eaecaed3f82dfebe4ab596 Mon Sep 17 00:00:00 2001
From: Alexander Sehr 
Date: Sat, 18 Nov 2023 19:03:42 +0100
Subject: [PATCH 111/178] [Modules] Added itempotency to tests [3/5] (#4212)
* Updated batch 3
* Update to latest
* Refreshed templates
---
 modules/key-vault/vault/main.json | 24 +++++++++----------
 .../tests/e2e/accesspolicies/main.test.bicep | 7 +++---
 .../vault/tests/e2e/defaults/main.test.bicep | 7 +++---
 .../vault/tests/e2e/max/main.test.bicep | 7 +++---
 .../vault/tests/e2e/pe/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../extension/main.json | 8 +++----
 .../tests/e2e/defaults/main.test.bicep | 7 +++---
 .../extension/tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../flux-configuration/main.json | 4 ++--
 .../tests/e2e/defaults/main.test.bicep | 7 +++---
 .../tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../workflow/tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../maintenance-configuration/main.json | 4 ++--
 .../tests/e2e/defaults/main.test.bicep | 7 +++---
 .../tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../user-assigned-identity/main.json | 8 +++----
 .../tests/e2e/defaults/main.test.bicep | 7 +++---
 .../tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 .../registration-definition/main.json | 8 +++----
 .../tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/rg/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 modules/management/management-group/main.json | 4 ++--
 .../tests/e2e/defaults/main.test.bicep | 7 +++---
 .../tests/e2e/max/main.test.bicep | 7 +++---
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +++---
 32 files changed, 130 insertions(+), 105 deletions(-)
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index f074992132..49af2cfca8 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3329640314478719515"
+ "version": "0.23.1.45101",
+ "templateHash": "4234651984682220679"
 },
 "name": "Key Vaults",
 "description": "This module deploys a Key Vault.",
@@ -705,8 +705,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2131300650084383528"
+ "version": "0.23.1.45101",
+ "templateHash": "5636934877550105255"
 },
 "name": "Key Vault Access Policies",
 "description": "This module deploys a Key Vault Access Policy.",
@@ -843,8 +843,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3223693327720603920"
+ "version": "0.23.1.45101",
+ "templateHash": "14408031654729406286"
 },
 "name": "Key Vault Secrets",
 "description": "This module deploys a Key Vault Secret.",
@@ -1138,8 +1138,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2953672245031093442"
+ "version": "0.23.1.45101",
+ "templateHash": "6556101606252284471"
 },
 "name": "Key Vault Keys",
 "description": "This module deploys a Key Vault Key.",
@@ -1508,8 +1508,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12078057657290521609"
+ "version": "0.23.1.45101",
+ "templateHash": "6873008238043407177"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -1911,8 +1911,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16391702514342252839"
+ "version": "0.23.1.45101",
+ "templateHash": "17578977753131828304"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep b/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep
index 12e509a459..78e0646b07 100644
--- a/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/tests/e2e/accesspolicies/main.test.bicep
@@ -58,9 +58,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}002'
@@ -131,4 +132,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep b/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
index 351273f306..05bd9adc84 100644
--- a/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
+++ b/modules/key-vault/vault/tests/e2e/defaults/main.test.bicep
@@ -38,13 +38,14 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}002'
 // Only for testing purposes
 enablePurgeProtection: false
 }
-}
+}]
diff --git a/modules/key-vault/vault/tests/e2e/max/main.test.bicep b/modules/key-vault/vault/tests/e2e/max/main.test.bicep
index 16392f9744..e2df0ea2cd 100644
--- a/modules/key-vault/vault/tests/e2e/max/main.test.bicep
+++ b/modules/key-vault/vault/tests/e2e/max/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}002'
@@ -186,4 +187,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/key-vault/vault/tests/e2e/pe/main.test.bicep b/modules/key-vault/vault/tests/e2e/pe/main.test.bicep
index b1d0f9c89f..ec942371bb 100644
--- a/modules/key-vault/vault/tests/e2e/pe/main.test.bicep
+++ b/modules/key-vault/vault/tests/e2e/pe/main.test.bicep
@@ -57,9 +57,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -134,4 +135,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
index edca2e6418..6e41928c3f 100644
--- a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}002'
@@ -186,4 +187,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/extension/main.json b/modules/kubernetes-configuration/extension/main.json
index f72a9dcfba..adb39135d7 100644
--- a/modules/kubernetes-configuration/extension/main.json
+++ b/modules/kubernetes-configuration/extension/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5002606439705018990"
+ "version": "0.23.1.45101",
+ "templateHash": "18265527122738367400"
 },
 "name": "Kubernetes Configuration Extensions",
 "description": "This module deploys a Kubernetes Configuration Extension.",
@@ -167,8 +167,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "6686104224333946371"
+ "version": "0.23.1.45101",
+ "templateHash": "8985718648814286209"
 },
 "name": "Kubernetes Configuration Flux Configurations",
 "description": "This module deploys a Kubernetes Configuration Flux Configuration.",
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
index e423f75456..87d6cd850b 100644
--- a/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
+++ b/modules/kubernetes-configuration/extension/tests/e2e/defaults/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -58,4 +59,4 @@ module testDeployment '../../../main.bicep' = {
 releaseNamespace: 'flux-system'
 releaseTrain: 'Stable'
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep
index c371a3c0d2..2e89b688c5 100644
--- a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep
+++ b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -81,4 +82,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep
index bfcc8c9102..c4d96b2b40 100644
--- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -81,4 +82,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/flux-configuration/main.json b/modules/kubernetes-configuration/flux-configuration/main.json
index 252df520e1..31cd5d44ab 100644
--- a/modules/kubernetes-configuration/flux-configuration/main.json
+++ b/modules/kubernetes-configuration/flux-configuration/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "6686104224333946371"
+ "version": "0.23.1.45101",
+ "templateHash": "8985718648814286209"
 },
 "name": "Kubernetes Configuration Flux Configurations",
 "description": "This module deploys a Kubernetes Configuration Flux Configuration.",
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
index 2e22479c4a..1e633b5bd0 100644
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = {
 url: 'https://github.com/mspnp/aks-baseline'
 }
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
index 9a9c757de1..fbc4aa7069 100644
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/max/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -78,4 +79,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep
index 900a2585ff..858b74642f 100644
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -78,4 +79,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/logic/workflow/tests/e2e/max/main.test.bicep b/modules/logic/workflow/tests/e2e/max/main.test.bicep
index 81012eb04d..108fd11c93 100644
--- a/modules/logic/workflow/tests/e2e/max/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/max/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -133,4 +134,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
index ae9bd6c098..315241f110 100644
--- a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -133,4 +134,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json
index 4dc124f346..783f5211ae 100644
--- a/modules/maintenance/maintenance-configuration/main.json
+++ b/modules/maintenance/maintenance-configuration/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14384863342174130916"
+ "version": "0.23.1.45101",
+ "templateHash": "17577108209638713488"
 },
 "name": "Maintenance Configurations",
 "description": "This module deploys a Maintenance Configuration.",
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep
index fd4155b517..b12067c411 100644
--- a/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
   }
-}
+}]
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
index 980dcf5100..27067531c7 100644
--- a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = {
       }
     }
   }
-}
+}]
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
index 467bb46bba..69183f0070 100644
--- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = {
       }
     }
   }
-}
+}]
diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json
index 4e8baa2ed8..c4e94ee69a 100644
--- a/modules/managed-identity/user-assigned-identity/main.json
+++ b/modules/managed-identity/user-assigned-identity/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "1438876956443234621"
+      "version": "0.23.1.45101",
+      "templateHash": "5498176834182987595"
     },
     "name": "User Assigned Identities",
     "description": "This module deploys a User Assigned Identity.",
@@ -263,8 +263,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "15026838206978058830"
+      "version": "0.23.1.45101",
+      "templateHash": "16507829721467583096"
     },
     "name": "User Assigned Identity Federated Identity Credential",
     "description": "This module deploys a User Assigned Identity Federated Identity Credential.",
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep
index d0cb243b1f..fba55f1303 100644
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep
@@ -38,10 +38,11 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
   }
-}
+}]
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
index bd4e76dc48..1f0bb1dc8e 100644
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -79,4 +80,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
index fababf8321..f2ab92ca67 100644
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -79,4 +80,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/managed-services/registration-definition/main.json b/modules/managed-services/registration-definition/main.json
index 2940047230..09d2985143 100644
--- a/modules/managed-services/registration-definition/main.json
+++ b/modules/managed-services/registration-definition/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "18225216426535356338"
+      "version": "0.23.1.45101",
+      "templateHash": "16560417041249407404"
     },
     "name": "Registration Definitions",
     "description": "This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')\r\non subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is\r\nassigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where\r\nthe Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a\r\nremote/managing tenant.",
@@ -125,8 +125,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "3494089951098103079"
+      "version": "0.23.1.45101",
+      "templateHash": "3802628714549364686"
     }
   },
   "parameters": {
diff --git a/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep
index 09e848751a..703eb9a46e 100644
--- a/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep
+++ b/modules/managed-services/registration-definition/tests/e2e/max/main.test.bicep
@@ -20,8 +20,9 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment'
@@ -45,4 +46,4 @@ module testDeployment '../../../main.bicep' = {
     managedByTenantId: '<< SET YOUR TENANT ID HERE >>'
     registrationDescription: 'Managed by Lighthouse'
   }
-}
+}]
diff --git a/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
index 8de69a8b4b..f3407db0d1 100644
--- a/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
+++ b/modules/managed-services/registration-definition/tests/e2e/rg/main.test.bicep
@@ -35,8 +35,9 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: 'Component Validation - ${namePrefix}${serviceShort} Resource group assignment'
@@ -61,4 +62,4 @@ module testDeployment '../../../main.bicep' = {
     registrationDescription: 'Managed by Lighthouse'
     resourceGroupName: resourceGroup.name
   }
-}
+}]
diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
index 553e1b72b9..f28e22d49b 100644
--- a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep
@@ -20,8 +20,9 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment'
@@ -45,4 +46,4 @@ module testDeployment '../../../main.bicep' = {
     managedByTenantId: '<< SET YOUR TENANT ID HERE >>'
     registrationDescription: 'Managed by Lighthouse'
   }
-}
+}]
diff --git a/modules/management/management-group/main.json b/modules/management/management-group/main.json
index 728fe73364..387fccb26a 100644
--- a/modules/management/management-group/main.json
+++ b/modules/management/management-group/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "10015491334460357572"
+      "version": "0.23.1.45101",
+      "templateHash": "8382659886206939676"
     },
     "name": "Management Groups",
     "description": "This template will prepare the management group structure based on the provided parameter.\r\n\r\nThis module has some known **limitations**:\r\n- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)\r\n- It can't manage the Root (/) management group",
diff --git a/modules/management/management-group/tests/e2e/defaults/main.test.bicep b/modules/management/management-group/tests/e2e/defaults/main.test.bicep
index bacde932d6..14872bf2d3 100644
--- a/modules/management/management-group/tests/e2e/defaults/main.test.bicep
+++ b/modules/management/management-group/tests/e2e/defaults/main.test.bicep
@@ -20,10 +20,11 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
   }
-}
+}]
diff --git a/modules/management/management-group/tests/e2e/max/main.test.bicep b/modules/management/management-group/tests/e2e/max/main.test.bicep
index 41256aa624..c47632027d 100644
--- a/modules/management/management-group/tests/e2e/max/main.test.bicep
+++ b/modules/management/management-group/tests/e2e/max/main.test.bicep
@@ -20,12 +20,13 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
     displayName: 'Test MG'
     parentId: last(split(managementGroup().id, '/'))
   }
-}
+}]
diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
index 8ccb083802..93652e6765 100644
--- a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep
@@ -20,12 +20,13 @@ param namePrefix string = '[[namePrefix]]'
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
-  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
     displayName: 'Test MG'
     parentId: last(split(managementGroup().id, '/'))
   }
-}
+}]

From fed1f3356b72cc42f6fe24095c7ae82bf9558585 Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Sat, 18 Nov 2023 19:05:00 +0100 Subject: [PATCH 112/178] [Modules] Added itempotency to tests [4/5] (#4213) * Updated batch 4 * Refreshed NW * Test update to vnet * Update to latest * Refreshed templates * Update to latest --- .../main.json | 4 +- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../application-security-group/main.json | 4 +- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/azure-firewall/main.json | 12 ++--- .../tests/e2e/addpip/main.test.bicep | 7 +-- .../tests/e2e/custompip/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/hubcommon/main.test.bicep | 7 +-- .../tests/e2e/hubmin/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/bastion-host/main.json | 8 ++-- .../tests/e2e/custompip/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/connection/main.json | 4 +- .../tests/e2e/vnet2vnet/main.test.bicep | 7 +-- .../network/dns-forwarding-ruleset/main.json | 12 ++--- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/dns-resolver/main.json | 4 +- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/dns-zone/main.json | 44 +++++++++---------- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../dns-zone/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/express-route-circuit/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- 
.../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/express-route-gateway/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/front-door/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../front-door/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/ip-group/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../ip-group/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/local-network-gateway/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/nat-gateway/main.json | 20 ++++----- .../nat-gateway/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/prefixCombined/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/network-interface/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/network-manager/main.json | 32 +++++++------- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/network-security-group/main.json | 8 ++-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/network-watcher/README.md | 6 +-- modules/network/network-watcher/main.json | 12 ++--- 
.../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/private-dns-zone/main.json | 40 ++++++++--------- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/private-endpoint/main.json | 8 ++-- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/private-link-service/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/public-ip-address/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/public-ip-prefix/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/route-table/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../route-table/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/service-endpoint-policy/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/trafficmanagerprofile/main.json | 4 +- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- modules/network/virtual-hub/main.json | 12 ++--- .../tests/e2e/defaults/main.test.bicep | 7 +-- .../virtual-hub/tests/e2e/max/main.test.bicep | 7 +-- .../tests/e2e/waf-aligned/main.test.bicep | 7 +-- .../network/virtual-network-gateway/main.json | 12 ++--- .../tests/e2e/aadvpn/main.test.bicep | 7 +-- 
 .../tests/e2e/expressRoute/main.test.bicep | 7 +--
 .../tests/e2e/vpn/main.test.bicep | 7 +--
 modules/network/virtual-wan/main.json | 4 +-
 .../tests/e2e/defaults/main.test.bicep | 7 +--
 .../virtual-wan/tests/e2e/max/main.test.bicep | 7 +--
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +--
 modules/network/vpn-gateway/main.json | 12 ++---
 .../tests/e2e/defaults/main.test.bicep | 7 +--
 .../vpn-gateway/tests/e2e/max/main.test.bicep | 7 +--
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +--
 modules/network/vpn-site/main.json | 4 +-
 .../tests/e2e/defaults/main.test.bicep | 7 +--
 .../vpn-site/tests/e2e/max/main.test.bicep | 7 +--
 .../tests/e2e/waf-aligned/main.test.bicep | 7 +--
 133 files changed, 557 insertions(+), 457 deletions(-)

diff --git a/modules/network/application-gateway-web-application-firewall-policy/main.json b/modules/network/application-gateway-web-application-firewall-policy/main.json
index 160f4e7b60..3d860d9883 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/main.json
+++ b/modules/network/application-gateway-web-application-firewall-policy/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "5940192377706231381"
+      "version": "0.23.1.45101",
+      "templateHash": "2444407542563544390"
     },
     "name": "Application Gateway Web Application Firewall (WAF) Policies",
     "description": "This module deploys an Application Gateway Web Application Firewall (WAF) Policy.",
diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep
index a06afa8f68..6d6e62eff2 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep
+++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/max/main.test.bicep
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
index 0629a475af..5ef5d817c3 100644
--- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
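Review bot: The `idem` iteration proves only that a second deployment of `testDeployment` with identical parameters does not fail; nothing in this hunk, or in the matching hunks of this commit on L31758 through L31762, records whether that second run actually changed anything, so a module that silently recreates or re-mutates a resource on every apply would still pass. If the repo's test harness does not already compare the two deployments (I cannot see it from here), a short comment stating that limitation would stop readers from over-trusting the check, e.g. `// 'idem' re-applies the same parameters; a passing run means the redeploy succeeded, not that it was a no-op.` The rest of the module body lies outside the hunk.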
diff --git a/modules/network/application-gateway/tests/e2e/max/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep
index a43632ad5d..895da7a68c 100644
--- a/modules/network/application-gateway/tests/e2e/max/main.test.bicep
+++ b/modules/network/application-gateway/tests/e2e/max/main.test.bicep
@@ -66,9 +66,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 var appGWName = '${namePrefix}${serviceShort}001'
 var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}'
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: appGWName
@@ -495,4 +496,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep
index d86f1bc749..52253dd7c9 100644
--- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep
@@ -66,9 +66,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 var appGWName = '${namePrefix}${serviceShort}001'
 var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}'
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: appGWName
@@ -495,4 +496,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json
index f6b82ac527..81e7562d2c 100644
--- a/modules/network/application-security-group/main.json
+++ b/modules/network/application-security-group/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "5654528138086993351"
+      "version": "0.23.1.45101",
+      "templateHash": "4261949823005751944"
     },
     "name": "Application Security Groups (ASG)",
     "description": "This module deploys an Application Security Group (ASG).",
diff --git a/modules/network/application-security-group/tests/e2e/max/main.test.bicep b/modules/network/application-security-group/tests/e2e/max/main.test.bicep
index 338980479c..1c6db275ed 100644
--- a/modules/network/application-security-group/tests/e2e/max/main.test.bicep
+++ b/modules/network/application-security-group/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep
index 052a71f7b1..37d595cd4f 100644
--- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
       Role: 'DeploymentValidation'
     }
   }
-}
+}]
diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json
index 786b73a652..7d62269841 100644
--- a/modules/network/azure-firewall/main.json
+++ b/modules/network/azure-firewall/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3800476164049795980"
+ "version": "0.23.1.45101",
+ "templateHash": "13795244529737704006"
 },
 "name": "Azure Firewalls",
 "description": "This module deploys an Azure Firewall.",
@@ -536,8 +536,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18404193892947466906"
+ "version": "0.23.1.45101",
+ "templateHash": "15536304828480480757"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
@@ -1067,8 +1067,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18404193892947466906"
+ "version": "0.23.1.45101",
+ "templateHash": "15536304828480480757"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
diff --git a/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
index 373c6489e0..61b216c4a3 100644
--- a/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/addpip/main.test.bicep
@@ -45,9 +45,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep b/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
index 0632d591fb..37fb6178bc 100644
--- a/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/custompip/main.test.bicep
@@ -58,9 +58,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -99,4 +100,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep b/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
index 9d5c870954..7530eeedd1 100644
--- a/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/defaults/main.test.bicep
@@ -46,12 +46,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 vNetId: nestedDependencies.outputs.virtualNetworkResourceId
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
index aeba7abd0e..5870bd2081 100644
--- a/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/hubcommon/main.test.bicep
@@ -45,9 +45,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -64,4 +65,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep b/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
index 362ff67a62..dd3dd67364 100644
--- a/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/hubmin/main.test.bicep
@@ -44,9 +44,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -57,4 +58,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep
index 654c2e950c..22a9bd66d0 100644
--- a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -187,4 +188,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep
index beb7ff6624..eb3d525802 100644
--- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -187,4 +188,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json
index a5fd8c192b..e767ea151b 100644
--- a/modules/network/bastion-host/main.json
+++ b/modules/network/bastion-host/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "387274338478290784"
+ "version": "0.23.1.45101",
+ "templateHash": "18247198571712055537"
 },
 "name": "Bastion Hosts",
 "description": "This module deploys a Bastion Host.",
@@ -456,8 +456,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18404193892947466906"
+ "version": "0.23.1.45101",
+ "templateHash": "15536304828480480757"
 },
 "name": "Public IP Addresses",
 "description": "This module deploys a Public IP Address.",
diff --git a/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep b/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
index 500158ac2b..0db344d679 100644
--- a/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/custompip/main.test.bicep
@@ -58,9 +58,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep b/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
index e150c3dd41..dd96e2e579 100644
--- a/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/defaults/main.test.bicep
@@ -46,12 +46,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 vNetId: nestedDependencies.outputs.virtualNetworkResourceId
 }
-}
+}]
diff --git a/modules/network/bastion-host/tests/e2e/max/main.test.bicep b/modules/network/bastion-host/tests/e2e/max/main.test.bicep
index c601028796..2623cdb0d2 100644
--- a/modules/network/bastion-host/tests/e2e/max/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
index 30d7f82891..c94cc48d12 100644
--- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/connection/main.json b/modules/network/connection/main.json
index 06b806ec90..9c15afa676 100644
--- a/modules/network/connection/main.json
+++ b/modules/network/connection/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12513996667923008520"
+ "version": "0.23.1.45101",
+ "templateHash": "13101983309900723680"
 },
 "name": "Virtual Network Gateway Connections",
 "description": "This module deploys a Virtual Network Gateway Connection.",
diff --git a/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep b/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
index 7512784f5f..5ead06960a 100644
--- a/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
+++ b/modules/network/connection/tests/e2e/vnet2vnet/main.test.bicep
@@ -52,9 +52,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -77,4 +78,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-forwarding-ruleset/main.json b/modules/network/dns-forwarding-ruleset/main.json
index 18a95ff4a7..438e3ce462 100644
--- a/modules/network/dns-forwarding-ruleset/main.json
+++ b/modules/network/dns-forwarding-ruleset/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "606770546796558268"
+ "version": "0.23.1.45101",
+ "templateHash": "6102897897413870050"
 },
 "name": "Dns Forwarding Rulesets",
 "description": "This template deploys an dns forwarding ruleset.",
@@ -285,8 +285,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14481617304679147684"
+ "version": "0.23.1.45101",
+ "templateHash": "15853222260858972029"
 },
 "name": "Dns Forwarding Rulesets Forwarding Rules",
 "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.",
@@ -432,8 +432,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13868433916800604215"
+ "version": "0.23.1.45101",
+ "templateHash": "10716706455477062359"
 },
 "name": "Dns Forwarding Rulesets Virtual Network Links",
 "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.",
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
index c43583ba3e..fa68f8b9b4 100644
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/defaults/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -58,4 +59,4 @@ module testDeployment '../../../main.bicep' = {
 nestedDependencies.outputs.dnsResolverOutboundEndpointsResourceId
 ]
 }
-}
+}]
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep
index 62b410d4e1..58a5b8b7cd 100644
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/max/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -91,4 +92,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
index d6dfab9955..37eca099f6 100644
--- a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -91,4 +92,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-resolver/main.json b/modules/network/dns-resolver/main.json
index f865583ec3..95fa4fc6e0 100644
--- a/modules/network/dns-resolver/main.json
+++ b/modules/network/dns-resolver/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "1368516182536244739"
+ "version": "0.23.1.45101",
+ "templateHash": "5702313837113326877"
 },
 "name": "DNS Resolvers",
 "description": "This module deploys a DNS Resolver.",
diff --git a/modules/network/dns-resolver/tests/e2e/max/main.test.bicep b/modules/network/dns-resolver/tests/e2e/max/main.test.bicep
index a15b78dbf0..563c9295ba 100644
--- a/modules/network/dns-resolver/tests/e2e/max/main.test.bicep
+++ b/modules/network/dns-resolver/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -72,4 +73,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
index 8748710b28..972297e6cf 100644
--- a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -72,4 +73,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-zone/main.json b/modules/network/dns-zone/main.json
index 588848d689..73ab825aba 100644
--- a/modules/network/dns-zone/main.json
+++ b/modules/network/dns-zone/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14383961739979857836"
+ "version": "0.23.1.45101",
+ "templateHash": "192131081135137851"
 },
 "name": "Public DNS Zones",
 "description": "This module deploys a Public DNS zone.",
@@ -331,8 +331,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10974837461645436691"
+ "version": "0.23.1.45101",
+ "templateHash": "9611074560358227947"
 },
 "name": "Public DNS Zone A record",
 "description": "This module deploys a Public DNS Zone A record.",
@@ -599,8 +599,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "11266429358803831455"
+ "version": "0.23.1.45101",
+ "templateHash": "14864971256419465724"
 },
 "name": "Public DNS Zone AAAA record",
 "description": "This module deploys a Public DNS Zone AAAA record.",
@@ -867,8 +867,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "13232609782269052972"
+ "version": "0.23.1.45101",
+ "templateHash": "1267823163217140681"
 },
 "name": "Public DNS Zone CNAME record",
 "description": "This module deploys a Public DNS Zone CNAME record.",
@@ -1134,8 +1134,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17336929917389994115"
+ "version": "0.23.1.45101",
+ "templateHash": "334963919740395938"
 },
 "name": "Public DNS Zone CAA record",
 "description": "This module deploys a Public DNS Zone CAA record.",
@@ -1393,8 +1393,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16614736782890395121"
+ "version": "0.23.1.45101",
+ "templateHash": "913365561266018486"
 },
 "name": "Public DNS Zone MX record",
 "description": "This module deploys a Public DNS Zone MX record.",
@@ -1652,8 +1652,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10360566575253611568"
+ "version": "0.23.1.45101",
+ "templateHash": "14921767837432456957"
 },
 "name": "Public DNS Zone NS record",
 "description": "This module deploys a Public DNS Zone NS record.",
@@ -1911,8 +1911,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "694884293764156099"
+ "version": "0.23.1.45101",
+ "templateHash": "1781674036442480125"
 },
 "name": "Public DNS Zone PTR record",
 "description": "This module deploys a Public DNS Zone PTR record.",
@@ -2170,8 +2170,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "10526329700400149290"
+ "version": "0.23.1.45101",
+ "templateHash": "15508005336915398346"
 },
 "name": "Public DNS Zone SOA record",
 "description": "This module deploys a Public DNS Zone SOA record.",
@@ -2429,8 +2429,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2773338273433722142"
+ "version": "0.23.1.45101",
+ "templateHash": "12022158765353146053"
 },
 "name": "Public DNS Zone SRV record",
 "description": "This module deploys a Public DNS Zone SRV record.",
@@ -2688,8 +2688,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "8314659933691992641"
+ "version": "0.23.1.45101",
+ "templateHash": "12802491396062490027"
 },
 "name": "Public DNS Zone TXT record",
 "description": "This module deploys a Public DNS Zone TXT record.",
diff --git a/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep b/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep
index 169bf08e48..2f820dd353 100644
--- a/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/dns-zone/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001.com'
 }
-}
+}]
diff --git a/modules/network/dns-zone/tests/e2e/max/main.test.bicep b/modules/network/dns-zone/tests/e2e/max/main.test.bicep
index f1ec3b4b4a..3e016759eb 100644
--- a/modules/network/dns-zone/tests/e2e/max/main.test.bicep
+++ b/modules/network/dns-zone/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001.com'
@@ -219,4 +220,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep
index 6e754253e1..a1b86c65e9 100644
--- a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001.com'
@@ -219,4 +220,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json
index bdcfd8633a..482950e671 100644
--- a/modules/network/express-route-circuit/main.json
+++ b/modules/network/express-route-circuit/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "3204607868859274788"
+ "version": "0.23.1.45101",
+ "templateHash": "6315579544397323393"
 },
 "name": "ExpressRoute Circuits",
 "description": "This module deploys an Express Route Circuit.",
diff --git a/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep
index c6bc88b5d7..1296f33399 100644
--- a/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/express-route-circuit/tests/e2e/defaults/main.test.bicep
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -48,4 +49,4 @@ module testDeployment '../../../main.bicep' = {
 peeringLocation: 'Amsterdam'
 serviceProviderName: 'Equinix'
 }
-}
+}]
diff --git a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep
index 3243abdb14..015786939d 100644
--- a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep
+++ b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -103,4 +104,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep
index a7c2a372a3..d3509c0c8d 100644
--- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -103,4 +104,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json
index d2746f5621..6be627532b 100644
--- a/modules/network/express-route-gateway/main.json
+++ b/modules/network/express-route-gateway/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14898040937418721724"
+ "version": "0.23.1.45101",
+ "templateHash": "13411012748796915951"
 },
 "name": "Express Route Gateways",
 "description": "This module deploys an Express Route Gateway.",
diff --git a/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
index e60a1ef9ca..d9a40783f7 100644
--- a/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
@@ -46,13 +46,14 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 virtualHubId: nestedDependencies.outputs.virtualHubResourceId
 }
-}
+}]
diff --git a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
index 1578837962..42867d94f4 100644
--- a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -72,4 +73,4 @@ module testDeployment '../../../main.bicep' = {
 }
 ]
 }
-}
+}]
diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
index 3c237372da..e95b805cb0 100644
--- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -72,4 +73,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep b/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep index 94f9f074c1..510a9cc539 100644 --- a/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep +++ b/modules/network/firewall-policy/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/firewall-policy/tests/e2e/max/main.test.bicep index 880b8de836..733806d96f 100644 --- a/modules/network/firewall-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/firewall-policy/tests/e2e/max/main.test.bicep 
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -90,4 +91,4 @@ module testDeployment '../../../main.bicep' = { allowSqlRedirect: true autoLearnPrivateRanges: 'Enabled' } -} +}] diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 2c496ca64e..9d4a296941 100644 --- a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -90,4 +91,4 @@ module testDeployment '../../../main.bicep' = { allowSqlRedirect: true autoLearnPrivateRanges: 'Enabled' } -} +}] diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json index ab41c5bfa9..deff6d2c90 100644 
--- a/modules/network/front-door-web-application-firewall-policy/main.json +++ b/modules/network/front-door-web-application-firewall-policy/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17032186144877035425" + "version": "0.23.1.45101", + "templateHash": "4704133430078422281" }, "name": "Front Door Web Application Firewall (WAF) Policies", "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.", diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep index 779069f9bd..bf7f841060 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep index 7bce666da5..835ce7f757 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index f7f4e7fad3..4248cdace9 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -132,4 +133,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json index 633202d39a..3b20f006ef 100644 --- a/modules/network/front-door/main.json +++ b/modules/network/front-door/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2830838705545746095" + "version": "0.23.1.45101", + "templateHash": "18065323177030790685" }, "name": "Azure Front Doors", "description": "This module deploys an Azure Front Door.", diff --git a/modules/network/front-door/tests/e2e/defaults/main.test.bicep b/modules/network/front-door/tests/e2e/defaults/main.test.bicep index ab263c6aaf..6af3d2e506 100644 --- a/modules/network/front-door/tests/e2e/defaults/main.test.bicep +++ b/modules/network/front-door/tests/e2e/defaults/main.test.bicep @@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName @@ -124,4 +125,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/front-door/tests/e2e/max/main.test.bicep b/modules/network/front-door/tests/e2e/max/main.test.bicep index bb77bb9c3e..c94b99aa79 100644 --- a/modules/network/front-door/tests/e2e/max/main.test.bicep +++ b/modules/network/front-door/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName @@ -158,4 +159,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep index 7767577465..93650d477c 100644 --- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName @@ -158,4 +159,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json index e9dc0c6cbc..f286f1deb9 100644 --- a/modules/network/ip-group/main.json +++ b/modules/network/ip-group/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9765196609767428090" + "version": "0.23.1.45101", + "templateHash": "16568387528687642838" }, "name": "IP Groups", "description": "This module deploys an IP Group.", diff --git a/modules/network/ip-group/tests/e2e/defaults/main.test.bicep b/modules/network/ip-group/tests/e2e/defaults/main.test.bicep index 9139a8b6b1..9511792159 100644 --- a/modules/network/ip-group/tests/e2e/defaults/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/ip-group/tests/e2e/max/main.test.bicep b/modules/network/ip-group/tests/e2e/max/main.test.bicep index 568ddb0caa..5e9c862414 100644 --- a/modules/network/ip-group/tests/e2e/max/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep index 124d1cdf86..6636c832de 100644 --- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index f11208ec19..da3cea4c2d 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9834860024329832524" + "version": "0.23.1.45101", + "templateHash": "18232422639786183281" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", diff --git a/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep index ab43e878e1..1265fabb0d 100644 --- a/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/defaults/main.test.bicep 
@@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -49,4 +50,4 @@ module testDeployment '../../../main.bicep' = { ] localGatewayPublicIpAddress: '8.8.8.8' } -} +}] diff --git a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep index c320c4dba1..93352e6ce5 100644 --- a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep index e47e0f4ebc..4c3d7522ce 100644 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep 
+++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index 9bc6c9a1c5..496bdfff0a 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11905897400304782014" + "version": "0.23.1.45101", + "templateHash": "9381387795158980533" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", @@ -425,8 +425,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18404193892947466906" + "version": "0.23.1.45101", + "templateHash": "15536304828480480757" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -945,8 +945,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "311381109175947078" + "version": "0.23.1.45101", + "templateHash": "16528829671778949522" } }, "parameters": { 
@@ -1021,8 +1021,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12289116883631984029" + "version": "0.23.1.45101", + "templateHash": "9244193973447540175" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -1317,8 +1317,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "311381109175947078" + "version": "0.23.1.45101", + "templateHash": "16528829671778949522" } }, "parameters": { diff --git a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep index 36cd281d6e..7fc011d550 100644 --- a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -115,4 +116,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep index 13de1ef352..d874324327 100644 --- a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep 
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep index 024f35b432..9f155e50f0 100644 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -115,4 +116,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-interface/main.json b/modules/network/network-interface/main.json index 9ece338c5f..03cd427c05 100644 --- a/modules/network/network-interface/main.json +++ b/modules/network/network-interface/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6506615823435977032" + "version": "0.23.1.45101", + "templateHash": "2750011165297287068" }, "name": "Network Interface", "description": "This module deploys a Network Interface.", diff --git a/modules/network/network-interface/tests/e2e/defaults/main.test.bicep b/modules/network/network-interface/tests/e2e/defaults/main.test.bicep index 3ba824eace..00d24eea4b 100644 --- a/modules/network/network-interface/tests/e2e/defaults/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/defaults/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -59,4 +60,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/network-interface/tests/e2e/max/main.test.bicep b/modules/network/network-interface/tests/e2e/max/main.test.bicep index 586661dbc4..02129671ef 100644 --- a/modules/network/network-interface/tests/e2e/max/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/max/main.test.bicep 
@@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -124,4 +125,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep index 218c13495c..fe4128d347 100644 --- a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep @@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -124,4 +125,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 28bf192614..24d0104710 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11982582623966534114" + "version": "0.23.1.45101", + "templateHash": "7208377569507005040" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", @@ -302,8 +302,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15734624931109113465" + "version": "0.23.1.45101", + "templateHash": "3787957853488500608" }, "name": "Network Manager Network Groups", "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", @@ -408,8 +408,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13400290933908034947" + "version": "0.23.1.45101", + "templateHash": "6119539562042886994" }, "name": "Network Manager Network Group Static Members", "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", @@ -571,8 +571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5280310149581848411" + "version": "0.23.1.45101", + "templateHash": "16434535140284685195" }, "name": "Network Manager Connectivity Configurations", "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", 
@@ -750,8 +750,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9309301917607746358" + "version": "0.23.1.45101", + "templateHash": "5036358037363252898" }, "name": "Network Manager Scope Connections", "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", @@ -889,8 +889,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14740794033127814314" + "version": "0.23.1.45101", + "templateHash": "11083461428572717010" }, "name": "Network Manager Security Admin Configurations", "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", @@ -1011,8 +1011,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11695176114935586913" + "version": "0.23.1.45101", + "templateHash": "17187717862116828818" }, "name": "Network Manager Security Admin Configuration Rule Collections", "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", 
@@ -1146,8 +1146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8150493920671936292" + "version": "0.23.1.45101", + "templateHash": "144106033297451553" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", diff --git a/modules/network/network-manager/tests/e2e/max/main.test.bicep b/modules/network/network-manager/tests/e2e/max/main.test.bicep index a1cb6fb4f6..1fb6b04824 100644 --- a/modules/network/network-manager/tests/e2e/max/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/max/main.test.bicep @@ -53,9 +53,10 @@ module nestedDependencies 'dependencies.bicep' = { var networkManagerName = '${namePrefix}${serviceShort}001' var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { name: networkManagerName enableDefaultTelemetry: enableDefaultTelemetry @@ -252,4 +253,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep index 0b70f2b7b8..1d94d18ba7 100644 --- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep 
@@ -53,9 +53,10 @@ module nestedDependencies 'dependencies.bicep' = { var networkManagerName = '${namePrefix}${serviceShort}001' var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { name: networkManagerName enableDefaultTelemetry: enableDefaultTelemetry @@ -252,4 +253,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json index 04902fe9a1..5a078217ce 100644 --- a/modules/network/network-security-group/main.json +++ b/modules/network/network-security-group/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16143869939725478184" + "version": "0.23.1.45101", + "templateHash": "750109442263573618" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", @@ -427,8 +427,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "820939823450891186" + "version": "0.23.1.45101", + "templateHash": "5230356401692373453" }, "name": "Network Security Group (NSG) Security Rules", "description": "This module deploys a Network Security Group (NSG) Security Rule.", diff --git a/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep b/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep index 0e74b84bbe..e3113e43e2 100644 --- a/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep 
+++ b/modules/network/network-security-group/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
}
-}
+}]
diff --git a/modules/network/network-security-group/tests/e2e/max/main.test.bicep b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
index ba20a64fbc..24664977f4 100644
--- a/modules/network/network-security-group/tests/e2e/max/main.test.bicep
+++ b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
@@ -157,4 +158,4 @@ module testDeployment '../../../main.bicep' = {
Role: 'DeploymentValidation'
}
}
-}
+}]
diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
index 7c9ac93549..0a6ccc8de6 100644
--- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -157,4 +158,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index a9c59a060f..84b24a7db1 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -43,7 +43,7 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, testLocation)}-test-nnwmin' + name: '${uniqueString(deployment().name, location)}-test-nnwmin' params: { enableDefaultTelemetry: '' location: '' @@ -87,7 +87,7 @@ This instance deploys the module with most of its features enabled. ```bicep module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, testLocation)}-test-nnwmax' + name: '${uniqueString(deployment().name, location)}-test-nnwmax' params: { connectionMonitors: [ { 
@@ -305,7 +305,7 @@ This instance deploys the module in alignment with the best-practices of the Azu ```bicep module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { - name: '${uniqueString(deployment().name, testLocation)}-test-nnwwaf' + name: '${uniqueString(deployment().name, location)}-test-nnwwaf' params: { connectionMonitors: [ { diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index 85e335cbac..af0b8f4ed7 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "768801903323165380" + "version": "0.23.1.45101", + "templateHash": "16212234798998363097" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", @@ -267,8 +267,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3258279638384899203" + "version": "0.23.1.45101", + "templateHash": "15782320161408670286" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", @@ -456,8 +456,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7397123180177309349" + "version": "0.23.1.45101", + "templateHash": "13019883939201211211" }, "name": "NSG Flow Logs", "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", diff --git a/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep b/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep index 73452b204c..c05b464bdb 100644 --- a/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/defaults/main.test.bicep 
@@ -36,12 +36,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // ============== // #disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one var testLocation = 'northeurope' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry // Note: This value is not required and only set to enable testing location: testLocation } -} +}] diff --git a/modules/network/network-watcher/tests/e2e/max/main.test.bicep b/modules/network/network-watcher/tests/e2e/max/main.test.bicep index d4dcd43292..578321530e 100644 --- a/modules/network/network-watcher/tests/e2e/max/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/max/main.test.bicep @@ -66,9 +66,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // ============== // #disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one var testLocation = 'westeurope' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: 'NetworkWatcher_${testLocation}' @@ -155,4 +156,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] 
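Review bot: In the network-watcher tests the deployment name is now seeded with `location` instead of `testLocation`, while the module is still deployed into `testLocation` (`location: testLocation` in the defaults test, `name: 'NetworkWatcher_${testLocation}'` in the max test), so the nested deployment name no longer encodes the region the resource actually lands in. Uniqueness across the three network-watcher tests then rests on `deployment().name` and `serviceShort`, which looks sufficient, but the only nearby comment explains the hard-coded region, not this decoupling; suggest adding on the `name:` line `// seeded with the test location parameter for consistency with other modules; the watcher itself is created in testLocation`. `location` is presumably the test file's location parameter, but it is not visible in this hunk. For the max test, the 'idem' iteration re-applies `NetworkWatcher_${testLocation}`, which presumably already exists after 'init', so the second run exercises the update-existing path rather than a fresh create — worth stating in a comment if that is the intent. The module's params block continues outside the first hunk of each file.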
diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep index 730c05be9e..b940f74c67 100644 --- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -66,9 +66,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // ============== // #disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one var testLocation = 'westeurope' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: 'NetworkWatcher_${testLocation}' @@ -155,4 +156,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/private-dns-zone/main.json b/modules/network/private-dns-zone/main.json index 88f780099a..105ede90f1 100644 --- a/modules/network/private-dns-zone/main.json +++ b/modules/network/private-dns-zone/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3388913792473865283" + "version": "0.23.1.45101", + "templateHash": "9913746381155072618" }, "name": "Private DNS Zones", "description": "This module deploys a Private DNS zone.", 
@@ -318,8 +318,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12900025093691887371" + "version": "0.23.1.45101", + "templateHash": "3949185236374936253" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", @@ -577,8 +577,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4724178141308652025" + "version": "0.23.1.45101", + "templateHash": "18254437762408001216" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", @@ -836,8 +836,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14332603634620066077" + "version": "0.23.1.45101", + "templateHash": "5688376231538421822" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", @@ -1095,8 +1095,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13915386259037819236" + "version": "0.23.1.45101", + "templateHash": "6121652824910092918" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", @@ -1354,8 +1354,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8103973730749015801" + "version": "0.23.1.45101", + "templateHash": "13755349248029897715" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", @@ -1613,8 +1613,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11066047807464279527" + "version": "0.23.1.45101", + "templateHash": "17071167904833492436" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", 
@@ -1872,8 +1872,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6734977459689095702" + "version": "0.23.1.45101", + "templateHash": "11637594462630888096" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", @@ -2131,8 +2131,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15093956155477786576" + "version": "0.23.1.45101", + "templateHash": "61165308790737358" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", @@ -2392,8 +2392,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14262386012436592269" + "version": "0.23.1.45101", + "templateHash": "2575181024828080198" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", diff --git a/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep index ac3e057214..9302e41bcf 100644 --- a/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001.com' } -} +}] 
diff --git a/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep
index d62a97edb9..8e28928ada 100644
--- a/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep
+++ b/modules/network/private-dns-zone/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001.com'
@@ -221,4 +222,4 @@ module testDeployment '../../../main.bicep' = {
Role: 'DeploymentValidation'
}
}
-}
+}]
diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
index 116e5bb75b..591d3e4e8d 100644
--- a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001.com'
@@ -221,4 +222,4 @@ module testDeployment '../../../main.bicep' = {
Role: 'DeploymentValidation'
}
}
-}
+}]
diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index 9b9e3e9991..2d73f7ad0f 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -408,8 +408,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep b/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep index c2f9894353..51389d4e03 100644 --- a/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/defaults/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -59,4 +60,4 @@ module testDeployment '../../../main.bicep' = { serviceResourceId: nestedDependencies.outputs.keyVaultResourceId subnetResourceId: nestedDependencies.outputs.subnetResourceId } -} +}] 
diff --git a/modules/network/private-endpoint/tests/e2e/max/main.test.bicep b/modules/network/private-endpoint/tests/e2e/max/main.test.bicep
index dcb523c227..0812571d74 100644
--- a/modules/network/private-endpoint/tests/e2e/max/main.test.bicep
+++ b/modules/network/private-endpoint/tests/e2e/max/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
Role: 'DeploymentValidation'
}
}
-}
+}]
diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep
index 4e7c2b4c1f..72e2c7f377 100644
--- a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
// Test Execution //
// ============== //
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
scope: resourceGroup
-name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
@@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = {
Role: 'DeploymentValidation'
}
}
-}
+}]
diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json index 1a1d8491cc..2b7574b6aa 100644 --- a/modules/network/private-link-service/main.json +++ b/modules/network/private-link-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3379360327986898312" + "version": "0.23.1.45101", + "templateHash": "1799801226722953083" }, "name": "Private Link Services", "description": "This module deploys a Private Link Service.", diff --git a/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep b/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep index 6ecb49281d..c6a012f831 100644 --- a/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/defaults/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/private-link-service/tests/e2e/max/main.test.bicep b/modules/network/private-link-service/tests/e2e/max/main.test.bicep index 8333f18672..1fc85cda3b 100644 --- a/modules/network/private-link-service/tests/e2e/max/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/max/main.test.bicep 
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -103,4 +104,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep index c327e89f13..cc74016e1e 100644 --- a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep @@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -103,4 +104,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/public-ip-address/main.json b/modules/network/public-ip-address/main.json index 70133688a7..1f444a3ba0 100644 --- a/modules/network/public-ip-address/main.json +++ b/modules/network/public-ip-address/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18404193892947466906" + "version": "0.23.1.45101", + "templateHash": "15536304828480480757" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", diff --git a/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep b/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep index 8b2bad4c9a..c4f1e366fd 100644 --- a/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/public-ip-address/tests/e2e/max/main.test.bicep b/modules/network/public-ip-address/tests/e2e/max/main.test.bicep index aed225af85..7ce46d663b 100644 --- a/modules/network/public-ip-address/tests/e2e/max/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/max/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep index 61d5598c0e..5e16ba63ef 100644 --- a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index 8245998e85..d327e41009 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12289116883631984029" + "version": "0.23.1.45101", + "templateHash": "9244193973447540175" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", diff --git a/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep index 5b412000e6..520214d9be 100644 --- a/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/defaults/main.test.bicep @@ -37,12 +37,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' prefixLength: 28 } -} +}] diff --git a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep index 8e6d167811..2a0444770e 100644 --- a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -70,4 +71,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep index 298ddcbc5d..cc31fc6d98 100644 --- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -70,4 +71,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/route-table/main.json b/modules/network/route-table/main.json index 8563735479..d3838e6b03 100644 --- a/modules/network/route-table/main.json +++ b/modules/network/route-table/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16231060934698023931" + "version": "0.23.1.45101", + "templateHash": "17284213437442846894" }, "name": "Route Tables", "description": "This module deploys a User Defined Route Table (UDR).", diff --git a/modules/network/route-table/tests/e2e/defaults/main.test.bicep b/modules/network/route-table/tests/e2e/defaults/main.test.bicep index 8a237dfdcf..bc7617bb87 100644 --- a/modules/network/route-table/tests/e2e/defaults/main.test.bicep +++ b/modules/network/route-table/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/route-table/tests/e2e/max/main.test.bicep b/modules/network/route-table/tests/e2e/max/main.test.bicep index 591f42c921..f611d8c177 100644 --- a/modules/network/route-table/tests/e2e/max/main.test.bicep +++ b/modules/network/route-table/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -79,4 +80,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep index 83c92c0105..6edf7269f8 100644 --- a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -79,4 +80,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index 0d1e589b59..0901fb297c 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10435227051484673475" + "version": "0.23.1.45101", + "templateHash": "8576779256610363047" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", diff --git a/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep index 70ff126389..56ed8c03d5 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}-001' } -} +}] diff --git a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep index 383bd64097..8ad3addf74 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}-001' @@ -82,4 +83,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep index f2a407ed2a..ab52288ff9 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}-001' @@ -82,4 +83,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 5fb51da587..b70a6f3e81 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10183539121866982078" + "version": "0.23.1.45101", + "templateHash": "11095049412788663057" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", diff --git a/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep index 9f2602f94f..a8e21d17c1 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/defaults/main.test.bicep @@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName relativeName: resourceName } -} +}] diff --git a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep index e33f38cf77..b937b8d2af 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName @@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep index a1a7cb5738..bddc3fdf32 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // var resourceName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: resourceName @@ -98,4 +99,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json index 718814eff9..acbcfb5ce7 100644 --- a/modules/network/virtual-hub/main.json 
+++ b/modules/network/virtual-hub/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11534311815660563241" + "version": "0.23.1.45101", + "templateHash": "3410935905412487886" }, "name": "Virtual Hubs", "description": "This module deploys a Virtual Hub.\r\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", @@ -283,8 +283,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16158603795616593379" + "version": "0.23.1.45101", + "templateHash": "14379005468048197578" }, "name": "Virtual Hub Route Tables", "description": "This module deploys a Virtual Hub Route Table.", @@ -414,8 +414,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16334618854228578572" + "version": "0.23.1.45101", + "templateHash": "1891918102977675989" }, "name": "Virtual Hub Virtual Network Connections", "description": "This module deploys a Virtual Hub Virtual Network Connection.", diff --git a/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep b/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep index 1e6bb24c21..584c74324e 100644 --- a/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/defaults/main.test.bicep 
@@ -46,13 +46,14 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' addressPrefix: '10.0.0.0/16' virtualWanId: nestedDependencies.outputs.virtualWWANResourceId } -} +}] diff --git a/modules/network/virtual-hub/tests/e2e/max/main.test.bicep b/modules/network/virtual-hub/tests/e2e/max/main.test.bicep index 40bfcc913c..b8ffb6fc70 100644 --- a/modules/network/virtual-hub/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/max/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' @@ -91,4 +92,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep index 8ca1b21cbd..befed0daa5 100644 --- a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep 
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' @@ -91,4 +92,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json index eaa29a2c28..6ed43a2056 100644 --- a/modules/network/virtual-network-gateway/main.json +++ b/modules/network/virtual-network-gateway/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10499044138923307873" + "version": "0.23.1.45101", + "templateHash": "2357059360379446061" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", @@ -656,8 +656,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18404193892947466906" + "version": "0.23.1.45101", + "templateHash": "15536304828480480757" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address.", @@ -1182,8 +1182,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14778714560462406442" + "version": "0.23.1.45101", + "templateHash": "10871428827476692387" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a Virtual Network Gateway NAT Rule.", 
diff --git a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep index 3c9305aa5b..95dfbe06d2 100644 --- a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep @@ -58,9 +58,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -120,4 +121,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep index 9a22c3afa9..272b39ce1f 100644 --- a/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/expressRoute/main.test.bicep @@ -58,9 +58,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -107,4 +108,4 @@ module testDeployment '../../../main.bicep' = { '3' ] } -} +}] diff --git a/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep index 903303e2af..3f983e947f 100644 --- a/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/vpn/main.test.bicep @@ -59,9 +59,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -149,4 +150,4 @@ module testDeployment '../../../main.bicep' = { ] enableBgpRouteTranslationForNat: true } -} +}] diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index c359e2792f..73f79cbc33 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16118078360254929709" + "version": "0.23.1.45101", + "templateHash": "4189892179924911704" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", diff --git a/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep b/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep index 9b861faa22..85f5f16915 100644 --- a/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep index d0dd150785..3642b75961 100644 --- a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep index 748fcbeaac..290a115237 100644 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json index bd6b9d0262..aefc4f89d9 100644 --- a/modules/network/vpn-gateway/main.json +++ b/modules/network/vpn-gateway/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1887977315027479771" + "version": "0.23.1.45101", + "templateHash": "8700890331432111745" }, "name": "VPN Gateways", "description": "This module deploys a VPN Gateway.", @@ -205,8 +205,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4165642550711844737" + "version": "0.23.1.45101", + "templateHash": "2150556463317760652" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a VPN Gateway NAT Rule.", @@ -379,8 +379,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13660788048333105050" + "version": "0.23.1.45101", + "templateHash": "6383697389251029881" }, "name": "VPN Gateway VPN Connections", "description": "This module deploys a VPN Gateway VPN Connection.", diff --git a/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep index e79cff0f46..49411aaf37 100644 
--- a/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep +++ b/modules/network/vpn-gateway/tests/e2e/defaults/main.test.bicep @@ -47,12 +47,13 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId } -} +}] diff --git a/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep index 798de44466..14d39aec03 100644 --- a/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/vpn-gateway/tests/e2e/max/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // ============== // // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -99,4 +100,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep index 7d7999ab09..96e00bdab5 100644 --- a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep 
+++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // ============== // // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -99,4 +100,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index 486e0953cf..0a32dfa9f5 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9467816521347210128" + "version": "0.23.1.45101", + "templateHash": "12353107767353318428" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", diff --git a/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep b/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep index 2c805b566b..e765763573 100644 --- a/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/defaults/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' @@ -58,4 +59,4 @@ module testDeployment '../../../main.bicep' = { ] ipAddress: '1.2.3.4' } -} +}] diff --git a/modules/network/vpn-site/tests/e2e/max/main.test.bicep b/modules/network/vpn-site/tests/e2e/max/main.test.bicep index 8f0bab6726..629bdd1bd9 100644 --- a/modules/network/vpn-site/tests/e2e/max/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/max/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' @@ -111,4 +112,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep index 66ea85793c..62ed03a40d 100644 --- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep 
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}' @@ -111,4 +112,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] From 0dbb4ec0eeb385987fa4841c6f8787263a5254a7 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sat, 18 Nov 2023 19:05:44 +0100 Subject: [PATCH 113/178] [Modules] Added itempotency to tests [5/5] (#4214) * Updated batch 5 * Update to latest * Refreshed outdated template * Missing refresh * Refrehsed readme * Refrehsed readme * Update to latest --- .../workspace/tests/e2e/adv/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../workspace/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../operations-management/solution/main.json | 4 +-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../solution/tests/e2e/ms/main.test.bicep | 7 ++-- .../solution/tests/e2e/nonms/main.test.bicep | 7 ++-- modules/policy-insights/remediation/README.md | 10 +++--- modules/policy-insights/remediation/main.json | 16 ++++----- .../tests/e2e/mg.common/main.test.bicep | 7 ++-- .../tests/e2e/mg.min/main.test.bicep | 7 ++-- .../tests/e2e/rg.common/main.test.bicep | 7 ++-- .../tests/e2e/rg.min/main.test.bicep | 7 ++-- .../tests/e2e/sub.common/main.test.bicep | 7 ++-- .../tests/e2e/sub.min/main.test.bicep | 7 ++-- modules/power-bi-dedicated/capacity/main.json | 4 +-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../capacity/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/purview/account/README.md | 6 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../account/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../vault/tests/e2e/defaults/main.test.bicep | 7 ++-- .../vault/tests/e2e/dr/main.test.bicep | 7 ++-- .../vault/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/relay/namespace/main.json | 36 +++++++++---------- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../namespace/tests/e2e/max/main.test.bicep | 7 ++-- .../namespace/tests/e2e/pe/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/resource-graph/query/main.json 
| 4 +-- .../query/tests/e2e/defaults/main.test.bicep | 7 ++-- .../query/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/cli/main.test.bicep | 7 ++-- .../tests/e2e/ps/main.test.bicep | 7 ++-- modules/resources/resource-group/main.json | 8 ++--- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/search/search-service/main.json | 16 ++++----- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/pe/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../security/azure-security-center/main.json | 8 ++--- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../namespace/tests/e2e/encr/main.test.bicep | 7 ++-- .../namespace/tests/e2e/max/main.test.bicep | 7 ++-- .../namespace/tests/e2e/pe/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/service-fabric/cluster/main.json | 8 ++--- .../cluster/tests/e2e/cert/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../cluster/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/signal-r-service/signal-r/README.md | 6 ++-- modules/signal-r-service/signal-r/main.json | 12 +++---- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../signal-r/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../web-pub-sub/tests/e2e/max/main.test.bicep | 7 ++-- .../web-pub-sub/tests/e2e/pe/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/vulnAssm/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- 
.../server/tests/e2e/admin/main.test.bicep | 7 ++-- .../sql/server/tests/e2e/max/main.test.bicep | 7 ++-- .../sql/server/tests/e2e/pe/main.test.bicep | 7 ++-- .../tests/e2e/secondary/main.test.bicep | 7 ++-- .../server/tests/e2e/vulnAssm/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/encr/main.test.bicep | 7 ++-- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/nfs/main.test.bicep | 7 ++-- .../tests/e2e/v1/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/synapse/private-link-hub/main.json | 12 +++---- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../tests/e2e/encrwsai/main.test.bicep | 7 ++-- .../tests/e2e/encrwuai/main.test.bicep | 7 ++-- .../tests/e2e/managedvnet/main.test.bicep | 7 ++-- .../workspace/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- modules/web/connection/main.json | 4 +-- .../connection/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../tests/e2e/asev2/main.test.bicep | 7 ++-- .../tests/e2e/asev3/main.test.bicep | 7 ++-- .../serverfarm/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- .../e2e/functionAppCommon/main.test.bicep | 7 ++-- .../tests/e2e/functionAppMin/main.test.bicep | 7 ++-- .../tests/e2e/webAppCommon/main.test.bicep | 7 ++-- .../site/tests/e2e/webAppMin/main.test.bicep | 7 ++-- .../tests/e2e/defaults/main.test.bicep | 7 ++-- .../static-site/tests/e2e/max/main.test.bicep | 7 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 7 ++-- 110 files changed, 457 insertions(+), 362 deletions(-) 
diff --git a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep index 4a24bd7146..af8c5e2b55 100644 --- a/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/adv/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -306,4 +307,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep index ad410db22f..90b6203eee 100644 --- a/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] 
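Review bot: Turning `testDeployment` into a two-element loop changes its type from a single module to an array, so any `output` in these files that still reads `testDeployment.outputs.<x>` would now need `testDeployment[0].outputs.<x>`; each hunk ends at the closing `}]`, so whether such outputs follow is not visible here and is worth one compile pass over every touched test file. The purpose of the `'init'`/`'idem'` pair and of `@batchSize(1)` is also undocumented; a one-line comment above the decorator, `// Deploy the module twice in sequence ('init', then 'idem' with identical parameters) to prove the template is idempotent; @batchSize(1) forces serial execution.`, would make the intent clear without a trip to the PR. The same pattern is repeated in every other `main.test.bicep` hunk in this chunk (operations-management, policy-insights, power-bi-dedicated, purview, recovery-services and relay), so both points apply to all of them. One point of style: the purview test files place `name` above `scope`, while every other file that sets `scope` puts `scope` first; picking one order keeps the test files consistent.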
diff --git a/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep index a3d86cf782..ad7165b0c2 100644 --- a/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/max/main.test.bicep @@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -234,4 +235,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep index 92f24e5733..e523244e4a 100644 --- a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -234,4 +235,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/operations-management/solution/main.json b/modules/operations-management/solution/main.json index a2c344b5ad..523630f0ec 100644 --- a/modules/operations-management/solution/main.json +++ b/modules/operations-management/solution/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2318608107759137473" + "version": "0.23.1.45101", + "templateHash": "6590935071601965866" }, "name": "Operations Management Solutions", "description": "This module deploys an Operations Management Solution.", diff --git a/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep b/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep index a82c4e54f3..c3e69fd0ab 100644 --- a/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep +++ b/modules/operations-management/solution/tests/e2e/defaults/main.test.bicep @@ -46,12 +46,13 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: 'Updates' logAnalyticsWorkspaceName: nestedDependencies.outputs.logAnalyticsWorkspaceName } -} +}] diff --git a/modules/operations-management/solution/tests/e2e/ms/main.test.bicep b/modules/operations-management/solution/tests/e2e/ms/main.test.bicep index e3e03cbeec..1751e570b0 100644 --- a/modules/operations-management/solution/tests/e2e/ms/main.test.bicep +++ b/modules/operations-management/solution/tests/e2e/ms/main.test.bicep 
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: 'AzureAutomation' @@ -53,4 +54,4 @@ module testDeployment '../../../main.bicep' = { product: 'OMSGallery' publisher: 'Microsoft' } -} +}] diff --git a/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep b/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep index 39178e0f71..1ddf6bddf8 100644 --- a/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep +++ b/modules/operations-management/solution/tests/e2e/nonms/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -53,4 +54,4 @@ module testDeployment '../../../main.bicep' = { product: 'nonmsTestSolutionProduct' publisher: 'nonmsTestSolutionPublisher' } -} +}] diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md index 1140dd6368..c22cb0aede 100644 --- a/modules/policy-insights/remediation/README.md +++ b/modules/policy-insights/remediation/README.md 
@@ -121,7 +121,7 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { ```bicep module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pirmgmin' + name: '${uniqueString(deployment().name, location)}-test-pirmgmin' params: { // Required parameters name: 'pirmgmin001' @@ -170,7 +170,7 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { ```bicep module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pirrgcom' + name: '${uniqueString(deployment().name, location)}-test-pirrgcom' params: { // Required parameters name: 'pirrgcom001' @@ -251,7 +251,7 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { ```bicep module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pirrgmin' + name: '${uniqueString(deployment().name, location)}-test-pirrgmin' params: { // Required parameters name: 'pirrgmin001' @@ -300,7 +300,7 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { ```bicep module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pirsubcom' + name: '${uniqueString(deployment().name, location)}-test-pirsubcom' params: { // Required parameters name: 'pirsubcom001' @@ -381,7 +381,7 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { ```bicep module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pirsubmin' + name: '${uniqueString(deployment().name, location)}-test-pirsubmin' params: { // Required parameters name: 'pirsubmin001' diff --git a/modules/policy-insights/remediation/main.json b/modules/policy-insights/remediation/main.json index cc27386cb2..4d0779c55a 100644 
--- a/modules/policy-insights/remediation/main.json +++ b/modules/policy-insights/remediation/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4742101117506662139" + "version": "0.23.1.45101", + "templateHash": "9716129657217536595" }, "name": "Policy Insights Remediations", "description": "This module deploys a Policy Insights Remediation.", @@ -179,8 +179,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9807832589850582654" + "version": "0.23.1.45101", + "templateHash": "11915278545941211218" }, "name": "Policy Insights Remediations (Management Group scope)", "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", @@ -375,8 +375,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8491362450892267233" + "version": "0.23.1.45101", + "templateHash": "15638854500024270747" }, "name": "Policy Insights Remediations (Subscription scope)", "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", @@ -571,8 +571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1603868954809777625" + "version": "0.23.1.45101", + "templateHash": "6808524543119403982" }, "name": "Policy Insights Remediations (Resource Group scope)", "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", diff --git a/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep index ec5905b87e..b34f003368 100644 --- a/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep +++ b/modules/policy-insights/remediation/tests/e2e/mg.common/main.test.bicep 
@@ -80,8 +80,9 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../../management-group/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../management-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -96,4 +97,4 @@ module testDeployment '../../../management-group/main.bicep' = { parallelDeployments: 1 failureThresholdPercentage: '0.5' } -} +}] diff --git a/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep index 2fa5bd5533..89336edd4a 100644 --- a/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep +++ b/modules/policy-insights/remediation/tests/e2e/mg.min/main.test.bicep @@ -35,11 +35,12 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../../management-group/main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../management-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' policyAssignmentId: policyAssignment.id } -} +}] diff --git a/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep index 932adf9c48..ad8934beac 100644 --- a/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep 
+++ b/modules/policy-insights/remediation/tests/e2e/rg.common/main.test.bicep @@ -89,9 +89,10 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../../resource-group/main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../resource-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -106,4 +107,4 @@ module testDeployment '../../../resource-group/main.bicep' = { parallelDeployments: 1 failureThresholdPercentage: '0.5' } -} +}] diff --git a/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep index 86d6da3d11..f176a984d7 100644 --- a/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep +++ b/modules/policy-insights/remediation/tests/e2e/rg.min/main.test.bicep @@ -44,12 +44,13 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../../resource-group/main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../resource-group/main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' policyAssignmentId: policyAssignment.id } -} +}] 
diff --git a/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep index d884f232c9..5ee1cd36da 100644 --- a/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep +++ b/modules/policy-insights/remediation/tests/e2e/sub.common/main.test.bicep @@ -80,8 +80,9 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2021-06- // Test Execution // // ============== // -module testDeployment '../../../subscription/main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../subscription/main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -96,4 +97,4 @@ module testDeployment '../../../subscription/main.bicep' = { parallelDeployments: 1 failureThresholdPercentage: '0.5' } -} +}] diff --git a/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep b/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep index cc3ef9248f..7cd844eda5 100644 --- a/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep +++ b/modules/policy-insights/remediation/tests/e2e/sub.min/main.test.bicep 
@@ -35,11 +35,12 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' // Test Execution // // ============== // -module testDeployment '../../../subscription/main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../subscription/main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' policyAssignmentId: policyAssignment.id } -} +}] diff --git a/modules/power-bi-dedicated/capacity/main.json b/modules/power-bi-dedicated/capacity/main.json index 70c6e02ca8..edbff72051 100644 --- a/modules/power-bi-dedicated/capacity/main.json +++ b/modules/power-bi-dedicated/capacity/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5834334564189406991" + "version": "0.23.1.45101", + "templateHash": "14660488048974784902" }, "name": "Power BI Dedicated Capacities", "description": "This module deploys a Power BI Dedicated Capacity.", diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep index 7325d2ed89..f8c3d8627e 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/tests/e2e/defaults/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -57,4 +58,4 @@ module testDeployment '../../../main.bicep' = { nestedDependencies.outputs.managedIdentityPrincipalId ] } -} +}] diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep index fac442cdfe..c6fe16963e 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep index 204d4c8d00..de6e04a1b0 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep 
+++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 570df77615..2ef08134de 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -44,7 +44,7 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pvamin' + name: '${uniqueString(deployment().name, location)}-test-pvamin' params: { // Required parameters name: 'pvamin001' @@ -96,7 +96,7 @@ This instance deploys the module with most of its features enabled. ```bicep module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pvamax' + name: '${uniqueString(deployment().name, location)}-test-pvamax' params: { // Required parameters name: 'pvamax001' @@ -386,7 +386,7 @@ This instance deploys the module in alignment with the best-practices of the Azu ```bicep module account 'br:bicep/modules/purview.account:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-pvawaf' + name: '${uniqueString(deployment().name, location)}-test-pvawaf' params: { // Required parameters name: 'pvawaf001' 
diff --git a/modules/purview/account/tests/e2e/defaults/main.test.bicep b/modules/purview/account/tests/e2e/defaults/main.test.bicep index b1205ff888..78ad70351f 100644 --- a/modules/purview/account/tests/e2e/defaults/main.test.bicep +++ b/modules/purview/account/tests/e2e/defaults/main.test.bicep @@ -37,12 +37,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { name: '${namePrefix}${serviceShort}001' managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' enableDefaultTelemetry: enableDefaultTelemetry } -} +}] diff --git a/modules/purview/account/tests/e2e/max/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep index 3b5c5bc8cc..576acece67 100644 --- a/modules/purview/account/tests/e2e/max/main.test.bicep +++ b/modules/purview/account/tests/e2e/max/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { name: '${namePrefix}${serviceShort}001' location: location @@ -176,4 +177,4 @@ module testDeployment '../../../main.bicep' = { name: 'myCustomLockName' } } -} +}] 
diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index baec657dba..f58261b0a9 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { name: '${namePrefix}${serviceShort}001' location: location @@ -176,4 +177,4 @@ module testDeployment '../../../main.bicep' = { name: 'myCustomLockName' } } -} +}] diff --git a/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep b/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep index e64705c7a3..8b9f40bfcb 100644 --- a/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] 
diff --git a/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep b/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep index d2af04c07f..c76d0f632e 100644 --- a/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/dr/main.test.bicep @@ -35,9 +35,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // var rsvName = '${namePrefix}${serviceShort}001' -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: rsvName @@ -102,4 +103,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep index 0e6e7d9c6b..a95ea0b468 100644 --- a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' 
@@ -375,4 +376,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep index caa2881cae..67c8e9c39b 100644 --- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -375,4 +376,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index 5a8cbf13bf..d8b196fe7e 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16883030415068323871" + "version": "0.23.1.45101", + "templateHash": "2022191670394485396" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", @@ -617,8 +617,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8947023489504947393" + "version": "0.23.1.45101", + "templateHash": "6991913570355678944" }, "name": "Relay Namespace Authorization Rules", "description": "This module deploys a Relay Namespace Authorization Rule.", 
@@ -739,8 +739,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4617716666405561945" + "version": "0.23.1.45101", + "templateHash": "11855121384015754907" }, "name": "Relay Namespace Network Rules Sets", "description": "This module deploys a Relay Namespace Network Rule Set.", @@ -883,8 +883,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7588969568395991504" + "version": "0.23.1.45101", + "templateHash": "4576720448388714998" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -1177,8 +1177,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2105813068659609285" + "version": "0.23.1.45101", + "templateHash": "8614944991526016585" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", @@ -1344,8 +1344,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2747029204512692072" + "version": "0.23.1.45101", + "templateHash": "7252195436240071963" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -1658,8 +1658,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9905508445063497603" + "version": "0.23.1.45101", + "templateHash": "5333168181360876794" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", @@ -1859,8 +1859,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -2262,8 +2262,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/relay/namespace/tests/e2e/defaults/main.test.bicep b/modules/relay/namespace/tests/e2e/defaults/main.test.bicep index 689248719f..c35d68e568 100644 --- a/modules/relay/namespace/tests/e2e/defaults/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/relay/namespace/tests/e2e/max/main.test.bicep b/modules/relay/namespace/tests/e2e/max/main.test.bicep index d438ec09ec..9615d7ad26 100644 --- a/modules/relay/namespace/tests/e2e/max/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/max/main.test.bicep 
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -178,4 +179,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/relay/namespace/tests/e2e/pe/main.test.bicep b/modules/relay/namespace/tests/e2e/pe/main.test.bicep index dd1352106e..cc38c87c6f 100644 --- a/modules/relay/namespace/tests/e2e/pe/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/pe/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep index 2e3268af07..b8527deec2 100644 --- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep 
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -178,4 +179,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index a14e8eb9f3..74b82c908c 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4571822405516608040" + "version": "0.23.1.45101", + "templateHash": "8296730698201438039" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", diff --git a/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep b/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep index da7b4e92f2..8a0db8fccb 100644 --- a/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/defaults/main.test.bicep 
@@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' query: 'resources | take 10' } -} +}] diff --git a/modules/resource-graph/query/tests/e2e/max/main.test.bicep b/modules/resource-graph/query/tests/e2e/max/main.test.bicep index 8ff4e69568..25ac98145e 100644 --- a/modules/resource-graph/query/tests/e2e/max/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/max/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = { query: 'resources | take 10' queryDescription: 'An example query to list first 10 resources in the subscription.' } -} +}] diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep index 5858166d43..1209174e7c 100644 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep 
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = { query: 'resources | take 10' queryDescription: 'An example query to list first 10 resources in the subscription.' } -} +}] diff --git a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep index 2fa991c027..5f9fba41ac 100644 --- a/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep +++ b/modules/resources/deployment-script/tests/e2e/cli/main.test.bicep @@ -44,9 +44,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -81,4 +82,4 @@ module testDeployment '../../../main.bicep' = { ] } } -} +}] diff --git a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep index ea56ef4c68..2734b239f0 100644 --- a/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep 
+++ b/modules/resources/deployment-script/tests/e2e/ps/main.test.bicep @@ -44,9 +44,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -73,4 +74,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json index 5ef95ffd33..245ce057e8 100644 --- a/modules/resources/resource-group/main.json +++ b/modules/resources/resource-group/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3152878379095233308" + "version": "0.23.1.45101", + "templateHash": "3578190975032336788" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.", @@ -239,8 +239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17703781580329850458" + "version": "0.23.1.45101", + "templateHash": "3720705918360023027" } }, "definitions": { diff --git a/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep b/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep index 22dbdd1d67..a36b5e90cc 100644 --- a/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/defaults/main.test.bicep 
@@ -20,10 +20,11 @@ param namePrefix string = '[[namePrefix]]' // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/resources/resource-group/tests/e2e/max/main.test.bicep b/modules/resources/resource-group/tests/e2e/max/main.test.bicep index 91f263f885..a110f2a5f4 100644 --- a/modules/resources/resource-group/tests/e2e/max/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/max/main.test.bicep @@ -46,8 +46,9 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep index d5e6d7df88..5818c0052f 100644 --- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep 
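Review bot: The rewritten deployment name in `resource-group/tests/e2e/defaults/main.test.bicep` still uses `uniqueString(deployment().name)` without `location`, whereas the sibling max and waf-aligned tests in this same chunk use `uniqueString(deployment().name, location)` and the signal-r defaults test is changed in this very commit to add `location`. If a `location` parameter is declared in this file (its header is outside the hunk, so I cannot confirm), aligning it as `name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'` would keep the naming scheme consistent and reduce the chance of two parallel runs in different regions colliding on the same subscription-level deployment name. If the omission is deliberate, a one-line comment saying so would stop the next person from "fixing" it.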
@@ -46,8 +46,9 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -68,4 +69,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/search/search-service/main.json b/modules/search/search-service/main.json index 9d48759634..023f3f582e 100644 --- a/modules/search/search-service/main.json +++ b/modules/search/search-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14644923243501961437" + "version": "0.23.1.45101", + "templateHash": "8225370298861272581" }, "name": "Search Services", "description": "This module deploys a Search Service.", @@ -737,8 +737,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1140,8 +1140,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1317,8 +1317,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13590696020139320386" + "version": "0.23.1.45101", + "templateHash": "15235633206826642766" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", diff --git a/modules/search/search-service/tests/e2e/defaults/main.test.bicep b/modules/search/search-service/tests/e2e/defaults/main.test.bicep index a09caf4e8e..c655c3d657 100644 --- a/modules/search/search-service/tests/e2e/defaults/main.test.bicep +++ b/modules/search/search-service/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/search/search-service/tests/e2e/max/main.test.bicep b/modules/search/search-service/tests/e2e/max/main.test.bicep index 90a01b9be8..2edbeb312f 100644 --- a/modules/search/search-service/tests/e2e/max/main.test.bicep +++ b/modules/search/search-service/tests/e2e/max/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/search/search-service/tests/e2e/pe/main.test.bicep b/modules/search/search-service/tests/e2e/pe/main.test.bicep index c18f872e76..2cd4bd7d52 100644 --- a/modules/search/search-service/tests/e2e/pe/main.test.bicep +++ b/modules/search/search-service/tests/e2e/pe/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -88,4 +89,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep index c01e840d45..e5968a4f01 100644 --- a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep 
@@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -126,4 +127,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/security/azure-security-center/main.json b/modules/security/azure-security-center/main.json index 757ee94252..c59f3bd7e9 100644 --- a/modules/security/azure-security-center/main.json +++ b/modules/security/azure-security-center/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6628258573559470770" + "version": "0.23.1.45101", + "templateHash": "9701989179534275854" }, "name": "Azure Security Center (Defender for Cloud)", "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.", @@ -366,8 +366,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15519935694361963633" + "version": "0.23.1.45101", + "templateHash": "17940871522867244658" } }, "parameters": { diff --git a/modules/security/azure-security-center/tests/e2e/max/main.test.bicep b/modules/security/azure-security-center/tests/e2e/max/main.test.bicep index 1118563116..e76028a93a 100644 --- a/modules/security/azure-security-center/tests/e2e/max/main.test.bicep +++ b/modules/security/azure-security-center/tests/e2e/max/main.test.bicep 
@@ -46,8 +46,9 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry scope: '/subscriptions/${subscription().subscriptionId}' @@ -59,4 +60,4 @@ module testDeployment '../../../main.bicep' = { phone: '+12345678' } } -} +}] diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep index 1bb6ec0985..1e6b326548 100644 --- a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep @@ -46,8 +46,9 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry scope: '/subscriptions/${subscription().subscriptionId}' @@ -59,4 +60,4 @@ module testDeployment '../../../main.bicep' = { phone: '+12345678' } } -} +}] diff --git a/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep b/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep index f799f08ce9..39c9f7941e 100644 --- a/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/defaults/main.test.bicep 
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep index a0efd3185a..745b38b64b 100644 --- a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep @@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -117,4 +118,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep index 13dd2c55f1..4e64786e88 100644 --- a/modules/service-bus/namespace/tests/e2e/max/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/max/main.test.bicep 
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -223,4 +224,4 @@ module testDeployment '../../../main.bicep' = { publicNetworkAccess: 'Enabled' minimumTlsVersion: '1.2' } -} +}] diff --git a/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep b/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep index 43e7f9de51..ebc7250257 100644 --- a/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/pe/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -70,4 +71,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep index c1cca11abf..d61b0ddb60 100644 --- a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep 
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -223,4 +224,4 @@ module testDeployment '../../../main.bicep' = { publicNetworkAccess: 'Enabled' minimumTlsVersion: '1.2' } -} +}] diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json index ac97598011..5295769ffa 100644 --- a/modules/service-fabric/cluster/main.json +++ b/modules/service-fabric/cluster/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4163996962220385017" + "version": "0.23.1.45101", + "templateHash": "18205764020383874033" }, "name": "Service Fabric Clusters", "description": "This module deploys a Service Fabric Cluster.", @@ -559,8 +559,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16143571289588705380" + "version": "0.23.1.45101", + "templateHash": "4810595833725093386" }, "name": "Service Fabric Cluster Application Types", "description": "This module deploys a Service Fabric Cluster Application Type.", diff --git a/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep index b8f681a7e3..abdbb40a0c 100644 --- a/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/cert/main.test.bicep 
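Review bot: The closing hunk of `service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep` shows `publicNetworkAccess: 'Enabled'` next to `minimumTlsVersion: '1.2'`; these are context lines rather than part of this change, but since the loop rewrite now exercises this parameter set twice, it is a good moment to confirm it reflects the intended hardened posture. If the waf-aligned scenario is meant to demonstrate the restricted-network configuration, `publicNetworkAccess: 'Disabled'` (with whatever private connectivity the module supports) would be the expected value; if public access is required for the test harness to reach the namespace, a short comment such as `// public access kept on so the validation pipeline can reach the namespace` would make that explicit. The same parameter pair appears in the max test on the preceding file section, where it is less surprising.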
@@ -35,9 +35,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -70,4 +71,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep index abc24b2ed3..8a543b9681 100644 --- a/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/defaults/main.test.bicep @@ -38,9 +38,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -65,4 +66,4 @@ module testDeployment '../../../main.bicep' = { ] } -} +}] diff --git a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep index c566919098..ed86853a2b 100644 --- a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep 
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -222,4 +223,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep index 6b1ad668cc..e54b21fd94 100644 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep @@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -222,4 +223,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 0650ea90d4..88a6f92780 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md 
@@ -43,7 +43,7 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-srsdrmin' + name: '${uniqueString(deployment().name, location)}-test-srsdrmin' params: { // Required parameters name: 'srsdrmin-001' @@ -91,7 +91,7 @@ This instance deploys the module with most of its features enabled. ```bicep module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-srssrmax' + name: '${uniqueString(deployment().name, location)}-test-srssrmax' params: { // Required parameters name: 'srssrmax-001' @@ -283,7 +283,7 @@ This instance deploys the module in alignment with the best-practices of the Azu ```bicep module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { - name: '${uniqueString(deployment().name)}-test-srssrwaf' + name: '${uniqueString(deployment().name, location)}-test-srssrwaf' params: { // Required parameters name: 'srssrwaf-001' diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index f9728a1078..11fb90c5b6 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14653714394608163039" + "version": "0.23.1.45101", + "templateHash": "2894209744845511778" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", @@ -647,8 +647,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", 
@@ -1050,8 +1050,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep index 3796aa1068..91c816bddf 100644 --- a/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep +++ b/modules/signal-r-service/signal-r/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}-${serviceShort}-001' } -} +}] diff --git a/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep index 751e1286fd..701bca066f 100644 --- a/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep +++ b/modules/signal-r-service/signal-r/tests/e2e/max/main.test.bicep 
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
@@ -114,4 +115,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
index 5c88da4283..c07a791bbf 100644
--- a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
@@ -114,4 +115,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep
index a888017c1b..4e72d5a97b 100644
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
 }
-}
+}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep
index 007c6f0032..7c9c967f3a 100644
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/max/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
@@ -116,4 +117,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
index 25c2a4dfb3..0483d13826 100644
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/pe/main.test.bicep
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
index 2391c085b0..03b8af5643 100644
--- a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-001'
@@ -116,4 +117,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep b/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
index 9074fdeaf7..80ccb391bc 100644
--- a/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/defaults/main.test.bicep
@@ -53,9 +53,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -63,4 +64,4 @@ module testDeployment '../../../main.bicep' = {
 administratorLoginPassword: password
 subnetId: nestedDependencies.outputs.subnetResourceId
 }
-}
+}]
diff --git a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
index d44e051516..6fd22ed422 100644
--- a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
@@ -73,9 +73,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -178,4 +179,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep b/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
index e6bb8787ca..b93e5f73ec 100644
--- a/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/vulnAssm/main.test.bicep
@@ -51,9 +51,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -86,4 +87,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
index f808cd9a5c..1627c8cc0c 100644
--- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
@@ -73,9 +73,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -178,4 +179,4 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/admin/main.test.bicep b/modules/sql/server/tests/e2e/admin/main.test.bicep
index 94c27ed0d9..9a30d64ae7 100644
--- a/modules/sql/server/tests/e2e/admin/main.test.bicep
+++ b/modules/sql/server/tests/e2e/admin/main.test.bicep
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -57,4 +58,4 @@ module testDeployment '../../../main.bicep' = {
 tenantId: tenant().tenantId
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/max/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep
index 444ad3b6cb..4de18a90ed 100644
--- a/modules/sql/server/tests/e2e/max/main.test.bicep
+++ b/modules/sql/server/tests/e2e/max/main.test.bicep
@@ -67,9 +67,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -194,4 +195,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/pe/main.test.bicep b/modules/sql/server/tests/e2e/pe/main.test.bicep
index 9881236cfa..069d4f0e80 100644
--- a/modules/sql/server/tests/e2e/pe/main.test.bicep
+++ b/modules/sql/server/tests/e2e/pe/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -75,4 +76,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/secondary/main.test.bicep b/modules/sql/server/tests/e2e/secondary/main.test.bicep
index b5caa622c3..96bef59aa8 100644
--- a/modules/sql/server/tests/e2e/secondary/main.test.bicep
+++ b/modules/sql/server/tests/e2e/secondary/main.test.bicep
@@ -47,9 +47,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}-sec'
@@ -71,4 +72,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
index 3826a0afad..9b105db908 100644
--- a/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
+++ b/modules/sql/server/tests/e2e/vulnAssm/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -90,4 +91,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
index 0f034211bc..298ab514b7 100644
--- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
@@ -67,9 +67,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}-${serviceShort}'
@@ -194,4 +195,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep b/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep
index c5340263c1..1a754ad2b7 100644
--- a/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/defaults/main.test.bicep
@@ -38,12 +38,13 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 allowBlobPublicAccess: false
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep
index 6ba6f40652..eb5638b6a1 100644
--- a/modules/storage/storage-account/tests/e2e/encr/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/encr/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -110,4 +111,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/max/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep
index e3efd2b824..db2803d5f3 100644
--- a/modules/storage/storage-account/tests/e2e/max/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/max/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -330,4 +331,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
index c2454760b3..4c3fb2ad5a 100644
--- a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
@@ -57,9 +57,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -112,4 +113,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/v1/main.test.bicep b/modules/storage/storage-account/tests/e2e/v1/main.test.bicep
index aa1670b9c6..057738ca6a 100644
--- a/modules/storage/storage-account/tests/e2e/v1/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/v1/main.test.bicep
@@ -35,9 +35,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -49,4 +50,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
index 354699f427..cd06ed1f80 100644
--- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
@@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -330,4 +331,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json
index d58383f3f8..08bd584f4e 100644
--- a/modules/synapse/private-link-hub/main.json
+++ b/modules/synapse/private-link-hub/main.json
@@ -5,8 +5,8 @@ "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "9045040601435756592"
+ "version": "0.23.1.45101",
+ "templateHash": "13641263936979099332"
 },
 "name": "Azure Synapse Analytics",
 "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
@@ -466,8 +466,8 @@ "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12078057657290521609"
+ "version": "0.23.1.45101",
+ "templateHash": "6873008238043407177"
 },
 "name": "Private Endpoints",
 "description": "This module deploys a Private Endpoint.",
@@ -869,8 +869,8 @@ "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "16391702514342252839"
+ "version": "0.23.1.45101",
+ "templateHash": "17578977753131828304"
 },
 "name": "Private Endpoint Private DNS Zone Groups",
 "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
index 7ea78ed31d..d25afb53a7 100644
--- a/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
+++ b/modules/synapse/private-link-hub/tests/e2e/defaults/main.test.bicep
@@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
 }
-}
+}]
diff --git a/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep
index 5f1dc18c70..a4718d62b4 100644
--- a/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep
+++ b/modules/synapse/private-link-hub/tests/e2e/max/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -90,4 +91,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep
index c5b50dbbd7..cda0f2510d 100644
--- a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
@@ -90,4 +91,4 @@ module testDeployment '../../../main.bicep' = {
 Role: 'DeploymentValidation'
 }
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep b/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep
index 0597e80b28..f6084c8e78 100644
--- a/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/defaults/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -56,4 +57,4 @@ module testDeployment '../../../main.bicep' = {
 sqlAdministratorLogin: 'synwsadmin'
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep
index 48e6c94103..bc21173e2f 100644
--- a/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/encrwsai/main.test.bicep
@@ -48,9 +48,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -63,4 +64,4 @@ module testDeployment '../../../main.bicep' = {
 encryptionActivateWorkspace: true
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep b/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep
index 6049baaf1e..bad49f51aa 100644
--- a/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/encrwuai/main.test.bicep
@@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -69,4 +70,4 @@ module testDeployment '../../../main.bicep' = {
 }
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep b/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep
index 8b1a2bb851..7d4f2b072c 100644
--- a/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/managedvnet/main.test.bicep
@@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -63,4 +64,4 @@ module testDeployment '../../../main.bicep' = {
 }
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep
index 5767ce3c3e..7161f6dfc7 100644
--- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -123,4 +124,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
index a3969a051f..abf7d8b7c8 100644
--- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -62,9 +62,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../main.bicep' = {
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: {
 scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+ name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}001'
 defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
@@ -123,4 +124,4 @@ module testDeployment '../../../main.bicep' = {
 ]
 enableDefaultTelemetry: enableDefaultTelemetry
 }
-}
+}]
diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json
index dab170f63e..679bd8421b 100644
--- a/modules/web/connection/main.json
+++ b/modules/web/connection/main.json
@@ -5,8 +5,8 @@ "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "11837763267512511834"
+ "version": "0.23.1.45101",
+ "templateHash": "6835685979701514548"
 },
 "name": "API Connections",
 "description": "This module deploys an Azure API Connection.",
diff --git a/modules/web/connection/tests/e2e/max/main.test.bicep b/modules/web/connection/tests/e2e/max/main.test.bicep
index 185384cf04..d57a2503f7 100644
--- a/modules/web/connection/tests/e2e/max/main.test.bicep
+++ b/modules/web/connection/tests/e2e/max/main.test.bicep
@@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry displayName: 'azuremonitorlogs' @@ -74,4 +75,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep index acc6afbcd9..a8d11dca02 100644 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -46,9 +46,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry displayName: 'azuremonitorlogs' @@ -74,4 +75,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep index f6f0553f80..455dba1779 100644 --- a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep 
@@ -59,9 +59,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -108,4 +109,4 @@ module testDeployment '../../../main.bicep' = { kind: 'ASEv2' multiSize: 'Standard_D1_V2' } -} +}] diff --git a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep index a2a66f610e..ac50975bc3 100644 --- a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep @@ -61,9 +61,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -116,4 +117,4 @@ module testDeployment '../../../main.bicep' = { customDnsSuffixCertificateUrl: nestedDependencies.outputs.certificateSecretUrl customDnsSuffixKeyVaultReferenceIdentity: nestedDependencies.outputs.managedIdentityResourceId } -} +}] diff --git a/modules/web/serverfarm/tests/e2e/max/main.test.bicep b/modules/web/serverfarm/tests/e2e/max/main.test.bicep index ab5b234c99..ce1c1ea9c1 100644 
--- a/modules/web/serverfarm/tests/e2e/max/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/max/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep index b6be6a4df6..24e51db825 100644 --- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -104,4 +105,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index 2235080536..eb682196f8 100644 
--- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep @@ -63,9 +63,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // Test Execution // // ============== // // For the below test case, please consider the guidelines described here: https://github.com/Azure/ResourceModules/wiki/Getting%20started%20-%20Scenario%202%20Onboard%20module%20library%20and%20CI%20environment#microsoftwebsites -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -208,4 +209,4 @@ module testDeployment '../../../main.bicep' = { } ] } -} +}] diff --git a/modules/web/site/tests/e2e/functionAppMin/main.test.bicep b/modules/web/site/tests/e2e/functionAppMin/main.test.bicep index 29a416992c..4b341b5be5 100644 --- a/modules/web/site/tests/e2e/functionAppMin/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppMin/main.test.bicep @@ -43,9 +43,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -55,4 +56,4 @@ module testDeployment '../../../main.bicep' = { alwaysOn: true } } -} +}] 
diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep index 459c7fa8f8..fbb4e0cf1d 100644 --- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep @@ -60,9 +60,10 @@ module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.depe // ============== // // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -217,4 +218,4 @@ module testDeployment '../../../main.bicep' = { vnetRouteAllEnabled: true publicNetworkAccess: 'Disabled' } -} +}] diff --git a/modules/web/site/tests/e2e/webAppMin/main.test.bicep b/modules/web/site/tests/e2e/webAppMin/main.test.bicep index 38c74f798e..c173fb23e1 100644 --- a/modules/web/site/tests/e2e/webAppMin/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppMin/main.test.bicep @@ -43,13 +43,14 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' kind: 'app' serverFarmResourceId: nestedDependencies.outputs.serverFarmResourceId } -} +}] 
diff --git a/modules/web/static-site/tests/e2e/defaults/main.test.bicep b/modules/web/static-site/tests/e2e/defaults/main.test.bicep index 97845e594d..4165b5c13e 100644 --- a/modules/web/static-site/tests/e2e/defaults/main.test.bicep +++ b/modules/web/static-site/tests/e2e/defaults/main.test.bicep @@ -38,11 +38,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' } -} +}] diff --git a/modules/web/static-site/tests/e2e/max/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep index 82d89e7b30..8bc7cecf8d 100644 --- a/modules/web/static-site/tests/e2e/max/main.test.bicep +++ b/modules/web/static-site/tests/e2e/max/main.test.bicep @@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep index fc075909dd..afe97a5d32 100644 
--- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -49,9 +49,10 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' @@ -106,4 +107,4 @@ module testDeployment '../../../main.bicep' = { Role: 'DeploymentValidation' } } -} +}] From 22362c4679a2229db384434c59e4c7a639742834 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 19 Nov 2023 12:04:39 +0000 Subject: [PATCH 114/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 1343 +++++++++++-------------------- 1 file changed, 458 insertions(+), 885 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 52d7783dee..923ac27312 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -1,4 +1,18 @@ { + "Astronomer.Astro": { + "locations": [ + "2023-08-01-preview" + ], + "locations/operationStatuses": [ + "2023-08-01-preview" + ], + "operations": [ + "2023-08-01-preview" + ], + "organizations": [ + "2023-08-01-preview" + ] + }, "Dynatrace.Observability": { "checkNameAvailability": [ "2021-09-01", @@ -9,7 +23,8 @@ "2023-04-27", "2023-08-14-preview", "2023-08-22-preview", - "2023-09-12-preview" + "2023-09-12-preview", + "2023-09-20-preview" ], "getMarketplaceSaaSResourceDetails": [ "2021-09-01", @@ -20,7 +35,8 @@ "2023-04-27", "2023-08-14-preview", "2023-08-22-preview", - "2023-09-12-preview" + "2023-09-12-preview", + "2023-09-20-preview" ], "locations": [ "2021-09-01", 
@@ -31,7 +47,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "locations/operationStatuses": [
 "2021-09-01",
@@ -42,7 +59,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "monitors": [
 "2021-09-01",
@@ -53,7 +71,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "monitors/singleSignOnConfigurations": [
 "2021-09-01",
@@ -64,7 +83,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "monitors/tagRules": [
 "2021-09-01",
@@ -75,7 +95,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "operations": [
 "2021-09-01",
@@ -86,7 +107,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ],
 "registeredSubscriptions": [
 "2021-09-01",
@@ -97,7 +119,8 @@
 "2023-04-27",
 "2023-08-14-preview",
 "2023-08-22-preview",
- "2023-09-12-preview"
+ "2023-09-12-preview",
+ "2023-09-20-preview"
 ]
 },
 "GitHub.Network": {
@@ -3888,17 +3911,20 @@
 "2022-06-15-preview",
 "2023-01-15-preview",
 "2023-05-16-preview",
- "2023-09-01-preview"
+ "2023-09-01-preview",
+ "2023-11-01-preview"
 ],
 "SqlServerInstances/AvailabilityGroups": [
 "2023-05-16-preview",
- "2023-09-01-preview"
+ "2023-09-01-preview",
+ "2023-11-01-preview"
 ],
 "sqlServerInstances/databases": [
 "2022-06-15-preview",
 "2023-01-15-preview",
 "2023-05-16-preview",
- "2023-09-01-preview"
+ "2023-09-01-preview",
+ "2023-11-01-preview"
 ]
 },
 "Microsoft.AzureBridge.Admin": {
@@ -6114,7 +6140,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "autoQuotaIncrease": [ "2019-07-19" @@ -6135,7 +6163,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "calculatePrice": [ "2017-11-01", @@ -6154,7 +6184,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "calculatePurchasePrice": [ "2019-06-01-beta", @@ -6178,7 +6210,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "checkBenefitScopes": [ "2021-03-01-beta", @@ -6233,7 +6267,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "listbenefits": [ "2019-04-01", @@ -6255,7 +6291,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "operations": [ "2017-11-01", @@ -6273,7 +6311,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "ownReservations": [ "2020-06-01", @@ -6303,7 +6343,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/availableScopes": [ "2017-11-01", @@ -6331,7 +6373,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/changeDirectory": [ "2020-11-15", 
@@ -6345,7 +6389,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/merge": [ "2017-11-01", @@ -6364,7 +6410,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/reservations": [ "2017-11-01", @@ -6385,7 +6433,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/reservations/availableScopes": [ "2019-04-01", @@ -6397,7 +6447,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/reservations/revisions": [ "2017-11-01", @@ -6416,7 +6468,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/return": [ "2017-11-01", @@ -6434,7 +6488,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/split": [ "2017-11-01", @@ -6453,7 +6509,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "reservationOrders/swap": [ "2018-06-01", @@ -6481,7 +6539,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ], "resourceProviders": [ "2019-07-19-preview", @@ -6518,7 +6578,9 @@ "2022-06-02-beta", "2022-06-02-privatepreview", "2022-11-01", - "2022-11-01-beta" + "2022-11-01-beta", + "2023-07-01-beta", + "2023-07-01-preview" ] }, "Microsoft.Carbon": { 
@@ -8115,6 +8177,12 @@
 "Microsoft.Community": {
 "communityTrainings": [
 "2023-11-01"
+ ],
+ "Locations": [
+ "2023-08-01-preview"
+ ],
+ "Operations": [
+ "2023-08-01-preview"
 ]
 },
 "Microsoft.Compute": {
@@ -8220,7 +8288,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "diskAccesses/privateEndpointConnections": [
 "2020-09-30",
@@ -8246,7 +8315,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "disks": [
 "2016-04-30-preview",
@@ -8267,7 +8337,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "galleries": [
 "2018-06-01",
@@ -8515,7 +8586,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "locations/edgeZones": [
 "2020-12-01",
@@ -8942,7 +9014,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "sharedVMImages": [
 "2017-10-15-preview"
@@ -8969,7 +9042,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "sshPublicKeys": [
 "2019-12-01",
@@ -9125,7 +9199,8 @@
 "2022-03-02",
 "2022-07-02",
 "2023-01-02",
- "2023-04-02"
+ "2023-04-02",
+ "2023-10-02"
 ],
 "virtualMachineScaleSets/extensions": [
 "2015-05-01-preview",
@@ -11159,80 +11234,37 @@ "2023-10-01", "2023-10-02-preview" ], - "locations/usages": [ - "2023-10-01", - "2023-10-02-preview" - ], - "managedClusters": [ - "2017-08-31", - "2018-03-31", - "2018-08-01-preview", - "2019-02-01", - "2019-04-01", - "2019-06-01", - "2019-08-01", - "2019-10-01", - "2019-11-01", - "2020-01-01", - "2020-02-01", - "2020-03-01", - "2020-04-01", - "2020-06-01", - "2020-07-01", - "2020-09-01", - "2020-11-01", - "2020-12-01", - "2021-02-01", - "2021-03-01", - "2021-05-01", - "2021-07-01", - "2021-08-01", - "2021-09-01", - "2021-10-01", - "2021-11-01-preview", - "2022-01-01", - "2022-01-02-preview", - "2022-02-01", - "2022-02-02-preview", - "2022-03-01", - "2022-03-02-preview", - "2022-04-01", + "locations/trustedAccessRoles": [ "2022-04-02-preview", "2022-05-02-preview", - "2022-06-01", "2022-06-02-preview", - "2022-07-01", "2022-07-02-preview", - "2022-08-01", "2022-08-02-preview", "2022-08-03-preview", - "2022-09-01", "2022-09-02-preview", "2022-10-02-preview", - "2022-11-01", "2022-11-02-preview", - "2023-01-01", "2023-01-02-preview", - "2023-02-01", "2023-02-02-preview", - "2023-03-01", "2023-03-02-preview", - "2023-04-01", "2023-04-02-preview", - "2023-05-01", "2023-05-02-preview", - "2023-06-01", "2023-06-02-preview", - "2023-07-01", "2023-07-02-preview", - "2023-08-01", "2023-08-02-preview", "2023-09-01", "2023-09-02-preview", "2023-10-01", "2023-10-02-preview" ], - "managedClusters/agentPools": [ + "locations/usages": [ + "2023-10-01", + "2023-10-02-preview" + ], + "managedClusters": [ + "2017-08-31", + "2018-03-31", + "2018-08-01-preview", "2019-02-01", "2019-04-01", "2019-06-01", 
@@ -11269,53 +11301,6 @@ "2022-06-02-preview", "2022-07-01", "2022-07-02-preview", - "2022-08-02-preview", - "2022-08-03-preview", - "2022-09-01", - "2022-09-02-preview", - "2022-10-02-preview", - "2022-11-01", - "2022-11-02-preview", - "2023-01-01", - "2023-01-02-preview", - "2023-02-01", - "2023-02-02-preview", - "2023-03-01", - "2023-03-02-preview", - "2023-04-01", - "2023-04-02-preview", - "2023-05-01", - "2023-05-02-preview", - "2023-06-01", - "2023-06-02-preview", - "2023-07-01", - "2023-07-02-preview", - "2023-08-01", - "2023-08-02-preview", - "2023-09-01", - "2023-09-02-preview", - "2023-10-01" - ], - "ManagedClusters/eventGridFilters": [ - "2021-02-01", - "2021-03-01", - "2021-05-01", - "2021-07-01", - "2021-08-01", - "2021-09-01", - "2021-10-01", - "2022-01-01", - "2022-01-02-preview", - "2022-02-01", - "2022-03-01", - "2022-03-02-preview", - "2022-04-01", - "2022-04-02-preview", - "2022-05-02-preview", - "2022-06-01", - "2022-06-02-preview", - "2022-07-01", - "2022-07-02-preview", "2022-08-01", "2022-08-02-preview", "2022-08-03-preview", 
@@ -11345,57 +11330,17 @@ "2023-10-01", "2023-10-02-preview" ], - "managedClusters/maintenanceConfigurations": [ - "2020-12-01", - "2021-02-01", - "2021-03-01", - "2021-05-01", - "2021-07-01", - "2021-08-01", - "2021-09-01", - "2021-10-01", - "2021-11-01-preview", - "2022-01-01", - "2022-01-02-preview", - "2022-02-01", - "2022-02-02-preview", - "2022-03-01", - "2022-03-02-preview", - "2022-04-01", - "2022-04-02-preview", - "2022-05-02-preview", - "2022-06-01", - "2022-06-02-preview", - "2022-07-01", - "2022-07-02-preview", - "2022-08-02-preview", - "2022-08-03-preview", - "2022-09-01", - "2022-09-02-preview", - "2022-10-02-preview", - "2022-11-01", - "2022-11-02-preview", - "2023-01-01", - "2023-01-02-preview", - "2023-02-01", - "2023-02-02-preview", - "2023-03-01", - "2023-03-02-preview", - "2023-04-01", - "2023-04-02-preview", - "2023-05-01", - "2023-05-02-preview", - "2023-06-01", - "2023-06-02-preview", - "2023-07-01", - "2023-07-02-preview", - "2023-08-01", - "2023-08-02-preview", - "2023-09-01", - "2023-09-02-preview", - "2023-10-01" - ], - "managedClusters/privateEndpointConnections": [ + "managedClusters/agentPools": [ + "2019-02-01", + "2019-04-01", + "2019-06-01", + "2019-08-01", + "2019-10-01", + "2019-11-01", + "2020-01-01", + "2020-02-01", + "2020-03-01", + "2020-04-01", "2020-06-01", "2020-07-01", "2020-09-01", 
@@ -11447,7 +11392,163 @@ "2023-08-02-preview", "2023-09-01", "2023-09-02-preview", - "2023-10-01" + "2023-10-01", + "2023-10-02-preview" + ], + "ManagedClusters/eventGridFilters": [ + "2021-02-01", + "2021-03-01", + "2021-05-01", + "2021-07-01", + "2021-08-01", + "2021-09-01", + "2021-10-01", + "2022-01-01", + "2022-01-02-preview", + "2022-02-01", + "2022-03-01", + "2022-03-02-preview", + "2022-04-01", + "2022-04-02-preview", + "2022-05-02-preview", + "2022-06-01", + "2022-06-02-preview", + "2022-07-01", + "2022-07-02-preview", + "2022-08-01", + "2022-08-02-preview", + "2022-08-03-preview", + "2022-09-01", + "2022-09-02-preview", + "2022-10-02-preview", + "2022-11-01", + "2022-11-02-preview", + "2023-01-01", + "2023-01-02-preview", + "2023-02-01", + "2023-02-02-preview", + "2023-03-01", + "2023-03-02-preview", + "2023-04-01", + "2023-04-02-preview", + "2023-05-01", + "2023-05-02-preview", + "2023-06-01", + "2023-06-02-preview", + "2023-07-01", + "2023-07-02-preview", + "2023-08-01", + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" + ], + "managedClusters/maintenanceConfigurations": [ + "2020-12-01", + "2021-02-01", + "2021-03-01", + "2021-05-01", + "2021-07-01", + "2021-08-01", + "2021-09-01", + "2021-10-01", + "2021-11-01-preview", + "2022-01-01", + "2022-01-02-preview", + "2022-02-01", + "2022-02-02-preview", + "2022-03-01", + "2022-03-02-preview", + "2022-04-01", + "2022-04-02-preview", + "2022-05-02-preview", + "2022-06-01", + "2022-06-02-preview", + "2022-07-01", + "2022-07-02-preview", + "2022-08-02-preview", + "2022-08-03-preview", + "2022-09-01", + "2022-09-02-preview", + "2022-10-02-preview", + "2022-11-01", + "2022-11-02-preview", + "2023-01-01", + "2023-01-02-preview", + "2023-02-01", + "2023-02-02-preview", + "2023-03-01", + "2023-03-02-preview", + "2023-04-01", + "2023-04-02-preview", + "2023-05-01", + "2023-05-02-preview", + "2023-06-01", + "2023-06-02-preview", + "2023-07-01", + 
"2023-07-02-preview", + "2023-08-01", + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" + ], + "managedClusters/privateEndpointConnections": [ + "2020-06-01", + "2020-07-01", + "2020-09-01", + "2020-11-01", + "2020-12-01", + "2021-02-01", + "2021-03-01", + "2021-05-01", + "2021-07-01", + "2021-08-01", + "2021-09-01", + "2021-10-01", + "2021-11-01-preview", + "2022-01-01", + "2022-01-02-preview", + "2022-02-01", + "2022-02-02-preview", + "2022-03-01", + "2022-03-02-preview", + "2022-04-01", + "2022-04-02-preview", + "2022-05-02-preview", + "2022-06-01", + "2022-06-02-preview", + "2022-07-01", + "2022-07-02-preview", + "2022-08-02-preview", + "2022-08-03-preview", + "2022-09-01", + "2022-09-02-preview", + "2022-10-02-preview", + "2022-11-01", + "2022-11-02-preview", + "2023-01-01", + "2023-01-02-preview", + "2023-02-01", + "2023-02-02-preview", + "2023-03-01", + "2023-03-02-preview", + "2023-04-01", + "2023-04-02-preview", + "2023-05-01", + "2023-05-02-preview", + "2023-06-01", + "2023-06-02-preview", + "2023-07-01", + "2023-07-02-preview", + "2023-08-01", + "2023-08-02-preview", + "2023-09-01", + "2023-09-02-preview", + "2023-10-01", + "2023-10-02-preview" ], "managedClusters/trustedAccessRoleBindings": [ "2022-04-02-preview", @@ -11469,7 +11570,8 @@ "2023-08-02-preview", "2023-09-01", "2023-09-02-preview", - "2023-10-01" + "2023-10-01", + "2023-10-02-preview" ], "managedclustersnapshots": [ "2022-02-02-preview", @@ -11621,6 +11723,15 @@ ] }, "Microsoft.ContainerStorage": { + "locations": [ + "2023-07-01-preview" + ], + "locations/asyncoperations": [ + "2023-07-01-preview" + ], + "operations": [ + "2023-07-01-preview" + ], "pools": [ "2023-07-01-preview" ], 
@@ -12806,32 +12917,6 @@
 "2016-03-30"
 ]
 },
- "Microsoft.DataCollaboration": {
- "listinvitations": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ],
- "locations": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ],
- "locations/consumerInvitations": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ],
- "locations/consumerInvitations/reject": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ],
- "locations/operationResults": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ],
- "operations": [
- "2020-05-04-preview",
- "2022-05-04-preview"
- ]
- },
 "Microsoft.Datadog": {
 "agreements": [
 "2020-02-01-preview",
@@ -14324,17 +14409,9 @@
 "2023-03-01-preview",
 "2023-06-01-preview"
 ],
- "flexibleServers/privateEndpointConnectionProxies": [
- "2022-06-01-privatepreview",
- "2023-01-01-privatepreview"
- ],
 "flexibleServers/privateEndpointConnections": [
- "2023-01-01-privatepreview",
 "2023-06-01-preview"
 ],
- "flexibleServers/privateLinkResources": [
- "2023-01-01-privatepreview"
- ],
 "flexibleServers/virtualendpoints": [
 "2023-06-01-preview"
 ],
@@ -18590,7 +18667,8 @@
 "2021-11-01",
 "2022-01-01-preview",
 "2022-10-01-preview",
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2024-01-01"
 ],
 "locations": [
 "2017-04-01",
@@ -18651,14 +18729,16 @@
 "2021-11-01",
 "2022-01-01-preview",
 "2022-10-01-preview",
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2024-01-01"
 ],
 "namespaces/applicationGroups": [
 "2022-01-01-preview",
 "2022-10-01-preview",
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2024-01-01"
 ],
- "namespaces/AuthorizationRules": [
+ "namespaces/authorizationRules": [
 "2014-09-01",
 "2015-08-01",
 "2017-04-01",
@@ -18668,7 +18748,8 @@
 "2021-11-01",
 "2022-01-01-preview",
 "2022-10-01-preview",
- "2023-01-01-preview"
+ "2023-01-01-preview",
+ "2024-01-01"
 ],
 "namespaces/disasterRecoveryConfigs": [
 "2017-04-01",
@@ -18678,7 +18759,8 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/disasterrecoveryconfigs/checkNameAvailability": [ "2017-04-01", @@ -18700,7 +18782,8 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/eventhubs/authorizationRules": [ "2014-09-01", @@ -18712,7 +18795,8 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/eventhubs/consumergroups": [ "2014-09-01", @@ -18724,7 +18808,8 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/ipfilterrules": [ "2018-01-01-preview" @@ -18737,7 +18822,8 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/networkSecurityPerimeterAssociationProxies": [ "2022-01-01-preview", @@ -18765,13 +18851,15 @@ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/schemagroups": [ "2021-11-01", "2022-01-01-preview", "2022-10-01-preview", - "2023-01-01-preview" + "2023-01-01-preview", + "2024-01-01" ], "namespaces/virtualnetworkrules": [ "2018-01-01-preview" @@ -19499,12 +19587,14 @@ "2023-03-03-preview", "2023-03-23-preview", "2023-06-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "diagnostics": [ "2023-01-01-preview", "2023-06-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "discoverSolutions": [ "2023-08-01-preview" 
@@ -19513,28 +19603,33 @@ "2023-01-01-preview", "2023-06-01", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "operationResults": [ "2023-01-01-preview", "2023-03-03-preview", "2023-06-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "operations": [ "2023-01-01-preview", "2023-03-03-preview", "2023-03-23-preview", "2023-06-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "solutions": [ "2023-03-03-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ], "troubleshooters": [ "2023-03-23-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-03-01-preview" ] }, "Microsoft.HybridCloud": { @@ -19818,11 +19913,14 @@ "2023-06-20-preview", "2023-10-03-preview" ], - "machines/runcommands": [ + "machines/runCommands": [ "2023-04-25-preview", "2023-06-20-preview", "2023-10-03-preview" ], + "networkConfigurations": [ + "2023-10-03-preview" + ], "operations": [ "2019-03-18-preview", "2019-08-02-preview", @@ -19980,7 +20078,8 @@ "2022-05-01-preview", "2022-09-01-preview", "2023-11-01", - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "Locations/operationStatuses": [ "2021-08-01-preview", @@ -19989,7 +20088,8 @@ "2022-05-01-preview", "2022-09-01-preview", "2023-11-01", - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "Operations": [ "2021-08-01-preview", @@ -19998,7 +20098,8 @@ "2022-05-01-preview", "2022-09-01-preview", "2023-11-01", - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "provisionedClusterInstances": [ "2023-11-15-preview" @@ -20707,6 +20808,9 @@ "spaces/applications/businessProcesses": [ "2023-11-14-preview" ], + "Spaces/applications/BusinessProcesses/versions": [ + "2023-11-14-preview" + ], "spaces/applications/resources": [ "2023-11-14-preview" ], 
@@ -23268,14 +23372,6 @@ "2022-10-01" ] }, - "Microsoft.ManagedStorageClass": { - "Locations": [ - "2023-02-01-preview" - ], - "Locations/OperationStatuses": [ - "2023-02-01-preview" - ] - }, "Microsoft.Management": { "checkNameAvailability": [ "2018-01-01-preview", @@ -24121,7 +24217,8 @@ "2022-02-02-preview", "2023-03-03", "2023-03-15", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-07-07-preview" ], "assessmentProjects/groups": [ "2019-10-01", @@ -24171,7 +24268,9 @@ "2020-05-01-preview", "2022-02-02-preview", "2023-03-03", - "2023-04-01-preview" + "2023-03-15", + "2023-04-01-preview", + "2023-07-07-preview" ], "locations/rmsOperationResults": [ "2019-10-01-preview", 
@@ -24248,55 +24347,68 @@ "Microsoft.Mission": { "catalogs": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "checkNameAvailability": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "communities": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "communities/communityEndpoints": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "communities/transitHubs": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "enclaveConnections": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "externalConnections": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "internalConnections": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "Locations": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "Locations/OperationStatuses": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "Operations": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "virtualEnclaves": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "virtualEnclaves/enclaveEndpoints": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "virtualEnclaves/endpoints": [ "2023-02-01-preview", @@ -24304,7 +24416,8 @@ ], "virtualEnclaves/workloads": [ "2023-02-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ] }, "Microsoft.MixedReality": { 
@@ -31287,7 +31400,8 @@ "2019-05-01-preview", "2020-01-01-preview", "2020-02-01", - "2023-06-06" + "2023-06-06", + "2023-10-01-preview" ], "locations": [ "2020-07-07" @@ -31471,7 +31585,8 @@ "2020-03-01-preview", "2020-08-01", "2020-10-01", - "2021-06-01" + "2021-06-01", + "2022-10-01" ], "deletedWorkspaces": [ "2020-03-01-preview", @@ -31522,7 +31637,8 @@ "2020-08-01", "2020-10-01", "2021-12-01-preview", - "2022-10-01" + "2022-10-01", + "2023-09-01" ], "queryPacks": [ "2019-09-01", @@ -31550,7 +31666,8 @@ "2021-03-01-privatepreview", "2021-06-01", "2021-12-01-preview", - "2022-10-01" + "2022-10-01", + "2023-09-01" ], "workspaces/api": [ "2017-01-01-preview", @@ -31660,8 +31777,29 @@ ] }, "Microsoft.OracleDiscovery": { + "locations": [ + "2022-11-22-preview" + ], + "locations/operationStatuses": [ + "2022-11-22-preview" + ], "operations": [ "2022-11-22-preview" + ], + "oraclesites": [ + "2022-11-22-preview" + ], + "oraclesites/errorSummaries": [ + "2022-11-22-preview" + ], + "oraclesites/oracledatabases": [ + "2022-11-22-preview" + ], + "oraclesites/oracleservers": [ + "2022-11-22-preview" + ], + "oraclesites/summaries": [ + "2022-11-22-preview" ] }, "Microsoft.Orbital": { @@ -32529,7 +32667,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "locations/allocatedStamp": [ "2015-08-15", @@ -32597,7 +32736,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "locations/backupStatus": [ "2016-06-01", @@ -32622,7 +32762,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "locations/backupValidateFeatures": [ "2017-07-01", @@ -32646,7 +32787,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "locations/capabilities": [ "2022-01-31-preview", 
@@ -32655,7 +32797,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "locations/checkNameAvailability": [ "2018-01-10" @@ -32713,7 +32856,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "replicationEligibilityResults": [ "2018-07-10", @@ -32737,7 +32881,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "vaults": [ "2015-03-15", @@ -32793,7 +32938,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-07-01-preview" ], "vaults/backupconfig": [ "2019-06-15", 
@@ -33813,144 +33959,19 @@ ] }, "Microsoft.Resources": { - "builtInTemplateSpecs": [ - "2022-02-01" - ], - "builtInTemplateSpecs/versions": [ - "2022-02-01" - ], - "bulkDelete": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "calculateTemplateHash": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01", - "2022-09-01", - "2023-07-01" - ], - "changes": [ - "2022-03-01-preview", - "2022-05-01", - "2023-03-01-preview", - "2023-07-01-preview" - ], - "checkPolicyCompliance": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "checkresourcename": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], "deployments": [ - "2014-04-01-preview", - "2015-01-01", "2015-11-01", "2016-02-01", - "2016-06-01", "2016-07-01", 
"2016-09-01", - "2017-03-01", - "2017-05-01", "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", "2018-02-01", "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", "2019-03-01", - "2019-04-01", "2019-05-01", "2019-05-10", "2019-07-01", "2019-08-01", - "2019-09-01", "2019-10-01", "2020-06-01", "2020-08-01", 
@@ -33960,196 +33981,23 @@ "2022-09-01", "2023-07-01" ], - "deployments/operations": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01", - "2020-06-01", - "2020-10-01", - "2021-01-01", - "2021-04-01", - "2022-09-01", - "2023-07-01" - ], "deploymentScripts": [ "2019-10-01-preview", "2020-10-01", "2023-08-01" ], - "deploymentScripts/logs": [ - "2019-10-01-preview", - "2020-10-01", - "2023-08-01" - ], "deploymentStacks": [ "2022-08-01-preview" ], - "links": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "locations": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01" - ], - "locations/deploymentScriptOperationResults": [ - "2019-10-01-preview", - "2020-10-01", - "2023-08-01" - ], - "locations/deploymentStackOperationStatus": [ - "2022-08-01-preview" - ], - "mobobrokers": [ - "2023-06-01-preview" - ], - "notifyResourceJobs": [ - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01" - ], - "operationresults": [ - 
"2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01" - ], - "operations": [ - "2015-01-01" - ], - "providers": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], "resourceGroups": [ - "2014-04-01-preview", - "2015-01-01", "2015-11-01", "2016-02-01", - "2016-06-01", "2016-07-01", "2016-09-01", - "2017-03-01", - "2017-05-01", "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", "2018-02-01", "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", "2019-03-01", - "2019-04-01", "2019-05-01", "2019-05-10", "2019-07-01", 
@@ -34163,268 +34011,7 @@ "2022-09-01", "2023-07-01" ], - "resources": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01" - ], - "snapshots": [ - "2022-11-01-preview" - ], - "subscriptions": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01", - "2019-10-01" - ], - "subscriptions/locations": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "subscriptions/operationresults": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "subscriptions/providers": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - 
"2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "subscriptions/resourceGroups": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "subscriptions/resourcegroups/resources": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01" - ], - "subscriptions/resources": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01" - ], - "subscriptions/tagnames": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2022-09-01", - "2023-07-01" - ], - "subscriptions/tagNames/tagValues": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - 
"2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2022-09-01", - "2023-07-01" - ], - "tagNamespaceOperationResults": [ - "2023-03-01-preview" - ], - "tagnamespaces": [ - "2023-03-01-preview" - ], "tags": [ - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", "2019-10-01", "2020-06-01", "2020-08-01", @@ -34445,35 +34032,6 @@ "2021-03-01-preview", "2021-05-01", "2022-02-01" - ], - "tenants": [ - "2014-04-01-preview", - "2015-01-01", - "2015-11-01", - "2016-02-01", - "2016-06-01", - "2016-07-01", - "2016-09-01", - "2017-03-01", - "2017-05-01", - "2017-05-10", - "2017-06-01", - "2017-08-01", - "2018-01-01", - "2018-02-01", - "2018-05-01", - "2018-07-01", - "2018-08-01", - "2018-09-01", - "2018-11-01", - "2019-03-01", - "2019-04-01", - "2019-05-01", - "2019-09-01", - "2020-01-01" - ], - "validateResources": [ - "2022-06-01" ] }, "Microsoft.SaaS": { @@ -35298,7 +34856,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "alertRuleTemplates": [ "2019-01-01-preview", @@ -35416,7 +34975,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "cases": [ "2019-01-01-preview" @@ -35707,7 +35267,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "hunts/relations": [ "2023-04-01-preview", @@ -35715,7 +35276,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "huntsessions": [ "2022-09-01-preview", 
@@ -35791,7 +35353,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "incidents/relations": [ "2019-01-01-preview", @@ -35820,7 +35383,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "incidents/tasks": [ "2022-12-01-preview", @@ -35831,7 +35395,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "listrepositories": [ "2021-03-01-preview", @@ -36139,7 +35704,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "triggeredAnalyticsRuleRuns": [ "2023-02-01-preview", @@ -36209,7 +35775,8 @@ "2023-06-01-preview", "2023-07-01-preview", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "workspaceManagerAssignments": [ "2023-03-01-preview", @@ -46857,37 +46424,43 @@ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ], "locations/operationStatuses": [ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ], "nginxDeployments": [ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ], "nginxDeployments/certificates": [ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ], "nginxDeployments/configurations": [ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ], "operations": [ "2021-05-01-preview", "2022-08-01", "2022-11-01-preview", - "2023-04-01" + "2023-04-01", + "2023-09-01" ] }, "PaloAltoNetworks.Cloudngfw": { From 371655b37d4403d3e6251a11888b67ad1f171c55 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr
Date: Sun, 19 Nov 2023 20:00:56 +0100
Subject: [PATCH 115/178] [Fixes] Regenerated docs via WSL to resolve static tests issue (#4261)
* Regenerated docs via wsl
* Updated VNET
* Fixed reference bug
* ReadMe update
---
 modules/app/job/README.md | 1626 ++++++++---------
 modules/app/job/tests/e2e/max/main.test.bicep | 2 +-
 .../job/tests/e2e/waf-aligned/main.test.bicep | 7 -
 modules/network/virtual-network/main.json | 16 +-
 .../network/virtual-network/subnet/README.md | 512 +++---
 .../network/virtual-network/subnet/main.json | 4 +-
 .../virtual-network-peering/main.json | 4 +-
 7 files changed, 1074 insertions(+), 1097 deletions(-)
diff --git a/modules/app/job/README.md b/modules/app/job/README.md
index 9b55693da6..c1201754ba 100644
--- a/modules/app/job/README.md
+++ b/modules/app/job/README.md
@@ -1,821 +1,805 @@ -# Container App Jobs `[Microsoft.App/jobs]` - -This module deploys a Container App Job. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.App/jobs` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/jobs) | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Usage examples - -The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. - ->**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - ->**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.job:1.0.0`. - -- [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) - -### Example 1: _Using only defaults_ - -This instance deploys the module with the minimum set of required parameters. - - -

- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajmin' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajmin001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajmin001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - } - } -} -``` - -
-

- -### Example 2: _Using large parameter set_ - -This instance deploys the module with most of its features enabled. - - -

- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajmax' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajmax001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'ContainerApp Reader' - } - ] - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfileName: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajmax001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "ContainerApp Reader" - } - ] - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfileName": { - "value": "" - } - } -} -``` - -
-

- -### Example 3: _WAF-aligned_ - -This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. - - -

- -via Bicep module - -```bicep -module job 'br:bicep/modules/app.job:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-ajwaf' - params: { - // Required parameters - containers: [ - { - image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' - name: 'simple-hello-world-container' - probes: [ - { - httpGet: { - httpHeaders: [ - { - name: 'Custom-Header' - value: 'Awesome' - } - ] - path: '/health' - port: 8080 - } - initialDelaySeconds: 3 - periodSeconds: 3 - type: 'Liveness' - } - ] - resources: { - cpu: '' - memory: '0.5Gi' - } - } - ] - environmentId: '' - name: 'ajwaf001' - triggerType: 'Manual' - // Non-required parameters - enableDefaultTelemetry: '' - location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - manualTriggerConfig: { - parallelism: 1 - replicaCompletionCount: 1 - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'ContainerApp Reader' - } - ] - secrets: { - secureList: [ - { - name: 'customtest' - value: '' - } - ] - } - tags: { - Env: 'test' - 'hidden-title': 'This is visible in the resource name' - } - workloadProfileName: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "containers": { - "value": [ - { - "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", - "name": "simple-hello-world-container", - "probes": [ - { - "httpGet": { - "httpHeaders": [ - { - "name": "Custom-Header", - "value": "Awesome" - } - ], - "path": "/health", - "port": 8080 - }, - "initialDelaySeconds": 3, - "periodSeconds": 3, - "type": "Liveness" - } - ], - "resources": { - "cpu": "", - "memory": "0.5Gi" - } - } - ] - }, - "environmentId": { - "value": "" - }, - "name": { - "value": "ajwaf001" - }, - "triggerType": { - "value": "Manual" - }, - // Non-required parameters - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "manualTriggerConfig": { - "value": { - "parallelism": 1, - "replicaCompletionCount": 1 - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "ContainerApp Reader" - } - ] - }, - "secrets": { - "value": { - "secureList": [ - { - "name": "customtest", - "value": "" - } - ] - } - }, - "tags": { - "value": { - "Env": "test", - "hidden-title": "This is visible in the resource name" - } - }, - "workloadProfileName": { - "value": "" - } - } -} -``` - -
-

- - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | -| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | -| [`name`](#parameter-name) | string | Name of the Container App. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`eventTriggerConfig`](#parameter-eventtriggerconfig) | object | Required if TriggerType is Event. Configuration of an event driven job. | -| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | -| [`location`](#parameter-location) | string | Location for all Resources. | -| [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`manualTriggerConfig`](#parameter-manualtriggerconfig) | object | Required if TriggerType is Manual. Configuration of a manual job. | -| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | -| [`replicaRetryLimit`](#parameter-replicaretrylimit) | int | The maximum number of times a replica can be retried. | -| [`replicaTimeout`](#parameter-replicatimeout) | int | Maximum number of seconds a replica is allowed to run. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
| -| [`scheduleTriggerConfig`](#parameter-scheduletriggerconfig) | object | Required if TriggerType is Schedule. Configuration of a schedule based job. | -| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | -| [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`triggerType`](#parameter-triggertype) | string | Trigger type of the job. | -| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | -| [`workloadProfileName`](#parameter-workloadprofilename) | string | The name of the workload profile to use. | - -### Parameter: `containers` - -List of container definitions for the Container App. -- Required: Yes -- Type: array - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `environmentId` - -Resource ID of environment. -- Required: Yes -- Type: string - -### Parameter: `eventTriggerConfig` - -Required if TriggerType is Event. Configuration of an event driven job. -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `initContainersTemplate` - -List of specialized containers that run before app containers. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `location` - -Location for all Resources. -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - -### Parameter: `lock` - -The lock settings of the service. -- Required: No -- Type: object - - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | - -### Parameter: `lock.kind` - -Optional. Specify the type of lock. - -- Required: No -- Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` - -### Parameter: `lock.name` - -Optional. Specify the name of lock. 
- -- Required: No -- Type: string - -### Parameter: `managedIdentities` - -The managed identity definition for this resource. -- Required: No -- Type: object - - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | - -### Parameter: `managedIdentities.systemAssigned` - -Optional. Enables system assigned managed identity on the resource. - -- Required: No -- Type: bool - -### Parameter: `managedIdentities.userAssignedResourceIds` - -Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - -- Required: No -- Type: array - -### Parameter: `manualTriggerConfig` - -Required if TriggerType is Manual. Configuration of a manual job. -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `name` - -Name of the Container App. -- Required: Yes -- Type: string - -### Parameter: `registries` - -Collection of private container registry credentials for containers used by the Container app. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `replicaRetryLimit` - -The maximum number of times a replica can be retried. -- Required: No -- Type: int -- Default: `0` - -### Parameter: `replicaTimeout` - -Maximum number of seconds a replica is allowed to run. -- Required: No -- Type: int -- Default: `1800` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
-- Required: No -- Type: array - - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource ID of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -### Parameter: `roleAssignments.condition` - -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Optional. Version of the condition. - -- Required: No -- Type: string -- Allowed: `[2.0]` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -Optional. The Resource ID of the delegated managed identity resource. 
- -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -Optional. The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalId` - -Required. The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.principalType` - -Optional. The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `scheduleTriggerConfig` - -Required if TriggerType is Schedule. Configuration of a schedule based job. -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `secrets` - -The secrets of the Container App. -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `tags` - -Tags of the resource. -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `triggerType` - -Trigger type of the job. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Event' - 'Manual' - 'Schedule' - ] - ``` - -### Parameter: `volumes` - -List of volume definitions for the Container App. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `workloadProfileName` - -The name of the workload profile to use. -- Required: No -- Type: string -- Default: `'Consumption'` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the Container App Job. | -| `resourceGroupName` | string | The name of the resource group the Container App Job was deployed into. | -| `resourceId` | string | The resource ID of the Container App Job. 
| -| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | - -## Cross-referenced modules - -_None_ +# Container App Jobs `[Microsoft.App/jobs]` + +This module deploys a Container App Job. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.App/jobs` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/jobs) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br:bicep/modules/app.job:1.0.0`. + +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) + +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajmin' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajmin001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajmin001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajmax' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajmax001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourceIds: [ + '' + ] + } + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'ContainerApp Reader' + } + ] + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + workloadProfileName: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajmax001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourceIds": [ + "" + ] + } + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "ContainerApp Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + }, + "workloadProfileName": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajwaf' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajwaf001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourceIds: [ + '' + ] + } + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + workloadProfileName: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajwaf001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourceIds": [ + "" + ] + } + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + }, + "workloadProfileName": { + "value": "" + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | List of container definitions for the Container App. | +| [`environmentId`](#parameter-environmentid) | string | Resource ID of environment. | +| [`name`](#parameter-name) | string | Name of the Container App. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`eventTriggerConfig`](#parameter-eventtriggerconfig) | object | Required if TriggerType is Event. Configuration of an event driven job. | +| [`initContainersTemplate`](#parameter-initcontainerstemplate) | array | List of specialized containers that run before app containers. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | +| [`manualTriggerConfig`](#parameter-manualtriggerconfig) | object | Required if TriggerType is Manual. Configuration of a manual job. | +| [`registries`](#parameter-registries) | array | Collection of private container registry credentials for containers used by the Container app. | +| [`replicaRetryLimit`](#parameter-replicaretrylimit) | int | The maximum number of times a replica can be retried. | +| [`replicaTimeout`](#parameter-replicatimeout) | int | Maximum number of seconds a replica is allowed to run. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
| +| [`scheduleTriggerConfig`](#parameter-scheduletriggerconfig) | object | Required if TriggerType is Schedule. Configuration of a schedule based job. | +| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. | +| [`tags`](#parameter-tags) | object | Tags of the resource. | +| [`triggerType`](#parameter-triggertype) | string | Trigger type of the job. | +| [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | +| [`workloadProfileName`](#parameter-workloadprofilename) | string | The name of the workload profile to use. | + +### Parameter: `containers` + +List of container definitions for the Container App. +- Required: Yes +- Type: array + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `environmentId` + +Resource ID of environment. +- Required: Yes +- Type: string + +### Parameter: `eventTriggerConfig` + +Required if TriggerType is Event. Configuration of an event driven job. +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `initContainersTemplate` + +List of specialized containers that run before app containers. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all Resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. 
+ +- Required: No +- Type: string + +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourceIds` + +Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. + +- Required: No +- Type: array + +### Parameter: `manualTriggerConfig` + +Required if TriggerType is Manual. Configuration of a manual job. +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `name` + +Name of the Container App. +- Required: Yes +- Type: string + +### Parameter: `registries` + +Collection of private container registry credentials for containers used by the Container app. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `replicaRetryLimit` + +The maximum number of times a replica can be retried. +- Required: No +- Type: int +- Default: `0` + +### Parameter: `replicaTimeout` + +Maximum number of seconds a replica is allowed to run. +- Required: No +- Type: int +- Default: `1800` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. 
+- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource ID of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource ID of the delegated managed identity resource. 
+ +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `scheduleTriggerConfig` + +Required if TriggerType is Schedule. Configuration of a schedule based job. +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `secrets` + +The secrets of the Container App. +- Required: No +- Type: secureObject +- Default: `{}` + +### Parameter: `tags` + +Tags of the resource. +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `triggerType` + +Trigger type of the job. +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Event' + 'Manual' + 'Schedule' + ] + ``` + +### Parameter: `volumes` + +List of volume definitions for the Container App. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `workloadProfileName` + +The name of the workload profile to use. +- Required: No +- Type: string +- Default: `'Consumption'` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the Container App Job. | +| `resourceGroupName` | string | The name of the resource group the Container App Job was deployed into. | +| `resourceId` | string | The resource ID of the Container App Job. 
|
+| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/app/job/tests/e2e/max/main.test.bicep b/modules/app/job/tests/e2e/max/main.test.bicep
index b31091a7c4..10751e7801 100644
--- a/modules/app/job/tests/e2e/max/main.test.bicep
+++ b/modules/app/job/tests/e2e/max/main.test.bicep
@@ -115,7 +115,7 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- principalId: nestedDependencies.outputs.managedIdentityResourceId
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: 'ContainerApp Reader'
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep
index ffe896743e..5de0b2f354 100644
--- a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep
@@ -113,12 +113,5 @@ module testDeployment '../../../main.bicep' = {
 ]
 }
 ]
- roleAssignments: [
- {
- principalId: nestedDependencies.outputs.managedIdentityResourceId
- roleDefinitionIdOrName: 'ContainerApp Reader'
- principalType: 'ServicePrincipal'
- }
- ]
 }
 }
diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json
index 767bf3b948..0de7bba004 100644
--- a/modules/network/virtual-network/main.json
+++ b/modules/network/virtual-network/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17994966106128873660"
+ "version": "0.23.1.45101",
+ "templateHash": "17480456503748802804"
 },
 "name": "Virtual Networks",
 "description": "This module deploys a Virtual Network (vNet).",
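Review bot: The corrected `principalId` line in the max test deserves a one-line comment saying why the nested dependency's principal ID output is used rather than its resource ID, since `nestedDependencies` exposes both outputs and the two are easy to confuse; suggest `// Role assignments bind to the identity's principal (object) ID, not its ARM resource ID` directly above `principalId: nestedDependencies.outputs.managedIdentityPrincipalId`. The sibling waf-aligned hunk in this commit drops its `roleAssignments` block instead of applying the same fix, so that test no longer exercises `Microsoft.Authorization/roleAssignments`; worth confirming this is intentional rather than a shortcut around the same bug. The enclosing `module testDeployment` block starts and ends outside the hunk.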
@@ -495,8 +495,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "17180599685720534663"
+ "version": "0.23.1.45101",
+ "templateHash": "10049142602469906602"
 },
 "name": "Virtual Network Subnets",
 "description": "This module deploys a Virtual Network Subnet.",
@@ -845,8 +845,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18346996432273628410"
+ "version": "0.23.1.45101",
+ "templateHash": "17147360311358108540"
 },
 "name": "Virtual Network Peerings",
 "description": "This module deploys a Virtual Network Peering.",
@@ -1014,8 +1014,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "18346996432273628410"
+ "version": "0.23.1.45101",
+ "templateHash": "17147360311358108540"
 },
 "name": "Virtual Network Peerings",
 "description": "This module deploys a Virtual Network Peering.",
diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md
index 21a6956f67..d981e06cfc 100644
--- a/modules/network/virtual-network/subnet/README.md
+++ b/modules/network/virtual-network/subnet/README.md
@@ -1,256 +1,256 @@ -# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]` - -This module deploys a Virtual Network Subnet. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Notes](#Notes) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addressPrefix`](#parameter-addressprefix) | string | The address prefix for the subnet. | - -**Conditional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`virtualNetworkName`](#parameter-virtualnetworkname) | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`addressPrefixes`](#parameter-addressprefixes) | array | List of address prefixes for the subnet. | -| [`applicationGatewayIPConfigurations`](#parameter-applicationgatewayipconfigurations) | array | Application gateway IP configurations of virtual network resource. | -| [`delegations`](#parameter-delegations) | array | The delegations to enable on the subnet. | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`ipAllocations`](#parameter-ipallocations) | array | Array of IpAllocation which reference this subnet. | -| [`name`](#parameter-name) | string | The Name of the subnet resource. 
| -| [`natGatewayId`](#parameter-natgatewayid) | string | The resource ID of the NAT Gateway to use for the subnet. | -| [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. | -| [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. | -| [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. | -| [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. | -| [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. | - -### Parameter: `addressPrefix` - -The address prefix for the subnet. -- Required: Yes -- Type: string - -### Parameter: `addressPrefixes` - -List of address prefixes for the subnet. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `applicationGatewayIPConfigurations` - -Application gateway IP configurations of virtual network resource. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `delegations` - -The delegations to enable on the subnet. 
-- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `ipAllocations` - -Array of IpAllocation which reference this subnet. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `name` - -The Name of the subnet resource. -- Required: Yes -- Type: string - -### Parameter: `natGatewayId` - -The resource ID of the NAT Gateway to use for the subnet. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `networkSecurityGroupId` - -The resource ID of the network security group to assign to the subnet. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `privateEndpointNetworkPolicies` - -enable or disable apply network policies on private endpoint in the subnet. -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `privateLinkServiceNetworkPolicies` - -enable or disable apply network policies on private link service in the subnet. -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Disabled' - 'Enabled' - ] - ``` - -### Parameter: `roleAssignments` - -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No -- Type: array - - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -### Parameter: `roleAssignments.condition` - -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - -- Required: No -- Type: string - -### Parameter: `roleAssignments.conditionVersion` - -Optional. Version of the condition. - -- Required: No -- Type: string -- Allowed: `[2.0]` - -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` - -Optional. The Resource Id of the delegated managed identity resource. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.description` - -Optional. The description of the role assignment. - -- Required: No -- Type: string - -### Parameter: `roleAssignments.principalId` - -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.principalType` - -Optional. The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - -- Required: Yes -- Type: string - -### Parameter: `routeTableId` - -The resource ID of the route table to assign to the subnet. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `serviceEndpointPolicies` - -An array of service endpoint policies. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `serviceEndpoints` - -The service endpoints to enable on the subnet. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `virtualNetworkName` - -The name of the parent virtual network. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual network peering. | -| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | -| `resourceId` | string | The resource ID of the virtual network peering. | -| `subnetAddressPrefix` | string | The address prefix for the subnet. | -| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | - -## Cross-referenced modules - -_None_ - -## Notes - -The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). 
Default Value when not specified is "Enabled". +# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]` + +This module deploys a Virtual Network Subnet. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Notes](#Notes) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Network/virtualNetworks/subnets` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/virtualNetworks/subnets) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefix`](#parameter-addressprefix) | string | The address prefix for the subnet. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`virtualNetworkName`](#parameter-virtualnetworkname) | string | The name of the parent virtual network. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`addressPrefixes`](#parameter-addressprefixes) | array | List of address prefixes for the subnet. | +| [`applicationGatewayIPConfigurations`](#parameter-applicationgatewayipconfigurations) | array | Application gateway IP configurations of virtual network resource. | +| [`delegations`](#parameter-delegations) | array | The delegations to enable on the subnet. | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`ipAllocations`](#parameter-ipallocations) | array | Array of IpAllocation which reference this subnet. | +| [`name`](#parameter-name) | string | The Name of the subnet resource. 
| +| [`natGatewayId`](#parameter-natgatewayid) | string | The resource ID of the NAT Gateway to use for the subnet. | +| [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. | +| [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. | +| [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. | +| [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. | +| [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. | + +### Parameter: `addressPrefix` + +The address prefix for the subnet. +- Required: Yes +- Type: string + +### Parameter: `addressPrefixes` + +List of address prefixes for the subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `applicationGatewayIPConfigurations` + +Application gateway IP configurations of virtual network resource. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `delegations` + +The delegations to enable on the subnet. 
+- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ipAllocations` + +Array of IpAllocation which reference this subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The Name of the subnet resource. +- Required: Yes +- Type: string + +### Parameter: `natGatewayId` + +The resource ID of the NAT Gateway to use for the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `networkSecurityGroupId` + +The resource ID of the network security group to assign to the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `privateEndpointNetworkPolicies` + +enable or disable apply network policies on private endpoint in the subnet. +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` + +### Parameter: `privateLinkServiceNetworkPolicies` + +enable or disable apply network policies on private link service in the subnet. +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Disabled' + 'Enabled' + ] + ``` + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +Optional. The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalId` + +Required. 
The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.principalType` + +Optional. The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `routeTableId` + +The resource ID of the route table to assign to the subnet. +- Required: No +- Type: string +- Default: `''` + +### Parameter: `serviceEndpointPolicies` + +An array of service endpoint policies. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `serviceEndpoints` + +The service endpoints to enable on the subnet. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `virtualNetworkName` + +The name of the parent virtual network. Required if the template is used in a standalone deployment. +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the virtual network peering. | +| `resourceGroupName` | string | The resource group the virtual network peering was deployed into. | +| `resourceId` | string | The resource ID of the virtual network peering. | +| `subnetAddressPrefix` | string | The address prefix for the subnet. | +| `subnetAddressPrefixes` | array | List of address prefixes for the subnet. | + +## Cross-referenced modules + +_None_ + +## Notes + +The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). 
Default Value when not specified is "Enabled". diff --git a/modules/network/virtual-network/subnet/main.json b/modules/network/virtual-network/subnet/main.json index 35790fa29b..c7f51d4570 100644 --- a/modules/network/virtual-network/subnet/main.json +++ b/modules/network/virtual-network/subnet/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17180599685720534663" + "version": "0.23.1.45101", + "templateHash": "10049142602469906602" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", diff --git a/modules/network/virtual-network/virtual-network-peering/main.json b/modules/network/virtual-network/virtual-network-peering/main.json index a7efe2dec6..3308100208 100644 --- a/modules/network/virtual-network/virtual-network-peering/main.json +++ b/modules/network/virtual-network/virtual-network-peering/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18346996432273628410" + "version": "0.23.1.45101", + "templateHash": "17147360311358108540" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering.", From 0fc6f67ab937fe286359e1b2394393812e7dd763 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Sun, 19 Nov 2023 20:32:08 +0100 Subject: [PATCH 116/178] [Fixes] Address BlobServices linter warning (#4262) * Updated SA * Update to latest --- .../storage-account/blob-service/README.md | 8 +--- .../container/immutability-policy/main.json | 4 +- .../blob-service/container/main.json | 8 ++-- .../storage-account/blob-service/main.bicep | 30 ++++++------- .../storage-account/blob-service/main.json | 36 +++++++-------- .../storage-account/file-service/main.json | 8 ++-- .../file-service/share/main.json | 4 +- .../storage-account/local-user/main.json | 4 +- modules/storage/storage-account/main.bicep | 8 ++-- modules/storage/storage-account/main.json | 44 ++++++++++--------- .../management-policy/main.json | 4 +- .../storage-account/queue-service/main.json | 8 ++-- .../queue-service/queue/main.json | 4 +- .../storage-account/table-service/main.json | 8 ++-- .../table-service/table/main.json | 4 +- 15 files changed, 87 insertions(+), 95 deletions(-) diff --git a/modules/storage/storage-account/blob-service/README.md b/modules/storage/storage-account/blob-service/README.md index 319a320e0b..6e8044ec03 100644 --- a/modules/storage/storage-account/blob-service/README.md +++ b/modules/storage/storage-account/blob-service/README.md 
@@ -47,7 +47,7 @@ This module deploys a Storage Account Blob Service. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`isVersioningEnabled`](#parameter-isversioningenabled) | bool | Use versioning to automatically maintain previous versions of your blobs. | | [`lastAccessTimeTrackingPolicyEnabled`](#parameter-lastaccesstimetrackingpolicyenabled) | bool | The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. | -| [`restorePolicyDays`](#parameter-restorepolicydays) | int | how long this blob can be restored. It should be less than DeleteRetentionPolicy days. | +| [`restorePolicyDays`](#parameter-restorepolicydays) | int | How long this blob can be restored. It should be less than DeleteRetentionPolicy days. | | [`restorePolicyEnabled`](#parameter-restorepolicyenabled) | bool | The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. | ### Parameter: `automaticSnapshotPolicyEnabled` @@ -69,7 +69,6 @@ The blob service properties for change feed events. Indicates whether change fee Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. - Required: No - Type: int -- Default: `7` ### Parameter: `containerDeleteRetentionPolicyAllowPermanentDelete` @@ -83,7 +82,6 @@ This property when set to true allows deletion of the soft deleted blob versions Indicates the number of days that the deleted item should be retained. - Required: No - Type: int -- Default: `7` ### Parameter: `containerDeleteRetentionPolicyEnabled` 
@@ -125,7 +123,6 @@ This property when set to true allows deletion of the soft deleted blob versions Indicates the number of days that the deleted blob should be retained. - Required: No - Type: int -- Default: `7` ### Parameter: `deleteRetentionPolicyEnabled` @@ -272,10 +269,9 @@ The blob service property to configure last access time based tracking policy. W ### Parameter: `restorePolicyDays` -how long this blob can be restored. It should be less than DeleteRetentionPolicy days. +How long this blob can be restored. It should be less than DeleteRetentionPolicy days. - Required: No - Type: int -- Default: `6` ### Parameter: `restorePolicyEnabled` diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json index 8f5f095161..1e1265cebb 100644 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json +++ b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5294108325383402237" + "version": "0.23.1.45101", + "templateHash": "11642031800707172818" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json index 9eea0c53ae..c3e17f7ae9 100644 --- a/modules/storage/storage-account/blob-service/container/main.json +++ b/modules/storage/storage-account/blob-service/container/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15140230336138320985" + "version": "0.23.1.45101", + "templateHash": "11413707823135400961" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -302,8 +302,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5294108325383402237" + "version": "0.23.1.45101", + "templateHash": "11642031800707172818" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/blob-service/main.bicep b/modules/storage/storage-account/blob-service/main.bicep index 21f02d6049..114c0ece36 100644 --- a/modules/storage/storage-account/blob-service/main.bicep +++ b/modules/storage/storage-account/blob-service/main.bicep @@ -15,7 +15,7 @@ param changeFeedEnabled bool = true @minValue(0) @maxValue(146000) @description('Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed.') -param changeFeedRetentionInDays int = 7 +param changeFeedRetentionInDays int? @description('Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled.') param containerDeleteRetentionPolicyEnabled bool = true 
@@ -23,7 +23,7 @@ param containerDeleteRetentionPolicyEnabled bool = true
 @minValue(1)
 @maxValue(365)
 @description('Optional. Indicates the number of days that the deleted item should be retained.')
-param containerDeleteRetentionPolicyDays int = 7
+param containerDeleteRetentionPolicyDays int?
 
 @description('Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share.')
 param containerDeleteRetentionPolicyAllowPermanentDelete bool = false
@@ -40,7 +40,7 @@ param deleteRetentionPolicyEnabled bool = true
 @minValue(1)
 @maxValue(365)
 @description('Optional. Indicates the number of days that the deleted blob should be retained.')
-param deleteRetentionPolicyDays int = 7
+param deleteRetentionPolicyDays int?
 
 @description('Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share.')
 param deleteRetentionPolicyAllowPermanentDelete bool = false
@@ -55,8 +55,8 @@ param lastAccessTimeTrackingPolicyEnabled bool = false
 param restorePolicyEnabled bool = true
 
 @minValue(1)
-@description('Optional. how long this blob can be restored. It should be less than DeleteRetentionPolicy days.')
-param restorePolicyDays int = 6
+@description('Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days.')
+param restorePolicyDays int?
 
 @description('Optional. Blob containers to create.')
 param containers array = []
@@ -93,13 +93,13 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01
   parent: storageAccount
   properties: {
     automaticSnapshotPolicyEnabled: automaticSnapshotPolicyEnabled
-    changeFeed: {
-      enabled: changeFeedEnabled
-      retentionInDays: changeFeedEnabled == true ? (changeFeedRetentionInDays != 0 ? changeFeedRetentionInDays : null) : null
-    }
+    changeFeed: changeFeedEnabled ? {
+      enabled: true
+      retentionInDays: changeFeedRetentionInDays
+    } : null
     containerDeleteRetentionPolicy: {
       enabled: containerDeleteRetentionPolicyEnabled
-      days: containerDeleteRetentionPolicyEnabled == true ? containerDeleteRetentionPolicyDays : null
+      days: containerDeleteRetentionPolicyDays
       allowPermanentDelete: containerDeleteRetentionPolicyEnabled == true ? containerDeleteRetentionPolicyAllowPermanentDelete : null
     }
     cors: {
@@ -108,7 +108,7 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01
     defaultServiceVersion: !empty(defaultServiceVersion) ? defaultServiceVersion : null
     deleteRetentionPolicy: {
       enabled: deleteRetentionPolicyEnabled
-      days: deleteRetentionPolicyEnabled == true ? deleteRetentionPolicyDays : null
+      days: deleteRetentionPolicyDays
       allowPermanentDelete: deleteRetentionPolicyEnabled && deleteRetentionPolicyAllowPermanentDelete ? true : null
     }
     isVersioningEnabled: isVersioningEnabled
@@ -117,10 +117,10 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01
       name: lastAccessTimeTrackingPolicyEnabled == true ? 'AccessTimeTracking' : null
       trackingGranularityInDays: lastAccessTimeTrackingPolicyEnabled == true ? 1 : null
     }
-    restorePolicy: {
-      enabled: restorePolicyEnabled
-      days: restorePolicyEnabled == true ? restorePolicyDays : null
-    }
+    restorePolicy: restorePolicyEnabled ? {
+      enabled: true
+      days: restorePolicyDays
+    } : null
   }
 }
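Review bot: The new `retentionInDays: changeFeedRetentionInDays` drops the `!= 0 ? … : null` mapping that the removed line applied, while the parameter (in the `@@ -15` hunk above) still carries `@minValue(0)` and a description saying a "0" value means infinite retention of the change feed. If the service treats 0 as out of range, as its documented minimum of 1 day suggests, a caller passing 0 now gets a deployment failure instead of an infinite feed; either restore the mapping, `retentionInDays: changeFeedRetentionInDays != 0 ? changeFeedRetentionInDays : null`, or tighten the parameter to `@minValue(1)` and rewrite its description so the contract and the template agree. In the same hunk `days: containerDeleteRetentionPolicyDays` is now sent even when `containerDeleteRetentionPolicyEnabled` is false, which the removed conditional deliberately avoided. The blobServices resource starts before this hunk and ends after it.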
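Review bot: With `days: deleteRetentionPolicyDays` now unconditional and the parameter changed to `int?` with no default (it was 7), the module's own defaults yield `deleteRetentionPolicy: { enabled: true, days: null }`, so the module no longer pins a retention window for blob soft delete, the control that bounds the damage from accidental or malicious deletion. Whether that is rejected by the resource provider or silently replaced by a service-chosen value cannot be told from this hunk, and the parent `storage-account/main.bicep` in the diffstat may be passing a value, so this is worth confirming rather than assuming. At minimum the parameter description should state what happens when it is omitted while `deleteRetentionPolicyEnabled` is true, e.g. `@description('Optional. Indicates the number of days that the deleted blob should be retained. If omitted while deleteRetentionPolicyEnabled is true, the service default applies.')` once that behaviour is verified; alternatively keep the guard `days: deleteRetentionPolicyEnabled ? deleteRetentionPolicyDays : null` so a disabled policy never carries a stale value. The enclosing resource starts before and ends after this hunk.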
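Review bot: `restorePolicy: restorePolicyEnabled ? { … } : null` omits the property entirely when point-in-time restore is disabled, whereas the removed lines sent `enabled: false` explicitly; on a redeploy over an existing account whose restore policy was previously enabled, an omitted property may leave it enabled rather than turn it off (the `changeFeed` rewrite in the `@@ -93` hunk has the same shape), so the module may lose the ability to disable these features — confirm against the provider's PUT semantics before relying on it. Separately, `restorePolicyDays` lost its default of 6 and `deleteRetentionPolicyDays` its default of 7, so the "should be less than DeleteRetentionPolicy days" relationship in the description is no longer guaranteed by defaults and both values now have to be supplied consistently by every caller. Consider keeping an always-present object with `enabled: restorePolicyEnabled` and a conditional `days`, or documenting in the README that callers enabling restore must set both day counts with `restorePolicyDays < deleteRetentionPolicyDays`. The enclosing resource starts before this hunk.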
diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json index fe57c8019f..0635d9a154 100644 --- a/modules/storage/storage-account/blob-service/main.json +++ b/modules/storage/storage-account/blob-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3026533312164325767" + "version": "0.23.1.45101", + "templateHash": "18255279964987657305" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -144,7 +144,7 @@ }, "changeFeedRetentionInDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 0, "maxValue": 146000, "metadata": { @@ -160,7 +160,7 @@ }, "containerDeleteRetentionPolicyDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 1, "maxValue": 365, "metadata": { @@ -197,7 +197,7 @@ }, "deleteRetentionPolicyDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 1, "maxValue": 365, "metadata": { @@ -234,10 +234,10 @@ }, "restorePolicyDays": { "type": "int", - "defaultValue": 6, + "nullable": true, "minValue": 1, "metadata": { - "description": "Optional. how long this blob can be restored. It should be less than DeleteRetentionPolicy days." + "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." } }, "containers": { 
@@ -292,13 +292,10 @@ "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", "properties": { "automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]", - "changeFeed": { - "enabled": "[parameters('changeFeedEnabled')]", - "retentionInDays": "[if(equals(parameters('changeFeedEnabled'), true()), if(not(equals(parameters('changeFeedRetentionInDays'), 0)), parameters('changeFeedRetentionInDays'), null()), null())]" - }, + "changeFeed": "[if(parameters('changeFeedEnabled'), createObject('enabled', true(), 'retentionInDays', parameters('changeFeedRetentionInDays')), null())]", "containerDeleteRetentionPolicy": { "enabled": "[parameters('containerDeleteRetentionPolicyEnabled')]", - "days": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyDays'), null())]", + "days": "[parameters('containerDeleteRetentionPolicyDays')]", "allowPermanentDelete": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyAllowPermanentDelete'), null())]" }, "cors": { @@ -307,7 +304,7 @@ "defaultServiceVersion": "[if(not(empty(parameters('defaultServiceVersion'))), parameters('defaultServiceVersion'), null())]", "deleteRetentionPolicy": { "enabled": "[parameters('deleteRetentionPolicyEnabled')]", - "days": "[if(equals(parameters('deleteRetentionPolicyEnabled'), true()), parameters('deleteRetentionPolicyDays'), null())]", + "days": "[parameters('deleteRetentionPolicyDays')]", "allowPermanentDelete": "[if(and(parameters('deleteRetentionPolicyEnabled'), parameters('deleteRetentionPolicyAllowPermanentDelete')), true(), null())]" }, "isVersioningEnabled": "[parameters('isVersioningEnabled')]", 
@@ -316,10 +313,7 @@ "name": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 'AccessTimeTracking', null())]", "trackingGranularityInDays": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 1, null())]" }, - "restorePolicy": { - "enabled": "[parameters('restorePolicyEnabled')]", - "days": "[if(equals(parameters('restorePolicyEnabled'), true()), parameters('restorePolicyDays'), null())]" - } + "restorePolicy": "[if(parameters('restorePolicyEnabled'), createObject('enabled', true(), 'days', parameters('restorePolicyDays')), null())]" }, "dependsOn": [ "storageAccount" @@ -388,8 +382,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15140230336138320985" + "version": "0.23.1.45101", + "templateHash": "11413707823135400961" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -685,8 +679,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5294108325383402237" + "version": "0.23.1.45101", + "templateHash": "11642031800707172818" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index 0c3f269cbc..204b5b8f35 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5811848536316127521" + "version": "0.23.1.45101", + "templateHash": "6280006322501716234" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", 
@@ -271,8 +271,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6928373168012003070" + "version": "0.23.1.45101", + "templateHash": "15538733704323873805" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json index 99d21e926d..a3fcfe5179 100644 --- a/modules/storage/storage-account/file-service/share/main.json +++ b/modules/storage/storage-account/file-service/share/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6928373168012003070" + "version": "0.23.1.45101", + "templateHash": "15538733704323873805" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", diff --git a/modules/storage/storage-account/local-user/main.json b/modules/storage/storage-account/local-user/main.json index 274d270140..aa6273caf6 100644 --- a/modules/storage/storage-account/local-user/main.json +++ b/modules/storage/storage-account/local-user/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17857562856314258952" + "version": "0.23.1.45101", + "templateHash": "11792662730124549359" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index 5c567942e0..2c8f1cdacb 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep 
@@ -402,19 +402,19 @@ module storageAccount_blobServices 'blob-service/main.bicep' = if (!empty(blobSe containers: contains(blobServices, 'containers') ? blobServices.containers : [] automaticSnapshotPolicyEnabled: contains(blobServices, 'automaticSnapshotPolicyEnabled') ? blobServices.automaticSnapshotPolicyEnabled : false changeFeedEnabled: contains(blobServices, 'changeFeedEnabled') ? blobServices.changeFeedEnabled : false - changeFeedRetentionInDays: contains(blobServices, 'changeFeedRetentionInDays') ? blobServices.changeFeedRetentionInDays : 7 + changeFeedRetentionInDays: blobServices.?changeFeedRetentionInDays containerDeleteRetentionPolicyEnabled: contains(blobServices, 'containerDeleteRetentionPolicyEnabled') ? blobServices.containerDeleteRetentionPolicyEnabled : false - containerDeleteRetentionPolicyDays: contains(blobServices, 'containerDeleteRetentionPolicyDays') ? blobServices.containerDeleteRetentionPolicyDays : 7 + containerDeleteRetentionPolicyDays: blobServices.?containerDeleteRetentionPolicyDays containerDeleteRetentionPolicyAllowPermanentDelete: contains(blobServices, 'containerDeleteRetentionPolicyAllowPermanentDelete') ? blobServices.containerDeleteRetentionPolicyAllowPermanentDelete : false corsRules: contains(blobServices, 'corsRules') ? blobServices.corsRules : [] defaultServiceVersion: contains(blobServices, 'defaultServiceVersion') ? blobServices.defaultServiceVersion : '' deleteRetentionPolicyAllowPermanentDelete: contains(blobServices, 'deleteRetentionPolicyAllowPermanentDelete') ? blobServices.deleteRetentionPolicyAllowPermanentDelete : false deleteRetentionPolicyEnabled: contains(blobServices, 'deleteRetentionPolicyEnabled') ? blobServices.deleteRetentionPolicyEnabled : false - deleteRetentionPolicyDays: contains(blobServices, 'deleteRetentionPolicyDays') ? blobServices.deleteRetentionPolicyDays : 7 + deleteRetentionPolicyDays: blobServices.?deleteRetentionPolicyDays isVersioningEnabled: contains(blobServices, 'isVersioningEnabled') ? 
blobServices.isVersioningEnabled : false lastAccessTimeTrackingPolicyEnabled: contains(blobServices, 'lastAccessTimeTrackingPolicyEnabled') ? blobServices.lastAccessTimeTrackingPolicyEnabled : false restorePolicyEnabled: contains(blobServices, 'restorePolicyEnabled') ? blobServices.restorePolicyEnabled : false - restorePolicyDays: contains(blobServices, 'restorePolicyDays') ? blobServices.restorePolicyDays : 6 + restorePolicyDays: blobServices.?restorePolicyDays diagnosticSettings: blobServices.?diagnosticSettings enableDefaultTelemetry: enableReferencedModulesTelemetry } diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 10bde8951b..1eb678c07d 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12303802246802299756" + "templateHash": "7782694235197058482" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", 
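Review bot: The four rewritten lines switch to the safe-dereference form `blobServices.?changeFeedRetentionInDays` while every neighbouring argument in the same module call keeps the `contains(blobServices, 'x') ? blobServices.x : default` form, which leaves one block with two idioms for the same job and makes it easy to miss that these four no longer receive a default here. A one-line comment above the first of them, `// Retention day counts are nullable; omitted values reach blob-service/main.bicep as null`, would make that explicit, and converting the remaining `contains(...)` lookups to `.?` in a follow-up would restore consistency. Note that the parent previously injected 7 and 6 days when the caller omitted the values, so a `blobServices` object with `deleteRetentionPolicyEnabled: true` and no `deleteRetentionPolicyDays` now passes null through to the child. The enclosing module declaration starts and ends outside the hunk.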
@@ -1833,19 +1833,27 @@ "containers": "[if(contains(parameters('blobServices'), 'containers'), createObject('value', parameters('blobServices').containers), createObject('value', createArray()))]", "automaticSnapshotPolicyEnabled": "[if(contains(parameters('blobServices'), 'automaticSnapshotPolicyEnabled'), createObject('value', parameters('blobServices').automaticSnapshotPolicyEnabled), createObject('value', false()))]", "changeFeedEnabled": "[if(contains(parameters('blobServices'), 'changeFeedEnabled'), createObject('value', parameters('blobServices').changeFeedEnabled), createObject('value', false()))]", - "changeFeedRetentionInDays": "[if(contains(parameters('blobServices'), 'changeFeedRetentionInDays'), createObject('value', parameters('blobServices').changeFeedRetentionInDays), createObject('value', 7))]", + "changeFeedRetentionInDays": { + "value": "[tryGet(parameters('blobServices'), 'changeFeedRetentionInDays')]" + }, "containerDeleteRetentionPolicyEnabled": "[if(contains(parameters('blobServices'), 'containerDeleteRetentionPolicyEnabled'), createObject('value', parameters('blobServices').containerDeleteRetentionPolicyEnabled), createObject('value', false()))]", - "containerDeleteRetentionPolicyDays": "[if(contains(parameters('blobServices'), 'containerDeleteRetentionPolicyDays'), createObject('value', parameters('blobServices').containerDeleteRetentionPolicyDays), createObject('value', 7))]", + "containerDeleteRetentionPolicyDays": { + "value": "[tryGet(parameters('blobServices'), 'containerDeleteRetentionPolicyDays')]" + }, "containerDeleteRetentionPolicyAllowPermanentDelete": "[if(contains(parameters('blobServices'), 'containerDeleteRetentionPolicyAllowPermanentDelete'), createObject('value', parameters('blobServices').containerDeleteRetentionPolicyAllowPermanentDelete), createObject('value', false()))]", "corsRules": "[if(contains(parameters('blobServices'), 'corsRules'), createObject('value', parameters('blobServices').corsRules), 
createObject('value', createArray()))]", "defaultServiceVersion": "[if(contains(parameters('blobServices'), 'defaultServiceVersion'), createObject('value', parameters('blobServices').defaultServiceVersion), createObject('value', ''))]", "deleteRetentionPolicyAllowPermanentDelete": "[if(contains(parameters('blobServices'), 'deleteRetentionPolicyAllowPermanentDelete'), createObject('value', parameters('blobServices').deleteRetentionPolicyAllowPermanentDelete), createObject('value', false()))]", "deleteRetentionPolicyEnabled": "[if(contains(parameters('blobServices'), 'deleteRetentionPolicyEnabled'), createObject('value', parameters('blobServices').deleteRetentionPolicyEnabled), createObject('value', false()))]", - "deleteRetentionPolicyDays": "[if(contains(parameters('blobServices'), 'deleteRetentionPolicyDays'), createObject('value', parameters('blobServices').deleteRetentionPolicyDays), createObject('value', 7))]", + "deleteRetentionPolicyDays": { + "value": "[tryGet(parameters('blobServices'), 'deleteRetentionPolicyDays')]" + }, "isVersioningEnabled": "[if(contains(parameters('blobServices'), 'isVersioningEnabled'), createObject('value', parameters('blobServices').isVersioningEnabled), createObject('value', false()))]", "lastAccessTimeTrackingPolicyEnabled": "[if(contains(parameters('blobServices'), 'lastAccessTimeTrackingPolicyEnabled'), createObject('value', parameters('blobServices').lastAccessTimeTrackingPolicyEnabled), createObject('value', false()))]", "restorePolicyEnabled": "[if(contains(parameters('blobServices'), 'restorePolicyEnabled'), createObject('value', parameters('blobServices').restorePolicyEnabled), createObject('value', false()))]", - "restorePolicyDays": "[if(contains(parameters('blobServices'), 'restorePolicyDays'), createObject('value', parameters('blobServices').restorePolicyDays), createObject('value', 6))]", + "restorePolicyDays": { + "value": "[tryGet(parameters('blobServices'), 'restorePolicyDays')]" + }, "diagnosticSettings": { 
"value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" }, @@ -1861,7 +1869,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2468823120254808431" + "templateHash": "18255279964987657305" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -1999,7 +2007,7 @@ }, "changeFeedRetentionInDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 0, "maxValue": 146000, "metadata": { @@ -2015,7 +2023,7 @@ }, "containerDeleteRetentionPolicyDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 1, "maxValue": 365, "metadata": { @@ -2052,7 +2060,7 @@ }, "deleteRetentionPolicyDays": { "type": "int", - "defaultValue": 7, + "nullable": true, "minValue": 1, "maxValue": 365, "metadata": { @@ -2089,10 +2097,10 @@ }, "restorePolicyDays": { "type": "int", - "defaultValue": 6, + "nullable": true, "minValue": 1, "metadata": { - "description": "Optional. how long this blob can be restored. It should be less than DeleteRetentionPolicy days." + "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." } }, "containers": { 
@@ -2147,13 +2155,10 @@ "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", "properties": { "automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]", - "changeFeed": { - "enabled": "[parameters('changeFeedEnabled')]", - "retentionInDays": "[if(equals(parameters('changeFeedEnabled'), true()), if(not(equals(parameters('changeFeedRetentionInDays'), 0)), parameters('changeFeedRetentionInDays'), null()), null())]" - }, + "changeFeed": "[if(parameters('changeFeedEnabled'), createObject('enabled', true(), 'retentionInDays', parameters('changeFeedRetentionInDays')), null())]", "containerDeleteRetentionPolicy": { "enabled": "[parameters('containerDeleteRetentionPolicyEnabled')]", - "days": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyDays'), null())]", + "days": "[parameters('containerDeleteRetentionPolicyDays')]", "allowPermanentDelete": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyAllowPermanentDelete'), null())]" }, "cors": { @@ -2162,7 +2167,7 @@ "defaultServiceVersion": "[if(not(empty(parameters('defaultServiceVersion'))), parameters('defaultServiceVersion'), null())]", "deleteRetentionPolicy": { "enabled": "[parameters('deleteRetentionPolicyEnabled')]", - "days": "[if(equals(parameters('deleteRetentionPolicyEnabled'), true()), parameters('deleteRetentionPolicyDays'), null())]", + "days": "[parameters('deleteRetentionPolicyDays')]", "allowPermanentDelete": "[if(and(parameters('deleteRetentionPolicyEnabled'), parameters('deleteRetentionPolicyAllowPermanentDelete')), true(), null())]" }, "isVersioningEnabled": "[parameters('isVersioningEnabled')]", 
@@ -2171,10 +2176,7 @@ "name": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 'AccessTimeTracking', null())]", "trackingGranularityInDays": "[if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 1, null())]" }, - "restorePolicy": { - "enabled": "[parameters('restorePolicyEnabled')]", - "days": "[if(equals(parameters('restorePolicyEnabled'), true()), parameters('restorePolicyDays'), null())]" - } + "restorePolicy": "[if(parameters('restorePolicyEnabled'), createObject('enabled', true(), 'days', parameters('restorePolicyDays')), null())]" }, "dependsOn": [ "storageAccount" diff --git a/modules/storage/storage-account/management-policy/main.json b/modules/storage/storage-account/management-policy/main.json index f559e2b86a..ab33a27862 100644 --- a/modules/storage/storage-account/management-policy/main.json +++ b/modules/storage/storage-account/management-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7686888659208772167" + "version": "0.23.1.45101", + "templateHash": "9776092818963506976" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index 95aa83129a..5e5e605312 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6394050552796909716" + "version": "0.23.1.45101", + "templateHash": "1159938655127712786" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", 
@@ -239,8 +239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13802487373528262992" + "version": "0.23.1.45101", + "templateHash": "6271299191275064402" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json index 60d8e0c5bb..46144b8293 100644 --- a/modules/storage/storage-account/queue-service/queue/main.json +++ b/modules/storage/storage-account/queue-service/queue/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13802487373528262992" + "version": "0.23.1.45101", + "templateHash": "6271299191275064402" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", diff --git a/modules/storage/storage-account/table-service/main.json b/modules/storage/storage-account/table-service/main.json index 4bde0ded71..a5c64493b1 100644 --- a/modules/storage/storage-account/table-service/main.json +++ b/modules/storage/storage-account/table-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15951116507662113563" + "version": "0.23.1.45101", + "templateHash": "4505205701529964174" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", @@ -236,8 +236,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2215203998686662901" + "version": "0.23.1.45101", + "templateHash": "10703796356093627612" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", 
diff --git a/modules/storage/storage-account/table-service/table/main.json b/modules/storage/storage-account/table-service/table/main.json index 62a6eae7ba..07b25e405f 100644 --- a/modules/storage/storage-account/table-service/table/main.json +++ b/modules/storage/storage-account/table-service/table/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2215203998686662901" + "version": "0.23.1.45101", + "templateHash": "10703796356093627612" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", From 9d9f984e5c95b4a37bc89a5cc1dfd9212c1d1255 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 21 Nov 2023 07:44:22 +0100 Subject: [PATCH 117/178] Added MOVED-TO-AVM.md for `search/search-service` module (#4267) * Added MOVED-TO-AVM * Added MOVED-TO-AVM * removed insights/component from branch --- modules/search/search-service/MOVED-TO-AVM.md | 1 + modules/search/search-service/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/search/search-service/MOVED-TO-AVM.md diff --git a/modules/search/search-service/MOVED-TO-AVM.md b/modules/search/search-service/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/search/search-service/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 94d3e8eeff..e9fb57b2d2 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md 
@@ -1,5 +1,7 @@ # Search Services `[Microsoft.Search/searchServices]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Search Service. ## Navigation From 68346b7af06f0e5435a7aabef5fb04f9ddd56fb0 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 21 Nov 2023 07:45:07 +0100 Subject: [PATCH 118/178] Added MOVED-TO-AVM (#4269) --- modules/insights/component/MOVED-TO-AVM.md | 1 + modules/insights/component/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/insights/component/MOVED-TO-AVM.md diff --git a/modules/insights/component/MOVED-TO-AVM.md b/modules/insights/component/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/insights/component/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index d3ae5f6d37..49d3a6a122 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -1,5 +1,7 @@ # Application Insights `[Microsoft.Insights/components]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This component deploys an Application Insights instance. ## Navigation From 34e96101f1827a241c46dd2ebd08f8e493ea90ba Mon Sep 17 00:00:00 2001 
From: Kris Baranek Date: Tue, 21 Nov 2023 17:24:43 +0100 Subject: [PATCH 119/178] Added MOVED-TO-AVM (#4272) --- modules/sql/server/MOVED-TO-AVM.md | 1 + modules/sql/server/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/sql/server/MOVED-TO-AVM.md diff --git a/modules/sql/server/MOVED-TO-AVM.md b/modules/sql/server/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/sql/server/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index d8d6740394..cb747eaee9 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -1,5 +1,7 @@ # Azure SQL Servers `[Microsoft.Sql/servers]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Azure SQL Server. ## Navigation From 1fb163e45810d6dd01c2efdeeae027d3d53e73ba Mon Sep 17 00:00:00 2001 
From: aadev1 <39670555+aadev1@users.noreply.github.com> Date: Tue, 21 Nov 2023 16:28:56 +0000 Subject: [PATCH 120/178] The current version of flux configuration 2022-03-01 doesn't add Postbuild substitution variables (#4142) * Updated flux configuration version to 2023-05-01 * Update readme and generate main.json * Add kustomization settings to tests * Update readme and generate main.json --------- Co-authored-by: Asad Arif --- .../extension/tests/e2e/max/main.test.bicep | 10 ++ .../tests/e2e/waf-aligned/main.test.bicep | 10 ++ .../flux-configuration/README.md | 129 +++++++++++------- .../flux-configuration/main.bicep | 8 +- .../flux-configuration/main.json | 9 +- .../tests/e2e/defaults/main.test.bicep | 16 +++ 6 files changed, 125 insertions(+), 57 deletions(-) diff --git a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep index 2e89b688c5..bed927f07f 100644 --- a/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/max/main.test.bicep @@ -79,6 +79,16 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } } ] } diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep index c4d96b2b40..79318166b8 100644 --- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep 
@@ -79,6 +79,16 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } } ] } diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 31ff175b92..2da23ceb45 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -17,7 +17,7 @@ This module deploys a Kubernetes Configuration Flux Configuration. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | ## Usage examples @@ -46,6 +46,22 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu params: { // Required parameters clusterName: '' + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + postBuild: { + substitute: { + TEST_VAR1: 'foo' + TEST_VAR2: 'bar' + } + } + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } name: 'kcfcmin001' namespace: 'flux-system' sourceKind: 'GitRepository' 
@@ -80,6 +96,24 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "clusterName": { "value": "" }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "postBuild": { + "substitute": { + "TEST_VAR1": "foo", + "TEST_VAR2": "bar" + } + }, + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } + }, "name": { "value": "kcfcmin001" }, @@ -126,6 +160,16 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu params: { // Required parameters clusterName: '' + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } name: 'kcfcmax001' namespace: 'flux-system' sourceKind: 'GitRepository' @@ -140,16 +184,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } } } ``` @@ -170,6 +204,18 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "clusterName": { "value": "" }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } + }, "name": { "value": "kcfcmax001" }, @@ -193,18 +239,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" } - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } } } } 
@@ -228,6 +262,16 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu params: { // Required parameters clusterName: '' + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } name: 'kcfcwaf001' namespace: 'flux-system' sourceKind: 'GitRepository' @@ -242,16 +286,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } - kustomizations: { - unified: { - dependsOn: [] - force: false - path: './cluster-manifests' - prune: true - syncIntervalInSeconds: 300 - timeoutInSeconds: 300 - } - } } } ``` @@ -272,6 +306,18 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "clusterName": { "value": "" }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } + }, "name": { "value": "kcfcwaf001" }, @@ -295,18 +341,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" } - }, - "kustomizations": { - "value": { - "unified": { - "dependsOn": [], - "force": false, - "path": "./cluster-manifests", - "prune": true, - "syncIntervalInSeconds": 300, - "timeoutInSeconds": 300 - } - } } } } 
@@ -323,6 +357,7 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu | Parameter | Type | Description | | :-- | :-- | :-- | | [`clusterName`](#parameter-clustername) | string | The name of the AKS cluster that should be configured. | +| [`kustomizations`](#parameter-kustomizations) | object | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | | [`name`](#parameter-name) | string | The name of the Flux Configuration. | | [`namespace`](#parameter-namespace) | string | The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | | [`scope`](#parameter-scope) | string | Scope at which the configuration will be installed. | @@ -336,7 +371,6 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu | [`configurationProtectedSettings`](#parameter-configurationprotectedsettings) | secureObject | Key-value pairs of protected configuration settings for the configuration. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`gitRepository`](#parameter-gitrepository) | object | Parameters to reconcile to the GitRepository source kind type. | -| [`kustomizations`](#parameter-kustomizations) | object | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | | [`location`](#parameter-location) | string | Location for all resources. | | [`suspend`](#parameter-suspend) | bool | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | @@ -377,9 +411,8 @@ Parameters to reconcile to the GitRepository source kind type. ### Parameter: `kustomizations` Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. -- Required: No +- Required: Yes - Type: object -- Default: `{}` ### Parameter: `location` 
diff --git a/modules/kubernetes-configuration/flux-configuration/main.bicep b/modules/kubernetes-configuration/flux-configuration/main.bicep
index 8e10734dae..cc2a29c4d0 100644
--- a/modules/kubernetes-configuration/flux-configuration/main.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/main.bicep
@@ -24,8 +24,8 @@ param configurationProtectedSettings object = {}
 @description('Optional. Parameters to reconcile to the GitRepository source kind type.')
 param gitRepository object = {}
 
-@description('Optional. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster.')
-param kustomizations object = {}
+@description('Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster.')
+param kustomizations object
 
 @description('Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only.')
 param namespace string
@@ -63,14 +63,14 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-07-01'
 name: clusterName
 }
 
-resource fluxConfiguration 'Microsoft.KubernetesConfiguration/fluxConfigurations@2022-03-01' = {
+resource fluxConfiguration 'Microsoft.KubernetesConfiguration/fluxConfigurations@2023-05-01' = {
 name: name
 scope: managedCluster
 properties: {
 bucket: !empty(bucket) ? bucket : null
 configurationProtectedSettings: !empty(configurationProtectedSettings) ? configurationProtectedSettings : {}
 gitRepository: !empty(gitRepository) ? gitRepository : null
- kustomizations: !empty(kustomizations) ? kustomizations : {}
+ kustomizations: kustomizations
 namespace: namespace
 scope: scope
 sourceKind: sourceKind
diff --git a/modules/kubernetes-configuration/flux-configuration/main.json b/modules/kubernetes-configuration/flux-configuration/main.json
index 31cd5d44ab..e8e9b2bf1d 100644
--- a/modules/kubernetes-configuration/flux-configuration/main.json
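Review bot: The new description still calls `kustomizations` an "Array", but the parameter is declared `param kustomizations object` and every example in this patch passes a map keyed by kustomization name (`kustomizations: { unified: { … } }`), so the README text generated from it misstates the one thing a caller now has to get right for a required parameter. Suggest `@description('Required. Dictionary of kustomizations, keyed by kustomization name, used to reconcile the artifact pulled by the source type on the cluster.')`. Removing the `= {}` default is also a breaking change for every existing consumer of this module, which the commit message does not mention; it should be called out or paired with a version bump. Nothing in the second hunk rejects an empty `{}` either (`kustomizations: kustomizations` is passed straight through), so presumably a caller can still deploy a Flux configuration that reconciles nothing — worth stating in the description that at least one kustomization is expected.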
+++ b/modules/kubernetes-configuration/flux-configuration/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8985718648814286209"
+ "templateHash": "10031296768791737313"
 },
 "name": "Kubernetes Configuration Flux Configurations",
 "description": "This module deploys a Kubernetes Configuration Flux Configuration.",
@@ -61,9 +61,8 @@
 },
 "kustomizations": {
 "type": "object",
- "defaultValue": {},
 "metadata": {
- "description": "Optional. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster."
+ "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster."
 }
 },
 "namespace": {
@@ -117,14 +116,14 @@
 },
 {
 "type": "Microsoft.KubernetesConfiguration/fluxConfigurations",
- "apiVersion": "2022-03-01",
+ "apiVersion": "2023-05-01",
 "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]",
 "name": "[parameters('name')]",
 "properties": {
 "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]",
 "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]",
 "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]",
- "kustomizations": "[if(not(empty(parameters('kustomizations'))), parameters('kustomizations'), createObject())]",
+ "kustomizations": "[parameters('kustomizations')]",
 "namespace": "[parameters('namespace')]",
 "scope": "[parameters('scope')]",
 "sourceKind": "[parameters('sourceKind')]",
diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
index 1e633b5bd0..55fa46533f 100644
--- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
+++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/defaults/main.test.bicep
@@ -68,5 +68,21 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 timeoutInSeconds: 180
 url: 'https://github.com/mspnp/aks-baseline'
 }
+ kustomizations: {
+ unified: {
+ dependsOn: []
+ force: false
+ path: './cluster-manifests'
+ prune: true
+ syncIntervalInSeconds: 300
+ timeoutInSeconds: 300
+ postBuild: {
+ substitute: {
+ TEST_VAR1: 'foo'
+ TEST_VAR2: 'bar'
+ }
+ }
+ }
+ }
 }
 }]
From 73fd500f3b2c7d8c91edf8d4ee57ab0c4c7fff57 Mon Sep 17 00:00:00 2001
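Review bot: The `defaults` scenario now carries the only `postBuild.substitute` block in this patch (`TEST_VAR1: 'foo'`, `TEST_VAR2: 'bar'`), while the `max` and `waf-aligned` examples omit `postBuild` entirely, which inverts the usual minimal/maximal split; if substitution is meant to be covered, move it to `max` and keep the bare `unified` kustomization here. Because `kustomizations` is a plain `object` parameter (only `configurationProtectedSettings` is a `secureObject`), these substitution values are presumably recorded in deployment history and on the cluster in clear text, so a comment above the block would stop the next person from pasting a token in: `// substitute values are plain, non-secret config; secrets belong in configurationProtectedSettings`. The enclosing `module testDeployment` declaration starts before this hunk.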
From: Alexander Sehr Date: Tue, 21 Nov 2023 23:51:18 +0100 Subject: [PATCH 121/178] [Modules] Updated Role-Assignment schema & test cases (#4274) * Updated interface * Updated test cases * Update to latest * Removed unrelated tests * Removed changes from already migrated modules * Update to latest * Updated templates & readmes --- modules/aad/domain-service/README.md | 8 +- modules/aad/domain-service/main.bicep | 6 +- modules/aad/domain-service/main.json | 10 +- modules/analysis-services/server/README.md | 48 +++--- modules/analysis-services/server/main.bicep | 4 +- modules/analysis-services/server/main.json | 6 +- .../server/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/api-management/service/README.md | 48 +++--- modules/api-management/service/main.bicep | 6 +- modules/api-management/service/main.json | 8 +- .../service/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../configuration-store/README.md | 76 ++++++--- .../configuration-store/main.bicep | 8 +- .../configuration-store/main.json | 10 +- .../tests/e2e/encr/main.test.bicep | 12 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/app/container-app/README.md | 4 +- modules/app/container-app/main.bicep | 4 +- modules/app/container-app/main.json | 6 +- modules/app/job/README.md | 4 +- modules/app/job/main.bicep | 4 +- modules/app/job/main.json | 6 +- modules/app/managed-environment/README.md | 8 +- modules/app/managed-environment/main.bicep | 6 +- modules/app/managed-environment/main.json | 8 +- .../automation/automation-account/README.md | 52 +++--- .../automation/automation-account/main.bicep | 8 +- .../automation/automation-account/main.json | 10 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/cache/redis-enterprise/README.md | 52 +++--- modules/cache/redis-enterprise/main.bicep | 8 +- 
modules/cache/redis-enterprise/main.json | 10 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/cache/redis/README.md | 12 +- modules/cache/redis/main.bicep | 8 +- modules/cache/redis/main.json | 10 +- modules/cdn/profile/README.md | 72 ++++++--- modules/cdn/profile/main.bicep | 6 +- modules/cdn/profile/main.json | 8 +- .../cdn/profile/tests/e2e/afd/main.test.bicep | 12 +- .../cdn/profile/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/compute/availability-set/README.md | 48 +++--- modules/compute/availability-set/main.bicep | 6 +- modules/compute/availability-set/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/compute/disk-encryption-set/README.md | 72 ++++++--- .../compute/disk-encryption-set/main.bicep | 6 +- modules/compute/disk-encryption-set/main.json | 8 +- .../tests/e2e/accessPolicies/main.test.bicep | 12 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/compute/disk/README.md | 96 +++++++++--- modules/compute/disk/main.bicep | 6 +- modules/compute/disk/main.json | 8 +- .../disk/tests/e2e/image/main.test.bicep | 12 +- .../disk/tests/e2e/import/main.test.bicep | 12 +- .../disk/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/compute/gallery/README.md | 40 ++--- .../compute/gallery/application/main.bicep | 2 +- modules/compute/gallery/application/main.json | 6 +- modules/compute/gallery/image/main.bicep | 2 +- modules/compute/gallery/image/main.json | 6 +- modules/compute/gallery/main.bicep | 2 +- modules/compute/gallery/main.json | 12 +- .../gallery/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/compute/image/README.md | 48 +++--- modules/compute/image/main.bicep | 6 +- modules/compute/image/main.json | 8 +- .../image/tests/e2e/max/main.test.bicep | 12 +- 
.../tests/e2e/waf-aligned/main.test.bicep | 7 - .../proximity-placement-group/README.md | 48 +++--- .../proximity-placement-group/main.bicep | 6 +- .../proximity-placement-group/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../virtual-machine-scale-set/README.md | 8 +- .../virtual-machine-scale-set/main.bicep | 6 +- .../virtual-machine-scale-set/main.json | 8 +- modules/compute/virtual-machine/README.md | 56 ++++++- modules/compute/virtual-machine/main.bicep | 6 +- modules/compute/virtual-machine/main.json | 14 +- .../modules/nested_networkInterface.bicep | 4 +- .../tests/e2e/linux/main.test.bicep | 12 +- .../tests/e2e/windows/main.test.bicep | 12 +- modules/container-registry/registry/README.md | 52 +++--- .../container-registry/registry/main.bicep | 8 +- modules/container-registry/registry/main.json | 10 +- .../registry/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../managed-cluster/README.md | 58 +++++-- .../managed-cluster/main.bicep | 6 +- .../managed-cluster/main.json | 19 ++- .../tests/e2e/azure/main.test.bicep | 12 +- .../tests/e2e/kubenet/main.test.bicep | 12 +- modules/data-factory/factory/README.md | 52 +++--- modules/data-factory/factory/main.bicep | 8 +- modules/data-factory/factory/main.json | 10 +- .../factory/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../data-protection/backup-vault/README.md | 48 +++--- .../data-protection/backup-vault/main.bicep | 6 +- .../data-protection/backup-vault/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/databricks/access-connector/README.md | 48 +++--- .../databricks/access-connector/main.bicep | 6 +- modules/databricks/access-connector/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/databricks/workspace/README.md | 52 +++--- 
modules/databricks/workspace/main.bicep | 8 +- modules/databricks/workspace/main.json | 10 +- .../workspace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../db-for-my-sql/flexible-server/README.md | 28 +++- .../db-for-my-sql/flexible-server/main.bicep | 4 +- .../db-for-my-sql/flexible-server/main.json | 6 +- .../tests/e2e/private/main.test.bicep | 12 +- .../flexible-server/README.md | 8 +- .../flexible-server/main.bicep | 6 +- .../flexible-server/main.json | 8 +- .../application-group/README.md | 40 ++--- .../application-group/main.bicep | 2 +- .../application-group/main.json | 4 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../host-pool/README.md | 40 ++--- .../host-pool/main.bicep | 2 +- .../host-pool/main.json | 4 +- .../host-pool/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../scaling-plan/README.md | 40 ++--- .../scaling-plan/main.bicep | 2 +- .../scaling-plan/main.json | 4 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../workspace/README.md | 40 ++--- .../workspace/main.bicep | 2 +- .../workspace/main.json | 4 +- .../workspace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/dev-test-lab/lab/README.md | 44 +++--- modules/dev-test-lab/lab/main.bicep | 4 +- modules/dev-test-lab/lab/main.json | 30 ++-- .../lab/tests/e2e/max/main.test.bicep | 12 +- .../lab/tests/e2e/waf-aligned/main.test.bicep | 7 - .../digital-twins-instance/README.md | 8 +- .../digital-twins-instance/main.bicep | 6 +- .../digital-twins-instance/main.json | 8 +- .../document-db/database-account/README.md | 104 ++++++++++-- .../document-db/database-account/main.bicep | 6 +- .../document-db/database-account/main.json | 8 +- .../tests/e2e/gremlindb/main.test.bicep | 12 +- .../tests/e2e/mongodb/main.test.bicep | 12 +- .../tests/e2e/plain/main.test.bicep | 12 +- 
.../tests/e2e/sqldb/main.test.bicep | 12 +- modules/event-hub/namespace/README.md | 52 +++--- .../event-hub/namespace/eventhub/README.md | 8 +- .../event-hub/namespace/eventhub/main.bicep | 6 +- .../event-hub/namespace/eventhub/main.json | 18 +-- modules/event-hub/namespace/main.bicep | 8 +- modules/event-hub/namespace/main.json | 18 +-- .../namespace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/health-bot/health-bot/README.md | 48 +++--- modules/health-bot/health-bot/main.bicep | 6 +- modules/health-bot/health-bot/main.json | 8 +- .../health-bot/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/healthcare-apis/workspace/README.md | 48 +++--- .../workspace/fhirservice/README.md | 8 +- .../workspace/fhirservice/main.bicep | 6 +- .../workspace/fhirservice/main.json | 8 +- modules/healthcare-apis/workspace/main.bicep | 6 +- modules/healthcare-apis/workspace/main.json | 16 +- .../workspace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/insights/activity-log-alert/README.md | 48 +++--- .../insights/activity-log-alert/main.bicep | 6 +- modules/insights/activity-log-alert/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../data-collection-endpoint/README.md | 8 +- .../data-collection-endpoint/main.bicep | 6 +- .../data-collection-endpoint/main.json | 8 +- .../insights/data-collection-rule/main.bicep | 2 +- .../insights/data-collection-rule/main.json | 4 +- modules/insights/metric-alert/README.md | 48 +++--- modules/insights/metric-alert/main.bicep | 6 +- modules/insights/metric-alert/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/insights/private-link-scope/README.md | 52 +++--- .../insights/private-link-scope/main.bicep | 8 +- modules/insights/private-link-scope/main.json | 10 +- 
.../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../insights/scheduled-query-rule/README.md | 48 +++--- .../insights/scheduled-query-rule/main.bicep | 6 +- .../insights/scheduled-query-rule/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/insights/webtest/main.bicep | 2 +- modules/insights/webtest/main.json | 4 +- .../workspace/README.md | 40 ++--- .../workspace/main.bicep | 2 +- .../workspace/main.json | 8 +- .../workspace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../maintenance-configuration/README.md | 48 +++--- .../maintenance-configuration/main.bicep | 6 +- .../maintenance-configuration/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../user-assigned-identity/README.md | 48 +++--- .../user-assigned-identity/main.bicep | 6 +- .../user-assigned-identity/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/net-app/net-app-account/README.md | 56 ++++++- .../net-app-account/capacity-pool/README.md | 8 +- .../net-app-account/capacity-pool/main.bicep | 6 +- .../net-app-account/capacity-pool/main.json | 20 +-- .../capacity-pool/volume/README.md | 8 +- .../capacity-pool/volume/main.bicep | 6 +- .../capacity-pool/volume/main.json | 10 +- modules/net-app/net-app-account/main.bicep | 6 +- modules/net-app/net-app-account/main.json | 24 +-- .../tests/e2e/nfs3/main.test.bicep | 12 +- .../tests/e2e/nfs41/main.test.bicep | 12 +- modules/network/application-gateway/README.md | 52 +++--- .../network/application-gateway/main.bicep | 8 +- modules/network/application-gateway/main.json | 10 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../application-security-group/README.md | 48 +++--- .../application-security-group/main.bicep | 6 +- 
.../application-security-group/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/azure-firewall/README.md | 48 +++--- modules/network/azure-firewall/main.bicep | 6 +- modules/network/azure-firewall/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/bastion-host/README.md | 48 +++--- modules/network/bastion-host/main.bicep | 6 +- modules/network/bastion-host/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/ddos-protection-plan/README.md | 48 +++--- .../network/ddos-protection-plan/main.bicep | 6 +- .../network/ddos-protection-plan/main.json | 10 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/express-route-circuit/README.md | 48 +++--- .../network/express-route-circuit/main.bicep | 6 +- .../network/express-route-circuit/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/express-route-gateway/README.md | 48 +++--- .../network/express-route-gateway/main.bicep | 6 +- .../network/express-route-gateway/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../README.md | 48 +++--- .../main.bicep | 6 +- .../main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/front-door/README.md | 48 +++--- modules/network/front-door/main.bicep | 6 +- modules/network/front-door/main.json | 8 +- .../front-door/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/ip-group/README.md | 48 +++--- modules/network/ip-group/main.bicep | 6 +- modules/network/ip-group/main.json | 8 +- .../ip-group/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - 
.../network/local-network-gateway/README.md | 48 +++--- .../network/local-network-gateway/main.bicep | 6 +- .../network/local-network-gateway/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/nat-gateway/README.md | 72 ++++++--- modules/network/nat-gateway/main.bicep | 6 +- modules/network/nat-gateway/main.json | 16 +- .../nat-gateway/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/prefixCombined/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/network-manager/README.md | 40 ++--- modules/network/network-manager/main.bicep | 2 +- modules/network/network-manager/main.json | 32 ++-- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/network-security-group/README.md | 48 +++--- .../network/network-security-group/main.bicep | 6 +- .../network/network-security-group/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/network-watcher/README.md | 48 +++--- modules/network/network-watcher/main.bicep | 6 +- modules/network/network-watcher/main.json | 12 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/private-link-service/README.md | 8 +- .../network/private-link-service/main.bicep | 6 +- .../network/private-link-service/main.json | 8 +- modules/network/public-ip-prefix/README.md | 48 +++--- modules/network/public-ip-prefix/main.bicep | 6 +- modules/network/public-ip-prefix/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/service-endpoint-policy/README.md | 48 +++--- .../service-endpoint-policy/main.bicep | 6 +- .../network/service-endpoint-policy/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/trafficmanagerprofile/README.md | 48 +++--- 
.../network/trafficmanagerprofile/main.bicep | 6 +- .../network/trafficmanagerprofile/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../network/virtual-network-gateway/README.md | 32 +++- .../virtual-network-gateway/main.bicep | 6 +- .../network/virtual-network-gateway/main.json | 8 +- .../tests/e2e/aadvpn/main.test.bicep | 12 +- modules/network/virtual-network/README.md | 48 +++--- modules/network/virtual-network/main.bicep | 6 +- modules/network/virtual-network/main.json | 16 +- .../network/virtual-network/subnet/README.md | 8 +- .../network/virtual-network/subnet/main.bicep | 6 +- .../network/virtual-network/subnet/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/virtual-wan/README.md | 48 +++--- modules/network/virtual-wan/main.bicep | 6 +- modules/network/virtual-wan/main.json | 8 +- .../virtual-wan/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/network/vpn-site/README.md | 48 +++--- modules/network/vpn-site/main.bicep | 6 +- modules/network/vpn-site/main.json | 8 +- .../vpn-site/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/purview/account/README.md | 48 +++--- modules/purview/account/main.bicep | 6 +- modules/purview/account/main.json | 8 +- .../account/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/recovery-services/vault/README.md | 52 +++--- modules/recovery-services/vault/main.bicep | 8 +- modules/recovery-services/vault/main.json | 26 +-- .../vault/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/relay/namespace/README.md | 52 +++--- .../namespace/hybrid-connection/README.md | 8 +- .../namespace/hybrid-connection/main.bicep | 6 +- .../namespace/hybrid-connection/main.json | 14 +- modules/relay/namespace/main.bicep | 8 +- 
modules/relay/namespace/main.json | 26 +-- .../namespace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/relay/namespace/wcf-relay/README.md | 8 +- modules/relay/namespace/wcf-relay/main.bicep | 6 +- modules/relay/namespace/wcf-relay/main.json | 14 +- modules/resource-graph/query/README.md | 48 +++--- modules/resource-graph/query/main.bicep | 6 +- modules/resource-graph/query/main.json | 8 +- .../query/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/resources/resource-group/README.md | 48 +++--- modules/resources/resource-group/main.bicep | 6 +- modules/resources/resource-group/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/service-bus/namespace/README.md | 36 ++++- modules/service-bus/namespace/main.bicep | 8 +- modules/service-bus/namespace/main.json | 26 +-- modules/service-bus/namespace/queue/README.md | 8 +- .../service-bus/namespace/queue/main.bicep | 6 +- modules/service-bus/namespace/queue/main.json | 14 +- .../namespace/tests/e2e/encr/main.test.bicep | 12 +- modules/service-bus/namespace/topic/README.md | 8 +- .../service-bus/namespace/topic/main.bicep | 6 +- modules/service-bus/namespace/topic/main.json | 14 +- modules/service-fabric/cluster/README.md | 48 +++--- modules/service-fabric/cluster/main.bicep | 6 +- modules/service-fabric/cluster/main.json | 8 +- .../cluster/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/signal-r-service/signal-r/README.md | 12 +- modules/signal-r-service/signal-r/main.bicep | 8 +- modules/signal-r-service/signal-r/main.json | 10 +- .../signal-r-service/web-pub-sub/README.md | 12 +- .../signal-r-service/web-pub-sub/main.bicep | 8 +- .../signal-r-service/web-pub-sub/main.json | 10 +- modules/sql/managed-instance/README.md | 48 +++--- modules/sql/managed-instance/main.bicep | 6 +- modules/sql/managed-instance/main.json | 8 +- 
.../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/sql/server/README.md | 52 +++--- modules/sql/server/main.bicep | 8 +- modules/sql/server/main.json | 10 +- .../sql/server/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/storage/storage-account/README.md | 148 ++++++++++++++---- .../blob-service/container/README.md | 8 +- .../blob-service/container/main.bicep | 6 +- .../blob-service/container/main.json | 8 +- .../file-service/share/README.md | 8 +- .../file-service/share/main.bicep | 6 +- .../file-service/share/main.json | 8 +- modules/storage/storage-account/main.bicep | 8 +- modules/storage/storage-account/main.json | 40 ++--- .../queue-service/queue/README.md | 8 +- .../queue-service/queue/main.bicep | 6 +- .../queue-service/queue/main.json | 8 +- .../tests/e2e/max/main.test.bicep | 48 +++++- .../tests/e2e/nfs/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/synapse/private-link-hub/README.md | 12 +- modules/synapse/private-link-hub/main.bicep | 8 +- modules/synapse/private-link-hub/main.json | 10 +- modules/synapse/workspace/README.md | 52 +++--- modules/synapse/workspace/main.bicep | 8 +- modules/synapse/workspace/main.json | 10 +- .../workspace/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - .../image-template/README.md | 48 +++--- .../image-template/main.bicep | 6 +- .../image-template/main.json | 10 +- .../tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/web/connection/README.md | 48 +++--- modules/web/connection/main.bicep | 6 +- modules/web/connection/main.json | 8 +- .../connection/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/web/hosting-environment/README.md | 56 ++++++- modules/web/hosting-environment/main.bicep | 6 +- modules/web/hosting-environment/main.json | 8 +- 
.../tests/e2e/asev2/main.test.bicep | 12 +- .../tests/e2e/asev3/main.test.bicep | 12 +- modules/web/serverfarm/README.md | 48 +++--- modules/web/serverfarm/main.bicep | 6 +- modules/web/serverfarm/main.json | 8 +- .../serverfarm/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - modules/web/site/README.md | 60 +++++-- modules/web/site/main.bicep | 8 +- modules/web/site/main.json | 20 +-- modules/web/site/slot/README.md | 12 +- modules/web/site/slot/main.bicep | 8 +- modules/web/site/slot/main.json | 10 +- .../e2e/functionAppCommon/main.test.bicep | 12 +- .../tests/e2e/webAppCommon/main.test.bicep | 12 +- modules/web/static-site/README.md | 52 +++--- modules/web/static-site/main.bicep | 8 +- modules/web/static-site/main.json | 10 +- .../static-site/tests/e2e/max/main.test.bicep | 12 +- .../tests/e2e/waf-aligned/main.test.bicep | 7 - 473 files changed, 4392 insertions(+), 3114 deletions(-) diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 673231c2f7..a62f0857f9 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md 
@@ -323,7 +323,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { | [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. | | [`ntlmV1`](#parameter-ntlmv1) | string | The value is to enable clients making request using NTLM v1. | | [`replicaSets`](#parameter-replicasets) | array | Additional replica set for the managed domain. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The name of the SKU specific to Azure ADDS Services. | | [`syncNtlmPasswords`](#parameter-syncntlmpasswords) | string | The value is to enable synchronized users to use NTLM authentication. | | [`syncOnPremPasswords`](#parameter-synconprempasswords) | string | The value is to enable on-premises users to authenticate against managed domain. | @@ -628,7 +628,7 @@ Additional replica set for the managed domain. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -641,7 +641,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -689,7 +689,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index 206efc45d4..5fd0a7a9fb 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep 
@@ -127,7 +127,7 @@ param enableDefaultTelemetry bool = true
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 var builtInRoleNames = {
@@ -213,7 +213,7 @@ resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
 resource domainService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(domainService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
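Review bot: The new `roleDefinitionId` fallback in `domainService_roleAssignments` treats any value that is neither a `builtInRoleNames` key nor contains `/providers/Microsoft.Authorization/roleDefinitions/` as a role definition GUID at subscription scope, so a misspelled display name (e.g. `'Readers'`) is no longer passed through unchanged but wrapped by `subscriptionResourceId(...)` into an ID that does not exist, and the mistake only surfaces as an ARM error at deployment time; the identical expression is added to `service_roleAssignments` in modules/api-management/service/main.bicep and is compiled into both main.json files. A one-line comment above the ternary would make the three-way resolution and the subscription-scope assumption explicit, e.g. `// built-in display name -> full ID; a value containing the roleDefinitions segment is used as-is (any scope); anything else is treated as a role definition GUID at subscription scope`. Separately, the unchanged `name: guid(domainService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input, so the same role supplied as display name, GUID or full ID yields different deployment names for one scope/principal/role triple, which ARM would reject as an already existing role assignment; hashing the resolved ID instead would keep the three accepted forms idempotent. The resource definition closes outside the hunk.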
@@ -249,7 +249,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index 6e3976bfcc..d0510c3e8a 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10052117540394396974" + "version": "0.23.1.45101", + "templateHash": "1250805842529058137" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -411,7 +411,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -518,7 +518,7 @@ "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.AAD/domainServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index c35c2a2be3..88a08b2384 100644 --- a/modules/analysis-services/server/README.md 
+++ b/modules/analysis-services/server/README.md @@ -136,7 +136,17 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuCapacity: 1 @@ -217,7 +227,17 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -294,13 +314,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuCapacity: 1 skuName: 'S0' tags: { @@ -374,15 +387,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuCapacity": { "value": 1 }, 
@@ -421,7 +425,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { | [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuCapacity`](#parameter-skucapacity) | int | The total number of query replica scale-out instances. | | [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -609,7 +613,7 @@ The name of the Azure Analysis Services server to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -622,7 +626,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -670,7 +674,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep index c0e59767e5..fe7c530a48 100644 --- a/modules/analysis-services/server/main.bicep +++ b/modules/analysis-services/server/main.bicep 
@@ -32,7 +32,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -148,7 +148,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json index cb62fdcfee..b5a8657aef 100644 --- a/modules/analysis-services/server/main.json +++ b/modules/analysis-services/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11444956126966610005" + "templateHash": "16473107761572219540" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.", 
@@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -270,7 +270,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { diff --git a/modules/analysis-services/server/tests/e2e/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep index 95d51e6ea4..93bfb2efaa 100644 --- a/modules/analysis-services/server/tests/e2e/max/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/max/main.test.bicep 
@@ -85,7 +85,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
index e5705e2cbf..705eaf124d 100644
--- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep
@@ -83,13 +83,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 enablePowerBIService: true
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 diagnosticSettings: [
 {
 name: 'customSetting'
diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md
index aa9604ceea..fd30fb48ed 100644
--- a/modules/api-management/service/README.md
+++ b/modules/api-management/service/README.md
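Review bot: The `max` test now grants the test identity `Owner` as its display-name example, and because this file is the source of the generated README usage snippets (the README hunks in this commit mirror the same three entries), the example every consumer copies now shows the highest-privilege built-in role where `Reader` was used before; any other low-privilege name present in the module's `builtInRoleNames` map would exercise the name-resolution path equally well. The third entry, `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')`, is rendered as `roleDefinitionIdOrName: ''` in the generated README, so the documented example does not actually show the fully-qualified-ID form it is meant to demonstrate; a comment on that entry such as `// fully qualified role definition ID form` would at least label it in the test. The same triplet is added to modules/api-management/service/tests/e2e/max/main.test.bicep. The enclosing `testDeployment` module declaration starts and ends outside the hunk.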
@@ -250,7 +250,17 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] subscriptions: [ @@ -447,7 +457,17 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -616,13 +636,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { subscriptionRequired: false } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] subscriptions: [ { name: 'testArmSubscriptionAllApis' @@ -812,15 +825,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "subscriptions": { "value": [ { 
@@ -882,7 +886,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`portalsettings`](#parameter-portalsettings) | array | Portal settings. | | [`products`](#parameter-products) | array | Products. | | [`restore`](#parameter-restore) | bool | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The pricing tier of this API Management service. | | [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. | | [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | @@ -1233,7 +1237,7 @@ Undelete API Management Service if it was previously soft-deleted. If this flag ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1246,7 +1250,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1294,7 +1298,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index c71fd923f4..9e8142b83f 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep 
@@ -51,7 +51,7 @@ param publisherName string
 @description('Optional. Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.')
 param restore bool = false
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. The pricing tier of this API Management service.')
@@ -430,7 +430,7 @@ resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
 resource service_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -477,7 +477,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json index 4331c55f43..bb97234fb2 100644 --- a/modules/api-management/service/main.json +++ b/modules/api-management/service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12034021056308380039" + "templateHash": "12791748357960289440" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -346,7 +346,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "sku": { 
@@ -605,7 +605,7 @@ "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ApiManagement/service', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep index 609d61a44b..5a03a93afb 100644 
--- a/modules/api-management/service/tests/e2e/max/main.test.bicep
+++ b/modules/api-management/service/tests/e2e/max/main.test.bicep
@@ -194,7 +194,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep
index a722f02c9d..497fa84bc5 100644
--- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep
@@ -192,13 +192,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 subscriptionRequired: false
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 subscriptions: [
 {
 name: 'testArmSubscriptionAllApis'
diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md
index 1913e261cd..990cfe2b51 100644
--- a/modules/app-configuration/configuration-store/README.md
+++ b/modules/app-configuration/configuration-store/README.md
@@ -129,7 +129,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeleteRetentionInDays: 1 @@ -206,7 +216,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -289,7 +309,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeleteRetentionInDays: 1 @@ -382,7 +412,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -562,13 +602,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] softDeleteRetentionInDays: 1 tags: { Environment: 'Non-Prod' @@ -654,15 +687,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "softDeleteRetentionInDays": { "value": 1 }, 
@@ -705,7 +729,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Pricing tier of App Configuration. | | [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -995,7 +1019,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1147,7 +1171,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1190,7 +1214,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1203,7 +1227,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1251,7 +1275,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 68dd210d37..f4bc48c14c 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep 
@@ -56,7 +56,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -188,7 +188,7 @@ resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticSet resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
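Review bot: The new fallback in the `roleDefinitionId` expression classifies the input with a substring test, `contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')`, and ARM's `contains` on strings is documented as case-sensitive, while the built-in name lookup beside it (`contains(builtInRoleNames, ...)`) is an object-key check that ARM treats case-insensitively, so the two branches disagree on casing. A fully qualified ID written as `/providers/microsoft.authorization/roledefinitions/<guid>` (ARM itself accepts either casing for resource IDs, as far as I know) would fall through to the third branch and be wrapped again by `subscriptionResourceId(...)`, yielding a malformed ID and a deployment failure instead of the assignment the caller asked for. Suggest normalising before the check: `contains(toLower(roleAssignment.roleDefinitionIdOrName), '/providers/microsoft.authorization/roledefinitions/')`. The resource body continues outside this hunk.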
@@ -259,7 +259,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -336,7 +336,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index f3f2d4fd17..8356549175 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "75945570727927214" + "templateHash": "1035721071234192840" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -546,7 +546,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -701,7 +701,7 @@ "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep index df73c1e7d6..8c676e3be7 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep @@ -75,7 +75,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep index f3f76a3b95..a3bba846cd 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep 
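Review bot: The first entry is raised from `'Reader'` to `'Owner'`, which grants the test's managed identity full control of the store (Owner includes the right to delegate access) although the entry only needs to exercise the display-name branch of the resolver, and any name present in the module's `builtInRoleNames` map does that. Presumably `'Reader'` could not stay because the third entry now assigns Reader by its fully qualified ID and the module derives the assignment name from the raw input, so the same role in two spellings would collide on one scope/principal/role; if so, a narrower built-in name that differs from Contributor (`b24988ac-…`) and Reader (`acdd72a7-…`) would serve, and the constraint deserves recording, e.g. `// three distinct roles on purpose: the module hashes the raw roleDefinitionIdOrName into the assignment name`. The `testDeployment` module declaration starts before this hunk.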
@@ -104,7 +104,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep index d5aa0ab214..11ffe42dcc 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -102,13 +102,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] softDeleteRetentionInDays: 1 managedIdentities: { systemAssigned: true diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index a5789ffb6c..6f88154a11 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md 
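Review bot: The three new entries target three different roles — Owner by name, Contributor by GUID (`b24988ac-…`), Reader by full ID (`acdd72a7-…`) — but nothing in the file says that this is deliberate, and the reason (the module names each assignment from the raw `roleDefinitionIdOrName`, so one role supplied in two forms would become two assignments for the same scope/principal/role pair) is easy to lose on the next edit. Suggest a comment above the array: `// one entry per accepted input form (name / GUID / resource ID); keep the roles distinct, the assignment name is derived from the raw value`. Owner is also more privilege than the name-resolution path needs; a lower-privilege built-in name would exercise it equally. The enclosing `testDeployment` declaration begins outside the hunk.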
@@ -694,7 +694,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -742,7 +742,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index 2ba53033af..939f2bed5c 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep 
@@ -197,7 +197,7 @@ resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp resource containerApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -244,7 +244,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json index 3e89b56a68..151294bb80 100644 --- a/modules/app/container-app/main.json +++ b/modules/app/container-app/main.json 
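Review bot: `name: guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input while the new `roleDefinitionId` expression accepts three spellings of the same role, so `'Reader'`, its GUID and its full resource ID each produce a different assignment name for one (scope, principal, role) triple; I expect Azure to reject the second assignment for an identical triple under a new name (RoleAssignmentExists), so a consumer who merely switches spelling between deployments gets a failure rather than an update. Hashing the resolved ID instead would remove the collision but also renames every existing consumer's assignments, which is a breaking change to weigh separately; at minimum the behaviour should be stated next to `name`, e.g. `// derived from the raw roleDefinitionIdOrName: the same role in two spellings yields two assignment names, and changing the spelling changes the name`. The resource body continues past the hunk.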
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3901132801605374235" + "templateHash": "3664175856787955387" }, "name": "Container Apps", "description": "This module deploys a Container App.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -457,7 +457,7 @@ "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/app/job/README.md b/modules/app/job/README.md index c1201754ba..cd12e8e51d 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md 
@@ -687,7 +687,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -735,7 +735,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep index ee9795e632..15d8106352 100644 --- a/modules/app/job/main.bicep +++ b/modules/app/job/main.bicep 
@@ -135,7 +135,7 @@ resource containerAppJob_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! resource containerAppJob_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(containerAppJob.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -174,7 +174,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/job/main.json b/modules/app/job/main.json index 47a3c78d1e..2913e527df 100644 --- a/modules/app/job/main.json +++ b/modules/app/job/main.json 
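Review bot: The new description for `roleDefinitionIdOrName` says a bare "role definition GUID" is accepted, but the resolver in this module turns a bare GUID into `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ...)`, i.e. it is resolved against the deployment's subscription; that is right for built-in roles, while a custom role defined elsewhere may need its fully qualified ID to be found. Suggest making the scope explicit in the `@description`: `... the GUID of a built-in role definition (resolved against the deployment subscription), or its fully qualified ID ...`. The README and main.json carry the same sentence and are presumably regenerated from this file, so the wording only needs changing here.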
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1177002150217044728" + "templateHash": "5076851392653441401" }, "name": "Container App Jobs", "description": "This module deploys a Container App Job.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -347,7 +347,7 @@ "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/jobs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index d222427925..913062b3a2 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md 
@@ -313,7 +313,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`logsDestination`](#parameter-logsdestination) | string | Logs destination. | | [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | Managed environment SKU. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | 
@@ -450,7 +450,7 @@ An IP address from the IP range defined by "platformReservedCidr" that will be r ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -463,7 +463,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -511,7 +511,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index 12fc9772c4..f3905ce986 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep @@ -14,7 +14,7 @@ param location string = resourceGroup().location @description('Optional. Tags of the resource.') param tags object? -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @allowed([ 
@@ -135,7 +135,7 @@ resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { resource managedEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(managedEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -180,7 +180,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json index cd7af31c94..ba37943c32 100644 --- a/modules/app/managed-environment/main.json +++ b/modules/app/managed-environment/main.json 
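Review bot: The fully-qualified-ID branch of the new `roleDefinitionId` expression is a substring test, `contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')`, and ARM's `contains` compares strings case-sensitively, so an ID supplied as `/providers/microsoft.authorization/roledefinitions/...` falls through to the `subscriptionResourceId(...)` branch and is wrapped into a malformed role definition ID that only fails at deployment time. Normalising the check, e.g. `contains(toLower(roleAssignment.roleDefinitionIdOrName), '/providers/microsoft.authorization/roledefinitions/')`, keeps the ID path robust against the casing the caller happens to use. The GUID branch also resolves only against the current subscription, so a custom role defined at a management group or in another subscription can be referenced solely by its fully-qualified ID; the `@description` on `roleDefinitionIdOrName` in the `roleAssignmentType` hunk should state that, since readers will otherwise assume any role GUID works. The same resolution expression is repeated in the automation-account and redis-enterprise `main.bicep` hunks below and the remark applies there as well.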
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17510800738142190994" + "templateHash": "15830956831455159038" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -135,7 +135,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "skuName": { 
@@ -334,7 +334,7 @@ "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/managedEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 11b5cc06c2..fb894b62e8 100644 --- a/modules/automation/automation-account/README.md 
+++ b/modules/automation/automation-account/README.md @@ -252,7 +252,17 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] runbooks: [ @@ -484,7 +494,17 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -704,13 +724,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] runbooks: [ { description: 'Test runbook' @@ -935,15 +948,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "runbooks": { "value": [ { 
@@ -1097,7 +1101,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`runbooks`](#parameter-runbooks) | array | List of runbooks to be created in the automation account. | | [`schedules`](#parameter-schedules) | array | List of schedules to be created in the automation account. | | [`skuName`](#parameter-skuname) | string | SKU name of the account. | 
@@ -1390,7 +1394,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1542,7 +1546,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1585,7 +1589,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1598,7 +1602,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1646,7 +1650,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index c7c66989e5..a2dfa7b527 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep 
@@ -65,7 +65,7 @@ param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the Automation Account resource.') @@ -361,7 +361,7 @@ module automationAccount_privateEndpoints '../../network/private-endpoint/main.b resource automationAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(automationAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -408,7 +408,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -485,7 +485,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index db9ba071f1..369cf74eb5 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3971272162822794152" + "templateHash": "15622091278066868534" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -273,7 +273,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -573,7 +573,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -719,7 +719,7 @@ "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/automation/automation-account/tests/e2e/max/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep index 4a97bffb39..b77d8bbd82 100644 
--- a/modules/automation/automation-account/tests/e2e/max/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/max/main.test.bicep @@ -137,7 +137,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep index f024413f06..e4d4913905 100644 --- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -135,13 +135,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] runbooks: [ { description: 'Test runbook' diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 0c37755f50..e818d8120c 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md 
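Review bot: The first entry of the `max` test now grants `'Owner'` to the test managed identity, and this test appears to be the source of the generated README usage example, so the documented sample moves from a read-only role to one that can itself assign roles on the resource. Exercising the name-lookup path does not need that; any non-administrative built-in from the module's `builtInRoleNames` map, distinct from the roles already covered by the GUID and fully-qualified-ID entries (the Contributor and Reader built-in GUIDs, respectively), demonstrates all three input forms at lower privilege. The third entry's `subscriptionResourceId(...)` expression also seems to be rendered as `roleDefinitionIdOrName: ''` in the README hunks above, a placeholder a reader may copy verbatim; a comment on that line, `// fully-qualified ID form; shown as '' in the generated README`, would make the intent visible. The enclosing `testDeployment` module block starts before the hunk.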
@@ -277,7 +277,17 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -378,7 +388,17 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -467,13 +487,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'Redis Cache Enterprise' @@ -567,15 +580,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", 
@@ -613,7 +617,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | The type of Redis Enterprise Cluster to deploy. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, the cluster will be deployed across availability zones. | 
@@ -801,7 +805,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -953,7 +957,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -981,7 +985,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -994,7 +998,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1042,7 +1046,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index 1be629fba1..cdc3b5a490 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep 
@@ -11,7 +11,7 @@ param name string @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -126,7 +126,7 @@ resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettin resource redisEnterprise_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(redisEnterprise.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -208,7 +208,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -285,7 +285,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index 27f647f9e5..07490f41f9 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9202709558148407604" + "templateHash": "14212744208009857353" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", 
@@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -383,7 +383,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -550,7 +550,7 @@ "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep index 11967b6582..baf56e3e5e 100644 
--- a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep @@ -89,7 +89,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep index e11f40719a..b9030436a7 100644 --- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep @@ -87,13 +87,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] minimumTlsVersion: '1.2' zoneRedundant: true privateEndpoints: [ diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 45e6ec422f..33f02d5c1f 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md 
@@ -473,7 +473,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | [`redisVersion`](#parameter-redisversion) | string | Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). | | [`replicasPerMaster`](#parameter-replicaspermaster) | int | The number of replicas to be created per primary. | | [`replicasPerPrimary`](#parameter-replicasperprimary) | int | The number of replicas to be created per primary. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`shardCount`](#parameter-shardcount) | int | The number of shards to be created on a Premium Cluster Cache. | | [`skuName`](#parameter-skuname) | string | The type of Redis cache to deploy. | | [`staticIP`](#parameter-staticip) | string | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | 
@@ -732,7 +732,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -884,7 +884,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -962,7 +962,7 @@ The number of replicas to be created per primary. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -975,7 +975,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1023,7 +1023,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index bb1d2191e5..4a34e577ce 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep 
@@ -11,7 +11,7 @@ param name string
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
@@ -201,7 +201,7 @@ resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05
 resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -281,7 +281,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -358,7 +358,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index f05edb97ec..90b5617b8a 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7671125906841819197" + "templateHash": "10455754336377427456" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -432,7 +432,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -707,7 +707,7 @@ "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cache/redis', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 47cbe6ed82..81efa1a9e1 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md 
@@ -105,7 +105,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] ruleSets: [ @@ -221,7 +231,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -315,7 +335,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -394,7 +424,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] } 
@@ -459,13 +499,6 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { name: 'myCustomLockName' } originResponseTimeoutSeconds: 60 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] } } ``` @@ -536,15 +569,6 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { }, "originResponseTimeoutSeconds": { "value": 60 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] } } } @@ -581,7 +605,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`originResponseTimeoutSeconds`](#parameter-originresponsetimeoutseconds) | int | Send and receive timeout on forwarding request to the origin. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. | | [`secrets`](#parameter-secrets) | array | Array of secret objects. | | [`tags`](#parameter-tags) | object | Endpoint tags. | 
@@ -677,7 +701,7 @@ Array of origin group objects. Required if the afdEndpoints is specified. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -690,7 +714,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -738,7 +762,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index 30ce9173c1..dd7abe44db 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep @@ -56,7 +56,7 @@ param tags object? @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') 
@@ -112,7 +112,7 @@ resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 resource profile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(profile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -238,7 +238,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json
index e8a03d38c8..3b9850f2ef 100644
--- a/modules/cdn/profile/main.json
+++ b/modules/cdn/profile/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17584746093289526242" + "templateHash": "9196888550176341860" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -212,7 +212,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -289,7 +289,7 @@ "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cdn/profiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cdn/profile/tests/e2e/afd/main.test.bicep b/modules/cdn/profile/tests/e2e/afd/main.test.bicep index 9d3e21d539..e9e3864bf9 100644 --- a/modules/cdn/profile/tests/e2e/afd/main.test.bicep 
+++ b/modules/cdn/profile/tests/e2e/afd/main.test.bicep @@ -60,7 +60,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' enableDefaultTelemetry: enableDefaultTelemetry roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cdn/profile/tests/e2e/max/main.test.bicep b/modules/cdn/profile/tests/e2e/max/main.test.bicep index fb18eefa09..85bf8f601d 100644 --- a/modules/cdn/profile/tests/e2e/max/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/max/main.test.bicep @@ -93,7 +93,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep index 00e2285b20..af0c232249 100644 
--- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep @@ -91,12 +91,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' originGroups: [] geoFilters: [] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index b78be7385e..7eb1754df5 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -104,7 +104,17 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -150,7 +160,17 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -190,13 +210,6 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { name: 'myCustomLockName' } proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -235,15 +248,6 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "proximityPlacementGroupResourceId": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -277,7 +281,7 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { | [`platformFaultDomainCount`](#parameter-platformfaultdomaincount) | int | The number of fault domains to use. | | [`platformUpdateDomainCount`](#parameter-platformupdatedomaincount) | int | The number of update domains to use. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | @@ -351,7 +355,7 @@ Resource ID of a proximity placement group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -364,7 +368,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -412,7 +416,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep index d48a10bd65..e7365a0176 100644 --- a/modules/compute/availability-set/main.bicep +++ b/modules/compute/availability-set/main.bicep @@ -23,7 +23,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') 
@@ -81,7 +81,7 @@ resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!
 resource availabilitySet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(availabilitySet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -117,7 +117,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json
index b95d3d6e5b..1785fba305 100644
--- a/modules/compute/availability-set/main.json
+++ b/modules/compute/availability-set/main.json
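Review bot: The new fallback on the `roleDefinitionId` line routes any value that is neither a key of `builtInRoleNames` nor a string containing `/providers/Microsoft.Authorization/roleDefinitions/` through `subscriptionResourceId(...)` with no check that it is actually a GUID, so a mistyped display name (constructed example: `'Contributer'`) or an empty string no longer shows up as an obviously wrong ID at authoring time but becomes a well-formed subscription-scoped path that only fails at deployment with a less direct error; the README examples regenerated in this commit already print `roleDefinitionIdOrName: ''` for the third sample entry. I would put a comment above the line spelling out the resolution order, e.g. `// Resolve in order: built-in role display name -> fully-qualified role definition ID -> bare role definition GUID (assumed to be resolvable at subscription scope)`, and, if the Bicep version in use supports it on user-defined type properties, a `@minLength(1)` guard on `roleDefinitionIdOrName` in the type below. Note also that the context line `name: guid(...)` keys on the raw string, so the same role supplied once by name and once by GUID yields two differently named assignments that resolve to the same `roleDefinitionId`, which I would expect the service to reject as a duplicate — worth a sentence in the type's description. The same line is changed in the compute/disk-encryption-set main.bicep hunk further down; the resource declaration continues past the hunk.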
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10273034762819706688" + "templateHash": "5227518019590396567" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -156,7 +156,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -237,7 +237,7 @@ "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/availabilitySets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/availability-set/tests/e2e/max/main.test.bicep b/modules/compute/availability-set/tests/e2e/max/main.test.bicep index 1241842e7b..af84f42458 100644 
--- a/modules/compute/availability-set/tests/e2e/max/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/max/main.test.bicep
@@ -61,7 +61,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
index 7a305c8119..6aff4b922e 100644
--- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep
@@ -59,13 +59,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 name: 'myCustomLockName'
 }
 proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md
index 024684795c..48783288cd 100644
--- a/modules/compute/disk-encryption-set/README.md
+++ b/modules/compute/disk-encryption-set/README.md @@ -58,7 +58,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -109,7 +119,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -159,7 +179,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -215,7 +245,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -261,13 +301,6 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -316,15 +349,6 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -361,7 +385,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`location`](#parameter-location) | string | Resource location. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. | 
@@ -486,7 +510,7 @@ The name of the disk encryption set that is being created. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -499,7 +523,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -547,7 +571,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index 0a96eb063a..c31fc9e4b7 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep @@ -38,7 +38,7 @@ param managedIdentities managedIdentitiesType = { systemAssigned: true } -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the disk encryption resource.') 
@@ -125,7 +125,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
 resource diskEncryptionSet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(diskEncryptionSet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -187,7 +187,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json
index d55eee6014..dbd6c27c6b 100644
--- a/modules/compute/disk-encryption-set/main.json
+++ b/modules/compute/disk-encryption-set/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2310785535465824906" + "templateHash": "3002808940290583221" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", @@ -68,7 +68,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -203,7 +203,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -304,7 +304,7 @@ "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep index f494661b94..c7ca375354 100644 
--- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep
@@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
index b71ed7a6ec..23cb40bc46 100644
--- a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep
@@ -66,7 +66,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
index c49b0266d2..f27ccfe1eb 100644
--- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep
@@ -64,13 +64,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 keyName: nestedDependencies.outputs.keyName
 keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 managedIdentities: {
 userAssignedResourceIds: [
 nestedDependencies.outputs.managedIdentityResourceId
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md
index a2b245fd26..feef599a20 100644
--- a/modules/compute/disk/README.md
+++ b/modules/compute/disk/README.md
@@ -109,7 +109,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -155,7 +165,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -193,7 +213,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sourceUri: '' @@ -238,7 +268,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -294,7 +334,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -358,7 +408,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -404,13 +464,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { logicalSectorSize: 512 osType: 'Windows' publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -467,15 +520,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "publicNetworkAccess": { "value": "Enabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -529,7 +573,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { | [`optimizedForFrequentAttach`](#parameter-optimizedforfrequentattach) | bool | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. | | [`osType`](#parameter-ostype) | string | Sources of a disk creation. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Policy for controlling export on the disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityDataUri`](#parameter-securitydatauri) | string | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. | | [`sourceResourceId`](#parameter-sourceresourceid) | string | If create option is Copy, this is the ARM ID of the source snapshot or disk. | | [`sourceUri`](#parameter-sourceuri) | string | If create option is Import, this is the URI of a blob to be imported into a managed disk. | 
@@ -750,7 +794,7 @@ Policy for controlling export on the disk. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -763,7 +807,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -811,7 +855,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: Yes
 - Type: string
diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep
index b81bda894c..7989977bb4 100644
--- a/modules/compute/disk/main.bicep
+++ b/modules/compute/disk/main.bicep
@@ -121,7 +121,7 @@ param acceleratedNetwork bool = false
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the availability set resource.')
@@ -205,7 +205,7 @@ resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 resource disk_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(disk.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -241,7 +241,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json
index efff55288f..37e7361de7 100644
--- a/modules/compute/disk/main.json
+++ b/modules/compute/disk/main.json
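Review bot: The new third branch of `roleDefinitionId` in `disk_roleAssignments` treats every value that is neither a key of `builtInRoleNames` nor a string containing `/providers/Microsoft.Authorization/roleDefinitions/` as a role definition GUID at subscription scope, so a misspelled display name such as 'Readr' is no longer passed through as-is but becomes `/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/Readr`, and the deployment error then points at a malformed resource ID rather than at the unknown name; the updated `@description` on `roleAssignmentType.roleDefinitionIdOrName` should say that only the display names present in the module's `builtInRoleNames` map are resolved, not any display name. The `name: guid(disk.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` seed still uses the raw input, so the same role given as a name on one deployment and as its GUID or full ID on the next yields a differently named assignment for an identical principal/role/scope triple, which I would expect ARM to reject as a duplicate; the description should also say the chosen form has to stay stable across deployments. Suggested text: `@description('Required. The role to assign. Provide one of the built-in role display names known to this module, a role definition GUID (resolved at subscription scope), or a fully qualified role definition resource ID. Keep the same form across deployments, because the value seeds the assignment name.')`. The identical expression is added to gallery/application, gallery/image and gallery main.bicep; `builtInRoleNames` itself is defined outside the hunk.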
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13415296044159532527" + "templateHash": "8419179965275134660" }, "name": "Compute Disks", "description": "This module deploys a Compute Disk", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -325,7 +325,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -430,7 +430,7 @@ "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/disks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/disk/tests/e2e/image/main.test.bicep b/modules/compute/disk/tests/e2e/image/main.test.bicep index 7b49045a5d..67fd259073 100644 --- a/modules/compute/disk/tests/e2e/image/main.test.bicep 
+++ b/modules/compute/disk/tests/e2e/image/main.test.bicep
@@ -54,7 +54,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/disk/tests/e2e/import/main.test.bicep b/modules/compute/disk/tests/e2e/import/main.test.bicep
index e343bbfbdc..0622d78455 100644
--- a/modules/compute/disk/tests/e2e/import/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/import/main.test.bicep
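Review bot: The two new entries `roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'` and `roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` are bare GUIDs, so a reviewer cannot see what privilege the test identity is granted without looking them up; a trailing comment naming the role (these look like the built-in Contributor and Reader definitions) such as `// Contributor, by role definition GUID` and `// Reader, by fully qualified resource ID` would make the fixture self-explanatory. The first entry also moves from 'Reader' to 'Owner', so every e2e run now grants the test managed identity Owner on the disk; if the purpose is only to exercise the three accepted input forms, a low-privilege role name keeps the fixture least-privilege, and if Owner is needed a comment should say why. The rendered README examples in this commit show `roleDefinitionIdOrName: ''` for the resource-ID entry, presumably because the readme generator blanks out the expression, so the published example no longer demonstrates that form. The same fixture is repeated in the disk import and max tests and in the gallery max test; the `testDeployment` module starts outside the hunk.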
@@ -57,7 +57,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 createOption: 'Import'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/disk/tests/e2e/max/main.test.bicep b/modules/compute/disk/tests/e2e/max/main.test.bicep
index cd544f46b9..25ab818edd 100644
--- a/modules/compute/disk/tests/e2e/max/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/max/main.test.bicep
@@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 publicNetworkAccess: 'Enabled'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
index 0b70c6e0b5..e22035fb5e 100644
--- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep
@@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 logicalSectorSize: 512
 osType: 'Windows'
 publicNetworkAccess: 'Enabled'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md
index 5d352f0fb3..478eaa6765 100644
--- a/modules/compute/gallery/README.md
+++ b/modules/compute/gallery/README.md
@@ -222,7 +222,17 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -386,7 +396,17 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -542,13 +562,6 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -705,15 +718,6 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {
 "name": "myCustomLockName"
 }
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep
index f1cf6372c2..dcb745225b 100644
--- a/modules/compute/gallery/application/main.bicep
+++ b/modules/compute/gallery/application/main.bicep
@@ -90,7 +90,7 @@ resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = {
 resource application_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(application.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json
index ffc09df846..173a43d0c8 100644
--- a/modules/compute/gallery/application/main.json
+++ b/modules/compute/gallery/application/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4468420728204112478" + "version": "0.23.1.45101", + "templateHash": "13733131047823769084" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", 
@@ -235,7 +235,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep index 3f5a724b3c..a922e5e74b 100644 
--- a/modules/compute/gallery/image/main.bicep
+++ b/modules/compute/gallery/image/main.bicep
@@ -213,7 +213,7 @@ resource image 'Microsoft.Compute/galleries/images@2022-03-03' = {
 resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json
index 9c37688f70..966b22684c 100644
--- a/modules/compute/gallery/image/main.json
+++ b/modules/compute/gallery/image/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "12640831453229356933"
+ "version": "0.23.1.45101",
+ "templateHash": "17846161223611480196"
 },
 "name": "Compute Galleries Image Definitions",
 "description": "This module deploys an Azure Compute Gallery Image Definition.",
@@ -396,7 +396,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep index 5d9a951fa4..54aaf1e3f9 100644 
--- a/modules/compute/gallery/main.bicep
+++ b/modules/compute/gallery/main.bicep
@@ -75,7 +75,7 @@ resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 resource gallery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(gallery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json
index 988b6b53a7..44e5d0a6f9 100644
--- a/modules/compute/gallery/main.json
+++ b/modules/compute/gallery/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8907363611903070816"
+ "templateHash": "15313131097423380423"
 },
 "name": "Azure Compute Galleries",
 "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).",
@@ -229,7 +229,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -284,7 +284,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8232745966352037801" + "templateHash": "13733131047823769084" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", 
@@ -513,7 +513,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -618,7 +618,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3383509605637851908" + "templateHash": "17846161223611480196" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", 
@@ -1008,7 +1008,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/compute/gallery/tests/e2e/max/main.test.bicep b/modules/compute/gallery/tests/e2e/max/main.test.bicep
index efc7e9a946..2562a048e5 100644
--- a/modules/compute/gallery/tests/e2e/max/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/max/main.test.bicep
@@ -176,7 +176,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
index c519821e4f..7d759c2f2a 100644
--- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep
@@ -174,13 +174,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 sku: '20_04-lts-gen2'
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md
index f642c6f3c1..8b7d4eb4db 100644
--- a/modules/compute/image/README.md
+++ b/modules/compute/image/README.md
@@ -57,7 +57,17 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -119,7 +129,17 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -165,13 +185,6 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { enableDefaultTelemetry: '' hyperVGeneration: 'V1' osState: 'Generalized' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' tagA: 'You\'re it' @@ -226,15 +239,6 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { "osState": { "value": "Generalized" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", 
@@ -278,7 +282,7 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { | [`osAccountType`](#parameter-osaccounttype) | string | Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. | | [`osDiskCaching`](#parameter-osdiskcaching) | string | Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. | | [`osState`](#parameter-osstate) | string | The OS State. For managed images, use Generalized. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`snapshotResourceId`](#parameter-snapshotresourceid) | string | The snapshot resource ID. | | [`sourceVirtualMachineResourceId`](#parameter-sourcevirtualmachineresourceid) | string | The source virtual machine from which Image is created. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -386,7 +390,7 @@ This property allows you to specify the type of the OS that is included in the d ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -399,7 +403,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -447,7 +451,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep index f83ef220ab..20e3e6ea11 100644 --- a/modules/compute/image/main.bicep +++ b/modules/compute/image/main.bicep @@ -26,7 +26,7 @@ param zoneResilient bool = false @description('Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2.') param hyperVGeneration string = 'V1' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -120,7 +120,7 @@ resource image 'Microsoft.Compute/images@2022-11-01' = {
 resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -147,7 +147,7 @@ output location string = image.location
 // =============== //
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json
index d559e8bc9b..b3099a9dec 100644
--- a/modules/compute/image/main.json
+++ b/modules/compute/image/main.json
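Review bot: The `name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` line two above the change still seeds the assignment GUID with the raw input, while `roleDefinitionId` is now resolved three different ways, so the same role expressed as display name, GUID or full resource ID produces three different assignment names for one (principal, role, scope). A consumer who switches forms between deployments keeps the old assignment (incremental mode does not remove it) and, as far as I know, has the new one rejected by ARM as an already-existing assignment, which is both a failed deploy and a stale grant left behind. Resolving the role once in a variable and seeding the name with the resolved ID for the GUID form fixes this without touching existing deployments: display names keep their historical seed, and for full IDs the resolved value equals the raw input anyway. The `image_roleAssignments` resource continues past the hunk (scope and remaining properties are not visible), so the sketch below stops at `properties`.
```bicep
// Resolve each entry once so the assignment name and roleDefinitionId derive from the same value.
var formattedRoleAssignments = [for roleAssignment in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
})]

resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in formattedRoleAssignments: {
  // Built-in display names keep their historical seed so existing assignment names stay stable; every other form is seeded with the resolved ID.
  name: guid(image.id, roleAssignment.principalId, contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? roleAssignment.roleDefinitionIdOrName : roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType and the rest of the resource, outside this hunk …
```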
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18345867974770384550" + "templateHash": "6473488393825855372" }, "name": "Images", "description": "This module deploys a Compute Image.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -135,7 +135,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -274,7 +274,7 @@ "scope": "[format('Microsoft.Compute/images/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/images', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/image/tests/e2e/max/main.test.bicep b/modules/compute/image/tests/e2e/max/main.test.bicep index e4da6461c2..4ef529aeea 100644 --- a/modules/compute/image/tests/e2e/max/main.test.bicep 
+++ b/modules/compute/image/tests/e2e/max/main.test.bicep
@@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 hyperVGeneration: 'V1'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
index 8403077e92..ee4dfe3db0 100644
--- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep
@@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 osDiskCaching: 'ReadWrite'
 osType: 'Windows'
 hyperVGeneration: 'V1'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 zoneResilient: true
 diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId
 osState: 'Generalized'
diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md
index a5861c05f9..b78e4a52f2 100644
--- a/modules/compute/proximity-placement-group/README.md
+++ b/modules/compute/proximity-placement-group/README.md
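Review bot: The third added entry builds its full ID with `subscriptionResourceId(...)`, so the only "fully qualified ID" form the max test exercises is the subscription-scoped one, while the parameter description this commit writes in `main.bicep` advertises the tenant-level `/providers/Microsoft.Authorization/roleDefinitions/<guid>` form; both satisfy the substring check, but the documented form is the one left untested. Swapping this entry to `roleDefinitionIdOrName: tenantResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` would exercise exactly what the docs promise. Separately, the first entry now grants `Owner` to the test identity where `'Reader'` would prove the display-name path just as well, and these values are mirrored into the README examples in this commit. The enclosing `testDeployment` module starts and ends outside the hunk.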
@@ -115,7 +115,17 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -178,7 +188,17 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -237,13 +257,6 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' TagA: 'Would you kindly...' @@ -299,15 +312,6 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", 
@@ -348,7 +352,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro | [`intent`](#parameter-intent) | object | Specifies the user intent of the proximity placement group. | | [`location`](#parameter-location) | string | Resource location. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the proximity placement group resource. | | [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | | [`zones`](#parameter-zones) | array | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | @@ -416,7 +420,7 @@ The name of the proximity placement group that is being created. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -429,7 +433,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -477,7 +481,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep index f2f76a2216..45047683d4 100644 --- a/modules/compute/proximity-placement-group/main.bicep +++ b/modules/compute/proximity-placement-group/main.bicep 
@@ -18,7 +18,7 @@ param location string = resourceGroup().location
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the proximity placement group resource.')
@@ -80,7 +80,7 @@ resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01'
 resource proximityPlacementGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(proximityPlacementGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
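Review bot: The full-ID detection on the added `roleDefinitionId` line is a substring test, and to my reading ARM's `contains()` compares strings case-sensitively, so a resource ID written with a lower-cased provider path (`/providers/microsoft.authorization/roledefinitions/...`, which Azure accepts elsewhere) falls through to the `subscriptionResourceId` branch and gets a second `/subscriptions/.../roleDefinitions/` prefix wrapped around it. That fails the deployment with a confusing "role definition does not exist" style error rather than assigning a wrong role, so it is a robustness gap, not a privilege one. Normalising before the test avoids it: `contains(toLower(roleAssignment.roleDefinitionIdOrName), '/providers/microsoft.authorization/roledefinitions/')`. The `proximityPlacementGroup_roleAssignments` resource continues past the end of the hunk.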
@@ -116,7 +116,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index cf403363a2..6d3f4e9580 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2277527270184526895" + "templateHash": "1474026739792714088" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -139,7 +139,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -239,7 +239,7 @@ "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep index c996b25ec1..a0e4f0cbc6 100644 
--- a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep
@@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
index 498ccb1f1d..db7c9800b0 100644
--- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep
@@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 zones: [
 '1'
 ]
diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md
index 05c8624341..5e27d6d457 100644
--- a/modules/compute/virtual-machine-scale-set/README.md
+++ b/modules/compute/virtual-machine-scale-set/README.md
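Review bot: Nothing in the three added entries says why the same identity gets three different roles on one proximity placement group, so the next person to trim the test will not know that each entry exists to exercise a different input form of `roleDefinitionIdOrName` (display name, bare GUID, full resource ID), nor that the roles presumably must differ because a repeated (principal, role, scope) would be rejected as a duplicate assignment. A comment above the first entry, `// one entry per accepted roleDefinitionIdOrName form: display name, bare GUID, full resource ID; roles kept distinct to avoid duplicate-assignment conflicts`, records the intent. Using `'Reader'` rather than `'Owner'` for the display-name entry would do the same job with the least privilege, which matters because the README examples in this commit mirror these values. The enclosing `testDeployment` module starts and ends outside the hunk.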
@@ -1267,7 +1267,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | | [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | | [`scaleInPolicy`](#parameter-scaleinpolicy) | object | Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. | | [`scaleSetFaultDomain`](#parameter-scalesetfaultdomain) | int | Fault Domain count for each placement group. | 
@@ -1808,7 +1808,7 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1821,7 +1821,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1869,7 +1869,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index 977ec6753f..0f845b192c 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep @@ -46,7 +46,7 @@ param adminPassword string = '' @description('Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.') param customData string = '' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Fault Domain count for each placement group.') 
@@ -627,7 +627,7 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 resource vmss_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(vmss.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -674,7 +674,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json
index 1bde1e509e..95643ce69d 100644
--- a/modules/compute/virtual-machine-scale-set/main.json
+++ b/modules/compute/virtual-machine-scale-set/main.json
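Review bot: The added `roleDefinitionId` line is a nested ternary with three resolution branches and no comment, and the fallback branch is the one readers will misjudge: anything that is neither a known display name nor contains the provider path, including a mistyped display name such as `'Readr'`, is silently turned into `/subscriptions/<deployment subscription>/providers/Microsoft.Authorization/roleDefinitions/Readr` and only fails at deployment time with an error that points at a fabricated ID. A comment directly above the line would make that contract explicit: `// Resolve the role: known built-in display name -> mapped ID; anything containing the roleDefinitions provider path -> used as-is; everything else is treated as a role definition GUID in the deployment subscription (a mistyped display name lands here and fails at deploy time)`. The `@description` text in the second hunk describes the same three forms for the type member, so the two stay consistent. The `vmss_roleAssignments` resource continues past the end of the first hunk.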
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13725426990469147977" + "templateHash": "6314533557974797448" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -306,7 +306,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scaleSetFaultDomain": { 
@@ -974,7 +974,7 @@ "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index dfe8bb4ccc..3f0e0fce12 100644 --- a/modules/compute/virtual-machine/README.md 
+++ b/modules/compute/virtual-machine/README.md @@ -271,7 +271,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -578,7 +588,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1164,7 +1184,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -1491,7 +1521,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -1983,7 +2023,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | | [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | | [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | | [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | 
@@ -2509,7 +2549,7 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2522,7 +2562,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -2570,7 +2610,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index a8660a203e..f908e4b473 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep @@ -189,7 +189,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -663,7 +663,7 @@ resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? resource vm_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(vm.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -710,7 +710,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index 601f4cfe90..cb696cbdcc 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10032149803242831111" + "templateHash": "89939038941992549" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -602,7 +602,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -938,7 +938,7 @@ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1001,7 +1001,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10451257297733630828" + "templateHash": "11123708724712871468" } }, "definitions": { 
@@ -1144,7 +1144,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1251,7 +1251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep index 3126ee1dfb..a7e44aaf79 100644 --- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep +++ b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep 
@@ -15,7 +15,7 @@ param lock lockType @description('Optional. The diagnostic settings of the Network Interface.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var enableReferencedModulesTelemetry = false @@ -124,7 +124,7 @@ type diagnosticSettingType = { }[]? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep index a0562afb0a..b4b5e7ba57 100644 --- a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep 
@@ -281,7 +281,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep index e095862d0d..7bc8a2c00f 100644 --- a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep @@ -302,7 +302,17 @@ module testDeployment '../../../main.bicep' = { proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 9d068e56b9..546708177b 100644 --- a/modules/container-registry/registry/README.md 
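Review bot: The third entry `roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` is an expression, and the regenerated usage examples in compute/virtual-machine/README.md in this same commit render it as `roleDefinitionIdOrName: ''`, so the published sample now shows an empty role that the module would wrap into an invalid ID. A literal in the tenant-level format the new description advertises, `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'`, would exercise the documented form and give the README a meaningful example, assuming the generator copies string literals through as it does for 'Owner'. The first entry also grants Owner to the test managed identity at VM scope; a less privileged built-in role that still differs from the other two entries would cover the name-resolution path with less standing privilege in the test subscription. The windows test (hunk at 302) has the same three entries. The testDeployment module block continues outside the hunk.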
+++ b/modules/container-registry/registry/README.md @@ -261,7 +261,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeletePolicyDays: 7 @@ -396,7 +406,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -602,13 +622,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { name: '' } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] softDeletePolicyDays: 7 softDeletePolicyStatus: 'disabled' tags: { @@ -736,15 +749,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "softDeletePolicyDays": { "value": 7 }, 
@@ -811,7 +815,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`replications`](#parameter-replications) | array | All replications to create. | | [`retentionPolicyDays`](#parameter-retentionpolicydays) | int | The number of days to retain an untagged manifest after which it gets purged. | | [`retentionPolicyStatus`](#parameter-retentionpolicystatus) | string | The value that indicates whether the retention policy is enabled or not. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. | | [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -1175,7 +1179,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1327,7 +1331,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1412,7 +1416,7 @@ The value that indicates whether the retention policy is enabled or not. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1425,7 +1429,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1473,7 +1477,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index adb6b45d84..ff38067ac0 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep 
@@ -13,7 +13,7 @@ param acrAdminUserEnabled bool = false @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tier of your Azure container registry.') @@ -326,7 +326,7 @@ resource registry_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021 resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(registry.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -400,7 +400,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -477,7 +477,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index 40951db6fa..39a04d3a66 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "601165591390231173" + "templateHash": "6862455028328660677" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -467,7 +467,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "acrSku": { 
@@ -847,7 +847,7 @@ "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/container-registry/registry/tests/e2e/max/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep index d846a7b696..767cc9ee2e 100644 
--- a/modules/container-registry/registry/tests/e2e/max/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/max/main.test.bicep
@@ -124,7 +124,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep
index f0bf4552b3..7f6dd675d7 100644
--- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep
@@ -122,13 +122,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 name: nestedDependencies.outputs.pairedRegionName
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 managedIdentities: {
 systemAssigned: true
 userAssignedResourceIds: [
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index fe444ca1da..dd804e181f 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
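Review bot: The first entry of the max test now grants `Owner` to the test managed identity, a role that includes the right to create further role assignments, while the previous `Reader` exercised exactly the same `builtInRoleNames` lookup. Three distinct roles are needed so the three assignments do not collide, but all three can be read-only built-ins: keep `'Reader'` for the display-name form and choose two other low-privilege definitions for the GUID and full-ID forms. The same three entries are added in the managed-cluster azure and kubenet tests. Separately, the README usage examples generated from these tests appear to render the `subscriptionResourceId(...)` entry as `roleDefinitionIdOrName: ''`, which a reader may copy verbatim; worth checking how the example generator treats expression values.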
@@ -21,7 +21,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster. | `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | ## Usage examples @@ -234,7 +234,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -501,7 +511,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -701,7 +721,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -838,7 +868,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -1230,7 +1270,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`podIdentityProfileUserAssignedIdentities`](#parameter-podidentityprofileuserassignedidentities) | array | The pod identities to use in the cluster. | | [`podIdentityProfileUserAssignedIdentityExceptions`](#parameter-podidentityprofileuserassignedidentityexceptions) | array | The pod identity exceptions to allow. | | [`privateDNSZone`](#parameter-privatednszone) | string | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceCidr`](#parameter-servicecidr) | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | | [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. - Free or Standard. | | [`sshPublicKey`](#parameter-sshpublickey) | string | Specifies the SSH RSA public key string for the Linux nodes. | 
@@ -2116,7 +2156,7 @@ Private DNS Zone configuration. Set to 'system' and AKS will create a private DN ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2129,7 +2169,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -2177,7 +2217,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 304a5c48e6..bd9f8294c5 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -323,7 +323,7 @@ param monitoringWorkspaceId string = '' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') 
@@ -683,7 +683,7 @@ resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSetting
 resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(managedCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -765,7 +765,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index e6da45a8e2..ae0399022d 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4013697482173328246" + "templateHash": "8572950365871080651" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -923,7 +923,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { 
@@ -1249,7 +1249,7 @@ "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -1804,7 +1804,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18265527122738367400" + "templateHash": "548642834195454661" }, "name": "Kubernetes Configuration Extensions", "description": "This module deploys a Kubernetes Configuration Extension.", @@ -1967,7 +1967,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8985718648814286209" + "templateHash": "10031296768791737313" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", @@ -2023,9 +2023,8 @@ }, "kustomizations": { "type": "object", - "defaultValue": {}, "metadata": { - "description": "Optional. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." + "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." } }, "namespace": { @@ -2079,14 +2078,14 @@ }, { "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2022-03-01", + "apiVersion": "2023-05-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[parameters('name')]", "properties": { "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[if(not(empty(parameters('kustomizations'))), parameters('kustomizations'), createObject())]", + "kustomizations": "[parameters('kustomizations')]", "namespace": "[parameters('namespace')]", "scope": "[parameters('scope')]", "sourceKind": "[parameters('sourceKind')]", 
diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
index 32f8c42ed3..c5cc686316 100644
--- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
@@ -200,7 +200,17 @@ module testDeployment '../../../main.bicep' = {
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
index 9c91011d20..cede954b18 100644
--- a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep
@@ -151,7 +151,17 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md
index 400baf8e89..c04ef52978 100644
--- a/modules/data-factory/factory/README.md
+++ b/modules/data-factory/factory/README.md
@@ -181,7 +181,17 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -313,7 +323,17 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -423,13 +443,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -554,15 +567,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -611,7 +615,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `customerManagedKey` 
@@ -955,7 +959,7 @@ Configuration Details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1107,7 +1111,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1150,7 +1154,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1163,7 +1167,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1211,7 +1215,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index d6c26ec855..f0718db857 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep 
@@ -70,7 +70,7 @@ param privateEndpoints privateEndpointType
 @description('Optional. The customer managed key definition.')
 param customerManagedKey customerManagedKeyType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
@@ -216,7 +216,7 @@ resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2
 resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -287,7 +287,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -364,7 +364,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index e57d5fc9a6..2c237602dc 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1174493614082908540" + "templateHash": "13040115678809105758" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -591,7 +591,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -732,7 +732,7 @@ "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DataFactory/factories', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/data-factory/factory/tests/e2e/max/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep index a04cfe8f10..7134060c90 100644 
--- a/modules/data-factory/factory/tests/e2e/max/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/max/main.test.bicep @@ -142,7 +142,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 28b941a4e4..1a7cb59527 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -140,13 +140,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { systemAssigned: true userAssignedResourceIds: [ diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index a7771b8b43..6ade55fb30 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md 
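Review bot: The first new entry grants `Owner` to the test managed identity, which is broader than the `Reader` it replaces and is also what the regenerated README samples now show as the first example for users to copy; Owner can create further role assignments, so a reused or leaked test identity has a wider blast radius than the test needs. The GUID and full-ID entries below already cover Contributor and Reader by their well-known IDs, so any other lower-privileged key of `builtInRoleNames` (assuming the map has more entries than those) would exercise the display-name branch with the same coverage and no duplicate-assignment conflict. The same choice appears in the backup-vault and databricks/access-connector max tests. The `testDeployment` module block this hunk edits starts and ends outside the hunk.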
@@ -171,7 +171,17 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -286,7 +296,17 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -391,13 +411,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { managedIdentities: { systemAssigned: true } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -505,15 +518,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "systemAssigned": true } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -549,7 +553,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | | [`type`](#parameter-type) | string | The vault redundancy level to use. | @@ -664,7 +668,7 @@ Name of the Backup Vault. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -677,7 +681,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -725,7 +729,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index 942fbcfb34..f337814938 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep 
@@ -11,7 +11,7 @@ param enableDefaultTelemetry bool = true @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -128,7 +128,7 @@ resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt resource backupVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(backupVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -172,7 +172,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 8b0c13673f..487583bb38 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8279564580875716128" + "templateHash": "11737453267233569722" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", @@ -59,7 +59,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -142,7 +142,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { 
@@ -297,7 +297,7 @@ "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep index 4d25b7b7c4..588b2e0c20 100644 
--- a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep @@ -55,7 +55,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: '${namePrefix}${serviceShort}001' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep index 8d44a80490..1bcb119964 100644 --- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep @@ -53,13 +53,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' managedIdentities: { systemAssigned: true diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 56b4202f0c..02ebe4193a 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md 
@@ -110,7 +110,17 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -164,7 +174,17 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -210,13 +230,6 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -263,15 +276,6 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -303,7 +307,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -381,7 +385,7 @@ The name of the Azure Databricks access connector to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -394,7 +398,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -442,7 +446,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index 6a680d39ce..53ba92c2c2 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep 
@@ -11,7 +11,7 @@ param tags object? @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -70,7 +70,7 @@ resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! resource accessConnector_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(accessConnector.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -117,7 +117,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index fbb23e6cc8..dce724ef4b 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6639727250601518153" + "templateHash": "3245638906962144809" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -152,7 +152,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { 
@@ -234,7 +234,7 @@ "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep index 268b24f056..586cd17f0c 100644 
--- a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep @@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index bf7405d2c9..64b4f1b6ab 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.managedIdentityResourceId ] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index fcb2e26a86..a41556f10d 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md 
@@ -160,7 +160,17 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuName: 'premium' @@ -298,7 +308,17 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -402,13 +422,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { publicNetworkAccess: 'Disabled' requiredNsgRules: 'NoAzureDatabricksRules' requireInfrastructureEncryption: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuName: 'premium' storageAccountName: 'sadwwaf001' storageAccountSkuName: 'Standard_ZRS' @@ -539,15 +552,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "requireInfrastructureEncryption": { "value": true }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuName": { "value": "premium" }, 
@@ -608,7 +612,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. |
 | [`requiredNsgRules`](#parameter-requirednsgrules) | string | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. |
 | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`skuName`](#parameter-skuname) | string | The pricing tier of workspace. |
 | [`storageAccountName`](#parameter-storageaccountname) | string | Default DBFS storage account name. |
 | [`storageAccountSkuName`](#parameter-storageaccountskuname) | string | Storage account SKU name. |
@@ -939,7 +943,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -1091,7 +1095,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1161,7 +1165,7 @@ A boolean indicating whether or not the DBFS root file system will be enabled wi ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1174,7 +1178,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1222,7 +1226,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index 524ab6c616..0d7e6cdb19 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep 
@@ -19,7 +19,7 @@ param skuName string = 'premium' @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The diagnostic settings of the service.') @@ -273,7 +273,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
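Review bot: The new fallback in `roleDefinitionId` treats any value that is neither a key of `builtInRoleNames` nor contains '/providers/Microsoft.Authorization/roleDefinitions/' as a bare role definition GUID and wraps it in `subscriptionResourceId(...)`, so a mistyped display name no longer surfaces as an unresolved role but as a well-formed, subscription-scoped ID that presumably only fails at deployment time, and nothing in the hunk documents this three-way precedence. I would add above the `roleDefinitionId:` line `// Resolve in order: built-in role display name, then a fully-qualified role definition ID (passed through unchanged), otherwise the value is treated as a role definition GUID scoped to the deployment subscription` and state in the `roleAssignmentType` description that bare GUIDs are resolved against the deployment subscription. Note also that `name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the raw input, so the same role given once by name and once by GUID yields two differently named assignments for one (scope, principal, role) tuple, which I would expect to conflict at deployment. The identical change and the same documentation gap apply to `flexibleServer_roleAssignments` in modules/db-for-my-sql/flexible-server/main.bicep and modules/db-for-postgre-sql/flexible-server/main.bicep; the `workspace_roleAssignments` resource continues past the end of the hunk.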
@@ -333,7 +333,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -410,7 +410,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 390fcb0f0c..47a19aa465 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "450554632364437388" + "templateHash": "17678709403904494263" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", 
@@ -46,7 +46,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -251,7 +251,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -475,7 +475,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "diagnosticSettings": {
@@ -777,7 +777,7 @@
 "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Databricks/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/databricks/workspace/tests/e2e/max/main.test.bicep b/modules/databricks/workspace/tests/e2e/max/main.test.bicep
index 00f1d84997..5656e772da 100644
--- a/modules/databricks/workspace/tests/e2e/max/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/max/main.test.bicep @@ -103,7 +103,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep index 537323ad34..66928e1121 100644 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -101,13 +101,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index e23b4de351..4d655aab35 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md 
@@ -160,7 +160,17 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] storageAutoGrow: 'Enabled' @@ -273,7 +283,17 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -1044,7 +1064,7 @@ Array of role assignment objects that contain the "roleDefinitionIdOrName" and " | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1092,7 +1112,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index dc99f1c7e9..d89c29094a 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep 
@@ -284,7 +284,7 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -384,7 +384,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index a4ccada7bc..5d63ee48ca 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json 
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "4826973555855760872"
+ "templateHash": "13509958318011769977"
 },
 "name": "DBforMySQL Flexible Servers",
 "description": "This module deploys a DBforMySQL Flexible Server.",
@@ -61,7 +61,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -698,7 +698,7 @@
 "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
index e5203d967c..46a67b9445 100644
--- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep @@ -76,7 +76,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index bfa29ed68f..30ebf9dba0 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md 
@@ -543,7 +543,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0
 | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". |
 | [`passwordAuth`](#parameter-passwordauth) | string | If Enabled, password authentication is enabled. |
 | [`privateDnsZoneArmResourceId`](#parameter-privatednszonearmresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`tenantId`](#parameter-tenantid) | string | Tenant id of the server. |
@@ -939,7 +939,7 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -952,7 +952,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1000,7 +1000,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index e1731b412a..c6d1b75d5c 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -143,7 +143,7 @@ param configurations array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -261,7 +261,7 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -379,7 +379,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index 6a905a8e17..25dcb199a2 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13706520211272319877" + "templateHash": "10058986332950368920" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -506,7 +506,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -655,7 +655,7 @@ "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 22947a3ef1..0c3b211b08 100644 
--- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -145,7 +145,17 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -234,7 +244,17 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -305,13 +325,6 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -393,15 +406,6 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index 390e74da2f..55bd2d0ee3 100644 --- a/modules/desktop-virtualization/application-group/main.bicep 
+++ b/modules/desktop-virtualization/application-group/main.bicep @@ -143,7 +143,7 @@ module appGroup_applications 'application/main.bicep' = [for (application, index resource appGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index 50f7154d0c..f94e06adf4 100644 --- a/modules/desktop-virtualization/application-group/main.json +++ b/modules/desktop-virtualization/application-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10392643216669479103" + "templateHash": "1467950374107623921" }, "name": "Azure Virtual Desktop (AVD) Application Groups", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", 
@@ -385,7 +385,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep
index 49d1fc5088..3529748317 100644
--- a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep
@@ -106,7 +106,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep
index a5bb068c02..8bfb658ff8 100644
--- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep
@@ -104,13 +104,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
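Review bot: The max test now grants `Owner` to the test managed identity where `Reader` was used before, and because the README usage examples in this commit are generated from these test files, `roleDefinitionIdOrName: 'Owner'` becomes the first sample users copy. The three resolution paths (built-in name, bare GUID, full resource ID) can be exercised just as well with low-privilege roles, e.g. `roleDefinitionIdOrName: 'Reader'` for the name path, which keeps the published example least-privilege. The generated README also appears to render the `subscriptionResourceId(...)` entry as `roleDefinitionIdOrName: ''` (see the application-group README hunk), which is not a usable example; a literal full ID string would survive generation. The same changes are made in the host-pool, scaling-plan and workspace max tests further down and the comment applies to them too.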
diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 37af321393..5e3c70c4fb 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -135,7 +135,17 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -245,7 +255,17 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -337,13 +357,6 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { } maxSessionLimit: 99999 personalDesktopAssignmentType: 'Automatic' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -446,15 +459,6 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "personalDesktopAssignmentType": { "value": "Automatic" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 228901fa8d..1af44b1e15 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep @@ -249,7 +249,7 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021 resource hostPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index 9d02aba679..3e319b32f0 100644 --- a/modules/desktop-virtualization/host-pool/main.json +++ b/modules/desktop-virtualization/host-pool/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14800561756618420199" + "templateHash": "14589445999747413105" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", 
@@ -583,7 +583,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep index b014dcfb07..07996d49e3 100644 
--- a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep
@@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 personalDesktopAssignmentType: 'Automatic'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
index eb8918d929..05123d5d47 100644
--- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep
@@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 maxSessionLimit: 99999
 personalDesktopAssignmentType: 'Automatic'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 vmTemplate: {
 customImageId: null
 domain: 'domainname.onmicrosoft.com'
diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md
index 96f2d667e4..6511a66cc7 100644
--- a/modules/desktop-virtualization/scaling-plan/README.md
+++ b/modules/desktop-virtualization/scaling-plan/README.md
@@ -111,7 +111,17 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] schedules: [ @@ -208,7 +218,17 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -297,13 +317,6 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' enableDefaultTelemetry: '' friendlyName: 'My Scaling Plan' hostPoolType: 'Pooled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] schedules: [ { daysOfWeek: [ @@ -393,15 +406,6 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' "hostPoolType": { "value": "Pooled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "schedules": { "value": [ { diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep index 1f9734fb0a..69551d44a8 100644 --- a/modules/desktop-virtualization/scaling-plan/main.bicep +++ b/modules/desktop-virtualization/scaling-plan/main.bicep 
@@ -155,7 +155,7 @@ resource scalingPlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2 resource scalingplan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index aee281bcd0..8a5a0b2063 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16044277949435808798" + "templateHash": "16049673590929985376" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", 
@@ -387,7 +387,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep
index 9f93f1cae3..73f13bcc7f 100644
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep
@@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 name: '${namePrefix}${serviceShort}001'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
index 4e2ea6cc47..5eedc422fe 100644
--- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep
@@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '${namePrefix}${serviceShort}001'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 diagnosticSettings: [
 {
 name: 'customSetting'
diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 641cdb7674..f363e71c1c 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -119,7 +119,17 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -187,7 +197,17 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -241,13 +261,6 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -308,15 +321,6 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index 36963fc0af..418a5c72d4 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep @@ -108,7 +108,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index 3f354c8932..dab0738414 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2244374453334498480" + "templateHash": "13505731187520194526" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", 
@@ -357,7 +357,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep index 92de7edff9..7e08439b65 100644 
--- a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep
@@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
index 4de3839aa1..78a62c1b38 100644
--- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -86,13 +86,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index 6970eecd5d..b062197091 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -247,7 +247,17 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] schedules: [ @@ -532,7 +542,17 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -785,13 +805,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { } ] premiumDataDisks: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] schedules: [ { dailyRecurrence: { @@ -1069,15 +1082,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "premiumDataDisks": { "value": "Enabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "schedules": { "value": [ { 
@@ -1464,7 +1468,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1512,7 +1516,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index 784eb271af..75e9e340d9 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep 
@@ -292,7 +292,7 @@ module lab_costs 'cost/main.bicep' = if (!empty(costs)) { resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -339,7 +339,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index 049a0fad52..a5bb38da18 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json 
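Review bot: The new `roleDefinitionId` expression decides between "already a full ID" and "bare GUID" with `contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')`, which as far as I recall is a case-sensitive substring test, so a full ID supplied in different casing (ARM compares resource IDs case-insensitively and tooling often emits them lowercase) misses the match, is wrapped in `subscriptionResourceId(...)`, and produces a malformed ID that only fails at deployment; comparing lowercased values, `contains(toLower(roleAssignment.roleDefinitionIdOrName), '/providers/microsoft.authorization/roledefinitions/')`, closes that gap. The same fallthrough treats any unrecognised role name as a GUID, so a typo in the name is no longer distinguishable from a bad GUID in the resulting error, which is worth a comment on the expression. Separately, `name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input, so 'Reader', its GUID and its full ID yield three different assignment names for one (scope, principal, role) tuple; ARM does not allow two assignments for the same tuple regardless of name, so the second spelling fails as a duplicate rather than being idempotent, and changing the spelling in an existing template attempts a new assignment instead of reusing the old one. Hashing the resolved ID instead would fix that but renames every existing assignment created by this module, so it needs a deliberate migration decision rather than a silent change. The same construct appears in the digital-twins-instance and database-account main.bicep hunks below and in the compiled main.json files.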
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10325694451607731112" + "templateHash": "335466902333101649" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -431,7 +431,7 @@ "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DevTestLab/labs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -484,10 +484,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15407797032940609921" + "templateHash": "2685254804143459925" }, "name": "DevTest Lab Virtual Networks", - "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", + "description": "This module deploys a DevTest Lab Virtual Network.\n\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -657,10 +657,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9914622679648067397" + "templateHash": "5652685942577853564" }, "name": "DevTest Lab Policy Sets Policies", - "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", + "description": "This module deploys a DevTest Lab Policy Sets Policy.\n\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -862,10 +862,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12981849767656574818" + "templateHash": "1015942076148002236" }, "name": "DevTest Lab Schedules", - "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", + "description": "This module deploys a DevTest Lab Schedule.\n\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1086,10 +1086,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18307130406875558192" + "templateHash": "421100563759718119" }, "name": "DevTest Lab Notification Channels", - "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", + "description": "This module deploys a DevTest Lab Notification Channel.\n\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -1270,10 +1270,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2347337632859394324" + "templateHash": "7965418783863447380" }, "name": "DevTest Lab Artifact Sources", - "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", + "description": "This module deploys a DevTest Lab Artifact Source.\n\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1486,10 +1486,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12516166788941938286" + "templateHash": "14581778776350915706" }, "name": "DevTest Lab Costs", - "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", + "description": "This module deploys a DevTest Lab Cost.\n\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", "owner": "Azure/module-maintainers" }, "parameters": { 
diff --git a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep index c93e8c1ec2..21a1faa4f9 100644 --- a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep @@ -68,7 +68,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep index 2fe087e82c..fb32ba4ed3 100644 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -66,13 +66,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'DevTest Lab' diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index a972da2410..b17f411ae0 100644 --- a/modules/digital-twins/digital-twins-instance/README.md 
+++ b/modules/digital-twins/digital-twins-instance/README.md @@ -716,7 +716,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -868,7 +868,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -924,7 +924,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -972,7 +972,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 435fbefba7..d70d7c7c03 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -198,7 +198,7 @@ resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticS resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -248,7 +248,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -325,7 +325,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index 6906b63c09..418e025eaf 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8178960412871211847" + "templateHash": "10882496143186980105" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -590,7 +590,7 @@ "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 2c1640c6c2..d9167cbc22 100644 --- a/modules/document-db/database-account/README.md 
+++ b/modules/document-db/database-account/README.md @@ -139,7 +139,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -269,7 +279,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -519,7 +539,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -780,7 +810,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -846,7 +886,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -919,7 +969,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1001,7 +1061,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sqlDatabases: [ @@ -1170,7 +1240,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -1666,7 +1746,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1818,7 +1898,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1859,7 +1939,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1907,7 +1987,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index c59540db7f..728a5b2274 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -271,7 +271,7 @@ resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettin resource databaseAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
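Review bot: The resolution on the `+` line now accepts a role by display name, bare GUID or full ID, but the context line `name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still seeds the assignment name from the raw input, so one logical assignment spelled two ways (e.g. a name and its GUID) yields two differently named resources for the same principal/role/scope and, presumably, a RoleAssignmentExists conflict at deploy time rather than a deduplicated assignment. Seeding from the resolved ID would avoid that but would rename every existing assignment, so if the current seed is deliberate a comment such as `// name is seeded from the raw input on purpose: changing the seed would recreate existing assignments` would save the next reader the question. The bare-GUID fallback also deserves a line, since it binds the GUID to the deploying subscription: `// a bare GUID is resolved as a role definition of the deploying subscription; custom roles defined elsewhere must be given by full ID`. The same expression is introduced in modules/event-hub/namespace/eventhub/main.bicep and modules/event-hub/namespace/main.bicep further down and the same remarks apply there. The enclosing resource declaration continues past the hunk.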
@@ -374,7 +374,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -451,7 +451,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 5f9de4eea6..2b2a72a670 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6369048122051620701" + "templateHash": "17655203248795781813" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", 
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -273,7 +273,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -759,7 +759,7 @@
 "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
index 44f12410b3..49de1571cd 100644
--- a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
@@ -144,7 +144,17 @@ module testDeployment '../../../main.bicep' = {
 location: location
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
index ddb9ac1a75..6acaad1ecb 100644
--- a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep
@@ -277,7 +277,17 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
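Review bot: The first replacement entry assigns `Owner` to the test managed identity, and the next two assign Contributor (by GUID) and Reader (by full ID), so the e2e deployment now leaves an Owner assignment on the account although the change only needs three distinct roles to exercise the three input forms. Three low-privilege built-in roles would cover the same resolution paths; at minimum `roleDefinitionIdOrName: 'Reader'` could stay in place of `'Owner'`, with the GUID and full-ID entries pointing at other read-only roles so the three entries do not collide on the same role. The README usage examples appear to be generated from these tests, so the `Owner` example also lands in the module docs (see the event-hub namespace README hunk further down), where it will be copied as-is. The same block is added in the mongodb, plain and sqldb test files; the enclosing module declaration starts and ends outside the hunk.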
diff --git a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
index c8dbd06e37..2b71669ee2 100644
--- a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep
@@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = {
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
index aacecc5a6c..843e9e6afe 100644
--- a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
+++ b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep
@@ -108,7 +108,17 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md
index 3fb31b9d56..faca598780 100644
--- a/modules/event-hub/namespace/README.md
+++ b/modules/event-hub/namespace/README.md
@@ -346,7 +346,17 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 skuCapacity: 2
@@ -553,7 +563,17 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -835,13 +855,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 }
 ]
 publicNetworkAccess: 'Disabled'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 skuCapacity: 2
 skuName: 'Standard'
 tags: {
@@ -1041,15 +1054,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 "publicNetworkAccess": {
 "value": "Disabled"
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "skuCapacity": {
 "value": 2
 },
@@ -1104,7 +1108,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`skuCapacity`](#parameter-skucapacity) | int | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. |
 | [`skuName`](#parameter-skuname) | string | event hub plan SKU name. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
@@ -1443,7 +1447,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -1595,7 +1599,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1646,7 +1650,7 @@ Enable infrastructure encryption (double encryption). Note, this setting require ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1659,7 +1663,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1707,7 +1711,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index c07d8cf98d..2b6f569738 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md 
@@ -55,7 +55,7 @@ This module deploys an Event Hub Namespace Event Hub. | [`retentionDescriptionCleanupPolicy`](#parameter-retentiondescriptioncleanuppolicy) | string | Retention cleanup policy. Enumerates the possible values for cleanup policy. | | [`retentionDescriptionRetentionTimeInHours`](#parameter-retentiondescriptionretentiontimeinhours) | int | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. | | [`retentionDescriptionTombstoneRetentionTimeInHours`](#parameter-retentiondescriptiontombstoneretentiontimeinhours) | int | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of the Event Hub. | ### Parameter: `authorizationRules` 
@@ -251,7 +251,7 @@ Retention cleanup policy. Number of hours to retain the tombstone markers of a c ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -264,7 +264,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -312,7 +312,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep index 3c35bc5d6a..1a7b842fb7 100644 --- a/modules/event-hub/namespace/eventhub/main.bicep +++ b/modules/event-hub/namespace/eventhub/main.bicep @@ -54,7 +54,7 @@ param consumergroups array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Name for capture destination.') 
@@ -210,7 +210,7 @@ module eventHub_authorizationRules 'authorization-rule/main.bicep' = [for (autho resource eventHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(eventHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -246,7 +246,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json index 6a49ec7b04..fd2925ece3 100644 --- a/modules/event-hub/namespace/eventhub/main.json +++ b/modules/event-hub/namespace/eventhub/main.json 
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5933888781308133415"
+ "version": "0.23.1.45101",
+ "templateHash": "8940174354642715236"
 },
 "name": "Event Hub Namespace Event Hubs",
 "description": "This module deploys an Event Hub Namespace Event Hub.",
@@ -46,7 +46,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -190,7 +190,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "captureDescriptionDestinationName": {
@@ -395,7 +395,7 @@
 "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -441,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3522913919009222120" + "version": "0.23.1.45101", + "templateHash": "7142673381100704232" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -569,8 +569,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12245634232079362340" + "version": "0.23.1.45101", + "templateHash": "4935957739850887741" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index d2d61ec7e5..15c2d861ac 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -89,7 +89,7 @@ param customerManagedKey customerManagedKeyType @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.') param requireInfrastructureEncryption bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -284,7 +284,7 @@ module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.b resource eventHubNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(eventHubNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -366,7 +366,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') 
@@ -443,7 +443,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
 
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json
index b9126fb393..3850b06fb2 100644
--- a/modules/event-hub/namespace/main.json
+++ b/modules/event-hub/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8197964729486546650"
+ "templateHash": "16593644436338874715"
 },
 "name": "Event Hub Namespaces",
 "description": "This module deploys an Event Hub Namespace.",
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -274,7 +274,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -602,7 +602,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -732,7 +732,7 @@
 "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.EventHub/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -1074,7 +1074,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "303986499638328151"
+ "templateHash": "8940174354642715236"
 },
 "name": "Event Hub Namespace Event Hubs",
 "description": "This module deploys an Event Hub Namespace Event Hub.",
@@ -1114,7 +1114,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -1258,7 +1258,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "captureDescriptionDestinationName": {
@@ -1463,7 +1463,7 @@
 "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
index 488b5ffd14..c909eeb152 100644
--- a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep
@@ -202,7 +202,17 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
index cc44ed4bea..c00b8c1668 100644
--- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -200,13 +200,6 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 managedIdentities: {
 systemAssigned: true
 userAssignedResourceIds: [
diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md
index 79237275b6..6bc9b8f4a7 100644
--- a/modules/health-bot/health-bot/README.md
+++ b/modules/health-bot/health-bot/README.md
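Review bot: The max test now grants the test identity `Owner` on the namespace to cover the display-name branch, which is broader than the test needs: `Owner` can itself write further role assignments, and presumably any other key of `builtInRoleNames` (the previous `'Reader'`) exercises the same lookup path, so the fixture should stay at least privilege. The two GUID entries are opaque to a reader of the test; a short comment naming them would help, e.g. `// Contributor, passed as a bare role definition GUID` above `roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'` and `// Reader, passed as a fully qualified role definition ID` above the `subscriptionResourceId(...)` entry. The health-bot max test hunk later in this patch has the same shape and the same note applies. The enclosing `module testDeployment` block starts and ends outside the hunk.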
@@ -113,7 +113,17 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -166,7 +176,17 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -211,13 +231,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 ''
 ]
 }
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -263,15 +276,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 ]
 }
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
@@ -304,7 +308,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
 ### Parameter: `enableDefaultTelemetry`
@@ -374,7 +378,7 @@ Name of the resource.
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
 
@@ -387,7 +391,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -435,7 +439,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
 
diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep
index a871850e71..bf0e08c90d 100644
--- a/modules/health-bot/health-bot/main.bicep
+++ b/modules/health-bot/health-bot/main.bicep
@@ -22,7 +22,7 @@ param location string = resourceGroup().location
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
@@ -81,7 +81,7 @@ resource healthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(
 resource healthBot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(healthBot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -122,7 +122,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json
index 407ce75492..538d2d760a 100644
--- a/modules/health-bot/health-bot/main.json
+++ b/modules/health-bot/health-bot/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8223277098210162532"
+ "templateHash": "582765600236650029"
 },
 "name": "Azure Health Bots",
 "description": "This module deploys an Azure Health Bot.",
@@ -61,7 +61,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -160,7 +160,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -240,7 +240,7 @@
 "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.HealthBot/healthBots', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
index 95e2fb3513..d5e7889ab8 100644
--- a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep
@@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
index db64640a07..4e5cb79986 100644
--- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep
@@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md
index 157be90d8f..c16881ae98 100644
--- a/modules/healthcare-apis/workspace/README.md
+++ b/modules/healthcare-apis/workspace/README.md
@@ -211,7 +211,17 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -356,7 +366,17 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -489,13 +509,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 name: 'myCustomLockName'
 }
 publicNetworkAccess: 'Enabled'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -633,15 +646,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 "publicNetworkAccess": {
 "value": "Enabled"
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
@@ -676,7 +680,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
 ### Parameter: `dicomservices`
@@ -763,7 +767,7 @@ Control permission for data plane traffic coming from public networks while priv
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
 
@@ -776,7 +780,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -824,7 +828,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
 
diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md
index 812564b302..958af930d2 100644
--- a/modules/healthcare-apis/workspace/fhirservice/README.md
+++ b/modules/healthcare-apis/workspace/fhirservice/README.md
@@ -60,7 +60,7 @@ This module deploys a Healthcare API Workspace FHIR Service.
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. |
 | [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. |
 | [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
@@ -413,7 +413,7 @@ The default value for tracking history across all resources.
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
 
@@ -426,7 +426,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -474,7 +474,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
 
diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep
index 57d17573b7..b41f57a9b9 100644
--- a/modules/healthcare-apis/workspace/fhirservice/main.bicep
+++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep
@@ -75,7 +75,7 @@ param initialImportMode bool = false
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @allowed([
@@ -236,7 +236,7 @@ resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 resource fhir_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -286,7 +286,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index fce246a502..f02cfeeaed 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2224237744308505065" + "templateHash": "13185908730981475512" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -387,7 +387,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "publicNetworkAccess": {
@@ -590,7 +590,7 @@
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep index dae1a76439..dfc7fa3888 100644 --- a/modules/healthcare-apis/workspace/main.bicep +++ b/modules/healthcare-apis/workspace/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @allowed([ @@ -92,7 +92,7 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -204,7 +204,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json index ea29fb1d3f..919958fc5a 100644 --- a/modules/healthcare-apis/workspace/main.json +++ b/modules/healthcare-apis/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "293789912767761082" + "templateHash": "16618408806092022062" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -129,7 +129,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "publicNetworkAccess": {
@@ -247,7 +247,7 @@
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -326,7 +326,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "2224237744308505065"
+ "templateHash": "13185908730981475512"
 },
 "name": "Healthcare API Workspace FHIR Services",
 "description": "This module deploys a Healthcare API Workspace FHIR Service.",
@@ -389,7 +389,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -707,7 +707,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "publicNetworkAccess": {
@@ -910,7 +910,7 @@
 "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep index d60b106eae..3d1bf48e56 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep @@ -155,7 +155,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep index cf7c124a03..bc4990b2d3 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -153,13 +153,6 @@ module testDeployment '../../../main.bicep' = { ] } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 09d6045d46..d6bec73204 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md 
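Review bot: The max test (hunk @@ -155 of healthcare-apis/workspace/tests/e2e/max/main.test.bicep) now grants `'Owner'` to the test managed identity on the workspace; Owner includes the right to create further role assignments at that scope, which is more than an e2e run needs and, in a shared test subscription, widens what a compromised test identity could do. The entry appears to exist only to exercise the display-name branch with a role distinct from the two GUID-form entries, so any lower-privilege name present in the module's `builtInRoleNames` map (not visible in this hunk) would cover the same path. The third entry's `subscriptionResourceId(...)` expression is rendered as `roleDefinitionIdOrName: ''` in the generated README usage example for the activity-log-alert module further down, presumably because the README generator cannot evaluate it, so a reader copying that example would pass an empty string into the new fallback; a literal full ID or a clearly marked placeholder string in the test would avoid that. The same test change is repeated in insights/activity-log-alert/tests/e2e/max/main.test.bicep.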
@@ -86,7 +86,17 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopes: [ @@ -167,7 +177,17 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -244,13 +264,6 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { } ] enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopes: [ '' ] @@ -324,15 +337,6 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopes": { "value": [ "" 
@@ -371,7 +375,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { | [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopes`](#parameter-scopes) | array | The list of resource IDs that this Activity Log Alert is scoped to. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -424,7 +428,7 @@ The name of the alert. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -437,7 +441,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -485,7 +489,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep index 98263ac6db..86c5717716 100644 --- a/modules/insights/activity-log-alert/main.bicep +++ b/modules/insights/activity-log-alert/main.bicep 
@@ -25,7 +25,7 @@ param actions array = [] @description('Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy).') param conditions array -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -79,7 +79,7 @@ resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = { resource activityLogAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(activityLogAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -106,7 +106,7 @@ output location string = activityLogAlert.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json index 34e3b67f45..404dcfedae 100644 --- a/modules/insights/activity-log-alert/main.json +++ b/modules/insights/activity-log-alert/main.json 
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "367673046450488883"
+ "templateHash": "10623125824018281845"
 },
 "name": "Activity Log Alerts",
 "description": "This module deploys an Activity Log Alert.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -133,7 +133,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -213,7 +213,7 @@
 "scope": "[format('Microsoft.Insights/activityLogAlerts/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Insights/activityLogAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep
index f0b393e71e..09f337ec7c 100644
--- a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep @@ -93,7 +93,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep index 4d12202f85..4efeddccfe 100644 --- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep @@ -91,13 +91,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' actionGroupId: nestedDependencies.outputs.actionGroupResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scopes: [ subscription().id ] diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 4b38911013..4f94650da2 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md 
@@ -284,7 +284,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The configuration to set whether network access from public internet to the endpoints are allowed. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | ### Parameter: `enableDefaultTelemetry` @@ -364,7 +364,7 @@ The configuration to set whether network access from public internet to the endp ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -377,7 +377,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -425,7 +425,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep index e6e65306b7..b4f4003adb 100644 --- a/modules/insights/data-collection-endpoint/main.bicep +++ b/modules/insights/data-collection-endpoint/main.bicep 
@@ -25,7 +25,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The configuration to set whether network access from public internet to the endpoints are allowed.') @@ -86,7 +86,7 @@ resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' resource dataCollectionEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(dataCollectionEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
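Review bot: The new `roleDefinitionId` expression in the `@@ -86` hunk treats every value that is neither a known built-in display name nor contains `/providers/Microsoft.Authorization/roleDefinitions/` as a bare role-definition GUID and wraps it in `subscriptionResourceId(...)`, so a misspelled display name no longer passes through unchanged but is silently rewritten into a subscription-scoped resource ID that fails only at deployment time with a less obvious error; the same three-way resolution is repeated in the data-collection-rule, metric-alert and private-link-scope `main.bicep` hunks. Because the `contains` check is a substring match, any string carrying that fragment is also passed through verbatim without further validation, which is acceptable for custom-role IDs but worth stating. The resolution order is not obvious from the single ternary chain, so a comment above the property would help maintainers: `// Resolution order: built-in display name -> full role definition resource ID (passed through) -> bare role definition GUID (assumed subscription-scoped)`. Note also that the resource `name` still hashes the raw `roleDefinitionIdOrName`, so the same role supplied twice in different spellings yields two assignments for the same principal, role and scope, which Azure is expected to reject as a conflict. The `resource ... = [for ...` declaration continues past the end of the hunk.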
@@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json index 99cde4054c..fbababc42e 100644 --- a/modules/insights/data-collection-endpoint/main.json +++ b/modules/insights/data-collection-endpoint/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13482359133825530422" + "templateHash": "15918286561058568413" }, "name": "Data Collection Endpoints", "description": "This module deploys a Data Collection Endpoint.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -146,7 +146,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { 
@@ -229,7 +229,7 @@ "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep index 14cb3af5b9..e5086019f1 100644 
--- a/modules/insights/data-collection-rule/main.bicep
+++ b/modules/insights/data-collection-rule/main.bicep
@@ -100,7 +100,7 @@ resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 resource dataCollectionRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(dataCollectionRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json
index 465b252587..f35574da13 100644
--- a/modules/insights/data-collection-rule/main.json
+++ b/modules/insights/data-collection-rule/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "9197823813224298423"
+ "templateHash": "10935624485627515874"
 },
 "name": "Data Collection Rules",
 "description": "This module deploys a Data Collection Rule.",
@@ -260,7 +260,7 @@ "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 2a8c4ddd54..73bea47720 100644 --- a/modules/insights/metric-alert/README.md 
+++ b/modules/insights/metric-alert/README.md @@ -64,7 +64,17 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -125,7 +135,17 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -184,13 +204,6 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { ] alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -244,15 +257,6 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -305,7 +309,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`evaluationFrequency`](#parameter-evaluationfrequency) | string | how often the metric alert is evaluated represented in ISO 8601 duration format. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopes`](#parameter-scopes) | array | the list of resource IDs that this metric alert is scoped to. | | [`severity`](#parameter-severity) | int | The severity of the alert. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -399,7 +403,7 @@ The name of the alert. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -412,7 +416,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -460,7 +464,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep index 3dad0cc566..9ac5667d66 100644 --- a/modules/insights/metric-alert/main.bicep +++ b/modules/insights/metric-alert/main.bicep 
@@ -75,7 +75,7 @@ param alertCriteriaType string = 'Microsoft.Azure.Monitor.MultipleResourceMultip @description('Required. Criterias to trigger the alert. Array of \'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria\' or \'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria\' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated.') param criterias array -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -134,7 +134,7 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = { resource metricAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(metricAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -161,7 +161,7 @@ output location string = metricAlert.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json index 2db2abd469..bb99105f80 100644 --- a/modules/insights/metric-alert/main.json +++ b/modules/insights/metric-alert/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5346116636281635704" + "templateHash": "3497356791031567888" }, "name": "Metric Alerts", "description": "This module deploys a Metric Alert.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -211,7 +211,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -296,7 +296,7 @@ "scope": "[format('Microsoft.Insights/metricAlerts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/metricAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep index aff5f631ca..ef36753b63 100644 
--- a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep @@ -71,7 +71,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep index edad7e8898..8af9b43124 100644 --- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep @@ -69,13 +69,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.actionGroupResourceId ] alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] targetResourceRegion: 'westeurope' targetResourceType: 'microsoft.compute/virtualmachines' windowSize: 'PT15M' diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 847be38edc..dbe63cc67b 100644 --- a/modules/insights/private-link-scope/README.md 
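Review bot: The three new `roleAssignments` entries in the max test each resolve to a different role (`Owner` by display name, the Contributor GUID `b24988ac-6180-42a0-ab88-20f7382dd24c`, and the Reader definition via `subscriptionResourceId`), so the run exercises all three resolution branches but never the case where one role is given in two spellings, which the `guid(...)`-based resource name would turn into a duplicate assignment. A one-line comment per entry naming the branch it covers, e.g. `// built-in display name`, `// bare role definition GUID`, `// fully qualified role definition ID`, would make the intent of the trio clear to the next reader. The `Owner` assignment is scoped to the metric alert resource only, which is presumably why it is acceptable in a test deployment; a comment saying so would avoid the question being raised again. The `module testDeployment` declaration starts and ends outside the hunk.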
+++ b/modules/insights/private-link-scope/README.md @@ -113,7 +113,17 @@ This instance deploys the module with most of its features enabled. { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopedResources: [ @@ -171,7 +181,17 @@ This instance deploys the module with most of its features enabled. { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -226,13 +246,6 @@ This instance deploys the module in alignment with the best-practices of the Azu } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopedResources: [ { linkedResourceId: '' @@ -283,15 +296,6 @@ This instance deploys the module in alignment with the best-practices of the Azu } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopedResources": { "value": [ { 
@@ -331,7 +335,7 @@ This instance deploys the module in alignment with the best-practices of the Azu | [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | | [`tags`](#parameter-tags) | object | Resource tags. | 
@@ -402,7 +406,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -554,7 +558,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -582,7 +586,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -595,7 +599,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -643,7 +647,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep index 1a4c327c37..aff38da1dd 100644 --- a/modules/insights/private-link-scope/main.bicep +++ b/modules/insights/private-link-scope/main.bicep 
@@ -12,7 +12,7 @@ param location string = 'global' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for Azure Monitor Resources.') @@ -102,7 +102,7 @@ module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bi resource privateLinkScope_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(privateLinkScope.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -138,7 +138,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -215,7 +215,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index 36e1148e6e..826cdce33e 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2298112212939244874" + "templateHash": "3912801049685613645" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", 
@@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -304,7 +304,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scopedResources": { 
@@ -392,7 +392,7 @@ "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", "name": "[guid(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep index dc9ca75fdc..917468f472 100644 
--- a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep @@ -76,7 +76,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep index c18ef415f3..8fa06958a0 100644 --- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -74,13 +74,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index c243ee7cbb..ea540474e8 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md 
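Review bot: The display-name example in the max test now grants `Owner` to the test identity (`roleDefinitionIdOrName: 'Owner'`), where the previous `Reader` exercised the same `builtInRoleNames` lookup. The GUID and resource-ID entries added alongside it already cover the other two branches of the new expression, so the name-based case does not need the most privileged built-in role; keeping `Reader` or another low-privilege name verifies the lookup without handing the test principal Owner on every e2e run. The same change appears in the scheduled-query-rule and machine-learning-services workspace max tests below. The `module testDeployment` invocation continues outside the hunk.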
@@ -83,7 +83,17 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] suppressForMinutes: 'PT5M' @@ -168,7 +178,17 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -243,13 +263,6 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' enableDefaultTelemetry: '' evaluationFrequency: 'PT5M' queryTimeRange: 'PT5M' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] suppressForMinutes: 'PT5M' tags: { Environment: 'Non-Prod' @@ -327,15 +340,6 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' "queryTimeRange": { "value": "PT5M" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "suppressForMinutes": { "value": "PT5M" }, 
@@ -380,7 +384,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' | [`kind`](#parameter-kind) | string | Indicates the type of scheduled query rule. | | [`location`](#parameter-location) | string | Location for all resources. | | [`queryTimeRange`](#parameter-querytimerange) | string | If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`severity`](#parameter-severity) | int | Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. | | [`skipQueryValidation`](#parameter-skipqueryvalidation) | bool | The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. | | [`suppressForMinutes`](#parameter-suppressforminutes) | string | Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. | 
@@ -472,7 +476,7 @@ If specified (in ISO 8601 duration format) then overrides the query time range. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -485,7 +489,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -533,7 +537,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep index 2d4ac0bd58..5a205cd495 100644 --- a/modules/insights/scheduled-query-rule/main.bicep +++ b/modules/insights/scheduled-query-rule/main.bicep @@ -33,7 +33,7 @@ param skipQueryValidation bool = false @description('Optional. List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert.') param targetResourceTypes array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Required. The list of resource IDs that this scheduled query rule is scoped to.') 
@@ -119,7 +119,7 @@ resource queryRule 'Microsoft.Insights/scheduledQueryRules@2021-02-01-preview' = resource queryRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(queryRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -146,7 +146,7 @@ output location string = queryRule.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json index 031154f77b..87d5b4cd95 100644 --- a/modules/insights/scheduled-query-rule/main.json +++ b/modules/insights/scheduled-query-rule/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13321854191011496877" + "templateHash": "12406976097155234839" }, "name": "Scheduled Query Rules", "description": "This module deploys a Scheduled Query Rule.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -150,7 +150,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scopes": { 
@@ -283,7 +283,7 @@ "scope": "[format('Microsoft.Insights/scheduledQueryRules/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep index 703927ec7c..b6aa16ced8 100644 
--- a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep @@ -87,7 +87,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' queryTimeRange: 'PT5M' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep index 3690a19042..3504694196 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep @@ -85,13 +85,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } evaluationFrequency: 'PT5M' queryTimeRange: 'PT5M' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scopes: [ nestedDependencies.outputs.logAnalyticsWorkspaceResourceId ] diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep index 7f464360ba..b5d72e8b02 100644 --- a/modules/insights/webtest/main.bicep +++ b/modules/insights/webtest/main.bicep 
@@ -129,7 +129,7 @@ resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource webtest_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(webtest.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json index 332045650c..5275b0e4c2 100644 --- a/modules/insights/webtest/main.json +++ b/modules/insights/webtest/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8858444279583976442" + "templateHash": "1408808004644515116" }, "name": "Web Tests", "description": "This module deploys a Web Test.", 
@@ -317,7 +317,7 @@ "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/webtests', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 4f79f5409d..cb7a86c358 100644 --- a/modules/machine-learning-services/workspace/README.md 
+++ b/modules/machine-learning-services/workspace/README.md @@ -337,7 +337,17 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -475,7 +485,17 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -585,13 +605,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -722,15 +735,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 6fd6b14e6f..a80c313a99 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep 
@@ -269,7 +269,7 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index beecae4279..10c91f2d3c 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14893819276831488808" + "templateHash": "262742885593710440" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", 
@@ -740,7 +740,7 @@ "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -798,10 +798,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "15942233592020548593"
+ "templateHash": "10790106014691997162"
 },
 "name": "Machine Learning Services Workspaces Computes",
- "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).",
+ "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).",
 "owner": "Azure/module-maintainers"
 },
 "definitions": {
diff --git a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
index ed13d35628..f09fb15a5c 100644
--- a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep
@@ -142,7 +142,17 @@ module testDeployment '../../../main.bicep' = {
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
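Review bot: The third entry, `roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')`, is the full-ID test case, yet the generated README appears to render it as `roleDefinitionIdOrName: ''` (see the maintenance-configuration README hunks further down), so the usage example never shows consumers the fully qualified format the new parameter description advertises. A literal tenant-level path, `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'`, takes the same pass-through branch in main.bicep and would survive README generation intact. Separately, the first entry now grants `Owner` to the test identity where the previous `Reader` was enough to exercise display-name resolution; since these entries seem to become the README examples, a least-privilege built-in role is the better one to advertise. The same applies to the maintenance-configuration and user-assigned-identity max test hunks below. The enclosing `roleAssignments` array opens before the hunk and closes after it.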
diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
index 21ded20172..416696a964 100644
--- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -140,13 +140,6 @@ module testDeployment '../../../main.bicep' = {
 }
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 managedIdentities: {
 systemAssigned: false
 userAssignedResourceIds: [
diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md
index 208ba523f4..52d305a61f 100644
--- a/modules/maintenance/maintenance-configuration/README.md
+++ b/modules/maintenance/maintenance-configuration/README.md
@@ -130,7 +130,17 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -209,7 +219,17 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -278,13 +298,6 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config timeZone: 'W. Europe Standard Time' } namespace: 'mmcwafns' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -356,15 +369,6 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config "namespace": { "value": "mmcwafns" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -403,7 +407,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config | [`maintenanceScope`](#parameter-maintenancescope) | string | Gets or sets maintenanceScope of the configuration. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Definition of a MaintenanceWindow. | | [`namespace`](#parameter-namespace) | string | Gets or sets namespace of the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Gets or sets tags of the resource. | | [`visibility`](#parameter-visibility) | string | Gets or sets the visibility of the configuration. The default value is 'Custom'. | 
@@ -502,7 +506,7 @@ Gets or sets namespace of the resource. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -515,7 +519,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -563,7 +567,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep index d3cf44d377..8a885c291f 100644 --- a/modules/maintenance/maintenance-configuration/main.bicep +++ b/modules/maintenance/maintenance-configuration/main.bicep @@ -38,7 +38,7 @@ param maintenanceWindow object = {} @description('Optional. Gets or sets namespace of the resource.') param namespace string = '' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Gets or sets tags of the resource.') 
@@ -106,7 +106,7 @@ resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01 resource maintenanceConfiguration_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(maintenanceConfiguration.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -146,7 +146,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json index 783f5211ae..4876cc4f59 100644 --- a/modules/maintenance/maintenance-configuration/main.json +++ b/modules/maintenance/maintenance-configuration/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17577108209638713488" + "templateHash": "11566518301977789457" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -171,7 +171,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -265,7 +265,7 @@ "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
index 27067531c7..dc3d91a268 100644
--- a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep
@@ -67,7 +67,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
index 69183f0070..19697a964c 100644
--- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep
@@ -65,13 +65,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 Environment: 'Non-Prod'
 Role: 'DeploymentValidation'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 maintenanceScope: 'InGuestPatch'
 maintenanceWindow: {
 duration: '03:00'
diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md
index c2e921ae09..5cf66b9f42 100644
--- a/modules/managed-identity/user-assigned-identity/README.md
+++ b/modules/managed-identity/user-assigned-identity/README.md
@@ -104,7 +104,17 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -157,7 +167,17 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -204,13 +224,6 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 name: 'myCustomLockName'
 }
 name: 'miuaiwaf001'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 tags: {
 Environment: 'Non-Prod'
 'hidden-title': 'This is visible in the resource name'
@@ -256,15 +269,6 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide
 "name": {
 "value": "miuaiwaf001"
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "tags": {
 "value": {
 "Environment": "Non-Prod",
@@ -291,7 +295,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the User Assigned Identity. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -351,7 +355,7 @@ Name of the User Assigned Identity. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -364,7 +368,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -412,7 +416,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index ff35c43d96..19afb3549c 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep 
@@ -14,7 +14,7 @@ param federatedIdentityCredentials array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -77,7 +77,7 @@ module userMsi_federatedIdentityCredentials 'federated-identity-credential/main. resource userMsi_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(userAssignedIdentity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -119,7 +119,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index c4e94ee69a..b143e7a16b 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5498176834182987595" + "templateHash": "13454855788862691467" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -136,7 +136,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -212,7 +212,7 @@ "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
index 1f0bb1dc8e..f633bc4d28 100644
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep
@@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
index f2ab92ca67..17904d21b4 100644
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
@@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 subject: 'system:serviceaccount:default:workload-identity-sa'
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md
index f80c9ca0cf..934610d17a 100644
--- a/modules/net-app/net-app-account/README.md
+++ b/modules/net-app/net-app-account/README.md
@@ -164,7 +164,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -275,7 +285,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -392,7 +412,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 tags: {
@@ -514,7 +544,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -559,7 +599,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = {
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. |
 | [`tags`](#parameter-tags) | object | Tags for all resources. |
@@ -672,7 +712,7 @@ The name of the NetApp account. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -685,7 +725,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -733,7 +773,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index 376ed58ced..5b2c659aec 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md 
@@ -41,7 +41,7 @@ This module deploys an Azure NetApp Files Capacity Pool. | [`encryptionType`](#parameter-encryptiontype) | string | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | | [`location`](#parameter-location) | string | Location of the pool volume. | | [`qosType`](#parameter-qostype) | string | The qos type of the pool. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. | | [`tags`](#parameter-tags) | object | Tags for all resources. | | [`volumes`](#parameter-volumes) | array | List of volumnes to create in the capacity pool. | @@ -109,7 +109,7 @@ The qos type of the pool. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -122,7 +122,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -170,7 +170,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep index 654d1e8af8..213245ba7e 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/main.bicep 
@@ -39,7 +39,7 @@ param volumes array = []
 @description('Optional. If enabled (true) the pool can contain cool Access enabled volumes.')
 param coolAccess bool = false
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.')
@@ -114,7 +114,7 @@ module capacityPool_volumes 'volume/main.bicep' = [for (volume, index) in volume
 resource capacityPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(capacityPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
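Review bot: The role assignment `name` is still seeded from the raw `roleAssignment.roleDefinitionIdOrName`, while the new `roleDefinitionId` expression resolves a display name, a bare GUID and a full resource ID to the same definition, so one principal and role spelled three ways yields three different deployment names for a single assignment on one scope, and changing the spelling between deployments will presumably be rejected by Azure as a duplicate assignment rather than treated as an update. Seeding the name from the resolved ID (for example by resolving once into a `var` with `map()` over `roleAssignments ?? []` and using that array in both `name` and `roleDefinitionId`) keeps the name stable across spellings. The fallback branch also deserves a comment, since any string that is neither a known name nor contains '/providers/Microsoft.Authorization/roleDefinitions/' is silently turned into a subscription-scoped role definition ID, e.g. `// anything else is treated as a role definition GUID in the current subscription; a misspelled display name only fails at deployment time`. The same expression and naming appear in the volume/main.bicep and main.bicep hunks of this commit; the `capacityPool_roleAssignments` resource literal continues past the end of this hunk.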
@@ -141,7 +141,7 @@ output location string = capacityPool.location
 // =============== //
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json
index 0582a97c81..464a90fcd8 100644
--- a/modules/net-app/net-app-account/capacity-pool/main.json
+++ b/modules/net-app/net-app-account/capacity-pool/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "5973731463189380166"
+ "version": "0.23.1.45101",
+ "templateHash": "15353329491336313807"
 },
 "name": "Azure NetApp Files Capacity Pools",
 "description": "This module deploys an Azure NetApp Files Capacity Pool.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -154,7 +154,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "encryptionType": {
@@ -234,7 +234,7 @@
 "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -298,8 +298,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "15651177191996280153"
+ "version": "0.23.1.45101",
+ "templateHash": "3662331312918191126"
 },
 "name": "Azure NetApp Files Capacity Pool Volumes",
 "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.",
@@ -314,7 +314,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -448,7 +448,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -525,7 +525,7 @@
 "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index ebfb90556a..fd898c8faf 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md @@ -42,7 +42,7 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. | | [`location`](#parameter-location) | string | Location of the pool volume. | | [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. | ### Parameter: `capacityPoolName` @@ -100,7 +100,7 @@ Set of protocol types. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -113,7 +113,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -161,7 +161,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep index 71e47b1ad4..5870382621 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep 
+++ b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep
@@ -38,7 +38,7 @@ param subnetResourceId string
 @description('Optional. Export policy rules.')
 param exportPolicyRules array = []
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -91,7 +91,7 @@ resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-0
 resource volume_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(volume.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -118,7 +118,7 @@ output location string = volume.location
 // =============== //
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.json b/modules/net-app/net-app-account/capacity-pool/volume/main.json
index ac86c91c85..5e0f1b20ef 100644
--- a/modules/net-app/net-app-account/capacity-pool/volume/main.json
+++ b/modules/net-app/net-app-account/capacity-pool/volume/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "15651177191996280153"
+ "version": "0.23.1.45101",
+ "templateHash": "3662331312918191126"
 },
 "name": "Azure NetApp Files Capacity Pool Volumes",
 "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -155,7 +155,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -232,7 +232,7 @@
 "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep
index cdb0ed0768..2fc4c5833d 100644
--- a/modules/net-app/net-app-account/main.bicep
+++ b/modules/net-app/net-app-account/main.bicep
@@ -30,7 +30,7 @@ param capacityPools array = []
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Location for all resources.')
@@ -107,7 +107,7 @@ resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em
 resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(netAppAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -166,7 +166,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json
index 71e7b63ee3..862b3c67db 100644
--- a/modules/net-app/net-app-account/main.json
+++ b/modules/net-app/net-app-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "14030600332300784655"
+ "templateHash": "8081072067801758787"
 },
 "name": "Azure NetApp Files",
 "description": "This module deploys an Azure NetApp File.",
@@ -61,7 +61,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -185,7 +185,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "location": {
@@ -288,7 +288,7 @@
 "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -347,7 +347,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1846961475837822728" + "templateHash": "15353329491336313807" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -362,7 +362,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -495,7 +495,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "encryptionType": { 
@@ -575,7 +575,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -640,7 +640,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3333217353540724741" + "templateHash": "3662331312918191126" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -655,7 +655,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -789,7 +789,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -866,7 +866,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep index e1a7ed7917..dc2b95f9b3 100644 --- a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep +++ b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep @@ -118,7 +118,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep index 4b8bc76afa..a751b084cc 100644 --- a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep +++ b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep 
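Review bot: The two added GUID and resource-ID entries carry no hint of which roles they are, so a reader cannot tell that the fixture deliberately exercises three different roles; a trailing comment on each, `roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor` and `// Reader` on the `acdd72a7-...` entry, plus a line above the array such as `// one entry per accepted input format: built-in name, role definition GUID, fully qualified resource ID`, would document the intent. The fixture now grants Owner to the test managed identity where it previously granted Reader; Owner is the broadest built-in role, and if the purpose of the first entry is only to cover the name-lookup path, a less privileged name would serve equally well. The rendered application-gateway README hunk shows the third entry as `roleDefinitionIdOrName: ''`, which suggests the readme generator cannot render the `subscriptionResourceId(...)` expression, so the published example would resolve to an invalid ID if copied as-is. The same fixture shape appears in the nfs41 and application-gateway max test hunks.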
@@ -124,7 +124,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index e337338c52..3f9491ef5b 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -427,7 +427,17 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'WAF_v2' @@ -906,7 +916,17 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -1357,13 +1377,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'WAF_v2' sslCertificates: [ { @@ -1835,15 +1848,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "WAF_v2" }, @@ -1943,7 +1947,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`redirectConfigurations`](#parameter-redirectconfigurations) | array | Redirect configurations of the application gateway resource. | | [`requestRoutingRules`](#parameter-requestroutingrules) | array | Request routing rules of the application gateway resource. | | [`rewriteRuleSets`](#parameter-rewriterulesets) | array | Rewrite rules for the application gateway resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`routingRules`](#parameter-routingrules) | array | Routing rules of the application gateway resource. | | [`sku`](#parameter-sku) | string | The name of the SKU for the Application Gateway. | | [`sslCertificates`](#parameter-sslcertificates) | array | SSL certificates of the application gateway resource. | 
@@ -2292,7 +2296,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -2444,7 +2448,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -2507,7 +2511,7 @@ Rewrite rules for the application gateway resource. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -2520,7 +2524,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2568,7 +2572,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 99e2acb087..ddcb2e145b 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep 
@@ -195,7 +195,7 @@ var enableReferencedModulesTelemetry = false @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -358,7 +358,7 @@ module applicationGateway_privateEndpoints '../../network/private-endpoint/main. resource applicationGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(applicationGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
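Review bot: The new fallback on the `roleDefinitionId` line treats any value that is neither a known built-in name nor contains `/providers/Microsoft.Authorization/roleDefinitions/` as a GUID, so a misspelled display name is no longer passed through unchanged but silently becomes `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<typo>')` and only fails at deployment time; the `contains(...)` test is also a substring match rather than a prefix or format check, so it accepts any string that merely embeds that path fragment. The `@description` of `roleDefinitionIdOrName` in the type hunk should state this, e.g. append `Any other value is treated as a role definition GUID resolved at subscription scope.`. Separately, the assignment `name` on the unchanged line above is still seeded with the raw input rather than the resolved `roleDefinitionId`, so the same role supplied as 'Reader', as its GUID and as its full resource ID yields three differently named assignments for one (scope, principal, role) triple — presumably rejected by ARM as a duplicate — and a consumer switching an existing parameter from name to GUID changes the deterministic name and creates a second assignment. The same pattern is in the application-security-group main.bicep hunk and in the generated main.json hunks of both modules.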
@@ -399,7 +399,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -476,7 +476,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index 0c9f3e9049..c2301f3546 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17602945870289276113" + "templateHash": "12788892286757802636" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", 
@@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -265,7 +265,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -743,7 +743,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -866,7 +866,7 @@ "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/applicationGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/application-gateway/tests/e2e/max/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep index 895da7a68c..eed5a5bb44 100644 
--- a/modules/network/application-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/max/main.test.bicep @@ -417,7 +417,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep index 52253dd7c9..be6d16d560 100644 --- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -415,13 +415,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] sku: 'WAF_v2' sslCertificates: [ { diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 362a0f108d..fc21701695 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md 
@@ -54,7 +54,17 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -97,7 +107,17 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -136,13 +156,6 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -178,15 +191,6 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -217,7 +221,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -269,7 +273,7 @@ Name of the Application Security Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -282,7 +286,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -330,7 +334,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep index 55bacf2d7e..61539b0fba 100644 --- a/modules/network/application-security-group/main.bicep +++ b/modules/network/application-security-group/main.bicep 
@@ -11,7 +11,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -59,7 +59,7 @@ resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01 resource applicationSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(applicationSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -95,7 +95,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json index 81e7562d2c..96b1855d26 100644 --- a/modules/network/application-security-group/main.json +++ b/modules/network/application-security-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4261949823005751944" + "templateHash": "10321097929330960711" }, "name": "Application Security Groups (ASG)", "description": "This module deploys an Application Security Group (ASG).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -128,7 +128,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -202,7 +202,7 @@ "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/application-security-group/tests/e2e/max/main.test.bicep b/modules/network/application-security-group/tests/e2e/max/main.test.bicep index 1c6db275ed..8adbe4a43e 100644 
--- a/modules/network/application-security-group/tests/e2e/max/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep index 37d595cd4f..b4cec250c2 100644 --- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 1a29630003..ccb0cb3de8 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md 
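Review bot: The max test now grants the 'Owner' role to the test managed identity for the display-name entry; Owner includes the right to manage role assignments at that scope, and any key of `builtInRoleNames` exercises the same branch, so a lower-privileged built-in name (one distinct from the Contributor GUID and the Reader full-ID entries, since the three must resolve to different roles for the same principal) would keep the test's privilege footprint minimal. The three entries do cover all three branches of the new `roleDefinitionId` resolution, which is a good addition. The same change appears in the azure-firewall and bastion-host max tests below.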
@@ -567,7 +567,17 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -720,7 +730,17 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -865,13 +885,6 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { } ] publicIPResourceID: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -1017,15 +1030,6 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "publicIPResourceID": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -1085,7 +1089,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { | [`networkRuleCollections`](#parameter-networkrulecollections) | array | Collection of network rule collections used by Azure Firewall. | | [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. | | [`publicIPResourceID`](#parameter-publicipresourceid) | string | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the Azure Firewall resource. | | [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. | | [`zones`](#parameter-zones) | array | Zone numbers e.g. 1,2,3. | 
@@ -1344,7 +1348,7 @@ The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, the ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1357,7 +1361,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1405,7 +1409,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep index d6e785f395..4e804feab2 100644 --- a/modules/network/azure-firewall/main.bicep +++ b/modules/network/azure-firewall/main.bicep @@ -75,7 +75,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the Azure Firewall resource.') 
@@ -269,7 +269,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings resource azureFirewall_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -320,7 +320,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json index 7d62269841..2b0ceaa962 100644 --- a/modules/network/azure-firewall/main.json +++ b/modules/network/azure-firewall/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13795244529737704006" + "templateHash": "11269425307217554818" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -361,7 +361,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -479,7 +479,7 @@ "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep index 22a9bd66d0..6952eb7b58 100644 
--- a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep @@ -172,7 +172,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep index eb3d525802..12b95314ae 100644 --- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -170,13 +170,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] zones: [ '1' '2' diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 5524340559..583131bb54 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md 
@@ -254,7 +254,17 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scaleUnits: 4 @@ -328,7 +338,17 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -388,13 +408,6 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scaleUnits: 4 skuName: 'Standard' tags: { @@ -461,15 +474,6 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scaleUnits": { "value": 4 }, 
@@ -515,7 +519,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. | | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -718,7 +722,7 @@ Specifies the properties of the Public IP to create and be used by Azure Bastion ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -731,7 +735,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -779,7 +783,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep index 8877a5af1d..6c04ffdd8d 100644 --- a/modules/network/bastion-host/main.bicep +++ b/modules/network/bastion-host/main.bicep 
@@ -50,7 +50,7 @@ param enableShareableLink bool = false @description('Optional. The scale units for the Bastion Host resource.') param scaleUnits int = 2 -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -176,7 +176,7 @@ resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ resource azureBastion_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(azureBastion.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -215,7 +215,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json index e767ea151b..6e0ee971c0 100644 --- a/modules/network/bastion-host/main.json +++ b/modules/network/bastion-host/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18247198571712055537" + "templateHash": "7116007649539447611" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -297,7 +297,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -400,7 +400,7 @@ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/bastionHosts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/bastion-host/tests/e2e/max/main.test.bicep b/modules/network/bastion-host/tests/e2e/max/main.test.bicep index 2623cdb0d2..f7b87a0177 100644 
--- a/modules/network/bastion-host/tests/e2e/max/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/max/main.test.bicep @@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep index c94cc48d12..a8095f58e2 100644 --- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scaleUnits: 4 skuName: 'Standard' tags: { diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 0a82054e08..583e7a2350 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md 
@@ -103,7 +103,17 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -146,7 +156,17 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -185,13 +205,6 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -227,15 +240,6 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -266,7 +270,7 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -318,7 +322,7 @@ Name of the DDoS protection plan to assign the VNET to. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -331,7 +335,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -379,7 +383,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep index 71111c0e8f..3f9b8b415d 100644 --- a/modules/network/ddos-protection-plan/main.bicep +++ b/modules/network/ddos-protection-plan/main.bicep 
@@ -12,7 +12,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -60,7 +60,7 @@ resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if resource ddosProtectionPlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
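Review bot: The fallback on the new `roleDefinitionId` line accepts any value that merely contains `/providers/Microsoft.Authorization/roleDefinitions/` (Bicep `contains` on strings is a substring test), and everything else — a bare GUID, but equally a misspelled display name — is wrapped by `subscriptionResourceId`, which pins the lookup to the deployment subscription; a custom role that is not assignable at that subscription therefore has to be passed as its fully qualified ID, and neither the parameter nor the type description says so. Because `name` is still derived from the raw `roleDefinitionIdOrName`, the same role supplied once as a name and once as its GUID produces two assignments with different names for the same principal, role and scope, which I believe Azure RBAC rejects as a duplicate rather than treating as idempotent. I would add above the line `// A bare GUID is resolved against the deployment subscription; custom roles defined elsewhere must be passed as a fully qualified role definition ID.` and `// The substring check only detects the fully qualified form; it does not validate the ID.` The identical expression appears in the express-route-circuit and express-route-gateway `main.bicep` hunks below and in the compiled `main.json` templates.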
@@ -96,7 +96,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index 8aaaa921fd..3d92c7a798 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10546222584302877653" + "version": "0.23.1.45101", + "templateHash": "13726158545733724947" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -129,7 +129,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -203,7 +203,7 @@ "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep index 5ef4541d51..e020dc11a8 100644 
--- a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep @@ -58,7 +58,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep index 8bdf24f0bd..593e44c39b 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep @@ -56,13 +56,6 @@ module testDeployment '../../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 1a35356326..6f7e013b74 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md 
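Review bot: The third entry passes a `subscriptionResourceId(...)` expression, and the README generated from this test (the ddos-protection-plan README hunk above) renders it as `roleDefinitionIdOrName: ''`, so the documented example of the fully qualified form is an empty string that the module would wrap with `subscriptionResourceId` and fail on at deployment. Readers thus get no working illustration of the third accepted format; the bastion-host and express-route-circuit max tests have the same shape. Until the generator emits a placeholder for non-literal values, a comment on the entry such as `// Fully qualified role definition ID; the generated README blanks this expression — see the parameter description for the expected format` would at least flag the gap to maintainers. The enclosing `testDeployment` module starts outside the hunk.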
@@ -134,7 +134,17 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuFamily: 'MeteredData' @@ -207,7 +217,17 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -270,13 +290,6 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuFamily: 'MeteredData' skuTier: 'Standard' tags: { @@ -342,15 +355,6 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuFamily": { "value": "MeteredData" }, 
@@ -399,7 +403,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 | [`peering`](#parameter-peering) | bool | Enabled BGP peering type for the Circuit. | | [`peeringType`](#parameter-peeringtype) | string | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | | [`primaryPeerAddressPrefix`](#parameter-primarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link1. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`secondaryPeerAddressPrefix`](#parameter-secondarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link2. | | [`sharedKey`](#parameter-sharedkey) | string | The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | | [`skuFamily`](#parameter-skufamily) | string | Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | 
@@ -646,7 +650,7 @@ A /30 subnet used to configure IP addresses for interfaces on Link1. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -659,7 +663,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -707,7 +711,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep index 8318922213..523d957700 100644 --- a/modules/network/express-route-circuit/main.bicep +++ b/modules/network/express-route-circuit/main.bicep @@ -75,7 +75,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') 
@@ -182,7 +182,7 @@ resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticS resource expressRouteCircuits_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(expressRouteCircuits.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -221,7 +221,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json index 482950e671..bc213c59d2 100644 --- a/modules/network/express-route-circuit/main.json +++ b/modules/network/express-route-circuit/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6315579544397323393" + "templateHash": "5050638438810286539" }, "name": "ExpressRoute Circuits", "description": "This module deploys an Express Route Circuit.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -362,7 +362,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -489,7 +489,7 @@ "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep index 015786939d..705af9e25a 100644 
--- a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep @@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep index d3509c0c8d..afcdd32c69 100644 --- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep @@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] skuFamily: 'MeteredData' skuTier: 'Standard' allowClassicOperations: true diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 1804fe9a3f..152fbd6875 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md 
@@ -110,7 +110,17 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -161,7 +171,17 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -202,13 +222,6 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { hello: 'world' 'hidden-title': 'This is visible in the resource name' @@ -252,15 +265,6 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hello": "world", 
@@ -295,7 +299,7 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 | [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | ### Parameter: `allowNonVirtualWanTraffic` @@ -375,7 +379,7 @@ Name of the Express Route Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -388,7 +392,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -436,7 +440,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep index 811d433d11..3c092e14f1 100644 --- a/modules/network/express-route-gateway/main.bicep +++ b/modules/network/express-route-gateway/main.bicep 
@@ -26,7 +26,7 @@ param expressRouteConnections array = [] @description('Required. Resource ID of the Virtual Wan Hub.') param virtualHubId string -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -87,7 +87,7 @@ resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i resource expressRouteGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(expressRouteGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -123,7 +123,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json index 6be627532b..96877d8514 100644 --- a/modules/network/express-route-gateway/main.json +++ b/modules/network/express-route-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13411012748796915951" + "templateHash": "17235076450976067211" }, "name": "Express Route Gateways", "description": "This module deploys an Express Route Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -163,7 +163,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -249,7 +249,7 @@ "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep index 42867d94f4..1939d49a61 100644 
--- a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep @@ -67,7 +67,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep index e95b805cb0..81e988ca2d 100644 --- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -65,12 +65,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index 45170239e9..c62511aad4 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md 
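Review bot: The max test now grants `Owner` to the test managed identity, and since the README usage examples are regenerated from these tests (the README hunks elsewhere in this commit now open with `roleDefinitionIdOrName: 'Owner'`) that becomes the sample consumers copy. Exercising the display-name branch does not require the most privileged built-in role; the previous `roleDefinitionIdOrName: 'Reader'` covers it and keeps the published example least-privilege, while the GUID and full-ID entries still cover the two new resolution branches. The same pattern is in the max tests for front-door-web-application-firewall-policy and front-door in this commit. The `module testDeployment` body starts and ends outside the hunk.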
@@ -165,7 +165,17 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'Premium_AzureFrontDoor' @@ -277,7 +287,17 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -381,13 +401,6 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo mode: 'Prevention' redirectUrl: 'http://www.bing.com' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'Premium_AzureFrontDoor' tags: { Environment: 'Non-Prod' @@ -492,15 +505,6 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo "redirectUrl": "http://www.bing.com" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "Premium_AzureFrontDoor" }, 
@@ -537,7 +541,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | | [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The pricing tier of the WAF profile. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -659,7 +663,7 @@ The PolicySettings for policy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -672,7 +676,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -720,7 +724,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep index 2cf41330a7..27bfa8e63d 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.bicep 
+++ b/modules/network/front-door-web-application-firewall-policy/main.bicep
@@ -72,7 +72,7 @@ param policySettings object = {
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 var builtInRoleNames = {
@@ -121,7 +121,7 @@ resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 resource frontDoorWAFPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(frontDoorWAFPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
@@ -157,7 +157,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json index deff6d2c90..578eff792e 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.json +++ b/modules/network/front-door-web-application-firewall-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4704133430078422281" + "templateHash": "12618111004267812285" }, "name": "Front Door Web Application Firewall (WAF) Policies", "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -215,7 +215,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -282,7 +282,7 @@ "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep index 835ce7f757..99bdd66dea 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep @@ -127,7 +127,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 4248cdace9..67e8b06778 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -125,12 +125,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Environment: 'Non-Prod' Role: 'DeploymentValidation' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] 
diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 75bd27f5d6..b86171346b 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -360,7 +360,17 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sendRecvTimeoutSeconds: 10 @@ -504,7 +514,17 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -634,13 +654,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sendRecvTimeoutSeconds: 10 tags: { Environment: 'Non-Prod' @@ -777,15 +790,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sendRecvTimeoutSeconds": { "value": 10 }, 
@@ -828,7 +832,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { | [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -1041,7 +1045,7 @@ The name of the frontDoor. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1054,7 +1058,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1102,7 +1106,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep index f9cc41e08a..bcaa533984 100644 --- a/modules/network/front-door/main.bicep +++ b/modules/network/front-door/main.bicep 
@@ -13,7 +13,7 @@ param location string = resourceGroup().location
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Resource tags.')
@@ -131,7 +131,7 @@ resource frontDoor_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202
 resource frontDoor_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(frontDoor.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
@@ -164,7 +164,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json index 3b20f006ef..394c56eb8a 100644 --- a/modules/network/front-door/main.json +++ b/modules/network/front-door/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18065323177030790685" + "templateHash": "12127605503670931788" }, "name": "Azure Front Doors", "description": "This module deploys an Azure Front Door.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -236,7 +236,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -411,7 +411,7 @@ "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/frontDoors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/front-door/tests/e2e/max/main.test.bicep b/modules/network/front-door/tests/e2e/max/main.test.bicep index c94b99aa79..4d954197e7 100644 --- a/modules/network/front-door/tests/e2e/max/main.test.bicep 
+++ b/modules/network/front-door/tests/e2e/max/main.test.bicep @@ -148,7 +148,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' sendRecvTimeoutSeconds: 10 roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep index 93650d477c..3652f40fa1 100644 --- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -146,13 +146,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } ] sendRecvTimeoutSeconds: 10 - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index d9706dfeb2..a5ac16bc08 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md 
@@ -107,7 +107,17 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -156,7 +166,17 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -199,13 +219,6 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -247,15 +260,6 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -287,7 +291,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { | [`ipAddresses`](#parameter-ipaddresses) | array | IpAddresses/IpAddressPrefixes in the IpGroups resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | ### Parameter: `enableDefaultTelemetry` @@ -346,7 +350,7 @@ The name of the ipGroups. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -359,7 +363,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -407,7 +411,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep index 3e14ba223f..08a30eee33 100644 --- a/modules/network/ip-group/main.bicep +++ b/modules/network/ip-group/main.bicep 
@@ -15,7 +15,7 @@ param ipAddresses array = []
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Resource tags.')
@@ -66,7 +66,7 @@ resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 resource ipGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
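Review bot: The fallback branch on the added roleDefinitionId line treats any value that is neither a key of builtInRoleNames nor a string containing '/providers/Microsoft.Authorization/roleDefinitions/' as a bare role definition GUID and wraps it with subscriptionResourceId(), so a misspelled built-in name or a custom role referenced by display name is silently turned into a subscription-scoped role definition ID that would presumably be rejected only at deployment time. Because the middle check is a contains() substring test rather than a format check, the template cannot tell these cases apart itself; the `@description` on roleDefinitionIdOrName (updated in the next hunk) should say that only built-in role display names are resolved and that custom roles must be given by GUID or fully qualified resource ID. Separately, `name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input rather than the resolved ID, so the same effective assignment written as a name, a GUID or a full ID yields three different assignment names, which Azure is likely to treat as a conflicting duplicate on redeploy; hashing the resolved value would keep the name stable across spellings. The identical change appears in the local-network-gateway and nat-gateway main.bicep hunks later on this page.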
@@ -102,7 +102,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json index f286f1deb9..ccf8f4d058 100644 --- a/modules/network/ip-group/main.json +++ b/modules/network/ip-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16568387528687642838" + "templateHash": "12288057031488744578" }, "name": "IP Groups", "description": "This module deploys an IP Group.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -136,7 +136,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -213,7 +213,7 @@ "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/ipGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/ip-group/tests/e2e/max/main.test.bicep b/modules/network/ip-group/tests/e2e/max/main.test.bicep index 5e9c862414..06bb71dc3b 100644 --- a/modules/network/ip-group/tests/e2e/max/main.test.bicep 
+++ b/modules/network/ip-group/tests/e2e/max/main.test.bicep
@@ -63,7 +63,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep
index 6636c832de..e8767a2291 100644
--- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep
@@ -61,13 +61,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md
index 2b5cac74a2..f2fb425a1a 100644
--- a/modules/network/local-network-gateway/README.md
+++ b/modules/network/local-network-gateway/README.md
@@ -121,7 +121,17 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -178,7 +188,17 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -223,13 +243,6 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -279,15 +292,6 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -324,7 +328,7 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 | [`localPeerWeight`](#parameter-localpeerweight) | string | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -416,7 +420,7 @@ Name of the Local Network Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -429,7 +433,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -477,7 +481,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep index 766ac4eb10..0d7877dc43 100644 --- a/modules/network/local-network-gateway/main.bicep +++ b/modules/network/local-network-gateway/main.bicep 
@@ -27,7 +27,7 @@ param localPeerWeight string = ''
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
@@ -92,7 +92,7 @@ resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i
 resource localNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(localNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -128,7 +128,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index da3cea4c2d..5fc6a78848 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18232422639786183281" + "templateHash": "15135056201876239825" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -162,7 +162,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -256,7 +256,7 @@ "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/localNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep index 93352e6ce5..150660fecf 100644 
--- a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
+++ b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep
@@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep
index 4c3d7522ce..a407b64c98 100644
--- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep
@@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md
index b764e57c4d..48343f3c1b 100644
--- a/modules/network/nat-gateway/README.md
+++ b/modules/network/nat-gateway/README.md
@@ -90,7 +90,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -167,7 +177,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -229,7 +249,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -295,7 +325,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -366,13 +406,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -442,15 +475,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -486,7 +510,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | [`publicIPPrefixObjects`](#parameter-publicipprefixobjects) | array | Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. | | [`publicIPPrefixResourceIds`](#parameter-publicipprefixresourceids) | array | Existing Public IP Prefixes resource IDs to use for the NAT Gateway. | | [`publicIpResourceIds`](#parameter-publicipresourceids) | array | Existing Public IP Address resource IDs to use for the NAT Gateway. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags for the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | 
@@ -572,7 +596,7 @@ Existing Public IP Address resource IDs to use for the NAT Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -585,7 +609,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -633,7 +657,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index b3aab1a660..8e958da2d7 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep @@ -29,7 +29,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags for the resource.') 
@@ -139,7 +139,7 @@ resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty
 resource natGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -175,7 +175,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json
index 496bdfff0a..5f0044c21c 100644
--- a/modules/network/nat-gateway/main.json
+++ b/modules/network/nat-gateway/main.json
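Review bot: The new fallback on the `roleDefinitionId` line treats every value that is neither a key of `builtInRoleNames` nor a string containing `/providers/Microsoft.Authorization/roleDefinitions/` as a role definition GUID, so a misspelled display name is silently rewritten into a subscription-scoped resource ID and is presumably only rejected at deployment time, with an error that no longer mentions the name; a short comment on that line would help the next reader, e.g. `// Fallback: a value that is neither a known role name nor a full resource ID is assumed to be a role definition GUID`. Note also that `contains()` on strings is a substring test, so the full-ID branch is taken for any value that has that segment anywhere in it, not only for IDs that start with it, which is fine for well-formed input but worth stating in the same comment. A second point on the context line `name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`: the name still hashes the raw input, so the same role given as a display name, as a GUID or as a full ID resolves to one `roleDefinitionId` but to three different assignment names, and switching the form between deployments would, as far as I can tell, attempt a second assignment for the same principal, role and scope rather than update the existing one. The identical hunks in network-manager/main.bicep and network-security-group/main.bicep share both points.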
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9381387795158980533" + "templateHash": "4790906560512983645" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -276,7 +276,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -364,7 +364,7 @@ "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/natGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -1022,7 +1022,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9244193973447540175" + "templateHash": "11282022059497213596" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -1062,7 +1062,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1153,7 +1153,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -1242,7 +1242,7 @@ "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep index 7fc011d550..e6adb9a978 100644 
--- a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
+++ b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep
@@ -105,7 +105,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
index d874324327..caceef126b 100644
--- a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
+++ b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep
@@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
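Review bot: The first entry switches the test principal from `'Reader'` to `'Owner'`, which grants full control of the resource including the right to create further role assignments on it, while the name-lookup branch being exercised is the same for any key of the module's `builtInRoleNames` map. The e2e tests feed the README usage examples in this commit, so the published example now shows Owner being handed to a service principal as the default pattern. If three distinct roles are needed so the names derived from `guid(...)` do not collide, a less privileged display name for the first entry, with the GUID and full-ID entries pointing at two other roles, would cover the same three input forms. The max tests for network-manager and network-security-group further down make the same change.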
diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep index 9f155e50f0..15c733767d 100644 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -103,13 +103,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 896d0bd79c..8460d85457 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -125,7 +125,17 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopeConnections: [ @@ -352,7 +362,17 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -571,13 +591,6 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopeConnections: [ { description: 'description of the scope connection' @@ -797,15 +810,6 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopeConnections": { "value": [ { diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 4fc57260bd..c867dd3d0c 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep @@ -142,7 +142,7 @@ resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource networkManager_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(networkManager.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 24d0104710..038c02d2e2 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7208377569507005040" + "templateHash": "10987132052882747001" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", 
@@ -258,7 +258,7 @@ "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -303,10 +303,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3787957853488500608" + "templateHash": "9383612824689647197" }, "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", + "description": "This module deploys a Network Manager Network Group.\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -409,10 +409,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6119539562042886994" + "templateHash": "6270695242836306169" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -572,10 +572,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16434535140284685195" + "templateHash": "9661323239609366787" }, "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", + "description": "This module deploys a Network Manager Connectivity Configuration.\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -751,10 +751,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5036358037363252898" + "templateHash": "15324552358719749208" }, "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", + "description": "This module deploys a Network Manager Scope Connection.\nCreate a cross-tenant connection to manage a resource from another tenant.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -890,10 +890,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11083461428572717010" + "templateHash": "220686347521741612" }, "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Network Manager Security Admin Configuration.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -1012,10 +1012,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17187717862116828818" + "templateHash": "10245325643114384455" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -1147,10 +1147,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "144106033297451553"
+ "templateHash": "6215293821297223443"
 },
 "name": "Network Manager Security Admin Configuration Rule Collection Rules",
- "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.",
+ "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.",
 "owner": "Azure/module-maintainers"
 },
 "parameters": {
diff --git a/modules/network/network-manager/tests/e2e/max/main.test.bicep b/modules/network/network-manager/tests/e2e/max/main.test.bicep
index 1fb6b04824..d0e1fd2393 100644
--- a/modules/network/network-manager/tests/e2e/max/main.test.bicep
+++ b/modules/network/network-manager/tests/e2e/max/main.test.bicep
@@ -66,7 +66,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep index 1d94d18ba7..630be8e2bc 100644 --- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep @@ -64,13 +64,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] networkManagerScopeAccesses: [ 'Connectivity' 'SecurityAdmin' diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index 416644df15..f0672acbff 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -114,7 +114,17 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securityRules: [ @@ -232,7 +242,17 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -346,13 +366,6 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securityRules: [ { name: 'Specific' @@ -463,15 +476,6 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securityRules": { "value": [ { @@ -570,7 +574,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | 
@@ -725,7 +729,7 @@ Name of the Network Security Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -738,7 +742,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -786,7 +790,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index 83928e9024..83266cb10a 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep @@ -20,7 +20,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the NSG resource.') 
@@ -136,7 +136,7 @@ resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticS
 resource networkSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(networkSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -172,7 +172,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json
index 5a078217ce..c6f01814cd 100644
--- a/modules/network/network-security-group/main.json
+++ b/modules/network/network-security-group/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "750109442263573618" + "templateHash": "15234016184111184785" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -236,7 +236,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -362,7 +362,7 @@ "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/network-security-group/tests/e2e/max/main.test.bicep b/modules/network/network-security-group/tests/e2e/max/main.test.bicep index 24664977f4..b0cae014bc 100644 
--- a/modules/network/network-security-group/tests/e2e/max/main.test.bicep
+++ b/modules/network/network-security-group/tests/e2e/max/main.test.bicep
@@ -83,7 +83,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
index 0a6ccc8de6..cb46477554 100644
--- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep
@@ -81,13 +81,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 securityRules: [
 {
 name: 'Specific'
diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md
index 84b24a7db1..c8263f21d9 100644
--- a/modules/network/network-watcher/README.md
+++ b/modules/network/network-watcher/README.md
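Review bot: The third entry's `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` is an expression rather than a literal, and the usage examples generated from these fixtures appear to render it as `roleDefinitionIdOrName: ''` (see the network-watcher README hunk in this commit), which documents an empty value for a property the type marks as Required. A literal full ID, `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'`, exercises the same pass-through branch of the module and survives README generation. The bare-GUID entries would also read better with the role named, e.g. `roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor` and `// Reader` on the acdd72a7 entry, together with a short comment that the three entries must stay three distinct roles because they all target the same principal and scope. Granting `Owner` to the test identity is considerably broader than the `Reader` it replaces, and any other built-in display name would verify name resolution equally well. The same fixture change appears in the network-watcher max test in this commit.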
@@ -165,7 +165,17 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -276,7 +286,17 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -379,13 +399,6 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { ] location: '' name: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -489,15 +502,6 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { "name": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -525,7 +529,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the Network Watcher resource (hidden). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `connectionMonitors` @@ -592,7 +596,7 @@ Name of the Network Watcher resource (hidden). ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -605,7 +609,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -653,7 +657,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep index 6ee4903f61..4cde8cc540 100644 --- a/modules/network/network-watcher/main.bicep +++ b/modules/network/network-watcher/main.bicep 
@@ -18,7 +18,7 @@ param flowLogs array = []
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
@@ -69,7 +69,7 @@ resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 resource networkWatcher_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(networkWatcher.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -135,7 +135,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index af0b8f4ed7..aa3112d351 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16212234798998363097" + "templateHash": "10879972113485324121" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -144,7 +144,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -220,7 +220,7 @@ "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkWatchers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -457,10 +457,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13019883939201211211" + "templateHash": "2197507893118006956" }, "name": "NSG Flow Logs", - "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", + "description": "This module controls the Network Security Group Flow Logs and analytics settings.\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-watcher/tests/e2e/max/main.test.bicep b/modules/network/network-watcher/tests/e2e/max/main.test.bicep index 578321530e..c453c48b8d 100644 --- a/modules/network/network-watcher/tests/e2e/max/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/max/main.test.bicep @@ -145,7 +145,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep index b940f74c67..0753347fd0 100644 --- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep 
+++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -143,13 +143,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index a2ba040a35..5d295b3fc2 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md 
@@ -459,7 +459,7 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' | [`loadBalancerFrontendIpConfigurations`](#parameter-loadbalancerfrontendipconfigurations) | array | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | | [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | 
@@ -554,7 +554,7 @@ Name of the private link service to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -567,7 +567,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -615,7 +615,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep index 6146a225bf..7f8f61068e 100644 --- a/modules/network/private-link-service/main.bicep +++ b/modules/network/private-link-service/main.bicep @@ -38,7 +38,7 @@ param visibility object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var builtInRoleNames = { 
@@ -93,7 +93,7 @@ resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 resource privateLinkService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(privateLinkService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -129,7 +129,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json
index 2b7574b6aa..5490f7706a 100644
--- a/modules/network/private-link-service/main.json
+++ b/modules/network/private-link-service/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1799801226722953083" + "templateHash": "7895931636672414166" }, "name": "Private Link Services", "description": "This module deploys a Private Link Service.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -191,7 +191,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -264,7 +264,7 @@ "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/privateLinkServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index 315a9026fd..8f34b55130 100644 --- a/modules/network/public-ip-prefix/README.md 
+++ b/modules/network/public-ip-prefix/README.md @@ -108,7 +108,17 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -154,7 +164,17 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -194,13 +214,6 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -239,15 +252,6 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -280,7 +284,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `customIPPrefix` @@ -345,7 +349,7 @@ Length of the Public IP Prefix. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -358,7 +362,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -406,7 +410,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep index 5261690b6d..97b513f893 100644 --- a/modules/network/public-ip-prefix/main.bicep +++ b/modules/network/public-ip-prefix/main.bicep 
@@ -17,7 +17,7 @@ param prefixLength int @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -76,7 +76,7 @@ resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource publicIpPrefix_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(publicIpPrefix.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
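Review bot: The new three-way `roleDefinitionId` expression in the `properties` block is undocumented, and its last branch silently changes meaning for any value that is neither a key of `builtInRoleNames` nor a string containing the `/providers/Microsoft.Authorization/roleDefinitions/` segment: it is handed to `subscriptionResourceId`, so a bare GUID is resolved at the deploying subscription only, and a mistyped display name becomes a malformed ID that fails at deployment rather than at validation. The updated `@description` on `roleDefinitionIdOrName` says "the role definition GUID" without that scope caveat, so a GUID of a custom role defined at management-group scope may not resolve unless the fully qualified ID is passed instead. I would add a comment above the property, `// Resolve in order: built-in role name (table lookup) -> full, optionally scope-prefixed, role definition ID (contains() rather than startsWith() because a scope prefix may precede the segment) -> bare GUID, resolved at the deploying subscription's scope.`, and append "A bare GUID is resolved at subscription scope; pass the fully qualified ID for roles defined at management-group scope." to the `roleDefinitionIdOrName` description. The same applies to the identical hunks in service-endpoint-policy/main.bicep and trafficmanagerprofile/main.bicep; the `[for ...]` resource enclosing this hunk closes outside it.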
@@ -112,7 +112,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index d327e41009..b8010113ed 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9244193973447540175" + "templateHash": "11282022059497213596" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -137,7 +137,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -226,7 +226,7 @@ "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep index 2a0444770e..04bc42d4e9 100644 
--- a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep @@ -60,7 +60,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep index cc31fc6d98..9081c0314b 100644 --- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -58,13 +58,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index e8797a413c..b8a16af871 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md 
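Review bot: The first new entry grants `Owner` to the test managed identity where the previous test used `Reader`; any key of `builtInRoleNames` exercises the name branch equally, and Owner lets the test identity modify the resource and its own role assignments, so the e2e fixture now carries more privilege than the code path under test needs. Keeping `roleDefinitionIdOrName: 'Reader'` for the name case and reserving the GUID and `subscriptionResourceId(...)` entries for the two new branches would cover the same code with least privilege. The third entry is a `subscriptionResourceId(...)` expression, and the regenerated README usage examples in this commit (e.g. the service-endpoint-policy README) appear to render it as `roleDefinitionIdOrName: ''`, so the published sample is not deployable as shown; a literal full-ID string in the test would round-trip into the README intact. The same pattern appears in the service-endpoint-policy and trafficmanagerprofile max tests.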
@@ -103,7 +103,17 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] serviceEndpointPolicyDefinitions: [ @@ -159,7 +169,17 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -213,13 +233,6 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] serviceEndpointPolicyDefinitions: [ { name: 'Storage.ServiceEndpoint' @@ -268,15 +281,6 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "serviceEndpointPolicyDefinitions": { "value": [ { 
@@ -323,7 +327,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceAlias`](#parameter-servicealias) | string | The alias indicating if the policy belongs to a service. | | [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -384,7 +388,7 @@ The Service Endpoint Policy name. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -397,7 +401,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -445,7 +449,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep index c0183b63f9..9d9b83348d 100644 --- a/modules/network/service-endpoint-policy/main.bicep +++ b/modules/network/service-endpoint-policy/main.bicep 
@@ -20,7 +20,7 @@ param serviceAlias string = '' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -73,7 +73,7 @@ resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = resource serviceEndpointPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(serviceEndpointPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -109,7 +109,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index 0901fb297c..0e6f729e47 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8576779256610363047" + "templateHash": "11859236081077741465" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -149,7 +149,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -228,7 +228,7 @@ "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep index 8ad3addf74..271bf7e24a 100644 
--- a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep index ab52288ff9..ba10f48947 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 01f22925a2..c7d12328ee 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -124,7 +124,17 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -186,7 +196,17 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -240,13 +260,6 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -301,15 +314,6 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -345,7 +349,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0
 | [`maxReturn`](#parameter-maxreturn) | int | Maximum number of endpoints to be returned for MultiValue routing type. |
 | [`monitorConfig`](#parameter-monitorconfig) | object | The endpoint monitoring settings of the Traffic Manager profile. |
 | [`profileStatus`](#parameter-profilestatus) | string | The status of the Traffic Manager profile. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Resource tags. |
 | [`trafficRoutingMethod`](#parameter-trafficroutingmethod) | string | The traffic routing method of the Traffic Manager profile. |
 | [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. |
@@ -556,7 +560,7 @@ The relative DNS name provided by this Traffic Manager profile. This value is co ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -569,7 +573,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -617,7 +621,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index 66238ec4dd..0b8890079e 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep @@ -56,7 +56,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') 
@@ -143,7 +143,7 @@ resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnostic resource trafficManagerProfile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(trafficManagerProfile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -176,7 +176,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index b70a6f3e81..76f4462e01 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11095049412788663057" + "templateHash": "16146918790976496656" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -309,7 +309,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -419,7 +419,7 @@ "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep index b937b8d2af..997d876567 100644 
--- a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep
+++ b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep
@@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
     }
     roleAssignments: [
       {
-        roleDefinitionIdOrName: 'Reader'
+        roleDefinitionIdOrName: 'Owner'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
index bddc3fdf32..850a5be046 100644
--- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep
@@ -86,13 +86,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
       kind: 'CanNotDelete'
       name: 'myCustomLockName'
     }
-    roleAssignments: [
-      {
-        roleDefinitionIdOrName: 'Reader'
-        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
-      }
-    ]
     tags: {
       'hidden-title': 'This is visible in the resource name'
       Environment: 'Non-Prod'
diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md
index c43561c8b2..7a0a2b9daa 100644
--- a/modules/network/virtual-network-gateway/README.md
+++ b/modules/network/virtual-network-gateway/README.md
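Review bot: The first entry of the max test now grants `roleDefinitionIdOrName: 'Owner'` to the test managed identity on the profile; Owner carries `Microsoft.Authorization/roleAssignments/write`, so that identity can grant further access on the resource, which is more privilege than a name-resolution test needs, and the README example generated from this test will show `'Owner'` as the first thing users copy. Since the three entries exist to cover the name, GUID and full-ID spellings (the GUID appears to be Contributor and the full ID Reader), a lower-privilege built-in given by name would exercise the same branch — keep the three roles distinct, though, because the module hashes the assignment name over the raw input and two spellings of one role for the same principal would collide on the same (scope, principal, role) tuple. The enclosing `module testDeployment` block starts and ends outside the hunk.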
@@ -81,7 +81,17 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -176,7 +186,17 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -643,7 +663,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. | | [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | [`publicIpZones`](#parameter-publicipzones) | array | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnClientAadConfiguration`](#parameter-vpnclientaadconfiguration) | object | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. | | [`vpnClientAddressPoolPrefix`](#parameter-vpnclientaddresspoolprefix) | string | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | 
@@ -1068,7 +1088,7 @@ Specifies the zones of the Public IP address. Basic IP SKU does not support Avai ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1081,7 +1101,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1129,7 +1149,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index b561f87fac..ec6385b67c 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep @@ -118,7 +118,7 @@ param publicIpDiagnosticSettings diagnosticSettingType @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') 
@@ -374,7 +374,7 @@ resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnostic
 resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
@@ -416,7 +416,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
-  @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
   roleDefinitionIdOrName: string
 
   @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json
index 6ed43a2056..7180fe35f6 100644
--- a/modules/network/virtual-network-gateway/main.json
+++ b/modules/network/virtual-network-gateway/main.json
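Review bot: The new fallback `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)` is reached by any value that is neither a key of `builtInRoleNames` nor contains `/providers/Microsoft.Authorization/roleDefinitions/`, so it serves both a bare GUID and a mistyped or unlisted display name; the latter now yields a well-formed-looking but nonexistent role definition ID whose failure surfaces only when the assignment is created, with a less obvious error than the old pass-through gave. At minimum the new `@description` on `roleDefinitionIdOrName` should say that display names are limited to the built-in roles this module maps and that custom roles must be passed as a GUID or fully qualified ID, since the text as written promises any "display name of the role definition". The bare-GUID branch also pins the lookup to the deployment subscription; a custom role defined at management-group scope is presumably only reachable that way when it is assignable in that subscription — worth confirming, or documenting that such roles should be given as the fully qualified ID. The `[for ...]` resource declaration closes outside the hunk.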
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2357059360379446061" + "templateHash": "15357828351524045583" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -437,7 +437,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { 
@@ -593,7 +593,7 @@ "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep index 95dfbe06d2..a6e2410992 100644 
--- a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep
+++ b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep
@@ -97,7 +97,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
     ]
     roleAssignments: [
       {
-        roleDefinitionIdOrName: 'Reader'
+        roleDefinitionIdOrName: 'Owner'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md
index 8f8acb2d0d..33dd1bb7cd 100644
--- a/modules/network/virtual-network/README.md
+++ b/modules/network/virtual-network/README.md
@@ -138,7 +138,17 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = {
       {
         principalId: ''
         principalType: 'ServicePrincipal'
-        roleDefinitionIdOrName: 'Reader'
+        roleDefinitionIdOrName: 'Owner'
+      }
+      {
+        principalId: ''
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+      }
+      {
+        principalId: ''
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: ''
       }
     ]
     subnets: [
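Review bot: In the aadvpn test the first assignment now hands `'Owner'` to the test managed identity on the gateway, where the previous `'Reader'` was sufficient to exercise the name branch; Owner includes the right to write further role assignments on the resource, which widens what a compromised or leaked test identity could do and is also what the generated README will show as the canonical example. Because the three entries are there to cover name, GUID and fully qualified ID (the GUID appears to be Contributor and the full ID Reader), a less privileged built-in by name would cover the same code path — just keep the three roles distinct, as the module derives the assignment name from the raw input string and two spellings of the same role for one principal would conflict on the same (scope, principal, role) tuple. The enclosing `module testDeployment` block starts and ends outside the hunk.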
@@ -256,7 +266,17 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -471,13 +491,6 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] subnets: [ { addressPrefix: '' @@ -588,15 +601,6 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "subnets": { "value": [ { 
@@ -680,7 +684,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`peerings`](#parameter-peerings) | array | Virtual Network Peerings configurations. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`subnets`](#parameter-subnets) | array | An Array of subnets to deploy to the Virtual Network. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vnetEncryption`](#parameter-vnetencryption) | bool | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. | @@ -884,7 +888,7 @@ Virtual Network Peerings configurations. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -897,7 +901,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -945,7 +949,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep index 0a4003d1e5..59201d89b2 100644 --- a/modules/network/virtual-network/main.bicep +++ b/modules/network/virtual-network/main.bicep 
@@ -43,7 +43,7 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
@@ -226,7 +226,7 @@ resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSetting
 resource virtualNetwork_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
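Review bot: In the `-226` hunk the deterministic `name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` is left hashing the caller's literal string, while the changed `roleDefinitionId` line now maps a display name, a bare GUID and a fully qualified ID onto one and the same role definition; as a result the module is no longer idempotent across spellings — re-running with `'Reader'` after having deployed the GUID form yields a new assignment name for an assignment Azure already holds, and the RBAC service rejects the duplicate. Hashing the resolved value instead (resolve once into a normalized array before the loop, then `guid(virtualNetwork.id, ra.principalId, ra.roleDefinitionId)`) would make all three spellings converge on one name; a parallel `var` keeps this a small change, though it touches lines outside the hunk. The `[for ...]` resource declaration closes outside the hunk.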
@@ -268,7 +268,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index 0de7bba004..532eb7a1ed 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17480456503748802804" + "templateHash": "13961908066049055170" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -300,7 +300,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -437,7 +437,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -496,7 +496,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10049142602469906602" + "templateHash": "17336277691652716048" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", @@ -511,7 +511,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -679,7 +679,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -753,7 +753,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index d981e06cfc..fbe94623e8 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -45,7 +45,7 @@ This module deploys a Virtual Network Subnet. | [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. | | [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. | | [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. | | [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. | | [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. | 
@@ -143,7 +143,7 @@ enable or disable apply network policies on private link service in the subnet. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -156,7 +156,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -204,7 +204,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network/subnet/main.bicep b/modules/network/virtual-network/subnet/main.bicep index 5f0fadf82e..3e8d129499 100644 --- a/modules/network/virtual-network/subnet/main.bicep +++ b/modules/network/virtual-network/subnet/main.bicep @@ -54,7 +54,7 @@ param ipAllocations array = [] @description('Optional. An array of service endpoint policies.') param serviceEndpointPolicies array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') 
@@ -113,7 +113,7 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
 resource subnet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -143,7 +143,7 @@ output subnetAddressPrefixes array = !empty(addressPrefixes) ? subnet.properties
 // =============== //
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/network/virtual-network/subnet/main.json b/modules/network/virtual-network/subnet/main.json
index c7f51d4570..dd6acc468b 100644
--- a/modules/network/virtual-network/subnet/main.json
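Review bot: The resource `name` on the line above the changed one still hashes the raw `roleAssignment.roleDefinitionIdOrName`, while `properties.roleDefinitionId` is now normalized, so the same role given as a display name, a bare GUID or a full ID yields three differently named assignments for one (principal, role, scope) triple; as far as I know ARM rejects a second assignment of an existing triple under a new name, so a redeploy that switches notation fails with a conflict instead of being idempotent. Resolving the ID once in a `var` built with a `for` expression and using it in both `name` and `properties.roleDefinitionId`, as sketched below, keeps the name stable across notations. The new fallback also turns any unknown display name (a typo, or a custom role given by name) into `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', <name>)`, so such input now fails late with a resource-ID validation error rather than a clear "role not found"; the `@description` updated in the `@@ -143` hunk should say that display names must be built-in role names listed in `builtInRoleNames`. The same pattern is in the `virtualWan_roleAssignments` and `vpnSite_roleAssignments` hunks at L32625 and L32633. The resource declaration's closing lines are outside the hunk.
```bicep
var formattedRoleAssignments = [for roleAssignment in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
})]

resource subnet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in formattedRoleAssignments: {
  name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType …
```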
+++ b/modules/network/virtual-network/subnet/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10049142602469906602" + "templateHash": "17336277691652716048" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -189,7 +189,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -263,7 +263,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/network/virtual-network/tests/e2e/max/main.test.bicep b/modules/network/virtual-network/tests/e2e/max/main.test.bicep index 5a84c91f10..7181d9a40f 100644 --- a/modules/network/virtual-network/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/max/main.test.bicep @@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep index 58a38a9530..c2702cfe9f 100644 --- a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep @@ -94,13 +94,6 @@ module testDeployment '../../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] flowTimeoutInMinutes: 20 subnets: [ { diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 63d33bf1aa..2cb16b518d 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md 
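Review bot: The first added entry grants `Owner` to the test managed identity on the virtual network, where the previous `'Reader'` already exercised the built-in-name branch; since the max test is what the generated README usage examples are produced from, `Owner` now becomes the copy-paste example shown to every consumer of the module, which works against least privilege. Keeping a low-privilege built-in such as `roleDefinitionIdOrName: 'Reader'` for the name case (the GUID and full-ID entries already cover the other two branches) tests the same code path. The full-ID entry built with `subscriptionResourceId(...)` is rendered as `roleDefinitionIdOrName: ''` in the regenerated virtual-wan and vpn-site README examples in this commit, which looks like the generator blanking an expression rather than a meaningful sample, and an empty string is exactly the value the module would pass to `subscriptionResourceId` as-is. A literal in the format the new `@description` documents, `'/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'`, would exercise the full-ID branch and survive README generation. The same change is made in the virtual-wan and vpn-site max tests at L32629 and L32637; the `testDeployment` module declaration starts and ends outside the hunk.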
@@ -106,7 +106,17 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -159,7 +169,17 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -204,13 +224,6 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -256,15 +269,6 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -301,7 +305,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location where all resources will be created. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`type`](#parameter-type) | string | The type of the Virtual WAN. | @@ -375,7 +379,7 @@ Name of the Virtual WAN. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -388,7 +392,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -436,7 +440,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep index 6d3f3fe0b0..b108e4573b 100644 --- a/modules/network/virtual-wan/main.bicep +++ b/modules/network/virtual-wan/main.bicep 
@@ -24,7 +24,7 @@ param allowVnetToVnetTraffic bool = false
 @description('Optional. VPN encryption to be disabled or not.')
 param disableVpnEncryption bool = false
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
@@ -81,7 +81,7 @@ resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty
 resource virtualWan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(virtualWan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -117,7 +117,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index 73f79cbc33..99e7a9e7ca 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4189892179924911704" + "templateHash": "3497109504339292909" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -154,7 +154,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -240,7 +240,7 @@ "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualWans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep index 3642b75961..9079c1e718 100644 
--- a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep @@ -62,7 +62,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep index 290a115237..7bccc274c5 100644 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep @@ -60,13 +60,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] type: 'Basic' tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 0db53524cd..d905533985 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md 
@@ -131,7 +131,17 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -221,7 +231,17 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -303,13 +323,6 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { optimize: true } } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' tagA: 'valueA' @@ -392,15 +405,6 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { } } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", 
@@ -475,7 +479,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { | [`location`](#parameter-location) | string | Location where all resources will be created. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`o365Policy`](#parameter-o365policy) | object | The Office365 breakout policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnSiteLinks`](#parameter-vpnsitelinks) | array | List of all VPN site links. | @@ -570,7 +574,7 @@ The Office365 breakout policy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -583,7 +587,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -631,7 +635,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep index cb5c422359..182a3ef359 100644 --- a/modules/network/vpn-site/main.bicep +++ b/modules/network/vpn-site/main.bicep 
@@ -41,7 +41,7 @@ param vpnSiteLinks array = []
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 var builtInRoleNames = {
@@ -97,7 +97,7 @@ resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 resource vpnSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(vpnSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -133,7 +133,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index 0a32dfa9f5..f7300ea789 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12353107767353318428" + "templateHash": "3174704764297333181" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -197,7 +197,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -269,7 +269,7 @@ "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/vpnSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/vpn-site/tests/e2e/max/main.test.bicep b/modules/network/vpn-site/tests/e2e/max/main.test.bicep index 629bdd1bd9..d57e267bbb 100644 --- a/modules/network/vpn-site/tests/e2e/max/main.test.bicep 
+++ b/modules/network/vpn-site/tests/e2e/max/main.test.bicep @@ -106,7 +106,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep index 62ed03a40d..3b996255bc 100644 --- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep @@ -104,12 +104,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' default: true } } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 2ef08134de..a77bb25aa2 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md 
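Review bot: The first entry now grants `Owner` on the VPN site to the test managed identity, where the removed line granted `Reader`; if the three entries exist only to exercise the three accepted notations (display name, bare GUID, full resource ID), any other built-in name present in the module's `builtInRoleNames` map would cover the name path without handing the test identity full control of the resource. All three entries target the same `nestedDependencies.outputs.managedIdentityPrincipalId`, so they presumably have to resolve to three distinct roles or the deployment would collide with an already existing assignment for that principal and scope — that constraint is not obvious from the block and deserves a comment such as `// one entry per accepted notation; the three roles must differ for the same principal`. The `testDeployment` module declaration starts before this hunk.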
@@ -174,7 +174,17 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] storageBlobPrivateEndpoints: [ @@ -325,7 +335,17 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -460,13 +480,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { } ] publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] storageBlobPrivateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -610,15 +623,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "publicNetworkAccess": { "value": "Disabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "storageBlobPrivateEndpoints": { "value": [ { 
@@ -688,7 +692,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`storageBlobPrivateEndpoints`](#parameter-storageblobprivateendpoints) | array | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | | [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
Make sure the service property is set to 'queue'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -918,7 +922,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -931,7 +935,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -979,7 +983,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index 73cd7a3c1e..b93675e30d 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep @@ -30,7 +30,7 @@ param publicNetworkAccess string = 'NotSpecified' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'account\'.') 
@@ -257,7 +257,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [ resource account_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -313,7 +313,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index 169ab57dbd..e18390b358 100644 --- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json 
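Review bot: The assignment `name` on the context line just above the changed line is still `guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, i.e. it hashes the unresolved input, while the new `roleDefinitionId` expression now accepts the same role as a display name, a bare GUID or a full ID. The same principal/role pair therefore gets a different deterministic name depending on the notation the caller used, so switching notation between two deployments would presumably attempt to create a second assignment for the same principal, role and scope instead of updating the existing one. Deriving the name from the resolved value — for example a `var` built with `map()` over `roleAssignments ?? []` that applies the same three-way resolution once, then referenced by index in both `name` and `roleDefinitionId` — would make the name notation-independent and avoid repeating the ternary. The `account_roleAssignments` resource continues past the hunk.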
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11685222895702986348" + "templateHash": "5819351942554123276" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -283,7 +283,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "accountPrivateEndpoints": { 
@@ -425,7 +425,7 @@ "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Purview/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/purview/account/tests/e2e/max/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep index 576acece67..5f09f48e2e 100644 --- a/modules/purview/account/tests/e2e/max/main.test.bicep 
+++ b/modules/purview/account/tests/e2e/max/main.test.bicep @@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index f58261b0a9..50ff6aa700 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -94,13 +94,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] accountPrivateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index ee3cf09b77..8eb9e2c57d 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md 
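Review bot: Replacing `Reader` with `Owner` for the display-name entry gives the test managed identity full control of the Purview account, which is more than a resolution test needs; if the entry has to differ from the roles behind the two GUID/ID entries for the same principal, a lower-privileged name from the module's `builtInRoleNames` map would serve equally. A short comment on the block, `// covers display name, bare GUID and full resource ID resolution`, would tell the next maintainer why three assignments for one principal are intentional. The `testDeployment` module declaration starts before this hunk.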
@@ -574,7 +574,17 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securitySettings: { @@ -924,7 +934,17 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1256,13 +1276,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { locale: 'en-US' sendToOwners: 'Send' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securitySettings: { immutabilitySettings: { state: 'Unlocked' @@ -1605,15 +1618,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "sendToOwners": "Send" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securitySettings": { "value": { "immutabilitySettings": { 
@@ -1663,7 +1667,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`replicationAlertSettings`](#parameter-replicationalertsettings) | object | Replication alert settings. | | [`replicationFabrics`](#parameter-replicationfabrics) | array | List of all replication fabrics. | | [`replicationPolicies`](#parameter-replicationpolicies) | array | List of all replication policies. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | 
@@ -1903,7 +1907,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -2055,7 +2059,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -2125,7 +2129,7 @@ List of all replication policies. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -2138,7 +2142,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2186,7 +2190,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index ec25f0ce5d..276f4850c4 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep 
@@ -38,7 +38,7 @@ param replicationAlertSettings object = {} @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -269,7 +269,7 @@ module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for ( resource rsv_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(rsv.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
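Review bot: The new middle branch decides that the input is already a full ID with `contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')`, which as far as I recall is a case-sensitive substring test when applied to strings, whereas ARM resource IDs are otherwise matched case-insensitively; an ID written as `/providers/microsoft.authorization/roledefinitions/<guid>` would fall through to `subscriptionResourceId(...)`, which would embed the whole ID inside a subscription-scoped path instead of passing it through unchanged. Normalising before the check, `contains(toLower(roleAssignment.roleDefinitionIdOrName), '/providers/microsoft.authorization/roledefinitions/')`, keeps the pass-through branch reachable for either casing. The bare-GUID branch also silently assumes the role is resolvable at subscription scope, which matches the new type description but is not visible at the call site; a one-line comment `// bare GUID: treated as a subscription-scoped role definition ID` would make that explicit. The `rsv_roleAssignments` resource continues past the hunk.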
@@ -316,7 +316,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -393,7 +393,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index ba9780ebf9..c7129f3aef 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7312689804634982287" + "templateHash": "995975405658769372" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -491,7 +491,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { 
@@ -642,7 +642,7 @@ "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -687,10 +687,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "18045555589113818401"
+ "templateHash": "141571686653146888"
 },
 "name": "Recovery Services Vault Replication Fabrics",
- "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.",
+ "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.",
 "owner": "Azure/module-maintainers"
 },
 "parameters": {
@@ -793,10 +793,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "3783488076539662325"
+ "templateHash": "10595314903369272974"
 },
 "name": "Recovery Services Vault Replication Fabric Replication Protection Containers",
- "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
+ "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
 "owner": "Azure/module-maintainers"
 },
 "parameters": {
@@ -903,10 +903,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "14373191902278145406"
+ "templateHash": "13334445778984042102"
 },
 "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
- "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
+ "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
 "owner": "Azure/module-maintainers"
 },
 "parameters": {
@@ -1136,10 +1136,10 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "5176653698082479064"
+ "templateHash": "7511225868129156252"
 },
 "name": "Recovery Services Vault Replication Policies",
- "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
+ "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
 "owner": "Azure/module-maintainers"
 },
 "parameters": {
diff --git a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep
index a95ea0b468..0e78cb6064 100644
--- a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep
@@ -352,7 +352,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
index 67c8e9c39b..005293b717 100644
--- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep
@@ -350,13 +350,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 }
 ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 monitoringSettings: {
 azureMonitorAlertSettings: {
 alertsForAllJobFailures: 'Enabled'
diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md
index 0e0ec1776b..32864ab014 100644
--- a/modules/relay/namespace/README.md
+++ b/modules/relay/namespace/README.md
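Review bot: The name-based entry in the `max` e2e test now grants the test managed identity `Owner` on the vault, which carries the right to manage role assignments on that resource and is broader than the name-lookup branch needs; any built-in role name distinct from the GUID case (`b24988ac-…`, Contributor) and the fully qualified case (`acdd72a7-…`, Reader) in the other two entries would exercise the same path. If `Owner` is kept, a short comment such as `// 'Owner' only to exercise the role-name lookup branch; the GUID and full-ID forms follow` states the intent for the next reader. The enclosing `testDeployment` module body starts and ends outside the hunk.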
@@ -193,7 +193,17 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 skuName: 'Standard'
@@ -340,7 +350,17 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -566,13 +586,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 }
 }
 ]
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 skuName: 'Standard'
 tags: {
 Environment: 'Non-Prod'
@@ -712,15 +725,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 }
 ]
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "skuName": {
 "value": "Standard"
 },
@@ -774,7 +778,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`skuName`](#parameter-skuname) | string | Name of this SKU. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`wcfRelays`](#parameter-wcfrelays) | array | The wcf relays to create in the relay namespace. |
@@ -994,7 +998,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -1146,7 +1150,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A
 
 ### Parameter: `privateEndpoints.roleAssignments`
 
-Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Optional. Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -1174,7 +1178,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -1187,7 +1191,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -1235,7 +1239,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: Yes
 - Type: string
diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md
index b243f4adc7..338d271c3d 100644
--- a/modules/relay/namespace/hybrid-connection/README.md
+++ b/modules/relay/namespace/hybrid-connection/README.md
@@ -41,7 +41,7 @@ This module deploys a Relay Namespace Hybrid Connection.
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 
 ### Parameter: `authorizationRules`
 
@@ -129,7 +129,7 @@ A value indicating if this hybrid connection requires client authorization.
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -142,7 +142,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -190,7 +190,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: Yes
 - Type: string
diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep
index 26c75f7734..fcda242bda 100644
--- a/modules/relay/namespace/hybrid-connection/main.bicep
+++ b/modules/relay/namespace/hybrid-connection/main.bicep
@@ -45,7 +45,7 @@ param authorizationRules array = [
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -112,7 +112,7 @@ resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (
 resource hybridConnection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
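Review bot: The new `roleDefinitionId` fallback in the `hybridConnection_roleAssignments` resource treats every value that is neither a known built-in name nor contains the `/providers/Microsoft.Authorization/roleDefinitions/` segment as a role-definition GUID and resolves it with `subscriptionResourceId`, so a misspelled built-in name now fails at deployment as a malformed or unknown role definition ID at the deployment subscription's scope rather than being passed through unchanged. That is acceptable behaviour, but the three-way resolution order is not obvious from the expression; I would put `// Resolution order: built-in role name -> fully qualified role definition ID (passed through) -> bare GUID, resolved at the deployment subscription scope` above it. Note also that `name: guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input, so the same role supplied once by name and once by GUID yields two differently named assignments for the same principal, role and scope, which I would expect Azure to reject as a duplicate at deployment time. The same applies to the `namespace_roleAssignments` hunk in `modules/relay/namespace/main.bicep` further down.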
@@ -145,7 +145,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json
index 1e8f46af01..b3ba439423 100644
--- a/modules/relay/namespace/hybrid-connection/main.json
+++ b/modules/relay/namespace/hybrid-connection/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "7588969568395991504"
+ "version": "0.23.1.45101",
+ "templateHash": "10713076217261186547"
 },
 "name": "Relay Namespace Hybrid Connections",
 "description": "This module deploys a Relay Namespace Hybrid Connection.",
@@ -46,7 +46,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -172,7 +172,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -253,7 +253,7 @@
 "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -299,8 +299,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "2105813068659609285"
+ "version": "0.23.1.45101",
+ "templateHash": "8614944991526016585"
 },
 "name": "Hybrid Connection Authorization Rules",
 "description": "This module deploys a Hybrid Connection Authorization Rule.",
diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep
index 6f02fe6c2f..3ffa30c756 100644
--- a/modules/relay/namespace/main.bicep
+++ b/modules/relay/namespace/main.bicep
@@ -34,7 +34,7 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
@@ -241,7 +241,7 @@ module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' =
 resource namespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(namespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -277,7 +277,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -354,7 +354,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
 
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json
index d8b196fe7e..1c9ac35781 100644
--- a/modules/relay/namespace/main.json
+++ b/modules/relay/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "2022191670394485396"
+ "templateHash": "5535628605331543748"
 },
 "name": "Relay Namespaces",
 "description": "This module deploys a Relay Namespace",
@@ -46,7 +46,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -251,7 +251,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -443,7 +443,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "privateEndpoints": {
@@ -574,7 +574,7 @@
 "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Relay/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -884,7 +884,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "4576720448388714998"
+ "templateHash": "10713076217261186547"
 },
 "name": "Relay Namespace Hybrid Connections",
 "description": "This module deploys a Relay Namespace Hybrid Connection.",
@@ -924,7 +924,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -1050,7 +1050,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -1131,7 +1131,7 @@
 "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -1345,7 +1345,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7252195436240071963" + "templateHash": "15802304453622016892" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -1385,7 +1385,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1529,7 +1529,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -1612,7 +1612,7 @@
 "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/relay/namespace/tests/e2e/max/main.test.bicep b/modules/relay/namespace/tests/e2e/max/main.test.bicep index 9615d7ad26..ef21d1c6bc 100644 --- a/modules/relay/namespace/tests/e2e/max/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/max/main.test.bicep @@ -80,7 +80,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep index b8527deec2..f4d56ac66e 100644 --- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -78,13 +78,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Environment: 'Non-Prod' Role: 'DeploymentValidation' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] networkRuleSets: { defaultAction: 'Deny' trustedServiceAccessEnabled: true diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index d79d0ecc46..9fd1f1fa89 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md 
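Review bot: The first `roleAssignments` entry in the max test now grants `Owner` to the test managed identity where the previous fixture granted `Reader`; exercising the display-name branch of the resolver does not need the highest built-in role, and any lower-privileged built-in name distinct from the other two entries would cover the same code path with less standing privilege on the test namespace. The three entries presumably use three different roles so that the deterministic `guid(...)` assignment names do not collide — a one-line comment above the array would stop a future maintainer from collapsing them, e.g. `// one entry per accepted form: built-in name, role-definition GUID, full resource ID`. The same fixture change is made in modules/resource-graph/query/tests/e2e/max/main.test.bicep. The enclosing `module testDeployment` declaration starts before and ends after the hunk.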
@@ -42,7 +42,7 @@ This module deploys a Relay Namespace WCF Relay. | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this relay requires client authorization. | | [`requiresTransportSecurity`](#parameter-requirestransportsecurity) | bool | A value indicating if this relay requires transport security. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`userMetadata`](#parameter-usermetadata) | string | User-defined string data for the WCF Relay. | ### Parameter: `authorizationRules` @@ -151,7 +151,7 @@ A value indicating if this relay requires transport security. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -164,7 +164,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -212,7 +212,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep index b550e525f9..f5a030cfa5 100644 --- a/modules/relay/namespace/wcf-relay/main.bicep +++ b/modules/relay/namespace/wcf-relay/main.bicep 
@@ -55,7 +55,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -124,7 +124,7 @@ resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l resource wcfRelay_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(wcfRelay.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
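Review bot: The assignment `name` on the line above the change still hashes the raw `roleAssignment.roleDefinitionIdOrName`, while the new expression accepts the same role as a display name, a bare GUID or a full resource ID; the three spellings of one role therefore produce three different deterministic names for what the platform treats as one assignment (same scope, principal and role), so a redeployment that switches spelling would conflict with the existing assignment rather than be idempotent. Hashing the resolved `roleDefinitionId` instead would fix that, but it also renames assignments created by earlier module versions, so the migration impact needs checking before changing the `guid(...)` input. The new fallback turns any value that is neither a known name nor contains the provider path into a subscription-scoped role-definition ID, which is not obvious from the one-liner; a comment on the new line would help the next reader: `// resolution order: built-in role name -> full role-definition ID (passed through) -> GUID, scoped to the current subscription`. The same expression is added in modules/resource-graph/query/main.bicep and modules/resources/resource-group/main.bicep. The `resource wcfRelay_roleAssignments` declaration continues past the end of the hunk.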
@@ -157,7 +157,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json index b03f789e67..bbe1de970b 100644 --- a/modules/relay/namespace/wcf-relay/main.json +++ b/modules/relay/namespace/wcf-relay/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2747029204512692072" + "version": "0.23.1.45101", + "templateHash": "15802304453622016892" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -190,7 +190,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -273,7 +273,7 @@
 "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -319,8 +319,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9905508445063497603" + "version": "0.23.1.45101", + "templateHash": "5333168181360876794" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index b9d4187d55..6060bb18ea 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -109,7 +109,17 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -158,7 +168,17 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -199,13 +219,6 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { name: 'myCustomLockName' } queryDescription: 'An example query to list first 10 resources in the subscription.' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -247,15 +260,6 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "queryDescription": { "value": "An example query to list first 10 resources in the subscription." }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -288,7 +292,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`queryDescription`](#parameter-querydescription) | string | The description of a graph query. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -353,7 +357,7 @@ The description of a graph query. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -366,7 +370,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -414,7 +418,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep index e4e5472ea4..229c82e68c 100644 --- a/modules/resource-graph/query/main.bicep +++ b/modules/resource-graph/query/main.bicep 
@@ -11,7 +11,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -68,7 +68,7 @@ resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource rgQuery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(rgQuery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -104,7 +104,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index 74b82c908c..f267077d80 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8296730698201438039" + "templateHash": "11112562742135242475" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -128,7 +128,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -218,7 +218,7 @@
 "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.ResourceGraph/queries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/resource-graph/query/tests/e2e/max/main.test.bicep b/modules/resource-graph/query/tests/e2e/max/main.test.bicep
index 25ac98145e..93f3005086 100644
--- a/modules/resource-graph/query/tests/e2e/max/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep index 1209174e7c..893732aaee 100644 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 6e0fab2365..7f77ff124e 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md 
@@ -103,7 +103,17 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -146,7 +156,17 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -185,13 +205,6 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -227,15 +240,6 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -267,7 +271,7 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { | [`location`](#parameter-location) | string | Location of the Resource Group. It uses the deployment's location when not provided. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedBy`](#parameter-managedby) | string | The ID of the resource that manages this resource group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the storage account resource. | ### Parameter: `enableDefaultTelemetry` @@ -326,7 +330,7 @@ The name of the Resource Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -339,7 +343,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -387,7 +391,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep index b4d65b905a..7bb4f4cc20 100644 --- a/modules/resources/resource-group/main.bicep +++ b/modules/resources/resource-group/main.bicep 
@@ -13,7 +13,7 @@ param location string = deployment().location
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the storage account resource.')
@@ -71,7 +71,7 @@ module resourceGroup_lock 'modules/nested_lock.bicep' = if (!empty(lock ?? {}) &
 resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
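Review bot: The new fallback on the `roleDefinitionId` line sends any value that is neither a key of `builtInRoleNames` nor contains '/providers/Microsoft.Authorization/roleDefinitions/' into `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', …)`, so a mistyped display name or a malformed GUID is no longer rejected up front but becomes a subscription-scoped reference to a role definition that does not exist and fails later with a less obvious deployment error; a cheap guard would be to only take that branch when the value looks like a GUID and otherwise fail with a clear message. The three accepted forms are also not normalised before `name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` two lines above the change, so the same role passed as a display name, as its GUID and as its full ID yields three different assignment names for one effective assignment — I would expect the service to reject the second of these as an existing role assignment rather than treat it idempotently, which is worth confirming in the e2e run. A comment on the changed line naming the three forms would help the next reader, e.g. `// display name → built-in GUID lookup; full '/providers/…/roleDefinitions/<guid>' ID → used as-is; anything else is treated as a role definition GUID at subscription scope`. The same expression is added to service-bus/namespace/main.bicep and service-bus/namespace/queue/main.bicep further down; the enclosing `resource resourceGroup_roleAssignments` declaration continues outside the hunk.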
@@ -103,7 +103,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json
index 245ce057e8..eccb25088a 100644
--- a/modules/resources/resource-group/main.json
+++ b/modules/resources/resource-group/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "3578190975032336788"
+ "templateHash": "4157027857802113569"
 },
 "name": "Resource Groups",
 "description": "This module deploys a Resource Group.",
@@ -46,7 +46,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -128,7 +128,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -201,7 +201,7 @@
 "apiVersion": "2022-04-01",
 "name": "[guid(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/resources/resource-group/tests/e2e/max/main.test.bicep b/modules/resources/resource-group/tests/e2e/max/main.test.bicep
index a110f2a5f4..e5d862b927 100644
--- a/modules/resources/resource-group/tests/e2e/max/main.test.bicep
+++ b/modules/resources/resource-group/tests/e2e/max/main.test.bicep
@@ -58,7 +58,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
index 5818c0052f..27d87dc197 100644
--- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep
@@ -56,13 +56,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md
index 09d052abaf..5c16abffb6 100644
--- a/modules/service-bus/namespace/README.md
+++ b/modules/service-bus/namespace/README.md
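Review bot: The max e2e test now grants the test managed identity 'Owner' on the resource group where 'Reader' previously sufficed; Owner also lets that identity manage access on the group, and a least-privileged role exercises the display-name lookup branch just as well without elevating the pipeline identity. The two GUIDs are unlabelled, so a trailing comment on each would save the reader a lookup, e.g. `roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor` and `// Reader` on the `subscriptionResourceId(…, 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` line. All three assignments target the same principal, which is fine for covering the three input forms, as long as the roles stay distinct (see the naming remark on the resource-group main.bicep hunk above). The enclosing `module testDeployment` declaration starts and ends outside the hunk.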
@@ -157,7 +157,17 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 skuName: 'Premium'
@@ -251,7 +261,17 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -1176,7 +1196,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | [`queues`](#parameter-queues) | array | The queues to create in the service bus namespace. |
 | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`skuCapacity`](#parameter-skucapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. |
 | [`skuName`](#parameter-skuname) | string | Name of this SKU. - Basic, Standard, Premium. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
@@ -1509,7 +1529,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -1661,7 +1681,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A
 
 ### Parameter: `privateEndpoints.roleAssignments`
 
-Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Optional. Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -1719,7 +1739,7 @@ Enable infrastructure encryption (double encryption). Note, this setting require
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -1732,7 +1752,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -1780,7 +1800,7 @@ Optional. The principal type of the assigned principal ID.
 
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
 - Required: Yes
 - Type: string
diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep
index 4daedd1379..04d5cc64a3 100644
--- a/modules/service-bus/namespace/main.bicep
+++ b/modules/service-bus/namespace/main.bicep
@@ -72,7 +72,7 @@ param lock lockType
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
@@ -365,7 +365,7 @@ module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main
 resource serviceBusNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(serviceBusNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -412,7 +412,7 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -489,7 +489,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
 
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json
index d24d8680d9..473e54d7b7 100644
--- a/modules/service-bus/namespace/main.json
+++ b/modules/service-bus/namespace/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "11924265008092294292"
+ "templateHash": "15999404248309451971"
 },
 "name": "Service Bus Namespaces",
 "description": "This module deploys a Service Bus Namespace.",
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -274,7 +274,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -567,7 +567,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "publicNetworkAccess": {
@@ -777,7 +777,7 @@
 "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -1379,7 +1379,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "16361123354606932948"
+ "templateHash": "11801990742718728628"
 },
 "name": "Service Bus Namespace Queue",
 "description": "This module deploys a Service Bus Namespace Queue.",
@@ -1419,7 +1419,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -1645,7 +1645,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -1740,7 +1740,7 @@
 "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -1963,7 +1963,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "17834121031858727476"
+ "templateHash": "15417348357364247690"
 },
 "name": "Service Bus Namespace Topic",
 "description": "This module deploys a Service Bus Namespace Topic.",
@@ -2003,7 +2003,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -2194,7 +2194,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -2284,7 +2284,7 @@
 "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md
index a99b09cfd8..852c05c23f 100644
--- a/modules/service-bus/namespace/queue/README.md
+++ b/modules/service-bus/namespace/queue/README.md
@@ -54,7 +54,7 @@ This module deploys a Service Bus Namespace Queue.
 | [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. |
 | [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this queue requires duplicate detection. |
 | [`requiresSession`](#parameter-requiressession) | bool | A value that indicates whether the queue supports the concept of sessions. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
 
 ### Parameter: `authorizationRules`
@@ -231,7 +231,7 @@ A value that indicates whether the queue supports the concept of sessions.
 
 ### Parameter: `roleAssignments`
 
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 
 - Required: No
 - Type: array
@@ -244,7 +244,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
 ### Parameter: `roleAssignments.condition`
 
@@ -292,7 +292,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index a4ab68d0ba..2f111f109e 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep @@ -88,7 +88,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') 
@@ -169,7 +169,7 @@ resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -202,7 +202,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json
index 266d6b0ba3..ec18685913 100644
--- a/modules/service-bus/namespace/queue/main.json
+++ b/modules/service-bus/namespace/queue/main.json
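Review bot: The resource name on the context line above the change, `name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, is still keyed on the raw input while `roleDefinitionId` is now resolved, so the same role expressed as a display name, a bare GUID or a full ID yields three different deterministic names for what is one principal/role/scope assignment; a consumer who switches input form for an existing assignment would hit a conflict on the duplicate (ARM rejects a second assignment for the same triple) and the old one is never removed. Consider resolving the role once, e.g. in a `var` that maps `roleAssignments` to objects carrying the resolved ID, and feeding that into both `name` and `roleDefinitionId`. Separately, any value that is neither a known built-in name nor contains the `/providers/Microsoft.Authorization/roleDefinitions/` segment is now expanded with `subscriptionResourceId`, so a misspelled display name fails at deployment as a plausible-looking subscription-scoped ID; the new `@description` in the second hunk could state that, e.g. `Any other value is treated as the GUID of a role definition resolvable in the deployment subscription.`. The same two points apply to the identical hunks in topic/main.bicep and service-fabric/cluster/main.bicep.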
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7820306070042751113" + "version": "0.23.1.45101", + "templateHash": "11801990742718728628" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -272,7 +272,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -367,7 +367,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -413,8 +413,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "4578845431207793137"
+ "version": "0.23.1.45101",
+ "templateHash": "17590031156732651952"
 },
 "name": "Service Bus Namespace Queue Authorization Rules",
 "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.",
diff --git a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
index 745b38b64b..4bc6f9d364 100644
--- a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
+++ b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep
@@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 skuName: 'Premium'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md
index 0e2bfa7837..69c13d5acf 100644
--- a/modules/service-bus/namespace/topic/README.md
+++ b/modules/service-bus/namespace/topic/README.md
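Review bot: The e2e test now grants `Owner` to the test managed identity where `Reader` sufficed before; the three entries only need to exercise the three branches of the new resolution logic (built-in name, bare GUID, full resource ID), which a low-privilege name such as `Reader` covers just as well, so the test principal does not need Owner on the namespace. The bare GUID and the full-ID entries look like the Contributor and Reader built-in roles respectively, so the display-name entry is the only one that escalates beyond what the previous test granted. The same change is made in the service-fabric cluster `max` e2e test further down. The enclosing `module testDeployment` declaration starts outside the hunk.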
@@ -48,7 +48,7 @@ This module deploys a Service Bus Namespace Topic. | [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. | | [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. | | [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this topic requires duplicate detection. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | | [`supportOrdering`](#parameter-supportordering) | bool | Value that indicates whether the topic supports ordering. | 
@@ -184,7 +184,7 @@ A value indicating if this topic requires duplicate detection. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -197,7 +197,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -245,7 +245,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 7aba25aa34..9ff8bdcb06 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep @@ -73,7 +73,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') 
@@ -149,7 +149,7 @@ resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock
 resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -182,7 +182,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json
index e1787bdfb8..4b0e2d0904 100644
--- a/modules/service-bus/namespace/topic/main.json
+++ b/modules/service-bus/namespace/topic/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14755107204839231715" + "version": "0.23.1.45101", + "templateHash": "15417348357364247690" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -237,7 +237,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -327,7 +327,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -373,8 +373,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3590235297575239025" + "version": "0.23.1.45101", + "templateHash": "1333107238814449885" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index e24432c80e..15c49a3dcc 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -391,7 +391,17 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -609,7 +619,17 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -801,13 +821,6 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { clusterName: 'sfcwaf001' 'hidden-title': 'This is visible in the resource name' 
@@ -1018,15 +1031,6 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "clusterName": "sfcwaf001", @@ -1099,7 +1103,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { | [`notifications`](#parameter-notifications) | array | Indicates a list of notification channels for cluster events. | | [`reverseProxyCertificate`](#parameter-reverseproxycertificate) | object | Describes the certificate details. | | [`reverseProxyCertificateCommonNames`](#parameter-reverseproxycertificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sfZonalUpgradeMode`](#parameter-sfzonalupgrademode) | string | This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`upgradeDescription`](#parameter-upgradedescription) | object | Describes the policy used when upgrading the cluster. | 
@@ -1309,7 +1313,7 @@ Describes a list of server certificates referenced by common name that are used ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1322,7 +1326,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1370,7 +1374,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep index 86f0780b18..b49631e5e7 100644 --- a/modules/service-fabric/cluster/main.bicep +++ b/modules/service-fabric/cluster/main.bicep @@ -128,7 +128,7 @@ param vmssZonalUpgradeMode string = 'Hierarchical' @description('Optional. Boolean to pause automatic runtime version upgrades to the cluster.') param waveUpgradePaused bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Array of Service Fabric cluster application types.') 
@@ -300,7 +300,7 @@ resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' =
 resource serviceFabricCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(serviceFabricCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -350,7 +350,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json
index 5295769ffa..f23067b513 100644
--- a/modules/service-fabric/cluster/main.json
+++ b/modules/service-fabric/cluster/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18205764020383874033" + "templateHash": "5275013787596152510" }, "name": "Service Fabric Clusters", "description": "This module deploys a Service Fabric Cluster.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -358,7 +358,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "applicationTypes": { 
@@ -513,7 +513,7 @@ "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep index ed86853a2b..cb3ffc3d41 100644 
--- a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep
+++ b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep
@@ -212,7 +212,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 vmImage: 'Linux'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep
index e54b21fd94..4cc334c475 100644
--- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep
@@ -210,13 +210,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 vmImage: 'Linux'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 applicationTypes: [
 {
 name: 'WordCount' // not idempotent
diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md
index 88a6f92780..a50cb51919 100644
--- a/modules/signal-r-service/signal-r/README.md
+++ b/modules/signal-r-service/signal-r/README.md
@@ -492,7 +492,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The SKU of the service. | | [`tags`](#parameter-tags) | object | The tags of the resource. | | [`upstreamTemplatesToEnable`](#parameter-upstreamtemplatestoenable) | array | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. | 
@@ -660,7 +660,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -812,7 +812,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -875,7 +875,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -888,7 +888,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -936,7 +936,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index 59510d3f23..651e8d9707 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep 
@@ -95,7 +95,7 @@ param privateEndpoints privateEndpointType
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -211,7 +211,7 @@ resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo
 resource signalR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
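Review bot: The new fallback in the `signalR_roleAssignments` hunk treats any value that is neither a key of `builtInRoleNames` nor a string containing `/providers/Microsoft.Authorization/roleDefinitions/` as a role definition GUID and wraps it in `subscriptionResourceId(...)`, so a mistyped display name such as `'Readr'` is no longer passed through unchanged but becomes `/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/Readr`; the deployment still fails, but the error now reports a malformed definition ID instead of an unknown role, which deserves a comment above the expression, e.g. `// Resolution order: built-in display name -> full resource ID (passed through) -> anything else is treated as a role definition GUID scoped to the current subscription`. The prefix test is a substring match, so management-group-scoped custom role IDs pass through intact, but a bare GUID of such a custom role is presumably scoped to the subscription by the fallback — confirm that form is accepted at the scopes this module is deployed to. The unchanged `name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input, so the same role supplied once by display name and once by GUID yields two assignment names for a single role definition, which presumably surfaces as a conflicting-assignment error at deployment rather than being deduplicated. The same expression is introduced in the web-pub-sub (`@@ -168`) and sql managed-instance (`@@ -253`) hunks below.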
@@ -247,7 +247,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -324,7 +324,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index 11fb90c5b6..050a462238 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2894209744845511778" + "templateHash": "17822146109821250505" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", 
@@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -446,7 +446,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -563,7 +563,7 @@ "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.SignalRService/signalR', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 93c9eff877..db8dd5f45c 100644 --- a/modules/signal-r-service/web-pub-sub/README.md 
+++ b/modules/signal-r-service/web-pub-sub/README.md @@ -591,7 +591,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Pricing tier of the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -723,7 +723,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -875,7 +875,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -938,7 +938,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -951,7 +951,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -999,7 +999,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 141b8dbb59..7590254f7a 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep 
@@ -14,7 +14,7 @@ param privateEndpoints privateEndpointType
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Tags of the resource.')
@@ -168,7 +168,7 @@ resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(
 resource webPubSub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(webPubSub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -227,7 +227,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -304,7 +304,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index 1eb5855175..b3cfca3ae4 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10050729733452360096" + "templateHash": "9704119963251935464" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -332,7 +332,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -522,7 +522,7 @@ "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 68e213b0e0..1a70895914 100644 --- a/modules/sql/managed-instance/README.md 
+++ b/modules/sql/managed-instance/README.md @@ -187,7 +187,17 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securityAlertPoliciesObj: { @@ -340,7 +350,17 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -588,13 +608,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { primaryUserAssignedIdentityId: '' proxyOverride: 'Proxy' publicDataEndpointEnabled: false - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securityAlertPoliciesObj: { emailAccountAdmins: true name: 'default' @@ -740,15 +753,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "publicDataEndpointEnabled": { "value": false }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securityAlertPoliciesObj": { "value": { "emailAccountAdmins": true, 
@@ -840,7 +844,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { | [`publicDataEndpointEnabled`](#parameter-publicdataendpointenabled) | bool | Whether or not the public data endpoint is enabled. | | [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type used to store backups for this database. | | [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityAlertPoliciesObj`](#parameter-securityalertpoliciesobj) | object | The security alert policy configuration. | | [`servicePrincipal`](#parameter-serviceprincipal) | string | Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. | | [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. | 
@@ -1207,7 +1211,7 @@ Specifies the point in time (ISO8601 format) of the source database that will be ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1220,7 +1224,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -1268,7 +1272,7 @@ Optional. The principal type of the assigned principal ID.
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep
index 71e9246b15..955174b9e9 100644
--- a/modules/sql/managed-instance/main.bicep
+++ b/modules/sql/managed-instance/main.bicep
@@ -92,7 +92,7 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
@@ -253,7 +253,7 @@ resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettin
 resource managedInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -390,7 +390,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json
index 89f34c4545..01d4fc7e31 100644
--- a/modules/sql/managed-instance/main.json
+++ b/modules/sql/managed-instance/main.json
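Review bot: The new `roleDefinitionId` fallback treats every value that is neither a known built-in name nor a string containing `/providers/Microsoft.Authorization/roleDefinitions/` as a role definition GUID in the deploying subscription, so a misspelled display name or the name of a custom role is silently rewritten into a subscription-scoped resource ID that only fails at deployment time with an opaque error, and a custom role defined at management-group scope cannot be addressed by bare GUID at all. The `@description` updated in this file's second hunk (and its twin in `modules/sql/server/main.bicep`) should say so, e.g. `A bare GUID is resolved against the deploying subscription; custom roles defined at management-group scope must be passed as their full resource ID.` The context line `name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` above still hashes the raw input, so the same role given as display name, GUID or full ID yields three different assignment names for one (scope, principal, roleDefinitionId) tuple — which Azure RBAC would reject as an already-existing assignment — and a caller switching input forms stops being idempotent; hashing the resolved ID (for instance via a variable that maps the array to resolved IDs once) would avoid that. Both points apply equally to `server_roleAssignments` in `modules/sql/server/main.bicep` and are baked into both compiled `main.json` files. The resource body and the `builtInRoleNames` lookup continue outside the hunk.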
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "7480252808079342861"
+ "templateHash": "3344803418636007926"
 },
 "name": "SQL Managed Instances",
 "description": "This module deploys a SQL Managed Instance.",
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -417,7 +417,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -634,7 +634,7 @@
 "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Sql/managedInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
index 6fd22ed422..62ecd613a7 100644
--- a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep
@@ -141,7 +141,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 publicDataEndpointEnabled: false
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
index 1627c8cc0c..9f69895001 100644
--- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep
@@ -139,13 +139,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId
 proxyOverride: 'Proxy'
 publicDataEndpointEnabled: false
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 securityAlertPoliciesObj: {
 emailAccountAdmins: true
 name: 'default'
diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md
index cb747eaee9..c9aff2d0db 100644
--- a/modules/sql/server/README.md
+++ b/modules/sql/server/README.md
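Review bot: The first entry now grants `Owner` to the shared test identity, which is broader than the scenario needs: the three entries exist to exercise the three accepted input forms (display name, bare GUID, full resource ID), and any three distinct built-in roles do that, so keeping `roleDefinitionIdOrName: 'Reader'` by name next to the GUID and full-ID entries (which appear to be the Contributor and Reader built-ins) avoids giving a test principal a role that can itself create role assignments. Separately, the README regenerated from this test renders the `subscriptionResourceId(...)` entry as `roleDefinitionIdOrName: ''`, so the published example shows an empty string where the full-ID form was intended, and a reader copying it would land in the `subscriptionResourceId` fallback with an empty name. The same applies to `modules/sql/server/tests/e2e/max/main.test.bicep`. The enclosing `testDeployment` module declaration starts and ends outside the hunk.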
@@ -214,7 +214,17 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 securityAlertPolicies: [
@@ -380,7 +390,17 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -837,13 +857,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 }
 ]
 restrictOutboundNetworkAccess: 'Disabled'
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 securityAlertPolicies: [
 {
 emailAccountAdmins: true
@@ -1002,15 +1015,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 "restrictOutboundNetworkAccess": {
 "value": "Disabled"
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "securityAlertPolicies": {
 "value": [
 {
@@ -1090,7 +1094,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
 | [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. |
@@ -1267,7 +1271,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -1419,7 +1423,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A
 ### Parameter: `privateEndpoints.roleAssignments`
-Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Optional. Array of role assignments to create.
 - Required: No
 - Type: array
@@ -1477,7 +1481,7 @@ Whether or not to restrict outbound network access for this server.
 ### Parameter: `roleAssignments`
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
@@ -1490,7 +1494,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 ### Parameter: `roleAssignments.condition`
@@ -1538,7 +1542,7 @@ Optional. The principal type of the assigned principal ID.
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep
index 10704ba9fa..c3654e9520 100644
--- a/modules/sql/server/main.bicep
+++ b/modules/sql/server/main.bicep
@@ -24,7 +24,7 @@ param primaryUserAssignedIdentityId string = ''
 @description('Optional. The lock settings of the service.')
 param lock lockType
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Tags of the resource.')
@@ -159,7 +159,7 @@ resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(loc
 resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -373,7 +373,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -450,7 +450,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json
index 87256e1cb5..362e1a67bd 100644
--- a/modules/sql/server/main.json
+++ b/modules/sql/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "17532070601905880257"
+ "templateHash": "13872952382016158092"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -274,7 +274,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -353,7 +353,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -552,7 +552,7 @@
 "scope": "[format('Microsoft.Sql/servers/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Sql/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/sql/server/tests/e2e/max/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep
index 4de18a90ed..a71f7575a2 100644
--- a/modules/sql/server/tests/e2e/max/main.test.bicep
+++ b/modules/sql/server/tests/e2e/max/main.test.bicep
@@ -84,7 +84,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 location: location
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
index 298ab514b7..c72c12cfee 100644
--- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep
@@ -82,13 +82,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 administratorLogin: 'adminUserName'
 administratorLoginPassword: password
 location: location
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 vulnerabilityAssessmentsObj: {
 name: 'default'
 emailSubscriptionAdmins: true
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index 0356684d3c..d6d27552a8 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -300,7 +300,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 }
@@ -374,7 +384,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 shareQuota: 5120
@@ -503,7 +523,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 }
@@ -518,7 +548,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 sasExpirationPeriod: '180.00:00:00'
@@ -587,7 +627,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -673,7 +723,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ],
 "shareQuota": 5120
@@ -818,7 +878,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -837,7 +907,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -935,7 +1015,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 principalId: ''
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: ''
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: ''
 }
 ]
 skuName: 'Premium_LRS'
@@ -1020,7 +1110,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 {
 "principalId": "",
 "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": ""
 }
 ]
 },
@@ -1354,13 +1454,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 ]
 }
 requireInfrastructureEncryption: true
- roleAssignments: [
- {
- principalId: ''
- principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Reader'
- }
- ]
 sasExpirationPeriod: '180.00:00:00'
 skuName: 'Standard_LRS'
 tableServices: {
@@ -1672,15 +1765,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 "requireInfrastructureEncryption": {
 "value": true
 },
- "roleAssignments": {
- "value": [
- {
- "principalId": "",
- "principalType": "ServicePrincipal",
- "roleDefinitionIdOrName": "Reader"
- }
- ]
- },
 "sasExpirationPeriod": {
 "value": "180.00:00:00"
 },
@@ -1773,7 +1857,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. |
 | [`queueServices`](#parameter-queueservices) | object | Queue service and queues to create. |
 | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`sasExpirationPeriod`](#parameter-sasexpirationperiod) | string | The SAS expiration period. DD.HH:MM:SS. |
 | [`skuName`](#parameter-skuname) | string | Storage Account Sku Name. |
 | [`supportsHttpsTrafficOnly`](#parameter-supportshttpstrafficonly) | bool | Allows HTTPS traffic only to storage service if sets to true. |
@@ -2205,7 +2289,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
 | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
 | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
@@ -2357,7 +2441,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A
 ### Parameter: `privateEndpoints.roleAssignments`
-Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Optional. Array of role assignments to create.
 - Required: No
 - Type: array
@@ -2414,7 +2498,7 @@ A Boolean indicating whether or not the service applies a secondary layer of enc
 ### Parameter: `roleAssignments`
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
@@ -2427,7 +2511,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 ### Parameter: `roleAssignments.condition`
@@ -2475,7 +2559,7 @@ Optional. The principal type of the assigned principal ID.
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md
index edaa79f02b..8090c24588 100644
--- a/modules/storage/storage-account/blob-service/container/README.md
+++ b/modules/storage/storage-account/blob-service/container/README.md
@@ -45,7 +45,7 @@ This module deploys a Storage Account Blob Container.
 | [`immutableStorageWithVersioningEnabled`](#parameter-immutablestoragewithversioningenabled) | bool | This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. |
 | [`metadata`](#parameter-metadata) | object | A name-value pair to associate with the container as metadata. |
 | [`publicAccess`](#parameter-publicaccess) | string | Specifies whether data in the container may be accessed publicly and the level of access. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 ### Parameter: `defaultEncryptionScope`
@@ -133,7 +133,7 @@ Specifies whether data in the container may be accessed publicly and the level o
 ### Parameter: `roleAssignments`
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
@@ -146,7 +146,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 ### Parameter: `roleAssignments.condition`
@@ -194,7 +194,7 @@ Optional. The principal type of the assigned principal ID.
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
diff --git a/modules/storage/storage-account/blob-service/container/main.bicep b/modules/storage/storage-account/blob-service/container/main.bicep
index 7326ed40c4..2515388344 100644
--- a/modules/storage/storage-account/blob-service/container/main.bicep
+++ b/modules/storage/storage-account/blob-service/container/main.bicep
@@ -41,7 +41,7 @@ param metadata object = {}
 @description('Optional. Specifies whether data in the container may be accessed publicly and the level of access.')
 param publicAccess string = 'None'
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -125,7 +125,7 @@ module immutabilityPolicy 'immutability-policy/main.bicep' = if (!empty(immutabi
 resource container_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(container.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
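Review bot: The new fallback in `container_roleAssignments` sends every value that is neither a key of `builtInRoleNames` nor contains `/providers/Microsoft.Authorization/roleDefinitions/` through `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', …)`, so a mistyped display name such as 'Readr' is no longer passed through as-is but silently turned into a well-formed ID of a role definition that does not exist, and the failure only surfaces when the assignment is deployed. The `contains(...)` test on the new side is a substring match, not a format check, so a value that merely embeds that path anywhere is also passed through verbatim; if the intent is "fully qualified ID", a prefix-style check or a comment stating that any string containing the path is treated as a resource ID would make the contract explicit. Separately, the unchanged `name: guid(container.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` still hashes the raw input, so the same role given once as a display name and once as its GUID (both now accepted) yields two different assignment names for the same principal, and the second deployment is likely to conflict with the first assignment rather than be idempotent; deriving the name from the resolved role definition ID would avoid that. The same pattern is repeated in the `fileShare_roleAssignments` hunk of file-service/share/main.bicep and the `storageAccount_roleAssignments` hunk of storage-account/main.bicep.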
@@ -149,7 +149,7 @@ output resourceGroupName string = resourceGroup().name
 // =============== //
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json
index c3e17f7ae9..6965e07fc0 100644
--- a/modules/storage/storage-account/blob-service/container/main.json
+++ b/modules/storage/storage-account/blob-service/container/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "11413707823135400961"
+ "templateHash": "679743391871280708"
 },
 "name": "Storage Account Blob Containers",
 "description": "This module deploys a Storage Account Blob Container.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
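Review bot: The new `@description` on `roleDefinitionIdOrName` in `roleAssignmentType` says a bare "role definition GUID" is accepted but does not say at which scope it is resolved; the implementation resolves it with `subscriptionResourceId`, i.e. against the subscription the deployment runs in. Callers assigning a custom role defined at a different scope may expect the GUID form to work and only find out at deployment time; whether such a GUID resolves through a subscription-scoped ID is not shown here, so the safe guidance is to require the fully qualified ID for those. Suggested addition to the description: `A bare GUID is resolved as a role definition of the deployment subscription; for custom roles defined at another scope, pass the fully qualified ID.` The same description text is introduced in the `roleAssignmentType` hunks of file-service/share/main.bicep and storage-account/main.bicep and should be kept in sync there.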
@@ -165,7 +165,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -260,7 +260,7 @@
 "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md
index 7ca6ac07bd..5be390f912 100644
--- a/modules/storage/storage-account/file-service/share/README.md
+++ b/modules/storage/storage-account/file-service/share/README.md
@@ -38,7 +38,7 @@ This module deploys a Storage Account File Share.
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`enabledProtocols`](#parameter-enabledprotocols) | string | The authentication protocol that is used for the file share. Can only be specified when creating a share. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`rootSquash`](#parameter-rootsquash) | string | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. |
 | [`shareQuota`](#parameter-sharequota) | int | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). |
@@ -94,7 +94,7 @@ The name of the file share to create.
 ### Parameter: `roleAssignments`
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+Array of role assignments to create.
 - Required: No
 - Type: array
@@ -107,7 +107,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and '
 | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
 | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
 | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 ### Parameter: `roleAssignments.condition`
@@ -155,7 +155,7 @@ Optional. The principal type of the assigned principal ID.
 ### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 - Required: Yes
 - Type: string
diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep
index 656058fb92..554464fc4a 100644
--- a/modules/storage/storage-account/file-service/share/main.bicep
+++ b/modules/storage/storage-account/file-service/share/main.bicep
@@ -39,7 +39,7 @@ param enabledProtocols string = 'SMB'
 @description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.')
 param rootSquash string = 'NoRootSquash'
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -104,7 +104,7 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-0
 resource fileShare_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -128,7 +128,7 @@ output resourceGroupName string = resourceGroup().name
 // =============== //
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json
index a3fcfe5179..09244c51ff 100644
--- a/modules/storage/storage-account/file-service/share/main.json
+++ b/modules/storage/storage-account/file-service/share/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "15538733704323873805"
+ "templateHash": "9132955781190739589"
 },
 "name": "Storage Account File Shares",
 "description": "This module deploys a Storage Account File Share.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -147,7 +147,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "enableDefaultTelemetry": {
@@ -238,7 +238,7 @@
 "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep
index 2c8f1cdacb..81f8427eda 100644
--- a/modules/storage/storage-account/main.bicep
+++ b/modules/storage/storage-account/main.bicep
@@ -9,7 +9,7 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. The managed identity definition for this resource.')
@@ -330,7 +330,7 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 resource storageAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(storageAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -497,7 +497,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -574,7 +574,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json
index 1eb678c07d..489d9444ee 100644
--- a/modules/storage/storage-account/main.json
+++ b/modules/storage/storage-account/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "7782694235197058482"
+ "templateHash": "3619035184821404610"
 },
 "name": "Storage Accounts",
 "description": "This module deploys a Storage Account.",
@@ -69,7 +69,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -273,7 +273,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "tags": {
@@ -432,7 +432,7 @@
 "roleAssignments": {
 "$ref": "#/definitions/roleAssignmentType",
 "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Optional. Array of role assignments to create."
 }
 },
 "managedIdentities": {
@@ -907,7 +907,7 @@
 "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]",
 "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
 "properties": {
- "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]",
+ "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]",
 "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]",
 "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]",
 "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]",
@@ -1869,7 +1869,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18255279964987657305" + "templateHash": "7804367921688111066" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -2246,7 +2246,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11413707823135400961" + "templateHash": "679743391871280708" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -2261,7 +2261,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -2405,7 +2405,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -2500,7 +2500,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -2740,7 +2740,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6280006322501716234" + "templateHash": "14917534017717518918" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -3006,7 +3006,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15538733704323873805" + "templateHash": "9132955781190739589" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -3021,7 +3021,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -3147,7 +3147,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -3238,7 +3238,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -3341,7 +3341,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1159938655127712786" + "templateHash": "13348116021204111185" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", @@ -3575,7 +3575,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6271299191275064402" + "templateHash": "1310506738440238472" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -3590,7 +3590,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -3673,7 +3673,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -3761,7 +3761,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 80f73fb29e..5932d7872e 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md @@ -36,7 +36,7 @@ This module deploys a Storage Account Queue. | Parameter | Type | Description | | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | ### Parameter: `enableDefaultTelemetry` @@ -60,7 +60,7 @@ The name of the storage queue to deploy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -73,7 +73,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -121,7 +121,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/storage/storage-account/queue-service/queue/main.bicep b/modules/storage/storage-account/queue-service/queue/main.bicep index bb2ee92dcd..8394d222c7 100644 --- a/modules/storage/storage-account/queue-service/queue/main.bicep +++ b/modules/storage/storage-account/queue-service/queue/main.bicep 
@@ -12,7 +12,7 @@ param name string
 @description('Required. A name-value pair that represents queue metadata.')
 param metadata object = {}
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
@@ -74,7 +74,7 @@ resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2021-09-0
 resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
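Review bot: The new `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)` branch is the catch-all, so any value that is neither a key of `builtInRoleNames` nor contains the substring `/providers/Microsoft.Authorization/roleDefinitions/` — including a misspelt built-in role name — is silently turned into a subscription-scoped role definition ID and only fails at deployment time; a comment above the `roleDefinitionId:` line should state that order, e.g. `// Resolve in order: built-in role display name -> fully qualified role definition ID (passed through unchanged; contains() is a substring test) -> anything else is assumed to be a role definition GUID in this subscription and fails at deployment if it is not`. Separately, `name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` hashes the raw input, so the same role given as display name, GUID and full ID yields three assignment names for one effective (scope, principal, role) triple, which presumably collides at deployment — worth stating in the parameter description that each role should be referenced in one form per principal. The resource block closes outside the hunk. The same change and the same comment apply to the identical hunk in modules/synapse/private-link-hub/main.bicep.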
@@ -98,7 +98,7 @@ output resourceGroupName string = resourceGroup().name
 // =============== //
 
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json
index 46144b8293..374952345c 100644
--- a/modules/storage/storage-account/queue-service/queue/main.json
+++ b/modules/storage/storage-account/queue-service/queue/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "6271299191275064402"
+ "templateHash": "1310506738440238472"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
@@ -21,7 +21,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead."
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
@@ -104,7 +104,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -192,7 +192,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/storage/storage-account/tests/e2e/max/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep
index db2803d5f3..8f1a304088 100644
--- a/modules/storage/storage-account/tests/e2e/max/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/max/main.test.bicep
@@ -150,7 +150,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 publicAccess: 'None'
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
@@ -195,7 +205,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 shareQuota: 5120
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
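Review bot: The three `roleAssignments` entries added per resource carry no comment saying why there are three, so a reader cannot tell that they exercise the three accepted forms of `roleDefinitionIdOrName` (built-in display name, bare role definition GUID, fully qualified ID) rather than being grants the scenario needs; a comment such as `// Cover all accepted forms of roleDefinitionIdOrName: display name, role definition GUID, fully qualified resource ID` above each `roleAssignments: [` would document the intent, and the two GUID literals (which appear to be the Contributor and Reader built-in roles — confirm) deserve a trailing comment naming the role. The display-name entry was also raised from 'Reader' to 'Owner' without explanation; if it only has to be a `builtInRoleNames` key distinct from the other two entries, a lower-privileged built-in role, or a comment saying why Owner is required, would keep the test identity closer to least privilege. The same applies to the second hunk of this file, to the two further hunks of this file below, and to the hunk in modules/storage/storage-account/tests/e2e/nfs/main.test.bicep.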
@@ -251,7 +271,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
@@ -272,7 +302,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
index 4c3fb2ad5a..59e23e6707 100644
--- a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep
@@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
index cd06ed1f80..1ceb919f76 100644
--- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep
@@ -270,13 +270,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 diagnosticSettings: [
 {
 name: 'customSetting'
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index c023d34f2e..7b95540281 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -349,7 +349,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { | [`location`](#parameter-location) | string | The geo-location where the resource lives. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` 
@@ -419,7 +419,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -571,7 +571,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -599,7 +599,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -612,7 +612,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -660,7 +660,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep index 63beeebac2..bd100e3ab1 100644 --- a/modules/synapse/private-link-hub/main.bicep +++ b/modules/synapse/private-link-hub/main.bicep 
@@ -17,7 +17,7 @@ param lock lockType
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
@@ -65,7 +65,7 @@ resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 resource privateLinkHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(privateLinkHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -203,7 +203,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json index 08bd584f4e..789ade5675 100644 --- a/modules/synapse/private-link-hub/main.json +++ b/modules/synapse/private-link-hub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13641263936979099332" + "templateHash": "8159099394121602956" }, "name": "Azure Synapse Analytics", "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", 
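Review bot: The new `@description` on `roleDefinitionIdOrName` promises that "the display name of the role definition" is accepted, but the resolution expression in this module only maps names present in its `builtInRoleNames` variable; a custom role's display name is not looked up and would instead be wrapped in `subscriptionResourceId(...)`, yielding an ID that does not exist and a deployment-time failure with a confusing message. Suggest narrowing the wording to what the code does, e.g. `'Required. The role to assign. You can provide either the display name of a built-in role supported by this module (see the builtInRoleNames variable), the role definition GUID, or its fully qualified ID in the following format: ...'`. The same description text recurs in the workspace and image-template main.bicep files and in the generated README tables, so the wording should be changed at the source and regenerated.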
@@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -250,7 +250,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -316,7 +316,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { 
@@ -382,7 +382,7 @@ "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index cc322cb201..0573d4ba92 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md 
@@ -404,7 +404,17 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -501,7 +511,17 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] } @@ -576,13 +596,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] } } ``` @@ -671,15 +684,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } } ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] } } } 
@@ -723,7 +727,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Enable or Disable public network access to workspace. | | [`purviewResourceID`](#parameter-purviewresourceid) | string | Purview Resource ID. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | 
@@ -1032,7 +1036,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1184,7 +1188,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1233,7 +1237,7 @@ Purview Resource ID. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1246,7 +1250,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1294,7 +1298,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 8f3a6081b1..5071d3792b 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -82,7 +82,7 @@ param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') @@ -244,7 +244,7 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -336,7 +336,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -413,7 +413,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index 921607a393..992c7ee7a8 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15054643166708760026" + "templateHash": "11432454877578684886" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", 
@@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -265,7 +265,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -585,7 +585,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { 
@@ -719,7 +719,7 @@ "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Synapse/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep index 7161f6dfc7..b94327be00 100644 --- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep 
+++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep
@@ -79,7 +79,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 }
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
index abf7d8b7c8..ddc6aaef1c 100644
--- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -77,13 +77,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 nestedDependencies.outputs.managedIdentityResourceId
 ]
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 privateEndpoints: [
 {
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md
index d58507d074..94be45115b 100644
--- a/modules/virtual-machine-images/image-template/README.md
+++ b/modules/virtual-machine-images/image-template/README.md
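Review bot: The max test now grants the built-in `Owner` role to the test managed identity, which is the most privileged built-in role and lets that identity manage RBAC on the workspace itself; exercising the name-to-ID branch of the new resolution logic only needs a name present in `builtInRoleNames`, so the less privileged `Reader` it replaces (or any other low-privilege built-in name) would cover the same path without widening what a test identity can do. If the three entries are deliberately one per branch of the new `roleDefinitionId` expression, a one-line comment on each (`// built-in role name`, `// bare role definition GUID`, `// fully qualified role definition ID`) would make that intent explicit for whoever next trims the test. Separately, the generated README for this module appears to render the `subscriptionResourceId(...)` entry as `roleDefinitionIdOrName: ''`, so the published example no longer shows the third form at all; worth checking how the readme generator handles expression values. The image-template max test makes the identical change.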
@@ -164,7 +164,17 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sigImageDefinitionId: '' @@ -249,7 +259,17 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -332,13 +352,6 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 } managedImageName: 'mi-vmiitwaf-001' osDiskSizeGB: 127 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sigImageDefinitionId: '' sigImageVersion: '' stagingResourceGroup: '' @@ -416,15 +429,6 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 "osDiskSizeGB": { "value": 127 }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sigImageDefinitionId": { "value": "" }, 
@@ -489,7 +493,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedImageName`](#parameter-managedimagename) | string | Name of the managed image that will be created in the AIB resourcegroup. | | [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sigImageDefinitionId`](#parameter-sigimagedefinitionid) | string | Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. | | [`sigImageVersion`](#parameter-sigimageversion) | string | Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). | | [`stagingResourceGroup`](#parameter-stagingresourcegroup) | string | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. | @@ -610,7 +614,7 @@ Specifies the size of OS disk. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -623,7 +627,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` 
@@ -671,7 +675,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep index fe3615ab8a..bf152429d2 100644 --- a/modules/virtual-machine-images/image-template/main.bicep +++ b/modules/virtual-machine-images/image-template/main.bicep @@ -77,7 +77,7 @@ param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var managedImageNameVar = '${managedImageName}-${baseTime}' 
@@ -197,7 +197,7 @@ resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em resource imageTemplate_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(imageTemplate.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -239,7 +239,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json index db5fe986d1..735a4da338 100644 --- a/modules/virtual-machine-images/image-template/main.json +++ b/modules/virtual-machine-images/image-template/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11391151747567689793" + "version": "0.23.1.45101", + "templateHash": "10277577540639461484" }, "name": "Virtual Machine Image Templates", "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -271,7 +271,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, 
@@ -407,7 +407,7 @@ "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", "name": "[guid(resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime'))), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep
index 254fadcce6..cc579a73df 100644
--- a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep
+++ b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep
@@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = {
     osDiskSizeGB: 127
     roleAssignments: [
       {
-        roleDefinitionIdOrName: 'Reader'
+        roleDefinitionIdOrName: 'Owner'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
         principalId: nestedDependencies.outputs.managedIdentityPrincipalId
         principalType: 'ServicePrincipal'
       }
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
index 7e2e523fee..4c43082a0b 100644
--- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep
@@ -92,13 +92,6 @@ module testDeployment '../../../main.bicep' = {
     }
     managedImageName: '${namePrefix}-mi-${serviceShort}-001'
     osDiskSizeGB: 127
-    roleAssignments: [
-      {
-        roleDefinitionIdOrName: 'Reader'
-        principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-        principalType: 'ServicePrincipal'
-      }
-    ]
     sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId
     sigImageVersion: sigImageVersion
     subnetId: nestedDependencies.outputs.subnetId
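Review bot: The first entry in the max test now grants `Owner` to the test managed identity, the broadest built-in role and one that includes the right to create further role assignments on the image template, when exercising the display-name lookup path needs nothing more than `roleDefinitionIdOrName: 'Reader'` or another read-only built-in name. The README hunks elsewhere in this patch repeat these test values verbatim, so `Owner` would become the first example consumers copy. The third entry builds its value with `subscriptionResourceId(...)`, so the fully-qualified-ID branch is only tested in its subscription-scoped form; a literal `'/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'` would exercise the same branch in the shape the new description advertises. The `testDeployment` module declaration begins and ends outside the hunk.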
diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 682936b91b..e05f020df9 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -58,7 +58,17 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -109,7 +119,17 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -152,13 +172,6 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -202,15 +215,6 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -246,7 +250,7 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`nonSecretParameterValues`](#parameter-nonsecretparametervalues) | object | Dictionary of nonsecret parameter values. | | [`parameterValues`](#parameter-parametervalues) | secureObject | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`statuses`](#parameter-statuses) | array | Status of the connection. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`testLinks`](#parameter-testlinks) | array | Links to test the API connection. | @@ -334,7 +338,7 @@ Connection strings or access keys for connection. Example: 'accountName' and 'ac ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -347,7 +351,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -395,7 +399,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep index 96bb44f427..833405ad8a 100644 --- a/modules/web/connection/main.bicep +++ b/modules/web/connection/main.bicep 
@@ -28,7 +28,7 @@ param nonSecretParameterValues object = {}
 @secure()
 param parameterValues object = {}
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Status of the connection.')
@@ -90,7 +90,7 @@ resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty
 resource connection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(connection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
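Review bot: The assignment's `name` on the context line above the change is still seeded with the raw `roleDefinitionIdOrName`, while the new `roleDefinitionId` expression accepts three spellings of one role; `'Reader'`, its GUID and its fully qualified ID all resolve to the same definition but yield three different `guid(...)` names, so a consumer who switches spelling between deployments will presumably trigger a second assignment for the same principal, role and scope, which Azure rejects as a duplicate rather than treating as an update. Seeding the name with the resolved ID instead, for example by computing the resolved IDs in a module-level `var` loop and using `guid(connection.id, roleAssignment.principalId, resolvedRoleDefinitionIds[index])` (the loop already binds `index`), would make the three spellings idempotent, though changing the seed renames assignments for consumers who have already deployed and should be called out as breaking. At minimum the `roleDefinitionIdOrName` description should warn that the spelling is part of the assignment's identity. The `builtInRoleNames` variable and the rest of the `connection_roleAssignments` resource are outside the hunk.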
@@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json index 679bd8421b..99018cbb1c 100644 --- a/modules/web/connection/main.json +++ b/modules/web/connection/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6835685979701514548" + "templateHash": "12952997110880403069" }, "name": "API Connections", "description": "This module deploys an Azure API Connection.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -163,7 +163,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "statuses": { 
@@ -258,7 +258,7 @@ "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/connections', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/connection/tests/e2e/max/main.test.bicep b/modules/web/connection/tests/e2e/max/main.test.bicep index d57a2503f7..6a482325ae 100644 --- a/modules/web/connection/tests/e2e/max/main.test.bicep 
+++ b/modules/web/connection/tests/e2e/max/main.test.bicep @@ -64,7 +64,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep index a8d11dca02..9718e758f7 100644 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -62,13 +62,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 734fd524e6..1f8855f1a6 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md 
@@ -79,7 +79,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -164,7 +174,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -235,7 +255,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -336,7 +366,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -396,7 +436,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. | | [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | | [`upgradePreference`](#parameter-upgradepreference) | string | Specify preference for when and how the planned maintenance is applied. | | [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | @@ -717,7 +757,7 @@ Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set t ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -730,7 +770,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -778,7 +818,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index 9088e0474d..6119f42ebe 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep 
@@ -12,7 +12,7 @@ param location string = resourceGroup().location
 @description('Optional. The lock settings of the service.')
 param lock lockType
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
 @description('Optional. Resource tags.')
@@ -225,7 +225,7 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic
 resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
   name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
   properties: {
-    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+    roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
     principalId: roleAssignment.principalId
     description: roleAssignment.?description
     principalType: roleAssignment.?principalType
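Review bot: The new `roleDefinitionId` value in the second hunk is a two-level ternary chain with no grouping, so a reader auditing this authorization expression has to know that Bicep's `?:` nests to the right to see that the second `contains(...)` only runs once the built-in-name lookup has failed; the compiled `if(..., ..., if(...))` in the accompanying main.json hunk confirms that nesting, but nothing in the Bicep says it. A short comment above the line would make the three cases reviewable at a glance, e.g. `// display name -> builtInRoleNames; fully qualified ID -> used as given; bare GUID -> resolved in the deploying subscription`, and parenthesizing the inner ternary would state the precedence explicitly without changing the result. The first hunk also trims the parameter-level description to "Array of role assignments to create.", which is fine only because the `roleAssignmentType` description carries the format guidance now. The `appServiceEnvironment_roleAssignments` resource continues past the end of the hunk.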
@@ -269,7 +269,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index b53284c51d..c74528106b 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10962869599499139784" + "templateHash": "13887067591224249437" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -240,7 +240,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -534,7 +534,7 @@ "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/hostingEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep index 455dba1779..36c5157724 100644 
--- a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep @@ -73,7 +73,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep index ac50975bc3..93269c7e3b 100644 --- a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep @@ -75,7 +75,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } 
diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 9e93d77498..79c2341050 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -76,7 +76,17 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -144,7 +154,17 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -204,13 +224,6 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -271,15 +284,6 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -321,7 +325,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | | [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`targetWorkerCount`](#parameter-targetworkercount) | int | Scaling worker count. | | [`targetWorkerSize`](#parameter-targetworkersize) | int | The instance size of the hosting plan (small, medium, or large). | @@ -492,7 +496,7 @@ Defaults to false when creating Windows/app App Service Plan. Required if creati ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -505,7 +509,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -553,7 +557,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index d5bc0cd954..81f5bb336a 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep 
@@ -45,7 +45,7 @@ param targetWorkerSize int = 0 @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -136,7 +136,7 @@ resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource appServicePlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appServicePlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
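Review bot: The new resolver on the roleDefinitionId line normalizes a display name, a bare GUID or a full resource ID to one roleDefinitionId, but the `name:` line two lines above still hashes the raw roleDefinitionIdOrName string, so the same effective assignment (same scope, principal and role) gets a different deployment name depending on which form the caller used; a later deployment that switches forms would, as far as I can tell, try to create a second assignment for an identical (scope, principal, role) triple and fail with a conflict instead of being idempotent. Consider deriving the guid() input from the resolved ID as well — either by repeating the ternary in the `name:` line or by hoisting the resolution into a var array indexed alongside the loop. A second consequence of the fallback branch is that an unrecognized display name (a typo, or a role missing from builtInRoleNames) is no longer passed through verbatim but wrapped in subscriptionResourceId(...), so the failure moves from the template to a deploy-time error about a malformed role definition ID; a one-line comment on the fallback, `// neither a known built-in role name nor a full resource ID: treat the value as a role definition GUID`, would help the next reader. The same change and remarks apply to the app_roleAssignments hunk in site/main.bicep. The enclosing resource declaration continues outside the hunk.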
@@ -175,7 +175,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index 74be015ae5..9402f8697b 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10832175948195959384" + "templateHash": "8141689023365328842" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -270,7 +270,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -391,7 +391,7 @@ "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/serverfarm/tests/e2e/max/main.test.bicep b/modules/web/serverfarm/tests/e2e/max/main.test.bicep index ce1c1ea9c1..7eadba7f28 100644 --- a/modules/web/serverfarm/tests/e2e/max/main.test.bicep 
+++ b/modules/web/serverfarm/tests/e2e/max/main.test.bicep @@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep index 24e51db825..f784e6761a 100644 --- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -92,13 +92,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 8722de026a..f5c22619c5 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -185,7 +185,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] setAzureWebJobsDashboard: true @@ -372,7 +382,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -531,7 +551,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scmSiteAlsoStopped: true @@ -723,7 +753,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, 
@@ -924,7 +964,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scmSiteAlsoStopped`](#parameter-scmsitealsostopped) | bool | Stop SCM (KUDU) site when the app is stopped. | | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`siteConfig`](#parameter-siteconfig) | object | The site config object. | 
@@ -1302,7 +1342,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -1454,7 +1494,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1514,7 +1554,7 @@ Site redundancy mode. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -1527,7 +1567,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1575,7 +1615,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 6440c271b1..78c7f41c6c 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep 
@@ -87,7 +87,7 @@ param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The diagnostic settings of the service.') @@ -349,7 +349,7 @@ resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0 resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(app.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
@@ -432,7 +432,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -509,7 +509,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 27cc961134..211a57eeee 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8821774728735377657" + "templateHash": "6627371400613258723" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -596,7 +596,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { 
@@ -833,7 +833,7 @@ "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
@@ -1206,7 +1206,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3288853087979845666" + "templateHash": "16876460167630133410" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1269,7 +1269,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1474,7 +1474,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { 
@@ -1768,7 +1768,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { 
@@ -2034,7 +2034,7 @@ "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 952f9bec31..ea3d48350f 100644 --- a/modules/web/site/slot/README.md 
+++ b/modules/web/site/slot/README.md @@ -70,7 +70,7 @@ This module deploys a Web or Function App Deployment Slot. | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the slot. | | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`siteConfig`](#parameter-siteconfig) | object | The site config object. | 
@@ -453,7 +453,7 @@ Configuration details for private endpoints. | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -605,7 +605,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -665,7 +665,7 @@ Site redundancy mode. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -678,7 +678,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -726,7 +726,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 49722f7eef..dd2199d0bd 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep 
@@ -75,7 +75,7 @@ param tags object?
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. The diagnostic settings of the service.')
@@ -305,7 +305,7 @@ resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
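Review bot: The new `roleDefinitionId` expression resolves a display name, a bare GUID or a full ID to one canonical role definition ID, but `name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)` two lines above is still seeded from the raw input, so the same role written in two of those forms yields two differently-named assignments for the same principal, role and scope; as far as I recall the RBAC service rejects the second as an already existing assignment, so the deployment fails instead of being idempotent. Resolving each entry once in a module-level variable and seeding both `name` and `roleDefinitionId` from the resolved value closes that gap (sketch below). Note also that `contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')` is a substring test rather than a format check, so a misspelt display name is silently wrapped in `subscriptionResourceId(...)` and only fails at deployment time with an unrelated-looking error; at minimum a comment on that line should say that anything not in `builtInRoleNames` and not a resource ID is assumed to be a GUID. The same expression is changed in the static-site `main.bicep` hunk at `@@ -190,7 +190,7 @@` and the analysis-services `main.bicep` hunk at `@@ -112,7 +112,7 @@`. The `resource slot_roleAssignments` loop body continues outside the hunk.
```bicep
// Resolve every entry once so that the assignment name and its roleDefinitionId are derived from the same canonical ID.
var formattedRoleAssignments = [for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
  roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
})]

resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in formattedRoleAssignments: {
  name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
  properties: {
    roleDefinitionId: roleAssignment.roleDefinitionId
    // … unchanged: principalId, description, principalType …
```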
@@ -376,7 +376,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -453,7 +453,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json
index efe7f4d81a..d108d20bcd 100644
--- a/modules/web/site/slot/main.json
+++ b/modules/web/site/slot/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3288853087979845666" + "templateHash": "16876460167630133410" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.",
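Review bot: The new description of `roleDefinitionIdOrName` says a display name is accepted, but judging from the resource hunk earlier in this commit a name only resolves when it is a key of the module's `builtInRoleNames` variable; any other string is treated as a GUID and handed to `subscriptionResourceId`. Since this description is what the generated README surfaces to callers, it should state that limit, e.g. append `Display names are resolved only for the built-in roles listed in this module's builtInRoleNames variable; any other value is treated as a role definition GUID or a full role definition resource ID.` The same description is changed in the static-site `main.bicep` hunk at `@@ -264,7 +264,7 @@`. `type roleAssignmentType` continues outside the hunk.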
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -568,7 +568,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { 
@@ -834,7 +834,7 @@ "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index eb682196f8..5abbca04b8 100644 
--- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep
+++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep
@@ -184,7 +184,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
index fbb4e0cf1d..4fea3485cd 100644
--- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
+++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep
@@ -175,7 +175,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index 6eaa86c579..c4dbc50149 100644
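Review bot: The name-based entry in the new `roleAssignments` block now grants `'Owner'` to the test managed identity, where the previous `'Reader'` already exercised the display-name branch; the three entries only need to be three distinct roles so that the resolved assignments do not collide, and none of them needs to be Owner, which carries permission to manage access on the deployed resource. Keeping the lowest-privilege roles that still differ from each other (for example `roleDefinitionIdOrName: 'Reader'` for the name form, with other low-privilege built-in roles for the GUID and full-ID forms) keeps the e2e identity within least privilege. The two bare GUIDs are not self-describing; a trailing comment naming the built-in role each refers to (`b24988ac-…` is, as far as I recall, Contributor and `acdd72a7-…` Reader) would let reviewers confirm the intent without a lookup. The same change appears in the webAppCommon hunk on this line and in the static-site max test hunk at `@@ -77,7 +77,17 @@`. The enclosing `module testDeployment` block starts and ends outside the hunk.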
--- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -140,7 +140,17 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'Standard' @@ -231,7 +241,17 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -308,13 +328,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' tags: { @@ -398,15 +411,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "Standard" }, 
@@ -456,7 +460,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { | [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. | | [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. | | [`repositoryUrl`](#parameter-repositoryurl) | string | The name of the GitHub repository. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Type of static site to deploy. | | [`stagingEnvironmentPolicy`](#parameter-stagingenvironmentpolicy) | string | State indicating whether staging environments are allowed or not allowed for a static web app. | | [`tags`](#parameter-tags) | object | Tags of the resource. | 
@@ -620,7 +624,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | 
@@ -772,7 +776,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -821,7 +825,7 @@ The name of the GitHub repository. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array 
@@ -834,7 +838,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -882,7 +886,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 6ca47ca5ec..704cebbe70 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep 
@@ -70,7 +70,7 @@ param tags object?
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 @description('Optional. Object with "resourceId" and "location" of the a user defined function app.')
@@ -190,7 +190,7 @@ resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty
 resource staticSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(staticSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
@@ -264,7 +264,7 @@ type lockType = {
 }?
 type roleAssignmentType = {
- @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 roleDefinitionIdOrName: string
 @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
@@ -341,7 +341,7 @@ type privateEndpointType = {
 @description('Optional. Specify the type of lock.')
 lock: lockType
- @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+ @description('Optional. Array of role assignments to create.')
 roleAssignments: roleAssignmentType
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json
index fc659eef34..850eea7879 100644
--- a/modules/web/static-site/main.json
+++ b/modules/web/static-site/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12660101708954592641" + "templateHash": "1972191621448105734" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.",
@@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -438,7 +438,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "linkedBackend": { 
@@ -546,7 +546,7 @@ "scope": "[format('Microsoft.Web/staticSites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/staticSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/static-site/tests/e2e/max/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep index 8bc7cecf8d..8181fac011 100644 --- a/modules/web/static-site/tests/e2e/max/main.test.bicep 
+++ b/modules/web/static-site/tests/e2e/max/main.test.bicep
@@ -77,7 +77,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]
 roleAssignments: [
 {
- roleDefinitionIdOrName: 'Reader'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
index afe97a5d32..183fa819ef 100644
--- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep
@@ -75,13 +75,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] } } ]
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 sku: 'Standard'
 stagingEnvironmentPolicy: 'Enabled'
 managedIdentities: {
From 1072e81e9703d9786ddf7a0cefb23ed94cad77f3 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Wed, 22 Nov 2023 00:14:56 +0100
Subject: [PATCH 122/178] Update to latest (#4277)
---
 modules/analysis-services/server/main.bicep | 2 +-
 modules/analysis-services/server/main.json | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep
index fe7c530a48..0d4d966a3b 100644
--- a/modules/analysis-services/server/main.bicep
+++ b/modules/analysis-services/server/main.bicep
@@ -112,7 +112,7 @@ resource server_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-0
 resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
 name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
 description: roleAssignment.?description
 principalType: roleAssignment.?principalType
diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json
index b5a8657aef..b3e4158662 100644
--- a/modules/analysis-services/server/main.json
+++ b/modules/analysis-services/server/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16473107761572219540" + "templateHash": "1605417065240868452" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.",
@@ -373,7 +373,7 @@ "scope": "[format('Microsoft.AnalysisServices/servers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.AnalysisServices/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", From 7de92c109e278cd10471d7a3cc088617f833ff72 Mon Sep 17 00:00:00 2001 
From: Nate Arnold Date: Tue, 21 Nov 2023 16:17:42 -0700 Subject: [PATCH 123/178] Migrated module to AVM (#4276) --- modules/network/express-route-gateway/MOVED-TO-AVM.MD | 1 + modules/network/express-route-gateway/README.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 modules/network/express-route-gateway/MOVED-TO-AVM.MD diff --git a/modules/network/express-route-gateway/MOVED-TO-AVM.MD b/modules/network/express-route-gateway/MOVED-TO-AVM.MD new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/express-route-gateway/MOVED-TO-AVM.MD @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 152fbd6875..9a75adad10 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -1,6 +1,6 @@ # Express Route Gateways `[Microsoft.Network/expressRouteGateways]` -This module deploys an Express Route Gateway. +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). ## Navigation From 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 Mon Sep 17 00:00:00 2001 From: Nate Arnold Date: Tue, 21 Nov 2023 16:18:01 -0700 Subject: [PATCH 124/178] Migrated to AVM (#4275) --- modules/network/express-route-circuit/MOVED-TO-AVM.MD | 1 + modules/network/express-route-circuit/README.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 modules/network/express-route-circuit/MOVED-TO-AVM.MD 
diff --git a/modules/network/express-route-circuit/MOVED-TO-AVM.MD b/modules/network/express-route-circuit/MOVED-TO-AVM.MD new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/express-route-circuit/MOVED-TO-AVM.MD @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 6f7e013b74..2707dc288a 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -1,6 +1,6 @@ # ExpressRoute Circuits `[Microsoft.Network/expressRouteCircuits]` -This module deploys an Express Route Circuit. +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). ## Navigation From 25ed2b2acb9feb439a06fa5661ebe06e74fbf0db Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 22 Nov 2023 12:55:07 +0100 Subject: [PATCH 125/178] Updated docs (#4283) --- modules/network/express-route-circuit/README.md | 4 +++- modules/network/express-route-gateway/README.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 2707dc288a..3548350675 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md 
@@ -1,6 +1,8 @@ # ExpressRoute Circuits `[Microsoft.Network/expressRouteCircuits]` -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + +This module deploys an Express Route Circuit. ## Navigation diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 9a75adad10..2bba6a1bf2 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -1,6 +1,8 @@ # Express Route Gateways `[Microsoft.Network/expressRouteGateways]` -This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + +This module deploys an Express Route Gateway. ## Navigation From 092988057a8964f6fbba4cd6a30e0abfda9f02fa Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Thu, 23 Nov 2023 09:34:43 +0100 Subject: [PATCH 126/178] Updated test cases & added performance improvements (#4273) --- .../jobs.getModuleTestFiles.yml | 16 +- .../templates/getModuleTestFiles/action.yml | 17 +- .../sharedScripts/Get-ModuleTestFileList.ps1 | 59 ---- .../sharedScripts/Set-ModuleReadMe.ps1 | 3 +- .../staticValidation/helper/helper.psm1 | 1 - .../staticValidation/module.tests.ps1 | 255 +++--------------- 6 files changed, 53 insertions(+), 298 deletions(-) delete mode 100644 utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 diff --git a/.azuredevops/pipelineTemplates/jobs.getModuleTestFiles.yml b/.azuredevops/pipelineTemplates/jobs.getModuleTestFiles.yml index 74b38d5e97..6c8dc4e3b0 100644 --- a/.azuredevops/pipelineTemplates/jobs.getModuleTestFiles.yml +++ b/.azuredevops/pipelineTemplates/jobs.getModuleTestFiles.yml @@ -25,18 +25,16 @@ jobs: targetType: inline pwsh: true script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1') + # Get the list of parameter file paths + $moduleFolderPath = Join-Path '$(System.DefaultWorkingDirectory)' '${{ parameters.modulePath }}' + $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object - $functionInput = @{ - ModulePath = Join-Path '$(System.DefaultWorkingDirectory)' '${{ parameters.modulePath }}' + $deploymentTestPaths = $testFilePaths | ForEach-Object { + $_.Replace($moduleFolderPath, '').Trim('\').Trim('/') } - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Set agent up - $deploymentTestPaths = Get-ModuleTestFileList @functionInput -Verbose + Write-Verbose 'Found module test files' -Verbose + $deploymentTestPaths | ForEach-Object { Write-Verbose "- [$_]" -Verbose } $testTable = @{} foreach ($deploymentTestPath in $deploymentTestPaths) { 
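Review bot: The inlined `Get-ChildItem … -Filter 'main.test.bicep'` drops the failure path of the helper it replaces: `Get-ModuleTestFileList` threw `"No deployment test files found for module […]"` on an empty result (visible in the deleted file further down), whereas this script leaves `$testFilePaths` as `$null` and hands an empty `$deploymentTestPaths` to the job, so a module without test files would silently get no deployment tests. A guard after the `Sort-Object` line, `if (-not $testFilePaths) { throw "No deployment test files found for module [$moduleFolderPath]" }`, restores the previous behaviour. The same applies to the GitHub action `getModuleTestFiles/action.yml` and to `Set-UsageExamplesSection` in `Set-ModuleReadMe.ps1`, which receive the same inline expression in this commit. Since the expression is also copied into `module.tests.ps1` several times, keeping it in one small helper (e.g. in `helper.psm1`, which this commit already edits) would avoid the copies drifting apart.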
diff --git a/.github/actions/templates/getModuleTestFiles/action.yml b/.github/actions/templates/getModuleTestFiles/action.yml index 1cce2fb82e..704f13bad5 100644 --- a/.github/actions/templates/getModuleTestFiles/action.yml +++ b/.github/actions/templates/getModuleTestFiles/action.yml @@ -20,18 +20,17 @@ runs: run: | # Grouping task logs Write-Output '::group::Get parameter files' - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1') - $functionInput = @{ - ModulePath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.modulePath }}' - } + # Get the list of parameter file paths + $moduleFolderPath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.modulePath }}' + $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + $testFilePaths = $testFilePaths | ForEach-Object { + $_.Replace($moduleFolderPath, '').Trim('\').Trim('/') + } - # Get the list of parameter file paths - $testFilePaths = Get-ModuleTestFileList @functionInput -Verbose + Write-Verbose 'Found module test files' -Verbose + $testFilePaths | ForEach-Object { Write-Verbose "- [$_]" -Verbose } # Output values to be accessed by next jobs $compressedOutput = $testFilePaths | ConvertTo-Json -Compress diff --git a/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 b/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 deleted file mode 100644 index 7fb5b13699..0000000000 --- a/utilities/pipelines/sharedScripts/Get-ModuleTestFileList.ps1 +++ /dev/null 
@@ -1,59 +0,0 @@ -<# -.SYNOPSIS -Get the relative file paths of all test files in the given module. - -.DESCRIPTION -Get the relative file paths of all test files (*.json / main.test.bicep) in the given module. -The relative path is returned instead of the full one to make paths easier to read in the pipeline. - -.PARAMETER ModulePath -Mandatory. The module path to search in. - -.PARAMETER SearchFolder -Optional. The folder to search for files in - -.PARAMETER TestFilePattern -Optional. The pattern of test files to search for. For example '*.json' - -.EXAMPLE -Get-ModuleTestFileList -ModulePath 'C:\ResourceModules\modules\compute\virtual-machine' - -Returns the relative file paths of all test files of the virtual-machine module in the default test folder ('tests'). - -.EXAMPLE -Get-ModuleTestFileList -ModulePath 'C:\ResourceModules\modules\compute\virtual-machine' -SearchFolder 'parameters' - -Returns the relative file paths of all test files of the virtual-machine module in folder 'parameters'. -#> -function Get-ModuleTestFileList { - - [CmdletBinding()] - param ( - [Parameter(Mandatory)] - [string] $ModulePath, - - [Parameter(Mandatory = $false)] - [string] $SearchFolder = 'tests', - - [Parameter(Mandatory = $false)] - [string[]] $TestFilePattern = @('*.json', 'main.test.bicep') - ) - - $deploymentTests = @() - if (Test-Path (Join-Path $ModulePath $SearchFolder)) { - $deploymentTests += (Get-ChildItem -Path (Join-Path $ModulePath $SearchFolder) -Recurse -Include $TestFilePattern -File).FullName - } - - if (-not $deploymentTests) { - throw "No deployment test files found for module [$ModulePath]" - } - - $deploymentTests = $deploymentTests | ForEach-Object { - $_.Replace($ModulePath, '').Trim('\').Trim('/') - } - - Write-Verbose 'Found parameter files' - $deploymentTests | ForEach-Object { Write-Verbose "- $_" } - - return $deploymentTests -} 
diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 404fdf259c..8ba3a514d2 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -1172,7 +1172,7 @@ function Set-UsageExamplesSection { $moduleNameCamelCase = $First.Tolower() + (Get-Culture).TextInfo.ToTitleCase($Rest) -Replace '-' } - $testFilePaths = Get-ModuleTestFileList -ModulePath $moduleRoot | ForEach-Object { Join-Path $moduleRoot $_ } + $testFilePaths = (Get-ChildItem -Path $ModuleRoot -Recurse -Filter 'main.test.bicep').FullName | Sort-Object $RequiredParametersList = $TemplateFileContent.parameters.Keys | Where-Object { Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $TemplateFileContent.parameters[$_] @@ -1613,7 +1613,6 @@ function Set-ModuleReadMe { # Load external functions . (Join-Path $PSScriptRoot 'Get-NestedResourceList.ps1') - . (Join-Path $PSScriptRoot 'Get-ModuleTestFileList.ps1') . (Join-Path $PSScriptRoot 'helper' 'Merge-FileWithNewContent.ps1') . (Join-Path $PSScriptRoot 'helper' 'Get-IsParameterRequired.ps1') . (Join-Path $PSScriptRoot 'helper' 'Get-SpecsAlignedResourceName.ps1') diff --git a/utilities/pipelines/staticValidation/helper/helper.psm1 b/utilities/pipelines/staticValidation/helper/helper.psm1 index ab80fbbac0..c50c1e2f0e 100644 --- a/utilities/pipelines/staticValidation/helper/helper.psm1 +++ b/utilities/pipelines/staticValidation/helper/helper.psm1 
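Review bot: The new lookup recurses from `$ModuleRoot` itself, whereas the removed helper searched only the `tests` subfolder by default, so a `main.test.bicep` under a nested child-module folder — should the repository contain any — would now appear among the parent module's usage examples; if that is not wanted, `-Path (Join-Path $ModuleRoot 'tests')` keeps the previous scope. The replaced line used `$moduleRoot` while the new one uses `$ModuleRoot`; PowerShell treats them as the same variable, but the casing should match the rest of the function for grep-ability. `Set-UsageExamplesSection` begins and ends outside the hunk.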
@@ -5,7 +5,6 @@ $repoRootPath = (Get-Item $PSScriptRoot).Parent.Parent.Parent.Parent.FullName . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-NestedResourceList.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') -. (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ModuleTestFileList.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'helper' 'ConvertTo-OrderedHashtable.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'helper' 'Get-IsParameterRequired.ps1') . (Join-Path $repoRootPath 'utilities' 'tools' 'Get-CrossReferencedModuleList.ps1') diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1 index f608f5f24b..c973dd9929 100644 --- a/utilities/pipelines/staticValidation/module.tests.ps1 +++ b/utilities/pipelines/staticValidation/module.tests.ps1 @@ -3,7 +3,7 @@ param ( [Parameter(Mandatory = $false)] [array] $moduleFolderPaths = ((Get-ChildItem $repoRootPath -Recurse -Directory -Force).FullName | Where-Object { - (Get-ChildItem $_ -File -Depth 0 -Include @('main.json', 'main.bicep') -Force).Count -gt 0 + (Get-ChildItem $_ -File -Depth 0 -Include @('main.bicep') -Force).Count -gt 0 }), [Parameter(Mandatory = $false)] 
@@ -26,9 +26,6 @@ $script:MGdeployment = 'https://schema.management.azure.com/schemas/2019-08-01/m $script:Tenantdeployment = 'https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#' $script:moduleFolderPaths = $moduleFolderPaths -# For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key -$script:convertedTemplates = @{} - # Shared exception messages $script:bicepTemplateCompilationFailedException = "Unable to compile the main.bicep template's content. This can happen if there is an error in the template. Please check if you can run the command ``bicep build {0} --stdout | ConvertFrom-Json -AsHashtable``." # -f $templateFilePath $script:jsonTemplateLoadFailedException = "Unable to load the main.json template's content. This can happen if there is an error in the template. Please check if you can run the command `Get-Content {0} -Raw | ConvertFrom-Json -AsHashtable`." # -f $templateFilePath 
@@ -37,6 +34,24 @@ $script:templateNotFoundException = 'No template file found in folder [{0}]' # - # Import any helper function used in this test script Import-Module (Join-Path $PSScriptRoot 'helper' 'helper.psm1') -Force +# Building all required files for tests to optimize performance (using thread-safe multithreading) to consume later +# Collecting paths +$pathsToBuild = [System.Collections.ArrayList]@() +$pathsToBuild += $moduleFolderPaths | ForEach-Object { Join-Path $_ 'main.bicep' } +foreach ($moduleFolderPath in $moduleFolderPaths) { + if ($testFilePaths = ((Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object)) { + $pathsToBuild += $testFilePaths + } +} + +# building paths +$builtTestFileMap = [System.Collections.Concurrent.ConcurrentDictionary[string, object]]::new() +$pathsToBuild | ForEach-Object -Parallel { + $dict = $using:builtTestFileMap + $builtTemplate = bicep build $_ --stdout | ConvertFrom-Json -AsHashtable + $null = $dict.TryAdd($_, $builtTemplate) +} + $script:crossReferencedModuleList = Get-CrossReferencedModuleList Describe 'File/folder tests' -Tag 'Modules' { @@ -52,13 +67,13 @@ Describe 'File/folder tests' -Tag 'Modules' { } } - It '[] Module should contain a [` main.json ` / ` main.bicep `] file.' -TestCases $moduleFolderTestCases { + It '[] Module should contain a [` main.json ` & ` main.bicep `] file.' -TestCases $moduleFolderTestCases { param( [string] $moduleFolderPath ) $hasARM = Test-Path (Join-Path -Path $moduleFolderPath 'main.json') $hasBicep = Test-Path (Join-Path -Path $moduleFolderPath 'main.bicep') - ($hasARM -or $hasBicep) | Should -Be $true + ($hasARM -and $hasBicep) | Should -Be $true } It '[] Module should contain a [` README.md `] file.' -TestCases $moduleFolderTestCases { 
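Review bot: The parallel build stores whatever `bicep build $_ --stdout | ConvertFrom-Json -AsHashtable` returns without checking it, so a template that fails to compile is cached as `$null`; the later `$builtTestFileMap[$templateFilePath]` lookups in the 'Module tests', metadata and 'API version tests' blocks then pass `$null` into the test cases, and the failure surfaces as a property-access error far from its cause instead of the `$bicepTemplateCompilationFailedException` message that this commit leaves defined but no longer throws anywhere. Adding `if (-not $builtTemplate) { throw ($using:bicepTemplateCompilationFailedException -f $_) }` before the `TryAdd` restores a clear failure. `$pathsToBuild` is cast to `[System.Collections.ArrayList]` but then grown with `+=`, which PowerShell evaluates as array addition and, as far as I recall, yields a plain `object[]` on first use, so either use `.AddRange()` or drop the cast. The comment above the block should also mention that `ForEach-Object -Parallel` runs at most five `bicep` processes by default (`-ThrottleLimit`), since that bounds the speed-up it promises.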
@@ -111,11 +126,10 @@ Describe 'File/folder tests' -Tag 'Modules' { It '[] Folder should contain one or more test files.' -TestCases $folderTestCases { param( - [string] $moduleFolderName, [string] $moduleFolderPath ) - $moduleTestFilePaths = Get-ModuleTestFileList -ModulePath $moduleFolderPath | ForEach-Object { Join-Path $moduleFolderPath $_ } + $moduleTestFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object $moduleTestFilePaths.Count | Should -BeGreaterThan 0 } @@ -123,7 +137,7 @@ Describe 'File/folder tests' -Tag 'Modules' { foreach ($moduleFolderPath in $moduleFolderPaths) { $testFolderPath = Join-Path $moduleFolderPath '.test' if (Test-Path $testFolderPath) { - foreach ($testFilePath in (Get-ModuleTestFileList -ModulePath $moduleFolderPath | ForEach-Object { Join-Path $moduleFolderPath $_ })) { + foreach ($testFilePath in ((Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object)) { $testFolderFilesTestCases += @{ moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] testFilePath = $testFilePath @@ -131,19 +145,6 @@ Describe 'File/folder tests' -Tag 'Modules' { } } } - - It '[] JSON test files in the `.test` folder should be valid json.' -TestCases $testFolderFilesTestCases { - - param( - [string] $moduleFolderName, - [string] $testFilePath - ) - if ((Split-Path $testFilePath -Extension) -eq '.json') { - { (Get-Content $testFilePath) | ConvertFrom-Json } | Should -Not -Throw - } else { - Set-ItResult -Skipped -Because 'the module has no JSON test files.' - } - } } } 
@@ -311,41 +312,13 @@ Describe 'Module tests' -Tag 'Module' { foreach ($moduleFolderPath in $moduleFolderPaths) { - # For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key - $moduleFolderPathKey = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1].Trim('/').Replace('/', '-') - if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { - if (Test-Path (Join-Path $moduleFolderPath 'main.bicep')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' - $templateContent = bicep build $templateFilePath --stdout | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } - } elseIf (Test-Path (Join-Path $moduleFolderPath 'main.json')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.json' - $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } - } else { - throw ($templateNotFoundException -f $moduleFolderPath) - } - $convertedTemplates[$moduleFolderPathKey] = @{ - templateFilePath = $templateFilePath - templateContent = $templateContent - } - } else { - $templateContent = $convertedTemplates[$moduleFolderPathKey].templateContent - $templateFilePath = $convertedTemplates[$moduleFolderPathKey].templateFilePath - } - $resourceTypeIdentifier = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] + $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' $readmeFileTestCases += @{ moduleFolderName = $resourceTypeIdentifier moduleFolderPath = $moduleFolderPath - templateContent = $templateContent + templateContent = $builtTestFileMap[$templateFilePath] templateFilePath = $templateFilePath readMeFilePath = Join-Path -Path $moduleFolderPath 'README.md' readMeContent = Get-Content (Join-Path -Path $moduleFolderPath 'README.md') 
@@ -459,34 +432,8 @@ Describe 'Module tests' -Tag 'Module' { $deploymentFolderTestCases = [System.Collections.ArrayList] @() foreach ($moduleFolderPath in $moduleFolderPaths) { - # For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key - $moduleFolderPathKey = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1].Trim('/').Replace('/', '-') - if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { - if (Test-Path (Join-Path $moduleFolderPath 'main.bicep')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' - $templateContent = bicep build $templateFilePath --stdout | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } - } elseIf (Test-Path (Join-Path $moduleFolderPath 'main.json')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.json' - $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } - } else { - throw ($templateNotFoundException -f $moduleFolderPath) - } - $convertedTemplates[$moduleFolderPathKey] = @{ - templateFilePath = $templateFilePath - templateContent = $templateContent - } - } else { - $templateContent = $convertedTemplates[$moduleFolderPathKey].templateContent - $templateFilePath = $convertedTemplates[$moduleFolderPathKey].templateFilePath - } + $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' + $templateContent = $builtTestFileMap[$templateFilePath] # Parameter file test cases $testFileTestCases = @() 
@@ -497,24 +444,13 @@ Describe 'Module tests' -Tag 'Module' { if (Test-Path (Join-Path $moduleFolderPath '.test')) { # Can be removed after full migration to bicep test files - $moduleTestFilePaths = Get-ModuleTestFileList -ModulePath $moduleFolderPath | ForEach-Object { Join-Path $moduleFolderPath $_ } + $moduleTestFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object foreach ($moduleTestFilePath in $moduleTestFilePaths) { - if ((Split-Path $moduleTestFilePath -Extension) -eq '.json') { - - $rawContentHashtable = (Get-Content $moduleTestFilePath) | ConvertFrom-Json -AsHashtable - # Skipping any file that is not actually a ARM-JSON parameter file - $isParameterFile = $rawContentHashtable.'$schema' -like '*deploymentParameters*' - if (-not $isParameterFile) { - continue - } + $deploymentFileContent = bicep build $moduleTestFilePath --stdout | ConvertFrom-Json -AsHashtable + $deploymentTestFile_AllParameterNames = $deploymentFileContent.resources[-1].properties.parameters.Keys | Sort-Object # The last resource should be the test - $deploymentTestFile_AllParameterNames = $rawContentHashtable.parameters.Keys | Sort-Object - } else { - $deploymentFileContent = bicep build $moduleTestFilePath --stdout | ConvertFrom-Json -AsHashtable - $deploymentTestFile_AllParameterNames = $deploymentFileContent.resources[-1].properties.parameters.Keys | Sort-Object # The last resource should be the test - } $testFileTestCases += @{ testFile_Path = $moduleTestFilePath testFile_Name = Split-Path $moduleTestFilePath -Leaf 
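Review bot: Each test file is compiled again here with `bicep build $moduleTestFilePath --stdout | ConvertFrom-Json -AsHashtable`, although the same paths were already built into `$builtTestFileMap` by the parallel block at the top of the script, so the serial per-file builds this commit set out to remove still run; `$deploymentFileContent = $builtTestFileMap[$moduleTestFilePath]` would reuse the cached result. The `testFile_AllParameterNames` value derived from it presumably fed only the two parameter tests that this commit deletes later in the file, so if no remaining `It` block reads it, the build and the `Sort-Object` can be dropped altogether. The enclosing `foreach` and the `$testFileTestCases += @{ … }` hashtable continue past the hunk.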
@@ -900,35 +836,6 @@ Describe 'Module tests' -Tag 'Module' { $incorrectOutputs | Should -BeNullOrEmpty } - # PARAMETER Tests - It '[] All parameters in parameters files exist in template file (`main.json`).' -TestCases $deploymentFolderTestCases { - param ( - [hashtable[]] $testFileTestCases - ) - - foreach ($parameterFileTestCase in $testFileTestCases) { - $testFile_AllParameterNames = $parameterFileTestCase.testFile_AllParameterNames - $templateFile_AllParameterNames = $parameterFileTestCase.templateFile_AllParameterNames - - $nonExistentParameters = $testFile_AllParameterNames | Where-Object { $templateFile_AllParameterNames -notcontains $_ } - $nonExistentParameters.Count | Should -Be 0 -Because ('no parameter in the parameter file should not exist in the template file. Found excess items: [{0}].' -f ($nonExistentParameters -join ', ')) - } - } - - It '[] All required parameters in template file (`main.json`) should exist in parameters files.' -TestCases $deploymentFolderTestCases { - param ( - [hashtable[]] $testFileTestCases - ) - - foreach ($parameterFileTestCase in $testFileTestCases) { - $TemplateFile_RequiredParametersNames = $parameterFileTestCase.TemplateFile_RequiredParametersNames - $testFile_AllParameterNames = $parameterFileTestCase.testFile_AllParameterNames - - $missingParameters = $templateFile_RequiredParametersNames | Where-Object { $testFile_AllParameterNames -notcontains $_ } - $missingParameters.Count | Should -Be 0 -Because ('no required parameters in the template file should be missing in the parameter file. Found missing items: [{0}].' -f ($missingParameters -join ', ')) - } - } - It '[] All non-required parameters in template file should not have description that start with "Required.".' -TestCases $deploymentFolderTestCases { param ( [hashtable[]] $testFileTestCases, 
@@ -956,33 +863,8 @@ Describe 'Module tests' -Tag 'Module' { foreach ($moduleFolderPath in $moduleFolderPaths) { $moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] - - # For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key - $moduleFolderPathKey = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1].Trim('/').Replace('/', '-') - if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { - if (Test-Path (Join-Path $moduleFolderPath 'main.bicep')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' - $templateContent = bicep build $templateFilePath --stdout | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } - } elseIf (Test-Path (Join-Path $moduleFolderPath 'main.json')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.json' - $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } - } else { - throw ($templateNotFoundException -f $moduleFolderPath) - } - $convertedTemplates[$moduleFolderPathKey] = @{ - templateContent = $templateContent - } - } else { - $templateContent = $convertedTemplates[$moduleFolderPathKey].templateContent - } + $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' + $templateContent = $builtTestFileMap[$templateFilePath] $metadataFileTestCases += @{ moduleFolderName = $moduleFolderName 
@@ -1023,22 +905,11 @@ Describe 'Test file tests' -Tag 'TestTemplate' { foreach ($moduleFolderPath in $moduleFolderPaths) { if (Test-Path (Join-Path $moduleFolderPath '.test')) { - $testFilePaths = Get-ModuleTestFileList -ModulePath $moduleFolderPath | ForEach-Object { Join-Path $moduleFolderPath $_ } + $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object foreach ($testFilePath in $testFilePaths) { - $testFileContent = Get-Content $testFilePath - - if ((Split-Path $testFilePath -Extension) -eq '.json') { - # Skip any classic parameter files - $contentHashtable = $testFileContent | ConvertFrom-Json -Depth 99 - $isParameterFile = $contentHashtable.'$schema' -like '*deploymentParameters*' - if ($isParameterFile) { - continue - } - } - $deploymentTestFileTestCases += @{ testFilePath = $testFilePath - testFileContent = $testFileContent + testFileContent = Get-Content $testFilePath moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] } } 
@@ -1076,31 +947,6 @@ Describe 'Test file tests' -Tag 'TestTemplate' { $hasExpectedParam | Should -Be $true } - - It '[] JSON test deployment name should contain [`-test-`].' -TestCases ($deploymentTestFileTestCases | Where-Object { (Split-Path $_.testFilePath -Extension) -eq '.json' }) { - - param( - [object[]] $testFileContent - ) - - # Handle case of deployment test file (instead of ARM-JSON parameter file) - $rawContentHashtable = $testFileContent | ConvertFrom-Json -Depth 99 - - # Uses deployment test file (instead of parameter file). Need to extract parameters. - $testResource = $rawContentHashtable.resources | Where-Object { $_.name -like '*-test-*' } - - $testResource | Should -Not -BeNullOrEmpty -Because 'the handle ''-test-'' should be part of the module test invocation''s resource name to allow identification.' - } - - It '[] JSON test deployment should have parameter [`serviceShort`].' -TestCases ($deploymentTestFileTestCases | Where-Object { (Split-Path $_.testFilePath -Extension) -eq '.json' }) { - - param( - [object[]] $testFileContent - ) - - $rawContentHashtable = $testFileContent | ConvertFrom-Json -Depth 99 -AsHashtable - $rawContentHashtable.parameters.keys | Should -Contain 'serviceShort' - } } Context 'Token usage' { @@ -1110,7 +956,7 @@ Describe 'Test file tests' -Tag 'TestTemplate' { foreach ($moduleFolderPath in $moduleFolderPaths) { if (Test-Path (Join-Path $moduleFolderPath '.test')) { - $testFilePaths = Get-ModuleTestFileList -ModulePath $moduleFolderPath | ForEach-Object { Join-Path $moduleFolderPath $_ } + $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object foreach ($testFilePath in $testFilePaths) { foreach ($token in $enforcedTokenList.Keys) { $parameterFileTokenTestCases += @{ 
@@ -1160,35 +1006,8 @@ Describe 'API version tests' -Tag 'ApiCheck' { foreach ($moduleFolderPath in $moduleFolderPaths) { $moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1] - - # For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key - $moduleFolderPathKey = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1].Trim('/').Replace('/', '-') - if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { - if (Test-Path (Join-Path $moduleFolderPath 'main.bicep')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' - $templateContent = bicep build $templateFilePath --stdout | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } - } elseIf (Test-Path (Join-Path $moduleFolderPath 'main.json')) { - $templateFilePath = Join-Path $moduleFolderPath 'main.json' - $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } - } else { - throw ($templateNotFoundException -f $moduleFolderPath) - } - $convertedTemplates[$moduleFolderPathKey] = @{ - templateFilePath = $templateFilePath - templateContent = $templateContent - } - } else { - $templateContent = $convertedTemplates[$moduleFolderPathKey].templateContent - $templateFilePath = $convertedTemplates[$moduleFolderPathKey].templateFilePath - } + $templateFilePath = Join-Path $moduleFolderPath 'main.bicep' + $templateContent = $builtTestFileMap[$templateFilePath] $nestedResources = Get-NestedResourceList -TemplateFileContent $templateContent | Where-Object { $_.type -notin @('Microsoft.Resources/deployments') -and $_ From def953bd960c5c8c4b1ed26edf281923f03ecd8a Mon Sep 17 00:00:00 2001 
From: CARMLPipelinePrincipal Date: Thu, 23 Nov 2023 08:35:34 +0000 Subject: [PATCH 127/178] Push updated API Specs file --- docs/wiki/The CI environment - Static validation.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docs/wiki/The CI environment - Static validation.md b/docs/wiki/The CI environment - Static validation.md index 483660f8c2..9b03c9b1a8 100644 --- a/docs/wiki/The CI environment - Static validation.md +++ b/docs/wiki/The CI environment - Static validation.md @@ -20,13 +20,12 @@ The following activities are performed by the [`utilities/pipelines/staticValida - **File/folder tests** - **General module folder tests** - 1. Module should contain a [` main.json ` / ` main.bicep `] file. + 1. Module should contain a [` main.json ` & ` main.bicep `] file. 1. Module should contain a [` README.md `] file. 1. Module should contain a [` .test `] folder. 1. Module should contain a [` version.json `] file. - **.test folder** 1. Folder should contain one or more test files. - 1. JSON test files in the `.test` folder should be valid json. - **Pipeline tests** 1. Module should have a GitHub workflow. 1. Module workflow should have trigger for cross-module references, if any. @@ -54,8 +53,6 @@ The following activities are performed by the [`utilities/pipelines/staticValida 1. Resource Group output should exist for resources that are deployed into a resource group scope. 1. Resource name output should exist. 1. Resource ID output should exist. - 1. All parameters in parameters files exist in template file (`main.json`). - 1. All required parameters in template file (`main.json`) should exist in parameters files. 1. All non-required parameters in template file should not have description that start with "Required.". - **Metadata content tests** 1. template file should have a module name specified. 
@@ -64,8 +61,6 @@ The following activities are performed by the [`utilities/pipelines/staticValida - **General test file** 1. Bicep test deployment name should contain [`-test-`]. 1. Bicep test deployment should have parameter [`serviceShort`]. - 1. JSON test deployment name should contain [`-test-`]. - 1. JSON test deployment should have parameter [`serviceShort`]. - **Token usage** 1. [Tokens] Test file should not contain the plain value for token guid. - **API version tests** From 80ff2b785d903f1a6a62b5bbae291a5e4acff667 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 26 Nov 2023 12:05:34 +0000 Subject: [PATCH 128/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 932 ++++++++++++++++++++++++++++++-- 1 file changed, 885 insertions(+), 47 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 923ac27312..2f526fc6d6 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -2583,6 +2583,44 @@ "2023-09-01-preview", "2023-11-01-preview" ], + "Spring/apps/deployments/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/apps/deployments/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], "Spring/apps/domains": [ "2020-07-01", "2020-11-01-preview", 
@@ -2602,6 +2640,44 @@ "2023-09-01-preview", "2023-11-01-preview" ], + "Spring/apps/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/apps/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], "Spring/buildServices": [ "2023-03-01-preview", "2023-05-01-preview", 
@@ -2707,6 +2783,44 @@ "2023-09-01-preview", "2023-11-01-preview" ], + "Spring/configServers/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/configServers/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], "Spring/configurationServices": [ "2022-01-01-preview", "2022-03-01-preview", 
@@ -2739,6 +2853,57 @@ "2023-11-01-preview" ], "Spring/eurekaServers": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/eurekaServers/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/eurekaServers/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", 
@@ -2805,6 +2970,44 @@ "2023-09-01-preview", "2023-11-01-preview" ], + "Spring/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], "Spring/serviceRegistries": [ "2022-01-01-preview", "2022-03-01-preview", @@ -2839,9 +3042,6 @@ "Microsoft.AppSecurity": { "operationStatuses": [ "2023-02-06-preview" - ], - "policies": [ - "2023-02-06-preview" ] }, "Microsoft.ArcNetworking": { @@ -4420,27 +4620,32 @@ "2020-08-06-preview", "2021-08-09", "2023-04-06", - "2023-08-04-preview" + "2023-08-04-preview", + "2023-11-01-preview" ], "bareMetalStorageInstances": [ "2023-04-06", - "2023-08-04-preview" + "2023-08-04-preview", + "2023-11-01-preview" ], "locations": [ "2020-08-06-preview", "2021-08-09", "2023-04-06", - "2023-08-04-preview" + "2023-08-04-preview", + "2023-11-01-preview" ], "locations/operationsStatus": [ "2020-08-06-preview", - "2023-08-04-preview" + "2023-08-04-preview", + "2023-11-01-preview" ], "operations": [ "2020-08-06-preview", "2021-08-09", "2023-04-06", - "2023-08-04-preview" + "2023-08-04-preview", + "2023-11-01-preview" ] }, "Microsoft.Batch": { 
@@ -9543,6 +9748,9 @@ "2023-08-22", "2023-10-03-preview" ], + "organizations/access/deleteRoleBinding": [ + "2023-10-03-preview" + ], "validations": [ "2021-03-01-preview", "2021-09-01-preview", @@ -15993,6 +16201,15 @@ ] }, "Microsoft.DevOpsInfrastructure": { + "Locations": [ + "2023-10-30-preview" + ], + "Locations/OperationStatuses": [ + "2023-10-30-preview" + ], + "Operations": [ + "2023-10-30-preview" + ], "pools": [ "2023-10-30-preview" ] @@ -19099,7 +19316,8 @@ }, "Microsoft.HardwareSecurityModules": { "cloudHsmClusters": [ - "2022-08-31-preview" + "2022-08-31-preview", + "2023-12-10-preview" ], "cloudHsmClusters/privateEndpointConnections": [ "2022-08-31-preview" @@ -19117,7 +19335,8 @@ "2018-10-31", "2018-10-31-preview", "2021-11-30", - "2022-08-31-preview" + "2022-08-31-preview", + "2023-12-10-preview" ] }, "Microsoft.HDInsight": { @@ -31118,7 +31337,8 @@ "2023-11-15" ], "Operations": [ - "2022-11-15-preview" + "2022-11-15-preview", + "2023-11-15" ], "registeredSubscriptions": [ "2022-11-15-preview", @@ -31323,14 +31543,16 @@ "2017-04-01", "2020-01-01-preview", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "namespaces/AuthorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "namespaces/notificationHubs": [ "2014-09-01", @@ -31338,18 +31560,21 @@ "2017-04-01", "2020-01-01-preview", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "namespaces/notificationHubs/AuthorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "namespaces/privateEndpointConnections": [ "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "operations": [ "2014-09-01", 
@@ -31832,16 +32057,17 @@ "l3Connections": [ "2021-04-04-preview" ], - "locations": [ - "2022-11-01" - ], + "locations": [], "locations/operationResults": [ "2022-03-01", "2022-06-01-preview", "2022-11-01" ], "operations": [ - "2022-11-01" + "2021-04-04-preview", + "2022-03-01", + "2022-11-01", + "2024-01-31-preview" ], "orbitalGateways": [ "2021-04-04-preview" @@ -32567,9 +32793,24 @@ "groupQuotas/groupQuotaLimits": [ "2023-06-01-preview" ], + "groupQuotas/groupQuotaOperationsStatus": [ + "2023-06-01-preview" + ], + "groupQuotas/groupQuotaRequests": [ + "2023-06-01-preview" + ], + "groupQuotas/quotaAllocationOperationsStatus": [ + "2023-06-01-preview" + ], + "groupQuotas/quotaAllocationRequests": [ + "2023-06-01-preview" + ], "groupQuotas/quotaAllocations": [ "2023-06-01-preview" ], + "groupQuotas/subscriptionRequests": [ + "2023-06-01-preview" + ], "groupQuotas/subscriptions": [ "2023-06-01-preview" ], 
@@ -33959,19 +34200,144 @@ ] }, "Microsoft.Resources": { + "builtInTemplateSpecs": [ + "2022-02-01" + ], + "builtInTemplateSpecs/versions": [ + "2022-02-01" + ], + "bulkDelete": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "calculateTemplateHash": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01", + "2022-09-01", + "2023-07-01" + ], + "changes": [ + "2022-03-01-preview", + "2022-05-01", + "2023-03-01-preview", + "2023-07-01-preview" + ], + "checkPolicyCompliance": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "checkresourcename": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], "deployments": [ + "2014-04-01-preview", + "2015-01-01", "2015-11-01", "2016-02-01", + "2016-06-01", "2016-07-01", 
"2016-09-01", + "2017-03-01", + "2017-05-01", "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", "2018-02-01", "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", "2019-03-01", + "2019-04-01", "2019-05-01", "2019-05-10", "2019-07-01", "2019-08-01", + "2019-09-01", "2019-10-01", "2020-06-01", "2020-08-01", 
@@ -33981,23 +34347,196 @@ "2022-09-01", "2023-07-01" ], + "deployments/operations": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01", + "2020-06-01", + "2020-10-01", + "2021-01-01", + "2021-04-01", + "2022-09-01", + "2023-07-01" + ], "deploymentScripts": [ "2019-10-01-preview", "2020-10-01", "2023-08-01" ], + "deploymentScripts/logs": [ + "2019-10-01-preview", + "2020-10-01", + "2023-08-01" + ], "deploymentStacks": [ "2022-08-01-preview" ], + "links": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "locations": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01" + ], + "locations/deploymentScriptOperationResults": [ + "2019-10-01-preview", + "2020-10-01", + "2023-08-01" + ], + "locations/deploymentStackOperationStatus": [ + "2022-08-01-preview" + ], + "mobobrokers": [ + "2023-06-01-preview" + ], + "notifyResourceJobs": [ + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01" + ], + "operationresults": [ + 
"2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01" + ], + "operations": [ + "2015-01-01" + ], + "providers": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], "resourceGroups": [ + "2014-04-01-preview", + "2015-01-01", "2015-11-01", "2016-02-01", + "2016-06-01", "2016-07-01", "2016-09-01", + "2017-03-01", + "2017-05-01", "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", "2018-02-01", "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", "2019-03-01", + "2019-04-01", "2019-05-01", "2019-05-10", "2019-07-01", 
@@ -34011,7 +34550,268 @@ "2022-09-01", "2023-07-01" ], + "resources": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01" + ], + "snapshots": [ + "2022-11-01-preview" + ], + "subscriptions": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01", + "2019-10-01" + ], + "subscriptions/locations": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "subscriptions/operationresults": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "subscriptions/providers": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + 
"2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "subscriptions/resourceGroups": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "subscriptions/resourcegroups/resources": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01" + ], + "subscriptions/resources": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01" + ], + "subscriptions/tagnames": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2022-09-01", + "2023-07-01" + ], + "subscriptions/tagNames/tagValues": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + 
"2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2022-09-01", + "2023-07-01" + ], + "tagNamespaceOperationResults": [ + "2023-03-01-preview" + ], + "tagnamespaces": [ + "2023-03-01-preview" + ], "tags": [ + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", "2019-10-01", "2020-06-01", "2020-08-01", @@ -34032,6 +34832,35 @@ "2021-03-01-preview", "2021-05-01", "2022-02-01" + ], + "tenants": [ + "2014-04-01-preview", + "2015-01-01", + "2015-11-01", + "2016-02-01", + "2016-06-01", + "2016-07-01", + "2016-09-01", + "2017-03-01", + "2017-05-01", + "2017-05-10", + "2017-06-01", + "2017-08-01", + "2018-01-01", + "2018-02-01", + "2018-05-01", + "2018-07-01", + "2018-08-01", + "2018-09-01", + "2018-11-01", + "2019-03-01", + "2019-04-01", + "2019-05-01", + "2019-09-01", + "2020-01-01" + ], + "validateResources": [ + "2022-06-01" ] }, "Microsoft.SaaS": { @@ -43794,7 +44623,8 @@ "2022-09-01-preview", "2022-12-01-preview", "2023-02-01-preview", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-09-01-preview" ] }, "Microsoft.VideoIndexer": { @@ -44266,9 +45096,6 @@ "2022-09-01", "2023-01-01" ], - "freeTrialStaticWebApps": [ - "2022-09-01" - ], "functionAppStacks": [ "2020-10-01", "2020-12-01", @@ -46239,12 +47066,6 @@ "2022-03-01", "2022-09-01", "2023-01-01" - ], - "workerApps": [ - "2020-12-01", - "2021-01-01", - "2021-01-15", - "2021-02-01" ] }, "Microsoft.WindowsESU": { 
@@ -46380,43 +47201,53 @@ "NewRelic.Observability": { "accounts": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "checkNameAvailability": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "locations": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "locations/operationStatuses": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "monitors": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "monitors/tagRules": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "operations": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "organizations": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "plans": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ], "registeredSubscriptions": [ "2022-07-01", - "2022-07-01-preview" + "2022-07-01-preview", + "2023-10-01-preview" ] }, "NGINX.NGINXPLUS": { @@ -46474,13 +47305,15 @@ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "firewalls/statuses": [ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "globalRulestacks": [ "2022-08-29", 
@@ -46510,31 +47343,36 @@ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "localRulestacks/certificates": [ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "localRulestacks/fqdnlists": [ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "localRulestacks/localRules": [ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "localRulestacks/prefixlists": [ "2022-08-29", "2022-08-29-preview", "2023-09-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-10-preview" ], "locations": [ "2022-08-29", From 761f3608799a8e7946c658cb56a588f61faacf3d Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Mon, 27 Nov 2023 10:42:27 +0100 Subject: [PATCH 129/178] [Utilities] Ported 2 AVM Updates back to CARML (#4263) * Performance Update 1 * ReadMe Recursion Update * Generated KeyVault ReadMes for review * Regenerated docs --- modules/aad/domain-service/README.md | 230 ++- modules/analysis-services/server/README.md | 203 +- modules/api-management/service/README.md | 266 +-- .../service/api-version-set/README.md | 4 + modules/api-management/service/api/README.md | 68 +- .../service/api/policy/README.md | 18 +- .../service/authorization-server/README.md | 74 +- .../api-management/service/backend/README.md | 36 +- .../api-management/service/cache/README.md | 39 +- .../service/identity-provider/README.md | 50 +- .../service/named-value/README.md | 28 +- .../api-management/service/policy/README.md | 17 +- .../service/portalsetting/README.md | 30 +- .../api-management/service/product/README.md | 23 +- .../service/product/api/README.md | 24 +- .../service/product/group/README.md | 24 +- .../service/subscription/README.md | 31 +- .../configuration-store/README.md | 478 +++-- .../configuration-store/key-value/README.md | 30 +- modules/app/container-app/README.md | 181 +- modules/app/job/README.md | 157 +- modules/app/managed-environment/README.md | 159 +- modules/authorization/lock/README.md | 20 +- .../lock/resource-group/README.md | 18 +- .../authorization/lock/subscription/README.md | 18 +- .../authorization/policy-assignment/README.md | 43 +- .../management-group/README.md | 41 +- .../resource-group/README.md | 42 +- .../policy-assignment/subscription/README.md | 41 +- .../authorization/policy-definition/README.md | 35 +- .../management-group/README.md | 33 +- .../policy-definition/subscription/README.md | 33 +- .../authorization/policy-exemption/README.md | 39 +- .../management-group/README.md | 36 +- .../policy-exemption/resource-group/README.md | 35 +- .../policy-exemption/subscription/README.md | 36 +- .../policy-set-definition/README.md | 35 
+- .../management-group/README.md | 33 +- .../subscription/README.md | 33 +- .../authorization/role-assignment/README.md | 36 +- .../management-group/README.md | 34 +- .../role-assignment/resource-group/README.md | 34 +- .../role-assignment/subscription/README.md | 34 +- .../authorization/role-definition/README.md | 24 +- .../management-group/README.md | 20 +- .../role-definition/resource-group/README.md | 22 +- .../role-definition/subscription/README.md | 22 +- .../automation/automation-account/README.md | 482 +++-- .../automation-account/job-schedule/README.md | 39 +- .../automation-account/module/README.md | 31 +- .../automation-account/runbook/README.md | 68 +- .../automation-account/schedule/README.md | 41 +- .../software-update-configuration/README.md | 148 +- .../automation-account/variable/README.md | 30 +- modules/batch/batch-account/README.md | 494 +++-- modules/cache/redis-enterprise/README.md | 411 ++-- .../cache/redis-enterprise/database/README.md | 87 +- modules/cache/redis/README.md | 459 +++-- modules/cdn/profile/README.md | 189 +- modules/cdn/profile/afdEndpoint/README.md | 32 +- .../cdn/profile/afdEndpoint/route/README.md | 53 +- modules/cdn/profile/customdomain/README.md | 58 +- modules/cdn/profile/endpoint/README.md | 40 +- modules/cdn/profile/endpoint/origin/README.md | 94 +- modules/cdn/profile/origingroup/README.md | 36 +- .../cdn/profile/origingroup/origin/README.md | 61 +- modules/cdn/profile/ruleset/README.md | 18 +- modules/cdn/profile/ruleset/rule/README.md | 50 +- modules/cdn/profile/secret/README.md | 54 +- modules/cognitive-services/account/README.md | 557 +++--- modules/compute/availability-set/README.md | 122 +- modules/compute/disk-encryption-set/README.md | 162 +- modules/compute/disk/README.md | 200 +- modules/compute/gallery/README.md | 121 +- modules/compute/gallery/application/README.md | 115 +- modules/compute/gallery/image/README.md | 130 +- modules/compute/image/README.md | 131 +- .../proximity-placement-group/README.md | 
122 +- modules/compute/ssh-public-key/README.md | 119 +- .../virtual-machine-scale-set/README.md | 1125 ++++++----- .../extension/README.md | 72 +- modules/compute/virtual-machine/README.md | 1760 +++++++++-------- .../virtual-machine/extension/README.md | 74 +- modules/consumption/budget/README.md | 60 +- .../container-group/README.md | 118 +- modules/container-registry/registry/README.md | 491 +++-- .../registry/cache-rules/README.md | 30 +- .../registry/replication/README.md | 31 +- .../registry/webhook/README.md | 34 +- .../managed-cluster/README.md | 373 ++-- .../managed-cluster/agent-pool/README.md | 61 +- modules/data-factory/factory/README.md | 485 +++-- .../factory/integration-runtime/README.md | 44 +- .../factory/managed-virtual-network/README.md | 16 +- .../managed-private-endpoint/README.md | 33 +- .../data-protection/backup-vault/README.md | 134 +- .../backup-vault/backup-policy/README.md | 4 + modules/databricks/access-connector/README.md | 132 +- modules/databricks/workspace/README.md | 490 +++-- .../db-for-my-sql/flexible-server/README.md | 427 ++-- .../flexible-server/administrator/README.md | 45 +- .../flexible-server/database/README.md | 30 +- .../flexible-server/firewall-rule/README.md | 29 +- .../flexible-server/README.md | 360 ++-- .../flexible-server/administrator/README.md | 47 +- .../flexible-server/configuration/README.md | 28 +- .../flexible-server/database/README.md | 30 +- .../flexible-server/firewall-rule/README.md | 29 +- .../application-group/README.md | 201 +- .../application-group/application/README.md | 47 +- .../host-pool/README.md | 223 ++- .../scaling-plan/README.md | 168 +- .../workspace/README.md | 187 +- modules/dev-test-lab/lab/README.md | 176 +- .../dev-test-lab/lab/artifactsource/README.md | 62 +- modules/dev-test-lab/lab/cost/README.md | 57 +- .../lab/notificationchannel/README.md | 75 +- .../lab/policyset/policy/README.md | 71 +- modules/dev-test-lab/lab/schedule/README.md | 77 +- 
.../dev-test-lab/lab/virtualnetwork/README.md | 44 +- .../digital-twins-instance/README.md | 448 +++-- .../endpoint--event-grid/README.md | 43 +- .../endpoint--event-hub/README.md | 50 +- .../endpoint--service-bus/README.md | 50 +- .../document-db/database-account/README.md | 473 +++-- .../gremlin-database/README.md | 19 +- .../gremlin-database/graph/README.md | 31 +- .../mongodb-database/README.md | 28 +- .../mongodb-database/collection/README.md | 45 +- .../database-account/sql-database/README.md | 31 +- .../sql-database/container/README.md | 50 +- modules/event-grid/domain/README.md | 435 ++-- modules/event-grid/domain/topic/README.md | 16 +- modules/event-grid/system-topic/README.md | 241 +-- .../system-topic/event-subscription/README.md | 49 +- modules/event-grid/topic/README.md | 433 ++-- .../topic/event-subscription/README.md | 49 +- modules/event-hub/namespace/README.md | 485 +++-- .../namespace/authorization-rule/README.md | 18 +- .../disaster-recovery-config/README.md | 18 +- .../event-hub/namespace/eventhub/README.md | 146 +- .../eventhub/authorization-rule/README.md | 25 +- .../eventhub/consumergroup/README.md | 25 +- .../namespace/network-rule-set/README.md | 19 +- modules/health-bot/health-bot/README.md | 147 +- modules/healthcare-apis/workspace/README.md | 122 +- .../workspace/dicomservice/README.md | 154 +- .../workspace/fhirservice/README.md | 246 ++- .../workspace/iotconnector/README.md | 183 +- .../iotconnector/fhirdestination/README.md | 46 +- modules/insights/action-group/README.md | 119 +- modules/insights/activity-log-alert/README.md | 112 +- modules/insights/component/README.md | 196 +- .../data-collection-endpoint/README.md | 120 +- .../insights/data-collection-rule/README.md | 151 +- modules/insights/diagnostic-setting/README.md | 33 +- modules/insights/metric-alert/README.md | 147 +- modules/insights/private-link-scope/README.md | 349 ++-- .../scoped-resource/README.md | 18 +- .../insights/scheduled-query-rule/README.md | 133 +- 
modules/insights/webtest/README.md | 166 +- modules/key-vault/vault/README.md | 444 +++-- .../key-vault/vault/access-policy/README.md | 15 +- modules/key-vault/vault/key/README.md | 115 +- modules/key-vault/vault/secret/README.md | 124 +- .../extension/README.md | 78 +- .../flux-configuration/README.md | 82 +- modules/logic/workflow/README.md | 229 ++- .../workspace/README.md | 553 +++--- .../workspace/compute/README.md | 65 +- .../maintenance-configuration/README.md | 124 +- .../user-assigned-identity/README.md | 107 +- .../federated-identity-credential/README.md | 20 +- .../registration-definition/README.md | 35 +- modules/management/management-group/README.md | 17 +- modules/net-app/net-app-account/README.md | 135 +- .../net-app-account/capacity-pool/README.md | 126 +- .../capacity-pool/volume/README.md | 138 +- .../README.md | 19 +- modules/network/application-gateway/README.md | 477 +++-- .../application-security-group/README.md | 118 +- modules/network/azure-firewall/README.md | 257 +-- modules/network/bastion-host/README.md | 206 +- modules/network/connection/README.md | 68 +- .../network/ddos-protection-plan/README.md | 118 +- .../network/dns-forwarding-ruleset/README.md | 121 +- .../forwarding-rule/README.md | 40 +- .../virtual-network-link/README.md | 17 +- modules/network/dns-resolver/README.md | 133 +- modules/network/dns-zone/README.md | 128 +- modules/network/dns-zone/a/README.md | 108 +- modules/network/dns-zone/aaaa/README.md | 108 +- modules/network/dns-zone/caa/README.md | 107 +- modules/network/dns-zone/cname/README.md | 108 +- modules/network/dns-zone/mx/README.md | 97 +- modules/network/dns-zone/ns/README.md | 97 +- modules/network/dns-zone/ptr/README.md | 97 +- modules/network/dns-zone/soa/README.md | 97 +- modules/network/dns-zone/srv/README.md | 97 +- modules/network/dns-zone/txt/README.md | 97 +- .../network/express-route-circuit/README.md | 252 +-- .../network/express-route-gateway/README.md | 135 +- 
modules/network/firewall-policy/README.md | 46 +- .../rule-collection-group/README.md | 31 +- .../README.md | 122 +- modules/network/front-door/README.md | 253 +-- modules/network/ip-group/README.md | 119 +- modules/network/load-balancer/README.md | 195 +- .../backend-address-pool/README.md | 31 +- .../load-balancer/inbound-nat-rule/README.md | 61 +- .../network/local-network-gateway/README.md | 148 +- modules/network/nat-gateway/README.md | 124 +- modules/network/network-interface/README.md | 196 +- modules/network/network-manager/README.md | 155 +- .../connectivity-configuration/README.md | 47 +- .../network-manager/network-group/README.md | 29 +- .../network-group/static-member/README.md | 27 +- .../scope-connection/README.md | 42 +- .../security-admin-configuration/README.md | 30 +- .../rule-collection/README.md | 43 +- .../rule-collection/rule/README.md | 80 +- .../network/network-security-group/README.md | 186 +- .../security-rule/README.md | 114 +- modules/network/network-watcher/README.md | 108 +- .../connection-monitor/README.md | 21 +- .../network-watcher/flow-log/README.md | 36 +- modules/network/private-dns-zone/README.md | 127 +- modules/network/private-dns-zone/a/README.md | 109 +- .../network/private-dns-zone/aaaa/README.md | 109 +- .../network/private-dns-zone/cname/README.md | 109 +- modules/network/private-dns-zone/mx/README.md | 109 +- .../network/private-dns-zone/ptr/README.md | 109 +- .../network/private-dns-zone/soa/README.md | 109 +- .../network/private-dns-zone/srv/README.md | 109 +- .../network/private-dns-zone/txt/README.md | 109 +- .../virtual-network-link/README.md | 31 +- modules/network/private-endpoint/README.md | 216 +- .../private-dns-zone-group/README.md | 28 +- .../network/private-link-service/README.md | 125 +- modules/network/public-ip-address/README.md | 210 +- modules/network/public-ip-prefix/README.md | 132 +- modules/network/route-table/README.md | 120 +- .../network/service-endpoint-policy/README.md | 121 +- 
.../network/trafficmanagerprofile/README.md | 219 +- modules/network/virtual-hub/README.md | 67 +- .../virtual-hub/hub-route-table/README.md | 29 +- .../hub-virtual-network-connection/README.md | 42 +- .../network/virtual-network-gateway/README.md | 391 ++-- .../nat-rule/README.md | 32 +- modules/network/virtual-network/README.md | 208 +- .../network/virtual-network/subnet/README.md | 106 +- .../virtual-network-peering/README.md | 33 +- modules/network/virtual-wan/README.md | 122 +- modules/network/vpn-gateway/README.md | 58 +- .../network/vpn-gateway/nat-rule/README.md | 32 +- .../vpn-gateway/vpn-connection/README.md | 41 +- modules/network/vpn-site/README.md | 138 +- .../operational-insights/workspace/README.md | 242 ++- .../workspace/data-export/README.md | 30 +- .../workspace/data-source/README.md | 80 +- .../workspace/linked-service/README.md | 32 +- .../linked-storage-account/README.md | 30 +- .../workspace/saved-search/README.md | 47 +- .../storage-insight-config/README.md | 31 +- .../workspace/table/README.md | 33 +- .../operations-management/solution/README.md | 30 +- modules/policy-insights/remediation/README.md | 37 +- .../remediation/management-group/README.md | 34 +- .../remediation/resource-group/README.md | 34 +- .../remediation/subscription/README.md | 34 +- modules/power-bi-dedicated/capacity/README.md | 147 +- modules/purview/account/README.md | 217 +- modules/recovery-services/vault/README.md | 454 +++-- .../vault/backup-config/README.md | 22 +- .../protection-container/README.md | 33 +- .../protected-item/README.md | 42 +- .../vault/backup-policy/README.md | 18 +- .../vault/backup-storage-config/README.md | 17 +- .../vault/replication-alert-setting/README.md | 18 +- .../vault/replication-fabric/README.md | 31 +- .../README.md | 31 +- .../README.md | 46 +- .../vault/replication-policy/README.md | 31 +- modules/relay/namespace/README.md | 435 ++-- .../namespace/authorization-rule/README.md | 18 +- .../namespace/hybrid-connection/README.md | 144 +- 
.../authorization-rule/README.md | 25 +- .../namespace/network-rule-set/README.md | 17 +- modules/relay/namespace/wcf-relay/README.md | 160 +- .../wcf-relay/authorization-rule/README.md | 31 +- modules/resource-graph/query/README.md | 132 +- modules/resources/deployment-script/README.md | 78 +- modules/resources/resource-group/README.md | 119 +- modules/resources/tags/README.md | 6 + .../resources/tags/resource-group/README.md | 3 + modules/resources/tags/subscription/README.md | 4 + modules/search/search-service/README.md | 450 +++-- .../shared-private-link-resource/README.md | 33 +- .../security/azure-security-center/README.md | 45 +- modules/service-bus/namespace/README.md | 486 +++-- .../namespace/authorization-rule/README.md | 18 +- .../disaster-recovery-config/README.md | 17 +- .../migration-configuration/README.md | 28 +- .../namespace/network-rule-set/README.md | 19 +- modules/service-bus/namespace/queue/README.md | 146 +- .../queue/authorization-rule/README.md | 19 +- modules/service-bus/namespace/topic/README.md | 141 +- .../topic/authorization-rule/README.md | 31 +- modules/service-fabric/cluster/README.md | 202 +- .../cluster/application-type/README.md | 16 +- modules/signal-r-service/signal-r/README.md | 361 ++-- .../signal-r-service/web-pub-sub/README.md | 370 ++-- modules/sql/managed-instance/README.md | 269 +-- .../managed-instance/administrator/README.md | 27 +- .../sql/managed-instance/database/README.md | 212 +- .../README.md | 32 +- .../README.md | 27 +- .../encryption-protector/README.md | 29 +- modules/sql/managed-instance/key/README.md | 23 +- .../security-alert-policy/README.md | 29 +- .../vulnerability-assessment/README.md | 45 +- modules/sql/server/README.md | 391 ++-- modules/sql/server/database/README.md | 137 +- .../README.md | 19 +- .../README.md | 17 +- modules/sql/server/elastic-pool/README.md | 40 +- .../sql/server/encryption-protector/README.md | 29 +- modules/sql/server/firewall-rule/README.md | 29 +- 
modules/sql/server/key/README.md | 29 +- .../server/security-alert-policy/README.md | 34 +- .../sql/server/virtual-network-rule/README.md | 37 +- .../server/vulnerability-assessment/README.md | 45 +- modules/storage/storage-account/README.md | 490 +++-- .../storage-account/blob-service/README.md | 112 +- .../blob-service/container/README.md | 115 +- .../container/immutability-policy/README.md | 30 +- .../storage-account/file-service/README.md | 100 +- .../file-service/share/README.md | 123 +- .../storage-account/local-user/README.md | 63 +- .../management-policy/README.md | 17 +- .../storage-account/queue-service/README.md | 97 +- .../queue-service/queue/README.md | 109 +- .../storage-account/table-service/README.md | 97 +- .../table-service/table/README.md | 17 +- modules/synapse/private-link-hub/README.md | 348 ++-- modules/synapse/workspace/README.md | 504 +++-- .../workspace/integration-runtime/README.md | 19 +- modules/synapse/workspace/key/README.md | 34 +- .../image-template/README.md | 180 +- modules/web/connection/README.md | 137 +- modules/web/hosting-environment/README.md | 255 ++- .../configuration--customdnssuffix/README.md | 23 +- .../configuration--networking/README.md | 18 +- modules/web/serverfarm/README.md | 209 +- modules/web/site/README.md | 521 +++-- .../README.md | 43 +- .../web/site/config--appsettings/README.md | 47 +- .../web/site/config--authsettingsv2/README.md | 30 +- .../relay/README.md | 17 +- modules/web/site/slot/README.md | 516 +++-- .../README.md | 54 +- .../site/slot/config--appsettings/README.md | 60 +- .../slot/config--authsettingsv2/README.md | 31 +- .../relay/README.md | 30 +- modules/web/static-site/README.md | 376 ++-- modules/web/static-site/config/README.md | 33 +- .../web/static-site/custom-domain/README.md | 29 +- .../web/static-site/linked-backend/README.md | 18 +- .../sharedScripts/Set-ModuleReadMe.ps1 | 357 ++-- utilities/tools/Test-ModuleLocally.ps1 | 2 +- 370 files changed, 26756 insertions(+), 17983 deletions(-) 
diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index a62f0857f9..fa2a33f667 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -330,9 +330,33 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`tlsV1`](#parameter-tlsv1) | string | The value is to enable clients making request using TLSv1. | +### Parameter: `domainName` + +The domain name specific to the Azure ADDS service. + +- Required: Yes +- Type: string + +### Parameter: `pfxCertificate` + +The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. + +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `pfxCertificatePassword` + +The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. + +- Required: No +- Type: securestring +- Default: `''` + ### Parameter: `additionalRecipients` The email recipient value to receive alerts. + - Required: No - Type: array - Default: `[]` 
@@ -340,94 +364,82 @@ The email recipient value to receive alerts. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -435,6 +447,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `domainConfigurationType` The value is to provide domain configuration type. + - Required: No - Type: string - Default: `'FullySynced'` @@ -446,15 +459,10 @@ The value is to provide domain configuration type. ] ``` -### Parameter: `domainName` - -The domain name specific to the Azure ADDS service. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -462,6 +470,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `externalAccess` The value is to enable the Secure LDAP for external services of Azure ADDS Services. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -476,6 +485,7 @@ The value is to enable the Secure LDAP for external services of Azure ADDS Servi ### Parameter: `filteredSync` The value is to synchronize scoped users and groups. + - Required: No - Type: string - Default: `'Enabled'` @@ -483,6 +493,7 @@ The value is to synchronize scoped users and groups. ### Parameter: `kerberosArmoring` The value is to enable to provide a protected channel between the Kerberos client and the KDC. + - Required: No - Type: string - Default: `'Enabled'` @@ -497,6 +508,7 @@ The value is to enable to provide a protected channel between the Kerberos clien ### Parameter: `kerberosRc4Encryption` The value is to enable Kerberos requests that use RC4 encryption. + - Required: No - Type: string - Default: `'Enabled'` @@ -511,6 +523,7 @@ The value is to enable Kerberos requests that use RC4 encryption. ### Parameter: `ldaps` A flag to determine whether or not Secure LDAP is enabled or disabled. + - Required: No - Type: string - Default: `'Enabled'` @@ -525,6 +538,7 @@ A flag to determine whether or not Secure LDAP is enabled or disabled. ### Parameter: `location` The location to deploy the Azure ADDS Services. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -532,26 +546,35 @@ The location to deploy the Azure ADDS Services. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -559,6 +582,7 @@ Optional. Specify the name of lock. ### Parameter: `name` The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. + - Required: No - Type: string - Default: `[parameters('domainName')]` @@ -566,6 +590,7 @@ The name of the AADDS resource. Defaults to the domain name specific to the Azur ### Parameter: `notifyDcAdmins` The value is to notify the DC Admins. + - Required: No - Type: string - Default: `'Enabled'` @@ -580,6 +605,7 @@ The value is to notify the DC Admins. ### Parameter: `notifyGlobalAdmins` The value is to notify the Global Admins. + - Required: No - Type: string - Default: `'Enabled'` @@ -594,6 +620,7 @@ The value is to notify the Global Admins. ### Parameter: `ntlmV1` The value is to enable clients making request using NTLM v1. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -605,23 +632,10 @@ The value is to enable clients making request using NTLM v1.
 ]
 ```
-### Parameter: `pfxCertificate`
-
-The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days.
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `pfxCertificatePassword`
-
-The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled.
-- Required: No
-- Type: securestring
-- Default: `''`
-
 ### Parameter: `replicaSets`
 Additional replica set for the managed domain.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -629,74 +643,96 @@ Additional replica set for the managed domain.
 ### Parameter: `roleAssignments`
 Array of role assignments to create.
+
 - Required: No
 - Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-### Parameter: `roleAssignments.condition`
+**Optional parameters**
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-- Required: No
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
 - Type: string
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. Version of the condition.
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
 - Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
-Optional. The description of the role assignment.
+Version of the condition.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `sku`
 The name of the SKU specific to Azure ADDS Services.
+
 - Required: No
 - Type: string
 - Default: `'Standard'`
@@ -712,6 +748,7 @@ The name of the SKU specific to Azure ADDS Services.
 ### Parameter: `syncNtlmPasswords`
 The value is to enable synchronized users to use NTLM authentication.
+
 - Required: No
 - Type: string
 - Default: `'Enabled'`
@@ -726,6 +763,7 @@ The value is to enable synchronized users to use NTLM authentication.
 ### Parameter: `syncOnPremPasswords`
 The value is to enable on-premises users to authenticate against managed domain.
+
 - Required: No
 - Type: string
 - Default: `'Enabled'`
@@ -740,12 +778,14 @@ The value is to enable on-premises users to authenticate against managed domain.
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
 ### Parameter: `tlsV1`
 The value is to enable clients making request using TLSv1.
+
 - Required: No
 - Type: string
 - Default: `'Enabled'`
diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md
index 88a08b2384..e98e2db197 100644
--- a/modules/analysis-services/server/README.md
+++ b/modules/analysis-services/server/README.md
@@ -430,117 +430,100 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {
 | [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+### Parameter: `name`
+
+The name of the Azure Analysis Services server to create.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `diagnosticSettings`
 The diagnostic settings of the service.
+
 - Required: No
 - Type: array
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
+| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
+| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
+| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.eventHubName`
-Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
+A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
 - Required: No
 - Type: string
-- Allowed: `[AzureDiagnostics, Dedicated]`
+- Allowed:
+ ```Bicep
+ [
+ 'AzureDiagnostics'
+ 'Dedicated'
+ ]
+ ```
 ### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 - Required: No
 - Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
-| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. |
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.category`
-
-Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup`
-
-Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs.
-
-- Required: No
-- Type: string
-
-
 ### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.metricCategories`
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 - Required: No
 - Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
-
-### Parameter: `diagnosticSettings.metricCategories.category`
-
-Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
-
-- Required: Yes
-- Type: string
-
-
 ### Parameter: `diagnosticSettings.name`
-Optional. The name of diagnostic setting.
+The name of diagnostic setting.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.storageAccountResourceId`
-Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.workspaceResourceId`
-Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
@@ -548,6 +531,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -555,6 +539,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `firewallSettings`
 The inbound firewall rules to define on the server. If not specified, firewall is disabled.
+
 - Required: No
 - Type: object
 - Default:
@@ -574,6 +559,7 @@ The inbound firewall rules to define on the server. If not specified, firewall i
 ### Parameter: `location`
 Location for all Resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -581,107 +567,132 @@ Location for all Resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
-### Parameter: `name`
-
-The name of the Azure Analysis Services server to create.
-- Required: Yes
-- Type: string
-
 ### Parameter: `roleAssignments`
 Array of role assignments to create.
+
 - Required: No
 - Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-### Parameter: `roleAssignments.condition`
+**Optional parameters**
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-- Required: No
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
 - Type: string
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. Version of the condition.
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
 - Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
-Optional. The description of the role assignment.
+Version of the condition.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `skuCapacity`
 The total number of query replica scale-out instances.
+
 - Required: No
 - Type: int
 - Default: `1`
@@ -689,6 +700,7 @@ The total number of query replica scale-out instances.
 ### Parameter: `skuName`
 The SKU name of the Azure Analysis Services server to create.
+
 - Required: No
 - Type: string
 - Default: `'S0'`
@@ -696,6 +708,7 @@ The SKU name of the Azure Analysis Services server to create.
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md
index fd30fb48ed..5e4a021247 100644
--- a/modules/api-management/service/README.md
+++ b/modules/api-management/service/README.md
@@ -895,9 +895,31 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
 | [`virtualNetworkType`](#parameter-virtualnetworktype) | string | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. |
 | [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. |
+### Parameter: `name`
+
+The name of the API Management service.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `publisherEmail`
+
+The email address of the owner of the service.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `publisherName`
+
+The name of the owner of the service.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `additionalLocations`
 Additional datacenter locations of the API Management service.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -905,6 +927,7 @@ Additional datacenter locations of the API Management service.
 ### Parameter: `apis`
 APIs.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -912,6 +935,7 @@ APIs.
 ### Parameter: `apiVersionSets`
 API Version Sets.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -919,6 +943,7 @@ API Version Sets.
 ### Parameter: `authorizationServers`
 Authorization servers.
+
 - Required: No
 - Type: secureObject
 - Default: `{}`
@@ -926,6 +951,7 @@ Authorization servers.
 ### Parameter: `backends`
 Backends.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -933,6 +959,7 @@ Backends.
 ### Parameter: `caches`
 Caches.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -940,6 +967,7 @@ Caches.
 ### Parameter: `certificates`
 List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -947,6 +975,7 @@ List of Certificates that need to be installed in the API Management service. Ma
 ### Parameter: `customProperties`
 Custom properties of the API Management service.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -954,114 +983,90 @@ Custom properties of the API Management service.
 ### Parameter: `diagnosticSettings`
 
 The diagnostic settings of the service.
+
 - Required: No
 - Type: array
 
+**Optional parameters**
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
+| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
|
+| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
+| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
+| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 
 ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
 
-Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.eventHubName`
 
-Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
 
-Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
+A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
 
 - Required: No
 - Type: string
-- Allowed: `[AzureDiagnostics, Dedicated]`
+- Allowed:
+  ```Bicep
+  [
+    'AzureDiagnostics'
+    'Dedicated'
+  ]
+  ```
 
 ### Parameter: `diagnosticSettings.logCategoriesAndGroups`
 
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 
 - Required: No
 - Type: array
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
-| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. |
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.category`
-
-Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup`
-
-Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs.
-
-- Required: No
-- Type: string
-
-
 ### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
 
-Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.metricCategories`
 
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 
 - Required: No
 - Type: array
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
-
-### Parameter: `diagnosticSettings.metricCategories.category`
-
-Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
-
-- Required: Yes
-- Type: string
-
-
 ### Parameter: `diagnosticSettings.name`
 
-Optional. The name of diagnostic setting.
+The name of diagnostic setting.
 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.storageAccountResourceId`
 
-Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.workspaceResourceId`
 
-Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
 - Required: No
 - Type: string
@@ -1069,6 +1074,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re
 ### Parameter: `disableGateway`
 
 Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -1076,6 +1082,7 @@ Property only valid for an API Management service deployed in multiple locations
 ### Parameter: `enableClientCertificate`
 
 Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -1083,6 +1090,7 @@ Property only meant to be used for Consumption SKU Service. This enforces a clie
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -1090,6 +1098,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `hostnameConfigurations`
 
 Custom hostname configuration of the API Management service.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1097,6 +1106,7 @@ Custom hostname configuration of the API Management service.
 ### Parameter: `identityProviders`
 
 Identity providers.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1104,6 +1114,7 @@ Identity providers.
 ### Parameter: `location`
 
 Location for all Resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -1111,26 +1122,35 @@ Location for all Resources.
 ### Parameter: `lock`
 
 The lock settings of the service.
+
 - Required: No
 - Type: object
 
+**Optional parameters**
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 
 ### Parameter: `lock.kind`
 
-Optional. Specify the type of lock.
+Specify the type of lock.
 
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+  ```Bicep
+  [
+    'CanNotDelete'
+    'None'
+    'ReadOnly'
+  ]
+  ```
 
 ### Parameter: `lock.name`
 
-Optional. Specify the name of lock.
+Specify the name of lock.
 
 - Required: No
 - Type: string
@@ -1138,25 +1158,27 @@ Optional. Specify the name of lock.
 ### Parameter: `managedIdentities`
 
 The managed identity definition for this resource.
+
 - Required: No
 - Type: object
 
+**Optional parameters**
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
 
 ### Parameter: `managedIdentities.systemAssigned`
 
-Optional. Enables system assigned managed identity on the resource.
+Enables system assigned managed identity on the resource.
 
 - Required: No
 - Type: bool
 
 ### Parameter: `managedIdentities.userAssignedResourceIds`
 
-Optional. The resource ID(s) to assign to the resource.
+The resource ID(s) to assign to the resource.
 
 - Required: No
 - Type: array
@@ -1164,19 +1186,15 @@ Optional. The resource ID(s) to assign to the resource.
 ### Parameter: `minApiVersion`
 
 Limit control plane API calls to API Management service with version equal to or newer than this value.
+
 - Required: No
 - Type: string
 - Default: `''`
 
-### Parameter: `name`
-
-The name of the API Management service.
-- Required: Yes
-- Type: string
-
 ### Parameter: `namedValues`
 
 Named values.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1184,6 +1202,7 @@ Named values.
 ### Parameter: `newGuidValue`
 
 Necessary to create a new GUID.
+
 - Required: No
 - Type: string
 - Default: `[newGuid()]`
@@ -1191,6 +1210,7 @@ Necessary to create a new GUID.
 ### Parameter: `notificationSenderEmail`
 
 The notification sender email address for the service.
+
 - Required: No
 - Type: string
 - Default: `'apimgmt-noreply@mail.windowsazure.com'`
@@ -1198,6 +1218,7 @@ The notification sender email address for the service.
 ### Parameter: `policies`
 
 Policies.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1205,6 +1226,7 @@ Policies.
 ### Parameter: `portalsettings`
 
 Portal settings.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1212,25 +1234,15 @@ Portal settings.
 ### Parameter: `products`
 
 Products.
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `publisherEmail`
-
-The email address of the owner of the service.
-- Required: Yes
-- Type: string
-
-### Parameter: `publisherName`
-
-The name of the owner of the service.
-- Required: Yes
-- Type: string
-
 ### Parameter: `restore`
 
 Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -1238,74 +1250,96 @@ Undelete API Management Service if it was previously soft-deleted. If this flag
 ### Parameter: `roleAssignments`
 
 Array of role assignments to create.
+
 - Required: No
 - Type: array
 
+**Required parameters**
 
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
|
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 
-### Parameter: `roleAssignments.condition`
+**Optional parameters**
 
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
 
-- Required: No
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
 - Type: string
 
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
 
-Optional. Version of the condition.
+The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
 
-- Required: No
+- Required: Yes
 - Type: string
-- Allowed: `[2.0]`
 
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
 
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 
 - Required: No
 - Type: string
 
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
 
-Optional. The description of the role assignment.
+Version of the condition.
 
 - Required: No
 - Type: string
+- Allowed:
+  ```Bicep
+  [
+    '2.0'
+  ]
+  ```
 
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
 
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
 
-- Required: Yes
+- Required: No
 - Type: string
 
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
 
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
 
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
 
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
 
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID.
 
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Device'
+    'ForeignGroup'
+    'Group'
+    'ServicePrincipal'
+    'User'
+  ]
+  ```
 
 ### Parameter: `sku`
 
 The pricing tier of this API Management service.
+
 - Required: No
 - Type: string
 - Default: `'Developer'`
@@ -1323,6 +1357,7 @@ The pricing tier of this API Management service.
 ### Parameter: `skuCount`
 
 The instance size of this API Management service.
+
 - Required: No
 - Type: int
 - Default: `1`
@@ -1337,6 +1372,7 @@ The instance size of this API Management service.
 ### Parameter: `subnetResourceId`
 
 The full resource ID of a subnet in a virtual network to deploy the API Management service in.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -1344,6 +1380,7 @@ The full resource ID of a subnet in a virtual network to deploy the API Manageme
 ### Parameter: `subscriptions`
 
 Subscriptions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1351,12 +1388,14 @@ Subscriptions.
 ### Parameter: `tags`
 
 Tags of the resource.
+
 - Required: No
 - Type: object
 
 ### Parameter: `virtualNetworkType`
 
 The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.
+
 - Required: No
 - Type: string
 - Default: `'None'`
@@ -1372,6 +1411,7 @@ The type of VPN in which API Management service needs to be configured in. None
 ### Parameter: `zones`
 
 A list of availability zones denoting where the resource needs to come from.
+
 - Required: No
 - Type: array
 - Default: `[]`
diff --git a/modules/api-management/service/api-version-set/README.md b/modules/api-management/service/api-version-set/README.md
index 15300dd5bf..59367616e1 100644
--- a/modules/api-management/service/api-version-set/README.md
+++ b/modules/api-management/service/api-version-set/README.md
@@ -34,12 +34,14 @@ This module deploys an API Management Service API Version Set.
 ### Parameter: `apiManagementServiceName`
 
 The name of the parent API Management service. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -47,6 +49,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `name`
 
 API Version set name.
+
 - Required: No
 - Type: string
 - Default: `'default'`
@@ -54,6 +57,7 @@ API Version set name.
 ### Parameter: `properties`
 
 API Version set properties.
+
 - Required: No
 - Type: object
 - Default: `{}`
diff --git a/modules/api-management/service/api/README.md b/modules/api-management/service/api/README.md
index a746976978..8f7687330e 100644
--- a/modules/api-management/service/api/README.md
+++ b/modules/api-management/service/api/README.md
@@ -57,22 +57,46 @@ This module deploys an API Management Service API.
 | [`value`](#parameter-value) | string | Content value when Importing an API. |
 | [`wsdlSelector`](#parameter-wsdlselector) | object | Criteria to limit import of WSDL to a subset of the document. |
 
-### Parameter: `apiDescription`
+### Parameter: `displayName`
 
-Description of the API. May include HTML formatting tags.
-- Required: No
+API name. Must be 1 to 300 characters long.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `path`
+
+Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API.
+
+- Required: Yes
 - Type: string
-- Default: `''`
 
 ### Parameter: `apiManagementServiceName`
 
 The name of the parent API Management service. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 
+### Parameter: `apiDescription`
+
+Description of the API. May include HTML formatting tags.
+
+- Required: No
+- Type: string
+- Default: `''`
+
 ### Parameter: `apiRevision`
 
 Describes the Revision of the API. If no value is provided, default revision 1 is created.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -80,6 +104,7 @@ Describes the Revision of the API. If no value is provided, default revision 1 i
 ### Parameter: `apiRevisionDescription`
 
 Description of the API Revision.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -87,6 +112,7 @@ Description of the API Revision.
 ### Parameter: `apiType`
 
 Type of API to create. * http creates a REST API * soap creates a SOAP pass-through API * websocket creates websocket API * graphql creates GraphQL API.
+
 - Required: No
 - Type: string
 - Default: `'http'`
@@ -103,6 +129,7 @@ Type of API to create. * http creates a REST API * soap creates a SOAP pass-thro
 ### Parameter: `apiVersion`
 
 Indicates the Version identifier of the API if the API is versioned.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -110,6 +137,7 @@ Indicates the Version identifier of the API if the API is versioned.
 ### Parameter: `apiVersionDescription`
 
 Description of the API Version.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -117,6 +145,7 @@ Description of the API Version.
 ### Parameter: `apiVersionSetId`
 
 Indicates the Version identifier of the API version set.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -124,19 +153,15 @@ Indicates the Version identifier of the API version set.
 ### Parameter: `authenticationSettings`
 
 Collection of authentication settings included into this API.
+
 - Required: No
 - Type: object
 - Default: `{}`
 
-### Parameter: `displayName`
-
-API name. Must be 1 to 300 characters long.
-- Required: Yes
-- Type: string
-
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -144,6 +169,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `format`
 
 Format of the Content in which the API is getting imported.
+
 - Required: No
 - Type: string
 - Default: `'openapi'`
@@ -166,25 +192,15 @@ Format of the Content in which the API is getting imported.
 ### Parameter: `isCurrent`
 
 Indicates if API revision is current API revision.
+
 - Required: No
 - Type: bool
 - Default: `True`
 
-### Parameter: `name`
-
-API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number.
-- Required: Yes
-- Type: string
-
-### Parameter: `path`
-
-Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API.
-- Required: Yes
-- Type: string
-
 ### Parameter: `policies`
 
 Array of Policies to apply to the Service API.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -192,6 +208,7 @@ Array of Policies to apply to the Service API.
 ### Parameter: `protocols`
 
 Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS.
+
 - Required: No
 - Type: array
 - Default:
@@ -204,6 +221,7 @@ Describes on which protocols the operations in this API can be invoked. - HTTP o
 ### Parameter: `serviceUrl`
 
 Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -211,6 +229,7 @@ Absolute URL of the backend service implementing this API. Cannot be more than 2
 ### Parameter: `sourceApiId`
 
 API identifier of the source API.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -218,6 +237,7 @@ API identifier of the source API.
 ### Parameter: `subscriptionKeyParameterNames`
 
 Protocols over which API is made available.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -225,6 +245,7 @@ Protocols over which API is made available.
 ### Parameter: `subscriptionRequired`
 
 Specifies whether an API or Product subscription is required for accessing the API.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -232,6 +253,7 @@ Specifies whether an API or Product subscription is required for accessing the A
 ### Parameter: `type`
 
 Type of API.
+
 - Required: No
 - Type: string
 - Default: `'http'`
@@ -248,6 +270,7 @@ Type of API.
 ### Parameter: `value`
 
 Content value when Importing an API.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -255,6 +278,7 @@ Content value when Importing an API.
 ### Parameter: `wsdlSelector`
 
 Criteria to limit import of WSDL to a subset of the document.
+
 - Required: No
 - Type: object
 - Default: `{}`
diff --git a/modules/api-management/service/api/policy/README.md b/modules/api-management/service/api/policy/README.md
index da2b69af2c..aa6e2a665e 100644
--- a/modules/api-management/service/api/policy/README.md
+++ b/modules/api-management/service/api/policy/README.md
@@ -38,21 +38,31 @@ This module deploys an API Management Service API Policy.
 | [`format`](#parameter-format) | string | Format of the policyContent. |
 | [`name`](#parameter-name) | string | The name of the policy. |
 
+### Parameter: `value`
+
+Contents of the Policy as defined by the format.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `apiManagementServiceName`
 
 The name of the parent API Management service. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 
 ### Parameter: `apiName`
 
 The name of the parent API. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -60,6 +70,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `format`
 
 Format of the policyContent.
+
 - Required: No
 - Type: string
 - Default: `'xml'`
@@ -76,16 +87,11 @@ Format of the policyContent.
 ### Parameter: `name`
 
 The name of the policy.
+
 - Required: No
 - Type: string
 - Default: `'policy'`
 
-### Parameter: `value`
-
-Contents of the Policy as defined by the format.
-- Required: Yes
-- Type: string
-
 
 
 ## Outputs
diff --git a/modules/api-management/service/authorization-server/README.md b/modules/api-management/service/authorization-server/README.md
index 9f9569411e..9c72d842e4 100644
--- a/modules/api-management/service/authorization-server/README.md
+++ b/modules/api-management/service/authorization-server/README.md
@@ -50,21 +50,52 @@ This module deploys an API Management Service Authorization Server. | [`tokenBodyParameters`](#parameter-tokenbodyparameters) | array | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. | | [`tokenEndpoint`](#parameter-tokenendpoint) | string | OAuth token endpoint. Contains absolute URI to entity being referenced. | -### Parameter: `apiManagementServiceName` +### Parameter: `authorizationEndpoint` + +OAuth authorization endpoint. See . -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `authorizationEndpoint` +### Parameter: `clientId` + +Client or app ID registered with this authorization server. + +- Required: Yes +- Type: securestring + +### Parameter: `clientSecret` + +Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. + +- Required: Yes +- Type: securestring + +### Parameter: `grantTypes` + +Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. + +- Required: Yes +- Type: array + +### Parameter: `name` + +Identifier of the authorization server. + +- Required: Yes +- Type: string + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. -OAuth authorization endpoint. See . - Required: Yes - Type: string ### Parameter: `authorizationMethods` HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. + - Required: No - Type: array - Default: 
@@ -77,6 +108,7 @@ HTTP verbs supported by the authorization endpoint. GET must be always present. ### Parameter: `bearerTokenSendingMethods` Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. + - Required: No - Type: array - Default:
@@ -89,6 +121,7 @@ Specifies the mechanism by which access token is passed to the API. - authorizat ### Parameter: `clientAuthenticationMethod` Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. + - Required: No - Type: array - Default:
@@ -98,28 +131,18 @@ Method of authentication supported by the token endpoint of this authorization s ] ``` -### Parameter: `clientId` - -Client or app ID registered with this authorization server. -- Required: Yes -- Type: securestring - ### Parameter: `clientRegistrationEndpoint` Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. + - Required: No - Type: string - Default: `''` -### Parameter: `clientSecret` - -Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. -- Required: Yes -- Type: securestring - ### Parameter: `defaultScope` Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. + - Required: No - Type: string - Default: `''` 
@@ -127,25 +150,15 @@ Access token scope that is going to be requested by default. Can be overridden a ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `grantTypes` - -Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. -- Required: Yes -- Type: array - -### Parameter: `name` - -Identifier of the authorization server. -- Required: Yes -- Type: string - ### Parameter: `resourceOwnerPassword` Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. + - Required: No - Type: string - Default: `''`
@@ -153,6 +166,7 @@ Can be optionally specified when resource owner password grant type is supported ### Parameter: `resourceOwnerUsername` Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. + - Required: No - Type: string - Default: `''`
@@ -160,6 +174,7 @@ Can be optionally specified when resource owner password grant type is supported ### Parameter: `serverDescription` Description of the authorization server. Can contain HTML formatting tags. + - Required: No - Type: string - Default: `''`
@@ -167,6 +182,7 @@ Description of the authorization server. Can contain HTML formatting tags. ### Parameter: `supportState` If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. + - Required: No - Type: bool - Default: `False` 
@@ -174,6 +190,7 @@ If true, authorization server will include state parameter from the authorizatio ### Parameter: `tokenBodyParameters` Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. + - Required: No - Type: array - Default: `[]`
@@ -181,6 +198,7 @@ Additional parameters required by the token endpoint of this authorization serve ### Parameter: `tokenEndpoint` OAuth token endpoint. Contains absolute URI to entity being referenced. + - Required: No - Type: string - Default: `''`
diff --git a/modules/api-management/service/backend/README.md b/modules/api-management/service/backend/README.md
index 4307963bdb..fd4dd42342 100644
--- a/modules/api-management/service/backend/README.md
+++ b/modules/api-management/service/backend/README.md
@@ -45,15 +45,31 @@ This module deploys an API Management Service Backend. | [`title`](#parameter-title) | string | Backend Title. | | [`tls`](#parameter-tls) | object | Backend TLS Properties. | +### Parameter: `name` + +Backend Name. + +- Required: Yes +- Type: string + +### Parameter: `url` + +Runtime URL of the Backend. + +- Required: Yes +- Type: string + ### Parameter: `apiManagementServiceName` The name of the parent API Management service. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `credentials` Backend Credentials Contract Properties. + - Required: No - Type: object - Default: `{}`
@@ -61,6 +77,7 @@ Backend Credentials Contract Properties. ### Parameter: `description` Backend Description. + - Required: No - Type: string - Default: `''` 
@@ -68,19 +85,15 @@ Backend Description. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -Backend Name. -- Required: Yes -- Type: string - ### Parameter: `protocol` Backend communication protocol. - http or soap. + - Required: No - Type: string - Default: `'http'`
@@ -88,6 +101,7 @@ Backend communication protocol. - http or soap. ### Parameter: `proxy` Backend Proxy Contract Properties. + - Required: No - Type: object - Default: `{}`
@@ -95,6 +109,7 @@ Backend Proxy Contract Properties. ### Parameter: `resourceId` Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. + - Required: No - Type: string - Default: `''`
@@ -102,6 +117,7 @@ Management Uri of the Resource in External System. This URL can be the Arm Resou ### Parameter: `serviceFabricCluster` Backend Service Fabric Cluster Properties. + - Required: No - Type: object - Default: `{}`
@@ -109,6 +125,7 @@ Backend Service Fabric Cluster Properties. ### Parameter: `title` Backend Title. + - Required: No - Type: string - Default: `''`
@@ -116,6 +133,7 @@ Backend Title. ### Parameter: `tls` Backend TLS Properties. + - Required: No - Type: object - Default:
@@ -126,12 +144,6 @@ Backend TLS Properties. } ``` -### Parameter: `url` - -Runtime URL of the Backend. -- Required: Yes -- Type: string - ## Outputs
diff --git a/modules/api-management/service/cache/README.md b/modules/api-management/service/cache/README.md
index 3bc84b82c2..31c4f02a3c 100644
--- a/modules/api-management/service/cache/README.md
+++ b/modules/api-management/service/cache/README.md 
@@ -39,21 +39,38 @@ This module deploys an API Management Service Cache. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`resourceId`](#parameter-resourceid) | string | Original uri of entity in external system cache points to. | -### Parameter: `apiManagementServiceName` +### Parameter: `connectionString` + +Runtime connection string to cache. Can be referenced by a named value like so, {{}}. -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `connectionString` +### Parameter: `name` + +Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). + +- Required: Yes +- Type: string + +### Parameter: `useFromLocation` + +Location identifier to use cache from (should be either 'default' or valid Azure region identifier). + +- Required: Yes +- Type: string + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. -Runtime connection string to cache. Can be referenced by a named value like so, {{}}. - Required: Yes - Type: string ### Parameter: `description` Cache description. + - Required: No - Type: string - Default: `''` 
@@ -61,29 +78,19 @@ Cache description. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). -- Required: Yes -- Type: string - ### Parameter: `resourceId` Original uri of entity in external system cache points to. + - Required: No - Type: string - Default: `''` -### Parameter: `useFromLocation` - -Location identifier to use cache from (should be either 'default' or valid Azure region identifier). -- Required: Yes -- Type: string - ## Outputs
diff --git a/modules/api-management/service/identity-provider/README.md b/modules/api-management/service/identity-provider/README.md
index e276d5e7d3..3cd1e42cce 100644
--- a/modules/api-management/service/identity-provider/README.md
+++ b/modules/api-management/service/identity-provider/README.md 
@@ -46,29 +46,24 @@ This module deploys an API Management Service Identity Provider. | [`signUpPolicyName`](#parameter-signuppolicyname) | string | Signup Policy Name. Only applies to AAD B2C Identity Provider. | | [`type`](#parameter-type) | string | Identity Provider Type identifier. | -### Parameter: `allowedTenants` - -List of Allowed Tenants when configuring Azure Active Directory login. - string. -- Required: No -- Type: array -- Default: `[]` +### Parameter: `name` -### Parameter: `apiManagementServiceName` +Identity provider name. -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `authority` +### Parameter: `apiManagementServiceName` -OpenID Connect discovery endpoint hostname for AAD or AAD B2C. -- Required: No +The name of the parent API Management service. Required if the template is used in a standalone deployment. + +- Required: Yes - Type: string -- Default: `''` ### Parameter: `clientId` Client ID of the Application in the external Identity Provider. Required if identity provider is used. + - Required: No - Type: string - Default: `''`
@@ -76,13 +71,31 @@ Client ID of the Application in the external Identity Provider. Required if iden ### Parameter: `clientSecret` Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. + - Required: No - Type: securestring - Default: `''` +### Parameter: `allowedTenants` + +List of Allowed Tenants when configuring Azure Active Directory login. - string. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `authority` + +OpenID Connect discovery endpoint hostname for AAD or AAD B2C. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -90,19 +103,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableIdentityProviders` Used to enable the deployment of the identityProviders child resource. + - Required: No - Type: bool - Default: `False` -### Parameter: `name` - -Identity provider name. -- Required: Yes -- Type: string - ### Parameter: `passwordResetPolicyName` Password Reset Policy Name. Only applies to AAD B2C Identity Provider. + - Required: No - Type: string - Default: `''`
@@ -110,6 +119,7 @@ Password Reset Policy Name. Only applies to AAD B2C Identity Provider. ### Parameter: `profileEditingPolicyName` Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. + - Required: No - Type: string - Default: `''`
@@ -117,6 +127,7 @@ Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. ### Parameter: `signInPolicyName` Signin Policy Name. Only applies to AAD B2C Identity Provider. + - Required: No - Type: string - Default: `''`
@@ -124,6 +135,7 @@ Signin Policy Name. Only applies to AAD B2C Identity Provider. ### Parameter: `signInTenant` The TenantId to use instead of Common when logging into Active Directory. + - Required: No - Type: string - Default: `''`
@@ -131,6 +143,7 @@ The TenantId to use instead of Common when logging into Active Directory. ### Parameter: `signUpPolicyName` Signup Policy Name. Only applies to AAD B2C Identity Provider. + - Required: No - Type: string - Default: `''`
@@ -138,6 +151,7 @@ Signup Policy Name. Only applies to AAD B2C Identity Provider. ### Parameter: `type` Identity Provider Type identifier. + - Required: No - Type: string - Default: `'aad'`
diff --git a/modules/api-management/service/named-value/README.md b/modules/api-management/service/named-value/README.md
index a10dbe60dc..a34ff1560b 100644
--- a/modules/api-management/service/named-value/README.md
+++ b/modules/api-management/service/named-value/README.md 
@@ -41,21 +41,31 @@ This module deploys an API Management Service Named Value. | [`tags`](#parameter-tags) | array | Tags that when provided can be used to filter the NamedValue list. - string. | | [`value`](#parameter-value) | string | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. | -### Parameter: `apiManagementServiceName` +### Parameter: `displayName` + +Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `displayName` +### Parameter: `name` + +Named value Name. + +- Required: Yes +- Type: string + +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. -Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True`
@@ -63,19 +73,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `keyVault` KeyVault location details of the namedValue. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Named value Name. -- Required: Yes -- Type: string - ### Parameter: `secret` Determines whether the value is a secret and should be encrypted or not. Default value is false. + - Required: No - Type: bool - Default: `False` 
@@ -83,12 +89,14 @@ Determines whether the value is a secret and should be encrypted or not. Default ### Parameter: `tags` Tags that when provided can be used to filter the NamedValue list. - string. + - Required: No - Type: array ### Parameter: `value` Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. + - Required: No - Type: string - Default: `[newGuid()]`
diff --git a/modules/api-management/service/policy/README.md b/modules/api-management/service/policy/README.md
index 6828ee1678..6b8af635b3 100644
--- a/modules/api-management/service/policy/README.md
+++ b/modules/api-management/service/policy/README.md
@@ -37,15 +37,24 @@ This module deploys an API Management Service Policy. | [`format`](#parameter-format) | string | Format of the policyContent. | | [`name`](#parameter-name) | string | The name of the policy. | +### Parameter: `value` + +Contents of the Policy as defined by the format. + +- Required: Yes +- Type: string + ### Parameter: `apiManagementServiceName` The name of the parent API Management service. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True`
@@ -53,6 +62,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `format` Format of the policyContent. + - Required: No - Type: string - Default: `'xml'`
@@ -69,16 +79,11 @@ Format of the policyContent. ### Parameter: `name` The name of the policy. + - Required: No - Type: string - Default: `'policy'` -### Parameter: `value` - -Contents of the Policy as defined by the format. -- Required: Yes -- Type: string - ## Outputs 
diff --git a/modules/api-management/service/portalsetting/README.md b/modules/api-management/service/portalsetting/README.md
index 18168fd945..05641fe1d1 100644
--- a/modules/api-management/service/portalsetting/README.md
+++ b/modules/api-management/service/portalsetting/README.md
@@ -36,22 +36,10 @@ This module deploys an API Management Service Portal Setting. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`properties`](#parameter-properties) | object | Portal setting properties. | -### Parameter: `apiManagementServiceName` - -The name of the parent API Management service. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` Portal setting name. + - Required: Yes - Type: string - Allowed:
@@ -63,9 +51,25 @@ Portal setting name. ] ``` +### Parameter: `apiManagementServiceName` + +The name of the parent API Management service. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `properties` Portal setting properties. + - Required: No - Type: object - Default: `{}`
diff --git a/modules/api-management/service/product/README.md b/modules/api-management/service/product/README.md
index 03ba03cf8b..faea3e798b 100644
--- a/modules/api-management/service/product/README.md
+++ b/modules/api-management/service/product/README.md 
@@ -45,15 +45,24 @@ This module deploys an API Management Service Product. | [`subscriptionsLimit`](#parameter-subscriptionslimit) | int | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. | | [`terms`](#parameter-terms) | string | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. | +### Parameter: `name` + +Product Name. + +- Required: Yes +- Type: string + ### Parameter: `apiManagementServiceName` The name of the parent API Management service. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `apis` Array of Product APIs. + - Required: No - Type: array - Default: `[]`
@@ -61,6 +70,7 @@ Array of Product APIs. ### Parameter: `approvalRequired` Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. + - Required: No - Type: bool - Default: `False`
@@ -68,6 +78,7 @@ Whether subscription approval is required. If false, new subscriptions will be a ### Parameter: `description` Product description. May include HTML formatting tags. + - Required: No - Type: string - Default: `''`
@@ -75,6 +86,7 @@ Product description. May include HTML formatting tags. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -82,19 +94,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `groups` Array of Product Groups. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -Product Name. -- Required: Yes -- Type: string - ### Parameter: `state` whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. + - Required: No - Type: string - Default: `'published'`
@@ -102,6 +110,7 @@ whether product is published or not. Published products are discoverable by user ### Parameter: `subscriptionRequired` Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. + - Required: No - Type: bool - Default: `False`
@@ -109,6 +118,7 @@ Whether a product subscription is required for accessing APIs included in this p ### Parameter: `subscriptionsLimit` Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. + - Required: No - Type: int - Default: `1`
@@ -116,6 +126,7 @@ Whether the number of subscriptions a user can have to this product at the same ### Parameter: `terms` Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. + - Required: No - Type: string - Default: `''` 
diff --git a/modules/api-management/service/product/api/README.md b/modules/api-management/service/product/api/README.md
index 3ae7df516b..67e3cbc13c 100644
--- a/modules/api-management/service/product/api/README.md
+++ b/modules/api-management/service/product/api/README.md
@@ -36,31 +36,35 @@ This module deploys an API Management Service Product API. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `apiManagementServiceName` +### Parameter: `name` + +Name of the product API. -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `apiManagementServiceName` -### Parameter: `name` +The name of the parent API Management service. Required if the template is used in a standalone deployment. -Name of the product API. - Required: Yes - Type: string ### Parameter: `productName` The name of the parent Product. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs
diff --git a/modules/api-management/service/product/group/README.md b/modules/api-management/service/product/group/README.md
index 943378da28..b5d1cf7d8d 100644
--- a/modules/api-management/service/product/group/README.md
+++ b/modules/api-management/service/product/group/README.md 
@@ -36,31 +36,35 @@ This module deploys an API Management Service Product Group. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `apiManagementServiceName` +### Parameter: `name` + +Name of the product group. -The name of the parent API Management service. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `apiManagementServiceName` -### Parameter: `name` +The name of the parent API Management service. Required if the template is used in a standalone deployment. -Name of the product group. - Required: Yes - Type: string ### Parameter: `productName` The name of the parent Product. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs
diff --git a/modules/api-management/service/subscription/README.md b/modules/api-management/service/subscription/README.md
index 81c7f5c71b..a140d3d3a6 100644
--- a/modules/api-management/service/subscription/README.md
+++ b/modules/api-management/service/subscription/README.md 
@@ -41,35 +41,40 @@ This module deploys an API Management Service Subscription. | [`secondaryKey`](#parameter-secondarykey) | string | Secondary subscription key. If not specified during request key will be generated automatically. | | [`state`](#parameter-state) | string | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. | -### Parameter: `allowTracing` +### Parameter: `name` -Determines whether tracing can be enabled. -- Required: No -- Type: bool -- Default: `True` +Subscription name. + +- Required: Yes +- Type: string ### Parameter: `apiManagementServiceName` The name of the parent API Management service. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `enableDefaultTelemetry` +### Parameter: `allowTracing` + +Determines whether tracing can be enabled. -Enable telemetry via a Globally Unique Identifier (GUID). - Required: No - Type: bool - Default: `True` -### Parameter: `name` +### Parameter: `enableDefaultTelemetry` -Subscription name. -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ### Parameter: `ownerId` User (user ID path) for whom subscription is being created in form /users/{userId}. + - Required: No - Type: string - Default: `''` 
@@ -77,6 +82,7 @@ User (user ID path) for whom subscription is being created in form /users/{userI ### Parameter: `primaryKey` Primary subscription key. If not specified during request key will be generated automatically. + - Required: No - Type: string - Default: `''`
@@ -84,6 +90,7 @@ Primary subscription key. If not specified during request key will be generated ### Parameter: `scope` Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". + - Required: No - Type: string - Default: `'/apis'`
@@ -91,6 +98,7 @@ Scope type to choose between a product, "allAPIs" or a specific API. Scope like ### Parameter: `secondaryKey` Secondary subscription key. If not specified during request key will be generated automatically. + - Required: No - Type: string - Default: `''`
@@ -98,6 +106,7 @@ Secondary subscription key. If not specified during request key will be generate ### Parameter: `state` Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. + - Required: No - Type: string - Default: `''`
diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md
index 990cfe2b51..e9f8d2f80e 100644
--- a/modules/app-configuration/configuration-store/README.md
+++ b/modules/app-configuration/configuration-store/README.md 
@@ -734,9 +734,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Azure App Configuration. + +- Required: Yes +- Type: string + ### Parameter: `createMode` Indicates whether the configuration store need to be recovered. + - Required: No - Type: string - Default: `'Default'` 
@@ -751,41 +759,48 @@ Indicates whether the configuration store need to be recovered. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. 
The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -793,114 +808,90 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -908,6 +899,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` Disables all authentication methods other than AAD authentication. + - Required: No - Type: bool - Default: `False` @@ -915,6 +907,7 @@ Disables all authentication methods other than AAD authentication. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -922,6 +915,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enablePurgeProtection` Property specifying whether protection against purge is enabled for this configuration store. + - Required: No - Type: bool - Default: `False` @@ -929,6 +923,7 @@ Property specifying whether protection against purge is enabled for this configu ### Parameter: `keyValues` All Key / Values to create. Requires local authentication to be enabled. + - Required: No - Type: array - Default: `[]` @@ -936,6 +931,7 @@ All Key / Values to create. Requires local authentication to be enabled. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -943,26 +939,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -970,229 +975,275 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the Azure App Configuration. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. 
| -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -Optional. Application security groups in which the private endpoint IP configuration is included. +**Optional parameters** -- Required: No -- Type: array +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. 
| +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -### Parameter: `privateEndpoints.customDnsConfigs` +### Parameter: `privateEndpoints.subnetResourceId` -Optional. Custom DNS configurations. +Resource ID of the subnet where the endpoint needs to be created. -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. 
A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. 
-### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -1200,6 +1251,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` 
@@ -1215,74 +1267,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sku` Pricing tier of App Configuration. + - Required: No - Type: string - Default: `'Standard'` @@ -1297,6 +1371,7 @@ Pricing tier of App Configuration. ### Parameter: `softDeleteRetentionInDays` The amount of time in days that the configuration store will be retained when it is soft deleted. + - Required: No - Type: int - Default: `1` @@ -1304,6 +1379,7 @@ The amount of time in days that the configuration store will be retained when it ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/app-configuration/configuration-store/key-value/README.md b/modules/app-configuration/configuration-store/key-value/README.md index bf6dd94639..6f6a67e760 100644 --- a/modules/app-configuration/configuration-store/key-value/README.md +++ b/modules/app-configuration/configuration-store/key-value/README.md @@ -38,15 +38,31 @@ This module deploys an App Configuration Store Key Value. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the key. + +- Required: Yes +- Type: string + +### Parameter: `value` + +Name of the value. + +- Required: Yes +- Type: string + ### Parameter: `appConfigurationName` The name of the parent app configuration store. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `contentType` The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. + - Required: No - Type: string - Default: `''` 
@@ -54,28 +70,18 @@ The content type of the key-values value. Providing a proper content-type can en ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -Name of the key. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `value` - -Name of the value. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index 6f88154a11..3c53161686 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -487,9 +487,31 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { | [`volumes`](#parameter-volumes) | array | List of volume definitions for the Container App. | | [`workloadProfileType`](#parameter-workloadprofiletype) | string | Workload profile type to pin for container app execution. | +### Parameter: `containers` + +List of container definitions for the Container App. + +- Required: Yes +- Type: array + +### Parameter: `environmentId` + +Resource ID of environment. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the Container App. + +- Required: Yes +- Type: string + ### Parameter: `activeRevisionsMode` ActiveRevisionsMode controls how active revisions are handled for the Container app. + - Required: No - Type: string - Default: `'Single'` @@ -501,15 +523,10 @@ ActiveRevisionsMode controls how active revisions are handled for the Container ] ``` -### Parameter: `containers` - -List of container definitions for the Container App. -- Required: Yes -- Type: array - ### Parameter: `customDomains` Custom domain bindings for Container App hostnames. + - Required: No - Type: array - Default: `[]` 
@@ -517,6 +534,7 @@ Custom domain bindings for Container App hostnames. ### Parameter: `dapr` Dapr configuration for the Container App. + - Required: No - Type: object - Default: `{}` @@ -524,19 +542,15 @@ Dapr configuration for the Container App. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `environmentId` - -Resource ID of environment. -- Required: Yes -- Type: string - ### Parameter: `exposedPort` Exposed Port in containers for TCP traffic from ingress. + - Required: No - Type: int - Default: `0` @@ -544,6 +558,7 @@ Exposed Port in containers for TCP traffic from ingress. ### Parameter: `ingressAllowInsecure` Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections. + - Required: No - Type: bool - Default: `True` @@ -551,6 +566,7 @@ Bool indicating if HTTP connections to is allowed. If set to false HTTP connecti ### Parameter: `ingressExternal` Bool indicating if app exposes an external http endpoint. + - Required: No - Type: bool - Default: `True` @@ -558,6 +574,7 @@ Bool indicating if app exposes an external http endpoint. ### Parameter: `ingressTargetPort` Target Port in containers for traffic from ingress. + - Required: No - Type: int - Default: `80` @@ -565,6 +582,7 @@ Target Port in containers for traffic from ingress. ### Parameter: `ingressTransport` Ingress transport protocol. + - Required: No - Type: string - Default: `'auto'` @@ -581,6 +599,7 @@ Ingress transport protocol. ### Parameter: `initContainersTemplate` List of specialized containers that run before app containers. + - Required: No - Type: array - Default: `[]` @@ -588,6 +607,7 @@ List of specialized containers that run before app containers. ### Parameter: `ipSecurityRestrictions` Rules to restrict incoming IP address. + - Required: No - Type: array - Default: `[]` 
@@ -595,6 +615,7 @@ Rules to restrict incoming IP address. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -602,26 +623,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -629,25 +659,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -655,19 +687,15 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `maxInactiveRevisions` Max inactive revisions a Container App can have. + - Required: No - Type: int - Default: `0` -### Parameter: `name` - -Name of the Container App. -- Required: Yes -- Type: string - ### Parameter: `registries` Collection of private container registry credentials for containers used by the Container app. + - Required: No - Type: array - Default: `[]` 
@@ -675,6 +703,7 @@ Collection of private container registry credentials for containers used by the ### Parameter: `revisionSuffix` User friendly suffix that is appended to the revision name. + - Required: No - Type: string - Default: `''` 
@@ -682,74 +711,96 @@ User friendly suffix that is appended to the revision name. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. 
-- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scaleMaxReplicas` Maximum number of container replicas. Defaults to 10 if not set. + - Required: No - Type: int - Default: `1` @@ -757,6 +808,7 @@ Maximum number of container replicas. Defaults to 10 if not set. ### Parameter: `scaleMinReplicas` Minimum number of container replicas. + - Required: No - Type: int - Default: `0` @@ -764,6 +816,7 @@ Minimum number of container replicas. ### Parameter: `scaleRules` Scaling rules. + - Required: No - Type: array - Default: `[]` @@ -771,6 +824,7 @@ Scaling rules. ### Parameter: `secrets` The secrets of the Container App. + - Required: No - Type: secureObject - Default: `{}` @@ -778,12 +832,14 @@ The secrets of the Container App. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `trafficLabel` Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes. + - Required: No - Type: string - Default: `'label-1'` @@ -791,6 +847,7 @@ Associates a traffic label with a revision. Label name should be consist of lowe ### Parameter: `trafficLatestRevision` Indicates that the traffic weight belongs to a latest stable revision. + - Required: No - Type: bool - Default: `True` @@ -798,6 +855,7 @@ Indicates that the traffic weight belongs to a latest stable revision. ### Parameter: `trafficRevisionName` Name of a revision. + - Required: No - Type: string - Default: `''` 
@@ -805,6 +863,7 @@ Name of a revision. ### Parameter: `trafficWeight` Traffic weight assigned to a revision. + - Required: No - Type: int - Default: `100` @@ -812,6 +871,7 @@ Traffic weight assigned to a revision. ### Parameter: `volumes` List of volume definitions for the Container App. + - Required: No - Type: array - Default: `[]` @@ -819,6 +879,7 @@ List of volume definitions for the Container App. ### Parameter: `workloadProfileType` Workload profile type to pin for container app execution. + - Required: No - Type: string - Default: `''` diff --git a/modules/app/job/README.md b/modules/app/job/README.md index cd12e8e51d..c041013706 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -548,25 +548,36 @@ module job 'br:bicep/modules/app.job:1.0.0' = { ### Parameter: `containers` List of container definitions for the Container App. + - Required: Yes - Type: array +### Parameter: `environmentId` + +Resource ID of environment. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the Container App. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `environmentId` - -Resource ID of environment. -- Required: Yes -- Type: string - ### Parameter: `eventTriggerConfig` Required if TriggerType is Event. Configuration of an event driven job. + - Required: No - Type: object - Default: `{}` @@ -574,6 +585,7 @@ Required if TriggerType is Event. Configuration of an event driven job. ### Parameter: `initContainersTemplate` List of specialized containers that run before app containers. + - Required: No - Type: array - Default: `[]` @@ -581,6 +593,7 @@ List of specialized containers that run before app containers. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -588,26 +601,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -615,25 +637,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - Required: No - Type: array 
@@ -641,19 +665,15 @@ Optional. The resource ID(s) to assign to the resource. Required if a user assig ### Parameter: `manualTriggerConfig` Required if TriggerType is Manual. Configuration of a manual job. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Name of the Container App. -- Required: Yes -- Type: string - ### Parameter: `registries` Collection of private container registry credentials for containers used by the Container app. + - Required: No - Type: array - Default: `[]` @@ -661,6 +681,7 @@ Collection of private container registry credentials for containers used by the ### Parameter: `replicaRetryLimit` The maximum number of times a replica can be retried. + - Required: No - Type: int - Default: `0` @@ -668,6 +689,7 @@ The maximum number of times a replica can be retried. ### Parameter: `replicaTimeout` Maximum number of seconds a replica is allowed to run. + - Required: No - Type: int - Default: `1800` 
@@ -675,74 +697,96 @@ Maximum number of seconds a replica is allowed to run. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource ID of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource ID of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource ID of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource ID of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scheduleTriggerConfig` Required if TriggerType is Schedule. Configuration of a schedule based job. + - Required: No - Type: object - Default: `{}` @@ -750,6 +794,7 @@ Required if TriggerType is Schedule. Configuration of a schedule based job. ### Parameter: `secrets` The secrets of the Container App. + - Required: No - Type: secureObject - Default: `{}` @@ -757,6 +802,7 @@ The secrets of the Container App. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object - Default: `{}` @@ -764,6 +810,7 @@ Tags of the resource. ### Parameter: `triggerType` Trigger type of the job. + - Required: Yes - Type: string - Allowed: @@ -778,6 +825,7 @@ Trigger type of the job. ### Parameter: `volumes` List of volume definitions for the Container App. + - Required: No - Type: array - Default: `[]` @@ -785,6 +833,7 @@ List of volume definitions for the Container App. ### Parameter: `workloadProfileName` The name of the workload profile to use. + - Required: No - Type: string - Default: `'Consumption'` diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 913062b3a2..d044d9f6fa 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md 
@@ -319,9 +319,32 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this Managed Environment is zone-redundant. | +### Parameter: `logAnalyticsWorkspaceResourceId` + +Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the Container Apps Managed Environment. + +- Required: Yes +- Type: string + +### Parameter: `infrastructureSubnetId` + +Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `certificatePassword` Password of the certificate used by the custom domain. + - Required: No - Type: securestring - Default: `''` @@ -329,6 +352,7 @@ Password of the certificate used by the custom domain. ### Parameter: `certificateValue` Certificate to use for the custom domain. PFX or PEM. + - Required: No - Type: securestring - Default: `''` @@ -336,6 +360,7 @@ Certificate to use for the custom domain. PFX or PEM. ### Parameter: `daprAIConnectionString` Application Insights connection string used by Dapr to export Service to Service communication telemetry. + - Required: No - Type: securestring - Default: `''` 
@@ -343,6 +368,7 @@ Application Insights connection string used by Dapr to export Service to Service ### Parameter: `daprAIInstrumentationKey` Azure Monitor instrumentation key used by Dapr to export Service to Service communication telemetry. + - Required: No - Type: securestring - Default: `''` @@ -350,6 +376,7 @@ Azure Monitor instrumentation key used by Dapr to export Service to Service comm ### Parameter: `dnsSuffix` DNS suffix for the environment domain. + - Required: No - Type: string - Default: `''` @@ -357,6 +384,7 @@ DNS suffix for the environment domain. ### Parameter: `dockerBridgeCidr` CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. + - Required: No - Type: string - Default: `''` @@ -364,19 +392,14 @@ CIDR notation IP range assigned to the Docker bridge, network. It must not overl ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: Yes - Type: bool -### Parameter: `infrastructureSubnetId` - -Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if "internal" is set to true. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `internal` Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. + - Required: No - Type: bool - Default: `False` @@ -384,6 +407,7 @@ Boolean indicating the environment only has an internal load balancer. These env ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -391,52 +415,51 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `logAnalyticsWorkspaceResourceId` - -Existing Log Analytics Workspace resource ID. Note: This value is not required as per the resource type. However, not providing it currently causes an issue that is tracked [here](https://github.com/Azure/bicep/issues/9990). -- Required: Yes -- Type: string - ### Parameter: `logsDestination` Logs destination. + - Required: No - Type: string - Default: `'log-analytics'` -### Parameter: `name` - -Name of the Container Apps Managed Environment. -- Required: Yes -- Type: string - ### Parameter: `platformReservedCidr` IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. + - Required: No - Type: string - Default: `''` 
@@ -444,6 +467,7 @@ IP range in CIDR notation that can be reserved for environment infrastructure IP ### Parameter: `platformReservedDnsIP` An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. + - Required: No - Type: string - Default: `''` 
@@ -451,74 +475,96 @@ An IP address from the IP range defined by "platformReservedCidr" that will be r ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` Managed environment SKU. + - Required: No - Type: string - Default: `'Consumption'` @@ -533,12 +579,14 @@ Managed environment SKU. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `workloadProfiles` Workload profiles configured for the Managed Environment. + - Required: No - Type: array - Default: `[]` @@ -546,6 +594,7 @@ Workload profiles configured for the Managed Environment. ### Parameter: `zoneRedundant` Whether or not this Managed Environment is zone-redundant. + - Required: No - Type: bool - Default: `False` diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md index 7e2543aee3..20a037b24f 100644 --- a/modules/authorization/lock/README.md +++ b/modules/authorization/lock/README.md @@ -158,16 +158,10 @@ module lock 'br:bicep/modules/authorization.lock:1.0.0' = { | [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. | | [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `level` Set lock level. + - Required: Yes - Type: string - Allowed: 
@@ -178,9 +172,18 @@ Set lock level. ] ``` +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[deployment().location]` @@ -188,6 +191,7 @@ Location for all resources. ### Parameter: `notes` The decription attached to the lock. + - Required: No - Type: string - Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` @@ -195,6 +199,7 @@ The decription attached to the lock. ### Parameter: `resourceGroupName` Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. + - Required: No - Type: string - Default: `''` @@ -202,6 +207,7 @@ Name of the Resource Group to assign the lock to. If Resource Group name is prov ### Parameter: `subscriptionId` Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. + - Required: No - Type: string - Default: `[subscription().id]` diff --git a/modules/authorization/lock/resource-group/README.md b/modules/authorization/lock/resource-group/README.md index 2195850acd..a74295ef1a 100644 --- a/modules/authorization/lock/resource-group/README.md +++ b/modules/authorization/lock/resource-group/README.md 
@@ -31,16 +31,10 @@ This module deploys an Authorization Lock at a Resource Group scope. | [`name`](#parameter-name) | string | The name of the lock. | | [`notes`](#parameter-notes) | string | The decription attached to the lock. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `level` Set lock level. + - Required: Yes - Type: string - Allowed: @@ -51,9 +45,18 @@ Set lock level. ] ``` +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `name` The name of the lock. + - Required: No - Type: string - Default: `[format('{0}-lock', parameters('level'))]` @@ -61,6 +64,7 @@ The name of the lock. ### Parameter: `notes` The decription attached to the lock. + - Required: No - Type: string - Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` diff --git a/modules/authorization/lock/subscription/README.md b/modules/authorization/lock/subscription/README.md index 7da7ff5614..2458071e3c 100644 --- a/modules/authorization/lock/subscription/README.md +++ b/modules/authorization/lock/subscription/README.md @@ -31,16 +31,10 @@ This module deploys an Authorization Lock at a Subscription scope. | [`name`](#parameter-name) | string | The name of the lock. | | [`notes`](#parameter-notes) | string | The decription attached to the lock. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `level` Set lock level. + - Required: Yes - Type: string - Allowed: 
@@ -51,9 +45,18 @@ Set lock level. ] ``` +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `name` The name of the lock. + - Required: No - Type: string - Default: `[format('{0}-lock', parameters('level'))]` @@ -61,6 +64,7 @@ The name of the lock. ### Parameter: `notes` The decription attached to the lock. + - Required: No - Type: string - Default: `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` diff --git a/modules/authorization/policy-assignment/README.md b/modules/authorization/policy-assignment/README.md index ec478b7f18..fcbd860880 100644 --- a/modules/authorization/policy-assignment/README.md +++ b/modules/authorization/policy-assignment/README.md @@ -869,9 +869,24 @@ module policyAssignment 'br:bicep/modules/authorization.policy-assignment:1.0.0' | [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. | | [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. + +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. + +- Required: Yes +- Type: string + ### Parameter: `description` This message will be part of response in case of policy violation. + - Required: No - Type: string - Default: `''` 
@@ -879,6 +894,7 @@ This message will be part of response in case of policy violation. ### Parameter: `displayName` The display name of the policy assignment. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -886,6 +902,7 @@ The display name of the policy assignment. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -893,6 +910,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enforcementMode` The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. + - Required: No - Type: string - Default: `'Default'` @@ -907,6 +925,7 @@ The policy assignment enforcement mode. Possible values are Default and DoNotEnf ### Parameter: `identity` The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. + - Required: No - Type: string - Default: `'SystemAssigned'` @@ -922,6 +941,7 @@ The managed identity associated with the policy assignment. Policy assignments m ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[deployment().location]` @@ -929,6 +949,7 @@ Location for all resources. ### Parameter: `managementGroupId` The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[managementGroup().name]` 
@@ -936,19 +957,15 @@ The Target Scope for the Policy. The name of the management group for the policy ### Parameter: `metadata` The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. -- Required: Yes -- Type: string - ### Parameter: `nonComplianceMessages` The messages that describe why a resource is non-compliant with the policy. + - Required: No - Type: array - Default: `[]` @@ -956,6 +973,7 @@ The messages that describe why a resource is non-compliant with the policy. ### Parameter: `notScopes` The policy excluded scopes. + - Required: No - Type: array - Default: `[]` @@ -963,6 +981,7 @@ The policy excluded scopes. ### Parameter: `overrides` The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. + - Required: No - Type: array - Default: `[]` @@ -970,19 +989,15 @@ The policy property value override. Allows changing the effect of a policy defin ### Parameter: `parameters` Parameters for the policy assignment if needed. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. -- Required: Yes -- Type: string - ### Parameter: `resourceGroupName` The Target Scope for the Policy. The name of the resource group for the policy assignment. + - Required: No - Type: string - Default: `''` 
@@ -990,6 +1005,7 @@ The Target Scope for the Policy. The name of the resource group for the policy a ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. + - Required: No - Type: array - Default: `[]` @@ -997,6 +1013,7 @@ The resource selector list to filter policies by resource properties. Facilitate ### Parameter: `roleDefinitionIds` The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. + - Required: No - Type: array - Default: `[]` @@ -1004,6 +1021,7 @@ The IDs Of the Azure Role Definition list that is used to assign permissions to ### Parameter: `subscriptionId` The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. + - Required: No - Type: string - Default: `''` @@ -1011,6 +1029,7 @@ The Target Scope for the Policy. The subscription ID of the subscription for the ### Parameter: `userAssignedIdentityId` The Resource ID for the user assigned identity to assign to the policy assignment. + - Required: No - Type: string - Default: `''` diff --git a/modules/authorization/policy-assignment/management-group/README.md b/modules/authorization/policy-assignment/management-group/README.md index 76cbe8d5b4..c49026c652 100644 --- a/modules/authorization/policy-assignment/management-group/README.md +++ b/modules/authorization/policy-assignment/management-group/README.md 
@@ -45,9 +45,24 @@ This module deploys a Policy Assignment at a Management Group scope. | [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. | | [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. + +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. + +- Required: Yes +- Type: string + ### Parameter: `description` This message will be part of response in case of policy violation. + - Required: No - Type: string - Default: `''` @@ -55,6 +70,7 @@ This message will be part of response in case of policy violation. ### Parameter: `displayName` The display name of the policy assignment. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -62,6 +78,7 @@ The display name of the policy assignment. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -69,6 +86,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enforcementMode` The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. + - Required: No - Type: string - Default: `'Default'` 
@@ -83,6 +101,7 @@ The policy assignment enforcement mode. Possible values are Default and DoNotEnf ### Parameter: `identity` The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. + - Required: No - Type: string - Default: `'SystemAssigned'` @@ -98,6 +117,7 @@ The managed identity associated with the policy assignment. Policy assignments m ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[deployment().location]` @@ -105,6 +125,7 @@ Location for all resources. ### Parameter: `managementGroupId` The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[managementGroup().name]` @@ -112,19 +133,15 @@ The Target Scope for the Policy. The name of the management group for the policy ### Parameter: `metadata` The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. -- Required: Yes -- Type: string - ### Parameter: `nonComplianceMessages` The messages that describe why a resource is non-compliant with the policy. + - Required: No - Type: array - Default: `[]` @@ -132,6 +149,7 @@ The messages that describe why a resource is non-compliant with the policy. ### Parameter: `notScopes` The policy excluded scopes. + - Required: No - Type: array - Default: `[]` 
@@ -139,6 +157,7 @@ The policy excluded scopes. ### Parameter: `overrides` The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. + - Required: No - Type: array - Default: `[]` @@ -146,19 +165,15 @@ The policy property value override. Allows changing the effect of a policy defin ### Parameter: `parameters` Parameters for the policy assignment if needed. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. -- Required: Yes -- Type: string - ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. + - Required: No - Type: array - Default: `[]` @@ -166,6 +181,7 @@ The resource selector list to filter policies by resource properties. Facilitate ### Parameter: `roleDefinitionIds` The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. + - Required: No - Type: array - Default: `[]` @@ -173,6 +189,7 @@ The IDs Of the Azure Role Definition list that is used to assign permissions to ### Parameter: `userAssignedIdentityId` The Resource ID for the user assigned identity to assign to the policy assignment. + - Required: No - Type: string - Default: `''` 
diff --git a/modules/authorization/policy-assignment/resource-group/README.md b/modules/authorization/policy-assignment/resource-group/README.md index 450859dbd6..da543f77c1 100644 --- a/modules/authorization/policy-assignment/resource-group/README.md +++ b/modules/authorization/policy-assignment/resource-group/README.md @@ -46,9 +46,24 @@ This module deploys a Policy Assignment at a Resource Group scope. | [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | | [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. + +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. + +- Required: Yes +- Type: string + ### Parameter: `description` This message will be part of response in case of policy violation. + - Required: No - Type: string - Default: `''` @@ -56,6 +71,7 @@ This message will be part of response in case of policy violation. ### Parameter: `displayName` The display name of the policy assignment. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -63,6 +79,7 @@ The display name of the policy assignment. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -70,6 +87,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enforcementMode` The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. + - Required: No - Type: string - Default: `'Default'` @@ -84,6 +102,7 @@ The policy assignment enforcement mode. Possible values are Default and DoNotEnf ### Parameter: `identity` The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. + - Required: No - Type: string - Default: `'SystemAssigned'` @@ -99,6 +118,7 @@ The managed identity associated with the policy assignment. Policy assignments m ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -106,19 +126,15 @@ Location for all resources. ### Parameter: `metadata` The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. -- Required: Yes -- Type: string - ### Parameter: `nonComplianceMessages` The messages that describe why a resource is non-compliant with the policy. + - Required: No - Type: array - Default: `[]` @@ -126,6 +142,7 @@ The messages that describe why a resource is non-compliant with the policy. ### Parameter: `notScopes` The policy excluded scopes. + - Required: No - Type: array - Default: `[]` @@ -133,6 +150,7 @@ The policy excluded scopes. ### Parameter: `overrides` The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. + - Required: No - Type: array - Default: `[]` 
@@ -140,19 +158,15 @@ The policy property value override. Allows changing the effect of a policy defin ### Parameter: `parameters` Parameters for the policy assignment if needed. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. -- Required: Yes -- Type: string - ### Parameter: `resourceGroupName` The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[resourceGroup().name]` @@ -160,6 +174,7 @@ The Target Scope for the Policy. The name of the resource group for the policy a ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. + - Required: No - Type: array - Default: `[]` @@ -167,6 +182,7 @@ The resource selector list to filter policies by resource properties. Facilitate ### Parameter: `roleDefinitionIds` The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. + - Required: No - Type: array - Default: `[]` 
@@ -174,6 +190,7 @@ The IDs Of the Azure Role Definition list that is used to assign permissions to ### Parameter: `subscriptionId` The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[subscription().subscriptionId]` @@ -181,6 +198,7 @@ The Target Scope for the Policy. The subscription ID of the subscription for the ### Parameter: `userAssignedIdentityId` The Resource ID for the user assigned identity to assign to the policy assignment. + - Required: No - Type: string - Default: `''` diff --git a/modules/authorization/policy-assignment/subscription/README.md b/modules/authorization/policy-assignment/subscription/README.md index 112ba9f51f..3cdd823dd4 100644 --- a/modules/authorization/policy-assignment/subscription/README.md +++ b/modules/authorization/policy-assignment/subscription/README.md @@ -45,9 +45,24 @@ This module deploys a Policy Assignment at a Subscription scope. | [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | | [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. | +### Parameter: `name` + +Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. + +- Required: Yes +- Type: string + +### Parameter: `policyDefinitionId` + +Specifies the ID of the policy definition or policy set definition being assigned. + +- Required: Yes +- Type: string + ### Parameter: `description` This message will be part of response in case of policy violation. + - Required: No - Type: string - Default: `''` 
@@ -55,6 +70,7 @@ This message will be part of response in case of policy violation. ### Parameter: `displayName` The display name of the policy assignment. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -62,6 +78,7 @@ The display name of the policy assignment. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -69,6 +86,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enforcementMode` The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. + - Required: No - Type: string - Default: `'Default'` @@ -83,6 +101,7 @@ The policy assignment enforcement mode. Possible values are Default and DoNotEnf ### Parameter: `identity` The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. + - Required: No - Type: string - Default: `'SystemAssigned'` @@ -98,6 +117,7 @@ The managed identity associated with the policy assignment. Policy assignments m ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[deployment().location]` @@ -105,19 +125,15 @@ Location for all resources. ### Parameter: `metadata` The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. -- Required: Yes -- Type: string - ### Parameter: `nonComplianceMessages` The messages that describe why a resource is non-compliant with the policy. + - Required: No - Type: array - Default: `[]` 
@@ -125,6 +141,7 @@ The messages that describe why a resource is non-compliant with the policy. ### Parameter: `notScopes` The policy excluded scopes. + - Required: No - Type: array - Default: `[]` @@ -132,6 +149,7 @@ The policy excluded scopes. ### Parameter: `overrides` The policy property value override. Allows changing the effect of a policy definition without modifying the underlying policy definition or using a parameterized effect in the policy definition. + - Required: No - Type: array - Default: `[]` @@ -139,19 +157,15 @@ The policy property value override. Allows changing the effect of a policy defin ### Parameter: `parameters` Parameters for the policy assignment if needed. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyDefinitionId` - -Specifies the ID of the policy definition or policy set definition being assigned. -- Required: Yes -- Type: string - ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. + - Required: No - Type: array - Default: `[]` @@ -159,6 +173,7 @@ The resource selector list to filter policies by resource properties. Facilitate ### Parameter: `roleDefinitionIds` The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. + - Required: No - Type: array - Default: `[]` 
@@ -166,6 +181,7 @@ The IDs Of the Azure Role Definition list that is used to assign permissions to ### Parameter: `subscriptionId` The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[subscription().subscriptionId]` @@ -173,6 +189,7 @@ The Target Scope for the Policy. The subscription ID of the subscription for the ### Parameter: `userAssignedIdentityId` The Resource ID for the user assigned identity to assign to the policy assignment. + - Required: No - Type: string - Default: `''` diff --git a/modules/authorization/policy-definition/README.md b/modules/authorization/policy-definition/README.md index ed1607f680..4e0ff7369a 100644 --- a/modules/authorization/policy-definition/README.md +++ b/modules/authorization/policy-definition/README.md @@ -550,9 +550,24 @@ module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' | [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. | +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. + +- Required: Yes +- Type: string + +### Parameter: `policyRule` + +The Policy Rule details for the Policy Definition. + +- Required: Yes +- Type: object + ### Parameter: `description` The policy definition description. + - Required: No - Type: string - Default: `''` @@ -560,6 +575,7 @@ The policy definition description. ### Parameter: `displayName` The display name of the policy definition. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` 
@@ -567,6 +583,7 @@ The display name of the policy definition. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -574,6 +591,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -581,6 +599,7 @@ Location deployment metadata. ### Parameter: `managementGroupId` The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[managementGroup().name]` @@ -588,6 +607,7 @@ The group ID of the Management Group (Scope). If not provided, will use the curr ### Parameter: `metadata` The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` @@ -595,6 +615,7 @@ The policy Definition metadata. Metadata is an open ended object and is typicall ### Parameter: `mode` The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. + - Required: No - Type: string - Default: `'All'` 
@@ -610,28 +631,18 @@ The policy definition mode. Default is All, Some examples are All, Indexed, Micr ] ``` -### Parameter: `name` - -Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. -- Required: Yes -- Type: string - ### Parameter: `parameters` The policy definition parameters that can be used in policy definition references. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyRule` - -The Policy Rule details for the Policy Definition. -- Required: Yes -- Type: object - ### Parameter: `subscriptionId` The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. + - Required: No - Type: string - Default: `''` diff --git a/modules/authorization/policy-definition/management-group/README.md b/modules/authorization/policy-definition/management-group/README.md index 63cfc770a2..610d78baf7 100644 --- a/modules/authorization/policy-definition/management-group/README.md +++ b/modules/authorization/policy-definition/management-group/README.md @@ -36,9 +36,24 @@ This module deploys a Policy Definition at a Management Group scope. | [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters. + +- Required: Yes +- Type: string + +### Parameter: `policyRule` + +The Policy Rule details for the Policy Definition. + +- Required: Yes +- Type: object + ### Parameter: `description` The policy definition description. + - Required: No - Type: string - Default: `''` 
@@ -46,6 +61,7 @@ The policy definition description. ### Parameter: `displayName` The display name of the policy definition. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -53,6 +69,7 @@ The display name of the policy definition. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -60,6 +77,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -67,6 +85,7 @@ Location deployment metadata. ### Parameter: `metadata` The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` @@ -74,6 +93,7 @@ The policy Definition metadata. Metadata is an open ended object and is typicall ### Parameter: `mode` The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. + - Required: No - Type: string - Default: `'All'` @@ -89,25 +109,14 @@ The policy definition mode. Default is All, Some examples are All, Indexed, Micr ] ``` -### Parameter: `name` - -Specifies the name of the policy definition. Maximum length is 64 characters. -- Required: Yes -- Type: string - ### Parameter: `parameters` The policy definition parameters that can be used in policy definition references. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyRule` - -The Policy Rule details for the Policy Definition. -- Required: Yes -- Type: object - ## Outputs diff --git a/modules/authorization/policy-definition/subscription/README.md b/modules/authorization/policy-definition/subscription/README.md index c7e4f1a2de..6de136d33a 100644 --- a/modules/authorization/policy-definition/subscription/README.md 
+++ b/modules/authorization/policy-definition/subscription/README.md @@ -36,9 +36,24 @@ This module deploys a Policy Definition at a Subscription scope. | [`mode`](#parameter-mode) | string | The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | [`parameters`](#parameter-parameters) | object | The policy definition parameters that can be used in policy definition references. | +### Parameter: `name` + +Specifies the name of the policy definition. Maximum length is 64 characters. + +- Required: Yes +- Type: string + +### Parameter: `policyRule` + +The Policy Rule details for the Policy Definition. + +- Required: Yes +- Type: object + ### Parameter: `description` The policy definition description. + - Required: No - Type: string - Default: `''` @@ -46,6 +61,7 @@ The policy definition description. ### Parameter: `displayName` The display name of the policy definition. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -53,6 +69,7 @@ The display name of the policy definition. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -60,6 +77,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -67,6 +85,7 @@ Location deployment metadata. ### Parameter: `metadata` The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` @@ -74,6 +93,7 @@ The policy Definition metadata. Metadata is an open ended object and is typicall ### Parameter: `mode` The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. + - Required: No - Type: string - Default: `'All'` 
@@ -89,25 +109,14 @@ The policy definition mode. Default is All, Some examples are All, Indexed, Micr ] ``` -### Parameter: `name` - -Specifies the name of the policy definition. Maximum length is 64 characters. -- Required: Yes -- Type: string - ### Parameter: `parameters` The policy definition parameters that can be used in policy definition references. + - Required: No - Type: object - Default: `{}` -### Parameter: `policyRule` - -The Policy Rule details for the Policy Definition. -- Required: Yes -- Type: object - ## Outputs diff --git a/modules/authorization/policy-exemption/README.md b/modules/authorization/policy-exemption/README.md index 826ca7aacc..365732cdd7 100644 --- a/modules/authorization/policy-exemption/README.md +++ b/modules/authorization/policy-exemption/README.md @@ -546,9 +546,24 @@ module policyExemption 'br:bicep/modules/authorization.policy-exemption:1.0.0' = | [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. | +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. + +- Required: Yes +- Type: string + ### Parameter: `assignmentScopeValidation` The option whether validate the exemption is at or under the assignment scope. + - Required: No - Type: string - Default: `''` @@ -564,6 +579,7 @@ The option whether validate the exemption is at or under the assignment scope. ### Parameter: `description` The description of the policy exemption. + - Required: No - Type: string - Default: `''` 
@@ -571,6 +587,7 @@ The description of the policy exemption. ### Parameter: `displayName` The display name of the policy exemption. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -578,6 +595,7 @@ The display name of the policy exemption. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -585,6 +603,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exemptionCategory` The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. + - Required: No - Type: string - Default: `'Mitigated'` @@ -599,6 +618,7 @@ The policy exemption category. Possible values are Waiver and Mitigated. Default ### Parameter: `expiresOn` The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. + - Required: No - Type: string - Default: `''` @@ -606,6 +626,7 @@ The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of th ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -613,6 +634,7 @@ Location deployment metadata. ### Parameter: `managementGroupId` The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[managementGroup().name]` 
@@ -620,25 +642,15 @@ The group ID of the management group to be exempted from the policy assignment. ### Parameter: `metadata` The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that is being exempted. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceIds` The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. + - Required: No - Type: array - Default: `[]` @@ -646,6 +658,7 @@ The policy definition reference ID list when the associated policy assignment is ### Parameter: `resourceGroupName` The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. + - Required: No - Type: string - Default: `''` @@ -653,6 +666,7 @@ The name of the resource group to be exempted from the policy assignment. Must a ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. + - Required: No - Type: array - Default: `[]` @@ -660,6 +674,7 @@ The resource selector list to filter policies by resource properties. ### Parameter: `subscriptionId` The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. + - Required: No - Type: string - Default: `''` diff --git a/modules/authorization/policy-exemption/management-group/README.md b/modules/authorization/policy-exemption/management-group/README.md index b244cc53ba..303d90d848 100644 --- a/modules/authorization/policy-exemption/management-group/README.md 
+++ b/modules/authorization/policy-exemption/management-group/README.md @@ -39,9 +39,24 @@ This module deploys a Policy Exemption at a Management Group scope. | [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. + +- Required: Yes +- Type: string + ### Parameter: `assignmentScopeValidation` The option whether validate the exemption is at or under the assignment scope. + - Required: No - Type: string - Default: `''` @@ -57,6 +72,7 @@ The option whether validate the exemption is at or under the assignment scope. ### Parameter: `description` The description of the policy exemption. + - Required: No - Type: string - Default: `''` @@ -64,6 +80,7 @@ The description of the policy exemption. ### Parameter: `displayName` The display name of the policy assignment. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -71,6 +88,7 @@ The display name of the policy assignment. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -78,6 +96,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exemptionCategory` The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. + - Required: No - Type: string - Default: `'Mitigated'` 
@@ -92,6 +111,7 @@ The policy exemption category. Possible values are Waiver and Mitigated. Default ### Parameter: `expiresOn` The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. + - Required: No - Type: string - Default: `''` @@ -99,6 +119,7 @@ The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of th ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -106,25 +127,15 @@ Location deployment metadata. ### Parameter: `metadata` The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that is being exempted. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceIds` The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. + - Required: No - Type: array - Default: `[]` @@ -132,6 +143,7 @@ The policy definition reference ID list when the associated policy assignment is ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. + - Required: No - Type: array - Default: `[]` diff --git a/modules/authorization/policy-exemption/resource-group/README.md b/modules/authorization/policy-exemption/resource-group/README.md index 96f7a76d2a..0db23d6178 100644 --- a/modules/authorization/policy-exemption/resource-group/README.md +++ b/modules/authorization/policy-exemption/resource-group/README.md 
@@ -38,9 +38,24 @@ This module deploys a Policy Exemption at a Resource Group scope. | [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. + +- Required: Yes +- Type: string + ### Parameter: `assignmentScopeValidation` The option whether validate the exemption is at or under the assignment scope. + - Required: No - Type: string - Default: `''` @@ -56,6 +71,7 @@ The option whether validate the exemption is at or under the assignment scope. ### Parameter: `description` The description of the policy exemption. + - Required: No - Type: string - Default: `''` @@ -63,6 +79,7 @@ The description of the policy exemption. ### Parameter: `displayName` The display name of the policy exemption. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -70,6 +87,7 @@ The display name of the policy exemption. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -77,6 +95,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exemptionCategory` The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. + - Required: No - Type: string - Default: `'Mitigated'` 
@@ -91,6 +110,7 @@ The policy exemption category. Possible values are Waiver and Mitigated. Default ### Parameter: `expiresOn` The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. + - Required: No - Type: string - Default: `''` @@ -98,25 +118,15 @@ The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of th ### Parameter: `metadata` The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that is being exempted. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceIds` The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. + - Required: No - Type: array - Default: `[]` @@ -124,6 +134,7 @@ The policy definition reference ID list when the associated policy assignment is ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. + - Required: No - Type: array - Default: `[]` diff --git a/modules/authorization/policy-exemption/subscription/README.md b/modules/authorization/policy-exemption/subscription/README.md index 7b9995a326..3240cff663 100644 --- a/modules/authorization/policy-exemption/subscription/README.md +++ b/modules/authorization/policy-exemption/subscription/README.md 
@@ -39,9 +39,24 @@ This module deploys a Policy Exemption at a Subscription scope. | [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. | +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that is being exempted. + +- Required: Yes +- Type: string + ### Parameter: `assignmentScopeValidation` The option whether validate the exemption is at or under the assignment scope. + - Required: No - Type: string - Default: `''` @@ -57,6 +72,7 @@ The option whether validate the exemption is at or under the assignment scope. ### Parameter: `description` The description of the policy exemption. + - Required: No - Type: string - Default: `''` @@ -64,6 +80,7 @@ The description of the policy exemption. ### Parameter: `displayName` The display name of the policy exemption. Maximum length is 128 characters. + - Required: No - Type: string - Default: `''` @@ -71,6 +88,7 @@ The display name of the policy exemption. Maximum length is 128 characters. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -78,6 +96,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exemptionCategory` The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated. + - Required: No - Type: string - Default: `'Mitigated'` 
@@ -92,6 +111,7 @@ The policy exemption category. Possible values are Waiver and Mitigated. Default ### Parameter: `expiresOn` The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z. + - Required: No - Type: string - Default: `''` @@ -99,6 +119,7 @@ The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of th ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -106,25 +127,15 @@ Location deployment metadata. ### Parameter: `metadata` The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. -- Required: Yes -- Type: string - -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that is being exempted. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceIds` The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. + - Required: No - Type: array - Default: `[]` @@ -132,6 +143,7 @@ The policy definition reference ID list when the associated policy assignment is ### Parameter: `resourceSelectors` The resource selector list to filter policies by resource properties. + - Required: No - Type: array - Default: `[]` diff --git a/modules/authorization/policy-set-definition/README.md b/modules/authorization/policy-set-definition/README.md index ea439e2b56..7cca9b5479 100644 --- a/modules/authorization/policy-set-definition/README.md +++ b/modules/authorization/policy-set-definition/README.md 
@@ -482,9 +482,24 @@ module policySetDefinition 'br:bicep/modules/authorization.policy-set-definition
 | [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID of the subscription (Scope). Cannot be used with managementGroupId. |
 
+### Parameter: `name`
+
+Specifies the name of the policy Set Definition (Initiative).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `policyDefinitions`
+
+The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
+
+- Required: Yes
+- Type: array
+
 ### Parameter: `description`
 
 The description name of the Set Definition (Initiative).
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -492,6 +507,7 @@ The description name of the Set Definition (Initiative).
 ### Parameter: `displayName`
 
 The display name of the Set Definition (Initiative). Maximum length is 128 characters.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -499,6 +515,7 @@ The display name of the Set Definition (Initiative). Maximum length is 128 chara
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -506,6 +523,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -513,6 +531,7 @@ Location deployment metadata.
 ### Parameter: `managementGroupId`
 
 The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[managementGroup().name]`
@@ -520,19 +539,15 @@ The group ID of the Management Group (Scope). If not provided, will use the curr
 ### Parameter: `metadata`
 
 The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+
 - Required: No
 - Type: object
 - Default: `{}`
 
-### Parameter: `name`
-
-Specifies the name of the policy Set Definition (Initiative).
-- Required: Yes
-- Type: string
-
 ### Parameter: `parameters`
 
 The Set Definition (Initiative) parameters that can be used in policy definition references.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -540,19 +555,15 @@ The Set Definition (Initiative) parameters that can be used in policy definition
 ### Parameter: `policyDefinitionGroups`
 
 The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `policyDefinitions`
-
-The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
-- Required: Yes
-- Type: array
-
 ### Parameter: `subscriptionId`
 
 The subscription ID of the subscription (Scope). Cannot be used with managementGroupId.
+
 - Required: No
 - Type: string
 - Default: `''`
diff --git a/modules/authorization/policy-set-definition/management-group/README.md b/modules/authorization/policy-set-definition/management-group/README.md
index bc32aac337..b34845fcab 100644
--- a/modules/authorization/policy-set-definition/management-group/README.md
+++ b/modules/authorization/policy-set-definition/management-group/README.md
@@ -36,9 +36,24 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group s
 | [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 
+### Parameter: `name`
+
+Specifies the name of the policy Set Definition (Initiative).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `policyDefinitions`
+
+The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
+
+- Required: Yes
+- Type: array
+
 ### Parameter: `description`
 
 The description name of the Set Definition (Initiative).
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -46,6 +61,7 @@ The description name of the Set Definition (Initiative).
 ### Parameter: `displayName`
 
 The display name of the Set Definition (Initiative). Maximum length is 128 characters.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -53,6 +69,7 @@ The display name of the Set Definition (Initiative). Maximum length is 128 chara
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -60,6 +77,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -67,19 +85,15 @@ Location deployment metadata.
 ### Parameter: `metadata`
 
 The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+
 - Required: No
 - Type: object
 - Default: `{}`
 
-### Parameter: `name`
-
-Specifies the name of the policy Set Definition (Initiative).
-- Required: Yes
-- Type: string
-
 ### Parameter: `parameters`
 
 The Set Definition (Initiative) parameters that can be used in policy definition references.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -87,16 +101,11 @@ The Set Definition (Initiative) parameters that can be used in policy definition
 ### Parameter: `policyDefinitionGroups`
 
 The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `policyDefinitions`
-
-The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
-- Required: Yes
-- Type: array
-
 ## Outputs
diff --git a/modules/authorization/policy-set-definition/subscription/README.md b/modules/authorization/policy-set-definition/subscription/README.md
index 61c950bffb..1b567eeea5 100644
--- a/modules/authorization/policy-set-definition/subscription/README.md
+++ b/modules/authorization/policy-set-definition/subscription/README.md
@@ -36,9 +36,24 @@ This module deploys a Policy Set Definition (Initiative) at a Subscription scope
 | [`parameters`](#parameter-parameters) | object | The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | [`policyDefinitionGroups`](#parameter-policydefinitiongroups) | array | The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 
+### Parameter: `name`
+
+Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `policyDefinitions`
+
+The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
+
+- Required: Yes
+- Type: array
+
 ### Parameter: `description`
 
 The description name of the Set Definition (Initiative).
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -46,6 +61,7 @@ The description name of the Set Definition (Initiative).
 ### Parameter: `displayName`
 
 The display name of the Set Definition (Initiative). Maximum length is 128 characters.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -53,6 +69,7 @@ The display name of the Set Definition (Initiative). Maximum length is 128 chara
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -60,6 +77,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -67,19 +85,15 @@ Location deployment metadata.
 ### Parameter: `metadata`
 
 The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.
+
 - Required: No
 - Type: object
 - Default: `{}`
 
-### Parameter: `name`
-
-Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope.
-- Required: Yes
-- Type: string
-
 ### Parameter: `parameters`
 
 The Set Definition (Initiative) parameters that can be used in policy definition references.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -87,16 +101,11 @@ The Set Definition (Initiative) parameters that can be used in policy definition
 ### Parameter: `policyDefinitionGroups`
 
 The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `policyDefinitions`
-
-The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters.
-- Required: Yes
-- Type: array
-
 ## Outputs
diff --git a/modules/authorization/role-assignment/README.md b/modules/authorization/role-assignment/README.md
index f8980b222d..f71f9cf46a 100644
--- a/modules/authorization/role-assignment/README.md
+++ b/modules/authorization/role-assignment/README.md
@@ -415,9 +415,24 @@ module roleAssignment 'br:bicep/modules/authorization.role-assignment:1.0.0' = {
 | [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. |
 | [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. |
 
+### Parameter: `principalId`
+
+The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleDefinitionIdOrName`
+
+You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `condition`
 
 The conditions on the role assignment. This limits the resources it can be assigned to.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -425,6 +440,7 @@ The conditions on the role assignment. This limits the resources it can be assig
 ### Parameter: `conditionVersion`
 
 Version of the condition. Currently accepted value is "2.0".
+
 - Required: No
 - Type: string
 - Default: `'2.0'`
@@ -438,6 +454,7 @@ Version of the condition. Currently accepted value is "2.0".
 ### Parameter: `delegatedManagedIdentityResourceId`
 
 ID of the delegated managed identity resource.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -445,6 +462,7 @@ ID of the delegated managed identity resource.
 ### Parameter: `description`
 
 The description of the role assignment.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -452,6 +470,7 @@ The description of the role assignment.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -459,6 +478,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -466,19 +486,15 @@ Location deployment metadata.
 ### Parameter: `managementGroupId`
 
 Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[managementGroup().name]`
 
-### Parameter: `principalId`
-
-The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
-- Required: Yes
-- Type: string
-
 ### Parameter: `principalType`
 
 The principal type of the assigned principal ID.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -497,19 +513,15 @@ The principal type of the assigned principal ID.
 ### Parameter: `resourceGroupName`
 
 Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group.
+
 - Required: No
 - Type: string
 - Default: `''`
 
-### Parameter: `roleDefinitionIdOrName`
-
-You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: Yes
-- Type: string
-
 ### Parameter: `subscriptionId`
 
 Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.
+
 - Required: No
 - Type: string
 - Default: `''`
diff --git a/modules/authorization/role-assignment/management-group/README.md b/modules/authorization/role-assignment/management-group/README.md
index 07603f6817..e021e05271 100644
--- a/modules/authorization/role-assignment/management-group/README.md
+++ b/modules/authorization/role-assignment/management-group/README.md
@@ -37,9 +37,24 @@ This module deploys a Role Assignment at a Management Group scope.
 | [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. |
 | [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. |
 
+### Parameter: `principalId`
+
+The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleDefinitionIdOrName`
+
+You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `condition`
 
 The conditions on the role assignment. This limits the resources it can be assigned to.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -47,6 +62,7 @@ The conditions on the role assignment. This limits the resources it can be assig
 ### Parameter: `conditionVersion`
 
 Version of the condition. Currently accepted value is "2.0".
+
 - Required: No
 - Type: string
 - Default: `'2.0'`
@@ -60,6 +76,7 @@ Version of the condition. Currently accepted value is "2.0".
 ### Parameter: `delegatedManagedIdentityResourceId`
 
 ID of the delegated managed identity resource.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -67,6 +84,7 @@ ID of the delegated managed identity resource.
 ### Parameter: `description`
 
 The description of the role assignment.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -74,6 +92,7 @@ The description of the role assignment.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -81,6 +100,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -88,19 +108,15 @@ Location deployment metadata.
 ### Parameter: `managementGroupId`
 
 Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[managementGroup().name]`
 
-### Parameter: `principalId`
-
-The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
-- Required: Yes
-- Type: string
-
 ### Parameter: `principalType`
 
 The principal type of the assigned principal ID.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -116,12 +132,6 @@ The principal type of the assigned principal ID.
 ]
 ```
 
-### Parameter: `roleDefinitionIdOrName`
-
-You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/authorization/role-assignment/resource-group/README.md b/modules/authorization/role-assignment/resource-group/README.md
index 941feeb254..1a09562d67 100644
--- a/modules/authorization/role-assignment/resource-group/README.md
+++ b/modules/authorization/role-assignment/resource-group/README.md
@@ -37,9 +37,24 @@ This module deploys a Role Assignment at a Resource Group scope.
 | [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. |
 | [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. |
 
+### Parameter: `principalId`
+
+The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleDefinitionIdOrName`
+
+You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `condition`
 
 The conditions on the role assignment. This limits the resources it can be assigned to.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -47,6 +62,7 @@ The conditions on the role assignment. This limits the resources it can be assig
 ### Parameter: `conditionVersion`
 
 Version of the condition. Currently accepted value is "2.0".
+
 - Required: No
 - Type: string
 - Default: `'2.0'`
@@ -60,6 +76,7 @@ Version of the condition. Currently accepted value is "2.0".
 ### Parameter: `delegatedManagedIdentityResourceId`
 
 ID of the delegated managed identity resource.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -67,6 +84,7 @@ ID of the delegated managed identity resource.
 ### Parameter: `description`
 
 The description of the role assignment.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -74,19 +92,15 @@ The description of the role assignment.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
 
-### Parameter: `principalId`
-
-The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
-- Required: Yes
-- Type: string
-
 ### Parameter: `principalType`
 
 The principal type of the assigned principal ID.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -105,19 +119,15 @@ The principal type of the assigned principal ID.
 ### Parameter: `resourceGroupName`
 
 Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().name]`
 
-### Parameter: `roleDefinitionIdOrName`
-
-You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: Yes
-- Type: string
-
 ### Parameter: `subscriptionId`
 
 Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[subscription().subscriptionId]`
diff --git a/modules/authorization/role-assignment/subscription/README.md b/modules/authorization/role-assignment/subscription/README.md
index 04b004fd39..7f0b4ada16 100644
--- a/modules/authorization/role-assignment/subscription/README.md
+++ b/modules/authorization/role-assignment/subscription/README.md
@@ -37,9 +37,24 @@ This module deploys a Role Assignment at a Subscription scope.
 | [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. |
 | [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. |
 
+### Parameter: `principalId`
+
+The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleDefinitionIdOrName`
+
+You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `condition`
 
 The conditions on the role assignment. This limits the resources it can be assigned to.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -47,6 +62,7 @@ The conditions on the role assignment. This limits the resources it can be assig
 ### Parameter: `conditionVersion`
 
 Version of the condition. Currently accepted value is "2.0".
+
 - Required: No
 - Type: string
 - Default: `'2.0'`
@@ -60,6 +76,7 @@ Version of the condition. Currently accepted value is "2.0".
 ### Parameter: `delegatedManagedIdentityResourceId`
 
 ID of the delegated managed identity resource.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -67,6 +84,7 @@ ID of the delegated managed identity resource.
 ### Parameter: `description`
 
 The description of the role assignment.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -74,6 +92,7 @@ The description of the role assignment.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -81,19 +100,15 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
 
-### Parameter: `principalId`
-
-The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).
-- Required: Yes
-- Type: string
-
 ### Parameter: `principalType`
 
 The principal type of the assigned principal ID.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -109,15 +124,10 @@ The principal type of the assigned principal ID.
 ]
 ```
 
-### Parameter: `roleDefinitionIdOrName`
-
-You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: Yes
-- Type: string
-
 ### Parameter: `subscriptionId`
 
 Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[subscription().subscriptionId]`
diff --git a/modules/authorization/role-definition/README.md b/modules/authorization/role-definition/README.md
index 0008ff66c4..626454d49c 100644
--- a/modules/authorization/role-definition/README.md
+++ b/modules/authorization/role-definition/README.md
@@ -495,9 +495,17 @@ module roleDefinition 'br:bicep/modules/authorization.role-definition:1.0.0' = {
 | [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. |
 | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. |
 
+### Parameter: `roleName`
+
+Name of the custom RBAC role to be created.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `actions`
 
 List of allowed actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -505,6 +513,7 @@ List of allowed actions.
 ### Parameter: `assignableScopes`
 
 Role definition assignable scopes. If not provided, will use the current scope provided.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -512,6 +521,7 @@ Role definition assignable scopes. If not provided, will use the current scope p
 ### Parameter: `dataActions`
 
 List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -519,6 +529,7 @@ List of allowed data actions. This is not supported if the assignableScopes cont
 ### Parameter: `description`
 
 Description of the custom RBAC role to be created.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -526,6 +537,7 @@ Description of the custom RBAC role to be created.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -533,6 +545,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -540,6 +553,7 @@ Location deployment metadata.
 ### Parameter: `managementGroupId`
 
 The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[managementGroup().name]`
@@ -547,6 +561,7 @@ The group ID of the Management Group where the Role Definition and Target Scope
 ### Parameter: `notActions`
 
 List of denied actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -554,6 +569,7 @@ List of denied actions.
 ### Parameter: `notDataActions`
 
 List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -561,19 +577,15 @@ List of denied data actions. This is not supported if the assignableScopes conta
 ### Parameter: `resourceGroupName`
 
 The name of the Resource Group where the Role Definition and Target Scope will be applied to.
+
 - Required: No
 - Type: string
 - Default: `''`
 
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-- Required: Yes
-- Type: string
-
 ### Parameter: `subscriptionId`
 
 The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.
+
 - Required: No
 - Type: string
 - Default: `''`
diff --git a/modules/authorization/role-definition/management-group/README.md b/modules/authorization/role-definition/management-group/README.md
index e892466ced..0c9b29c7a5 100644
--- a/modules/authorization/role-definition/management-group/README.md
+++ b/modules/authorization/role-definition/management-group/README.md
@@ -35,9 +35,17 @@ This module deploys a Role Definition at a Management Group scope.
 | [`managementGroupId`](#parameter-managementgroupid) | string | The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 | [`notActions`](#parameter-notactions) | array | List of denied actions. |
 
+### Parameter: `roleName`
+
+Name of the custom RBAC role to be created.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `actions`
 
 List of allowed actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -45,6 +53,7 @@ List of allowed actions.
 ### Parameter: `assignableScopes`
 
 Role definition assignable scopes. If not provided, will use the current scope provided.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -52,6 +61,7 @@ Role definition assignable scopes. If not provided, will use the current scope p
 ### Parameter: `description`
 
 Description of the custom RBAC role to be created.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -59,6 +69,7 @@ Description of the custom RBAC role to be created.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -66,6 +77,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 
 Location deployment metadata.
+
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
@@ -73,6 +85,7 @@ Location deployment metadata.
 ### Parameter: `managementGroupId`
 
 The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[managementGroup().name]`
@@ -80,16 +93,11 @@ The group ID of the Management Group where the Role Definition and Target Scope
 ### Parameter: `notActions`
 
 List of denied actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/authorization/role-definition/resource-group/README.md b/modules/authorization/role-definition/resource-group/README.md
index 1e5da9a0d7..f8a299f434 100644
--- a/modules/authorization/role-definition/resource-group/README.md
+++ b/modules/authorization/role-definition/resource-group/README.md
@@ -37,9 +37,17 @@ This module deploys a Role Definition at a Resource Group scope.
 | [`resourceGroupName`](#parameter-resourcegroupname) | string | The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 
+### Parameter: `roleName`
+
+Name of the custom RBAC role to be created.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `actions`
 
 List of allowed actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -47,6 +55,7 @@ List of allowed actions.
 ### Parameter: `assignableScopes`
 
 Role definition assignable scopes. If not provided, will use the current scope provided.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -54,6 +63,7 @@ Role definition assignable scopes. If not provided, will use the current scope p
 ### Parameter: `dataActions`
 
 List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -61,6 +71,7 @@ List of allowed data actions. This is not supported if the assignableScopes cont
 ### Parameter: `description`
 
 Description of the custom RBAC role to be created.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -68,6 +79,7 @@ Description of the custom RBAC role to be created.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -75,6 +87,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `notActions`
 
 List of denied actions.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -82,6 +95,7 @@ List of denied actions.
 ### Parameter: `notDataActions`
 
 List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -89,19 +103,15 @@ List of denied data actions. This is not supported if the assignableScopes conta
 ### Parameter: `resourceGroupName`
 
 The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().name]`
 
-### Parameter: `roleName`
-
-Name of the custom RBAC role to be created.
-- Required: Yes
-- Type: string
-
 ### Parameter: `subscriptionId`
 
 The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.
+
 - Required: No
 - Type: string
 - Default: `[subscription().subscriptionId]`
diff --git a/modules/authorization/role-definition/subscription/README.md b/modules/authorization/role-definition/subscription/README.md
index e0f96a3894..5737fd2aff 100644
--- a/modules/authorization/role-definition/subscription/README.md
+++ b/modules/authorization/role-definition/subscription/README.md
@@ -37,9 +37,17 @@ This module deploys a Role Definition at a Subscription scope. | [`notDataActions`](#parameter-notdataactions) | array | List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. | | [`subscriptionId`](#parameter-subscriptionid) | string | The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | +### Parameter: `roleName` + +Name of the custom RBAC role to be created. + +- Required: Yes +- Type: string + ### Parameter: `actions` List of allowed actions. + - Required: No - Type: array - Default: `[]` @@ -47,6 +55,7 @@ List of allowed actions. ### Parameter: `assignableScopes` Role definition assignable scopes. If not provided, will use the current scope provided. + - Required: No - Type: array - Default: `[]` @@ -54,6 +63,7 @@ Role definition assignable scopes. If not provided, will use the current scope p ### Parameter: `dataActions` List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes. + - Required: No - Type: array - Default: `[]` @@ -61,6 +71,7 @@ List of allowed data actions. This is not supported if the assignableScopes cont ### Parameter: `description` Description of the custom RBAC role to be created. + - Required: No - Type: string - Default: `''` @@ -68,6 +79,7 @@ Description of the custom RBAC role to be created. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -75,6 +87,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -82,6 +95,7 @@ Location deployment metadata. ### Parameter: `notActions` List of denied actions. + - Required: No - Type: array - Default: `[]` 
@@ -89,19 +103,15 @@ List of denied actions. ### Parameter: `notDataActions` List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes. + - Required: No - Type: array - Default: `[]` -### Parameter: `roleName` - -Name of the custom RBAC role to be created. -- Required: Yes -- Type: string - ### Parameter: `subscriptionId` The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[subscription().subscriptionId]` diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index fb894b62e8..c4be8ef65e 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md 
@@ -1109,44 +1109,58 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | | [`variables`](#parameter-variables) | array | List of variables to be created in the automation account. | +### Parameter: `name` + +Name of the Automation Account. + +- Required: Yes +- Type: string + ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
| +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -1154,114 +1168,90 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1269,6 +1259,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` Disable local authentication profile used within the resource. + - Required: No - Type: bool - Default: `True` @@ -1276,6 +1267,7 @@ Disable local authentication profile used within the resource. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1283,6 +1275,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `gallerySolutions` List of gallerySolutions to be created in the linked log analytics workspace. + - Required: No - Type: array - Default: `[]` @@ -1290,6 +1283,7 @@ List of gallerySolutions to be created in the linked log analytics workspace. ### Parameter: `jobSchedules` List of jobSchedules to be created in the automation account. + - Required: No - Type: array - Default: `[]` @@ -1297,6 +1291,7 @@ List of jobSchedules to be created in the automation account. ### Parameter: `linkedWorkspaceResourceId` ID of the log analytics workspace to be linked to the deployed automation account. + - Required: No - Type: string - Default: `''` @@ -1304,6 +1299,7 @@ ID of the log analytics workspace to be linked to the deployed automation accoun ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1311,26 +1307,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1338,25 +1343,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array 
@@ -1364,210 +1371,255 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `modules` List of modules to be created in the automation account. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -Name of the Automation Account. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Application security groups in which the private endpoint IP configuration is included. +### Parameter: `privateEndpoints.service` -- Required: No -- Type: array +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -### Parameter: `privateEndpoints.customDnsConfigs` +- Required: Yes +- Type: string -Optional. Custom DNS configurations. 
+### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. 
+| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -- Required: No +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.roleAssignments.condition`
-Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
- Required: No
- Type: string
-### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
+### Parameter: `privateEndpoints.roleAssignments.conditionVersion`
-Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
+Version of the condition.
- Required: No
-- Type: array
+- Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `privateEndpoints.roleAssignments`
+### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId`
-Optional. Array of role assignments to create.
+The Resource Id of the delegated managed identity resource.
- Required: No
-- Type: array
+- Type: string
-### Parameter: `privateEndpoints.service`
+### Parameter: `privateEndpoints.roleAssignments.description`
-Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
+The description of the role assignment.
-- Required: Yes
+- Required: No
- Type: string
-### Parameter: `privateEndpoints.subnetResourceId`
+### Parameter: `privateEndpoints.roleAssignments.principalType`
-Required. Resource ID of the subnet where the endpoint needs to be created.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
### Parameter: `privateEndpoints.tags`
-Optional. Tags to be applied on all resources/resource groups in this deployment.
+Tags to be applied on all resources/resource groups in this deployment.
- Required: No
- Type: object
@@ -1575,6 +1627,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment
### Parameter: `publicNetworkAccess`
Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.
+
- Required: No
- Type: string
- Default: `''`
@@ -1590,74 +1643,96 @@ Whether or not public network access is allowed for this resource. For security
### Parameter: `roleAssignments`
Array of role assignments to create.
+
- Required: No
- Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to.
|
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-### Parameter: `roleAssignments.condition`
+**Optional parameters**
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-- Required: No
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
- Type: string
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. Version of the condition.
+The role to assign.
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
- Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
- Required: No
- Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
-Optional. The description of the role assignment.
+Version of the condition.
- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
-- Required: Yes
+- Required: No
- Type: string
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
- Required: No
- Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
### Parameter: `runbooks`
List of runbooks to be created in the automation account.
+
- Required: No
- Type: array
- Default: `[]`
@@ -1665,6 +1740,7 @@ List of runbooks to be created in the automation account.
### Parameter: `schedules`
List of schedules to be created in the automation account.
+
- Required: No
- Type: array
- Default: `[]`
@@ -1672,6 +1748,7 @@ List of schedules to be created in the automation account.
### Parameter: `skuName`
SKU name of the account.
+
- Required: No
- Type: string
- Default: `'Basic'`
@@ -1686,6 +1763,7 @@ SKU name of the account.
### Parameter: `softwareUpdateConfigurations`
List of softwareUpdateConfigurations to be created in the automation account.
+
- Required: No
- Type: array
- Default: `[]`
@@ -1693,12 +1771,14 @@ List of softwareUpdateConfigurations to be created in the automation account.
### Parameter: `tags`
Tags of the Automation Account resource.
+
- Required: No
- Type: object
### Parameter: `variables`
List of variables to be created in the automation account.
+
- Required: No
- Type: array
- Default: `[]`
diff --git a/modules/automation/automation-account/job-schedule/README.md b/modules/automation/automation-account/job-schedule/README.md
index 1faf4e3c61..05dd4ccf1e 100644
--- a/modules/automation/automation-account/job-schedule/README.md
+++ b/modules/automation/automation-account/job-schedule/README.md
@@ -44,51 +44,58 @@ This module deploys an Azure Automation Account Job Schedule.
| :-- | :-- | :-- |
| [`name`](#parameter-name) | string | Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value. |
+### Parameter: `runbookName`
+
+The runbook property associated with the entity.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `scheduleName`
+
+The schedule property associated with the entity.
+
+- Required: Yes
+- Type: string
+
### Parameter: `automationAccountName`
The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
-### Parameter: `name`
-
-Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value.
-- Required: No
-- Type: string
-- Default: `[newGuid()]`
-
### Parameter: `parameters`
List of job properties.
+
- Required: No
- Type: object
- Default: `{}`
-### Parameter: `runbookName`
-
-The runbook property associated with the entity.
-- Required: Yes
-- Type: string
-
### Parameter: `runOn`
The hybrid worker group that the scheduled job should run on.
+
- Required: No
- Type: string
- Default: `''`
-### Parameter: `scheduleName`
+### Parameter: `name`
-The schedule property associated with the entity.
-- Required: Yes
+Name of the Automation Account job schedule. Must be a GUID and is autogenerated. No need to provide this value.
+
+- Required: No
- Type: string
+- Default: `[newGuid()]`
## Outputs
diff --git a/modules/automation/automation-account/module/README.md b/modules/automation/automation-account/module/README.md
index 71d279aaf2..558c759726 100644
--- a/modules/automation/automation-account/module/README.md
+++ b/modules/automation/automation-account/module/README.md
@@ -39,15 +39,31 @@ This module deploys an Azure Automation Account Module.
| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. |
| [`version`](#parameter-version) | string | Module version or specify latest to get the latest version. |
+### Parameter: `name`
+
+Name of the Automation Account module.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `uri`
+
+Module package URI, e.g. https://www.powershellgallery.com/api/v2/package.
+
+- Required: Yes
+- Type: string
+
### Parameter: `automationAccountName`
The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -55,31 +71,22 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `location`
Location for all resources.
+
- Required: No
- Type: string
- Default: `[resourceGroup().location]`
-### Parameter: `name`
-
-Name of the Automation Account module.
-- Required: Yes
-- Type: string
-
### Parameter: `tags`
Tags of the Automation Account resource.
+
- Required: No
- Type: object
-### Parameter: `uri`
-
-Module package URI, e.g. https://www.powershellgallery.com/api/v2/package.
-- Required: Yes
-- Type: string
-
### Parameter: `version`
Module version or specify latest to get the latest version.
+
- Required: No
- Type: string
- Default: `'latest'`
diff --git a/modules/automation/automation-account/runbook/README.md b/modules/automation/automation-account/runbook/README.md
index e3b163f55f..6baba0a6a7 100644
--- a/modules/automation/automation-account/runbook/README.md
+++ b/modules/automation/automation-account/runbook/README.md
@@ -49,22 +49,41 @@ This module deploys an Azure Automation Account Runbook.
| :-- | :-- | :-- |
| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
-### Parameter: `automationAccountName`
+### Parameter: `name`
+
+Name of the Automation Account runbook.
-The name of the parent Automation Account. Required if the template is used in a standalone deployment.
- Required: Yes
- Type: string
-### Parameter: `baseTime`
+### Parameter: `type`
-Time used as a basis for e.g. the schedule start date.
-- Required: No
+The type of the runbook.
+
+- Required: Yes
+- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Graph'
+ 'GraphPowerShell'
+ 'GraphPowerShellWorkflow'
+ 'PowerShell'
+ 'PowerShellWorkflow'
+ ]
+ ```
+
+### Parameter: `automationAccountName`
+
+The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
- Type: string
-- Default: `[utcNow('u')]`
### Parameter: `description`
The description of the runbook.
+
- Required: No
- Type: string
- Default: `''`
@@ -72,6 +91,7 @@ The description of the runbook.
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -79,19 +99,15 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `location`
Location for all resources.
+
- Required: No
- Type: string
- Default: `[resourceGroup().location]`
-### Parameter: `name`
-
-Name of the Automation Account runbook.
-- Required: Yes
-- Type: string
-
### Parameter: `sasTokenValidityLength`
SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.
+
- Required: No
- Type: string
- Default: `'PT8H'`
@@ -99,34 +115,21 @@ SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for
### Parameter: `scriptStorageAccountResourceId`
Resource Id of the runbook storage account.
+
- Required: No
- Type: string
### Parameter: `tags`
Tags of the Automation Account resource.
+
- Required: No
- Type: object
-### Parameter: `type`
-
-The type of the runbook.
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Graph'
- 'GraphPowerShell'
- 'GraphPowerShellWorkflow'
- 'PowerShell'
- 'PowerShellWorkflow'
- ]
- ```
-
### Parameter: `uri`
The uri of the runbook content.
+
- Required: No
- Type: string
- Default: `''`
@@ -134,10 +137,19 @@ The uri of the runbook content.
### Parameter: `version`
The version of the runbook content.
+
- Required: No
- Type: string
- Default: `''`
+### Parameter: `baseTime`
+
+Time used as a basis for e.g. the schedule start date.
+
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
## Outputs
diff --git a/modules/automation/automation-account/schedule/README.md b/modules/automation/automation-account/schedule/README.md
index b4f572ed41..c322245c12 100644
--- a/modules/automation/automation-account/schedule/README.md
+++ b/modules/automation/automation-account/schedule/README.md
@@ -48,29 +48,32 @@ This module deploys an Azure Automation Account Schedule.
| :-- | :-- | :-- |
| [`baseTime`](#parameter-basetime) | string | Time used as a basis for e.g. the schedule start date. |
-### Parameter: `advancedSchedule`
+### Parameter: `name`
-The properties of the create Advanced Schedule.
-- Required: No
-- Type: object
-- Default: `{}`
+Name of the Automation Account schedule.
+
+- Required: Yes
+- Type: string
### Parameter: `automationAccountName`
The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
-### Parameter: `baseTime`
+### Parameter: `advancedSchedule`
+
+The properties of the create Advanced Schedule.
-Time used as a basis for e.g. the schedule start date.
- Required: No
-- Type: string
-- Default: `[utcNow('u')]`
+- Type: object
+- Default: `{}`
### Parameter: `description`
The description of the schedule.
+
- Required: No
- Type: string
- Default: `''`
@@ -78,6 +81,7 @@ The description of the schedule.
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -85,6 +89,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `expiryTime`
The end time of the schedule.
+
- Required: No
- Type: string
- Default: `''`
@@ -92,6 +97,7 @@ The end time of the schedule.
### Parameter: `frequency`
The frequency of the schedule.
+
- Required: No
- Type: string
- Default: `'OneTime'`
@@ -110,19 +116,15 @@ The frequency of the schedule.
### Parameter: `interval`
Anything.
+
- Required: No
- Type: int
- Default: `0`
-### Parameter: `name`
-
-Name of the Automation Account schedule.
-- Required: Yes
-- Type: string
-
### Parameter: `startTime`
The start time of the schedule.
+
- Required: No
- Type: string
- Default: `''`
@@ -130,10 +132,19 @@ The start time of the schedule.
### Parameter: `timeZone`
The time zone of the schedule.
+
- Required: No
- Type: string
- Default: `''`
+### Parameter: `baseTime`
+
+Time used as a basis for e.g. the schedule start date.
+
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
## Outputs
diff --git a/modules/automation/automation-account/software-update-configuration/README.md b/modules/automation/automation-account/software-update-configuration/README.md
index 0090d203d5..da37b18b6e 100644
--- a/modules/automation/automation-account/software-update-configuration/README.md
+++ b/modules/automation/automation-account/software-update-configuration/README.md
@@ -72,29 +72,79 @@ This module deploys an Azure Automation Account Software Update Configuration.
| :-- | :-- | :-- |
| [`baseTime`](#parameter-basetime) | string | Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule. |
+### Parameter: `frequency`
+
+The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided.
+
+- Required: Yes
+- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Day'
+ 'Hour'
+ 'Month'
+ 'OneTime'
+ 'Week'
+ ]
+ ```
+
+### Parameter: `name`
+
+The name of the Deployment schedule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `operatingSystem`
+
+The operating system to be configured by the deployment schedule.
+
+- Required: Yes
+- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Linux'
+ 'Windows'
+ ]
+ ```
+
+### Parameter: `rebootSetting`
+
+Reboot setting for the deployment schedule.
+
+- Required: Yes
+- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Always'
+ 'IfRequired'
+ 'Never'
+ 'RebootOnly'
+ ]
+ ```
+
### Parameter: `automationAccountName`
The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
### Parameter: `azureVirtualMachines`
List of azure resource IDs for azure virtual machines in scope for the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
-### Parameter: `baseTime`
-
-Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule.
-- Required: No
-- Type: string
-- Default: `[utcNow('u')]`
-
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -102,6 +152,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `excludeUpdates`
KB numbers or Linux packages excluded in the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
@@ -109,6 +160,7 @@ KB numbers or Linux packages excluded in the deployment schedule.
### Parameter: `expiryTime`
The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.
+
- Required: No
- Type: string
- Default: `''`
@@ -116,29 +168,15 @@ The end time of the deployment schedule in ISO 8601 format. YYYY-MM-DDTHH:MM:SS,
### Parameter: `expiryTimeOffsetMinutes`
The expiry time's offset in minutes.
+
- Required: No
- Type: int
- Default: `0`
-### Parameter: `frequency`
-
-The frequency of the deployment schedule. When using 'Hour', 'Day', 'Week' or 'Month', an interval needs to be provided.
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Day'
- 'Hour'
- 'Month'
- 'OneTime'
- 'Week'
- ]
- ```
-
### Parameter: `includeUpdates`
KB numbers or Linux packages included in the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
@@ -146,6 +184,7 @@ KB numbers or Linux packages included in the deployment schedule.
### Parameter: `interval`
The interval of the frequency for the deployment schedule. 1 Hour is every hour, 2 Day is every second day, etc.
+
- Required: No
- Type: int
- Default: `1`
@@ -153,6 +192,7 @@ The interval of the frequency for the deployment schedule. 1 Hour is every hour,
### Parameter: `isEnabled`
Enables the deployment schedule.
+
- Required: No
- Type: bool
- Default: `True`
@@ -160,6 +200,7 @@ Enables the deployment schedule.
### Parameter: `maintenanceWindow`
Maximum time allowed for the deployment schedule to run. Duration needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601.
+
- Required: No
- Type: string
- Default: `'PT2H'`
@@ -167,6 +208,7 @@ Maximum time allowed for the deployment schedule to run. Duration needs to be sp
### Parameter: `monthDays`
Can be used with frequency 'Month'. Provides the specific days of the month to run the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
@@ -210,19 +252,15 @@ Can be used with frequency 'Month'. Provides the specific days of the month to r
### Parameter: `monthlyOccurrences`
Can be used with frequency 'Month'. Provides the pattern/cadence for running the deployment schedule in a month. Takes objects formed like this {occurance(int),day(string)}. Day is the name of the day to run the deployment schedule, the occurance specifies which occurance of that day to run the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
-### Parameter: `name`
-
-The name of the Deployment schedule.
-- Required: Yes
-- Type: string
-
### Parameter: `nextRun`
The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00.
+
- Required: No
- Type: string
- Default: `''`
@@ -230,6 +268,7 @@ The next time the deployment schedule runs in ISO 8601 format. YYYY-MM-DDTHH:MM:
### Parameter: `nextRunOffsetMinutes`
The next run's offset in minutes.
+
- Required: No
- Type: int
- Default: `0`
@@ -237,6 +276,7 @@ The next run's offset in minutes.
### Parameter: `nonAzureComputerNames`
List of names of non-azure machines in scope for the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
@@ -244,26 +284,15 @@ List of names of non-azure machines in scope for the deployment schedule.
### Parameter: `nonAzureQueries`
Array of functions from a Log Analytics workspace, used to scope the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
-### Parameter: `operatingSystem`
-
-The operating system to be configured by the deployment schedule.
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Linux'
- 'Windows'
- ]
- ```
-
### Parameter: `postTaskParameters`
Parameters provided to the task running after the deployment schedule.
+
- Required: No
- Type: object
- Default: `{}`
@@ -271,6 +300,7 @@ Parameters provided to the task running after the deployment schedule.
### Parameter: `postTaskSource`
The source of the task running after the deployment schedule.
+
- Required: No
- Type: string
- Default: `''`
@@ -278,6 +308,7 @@ The source of the task running after the deployment schedule.
### Parameter: `preTaskParameters`
Parameters provided to the task running before the deployment schedule.
+
- Required: No
- Type: object
- Default: `{}`
@@ -285,28 +316,15 @@ Parameters provided to the task running before the deployment schedule.
### Parameter: `preTaskSource`
The source of the task running before the deployment schedule.
+
- Required: No
- Type: string
- Default: `''`
-### Parameter: `rebootSetting`
-
-Reboot setting for the deployment schedule.
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Always'
- 'IfRequired'
- 'Never'
- 'RebootOnly'
- ]
- ```
-
### Parameter: `scheduleDescription`
The schedules description.
+
- Required: No
- Type: string
- Default: `''`
@@ -314,6 +332,7 @@ The schedules description.
### Parameter: `scopeByLocations`
Specify locations to which to scope the deployment schedule to.
+
- Required: No
- Type: array
- Default: `[]`
@@ -321,6 +340,7 @@ Specify locations to which to scope the deployment schedule to.
### Parameter: `scopeByResources`
Specify the resources to scope the deployment schedule to.
+
- Required: No
- Type: array
- Default:
@@ -333,6 +353,7 @@ Specify the resources to scope the deployment schedule to.
### Parameter: `scopeByTags`
Specify tags to which to scope the deployment schedule to.
+
- Required: No
- Type: object
- Default: `{}`
@@ -340,6 +361,7 @@ Specify tags to which to scope the deployment schedule to.
### Parameter: `scopeByTagsOperation`
Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B).
+
- Required: No
- Type: string
- Default: `'All'`
@@ -354,6 +376,7 @@ Enables the scopeByTags to require All (Tag A and Tag B) or Any (Tag A or Tag B)
### Parameter: `startTime`
The start time of the deployment schedule in ISO 8601 format. To specify a specific time use YYYY-MM-DDTHH:MM:SS, 2021-12-31T23:00:00. For schedules where we want to start the deployment as soon as possible, specify the time segment only in 24 hour format, HH:MM, 22:00.
+
- Required: No
- Type: string
- Default: `''`
@@ -361,6 +384,7 @@ The start time of the deployment schedule in ISO 8601 format. To specify a speci
### Parameter: `timeZone`
Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID.
+
- Required: No
- Type: string
- Default: `'UTC'`
@@ -368,6 +392,7 @@ Time zone for the deployment schedule. IANA ID or a Windows Time Zone ID.
### Parameter: `updateClassifications`
Update classification included in the deployment schedule.
+
- Required: No
- Type: array
- Default:
@@ -395,6 +420,7 @@ Update classification included in the deployment schedule.
### Parameter: `weekDays`
Required when used with frequency 'Week'. Specified the day of the week to run the deployment schedule.
+
- Required: No
- Type: array
- Default: `[]`
@@ -411,6 +437,14 @@ Required when used with frequency 'Week'. Specified the day of the week to run t
]
```
+### Parameter: `baseTime`
+
+Do not touch. Is used to provide the base time for time comparison for startTime. If startTime is specified in HH:MM format, baseTime is used to check if the provided startTime has passed, adding one day before setting the deployment schedule.
+
+- Required: No
+- Type: string
+- Default: `[utcNow('u')]`
+
## Outputs
diff --git a/modules/automation/automation-account/variable/README.md b/modules/automation/automation-account/variable/README.md
index 99ec5a4985..f6b15abae7 100644
--- a/modules/automation/automation-account/variable/README.md
+++ b/modules/automation/automation-account/variable/README.md
@@ -39,15 +39,31 @@ This module deploys an Azure Automation Account Variable.
| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
| [`isEncrypted`](#parameter-isencrypted) | bool | If the variable should be encrypted. For security reasons encryption of variables should be enabled. |
+### Parameter: `name`
+
+The name of the variable.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `value`
+
+The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true.
+
+- Required: Yes
+- Type: securestring
+
### Parameter: `automationAccountName`
The name of the parent Automation Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
### Parameter: `description`
The description of the variable.
+
- Required: No
- Type: string
- Default: `''`
@@ -55,6 +71,7 @@ The description of the variable.
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -62,22 +79,11 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `isEncrypted`
If the variable should be encrypted. For security reasons encryption of variables should be enabled.
+
- Required: No
- Type: bool
- Default: `True`
-### Parameter: `name`
-
-The name of the variable.
-- Required: Yes
-- Type: string
-
-### Parameter: `value`
-
-The value of the variable. For security best practices, this value is always passed as a secure string as it could contain an encrypted value when the "isEncrypted" property is set to true.
-- Required: Yes
-- Type: securestring
-
## Outputs
diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md
index 74b8f009b7..74a78f3d57 100644
--- a/modules/batch/batch-account/README.md
+++ b/modules/batch/batch-account/README.md
@@ -614,9 +614,40 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {
| [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
+### Parameter: `name`
+
+Name of the Azure Batch.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `storageAccountId`
+
+The resource ID of the storage account to be used for auto-storage account.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `cMKKeyVaultResourceId`
+
+The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
+
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `keyVaultReferenceResourceId`
+
+The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault.
+
+- Required: No
+- Type: string
+- Default: `''`
+
### Parameter: `allowedAuthenticationModes`
List of allowed authentication modes for the Batch account that can be used to authenticate with the data plane.
+
- Required: No
- Type: array
- Default: `[]`
@@ -632,13 +663,7 @@ List of allowed authentication modes for the Batch account that can be used to a
### Parameter: `cMKKeyName`
The name of the customer managed key to use for encryption.
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `cMKKeyVaultResourceId`
-The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty.
- Required: No
- Type: string
- Default: `''`
@@ -646,6 +671,7 @@ The resource ID of a key vault to reference a customer managed key for encryptio ### Parameter: `cMKKeyVersion` The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. + - Required: No - Type: string - Default: `''` 
@@ -653,114 +679,90 @@ The version of the customer managed key to reference for encryption. If not prov ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -768,20 +770,15 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `keyVaultReferenceResourceId` - -The key vault to associate with the Batch account. Required if the 'poolAllocationMode' is set to 'UserSubscription' and requires the service principal 'Microsoft Azure Batch' to be granted contributor permissions on this key vault. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -789,26 +786,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -816,38 +822,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the Azure Batch. -- Required: Yes -- Type: string - ### Parameter: `networkProfileAllowedIpRanges` Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. + - Required: No - Type: array - Default: `[]` 
@@ -855,6 +858,7 @@ Array of IP ranges to filter client IP address. It is only applicable when publi ### Parameter: `networkProfileDefaultAction` The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. + - Required: No - Type: string - Default: `'Deny'` @@ -869,6 +873,7 @@ The network profile default action for endpoint access. It is only applicable wh ### Parameter: `poolAllocationMode` The allocation mode for creating pools in the Batch account. Determines which quota will be used. + - Required: No - Type: string - Default: `'BatchService'` 
@@ -883,197 +888,247 @@ The allocation mode for creating pools in the Batch account. Determines which qu ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -Optional. Application security groups in which the private endpoint IP configuration is included. +**Optional parameters** -- Required: No -- Type: array +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -### Parameter: `privateEndpoints.customDnsConfigs` +### Parameter: `privateEndpoints.subnetResourceId` -Optional. Custom DNS configurations. +Resource ID of the subnet where the endpoint needs to be created. -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. 
+A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. 
| -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` + +Manual PrivateLink Service Connections. -Required. A private ip address obtained from the private endpoint's subnet. +- Required: No +- Type: array -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.name` +The name of the private endpoint. +- Required: No +- Type: string -### Parameter: `privateEndpoints.location` +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. 
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string -Optional. The name of the private endpoint. +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1081,6 +1136,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. + - Required: No - Type: string - Default: `''` 
@@ -1096,87 +1152,104 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `storageAccessIdentity` The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. 
+ - Required: No - Type: string - Default: `''` -### Parameter: `storageAccountId` - -The resource ID of the storage account to be used for auto-storage account. -- Required: Yes -- Type: string - ### Parameter: `storageAuthenticationMode` The authentication mode which the Batch service will use to manage the auto-storage account. + - Required: No - Type: string - Default: `'StorageKeys'` @@ -1191,6 +1264,7 @@ The authentication mode which the Batch service will use to manage the auto-stor ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index e818d8120c..c39d1698a8 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -622,9 +622,17 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, the cluster will be deployed across availability zones. | +### Parameter: `name` + +The name of the Redis Cache Enterprise resource. + +- Required: Yes +- Type: string + ### Parameter: `capacity` The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, 6, ...) for Enterprise SKUs and (3, 9, 15, ...) for Flash SKUs. + - Required: No - Type: int - Default: `2` @@ -632,6 +640,7 @@ The size of the Redis Enterprise Cluster. Defaults to 2. Valid values are (2, 4, ### Parameter: `databases` The databases to create in the Redis Cache Enterprise Cluster. + - Required: No - Type: array - Default: `[]` 
@@ -639,86 +648,82 @@ The databases to create in the Redis Cache Enterprise Cluster. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -726,6 +731,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -733,6 +739,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` The geo-location where the resource lives. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -740,26 +747,35 @@ The geo-location where the resource lives. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -767,6 +783,7 @@ Optional. Specify the name of lock. ### Parameter: `minimumTlsVersion` Requires clients to use a specified TLS version (or higher) to connect. + - Required: No - Type: string - Default: `'1.2'` 
@@ -779,206 +796,250 @@ Requires clients to use a specified TLS version (or higher) to connect. ] ``` -### Parameter: `name` - -The name of the Redis Cache Enterprise resource. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. 
-| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. 
| -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. 
+ +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string -Optional. The name of the private endpoint. +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+ +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
-- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -986,74 +1047,96 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` The type of Redis Enterprise Cluster to deploy. + - Required: No - Type: string - Default: `'Enterprise_E10'` @@ -1073,12 +1156,14 @@ The type of Redis Enterprise Cluster to deploy. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneRedundant` When true, the cluster will be deployed across availability zones. + - Required: No - Type: bool - Default: `True` diff --git a/modules/cache/redis-enterprise/database/README.md b/modules/cache/redis-enterprise/database/README.md index 6e8576ffaf..31f20ebd4b 100644 --- a/modules/cache/redis-enterprise/database/README.md +++ b/modules/cache/redis-enterprise/database/README.md 
@@ -41,9 +41,50 @@ This module deploys a Redis Cache Enterprise Database. | [`persistenceRdbEnabled`](#parameter-persistencerdbenabled) | bool | Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. | | [`port`](#parameter-port) | int | TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. | +### Parameter: `persistenceAofFrequency` + +Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + '1s' + 'always' + ] + ``` + +### Parameter: `persistenceRdbFrequency` + +Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + '12h' + '1h' + '6h' + ] + ``` + +### Parameter: `redisCacheEnterpriseName` + +The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `clientProtocol` Specifies whether redis clients can connect using TLS-encrypted or plaintext redis protocols. Default is TLS-encrypted. + - Required: No - Type: string - Default: `'Encrypted'` @@ -58,6 +99,7 @@ Specifies whether redis clients can connect using TLS-encrypted or plaintext red ### Parameter: `clusteringPolicy` Specifies the clustering policy to enable at creation time of the Redis Cache Enterprise Cluster. + - Required: No - Type: string - Default: `'OSSCluster'` @@ -72,6 +114,7 @@ Specifies the clustering policy to enable at creation time of the Redis Cache En ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -79,6 +122,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `evictionPolicy` Redis eviction policy - default is VolatileLRU. + - Required: No - Type: string - Default: `'VolatileLRU'` @@ -99,6 +143,7 @@ Redis eviction policy - default is VolatileLRU. ### Parameter: `geoReplication` Optional set of properties to configure geo replication for this database. Geo replication prerequisites must be met. See "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-active-geo-replication#active-geo-replication-prerequisites" for more information. + - Required: No - Type: object - Default: `{}` @@ -106,6 +151,7 @@ Optional set of properties to configure geo replication for this database. Geo r ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -113,6 +159,7 @@ Location for all resources. ### Parameter: `modules` Optional set of redis modules to enable in this database - modules can only be added at creation time. + - Required: No - Type: array - Default: `[]` 
@@ -120,61 +167,27 @@ Optional set of redis modules to enable in this database - modules can only be a ### Parameter: `persistenceAofEnabled` Sets whether AOF is enabled. Required if setting AOF frequency. AOF and RDB persistence cannot be enabled at the same time. + - Required: No - Type: bool - Default: `False` -### Parameter: `persistenceAofFrequency` - -Sets the frequency at which data is written to disk. Required if AOF persistence is enabled. -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '1s' - 'always' - ] - ``` - ### Parameter: `persistenceRdbEnabled` Sets whether RDB is enabled. RDB and AOF persistence cannot be enabled at the same time. + - Required: No - Type: bool - Default: `False` -### Parameter: `persistenceRdbFrequency` - -Sets the frequency at which a snapshot of the database is created. Required if RDB persistence is enabled. -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '12h' - '1h' - '6h' - ] - ``` - ### Parameter: `port` TCP port of the database endpoint. Specified at create time. Default is (-1) meaning value is not set and defaults to an available port. Current supported port is 10000. + - Required: No - Type: int - Default: `-1` -### Parameter: `redisCacheEnterpriseName` - -The name of the parent Redis Cache Enterprise Cluster. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 33f02d5c1f..5f026c7c76 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md 
@@ -483,9 +483,17 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, replicas will be provisioned in availability zones specified in the zones parameter. | | [`zones`](#parameter-zones) | array | If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. | +### Parameter: `name` + +The name of the Redis cache resource. + +- Required: Yes +- Type: string + ### Parameter: `capacity` The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). + - Required: No - Type: int - Default: `1` 
@@ -505,114 +513,90 @@ The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) fami ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -620,6 +604,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -627,6 +612,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableNonSslPort` Specifies whether the non-ssl Redis server port (6379) is enabled. + - Required: No - Type: bool - Default: `False` @@ -634,6 +620,7 @@ Specifies whether the non-ssl Redis server port (6379) is enabled. ### Parameter: `location` The location to deploy the Redis cache service. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -641,26 +628,35 @@ The location to deploy the Redis cache service. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -668,25 +664,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -694,6 +692,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `minimumTlsVersion` Requires clients to use a specified TLS version (or higher) to connect. + - Required: No - Type: string - Default: `'1.2'` 
@@ -706,206 +705,250 @@ Requires clients to use a specified TLS version (or higher) to connect. ] ``` -### Parameter: `name` - -The name of the Redis cache resource. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. 
The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. 
| +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. 
| -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. 
| - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private endpoint. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -913,6 +956,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -928,6 +972,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `redisConfiguration` All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. + - Required: No - Type: object - Default: `{}` @@ -935,6 +980,7 @@ All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection ### Parameter: `redisVersion` Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). + - Required: No - Type: string - Default: `'6'` @@ -949,6 +995,7 @@ Redis version. Only major version will be used in PUT/PATCH request with current ### Parameter: `replicasPerMaster` The number of replicas to be created per primary. + - Required: No - Type: int - Default: `1` @@ -956,6 +1003,7 @@ The number of replicas to be created per primary. ### Parameter: `replicasPerPrimary` The number of replicas to be created per primary. + - Required: No - Type: int - Default: `1` 
@@ -963,74 +1011,96 @@ The number of replicas to be created per primary. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `shardCount` The number of shards to be created on a Premium Cluster Cache. + - Required: No - Type: int - Default: `1` @@ -1038,6 +1108,7 @@ The number of shards to be created on a Premium Cluster Cache. ### Parameter: `skuName` The type of Redis cache to deploy. + - Required: No - Type: string - Default: `'Basic'` @@ -1053,6 +1124,7 @@ The type of Redis cache to deploy. ### Parameter: `staticIP` Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. + - Required: No - Type: string - Default: `''` @@ -1060,6 +1132,7 @@ Static IP address. Optionally, may be specified when deploying a Redis cache ins ### Parameter: `subnetId` The full resource ID of a subnet in a virtual network to deploy the Redis cache in. Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1. + - Required: No - Type: string - Default: `''` @@ -1067,12 +1140,14 @@ The full resource ID of a subnet in a virtual network to deploy the Redis cache ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `tenantSettings` A dictionary of tenant settings. + - Required: No - Type: object - Default: `{}` @@ -1080,6 +1155,7 @@ A dictionary of tenant settings. ### Parameter: `zoneRedundant` When true, replicas will be provisioned in availability zones specified in the zones parameter. + - Required: No - Type: bool - Default: `True` 
@@ -1087,6 +1163,7 @@ When true, replicas will be provisioned in availability zones specified in the z ### Parameter: `zones` If the zoneRedundant parameter is true, replicas will be provisioned in the availability zones specified here. Otherwise, the service will choose where replicas are deployed. + - Required: No - Type: array - Default: `[]` diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 81efa1a9e1..cb61a8f771 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -610,9 +610,50 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { | [`secrets`](#parameter-secrets) | array | Array of secret objects. | | [`tags`](#parameter-tags) | object | Endpoint tags. | +### Parameter: `name` + +Name of the CDN profile. + +- Required: Yes +- Type: string + +### Parameter: `sku` + +The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Custom_Verizon' + 'Premium_AzureFrontDoor' + 'Premium_Verizon' + 'Standard_955BandWidth_ChinaCdn' + 'Standard_Akamai' + 'Standard_AvgBandWidth_ChinaCdn' + 'Standard_AzureFrontDoor' + 'Standard_ChinaCdn' + 'Standard_Microsoft' + 'Standard_Verizon' + 'StandardPlus_955BandWidth_ChinaCdn' + 'StandardPlus_AvgBandWidth_ChinaCdn' + 'StandardPlus_ChinaCdn' + ] + ``` + +### Parameter: `origionGroups` + +Array of origin group objects. Required if the afdEndpoints is specified. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `afdEndpoints` Array of AFD endpoint objects. + - Required: No - Type: array - Default: `[]` @@ -620,6 +661,7 @@ Array of AFD endpoint objects. ### Parameter: `customDomains` Array of custom domain objects. + - Required: No - Type: array - Default: `[]` @@ -627,6 +669,7 @@ Array of custom domain objects. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -634,6 +677,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endpointName` Name of the endpoint under the profile which is unique globally. + - Required: No - Type: string - Default: `''` @@ -641,6 +685,7 @@ Name of the endpoint under the profile which is unique globally. ### Parameter: `endpointProperties` Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). + - Required: No - Type: object - Default: `{}` @@ -648,6 +693,7 @@ Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/micro ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -655,121 +701,140 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the CDN profile. -- Required: Yes -- Type: string - ### Parameter: `originResponseTimeoutSeconds` Send and receive timeout on forwarding request to the origin. + - Required: No - Type: int - Default: `60` -### Parameter: `origionGroups` - -Array of origin group objects. Required if the afdEndpoints is specified. -- Required: No -- Type: array -- Default: `[]` - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ruleSets` Array of rule set objects. + - Required: No - Type: array - Default: `[]` 
@@ -777,37 +842,15 @@ Array of rule set objects. ### Parameter: `secrets` Array of secret objects. + - Required: No - Type: array - Default: `[]` -### Parameter: `sku` - -The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Custom_Verizon' - 'Premium_AzureFrontDoor' - 'Premium_Verizon' - 'Standard_955BandWidth_ChinaCdn' - 'Standard_Akamai' - 'Standard_AvgBandWidth_ChinaCdn' - 'Standard_AzureFrontDoor' - 'Standard_ChinaCdn' - 'Standard_Microsoft' - 'Standard_Verizon' - 'StandardPlus_955BandWidth_ChinaCdn' - 'StandardPlus_AvgBandWidth_ChinaCdn' - 'StandardPlus_ChinaCdn' - ] - ``` - ### Parameter: `tags` Endpoint tags. + - Required: No - Type: object diff --git a/modules/cdn/profile/afdEndpoint/README.md b/modules/cdn/profile/afdEndpoint/README.md index 550b574e0e..d2bd8ba7d6 100644 --- a/modules/cdn/profile/afdEndpoint/README.md +++ b/modules/cdn/profile/afdEndpoint/README.md @@ -41,9 +41,24 @@ This module deploys a CDN Profile AFD Endpoint. | [`routes`](#parameter-routes) | array | The list of routes for this AFD Endpoint. | | [`tags`](#parameter-tags) | object | The tags of the AFD Endpoint. | +### Parameter: `name` + +The name of the AFD Endpoint. + +- Required: Yes +- Type: string + +### Parameter: `profileName` + +The name of the parent CDN profile. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `autoGeneratedDomainNameLabelScope` Indicates the endpoint name reuse scope. The default value is TenantReuse. + - Required: No - Type: string - Default: `'TenantReuse'` @@ -60,6 +75,7 @@ Indicates the endpoint name reuse scope. The default value is TenantReuse. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -67,6 +83,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enabledState` Indicates whether the AFD Endpoint is enabled. The default value is Enabled. + - Required: No - Type: string - Default: `'Enabled'` @@ -81,25 +98,15 @@ Indicates whether the AFD Endpoint is enabled. The default value is Enabled. ### Parameter: `location` The location of the AFD Endpoint. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the AFD Endpoint. -- Required: Yes -- Type: string - -### Parameter: `profileName` - -The name of the parent CDN profile. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `routes` The list of routes for this AFD Endpoint. + - Required: No - Type: array - Default: `[]` @@ -107,6 +114,7 @@ The list of routes for this AFD Endpoint. ### Parameter: `tags` The tags of the AFD Endpoint. + - Required: No - Type: object diff --git a/modules/cdn/profile/afdEndpoint/route/README.md b/modules/cdn/profile/afdEndpoint/route/README.md index ee38e36c07..f00b17c993 100644 --- a/modules/cdn/profile/afdEndpoint/route/README.md +++ b/modules/cdn/profile/afdEndpoint/route/README.md @@ -45,12 +45,36 @@ This module deploys a CDN Profile AFD Endpoint route. ### Parameter: `afdEndpointName` The name of the AFD endpoint. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the route. + +- Required: Yes +- Type: string + +### Parameter: `originGroupName` + +The name of the origin group. The origin group must be defined in the profile originGroups. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `profileName` + +The name of the parent CDN profile. + - Required: Yes - Type: string ### Parameter: `cacheConfiguration` The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. + - Required: No - Type: object - Default: `{}` 
@@ -58,12 +82,14 @@ The caching configuration for this route. To disable caching, do not provide a c ### Parameter: `customDomainName` The name of the custom domain. The custom domain must be defined in the profile customDomains. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -71,6 +97,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enabledState` Whether this route is enabled. + - Required: No - Type: string - Default: `'Enabled'` @@ -85,6 +112,7 @@ Whether this route is enabled. ### Parameter: `forwardingProtocol` The protocol this rule will use when forwarding traffic to backends. + - Required: No - Type: string - Default: `'MatchRequest'` @@ -100,6 +128,7 @@ The protocol this rule will use when forwarding traffic to backends. ### Parameter: `httpsRedirect` Whether to automatically redirect HTTP traffic to HTTPS traffic. + - Required: No - Type: string - Default: `'Enabled'` @@ -114,6 +143,7 @@ Whether to automatically redirect HTTP traffic to HTTPS traffic. ### Parameter: `linkToDefaultDomain` Whether this route will be linked to the default endpoint domain. + - Required: No - Type: string - Default: `'Enabled'` @@ -125,22 +155,10 @@ Whether this route will be linked to the default endpoint domain. ] ``` -### Parameter: `name` - -The name of the route. -- Required: Yes -- Type: string - -### Parameter: `originGroupName` - -The name of the origin group. The origin group must be defined in the profile originGroups. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `originPath` A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. + - Required: No - Type: string - Default: `''` 
@@ -148,19 +166,15 @@ A directory path on the origin that AzureFrontDoor can use to retrieve content f ### Parameter: `patternsToMatch` The route patterns of the rule. + - Required: No - Type: array - Default: `[]` -### Parameter: `profileName` - -The name of the parent CDN profile. -- Required: Yes -- Type: string - ### Parameter: `ruleSets` The rule sets of the rule. The rule sets must be defined in the profile ruleSets. + - Required: No - Type: array - Default: `[]` @@ -168,6 +182,7 @@ The rule sets of the rule. The rule sets must be defined in the profile ruleSets ### Parameter: `supportedProtocols` The supported protocols of the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/cdn/profile/customdomain/README.md b/modules/cdn/profile/customdomain/README.md index 7ce7762573..33c0144835 100644 --- a/modules/cdn/profile/customdomain/README.md +++ b/modules/cdn/profile/customdomain/README.md @@ -42,16 +42,10 @@ This module deploys a CDN Profile Custom Domains. | :-- | :-- | :-- | | [`azureDnsZoneResourceId`](#parameter-azurednszoneresourceid) | string | Resource reference to the Azure DNS zone. | -### Parameter: `azureDnsZoneResourceId` - -Resource reference to the Azure DNS zone. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `certificateType` The type of the certificate used for secure delivery. + - Required: Yes - Type: string - Allowed: @@ -62,9 +56,31 @@ The type of the certificate used for secure delivery. ] ``` +### Parameter: `hostName` + +The host name of the domain. Must be a domain name. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the custom domain. + +- Required: Yes +- Type: string + +### Parameter: `profileName` + +The name of the CDN profile. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -72,19 +88,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `extendedProperties` Key-Value pair representing migration properties for domains. + - Required: No - Type: object - Default: `{}` -### Parameter: `hostName` - -The host name of the domain. Must be a domain name. -- Required: Yes -- Type: string - ### Parameter: `minimumTlsVersion` The minimum TLS version required for the custom domain. Default value: TLS12. + - Required: No - Type: string - Default: `'TLS12'` @@ -96,28 +108,26 @@ The minimum TLS version required for the custom domain. Default value: TLS12. ] ``` -### Parameter: `name` - -The name of the custom domain. -- Required: Yes -- Type: string - ### Parameter: `preValidatedCustomDomainResourceId` Resource reference to the Azure resource where custom domain ownership was prevalidated. + - Required: No - Type: string - Default: `''` -### Parameter: `profileName` +### Parameter: `secretName` -The name of the CDN profile. -- Required: Yes +The name of the secret. ie. subs/rg/profile/secret. + +- Required: No - Type: string +- Default: `''` -### Parameter: `secretName` +### Parameter: `azureDnsZoneResourceId` + +Resource reference to the Azure DNS zone. -The name of the secret. ie. subs/rg/profile/secret. - Required: No - Type: string - Default: `''` diff --git a/modules/cdn/profile/endpoint/README.md b/modules/cdn/profile/endpoint/README.md index f1a4da9f0f..2ed256dbe2 100644 --- a/modules/cdn/profile/endpoint/README.md +++ b/modules/cdn/profile/endpoint/README.md 
@@ -39,41 +39,47 @@ This module deploys a CDN Profile Endpoint. | [`location`](#parameter-location) | string | Resource location. | | [`tags`](#parameter-tags) | object | Endpoint tags. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `name` -### Parameter: `location` +Name of the endpoint under the profile which is unique globally. -Resource location. -- Required: No +- Required: Yes - Type: string -- Default: `[resourceGroup().location]` -### Parameter: `name` +### Parameter: `properties` + +Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). -Name of the endpoint under the profile which is unique globally. - Required: Yes -- Type: string +- Type: object ### Parameter: `profileName` The name of the parent CDN profile. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `properties` +### Parameter: `enableDefaultTelemetry` -Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details). -- Required: Yes -- Type: object +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Resource location. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` ### Parameter: `tags` Endpoint tags. + - Required: No - Type: object diff --git a/modules/cdn/profile/endpoint/origin/README.md b/modules/cdn/profile/endpoint/origin/README.md index 706d8a9c4a..f68d78a71a 100644 --- a/modules/cdn/profile/endpoint/origin/README.md +++ b/modules/cdn/profile/endpoint/origin/README.md 
@@ -46,61 +46,31 @@ This module deploys a CDN Profile Endpoint Origin. | [`privateLinkResourceId`](#parameter-privatelinkresourceid) | string | The private link resource ID of the origin. | | [`profileName`](#parameter-profilename) | string | The name of the CDN profile. Default to "default". | -### Parameter: `enabled` - -Whether the origin is enabled for load balancing. -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `endpointName` The name of the CDN Endpoint. + - Required: Yes - Type: string ### Parameter: `hostName` The hostname of the origin. + - Required: Yes - Type: string -### Parameter: `httpPort` - -The HTTP port of the origin. -- Required: No -- Type: int -- Default: `80` - -### Parameter: `httpsPort` - -The HTTPS port of the origin. -- Required: No -- Type: int -- Default: `443` - ### Parameter: `name` The name of the origin. -- Required: Yes -- Type: string - -### Parameter: `originHostHeader` -The host header value sent to the origin. - Required: Yes - Type: string ### Parameter: `priority` The priority of origin in given origin group for load balancing. Required if `weight` is provided. + - Required: No - Type: int - Default: `-1` 
@@ -108,35 +78,79 @@ The priority of origin in given origin group for load balancing. Required if `we ### Parameter: `privateLinkAlias` The private link alias of the origin. Required if privateLinkLocation is provided. + - Required: Yes - Type: string ### Parameter: `privateLinkLocation` The private link location of the origin. Required if privateLinkAlias is provided. + +- Required: Yes +- Type: string + +### Parameter: `weight` + +The weight of the origin used for load balancing. Required if `priority` is provided. + +- Required: No +- Type: int +- Default: `-1` + +### Parameter: `enabled` + +Whether the origin is enabled for load balancing. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `httpPort` + +The HTTP port of the origin. + +- Required: No +- Type: int +- Default: `80` + +### Parameter: `httpsPort` + +The HTTPS port of the origin. + +- Required: No +- Type: int +- Default: `443` + +### Parameter: `originHostHeader` + +The host header value sent to the origin. + - Required: Yes - Type: string ### Parameter: `privateLinkResourceId` The private link resource ID of the origin. + - Required: Yes - Type: string ### Parameter: `profileName` The name of the CDN profile. Default to "default". + - Required: No - Type: string - Default: `'default'` -### Parameter: `weight` - -The weight of the origin used for load balancing. Required if `priority` is provided. -- Required: No -- Type: int -- Default: `-1` - ## Outputs diff --git a/modules/cdn/profile/origingroup/README.md b/modules/cdn/profile/origingroup/README.md index 9bdf5278c6..7b01a13bb7 100644 --- a/modules/cdn/profile/origingroup/README.md +++ b/modules/cdn/profile/origingroup/README.md 
@@ -36,35 +36,24 @@ This module deploys a CDN Profile Origin Group. | [`sessionAffinityState`](#parameter-sessionaffinitystate) | string | Whether to allow session affinity on this host. | | [`trafficRestorationTimeToHealedOrNewEndpointsInMinutes`](#parameter-trafficrestorationtimetohealedornewendpointsinminutes) | int | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `healthProbeSettings` - -Health probe settings to the origin that is used to determine the health of the origin. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `loadBalancingSettings` Load balancing settings for a backend pool. + - Required: Yes - Type: object ### Parameter: `name` The name of the origin group. + - Required: Yes - Type: string ### Parameter: `origins` The list of origins within the origin group. + - Required: No - Type: array - Default: `[]` @@ -72,12 +61,30 @@ The list of origins within the origin group. ### Parameter: `profileName` The name of the CDN profile. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `healthProbeSettings` + +Health probe settings to the origin that is used to determine the health of the origin. + +- Required: No +- Type: object +- Default: `{}` + ### Parameter: `sessionAffinityState` Whether to allow session affinity on this host. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -92,6 +99,7 @@ Whether to allow session affinity on this host. ### Parameter: `trafficRestorationTimeToHealedOrNewEndpointsInMinutes` Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. + - Required: No - Type: int - Default: `10` diff --git a/modules/cdn/profile/origingroup/origin/README.md b/modules/cdn/profile/origingroup/origin/README.md index b85b8c8edc..50ca9fa71e 100644 --- a/modules/cdn/profile/origingroup/origin/README.md +++ b/modules/cdn/profile/origingroup/origin/README.md @@ -40,9 +40,38 @@ This module deploys a CDN Profile Origin. | [`sharedPrivateLinkResource`](#parameter-sharedprivatelinkresource) | object | The properties of the private link resource for private origin. | | [`weight`](#parameter-weight) | int | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. | +### Parameter: `hostName` + +The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the origion. + +- Required: Yes +- Type: string + +### Parameter: `originGroupName` + +The name of the group. + +- Required: Yes +- Type: string + +### Parameter: `profileName` + +The name of the CDN profile. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,6 +79,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enabledState` Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -64,19 +94,15 @@ Whether to enable health probes to be made against backends defined under backen ### Parameter: `enforceCertificateNameCheck` Whether to enable certificate name check at origin level. + - Required: No - Type: bool - Default: `True` -### Parameter: `hostName` - -The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. -- Required: Yes -- Type: string - ### Parameter: `httpPort` The value of the HTTP port. Must be between 1 and 65535. + - Required: No - Type: int - Default: `80` @@ -84,25 +110,15 @@ The value of the HTTP port. Must be between 1 and 65535. ### Parameter: `httpsPort` The value of the HTTPS port. Must be between 1 and 65535. + - Required: No - Type: int - Default: `443` -### Parameter: `name` - -The name of the origion. -- Required: Yes -- Type: string - -### Parameter: `originGroupName` - -The name of the group. -- Required: Yes -- Type: string - ### Parameter: `originHostHeader` The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. + - Required: No - Type: string - Default: `''` @@ -110,19 +126,15 @@ The host header value sent to the origin with each request. If you leave this bl ### Parameter: `priority` Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. + - Required: No - Type: int - Default: `1` -### Parameter: `profileName` - -The name of the CDN profile. -- Required: Yes -- Type: string - ### Parameter: `sharedPrivateLinkResource` The properties of the private link resource for private origin. + - Required: No - Type: object - Default: `{}` 
@@ -130,6 +142,7 @@ The properties of the private link resource for private origin. ### Parameter: `weight` Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. + - Required: No - Type: int - Default: `1000` diff --git a/modules/cdn/profile/ruleset/README.md b/modules/cdn/profile/ruleset/README.md index e7dc4c15de..d42984d60e 100644 --- a/modules/cdn/profile/ruleset/README.md +++ b/modules/cdn/profile/ruleset/README.md @@ -37,28 +37,32 @@ This module deploys a CDN Profile rule set. | :-- | :-- | :-- | | [`rules`](#parameter-rules) | array | The rules to apply to the rule set. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the rule set. + - Required: Yes - Type: string ### Parameter: `profileName` The name of the CDN profile. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rules` The rules to apply to the rule set. + - Required: No - Type: array - Default: `[]` diff --git a/modules/cdn/profile/ruleset/rule/README.md b/modules/cdn/profile/ruleset/rule/README.md index 266206f611..75419429db 100644 --- a/modules/cdn/profile/ruleset/rule/README.md +++ b/modules/cdn/profile/ruleset/rule/README.md 
@@ -35,30 +35,10 @@ This module deploys a CDN Profile rule. | [`conditions`](#parameter-conditions) | array | A list of conditions that must be matched for the actions to be executed. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `actions` - -A list of actions that are executed when all the conditions of a rule are satisfied. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `conditions` - -A list of conditions that must be matched for the actions to be executed. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `matchProcessingBehavior` If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. + - Required: Yes - Type: string - Allowed: 
@@ -72,27 +52,55 @@ If this rule is a match should the rules engine continue running the remaining r ### Parameter: `name` The name of the rule. + - Required: Yes - Type: string ### Parameter: `order` The order in which this rule will be applied. Rules with a lower order are applied before rules with a higher order. + - Required: Yes - Type: int ### Parameter: `profileName` The name of the profile. + - Required: Yes - Type: string ### Parameter: `ruleSetName` The name of the rule set. + - Required: Yes - Type: string +### Parameter: `actions` + +A list of actions that are executed when all the conditions of a rule are satisfied. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `conditions` + +A list of conditions that must be matched for the actions to be executed. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/cdn/profile/secret/README.md b/modules/cdn/profile/secret/README.md index 2a539a98af..b1b08a4d45 100644 --- a/modules/cdn/profile/secret/README.md +++ b/modules/cdn/profile/secret/README.md 
@@ -40,35 +40,57 @@ This module deploys a CDN Profile Secret. | [`subjectAlternativeNames`](#parameter-subjectalternativenames) | array | The subject alternative names of the secrect. | | [`useLatestVersion`](#parameter-uselatestversion) | bool | Indicates whether to use the latest version of the secrect. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the secrect. + - Required: Yes - Type: string +### Parameter: `type` + +The type of the secrect. + +- Required: No +- Type: string +- Default: `'AzureFirstPartyManagedCertificate'` +- Allowed: + ```Bicep + [ + 'AzureFirstPartyManagedCertificate' + 'CustomerCertificate' + 'ManagedCertificate' + 'UrlSigningKey' + ] + ``` + ### Parameter: `profileName` The name of the parent CDN profile. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `secretSourceResourceId` The resource ID of the secrect source. Required if the type is CustomerCertificate. + - Required: No - Type: string - Default: `''` +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `secretVersion` The version of the secret. + - Required: No - Type: string - Default: `''` 
@@ -76,29 +98,15 @@ The version of the secret. ### Parameter: `subjectAlternativeNames` The subject alternative names of the secrect. + - Required: No - Type: array - Default: `[]` -### Parameter: `type` - -The type of the secrect. -- Required: No -- Type: string -- Default: `'AzureFirstPartyManagedCertificate'` -- Allowed: - ```Bicep - [ - 'AzureFirstPartyManagedCertificate' - 'CustomerCertificate' - 'ManagedCertificate' - 'UrlSigningKey' - ] - ``` - ### Parameter: `useLatestVersion` Indicates whether to use the latest version of the secrect. + - Required: No - Type: bool - Default: `False` diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 5a6f311874..fdc4c529e8 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md 
@@ -732,37 +732,51 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`userOwnedStorage`](#parameter-userownedstorage) | array | The storage accounts for this resource. | -### Parameter: `allowedFqdnList` +### Parameter: `kind` -List of allowed FQDN. -- Required: No -- Type: array -- Default: `[]` +Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. -### Parameter: `apiProperties` +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'AnomalyDetector' + 'Bing.Autosuggest.v7' + 'Bing.CustomSearch' + 'Bing.EntitySearch' + 'Bing.Search.v7' + 'Bing.SpellCheck.v7' + 'CognitiveServices' + 'ComputerVision' + 'ContentModerator' + 'CustomVision.Prediction' + 'CustomVision.Training' + 'Face' + 'FormRecognizer' + 'ImmersiveReader' + 'Internal.AllInOne' + 'LUIS' + 'LUIS.Authoring' + 'Personalizer' + 'QnAMaker' + 'SpeechServices' + 'TextAnalytics' + 'TextTranslation' + ] + ``` -The API properties for special APIs. -- Required: No -- Type: object -- Default: `{}` +### Parameter: `name` -### Parameter: `cMKKeyName` +The name of Cognitive Services account. -The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. -- Required: No +- Required: Yes - Type: string -- Default: `''` ### Parameter: `cMKKeyVaultResourceId` The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `cMKKeyVersion` -The version of the customer managed key to reference for encryption. If not provided, latest is used. - Required: No - Type: string - Default: `''` 
@@ -770,6 +784,7 @@ The version of the customer managed key to reference for encryption. If not prov ### Parameter: `cMKUserAssignedIdentityResourceId` User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. + - Required: No - Type: string - Default: `''` 
@@ -777,121 +792,130 @@ User assigned identity to use when fetching the customer managed key. Required i ### Parameter: `customSubDomainName` Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. + - Required: No - Type: string - Default: `''` -### Parameter: `diagnosticSettings` +### Parameter: `allowedFqdnList` + +List of allowed FQDN. -The diagnostic settings of the service. - Required: No - Type: array +- Default: `[]` +### Parameter: `apiProperties` -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | - -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` - -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +The API properties for special APIs. - Required: No -- Type: string +- Type: object +- Default: `{}` -### Parameter: `diagnosticSettings.eventHubName` +### Parameter: `cMKKeyName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. - Required: No - Type: string +- Default: `''` -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` +### Parameter: `cMKKeyVersion` -Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +The version of the customer managed key to reference for encryption. If not provided, latest is used. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Default: `''` -### Parameter: `diagnosticSettings.logCategoriesAndGroups` +### Parameter: `diagnosticSettings` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The diagnostic settings of the service. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. 
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` +### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` -### Parameter: `diagnosticSettings.metricCategories` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. 
| - -### Parameter: `diagnosticSettings.metricCategories.category` +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. -- Required: Yes +- Required: No - Type: string +### Parameter: `diagnosticSettings.metricCategories` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string 
@@ -899,6 +923,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` Allow only Azure AD authentication. Should be enabled for security reasons. + - Required: No - Type: bool - Default: `True` @@ -906,6 +931,7 @@ Allow only Azure AD authentication. Should be enabled for security reasons. ### Parameter: `dynamicThrottlingEnabled` The flag to enable dynamic throttling. + - Required: No - Type: bool - Default: `False` @@ -913,46 +939,15 @@ The flag to enable dynamic throttling. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `kind` - -Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'AnomalyDetector' - 'Bing.Autosuggest.v7' - 'Bing.CustomSearch' - 'Bing.EntitySearch' - 'Bing.Search.v7' - 'Bing.SpellCheck.v7' - 'CognitiveServices' - 'ComputerVision' - 'ContentModerator' - 'CustomVision.Prediction' - 'CustomVision.Training' - 'Face' - 'FormRecognizer' - 'ImmersiveReader' - 'Internal.AllInOne' - 'LUIS' - 'LUIS.Authoring' - 'Personalizer' - 'QnAMaker' - 'SpeechServices' - 'TextAnalytics' - 'TextTranslation' - ] - ``` - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -960,26 +955,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -987,25 +991,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - Required: No - Type: array 
@@ -1013,19 +1019,15 @@ Optional. The resource ID(s) to assign to the resource. Required if a user assig ### Parameter: `migrationToken` Resource migration token. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of Cognitive Services account. -- Required: Yes -- Type: string - ### Parameter: `networkAcls` A collection of rules governing the accessibility from specific network locations. + - Required: No - Type: object - Default: `{}` 
@@ -1033,197 +1035,247 @@ A collection of rules governing the accessibility from specific network location ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. 
| +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. 
| +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
- Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` -Optional. The name of the private endpoint. +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1231,6 +1283,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. + - Required: No - Type: string - Default: `''` @@ -1246,6 +1299,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `restore` Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. + - Required: No - Type: bool - Default: `False` 
@@ -1253,6 +1307,7 @@ Restore a soft-deleted cognitive service at deployment time. Will fail if no suc ### Parameter: `restrictOutboundNetworkAccess` Restrict outbound network access. + - Required: No - Type: bool - Default: `True` 
@@ -1260,74 +1315,96 @@ Restrict outbound network access. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sku` SKU of the Cognitive Services resource. 
Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. + - Required: No - Type: string - Default: `'S0'` @@ -1357,12 +1434,14 @@ SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `userOwnedStorage` The storage accounts for this resource. + - Required: No - Type: array - Default: `[]` diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index 7eb1754df5..8f1eeb1480 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -285,9 +285,17 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { | [`skuName`](#parameter-skuname) | string | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | +### Parameter: `name` + +The name of the availability set that is being created. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -295,6 +303,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Resource location. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -302,39 +311,43 @@ Resource location. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the availability set that is being created. -- Required: Yes -- Type: string - ### Parameter: `platformFaultDomainCount` The number of fault domains to use. + - Required: No - Type: int - Default: `2` @@ -342,6 +355,7 @@ The number of fault domains to use. ### Parameter: `platformUpdateDomainCount` The number of update domains to use. + - Required: No - Type: int - Default: `5` 
@@ -349,6 +363,7 @@ The number of update domains to use.
 ### Parameter: `proximityPlacementGroupResourceId`
 
 Resource ID of a proximity placement group.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -356,74 +371,96 @@ Resource ID of a proximity placement group. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. + - Required: No - Type: string - Default: `'Aligned'` @@ -431,6 +468,7 @@ SKU of the availability set.

- Use 'Aligned' for virtual machines with manage ### Parameter: `tags` Tags of the availability set resource. + - Required: No - Type: object diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index 48783288cd..5c0be2dd82 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -389,9 +389,31 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. | +### Parameter: `keyName` + +Key URL (with version) pointing to a key or secret in KeyVault. + +- Required: Yes +- Type: string + +### Parameter: `keyVaultResourceId` + +Resource ID of the KeyVault containing the key or secret. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the disk encryption set that is being created. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -399,6 +421,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `encryptionType` The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. + - Required: No - Type: string - Default: `'EncryptionAtRestWithPlatformAndCustomerKeys'` 
@@ -413,25 +436,15 @@ The type of key used to encrypt the data of the disk. For security reasons, it i ### Parameter: `federatedClientId` Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. + - Required: No - Type: string - Default: `'None'` -### Parameter: `keyName` - -Key URL (with version) pointing to a key or secret in KeyVault. -- Required: Yes -- Type: string - -### Parameter: `keyVaultResourceId` - -Resource ID of the KeyVault containing the key or secret. -- Required: Yes -- Type: string - ### Parameter: `keyVersion` The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. + - Required: No - Type: string - Default: `''` @@ -439,6 +452,7 @@ The version of the customer managed key to reference for encryption. If not prov ### Parameter: `location` Resource location. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -446,26 +460,35 @@ Resource location. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -473,6 +496,7 @@ Optional. Specify the name of lock.
 ### Parameter: `managedIdentities`
 
 The managed identity definition for this resource. At least one identity type is required.
+
 - Required: No
 - Type: object
 - Default:
@@ -482,103 +506,120 @@ The managed identity definition for this resource. At least one identity type is } ``` +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the disk encryption set that is being created. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. 
| -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `rotationToLatestKeyVersionEnabled` Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. + - Required: No - Type: bool - Default: `False` @@ -586,6 +627,7 @@ Set this flag to true to enable auto-updating of this disk encryption set to the ### Parameter: `tags` Tags of the disk encryption resource. + - Required: No - Type: object 
diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index feef599a20..3bc00fac1b 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -580,9 +580,52 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | | [`uploadSizeBytes`](#parameter-uploadsizebytes) | int | If create option is Upload, this is the size of the contents of the upload including the VHD footer. | +### Parameter: `name` + +The name of the disk that is being created. + +- Required: Yes +- Type: string + +### Parameter: `sku` + +The disks sku name. Can be . + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Premium_LRS' + 'Premium_ZRS' + 'Premium_ZRS' + 'PremiumV2_LRS' + 'Standard_LRS' + 'StandardSSD_LRS' + 'UltraSSD_LRS' + ] + ``` + +### Parameter: `diskSizeGB` + +The size of the disk to create. Required if create option is Empty. + +- Required: No +- Type: int +- Default: `0` + +### Parameter: `storageAccountId` + +The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `acceleratedNetwork` True if the image from which the OS disk is created supports accelerated networking. + - Required: No - Type: bool - Default: `False` @@ -590,6 +633,7 @@ True if the image from which the OS disk is created supports accelerated network ### Parameter: `architecture` CPU architecture supported by an OS disk. + - Required: No - Type: string - Default: `''` @@ -605,6 +649,7 @@ CPU architecture supported by an OS disk. ### Parameter: `burstingEnabled` Set to true to enable bursting beyond the provisioned performance target of the disk. + - Required: No - Type: bool - Default: `False` 
@@ -612,6 +657,7 @@ Set to true to enable bursting beyond the provisioned performance target of the ### Parameter: `completionPercent` Percentage complete for the background copy when a resource is created via the CopyStart operation. + - Required: No - Type: int - Default: `100` @@ -619,6 +665,7 @@ Percentage complete for the background copy when a resource is created via the C ### Parameter: `createOption` Sources of a disk creation. + - Required: No - Type: string - Default: `'Empty'` @@ -641,6 +688,7 @@ Sources of a disk creation. ### Parameter: `diskIOPSReadWrite` The number of IOPS allowed for this disk; only settable for UltraSSD disks. + - Required: No - Type: int - Default: `0` @@ -648,13 +696,7 @@ The number of IOPS allowed for this disk; only settable for UltraSSD disks. ### Parameter: `diskMBpsReadWrite` The bandwidth allowed for this disk; only settable for UltraSSD disks. -- Required: No -- Type: int -- Default: `0` -### Parameter: `diskSizeGB` - -The size of the disk to create. Required if create option is Empty. - Required: No - Type: int - Default: `0` @@ -662,6 +704,7 @@ The size of the disk to create. Required if create option is Empty. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -669,6 +712,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `hyperVGeneration` The hypervisor generation of the Virtual Machine. Applicable to OS disks only. + - Required: No - Type: string - Default: `'V2'` @@ -683,6 +727,7 @@ The hypervisor generation of the Virtual Machine. Applicable to OS disks only. ### Parameter: `imageReferenceId` A relative uri containing either a Platform Image Repository or user image reference. + - Required: No - Type: string - Default: `''` 
@@ -690,6 +735,7 @@ A relative uri containing either a Platform Image Repository or user image refer ### Parameter: `location` Resource location. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -697,26 +743,35 @@ Resource location. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -724,6 +779,7 @@ Optional. Specify the name of lock. ### Parameter: `logicalSectorSize` Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. + - Required: No - Type: int - Default: `4096` @@ -731,19 +787,15 @@ Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. ### Parameter: `maxShares` The maximum number of VMs that can attach to the disk at the same time. Default value is 0. + - Required: No - Type: int - Default: `1` -### Parameter: `name` - -The name of the disk that is being created. -- Required: Yes -- Type: string - ### Parameter: `networkAccessPolicy` Policy for accessing the disk via network. + - Required: No - Type: string - Default: `'DenyAll'` 
@@ -759,6 +811,7 @@ Policy for accessing the disk via network. ### Parameter: `optimizedForFrequentAttach` Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. + - Required: No - Type: bool - Default: `False` @@ -766,6 +819,7 @@ Setting this property to true improves reliability and performance of data disks ### Parameter: `osType` Sources of a disk creation. + - Required: No - Type: string - Default: `''` @@ -781,6 +835,7 @@ Sources of a disk creation. ### Parameter: `publicNetworkAccess` Policy for controlling export on the disk. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -795,99 +850,104 @@ Policy for controlling export on the disk. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securityDataUri` If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. + - Required: No - Type: string - Default: `''` -### Parameter: `sku` - -The disks sku name. Can be . -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Premium_LRS' - 'Premium_ZRS' - 'Premium_ZRS' - 'PremiumV2_LRS' - 'Standard_LRS' - 'StandardSSD_LRS' - 'UltraSSD_LRS' - ] - ``` - ### Parameter: `sourceResourceId` If create option is Copy, this is the ARM ID of the source snapshot or disk. + - Required: No - Type: string - Default: `''` @@ -895,13 +955,7 @@ If create option is Copy, this is the ARM ID of the source snapshot or disk. ### Parameter: `sourceUri` If create option is Import, this is the URI of a blob to be imported into a managed disk. -- Required: No -- Type: string -- Default: `''` -### Parameter: `storageAccountId` - -The resource ID of the storage account containing the blob to import as a disk. Required if create option is Import. - Required: No - Type: string - Default: `''` @@ -909,12 +963,14 @@ The resource ID of the storage account containing the blob to import as a disk. ### Parameter: `tags` Tags of the availability set resource. + - Required: No - Type: object ### Parameter: `uploadSizeBytes` If create option is Upload, this is the size of the contents of the upload including the VHD footer. + - Required: No - Type: int - Default: `20972032` diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 478eaa6765..b23170f00f 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md 
@@ -754,9 +754,17 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags for all resources. | +### Parameter: `name` + +Name of the Azure Compute Gallery. + +- Required: Yes +- Type: string + ### Parameter: `applications` Applications to create. + - Required: No - Type: array - Default: `[]` @@ -764,6 +772,7 @@ Applications to create. ### Parameter: `description` Description of the Azure Shared Image Gallery. + - Required: No - Type: string - Default: `''` @@ -771,6 +780,7 @@ Description of the Azure Shared Image Gallery. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -778,6 +788,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `images` Images to create. + - Required: No - Type: array - Default: `[]` @@ -785,6 +796,7 @@ Images to create. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -792,107 +804,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Azure Compute Gallery. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags for all resources. + - Required: No - Type: object diff --git a/modules/compute/gallery/application/README.md b/modules/compute/gallery/application/README.md index 00ecdbd247..e07919f955 100644 --- a/modules/compute/gallery/application/README.md +++ b/modules/compute/gallery/application/README.md 
@@ -47,9 +47,24 @@ This module deploys an Azure Compute Gallery Application. | [`supportedOSType`](#parameter-supportedostype) | string | This property allows you to specify the supported type of the OS that application is built for. | | [`tags`](#parameter-tags) | object | Tags for all resources. | +### Parameter: `name` + +Name of the application definition. + +- Required: Yes +- Type: string + +### Parameter: `galleryName` + +The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `customActions` A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. + - Required: No - Type: array - Default: `[]` @@ -57,6 +72,7 @@ A list of custom actions that can be performed with all of the Gallery Applicati ### Parameter: `description` The description of this gallery Application Definition resource. This property is updatable. + - Required: No - Type: string - Default: `''` @@ -64,6 +80,7 @@ The description of this gallery Application Definition resource. This property i ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -71,6 +88,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endOfLifeDate` The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. + - Required: No - Type: string - Default: `''` 
@@ -78,32 +96,23 @@ The end of life date of the gallery Image Definition. This property can be used ### Parameter: `eula` The Eula agreement for the gallery Application Definition. Has to be a valid URL. + - Required: No - Type: string - Default: `''` -### Parameter: `galleryName` - -The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Name of the application definition. -- Required: Yes -- Type: string - ### Parameter: `privacyStatementUri` The privacy statement uri. Has to be a valid URL. + - Required: No - Type: string - Default: `''` @@ -111,6 +120,7 @@ The privacy statement uri. Has to be a valid URL. ### Parameter: `releaseNoteUri` The release note uri. Has to be a valid URL. + - Required: No - Type: string - Default: `''` 
@@ -118,74 +128,96 @@ The release note uri. Has to be a valid URL. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `supportedOSType` This property allows you to specify the supported type of the OS that application is built for. 
+ - Required: No - Type: string - Default: `'Windows'` @@ -200,6 +232,7 @@ This property allows you to specify the supported type of the OS that applicatio ### Parameter: `tags` Tags for all resources. + - Required: No - Type: object diff --git a/modules/compute/gallery/image/README.md b/modules/compute/gallery/image/README.md index d4ea8b2d72..a1299ecc52 100644 --- a/modules/compute/gallery/image/README.md +++ b/modules/compute/gallery/image/README.md @@ -61,9 +61,24 @@ This module deploys an Azure Compute Gallery Image Definition. | [`sku`](#parameter-sku) | string | The name of the gallery Image Definition SKU. | | [`tags`](#parameter-tags) | object | Tags for all resources. | +### Parameter: `name` + +Name of the image definition. + +- Required: Yes +- Type: string + +### Parameter: `galleryName` + +The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `description` The description of this gallery Image Definition resource. This property is updatable. + - Required: No - Type: string - Default: `''` @@ -71,6 +86,7 @@ The description of this gallery Image Definition resource. This property is upda ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -78,6 +94,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endOfLife` The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. + - Required: No - Type: string - Default: `''` @@ -85,6 +102,7 @@ The end of life date of the gallery Image Definition. This property can be used ### Parameter: `eula` The Eula agreement for the gallery Image Definition. Has to be a valid URL. + - Required: No - Type: string - Default: `''` 
@@ -92,19 +110,15 @@ The Eula agreement for the gallery Image Definition. Has to be a valid URL. ### Parameter: `excludedDiskTypes` List of the excluded disk types. E.g. Standard_LRS. + - Required: No - Type: array - Default: `[]` -### Parameter: `galleryName` - -The name of the parent Azure Shared Image Gallery. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `hyperVGeneration` The hypervisor generation of the Virtual Machine.

- If this value is not specified, then it is determined by the securityType parameter.

- If the securityType parameter is specified, then the value of hyperVGeneration will be V2, else V1. + - Required: No - Type: string - Default: `''` @@ -120,6 +134,7 @@ The hypervisor generation of the Virtual Machine.

- If this value is not spec ### Parameter: `isAcceleratedNetworkSupported` The image supports accelerated networking.

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types. + - Required: No - Type: string - Default: `'false'` @@ -134,6 +149,7 @@ The image supports accelerated networking.

Accelerated networking enables sin ### Parameter: `isHibernateSupported` The image will support hibernation. + - Required: No - Type: string - Default: `'false'` @@ -148,6 +164,7 @@ The image will support hibernation. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -155,6 +172,7 @@ Location for all resources. ### Parameter: `maxRecommendedMemory` The maximum amount of RAM in GB recommended for this image. + - Required: No - Type: int - Default: `16` @@ -162,6 +180,7 @@ The maximum amount of RAM in GB recommended for this image. ### Parameter: `maxRecommendedvCPUs` The maximum number of the CPU cores recommended for this image. + - Required: No - Type: int - Default: `4` @@ -169,6 +188,7 @@ The maximum number of the CPU cores recommended for this image. ### Parameter: `minRecommendedMemory` The minimum amount of RAM in GB recommended for this image. + - Required: No - Type: int - Default: `4` @@ -176,19 +196,15 @@ The minimum amount of RAM in GB recommended for this image. ### Parameter: `minRecommendedvCPUs` The minimum number of the CPU cores recommended for this image. + - Required: No - Type: int - Default: `1` -### Parameter: `name` - -Name of the image definition. -- Required: Yes -- Type: string - ### Parameter: `offer` The name of the gallery Image Definition offer. + - Required: No - Type: string - Default: `'WindowsServer'` @@ -196,6 +212,7 @@ The name of the gallery Image Definition offer. ### Parameter: `osState` This property allows the user to specify whether the virtual machines created under this image are 'Generalized' or 'Specialized'. + - Required: No - Type: string - Default: `'Generalized'` @@ -210,6 +227,7 @@ This property allows the user to specify whether the virtual machines created un ### Parameter: `osType` OS type of the image to be created. + - Required: No - Type: string - Default: `'Windows'` 
@@ -224,6 +242,7 @@ OS type of the image to be created. ### Parameter: `planName` The plan ID. + - Required: No - Type: string - Default: `''` @@ -231,6 +250,7 @@ The plan ID. ### Parameter: `planPublisherName` The publisher ID. + - Required: No - Type: string - Default: `''` @@ -238,6 +258,7 @@ The publisher ID. ### Parameter: `privacyStatementUri` The privacy statement uri. Has to be a valid URL. + - Required: No - Type: string - Default: `''` @@ -245,6 +266,7 @@ The privacy statement uri. Has to be a valid URL. ### Parameter: `productName` The product ID. + - Required: No - Type: string - Default: `''` @@ -252,6 +274,7 @@ The product ID. ### Parameter: `publisher` The name of the gallery Image Definition publisher. + - Required: No - Type: string - Default: `'MicrosoftWindowsServer'` @@ -259,6 +282,7 @@ The name of the gallery Image Definition publisher. ### Parameter: `releaseNoteUri` The release note uri. Has to be a valid URL. + - Required: No - Type: string - Default: `''` 
@@ -266,74 +290,96 @@ The release note uri. Has to be a valid URL. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securityType` The security type of the image. Requires a hyperVGeneration V2. 
+ - Required: No - Type: string - Default: `'Standard'` @@ -350,6 +396,7 @@ The security type of the image. Requires a hyperVGeneration V2. ### Parameter: `sku` The name of the gallery Image Definition SKU. + - Required: No - Type: string - Default: `'2019-Datacenter'` @@ -357,6 +404,7 @@ The name of the gallery Image Definition SKU. ### Parameter: `tags` Tags for all resources. + - Required: No - Type: object diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 8b7d4eb4db..dbfd145add 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -288,9 +288,31 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneResilient`](#parameter-zoneresilient) | bool | Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). | +### Parameter: `name` + +The name of the image. + +- Required: Yes +- Type: string + +### Parameter: `osDiskBlobUri` + +The Virtual Hard Disk. + +- Required: Yes +- Type: string + +### Parameter: `osType` + +This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. + +- Required: Yes +- Type: string + ### Parameter: `dataDisks` Specifies the parameters that are used to add a data disk to a virtual machine. + - Required: No - Type: array - Default: `[]` @@ -298,6 +320,7 @@ Specifies the parameters that are used to add a data disk to a virtual machine. ### Parameter: `diskEncryptionSetResourceId` Specifies the customer managed disk encryption set resource ID for the managed image disk. + - Required: No - Type: string - Default: `''` 
@@ -305,6 +328,7 @@ Specifies the customer managed disk encryption set resource ID for the managed i ### Parameter: `diskSizeGB` Specifies the size of empty data disks in gigabytes. This element can be used to overwrite the name of the disk in a virtual machine image. This value cannot be larger than 1023 GB. + - Required: No - Type: int - Default: `128` @@ -312,6 +336,7 @@ Specifies the size of empty data disks in gigabytes. This element can be used to ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -319,6 +344,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `extendedLocation` The extended location of the Image. + - Required: No - Type: object - Default: `{}` @@ -326,6 +352,7 @@ The extended location of the Image. ### Parameter: `hyperVGeneration` Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2. + - Required: No - Type: string - Default: `'V1'` @@ -333,6 +360,7 @@ Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -340,37 +368,29 @@ Location for all resources. ### Parameter: `managedDiskResourceId` The managedDisk. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the image. -- Required: Yes -- Type: string - ### Parameter: `osAccountType` Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. -- Required: Yes -- Type: string - -### Parameter: `osDiskBlobUri` -The Virtual Hard Disk. - Required: Yes - Type: string ### Parameter: `osDiskCaching` Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. + - Required: Yes - Type: string ### Parameter: `osState` The OS State. For managed images, use Generalized. + - Required: No - Type: string - Default: `'Generalized'` 
@@ -382,83 +402,99 @@ The OS State. For managed images, use Generalized. ] ``` -### Parameter: `osType` - -This property allows you to specify the type of the OS that is included in the disk if creating a VM from a custom image. - Windows or Linux. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `snapshotResourceId` The snapshot resource ID. + - Required: No - Type: string - Default: `''` @@ -466,6 +502,7 @@ The snapshot resource ID. ### Parameter: `sourceVirtualMachineResourceId` The source virtual machine from which Image is created. + - Required: No - Type: string - Default: `''` @@ -473,12 +510,14 @@ The source virtual machine from which Image is created. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneResilient` Default is false. Specifies whether an image is zone resilient or not. Zone resilient images can be created only in regions that provide Zone Redundant Storage (ZRS). + - Required: No - Type: bool - Default: `False` diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index b78e4a52f2..613055ce67 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md 
@@ -357,9 +357,17 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro | [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | | [`zones`](#parameter-zones) | array | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | +### Parameter: `name` + +The name of the proximity placement group that is being created. + +- Required: Yes +- Type: string + ### Parameter: `colocationStatus` Describes colocation status of the Proximity Placement Group. + - Required: No - Type: object - Default: `{}` @@ -367,6 +375,7 @@ Describes colocation status of the Proximity Placement Group. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -374,6 +383,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `intent` Specifies the user intent of the proximity placement group. + - Required: No - Type: object - Default: `{}` @@ -381,6 +391,7 @@ Specifies the user intent of the proximity placement group. ### Parameter: `location` Resource location. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -388,113 +399,139 @@ Resource location. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the proximity placement group that is being created. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. 
The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the proximity placement group resource. + - Required: No - Type: object ### Parameter: `type` Specifies the type of the proximity placement group. + - Required: No - Type: string - Default: `'Standard'` @@ -509,6 +546,7 @@ Specifies the type of the proximity placement group. ### Parameter: `zones` Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. + - Required: No - Type: array - Default: `[]` diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index 096bdf0a7f..509a83961d 100644 --- a/modules/compute/ssh-public-key/README.md 
+++ b/modules/compute/ssh-public-key/README.md @@ -206,9 +206,17 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | +### Parameter: `name` + +The name of the SSH public Key that is being created. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -216,6 +224,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Resource location. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -223,39 +232,43 @@ Resource location. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the SSH public Key that is being created. -- Required: Yes -- Type: string - ### Parameter: `publicKey` SSH public key used to authenticate to a virtual machine through SSH. If this property is not initially provided when the resource is created, the publicKey property will be populated when generateKeyPair is called. If the public key is provided upon resource creation, the provided public key needs to be at least 2048-bit and in ssh-rsa format. + - Required: No - Type: string - Default: `''` 
@@ -263,74 +276,96 @@ SSH public key used to authenticate to a virtual machine through SSH. If this pr ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the availability set resource. + - Required: No - Type: object 
diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 5e27d6d457..5479ba0268 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -29,13 +29,337 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine-scale-set:1.0.0`. -- [Linux](#example-1-linux) -- [Linux.Min](#example-2-linuxmin) -- [Linux.Ssecmk](#example-3-linuxssecmk) -- [Windows](#example-4-windows) -- [Windows.Min](#example-5-windowsmin) +- [Linux.Min](#example-1-linuxmin) +- [Linux.Ssecmk](#example-2-linuxssecmk) +- [Linux](#example-3-linux) +- [Windows.Min](#example-4-windowsmin) +- [Windows](#example-5-windows) -### Example 1: _Linux_ +### Example 1: _Linux.Min_ + +
+ +via Bicep module + +```bicep +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' + params: { + // Required parameters + adminUsername: 'scaleSetAdmin' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + name: 'cvmsslinmin001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + skuName: 'Standard_B12ms' + // Non-required parameters + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ + { + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "scaleSetAdmin" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "name": { + "value": "cvmsslinmin001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" + } + ] + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" + } + ] + } + } +} +``` + +
+

+ +### Example 2: _Linux.Ssecmk_ + +

+ +via Bicep module + +```bicep +module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' + params: { + // Required parameters + adminUsername: 'scaleSetAdmin' + imageReference: { + offer: '0001-com-ubuntu-server-jammy' + publisher: 'Canonical' + sku: '22_04-lts-gen2' + version: 'latest' + } + name: 'cvmsslcmk001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + diskEncryptionSet: { + id: '' + } + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + skuName: 'Standard_B12ms' + // Non-required parameters + dataDisks: [ + { + caching: 'ReadOnly' + createOption: 'Empty' + diskSizeGB: '128' + managedDisk: { + diskEncryptionSet: { + id: '' + } + storageAccountType: 'Premium_LRS' + } + } + ] + disablePasswordAuthentication: true + enableDefaultTelemetry: '' + location: '' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } + ] + publicKeys: [ + { + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "scaleSetAdmin" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-jammy", + "publisher": "Canonical", + "sku": "22_04-lts-gen2", + "version": "latest" + } + }, + "name": { + "value": "cvmsslcmk001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "dataDisks": { + "value": [ + { + "caching": "ReadOnly", + "createOption": "Empty", + "diskSizeGB": "128", + "managedDisk": { + "diskEncryptionSet": { + "id": "" + }, + "storageAccountType": "Premium_LRS" + } + } + ] + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" + } + ] + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 3: _Linux_

@@ -367,174 +691,37 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "path": "/home/scaleSetAdmin/.ssh/authorized_keys" } ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "scaleSetFaultDomain": { - "value": 1 - }, - "skuCapacity": { - "value": 1 - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "vmNamePrefix": { - "value": "vmsslinvm" - }, - "vmPriority": { - "value": "Regular" - } - } -} -``` - -
-

- -### Example 2: _Linux.Min_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslinmin' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - name: 'cvmsslinmin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "name": { - "value": "cvmsslinmin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scaleSetFaultDomain": { + "value": 1 + }, + "skuCapacity": { + "value": 1 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "upgradePolicyMode": { + "value": "Manual" + }, + "vmNamePrefix": { + "value": "vmsslinvm" + }, + "vmPriority": { + "value": "Regular" } } } @@ -543,7 +730,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se

-### Example 3: _Linux.Ssecmk_ +### Example 4: _Windows.Min_

@@ -551,46 +738,29 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se ```bicep module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsslcmk' + name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' params: { // Required parameters - adminUsername: 'scaleSetAdmin' + adminUsername: 'localAdminUser' imageReference: { - offer: '0001-com-ubuntu-server-jammy' - publisher: 'Canonical' - sku: '22_04-lts-gen2' + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2022-datacenter-azure-edition' version: 'latest' } - name: 'cvmsslcmk001' + name: 'cvmsswinmin001' osDisk: { createOption: 'fromImage' diskSizeGB: '128' managedDisk: { - diskEncryptionSet: { - id: '' - } storageAccountType: 'Premium_LRS' } } - osType: 'Linux' + osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - dataDisks: [ - { - caching: 'ReadOnly' - createOption: 'Empty' - diskSizeGB: '128' - managedDisk: { - diskEncryptionSet: { - id: '' - } - storageAccountType: 'Premium_LRS' - } - } - ] - disablePasswordAuthentication: true + adminPassword: '' enableDefaultTelemetry: '' - location: '' nicConfigurations: [ { ipConfigurations: [ @@ -606,17 +776,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se nicSuffix: '-nic01' } ] - publicKeys: [ - { - keyData: '' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` 
@@ -635,62 +794,41 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "parameters": { // Required parameters "adminUsername": { - "value": "scaleSetAdmin" + "value": "localAdminUser" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2022-datacenter-azure-edition", "version": "latest" } }, "name": { - "value": "cvmsslcmk001" + "value": "cvmsswinmin001" }, "osDisk": { "value": { "createOption": "fromImage", "diskSizeGB": "128", "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, "storageAccountType": "Premium_LRS" } } }, "osType": { - "value": "Linux" + "value": "Windows" }, "skuName": { "value": "Standard_B12ms" }, // Non-required parameters - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "diskEncryptionSet": { - "id": "" - }, - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "disablePasswordAuthentication": { - "value": true + "adminPassword": { + "value": "" }, "enableDefaultTelemetry": { "value": "" }, - "location": { - "value": "" - }, "nicConfigurations": { "value": [ { @@ -707,21 +845,6 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se "nicSuffix": "-nic01" } ] - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -730,7 +853,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se

-### Example 4: _Windows_ +### Example 5: _Windows_

@@ -1068,136 +1191,13 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se } }, "upgradePolicyMode": { - "value": "Manual" - }, - "vmNamePrefix": { - "value": "vmsswinvm" - }, - "vmPriority": { - "value": "Regular" - } - } -} -``` - -
-

- -### Example 5: _Windows.Min_ - -

- -via Bicep module - -```bicep -module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-set:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmsswinmin' - params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - name: 'cvmsswinmin001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - skuName: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - enableDefaultTelemetry: '' - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "name": { - "value": "cvmsswinmin001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] + "value": "Manual" + }, + "vmNamePrefix": { + "value": "vmsswinvm" + }, + "vmPriority": { + "value": "Regular" } } } 
@@ -1293,9 +1293,67 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | +### Parameter: `adminUsername` + +Administrator username. + +- Required: Yes +- Type: securestring + +### Parameter: `imageReference` + +OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. + +- Required: Yes +- Type: object + +### Parameter: `name` + +Name of the VMSS. + +- Required: Yes +- Type: string + +### Parameter: `nicConfigurations` + +Configures NICs and PIPs. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `osDisk` + +Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + +- Required: Yes +- Type: object + +### Parameter: `osType` + +The chosen OS type. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` + +### Parameter: `skuName` + +The SKU size of the VMs. + +- Required: Yes +- Type: string + ### Parameter: `additionalUnattendContent` Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. + - Required: No - Type: array - Default: `[]` 
@@ -1303,19 +1361,15 @@ Specifies additional base-64 encoded XML formatted information that can be inclu ### Parameter: `adminPassword` When specifying a Windows Virtual Machine, this value should be passed. + - Required: No - Type: securestring - Default: `''` -### Parameter: `adminUsername` - -Administrator username. -- Required: Yes -- Type: securestring - ### Parameter: `automaticRepairsPolicyEnabled` Specifies whether automatic repairs should be enabled on the virtual machine scale set. + - Required: No - Type: bool - Default: `False` @@ -1323,20 +1377,15 @@ Specifies whether automatic repairs should be enabled on the virtual machine sca ### Parameter: `availabilityZones` The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. + - Required: No - Type: array - Default: `[]` -### Parameter: `baseTime` - -Do not provide a value! This date value is used to generate a registration token. -- Required: No -- Type: string -- Default: `[utcNow('u')]` - ### Parameter: `bootDiagnosticStorageAccountName` Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. + - Required: No - Type: string - Default: `''` @@ -1344,6 +1393,7 @@ Storage account used to store boot diagnostic information. Boot diagnostics will ### Parameter: `bootDiagnosticStorageAccountUri` Storage account boot diagnostic base URI. + - Required: No - Type: string - Default: `[format('.blob.{0}/', environment().suffixes.storage)]` @@ -1351,6 +1401,7 @@ Storage account boot diagnostic base URI. ### Parameter: `customData` Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. + - Required: No - Type: string - Default: `''` 
@@ -1358,6 +1409,7 @@ Custom data associated to the VM, this value will be automatically converted int ### Parameter: `dataDisks` Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. + - Required: No - Type: array - Default: `[]` 
@@ -1365,86 +1417,82 @@ Specifies the data disks. For security reasons, it is recommended to specify Dis ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1452,6 +1500,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableAutomaticRollback` Whether OS image rollback feature should be disabled. + - Required: No - Type: bool - Default: `False` @@ -1459,6 +1508,7 @@ Whether OS image rollback feature should be disabled. ### Parameter: `disablePasswordAuthentication` Specifies whether password authentication should be disabled. + - Required: No - Type: bool - Default: `False` @@ -1466,6 +1516,7 @@ Specifies whether password authentication should be disabled. ### Parameter: `doNotRunExtensionsOnOverprovisionedVMs` When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept. This property will hence ensure that the extensions do not run on the extra overprovisioned VMs. + - Required: No - Type: bool - Default: `False` 
@@ -1473,6 +1524,7 @@ When Overprovision is enabled, extensions are launched only on the requested num ### Parameter: `enableAutomaticOSUpgrade` Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. + - Required: No - Type: bool - Default: `False` @@ -1480,6 +1532,7 @@ Indicates whether OS upgrades should automatically be applied to scale set insta ### Parameter: `enableAutomaticUpdates` Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. + - Required: No - Type: bool - Default: `True` @@ -1487,6 +1540,7 @@ Indicates whether Automatic Updates is enabled for the Windows virtual machine. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1494,6 +1548,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableEvictionPolicy` Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. + - Required: No - Type: bool - Default: `False` 
@@ -1501,6 +1556,7 @@ Specifies the eviction policy for the low priority virtual machine. Will result ### Parameter: `encryptionAtHost` This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machine scale sets. + - Required: No - Type: bool - Default: `True` @@ -1508,6 +1564,7 @@ This property can be used by user in the request to enable or disable the Host E ### Parameter: `extensionAntiMalwareConfig` The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -1520,6 +1577,7 @@ The configuration for the [Anti Malware] extension. Must at least contain the [" ### Parameter: `extensionAzureDiskEncryptionConfig` The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. + - Required: No - Type: object - Default: @@ -1532,6 +1590,7 @@ The configuration for the [Azure Disk Encryption] extension. Must at least conta ### Parameter: `extensionCustomScriptConfig` The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: 
@@ -1545,6 +1604,7 @@ The configuration for the [Custom Script] extension. Must at least contain the [ ### Parameter: `extensionDependencyAgentConfig` The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -1557,6 +1617,7 @@ The configuration for the [Dependency Agent] extension. Must at least contain th ### Parameter: `extensionDomainJoinConfig` The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -1569,6 +1630,7 @@ The configuration for the [Domain Join] extension. Must at least contain the ["e ### Parameter: `extensionDomainJoinPassword` Required if name is specified. Password of the user specified in user parameter. + - Required: No - Type: securestring - Default: `''` @@ -1576,6 +1638,7 @@ Required if name is specified. Password of the user specified in user parameter. ### Parameter: `extensionDSCConfig` The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -1588,6 +1651,7 @@ The configuration for the [Desired State Configuration] extension. Must at least ### Parameter: `extensionMonitoringAgentConfig` The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -1600,6 +1664,7 @@ The configuration for the [Monitoring Agent] extension. Must at least contain th ### Parameter: `extensionNetworkWatcherAgentConfig` The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: 
@@ -1612,19 +1677,15 @@ The configuration for the [Network Watcher Agent] extension. Must at least conta ### Parameter: `gracePeriod` The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). + - Required: No - Type: string - Default: `'PT30M'` -### Parameter: `imageReference` - -OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. -- Required: Yes -- Type: object - ### Parameter: `licenseType` Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. + - Required: No - Type: string - Default: `''` @@ -1640,6 +1701,7 @@ Specifies that the image or disk that is being used was licensed on-premises. Th ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1647,26 +1709,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1674,25 +1745,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1700,6 +1773,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `maxBatchInstancePercent` The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. + - Required: No - Type: int - Default: `20` 
@@ -1707,6 +1781,7 @@ The maximum percent of total virtual machine instances that will be upgraded sim ### Parameter: `maxPriceForLowPriorityVm` Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. + - Required: No - Type: string - Default: `''` @@ -1714,6 +1789,7 @@ Specifies the maximum price you are willing to pay for a low priority VM/VMSS. T ### Parameter: `maxUnhealthyInstancePercent` The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. + - Required: No - Type: int - Default: `20` @@ -1721,6 +1797,7 @@ The maximum percentage of the total virtual machine instances in the scale set t ### Parameter: `maxUnhealthyUpgradedInstancePercent` The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. + - Required: No - Type: int - Default: `20` 
@@ -1728,45 +1805,15 @@ The maximum percentage of the total virtual machine instances in the scale set t ### Parameter: `monitoringWorkspaceId` Resource ID of the monitoring log analytics workspace. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `name` - -Name of the VMSS. -- Required: Yes -- Type: string - -### Parameter: `nicConfigurations` -Configures NICs and PIPs. - Required: No -- Type: array -- Default: `[]` - -### Parameter: `osDisk` - -Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VM Scale sets. -- Required: Yes -- Type: object - -### Parameter: `osType` - -The chosen OS type. -- Required: Yes - Type: string -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` +- Default: `''` ### Parameter: `overprovision` Specifies whether the Virtual Machine Scale Set should be overprovisioned. + - Required: No - Type: bool - Default: `False` @@ -1774,6 +1821,7 @@ Specifies whether the Virtual Machine Scale Set should be overprovisioned. ### Parameter: `pauseTimeBetweenBatches` The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format. + - Required: No - Type: string - Default: `'PT0S'` @@ -1781,6 +1829,7 @@ The wait time between completing the update for all virtual machines in one batc ### Parameter: `plan` Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. + - Required: No - Type: object - Default: `{}` 
@@ -1788,6 +1837,7 @@ Specifies information about the marketplace image used to create the virtual mac ### Parameter: `provisionVMAgent` Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. + - Required: No - Type: bool - Default: `True` @@ -1795,6 +1845,7 @@ Indicates whether virtual machine agent should be provisioned on the virtual mac ### Parameter: `proximityPlacementGroupResourceId` Resource ID of a proximity placement group. + - Required: No - Type: string - Default: `''` @@ -1802,6 +1853,7 @@ Resource ID of a proximity placement group. ### Parameter: `publicKeys` The list of SSH public keys used to authenticate with linux based VMs. + - Required: No - Type: array - Default: `[]` 
@@ -1809,74 +1861,96 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sasTokenValidityLength` SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. + - Required: No - Type: string - Default: `'PT8H'` @@ -1884,6 +1958,7 @@ SAS token validity length to use to download files from storage accounts. Usage: ### Parameter: `scaleInPolicy` Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. + - Required: No - Type: object - Default: @@ -1898,6 +1973,7 @@ Specifies the scale-in policy that decides which virtual machines are chosen for ### Parameter: `scaleSetFaultDomain` Fault Domain count for each placement group. + - Required: No - Type: int - Default: `2` @@ -1905,6 +1981,7 @@ Fault Domain count for each placement group. ### Parameter: `scheduledEventsProfile` Specifies Scheduled Event related configurations. + - Required: No - Type: object - Default: `{}` @@ -1912,6 +1989,7 @@ Specifies Scheduled Event related configurations. ### Parameter: `secrets` Specifies set of certificates that should be installed onto the virtual machines in the scale set. + - Required: No - Type: array - Default: `[]` @@ -1919,6 +1997,7 @@ Specifies set of certificates that should be installed onto the virtual machines ### Parameter: `secureBootEnabled` Specifies whether secure boot should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. + - Required: No - Type: bool - Default: `False` 
@@ -1926,6 +2005,7 @@ Specifies whether secure boot should be enabled on the virtual machine scale set ### Parameter: `securityType` Specifies the SecurityType of the virtual machine scale set. It is set as TrustedLaunch to enable UefiSettings. + - Required: No - Type: string - Default: `''` @@ -1933,6 +2013,7 @@ Specifies the SecurityType of the virtual machine scale set. It is set as Truste ### Parameter: `singlePlacementGroup` When true this limits the scale set to a single placement group, of max size 100 virtual machines. NOTE: If singlePlacementGroup is true, it may be modified to false. However, if singlePlacementGroup is false, it may not be modified to true. + - Required: No - Type: bool - Default: `True` @@ -1940,25 +2021,22 @@ When true this limits the scale set to a single placement group, of max size 100 ### Parameter: `skuCapacity` The initial instance count of scale set VMs. + - Required: No - Type: int - Default: `1` -### Parameter: `skuName` - -The SKU size of the VMs. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `timeZone` Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. + - Required: No - Type: string - Default: `''` @@ -1966,6 +2044,7 @@ Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Po ### Parameter: `ultraSSDEnabled` The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. + - Required: No - Type: bool - Default: `False` 
@@ -1973,6 +2052,7 @@ The flag that enables or disables a capability to have one or more managed data ### Parameter: `upgradePolicyMode` Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling. + - Required: No - Type: string - Default: `'Manual'` @@ -1988,6 +2068,7 @@ Specifies the mode of an upgrade to virtual machines in the scale set.' Manual - ### Parameter: `vmNamePrefix` Specifies the computer name prefix for all of the virtual machines in the scale set. + - Required: No - Type: string - Default: `'vmssvm'` @@ -1995,6 +2076,7 @@ Specifies the computer name prefix for all of the virtual machines in the scale ### Parameter: `vmPriority` Specifies the priority for the virtual machine. + - Required: No - Type: string - Default: `'Regular'` @@ -2010,6 +2092,7 @@ Specifies the priority for the virtual machine. ### Parameter: `vTpmEnabled` Specifies whether vTPM should be enabled on the virtual machine scale set. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. + - Required: No - Type: bool - Default: `False` @@ -2017,6 +2100,7 @@ Specifies whether vTPM should be enabled on the virtual machine scale set. This ### Parameter: `winRM` Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. + - Required: No - Type: object - Default: `{}` 
@@ -2024,10 +2108,19 @@ Specifies the Windows Remote Management listeners. This enables remote Windows P ### Parameter: `zoneBalance` Whether to force strictly even Virtual Machine distribution cross x-zones in case there is zone outage. + - Required: No - Type: bool - Default: `False` +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a registration token. + +- Required: No +- Type: string +- Default: `[utcNow('u')]` + ## Outputs diff --git a/modules/compute/virtual-machine-scale-set/extension/README.md b/modules/compute/virtual-machine-scale-set/extension/README.md index 468af0d8f6..9053bdd926 100644 --- a/modules/compute/virtual-machine-scale-set/extension/README.md +++ b/modules/compute/virtual-machine-scale-set/extension/README.md 
@@ -47,18 +47,56 @@ This module deploys a Virtual Machine Scale Set Extension. ### Parameter: `autoUpgradeMinorVersion` Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. + - Required: Yes - Type: bool ### Parameter: `enableAutomaticUpgrade` Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. + - Required: Yes - Type: bool +### Parameter: `name` + +The name of the virtual machine scale set extension. + +- Required: Yes +- Type: string + +### Parameter: `publisher` + +The name of the extension handler publisher. + +- Required: Yes +- Type: string + +### Parameter: `type` + +Specifies the type of the extension; an example is "CustomScriptExtension". + +- Required: Yes +- Type: string + +### Parameter: `typeHandlerVersion` + +Specifies the version of the script handler. + +- Required: Yes +- Type: string + +### Parameter: `virtualMachineScaleSetName` + +The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -66,32 +104,23 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `forceUpdateTag` How the extension handler should be forced to update even if the extension configuration has not changed. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the virtual machine scale set extension. -- Required: Yes -- Type: string - ### Parameter: `protectedSettings` Any object that contains the extension specific protected settings. + - Required: No - Type: secureObject - Default: `{}` -### Parameter: `publisher` - -The name of the extension handler publisher. -- Required: Yes -- Type: string - ### Parameter: `settings` Any object that contains the extension specific settings. + - Required: No - Type: object - Default: `{}` @@ -99,28 +128,11 @@ Any object that contains the extension specific settings. ### Parameter: `supressFailures` Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. + - Required: No - Type: bool - Default: `False` -### Parameter: `type` - -Specifies the type of the extension; an example is "CustomScriptExtension". -- Required: Yes -- Type: string - -### Parameter: `typeHandlerVersion` - -Specifies the version of the script handler. -- Required: Yes -- Type: string - -### Parameter: `virtualMachineScaleSetName` - -The name of the parent virtual machine scale set that extension is provisioned for. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index 3f0e0fce12..b92ce4549a 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md 
@@ -33,15 +33,15 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.virtual-machine:1.0.0`. -- [Linux](#example-1-linux) -- [Linux.Atmg](#example-2-linuxatmg) -- [Linux.Min](#example-3-linuxmin) -- [Windows](#example-4-windows) -- [Windows.Atmg](#example-5-windowsatmg) -- [Windows.Min](#example-6-windowsmin) -- [Windows.Ssecmk](#example-7-windowsssecmk) +- [Linux.Atmg](#example-1-linuxatmg) +- [Linux.Min](#example-2-linuxmin) +- [Linux](#example-3-linux) +- [Windows.Atmg](#example-4-windowsatmg) +- [Windows.Min](#example-5-windowsmin) +- [Windows.Ssecmk](#example-6-windowsssecmk) +- [Windows](#example-7-windows) -### Example 1: _Linux_ +### Example 1: _Linux.Atmg_
@@ -49,69 +49,28 @@ The following section provides usage examples for the module, which were used to ```bicep module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlincom' + name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg' params: { // Required parameters - adminUsername: 'localAdministrator' + adminUsername: 'localAdminUser' imageReference: { - offer: '0001-com-ubuntu-server-focal' + offer: '0001-com-ubuntu-server-jammy' publisher: 'Canonical' - sku: '' + sku: '22_04-lts-gen2' version: 'latest' } nicConfigurations: [ { - deleteOption: 'Delete' - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] ipConfigurations: [ { - applicationSecurityGroups: [ - { - id: '' - } - ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] name: 'ipconfig01' pipConfiguration: { publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } subnetResourceId: '' zones: [ 
@@ -122,19 +81,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] nicSuffix: '-nic-01' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } ] osDisk: { - caching: 'ReadOnly' - createOption: 'fromImage' - deleteOption: 'Delete' diskSizeGB: '128' managedDisk: { storageAccountType: 'Premium_LRS' 
@@ -143,145 +97,15 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { osType: 'Linux' vmSize: 'Standard_DS2_v2' // Non-required parameters - availabilityZone: 1 - backupPolicyName: '' - backupVaultName: '' - backupVaultResourceGroup: '' - computerName: 'linvm1' - dataDisks: [ - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] + configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' disablePasswordAuthentication: true - enableAutomaticUpdates: true enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAadJoinConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionCustomScriptProtectedSetting: { - commandToExecute: '' - } - extensionDependencyAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionDSCConfig: { - enabled: false - tags: { - 
Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionMonitoringAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } - extensionNetworkWatcherAgentConfig: { - enabled: true - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - managedIdentities: { - systemAssigned: true - userAssignedResourceIds: [ - '' - ] - } - monitoringWorkspaceId: '' - name: 'cvmlincom' - patchMode: 'AutomaticByPlatform' + name: 'cvmlinatmg' publicKeys: [ { keyData: '' - path: '/home/localAdministrator/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' + path: '/home/localAdminUser/.ssh/authorized_keys' } ] tags: { 
@@ -307,70 +131,29 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "parameters": { // Required parameters "adminUsername": { - "value": "localAdministrator" + "value": "localAdminUser" }, "imageReference": { "value": { - "offer": "0001-com-ubuntu-server-focal", + "offer": "0001-com-ubuntu-server-jammy", "publisher": "Canonical", - "sku": "", + "sku": "22_04-lts-gen2", "version": "latest" } }, "nicConfigurations": { "value": [ { - "deleteOption": "Delete", - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], "ipConfigurations": [ { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "diagnosticSettings": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" - } - ], "name": "ipconfig01", "pipConfiguration": { "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } }, "subnetResourceId": "", "zones": [ 
@@ -381,21 +164,16 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ], "nicSuffix": "-nic-01", - "roleAssignments": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } } ] }, "osDisk": { "value": { - "caching": "ReadOnly", - "createOption": "fromImage", - "deleteOption": "Delete", "diskSizeGB": "128", "managedDisk": { "storageAccountType": "Premium_LRS" 
@@ -409,196 +187,26 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "Standard_DS2_v2" }, // Non-required parameters - "availabilityZone": { - "value": 1 - }, - "backupPolicyName": { - "value": "" - }, - "backupVaultName": { - "value": "" - }, - "backupVaultResourceGroup": { - "value": "" - }, - "computerName": { - "value": "linvm1" - }, - "dataDisks": { - "value": [ - { - "caching": "ReadWrite", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "ReadWrite", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - ] + "configurationProfile": { + "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" }, "disablePasswordAuthentication": { "value": true }, - "enableAutomaticUpdates": { - "value": true - }, "enableDefaultTelemetry": { "value": "" }, - "encryptionAtHost": { - "value": false - }, - "extensionAadJoinConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" - }, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" - } - ], - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": 
"DeploymentValidation" - } - } - }, - "extensionCustomScriptProtectedSetting": { - "value": { - "commandToExecute": "" - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionDSCConfig": { - "value": { - "enabled": false, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, "location": { "value": "" }, - "lock": { - "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" - } - }, - "managedIdentities": { - "value": { - "systemAssigned": true, - "userAssignedResourceIds": [ - "" - ] - } - }, - "monitoringWorkspaceId": { - "value": "" - }, "name": { - "value": "cvmlincom" - }, - "patchMode": { - "value": "AutomaticByPlatform" + "value": "cvmlinatmg" }, "publicKeys": { "value": [ { "keyData": "", - "path": "/home/localAdministrator/.ssh/authorized_keys" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" + "path": "/home/localAdminUser/.ssh/authorized_keys" } ] }, 
@@ -616,7 +224,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {

-### Example 2: _Linux.Atmg_ +### Example 2: _Linux.Min_

@@ -624,7 +232,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { ```bicep module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinatmg' + name: '${uniqueString(deployment().name, location)}-test-cvmlinmin' params: { // Required parameters adminUsername: 'localAdminUser' @@ -641,26 +249,11 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { name: 'ipconfig01' pipConfiguration: { publicIpNameSuffix: '-pip-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } subnetResourceId: '' - zones: [ - '1' - '2' - '3' - ] } ] nicSuffix: '-nic-01' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } ] osDisk: { @@ -672,22 +265,16 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { osType: 'Linux' vmSize: 'Standard_DS2_v2' // Non-required parameters - configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' disablePasswordAuthentication: true enableDefaultTelemetry: '' location: '' - name: 'cvmlinatmg' + name: 'cvmlinmin' publicKeys: [ { keyData: '' path: '/home/localAdminUser/.ssh/authorized_keys' } ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` 
@@ -723,27 +310,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { "name": "ipconfig01", "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + "publicIpNameSuffix": "-pip-01" }, - "subnetResourceId": "", - "zones": [ - "1", - "2", - "3" - ] + "subnetResourceId": "" } ], - "nicSuffix": "-nic-01", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + "nicSuffix": "-nic-01" } ] }, @@ -762,9 +334,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "Standard_DS2_v2" }, // Non-required parameters - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - }, "disablePasswordAuthentication": { "value": true }, @@ -775,7 +344,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "" }, "name": { - "value": "cvmlinatmg" + "value": "cvmlinmin" }, "publicKeys": { "value": [ @@ -784,13 +353,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "path": "/home/localAdminUser/.ssh/authorized_keys" } ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -799,7 +361,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {

-### Example 3: _Linux.Min_ +### Example 3: _Linux_

@@ -807,151 +369,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { ```bicep module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmlinmin' + name: '${uniqueString(deployment().name, location)}-test-cvmlincom' params: { // Required parameters - adminUsername: 'localAdminUser' + adminUsername: 'localAdministrator' imageReference: { - offer: '0001-com-ubuntu-server-jammy' + offer: '0001-com-ubuntu-server-focal' publisher: 'Canonical' - sku: '22_04-lts-gen2' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - } - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' - } - ] - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - vmSize: 'Standard_DS2_v2' - // Non-required parameters - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - location: '' - name: 'cvmlinmin' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-jammy", - "publisher": "Canonical", - "sku": "22_04-lts-gen2", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01" - }, - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01" - } - ] - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "vmSize": { - "value": "Standard_DS2_v2" - }, - // Non-required parameters - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmlinmin" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] - } - } -} -``` - -
-

- -### Example 4: _Windows_ - -

- -via Bicep module - -```bicep -module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-cvmwincom' - params: { - // Required parameters - adminUsername: 'VMAdmin' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2019-datacenter' + sku: '' version: 'latest' } nicConfigurations: [ @@ -1027,7 +452,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] osDisk: { - caching: 'None' + caching: 'ReadOnly' createOption: 'fromImage' deleteOption: 'Delete' diskSizeGB: '128' @@ -1035,18 +460,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { storageAccountType: 'Premium_LRS' } } - osType: 'Windows' + osType: 'Linux' vmSize: 'Standard_DS2_v2' // Non-required parameters - adminPassword: '' - availabilityZone: 2 + availabilityZone: 1 backupPolicyName: '' backupVaultName: '' backupVaultResourceGroup: '' - computerName: 'winvm1' + computerName: 'linvm1' dataDisks: [ { - caching: 'None' + caching: 'ReadWrite' createOption: 'Empty' deleteOption: 'Delete' diskSizeGB: '128' @@ -1055,7 +479,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } { - caching: 'None' + caching: 'ReadWrite' createOption: 'Empty' deleteOption: 'Delete' diskSizeGB: '128' @@ -1064,6 +488,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } ] + disablePasswordAuthentication: true enableAutomaticUpdates: true enableDefaultTelemetry: '' encryptionAtHost: false 
@@ -1075,29 +500,6 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { Role: 'DeploymentValidation' } } - extensionAntiMalwareConfig: { - enabled: true - settings: { - AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } - } extensionAzureDiskEncryptionConfig: { enabled: true settings: { @@ -1108,13 +510,13 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { KeyVaultResourceId: '' KeyVaultURL: '' ResizeOSDisk: 'false' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } VolumeType: 'All' } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } } extensionCustomScriptConfig: { enabled: true @@ -1142,7 +544,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } extensionDSCConfig: { - enabled: true + enabled: false tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -1177,9 +579,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { ] } monitoringWorkspaceId: '' - name: 'cvmwincom' + name: 'cvmlincom' patchMode: 'AutomaticByPlatform' - proximityPlacementGroupResourceId: '' + publicKeys: [ + { + keyData: '' + path: '/home/localAdministrator/.ssh/authorized_keys' + } + ] roleAssignments: [ { principalId: '' 
@@ -1220,13 +627,13 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "parameters": { // Required parameters "adminUsername": { - "value": "VMAdmin" + "value": "localAdministrator" }, "imageReference": { "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2019-datacenter", + "offer": "0001-com-ubuntu-server-focal", + "publisher": "Canonical", + "sku": "", "version": "latest" } }, @@ -1306,7 +713,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { }, "osDisk": { "value": { - "caching": "None", + "caching": "ReadOnly", "createOption": "fromImage", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1316,17 +723,14 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } }, "osType": { - "value": "Windows" + "value": "Linux" }, "vmSize": { "value": "Standard_DS2_v2" }, // Non-required parameters - "adminPassword": { - "value": "" - }, "availabilityZone": { - "value": 2 + "value": 1 }, "backupPolicyName": { "value": "" @@ -1338,12 +742,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "" }, "computerName": { - "value": "winvm1" + "value": "linvm1" }, "dataDisks": { "value": [ { - "caching": "None", + "caching": "ReadWrite", "createOption": "Empty", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1352,7 +756,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } }, { - "caching": "None", + "caching": "ReadWrite", "createOption": "Empty", "deleteOption": "Delete", "diskSizeGB": "128", @@ -1362,6 +766,9 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, + "disablePasswordAuthentication": { + "value": true + }, "enableAutomaticUpdates": { "value": true }, 
@@ -1381,32 +788,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } } }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": "true", - "Exclusions": { - "Extensions": ".ext1;.ext2", - "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", - "Processes": "excludedproc1.exe;excludedproc2.exe" - }, - "RealtimeProtectionEnabled": "true", - "ScheduledScanSettings": { - "day": "7", - "isEnabled": "true", - "scanType": "Quick", - "time": "120" - } - }, - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } - } - }, - "extensionAzureDiskEncryptionConfig": { + "extensionAzureDiskEncryptionConfig": { "value": { "enabled": true, "settings": { @@ -1417,12 +799,12 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "KeyVaultResourceId": "", "KeyVaultURL": "", "ResizeOSDisk": "false", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - }, "VolumeType": "All" + }, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" } } }, @@ -1459,7 +841,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { }, "extensionDSCConfig": { "value": { - "enabled": true, + "enabled": false, "tags": { "Environment": "Non-Prod", "hidden-title": "This is visible in the resource name", @@ -1508,13 +890,18 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { "value": "" }, "name": { - "value": "cvmwincom" + "value": "cvmlincom" }, "patchMode": { "value": "AutomaticByPlatform" }, - "proximityPlacementGroupResourceId": { - "value": "" + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/localAdministrator/.ssh/authorized_keys" + } + ] }, "roleAssignments": { "value": [ 
@@ -1549,7 +936,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {

-### Example 5: _Windows.Atmg_ +### Example 4: _Windows.Atmg_

@@ -1682,7 +1069,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {

-### Example 6: _Windows.Min_ +### Example 5: _Windows.Min_

@@ -1799,7 +1186,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = {

-### Example 7: _Windows.Ssecmk_ +### Example 6: _Windows.Ssecmk_

@@ -1935,15 +1322,628 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { } ] }, - "enableDefaultTelemetry": { - "value": "" - }, - "location": { - "value": "" - }, - "name": { - "value": "cvmwincmk" - }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "name": { + "value": "cvmwincmk" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +### Example 7: _Windows_ + +

+ +via Bicep module + +```bicep +module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cvmwincom' + params: { + // Required parameters + adminUsername: 'VMAdmin' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2019-datacenter' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + subnetResourceId: '' + zones: [ + '1' + '2' + '3' + ] + } + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + osDisk: { + caching: 'None' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_DS2_v2' + // Non-required parameters + adminPassword: '' + availabilityZone: 2 + backupPolicyName: '' + backupVaultName: '' + backupVaultResourceGroup: '' + computerName: 'winvm1' + dataDisks: [ + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + 
} + } + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + enableAutomaticUpdates: true + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAadJoinConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: 'true' + Exclusions: { + Extensions: '.ext1;.ext2' + Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' + Processes: 'excludedproc1.exe;excludedproc2.exe' + } + RealtimeProtectionEnabled: 'true' + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + VolumeType: 'All' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: '' + uri: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionCustomScriptProtectedSetting: { + commandToExecute: '' + } + extensionDependencyAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionDSCConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 
'DeploymentValidation' + } + } + extensionMonitoringAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + extensionNetworkWatcherAgentConfig: { + enabled: true + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourceIds: [ + '' + ] + } + monitoringWorkspaceId: '' + name: 'cvmwincom' + patchMode: 'AutomaticByPlatform' + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "VMAdmin" + }, + "imageReference": { + "value": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2019-datacenter", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ + { + "deleteOption": "Delete", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "ipConfigurations": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subnetResourceId": "", + "zones": [ + "1", + "2", + "3" + ] + } + ], + "nicSuffix": "-nic-01", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "osDisk": { + "value": { + "caching": "None", + "createOption": "fromImage", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Windows" + }, + "vmSize": { + "value": "Standard_DS2_v2" + }, + // Non-required parameters + "adminPassword": { + "value": "" + }, + 
"availabilityZone": { + "value": 2 + }, + "backupPolicyName": { + "value": "" + }, + "backupVaultName": { + "value": "" + }, + "backupVaultResourceGroup": { + "value": "" + }, + "computerName": { + "value": "winvm1" + }, + "dataDisks": { + "value": [ + { + "caching": "None", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "None", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + ] + }, + "enableAutomaticUpdates": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionAtHost": { + "value": false + }, + "extensionAadJoinConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": "true", + "Exclusions": { + "Extensions": ".ext1;.ext2", + "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", + "Processes": "excludedproc1.exe;excludedproc2.exe" + }, + "RealtimeProtectionEnabled": "true", + "ScheduledScanSettings": { + "day": "7", + "isEnabled": "true", + "scanType": "Quick", + "time": "120" + } + }, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionAzureDiskEncryptionConfig": { + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KekVaultResourceId": "", + "KeyEncryptionAlgorithm": "RSA-OAEP", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", + "ResizeOSDisk": "false", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + }, + "VolumeType": "All" + } + } + 
}, + "extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + { + "storageAccountId": "", + "uri": "" + } + ], + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionCustomScriptProtectedSetting": { + "value": { + "commandToExecute": "" + } + }, + "extensionDependencyAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionDSCConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionMonitoringAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "extensionNetworkWatcherAgentConfig": { + "value": { + "enabled": true, + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourceIds": [ + "" + ] + } + }, + "monitoringWorkspaceId": { + "value": "" + }, + "name": { + "value": "cvmwincom" + }, + "patchMode": { + "value": "AutomaticByPlatform" + }, + "proximityPlacementGroupResourceId": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": 
"ServicePrincipal", + "roleDefinitionIdOrName": "" + } + ] + }, "tags": { "value": { "Environment": "Non-Prod", @@ -2039,9 +2039,75 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | +### Parameter: `adminUsername` + +Administrator username. + +- Required: Yes +- Type: securestring + +### Parameter: `configurationProfile` + +The configuration profile of automanage. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + ] + ``` + +### Parameter: `imageReference` + +OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. + +- Required: Yes +- Type: object + +### Parameter: `nicConfigurations` + +Configures NICs and PIPs. + +- Required: Yes +- Type: array + +### Parameter: `osDisk` + +Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + +- Required: Yes +- Type: object + +### Parameter: `osType` + +The chosen OS type. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Linux' + 'Windows' + ] + ``` + +### Parameter: `vmSize` + +Specifies the size for the VMs. + +- Required: Yes +- Type: string + ### Parameter: `additionalUnattendContent` Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. + - Required: No - Type: array - Default: `[]` 
@@ -2049,19 +2115,15 @@ Specifies additional base-64 encoded XML formatted information that can be inclu ### Parameter: `adminPassword` When specifying a Windows Virtual Machine, this value should be passed. + - Required: No - Type: securestring - Default: `''` -### Parameter: `adminUsername` - -Administrator username. -- Required: Yes -- Type: securestring - ### Parameter: `allowExtensionOperations` Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. + - Required: No - Type: bool - Default: `True` @@ -2069,6 +2131,7 @@ Specifies whether extension operations should be allowed on the virtual machine. ### Parameter: `availabilitySetResourceId` Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. + - Required: No - Type: string - Default: `''` @@ -2076,6 +2139,7 @@ Resource ID of an availability set. Cannot be used in combination with availabil ### Parameter: `availabilityZone` If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. + - Required: No - Type: int - Default: `0` @@ -2092,6 +2156,7 @@ If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that valu ### Parameter: `backupPolicyName` Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. + - Required: No - Type: string - Default: `'DefaultPolicy'` @@ -2099,6 +2164,7 @@ Backup policy the VMs should be using for backup. If not provided, it will use t ### Parameter: `backupVaultName` Recovery service vault name to add VMs to backup. + - Required: No - Type: string - Default: `''` 
@@ -2106,20 +2172,15 @@ Recovery service vault name to add VMs to backup. ### Parameter: `backupVaultResourceGroup` Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. -- Required: No -- Type: string -- Default: `[resourceGroup().name]` - -### Parameter: `baseTime` -Do not provide a value! This date value is used to generate a registration token. - Required: No - Type: string -- Default: `[utcNow('u')]` +- Default: `[resourceGroup().name]` ### Parameter: `bootDiagnostics` Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. + - Required: No - Type: bool - Default: `False` @@ -2127,6 +2188,7 @@ Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnost ### Parameter: `bootDiagnosticStorageAccountName` Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. + - Required: No - Type: string - Default: `''` @@ -2134,6 +2196,7 @@ Custom storage account used to store boot diagnostic information. Boot diagnosti ### Parameter: `bootDiagnosticStorageAccountUri` Storage account boot diagnostic base URI. + - Required: No - Type: string - Default: `[format('.blob.{0}/', environment().suffixes.storage)]` @@ -2141,6 +2204,7 @@ Storage account boot diagnostic base URI. ### Parameter: `certificatesToBeInstalled` Specifies set of certificates that should be installed onto the virtual machine. + - Required: No - Type: array - Default: `[]` 
@@ -2148,28 +2212,15 @@ Specifies set of certificates that should be installed onto the virtual machine. ### Parameter: `computerName` Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name. -- Required: No -- Type: string -- Default: `[parameters('name')]` - -### Parameter: `configurationProfile` -The configuration profile of automanage. - Required: No - Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - ] - ``` +- Default: `[parameters('name')]` ### Parameter: `customData` Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. + - Required: No - Type: string - Default: `''` @@ -2177,6 +2228,7 @@ Custom data associated to the VM, this value will be automatically converted int ### Parameter: `dataDisks` Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + - Required: No - Type: array - Default: `[]` @@ -2184,6 +2236,7 @@ Specifies the data disks. For security reasons, it is recommended to specify Dis ### Parameter: `dedicatedHostId` Specifies resource ID about the dedicated host that the virtual machine resides in. + - Required: No - Type: string - Default: `''` @@ -2191,6 +2244,7 @@ Specifies resource ID about the dedicated host that the virtual machine resides ### Parameter: `disablePasswordAuthentication` Specifies whether password authentication should be disabled. + - Required: No - Type: bool - Default: `False` 
@@ -2198,6 +2252,7 @@ Specifies whether password authentication should be disabled. ### Parameter: `enableAutomaticUpdates` Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. + - Required: No - Type: bool - Default: `True` @@ -2205,6 +2260,7 @@ Indicates whether Automatic Updates is enabled for the Windows virtual machine. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -2212,6 +2268,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableEvictionPolicy` Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. + - Required: No - Type: bool - Default: `False` @@ -2219,6 +2276,7 @@ Specifies the eviction policy for the low priority virtual machine. Will result ### Parameter: `encryptionAtHost` This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. + - Required: No - Type: bool - Default: `True` @@ -2226,6 +2284,7 @@ This property can be used by user in the request to enable or disable the Host E ### Parameter: `extensionAadJoinConfig` The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: 
@@ -2238,6 +2297,7 @@ The configuration for the [AAD Join] extension. Must at least contain the ["enab ### Parameter: `extensionAntiMalwareConfig` The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -2250,6 +2310,7 @@ The configuration for the [Anti Malware] extension. Must at least contain the [" ### Parameter: `extensionAzureDiskEncryptionConfig` The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. + - Required: No - Type: object - Default: @@ -2262,6 +2323,7 @@ The configuration for the [Azure Disk Encryption] extension. Must at least conta ### Parameter: `extensionCustomScriptConfig` The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -2275,6 +2337,7 @@ The configuration for the [Custom Script] extension. Must at least contain the [ ### Parameter: `extensionCustomScriptProtectedSetting` Any object that contains the extension specific protected settings. + - Required: No - Type: secureObject - Default: `{}` @@ -2282,6 +2345,7 @@ Any object that contains the extension specific protected settings. ### Parameter: `extensionDependencyAgentConfig` The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: 
@@ -2294,6 +2358,7 @@ The configuration for the [Dependency Agent] extension. Must at least contain th ### Parameter: `extensionDomainJoinConfig` The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -2306,6 +2371,7 @@ The configuration for the [Domain Join] extension. Must at least contain the ["e ### Parameter: `extensionDomainJoinPassword` Required if name is specified. Password of the user specified in user parameter. + - Required: No - Type: securestring - Default: `''` @@ -2313,6 +2379,7 @@ Required if name is specified. Password of the user specified in user parameter. ### Parameter: `extensionDSCConfig` The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -2325,6 +2392,7 @@ The configuration for the [Desired State Configuration] extension. Must at least ### Parameter: `extensionMonitoringAgentConfig` The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: @@ -2337,6 +2405,7 @@ The configuration for the [Monitoring Agent] extension. Must at least contain th ### Parameter: `extensionNetworkWatcherAgentConfig` The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. + - Required: No - Type: object - Default: 
@@ -2346,15 +2415,10 @@ The configuration for the [Network Watcher Agent] extension. Must at least conta } ``` -### Parameter: `imageReference` - -OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. -- Required: Yes -- Type: object - ### Parameter: `licenseType` Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. + - Required: No - Type: string - Default: `''` @@ -2370,6 +2434,7 @@ Specifies that the image or disk that is being used was licensed on-premises. Th ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -2377,26 +2442,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -2404,25 +2478,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = "True". + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -2430,6 +2506,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `maxPriceForLowPriorityVm` Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. + - Required: No - Type: string - Default: `''` 
@@ -2437,6 +2514,7 @@ Specifies the maximum price you are willing to pay for a low priority VM/VMSS. T ### Parameter: `monitoringWorkspaceId` Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. + - Required: No - Type: string - Default: `''` @@ -2444,38 +2522,15 @@ Resource ID of the monitoring log analytics workspace. Must be set when extensio ### Parameter: `name` The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. + - Required: No - Type: string - Default: `[take(toLower(uniqueString(resourceGroup().name)), 10)]` -### Parameter: `nicConfigurations` - -Configures NICs and PIPs. -- Required: Yes -- Type: array - -### Parameter: `osDisk` - -Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. -- Required: Yes -- Type: object - -### Parameter: `osType` - -The chosen OS type. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Linux' - 'Windows' - ] - ``` - ### Parameter: `patchAssessmentMode` VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. + - Required: No - Type: string - Default: `'ImageDefault'` @@ -2490,6 +2545,7 @@ VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable aut ### Parameter: `patchMode` VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. + - Required: No - Type: string - Default: `''` 
@@ -2507,6 +2563,7 @@ VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows ### Parameter: `plan` Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. + - Required: No - Type: object - Default: `{}` @@ -2514,6 +2571,7 @@ Specifies information about the marketplace image used to create the virtual mac ### Parameter: `priority` Specifies the priority for the virtual machine. + - Required: No - Type: string - Default: `'Regular'` @@ -2529,6 +2587,7 @@ Specifies the priority for the virtual machine. ### Parameter: `provisionVMAgent` Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. + - Required: No - Type: bool - Default: `True` @@ -2536,6 +2595,7 @@ Indicates whether virtual machine agent should be provisioned on the virtual mac ### Parameter: `proximityPlacementGroupResourceId` Resource ID of a proximity placement group. + - Required: No - Type: string - Default: `''` @@ -2543,6 +2603,7 @@ Resource ID of a proximity placement group. ### Parameter: `publicKeys` The list of SSH public keys used to authenticate with linux based VMs. + - Required: No - Type: array - Default: `[]` 
@@ -2550,74 +2611,96 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sasTokenValidityLength` SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. + - Required: No - Type: string - Default: `'PT8H'` @@ -2625,6 +2708,7 @@ SAS token validity length to use to download files from storage accounts. Usage: ### Parameter: `secureBootEnabled` Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. + - Required: No - Type: bool - Default: `False` @@ -2632,6 +2716,7 @@ Specifies whether secure boot should be enabled on the virtual machine. This par ### Parameter: `securityType` Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. + - Required: No - Type: string - Default: `''` @@ -2639,12 +2724,14 @@ Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `timeZone` Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. + - Required: No - Type: string - Default: `''` 
@@ -2652,19 +2739,15 @@ Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Po ### Parameter: `ultraSSDEnabled` The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. + - Required: No - Type: bool - Default: `False` -### Parameter: `vmSize` - -Specifies the size for the VMs. -- Required: Yes -- Type: string - ### Parameter: `vTpmEnabled` Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. + - Required: No - Type: bool - Default: `False` @@ -2672,10 +2755,19 @@ Specifies whether vTPM should be enabled on the virtual machine. This parameter ### Parameter: `winRM` Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. + - Required: No - Type: object - Default: `{}` +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a registration token. + +- Required: No +- Type: string +- Default: `[utcNow('u')]` + ## Outputs diff --git a/modules/compute/virtual-machine/extension/README.md b/modules/compute/virtual-machine/extension/README.md index 447f83aed0..324ebc8179 100644 --- a/modules/compute/virtual-machine/extension/README.md +++ b/modules/compute/virtual-machine/extension/README.md 
@@ -49,18 +49,56 @@ This module deploys a Virtual Machine Extension. ### Parameter: `autoUpgradeMinorVersion` Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. + - Required: Yes - Type: bool ### Parameter: `enableAutomaticUpgrade` Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. + - Required: Yes - Type: bool +### Parameter: `name` + +The name of the virtual machine extension. + +- Required: Yes +- Type: string + +### Parameter: `publisher` + +The name of the extension handler publisher. + +- Required: Yes +- Type: string + +### Parameter: `type` + +Specifies the type of the extension; an example is "CustomScriptExtension". + +- Required: Yes +- Type: string + +### Parameter: `typeHandlerVersion` + +Specifies the version of the script handler. + +- Required: Yes +- Type: string + +### Parameter: `virtualMachineName` + +The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -68,6 +106,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `forceUpdateTag` How the extension handler should be forced to update even if the extension configuration has not changed. + - Required: No - Type: string - Default: `''` 
@@ -75,32 +114,23 @@ How the extension handler should be forced to update even if the extension confi ### Parameter: `location` The location the extension is deployed to. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the virtual machine extension. -- Required: Yes -- Type: string - ### Parameter: `protectedSettings` Any object that contains the extension specific protected settings. + - Required: No - Type: secureObject - Default: `{}` -### Parameter: `publisher` - -The name of the extension handler publisher. -- Required: Yes -- Type: string - ### Parameter: `settings` Any object that contains the extension specific settings. + - Required: No - Type: object - Default: `{}` @@ -108,6 +138,7 @@ Any object that contains the extension specific settings. ### Parameter: `supressFailures` Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false. + - Required: No - Type: bool - Default: `False` @@ -115,27 +146,10 @@ Indicates whether failures stemming from the extension will be suppressed (Opera ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `type` - -Specifies the type of the extension; an example is "CustomScriptExtension". -- Required: Yes -- Type: string - -### Parameter: `typeHandlerVersion` - -Specifies the version of the script handler. -- Required: Yes -- Type: string - -### Parameter: `virtualMachineName` - -The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md index 748abdf07f..27a7dbedeb 100644 --- a/modules/consumption/budget/README.md +++ b/modules/consumption/budget/README.md 
@@ -270,36 +270,32 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = { | [`startDate`](#parameter-startdate) | string | The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). | | [`thresholds`](#parameter-thresholds) | array | Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. | -### Parameter: `actionGroups` - -List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. -- Required: No -- Type: array -- Default: `[]` - ### Parameter: `amount` The total amount of cost or usage to track with the budget. + - Required: Yes - Type: int -### Parameter: `category` +### Parameter: `name` -The category of the budget, whether the budget tracks cost or usage. -- Required: No +The name of the budget. + +- Required: Yes - Type: string -- Default: `'Cost'` -- Allowed: - ```Bicep - [ - 'Cost' - 'Usage' - ] - ``` + +### Parameter: `actionGroups` + +List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided. + +- Required: No +- Type: array +- Default: `[]` ### Parameter: `contactEmails` The list of email addresses to send the budget notification to when the thresholds are exceeded. Required if neither `contactRoles` nor `actionGroups` was provided. + - Required: No - Type: array - Default: `[]` 
@@ -307,13 +303,30 @@ The list of email addresses to send the budget notification to when the threshol ### Parameter: `contactRoles` The list of contact roles to send the budget notification to when the thresholds are exceeded. Required if neither `contactEmails` nor `actionGroups` was provided. + - Required: No - Type: array - Default: `[]` +### Parameter: `category` + +The category of the budget, whether the budget tracks cost or usage. + +- Required: No +- Type: string +- Default: `'Cost'` +- Allowed: + ```Bicep + [ + 'Cost' + 'Usage' + ] + ``` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -321,6 +334,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endDate` The end date for the budget. If not provided, it will default to 10 years from the start date. + - Required: No - Type: string - Default: `''` @@ -328,19 +342,15 @@ The end date for the budget. If not provided, it will default to 10 years from t ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` -### Parameter: `name` - -The name of the budget. -- Required: Yes -- Type: string - ### Parameter: `resetPeriod` The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. + - Required: No - Type: string - Default: `'Monthly'` @@ -359,6 +369,7 @@ The time covered by a budget. Tracking of the amount will be reset based on the ### Parameter: `startDate` The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). + - Required: No - Type: string - Default: `[format('{0}-{1}-01T00:00:00Z', utcNow('yyyy'), utcNow('MM'))]` 
@@ -366,6 +377,7 @@ The start date for the budget. Start date should be the first day of the month a ### Parameter: `thresholds` Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. + - Required: No - Type: array - Default: diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 7c696de967..8e0da9832e 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -1023,9 +1023,32 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0 | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`volumes`](#parameter-volumes) | array | Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. | +### Parameter: `containers` + +The containers and their respective config within the container group. + +- Required: Yes +- Type: array + +### Parameter: `name` + +Name for the container group. + +- Required: Yes +- Type: string + +### Parameter: `ipAddressPorts` + +Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `autoGeneratedDomainNameLabelScope` Specify level of protection of the domain name label. + - Required: No - Type: string - Default: `'TenantReuse'` 
@@ -1040,50 +1063,51 @@ Specify level of protection of the domain name label. ] ``` -### Parameter: `containers` - -The containers and their respective config within the container group. -- Required: Yes -- Type: array - ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. 
Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string @@ -1091,6 +1115,7 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `dnsNameLabel` The Dns name label for the resource. + - Required: No - Type: string - Default: `''` @@ -1098,6 +1123,7 @@ The Dns name label for the resource. ### Parameter: `dnsNameServers` List of dns servers used by the containers for lookups. + - Required: No - Type: array - Default: `[]` @@ -1105,6 +1131,7 @@ List of dns servers used by the containers for lookups. ### Parameter: `dnsSearchDomains` DNS search domain which will be appended to each DNS lookup. + - Required: No - Type: string - Default: `''` 
@@ -1112,6 +1139,7 @@ DNS search domain which will be appended to each DNS lookup. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1119,6 +1147,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `imageRegistryCredentials` The image registry credentials by which the container group is created from. + - Required: No - Type: array - Default: `[]` @@ -1126,13 +1155,7 @@ The image registry credentials by which the container group is created from. ### Parameter: `initContainers` A list of container definitions which will be executed before the application container starts. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `ipAddressPorts` -Ports to open on the public IP address. Must include all ports assigned on container level. Required if `ipAddressType` is set to `public`. - Required: No - Type: array - Default: `[]` @@ -1140,6 +1163,7 @@ Ports to open on the public IP address. Must include all ports assigned on conta ### Parameter: `ipAddressType` Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. + - Required: No - Type: string - Default: `'Public'` @@ -1154,6 +1178,7 @@ Specifies if the IP is exposed to the public internet or private VNET. - Public ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1161,26 +1186,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1188,38 +1222,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name for the container group. -- Required: Yes -- Type: string - ### Parameter: `osType` The operating system type required by the containers in the container group. - Windows or Linux. + - Required: No - Type: string - Default: `'Linux'` @@ -1227,6 +1258,7 @@ The operating system type required by the containers in the container group. - W ### Parameter: `restartPolicy` Restart policy for all containers within the container group. - Always: Always restart. OnFailure: Restart on failure. Never: Never restart. - Always, OnFailure, Never. + - Required: No - Type: string - Default: `'Always'` 
@@ -1242,6 +1274,7 @@ Restart policy for all containers within the container group. - Always: Always r ### Parameter: `sku` The container group SKU. + - Required: No - Type: string - Default: `'Standard'` @@ -1256,6 +1289,7 @@ The container group SKU. ### Parameter: `subnetId` Resource ID of the subnet. Only specify when ipAddressType is Private. + - Required: No - Type: string - Default: `''` @@ -1263,12 +1297,14 @@ Resource ID of the subnet. Only specify when ipAddressType is Private. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `volumes` Specify if volumes (emptyDir, AzureFileShare or GitRepo) shall be attached to your containergroup. + - Required: No - Type: array - Default: `[]` diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 546708177b..51f807006c 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -823,9 +823,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`webhooks`](#parameter-webhooks) | array | All webhooks to create. | | [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. | +### Parameter: `name` + +Name of your Azure container registry. + +- Required: Yes +- Type: string + ### Parameter: `acrAdminUserEnabled` Enable admin user that have push / pull permission to the registry. + - Required: No - Type: bool - Default: `False` @@ -833,6 +841,7 @@ Enable admin user that have push / pull permission to the registry. ### Parameter: `acrSku` Tier of your Azure container registry. + - Required: No - Type: string - Default: `'Basic'` 
@@ -848,6 +857,7 @@ Tier of your Azure container registry. ### Parameter: `anonymousPullEnabled` Enables registry-wide pull from unauthenticated clients. It's in preview and available in the Standard and Premium service tiers. + - Required: No - Type: bool - Default: `False` @@ -855,6 +865,7 @@ Enables registry-wide pull from unauthenticated clients. It's in preview and ava ### Parameter: `azureADAuthenticationAsArmPolicyStatus` The value that indicates whether the policy for using ARM audience token for a container registr is enabled or not. Default is enabled. + - Required: No - Type: string - Default: `'enabled'` @@ -869,6 +880,7 @@ The value that indicates whether the policy for using ARM audience token for a c ### Parameter: `cacheRules` Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache#cache-for-acr-preview)). + - Required: No - Type: array - Default: `[]` 
@@ -876,41 +888,48 @@ Array of Cache Rules. Note: This is a preview feature ([ref](https://learn.micro ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
| ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string @@ -918,6 +937,7 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `dataEndpointEnabled` Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access. Note, requires the 'acrSku' to be 'Premium'. + - Required: No - Type: bool - Default: `False` 
@@ -925,114 +945,90 @@ Enable a single data endpoint per region for serving data. Not relevant in case ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1040,6 +1036,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1047,6 +1044,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exportPolicyStatus` The value that indicates whether the export policy is enabled or not. + - Required: No - Type: string - Default: `'disabled'` @@ -1061,6 +1059,7 @@ The value that indicates whether the export policy is enabled or not. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1068,26 +1067,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1095,38 +1103,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of your Azure container registry. -- Required: Yes -- Type: string - ### Parameter: `networkRuleBypassOptions` Whether to allow trusted Azure services to access a network restricted registry. + - Required: No - Type: string - Default: `'AzureServices'` @@ -1141,6 +1146,7 @@ Whether to allow trusted Azure services to access a network restricted registry. ### Parameter: `networkRuleSetDefaultAction` The default action of allow or deny when no other rules match. + - Required: No - Type: string - Default: `'Deny'` 
@@ -1155,6 +1161,7 @@ The default action of allow or deny when no other rules match. ### Parameter: `networkRuleSetIpRules` The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. + - Required: No - Type: array - Default: `[]` 
@@ -1162,197 +1169,247 @@ The IP ACL rules. Note, requires the 'acrSku' to be 'Premium'. ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'acrSku' to be 'Premium'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. 
The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. 
| +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. 
| -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. 
| - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1360,6 +1417,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkRuleSetIpRules are not set. Note, requires the 'acrSku' to be 'Premium'. + - Required: No - Type: string - Default: `''` @@ -1375,6 +1433,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `quarantinePolicyStatus` The value that indicates whether the quarantine policy is enabled or not. + - Required: No - Type: string - Default: `'disabled'` @@ -1389,6 +1448,7 @@ The value that indicates whether the quarantine policy is enabled or not. ### Parameter: `replications` All replications to create. + - Required: No - Type: array - Default: `[]` @@ -1396,6 +1456,7 @@ All replications to create. ### Parameter: `retentionPolicyDays` The number of days to retain an untagged manifest after which it gets purged. + - Required: No - Type: int - Default: `15` @@ -1403,6 +1464,7 @@ The number of days to retain an untagged manifest after which it gets purged. ### Parameter: `retentionPolicyStatus` The value that indicates whether the retention policy is enabled or not. + - Required: No - Type: string - Default: `'enabled'` 
@@ -1417,74 +1479,96 @@ The value that indicates whether the retention policy is enabled or not. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `softDeletePolicyDays` The number of days after which a soft-deleted item is permanently deleted. + - Required: No - Type: int - Default: `7` @@ -1492,6 +1576,7 @@ The number of days after which a soft-deleted item is permanently deleted. ### Parameter: `softDeletePolicyStatus` Soft Delete policy status. Default is disabled. + - Required: No - Type: string - Default: `'disabled'` @@ -1506,12 +1591,14 @@ Soft Delete policy status. Default is disabled. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `trustPolicyStatus` The value that indicates whether the trust policy is enabled or not. + - Required: No - Type: string - Default: `'disabled'` @@ -1526,6 +1613,7 @@ The value that indicates whether the trust policy is enabled or not. ### Parameter: `webhooks` All webhooks to create. + - Required: No - Type: array - Default: `[]` @@ -1533,6 +1621,7 @@ All webhooks to create. ### Parameter: `zoneRedundancy` Whether or not zone redundancy is enabled for this container registry. + - Required: No - Type: string - Default: `'Disabled'` diff --git a/modules/container-registry/registry/cache-rules/README.md b/modules/container-registry/registry/cache-rules/README.md index 75303e848b..9e9dd03dda 100644 --- a/modules/container-registry/registry/cache-rules/README.md +++ b/modules/container-registry/registry/cache-rules/README.md 
@@ -33,9 +33,24 @@ Cache for Azure Container Registry (Preview) feature allows users to cache conta | [`name`](#parameter-name) | string | The name of the cache rule. Will be dereived from the source repository name if not defined. | | [`targetRepository`](#parameter-targetrepository) | string | Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. | +### Parameter: `registryName` + +The name of the parent registry. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `sourceRepository` + +Source repository pulled from upstream. + +- Required: Yes +- Type: string + ### Parameter: `credentialSetResourceId` The resource ID of the credential store which is associated with the cache rule. + - Required: No - Type: string - Default: `''` @@ -43,6 +58,7 @@ The resource ID of the credential store which is associated with the cache rule. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,25 +66,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the cache rule. Will be dereived from the source repository name if not defined. + - Required: No - Type: string - Default: `[replace(replace(parameters('sourceRepository'), '/', '-'), '.', '-')]` -### Parameter: `registryName` - -The name of the parent registry. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `sourceRepository` - -Source repository pulled from upstream. -- Required: Yes -- Type: string - ### Parameter: `targetRepository` Target repository specified in docker pull command. E.g.: docker pull myregistry.azurecr.io/{targetRepository}:{tag}. + - Required: No - Type: string - Default: `[parameters('sourceRepository')]` 
diff --git a/modules/container-registry/registry/replication/README.md b/modules/container-registry/registry/replication/README.md index 1dbe5d559c..6f7f21c1f1 100644 --- a/modules/container-registry/registry/replication/README.md +++ b/modules/container-registry/registry/replication/README.md @@ -39,9 +39,24 @@ This module deploys an Azure Container Registry (ACR) Replication. | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundancy`](#parameter-zoneredundancy) | string | Whether or not zone redundancy is enabled for this container registry. | +### Parameter: `name` + +The name of the replication. + +- Required: Yes +- Type: string + +### Parameter: `registryName` + +The name of the parent registry. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -49,38 +64,30 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the replication. -- Required: Yes -- Type: string - ### Parameter: `regionEndpointEnabled` Specifies whether the replication regional endpoint is enabled. Requests will not be routed to a replication whose regional endpoint is disabled, however its data will continue to be synced with other replications. + - Required: No - Type: bool - Default: `True` -### Parameter: `registryName` - -The name of the parent registry. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneRedundancy` Whether or not zone redundancy is enabled for this container registry. + - Required: No - Type: string - Default: `'Disabled'` 
diff --git a/modules/container-registry/registry/webhook/README.md b/modules/container-registry/registry/webhook/README.md index 380e28389e..55b48b3f3e 100644 --- a/modules/container-registry/registry/webhook/README.md +++ b/modules/container-registry/registry/webhook/README.md @@ -42,9 +42,24 @@ This module deploys an Azure Container Registry (ACR) Webhook. | [`status`](#parameter-status) | string | The status of the webhook at the time the operation was called. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `serviceUri` + +The service URI for the webhook to post notifications. + +- Required: Yes +- Type: string + +### Parameter: `registryName` + +The name of the parent registry. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `action` The list of actions that trigger the webhook to post notifications. + - Required: No - Type: array - Default: @@ -61,6 +76,7 @@ The list of actions that trigger the webhook to post notifications. ### Parameter: `customHeaders` Custom headers that will be added to the webhook notifications. + - Required: No - Type: object - Default: `{}` @@ -68,6 +84,7 @@ Custom headers that will be added to the webhook notifications. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -75,6 +92,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -82,32 +100,23 @@ Location for all resources. ### Parameter: `name` The name of the registry webhook. + - Required: No - Type: string - Default: `[format('{0}webhook', parameters('registryName'))]` -### Parameter: `registryName` - -The name of the parent registry. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `scope` The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. + - Required: No - Type: string - Default: `''` -### Parameter: `serviceUri` - -The service URI for the webhook to post notifications. -- Required: Yes -- Type: string - ### Parameter: `status` The status of the webhook at the time the operation was called. + - Required: No - Type: string - Default: `'enabled'` @@ -122,6 +131,7 @@ The status of the webhook at the time the operation was called. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index dd804e181f..0b88e6a7b3 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md 
@@ -1278,9 +1278,40 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`webApplicationRoutingEnabled`](#parameter-webapplicationroutingenabled) | bool | Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | +### Parameter: `name` + +Specifies the name of the AKS cluster. + +- Required: Yes +- Type: string + +### Parameter: `primaryAgentPoolProfile` + +Properties of the primary agent pool. + +- Required: Yes +- Type: array + +### Parameter: `aksServicePrincipalProfile` + +Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `appGatewayResourceId` + +Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `aadProfileAdminGroupObjectIDs` Specifies the AAD group object IDs that will have admin role of the cluster. + - Required: No - Type: array - Default: `[]` @@ -1288,6 +1319,7 @@ Specifies the AAD group object IDs that will have admin role of the cluster. ### Parameter: `aadProfileClientAppID` The client AAD application ID. + - Required: No - Type: string - Default: `''` @@ -1295,6 +1327,7 @@ The client AAD application ID. ### Parameter: `aadProfileEnableAzureRBAC` Specifies whether to enable Azure RBAC for Kubernetes authorization. + - Required: No - Type: bool - Default: `[parameters('enableRBAC')]` @@ -1302,6 +1335,7 @@ Specifies whether to enable Azure RBAC for Kubernetes authorization. ### Parameter: `aadProfileManaged` Specifies whether to enable managed AAD integration. + - Required: No - Type: bool - Default: `True` 
@@ -1309,6 +1343,7 @@ Specifies whether to enable managed AAD integration. ### Parameter: `aadProfileServerAppID` The server AAD application ID. + - Required: No - Type: string - Default: `''` @@ -1316,6 +1351,7 @@ The server AAD application ID. ### Parameter: `aadProfileServerAppSecret` The server AAD application secret. + - Required: No - Type: string - Default: `''` @@ -1323,6 +1359,7 @@ The server AAD application secret. ### Parameter: `aadProfileTenantId` Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication. + - Required: No - Type: string - Default: `[subscription().tenantId]` @@ -1330,6 +1367,7 @@ Specifies the tenant ID of the Azure Active Directory used by the AKS cluster fo ### Parameter: `aciConnectorLinuxEnabled` Specifies whether the aciConnectorLinux add-on is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -1337,6 +1375,7 @@ Specifies whether the aciConnectorLinux add-on is enabled or not. ### Parameter: `adminUsername` Specifies the administrator username of Linux virtual machines. + - Required: No - Type: string - Default: `'azureuser'` 
@@ -1344,27 +1383,15 @@ Specifies the administrator username of Linux virtual machines. ### Parameter: `agentPools` Define one or more secondary/additional agent pools. + - Required: No - Type: array - Default: `[]` -### Parameter: `aksServicePrincipalProfile` - -Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `appGatewayResourceId` - -Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `authorizedIPRanges` IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. + - Required: No - Type: array - Default: `[]` @@ -1372,6 +1399,7 @@ IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is ### Parameter: `autoScalerProfileBalanceSimilarNodeGroups` Specifies the balance of similar node groups for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'false'` @@ -1386,6 +1414,7 @@ Specifies the balance of similar node groups for the auto-scaler of the AKS clus ### Parameter: `autoScalerProfileExpander` Specifies the expand strategy for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'random'` @@ -1402,6 +1431,7 @@ Specifies the expand strategy for the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileMaxEmptyBulkDelete` Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'10'` 
@@ -1409,6 +1439,7 @@ Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileMaxGracefulTerminationSec` Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'600'` @@ -1416,6 +1447,7 @@ Specifies the max graceful termination time interval in seconds for the auto-sca ### Parameter: `autoScalerProfileMaxNodeProvisionTime` Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported. + - Required: No - Type: string - Default: `'15m'` @@ -1423,6 +1455,7 @@ Specifies the maximum node provisioning time for the auto-scaler of the AKS clus ### Parameter: `autoScalerProfileMaxTotalUnreadyPercentage` Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0. + - Required: No - Type: string - Default: `'45'` @@ -1430,6 +1463,7 @@ Specifies the mximum total unready percentage for the auto-scaler of the AKS clu ### Parameter: `autoScalerProfileNewPodScaleUpDelay` For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc). + - Required: No - Type: string - Default: `'0s'` @@ -1437,6 +1471,7 @@ For scenarios like burst/batch scale where you do not want CA to act before the ### Parameter: `autoScalerProfileOkTotalUnreadyCount` Specifies the OK total unready count for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'3'` 
@@ -1444,6 +1479,7 @@ Specifies the OK total unready count for the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileScaleDownDelayAfterAdd` Specifies the scale down delay after add of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'10m'` @@ -1451,6 +1487,7 @@ Specifies the scale down delay after add of the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileScaleDownDelayAfterDelete` Specifies the scale down delay after delete of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'20s'` @@ -1458,6 +1495,7 @@ Specifies the scale down delay after delete of the auto-scaler of the AKS cluste ### Parameter: `autoScalerProfileScaleDownDelayAfterFailure` Specifies scale down delay after failure of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'3m'` @@ -1465,6 +1503,7 @@ Specifies scale down delay after failure of the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileScaleDownUnneededTime` Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'10m'` @@ -1472,6 +1511,7 @@ Specifies the scale down unneeded time of the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileScaleDownUnreadyTime` Specifies the scale down unready time of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'20m'` @@ -1479,6 +1519,7 @@ Specifies the scale down unready time of the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileScanInterval` Specifies the scan interval of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'10s'` 
@@ -1486,6 +1527,7 @@ Specifies the scan interval of the auto-scaler of the AKS cluster. ### Parameter: `autoScalerProfileSkipNodesWithLocalStorage` Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'true'` @@ -1500,6 +1542,7 @@ Specifies if nodes with local storage should be skipped for the auto-scaler of t ### Parameter: `autoScalerProfileSkipNodesWithSystemPods` Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'true'` @@ -1514,6 +1557,7 @@ Specifies if nodes with system pods should be skipped for the auto-scaler of the ### Parameter: `autoScalerProfileUtilizationThreshold` Specifies the utilization threshold of the auto-scaler of the AKS cluster. + - Required: No - Type: string - Default: `'0.5'` @@ -1521,6 +1565,7 @@ Specifies the utilization threshold of the auto-scaler of the AKS cluster. ### Parameter: `autoUpgradeProfileUpgradeChannel` Auto-upgrade channel on the AKS cluster. + - Required: No - Type: string - Default: `''` @@ -1539,6 +1584,7 @@ Auto-upgrade channel on the AKS cluster. ### Parameter: `azurePolicyEnabled` Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. + - Required: No - Type: bool - Default: `True` @@ -1546,6 +1592,7 @@ Specifies whether the azurepolicy add-on is enabled or not. For security reasons ### Parameter: `azurePolicyVersion` Specifies the azure policy version to use. + - Required: No - Type: string - Default: `'v2'` 
@@ -1553,42 +1600,55 @@ Specifies the azure policy version to use. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | string | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | Yes | string | Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
| +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultNetworkAccess` -Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. +Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. - Required: Yes - Type: string -- Allowed: `[Private, Public]` +- Allowed: + ```Bicep + [ + 'Private' + 'Public' + ] + ``` ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string 
@@ -1596,114 +1656,90 @@ Optional. The version of the customer managed key to reference for encryption. I ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1711,6 +1747,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAccounts` If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. + - Required: No - Type: bool - Default: `False` @@ -1718,6 +1755,7 @@ If set to true, getting static credentials will be disabled for this cluster. Th ### Parameter: `disableRunCommand` Whether to disable run command for the cluster or not. + - Required: No - Type: bool - Default: `False` @@ -1725,6 +1763,7 @@ Whether to disable run command for the cluster or not. ### Parameter: `diskEncryptionSetID` The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided. + - Required: No - Type: string - Default: `''` @@ -1732,6 +1771,7 @@ The resource ID of the disc encryption set to apply to the cluster. For security ### Parameter: `dnsPrefix` Specifies the DNS prefix specified when creating the managed cluster. + - Required: No - Type: string - Default: `[parameters('name')]` @@ -1739,6 +1779,7 @@ Specifies the DNS prefix specified when creating the managed cluster. ### Parameter: `dnsServiceIP` Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. + - Required: No - Type: string - Default: `''` 
@@ -1746,6 +1787,7 @@ Specifies the IP address assigned to the Kubernetes DNS service. It must be with ### Parameter: `dnsZoneResourceId` Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. + - Required: No - Type: string - Default: `''` @@ -1753,6 +1795,7 @@ Specifies the resource ID of connected DNS zone. It will be ignored if `webAppli ### Parameter: `enableAzureDefender` Whether to enable Azure Defender. + - Required: No - Type: bool - Default: `False` @@ -1760,6 +1803,7 @@ Whether to enable Azure Defender. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1767,6 +1811,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableDnsZoneContributorRoleAssignment` Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. + - Required: No - Type: bool - Default: `True` @@ -1774,6 +1819,7 @@ Specifies whether assing the DNS zone contributor role to the cluster service pr ### Parameter: `enableKeyvaultSecretsProvider` Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -1781,6 +1827,7 @@ Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. ### Parameter: `enableOidcIssuerProfile` Whether the The OIDC issuer profile of the Managed Cluster is enabled. + - Required: No - Type: bool - Default: `False` @@ -1788,6 +1835,7 @@ Whether the The OIDC issuer profile of the Managed Cluster is enabled. ### Parameter: `enablePodSecurityPolicy` Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. + - Required: No - Type: bool - Default: `False` 
@@ -1795,6 +1843,7 @@ Whether to enable Kubernetes pod security policy. Requires enabling the pod secu ### Parameter: `enablePrivateCluster` Specifies whether to create the cluster as a private cluster or not. + - Required: No - Type: bool - Default: `False` @@ -1802,6 +1851,7 @@ Specifies whether to create the cluster as a private cluster or not. ### Parameter: `enablePrivateClusterPublicFQDN` Whether to create additional public FQDN for private cluster or not. + - Required: No - Type: bool - Default: `False` @@ -1809,6 +1859,7 @@ Whether to create additional public FQDN for private cluster or not. ### Parameter: `enableRBAC` Whether to enable Kubernetes Role-Based Access Control. + - Required: No - Type: bool - Default: `True` @@ -1816,6 +1867,7 @@ Whether to enable Kubernetes Role-Based Access Control. ### Parameter: `enableSecretRotation` Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. + - Required: No - Type: string - Default: `'false'` @@ -1830,6 +1882,7 @@ Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. ### Parameter: `enableStorageProfileBlobCSIDriver` Whether the AzureBlob CSI Driver for the storage profile is enabled. + - Required: No - Type: bool - Default: `False` @@ -1837,6 +1890,7 @@ Whether the AzureBlob CSI Driver for the storage profile is enabled. ### Parameter: `enableStorageProfileDiskCSIDriver` Whether the AzureDisk CSI Driver for the storage profile is enabled. + - Required: No - Type: bool - Default: `False` @@ -1844,6 +1898,7 @@ Whether the AzureDisk CSI Driver for the storage profile is enabled. ### Parameter: `enableStorageProfileFileCSIDriver` Whether the AzureFile CSI Driver for the storage profile is enabled. + - Required: No - Type: bool - Default: `False` 
@@ -1851,6 +1906,7 @@ Whether the AzureFile CSI Driver for the storage profile is enabled. ### Parameter: `enableStorageProfileSnapshotController` Whether the snapshot controller for the storage profile is enabled. + - Required: No - Type: bool - Default: `False` @@ -1858,6 +1914,7 @@ Whether the snapshot controller for the storage profile is enabled. ### Parameter: `enableWorkloadIdentity` Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. + - Required: No - Type: bool - Default: `False` @@ -1865,6 +1922,7 @@ Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled. ### Parameter: `fluxConfigurationProtectedSettings` Configuration settings that are sensitive, as name-value pairs for configuring this extension. + - Required: No - Type: secureObject - Default: `{}` @@ -1872,6 +1930,7 @@ Configuration settings that are sensitive, as name-value pairs for configuring t ### Parameter: `fluxExtension` Settings and configurations for the flux extension. + - Required: No - Type: object - Default: `{}` @@ -1879,6 +1938,7 @@ Settings and configurations for the flux extension. ### Parameter: `httpApplicationRoutingEnabled` Specifies whether the httpApplicationRouting add-on is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -1886,6 +1946,7 @@ Specifies whether the httpApplicationRouting add-on is enabled or not. ### Parameter: `httpProxyConfig` Configurations for provisioning the cluster with HTTP proxy servers. + - Required: No - Type: object - Default: `{}` @@ -1893,6 +1954,7 @@ Configurations for provisioning the cluster with HTTP proxy servers. ### Parameter: `identityProfile` Identities associated with the cluster. + - Required: No - Type: object - Default: `{}` @@ -1900,6 +1962,7 @@ Identities associated with the cluster. ### Parameter: `ingressApplicationGatewayEnabled` Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. + - Required: No - Type: bool - Default: `False` 
@@ -1907,6 +1970,7 @@ Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. ### Parameter: `kubeDashboardEnabled` Specifies whether the kubeDashboard add-on is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -1914,6 +1978,7 @@ Specifies whether the kubeDashboard add-on is enabled or not. ### Parameter: `kubernetesVersion` Version of Kubernetes specified when creating the managed cluster. + - Required: No - Type: string - Default: `''` @@ -1921,6 +1986,7 @@ Version of Kubernetes specified when creating the managed cluster. ### Parameter: `loadBalancerSku` Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools. + - Required: No - Type: string - Default: `'standard'` @@ -1935,6 +2001,7 @@ Specifies the sku of the load balancer used by the virtual machine scale sets us ### Parameter: `location` Specifies the location of AKS cluster. It picks up Resource Group's location by default. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1942,26 +2009,35 @@ Specifies the location of AKS cluster. It picks up Resource Group's location by ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1969,25 +2045,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1995,6 +2073,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managedOutboundIPCount` Outbound IP Count for the Load balancer. + - Required: No - Type: int - Default: `0` 
@@ -2002,19 +2081,15 @@ Outbound IP Count for the Load balancer. ### Parameter: `monitoringWorkspaceId` Resource ID of the monitoring log analytics workspace. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -Specifies the name of the AKS cluster. -- Required: Yes -- Type: string - ### Parameter: `networkDataplane` Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. + - Required: No - Type: string - Default: `''` @@ -2030,6 +2105,7 @@ Network dataplane used in the Kubernetes cluster. Not compatible with kubenet ne ### Parameter: `networkPlugin` Specifies the network plugin used for building Kubernetes network. + - Required: No - Type: string - Default: `''` @@ -2045,6 +2121,7 @@ Specifies the network plugin used for building Kubernetes network. ### Parameter: `networkPluginMode` Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin. + - Required: No - Type: string - Default: `''` @@ -2059,6 +2136,7 @@ Network plugin mode used for building the Kubernetes network. Not compatible wit ### Parameter: `networkPolicy` Specifies the network policy used for building Kubernetes network. - calico or azure. + - Required: No - Type: string - Default: `''` @@ -2074,6 +2152,7 @@ Specifies the network policy used for building Kubernetes network. - calico or a ### Parameter: `nodeResourceGroup` Name of the resource group containing agent pool nodes. + - Required: No - Type: string - Default: `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]` @@ -2081,6 +2160,7 @@ Name of the resource group containing agent pool nodes. ### Parameter: `omsAgentEnabled` Specifies whether the OMS agent is enabled. + - Required: No - Type: bool - Default: `True` 
@@ -2088,6 +2168,7 @@ Specifies whether the OMS agent is enabled. ### Parameter: `openServiceMeshEnabled` Specifies whether the openServiceMesh add-on is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -2095,6 +2176,7 @@ Specifies whether the openServiceMesh add-on is enabled or not. ### Parameter: `outboundType` Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting. + - Required: No - Type: string - Default: `'loadBalancer'` @@ -2109,6 +2191,7 @@ Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting ### Parameter: `podCidr` Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. + - Required: No - Type: string - Default: `''` @@ -2116,6 +2199,7 @@ Specifies the CIDR notation IP range from which to assign pod IPs when kubenet i ### Parameter: `podIdentityProfileAllowNetworkPluginKubenet` Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. + - Required: No - Type: bool - Default: `False` @@ -2123,6 +2207,7 @@ Running in Kubenet is disabled by default due to the security related nature of ### Parameter: `podIdentityProfileEnable` Whether the pod identity addon is enabled. + - Required: No - Type: bool - Default: `False` @@ -2130,6 +2215,7 @@ Whether the pod identity addon is enabled. ### Parameter: `podIdentityProfileUserAssignedIdentities` The pod identities to use in the cluster. + - Required: No - Type: array - Default: `[]` 
@@ -2137,19 +2223,15 @@ The pod identities to use in the cluster. ### Parameter: `podIdentityProfileUserAssignedIdentityExceptions` The pod identity exceptions to allow. + - Required: No - Type: array - Default: `[]` -### Parameter: `primaryAgentPoolProfile` - -Properties of the primary agent pool. -- Required: Yes -- Type: array - ### Parameter: `privateDNSZone` Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. + - Required: No - Type: string - Default: `''` 
@@ -2157,74 +2239,96 @@ Private DNS Zone configuration. Set to 'system' and AKS will create a private DN ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceCidr` A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. + - Required: No - Type: string - Default: `''` @@ -2232,6 +2336,7 @@ A CIDR notation IP range from which to assign service cluster IPs. It must not o ### Parameter: `skuTier` Tier of a managed cluster SKU. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -2247,6 +2352,7 @@ Tier of a managed cluster SKU. - Free or Standard. ### Parameter: `sshPublicKey` Specifies the SSH RSA public key string for the Linux nodes. + - Required: No - Type: string - Default: `''` @@ -2254,6 +2360,7 @@ Specifies the SSH RSA public key string for the Linux nodes. ### Parameter: `supportPlan` The support plan for the Managed Cluster. + - Required: No - Type: string - Default: `'KubernetesOfficial'` @@ -2268,12 +2375,14 @@ The support plan for the Managed Cluster. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `webApplicationRoutingEnabled` Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. + - Required: No - Type: bool - Default: `False` diff --git a/modules/container-service/managed-cluster/agent-pool/README.md b/modules/container-service/managed-cluster/agent-pool/README.md index ea2052f582..5519e82572 100644 --- a/modules/container-service/managed-cluster/agent-pool/README.md +++ b/modules/container-service/managed-cluster/agent-pool/README.md 
@@ -69,9 +69,24 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool | [`vnetSubnetId`](#parameter-vnetsubnetid) | string | Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. | | [`workloadRuntime`](#parameter-workloadruntime) | string | Determines the type of workload a node can run. | +### Parameter: `name` + +Name of the agent pool. + +- Required: Yes +- Type: string + +### Parameter: `managedClusterName` + +The name of the parent managed cluster. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `availabilityZones` The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is "VirtualMachineScaleSets". + - Required: No - Type: array - Default: `[]` @@ -79,6 +94,7 @@ The list of Availability zones to use for nodes. This can only be specified if t ### Parameter: `count` Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. + - Required: No - Type: int - Default: `1` @@ -86,6 +102,7 @@ Desired Number of agents (VMs) specified to host docker containers. Allowed valu ### Parameter: `enableAutoScaling` Whether to enable auto-scaler. + - Required: No - Type: bool - Default: `False` @@ -93,6 +110,7 @@ Whether to enable auto-scaler. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -100,6 +118,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableEncryptionAtHost` This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. + - Required: No - Type: bool - Default: `False` @@ -107,6 +126,7 @@ This is only supported on certain VM sizes and in certain Azure regions. For mor ### Parameter: `enableFIPS` See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. + - Required: No - Type: bool - Default: `False` @@ -114,6 +134,7 @@ See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/us ### Parameter: `enableNodePublicIP` Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). + - Required: No - Type: bool - Default: `False` @@ -121,6 +142,7 @@ Some scenarios may require nodes in a node pool to receive their own dedicated p ### Parameter: `enableUltraSSD` Whether to enable UltraSSD. + - Required: No - Type: bool - Default: `False` @@ -128,6 +150,7 @@ Whether to enable UltraSSD. ### Parameter: `gpuInstanceProfile` GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. + - Required: No - Type: string - Default: `''` 
@@ -146,19 +169,15 @@ GPUInstanceProfile to be used to specify GPU MIG instance profile for supported ### Parameter: `kubeletDiskType` Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. + - Required: No - Type: string - Default: `''` -### Parameter: `managedClusterName` - -The name of the parent managed cluster. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `maxCount` The maximum number of nodes for auto-scaling. + - Required: No - Type: int - Default: `-1` @@ -166,6 +185,7 @@ The maximum number of nodes for auto-scaling. ### Parameter: `maxPods` The maximum number of pods that can run on a node. + - Required: No - Type: int - Default: `-1` @@ -173,6 +193,7 @@ The maximum number of pods that can run on a node. ### Parameter: `maxSurge` This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade. + - Required: No - Type: string - Default: `''` @@ -180,6 +201,7 @@ This can either be set to an integer (e.g. "5") or a percentage (e.g. "50%"). If ### Parameter: `minCount` The minimum number of nodes for auto-scaling. + - Required: No - Type: int - Default: `-1` 
@@ -187,19 +209,15 @@ The minimum number of nodes for auto-scaling. ### Parameter: `mode` A cluster must have at least one "System" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -Name of the agent pool. -- Required: Yes -- Type: string - ### Parameter: `nodeLabels` The node labels to be persisted across all nodes in agent pool. + - Required: No - Type: object - Default: `{}` @@ -207,6 +225,7 @@ The node labels to be persisted across all nodes in agent pool. ### Parameter: `nodePublicIpPrefixId` ResourceId of the node PublicIPPrefix. + - Required: No - Type: string - Default: `''` @@ -214,6 +233,7 @@ ResourceId of the node PublicIPPrefix. ### Parameter: `nodeTaints` The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. + - Required: No - Type: array - Default: `[]` @@ -221,6 +241,7 @@ The taints added to new nodes during node pool create and scale. For example, ke ### Parameter: `orchestratorVersion` As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool). + - Required: No - Type: string - Default: `''` 
@@ -228,6 +249,7 @@ As a best practice, you should upgrade all node pools in an AKS cluster to the s ### Parameter: `osDiskSizeGB` OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. + - Required: No - Type: int - Default: `0` @@ -235,6 +257,7 @@ OS Disk Size in GB to be used to specify the disk size for every machine in the ### Parameter: `osDiskType` The default is "Ephemeral" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to "Managed". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os). + - Required: No - Type: string - Default: `''` @@ -250,6 +273,7 @@ The default is "Ephemeral" if the VM supports it and has a cache disk larger tha ### Parameter: `osSku` Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. + - Required: No - Type: string - Default: `''` @@ -268,6 +292,7 @@ Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is ### Parameter: `osType` The operating system type. The default is Linux. + - Required: No - Type: string - Default: `'Linux'` @@ -282,6 +307,7 @@ The operating system type. The default is Linux. ### Parameter: `podSubnetId` Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. + - Required: No - Type: string - Default: `''` 
@@ -289,6 +315,7 @@ Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the no ### Parameter: `proximityPlacementGroupResourceId` The ID for the Proximity Placement Group. + - Required: No - Type: string - Default: `''` @@ -296,6 +323,7 @@ The ID for the Proximity Placement Group. ### Parameter: `scaleDownMode` Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing). + - Required: No - Type: string - Default: `'Delete'` @@ -310,6 +338,7 @@ Describes how VMs are added to or removed from Agent Pools. See billing states ( ### Parameter: `scaleSetEvictionPolicy` The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. + - Required: No - Type: string - Default: `'Delete'` @@ -324,6 +353,7 @@ The eviction policy specifies what to do with the VM when it is evicted. The def ### Parameter: `scaleSetPriority` The Virtual Machine Scale Set priority. + - Required: No - Type: string - Default: `''` @@ -339,6 +369,7 @@ The Virtual Machine Scale Set priority. ### Parameter: `sourceResourceId` This is the ARM ID of the source object to be used to create the target object. + - Required: No - Type: string - Default: `''` @@ -346,6 +377,7 @@ This is the ARM ID of the source object to be used to create the target object. ### Parameter: `spotMaxPrice` Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing). + - Required: No - Type: int - Default: `-1` 
@@ -353,12 +385,14 @@ Possible values are any decimal value greater than zero or -1 which indicates th ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `type` The type of Agent Pool. + - Required: No - Type: string - Default: `''` @@ -366,6 +400,7 @@ The type of Agent Pool. ### Parameter: `vmSize` VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions. + - Required: No - Type: string - Default: `'Standard_D2s_v3'` @@ -373,6 +408,7 @@ VM size. VM size availability varies by region. If a node contains insufficient ### Parameter: `vnetSubnetId` Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. + - Required: No - Type: string - Default: `''` @@ -380,6 +416,7 @@ Node Subnet ID. If this is not specified, a VNET and subnet will be generated an ### Parameter: `workloadRuntime` Determines the type of workload a node can run. + - Required: No - Type: string - Default: `''` diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index c04ef52978..dd0ad74ada 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md 
@@ -618,44 +618,58 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Azure Factory to create. + +- Required: Yes +- Type: string + ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
| +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -663,114 +677,90 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -778,6 +768,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -785,6 +776,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `gitAccountName` The account name. + - Required: No - Type: string - Default: `''` @@ -792,6 +784,7 @@ The account name. ### Parameter: `gitCollaborationBranch` The collaboration branch name. Default is 'main'. + - Required: No - Type: string - Default: `'main'` @@ -799,6 +792,7 @@ The collaboration branch name. Default is 'main'. ### Parameter: `gitConfigureLater` Boolean to define whether or not to configure git during template deployment. + - Required: No - Type: bool - Default: `True` @@ -806,6 +800,7 @@ Boolean to define whether or not to configure git during template deployment. ### Parameter: `gitDisablePublish` Disable manual publish operation in ADF studio to favor automated publish. + - Required: No - Type: bool - Default: `False` @@ -813,6 +808,7 @@ Disable manual publish operation in ADF studio to favor automated publish. ### Parameter: `gitHostName` The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for 'FactoryGitHubConfiguration'. + - Required: No - Type: string - Default: `''` 
@@ -820,6 +816,7 @@ The GitHub Enterprise Server host (prefixed with 'https://'). Only relevant for ### Parameter: `gitProjectName` The project name. Only relevant for 'FactoryVSTSConfiguration'. + - Required: No - Type: string - Default: `''` @@ -827,6 +824,7 @@ The project name. Only relevant for 'FactoryVSTSConfiguration'. ### Parameter: `gitRepositoryName` The repository name. + - Required: No - Type: string - Default: `''` @@ -834,6 +832,7 @@ The repository name. ### Parameter: `gitRepoType` Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfiguration'. Default is 'FactoryVSTSConfiguration'. + - Required: No - Type: string - Default: `'FactoryVSTSConfiguration'` @@ -841,6 +840,7 @@ Repository type - can be 'FactoryVSTSConfiguration' or 'FactoryGitHubConfigurati ### Parameter: `gitRootFolder` The root folder path name. Default is '/'. + - Required: No - Type: string - Default: `'/'` @@ -848,6 +848,7 @@ The root folder path name. Default is '/'. ### Parameter: `globalParameters` List of Global Parameters for the factory. + - Required: No - Type: object - Default: `{}` @@ -855,6 +856,7 @@ List of Global Parameters for the factory. ### Parameter: `integrationRuntimes` An array of objects for the configuration of an Integration Runtime. + - Required: No - Type: array - Default: `[]` @@ -862,6 +864,7 @@ An array of objects for the configuration of an Integration Runtime. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -869,26 +872,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -896,25 +908,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -922,6 +936,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managedPrivateEndpoints` An array of managed private endpoints objects created in the Data Factory managed virtual network. + - Required: No - Type: array - Default: `[]` 
@@ -929,210 +944,255 @@ An array of managed private endpoints objects created in the Data Factory manage ### Parameter: `managedVirtualNetworkName` The name of the Managed Virtual Network. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the Azure Factory to create. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. 
The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. 
-| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. 
| -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. 
+ +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. 
+| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1140,6 +1200,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` 
@@ -1155,74 +1216,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/data-factory/factory/integration-runtime/README.md b/modules/data-factory/factory/integration-runtime/README.md index 0e9de57341..1db7d93a4e 100644 --- a/modules/data-factory/factory/integration-runtime/README.md +++ b/modules/data-factory/factory/integration-runtime/README.md @@ -39,15 +39,38 @@ This module deploys a Data Factory Managed or Self-Hosted Integration Runtime. | [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network if using type "Managed" . | | [`typeProperties`](#parameter-typeproperties) | object | Integration Runtime type properties. Required if type is "Managed". | +### Parameter: `name` + +The name of the Integration Runtime. + +- Required: Yes +- Type: string + +### Parameter: `type` + +The type of Integration Runtime. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Managed' + 'SelfHosted' + ] + ``` + ### Parameter: `dataFactoryName` The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -55,32 +78,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `managedVirtualNetworkName` The name of the Managed Virtual Network if using type "Managed" . + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the Integration Runtime. -- Required: Yes -- Type: string - -### Parameter: `type` - -The type of Integration Runtime. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Managed' - 'SelfHosted' - ] - ``` - ### Parameter: `typeProperties` Integration Runtime type properties. Required if type is "Managed". + - Required: No - Type: object - Default: `{}` diff --git a/modules/data-factory/factory/managed-virtual-network/README.md b/modules/data-factory/factory/managed-virtual-network/README.md index 59b92e31fe..a22063ff97 100644 --- a/modules/data-factory/factory/managed-virtual-network/README.md +++ b/modules/data-factory/factory/managed-virtual-network/README.md @@ -38,15 +38,24 @@ This module deploys a Data Factory Managed Virtual Network. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`managedPrivateEndpoints`](#parameter-managedprivateendpoints) | array | An array of managed private endpoints objects created in the Data Factory managed virtual network. | +### Parameter: `name` + +The name of the Managed Virtual Network. + +- Required: Yes +- Type: string + ### Parameter: `dataFactoryName` The name of the parent Azure Data Factory. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -54,16 +63,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `managedPrivateEndpoints` An array of managed private endpoints objects created in the Data Factory managed virtual network. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The name of the Managed Virtual Network. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md index 8d1265830d..dbffcad961 100644 --- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md +++ b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/README.md 
@@ -39,49 +39,56 @@ This module deploys a Data Factory Managed Virtual Network Managed Private Endpo | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `dataFactoryName` - -The name of the parent data factory. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `fqdns` Fully qualified domain names. + - Required: Yes - Type: array ### Parameter: `groupId` The groupId to which the managed private endpoint is created. + - Required: Yes - Type: string ### Parameter: `managedVirtualNetworkName` The name of the parent managed virtual network. + - Required: Yes - Type: string ### Parameter: `name` The managed private endpoint resource name. + - Required: Yes - Type: string ### Parameter: `privateLinkResourceId` The ARM resource ID of the resource to which the managed private endpoint is created. + +- Required: Yes +- Type: string + +### Parameter: `dataFactoryName` + +The name of the parent data factory. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 6ade55fb30..3744f13387 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md 
@@ -558,9 +558,17 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | | [`type`](#parameter-type) | string | The vault redundancy level to use. | +### Parameter: `name` + +Name of the Backup Vault. + +- Required: Yes +- Type: string + ### Parameter: `azureMonitorAlertSettingsAlertsForAllJobFailures` Settings for Azure Monitor based alerts for job failures. + - Required: No - Type: string - Default: `'Enabled'` @@ -575,6 +583,7 @@ Settings for Azure Monitor based alerts for job failures. ### Parameter: `backupPolicies` List of all backup policies. + - Required: No - Type: array - Default: `[]` @@ -582,6 +591,7 @@ List of all backup policies. ### Parameter: `dataStoreType` The datastore type to use. ArchiveStore does not support ZoneRedundancy. + - Required: No - Type: string - Default: `'VaultStore'` @@ -597,6 +607,7 @@ The datastore type to use. ArchiveStore does not support ZoneRedundancy. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -604,6 +615,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `featureSettings` Feature settings for the backup vault. + - Required: No - Type: object - Default: `{}` @@ -611,6 +623,7 @@ Feature settings for the backup vault. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -618,26 +631,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -645,98 +667,116 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `name` - -Name of the Backup Vault. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. 
The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. 
+The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securitySettings` Security settings for the backup vault. + - Required: No - Type: object - Default: `{}` @@ -744,12 +784,14 @@ Security settings for the backup vault. ### Parameter: `tags` Tags of the Recovery Service Vault resource. + - Required: No - Type: object ### Parameter: `type` The vault redundancy level to use. + - Required: No - Type: string - Default: `'GeoRedundant'` diff --git a/modules/data-protection/backup-vault/backup-policy/README.md b/modules/data-protection/backup-vault/backup-policy/README.md index 07cfc9da89..990af9e3de 100644 --- a/modules/data-protection/backup-vault/backup-policy/README.md +++ b/modules/data-protection/backup-vault/backup-policy/README.md 
@@ -35,12 +35,14 @@ This module deploys a Data Protection Backup Vault Backup Policy. ### Parameter: `backupVaultName` The name of the backup vault. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -48,6 +50,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the backup policy. + - Required: No - Type: string - Default: `'DefaultPolicy'` @@ -55,6 +58,7 @@ The name of the backup policy. ### Parameter: `properties` The properties of the backup policy. + - Required: No - Type: object - Default: `{}` diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 02ebe4193a..ba68a44a37 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -310,9 +310,17 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Azure Databricks access connector to create. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -320,6 +328,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -327,26 +336,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -354,106 +372,124 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the Azure Databricks access connector to create. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index a41556f10d..a6502ad9f6 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md 
@@ -619,9 +619,17 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vnetAddressPrefix`](#parameter-vnetaddressprefix) | string | Address prefix for Managed virtual network. | +### Parameter: `name` + +The name of the Azure Databricks workspace to create. + +- Required: Yes +- Type: string + ### Parameter: `amlWorkspaceResourceId` The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. + - Required: No - Type: string - Default: `''` 
@@ -629,41 +637,48 @@ The resource ID of a Azure Machine Learning workspace to link with Databricks wo ### Parameter: `customerManagedKey` The customer managed key definition to use for the managed service. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
| ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -671,49 +686,56 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `customerManagedKeyManagedDisk` The customer managed key definition to use for the managed disk. + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeymanageddiskkeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeymanageddiskkeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeymanageddiskkeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeymanageddiskkeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeymanageddiskkeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`rotationToLatestKeyVersionEnabled`](#parameter-customermanagedkeymanageddiskrotationtolatestkeyversionenabled) | No | bool | Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeymanageddiskuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeymanageddiskkeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`rotationToLatestKeyVersionEnabled`](#parameter-customermanagedkeymanageddiskrotationtolatestkeyversionenabled) | bool | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeymanageddiskuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKeyManagedDisk.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKeyManagedDisk.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKeyManagedDisk.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKeyManagedDisk.rotationToLatestKeyVersionEnabled` -Optional. Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. +Indicate whether the latest key version should be automatically used for Managed Disk Encryption. Enabled by default. - Required: No - Type: bool ### Parameter: `customerManagedKeyManagedDisk.userAssignedIdentityResourceId` -Optional. 
User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string @@ -721,6 +743,7 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `customPrivateSubnetName` The name of the Private Subnet within the Virtual Network. + - Required: No - Type: string - Default: `''` @@ -728,6 +751,7 @@ The name of the Private Subnet within the Virtual Network. ### Parameter: `customPublicSubnetName` The name of a Public Subnet within the Virtual Network. + - Required: No - Type: string - Default: `''` @@ -735,6 +759,7 @@ The name of a Public Subnet within the Virtual Network. ### Parameter: `customVirtualNetworkResourceId` The resource ID of a Virtual Network where this Databricks Cluster should be created. + - Required: No - Type: string - Default: `''` 
@@ -742,94 +767,82 @@ The resource ID of a Virtual Network where this Databricks Cluster should be cre ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -837,6 +850,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disablePublicIp` Disable Public IP. + - Required: No - Type: bool - Default: `False` @@ -844,6 +858,7 @@ Disable Public IP. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -851,6 +866,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `loadBalancerBackendPoolName` Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). + - Required: No - Type: string - Default: `''` @@ -858,6 +874,7 @@ Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity ### Parameter: `loadBalancerResourceId` Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. + - Required: No - Type: string - Default: `''` 
@@ -865,6 +882,7 @@ Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Publi ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -872,26 +890,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -899,19 +926,15 @@ Optional. Specify the name of lock. ### Parameter: `managedResourceGroupResourceId` The managed resource group ID. It is created by the module as per the to-be resource ID you provide. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the Azure Databricks workspace to create. -- Required: Yes -- Type: string - ### Parameter: `natGatewayName` Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. + - Required: No - Type: string - Default: `''` 
@@ -919,6 +942,7 @@ Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace ### Parameter: `prepareEncryption` Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. + - Required: No - Type: bool - Default: `False` 
@@ -926,197 +950,247 @@ Prepare the workspace for encryption. Enables the Managed Identity for managed s ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -Optional. Application security groups in which the private endpoint IP configuration is included. +**Optional parameters** -- Required: No -- Type: array +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -### Parameter: `privateEndpoints.customDnsConfigs` +### Parameter: `privateEndpoints.subnetResourceId` -Optional. Custom DNS configurations. +Resource ID of the subnet where the endpoint needs to be created. -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. 
| -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. 
| - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1124,6 +1198,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicIpName` Name of the Public IP for No Public IP workspace with managed vNet. + - Required: No - Type: string - Default: `''` @@ -1131,6 +1206,7 @@ Name of the Public IP for No Public IP workspace with managed vNet. ### Parameter: `publicNetworkAccess` The network access type for accessing workspace. Set value to disabled to access workspace only via private link. + - Required: No - Type: string - Default: `'Enabled'` @@ -1145,6 +1221,7 @@ Name of the Public IP for No Public IP workspace with managed vNet. ### Parameter: `requiredNsgRules` Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. + - Required: No - Type: string - Default: `'AllRules'` @@ -1159,6 +1236,7 @@ Gets or sets a value indicating whether data plane (clusters) to control plane c ### Parameter: `requireInfrastructureEncryption` A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. + - Required: No - Type: bool - Default: `False` 
@@ -1166,74 +1244,96 @@ A boolean indicating whether or not the DBFS root file system will be enabled wi ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` The pricing tier of workspace. + - Required: No - Type: string - Default: `'premium'` @@ -1249,6 +1349,7 @@ The pricing tier of workspace. ### Parameter: `storageAccountName` Default DBFS storage account name. + - Required: No - Type: string - Default: `''` @@ -1256,6 +1357,7 @@ Default DBFS storage account name. ### Parameter: `storageAccountSkuName` Storage account SKU name. + - Required: No - Type: string - Default: `'Standard_GRS'` @@ -1263,12 +1365,14 @@ Storage account SKU name. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `vnetAddressPrefix` Address prefix for Managed virtual network. + - Required: No - Type: string - Default: `'10.139'` diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index 4d655aab35..bdbfbf4aa1 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md 
@@ -639,9 +639,98 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`version`](#parameter-version) | string | MySQL Server version. | +### Parameter: `name` + +The name of the MySQL flexible server. + +- Required: Yes +- Type: string + +### Parameter: `skuName` + +The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. + +- Required: Yes +- Type: string + +### Parameter: `tier` + +The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Burstable' + 'GeneralPurpose' + 'MemoryOptimized' + ] + ``` + +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. + +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourceIds` + +The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + +### Parameter: `privateDnsZoneResourceId` + +Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `restorePointInTime` + +Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceServerResourceId` + +The source MySQL server ID. 
Required if "createMode" is set to "PointInTimeRestore". + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageAutoGrow` + +Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". + +- Required: No +- Type: string +- Default: `'Disabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` + ### Parameter: `administratorLogin` The administrator login name of a server. Can only be specified when the MySQL server is being created. + - Required: No - Type: string - Default: `''` @@ -649,6 +738,7 @@ The administrator login name of a server. Can only be specified when the MySQL s ### Parameter: `administratorLoginPassword` The administrator login password. + - Required: No - Type: securestring - Default: `''` @@ -656,6 +746,7 @@ The administrator login password. ### Parameter: `administrators` The Azure AD administrators when AAD authentication enabled. + - Required: No - Type: array - Default: `[]` @@ -663,6 +754,7 @@ The Azure AD administrators when AAD authentication enabled. ### Parameter: `availabilityZone` Availability zone information of the server. Default will have no preference set. + - Required: No - Type: string - Default: `''` @@ -679,6 +771,7 @@ Availability zone information of the server. Default will have no preference set ### Parameter: `backupRetentionDays` Backup retention days for the server. + - Required: No - Type: int - Default: `7` @@ -686,6 +779,7 @@ Backup retention days for the server. ### Parameter: `createMode` The mode to create a new MySQL server. + - Required: No - Type: string - Default: `'Default'` 
@@ -702,90 +796,105 @@ The mode to create a new MySQL server. ### Parameter: `customerManagedKey` The customer managed key definition to use for the managed service. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. 
- Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string -### Parameter: `customerManagedKey.keyVersion` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +User assigned identity to use when fetching the customer managed key. -- Required: No +- Required: Yes - Type: string -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` -Required. User assigned identity to use when fetching the customer managed key. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -- Required: Yes +- Required: No - Type: string ### Parameter: `customerManagedKeyGeo` The customer managed key definition to use when geoRedundantBackup is "Enabled". + - Required: No - Type: object +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeygeokeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeygeokeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeygeouserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeygeokeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. 
| -| [`keyVaultResourceId`](#parameter-customermanagedkeygeokeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeygeokeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeygeouserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeygeokeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | ### Parameter: `customerManagedKeyGeo.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKeyGeo.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string -### Parameter: `customerManagedKeyGeo.keyVersion` +### Parameter: `customerManagedKeyGeo.userAssignedIdentityResourceId` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +User assigned identity to use when fetching the customer managed key. -- Required: No +- Required: Yes - Type: string -### Parameter: `customerManagedKeyGeo.userAssignedIdentityResourceId` +### Parameter: `customerManagedKeyGeo.keyVersion` -Required. User assigned identity to use when fetching the customer managed key. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. 
-- Required: Yes +- Required: No - Type: string ### Parameter: `databases` The databases to create in the server. + - Required: No - Type: array - Default: `[]` @@ -793,6 +902,7 @@ The databases to create in the server. ### Parameter: `delegatedSubnetResourceId` Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29. + - Required: No - Type: string - Default: `''` 
@@ -800,114 +910,90 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -915,6 +1001,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -922,6 +1009,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `firewallRules` The firewall rules to create in the MySQL flexible server. + - Required: No - Type: array - Default: `[]` @@ -929,6 +1017,7 @@ The firewall rules to create in the MySQL flexible server. ### Parameter: `geoRedundantBackup` A value indicating whether Geo-Redundant backup is enabled on the server. If "Enabled" and "cMKKeyName" is not empty, then "geoBackupCMKKeyVaultResourceId" and "cMKUserAssignedIdentityResourceId" are also required. + - Required: No - Type: string - Default: `'Disabled'` @@ -943,6 +1032,7 @@ A value indicating whether Geo-Redundant backup is enabled on the server. If "En ### Parameter: `highAvailability` The mode for High Availability (HA). It is not supported for the Burstable pricing tier and Zone redundant HA can only be set during server provisioning. + - Required: No - Type: string - Default: `'Disabled'` @@ -958,6 +1048,7 @@ The mode for High Availability (HA). It is not supported for the Burstable prici ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -965,26 +1056,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -992,44 +1092,15 @@ Optional. Specify the name of lock. ### Parameter: `maintenanceWindow` Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". -- Required: No -- Type: object -- Default: `{}` - -### Parameter: `managedIdentities` -The managed identity definition for this resource. Required if 'customerManagedKey' is not empty. - Required: No - Type: object - - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | - -### Parameter: `managedIdentities.userAssignedResourceIds` - -Optional. The resource ID(s) to assign to the resource. - -- Required: Yes -- Type: array - -### Parameter: `name` - -The name of the MySQL flexible server. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneResourceId` - -Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server. -- Required: No -- Type: string -- Default: `''` +- Default: `{}` ### Parameter: `replicationRole` The replication role. + - Required: No - Type: string - Default: `'None'` 
@@ -1042,111 +1113,99 @@ The replication role. ] ``` -### Parameter: `restorePointInTime` - -Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore". -- Required: No -- Type: string -- Default: `''` - ### Parameter: `roleAssignments` Array of role assignment objects that contain the "roleDefinitionIdOrName" and "principalId" to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11". + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` - -Required. The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.conditionVersion` -Optional. The principal type of the assigned principal ID. +Version of the condition. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `skuName` - -The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. -- Required: Yes -- Type: string +### Parameter: `roleAssignments.description` -### Parameter: `sourceServerResourceId` +The description of the role assignment. -The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore". - Required: No - Type: string -- Default: `''` -### Parameter: `storageAutoGrow` +### Parameter: `roleAssignments.principalType` + +The principal type of the assigned principal ID. -Enable Storage Auto Grow or not. Storage auto-growth prevents a server from running out of storage and becoming read-only. Required if "highAvailability" is not "Disabled". - Required: No - Type: string -- Default: `'Disabled'` - Allowed: ```Bicep [ - 'Disabled' - 'Enabled' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' ] ``` ### Parameter: `storageAutoIoScaling` Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. + - Required: No - Type: string - Default: `'Disabled'` @@ -1161,6 +1220,7 @@ Enable IO Auto Scaling or not. The server scales IOPs up or down automatically d ### Parameter: `storageIOPS` Storage IOPS for a server. Max IOPS are determined by compute size. + - Required: No - Type: int - Default: `1000` @@ -1168,6 +1228,7 @@ Storage IOPS for a server. Max IOPS are determined by compute size. ### Parameter: `storageSizeGB` Max storage allowed for a server. In all compute tiers, the minimum storage supported is 20 GiB and maximum is 16 TiB. + - Required: No - Type: int - Default: `64` 
@@ -1191,26 +1252,14 @@ Max storage allowed for a server. In all compute tiers, the minimum storage supp ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `tier` - -The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Burstable' - 'GeneralPurpose' - 'MemoryOptimized' - ] - ``` - ### Parameter: `version` MySQL Server version. + - Required: No - Type: string - Default: `'5.7'` diff --git a/modules/db-for-my-sql/flexible-server/administrator/README.md b/modules/db-for-my-sql/flexible-server/administrator/README.md index 247e680d29..827b434ef7 100644 --- a/modules/db-for-my-sql/flexible-server/administrator/README.md +++ b/modules/db-for-my-sql/flexible-server/administrator/README.md 
@@ -39,47 +39,54 @@ This module deploys a DBforMySQL Flexible Server Administrator. | [`location`](#parameter-location) | string | Location for all resources. | | [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `identityResourceId` -### Parameter: `flexibleServerName` +The resource ID of the identity used for AAD Authentication. -The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `identityResourceId` +### Parameter: `login` + +Login name of the server administrator. -The resource ID of the identity used for AAD Authentication. - Required: Yes - Type: string -### Parameter: `location` +### Parameter: `sid` -Location for all resources. -- Required: No +SID (object ID) of the server administrator. + +- Required: Yes - Type: string -- Default: `[resourceGroup().location]` -### Parameter: `login` +### Parameter: `flexibleServerName` + +The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. -Login name of the server administrator. - Required: Yes - Type: string -### Parameter: `sid` +### Parameter: `enableDefaultTelemetry` -SID (object ID) of the server administrator. -- Required: Yes +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. + +- Required: No - Type: string +- Default: `[resourceGroup().location]` ### Parameter: `tenantId` The tenantId of the Active Directory administrator. + - Required: No - Type: string - Default: `[tenant().tenantId]` 
diff --git a/modules/db-for-my-sql/flexible-server/database/README.md b/modules/db-for-my-sql/flexible-server/database/README.md index f2cced0ae4..4bcb034a0b 100644 --- a/modules/db-for-my-sql/flexible-server/database/README.md +++ b/modules/db-for-my-sql/flexible-server/database/README.md @@ -38,9 +38,24 @@ This module deploys a DBforMySQL Flexible Server Database. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | +### Parameter: `name` + +The name of the database. + +- Required: Yes +- Type: string + +### Parameter: `flexibleServerName` + +The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `charset` The charset of the database. + - Required: No - Type: string - Default: `'utf8_general_ci'` @@ -48,6 +63,7 @@ The charset of the database. ### Parameter: `collation` The collation of the database. + - Required: No - Type: string - Default: `'utf8'` @@ -55,29 +71,19 @@ The collation of the database. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `flexibleServerName` - -The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the database. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md b/modules/db-for-my-sql/flexible-server/firewall-rule/README.md index ee7be0779a..593969aa25 100644 --- a/modules/db-for-my-sql/flexible-server/firewall-rule/README.md 
+++ b/modules/db-for-my-sql/flexible-server/firewall-rule/README.md @@ -37,37 +37,42 @@ This module deploys a DBforMySQL Flexible Server Firewall Rule. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `endIpAddress` The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. -- Required: Yes -- Type: string - -### Parameter: `flexibleServerName` -The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. - Required: Yes - Type: string ### Parameter: `name` The name of the MySQL flexible server Firewall Rule. + - Required: Yes - Type: string ### Parameter: `startIpAddress` The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. + - Required: Yes - Type: string +### Parameter: `flexibleServerName` + +The name of the parent MySQL flexible server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index 30ebf9dba0..eb3ff48630 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md 
@@ -549,9 +549,75 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | [`tenantId`](#parameter-tenantid) | string | Tenant id of the server. | | [`version`](#parameter-version) | string | PostgreSQL Server version. | +### Parameter: `name` + +The name of the PostgreSQL flexible server. + +- Required: Yes +- Type: string + +### Parameter: `skuName` + +The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3. + +- Required: Yes +- Type: string + +### Parameter: `tier` + +The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3". + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Burstable' + 'GeneralPurpose' + 'MemoryOptimized' + ] + ``` + +### Parameter: `managedIdentities` + +The managed identity definition for this resource. Required if 'cMKKeyName' is not empty. + +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourceIds` + +The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + +### Parameter: `pointInTimeUTC` + +Required if "createMode" is set to "PointInTimeRestore". + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceServerResourceId` + +Required if "createMode" is set to "PointInTimeRestore". + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `activeDirectoryAuth` If Enabled, Azure Active Directory authentication is enabled. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -566,6 +632,7 @@ If Enabled, Azure Active Directory authentication is enabled. ### Parameter: `administratorLogin` The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. + - Required: No - Type: string - Default: `''` @@ -573,6 +640,7 @@ The administrator login name of a server. Can only be specified when the Postgre ### Parameter: `administratorLoginPassword` The administrator login password. + - Required: No - Type: securestring - Default: `''` @@ -580,6 +648,7 @@ The administrator login password. ### Parameter: `administrators` The Azure AD administrators when AAD authentication enabled. + - Required: No - Type: array - Default: `[]` @@ -587,6 +656,7 @@ The Azure AD administrators when AAD authentication enabled. ### Parameter: `availabilityZone` Availability zone information of the server. Default will have no preference set. + - Required: No - Type: string - Default: `''` @@ -603,6 +673,7 @@ Availability zone information of the server. Default will have no preference set ### Parameter: `backupRetentionDays` Backup retention days for the server. + - Required: No - Type: int - Default: `7` @@ -610,6 +681,7 @@ Backup retention days for the server. ### Parameter: `configurations` The configurations to create in the server. + - Required: No - Type: array - Default: `[]` @@ -617,6 +689,7 @@ The configurations to create in the server. ### Parameter: `createMode` The mode to create a new PostgreSQL server. + - Required: No - Type: string - Default: `'Default'` 
@@ -633,48 +706,56 @@ The mode to create a new PostgreSQL server. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | Yes | string | Required. User assigned identity to use when fetching the customer managed key. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. 
- Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string -### Parameter: `customerManagedKey.keyVersion` +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +User assigned identity to use when fetching the customer managed key. -- Required: No +- Required: Yes - Type: string -### Parameter: `customerManagedKey.userAssignedIdentityResourceId` +### Parameter: `customerManagedKey.keyVersion` -Required. User assigned identity to use when fetching the customer managed key. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. -- Required: Yes +- Required: No - Type: string ### Parameter: `databases` The databases to create in the server. + - Required: No - Type: array - Default: `[]` @@ -682,6 +763,7 @@ The databases to create in the server. ### Parameter: `delegatedSubnetResourceId` Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. + - Required: No - Type: string - Default: `''` 
@@ -689,114 +771,90 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -804,6 +862,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -811,6 +870,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `firewallRules` The firewall rules to create in the PostgreSQL flexible server. + - Required: No - Type: array - Default: `[]` @@ -818,6 +878,7 @@ The firewall rules to create in the PostgreSQL flexible server. ### Parameter: `geoRedundantBackup` A value indicating whether Geo-Redundant backup is enabled on the server. Should be left disabled if 'cMKKeyName' is not empty. + - Required: No - Type: string - Default: `'Disabled'` @@ -832,6 +893,7 @@ A value indicating whether Geo-Redundant backup is enabled on the server. Should ### Parameter: `highAvailability` The mode for high availability. + - Required: No - Type: string - Default: `'Disabled'` @@ -847,6 +909,7 @@ The mode for high availability. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -854,26 +917,35 @@ Location for all resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
@@ -881,37 +953,15 @@ Optional. Specify the name of lock.
 ### Parameter: `maintenanceWindow`
 Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled".
-- Required: No
-- Type: object
-- Default: `{}`
-
-### Parameter: `managedIdentities`
-The managed identity definition for this resource. Required if 'cMKKeyName' is not empty.
 - Required: No
 - Type: object
-
-
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.userAssignedResourceIds`
-
-Optional. The resource ID(s) to assign to the resource.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `name`
-
-The name of the PostgreSQL flexible server.
-- Required: Yes
-- Type: string
+- Default: `{}`
 ### Parameter: `passwordAuth`
 If Enabled, password authentication is enabled.
+
 - Required: No
 - Type: string
 - Default: `'Disabled'`
@@ -923,16 +973,10 @@ If Enabled, password authentication is enabled.
 ]
 ```
-### Parameter: `pointInTimeUTC`
-
-Required if "createMode" is set to "PointInTimeRestore".
-- Required: No
-- Type: string
-- Default: `''`
-
 ### Parameter: `privateDnsZoneArmResourceId`
 Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId".
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -940,87 +984,96 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
 - Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.condition`
-Optional. The description of the role assignment.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.conditionVersion`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+Version of the condition.
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Optional. The principal type of the assigned principal ID.
+The Resource Id of the delegated managed identity resource.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.description`
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The description of the role assignment.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `skuName`
-
-The name of the sku, typically, tier + family + cores, e.g. Standard_D4s_v3.
-- Required: Yes
-- Type: string
+### Parameter: `roleAssignments.principalType`
-### Parameter: `sourceServerResourceId`
+The principal type of the assigned principal ID.
-Required if "createMode" is set to "PointInTimeRestore".
 - Required: No
 - Type: string
-- Default: `''`
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `storageSizeGB`
 Max storage allowed for a server.
+
 - Required: No
 - Type: int
 - Default: `32`
@@ -1043,33 +1096,22 @@ Max storage allowed for a server.
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
 ### Parameter: `tenantId`
 Tenant id of the server.
+
 - Required: No
 - Type: string
 - Default: `''`
-### Parameter: `tier`
-
-The tier of the particular SKU. Tier must align with the "skuName" property. Example, tier cannot be "Burstable" if skuName is "Standard_D4s_v3".
-- Required: Yes
-- Type: string
-- Allowed:
- ```Bicep
- [
- 'Burstable'
- 'GeneralPurpose'
- 'MemoryOptimized'
- ]
- ```
-
 ### Parameter: `version`
 PostgreSQL Server version.
+
 - Required: No
 - Type: string
 - Default: `'15'`
diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/README.md b/modules/db-for-postgre-sql/flexible-server/administrator/README.md
index 3c95a48a9c..c0f2f4352f 100644
--- a/modules/db-for-postgre-sql/flexible-server/administrator/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/administrator/README.md
@@ -39,41 +39,24 @@ This module deploys a DBforPostgreSQL Flexible Server Administrator.
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`tenantId`](#parameter-tenantid) | string | The tenantId of the Active Directory administrator. |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
-### Parameter: `location`
-
-Location for all resources.
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
 ### Parameter: `objectId`
 The objectId of the Active Directory administrator.
+
 - Required: Yes
 - Type: string
 ### Parameter: `principalName`
 Active Directory administrator principal name.
+
 - Required: Yes
 - Type: string
 ### Parameter: `principalType`
 The principal type used to represent the type of Active Directory Administrator.
+
 - Required: Yes
 - Type: string
 - Allowed:
@@ -86,9 +69,33 @@ The principal type used to represent the type of Active Directory Administrator.
 ]
 ```
+### Parameter: `flexibleServerName`
+
+The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
 ### Parameter: `tenantId`
 The tenantId of the Active Directory administrator.
+
 - Required: No
 - Type: string
 - Default: `[tenant().tenantId]`
diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/README.md b/modules/db-for-postgre-sql/flexible-server/configuration/README.md
index d156b0635a..fc940f2120 100644
--- a/modules/db-for-postgre-sql/flexible-server/configuration/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/configuration/README.md
@@ -38,35 +38,40 @@ This module deploys a DBforPostgreSQL Flexible Server Configuration.
 | [`source`](#parameter-source) | string | Source of the configuration. |
 | [`value`](#parameter-value) | string | Value of the configuration. |
-### Parameter: `enableDefaultTelemetry`
+### Parameter: `name`
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
+The name of the configuration.
+
+- Required: Yes
+- Type: string
 ### Parameter: `flexibleServerName`
 The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
-### Parameter: `name`
-
-The name of the configuration.
-- Required: Yes
-- Type: string
-
 ### Parameter: `source`
 Source of the configuration.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -74,6 +79,7 @@ Source of the configuration.
 ### Parameter: `value`
 Value of the configuration.
+
 - Required: No
 - Type: string
 - Default: `''`
diff --git a/modules/db-for-postgre-sql/flexible-server/database/README.md b/modules/db-for-postgre-sql/flexible-server/database/README.md
index 57ba0b45a5..7e2b9c3c0d 100644
--- a/modules/db-for-postgre-sql/flexible-server/database/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/database/README.md
@@ -38,9 +38,24 @@ This module deploys a DBforPostgreSQL Flexible Server Database.
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all resources. |
+### Parameter: `name`
+
+The name of the database.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `flexibleServerName`
+
+The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `charset`
 The charset of the database.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -48,6 +63,7 @@ The charset of the database.
 ### Parameter: `collation`
 The collation of the database.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -55,29 +71,19 @@ The collation of the database.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
-### Parameter: `flexibleServerName`
-
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
-### Parameter: `name`
-
-The name of the database.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md b/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md
index de0f21fadf..db3b0df266 100644
--- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md
+++ b/modules/db-for-postgre-sql/flexible-server/firewall-rule/README.md
@@ -37,37 +37,42 @@ This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `endIpAddress`
 The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses.
-- Required: Yes
-- Type: string
-
-### Parameter: `flexibleServerName`
-The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
 - Required: Yes
 - Type: string
 ### Parameter: `name`
 The name of the PostgreSQL flexible server Firewall Rule.
+
 - Required: Yes
 - Type: string
 ### Parameter: `startIpAddress`
 The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses.
+
 - Required: Yes
 - Type: string
+### Parameter: `flexibleServerName`
+
+The name of the parent PostgreSQL flexible server. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
 ## Outputs
diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md
index 0c3b211b08..2a1f26658b 100644
--- a/modules/desktop-virtualization/application-group/README.md
+++ b/modules/desktop-virtualization/application-group/README.md
@@ -448,6 +448,7 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro
 ### Parameter: `applicationGroupType`
 The type of the Application Group to be created. Allowed values: RemoteApp or Desktop.
+
 - Required: Yes
 - Type: string
 - Allowed:
@@ -458,9 +459,24 @@ The type of the Application Group to be created. Allowed values: RemoteApp or De
 ]
 ```
+### Parameter: `hostpoolName`
+
+Name of the Host Pool to be linked to this Application Group.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+Name of the Application Group to create this application in.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `applications`
 List of applications to be created in the Application Group.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -468,6 +484,7 @@ List of applications to be created in the Application Group.
 ### Parameter: `description`
 The description of the Application Group to be created.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -475,94 +492,82 @@ The description of the Application Group to be created. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -570,6 +575,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -577,19 +583,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `friendlyName` The friendly name of the Application Group to be created. + - Required: No - Type: string - Default: `''` -### Parameter: `hostpoolName` - -Name of the Host Pool to be linked to this Application Group. -- Required: Yes -- Type: string - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -597,107 +599,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Application Group to create this application in. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/desktop-virtualization/application-group/application/README.md b/modules/desktop-virtualization/application-group/application/README.md index 61b2562dac..816f676251 100644 --- a/modules/desktop-virtualization/application-group/application/README.md +++ b/modules/desktop-virtualization/application-group/application/README.md 
@@ -43,15 +43,38 @@ This module deploys an Azure Virtual Desktop (AVD) Application Group Application | [`iconPath`](#parameter-iconpath) | string | Path to icon. | | [`showInPortal`](#parameter-showinportal) | bool | Specifies whether to show the RemoteApp program in the RD Web Access server. | +### Parameter: `filePath` + +Specifies a path for the executable file for the application. + +- Required: Yes +- Type: string + +### Parameter: `friendlyName` + +Friendly name of Application.. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the Application to be created in the Application Group. + +- Required: Yes +- Type: string + ### Parameter: `appGroupName` The name of the parent Application Group to create the application(s) in. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `commandLineArguments` Command-Line Arguments for Application. + - Required: No - Type: string - Default: `''` @@ -59,6 +82,7 @@ Command-Line Arguments for Application. ### Parameter: `commandLineSetting` Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all. + - Required: No - Type: string - Default: `'DoNotAllow'` @@ -74,6 +98,7 @@ Specifies whether this published application can be launched with command-line a ### Parameter: `description` Description of Application.. + - Required: No - Type: string - Default: `''` 
@@ -81,25 +106,15 @@ Description of Application.. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `filePath` - -Specifies a path for the executable file for the application. -- Required: Yes -- Type: string - -### Parameter: `friendlyName` - -Friendly name of Application.. -- Required: Yes -- Type: string - ### Parameter: `iconIndex` Index of the icon. + - Required: No - Type: int - Default: `0` @@ -107,19 +122,15 @@ Index of the icon. ### Parameter: `iconPath` Path to icon. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -Name of the Application to be created in the Application Group. -- Required: Yes -- Type: string - ### Parameter: `showInPortal` Specifies whether to show the RemoteApp program in the RD Web Access server. + - Required: No - Type: bool - Default: `False` diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 5e3c70c4fb..38c5d530d4 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -545,9 +545,17 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | +### Parameter: `name` + +Name of the Host Pool. + +- Required: Yes +- Type: string + ### Parameter: `agentUpdate` The session host configuration for updating agent, monitoring agent, and stack component. + - Required: No - Type: object - Default: @@ -563,6 +571,7 @@ The session host configuration for updating agent, monitoring agent, and stack c ### Parameter: `agentUpdateMaintenanceWindowDayOfWeek` Update day for scheduled agent updates. + - Required: No - Type: string - Default: `'Sunday'` 
@@ -582,6 +591,7 @@ Update day for scheduled agent updates. ### Parameter: `agentUpdateMaintenanceWindowHour` Update hour for scheduled agent updates. + - Required: No - Type: int - Default: `22` @@ -589,6 +599,7 @@ Update hour for scheduled agent updates. ### Parameter: `agentUpdateMaintenanceWindows` List of maintenance windows for scheduled agent updates. + - Required: No - Type: array - Default: @@ -604,6 +615,7 @@ List of maintenance windows for scheduled agent updates. ### Parameter: `agentUpdateMaintenanceWindowTimeZone` Time zone for scheduled agent updates. + - Required: No - Type: string - Default: `'Central Standard Time'` @@ -611,6 +623,7 @@ Time zone for scheduled agent updates. ### Parameter: `agentUpdateType` Enable scheduled agent updates, Default means agent updates will automatically be installed by AVD when they become available. + - Required: No - Type: string - Default: `'Default'` @@ -625,20 +638,15 @@ Enable scheduled agent updates, Default means agent updates will automatically b ### Parameter: `agentUpdateUseSessionHostLocalTime` Whether to use localTime of the virtual machine for scheduled agent updates. + - Required: No - Type: bool - Default: `False` -### Parameter: `baseTime` - -Do not provide a value! This date value is used to generate a registration token. -- Required: No -- Type: string -- Default: `[utcNow('u')]` - ### Parameter: `customRdpProperty` Host Pool RDP properties. + - Required: No - Type: string - Default: `'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'` @@ -646,6 +654,7 @@ Host Pool RDP properties. ### Parameter: `description` The description of the Host Pool to be created. + - Required: No - Type: string - Default: `''` 
@@ -653,94 +662,82 @@ The description of the Host Pool to be created. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -748,6 +745,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -755,6 +753,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `friendlyName` The friendly name of the Host Pool to be created. + - Required: No - Type: string - Default: `''` @@ -762,6 +761,7 @@ The friendly name of the Host Pool to be created. ### Parameter: `loadBalancerType` Type of load balancer algorithm. + - Required: No - Type: string - Default: `'BreadthFirst'` @@ -777,6 +777,7 @@ Type of load balancer algorithm. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -784,26 +785,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -811,19 +821,15 @@ Optional. Specify the name of lock. ### Parameter: `maxSessionLimit` Maximum number of sessions. + - Required: No - Type: int - Default: `99999` -### Parameter: `name` - -Name of the Host Pool. -- Required: Yes -- Type: string - ### Parameter: `personalDesktopAssignmentType` Set the type of assignment for a Personal Host Pool type. + - Required: No - Type: string - Default: `''` @@ -839,6 +845,7 @@ Set the type of assignment for a Personal Host Pool type. ### Parameter: `preferredAppGroupType` The type of preferred application group type, default to Desktop Application Group. + - Required: No - Type: string - Default: `'Desktop'` @@ -854,6 +861,7 @@ The type of preferred application group type, default to Desktop Application Gro ### Parameter: `ring` The ring number of HostPool. + - Required: No - Type: int - Default: `-1` 
@@ -861,74 +869,96 @@ The ring number of HostPool. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.condition` +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ssoadfsAuthority` URL to customer ADFS server for signing WVD SSO certificates. + - Required: No - Type: string - Default: `''` 
@@ -936,6 +966,7 @@ URL to customer ADFS server for signing WVD SSO certificates. ### Parameter: `ssoClientId` ClientId for the registered Relying Party used to issue WVD SSO certificates. + - Required: No - Type: string - Default: `''` @@ -943,6 +974,7 @@ ClientId for the registered Relying Party used to issue WVD SSO certificates. ### Parameter: `ssoClientSecretKeyVaultPath` Path to Azure KeyVault storing the secret used for communication to ADFS. + - Required: No - Type: string - Default: `''` @@ -950,6 +982,7 @@ Path to Azure KeyVault storing the secret used for communication to ADFS. ### Parameter: `ssoSecretType` The type of single sign on Secret Type. + - Required: No - Type: string - Default: `''` @@ -967,6 +1000,7 @@ The type of single sign on Secret Type. ### Parameter: `startVMOnConnect` Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. + - Required: No - Type: bool - Default: `False` @@ -974,12 +1008,14 @@ Enable Start VM on connect to allow users to start the virtual machine from a de ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `tokenValidityLength` Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. + - Required: No - Type: string - Default: `'PT8H'` @@ -987,6 +1023,7 @@ Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - vali ### Parameter: `type` Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. + - Required: No - Type: string - Default: `'Pooled'` 
@@ -1001,6 +1038,7 @@ Set this parameter to Personal if you would like to enable Persistent Desktop ex ### Parameter: `validationEnvironment` Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. + - Required: No - Type: bool - Default: `False` @@ -1008,10 +1046,19 @@ Validation host pools allows you to test service changes before they are deploye ### Parameter: `vmTemplate` The necessary information for adding more VMs to this Host Pool. The object is converted to an in-line string when handed over to the resource deployment, since that only takes strings. + - Required: No - Type: object - Default: `{}` +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a registration token. + +- Required: No +- Type: string +- Default: `[utcNow('u')]` + ## Outputs diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 6511a66cc7..a9ffd616df 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -488,9 +488,17 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`timeZone`](#parameter-timezone) | string | Timezone to be used for the scaling plan. | +### Parameter: `name` + +Name of the scaling plan. + +- Required: Yes +- Type: string + ### Parameter: `description` Description of the scaling plan. + - Required: No - Type: string - Default: `[parameters('name')]` 
@@ -498,94 +506,82 @@ Description of the scaling plan. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -593,6 +589,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -600,6 +597,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exclusionTag` Provide a tag to be used for hosts that should not be affected by the scaling plan. + - Required: No - Type: string - Default: `''` @@ -607,6 +605,7 @@ Provide a tag to be used for hosts that should not be affected by the scaling pl ### Parameter: `friendlyName` Friendly Name of the scaling plan. + - Required: No - Type: string - Default: `[parameters('name')]` @@ -614,6 +613,7 @@ Friendly Name of the scaling plan. ### Parameter: `hostPoolReferences` An array of references to hostpools. + - Required: No - Type: array - Default: `[]` 
@@ -621,6 +621,7 @@ An array of references to hostpools. ### Parameter: `hostPoolType` The type of hostpool where this scaling plan should be applied. + - Required: No - Type: string - Default: `'Pooled'` 
@@ -634,87 +635,104 @@ The type of hostpool where this scaling plan should be applied. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Name of the scaling plan. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `schedules` The schedules related to this scaling plan. If no value is provided a default schedule will be provided. + - Required: No - Type: array - Default: @@ -764,12 +782,14 @@ The schedules related to this scaling plan. If no value is provided a default sc ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `timeZone` Timezone to be used for the scaling plan. + - Required: No - Type: string - Default: `'W. Europe Standard Time'` diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index f363e71c1c..6e0fe0f8c8 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -358,9 +358,17 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the workspace to be attach to new Application Group. + +- Required: Yes +- Type: string + ### Parameter: `appGroupResourceIds` Resource IDs for the existing Application groups this workspace will group together. + - Required: No - Type: array - Default: `[]` 
@@ -368,6 +376,7 @@ Resource IDs for the existing Application groups this workspace will group toget ### Parameter: `description` The description of the Workspace to be created. + - Required: No - Type: string - Default: `''` 
@@ -375,94 +384,82 @@ The description of the Workspace to be created. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -470,6 +467,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -477,6 +475,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `friendlyName` The friendly name of the Workspace to be created. + - Required: No - Type: string - Default: `''` @@ -484,6 +483,7 @@ The friendly name of the Workspace to be created. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -491,107 +491,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the workspace to be attach to new Application Group. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index b062197091..2735d1bdfc 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md 
@@ -1219,9 +1219,33 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { | [`virtualnetworks`](#parameter-virtualnetworks) | array | Virtual networks to create for the lab. | | [`vmCreationResourceGroupId`](#parameter-vmcreationresourcegroupid) | string | Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. | +### Parameter: `name` + +The name of the lab. + +- Required: Yes +- Type: string + +### Parameter: `encryptionDiskEncryptionSetId` + +The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `notificationchannels` + +Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `announcement` The properties of any lab announcement associated with this lab. + - Required: No - Type: object - Default: `{}` @@ -1229,6 +1253,7 @@ The properties of any lab announcement associated with this lab. ### Parameter: `artifactsources` Artifact sources to create for the lab. + - Required: No - Type: array - Default: `[]` @@ -1236,6 +1261,7 @@ Artifact sources to create for the lab. ### Parameter: `artifactsStorageAccount` The resource ID of the storage account used to store artifacts and images by the lab. Also used for defaultStorageAccount, defaultPremiumStorageAccount and premiumDataDiskStorageAccount properties. If left empty, a default storage account will be created by the lab and used. + - Required: No - Type: string - Default: `''` 
@@ -1243,6 +1269,7 @@ The resource ID of the storage account used to store artifacts and images by the ### Parameter: `browserConnect` Enable browser connect on virtual machines if the lab's VNETs have configured Azure Bastion. + - Required: No - Type: string - Default: `'Disabled'` @@ -1257,6 +1284,7 @@ Enable browser connect on virtual machines if the lab's VNETs have configured Az ### Parameter: `costs` Costs to create for the lab. + - Required: No - Type: object - Default: `{}` @@ -1264,6 +1292,7 @@ Costs to create for the lab. ### Parameter: `disableAutoUpgradeCseMinorVersion` Disable auto upgrade custom script extension minor version. + - Required: No - Type: bool - Default: `False` @@ -1271,20 +1300,15 @@ Disable auto upgrade custom script extension minor version. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `encryptionDiskEncryptionSetId` - -The Disk Encryption Set Resource ID used to encrypt OS and data disks created as part of the the lab. Required if encryptionType is set to "EncryptionAtRestWithCustomerKey". -- Required: No -- Type: string -- Default: `''` - ### Parameter: `encryptionType` Specify how OS and data disks created as part of the lab are encrypted. + - Required: No - Type: string - Default: `'EncryptionAtRestWithPlatformKey'` @@ -1299,6 +1323,7 @@ Specify how OS and data disks created as part of the lab are encrypted. ### Parameter: `environmentPermission` The access rights to be granted to the user when provisioning an environment. + - Required: No - Type: string - Default: `'Reader'` @@ -1313,6 +1338,7 @@ The access rights to be granted to the user when provisioning an environment. ### Parameter: `extendedProperties` Extended properties of the lab used for experimental features. + - Required: No - Type: object - Default: `{}` 
@@ -1320,6 +1346,7 @@ Extended properties of the lab used for experimental features. ### Parameter: `isolateLabResources` Enable lab resources isolation from the public internet. + - Required: No - Type: string - Default: `'Enabled'` @@ -1334,6 +1361,7 @@ Enable lab resources isolation from the public internet. ### Parameter: `labStorageType` Type of storage used by the lab. It can be either Premium or Standard. + - Required: No - Type: string - Default: `'Premium'` @@ -1349,6 +1377,7 @@ Type of storage used by the lab. It can be either Premium or Standard. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1356,26 +1385,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1383,17 +1421,19 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array @@ -1401,6 +1441,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managementIdentitiesResourceIds` The resource ID(s) to assign to the virtual machines associated with this lab. + - Required: No - Type: array - Default: `[]` @@ -1408,6 +1449,7 @@ The resource ID(s) to assign to the virtual machines associated with this lab. ### Parameter: `mandatoryArtifactsResourceIdsLinux` The ordered list of artifact resource IDs that should be applied on all Linux VM creations by default, prior to the artifacts specified by the user. + - Required: No - Type: array - Default: `[]` 
@@ -1415,19 +1457,7 @@ The ordered list of artifact resource IDs that should be applied on all Linux VM ### Parameter: `mandatoryArtifactsResourceIdsWindows` The ordered list of artifact resource IDs that should be applied on all Windows VM creations by default, prior to the artifacts specified by the user. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `name` - -The name of the lab. -- Required: Yes -- Type: string -### Parameter: `notificationchannels` - -Notification Channels to create for the lab. Required if the schedules property "notificationSettingsStatus" is set to "Enabled. - Required: No - Type: array - Default: `[]` @@ -1435,6 +1465,7 @@ Notification Channels to create for the lab. Required if the schedules property ### Parameter: `policies` Policies to create for the lab. + - Required: No - Type: array - Default: `[]` @@ -1442,6 +1473,7 @@ Policies to create for the lab. ### Parameter: `premiumDataDisks` The setting to enable usage of premium data disks. When its value is "Enabled", creation of standard or premium data disks is allowed. When its value is "Disabled", only creation of standard data disks is allowed. Default is "Disabled". + - Required: No - Type: string - Default: `'Disabled'` 
@@ -1456,74 +1488,96 @@ The setting to enable usage of premium data disks. When its value is "Enabled", ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `schedules` Schedules to create for the lab. + - Required: No - Type: array - Default: `[]` @@ -1531,6 +1585,7 @@ Schedules to create for the lab. ### Parameter: `support` The properties of any lab support message associated with this lab. + - Required: No - Type: object - Default: `{}` @@ -1538,12 +1593,14 @@ The properties of any lab support message associated with this lab. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `virtualnetworks` Virtual networks to create for the lab. + - Required: No - Type: array - Default: `[]` @@ -1551,6 +1608,7 @@ Virtual networks to create for the lab. ### Parameter: `vmCreationResourceGroupId` Resource Group allocation for virtual machines. If left empty, virtual machines will be deployed in their own Resource Groups. Default is the same Resource Group for DevTest Lab. + - Required: No - Type: string - Default: `[resourceGroup().id]` diff --git a/modules/dev-test-lab/lab/artifactsource/README.md b/modules/dev-test-lab/lab/artifactsource/README.md index 596527ee0d..0a5d74362c 100644 --- a/modules/dev-test-lab/lab/artifactsource/README.md +++ b/modules/dev-test-lab/lab/artifactsource/README.md 
@@ -46,16 +46,47 @@ An artifact source allows you to create custom artifacts for the VMs in the lab, | [`status`](#parameter-status) | string | Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the artifact source. + +- Required: Yes +- Type: string + +### Parameter: `uri` + +The artifact source's URI. + +- Required: Yes +- Type: string + ### Parameter: `armTemplateFolderPath` The folder containing Azure Resource Manager templates. Required if "folderPath" is empty. + - Required: No - Type: string - Default: `''` +### Parameter: `folderPath` + +The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `branchRef` The artifact source's branch reference (e.g. main or master). + - Required: No - Type: string - Default: `''` @@ -63,6 +94,7 @@ The artifact source's branch reference (e.g. main or master). ### Parameter: `displayName` The artifact source's display name. Default is the name of the artifact source. + - Required: No - Type: string - Default: `[parameters('name')]` 
@@ -70,32 +102,15 @@ The artifact source's display name. Default is the name of the artifact source. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `folderPath` - -The folder containing artifacts. At least one folder path is required. Required if "armTemplateFolderPath" is empty. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the artifact source. -- Required: Yes -- Type: string - ### Parameter: `securityToken` The security token to authenticate to the artifact source. + - Required: No - Type: securestring - Default: `''` @@ -103,6 +118,7 @@ The security token to authenticate to the artifact source. ### Parameter: `sourceType` The artifact source's type. + - Required: No - Type: string - Default: `''` @@ -119,6 +135,7 @@ The artifact source's type. ### Parameter: `status` Indicates if the artifact source is enabled (values: Enabled, Disabled). Default is "Enabled". + - Required: No - Type: string - Default: `'Enabled'` @@ -133,15 +150,10 @@ Indicates if the artifact source is enabled (values: Enabled, Disabled). Default ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `uri` - -The artifact source's URI. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/dev-test-lab/lab/cost/README.md b/modules/dev-test-lab/lab/cost/README.md index 7d50b0542b..d2950dda2b 100644 --- a/modules/dev-test-lab/lab/cost/README.md +++ b/modules/dev-test-lab/lab/cost/README.md 
@@ -53,16 +53,24 @@ Manage lab costs by setting a spending target that can be viewed in the Monthly | [`thresholdValue75DisplayOnChart`](#parameter-thresholdvalue75displayonchart) | string | Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. | | [`thresholdValue75SendNotificationWhenExceeded`](#parameter-thresholdvalue75sendnotificationwhenexceeded) | string | Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. | -### Parameter: `currencyCode` +### Parameter: `cycleType` -The currency code of the cost. -- Required: No +Reporting cycle type. + +- Required: Yes - Type: string -- Default: `'USD'` +- Allowed: + ```Bicep + [ + 'CalendarMonth' + 'Custom' + ] + ``` ### Parameter: `cycleEndDateTime` Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". + - Required: No - Type: string - Default: `''` 
@@ -70,39 +78,38 @@ Reporting cycle end date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z) ### Parameter: `cycleStartDateTime` Reporting cycle start date in the zulu time format (e.g. 2023-12-01T00:00:00.000Z). Required if cycleType is set to "Custom". + - Required: No - Type: string - Default: `''` -### Parameter: `cycleType` +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. -Reporting cycle type. - Required: Yes - Type: string -- Allowed: - ```Bicep - [ - 'CalendarMonth' - 'Custom' - ] - ``` + +### Parameter: `currencyCode` + +The currency code of the cost. + +- Required: No +- Type: string +- Default: `'USD'` ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `status` Target cost status. + - Required: No - Type: string - Default: `'Enabled'` @@ -117,12 +124,14 @@ Target cost status. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `target` Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" chart to allow tracking lab spending relative to the target cost for the current reporting cycleSetting the target cost to 0 will disable all thresholds. + - Required: No - Type: int - Default: `0` @@ -130,6 +139,7 @@ Lab target cost (e.g. 100). The target cost will appear in the "Cost trend" char ### Parameter: `thresholdValue100DisplayOnChart` Target Cost threshold at 100% display on chart. Indicates whether this threshold will be displayed on cost charts. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -144,6 +154,7 @@ Target Cost threshold at 100% display on chart. Indicates whether this threshold ### Parameter: `thresholdValue100SendNotificationWhenExceeded` Target cost threshold at 100% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. + - Required: No - Type: string - Default: `'Disabled'` @@ -158,6 +169,7 @@ Target cost threshold at 100% send notification when exceeded. Indicates whether ### Parameter: `thresholdValue125DisplayOnChart` Target Cost threshold at 125% display on chart. Indicates whether this threshold will be displayed on cost charts. + - Required: No - Type: string - Default: `'Disabled'` @@ -172,6 +184,7 @@ Target Cost threshold at 125% display on chart. Indicates whether this threshold ### Parameter: `thresholdValue125SendNotificationWhenExceeded` Target cost threshold at 125% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. + - Required: No - Type: string - Default: `'Disabled'` @@ -186,6 +199,7 @@ Target cost threshold at 125% send notification when exceeded. Indicates whether ### Parameter: `thresholdValue25DisplayOnChart` Target Cost threshold at 25% display on chart. Indicates whether this threshold will be displayed on cost charts. + - Required: No - Type: string - Default: `'Disabled'` @@ -200,6 +214,7 @@ Target Cost threshold at 25% display on chart. Indicates whether this threshold ### Parameter: `thresholdValue25SendNotificationWhenExceeded` Target cost threshold at 25% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -214,6 +229,7 @@ Target cost threshold at 25% send notification when exceeded. Indicates whether ### Parameter: `thresholdValue50DisplayOnChart` Target Cost threshold at 50% display on chart. Indicates whether this threshold will be displayed on cost charts. + - Required: No - Type: string - Default: `'Disabled'` @@ -228,6 +244,7 @@ Target Cost threshold at 50% display on chart. Indicates whether this threshold ### Parameter: `thresholdValue50SendNotificationWhenExceeded` Target cost threshold at 50% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. + - Required: No - Type: string - Default: `'Disabled'` @@ -242,6 +259,7 @@ Target cost threshold at 50% send notification when exceeded. Indicates whether ### Parameter: `thresholdValue75DisplayOnChart` Target Cost threshold at 75% display on chart. Indicates whether this threshold will be displayed on cost charts. + - Required: No - Type: string - Default: `'Disabled'` @@ -256,6 +274,7 @@ Target Cost threshold at 75% display on chart. Indicates whether this threshold ### Parameter: `thresholdValue75SendNotificationWhenExceeded` Target cost threshold at 75% send notification when exceeded. Indicates whether notifications will be sent when this threshold is exceeded. + - Required: No - Type: string - Default: `'Disabled'` diff --git a/modules/dev-test-lab/lab/notificationchannel/README.md b/modules/dev-test-lab/lab/notificationchannel/README.md index 026f51995a..fa378b420e 100644 --- a/modules/dev-test-lab/lab/notificationchannel/README.md +++ b/modules/dev-test-lab/lab/notificationchannel/README.md 
@@ -43,56 +43,71 @@ Notification channels are used by the schedule resource type in order to send no | [`notificationLocale`](#parameter-notificationlocale) | string | The locale to use when sending a notification (fallback for unsupported languages is EN). | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `description` +### Parameter: `events` + +The list of event for which this notification is enabled. -Description of notification. - Required: No +- Type: array +- Default: `[]` + +### Parameter: `name` + +The name of the notification channel. + +- Required: Yes - Type: string -- Default: `''` +- Allowed: + ```Bicep + [ + 'autoShutdown' + 'costThreshold' + ] + ``` ### Parameter: `emailRecipient` The email recipient to send notifications to (can be a list of semi-colon separated email addresses). Required if "webHookUrl" is empty. + - Required: No - Type: string - Default: `''` -### Parameter: `enableDefaultTelemetry` +### Parameter: `labName` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +The name of the parent lab. Required if the template is used in a standalone deployment. -### Parameter: `events` +- Required: Yes +- Type: string -The list of event for which this notification is enabled. -- Required: No -- Type: array -- Default: `[]` +### Parameter: `webHookUrl` -### Parameter: `labName` +The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. -The name of the parent lab. Required if the template is used in a standalone deployment. -- Required: Yes +- Required: No - Type: string +- Default: `''` -### Parameter: `name` +### Parameter: `description` -The name of the notification channel. -- Required: Yes +Description of notification. 
+ +- Required: No - Type: string -- Allowed: - ```Bicep - [ - 'autoShutdown' - 'costThreshold' - ] - ``` +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ### Parameter: `notificationLocale` The locale to use when sending a notification (fallback for unsupported languages is EN). + - Required: No - Type: string - Default: `'en'` @@ -100,15 +115,9 @@ The locale to use when sending a notification (fallback for unsupported language ### Parameter: `tags` Tags of the resource. -- Required: No -- Type: object - -### Parameter: `webHookUrl` -The webhook URL to which the notification will be sent. Required if "emailRecipient" is empty. - Required: No -- Type: string -- Default: `''` +- Type: object ## Outputs diff --git a/modules/dev-test-lab/lab/policyset/policy/README.md b/modules/dev-test-lab/lab/policyset/policy/README.md index 21a43a924c..0cc9ece256 100644 --- a/modules/dev-test-lab/lab/policyset/policy/README.md +++ b/modules/dev-test-lab/lab/policyset/policy/README.md @@ -45,23 +45,10 @@ DevTest lab policies are used to modify the lab settings such as only allowing c | [`status`](#parameter-status) | string | The status of the policy. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `description` - -The description of the policy. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `evaluatorType` The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). + - Required: Yes - Type: string - Allowed: 
@@ -72,16 +59,10 @@ The evaluator type of the policy (i.e. AllowedValuesPolicy, MaxValuePolicy). ] ``` -### Parameter: `factData` - -The fact data of the policy. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `factName` The fact name of the policy. + - Required: Yes - Type: string - Allowed: @@ -100,21 +81,55 @@ The fact name of the policy. ] ``` +### Parameter: `name` + +The name of the policy. + +- Required: Yes +- Type: string + +### Parameter: `threshold` + +The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). + +- Required: Yes +- Type: string + ### Parameter: `labName` The name of the parent lab. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `description` -The name of the policy. -- Required: Yes +The description of the policy. + +- Required: No - Type: string +- Default: `''` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `factData` + +The fact data of the policy. + +- Required: No +- Type: string +- Default: `''` ### Parameter: `policySetName` The name of the parent policy set. + - Required: No - Type: string - Default: `'default'` @@ -122,6 +137,7 @@ The name of the parent policy set. ### Parameter: `status` The status of the policy. + - Required: No - Type: string - Default: `'Enabled'` @@ -136,16 +152,11 @@ The status of the policy. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object - Default: `{}` -### Parameter: `threshold` - -The threshold of the policy (i.e. a number for MaxValuePolicy, and a JSON array of values for AllowedValuesPolicy). -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/dev-test-lab/lab/schedule/README.md b/modules/dev-test-lab/lab/schedule/README.md index 35c6ea868e..ba6b6479ba 100644 
--- a/modules/dev-test-lab/lab/schedule/README.md +++ b/modules/dev-test-lab/lab/schedule/README.md @@ -47,9 +47,45 @@ Lab schedules are used to modify the settings for auto-shutdown, auto-start for | [`timeZoneId`](#parameter-timezoneid) | string | The time zone ID (e.g. Pacific Standard time). | | [`weeklyRecurrence`](#parameter-weeklyrecurrence) | object | If the schedule will occur only some days of the week, specify the weekly recurrence. | +### Parameter: `name` + +The name of the schedule. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'LabVmAutoStart' + 'LabVmsShutdown' + ] + ``` + +### Parameter: `taskType` + +The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'LabVmsShutdownTask' + 'LabVmsStartupTask' + ] + ``` + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `dailyRecurrence` If the schedule will occur once each day of the week, specify the daily recurrence. + - Required: No - Type: object - Default: `{}` @@ -57,6 +93,7 @@ If the schedule will occur once each day of the week, specify the daily recurren ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -64,32 +101,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `hourlyRecurrence` If the schedule will occur multiple times a day, specify the hourly recurrence. + - Required: No - Type: object - Default: `{}` -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the schedule. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'LabVmAutoStart' - 'LabVmsShutdown' - ] - ``` - ### Parameter: `notificationSettingsStatus` If notifications are enabled for this schedule (i.e. Enabled, Disabled). + - Required: No - Type: string - Default: `'Disabled'` @@ -104,6 +124,7 @@ If notifications are enabled for this schedule (i.e. Enabled, Disabled). ### Parameter: `notificationSettingsTimeInMinutes` Time in minutes before event at which notification will be sent. Optional if "notificationSettingsStatus" is set to "Enabled". Default is 30 minutes. + - Required: No - Type: int - Default: `30` @@ -111,6 +132,7 @@ Time in minutes before event at which notification will be sent. Optional if "no ### Parameter: `status` The status of the schedule (i.e. Enabled, Disabled). + - Required: No - Type: string - Default: `'Enabled'` @@ -125,32 +147,22 @@ The status of the schedule (i.e. Enabled, Disabled). ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `targetResourceId` The resource ID to which the schedule belongs. + - Required: No - Type: string - Default: `''` -### Parameter: `taskType` - -The task type of the schedule (e.g. LabVmsShutdownTask, LabVmsStartupTask). -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'LabVmsShutdownTask' - 'LabVmsStartupTask' - ] - ``` - ### Parameter: `timeZoneId` The time zone ID (e.g. Pacific Standard time). + - Required: No - Type: string - Default: `'Pacific Standard time'` 
@@ -158,6 +170,7 @@ The time zone ID (e.g. Pacific Standard time). ### Parameter: `weeklyRecurrence` If the schedule will occur only some days of the week, specify the weekly recurrence. + - Required: No - Type: object - Default: `{}` diff --git a/modules/dev-test-lab/lab/virtualnetwork/README.md b/modules/dev-test-lab/lab/virtualnetwork/README.md index 494fe14296..365a071731 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/README.md +++ b/modules/dev-test-lab/lab/virtualnetwork/README.md @@ -42,9 +42,31 @@ Lab virtual machines must be deployed into a virtual network. This resource type | [`subnetOverrides`](#parameter-subnetoverrides) | array | The subnet overrides of the virtual network. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `externalProviderResourceId` + +The resource ID of the virtual network. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the virtual network. + +- Required: Yes +- Type: string + +### Parameter: `labName` + +The name of the parent lab. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `allowedSubnets` The allowed subnets of the virtual network. + - Required: No - Type: array - Default: `[]` @@ -52,6 +74,7 @@ The allowed subnets of the virtual network. ### Parameter: `description` The description of the virtual network. + - Required: No - Type: string - Default: `''` 
@@ -59,31 +82,15 @@ The description of the virtual network. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `externalProviderResourceId` - -The resource ID of the virtual network. -- Required: Yes -- Type: string - -### Parameter: `labName` - -The name of the parent lab. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the virtual network. -- Required: Yes -- Type: string - ### Parameter: `subnetOverrides` The subnet overrides of the virtual network. + - Required: No - Type: array - Default: `[]` @@ -91,6 +98,7 @@ The subnet overrides of the virtual network. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index b17f411ae0..6e6d82d64a 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md 
@@ -494,117 +494,100 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | [`serviceBusEndpoint`](#parameter-servicebusendpoint) | object | Service Bus Endpoint. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +The name of the Digital Twin Instance. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -612,6 +595,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -619,6 +603,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `eventGridEndpoint` Event Grid Endpoint. + - Required: No - Type: object - Default: `{}` @@ -626,6 +611,7 @@ Event Grid Endpoint. ### Parameter: `eventHubEndpoint` Event Hub Endpoint. + - Required: No - Type: object - Default: `{}` @@ -633,6 +619,7 @@ Event Hub Endpoint. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -640,26 +627,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -667,229 +663,275 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the Digital Twin Instance. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. 
| -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. 
- Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. 
-- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. 
-- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The name of the private endpoint. +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -897,6 +939,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` 
@@ -912,74 +955,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. 
- Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceBusEndpoint` Service Bus Endpoint. + - Required: No - Type: object - Default: `{}` @@ -987,6 +1052,7 @@ Service Bus Endpoint. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md index 0b66892ffa..7c0b4fd0a5 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/README.md 
@@ -39,9 +39,31 @@ This module deploys a Digital Twins Instance Event Grid Endpoint. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | +### Parameter: `eventGridDomainResourceId` + +The resource ID of the Event Grid to get access keys from. + +- Required: Yes +- Type: string + +### Parameter: `topicEndpoint` + +EventGrid Topic Endpoint. + +- Required: Yes +- Type: string + +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `deadLetterSecret` Dead letter storage secret for key-based authentication. Will be obfuscated during read. + - Required: No - Type: securestring - Default: `''` @@ -49,42 +71,27 @@ Dead letter storage secret for key-based authentication. Will be obfuscated duri ### Parameter: `deadLetterUri` Dead letter storage URL for identity-based authentication. + - Required: No - Type: string - Default: `''` -### Parameter: `digitalTwinInstanceName` - -The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `eventGridDomainResourceId` - -The resource ID of the Event Grid to get access keys from. -- Required: Yes -- Type: string - ### Parameter: `name` The name of the Digital Twin Endpoint. + - Required: No - Type: string - Default: `'EventGridEndpoint'` -### Parameter: `topicEndpoint` - -EventGrid Topic Endpoint. -- Required: Yes -- Type: string - ## Outputs 
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md index 1101a6dfdb..ee717d8aa1 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md @@ -38,9 +38,25 @@ This module deploys a Digital Twins Instance EventHub Endpoint. | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | +### Parameter: `connectionStringPrimaryKey` + +PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". + +- Required: No +- Type: securestring +- Default: `''` + +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authenticationType` Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. + - Required: No - Type: string - Default: `'IdentityBased'` 
@@ -52,16 +68,10 @@ Specifies the authentication type being used for connecting to the endpoint. If ] ``` -### Parameter: `connectionStringPrimaryKey` - -PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". -- Required: No -- Type: securestring -- Default: `''` - ### Parameter: `connectionStringSecondaryKey` SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". + - Required: No - Type: securestring - Default: `''` @@ -69,6 +79,7 @@ SecondaryConnectionString of the endpoint for key-based authentication. Will be ### Parameter: `deadLetterSecret` Dead letter storage secret for key-based authentication. Will be obfuscated during read. + - Required: No - Type: securestring - Default: `''` @@ -76,19 +87,15 @@ Dead letter storage secret for key-based authentication. Will be obfuscated duri ### Parameter: `deadLetterUri` Dead letter storage URL for identity-based authentication. + - Required: No - Type: string - Default: `''` -### Parameter: `digitalTwinInstanceName` - -The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -96,6 +103,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `endpointUri` The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). + - Required: No - Type: string - Default: `''` 
@@ -103,6 +111,7 @@ The URL of the EventHub namespace for identity-based authentication. It must inc ### Parameter: `entityPath` The EventHub name in the EventHub namespace for identity-based authentication. + - Required: No - Type: string - Default: `''` @@ -110,25 +119,27 @@ The EventHub name in the EventHub namespace for identity-based authentication. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceId` -Optional. The resource ID to assign to the resource. +The resource ID to assign to the resource. - Required: No - Type: string @@ -136,6 +147,7 @@ Optional. The resource ID to assign to the resource. ### Parameter: `name` The name of the Digital Twin Endpoint. + - Required: No - Type: string - Default: `'EventHubEndpoint'` diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md index c9e29b7746..040d68825a 100644 
--- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md @@ -38,9 +38,25 @@ This module deploys a Digital Twins Instance ServiceBus Endpoint. | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | | [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | +### Parameter: `digitalTwinInstanceName` + +The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `primaryConnectionString` + +PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". + +- Required: No +- Type: securestring +- Default: `''` + ### Parameter: `authenticationType` Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. + - Required: No - Type: string - Default: `'IdentityBased'` @@ -55,6 +71,7 @@ Specifies the authentication type being used for connecting to the endpoint. If ### Parameter: `deadLetterSecret` Dead letter storage secret for key-based authentication. Will be obfuscated during read. + - Required: No - Type: securestring - Default: `''` 
@@ -62,19 +79,15 @@ Dead letter storage secret for key-based authentication. Will be obfuscated duri ### Parameter: `deadLetterUri` Dead letter storage URL for identity-based authentication. + - Required: No - Type: string - Default: `''` -### Parameter: `digitalTwinInstanceName` - -The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -82,6 +95,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `endpointUri` The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). + - Required: No - Type: string - Default: `''` @@ -89,6 +103,7 @@ The URL of the ServiceBus namespace for identity-based authentication. It must i ### Parameter: `entityPath` The ServiceBus Topic name for identity-based authentication. + - Required: No - Type: string - Default: `''` 
@@ -96,25 +111,27 @@ The ServiceBus Topic name for identity-based authentication. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceId` -Optional. The resource ID to assign to the resource. +The resource ID to assign to the resource. - Required: No - Type: string 
@@ -122,20 +139,15 @@ Optional. The resource ID to assign to the resource. ### Parameter: `name` The name of the Digital Twin Endpoint. + - Required: No - Type: string - Default: `'ServiceBusEndpoint'` -### Parameter: `primaryConnectionString` - -PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". -- Required: No -- Type: securestring -- Default: `''` - ### Parameter: `secondaryConnectionString` SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". + - Required: No - Type: securestring - Default: `''` diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index d9167cbc22..e0e87268ce 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -1385,9 +1385,24 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { | [`sqlDatabases`](#parameter-sqldatabases) | array | SQL Databases configurations. | | [`tags`](#parameter-tags) | object | Tags of the Database Account resource. | +### Parameter: `locations` + +Locations enabled for the Cosmos DB account. + +- Required: Yes +- Type: array + +### Parameter: `name` + +Name of the Database Account. + +- Required: Yes +- Type: string + ### Parameter: `automaticFailover` Enable automatic failover for regions. + - Required: No - Type: bool - Default: `True` @@ -1395,6 +1410,7 @@ Enable automatic failover for regions. ### Parameter: `backupIntervalInMinutes` An integer representing the interval in minutes between two backups. Only applies to periodic backup type. + - Required: No - Type: int - Default: `240` 
@@ -1402,6 +1418,7 @@ An integer representing the interval in minutes between two backups. Only applie ### Parameter: `backupPolicyContinuousTier` Configuration values for continuous mode backup. + - Required: No - Type: string - Default: `'Continuous30Days'` @@ -1416,6 +1433,7 @@ Configuration values for continuous mode backup. ### Parameter: `backupPolicyType` Describes the mode of backups. + - Required: No - Type: string - Default: `'Continuous'` @@ -1430,6 +1448,7 @@ Describes the mode of backups. ### Parameter: `backupRetentionIntervalInHours` An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. + - Required: No - Type: int - Default: `8` @@ -1437,6 +1456,7 @@ An integer representing the time (in hours) that each backup is retained. Only a ### Parameter: `backupStorageRedundancy` Enum to indicate type of backup residency. Only applies to periodic backup type. + - Required: No - Type: string - Default: `'Local'` @@ -1452,6 +1472,7 @@ Enum to indicate type of backup residency. Only applies to periodic backup type. ### Parameter: `capabilitiesToAdd` List of Cosmos DB capabilities for the account. + - Required: No - Type: array - Default: `[]` @@ -1470,6 +1491,7 @@ List of Cosmos DB capabilities for the account. ### Parameter: `databaseAccountOfferType` The offer type for the Cosmos DB database account. + - Required: No - Type: string - Default: `'Standard'` @@ -1483,6 +1505,7 @@ The offer type for the Cosmos DB database account. ### Parameter: `defaultConsistencyLevel` The default consistency level of the Cosmos DB account. + - Required: No - Type: string - Default: `'Session'` 
@@ -1500,114 +1523,90 @@ The default consistency level of the Cosmos DB account. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1615,6 +1614,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1622,6 +1622,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableFreeTier` Flag to indicate whether Free Tier is enabled. + - Required: No - Type: bool - Default: `False` @@ -1629,6 +1630,7 @@ Flag to indicate whether Free Tier is enabled. ### Parameter: `gremlinDatabases` Gremlin Databases configurations. + - Required: No - Type: array - Default: `[]` 
@@ -1636,39 +1638,43 @@ Gremlin Databases configurations. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `locations` - -Locations enabled for the Cosmos DB account. -- Required: Yes -- Type: array - ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1676,25 +1682,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1702,6 +1710,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `maxIntervalInSeconds` Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. + - Required: No - Type: int - Default: `300` @@ -1709,6 +1718,7 @@ Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Regi ### Parameter: `maxStalenessPrefix` Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. + - Required: No - Type: int - Default: `100000` 
@@ -1716,210 +1726,255 @@ Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: ### Parameter: `mongodbDatabases` MongoDB Databases configurations. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -Name of the Database Account. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. 
| -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +**Optional parameters** -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Application security groups in which the private endpoint IP configuration is included. +### Parameter: `privateEndpoints.service` -- Required: No -- Type: array +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -### Parameter: `privateEndpoints.customDnsConfigs` +- Required: Yes +- Type: string -Optional. Custom DNS configurations. 
+### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. 
+| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -- Required: No +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +Version of the condition. - Required: No -- Type: array +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. Array of role assignments to create. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.description` -Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Required. Resource ID of the subnet where the endpoint needs to be created. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -1927,74 +1982,96 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. 
- Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serverVersion` Specifies the MongoDB server version to use. + - Required: No - Type: string - Default: `'4.2'` @@ -2011,6 +2088,7 @@ Specifies the MongoDB server version to use. ### Parameter: `sqlDatabases` SQL Databases configurations. + - Required: No - Type: array - Default: `[]` @@ -2018,6 +2096,7 @@ SQL Databases configurations. ### Parameter: `tags` Tags of the Database Account resource. + - Required: No - Type: object diff --git a/modules/document-db/database-account/gremlin-database/README.md b/modules/document-db/database-account/gremlin-database/README.md index da1fb97246..df1136e3f0 100644 --- a/modules/document-db/database-account/gremlin-database/README.md +++ b/modules/document-db/database-account/gremlin-database/README.md 
@@ -41,15 +41,24 @@ This module deploys a Gremlin Database within a CosmosDB Account. | [`tags`](#parameter-tags) | object | Tags of the Gremlin database resource. | | [`throughput`](#parameter-throughput) | int | Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. | +### Parameter: `name` + +Name of the Gremlin database. + +- Required: Yes +- Type: string + ### Parameter: `databaseAccountName` The name of the parent Gremlin database. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -57,6 +66,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `graphs` Array of graphs to deploy in the Gremlin database. + - Required: No - Type: array - Default: `[]` @@ -64,25 +74,22 @@ Array of graphs to deploy in the Gremlin database. ### Parameter: `maxThroughput` Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. + - Required: No - Type: int - Default: `4000` -### Parameter: `name` - -Name of the Gremlin database. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the Gremlin database resource. + - Required: No - Type: object ### Parameter: `throughput` Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. + - Required: No - Type: int - Default: `-1` diff --git a/modules/document-db/database-account/gremlin-database/graph/README.md b/modules/document-db/database-account/gremlin-database/graph/README.md index 6e358a9bfe..3127f1d371 100644 --- a/modules/document-db/database-account/gremlin-database/graph/README.md +++ b/modules/document-db/database-account/gremlin-database/graph/README.md 
@@ -40,41 +40,47 @@ This module deploys a DocumentDB Database Accounts Gremlin Database Graph. | [`partitionKeyPaths`](#parameter-partitionkeypaths) | array | List of paths using which data within the container can be partitioned. | | [`tags`](#parameter-tags) | object | Tags of the Gremlin graph resource. | +### Parameter: `name` + +Name of the graph. + +- Required: Yes +- Type: string + ### Parameter: `databaseAccountName` The name of the parent Database Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `gremlinDatabaseName` + +The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `gremlinDatabaseName` - -The name of the parent Gremlin Database. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `indexingPolicy` Indexing policy of the graph. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Name of the graph. -- Required: Yes -- Type: string - ### Parameter: `partitionKeyPaths` List of paths using which data within the container can be partitioned. + - Required: No - Type: array - Default: `[]` @@ -82,6 +88,7 @@ List of paths using which data within the container can be partitioned. ### Parameter: `tags` Tags of the Gremlin graph resource. + - Required: No - Type: object diff --git a/modules/document-db/database-account/mongodb-database/README.md b/modules/document-db/database-account/mongodb-database/README.md index 330081f50e..b20e184e59 100644 --- a/modules/document-db/database-account/mongodb-database/README.md +++ b/modules/document-db/database-account/mongodb-database/README.md 
@@ -39,41 +39,47 @@ This module deploys a MongoDB Database within a CosmosDB Account. | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`throughput`](#parameter-throughput) | int | Name of the mongodb database. | -### Parameter: `collections` +### Parameter: `name` -Collections in the mongodb database. -- Required: No -- Type: array -- Default: `[]` +Name of the mongodb database. + +- Required: Yes +- Type: string ### Parameter: `databaseAccountName` The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `collections` + +Collections in the mongodb database. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -Name of the mongodb database. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `throughput` Name of the mongodb database. + - Required: No - Type: int - Default: `400` diff --git a/modules/document-db/database-account/mongodb-database/collection/README.md b/modules/document-db/database-account/mongodb-database/collection/README.md index ce98977d82..da1fc38cd2 100644 --- a/modules/document-db/database-account/mongodb-database/collection/README.md +++ b/modules/document-db/database-account/mongodb-database/collection/README.md 
@@ -40,46 +40,53 @@ This module deploys a MongoDB Database Collection. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`throughput`](#parameter-throughput) | int | Name of the mongodb database. | -### Parameter: `databaseAccountName` - -The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `indexes` Indexes for the collection. -- Required: Yes -- Type: array -### Parameter: `mongodbDatabaseName` - -The name of the parent mongodb database. Required if the template is used in a standalone deployment. - Required: Yes -- Type: string +- Type: array ### Parameter: `name` Name of the collection. + - Required: Yes - Type: string ### Parameter: `shardKey` ShardKey for the collection. + - Required: Yes - Type: object +### Parameter: `databaseAccountName` + +The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `mongodbDatabaseName` + +The name of the parent mongodb database. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `throughput` Name of the mongodb database. + - Required: No - Type: int - Default: `400` diff --git a/modules/document-db/database-account/sql-database/README.md b/modules/document-db/database-account/sql-database/README.md index bb5beed3eb..96ae778d2c 100644 --- a/modules/document-db/database-account/sql-database/README.md +++ b/modules/document-db/database-account/sql-database/README.md 
@@ -40,9 +40,24 @@ This module deploys a SQL Database in a CosmosDB Account. | [`tags`](#parameter-tags) | object | Tags of the SQL database resource. | | [`throughput`](#parameter-throughput) | int | Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | +### Parameter: `name` + +Name of the SQL database . + +- Required: Yes +- Type: string + +### Parameter: `databaseAccountName` + +The name of the parent Database Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `autoscaleSettingsMaxThroughput` Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. + - Required: No - Type: int - Default: `-1` @@ -50,38 +65,30 @@ Specifies the Autoscale settings and represents maximum throughput, the resource ### Parameter: `containers` Array of containers to deploy in the SQL database. + - Required: No - Type: array - Default: `[]` -### Parameter: `databaseAccountName` - -The name of the parent Database Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -Name of the SQL database . -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the SQL database resource. + - Required: No - Type: object ### Parameter: `throughput` Request units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. + - Required: No - Type: int - Default: `400` 
diff --git a/modules/document-db/database-account/sql-database/container/README.md b/modules/document-db/database-account/sql-database/container/README.md index cc46af3c67..8876592f85 100644 --- a/modules/document-db/database-account/sql-database/container/README.md +++ b/modules/document-db/database-account/sql-database/container/README.md @@ -47,9 +47,31 @@ This module deploys a SQL Database Container in a CosmosDB Account. | [`throughput`](#parameter-throughput) | int | Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. | | [`uniqueKeyPolicyKeys`](#parameter-uniquekeypolicykeys) | array | The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. | +### Parameter: `name` + +Name of the container. + +- Required: Yes +- Type: string + +### Parameter: `databaseAccountName` + +The name of the parent Database Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `sqlDatabaseName` + +The name of the parent SQL Database. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `analyticalStorageTtl` Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store. + - Required: No - Type: int - Default: `0` 
@@ -57,6 +79,7 @@ Indicates how long data should be retained in the analytical store, for a contai ### Parameter: `autoscaleSettingsMaxThroughput` Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to -1, then the property will be set to null and autoscale will be disabled. + - Required: No - Type: int - Default: `-1` @@ -64,19 +87,15 @@ Specifies the Autoscale settings and represents maximum throughput, the resource ### Parameter: `conflictResolutionPolicy` The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions. + - Required: No - Type: object - Default: `{}` -### Parameter: `databaseAccountName` - -The name of the parent Database Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `defaultTtl` Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to "-1", it is equal to infinity, and items dont expire by default. + - Required: No - Type: int - Default: `-1` @@ -84,6 +103,7 @@ Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB pro ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -91,6 +111,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `indexingPolicy` Indexing policy of the container. + - Required: No - Type: object - Default: `{}` 
@@ -98,6 +119,7 @@ Indexing policy of the container. ### Parameter: `kind` Indicates the kind of algorithm used for partitioning. + - Required: No - Type: string - Default: `'Hash'` @@ -110,34 +132,25 @@ Indicates the kind of algorithm used for partitioning. ] ``` -### Parameter: `name` - -Name of the container. -- Required: Yes -- Type: string - ### Parameter: `paths` List of paths using which data within the container can be partitioned. + - Required: No - Type: array - Default: `[]` -### Parameter: `sqlDatabaseName` - -The name of the parent SQL Database. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the SQL Database resource. + - Required: No - Type: object ### Parameter: `throughput` Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput is used. + - Required: No - Type: int - Default: `400` @@ -145,6 +158,7 @@ Request Units per second. Will be set to null if autoscaleSettingsMaxThroughput ### Parameter: `uniqueKeyPolicyKeys` The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. + - Required: No - Type: array - Default: `[]` diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 38f46a6a77..678b989436 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -530,9 +530,17 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`topics`](#parameter-topics) | array | The topic names which are associated with the domain. | +### Parameter: `name` + +The name of the Event Grid Domain. + +- Required: Yes +- Type: string + ### Parameter: `autoCreateTopicWithFirstSubscription` Location for all Resources. + - Required: No - Type: bool - Default: `True` 
@@ -540,6 +548,7 @@ Location for all Resources. ### Parameter: `autoDeleteTopicWithLastSubscription` Location for all Resources. + - Required: No - Type: bool - Default: `True` 
@@ -547,114 +556,90 @@ Location for all Resources. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -662,6 +647,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -669,6 +655,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `inboundIpRules` This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. + - Required: No - Type: array - Default: `[]` @@ -676,6 +663,7 @@ This can be used to restrict traffic from specific IPs instead of all IPs. Note: ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -683,230 +671,283 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the Event Grid Domain. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. 
Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. 
Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. 
| +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. 
Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. 
Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. 
+Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` -Optional. The name of the private endpoint. +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -914,6 +955,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. + - Required: No - Type: string - Default: `''` 
@@ -929,80 +971,103 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+ - Required: No - Type: object ### Parameter: `topics` The topic names which are associated with the domain. + - Required: No - Type: array - Default: `[]` diff --git a/modules/event-grid/domain/topic/README.md b/modules/event-grid/domain/topic/README.md index f4c4b1a733..6dc88f87ef 100644 --- a/modules/event-grid/domain/topic/README.md +++ b/modules/event-grid/domain/topic/README.md @@ -36,15 +36,24 @@ This module deploys an Event Grid Domain Topic. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | +### Parameter: `name` + +The name of the Event Grid Domain Topic. + +- Required: Yes +- Type: string + ### Parameter: `domainName` The name of the parent Event Grid Domain. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -52,16 +61,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the Event Grid Domain Topic. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index c484cc32a3..b901bdc3de 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md 
@@ -476,117 +476,114 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Event Grid Topic. + +- Required: Yes +- Type: string + +### Parameter: `source` + +Source for the system topic. + +- Required: Yes +- Type: string + +### Parameter: `topicType` + +TopicType for the system topic. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. 
Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -594,6 +591,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -601,6 +599,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventSubscriptions` Event subscriptions to deploy. + - Required: No - Type: array - Default: `[]` 
@@ -608,6 +607,7 @@ Event subscriptions to deploy. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -615,26 +615,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -642,121 +651,127 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the Event Grid Topic. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+ - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `source` +### Parameter: `roleAssignments.principalType` -Source for the system topic. -- Required: Yes +The principal type of the assigned principal ID. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `topicType` - -TopicType for the system topic. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/event-grid/system-topic/event-subscription/README.md b/modules/event-grid/system-topic/event-subscription/README.md index f8c63e5e22..397b1c50a7 100644 --- a/modules/event-grid/system-topic/event-subscription/README.md +++ b/modules/event-grid/system-topic/event-subscription/README.md 
@@ -40,9 +40,31 @@ This module deploys an Event Grid System Topic Event Subscription. | [`location`](#parameter-location) | string | Location for all Resources. | | [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | +### Parameter: `destination` + +The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). + +- Required: Yes +- Type: object + +### Parameter: `name` + +The name of the Event Subscription. + +- Required: Yes +- Type: string + +### Parameter: `systemTopicName` + +Name of the Event Grid System Topic. + +- Required: Yes +- Type: string + ### Parameter: `deadLetterDestination` Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). + - Required: No - Type: object - Default: `{}` @@ -50,6 +72,7 @@ Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/ ### Parameter: `deadLetterWithResourceIdentity` Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). + - Required: No - Type: object - Default: `{}` 
@@ -57,19 +80,15 @@ Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.c ### Parameter: `deliveryWithResourceIdentity` Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). + - Required: No - Type: object - Default: `{}` -### Parameter: `destination` - -The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). -- Required: Yes -- Type: object - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -77,6 +96,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventDeliverySchema` The event delivery schema for the event subscription. + - Required: No - Type: string - Default: `'EventGridSchema'` @@ -93,6 +113,7 @@ The event delivery schema for the event subscription. ### Parameter: `expirationTimeUtc` The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). + - Required: No - Type: string - Default: `''` @@ -100,6 +121,7 @@ The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTH ### Parameter: `filter` The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). + - Required: No - Type: object - Default: `{}` @@ -107,6 +129,7 @@ The filter for the event subscription. (See https://learn.microsoft.com/en-us/az ### Parameter: `labels` The list of user defined labels. + - Required: No - Type: array - Default: `[]` 
@@ -114,29 +137,19 @@ The list of user defined labels. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the Event Subscription. -- Required: Yes -- Type: string - ### Parameter: `retryPolicy` The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. + - Required: No - Type: object - Default: `{}` -### Parameter: `systemTopicName` - -Name of the Event Grid System Topic. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index a00df258c6..2abc6b61c7 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md 
@@ -612,117 +612,100 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Event Grid Topic. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. 
"allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -730,6 +713,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -737,6 +721,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventSubscriptions` Event subscriptions to deploy. + - Required: No - Type: array - Default: `[]` @@ -744,6 +729,7 @@ Event subscriptions to deploy. ### Parameter: `inboundIpRules` This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled. + - Required: No - Type: array - Default: `[]` @@ -751,6 +737,7 @@ This can be used to restrict traffic from specific IPs instead of all IPs. Note: ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -758,230 +745,283 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the Event Grid Topic. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. 
Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. 
Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. 
| +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. 
Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. 
Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. 
+Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` -Optional. The name of the private endpoint. +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -989,6 +1029,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and inboundIpRules are not set. + - Required: No - Type: string - Default: `''` 
@@ -1004,74 +1045,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object 
diff --git a/modules/event-grid/topic/event-subscription/README.md b/modules/event-grid/topic/event-subscription/README.md index 5ca0bc97ca..aa6ab314d5 100644 --- a/modules/event-grid/topic/event-subscription/README.md +++ b/modules/event-grid/topic/event-subscription/README.md @@ -40,9 +40,31 @@ This module deploys an Event Grid Topic Event Subscription. | [`location`](#parameter-location) | string | Location for all Resources. | | [`retryPolicy`](#parameter-retrypolicy) | object | The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. | +### Parameter: `destination` + +The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). + +- Required: Yes +- Type: object + +### Parameter: `name` + +The name of the Event Subscription. + +- Required: Yes +- Type: string + +### Parameter: `topicName` + +Name of the Event Grid Topic. + +- Required: Yes +- Type: string + ### Parameter: `deadLetterDestination` Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterdestination-objects for more information). + - Required: No - Type: object - Default: `{}` @@ -50,6 +72,7 @@ Dead Letter Destination. (See https://learn.microsoft.com/en-us/azure/templates/ ### Parameter: `deadLetterWithResourceIdentity` Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deadletterwithresourceidentity-objects for more information). + - Required: No - Type: object - Default: `{}` 
@@ -57,19 +80,15 @@ Dead Letter with Resource Identity Configuration. (See https://learn.microsoft.c ### Parameter: `deliveryWithResourceIdentity` Delivery with Resource Identity Configuration. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#deliverywithresourceidentity-objects for more information). + - Required: No - Type: object - Default: `{}` -### Parameter: `destination` - -The destination for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptiondestination-objects for more information). -- Required: Yes -- Type: object - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -77,6 +96,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventDeliverySchema` The event delivery schema for the event subscription. + - Required: No - Type: string - Default: `'EventGridSchema'` @@ -93,6 +113,7 @@ The event delivery schema for the event subscription. ### Parameter: `expirationTimeUtc` The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTHH:mm:ssZ). + - Required: No - Type: string - Default: `''` @@ -100,6 +121,7 @@ The expiration time for the event subscription. Format is ISO-8601 (yyyy-MM-ddTH ### Parameter: `filter` The filter for the event subscription. (See https://learn.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?pivots=deployment-language-bicep#eventsubscriptionfilter for more information). + - Required: No - Type: object - Default: `{}` @@ -107,6 +129,7 @@ The filter for the event subscription. (See https://learn.microsoft.com/en-us/az ### Parameter: `labels` The list of user defined labels. + - Required: No - Type: array - Default: `[]` 
@@ -114,29 +137,19 @@ The list of user defined labels. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the Event Subscription. -- Required: Yes -- Type: string - ### Parameter: `retryPolicy` The retry policy for events. This can be used to configure the TTL and maximum number of delivery attempts and time to live for events. + - Required: No - Type: object - Default: `{}` -### Parameter: `topicName` - -Name of the Event Grid Topic. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index faca598780..a7afa4ab37 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -1114,9 +1114,17 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the Event Hub Namespace zone redundant. | +### Parameter: `name` + +The name of the event hub namespace. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the Event Hub namespace. + - Required: No - Type: array - Default: 
@@ -1136,41 +1144,48 @@ Authorization Rules for the Event Hub namespace. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. 
The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -1178,114 +1193,90 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1293,6 +1284,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` This property disables SAS authentication for the Event Hubs namespace. + - Required: No - Type: bool - Default: `True` @@ -1300,6 +1292,7 @@ This property disables SAS authentication for the Event Hubs namespace. ### Parameter: `disasterRecoveryConfig` The disaster recovery config for this namespace. + - Required: No - Type: object - Default: `{}` @@ -1307,6 +1300,7 @@ The disaster recovery config for this namespace. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1314,6 +1308,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventhubs` The event hubs to deploy into this namespace. + - Required: No - Type: array - Default: `[]` @@ -1321,6 +1316,7 @@ The event hubs to deploy into this namespace. ### Parameter: `isAutoInflateEnabled` Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supported in Premium SKU EventHub. + - Required: No - Type: bool - Default: `False` @@ -1328,6 +1324,7 @@ Switch to enable the Auto Inflate feature of Event Hub. Auto Inflate is not supp ### Parameter: `kafkaEnabled` Value that indicates whether Kafka is enabled for Event Hubs Namespace. + - Required: No - Type: bool - Default: `False` 
@@ -1335,6 +1332,7 @@ Value that indicates whether Kafka is enabled for Event Hubs Namespace. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1342,26 +1340,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1369,25 +1376,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1395,6 +1404,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `maximumThroughputUnits` Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. + - Required: No - Type: int - Default: `1` @@ -1402,6 +1412,7 @@ Upper limit of throughput units when AutoInflate is enabled, value should be wit ### Parameter: `minimumTlsVersion` The minimum TLS version for the cluster to support. + - Required: No - Type: string - Default: `'1.2'` 
@@ -1414,15 +1425,10 @@ The minimum TLS version for the cluster to support. ] ``` -### Parameter: `name` - -The name of the event hub namespace. -- Required: Yes -- Type: string - ### Parameter: `networkRuleSets` Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. + - Required: No - Type: object - Default: `{}` 
@@ -1430,197 +1436,247 @@ Configure networking options. This object contains IPs/Subnets to allow or restr ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. 
A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. 
+The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. 
-- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1628,6 +1684,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -1644,6 +1701,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `requireInfrastructureEncryption` Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. + - Required: No - Type: bool - Default: `False` 
@@ -1651,74 +1709,96 @@ Enable infrastructure encryption (double encryption). Note, this setting require ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuCapacity` The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. + - Required: No - Type: int - Default: `1` @@ -1726,6 +1806,7 @@ The Event Hub's throughput units for Basic or Standard tiers, where value should ### Parameter: `skuName` event hub plan SKU name. + - Required: No - Type: string - Default: `'Standard'` @@ -1741,12 +1822,14 @@ event hub plan SKU name. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneRedundant` Switch to make the Event Hub Namespace zone redundant. + - Required: No - Type: bool - Default: `False` diff --git a/modules/event-hub/namespace/authorization-rule/README.md b/modules/event-hub/namespace/authorization-rule/README.md index dfb4d84591..430a336800 100644 --- a/modules/event-hub/namespace/authorization-rule/README.md +++ b/modules/event-hub/namespace/authorization-rule/README.md 
@@ -36,28 +36,32 @@ This module deploys an Event Hub Namespace Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the authorization rule. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent event hub namespace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/event-hub/namespace/disaster-recovery-config/README.md b/modules/event-hub/namespace/disaster-recovery-config/README.md index d9ccac42a8..5587dbcbd0 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/README.md +++ b/modules/event-hub/namespace/disaster-recovery-config/README.md 
@@ -36,28 +36,32 @@ This module deploys an Event Hub Namespace Disaster Recovery Config. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`partnerNamespaceId`](#parameter-partnernamespaceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the disaster recovery config. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent event hub namespace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `partnerNamespaceId` Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. + - Required: No - Type: string - Default: `''` diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index 2b6f569738..cd1f41f928 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md 
@@ -58,9 +58,24 @@ This module deploys an Event Hub Namespace Event Hub. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of the Event Hub. | +### Parameter: `name` + +The name of the event hub. + +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent event hub namespace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the event hub. + - Required: No - Type: array - Default: @@ -80,6 +95,7 @@ Authorization Rules for the event hub. ### Parameter: `captureDescriptionDestinationArchiveNameFormat` Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order. + - Required: No - Type: string - Default: `'{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'` @@ -87,6 +103,7 @@ Blob naming convention for archive, e.g. {Namespace}/{EventHub}/{PartitionId}/{Y ### Parameter: `captureDescriptionDestinationBlobContainer` Blob container Name. + - Required: No - Type: string - Default: `''` @@ -94,6 +111,7 @@ Blob container Name. ### Parameter: `captureDescriptionDestinationName` Name for capture destination. + - Required: No - Type: string - Default: `'EventHubArchive.AzureBlockBlob'` @@ -101,6 +119,7 @@ Name for capture destination. ### Parameter: `captureDescriptionDestinationStorageAccountResourceId` Resource ID of the storage account to be used to create the blobs. + - Required: No - Type: string - Default: `''` 
@@ -108,6 +127,7 @@ Resource ID of the storage account to be used to create the blobs. ### Parameter: `captureDescriptionEnabled` A value that indicates whether capture description is enabled. + - Required: No - Type: bool - Default: `False` @@ -115,6 +135,7 @@ A value that indicates whether capture description is enabled. ### Parameter: `captureDescriptionEncoding` Enumerates the possible values for the encoding format of capture description. Note: "AvroDeflate" will be deprecated in New API Version. + - Required: No - Type: string - Default: `'Avro'` @@ -129,6 +150,7 @@ Enumerates the possible values for the encoding format of capture description. N ### Parameter: `captureDescriptionIntervalInSeconds` The time window allows you to set the frequency with which the capture to Azure Blobs will happen. + - Required: No - Type: int - Default: `300` @@ -136,6 +158,7 @@ The time window allows you to set the frequency with which the capture to Azure ### Parameter: `captureDescriptionSizeLimitInBytes` The size window defines the amount of data built up in your Event Hub before an capture operation. + - Required: No - Type: int - Default: `314572800` @@ -143,6 +166,7 @@ The size window defines the amount of data built up in your Event Hub before an ### Parameter: `captureDescriptionSkipEmptyArchives` A value that indicates whether to Skip Empty Archives. + - Required: No - Type: bool - Default: `False` @@ -150,6 +174,7 @@ A value that indicates whether to Skip Empty Archives. ### Parameter: `consumergroups` The consumer groups to create in this event hub instance. + - Required: No - Type: array - Default: @@ -164,6 +189,7 @@ The consumer groups to create in this event hub instance. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -171,26 +197,35 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -198,25 +233,15 @@ Optional. Specify the name of lock. ### Parameter: `messageRetentionInDays` Number of days to retain the events for this Event Hub, value should be 1 to 7 days. Will be automatically set to infinite retention if cleanup policy is set to "Compact". + - Required: No - Type: int - Default: `1` -### Parameter: `name` - -The name of the event hub. -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent event hub namespace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `partitionCount` Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. + - Required: No - Type: int - Default: `2` 
@@ -224,6 +249,7 @@ Number of partitions created for the Event Hub, allowed values are from 1 to 32 ### Parameter: `retentionDescriptionCleanupPolicy` Retention cleanup policy. Enumerates the possible values for cleanup policy. + - Required: No - Type: string - Default: `'Delete'` @@ -238,6 +264,7 @@ Retention cleanup policy. Enumerates the possible values for cleanup policy. ### Parameter: `retentionDescriptionRetentionTimeInHours` Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. + - Required: No - Type: int - Default: `1` @@ -245,6 +272,7 @@ Retention time in hours. Number of hours to retain the events for this Event Hub ### Parameter: `retentionDescriptionTombstoneRetentionTimeInHours` Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. + - Required: No - Type: int - Default: `1` 
@@ -252,74 +280,96 @@ Retention cleanup policy. Number of hours to retain the tombstone markers of a c ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `status` Enumerates the possible values for the status of the Event Hub. + - Required: No - Type: string - Default: `'Active'` diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/README.md b/modules/event-hub/namespace/eventhub/authorization-rule/README.md index 4880cabcbd..f0679730be 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/README.md +++ b/modules/event-hub/namespace/eventhub/authorization-rule/README.md 
@@ -37,34 +37,39 @@ This module deploys an Event Hub Namespace Event Hub Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `name` -### Parameter: `eventHubName` +The name of the authorization rule. -The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `eventHubName` + +The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. -The name of the authorization rule. - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent event hub namespace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/event-hub/namespace/eventhub/consumergroup/README.md b/modules/event-hub/namespace/eventhub/consumergroup/README.md index 589b4fa044..7a0da60dee 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/README.md +++ b/modules/event-hub/namespace/eventhub/consumergroup/README.md 
@@ -37,34 +37,39 @@ This module deploys an Event Hub Namespace Event Hub Consumer Group. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`userMetadata`](#parameter-usermetadata) | string | User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `name` -### Parameter: `eventHubName` +The name of the consumer group. -The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `eventHubName` + +The name of the parent event hub namespace event hub. Required if the template is used in a standalone deployment. -The name of the consumer group. - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent event hub namespace. Required if the template is used in a standalone deployment.s. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `userMetadata` User Metadata is a placeholder to store user-defined string data with maximum length 1024. e.g. it can be used to store descriptive data, such as list of teams and their contact information also user-defined configuration settings can be stored. + - Required: No - Type: string - Default: `''` diff --git a/modules/event-hub/namespace/network-rule-set/README.md b/modules/event-hub/namespace/network-rule-set/README.md index ff9c6bb262..55f4143a56 100644 
--- a/modules/event-hub/namespace/network-rule-set/README.md +++ b/modules/event-hub/namespace/network-rule-set/README.md @@ -34,9 +34,17 @@ This module deploys an Event Hub Namespace Network Rule Set. | [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +### Parameter: `namespaceName` + +The name of the parent event hub namespace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `defaultAction` Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. + - Required: No - Type: string - Default: `'Allow'` @@ -51,6 +59,7 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -58,19 +67,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipRules` An array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". + - Required: No - Type: array - Default: `[]` -### Parameter: `namespaceName` - -The name of the parent event hub namespace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. + - Required: No - Type: string - Default: `'Enabled'` @@ -85,6 +90,7 @@ This determines if traffic is allowed over public network. Default is "Enabled". ### Parameter: `trustedServiceAccessEnabled` Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". + - Required: No - Type: bool - Default: `True` @@ -92,6 +98,7 @@ Value that indicates whether Trusted Service Access is enabled or not. Default i ### Parameter: `virtualNetworkRules` An array of subnet resource ID objects that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". + - Required: No - Type: array - Default: `[]` diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 6bc9b8f4a7..3b796cfb65 100644 --- a/modules/health-bot/health-bot/README.md 
+++ b/modules/health-bot/health-bot/README.md @@ -311,9 +311,32 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the resource. + +- Required: Yes +- Type: string + +### Parameter: `sku` + +The name of the Azure Health Bot SKU. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'C0' + 'F0' + 'S1' + ] + ``` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -321,6 +344,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -328,26 +352,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -355,112 +388,116 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array -### Parameter: `name` - -Name of the resource. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. 
The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `sku` +### Parameter: `roleAssignments.principalType` -The name of the Azure Health Bot SKU. -- Required: Yes +The principal type of the assigned principal ID. + +- Required: No - Type: string - Allowed: ```Bicep [ - 'C0' - 'F0' - 'S1' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' ] ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index c16881ae98..8b7c4da9e7 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -683,9 +683,17 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Health Data Services Workspace service. + +- Required: Yes +- Type: string + ### Parameter: `dicomservices` Deploy DICOM services. + - Required: No - Type: array - Default: `[]` 
@@ -693,6 +701,7 @@ Deploy DICOM services. ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -700,6 +709,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `fhirservices` Deploy FHIR services. + - Required: No - Type: array - Default: `[]` @@ -707,6 +717,7 @@ Deploy FHIR services. ### Parameter: `iotconnectors` Deploy IOT connectors. + - Required: No - Type: array - Default: `[]` @@ -714,6 +725,7 @@ Deploy IOT connectors. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -721,39 +733,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the Health Data Services Workspace service. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -768,74 +784,96 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/healthcare-apis/workspace/dicomservice/README.md b/modules/healthcare-apis/workspace/dicomservice/README.md index c90f58ca21..454ed418e7 100644 --- a/modules/healthcare-apis/workspace/dicomservice/README.md +++ b/modules/healthcare-apis/workspace/dicomservice/README.md @@ -48,9 +48,24 @@ This module deploys a Healthcare API Workspace DICOM Service. | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the DICOM service. + +- Required: Yes +- Type: string + +### Parameter: `workspaceName` + +The name of the parent health data services workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `corsAllowCredentials` Use this setting to indicate that cookies should be included in CORS requests. + - Required: No - Type: bool - Default: `False` @@ -58,6 +73,7 @@ Use this setting to indicate that cookies should be included in CORS requests. ### Parameter: `corsHeaders` Specify HTTP headers which can be used during the request. Use "*" for any header. + - Required: No - Type: array - Default: `[]` @@ -65,6 +81,7 @@ Specify HTTP headers which can be used during the request. Use "*" for any heade ### Parameter: `corsMaxAge` Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. + - Required: No - Type: int - Default: `-1` 
@@ -72,6 +89,7 @@ Specify how long a result from a request can be cached in seconds. Example: 600
 ### Parameter: `corsMethods`
 
 Specify the allowed HTTP methods.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -90,6 +108,7 @@ Specify the allowed HTTP methods.
 ### Parameter: `corsOrigins`
 
 Specify URLs of origin sites that can access this API, or use "*" to allow access from any site.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -97,114 +116,90 @@ Specify URLs of origin sites that can access this API, or use "*" to allow acces ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -212,6 +207,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -219,6 +215,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -226,26 +223,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -253,38 +259,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the DICOM service. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: string - Default: `'Disabled'` @@ -299,15 +302,10 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs 
diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md
index 958af930d2..a5e3cad81d 100644
--- a/modules/healthcare-apis/workspace/fhirservice/README.md
+++ b/modules/healthcare-apis/workspace/fhirservice/README.md
@@ -64,9 +64,24 @@ This module deploys a Healthcare API Workspace FHIR Service.
 | [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
+### Parameter: `name`
+
+The name of the FHIR service.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `workspaceName`
+
+The name of the parent health data services workspace. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `accessPolicyObjectIds`
 
 List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR service.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -74,6 +89,7 @@ List of Azure AD object IDs (User or Apps) that is allowed access to the FHIR se
 ### Parameter: `acrLoginServers`
 
 The list of the Azure container registry login servers.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -81,6 +97,7 @@ The list of the Azure container registry login servers.
 ### Parameter: `acrOciArtifacts`
 
 The list of Open Container Initiative (OCI) artifacts.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -88,6 +105,7 @@ The list of Open Container Initiative (OCI) artifacts.
 ### Parameter: `authenticationAudience`
 
 The audience url for the service.
+
 - Required: No
 - Type: string
 - Default: `[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('name'))]`
@@ -95,6 +113,7 @@ The audience url for the service.
 ### Parameter: `authenticationAuthority`
 
 The authority url for the service.
+
 - Required: No
 - Type: string
 - Default: `[uri(environment().authentication.loginEndpoint, subscription().tenantId)]`
@@ -102,6 +121,7 @@ The authority url for the service.
 ### Parameter: `corsAllowCredentials`
 
 Use this setting to indicate that cookies should be included in CORS requests.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -109,6 +129,7 @@ Use this setting to indicate that cookies should be included in CORS requests.
 ### Parameter: `corsHeaders`
 
 Specify HTTP headers which can be used during the request. Use "*" for any header.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -116,6 +137,7 @@ Specify HTTP headers which can be used during the request. Use "*" for any heade
 ### Parameter: `corsMaxAge`
 
 Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes.
+
 - Required: No
 - Type: int
 - Default: `-1`
@@ -123,6 +145,7 @@ Specify how long a result from a request can be cached in seconds. Example: 600
 ### Parameter: `corsMethods`
 
 Specify the allowed HTTP methods.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -141,6 +164,7 @@ Specify the allowed HTTP methods.
 ### Parameter: `corsOrigins`
 
 Specify URLs of origin sites that can access this API, or use "*" to allow access from any site.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -148,114 +172,90 @@ Specify URLs of origin sites that can access this API, or use "*" to allow acces ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -263,6 +263,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -270,6 +271,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `exportStorageAccountName` The name of the default export storage account. + - Required: No - Type: string - Default: `''` @@ -277,6 +279,7 @@ The name of the default export storage account. ### Parameter: `importEnabled` If the import operation is enabled. + - Required: No - Type: bool - Default: `False` @@ -284,6 +287,7 @@ If the import operation is enabled. ### Parameter: `importStorageAccountName` The name of the default integration storage account. + - Required: No - Type: string - Default: `''` @@ -291,6 +295,7 @@ The name of the default integration storage account. ### Parameter: `initialImportMode` If the FHIR service is in InitialImportMode. + - Required: No - Type: bool - Default: `False` @@ -298,6 +303,7 @@ If the FHIR service is in InitialImportMode. ### Parameter: `kind` The kind of the service. Defaults to R4. + - Required: No - Type: string - Default: `'fhir-R4'` @@ -312,6 +318,7 @@ The kind of the service. Defaults to R4. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -319,26 +326,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -346,38 +362,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the FHIR service. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: string - Default: `'Disabled'` @@ -392,6 +405,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `resourceVersionOverrides` A list of FHIR Resources and their version policy overrides. + - Required: No - Type: object - Default: `{}` 
@@ -399,6 +413,7 @@ A list of FHIR Resources and their version policy overrides.
 ### Parameter: `resourceVersionPolicy`
 
 The default value for tracking history across all resources.
+
 - Required: No
 - Type: string
 - Default: `'versioned'`
@@ -414,74 +429,96 @@ The default value for tracking history across all resources. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `smartProxyEnabled` If the SMART on FHIR proxy is enabled. + - Required: No - Type: bool - Default: `False` @@ -489,15 +526,10 @@ If the SMART on FHIR proxy is enabled. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/healthcare-apis/workspace/iotconnector/README.md b/modules/healthcare-apis/workspace/iotconnector/README.md index 9b64e6e344..72dff50dec 100644 --- a/modules/healthcare-apis/workspace/iotconnector/README.md +++ b/modules/healthcare-apis/workspace/iotconnector/README.md @@ -49,16 +49,10 @@ This module deploys a Healthcare API Workspace IoT Connector. | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `consumerGroup` - -Consumer group of the event hub to connected to. -- Required: No -- Type: string -- Default: `[parameters('name')]` - ### Parameter: `deviceMapping` The mapping JSON that determines how incoming device data is normalized. + - Required: No - Type: object - Default: 
@@ -69,117 +63,129 @@ The mapping JSON that determines how incoming device data is normalized. } ``` -### Parameter: `diagnosticSettings` +### Parameter: `eventHubName` -The diagnostic settings of the service. -- Required: No -- Type: array +Event Hub name to connect to. +- Required: Yes +- Type: string -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +### Parameter: `eventHubNamespaceName` -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` +Namespace of the Event Hub to connect to. -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +- Required: Yes +- Type: string -- Required: No +### Parameter: `name` + +The name of the MedTech service. + +- Required: Yes - Type: string -### Parameter: `diagnosticSettings.eventHubName` +### Parameter: `workspaceName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +The name of the parent health data services workspace. Required if the template is used in a standalone deployment. -- Required: No +- Required: Yes - Type: string -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` +### Parameter: `consumerGroup` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
+Consumer group of the event hub to connected to. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Default: `[parameters('name')]` -### Parameter: `diagnosticSettings.logCategoriesAndGroups` +### Parameter: `diagnosticSettings` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The diagnostic settings of the service. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` +### Parameter: `diagnosticSettings.eventHubName` -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` -### Parameter: `diagnosticSettings.metricCategories` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. 
+The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. -- Required: Yes +- Required: No - Type: string +### Parameter: `diagnosticSettings.metricCategories` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string 
@@ -187,25 +193,15 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `eventHubName` - -Event Hub name to connect to. -- Required: Yes -- Type: string - -### Parameter: `eventHubNamespaceName` - -Namespace of the Event Hub to connect to. -- Required: Yes -- Type: string - ### Parameter: `fhirdestination` FHIR Destination. + - Required: No - Type: object - Default: `{}` @@ -213,6 +209,7 @@ FHIR Destination. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -220,26 +217,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -247,47 +253,38 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the MedTech service. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md index 3e561c8be8..2b4f0ee464 100644 --- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md 
+++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/README.md @@ -44,6 +44,7 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination. ### Parameter: `destinationMapping` The mapping JSON that determines how normalized data is converted to FHIR Observations. + - Required: No - Type: object - Default: @@ -54,41 +55,54 @@ The mapping JSON that determines how normalized data is converted to FHIR Observ } ``` -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `fhirServiceResourceId` The resource identifier of the FHIR Service to connect to. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the FHIR destination. + - Required: Yes - Type: string ### Parameter: `iotConnectorName` The name of the MedTech service to add this destination to. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `workspaceName` + +The name of the parent health data services workspace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the FHIR destination. -- Required: Yes -- Type: string - ### Parameter: `resourceIdentityResolutionType` Determines how resource identity is resolved on the destination. + - Required: No - Type: string - Default: `'Lookup'` 
@@ -100,12 +114,6 @@ Determines how resource identity is resolved on the destination. ] ``` -### Parameter: `workspaceName` - -The name of the parent health data services workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index 36196c3663..c5087c691b 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -358,9 +358,24 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { | [`voiceReceivers`](#parameter-voicereceivers) | array | The list of voice receivers that are part of this action group. | | [`webhookReceivers`](#parameter-webhookreceivers) | array | The list of webhook receivers that are part of this action group. | +### Parameter: `groupShortName` + +The short name of the action group. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the action group. + +- Required: Yes +- Type: string + ### Parameter: `armRoleReceivers` The list of ARM role receivers that are part of this action group. Roles are Azure RBAC roles and only built-in roles are supported. + - Required: No - Type: array - Default: `[]` @@ -368,6 +383,7 @@ The list of ARM role receivers that are part of this action group. Roles are Azu ### Parameter: `automationRunbookReceivers` The list of AutomationRunbook receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` @@ -375,6 +391,7 @@ The list of AutomationRunbook receivers that are part of this action group. ### Parameter: `azureAppPushReceivers` The list of AzureAppPush receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` 
@@ -382,6 +399,7 @@ The list of AzureAppPush receivers that are part of this action group. ### Parameter: `azureFunctionReceivers` The list of function receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` @@ -389,6 +407,7 @@ The list of function receivers that are part of this action group. ### Parameter: `emailReceivers` The list of email receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` @@ -396,6 +415,7 @@ The list of email receivers that are part of this action group. ### Parameter: `enabled` Indicates whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications. + - Required: No - Type: bool - Default: `True` @@ -403,19 +423,15 @@ Indicates whether this action group is enabled. If an action group is not enable ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `groupShortName` - -The short name of the action group. -- Required: Yes -- Type: string - ### Parameter: `itsmReceivers` The list of ITSM receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` @@ -423,6 +439,7 @@ The list of ITSM receivers that are part of this action group. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `'global'` 
@@ -430,87 +447,104 @@ Location for all resources. ### Parameter: `logicAppReceivers` The list of logic app receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The name of the action group. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `smsReceivers` The list of SMS receivers that are part of this action group. 
+ - Required: No - Type: array - Default: `[]` @@ -518,12 +552,14 @@ The list of SMS receivers that are part of this action group. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `voiceReceivers` The list of voice receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` @@ -531,6 +567,7 @@ The list of voice receivers that are part of this action group. ### Parameter: `webhookReceivers` The list of webhook receivers that are part of this action group. + - Required: No - Type: array - Default: `[]` diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index d6bec73204..b7efef2649 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -379,9 +379,24 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { | [`scopes`](#parameter-scopes) | array | The list of resource IDs that this Activity Log Alert is scoped to. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `conditions` + +An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). + +- Required: Yes +- Type: array + +### Parameter: `name` + +The name of the alert. + +- Required: Yes +- Type: string + ### Parameter: `actions` The list of actions to take when alert triggers. + - Required: No - Type: array - Default: `[]` 
@@ -389,19 +404,15 @@ The list of actions to take when alert triggers. ### Parameter: `alertDescription` Description of the alert. + - Required: No - Type: string - Default: `''` -### Parameter: `conditions` - -An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy). -- Required: Yes -- Type: array - ### Parameter: `enabled` Indicates whether this alert is enabled. + - Required: No - Type: bool - Default: `True` @@ -409,6 +420,7 @@ Indicates whether this alert is enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -416,87 +428,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `'global'` -### Parameter: `name` - -The name of the alert. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scopes` The list of resource IDs that this Activity Log Alert is scoped to. + - Required: No - Type: array - Default: @@ -509,6 +538,7 @@ The list of resource IDs that this Activity Log Alert is scoped to. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 49d3a6a122..71509c45e5 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -330,9 +330,24 @@ module component 'br:bicep/modules/insights.component:1.0.0' = { | [`samplingPercentage`](#parameter-samplingpercentage) | int | Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Application Insights. + +- Required: Yes +- Type: string + +### Parameter: `workspaceResourceId` + +Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. + +- Required: Yes +- Type: string + ### Parameter: `applicationType` Application type. + - Required: No - Type: string - Default: `'web'` 
@@ -347,114 +362,90 @@ Application type. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -462,6 +453,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -469,6 +461,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `kind` The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. + - Required: No - Type: string - Default: `''` @@ -476,19 +469,15 @@ The kind of application that this component refers to, used to customize UI. Thi ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Name of the Application Insights. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccessForIngestion` The network access type for accessing Application Insights ingestion. - Enabled or Disabled. + - Required: No - Type: string - Default: `'Enabled'` @@ -503,6 +492,7 @@ The network access type for accessing Application Insights ingestion. - Enabled ### Parameter: `publicNetworkAccessForQuery` The network access type for accessing Application Insights query. - Enabled or Disabled. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -517,6 +507,7 @@ The network access type for accessing Application Insights query. - Enabled or D ### Parameter: `retentionInDays` Retention period in days. + - Required: No - Type: int - Default: `365` 
@@ -538,74 +529,96 @@ Retention period in days. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `samplingPercentage` Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry. + - Required: No - Type: int - Default: `100` @@ -613,15 +626,10 @@ Percentage of the data produced by the application being monitored that is being ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `workspaceResourceId` - -Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 4f94650da2..f37af6c9f6 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -287,9 +287,17 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +The name of the data collection endpoint. The name is case insensitive. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -297,6 +305,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `kind` The kind of the resource. + - Required: No - Type: string - Default: `'Linux'` 
@@ -311,6 +320,7 @@ The kind of the resource. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -318,39 +328,43 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the data collection endpoint. The name is case insensitive. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` The configuration to set whether network access from public internet to the endpoints are allowed. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -365,74 +379,96 @@ The configuration to set whether network access from public internet to the endp ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md index 176e51eab6..ea8e8c8b8b 100644 --- a/modules/insights/data-collection-rule/README.md +++ b/modules/insights/data-collection-rule/README.md 
@@ -1504,41 +1504,54 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0' | [`streamDeclarations`](#parameter-streamdeclarations) | object | Declaration of custom streams used in this rule. | | [`tags`](#parameter-tags) | object | Resource tags. | -### Parameter: `dataCollectionEndpointId` - -The resource ID of the data collection endpoint that this rule can be used with. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `dataFlows` The specification of data flows. + - Required: Yes - Type: array ### Parameter: `dataSources` Specification of data sources that will be collected. + - Required: Yes - Type: object -### Parameter: `description` +### Parameter: `destinations` + +Specification of destinations that can be used in data flows. + +- Required: Yes +- Type: object + +### Parameter: `name` + +The name of the data collection rule. The name is case insensitive. + +- Required: Yes +- Type: string + +### Parameter: `dataCollectionEndpointId` + +The resource ID of the data collection endpoint that this rule can be used with. -Description of the data collection rule. - Required: No - Type: string - Default: `''` -### Parameter: `destinations` +### Parameter: `description` -Specification of destinations that can be used in data flows. -- Required: Yes -- Type: object +Description of the data collection rule. + +- Required: No +- Type: string +- Default: `''` ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -1546,6 +1559,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `kind` The kind of the resource. + - Required: No - Type: string - Default: `'Linux'` @@ -1560,6 +1574,7 @@ The kind of the resource. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1567,107 +1582,132 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the data collection rule. The name is case insensitive. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `streamDeclarations` Declaration of custom streams used in this rule. + - Required: No - Type: object - Default: `{}` @@ -1675,6 +1715,7 @@ Declaration of custom streams used in this rule. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index db7021624f..35e68f7f10 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -195,6 +195,7 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -202,18 +203,21 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventHubAuthorizationRuleResourceId` Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. + - Required: No - Type: string ### Parameter: `eventHubName` Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. + - Required: No - Type: string ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -221,6 +225,7 @@ Location deployment metadata. ### Parameter: `logAnalyticsDestinationType` A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. + - Required: No - Type: string - Default: `''` 
@@ -236,25 +241,27 @@ A string indicating whether the export to Log Analytics should use the default d ### Parameter: `logCategoriesAndGroups` The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-logcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-logcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`category`](#parameter-logcategoriesandgroupscategory) | string | Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | +| [`categoryGroup`](#parameter-logcategoriesandgroupscategorygroup) | string | Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | ### Parameter: `logCategoriesAndGroups.category` -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. +Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - Required: No - Type: string ### Parameter: `logCategoriesAndGroups.categoryGroup` -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. +Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - Required: No - Type: string 
@@ -262,23 +269,26 @@ Optional. Name of a Diagnostic Log category group for a resource type this setti ### Parameter: `marketplacePartnerResourceId` The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. + - Required: No - Type: string ### Parameter: `metricCategories` The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-metriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`category`](#parameter-metriccategoriescategory) | string | Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | ### Parameter: `metricCategories.category` -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. +Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - Required: Yes - Type: string @@ -286,6 +296,7 @@ Required. Name of a Diagnostic Metric category for a resource type this setting ### Parameter: `name` Name of the Diagnostic settings. + - Required: No - Type: string - Default: `[format('{0}-diagnosticSettings', uniqueString(subscription().id))]` @@ -293,12 +304,14 @@ Name of the Diagnostic settings. ### Parameter: `storageAccountResourceId` Resource ID of the diagnostic storage account. + - Required: No - Type: string ### Parameter: `workspaceResourceId` Resource ID of the diagnostic log analytics workspace. + - Required: No - Type: string 
diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 73bea47720..4a80c79593 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -315,9 +315,40 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`windowSize`](#parameter-windowsize) | string | the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. | +### Parameter: `criterias` + +Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. + +- Required: Yes +- Type: array + +### Parameter: `name` + +The name of the alert. + +- Required: Yes +- Type: string + +### Parameter: `targetResourceRegion` + +The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `targetResourceType` + +The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `actions` The list of actions to take when alert triggers. + - Required: No - Type: array - Default: `[]` 
@@ -325,6 +356,7 @@ The list of actions to take when alert triggers. ### Parameter: `alertCriteriaType` Maps to the 'odata.type' field. Specifies the type of the alert criteria. + - Required: No - Type: string - Default: `'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria'` @@ -340,6 +372,7 @@ Maps to the 'odata.type' field. Specifies the type of the alert criteria. ### Parameter: `alertDescription` Description of the alert. + - Required: No - Type: string - Default: `''` @@ -347,19 +380,15 @@ Description of the alert. ### Parameter: `autoMitigate` The flag that indicates whether the alert should be auto resolved or not. + - Required: No - Type: bool - Default: `True` -### Parameter: `criterias` - -Criterias to trigger the alert. Array of 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria' or 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated. -- Required: Yes -- Type: array - ### Parameter: `enabled` Indicates whether this alert is enabled. + - Required: No - Type: bool - Default: `True` @@ -367,6 +396,7 @@ Indicates whether this alert is enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -374,6 +404,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `evaluationFrequency` how often the metric alert is evaluated represented in ISO 8601 duration format. + - Required: No - Type: string - Default: `'PT5M'` 
@@ -391,87 +422,104 @@ how often the metric alert is evaluated represented in ISO 8601 duration format. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `'global'` -### Parameter: `name` - -The name of the alert. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scopes` the list of resource IDs that this metric alert is scoped to. + - Required: No - Type: array - Default: @@ -484,6 +532,7 @@ the list of resource IDs that this metric alert is scoped to. ### Parameter: `severity` The severity of the alert. + - Required: No - Type: int - Default: `3` @@ -501,26 +550,14 @@ The severity of the alert. ### Parameter: `tags` Tags of the resource. -- Required: No -- Type: object -### Parameter: `targetResourceRegion` - -The region of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. - Required: No -- Type: string -- Default: `''` - -### Parameter: `targetResourceType` - -The resource type of the target resource(s) on which the alert is created/updated. Required if alertCriteriaType is MultipleResourceMultipleMetricCriteria. -- Required: No -- Type: string -- Default: `''` +- Type: object ### Parameter: `windowSize` the period of time (in ISO 8601 duration format) that is used to monitor alert activity based on the threshold. + - Required: No - Type: string - Default: `'PT15M'` diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index dbe63cc67b..4470ffb40d 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md 
@@ -339,9 +339,17 @@ This instance deploys the module in alignment with the best-practices of the Azu | [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +Name of the private link scope. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -349,6 +357,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` The location of the private link scope. Should be global. + - Required: No - Type: string - Default: `'global'` 
@@ -356,230 +365,283 @@ The location of the private link scope. Should be global. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the private link scope. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. 
| -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. 
Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. 
+The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. 
| -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. 
Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private endpoint. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. 
- Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -587,74 +649,96 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scopedResources` Configuration details for Azure Monitor Resources. + - Required: No - Type: array - Default: `[]` @@ -662,6 +746,7 @@ Configuration details for Azure Monitor Resources. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/insights/private-link-scope/scoped-resource/README.md b/modules/insights/private-link-scope/scoped-resource/README.md index 77b61ba102..5946a32116 100644 --- a/modules/insights/private-link-scope/scoped-resource/README.md +++ b/modules/insights/private-link-scope/scoped-resource/README.md @@ -36,31 +36,35 @@ This module deploys a Private Link Scope Scoped Resource. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `linkedResourceId` The resource ID of the scoped Azure monitor resource. + - Required: Yes - Type: string ### Parameter: `name` Name of the private link scoped resource. + - Required: Yes - Type: string ### Parameter: `privateLinkScopeName` The name of the parent private link scope. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index ea540474e8..4b925dc11d 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md 
@@ -392,9 +392,31 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' | [`targetResourceTypes`](#parameter-targetresourcetypes) | array | List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. | | [`windowSize`](#parameter-windowsize) | string | The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. | +### Parameter: `criterias` + +The rule criteria that defines the conditions of the scheduled query rule. + +- Required: Yes +- Type: object + +### Parameter: `name` + +The name of the Alert. + +- Required: Yes +- Type: string + +### Parameter: `scopes` + +The list of resource IDs that this scheduled query rule is scoped to. + +- Required: Yes +- Type: array + ### Parameter: `actions` Actions to invoke when the alert fires. + - Required: No - Type: array - Default: `[]` @@ -402,6 +424,7 @@ Actions to invoke when the alert fires. ### Parameter: `alertDescription` The description of the scheduled query rule. + - Required: No - Type: string - Default: `''` @@ -409,19 +432,15 @@ The description of the scheduled query rule. ### Parameter: `autoMitigate` The flag that indicates whether the alert should be automatically resolved or not. Relevant only for rules of the kind LogAlert. + - Required: No - Type: bool - Default: `True` -### Parameter: `criterias` - -The rule criteria that defines the conditions of the scheduled query rule. -- Required: Yes -- Type: object - ### Parameter: `enabled` The flag which indicates whether this scheduled query rule is enabled. + - Required: No - Type: bool - Default: `True` 
@@ -429,6 +448,7 @@ The flag which indicates whether this scheduled query rule is enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -436,6 +456,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `evaluationFrequency` How often the scheduled query rule is evaluated represented in ISO 8601 duration format. Relevant and required only for rules of the kind LogAlert. + - Required: No - Type: string - Default: `''` @@ -443,6 +464,7 @@ How often the scheduled query rule is evaluated represented in ISO 8601 duration ### Parameter: `kind` Indicates the type of scheduled query rule. + - Required: No - Type: string - Default: `'LogAlert'` @@ -457,19 +479,15 @@ Indicates the type of scheduled query rule. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the Alert. -- Required: Yes -- Type: string - ### Parameter: `queryTimeRange` If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. + - Required: No - Type: string - Default: `''` 
@@ -477,80 +495,96 @@ If specified (in ISO 8601 duration format) then overrides the query time range. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string - -### Parameter: `scopes` - -The list of resource IDs that this scheduled query rule is scoped to. -- Required: Yes -- Type: array +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `severity` Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. + - Required: No - Type: int - Default: `3` @@ -568,6 +602,7 @@ Severity of the alert. Should be an integer between [0-4]. Value of 0 is severes ### Parameter: `skipQueryValidation` The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. + - Required: No - Type: bool - Default: `False` @@ -575,6 +610,7 @@ The flag which indicates whether the provided query should be validated or not. ### Parameter: `suppressForMinutes` Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. + - Required: No - Type: string - Default: `''` @@ -582,12 +618,14 @@ Mute actions for the chosen period of time (in ISO 8601 duration format) after t ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `targetResourceTypes` List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert. + - Required: No - Type: array - Default: `[]` 
@@ -595,6 +633,7 @@ List of resource type of the target resource(s) on which the alert is created/up ### Parameter: `windowSize` The period of time (in ISO 8601 duration format) on which the Alert query will be executed (bin size). Relevant and required only for rules of the kind LogAlert. + - Required: No - Type: string - Default: `''` diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index 3f532543ca..e08756c1d1 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -329,9 +329,38 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { | [`timeout`](#parameter-timeout) | int | Seconds until this WebTest will timeout and fail. | | [`validationRules`](#parameter-validationrules) | object | The collection of validation rule properties. | +### Parameter: `name` + +Name of the webtest. + +- Required: Yes +- Type: string + +### Parameter: `request` + +The collection of request properties. + +- Required: Yes +- Type: object + +### Parameter: `tags` + +A single hidden-link tag pointing to an existing AI component is required. + +- Required: Yes +- Type: object + +### Parameter: `webTestName` + +User defined name if this WebTest. + +- Required: Yes +- Type: string + ### Parameter: `configuration` An XML configuration specification for a WebTest. + - Required: No - Type: object - Default: `{}` @@ -339,6 +368,7 @@ An XML configuration specification for a WebTest. ### Parameter: `description` User defined description for this WebTest. + - Required: No - Type: string - Default: `''` @@ -346,6 +376,7 @@ User defined description for this WebTest. ### Parameter: `enabled` Is the test actively being monitored. + - Required: No - Type: bool - Default: `True` @@ -353,6 +384,7 @@ Is the test actively being monitored. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -360,6 +392,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `frequency` Interval in seconds between test runs for this WebTest. + - Required: No - Type: int - Default: `300` @@ -367,6 +400,7 @@ Interval in seconds between test runs for this WebTest. ### Parameter: `kind` The kind of WebTest that this web test watches. + - Required: No - Type: string - Default: `'standard'` @@ -382,6 +416,7 @@ The kind of WebTest that this web test watches. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -389,6 +424,7 @@ Location for all Resources. ### Parameter: `locations` List of where to physically run the tests from to give global coverage for accessibility of your application. + - Required: No - Type: array - Default: 
@@ -415,45 +451,43 @@ List of where to physically run the tests from to give global coverage for acces ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the webtest. -- Required: Yes -- Type: string - -### Parameter: `request` - -The collection of request properties. -- Required: Yes -- Type: object - ### Parameter: `retryEnabled` Allow for retries should this WebTest fail. + - Required: No - Type: bool - Default: `True` 
@@ -461,87 +495,104 @@ Allow for retries should this WebTest fail. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `syntheticMonitorId` Unique ID of this WebTest. 
+ - Required: No - Type: string - Default: `[parameters('name')]` -### Parameter: `tags` - -A single hidden-link tag pointing to an existing AI component is required. -- Required: Yes -- Type: object - ### Parameter: `timeout` Seconds until this WebTest will timeout and fail. + - Required: No - Type: int - Default: `30` @@ -549,16 +600,11 @@ Seconds until this WebTest will timeout and fail. ### Parameter: `validationRules` The collection of validation rule properties. + - Required: No - Type: object - Default: `{}` -### Parameter: `webTestName` - -User defined name if this WebTest. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 155324660e..d78189962a 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -1113,9 +1113,17 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { | [`tags`](#parameter-tags) | object | Resource tags. | | [`vaultSku`](#parameter-vaultsku) | string | Specifies the SKU for the vault. | +### Parameter: `name` + +Name of the Key Vault. Must be globally unique. + +- Required: Yes +- Type: string + ### Parameter: `accessPolicies` All access policies to create. + - Required: No - Type: array - Default: `[]` @@ -1123,6 +1131,7 @@ All access policies to create. ### Parameter: `createMode` The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. + - Required: No - Type: string - Default: `'default'` 
@@ -1130,114 +1139,90 @@ The vault's create mode to indicate whether the vault need to be recovered or no ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1245,6 +1230,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1252,6 +1238,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enablePurgeProtection` Provide 'true' to enable Key Vault's purge protection feature. + - Required: No - Type: bool - Default: `True` @@ -1259,6 +1246,7 @@ Provide 'true' to enable Key Vault's purge protection feature. ### Parameter: `enableRbacAuthorization` Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. + - Required: No - Type: bool - Default: `True` @@ -1266,6 +1254,7 @@ Property that controls how data actions are authorized. When true, the key vault ### Parameter: `enableSoftDelete` Switch to enable/disable Key Vault's soft delete feature. + - Required: No - Type: bool - Default: `True` 
@@ -1273,6 +1262,7 @@ Switch to enable/disable Key Vault's soft delete feature. ### Parameter: `enableVaultForDeployment` Specifies if the vault is enabled for deployment by script or compute. + - Required: No - Type: bool - Default: `True` @@ -1280,6 +1270,7 @@ Specifies if the vault is enabled for deployment by script or compute. ### Parameter: `enableVaultForDiskEncryption` Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. + - Required: No - Type: bool - Default: `True` @@ -1287,6 +1278,7 @@ Specifies if the azure platform has access to the vault for enabling disk encryp ### Parameter: `enableVaultForTemplateDeployment` Specifies if the vault is enabled for a template deployment. + - Required: No - Type: bool - Default: `True` @@ -1294,6 +1286,7 @@ Specifies if the vault is enabled for a template deployment. ### Parameter: `keys` All keys to create. + - Required: No - Type: array - Default: `[]` @@ -1301,6 +1294,7 @@ All keys to create. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1308,39 +1302,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Key Vault. Must be globally unique. -- Required: Yes -- Type: string - ### Parameter: `networkAcls` Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. + - Required: No - Type: object - Default: `{}` 
@@ -1348,197 +1346,247 @@ Service endpoint object information. For security reasons, it is recommended to ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. 
| +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. 
| +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
- Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private endpoint. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1546,6 +1594,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. + - Required: No - Type: string - Default: `''` 
@@ -1561,74 +1610,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `secrets` All secrets to create. + - Required: No - Type: secureObject - Default: `{}` 
@@ -1636,6 +1707,7 @@ All secrets to create. ### Parameter: `softDeleteRetentionInDays` softDelete data retention days. It accepts >=7 and <=90. + - Required: No - Type: int - Default: `90` @@ -1643,12 +1715,14 @@ softDelete data retention days. It accepts >=7 and <=90. ### Parameter: `tags` Resource tags. + - Required: No - Type: object ### Parameter: `vaultSku` Specifies the SKU for the vault. + - Required: No - Type: string - Default: `'premium'` diff --git a/modules/key-vault/vault/access-policy/README.md b/modules/key-vault/vault/access-policy/README.md index 3cd899cab1..4e417d6857 100644 --- a/modules/key-vault/vault/access-policy/README.md +++ b/modules/key-vault/vault/access-policy/README.md @@ -30,9 +30,17 @@ This module deploys a Key Vault Access Policy. | [`accessPolicies`](#parameter-accesspolicies) | array | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `accessPolicies` An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. + - Required: No - Type: array - Default: `[]` @@ -40,16 +48,11 @@ An array of 0 to 16 identities that have access to the key vault. All identities ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `keyVaultName` - -The name of the parent key vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs 
diff --git a/modules/key-vault/vault/key/README.md b/modules/key-vault/vault/key/README.md index 9a4617afd2..56a60ada8c 100644 --- a/modules/key-vault/vault/key/README.md +++ b/modules/key-vault/vault/key/README.md @@ -47,9 +47,24 @@ This module deploys a Key Vault Key. | [`rotationPolicy`](#parameter-rotationpolicy) | object | Key rotation policy properties object. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +The name of the key. + +- Required: Yes +- Type: string + +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `attributesEnabled` Determines whether the object is enabled. + - Required: No - Type: bool - Default: `True` @@ -57,6 +72,7 @@ Determines whether the object is enabled. ### Parameter: `attributesExp` Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. + - Required: No - Type: int - Default: `-1` @@ -64,6 +80,7 @@ Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is r ### Parameter: `attributesNbf` Not before date in seconds since 1970-01-01T00:00:00Z. + - Required: No - Type: int - Default: `-1` @@ -71,6 +88,7 @@ Not before date in seconds since 1970-01-01T00:00:00Z. ### Parameter: `curveName` The elliptic curve name. + - Required: No - Type: string - Default: `'P-256'` @@ -87,6 +105,7 @@ The elliptic curve name. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -94,6 +113,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `keyOps` Array of JsonWebKeyOperation. + - Required: No - Type: array - Default: `[]` 
@@ -113,19 +133,15 @@ Array of JsonWebKeyOperation. ### Parameter: `keySize` The key size in bits. For example: 2048, 3072, or 4096 for RSA. + - Required: No - Type: int - Default: `-1` -### Parameter: `keyVaultName` - -The name of the parent key vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `kty` The type of the key. + - Required: No - Type: string - Default: `'EC'` 
@@ -139,83 +155,99 @@ The type of the key. ] ``` -### Parameter: `name` - -The name of the key. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `rotationPolicy` Key rotation policy properties object. + - Required: No - Type: object - Default: `{}` 
@@ -223,6 +255,7 @@ Key rotation policy properties object. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/key-vault/vault/secret/README.md b/modules/key-vault/vault/secret/README.md index 93ae0de35b..781351c2d8 100644 --- a/modules/key-vault/vault/secret/README.md +++ b/modules/key-vault/vault/secret/README.md @@ -43,9 +43,31 @@ This module deploys a Key Vault Secret. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +The name of the secret. + +- Required: Yes +- Type: string + +### Parameter: `value` + +The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. + +- Required: Yes +- Type: securestring + +### Parameter: `keyVaultName` + +The name of the parent key vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `attributesEnabled` Determines whether the object is enabled. + - Required: No - Type: bool - Default: `True` @@ -53,6 +75,7 @@ Determines whether the object is enabled. ### Parameter: `attributesExp` Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. + - Required: No - Type: int - Default: `-1` 
@@ -60,6 +83,7 @@ Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is r ### Parameter: `attributesNbf` Not before date in seconds since 1970-01-01T00:00:00Z. + - Required: No - Type: int - Default: `-1` @@ -67,6 +91,7 @@ Not before date in seconds since 1970-01-01T00:00:00Z. ### Parameter: `contentType` The content type of the secret. + - Required: No - Type: securestring - Default: `''` 
@@ -74,102 +99,107 @@ The content type of the secret. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `keyVaultName` - -The name of the parent key vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the secret. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. 
The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Resource tags. + - Required: No - Type: object -### Parameter: `value` - -The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. -- Required: Yes -- Type: securestring - ## Outputs diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 9019bb4998..638d8bb08c 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -17,7 +17,7 @@ This module deploys a Kubernetes Configuration Extension. | Resource Type | API Version | | :-- | :-- | | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | ## Usage examples @@ -132,6 +132,16 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } namespace: 'flux-system' } ] 
@@ -189,6 +199,16 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" }, + "kustomizations": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + }, "namespace": "flux-system" } ] @@ -246,6 +266,16 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { timeoutInSeconds: 180 url: 'https://github.com/mspnp/aks-baseline' } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } namespace: 'flux-system' } ] @@ -303,6 +333,16 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { "timeoutInSeconds": 180, "url": "https://github.com/mspnp/aks-baseline" }, + "kustomizations": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + }, "namespace": "flux-system" } ] @@ -351,12 +391,28 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { ### Parameter: `clusterName` The name of the AKS cluster that should be configured. + +- Required: Yes +- Type: string + +### Parameter: `extensionType` + +Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the Flux Configuration. + - Required: Yes - Type: string ### Parameter: `configurationProtectedSettings` Configuration settings that are sensitive, as name-value pairs for configuring this extension. + - Required: No - Type: secureObject - Default: `{}` 
@@ -364,6 +420,7 @@ Configuration settings that are sensitive, as name-value pairs for configuring t ### Parameter: `configurationSettings` Configuration settings, as name-value pairs for configuring this extension. + - Required: No - Type: object - Default: `{}` @@ -371,19 +428,15 @@ Configuration settings, as name-value pairs for configuring this extension. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `extensionType` - -Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher. -- Required: Yes -- Type: string - ### Parameter: `fluxConfigurations` A list of flux configuraitons. + - Required: No - Type: array - Default: `[]` @@ -391,19 +444,15 @@ A list of flux configuraitons. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the Flux Configuration. -- Required: Yes -- Type: string - ### Parameter: `releaseNamespace` Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. + - Required: No - Type: string - Default: `''` @@ -411,6 +460,7 @@ Namespace where the extension Release must be placed, for a Cluster scoped exten ### Parameter: `releaseTrain` ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". + - Required: No - Type: string - Default: `'Stable'` 
@@ -418,6 +468,7 @@ ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Previ ### Parameter: `targetNamespace` Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created. + - Required: No - Type: string - Default: `''` @@ -425,6 +476,7 @@ Namespace where the extension will be created for an Namespace scoped extension. ### Parameter: `version` Version of the extension for this extension, if it is "pinned" to a specific version. + - Required: No - Type: string - Default: `''` diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 2da23ceb45..8f11c31731 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md 
@@ -374,68 +374,38 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu | [`location`](#parameter-location) | string | Location for all resources. | | [`suspend`](#parameter-suspend) | bool | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | -### Parameter: `bucket` - -Parameters to reconcile to the GitRepository source kind type. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `clusterName` The name of the AKS cluster that should be configured. + - Required: Yes - Type: string -### Parameter: `configurationProtectedSettings` - -Key-value pairs of protected configuration settings for the configuration. -- Required: No -- Type: secureObject -- Default: `{}` - -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `gitRepository` - -Parameters to reconcile to the GitRepository source kind type. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `kustomizations` Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. + - Required: Yes - Type: object -### Parameter: `location` - -Location for all resources. -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - ### Parameter: `name` The name of the Flux Configuration. + - Required: Yes - Type: string ### Parameter: `namespace` The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only. + - Required: Yes - Type: string ### Parameter: `scope` Scope at which the configuration will be installed. + - Required: Yes - Type: string - Allowed: @@ -449,6 +419,7 @@ Scope at which the configuration will be installed. ### Parameter: `sourceKind` Source Kind to pull the configuration data from. + - Required: Yes - Type: string - Allowed: 
@@ -459,9 +430,50 @@ Source Kind to pull the configuration data from. ] ``` +### Parameter: `bucket` + +Parameters to reconcile to the GitRepository source kind type. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `configurationProtectedSettings` + +Key-value pairs of protected configuration settings for the configuration. + +- Required: No +- Type: secureObject +- Default: `{}` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `gitRepository` + +Parameters to reconcile to the GitRepository source kind type. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `location` + +Location for all resources. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + ### Parameter: `suspend` Whether this configuration should suspend its reconciliation of its kustomizations and sources. + - Required: No - Type: bool - Default: `False` diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index a8dec6b147..a078f14601 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md 
@@ -457,9 +457,17 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { | [`workflowStaticResults`](#parameter-workflowstaticresults) | object | The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. | | [`workflowTriggers`](#parameter-workflowtriggers) | object | The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. | +### Parameter: `name` + +The logic app workflow name. + +- Required: Yes +- Type: string + ### Parameter: `actionsAccessControlConfiguration` The access control configuration for workflow actions. + - Required: No - Type: object - Default: `{}` @@ -467,6 +475,7 @@ The access control configuration for workflow actions. ### Parameter: `connectorEndpointsConfiguration` The endpoints configuration: Access endpoint and outgoing IP addresses for the connector. + - Required: No - Type: object - Default: `{}` @@ -474,6 +483,7 @@ The endpoints configuration: Access endpoint and outgoing IP addresses for the ### Parameter: `contentsAccessControlConfiguration` The access control configuration for accessing workflow run contents. + - Required: No - Type: object - Default: `{}` @@ -481,6 +491,7 @@ The access control configuration for accessing workflow run contents. ### Parameter: `definitionParameters` Parameters for the definition template. + - Required: No - Type: object - Default: `{}` 
@@ -488,114 +499,90 @@ Parameters for the definition template. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -603,6 +590,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -610,6 +598,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `integrationAccount` The integration account. + - Required: No - Type: object - Default: `{}` @@ -617,6 +606,7 @@ The integration account. ### Parameter: `integrationServiceEnvironmentResourceId` The integration service environment Id. + - Required: No - Type: string - Default: `''` @@ -624,6 +614,7 @@ The integration service environment Id. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -631,26 +622,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -658,106 +658,124 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The logic app workflow name. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+ - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `state` The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. + - Required: No - Type: string - Default: `'Enabled'` @@ -776,12 +794,14 @@ The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `triggersAccessControlConfiguration` The access control configuration for invoking workflow triggers. + - Required: No - Type: object - Default: `{}` 
@@ -789,6 +809,7 @@ The access control configuration for invoking workflow triggers. ### Parameter: `workflowActions` The definitions for one or more actions to execute at workflow runtime. + - Required: No - Type: object - Default: `{}` @@ -796,6 +817,7 @@ The definitions for one or more actions to execute at workflow runtime. ### Parameter: `workflowEndpointsConfiguration` The endpoints configuration: Access endpoint and outgoing IP addresses for the workflow. + - Required: No - Type: object - Default: `{}` @@ -803,6 +825,7 @@ The endpoints configuration: Access endpoint and outgoing IP addresses for the ### Parameter: `workflowManagementAccessControlConfiguration` The access control configuration for workflow management. + - Required: No - Type: object - Default: `{}` @@ -810,6 +833,7 @@ The access control configuration for workflow management. ### Parameter: `workflowOutputs` The definitions for the outputs to return from a workflow run. + - Required: No - Type: object - Default: `{}` @@ -817,6 +841,7 @@ The definitions for the outputs to return from a workflow run. ### Parameter: `workflowParameters` The definitions for one or more parameters that pass the values to use at your logic app's runtime. + - Required: No - Type: object - Default: `{}` @@ -824,6 +849,7 @@ The definitions for one or more parameters that pass the values to use at your l ### Parameter: `workflowStaticResults` The definitions for one or more static results returned by actions as mock outputs when static results are enabled on those actions. In each action definition, the runtimeConfiguration.staticResult.name attribute references the corresponding definition inside staticResults. + - Required: No - Type: object - Default: `{}` 
@@ -831,6 +857,7 @@ The definitions for one or more static results returned by actions as mock outpu ### Parameter: `workflowTriggers` The definitions for one or more triggers that instantiate your workflow. You can define more than one trigger, but only with the Workflow Definition Language, not visually through the Logic Apps Designer. + - Required: No - Type: object - Default: `{}` diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index cb7a86c358..b056b265b6 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md 
@@ -792,41 +792,78 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The list of shared private link resources in this workspace. | | [`tags`](#parameter-tags) | object | Resource tags. | -### Parameter: `allowPublicAccessWhenBehindVnet` - -The flag to indicate whether to allow public access when behind VNet. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `associatedApplicationInsightsResourceId` The resource ID of the associated Application Insights. -- Required: Yes -- Type: string -### Parameter: `associatedContainerRegistryResourceId` - -The resource ID of the associated Container Registry. -- Required: No +- Required: Yes - Type: string -- Default: `''` ### Parameter: `associatedKeyVaultResourceId` The resource ID of the associated Key Vault. + - Required: Yes - Type: string ### Parameter: `associatedStorageAccountResourceId` The resource ID of the associated Storage Account. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the machine learning workspace. + - Required: Yes - Type: string +### Parameter: `sku` + +Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Basic' + 'Free' + 'Premium' + 'Standard' + ] + ``` + +### Parameter: `primaryUserAssignedIdentity` + +The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `allowPublicAccessWhenBehindVnet` + +The flag to indicate whether to allow public access when behind VNet. + +- Required: No +- Type: bool +- Default: `False` + +### Parameter: `associatedContainerRegistryResourceId` + +The resource ID of the associated Container Registry. 
+ +- Required: No +- Type: string +- Default: `''` + ### Parameter: `computes` Computes to create respectively attach to the workspace. + - Required: No - Type: array - Default: `[]` 
@@ -834,41 +871,48 @@ Computes to create respectively attach to the workspace. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. 
The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string @@ -876,6 +920,7 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `description` The description of this workspace. + - Required: No - Type: string - Default: `''` 
@@ -883,114 +928,90 @@ The description of this workspace. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -998,6 +1019,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `discoveryUrl` URL for the discovery service to identify regional endpoints for machine learning experimentation services. + - Required: No - Type: string - Default: `''` @@ -1005,6 +1027,7 @@ URL for the discovery service to identify regional endpoints for machine learnin ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1012,6 +1035,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `hbiWorkspace` The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. + - Required: No - Type: bool - Default: `False` @@ -1019,6 +1043,7 @@ The flag to signal HBI data in the workspace and reduce diagnostic data collecte ### Parameter: `imageBuildCompute` The compute name for image build. + - Required: No - Type: string - Default: `''` @@ -1026,6 +1051,7 @@ The compute name for image build. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1033,26 +1059,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -1060,6 +1095,7 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. At least one identity type is required. + - Required: No - Type: object - Default: 
@@ -1069,212 +1105,271 @@ The managed identity definition for this resource. At least one identity type is } ``` +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the machine learning workspace. -- Required: Yes -- Type: string - -### Parameter: `primaryUserAssignedIdentity` - -The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
+ - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
| -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Application security groups in which the private endpoint IP configuration is included. 
+### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -### Parameter: `privateEndpoints.customDnsConfigs` +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Optional. Custom DNS configurations. +Application security groups in which the private endpoint IP configuration is included. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | | +### Parameter: `privateEndpoints.customDnsConfigs` -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` -- Required: No -- Type: string +Custom DNS configurations. -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | | - -### Parameter: `privateEndpoints.ipConfigurations.name` -- Required: Yes -- Type: string - -### Parameter: `privateEndpoints.ipConfigurations.properties` -- Required: Yes -- Type: object +### Parameter: `privateEndpoints.location` -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | | +The location to deploy the private endpoint to. -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` -- Required: Yes -- Type: string +### Parameter: `privateEndpoints.lock` -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` -- Required: Yes -- Type: string +Specify the type of lock. +- Required: No +- Type: object +**Optional parameters** -### Parameter: `privateEndpoints.location` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | + +### Parameter: `privateEndpoints.lock.kind` -Optional. The location to deploy the private endpoint to. +Specify the type of lock. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.lock.name` -Optional. Specify the type of lock. +Specify the name of lock. - Required: No -- Type: object +- Type: string ### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Optional. Manual PrivateLink Service Connections. +Manual PrivateLink Service Connections. - Required: No - Type: array ### Parameter: `privateEndpoints.name` -Optional. The name of the private endpoint. +The name of the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string ### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No - Type: array ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.service` +**Required parameters** -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -- Required: No +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Required. Resource ID of the subnet where the endpoint needs to be created. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. - Required: Yes - Type: string +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` + +Version of the condition. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` + +The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.description` + +The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `privateEndpoints.service` + +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: No +- Type: string + ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. 
- Required: No - Type: object @@ -1282,6 +1377,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` 
@@ -1297,74 +1393,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceManagedResourcesSettings` The service managed resource settings. + - Required: No - Type: object - Default: `{}` 
@@ -1372,28 +1490,15 @@ The service managed resource settings. ### Parameter: `sharedPrivateLinkResources` The list of shared private link resources in this workspace. + - Required: No - Type: array - Default: `[]` -### Parameter: `sku` - -Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Basic' - 'Free' - 'Premium' - 'Standard' - ] - ``` - ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/machine-learning-services/workspace/compute/README.md b/modules/machine-learning-services/workspace/compute/README.md index 4f7dd172eb..1eb2928cd4 100644 --- a/modules/machine-learning-services/workspace/compute/README.md +++ b/modules/machine-learning-services/workspace/compute/README.md @@ -48,16 +48,10 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy | [`sku`](#parameter-sku) | string | Specifies the sku, also referred as "edition". Required for creating a compute resource. | | [`tags`](#parameter-tags) | object | Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. | -### Parameter: `computeLocation` - -Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - ### Parameter: `computeType` Set the object type. + - Required: Yes - Type: string - Allowed: 
@@ -76,9 +70,32 @@ Set the object type. ] ``` +### Parameter: `name` + +Name of the compute. + +- Required: Yes +- Type: string + +### Parameter: `machineLearningWorkspaceName` + +The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `computeLocation` + +Location for the underlying compute. Ignored when attaching a compute resource, i.e. when you provide a resource ID. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + ### Parameter: `deployCompute` Flag to specify whether to deploy the compute. Required only for attach (i.e. providing a resource ID), as in this case the operation is not idempotent, i.e. a second deployment will fail. Therefore, this flag needs to be set to "false" as long as the compute resource exists. + - Required: No - Type: bool - Default: `True` @@ -86,6 +103,7 @@ Flag to specify whether to deploy the compute. Required only for attach (i.e. pr ### Parameter: `description` The description of the Machine Learning compute. + - Required: No - Type: string - Default: `''` @@ -93,6 +111,7 @@ The description of the Machine Learning compute. ### Parameter: `disableLocalAuth` Opt-out of local authentication and ensure customers can use only MSI and AAD exclusively for authentication. + - Required: No - Type: bool - Default: `False` @@ -100,6 +119,7 @@ Opt-out of local authentication and ensure customers can use only MSI and AAD ex ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -107,51 +127,43 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Specifies the location of the resource. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `machineLearningWorkspaceName` - -The name of the parent Machine Learning Workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the compute. -- Required: Yes -- Type: string - ### Parameter: `properties` The properties of the compute. Will be ignored in case "resourceId" is set. + - Required: No - Type: object - Default: `{}` 
@@ -159,6 +171,7 @@ The properties of the compute. Will be ignored in case "resourceId" is set. ### Parameter: `resourceId` ARM resource ID of the underlying compute. + - Required: No - Type: string - Default: `''` @@ -166,6 +179,7 @@ ARM resource ID of the underlying compute. ### Parameter: `sku` Specifies the sku, also referred as "edition". Required for creating a compute resource. + - Required: No - Type: string - Default: `''` @@ -183,6 +197,7 @@ Specifies the sku, also referred as "edition". Required for creating a compute r ### Parameter: `tags` Contains resource tags defined as key-value pairs. Ignored when attaching a compute resource, i.e. when you provide a resource ID. + - Required: No - Type: object diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 52d305a61f..e26f1b8299 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -411,9 +411,17 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config | [`tags`](#parameter-tags) | object | Gets or sets tags of the resource. | | [`visibility`](#parameter-visibility) | string | Gets or sets the visibility of the configuration. The default value is 'Custom'. | +### Parameter: `name` + +Maintenance Configuration Name. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -421,6 +429,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `extensionProperties` Gets or sets extensionProperties of the maintenanceConfiguration. + - Required: No - Type: object - Default: `{}` 
@@ -428,6 +437,7 @@ Gets or sets extensionProperties of the maintenanceConfiguration. ### Parameter: `installPatches` Configuration settings for VM guest patching with Azure Update Manager. + - Required: No - Type: object - Default: `{}` @@ -435,6 +445,7 @@ Configuration settings for VM guest patching with Azure Update Manager. ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -442,26 +453,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -469,6 +489,7 @@ Optional. Specify the name of lock. ### Parameter: `maintenanceScope` Gets or sets maintenanceScope of the configuration. + - Required: No - Type: string - Default: `'Host'` 
@@ -487,19 +508,15 @@ Gets or sets maintenanceScope of the configuration. ### Parameter: `maintenanceWindow` Definition of a MaintenanceWindow. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Maintenance Configuration Name. -- Required: Yes -- Type: string - ### Parameter: `namespace` Gets or sets namespace of the resource. + - Required: No - Type: string - Default: `''` 
@@ -507,80 +524,103 @@ Gets or sets namespace of the resource. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Gets or sets tags of the resource. 
+ - Required: No - Type: object ### Parameter: `visibility` Gets or sets the visibility of the configuration. The default value is 'Custom'. + - Required: No - Type: string - Default: `''` diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index 5cf66b9f42..cb4ec31501 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -301,6 +301,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -308,6 +309,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `federatedIdentityCredentials` The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. + - Required: No - Type: array - Default: `[]` @@ -315,6 +317,7 @@ The federated identity credentials list to indicate which token from the externa ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -322,26 +325,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -349,6 +361,7 @@ Optional. Specify the name of lock. ### Parameter: `name` Name of the User Assigned Identity. + - Required: No - Type: string - Default: `[guid(resourceGroup().id)]` 
@@ -356,74 +369,96 @@ Name of the User Assigned Identity. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+ - Required: No - Type: object diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md index ab9e7a346f..a9483eb2d7 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md 
@@ -41,40 +41,46 @@ This module deploys a User Assigned Identity Federated Identity Credential. ### Parameter: `audiences` The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. + - Required: Yes - Type: array -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `issuer` The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. + - Required: Yes - Type: string ### Parameter: `name` The name of the secret. + - Required: Yes - Type: string ### Parameter: `subject` The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. + - Required: Yes - Type: string ### Parameter: `userAssignedIdentityName` The name of the parent user assigned identity. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index 759632f268..c60cb76100 100644 --- a/modules/managed-services/registration-definition/README.md 
+++ b/modules/managed-services/registration-definition/README.md @@ -334,44 +334,51 @@ module registrationDefinition 'br:bicep/modules/managed-services.registration-de ### Parameter: `authorizations` Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers. + - Required: Yes - Type: array -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location deployment metadata. -- Required: No -- Type: string -- Default: `[deployment().location]` - ### Parameter: `managedByTenantId` Specify the tenant ID of the tenant which homes the principals you are delegating permissions to. + - Required: Yes - Type: string ### Parameter: `name` Specify a unique name for your offer/registration. i.e ' - - '. + - Required: Yes - Type: string ### Parameter: `registrationDescription` Description of the offer/registration. i.e. 'Managed by '. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. + +- Required: No +- Type: string +- Default: `[deployment().location]` + ### Parameter: `resourceGroupName` Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. + - Required: No - Type: string - Default: `''` diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index d5e7a66097..9749a8155e 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md 
@@ -211,9 +211,17 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { | [`location`](#parameter-location) | string | Location deployment metadata. | | [`parentId`](#parameter-parentid) | string | The management group parent ID. Defaults to current scope. | +### Parameter: `name` + +The group ID of the Management group. + +- Required: Yes +- Type: string + ### Parameter: `displayName` The friendly name of the management group. If no value is passed then this field will be set to the group ID. + - Required: No - Type: string - Default: `''` @@ -221,6 +229,7 @@ The friendly name of the management group. If no value is passed then this field ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -228,19 +237,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` -### Parameter: `name` - -The group ID of the Management group. -- Required: Yes -- Type: string - ### Parameter: `parentId` The management group parent ID. Defaults to current scope. + - Required: No - Type: string - Default: `[last(split(managementGroup().id, '/'))]` diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index 934610d17a..c0fdd19a6e 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md 
@@ -603,9 +603,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | | [`tags`](#parameter-tags) | object | Tags for all resources. | +### Parameter: `name` + +The name of the NetApp account. + +- Required: Yes +- Type: string + ### Parameter: `capacityPools` Capacity pools to create. + - Required: No - Type: array - Default: `[]` @@ -613,6 +621,7 @@ Capacity pools to create. ### Parameter: `dnsServers` Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. + - Required: No - Type: string - Default: `''` @@ -620,6 +629,7 @@ Required if domainName is specified. Comma separated list of DNS server IP addre ### Parameter: `domainJoinOU` Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). + - Required: No - Type: string - Default: `''` @@ -627,6 +637,7 @@ Used only if domainName is specified. LDAP Path for the Organization Unit (OU) w ### Parameter: `domainJoinPassword` Required if domainName is specified. Password of the user specified in domainJoinUser parameter. + - Required: No - Type: securestring - Default: `''` @@ -634,6 +645,7 @@ Required if domainName is specified. Password of the user specified in domainJoi ### Parameter: `domainJoinUser` Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. + - Required: No - Type: string - Default: `''` 
@@ -641,6 +653,7 @@ Required if domainName is specified. Username of Active Directory domain adminis ### Parameter: `domainName` Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). + - Required: No - Type: string - Default: `''` @@ -648,6 +661,7 @@ Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -655,6 +669,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -662,26 +677,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -689,98 +713,116 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array -### Parameter: `name` - -The name of the NetApp account. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.condition` +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. 
-- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `smbServerNamePrefix` Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. + - Required: No - Type: string - Default: `''` @@ -788,6 +830,7 @@ Required if domainName is specified. NetBIOS name of the SMB server. A computer ### Parameter: `tags` Tags for all resources. + - Required: No - Type: object diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index 5b2c659aec..381674df79 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md 
@@ -46,9 +46,31 @@ This module deploys an Azure NetApp Files Capacity Pool. | [`tags`](#parameter-tags) | object | Tags for all resources. | | [`volumes`](#parameter-volumes) | array | List of volumnes to create in the capacity pool. | +### Parameter: `name` + +The name of the capacity pool. + +- Required: Yes +- Type: string + +### Parameter: `size` + +Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). + +- Required: Yes +- Type: int + +### Parameter: `netAppAccountName` + +The name of the parent NetApp account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `coolAccess` If enabled (true) the pool can contain cool Access enabled volumes. + - Required: No - Type: bool - Default: `False` @@ -56,6 +78,7 @@ If enabled (true) the pool can contain cool Access enabled volumes. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -63,6 +86,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `encryptionType` Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. + - Required: No - Type: string - Default: `'Single'` @@ -77,25 +101,15 @@ Encryption type of the capacity pool, set encryption type for data at rest for t ### Parameter: `location` Location of the pool volume. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the capacity pool. -- Required: Yes -- Type: string - -### Parameter: `netAppAccountName` - -The name of the parent NetApp account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `qosType` The qos type of the pool. + - Required: No - Type: string - Default: `'Auto'` 
@@ -110,74 +124,96 @@ The qos type of the pool. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceLevel` The pool service level. 
+ - Required: No - Type: string - Default: `'Standard'` @@ -191,21 +227,17 @@ The pool service level. ] ``` -### Parameter: `size` - -Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). -- Required: Yes -- Type: int - ### Parameter: `tags` Tags for all resources. + - Required: No - Type: object ### Parameter: `volumes` List of volumnes to create in the capacity pool. + - Required: No - Type: array - Default: `[]` diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index fd898c8faf..bf17feb0a2 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md 
@@ -45,15 +45,45 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. | +### Parameter: `name` + +The name of the pool volume. + +- Required: Yes +- Type: string + +### Parameter: `subnetResourceId` + +The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. + +- Required: Yes +- Type: string + +### Parameter: `usageThreshold` + +Maximum storage quota allowed for a file system in bytes. + +- Required: Yes +- Type: int + ### Parameter: `capacityPoolName` The name of the parent capacity pool. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `netAppAccountName` + +The name of the parent NetApp account. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `creationToken` A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. + - Required: No - Type: string - Default: `[parameters('name')]` @@ -61,6 +91,7 @@ A unique file path for the volume. This is the name of the volume export. A volu ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -68,6 +99,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `exportPolicyRules` Export policy rules. + - Required: No - Type: array - Default: `[]` 
@@ -75,25 +107,15 @@ Export policy rules. ### Parameter: `location` Location of the pool volume. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the pool volume. -- Required: Yes -- Type: string - -### Parameter: `netAppAccountName` - -The name of the parent NetApp account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `protocolTypes` Set of protocol types. + - Required: No - Type: array - Default: `[]` 
@@ -101,74 +123,96 @@ Set of protocol types. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.condition` +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceLevel` The pool service level. 
Must match the one of the parent capacity pool. + - Required: No - Type: string - Default: `'Standard'` @@ -182,18 +226,6 @@ The pool service level. Must match the one of the parent capacity pool. ] ``` -### Parameter: `subnetResourceId` - -The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. -- Required: Yes -- Type: string - -### Parameter: `usageThreshold` - -Maximum storage quota allowed for a file system in bytes. -- Required: Yes -- Type: int - ## Outputs diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index 9b9ea51250..096047b5f3 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -251,9 +251,17 @@ module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network. | [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +Name of the Application Gateway WAF policy. + +- Required: Yes +- Type: string + ### Parameter: `customRules` The custom rules inside the policy. + - Required: No - Type: array - Default: `[]` @@ -261,6 +269,7 @@ The custom rules inside the policy. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -268,6 +277,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -275,19 +285,15 @@ Location for all resources. ### Parameter: `managedRules` Describes the managedRules structure. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Name of the Application Gateway WAF policy. -- Required: Yes -- Type: string - ### Parameter: `policySettings` The PolicySettings for policy. + - Required: No - Type: object - Default: `{}` @@ -295,6 +301,7 @@ The PolicySettings for policy. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 3f9491ef5b..8848ba6a2e 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -1963,9 +1963,17 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`webApplicationFirewallConfiguration`](#parameter-webapplicationfirewallconfiguration) | object | Application gateway web application firewall configuration. Should be configured for security reasons. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. | +### Parameter: `name` + +Name of the Application Gateway. + +- Required: Yes +- Type: string + ### Parameter: `authenticationCertificates` Authentication certificates of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -1973,6 +1981,7 @@ Authentication certificates of the application gateway resource. ### Parameter: `autoscaleMaxCapacity` Upper bound on number of Application Gateway capacity. + - Required: No - Type: int - Default: `-1` @@ -1980,6 +1989,7 @@ Upper bound on number of Application Gateway capacity. ### Parameter: `autoscaleMinCapacity` Lower bound on number of Application Gateway capacity. + - Required: No - Type: int - Default: `-1` 
@@ -1987,6 +1997,7 @@ Lower bound on number of Application Gateway capacity. ### Parameter: `backendAddressPools` Backend address pool of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -1994,6 +2005,7 @@ Backend address pool of the application gateway resource. ### Parameter: `backendHttpSettingsCollection` Backend http settings of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2001,6 +2013,7 @@ Backend http settings of the application gateway resource. ### Parameter: `backendSettingsCollection` Backend settings of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). + - Required: No - Type: array - Default: `[]` @@ -2008,6 +2021,7 @@ Backend settings of the application gateway resource. For default limits, see [A ### Parameter: `capacity` The number of Application instances to be configured. + - Required: No - Type: int - Default: `2` @@ -2015,6 +2029,7 @@ The number of Application instances to be configured. ### Parameter: `customErrorConfigurations` Custom error configurations of the application gateway resource. + - Required: No - Type: array - Default: `[]` 
@@ -2022,114 +2037,90 @@ Custom error configurations of the application gateway resource. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -2137,6 +2128,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -2144,6 +2136,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableFips` Whether FIPS is enabled on the application gateway resource. + - Required: No - Type: bool - Default: `False` @@ -2151,6 +2144,7 @@ Whether FIPS is enabled on the application gateway resource. ### Parameter: `enableHttp2` Whether HTTP2 is enabled on the application gateway resource. + - Required: No - Type: bool - Default: `False` @@ -2158,6 +2152,7 @@ Whether HTTP2 is enabled on the application gateway resource. ### Parameter: `enableRequestBuffering` Enable request buffering. + - Required: No - Type: bool - Default: `False` @@ -2165,6 +2160,7 @@ Enable request buffering. ### Parameter: `enableResponseBuffering` Enable response buffering. + - Required: No - Type: bool - Default: `False` @@ -2172,6 +2168,7 @@ Enable response buffering. ### Parameter: `firewallPolicyId` The resource ID of an associated firewall policy. Should be configured for security reasons. + - Required: No - Type: string - Default: `''` 
@@ -2179,6 +2176,7 @@ The resource ID of an associated firewall policy. Should be configured for secur ### Parameter: `frontendIPConfigurations` Frontend IP addresses of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2186,6 +2184,7 @@ Frontend IP addresses of the application gateway resource. ### Parameter: `frontendPorts` Frontend ports of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2193,6 +2192,7 @@ Frontend ports of the application gateway resource. ### Parameter: `gatewayIPConfigurations` Subnets of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2200,6 +2200,7 @@ Subnets of the application gateway resource. ### Parameter: `httpListeners` Http listeners of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2207,6 +2208,7 @@ Http listeners of the application gateway resource. ### Parameter: `listeners` Listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits). + - Required: No - Type: array - Default: `[]` @@ -2214,6 +2216,7 @@ Listeners of the application gateway resource. For default limits, see [Applicat ### Parameter: `loadDistributionPolicies` Load distribution policies of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2221,6 +2224,7 @@ Load distribution policies of the application gateway resource. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -2228,26 +2232,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -2255,221 +2268,267 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array -### Parameter: `name` - -Name of the Application Gateway. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
| +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +**Optional parameters** -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -- Required: No -- Type: array +### Parameter: `privateEndpoints.service` -### Parameter: `privateEndpoints.customDnsConfigs` +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -Optional. Custom DNS configurations. +- Required: Yes +- Type: string -- Required: No -- Type: array +### Parameter: `privateEndpoints.subnetResourceId` + +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. 
The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
- Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -- Required: No +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +Version of the condition. - Required: No -- Type: array +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. Array of role assignments to create. +The Resource Id of the delegated managed identity resource. 
- Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.description` -Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Required. Resource ID of the subnet where the endpoint needs to be created. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -2477,6 +2536,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `privateLinkConfigurations` PrivateLink configurations on application gateway. + - Required: No - Type: array - Default: `[]` @@ -2484,6 +2544,7 @@ PrivateLink configurations on application gateway. ### Parameter: `probes` Probes of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2491,6 +2552,7 @@ Probes of the application gateway resource. ### Parameter: `redirectConfigurations` Redirect configurations of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2498,6 +2560,7 @@ Redirect configurations of the application gateway resource. ### Parameter: `requestRoutingRules` Request routing rules of the application gateway resource. + - Required: No - Type: array - Default: `[]` 
@@ -2505,6 +2568,7 @@ Request routing rules of the application gateway resource. ### Parameter: `rewriteRuleSets` Rewrite rules for the application gateway resource. + - Required: No - Type: array - Default: `[]` 
@@ -2512,74 +2576,96 @@ Rewrite rules for the application gateway resource. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `routingRules` Routing rules of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2587,6 +2673,7 @@ Routing rules of the application gateway resource. ### Parameter: `sku` The name of the SKU for the Application Gateway. + - Required: No - Type: string - Default: `'WAF_Medium'` @@ -2606,6 +2693,7 @@ The name of the SKU for the Application Gateway. ### Parameter: `sslCertificates` SSL certificates of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2613,6 +2701,7 @@ SSL certificates of the application gateway resource. ### Parameter: `sslPolicyCipherSuites` Ssl cipher suites to be enabled in the specified order to application gateway. + - Required: No - Type: array - Default: @@ -2659,6 +2748,7 @@ Ssl cipher suites to be enabled in the specified order to application gateway. ### Parameter: `sslPolicyMinProtocolVersion` Ssl protocol enums. + - Required: No - Type: string - Default: `'TLSv1_2'` @@ -2675,6 +2765,7 @@ Ssl protocol enums. ### Parameter: `sslPolicyName` Ssl predefined policy name enums. + - Required: No - Type: string - Default: `''` @@ -2693,6 +2784,7 @@ Ssl predefined policy name enums. ### Parameter: `sslPolicyType` Type of Ssl Policy. + - Required: No - Type: string - Default: `'Custom'` @@ -2708,6 +2800,7 @@ Type of Ssl Policy. ### Parameter: `sslProfiles` SSL profiles of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2715,12 +2808,14 @@ SSL profiles of the application gateway resource. ### Parameter: `tags` Resource tags. + - Required: No - Type: object ### Parameter: `trustedClientCertificates` Trusted client certificates of the application gateway resource. + - Required: No - Type: array - Default: `[]` 
@@ -2728,6 +2823,7 @@ Trusted client certificates of the application gateway resource. ### Parameter: `trustedRootCertificates` Trusted Root certificates of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2735,6 +2831,7 @@ Trusted Root certificates of the application gateway resource. ### Parameter: `urlPathMaps` URL path map of the application gateway resource. + - Required: No - Type: array - Default: `[]` @@ -2742,6 +2839,7 @@ URL path map of the application gateway resource. ### Parameter: `webApplicationFirewallConfiguration` Application gateway web application firewall configuration. Should be configured for security reasons. + - Required: No - Type: object - Default: `{}` @@ -2749,6 +2847,7 @@ Application gateway web application firewall configuration. Should be configured ### Parameter: `zones` A list of availability zones denoting where the resource needs to come from. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index fc21701695..a1376bb487 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -224,9 +224,17 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Application Security Group. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -234,6 +242,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -241,107 +250,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Application Security Group. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. 
The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index ccb0cb3de8..d232283c5c 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md 
@@ -1094,9 +1094,41 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { | [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. | | [`zones`](#parameter-zones) | array | Zone numbers e.g. 1,2,3. | +### Parameter: `name` + +Name of the Azure Firewall. + +- Required: Yes +- Type: string + +### Parameter: `hubIPAddresses` + +IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `virtualHubId` + +The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `vNetId` + +Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `additionalPublicIpConfigurations` This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration. + - Required: No - Type: array - Default: `[]` @@ -1104,6 +1136,7 @@ This is to add any additional Public IP configurations on top of the Public IP w ### Parameter: `applicationRuleCollections` Collection of application rule collections used by Azure Firewall. + - Required: No - Type: array - Default: `[]` @@ -1111,6 +1144,7 @@ Collection of application rule collections used by Azure Firewall. ### Parameter: `azureSkuTier` Tier of an Azure Firewall. + - Required: No - Type: string - Default: `'Standard'` 
@@ -1126,114 +1160,90 @@ Tier of an Azure Firewall. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1241,6 +1251,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1248,20 +1259,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `firewallPolicyId` Resource ID of the Firewall Policy that should be attached. + - Required: No - Type: string - Default: `''` -### Parameter: `hubIPAddresses` - -IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1269,26 +1275,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -1296,6 +1311,7 @@ Optional. Specify the name of lock. ### Parameter: `managementIPAddressObject` Specifies the properties of the Management Public IP to create and be used by Azure Firewall. If it's not provided and managementIPResourceID is empty, a '-mip' suffix will be appended to the Firewall's name. + - Required: No - Type: object - Default: `{}` @@ -1303,19 +1319,15 @@ Specifies the properties of the Management Public IP to create and be used by Az ### Parameter: `managementIPResourceID` The Management Public IP resource ID to associate to the AzureFirewallManagementSubnet. If empty, then the Management Public IP that is created as part of this module will be applied to the AzureFirewallManagementSubnet. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -Name of the Azure Firewall. -- Required: Yes -- Type: string - ### Parameter: `natRuleCollections` Collection of NAT rule collections used by Azure Firewall. + - Required: No - Type: array - Default: `[]` 
@@ -1323,6 +1335,7 @@ Collection of NAT rule collections used by Azure Firewall. ### Parameter: `networkRuleCollections` Collection of network rule collections used by Azure Firewall. + - Required: No - Type: array - Default: `[]` @@ -1330,6 +1343,7 @@ Collection of network rule collections used by Azure Firewall. ### Parameter: `publicIPAddressObject` Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. + - Required: No - Type: object - Default: @@ -1342,6 +1356,7 @@ Specifies the properties of the Public IP to create and be used by the Firewall, ### Parameter: `publicIPResourceID` The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. + - Required: No - Type: string - Default: `''` 
@@ -1349,80 +1364,103 @@ The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, the ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the Azure Firewall resource. + - Required: No - Type: object ### Parameter: `threatIntelMode` The operation mode for Threat Intel. + - Required: No - Type: string - Default: `'Deny'` @@ -1435,23 +1473,10 @@ The operation mode for Threat Intel. ] ``` -### Parameter: `virtualHubId` - -The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `vNetId` - -Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `zones` Zone numbers e.g. 1,2,3. + - Required: No - Type: array - Default: diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 583131bb54..5057715cf3 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md 
@@ -524,9 +524,24 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Azure Bastion resource. + +- Required: Yes +- Type: string + +### Parameter: `vNetId` + +Shared services Virtual Network resource identifier. + +- Required: Yes +- Type: string + ### Parameter: `bastionSubnetPublicIpResourceId` The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. + - Required: No - Type: string - Default: `''` 
@@ -534,94 +549,82 @@ The Public IP resource ID to associate to the azureBastionSubnet. If empty, then ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -629,6 +632,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableCopyPaste` Choose to disable or enable Copy Paste. + - Required: No - Type: bool - Default: `False` @@ -636,6 +640,7 @@ Choose to disable or enable Copy Paste. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -643,6 +648,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableFileCopy` Choose to disable or enable File Copy. + - Required: No - Type: bool - Default: `True` @@ -650,6 +656,7 @@ Choose to disable or enable File Copy. ### Parameter: `enableIpConnect` Choose to disable or enable IP Connect. + - Required: No - Type: bool - Default: `False` 
@@ -657,6 +664,7 @@ Choose to disable or enable IP Connect. ### Parameter: `enableKerberos` Choose to disable or enable Kerberos authentication. + - Required: No - Type: bool - Default: `False` @@ -664,6 +672,7 @@ Choose to disable or enable Kerberos authentication. ### Parameter: `enableShareableLink` Choose to disable or enable Shareable Link. + - Required: No - Type: bool - Default: `False` @@ -671,6 +680,7 @@ Choose to disable or enable Shareable Link. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -678,39 +688,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Azure Bastion resource. -- Required: Yes -- Type: string - ### Parameter: `publicIPAddressObject` Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. + - Required: No - Type: object - Default: 
@@ -723,74 +737,96 @@ Specifies the properties of the Public IP to create and be used by Azure Bastion ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scaleUnits` The scale units for the Bastion Host resource. + - Required: No - Type: int - Default: `2` @@ -798,6 +834,7 @@ The scale units for the Bastion Host resource. ### Parameter: `skuName` The SKU of this Bastion Host. + - Required: No - Type: string - Default: `'Basic'` @@ -812,15 +849,10 @@ The SKU of this Bastion Host. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `vNetId` - -Shared services Virtual Network resource identifier. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/connection/README.md b/modules/network/connection/README.md index d8f8169acb..8a2af94d6a 100644 --- a/modules/network/connection/README.md +++ b/modules/network/connection/README.md @@ -158,9 +158,24 @@ module connection 'br:bicep/modules/network.connection:1.0.0' = { | [`virtualNetworkGateway2`](#parameter-virtualnetworkgateway2) | object | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. | | [`vpnSharedKey`](#parameter-vpnsharedkey) | securestring | Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. | +### Parameter: `name` + +Remote connection name. + +- Required: Yes +- Type: string + +### Parameter: `virtualNetworkGateway1` + +The primary Virtual Network Gateway. + +- Required: Yes +- Type: object + ### Parameter: `authorizationKey` The Authorization Key to connect to an Express Route Circuit. Used for connection type [ExpressRoute]. + - Required: No - Type: securestring - Default: `''` 
@@ -168,6 +183,7 @@ The Authorization Key to connect to an Express Route Circuit. Used for connectio ### Parameter: `connectionMode` The connection connectionMode for this connection. Available for IPSec connections. + - Required: No - Type: string - Default: `'Default'` @@ -183,6 +199,7 @@ The connection connectionMode for this connection. Available for IPSec connectio ### Parameter: `connectionProtocol` Connection connectionProtocol used for this connection. Available for IPSec connections. + - Required: No - Type: string - Default: `'IKEv2'` @@ -197,6 +214,7 @@ Connection connectionProtocol used for this connection. Available for IPSec conn ### Parameter: `connectionType` Gateway connection connectionType. + - Required: No - Type: string - Default: `'IPsec'` @@ -213,6 +231,7 @@ Gateway connection connectionType. ### Parameter: `customIPSecPolicy` The IPSec Policies to be considered by this connection. + - Required: No - Type: object - Default: @@ -232,6 +251,7 @@ The IPSec Policies to be considered by this connection. ### Parameter: `dpdTimeoutSeconds` The dead peer detection timeout of this connection in seconds. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. The general recommendation is to set the timeout between 30 to 45 seconds. + - Required: No - Type: int - Default: `45` @@ -239,6 +259,7 @@ The dead peer detection timeout of this connection in seconds. Setting the timeo ### Parameter: `enableBgp` Value to specify if BGP is enabled or not. + - Required: No - Type: bool - Default: `False` @@ -246,6 +267,7 @@ Value to specify if BGP is enabled or not. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -253,6 +275,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enablePrivateLinkFastPath` Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route. + - Required: No - Type: bool - Default: `False` @@ -260,6 +283,7 @@ Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastP ### Parameter: `expressRouteGatewayBypass` Bypass ExpressRoute Gateway for data forwarding. Only available when connection connectionType is Express Route. + - Required: No - Type: bool - Default: `False` @@ -267,6 +291,7 @@ Bypass ExpressRoute Gateway for data forwarding. Only available when connection ### Parameter: `localNetworkGateway2` The local network gateway. Used for connection type [IPsec]. + - Required: No - Type: object - Default: `{}` @@ -274,6 +299,7 @@ The local network gateway. Used for connection type [IPsec]. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -281,39 +307,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Remote connection name. -- Required: Yes -- Type: string - ### Parameter: `peer` The remote peer. Used for connection connectionType [ExpressRoute]. + - Required: No - Type: object - Default: `{}` @@ -321,6 +351,7 @@ The remote peer. Used for connection connectionType [ExpressRoute]. ### Parameter: `routingWeight` The weight added to routes learned from this BGP speaker. + - Required: No - Type: int - Default: `-1` @@ -328,12 +359,14 @@ The weight added to routes learned from this BGP speaker. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `useLocalAzureIpAddress` Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. + - Required: No - Type: bool - Default: `False` 
@@ -341,19 +374,15 @@ Use private local Azure IP for the connection. Only available for IPSec Virtual ### Parameter: `usePolicyBasedTrafficSelectors` Enable policy-based traffic selectors. + - Required: No - Type: bool - Default: `False` -### Parameter: `virtualNetworkGateway1` - -The primary Virtual Network Gateway. -- Required: Yes -- Type: object - ### Parameter: `virtualNetworkGateway2` The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. + - Required: No - Type: object - Default: `{}` @@ -361,6 +390,7 @@ The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vne ### Parameter: `vpnSharedKey` Specifies a VPN shared key. The same value has to be specified on both Virtual Network Gateways. + - Required: No - Type: securestring - Default: `''` diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 583e7a2350..844e478c25 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -273,9 +273,17 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the DDoS protection plan to assign the VNET to. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -283,6 +291,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -290,107 +299,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the DDoS protection plan to assign the VNET to. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. 
The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 7f80e40e75..77a9d2fe37 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md 
@@ -375,12 +375,21 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0 ### Parameter: `dnsResolverOutboundEndpointResourceIds` The reference to the DNS resolver outbound endpoints that are used to route DNS queries matching the forwarding rules in the ruleset to the target DNS servers. + - Required: Yes - Type: array +### Parameter: `name` + +Name of the DNS Forwarding Ruleset. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -388,6 +397,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `forwardingRules` Array of forwarding rules. + - Required: No - Type: array - Default: `[]` @@ -395,6 +405,7 @@ Array of forwarding rules. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -402,113 +413,139 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the DNS Forwarding Ruleset. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `vNetLinks` Array of virtual network links. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md index 39dd2043dd..64a7cf0a97 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/README.md 
@@ -40,21 +40,38 @@ This template deploys Forwarding Rule in a Dns Forwarding Ruleset.
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`metadata`](#parameter-metadata) | object | Metadata attached to the forwarding rule. |
-### Parameter: `dnsForwardingRulesetName`
+### Parameter: `domainName`
+
+The domain name for the forwarding rule.
-Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment.
 - Required: Yes
 - Type: string
-### Parameter: `domainName`
+### Parameter: `name`
+
+Name of the Forwarding Rule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `targetDnsServers`
+
+DNS servers to forward the DNS query to.
+
+- Required: Yes
+- Type: array
+
+### Parameter: `dnsForwardingRulesetName`
+
+Name of the parent DNS Forwarding Ruleset. Required if the template is used in a standalone deployment.
-The domain name for the forwarding rule.
 - Required: Yes
 - Type: string
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -62,6 +79,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `forwardingRuleState`
 The state of forwarding rule.
+
 - Required: No
 - Type: string
 - Default: `'Enabled'`
@@ -76,6 +94,7 @@ The state of forwarding rule.
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -83,22 +102,11 @@ Location for all resources.
 ### Parameter: `metadata`
 Metadata attached to the forwarding rule.
+
 - Required: No
 - Type: object
 - Default: `{}`
-### Parameter: `name`
-
-Name of the Forwarding Rule.
-- Required: Yes
-- Type: string
-
-### Parameter: `targetDnsServers`
-
-DNS servers to forward the DNS query to.
-- Required: Yes
-- Type: array
-
 ## Outputs
diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md b/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md
index af8b359da9..90efca7cd6 100644
--- a/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md
+++ b/modules/network/dns-forwarding-ruleset/virtual-network-link/README.md
@@ -37,15 +37,24 @@ This template deploys Virtual Network Link in a Dns Forwarding Ruleset.
 | [`location`](#parameter-location) | string | The location of the PrivateDNSZone. Should be global. |
 | [`name`](#parameter-name) | string | The name of the virtual network link. |
+### Parameter: `virtualNetworkResourceId`
+
+Link to another virtual network resource ID.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `dnsForwardingRulesetName`
 The name of the parent DNS Fowarding Rule Set. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -53,6 +62,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 The location of the PrivateDNSZone. Should be global.
+
 - Required: No
 - Type: string
 - Default: `'global'`
@@ -60,16 +70,11 @@ The location of the PrivateDNSZone. Should be global.
 ### Parameter: `name`
 The name of the virtual network link.
+
 - Required: No
 - Type: string
 - Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]`
-### Parameter: `virtualNetworkResourceId`
-
-Link to another virtual network resource ID.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md
index 9dd23b73e9..70ca712dfc 100644
--- a/modules/network/dns-resolver/README.md
+++ b/modules/network/dns-resolver/README.md
@@ -239,9 +239,24 @@ module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = {
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+### Parameter: `name`
+
+Name of the Private DNS Resolver.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `virtualNetworkId`
+
+ResourceId of the virtual network to attach the Private DNS Resolver to.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -249,6 +264,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `inboundEndpoints`
 Inbound Endpoints for Private DNS Resolver.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -256,6 +272,7 @@ Inbound Endpoints for Private DNS Resolver.
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -263,39 +280,43 @@ Location for all resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
-### Parameter: `name`
-
-Name of the Private DNS Resolver.
-- Required: Yes
-- Type: string
-
 ### Parameter: `outboundEndpoints`
 Outbound Endpoints for Private DNS Resolver.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -303,83 +324,99 @@ Outbound Endpoints for Private DNS Resolver. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+
 - Required: No
 - Type: object
-### Parameter: `virtualNetworkId`
-
-ResourceId of the virtual network to attach the Private DNS Resolver to.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md
index 003e5548ed..4d7a11a4e4 100644
--- a/modules/network/dns-zone/README.md
+++ b/modules/network/dns-zone/README.md
@@ -919,9 +919,17 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = {
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`txt`](#parameter-txt) | array | Array of TXT records. |
+### Parameter: `name`
+
+DNS zone name.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `a`
 Array of A records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -929,6 +937,7 @@ Array of A records.
 ### Parameter: `aaaa`
 Array of AAAA records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -936,6 +945,7 @@ Array of AAAA records.
 ### Parameter: `caa`
 Array of CAA records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -943,6 +953,7 @@ Array of CAA records.
 ### Parameter: `cname`
 Array of CNAME records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -950,6 +961,7 @@ Array of CNAME records.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -957,6 +969,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 The location of the dnsZone. Should be global.
+
 - Required: No
 - Type: string
 - Default: `'global'`
@@ -964,26 +977,35 @@ The location of the dnsZone. Should be global.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
@@ -991,19 +1013,15 @@ Optional. Specify the name of lock.
 ### Parameter: `mx`
 Array of MX records.
+
 - Required: No
 - Type: array
 - Default: `[]`
-### Parameter: `name`
-
-DNS zone name.
-- Required: Yes
-- Type: string
-
 ### Parameter: `ns`
 Array of NS records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1011,6 +1029,7 @@ Array of NS records.
 ### Parameter: `ptr`
 Array of PTR records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1018,74 +1037,96 @@ Array of PTR records. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `soa` Array of SOA records. + - Required: No - Type: array - Default: `[]` 
@@ -1093,6 +1134,7 @@ Array of SOA records.
 ### Parameter: `srv`
 Array of SRV records.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1100,12 +1142,14 @@ Array of SRV records.
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
 ### Parameter: `txt`
 Array of TXT records.
+
 - Required: No
 - Type: array
 - Default: `[]`
diff --git a/modules/network/dns-zone/a/README.md b/modules/network/dns-zone/a/README.md
index 222006ccc6..99577d607a 100644
--- a/modules/network/dns-zone/a/README.md
+++ b/modules/network/dns-zone/a/README.md
@@ -41,22 +41,32 @@ This module deploys a Public DNS Zone A record.
 | [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. |
 | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-### Parameter: `aRecords`
+### Parameter: `name`
-The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property.
-- Required: No
-- Type: array
-- Default: `[]`
+The name of the A record.
+
+- Required: Yes
+- Type: string
 ### Parameter: `dnsZoneName`
 The name of the parent DNS zone. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
+### Parameter: `aRecords`
+
+The list of A records in the record set. Cannot be used in conjuction with the "targetResource" property.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -64,87 +74,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the A record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. 
Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `targetResourceId`
 A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -152,6 +179,7 @@ A reference to an azure resource from where the dns resource value is taken. Als
 ### Parameter: `ttl`
 The TTL (time-to-live) of the records in the record set.
+
 - Required: No
 - Type: int
 - Default: `3600`
diff --git a/modules/network/dns-zone/aaaa/README.md b/modules/network/dns-zone/aaaa/README.md
index fb0bcad96e..aa68ea3696 100644
--- a/modules/network/dns-zone/aaaa/README.md
+++ b/modules/network/dns-zone/aaaa/README.md
@@ -41,22 +41,32 @@ This module deploys a Public DNS Zone AAAA record.
 | [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. |
 | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. |
-### Parameter: `aaaaRecords`
+### Parameter: `name`
-The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property.
-- Required: No
-- Type: array
-- Default: `[]`
+The name of the AAAA record.
+
+- Required: Yes
+- Type: string
 ### Parameter: `dnsZoneName`
 The name of the parent DNS zone. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
+### Parameter: `aaaaRecords`
+
+The list of AAAA records in the record set. Cannot be used in conjuction with the "targetResource" property.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -64,87 +74,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the AAAA record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. 
Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `targetResourceId` A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. + - Required: No - Type: string - Default: `''` @@ -152,6 +179,7 @@ A reference to an azure resource from where the dns resource value is taken. Als ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/caa/README.md b/modules/network/dns-zone/caa/README.md index bd705d06a7..4d72be6d76 100644 --- a/modules/network/dns-zone/caa/README.md +++ b/modules/network/dns-zone/caa/README.md 
@@ -40,22 +40,32 @@ This module deploys a Public DNS Zone CAA record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | -### Parameter: `caaRecords` +### Parameter: `name` -The list of CAA records in the record set. -- Required: No -- Type: array -- Default: `[]` +The name of the CAA record. + +- Required: Yes +- Type: string ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `caaRecords` + +The list of CAA records in the record set. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -63,87 +73,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the CAA record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. 
+ - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/cname/README.md b/modules/network/dns-zone/cname/README.md index 063728513a..a89e2c97a6 100644 --- a/modules/network/dns-zone/cname/README.md +++ b/modules/network/dns-zone/cname/README.md @@ -41,22 +41,32 @@ This module deploys a Public DNS Zone CNAME record. | [`targetResourceId`](#parameter-targetresourceid) | string | A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | -### Parameter: `cnameRecord` +### Parameter: `name` -A CNAME record. Cannot be used in conjuction with the "targetResource" property. -- Required: No -- Type: object -- Default: `{}` +The name of the CNAME record. + +- Required: Yes +- Type: string ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `cnameRecord` + +A CNAME record. Cannot be used in conjuction with the "targetResource" property. + +- Required: No +- Type: object +- Default: `{}` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -64,87 +74,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the CNAME record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. 
Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `targetResourceId` A reference to an azure resource from where the dns resource value is taken. Also known as an alias record sets and are only supported for record types A, AAAA and CNAME. A resource ID can be an Azure Traffic Manager, Azure CDN, Front Door, Static Web App, or a resource ID of a record set of the same type in the DNS zone (i.e. A, AAAA or CNAME). Cannot be used in conjuction with the "aRecords" property. + - Required: No - Type: string - Default: `''` @@ -152,6 +179,7 @@ A reference to an azure resource from where the dns resource value is taken. Als ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/mx/README.md b/modules/network/dns-zone/mx/README.md index 7aaa4e37fe..bea5e827f7 100644 --- a/modules/network/dns-zone/mx/README.md +++ b/modules/network/dns-zone/mx/README.md 
@@ -40,15 +40,24 @@ This module deploys a Public DNS Zone MX record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the MX record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -56,6 +65,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` 
@@ -63,87 +73,104 @@ The metadata attached to the record set. ### Parameter: `mxRecords` The list of MX records in the record set. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The name of the MX record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. 
+ - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/ns/README.md b/modules/network/dns-zone/ns/README.md index 4330bd1fd0..8035417f4b 100644 --- a/modules/network/dns-zone/ns/README.md +++ b/modules/network/dns-zone/ns/README.md @@ -40,15 +40,24 @@ This module deploys a Public DNS Zone NS record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the NS record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -56,19 +65,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the NS record. -- Required: Yes -- Type: string - ### Parameter: `nsRecords` The list of NS records in the record set. + - Required: No - Type: array - Default: `[]` 
@@ -76,74 +81,96 @@ The list of NS records in the record set. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` 
diff --git a/modules/network/dns-zone/ptr/README.md b/modules/network/dns-zone/ptr/README.md index 6609c1ff35..68258a9035 100644 --- a/modules/network/dns-zone/ptr/README.md +++ b/modules/network/dns-zone/ptr/README.md @@ -40,15 +40,24 @@ This module deploys a Public DNS Zone PTR record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the PTR record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -56,19 +65,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the PTR record. -- Required: Yes -- Type: string - ### Parameter: `ptrRecords` The list of PTR records in the record set. + - Required: No - Type: array - Default: `[]` 
@@ -76,74 +81,96 @@ The list of PTR records in the record set. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` 
diff --git a/modules/network/dns-zone/soa/README.md b/modules/network/dns-zone/soa/README.md index 155270e1da..3b8577a68c 100644 --- a/modules/network/dns-zone/soa/README.md +++ b/modules/network/dns-zone/soa/README.md @@ -40,15 +40,24 @@ This module deploys a Public DNS Zone SOA record. | [`soaRecord`](#parameter-soarecord) | object | A SOA record. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the SOA record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -56,87 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the SOA record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `soaRecord` A SOA record. + - Required: No - Type: object - Default: `{}` 
@@ -144,6 +170,7 @@ A SOA record. ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/srv/README.md b/modules/network/dns-zone/srv/README.md index 0143e63e5d..6650830d14 100644 --- a/modules/network/dns-zone/srv/README.md +++ b/modules/network/dns-zone/srv/README.md @@ -40,15 +40,24 @@ This module deploys a Public DNS Zone SRV record. | [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the SRV record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -56,87 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the SRV record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `srvRecords` The list of SRV records in the record set. 
+ - Required: No - Type: array - Default: `[]` @@ -144,6 +170,7 @@ The list of SRV records in the record set. ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/dns-zone/txt/README.md b/modules/network/dns-zone/txt/README.md index 35897fbd07..101e48bca4 100644 --- a/modules/network/dns-zone/txt/README.md +++ b/modules/network/dns-zone/txt/README.md @@ -40,15 +40,24 @@ This module deploys a Public DNS Zone TXT record. | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | | [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | +### Parameter: `name` + +The name of the TXT record. + +- Required: Yes +- Type: string + ### Parameter: `dnsZoneName` The name of the parent DNS zone. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -56,87 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the TXT record. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. 
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. 
+
 - Required: No
 - Type: int
 - Default: `3600`
@@ -144,6 +170,7 @@ The TTL (time-to-live) of the records in the record set.
 ### Parameter: `txtRecords`
 
 The list of TXT records in the record set.
+
 - Required: No
 - Type: array
 - Default: `[]`
diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md
index 3548350675..0252c375f3 100644
--- a/modules/network/express-route-circuit/README.md
+++ b/modules/network/express-route-circuit/README.md
@@ -413,9 +413,38 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`vlanId`](#parameter-vlanid) | int | Specifies the identifier that is used to identify the customer. |
 
+### Parameter: `bandwidthInMbps`
+
+This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `name`
+
+This is the name of the ExpressRoute circuit.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `peeringLocation`
+
+This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `serviceProviderName`
+
+This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `allowClassicOperations`
 
 Allow classic operations. You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to true.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -423,127 +452,98 @@ Allow classic operations. You can connect to virtual networks in the classic dep ### Parameter: `bandwidthInGbps` The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct. Default value of 0 will set the property to null. + - Required: No - Type: int - Default: `0` -### Parameter: `bandwidthInMbps` - -This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call. -- Required: Yes -- Type: int - ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.storageAccountResourceId`
 
-Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
 - Required: No
 - Type: string
 
 ### Parameter: `diagnosticSettings.workspaceResourceId`
 
-Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 
 - Required: No
 - Type: string
@@ -551,6 +551,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -558,6 +559,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `expressRoutePortResourceId`
 
 The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource. Available when configuring Express Route Direct.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -565,6 +567,7 @@ The reference to the ExpressRoutePort resource when the circuit is provisioned o
 ### Parameter: `globalReachEnabled`
 
 Flag denoting global reach status. To enable ExpressRoute Global Reach between different geopolitical regions, your circuits must be Premium SKU.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -572,6 +575,7 @@ Flag denoting global reach status. To enable ExpressRoute Global Reach between d ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -579,39 +583,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -This is the name of the ExpressRoute circuit. -- Required: Yes -- Type: string - ### Parameter: `peerASN` The autonomous system number of the customer/connectivity provider. + - Required: No - Type: int - Default: `0` 
@@ -619,19 +627,15 @@ The autonomous system number of the customer/connectivity provider.
 ### Parameter: `peering`
 
 Enabled BGP peering type for the Circuit.
+
 - Required: No
 - Type: bool
 - Default: `False`
 
-### Parameter: `peeringLocation`
-
-This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call.
-- Required: Yes
-- Type: string
-
 ### Parameter: `peeringType`
 
 BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.
+
 - Required: No
 - Type: string
 - Default: `'AzurePrivatePeering'`
@@ -646,6 +650,7 @@ BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPe
 ### Parameter: `primaryPeerAddressPrefix`
 
 A /30 subnet used to configure IP addresses for interfaces on Link1.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -653,87 +658,104 @@ A /30 subnet used to configure IP addresses for interfaces on Link1. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `secondaryPeerAddressPrefix` A /30 subnet used to configure IP addresses for interfaces on Link2. + - Required: No - Type: string - Default: `''` -### Parameter: `serviceProviderName` - -This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call. -- Required: Yes -- Type: string - ### Parameter: `sharedKey` The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. + - Required: No - Type: string - Default: `''` @@ -741,6 +763,7 @@ The shared key for peering configuration. Router does MD5 hash comparison to val ### Parameter: `skuFamily` Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. + - Required: No - Type: string - Default: `'MeteredData'` @@ -755,6 +778,7 @@ Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedD ### Parameter: `skuTier` Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard SKU tiers. + - Required: No - Type: string - Default: `'Standard'` @@ -770,12 +794,14 @@ Chosen SKU Tier of ExpressRoute circuit. Choose from Local, Premium or Standard ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `vlanId` Specifies the identifier that is used to identify the customer. + - Required: No - Type: int - Default: `0` diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 2bba6a1bf2..c2084076e9 100644 --- a/modules/network/express-route-gateway/README.md 
+++ b/modules/network/express-route-gateway/README.md
@@ -304,9 +304,24 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. |
 
+### Parameter: `name`
+
+Name of the Express Route Gateway.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `virtualHubId`
+
+Resource ID of the Virtual Wan Hub.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `allowNonVirtualWanTraffic`
 
 Configures this gateway to accept traffic from non Virtual WAN networks.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -314,6 +329,7 @@ Configures this gateway to accept traffic from non Virtual WAN networks.
 ### Parameter: `autoScaleConfigurationBoundsMax`
 
 Maximum number of scale units deployed for ExpressRoute gateway.
+
 - Required: No
 - Type: int
 - Default: `2`
@@ -321,6 +337,7 @@ Maximum number of scale units deployed for ExpressRoute gateway.
 ### Parameter: `autoScaleConfigurationBoundsMin`
 
 Minimum number of scale units deployed for ExpressRoute gateway.
+
 - Required: No
 - Type: int
 - Default: `2`
@@ -328,6 +345,7 @@ Minimum number of scale units deployed for ExpressRoute gateway.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -335,6 +353,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `expressRouteConnections`
 
 List of ExpressRoute connections to the ExpressRoute gateway.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -342,6 +361,7 @@ List of ExpressRoute connections to the ExpressRoute gateway.
 ### Parameter: `location`
 
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -349,116 +369,135 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Express Route Gateway. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.condition` +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the Firewall policy resource. + - Required: No - Type: object -### Parameter: `virtualHubId` - -Resource ID of the Virtual Wan Hub. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 3b9ff291c6..c99c673261 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md 
@@ -407,9 +407,17 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { | [`tier`](#parameter-tier) | string | Tier of Firewall Policy. | | [`workspaces`](#parameter-workspaces) | array | List of workspaces for Firewall Policy Insights. | +### Parameter: `name` + +Name of the Firewall Policy. + +- Required: Yes +- Type: string + ### Parameter: `allowSqlRedirect` A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999. + - Required: No - Type: bool - Default: `False` @@ -417,6 +425,7 @@ A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the ### Parameter: `autoLearnPrivateRanges` The operation mode for automatically learning private ranges to not be SNAT. + - Required: No - Type: string - Default: `'Disabled'` @@ -431,6 +440,7 @@ The operation mode for automatically learning private ranges to not be SNAT. ### Parameter: `basePolicyResourceId` Resource ID of the base policy. + - Required: No - Type: string - Default: `''` @@ -438,6 +448,7 @@ Resource ID of the base policy. ### Parameter: `bypassTrafficSettings` List of rules for traffic to bypass. + - Required: No - Type: array - Default: `[]` @@ -445,6 +456,7 @@ List of rules for traffic to bypass. ### Parameter: `certificateName` Name of the CA certificate. + - Required: No - Type: string - Default: `''` @@ -452,6 +464,7 @@ Name of the CA certificate. ### Parameter: `defaultWorkspaceId` Default Log Analytics Resource ID for Firewall Policy Insights. + - Required: No - Type: string - Default: `''` @@ -459,6 +472,7 @@ Default Log Analytics Resource ID for Firewall Policy Insights. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -466,6 +480,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableProxy` Enable DNS Proxy on Firewalls attached to the Firewall Policy. + - Required: No - Type: bool - Default: `False` @@ -473,6 +488,7 @@ Enable DNS Proxy on Firewalls attached to the Firewall Policy. ### Parameter: `fqdns` List of FQDNs for the ThreatIntel Allowlist. + - Required: No - Type: array - Default: `[]` @@ -480,6 +496,7 @@ List of FQDNs for the ThreatIntel Allowlist. ### Parameter: `insightsIsEnabled` A flag to indicate if the insights are enabled on the policy. + - Required: No - Type: bool - Default: `False` @@ -487,6 +504,7 @@ A flag to indicate if the insights are enabled on the policy. ### Parameter: `ipAddresses` List of IP addresses for the ThreatIntel Allowlist. + - Required: No - Type: array - Default: `[]` @@ -494,6 +512,7 @@ List of IP addresses for the ThreatIntel Allowlist. ### Parameter: `keyVaultSecretId` Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. + - Required: No - Type: string - Default: `''` @@ -501,6 +520,7 @@ Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stor ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -508,17 +528,19 @@ Location for all resources. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array @@ -526,6 +548,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `mode` The configuring of intrusion detection. + - Required: No - Type: string - Default: `'Off'` @@ -538,15 +561,10 @@ The configuring of intrusion detection. ] ``` -### Parameter: `name` - -Name of the Firewall Policy. -- Required: Yes -- Type: string - ### Parameter: `privateRanges` List of private IP addresses/IP address ranges to not be SNAT. + - Required: No - Type: array - Default: `[]` @@ -554,6 +572,7 @@ List of private IP addresses/IP address ranges to not be SNAT. ### Parameter: `retentionDays` Number of days the insights should be enabled on the policy. + - Required: No - Type: int - Default: `365` @@ -561,6 +580,7 @@ Number of days the insights should be enabled on the policy. ### Parameter: `ruleCollectionGroups` Rule collection groups. + - Required: No - Type: array - Default: `[]` @@ -568,6 +588,7 @@ Rule collection groups. ### Parameter: `servers` List of Custom DNS Servers. + - Required: No - Type: array - Default: `[]` 
@@ -575,6 +596,7 @@ List of Custom DNS Servers. ### Parameter: `signatureOverrides` List of specific signatures states. + - Required: No - Type: array - Default: `[]` @@ -582,12 +604,14 @@ List of specific signatures states. ### Parameter: `tags` Tags of the Firewall policy resource. + - Required: No - Type: object ### Parameter: `threatIntelMode` The operation mode for Threat Intel. + - Required: No - Type: string - Default: `'Off'` @@ -603,6 +627,7 @@ The operation mode for Threat Intel. ### Parameter: `tier` Tier of Firewall Policy. + - Required: No - Type: string - Default: `'Standard'` @@ -617,6 +642,7 @@ Tier of Firewall Policy. ### Parameter: `workspaces` List of workspaces for Firewall Policy Insights. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/firewall-policy/rule-collection-group/README.md b/modules/network/firewall-policy/rule-collection-group/README.md index 920f33ecd8..aa3fdbc956 100644 --- a/modules/network/firewall-policy/rule-collection-group/README.md +++ b/modules/network/firewall-policy/rule-collection-group/README.md 
@@ -37,34 +37,39 @@ This module deploys a Firewall Policy Rule Collection Group. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`ruleCollections`](#parameter-rulecollections) | array | Group of Firewall Policy rule collections. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `firewallPolicyName` - -The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `name` The name of the rule collection group to deploy. + - Required: Yes - Type: string ### Parameter: `priority` Priority of the Firewall Policy Rule Collection Group resource. + - Required: Yes - Type: int +### Parameter: `firewallPolicyName` + +The name of the parent Firewall Policy. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `ruleCollections` Group of Firewall Policy rule collections. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index c62511aad4..cf76c7f7bc 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md 
@@ -545,9 +545,17 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo | [`sku`](#parameter-sku) | string | The pricing tier of the WAF profile. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +Name of the Front Door WAF policy. + +- Required: Yes +- Type: string + ### Parameter: `customRules` The custom rules inside the policy. + - Required: No - Type: object - Default: @@ -578,6 +586,7 @@ The custom rules inside the policy. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -585,6 +594,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `'global'` @@ -592,26 +602,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -619,6 +638,7 @@ Optional. Specify the name of lock. ### Parameter: `managedRules` Describes the managedRules structure. + - Required: No - Type: object - Default: 
@@ -642,15 +662,10 @@ Describes the managedRules structure. } ``` -### Parameter: `name` - -Name of the Front Door WAF policy. -- Required: Yes -- Type: string - ### Parameter: `policySettings` The PolicySettings for policy. + - Required: No - Type: object - Default: 
@@ -664,74 +679,96 @@ The PolicySettings for policy. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sku` The pricing tier of the WAF profile. 
+ - Required: No - Type: string - Default: `'Standard_AzureFrontDoor'` @@ -746,6 +783,7 @@ The pricing tier of the WAF profile. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index b86171346b..6fd669facf 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md 
@@ -839,120 +839,132 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { ### Parameter: `backendPools` Backend address pool of the frontdoor resource. + - Required: Yes - Type: array -### Parameter: `diagnosticSettings` +### Parameter: `frontendEndpoints` -The diagnostic settings of the service. -- Required: No +Frontend endpoints of the frontdoor resource. + +- Required: Yes - Type: array +### Parameter: `healthProbeSettings` -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +Heath probe settings of the frontdoor resource. -### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` +- Required: Yes +- Type: array -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +### Parameter: `loadBalancingSettings` -- Required: No -- Type: string +Load balancing settings of the frontdoor resource. -### Parameter: `diagnosticSettings.eventHubName` +- Required: Yes +- Type: array -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +### Parameter: `name` -- Required: No +The name of the frontDoor. + +- Required: Yes - Type: string -### Parameter: `diagnosticSettings.logAnalyticsDestinationType` +### Parameter: `routingRules` -Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +Routing rules settings of the frontdoor resource. -- Required: No -- Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Required: Yes +- Type: array -### Parameter: `diagnosticSettings.logCategoriesAndGroups` +### Parameter: `diagnosticSettings` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The diagnostic settings of the service. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` +### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. 
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` +### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string +### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -### Parameter: `diagnosticSettings.marketplacePartnerResourceId` - -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` -### Parameter: `diagnosticSettings.metricCategories` +### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. 
| - -### Parameter: `diagnosticSettings.metricCategories.category` +### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. -- Required: Yes +- Required: No - Type: string +### Parameter: `diagnosticSettings.metricCategories` + +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. + +- Required: No +- Type: array ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string 
@@ -960,6 +972,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -967,6 +980,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enabledState` State of the frontdoor resource. + - Required: No - Type: string - Default: `'Enabled'` @@ -974,6 +988,7 @@ State of the frontdoor resource. ### Parameter: `enforceCertificateNameCheck` Enforce certificate name check of the frontdoor resource. + - Required: No - Type: string - Default: `'Disabled'` @@ -981,31 +996,15 @@ Enforce certificate name check of the frontdoor resource. ### Parameter: `friendlyName` Friendly name of the frontdoor resource. + - Required: No - Type: string - Default: `''` -### Parameter: `frontendEndpoints` - -Frontend endpoints of the frontdoor resource. -- Required: Yes -- Type: array - -### Parameter: `healthProbeSettings` - -Heath probe settings of the frontdoor resource. -- Required: Yes -- Type: array - -### Parameter: `loadBalancingSettings` - -Load balancing settings of the frontdoor resource. -- Required: Yes -- Type: array - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1013,113 +1012,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the frontDoor. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. 
+The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string - -### Parameter: `routingRules` - -Routing rules settings of the frontdoor resource. -- Required: Yes -- Type: array +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sendRecvTimeoutSeconds` Certificate name check time of the frontdoor resource. + - Required: No - Type: int - Default: `240` @@ -1127,6 +1145,7 @@ Certificate name check time of the frontdoor resource. ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index a5ac16bc08..295e9b4498 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md 
@@ -294,9 +294,17 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | +### Parameter: `name` + +The name of the ipGroups. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -304,6 +312,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipAddresses` IpAddresses/IpAddressPrefixes in the IpGroups resource. + - Required: No - Type: array - Default: `[]` @@ -311,6 +320,7 @@ IpAddresses/IpAddressPrefixes in the IpGroups resource. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -318,107 +328,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the ipGroups. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. 
+The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Resource tags. + - Required: No - Type: object diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index 1da31adc09..94e0c1185f 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -927,9 +927,24 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { | [`skuName`](#parameter-skuname) | string | Name of a load balancer SKU. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `frontendIPConfigurations` + +Array of objects containing all frontend IP configurations. + +- Required: Yes +- Type: array + +### Parameter: `name` + +The Proximity Placement Groups Name. + +- Required: Yes +- Type: string + ### Parameter: `backendAddressPools` Collection of backend address pools used by a load balancer. + - Required: No - Type: array - Default: `[]` 
@@ -937,86 +952,82 @@ Collection of backend address pools used by a load balancer. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1024,19 +1035,15 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `frontendIPConfigurations` - -Array of objects containing all frontend IP configurations. -- Required: Yes -- Type: array - ### Parameter: `inboundNatRules` Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT rules on your load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules. + - Required: No - Type: array - Default: `[]` @@ -1044,6 +1051,7 @@ Collection of inbound NAT Rules used by a load balancer. Defining inbound NAT ru ### Parameter: `loadBalancingRules` Array of objects containing all load balancing rules. + - Required: No - Type: array - Default: `[]` @@ -1051,6 +1059,7 @@ Array of objects containing all load balancing rules. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1058,39 +1067,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The Proximity Placement Groups Name. -- Required: Yes -- Type: string - ### Parameter: `outboundRules` The outbound rules. + - Required: No - Type: array - Default: `[]` @@ -1098,6 +1111,7 @@ The outbound rules. ### Parameter: `probes` Array of objects containing all probes, these are references in the load balancing rules. + - Required: No - Type: array - Default: `[]` 
@@ -1105,74 +1119,96 @@ Array of objects containing all probes, these are references in the load balanci ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` Name of a load balancer SKU. + - Required: No - Type: string - Default: `'Standard'` 
@@ -1187,6 +1223,7 @@ Name of a load balancer SKU.
 ### Parameter: `tags`
 
 Tags of the resource.
+
 - Required: No
 - Type: object
 
diff --git a/modules/network/load-balancer/backend-address-pool/README.md b/modules/network/load-balancer/backend-address-pool/README.md
index 98c95d3b23..6570434862 100644
--- a/modules/network/load-balancer/backend-address-pool/README.md
+++ b/modules/network/load-balancer/backend-address-pool/README.md
@@ -39,9 +39,24 @@ This module deploys a Load Balancer Backend Address Pools.
 | [`syncMode`](#parameter-syncmode) | string | Backend address synchronous mode for the backend pool. |
 | [`tunnelInterfaces`](#parameter-tunnelinterfaces) | array | An array of gateway load balancer tunnel interfaces. |
 
+### Parameter: `name`
+
+The name of the backend address pool.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `loadBalancerName`
+
+The name of the parent load balancer. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `drainPeriodInSeconds`
 
 Amount of seconds Load Balancer waits for before sending RESET to client and backend address. if value is 0 then this property will be set to null. Subscription must register the feature Microsoft.Network/SLBAllowConnectionDraining before using this property.
+
 - Required: No
 - Type: int
 - Default: `0`
@@ -49,6 +64,7 @@ Amount of seconds Load Balancer waits for before sending RESET to client and bac
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -56,25 +72,15 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `loadBalancerBackendAddresses`
 
 An array of backend addresses.
+
 - Required: No
 - Type: array
 - Default: `[]`
 
-### Parameter: `loadBalancerName`
-
-The name of the parent load balancer. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the backend address pool.
-- Required: Yes
-- Type: string
-
 ### Parameter: `syncMode`
 
 Backend address synchronous mode for the backend pool.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -90,6 +96,7 @@ Backend address synchronous mode for the backend pool.
 ### Parameter: `tunnelInterfaces`
 
 An array of gateway load balancer tunnel interfaces.
+
 - Required: No
 - Type: array
 - Default: `[]`
diff --git a/modules/network/load-balancer/inbound-nat-rule/README.md b/modules/network/load-balancer/inbound-nat-rule/README.md
index 5cd6e7873d..85f725237f 100644
--- a/modules/network/load-balancer/inbound-nat-rule/README.md
+++ b/modules/network/load-balancer/inbound-nat-rule/README.md
@@ -45,9 +45,38 @@ This module deploys a Load Balancer Inbound NAT Rules.
 | [`idleTimeoutInMinutes`](#parameter-idletimeoutinminutes) | int | The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP. |
 | [`protocol`](#parameter-protocol) | string | The transport protocol for the endpoint. |
 
+### Parameter: `frontendIPConfigurationName`
+
+The name of the frontend IP address to set for the inbound NAT rule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `frontendPort`
+
+The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `name`
+
+The name of the inbound NAT rule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `loadBalancerName`
+
+The name of the parent load balancer. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `backendAddressPoolName`
 
 Name of the backend address pool.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -55,6 +84,7 @@ Name of the backend address pool.
 ### Parameter: `backendPort`
 
 The port used for the internal endpoint.
+
 - Required: No
 - Type: int
 - Default: `[parameters('frontendPort')]`
@@ -62,6 +92,7 @@ The port used for the internal endpoint.
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -69,6 +100,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `enableFloatingIP`
 
 Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -76,25 +108,15 @@ Configures a virtual machine's endpoint for the floating IP capability required
 ### Parameter: `enableTcpReset`
 
 Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.
+
 - Required: No
 - Type: bool
 - Default: `False`
 
-### Parameter: `frontendIPConfigurationName`
-
-The name of the frontend IP address to set for the inbound NAT rule.
-- Required: Yes
-- Type: string
-
-### Parameter: `frontendPort`
-
-The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer.
-- Required: Yes
-- Type: int
-
 ### Parameter: `frontendPortRangeEnd`
 
 The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.
+
 - Required: No
 - Type: int
 - Default: `-1`
@@ -102,6 +124,7 @@ The port range end for the external endpoint. This property is used together wit
 ### Parameter: `frontendPortRangeStart`
 
 The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool.
+
 - Required: No
 - Type: int
 - Default: `-1`
@@ -109,25 +132,15 @@ The port range start for the external endpoint. This property is used together w
 ### Parameter: `idleTimeoutInMinutes`
 
 The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.
+
 - Required: No
 - Type: int
 - Default: `4`
 
-### Parameter: `loadBalancerName`
-
-The name of the parent load balancer. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
-### Parameter: `name`
-
-The name of the inbound NAT rule.
-- Required: Yes
-- Type: string
-
 ### Parameter: `protocol`
 
 The transport protocol for the endpoint.
+
 - Required: No
 - Type: string
 - Default: `'Tcp'`
diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md
index f2fb425a1a..97c73c9da3 100644
--- a/modules/network/local-network-gateway/README.md
+++ b/modules/network/local-network-gateway/README.md
@@ -331,9 +331,31 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
+### Parameter: `localAddressPrefixes`
+
+List of the local (on-premises) IP address ranges.
+
+- Required: Yes
+- Type: array
+
+### Parameter: `localGatewayPublicIpAddress`
+
+Public IP of the local gateway.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `name`
+
+Name of the Local Network Gateway.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -341,19 +363,15 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `fqdn`
 
 FQDN of local network gateway.
+
 - Required: No
 - Type: string
 - Default: `''`
 
-### Parameter: `localAddressPrefixes`
-
-List of the local (on-premises) IP address ranges.
-- Required: Yes
-- Type: array
-
 ### Parameter: `localAsn`
 
 The BGP speaker's ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -361,19 +379,15 @@ The BGP speaker's ASN. Not providing this value will automatically disable BGP o
 ### Parameter: `localBgpPeeringAddress`
 
 The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource.
+
 - Required: No
 - Type: string
 - Default: `''`
 
-### Parameter: `localGatewayPublicIpAddress`
-
-Public IP of the local gateway.
-- Required: Yes
-- Type: string
-
 ### Parameter: `localPeerWeight`
 
 The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -381,6 +395,7 @@ The weight added to routes learned from this BGP speaker. This will only take ef
 ### Parameter: `location`
 
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -388,107 +403,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Local Network Gateway. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index 48343f3c1b..cf808aa8bb 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -514,9 +514,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags for the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | +### Parameter: `name` + +Name of the Azure Bastion resource. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -524,6 +532,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `idleTimeoutInMinutes` The idle timeout of the NAT gateway. + - Required: No - Type: int - Default: `5` @@ -531,6 +540,7 @@ The idle timeout of the NAT gateway. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -538,51 +548,57 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Azure Bastion resource. -- Required: Yes -- Type: string - ### Parameter: `publicIPAddressObjects` Specifies the properties of the Public IPs to create and be used by the NAT Gateway. + - Required: No - Type: array ### Parameter: `publicIPPrefixObjects` Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. + - Required: No - Type: array ### Parameter: `publicIPPrefixResourceIds` Existing Public IP Prefixes resource IDs to use for the NAT Gateway. + - Required: No - Type: array - Default: `[]` 
@@ -590,6 +606,7 @@ Existing Public IP Prefixes resource IDs to use for the NAT Gateway.
 ### Parameter: `publicIpResourceIds`
 
 Existing Public IP Address resource IDs to use for the NAT Gateway.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -597,80 +614,103 @@ Existing Public IP Address resource IDs to use for the NAT Gateway. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags for the resource. + - Required: No - Type: object ### Parameter: `zones` A list of availability zones denoting the zone in which Nat Gateway should be deployed. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 0efe82db56..398da34fed 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -455,9 +455,24 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `ipConfigurations` + +A list of IPConfigurations of the network interface. + +- Required: Yes +- Type: array + +### Parameter: `name` + +The name of the network interface. + +- Required: Yes +- Type: string + ### Parameter: `auxiliaryMode` Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. + - Required: No - Type: string - Default: `'None'` @@ -473,6 +488,7 @@ Auxiliary mode of Network Interface resource. Not all regions are enabled for Au ### Parameter: `auxiliarySku` Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic. + - Required: No - Type: string - Default: `'None'` 
@@ -490,86 +506,82 @@ Auxiliary sku of Network Interface resource. Not all regions are enabled for Aux ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type.
 - Required: No
 - Type: string
-- Allowed: `[AzureDiagnostics, Dedicated]`
+- Allowed:
+ ```Bicep
+ [
+ 'AzureDiagnostics'
+ 'Dedicated'
+ ]
+ ```
 ### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.metricCategories`
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
 - Required: No
 - Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
-
-### Parameter: `diagnosticSettings.metricCategories.category`
-
-Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
-
-- Required: Yes
-- Type: string
-
-
 ### Parameter: `diagnosticSettings.name`
-Optional. The name of diagnostic setting.
+The name of diagnostic setting.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.storageAccountResourceId`
-Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
 ### Parameter: `diagnosticSettings.workspaceResourceId`
-Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
 - Required: No
 - Type: string
@@ -577,6 +589,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re
 ### Parameter: `disableTcpStateTracking`
 Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -584,6 +597,7 @@ Indicates whether to disable tcp state tracking. Subscription must be registered
 ### Parameter: `dnsServers`
 List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -591,6 +605,7 @@ List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure prov
 ### Parameter: `enableAcceleratedNetworking`
 If the network interface is accelerated networking enabled.
+
 - Required: No
 - Type: bool
 - Default: `False`
@@ -598,6 +613,7 @@ If the network interface is accelerated networking enabled.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -605,19 +621,15 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `enableIPForwarding`
 Indicates whether IP forwarding is enabled on this network interface.
+
 - Required: No
 - Type: bool
 - Default: `False`
-### Parameter: `ipConfigurations`
-
-A list of IPConfigurations of the network interface.
-- Required: Yes
-- Type: array
-
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -625,39 +637,43 @@ Location for all resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
-### Parameter: `name`
-
-The name of the network interface.
-- Required: Yes
-- Type: string
-
 ### Parameter: `networkSecurityGroupResourceId`
 The network security group (NSG) to attach to the network interface.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -665,74 +681,96 @@ The network security group (NSG) to attach to the network interface.
 ### Parameter: `roleAssignments`
 Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
 - Required: No
 - Type: array
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
|
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-### Parameter: `roleAssignments.condition`
+### Parameter: `roleAssignments.principalId`
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+The principal ID of the principal (user/group/identity) to assign the role to.
-- Required: No
+- Required: Yes
 - Type: string
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. Version of the condition.
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
-- Required: No
+- Required: Yes
 - Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
-Optional. The description of the role assignment.
+Version of the condition.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md
index 8460d85457..ad557d501f 100644
--- a/modules/network/network-manager/README.md
+++ b/modules/network/network-manager/README.md
@@ -972,9 +972,39 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = {
 | [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+### Parameter: `name`
+
+Name of the Network Manager.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `networkManagerScopeAccesses`
+
+Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs.
+
+- Required: Yes
+- Type: array
+
+### Parameter: `networkManagerScopes`
+
+Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.
+
+- Required: Yes
+- Type: object
+
+### Parameter: `networkGroups`
+
+Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. 
Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
 ### Parameter: `connectivityConfigurations`
 Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -982,6 +1012,7 @@ Connectivity Configurations to create for the network manager. Network manager m
 ### Parameter: `description`
 A description of the network manager.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -989,6 +1020,7 @@ A description of the network manager.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -996,6 +1028,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -1003,126 +1036,132 @@ Location for all resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
-### Parameter: `name`
-
-Name of the Network Manager.
-- Required: Yes
-- Type: string
+### Parameter: `roleAssignments`
-### Parameter: `networkGroups`
+Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-Network Groups and static members to create for the network manager. Required if using "connectivityConfigurations" or "securityAdminConfigurations" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. 
Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details.
 - Required: No
 - Type: array
-- Default: `[]`
-### Parameter: `networkManagerScopeAccesses`
+**Required parameters**
-Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs.
-- Required: Yes
-- Type: array
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
-### Parameter: `networkManagerScopes`
+**Optional parameters**
-Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment.
-- Required: Yes
-- Type: object
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-### Parameter: `roleAssignments`
+### Parameter: `roleAssignments.principalId`
-Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
-- Type: array
+The principal ID of the principal (user/group/identity) to assign the role to.
+- Required: Yes
+- Type: string
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. 
|
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. |
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+- Type: string
 ### Parameter: `roleAssignments.condition`
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
 ### Parameter: `roleAssignments.conditionVersion`
-Optional. Version of the condition.
+Version of the condition.
 - Required: No
 - Type: string
-- Allowed: `[2.0]`
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
 ### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Optional. The Resource Id of the delegated managed identity resource.
+The Resource Id of the delegated managed identity resource.
 - Required: No
 - Type: string
 ### Parameter: `roleAssignments.description`
-Optional. The description of the role assignment.
+The description of the role assignment. 
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.principalId`
-
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `roleAssignments.principalType`
-Optional. The principal type of the assigned principal ID.
+The principal type of the assigned principal ID.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
-
-Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
-
-- Required: Yes
-- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `scopeConnections`
 Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1130,6 +1169,7 @@ Scope Connections to create for the network manager. Allows network manager to m
 ### Parameter: `securityAdminConfigurations`
 Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -1137,6 +1177,7 @@ Security Admin Configurations, Rule Collections and Rules to create for the netw
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
diff --git a/modules/network/network-manager/connectivity-configuration/README.md b/modules/network/network-manager/connectivity-configuration/README.md
index 82d0de0287..6168ea4e7f 100644
--- a/modules/network/network-manager/connectivity-configuration/README.md
+++ b/modules/network/network-manager/connectivity-configuration/README.md
@@ -45,6 +45,7 @@ Connectivity configurations define hub-and-spoke or mesh topologies applied to o
 ### Parameter: `appliesToGroups`
 Network Groups for the configuration.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -52,6 +53,7 @@ Network Groups for the configuration.
 ### Parameter: `connectivityTopology`
 Connectivity topology type.
+
 - Required: Yes
 - Type: string
 - Allowed:
@@ -62,9 +64,32 @@ Connectivity topology type.
 ]
 ```
+### Parameter: `name`
+
+The name of the connectivity configuration.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `hubs`
+
+List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke".
+
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `networkManagerName`
+
+The name of the parent network manager. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `deleteExistingPeering`
 Flag if need to remove current existing peerings. If set to "True", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type "HubAndSpoke".
+
 - Required: No
 - Type: string
 - Default: `'False'`
@@ -79,6 +104,7 @@ Flag if need to remove current existing peerings. If set to "True", all peerings
 ### Parameter: `description`
 A description of the connectivity configuration.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -86,20 +112,15 @@ A description of the connectivity configuration.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
-### Parameter: `hubs`
-
-List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type "HubAndSpoke".
-- Required: No
-- Type: array
-- Default: `[]`
-
 ### Parameter: `isGlobal`
 Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions.
+
 - Required: No
 - Type: string
 - Default: `'False'`
@@ -111,18 +132,6 @@ Flag if global mesh is supported. By default, mesh connectivity is applied to vi
 ]
 ```
-### Parameter: `name`
-
-The name of the connectivity configuration.
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/network/network-manager/network-group/README.md b/modules/network/network-manager/network-group/README.md
index a5f8dca4a0..dfc2942b79 100644
--- a/modules/network/network-manager/network-group/README.md
+++ b/modules/network/network-manager/network-group/README.md
@@ -39,9 +39,24 @@ A network group is a collection of same-type network resources that you can asso
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`staticMembers`](#parameter-staticmembers) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. |
+### Parameter: `name`
+
+The name of the network group.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `networkManagerName`
+
+The name of the parent network manager. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `description`
 A description of the network group.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -49,25 +64,15 @@ A description of the network group.
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
-### Parameter: `name`
-
-The name of the network group.
-- Required: Yes
-- Type: string
-
-### Parameter: `networkManagerName`
-
-The name of the parent network manager. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ### Parameter: `staticMembers`
 Static Members to create for the network group. Contains virtual networks to add to the network group.
+
 - Required: No
 - Type: array
 - Default: `[]`
diff --git a/modules/network/network-manager/network-group/static-member/README.md b/modules/network/network-manager/network-group/static-member/README.md
index 7a10fbc50c..43d13ca7e6 100644
--- a/modules/network/network-manager/network-group/static-member/README.md
+++ b/modules/network/network-manager/network-group/static-member/README.md
@@ -38,36 +38,41 @@ Static membership allows you to explicitly add virtual networks to a group by ma
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `name`
 The name of the static member.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `resourceId`
+
+Resource ID of the virtual network.
+
 - Required: Yes
 - Type: string
 ### Parameter: `networkGroupName`
 The name of the parent network group. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 ### Parameter: `networkManagerName`
 The name of the parent network manager. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
-### Parameter: `resourceId`
+### Parameter: `enableDefaultTelemetry`
-Resource ID of the virtual network.
-- Required: Yes
-- Type: string
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
 ## Outputs
diff --git a/modules/network/network-manager/scope-connection/README.md b/modules/network/network-manager/scope-connection/README.md
index b2e6fbf6c5..ad53105021 100644
--- a/modules/network/network-manager/scope-connection/README.md
+++ b/modules/network/network-manager/scope-connection/README.md
@@ -39,43 +39,49 @@ Create a cross-tenant connection to manage a resource from another tenant. | [`description`](#parameter-description) | string | A description of the scope connection. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `description` +### Parameter: `name` -A description of the scope connection. -- Required: No +The name of the scope connection. + +- Required: Yes - Type: string -- Default: `''` -### Parameter: `enableDefaultTelemetry` +### Parameter: `resourceId` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +Enter the subscription or management group resource ID that you want to add to this network manager's scope. -### Parameter: `name` +- Required: Yes +- Type: string + +### Parameter: `tenantId` + +Tenant ID of the subscription or management group that you want to manage. -The name of the scope connection. - Required: Yes - Type: string ### Parameter: `networkManagerName` The name of the parent network manager. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `resourceId` +### Parameter: `description` -Enter the subscription or management group resource ID that you want to add to this network manager's scope. -- Required: Yes +A description of the scope connection. + +- Required: No - Type: string +- Default: `''` -### Parameter: `tenantId` +### Parameter: `enableDefaultTelemetry` -Tenant ID of the subscription or management group that you want to manage. -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ## Outputs diff --git a/modules/network/network-manager/security-admin-configuration/README.md b/modules/network/network-manager/security-admin-configuration/README.md index e49e0a6867..acf913b035 100644 
--- a/modules/network/network-manager/security-admin-configuration/README.md +++ b/modules/network/network-manager/security-admin-configuration/README.md @@ -44,6 +44,7 @@ A security admin configuration contains a set of rule collections. Each rule col ### Parameter: `applyOnNetworkIntentPolicyBasedServices` Enum list of network intent policy based services. + - Required: No - Type: array - Default: @@ -61,9 +62,24 @@ Enum list of network intent policy based services. ] ``` +### Parameter: `name` + +The name of the security admin configuration. + +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `description` A description of the security admin configuration. + - Required: No - Type: string - Default: `''` @@ -71,25 +87,15 @@ A description of the security admin configuration. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the security admin configuration. -- Required: Yes -- Type: string - -### Parameter: `networkManagerName` - -The name of the parent network manager. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `ruleCollections` A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/README.md index 8f8dbcef8f..dc47633126 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/README.md 
+++ b/modules/network/network-manager/security-admin-configuration/rule-collection/README.md @@ -44,12 +44,35 @@ A security admin configuration contains a set of rule collections. Each rule col ### Parameter: `appliesToGroups` List of network groups for configuration. An admin rule collection must be associated to at least one network group. + - Required: Yes - Type: array +### Parameter: `name` + +The name of the admin rule collection. + +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `securityAdminConfigurationName` + +The name of the parent security admin configuration. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `description` A description of the admin rule collection. + - Required: No - Type: string - Default: `''` 
@@ -57,33 +80,17 @@ A description of the admin rule collection. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the admin rule collection. -- Required: Yes -- Type: string - -### Parameter: `networkManagerName` - -The name of the parent network manager. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `rules` List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail. -- Required: Yes -- Type: array -### Parameter: `securityAdminConfigurationName` - -The name of the parent security admin configuration. Required if the template is used in a standalone deployment. - Required: Yes -- Type: string +- Type: array ## Outputs diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md index dfb454ced3..7e0081bd9e 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/README.md @@ -50,6 +50,7 @@ A security admin configuration contains a set of rule collections. Each rule col ### Parameter: `access` Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs. + - Required: Yes - Type: string - Allowed: 
@@ -61,30 +62,10 @@ Indicates the access allowed for this particular rule. "Allow" means traffic mat ] ``` -### Parameter: `description` - -A description of the rule. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `destinationPortRanges` - -List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `destinations` - -The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. -- Required: No -- Type: array -- Default: `[]` - ### Parameter: `direction` Indicates if the traffic matched against the rule in inbound or outbound. + - Required: Yes - Type: string - Allowed: @@ -95,34 +76,24 @@ Indicates if the traffic matched against the rule in inbound or outbound. ] ``` -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the rule. -- Required: Yes -- Type: string -### Parameter: `networkManagerName` - -The name of the parent network manager. Required if the template is used in a standalone deployment. - Required: Yes - Type: string ### Parameter: `priority` The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. + - Required: Yes - Type: int ### Parameter: `protocol` Network protocol this rule applies to. + - Required: Yes - Type: string - Allowed: 
@@ -137,21 +108,63 @@ Network protocol this rule applies to. ] ``` +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `ruleCollectionName` The name of the parent rule collection. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `securityAdminConfigurationName` The name of the parent security admin configuration. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `description` + +A description of the rule. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `destinationPortRanges` + +List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `destinations` + +The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `sourcePortRanges` List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535. + - Required: No - Type: array - Default: `[]` 
@@ -159,6 +172,7 @@ List of destination port ranges. This specifies on which ports traffic will be a ### Parameter: `sources` The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index f0672acbff..9ea167f1eb 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md 
@@ -578,97 +578,92 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | +### Parameter: `name` + +Name of the Network Security Group. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -676,6 +671,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -683,6 +679,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `flushConnection` When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. + - Required: No - Type: bool - Default: `False` @@ -690,6 +687,7 @@ When enabled, flows created from Network Security Group connections will be re-e ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -697,107 +695,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Network Security Group. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. 
The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securityRules` Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. + - Required: No - Type: array - Default: `[]` @@ -805,6 +828,7 @@ Array of Security Rules to deploy to the Network Security Group. When not provid ### Parameter: `tags` Tags of the NSG resource. + - Required: No - Type: object diff --git a/modules/network/network-security-group/security-rule/README.md b/modules/network/network-security-group/security-rule/README.md index 98658edd16..b0f951daa0 100644 --- a/modules/network/network-security-group/security-rule/README.md +++ b/modules/network/network-security-group/security-rule/README.md 
@@ -50,9 +50,63 @@ This module deploys a Network Security Group (NSG) Security Rule. | [`sourcePortRange`](#parameter-sourceportrange) | string | The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. | | [`sourcePortRanges`](#parameter-sourceportranges) | array | The source port ranges. | +### Parameter: `direction` + +The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Inbound' + 'Outbound' + ] + ``` + +### Parameter: `name` + +The name of the security rule. + +- Required: Yes +- Type: string + +### Parameter: `priority` + +The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. + +- Required: Yes +- Type: int + +### Parameter: `protocol` + +Network protocol this rule applies to. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + '*' + 'Ah' + 'Esp' + 'Icmp' + 'Tcp' + 'Udp' + ] + ``` + +### Parameter: `networkSecurityGroupName` + +The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `access` Whether network traffic is allowed or denied. + - Required: No - Type: string - Default: `'Deny'` @@ -67,6 +121,7 @@ Whether network traffic is allowed or denied. ### Parameter: `description` A description for this rule. + - Required: No - Type: string - Default: `''` 
@@ -74,6 +129,7 @@ A description for this rule. ### Parameter: `destinationAddressPrefix` The destination address prefix. CIDR or destination IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. + - Required: No - Type: string - Default: `''` @@ -81,6 +137,7 @@ The destination address prefix. CIDR or destination IP range. Asterisk "*" can a ### Parameter: `destinationAddressPrefixes` The destination address prefixes. CIDR or destination IP ranges. + - Required: No - Type: array - Default: `[]` @@ -88,6 +145,7 @@ The destination address prefixes. CIDR or destination IP ranges. ### Parameter: `destinationApplicationSecurityGroups` The application security group specified as destination. + - Required: No - Type: array - Default: `[]` @@ -95,6 +153,7 @@ The application security group specified as destination. ### Parameter: `destinationPortRange` The destination port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. + - Required: No - Type: string - Default: `''` 
@@ -102,68 +161,23 @@ The destination port or range. Integer or range between 0 and 65535. Asterisk "* ### Parameter: `destinationPortRanges` The destination port ranges. + - Required: No - Type: array - Default: `[]` -### Parameter: `direction` - -The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Inbound' - 'Outbound' - ] - ``` - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the security rule. -- Required: Yes -- Type: string - -### Parameter: `networkSecurityGroupName` - -The name of the parent network security group to deploy the security rule into. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `priority` - -The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. -- Required: Yes -- Type: int - -### Parameter: `protocol` - -Network protocol this rule applies to. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - '*' - 'Ah' - 'Esp' - 'Icmp' - 'Tcp' - 'Udp' - ] - ``` - ### Parameter: `sourceAddressPrefix` The CIDR or source IP range. Asterisk "*" can also be used to match all source IPs. Default tags such as "VirtualNetwork", "AzureLoadBalancer" and "Internet" can also be used. If this is an ingress rule, specifies where network traffic originates from. + - Required: No - Type: string - Default: `''` @@ -171,6 +185,7 @@ The CIDR or source IP range. Asterisk "*" can also be used to match all source I ### Parameter: `sourceAddressPrefixes` The CIDR or source IP ranges. + - Required: No - Type: array - Default: `[]` 
@@ -178,6 +193,7 @@ The CIDR or source IP ranges. ### Parameter: `sourceApplicationSecurityGroups` The application security group specified as source. + - Required: No - Type: array - Default: `[]` @@ -185,6 +201,7 @@ The application security group specified as source. ### Parameter: `sourcePortRange` The source port or range. Integer or range between 0 and 65535. Asterisk "*" can also be used to match all ports. + - Required: No - Type: string - Default: `''` @@ -192,6 +209,7 @@ The source port or range. Integer or range between 0 and 65535. Asterisk "*" can ### Parameter: `sourcePortRanges` The source port ranges. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index c8263f21d9..07a3771138 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -535,6 +535,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { ### Parameter: `connectionMonitors` Array that contains the Connection Monitors. + - Required: No - Type: array - Default: `[]` @@ -542,6 +543,7 @@ Array that contains the Connection Monitors. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -549,6 +551,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `flowLogs` Array that contains the Flow Logs. + - Required: No - Type: array - Default: `[]` @@ -556,6 +559,7 @@ Array that contains the Flow Logs. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -563,26 +567,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -590,6 +603,7 @@ Optional. Specify the name of lock. ### Parameter: `name` Name of the Network Watcher resource (hidden). + - Required: No - Type: string - Default: `[format('NetworkWatcher_{0}', parameters('location'))]` 
@@ -597,74 +611,96 @@ Name of the Network Watcher resource (hidden). ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+ - Required: No - Type: object diff --git a/modules/network/network-watcher/connection-monitor/README.md b/modules/network/network-watcher/connection-monitor/README.md index 313167cd95..ff5812ad1a 100644 --- a/modules/network/network-watcher/connection-monitor/README.md +++ b/modules/network/network-watcher/connection-monitor/README.md @@ -36,9 +36,17 @@ This module deploys a Network Watcher Connection Monitor. | [`testGroups`](#parameter-testgroups) | array | List of connection monitor test groups. | | [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. | +### Parameter: `name` + +Name of the resource. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -46,6 +54,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endpoints` List of connection monitor endpoints. + - Required: No - Type: array - Default: `[]` @@ -53,19 +62,15 @@ List of connection monitor endpoints. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Name of the resource. -- Required: Yes -- Type: string - ### Parameter: `networkWatcherName` Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. + - Required: No - Type: string - Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]` @@ -73,12 +78,14 @@ Name of the network watcher resource. Must be in the resource group where the Fl ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `testConfigurations` List of connection monitor test configurations. + - Required: No - Type: array - Default: `[]` 
@@ -86,6 +93,7 @@ List of connection monitor test configurations. ### Parameter: `testGroups` List of connection monitor test groups. + - Required: No - Type: array - Default: `[]` @@ -93,6 +101,7 @@ List of connection monitor test groups. ### Parameter: `workspaceResourceId` Specify the Log Analytics Workspace Resource ID. + - Required: No - Type: string - Default: `''` diff --git a/modules/network/network-watcher/flow-log/README.md b/modules/network/network-watcher/flow-log/README.md index 512cbc68db..b6489b44bb 100644 --- a/modules/network/network-watcher/flow-log/README.md +++ b/modules/network/network-watcher/flow-log/README.md @@ -40,9 +40,24 @@ This module controls the Network Security Group Flow Logs and analytics settings | [`trafficAnalyticsInterval`](#parameter-trafficanalyticsinterval) | int | The interval in minutes which would decide how frequently TA service should do flow analytics. | | [`workspaceResourceId`](#parameter-workspaceresourceid) | string | Specify the Log Analytics Workspace Resource ID. | +### Parameter: `storageId` + +Resource ID of the diagnostic storage account. + +- Required: Yes +- Type: string + +### Parameter: `targetResourceId` + +Resource ID of the NSG that must be enabled for Flow Logs. + +- Required: Yes +- Type: string + ### Parameter: `enabled` If the flow log should be enabled. + - Required: No - Type: bool - Default: `True` @@ -50,6 +65,7 @@ If the flow log should be enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -57,6 +73,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `formatVersion` The flow log format version. + - Required: No - Type: int - Default: `2` @@ -71,6 +88,7 @@ The flow log format version. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -78,6 +96,7 @@ Location for all resources. ### Parameter: `name` Name of the resource. + - Required: No - Type: string - Default: `[format('{0}-{1}-flowlog', last(split(parameters('targetResourceId'), '/')), split(parameters('targetResourceId'), '/')[4])]` @@ -85,6 +104,7 @@ Name of the resource. ### Parameter: `networkWatcherName` Name of the network watcher resource. Must be in the resource group where the Flow log will be created and same region as the NSG. + - Required: No - Type: string - Default: `[format('NetworkWatcher_{0}', resourceGroup().location)]` @@ -92,31 +112,22 @@ Name of the network watcher resource. Must be in the resource group where the Fl ### Parameter: `retentionInDays` Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. + - Required: No - Type: int - Default: `365` -### Parameter: `storageId` - -Resource ID of the diagnostic storage account. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `targetResourceId` - -Resource ID of the NSG that must be enabled for Flow Logs. -- Required: Yes -- Type: string - ### Parameter: `trafficAnalyticsInterval` The interval in minutes which would decide how frequently TA service should do flow analytics. + - Required: No - Type: int - Default: `60` @@ -131,6 +142,7 @@ The interval in minutes which would decide how frequently TA service should do f ### Parameter: `workspaceResourceId` Specify the Log Analytics Workspace Resource ID. + - Required: No - Type: string - Default: `''` diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index 714eea7f96..cb8de05f03 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md 
@@ -929,9 +929,17 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { | [`txt`](#parameter-txt) | array | Array of TXT records. | | [`virtualNetworkLinks`](#parameter-virtualnetworklinks) | array | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | +### Parameter: `name` + +Private DNS zone name. + +- Required: Yes +- Type: string + ### Parameter: `a` Array of A records. + - Required: No - Type: array - Default: `[]` @@ -939,6 +947,7 @@ Array of A records. ### Parameter: `aaaa` Array of AAAA records. + - Required: No - Type: array - Default: `[]` @@ -946,6 +955,7 @@ Array of AAAA records. ### Parameter: `cname` Array of CNAME records. + - Required: No - Type: array - Default: `[]` @@ -953,6 +963,7 @@ Array of CNAME records. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -960,6 +971,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` The location of the PrivateDNSZone. Should be global. + - Required: No - Type: string - Default: `'global'` 
@@ -967,26 +979,35 @@ The location of the PrivateDNSZone. Should be global. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -994,19 +1015,15 @@ Optional. Specify the name of lock. ### Parameter: `mx` Array of MX records. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -Private DNS zone name. -- Required: Yes -- Type: string - ### Parameter: `ptr` Array of PTR records. + - Required: No - Type: array - Default: `[]` 
@@ -1014,74 +1031,96 @@ Array of PTR records. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `soa` Array of SOA records. + - Required: No - Type: array - Default: `[]` 
@@ -1089,6 +1128,7 @@ Array of SOA records. ### Parameter: `srv` Array of SRV records. + - Required: No - Type: array - Default: `[]` @@ -1096,12 +1136,14 @@ Array of SRV records. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `txt` Array of TXT records. + - Required: No - Type: array - Default: `[]` @@ -1109,6 +1151,7 @@ Array of TXT records. ### Parameter: `virtualNetworkLinks` Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/private-dns-zone/a/README.md b/modules/network/private-dns-zone/a/README.md index 9c8802653e..324cf8f429 100644 --- a/modules/network/private-dns-zone/a/README.md +++ b/modules/network/private-dns-zone/a/README.md 
@@ -40,9 +40,24 @@ This module deploys a Private DNS Zone A record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the A record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `aRecords` The list of A records in the record set. + - Required: No - Type: array - Default: `[]` @@ -50,6 +65,7 @@ The list of A records in the record set. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -57,93 +73,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the A record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/aaaa/README.md b/modules/network/private-dns-zone/aaaa/README.md index d825a7c1c4..a7aabb30c0 100644 --- a/modules/network/private-dns-zone/aaaa/README.md +++ b/modules/network/private-dns-zone/aaaa/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone AAAA record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the AAAA record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `aaaaRecords` The list of AAAA records in the record set. + - Required: No - Type: array - Default: `[]` @@ -50,6 +65,7 @@ The list of AAAA records in the record set. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -57,93 +73,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the AAAA record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/cname/README.md b/modules/network/private-dns-zone/cname/README.md index 0a2e3b151b..14ac042831 100644 --- a/modules/network/private-dns-zone/cname/README.md +++ b/modules/network/private-dns-zone/cname/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone CNAME record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the CNAME record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `cnameRecord` A CNAME record. + - Required: No - Type: object - Default: `{}` @@ -50,6 +65,7 @@ A CNAME record. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -57,93 +73,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the CNAME record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/mx/README.md b/modules/network/private-dns-zone/mx/README.md index f8ec7f7dfa..666ea216fa 100644 --- a/modules/network/private-dns-zone/mx/README.md +++ b/modules/network/private-dns-zone/mx/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone MX record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the MX record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,6 +65,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` 
@@ -57,93 +73,104 @@ The metadata attached to the record set. ### Parameter: `mxRecords` The list of MX records in the record set. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The name of the MX record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. 
The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/ptr/README.md b/modules/network/private-dns-zone/ptr/README.md index 58f270d3c3..20aa566d5e 100644 --- a/modules/network/private-dns-zone/ptr/README.md +++ b/modules/network/private-dns-zone/ptr/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone PTR record. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the PTR record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -50,25 +65,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the PTR record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `ptrRecords` The list of PTR records in the record set. + - Required: No - Type: array - Default: `[]` 
@@ -76,74 +81,96 @@ The list of PTR records in the record set. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` 
diff --git a/modules/network/private-dns-zone/soa/README.md b/modules/network/private-dns-zone/soa/README.md index 827a5007c3..37fd471fdf 100644 --- a/modules/network/private-dns-zone/soa/README.md +++ b/modules/network/private-dns-zone/soa/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone SOA record. | [`soaRecord`](#parameter-soarecord) | object | A SOA record. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the SOA record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -50,93 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the SOA record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. 
- Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `soaRecord` A SOA record. + - Required: No - Type: object - Default: `{}` @@ -144,6 +170,7 @@ A SOA record. ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/srv/README.md b/modules/network/private-dns-zone/srv/README.md index 650c311142..da0f621c88 100644 --- a/modules/network/private-dns-zone/srv/README.md +++ b/modules/network/private-dns-zone/srv/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone SRV record. | [`srvRecords`](#parameter-srvrecords) | array | The list of SRV records in the record set. | | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | +### Parameter: `name` + +The name of the SRV record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -50,93 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the SRV record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. 
- Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `srvRecords` The list of SRV records in the record set. + - Required: No - Type: array - Default: `[]` @@ -144,6 +170,7 @@ The list of SRV records in the record set. ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` diff --git a/modules/network/private-dns-zone/txt/README.md b/modules/network/private-dns-zone/txt/README.md index 600c4871f0..36e82bc657 100644 --- a/modules/network/private-dns-zone/txt/README.md +++ b/modules/network/private-dns-zone/txt/README.md @@ -40,9 +40,24 @@ This module deploys a Private DNS Zone TXT record. | [`ttl`](#parameter-ttl) | int | The TTL (time-to-live) of the records in the record set. | | [`txtRecords`](#parameter-txtrecords) | array | The list of TXT records in the record set. | +### Parameter: `name` + +The name of the TXT record. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -50,93 +65,104 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `metadata` The metadata attached to the record set. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the TXT record. -- Required: Yes -- Type: string - -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. 
| -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. 
- Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `ttl` The TTL (time-to-live) of the records in the record set. + - Required: No - Type: int - Default: `3600` @@ -144,6 +170,7 @@ The TTL (time-to-live) of the records in the record set. ### Parameter: `txtRecords` The list of TXT records in the record set. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/private-dns-zone/virtual-network-link/README.md b/modules/network/private-dns-zone/virtual-network-link/README.md index b83d22b41d..8cb4a9d04d 100644 --- a/modules/network/private-dns-zone/virtual-network-link/README.md +++ b/modules/network/private-dns-zone/virtual-network-link/README.md @@ -39,9 +39,24 @@ This module deploys a Private DNS Zone Virtual Network Link. | [`registrationEnabled`](#parameter-registrationenabled) | bool | Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `virtualNetworkResourceId` + +Link to another virtual network resource ID. + +- Required: Yes +- Type: string + +### Parameter: `privateDnsZoneName` + +The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -49,6 +64,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` The location of the PrivateDNSZone. Should be global. + - Required: No - Type: string - Default: `'global'` @@ -56,19 +72,15 @@ The location of the PrivateDNSZone. Should be global. ### Parameter: `name` The name of the virtual network link. + - Required: No - Type: string - Default: `[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]` -### Parameter: `privateDnsZoneName` - -The name of the parent Private DNS zone. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `registrationEnabled` Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?. + - Required: No - Type: bool - Default: `False` @@ -76,15 +88,10 @@ Is auto-registration of virtual machine records in the virtual network in the Pr ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `virtualNetworkResourceId` - -Link to another virtual network resource ID. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index 866ff9fecc..1ca7067d72 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md 
@@ -450,34 +450,65 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | +### Parameter: `groupIds` + +Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. + +- Required: Yes +- Type: array + +### Parameter: `name` + +Name of the private endpoint resource to create. + +- Required: Yes +- Type: string + +### Parameter: `serviceResourceId` + +Resource ID of the resource that needs to be connected to the network. + +- Required: Yes +- Type: string + +### Parameter: `subnetResourceId` + +Resource ID of the subnet where the endpoint needs to be created. + +- Required: Yes +- Type: string + ### Parameter: `applicationSecurityGroupResourceIds` Application security groups in which the private endpoint IP configuration is included. + - Required: No - Type: array ### Parameter: `customDnsConfigs` Custom DNS configurations. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-customdnsconfigsfqdn) | Yes | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-customdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`fqdn`](#parameter-customdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint ip address. | +| [`ipAddresses`](#parameter-customdnsconfigsipaddresses) | array | A list of private ip addresses of the private endpoint. | ### Parameter: `customDnsConfigs.fqdn` -Required. Fqdn that resolves to private endpoint ip address. +Fqdn that resolves to private endpoint ip address. - Required: Yes - Type: string ### Parameter: `customDnsConfigs.ipAddresses` -Required. A list of private ip addresses of the private endpoint. +A list of private ip addresses of the private endpoint. - Required: Yes - Type: array 
@@ -485,79 +516,50 @@ Required. A list of private ip addresses of the private endpoint. ### Parameter: `customNetworkInterfaceName` The custom name of the network interface attached to the private endpoint. + - Required: No - Type: string ### Parameter: `enableDefaultTelemetry` Enable/Disable usage telemetry for module. + - Required: No - Type: bool - Default: `True` -### Parameter: `groupIds` - -Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. -- Required: Yes -- Type: array - ### Parameter: `ipConfigurations` A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-ipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-ipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-ipconfigurationsname) | string | The name of the resource that is unique within a resource group. | +| [`properties`](#parameter-ipconfigurationsproperties) | object | Properties of private endpoint IP configurations. | ### Parameter: `ipConfigurations.name` -Required. The name of the resource that is unique within a resource group. +The name of the resource that is unique within a resource group. - Required: Yes - Type: string ### Parameter: `ipConfigurations.properties` -Required. Properties of private endpoint IP configurations. +Properties of private endpoint IP configurations. - Required: Yes - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-ipconfigurationspropertiesgroupid) | Yes | string | Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-ipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-ipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | - -### Parameter: `ipConfigurations.properties.groupId` - -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. - -- Required: Yes -- Type: string - -### Parameter: `ipConfigurations.properties.memberName` - -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. - -- Required: Yes -- Type: string - -### Parameter: `ipConfigurations.properties.privateIPAddress` - -Required. A private ip address obtained from the private endpoint's subnet. - -- Required: Yes -- Type: string - - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -565,26 +567,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -592,110 +603,117 @@ Optional. Specify the name of lock. ### Parameter: `manualPrivateLinkServiceConnections` Manual PrivateLink Service Connections. + - Required: No - Type: array -### Parameter: `name` - -Name of the private endpoint resource to create. -- Required: Yes -- Type: string - ### Parameter: `privateDnsZoneGroupName` The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. + - Required: No - Type: string ### Parameter: `privateDnsZoneResourceIds` The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. + - Required: No - Type: array ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. 
| -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `serviceResourceId` - -Resource ID of the resource that needs to be connected to the network. -- Required: Yes -- Type: string +### Parameter: `roleAssignments.principalType` -### Parameter: `subnetResourceId` +The principal type of the assigned principal ID. -Resource ID of the subnet where the endpoint needs to be created. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags to be applied on all resources/resource groups in this deployment. + - Required: No - Type: object diff --git a/modules/network/private-endpoint/private-dns-zone-group/README.md b/modules/network/private-endpoint/private-dns-zone-group/README.md index d6c0e0b294..bdcb972739 100644 --- a/modules/network/private-endpoint/private-dns-zone-group/README.md +++ b/modules/network/private-endpoint/private-dns-zone-group/README.md @@ -36,9 +36,24 @@ This module deploys a Private Endpoint Private DNS Zone Group. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable/Disable usage telemetry for module. | | [`name`](#parameter-name) | string | The name of the private DNS zone group. | +### Parameter: `privateDNSResourceIds` + +Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. + +- Required: Yes +- Type: array + +### Parameter: `privateEndpointName` + +The name of the parent private endpoint. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable/Disable usage telemetry for module. + - Required: No - Type: bool - Default: `True` 
@@ -46,22 +61,11 @@ Enable/Disable usage telemetry for module. ### Parameter: `name` The name of the private DNS zone group. + - Required: No - Type: string - Default: `'default'` -### Parameter: `privateDNSResourceIds` - -Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones. -- Required: Yes -- Type: array - -### Parameter: `privateEndpointName` - -The name of the parent private endpoint. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 5d295b3fc2..3015544cdf 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -463,9 +463,17 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | | [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | +### Parameter: `name` + +Name of the private link service to create. + +- Required: Yes +- Type: string + ### Parameter: `autoApproval` The auto-approval list of the private link service. + - Required: No - Type: object - Default: `{}` @@ -473,6 +481,7 @@ The auto-approval list of the private link service. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -480,6 +489,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableProxyProtocol` Lets the service provider use tcp proxy v2 to retrieve connection information about the service consumer. Service Provider is responsible for setting up receiver configs to be able to parse the proxy protocol v2 header. + - Required: No - Type: bool - Default: `False` @@ -487,6 +497,7 @@ Lets the service provider use tcp proxy v2 to retrieve connection information ab ### Parameter: `extendedLocation` The extended location of the load balancer. + - Required: No - Type: object - Default: `{}` @@ -494,6 +505,7 @@ The extended location of the load balancer. ### Parameter: `fqdns` The list of Fqdn. + - Required: No - Type: array - Default: `[]` @@ -501,6 +513,7 @@ The list of Fqdn. ### Parameter: `ipConfigurations` An array of private link service IP configurations. + - Required: No - Type: array - Default: `[]` @@ -508,6 +521,7 @@ An array of private link service IP configurations. ### Parameter: `loadBalancerFrontendIpConfigurations` An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. + - Required: No - Type: array - Default: `[]` @@ -515,6 +529,7 @@ An array of references to the load balancer IP configurations. The Private Link ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -522,113 +537,139 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the private link service to create. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. 
The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags to be applied on all resources/resource groups in this deployment. + - Required: No - Type: object ### Parameter: `visibility` Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. + - Required: No - Type: object - Default: `{}` diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index cfe71b8195..758b33d6c9 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md 
@@ -383,117 +383,100 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the IP allocated for the resource needs to come from. | +### Parameter: `name` + +The name of the Public IP Address. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -501,6 +484,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `domainNameLabel` The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system. + - Required: No - Type: string - Default: `''` @@ -508,6 +492,7 @@ The domain name label. The concatenation of the domain name label and the region ### Parameter: `domainNameLabelScope` The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN. + - Required: No - Type: string - Default: `''` @@ -525,6 +510,7 @@ The domain name label scope. If a domain name label and a domain name label scop ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -532,6 +518,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `fqdn` The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone. + - Required: No - Type: string - Default: `''` @@ -539,6 +526,7 @@ The Fully Qualified Domain Name of the A DNS record associated with the public I ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -546,39 +534,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the Public IP Address. -- Required: Yes -- Type: string - ### Parameter: `publicIPAddressVersion` IP address version. + - Required: No - Type: string - Default: `'IPv4'` @@ -593,6 +585,7 @@ IP address version. ### Parameter: `publicIPAllocationMethod` The public IP address allocation method. + - Required: No - Type: string - Default: `'Static'` 
@@ -607,6 +600,7 @@ The public IP address allocation method. ### Parameter: `publicIPPrefixResourceId` Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. + - Required: No - Type: string - Default: `''` @@ -614,6 +608,7 @@ Resource ID of the Public IP Prefix object. This is only needed if you want your ### Parameter: `reverseFqdn` The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN. + - Required: No - Type: string - Default: `''` 
@@ -621,74 +616,96 @@ The reverse FQDN. A user-visible, fully qualified domain name that resolves to t ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` Name of a public IP address SKU. + - Required: No - Type: string - Default: `'Standard'` 
@@ -703,6 +720,7 @@ Name of a public IP address SKU. ### Parameter: `skuTier` Tier of a public IP address SKU. + - Required: No - Type: string - Default: `'Regional'` @@ -717,12 +735,14 @@ Tier of a public IP address SKU. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zones` A list of availability zones denoting the IP allocated for the resource needs to come from. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index 8f34b55130..6d50284c85 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -287,9 +287,24 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Public IP Prefix. + +- Required: Yes +- Type: string + +### Parameter: `prefixLength` + +Length of the Public IP Prefix. + +- Required: Yes +- Type: int + ### Parameter: `customIPPrefix` The customIpPrefix that this prefix is associated with. A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. When a custom IP prefix is in Provisioned, Commissioning, or Commissioned state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range. + - Required: No - Type: object - Default: `{}` @@ -297,6 +312,7 @@ The customIpPrefix that this prefix is associated with. A custom IP address pref ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -304,6 +320,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -311,113 +328,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Public IP Prefix. -- Required: Yes -- Type: string - -### Parameter: `prefixLength` - -Length of the Public IP Prefix. -- Required: Yes -- Type: int - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. 
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index f5c8ab94de..4602a539dd 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md 
@@ -315,9 +315,17 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { | [`routes`](#parameter-routes) | array | An Array of Routes to be established within the hub route table. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name given for the hub route table. + +- Required: Yes +- Type: string + ### Parameter: `disableBgpRoutePropagation` Switch to disable BGP route propagation. + - Required: No - Type: bool - Default: `False` @@ -325,6 +333,7 @@ Switch to disable BGP route propagation. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -332,6 +341,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -339,107 +349,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name given for the hub route table. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. 
This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `routes` An Array of Routes to be established within the hub route table. + - Required: No - Type: array - Default: `[]` @@ -447,6 +482,7 @@ An Array of Routes to be established within the hub route table. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index b8a16af871..e3f68a8e08 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md 
@@ -332,9 +332,17 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 | [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The Service Endpoint Policy name. + +- Required: Yes +- Type: string + ### Parameter: `contextualServiceEndpointPolicies` An Array of contextual service endpoint policy. + - Required: No - Type: array - Default: `[]` @@ -342,6 +350,7 @@ An Array of contextual service endpoint policy. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -349,6 +358,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -356,107 +366,132 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The Service Endpoint Policy name. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serviceAlias` The alias indicating if the policy belongs to a service. + - Required: No - Type: string - Default: `''` @@ -464,6 +499,7 @@ The alias indicating if the policy belongs to a service. ### Parameter: `serviceEndpointPolicyDefinitions` An Array of service endpoint policy definitions. + - Required: No - Type: array - Default: `[]` @@ -471,6 +507,7 @@ An Array of service endpoint policy definitions. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index c7d12328ee..b76f98eb95 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -355,117 +355,107 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 | [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | | [`ttl`](#parameter-ttl) | int | The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. | +### Parameter: `name` + +Name of the Traffic Manager. + +- Required: Yes +- Type: string + +### Parameter: `relativeName` + +The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. 
| +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. 
Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -473,6 +463,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -480,6 +471,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endpoints` The list of endpoints in the Traffic Manager profile. + - Required: No - Type: array - Default: `[]` 
@@ -487,26 +479,35 @@ The list of endpoints in the Traffic Manager profile. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -514,6 +515,7 @@ Optional. Specify the name of lock. ### Parameter: `maxReturn` Maximum number of endpoints to be returned for MultiValue routing type. + - Required: No - Type: int - Default: `1` @@ -521,6 +523,7 @@ Maximum number of endpoints to be returned for MultiValue routing type. ### Parameter: `monitorConfig` The endpoint monitoring settings of the Traffic Manager profile. + - Required: No - Type: object - Default: @@ -532,15 +535,10 @@ The endpoint monitoring settings of the Traffic Manager profile. } ``` -### Parameter: `name` - -Name of the Traffic Manager. -- Required: Yes -- Type: string - ### Parameter: `profileStatus` The status of the Traffic Manager profile. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -552,89 +550,106 @@ The status of the Traffic Manager profile. ] ``` -### Parameter: `relativeName` - -The relative DNS name provided by this Traffic Manager profile. This value is combined with the DNS domain name used by Azure Traffic Manager to form the fully-qualified domain name (FQDN) of the profile. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. 
The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. 
-- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Resource tags. + - Required: No - Type: object ### Parameter: `trafficRoutingMethod` The traffic routing method of the Traffic Manager profile. + - Required: No - Type: string - Default: `'Performance'` @@ -653,6 +668,7 @@ The traffic routing method of the Traffic Manager profile. ### Parameter: `trafficViewEnrollmentStatus` Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. + - Required: No - Type: string - Default: `'Disabled'` @@ -667,6 +683,7 @@ Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manage ### Parameter: `ttl` The DNS Time-To-Live (TTL), in seconds. This informs the local DNS resolvers and DNS clients how long to cache DNS responses provided by this Traffic Manager profile. + - Required: No - Type: int - Default: `60` diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index c4c25d0839..a4c9622826 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md 
@@ -393,12 +393,28 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { ### Parameter: `addressPrefix` Address-prefix for this VirtualHub. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The virtual hub name. + +- Required: Yes +- Type: string + +### Parameter: `virtualWanId` + +Resource ID of the virtual WAN to link to. + - Required: Yes - Type: string ### Parameter: `allowBranchToBranchTraffic` Flag to control transit for VirtualRouter hub. + - Required: No - Type: bool - Default: `True` @@ -406,6 +422,7 @@ Flag to control transit for VirtualRouter hub. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -413,6 +430,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `expressRouteGatewayId` Resource ID of the Express Route Gateway to link to. + - Required: No - Type: string - Default: `''` @@ -420,6 +438,7 @@ Resource ID of the Express Route Gateway to link to. ### Parameter: `hubRouteTables` Route tables to create for the virtual hub. + - Required: No - Type: array - Default: `[]` @@ -427,6 +446,7 @@ Route tables to create for the virtual hub. ### Parameter: `hubVirtualNetworkConnections` Virtual network connections to create for the virtual hub. + - Required: No - Type: array - Default: `[]` @@ -434,6 +454,7 @@ Virtual network connections to create for the virtual hub. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -441,39 +462,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The virtual hub name. -- Required: Yes -- Type: string - ### Parameter: `p2SVpnGatewayId` Resource ID of the Point-to-Site VPN Gateway to link to. + - Required: No - Type: string - Default: `''` @@ -481,6 +506,7 @@ Resource ID of the Point-to-Site VPN Gateway to link to. ### Parameter: `preferredRoutingGateway` The preferred routing gateway types. + - Required: No - Type: string - Default: `''` @@ -497,6 +523,7 @@ The preferred routing gateway types. ### Parameter: `routeTableRoutes` VirtualHub route tables. + - Required: No - Type: array - Default: `[]` @@ -504,6 +531,7 @@ VirtualHub route tables. ### Parameter: `securityPartnerProviderId` ID of the Security Partner Provider to link to. + - Required: No - Type: string - Default: `''` @@ -511,6 +539,7 @@ ID of the Security Partner Provider to link to. ### Parameter: `securityProviderName` The Security Provider name. + - Required: No - Type: string - Default: `''` 
@@ -518,6 +547,7 @@ The Security Provider name. ### Parameter: `sku` The sku of this VirtualHub. + - Required: No - Type: string - Default: `'Standard'` @@ -532,12 +562,14 @@ The sku of this VirtualHub. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `virtualHubRouteTableV2s` List of all virtual hub route table v2s associated with this VirtualHub. + - Required: No - Type: array - Default: `[]` @@ -545,6 +577,7 @@ List of all virtual hub route table v2s associated with this VirtualHub. ### Parameter: `virtualRouterAsn` VirtualRouter ASN. + - Required: No - Type: int - Default: `-1` @@ -552,19 +585,15 @@ VirtualRouter ASN. ### Parameter: `virtualRouterIps` VirtualRouter IPs. + - Required: No - Type: array - Default: `[]` -### Parameter: `virtualWanId` - -Resource ID of the virtual WAN to link to. -- Required: Yes -- Type: string - ### Parameter: `vpnGatewayId` Resource ID of the VPN Gateway to link to. + - Required: No - Type: string - Default: `''` diff --git a/modules/network/virtual-hub/hub-route-table/README.md b/modules/network/virtual-hub/hub-route-table/README.md index 37e065b3e2..d60664ecb0 100644 --- a/modules/network/virtual-hub/hub-route-table/README.md +++ b/modules/network/virtual-hub/hub-route-table/README.md @@ -37,9 +37,24 @@ This module deploys a Virtual Hub Route Table. | [`labels`](#parameter-labels) | array | List of labels associated with this route table. | | [`routes`](#parameter-routes) | array | List of all routes. | +### Parameter: `name` + +The route table name. + +- Required: Yes +- Type: string + +### Parameter: `virtualHubName` + +The name of the parent virtual hub. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -47,29 +62,19 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `labels` List of labels associated with this route table. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The route table name. -- Required: Yes -- Type: string - ### Parameter: `routes` List of all routes. + - Required: No - Type: array - Default: `[]` -### Parameter: `virtualHubName` - -The name of the parent virtual hub. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/README.md b/modules/network/virtual-hub/hub-virtual-network-connection/README.md index f591dc99f6..87b479fa96 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/README.md +++ b/modules/network/virtual-hub/hub-virtual-network-connection/README.md @@ -38,9 +38,31 @@ This module deploys a Virtual Hub Virtual Network Connection. | [`enableInternetSecurity`](#parameter-enableinternetsecurity) | bool | Enable internet security. | | [`routingConfiguration`](#parameter-routingconfiguration) | object | Routing Configuration indicating the associated and propagated route tables for this connection. | +### Parameter: `name` + +The connection name. + +- Required: Yes +- Type: string + +### Parameter: `remoteVirtualNetworkId` + +Resource ID of the virtual network to link to. + +- Required: Yes +- Type: string + +### Parameter: `virtualHubName` + +The name of the parent virtual hub. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -48,35 +70,19 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableInternetSecurity` Enable internet security. + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The connection name. -- Required: Yes -- Type: string - -### Parameter: `remoteVirtualNetworkId` - -Resource ID of the virtual network to link to. -- Required: Yes -- Type: string - ### Parameter: `routingConfiguration` Routing Configuration indicating the associated and propagated route tables for this connection. + - Required: No - Type: object - Default: `{}` -### Parameter: `virtualHubName` - -The name of the parent virtual hub. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index 7a0a2b9daa..a4ff558ef0 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md 
@@ -670,9 +670,67 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`vpnGatewayGeneration`](#parameter-vpngatewaygeneration) | string | The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. | | [`vpnType`](#parameter-vpntype) | string | Specifies the VPN type. | +### Parameter: `gatewayType` + +Specifies the gateway type. E.g. VPN, ExpressRoute. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'ExpressRoute' + 'Vpn' + ] + ``` + +### Parameter: `name` + +Specifies the Virtual Network Gateway name. + +- Required: Yes +- Type: string + +### Parameter: `skuName` + +The SKU of the Gateway. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Basic' + 'ErGw1AZ' + 'ErGw2AZ' + 'ErGw3AZ' + 'HighPerformance' + 'Standard' + 'UltraPerformance' + 'VpnGw1' + 'VpnGw1AZ' + 'VpnGw2' + 'VpnGw2AZ' + 'VpnGw3' + 'VpnGw3AZ' + 'VpnGw4' + 'VpnGw4AZ' + 'VpnGw5' + 'VpnGw5AZ' + ] + ``` + +### Parameter: `vNetResourceId` + +Virtual Network resource ID. + +- Required: Yes +- Type: string + ### Parameter: `activeActive` Value to specify if the Gateway should be deployed in active-active or active-passive configuration. + - Required: No - Type: bool - Default: `True` @@ -680,6 +738,7 @@ Value to specify if the Gateway should be deployed in active-active or active-pa ### Parameter: `activeGatewayPipName` Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name. + - Required: No - Type: string - Default: `[format('{0}-pip2', parameters('name'))]` 
@@ -687,6 +746,7 @@ Specifies the name of the Public IP used by the Virtual Network Gateway when act ### Parameter: `allowRemoteVnetTraffic` Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. + - Required: No - Type: bool - Default: `False` @@ -694,6 +754,7 @@ Configure this gateway to accept traffic from other Azure Virtual Networks. This ### Parameter: `allowVirtualWanTraffic` Configures this gateway to accept traffic from remote Virtual WAN networks. + - Required: No - Type: bool - Default: `False` @@ -701,6 +762,7 @@ Configures this gateway to accept traffic from remote Virtual WAN networks. ### Parameter: `asn` ASN value. + - Required: No - Type: int - Default: `65815` @@ -708,6 +770,7 @@ ASN value. ### Parameter: `clientRevokedCertThumbprint` Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. + - Required: No - Type: string - Default: `''` @@ -715,6 +778,7 @@ Thumbprint of the revoked certificate. This would revoke VPN client certificates ### Parameter: `clientRootCertData` Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. + - Required: No - Type: string - Default: `''` 
@@ -722,114 +786,90 @@ Client root certificate data used to authenticate VPN clients. Cannot be configu ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -837,6 +877,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableIPSecReplayProtection` disableIPSecReplayProtection flag. Used for VPN Gateways. + - Required: No - Type: bool - Default: `False` @@ -844,6 +885,7 @@ disableIPSecReplayProtection flag. Used for VPN Gateways. ### Parameter: `domainNameLabel` DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. + - Required: No - Type: array - Default: `[]` @@ -851,6 +893,7 @@ DNS name(s) of the Public IP resource(s). If you enabled active-active configura ### Parameter: `enableBgp` Value to specify if BGP is enabled or not. + - Required: No - Type: bool - Default: `True` @@ -858,6 +901,7 @@ Value to specify if BGP is enabled or not. ### Parameter: `enableBgpRouteTranslationForNat` EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. + - Required: No - Type: bool - Default: `False` @@ -865,6 +909,7 @@ EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabl ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -872,6 +917,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableDnsForwarding` Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. + - Required: No - Type: bool - Default: `False` @@ -879,6 +925,7 @@ Whether DNS forwarding is enabled or not and is only supported for Express Route ### Parameter: `enablePrivateIpAddress` Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. + - Required: No - Type: bool - Default: `False` @@ -886,6 +933,7 @@ Whether private IP needs to be enabled on this gateway for connections or not. U ### Parameter: `gatewayDefaultSiteLocalNetworkGatewayId` The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. + - Required: No - Type: string - Default: `''` @@ -893,26 +941,15 @@ The reference to the LocalNetworkGateway resource which represents local network ### Parameter: `gatewayPipName` Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. + - Required: No - Type: string - Default: `[format('{0}-pip1', parameters('name'))]` -### Parameter: `gatewayType` - -Specifies the gateway type. E.g. VPN, ExpressRoute. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'ExpressRoute' - 'Vpn' - ] - ``` - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -920,39 +957,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Specifies the Virtual Network Gateway name. -- Required: Yes -- Type: string - ### Parameter: `natRules` NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. + - Required: No - Type: array - Default: `[]` 
@@ -960,114 +1001,90 @@ NatRules for virtual network gateway. NAT is supported on the the following SKUs ### Parameter: `publicIpDiagnosticSettings` The diagnostic settings of the Public IP. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-publicipdiagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-publicipdiagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-publicipdiagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-publicipdiagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-publicipdiagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-publicipdiagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-publicipdiagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-publicipdiagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-publicipdiagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-publicipdiagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `publicIpDiagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `publicIpDiagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `publicIpDiagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-publicipdiagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. 
- -- Required: No -- Type: string - -### Parameter: `publicIpDiagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `publicIpDiagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `publicIpDiagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-publicipdiagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `publicIpDiagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `publicIpDiagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `publicIpDiagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `publicIpDiagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1075,6 +1092,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `publicIPPrefixResourceId` Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. + - Required: No - Type: string - Default: `''` @@ -1082,6 +1100,7 @@ Resource ID of the Public IP Prefix object. This is only needed if you want your ### Parameter: `publicIpZones` Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. + - Required: No - Type: array - Default: `[]` 
@@ -1089,114 +1108,103 @@ Specifies the zones of the Public IP address. Basic IP SKU does not support Avai ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `skuName` +### Parameter: `roleAssignments.principalType` -The SKU of the Gateway. -- Required: Yes +The principal type of the assigned principal ID. 
+ +- Required: No - Type: string - Allowed: ```Bicep [ - 'Basic' - 'ErGw1AZ' - 'ErGw2AZ' - 'ErGw3AZ' - 'HighPerformance' - 'Standard' - 'UltraPerformance' - 'VpnGw1' - 'VpnGw1AZ' - 'VpnGw2' - 'VpnGw2AZ' - 'VpnGw3' - 'VpnGw3AZ' - 'VpnGw4' - 'VpnGw4AZ' - 'VpnGw5' - 'VpnGw5AZ' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' ] ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `vNetResourceId` - -Virtual Network resource ID. -- Required: Yes -- Type: string - ### Parameter: `vpnClientAadConfiguration` Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. + - Required: No - Type: object - Default: `{}` @@ -1204,6 +1212,7 @@ Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured i ### Parameter: `vpnClientAddressPoolPrefix` The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. + - Required: No - Type: string - Default: `''` @@ -1211,6 +1220,7 @@ The IP address range from which VPN clients will receive an IP address when conn ### Parameter: `vpnGatewayGeneration` The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGatewayType is not VPN. + - Required: No - Type: string - Default: `'None'` @@ -1226,6 +1236,7 @@ The generation for this VirtualNetworkGateway. Must be None if virtualNetworkGat ### Parameter: `vpnType` Specifies the VPN type. + - Required: No - Type: string - Default: `'RouteBased'` diff --git a/modules/network/virtual-network-gateway/nat-rule/README.md b/modules/network/virtual-network-gateway/nat-rule/README.md index 854cb64616..000683efbc 100644 --- a/modules/network/virtual-network-gateway/nat-rule/README.md +++ b/modules/network/virtual-network-gateway/nat-rule/README.md 
@@ -40,9 +40,24 @@ This module deploys a Virtual Network Gateway NAT Rule. | [`mode`](#parameter-mode) | string | The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. | | [`type`](#parameter-type) | string | The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | +### Parameter: `name` + +The name of the NAT rule. + +- Required: Yes +- Type: string + +### Parameter: `virtualNetworkGatewayName` + +The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,6 +65,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `externalMappings` An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. + - Required: No - Type: array - Default: `[]` @@ -57,6 +73,7 @@ An address prefix range of destination IPs on the outside network that source IP ### Parameter: `internalMappings` An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. + - Required: No - Type: array - Default: `[]` 
@@ -64,6 +81,7 @@ An address prefix range of source IPs on the inside network that will be mapped ### Parameter: `ipConfigurationId` A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. + - Required: No - Type: string - Default: `''` @@ -71,6 +89,7 @@ A NAT rule must be configured to a specific Virtual Network Gateway instance. Th ### Parameter: `mode` The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. + - Required: No - Type: string - Default: `''` @@ -83,15 +102,10 @@ The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as In ] ``` -### Parameter: `name` - -The name of the NAT rule. -- Required: Yes -- Type: string - ### Parameter: `type` The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. + - Required: No - Type: string - Default: `''` @@ -104,12 +118,6 @@ The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes ] ``` -### Parameter: `virtualNetworkGatewayName` - -The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 33dd1bb7cd..a4740e6bd8 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md 
@@ -693,12 +693,21 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { ### Parameter: `addressPrefixes` An Array of 1 or more IP Address Prefixes for the Virtual Network. + - Required: Yes - Type: array +### Parameter: `name` + +The Virtual Network (vNet) Name. + +- Required: Yes +- Type: string + ### Parameter: `ddosProtectionPlanId` Resource ID of the DDoS protection plan to assign the VNET to. If it's left blank, DDoS protection will not be configured. If it's provided, the VNET created by this template will be attached to the referenced DDoS protection plan. The DDoS protection plan can exist in the same or in a different subscription. + - Required: No - Type: string - Default: `''` 
@@ -706,114 +715,90 @@ Resource ID of the DDoS protection plan to assign the VNET to. If it's left blan ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -821,6 +806,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `dnsServers` DNS Servers associated to the Virtual Network. + - Required: No - Type: array - Default: `[]` @@ -828,6 +814,7 @@ DNS Servers associated to the Virtual Network. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -835,6 +822,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `flowTimeoutInMinutes` The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null. + - Required: No - Type: int - Default: `0` @@ -842,6 +830,7 @@ The flow timeout in minutes for the Virtual Network, which is used to enable con ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -849,39 +838,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The Virtual Network (vNet) Name. -- Required: Yes -- Type: string - ### Parameter: `peerings` Virtual Network Peerings configurations. + - Required: No - Type: array - Default: `[]` 
@@ -889,74 +882,96 @@ Virtual Network Peerings configurations. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `subnets` An Array of subnets to deploy to the Virtual Network. + - Required: No - Type: array - Default: `[]` @@ -964,12 +979,14 @@ An Array of subnets to deploy to the Virtual Network. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `vnetEncryption` Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. + - Required: No - Type: bool - Default: `False` @@ -977,6 +994,7 @@ Indicates if encryption is enabled on virtual network and if VM without encrypti ### Parameter: `vnetEncryptionEnforcement` If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled. + - Required: No - Type: string - Default: `'AllowUnencrypted'` diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index fbe94623e8..dc3d90591a 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -53,12 +53,21 @@ This module deploys a Virtual Network Subnet. ### Parameter: `addressPrefix` The address prefix for the subnet. + +- Required: Yes +- Type: string + +### Parameter: `virtualNetworkName` + +The name of the parent virtual network. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `addressPrefixes` List of address prefixes for the subnet. + - Required: No - Type: array - Default: `[]` 
@@ -66,6 +75,7 @@ List of address prefixes for the subnet. ### Parameter: `applicationGatewayIPConfigurations` Application gateway IP configurations of virtual network resource. + - Required: No - Type: array - Default: `[]` @@ -73,6 +83,7 @@ Application gateway IP configurations of virtual network resource. ### Parameter: `delegations` The delegations to enable on the subnet. + - Required: No - Type: array - Default: `[]` @@ -80,6 +91,7 @@ The delegations to enable on the subnet. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -87,6 +99,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipAllocations` Array of IpAllocation which reference this subnet. + - Required: No - Type: array - Default: `[]` @@ -94,12 +107,14 @@ Array of IpAllocation which reference this subnet. ### Parameter: `name` The Name of the subnet resource. + - Required: Yes - Type: string ### Parameter: `natGatewayId` The resource ID of the NAT Gateway to use for the subnet. + - Required: No - Type: string - Default: `''` @@ -107,6 +122,7 @@ The resource ID of the NAT Gateway to use for the subnet. ### Parameter: `networkSecurityGroupId` The resource ID of the network security group to assign to the subnet. + - Required: No - Type: string - Default: `''` @@ -114,6 +130,7 @@ The resource ID of the network security group to assign to the subnet. ### Parameter: `privateEndpointNetworkPolicies` enable or disable apply network policies on private endpoint in the subnet. + - Required: No - Type: string - Default: `''` @@ -129,6 +146,7 @@ enable or disable apply network policies on private endpoint in the subnet. ### Parameter: `privateLinkServiceNetworkPolicies` enable or disable apply network policies on private link service in the subnet. + - Required: No - Type: string - Default: `''` 
@@ -144,74 +162,96 @@ enable or disable apply network policies on private link service in the subnet. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `routeTableId` The resource ID of the route table to assign to the subnet. + - Required: No - Type: string - Default: `''` @@ -219,6 +259,7 @@ The resource ID of the route table to assign to the subnet. ### Parameter: `serviceEndpointPolicies` An array of service endpoint policies. + - Required: No - Type: array - Default: `[]` @@ -226,16 +267,11 @@ An array of service endpoint policies. ### Parameter: `serviceEndpoints` The service endpoints to enable on the subnet. + - Required: No - Type: array - Default: `[]` -### Parameter: `virtualNetworkName` - -The name of the parent virtual network. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/virtual-network/virtual-network-peering/README.md b/modules/network/virtual-network/virtual-network-peering/README.md index fb53ca2d3f..6b9779648d 100644 --- a/modules/network/virtual-network/virtual-network-peering/README.md +++ b/modules/network/virtual-network/virtual-network-peering/README.md 
@@ -41,9 +41,24 @@ This module deploys a Virtual Network Peering. | [`name`](#parameter-name) | string | The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. | | [`useRemoteGateways`](#parameter-useremotegateways) | bool | If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. | +### Parameter: `remoteVirtualNetworkId` + +The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. + +- Required: Yes +- Type: string + +### Parameter: `localVnetName` + +The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `allowForwardedTraffic` Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. + - Required: No - Type: bool - Default: `True` @@ -51,6 +66,7 @@ Whether the forwarded traffic from the VMs in the local virtual network will be ### Parameter: `allowGatewayTransit` If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. + - Required: No - Type: bool - Default: `False` @@ -58,6 +74,7 @@ If gateway links can be used in remote virtual networking to link to this virtua ### Parameter: `allowVirtualNetworkAccess` Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. + - Required: No - Type: bool - Default: `True` 
@@ -65,6 +82,7 @@ Whether the VMs in the local virtual network space would be able to access the V ### Parameter: `doNotVerifyRemoteGateways` If we need to verify the provisioning state of the remote gateway. Default is true. + - Required: No - Type: bool - Default: `True` @@ -72,32 +90,23 @@ If we need to verify the provisioning state of the remote gateway. Default is tr ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `localVnetName` - -The name of the parent Virtual Network to add the peering to. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `name` The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName. + - Required: No - Type: string - Default: `[format('{0}-{1}', parameters('localVnetName'), last(split(parameters('remoteVirtualNetworkId'), '/')))]` -### Parameter: `remoteVirtualNetworkId` - -The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. -- Required: Yes -- Type: string - ### Parameter: `useRemoteGateways` If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false. + - Required: No - Type: bool - Default: `False` diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 2cb16b518d..9dee8a1d23 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md 
@@ -309,9 +309,17 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`type`](#parameter-type) | string | The type of the Virtual WAN. | +### Parameter: `name` + +Name of the Virtual WAN. + +- Required: Yes +- Type: string + ### Parameter: `allowBranchToBranchTraffic` True if branch to branch traffic is allowed. + - Required: No - Type: bool - Default: `False` @@ -319,6 +327,7 @@ True if branch to branch traffic is allowed. ### Parameter: `allowVnetToVnetTraffic` True if VNET to VNET traffic is allowed. + - Required: No - Type: bool - Default: `False` @@ -326,6 +335,7 @@ True if VNET to VNET traffic is allowed. ### Parameter: `disableVpnEncryption` VPN encryption to be disabled or not. + - Required: No - Type: bool - Default: `False` @@ -333,6 +343,7 @@ VPN encryption to be disabled or not. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -340,6 +351,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location where all resources will be created. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -347,113 +359,139 @@ Location where all resources will be created. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Virtual WAN. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. 
The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `type` The type of the Virtual WAN. + - Required: No - Type: string - Default: `'Standard'` diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index ae23f37365..90986c4cc0 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md 
@@ -409,9 +409,24 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { | [`vpnConnections`](#parameter-vpnconnections) | array | The VPN connections to create in the VPN gateway. | | [`vpnGatewayScaleUnit`](#parameter-vpngatewayscaleunit) | int | The scale unit for this VPN gateway. | +### Parameter: `name` + +Name of the VPN gateway. + +- Required: Yes +- Type: string + +### Parameter: `virtualHubResourceId` + +The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. + +- Required: Yes +- Type: string + ### Parameter: `bgpSettings` BGP settings details. + - Required: No - Type: object - Default: `{}` @@ -419,6 +434,7 @@ BGP settings details. ### Parameter: `enableBgpRouteTranslationForNat` Enable BGP routes translation for NAT on this VPN gateway. + - Required: No - Type: bool - Default: `False` @@ -426,6 +442,7 @@ Enable BGP routes translation for NAT on this VPN gateway. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -433,6 +450,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `isRoutingPreferenceInternet` Enable routing preference property for the public IP interface of the VPN gateway. + - Required: No - Type: bool - Default: `False` @@ -440,6 +458,7 @@ Enable routing preference property for the public IP interface of the VPN gatewa ### Parameter: `location` Location where all resources will be created. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -447,39 +466,43 @@ Location where all resources will be created. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the VPN gateway. -- Required: Yes -- Type: string - ### Parameter: `natRules` List of all the NAT Rules to associate with the gateway. + - Required: No - Type: array - Default: `[]` @@ -487,18 +510,14 @@ List of all the NAT Rules to associate with the gateway. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object -### Parameter: `virtualHubResourceId` - -The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. -- Required: Yes -- Type: string - ### Parameter: `vpnConnections` The VPN connections to create in the VPN gateway. + - Required: No - Type: array - Default: `[]` @@ -506,6 +525,7 @@ The VPN connections to create in the VPN gateway. ### Parameter: `vpnGatewayScaleUnit` The scale unit for this VPN gateway. + - Required: No - Type: int - Default: `2` 
diff --git a/modules/network/vpn-gateway/nat-rule/README.md b/modules/network/vpn-gateway/nat-rule/README.md index a14fb65749..f53cf33f2f 100644 --- a/modules/network/vpn-gateway/nat-rule/README.md +++ b/modules/network/vpn-gateway/nat-rule/README.md @@ -40,9 +40,24 @@ This module deploys a VPN Gateway NAT Rule. | [`mode`](#parameter-mode) | string | The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. | | [`type`](#parameter-type) | string | The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | +### Parameter: `name` + +The name of the NAT rule. + +- Required: Yes +- Type: string + +### Parameter: `vpnGatewayName` + +The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,6 +65,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `externalMappings` An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. + - Required: No - Type: array - Default: `[]` @@ -57,6 +73,7 @@ An address prefix range of destination IPs on the outside network that source IP ### Parameter: `internalMappings` An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. + - Required: No - Type: array - Default: `[]` 
@@ -64,6 +81,7 @@ An address prefix range of source IPs on the inside network that will be mapped ### Parameter: `ipConfigurationId` A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. + - Required: No - Type: string - Default: `''` @@ -71,6 +89,7 @@ A NAT rule must be configured to a specific VPN Gateway instance. This is applic ### Parameter: `mode` The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. + - Required: No - Type: string - Default: `''` @@ -83,15 +102,10 @@ The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source ] ``` -### Parameter: `name` - -The name of the NAT rule. -- Required: Yes -- Type: string - ### Parameter: `type` The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. + - Required: No - Type: string - Default: `''` @@ -104,12 +118,6 @@ The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one ] ``` -### Parameter: `vpnGatewayName` - -The name of the parent VPN gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/network/vpn-gateway/vpn-connection/README.md b/modules/network/vpn-gateway/vpn-connection/README.md index d533488822..5b7275f37e 100644 --- a/modules/network/vpn-gateway/vpn-connection/README.md +++ b/modules/network/vpn-gateway/vpn-connection/README.md 
@@ -50,9 +50,24 @@ This module deploys a VPN Gateway VPN Connection. | [`vpnConnectionProtocolType`](#parameter-vpnconnectionprotocoltype) | string | Gateway connection protocol. | | [`vpnLinkConnections`](#parameter-vpnlinkconnections) | array | List of all VPN site link connections to the gateway. | +### Parameter: `name` + +The name of the VPN connection. + +- Required: Yes +- Type: string + +### Parameter: `vpnGatewayName` + +The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `connectionBandwidth` Expected bandwidth in MBPS. + - Required: No - Type: int - Default: `10` @@ -60,6 +75,7 @@ Expected bandwidth in MBPS. ### Parameter: `enableBgp` Enable BGP flag. + - Required: No - Type: bool - Default: `False` @@ -67,6 +83,7 @@ Enable BGP flag. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -74,6 +91,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableInternetSecurity` Enable internet security. + - Required: No - Type: bool - Default: `False` @@ -81,6 +99,7 @@ Enable internet security. ### Parameter: `enableRateLimiting` Enable rate limiting. + - Required: No - Type: bool - Default: `False` @@ -88,19 +107,15 @@ Enable rate limiting. ### Parameter: `ipsecPolicies` The IPSec policies to be considered by this connection. + - Required: No - Type: array - Default: `[]` -### Parameter: `name` - -The name of the VPN connection. -- Required: Yes -- Type: string - ### Parameter: `remoteVpnSiteResourceId` Reference to a VPN site to link to. + - Required: No - Type: string - Default: `''` 
@@ -108,6 +123,7 @@ Reference to a VPN site to link to. ### Parameter: `routingConfiguration` Routing configuration indicating the associated and propagated route tables for this connection. + - Required: No - Type: object - Default: `{}` @@ -115,6 +131,7 @@ Routing configuration indicating the associated and propagated route tables for ### Parameter: `routingWeight` Routing weight for VPN connection. + - Required: No - Type: int - Default: `0` @@ -122,6 +139,7 @@ Routing weight for VPN connection. ### Parameter: `sharedKey` SharedKey for the VPN connection. + - Required: No - Type: securestring - Default: `''` @@ -129,6 +147,7 @@ SharedKey for the VPN connection. ### Parameter: `trafficSelectorPolicies` The traffic selector policies to be considered by this connection. + - Required: No - Type: array - Default: `[]` @@ -136,6 +155,7 @@ The traffic selector policies to be considered by this connection. ### Parameter: `useLocalAzureIpAddress` Use local Azure IP to initiate connection. + - Required: No - Type: bool - Default: `False` @@ -143,6 +163,7 @@ Use local Azure IP to initiate connection. ### Parameter: `usePolicyBasedTrafficSelectors` Enable policy-based traffic selectors. + - Required: No - Type: bool - Default: `False` @@ -150,6 +171,7 @@ Enable policy-based traffic selectors. ### Parameter: `vpnConnectionProtocolType` Gateway connection protocol. + - Required: No - Type: string - Default: `'IKEv2'` @@ -161,15 +183,10 @@ Gateway connection protocol. ] ``` -### Parameter: `vpnGatewayName` - -The name of the parent VPN gateway this VPN connection is associated with. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `vpnLinkConnections` List of all VPN site link connections to the gateway. + - Required: No - Type: array - Default: `[]` diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index d905533985..bc0947729e 100644 --- a/modules/network/vpn-site/README.md 
+++ b/modules/network/vpn-site/README.md @@ -483,9 +483,24 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnSiteLinks`](#parameter-vpnsitelinks) | array | List of all VPN site links. | +### Parameter: `name` + +Name of the VPN Site. + +- Required: Yes +- Type: string + +### Parameter: `virtualWanId` + +Resource ID of the virtual WAN to link to. + +- Required: Yes +- Type: string + ### Parameter: `addressPrefixes` An array of IP address ranges that can be used by subnets of the virtual network. Required if no bgpProperties or VPNSiteLinks are configured. + - Required: No - Type: array - Default: `[]` @@ -493,6 +508,7 @@ An array of IP address ranges that can be used by subnets of the virtual network ### Parameter: `bgpProperties` BGP settings details. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. Required if no addressPrefixes or VPNSiteLinks are configured. + - Required: No - Type: object - Default: `{}` @@ -500,6 +516,7 @@ BGP settings details. Note: This is a deprecated property, please use the corres ### Parameter: `deviceProperties` List of properties of the device. + - Required: No - Type: object - Default: `{}` @@ -507,6 +524,7 @@ List of properties of the device. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -514,6 +532,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipAddress` The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. + - Required: No - Type: string - Default: `''` @@ -521,6 +540,7 @@ The IP-address for the VPN-site. Note: This is a deprecated property, please use ### Parameter: `isSecuritySite` IsSecuritySite flag. + - Required: No - Type: bool - Default: `False` 
@@ -528,6 +548,7 @@ IsSecuritySite flag. ### Parameter: `location` Location where all resources will be created. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -535,39 +556,43 @@ Location where all resources will be created. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the VPN Site. -- Required: Yes -- Type: string - ### Parameter: `o365Policy` The Office365 breakout policy. + - Required: No - Type: object - Default: `{}` 
@@ -575,86 +600,103 @@ The Office365 breakout policy. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+ - Required: No - Type: object -### Parameter: `virtualWanId` - -Resource ID of the virtual WAN to link to. -- Required: Yes -- Type: string - ### Parameter: `vpnSiteLinks` List of all VPN site links. + - Required: No - Type: array - Default: `[]` diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index cced023771..817891fcc3 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -1501,9 +1501,25 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`useResourcePermissions`](#parameter-useresourcepermissions) | bool | Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | +### Parameter: `name` + +Name of the Log Analytics workspace. + +- Required: Yes +- Type: string + +### Parameter: `linkedStorageAccounts` + +List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. + +- Required: No +- Type: array +- Default: `[]` + ### Parameter: `dailyQuotaGb` The workspace daily quota for ingestion. + - Required: No - Type: int - Default: `-1` @@ -1511,6 +1527,7 @@ The workspace daily quota for ingestion. ### Parameter: `dataExports` LAW data export instances to be deployed. + - Required: No - Type: array - Default: `[]` @@ -1518,6 +1535,7 @@ LAW data export instances to be deployed. ### Parameter: `dataRetention` Number of days data will be retained for. + - Required: No - Type: int - Default: `365` @@ -1525,6 +1543,7 @@ Number of days data will be retained for. ### Parameter: `dataSources` LAW data sources to configure. + - Required: No - Type: array - Default: `[]` 
@@ -1532,114 +1551,90 @@ LAW data sources to configure. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1647,6 +1642,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1654,6 +1650,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `forceCmkForQuery` Indicates whether customer managed storage is mandatory for query management. + - Required: No - Type: bool - Default: `True` @@ -1661,6 +1658,7 @@ Indicates whether customer managed storage is mandatory for query management. ### Parameter: `gallerySolutions` List of gallerySolutions to be created in the log analytics workspace. + - Required: No - Type: array - Default: `[]` @@ -1668,13 +1666,7 @@ List of gallerySolutions to be created in the log analytics workspace. ### Parameter: `linkedServices` List of services to be linked. -- Required: No -- Type: array -- Default: `[]` - -### Parameter: `linkedStorageAccounts` -List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to 'true' and 'savedSearches' is not empty. - Required: No - Type: array - Default: `[]` @@ -1682,6 +1674,7 @@ List of Storage Accounts to be linked. Required if 'forceCmkForQuery' is set to ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1689,26 +1682,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1716,38 +1718,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the Log Analytics workspace. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccessForIngestion` The network access type for accessing Log Analytics ingestion. + - Required: No - Type: string - Default: `'Enabled'` @@ -1762,6 +1761,7 @@ The network access type for accessing Log Analytics ingestion. ### Parameter: `publicNetworkAccessForQuery` The network access type for accessing Log Analytics query. + - Required: No - Type: string - Default: `'Enabled'` 
@@ -1776,74 +1776,96 @@ The network access type for accessing Log Analytics query. ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `savedSearches` Kusto Query Language searches to save. + - Required: No - Type: array - Default: `[]` 
@@ -1851,6 +1873,7 @@ Kusto Query Language searches to save. ### Parameter: `skuCapacityReservationLevel` The capacity reservation level in GB for this workspace, when CapacityReservation sku is selected. Must be in increments of 100 between 100 and 5000. + - Required: No - Type: int - Default: `100` @@ -1858,6 +1881,7 @@ The capacity reservation level in GB for this workspace, when CapacityReservatio ### Parameter: `skuName` The name of the SKU. + - Required: No - Type: string - Default: `'PerGB2018'` @@ -1878,6 +1902,7 @@ The name of the SKU. ### Parameter: `storageInsightsConfigs` List of storage accounts to be read by the workspace. + - Required: No - Type: array - Default: `[]` @@ -1885,6 +1910,7 @@ List of storage accounts to be read by the workspace. ### Parameter: `tables` LAW custom tables to be deployed. + - Required: No - Type: array - Default: `[]` @@ -1892,12 +1918,14 @@ LAW custom tables to be deployed. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `useResourcePermissions` Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. + - Required: No - Type: bool - Default: `False` diff --git a/modules/operational-insights/workspace/data-export/README.md b/modules/operational-insights/workspace/data-export/README.md index 71d77ffb7f..1e9ab320e3 100644 --- a/modules/operational-insights/workspace/data-export/README.md +++ b/modules/operational-insights/workspace/data-export/README.md 
@@ -38,9 +38,24 @@ This module deploys a Log Analytics Workspace Data Export. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`tableNames`](#parameter-tablenames) | array | An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. | +### Parameter: `name` + +The data export rule name. + +- Required: Yes +- Type: string + +### Parameter: `workspaceName` + +The name of the parent workspaces. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `destination` Destination properties. + - Required: No - Type: object - Default: `{}` @@ -48,6 +63,7 @@ Destination properties. ### Parameter: `enable` Active when enabled. + - Required: No - Type: bool - Default: `False` @@ -55,29 +71,19 @@ Active when enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The data export rule name. -- Required: Yes -- Type: string - ### Parameter: `tableNames` An array of tables to export, for example: ['Heartbeat', 'SecurityEvent']. + - Required: No - Type: array - Default: `[]` -### Parameter: `workspaceName` - -The name of the parent workspaces. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/operational-insights/workspace/data-source/README.md b/modules/operational-insights/workspace/data-source/README.md index 99c4331190..c06337774d 100644 --- a/modules/operational-insights/workspace/data-source/README.md +++ b/modules/operational-insights/workspace/data-source/README.md 
@@ -48,9 +48,45 @@ This module deploys a Log Analytics Workspace Data Source. | [`syslogSeverities`](#parameter-syslogseverities) | array | Severities to configure when kind is LinuxSyslog. | | [`tags`](#parameter-tags) | object | Tags to configure in the resource. | +### Parameter: `kind` + +The kind of the DataSource. + +- Required: No +- Type: string +- Default: `'AzureActivityLog'` +- Allowed: + ```Bicep + [ + 'AzureActivityLog' + 'IISLogs' + 'LinuxPerformanceCollection' + 'LinuxPerformanceObject' + 'LinuxSyslog' + 'LinuxSyslogCollection' + 'WindowsEvent' + 'WindowsPerformanceCounter' + ] + ``` + +### Parameter: `name` + +Name of the solution. + +- Required: Yes +- Type: string + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `counterName` Counter name to configure when kind is WindowsPerformanceCounter. + - Required: No - Type: string - Default: `''` @@ -58,6 +94,7 @@ Counter name to configure when kind is WindowsPerformanceCounter. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -65,6 +102,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventLogName` Windows event log name to configure when kind is WindowsEvent. + - Required: No - Type: string - Default: `''` @@ -72,6 +110,7 @@ Windows event log name to configure when kind is WindowsEvent. ### Parameter: `eventTypes` Windows event types to configure when kind is WindowsEvent. + - Required: No - Type: array - Default: `[]` @@ -79,6 +118,7 @@ Windows event types to configure when kind is WindowsEvent. ### Parameter: `instanceName` Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. + - Required: No - Type: string - Default: `'*'` 
@@ -86,52 +126,23 @@ Name of the instance to configure when kind is WindowsPerformanceCounter or Linu ### Parameter: `intervalSeconds` Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. + - Required: No - Type: int - Default: `60` -### Parameter: `kind` - -The kind of the DataSource. -- Required: No -- Type: string -- Default: `'AzureActivityLog'` -- Allowed: - ```Bicep - [ - 'AzureActivityLog' - 'IISLogs' - 'LinuxPerformanceCollection' - 'LinuxPerformanceObject' - 'LinuxSyslog' - 'LinuxSyslogCollection' - 'WindowsEvent' - 'WindowsPerformanceCounter' - ] - ``` - ### Parameter: `linkedResourceId` Resource ID of the resource to be linked. + - Required: No - Type: string - Default: `''` -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the solution. -- Required: Yes -- Type: string - ### Parameter: `objectName` Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. + - Required: No - Type: string - Default: `''` @@ -139,6 +150,7 @@ Name of the object to configure when kind is WindowsPerformanceCounter or LinuxP ### Parameter: `performanceCounters` List of counters to configure when the kind is LinuxPerformanceObject. + - Required: No - Type: array - Default: `[]` @@ -146,6 +158,7 @@ List of counters to configure when the kind is LinuxPerformanceObject. ### Parameter: `state` State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerformanceCollection. + - Required: No - Type: string - Default: `''` @@ -153,6 +166,7 @@ State to configure when kind is IISLogs or LinuxSyslogCollection or LinuxPerform ### Parameter: `syslogName` System log to configure when kind is LinuxSyslog. + - Required: No - Type: string - Default: `''` 
@@ -160,6 +174,7 @@ System log to configure when kind is LinuxSyslog. ### Parameter: `syslogSeverities` Severities to configure when kind is LinuxSyslog. + - Required: No - Type: array - Default: `[]` @@ -167,6 +182,7 @@ Severities to configure when kind is LinuxSyslog. ### Parameter: `tags` Tags to configure in the resource. + - Required: No - Type: object diff --git a/modules/operational-insights/workspace/linked-service/README.md b/modules/operational-insights/workspace/linked-service/README.md index c30872ecce..e9eef72244 100644 --- a/modules/operational-insights/workspace/linked-service/README.md +++ b/modules/operational-insights/workspace/linked-service/README.md 
@@ -38,41 +38,47 @@ This module deploys a Log Analytics Workspace Linked Service. | [`tags`](#parameter-tags) | object | Tags to configure in the resource. | | [`writeAccessResourceId`](#parameter-writeaccessresourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `name` Name of the link. + - Required: Yes - Type: string ### Parameter: `resourceId` The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. + - Required: No - Type: string - Default: `''` +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `tags` Tags to configure in the resource. + - Required: No - Type: object ### Parameter: `writeAccessResourceId` The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. + - Required: No - Type: string - Default: `''` diff --git a/modules/operational-insights/workspace/linked-storage-account/README.md b/modules/operational-insights/workspace/linked-storage-account/README.md index 97a318c405..983a98fe21 100644 --- a/modules/operational-insights/workspace/linked-storage-account/README.md 
+++ b/modules/operational-insights/workspace/linked-storage-account/README.md @@ -36,22 +36,10 @@ This module deploys a Log Analytics Workspace Linked Storage Account. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `name` Name of the link. + - Required: Yes - Type: string - Allowed: @@ -67,9 +55,25 @@ Name of the link. ### Parameter: `resourceId` The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. + - Required: Yes - Type: string +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/operational-insights/workspace/saved-search/README.md b/modules/operational-insights/workspace/saved-search/README.md index 6d8fabc766..848c79064d 100644 --- a/modules/operational-insights/workspace/saved-search/README.md +++ b/modules/operational-insights/workspace/saved-search/README.md 
@@ -46,18 +46,42 @@ This module deploys a Log Analytics Workspace Saved Search. ### Parameter: `category` Query category. + - Required: Yes - Type: string ### Parameter: `displayName` Display name for the search. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the saved search. + +- Required: Yes +- Type: string + +### Parameter: `query` + +Kusto Query to be stored. + +- Required: Yes +- Type: string + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -65,6 +89,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `etag` The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag. + - Required: No - Type: string - Default: `'*'` @@ -72,6 +97,7 @@ The ETag of the saved search. To override an existing saved search, use "*" or s ### Parameter: `functionAlias` The function alias if query serves as a function. + - Required: No - Type: string - Default: `''` 
@@ -79,31 +105,15 @@ The function alias if query serves as a function. ### Parameter: `functionParameters` The optional function parameters if query serves as a function. Value should be in the following format: "param-name1:type1 = default_value1, param-name2:type2 = default_value2". For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. + - Required: No - Type: string - Default: `''` -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the saved search. -- Required: Yes -- Type: string - -### Parameter: `query` - -Kusto Query to be stored. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags to configure in the resource. + - Required: No - Type: array - Default: `[]` @@ -111,6 +121,7 @@ Tags to configure in the resource. ### Parameter: `version` The version number of the query language. + - Required: No - Type: int - Default: `2` diff --git a/modules/operational-insights/workspace/storage-insight-config/README.md b/modules/operational-insights/workspace/storage-insight-config/README.md index 1e589388ee..5f3b984a87 100644 --- a/modules/operational-insights/workspace/storage-insight-config/README.md +++ b/modules/operational-insights/workspace/storage-insight-config/README.md 
@@ -39,9 +39,24 @@ This module deploys a Log Analytics Workspace Storage Insight Config. | [`tables`](#parameter-tables) | array | The names of the Azure tables that the workspace should read. | | [`tags`](#parameter-tags) | object | Tags to configure in the resource. | +### Parameter: `storageAccountResourceId` + +The Azure Resource Manager ID of the storage account resource. + +- Required: Yes +- Type: string + +### Parameter: `logAnalyticsWorkspaceName` + +The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `containers` The names of the blob containers that the workspace should read. + - Required: No - Type: array - Default: `[]` @@ -49,32 +64,23 @@ The names of the blob containers that the workspace should read. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `logAnalyticsWorkspaceName` - -The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `name` The name of the storage insights config. + - Required: No - Type: string - Default: `[format('{0}-stinsconfig', last(split(parameters('storageAccountResourceId'), '/')))]` -### Parameter: `storageAccountResourceId` - -The Azure Resource Manager ID of the storage account resource. -- Required: Yes -- Type: string - ### Parameter: `tables` The names of the Azure tables that the workspace should read. + - Required: No - Type: array - Default: `[]` @@ -82,6 +88,7 @@ The names of the Azure tables that the workspace should read. ### Parameter: `tags` Tags to configure in the resource. + - Required: No - Type: object diff --git a/modules/operational-insights/workspace/table/README.md b/modules/operational-insights/workspace/table/README.md index eb3e62a8d1..5ad6220105 100644 
--- a/modules/operational-insights/workspace/table/README.md +++ b/modules/operational-insights/workspace/table/README.md @@ -41,22 +41,32 @@ This module deploys a Log Analytics Workspace Table. | [`searchResults`](#parameter-searchresults) | object | Parameters of the search job that initiated this table. | | [`totalRetentionInDays`](#parameter-totalretentionindays) | int | The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. | +### Parameter: `name` + +The name of the table. + +- Required: Yes +- Type: string + +### Parameter: `workspaceName` + +The name of the parent workspaces. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the table. -- Required: Yes -- Type: string - ### Parameter: `plan` Instruct the system how to handle and charge the logs ingested to this table. + - Required: No - Type: string - Default: `'Analytics'` @@ -71,6 +81,7 @@ Instruct the system how to handle and charge the logs ingested to this table. ### Parameter: `restoredLogs` Restore parameters. + - Required: No - Type: object - Default: `{}` @@ -78,6 +89,7 @@ Restore parameters. ### Parameter: `retentionInDays` The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. + - Required: No - Type: int - Default: `-1` @@ -85,6 +97,7 @@ The table retention in days, between 4 and 730. Setting this property to -1 will ### Parameter: `schema` Table's schema. + - Required: No - Type: object - Default: `{}` @@ -92,6 +105,7 @@ Table's schema. ### Parameter: `searchResults` Parameters of the search job that initiated this table. + - Required: No - Type: object - Default: `{}` 
@@ -99,16 +113,11 @@ Parameters of the search job that initiated this table. ### Parameter: `totalRetentionInDays` The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention. + - Required: No - Type: int - Default: `-1` -### Parameter: `workspaceName` - -The name of the parent workspaces. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/operations-management/solution/README.md b/modules/operations-management/solution/README.md index 6927388c0e..460d47533d 100644 --- a/modules/operations-management/solution/README.md +++ b/modules/operations-management/solution/README.md @@ -215,9 +215,24 @@ module solution 'br:bicep/modules/operations-management.solution:1.0.0' = { | [`product`](#parameter-product) | string | The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. | | [`publisher`](#parameter-publisher) | string | The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. | +### Parameter: `logAnalyticsWorkspaceName` + +Name of the Log Analytics workspace where the solution will be deployed/enabled. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -225,25 +240,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `logAnalyticsWorkspaceName` - -Name of the Log Analytics workspace where the solution will be deployed/enabled. -- Required: Yes -- Type: string - -### Parameter: `name` - -Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. -- Required: Yes -- Type: string - ### Parameter: `product` The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. + - Required: No - Type: string - Default: `'OMSGallery'` @@ -251,6 +256,7 @@ The product of the deployed solution. For Microsoft published gallery solution i ### Parameter: `publisher` The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. + - Required: No - Type: string - Default: `'Microsoft'` diff --git a/modules/policy-insights/remediation/README.md b/modules/policy-insights/remediation/README.md index c22cb0aede..23000704d6 100644 --- a/modules/policy-insights/remediation/README.md +++ b/modules/policy-insights/remediation/README.md 
@@ -448,9 +448,24 @@ module remediation 'br:bicep/modules/policy-insights.remediation:1.0.0' = { | [`resourceGroupName`](#parameter-resourcegroupname) | string | The target scope for the remediation. The name of the resource group for the policy assignment. | | [`subscriptionId`](#parameter-subscriptionid) | string | The target scope for the remediation. The subscription ID of the subscription for the policy assignment. | +### Parameter: `name` + +Specifies the name of the policy remediation. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -458,6 +473,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `failureThresholdPercentage` The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. + - Required: No - Type: string - Default: `'1'` @@ -465,6 +481,7 @@ The remediation failure threshold settings. A number between 0.0 to 1.0 represen ### Parameter: `filtersLocations` The filters that will be applied to determine which resources to remediate. + - Required: No - Type: array - Default: `[]` @@ -472,6 +489,7 @@ The filters that will be applied to determine which resources to remediate. ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` 
@@ -479,32 +497,23 @@ Location deployment metadata. ### Parameter: `managementGroupId` The target scope for the remediation. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. + - Required: No - Type: string - Default: `[managementGroup().name]` -### Parameter: `name` - -Specifies the name of the policy remediation. -- Required: Yes -- Type: string - ### Parameter: `parallelDeployments` Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. + - Required: No - Type: int - Default: `10` -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that should be remediated. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceId` The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. + - Required: No - Type: string - Default: `''` @@ -512,6 +521,7 @@ The policy definition reference ID of the individual definition that should be r ### Parameter: `resourceCount` Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. + - Required: No - Type: int - Default: `500` @@ -519,6 +529,7 @@ Determines the max number of resources that can be remediated by the remediation ### Parameter: `resourceDiscoveryMode` The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. + - Required: No - Type: string - Default: `'ExistingNonCompliant'` 
@@ -533,6 +544,7 @@ The way resources to remediate are discovered. Defaults to ExistingNonCompliant ### Parameter: `resourceGroupName` The target scope for the remediation. The name of the resource group for the policy assignment. + - Required: No - Type: string - Default: `''` @@ -540,6 +552,7 @@ The target scope for the remediation. The name of the resource group for the pol ### Parameter: `subscriptionId` The target scope for the remediation. The subscription ID of the subscription for the policy assignment. + - Required: No - Type: string - Default: `''` diff --git a/modules/policy-insights/remediation/management-group/README.md b/modules/policy-insights/remediation/management-group/README.md index f93cf15102..a3fe72ecf2 100644 --- a/modules/policy-insights/remediation/management-group/README.md +++ b/modules/policy-insights/remediation/management-group/README.md @@ -37,9 +37,24 @@ This module deploys a Policy Insights Remediation on a Management Group scope. | [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | | [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +### Parameter: `name` + +Specifies the name of the policy remediation. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -47,6 +62,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `failureThresholdPercentage` The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. + - Required: No - Type: string - Default: `'1'` @@ -54,6 +70,7 @@ The remediation failure threshold settings. A number between 0.0 to 1.0 represen ### Parameter: `filtersLocations` The filters that will be applied to determine which resources to remediate. + - Required: No - Type: array - Default: `[]` @@ -61,32 +78,23 @@ The filters that will be applied to determine which resources to remediate. ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` -### Parameter: `name` - -Specifies the name of the policy remediation. -- Required: Yes -- Type: string - ### Parameter: `parallelDeployments` Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. + - Required: No - Type: int - Default: `10` -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that should be remediated. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceId` The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. + - Required: No - Type: string - Default: `''` 
@@ -94,6 +102,7 @@ The policy definition reference ID of the individual definition that should be r ### Parameter: `resourceCount` Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. + - Required: No - Type: int - Default: `500` @@ -101,6 +110,7 @@ Determines the max number of resources that can be remediated by the remediation ### Parameter: `resourceDiscoveryMode` The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. + - Required: No - Type: string - Default: `'ExistingNonCompliant'` diff --git a/modules/policy-insights/remediation/resource-group/README.md b/modules/policy-insights/remediation/resource-group/README.md index 4878811b31..9f60629423 100644 --- a/modules/policy-insights/remediation/resource-group/README.md +++ b/modules/policy-insights/remediation/resource-group/README.md @@ -37,9 +37,24 @@ This module deploys a Policy Insights Remediation on a Resource Group scope. | [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | | [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +### Parameter: `name` + +Specifies the name of the policy remediation. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -47,6 +62,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `failureThresholdPercentage` The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. + - Required: No - Type: string - Default: `'1'` @@ -54,6 +70,7 @@ The remediation failure threshold settings. A number between 0.0 to 1.0 represen ### Parameter: `filtersLocations` The filters that will be applied to determine which resources to remediate. + - Required: No - Type: array - Default: `[]` @@ -61,32 +78,23 @@ The filters that will be applied to determine which resources to remediate. ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Specifies the name of the policy remediation. -- Required: Yes -- Type: string - ### Parameter: `parallelDeployments` Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. + - Required: No - Type: int - Default: `10` -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that should be remediated. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceId` The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. + - Required: No - Type: string - Default: `''` 
@@ -94,6 +102,7 @@ The policy definition reference ID of the individual definition that should be r ### Parameter: `resourceCount` Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. + - Required: No - Type: int - Default: `500` @@ -101,6 +110,7 @@ Determines the max number of resources that can be remediated by the remediation ### Parameter: `resourceDiscoveryMode` The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. + - Required: No - Type: string - Default: `'ExistingNonCompliant'` diff --git a/modules/policy-insights/remediation/subscription/README.md b/modules/policy-insights/remediation/subscription/README.md index b121a0f8d5..6b9a9811c8 100644 --- a/modules/policy-insights/remediation/subscription/README.md +++ b/modules/policy-insights/remediation/subscription/README.md @@ -37,9 +37,24 @@ This module deploys a Policy Insights Remediation on a Subscription scope. | [`resourceCount`](#parameter-resourcecount) | int | Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. | | [`resourceDiscoveryMode`](#parameter-resourcediscoverymode) | string | The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. | +### Parameter: `name` + +Specifies the name of the policy remediation. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +The resource ID of the policy assignment that should be remediated. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -47,6 +62,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `failureThresholdPercentage` The remediation failure threshold settings. A number between 0.0 to 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold. 0 means that the remediation will stop after the first failure. 1 means that the remediation will not stop even if all deployments fail. + - Required: No - Type: string - Default: `'1'` @@ -54,6 +70,7 @@ The remediation failure threshold settings. A number between 0.0 to 1.0 represen ### Parameter: `filtersLocations` The filters that will be applied to determine which resources to remediate. + - Required: No - Type: array - Default: `[]` @@ -61,32 +78,23 @@ The filters that will be applied to determine which resources to remediate. ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` -### Parameter: `name` - -Specifies the name of the policy remediation. -- Required: Yes -- Type: string - ### Parameter: `parallelDeployments` Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. Can be between 1-30. Higher values will cause the remediation to complete more quickly, but increase the risk of throttling. If not provided, the default parallel deployments value is used. + - Required: No - Type: int - Default: `10` -### Parameter: `policyAssignmentId` - -The resource ID of the policy assignment that should be remediated. -- Required: Yes -- Type: string - ### Parameter: `policyDefinitionReferenceId` The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition. + - Required: No - Type: string - Default: `''` 
@@ -94,6 +102,7 @@ The policy definition reference ID of the individual definition that should be r ### Parameter: `resourceCount` Determines the max number of resources that can be remediated by the remediation job. Can be between 1-50000. If not provided, the default resource count is used. + - Required: No - Type: int - Default: `500` @@ -101,6 +110,7 @@ Determines the max number of resources that can be remediated by the remediation ### Parameter: `resourceDiscoveryMode` The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified. + - Required: No - Type: string - Default: `'ExistingNonCompliant'` diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 93a0348544..01010cbef4 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -310,9 +310,31 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { | [`skuTier`](#parameter-skutier) | string | SkuCapacity of the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `members` + +Members of the resource. + +- Required: Yes +- Type: array + +### Parameter: `name` + +Name of the PowerBI Embedded. + +- Required: Yes +- Type: string + +### Parameter: `skuCapacity` + +SkuCapacity of the resource. + +- Required: Yes +- Type: int + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -320,6 +342,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -327,39 +350,43 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `members` - -Members of the resource. -- Required: Yes -- Type: array - ### Parameter: `mode` Mode of the resource. + - Required: No - Type: string - Default: `'Gen2'` 
@@ -371,89 +398,99 @@ Mode of the resource. ] ``` -### Parameter: `name` - -Name of the PowerBI Embedded. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string - -### Parameter: `skuCapacity` - -SkuCapacity of the resource. 
-- Required: Yes -- Type: int +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` SkuCapacity of the resource. + - Required: No - Type: string - Default: `'A1'` @@ -472,6 +509,7 @@ SkuCapacity of the resource. ### Parameter: `skuTier` SkuCapacity of the resource. + - Required: No - Type: string - Default: `'PBIE_Azure'` @@ -487,6 +525,7 @@ SkuCapacity of the resource. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index a77bb25aa2..eb5056c784 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -697,9 +697,17 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Purview Account. + +- Required: Yes +- Type: string + ### Parameter: `accountPrivateEndpoints` Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'account'. + - Required: No - Type: array - Default: `[]` 
@@ -707,114 +715,90 @@ Configuration details for Purview Account private endpoints. For security reason ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -822,6 +806,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -829,6 +814,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventHubPrivateEndpoints` Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. + - Required: No - Type: array - Default: `[]` @@ -836,6 +822,7 @@ Configuration details for Purview Managed Event Hub namespace private endpoints. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -843,26 +830,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -870,17 +866,19 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array 
@@ -888,19 +886,15 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managedResourceGroupName` The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. + - Required: No - Type: string - Default: `[format('managed-rg-{0}', parameters('name'))]` -### Parameter: `name` - -Name of the Purview Account. -- Required: Yes -- Type: string - ### Parameter: `portalPrivateEndpoints` Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. + - Required: No - Type: array - Default: `[]` @@ -908,6 +902,7 @@ Configuration details for Purview Portal private endpoints. For security reasons ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `'NotSpecified'` 
@@ -923,74 +918,96 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `storageBlobPrivateEndpoints` Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. + - Required: No - Type: array - Default: `[]` @@ -998,6 +1015,7 @@ Configuration details for Purview Managed Storage Account blob private endpoints ### Parameter: `storageQueuePrivateEndpoints` Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. + - Required: No - Type: array - Default: `[]` @@ -1005,6 +1023,7 @@ Configuration details for Purview Managed Storage Account queue private endpoint ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 8eb9e2c57d..def4d8dcf7 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -1671,9 +1671,17 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | +### Parameter: `name` + +Name of the Azure Recovery Service Vault. + +- Required: Yes +- Type: string + ### Parameter: `backupConfig` The backup configuration. + - Required: No - Type: object - Default: `{}` @@ -1681,6 +1689,7 @@ The backup configuration. ### Parameter: `backupPolicies` List of all backup policies. + - Required: No - Type: array - Default: `[]` 
@@ -1688,6 +1697,7 @@ List of all backup policies. ### Parameter: `backupStorageConfig` The storage configuration for the Azure Recovery Service Vault. + - Required: No - Type: object - Default: `{}` 
@@ -1695,114 +1705,90 @@ The storage configuration for the Azure Recovery Service Vault. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1810,6 +1796,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1817,6 +1804,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1824,26 +1812,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1851,25 +1848,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array 
@@ -1877,210 +1876,255 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `monitoringSettings` Monitoring Settings of the vault. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -Name of the Azure Recovery Service Vault. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. 
| -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. 
| +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. 
-| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. 
| -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` -Optional. The name of the private endpoint. +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+ +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". 
-- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -2088,6 +2132,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `protectionContainers` List of all protection containers. + - Required: No - Type: array - Default: `[]` @@ -2095,6 +2140,7 @@ List of all protection containers. ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. + - Required: No - Type: string - Default: `'Disabled'` @@ -2109,6 +2155,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `replicationAlertSettings` Replication alert settings. + - Required: No - Type: object - Default: `{}` @@ -2116,6 +2163,7 @@ Replication alert settings. ### Parameter: `replicationFabrics` List of all replication fabrics. + - Required: No - Type: array - Default: `[]` @@ -2123,6 +2171,7 @@ List of all replication fabrics. ### Parameter: `replicationPolicies` List of all replication policies. + - Required: No - Type: array - Default: `[]` 
@@ -2130,74 +2179,96 @@ List of all replication policies. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securitySettings` Security Settings of the vault. + - Required: No - Type: object - Default: `{}` @@ -2205,6 +2276,7 @@ Security Settings of the vault. ### Parameter: `tags` Tags of the Recovery Service Vault resource. + - Required: No - Type: object diff --git a/modules/recovery-services/vault/backup-config/README.md b/modules/recovery-services/vault/backup-config/README.md index aec1ccbf4b..f9a077c8f8 100644 --- a/modules/recovery-services/vault/backup-config/README.md +++ b/modules/recovery-services/vault/backup-config/README.md @@ -37,9 +37,17 @@ This module deploys a Recovery Services Vault Backup Config. | [`storageType`](#parameter-storagetype) | string | Storage type. | | [`storageTypeState`](#parameter-storagetypestate) | string | Once a machine is registered against a resource, the storageTypeState is always Locked. | +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -47,6 +55,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enhancedSecurityState` Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. + - Required: No - Type: string - Default: `'Enabled'` @@ -61,6 +70,7 @@ Enable this setting to protect hybrid backups against accidental deletes and add ### Parameter: `isSoftDeleteFeatureStateEditable` Is soft delete feature state editable. + - Required: No - Type: bool - Default: `True` 
@@ -68,19 +78,15 @@ Is soft delete feature state editable. ### Parameter: `name` Name of the Azure Recovery Service Vault Backup Policy. + - Required: No - Type: string - Default: `'vaultconfig'` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `resourceGuardOperationRequests` ResourceGuard Operation Requests. + - Required: No - Type: array - Default: `[]` @@ -88,6 +94,7 @@ ResourceGuard Operation Requests. ### Parameter: `softDeleteFeatureState` Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. + - Required: No - Type: string - Default: `'Enabled'` @@ -102,6 +109,7 @@ Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM ### Parameter: `storageModelType` Storage type. + - Required: No - Type: string - Default: `'GeoRedundant'` @@ -118,6 +126,7 @@ Storage type. ### Parameter: `storageType` Storage type. + - Required: No - Type: string - Default: `'GeoRedundant'` @@ -134,6 +143,7 @@ Storage type. ### Parameter: `storageTypeState` Once a machine is registered against a resource, the storageTypeState is always Locked. + - Required: No - Type: string - Default: `'Locked'` diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/README.md index 98712cd47b..16d53d84a2 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/README.md +++ b/modules/recovery-services/vault/backup-fabric/protection-container/README.md 
@@ -42,9 +42,24 @@ This module deploys a Recovery Services Vault Protection Container. | [`protectedItems`](#parameter-protecteditems) | array | Protected items to register in the container. | | [`sourceResourceId`](#parameter-sourceresourceid) | string | Resource ID of the target resource for the Protection Container. | +### Parameter: `name` + +Name of the Azure Recovery Service Vault Protection Container. + +- Required: Yes +- Type: string + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `backupManagementType` Backup management type to execute the current Protection Container job. + - Required: No - Type: string - Default: `''` @@ -67,6 +82,7 @@ Backup management type to execute the current Protection Container job. ### Parameter: `containerType` Type of the container. + - Required: No - Type: string - Default: `''` @@ -89,6 +105,7 @@ Type of the container. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -96,6 +113,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `friendlyName` Friendly name of the Protection Container. + - Required: No - Type: string - Default: `''` 
@@ -103,32 +121,23 @@ Friendly name of the Protection Container. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -Name of the Azure Recovery Service Vault Protection Container. -- Required: Yes -- Type: string - ### Parameter: `protectedItems` Protected items to register in the container. + - Required: No - Type: array - Default: `[]` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `sourceResourceId` Resource ID of the target resource for the Protection Container. + - Required: No - Type: string - Default: `''` diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md index 2c15bf89ea..0c9eda13b5 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md +++ b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/README.md 
@@ -40,35 +40,24 @@ This module deploys a Recovery Services Vault Protection Container Protected Ite | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - -### Parameter: `location` - -Location for all resources. -- Required: No -- Type: string -- Default: `[resourceGroup().location]` - ### Parameter: `name` Name of the resource. + - Required: Yes - Type: string ### Parameter: `policyId` ID of the backup policy with which this item is backed up. + - Required: Yes - Type: string ### Parameter: `protectedItemType` The backup item type. + - Required: Yes - Type: string - Allowed: @@ -87,23 +76,42 @@ The backup item type. ] ``` +### Parameter: `sourceResourceId` + +Resource ID of the resource to back up. + +- Required: Yes +- Type: string + ### Parameter: `protectionContainerName` Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `recoveryVaultName` The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `sourceResourceId` +### Parameter: `enableDefaultTelemetry` -Resource ID of the resource to back up. -- Required: Yes +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location for all resources. + +- Required: No - Type: string +- Default: `[resourceGroup().location]` ## Outputs diff --git a/modules/recovery-services/vault/backup-policy/README.md b/modules/recovery-services/vault/backup-policy/README.md index c769d8ce08..a76148c582 100644 
--- a/modules/recovery-services/vault/backup-policy/README.md +++ b/modules/recovery-services/vault/backup-policy/README.md @@ -36,31 +36,35 @@ This module deploys a Recovery Services Vault Backup Policy. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` Name of the Azure Recovery Service Vault Backup Policy. + - Required: Yes - Type: string ### Parameter: `properties` Configuration of the Azure Recovery Service Vault Backup Policy. + - Required: Yes - Type: object ### Parameter: `recoveryVaultName` The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/recovery-services/vault/backup-storage-config/README.md b/modules/recovery-services/vault/backup-storage-config/README.md index e049b9e89d..3d0b89984c 100644 --- a/modules/recovery-services/vault/backup-storage-config/README.md +++ b/modules/recovery-services/vault/backup-storage-config/README.md 
@@ -32,9 +32,17 @@ This module deploys a Recovery Service Vault Backup Storage Configuration. | [`name`](#parameter-name) | string | The name of the backup storage config. | | [`storageModelType`](#parameter-storagemodeltype) | string | Change Vault Storage Type (Works if vault has not registered any backup instance). | +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `crossRegionRestoreFlag` Opt in details of Cross Region Restore feature. + - Required: No - Type: bool - Default: `True` @@ -42,6 +50,7 @@ Opt in details of Cross Region Restore feature. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -49,19 +58,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the backup storage config. + - Required: No - Type: string - Default: `'vaultstorageconfig'` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `storageModelType` Change Vault Storage Type (Works if vault has not registered any backup instance). + - Required: No - Type: string - Default: `'GeoRedundant'` diff --git a/modules/recovery-services/vault/replication-alert-setting/README.md b/modules/recovery-services/vault/replication-alert-setting/README.md index d0067568b8..d8c489809d 100644 --- a/modules/recovery-services/vault/replication-alert-setting/README.md +++ b/modules/recovery-services/vault/replication-alert-setting/README.md 
@@ -33,9 +33,17 @@ This module deploys a Recovery Services Vault Replication Alert Settings. | [`name`](#parameter-name) | string | The name of the replication Alert Setting. | | [`sendToOwners`](#parameter-sendtoowners) | string | The value indicating whether to send email to subscription administrator. | +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `customEmailAddresses` Comma separated list of custom email address for sending alert emails. + - Required: No - Type: array - Default: `[]` @@ -43,6 +51,7 @@ Comma separated list of custom email address for sending alert emails. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,6 +59,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `locale` The locale for the email notification. + - Required: No - Type: string - Default: `''` @@ -57,19 +67,15 @@ The locale for the email notification. ### Parameter: `name` The name of the replication Alert Setting. + - Required: No - Type: string - Default: `'defaultAlertSetting'` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `sendToOwners` The value indicating whether to send email to subscription administrator. + - Required: No - Type: string - Default: `'Send'` diff --git a/modules/recovery-services/vault/replication-fabric/README.md b/modules/recovery-services/vault/replication-fabric/README.md index 8213e34c2a..5b2a425fc5 100644 --- a/modules/recovery-services/vault/replication-fabric/README.md +++ b/modules/recovery-services/vault/replication-fabric/README.md 
@@ -41,36 +41,41 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc | [`name`](#parameter-name) | string | The name of the fabric. | | [`replicationContainers`](#parameter-replicationcontainers) | array | Replication containers to create. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `location` The recovery location the fabric represents. + - Required: No - Type: string - Default: `[resourceGroup().location]` +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `name` The name of the fabric. + - Required: No - Type: string - Default: `[parameters('location')]` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `replicationContainers` Replication containers to create. + - Required: No - Type: array - Default: `[]` diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md index 841d221908..6869b51b00 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/README.md 
@@ -40,38 +40,43 @@ This module deploys a Recovery Services Vault Replication Protection Container. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`replicationContainerMappings`](#parameter-replicationcontainermappings) | array | Replication containers mappings to create. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the replication container. + - Required: Yes - Type: string ### Parameter: `recoveryVaultName` The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `replicationFabricName` + +The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `replicationContainerMappings` Replication containers mappings to create. + - Required: No - Type: array - Default: `[]` -### Parameter: `replicationFabricName` - -The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md index e409532d3e..f353db55e2 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md 
+++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/README.md @@ -39,9 +39,31 @@ This module deploys a Recovery Services Vault (RSV) Replication Protection Conta | [`targetContainerName`](#parameter-targetcontainername) | string | Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. | | [`targetProtectionContainerId`](#parameter-targetprotectioncontainerid) | string | Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. | +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `replicationFabricName` + +The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `sourceProtectionContainerName` + +The name of the parent source Replication container. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -49,6 +71,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the replication container mapping. If not provided, it will be automatically generated as `-`. + - Required: No - Type: string - Default: `''` @@ -56,6 +79,7 @@ The name of the replication container mapping. If not provided, it will be autom ### Parameter: `policyId` Resource ID of the replication policy. If defined, policyName will be ignored. + - Required: No - Type: string - Default: `''` 
@@ -63,31 +87,15 @@ Resource ID of the replication policy. If defined, policyName will be ignored. ### Parameter: `policyName` Name of the replication policy. Will be ignored if policyId is also specified. + - Required: No - Type: string - Default: `''` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `replicationFabricName` - -The name of the parent Replication Fabric. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `sourceProtectionContainerName` - -The name of the parent source Replication container. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `targetContainerFabricName` Name of the fabric containing the target container. If targetProtectionContainerId is specified, this parameter will be ignored. + - Required: No - Type: string - Default: `[parameters('replicationFabricName')]` @@ -95,6 +103,7 @@ Name of the fabric containing the target container. If targetProtectionContainer ### Parameter: `targetContainerName` Name of the target container. Must be specified if targetProtectionContainerId is not. If targetProtectionContainerId is specified, this parameter will be ignored. + - Required: No - Type: string - Default: `''` @@ -102,6 +111,7 @@ Name of the target container. Must be specified if targetProtectionContainerId i ### Parameter: `targetProtectionContainerId` Resource ID of the target Replication container. Must be specified if targetContainerName is not. If specified, targetContainerFabricName and targetContainerName will be ignored. + - Required: No - Type: string - Default: `''` diff --git a/modules/recovery-services/vault/replication-policy/README.md b/modules/recovery-services/vault/replication-policy/README.md index 5a36589e2b..d7b8fab197 100644 
--- a/modules/recovery-services/vault/replication-policy/README.md +++ b/modules/recovery-services/vault/replication-policy/README.md @@ -41,9 +41,24 @@ This module deploys a Recovery Services Vault Replication Policy for Disaster Re | [`multiVmSyncStatus`](#parameter-multivmsyncstatus) | string | A value indicating whether multi-VM sync has to be enabled. | | [`recoveryPointHistory`](#parameter-recoverypointhistory) | int | The duration in minutes until which the recovery points need to be stored. | +### Parameter: `name` + +The name of the replication policy. + +- Required: Yes +- Type: string + +### Parameter: `recoveryVaultName` + +The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `appConsistentFrequencyInMinutes` The app consistent snapshot frequency (in minutes). + - Required: No - Type: int - Default: `60` @@ -51,6 +66,7 @@ The app consistent snapshot frequency (in minutes). ### Parameter: `crashConsistentFrequencyInMinutes` The crash consistent snapshot frequency (in minutes). + - Required: No - Type: int - Default: `5` @@ -58,6 +74,7 @@ The crash consistent snapshot frequency (in minutes). ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -65,6 +82,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `multiVmSyncStatus` A value indicating whether multi-VM sync has to be enabled. + - Required: No - Type: string - Default: `'Enable'` 
@@ -76,25 +94,14 @@ A value indicating whether multi-VM sync has to be enabled. ] ``` -### Parameter: `name` - -The name of the replication policy. -- Required: Yes -- Type: string - ### Parameter: `recoveryPointHistory` The duration in minutes until which the recovery points need to be stored. + - Required: No - Type: int - Default: `1440` -### Parameter: `recoveryVaultName` - -The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 32864ab014..3bd4e855c5 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -783,9 +783,17 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`wcfRelays`](#parameter-wcfrelays) | array | The wcf relays to create in the relay namespace. | +### Parameter: `name` + +Name of the Relay Namespace. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the Relay namespace. + - Required: No - Type: array - Default: 
@@ -805,114 +813,90 @@ Authorization Rules for the Relay namespace. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -920,6 +904,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -927,6 +912,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `hybridConnections` The hybrid connections to create in the relay namespace. + - Required: No - Type: array - Default: `[]` @@ -934,6 +920,7 @@ The hybrid connections to create in the relay namespace. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -941,39 +928,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Relay Namespace. -- Required: Yes -- Type: string - ### Parameter: `networkRuleSets` Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. + - Required: No - Type: object - Default: `{}` 
@@ -981,197 +972,247 @@ Configure networking options for Relay. This object contains IPs/Subnets to allo ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. 
A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. 
+The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. 
-- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` -Optional. The name of the private endpoint. +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -1179,74 +1220,96 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuName` Name of this SKU. + - Required: No - Type: string - Default: `'Standard'` @@ -1260,12 +1323,14 @@ Name of this SKU. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `wcfRelays` The wcf relays to create in the relay namespace. + - Required: No - Type: array - Default: `[]` diff --git a/modules/relay/namespace/authorization-rule/README.md b/modules/relay/namespace/authorization-rule/README.md index 468bfb15dc..f643f25c3c 100644 --- a/modules/relay/namespace/authorization-rule/README.md +++ b/modules/relay/namespace/authorization-rule/README.md @@ -36,28 +36,32 @@ This module deploys a Relay Namespace Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the authorization rule. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index 338d271c3d..a205695854 100644 
--- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md @@ -43,9 +43,31 @@ This module deploys a Relay Namespace Hybrid Connection. | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | +### Parameter: `name` + +The name of the hybrid connection. + +- Required: Yes +- Type: string + +### Parameter: `userMetadata` + +The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. + +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the Relay Hybrid Connection. + - Required: No - Type: array - Default: @@ -77,6 +99,7 @@ Authorization Rules for the Relay Hybrid Connection. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -84,45 +107,43 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the hybrid connection. -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the Relay Hybrid Connection. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `requiresClientAuthorization` A value indicating if this hybrid connection requires client authorization. + - Required: No - Type: bool - Default: `True` 
@@ -130,76 +151,91 @@ A value indicating if this hybrid connection requires client authorization. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `userMetadata` +### Parameter: `roleAssignments.principalType` -The user metadata is a placeholder to store user-defined string data for the hybrid connection endpoint. 
For example, it can be used to store descriptive data, such as a list of teams and their contact information. Also, user-defined configuration settings can be stored. -- Required: Yes +The principal type of the assigned principal ID. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ## Outputs diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md index 369f7fd917..37b834a50c 100644 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/README.md +++ b/modules/relay/namespace/hybrid-connection/authorization-rule/README.md 
@@ -37,34 +37,39 @@ This module deploys a Hybrid Connection Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `name` -### Parameter: `hybridConnectionName` +The name of the authorization rule. -The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `hybridConnectionName` + +The name of the parent Relay Namespace Hybrid Connection. Required if the template is used in a standalone deployment. -The name of the authorization rule. - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/relay/namespace/network-rule-set/README.md b/modules/relay/namespace/network-rule-set/README.md index 6e4c2dcf28..d055e8ae60 100644 --- a/modules/relay/namespace/network-rule-set/README.md +++ b/modules/relay/namespace/network-rule-set/README.md 
@@ -32,9 +32,17 @@ This module deploys a Relay Namespace Network Rule Set. | [`ipRules`](#parameter-iprules) | array | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `defaultAction` Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. + - Required: No - Type: string - Default: `'Allow'` @@ -49,6 +57,7 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -56,19 +65,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipRules` List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". + - Required: No - Type: array - Default: `[]` -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the Relay Network Rule Set. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. + - Required: No - Type: string - Default: `'Enabled'` diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index 9fd1f1fa89..ed68177d9a 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md @@ -45,9 +45,38 @@ This module deploys a Relay Namespace WCF Relay. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`userMetadata`](#parameter-usermetadata) | string | User-defined string data for the WCF Relay. | +### Parameter: `name` + +Name of the WCF Relay. + +- Required: Yes +- Type: string + +### Parameter: `relayType` + +Type of WCF Relay. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Http' + 'NetTcp' + ] + ``` + +### Parameter: `namespaceName` + +The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the WCF Relay. + - Required: No - Type: array - Default: 
@@ -79,6 +108,7 @@ Authorization Rules for the WCF Relay. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -86,58 +116,43 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the WCF Relay. -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Relay Namespace for the WCF Relay. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `relayType` - -Type of WCF Relay. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Http' - 'NetTcp' - ] - ``` - ### Parameter: `requiresClientAuthorization` A value indicating if this relay requires client authorization. + - Required: No - Type: bool - Default: `True` 
@@ -145,6 +160,7 @@ A value indicating if this relay requires client authorization. ### Parameter: `requiresTransportSecurity` A value indicating if this relay requires transport security. + - Required: No - Type: bool - Default: `True` 
@@ -152,74 +168,96 @@ A value indicating if this relay requires transport security. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `userMetadata` User-defined string data for the WCF Relay. + - Required: No - Type: string - Default: `''` diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/README.md b/modules/relay/namespace/wcf-relay/authorization-rule/README.md index 0cd03c7520..387de82c37 100644 --- a/modules/relay/namespace/wcf-relay/authorization-rule/README.md +++ b/modules/relay/namespace/wcf-relay/authorization-rule/README.md @@ -37,28 +37,39 @@ This module deploys a WCF Relay Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the authorization rule. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Relay Namespace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `wcfRelayName` + +The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` 
@@ -71,12 +82,6 @@ The rights associated with the rule. ] ``` -### Parameter: `wcfRelayName` - -The name of the parent Relay Namespace WCF Relay. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index 6060bb18ea..7aeba279c1 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -295,9 +295,24 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Resource Graph Query. + +- Required: Yes +- Type: string + +### Parameter: `query` + +KQL query that will be graph. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -305,6 +320,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -312,45 +328,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Name of the Resource Graph Query. -- Required: Yes -- Type: string - -### Parameter: `query` - -KQL query that will be graph. -- Required: Yes -- Type: string - ### Parameter: `queryDescription` The description of a graph query. + - Required: No - Type: string - Default: `''` 
@@ -358,74 +372,96 @@ The description of a graph query. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. 
+ - Required: No - Type: object diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md index c29d1ede15..0b21b880f7 100644 --- a/modules/resources/deployment-script/README.md +++ b/modules/resources/deployment-script/README.md @@ -305,9 +305,17 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = { | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to make sure the script run every time the template is deployed. | +### Parameter: `name` + +Display name of the script to be run. + +- Required: Yes +- Type: string + ### Parameter: `arguments` Command-line arguments to pass to the script. Arguments are separated by spaces. + - Required: No - Type: string - Default: `''` @@ -315,6 +323,7 @@ Command-line arguments to pass to the script. Arguments are separated by spaces. ### Parameter: `azCliVersion` Azure CLI module version to be used. + - Required: No - Type: string - Default: `''` @@ -322,20 +331,15 @@ Azure CLI module version to be used. ### Parameter: `azPowerShellVersion` Azure PowerShell module version to be used. -- Required: No -- Type: string -- Default: `'3.0'` -### Parameter: `baseTime` - -Do not provide a value! This date value is used to make sure the script run every time the template is deployed. - Required: No - Type: string -- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` +- Default: `'3.0'` ### Parameter: `cleanupPreference` The clean up preference when the script execution gets in a terminal state. Specify the preference on when to delete the deployment script resources. The default value is Always, which means the deployment script resources are deleted despite the terminal state (Succeeded, Failed, canceled). + - Required: No - Type: string - Default: `'Always'` 
@@ -351,6 +355,7 @@ The clean up preference when the script execution gets in a terminal state. Spec ### Parameter: `containerGroupName` Container group name, if not specified then the name will get auto-generated. Not specifying a 'containerGroupName' indicates the system to generate a unique name which might end up flagging an Azure Policy as non-compliant. Use 'containerGroupName' when you have an Azure Policy that expects a specific naming convention or when you want to fully control the name. 'containerGroupName' property must be between 1 and 63 characters long, must contain only lowercase letters, numbers, and dashes and it cannot start or end with a dash and consecutive dashes are not allowed. + - Required: No - Type: string - Default: `''` @@ -358,6 +363,7 @@ Container group name, if not specified then the name will get auto-generated. No ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -365,6 +371,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `environmentVariables` The environment variables to pass over to the script. The list is passed as an object with a key name "secureList" and the value is the list of environment variables (array). The list must have a 'name' and a 'value' or a 'secretValue' property for each object. + - Required: No - Type: secureObject - Default: `{}` @@ -372,6 +379,7 @@ The environment variables to pass over to the script. The list is passed as an o ### Parameter: `kind` Type of the script. AzurePowerShell, AzureCLI. + - Required: No - Type: string - Default: `'AzurePowerShell'` @@ -386,6 +394,7 @@ Type of the script. AzurePowerShell, AzureCLI. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -393,26 +402,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -420,30 +438,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array -### Parameter: `name` - -Display name of the script to be run. -- Required: Yes -- Type: string - ### Parameter: `primaryScriptUri` Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. + - Required: No - Type: string - Default: `''` @@ -451,6 +466,7 @@ Uri for the external script. This is the entry point for the external script. To ### Parameter: `retentionInterval` Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). + - Required: No - Type: string - Default: `'P1D'` @@ -458,6 +474,7 @@ Interval for which the service retains the script resource after it reaches a te ### Parameter: `runOnce` When set to false, script will run every time the template is deployed. When set to true, the script will only run once. + - Required: No - Type: bool - Default: `False` 
@@ -465,6 +482,7 @@ When set to false, script will run every time the template is deployed. When set ### Parameter: `scriptContent` Script body. Max length: 32000 characters. To run an external script, use primaryScriptURI instead. + - Required: No - Type: string - Default: `''` @@ -472,6 +490,7 @@ Script body. Max length: 32000 characters. To run an external script, use primar ### Parameter: `storageAccountResourceId` The resource ID of the storage account to use for this deployment script. If none is provided, the deployment script uses a temporary, managed storage account. + - Required: No - Type: string - Default: `''` @@ -479,6 +498,7 @@ The resource ID of the storage account to use for this deployment script. If non ### Parameter: `supportingScriptUris` List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). + - Required: No - Type: array - Default: `[]` @@ -486,16 +506,26 @@ List of supporting files for the external script (defined in primaryScriptUri). ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `timeout` Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. + - Required: No - Type: string - Default: `'PT1H'` +### Parameter: `baseTime` + +Do not provide a value! This date value is used to make sure the script run every time the template is deployed. + +- Required: No +- Type: string +- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` + ## Outputs diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 7f77ff124e..3bd54c57d1 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md 
@@ -274,9 +274,17 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the storage account resource. | +### Parameter: `name` + +The name of the Resource Group. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -284,6 +292,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location of the Resource Group. It uses the deployment's location when not provided. + - Required: No - Type: string - Default: `[deployment().location]` @@ -291,26 +300,35 @@ Location of the Resource Group. It uses the deployment's location when not provi ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -318,87 +336,104 @@ Optional. Specify the name of lock. ### Parameter: `managedBy` The ID of the resource that manages this resource group. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the Resource Group. -- Required: Yes -- Type: string - ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. 
+ +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the storage account resource. + - Required: No - Type: object diff --git a/modules/resources/tags/README.md b/modules/resources/tags/README.md index c65be02ed4..e117c4ec48 100644 --- a/modules/resources/tags/README.md +++ b/modules/resources/tags/README.md @@ -195,6 +195,7 @@ module tags 'br:bicep/modules/resources.tags:1.0.0' = { ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -202,6 +203,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -209,6 +211,7 @@ Location deployment metadata. ### Parameter: `onlyUpdate` Instead of overwriting the existing tags, combine them with the new tags. + - Required: No - Type: bool - Default: `False` @@ -216,6 +219,7 @@ Instead of overwriting the existing tags, combine them with the new tags. ### Parameter: `resourceGroupName` Name of the Resource Group to assign the tags to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. + - Required: No - Type: string - Default: `''` 
@@ -223,6 +227,7 @@ Name of the Resource Group to assign the tags to. If no Resource Group name is p ### Parameter: `subscriptionId` Subscription ID of the subscription to assign the tags to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided tags to the subscription. + - Required: No - Type: string - Default: `[subscription().id]` @@ -230,6 +235,7 @@ Subscription ID of the subscription to assign the tags to. If no Resource Group ### Parameter: `tags` Tags for the resource group. If not provided, removes existing tags. + - Required: No - Type: object diff --git a/modules/resources/tags/resource-group/README.md b/modules/resources/tags/resource-group/README.md index a89c83c006..bb606d2fb6 100644 --- a/modules/resources/tags/resource-group/README.md +++ b/modules/resources/tags/resource-group/README.md @@ -28,6 +28,7 @@ This module deploys a Resource Tag on a Resource Group scope. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -35,6 +36,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `onlyUpdate` Instead of overwriting the existing tags, combine them with the new tags. + - Required: No - Type: bool - Default: `False` @@ -42,6 +44,7 @@ Instead of overwriting the existing tags, combine them with the new tags. ### Parameter: `tags` Tags for the resource group. If not provided, removes existing tags. + - Required: No - Type: object diff --git a/modules/resources/tags/subscription/README.md b/modules/resources/tags/subscription/README.md index 352c754d72..67ef585df7 100644 --- a/modules/resources/tags/subscription/README.md +++ b/modules/resources/tags/subscription/README.md 
@@ -29,6 +29,7 @@ This module deploys a Resource Tag on a Subscription scope. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -36,6 +37,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -43,6 +45,7 @@ Location deployment metadata. ### Parameter: `onlyUpdate` Instead of overwriting the existing tags, combine them with the new tags. + - Required: No - Type: bool - Default: `False` @@ -50,6 +53,7 @@ Instead of overwriting the existing tags, combine them with the new tags. ### Parameter: `tags` Tags for the resource group. If not provided, removes existing tags. + - Required: No - Type: object diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index e9fb57b2d2..ed4c89fdfc 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md 
@@ -622,9 +622,17 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = { | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. | | [`tags`](#parameter-tags) | object | Tags to help categorize the resource in the Azure portal. | +### Parameter: `name` + +The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. + +- Required: Yes +- Type: string + ### Parameter: `authOptions` Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true. + - Required: No - Type: object - Default: `{}` @@ -632,6 +640,7 @@ Defines the options for how the data plane API of a Search service authenticates ### Parameter: `cmkEnforcement` Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys. + - Required: No - Type: string - Default: `'Unspecified'` 
@@ -647,114 +656,90 @@ Describes a policy that determines how resources within the search service are t ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -762,6 +747,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined. + - Required: No - Type: bool - Default: `True` @@ -769,6 +755,7 @@ When set to true, calls to the search service will not be permitted to utilize A ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -776,6 +763,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `hostingMode` Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. + - Required: No - Type: string - Default: `'default'` @@ -790,6 +778,7 @@ Applicable only for the standard3 SKU. You can set this property to enable up to ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -797,26 +786,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -824,30 +822,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool -### Parameter: `name` - -The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created. -- Required: Yes -- Type: string - ### Parameter: `networkRuleSet` Network specific rules that determine how the Azure Cognitive Search service may be reached. + - Required: No - Type: object - Default: `{}` @@ -855,6 +850,7 @@ Network specific rules that determine how the Azure Cognitive Search service may ### Parameter: `partitionCount` The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. + - Required: No - Type: int - Default: `1` 
@@ -862,197 +858,247 @@ The number of partitions in the search service; if specified, it can be 1, 2, 3, ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. 
| +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. 
| +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
- Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. 
| +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private endpoint. +The name of the role to assign. If it cannot be found you can specify the role definition ID instead. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1060,6 +1106,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. + - Required: No - Type: string - Default: `'enabled'` 
@@ -1074,6 +1121,7 @@ This value can be set to 'enabled' to avoid breaking changes on existing custome ### Parameter: `replicaCount` The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. + - Required: No - Type: int - Default: `1` 
@@ -1081,74 +1129,96 @@ The number of replicas in the search service. If specified, it must be a value b ### Parameter: `roleAssignments` Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. 
| +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The name of the role to assign. 
If it cannot be found you can specify the role definition ID instead. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sharedPrivateLinkResources` The sharedPrivateLinkResources to create as part of the search Service. 
+ - Required: No - Type: array - Default: `[]` @@ -1156,6 +1226,7 @@ The sharedPrivateLinkResources to create as part of the search Service. ### Parameter: `sku` Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. + - Required: No - Type: string - Default: `'standard'` @@ -1175,6 +1246,7 @@ Defines the SKU of an Azure Cognitive Search Service, which determines price tie ### Parameter: `tags` Tags to help categorize the resource in the Azure portal. + - Required: No - Type: object diff --git a/modules/search/search-service/shared-private-link-resource/README.md b/modules/search/search-service/shared-private-link-resource/README.md index 1edd330b70..3b9b383a8b 100644 --- a/modules/search/search-service/shared-private-link-resource/README.md +++ b/modules/search/search-service/shared-private-link-resource/README.md 
@@ -39,50 +39,57 @@ This module deploys a Search Service Private Link Resource. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`resourceRegion`](#parameter-resourceregion) | string | Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via the Customer Usage Attribution ID (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `groupId` The group ID from the provider of resource the shared private link resource is for. + - Required: Yes - Type: string ### Parameter: `name` The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group. + - Required: Yes - Type: string ### Parameter: `privateLinkResourceId` The resource ID of the resource the shared private link resource is for. + - Required: Yes - Type: string ### Parameter: `requestMessage` The request message for requesting approval of the shared private link resource. + - Required: Yes - Type: string +### Parameter: `searchServiceName` + +The name of the parent searchServices. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via the Customer Usage Attribution ID (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `resourceRegion` Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service). 
+ - Required: No - Type: string - Default: `''` -### Parameter: `searchServiceName` - -The name of the parent searchServices. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index f3a67e036f..99689ad43b 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md 
@@ -190,9 +190,24 @@ module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0. | [`storageAccountsPricingTier`](#parameter-storageaccountspricingtier) | string | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | | [`virtualMachinesPricingTier`](#parameter-virtualmachinespricingtier) | string | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +### Parameter: `scope` + +All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. + +- Required: Yes +- Type: string + +### Parameter: `workspaceId` + +The full Azure ID of the workspace to save the data in. + +- Required: Yes +- Type: string + ### Parameter: `appServicesPricingTier` The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` 
@@ -207,6 +222,7 @@ The pricing tier value for AppServices. Azure Security Center is provided in two ### Parameter: `armPricingTier` The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -221,6 +237,7 @@ The pricing tier value for ARM. Azure Security Center is provided in two pricing ### Parameter: `autoProvision` Describes what kind of security agent provisioning action to take. - On or Off. + - Required: No - Type: string - Default: `'On'` @@ -235,6 +252,7 @@ Describes what kind of security agent provisioning action to take. - On or Off. ### Parameter: `containerRegistryPricingTier` The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -249,6 +267,7 @@ The pricing tier value for ContainerRegistry. Azure Security Center is provided ### Parameter: `containersTier` The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` 
@@ -263,6 +282,7 @@ The pricing tier value for containers. Azure Security Center is provided in two ### Parameter: `cosmosDbsTier` The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -277,6 +297,7 @@ The pricing tier value for CosmosDbs. Azure Security Center is provided in two p ### Parameter: `deviceSecurityGroupProperties` Device Security group data. + - Required: No - Type: object - Default: `{}` @@ -284,6 +305,7 @@ Device Security group data. ### Parameter: `dnsPricingTier` The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -298,6 +320,7 @@ The pricing tier value for DNS. Azure Security Center is provided in two pricing ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -305,6 +328,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ioTSecuritySolutionProperties` Security Solution data. + - Required: No - Type: object - Default: `{}` @@ -312,6 +336,7 @@ Security Solution data. ### Parameter: `keyVaultsPricingTier` The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` 
@@ -326,6 +351,7 @@ The pricing tier value for KeyVaults. Azure Security Center is provided in two p ### Parameter: `kubernetesServicePricingTier` The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -340,6 +366,7 @@ The pricing tier value for KubernetesService. Azure Security Center is provided ### Parameter: `location` Location deployment metadata. + - Required: No - Type: string - Default: `[deployment().location]` @@ -347,6 +374,7 @@ Location deployment metadata. ### Parameter: `openSourceRelationalDatabasesTier` The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -358,15 +386,10 @@ The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center ] ``` -### Parameter: `scope` - -All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. -- Required: Yes -- Type: string - ### Parameter: `securityContactProperties` Security contact data. + - Required: No - Type: object - Default: `{}` 
@@ -374,6 +397,7 @@ Security contact data. ### Parameter: `sqlServersPricingTier` The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -388,6 +412,7 @@ The pricing tier value for SqlServers. Azure Security Center is provided in two ### Parameter: `sqlServerVirtualMachinesPricingTier` The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -402,6 +427,7 @@ The pricing tier value for SqlServerVirtualMachines. Azure Security Center is pr ### Parameter: `storageAccountsPricingTier` The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` @@ -416,6 +442,7 @@ The pricing tier value for StorageAccounts. Azure Security Center is provided in ### Parameter: `virtualMachinesPricingTier` The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + - Required: No - Type: string - Default: `'Free'` 
@@ -427,12 +454,6 @@ The pricing tier value for VMs. Azure Security Center is provided in two pricing ] ``` -### Parameter: `workspaceId` - -The full Azure ID of the workspace to save the data in. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 5c16abffb6..a2fbd72ba2 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -1203,9 +1203,17 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`topics`](#parameter-topics) | array | The topics to create in the service bus namespace. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | +### Parameter: `name` + +Name of the Service Bus Namespace. + +- Required: Yes +- Type: string + ### Parameter: `alternateName` Alternate name for namespace. + - Required: No - Type: string - Default: `''` @@ -1213,6 +1221,7 @@ Alternate name for namespace. ### Parameter: `authorizationRules` Authorization Rules for the Service Bus namespace. + - Required: No - Type: array - Default: 
@@ -1232,41 +1241,48 @@ Authorization Rules for the Service Bus namespace. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. 
The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -1274,114 +1290,90 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1389,6 +1381,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `disableLocalAuth` This property disables SAS authentication for the Service Bus namespace. + - Required: No - Type: bool - Default: `True` @@ -1396,6 +1389,7 @@ This property disables SAS authentication for the Service Bus namespace. ### Parameter: `disasterRecoveryConfigs` The disaster recovery configuration. + - Required: No - Type: object - Default: `{}` @@ -1403,6 +1397,7 @@ The disaster recovery configuration. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1410,6 +1405,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1417,26 +1413,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1444,25 +1449,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1470,6 +1477,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `migrationConfigurations` The migration configuration. + - Required: No - Type: object - Default: `{}` @@ -1477,6 +1485,7 @@ The migration configuration. ### Parameter: `minimumTlsVersion` The minimum TLS version for the cluster to support. + - Required: No - Type: string - Default: `'1.2'` 
@@ -1489,15 +1498,10 @@ The minimum TLS version for the cluster to support. ] ``` -### Parameter: `name` - -Name of the Service Bus Namespace. -- Required: Yes -- Type: string - ### Parameter: `networkRuleSets` Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. + - Required: No - Type: object - Default: `{}` @@ -1505,6 +1509,7 @@ Configure networking options for Premium SKU Service Bus. This object contains I ### Parameter: `premiumMessagingPartitions` The number of partitions of a Service Bus namespace. This property is only applicable to Premium SKU namespaces. The default value is 1 and possible values are 1, 2 and 4. + - Required: No - Type: int - Default: `1` 
@@ -1512,197 +1517,247 @@ The number of partitions of a Service Bus namespace. This property is only appli ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. 
A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. 
+The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. 
-- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1710,6 +1765,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -1726,6 +1782,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `queues` The queues to create in the service bus namespace. + - Required: No - Type: array - Default: `[]` @@ -1733,6 +1790,7 @@ The queues to create in the service bus namespace. ### Parameter: `requireInfrastructureEncryption` Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. + - Required: No - Type: bool - Default: `True` 
@@ -1740,74 +1798,96 @@ Enable infrastructure encryption (double encryption). Note, this setting require ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `skuCapacity` The specified messaging units for the tier. Only used for Premium Sku tier. + - Required: No - Type: int - Default: `1` @@ -1826,6 +1906,7 @@ The specified messaging units for the tier. Only used for Premium Sku tier. ### Parameter: `skuName` Name of this SKU. - Basic, Standard, Premium. + - Required: No - Type: string - Default: `'Basic'` @@ -1841,12 +1922,14 @@ Name of this SKU. - Basic, Standard, Premium. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `topics` The topics to create in the service bus namespace. + - Required: No - Type: array - Default: `[]` @@ -1854,6 +1937,7 @@ The topics to create in the service bus namespace. ### Parameter: `zoneRedundant` Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. + - Required: No - Type: bool - Default: `False` diff --git a/modules/service-bus/namespace/authorization-rule/README.md b/modules/service-bus/namespace/authorization-rule/README.md index 6596ebe9bf..3df8ec2c40 100644 --- a/modules/service-bus/namespace/authorization-rule/README.md +++ b/modules/service-bus/namespace/authorization-rule/README.md 
@@ -36,28 +36,32 @@ This module deploys a Service Bus Namespace Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the authorization rule. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` diff --git a/modules/service-bus/namespace/disaster-recovery-config/README.md b/modules/service-bus/namespace/disaster-recovery-config/README.md index f018bb7277..a69152b008 100644 --- a/modules/service-bus/namespace/disaster-recovery-config/README.md +++ b/modules/service-bus/namespace/disaster-recovery-config/README.md 
@@ -32,9 +32,17 @@ This module deploys a Service Bus Namespace Disaster Recovery Config | [`name`](#parameter-name) | string | The name of the disaster recovery config. | | [`partnerNamespaceResourceID`](#parameter-partnernamespaceresourceid) | string | Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. | +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `alternateName` Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. + - Required: No - Type: string - Default: `''` @@ -42,6 +50,7 @@ Primary/Secondary eventhub namespace name, which is part of GEO DR pairing. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -49,19 +58,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the disaster recovery config. + - Required: No - Type: string - Default: `'default'` -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `partnerNamespaceResourceID` Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing. + - Required: No - Type: string - Default: `''` diff --git a/modules/service-bus/namespace/migration-configuration/README.md b/modules/service-bus/namespace/migration-configuration/README.md index 26b9a9b0dd..32ce1391b2 100644 --- a/modules/service-bus/namespace/migration-configuration/README.md +++ b/modules/service-bus/namespace/migration-configuration/README.md 
@@ -36,31 +36,35 @@ This module deploys a Service Bus Namespace Migration Configuration. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +### Parameter: `postMigrationName` -### Parameter: `namespaceName` +Name to access Standard Namespace after migration. -The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `postMigrationName` +### Parameter: `targetNamespaceResourceId` + +Existing premium Namespace resource ID which has no entities, will be used for migration. -Name to access Standard Namespace after migration. - Required: Yes - Type: string -### Parameter: `targetNamespaceResourceId` +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. -Existing premium Namespace resource ID which has no entities, will be used for migration. - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/service-bus/namespace/network-rule-set/README.md b/modules/service-bus/namespace/network-rule-set/README.md index 86f7241c3b..18214d606d 100644 --- a/modules/service-bus/namespace/network-rule-set/README.md +++ b/modules/service-bus/namespace/network-rule-set/README.md 
@@ -34,9 +34,17 @@ This module deploys a ServiceBus Namespace Network Rule Set. | [`trustedServiceAccessEnabled`](#parameter-trustedserviceaccessenabled) | bool | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `defaultAction` Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. + - Required: No - Type: string - Default: `'Allow'` @@ -51,6 +59,7 @@ Default Action for Network Rule Set. Default is "Allow". It will not be set if p ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -58,19 +67,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ipRules` List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". + - Required: No - Type: array - Default: `[]` -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `publicNetworkAccess` This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. + - Required: No - Type: string - Default: `'Enabled'` @@ -85,6 +90,7 @@ This determines if traffic is allowed over public network. Default is "Enabled". ### Parameter: `trustedServiceAccessEnabled` Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". + - Required: No - Type: bool - Default: `True` @@ -92,6 +98,7 @@ Value that indicates whether Trusted Service Access is enabled or not. Default i ### Parameter: `virtualNetworkRules` List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". + - Required: No - Type: array - Default: `[]` diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index 852c05c23f..f9c6d2da7a 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md 
@@ -57,9 +57,24 @@ This module deploys a Service Bus Namespace Queue. | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | +### Parameter: `name` + +Name of the Service Bus Queue. + +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the Service Bus Queue. + - Required: No - Type: array - Default: @@ -81,6 +96,7 @@ Authorization Rules for the Service Bus Queue. ### Parameter: `autoDeleteOnIdle` ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M). + - Required: No - Type: string - Default: `''` @@ -88,6 +104,7 @@ ISO 8061 timeSpan idle interval after which the queue is automatically deleted. ### Parameter: `deadLetteringOnMessageExpiration` A value that indicates whether this queue has dead letter support when a message expires. + - Required: No - Type: bool - Default: `True` @@ -95,6 +112,7 @@ A value that indicates whether this queue has dead letter support when a message ### Parameter: `defaultMessageTimeToLive` ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. + - Required: No - Type: string - Default: `'P14D'` 
@@ -102,6 +120,7 @@ ISO 8601 default message timespan to live value. This is the duration after whic ### Parameter: `duplicateDetectionHistoryTimeWindow` ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. + - Required: No - Type: string - Default: `'PT10M'` @@ -109,6 +128,7 @@ ISO 8601 timeSpan structure that defines the duration of the duplicate detection ### Parameter: `enableBatchedOperations` Value that indicates whether server-side batched operations are enabled. + - Required: No - Type: bool - Default: `True` @@ -116,6 +136,7 @@ Value that indicates whether server-side batched operations are enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -123,6 +144,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableExpress` A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. + - Required: No - Type: bool - Default: `False` @@ -130,6 +152,7 @@ A value that indicates whether Express Entities are enabled. An express queue ho ### Parameter: `enablePartitioning` A value that indicates whether the queue is to be partitioned across multiple message brokers. + - Required: No - Type: bool - Default: `False` @@ -137,6 +160,7 @@ A value that indicates whether the queue is to be partitioned across multiple me ### Parameter: `forwardDeadLetteredMessagesTo` Queue/Topic name to forward the Dead Letter message. + - Required: No - Type: string - Default: `''` @@ -144,6 +168,7 @@ Queue/Topic name to forward the Dead Letter message. ### Parameter: `forwardTo` Queue/Topic name to forward the messages. + - Required: No - Type: string - Default: `''` 
@@ -151,26 +176,35 @@ Queue/Topic name to forward the messages. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -178,6 +212,7 @@ Optional. Specify the name of lock. ### Parameter: `lockDuration` ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. + - Required: No - Type: string - Default: `'PT1M'` @@ -185,6 +220,7 @@ ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the ### Parameter: `maxDeliveryCount` The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. + - Required: No - Type: int - Default: `10` @@ -192,6 +228,7 @@ The maximum delivery count. A message is automatically deadlettered after this n ### Parameter: `maxMessageSizeInKilobytes` Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024. + - Required: No - Type: int - Default: `1024` 
@@ -199,25 +236,15 @@ Maximum size (in KB) of the message payload that can be accepted by the queue. T ### Parameter: `maxSizeInMegabytes` The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. + - Required: No - Type: int - Default: `1024` -### Parameter: `name` - -Name of the Service Bus Queue. -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `requiresDuplicateDetection` A value indicating if this queue requires duplicate detection. + - Required: No - Type: bool - Default: `False` @@ -225,6 +252,7 @@ A value indicating if this queue requires duplicate detection. ### Parameter: `requiresSession` A value that indicates whether the queue supports the concept of sessions. + - Required: No - Type: bool - Default: `False` 
@@ -232,74 +260,96 @@ A value that indicates whether the queue supports the concept of sessions. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. 
| -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `roleAssignments.principalId` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `status` Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. + - Required: No - Type: string - Default: `'Active'` diff --git a/modules/service-bus/namespace/queue/authorization-rule/README.md b/modules/service-bus/namespace/queue/authorization-rule/README.md index c607332987..85306aedc9 100644 --- a/modules/service-bus/namespace/queue/authorization-rule/README.md +++ b/modules/service-bus/namespace/queue/authorization-rule/README.md @@ -37,34 +37,39 @@ This module deploys a Service Bus Namespace Queue Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the service bus namepace queue. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `queueName` The name of the parent Service Bus Namespace Queue. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` 
diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index 69c13d5acf..f81f109519 100644 --- a/modules/service-bus/namespace/topic/README.md +++ b/modules/service-bus/namespace/topic/README.md @@ -52,9 +52,24 @@ This module deploys a Service Bus Namespace Topic. | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | | [`supportOrdering`](#parameter-supportordering) | bool | Value that indicates whether the topic supports ordering. | +### Parameter: `name` + +Name of the Service Bus Topic. + +- Required: Yes +- Type: string + +### Parameter: `namespaceName` + +The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `authorizationRules` Authorization Rules for the Service Bus Topic. + - Required: No - Type: array - Default: @@ -76,6 +91,7 @@ Authorization Rules for the Service Bus Topic. ### Parameter: `autoDeleteOnIdle` ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes. + - Required: No - Type: string - Default: `'PT5M'` @@ -83,6 +99,7 @@ ISO 8601 timespan idle interval after which the topic is automatically deleted. ### Parameter: `defaultMessageTimeToLive` ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself. + - Required: No - Type: string - Default: `'P14D'` 
@@ -90,6 +107,7 @@ ISO 8601 default message timespan to live value. This is the duration after whic ### Parameter: `duplicateDetectionHistoryTimeWindow` ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes. + - Required: No - Type: string - Default: `'PT10M'` @@ -97,6 +115,7 @@ ISO 8601 timeSpan structure that defines the duration of the duplicate detection ### Parameter: `enableBatchedOperations` Value that indicates whether server-side batched operations are enabled. + - Required: No - Type: bool - Default: `True` @@ -104,6 +123,7 @@ Value that indicates whether server-side batched operations are enabled. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -111,6 +131,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableExpress` A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. + - Required: No - Type: bool - Default: `False` @@ -118,6 +139,7 @@ A value that indicates whether Express Entities are enabled. An express topic ho ### Parameter: `enablePartitioning` A value that indicates whether the topic is to be partitioned across multiple message brokers. + - Required: No - Type: bool - Default: `False` 
@@ -125,26 +147,35 @@ A value that indicates whether the topic is to be partitioned across multiple me ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -152,6 +183,7 @@ Optional. Specify the name of lock. ### Parameter: `maxMessageSizeInKilobytes` Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. + - Required: No - Type: int - Default: `1024` 
@@ -159,25 +191,15 @@ Maximum size (in KB) of the message payload that can be accepted by the topic. T ### Parameter: `maxSizeInMegabytes` The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. + - Required: No - Type: int - Default: `1024` -### Parameter: `name` - -Name of the Service Bus Topic. -- Required: Yes -- Type: string - -### Parameter: `namespaceName` - -The name of the parent Service Bus Namespace for the Service Bus Topic. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `requiresDuplicateDetection` A value indicating if this topic requires duplicate detection. + - Required: No - Type: bool - Default: `False` 
@@ -185,74 +207,96 @@ A value indicating if this topic requires duplicate detection. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `status` Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. + - Required: No - Type: string - Default: `'Active'` @@ -274,6 +318,7 @@ Enumerates the possible values for the status of a messaging entity. - Active, D ### Parameter: `supportOrdering` Value that indicates whether the topic supports ordering. + - Required: No - Type: bool - Default: `False` diff --git a/modules/service-bus/namespace/topic/authorization-rule/README.md b/modules/service-bus/namespace/topic/authorization-rule/README.md index 583c624576..c235204944 100644 --- a/modules/service-bus/namespace/topic/authorization-rule/README.md +++ b/modules/service-bus/namespace/topic/authorization-rule/README.md 
@@ -37,28 +37,39 @@ This module deploys a Service Bus Namespace Topic Authorization Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`rights`](#parameter-rights) | array | The rights associated with the rule. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the service bus namespace topic. + - Required: Yes - Type: string ### Parameter: `namespaceName` The name of the parent Service Bus Namespace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `topicName` + +The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `rights` The rights associated with the rule. + - Required: No - Type: array - Default: `[]` @@ -71,12 +82,6 @@ The rights associated with the rule. ] ``` -### Parameter: `topicName` - -The name of the parent Service Bus Namespace Topic. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index 15c49a3dcc..1cad50d156 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md 
@@ -1115,9 +1115,48 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { | [`vmssZonalUpgradeMode`](#parameter-vmsszonalupgrademode) | string | This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. | | [`waveUpgradePaused`](#parameter-waveupgradepaused) | bool | Boolean to pause automatic runtime version upgrades to the cluster. | +### Parameter: `managementEndpoint` + +The http management endpoint of the cluster. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Name of the Service Fabric cluster. + +- Required: Yes +- Type: string + +### Parameter: `nodeTypes` + +The list of node types in the cluster. + +- Required: Yes +- Type: array + +### Parameter: `reliabilityLevel` + +The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Bronze' + 'Gold' + 'None' + 'Platinum' + 'Silver' + ] + ``` + ### Parameter: `addOnFeatures` The list of add-on features to enable in the cluster. + - Required: No - Type: array - Default: `[]` @@ -1134,6 +1173,7 @@ The list of add-on features to enable in the cluster. ### Parameter: `applicationTypes` Array of Service Fabric cluster application types. + - Required: No - Type: array - Default: `[]` 
@@ -1141,6 +1181,7 @@ Array of Service Fabric cluster application types. ### Parameter: `azureActiveDirectory` The settings to enable AAD authentication on the cluster. + - Required: No - Type: object - Default: `{}` @@ -1148,6 +1189,7 @@ The settings to enable AAD authentication on the cluster. ### Parameter: `certificate` Describes the certificate details like thumbprint of the primary certificate, thumbprint of the secondary certificate and the local certificate store location. + - Required: No - Type: object - Default: `{}` @@ -1155,6 +1197,7 @@ Describes the certificate details like thumbprint of the primary certificate, th ### Parameter: `certificateCommonNames` Describes a list of server certificates referenced by common name that are used to secure the cluster. + - Required: No - Type: object - Default: `{}` @@ -1162,6 +1205,7 @@ Describes a list of server certificates referenced by common name that are used ### Parameter: `clientCertificateCommonNames` The list of client certificates referenced by common name that are allowed to manage the cluster. + - Required: No - Type: array - Default: `[]` @@ -1169,6 +1213,7 @@ The list of client certificates referenced by common name that are allowed to ma ### Parameter: `clientCertificateThumbprints` The list of client certificates referenced by thumbprint that are allowed to manage the cluster. + - Required: No - Type: array - Default: `[]` @@ -1176,6 +1221,7 @@ The list of client certificates referenced by thumbprint that are allowed to man ### Parameter: `clusterCodeVersion` The Service Fabric runtime version of the cluster. This property can only by set the user when upgradeMode is set to "Manual". To get list of available Service Fabric versions for new clusters use ClusterVersion API. To get the list of available version for existing clusters use availableClusterVersions. + - Required: No - Type: string - Default: `''` 
@@ -1183,6 +1229,7 @@ The Service Fabric runtime version of the cluster. This property can only by set ### Parameter: `diagnosticsStorageAccountConfig` The storage account information for storing Service Fabric diagnostic logs. + - Required: No - Type: object - Default: `{}` @@ -1190,6 +1237,7 @@ The storage account information for storing Service Fabric diagnostic logs. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1197,6 +1245,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `eventStoreServiceEnabled` Indicates if the event store service is enabled. + - Required: No - Type: bool - Default: `False` @@ -1204,6 +1253,7 @@ Indicates if the event store service is enabled. ### Parameter: `fabricSettings` The list of custom fabric settings to configure the cluster. + - Required: No - Type: array - Default: `[]` @@ -1211,6 +1261,7 @@ The list of custom fabric settings to configure the cluster. ### Parameter: `infrastructureServiceManager` Indicates if infrastructure service manager is enabled. + - Required: No - Type: bool - Default: `False` @@ -1218,6 +1269,7 @@ Indicates if infrastructure service manager is enabled. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -1225,81 +1277,59 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `managementEndpoint` - -The http management endpoint of the cluster. -- Required: Yes -- Type: string - ### Parameter: `maxUnusedVersionsToKeep` Number of unused versions per application type to keep. + - Required: No - Type: int - Default: `3` -### Parameter: `name` - -Name of the Service Fabric cluster. -- Required: Yes -- Type: string - -### Parameter: `nodeTypes` - -The list of node types in the cluster. -- Required: Yes -- Type: array - ### Parameter: `notifications` Indicates a list of notification channels for cluster events. + - Required: No - Type: array - Default: `[]` -### Parameter: `reliabilityLevel` - -The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. 
This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Bronze' - 'Gold' - 'None' - 'Platinum' - 'Silver' - ] - ``` - ### Parameter: `reverseProxyCertificate` Describes the certificate details. + - Required: No - Type: object - Default: `{}` @@ -1307,6 +1337,7 @@ Describes the certificate details. ### Parameter: `reverseProxyCertificateCommonNames` Describes a list of server certificates referenced by common name that are used to secure the cluster. + - Required: No - Type: object - Default: `{}` 
@@ -1314,74 +1345,96 @@ Describes a list of server certificates referenced by common name that are used ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sfZonalUpgradeMode` This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. + - Required: No - Type: string - Default: `'Hierarchical'` @@ -1396,12 +1449,14 @@ This property controls the logical grouping of VMs in upgrade domains (UDs). Thi ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `upgradeDescription` Describes the policy used when upgrading the cluster. + - Required: No - Type: object - Default: `{}` @@ -1409,6 +1464,7 @@ Describes the policy used when upgrading the cluster. ### Parameter: `upgradeMode` The upgrade mode of the cluster when new Service Fabric runtime version is available. + - Required: No - Type: string - Default: `'Automatic'` @@ -1423,6 +1479,7 @@ The upgrade mode of the cluster when new Service Fabric runtime version is avail ### Parameter: `upgradePauseEndTimestampUtc` Indicates the end date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). + - Required: No - Type: string - Default: `''` @@ -1430,6 +1487,7 @@ Indicates the end date and time to pause automatic runtime version upgrades on t ### Parameter: `upgradePauseStartTimestampUtc` Indicates the start date and time to pause automatic runtime version upgrades on the cluster for an specific period of time on the cluster (UTC). + - Required: No - Type: string - Default: `''` 
@@ -1437,6 +1495,7 @@ Indicates the start date and time to pause automatic runtime version upgrades on ### Parameter: `upgradeWave` Indicates when new cluster runtime version upgrades will be applied after they are released. By default is Wave0. + - Required: No - Type: string - Default: `'Wave0'` @@ -1452,6 +1511,7 @@ Indicates when new cluster runtime version upgrades will be applied after they a ### Parameter: `vmImage` The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used. + - Required: No - Type: string - Default: `''` @@ -1459,6 +1519,7 @@ The VM image VMSS has been configured with. Generic names such as Windows or Lin ### Parameter: `vmssZonalUpgradeMode` This property defines the upgrade mode for the virtual machine scale set, it is mandatory if a node type with multiple Availability Zones is added. + - Required: No - Type: string - Default: `'Hierarchical'` @@ -1473,6 +1534,7 @@ This property defines the upgrade mode for the virtual machine scale set, it is ### Parameter: `waveUpgradePaused` Boolean to pause automatic runtime version upgrades to the cluster. + - Required: No - Type: bool - Default: `False` diff --git a/modules/service-fabric/cluster/application-type/README.md b/modules/service-fabric/cluster/application-type/README.md index 41f0879037..c2334d1daa 100644 --- a/modules/service-fabric/cluster/application-type/README.md +++ b/modules/service-fabric/cluster/application-type/README.md 
@@ -31,9 +31,17 @@ This module deploys a Service Fabric Cluster Application Type. | [`name`](#parameter-name) | string | Application type name. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `serviceFabricClusterName` + +The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -41,19 +49,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` Application type name. + - Required: No - Type: string - Default: `'defaultApplicationType'` -### Parameter: `serviceFabricClusterName` - -The name of the parent Service Fabric cluster. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index a50cb51919..94f615ac14 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -497,9 +497,17 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { | [`tags`](#parameter-tags) | object | The tags of the resource. | | [`upstreamTemplatesToEnable`](#parameter-upstreamtemplatestoenable) | array | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. | +### Parameter: `name` + +The name of the SignalR Service resource. + +- Required: Yes +- Type: string + ### Parameter: `allowedOrigins` The allowed origin settings of the resource. + - Required: No - Type: array - Default: 
@@ -512,6 +520,7 @@ The allowed origin settings of the resource. ### Parameter: `capacity` The unit count of the resource. + - Required: No - Type: int - Default: `1` @@ -519,6 +528,7 @@ The unit count of the resource. ### Parameter: `clientCertEnabled` Request client certificate during TLS handshake if enabled. + - Required: No - Type: bool - Default: `False` @@ -526,6 +536,7 @@ Request client certificate during TLS handshake if enabled. ### Parameter: `disableAadAuth` The disable Azure AD auth settings of the resource. + - Required: No - Type: bool - Default: `False` @@ -533,6 +544,7 @@ The disable Azure AD auth settings of the resource. ### Parameter: `disableLocalAuth` The disable local auth settings of the resource. + - Required: No - Type: bool - Default: `True` @@ -540,6 +552,7 @@ The disable local auth settings of the resource. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -547,6 +560,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `features` The features settings of the resource, `ServiceMode` is the only required feature. See https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/signalr?pivots=deployment-language-bicep#signalrfeature for more information. + - Required: No - Type: array - Default: @@ -562,6 +576,7 @@ The features settings of the resource, `ServiceMode` is the only required featur ### Parameter: `kind` The kind of the service. + - Required: No - Type: string - Default: `'SignalR'` @@ -576,6 +591,7 @@ The kind of the service. ### Parameter: `liveTraceCatagoriesToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: array - Default: 
@@ -596,6 +612,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `location` The location for the resource. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -603,39 +620,43 @@ The location for the resource. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -The name of the SignalR Service resource. -- Required: Yes -- Type: string - ### Parameter: `networkAcls` Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. + - Required: No - Type: object - Default: `{}` 
@@ -643,197 +664,247 @@ Networks ACLs, this value contains IPs to allow and/or Subnet information. Can o ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -Optional. Application security groups in which the private endpoint IP configuration is included. +**Optional parameters** -- Required: No -- Type: array +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -### Parameter: `privateEndpoints.customDnsConfigs` +### Parameter: `privateEndpoints.subnetResourceId` -Optional. Custom DNS configurations. +Resource ID of the subnet where the endpoint needs to be created. -- Required: No -- Type: array - -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. 
| -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. 
| - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string -Optional. The name of the private endpoint. +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -841,6 +912,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -856,6 +928,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `resourceLogConfigurationsToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: array - Default: 
@@ -876,74 +949,96 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sku` The SKU of the service. + - Required: No - Type: string - Default: `'Standard_S1'` @@ -963,12 +1058,14 @@ The SKU of the service. ### Parameter: `tags` The tags of the resource. + - Required: No - Type: object ### Parameter: `upstreamTemplatesToEnable` Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. + - Required: No - Type: array - Default: `[]` diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index db8dd5f45c..7f7186177b 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -595,9 +595,17 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { | [`sku`](#parameter-sku) | string | Pricing tier of the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the Web PubSub Service resource. + +- Required: Yes +- Type: string + ### Parameter: `capacity` The unit count of the resource. 1 by default. + - Required: No - Type: int - Default: `1` @@ -605,6 +613,7 @@ The unit count of the resource. 1 by default. ### Parameter: `clientCertEnabled` Request client certificate during TLS handshake if enabled. + - Required: No - Type: bool - Default: `False` @@ -612,6 +621,7 @@ Request client certificate during TLS handshake if enabled. ### Parameter: `disableAadAuth` When set as true, connection with AuthType=aad won't work. + - Required: No - Type: bool - Default: `False` 
@@ -619,6 +629,7 @@ When set as true, connection with AuthType=aad won't work. ### Parameter: `disableLocalAuth` Disables all authentication methods other than AAD authentication. For security reasons, this value should be set to `true`. + - Required: No - Type: bool - Default: `True` @@ -626,6 +637,7 @@ Disables all authentication methods other than AAD authentication. For security ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -633,6 +645,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` The location for the resource. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -640,26 +653,35 @@ The location for the resource. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -667,38 +689,35 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -The name of the Web PubSub Service resource. -- Required: Yes -- Type: string - ### Parameter: `networkAcls` Networks ACLs, this value contains IPs to allow and/or Subnet information. Can only be set if the 'SKU' is not 'Free_F1'. For security reasons, it is recommended to set the DefaultAction Deny. + - Required: No - Type: object - Default: `{}` 
@@ -706,197 +725,247 @@ Networks ACLs, this value contains IPs to allow and/or Subnet information. Can o ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. 
| +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. 
A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. 
+The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. 
-- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` -Optional. The name of the private endpoint. +The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. 
+Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -904,6 +973,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -919,6 +989,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `resourceLogConfigurationsToEnable` Control permission for data plane traffic coming from public networks while private endpoint is enabled. + - Required: No - Type: array - Default: 
@@ -939,74 +1010,96 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sku` Pricing tier of the resource. + - Required: No - Type: string - Default: `'Standard_S1'` @@ -1021,6 +1114,7 @@ Pricing tier of the resource. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 1a70895914..d40d728918 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -860,18 +860,43 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { ### Parameter: `administratorLogin` The username used to establish jumpbox VMs. + - Required: Yes - Type: string ### Parameter: `administratorLoginPassword` The password given to the admin user. + - Required: Yes - Type: securestring +### Parameter: `name` + +The name of the SQL managed instance. + +- Required: Yes +- Type: string + +### Parameter: `subnetId` + +The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. + +- Required: Yes +- Type: string + +### Parameter: `primaryUserAssignedIdentityId` + +The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `administratorsObj` The administrator configuration. + - Required: No - Type: object - Default: `{}` @@ -879,6 +904,7 @@ The administrator configuration. ### Parameter: `collation` Collation of the managed instance. + - Required: No - Type: string - Default: `'SQL_Latin1_General_CP1_CI_AS'` @@ -886,6 +912,7 @@ Collation of the managed instance. ### Parameter: `databases` Databases to create in this server. + - Required: No - Type: array - Default: `[]` 
@@ -893,114 +920,90 @@ Databases to create in this server. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1008,6 +1011,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `dnsZonePartner` The resource ID of another managed instance whose DNS zone this managed instance will share after creation. + - Required: No - Type: string - Default: `''` @@ -1015,6 +1019,7 @@ The resource ID of another managed instance whose DNS zone this managed instance ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1022,6 +1027,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `encryptionProtectorObj` The encryption protection configuration. + - Required: No - Type: object - Default: `{}` @@ -1029,6 +1035,7 @@ The encryption protection configuration. ### Parameter: `hardwareFamily` If the service has different generations of hardware, for the same SKU, then that can be captured here. + - Required: No - Type: string - Default: `'Gen5'` @@ -1036,6 +1043,7 @@ If the service has different generations of hardware, for the same SKU, then tha ### Parameter: `instancePoolResourceId` The resource ID of the instance pool this managed server belongs to. + - Required: No - Type: string - Default: `''` @@ -1043,6 +1051,7 @@ The resource ID of the instance pool this managed server belongs to. ### Parameter: `keys` The keys to configure. + - Required: No - Type: array - Default: `[]` 
@@ -1050,6 +1059,7 @@ The keys to configure. ### Parameter: `licenseType` The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). + - Required: No - Type: string - Default: `'LicenseIncluded'` @@ -1064,6 +1074,7 @@ The license type. Possible values are 'LicenseIncluded' (regular price inclusive ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1071,26 +1082,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1098,25 +1118,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1124,6 +1146,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managedInstanceCreateMode` Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. + - Required: No - Type: string - Default: `'Default'` @@ -1138,6 +1161,7 @@ Specifies the mode of database creation. Default: Regular instance creation. Res ### Parameter: `minimalTlsVersion` Minimal TLS version allowed. + - Required: No - Type: string - Default: `'1.2'` 
@@ -1151,22 +1175,10 @@ Minimal TLS version allowed. ] ``` -### Parameter: `name` - -The name of the SQL managed instance. -- Required: Yes -- Type: string - -### Parameter: `primaryUserAssignedIdentityId` - -The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `proxyOverride` Connection type used for connecting to the instance. + - Required: No - Type: string - Default: `'Proxy'` @@ -1182,6 +1194,7 @@ Connection type used for connecting to the instance. ### Parameter: `publicDataEndpointEnabled` Whether or not the public data endpoint is enabled. + - Required: No - Type: bool - Default: `False` @@ -1189,6 +1202,7 @@ Whether or not the public data endpoint is enabled. ### Parameter: `requestedBackupStorageRedundancy` The storage account type used to store backups for this database. + - Required: No - Type: string - Default: `'Geo'` @@ -1205,6 +1219,7 @@ The storage account type used to store backups for this database. ### Parameter: `restorePointInTime` Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. + - Required: No - Type: string - Default: `''` 
@@ -1212,74 +1227,96 @@ Specifies the point in time (ISO8601 format) of the source database that will be ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securityAlertPoliciesObj` The security alert policy configuration. + - Required: No - Type: object - Default: `{}` @@ -1287,6 +1324,7 @@ The security alert policy configuration. ### Parameter: `servicePrincipal` Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. + - Required: No - Type: string - Default: `'None'` @@ -1301,6 +1339,7 @@ Service principal type. If using AD Authentication and applying Admin, must be s ### Parameter: `skuName` The name of the SKU, typically, a letter + Number code, e.g. P3. + - Required: No - Type: string - Default: `'GP_Gen5'` @@ -1308,6 +1347,7 @@ The name of the SKU, typically, a letter + Number code, e.g. P3. ### Parameter: `skuTier` The tier or edition of the particular SKU, e.g. Basic, Premium. + - Required: No - Type: string - Default: `'GeneralPurpose'` @@ -1315,6 +1355,7 @@ The tier or edition of the particular SKU, e.g. Basic, Premium. ### Parameter: `sourceManagedInstanceId` The resource identifier of the source managed instance associated with create operation of this instance. + - Required: No - Type: string - Default: `''` 
@@ -1322,25 +1363,22 @@ The resource identifier of the source managed instance associated with create op ### Parameter: `storageSizeInGB` Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. + - Required: No - Type: int - Default: `32` -### Parameter: `subnetId` - -The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. -- Required: Yes -- Type: string - ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `timezoneId` ID of the timezone. Allowed values are timezones supported by Windows. + - Required: No - Type: string - Default: `'UTC'` @@ -1348,6 +1386,7 @@ ID of the timezone. Allowed values are timezones supported by Windows. ### Parameter: `vCores` The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. + - Required: No - Type: int - Default: `4` @@ -1355,6 +1394,7 @@ The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. ### Parameter: `vulnerabilityAssessmentsObj` The vulnerability assessment configuration. + - Required: No - Type: object - Default: `{}` @@ -1362,6 +1402,7 @@ The vulnerability assessment configuration. ### Parameter: `zoneRedundant` Whether or not multi-az is enabled. + - Required: No - Type: bool - Default: `False` diff --git a/modules/sql/managed-instance/administrator/README.md b/modules/sql/managed-instance/administrator/README.md index 8382a3a1c6..b6c59f67b3 100644 --- a/modules/sql/managed-instance/administrator/README.md +++ b/modules/sql/managed-instance/administrator/README.md 
@@ -37,34 +37,39 @@ This module deploys a SQL Managed Instance Administrator. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`tenantId`](#parameter-tenantid) | string | Tenant ID of the managed instance administrator. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `login` Login name of the managed instance administrator. + - Required: Yes - Type: string -### Parameter: `managedInstanceName` +### Parameter: `sid` + +SID (object ID) of the managed instance administrator. -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `sid` +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. -SID (object ID) of the managed instance administrator. - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `tenantId` Tenant ID of the managed instance administrator. + - Required: No - Type: string - Default: `''` diff --git a/modules/sql/managed-instance/database/README.md b/modules/sql/managed-instance/database/README.md index 12e6fb4709..a7d39cc286 100644 --- a/modules/sql/managed-instance/database/README.md +++ b/modules/sql/managed-instance/database/README.md 
@@ -55,9 +55,72 @@ This module deploys a SQL Managed Instance Database. | [`restorableDroppedDatabaseId`](#parameter-restorabledroppeddatabaseid) | string | The restorable dropped database resource ID to restore when creating this database. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +The name of the SQL managed instance database. + +- Required: Yes +- Type: string + +### Parameter: `longTermRetentionBackupResourceId` + +The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `recoverableDatabaseId` + +The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `restorePointInTime` + +Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `sourceDatabaseId` + +The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageContainerSasToken` + +Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `storageContainerUri` + +Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. 
+ +- Required: No +- Type: string +- Default: `''` + ### Parameter: `backupLongTermRetentionPoliciesObj` The configuration for the backup long term retention policy definition. + - Required: No - Type: object - Default: `{}` @@ -65,6 +128,7 @@ The configuration for the backup long term retention policy definition. ### Parameter: `backupShortTermRetentionPoliciesObj` The configuration for the backup short term retention policy definition. + - Required: No - Type: object - Default: `{}` @@ -72,6 +136,7 @@ The configuration for the backup short term retention policy definition. ### Parameter: `catalogCollation` Collation of the managed instance. + - Required: No - Type: string - Default: `'SQL_Latin1_General_CP1_CI_AS'` @@ -79,6 +144,7 @@ Collation of the managed instance. ### Parameter: `collation` Collation of the managed instance database. + - Required: No - Type: string - Default: `'SQL_Latin1_General_CP1_CI_AS'` @@ -86,6 +152,7 @@ Collation of the managed instance database. ### Parameter: `createMode` Managed database create mode. PointInTimeRestore: Create a database by restoring a point in time backup of an existing database. SourceDatabaseName, SourceManagedInstanceName and PointInTime must be specified. RestoreExternalBackup: Create a database by restoring from external backup files. Collation, StorageContainerUri and StorageContainerSasToken must be specified. Recovery: Creates a database by restoring a geo-replicated backup. RecoverableDatabaseId must be specified as the recoverable database resource ID to restore. RestoreLongTermRetentionBackup: Create a database by restoring from a long term retention backup (longTermRetentionBackupResourceId required). + - Required: No - Type: string - Default: `'Default'` 
@@ -103,94 +170,82 @@ Managed database create mode. PointInTimeRestore: Create a database by restoring ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -198,6 +253,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -205,6 +261,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -212,87 +269,43 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. - -- Required: No -- Type: string - -### Parameter: `longTermRetentionBackupResourceId` - -The resource ID of the Long Term Retention backup to be used for restore of this managed database. Required if createMode is RestoreLongTermRetentionBackup. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the SQL managed instance database. -- Required: Yes -- Type: string - -### Parameter: `recoverableDatabaseId` +Specify the name of lock. -The resource identifier of the recoverable database associated with create operation of this database. Required if createMode is Recovery. - Required: No - Type: string -- Default: `''` ### Parameter: `restorableDroppedDatabaseId` The restorable dropped database resource ID to restore when creating this database. 
-- Required: No -- Type: string -- Default: `''` - -### Parameter: `restorePointInTime` - -Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. Required if createMode is PointInTimeRestore. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `sourceDatabaseId` -The resource identifier of the source database associated with create operation of this database. Required if createMode is PointInTimeRestore. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageContainerSasToken` - -Specifies the storage container sas token. Required if createMode is RestoreExternalBackup. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `storageContainerUri` - -Specifies the uri of the storage container where backups for this restore are stored. Required if createMode is RestoreExternalBackup. - Required: No - Type: string - Default: `''` @@ -300,6 +313,7 @@ Specifies the uri of the storage container where backups for this restore are st ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md index 9456833a1b..8baceaa025 100644 --- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md +++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/README.md 
@@ -40,41 +40,47 @@ This module deploys a SQL Managed Instance Database Backup Long-Term Retention P | [`weekOfYear`](#parameter-weekofyear) | int | The week of year to take the yearly backup in an ISO 8601 format. | | [`yearlyRetention`](#parameter-yearlyretention) | string | The yearly retention policy for an LTR backup in an ISO 8601 format. | +### Parameter: `name` + +The name of the Long Term Retention backup policy. For example "default". + +- Required: Yes +- Type: string + ### Parameter: `databaseName` The name of the parent managed instance database. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `managedInstanceName` + +The name of the parent managed instance. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `managedInstanceName` - -The name of the parent managed instance. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `monthlyRetention` The monthly retention policy for an LTR backup in an ISO 8601 format. + - Required: No - Type: string - Default: `'P1Y'` -### Parameter: `name` - -The name of the Long Term Retention backup policy. For example "default". -- Required: Yes -- Type: string - ### Parameter: `weeklyRetention` The weekly retention policy for an LTR backup in an ISO 8601 format. + - Required: No - Type: string - Default: `'P1M'` @@ -82,6 +88,7 @@ The weekly retention policy for an LTR backup in an ISO 8601 format. ### Parameter: `weekOfYear` The week of year to take the yearly backup in an ISO 8601 format. + - Required: No - Type: int - Default: `5` 
@@ -89,6 +96,7 @@ The week of year to take the yearly backup in an ISO 8601 format. ### Parameter: `yearlyRetention` The yearly retention policy for an LTR backup in an ISO 8601 format. + - Required: No - Type: string - Default: `'P5Y'` diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md index 85fbd84c25..b2dd3475e3 100644 --- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md +++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/README.md 
@@ -37,34 +37,39 @@ This module deploys a SQL Managed Instance Database Backup Short-Term Retention | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`retentionDays`](#parameter-retentiondays) | int | The backup retention period in days. This is how many days Point-in-Time Restore will be supported. | -### Parameter: `databaseName` +### Parameter: `name` + +The name of the Short Term Retention backup policy. For example "default". -The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -### Parameter: `enableDefaultTelemetry` +### Parameter: `databaseName` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +The name of the parent SQL managed instance database. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string ### Parameter: `managedInstanceName` The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `enableDefaultTelemetry` -The name of the Short Term Retention backup policy. For example "default". -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ### Parameter: `retentionDays` The backup retention period in days. This is how many days Point-in-Time Restore will be supported. + - Required: No - Type: int - Default: `35` diff --git a/modules/sql/managed-instance/encryption-protector/README.md b/modules/sql/managed-instance/encryption-protector/README.md index 13cdbd792b..1d1125961d 100644 --- a/modules/sql/managed-instance/encryption-protector/README.md +++ b/modules/sql/managed-instance/encryption-protector/README.md 
@@ -37,9 +37,24 @@ This module deploys a SQL Managed Instance Encryption Protector. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | +### Parameter: `serverKeyName` + +The name of the SQL managed instance key. + +- Required: Yes +- Type: string + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `autoRotationEnabled` Key auto rotation opt-in flag. + - Required: No - Type: bool - Default: `False` @@ -47,25 +62,15 @@ Key auto rotation opt-in flag. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `serverKeyName` - -The name of the SQL managed instance key. -- Required: Yes -- Type: string - ### Parameter: `serverKeyType` The encryption protector type like "ServiceManaged", "AzureKeyVault". + - Required: No - Type: string - Default: `'ServiceManaged'` diff --git a/modules/sql/managed-instance/key/README.md b/modules/sql/managed-instance/key/README.md index 327b954416..48c0a3fe3e 100644 --- a/modules/sql/managed-instance/key/README.md +++ b/modules/sql/managed-instance/key/README.md 
@@ -37,28 +37,32 @@ This module deploys a SQL Managed Instance Key. | [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | | [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | -### Parameter: `enableDefaultTelemetry` +### Parameter: `name` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +The name of the key. Must follow the [__] pattern. + +- Required: Yes +- Type: string ### Parameter: `managedInstanceName` The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `name` +### Parameter: `enableDefaultTelemetry` -The name of the key. Must follow the [__] pattern. -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ### Parameter: `serverKeyType` The encryption protector type like "ServiceManaged", "AzureKeyVault". + - Required: No - Type: string - Default: `'ServiceManaged'` @@ -73,6 +77,7 @@ The encryption protector type like "ServiceManaged", "AzureKeyVault". ### Parameter: `uri` The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. + - Required: No - Type: string - Default: `''` diff --git a/modules/sql/managed-instance/security-alert-policy/README.md b/modules/sql/managed-instance/security-alert-policy/README.md index 436ccd6b78..30d21ff3a8 100644 --- a/modules/sql/managed-instance/security-alert-policy/README.md +++ b/modules/sql/managed-instance/security-alert-policy/README.md 
@@ -37,9 +37,24 @@ This module deploys a SQL Managed Instance Security Alert Policy. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`state`](#parameter-state) | string | Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. | +### Parameter: `name` + +The name of the security alert policy. + +- Required: Yes +- Type: string + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `emailAccountAdmins` Specifies that the schedule scan notification will be is sent to the subscription administrators. + - Required: No - Type: bool - Default: `False` @@ -47,25 +62,15 @@ Specifies that the schedule scan notification will be is sent to the subscriptio ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the security alert policy. -- Required: Yes -- Type: string - ### Parameter: `state` Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. + - Required: No - Type: string - Default: `'Disabled'` diff --git a/modules/sql/managed-instance/vulnerability-assessment/README.md b/modules/sql/managed-instance/vulnerability-assessment/README.md index f785799af0..a231617216 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/README.md +++ b/modules/sql/managed-instance/vulnerability-assessment/README.md 
@@ -42,9 +42,31 @@ This module deploys a SQL Managed Instance Vulnerability Assessment. | [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. | | [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | +### Parameter: `name` + +The name of the vulnerability assessment. + +- Required: Yes +- Type: string + +### Parameter: `storageAccountResourceId` + +A blob storage to hold the scan results. + +- Required: Yes +- Type: string + +### Parameter: `managedInstanceName` + +The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `createStorageRoleAssignment` Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. + - Required: No - Type: bool - Default: `True` @@ -52,25 +74,15 @@ Create the Storage Blob Data Contributor role assignment on the storage account. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `managedInstanceName` - -The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `name` - -The name of the vulnerability assessment. -- Required: Yes -- Type: string - ### Parameter: `recurringScansEmails` Specifies an array of email addresses to which the scan notification is sent. + - Required: No - Type: array - Default: `[]` 
@@ -78,6 +90,7 @@ Specifies an array of email addresses to which the scan notification is sent. ### Parameter: `recurringScansEmailSubscriptionAdmins` Specifies that the schedule scan notification will be is sent to the subscription administrators. + - Required: No - Type: bool - Default: `False` @@ -85,19 +98,15 @@ Specifies that the schedule scan notification will be is sent to the subscriptio ### Parameter: `recurringScansIsEnabled` Recurring scans state. + - Required: No - Type: bool - Default: `False` -### Parameter: `storageAccountResourceId` - -A blob storage to hold the scan results. -- Required: Yes -- Type: string - ### Parameter: `useStorageAccountAccessKey` Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL MI system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. + - Required: No - Type: bool - Default: `False` diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index c9aff2d0db..66ae1bdfeb 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -1100,9 +1100,17 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. | | [`vulnerabilityAssessmentsObj`](#parameter-vulnerabilityassessmentsobj) | object | The vulnerability assessment configuration. | +### Parameter: `name` + +The name of the server. + +- Required: Yes +- Type: string + ### Parameter: `administratorLogin` The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. + - Required: No - Type: string - Default: `''` 
@@ -1110,6 +1118,7 @@ The administrator username for the server. Required if no `administrators` objec ### Parameter: `administratorLoginPassword` The administrator login password. Required if no `administrators` object for AAD authentication is provided. + - Required: No - Type: securestring - Default: `''` @@ -1117,13 +1126,23 @@ The administrator login password. Required if no `administrators` object for AAD ### Parameter: `administrators` The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. + - Required: No - Type: object - Default: `{}` +### Parameter: `primaryUserAssignedIdentityId` + +The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `databases` The databases to create in the server. + - Required: No - Type: array - Default: `[]` @@ -1131,6 +1150,7 @@ The databases to create in the server. ### Parameter: `elasticPools` The Elastic Pools to create in the server. + - Required: No - Type: array - Default: `[]` @@ -1138,6 +1158,7 @@ The Elastic Pools to create in the server. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1145,6 +1166,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `encryptionProtectorObj` The encryption protection configuration. + - Required: No - Type: object - Default: `{}` @@ -1152,6 +1174,7 @@ The encryption protection configuration. ### Parameter: `firewallRules` The firewall rules to create in the server. + - Required: No - Type: array - Default: `[]` @@ -1159,6 +1182,7 @@ The firewall rules to create in the server. ### Parameter: `keys` The keys to configure. + - Required: No - Type: array - Default: `[]` 
@@ -1166,6 +1190,7 @@ The keys to configure. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1173,26 +1198,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1200,25 +1234,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -1226,6 +1262,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `minimalTlsVersion` Minimal TLS version allowed. + - Required: No - Type: string - Default: `'1.2'` 
@@ -1238,213 +1275,250 @@ Minimal TLS version allowed. ] ``` -### Parameter: `name` - -The name of the server. -- Required: Yes -- Type: string - -### Parameter: `primaryUserAssignedIdentityId` - -The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. -- Required: No -- Type: string -- Default: `''` - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. 
| -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. 
| +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. 
+### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. 
- Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. 
The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. 
- Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The name of the private endpoint. +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. 
- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1452,6 +1526,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. + - Required: No - Type: string - Default: `''` @@ -1467,6 +1542,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `restrictOutboundNetworkAccess` Whether or not to restrict outbound network access for this server. + - Required: No - Type: string - Default: `''` 
@@ -1482,74 +1558,96 @@ Whether or not to restrict outbound network access for this server. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. 
The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +**Optional parameters** -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `securityAlertPolicies` The security alert policies to create in the server. + - Required: No - Type: array - Default: `[]` @@ -1557,12 +1655,14 @@ The security alert policies to create in the server. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `virtualNetworkRules` The virtual network rules to create in the server. + - Required: No - Type: array - Default: `[]` @@ -1570,6 +1670,7 @@ The virtual network rules to create in the server. ### Parameter: `vulnerabilityAssessmentsObj` The vulnerability assessment configuration. + - Required: No - Type: object - Default: `{}` diff --git a/modules/sql/server/database/README.md b/modules/sql/server/database/README.md index 4909365a8f..3afe36f94b 100644 --- a/modules/sql/server/database/README.md +++ b/modules/sql/server/database/README.md @@ -67,9 +67,24 @@ This module deploys an Azure SQL Server Database. | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this database is zone redundant. | +### Parameter: `name` + +The name of the database. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `autoPauseDelay` Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled. + - Required: No - Type: int - Default: `0` @@ -77,6 +92,7 @@ Time in minutes after which database is automatically paused. A value of -1 mean ### Parameter: `backupLongTermRetentionPolicy` The long term backup retention policy to create for the database. + - Required: No - Type: object - Default: `{}` 
@@ -84,6 +100,7 @@ The long term backup retention policy to create for the database. ### Parameter: `backupShortTermRetentionPolicy` The short term backup retention policy to create for the database. + - Required: No - Type: object - Default: `{}` @@ -91,6 +108,7 @@ The short term backup retention policy to create for the database. ### Parameter: `collation` The collation of the database. + - Required: No - Type: string - Default: `'SQL_Latin1_General_CP1_CI_AS'` @@ -98,6 +116,7 @@ The collation of the database. ### Parameter: `createMode` Specifies the mode of database creation. + - Required: No - Type: string - Default: `'Default'` 
@@ -118,114 +137,90 @@ Specifies the mode of database creation. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. 
| -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. 
| +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. 
- -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. 
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -233,6 +228,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `elasticPoolId` The resource ID of the elastic pool containing this database. + - Required: No - Type: string - Default: `''` @@ -240,6 +236,7 @@ The resource ID of the elastic pool containing this database. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -247,6 +244,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `highAvailabilityReplicaCount` The number of readonly secondary replicas associated with the database. + - Required: No - Type: int - Default: `0` @@ -254,6 +252,7 @@ The number of readonly secondary replicas associated with the database. ### Parameter: `isLedgerOn` Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. + - Required: No - Type: bool - Default: `False` @@ -261,6 +260,7 @@ Whether or not this database is a ledger database, which means all tables in the ### Parameter: `licenseType` The license type to apply for this database. + - Required: No - Type: string - Default: `''` @@ -268,6 +268,7 @@ The license type to apply for this database. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -275,6 +276,7 @@ Location for all resources. ### Parameter: `maintenanceConfigurationId` Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. + - Required: No - Type: string - Default: `''` @@ -282,6 +284,7 @@ Maintenance configuration ID assigned to the database. This configuration define ### Parameter: `maxSizeBytes` The max size of the database expressed in bytes. + - Required: No - Type: int - Default: `34359738368` @@ -289,19 +292,15 @@ The max size of the database expressed in bytes. ### Parameter: `minCapacity` Minimal capacity that database will always have allocated. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -The name of the database. -- Required: Yes -- Type: string - ### Parameter: `preferredEnclaveType` Type of enclave requested on the database i.e. Default or VBS enclaves. + - Required: No - Type: string - Default: `''` @@ -317,6 +316,7 @@ Type of enclave requested on the database i.e. Default or VBS enclaves. ### Parameter: `readScale` The state of read-only routing. + - Required: No - Type: string - Default: `'Disabled'` @@ -331,6 +331,7 @@ The state of read-only routing. ### Parameter: `recoveryServicesRecoveryPointResourceId` Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. + - Required: No - Type: string - Default: `''` @@ -338,6 +339,7 @@ Resource ID of backup if createMode set to RestoreLongTermRetentionBackup. ### Parameter: `requestedBackupStorageRedundancy` The storage account type to be used to store backups for this database. + - Required: No - Type: string - Default: `''` @@ -354,6 +356,7 @@ The storage account type to be used to store backups for this database. ### Parameter: `restorePointInTime` Point in time (ISO8601 format) of the source database to restore when createMode set to Restore or PointInTimeRestore. + - Required: No - Type: string - Default: `''` 
@@ -361,19 +364,15 @@ Point in time (ISO8601 format) of the source database to restore when createMode ### Parameter: `sampleName` The name of the sample schema to apply when creating this database. + - Required: No - Type: string - Default: `''` -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `skuCapacity` Capacity of the particular SKU. + - Required: No - Type: int - Default: `-1` @@ -381,6 +380,7 @@ Capacity of the particular SKU. ### Parameter: `skuFamily` If the service has different generations of hardware, for the same SKU, then that can be captured here. + - Required: No - Type: string - Default: `''` @@ -388,6 +388,7 @@ If the service has different generations of hardware, for the same SKU, then tha ### Parameter: `skuName` The name of the SKU. + - Required: No - Type: string - Default: `'GP_Gen5_2'` @@ -395,6 +396,7 @@ The name of the SKU. ### Parameter: `skuSize` Size of the particular SKU. + - Required: No - Type: string - Default: `''` @@ -402,6 +404,7 @@ Size of the particular SKU. ### Parameter: `skuTier` The skuTier or edition of the particular SKU. + - Required: No - Type: string - Default: `'GeneralPurpose'` @@ -409,6 +412,7 @@ The skuTier or edition of the particular SKU. ### Parameter: `sourceDatabaseDeletionDate` The time that the database was deleted when restoring a deleted database. + - Required: No - Type: string - Default: `''` @@ -416,6 +420,7 @@ The time that the database was deleted when restoring a deleted database. ### Parameter: `sourceDatabaseResourceId` Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore, Recovery or Restore. + - Required: No - Type: string - Default: `''` 
@@ -423,12 +428,14 @@ Resource ID of database if createMode set to Copy, Secondary, PointInTimeRestore ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneRedundant` Whether or not this database is zone redundant. + - Required: No - Type: bool - Default: `False` diff --git a/modules/sql/server/database/backup-long-term-retention-policy/README.md b/modules/sql/server/database/backup-long-term-retention-policy/README.md index 3a8d87595a..657bb34d3d 100644 --- a/modules/sql/server/database/backup-long-term-retention-policy/README.md +++ b/modules/sql/server/database/backup-long-term-retention-policy/README.md @@ -37,12 +37,21 @@ This module deploys an Azure SQL Server Database Long-Term Backup Retention Poli ### Parameter: `databaseName` The name of the parent database. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,19 +59,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `monthlyRetention` Weekly retention in ISO 8601 duration format. + - Required: No - Type: string - Default: `''` -### Parameter: `serverName` - -The name of the parent SQL Server. -- Required: Yes -- Type: string - ### Parameter: `weeklyRetention` Monthly retention in ISO 8601 duration format. + - Required: No - Type: string - Default: `''` @@ -70,6 +75,7 @@ Monthly retention in ISO 8601 duration format. ### Parameter: `weekOfYear` Week of year backup to keep for yearly retention. + - Required: No - Type: int - Default: `1` @@ -77,6 +83,7 @@ Week of year backup to keep for yearly retention. ### Parameter: `yearlyRetention` Yearly retention in ISO 8601 duration format. + - Required: No - Type: string - Default: `''` 
diff --git a/modules/sql/server/database/backup-short-term-retention-policy/README.md b/modules/sql/server/database/backup-short-term-retention-policy/README.md index d6df1d73e8..5b9bab597d 100644 --- a/modules/sql/server/database/backup-short-term-retention-policy/README.md +++ b/modules/sql/server/database/backup-short-term-retention-policy/README.md @@ -35,12 +35,21 @@ This module deploys an Azure SQL Server Database Short-Term Backup Retention Pol ### Parameter: `databaseName` The name of the parent database. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. + - Required: Yes - Type: string ### Parameter: `diffBackupIntervalInHours` Differential backup interval in hours. + - Required: No - Type: int - Default: `24` @@ -48,6 +57,7 @@ Differential backup interval in hours. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -55,16 +65,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `retentionDays` Poin-in-time retention in days. + - Required: No - Type: int - Default: `7` -### Parameter: `serverName` - -The name of the parent SQL Server. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/sql/server/elastic-pool/README.md b/modules/sql/server/elastic-pool/README.md index f4489258fb..f3f1863128 100644 --- a/modules/sql/server/elastic-pool/README.md +++ b/modules/sql/server/elastic-pool/README.md 
@@ -48,9 +48,24 @@ This module deploys an Azure SQL Server Elastic Pool. | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. | +### Parameter: `name` + +The name of the Elastic Pool. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `databaseMaxCapacity` The maximum capacity any one database can consume. + - Required: No - Type: int - Default: `2` @@ -58,6 +73,7 @@ The maximum capacity any one database can consume. ### Parameter: `databaseMinCapacity` The minimum capacity all databases are guaranteed. + - Required: No - Type: int - Default: `0` @@ -65,6 +81,7 @@ The minimum capacity all databases are guaranteed. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -72,6 +89,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `highAvailabilityReplicaCount` The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. + - Required: No - Type: int - Default: `-1` @@ -79,6 +97,7 @@ The number of secondary replicas associated with the elastic pool that are used ### Parameter: `licenseType` The license type to apply for this elastic pool. + - Required: No - Type: string - Default: `'LicenseIncluded'` @@ -93,6 +112,7 @@ The license type to apply for this elastic pool. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -100,6 +120,7 @@ Location for all resources. ### Parameter: `maintenanceConfigurationId` Maintenance configuration resource ID assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. + - Required: No - Type: string - Default: `''` @@ -107,6 +128,7 @@ Maintenance configuration resource ID assigned to the elastic pool. This configu ### Parameter: `maxSizeBytes` The storage limit for the database elastic pool in bytes. + - Required: No - Type: int - Default: `34359738368` @@ -114,25 +136,15 @@ The storage limit for the database elastic pool in bytes. ### Parameter: `minCapacity` Minimal capacity that serverless pool will not shrink below, if not paused. + - Required: No - Type: int - Default: `-1` -### Parameter: `name` - -The name of the Elastic Pool. -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `skuCapacity` Capacity of the particular SKU. + - Required: No - Type: int - Default: `2` @@ -140,6 +152,7 @@ Capacity of the particular SKU. ### Parameter: `skuName` The name of the SKU, typically, a letter + Number code, e.g. P3. + - Required: No - Type: string - Default: `'GP_Gen5'` @@ -147,6 +160,7 @@ The name of the SKU, typically, a letter + Number code, e.g. P3. ### Parameter: `skuTier` The tier or edition of the particular SKU, e.g. Basic, Premium. + - Required: No - Type: string - Default: `'GeneralPurpose'` @@ -154,12 +168,14 @@ The tier or edition of the particular SKU, e.g. Basic, Premium. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `zoneRedundant` Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. + - Required: No - Type: bool - Default: `False` 
diff --git a/modules/sql/server/encryption-protector/README.md b/modules/sql/server/encryption-protector/README.md index 241d32d52d..4807f2ee25 100644 --- a/modules/sql/server/encryption-protector/README.md +++ b/modules/sql/server/encryption-protector/README.md @@ -37,9 +37,24 @@ This module deploys an Azure SQL Server Encryption Protector. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type. | +### Parameter: `serverKeyName` + +The name of the server key. + +- Required: Yes +- Type: string + +### Parameter: `sqlServerName` + +The name of the sql server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `autoRotationEnabled` Key auto rotation opt-in. + - Required: No - Type: bool - Default: `False` @@ -47,19 +62,15 @@ Key auto rotation opt-in. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `serverKeyName` - -The name of the server key. -- Required: Yes -- Type: string - ### Parameter: `serverKeyType` The encryption protector type. + - Required: No - Type: string - Default: `'ServiceManaged'` @@ -71,12 +82,6 @@ The encryption protector type. ] ``` -### Parameter: `sqlServerName` - -The name of the sql server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/sql/server/firewall-rule/README.md b/modules/sql/server/firewall-rule/README.md index ba542bf482..adbb3b1ee1 100644 --- a/modules/sql/server/firewall-rule/README.md +++ b/modules/sql/server/firewall-rule/README.md 
@@ -37,9 +37,24 @@ This module deploys an Azure SQL Server Firewall Rule. | [`endIpAddress`](#parameter-endipaddress) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. | | [`startIpAddress`](#parameter-startipaddress) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. | +### Parameter: `name` + +The name of the Server Firewall Rule. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` 
@@ -47,25 +62,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `endIpAddress` The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses. + - Required: No - Type: string - Default: `'0.0.0.0'` -### Parameter: `name` - -The name of the Server Firewall Rule. -- Required: Yes -- Type: string - -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `startIpAddress` The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses. + - Required: No - Type: string - Default: `'0.0.0.0'` 
diff --git a/modules/sql/server/key/README.md b/modules/sql/server/key/README.md
index 778972e853..f2e1ac3ea2 100644
--- a/modules/sql/server/key/README.md
+++ b/modules/sql/server/key/README.md
@@ -37,22 +37,32 @@ This module deploys an Azure SQL Server Key. | [`serverKeyType`](#parameter-serverkeytype) | string | The encryption protector type like "ServiceManaged", "AzureKeyVault". | | [`uri`](#parameter-uri) | string | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | +### Parameter: `name` + +The name of the key. Must follow the [__] pattern. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the key. Must follow the [__] pattern. -- Required: Yes -- Type: string - ### Parameter: `serverKeyType` The encryption protector type like "ServiceManaged", "AzureKeyVault". + - Required: No - Type: string - Default: `'ServiceManaged'` 
@@ -64,15 +74,10 @@ The encryption protector type like "ServiceManaged", "AzureKeyVault". ] ``` -### Parameter: `serverName` - -The name of the parent SQL server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `uri` The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. + - Required: No - Type: string - Default: `''` 
diff --git a/modules/sql/server/security-alert-policy/README.md b/modules/sql/server/security-alert-policy/README.md
index 208dc6904b..6a90d70d38 100644
--- a/modules/sql/server/security-alert-policy/README.md
+++ b/modules/sql/server/security-alert-policy/README.md
@@ -42,9 +42,24 @@ This module deploys an Azure SQL Server Security Alert Policy. | [`storageAccountAccessKey`](#parameter-storageaccountaccesskey) | securestring | Specifies the identifier key of the Threat Detection audit storage account.. | | [`storageEndpoint`](#parameter-storageendpoint) | string | Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. | +### Parameter: `name` + +The name of the Security Alert Policy. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The name of the parent SQL Server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `disabledAlerts` Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force. + - Required: No - Type: array - Default: `[]` 
@@ -52,6 +67,7 @@ Specifies an array of alerts that are disabled. Allowed values are: Sql_Injectio ### Parameter: `emailAccountAdmins` Specifies that the alert is sent to the account administrators. + - Required: No - Type: bool - Default: `False` 
@@ -59,6 +75,7 @@ Specifies that the alert is sent to the account administrators. ### Parameter: `emailAddresses` Specifies an array of email addresses to which the alert is sent. + - Required: No - Type: array - Default: `[]` 
@@ -66,32 +83,23 @@ Specifies an array of email addresses to which the alert is sent. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the Security Alert Policy. -- Required: Yes -- Type: string - ### Parameter: `retentionDays` Specifies the number of days to keep in the Threat Detection audit logs. + - Required: No - Type: int - Default: `0` -### Parameter: `serverName` - -The name of the parent SQL Server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `state` Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. + - Required: No - Type: string - Default: `'Disabled'` 
@@ -106,6 +114,7 @@ Specifies the state of the policy, whether it is enabled or disabled or a policy ### Parameter: `storageAccountAccessKey` Specifies the identifier key of the Threat Detection audit storage account.. + - Required: No - Type: securestring - Default: `''` 
@@ -113,6 +122,7 @@ Specifies the identifier key of the Threat Detection audit storage account.. ### Parameter: `storageEndpoint` Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. + - Required: No - Type: string - Default: `''` 
diff --git a/modules/sql/server/virtual-network-rule/README.md b/modules/sql/server/virtual-network-rule/README.md
index 147908a95b..a0eaf2fb10 100644
--- a/modules/sql/server/virtual-network-rule/README.md
+++ b/modules/sql/server/virtual-network-rule/README.md
@@ -37,37 +37,42 @@ This module deploys an Azure SQL Server Virtual Network Rule. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`ignoreMissingVnetServiceEndpoint`](#parameter-ignoremissingvnetserviceendpoint) | bool | Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. | -### Parameter: `enableDefaultTelemetry` +### Parameter: `name` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +The name of the Server Virtual Network Rule. -### Parameter: `ignoreMissingVnetServiceEndpoint` +- Required: Yes +- Type: string -Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. -- Required: No -- Type: bool -- Default: `False` +### Parameter: `virtualNetworkSubnetId` -### Parameter: `name` +The resource ID of the virtual network subnet. -The name of the Server Virtual Network Rule. - Required: Yes - Type: string ### Parameter: `serverName` The name of the parent SQL Server. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `virtualNetworkSubnetId` +### Parameter: `enableDefaultTelemetry` -The resource ID of the virtual network subnet. -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ignoreMissingVnetServiceEndpoint` + +Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. + +- Required: No +- Type: bool +- Default: `False` ## Outputs 
diff --git a/modules/sql/server/vulnerability-assessment/README.md b/modules/sql/server/vulnerability-assessment/README.md
index 145b70da61..24fa7fed0b 100644
--- a/modules/sql/server/vulnerability-assessment/README.md
+++ b/modules/sql/server/vulnerability-assessment/README.md
@@ -42,9 +42,31 @@ This module deploys an Azure SQL Server Vulnerability Assessment. | [`recurringScansIsEnabled`](#parameter-recurringscansisenabled) | bool | Recurring scans state. | | [`useStorageAccountAccessKey`](#parameter-usestorageaccountaccesskey) | bool | Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. | +### Parameter: `name` + +The name of the vulnerability assessment. + +- Required: Yes +- Type: string + +### Parameter: `storageAccountResourceId` + +A blob storage to hold the scan results. + +- Required: Yes +- Type: string + +### Parameter: `serverName` + +The Name of SQL Server. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `createStorageRoleAssignment` Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account. + - Required: No - Type: bool - Default: `True` 
@@ -52,19 +74,15 @@ Create the Storage Blob Data Contributor role assignment on the storage account. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `name` - -The name of the vulnerability assessment. -- Required: Yes -- Type: string - ### Parameter: `recurringScansEmails` Specifies an array of email addresses to which the scan notification is sent. + - Required: No - Type: array - Default: `[]` 
@@ -72,6 +90,7 @@ Specifies an array of email addresses to which the scan notification is sent. ### Parameter: `recurringScansEmailSubscriptionAdmins` Specifies that the schedule scan notification will be is sent to the subscription administrators. + - Required: No - Type: bool - Default: `False` 
@@ -79,25 +98,15 @@ Specifies that the schedule scan notification will be is sent to the subscriptio ### Parameter: `recurringScansIsEnabled` Recurring scans state. + - Required: No - Type: bool - Default: `False` -### Parameter: `serverName` - -The Name of SQL Server. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - -### Parameter: `storageAccountResourceId` - -A blob storage to hold the scan results. -- Required: Yes -- Type: string - ### Parameter: `useStorageAccountAccessKey` Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account. + - Required: No - Type: bool - Default: `False` 
diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md
index d6d27552a8..15e4f69073 100644
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -1864,9 +1864,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`tableServices`](#parameter-tableservices) | object | Table service and tables to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | +### Parameter: `name` + +Name of the Storage Account. + +- Required: Yes +- Type: string + ### Parameter: `accessTier` Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. + - Required: No - Type: string - Default: `'Hot'` 
@@ -1879,9 +1887,18 @@ Required if the Storage Account kind is set to BlobStorage. The access tier is u ] ``` +### Parameter: `enableHierarchicalNamespace` + +If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `allowBlobPublicAccess` Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. + - Required: No - Type: bool - Default: `False` 
@@ -1889,6 +1906,7 @@ Indicates whether public access is enabled for all blobs or containers in the st ### Parameter: `allowCrossTenantReplication` Allow or disallow cross AAD tenant object replication. + - Required: No - Type: bool - Default: `True` 
@@ -1896,6 +1914,7 @@ Allow or disallow cross AAD tenant object replication. ### Parameter: `allowedCopyScope` Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. + - Required: No - Type: string - Default: `''` 
@@ -1911,6 +1930,7 @@ Restrict copy to and from Storage Accounts within an AAD tenant or with Private ### Parameter: `allowSharedKeyAccess` Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. + - Required: No - Type: bool - Default: `True` 
@@ -1918,6 +1938,7 @@ Indicates whether the storage account permits requests to be authorized with the ### Parameter: `azureFilesIdentityBasedAuthentication` Provides the identity based authentication settings for Azure Files. + - Required: No - Type: object - Default: `{}` 
@@ -1925,6 +1946,7 @@ Provides the identity based authentication settings for Azure Files. ### Parameter: `blobServices` Blob service and containers to deploy. + - Required: No - Type: object - Default: `{}` 
@@ -1932,6 +1954,7 @@ Blob service and containers to deploy. ### Parameter: `customDomainName` Sets the custom domain name assigned to the storage account. Name is the CNAME source. + - Required: No - Type: string - Default: `''` 
@@ -1939,6 +1962,7 @@ Sets the custom domain name assigned to the storage account. Name is the CNAME s ### Parameter: `customDomainUseSubDomainName` Indicates whether indirect CName validation is enabled. This should only be set on updates. + - Required: No - Type: bool - Default: `False` 
@@ -1946,41 +1970,48 @@ Indicates whether indirect CName validation is enabled. This should only be set ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. 
| ### Parameter: `customerManagedKey.keyName` -Required. The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string 
@@ -1988,6 +2019,7 @@ Optional. User assigned identity to use when fetching the customer managed key. ### Parameter: `defaultToOAuthAuthentication` A boolean flag which indicates whether the default authentication is OAuth or not. + - Required: No - Type: bool - Default: `False` 
@@ -1995,86 +2027,82 @@ A boolean flag which indicates whether the default authentication is OAuth or no ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string 
@@ -2082,6 +2110,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `dnsEndpointType` Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. + - Required: No - Type: string - Default: `''` 
@@ -2097,20 +2126,15 @@ Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` -### Parameter: `enableHierarchicalNamespace` - -If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true. - Required: No - Type: bool -- Default: `False` +- Default: `True` ### Parameter: `enableNfsV3` If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. + - Required: No - Type: bool - Default: `False` 
@@ -2118,6 +2142,7 @@ If true, enables NFS 3.0 support for the storage account. Requires enableHierarc ### Parameter: `enableSftp` If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. + - Required: No - Type: bool - Default: `False` 
@@ -2125,6 +2150,7 @@ If true, enables Secure File Transfer Protocol for the storage account. Requires ### Parameter: `fileServices` File service and shares to deploy. + - Required: No - Type: object - Default: `{}` 
@@ -2132,6 +2158,7 @@ File service and shares to deploy. ### Parameter: `isLocalUserEnabled` Enables local users feature, if set to true. + - Required: No - Type: bool - Default: `False` 
@@ -2139,6 +2166,7 @@ Enables local users feature, if set to true. ### Parameter: `kind` Type of Storage Account to create. + - Required: No - Type: string - Default: `'StorageV2'` 
@@ -2156,6 +2184,7 @@ Type of Storage Account to create. ### Parameter: `largeFileSharesState` Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). + - Required: No - Type: string - Default: `'Disabled'` 
@@ -2170,6 +2199,7 @@ Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is e ### Parameter: `localUsers` Local users to deploy for SFTP authentication. + - Required: No - Type: array - Default: `[]` 
@@ -2177,6 +2207,7 @@ Local users to deploy for SFTP authentication. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -2184,26 +2215,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -2211,25 +2251,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array 
@@ -2237,6 +2279,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managementPolicyRules` The Storage Account ManagementPolicies Rules. + - Required: No - Type: array - Default: `[]` 
@@ -2244,6 +2287,7 @@ The Storage Account ManagementPolicies Rules. ### Parameter: `minimumTlsVersion` Set the minimum TLS version on request to storage. + - Required: No - Type: string - Default: `'TLS1_2'` 
@@ -2256,15 +2300,10 @@ Set the minimum TLS version on request to storage. ] ``` -### Parameter: `name` - -Name of the Storage Account. -- Required: Yes -- Type: string - ### Parameter: `networkAcls` Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. + - Required: No - Type: object - Default: `{}` 
@@ -2272,197 +2311,247 @@ Networks ACLs, this value contains IPs to whitelist and/or Subnet information. F ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +**Optional parameters** -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. 
| +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -- Required: No -- Type: array +### Parameter: `privateEndpoints.service` -### Parameter: `privateEndpoints.customDnsConfigs` +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -Optional. Custom DNS configurations. +- Required: Yes +- Type: string -- Required: No -- Type: array +### Parameter: `privateEndpoints.subnetResourceId` + +Resource ID of the subnet where the endpoint needs to be created. 
-| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. 
| -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. +### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The name of the private endpoint. +**Optional parameters** -- Required: No +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +Version of the condition. - Required: No -- Type: array +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. Array of role assignments to create. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.description` -Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Required. Resource ID of the subnet where the endpoint needs to be created. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `privateEndpoints.tags` -Optional. 
Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -2470,6 +2559,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. + - Required: No - Type: string - Default: `''` @@ -2485,6 +2575,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `queueServices` Queue service and queues to create. + - Required: No - Type: object - Default: `{}` @@ -2492,6 +2583,7 @@ Queue service and queues to create. ### Parameter: `requireInfrastructureEncryption` A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. + - Required: No - Type: bool - Default: `True` 
@@ -2499,74 +2591,96 @@ A Boolean indicating whether or not the service applies a secondary layer of enc ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sasExpirationPeriod` The SAS expiration period. DD.HH:MM:SS. + - Required: No - Type: string - Default: `''` @@ -2574,6 +2688,7 @@ The SAS expiration period. DD.HH:MM:SS. ### Parameter: `skuName` Storage Account Sku Name. + - Required: No - Type: string - Default: `'Standard_GRS'` @@ -2594,6 +2709,7 @@ Storage Account Sku Name. ### Parameter: `supportsHttpsTrafficOnly` Allows HTTPS traffic only to storage service if sets to true. + - Required: No - Type: bool - Default: `True` @@ -2601,6 +2717,7 @@ Allows HTTPS traffic only to storage service if sets to true. ### Parameter: `tableServices` Table service and tables to create. + - Required: No - Type: object - Default: `{}` @@ -2608,6 +2725,7 @@ Table service and tables to create. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/storage/storage-account/blob-service/README.md b/modules/storage/storage-account/blob-service/README.md index 6e8044ec03..34a9181734 100644 --- a/modules/storage/storage-account/blob-service/README.md +++ b/modules/storage/storage-account/blob-service/README.md 
@@ -50,9 +50,17 @@ This module deploys a Storage Account Blob Service. | [`restorePolicyDays`](#parameter-restorepolicydays) | int | How long this blob can be restored. It should be less than DeleteRetentionPolicy days. | | [`restorePolicyEnabled`](#parameter-restorepolicyenabled) | bool | The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. | +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `automaticSnapshotPolicyEnabled` Automatic Snapshot is enabled if set to true. + - Required: No - Type: bool - Default: `False` @@ -60,6 +68,7 @@ Automatic Snapshot is enabled if set to true. ### Parameter: `changeFeedEnabled` The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service. + - Required: No - Type: bool - Default: `True` @@ -67,12 +76,14 @@ The blob service properties for change feed events. Indicates whether change fee ### Parameter: `changeFeedRetentionInDays` Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. A "0" value indicates an infinite retention of the change feed. + - Required: No - Type: int ### Parameter: `containerDeleteRetentionPolicyAllowPermanentDelete` This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. + - Required: No - Type: bool - Default: `False` 
@@ -80,12 +91,14 @@ This property when set to true allows deletion of the soft deleted blob versions ### Parameter: `containerDeleteRetentionPolicyDays` Indicates the number of days that the deleted item should be retained. + - Required: No - Type: int ### Parameter: `containerDeleteRetentionPolicyEnabled` The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled. + - Required: No - Type: bool - Default: `True` @@ -93,6 +106,7 @@ The blob service properties for container soft delete. Indicates whether DeleteR ### Parameter: `containers` Blob containers to create. + - Required: No - Type: array - Default: `[]` @@ -100,6 +114,7 @@ Blob containers to create. ### Parameter: `corsRules` Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. + - Required: No - Type: array - Default: `[]` @@ -107,6 +122,7 @@ Specifies CORS rules for the Blob service. You can include up to five CorsRule e ### Parameter: `defaultServiceVersion` Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. + - Required: No - Type: string - Default: `''` @@ -114,6 +130,7 @@ Indicates the default version to use for requests to the Blob service if an inco ### Parameter: `deleteRetentionPolicyAllowPermanentDelete` This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share. + - Required: No - Type: bool - Default: `False` 
@@ -121,12 +138,14 @@ This property when set to true allows deletion of the soft deleted blob versions ### Parameter: `deleteRetentionPolicyDays` Indicates the number of days that the deleted blob should be retained. + - Required: No - Type: int ### Parameter: `deleteRetentionPolicyEnabled` The blob service properties for blob soft delete. + - Required: No - Type: bool - Default: `True` 
@@ -134,114 +153,90 @@ The blob service properties for blob soft delete. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -249,6 +244,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -256,6 +252,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `isVersioningEnabled` Use versioning to automatically maintain previous versions of your blobs. + - Required: No - Type: bool - Default: `True` @@ -263,6 +260,7 @@ Use versioning to automatically maintain previous versions of your blobs. ### Parameter: `lastAccessTimeTrackingPolicyEnabled` The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled. + - Required: No - Type: bool - Default: `False` 
@@ -270,22 +268,18 @@ The blob service property to configure last access time based tracking policy. W ### Parameter: `restorePolicyDays` How long this blob can be restored. It should be less than DeleteRetentionPolicy days. + - Required: No - Type: int ### Parameter: `restorePolicyEnabled` The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled. + - Required: No - Type: bool - Default: `True` -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md index 8090c24588..34149b563a 100644 --- a/modules/storage/storage-account/blob-service/container/README.md +++ b/modules/storage/storage-account/blob-service/container/README.md @@ -47,9 +47,24 @@ This module deploys a Storage Account Blob Container. | [`publicAccess`](#parameter-publicaccess) | string | Specifies whether data in the container may be accessed publicly and the level of access. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | +### Parameter: `name` + +The name of the storage container to deploy. + +- Required: Yes +- Type: string + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `defaultEncryptionScope` Default the container to use specified encryption scope for all writes. + - Required: No - Type: string - Default: `''` 
@@ -57,6 +72,7 @@ Default the container to use specified encryption scope for all writes. ### Parameter: `denyEncryptionScopeOverride` Block override of encryption scope from the container default. + - Required: No - Type: bool - Default: `False` @@ -64,6 +80,7 @@ Block override of encryption scope from the container default. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -71,6 +88,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `enableNfsV3AllSquash` Enable NFSv3 all squash on blob container. + - Required: No - Type: bool - Default: `False` @@ -78,6 +96,7 @@ Enable NFSv3 all squash on blob container. ### Parameter: `enableNfsV3RootSquash` Enable NFSv3 root squash on blob container. + - Required: No - Type: bool - Default: `False` @@ -85,6 +104,7 @@ Enable NFSv3 root squash on blob container. ### Parameter: `immutabilityPolicyName` Name of the immutable policy. + - Required: No - Type: string - Default: `'default'` @@ -92,6 +112,7 @@ Name of the immutable policy. ### Parameter: `immutabilityPolicyProperties` Configure immutability policy. + - Required: No - Type: object - Default: `{}` @@ -99,6 +120,7 @@ Configure immutability policy. ### Parameter: `immutableStorageWithVersioningEnabled` This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. + - Required: No - Type: bool - Default: `False` 
@@ -106,19 +128,15 @@ This is an immutable property, when set to true it enables object level immutabi ### Parameter: `metadata` A name-value pair to associate with the container as metadata. + - Required: No - Type: object - Default: `{}` -### Parameter: `name` - -The name of the storage container to deploy. -- Required: Yes -- Type: string - ### Parameter: `publicAccess` Specifies whether data in the container may be accessed publicly and the level of access. + - Required: No - Type: string - Default: `'None'` 
@@ -134,76 +152,91 @@ Specifies whether data in the container may be accessed publicly and the level o ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `storageAccountName` +### Parameter: `roleAssignments.principalType` -The name of the parent Storage Account. Required if the template is used in a standalone deployment. 
-- Required: Yes +The principal type of the assigned principal ID. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ## Outputs diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md b/modules/storage/storage-account/blob-service/container/immutability-policy/README.md index 119022a4e9..074aec61c7 100644 --- a/modules/storage/storage-account/blob-service/container/immutability-policy/README.md +++ b/modules/storage/storage-account/blob-service/container/immutability-policy/README.md @@ -33,9 +33,24 @@ This module deploys a Storage Account Blob Container Immutability Policy. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`immutabilityPeriodSinceCreationInDays`](#parameter-immutabilityperiodsincecreationindays) | int | The immutability period for the blobs in the container since the policy creation, in days. | +### Parameter: `containerName` + +The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `allowProtectedAppendWrites` This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. + - Required: No - Type: bool - Default: `True` 
@@ -43,19 +58,15 @@ This property can only be changed for unlocked time-based retention policies. Wh ### Parameter: `allowProtectedAppendWritesAll` This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both "Append and Block Blobs" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The "allowProtectedAppendWrites" and "allowProtectedAppendWritesAll" properties are mutually exclusive. + - Required: No - Type: bool - Default: `True` -### Parameter: `containerName` - -The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -63,16 +74,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `immutabilityPeriodSinceCreationInDays` The immutability period for the blobs in the container since the policy creation, in days. + - Required: No - Type: int - Default: `365` -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md index 115e31eaf4..1bef3a67d8 100644 --- a/modules/storage/storage-account/file-service/README.md +++ b/modules/storage/storage-account/file-service/README.md 
@@ -37,117 +37,100 @@ This module deploys a Storage Account File Share Service. | [`shareDeleteRetentionPolicy`](#parameter-sharedeleteretentionpolicy) | object | The service properties for soft delete. | | [`shares`](#parameter-shares) | array | File shares to create. | +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -155,6 +138,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -162,6 +146,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `name` The name of the file service. + - Required: No - Type: string - Default: `'default'` @@ -169,6 +154,7 @@ The name of the file service. ### Parameter: `protocolSettings` Protocol settings for file service. + - Required: No - Type: object - Default: `{}` @@ -176,6 +162,7 @@ Protocol settings for file service. ### Parameter: `shareDeleteRetentionPolicy` The service properties for soft delete. + - Required: No - Type: object - Default: @@ -189,16 +176,11 @@ The service properties for soft delete. ### Parameter: `shares` File shares to create. + - Required: No - Type: array - Default: `[]` -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs 
diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md
index 5be390f912..ae421797c0 100644
--- a/modules/storage/storage-account/file-service/share/README.md
+++ b/modules/storage/storage-account/file-service/share/README.md
@@ -42,9 +42,17 @@ This module deploys a Storage Account File Share.
 | [`rootSquash`](#parameter-rootsquash) | string | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. |
 | [`shareQuota`](#parameter-sharequota) | int | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). |
+### Parameter: `name`
+
+The name of the file share to create.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `accessTier`
 Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to "Premium"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool.
+
 - Required: No
 - Type: string
 - Default: `'TransactionOptimized'`
@@ -58,9 +66,25 @@ Access tier for specific share. Required if the Storage Account kind is set to F
 ]
 ```
+### Parameter: `fileServicesName`
+
+The name of the parent file service. Required if the template is used in a standalone deployment.
+
+- Required: No
+- Type: string
+- Default: `'default'`
+
+### Parameter: `storageAccountName`
+
+The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -68,6 +92,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `enabledProtocols`
 The authentication protocol that is used for the file share. Can only be specified when creating a share.
+
 - Required: No
 - Type: string
 - Default: `'SMB'`
@@ -79,90 +104,99 @@ The authentication protocol that is used for the file share. Can only be specifi ] ``` -### Parameter: `fileServicesName` +### Parameter: `roleAssignments` + +Array of role assignments to create. -The name of the parent file service. Required if the template is used in a standalone deployment. - Required: No -- Type: string -- Default: `'default'` +- Type: array -### Parameter: `name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| + +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. -The name of the file share to create. - Required: Yes - Type: string -### Parameter: `roleAssignments` - -Array of role assignments to create. -- Required: No -- Type: array +### Parameter: `roleAssignments.roleDefinitionIdOrName` +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +- Required: Yes +- Type: string ### Parameter: `roleAssignments.condition` -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string ### Parameter: `roleAssignments.conditionVersion` -Optional. Version of the condition. +Version of the condition. - Required: No - Type: string -- Allowed: `[2.0]` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` ### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The Resource Id of the delegated managed identity resource. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string ### Parameter: `roleAssignments.description` -Optional. The description of the role assignment. +The description of the role assignment. - Required: No - Type: string -### Parameter: `roleAssignments.principalId` - -Required. The principal ID of the principal (user/group/identity) to assign the role to. - -- Required: Yes -- Type: string - ### Parameter: `roleAssignments.principalType` -Optional. The principal type of the assigned principal ID. +The principal type of the assigned principal ID. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` - -### Parameter: `roleAssignments.roleDefinitionIdOrName` - -Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `rootSquash` Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. + - Required: No - Type: string - Default: `'NoRootSquash'` @@ -178,16 +212,11 @@ Permissions for NFS file shares are enforced by the client OS rather than the Az ### Parameter: `shareQuota` The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). + - Required: No - Type: int - Default: `5120` -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/storage/storage-account/local-user/README.md b/modules/storage/storage-account/local-user/README.md index 9f2197327d..f6ddd9aa7a 100644 --- a/modules/storage/storage-account/local-user/README.md +++ b/modules/storage/storage-account/local-user/README.md 
@@ -41,64 +41,73 @@ This module deploys a Storage Account Local User, which is used for SFTP authent
 | [`homeDirectory`](#parameter-homedirectory) | string | The local user home directory. |
 | [`sshAuthorizedKeys`](#parameter-sshauthorizedkeys) | array | The local user SSH authorized keys for SFTP. |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `hasSharedKey`
-
-Indicates whether shared key exists. Set it to false to remove existing shared key.
-- Required: No
-- Type: bool
-- Default: `False`
-
 ### Parameter: `hasSshKey`
 Indicates whether SSH key exists. Set it to false to remove existing SSH key.
+
 - Required: Yes
 - Type: bool
 ### Parameter: `hasSshPassword`
 Indicates whether SSH password exists. Set it to false to remove existing SSH password.
+
 - Required: Yes
 - Type: bool
-### Parameter: `homeDirectory`
-
-The local user home directory.
-- Required: No
-- Type: string
-- Default: `''`
-
 ### Parameter: `name`
 The name of the local user used for SFTP Authentication.
+
 - Required: Yes
 - Type: string
 ### Parameter: `permissionScopes`
 The permission scopes of the local user.
+
 - Required: Yes
 - Type: array
+### Parameter: `storageAccountName`
+
+The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `hasSharedKey`
+
+Indicates whether shared key exists. Set it to false to remove existing shared key.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `homeDirectory`
+
+The local user home directory.
+
+- Required: No
+- Type: string
+- Default: `''`
+
 ### Parameter: `sshAuthorizedKeys`
 The local user SSH authorized keys for SFTP.
+
 - Required: No
 - Type: array
 - Default: `[]`
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/storage/storage-account/management-policy/README.md b/modules/storage/storage-account/management-policy/README.md
index 278fea96ea..1a8c25c5d1 100644
--- a/modules/storage/storage-account/management-policy/README.md
+++ b/modules/storage/storage-account/management-policy/README.md
@@ -35,25 +35,28 @@ This module deploys a Storage Account Management Policy.
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `rules`
 The Storage Account ManagementPolicies Rules.
+
 - Required: Yes
 - Type: array
 ### Parameter: `storageAccountName`
 The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
 ## Outputs
diff --git a/modules/storage/storage-account/queue-service/README.md b/modules/storage/storage-account/queue-service/README.md
index 7543d85557..7971dff96e 100644
--- a/modules/storage/storage-account/queue-service/README.md
+++ b/modules/storage/storage-account/queue-service/README.md
@@ -34,117 +34,100 @@ This module deploys a Storage Account Queue Service. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`queues`](#parameter-queues) | array | Queues to create. | +### Parameter: `storageAccountName` + +The name of the parent Storage Account. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
| +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -152,6 +135,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -159,16 +143,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `queues` Queues to create. + - Required: No - Type: array - Default: `[]` -### Parameter: `storageAccountName` - -The name of the parent Storage Account. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 5932d7872e..2d25dd1845 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md 
@@ -38,16 +38,10 @@ This module deploys a Storage Account Queue.
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `metadata`
 A name-value pair that represents queue metadata.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -55,82 +49,113 @@ A name-value pair that represents queue metadata.
### Parameter: `name`
The name of the storage queue to deploy.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `storageAccountName`
+
+The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
### Parameter: `roleAssignments`
Array of role assignments to create.
+
- Required: No
- Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-
-### Parameter: `roleAssignments.condition`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+**Optional parameters**
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
|
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.principalId`
-Optional. Version of the condition.
+The principal ID of the principal (user/group/identity) to assign the role to.
-- Required: No
+- Required: Yes
- Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. The Resource Id of the delegated managed identity resource.
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
- Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.condition`
-Optional. The description of the role assignment.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
- Required: No
- Type: string
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.conditionVersion`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+Version of the condition.
-- Required: Yes
+- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Optional. The principal type of the assigned principal ID.
+The Resource Id of the delegated managed identity resource.
- Required: No
- Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.description`
-Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The description of the role assignment.
-- Required: Yes
+- Required: No
- Type: string
-### Parameter: `storageAccountName`
+### Parameter: `roleAssignments.principalType`
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-- Required: Yes
+The principal type of the assigned principal ID.
+
+- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
## Outputs
diff --git a/modules/storage/storage-account/table-service/README.md b/modules/storage/storage-account/table-service/README.md
index 87435b1319..17526658f2 100644
--- a/modules/storage/storage-account/table-service/README.md
+++ b/modules/storage/storage-account/table-service/README.md
@@ -33,117 +33,100 @@ This module deploys a Storage Account Table Service.
| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
| [`tables`](#parameter-tables) | array | tables to create. |
+### Parameter: `storageAccountName`
+
+The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
### Parameter: `diagnosticSettings`
The diagnostic settings of the service.
+
- Required: No
- Type: array
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. |
-| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. 
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
-| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
-| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. |
-| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
-| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
|
+| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
+| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. |
+| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
+| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
+| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId`
-Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
+Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
- Required: No
- Type: string
### Parameter: `diagnosticSettings.eventHubName`
-Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
### Parameter: `diagnosticSettings.logAnalyticsDestinationType`
-Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
+A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
- Required: No
- Type: string
-- Allowed: `[AzureDiagnostics, Dedicated]`
+- Allowed:
+ ```Bicep
+ [
+ 'AzureDiagnostics'
+ 'Dedicated'
+ ]
+ ```
### Parameter: `diagnosticSettings.logCategoriesAndGroups`
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
- Required: No
- Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
-| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. |
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.category`
-
-Optional. 
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
-
-- Required: No
-- Type: string
-
-### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup`
-
-Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs.
-
-- Required: No
-- Type: string
-
-
### Parameter: `diagnosticSettings.marketplacePartnerResourceId`
-Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
+The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- Required: No
- Type: string
### Parameter: `diagnosticSettings.metricCategories`
-Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
+The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection.
- Required: No
- Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. |
-
-### Parameter: `diagnosticSettings.metricCategories.category`
-
-Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics.
-
-- Required: Yes
-- Type: string
-
-
### Parameter: `diagnosticSettings.name`
-Optional. The name of diagnostic setting.
+The name of diagnostic setting.
- Required: No
- Type: string
### Parameter: `diagnosticSettings.storageAccountResourceId`
-Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
### Parameter: `diagnosticSettings.workspaceResourceId`
-Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
+Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
@@ -151,19 +134,15 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
-### Parameter: `storageAccountName`
-
-The name of the parent Storage Account. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
### Parameter: `tables`
tables to create.
+
- Required: No
- Type: array
- Default: `[]`
diff --git a/modules/storage/storage-account/table-service/table/README.md b/modules/storage/storage-account/table-service/table/README.md
index 4d8bb2da13..797f1baa2a 100644
--- a/modules/storage/storage-account/table-service/table/README.md
+++ b/modules/storage/storage-account/table-service/table/README.md
@@ -35,25 +35,28 @@ This module deploys a Storage Account Table.
| :-- | :-- | :-- |
| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
### Parameter: `name`
Name of the table.
+
- Required: Yes
- Type: string
### Parameter: `storageAccountName`
The name of the parent Storage Account. Required if the template is used in a standalone deployment.
+
- Required: Yes
- Type: string
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
## Outputs
diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md
index 7b95540281..1cc54fa4b1 100644
--- a/modules/synapse/private-link-hub/README.md
+++ b/modules/synapse/private-link-hub/README.md
@@ -352,9 +352,17 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
+### Parameter: `name`
+
+The name of the Private Link Hub.
+
+- Required: Yes
+- Type: string
+
### Parameter: `enableDefaultTelemetry`
Enable telemetry via a Globally Unique Identifier (GUID).
+
- Required: No
- Type: bool
- Default: `True`
@@ -362,6 +370,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
### Parameter: `location`
The geo-location where the resource lives.
+
- Required: No
- Type: string
- Default: `[resourceGroup().location]`
@@ -369,230 +378,283 @@ The geo-location where the resource lives.
### Parameter: `lock`
The lock settings of the service.
+
- Required: No
- Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
- Required: No
- Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
- Required: No
- Type: string
-### Parameter: `name`
-
-The name of the Private Link Hub.
-- Required: Yes
-- Type: string
-
### Parameter: `privateEndpoints`
Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
+
- Required: No
- Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. |
-| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. |
-| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. 
Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
-| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. |
-| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. |
-| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. |
-| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
-| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
-| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
-| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
-| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
-| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. 
For example "vault" or "blob". |
+| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. |
-### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
+**Optional parameters**
-Optional. Application security groups in which the private endpoint IP configuration is included.
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
+| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
+| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
+| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
+| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
+| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
+| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
+| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. |
+| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
+| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
|
+| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
+| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
-- Required: No
-- Type: array
+### Parameter: `privateEndpoints.service`
-### Parameter: `privateEndpoints.customDnsConfigs`
+The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
-Optional. Custom DNS configurations.
+- Required: Yes
+- Type: string
-- Required: No
-- Type: array
+### Parameter: `privateEndpoints.subnetResourceId`
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
+Resource ID of the subnet where the endpoint needs to be created.
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+- Required: Yes
+- Type: string
-Required. Fqdn that resolves to private endpoint ip address.
+### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
+
+Application security groups in which the private endpoint IP configuration is included.
- Required: No
-- Type: string
+- Type: array
-### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+### Parameter: `privateEndpoints.customDnsConfigs`
-Required. A list of private ip addresses of the private endpoint.
+Custom DNS configurations.
-- Required: Yes
+- Required: No
- Type: array
-
### Parameter: `privateEndpoints.customNetworkInterfaceName`
-Optional. 
The custom name of the network interface attached to the private endpoint.
+The custom name of the network interface attached to the private endpoint.
- Required: No
- Type: string
### Parameter: `privateEndpoints.enableTelemetry`
-Optional. Enable/Disable usage telemetry for module.
+Enable/Disable usage telemetry for module.
- Required: No
- Type: bool
### Parameter: `privateEndpoints.ipConfigurations`
-Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
+A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
- Required: No
- Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
-| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
-
-### Parameter: `privateEndpoints.ipConfigurations.name`
+### Parameter: `privateEndpoints.location`
-Required. The name of the resource that is unique within a resource group.
+The location to deploy the private endpoint to.
-- Required: Yes
+- Required: No
- Type: string
-### Parameter: `privateEndpoints.ipConfigurations.properties`
+### Parameter: `privateEndpoints.lock`
-Required. Properties of private endpoint IP configurations.
+Specify the type of lock.
-- Required: Yes
+- Required: No
- Type: object
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
-| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. 
The member name of a group obtained from the remote resource that this private endpoint should connect to. |
-| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+**Optional parameters**
-### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. |
-Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+### Parameter: `privateEndpoints.lock.kind`
-- Required: Yes
+Specify the type of lock.
+
+- Required: No
- Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
-### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+### Parameter: `privateEndpoints.lock.name`
-Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+Specify the name of lock.
-- Required: Yes
+- Required: No
- Type: string
-### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
-Required. A private ip address obtained from the private endpoint's subnet.
+Manual PrivateLink Service Connections.
-- Required: Yes
-- Type: string
+- Required: No
+- Type: array
+
+### Parameter: `privateEndpoints.name`
+The name of the private endpoint.
+- Required: No
+- Type: string
-### Parameter: `privateEndpoints.location`
+### Parameter: `privateEndpoints.privateDnsZoneGroupName`
-Optional. The location to deploy the private endpoint to.
+The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
- Required: No
- Type: string
-### Parameter: `privateEndpoints.lock`
+### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
-Optional. Specify the type of lock.
+The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
- Required: No
-- Type: object
+- Type: array
-### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
+### Parameter: `privateEndpoints.roleAssignments`
-Optional. Manual PrivateLink Service Connections.
+Array of role assignments to create.
- Required: No
- Type: array
-### Parameter: `privateEndpoints.name`
+**Required parameters**
-Optional. The name of the private endpoint.
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-- Required: No
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. 
| +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +Version of the condition. - Required: No -- Type: array +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. Array of role assignments to create. +The Resource Id of the delegated managed identity resource. 
- Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.description` -Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Required. Resource ID of the subnet where the endpoint needs to be created. +The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object 
@@ -600,74 +662,96 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 0573d4ba92..2b9461cd16 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -732,9 +732,38 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | +### Parameter: `defaultDataLakeStorageAccountResourceId` + +Resource ID of the default ADLS Gen2 storage account. + +- Required: Yes +- Type: string + +### Parameter: `defaultDataLakeStorageFilesystem` + +The default ADLS Gen2 file system. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the Synapse Workspace. + +- Required: Yes +- Type: string + +### Parameter: `sqlAdministratorLogin` + +Login for administrator access to the workspace's SQL pools. + +- Required: Yes +- Type: string + ### Parameter: `allowedAadTenantIdsForLinking` Allowed AAD Tenant IDs For Linking. + - Required: No - Type: array - Default: `[]` @@ -742,6 +771,7 @@ Allowed AAD Tenant IDs For Linking. ### Parameter: `azureADOnlyAuthentication` Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. + - Required: No - Type: bool - Default: `False` 
@@ -749,155 +779,139 @@ Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. ### Parameter: `customerManagedKey` The customer managed key definition. + - Required: No - Type: object +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | Yes | string | Required. The name of the customer managed key to use for encryption. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | Yes | string | Required. The resource ID of a key vault to reference a customer managed key for encryption from. | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | No | string | Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | -| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | No | string | Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` -Required. 
The name of the customer managed key to use for encryption. +The name of the customer managed key to use for encryption. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVaultResourceId` -Required. The resource ID of a key vault to reference a customer managed key for encryption from. +The resource ID of a key vault to reference a customer managed key for encryption from. - Required: Yes - Type: string ### Parameter: `customerManagedKey.keyVersion` -Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - Required: No - Type: string ### Parameter: `customerManagedKey.userAssignedIdentityResourceId` -Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. - Required: No - Type: string -### Parameter: `defaultDataLakeStorageAccountResourceId` - -Resource ID of the default ADLS Gen2 storage account. -- Required: Yes -- Type: string - ### Parameter: `defaultDataLakeStorageCreateManagedPrivateEndpoint` Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account. + - Required: No - Type: bool - Default: `False` -### Parameter: `defaultDataLakeStorageFilesystem` - -The default ADLS Gen2 file system. -- Required: Yes -- Type: string - ### Parameter: `diagnosticSettings` The diagnostic settings of the service. 
+ - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. 
- Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -905,6 +919,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -912,6 +927,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `encryptionActivateWorkspace` Activate workspace by adding the system managed identity in the KeyVault containing the customer managed key and activating the workspace. + - Required: No - Type: bool - Default: `False` @@ -919,6 +935,7 @@ Activate workspace by adding the system managed identity in the KeyVault contain ### Parameter: `initialWorkspaceAdminObjectID` AAD object ID of initial workspace admin. + - Required: No - Type: string - Default: `''` @@ -926,6 +943,7 @@ AAD object ID of initial workspace admin. ### Parameter: `integrationRuntimes` The Integration Runtimes to create. + - Required: No - Type: array - Default: `[]` 
@@ -933,6 +951,7 @@ The Integration Runtimes to create. ### Parameter: `linkedAccessCheckOnTargetResource` Linked Access Check On Target Resource. + - Required: No - Type: bool - Default: `False` @@ -940,6 +959,7 @@ Linked Access Check On Target Resource. ### Parameter: `location` The geo-location where the resource lives. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -947,26 +967,35 @@ The geo-location where the resource lives. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -974,17 +1003,19 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: Yes - Type: array @@ -992,6 +1023,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `managedResourceGroupName` Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. + - Required: No - Type: string - Default: `''` @@ -999,19 +1031,15 @@ Workspace managed resource group. The resource group name uniquely identifies th ### Parameter: `managedVirtualNetwork` Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. + - Required: No - Type: bool - Default: `False` -### Parameter: `name` - -The name of the Synapse Workspace. -- Required: Yes -- Type: string - ### Parameter: `preventDataExfiltration` Prevent Data Exfiltration. + - Required: No - Type: bool - Default: `False` 
@@ -1019,197 +1047,247 @@ Prevent Data Exfiltration. ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. 
| -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` +**Optional parameters** -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. 
| +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -- Required: No -- Type: array +### Parameter: `privateEndpoints.service` -### Parameter: `privateEndpoints.customDnsConfigs` +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". + +- Required: Yes +- Type: string -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. 
-| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. -- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. 
| -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. | -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. 
+ +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** -Optional. The name of the private endpoint. 
+| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -- Required: No +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +Version of the condition. - Required: No -- Type: array +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. Array of role assignments to create. +The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.description` -Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Required. Resource ID of the subnet where the endpoint needs to be created. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1217,6 +1295,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Enable or Disable public network access to workspace. + - Required: No - Type: string - Default: `'Enabled'` @@ -1231,6 +1310,7 @@ Enable or Disable public network access to workspace. ### Parameter: `purviewResourceID` Purview Resource ID. + - Required: No - Type: string - Default: `''` 
@@ -1238,80 +1318,96 @@ Purview Resource ID. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `sqlAdministratorLogin` +### Parameter: `roleAssignments.principalType` -Login for administrator access to the workspace's SQL pools. 
-- Required: Yes +The principal type of the assigned principal ID. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sqlAdministratorLoginPassword` Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. + - Required: No - Type: string - Default: `''` @@ -1319,12 +1415,14 @@ Password for administrator access to the workspace's SQL pools. If you don't pro ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `workspaceRepositoryConfiguration` Git integration settings. + - Required: No - Type: object - Default: `{}` diff --git a/modules/synapse/workspace/integration-runtime/README.md b/modules/synapse/workspace/integration-runtime/README.md index 11fb0c65fe..20c5510bc2 100644 --- a/modules/synapse/workspace/integration-runtime/README.md +++ b/modules/synapse/workspace/integration-runtime/README.md @@ -37,22 +37,17 @@ This module deploys a Synapse Workspace Integration Runtime. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `name` The name of the Integration Runtime. + - Required: Yes - Type: string ### Parameter: `type` The type of Integration Runtime. + - Required: Yes - Type: string - Allowed: @@ -66,6 +61,7 @@ The type of Integration Runtime. ### Parameter: `typeProperties` Integration Runtime type properties. Required if type is "Managed". + - Required: No - Type: object - Default: `{}` 
@@ -73,9 +69,18 @@ Integration Runtime type properties. Required if type is "Managed". ### Parameter: `workspaceName` The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/synapse/workspace/key/README.md b/modules/synapse/workspace/key/README.md index 2221af30c0..667aefb54b 100644 --- a/modules/synapse/workspace/key/README.md +++ b/modules/synapse/workspace/key/README.md 
@@ -38,44 +38,50 @@ This module deploys a Synapse Workspaces Key. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `isActiveCMK` Used to activate the workspace after a customer managed key is provided. + - Required: Yes - Type: bool ### Parameter: `keyVaultResourceId` The resource ID of a key vault to reference a customer managed key for encryption from. -- Required: Yes -- Type: string - -### Parameter: `location` -The geo-location where the resource lives. -- Required: No +- Required: Yes - Type: string -- Default: `[resourceGroup().location]` ### Parameter: `name` Encryption key name. + - Required: Yes - Type: string ### Parameter: `workspaceName` The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The geo-location where the resource lives. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + ## Outputs diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index 94be45115b..658d35329c 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md 
@@ -511,29 +511,46 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a unique image template name. | -### Parameter: `baseTime` +### Parameter: `customizationSteps` -Do not provide a value! This date value is used to generate a unique image template name. -- Required: No +Customization steps to be run when building the VM image. + +- Required: Yes +- Type: array + +### Parameter: `imageSource` + +Image source definition in object format. + +- Required: Yes +- Type: object + +### Parameter: `name` + +Name prefix of the Image Template to be built by the Azure Image Builder service. + +- Required: Yes +- Type: string + +### Parameter: `userMsiName` + +Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. + +- Required: Yes - Type: string -- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` ### Parameter: `buildTimeoutInMinutes` Image build timeout in minutes. Allowed values: 0-960. 0 means the default 240 minutes. + - Required: No - Type: int - Default: `0` -### Parameter: `customizationSteps` - -Customization steps to be run when building the VM image. -- Required: Yes -- Type: array - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -541,6 +558,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `excludeFromLatest` Exclude the created Azure Compute Gallery image version from the latest. + - Required: No - Type: bool - Default: `False` 
@@ -548,19 +566,15 @@ Exclude the created Azure Compute Gallery image version from the latest. ### Parameter: `imageReplicationRegions` List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. + - Required: No - Type: array - Default: `[]` -### Parameter: `imageSource` - -Image source definition in object format. -- Required: Yes -- Type: object - ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -568,26 +582,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -595,19 +618,15 @@ Optional. Specify the name of lock. ### Parameter: `managedImageName` Name of the managed image that will be created in the AIB resourcegroup. + - Required: No - Type: string - Default: `''` -### Parameter: `name` - -Name prefix of the Image Template to be built by the Azure Image Builder service. -- Required: Yes -- Type: string - ### Parameter: `osDiskSizeGB` Specifies the size of OS disk. + - Required: No - Type: int - Default: `128` 
@@ -615,74 +634,96 @@ Specifies the size of OS disk. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `sigImageDefinitionId` Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. + - Required: No - Type: string - Default: `''` @@ -690,6 +731,7 @@ Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions ### Parameter: `sigImageVersion` Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). + - Required: No - Type: string - Default: `''` @@ -697,6 +739,7 @@ Version of the Shared Image Gallery Image. Supports the following Version Syntax ### Parameter: `stagingResourceGroup` Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. + - Required: No - Type: string - Default: `''` @@ -704,6 +747,7 @@ Resource ID of the staging resource group in the same subscription and location ### Parameter: `storageAccountType` Storage account type to be used to store the image in the Azure Compute Gallery. + - Required: No - Type: string - Default: `'Standard_LRS'` @@ -718,6 +762,7 @@ Storage account type to be used to store the image in the Azure Compute Gallery. ### Parameter: `subnetId` Resource ID of an already existing subnet, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/.

If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. + - Required: No - Type: string - Default: `''` @@ -725,12 +770,14 @@ Resource ID of an already existing subnet, e.g.: /subscriptions/ ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `unManagedImageName` Name of the unmanaged image that will be created in the AIB resourcegroup. + - Required: No - Type: string - Default: `''` @@ -738,19 +785,15 @@ Name of the unmanaged image that will be created in the AIB resourcegroup. ### Parameter: `userAssignedIdentities` List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.

Be aware, the user assigned identity specified in the 'userMsiName' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. + - Required: No - Type: array - Default: `[]` -### Parameter: `userMsiName` - -Name of the User Assigned Identity to be used to deploy Image Templates in Azure Image Builder. -- Required: Yes -- Type: string - ### Parameter: `userMsiResourceGroup` Resource group of the user assigned identity. + - Required: No - Type: string - Default: `[resourceGroup().name]` @@ -758,10 +801,19 @@ Resource group of the user assigned identity. ### Parameter: `vmSize` Specifies the size for the VM. + - Required: No - Type: string - Default: `'Standard_D2s_v3'` +### Parameter: `baseTime` + +Do not provide a value! This date value is used to generate a unique image template name. + +- Required: No +- Type: string +- Default: `[utcNow('yyyy-MM-dd-HH-mm-ss')]` + ## Outputs diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index e05f020df9..5e0ce6d95d 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -255,9 +255,24 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`testLinks`](#parameter-testlinks) | array | Links to test the API connection. | +### Parameter: `displayName` + +Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. + +- Required: Yes +- Type: string + +### Parameter: `name` + +Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. + +- Required: Yes +- Type: string + ### Parameter: `api` Specific values for some API connections. + - Required: No - Type: object - Default: `{}` 
@@ -265,19 +280,15 @@ Specific values for some API connections. ### Parameter: `customParameterValues` Customized parameter values for specific connections. + - Required: No - Type: object - Default: `{}` -### Parameter: `displayName` - -Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. -- Required: Yes -- Type: string - ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -285,6 +296,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location of the deployment. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -292,39 +304,43 @@ Location of the deployment. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string -### Parameter: `name` - -Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. -- Required: Yes -- Type: string - ### Parameter: `nonSecretParameterValues` Dictionary of nonsecret parameter values. + - Required: No - Type: object - Default: `{}` @@ -332,6 +348,7 @@ Dictionary of nonsecret parameter values. ### Parameter: `parameterValues` Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. + - Required: No - Type: secureObject - Default: `{}` 
@@ -339,74 +356,96 @@ Connection strings or access keys for connection. Example: 'accountName' and 'ac ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +### Parameter: `roleAssignments.principalId` -- Required: No +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `statuses` Status of the connection. + - Required: No - Type: array - Default: `[]` @@ -414,12 +453,14 @@ Status of the connection. ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `testLinks` Links to test the API connection. + - Required: No - Type: array - Default: `[]` diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 1f8855f1a6..cd84a536b0 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md 
@@ -442,9 +442,40 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { | [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | +### Parameter: `name` + +Name of the App Service Environment. + +- Required: Yes +- Type: string + +### Parameter: `subnetResourceId` + +ResourceId for the subnet. + +- Required: Yes +- Type: string + +### Parameter: `customDnsSuffixCertificateUrl` + +The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `customDnsSuffixKeyVaultReferenceIdentity` + +The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `allowNewPrivateEndpointConnections` Property to enable and disable new private endpoint connection creation on ASE. Ignored when kind is set to ASEv2. + - Required: No - Type: bool - Default: `False` @@ -452,6 +483,7 @@ Property to enable and disable new private endpoint connection creation on ASE. ### Parameter: `clusterSettings` Custom settings for changing the behavior of the App Service Environment. + - Required: No - Type: array - Default: 
@@ -467,20 +499,7 @@ Custom settings for changing the behavior of the App Service Environment. ### Parameter: `customDnsSuffix` Enable the default custom domain suffix to use for all sites deployed on the ASE. If provided, then customDnsSuffixCertificateUrl and customDnsSuffixKeyVaultReferenceIdentity are required. Cannot be used when kind is set to ASEv2. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customDnsSuffixCertificateUrl` -The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. -- Required: No -- Type: string -- Default: `''` - -### Parameter: `customDnsSuffixKeyVaultReferenceIdentity` - -The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. Required if customDnsSuffix is not empty. Cannot be used when kind is set to ASEv2. - Required: No - Type: string - Default: `''` @@ -488,6 +507,7 @@ The user-assigned identity to use for resolving the key vault certificate refere ### Parameter: `dedicatedHostCount` The Dedicated Host Count. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. Cannot be used when kind is set to ASEv2. + - Required: No - Type: int - Default: `0` 
@@ -495,94 +515,82 @@ The Dedicated Host Count. If `zoneRedundant` is false, and you want physical har ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. 
+The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -590,6 +598,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `dnsSuffix` DNS suffix of the App Service Environment. + - Required: No - Type: string - Default: `''` @@ -597,6 +606,7 @@ DNS suffix of the App Service Environment. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -604,6 +614,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `frontEndScaleFactor` Scale factor for frontends. + - Required: No - Type: int - Default: `15` @@ -611,6 +622,7 @@ Scale factor for frontends. ### Parameter: `ftpEnabled` Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. + - Required: No - Type: bool - Default: `False` 
@@ -618,6 +630,7 @@ Property to enable and disable FTP on ASEV3. Ignored when kind is set to ASEv2. ### Parameter: `inboundIpAddressOverride` Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored when kind is set to ASEv2. + - Required: No - Type: string - Default: `''` @@ -625,6 +638,7 @@ Customer provided Inbound IP Address. Only able to be set on Ase create. Ignored ### Parameter: `internalLoadBalancingMode` Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. "None" Exposes the ASE-hosted apps on an internet-accessible IP address. + - Required: No - Type: string - Default: `'None'` @@ -641,6 +655,7 @@ Specifies which endpoints to serve internally in the Virtual Network for the App ### Parameter: `ipsslAddressCount` Number of IP SSL addresses reserved for the App Service Environment. Cannot be used when kind is set to ASEv3. + - Required: No - Type: int - Default: `0` @@ -648,6 +663,7 @@ Number of IP SSL addresses reserved for the App Service Environment. Cannot be u ### Parameter: `kind` Kind of resource. + - Required: No - Type: string - Default: `'ASEv3'` @@ -662,6 +678,7 @@ Kind of resource. ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -669,26 +686,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -696,25 +722,27 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array @@ -722,6 +750,7 @@ Optional. The resource ID(s) to assign to the resource. ### Parameter: `multiSize` Frontend VM size. Cannot be used when kind is set to ASEv3. + - Required: No - Type: string - Default: `''` @@ -742,15 +771,10 @@ Frontend VM size. Cannot be used when kind is set to ASEv3. ] ``` -### Parameter: `name` - -Name of the App Service Environment. -- Required: Yes -- Type: string - ### Parameter: `remoteDebugEnabled` Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. + - Required: No - Type: bool - Default: `False` 
@@ -758,86 +782,103 @@ Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set t ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -### Parameter: `roleAssignments.condition` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +**Optional parameters** -- Required: No -- Type: string +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.principalId` -Optional. Version of the condition. +The principal ID of the principal (user/group/identity) to assign the role to. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. The Resource Id of the delegated managed identity resource. 
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.condition` -Optional. The description of the role assignment. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.conditionVersion` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +Version of the condition. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Optional. The principal type of the assigned principal ID. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.description` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The description of the role assignment. -- Required: Yes +- Required: No - Type: string -### Parameter: `subnetResourceId` +### Parameter: `roleAssignments.principalType` -ResourceId for the subnet. -- Required: Yes +The principal type of the assigned principal ID. 
+ +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Resource tags. + - Required: No - Type: object ### Parameter: `upgradePreference` Specify preference for when and how the planned maintenance is applied. + - Required: No - Type: string - Default: `'None'` @@ -854,6 +895,7 @@ Specify preference for when and how the planned maintenance is applied. ### Parameter: `userWhitelistedIpRanges` User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. + - Required: No - Type: array - Default: `[]` @@ -861,6 +903,7 @@ User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. ### Parameter: `zoneRedundant` Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. + - Required: No - Type: bool - Default: `False` diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/README.md b/modules/web/hosting-environment/configuration--customdnssuffix/README.md index cc00a5bf05..38b2d7b578 100644 --- a/modules/web/hosting-environment/configuration--customdnssuffix/README.md +++ b/modules/web/hosting-environment/configuration--customdnssuffix/README.md 
@@ -40,33 +40,38 @@ This module deploys a Hosting Environment Custom DNS Suffix Configuration. ### Parameter: `certificateUrl` The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix. + - Required: Yes - Type: string ### Parameter: `dnsSuffix` Enable the default custom domain suffix to use for all sites deployed on the ASE. + - Required: Yes - Type: string -### Parameter: `enableDefaultTelemetry` +### Parameter: `keyVaultReferenceIdentity` -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` +The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. + +- Required: Yes +- Type: string ### Parameter: `hostingEnvironmentName` The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string -### Parameter: `keyVaultReferenceIdentity` +### Parameter: `enableDefaultTelemetry` -The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available. -- Required: Yes -- Type: string +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` ## Outputs diff --git a/modules/web/hosting-environment/configuration--networking/README.md b/modules/web/hosting-environment/configuration--networking/README.md index 9fb9176940..8b361c64f8 100644 --- a/modules/web/hosting-environment/configuration--networking/README.md +++ b/modules/web/hosting-environment/configuration--networking/README.md 
@@ -33,9 +33,17 @@ This module deploys a Hosting Environment Network Configuration. | [`inboundIpAddressOverride`](#parameter-inboundipaddressoverride) | string | Customer provided Inbound IP Address. Only able to be set on Ase create. | | [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. | +### Parameter: `hostingEnvironmentName` + +The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `allowNewPrivateEndpointConnections` Property to enable and disable new private endpoint connection creation on ASE. + - Required: No - Type: bool - Default: `False` @@ -43,6 +51,7 @@ Property to enable and disable new private endpoint connection creation on ASE. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -50,19 +59,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `ftpEnabled` Property to enable and disable FTP on ASEV3. + - Required: No - Type: bool - Default: `False` -### Parameter: `hostingEnvironmentName` - -The name of the parent Hosting Environment. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `inboundIpAddressOverride` Customer provided Inbound IP Address. Only able to be set on Ase create. + - Required: No - Type: string - Default: `''` @@ -70,6 +75,7 @@ Customer provided Inbound IP Address. Only able to be set on Ase create. ### Parameter: `remoteDebugEnabled` Property to enable and disable Remote Debug on ASEv3. + - Required: No - Type: bool - Default: `False` diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 79c2341050..fb2b37a291 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md 
@@ -332,9 +332,32 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`workerTierName`](#parameter-workertiername) | string | Target worker tier assigned to the App Service plan. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, this App Service Plan will perform availability zone balancing. | +### Parameter: `name` + +The name of the app service plan to deploy. + +- Required: Yes +- Type: string + +### Parameter: `sku` + +Defines the name, tier, size, family and capacity of the App Service Plan. + +- Required: Yes +- Type: object + +### Parameter: `reserved` + +Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `appServiceEnvironmentId` The Resource ID of the App Service Environment to use for the App Service Plan. + - Required: No - Type: string - Default: `''` 
@@ -342,86 +365,82 @@ The Resource ID of the App Service Environment to use for the App Service Plan. ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. 
| +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -429,6 +448,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -436,6 +456,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` 
@@ -443,26 +464,35 @@ Location for all resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string @@ -470,26 +500,15 @@ Optional. Specify the name of lock. ### Parameter: `maximumElasticWorkerCount` Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. + - Required: No - Type: int - Default: `1` -### Parameter: `name` - -The name of the app service plan to deploy. -- Required: Yes -- Type: string - ### Parameter: `perSiteScaling` If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `reserved` -Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true. - Required: No - Type: bool - Default: `False` 
@@ -497,86 +516,103 @@ Defaults to false when creating Windows/app App Service Plan. Required if creati ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. 
| +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. -- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+The principal type of the assigned principal ID. -- Required: Yes +- Required: No - Type: string - -### Parameter: `sku` - -Defines the name, tier, size, family and capacity of the App Service Plan. -- Required: Yes -- Type: object +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `targetWorkerCount` Scaling worker count. + - Required: No - Type: int - Default: `0` @@ -584,6 +620,7 @@ Scaling worker count. ### Parameter: `targetWorkerSize` The instance size of the hosting plan (small, medium, or large). + - Required: No - Type: int - Default: `0` @@ -599,6 +636,7 @@ The instance size of the hosting plan (small, medium, or large). ### Parameter: `workerTierName` Target worker tier assigned to the App Service plan. + - Required: No - Type: string - Default: `''` @@ -606,6 +644,7 @@ Target worker tier assigned to the App Service plan. ### Parameter: `zoneRedundant` When true, this App Service Plan will perform availability zone balancing. + - Required: No - Type: bool - Default: `False` diff --git a/modules/web/site/README.md b/modules/web/site/README.md index f5c22619c5..e1542f55c6 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md 
@@ -977,9 +977,41 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | | [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | +### Parameter: `kind` + +Type of site to deploy. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` + +### Parameter: `name` + +Name of the site. + +- Required: Yes +- Type: string + +### Parameter: `serverFarmResourceId` + +The resource ID of the app service plan to use for the site. + +- Required: Yes +- Type: string + ### Parameter: `appInsightResourceId` Resource ID of the app insight to leverage for this resource. + - Required: No - Type: string - Default: `''` @@ -987,6 +1019,7 @@ Resource ID of the app insight to leverage for this resource. ### Parameter: `appServiceEnvironmentResourceId` The resource ID of the app service environment to use for this resource. + - Required: No - Type: string - Default: `''` @@ -994,6 +1027,7 @@ The resource ID of the app service environment to use for this resource. ### Parameter: `appSettingsKeyValuePairs` The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. + - Required: No - Type: object - Default: `{}` @@ -1001,6 +1035,7 @@ The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboa ### Parameter: `authSettingV2Configuration` The auth settings V2 configuration. + - Required: No - Type: object - Default: `{}` 
@@ -1008,6 +1043,7 @@ The auth settings V2 configuration. ### Parameter: `basicPublishingCredentialsPolicies` The site publishing credential policy names which are associated with the sites. + - Required: No - Type: array - Default: `[]` @@ -1015,6 +1051,7 @@ The site publishing credential policy names which are associated with the sites. ### Parameter: `clientAffinityEnabled` If client affinity is enabled. + - Required: No - Type: bool - Default: `True` @@ -1022,6 +1059,7 @@ If client affinity is enabled. ### Parameter: `clientCertEnabled` To enable client certificate authentication (TLS mutual authentication). + - Required: No - Type: bool - Default: `False` @@ -1029,6 +1067,7 @@ To enable client certificate authentication (TLS mutual authentication). ### Parameter: `clientCertExclusionPaths` Client certificate authentication comma-separated exclusion paths. + - Required: No - Type: string - Default: `''` @@ -1036,6 +1075,7 @@ Client certificate authentication comma-separated exclusion paths. ### Parameter: `clientCertMode` This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. + - Required: No - Type: string - Default: `'Optional'` @@ -1051,6 +1091,7 @@ This composes with ClientCertEnabled setting.

- ClientCertEnabled: false mean ### Parameter: `cloningInfo` If specified during app creation, the app is cloned from a source app. + - Required: No - Type: object - Default: `{}` @@ -1058,6 +1099,7 @@ If specified during app creation, the app is cloned from a source app. ### Parameter: `containerSize` Size of the function container. + - Required: No - Type: int - Default: `-1` @@ -1065,6 +1107,7 @@ Size of the function container. ### Parameter: `customDomainVerificationId` Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. + - Required: No - Type: string - Default: `''` @@ -1072,6 +1115,7 @@ Unique identifier that verifies the custom domains assigned to the app. Customer ### Parameter: `dailyMemoryTimeQuota` Maximum allowed daily memory-time quota (applicable on dynamic apps only). + - Required: No - Type: int - Default: `-1` 
@@ -1079,114 +1123,90 @@ Maximum allowed daily memory-time quota (applicable on dynamic apps only). ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -1194,6 +1214,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enabled` Setting this value to false disables the app (takes the app offline). + - Required: No - Type: bool - Default: `True` @@ -1201,6 +1222,7 @@ Setting this value to false disables the app (takes the app offline). ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -1208,6 +1230,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `hostNameSslStates` Hostname SSL states are used to manage the SSL bindings for app's hostnames. + - Required: No - Type: array - Default: `[]` @@ -1215,6 +1238,7 @@ Hostname SSL states are used to manage the SSL bindings for app's hostnames. ### Parameter: `httpsOnly` Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. + - Required: No - Type: bool - Default: `True` @@ -1222,6 +1246,7 @@ Configures a site to accept only HTTPS requests. Issues redirect for HTTP reques ### Parameter: `hybridConnectionRelays` Names of hybrid connection relays to connect app with. + - Required: No - Type: array - Default: `[]` @@ -1229,6 +1254,7 @@ Names of hybrid connection relays to connect app with. ### Parameter: `hyperV` Hyper-V sandbox. + - Required: No - Type: bool - Default: `False` 
@@ -1236,29 +1262,15 @@ Hyper-V sandbox. ### Parameter: `keyVaultAccessIdentityResourceId` The resource ID of the assigned identity to be used to access a key vault with. + - Required: No - Type: string - Default: `''` -### Parameter: `kind` - -Type of site to deploy. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' - ] - ``` - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -1266,26 +1278,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -1293,229 +1314,275 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the site. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. 
Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. 
| -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. 
-- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. 
| -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +### Parameter: `privateEndpoints.lock.kind` -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +Specify the type of lock. -- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array +### Parameter: `privateEndpoints.name` +The name of the private endpoint. -### Parameter: `privateEndpoints.location` +- Required: No +- Type: string -Optional. The location to deploy the private endpoint to. 
+### Parameter: `privateEndpoints.privateDnsZoneGroupName` + +The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` -Optional. The name of the private endpoint. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
+The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -1523,6 +1590,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. + - Required: No - Type: string - Default: `''` @@ -1538,6 +1606,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `redundancyMode` Site redundancy mode. + - Required: No - Type: string - Default: `'None'` 
@@ -1555,87 +1624,104 @@ Site redundancy mode. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `scmSiteAlsoStopped` Stop SCM (KUDU) site when the app is stopped. + - Required: No - Type: bool - Default: `False` -### Parameter: `serverFarmResourceId` - -The resource ID of the app service plan to use for the site. -- Required: Yes -- Type: string - ### Parameter: `setAzureWebJobsDashboard` For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. + - Required: No - Type: bool - Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` @@ -1643,6 +1729,7 @@ For function apps. If true the app settings "AzureWebJobsDashboard" will be set. ### Parameter: `siteConfig` The site config object. + - Required: No - Type: object - Default: `{}` @@ -1650,6 +1737,7 @@ The site config object. ### Parameter: `slots` Configuration for deployment slots for an app. + - Required: No - Type: array - Default: `[]` @@ -1657,6 +1745,7 @@ Configuration for deployment slots for an app. ### Parameter: `storageAccountRequired` Checks if Customer provided storage account is required. + - Required: No - Type: bool - Default: `False` @@ -1664,6 +1753,7 @@ Checks if Customer provided storage account is required. ### Parameter: `storageAccountResourceId` Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. + - Required: No - Type: string - Default: `''` 
@@ -1671,12 +1761,14 @@ Required if app of kind functionapp. Resource ID of the storage account to manag ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `virtualNetworkSubnetId` Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. + - Required: No - Type: string - Default: `''` @@ -1684,6 +1776,7 @@ Azure Resource Manager ID of the Virtual network and subnet to be joined by Regi ### Parameter: `vnetContentShareEnabled` To enable accessing content over virtual network. + - Required: No - Type: bool - Default: `False` @@ -1691,6 +1784,7 @@ To enable accessing content over virtual network. ### Parameter: `vnetImagePullEnabled` To enable pulling image over Virtual Network. + - Required: No - Type: bool - Default: `False` @@ -1698,6 +1792,7 @@ To enable pulling image over Virtual Network. ### Parameter: `vnetRouteAllEnabled` Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. + - Required: No - Type: bool - Default: `False` diff --git a/modules/web/site/basic-publishing-credentials-policy/README.md b/modules/web/site/basic-publishing-credentials-policy/README.md index a442531e1e..518f921374 100644 --- a/modules/web/site/basic-publishing-credentials-policy/README.md +++ b/modules/web/site/basic-publishing-credentials-policy/README.md 
@@ -37,9 +37,31 @@ This module deploys a Web Site Basic Publishing Credentials Policy. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | +### Parameter: `name` + +The name of the resource. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'ftp' + 'scm' + ] + ``` + +### Parameter: `webAppName` + +The name of the parent web site. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + ### Parameter: `allow` Set to true to enable or false to disable a publishing method. + - Required: No - Type: bool - Default: `True` @@ -47,6 +69,7 @@ Set to true to enable or false to disable a publishing method. ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -54,29 +77,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the resource. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'ftp' - 'scm' - ] - ``` - -### Parameter: `webAppName` - -The name of the parent web site. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md index 3b93bb02ce..bf1c6c2401 100644 --- a/modules/web/site/config--appsettings/README.md +++ b/modules/web/site/config--appsettings/README.md 
@@ -40,22 +40,42 @@ This module deploys a Site App Setting. | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -### Parameter: `appInsightResourceId` +### Parameter: `kind` -Resource ID of the app insight to leverage for this resource. -- Required: No +Type of site to deploy. + +- Required: Yes - Type: string -- Default: `''` +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` ### Parameter: `appName` The name of the parent site resource. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `appInsightResourceId` + +Resource ID of the app insight to leverage for this resource. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `appSettingsKeyValuePairs` The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. + - Required: No - Type: object - Default: `{}` 
@@ -63,29 +83,15 @@ The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDas ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `kind` - -Type of site to deploy. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' - ] - ``` - ### Parameter: `setAzureWebJobsDashboard` For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. + - Required: No - Type: bool - Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` @@ -93,6 +99,7 @@ For function apps. If true the app settings "AzureWebJobsDashboard" will be set. ### Parameter: `storageAccountResourceId` Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. + - Required: No - Type: string - Default: `''` diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md index da797e6048..36f7ea8c2a 100644 --- a/modules/web/site/config--authsettingsv2/README.md +++ b/modules/web/site/config--authsettingsv2/README.md 
@@ -36,28 +36,17 @@ This module deploys a Site Auth Settings V2 Configuration. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -### Parameter: `appName` - -The name of the parent site resource. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `authSettingV2Configuration` The auth settings V2 configuration. + - Required: Yes - Type: object -### Parameter: `enableDefaultTelemetry` - -Enable telemetry via a Globally Unique Identifier (GUID). -- Required: No -- Type: bool -- Default: `True` - ### Parameter: `kind` Type of site to deploy. + - Required: Yes - Type: string - Allowed: @@ -71,6 +60,21 @@ Type of site to deploy. ] ``` +### Parameter: `appName` + +The name of the parent site resource. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `enableDefaultTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + ## Outputs diff --git a/modules/web/site/hybrid-connection-namespace/relay/README.md b/modules/web/site/hybrid-connection-namespace/relay/README.md index 20be37abae..920762c984 100644 --- a/modules/web/site/hybrid-connection-namespace/relay/README.md +++ b/modules/web/site/hybrid-connection-namespace/relay/README.md 
@@ -37,28 +37,32 @@ This module deploys a Site Hybrid Connection Namespace Relay. | [`location`](#parameter-location) | string | Location for all Resources. | | [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. | +### Parameter: `hybridConnectionResourceId` + +The resource ID of the relay namespace hybrid connection. + +- Required: Yes +- Type: string + ### Parameter: `appName` The name of the parent web site. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `hybridConnectionResourceId` - -The resource ID of the relay namespace hybrid connection. -- Required: Yes -- Type: string - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -66,6 +70,7 @@ Location for all Resources. ### Parameter: `sendKeyName` Name of the authorization rule send key to use. + - Required: No - Type: string - Default: `'defaultSender'` diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index ea3d48350f..f0b32f3fbf 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md 
@@ -82,22 +82,49 @@ This module deploys a Web or Function App Deployment Slot. | [`vnetImagePullEnabled`](#parameter-vnetimagepullenabled) | bool | To enable pulling image over Virtual Network. | | [`vnetRouteAllEnabled`](#parameter-vnetrouteallenabled) | bool | Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. | -### Parameter: `appInsightResourceId` +### Parameter: `kind` -Resource ID of the app insight to leverage for this resource. -- Required: No +Type of slot to deploy. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` + +### Parameter: `name` + +Name of the slot. + +- Required: Yes - Type: string -- Default: `''` ### Parameter: `appName` The name of the parent site resource. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `appInsightResourceId` + +Resource ID of the app insight to leverage for this resource. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `appServiceEnvironmentResourceId` The resource ID of the app service environment to use for this resource. + - Required: No - Type: string - Default: `''` @@ -105,6 +132,7 @@ The resource ID of the app service environment to use for this resource. ### Parameter: `appSettingsKeyValuePairs` The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. + - Required: No - Type: object - Default: `{}` @@ -112,6 +140,7 @@ The app settings-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboa ### Parameter: `authSettingV2Configuration` The auth settings V2 configuration. + - Required: No - Type: object - Default: `{}` 
@@ -119,6 +148,7 @@ The auth settings V2 configuration. ### Parameter: `basicPublishingCredentialsPolicies` The site publishing credential policy names which are associated with the site slot. + - Required: No - Type: array - Default: `[]` @@ -126,6 +156,7 @@ The site publishing credential policy names which are associated with the site s ### Parameter: `clientAffinityEnabled` If client affinity is enabled. + - Required: No - Type: bool - Default: `True` @@ -133,6 +164,7 @@ If client affinity is enabled. ### Parameter: `clientCertEnabled` To enable client certificate authentication (TLS mutual authentication). + - Required: No - Type: bool - Default: `False` @@ -140,6 +172,7 @@ To enable client certificate authentication (TLS mutual authentication). ### Parameter: `clientCertExclusionPaths` Client certificate authentication comma-separated exclusion paths. + - Required: No - Type: string - Default: `''` @@ -147,6 +180,7 @@ Client certificate authentication comma-separated exclusion paths. ### Parameter: `clientCertMode` This composes with ClientCertEnabled setting.

- ClientCertEnabled: false means ClientCert is ignored.

- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.

- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. + - Required: No - Type: string - Default: `'Optional'` @@ -162,6 +196,7 @@ This composes with ClientCertEnabled setting.

- ClientCertEnabled: false mean ### Parameter: `cloningInfo` If specified during app creation, the app is cloned from a source app. + - Required: No - Type: object - Default: `{}` @@ -169,6 +204,7 @@ If specified during app creation, the app is cloned from a source app. ### Parameter: `containerSize` Size of the function container. + - Required: No - Type: int - Default: `-1` @@ -176,6 +212,7 @@ Size of the function container. ### Parameter: `customDomainVerificationId` Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification. + - Required: No - Type: string - Default: `''` @@ -183,6 +220,7 @@ Unique identifier that verifies the custom domains assigned to the app. Customer ### Parameter: `dailyMemoryTimeQuota` Maximum allowed daily memory-time quota (applicable on dynamic apps only). + - Required: No - Type: int - Default: `-1` 
@@ -190,114 +228,90 @@ Maximum allowed daily memory-time quota (applicable on dynamic apps only). ### Parameter: `diagnosticSettings` The diagnostic settings of the service. + - Required: No - Type: array +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | No | string | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | No | string | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | No | string | Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | -| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | No | string | Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | -| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | No | array | Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | -| [`name`](#parameter-diagnosticsettingsname) | No | string | Optional. 
The name of diagnostic setting. | -| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | No | string | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | No | string | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`eventHubAuthorizationRuleResourceId`](#parameter-diagnosticsettingseventhubauthorizationruleresourceid) | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| [`eventHubName`](#parameter-diagnosticsettingseventhubname) | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`logAnalyticsDestinationType`](#parameter-diagnosticsettingsloganalyticsdestinationtype) | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. | +| [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. 
| +| [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | +| [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter: `diagnosticSettings.eventHubAuthorizationRuleResourceId` -Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. +Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. - Required: No - Type: string ### Parameter: `diagnosticSettings.eventHubName` -Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string ### Parameter: `diagnosticSettings.logAnalyticsDestinationType` -Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. +A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type. - Required: No - Type: string -- Allowed: `[AzureDiagnostics, Dedicated]` +- Allowed: + ```Bicep + [ + 'AzureDiagnostics' + 'Dedicated' + ] + ``` ### Parameter: `diagnosticSettings.logCategoriesAndGroups` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingslogcategoriesandgroupscategory) | No | string | Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. | -| [`categoryGroup`](#parameter-diagnosticsettingslogcategoriesandgroupscategorygroup) | No | string | Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. | - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.category` - -Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. - -- Required: No -- Type: string - -### Parameter: `diagnosticSettings.logCategoriesAndGroups.categoryGroup` - -Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs. - -- Required: No -- Type: string - - ### Parameter: `diagnosticSettings.marketplacePartnerResourceId` -Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. +The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. - Required: No - Type: string ### Parameter: `diagnosticSettings.metricCategories` -Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. +The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to '' to disable log collection. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`category`](#parameter-diagnosticsettingsmetriccategoriescategory) | Yes | string | Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. | - -### Parameter: `diagnosticSettings.metricCategories.category` - -Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics. - -- Required: Yes -- Type: string - - ### Parameter: `diagnosticSettings.name` -Optional. The name of diagnostic setting. +The name of diagnostic setting. - Required: No - Type: string ### Parameter: `diagnosticSettings.storageAccountResourceId` -Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
- Required: No - Type: string ### Parameter: `diagnosticSettings.workspaceResourceId` -Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. +Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. - Required: No - Type: string @@ -305,6 +319,7 @@ Optional. Resource ID of the diagnostic log analytics workspace. For security re ### Parameter: `enabled` Setting this value to false disables the app (takes the app offline). + - Required: No - Type: bool - Default: `True` @@ -312,6 +327,7 @@ Setting this value to false disables the app (takes the app offline). ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` @@ -319,6 +335,7 @@ Enable telemetry via the Customer Usage Attribution ID (GUID). ### Parameter: `hostNameSslStates` Hostname SSL states are used to manage the SSL bindings for app's hostnames. + - Required: No - Type: array - Default: `[]` @@ -326,6 +343,7 @@ Hostname SSL states are used to manage the SSL bindings for app's hostnames. ### Parameter: `httpsOnly` Configures a slot to accept only HTTPS requests. Issues redirect for HTTP requests. + - Required: No - Type: bool - Default: `True` @@ -333,6 +351,7 @@ Configures a slot to accept only HTTPS requests. Issues redirect for HTTP reques ### Parameter: `hybridConnectionRelays` Names of hybrid connection relays to connect app with. + - Required: No - Type: array - Default: `[]` @@ -340,6 +359,7 @@ Names of hybrid connection relays to connect app with. ### Parameter: `hyperV` Hyper-V sandbox. + - Required: No - Type: bool - Default: `False` 
@@ -347,29 +367,15 @@ Hyper-V sandbox. ### Parameter: `keyVaultAccessIdentityResourceId` The resource ID of the assigned identity to be used to access a key vault with. + - Required: No - Type: string - Default: `''` -### Parameter: `kind` - -Type of slot to deploy. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' - ] - ``` - ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -377,26 +383,35 @@ Location for all Resources. ### Parameter: `lock` The lock settings of the service. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | -| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | ### Parameter: `lock.kind` -Optional. Specify the type of lock. +Specify the type of lock. - Required: No - Type: string -- Allowed: `[CanNotDelete, None, ReadOnly]` +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` ### Parameter: `lock.name` -Optional. Specify the name of lock. +Specify the name of lock. - Required: No - Type: string 
@@ -404,229 +419,275 @@ Optional. Specify the name of lock. ### Parameter: `managedIdentities` The managed identity definition for this resource. + - Required: No - Type: object +**Optional parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | ### Parameter: `managedIdentities.systemAssigned` -Optional. Enables system assigned managed identity on the resource. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -Optional. The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. - Required: No - Type: array -### Parameter: `name` - -Name of the slot. -- Required: Yes -- Type: string - ### Parameter: `privateEndpoints` Configuration details for private endpoints. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. | -| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. 
| -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. | -| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | -| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. | -| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. | -| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. | -| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | -| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. 
| -| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | - -### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` - -Optional. Application security groups in which the private endpoint IP configuration is included. +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. | -- Required: No -- Type: array +**Optional parameters** -### Parameter: `privateEndpoints.customDnsConfigs` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. | +| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. | +| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. 
| +| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | +| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | +| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | -Optional. Custom DNS configurations. +### Parameter: `privateEndpoints.subnetResourceId` -- Required: No -- Type: array +Resource ID of the subnet where the endpoint needs to be created. -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. | -| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. | +- Required: Yes +- Type: string -### Parameter: `privateEndpoints.customDnsConfigs.fqdn` +### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Required. Fqdn that resolves to private endpoint ip address. +Application security groups in which the private endpoint IP configuration is included. - Required: No -- Type: string +- Type: array -### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses` +### Parameter: `privateEndpoints.customDnsConfigs` -Required. A list of private ip addresses of the private endpoint. +Custom DNS configurations. 
-- Required: Yes +- Required: No - Type: array - ### Parameter: `privateEndpoints.customNetworkInterfaceName` -Optional. The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the private endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.enableTelemetry` -Optional. Enable/Disable usage telemetry for module. +Enable/Disable usage telemetry for module. - Required: No - Type: bool ### Parameter: `privateEndpoints.ipConfigurations` -Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. - Required: No - Type: array -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. | -| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. | - -### Parameter: `privateEndpoints.ipConfigurations.name` +### Parameter: `privateEndpoints.location` -Required. The name of the resource that is unique within a resource group. +The location to deploy the private endpoint to. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties` +### Parameter: `privateEndpoints.lock` -Required. Properties of private endpoint IP configurations. +Specify the type of lock. -- Required: Yes +- Required: No - Type: object -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. 
| -| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. | -| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. | +**Optional parameters** -### Parameter: `privateEndpoints.ipConfigurations.properties.groupId` +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. | +| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. | -Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. +### Parameter: `privateEndpoints.lock.kind` -- Required: Yes +Specify the type of lock. + +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` -### Parameter: `privateEndpoints.ipConfigurations.properties.memberName` +### Parameter: `privateEndpoints.lock.name` -Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. +Specify the name of lock. -- Required: Yes +- Required: No - Type: string -### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress` +### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` -Required. A private ip address obtained from the private endpoint's subnet. +Manual PrivateLink Service Connections. -- Required: Yes -- Type: string +- Required: No +- Type: array + +### Parameter: `privateEndpoints.name` +The name of the private endpoint. +- Required: No +- Type: string -### Parameter: `privateEndpoints.location` +### Parameter: `privateEndpoints.privateDnsZoneGroupName` -Optional. The location to deploy the private endpoint to. 
+The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. - Required: No - Type: string -### Parameter: `privateEndpoints.lock` +### Parameter: `privateEndpoints.privateDnsZoneResourceIds` -Optional. Specify the type of lock. +The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. - Required: No -- Type: object +- Type: array -### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections` +### Parameter: `privateEndpoints.roleAssignments` -Optional. Manual PrivateLink Service Connections. +Array of role assignments to create. - Required: No - Type: array -### Parameter: `privateEndpoints.name` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. 
| +| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -Optional. The name of the private endpoint. +### Parameter: `privateEndpoints.roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `privateEndpoints.roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.roleAssignments.conditionVersion` -Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId` -Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. 
+The Resource Id of the delegated managed identity resource. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.roleAssignments` +### Parameter: `privateEndpoints.roleAssignments.description` -Optional. Array of role assignments to create. +The description of the role assignment. - Required: No -- Type: array +- Type: string -### Parameter: `privateEndpoints.service` +### Parameter: `privateEndpoints.roleAssignments.principalType` -Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". +The principal type of the assigned principal ID. - Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` -### Parameter: `privateEndpoints.subnetResourceId` +### Parameter: `privateEndpoints.service` -Required. Resource ID of the subnet where the endpoint needs to be created. +The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". -- Required: Yes +- Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Optional. Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/resource groups in this deployment. - Required: No - Type: object @@ -634,6 +695,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `publicNetworkAccess` Allow or block all public traffic. + - Required: No - Type: string - Default: `''` @@ -649,6 +711,7 @@ Allow or block all public traffic. ### Parameter: `redundancyMode` Site redundancy mode. + - Required: No - Type: string - Default: `'None'` 
@@ -666,74 +729,96 @@ Site redundancy mode. ### Parameter: `roleAssignments` Array of role assignments to create. + - Required: No - Type: array +**Required parameters** -| Name | Required | Type | Description | -| :-- | :-- | :--| :-- | -| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | -| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | -| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | -| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | -| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -### Parameter: `roleAssignments.condition` +**Optional parameters** -Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | -- Required: No +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes - Type: string -### Parameter: `roleAssignments.conditionVersion` +### Parameter: `roleAssignments.roleDefinitionIdOrName` -Optional. Version of the condition. +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
-- Required: No +- Required: Yes - Type: string -- Allowed: `[2.0]` -### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` +### Parameter: `roleAssignments.condition` -Optional. The Resource Id of the delegated managed identity resource. +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" - Required: No - Type: string -### Parameter: `roleAssignments.description` +### Parameter: `roleAssignments.conditionVersion` -Optional. The description of the role assignment. +Version of the condition. - Required: No - Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` -### Parameter: `roleAssignments.principalId` +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -Required. The principal ID of the principal (user/group/identity) to assign the role to. +The Resource Id of the delegated managed identity resource. -- Required: Yes +- Required: No - Type: string -### Parameter: `roleAssignments.principalType` +### Parameter: `roleAssignments.description` -Optional. The principal type of the assigned principal ID. +The description of the role assignment. - Required: No - Type: string -- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]` -### Parameter: `roleAssignments.roleDefinitionIdOrName` +### Parameter: `roleAssignments.principalType` -Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +The principal type of the assigned principal ID. 
-- Required: Yes +- Required: No - Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` ### Parameter: `serverFarmResourceId` The resource ID of the app service plan to use for the slot. + - Required: No - Type: string - Default: `''` @@ -741,6 +826,7 @@ The resource ID of the app service plan to use for the slot. ### Parameter: `setAzureWebJobsDashboard` For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. + - Required: No - Type: bool - Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` @@ -748,6 +834,7 @@ For function apps. If true the app settings "AzureWebJobsDashboard" will be set. ### Parameter: `siteConfig` The site config object. + - Required: No - Type: object - Default: `{}` @@ -755,6 +842,7 @@ The site config object. ### Parameter: `storageAccountRequired` Checks if Customer provided storage account is required. + - Required: No - Type: bool - Default: `False` @@ -762,6 +850,7 @@ Checks if Customer provided storage account is required. ### Parameter: `storageAccountResourceId` Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. + - Required: No - Type: string - Default: `''` @@ -769,12 +858,14 @@ Required if app of kind functionapp. Resource ID of the storage account to manag ### Parameter: `tags` Tags of the resource. + - Required: No - Type: object ### Parameter: `virtualNetworkSubnetId` Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. + - Required: No - Type: string - Default: `''` 
@@ -782,6 +873,7 @@ Azure Resource Manager ID of the Virtual network and subnet to be joined by Regi ### Parameter: `vnetContentShareEnabled` To enable accessing content over virtual network. + - Required: No - Type: bool - Default: `False` @@ -789,6 +881,7 @@ To enable accessing content over virtual network. ### Parameter: `vnetImagePullEnabled` To enable pulling image over Virtual Network. + - Required: No - Type: bool - Default: `False` @@ -796,6 +889,7 @@ To enable pulling image over Virtual Network. ### Parameter: `vnetRouteAllEnabled` Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied. + - Required: No - Type: bool - Default: `False` diff --git a/modules/web/site/slot/basic-publishing-credentials-policy/README.md b/modules/web/site/slot/basic-publishing-credentials-policy/README.md index 47e7844cd8..832ba049c9 100644 --- a/modules/web/site/slot/basic-publishing-credentials-policy/README.md +++ b/modules/web/site/slot/basic-publishing-credentials-policy/README.md 
@@ -38,22 +38,46 @@ This module deploys a Web Site Slot Basic Publishing Credentials Policy. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all Resources. | -### Parameter: `allow` +### Parameter: `name` -Set to true to enable or false to disable a publishing method. -- Required: No -- Type: bool -- Default: `True` +The name of the resource. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'ftp' + 'scm' + ] + ``` ### Parameter: `appName` The name of the parent web site. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `slotName` + +The name of the parent web site slot. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `allow` + +Set to true to enable or false to disable a publishing method. + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -61,29 +85,11 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all Resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The name of the resource. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'ftp' - 'scm' - ] - ``` - -### Parameter: `slotName` - -The name of the parent web site slot. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index ffdebce0c4..23a65a557e 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md 
@@ -41,22 +41,49 @@ This module deploys a Site Slot App Setting. | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. | -### Parameter: `appInsightResourceId` +### Parameter: `kind` -Resource ID of the app insight to leverage for this resource. -- Required: No +Type of slot to deploy. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'app' + 'functionapp' + 'functionapplinux' + 'functionappworkflowapp' + 'functionappworkflowapplinux' + ] + ``` + +### Parameter: `slotName` + +Slot name to be configured. + +- Required: Yes - Type: string -- Default: `''` ### Parameter: `appName` The name of the parent site resource. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string +### Parameter: `appInsightResourceId` + +Resource ID of the app insight to leverage for this resource. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `appSettingsKeyValuePairs` The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING. + - Required: No - Type: object - Default: `{}` 
@@ -64,42 +91,23 @@ The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDas ### Parameter: `enableDefaultTelemetry` Enable telemetry via the Customer Usage Attribution ID (GUID). + - Required: No - Type: bool - Default: `True` -### Parameter: `kind` - -Type of slot to deploy. -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'app' - 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' - ] - ``` - ### Parameter: `setAzureWebJobsDashboard` For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. + - Required: No - Type: bool - Default: `[if(contains(parameters('kind'), 'functionapp'), true(), false())]` -### Parameter: `slotName` - -Slot name to be configured. -- Required: Yes -- Type: string - ### Parameter: `storageAccountResourceId` Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions. + - Required: No - Type: string - Default: `''` diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index 2d99aeaef9..4bb4311a05 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md 
@@ -37,28 +37,17 @@ This module deploys a Site Auth Settings V2 Configuration.
 | :-- | :-- | :-- |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-### Parameter: `appName`
-
-The name of the parent site resource. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ### Parameter: `authSettingV2Configuration`
 The auth settings V2 configuration.
+
 - Required: Yes
 - Type: object
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via the Customer Usage Attribution ID (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `kind`
 Type of slot to deploy.
+
 - Required: Yes
 - Type: string
 - Allowed:
@@ -75,9 +64,25 @@ Type of slot to deploy.
 ### Parameter: `slotName`
 Slot name to be configured.
+
 - Required: Yes
 - Type: string
+### Parameter: `appName`
+
+The name of the parent site resource. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via the Customer Usage Attribution ID (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
 ## Outputs
diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md b/modules/web/site/slot/hybrid-connection-namespace/relay/README.md
index 33b731809b..7c1752c839 100644
--- a/modules/web/site/slot/hybrid-connection-namespace/relay/README.md
+++ b/modules/web/site/slot/hybrid-connection-namespace/relay/README.md
@@ -38,28 +38,39 @@ This module deploys a Site Slot Hybrid Connection Namespace Relay.
 | [`location`](#parameter-location) | string | Location for all Resources. |
 | [`sendKeyName`](#parameter-sendkeyname) | string | Name of the authorization rule send key to use. |
+### Parameter: `hybridConnectionResourceId`
+
+The resource ID of the relay namespace hybrid connection.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `appName`
 The name of the parent web site. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `slotName`
+
+The name of the site slot. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
-### Parameter: `hybridConnectionResourceId`
-
-The resource ID of the relay namespace hybrid connection.
-- Required: Yes
-- Type: string
-
 ### Parameter: `location`
 Location for all Resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -67,16 +78,11 @@ Location for all Resources.
 ### Parameter: `sendKeyName`
 Name of the authorization rule send key to use.
+
 - Required: No
 - Type: string
 - Default: `'defaultSender'`
-### Parameter: `slotName`
-
-The name of the site slot. Required if the template is used in a standalone deployment.
-- Required: Yes
-- Type: string
-
 ## Outputs
diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md
index c4dbc50149..8f561002f1 100644
--- a/modules/web/static-site/README.md
+++ b/modules/web/static-site/README.md
@@ -466,9 +466,17 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`templateProperties`](#parameter-templateproperties) | object | Template Options for the static site. |
+### Parameter: `name`
+
+Name of the static site.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `allowConfigFileUpdates`
 False if config file is locked for this static web app; otherwise, true.
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -476,6 +484,7 @@ False if config file is locked for this static web app; otherwise, true.
 ### Parameter: `appSettings`
 Static site app settings.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -483,6 +492,7 @@ Static site app settings.
 ### Parameter: `branch`
 The branch name of the GitHub repository.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -490,6 +500,7 @@ The branch name of the GitHub repository.
 ### Parameter: `buildProperties`
 Build properties for the static site.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -497,6 +508,7 @@ Build properties for the static site.
 ### Parameter: `customDomains`
 The custom domains associated with this static site. The deployment will fail as long as the validation records are not present.
+
 - Required: No
 - Type: array
 - Default: `[]`
@@ -504,6 +516,7 @@ The custom domains associated with this static site. The deployment will fail as
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -511,6 +524,7 @@ Enable telemetry via a Globally Unique Identifier (GUID).
 ### Parameter: `enterpriseGradeCdnStatus`
 State indicating the status of the enterprise grade CDN serving traffic to the static web app.
+
 - Required: No
 - Type: string
 - Default: `'Disabled'`
@@ -527,6 +541,7 @@ State indicating the status of the enterprise grade CDN serving traffic to the s
 ### Parameter: `functionAppSettings`
 Function app settings.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -534,6 +549,7 @@ Function app settings.
 ### Parameter: `linkedBackend`
 Object with "resourceId" and "location" of the a user defined function app.
+
 - Required: No
 - Type: object
 - Default: `{}`
@@ -541,6 +557,7 @@ Object with "resourceId" and "location" of the a user defined function app.
 ### Parameter: `location`
 Location for all resources.
+
 - Required: No
 - Type: string
 - Default: `[resourceGroup().location]`
@@ -548,26 +565,35 @@ Location for all resources.
 ### Parameter: `lock`
 The lock settings of the service.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
-| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
 ### Parameter: `lock.kind`
-Optional. Specify the type of lock.
+Specify the type of lock.
 - Required: No
 - Type: string
-- Allowed: `[CanNotDelete, None, ReadOnly]`
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
 ### Parameter: `lock.name`
-Optional. Specify the name of lock.
+Specify the name of lock.
 - Required: No
 - Type: string
@@ -575,229 +601,275 @@ Optional. Specify the name of lock.
 ### Parameter: `managedIdentities`
 The managed identity definition for this resource.
+
 - Required: No
 - Type: object
+**Optional parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | No | array | Optional. The resource ID(s) to assign to the resource. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
 ### Parameter: `managedIdentities.systemAssigned`
-Optional. Enables system assigned managed identity on the resource.
+Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
 ### Parameter: `managedIdentities.userAssignedResourceIds`
-Optional. The resource ID(s) to assign to the resource.
+The resource ID(s) to assign to the resource.
 - Required: No
 - Type: array
-### Parameter: `name`
-
-Name of the static site.
-- Required: Yes
-- Type: string
-
 ### Parameter: `privateEndpoints`
 Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note, requires the 'sku' to be 'Standard'.
+
 - Required: No
 - Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | No | array | Optional. Application security groups in which the private endpoint IP configuration is included. |
-| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | No | array | Optional. Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | No | string | Optional. The custom name of the network interface attached to the private endpoint. |
-| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | No | bool | Optional. Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | No | array | Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
-| [`location`](#parameter-privateendpointslocation) | No | string | Optional. The location to deploy the private endpoint to. |
-| [`lock`](#parameter-privateendpointslock) | No | object | Optional. Specify the type of lock. |
-| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | No | array | Optional. Manual PrivateLink Service Connections. |
-| [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. |
-| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
-| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
-| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. |
-| [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
-| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. |
-| [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. |
-
-### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
-
-Optional. Application security groups in which the private endpoint IP configuration is included.
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | string | Resource ID of the subnet where the endpoint needs to be created. |
-- Required: No
-- Type: array
+**Optional parameters**
-### Parameter: `privateEndpoints.customDnsConfigs`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
+| [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
+| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
+| [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
+| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
+| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
+| [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
+| [`manualPrivateLinkServiceConnections`](#parameter-privateendpointsmanualprivatelinkserviceconnections) | array | Manual PrivateLink Service Connections. |
+| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
+| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
+| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
+| [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
+| [`service`](#parameter-privateendpointsservice) | string | The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". |
+| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
-Optional. Custom DNS configurations.
+### Parameter: `privateEndpoints.subnetResourceId`
-- Required: No
-- Type: array
+Resource ID of the subnet where the endpoint needs to be created.
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | No | string | Required. Fqdn that resolves to private endpoint ip address. |
-| [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | Yes | array | Required. A list of private ip addresses of the private endpoint. |
+- Required: Yes
+- Type: string
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
-Required. Fqdn that resolves to private endpoint ip address.
+Application security groups in which the private endpoint IP configuration is included.
 - Required: No
-- Type: string
+- Type: array
-### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
+### Parameter: `privateEndpoints.customDnsConfigs`
-Required. A list of private ip addresses of the private endpoint.
+Custom DNS configurations.
-- Required: Yes
+- Required: No
 - Type: array
-
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
-Optional. The custom name of the network interface attached to the private endpoint.
+The custom name of the network interface attached to the private endpoint.
 - Required: No
 - Type: string
 ### Parameter: `privateEndpoints.enableTelemetry`
-Optional. Enable/Disable usage telemetry for module.
+Enable/Disable usage telemetry for module.
 - Required: No
 - Type: bool
 ### Parameter: `privateEndpoints.ipConfigurations`
-Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
+A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
 - Required: No
 - Type: array
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`name`](#parameter-privateendpointsipconfigurationsname) | Yes | string | Required. The name of the resource that is unique within a resource group. |
-| [`properties`](#parameter-privateendpointsipconfigurationsproperties) | Yes | object | Required. Properties of private endpoint IP configurations. |
-
-### Parameter: `privateEndpoints.ipConfigurations.name`
+### Parameter: `privateEndpoints.location`
-Required. The name of the resource that is unique within a resource group.
+The location to deploy the private endpoint to.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `privateEndpoints.ipConfigurations.properties`
+### Parameter: `privateEndpoints.lock`
-Required. Properties of private endpoint IP configurations.
+Specify the type of lock.
-- Required: Yes
+- Required: No
 - Type: object
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`groupId`](#parameter-privateendpointsipconfigurationspropertiesgroupid) | Yes | string | Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. |
-| [`memberName`](#parameter-privateendpointsipconfigurationspropertiesmembername) | Yes | string | Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. |
-| [`privateIPAddress`](#parameter-privateendpointsipconfigurationspropertiesprivateipaddress) | Yes | string | Required. A private ip address obtained from the private endpoint's subnet. |
+**Optional parameters**
-### Parameter: `privateEndpoints.ipConfigurations.properties.groupId`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-privateendpointslockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-privateendpointslockname) | string | Specify the name of lock. |
-Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.
+### Parameter: `privateEndpoints.lock.kind`
-- Required: Yes
+Specify the type of lock.
+
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'CanNotDelete'
+ 'None'
+ 'ReadOnly'
+ ]
+ ```
-### Parameter: `privateEndpoints.ipConfigurations.properties.memberName`
+### Parameter: `privateEndpoints.lock.name`
-Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.
+Specify the name of lock.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `privateEndpoints.ipConfigurations.properties.privateIPAddress`
+### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
-Required. A private ip address obtained from the private endpoint's subnet.
+Manual PrivateLink Service Connections.
-- Required: Yes
-- Type: string
+- Required: No
+- Type: array
+### Parameter: `privateEndpoints.name`
+The name of the private endpoint.
-### Parameter: `privateEndpoints.location`
+- Required: No
+- Type: string
-Optional. The location to deploy the private endpoint to.
+### Parameter: `privateEndpoints.privateDnsZoneGroupName`
+
+The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.
 - Required: No
 - Type: string
-### Parameter: `privateEndpoints.lock`
+### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
-Optional. Specify the type of lock.
+The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
 - Required: No
-- Type: object
+- Type: array
-### Parameter: `privateEndpoints.manualPrivateLinkServiceConnections`
+### Parameter: `privateEndpoints.roleAssignments`
-Optional. Manual PrivateLink Service Connections.
+Array of role assignments to create.
 - Required: No
 - Type: array
-### Parameter: `privateEndpoints.name`
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-privateendpointsroleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-privateendpointsroleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-privateendpointsroleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
+
+### Parameter: `privateEndpoints.roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `privateEndpoints.roleAssignments.roleDefinitionIdOrName`
+
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
-Optional. The name of the private endpoint.
+### Parameter: `privateEndpoints.roleAssignments.condition`
+
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `privateEndpoints.privateDnsZoneGroupName`
+### Parameter: `privateEndpoints.roleAssignments.conditionVersion`
-Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided.
+Version of the condition.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `privateEndpoints.privateDnsZoneResourceIds`
+### Parameter: `privateEndpoints.roleAssignments.delegatedManagedIdentityResourceId`
-Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.
+The Resource Id of the delegated managed identity resource.
 - Required: No
-- Type: array
+- Type: string
-### Parameter: `privateEndpoints.roleAssignments`
+### Parameter: `privateEndpoints.roleAssignments.description`
-Optional. Array of role assignments to create.
+The description of the role assignment.
 - Required: No
-- Type: array
+- Type: string
-### Parameter: `privateEndpoints.service`
+### Parameter: `privateEndpoints.roleAssignments.principalType`
-Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
+The principal type of the assigned principal ID.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
-### Parameter: `privateEndpoints.subnetResourceId`
+### Parameter: `privateEndpoints.service`
-Required. Resource ID of the subnet where the endpoint needs to be created.
+The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".
-- Required: Yes
+- Required: No
 - Type: string
 ### Parameter: `privateEndpoints.tags`
-Optional. Tags to be applied on all resources/resource groups in this deployment.
+Tags to be applied on all resources/resource groups in this deployment.
 - Required: No
 - Type: object
@@ -805,6 +877,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment
 ### Parameter: `provider`
 The provider that submitted the last deployment to the primary environment of the static site.
+
 - Required: No
 - Type: string
 - Default: `'None'`
@@ -812,6 +885,7 @@ The provider that submitted the last deployment to the primary environment of th
 ### Parameter: `repositoryToken`
 The Personal Access Token for accessing the GitHub repository.
+
 - Required: No
 - Type: securestring
 - Default: `''`
@@ -819,6 +893,7 @@ The Personal Access Token for accessing the GitHub repository.
 ### Parameter: `repositoryUrl`
 The name of the GitHub repository.
+
 - Required: No
 - Type: string
 - Default: `''`
@@ -826,74 +901,96 @@ The name of the GitHub repository.
 ### Parameter: `roleAssignments`
 Array of role assignments to create.
+
 - Required: No
 - Type: array
+**Required parameters**
-| Name | Required | Type | Description |
-| :-- | :-- | :--| :-- |
-| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
-| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. |
-| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. |
-| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. |
-| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. |
-| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. |
-| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-### Parameter: `roleAssignments.condition`
+**Optional parameters**
-Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
-- Required: No
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
 - Type: string
-### Parameter: `roleAssignments.conditionVersion`
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
-Optional. Version of the condition.
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
-- Required: No
+- Required: Yes
 - Type: string
-- Allowed: `[2.0]`
-### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+### Parameter: `roleAssignments.condition`
-Optional. The Resource Id of the delegated managed identity resource.
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"
 - Required: No
 - Type: string
-### Parameter: `roleAssignments.description`
+### Parameter: `roleAssignments.conditionVersion`
-Optional. The description of the role assignment.
+Version of the condition.
 - Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ '2.0'
+ ]
+ ```
-### Parameter: `roleAssignments.principalId`
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
-Required. The principal ID of the principal (user/group/identity) to assign the role to.
+The Resource Id of the delegated managed identity resource.
-- Required: Yes
+- Required: No
 - Type: string
-### Parameter: `roleAssignments.principalType`
+### Parameter: `roleAssignments.description`
-Optional. The principal type of the assigned principal ID.
+The description of the role assignment.
 - Required: No
 - Type: string
-- Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
-### Parameter: `roleAssignments.roleDefinitionIdOrName`
+### Parameter: `roleAssignments.principalType`
-Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The principal type of the assigned principal ID.
-- Required: Yes
+- Required: No
 - Type: string
+- Allowed:
+ ```Bicep
+ [
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+ ]
+ ```
 ### Parameter: `sku`
 Type of static site to deploy.
+
 - Required: No
 - Type: string
 - Default: `'Free'`
@@ -908,6 +1005,7 @@ Type of static site to deploy.
 ### Parameter: `stagingEnvironmentPolicy`
 State indicating whether staging environments are allowed or not allowed for a static web app.
+
 - Required: No
 - Type: string
 - Default: `'Enabled'`
@@ -922,12 +1020,14 @@ State indicating whether staging environments are allowed or not allowed for a s
 ### Parameter: `tags`
 Tags of the resource.
+
 - Required: No
 - Type: object
 ### Parameter: `templateProperties`
 Template Options for the static site.
+
 - Required: No
 - Type: object
 - Default: `{}`
diff --git a/modules/web/static-site/config/README.md b/modules/web/static-site/config/README.md
index e17e11da76..c9ff608e25 100644
--- a/modules/web/static-site/config/README.md
+++ b/modules/web/static-site/config/README.md
@@ -37,16 +37,10 @@ This module deploys a Static Web App Site Config.
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | Location for all resources. |
-### Parameter: `enableDefaultTelemetry`
-
-Enable telemetry via a Globally Unique Identifier (GUID).
-- Required: No
-- Type: bool
-- Default: `True`
-
 ### Parameter: `kind`
 Type of settings to apply.
+
 - Required: Yes
 - Type: string
 - Allowed:
@@ -57,25 +51,36 @@ Type of settings to apply.
 ]
 ```
-### Parameter: `location`
-
-Location for all resources.
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
 ### Parameter: `properties`
 App settings.
+
 - Required: Yes
 - Type: object
 ### Parameter: `staticSiteName`
 The name of the parent Static Web App. Required if the template is used in a standalone deployment.
+
 - Required: Yes
 - Type: string
+### Parameter: `enableDefaultTelemetry`
+
+Enable telemetry via a Globally Unique Identifier (GUID).
+
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `location`
+
+Location for all resources.
+
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
 ## Outputs
diff --git a/modules/web/static-site/custom-domain/README.md b/modules/web/static-site/custom-domain/README.md
index f5b55f3ad5..0ca1252cb2 100644
--- a/modules/web/static-site/custom-domain/README.md
+++ b/modules/web/static-site/custom-domain/README.md
@@ -37,9 +37,24 @@ This module deploys a Static Web App Site Custom Domain.
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`validationMethod`](#parameter-validationmethod) | string | Validation method for adding a custom domain. |
+### Parameter: `name`
+
+The custom domain name.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `staticSiteName`
+
+The name of the parent Static Web App. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `enableDefaultTelemetry`
 Enable telemetry via a Globally Unique Identifier (GUID).
+
 - Required: No
 - Type: bool
 - Default: `True`
@@ -47,25 +62,15 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `name` - -The custom domain name. -- Required: Yes -- Type: string - -### Parameter: `staticSiteName` - -The name of the parent Static Web App. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ### Parameter: `validationMethod` Validation method for adding a custom domain. + - Required: No - Type: string - Default: `'cname-delegation'` diff --git a/modules/web/static-site/linked-backend/README.md b/modules/web/static-site/linked-backend/README.md index c77db73a84..c12b65dbd1 100644 --- a/modules/web/static-site/linked-backend/README.md +++ b/modules/web/static-site/linked-backend/README.md @@ -41,12 +41,21 @@ This module deploys a Custom Function App into a Static Web App Site using the L ### Parameter: `backendResourceId` The resource ID of the backend linked to the static site. + +- Required: Yes +- Type: string + +### Parameter: `staticSiteName` + +The name of the parent Static Web App. Required if the template is used in a standalone deployment. + - Required: Yes - Type: string ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). + - Required: No - Type: bool - Default: `True` @@ -54,6 +63,7 @@ Enable telemetry via a Globally Unique Identifier (GUID). ### Parameter: `location` Location for all resources. + - Required: No - Type: string - Default: `[resourceGroup().location]` @@ -61,6 +71,7 @@ Location for all resources. ### Parameter: `name` Name of the backend to link to the static site. + - Required: No - Type: string - Default: `[uniqueString(parameters('backendResourceId'))]` 
@@ -68,16 +79,11 @@ Name of the backend to link to the static site. ### Parameter: `region` The region of the backend linked to the static site. + - Required: No - Type: string - Default: `[resourceGroup().location]` -### Parameter: `staticSiteName` - -The name of the parent Static Web App. Required if the template is used in a standalone deployment. -- Required: Yes -- Type: string - ## Outputs diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 8ba3a514d2..6ad25de0a9 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 
@@ -180,20 +180,79 @@ function Set-ParametersSection { [string[]] $ColumnsInOrder = @('Required', 'Conditional', 'Optional', 'Generated') ) - # Collect sources for parameter usage section - $parameterUsageContentMap = @{} - if (Test-Path (Join-Path $PSScriptRoot 'moduleReadMeSource')) { - if ($resourceUsageSourceFiles = Get-ChildItem (Join-Path $PSScriptRoot 'moduleReadMeSource') -Recurse -Filter 'resourceUsage-*') { - foreach ($sourceFile in $resourceUsageSourceFiles.FullName) { - $parameterName = (Split-Path $sourceFile -LeafBase).Replace('resourceUsage-', '') - - $parameterUsageContentMap[$parameterName] = Get-Content $sourceFile -Raw - } - } + # Invoking recursive function to resolve parameters + $newSectionContent = Set-DefinitionSection -TemplateFileContent $TemplateFileContent -ColumnsInOrder $ColumnsInOrder + + # Build result + if ($PSCmdlet.ShouldProcess('Original file with new parameters content', 'Merge')) { + $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' } - # Get all descriptions - $descriptions = $TemplateFileContent.parameters.Values.metadata.description + return $updatedFileContent +} + +<# +.SYNOPSIS +Update parts of the 'parameters' section of the given readme file, if user defined types are used + +.DESCRIPTION +Adds user defined types to the 'parameters' section of the given readme file + +.PARAMETER TemplateFileContent +Mandatory. The template file content object to crawl data from + +.PARAMETER Properties +Optional. Hashtable of the user defined properties + +.PARAMETER ParentName +Optional. Name of the parameter, that has the user defined types + +.PARAMETER ParentIdentifierLink +Optional. Link of the parameter, that has the user defined types + +.PARAMETER ColumnsInOrder +Optional. The order of parameter categories to show in the readme parameters section. 
+ +.EXAMPLE +Set-DefinitionSection -TemplateFileContent @{ resource = @{}; ... } -ColumnsInOrder @('Required', 'Optional') + +Top-level invocation. Will start from the TemplateFile's parameters object and recursively crawl through all children. Tables will be ordered by 'Required' first and 'Optional' after. + +.EXAMPLE +Set-DefinitionSection -TemplateFileContent @{ resource = @{}; ... } -Properties @{ @{ name = @{ type = 'string'; 'allowedValues' = @('A1','A2','A3','A4','A5','A6'); 'nullable' = $true; (...) } -ParentName 'diagnosticSettings' -ParentIdentifierLink '#parameter-diagnosticsettings' + +.NOTES +The function is recursive and will also output grand, great grand children, ... . +#> +function Set-DefinitionSection { + param ( + [Parameter(Mandatory = $true)] + [hashtable] $TemplateFileContent, + + [Parameter(Mandatory = $false)] + [hashtable] $Properties, + + [Parameter(Mandatory = $false)] + [string] $ParentName, + + [Parameter(Mandatory = $false)] + [string] $ParentIdentifierLink, + + [Parameter(Mandatory = $false)] + [string[]] $ColumnsInOrder = @('Required', 'Conditional', 'Optional', 'Generated') + ) + + if (-not $Properties) { + # Top-level invocation + # Get all descriptions + $descriptions = $TemplateFileContent.parameters.Values.metadata.description + # Add name as property for later reference + $TemplateFileContent.parameters.Keys | ForEach-Object { $TemplateFileContent.parameters[$_]['name'] = $_ } + } else { + $descriptions = $Properties.Values.metadata.description + # Add name as property for later reference + $Properties.Keys | ForEach-Object { $Properties[$_]['name'] = $_ } + } # Get the module parameter categories $paramCategories = $descriptions | ForEach-Object { $_.Split('.')[0] } | Select-Object -Unique 
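Review bot: Set-DefinitionSection annotates the caller's hashtables in place — `$TemplateFileContent.parameters[$_]['name'] = $_` at the top level and, new in this hunk, `$Properties[$_]['name'] = $_` for nested properties, where `$Properties` points into `$TemplateFileContent.definitions` — so the compiled template object passed in by the caller now carries a synthetic `name` key on every parameter and property that anything consuming the object afterwards will see. Either state that in the help (`.NOTES Adds a 'name' key to each parameter/property hashtable of -TemplateFileContent in place`) or copy the property map before annotating it. The second `.EXAMPLE` is also malformed (`-Properties @{ @{ name = @{ ... }` opens two hashtables and closes one), so it cannot be pasted as written. The function body continues past this hunk.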
@@ -202,34 +261,66 @@ function Set-ParametersSection { $sortedParamCategories = $ColumnsInOrder | Where-Object { $paramCategories -contains $_ } # Add all others that exist but are not specified in the columnsInOrder parameter $sortedParamCategories += $paramCategories | Where-Object { $ColumnsInOrder -notcontains $_ } - - # Add name as property for later reference - $TemplateFileContent.parameters.Keys | ForEach-Object { $TemplateFileContent.parameters[$_]['name'] = $_ } - $newSectionContent = [System.Collections.ArrayList]@() - $parameterList = @{} + $tableSectionContent = [System.Collections.ArrayList]@() + $listSectionContent = [System.Collections.ArrayList]@() - # Create parameter blocks foreach ($category in $sortedParamCategories) { # 1. Prepare # Filter to relevant items - [array] $categoryParameters = $TemplateFileContent.parameters.Values | Where-Object { $_.metadata.description -like "$category. *" } | Sort-Object -Property 'Name' -Culture 'en-US' + if (-not $Properties) { + # Top-level invocation + [array] $categoryParameters = $TemplateFileContent.parameters.Values | Where-Object { $_.metadata.description -like "$category. *" } | Sort-Object -Property 'Name' -Culture 'en-US' + } else { + $categoryParameters = $Properties.Values | Where-Object { $_.metadata.description -like "$category. *" } | Sort-Object -Property 'Name' -Culture 'en-US' + } - # 2. Create header including optional columns & initiate the parameter list - $newSectionContent += @( + $tableSectionContent += @( ('**{0} parameters**' -f $category), '', '| Parameter | Type | Description |', '| :-- | :-- | :-- |' ) - # 3. Add individual parameters foreach ($parameter in $categoryParameters) { - $isRequired = Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameter + ###################### + # Gather details # + ###################### + + $paramIdentifier = (-not [String]::IsNullOrEmpty($ParentName)) ? 
'{0}.{1}' -f $ParentName, $parameter.name : $parameter.name + $paramHeader = '### Parameter: `{0}`' -f $paramIdentifier + $paramIdentifierLink = (-not [String]::IsNullOrEmpty($ParentIdentifierLink)) ? ('{0}{1}' -f $ParentIdentifierLink, $parameter.name).ToLower() : ('#{0}' -f $paramHeader.TrimStart('#').Trim().ToLower()) -replace '[:|`]' -replace ' ', '-' - # Default values + # definition type (if any) + if ($parameter.Keys -contains '$ref') { + $identifier = Split-Path $parameter.'$ref' -Leaf + $definition = $TemplateFileContent.definitions[$identifier] + $type = $definition['type'] + $rawAllowedValues = $definition['allowedValues'] + } else { + $definition = $null + $type = $parameter.type + $rawAllowedValues = $parameter.allowedValues + } + + $isRequired = (Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameter) ? 'Yes' : 'No' + $description = $parameter.ContainsKey('metadata') ? $parameter['metadata']['description'] : $null + + ##################### + # Table content # + ##################### + + # build table for definition properties + $tableSectionContent += ('| [`{0}`]({1}) | {2} | {3} |' -f $parameter.name, $paramIdentifierLink, $type, $description.substring("$category. ".Length)) + + #################### + # List content # + #################### + + # Format default values + # ===================== if ($parameter.defaultValue -is [array]) { if ($parameter.defaultValue.count -eq 0) { $defaultValue = '[]' 
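Review bot: The definition lookup only follows a `$ref` placed directly on the parameter (`if ($parameter.Keys -contains '$ref')`), whereas the code this replaces also followed `$parameter.items.'$ref'`; if the compiled template still represents an array of a user-defined type as `type: array` with `items: { $ref: ... }` (which is how Bicep emits `param x myType[]`, as far as I can tell), such parameters now get `$definition = $null` and their child properties silently drop out of the readme. The extra branch below restores that case; `$type`, `$rawAllowedValues` and the later recursion on `$definition` can stay as they are. The enclosing foreach and function continue past this hunk.

```powershell
# definition type (if any)
if ($parameter.Keys -contains '$ref') {
    # … unchanged: direct $ref lookup …
} elseif ($parameter.Keys -contains 'items' -and $parameter.items.Keys -contains '$ref') {
    $definition = $TemplateFileContent.definitions[(Split-Path $parameter.items.'$ref' -Leaf)]
    $type = $parameter.type
    $rawAllowedValues = $parameter.allowedValues
} else {
    # … unchanged: plain parameter …
}
```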
@@ -253,18 +344,23 @@ function Set-ParametersSection { $defaultValue = $parameter.defaultValue } - # User defined type - if ($null -eq $parameter.type -and $parameter.ContainsKey('$ref')) { - $identifier = Split-Path $parameter.'$ref' -Leaf - $definition = $TemplateFileContent.definitions[$identifier] - $type = $definition['type'] - $rawAllowedValues = $definition['allowedValues'] + if (-not [String]::IsNullOrEmpty($defaultValue)) { + if (($defaultValue -split '\n').count -eq 1) { + $formattedDefaultValue = '- Default: `{0}`' -f $defaultValue + } else { + $formattedDefaultValue = @( + '- Default:', + ' ```Bicep', + ($defaultValue -split '\n' | ForEach-Object { " $_" } | Out-String).TrimEnd(), + ' ```' + ) + } } else { - $type = $parameter.type - $rawAllowedValues = $parameter.allowedValues + $formattedDefaultValue = $null } - # Allowed values + # Format allowed values + # ===================== if ($rawAllowedValues -is [array]) { $bicepJSONAllowedParameterObject = @{ $parameter.name = ($rawAllowedValues ?? @()) } # Wrapping on object to work with formatted Bicep script $bicepRawformattedAllowed = ConvertTo-FormattedBicep -JSONParameters $bicepJSONAllowedParameterObject @@ -278,37 +374,6 @@ function Set-ParametersSection { $allowedValues = $rawAllowedValues } - # Prepare the links to local headers - $paramHeader = '### Parameter: `{0}`' -f $parameter.name - $paramIdentifier = ('#{0}' -f $paramHeader.TrimStart('#').Trim().ToLower()) -replace '[:|`]' -replace ' ', '-' - - # Add external single quotes to all default values of type string except for those using functions - $description = $parameter.metadata.description.Replace("`r`n", '

').Replace("`n", '

') - # Further, replace all "empty string" default values with actual visible quotes - if ([regex]::Match($allowedValues, '^(\[\s*,.+)|(\[.+,\s*,)|(.+,\s*\])$').Captures.Count -gt 0) { - $allowedValues = $allowedValues -replace '\[\s*,', "[''," -replace ',\s*,', ", ''," -replace ',\s*\]', ", '']" - } - - # Update parameter table content based on parameter category - ## Remove category from parameter description - $description = $description.substring("$category. ".Length) - $newSectionContent += ('| [`{0}`]({1}) | {2} | {3} |' -f $parameter.name, $paramIdentifier, $type, $description) - - if (-not [String]::IsNullOrEmpty($defaultValue)) { - if (($defaultValue -split '\n').count -eq 1) { - $formattedDefaultValue = '- Default: `{0}`' -f $defaultValue - } else { - $formattedDefaultValue = @( - '- Default:', - ' ```Bicep', - ($defaultValue -split '\n' | ForEach-Object { " $_" } | Out-String).TrimEnd(), - ' ```' - ) - } - } else { - $formattedDefaultValue = $null - } - if (-not [String]::IsNullOrEmpty($allowedValues)) { if (($allowedValues -split '\n').count -eq 1) { $formattedAllowedValues = '- Default: `{0}`' -f $allowedValues @@ -316,7 +381,7 @@ function Set-ParametersSection { $formattedAllowedValues = @( '- Allowed:', ' ```Bicep', - ($allowedValues -split '\n' | Where-Object { -not [String]::IsNullOrEmpty($_) } | ForEach-Object { " $_" } | Out-String).TrimEnd(), + ($allowedValues -split '\n' | Where-Object { -not [String]::IsNullOrEmpty($_) } | ForEach-Object { " $_" } | Out-String).TrimEnd(), ' ```' ) } 
@@ -324,138 +389,42 @@ function Set-ParametersSection { $formattedAllowedValues = $null } - $parameterList += @{ - $paramIdentifier = @( - $paramHeader, - '', - $description, - ('- Required: {0}' -f ($isRequired ? 'Yes' : 'No')), - ('- Type: {0}' -f $type), - ((-not [String]::IsNullOrEmpty($formattedDefaultValue)) ? $formattedDefaultValue : $null), - ((-not [String]::IsNullOrEmpty($formattedAllowedValues)) ? $formattedAllowedValues : $null), - '', - (($parameterUsageContentMap.Keys -contains $parameter.name) ? $parameterUsageContentMap[$parameter.name] : $null) - ) | Where-Object { $null -ne $_ } - } - - if (($parameter.Keys -contains '$ref') -or ($parameter.Keys -contains 'items' -and $parameter.items.Keys -contains '$ref')) { - # Has a user-defined type - $identifier = ($parameter.Keys -contains '$ref') ? (Split-Path $parameter.'$ref' -Leaf) : (Split-Path $parameter.items.'$ref' -Leaf) - $definition = $TemplateFileContent.definitions[$identifier] - $properties = ($definition.Keys -contains 'items' ? 
$definition['items']['properties'] : $definition['properties']) - $parameterList[$paramIdentifier] += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $properties -ParentName $parameter.name -ParentIdentifierLink $paramIdentifier - } - } - $newSectionContent += '' - } - - $sortedFlatParamList = [System.Collections.ArrayList]@() - foreach ($key in ($parameterList.Keys | Sort-Object)) { - $sortedFlatParamList += $parameterList[$key] - } - $newSectionContent += $sortedFlatParamList - - # Build result - if ($PSCmdlet.ShouldProcess('Original file with new parameters content', 'Merge')) { - $updatedFileContent = Merge-FileWithNewContent -oldContent $ReadMeFileContent -newContent $newSectionContent -SectionStartIdentifier $SectionStartIdentifier -contentType 'nextH2' - } - - return $updatedFileContent -} - -<# -.SYNOPSIS -Update parts of the 'parameters' section of the given readme file, if user defined types are used - -.DESCRIPTION -Adds user defined types to the 'parameters' section of the given readme file - -.PARAMETER TemplateFileContent -Mandatory. The template file content object to crawl data from - -.PARAMETER Properties -Mandatory. Hashtable of the user defined properties - -.PARAMETER ParentName -Mandatory. Name of the parameter, that has the user defined types + # Build list item + # =============== + $listSectionContent += @( + $paramHeader, + ($parameter.ContainsKey('metadata') ? '' : $null), + ($parameter.ContainsKey('metadata') ? $parameter['metadata']['description'].substring("$category. ".Length) : $null), + ($parameter.ContainsKey('metadata') ? '' : $null), + ('- Required: {0}' -f $isRequired), + ('- Type: {0}' -f $type), + ((-not [String]::IsNullOrEmpty($formattedDefaultValue)) ? $formattedDefaultValue : $null), + ((-not [String]::IsNullOrEmpty($formattedAllowedValues)) ? $formattedAllowedValues : $null) + '' + ) | Where-Object { $null -ne $_ } -.PARAMETER ParentIdentifierLink -Mandatory. 
Link of the parameter, that has the user defined types + #recursive call for children + if ($definition) { + if ($definition.ContainsKey('items') -and $definition['items'].ContainsKey('properties')) { + $childProperties = $definition['items']['properties'] + $sectionContent = Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink -ColumnsInOrder $ColumnsInOrder -.EXAMPLE -Set-DefinitionSection -TemplateFileContent @{ resource = @{}; ... } -Properties @{ resource = @{}; ... } -ParentName 'diagnosticSettings' -ParentIdentifierLink '#parameter-diagnosticsettings' + $listSectionContent += $sectionContent -.NOTES -The function is recursive and will also output grand, great grand children, ... . -#> -function Set-DefinitionSection { - param ( - [Parameter(Mandatory)] - [hashtable] $TemplateFileContent, - - [Parameter(Mandatory)] - [hashtable] $Properties, - - [Parameter(Mandatory)] - [string] $ParentName, + } elseif ($definition.type -eq 'object' -and $definition['properties']) { + $childProperties = $definition['properties'] + $sectionContent = Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink -ColumnsInOrder $ColumnsInOrder - [Parameter(Mandatory)] - [string] $ParentIdentifierLink - ) - $newSectionContent = @( - '', - '| Name | Required | Type | Description |', - '| :-- | :-- | :--| :-- |' - ) - $tableSectionContent = [System.Collections.ArrayList]@() - $listSectionContent = [System.Collections.ArrayList]@() - - foreach ($parameterName in $Properties.Keys | Sort-Object) { - $parameterValue = $Properties[$parameterName] - $paramIdentifier = '{0}.{1}' -f $ParentName, $parameterName - $paramIdentifierLink = ('{0}{1}' -f $ParentIdentifierLink, $parameterName).ToLower() - - # definition type (if any) - if ($parameterValue.Keys -contains '$ref') { - 
$definition = $TemplateFileContent.definitions[(Split-Path $parameterValue.'$ref' -Leaf)] - } else { - $definition = $null + $listSectionContent += $sectionContent + } + } } - $isRequired = (Get-IsParameterRequired -TemplateFileContent $TemplateFileContent -Parameter $parameterValue) ? 'Yes' : 'No' - $type = ($parameterValue.Keys -contains '$ref') ? $definition.type : $parameterValue['type'] - $description = $parameterValue.ContainsKey('metadata') ? $parameterValue['metadata']['description'] : $null - - # build table for definition properties - $tableSectionContent += ('| [`{0}`]({1}) | {2} | {3} | {4} |' -f $parameterName, $paramIdentifierLink, $isRequired, $type, $description) - $allowedValues = ($parameterValue.ContainsKey('allowedValues')) ? (($parameterValue['allowedValues'] -is [array]) ? ('[{0}]' -f (($parameterValue['allowedValues'] | Sort-Object) -join ', ')) : (($parameterValue['allowedValues'] -is [hashtable]) ? '{object}' : $parameterValue['allowedValues'])) : $null - - #build flat list for definition properties - $listSectionContent += @( - '', - ('### Parameter: `{0}`' -f $paramIdentifier), - ($parameterValue.ContainsKey('metadata') ? '' : $null), - ($parameterValue.ContainsKey('metadata') ? $parameterValue['metadata']['description'] : $null), - ($parameterValue.ContainsKey('metadata') ? '' : $null), - ('- Required: {0}' -f $isRequired), - ('- Type: {0}' -f $type), - (($null -ne $allowedValues) ? 
('- Allowed: `{0}`' -f $allowedValues) : $null) - ) | Where-Object { $null -ne $_ } - - #recursive call for children - if ($parameterValue.ContainsKey('items') -and $parameterValue['items'].ContainsKey('properties')) { - $childProperties = $parameterValue['items']['properties'] - $listSectionContent += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink - } elseif ($parameterValue.type -eq 'object' -and $parameterValue['properties']) { - $childProperties = $parameterValue['properties'] - $listSectionContent += Set-DefinitionSection -TemplateFileContent $TemplateFileContent -Properties $childProperties -ParentName $paramIdentifier -ParentIdentifierLink $paramIdentifierLink - } + $tableSectionContent += '' } $newSectionContent += $tableSectionContent $newSectionContent += $listSectionContent - $newSectionContent += '' - return $newSectionContent } @@ -1181,6 +1150,17 @@ function Set-UsageExamplesSection { ############################ ## Process test files ## ############################ + + # Prepare data (using thread-safe multithreading) to consume later + $buildTestFileMap = [System.Collections.Concurrent.ConcurrentDictionary[string, object]]::new() + $testFilePaths | ForEach-Object -Parallel { + $folderName = Split-Path (Split-Path -Path $_) -Leaf + $buildTemplate = bicep build $_ --stdout | ConvertFrom-Json -AsHashtable + + $dict = $using:buildTestFileMap + $null = $dict.TryAdd($folderName, $buildTemplate) + } + $pathIndex = 1 $usageExampleSectionHeaders = @() $testFilesContent = @() 
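Review bot: The recursion added in the new `if ($definition)` block has no termination guard beyond the shape of the definition, so a definition that references itself (Bicep permits a recursive user-defined type through an optional property, as far as I know, and that compiles to a `$ref` back to the same `definitions` entry) would make `Set-DefinitionSection` call itself until the stack overflows. A visited set of `$ref` identifiers, or a depth limit passed down alongside the other parameters, would make that failure explicit: `if ($Visited -contains $identifier) { Write-Warning "Recursive type [$identifier] not expanded"; continue }`. Separately, the single-line branch that feeds `$formattedAllowedValues` (a context line in the preceding hunk) still labels allowed values as `- Default:`, so the list item assembled here prints two `Default` bullets for enum-style parameters. Set-DefinitionSection begins before this hunk.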
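Review bot: The parallel pre-build discards every failure signal: a `bicep build` that fails leaves `$buildTemplate` empty (its diagnostics go to stderr of the runspace), `ConvertFrom-Json` on empty input yields nothing, and `$null = $dict.TryAdd(...)` also swallows the `$false` returned when two test files resolve to the same `$folderName`, so the consumer ends up documenting a missing or wrong example without any error. Check the exit code right after the build, e.g. `if ($LASTEXITCODE -ne 0) { throw "bicep build failed for [$_]" }`, and either key the map by the full test-file path or treat a `$false` from `TryAdd` as an error. Keying by the leaf folder name assumes test folder names are unique across `$testFilePaths`; that seems to hold for a single module but is not enforced here. Set-UsageExamplesSection continues outside this hunk.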
@@ -1188,7 +1168,8 @@ function Set-UsageExamplesSection { # Read content $rawContentArray = Get-Content -Path $testFilePath - $compiledTestFileContent = bicep build $testFilePath --stdout | ConvertFrom-Json -AsHashtable + $folderName = Split-Path (Split-Path -Path $testFilePath) -Leaf + $compiledTestFileContent = $buildTestFileMap[$folderName] $rawContent = Get-Content -Path $testFilePath -Encoding 'utf8' | Out-String # Format example header diff --git a/utilities/tools/Test-ModuleLocally.ps1 b/utilities/tools/Test-ModuleLocally.ps1 index cc291faa18..ea87659b02 100644 --- a/utilities/tools/Test-ModuleLocally.ps1 +++ b/utilities/tools/Test-ModuleLocally.ps1 @@ -34,7 +34,7 @@ Optional. A hashtable parameter that contains custom tokens to be replaced in th $TestModuleLocallyInput = @{ TemplateFilePath = 'C:\network\route-table\main.bicep' - ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' + ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' PesterTest = $false DeploymentTest = $false ValidationTest = $true From 11b702b660fe118069f8e85b3dfd15447e69e042 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 28 Nov 2023 00:19:32 +0100 Subject: [PATCH 130/178] Added MOVED-TO-AVM (#4306) --- modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md | 1 + modules/db-for-postgre-sql/flexible-server/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md diff --git a/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md b/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/db-for-postgre-sql/flexible-server/MOVED-TO-AVM.md 
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index eb3ff48630..9fd7665d16 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -1,5 +1,7 @@ # DBforPostgreSQL Flexible Servers `[Microsoft.DBforPostgreSQL/flexibleServers]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a DBforPostgreSQL Flexible Server. ## Navigation From 3b5965bab8461ed6dd00acec57db591b49cd0879 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 28 Nov 2023 19:12:08 +1100 Subject: [PATCH 131/178] [New Feature] Add WhatIf feature to Test module locally script (#4241) * Add WhatIf feature to Test module locally script * update * update * update * update * Update modules/web/serverfarm/tests/e2e/max/main.test.bicep Co-authored-by: Alexander Sehr --------- Co-authored-by: Alexander Sehr --- .../Get-TemplateDeploymenWhatIf.ps1 | 185 ++++++++++++++++++ utilities/tools/Test-ModuleLocally.ps1 | 78 +++++++- 2 files changed, 259 insertions(+), 4 deletions(-) create mode 100644 utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 diff --git a/utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 b/utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 new file mode 100644 index 0000000000..5e6e3ec0f6 --- /dev/null +++ b/utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 
@@ -0,0 +1,185 @@
+<#
+.SYNOPSIS
+Get a template What-If deployment result using a given parameter file
+
+.DESCRIPTION
+Get a template What-If deployment resultusing a given parameter file
+Works on a resource group, subscription, managementgroup and tenant level
+
+.PARAMETER parametersBasePath
+Mandatory. The path to the root of the parameters folder to test with
+
+.PARAMETER templateFilePath
+Mandatory. Path to the template file from root.
+
+.PARAMETER parameterFilePath
+Optional. Path to the parameter file from root.
+
+.PARAMETER location
+Mandatory. Location to test in. E.g. WestEurope
+
+.PARAMETER resourceGroupName
+Optional. Name of the resource group to deploy into. Mandatory if deploying into a resource group (resource group level)
+
+.PARAMETER subscriptionId
+Optional. ID of the subscription to deploy into. Mandatory if deploying into a subscription (subscription level) using a Management groups service connection
+
+.PARAMETER managementGroupId
+Optional. Name of the management group to deploy into. Mandatory if deploying into a management group (management group level)
+
+.PARAMETER additionalParameters
+Optional. Additional parameters you can provide with the deployment. E.g. @{ resourceGroupName = 'myResourceGroup' }
+
+.EXAMPLE
+Get-TemplateDeploymenWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -parameterFilePath 'C:/key-vault/vault/.test/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg'
+
+Get What-If deployment result for the main.bicep of the KeyVault module with the parameter file 'parameters.json' using the resource group 'aLegendaryRg' in location 'WestEurope'
+
+.EXAMPLE
+Get-TemplateDeploymenWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -location 'WestEurope' -resourceGroupName 'aLegendaryRg'
+
+Get What-If deployment result for the main.bicep of the KeyVault module using the resource group 'aLegendaryRg' in location 'WestEurope'
+
+.EXAMPLE
+Get-TemplateDeploymenWhatIf -templateFilePath 'C:/resources/resource-group/main.json' -parameterFilePath 'C:/resources/resource-group/.test/parameters.json' -location 'WestEurope'
+
+Get What-If deployment result for the main.json of the ResourceGroup module with the parameter file 'parameters.json' in location 'WestEurope'
+#>
+function Get-TemplateDeploymenWhatIf {
+
+ [CmdletBinding(SupportsShouldProcess)]
+ param (
+ [Parameter(Mandatory)]
+ [string] $templateFilePath,
+
+ [Parameter(Mandatory)]
+ [string] $location,
+
+ [Parameter(Mandatory = $false)]
+ [string] $parameterFilePath,
+
+ [Parameter(Mandatory = $false)]
+ [string] $resourceGroupName,
+
+ [Parameter(Mandatory = $false)]
+ [string] $subscriptionId,
+
+ [Parameter(Mandatory = $false)]
+ [string] $managementGroupId,
+
+ [Parameter(Mandatory = $false)]
+ [Hashtable] $additionalParameters
+ )
+
+ begin {
+ Write-Debug ('{0} entered' -f $MyInvocation.MyCommand)
+
+ # Load helper
+ . (Join-Path (Get-Item -Path $PSScriptRoot).parent.FullName 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1')
+ }
+
+ process {
+ $DeploymentInputs = @{
+ TemplateFile = $templateFilePath
+ Verbose = $true
+ OutVariable = 'ValidationErrors'
+ }
+ if (-not [String]::IsNullOrEmpty($parameterFilePath)) {
+ $DeploymentInputs['TemplateParameterFile'] = $parameterFilePath
+ }
+ $ValidationErrors = $null
+
+ # Additional parameter object provided yes/no
+ if ($additionalParameters) {
+ $DeploymentInputs += $additionalParameters
+ }
+
+ $deploymentScope = Get-ScopeOfTemplateFile -TemplateFilePath $templateFilePath -Verbose
+
+ $deploymentNamePrefix = Split-Path -Path (Split-Path $templateFilePath -Parent) -LeafBase
+ if ([String]::IsNullOrEmpty($deploymentNamePrefix)) {
+ $deploymentNamePrefix = 'templateDeployment-{0}' -f (Split-Path $templateFilePath -LeafBase)
+ }
+ if ($templateFilePath -match '.*(\\|\/)Microsoft.+') {
+ # If we can assume we're operating in a module structure, we can further fetch the provider namespace & resource type
+ $shortPathElem = (($templateFilePath -split 'Microsoft\.')[1] -replace '\\', '/') -split '/' # e.g., AppConfiguration, configurationStores, .test, common, main.test.bicep
+ $providerNamespace = $shortPathElem[0] # e.g., AppConfiguration
+ $providerNamespaceShort = ($providerNamespace -creplace '[^A-Z]').ToLower() # e.g., ac
+
+ $resourceType = $shortPathElem[1] # e.g., configurationStores
+ $resourceTypeShort = ('{0}{1}' -f ($resourceType.ToLower())[0], ($resourceType -creplace '[^A-Z]')).ToLower() # e.g. cs
+
+ $testFolderShort = Split-Path (Split-Path $templateFilePath -Parent) -Leaf # e.g., common
+
+ $deploymentNamePrefix = "$providerNamespaceShort-$resourceTypeShort-$testFolderShort" # e.g., ac-cs-common
+ }
+
+ # Generate a valid deployment name. Must match ^[-\w\._\(\)]+$
+ do {
+ $deploymentName = ('{0}-{1}' -f $deploymentNamePrefix, (Get-Date -Format 'yyyyMMddTHHMMssffffZ'))[0..63] -join ''
+ } while ($deploymentName -notmatch '^[-\w\._\(\)]+$')
+
+ if ($deploymentScope -ne 'resourceGroup') {
+ Write-Verbose "What-If Deployment Test with deployment name [$deploymentName]" -Verbose
+ $DeploymentInputs['DeploymentName'] = $deploymentName
+ }
+
+ #################
+ ## INVOKE TEST ##
+ #################
+ switch ($deploymentScope) {
+ 'resourceGroup' {
+ if (-not [String]::IsNullOrEmpty($subscriptionId)) {
+ Write-Verbose ('Setting context to subscription [{0}]' -f $subscriptionId)
+ $null = Set-AzContext -Subscription $subscriptionId
+ }
+ if (-not (Get-AzResourceGroup -Name $resourceGroupName -ErrorAction 'SilentlyContinue')) {
+ if ($PSCmdlet.ShouldProcess("Resource group [$resourceGroupName] in location [$location]", 'Create')) {
+ $null = New-AzResourceGroup -Name $resourceGroupName -Location $location
+ }
+ }
+ if ($PSCmdlet.ShouldProcess('Resource group level deployment', 'WhatIf')) {
+ $res = New-AzResourceGroupDeployment @DeploymentInputs -WhatIf
+ }
+ break
+ }
+ 'subscription' {
+ if (-not [String]::IsNullOrEmpty($subscriptionId)) {
+ Write-Verbose ('Setting context to subscription [{0}]' -f $subscriptionId)
+ $null = Set-AzContext -Subscription $subscriptionId
+ }
+ if ($PSCmdlet.ShouldProcess('Subscription level deployment', 'WhatIf')) {
+ $res = New-AzDeployment @DeploymentInputs -Location $Location -WhatIf
+ }
+ break
+ }
+ 'managementGroup' {
+ if ($PSCmdlet.ShouldProcess('Management group level deployment', 'WhatIf')) {
+ $res = New-AzManagementGroupDeployment @DeploymentInputs -Location $Location -ManagementGroupId $ManagementGroupId -WhatIf
+ }
+ break
+ }
+ 'tenant' {
+ Write-Verbose 'Handling tenant level validation'
+ if ($PSCmdlet.ShouldProcess('Tenant level deployment', 'WhatIf')) {
+ $res = New-AzTenantDeployment @DeploymentInputs -Location $location -WhatIf
+ }
+ break
+ }
+ 
default { + throw "[$deploymentScope] is a non-supported template scope" + } + } + if ($ValidationErrors) { + if ($res.Details) { Write-Warning ($res.Details | ConvertTo-Json -Depth 10 | Out-String) } + if ($res.Message) { Write-Warning $res.Message } + Write-Error 'Template is not valid.' + } else { + Write-Verbose 'Template is valid' -Verbose + } + } + + end { + Write-Debug ('{0} exited' -f $MyInvocation.MyCommand) + } +} diff --git a/utilities/tools/Test-ModuleLocally.ps1 b/utilities/tools/Test-ModuleLocally.ps1 index ea87659b02..4e7d37c073 100644 --- a/utilities/tools/Test-ModuleLocally.ps1 +++ b/utilities/tools/Test-ModuleLocally.ps1 @@ -24,6 +24,9 @@ Optional. A switch parameter that triggers the deployment of the module .PARAMETER ValidationTest Optional. A switch parameter that triggers the validation of the module only without deployment +.PARAMETER WhatIfTest +Optional. A switch parameter that triggers the what-if test of the module only without deployment + .PARAMETER SkipParameterFileTokens Optional. A switch parameter that enables you to skip the search for local custom parameter file tokens. @@ -37,6 +40,7 @@ $TestModuleLocallyInput = @{ ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' PesterTest = $false DeploymentTest = $false + WhatIfTest = $false ValidationTest = $true ValidateOrDeployParameters = @{ Location = 'westeurope' @@ -60,6 +64,7 @@ $TestModuleLocallyInput = @{ ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' PesterTest = $false DeploymentTest = $false + WhatIfTest = $false ValidationTest = $true ValidateOrDeployParameters = @{ Location = 'westeurope' 
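Review bot: Despite the `Get-` verb and the what-if intent, the resource-group branch mutates state: `New-AzResourceGroup` creates a real resource group whenever `$resourceGroupName` does not exist, and `Set-AzContext -Subscription $subscriptionId` switches the caller's session context for good, so a dry run pointed at the wrong subscription or a mistyped group name leaves artefacts behind. At minimum state both effects in the help (`.NOTES Creates the resource group if it is missing and changes the active Az context to -subscriptionId`) and consider gating the group creation behind an explicit switch. The `if ($ValidationErrors)` check at the end also looks ineffective: `New-Az*Deployment -WhatIf` renders its result to the host rather than the output stream as far as I can tell, so `OutVariable = 'ValidationErrors'` captures nothing and 'Template is valid' is printed regardless of what the what-if reported — the return value should be inspected or errors surfaced via `-ErrorVariable`. The help further documents a `parametersBasePath` parameter that the function does not declare, contains the typo `resultusing`, and the function/file name is missing the `t` in `Deployment`, which will surprise anyone typing it.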
@@ -76,12 +81,60 @@ Test-ModuleLocally @TestModuleLocallyInput -Verbose Run a Test-Az*Deployment using a test file with the provided tokens + +$TestModuleLocallyInput = @{ + TemplateFilePath = 'C:\network\route-table\main.bicep' + ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' + PesterTest = $false + DeploymentTest = $false + WhatIfTest = $true + ValidationTest = $false + ValidateOrDeployParameters = @{ + Location = 'westeurope' + ResourceGroupName = 'validation-rg' + SubscriptionId = '00000000-0000-0000-0000-000000000000' + ManagementGroupId = '00000000-0000-0000-0000-000000000000' + RemoveDeployment = $false + } + AdditionalTokens = @{ + tenantId = '00000000-0000-0000-0000-000000000000' + } +} +Test-ModuleLocally @TestModuleLocallyInput -Verbose + +Get What-If deployment result using a specific parameter-template combination with the provided tokens + +.EXAMPLE + +$TestModuleLocallyInput = @{ + TemplateFilePath = 'C:\network\route-table\main.bicep' + ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' + PesterTest = $false + DeploymentTest = $false + WhatIfTest = $true + ValidationTest = $false + ValidateOrDeployParameters = @{ + Location = 'westeurope' + ResourceGroupName = 'validation-rg' + SubscriptionId = '00000000-0000-0000-0000-000000000000' + ManagementGroupId = '00000000-0000-0000-0000-000000000000' + RemoveDeployment = $false + } + AdditionalTokens = @{ + tenantId = '00000000-0000-0000-0000-000000000000' + } +} +Test-ModuleLocally @TestModuleLocallyInput -Verbose + +Get What-If deployment result using a test file with the provided tokens + .EXAMPLE $TestModuleLocallyInput = @{ TemplateFilePath = 'C:\network\route-table\main.bicep' PesterTest = $true DeploymentTest = $false + WhatIfTest = $false ValidationTest = $true ValidateOrDeployParameters = @{ Location = 'westeurope' 
@@ -127,7 +180,7 @@ Run all Pester tests for the given template file including tests for the use of .NOTES - Make sure you provide the right information in the 'ValidateOrDeployParameters' parameter for this function to work. -- Ensure you have the ability to perform the deployment operations using your account (if planning to test deploy) +- Ensure you have the ability to perform the deployment operations using your account (if planning to test deploy or performing what-if validation.) #> function Test-ModuleLocally { @@ -155,7 +208,10 @@ function Test-ModuleLocally { [switch] $DeploymentTest, [Parameter(Mandatory = $false)] - [switch] $ValidationTest + [switch] $ValidationTest, + + [Parameter(Mandatory = $false)] + [switch] $WhatIfTest ) begin { @@ -168,6 +224,7 @@ function Test-ModuleLocally { # Load Modules Validation / Deployment Scripts . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'New-TemplateDeployment.ps1') . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'Test-TemplateDeployment.ps1') + . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'Get-TemplateDeploymenWhatIf.ps1') } process { @@ -247,7 +304,7 @@ function Test-ModuleLocally { # Validation & Deployment tests # ################################# - if (($ValidationTest -or $DeploymentTest) -and $ValidateOrDeployParameters) { + if (($ValidationTest -or $DeploymentTest -or $WhatIfTest) -and $ValidateOrDeployParameters) { # Invoke Token Replacement Functionality and Convert Tokens in Parameter Files $null = Convert-TokensInFileList @tokenConfiguration 
@@ -278,7 +335,20 @@ function Test-ModuleLocally { } } } - + # What-If validation for template + # ----------------- + if ($WhatIfTest) { + # Loop through test files + foreach ($moduleTestFile in $moduleTestFiles) { + Write-Verbose ('Get Deployment What-If result for module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)) -Verbose + if ((Split-Path $moduleTestFile -Extension) -eq '.json') { + Get-TemplateDeploymenWhatIf @functionInput -ParameterFilePath $moduleTestFile + } else { + $functionInput['TemplateFilePath'] = $moduleTestFile + Get-TemplateDeploymenWhatIf @functionInput + } + } + } # Deploy template # --------------- if ($DeploymentTest) { From d102bd59d3466ff2bdaa699a5bc0d6f26f805555 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Thu, 30 Nov 2023 14:14:01 +0100 Subject: [PATCH 132/178] [Utilities] Updated WhatIf feature to AVM changes (#4308) * Update to latest * Implemented several fixes + aligned to AVM changes * Update to latest * Update to latest * Update to latest --- .../New-TemplateDeployment.ps1 | 14 +++-- .../Test-TemplateDeployment.ps1 | 48 +++++++++------ utilities/tools/Test-ModuleLocally.ps1 | 61 +++---------------- .../helper/Get-TemplateDeploymentWhatIf.ps1} | 56 +++++++++-------- 4 files changed, 80 insertions(+), 99 deletions(-) rename utilities/{pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 => tools/helper/Get-TemplateDeploymentWhatIf.ps1} (82%) diff --git a/utilities/pipelines/resourceDeployment/New-TemplateDeployment.ps1 b/utilities/pipelines/resourceDeployment/New-TemplateDeployment.ps1 index f2f8a9ff68..0837c0442a 100644 --- a/utilities/pipelines/resourceDeployment/New-TemplateDeployment.ps1 +++ b/utilities/pipelines/resourceDeployment/New-TemplateDeployment.ps1 
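Review bot: The else-branch `$functionInput['TemplateFilePath'] = $moduleTestFile` mutates the shared splat hashtable, so once one `.test.bicep` file has been processed every later `.json` test file in the loop is what-if'ed against that previous test template instead of the module's main template, and the overwritten value is still in `$functionInput` when the Deployment block below runs. Override on a copy instead, e.g. `$whatIfInput = $functionInput.Clone(); $whatIfInput['TemplateFilePath'] = $moduleTestFile; Get-TemplateDeploymenWhatIf @whatIfInput`. The validation block above this hunk appears to use the same pattern, but its lines are outside the hunk. As a point of style, the divider `# -----------------` is shorter than the `# What-If validation for template` heading it underlines, whereas the neighbouring `# Deploy template` block keeps both the same length.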
@@ -153,9 +153,6 @@ function New-TemplateDeploymentInner { begin { Write-Debug ('{0} entered' -f $MyInvocation.MyCommand) - - # Load helper - . (Join-Path (Get-Item -Path $PSScriptRoot).parent.FullName 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') } process { @@ -375,6 +372,9 @@ Optional. Maximum retry limit if the deployment fails. Default is 3. .PARAMETER doNotThrow Optional. Do not throw an exception if it failed. Still returns the error message though +.PARAMETER RepoRoot +Optional. The path to the repository's root + .EXAMPLE New-TemplateDeployment -templateFilePath 'C:/key-vault/vault/main.bicep' -parameterFilePath 'C:/key-vault/vault/.test/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' @@ -422,11 +422,17 @@ function New-TemplateDeployment { [switch] $doNotThrow, [Parameter(Mandatory = $false)] - [int]$retryLimit = 3 + [int]$retryLimit = 3, + + [Parameter(Mandatory = $false)] + [string] $RepoRoot = (Get-Item -Path $PSScriptRoot).parent.parent.parent.FullName ) begin { Write-Debug ('{0} entered' -f $MyInvocation.MyCommand) + + # Load helper + . (Join-Path $RepoRoot 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') } process { diff --git a/utilities/pipelines/resourceDeployment/Test-TemplateDeployment.ps1 b/utilities/pipelines/resourceDeployment/Test-TemplateDeployment.ps1 index 2593de5df6..bfe19d4538 100644 --- a/utilities/pipelines/resourceDeployment/Test-TemplateDeployment.ps1 +++ b/utilities/pipelines/resourceDeployment/Test-TemplateDeployment.ps1 
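Review bot: `RepoRoot` is accepted as an arbitrary `[string]` and then used to build the script path that is dot-sourced in `begin`, but nothing checks that the path exists, so a mistyped value only fails later with a confusing message; `[ValidateScript({ Test-Path $_ })]` on the parameter, or a `Test-Path` before the dot-source, reports it directly. The `.PARAMETER RepoRoot` help should also say what the value is used for, e.g. `Optional. The path to the repository's root. Used to locate utilities/pipelines/sharedScripts/Get-ScopeOfTemplateFile.ps1`. Moving the helper load out of `New-TemplateDeploymentInner` (first hunk) means that function no longer loads `Get-ScopeOfTemplateFile` itself, which only matters if it is ever invoked without going through `New-TemplateDeployment`; the bodies of both functions continue outside the hunks.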
@@ -30,6 +30,9 @@ Optional. Name of the management group to deploy into. Mandatory if deploying in .PARAMETER additionalParameters Optional. Additional parameters you can provide with the deployment. E.g. @{ resourceGroupName = 'myResourceGroup' } +.PARAMETER RepoRoot +Optional. The path to the repository's root + .EXAMPLE Test-TemplateDeployment -templateFilePath 'C:/key-vault/vault/main.bicep' -parameterFilePath 'C:/key-vault/vault/.test/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' 
@@ -68,17 +71,40 @@ function Test-TemplateDeployment {
 [string] $managementGroupId,
 [Parameter(Mandatory = $false)]
- [Hashtable] $additionalParameters
+ [Hashtable] $additionalParameters,
+
+ [Parameter(Mandatory = $false)]
+ [string] $RepoRoot = (Get-Item -Path $PSScriptRoot).parent.parent.parent.FullName
 )
 begin {
 Write-Debug ('{0} entered' -f $MyInvocation.MyCommand)
 # Load helper
- . (Join-Path (Get-Item -Path $PSScriptRoot).parent.FullName 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1')
+ . (Join-Path $RepoRoot 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1')
 }
 process {
+ $deploymentNamePrefix = Split-Path -Path (Split-Path $templateFilePath -Parent) -LeafBase
+ if ([String]::IsNullOrEmpty($deploymentNamePrefix)) {
+ $deploymentNamePrefix = 'templateDeployment-{0}' -f (Split-Path $templateFilePath -LeafBase)
+ }
+
+ $modulesRegex = '.+[\\|\/]modules[\\|\/]'
+ if ($templateFilePath -match $modulesRegex) {
+ # If we can assume we're operating in a module structure, we can further fetch the provider namespace & resource type
+ $shortPathElem = (($templateFilePath -split $modulesRegex)[1] -replace '\\', '/') -split '/' # e.g., app-configuration, configuration-store, .test, common, main.test.bicep
+ $providerNamespace = $shortPathElem[0] # e.g., app-configuration
+ $providerNamespaceShort = ($providerNamespace -split '-' | ForEach-Object { $_[0] }) -join '' # e.g., ac
+
+ $resourceType = $shortPathElem[1] # e.g., configuration-store
+ $resourceTypeShort = ($resourceType -split '-' | ForEach-Object { $_[0] }) -join '' # e.g. cs
+
+ $testFolderShort = Split-Path (Split-Path $templateFilePath -Parent) -Leaf # e.g., common
+
+ $deploymentNamePrefix = "$providerNamespaceShort-$resourceTypeShort-$testFolderShort" # e.g., ac-cs-common
+ }
+
 $DeploymentInputs = @{
 TemplateFile = $templateFilePath
 Verbose = $true
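Review bot: In `$modulesRegex = '.+[\\|\/]modules[\\|\/]'` the `|` inside a character class is a literal pipe, not alternation, so the class accepts `\`, `|` and `/`; it is harmless for real paths but misleading, and `'.+[\\\/]modules[\\\/]'` states the intent. Because the leading `.+` is greedy, a path that contains a `modules` folder more than once is split at the last occurrence, which is probably the desired behaviour but deserves a comment such as `# greedy: anchors on the last 'modules' folder in the path`. The same block, with the same regex, is added to Get-TemplateDeploymentWhatIf.ps1 later in this commit (its `@@ -68,17 +71,40 @@` hunk).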
@@ -96,24 +122,6 @@ function Test-TemplateDeployment { $deploymentScope = Get-ScopeOfTemplateFile -TemplateFilePath $templateFilePath -Verbose - $deploymentNamePrefix = Split-Path -Path (Split-Path $templateFilePath -Parent) -LeafBase - if ([String]::IsNullOrEmpty($deploymentNamePrefix)) { - $deploymentNamePrefix = 'templateDeployment-{0}' -f (Split-Path $templateFilePath -LeafBase) - } - if ($templateFilePath -match '.*(\\|\/)Microsoft.+') { - # If we can assume we're operating in a module structure, we can further fetch the provider namespace & resource type - $shortPathElem = (($templateFilePath -split 'Microsoft\.')[1] -replace '\\', '/') -split '/' # e.g., AppConfiguration, configurationStores, .test, common, main.test.bicep - $providerNamespace = $shortPathElem[0] # e.g., AppConfiguration - $providerNamespaceShort = ($providerNamespace -creplace '[^A-Z]').ToLower() # e.g., ac - - $resourceType = $shortPathElem[1] # e.g., configurationStores - $resourceTypeShort = ('{0}{1}' -f ($resourceType.ToLower())[0], ($resourceType -creplace '[^A-Z]')).ToLower() # e.g. cs - - $testFolderShort = Split-Path (Split-Path $templateFilePath -Parent) -Leaf # e.g., common - - $deploymentNamePrefix = "$providerNamespaceShort-$resourceTypeShort-$testFolderShort" # e.g., ac-cs-common - } - # Generate a valid deployment name. Must match ^[-\w\._\(\)]+$ do { $deploymentName = ('{0}-{1}' -f $deploymentNamePrefix, (Get-Date -Format 'yyyyMMddTHHMMssffffZ'))[0..63] -join '' diff --git a/utilities/tools/Test-ModuleLocally.ps1 b/utilities/tools/Test-ModuleLocally.ps1 index 4e7d37c073..fcc91d5fdb 100644 --- a/utilities/tools/Test-ModuleLocally.ps1 +++ b/utilities/tools/Test-ModuleLocally.ps1 
@@ -37,31 +37,7 @@ Optional. A hashtable parameter that contains custom tokens to be replaced in th $TestModuleLocallyInput = @{ TemplateFilePath = 'C:\network\route-table\main.bicep' - ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' - PesterTest = $false - DeploymentTest = $false - WhatIfTest = $false - ValidationTest = $true - ValidateOrDeployParameters = @{ - Location = 'westeurope' - ResourceGroupName = 'validation-rg' - SubscriptionId = '00000000-0000-0000-0000-000000000000' - ManagementGroupId = '00000000-0000-0000-0000-000000000000' - RemoveDeployment = $false - } - AdditionalTokens = @{ - tenantId = '00000000-0000-0000-0000-000000000000' - } -} -Test-ModuleLocally @TestModuleLocallyInput -Verbose - -Run a Test-Az*Deployment using a specific parameter-template combination with the provided tokens - -.EXAMPLE - -$TestModuleLocallyInput = @{ - TemplateFilePath = 'C:\network\route-table\main.bicep' - ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' + ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' PesterTest = $false DeploymentTest = $false WhatIfTest = $false @@ -84,7 +60,7 @@ Run a Test-Az*Deployment using a test file with the provided tokens $TestModuleLocallyInput = @{ TemplateFilePath = 'C:\network\route-table\main.bicep' - ModuleTestFilePath = 'C:\network\route-table\.test\parameters.json' + ModuleTestFilePath = 'C:\network\route-table\tests\e2e\defaults\main.test.bicep' PesterTest = $false DeploymentTest = $false WhatIfTest = $true 
@@ -102,13 +78,13 @@ $TestModuleLocallyInput = @{ } Test-ModuleLocally @TestModuleLocallyInput -Verbose -Get What-If deployment result using a specific parameter-template combination with the provided tokens +Get What-If deployment result using a specific test-template combination with the provided tokens .EXAMPLE $TestModuleLocallyInput = @{ TemplateFilePath = 'C:\network\route-table\main.bicep' - ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' + ModuleTestFilePath = 'C:\network\route-table\.test\common\main.test.bicep' PesterTest = $false DeploymentTest = $false WhatIfTest = $true @@ -190,7 +166,7 @@ function Test-ModuleLocally { [string] $TemplateFilePath, [Parameter(Mandatory = $false)] - [string] $ModuleTestFilePath = (Join-Path (Split-Path $TemplateFilePath -Parent) '.test'), + [string] $ModuleTestFilePath = (Join-Path (Split-Path $TemplateFilePath -Parent) 'tests'), [Parameter(Mandatory = $false)] [string] $PesterTestFilePath = 'utilities/pipelines/staticValidation/module.tests.ps1', @@ -224,7 +200,7 @@ function Test-ModuleLocally { # Load Modules Validation / Deployment Scripts . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'New-TemplateDeployment.ps1') . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'Test-TemplateDeployment.ps1') - . (Join-Path $utilitiesFolderPath 'pipelines' 'resourceDeployment' 'Get-TemplateDeploymenWhatIf.ps1') + . (Join-Path $PSScriptRoot 'helper' 'Get-TemplateDeploymentWhatIf.ps1') } process { 
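Review bot: The default for `$ModuleTestFilePath` now points at a `tests` folder, but the help examples in this file (the `-37` and `-102` hunks) still use `.test\common\main.test.bicep`, while only the `-84` example was moved to `tests\e2e\defaults\main.test.bicep`; the remaining examples should follow the new layout, or the older path needs a sentence saying it is still accepted. The `.PARAMETER ModuleTestFilePath` description, which is outside these hunks, should likewise state the new default.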
@@ -327,12 +303,7 @@ function Test-ModuleLocally {
 # Loop through test files
 foreach ($moduleTestFile in $moduleTestFiles) {
 Write-Verbose ('Validating module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)) -Verbose
- if ((Split-Path $moduleTestFile -Extension) -eq '.json') {
- Test-TemplateDeployment @functionInput -ParameterFilePath $moduleTestFile
- } else {
- $functionInput['TemplateFilePath'] = $moduleTestFile
- Test-TemplateDeployment @functionInput
- }
+ Test-TemplateDeployment @functionInput -TemplateFilePath $moduleTestFile
 }
 }
 # What-If validation for template
@@ -341,12 +312,7 @@ function Test-ModuleLocally {
 # Loop through test files
 foreach ($moduleTestFile in $moduleTestFiles) {
 Write-Verbose ('Get Deployment What-If result for module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)) -Verbose
- if ((Split-Path $moduleTestFile -Extension) -eq '.json') {
- Get-TemplateDeploymenWhatIf @functionInput -ParameterFilePath $moduleTestFile
- } else {
- $functionInput['TemplateFilePath'] = $moduleTestFile
- Get-TemplateDeploymenWhatIf @functionInput
- }
+ Get-TemplateDeploymentWhatIf @functionInput -TemplateFilePath $moduleTestFile
 }
 }
 # Deploy template
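Review bot: `Test-TemplateDeployment @functionInput -TemplateFilePath $moduleTestFile` will fail at bind time with "parameter 'TemplateFilePath' is specified more than once" if `$functionInput` still carries a `TemplateFilePath` key; the removed `.json` branch splatted the same hashtable without overriding that key, which suggests it is populated where `$functionInput` is assembled, outside this hunk. Either leave the key out when the hashtable is built, or override it on a copy, e.g. `$testInput = $functionInput.Clone(); $testInput['TemplateFilePath'] = $moduleTestFile; Test-TemplateDeployment @testInput`. The same applies to the `Get-TemplateDeploymentWhatIf` call in the `@@ -341,12 +312,7 @@` hunk and to the `New-TemplateDeployment` call in the `@@ -356,15 +322,8 @@` hunk.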
@@ -356,15 +322,8 @@ function Test-ModuleLocally { # Loop through test files foreach ($moduleTestFile in $moduleTestFiles) { Write-Verbose ('Deploy Module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)) -Verbose - if ((Split-Path $moduleTestFile -Extension) -eq '.json') { - if ($PSCmdlet.ShouldProcess(('Module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)), 'Deploy')) { - New-TemplateDeployment @functionInput -ParameterFilePath $moduleTestFile - } - } else { - $functionInput['TemplateFilePath'] = $moduleTestFile - if ($PSCmdlet.ShouldProcess(('Module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)), 'Deploy')) { - New-TemplateDeployment @functionInput - } + if ($PSCmdlet.ShouldProcess(('Module [{0}] with test file [{1}]' -f $ModuleName, (Split-Path $moduleTestFile -Leaf)), 'Deploy')) { + New-TemplateDeployment @functionInput -TemplateFilePath $moduleTestFile } } } diff --git a/utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 b/utilities/tools/helper/Get-TemplateDeploymentWhatIf.ps1 similarity index 82% rename from utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 rename to utilities/tools/helper/Get-TemplateDeploymentWhatIf.ps1 index 5e6e3ec0f6..8570507784 100644 --- a/utilities/pipelines/resourceDeployment/Get-TemplateDeploymenWhatIf.ps1 +++ b/utilities/tools/helper/Get-TemplateDeploymentWhatIf.ps1 
@@ -30,22 +30,25 @@ Optional. Name of the management group to deploy into. Mandatory if deploying in .PARAMETER additionalParameters Optional. Additional parameters you can provide with the deployment. E.g. @{ resourceGroupName = 'myResourceGroup' } +.PARAMETER RepoRoot +Optional. The path to the repository's root + .EXAMPLE -Get-TemplateDeploymenWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -parameterFilePath 'C:/key-vault/vault/.test/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' +Get-TemplateDeploymentWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -parameterFilePath 'C:/key-vault/vault/.test/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' Get What-If deployment result for the main.bicep of the KeyVault module with the parameter file 'parameters.json' using the resource group 'aLegendaryRg' in location 'WestEurope' .EXAMPLE -Get-TemplateDeploymenWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' +Get-TemplateDeploymentWhatIf -templateFilePath 'C:/key-vault/vault/main.bicep' -location 'WestEurope' -resourceGroupName 'aLegendaryRg' Get What-If deployment result for the main.bicep of the KeyVault module using the resource group 'aLegendaryRg' in location 'WestEurope' .EXAMPLE -Get-TemplateDeploymenWhatIf -templateFilePath 'C:/resources/resource-group/main.json' -parameterFilePath 'C:/resources/resource-group/.test/parameters.json' -location 'WestEurope' +Get-TemplateDeploymentWhatIf -templateFilePath 'C:/resources/resource-group/main.json' -parameterFilePath 'C:/resources/resource-group/.test/parameters.json' -location 'WestEurope' Get What-If deployment result for the main.json of the ResourceGroup module with the parameter file 'parameters.json' in location 'WestEurope' #> -function Get-TemplateDeploymenWhatIf { +function Get-TemplateDeploymentWhatIf { [CmdletBinding(SupportsShouldProcess)] param ( 
@@ -68,17 +71,40 @@ function Get-TemplateDeploymenWhatIf { [string] $managementGroupId, [Parameter(Mandatory = $false)] - [Hashtable] $additionalParameters + [Hashtable] $additionalParameters, + + [Parameter(Mandatory = $false)] + [string] $RepoRoot = (Get-Item -Path $PSScriptRoot).parent.parent.parent.FullName ) begin { Write-Debug ('{0} entered' -f $MyInvocation.MyCommand) # Load helper - . (Join-Path (Get-Item -Path $PSScriptRoot).parent.FullName 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') + . (Join-Path $repoRoot 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') } process { + $deploymentNamePrefix = Split-Path -Path (Split-Path $templateFilePath -Parent) -LeafBase + if ([String]::IsNullOrEmpty($deploymentNamePrefix)) { + $deploymentNamePrefix = 'templateDeployment-{0}' -f (Split-Path $templateFilePath -LeafBase) + } + + $modulesRegex = '.+[\\|\/]modules[\\|\/]' + if ($templateFilePath -match $modulesRegex) { + # If we can assume we're operating in a module structure, we can further fetch the provider namespace & resource type + $shortPathElem = (($templateFilePath -split $modulesRegex)[1] -replace '\\', '/') -split '/' # e.g., app-configuration, configuration-store, .test, common, main.test.bicep + $providerNamespace = $shortPathElem[0] # e.g., app-configuration + $providerNamespaceShort = ($providerNamespace -split '-' | ForEach-Object { $_[0] }) -join '' # e.g., ac + + $resourceType = $shortPathElem[1] # e.g., configuration-store + $resourceTypeShort = ($resourceType -split '-' | ForEach-Object { $_[0] }) -join '' # e.g. cs + + $testFolderShort = Split-Path (Split-Path $templateFilePath -Parent) -Leaf # e.g., common + + $deploymentNamePrefix = "$providerNamespaceShort-$resourceTypeShort-$testFolderShort" # e.g., ac-cs-common + } + $DeploymentInputs = @{ TemplateFile = $templateFilePath Verbose = $true 
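Review bot: The dot-source in `begin` reads `$repoRoot` while the parameter is declared as `$RepoRoot`; PowerShell resolves variables case-insensitively so it works, but the sibling Test-TemplateDeployment.ps1 in this commit writes `$RepoRoot`, and matching that casing keeps the two copies of this prologue diff-identical. The `$modulesRegex` block added here duplicates the one in Test-TemplateDeployment.ps1, including the literal-pipe character class noted on that hunk.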
@@ -96,24 +122,6 @@ function Get-TemplateDeploymenWhatIf { $deploymentScope = Get-ScopeOfTemplateFile -TemplateFilePath $templateFilePath -Verbose - $deploymentNamePrefix = Split-Path -Path (Split-Path $templateFilePath -Parent) -LeafBase - if ([String]::IsNullOrEmpty($deploymentNamePrefix)) { - $deploymentNamePrefix = 'templateDeployment-{0}' -f (Split-Path $templateFilePath -LeafBase) - } - if ($templateFilePath -match '.*(\\|\/)Microsoft.+') { - # If we can assume we're operating in a module structure, we can further fetch the provider namespace & resource type - $shortPathElem = (($templateFilePath -split 'Microsoft\.')[1] -replace '\\', '/') -split '/' # e.g., AppConfiguration, configurationStores, .test, common, main.test.bicep - $providerNamespace = $shortPathElem[0] # e.g., AppConfiguration - $providerNamespaceShort = ($providerNamespace -creplace '[^A-Z]').ToLower() # e.g., ac - - $resourceType = $shortPathElem[1] # e.g., configurationStores - $resourceTypeShort = ('{0}{1}' -f ($resourceType.ToLower())[0], ($resourceType -creplace '[^A-Z]')).ToLower() # e.g. cs - - $testFolderShort = Split-Path (Split-Path $templateFilePath -Parent) -Leaf # e.g., common - - $deploymentNamePrefix = "$providerNamespaceShort-$resourceTypeShort-$testFolderShort" # e.g., ac-cs-common - } - # Generate a valid deployment name. Must match ^[-\w\._\(\)]+$ do { $deploymentName = ('{0}-{1}' -f $deploymentNamePrefix, (Get-Date -Format 'yyyyMMddTHHMMssffffZ'))[0..63] -join '' From 1c3ccfb68277b03e18894751f0d473537b452a44 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Sat, 2 Dec 2023 00:33:29 +0100 Subject: [PATCH 133/178] Added MOVED-TO-AVM (#4322) --- modules/document-db/database-account/MOVED-TO-AVM.md | 1 + modules/document-db/database-account/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/document-db/database-account/MOVED-TO-AVM.md 
diff --git a/modules/document-db/database-account/MOVED-TO-AVM.md b/modules/document-db/database-account/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/document-db/database-account/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index e0e87268ce..f7db7befdd 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -1,5 +1,7 @@ # DocumentDB Database Accounts `[Microsoft.DocumentDB/databaseAccounts]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a DocumentDB Database Account. ## Navigation From 7071a5e43aaf60276f74518104fb9382af96c728 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Sun, 3 Dec 2023 00:03:38 +0100 Subject: [PATCH 134/178] [Fixes] Added missing connection property to VPN GW deployment (#4313) * First draft * Refreshed files * Update to latest * Update to latest * Update to latest --- modules/network/vpn-gateway/main.bicep | 50 +++++++---- modules/network/vpn-gateway/main.json | 82 +++++++++++++++---- .../network/vpn-gateway/nat-rule/main.json | 4 +- .../vpn-gateway/vpn-connection/main.json | 4 +- 4 files changed, 105 insertions(+), 35 deletions(-) diff --git a/modules/network/vpn-gateway/main.bicep b/modules/network/vpn-gateway/main.bicep index 98d2495329..943525aca2 100644 --- a/modules/network/vpn-gateway/main.bicep +++ b/modules/network/vpn-gateway/main.bicep 
@@ -61,6 +61,27 @@ resource vpnGateway 'Microsoft.Network/vpnGateways@2023-04-01' = {
 enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat
 isRoutingPreferenceInternet: isRoutingPreferenceInternet
 vpnGatewayScaleUnit: vpnGatewayScaleUnit
+ connections: [for (connection, index) in vpnConnections: {
+ name: connection.name
+ properties: {
+ connectionBandwidth: connection.?connectionBandwidth
+ enableBgp: connection.?enableBgp
+ enableInternetSecurity: connection.?enableInternetSecurity
+ remoteVpnSite: contains(connection, 'remoteVpnSiteResourceId') ? {
+ id: connection.remoteVpnSiteResourceId
+ } : null
+ enableRateLimiting: connection.?enableRateLimiting
+ routingConfiguration: connection.?routingConfiguration
+ routingWeight: connection.?routingWeight
+ sharedKey: connection.?sharedKey
+ useLocalAzureIpAddress: connection.?useLocalAzureIpAddress
+ usePolicyBasedTrafficSelectors: connection.?usePolicyBasedTrafficSelectors
+ vpnConnectionProtocolType: connection.?vpnConnectionProtocolType
+ ipsecPolicies: connection.?ipsecPolicies
+ trafficSelectorPolicies: connection.?trafficSelectorPolicies
+ vpnLinkConnections: connection.?vpnLinkConnections
+ }
+ }]
 virtualHub: {
 id: virtualHubResourceId
 }
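Review bot: The new `connections` property is built from the same `vpnConnections` input that the `vpnGateway_vpnConnections` module loop further down (outside this hunk) still deploys, so each connection now appears to be declared both as a gateway property and as a child module deployment. If the inline property is needed so that a gateway update does not drop existing connections, a comment stating that, e.g. `// connections are also declared on the gateway so a later gateway PUT does not remove them`, would stop the next maintainer from deleting one of the two. `sharedKey: connection.?sharedKey` also places the IPsec pre-shared key inside the plain `vpnConnections` object array; unless that parameter is declared `@secure()` (its declaration is outside the hunk) the key is retained in deployment history and echoed in what-if output, so either document that constraint on the parameter or source the key from a secure parameter. The unused loop variable `index` can be dropped from `[for (connection, index) in vpnConnections: {`.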
@@ -95,21 +116,20 @@ module vpnGateway_vpnConnections 'vpn-connection/main.bicep' = [for (connection,
 params: {
 name: connection.name
 vpnGatewayName: vpnGateway.name
- connectionBandwidth: contains(connection, 'connectionBandwidth') ? connection.connectionBandwidth : 10
- enableBgp: contains(connection, 'enableBgp') ? connection.enableBgp : false
- enableInternetSecurity: contains(connection, 'enableInternetSecurity') ? connection.enableInternetSecurity : false
- remoteVpnSiteResourceId: contains(connection, 'remoteVpnSiteResourceId') ? connection.remoteVpnSiteResourceId : ''
- enableRateLimiting: contains(connection, 'enableRateLimiting') ? connection.enableRateLimiting : false
- routingConfiguration: contains(connection, 'routingConfiguration') ? connection.routingConfiguration : {}
- routingWeight: contains(connection, 'routingWeight') ? connection.routingWeight : 0
- sharedKey: contains(connection, 'sharedKey') ? connection.sharedKey : ''
- useLocalAzureIpAddress: contains(connection, 'useLocalAzureIpAddress') ? connection.useLocalAzureIpAddress : false
- usePolicyBasedTrafficSelectors: contains(connection, 'usePolicyBasedTrafficSelectors') ? connection.usePolicyBasedTrafficSelectors : false
- vpnConnectionProtocolType: contains(connection, 'vpnConnectionProtocolType') ? connection.vpnConnectionProtocolType : 'IKEv2'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- ipsecPolicies: contains(connection, 'ipsecPolicies') ? connection.ipsecPolicies : []
- trafficSelectorPolicies: contains(connection, 'trafficSelectorPolicies') ? connection.trafficSelectorPolicies : []
- vpnLinkConnections: contains(connection, 'vpnLinkConnections') ? connection.vpnLinkConnections : []
+ connectionBandwidth: connection.?connectionBandwidth
+ enableBgp: connection.?enableBgp
+ enableInternetSecurity: connection.?enableInternetSecurity
+ remoteVpnSiteResourceId: connection.?remoteVpnSiteResourceId
+ enableRateLimiting: connection.?enableRateLimiting
+ routingConfiguration: connection.?routingConfiguration
+ routingWeight: connection.?routingWeight
+ sharedKey: connection.?sharedKey
+ useLocalAzureIpAddress: connection.?useLocalAzureIpAddress
+ usePolicyBasedTrafficSelectors: connection.?usePolicyBasedTrafficSelectors
+ vpnConnectionProtocolType: connection.?vpnConnectionProtocolType
+ enableDefaultTelemetry: connection.?ipsecPolicies
+ trafficSelectorPolicies: connection.?trafficSelectorPolicies
+ vpnLinkConnections: connection.?vpnLinkConnections
 }
 }]
diff --git a/modules/network/vpn-gateway/main.json b/modules/network/vpn-gateway/main.json
index aefc4f89d9..07ddb84961 100644
--- a/modules/network/vpn-gateway/main.json
+++ b/modules/network/vpn-gateway/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8700890331432111745"
+ "templateHash": "12893789800987585694"
 },
 "name": "VPN Gateways",
 "description": "This module deploys a VPN Gateway.",
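Review bot: `enableDefaultTelemetry: connection.?ipsecPolicies` is a defect: the new side dropped the `ipsecPolicies:` key and assigned the connection's IPsec policy list to the telemetry switch, so custom IPsec policies are no longer forwarded to the child `vpn-connection` module and `enableDefaultTelemetry` receives an array or null instead of `enableReferencedModulesTelemetry`. It should read `enableDefaultTelemetry: enableReferencedModulesTelemetry` followed by `ipsecPolicies: connection.?ipsecPolicies`, matching the inline `connections` block earlier in this commit. This matters beyond telemetry because `ipsecPolicies` is where the IKE/IPsec cipher, integrity and DH-group constraints are pinned; silently discarding them leaves the connection on service defaults without any deployment error. The compiled main.json should be regenerated once the fix is in, since its `enableDefaultTelemetry` parameter block (cut off at the end of this page) is derived from this line.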
@@ -147,6 +147,31 @@ "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { + "copy": [ + { + "name": "connections", + "count": "[length(parameters('vpnConnections'))]", + "input": { + "name": "[parameters('vpnConnections')[copyIndex('connections')].name]", + "properties": { + "connectionBandwidth": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'connectionBandwidth')]", + "enableBgp": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableBgp')]", + "enableInternetSecurity": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableInternetSecurity')]", + "remoteVpnSite": "[if(contains(parameters('vpnConnections')[copyIndex('connections')], 'remoteVpnSiteResourceId'), createObject('id', parameters('vpnConnections')[copyIndex('connections')].remoteVpnSiteResourceId), null())]", + "enableRateLimiting": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'enableRateLimiting')]", + "routingConfiguration": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'routingConfiguration')]", + "routingWeight": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'routingWeight')]", + "sharedKey": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'sharedKey')]", + "useLocalAzureIpAddress": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'useLocalAzureIpAddress')]", + "usePolicyBasedTrafficSelectors": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'usePolicyBasedTrafficSelectors')]", + "vpnConnectionProtocolType": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'vpnConnectionProtocolType')]", + "ipsecPolicies": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'ipsecPolicies')]", + "trafficSelectorPolicies": "[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'trafficSelectorPolicies')]", + "vpnLinkConnections": 
"[tryGet(parameters('vpnConnections')[copyIndex('connections')], 'vpnLinkConnections')]" + } + } + } + ], "bgpSettings": "[parameters('bgpSettings')]", "enableBgpRouteTranslationForNat": "[parameters('enableBgpRouteTranslationForNat')]", "isRoutingPreferenceInternet": "[parameters('isRoutingPreferenceInternet')]", 
@@ -355,23 +380,48 @@ "vpnGatewayName": { "value": "[parameters('name')]" }, - "connectionBandwidth": "[if(contains(parameters('vpnConnections')[copyIndex()], 'connectionBandwidth'), createObject('value', parameters('vpnConnections')[copyIndex()].connectionBandwidth), createObject('value', 10))]", - "enableBgp": "[if(contains(parameters('vpnConnections')[copyIndex()], 'enableBgp'), createObject('value', parameters('vpnConnections')[copyIndex()].enableBgp), createObject('value', false()))]", - "enableInternetSecurity": "[if(contains(parameters('vpnConnections')[copyIndex()], 'enableInternetSecurity'), createObject('value', parameters('vpnConnections')[copyIndex()].enableInternetSecurity), createObject('value', false()))]", - "remoteVpnSiteResourceId": "[if(contains(parameters('vpnConnections')[copyIndex()], 'remoteVpnSiteResourceId'), createObject('value', parameters('vpnConnections')[copyIndex()].remoteVpnSiteResourceId), createObject('value', ''))]", - "enableRateLimiting": "[if(contains(parameters('vpnConnections')[copyIndex()], 'enableRateLimiting'), createObject('value', parameters('vpnConnections')[copyIndex()].enableRateLimiting), createObject('value', false()))]", - "routingConfiguration": "[if(contains(parameters('vpnConnections')[copyIndex()], 'routingConfiguration'), createObject('value', parameters('vpnConnections')[copyIndex()].routingConfiguration), createObject('value', createObject()))]", - "routingWeight": "[if(contains(parameters('vpnConnections')[copyIndex()], 'routingWeight'), createObject('value', parameters('vpnConnections')[copyIndex()].routingWeight), createObject('value', 0))]", - "sharedKey": "[if(contains(parameters('vpnConnections')[copyIndex()], 'sharedKey'), createObject('value', parameters('vpnConnections')[copyIndex()].sharedKey), createObject('value', ''))]", - "useLocalAzureIpAddress": "[if(contains(parameters('vpnConnections')[copyIndex()], 'useLocalAzureIpAddress'), createObject('value', 
parameters('vpnConnections')[copyIndex()].useLocalAzureIpAddress), createObject('value', false()))]", - "usePolicyBasedTrafficSelectors": "[if(contains(parameters('vpnConnections')[copyIndex()], 'usePolicyBasedTrafficSelectors'), createObject('value', parameters('vpnConnections')[copyIndex()].usePolicyBasedTrafficSelectors), createObject('value', false()))]", - "vpnConnectionProtocolType": "[if(contains(parameters('vpnConnections')[copyIndex()], 'vpnConnectionProtocolType'), createObject('value', parameters('vpnConnections')[copyIndex()].vpnConnectionProtocolType), createObject('value', 'IKEv2'))]", + "connectionBandwidth": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'connectionBandwidth')]" + }, + "enableBgp": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableBgp')]" + }, + "enableInternetSecurity": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableInternetSecurity')]" + }, + "remoteVpnSiteResourceId": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'remoteVpnSiteResourceId')]" + }, + "enableRateLimiting": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'enableRateLimiting')]" + }, + "routingConfiguration": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'routingConfiguration')]" + }, + "routingWeight": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'routingWeight')]" + }, + "sharedKey": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'sharedKey')]" + }, + "useLocalAzureIpAddress": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'useLocalAzureIpAddress')]" + }, + "usePolicyBasedTrafficSelectors": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'usePolicyBasedTrafficSelectors')]" + }, + "vpnConnectionProtocolType": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'vpnConnectionProtocolType')]" + }, "enableDefaultTelemetry": { - "value": 
"[variables('enableReferencedModulesTelemetry')]" + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'ipsecPolicies')]" }, - "ipsecPolicies": "[if(contains(parameters('vpnConnections')[copyIndex()], 'ipsecPolicies'), createObject('value', parameters('vpnConnections')[copyIndex()].ipsecPolicies), createObject('value', createArray()))]", - "trafficSelectorPolicies": "[if(contains(parameters('vpnConnections')[copyIndex()], 'trafficSelectorPolicies'), createObject('value', parameters('vpnConnections')[copyIndex()].trafficSelectorPolicies), createObject('value', createArray()))]", - "vpnLinkConnections": "[if(contains(parameters('vpnConnections')[copyIndex()], 'vpnLinkConnections'), createObject('value', parameters('vpnConnections')[copyIndex()].vpnLinkConnections), createObject('value', createArray()))]" + "trafficSelectorPolicies": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'trafficSelectorPolicies')]" + }, + "vpnLinkConnections": { + "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'vpnLinkConnections')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", diff --git a/modules/network/vpn-gateway/nat-rule/main.json b/modules/network/vpn-gateway/nat-rule/main.json index 9be53d2e0d..2e03c8868b 100644 --- a/modules/network/vpn-gateway/nat-rule/main.json +++ b/modules/network/vpn-gateway/nat-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4165642550711844737" + "version": "0.23.1.45101", + "templateHash": "2150556463317760652" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a VPN Gateway NAT Rule.", diff --git a/modules/network/vpn-gateway/vpn-connection/main.json b/modules/network/vpn-gateway/vpn-connection/main.json index a4ad3b7923..84a6dfdf0b 100644 --- a/modules/network/vpn-gateway/vpn-connection/main.json 
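Review bot: The nested deployment's `enableDefaultTelemetry` parameter now receives `"[tryGet(parameters('vpnConnections')[copyIndex()], 'ipsecPolicies')]"` while the `ipsecPolicies` parameter entry itself was removed, so the per-connection IPsec/IKE policy is no longer forwarded to the connection module at all. A caller that sets `ipsecPolicies` hands an array to a boolean telemetry switch (presumably rejected as a type mismatch), and a caller that does not will silently deploy with the provider's default cipher suite instead of the policy they intended to enforce. Because the `_generator` metadata in the neighbouring hunks marks these templates as compiled Bicep, the slip most likely lives in the module's Bicep source and the JSON should be regenerated rather than hand-patched; the expected compiled output is `"enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }` plus a restored `"ipsecPolicies": { "value": "[tryGet(parameters('vpnConnections')[copyIndex()], 'ipsecPolicies')]" }` entry between `enableDefaultTelemetry` and `trafficSelectorPolicies`. A test deployment that sets a non-default `ipsecPolicies` on one connection would have caught this regression.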
+++ b/modules/network/vpn-gateway/vpn-connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13660788048333105050" + "version": "0.23.1.45101", + "templateHash": "6383697389251029881" }, "name": "VPN Gateway VPN Connections", "description": "This module deploys a VPN Gateway VPN Connection.", From f9ef71331ef816118afb16a2a7fe2cd07d58dbd4 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sat, 2 Dec 2023 23:04:12 +0000 Subject: [PATCH 135/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 7c28791b22..a179adb657 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -120,7 +120,7 @@ This section provides an overview of the library's feature set. | 105 | network

virtual-network | [![Network - VirtualNetworks](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | | | | | | | [L1:3, L2:1, L3:4] | 276 | | 106 | network

virtual-network-gateway | [![Network - VirtualNetworkGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualNetworkGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworkgateways.yml) | | | | | | | [L1:2, L2:1, L3:3] | 403 | | 107 | network

virtual-wan | [![Network - VirtualWans](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VirtualWans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualwans.yml) | | | | | | | [L1:1, L2:1, L3:3] | 112 | -| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:3, L2:1, L3:3] | 114 | +| 108 | network

vpn-gateway | [![Network - VPNGateways](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPNGateways/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpngateways.yml) | | | | | | | [L1:3, L2:1, L3:3] | 134 | | 109 | network

vpn-site | [![Network - VPN Sites](https://github.com/Azure/ResourceModules/workflows/Network%20-%20VPN%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.vpnsites.yml) | | | | | | | [L1:1, L2:1, L3:3] | 124 | | 110 | operational-insights

workspace | [![OperationalInsights - Workspaces](https://github.com/Azure/ResourceModules/workflows/OperationalInsights%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationalinsights.workspaces.yml) | | | | | | | [L1:8, L2:1, L3:4] | 348 | | 111 | operations-management

solution | [![OperationsManagement - Solutions](https://github.com/Azure/ResourceModules/workflows/OperationsManagement%20-%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | | | | | | [L1:1, L2:1, L3:3] | 53 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29874 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29894 | ## Legend From 3b5b435bf25bcdbfd7ef139ce775d9fba2c2d473 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 3 Dec 2023 12:05:28 +0000 Subject: [PATCH 136/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 655 +++++++++++++++++++++++--------- 1 file changed, 472 insertions(+), 183 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 2f526fc6d6..b6047fdd50 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -11959,7 +11959,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "BenefitRecommendations": [ "2021-11-15-preview", @@ -11967,7 +11968,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "BenefitUtilizationSummaries": [ "2021-11-15-preview", @@ -11975,18 +11977,21 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "BenefitUtilizationSummariesOperationResults": [ "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "BillingAccounts": [ "2018-03-31", "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "budgets": [ "2019-04-01-preview", @@ -11997,7 +12002,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "CalculateCost": [ "2023-04-01-preview" @@ -12009,7 +12015,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "CheckConnectorEligibility": [ "2019-03-01-preview" 
@@ -12022,7 +12029,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "cloudConnectors": [ "2019-03-01-preview" @@ -12033,7 +12041,8 @@ "costAllocationRules": [ "2020-03-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "CostDetailsOperationResults": [ "2022-05-01", @@ -12041,13 +12050,15 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "Departments": [ "2018-03-31", "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "Dimensions": [ "2018-05-31", @@ -12066,13 +12077,15 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "EnrollmentAccounts": [ "2018-03-31", "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "exports": [ "2019-01-01", @@ -12090,7 +12103,8 @@ "2023-04-01-preview", "2023-07-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalBillingAccounts": [ "2019-03-01-preview" @@ -12103,7 +12117,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalBillingAccounts/Dimensions": [ "2019-03-01-preview", @@ -12116,7 +12131,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalBillingAccounts/Forecast": [ "2018-12-01-preview", @@ -12130,7 +12146,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalBillingAccounts/Query": [ "2019-03-01-preview", @@ -12143,13 +12160,15 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "externalSubscriptions": [ "2019-03-01-preview", "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalSubscriptions/Alerts": [ "2018-08-01-preview", 
@@ -12159,7 +12178,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalSubscriptions/Dimensions": [ "2019-03-01-preview", @@ -12172,7 +12192,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalSubscriptions/Forecast": [ "2018-12-01-preview", @@ -12186,7 +12207,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "ExternalSubscriptions/Query": [ "2019-03-01-preview", @@ -12199,7 +12221,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "fetchMarketplacePrices": [ "2022-03-01", @@ -12208,7 +12231,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "fetchMicrosoftPrices": [ "2022-03-01", @@ -12216,7 +12240,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "fetchPrices": [ "2020-01-01-preview", @@ -12235,12 +12260,14 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "GenerateBenefitUtilizationSummariesReport": [ "2023-03-01", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "GenerateCostDetailsReport": [ "2022-05-01", @@ -12248,7 +12275,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "GenerateDetailedCostReport": [ "2020-12-01-preview", @@ -12258,7 +12286,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "GenerateReservationDetailsReport": [ "2019-11-01", @@ -12267,7 +12296,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "Insights": [ "2020-08-01-preview" @@ -12286,7 +12316,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "operations": [ "2018-08-01-preview", 
@@ -12299,7 +12330,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "OperationStatus": [ "2020-12-01-preview", @@ -12312,7 +12344,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "Pricesheets": [ "2022-02-01-preview", @@ -12322,7 +12355,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "Publish": [ "2021-04-01-preview" @@ -12344,7 +12378,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "register": [ "2019-03-01-preview" @@ -12352,7 +12387,8 @@ "reportconfigs": [ "2018-05-31", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "reports": [ "2018-08-01-preview", @@ -12365,7 +12401,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "scheduledActions": [ "2020-03-01-preview", @@ -12375,7 +12412,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "SendMessage": [ "2023-04-01-preview" @@ -12390,7 +12428,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "showbackRules": [ "2019-02-01-alpha", @@ -12398,7 +12437,8 @@ "2019-02-03-alpha", "2019-03-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ], "StartConversation": [ "2023-04-01-preview" @@ -12416,7 +12456,8 @@ "2023-03-01", "2023-04-01-preview", "2023-08-01", - "2023-09-01" + "2023-09-01", + "2023-11-01" ] }, "Microsoft.CostManagementExports": { @@ -13646,7 +13687,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "backupVaults/backupInstances": [ "2021-01-01", @@ -13670,7 +13712,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "backupVaults/backupPolicies": [ "2021-01-01", 
@@ -13694,7 +13737,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "backupVaults/backupResourceGuardProxies": [ "2022-09-01-preview", @@ -13705,7 +13749,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations": [ "2020-01-01-alpha", @@ -13890,7 +13935,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ] }, "Microsoft.DataReplication": { @@ -14925,7 +14971,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "applicationGroups": [ "2019-01-23-preview", @@ -14954,7 +15001,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "applicationGroups/applications": [ "2019-01-23-preview", @@ -14983,7 +15031,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "applicationgroups/desktops": [ "2019-01-23-preview", @@ -15070,7 +15119,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "hostPools/msixPackages": [ "2019-01-23-preview", @@ -15099,7 +15149,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "hostPools/privateEndpointConnections": [ "2021-04-01-preview", @@ -15109,7 +15160,14 @@ "2022-10-14-preview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" + ], + "hostPools/sessionHostConfigurations": [ + "2023-11-01-preview" + ], + "hostPools/sessionHostManagements": [ + "2023-11-01-preview" ], "hostpools/sessionhosts": [ "2019-01-23-preview", 
@@ -15265,12 +15323,14 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "scalingPlans/personalSchedules": [ "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "scalingPlans/pooledSchedules": [ "2022-04-01-preview", @@ -15278,7 +15338,8 @@ "2022-10-14-preview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "workspaces": [ "2019-01-23-preview", @@ -15307,7 +15368,8 @@ "2023-03-21-privatepreview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ], "workspaces/privateEndpointConnections": [ "2021-04-01-preview", @@ -15317,7 +15379,8 @@ "2022-10-14-preview", "2023-07-07-preview", "2023-09-05", - "2023-10-04-preview" + "2023-10-04-preview", + "2023-11-01-preview" ] }, "Microsoft.DevAI": { @@ -16159,7 +16222,8 @@ "2022-10-01", "2022-12-01-preview", "2023-07-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-04-01-preview" ], "locations": [ "2020-03-01-preview", @@ -16167,7 +16231,8 @@ "2022-10-01", "2022-12-01-preview", "2023-07-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-04-01-preview" ], "locations/operationStatuses": [ "2020-03-01-preview", @@ -16175,7 +16240,8 @@ "2022-10-01", "2022-12-01-preview", "2023-07-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-04-01-preview" ], "operations": [ "2020-03-01-preview", @@ -16183,7 +16249,8 @@ "2022-10-01", "2022-12-01-preview", "2023-07-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-04-01-preview" ], "registeredSubscriptions": [ "2020-03-01-preview", @@ -16191,7 +16258,8 @@ "2022-10-01", "2022-12-01-preview", "2023-07-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2024-04-01-preview" ] }, "Microsoft.DevOps": { 
@@ -18345,7 +18413,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "monitors/tagRules": [ "2020-07-01", @@ -18360,7 +18429,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "operations": [ "2020-07-01", @@ -19320,7 +19390,8 @@ "2023-12-10-preview" ], "cloudHsmClusters/privateEndpointConnections": [ - "2022-08-31-preview" + "2022-08-31-preview", + "2023-12-10-preview" ], "dedicatedHSMs": [ "2018-10-31-preview", @@ -25210,13 +25281,16 @@ "2022-09-01", "2022-11-01", "2022-11-01-preview", - "2023-05-01" + "2023-05-01", + "2023-05-01-preview" ], "netAppAccounts/backupVaults": [ - "2022-11-01-preview" + "2022-11-01-preview", + "2023-05-01-preview" ], "netAppAccounts/backupVaults/backups": [ - "2022-11-01-preview" + "2022-11-01-preview", + "2023-05-01-preview" ], "netAppAccounts/capacityPools": [ "2017-08-15", @@ -25378,7 +25452,8 @@ "2022-09-01", "2022-11-01", "2022-11-01-preview", - "2023-05-01" + "2023-05-01", + "2023-05-01-preview" ], "netAppAccounts/capacityPools/volumes/volumeQuotaRules": [ "2022-01-01", @@ -25387,7 +25462,8 @@ "2022-09-01", "2022-11-01", "2022-11-01-preview", - "2023-05-01" + "2023-05-01", + "2023-05-01-preview" ], "netAppAccounts/snapshotPolicies": [ "2020-05-01", @@ -25521,7 +25597,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGatewayAvailableResponseHeaders": [ "2018-11-01", @@ -25558,7 +25635,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGatewayAvailableServerVariables": [ "2018-11-01", @@ -25595,7 +25673,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGatewayAvailableSslOptions": [ "2017-06-01", 
@@ -25646,7 +25725,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGatewayAvailableWafRuleSets": [ "2017-03-01", @@ -25699,7 +25779,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGateways": [ "2014-12-01-preview", @@ -25763,7 +25844,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationGateways/privateEndpointConnections": [ "2020-05-01", @@ -25819,7 +25901,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "applicationSecurityGroups": [ "2017-09-01", @@ -25868,7 +25951,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "azureFirewallFqdnTags": [ "2018-08-01", @@ -25907,7 +25991,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "azureFirewalls": [ "2018-04-01", @@ -25950,7 +26035,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "azureWebCategories": [ "2020-08-01", @@ -25972,7 +26058,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "bastionHosts": [ "2018-10-01", @@ -26010,7 +26097,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "bgpServiceCommunities": [ "2016-12-01", @@ -26064,7 +26152,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "checkFrontdoorNameAvailability": [ "2018-08-01", @@ -26100,7 +26189,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "connections": [ "2014-12-01-preview", @@ -26164,7 +26254,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "connections/sharedkey": [ "2015-05-01-preview", 
@@ -26238,7 +26329,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "ddosCustomPolicies": [ "2018-11-01", @@ -26315,7 +26407,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "dnsForwardingRulesets": [ "2020-04-01-preview", @@ -26532,7 +26625,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCircuits": [ "2014-12-01-preview", @@ -26596,7 +26690,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCircuits/authorizations": [ "2015-05-01-preview", @@ -26851,7 +26946,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteGateways/expressRouteConnections": [ "2018-08-01", @@ -26925,7 +27021,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRoutePorts/authorizations": [ "2021-08-01", @@ -26976,7 +27073,43 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" + ], + "expressRouteProviderPorts": [ + "2019-06-01", + "2019-07-01", + "2019-08-01", + "2019-09-01", + "2019-11-01", + "2019-12-01", + "2020-01-01", + "2020-03-01", + "2020-04-01", + "2020-05-01", + "2020-06-01", + "2020-07-01", + "2020-08-01", + "2020-11-01", + "2021-01-01", + "2021-02-01", + "2021-03-01", + "2021-04-01", + "2021-05-01", + "2021-06-01", + "2021-08-01", + "2021-12-01", + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-01-01-preview", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" ], "expressRouteServiceProviders": [ "2014-12-01-preview", @@ -27040,7 +27173,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "firewallPolicies": [ "2019-06-01", 
@@ -27074,7 +27208,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "firewallPolicies/ruleCollectionGroups": [ "2020-05-01", @@ -27217,7 +27352,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "IpAllocations": [ "2020-01-01", @@ -27244,7 +27380,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "ipGroups": [ "2019-06-01", @@ -27278,7 +27415,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "loadBalancers": [ "2014-12-01-preview", @@ -27342,7 +27480,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "loadBalancers/backendAddressPools": [ "2020-04-01", @@ -27471,7 +27610,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations": [ "2014-12-01-preview", @@ -27535,7 +27675,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/ApplicationGatewayWafDynamicManifests": [ "2022-05-01", @@ -27545,7 +27686,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/autoApprovedPrivateLinkServices": [ "2019-04-01", @@ -27579,7 +27721,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/availableDelegations": [ "2018-04-01", @@ -27622,7 +27765,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/availablePrivateEndpointTypes": [ "2019-02-01", @@ -27657,7 +27801,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/availableServiceAliases": [ "2019-08-01", @@ -27688,7 +27833,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/bareMetalTenants": [ "2018-07-01", 
@@ -27728,7 +27874,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/batchNotifyPrivateEndpointsForResourceMove": [ "2020-03-01", @@ -27754,7 +27901,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/batchValidatePrivateEndpointsForResourceMove": [ "2020-03-01", @@ -27780,7 +27928,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/checkAcceleratedNetworkingSupport": [ "2018-04-01", @@ -27823,7 +27972,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/CheckDnsNameAvailability": [ "2014-12-01-preview", @@ -27887,7 +28037,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/checkPrivateLinkServiceVisibility": [ "2019-04-01", @@ -27921,7 +28072,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/commitInternalAzureNetworkManagerConfiguration": [ "2022-01-01", @@ -27935,15 +28087,28 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" + ], + "locations/dataTasks": [ + "2021-03-01", + "2021-04-01", + "2021-05-01", + "2021-06-01", + "2021-08-01", + "2021-12-01", + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" ], - "locations/dataTasks": [ - "2021-03-01", - "2021-04-01", - "2021-05-01", - "2021-06-01", - "2021-08-01", - "2021-12-01", + "locations/deletePacketTagging": [ "2022-01-01", "2022-05-01", "2022-07-01", @@ -27952,7 +28117,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/dnsResolverOperationResults": [ "2020-04-01-preview", 
@@ -28013,7 +28179,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/getAzureNetworkManagerConfiguration": [ "2020-08-01", @@ -28034,7 +28201,20 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" + ], + "locations/getPacketTagging": [ + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" ], "locations/hybridEdgeZone": [ "2022-01-01", @@ -28046,7 +28226,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/internalAzureVirtualNetworkManagerOperation": [ "2022-01-01", @@ -28060,7 +28241,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/nfvOperationResults": [ "2017-09-01", @@ -28110,7 +28292,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/nfvOperations": [ "2017-09-01", @@ -28160,7 +28343,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/operationResults": [ "2014-12-01-preview", @@ -28224,7 +28408,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/operations": [ "2014-12-01-preview", @@ -28288,7 +28473,16 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" + ], + "locations/perimeterAssociableResourceTypes": [ + "2021-02-01-preview", + "2021-05-01-preview", + "2022-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview", + "2023-09-01-preview" ], "locations/privateLinkServices": [ "2020-03-01", @@ -28314,7 +28508,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/publishResources": [ "2022-01-01", 
@@ -28325,12 +28520,40 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/queryNetworkSecurityPerimeter": [ "2021-02-01-preview", "2021-05-01-preview", - "2022-02-01-preview" + "2022-02-01-preview", + "2023-07-01-preview", + "2023-08-01-preview", + "2023-09-01-preview" + ], + "locations/rnmEffectiveNetworkSecurityGroups": [ + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" + ], + "locations/rnmEffectiveRouteTable": [ + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" ], "locations/serviceTagDetails": [ "2021-03-01", @@ -28347,7 +28570,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/serviceTags": [ "2019-02-01", @@ -28382,7 +28606,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/setAzureNetworkManagerConfiguration": [ "2020-08-01", @@ -28403,7 +28628,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/setLoadBalancerFrontendPublicIpAddresses": [ "2020-05-01", @@ -28427,7 +28653,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/setResourceOwnership": [ "2018-04-01", @@ -28470,7 +28697,20 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" + ], + "locations/startPacketTagging": [ + "2022-01-01", + "2022-05-01", + "2022-07-01", + "2022-09-01", + "2022-11-01", + "2023-02-01", + "2023-04-01", + "2023-05-01", + "2023-06-01", + "2023-09-01" ], "locations/supportedVirtualMachineSizes": [ "2018-04-01", 
@@ -28513,7 +28753,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/usages": [ "2014-12-01-preview", @@ -28577,7 +28818,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/validateResourceOwnership": [ "2018-04-01", @@ -28620,7 +28862,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "locations/virtualNetworkAvailableEndpointServices": [ "2017-04-01", @@ -28672,7 +28915,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "managementGroups/networkManagerConnections": [ "2021-05-01-preview" @@ -28712,7 +28956,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "NetworkExperimentProfiles": [ "2019-11-01" @@ -28764,7 +29009,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkInterfaces": [ "2014-12-01-preview", @@ -28828,7 +29074,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkInterfaces/tapConfigurations": [ "2018-08-01", @@ -28878,7 +29125,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers": [ "2021-02-01-preview", @@ -28895,7 +29143,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/connectivityConfigurations": [ "2021-02-01-preview", @@ -29058,7 +29307,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkSecurityGroups": [ "2014-12-01-preview", @@ -29122,7 +29372,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkSecurityGroups/securityRules": [ "2015-05-01-preview", 
@@ -29178,8 +29429,11 @@ "networkSecurityPerimeters": [ "2021-02-01-preview", "2021-03-01-preview", + "2021-05-01-preview", + "2022-02-01-preview", "2023-07-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-09-01-preview" ], "networkSecurityPerimeters/links": [ "2021-02-01-preview", @@ -29228,7 +29482,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkVirtualAppliances/inboundSecurityRules": [ "2020-06-01", @@ -29297,7 +29552,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkWatchers": [ "2014-12-01-preview", @@ -29361,7 +29617,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkWatchers/connectionMonitors": [ "2017-09-01", @@ -29410,7 +29667,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkWatchers/flowLogs": [ "2017-09-01", @@ -29459,7 +29717,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkWatchers/packetCaptures": [ "2016-09-01", @@ -29555,7 +29814,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "operations": [ "2014-12-01-preview", @@ -29619,7 +29879,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "p2svpnGateways": [ "2018-08-01", @@ -29658,7 +29919,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateDnsOperationResults": [ "2018-09-01", @@ -29759,7 +30021,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateEndpoints": [ "2019-02-01", @@ -29794,7 +30057,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateEndpoints/privateDnsZoneGroups": [ "2020-03-01", 
@@ -29851,7 +30115,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateLinkServices": [ "2018-08-01", @@ -29890,7 +30155,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateLinkServices/privateEndpointConnections": [ "2019-04-01", @@ -29983,7 +30249,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "publicIPPrefixes": [ "2018-07-01", @@ -30023,10 +30290,12 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "queryExpressRoutePortsBandwidth": [ - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "routeFilters": [ "2014-12-01-preview", @@ -30090,7 +30359,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "routeFilters/routeFilterRules": [ "2016-12-01", @@ -30200,7 +30470,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "routeTables/routes": [ "2015-05-01-preview", @@ -30278,7 +30549,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "serviceEndpointPolicies": [ "2018-01-01", @@ -30324,7 +30596,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "serviceEndpointPolicies/serviceEndpointPolicyDefinitions": [ "2018-07-01", @@ -30482,7 +30755,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/bgpConnections": [ "2020-05-01", @@ -30675,7 +30949,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworkGateways/natRules": [ "2021-02-01", @@ -30754,7 +31029,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworks/listDnsForwardingRulesets": [ "2020-04-01-preview", 
@@ -30780,7 +31056,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworks/listNetworkManagerEffectiveSecurityAdminRules": [ "2022-01-01", @@ -30794,7 +31071,8 @@ "2023-03-01-preview", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworks/privateDnsZoneLinks": [ "2020-06-01" @@ -30912,7 +31190,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworks/virtualNetworkPeerings": [ "2016-06-01", @@ -30999,7 +31278,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualRouters": [ "2019-06-01", @@ -31033,7 +31313,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualRouters/peerings": [ "2019-07-01", @@ -31109,7 +31390,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualWans/p2sVpnServerConfigurations": [ "2018-08-01", @@ -31168,7 +31450,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "vpnGateways/natRules": [ "2020-08-01", @@ -31253,7 +31536,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "vpnServerConfigurations/configurationPolicyGroups": [ "2021-08-01", @@ -31314,7 +31598,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ] }, "Microsoft.Network.Admin": { @@ -35175,7 +35460,8 @@ "2019-01-01-preview" ], "automations": [ - "2019-01-01-preview" + "2019-01-01-preview", + "2023-12-01-preview" ], "autoProvisioningSettings": [ "2017-08-01-preview", @@ -43067,7 +43353,8 @@ "amlFilesystems": [ "2021-11-01-preview", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "caches": [ "2019-08-01-preview", 
@@ -43083,7 +43370,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "caches/storageTargets": [ "2019-08-01-preview", @@ -43099,7 +43387,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "checkAmlFSSubnets": [ "2021-11-01-preview", From 7839b5d0d90d137840fd9ae40727fb60c5f83fd8 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Sun, 3 Dec 2023 16:29:14 +0100 Subject: [PATCH 137/178] Added MovedToAVM (#4330) --- modules/event-grid/domain/MOVED-TO-AVM.md | 1 + modules/event-grid/domain/README.md | 2 ++ modules/event-grid/system-topic/MOVED-TO-AVM.md | 1 + modules/event-grid/system-topic/README.md | 2 ++ modules/event-grid/topic/MOVED-TO-AVM.md | 1 + modules/event-grid/topic/README.md | 2 ++ 6 files changed, 9 insertions(+) create mode 100644 modules/event-grid/domain/MOVED-TO-AVM.md create mode 100644 modules/event-grid/system-topic/MOVED-TO-AVM.md create mode 100644 modules/event-grid/topic/MOVED-TO-AVM.md diff --git a/modules/event-grid/domain/MOVED-TO-AVM.md b/modules/event-grid/domain/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/event-grid/domain/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index 678b989436..b38969fef0 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md 
@@ -1,5 +1,7 @@ # Event Grid Domains `[Microsoft.EventGrid/domains]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Event Grid Domain. ## Navigation diff --git a/modules/event-grid/system-topic/MOVED-TO-AVM.md b/modules/event-grid/system-topic/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/event-grid/system-topic/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index b901bdc3de..5c5801dfe9 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -1,5 +1,7 @@ # Event Grid System Topics `[Microsoft.EventGrid/systemTopics]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Event Grid System Topic. ## Navigation diff --git a/modules/event-grid/topic/MOVED-TO-AVM.md b/modules/event-grid/topic/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/event-grid/topic/MOVED-TO-AVM.md 
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 2abc6b61c7..6fd7b92f69 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -1,5 +1,7 @@ # Event Grid Topics `[Microsoft.EventGrid/topics]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Event Grid Topic. ## Navigation From fe1bd7f9bd8cda9522b24c13cae9453b844c937f Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Mon, 4 Dec 2023 18:14:03 +0100 Subject: [PATCH 138/178] Added MOVED-TO-AVM (#4334) --- modules/network/bastion-host/MOVED-TO-AVM.md | 1 + modules/network/bastion-host/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/network/bastion-host/MOVED-TO-AVM.md diff --git a/modules/network/bastion-host/MOVED-TO-AVM.md b/modules/network/bastion-host/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/bastion-host/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 5057715cf3..573d2b938a 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md 
@@ -1,5 +1,7 @@ # Bastion Hosts `[Microsoft.Network/bastionHosts]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Bastion Host. ## Navigation From 95c44df0ada103cd99d6534500bdb1d20786a0cf Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 5 Dec 2023 06:45:55 +0000 Subject: [PATCH 139/178] Adding Moved to AVM for `power-bi-dedicated/capacity` (#4338) * Adding Moved to AVM * Fixed MOVED TO AVM --- modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md | 1 + modules/power-bi-dedicated/capacity/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md diff --git a/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md b/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/power-bi-dedicated/capacity/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 01010cbef4..4129db5ce7 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md 
@@ -1,5 +1,7 @@ # Power BI Dedicated Capacities `[Microsoft.PowerBIDedicated/capacities]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Power BI Dedicated Capacity. ## Navigation From f21852bda6cc94694f0ff4388eacb9666df39894 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 5 Dec 2023 06:46:38 +0000 Subject: [PATCH 140/178] Adding MOVED-TO-AVM.md (#4340) --- modules/service-bus/namespace/MOVED-TO-AVM.md | 1 + modules/service-bus/namespace/README.md | 2 ++ modules/service-bus/namespace/authorization-rule/main.json | 4 ++-- .../service-bus/namespace/disaster-recovery-config/main.json | 4 ++-- .../service-bus/namespace/migration-configuration/main.json | 4 ++-- modules/service-bus/namespace/network-rule-set/main.json | 4 ++-- .../service-bus/namespace/queue/authorization-rule/main.json | 4 ++-- .../service-bus/namespace/topic/authorization-rule/main.json | 4 ++-- 8 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 modules/service-bus/namespace/MOVED-TO-AVM.md diff --git a/modules/service-bus/namespace/MOVED-TO-AVM.md b/modules/service-bus/namespace/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/service-bus/namespace/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index a2fbd72ba2..f4814f2cd9 100644 --- a/modules/service-bus/namespace/README.md 
+++ b/modules/service-bus/namespace/README.md @@ -1,5 +1,7 @@ # Service Bus Namespaces `[Microsoft.ServiceBus/namespaces]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Service Bus Namespace. ## Navigation diff --git a/modules/service-bus/namespace/authorization-rule/main.json b/modules/service-bus/namespace/authorization-rule/main.json index 5515b8c667..91d7c037fd 100644 --- a/modules/service-bus/namespace/authorization-rule/main.json +++ b/modules/service-bus/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4747986299110708591" + "version": "0.23.1.45101", + "templateHash": "1264227897820313372" }, "name": "Service Bus Namespace Authorization Rules", "description": "This module deploys a Service Bus Namespace Authorization Rule.", diff --git a/modules/service-bus/namespace/disaster-recovery-config/main.json b/modules/service-bus/namespace/disaster-recovery-config/main.json index e36745c3ff..397fb23db9 100644 --- a/modules/service-bus/namespace/disaster-recovery-config/main.json +++ b/modules/service-bus/namespace/disaster-recovery-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3706608794197885431" + "version": "0.23.1.45101", + "templateHash": "10655153602613161335" }, "name": "Service Bus Namespace Disaster Recovery Configs", "description": "This module deploys a Service Bus Namespace Disaster Recovery Config", diff --git a/modules/service-bus/namespace/migration-configuration/main.json b/modules/service-bus/namespace/migration-configuration/main.json index 67c9a0e7ca..32da98e44c 100644 
--- a/modules/service-bus/namespace/migration-configuration/main.json +++ b/modules/service-bus/namespace/migration-configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11329412672781710568" + "version": "0.23.1.45101", + "templateHash": "5089878909119216074" }, "name": "Service Bus Namespace Migration Configuration", "description": "This module deploys a Service Bus Namespace Migration Configuration.", diff --git a/modules/service-bus/namespace/network-rule-set/main.json b/modules/service-bus/namespace/network-rule-set/main.json index c859479f4b..1cf1be124a 100644 --- a/modules/service-bus/namespace/network-rule-set/main.json +++ b/modules/service-bus/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "533952694982260366" + "version": "0.23.1.45101", + "templateHash": "13436940198974346018" }, "name": "Service Bus Namespace Network Rule Sets", "description": "This module deploys a ServiceBus Namespace Network Rule Set.", diff --git a/modules/service-bus/namespace/queue/authorization-rule/main.json b/modules/service-bus/namespace/queue/authorization-rule/main.json index 3610d204e0..4692fdcec7 100644 --- a/modules/service-bus/namespace/queue/authorization-rule/main.json +++ b/modules/service-bus/namespace/queue/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4578845431207793137" + "version": "0.23.1.45101", + "templateHash": "17590031156732651952" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", diff --git a/modules/service-bus/namespace/topic/authorization-rule/main.json b/modules/service-bus/namespace/topic/authorization-rule/main.json index d7f9be9512..f5819014ca 100644 
--- a/modules/service-bus/namespace/topic/authorization-rule/main.json +++ b/modules/service-bus/namespace/topic/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3590235297575239025" + "version": "0.23.1.45101", + "templateHash": "1333107238814449885" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", From c95358f339903245da7bfd1840b52280a55c0223 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 5 Dec 2023 13:38:36 +0100 Subject: [PATCH 141/178] Added MOVED-TO-AVM (#4336) --- modules/insights/data-collection-endpoint/MOVED-TO-AVM.md | 1 + modules/insights/data-collection-endpoint/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/insights/data-collection-endpoint/MOVED-TO-AVM.md diff --git a/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md b/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/insights/data-collection-endpoint/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index f37af6c9f6..48b0cc4d25 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md 
@@ -1,5 +1,7 @@ # Data Collection Endpoints `[Microsoft.Insights/dataCollectionEndpoints]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Data Collection Endpoint. ## Navigation From a9871a42560fc2c93543302fb9068c924153f1fc Mon Sep 17 00:00:00 2001 From: Luke Snoddy <37806411+lsnoddy@users.noreply.github.com> Date: Tue, 5 Dec 2023 07:48:36 -0700 Subject: [PATCH 142/178] Adding MOVED-TO-AVM to network/trafficmanagerprofile (#4341) * Updated settings * Updated settings * Updated settings * Updated version * test * test * test * Updated settings file * Migrate module to AVM * Updated readme and json * revert settings.yml --- modules/network/trafficmanagerprofile/MOVED-TO-AVM.md | 1 + modules/network/trafficmanagerprofile/README.md | 2 ++ modules/network/trafficmanagerprofile/main.json | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 modules/network/trafficmanagerprofile/MOVED-TO-AVM.md diff --git a/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md b/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/trafficmanagerprofile/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index b76f98eb95..20d5f19260 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md 
@@ -1,5 +1,7 @@ # Traffic Manager Profiles `[Microsoft.Network/trafficmanagerprofiles]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Traffic Manager Profile. ## Navigation diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index 76f4462e01..de3aa92acd 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "16146918790976496656" + "version": "0.21.1.54444", + "templateHash": "16012907393887579903" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", From 859c86a8a0d83e18a8c6d76fe058cf652c49a8a1 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 5 Dec 2023 15:50:08 +0100 Subject: [PATCH 143/178] Added MOVED-TO-AVM (#4335) --- modules/network/public-ip-prefix/MOVED-TO-AVM.md | 1 + modules/network/public-ip-prefix/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/network/public-ip-prefix/MOVED-TO-AVM.md diff --git a/modules/network/public-ip-prefix/MOVED-TO-AVM.md b/modules/network/public-ip-prefix/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/public-ip-prefix/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index 6d50284c85..fa80cb1372 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -1,5 +1,7 @@ # Public IP Prefixes `[Microsoft.Network/publicIPPrefixes]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Public IP Prefix. ## Navigation From e4ebb48106d894d1c0851f9f9d8af08a3c32c9dd Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 6 Dec 2023 19:09:54 +0100 Subject: [PATCH 144/178] [Modules] Added azureMonitorProfile to allow us to enable the Prometheus collector (#4329) (#4331) * Added azureMonitorProfile to aks resource * Update readme and generate main.json * Add [[namePrefix]] back into test --------- Co-authored-by: aadev1 <39670555+aadev1@users.noreply.github.com> Co-authored-by: Asad Arif --- .../managed-cluster/README.md | 31 +++++++++++++++++++ .../managed-cluster/main.bicep | 18 +++++++++++ .../managed-cluster/main.json | 26 +++++++++++++++- .../tests/e2e/azure/main.test.bicep | 1 + 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index 0b88e6a7b3..f2ffed3f46 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -145,6 +145,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' ] diskEncryptionSetID: '' enableAzureDefender: true + enableAzureMonitorProfileMetrics: true enableDefaultTelemetry: '' enableKeyvaultSecretsProvider: true enableOidcIssuerProfile: true 
@@ -383,6 +384,9 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' "enableAzureDefender": { "value": true }, + "enableAzureMonitorProfileMetrics": { + "value": true + }, "enableDefaultTelemetry": { "value": "" }, @@ -1228,6 +1232,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`dnsServiceIP`](#parameter-dnsserviceip) | string | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | | [`dnsZoneResourceId`](#parameter-dnszoneresourceid) | string | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. | | [`enableAzureDefender`](#parameter-enableazuredefender) | bool | Whether to enable Azure Defender. | +| [`enableAzureMonitorProfileMetrics`](#parameter-enableazuremonitorprofilemetrics) | bool | Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enableDnsZoneContributorRoleAssignment`](#parameter-enablednszonecontributorroleassignment) | bool | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. | | [`enableKeyvaultSecretsProvider`](#parameter-enablekeyvaultsecretsprovider) | bool | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. | 
@@ -1255,6 +1260,8 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. | | [`managedOutboundIPCount`](#parameter-managedoutboundipcount) | int | Outbound IP Count for the Load balancer. | +| [`metricAnnotationsAllowList`](#parameter-metricannotationsallowlist) | string | A comma-separated list of Kubernetes annotation keys. | +| [`metricLabelsAllowlist`](#parameter-metriclabelsallowlist) | string | A comma-separated list of additional Kubernetes label keys. | | [`monitoringWorkspaceId`](#parameter-monitoringworkspaceid) | string | Resource ID of the monitoring log analytics workspace. | | [`networkDataplane`](#parameter-networkdataplane) | string | Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin. | | [`networkPlugin`](#parameter-networkplugin) | string | Specifies the network plugin used for building Kubernetes network. | @@ -1800,6 +1807,14 @@ Whether to enable Azure Defender. - Type: bool - Default: `False` +### Parameter: `enableAzureMonitorProfileMetrics` + +Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). 
@@ -2078,6 +2093,22 @@ Outbound IP Count for the Load balancer. - Type: int - Default: `0` +### Parameter: `metricAnnotationsAllowList` + +A comma-separated list of Kubernetes annotation keys. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `metricLabelsAllowlist` + +A comma-separated list of additional Kubernetes label keys. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `monitoringWorkspaceId` Resource ID of the monitoring log analytics workspace. diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index bd9f8294c5..20456caecf 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -351,6 +351,15 @@ param identityProfile object = {} @description('Optional. The customer managed key definition.') param customerManagedKey customerManagedKeyType +@description('Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled.') +param enableAzureMonitorProfileMetrics bool = false + +@description('Optional. A comma-separated list of additional Kubernetes label keys.') +param metricLabelsAllowlist string = '' + +@description('Optional. A comma-separated list of Kubernetes annotation keys.') +param metricAnnotationsAllowList string = '' + resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) scope: resourceGroup(split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]) 
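Review bot: The descriptions of the new `metricLabelsAllowlist` and `metricAnnotationsAllowList` parameters do not say that they have no effect unless `enableAzureMonitorProfileMetrics` is true, which is how the `azureMonitorProfile` block further down in this file consumes them (they are only referenced inside the enabled branch of the ternary). Suggest extending both descriptions, e.g. `@description('Optional. A comma-separated list of additional Kubernetes label keys. Only used when enableAzureMonitorProfileMetrics is true.')`, and re-running the readme generator so the README table and main.json pick up the same wording. The resource block that reads these parameters is outside this hunk.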
@@ -544,6 +553,15 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-p
 enablePrivateClusterPublicFQDN: enablePrivateClusterPublicFQDN
 privateDNSZone: privateDNSZone
 }
+ azureMonitorProfile: {
+ metrics: enableAzureMonitorProfileMetrics ? {
+ enabled: true
+ kubeStateMetrics: {
+ metricAnnotationsAllowList: metricAnnotationsAllowList
+ metricLabelsAllowlist: metricLabelsAllowlist
+ }
+ } : null
+ }
 podIdentityProfile: {
 allowNetworkPluginKubenet: podIdentityProfileAllowNetworkPluginKubenet
 enabled: podIdentityProfileEnable
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index ae0399022d..24c4e7027f 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "8572950365871080651"
+ "templateHash": "609013537229775592"
 },
 "name": "Azure Kubernetes Service (AKS) Managed Clusters",
 "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -979,6 +979,27 @@
 "metadata": {
 "description": "Optional. The customer managed key definition."
 }
+ },
+ "enableAzureMonitorProfileMetrics": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled."
+ }
+ },
+ "metricLabelsAllowlist": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. A comma-separated list of additional Kubernetes label keys."
+ }
+ },
+ "metricAnnotationsAllowList": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. A comma-separated list of Kubernetes annotation keys."
+ }
+ }
 }
 },
 "variables": {
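Review bot: When `enableAzureMonitorProfileMetrics` is false the new block resolves to `azureMonitorProfile: { metrics: null }`, which omits the metrics profile rather than explicitly disabling it. On a cluster that already has the profile enabled it is not clear from the template whether a null here switches it off or leaves it untouched, so the parameter may not be authoritative on redeploy; if `false` is meant to disable, `} : { enabled: false }` in place of `} : null` is the safer form. Worth confirming against the managedClusters PUT semantics for `azureMonitorProfile.metrics` before changing it. The enclosing `managedCluster` resource starts and ends outside this hunk.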
@@ -1171,6 +1192,9 @@
 "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]",
 "privateDNSZone": "[parameters('privateDNSZone')]"
 },
+ "azureMonitorProfile": {
+ "metrics": "[if(parameters('enableAzureMonitorProfileMetrics'), createObject('enabled', true(), 'kubeStateMetrics', createObject('metricAnnotationsAllowList', parameters('metricAnnotationsAllowList'), 'metricLabelsAllowlist', parameters('metricLabelsAllowlist'))), null())]"
+ },
 "podIdentityProfile": {
 "allowNetworkPluginKubenet": "[parameters('podIdentityProfileAllowNetworkPluginKubenet')]",
 "enabled": "[parameters('podIdentityProfileEnable')]",
diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
index c5cc686316..11eeb9f2ff 100644
--- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
+++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep
@@ -189,6 +189,7 @@ module testDeployment '../../../main.bicep' = {
 enableAzureDefender: true
 enableKeyvaultSecretsProvider: true
 enablePodSecurityPolicy: false
+ enableAzureMonitorProfileMetrics: true
 customerManagedKey: {
 keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
 keyVaultNetworkAccess: 'Public'
From 6cebaef37faf5fd3b89139546c990a32ec8a441c Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Wed, 6 Dec 2023 18:10:28 +0000
Subject: [PATCH 145/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index a179adb657..cbcf4bcebc 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -45,7 +45,7 @@ This section provides an overview of the library's feature set.
 | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 92 | | 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | [L1:1, L2:1, L3:5] | 175 | | 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:4, L2:1, L3:5] | 447 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 693 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 708 | | 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:3, L2:2, L3:3] | 342 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:2, L2:1, L3:3] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 110 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29894 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29909 | ## Legend From fce84e879aa42a34a18da342ec5510b2cbac9500 Mon Sep 17 00:00:00 2001 From: Rajesh V <142348849+rajeshkaremane@users.noreply.github.com> Date: Thu, 7 Dec 2023 13:40:05 +0000 Subject: [PATCH 146/178] Container Apps Env Upgrade to latest version 2023-05-01 (#4307) * Upgrade to latest version 2023-05-01 * Formatted * assign subnet id if provided * updated arm template and output defaultDomain * Lint fix * minor fix for ReservedCidr, ReservedDnsIP and test --- modules/app/managed-environment/README.md | 51 ++++++++----------- modules/app/managed-environment/main.bicep | 27 +++++----- modules/app/managed-environment/main.json | 45 ++++++++-------- .../tests/e2e/max/dependencies.bicep | 8 +++ .../tests/e2e/max/main.test.bicep | 16 +++++- .../tests/e2e/waf-aligned/dependencies.bicep | 8 +++ .../tests/e2e/waf-aligned/main.test.bicep | 15 +++++- 7 files changed, 102 insertions(+), 68 deletions(-) diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index d044d9f6fa..a55dc9c7d5 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -4,11 +4,11 @@ This module deploys an App Managed Environment (also known as a Container App En ## Navigation -- [Resource Types](#Resource-Types) -- [Usage examples](#Usage-examples) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) +- [Resource Types](#resource-types) +- [Usage examples](#usage-examples) +- [Parameters](#parameters) +- [Outputs](#outputs) +- [Cross-referenced modules](#cross-referenced-modules) ## Resource Types 
@@ -34,7 +34,6 @@ The following section provides usage examples for the module, which were used to This instance deploys the module with the minimum set of required parameters. -

via Bicep module @@ -84,7 +83,6 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { This instance deploys the module with most of its features enabled. -
via Bicep module @@ -108,7 +106,8 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { } platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' - skuName: 'Consumption' + infrastructureResourceGroupName: '' + workloadProfiles: '' tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' @@ -164,8 +163,8 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "platformReservedDnsIP": { "value": "172.17.17.17" }, - "skuName": { - "value": "Consumption" + "infrastructureResourceGroupName": { + "value": "" }, "tags": { "value": { @@ -184,7 +183,6 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. -
via Bicep module @@ -208,7 +206,8 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { } platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' - skuName: 'Consumption' + infrastructureResourceGroupName: '' + workloadProfiles: '' tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' @@ -264,8 +263,8 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "platformReservedDnsIP": { "value": "172.17.17.17" }, - "skuName": { - "value": "Consumption" + "infrastructureResourceGroupName": { + "value": "" }, "tags": { "value": { @@ -280,7 +279,6 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = {

- ## Parameters **Required parameters** @@ -314,7 +312,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`skuName`](#parameter-skuname) | string | Managed environment SKU. | +| [`infrastructureResourceGroupName`](#parameter-infrastructureresourcegroupname) | string | Custom Resource group name for infrastrcuture components. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this Managed Environment is zone-redundant. | @@ -433,6 +431,7 @@ Specify the type of lock. - Required: No - Type: string - Allowed: + ```Bicep [ 'CanNotDelete' 
@@ -492,7 +491,7 @@ Array of role assignments to create. | :-- | :-- | :-- | | [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | | [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource ID of the delegated managed identity resource. | | [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | @@ -524,6 +523,7 @@ Version of the condition. - Required: No - Type: string - Allowed: + ```Bicep [ '2.0' @@ -532,7 +532,7 @@ Version of the condition. ### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -The Resource Id of the delegated managed identity resource. +The Resource ID of the delegated managed identity resource. - Required: No - Type: string @@ -551,6 +551,7 @@ The principal type of the assigned principal ID. - Required: No - Type: string - Allowed: + ```Bicep [ 'Device' 
@@ -561,20 +562,13 @@ The principal type of the assigned principal ID. ] ``` -### Parameter: `skuName` +### Parameter: `infrastructureResourceGroupName` -Managed environment SKU. +Customer Resource Group name for additional infrastructure components. - Required: No - Type: string -- Default: `'Consumption'` -- Allowed: - ```Bicep - [ - 'Consumption' - 'Premium' - ] - ``` +- Default: `'ME_ManagedEnvironmentName'` ### Parameter: `tags` @@ -599,7 +593,6 @@ Whether or not this Managed Environment is zone-redundant. - Type: bool - Default: `False` - ## Outputs | Output | Type | Description | diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index f3905ce986..93e9920902 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep @@ -17,13 +17,6 @@ param tags object? @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType -@allowed([ - 'Consumption' - 'Premium' -]) -@description('Optional. Managed environment SKU.') -param skuName string = 'Consumption' - @description('Optional. Logs destination.') param logsDestination string = 'log-analytics' @@ -73,6 +66,9 @@ param lock lockType @description('Optional. Workload profiles configured for the Managed Environment.') param workloadProfiles array = [] +@description('Optional. Name of the infrastructure resource group. If not provided, it will be set with a default value.') +param infrastructureResourceGroupName string = take('ME_${name}', 63) + var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') 
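Review bot: The README regenerated in this commit does not match the `infrastructureResourceGroupName` parameter added in the `@@ -73,6 +66,9 @@` hunk: the template describes it as "Name of the infrastructure resource group. If not provided, it will be set with a default value." with default `take('ME_${name}', 63)`, while the README hunks above show "Customer Resource Group name for additional infrastructure components." and a default of `'ME_ManagedEnvironmentName'` (plus the "infrastrcuture" typo in the parameter table). The README looks hand-edited; re-running the readme generator on this main.bicep should bring the two back into sync. Separately, removing `skuName` in the preceding hunk is a breaking change for any caller still passing it, so it deserves a major version note or changelog entry.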
@@ -98,13 +94,10 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06
 scope: resourceGroup(split(logAnalyticsWorkspaceResourceId, '/')[2], split(logAnalyticsWorkspaceResourceId, '/')[4])
 }
 
-resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = {
+resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
 name: name
 location: location
 tags: tags
- sku: {
- name: skuName
- }
 properties: {
 appLogsConfiguration: {
 destination: logsDestination
@@ -122,13 +115,14 @@ resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = {
 }
 vnetConfiguration: {
 internal: internal
- infrastructureSubnetId: !empty(infrastructureSubnetId) && internal == true ? infrastructureSubnetId : null
- dockerBridgeCidr: !empty(infrastructureSubnetId) && internal == true ? dockerBridgeCidr : null
- platformReservedCidr: !empty(infrastructureSubnetId) && internal == true ? platformReservedCidr : null
- platformReservedDnsIP: !empty(infrastructureSubnetId) && internal == true ? platformReservedDnsIP : null
+ infrastructureSubnetId: !empty(infrastructureSubnetId) ? infrastructureSubnetId : null
+ dockerBridgeCidr: !empty(infrastructureSubnetId) ? dockerBridgeCidr : null
+ platformReservedCidr: empty(workloadProfiles) && !empty(infrastructureSubnetId) ? platformReservedCidr : null
+ platformReservedDnsIP: empty(workloadProfiles) && !empty(infrastructureSubnetId) ? platformReservedDnsIP : null
 }
 workloadProfiles: !empty(workloadProfiles) ? workloadProfiles : null
 zoneRedundant: zoneRedundant
+ infrastructureResourceGroup: infrastructureResourceGroupName
 }
 }
 
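Review bot: In the `vnetConfiguration` block of the `@@ -122,13 +115,14 @@` hunk, `platformReservedCidr` and `platformReservedDnsIP` are now suppressed when `workloadProfiles` is non-empty, but `dockerBridgeCidr` is still sent whenever a subnet is set. As far as I know `dockerBridgeCidr` is likewise only meaningful for consumption-only environments, so for consistency it would be `dockerBridgeCidr: empty(workloadProfiles) && !empty(infrastructureSubnetId) ? dockerBridgeCidr : null`; worth confirming against the 2023-05-01 schema. Dropping the `internal == true` gate also means an environment with a public ingress endpoint can now be VNet-injected, which is presumably intended but changes what callers previously got for `internal: false` with a subnet set, so it should be mentioned in the change notes. `infrastructureResourceGroup` is sent unconditionally; if the RP rejects or ignores it for consumption-only environments (I cannot tell from the diff), it should be conditioned on `workloadProfiles` as well.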
@@ -167,6 +161,9 @@ output name string = managedEnvironment.name
 @description('The resource ID of the Managed Environment.')
 output resourceId string = managedEnvironment.id
 
+@description('The Default domain of the Managed Environment.')
+output defaultDomain string = managedEnvironment.properties.defaultDomain
+
 // =============== //
 // Definitions //
 // =============== //
diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json
index ba37943c32..d3860b25fa 100644
--- a/modules/app/managed-environment/main.json
+++ b/modules/app/managed-environment/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.23.1.45101",
- "templateHash": "15830956831455159038"
+ "templateHash": "6452494198386670014"
 },
 "name": "App ManagedEnvironments",
 "description": "This module deploys an App Managed Environment (also known as a Container App Environment).",
@@ -138,17 +138,6 @@
 "description": "Optional. Array of role assignments to create."
 }
 },
- "skuName": {
- "type": "string",
- "defaultValue": "Consumption",
- "allowedValues": [
- "Consumption",
- "Premium"
- ],
- "metadata": {
- "description": "Optional. Managed environment SKU."
- }
- },
 "logsDestination": {
 "type": "string",
 "defaultValue": "log-analytics",
@@ -251,6 +240,13 @@
 "metadata": {
 "description": "Optional. Workload profiles configured for the Managed Environment."
 }
+ },
+ "infrastructureResourceGroupName": {
+ "type": "string",
+ "defaultValue": "[take(format('ME_{0}', parameters('name')), 63)]",
+ "metadata": {
+ "description": "Optional. Name of the infrastructure resource group. If not provided, it will be set with a default value."
+ }
 }
 },
 "variables": {
@@ -288,13 +284,10 @@
 },
 "managedEnvironment": {
 "type": "Microsoft.App/managedEnvironments",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2023-05-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
- "sku": {
- "name": "[parameters('skuName')]"
- },
 "properties": {
 "appLogsConfiguration": {
 "destination": "[parameters('logsDestination')]",
@@ -312,13 +305,14 @@
 },
 "vnetConfiguration": {
 "internal": "[parameters('internal')]",
- "infrastructureSubnetId": "[if(and(not(empty(parameters('infrastructureSubnetId'))), equals(parameters('internal'), true())), parameters('infrastructureSubnetId'), null())]",
- "dockerBridgeCidr": "[if(and(not(empty(parameters('infrastructureSubnetId'))), equals(parameters('internal'), true())), parameters('dockerBridgeCidr'), null())]",
- "platformReservedCidr": "[if(and(not(empty(parameters('infrastructureSubnetId'))), equals(parameters('internal'), true())), parameters('platformReservedCidr'), null())]",
- "platformReservedDnsIP": "[if(and(not(empty(parameters('infrastructureSubnetId'))), equals(parameters('internal'), true())), parameters('platformReservedDnsIP'), null())]"
+ "infrastructureSubnetId": "[if(not(empty(parameters('infrastructureSubnetId'))), parameters('infrastructureSubnetId'), null())]",
+ "dockerBridgeCidr": "[if(not(empty(parameters('infrastructureSubnetId'))), parameters('dockerBridgeCidr'), null())]",
+ "platformReservedCidr": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetId')))), parameters('platformReservedCidr'), null())]",
+ "platformReservedDnsIP": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetId')))), parameters('platformReservedDnsIP'), null())]"
 },
 "workloadProfiles": "[if(not(empty(parameters('workloadProfiles'))), parameters('workloadProfiles'), null())]",
- "zoneRedundant": "[parameters('zoneRedundant')]"
+ "zoneRedundant": "[parameters('zoneRedundant')]",
+ "infrastructureResourceGroup": "[parameters('infrastructureResourceGroupName')]"
 },
 "dependsOn": [
 "logAnalyticsWorkspace"
@@ -374,7 +368,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference('managedEnvironment', '2022-10-01', 'full').location]"
+ "value": "[reference('managedEnvironment', '2023-05-01', 'full').location]"
 },
 "name": {
 "type": "string",
@@ -389,6 +383,13 @@
 "description": "The resource ID of the Managed Environment."
 },
 "value": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]"
+ },
+ "defaultDomain": {
+ "type": "string",
+ "metadata": {
+ "description": "The Default domain of the Managed Environment."
+ },
+ "value": "[reference('managedEnvironment').defaultDomain]"
 }
 }
 }
\ No newline at end of file
diff --git a/modules/app/managed-environment/tests/e2e/max/dependencies.bicep b/modules/app/managed-environment/tests/e2e/max/dependencies.bicep
index f61380acc4..8d908b1603 100644
--- a/modules/app/managed-environment/tests/e2e/max/dependencies.bicep
+++ b/modules/app/managed-environment/tests/e2e/max/dependencies.bicep
@@ -37,6 +37,14 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
 name: 'defaultSubnet'
 properties: {
 addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ delegations: [
+ {
+ name: 'Microsoft.App.environments'
+ properties: {
+ serviceName: 'Microsoft.App/environments'
+ }
+ }
+ ]
 }
 }
 ]
diff --git a/modules/app/managed-environment/tests/e2e/max/main.test.bicep b/modules/app/managed-environment/tests/e2e/max/main.test.bicep
index 7eecb1c599..1646791a1b 100644
--- a/modules/app/managed-environment/tests/e2e/max/main.test.bicep
+++ b/modules/app/managed-environment/tests/e2e/max/main.test.bicep
@@ -10,6 +10,9 @@ metadata description = 'This instance deploys the module with most of its featur
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
 
+@description('Optional. The name of the infrastructre resource group to deploy for testing purposes.')
+param infrastructureResourceGroupName string = 'me-dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
+
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
 
@@ -22,6 +25,16 @@ param enableDefaultTelemetry bool = true
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '[[namePrefix]]'
 
+@description('Optional. WorkloadProfile')
+param workloadProfiles array = [
+ {
+ workloadProfileType: 'D4'
+ name: 'CAW01'
+ minimumCount: 0
+ maximumCount: 3
+ }
+]
+
 // =========== //
 // Deployments //
 // =========== //
@@ -55,12 +68,13 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 name: '${namePrefix}${serviceShort}001'
 logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
 location: location
- skuName: 'Consumption'
+ workloadProfiles: workloadProfiles
 internal: true
 dockerBridgeCidr: '172.16.0.1/28'
 platformReservedCidr: '172.17.17.0/24'
 platformReservedDnsIP: '172.17.17.17'
 infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId
+ infrastructureResourceGroupName: infrastructureResourceGroupName
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
index f61380acc4..8d908b1603 100644
--- a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
+++ b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep
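Review bot: The `max` test now passes a non-empty `workloadProfiles` together with `platformReservedCidr` and `platformReservedDnsIP` in the `@@ -55,12 +68,13 @@` hunk, but main.bicep in this same commit nulls both of those whenever `workloadProfiles` is non-empty, so the test no longer exercises the reserved CIDR/DNS path and the README example derived from it shows values that are silently dropped. Either split the coverage (one deployment with workload profiles, one consumption-only with the reserved ranges) or remove the two parameters here so the test reflects what is actually sent. The `@@ -10,6 +10,9 @@` hunk above also has a typo in the new description, `infrastructre` → `infrastructure`. The `waf-aligned` test below (`@@ -10,6 +10,9 @@` and `@@ -55,12 +67,13 @@`) has the same two issues.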
@@ -37,6 +37,14 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
 name: 'defaultSubnet'
 properties: {
 addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ delegations: [
+ {
+ name: 'Microsoft.App.environments'
+ properties: {
+ serviceName: 'Microsoft.App/environments'
+ }
+ }
+ ]
 }
 }
 ]
diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
index f7416ce8ed..11807a0ea4 100644
--- a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep
@@ -10,6 +10,9 @@ metadata description = 'This instance deploys the module in alignment with the b
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
 
+@description('Optional. The name of the infrastructre resource group to deploy for testing purposes.')
+param infrastructureResourceGroupName string = 'me-dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg'
+
 @description('Optional. The location to deploy resources to.')
 param location string = deployment().location
 
@@ -22,6 +25,15 @@ param enableDefaultTelemetry bool = true
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '[[namePrefix]]'
 
+@description('Optional. WorkloadProfile')
+param workloadProfiles array = [
+ {
+ workloadProfileType: 'D4'
+ name: 'CAW01'
+ minimumCount: 0
+ maximumCount: 3
+ }
+]
 // =========== //
 // Deployments //
 // =========== //
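Review bot: Style: in the `@@ -22,6 +25,15 @@` hunk of the waf-aligned test the new `workloadProfiles` parameter closes with `]` immediately followed by the `// =========== //` banner, whereas the `max` variant of the same change keeps a blank line between them (hence 15 vs 16 new lines in the two headers). The two test files are otherwise kept in lockstep, so the blank line should be added here too.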
@@ -55,12 +67,13 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem'
 name: '${namePrefix}${serviceShort}001'
 logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
 location: location
- skuName: 'Consumption'
+ workloadProfiles: workloadProfiles
 internal: true
 dockerBridgeCidr: '172.16.0.1/28'
 platformReservedCidr: '172.17.17.0/24'
 platformReservedDnsIP: '172.17.17.17'
 infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId
+ infrastructureResourceGroupName: infrastructureResourceGroupName
 lock: {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
From 26b6020b7e76d25f11d2834c960440916a9c2b9c Mon Sep 17 00:00:00 2001
From: CARMLPipelinePrincipal
Date: Thu, 7 Dec 2023 13:40:59 +0000
Subject: [PATCH 147/178] Push updated Readme file(s)
---
 docs/wiki/The library - Module overview.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md
index cbcf4bcebc..5b9e457f6e 100644
--- a/docs/wiki/The library - Module overview.md
+++ b/docs/wiki/The library - Module overview.md
@@ -19,7 +19,7 @@ This section provides an overview of the library's feature set.
 | 4 | app-configuration

configuration-store | [![AppConfiguration - ConfigurationStores](https://github.com/Azure/ResourceModules/workflows/AppConfiguration%20-%20ConfigurationStores/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.appconfiguration.configurationstores.yml) | | | | | | | [L1:2, L2:1, L3:5] | 322 | | 5 | app

container-app | [![App - ContainerApps](https://github.com/Azure/ResourceModules/workflows/App%20-%20ContainerApps/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.containerapps.yml) | | | | | | | [L1:1, L2:1, L3:3] | 211 | | 6 | app

job | [![App - Jobs](https://github.com/Azure/ResourceModules/workflows/App%20-%20Jobs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.jobs.yml) | | | :white_check_mark: | | | | [L1:1, L2:1, L3:3] | 162 | -| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | [L1:1, L2:1, L3:3] | 163 | +| 7 | app

managed-environment | [![App - Managed Environments](https://github.com/Azure/ResourceModules/workflows/App%20-%20Managed%20Environments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.app.managedenvironments.yml) | | | | | | | [L1:1, L2:1, L3:3] | 159 | | 8 | authorization

lock | [![Authorization - Locks](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20Locks/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.locks.yml) | | | | | | | [L1:3, L2:1, L3:2] | 62 | | 9 | authorization

policy-assignment | [![Authorization - PolicyAssignments](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | | | | | | [L1:4, L2:1, L3:6] | 143 | | 10 | authorization

policy-definition | [![Authorization - PolicyDefinitions](https://github.com/Azure/ResourceModules/workflows/Authorization%20-%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | | | | | | [L1:3, L2:1, L3:4] | 86 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29909 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29905 | ## Legend From c0eac04bf98b1adcb587bfa15bd7f09c752f100c Mon Sep 17 00:00:00 2001 From: Preston Alvarado <700740+coolhome@users.noreply.github.com> Date: Thu, 7 Dec 2023 14:02:18 -0600 Subject: [PATCH 148/178] ManagedCluster - WebAppRouting - Updates (#4195) * Update main.bicep Do not attempt to load Private DNS Zone when `enableDnsZoneContributorRoleAssignment` is false. Added output `managedCluster.properties.ingressProfile.webAppRouting.identity.objectId` so I can add role assignment for private dns zone * Update module * Upgraded bicep, re-ran --- modules/container-service/managed-cluster/README.md | 1 + modules/container-service/managed-cluster/main.bicep | 5 ++++- modules/container-service/managed-cluster/main.json | 11 +++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index f2ffed3f46..bca703ec61 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -2435,6 +2435,7 @@ Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | `resourceGroupName` | string | The resource group the managed cluster was deployed into. | | `resourceId` | string | The resource ID of the managed cluster. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | +| `webAppRoutingIdentityObjectId` | string | The Object ID of Web Application Routing. | ## Cross-referenced modules 
diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 20456caecf..21208d0a5a 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -712,7 +712,7 @@ resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments scope: managedCluster }] -resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (dnsZoneResourceId != null && webApplicationRoutingEnabled) { +resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) { name: last(split((!empty(dnsZoneResourceId) ? dnsZoneResourceId : '/dummmyZone'), '/'))! } @@ -762,6 +762,9 @@ output oidcIssuerUrl string = enableOidcIssuerProfile ? managedCluster.propertie @description('The addonProfiles of the Kubernetes cluster.') output addonProfiles object = contains(managedCluster.properties, 'addonProfiles') ? managedCluster.properties.addonProfiles : {} +@description('The Object ID of Web Application Routing.') +output webAppRoutingIdentityObjectId string = contains(managedCluster.properties, 'ingressProfile') && contains(managedCluster.properties.ingressProfile, 'webAppRouting') && contains(managedCluster.properties.ingressProfile.webAppRouting, 'identity') && contains(managedCluster.properties.ingressProfile.webAppRouting.identity, 'objectId') ? managedCluster.properties.ingressProfile.webAppRouting.identity.objectId : '' + // =============== // // Definitions // // =============== // diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 24c4e7027f..b3e159c0f7 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json 
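Review bot: The new condition on the `dnsZone` existing resource compares `enableDnsZoneContributorRoleAssignment == true`; if that parameter is declared `bool`, as its name and the emitted `equals(..., true())` suggest, the comparison is redundant and the guard reads more clearly as `if (enableDnsZoneContributorRoleAssignment && dnsZoneResourceId != null && webApplicationRoutingEnabled)`. A one-line comment above the resource would also record why the lookup is now gated, e.g. `// Only resolve the zone when the DNS Zone Contributor role assignment is actually created.` Unrelated to this commit but worth documenting in the same comment: `name:` keeps only the last segment of `dnsZoneResourceId`, so without a `scope:` the existing-resource lookup is resolved in the deployment's own resource group even if the supplied ID points to a zone elsewhere.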
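Review bot: The `@description` on the new `webAppRoutingIdentityObjectId` output does not say whose object ID this is or when it is empty, while the expression returns `''` whenever any of `ingressProfile`, `webAppRouting`, `identity` or `objectId` is absent. Suggest `@description('The object ID of the managed identity used by the Web Application Routing add-on. Empty when the add-on is not enabled or the identity is not yet reported by the cluster.')`. The four chained `contains()` checks are correct but hard to scan; a safe-dereference chain such as `managedCluster.properties.?ingressProfile.?webAppRouting.?identity.?objectId ?? ''` would express the same fallback more compactly if the Bicep version the repo builds with supports it — confirm against the toolchain before changing, since behavior must stay identical for callers consuming the output.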
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "609013537229775592" + "templateHash": "1679575632831341410" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", @@ -1286,7 +1286,7 @@ ] }, "dnsZone": { - "condition": "[and(not(equals(parameters('dnsZoneResourceId'), null())), parameters('webApplicationRoutingEnabled'))]", + "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", "existing": true, "type": "Microsoft.Network/dnsZones", "apiVersion": "2018-05-01", @@ -2261,6 +2261,13 @@ "description": "The addonProfiles of the Kubernetes cluster." }, "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" + }, + "webAppRoutingIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of Web Application Routing." + }, + "value": "[if(and(and(and(contains(reference('managedCluster'), 'ingressProfile'), contains(reference('managedCluster').ingressProfile, 'webAppRouting')), contains(reference('managedCluster').ingressProfile.webAppRouting, 'identity')), contains(reference('managedCluster').ingressProfile.webAppRouting.identity, 'objectId')), reference('managedCluster').ingressProfile.webAppRouting.identity.objectId, '')]" } } } \ No newline at end of file From dfc642778411432ab24a49ef7108444273117604 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 7 Dec 2023 20:02:51 +0000 Subject: [PATCH 149/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index 5b9e457f6e..e1ebd8a740 100644 
--- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -45,7 +45,7 @@ This section provides an overview of the library's feature set. | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 92 | | 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | [L1:1, L2:1, L3:5] | 175 | | 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:4, L2:1, L3:5] | 447 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 708 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 710 | | 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:3, L2:2, L3:3] | 342 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:2, L2:1, L3:3] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 110 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29905 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29907 | ## Legend From 26df38805dea8385df45207f474f144170c2c825 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Sat, 9 Dec 2023 09:33:35 +0100 Subject: [PATCH 150/178] Added MOVED-TO-AVM (#4353) --- modules/insights/data-collection-rule/MOVED-TO-AVM.md | 1 + modules/insights/data-collection-rule/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/insights/data-collection-rule/MOVED-TO-AVM.md diff --git a/modules/insights/data-collection-rule/MOVED-TO-AVM.md b/modules/insights/data-collection-rule/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/insights/data-collection-rule/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md index ea8e8c8b8b..d9870bdf8f 100644 --- a/modules/insights/data-collection-rule/README.md +++ b/modules/insights/data-collection-rule/README.md @@ -1,5 +1,7 @@ # Data Collection Rules `[Microsoft.Insights/dataCollectionRules]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Data Collection Rule. ## Navigation 
From 438e5abd3d618a0a65cdcb90d4fc895f0c1ff758 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 10 Dec 2023 12:05:22 +0000 Subject: [PATCH 151/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 871 +++++++++++++++++++++----------- 1 file changed, 574 insertions(+), 297 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index b6047fdd50..87ec502779 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -24,7 +24,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "getMarketplaceSaaSResourceDetails": [ "2021-09-01", @@ -36,7 +38,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "locations": [ "2021-09-01", @@ -48,7 +52,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "locations/operationStatuses": [ "2021-09-01", @@ -60,7 +66,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "monitors": [ "2021-09-01", @@ -72,7 +80,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "monitors/singleSignOnConfigurations": [ "2021-09-01", @@ -84,7 +94,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "monitors/tagRules": [ "2021-09-01", 
@@ -96,7 +108,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "operations": [ "2021-09-01", @@ -108,7 +122,9 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ], "registeredSubscriptions": [ "2021-09-01", @@ -120,12 +136,13 @@ "2023-08-14-preview", "2023-08-22-preview", "2023-09-12-preview", - "2023-09-20-preview" + "2023-09-20-preview", + "2023-11-11-preview", + "2023-11-24-preview" ] }, "GitHub.Network": { "networkSettings": [ - "2023-03-15-beta", "2023-11-01-preview" ], "Operations": [ @@ -3176,6 +3193,12 @@ "findOrphanRoleAssignments": [ "2019-04-01-preview" ], + "listPolicyDefinitionVersions": [ + "2023-04-01" + ], + "listPolicySetDefinitionVersions": [ + "2023-04-01" + ], "locks": [ "2015-01-01", "2015-05-01-preview", @@ -3226,7 +3249,7 @@ "2022-06-01", "2023-04-01" ], - "policyDefinitions": [ + "policydefinitions": [ "2015-10-01-preview", "2015-11-01", "2016-04-01", @@ -3988,7 +4011,8 @@ "2021-04-01", "2021-04-01-preview", "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" ], "checkNameAvailability": [ "2019-01-01-preview", @@ -3997,7 +4021,8 @@ "2021-04-01", "2021-04-01-preview", "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" ], "ciamDirectories": [ "2022-03-01-preview", @@ -4022,7 +4047,11 @@ "2021-04-01", "2021-04-01-preview", "2022-03-01-preview", - "2023-01-18-preview" + "2023-01-18-preview", + "2023-05-17-preview" + ], + "operationStatuses": [ + "2023-05-17-preview" ] }, "Microsoft.AzureArcData": { @@ -4338,7 +4367,8 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/arcSettings": [ "2021-01-01-preview", 
@@ -4355,7 +4385,8 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/arcSettings/extensions": [ "2021-01-01-preview", @@ -4372,10 +4403,12 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/deploymentSettings": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/offers": [ "2022-04-01-preview" @@ -4389,6 +4422,9 @@ "clusters/publishers/offers/skus": [ "2022-04-01-preview" ], + "clusters/securitySettings": [ + "2023-11-01-preview" + ], "clusters/updates": [ "2022-08-01-preview", "2022-10-01", @@ -4398,7 +4434,8 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/updates/updateRuns": [ "2022-08-01-preview", @@ -4409,7 +4446,8 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "clusters/updateSummaries": [ "2022-08-01-preview", @@ -4420,12 +4458,14 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], "edgeDevices": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], - "galleryImages": [ + "galleryimages": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", @@ -4482,13 +4522,13 @@ "logicalNetworks": [ "2023-09-01-preview" ], - "marketplaceGalleryImages": [ + "marketplacegalleryimages": [ "2021-09-01-preview", "2022-12-15-preview", "2023-07-01-preview", "2023-09-01-preview" ], - "networkInterfaces": [ + "networkinterfaces": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", 
@@ -4530,13 +4570,13 @@ "2023-08-01", "2023-08-01-preview" ], - "storageContainers": [ + "storagecontainers": [ "2021-09-01-preview", "2022-12-15-preview", "2023-07-01-preview", "2023-09-01-preview" ], - "virtualHardDisks": [ + "virtualharddisks": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", @@ -4552,7 +4592,7 @@ "2023-07-01-preview", "2023-09-01-preview" ], - "virtualMachines": [ + "virtualmachines": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", @@ -4570,7 +4610,7 @@ "2021-09-01-preview", "2022-12-15-preview" ], - "virtualNetworks": [ + "virtualnetworks": [ "2020-11-01-preview", "2021-07-01-preview", "2021-09-01-preview", @@ -4669,7 +4709,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/applications": [ "2015-12-01", @@ -4687,7 +4728,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/applications/versions": [ "2015-12-01", @@ -4705,7 +4747,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/certificateOperationResults": [ "2017-09-01", @@ -4721,7 +4764,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/certificates": [ "2017-09-01", @@ -4737,13 +4781,15 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/detectors": [ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/operationResults": [ "2014-05-01-privatepreview", @@ -4765,7 +4811,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/poolOperationResults": [ "2017-09-01", @@ -4781,7 +4828,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/pools": [ "2017-09-01", 
@@ -4797,7 +4845,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/privateEndpointConnectionProxyResults": [ "2020-03-01", @@ -4809,7 +4858,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "batchAccounts/privateEndpointConnectionResults": [ "2020-03-01", @@ -4821,7 +4871,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations": [ "2015-09-01", @@ -4841,7 +4892,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations/accountOperationResults": [ "2014-05-01-privatepreview", @@ -4863,7 +4915,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations/checkNameAvailability": [ "2017-05-01", @@ -4880,14 +4933,16 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations/cloudServiceSkus": [ "2021-06-01", "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations/quotas": [ "2015-09-01", @@ -4907,14 +4962,16 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "locations/virtualMachineSkus": [ "2021-06-01", "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ], "operations": [ "2015-09-01", @@ -4934,7 +4991,8 @@ "2022-01-01", "2022-06-01", "2022-10-01", - "2023-05-01" + "2023-05-01", + "2023-11-01" ] }, "Microsoft.Billing": { @@ -5858,7 +5916,7 @@ "2022-09-15", "2023-09-15-preview" ], - "botServices/connections": [ + "botServices/Connections": [ "2017-12-01", "2018-07-12", "2020-06-02", @@ -6151,7 +6209,7 @@ "2023-05-01-preview", "2023-08-01" ], - "redis/linkedServers": [ + "Redis/linkedServers": [ "2017-02-01", "2017-10-01", "2018-03-01", 
@@ -6820,7 +6878,7 @@ "2023-07-01-preview", "2024-01-01-preview" ], - "CdnWebApplicationFirewallPolicies": [ + "cdnWebApplicationFirewallPolicies": [ "2019-06-15", "2019-06-15-preview", "2020-03-31", @@ -8119,6 +8177,16 @@ "accounts/raiPolicies": [ "2023-10-01-preview" ], + "attestationDefinitions": [ + "2023-05-01", + "2023-06-01-preview", + "2023-10-01-preview" + ], + "attestations": [ + "2023-05-01", + "2023-06-01-preview", + "2023-10-01-preview" + ], "checkDomainAvailability": [ "2016-02-01-preview", "2017-04-18", @@ -8283,7 +8351,8 @@ "2023-03-01-preview", "2023-03-31", "2023-04-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "communicationServices": [ "2020-08-20", @@ -8344,7 +8413,8 @@ "2023-03-01-preview", "2023-03-31", "2023-04-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "locations/operationStatuses": [ "2020-08-20", @@ -8355,7 +8425,8 @@ "2023-03-01-preview", "2023-03-31", "2023-04-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "operations": [ "2020-08-20", @@ -8366,7 +8437,8 @@ "2023-03-01-preview", "2023-03-31", "2023-04-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ], "registeredSubscriptions": [ "2020-08-20", @@ -8376,7 +8448,8 @@ "2023-03-01-preview", "2023-03-31", "2023-04-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-06-01-preview" ] }, "Microsoft.Community": { @@ -8384,10 +8457,15 @@ "2023-11-01" ], "Locations": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" + ], + "Locations/OperationStatuses": [ + "2023-11-01" ], "Operations": [ - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ] }, "Microsoft.Compute": { @@ -9584,7 +9662,8 @@ "2022-08-01", "2022-11-01", "2023-03-01", - "2023-07-01" + "2023-07-01", + "2023-09-01" ] }, "Microsoft.Compute.Admin": { 
@@ -12664,7 +12743,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "jobs/eventGridFilters": [ "2022-09-01", @@ -13686,7 +13766,6 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01", "2023-08-01-preview", "2023-11-01" ], @@ -13711,7 +13790,6 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01", "2023-08-01-preview", "2023-11-01" ], @@ -13736,7 +13814,6 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01", "2023-08-01-preview", "2023-11-01" ], @@ -13748,7 +13825,6 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01", "2023-08-01-preview", "2023-11-01" ], @@ -13773,7 +13849,8 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/checkFeatureSupport": [ "2020-01-01-alpha", @@ -13796,7 +13873,8 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/checkNameAvailability": [ "2020-01-01-alpha", @@ -13819,27 +13897,32 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/crossRegionRestore": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/fetchCrossRegionRestoreJob": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/fetchCrossRegionRestoreJobs": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/fetchSecondaryRecoveryPoints": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/operationResults": [ "2020-01-01-alpha", 
@@ -13862,7 +13945,8 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/operationStatus": [ "2020-01-01-alpha", @@ -13885,12 +13969,14 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "locations/validateCrossRegionRestore": [ "2023-04-01-preview", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "operations": [ "2020-01-01-alpha", @@ -13913,7 +13999,8 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01" ], "resourceGuards": [ "2021-02-01-preview", @@ -13934,7 +14021,6 @@ "2023-04-01-preview", "2023-05-01", "2023-06-01-preview", - "2023-08-01", "2023-08-01-preview", "2023-11-01" ] @@ -14475,7 +14561,10 @@ "servers": [ "2017-12-01", "2017-12-01-preview", - "2018-06-01-privatepreview" + "2018-06-01-privatepreview", + "2020-01-01", + "2020-01-01-preview", + "2020-01-01-privatepreview" ], "servers/administrators": [ "2017-12-01", @@ -14541,16 +14630,6 @@ "2017-12-01-preview", "2018-06-01-privatepreview" ], - "servers/start": [ - "2020-01-01", - "2020-01-01-preview", - "2020-01-01-privatepreview" - ], - "servers/stop": [ - "2020-01-01", - "2020-01-01-preview", - "2020-01-01-privatepreview" - ], "servers/topQueryStatistics": [ "2018-06-01", "2018-06-01-preview", @@ -15294,7 +15373,9 @@ "2023-07-07-preview", "2023-09-05", "2023-10-04-preview", - "2023-10-09-privatepreview" + "2023-10-09-privatepreview", + "2023-11-01-preview", + "2023-11-29-privatepreview" ], "scalingPlans": [ "2019-01-23-preview", @@ -16558,7 +16639,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccountNames": [ "2014-04-01", 
@@ -16770,7 +16852,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/cassandraKeyspaces/tables": [ "2019-08-01", @@ -16802,7 +16885,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/cassandraKeyspaces/tables/throughputSettings": [ "2019-08-01", @@ -16834,7 +16918,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/cassandraKeyspaces/throughputSettings": [ "2019-08-01", @@ -16866,7 +16951,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/cassandraKeyspaces/views": [ "2021-07-01-preview", @@ -16969,7 +17055,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/gremlinDatabases/graphs": [ "2019-08-01", @@ -17001,7 +17088,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/gremlinDatabases/graphs/throughputSettings": [ "2019-08-01", @@ -17033,7 +17121,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/gremlinDatabases/throughputSettings": [ "2019-08-01", @@ -17065,7 +17154,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbDatabases": [ "2019-08-01", @@ -17097,7 +17187,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbDatabases/collections": [ "2019-08-01", 
@@ -17129,7 +17220,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbDatabases/collections/throughputSettings": [ "2019-08-01", @@ -17161,7 +17253,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbDatabases/throughputSettings": [ "2019-08-01", @@ -17193,7 +17286,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbRoleDefinitions": [ "2021-10-15-preview", @@ -17209,7 +17303,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/mongodbUserDefinitions": [ "2021-10-15-preview", @@ -17225,7 +17320,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/notebookWorkspaces": [ "2019-08-01", @@ -17257,7 +17353,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/privateEndpointConnections": [ "2019-08-01-preview", @@ -17284,7 +17381,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/services": [ "2021-04-01-preview", @@ -17303,7 +17401,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases": [ "2019-08-01", @@ -17335,7 +17434,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/clientEncryptionKeys": [ "2021-10-15-preview", 
@@ -17350,7 +17450,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/containers": [ "2019-08-01", @@ -17382,7 +17483,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/containers/storedProcedures": [ "2019-08-01", @@ -17414,7 +17516,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/containers/throughputSettings": [ "2019-08-01", @@ -17446,7 +17549,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/containers/triggers": [ "2019-08-01", @@ -17478,7 +17582,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/containers/userDefinedFunctions": [ "2019-08-01", @@ -17510,7 +17615,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlDatabases/throughputSettings": [ "2019-08-01", @@ -17542,7 +17648,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlRoleAssignments": [ "2020-06-01-preview", @@ -17567,7 +17674,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/sqlRoleDefinitions": [ "2020-06-01-preview", @@ -17592,7 +17700,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/tables": [ "2019-08-01", 
@@ -17624,7 +17733,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "databaseAccounts/tables/throughputSettings": [ "2019-08-01", @@ -17656,7 +17766,8 @@ "2023-03-15-preview", "2023-04-15", "2023-09-15", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15" ], "locations": [ "2014-04-01", @@ -18222,12 +18333,15 @@ }, "Microsoft.EdgeMarketplace": { "locations": [ + "2023-08-01", "2023-08-01-preview" ], "locations/operationStatuses": [ + "2023-08-01", "2023-08-01-preview" ], "offers": [ + "2023-08-01", "2023-08-01-preview" ], "operations": [ @@ -18237,6 +18351,7 @@ "2023-08-01-preview" ], "publishers": [ + "2023-08-01", "2023-08-01-preview" ] }, @@ -18347,7 +18462,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "elasticVersions": [ "2023-02-01-preview", @@ -18355,12 +18471,14 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "getElasticOrganizationToAzureSubscriptionMapping": [ "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "getOrganizationApiKey": [ "2023-02-01-preview", @@ -18368,7 +18486,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "locations": [ "2020-07-01", @@ -18383,7 +18502,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "locations/operationStatuses": [ "2020-07-01", @@ -18398,7 +18518,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "monitors": [ "2020-07-01", 
@@ -18445,7 +18566,8 @@ "2023-06-01", "2023-06-15-preview", "2023-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ] }, "Microsoft.ElasticSan": { @@ -19280,6 +19402,11 @@ "2021-07-01" ] }, + "Microsoft.FileShares": { + "locations": [ + "2023-01-01-preview" + ] + }, "Microsoft.FluidRelay": { "fluidRelayServers": [ "2021-03-12-preview", @@ -20496,7 +20623,8 @@ "2022-01-01-preview", "2022-09-01-preview", "2023-01-01", - "2023-04-01-preview" + "2023-04-01-preview", + "2023-09-01" ], "publishers": [ "2023-01-01", @@ -20574,7 +20702,7 @@ "2016-05-01" ] }, - "Microsoft.Insights": { + "microsoft.insights": { "actionGroups": [ "2017-03-01-preview", "2017-04-01", @@ -20586,7 +20714,6 @@ "2022-04-01", "2022-06-01", "2023-01-01", - "2023-05-01", "2023-08-01-preview" ], "activityLogAlerts": [ @@ -20851,7 +20978,6 @@ "2022-04-01", "2022-06-01", "2023-01-01", - "2023-05-01", "2023-05-01-preview" ], "dataCollectionEndpoints": [ @@ -20993,7 +21119,6 @@ "2022-04-01", "2022-06-01", "2023-01-01", - "2023-05-01", "2023-05-01-preview" ], "operations": [ @@ -21789,6 +21914,17 @@ "2023-05-01" ] }, + "Microsoft.KubernetesRuntime": { + "bgpPeers": [ + "2023-10-01-preview" + ], + "loadBalancers": [ + "2023-10-01-preview" + ], + "operations": [ + "2023-10-01-preview" + ] + }, "Microsoft.Kusto": { "clusters": [ "2017-09-07-privatepreview", @@ -23409,7 +23545,8 @@ "2022-07-01-preview", "2022-11-01-preview", "2023-04-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "configurationAssignments": [ "2018-06-01-preview", @@ -23421,7 +23558,8 @@ "2022-07-01-preview", "2022-11-01-preview", "2023-04-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "maintenanceConfigurations": [ "2016-01-01", @@ -23437,7 +23575,8 @@ "2022-07-01-preview", "2022-11-01-preview", "2023-04-01", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-10-01-preview" ], "operations": [ "2016-01-01", 
@@ -23488,25 +23627,29 @@ "2018-11-30", "2021-09-30-PREVIEW", "2022-01-31-PREVIEW", - "2023-01-31" + "2023-01-31", + "2023-07-31-PREVIEW" ], "operations": [ "2015-08-31-PREVIEW", "2018-11-30", "2021-09-30-PREVIEW", "2022-01-31-PREVIEW", - "2023-01-31" + "2023-01-31", + "2023-07-31-PREVIEW" ], "userAssignedIdentities": [ "2015-08-31-preview", "2018-11-30", "2021-09-30-preview", "2022-01-31-preview", - "2023-01-31" + "2023-01-31", + "2023-07-31-preview" ], "userAssignedIdentities/federatedIdentityCredentials": [ "2022-01-31-preview", - "2023-01-31" + "2023-01-31", + "2023-07-31-preview" ] }, "Microsoft.ManagedNetwork": { @@ -24532,7 +24675,7 @@ "2019-10-01", "2023-03-15" ], - "assessmentProjects/privateEndpointConnections": [ + "assessmentprojects/privateEndpointConnections": [ "2019-10-01", "2023-03-15" ], @@ -30887,7 +31030,7 @@ "2023-05-01", "2023-06-01" ], - "virtualNetworkGateways": [ + "virtualnetworkgateways": [ "2014-12-01-preview", "2015-05-01-preview", "2015-06-15", @@ -30967,7 +31110,7 @@ "2023-05-01", "2023-06-01" ], - "virtualNetworks": [ + "virtualnetworks": [ "2014-12-01-preview", "2015-05-01-preview", "2015-06-15", @@ -31077,7 +31220,7 @@ "virtualNetworks/privateDnsZoneLinks": [ "2020-06-01" ], - "virtualNetworks/subnets": [ + "virtualnetworks/subnets": [ "2015-05-01-preview", "2015-06-15", "2016-03-30", @@ -31619,6 +31762,8 @@ ], "Locations/OperationStatuses": [ "2022-11-15-preview", + "2023-03-31-preview", + "2023-04-30-preview", "2023-11-15" ], "Operations": [ 
@@ -31632,66 +31777,62 @@ }, "Microsoft.NetworkCloud": { "bareMetalMachines": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "cloudServicesNetworks": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "clusterManagers": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "clusters": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "clusters/admissions": [ "2022-09-30-preview" ], "clusters/bareMetalMachineKeySets": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "clusters/bmcKeySets": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "clusters/metricsConfigurations": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" - ], - "defaultCniNetworks": [ - "2022-12-12-preview" - ], - "hybridAksClusters": [ - "2022-12-12-preview" + "2023-07-01", + "2023-10-01-preview" ], "kubernetesClusters": [ "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "kubernetesClusters/agentPools": [ "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "l2Networks": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "l3Networks": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "locations": [ "2023-05-01-preview", @@ -31700,7 +31841,8 @@ ], "locations/operationStatuses": [ "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "operations": [ "2023-05-01-preview", 
@@ -31708,13 +31850,14 @@ "2023-10-01-preview" ], "racks": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "rackSkus": [ "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "registeredSubscriptions": [ "2023-05-01-preview", @@ -31722,29 +31865,29 @@ "2023-10-01-preview" ], "storageAppliances": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "trunkedNetworks": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "virtualMachines": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "virtualMachines/consoles": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ], "volumes": [ - "2022-12-12-preview", "2023-05-01-preview", - "2023-07-01" + "2023-07-01", + "2023-10-01-preview" ] }, "Microsoft.NetworkFunction": { @@ -31831,7 +31974,7 @@ "2023-09-01", "2023-10-01-preview" ], - "namespaces/AuthorizationRules": [ + "namespaces/authorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", @@ -31848,7 +31991,7 @@ "2023-09-01", "2023-10-01-preview" ], - "namespaces/notificationHubs/AuthorizationRules": [ + "namespaces/notificationHubs/authorizationRules": [ "2014-09-01", "2016-03-01", "2017-04-01", @@ -32984,10 +33127,12 @@ "accounts": [ "2020-12-01-preview", "2021-07-01", - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "accounts/kafkaConfigurations": [ - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "accounts/privateEndpointConnections": [ "2020-12-01-preview", 
@@ -33011,15 +33156,18 @@ "2021-12-01" ], "locations/listFeatures": [ - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "locations/operationResults": [ "2020-12-01-preview", "2021-07-01", - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "locations/usages": [ - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "operations": [ "2020-12-01-preview", @@ -33194,7 +33342,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "locations/allocatedStamp": [ "2015-08-15", @@ -33263,7 +33412,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "locations/backupStatus": [ "2016-06-01", @@ -33289,7 +33439,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "locations/backupValidateFeatures": [ "2017-07-01", @@ -33314,7 +33465,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "locations/capabilities": [ "2022-01-31-preview", @@ -33324,7 +33476,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "locations/checkNameAvailability": [ "2018-01-10" @@ -33383,7 +33536,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "replicationEligibilityResults": [ "2018-07-10", @@ -33408,7 +33562,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "vaults": [ "2015-03-15", @@ -33465,7 +33620,8 @@ "2023-02-01", "2023-04-01", "2023-06-01", - "2023-07-01-preview" + "2023-07-01-preview", + "2023-08-01" ], "vaults/backupconfig": [ "2019-06-15", 
@@ -34222,19 +34378,19 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/authorizationRules": [ + "namespaces/AuthorizationRules": [ "2016-07-01", "2017-04-01", "2018-01-01-preview", "2021-11-01" ], - "namespaces/hybridConnections": [ + "namespaces/HybridConnections": [ "2016-07-01", "2017-04-01", "2018-01-01-preview", "2021-11-01" ], - "namespaces/hybridConnections/authorizationRules": [ + "namespaces/HybridConnections/authorizationRules": [ "2016-07-01", "2017-04-01", "2018-01-01-preview", @@ -34252,13 +34408,13 @@ "2018-01-01-preview", "2021-11-01" ], - "namespaces/wcfRelays": [ + "namespaces/WcfRelays": [ "2016-07-01", "2017-04-01", "2018-01-01-preview", "2021-11-01" ], - "namespaces/wcfRelays/authorizationRules": [ + "namespaces/WcfRelays/authorizationRules": [ "2016-07-01", "2017-04-01", "2018-01-01-preview", @@ -34824,16 +34980,31 @@ "2019-04-01", "2019-05-01", "2019-05-10", + "2019-06-01", "2019-07-01", "2019-08-01", + "2019-09-01", "2019-10-01", + "2019-11-01", + "2020-01-01", + "2020-05-01", "2020-06-01", + "2020-07-01", "2020-08-01", + "2020-09-01", "2020-10-01", "2021-01-01", "2021-04-01", + "2022-01-01", + "2022-03-01-preview", + "2022-05-01", + "2022-06-01", "2022-09-01", - "2023-07-01" + "2022-11-01-preview", + "2022-12-01", + "2023-03-01-preview", + "2023-07-01", + "2023-07-01-preview" ], "resources": [ "2014-04-01-preview", @@ -35086,12 +35257,6 @@ "2022-09-01", "2023-07-01" ], - "tagNamespaceOperationResults": [ - "2023-03-01-preview" - ], - "tagnamespaces": [ - "2023-03-01-preview" - ], "tags": [ "2018-11-01", "2019-03-01", @@ -35622,7 +35787,8 @@ "2017-08-01-preview", "2018-06-01", "2022-03-01", - "2023-01-01" + "2023-01-01", + "2024-01-01" ], "pricings/securityOperators": [ "2023-01-01-preview" @@ -35942,7 +36108,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "alertRules/actions": [ "2019-01-01-preview", 
@@ -36002,7 +36169,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "automationRules": [ "2019-01-01-preview", @@ -36030,7 +36198,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "billingStatistics": [ "2023-05-01-preview", @@ -36038,7 +36207,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "bookmarks": [ "2019-01-01-preview", @@ -36067,7 +36237,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "bookmarks/relations": [ "2019-01-01-preview", @@ -36118,7 +36289,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "contentPackages": [ "2022-11-01-preview", @@ -36131,7 +36303,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "contentProductPackages": [ "2023-04-01-preview", @@ -36140,7 +36313,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "contentProductTemplates": [ "2023-04-01-preview", @@ -36149,7 +36323,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "contentTemplates": [ "2022-11-01-preview", @@ -36162,7 +36337,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "dataConnectorDefinitions": [ "2022-09-01-preview", 
@@ -36177,7 +36353,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "dataConnectors": [ "2019-01-01-preview", @@ -36207,7 +36384,9 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview", + "2024-01-01-preview" ], "dataConnectorsCheckRequirements": [ "2019-01-01-preview", @@ -36231,7 +36410,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "dynamicSummaries": [ "2023-03-01-preview", @@ -36241,7 +36421,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "enrichment": [ "2019-01-01-preview", @@ -36265,7 +36446,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "entities": [ "2019-01-01-preview", @@ -36289,7 +36471,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "entityQueries": [ "2019-01-01-preview", @@ -36314,7 +36497,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "entityQueryTemplates": [ "2019-01-01-preview", @@ -36339,7 +36523,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "exportConnections": [ "2023-03-01-preview", @@ -36349,7 +36534,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "fileImports": [ "2022-08-01-preview", 
@@ -36365,7 +36551,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "hunts": [ "2023-04-01-preview", @@ -36374,7 +36561,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "hunts/comments": [ "2023-04-01-preview", @@ -36407,7 +36595,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "incidents": [ "2019-01-01-preview", @@ -36438,7 +36627,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "incidents/comments": [ "2019-01-01-preview", @@ -36535,7 +36725,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "metadata": [ "2021-03-01-preview", @@ -36560,7 +36751,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "MitreCoverageRecords": [ "2022-01-01-preview", @@ -36581,7 +36773,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "officeConsents": [ "2019-01-01-preview", @@ -36605,7 +36798,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "onboardingStates": [ "2021-03-01-preview", @@ -36633,7 +36827,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "operations": [ "2019-01-01-preview", 
@@ -36664,7 +36859,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "overview": [ "2022-09-01-preview", @@ -36679,7 +36875,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "recommendations": [ "2022-11-01-preview", @@ -36692,7 +36889,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "securityMLAnalyticsSettings": [ "2022-05-01-preview", @@ -36713,7 +36911,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "settings": [ "2019-01-01-preview", @@ -36738,7 +36937,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "sourcecontrols": [ "2021-03-01-preview", @@ -36762,7 +36962,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "threatIntelligence": [ "2019-01-01-preview", @@ -36791,7 +36992,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "threatIntelligence/indicators": [ "2019-01-01-preview", @@ -36831,7 +37033,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "watchlists": [ "2019-01-01-preview", @@ -36861,7 +37064,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "watchlists/watchlistItems": [ "2019-01-01-preview", 
@@ -36901,7 +37105,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "workspaceManagerConfigurations": [ "2023-03-01-preview", @@ -36911,7 +37116,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "workspaceManagerGroups": [ "2023-03-01-preview", @@ -36921,7 +37127,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "workspaceManagerMembers": [ "2023-03-01-preview", @@ -36931,7 +37138,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ] }, "Microsoft.SerialConsole": { @@ -43393,12 +43601,14 @@ "checkAmlFSSubnets": [ "2021-11-01-preview", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "getRequiredAmlFSSubnetsSize": [ "2021-11-01-preview", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "locations": [ "2019-08-01-preview", @@ -43415,7 +43625,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "locations/ascoperations": [ "2019-08-01-preview", @@ -43432,7 +43643,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "locations/usages": [ "2022-01-01", @@ -43440,7 +43652,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "operations": [ "2019-08-01-preview", @@ -43457,7 +43670,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ], "usageModels": [ "2019-08-01-preview", 
@@ -43473,7 +43687,8 @@ "2022-09-01-preview", "2023-01-01", "2023-03-01-preview", - "2023-05-01" + "2023-05-01", + "2023-11-01-preview" ] }, "Microsoft.StorageMover": { @@ -44507,7 +44722,8 @@ "2023-08-01-preview", "2023-08-15-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "locations/operationstatuses": [ "2020-12-16-preview", @@ -44529,7 +44745,8 @@ "2023-08-01-preview", "2023-08-15-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "operations": [ "2020-12-16-preview", @@ -44551,7 +44768,8 @@ "2023-08-01-preview", "2023-08-15-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "skus": [ "2020-12-16-preview", @@ -44573,7 +44791,8 @@ "2023-08-01-preview", "2023-08-15-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts": [ "2020-12-16-preview", @@ -44588,14 +44807,16 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/actionRequests": [ "2023-01-01-preview", "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/availableInplaceUpgradeOSs": [ "2022-11-01-preview", @@ -44604,7 +44825,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/availableOSs": [ "2020-12-16-preview", 
@@ -44619,13 +44841,19 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" + ], + "testBaseAccounts/availableVMConfigurationTypes": [ + "2023-12-01-preview" ], "testBaseAccounts/chatSessions": [ - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/credentials": [ - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/customerEvents": [ "2020-12-16-preview", @@ -44640,12 +44868,14 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/customImages": [ "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/draftPackages": [ "2022-12-01-preview", @@ -44653,7 +44883,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/emailEvents": [ "2020-12-16-preview", @@ -44668,7 +44899,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/featureUpdateSupportedOses": [ "2022-08-01-preview", @@ -44678,7 +44910,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/firstPartyApps": [ "2022-11-01-preview", @@ -44687,7 +44920,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/flightingRings": [ "2020-12-16-preview", 
@@ -44702,28 +44936,33 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/freeHourBalances": [ "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/galleryApps": [ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/galleryApps/galleryAppSkus": [ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/imageDefinitions": [ "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/packages": [ "2020-12-16-preview", @@ -44738,7 +44977,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/packages/favoriteProcesses": [ "2020-12-16-preview", @@ -44753,7 +44993,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/packages/osUpdates": [ "2020-12-16-preview", @@ -44768,7 +45009,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/packages/testResults": [ "2020-12-16-preview", @@ -44783,7 +45025,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/packages/testResults/analysisResults": [ "2020-12-16-preview", 
@@ -44798,7 +45041,14 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" + ], + "testBaseAccounts/testConfigurations": [ + "2023-12-01-preview" + ], + "testBaseAccounts/testConfigurations/testResults": [ + "2023-12-01-preview" ], "testBaseAccounts/testSummaries": [ "2020-12-16-preview", @@ -44813,7 +45063,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/testTypes": [ "2020-12-16-preview", @@ -44828,7 +45079,8 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/usages": [ "2020-12-16-preview", @@ -44843,12 +45095,14 @@ "2023-06-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "testBaseAccounts/vhds": [ "2023-08-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ] }, "Microsoft.TimeSeriesInsights": { @@ -44913,7 +45167,8 @@ "2022-12-01-preview", "2023-02-01-preview", "2023-04-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-12-01-preview" ] }, "Microsoft.VideoIndexer": { @@ -45170,6 +45425,9 @@ ] }, "Microsoft.Web": { + "aseregions": [ + "2023-01-01" + ], "availableStacks": [ "2014-04-01", "2014-04-01-preview", @@ -45869,6 +46127,9 @@ "2016-06-01", "2018-03-01-preview" ], + "locations/usages": [ + "2023-01-01" + ], "locations/validateDeleteVirtualNetworkOrSubnets": [ "2014-04-01", "2014-04-01-preview", 
@@ -47491,52 +47752,68 @@ "accounts": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "checkNameAvailability": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "locations": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "locations/operationStatuses": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "monitors": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" + ], + "monitors/monitoredSubscriptions": [ + "2022-07-01", + "2022-07-01-preview", + "2023-10-01-preview", + "2023-11-01-preview" ], "monitors/tagRules": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "operations": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "organizations": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "plans": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ], "registeredSubscriptions": [ "2022-07-01", "2022-07-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01-preview" ] }, "NGINX.NGINXPLUS": { From 022f7b8b82404464fde6fe9a4e393bbe3e51d2eb Mon Sep 17 00:00:00 2001 
From: Kris Baranek
Date: Mon, 11 Dec 2023 07:35:04 +0100
Subject: [PATCH 152/178] Added MOVED-TO-AVM for three modules (#4354)

---
 modules/insights/activity-log-alert/MOVED-TO-AVM.md | 1 +
 modules/insights/activity-log-alert/README.md | 2 ++
 modules/insights/metric-alert/MOVED-TO-AVM.md | 1 +
 modules/insights/metric-alert/README.md | 2 ++
 modules/insights/scheduled-query-rule/MOVED-TO-AVM.md | 1 +
 modules/insights/scheduled-query-rule/README.md | 2 ++
 6 files changed, 9 insertions(+)
 create mode 100644 modules/insights/activity-log-alert/MOVED-TO-AVM.md
 create mode 100644 modules/insights/metric-alert/MOVED-TO-AVM.md
 create mode 100644 modules/insights/scheduled-query-rule/MOVED-TO-AVM.md

diff --git a/modules/insights/activity-log-alert/MOVED-TO-AVM.md b/modules/insights/activity-log-alert/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/insights/activity-log-alert/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md
index b7efef2649..02ded7facf 100644
--- a/modules/insights/activity-log-alert/README.md
+++ b/modules/insights/activity-log-alert/README.md
@@ -1,5 +1,7 @@
 # Activity Log Alerts `[Microsoft.Insights/activityLogAlerts]`
 
+> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
+
 This module deploys an Activity Log Alert.
 
 ## Navigation
diff --git a/modules/insights/metric-alert/MOVED-TO-AVM.md b/modules/insights/metric-alert/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/insights/metric-alert/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md
index 4a80c79593..e519eb367e 100644
--- a/modules/insights/metric-alert/README.md
+++ b/modules/insights/metric-alert/README.md
@@ -1,5 +1,7 @@
 # Metric Alerts `[Microsoft.Insights/metricAlerts]`
 
+> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
+
 This module deploys a Metric Alert.
 
 ## Navigation
diff --git a/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md b/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/insights/scheduled-query-rule/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md
index 4b925dc11d..695dd4df5f 100644
--- a/modules/insights/scheduled-query-rule/README.md
+++ b/modules/insights/scheduled-query-rule/README.md
@@ -1,5 +1,7 @@ # Scheduled Query Rules `[Microsoft.Insights/scheduledQueryRules]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Scheduled Query Rule. ## Navigation From 972277ee199542430d1e4b397d9b3e774cffa023 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Mon, 11 Dec 2023 09:46:01 +0100 Subject: [PATCH 153/178] Ported fixed implemented in AVM to reenabled static test issues (#4352) --- utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 | 2 +- utilities/pipelines/staticValidation/module.tests.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 6ad25de0a9..2130c0167c 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 +++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -1155,7 +1155,7 @@ function Set-UsageExamplesSection { $buildTestFileMap = [System.Collections.Concurrent.ConcurrentDictionary[string, object]]::new() $testFilePaths | ForEach-Object -Parallel { $folderName = Split-Path (Split-Path -Path $_) -Leaf - $buildTemplate = bicep build $_ --stdout | ConvertFrom-Json -AsHashtable + $buildTemplate = (bicep build $_ --stdout 2>$null) | ConvertFrom-Json -AsHashtable $dict = $using:buildTestFileMap $null = $dict.TryAdd($folderName, $buildTemplate) diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1 index c973dd9929..ccc4a7dc2f 100644 --- a/utilities/pipelines/staticValidation/module.tests.ps1 +++ b/utilities/pipelines/staticValidation/module.tests.ps1 
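Review bot: Redirecting stderr to `$null` on the `$buildTemplate` line discards every diagnostic `bicep build` emits, and a failed build then flows on as an empty or null `$buildTemplate` that `TryAdd` stores without any check, so the failure only surfaces later as an unrelated null-reference error. The module.tests.ps1 hunk in this same commit (`$builtTemplate`) has the identical pattern. Keeping the redirection for warnings is fine, but the exit code should still be checked so a broken test file fails loudly, e.g. `if ($LASTEXITCODE -ne 0) { throw "bicep build failed for [$_]" }` directly after the build line; inside a `ForEach-Object -Parallel` block `$LASTEXITCODE` is presumably set per runspace, so confirm it behaves as expected there. Set-UsageExamplesSection continues outside the hunk.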
@@ -48,7 +48,7 @@ foreach ($moduleFolderPath in $moduleFolderPaths) {
 $builtTestFileMap = [System.Collections.Concurrent.ConcurrentDictionary[string, object]]::new()
 $pathsToBuild | ForEach-Object -Parallel {
 $dict = $using:builtTestFileMap
- $builtTemplate = bicep build $_ --stdout | ConvertFrom-Json -AsHashtable
+ $builtTemplate = (bicep build $_ --stdout 2>$null) | ConvertFrom-Json -AsHashtable
 $null = $dict.TryAdd($_, $builtTemplate)
 }
From 6630a3245fc93d8472919687f5505119a975f88c Mon Sep 17 00:00:00 2001
From: elisa anzelmo
Date: Mon, 11 Dec 2023 13:38:26 +0100
Subject: [PATCH 154/178] Adding Moved to AVM for managed-identity/user-assigned-identity (#4339)
* first draft
* updated avm draft
* moved to avm
* conflicts
* final userid
* readme update
---
 .../managed-identity/user-assigned-identity/MOVED-TO-AVM.md | 1 +
 modules/managed-identity/user-assigned-identity/README.md | 2 ++
 .../federated-identity-credential/main.json | 4 ++--
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md
diff --git a/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md b/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md
new file mode 100644
index 0000000000..cec0941d12
--- /dev/null
+++ b/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md
@@ -0,0 +1 @@
+This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml).
diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md
index cb4ec31501..0e9abdef58
--- a/modules/managed-identity/user-assigned-identity/README.md
+++ b/modules/managed-identity/user-assigned-identity/README.md
@@ -1,5 +1,7 @@ # User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a User Assigned Identity. ## Navigation diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json index d7d037aaa3..ac48d00ac2 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15026838206978058830" + "version": "0.23.1.45101", + "templateHash": "16507829721467583096" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", From dd5925d4672e64f8e9a9c97f79065fcf5ad6f126 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Mon, 11 Dec 2023 12:38:59 +0000 Subject: [PATCH 155/178] Push updated Readme file(s) --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 44acccd038..b9c189fa13 100644 --- a/README.md +++ b/README.md 
@@ -49,7 +49,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | `Microsoft.AppConfiguration` | [configurationStores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [App Configuration Stores](https://github.com/Azure/ResourceModules/tree/main/modules/app-configuration/configuration-store) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.Authorization` | [locks](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [Authorization Locks (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/lock) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [policyAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [Policy Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [policyDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [policydefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [Policy Definitions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [policyExemptions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [Policy Exemptions (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-exemption) | [![Deploy to 
Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [policySetDefinitions](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [Policy Set Definitions (Initiatives) (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/policy-set-definition) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [roleAssignments](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [Role Assignments (All scopes)](https://github.com/Azure/ResourceModules/tree/main/modules/authorization/role-assignment) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -92,7 +92,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | `Microsoft.EventHub` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [Event Hub Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthBot` | [healthBots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [Azure Health Bots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthcareApis` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [Healthcare API Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `Microsoft.Insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| `microsoft.insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [activityLogAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [Activity Log Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [components](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | 
[Application Insights](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [dataCollectionEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [Data Collection Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -144,8 +144,8 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | | [serviceEndpointPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [Service Endpoint Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/service-endpoint-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [trafficmanagerprofiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [Traffic Manager Profiles](https://github.com/Azure/ResourceModules/tree/main/modules/network/trafficmanagerprofile) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [virtualHubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [Virtual Hubs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-hub) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [virtualNetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [virtualNetworkGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [virtualnetworks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [Virtual Networks](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [virtualnetworkgateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) 
| [Virtual Network Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-network-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [virtualWans](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [Virtual WANs](https://github.com/Azure/ResourceModules/tree/main/modules/network/virtual-wan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [vpnGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [VPN Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [vpnSites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [VPN Sites](https://github.com/Azure/ResourceModules/tree/main/modules/network/vpn-site) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | From 23ce557eed83890ecb394bbd40a219252540b75f Mon Sep 17 00:00:00 2001 From: elisa anzelmo Date: Tue, 12 Dec 2023 18:05:45 +0100 Subject: [PATCH 156/178] migrated module (#4364) --- modules/automation/automation-account/MOVED-TO-AVM.md | 1 + modules/automation/automation-account/README.md | 2 ++ modules/automation/automation-account/job-schedule/main.json | 4 ++-- modules/automation/automation-account/module/main.json | 4 ++-- modules/automation/automation-account/runbook/main.json | 4 ++-- modules/automation/automation-account/schedule/main.json | 4 ++-- .../software-update-configuration/main.json | 4 ++-- modules/automation/automation-account/variable/main.json | 4 ++-- 8 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 modules/automation/automation-account/MOVED-TO-AVM.md diff --git a/modules/automation/automation-account/MOVED-TO-AVM.md b/modules/automation/automation-account/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null 
+++ b/modules/automation/automation-account/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index c4be8ef65e..7517eecfda 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -1,5 +1,7 @@ # Automation Accounts `[Microsoft.Automation/automationAccounts]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Azure Automation Account. ## Navigation diff --git a/modules/automation/automation-account/job-schedule/main.json b/modules/automation/automation-account/job-schedule/main.json index bb8ec2e35b..8c6c38ea2d 100644 --- a/modules/automation/automation-account/job-schedule/main.json +++ b/modules/automation/automation-account/job-schedule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7560418296837405700" + "version": "0.23.1.45101", + "templateHash": "7940366869013991296" }, "name": "Automation Account Job Schedules", "description": "This module deploys an Azure Automation Account Job Schedule.", diff --git a/modules/automation/automation-account/module/main.json b/modules/automation/automation-account/module/main.json index 305926a6eb..06805114ac 100644 --- a/modules/automation/automation-account/module/main.json +++ b/modules/automation/automation-account/module/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18249732142000845439" + "version": "0.23.1.45101", + "templateHash": "6971821068699927304" }, "name": "Automation Account Modules", "description": "This module deploys an Azure Automation Account Module.", diff --git a/modules/automation/automation-account/runbook/main.json b/modules/automation/automation-account/runbook/main.json index 9d60de1b4d..a089f92bde 100644 --- a/modules/automation/automation-account/runbook/main.json +++ b/modules/automation/automation-account/runbook/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1833872657708381069" + "version": "0.23.1.45101", + "templateHash": "3054091660106074138" }, "name": "Automation Account Runbooks", "description": "This module deploys an Azure Automation Account Runbook.", diff --git a/modules/automation/automation-account/schedule/main.json b/modules/automation/automation-account/schedule/main.json index 4183686e3a..489a4c3022 100644 --- a/modules/automation/automation-account/schedule/main.json +++ b/modules/automation/automation-account/schedule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4119330639685982378" + "version": "0.23.1.45101", + "templateHash": "3941184452068098954" }, "name": "Automation Account Schedules", "description": "This module deploys an Azure Automation Account Schedule.", diff --git a/modules/automation/automation-account/software-update-configuration/main.json b/modules/automation/automation-account/software-update-configuration/main.json index 14b2d33ac1..9612d02f44 100644 --- a/modules/automation/automation-account/software-update-configuration/main.json +++ b/modules/automation/automation-account/software-update-configuration/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10775503419002427646" + "version": "0.23.1.45101", + "templateHash": "17152541334253964982" }, "name": "Automation Account Software Update Configurations", "description": "This module deploys an Azure Automation Account Software Update Configuration.", diff --git a/modules/automation/automation-account/variable/main.json b/modules/automation/automation-account/variable/main.json index 333cb278b4..36b7c3584b 100644 --- a/modules/automation/automation-account/variable/main.json +++ b/modules/automation/automation-account/variable/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17400819380217562013" + "version": "0.23.1.45101", + "templateHash": "13399277967950966124" }, "name": "Automation Account Variables", "description": "This module deploys an Azure Automation Account Variable.", From c58ee37d873460bab790a403e050736cdd9dbdc3 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Wed, 13 Dec 2023 12:02:52 +0100 Subject: [PATCH 157/178] Bugfix for allowed value logic --- modules/web/site/README.md | 6 +++--- .../pipelines/sharedScripts/Set-ModuleReadMe.ps1 | 15 +++++++++------ 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/modules/web/site/README.md b/modules/web/site/README.md index e1542f55c6..2cc75780b8 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -988,9 +988,9 @@ Type of site to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` diff --git a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 index 2130c0167c..77f2849eb6 100644 --- a/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 
+++ b/utilities/pipelines/sharedScripts/Set-ModuleReadMe.ps1 @@ -1017,12 +1017,15 @@ function ConvertTo-FormattedBicep { # [2/5] Remove any JSON specific formatting $templateParameterObject = $orderedJSONParameters | ConvertTo-Json -Depth 99 if ($templateParameterObject -ne '{}') { - $contentInBicepFormat = $templateParameterObject -replace "'", "\'" # Update any [ "field": "[[concat('tags[', parameters('tagName'), ']')]"] to [ "field": "[[concat(\'tags[\', parameters(\'tagName\'), \']\')]"] - $contentInBicepFormat = $contentInBicepFormat -replace '"', "'" # Update any [xyz: "xyz"] to [xyz: 'xyz'] - $contentInBicepFormat = $contentInBicepFormat -replace ',', '' # Update any [xyz: xyz,] to [xyz: xyz] - $contentInBicepFormat = $contentInBicepFormat -replace "'(\w+)':", '$1:' # Update any ['xyz': xyz] to [xyz: xyz] - $contentInBicepFormat = $contentInBicepFormat -replace "'(.+.getSecret\('.+'\))'", '$1' # Update any [xyz: 'xyz.GetSecret()'] to [xyz: xyz.GetSecret()] - $bicepParamsArray = $contentInBicepFormat -split '\n' + $bicepParamsArray = $templateParameterObject -split '\r?\n' | ForEach-Object { + $line = $_ + $line = $line -replace "'", "\'" # Update any [ "field": "[[concat('tags[', parameters('tagName'), ']')]"] to [ "field": "[[concat(\'tags[\', parameters(\'tagName\'), \']\')]"] + $line = $line -replace '"', "'" # Update any [xyz: "xyz"] to [xyz: 'xyz'] + $line = $line -replace ',$', '' # Update any [xyz: abc,xyz,] to [xyz: abc,xyz] + $line = $line -replace "'(\w+)':", '$1:' # Update any ['xyz': xyz] to [xyz: xyz] + $line = $line -replace "'(.+.getSecret\('.+'\))'", '$1' # Update any [xyz: 'xyz.GetSecret()'] to [xyz: xyz.GetSecret()] + $line + } $bicepParamsArray = $bicepParamsArray[1..($bicepParamsArray.count - 2)] # [3/5] Format 'getSecret' references From 4f5e13d4cf3676060ef4c0e68f06f2765a86b31b Mon Sep 17 00:00:00 2001 
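Review bot: In the rewritten `getSecret` replacement the dot before `getSecret` is unescaped, so `"'(.+.getSecret\('.+'\))'"` matches any character in that position rather than the literal member-access dot the trailing comment describes; since the line is being rewritten anyway, `"'(.+\.getSecret\('.+'\))'"` pins it down. The five replacements are also order-dependent: the `'(\w+)':` key-quote stripping only works because the `-replace '"', "'"` step has already turned JSON's `"key":` into `'key':`, and nothing in the block says so. A one-line comment above the `ForEach-Object`, `# order matters: quote conversion must run before key-quote stripping`, would protect the next person who reorders these lines. ConvertTo-FormattedBicep starts and ends outside the hunk.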
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 13 Dec 2023 22:48:28 +1100 Subject: [PATCH 158/178] Updated NSG Module VM (#4365) --- modules/network/network-security-group/MOVED-TO-AVM.md | 1 + modules/network/network-security-group/README.md | 2 ++ .../network/network-security-group/security-rule/main.json | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 modules/network/network-security-group/MOVED-TO-AVM.md diff --git a/modules/network/network-security-group/MOVED-TO-AVM.md b/modules/network/network-security-group/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/network-security-group/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index 9ea167f1eb..ba3e62ca92 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -1,5 +1,7 @@ # Network Security Groups `[Microsoft.Network/networkSecurityGroups]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Network security Group (NSG). ## Navigation diff --git a/modules/network/network-security-group/security-rule/main.json b/modules/network/network-security-group/security-rule/main.json index a024c862c1..9d34ec99a7 100644 --- a/modules/network/network-security-group/security-rule/main.json +++ b/modules/network/network-security-group/security-rule/main.json 
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "820939823450891186"
+ "version": "0.23.1.45101",
+ "templateHash": "5230356401692373453"
 },
 "name": "Network Security Group (NSG) Security Rules",
 "description": "This module deploys a Network Security Group (NSG) Security Rule.",
From a807012a885d23ed121f9f3e017551f1171fced5 Mon Sep 17 00:00:00 2001
From: Alexander Sehr Date: Wed, 13 Dec 2023 13:40:35 +0100 Subject: [PATCH 159/178] Regenerated all docs & json templates (#4366) --- .../service/api-version-set/main.json | 4 +- modules/api-management/service/api/main.json | 8 +-- .../service/api/policy/main.json | 4 +- .../service/authorization-server/main.json | 4 +- .../api-management/service/backend/main.json | 4 +- .../api-management/service/cache/main.json | 4 +- .../service/identity-provider/main.json | 4 +- .../service/named-value/main.json | 4 +- .../api-management/service/policy/main.json | 4 +- .../service/portalsetting/main.json | 4 +- .../service/product/api/main.json | 4 +- .../service/product/group/main.json | 4 +- .../api-management/service/product/main.json | 12 ++-- .../service/subscription/main.json | 4 +- .../configuration-store/key-value/main.json | 4 +- modules/app/managed-environment/README.md | 69 +++++++++++-------- modules/authorization/lock/main.json | 12 ++-- .../lock/resource-group/main.json | 4 +- .../authorization/lock/subscription/main.json | 4 +- .../authorization/policy-assignment/main.json | 16 ++--- .../management-group/main.json | 4 +- .../resource-group/main.json | 4 +- .../policy-assignment/subscription/main.json | 4 +- .../authorization/policy-definition/README.md | 8 +-- .../authorization/policy-definition/main.json | 12 ++-- .../management-group/main.json | 4 +- .../policy-definition/subscription/main.json | 4 +- .../authorization/policy-exemption/main.json | 16 ++--- .../management-group/main.json | 4 +- .../policy-exemption/resource-group/main.json | 4 +- .../policy-exemption/subscription/main.json | 4 +- .../policy-set-definition/main.json | 12 ++-- .../management-group/main.json | 4 +- .../subscription/main.json | 4 +- .../authorization/role-assignment/main.json | 16 ++--- .../management-group/main.json | 4 +- .../role-assignment/resource-group/main.json | 4 +- .../role-assignment/subscription/main.json | 4 +- .../authorization/role-definition/main.json | 16 ++--- 
.../management-group/main.json | 4 +- .../role-definition/resource-group/main.json | 4 +- .../role-definition/subscription/main.json | 4 +- .../cache/redis-enterprise/database/main.json | 4 +- modules/cdn/profile/afdEndpoint/main.json | 8 +-- .../cdn/profile/afdEndpoint/route/main.json | 4 +- modules/cdn/profile/customdomain/main.json | 4 +- modules/cdn/profile/endpoint/main.json | 8 +-- modules/cdn/profile/endpoint/origin/main.json | 4 +- modules/cdn/profile/origingroup/main.json | 8 +-- .../cdn/profile/origingroup/origin/main.json | 4 +- modules/cdn/profile/ruleset/main.json | 8 +-- modules/cdn/profile/ruleset/rule/main.json | 4 +- modules/cdn/profile/secret/main.json | 4 +- .../extension/main.json | 4 +- .../virtual-machine/extension/main.json | 4 +- .../registry/cache-rules/main.json | 4 +- .../registry/replication/main.json | 4 +- .../registry/webhook/main.json | 4 +- .../factory/integration-runtime/main.json | 4 +- .../factory/managed-virtual-network/main.json | 8 +-- .../managed-private-endpoint/main.json | 4 +- .../backup-vault/backup-policy/main.json | 4 +- .../flexible-server/administrator/main.json | 4 +- .../flexible-server/database/main.json | 4 +- .../flexible-server/firewall-rule/main.json | 4 +- .../flexible-server/administrator/main.json | 4 +- .../flexible-server/configuration/main.json | 4 +- .../flexible-server/database/main.json | 4 +- .../flexible-server/firewall-rule/main.json | 4 +- .../application-group/application/main.json | 4 +- .../dev-test-lab/lab/artifactsource/main.json | 6 +- modules/dev-test-lab/lab/cost/main.json | 6 +- .../lab/notificationchannel/main.json | 6 +- .../lab/policyset/policy/main.json | 6 +- modules/dev-test-lab/lab/schedule/main.json | 6 +- .../dev-test-lab/lab/virtualnetwork/main.json | 6 +- .../gremlin-database/graph/main.json | 4 +- .../mongodb-database/collection/main.json | 4 +- .../mongodb-database/main.json | 8 +-- .../sql-database/container/main.json | 4 +- .../database-account/sql-database/main.json | 8 +-- 
modules/event-grid/domain/topic/main.json | 4 +- .../system-topic/event-subscription/main.json | 4 +- .../topic/event-subscription/main.json | 4 +- .../namespace/authorization-rule/main.json | 4 +- .../disaster-recovery-config/main.json | 4 +- .../eventhub/authorization-rule/main.json | 4 +- .../eventhub/consumergroup/main.json | 4 +- .../namespace/network-rule-set/main.json | 4 +- .../iotconnector/fhirdestination/main.json | 4 +- .../insights/data-collection-rule/README.md | 6 +- .../scoped-resource/main.json | 4 +- .../insights/scheduled-query-rule/README.md | 4 +- .../key-vault/vault/access-policy/main.json | 4 +- modules/key-vault/vault/key/main.json | 4 +- modules/key-vault/vault/secret/main.json | 4 +- .../extension/main.json | 11 ++- .../workspace/compute/main.json | 4 +- .../registration-definition/main.json | 4 +- modules/management/management-group/main.json | 4 +- modules/network/azure-firewall/README.md | 2 +- modules/network/bastion-host/README.md | 2 +- .../forwarding-rule/main.json | 4 +- .../virtual-network-link/main.json | 4 +- modules/network/dns-zone/a/main.json | 4 +- modules/network/dns-zone/aaaa/main.json | 4 +- modules/network/dns-zone/caa/main.json | 4 +- modules/network/dns-zone/cname/main.json | 4 +- modules/network/dns-zone/mx/main.json | 4 +- modules/network/dns-zone/ns/main.json | 4 +- modules/network/dns-zone/ptr/main.json | 4 +- modules/network/dns-zone/soa/main.json | 4 +- modules/network/dns-zone/srv/main.json | 4 +- modules/network/dns-zone/txt/main.json | 4 +- .../rule-collection-group/main.json | 4 +- .../backend-address-pool/main.json | 4 +- .../load-balancer/inbound-nat-rule/main.json | 4 +- modules/network/load-balancer/main.json | 12 ++-- .../connectivity-configuration/main.json | 6 +- .../network-manager/network-group/main.json | 12 ++-- .../network-group/static-member/main.json | 6 +- .../scope-connection/main.json | 6 +- .../security-admin-configuration/main.json | 18 ++--- .../rule-collection/main.json | 12 ++-- 
.../rule-collection/rule/main.json | 6 +- .../connection-monitor/main.json | 4 +- .../network-watcher/flow-log/main.json | 6 +- modules/network/private-dns-zone/a/main.json | 4 +- .../network/private-dns-zone/aaaa/main.json | 4 +- .../network/private-dns-zone/cname/main.json | 4 +- modules/network/private-dns-zone/mx/main.json | 4 +- .../network/private-dns-zone/ptr/main.json | 4 +- .../network/private-dns-zone/soa/main.json | 4 +- .../network/private-dns-zone/srv/main.json | 4 +- .../network/private-dns-zone/txt/main.json | 4 +- .../virtual-network-link/main.json | 4 +- .../private-dns-zone-group/main.json | 4 +- .../network/trafficmanagerprofile/main.json | 4 +- .../virtual-hub/hub-route-table/main.json | 4 +- .../hub-virtual-network-connection/main.json | 4 +- modules/network/virtual-hub/main.json | 4 +- .../nat-rule/main.json | 4 +- .../workspace/data-export/main.json | 4 +- .../workspace/data-source/main.json | 4 +- .../workspace/linked-service/main.json | 4 +- .../linked-storage-account/main.json | 4 +- .../workspace/saved-search/main.json | 4 +- .../storage-insight-config/main.json | 4 +- .../workspace/table/main.json | 4 +- .../remediation/management-group/main.json | 4 +- .../remediation/resource-group/main.json | 4 +- .../remediation/subscription/main.json | 4 +- .../vault/backup-config/main.json | 4 +- .../protection-container/main.json | 8 +-- .../protected-item/main.json | 4 +- .../vault/backup-policy/main.json | 4 +- .../vault/backup-storage-config/main.json | 4 +- .../vault/replication-alert-setting/main.json | 4 +- .../vault/replication-fabric/main.json | 18 ++--- .../main.json | 12 ++-- .../main.json | 6 +- .../vault/replication-policy/main.json | 6 +- modules/relay/namespace/README.md | 4 +- .../namespace/authorization-rule/main.json | 4 +- .../authorization-rule/main.json | 4 +- .../namespace/network-rule-set/main.json | 4 +- .../wcf-relay/authorization-rule/main.json | 4 +- modules/resources/tags/main.json | 20 +++--- 
.../resources/tags/resource-group/main.json | 8 +-- modules/resources/tags/subscription/main.json | 8 +-- .../shared-private-link-resource/main.json | 4 +- .../cluster/application-type/main.json | 4 +- .../managed-instance/administrator/main.json | 4 +- .../main.json | 4 +- .../main.json | 4 +- .../sql/managed-instance/database/main.json | 12 ++-- .../encryption-protector/main.json | 4 +- modules/sql/managed-instance/key/main.json | 4 +- .../security-alert-policy/main.json | 4 +- .../vulnerability-assessment/main.json | 8 +-- .../main.json | 4 +- .../main.json | 4 +- modules/sql/server/database/main.json | 12 ++-- modules/sql/server/elastic-pool/main.json | 4 +- .../sql/server/encryption-protector/main.json | 4 +- modules/sql/server/firewall-rule/main.json | 4 +- modules/sql/server/key/main.json | 4 +- .../server/security-alert-policy/main.json | 4 +- .../sql/server/virtual-network-rule/main.json | 4 +- .../server/vulnerability-assessment/main.json | 8 +-- .../storage-account/blob-service/main.json | 10 +-- .../storage-account/file-service/main.json | 10 +-- .../storage-account/queue-service/main.json | 10 +-- .../workspace/integration-runtime/main.json | 4 +- modules/synapse/workspace/key/main.json | 4 +- modules/web/hosting-environment/README.md | 4 +- .../configuration--customdnssuffix/main.json | 4 +- .../configuration--networking/main.json | 4 +- .../web/site/config--appsettings/README.md | 6 +- .../web/site/config--appsettings/main.json | 4 +- .../web/site/config--authsettingsv2/README.md | 6 +- .../web/site/config--authsettingsv2/main.json | 4 +- .../relay/main.json | 4 +- modules/web/site/slot/README.md | 6 +- .../site/slot/config--appsettings/README.md | 6 +- .../site/slot/config--appsettings/main.json | 4 +- .../slot/config--authsettingsv2/README.md | 6 +- .../slot/config--authsettingsv2/main.json | 4 +- .../relay/main.json | 4 +- modules/web/static-site/config/main.json | 4 +- .../web/static-site/custom-domain/main.json | 4 +- 
.../web/static-site/linked-backend/main.json | 4 +- 212 files changed, 604 insertions(+), 596 deletions(-) diff --git a/modules/api-management/service/api-version-set/main.json b/modules/api-management/service/api-version-set/main.json index 1f27892ce2..1dce7d194a 100644 --- a/modules/api-management/service/api-version-set/main.json +++ b/modules/api-management/service/api-version-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12233980723609740158" + "version": "0.23.1.45101", + "templateHash": "16962621369738378491" }, "name": "API Management Service API Version Sets", "description": "This module deploys an API Management Service API Version Set.", diff --git a/modules/api-management/service/api/main.json b/modules/api-management/service/api/main.json index f150d2bcb8..9baad434aa 100644 --- a/modules/api-management/service/api/main.json +++ b/modules/api-management/service/api/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17340528539230351720" + "version": "0.23.1.45101", + "templateHash": "11512052528068634292" }, "name": "API Management Service APIs", "description": "This module deploys an API Management Service API.", @@ -284,8 +284,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14571499926134179860" + "version": "0.23.1.45101", + "templateHash": "17230254380289042348" }, "name": "API Management Service APIs Policies", "description": "This module deploys an API Management Service API Policy.", diff --git a/modules/api-management/service/api/policy/main.json b/modules/api-management/service/api/policy/main.json index 02322fa340..d497a5e4af 100644 --- a/modules/api-management/service/api/policy/main.json +++ b/modules/api-management/service/api/policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14571499926134179860" + "version": "0.23.1.45101", + "templateHash": "17230254380289042348" }, "name": "API Management Service APIs Policies", "description": "This module deploys an API Management Service API Policy.", diff --git a/modules/api-management/service/authorization-server/main.json b/modules/api-management/service/authorization-server/main.json index 09fc98f3c1..a88731af50 100644 --- a/modules/api-management/service/authorization-server/main.json +++ b/modules/api-management/service/authorization-server/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7988688467600216709" + "version": "0.23.1.45101", + "templateHash": "4791396269511004286" }, "name": "API Management Service Authorization Servers", "description": "This module deploys an API Management Service Authorization Server.", diff --git a/modules/api-management/service/backend/main.json b/modules/api-management/service/backend/main.json index e10f1c81ee..212f333040 100644 --- a/modules/api-management/service/backend/main.json +++ b/modules/api-management/service/backend/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3713166604792624713" + "version": "0.23.1.45101", + "templateHash": "14371393063475773678" }, "name": "API Management Service Backends", "description": "This module deploys an API Management Service Backend.", diff --git a/modules/api-management/service/cache/main.json b/modules/api-management/service/cache/main.json index 80972f2881..6e66b25bb1 100644 --- a/modules/api-management/service/cache/main.json +++ b/modules/api-management/service/cache/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4933923478377534151" + "version": "0.23.1.45101", + "templateHash": "10312358305910336044" }, "name": "API Management Service Caches", "description": "This module deploys an API Management Service Cache.", diff --git a/modules/api-management/service/identity-provider/main.json b/modules/api-management/service/identity-provider/main.json index a5131f7311..23202bb012 100644 --- a/modules/api-management/service/identity-provider/main.json +++ b/modules/api-management/service/identity-provider/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13822474427587974385" + "version": "0.23.1.45101", + "templateHash": "13036858747462562466" }, "name": "API Management Service Identity Providers", "description": "This module deploys an API Management Service Identity Provider.", diff --git a/modules/api-management/service/named-value/main.json b/modules/api-management/service/named-value/main.json index 9d72a76220..ad8627e752 100644 --- a/modules/api-management/service/named-value/main.json +++ b/modules/api-management/service/named-value/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16893893897869493831" + "version": "0.23.1.45101", + "templateHash": "14872932654104188944" }, "name": "API Management Service Named Values", "description": "This module deploys an API Management Service Named Value.", diff --git a/modules/api-management/service/policy/main.json b/modules/api-management/service/policy/main.json index 32bd1ce4bc..bb5cfde55e 100644 --- a/modules/api-management/service/policy/main.json +++ b/modules/api-management/service/policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3650757020022888901" + "version": "0.23.1.45101", + "templateHash": "16586961527396343119" }, "name": "API Management Service Policies", "description": "This module deploys an API Management Service Policy.", diff --git a/modules/api-management/service/portalsetting/main.json b/modules/api-management/service/portalsetting/main.json index 01f872a8e5..6320ca39fb 100644 --- a/modules/api-management/service/portalsetting/main.json +++ b/modules/api-management/service/portalsetting/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1124223085084988655" + "version": "0.23.1.45101", + "templateHash": "12676245745541867340" }, "name": "API Management Service Portal Settings", "description": "This module deploys an API Management Service Portal Setting.", diff --git a/modules/api-management/service/product/api/main.json b/modules/api-management/service/product/api/main.json index 0ecf6ebe3a..f0565ff5ae 100644 --- a/modules/api-management/service/product/api/main.json +++ b/modules/api-management/service/product/api/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16488730655399972556" + "version": "0.23.1.45101", + "templateHash": "17352324470715058273" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", diff --git a/modules/api-management/service/product/group/main.json b/modules/api-management/service/product/group/main.json index 209c9c33d6..cc2f8d7988 100644 --- a/modules/api-management/service/product/group/main.json +++ b/modules/api-management/service/product/group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14085709622188800883" + "version": "0.23.1.45101", + "templateHash": "16541523008963717147" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", diff --git a/modules/api-management/service/product/main.json b/modules/api-management/service/product/main.json index 94a2143e2a..ac581fc5d6 100644 --- a/modules/api-management/service/product/main.json +++ b/modules/api-management/service/product/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2758822676627115160" + "version": "0.23.1.45101", + "templateHash": "8527180272588578376" }, "name": "API Management Service Products", "description": "This module deploys an API Management Service Product.", @@ -153,8 +153,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16488730655399972556" + "version": "0.23.1.45101", + "templateHash": "17352324470715058273" }, "name": "API Management Service Products APIs", "description": "This module deploys an API Management Service Product API.", @@ -267,8 +267,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14085709622188800883" + "version": "0.23.1.45101", + "templateHash": "16541523008963717147" }, "name": "API Management Service Products Groups", "description": "This module deploys an API Management Service Product Group.", diff --git a/modules/api-management/service/subscription/main.json b/modules/api-management/service/subscription/main.json index faefcb8783..174a7585d5 100644 --- a/modules/api-management/service/subscription/main.json +++ b/modules/api-management/service/subscription/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10733141744485121232" + "version": "0.23.1.45101", + "templateHash": "15367144313924447449" }, "name": "API Management Service Subscriptions", "description": "This module deploys an API Management Service Subscription.", diff --git a/modules/app-configuration/configuration-store/key-value/main.json b/modules/app-configuration/configuration-store/key-value/main.json index 2893f5eb2f..560a51de67 100644 --- a/modules/app-configuration/configuration-store/key-value/main.json +++ b/modules/app-configuration/configuration-store/key-value/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5336531799585402354" + "version": "0.23.1.45101", + "templateHash": "11370563001494590361" }, "name": "App Configuration Stores Key Values", "description": "This module deploys an App Configuration Store Key Value.", diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index a55dc9c7d5..770a70a9cb 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md 
@@ -4,17 +4,17 @@ This module deploys an App Managed Environment (also known as a Container App En ## Navigation -- [Resource Types](#resource-types) -- [Usage examples](#usage-examples) -- [Parameters](#parameters) -- [Outputs](#outputs) -- [Cross-referenced modules](#cross-referenced-modules) +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types | Resource Type | API Version | | :-- | :-- | -| `Microsoft.App/managedEnvironments` | [2022-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2022-10-01/managedEnvironments) | +| `Microsoft.App/managedEnvironments` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2023-05-01/managedEnvironments) | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to This instance deploys the module with the minimum set of required parameters. +

via Bicep module @@ -83,6 +84,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { This instance deploys the module with most of its features enabled. +
via Bicep module @@ -97,6 +99,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { name: 'amemax001' // Non-required parameters dockerBridgeCidr: '172.16.0.1/28' + infrastructureResourceGroupName: '' infrastructureSubnetId: '' internal: true location: '' @@ -106,12 +109,11 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { } platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' - infrastructureResourceGroupName: '' - workloadProfiles: '' tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' } + workloadProfiles: '' } } ``` @@ -142,6 +144,9 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "dockerBridgeCidr": { "value": "172.16.0.1/28" }, + "infrastructureResourceGroupName": { + "value": "" + }, "infrastructureSubnetId": { "value": "" }, @@ -163,14 +168,14 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "platformReservedDnsIP": { "value": "172.17.17.17" }, - "infrastructureResourceGroupName": { - "value": "" - }, "tags": { "value": { "Env": "test", "hidden-title": "This is visible in the resource name" } + }, + "workloadProfiles": { + "value": "" } } } @@ -183,6 +188,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. +
via Bicep module @@ -197,6 +203,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { name: 'amewaf001' // Non-required parameters dockerBridgeCidr: '172.16.0.1/28' + infrastructureResourceGroupName: '' infrastructureSubnetId: '' internal: true location: '' @@ -206,12 +213,11 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { } platformReservedCidr: '172.17.17.0/24' platformReservedDnsIP: '172.17.17.17' - infrastructureResourceGroupName: '' - workloadProfiles: '' tags: { Env: 'test' 'hidden-title': 'This is visible in the resource name' } + workloadProfiles: '' } } ``` @@ -242,6 +248,9 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "dockerBridgeCidr": { "value": "172.16.0.1/28" }, + "infrastructureResourceGroupName": { + "value": "" + }, "infrastructureSubnetId": { "value": "" }, @@ -263,14 +272,14 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { "platformReservedDnsIP": { "value": "172.17.17.17" }, - "infrastructureResourceGroupName": { - "value": "" - }, "tags": { "value": { "Env": "test", "hidden-title": "This is visible in the resource name" } + }, + "workloadProfiles": { + "value": "" } } } @@ -279,6 +288,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = {

+ ## Parameters **Required parameters** @@ -305,6 +315,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`dnsSuffix`](#parameter-dnssuffix) | string | DNS suffix for the environment domain. | | [`dockerBridgeCidr`](#parameter-dockerbridgecidr) | string | CIDR notation IP range assigned to the Docker bridge, network. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`infrastructureResourceGroupName`](#parameter-infrastructureresourcegroupname) | string | Name of the infrastructure resource group. If not provided, it will be set with a default value. | | [`internal`](#parameter-internal) | bool | Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -312,7 +323,6 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | -| [`infrastructureResourceGroupName`](#parameter-infrastructureresourcegroupname) | string | Custom Resource group name for infrastrcuture components. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | Whether or not this Managed Environment is zone-redundant. | @@ -394,6 +404,14 @@ Enable telemetry via a Globally Unique Identifier (GUID). - Required: Yes - Type: bool +### Parameter: `infrastructureResourceGroupName` + +Name of the infrastructure resource group. If not provided, it will be set with a default value. + +- Required: No +- Type: string +- Default: `[take(format('ME_{0}', parameters('name')), 63)]` + ### Parameter: `internal` Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then "infrastructureSubnetId" must be provided. 
@@ -431,7 +449,6 @@ Specify the type of lock. - Required: No - Type: string - Allowed: - ```Bicep [ 'CanNotDelete' @@ -491,7 +508,7 @@ Array of role assignments to create. | :-- | :-- | :-- | | [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | | [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | -| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource ID of the delegated managed identity resource. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | | [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | @@ -523,7 +540,6 @@ Version of the condition. - Required: No - Type: string - Allowed: - ```Bicep [ '2.0' @@ -532,7 +548,7 @@ Version of the condition. ### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` -The Resource ID of the delegated managed identity resource. +The Resource Id of the delegated managed identity resource. - Required: No - Type: string @@ -551,7 +567,6 @@ The principal type of the assigned principal ID. - Required: No - Type: string - Allowed: - ```Bicep [ 'Device' 
@@ -562,14 +577,6 @@ The principal type of the assigned principal ID. ] ``` -### Parameter: `infrastructureResourceGroupName` - -Customer Resource Group name for additional infrastructure components. - -- Required: No -- Type: string -- Default: `'ME_ManagedEnvironmentName'` - ### Parameter: `tags` Tags of the resource. @@ -593,10 +600,12 @@ Whether or not this Managed Environment is zone-redundant. - Type: bool - Default: `False` + ## Outputs | Output | Type | Description | | :-- | :-- | :-- | +| `defaultDomain` | string | The Default domain of the Managed Environment. | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the Managed Environment. | | `resourceGroupName` | string | The name of the resource group the Managed Environment was deployed into. | diff --git a/modules/authorization/lock/main.json b/modules/authorization/lock/main.json index 927dc1ae2c..5aaf036ee8 100644 --- a/modules/authorization/lock/main.json +++ b/modules/authorization/lock/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15385346851879884120" + "version": "0.23.1.45101", + "templateHash": "16738109321180473178" }, "name": "Authorization Locks (All scopes)", "description": "This module deploys an Authorization Lock at a Subscription or Resource Group scope.", @@ -109,8 +109,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "876321567657394219" + "version": "0.23.1.45101", + "templateHash": "15541007349238410358" }, "name": "Authorization Locks (Subscription scope)", "description": "This module deploys an Authorization Lock at a Subscription scope.", 
@@ -239,8 +239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8961143332409950444" + "version": "0.23.1.45101", + "templateHash": "11141983424917801407" }, "name": "Authorization Locks (Resource Group scope)", "description": "This module deploys an Authorization Lock at a Resource Group scope.", diff --git a/modules/authorization/lock/resource-group/main.json b/modules/authorization/lock/resource-group/main.json index 903530da93..c49325ae7e 100644 --- a/modules/authorization/lock/resource-group/main.json +++ b/modules/authorization/lock/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8961143332409950444" + "version": "0.23.1.45101", + "templateHash": "11141983424917801407" }, "name": "Authorization Locks (Resource Group scope)", "description": "This module deploys an Authorization Lock at a Resource Group scope.", diff --git a/modules/authorization/lock/subscription/main.json b/modules/authorization/lock/subscription/main.json index 19ec31903c..178b86e853 100644 --- a/modules/authorization/lock/subscription/main.json +++ b/modules/authorization/lock/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "876321567657394219" + "version": "0.23.1.45101", + "templateHash": "15541007349238410358" }, "name": "Authorization Locks (Subscription scope)", "description": "This module deploys an Authorization Lock at a Subscription scope.", diff --git a/modules/authorization/policy-assignment/main.json b/modules/authorization/policy-assignment/main.json index 4b15a7c3ee..7b8b74787d 100644 --- a/modules/authorization/policy-assignment/main.json +++ b/modules/authorization/policy-assignment/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10579624444479342334" + "version": "0.23.1.45101", + "templateHash": "16217430690270754728" }, "name": "Policy Assignments (All scopes)", "description": "This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope.", @@ -226,8 +226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14811948404877688716" + "version": "0.23.1.45101", + "templateHash": "7850011262143738057" }, "name": "Policy Assignments (Management Group scope)", "description": "This module deploys a Policy Assignment at a Management Group scope.", @@ -506,8 +506,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1296030047986147440" + "version": "0.23.1.45101", + "templateHash": "6792324469101659711" }, "name": "Policy Assignments (Subscription scope)", "description": "This module deploys a Policy Assignment at a Subscription scope.", @@ -786,8 +786,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15032410491892224041" + "version": "0.23.1.45101", + "templateHash": "16072203882278482118" }, "name": "Policy Assignments (Resource Group scope)", "description": "This module deploys a Policy Assignment at a Resource Group scope.", diff --git a/modules/authorization/policy-assignment/management-group/main.json b/modules/authorization/policy-assignment/management-group/main.json index 5041a99c35..4d9bb31953 100644 --- a/modules/authorization/policy-assignment/management-group/main.json +++ b/modules/authorization/policy-assignment/management-group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14811948404877688716" + "version": "0.23.1.45101", + "templateHash": "7850011262143738057" }, "name": "Policy Assignments (Management Group scope)", "description": "This module deploys a Policy Assignment at a Management Group scope.", diff --git a/modules/authorization/policy-assignment/resource-group/main.json b/modules/authorization/policy-assignment/resource-group/main.json index 65912a4b91..d29fb42006 100644 --- a/modules/authorization/policy-assignment/resource-group/main.json +++ b/modules/authorization/policy-assignment/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15032410491892224041" + "version": "0.23.1.45101", + "templateHash": "16072203882278482118" }, "name": "Policy Assignments (Resource Group scope)", "description": "This module deploys a Policy Assignment at a Resource Group scope.", diff --git a/modules/authorization/policy-assignment/subscription/main.json b/modules/authorization/policy-assignment/subscription/main.json index 5d6deb533a..2c40c5d10a 100644 --- a/modules/authorization/policy-assignment/subscription/main.json +++ b/modules/authorization/policy-assignment/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1296030047986147440" + "version": "0.23.1.45101", + "templateHash": "6792324469101659711" }, "name": "Policy Assignments (Subscription scope)", "description": "This module deploys a Policy Assignment at a Subscription scope.", diff --git a/modules/authorization/policy-definition/README.md b/modules/authorization/policy-definition/README.md index 4e0ff7369a..94191d66bd 100644 --- a/modules/authorization/policy-definition/README.md +++ b/modules/authorization/policy-definition/README.md 
@@ -51,7 +51,7 @@ module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' } { exists: 'false' - field: '[concat(\'tags[\' parameters(\'tagName\') \']\')]' + field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' } ] } @@ -59,7 +59,7 @@ module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' details: { operations: [ { - field: '[concat(\'tags[\' parameters(\'tagName\') \']\')]' + field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' operation: 'add' value: '[parameters(\'tagValue\')]' } @@ -299,7 +299,7 @@ module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' } { exists: 'false' - field: '[concat(\'tags[\' parameters(\'tagName\') \']\')]' + field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' } ] } @@ -307,7 +307,7 @@ module policyDefinition 'br:bicep/modules/authorization.policy-definition:1.0.0' details: { operations: [ { - field: '[concat(\'tags[\' parameters(\'tagName\') \']\')]' + field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]' operation: 'add' value: '[parameters(\'tagValue\')]' } diff --git a/modules/authorization/policy-definition/main.json b/modules/authorization/policy-definition/main.json index 0667382c4a..a299944baf 100644 --- a/modules/authorization/policy-definition/main.json +++ b/modules/authorization/policy-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12398926446776214850" + "version": "0.23.1.45101", + "templateHash": "1518485483876836980" }, "name": "Policy Definitions (All scopes)", "description": "This module deploys a Policy Definition at a Management Group or Subscription scope.", 
@@ -156,8 +156,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3632302304949681871" + "version": "0.23.1.45101", + "templateHash": "2259464056966333575" }, "name": "Policy Definitions (Management Group scope)", "description": "This module deploys a Policy Definition at a Management Group scope.", @@ -332,8 +332,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15610043692526006499" + "version": "0.23.1.45101", + "templateHash": "12007737347705921951" }, "name": "Policy Definitions (Subscription scope)", "description": "This module deploys a Policy Definition at a Subscription scope.", diff --git a/modules/authorization/policy-definition/management-group/main.json b/modules/authorization/policy-definition/management-group/main.json index 0c99261e72..41f0e262e6 100644 --- a/modules/authorization/policy-definition/management-group/main.json +++ b/modules/authorization/policy-definition/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3632302304949681871" + "version": "0.23.1.45101", + "templateHash": "2259464056966333575" }, "name": "Policy Definitions (Management Group scope)", "description": "This module deploys a Policy Definition at a Management Group scope.", diff --git a/modules/authorization/policy-definition/subscription/main.json b/modules/authorization/policy-definition/subscription/main.json index d765d1b498..c7c9979db4 100644 --- a/modules/authorization/policy-definition/subscription/main.json +++ b/modules/authorization/policy-definition/subscription/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15610043692526006499" + "version": "0.23.1.45101", + "templateHash": "12007737347705921951" }, "name": "Policy Definitions (Subscription scope)", "description": "This module deploys a Policy Definition at a Subscription scope.", diff --git a/modules/authorization/policy-exemption/main.json b/modules/authorization/policy-exemption/main.json index 37bb291bf4..8603600205 100644 --- a/modules/authorization/policy-exemption/main.json +++ b/modules/authorization/policy-exemption/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5596643679633132129" + "version": "0.23.1.45101", + "templateHash": "17158026498364887660" }, "name": "Policy Exemptions (All scopes)", "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.", @@ -202,8 +202,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5606667569084267633" + "version": "0.23.1.45101", + "templateHash": "9567732291130716323" }, "name": "Policy Exemptions (Management Group scope)", "description": "This module deploys a Policy Exemption at a Management Group scope.", @@ -413,8 +413,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10613705515536903891" + "version": "0.23.1.45101", + "templateHash": "15478604165722569737" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a Policy Exemption at a Subscription scope.", @@ -621,8 +621,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17689607806582642174" + "version": "0.23.1.45101", + "templateHash": "16772443718148714979" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a Policy Exemption at a Resource Group scope.", 
diff --git a/modules/authorization/policy-exemption/management-group/main.json b/modules/authorization/policy-exemption/management-group/main.json index 8271a1ee56..da990d6e2c 100644 --- a/modules/authorization/policy-exemption/management-group/main.json +++ b/modules/authorization/policy-exemption/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5606667569084267633" + "version": "0.23.1.45101", + "templateHash": "9567732291130716323" }, "name": "Policy Exemptions (Management Group scope)", "description": "This module deploys a Policy Exemption at a Management Group scope.", diff --git a/modules/authorization/policy-exemption/resource-group/main.json b/modules/authorization/policy-exemption/resource-group/main.json index 8672a1ff5d..ef2c732777 100644 --- a/modules/authorization/policy-exemption/resource-group/main.json +++ b/modules/authorization/policy-exemption/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17689607806582642174" + "version": "0.23.1.45101", + "templateHash": "16772443718148714979" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a Policy Exemption at a Resource Group scope.", diff --git a/modules/authorization/policy-exemption/subscription/main.json b/modules/authorization/policy-exemption/subscription/main.json index b9bce72b18..b199d7110c 100644 --- a/modules/authorization/policy-exemption/subscription/main.json +++ b/modules/authorization/policy-exemption/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10613705515536903891" + "version": "0.23.1.45101", + "templateHash": "15478604165722569737" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a Policy Exemption at a Subscription scope.", 
diff --git a/modules/authorization/policy-set-definition/main.json b/modules/authorization/policy-set-definition/main.json index d0051bf41a..36759a1b88 100644 --- a/modules/authorization/policy-set-definition/main.json +++ b/modules/authorization/policy-set-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9153336425223705834" + "version": "0.23.1.45101", + "templateHash": "13920267319234015315" }, "name": "Policy Set Definitions (Initiatives) (All scopes)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group or Subscription scope.", @@ -146,8 +146,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13574874097410910980" + "version": "0.23.1.45101", + "templateHash": "11109083846476796782" }, "name": "Policy Set Definitions (Initiatives) (Management Group scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", @@ -305,8 +305,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "566743094418434146" + "version": "0.23.1.45101", + "templateHash": "14930393896542927337" }, "name": "Policy Set Definitions (Initiatives) (Subscription scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", diff --git a/modules/authorization/policy-set-definition/management-group/main.json b/modules/authorization/policy-set-definition/management-group/main.json index 9b627357b6..c83e9df9dd 100644 --- a/modules/authorization/policy-set-definition/management-group/main.json +++ b/modules/authorization/policy-set-definition/management-group/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13574874097410910980" + "version": "0.23.1.45101", + "templateHash": "11109083846476796782" }, "name": "Policy Set Definitions (Initiatives) (Management Group scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Management Group scope.", diff --git a/modules/authorization/policy-set-definition/subscription/main.json b/modules/authorization/policy-set-definition/subscription/main.json index 4f8ea43907..d75060d8dd 100644 --- a/modules/authorization/policy-set-definition/subscription/main.json +++ b/modules/authorization/policy-set-definition/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "566743094418434146" + "version": "0.23.1.45101", + "templateHash": "14930393896542927337" }, "name": "Policy Set Definitions (Initiatives) (Subscription scope)", "description": "This module deploys a Policy Set Definition (Initiative) at a Subscription scope.", diff --git a/modules/authorization/role-assignment/main.json b/modules/authorization/role-assignment/main.json index 6311a9275b..118704a484 100644 --- a/modules/authorization/role-assignment/main.json +++ b/modules/authorization/role-assignment/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2040051567998498237" + "version": "0.23.1.45101", + "templateHash": "2663041221460783528" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", 
@@ -167,8 +167,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1817613308362702007" + "version": "0.23.1.45101", + "templateHash": "16507104263145087588" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", @@ -365,8 +365,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4243689736369983310" + "version": "0.23.1.45101", + "templateHash": "4504500051244266304" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", @@ -562,8 +562,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1089537449035070857" + "version": "0.23.1.45101", + "templateHash": "6411559413209094837" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", diff --git a/modules/authorization/role-assignment/management-group/main.json b/modules/authorization/role-assignment/management-group/main.json index ed5c032329..5db7c6f28e 100644 --- a/modules/authorization/role-assignment/management-group/main.json +++ b/modules/authorization/role-assignment/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1817613308362702007" + "version": "0.23.1.45101", + "templateHash": "16507104263145087588" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", diff --git a/modules/authorization/role-assignment/resource-group/main.json b/modules/authorization/role-assignment/resource-group/main.json index 48d6001058..44381a2b4c 100644 --- a/modules/authorization/role-assignment/resource-group/main.json 
+++ b/modules/authorization/role-assignment/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1089537449035070857" + "version": "0.23.1.45101", + "templateHash": "6411559413209094837" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", diff --git a/modules/authorization/role-assignment/subscription/main.json b/modules/authorization/role-assignment/subscription/main.json index 5557d18578..9812552a62 100644 --- a/modules/authorization/role-assignment/subscription/main.json +++ b/modules/authorization/role-assignment/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4243689736369983310" + "version": "0.23.1.45101", + "templateHash": "4504500051244266304" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", diff --git a/modules/authorization/role-definition/main.json b/modules/authorization/role-definition/main.json index 51ac23254d..6626d49464 100644 --- a/modules/authorization/role-definition/main.json +++ b/modules/authorization/role-definition/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16702773762135222765" + "version": "0.23.1.45101", + "templateHash": "3377145363217957068" }, "name": "Role Definitions (All scopes)", "description": "This module deploys a Role Definition at a Management Group, Subscription or Resource Group scope.", 
@@ -151,8 +151,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5277764931156995532" + "version": "0.23.1.45101", + "templateHash": "15617520602952688455" }, "name": "Role Definitions (Management Group scope)", "description": "This module deploys a Role Definition at a Management Group scope.", @@ -313,8 +313,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5911596219403447648" + "version": "0.23.1.45101", + "templateHash": "9622245925766749041" }, "name": "Role Definitions (Subscription scope)", "description": "This module deploys a Role Definition at a Subscription scope.", @@ -491,8 +491,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15123790149450958610" + "version": "0.23.1.45101", + "templateHash": "16590569046115003591" }, "name": "Role Definitions (Resource Group scope)", "description": "This module deploys a Role Definition at a Resource Group scope.", diff --git a/modules/authorization/role-definition/management-group/main.json b/modules/authorization/role-definition/management-group/main.json index 00d197b4e8..86daa4679b 100644 --- a/modules/authorization/role-definition/management-group/main.json +++ b/modules/authorization/role-definition/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5277764931156995532" + "version": "0.23.1.45101", + "templateHash": "15617520602952688455" }, "name": "Role Definitions (Management Group scope)", "description": "This module deploys a Role Definition at a Management Group scope.", diff --git a/modules/authorization/role-definition/resource-group/main.json b/modules/authorization/role-definition/resource-group/main.json index c10d685cc7..0e6b83a68e 100644 --- a/modules/authorization/role-definition/resource-group/main.json 
+++ b/modules/authorization/role-definition/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15123790149450958610" + "version": "0.23.1.45101", + "templateHash": "16590569046115003591" }, "name": "Role Definitions (Resource Group scope)", "description": "This module deploys a Role Definition at a Resource Group scope.", diff --git a/modules/authorization/role-definition/subscription/main.json b/modules/authorization/role-definition/subscription/main.json index ab79f1d69a..58ef47ed1a 100644 --- a/modules/authorization/role-definition/subscription/main.json +++ b/modules/authorization/role-definition/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5911596219403447648" + "version": "0.23.1.45101", + "templateHash": "9622245925766749041" }, "name": "Role Definitions (Subscription scope)", "description": "This module deploys a Role Definition at a Subscription scope.", diff --git a/modules/cache/redis-enterprise/database/main.json b/modules/cache/redis-enterprise/database/main.json index d5698a412b..b5b92407aa 100644 --- a/modules/cache/redis-enterprise/database/main.json +++ b/modules/cache/redis-enterprise/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8155705065039005753" + "version": "0.23.1.45101", + "templateHash": "2473493174520406257" }, "name": "Redis Cache Enterprise Databases", "description": "This module deploys a Redis Cache Enterprise Database.", diff --git a/modules/cdn/profile/afdEndpoint/main.json b/modules/cdn/profile/afdEndpoint/main.json index 9d22cf48e7..a492e5cd9b 100644 --- a/modules/cdn/profile/afdEndpoint/main.json +++ b/modules/cdn/profile/afdEndpoint/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14944467223785761559" + "version": "0.23.1.45101", + "templateHash": "10217508381442897285" }, "name": "CDN Profiles AFD Endpoints", "description": "This module deploys a CDN Profile AFD Endpoint.", @@ -160,8 +160,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13253134886056545686" + "version": "0.23.1.45101", + "templateHash": "6429015991033675991" }, "name": "CDN Profiles AFD Endpoint Route", "description": "This module deploys a CDN Profile AFD Endpoint route.", diff --git a/modules/cdn/profile/afdEndpoint/route/main.json b/modules/cdn/profile/afdEndpoint/route/main.json index 31b11ea4a0..0873b0c0bb 100644 --- a/modules/cdn/profile/afdEndpoint/route/main.json +++ b/modules/cdn/profile/afdEndpoint/route/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13253134886056545686" + "version": "0.23.1.45101", + "templateHash": "6429015991033675991" }, "name": "CDN Profiles AFD Endpoint Route", "description": "This module deploys a CDN Profile AFD Endpoint route.", diff --git a/modules/cdn/profile/customdomain/main.json b/modules/cdn/profile/customdomain/main.json index cc466d0cea..b4fa0e31fa 100644 --- a/modules/cdn/profile/customdomain/main.json +++ b/modules/cdn/profile/customdomain/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1547160911539181378" + "version": "0.23.1.45101", + "templateHash": "16926903089536842323" }, "name": "CDN Profiles Custom Domains", "description": "This module deploys a CDN Profile Custom Domains.", diff --git a/modules/cdn/profile/endpoint/main.json b/modules/cdn/profile/endpoint/main.json index 3c3bd432dc..8bb2f15980 100644 --- a/modules/cdn/profile/endpoint/main.json +++ b/modules/cdn/profile/endpoint/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4870857598190177606" + "version": "0.23.1.45101", + "templateHash": "15779750813347176502" }, "name": "CDN Profiles Endpoints", "description": "This module deploys a CDN Profile Endpoint.", @@ -135,8 +135,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5759722302271159823" + "version": "0.23.1.45101", + "templateHash": "7311789591820295360" }, "name": "CDN Profiles Endpoints Origins", "description": "This module deploys a CDN Profile Endpoint Origin.", diff --git a/modules/cdn/profile/endpoint/origin/main.json b/modules/cdn/profile/endpoint/origin/main.json index 00fd4df753..25db519b70 100644 --- a/modules/cdn/profile/endpoint/origin/main.json +++ b/modules/cdn/profile/endpoint/origin/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5759722302271159823" + "version": "0.23.1.45101", + "templateHash": "7311789591820295360" }, "name": "CDN Profiles Endpoints Origins", "description": "This module deploys a CDN Profile Endpoint Origin.", diff --git a/modules/cdn/profile/origingroup/main.json b/modules/cdn/profile/origingroup/main.json index 529935e7f3..35219f23ef 100644 --- a/modules/cdn/profile/origingroup/main.json +++ b/modules/cdn/profile/origingroup/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5730470112775090005" + "version": "0.23.1.45101", + "templateHash": "11717674362000061520" }, "name": "CDN Profiles Origin Group", "description": "This module deploys a CDN Profile Origin Group.", 
@@ -143,8 +143,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6401260748375374430" + "version": "0.23.1.45101", + "templateHash": "6315538909881747607" }, "name": "CDN Profiles Origin", "description": "This module deploys a CDN Profile Origin.", diff --git a/modules/cdn/profile/origingroup/origin/main.json b/modules/cdn/profile/origingroup/origin/main.json index 4715abbae8..6d0ca97ce5 100644 --- a/modules/cdn/profile/origingroup/origin/main.json +++ b/modules/cdn/profile/origingroup/origin/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6401260748375374430" + "version": "0.23.1.45101", + "templateHash": "6315538909881747607" }, "name": "CDN Profiles Origin", "description": "This module deploys a CDN Profile Origin.", diff --git a/modules/cdn/profile/ruleset/main.json b/modules/cdn/profile/ruleset/main.json index cfe7060568..4aaafba0dd 100644 --- a/modules/cdn/profile/ruleset/main.json +++ b/modules/cdn/profile/ruleset/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2165712570349315066" + "version": "0.23.1.45101", + "templateHash": "14060531422180532953" }, "name": "CDN Profiles Rule Sets", "description": "This module deploys a CDN Profile rule set.", @@ -103,8 +103,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17627422900186578144" + "version": "0.23.1.45101", + "templateHash": "7170380293485699276" }, "name": "CDN Profiles Rules", "description": "This module deploys a CDN Profile rule.", diff --git a/modules/cdn/profile/ruleset/rule/main.json b/modules/cdn/profile/ruleset/rule/main.json index bd8539a656..2d0a323a15 100644 --- a/modules/cdn/profile/ruleset/rule/main.json +++ b/modules/cdn/profile/ruleset/rule/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17627422900186578144" + "version": "0.23.1.45101", + "templateHash": "7170380293485699276" }, "name": "CDN Profiles Rules", "description": "This module deploys a CDN Profile rule.", diff --git a/modules/cdn/profile/secret/main.json b/modules/cdn/profile/secret/main.json index b285eceb11..1ce85722c7 100644 --- a/modules/cdn/profile/secret/main.json +++ b/modules/cdn/profile/secret/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10634340039151667854" + "version": "0.23.1.45101", + "templateHash": "7448367317152547669" }, "name": "CDN Profiles Secret", "description": "This module deploys a CDN Profile Secret.", diff --git a/modules/compute/virtual-machine-scale-set/extension/main.json b/modules/compute/virtual-machine-scale-set/extension/main.json index d63e240501..3ffa0a4e03 100644 --- a/modules/compute/virtual-machine-scale-set/extension/main.json +++ b/modules/compute/virtual-machine-scale-set/extension/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5906561479759498703" + "version": "0.23.1.45101", + "templateHash": "7901509432352717969" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", diff --git a/modules/compute/virtual-machine/extension/main.json b/modules/compute/virtual-machine/extension/main.json index 50534220f0..5ddd571641 100644 --- a/modules/compute/virtual-machine/extension/main.json +++ b/modules/compute/virtual-machine/extension/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9638144716839375831" + "version": "0.23.1.45101", + "templateHash": "5421737065579119324" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension.", diff --git a/modules/container-registry/registry/cache-rules/main.json b/modules/container-registry/registry/cache-rules/main.json index 05e6d97ffd..e4224727b4 100644 --- a/modules/container-registry/registry/cache-rules/main.json +++ b/modules/container-registry/registry/cache-rules/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6694265508496204217" + "version": "0.23.1.45101", + "templateHash": "9350283035071510554" }, "name": "Container Registries Cache", "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).", diff --git a/modules/container-registry/registry/replication/main.json b/modules/container-registry/registry/replication/main.json index 599a9db03f..5abda75971 100644 --- a/modules/container-registry/registry/replication/main.json +++ b/modules/container-registry/registry/replication/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12719783741437890545" + "version": "0.23.1.45101", + "templateHash": "17278738816613868587" }, "name": "Azure Container Registry (ACR) Replications", "description": "This module deploys an Azure Container Registry (ACR) Replication.", diff --git a/modules/container-registry/registry/webhook/main.json b/modules/container-registry/registry/webhook/main.json index 3d462e11c7..2eb1a3a71b 100644 
--- a/modules/container-registry/registry/webhook/main.json +++ b/modules/container-registry/registry/webhook/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17193481488069435754" + "version": "0.23.1.45101", + "templateHash": "4878566967080590991" }, "name": "Azure Container Registry (ACR) Webhooks", "description": "This module deploys an Azure Container Registry (ACR) Webhook.", diff --git a/modules/data-factory/factory/integration-runtime/main.json b/modules/data-factory/factory/integration-runtime/main.json index 1622eb4e06..41d273d0e1 100644 --- a/modules/data-factory/factory/integration-runtime/main.json +++ b/modules/data-factory/factory/integration-runtime/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2407789138740487733" + "version": "0.23.1.45101", + "templateHash": "10377382264693749693" }, "name": "Data Factory Integration RunTimes", "description": "This module deploys a Data Factory Managed or Self-Hosted Integration Runtime.", diff --git a/modules/data-factory/factory/managed-virtual-network/main.json b/modules/data-factory/factory/managed-virtual-network/main.json index 96dc5dd33b..cc3de35985 100644 --- a/modules/data-factory/factory/managed-virtual-network/main.json +++ b/modules/data-factory/factory/managed-virtual-network/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14273608975905052502" + "version": "0.23.1.45101", + "templateHash": "7086724603457879213" }, "name": "Data Factory Managed Virtual Networks", "description": "This module deploys a Data Factory Managed Virtual Network.", 
@@ -105,8 +105,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1490870890954327678" + "version": "0.23.1.45101", + "templateHash": "6951739479886220769" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", diff --git a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json index 96606099ca..371ba2b3d2 100644 --- a/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json +++ b/modules/data-factory/factory/managed-virtual-network/managed-private-endpoint/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1490870890954327678" + "version": "0.23.1.45101", + "templateHash": "6951739479886220769" }, "name": "Data Factory Managed Virtual Network Managed PrivateEndpoints", "description": "This module deploys a Data Factory Managed Virtual Network Managed Private Endpoint.", diff --git a/modules/data-protection/backup-vault/backup-policy/main.json b/modules/data-protection/backup-vault/backup-policy/main.json index 9717619f41..f3a79705fc 100644 --- a/modules/data-protection/backup-vault/backup-policy/main.json +++ b/modules/data-protection/backup-vault/backup-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4068293382331739919" + "version": "0.23.1.45101", + "templateHash": "3378438498887899064" }, "name": "Data Protection Backup Vault Backup Policies", "description": "This module deploys a Data Protection Backup Vault Backup Policy.", 
diff --git a/modules/db-for-my-sql/flexible-server/administrator/main.json b/modules/db-for-my-sql/flexible-server/administrator/main.json index 41ee008d22..347c0a171f 100644 --- a/modules/db-for-my-sql/flexible-server/administrator/main.json +++ b/modules/db-for-my-sql/flexible-server/administrator/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16367563858411209197" + "version": "0.23.1.45101", + "templateHash": "8863151548145849170" }, "name": "DBforMySQL Flexible Server Administrators", "description": "This module deploys a DBforMySQL Flexible Server Administrator.", diff --git a/modules/db-for-my-sql/flexible-server/database/main.json b/modules/db-for-my-sql/flexible-server/database/main.json index 4a68e48562..c7747c6684 100644 --- a/modules/db-for-my-sql/flexible-server/database/main.json +++ b/modules/db-for-my-sql/flexible-server/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16649222900362138505" + "version": "0.23.1.45101", + "templateHash": "7585808247826533259" }, "name": "DBforMySQL Flexible Server Databases", "description": "This module deploys a DBforMySQL Flexible Server Database.", diff --git a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json b/modules/db-for-my-sql/flexible-server/firewall-rule/main.json index 4b909f3882..c86c3c1a46 100644 --- a/modules/db-for-my-sql/flexible-server/firewall-rule/main.json +++ b/modules/db-for-my-sql/flexible-server/firewall-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12840531816938690352" + "version": "0.23.1.45101", + "templateHash": "9889972221731602451" }, "name": "DBforMySQL Flexible Server Firewall Rules", "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", 
diff --git a/modules/db-for-postgre-sql/flexible-server/administrator/main.json b/modules/db-for-postgre-sql/flexible-server/administrator/main.json index 6ac911a9e5..b44df7bf9d 100644 --- a/modules/db-for-postgre-sql/flexible-server/administrator/main.json +++ b/modules/db-for-postgre-sql/flexible-server/administrator/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3514176123135146796" + "version": "0.23.1.45101", + "templateHash": "13863840477045657155" }, "name": "DBforPostgreSQL Flexible Server Administrators", "description": "This module deploys a DBforPostgreSQL Flexible Server Administrator.", diff --git a/modules/db-for-postgre-sql/flexible-server/configuration/main.json b/modules/db-for-postgre-sql/flexible-server/configuration/main.json index 54b8e1f4b7..a928b33bd9 100644 --- a/modules/db-for-postgre-sql/flexible-server/configuration/main.json +++ b/modules/db-for-postgre-sql/flexible-server/configuration/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12961146168624492771" + "version": "0.23.1.45101", + "templateHash": "16469307943232243904" }, "name": "DBforPostgreSQL Flexible Server Configurations", "description": "This module deploys a DBforPostgreSQL Flexible Server Configuration.", diff --git a/modules/db-for-postgre-sql/flexible-server/database/main.json b/modules/db-for-postgre-sql/flexible-server/database/main.json index bc43485c4f..b65e7e4697 100644 --- a/modules/db-for-postgre-sql/flexible-server/database/main.json +++ b/modules/db-for-postgre-sql/flexible-server/database/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15866259518448635553" + "version": "0.23.1.45101", + "templateHash": "16111012435403700897" }, "name": "DBforPostgreSQL Flexible Server Databases", "description": "This module deploys a DBforPostgreSQL Flexible Server Database.", diff --git a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json index 79c31b0bfb..81090c398e 100644 --- a/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json +++ b/modules/db-for-postgre-sql/flexible-server/firewall-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13418631602887252631" + "version": "0.23.1.45101", + "templateHash": "12680201884935036782" }, "name": "DBforPostgreSQL Flexible Server Firewall Rules", "description": "This module deploys a DBforPostgreSQL Flexible Server Firewall Rule.", diff --git a/modules/desktop-virtualization/application-group/application/main.json b/modules/desktop-virtualization/application-group/application/main.json index 70e339a8b2..a289573ad1 100644 --- a/modules/desktop-virtualization/application-group/application/main.json +++ b/modules/desktop-virtualization/application-group/application/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10616827856455579307" + "version": "0.23.1.45101", + "templateHash": "14264026920797711856" }, "name": "Azure Virtual Desktop (AVD) Application Group Applications", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group Application.", diff --git a/modules/dev-test-lab/lab/artifactsource/main.json b/modules/dev-test-lab/lab/artifactsource/main.json index 734c1e482d..3254b72d30 100644 --- a/modules/dev-test-lab/lab/artifactsource/main.json 
+++ b/modules/dev-test-lab/lab/artifactsource/main.json @@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12165020180713564819" + "version": "0.23.1.45101", + "templateHash": "7965418783863447380" }, "name": "DevTest Lab Artifact Sources", - "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", + "description": "This module deploys a DevTest Lab Artifact Source.\n\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/dev-test-lab/lab/cost/main.json b/modules/dev-test-lab/lab/cost/main.json index 3ec2b33776..ba27416077 100644 --- a/modules/dev-test-lab/lab/cost/main.json +++ b/modules/dev-test-lab/lab/cost/main.json 
@@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12104430168487418019" + "version": "0.23.1.45101", + "templateHash": "14581778776350915706" }, "name": "DevTest Lab Costs", - "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", + "description": "This module deploys a DevTest Lab Cost.\n\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/dev-test-lab/lab/notificationchannel/main.json b/modules/dev-test-lab/lab/notificationchannel/main.json index bfab5a4069..0d5a7a6e93 100644 --- a/modules/dev-test-lab/lab/notificationchannel/main.json +++ b/modules/dev-test-lab/lab/notificationchannel/main.json @@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5225332129791836269" + "version": "0.23.1.45101", + "templateHash": "421100563759718119" }, "name": "DevTest Lab Notification Channels", - "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", + "description": "This module deploys a DevTest Lab Notification Channel.\n\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", "owner": "Azure/module-maintainers" }, "parameters": { 
diff --git a/modules/dev-test-lab/lab/policyset/policy/main.json b/modules/dev-test-lab/lab/policyset/policy/main.json index 18e4b827e3..2c61e96df9 100644 --- a/modules/dev-test-lab/lab/policyset/policy/main.json +++ b/modules/dev-test-lab/lab/policyset/policy/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7402281637422771358" + "version": "0.23.1.45101", + "templateHash": "5652685942577853564" }, "name": "DevTest Lab Policy Sets Policies", - "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", + "description": "This module deploys a DevTest Lab Policy Sets Policy.\n\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/dev-test-lab/lab/schedule/main.json b/modules/dev-test-lab/lab/schedule/main.json index dbbccd0c7e..60a7860676 100644 --- a/modules/dev-test-lab/lab/schedule/main.json +++ b/modules/dev-test-lab/lab/schedule/main.json @@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10592511541548002212" + "version": "0.23.1.45101", + "templateHash": "1015942076148002236" }, "name": "DevTest Lab Schedules", - "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", + "description": "This module deploys a DevTest Lab Schedule.\n\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { 
diff --git a/modules/dev-test-lab/lab/virtualnetwork/main.json b/modules/dev-test-lab/lab/virtualnetwork/main.json index 0f32f00fd3..91ea4aa04b 100644 --- a/modules/dev-test-lab/lab/virtualnetwork/main.json +++ b/modules/dev-test-lab/lab/virtualnetwork/main.json @@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8382075673072622254" + "version": "0.23.1.45101", + "templateHash": "2685254804143459925" }, "name": "DevTest Lab Virtual Networks", - "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", + "description": "This module deploys a DevTest Lab Virtual Network.\n\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/document-db/database-account/gremlin-database/graph/main.json b/modules/document-db/database-account/gremlin-database/graph/main.json index 140ebcbb80..8d22d62b8c 100644 --- a/modules/document-db/database-account/gremlin-database/graph/main.json +++ b/modules/document-db/database-account/gremlin-database/graph/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16432474498986701571" + "version": "0.23.1.45101", + "templateHash": "4035784770059836359" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", diff --git a/modules/document-db/database-account/mongodb-database/collection/main.json b/modules/document-db/database-account/mongodb-database/collection/main.json index 7b4dd23c09..85cb3ee998 100644 
--- a/modules/document-db/database-account/mongodb-database/collection/main.json +++ b/modules/document-db/database-account/mongodb-database/collection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14573428332905458641" + "version": "0.23.1.45101", + "templateHash": "2460347721734751381" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/modules/document-db/database-account/mongodb-database/main.json b/modules/document-db/database-account/mongodb-database/main.json index ea41158c15..5c79b10a6c 100644 --- a/modules/document-db/database-account/mongodb-database/main.json +++ b/modules/document-db/database-account/mongodb-database/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "18265317713061610546" + "version": "0.23.1.45101", + "templateHash": "10909630292111406683" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", @@ -132,8 +132,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14573428332905458641" + "version": "0.23.1.45101", + "templateHash": "2460347721734751381" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/modules/document-db/database-account/sql-database/container/main.json b/modules/document-db/database-account/sql-database/container/main.json index 4f00fe50ef..9166dbfa7a 100644 --- a/modules/document-db/database-account/sql-database/container/main.json +++ b/modules/document-db/database-account/sql-database/container/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5628064493958565248" + "version": "0.23.1.45101", + "templateHash": "7712060799698135624" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", diff --git a/modules/document-db/database-account/sql-database/main.json b/modules/document-db/database-account/sql-database/main.json index d3c8fefc92..bc17eea062 100644 --- a/modules/document-db/database-account/sql-database/main.json +++ b/modules/document-db/database-account/sql-database/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10948740009827102632" + "version": "0.23.1.45101", + "templateHash": "5236608683863945170" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -143,8 +143,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5628064493958565248" + "version": "0.23.1.45101", + "templateHash": "7712060799698135624" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", diff --git a/modules/event-grid/domain/topic/main.json b/modules/event-grid/domain/topic/main.json index c640f2628c..db8189344c 100644 --- a/modules/event-grid/domain/topic/main.json +++ b/modules/event-grid/domain/topic/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13108601447016690436" + "version": "0.23.1.45101", + "templateHash": "13344838042263797685" }, "name": "Event Grid Domain Topics", "description": "This module deploys an Event Grid Domain Topic.", 
diff --git a/modules/event-grid/system-topic/event-subscription/main.json b/modules/event-grid/system-topic/event-subscription/main.json index 1b3870ba98..fc756da09d 100644 --- a/modules/event-grid/system-topic/event-subscription/main.json +++ b/modules/event-grid/system-topic/event-subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10392297144322720436" + "version": "0.23.1.45101", + "templateHash": "15173790856574805238" }, "name": "Event Grid System Topic Event Subscriptions", "description": "This module deploys an Event Grid System Topic Event Subscription.", diff --git a/modules/event-grid/topic/event-subscription/main.json b/modules/event-grid/topic/event-subscription/main.json index 9891a17599..3d5fcc0124 100644 --- a/modules/event-grid/topic/event-subscription/main.json +++ b/modules/event-grid/topic/event-subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2222106647839764321" + "version": "0.23.1.45101", + "templateHash": "19673224192591950" }, "name": "EventGrid Topic Event Subscriptions", "description": "This module deploys an Event Grid Topic Event Subscription.", diff --git a/modules/event-hub/namespace/authorization-rule/main.json b/modules/event-hub/namespace/authorization-rule/main.json index d9f8dc98a7..893fbee67c 100644 --- a/modules/event-hub/namespace/authorization-rule/main.json +++ b/modules/event-hub/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3063860457313937367" + "version": "0.23.1.45101", + "templateHash": "7668723234672576868" }, "name": "Event Hub Namespace Authorization Rule", "description": "This module deploys an Event Hub Namespace Authorization Rule.", 
diff --git a/modules/event-hub/namespace/disaster-recovery-config/main.json b/modules/event-hub/namespace/disaster-recovery-config/main.json index 65b8246881..e9ebf75e66 100644 --- a/modules/event-hub/namespace/disaster-recovery-config/main.json +++ b/modules/event-hub/namespace/disaster-recovery-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7624585689136088815" + "version": "0.23.1.45101", + "templateHash": "7231520764645220131" }, "name": "Event Hub Namespace Disaster Recovery Configs", "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.", diff --git a/modules/event-hub/namespace/eventhub/authorization-rule/main.json b/modules/event-hub/namespace/eventhub/authorization-rule/main.json index 7b2d55d760..fdad6f3587 100644 --- a/modules/event-hub/namespace/eventhub/authorization-rule/main.json +++ b/modules/event-hub/namespace/eventhub/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12245634232079362340" + "version": "0.23.1.45101", + "templateHash": "4935957739850887741" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", diff --git a/modules/event-hub/namespace/eventhub/consumergroup/main.json b/modules/event-hub/namespace/eventhub/consumergroup/main.json index e64fa652a1..6505e1c92b 100644 --- a/modules/event-hub/namespace/eventhub/consumergroup/main.json +++ b/modules/event-hub/namespace/eventhub/consumergroup/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3522913919009222120" + "version": "0.23.1.45101", + "templateHash": "7142673381100704232" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", diff --git a/modules/event-hub/namespace/network-rule-set/main.json b/modules/event-hub/namespace/network-rule-set/main.json index f4eab5a4ca..0053bd5902 100644 --- a/modules/event-hub/namespace/network-rule-set/main.json +++ b/modules/event-hub/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2605359643798084834" + "version": "0.23.1.45101", + "templateHash": "7843391232136950856" }, "name": "Event Hub Namespace Network Rule Sets", "description": "This module deploys an Event Hub Namespace Network Rule Set.", diff --git a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json index 8f1f5ff94d..04779d95b0 100644 --- a/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json +++ b/modules/healthcare-apis/workspace/iotconnector/fhirdestination/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10973515077627017376" + "version": "0.23.1.45101", + "templateHash": "6245123463457389463" }, "name": "Healthcare API Workspace IoT Connector FHIR Destinations", "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.", diff --git a/modules/insights/data-collection-rule/README.md b/modules/insights/data-collection-rule/README.md index d9870bdf8f..886394f71a 100644 --- a/modules/insights/data-collection-rule/README.md +++ b/modules/insights/data-collection-rule/README.md 
@@ -55,7 +55,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 streams: [
 'Custom-CustomTableAdvanced_CL'
 ]
- transformKql: 'source | extend LogFields = split(RawData \'\') | extend EventTime = todatetime(LogFields[0]) | extend EventLevel = tostring(LogFields[1]) | extend EventCode = toint(LogFields[2]) | extend Message = tostring(LogFields[3]) | project TimeGenerated EventTime EventLevel EventCode Message'
+ transformKql: 'source | extend LogFields = split(RawData, \',\') | extend EventTime = todatetime(LogFields[0]) | extend EventLevel = tostring(LogFields[1]) | extend EventCode = toint(LogFields[2]) | extend Message = tostring(LogFields[3]) | project TimeGenerated, EventTime, EventLevel, EventCode, Message'
 }
 ]
 dataSources: {
@@ -89,7 +89,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 name: 'idcrcusadv001'
 // Non-required parameters
 dataCollectionEndpointId: ''
- description: 'Collecting custom text logs with ingestion-time transformation to columns. Expected format of a log line (comma separated values): \'\' for example: \'2023-01-25T20:15:05ZERROR404Page not found\''
+ description: 'Collecting custom text logs with ingestion-time transformation to columns. Expected format of a log line (comma separated values): \',,,\', for example: \'2023-01-25T20:15:05Z,ERROR,404,Page not found\''
 enableDefaultTelemetry: ''
 kind: 'Windows'
 lock: {
@@ -1276,7 +1276,7 @@ module dataCollectionRule 'br:bicep/modules/insights.data-collection-rule:1.0.0'
 ]
 xPathQueries: [
 'Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]'
- 'Security!*[System[(band(Keywords13510798882111488))]]'
+ 'Security!*[System[(band(Keywords,13510798882111488))]]'
 'System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]'
 ]
 }
diff --git a/modules/insights/private-link-scope/scoped-resource/main.json b/modules/insights/private-link-scope/scoped-resource/main.json index 349184548c..1bb65fbf76 100644 --- a/modules/insights/private-link-scope/scoped-resource/main.json +++ b/modules/insights/private-link-scope/scoped-resource/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13415430389319270642" + "version": "0.23.1.45101", + "templateHash": "6728675477102381760" }, "name": "Private Link Scope Scoped Resources", "description": "This module deploys a Private Link Scope Scoped Resource.", diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index 695dd4df5f..be3ba88d2d 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -65,7 +65,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' ] metricMeasureColumn: 'AggregatedValue' operator: 'GreaterThan' - query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer InstanceName bin(TimeGenerated5m)' + query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' threshold: 0 timeAggregation: 'Average' } 
@@ -249,7 +249,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' ] metricMeasureColumn: 'AggregatedValue' operator: 'GreaterThan' - query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer InstanceName bin(TimeGenerated5m)' + query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' threshold: 0 timeAggregation: 'Average' } diff --git a/modules/key-vault/vault/access-policy/main.json b/modules/key-vault/vault/access-policy/main.json index ca9895ce0c..a17b0dbe18 100644 --- a/modules/key-vault/vault/access-policy/main.json +++ b/modules/key-vault/vault/access-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2131300650084383528" + "version": "0.23.1.45101", + "templateHash": "5636934877550105255" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", diff --git a/modules/key-vault/vault/key/main.json b/modules/key-vault/vault/key/main.json index daadf7027b..3b27f5a930 100644 --- a/modules/key-vault/vault/key/main.json +++ b/modules/key-vault/vault/key/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2953672245031093442" + "version": "0.23.1.45101", + "templateHash": "6556101606252284471" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", diff --git a/modules/key-vault/vault/secret/main.json b/modules/key-vault/vault/secret/main.json index 58bf08f760..0c944e07e2 100644 --- a/modules/key-vault/vault/secret/main.json 
+++ b/modules/key-vault/vault/secret/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3223693327720603920" + "version": "0.23.1.45101", + "templateHash": "14408031654729406286" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", diff --git a/modules/kubernetes-configuration/extension/main.json b/modules/kubernetes-configuration/extension/main.json index adb39135d7..92daee7616 100644 --- a/modules/kubernetes-configuration/extension/main.json +++ b/modules/kubernetes-configuration/extension/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18265527122738367400" + "templateHash": "548642834195454661" }, "name": "Kubernetes Configuration Extensions", "description": "This module deploys a Kubernetes Configuration Extension.", @@ -168,7 +168,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8985718648814286209" + "templateHash": "10031296768791737313" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", @@ -224,9 +224,8 @@ }, "kustomizations": { "type": "object", - "defaultValue": {}, "metadata": { - "description": "Optional. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." + "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." } }, "namespace": { 
@@ -280,14 +279,14 @@ }, { "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2022-03-01", + "apiVersion": "2023-05-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[parameters('name')]", "properties": { "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[if(not(empty(parameters('kustomizations'))), parameters('kustomizations'), createObject())]", + "kustomizations": "[parameters('kustomizations')]", "namespace": "[parameters('namespace')]", "scope": "[parameters('scope')]", "sourceKind": "[parameters('sourceKind')]", diff --git a/modules/machine-learning-services/workspace/compute/main.json b/modules/machine-learning-services/workspace/compute/main.json index 37b32fb8a0..ec121697d2 100644 --- a/modules/machine-learning-services/workspace/compute/main.json +++ b/modules/machine-learning-services/workspace/compute/main.json @@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15942233592020548593" + "templateHash": "10790106014691997162" }, "name": "Machine Learning Services Workspaces Computes", - "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", + "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, "definitions": { 
diff --git a/modules/managed-services/registration-definition/main.json b/modules/managed-services/registration-definition/main.json index 09d2985143..5c0ad2afbd 100644 --- a/modules/managed-services/registration-definition/main.json +++ b/modules/managed-services/registration-definition/main.json @@ -5,10 +5,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16560417041249407404" + "templateHash": "13729611017288752561" }, "name": "Registration Definitions", - "description": "This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')\r\non subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is\r\nassigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where\r\nthe Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a\r\nremote/managing tenant.", + "description": "This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')\non subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is\nassigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where\nthe Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a\nremote/managing tenant.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/management/management-group/main.json b/modules/management/management-group/main.json index 387fccb26a..532fdd84b8 100644 --- a/modules/management/management-group/main.json +++ b/modules/management/management-group/main.json 
@@ -5,10 +5,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8382659886206939676" + "templateHash": "9848271619799259955" }, "name": "Management Groups", - "description": "This template will prepare the management group structure based on the provided parameter.\r\n\r\nThis module has some known **limitations**:\r\n- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)\r\n- It can't manage the Root (/) management group", + "description": "This template will prepare the management group structure based on the provided parameter.\n\nThis module has some known **limitations**:\n- It's not possible to change the display name of the root management group (the one that has the tenant GUID as ID)\n- It can't manage the Root (/) management group", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index d232283c5c..59e663c6da 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -1349,7 +1349,7 @@ Specifies the properties of the Public IP to create and be used by the Firewall, - Default: ```Bicep { - name: '[format(\'{0}-pip\' parameters(\'name\'))]' + name: '[format(\'{0}-pip\', parameters(\'name\'))]' } ``` diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 573d2b938a..84cd231586 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -732,7 +732,7 @@ Specifies the properties of the Public IP to create and be used by Azure Bastion - Default: ```Bicep { - name: '[format(\'{0}-pip\' parameters(\'name\'))]' + name: '[format(\'{0}-pip\', parameters(\'name\'))]' } ``` 
diff --git a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json index 398ba866ee..aa3b317b11 100644 --- a/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json +++ b/modules/network/dns-forwarding-ruleset/forwarding-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14481617304679147684" + "version": "0.23.1.45101", + "templateHash": "15853222260858972029" }, "name": "Dns Forwarding Rulesets Forwarding Rules", "description": "This template deploys Forwarding Rule in a Dns Forwarding Ruleset.", diff --git a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json index ac505b8cef..8171b67084 100644 --- a/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json +++ b/modules/network/dns-forwarding-ruleset/virtual-network-link/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13868433916800604215" + "version": "0.23.1.45101", + "templateHash": "10716706455477062359" }, "name": "Dns Forwarding Rulesets Virtual Network Links", "description": "This template deploys Virtual Network Link in a Dns Forwarding Ruleset.", diff --git a/modules/network/dns-zone/a/main.json b/modules/network/dns-zone/a/main.json index b06788a26a..2ed01910e3 100644 --- a/modules/network/dns-zone/a/main.json +++ b/modules/network/dns-zone/a/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10974837461645436691" + "version": "0.23.1.45101", + "templateHash": "9611074560358227947" }, "name": "Public DNS Zone A record", "description": "This module deploys a Public DNS Zone A record.", 
diff --git a/modules/network/dns-zone/aaaa/main.json b/modules/network/dns-zone/aaaa/main.json index 8b707375df..274e115628 100644 --- a/modules/network/dns-zone/aaaa/main.json +++ b/modules/network/dns-zone/aaaa/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11266429358803831455" + "version": "0.23.1.45101", + "templateHash": "14864971256419465724" }, "name": "Public DNS Zone AAAA record", "description": "This module deploys a Public DNS Zone AAAA record.", diff --git a/modules/network/dns-zone/caa/main.json b/modules/network/dns-zone/caa/main.json index bc7befc61b..e264524581 100644 --- a/modules/network/dns-zone/caa/main.json +++ b/modules/network/dns-zone/caa/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17336929917389994115" + "version": "0.23.1.45101", + "templateHash": "334963919740395938" }, "name": "Public DNS Zone CAA record", "description": "This module deploys a Public DNS Zone CAA record.", diff --git a/modules/network/dns-zone/cname/main.json b/modules/network/dns-zone/cname/main.json index b33300806f..8ebb91fc6a 100644 --- a/modules/network/dns-zone/cname/main.json +++ b/modules/network/dns-zone/cname/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13232609782269052972" + "version": "0.23.1.45101", + "templateHash": "1267823163217140681" }, "name": "Public DNS Zone CNAME record", "description": "This module deploys a Public DNS Zone CNAME record.", diff --git a/modules/network/dns-zone/mx/main.json b/modules/network/dns-zone/mx/main.json index e45e0fe6f1..19169c06c3 100644 --- a/modules/network/dns-zone/mx/main.json +++ b/modules/network/dns-zone/mx/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16614736782890395121" + "version": "0.23.1.45101", + "templateHash": "913365561266018486" }, "name": "Public DNS Zone MX record", "description": "This module deploys a Public DNS Zone MX record.", diff --git a/modules/network/dns-zone/ns/main.json b/modules/network/dns-zone/ns/main.json index d840dcd791..4d7b270aae 100644 --- a/modules/network/dns-zone/ns/main.json +++ b/modules/network/dns-zone/ns/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10360566575253611568" + "version": "0.23.1.45101", + "templateHash": "14921767837432456957" }, "name": "Public DNS Zone NS record", "description": "This module deploys a Public DNS Zone NS record.", diff --git a/modules/network/dns-zone/ptr/main.json b/modules/network/dns-zone/ptr/main.json index ad029b2b73..52d8ea8776 100644 --- a/modules/network/dns-zone/ptr/main.json +++ b/modules/network/dns-zone/ptr/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "694884293764156099" + "version": "0.23.1.45101", + "templateHash": "1781674036442480125" }, "name": "Public DNS Zone PTR record", "description": "This module deploys a Public DNS Zone PTR record.", diff --git a/modules/network/dns-zone/soa/main.json b/modules/network/dns-zone/soa/main.json index b3486a03bf..da09092353 100644 --- a/modules/network/dns-zone/soa/main.json +++ b/modules/network/dns-zone/soa/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10526329700400149290" + "version": "0.23.1.45101", + "templateHash": "15508005336915398346" }, "name": "Public DNS Zone SOA record", "description": "This module deploys a Public DNS Zone SOA record.", 
diff --git a/modules/network/dns-zone/srv/main.json b/modules/network/dns-zone/srv/main.json index b98e3e817c..d0e0b82fe7 100644 --- a/modules/network/dns-zone/srv/main.json +++ b/modules/network/dns-zone/srv/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2773338273433722142" + "version": "0.23.1.45101", + "templateHash": "12022158765353146053" }, "name": "Public DNS Zone SRV record", "description": "This module deploys a Public DNS Zone SRV record.", diff --git a/modules/network/dns-zone/txt/main.json b/modules/network/dns-zone/txt/main.json index 8a4fe8146f..11dc4de054 100644 --- a/modules/network/dns-zone/txt/main.json +++ b/modules/network/dns-zone/txt/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8314659933691992641" + "version": "0.23.1.45101", + "templateHash": "12802491396062490027" }, "name": "Public DNS Zone TXT record", "description": "This module deploys a Public DNS Zone TXT record.", diff --git a/modules/network/firewall-policy/rule-collection-group/main.json b/modules/network/firewall-policy/rule-collection-group/main.json index 6c26a49d8a..60a32a18e8 100644 --- a/modules/network/firewall-policy/rule-collection-group/main.json +++ b/modules/network/firewall-policy/rule-collection-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13617778659554817427" + "version": "0.23.1.45101", + "templateHash": "18100190658467124638" }, "name": "Firewall Policy Rule Collection Groups", "description": "This module deploys a Firewall Policy Rule Collection Group.", diff --git a/modules/network/load-balancer/backend-address-pool/main.json b/modules/network/load-balancer/backend-address-pool/main.json index e79735bfeb..166b5e8185 100644 --- a/modules/network/load-balancer/backend-address-pool/main.json 
+++ b/modules/network/load-balancer/backend-address-pool/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8746126160153035357" + "version": "0.23.1.45101", + "templateHash": "11772165650732157187" }, "name": "Load Balancer Backend Address Pools", "description": "This module deploys a Load Balancer Backend Address Pools.", diff --git a/modules/network/load-balancer/inbound-nat-rule/main.json b/modules/network/load-balancer/inbound-nat-rule/main.json index f72e675dc4..0b7171f431 100644 --- a/modules/network/load-balancer/inbound-nat-rule/main.json +++ b/modules/network/load-balancer/inbound-nat-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10708877822656641045" + "version": "0.23.1.45101", + "templateHash": "10843150655101094909" }, "name": "Load Balancer Inbound NAT Rules", "description": "This module deploys a Load Balancer Inbound NAT Rules.", diff --git a/modules/network/load-balancer/main.json b/modules/network/load-balancer/main.json index d58ef9dcc6..6503086e86 100644 --- a/modules/network/load-balancer/main.json +++ b/modules/network/load-balancer/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15804132676777658588" + "version": "0.23.1.45101", + "templateHash": "9944578791387151773" }, "name": "Load Balancers", "description": "This module deploys a Load Balancer.", @@ -505,8 +505,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8746126160153035357" + "version": "0.23.1.45101", + "templateHash": "11772165650732157187" }, "name": "Load Balancer Backend Address Pools", "description": "This module deploys a Load Balancer Backend Address Pools.", 
@@ -666,8 +666,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10708877822656641045" + "version": "0.23.1.45101", + "templateHash": "10843150655101094909" }, "name": "Load Balancer Inbound NAT Rules", "description": "This module deploys a Load Balancer Inbound NAT Rules.", diff --git a/modules/network/network-manager/connectivity-configuration/main.json b/modules/network/network-manager/connectivity-configuration/main.json index 9d92ba9227..ac5aa40b56 100644 --- a/modules/network/network-manager/connectivity-configuration/main.json +++ b/modules/network/network-manager/connectivity-configuration/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5280310149581848411" + "version": "0.23.1.45101", + "templateHash": "9661323239609366787" }, "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", + "description": "This module deploys a Network Manager Connectivity Configuration.\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/network-group/main.json b/modules/network/network-manager/network-group/main.json index 8073af7494..357252e74e 100644 --- a/modules/network/network-manager/network-group/main.json +++ b/modules/network/network-manager/network-group/main.json 
@@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15734624931109113465" + "version": "0.23.1.45101", + "templateHash": "9383612824689647197" }, "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", + "description": "This module deploys a Network Manager Network Group.\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -110,11 +110,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13400290933908034947" + "version": "0.23.1.45101", + "templateHash": "6270695242836306169" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/network-group/static-member/main.json b/modules/network/network-manager/network-group/static-member/main.json index cc511c69ae..c829beab04 100644 --- a/modules/network/network-manager/network-group/static-member/main.json +++ b/modules/network/network-manager/network-group/static-member/main.json 
@@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13400290933908034947" + "version": "0.23.1.45101", + "templateHash": "6270695242836306169" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/scope-connection/main.json b/modules/network/network-manager/scope-connection/main.json index 91c4436a36..bc5da99fff 100644 --- a/modules/network/network-manager/scope-connection/main.json +++ b/modules/network/network-manager/scope-connection/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9309301917607746358" + "version": "0.23.1.45101", + "templateHash": "15324552358719749208" }, "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", + "description": "This module deploys a Network Manager Scope Connection.\nCreate a cross-tenant connection to manage a resource from another tenant.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/security-admin-configuration/main.json b/modules/network/network-manager/security-admin-configuration/main.json index 7cc19444ba..885b76b792 100644 --- a/modules/network/network-manager/security-admin-configuration/main.json 
+++ b/modules/network/network-manager/security-admin-configuration/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14740794033127814314" + "version": "0.23.1.45101", + "templateHash": "220686347521741612" }, "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Network Manager Security Admin Configuration.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -126,11 +126,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11695176114935586913" + "version": "0.23.1.45101", + "templateHash": "10245325643114384455" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -261,11 +261,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8150493920671936292" + "version": "0.23.1.45101", + "templateHash": "6215293821297223443" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/main.json index 936667268a..2ab0f2b404 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/main.json +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/main.json 
@@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11695176114935586913" + "version": "0.23.1.45101", + "templateHash": "10245325643114384455" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -139,11 +139,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8150493920671936292" + "version": "0.23.1.45101", + "templateHash": "6215293821297223443" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json index 5a3dc77879..8e7e1fd280 100644 --- a/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json +++ b/modules/network/network-manager/security-admin-configuration/rule-collection/rule/main.json 
@@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8150493920671936292" + "version": "0.23.1.45101", + "templateHash": "6215293821297223443" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-watcher/connection-monitor/main.json b/modules/network/network-watcher/connection-monitor/main.json index 81a437ce7e..f80ecbc337 100644 --- a/modules/network/network-watcher/connection-monitor/main.json +++ b/modules/network/network-watcher/connection-monitor/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3258279638384899203" + "version": "0.23.1.45101", + "templateHash": "15782320161408670286" }, "name": "Network Watchers Connection Monitors", "description": "This module deploys a Network Watcher Connection Monitor.", diff --git a/modules/network/network-watcher/flow-log/main.json b/modules/network/network-watcher/flow-log/main.json index c7d365f80c..43b245b827 100644 --- a/modules/network/network-watcher/flow-log/main.json +++ b/modules/network/network-watcher/flow-log/main.json 
@@ -5,11 +5,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7397123180177309349" + "version": "0.23.1.45101", + "templateHash": "2197507893118006956" }, "name": "NSG Flow Logs", - "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", + "description": "This module controls the Network Security Group Flow Logs and analytics settings.\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/private-dns-zone/a/main.json b/modules/network/private-dns-zone/a/main.json index 93e1b28b45..4c0a30545a 100644 --- a/modules/network/private-dns-zone/a/main.json +++ b/modules/network/private-dns-zone/a/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12900025093691887371" + "version": "0.23.1.45101", + "templateHash": "3949185236374936253" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record.", diff --git a/modules/network/private-dns-zone/aaaa/main.json b/modules/network/private-dns-zone/aaaa/main.json index 8f1297ff92..af984e6778 100644 --- a/modules/network/private-dns-zone/aaaa/main.json +++ b/modules/network/private-dns-zone/aaaa/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4724178141308652025" + "version": "0.23.1.45101", + "templateHash": "18254437762408001216" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record.", diff --git a/modules/network/private-dns-zone/cname/main.json b/modules/network/private-dns-zone/cname/main.json index d1dbff765d..73a4108987 100644 --- a/modules/network/private-dns-zone/cname/main.json 
+++ b/modules/network/private-dns-zone/cname/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14332603634620066077" + "version": "0.23.1.45101", + "templateHash": "5688376231538421822" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record.", diff --git a/modules/network/private-dns-zone/mx/main.json b/modules/network/private-dns-zone/mx/main.json index 903f0c7413..b4e3e092af 100644 --- a/modules/network/private-dns-zone/mx/main.json +++ b/modules/network/private-dns-zone/mx/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13915386259037819236" + "version": "0.23.1.45101", + "templateHash": "6121652824910092918" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record.", diff --git a/modules/network/private-dns-zone/ptr/main.json b/modules/network/private-dns-zone/ptr/main.json index 297450c58f..756e0de5ba 100644 --- a/modules/network/private-dns-zone/ptr/main.json +++ b/modules/network/private-dns-zone/ptr/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8103973730749015801" + "version": "0.23.1.45101", + "templateHash": "13755349248029897715" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record.", diff --git a/modules/network/private-dns-zone/soa/main.json b/modules/network/private-dns-zone/soa/main.json index 27b4d7d86f..2da7e394d2 100644 --- a/modules/network/private-dns-zone/soa/main.json +++ b/modules/network/private-dns-zone/soa/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11066047807464279527" + "version": "0.23.1.45101", + "templateHash": "17071167904833492436" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record.", diff --git a/modules/network/private-dns-zone/srv/main.json b/modules/network/private-dns-zone/srv/main.json index 7a8c0468f4..d795aa1f9d 100644 --- a/modules/network/private-dns-zone/srv/main.json +++ b/modules/network/private-dns-zone/srv/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6734977459689095702" + "version": "0.23.1.45101", + "templateHash": "11637594462630888096" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record.", diff --git a/modules/network/private-dns-zone/txt/main.json b/modules/network/private-dns-zone/txt/main.json index 65fa0ceb85..2b6c165ec4 100644 --- a/modules/network/private-dns-zone/txt/main.json +++ b/modules/network/private-dns-zone/txt/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15093956155477786576" + "version": "0.23.1.45101", + "templateHash": "61165308790737358" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record.", diff --git a/modules/network/private-dns-zone/virtual-network-link/main.json b/modules/network/private-dns-zone/virtual-network-link/main.json index 10f3e34f7e..7fc8dca0c1 100644 --- a/modules/network/private-dns-zone/virtual-network-link/main.json +++ b/modules/network/private-dns-zone/virtual-network-link/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14262386012436592269" + "version": "0.23.1.45101", + "templateHash": "2575181024828080198" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link.", diff --git a/modules/network/private-endpoint/private-dns-zone-group/main.json b/modules/network/private-endpoint/private-dns-zone-group/main.json index 4216fc2481..4fd7738ac7 100644 --- a/modules/network/private-endpoint/private-dns-zone-group/main.json +++ b/modules/network/private-endpoint/private-dns-zone-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index de3aa92acd..76f4462e01 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.21.1.54444", - "templateHash": "16012907393887579903" + "version": "0.23.1.45101", + "templateHash": "16146918790976496656" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", diff --git a/modules/network/virtual-hub/hub-route-table/main.json b/modules/network/virtual-hub/hub-route-table/main.json index 801ad71e30..83581c7ceb 100644 --- a/modules/network/virtual-hub/hub-route-table/main.json +++ b/modules/network/virtual-hub/hub-route-table/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16158603795616593379" + "version": "0.23.1.45101", + "templateHash": "14379005468048197578" }, "name": "Virtual Hub Route Tables", "description": "This module deploys a Virtual Hub Route Table.", diff --git a/modules/network/virtual-hub/hub-virtual-network-connection/main.json b/modules/network/virtual-hub/hub-virtual-network-connection/main.json index c514e9baaa..cbe73029be 100644 --- a/modules/network/virtual-hub/hub-virtual-network-connection/main.json +++ b/modules/network/virtual-hub/hub-virtual-network-connection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16334618854228578572" + "version": "0.23.1.45101", + "templateHash": "1891918102977675989" }, "name": "Virtual Hub Virtual Network Connections", "description": "This module deploys a Virtual Hub Virtual Network Connection.", diff --git a/modules/network/virtual-hub/main.json b/modules/network/virtual-hub/main.json index acbcfb5ce7..29df355b0d 100644 --- a/modules/network/virtual-hub/main.json +++ b/modules/network/virtual-hub/main.json @@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3410935905412487886" + "templateHash": "15154780567521533176" }, "name": "Virtual Hubs", - "description": "This module deploys a Virtual Hub.\r\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", + "description": "This module deploys a Virtual Hub.\nIf you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.", "owner": "Azure/module-maintainers" }, "definitions": { diff --git a/modules/network/virtual-network-gateway/nat-rule/main.json b/modules/network/virtual-network-gateway/nat-rule/main.json index 8435d984f4..b1c5884076 100644 
--- a/modules/network/virtual-network-gateway/nat-rule/main.json +++ b/modules/network/virtual-network-gateway/nat-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14778714560462406442" + "version": "0.23.1.45101", + "templateHash": "10871428827476692387" }, "name": "VPN Gateway NAT Rules", "description": "This module deploys a Virtual Network Gateway NAT Rule.", diff --git a/modules/operational-insights/workspace/data-export/main.json b/modules/operational-insights/workspace/data-export/main.json index ee5f16fa67..a59c427049 100644 --- a/modules/operational-insights/workspace/data-export/main.json +++ b/modules/operational-insights/workspace/data-export/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7753879701724594327" + "version": "0.23.1.45101", + "templateHash": "17342339934568813477" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export.", diff --git a/modules/operational-insights/workspace/data-source/main.json b/modules/operational-insights/workspace/data-source/main.json index 4bc4f80e43..26eafea591 100644 --- a/modules/operational-insights/workspace/data-source/main.json +++ b/modules/operational-insights/workspace/data-source/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13903182753870680383" + "version": "0.23.1.45101", + "templateHash": "16555972198709151465" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source.", diff --git a/modules/operational-insights/workspace/linked-service/main.json b/modules/operational-insights/workspace/linked-service/main.json index ca4bdb12b7..100567f48e 100644 --- a/modules/operational-insights/workspace/linked-service/main.json 
+++ b/modules/operational-insights/workspace/linked-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9970744617970664745" + "version": "0.23.1.45101", + "templateHash": "4319942183601642190" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service.", diff --git a/modules/operational-insights/workspace/linked-storage-account/main.json b/modules/operational-insights/workspace/linked-storage-account/main.json index ae3c9c7965..24f1fe2b4b 100644 --- a/modules/operational-insights/workspace/linked-storage-account/main.json +++ b/modules/operational-insights/workspace/linked-storage-account/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2117697022066188694" + "version": "0.23.1.45101", + "templateHash": "9016006615324724877" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account.", diff --git a/modules/operational-insights/workspace/saved-search/main.json b/modules/operational-insights/workspace/saved-search/main.json index 43332dd89b..c108b5ac43 100644 --- a/modules/operational-insights/workspace/saved-search/main.json +++ b/modules/operational-insights/workspace/saved-search/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12667331360871593591" + "version": "0.23.1.45101", + "templateHash": "8110791564584546252" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search.", diff --git a/modules/operational-insights/workspace/storage-insight-config/main.json b/modules/operational-insights/workspace/storage-insight-config/main.json index d3b44b1f6d..a1c8b035f8 100644 
--- a/modules/operational-insights/workspace/storage-insight-config/main.json +++ b/modules/operational-insights/workspace/storage-insight-config/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13014071648331654478" + "version": "0.23.1.45101", + "templateHash": "9008031661126171508" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config.", diff --git a/modules/operational-insights/workspace/table/main.json b/modules/operational-insights/workspace/table/main.json index 91a62f8371..c7952b7a0d 100644 --- a/modules/operational-insights/workspace/table/main.json +++ b/modules/operational-insights/workspace/table/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9983426146462646968" + "version": "0.23.1.45101", + "templateHash": "10977258600449669407" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table.", diff --git a/modules/policy-insights/remediation/management-group/main.json b/modules/policy-insights/remediation/management-group/main.json index bc27183d72..f2de28f853 100644 --- a/modules/policy-insights/remediation/management-group/main.json +++ b/modules/policy-insights/remediation/management-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9807832589850582654" + "version": "0.23.1.45101", + "templateHash": "11915278545941211218" }, "name": "Policy Insights Remediations (Management Group scope)", "description": "This module deploys a Policy Insights Remediation on a Management Group scope.", diff --git a/modules/policy-insights/remediation/resource-group/main.json b/modules/policy-insights/remediation/resource-group/main.json index ec8b34293a..a5af317771 100644 
--- a/modules/policy-insights/remediation/resource-group/main.json +++ b/modules/policy-insights/remediation/resource-group/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1603868954809777625" + "version": "0.23.1.45101", + "templateHash": "6808524543119403982" }, "name": "Policy Insights Remediations (Resource Group scope)", "description": "This module deploys a Policy Insights Remediation on a Resource Group scope.", diff --git a/modules/policy-insights/remediation/subscription/main.json b/modules/policy-insights/remediation/subscription/main.json index b7d7bb8b13..f88eabdeb0 100644 --- a/modules/policy-insights/remediation/subscription/main.json +++ b/modules/policy-insights/remediation/subscription/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8491362450892267233" + "version": "0.23.1.45101", + "templateHash": "15638854500024270747" }, "name": "Policy Insights Remediations (Subscription scope)", "description": "This module deploys a Policy Insights Remediation on a Subscription scope.", diff --git a/modules/recovery-services/vault/backup-config/main.json b/modules/recovery-services/vault/backup-config/main.json index 7ba9a5b1cb..ae17434536 100644 --- a/modules/recovery-services/vault/backup-config/main.json +++ b/modules/recovery-services/vault/backup-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7310792683713567656" + "version": "0.23.1.45101", + "templateHash": "12267998063539265813" }, "name": "Recovery Services Vault Backup Config", "description": "This module deploys a Recovery Services Vault Backup Config.", diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/main.json index ce42abbbf0..936d6013a9 100644 
--- a/modules/recovery-services/vault/backup-fabric/protection-container/main.json +++ b/modules/recovery-services/vault/backup-fabric/protection-container/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2599343254432362849" + "version": "0.23.1.45101", + "templateHash": "13622946234752234891" }, "name": "Recovery Services Vault Protection Container", "description": "This module deploys a Recovery Services Vault Protection Container.", @@ -172,8 +172,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7148492251760573310" + "version": "0.23.1.45101", + "templateHash": "9921011786088905122" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", diff --git a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json index 232937bb2a..1bc3ed2a39 100644 --- a/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json +++ b/modules/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7148492251760573310" + "version": "0.23.1.45101", + "templateHash": "9921011786088905122" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.", diff --git a/modules/recovery-services/vault/backup-policy/main.json b/modules/recovery-services/vault/backup-policy/main.json index c6180ca142..14698052f8 100644 --- a/modules/recovery-services/vault/backup-policy/main.json +++ b/modules/recovery-services/vault/backup-policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5026084694620767555" + "version": "0.23.1.45101", + "templateHash": "4289896830796340565" }, "name": "Recovery Services Vault Backup Policies", "description": "This module deploys a Recovery Services Vault Backup Policy.", diff --git a/modules/recovery-services/vault/backup-storage-config/main.json b/modules/recovery-services/vault/backup-storage-config/main.json index b3b1a961d8..bb44f2781e 100644 --- a/modules/recovery-services/vault/backup-storage-config/main.json +++ b/modules/recovery-services/vault/backup-storage-config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11669127714287855633" + "version": "0.23.1.45101", + "templateHash": "9499262871851480671" }, "name": "Recovery Services Vault Backup Storage Config", "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.", diff --git a/modules/recovery-services/vault/replication-alert-setting/main.json b/modules/recovery-services/vault/replication-alert-setting/main.json index 27d98ff68e..731253a5b9 100644 --- a/modules/recovery-services/vault/replication-alert-setting/main.json +++ b/modules/recovery-services/vault/replication-alert-setting/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "326959657687879671" + "version": "0.23.1.45101", + "templateHash": "9038487209624086059" }, "name": "Recovery Services Vault Replication Alert Settings", "description": "This module deploys a Recovery Services Vault Replication Alert Settings.", diff --git a/modules/recovery-services/vault/replication-fabric/main.json b/modules/recovery-services/vault/replication-fabric/main.json index 695123e7e7..798663b16a 100644 --- a/modules/recovery-services/vault/replication-fabric/main.json 
+++ b/modules/recovery-services/vault/replication-fabric/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4084364932296928832" + "version": "0.23.1.45101", + "templateHash": "141571686653146888" }, "name": "Recovery Services Vault Replication Fabrics", - "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", + "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -110,11 +110,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12428378308583074618" + "version": "0.23.1.45101", + "templateHash": "10595314903369272974" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -220,11 +220,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13312155038829056102" + "version": "0.23.1.45101", + "templateHash": "13334445778984042102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json index 1dac942bdb..70d1d4f6bc 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12428378308583074618" + "version": "0.23.1.45101", + "templateHash": "10595314903369272974" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { 
@@ -114,11 +114,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13312155038829056102" + "version": "0.23.1.45101", + "templateHash": "13334445778984042102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json index 8e5a371f40..89ab6e740e 100644 --- a/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json +++ b/modules/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json 
@@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13312155038829056102" + "version": "0.23.1.45101", + "templateHash": "13334445778984042102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/recovery-services/vault/replication-policy/main.json b/modules/recovery-services/vault/replication-policy/main.json index 783b758258..2c1c8d1b93 100644 --- a/modules/recovery-services/vault/replication-policy/main.json +++ b/modules/recovery-services/vault/replication-policy/main.json @@ -4,11 +4,11 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4881591174035362600" + "version": "0.23.1.45101", + "templateHash": "7511225868129156252" }, "name": "Recovery Services Vault Replication Policies", - "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 3bd4e855c5..a1fbdbeca8 100644 
--- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -146,7 +146,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]' + userMetadata: '[{\'key\':\'endpoint\',\'value\':\'db-server.constoso.com:1433\'}]' } ] lock: { @@ -543,7 +543,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]' + userMetadata: '[{\'key\':\'endpoint\',\'value\':\'db-server.constoso.com:1433\'}]' } ] lock: { diff --git a/modules/relay/namespace/authorization-rule/main.json b/modules/relay/namespace/authorization-rule/main.json index 6969a1416e..bc2bf1ddba 100644 --- a/modules/relay/namespace/authorization-rule/main.json +++ b/modules/relay/namespace/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8947023489504947393" + "version": "0.23.1.45101", + "templateHash": "6991913570355678944" }, "name": "Relay Namespace Authorization Rules", "description": "This module deploys a Relay Namespace Authorization Rule.", diff --git a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json b/modules/relay/namespace/hybrid-connection/authorization-rule/main.json index 7f723b5086..fe0d832c02 100644 --- a/modules/relay/namespace/hybrid-connection/authorization-rule/main.json +++ b/modules/relay/namespace/hybrid-connection/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2105813068659609285" + "version": "0.23.1.45101", + "templateHash": "8614944991526016585" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", 
diff --git a/modules/relay/namespace/network-rule-set/main.json b/modules/relay/namespace/network-rule-set/main.json index d7742ddf49..c4f2128cf1 100644 --- a/modules/relay/namespace/network-rule-set/main.json +++ b/modules/relay/namespace/network-rule-set/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4617716666405561945" + "version": "0.23.1.45101", + "templateHash": "11855121384015754907" }, "name": "Relay Namespace Network Rules Sets", "description": "This module deploys a Relay Namespace Network Rule Set.", diff --git a/modules/relay/namespace/wcf-relay/authorization-rule/main.json b/modules/relay/namespace/wcf-relay/authorization-rule/main.json index 2ab62ecde8..2734867f0e 100644 --- a/modules/relay/namespace/wcf-relay/authorization-rule/main.json +++ b/modules/relay/namespace/wcf-relay/authorization-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9905508445063497603" + "version": "0.23.1.45101", + "templateHash": "5333168181360876794" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", diff --git a/modules/resources/tags/main.json b/modules/resources/tags/main.json index 1e82fc6871..4e5126e625 100644 --- a/modules/resources/tags/main.json +++ b/modules/resources/tags/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17437787787716832327" + "version": "0.23.1.45101", + "templateHash": "15162198398682035947" }, "name": "Resources Tags", "description": "This module deploys a Resource Tag at a Subscription or Resource Group scope.", 
@@ -107,8 +107,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6739306478169191405" + "version": "0.23.1.45101", + "templateHash": "10898258701499103964" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -188,8 +188,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9833962804635676625" + "version": "0.23.1.45101", + "templateHash": "15368390157759392588" } }, "parameters": { @@ -270,8 +270,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15660323099140717252" + "version": "0.23.1.45101", + "templateHash": "5948722293988001886" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -342,8 +342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4088100020210156530" + "version": "0.23.1.45101", + "templateHash": "18223311450921971493" } }, "parameters": { diff --git a/modules/resources/tags/resource-group/main.json b/modules/resources/tags/resource-group/main.json index 2cae75d417..19d250c7df 100644 --- a/modules/resources/tags/resource-group/main.json +++ b/modules/resources/tags/resource-group/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15660323099140717252" + "version": "0.23.1.45101", + "templateHash": "5948722293988001886" }, "name": "Resources Tags Resource Group", "description": "This module deploys a Resource Tag on a Resource Group scope.", @@ -77,8 +77,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4088100020210156530" + "version": "0.23.1.45101", + "templateHash": "18223311450921971493" } }, "parameters": { 
diff --git a/modules/resources/tags/subscription/main.json b/modules/resources/tags/subscription/main.json index 6640264a96..cb8f474092 100644 --- a/modules/resources/tags/subscription/main.json +++ b/modules/resources/tags/subscription/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6739306478169191405" + "version": "0.23.1.45101", + "templateHash": "10898258701499103964" }, "name": "Resources Tags Subscription Scope", "description": "This module deploys a Resource Tag on a Subscription scope.", @@ -86,8 +86,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9833962804635676625" + "version": "0.23.1.45101", + "templateHash": "15368390157759392588" } }, "parameters": { diff --git a/modules/search/search-service/shared-private-link-resource/main.json b/modules/search/search-service/shared-private-link-resource/main.json index aa59a81fa9..10404f34cd 100644 --- a/modules/search/search-service/shared-private-link-resource/main.json +++ b/modules/search/search-service/shared-private-link-resource/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13590696020139320386" + "version": "0.23.1.45101", + "templateHash": "15235633206826642766" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", diff --git a/modules/service-fabric/cluster/application-type/main.json b/modules/service-fabric/cluster/application-type/main.json index 89edee625a..eacd61f908 100644 --- a/modules/service-fabric/cluster/application-type/main.json +++ b/modules/service-fabric/cluster/application-type/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16143571289588705380" + "version": "0.23.1.45101", + "templateHash": "4810595833725093386" }, "name": "Service Fabric Cluster Application Types", "description": "This module deploys a Service Fabric Cluster Application Type.", diff --git a/modules/sql/managed-instance/administrator/main.json b/modules/sql/managed-instance/administrator/main.json index aa680fae76..ef471a0da8 100644 --- a/modules/sql/managed-instance/administrator/main.json +++ b/modules/sql/managed-instance/administrator/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11038010290222457255" + "version": "0.23.1.45101", + "templateHash": "13377515851590815602" }, "name": "SQL Managed Instances Administrator", "description": "This module deploys a SQL Managed Instance Administrator.", diff --git a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json index e6b1c504bd..1c6f131763 100644 --- a/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json +++ b/modules/sql/managed-instance/database/backup-long-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10571563219835680436" + "version": "0.23.1.45101", + "templateHash": "16019450329698749532" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", diff --git a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json index bbbd9a5c3b..bef1c487f2 100644 
--- a/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json +++ b/modules/sql/managed-instance/database/backup-short-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1444574199601154138" + "version": "0.23.1.45101", + "templateHash": "11209046177276627049" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", diff --git a/modules/sql/managed-instance/database/main.json b/modules/sql/managed-instance/database/main.json index a2638dea38..29e8fad7ba 100644 --- a/modules/sql/managed-instance/database/main.json +++ b/modules/sql/managed-instance/database/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8385261968552186747" + "version": "0.23.1.45101", + "templateHash": "4106645650177315472" }, "name": "SQL Managed Instance Databases", "description": "This module deploys a SQL Managed Instance Database.", @@ -378,8 +378,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1444574199601154138" + "version": "0.23.1.45101", + "templateHash": "11209046177276627049" }, "name": "SQL Managed Instance Database Backup Short-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Short-Term Retention Policy.", @@ -506,8 +506,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10571563219835680436" + "version": "0.23.1.45101", + "templateHash": "16019450329698749532" }, "name": "SQL Managed Instance Database Backup Long-Term Retention Policies", "description": "This module deploys a SQL Managed Instance Database Backup Long-Term Retention Policy.", 
diff --git a/modules/sql/managed-instance/encryption-protector/main.json b/modules/sql/managed-instance/encryption-protector/main.json index 8ae990e86f..bf39b8f8bd 100644 --- a/modules/sql/managed-instance/encryption-protector/main.json +++ b/modules/sql/managed-instance/encryption-protector/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "368930923603337685" + "version": "0.23.1.45101", + "templateHash": "16033269094870106735" }, "name": "SQL Managed Instance Encryption Protector", "description": "This module deploys a SQL Managed Instance Encryption Protector.", diff --git a/modules/sql/managed-instance/key/main.json b/modules/sql/managed-instance/key/main.json index bb44b47e19..4c3185af6a 100644 --- a/modules/sql/managed-instance/key/main.json +++ b/modules/sql/managed-instance/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7006376985801799255" + "version": "0.23.1.45101", + "templateHash": "7581585600933737681" }, "name": "SQL Managed Instance Keys", "description": "This module deploys a SQL Managed Instance Key.", diff --git a/modules/sql/managed-instance/security-alert-policy/main.json b/modules/sql/managed-instance/security-alert-policy/main.json index 3cc136b702..a18b716232 100644 --- a/modules/sql/managed-instance/security-alert-policy/main.json +++ b/modules/sql/managed-instance/security-alert-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "73480634697264424" + "version": "0.23.1.45101", + "templateHash": "5872425656575904293" }, "name": "SQL Managed Instance Security Alert Policies", "description": "This module deploys a SQL Managed Instance Security Alert Policy.", 
diff --git a/modules/sql/managed-instance/vulnerability-assessment/main.json b/modules/sql/managed-instance/vulnerability-assessment/main.json index eb70ed8caa..e731e7a912 100644 --- a/modules/sql/managed-instance/vulnerability-assessment/main.json +++ b/modules/sql/managed-instance/vulnerability-assessment/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5582620280313265167" + "version": "0.23.1.45101", + "templateHash": "8033336711737173681" }, "name": "SQL Managed Instance Vulnerability Assessments", "description": "This module deploys a SQL Managed Instance Vulnerability Assessment.", @@ -127,8 +127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9210546972730714858" + "version": "0.23.1.45101", + "templateHash": "11127995627829971090" } }, "parameters": { diff --git a/modules/sql/server/database/backup-long-term-retention-policy/main.json b/modules/sql/server/database/backup-long-term-retention-policy/main.json index 6d00874970..6e8367af41 100644 --- a/modules/sql/server/database/backup-long-term-retention-policy/main.json +++ b/modules/sql/server/database/backup-long-term-retention-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8422402072460240545" + "version": "0.23.1.45101", + "templateHash": "6078887169611486577" }, "name": "SQL Server Database Long Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", diff --git a/modules/sql/server/database/backup-short-term-retention-policy/main.json b/modules/sql/server/database/backup-short-term-retention-policy/main.json index 64a75a29be..5502db4fc5 100644 --- a/modules/sql/server/database/backup-short-term-retention-policy/main.json +++ b/modules/sql/server/database/backup-short-term-retention-policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11274542290979624142" + "version": "0.23.1.45101", + "templateHash": "16957286289914102707" }, "name": "Azure SQL Server Database Short Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", diff --git a/modules/sql/server/database/main.json b/modules/sql/server/database/main.json index f7e79bc48c..34f0ec70b3 100644 --- a/modules/sql/server/database/main.json +++ b/modules/sql/server/database/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17297721819291768897" + "version": "0.23.1.45101", + "templateHash": "4314496383428784436" }, "name": "SQL Server Database", "description": "This module deploys an Azure SQL Server Database.", @@ -472,8 +472,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11274542290979624142" + "version": "0.23.1.45101", + "templateHash": "16957286289914102707" }, "name": "Azure SQL Server Database Short Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.", @@ -595,8 +595,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8422402072460240545" + "version": "0.23.1.45101", + "templateHash": "6078887169611486577" }, "name": "SQL Server Database Long Term Backup Retention Policies", "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.", diff --git a/modules/sql/server/elastic-pool/main.json b/modules/sql/server/elastic-pool/main.json index dd9e5202b8..1f94baec98 100644 --- a/modules/sql/server/elastic-pool/main.json +++ b/modules/sql/server/elastic-pool/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9388916155534343976" + "version": "0.23.1.45101", + "templateHash": "2462504606421092214" }, "name": "SQL Server Elastic Pool", "description": "This module deploys an Azure SQL Server Elastic Pool.", diff --git a/modules/sql/server/encryption-protector/main.json b/modules/sql/server/encryption-protector/main.json index 718cfcff2b..bae7f41f59 100644 --- a/modules/sql/server/encryption-protector/main.json +++ b/modules/sql/server/encryption-protector/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17224807912051676418" + "version": "0.23.1.45101", + "templateHash": "17270982128022391504" }, "name": "Azure SQL Server Encryption Protector", "description": "This module deploys an Azure SQL Server Encryption Protector.", diff --git a/modules/sql/server/firewall-rule/main.json b/modules/sql/server/firewall-rule/main.json index 23cfad9e0d..ae9f77780b 100644 --- a/modules/sql/server/firewall-rule/main.json +++ b/modules/sql/server/firewall-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "17045860485834879442" + "version": "0.23.1.45101", + "templateHash": "6791289458860590076" }, "name": "Azure SQL Server Firewall Rule", "description": "This module deploys an Azure SQL Server Firewall Rule.", diff --git a/modules/sql/server/key/main.json b/modules/sql/server/key/main.json index 7e4fc30512..25b6ba22c5 100644 --- a/modules/sql/server/key/main.json +++ b/modules/sql/server/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11118825836661698100" + "version": "0.23.1.45101", + "templateHash": "11306919877164146196" }, "name": "Azure SQL Server Keys", "description": "This module deploys an Azure SQL Server Key.", 
diff --git a/modules/sql/server/security-alert-policy/main.json b/modules/sql/server/security-alert-policy/main.json index f7e0552ee2..2ab1e02c88 100644 --- a/modules/sql/server/security-alert-policy/main.json +++ b/modules/sql/server/security-alert-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "6325803563225314820" + "version": "0.23.1.45101", + "templateHash": "15800765189083682209" }, "name": "Azure SQL Server Security Alert Policies", "description": "This module deploys an Azure SQL Server Security Alert Policy.", diff --git a/modules/sql/server/virtual-network-rule/main.json b/modules/sql/server/virtual-network-rule/main.json index bc545b9b1e..52b74413a7 100644 --- a/modules/sql/server/virtual-network-rule/main.json +++ b/modules/sql/server/virtual-network-rule/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "938348054010287381" + "version": "0.23.1.45101", + "templateHash": "8445811621384772574" }, "name": "Azure SQL Server Virtual Network Rules", "description": "This module deploys an Azure SQL Server Virtual Network Rule.", diff --git a/modules/sql/server/vulnerability-assessment/main.json b/modules/sql/server/vulnerability-assessment/main.json index 3942036e23..bd156145db 100644 --- a/modules/sql/server/vulnerability-assessment/main.json +++ b/modules/sql/server/vulnerability-assessment/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1780388510504326565" + "version": "0.23.1.45101", + "templateHash": "2867406426882642505" }, "name": "Azure SQL Server Vulnerability Assessments", "description": "This module deploys an Azure SQL Server Vulnerability Assessment.", 
@@ -127,8 +127,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9210546972730714858" + "version": "0.23.1.45101", + "templateHash": "11127995627829971090" } }, "parameters": { diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json index 0635d9a154..a9670807c1 100644 --- a/modules/storage/storage-account/blob-service/main.json +++ b/modules/storage/storage-account/blob-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18255279964987657305" + "templateHash": "7804367921688111066" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -383,7 +383,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11413707823135400961" + "templateHash": "679743391871280708" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -398,7 +398,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { 
@@ -542,7 +542,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -637,7 +637,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index 204b5b8f35..fe39f789cc 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6280006322501716234" + "templateHash": "14917534017717518918" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -272,7 +272,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15538733704323873805" + "templateHash": "9132955781190739589" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -287,7 +287,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -413,7 +413,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -504,7 +504,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index 5e5e605312..db10af66c2 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1159938655127712786" + "templateHash": "13348116021204111185" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", @@ -240,7 +240,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6271299191275064402" + "templateHash": "1310506738440238472" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -255,7 +255,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -338,7 +338,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { 
@@ -426,7 +426,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", 
diff --git a/modules/synapse/workspace/integration-runtime/main.json b/modules/synapse/workspace/integration-runtime/main.json index c5f4521231..f23599a93a 100644 --- a/modules/synapse/workspace/integration-runtime/main.json +++ b/modules/synapse/workspace/integration-runtime/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3121962670071772951" + "version": "0.23.1.45101", + "templateHash": "15433128731134325120" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", diff --git a/modules/synapse/workspace/key/main.json b/modules/synapse/workspace/key/main.json index 938863a640..371874873e 100644 --- a/modules/synapse/workspace/key/main.json +++ b/modules/synapse/workspace/key/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5952844918734432483" + "version": "0.23.1.45101", + "templateHash": "17878422697036938783" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index cd84a536b0..0d9f2ec478 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -238,7 +238,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { enableDefaultTelemetry: '' ftpEnabled: true inboundIpAddressOverride: '10.0.0.10' - internalLoadBalancingMode: 'Web Publishing' + internalLoadBalancingMode: 'Web, Publishing' location: '' lock: { kind: 'CanNotDelete' @@ -648,7 +648,7 @@ Specifies which endpoints to serve internally in the Virtual Network for the App 'None' 'Publishing' 'Web' - 'Web Publishing' + 'Web, Publishing' ] ``` 
diff --git a/modules/web/hosting-environment/configuration--customdnssuffix/main.json b/modules/web/hosting-environment/configuration--customdnssuffix/main.json index c4d514811f..7bdfbc2f8a 100644 --- a/modules/web/hosting-environment/configuration--customdnssuffix/main.json +++ b/modules/web/hosting-environment/configuration--customdnssuffix/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10660520916707434118" + "version": "0.23.1.45101", + "templateHash": "2088750160033594355" }, "name": "Hosting Environment Custom DNS Suffix Configuration", "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.", diff --git a/modules/web/hosting-environment/configuration--networking/main.json b/modules/web/hosting-environment/configuration--networking/main.json index 0630c14d2c..c609fae4c5 100644 --- a/modules/web/hosting-environment/configuration--networking/main.json +++ b/modules/web/hosting-environment/configuration--networking/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5725974299523715311" + "version": "0.23.1.45101", + "templateHash": "545140399885435174" }, "name": "Hosting Environment Network Configuration", "description": "This module deploys a Hosting Environment Network Configuration.", diff --git a/modules/web/site/config--appsettings/README.md b/modules/web/site/config--appsettings/README.md index bf1c6c2401..8beef8b592 100644 --- a/modules/web/site/config--appsettings/README.md +++ b/modules/web/site/config--appsettings/README.md @@ -51,9 +51,9 @@ Type of site to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` 
diff --git a/modules/web/site/config--appsettings/main.json b/modules/web/site/config--appsettings/main.json index c5bb4f96d9..ace57555b6 100644 --- a/modules/web/site/config--appsettings/main.json +++ b/modules/web/site/config--appsettings/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12140652943143922490" + "version": "0.23.1.45101", + "templateHash": "12410494471478708764" }, "name": "Site App Settings", "description": "This module deploys a Site App Setting.", diff --git a/modules/web/site/config--authsettingsv2/README.md b/modules/web/site/config--authsettingsv2/README.md index 36f7ea8c2a..3c76ae259b 100644 --- a/modules/web/site/config--authsettingsv2/README.md +++ b/modules/web/site/config--authsettingsv2/README.md @@ -54,9 +54,9 @@ Type of site to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` diff --git a/modules/web/site/config--authsettingsv2/main.json b/modules/web/site/config--authsettingsv2/main.json index 3ecec714d3..6f40405eb1 100644 --- a/modules/web/site/config--authsettingsv2/main.json +++ b/modules/web/site/config--authsettingsv2/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1120403064106188130" + "version": "0.23.1.45101", + "templateHash": "15667145082226037238" }, "name": "Site Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", diff --git a/modules/web/site/hybrid-connection-namespace/relay/main.json b/modules/web/site/hybrid-connection-namespace/relay/main.json index bc3ae19be6..e230e699f6 100644 --- a/modules/web/site/hybrid-connection-namespace/relay/main.json +++ b/modules/web/site/hybrid-connection-namespace/relay/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10458383238656360850" + "version": "0.23.1.45101", + "templateHash": "14574905385050050440" }, "name": "Web/Function Apps Hybrid Connection Relay", "description": "This module deploys a Site Hybrid Connection Namespace Relay.", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index f0b32f3fbf..81cb13f3a5 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -93,9 +93,9 @@ Type of slot to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` diff --git a/modules/web/site/slot/config--appsettings/README.md b/modules/web/site/slot/config--appsettings/README.md index 23a65a557e..7ef555845d 100644 --- a/modules/web/site/slot/config--appsettings/README.md +++ b/modules/web/site/slot/config--appsettings/README.md @@ -52,9 +52,9 @@ Type of slot to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` diff --git a/modules/web/site/slot/config--appsettings/main.json b/modules/web/site/slot/config--appsettings/main.json index c4220e1b9a..9f20225ec7 100644 --- a/modules/web/site/slot/config--appsettings/main.json +++ b/modules/web/site/slot/config--appsettings/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13223616826795830599" + "version": "0.23.1.45101", + "templateHash": "10562313393461278954" }, "name": "Site Slot App Settings", "description": "This module deploys a Site Slot App Setting.", 
diff --git a/modules/web/site/slot/config--authsettingsv2/README.md b/modules/web/site/slot/config--authsettingsv2/README.md index 4bb4311a05..f6a3b6b73c 100644 --- a/modules/web/site/slot/config--authsettingsv2/README.md +++ b/modules/web/site/slot/config--authsettingsv2/README.md @@ -55,9 +55,9 @@ Type of slot to deploy. [ 'app' 'functionapp' - 'functionapplinux' - 'functionappworkflowapp' - 'functionappworkflowapplinux' + 'functionapp,linux' + 'functionapp,workflowapp' + 'functionapp,workflowapp,linux' ] ``` diff --git a/modules/web/site/slot/config--authsettingsv2/main.json b/modules/web/site/slot/config--authsettingsv2/main.json index bfdb1d3153..a9c77ad4c3 100644 --- a/modules/web/site/slot/config--authsettingsv2/main.json +++ b/modules/web/site/slot/config--authsettingsv2/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16157844933162881953" + "version": "0.23.1.45101", + "templateHash": "13215271953171449159" }, "name": "Site Slot Auth Settings V2 Config", "description": "This module deploys a Site Auth Settings V2 Configuration.", diff --git a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json b/modules/web/site/slot/hybrid-connection-namespace/relay/main.json index 5381c3268e..3895e0f3d3 100644 --- a/modules/web/site/slot/hybrid-connection-namespace/relay/main.json +++ b/modules/web/site/slot/hybrid-connection-namespace/relay/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11888981629758921842" + "version": "0.23.1.45101", + "templateHash": "299894459930368764" }, "name": "Web/Function Apps Slot Hybrid Connection Relay", "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.", diff --git a/modules/web/static-site/config/main.json b/modules/web/static-site/config/main.json index e063d1a3c3..4740c67aec 100644 --- a/modules/web/static-site/config/main.json 
+++ b/modules/web/static-site/config/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "8340850851413090940" + "version": "0.23.1.45101", + "templateHash": "2145280265348211589" }, "name": "Static Web App Site Config", "description": "This module deploys a Static Web App Site Config.", diff --git a/modules/web/static-site/custom-domain/main.json b/modules/web/static-site/custom-domain/main.json index 6613ffb610..138ed53dc4 100644 --- a/modules/web/static-site/custom-domain/main.json +++ b/modules/web/static-site/custom-domain/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13208835708722733896" + "version": "0.23.1.45101", + "templateHash": "10034836397316444891" }, "name": "Static Web App Site Custom Domains", "description": "This module deploys a Static Web App Site Custom Domain.", diff --git a/modules/web/static-site/linked-backend/main.json b/modules/web/static-site/linked-backend/main.json index 78a05690f0..849ca3e262 100644 --- a/modules/web/static-site/linked-backend/main.json +++ b/modules/web/static-site/linked-backend/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "13553590806488370796" + "version": "0.23.1.45101", + "templateHash": "2577415583443518856" }, "name": "Static Web App Site Linked Backends", "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.", From a348c76a94c5c32deb9c4fcb7fad500c77fb3b31 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Fri, 15 Dec 2023 13:43:06 +0100 Subject: [PATCH 160/178] [Modules] Cluster - Expose AGIC Identity Object Id (#4349) (#4375) * Managed Cluster - Expose AGIC Identity Object Id (#4349) * Add AGIC identity * Set-Module * Update to latest --------- Co-authored-by: Preston Alvarado <700740+coolhome@users.noreply.github.com> --- .../managed-cluster/README.md | 1 + .../managed-cluster/main.bicep | 3 + .../managed-cluster/main.json | 4551 +++++++++-------- 3 files changed, 2283 insertions(+), 2272 deletions(-) diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index bca703ec61..648c316142 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -2425,6 +2425,7 @@ Specifies whether the webApplicationRoutingEnabled add-on is enabled or not. | :-- | :-- | :-- | | `addonProfiles` | object | The addonProfiles of the Kubernetes cluster. | | `controlPlaneFQDN` | string | The control plane FQDN of the managed cluster. | +| `ingressApplicationGatewayIdentityObjectId` | string | The Object ID of Application Gateway Ingress Controller (AGIC) identity. | | `keyvaultIdentityClientId` | string | The Client ID of the Key Vault Secrets Provider identity. | | `keyvaultIdentityObjectId` | string | The Object ID of the Key Vault Secrets Provider identity. | | `kubeletidentityObjectId` | string | The Object ID of the AKS identity. | diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 21208d0a5a..ea5c89b3af 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep 
@@ -753,6 +753,9 @@ output keyvaultIdentityObjectId string = contains(managedCluster.properties, 'ad
 @description('The Client ID of the Key Vault Secrets Provider identity.')
 output keyvaultIdentityClientId string = contains(managedCluster.properties, 'addonProfiles') ? contains(managedCluster.properties.addonProfiles, 'azureKeyvaultSecretsProvider') ? contains(managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider, 'identity') ? managedCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.clientId : '' : '' : ''
 
+@description('The Object ID of Application Gateway Ingress Controller (AGIC) identity.')
+output ingressApplicationGatewayIdentityObjectId string = managedCluster.properties.addonProfiles.?ingressApplicationGateway.?identity.?objectId ?? ''
+
 @description('The location the resource was deployed into.')
 output location string = managedCluster.location
 
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json
index b3e159c0f7..149fdbc9a5 100644
--- a/modules/container-service/managed-cluster/main.json
+++ b/modules/container-service/managed-cluster/main.json
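Review bot: The new `ingressApplicationGatewayIdentityObjectId` output dereferences `managedCluster.properties.addonProfiles` with a plain `.`, so the `.?` chain only protects `ingressApplicationGateway` and below; if a cluster can come back without any add-on profiles, that first lookup is not null-safe, whereas the neighbouring `keyvaultIdentityClientId` output explicitly checks `contains(managedCluster.properties, 'addonProfiles')` first. Making the whole chain safe is a one-line change: `output ingressApplicationGatewayIdentityObjectId string = managedCluster.properties.?addonProfiles.?ingressApplicationGateway.?identity.?objectId ?? ''`. As a point of style, the two adjacent outputs now guard the same shape of lookup with two different idioms (nested `contains()` ternaries versus `.?`/`??`); if the safe-dereference form is the intended direction for this file, the key vault outputs are candidates for the same treatment in a follow-up so the outputs section reads consistently.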
@@ -1,2273 +1,2280 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1679575632831341410" - }, - "name": "Azure Kubernetes Service (AKS) Managed Clusters", - "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "keyVaultNetworkAccess": { - "type": "string", - "allowedValues": [ - "Private", - "Public" - ], - "metadata": { - "description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. 
Specifies the name of the AKS cluster." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default." - } - }, - "dnsPrefix": { - "type": "string", - "defaultValue": "[parameters('name')]", - "metadata": { - "description": "Optional. Specifies the DNS prefix specified when creating the managed cluster." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - }, - "networkDataplane": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "cilium" - ], - "metadata": { - "description": "Optional. Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin." - } - }, - "networkPlugin": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "kubenet" - ], - "metadata": { - "description": "Optional. Specifies the network plugin used for building Kubernetes network." - } - }, - "networkPluginMode": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "overlay" - ], - "metadata": { - "description": "Optional. Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin." - } - }, - "networkPolicy": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "azure", - "calico" - ], - "metadata": { - "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure." - } - }, - "podCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." 
- } - }, - "serviceCidr": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." - } - }, - "dnsServiceIP": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." - } - }, - "loadBalancerSku": { - "type": "string", - "defaultValue": "standard", - "allowedValues": [ - "basic", - "standard" - ], - "metadata": { - "description": "Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." - } - }, - "managedOutboundIPCount": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Outbound IP Count for the Load balancer." - } - }, - "outboundType": { - "type": "string", - "defaultValue": "loadBalancer", - "allowedValues": [ - "loadBalancer", - "userDefinedRouting" - ], - "metadata": { - "description": "Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." - } - }, - "skuTier": { - "type": "string", - "defaultValue": "Free", - "allowedValues": [ - "Free", - "Premium", - "Standard" - ], - "metadata": { - "description": "Optional. Tier of a managed cluster SKU. - Free or Standard." - } - }, - "kubernetesVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of Kubernetes specified when creating the managed cluster." - } - }, - "adminUsername": { - "type": "string", - "defaultValue": "azureuser", - "metadata": { - "description": "Optional. Specifies the administrator username of Linux virtual machines." - } - }, - "sshPublicKey": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the SSH RSA public key string for the Linux nodes." 
- } - }, - "aksServicePrincipalProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster." - } - }, - "aadProfileClientAppID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The client AAD application ID." - } - }, - "aadProfileServerAppID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The server AAD application ID." - } - }, - "aadProfileServerAppSecret": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The server AAD application secret." - } - }, - "aadProfileTenantId": { - "type": "string", - "defaultValue": "[subscription().tenantId]", - "metadata": { - "description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication." - } - }, - "aadProfileAdminGroupObjectIDs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster." - } - }, - "aadProfileManaged": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether to enable managed AAD integration." - } - }, - "enableRBAC": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Whether to enable Kubernetes Role-Based Access Control." - } - }, - "aadProfileEnableAzureRBAC": { - "type": "bool", - "defaultValue": "[parameters('enableRBAC')]", - "metadata": { - "description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization." - } - }, - "disableLocalAccounts": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If set to true, getting static credentials will be disabled for this cluster. 
This must only be used on Managed Clusters that are AAD enabled." - } - }, - "nodeResourceGroup": { - "type": "string", - "defaultValue": "[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]", - "metadata": { - "description": "Optional. Name of the resource group containing agent pool nodes." - } - }, - "authorizedIPRanges": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer." - } - }, - "disableRunCommand": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to disable run command for the cluster or not." - } - }, - "enablePrivateCluster": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether to create the cluster as a private cluster or not." - } - }, - "enablePrivateClusterPublicFQDN": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to create additional public FQDN for private cluster or not." - } - }, - "privateDNSZone": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone." - } - }, - "primaryAgentPoolProfile": { - "type": "array", - "metadata": { - "description": "Required. Properties of the primary agent pool." - } - }, - "agentPools": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Define one or more secondary/additional agent pools." 
- } - }, - "httpApplicationRoutingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the httpApplicationRouting add-on is enabled or not." - } - }, - "webApplicationRoutingEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the webApplicationRoutingEnabled add-on is enabled or not." - } - }, - "dnsZoneResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`." - } - }, - "enableDnsZoneContributorRoleAssignment": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided." - } - }, - "ingressApplicationGatewayEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not." - } - }, - "appGatewayResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Conditional. Specifies the resource ID of connected application gateway. Required if `ingressApplicationGatewayEnabled` is set to `true`." - } - }, - "aciConnectorLinuxEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the aciConnectorLinux add-on is enabled or not." - } - }, - "azurePolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled." 
- } - }, - "openServiceMeshEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the openServiceMesh add-on is enabled or not." - } - }, - "azurePolicyVersion": { - "type": "string", - "defaultValue": "v2", - "metadata": { - "description": "Optional. Specifies the azure policy version to use." - } - }, - "kubeDashboardEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the kubeDashboard add-on is enabled or not." - } - }, - "enableKeyvaultSecretsProvider": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on is enabled or not." - } - }, - "enableSecretRotation": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation." - } - }, - "autoScalerProfileScanInterval": { - "type": "string", - "defaultValue": "10s", - "metadata": { - "description": "Optional. Specifies the scan interval of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterAdd": { - "type": "string", - "defaultValue": "10m", - "metadata": { - "description": "Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterDelete": { - "type": "string", - "defaultValue": "20s", - "metadata": { - "description": "Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownDelayAfterFailure": { - "type": "string", - "defaultValue": "3m", - "metadata": { - "description": "Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster." 
- } - }, - "autoScalerProfileScaleDownUnneededTime": { - "type": "string", - "defaultValue": "10m", - "metadata": { - "description": "Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileScaleDownUnreadyTime": { - "type": "string", - "defaultValue": "20m", - "metadata": { - "description": "Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileUtilizationThreshold": { - "type": "string", - "defaultValue": "0.5", - "metadata": { - "description": "Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxGracefulTerminationSec": { - "type": "string", - "defaultValue": "600", - "metadata": { - "description": "Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileBalanceSimilarNodeGroups": { - "type": "string", - "defaultValue": "false", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies the balance of similar node groups for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileExpander": { - "type": "string", - "defaultValue": "random", - "allowedValues": [ - "least-waste", - "most-pods", - "priority", - "random" - ], - "metadata": { - "description": "Optional. Specifies the expand strategy for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxEmptyBulkDelete": { - "type": "string", - "defaultValue": "10", - "metadata": { - "description": "Optional. Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileMaxNodeProvisionTime": { - "type": "string", - "defaultValue": "15m", - "metadata": { - "description": "Optional. Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an \"m\". 
No unit of time other than minutes (m) is supported." - } - }, - "autoScalerProfileMaxTotalUnreadyPercentage": { - "type": "string", - "defaultValue": "45", - "metadata": { - "description": "Optional. Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0." - } - }, - "autoScalerProfileNewPodScaleUpDelay": { - "type": "string", - "defaultValue": "0s", - "metadata": { - "description": "Optional. For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit (\"s\" for seconds, \"m\" for minutes, \"h\" for hours, etc)." - } - }, - "autoScalerProfileOkTotalUnreadyCount": { - "type": "string", - "defaultValue": "3", - "metadata": { - "description": "Optional. Specifies the OK total unready count for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileSkipNodesWithLocalStorage": { - "type": "string", - "defaultValue": "true", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster." - } - }, - "autoScalerProfileSkipNodesWithSystemPods": { - "type": "string", - "defaultValue": "true", - "allowedValues": [ - "false", - "true" - ], - "metadata": { - "description": "Optional. Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster." - } - }, - "autoUpgradeProfileUpgradeChannel": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "node-image", - "none", - "patch", - "rapid", - "stable", - "" - ], - "metadata": { - "description": "Optional. Auto-upgrade channel on the AKS cluster." - } - }, - "podIdentityProfileAllowNetworkPluginKubenet": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. 
Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing." - } - }, - "podIdentityProfileEnable": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the pod identity addon is enabled." - } - }, - "podIdentityProfileUserAssignedIdentities": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The pod identities to use in the cluster." - } - }, - "podIdentityProfileUserAssignedIdentityExceptions": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The pod identity exceptions to allow." - } - }, - "enableOidcIssuerProfile": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the The OIDC issuer profile of the Managed Cluster is enabled." - } - }, - "enableWorkloadIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled." - } - }, - "enableAzureDefender": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Azure Defender." - } - }, - "enablePodSecurityPolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription." - } - }, - "enableStorageProfileBlobCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureBlob CSI Driver for the storage profile is enabled." - } - }, - "enableStorageProfileDiskCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureDisk CSI Driver for the storage profile is enabled." 
- } - }, - "enableStorageProfileFileCSIDriver": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the AzureFile CSI Driver for the storage profile is enabled." - } - }, - "enableStorageProfileSnapshotController": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the snapshot controller for the storage profile is enabled." - } - }, - "supportPlan": { - "type": "string", - "defaultValue": "KubernetesOfficial", - "allowedValues": [ - "AKSLongTermSupport", - "KubernetesOfficial" - ], - "metadata": { - "description": "Optional. The support plan for the Managed Cluster." - } - }, - "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "omsAgentEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Specifies whether the OMS agent is enabled." - } - }, - "monitoringWorkspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the monitoring log analytics workspace." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "diskEncryptionSetID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The resource ID of the disc encryption set to apply to the cluster. 
For security reasons, this value should be provided." - } - }, - "fluxConfigurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." - } - }, - "fluxExtension": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Settings and configurations for the flux extension." - } - }, - "httpProxyConfig": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configurations for provisioning the cluster with HTTP proxy servers." - } - }, - "identityProfile": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Identities associated with the cluster." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "enableAzureMonitorProfileMetrics": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled." - } - }, - "metricLabelsAllowlist": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A comma-separated list of additional Kubernetes label keys." - } - }, - "metricAnnotationsAllowList": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A comma-separated list of Kubernetes annotation keys." 
- } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "linuxProfile": { - "adminUsername": "[parameters('adminUsername')]", - "ssh": { - "publicKeys": [ - { - "keyData": "[parameters('sshPublicKey')]" - } - ] - } - }, - "lbProfile": { - "managedOutboundIPs": { - "count": "[parameters('managedOutboundIPCount')]" - }, - "effectiveOutboundIPs": [] - }, - "enableReferencedModulesTelemetry": false, - "builtInRoleNames": { - "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", - "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", - "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", - "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '30b27cfc-9c84-438e-b0ce-70e35255df80')]", - "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'5af6afb3-c06c-4fa4-8848-71a8aee05683')]", - "Azure Kubernetes Service Cluster Admin Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster Monitoring User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')]", - "Azure Kubernetes Service Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", - "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", - "Azure Kubernetes Service RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", - "Azure Kubernetes Service RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Kubernetes Agentless Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User 
Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] - }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedCluster": { - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-07-02-preview", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": { - "name": "Base", - "tier": "[parameters('skuTier')]" - }, - "properties": { - "httpProxyConfig": "[if(not(empty(parameters('httpProxyConfig'))), parameters('httpProxyConfig'), null())]", - "identityProfile": "[if(not(empty(parameters('identityProfile'))), parameters('identityProfile'), null())]", - "diskEncryptionSetID": "[if(not(empty(parameters('diskEncryptionSetID'))), parameters('diskEncryptionSetID'), null())]", - "kubernetesVersion": "[if(empty(parameters('kubernetesVersion')), null(), parameters('kubernetesVersion'))]", - "dnsPrefix": "[parameters('dnsPrefix')]", - "agentPoolProfiles": "[parameters('primaryAgentPoolProfile')]", - "linuxProfile": "[if(empty(parameters('sshPublicKey')), null(), variables('linuxProfile'))]", - "servicePrincipalProfile": "[if(empty(parameters('aksServicePrincipalProfile')), null(), parameters('aksServicePrincipalProfile'))]", - "ingressProfile": { - "webAppRouting": { - "enabled": "[parameters('webApplicationRoutingEnabled')]", - "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]" - } - }, - "addonProfiles": { - "httpApplicationRouting": { - "enabled": "[parameters('httpApplicationRoutingEnabled')]" - }, - "ingressApplicationGateway": { - "enabled": "[and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId'))))]", - "config": "[if(and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId')))), createObject('applicationGatewayId', 
if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null()), 'effectiveApplicationGatewayId', if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null())), null())]" - }, - "omsagent": { - "enabled": "[and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId'))))]", - "config": "[if(and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId')))), createObject('logAnalyticsWorkspaceResourceID', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]" - }, - "aciConnectorLinux": { - "enabled": "[parameters('aciConnectorLinuxEnabled')]" - }, - "azurepolicy": { - "enabled": "[parameters('azurePolicyEnabled')]", - "config": "[if(parameters('azurePolicyEnabled'), createObject('version', parameters('azurePolicyVersion')), null())]" - }, - "openServiceMesh": { - "enabled": "[parameters('openServiceMeshEnabled')]", - "config": "[if(parameters('openServiceMeshEnabled'), createObject(), null())]" - }, - "kubeDashboard": { - "enabled": "[parameters('kubeDashboardEnabled')]" - }, - "azureKeyvaultSecretsProvider": { - "enabled": "[parameters('enableKeyvaultSecretsProvider')]", - "config": "[if(parameters('enableKeyvaultSecretsProvider'), createObject('enableSecretRotation', parameters('enableSecretRotation')), null())]" - } - }, - "oidcIssuerProfile": "[if(parameters('enableOidcIssuerProfile'), createObject('enabled', parameters('enableOidcIssuerProfile')), null())]", - "enableRBAC": "[parameters('enableRBAC')]", - "disableLocalAccounts": "[parameters('disableLocalAccounts')]", - "nodeResourceGroup": "[parameters('nodeResourceGroup')]", - "enablePodSecurityPolicy": "[parameters('enablePodSecurityPolicy')]", - "networkProfile": { - "networkDataplane": "[if(not(empty(parameters('networkDataplane'))), parameters('networkDataplane'), null())]", - "networkPlugin": "[if(not(empty(parameters('networkPlugin'))), 
parameters('networkPlugin'), null())]", - "networkPluginMode": "[if(not(empty(parameters('networkPluginMode'))), parameters('networkPluginMode'), null())]", - "networkPolicy": "[if(not(empty(parameters('networkPolicy'))), parameters('networkPolicy'), null())]", - "podCidr": "[if(not(empty(parameters('podCidr'))), parameters('podCidr'), null())]", - "serviceCidr": "[if(not(empty(parameters('serviceCidr'))), parameters('serviceCidr'), null())]", - "dnsServiceIP": "[if(not(empty(parameters('dnsServiceIP'))), parameters('dnsServiceIP'), null())]", - "outboundType": "[parameters('outboundType')]", - "loadBalancerSku": "[parameters('loadBalancerSku')]", - "loadBalancerProfile": "[if(not(equals(parameters('managedOutboundIPCount'), 0)), variables('lbProfile'), null())]" - }, - "aadProfile": { - "clientAppID": "[parameters('aadProfileClientAppID')]", - "serverAppID": "[parameters('aadProfileServerAppID')]", - "serverAppSecret": "[parameters('aadProfileServerAppSecret')]", - "managed": "[parameters('aadProfileManaged')]", - "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", - "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", - "tenantID": "[parameters('aadProfileTenantId')]" - }, - "autoScalerProfile": { - "balance-similar-node-groups": "[parameters('autoScalerProfileBalanceSimilarNodeGroups')]", - "expander": "[parameters('autoScalerProfileExpander')]", - "max-empty-bulk-delete": "[parameters('autoScalerProfileMaxEmptyBulkDelete')]", - "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]", - "max-node-provision-time": "[parameters('autoScalerProfileMaxNodeProvisionTime')]", - "max-total-unready-percentage": "[parameters('autoScalerProfileMaxTotalUnreadyPercentage')]", - "new-pod-scale-up-delay": "[parameters('autoScalerProfileNewPodScaleUpDelay')]", - "ok-total-unready-count": "[parameters('autoScalerProfileOkTotalUnreadyCount')]", - "scale-down-delay-after-add": 
"[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", - "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", - "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", - "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", - "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", - "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", - "scan-interval": "[parameters('autoScalerProfileScanInterval')]", - "skip-nodes-with-local-storage": "[parameters('autoScalerProfileSkipNodesWithLocalStorage')]", - "skip-nodes-with-system-pods": "[parameters('autoScalerProfileSkipNodesWithSystemPods')]" - }, - "autoUpgradeProfile": { - "upgradeChannel": "[if(not(empty(parameters('autoUpgradeProfileUpgradeChannel'))), parameters('autoUpgradeProfileUpgradeChannel'), null())]" - }, - "apiServerAccessProfile": { - "authorizedIPRanges": "[parameters('authorizedIPRanges')]", - "disableRunCommand": "[parameters('disableRunCommand')]", - "enablePrivateCluster": "[parameters('enablePrivateCluster')]", - "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]", - "privateDNSZone": "[parameters('privateDNSZone')]" - }, - "azureMonitorProfile": { - "metrics": "[if(parameters('enableAzureMonitorProfileMetrics'), createObject('enabled', true(), 'kubeStateMetrics', createObject('metricAnnotationsAllowList', parameters('metricAnnotationsAllowList'), 'metricLabelsAllowlist', parameters('metricLabelsAllowlist'))), null())]" - }, - "podIdentityProfile": { - "allowNetworkPluginKubenet": "[parameters('podIdentityProfileAllowNetworkPluginKubenet')]", - "enabled": "[parameters('podIdentityProfileEnable')]", - "userAssignedIdentities": "[parameters('podIdentityProfileUserAssignedIdentities')]", - "userAssignedIdentityExceptions": "[parameters('podIdentityProfileUserAssignedIdentityExceptions')]" 
- }, - "securityProfile": { - "azureKeyVaultKms": "[if(not(empty(parameters('customerManagedKey'))), createObject('enabled', true(), 'keyId', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'keyVaultNetworkAccess', parameters('customerManagedKey').keyVaultNetworkAccess, 'keyVaultResourceId', if(equals(parameters('customerManagedKey').keyVaultNetworkAccess, 'Private'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), null())), null())]", - "defender": "[if(parameters('enableAzureDefender'), createObject('securityMonitoring', createObject('enabled', parameters('enableAzureDefender')), 'logAnalyticsWorkspaceResourceId', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]", - "workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]" - }, - "storageProfile": { - "blobCSIDriver": { - "enabled": "[parameters('enableStorageProfileBlobCSIDriver')]" - }, - "diskCSIDriver": { - "enabled": "[parameters('enableStorageProfileDiskCSIDriver')]" - }, - "fileCSIDriver": { - "enabled": "[parameters('enableStorageProfileFileCSIDriver')]" - }, - "snapshotController": { - "enabled": "[parameters('enableStorageProfileSnapshotController')]" - } - }, - "supportPlan": "[parameters('supportPlan')]" - }, - "dependsOn": [ - "cMKKeyVault" - ] - }, - "managedCluster_lock": { - "condition": 
"[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_diagnosticSettings": { - "copy": { - "name": "managedCluster_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', 
true())))]", - "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_roleAssignments": { - "copy": { - "name": "managedCluster_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", - "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - 
"description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "managedCluster" - ] - }, - "dnsZone": { - "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", - "existing": true, - "type": "Microsoft.Network/dnsZones", - "apiVersion": "2018-05-01", - "name": "[last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/'))]" - }, - "dnsZone_roleAssignment": { - "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/')))]", - "name": "[guid(parameters('dnsZoneResourceId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')]", - "properties": { - "roleDefinitionId": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "principalId": "[reference('managedCluster').ingressProfile.webAppRouting.identity.objectId]", - "principalType": "ServicePrincipal" - }, - "dependsOn": [ - "dnsZone", - "managedCluster" - ] - }, - "managedCluster_agentPools": { - "copy": { - "name": "managedCluster_agentPools", - "count": "[length(parameters('agentPools'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-AgentPool-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "managedClusterName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[parameters('agentPools')[copyIndex()].name]" - }, - "availabilityZones": "[if(contains(parameters('agentPools')[copyIndex()], 'availabilityZones'), createObject('value', parameters('agentPools')[copyIndex()].availabilityZones), createObject('value', createArray()))]", - "count": "[if(contains(parameters('agentPools')[copyIndex()], 'count'), createObject('value', parameters('agentPools')[copyIndex()].count), createObject('value', 1))]", - "sourceResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'sourceResourceId'), createObject('value', parameters('agentPools')[copyIndex()].sourceResourceId), createObject('value', ''))]", - "enableAutoScaling": "[if(contains(parameters('agentPools')[copyIndex()], 'enableAutoScaling'), createObject('value', parameters('agentPools')[copyIndex()].enableAutoScaling), createObject('value', false()))]", - "enableEncryptionAtHost": "[if(contains(parameters('agentPools')[copyIndex()], 'enableEncryptionAtHost'), createObject('value', parameters('agentPools')[copyIndex()].enableEncryptionAtHost), createObject('value', false()))]", - "enableFIPS": 
"[if(contains(parameters('agentPools')[copyIndex()], 'enableFIPS'), createObject('value', parameters('agentPools')[copyIndex()].enableFIPS), createObject('value', false()))]", - "enableNodePublicIP": "[if(contains(parameters('agentPools')[copyIndex()], 'enableNodePublicIP'), createObject('value', parameters('agentPools')[copyIndex()].enableNodePublicIP), createObject('value', false()))]", - "enableUltraSSD": "[if(contains(parameters('agentPools')[copyIndex()], 'enableUltraSSD'), createObject('value', parameters('agentPools')[copyIndex()].enableUltraSSD), createObject('value', false()))]", - "gpuInstanceProfile": "[if(contains(parameters('agentPools')[copyIndex()], 'gpuInstanceProfile'), createObject('value', parameters('agentPools')[copyIndex()].gpuInstanceProfile), createObject('value', ''))]", - "kubeletDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'kubeletDiskType'), createObject('value', parameters('agentPools')[copyIndex()].kubeletDiskType), createObject('value', ''))]", - "maxCount": "[if(contains(parameters('agentPools')[copyIndex()], 'maxCount'), createObject('value', parameters('agentPools')[copyIndex()].maxCount), createObject('value', -1))]", - "maxPods": "[if(contains(parameters('agentPools')[copyIndex()], 'maxPods'), createObject('value', parameters('agentPools')[copyIndex()].maxPods), createObject('value', -1))]", - "minCount": "[if(contains(parameters('agentPools')[copyIndex()], 'minCount'), createObject('value', parameters('agentPools')[copyIndex()].minCount), createObject('value', -1))]", - "mode": "[if(contains(parameters('agentPools')[copyIndex()], 'mode'), createObject('value', parameters('agentPools')[copyIndex()].mode), createObject('value', ''))]", - "nodeLabels": "[if(contains(parameters('agentPools')[copyIndex()], 'nodeLabels'), createObject('value', parameters('agentPools')[copyIndex()].nodeLabels), createObject('value', createObject()))]", - "nodePublicIpPrefixId": "[if(contains(parameters('agentPools')[copyIndex()], 
'nodePublicIpPrefixId'), createObject('value', parameters('agentPools')[copyIndex()].nodePublicIpPrefixId), createObject('value', ''))]", - "nodeTaints": "[if(contains(parameters('agentPools')[copyIndex()], 'nodeTaints'), createObject('value', parameters('agentPools')[copyIndex()].nodeTaints), createObject('value', createArray()))]", - "orchestratorVersion": "[if(contains(parameters('agentPools')[copyIndex()], 'orchestratorVersion'), createObject('value', parameters('agentPools')[copyIndex()].orchestratorVersion), createObject('value', parameters('kubernetesVersion')))]", - "osDiskSizeGB": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskSizeGB'), createObject('value', parameters('agentPools')[copyIndex()].osDiskSizeGB), createObject('value', -1))]", - "osDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskType'), createObject('value', parameters('agentPools')[copyIndex()].osDiskType), createObject('value', ''))]", - "osSku": "[if(contains(parameters('agentPools')[copyIndex()], 'osSku'), createObject('value', parameters('agentPools')[copyIndex()].osSku), createObject('value', ''))]", - "osType": "[if(contains(parameters('agentPools')[copyIndex()], 'osType'), createObject('value', parameters('agentPools')[copyIndex()].osType), createObject('value', 'Linux'))]", - "podSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'podSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].podSubnetId), createObject('value', ''))]", - "proximityPlacementGroupResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'proximityPlacementGroupResourceId'), createObject('value', parameters('agentPools')[copyIndex()].proximityPlacementGroupResourceId), createObject('value', ''))]", - "scaleDownMode": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleDownMode'), createObject('value', parameters('agentPools')[copyIndex()].scaleDownMode), createObject('value', 'Delete'))]", - "scaleSetEvictionPolicy": 
"[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetEvictionPolicy'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetEvictionPolicy), createObject('value', 'Delete'))]", - "scaleSetPriority": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetPriority'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetPriority), createObject('value', ''))]", - "spotMaxPrice": "[if(contains(parameters('agentPools')[copyIndex()], 'spotMaxPrice'), createObject('value', parameters('agentPools')[copyIndex()].spotMaxPrice), createObject('value', -1))]", - "tags": { - "value": "[coalesce(tryGet(parameters('agentPools')[copyIndex()], 'tags'), parameters('tags'))]" - }, - "type": "[if(contains(parameters('agentPools')[copyIndex()], 'type'), createObject('value', parameters('agentPools')[copyIndex()].type), createObject('value', ''))]", - "maxSurge": "[if(contains(parameters('agentPools')[copyIndex()], 'maxSurge'), createObject('value', parameters('agentPools')[copyIndex()].maxSurge), createObject('value', ''))]", - "vmSize": "[if(contains(parameters('agentPools')[copyIndex()], 'vmSize'), createObject('value', parameters('agentPools')[copyIndex()].vmSize), createObject('value', 'Standard_D2s_v3'))]", - "vnetSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'vnetSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].vnetSubnetId), createObject('value', ''))]", - "workloadRuntime": "[if(contains(parameters('agentPools')[copyIndex()], 'workloadRuntime'), createObject('value', parameters('agentPools')[copyIndex()].workloadRuntime), createObject('value', ''))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.23.1.45101", - "templateHash": "13811832596066396545" - }, - "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", - "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "managedClusterName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent managed cluster. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the agent pool." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is \"VirtualMachineScaleSets\"." - } - }, - "count": { - "type": "int", - "defaultValue": 1, - "minValue": 0, - "maxValue": 1000, - "metadata": { - "description": "Optional. Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1." - } - }, - "sourceResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This is the ARM ID of the source object to be used to create the target object." - } - }, - "enableAutoScaling": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable auto-scaler." - } - }, - "enableEncryptionAtHost": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled." 
- } - }, - "enableFIPS": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details." - } - }, - "enableNodePublicIP": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools)." - } - }, - "enableUltraSSD": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether to enable UltraSSD." - } - }, - "gpuInstanceProfile": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "MIG1g", - "MIG2g", - "MIG3g", - "MIG4g", - "MIG7g", - "" - ], - "metadata": { - "description": "Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU." - } - }, - "kubeletDiskType": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." - } - }, - "maxCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of nodes for auto-scaling." - } - }, - "maxPods": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The maximum number of pods that can run on a node." - } - }, - "minCount": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. The minimum number of nodes for auto-scaling." 
- } - }, - "mode": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. A cluster must have at least one \"System\" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools." - } - }, - "nodeLabels": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The node labels to be persisted across all nodes in agent pool." - } - }, - "nodePublicIpPrefixId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ResourceId of the node PublicIPPrefix." - } - }, - "nodeTaints": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." - } - }, - "orchestratorVersion": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool)." - } - }, - "osDiskSizeGB": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." - } - }, - "osDiskType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Ephemeral", - "Managed", - "" - ], - "metadata": { - "description": "Optional. 
The default is \"Ephemeral\" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to \"Managed\". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os)." - } - }, - "osSku": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "AzureLinux", - "CBLMariner", - "Ubuntu", - "Windows2019", - "Windows2022", - "" - ], - "metadata": { - "description": "Optional. Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows." - } - }, - "osType": { - "type": "string", - "defaultValue": "Linux", - "allowedValues": [ - "Linux", - "Windows" - ], - "metadata": { - "description": "Optional. The operating system type. The default is Linux." - } - }, - "podSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "proximityPlacementGroupResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ID for the Proximity Placement Group." - } - }, - "scaleDownMode": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing)." 
- } - }, - "scaleSetEvictionPolicy": { - "type": "string", - "defaultValue": "Delete", - "allowedValues": [ - "Deallocate", - "Delete" - ], - "metadata": { - "description": "Optional. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs." - } - }, - "scaleSetPriority": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "Regular", - "Spot", - "" - ], - "metadata": { - "description": "Optional. The Virtual Machine Scale Set priority." - } - }, - "spotMaxPrice": { - "type": "int", - "defaultValue": -1, - "metadata": { - "description": "Optional. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing)." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "type": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The type of Agent Pool." - } - }, - "maxSurge": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. This can either be set to an integer (e.g. \"5\") or a percentage (e.g. \"50%\"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade." - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3", - "metadata": { - "description": "Optional. VM size. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. 
For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions." - } - }, - "vnetSubnetId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." - } - }, - "workloadRuntime": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Determines the type of workload a node can run." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - } - }, - "variables": { - "creationData": { - "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]" - }, - "upgradeSettings": { - "maxSurge": "[parameters('maxSurge')]" - } - }, - "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - "managedCluster": { - "existing": true, - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2023-07-02-preview", - "name": "[parameters('managedClusterName')]" - }, - "agentPool": { - "type": "Microsoft.ContainerService/managedClusters/agentPools", - "apiVersion": "2023-07-02-preview", - "name": "[format('{0}/{1}', 
parameters('managedClusterName'), parameters('name'))]", - "properties": { - "availabilityZones": "[parameters('availabilityZones')]", - "count": "[parameters('count')]", - "creationData": "[if(not(empty(parameters('sourceResourceId'))), variables('creationData'), null())]", - "enableAutoScaling": "[parameters('enableAutoScaling')]", - "enableEncryptionAtHost": "[parameters('enableEncryptionAtHost')]", - "enableFIPS": "[parameters('enableFIPS')]", - "enableNodePublicIP": "[parameters('enableNodePublicIP')]", - "enableUltraSSD": "[parameters('enableUltraSSD')]", - "gpuInstanceProfile": "[if(not(empty(parameters('gpuInstanceProfile'))), parameters('gpuInstanceProfile'), null())]", - "kubeletDiskType": "[parameters('kubeletDiskType')]", - "maxCount": "[if(not(equals(parameters('maxCount'), -1)), parameters('maxCount'), null())]", - "maxPods": "[if(not(equals(parameters('maxPods'), -1)), parameters('maxPods'), null())]", - "minCount": "[if(not(equals(parameters('minCount'), -1)), parameters('minCount'), null())]", - "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", - "nodeLabels": "[parameters('nodeLabels')]", - "nodePublicIPPrefixID": "[if(not(empty(parameters('nodePublicIpPrefixId'))), parameters('nodePublicIpPrefixId'), null())]", - "nodeTaints": "[parameters('nodeTaints')]", - "orchestratorVersion": "[parameters('orchestratorVersion')]", - "osDiskSizeGB": "[if(not(equals(parameters('osDiskSizeGB'), -1)), parameters('osDiskSizeGB'), null())]", - "osDiskType": "[if(not(empty(parameters('osDiskType'))), parameters('osDiskType'), null())]", - "osSKU": "[if(not(empty(parameters('osSku'))), parameters('osSku'), null())]", - "osType": "[parameters('osType')]", - "podSubnetID": "[if(not(empty(parameters('podSubnetId'))), parameters('podSubnetId'), null())]", - "proximityPlacementGroupID": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), parameters('proximityPlacementGroupResourceId'), null())]", - "scaleDownMode": 
"[parameters('scaleDownMode')]", - "scaleSetEvictionPolicy": "[parameters('scaleSetEvictionPolicy')]", - "scaleSetPriority": "[if(not(empty(parameters('scaleSetPriority'))), parameters('scaleSetPriority'), null())]", - "spotMaxPrice": "[parameters('spotMaxPrice')]", - "tags": "[parameters('tags')]", - "type": "[parameters('type')]", - "upgradeSettings": "[variables('upgradeSettings')]", - "vmSize": "[parameters('vmSize')]", - "vnetSubnetID": "[parameters('vnetSubnetId')]", - "workloadRuntime": "[parameters('workloadRuntime')]" - }, - "dependsOn": [ - "managedCluster" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the agent pool." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the agent pool." - }, - "value": "[resourceId('Microsoft.ContainerService/managedClusters/agentPools', parameters('managedClusterName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the agent pool was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedCluster" - ] - }, - "managedCluster_extension": { - "condition": "[not(empty(parameters('fluxExtension')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-FluxExtension', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "clusterName": { - "value": "[parameters('name')]" - }, - "configurationProtectedSettings": "[if(not(empty(parameters('fluxConfigurationProtectedSettings'))), createObject('value', parameters('fluxConfigurationProtectedSettings')), createObject('value', createObject()))]", - "configurationSettings": "[if(contains(parameters('fluxExtension'), 'configurationSettings'), createObject('value', parameters('fluxExtension').configurationSettings), createObject('value', createObject()))]", - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "extensionType": { - "value": "microsoft.flux" - }, - "fluxConfigurations": { - "value": "[parameters('fluxExtension').configurations]" - }, - "location": { - "value": "[parameters('location')]" - }, - "name": { - "value": "flux" - }, - "releaseNamespace": { - "value": "flux-system" - }, - "releaseTrain": "[if(contains(parameters('fluxExtension'), 'releaseTrain'), createObject('value', parameters('fluxExtension').releaseTrain), createObject('value', 'Stable'))]", - "version": "[if(contains(parameters('fluxExtension'), 'version'), createObject('value', parameters('fluxExtension').version), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "548642834195454661" - }, - "name": 
"Kubernetes Configuration Extensions", - "description": "This module deploys a Kubernetes Configuration Extension.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." - } - }, - "configurationSettings": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Configuration settings, as name-value pairs for configuring this extension." - } - }, - "extensionType": { - "type": "string", - "metadata": { - "description": "Required. Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher." - } - }, - "releaseTrain": { - "type": "string", - "defaultValue": "Stable", - "metadata": { - "description": "Optional. ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is \"true\"." - } - }, - "releaseNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension Release must be placed, for a Cluster scoped extension. 
If this namespace does not exist, it will be created." - } - }, - "targetNamespace": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created." - } - }, - "version": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Version of the extension for this extension, if it is \"pinned\" to a specific version." - } - }, - "fluxConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of flux configuraitons." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/extensions", - "apiVersion": "2022-03-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "autoUpgradeMinorVersion": "[if(not(empty(parameters('version'))), false(), true())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "configurationSettings": "[if(not(empty(parameters('configurationSettings'))), parameters('configurationSettings'), createObject())]", - "extensionType": "[parameters('extensionType')]", - "releaseTrain": "[if(not(empty(parameters('releaseTrain'))), parameters('releaseTrain'), null())]", - "scope": { - "cluster": 
"[if(not(empty(parameters('releaseNamespace'))), createObject('releaseNamespace', parameters('releaseNamespace')), null())]", - "namespace": "[if(not(empty(parameters('targetNamespace'))), createObject('targetNamespace', parameters('targetNamespace')), null())]" - }, - "version": "[if(not(empty(parameters('version'))), parameters('version'), null())]" - } - }, - { - "copy": { - "name": "fluxConfiguration", - "count": "[length(parameters('fluxConfigurations'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-ManagedCluster-FluxConfiguration{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "enableDefaultTelemetry": { - "value": "[parameters('enableDefaultTelemetry')]" - }, - "clusterName": { - "value": "[parameters('clusterName')]" - }, - "scope": { - "value": "[parameters('fluxConfigurations')[copyIndex()].scope]" - }, - "namespace": { - "value": "[parameters('fluxConfigurations')[copyIndex()].namespace]" - }, - "sourceKind": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', 'GitRepository'), createObject('value', 'Bucket'))]", - "name": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'name'), createObject('value', parameters('fluxConfigurations')[copyIndex()].name), createObject('value', toLower(format('{0}-fluxconfiguration{1}', parameters('clusterName'), copyIndex()))))]", - "bucket": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'bucket'), createObject('value', parameters('fluxConfigurations')[copyIndex()].bucket), createObject('value', createObject()))]", - "configurationProtectedSettings": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'configurationProtectedSettings'), createObject('value', 
parameters('fluxConfigurations')[copyIndex()].configurationProtectedSettings), createObject('value', createObject()))]", - "gitRepository": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', parameters('fluxConfigurations')[copyIndex()].gitRepository), createObject('value', createObject()))]", - "kustomizations": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'kustomizations'), createObject('value', parameters('fluxConfigurations')[copyIndex()].kustomizations), createObject('value', createObject()))]", - "suspend": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'suspend'), createObject('value', parameters('fluxConfigurations')[copyIndex()].suspend), createObject('value', false()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10031296768791737313" - }, - "name": "Kubernetes Configuration Flux Configurations", - "description": "This module deploys a Kubernetes Configuration Flux Configuration.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Flux Configuration." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } - }, - "clusterName": { - "type": "string", - "metadata": { - "description": "Required. The name of the AKS cluster that should be configured." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "bucket": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. 
Parameters to reconcile to the GitRepository source kind type." - } - }, - "configurationProtectedSettings": { - "type": "secureObject", - "defaultValue": {}, - "metadata": { - "description": "Optional. Key-value pairs of protected configuration settings for the configuration." - } - }, - "gitRepository": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters to reconcile to the GitRepository source kind type." - } - }, - "kustomizations": { - "type": "object", - "metadata": { - "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." - } - }, - "namespace": { - "type": "string", - "metadata": { - "description": "Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only." - } - }, - "scope": { - "type": "string", - "allowedValues": [ - "cluster", - "namespace" - ], - "metadata": { - "description": "Required. Scope at which the configuration will be installed." - } - }, - "sourceKind": { - "type": "string", - "allowedValues": [ - "Bucket", - "GitRepository" - ], - "metadata": { - "description": "Required. Source Kind to pull the configuration data from." - } - }, - "suspend": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Whether this configuration should suspend its reconciliation of its kustomizations and sources." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2023-05-01", - "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", - "name": "[parameters('name')]", - "properties": { - "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", - "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", - "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[parameters('kustomizations')]", - "namespace": "[parameters('namespace')]", - "scope": "[parameters('scope')]", - "sourceKind": "[parameters('sourceKind')]", - "suspend": "[parameters('suspend')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the flux configuration." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the flux configuration." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/fluxConfigurations', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the flux configuration was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the extension." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the extension." - }, - "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the extension was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedCluster" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the managed cluster." - }, - "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the managed cluster was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the managed cluster." - }, - "value": "[parameters('name')]" - }, - "controlPlaneFQDN": { - "type": "string", - "metadata": { - "description": "The control plane FQDN of the managed cluster." - }, - "value": "[if(parameters('enablePrivateCluster'), reference('managedCluster').privateFQDN, reference('managedCluster').fqdn)]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." 
- }, - "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" - }, - "kubeletidentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the AKS identity." - }, - "value": "[if(contains(reference('managedCluster'), 'identityProfile'), if(contains(reference('managedCluster').identityProfile, 'kubeletidentity'), reference('managedCluster').identityProfile.kubeletidentity.objectId, ''), '')]" - }, - "omsagentIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the OMS agent identity." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'omsagent'), if(contains(reference('managedCluster').addonProfiles.omsagent, 'identity'), reference('managedCluster').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" - }, - "keyvaultIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of the Key Vault Secrets Provider identity." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" - }, - "keyvaultIdentityClientId": { - "type": "string", - "metadata": { - "description": "The Client ID of the Key Vault Secrets Provider identity." 
- }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('managedCluster', '2023-07-02-preview', 'full').location]" - }, - "oidcIssuerUrl": { - "type": "string", - "metadata": { - "description": "The OIDC token issuer URL." - }, - "value": "[if(parameters('enableOidcIssuerProfile'), reference('managedCluster').oidcIssuerProfile.issuerURL, '')]" - }, - "addonProfiles": { - "type": "object", - "metadata": { - "description": "The addonProfiles of the Kubernetes cluster." - }, - "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" - }, - "webAppRoutingIdentityObjectId": { - "type": "string", - "metadata": { - "description": "The Object ID of Web Application Routing." 
- }, - "value": "[if(and(and(and(contains(reference('managedCluster'), 'ingressProfile'), contains(reference('managedCluster').ingressProfile, 'webAppRouting')), contains(reference('managedCluster').ingressProfile.webAppRouting, 'identity')), contains(reference('managedCluster').ingressProfile.webAppRouting.identity, 'objectId')), reference('managedCluster').ingressProfile.webAppRouting.identity.objectId, '')]" - } - } +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "1414107545361983559" + }, + "name": "Azure Kubernetes Service (AKS) Managed Clusters", + "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. 
The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + }, + "diagnosticSettingType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." 
+ } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to 'AllLogs' to collect all logs." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to 'AllMetrics' to collect all metrics." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to '' to disable log collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." 
+ } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + } + }, + "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." 
+ } + }, + "keyVaultNetworkAccess": { + "type": "string", + "allowedValues": [ + "Private", + "Public" + ], + "metadata": { + "description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public." + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Specifies the name of the AKS cluster." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Specifies the location of AKS cluster. It picks up Resource Group's location by default." + } + }, + "dnsPrefix": { + "type": "string", + "defaultValue": "[parameters('name')]", + "metadata": { + "description": "Optional. Specifies the DNS prefix specified when creating the managed cluster." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "networkDataplane": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "azure", + "cilium" + ], + "metadata": { + "description": "Optional. Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin." + } + }, + "networkPlugin": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "azure", + "kubenet" + ], + "metadata": { + "description": "Optional. Specifies the network plugin used for building Kubernetes network." + } + }, + "networkPluginMode": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "overlay" + ], + "metadata": { + "description": "Optional. 
Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin." + } + }, + "networkPolicy": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "azure", + "calico" + ], + "metadata": { + "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure." + } + }, + "podCidr": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." + } + }, + "serviceCidr": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." + } + }, + "dnsServiceIP": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." + } + }, + "loadBalancerSku": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "basic", + "standard" + ], + "metadata": { + "description": "Optional. Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." + } + }, + "managedOutboundIPCount": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. Outbound IP Count for the Load balancer." + } + }, + "outboundType": { + "type": "string", + "defaultValue": "loadBalancer", + "allowedValues": [ + "loadBalancer", + "userDefinedRouting" + ], + "metadata": { + "description": "Optional. Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." + } + }, + "skuTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Premium", + "Standard" + ], + "metadata": { + "description": "Optional. Tier of a managed cluster SKU. - Free or Standard." 
+ } + }, + "kubernetesVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Version of Kubernetes specified when creating the managed cluster." + } + }, + "adminUsername": { + "type": "string", + "defaultValue": "azureuser", + "metadata": { + "description": "Optional. Specifies the administrator username of Linux virtual machines." + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the SSH RSA public key string for the Linux nodes." + } + }, + "aksServicePrincipalProfile": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster." + } + }, + "aadProfileClientAppID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The client AAD application ID." + } + }, + "aadProfileServerAppID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The server AAD application ID." + } + }, + "aadProfileServerAppSecret": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The server AAD application secret." + } + }, + "aadProfileTenantId": { + "type": "string", + "defaultValue": "[subscription().tenantId]", + "metadata": { + "description": "Optional. Specifies the tenant ID of the Azure Active Directory used by the AKS cluster for authentication." + } + }, + "aadProfileAdminGroupObjectIDs": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Specifies the AAD group object IDs that will have admin role of the cluster." + } + }, + "aadProfileManaged": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether to enable managed AAD integration." 
+ } + }, + "enableRBAC": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Whether to enable Kubernetes Role-Based Access Control." + } + }, + "aadProfileEnableAzureRBAC": { + "type": "bool", + "defaultValue": "[parameters('enableRBAC')]", + "metadata": { + "description": "Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization." + } + }, + "disableLocalAccounts": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled." + } + }, + "nodeResourceGroup": { + "type": "string", + "defaultValue": "[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]", + "metadata": { + "description": "Optional. Name of the resource group containing agent pool nodes." + } + }, + "authorizedIPRanges": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer." + } + }, + "disableRunCommand": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to disable run command for the cluster or not." + } + }, + "enablePrivateCluster": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether to create the cluster as a private cluster or not." + } + }, + "enablePrivateClusterPublicFQDN": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to create additional public FQDN for private cluster or not." + } + }, + "privateDNSZone": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Private DNS Zone configuration. 
Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone." + } + }, + "primaryAgentPoolProfile": { + "type": "array", + "metadata": { + "description": "Required. Properties of the primary agent pool." + } + }, + "agentPools": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Define one or more secondary/additional agent pools." + } + }, + "httpApplicationRoutingEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the httpApplicationRouting add-on is enabled or not." + } + }, + "webApplicationRoutingEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the webApplicationRoutingEnabled add-on is enabled or not." + } + }, + "dnsZoneResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`." + } + }, + "enableDnsZoneContributorRoleAssignment": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided." + } + }, + "ingressApplicationGatewayEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not." + } + }, + "appGatewayResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. Specifies the resource ID of connected application gateway. 
Required if `ingressApplicationGatewayEnabled` is set to `true`." + } + }, + "aciConnectorLinuxEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the aciConnectorLinux add-on is enabled or not." + } + }, + "azurePolicyEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled." + } + }, + "openServiceMeshEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the openServiceMesh add-on is enabled or not." + } + }, + "azurePolicyVersion": { + "type": "string", + "defaultValue": "v2", + "metadata": { + "description": "Optional. Specifies the azure policy version to use." + } + }, + "kubeDashboardEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the kubeDashboard add-on is enabled or not." + } + }, + "enableKeyvaultSecretsProvider": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on is enabled or not." + } + }, + "enableSecretRotation": { + "type": "string", + "defaultValue": "false", + "allowedValues": [ + "false", + "true" + ], + "metadata": { + "description": "Optional. Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation." + } + }, + "autoScalerProfileScanInterval": { + "type": "string", + "defaultValue": "10s", + "metadata": { + "description": "Optional. Specifies the scan interval of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownDelayAfterAdd": { + "type": "string", + "defaultValue": "10m", + "metadata": { + "description": "Optional. Specifies the scale down delay after add of the auto-scaler of the AKS cluster." 
+ } + }, + "autoScalerProfileScaleDownDelayAfterDelete": { + "type": "string", + "defaultValue": "20s", + "metadata": { + "description": "Optional. Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownDelayAfterFailure": { + "type": "string", + "defaultValue": "3m", + "metadata": { + "description": "Optional. Specifies scale down delay after failure of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownUnneededTime": { + "type": "string", + "defaultValue": "10m", + "metadata": { + "description": "Optional. Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileScaleDownUnreadyTime": { + "type": "string", + "defaultValue": "20m", + "metadata": { + "description": "Optional. Specifies the scale down unready time of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileUtilizationThreshold": { + "type": "string", + "defaultValue": "0.5", + "metadata": { + "description": "Optional. Specifies the utilization threshold of the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileMaxGracefulTerminationSec": { + "type": "string", + "defaultValue": "600", + "metadata": { + "description": "Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileBalanceSimilarNodeGroups": { + "type": "string", + "defaultValue": "false", + "allowedValues": [ + "false", + "true" + ], + "metadata": { + "description": "Optional. Specifies the balance of similar node groups for the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileExpander": { + "type": "string", + "defaultValue": "random", + "allowedValues": [ + "least-waste", + "most-pods", + "priority", + "random" + ], + "metadata": { + "description": "Optional. Specifies the expand strategy for the auto-scaler of the AKS cluster." 
+ } + }, + "autoScalerProfileMaxEmptyBulkDelete": { + "type": "string", + "defaultValue": "10", + "metadata": { + "description": "Optional. Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileMaxNodeProvisionTime": { + "type": "string", + "defaultValue": "15m", + "metadata": { + "description": "Optional. Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an \"m\". No unit of time other than minutes (m) is supported." + } + }, + "autoScalerProfileMaxTotalUnreadyPercentage": { + "type": "string", + "defaultValue": "45", + "metadata": { + "description": "Optional. Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0." + } + }, + "autoScalerProfileNewPodScaleUpDelay": { + "type": "string", + "defaultValue": "0s", + "metadata": { + "description": "Optional. For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit (\"s\" for seconds, \"m\" for minutes, \"h\" for hours, etc)." + } + }, + "autoScalerProfileOkTotalUnreadyCount": { + "type": "string", + "defaultValue": "3", + "metadata": { + "description": "Optional. Specifies the OK total unready count for the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileSkipNodesWithLocalStorage": { + "type": "string", + "defaultValue": "true", + "allowedValues": [ + "false", + "true" + ], + "metadata": { + "description": "Optional. Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster." + } + }, + "autoScalerProfileSkipNodesWithSystemPods": { + "type": "string", + "defaultValue": "true", + "allowedValues": [ + "false", + "true" + ], + "metadata": { + "description": "Optional. 
Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster." + } + }, + "autoUpgradeProfileUpgradeChannel": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "node-image", + "none", + "patch", + "rapid", + "stable", + "" + ], + "metadata": { + "description": "Optional. Auto-upgrade channel on the AKS cluster." + } + }, + "podIdentityProfileAllowNetworkPluginKubenet": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing." + } + }, + "podIdentityProfileEnable": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the pod identity addon is enabled." + } + }, + "podIdentityProfileUserAssignedIdentities": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The pod identities to use in the cluster." + } + }, + "podIdentityProfileUserAssignedIdentityExceptions": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The pod identity exceptions to allow." + } + }, + "enableOidcIssuerProfile": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the The OIDC issuer profile of the Managed Cluster is enabled." + } + }, + "enableWorkloadIdentity": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to enable Workload Identity. Requires OIDC issuer profile to be enabled." + } + }, + "enableAzureDefender": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to enable Azure Defender." + } + }, + "enablePodSecurityPolicy": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to enable Kubernetes pod security policy. 
Requires enabling the pod security policy feature flag on the subscription." + } + }, + "enableStorageProfileBlobCSIDriver": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the AzureBlob CSI Driver for the storage profile is enabled." + } + }, + "enableStorageProfileDiskCSIDriver": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the AzureDisk CSI Driver for the storage profile is enabled." + } + }, + "enableStorageProfileFileCSIDriver": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the AzureFile CSI Driver for the storage profile is enabled." + } + }, + "enableStorageProfileSnapshotController": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the snapshot controller for the storage profile is enabled." + } + }, + "supportPlan": { + "type": "string", + "defaultValue": "KubernetesOfficial", + "allowedValues": [ + "AKSLongTermSupport", + "KubernetesOfficial" + ], + "metadata": { + "description": "Optional. The support plan for the Managed Cluster." + } + }, + "diagnosticSettings": { + "$ref": "#/definitions/diagnosticSettingType", + "metadata": { + "description": "Optional. The diagnostic settings of the service." + } + }, + "omsAgentEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies whether the OMS agent is enabled." + } + }, + "monitoringWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the monitoring log analytics workspace." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. 
Array of role assignments to create." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "diskEncryptionSetID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided." + } + }, + "fluxConfigurationProtectedSettings": { + "type": "secureObject", + "defaultValue": {}, + "metadata": { + "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." + } + }, + "fluxExtension": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Settings and configurations for the flux extension." + } + }, + "httpProxyConfig": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Configurations for provisioning the cluster with HTTP proxy servers." + } + }, + "identityProfile": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Identities associated with the cluster." + } + }, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", + "metadata": { + "description": "Optional. The customer managed key definition." + } + }, + "enableAzureMonitorProfileMetrics": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether the metrics profile for the Azure Monitor managed service for Prometheus addon is enabled." + } + }, + "metricLabelsAllowlist": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A comma-separated list of additional Kubernetes label keys." 
+ } + }, + "metricAnnotationsAllowList": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A comma-separated list of Kubernetes annotation keys." + } + } + }, + "variables": { + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "linuxProfile": { + "adminUsername": "[parameters('adminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]" + } + ] + } + }, + "lbProfile": { + "managedOutboundIPs": { + "count": "[parameters('managedOutboundIPCount')]" + }, + "effectiveOutboundIPs": [] + }, + "enableReferencedModulesTelemetry": false, + "builtInRoleNames": { + "Azure Kubernetes Fleet Manager Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '63bb64ad-9799-4770-b5c3-24ed299a07bf')]", + "Azure Kubernetes Fleet Manager RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '434fb43a-c01c-447e-9f67-c3ad923cfaba')]", + "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ab4d3d-a1bf-4477-8ad9-8359bc988f69')]", + "Azure Kubernetes Fleet Manager RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'30b27cfc-9c84-438e-b0ce-70e35255df80')]", + "Azure Kubernetes Fleet Manager RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5af6afb3-c06c-4fa4-8848-71a8aee05683')]", + "Azure Kubernetes Service Cluster Admin Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", + "Azure Kubernetes Service Cluster Monitoring User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1afdec4b-e479-420e-99e7-f82237c7c5e6')]", + "Azure Kubernetes Service Cluster User Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", + "Azure Kubernetes Service Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", + "Azure Kubernetes Service RBAC Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3498e952-d568-435e-9b2c-8d77e338d7f7')]", + "Azure Kubernetes Service RBAC Cluster Admin": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", + "Azure Kubernetes Service RBAC Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f6c6a51-bcf8-42ba-9220-52d62157d7db')]", + "Azure Kubernetes Service RBAC Writer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Kubernetes Agentless Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a2ae44-610b-4500-93be-660a0c5f5ca6')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based 
Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "defaultTelemetry": { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', 
uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + "managedCluster": { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2023-07-02-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": "[variables('identity')]", + "sku": { + "name": "Base", + "tier": "[parameters('skuTier')]" + }, + "properties": { + "httpProxyConfig": "[if(not(empty(parameters('httpProxyConfig'))), parameters('httpProxyConfig'), null())]", + "identityProfile": "[if(not(empty(parameters('identityProfile'))), parameters('identityProfile'), null())]", + "diskEncryptionSetID": "[if(not(empty(parameters('diskEncryptionSetID'))), parameters('diskEncryptionSetID'), null())]", + "kubernetesVersion": "[if(empty(parameters('kubernetesVersion')), null(), parameters('kubernetesVersion'))]", + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": "[parameters('primaryAgentPoolProfile')]", + "linuxProfile": "[if(empty(parameters('sshPublicKey')), null(), variables('linuxProfile'))]", + "servicePrincipalProfile": "[if(empty(parameters('aksServicePrincipalProfile')), null(), parameters('aksServicePrincipalProfile'))]", + "ingressProfile": { + "webAppRouting": { + "enabled": "[parameters('webApplicationRoutingEnabled')]", + "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]" + } + }, + "addonProfiles": { + "httpApplicationRouting": { + "enabled": "[parameters('httpApplicationRoutingEnabled')]" + }, + "ingressApplicationGateway": { + "enabled": "[and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId'))))]", + "config": 
"[if(and(parameters('ingressApplicationGatewayEnabled'), not(empty(parameters('appGatewayResourceId')))), createObject('applicationGatewayId', if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null()), 'effectiveApplicationGatewayId', if(not(empty(parameters('appGatewayResourceId'))), parameters('appGatewayResourceId'), null())), null())]" + }, + "omsagent": { + "enabled": "[and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId'))))]", + "config": "[if(and(parameters('omsAgentEnabled'), not(empty(parameters('monitoringWorkspaceId')))), createObject('logAnalyticsWorkspaceResourceID', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]" + }, + "aciConnectorLinux": { + "enabled": "[parameters('aciConnectorLinuxEnabled')]" + }, + "azurepolicy": { + "enabled": "[parameters('azurePolicyEnabled')]", + "config": "[if(parameters('azurePolicyEnabled'), createObject('version', parameters('azurePolicyVersion')), null())]" + }, + "openServiceMesh": { + "enabled": "[parameters('openServiceMeshEnabled')]", + "config": "[if(parameters('openServiceMeshEnabled'), createObject(), null())]" + }, + "kubeDashboard": { + "enabled": "[parameters('kubeDashboardEnabled')]" + }, + "azureKeyvaultSecretsProvider": { + "enabled": "[parameters('enableKeyvaultSecretsProvider')]", + "config": "[if(parameters('enableKeyvaultSecretsProvider'), createObject('enableSecretRotation', parameters('enableSecretRotation')), null())]" + } + }, + "oidcIssuerProfile": "[if(parameters('enableOidcIssuerProfile'), createObject('enabled', parameters('enableOidcIssuerProfile')), null())]", + "enableRBAC": "[parameters('enableRBAC')]", + "disableLocalAccounts": "[parameters('disableLocalAccounts')]", + "nodeResourceGroup": "[parameters('nodeResourceGroup')]", + "enablePodSecurityPolicy": "[parameters('enablePodSecurityPolicy')]", + "networkProfile": { + "networkDataplane": 
"[if(not(empty(parameters('networkDataplane'))), parameters('networkDataplane'), null())]", + "networkPlugin": "[if(not(empty(parameters('networkPlugin'))), parameters('networkPlugin'), null())]", + "networkPluginMode": "[if(not(empty(parameters('networkPluginMode'))), parameters('networkPluginMode'), null())]", + "networkPolicy": "[if(not(empty(parameters('networkPolicy'))), parameters('networkPolicy'), null())]", + "podCidr": "[if(not(empty(parameters('podCidr'))), parameters('podCidr'), null())]", + "serviceCidr": "[if(not(empty(parameters('serviceCidr'))), parameters('serviceCidr'), null())]", + "dnsServiceIP": "[if(not(empty(parameters('dnsServiceIP'))), parameters('dnsServiceIP'), null())]", + "outboundType": "[parameters('outboundType')]", + "loadBalancerSku": "[parameters('loadBalancerSku')]", + "loadBalancerProfile": "[if(not(equals(parameters('managedOutboundIPCount'), 0)), variables('lbProfile'), null())]" + }, + "aadProfile": { + "clientAppID": "[parameters('aadProfileClientAppID')]", + "serverAppID": "[parameters('aadProfileServerAppID')]", + "serverAppSecret": "[parameters('aadProfileServerAppSecret')]", + "managed": "[parameters('aadProfileManaged')]", + "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", + "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", + "tenantID": "[parameters('aadProfileTenantId')]" + }, + "autoScalerProfile": { + "balance-similar-node-groups": "[parameters('autoScalerProfileBalanceSimilarNodeGroups')]", + "expander": "[parameters('autoScalerProfileExpander')]", + "max-empty-bulk-delete": "[parameters('autoScalerProfileMaxEmptyBulkDelete')]", + "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]", + "max-node-provision-time": "[parameters('autoScalerProfileMaxNodeProvisionTime')]", + "max-total-unready-percentage": "[parameters('autoScalerProfileMaxTotalUnreadyPercentage')]", + "new-pod-scale-up-delay": 
"[parameters('autoScalerProfileNewPodScaleUpDelay')]", + "ok-total-unready-count": "[parameters('autoScalerProfileOkTotalUnreadyCount')]", + "scale-down-delay-after-add": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", + "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", + "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", + "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", + "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", + "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", + "scan-interval": "[parameters('autoScalerProfileScanInterval')]", + "skip-nodes-with-local-storage": "[parameters('autoScalerProfileSkipNodesWithLocalStorage')]", + "skip-nodes-with-system-pods": "[parameters('autoScalerProfileSkipNodesWithSystemPods')]" + }, + "autoUpgradeProfile": { + "upgradeChannel": "[if(not(empty(parameters('autoUpgradeProfileUpgradeChannel'))), parameters('autoUpgradeProfileUpgradeChannel'), null())]" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": "[parameters('authorizedIPRanges')]", + "disableRunCommand": "[parameters('disableRunCommand')]", + "enablePrivateCluster": "[parameters('enablePrivateCluster')]", + "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]", + "privateDNSZone": "[parameters('privateDNSZone')]" + }, + "azureMonitorProfile": { + "metrics": "[if(parameters('enableAzureMonitorProfileMetrics'), createObject('enabled', true(), 'kubeStateMetrics', createObject('metricAnnotationsAllowList', parameters('metricAnnotationsAllowList'), 'metricLabelsAllowlist', parameters('metricLabelsAllowlist'))), null())]" + }, + "podIdentityProfile": { + "allowNetworkPluginKubenet": "[parameters('podIdentityProfileAllowNetworkPluginKubenet')]", + "enabled": "[parameters('podIdentityProfileEnable')]", + 
"userAssignedIdentities": "[parameters('podIdentityProfileUserAssignedIdentities')]", + "userAssignedIdentityExceptions": "[parameters('podIdentityProfileUserAssignedIdentityExceptions')]" + }, + "securityProfile": { + "azureKeyVaultKms": "[if(not(empty(parameters('customerManagedKey'))), createObject('enabled', true(), 'keyId', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion), 'keyVaultNetworkAccess', parameters('customerManagedKey').keyVaultNetworkAccess, 'keyVaultResourceId', if(equals(parameters('customerManagedKey').keyVaultNetworkAccess, 'Private'), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), null())), null())]", + "defender": "[if(parameters('enableAzureDefender'), createObject('securityMonitoring', createObject('enabled', parameters('enableAzureDefender')), 'logAnalyticsWorkspaceResourceId', if(not(empty(parameters('monitoringWorkspaceId'))), parameters('monitoringWorkspaceId'), null())), null())]", + "workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]" + }, + "storageProfile": { + "blobCSIDriver": { + "enabled": "[parameters('enableStorageProfileBlobCSIDriver')]" + }, + "diskCSIDriver": { + "enabled": "[parameters('enableStorageProfileDiskCSIDriver')]" + }, + "fileCSIDriver": { + "enabled": "[parameters('enableStorageProfileFileCSIDriver')]" + }, + "snapshotController": { + "enabled": 
"[parameters('enableStorageProfileSnapshotController')]" + } + }, + "supportPlan": "[parameters('supportPlan')]" + }, + "dependsOn": [ + "cMKKeyVault" + ] + }, + "managedCluster_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "managedCluster" + ] + }, + "managedCluster_diagnosticSettings": { + "copy": { + "name": "managedCluster_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + 
"metrics": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics', 'timeGrain', null(), 'enabled', true())))]", + "logs": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'AllLogs', 'enabled', true())))]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "managedCluster" + ] + }, + "managedCluster_roleAssignments": { + "copy": { + "name": "managedCluster_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "managedCluster" + ] + }, + "dnsZone": { + "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", + "existing": true, + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2018-05-01", + "name": "[last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/'))]" + }, + "dnsZone_roleAssignment": { + "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/dnsZones/{0}', last(split(if(not(empty(parameters('dnsZoneResourceId'))), parameters('dnsZoneResourceId'), '/dummmyZone'), '/')))]", + "name": 
"[guid(parameters('dnsZoneResourceId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "principalId": "[reference('managedCluster').ingressProfile.webAppRouting.identity.objectId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "dnsZone", + "managedCluster" + ] + }, + "managedCluster_agentPools": { + "copy": { + "name": "managedCluster_agentPools", + "count": "[length(parameters('agentPools'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-ManagedCluster-AgentPool-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "managedClusterName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('agentPools')[copyIndex()].name]" + }, + "availabilityZones": "[if(contains(parameters('agentPools')[copyIndex()], 'availabilityZones'), createObject('value', parameters('agentPools')[copyIndex()].availabilityZones), createObject('value', createArray()))]", + "count": "[if(contains(parameters('agentPools')[copyIndex()], 'count'), createObject('value', parameters('agentPools')[copyIndex()].count), createObject('value', 1))]", + "sourceResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'sourceResourceId'), createObject('value', parameters('agentPools')[copyIndex()].sourceResourceId), createObject('value', ''))]", + "enableAutoScaling": "[if(contains(parameters('agentPools')[copyIndex()], 'enableAutoScaling'), createObject('value', parameters('agentPools')[copyIndex()].enableAutoScaling), createObject('value', false()))]", + "enableEncryptionAtHost": 
"[if(contains(parameters('agentPools')[copyIndex()], 'enableEncryptionAtHost'), createObject('value', parameters('agentPools')[copyIndex()].enableEncryptionAtHost), createObject('value', false()))]", + "enableFIPS": "[if(contains(parameters('agentPools')[copyIndex()], 'enableFIPS'), createObject('value', parameters('agentPools')[copyIndex()].enableFIPS), createObject('value', false()))]", + "enableNodePublicIP": "[if(contains(parameters('agentPools')[copyIndex()], 'enableNodePublicIP'), createObject('value', parameters('agentPools')[copyIndex()].enableNodePublicIP), createObject('value', false()))]", + "enableUltraSSD": "[if(contains(parameters('agentPools')[copyIndex()], 'enableUltraSSD'), createObject('value', parameters('agentPools')[copyIndex()].enableUltraSSD), createObject('value', false()))]", + "gpuInstanceProfile": "[if(contains(parameters('agentPools')[copyIndex()], 'gpuInstanceProfile'), createObject('value', parameters('agentPools')[copyIndex()].gpuInstanceProfile), createObject('value', ''))]", + "kubeletDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'kubeletDiskType'), createObject('value', parameters('agentPools')[copyIndex()].kubeletDiskType), createObject('value', ''))]", + "maxCount": "[if(contains(parameters('agentPools')[copyIndex()], 'maxCount'), createObject('value', parameters('agentPools')[copyIndex()].maxCount), createObject('value', -1))]", + "maxPods": "[if(contains(parameters('agentPools')[copyIndex()], 'maxPods'), createObject('value', parameters('agentPools')[copyIndex()].maxPods), createObject('value', -1))]", + "minCount": "[if(contains(parameters('agentPools')[copyIndex()], 'minCount'), createObject('value', parameters('agentPools')[copyIndex()].minCount), createObject('value', -1))]", + "mode": "[if(contains(parameters('agentPools')[copyIndex()], 'mode'), createObject('value', parameters('agentPools')[copyIndex()].mode), createObject('value', ''))]", + "nodeLabels": 
"[if(contains(parameters('agentPools')[copyIndex()], 'nodeLabels'), createObject('value', parameters('agentPools')[copyIndex()].nodeLabels), createObject('value', createObject()))]", + "nodePublicIpPrefixId": "[if(contains(parameters('agentPools')[copyIndex()], 'nodePublicIpPrefixId'), createObject('value', parameters('agentPools')[copyIndex()].nodePublicIpPrefixId), createObject('value', ''))]", + "nodeTaints": "[if(contains(parameters('agentPools')[copyIndex()], 'nodeTaints'), createObject('value', parameters('agentPools')[copyIndex()].nodeTaints), createObject('value', createArray()))]", + "orchestratorVersion": "[if(contains(parameters('agentPools')[copyIndex()], 'orchestratorVersion'), createObject('value', parameters('agentPools')[copyIndex()].orchestratorVersion), createObject('value', parameters('kubernetesVersion')))]", + "osDiskSizeGB": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskSizeGB'), createObject('value', parameters('agentPools')[copyIndex()].osDiskSizeGB), createObject('value', -1))]", + "osDiskType": "[if(contains(parameters('agentPools')[copyIndex()], 'osDiskType'), createObject('value', parameters('agentPools')[copyIndex()].osDiskType), createObject('value', ''))]", + "osSku": "[if(contains(parameters('agentPools')[copyIndex()], 'osSku'), createObject('value', parameters('agentPools')[copyIndex()].osSku), createObject('value', ''))]", + "osType": "[if(contains(parameters('agentPools')[copyIndex()], 'osType'), createObject('value', parameters('agentPools')[copyIndex()].osType), createObject('value', 'Linux'))]", + "podSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'podSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].podSubnetId), createObject('value', ''))]", + "proximityPlacementGroupResourceId": "[if(contains(parameters('agentPools')[copyIndex()], 'proximityPlacementGroupResourceId'), createObject('value', parameters('agentPools')[copyIndex()].proximityPlacementGroupResourceId), 
createObject('value', ''))]", + "scaleDownMode": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleDownMode'), createObject('value', parameters('agentPools')[copyIndex()].scaleDownMode), createObject('value', 'Delete'))]", + "scaleSetEvictionPolicy": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetEvictionPolicy'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetEvictionPolicy), createObject('value', 'Delete'))]", + "scaleSetPriority": "[if(contains(parameters('agentPools')[copyIndex()], 'scaleSetPriority'), createObject('value', parameters('agentPools')[copyIndex()].scaleSetPriority), createObject('value', ''))]", + "spotMaxPrice": "[if(contains(parameters('agentPools')[copyIndex()], 'spotMaxPrice'), createObject('value', parameters('agentPools')[copyIndex()].spotMaxPrice), createObject('value', -1))]", + "tags": { + "value": "[coalesce(tryGet(parameters('agentPools')[copyIndex()], 'tags'), parameters('tags'))]" + }, + "type": "[if(contains(parameters('agentPools')[copyIndex()], 'type'), createObject('value', parameters('agentPools')[copyIndex()].type), createObject('value', ''))]", + "maxSurge": "[if(contains(parameters('agentPools')[copyIndex()], 'maxSurge'), createObject('value', parameters('agentPools')[copyIndex()].maxSurge), createObject('value', ''))]", + "vmSize": "[if(contains(parameters('agentPools')[copyIndex()], 'vmSize'), createObject('value', parameters('agentPools')[copyIndex()].vmSize), createObject('value', 'Standard_D2s_v3'))]", + "vnetSubnetId": "[if(contains(parameters('agentPools')[copyIndex()], 'vnetSubnetId'), createObject('value', parameters('agentPools')[copyIndex()].vnetSubnetId), createObject('value', ''))]", + "workloadRuntime": "[if(contains(parameters('agentPools')[copyIndex()], 'workloadRuntime'), createObject('value', parameters('agentPools')[copyIndex()].workloadRuntime), createObject('value', ''))]", + "enableDefaultTelemetry": { + "value": 
"[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "13811832596066396545" + }, + "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", + "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "managedClusterName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent managed cluster. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the agent pool." + } + }, + "availabilityZones": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is \"VirtualMachineScaleSets\"." + } + }, + "count": { + "type": "int", + "defaultValue": 1, + "minValue": 0, + "maxValue": 1000, + "metadata": { + "description": "Optional. Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1." + } + }, + "sourceResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This is the ARM ID of the source object to be used to create the target object." + } + }, + "enableAutoScaling": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to enable auto-scaler." 
+ } + }, + "enableEncryptionAtHost": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled." + } + }, + "enableFIPS": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. See Add a FIPS-enabled node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details." + } + }, + "enableNodePublicIP": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools)." + } + }, + "enableUltraSSD": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether to enable UltraSSD." + } + }, + "gpuInstanceProfile": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "MIG1g", + "MIG2g", + "MIG3g", + "MIG4g", + "MIG7g", + "" + ], + "metadata": { + "description": "Optional. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU." + } + }, + "kubeletDiskType": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." + } + }, + "maxCount": { + "type": "int", + "defaultValue": -1, + "metadata": { + "description": "Optional. The maximum number of nodes for auto-scaling." 
+ } + }, + "maxPods": { + "type": "int", + "defaultValue": -1, + "metadata": { + "description": "Optional. The maximum number of pods that can run on a node." + } + }, + "minCount": { + "type": "int", + "defaultValue": -1, + "metadata": { + "description": "Optional. The minimum number of nodes for auto-scaling." + } + }, + "mode": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. A cluster must have at least one \"System\" Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools." + } + }, + "nodeLabels": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The node labels to be persisted across all nodes in agent pool." + } + }, + "nodePublicIpPrefixId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ResourceId of the node PublicIPPrefix." + } + }, + "nodeTaints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." + } + }, + "orchestratorVersion": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool (https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools#upgrade-a-node-pool)." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. 
If you specify 0, it will apply the default osDisk size according to the vmSize specified." + } + }, + "osDiskType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Ephemeral", + "Managed", + "" + ], + "metadata": { + "description": "Optional. The default is \"Ephemeral\" if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to \"Managed\". May not be changed after creation. For more information see Ephemeral OS (https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#ephemeral-os)." + } + }, + "osSku": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "AzureLinux", + "CBLMariner", + "Ubuntu", + "Windows2019", + "Windows2022", + "" + ], + "metadata": { + "description": "Optional. Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "Optional. The operating system type. The default is Linux." + } + }, + "podSubnetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Subnet ID for the pod IPs. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." + } + }, + "proximityPlacementGroupResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The ID for the Proximity Placement Group." + } + }, + "scaleDownMode": { + "type": "string", + "defaultValue": "Delete", + "allowedValues": [ + "Deallocate", + "Delete" + ], + "metadata": { + "description": "Optional. 
Describes how VMs are added to or removed from Agent Pools. See billing states (https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing)." + } + }, + "scaleSetEvictionPolicy": { + "type": "string", + "defaultValue": "Delete", + "allowedValues": [ + "Deallocate", + "Delete" + ], + "metadata": { + "description": "Optional. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs." + } + }, + "scaleSetPriority": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Regular", + "Spot", + "" + ], + "metadata": { + "description": "Optional. The Virtual Machine Scale Set priority." + } + }, + "spotMaxPrice": { + "type": "int", + "defaultValue": -1, + "metadata": { + "description": "Optional. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing (https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms#pricing)." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "type": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The type of Agent Pool." + } + }, + "maxSurge": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This can either be set to an integer (e.g. \"5\") or a percentage (e.g. \"50%\"). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "Optional. VM size. VM size availability varies by region. 
If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions." + } + }, + "vnetSubnetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Node Subnet ID. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}." + } + }, + "workloadRuntime": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Determines the type of workload a node can run." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "creationData": { + "sourceResourceId": "[if(not(empty(parameters('sourceResourceId'))), parameters('sourceResourceId'), null())]" + }, + "upgradeSettings": { + "maxSurge": "[parameters('maxSurge')]" + } + }, + "resources": { + "defaultTelemetry": { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + "managedCluster": { + "existing": true, + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2023-07-02-preview", + "name": "[parameters('managedClusterName')]" + }, + "agentPool": { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2023-07-02-preview", + "name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]", + "properties": { + "availabilityZones": "[parameters('availabilityZones')]", + "count": "[parameters('count')]", + "creationData": "[if(not(empty(parameters('sourceResourceId'))), variables('creationData'), null())]", + "enableAutoScaling": "[parameters('enableAutoScaling')]", + "enableEncryptionAtHost": "[parameters('enableEncryptionAtHost')]", + "enableFIPS": "[parameters('enableFIPS')]", + "enableNodePublicIP": "[parameters('enableNodePublicIP')]", + "enableUltraSSD": "[parameters('enableUltraSSD')]", + "gpuInstanceProfile": "[if(not(empty(parameters('gpuInstanceProfile'))), parameters('gpuInstanceProfile'), null())]", + "kubeletDiskType": "[parameters('kubeletDiskType')]", + "maxCount": "[if(not(equals(parameters('maxCount'), -1)), parameters('maxCount'), null())]", + "maxPods": "[if(not(equals(parameters('maxPods'), -1)), parameters('maxPods'), 
null())]", + "minCount": "[if(not(equals(parameters('minCount'), -1)), parameters('minCount'), null())]", + "mode": "[if(not(empty(parameters('mode'))), parameters('mode'), null())]", + "nodeLabels": "[parameters('nodeLabels')]", + "nodePublicIPPrefixID": "[if(not(empty(parameters('nodePublicIpPrefixId'))), parameters('nodePublicIpPrefixId'), null())]", + "nodeTaints": "[parameters('nodeTaints')]", + "orchestratorVersion": "[parameters('orchestratorVersion')]", + "osDiskSizeGB": "[if(not(equals(parameters('osDiskSizeGB'), -1)), parameters('osDiskSizeGB'), null())]", + "osDiskType": "[if(not(empty(parameters('osDiskType'))), parameters('osDiskType'), null())]", + "osSKU": "[if(not(empty(parameters('osSku'))), parameters('osSku'), null())]", + "osType": "[parameters('osType')]", + "podSubnetID": "[if(not(empty(parameters('podSubnetId'))), parameters('podSubnetId'), null())]", + "proximityPlacementGroupID": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), parameters('proximityPlacementGroupResourceId'), null())]", + "scaleDownMode": "[parameters('scaleDownMode')]", + "scaleSetEvictionPolicy": "[parameters('scaleSetEvictionPolicy')]", + "scaleSetPriority": "[if(not(empty(parameters('scaleSetPriority'))), parameters('scaleSetPriority'), null())]", + "spotMaxPrice": "[parameters('spotMaxPrice')]", + "tags": "[parameters('tags')]", + "type": "[parameters('type')]", + "upgradeSettings": "[variables('upgradeSettings')]", + "vmSize": "[parameters('vmSize')]", + "vnetSubnetID": "[parameters('vnetSubnetId')]", + "workloadRuntime": "[parameters('workloadRuntime')]" + }, + "dependsOn": [ + "managedCluster" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the agent pool." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the agent pool." 
+ }, + "value": "[resourceId('Microsoft.ContainerService/managedClusters/agentPools', parameters('managedClusterName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the agent pool was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "managedCluster" + ] + }, + "managedCluster_extension": { + "condition": "[not(empty(parameters('fluxExtension')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-ManagedCluster-FluxExtension', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "clusterName": { + "value": "[parameters('name')]" + }, + "configurationProtectedSettings": "[if(not(empty(parameters('fluxConfigurationProtectedSettings'))), createObject('value', parameters('fluxConfigurationProtectedSettings')), createObject('value', createObject()))]", + "configurationSettings": "[if(contains(parameters('fluxExtension'), 'configurationSettings'), createObject('value', parameters('fluxExtension').configurationSettings), createObject('value', createObject()))]", + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + }, + "extensionType": { + "value": "microsoft.flux" + }, + "fluxConfigurations": { + "value": "[parameters('fluxExtension').configurations]" + }, + "location": { + "value": "[parameters('location')]" + }, + "name": { + "value": "flux" + }, + "releaseNamespace": { + "value": "flux-system" + }, + "releaseTrain": "[if(contains(parameters('fluxExtension'), 'releaseTrain'), createObject('value', parameters('fluxExtension').releaseTrain), createObject('value', 'Stable'))]", + "version": "[if(contains(parameters('fluxExtension'), 'version'), createObject('value', parameters('fluxExtension').version), createObject('value', ''))]" + 
}, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "548642834195454661" + }, + "name": "Kubernetes Configuration Extensions", + "description": "This module deploys a Kubernetes Configuration Extension.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the Flux Configuration." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "clusterName": { + "type": "string", + "metadata": { + "description": "Required. The name of the AKS cluster that should be configured." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "configurationProtectedSettings": { + "type": "secureObject", + "defaultValue": {}, + "metadata": { + "description": "Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension." + } + }, + "configurationSettings": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Configuration settings, as name-value pairs for configuring this extension." + } + }, + "extensionType": { + "type": "string", + "metadata": { + "description": "Required. Type of the Extension, of which this resource is an instance of. It must be one of the Extension Types registered with Microsoft.KubernetesConfiguration by the Extension publisher." + } + }, + "releaseTrain": { + "type": "string", + "defaultValue": "Stable", + "metadata": { + "description": "Optional. ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) 
- only if autoUpgradeMinorVersion is \"true\"." + } + }, + "releaseNamespace": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created." + } + }, + "targetNamespace": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Namespace where the extension will be created for an Namespace scoped extension. If this namespace does not exist, it will be created." + } + }, + "version": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Version of the extension for this extension, if it is \"pinned\" to a specific version." + } + }, + "fluxConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of flux configuraitons." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.KubernetesConfiguration/extensions", + "apiVersion": "2022-03-01", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", + "name": "[parameters('name')]", + "properties": { + "autoUpgradeMinorVersion": "[if(not(empty(parameters('version'))), false(), true())]", + "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", + "configurationSettings": 
"[if(not(empty(parameters('configurationSettings'))), parameters('configurationSettings'), createObject())]", + "extensionType": "[parameters('extensionType')]", + "releaseTrain": "[if(not(empty(parameters('releaseTrain'))), parameters('releaseTrain'), null())]", + "scope": { + "cluster": "[if(not(empty(parameters('releaseNamespace'))), createObject('releaseNamespace', parameters('releaseNamespace')), null())]", + "namespace": "[if(not(empty(parameters('targetNamespace'))), createObject('targetNamespace', parameters('targetNamespace')), null())]" + }, + "version": "[if(not(empty(parameters('version'))), parameters('version'), null())]" + } + }, + { + "copy": { + "name": "fluxConfiguration", + "count": "[length(parameters('fluxConfigurations'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-ManagedCluster-FluxConfiguration{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "enableDefaultTelemetry": { + "value": "[parameters('enableDefaultTelemetry')]" + }, + "clusterName": { + "value": "[parameters('clusterName')]" + }, + "scope": { + "value": "[parameters('fluxConfigurations')[copyIndex()].scope]" + }, + "namespace": { + "value": "[parameters('fluxConfigurations')[copyIndex()].namespace]" + }, + "sourceKind": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', 'GitRepository'), createObject('value', 'Bucket'))]", + "name": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'name'), createObject('value', parameters('fluxConfigurations')[copyIndex()].name), createObject('value', toLower(format('{0}-fluxconfiguration{1}', parameters('clusterName'), copyIndex()))))]", + "bucket": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'bucket'), createObject('value', 
parameters('fluxConfigurations')[copyIndex()].bucket), createObject('value', createObject()))]", + "configurationProtectedSettings": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'configurationProtectedSettings'), createObject('value', parameters('fluxConfigurations')[copyIndex()].configurationProtectedSettings), createObject('value', createObject()))]", + "gitRepository": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'gitRepository'), createObject('value', parameters('fluxConfigurations')[copyIndex()].gitRepository), createObject('value', createObject()))]", + "kustomizations": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'kustomizations'), createObject('value', parameters('fluxConfigurations')[copyIndex()].kustomizations), createObject('value', createObject()))]", + "suspend": "[if(contains(parameters('fluxConfigurations')[copyIndex()], 'suspend'), createObject('value', parameters('fluxConfigurations')[copyIndex()].suspend), createObject('value', false()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "10031296768791737313" + }, + "name": "Kubernetes Configuration Flux Configurations", + "description": "This module deploys a Kubernetes Configuration Flux Configuration.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the Flux Configuration." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "clusterName": { + "type": "string", + "metadata": { + "description": "Required. The name of the AKS cluster that should be configured." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "bucket": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Parameters to reconcile to the GitRepository source kind type." + } + }, + "configurationProtectedSettings": { + "type": "secureObject", + "defaultValue": {}, + "metadata": { + "description": "Optional. Key-value pairs of protected configuration settings for the configuration." + } + }, + "gitRepository": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Parameters to reconcile to the GitRepository source kind type." + } + }, + "kustomizations": { + "type": "object", + "metadata": { + "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." + } + }, + "namespace": { + "type": "string", + "metadata": { + "description": "Required. The namespace to which this configuration is installed to. Maximum of 253 lower case alphanumeric characters, hyphen and period only." + } + }, + "scope": { + "type": "string", + "allowedValues": [ + "cluster", + "namespace" + ], + "metadata": { + "description": "Required. Scope at which the configuration will be installed." + } + }, + "sourceKind": { + "type": "string", + "allowedValues": [ + "Bucket", + "GitRepository" + ], + "metadata": { + "description": "Required. Source Kind to pull the configuration data from." + } + }, + "suspend": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Whether this configuration should suspend its reconciliation of its kustomizations and sources." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", + "apiVersion": "2023-05-01", + "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", + "name": "[parameters('name')]", + "properties": { + "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", + "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", + "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", + "kustomizations": "[parameters('kustomizations')]", + "namespace": "[parameters('namespace')]", + "scope": "[parameters('scope')]", + "sourceKind": "[parameters('sourceKind')]", + "suspend": "[parameters('suspend')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the flux configuration." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the flux configuration." + }, + "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/fluxConfigurations', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the flux configuration was deployed into." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the extension." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the extension." + }, + "value": "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the extension was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "managedCluster" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the managed cluster." + }, + "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the managed cluster was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the managed cluster." + }, + "value": "[parameters('name')]" + }, + "controlPlaneFQDN": { + "type": "string", + "metadata": { + "description": "The control plane FQDN of the managed cluster." + }, + "value": "[if(parameters('enablePrivateCluster'), reference('managedCluster').privateFQDN, reference('managedCluster').fqdn)]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." 
+ }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('managedCluster', '2023-07-02-preview', 'full').identity, 'principalId')), reference('managedCluster', '2023-07-02-preview', 'full').identity.principalId, '')]" + }, + "kubeletidentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of the AKS identity." + }, + "value": "[if(contains(reference('managedCluster'), 'identityProfile'), if(contains(reference('managedCluster').identityProfile, 'kubeletidentity'), reference('managedCluster').identityProfile.kubeletidentity.objectId, ''), '')]" + }, + "omsagentIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of the OMS agent identity." + }, + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'omsagent'), if(contains(reference('managedCluster').addonProfiles.omsagent, 'identity'), reference('managedCluster').addonProfiles.omsagent.identity.objectId, ''), ''), '')]" + }, + "keyvaultIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of the Key Vault Secrets Provider identity." + }, + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, ''), ''), '')]" + }, + "keyvaultIdentityClientId": { + "type": "string", + "metadata": { + "description": "The Client ID of the Key Vault Secrets Provider identity." 
+ }, + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), if(contains(reference('managedCluster').addonProfiles, 'azureKeyvaultSecretsProvider'), if(contains(reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider, 'identity'), reference('managedCluster').addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, ''), ''), '')]" + }, + "ingressApplicationGatewayIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of Application Gateway Ingress Controller (AGIC) identity." + }, + "value": "[coalesce(tryGet(tryGet(tryGet(reference('managedCluster').addonProfiles, 'ingressApplicationGateway'), 'identity'), 'objectId'), '')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('managedCluster', '2023-07-02-preview', 'full').location]" + }, + "oidcIssuerUrl": { + "type": "string", + "metadata": { + "description": "The OIDC token issuer URL." + }, + "value": "[if(parameters('enableOidcIssuerProfile'), reference('managedCluster').oidcIssuerProfile.issuerURL, '')]" + }, + "addonProfiles": { + "type": "object", + "metadata": { + "description": "The addonProfiles of the Kubernetes cluster." + }, + "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" + }, + "webAppRoutingIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of Web Application Routing." + }, + "value": "[if(and(and(and(contains(reference('managedCluster'), 'ingressProfile'), contains(reference('managedCluster').ingressProfile, 'webAppRouting')), contains(reference('managedCluster').ingressProfile.webAppRouting, 'identity')), contains(reference('managedCluster').ingressProfile.webAppRouting.identity, 'objectId')), reference('managedCluster').ingressProfile.webAppRouting.identity.objectId, '')]" + } + } } \ No newline at end of file 
From d9d83cdf2318209b63df1fda2e8007f600aa875f Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Fri, 15 Dec 2023 12:43:42 +0000 Subject: [PATCH 161/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index e1ebd8a740..c2daac8768 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -45,7 +45,7 @@ This section provides an overview of the library's feature set. | 30 | consumption

budget | [![Consumption - Budgets](https://github.com/Azure/ResourceModules/workflows/Consumption%20-%20Budgets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.consumption.budgets.yml) | | | | | | | [L1:1, L2:1, L3:3] | 92 | | 31 | container-instance

container-group | [![ContainerInstance - ContainerGroups](https://github.com/Azure/ResourceModules/workflows/ContainerInstance%20-%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | | | | | | [L1:1, L2:1, L3:5] | 175 | | 32 | container-registry

registry | [![ContainerRegistry - Registries](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry%20-%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | | | | | | [L1:4, L2:1, L3:5] | 447 | -| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 710 | +| 33 | container-service

managed-cluster | [![ContainerService - ManagedClusters](https://github.com/Azure/ResourceModules/workflows/ContainerService%20-%20ManagedClusters/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | | | | | | | [L1:2, L2:1, L3:4] | 712 | | 34 | data-factory

factory | [![DataFactory - Factories](https://github.com/Azure/ResourceModules/workflows/DataFactory%20-%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | | | | | | | [L1:3, L2:2, L3:3] | 342 | | 35 | data-protection

backup-vault | [![DataProtection - BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection%20-%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | | | | | | [L1:2, L2:1, L3:3] | 159 | | 36 | databricks

access-connector | [![Databricks - Access Connectors](https://github.com/Azure/ResourceModules/workflows/Databricks%20-%20Access%20Connectors/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.accessconnectors.yml) | | | | | | | [L1:1, L2:1, L3:3] | 110 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29907 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29909 | ## Legend From 99a7200f5655d7ae9883dd81e50d4944dab9ef24 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Sat, 16 Dec 2023 04:36:31 +0100 Subject: [PATCH 162/178] Added MOVED-TO-AVM for four modules (#4379) --- modules/api-management/service/MOVED-TO-AVM.md | 1 + modules/api-management/service/README.md | 2 ++ modules/data-factory/factory/MOVED-TO-AVM.md | 1 + modules/data-factory/factory/README.md | 2 ++ modules/insights/webtest/MOVED-TO-AVM.md | 1 + modules/insights/webtest/README.md | 2 ++ modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md | 1 + modules/maintenance/maintenance-configuration/README.md | 2 ++ 8 files changed, 12 insertions(+) create mode 100644 modules/api-management/service/MOVED-TO-AVM.md create mode 100644 modules/data-factory/factory/MOVED-TO-AVM.md create mode 100644 modules/insights/webtest/MOVED-TO-AVM.md create mode 100644 modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md diff --git a/modules/api-management/service/MOVED-TO-AVM.md b/modules/api-management/service/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/api-management/service/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 5e4a021247..8e1d7f8732 100644 --- a/modules/api-management/service/README.md 
+++ b/modules/api-management/service/README.md @@ -1,5 +1,7 @@ # API Management Services `[Microsoft.ApiManagement/service]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an API Management Service. ## Navigation diff --git a/modules/data-factory/factory/MOVED-TO-AVM.md b/modules/data-factory/factory/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/data-factory/factory/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index dd0ad74ada..dd236c95ca 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -1,5 +1,7 @@ # Data Factories `[Microsoft.DataFactory/factories]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Data Factory. ## Navigation diff --git a/modules/insights/webtest/MOVED-TO-AVM.md b/modules/insights/webtest/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/insights/webtest/MOVED-TO-AVM.md 
@@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index e08756c1d1..4fbcb8642c 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -1,5 +1,7 @@ # Web Tests `[Microsoft.Insights/webtests]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Web Test. ## Navigation diff --git a/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md b/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/maintenance/maintenance-configuration/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index e26f1b8299..3cd31f63f0 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md 
@@ -1,5 +1,7 @@ # Maintenance Configurations `[Microsoft.Maintenance/maintenanceConfigurations]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Maintenance Configuration. ## Navigation From 87892f938c1b37860bee206ba9a9f6662ae5bb1d Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 17 Dec 2023 12:05:33 +0000 Subject: [PATCH 163/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 275 +++++++++++++++++++++----------- 1 file changed, 179 insertions(+), 96 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 87ec502779..041285de63 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -493,7 +493,8 @@ ], "prometheusRuleGroups": [ "2021-07-22-preview", - "2023-03-01" + "2023-03-01", + "2023-09-01-preview" ], "smartDetectorAlertRules": [ "2018-02-01-privatepreview", @@ -654,7 +655,6 @@ "2020-06-01-preview", "2020-12-01", "2021-01-01-preview", - "2021-04-01-preview", "2021-08-01", "2021-12-01-preview", "2022-04-01-preview", @@ -692,7 +692,6 @@ "2020-06-01-preview", "2020-12-01", "2021-01-01-preview", - "2021-04-01-preview", "2021-08-01", "2021-12-01-preview", "2022-04-01-preview", @@ -1202,7 +1201,6 @@ ], "service/eventGridFilters": [ "2021-01-01-preview", - "2021-04-01-preview", "2021-08-01", "2021-12-01-preview", "2022-04-01-preview", @@ -2259,7 +2257,8 @@ "2021-10-01-preview", "2022-03-01-preview", "2022-05-01", - "2023-03-01" + "2023-03-01", + "2023-08-01-preview" ], "configurationStores/eventGridFilters": [ "2019-02-01-preview", 
@@ -2279,7 +2278,8 @@ "2021-10-01-preview", "2022-03-01-preview", "2022-05-01", - "2023-03-01" + "2023-03-01", + "2023-08-01-preview" ], "configurationStores/privateEndpointConnections": [ "2019-11-01-preview", @@ -2289,11 +2289,16 @@ "2021-10-01-preview", "2022-03-01-preview", "2022-05-01", - "2023-03-01" + "2023-03-01", + "2023-08-01-preview" ], "configurationStores/replicas": [ "2022-03-01-preview", - "2023-03-01" + "2023-03-01", + "2023-08-01-preview" + ], + "configurationStores/snapshots": [ + "2023-08-01-preview" ], "deletedConfigurationStores": [ "2021-10-01-preview", @@ -2480,7 +2485,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apiPortals": [ "2022-01-01-preview", @@ -2494,7 +2500,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apiPortals/domains": [ "2022-01-01-preview", @@ -2508,13 +2515,15 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apms": [ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/applicationAccelerators": [ "2022-11-01-preview", @@ -2523,7 +2532,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/applicationAccelerators/customizedAccelerators": [ "2022-11-01-preview", @@ -2532,7 +2542,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/applicationLiveViews": [ "2022-11-01-preview", @@ -2541,7 +2552,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apps": [ "2020-07-01", 
@@ -2560,7 +2572,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apps/bindings": [ "2020-07-01", @@ -2579,7 +2592,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apps/deployments": [ "2020-07-01", @@ -2598,7 +2612,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apps/deployments/operationResults": [ "2020-07-01", @@ -2655,7 +2670,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/apps/operationResults": [ "2020-07-01", @@ -2700,7 +2716,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/buildServices/agentPools": [ "2022-01-01-preview", @@ -2715,7 +2732,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/buildServices/builders": [ "2022-01-01-preview", @@ -2730,7 +2748,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/buildServices/builders/buildpackBindings": [ "2022-01-01-preview", @@ -2745,7 +2764,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/buildServices/builds": [ "2022-01-01-preview", @@ -2760,7 +2780,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/certificates": [ "2020-07-01", 
@@ -2779,7 +2800,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/configServers": [ "2020-07-01", @@ -2798,7 +2820,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/configServers/operationResults": [ "2020-07-01", @@ -2851,14 +2874,16 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/containerRegistries": [ "2023-03-01-preview", "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/DevToolPortals": [ "2022-11-01-preview", @@ -2867,7 +2892,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/eurekaServers": [ "2020-07-01", @@ -2938,7 +2964,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/gateways/domains": [ "2022-01-01-preview", @@ -2952,7 +2979,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/gateways/routeConfigs": [ "2022-01-01-preview", @@ -2966,7 +2994,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/monitoringSettings": [ "2020-07-01", @@ -2985,7 +3014,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/operationResults": [ "2020-07-01", @@ -3038,7 +3068,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "Spring/storages": [ "2021-09-01-preview", 
@@ -3053,7 +3084,8 @@ "2023-05-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ] }, "Microsoft.AppSecurity": { @@ -4082,7 +4114,8 @@ "2023-01-15-preview", "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "Locations/OperationStatuses": [ "2021-07-01-preview", @@ -4093,7 +4126,8 @@ "2023-01-15-preview", "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "Operations": [ "2021-07-01-preview", @@ -4104,7 +4138,8 @@ "2023-01-15-preview", "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "postgresInstances": [ "2021-06-01-preview", @@ -4141,19 +4176,22 @@ "2023-01-15-preview", "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "SqlServerInstances/AvailabilityGroups": [ "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "sqlServerInstances/databases": [ "2022-06-15-preview", "2023-01-15-preview", "2023-05-16-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ] }, "Microsoft.AzureBridge.Admin": { @@ -4494,7 +4532,9 @@ "2023-07-01-preview", "2023-08-01", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview", + "2024-01-01" ], "locations/operationstatuses": [ "2020-10-01", @@ -4517,12 +4557,15 @@ "2023-07-01-preview", "2023-08-01", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview", + "2023-12-01-preview", + "2024-01-01" ], "logicalNetworks": [ "2023-09-01-preview" ], - "marketplacegalleryimages": [ + "marketplaceGalleryImages": [ "2021-09-01-preview", "2022-12-15-preview", "2023-07-01-preview", 
@@ -4558,7 +4601,10 @@ "2023-07-01-preview", "2023-08-01", "2023-08-01-preview", - "2023-09-01-preview" + "2023-09-01-preview", + "2023-11-01-preview", + "2023-12-01-preview", + "2024-01-01" ], "registeredSubscriptions": [ "2022-09-01", @@ -4568,9 +4614,10 @@ "2023-03-01", "2023-06-01", "2023-08-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-01-preview" ], - "storagecontainers": [ + "storageContainers": [ "2021-09-01-preview", "2022-12-15-preview", "2023-07-01-preview", @@ -5916,7 +5963,7 @@ "2022-09-15", "2023-09-15-preview" ], - "botServices/Connections": [ + "botServices/connections": [ "2017-12-01", "2018-07-12", "2020-06-02", @@ -12750,7 +12797,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations": [ "2018-01-01", @@ -12765,7 +12813,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/availableSkus": [ "2018-01-01", @@ -12780,7 +12829,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/checkNameAvailability": [ "2018-01-01", @@ -12795,7 +12845,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/operationresults": [ "2018-01-01", @@ -12810,7 +12861,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/regionConfiguration": [ "2018-01-01", @@ -12825,7 +12877,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/validateAddress": [ "2018-01-01", @@ -12840,7 +12893,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "locations/validateInputs": [ "2018-01-01", @@ -12855,7 +12909,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ], "operations": [ "2018-01-01", 
@@ -12870,7 +12925,8 @@ "2022-09-01", "2022-10-01", "2022-12-01", - "2023-03-01" + "2023-03-01", + "2023-12-01" ] }, "Microsoft.DataBoxEdge": { @@ -13706,7 +13762,8 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "services/projects/tasks": [ "2017-11-15-preview", @@ -13717,14 +13774,16 @@ "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "services/serviceTasks": [ "2018-07-15-preview", "2021-06-30", "2021-10-30-preview", "2022-01-30-preview", - "2022-03-30-preview" + "2022-03-30-preview", + "2023-07-15-preview" ], "sqlMigrationServices": [ "2020-09-01-preview", @@ -14566,7 +14625,7 @@ "2020-01-01-preview", "2020-01-01-privatepreview" ], - "servers/administrators": [ + "servers/Administrators": [ "2017-12-01", "2017-12-01-preview", "2018-06-01-privatepreview" @@ -16351,16 +16410,20 @@ }, "Microsoft.DevOpsInfrastructure": { "Locations": [ - "2023-10-30-preview" + "2023-10-30-preview", + "2023-12-13-preview" ], "Locations/OperationStatuses": [ - "2023-10-30-preview" + "2023-10-30-preview", + "2023-12-13-preview" ], "Operations": [ - "2023-10-30-preview" + "2023-10-30-preview", + "2023-12-13-preview" ], "pools": [ - "2023-10-30-preview" + "2023-10-30-preview", + "2023-12-13-preview" ] }, "Microsoft.DevSpaces": { @@ -18626,6 +18689,9 @@ ], "operationStatuses": [ "2023-05-01-preview" + ], + "validate": [ + "2023-05-01-preview" ] }, "Microsoft.EntitlementManagement": { @@ -19402,11 +19468,6 @@ "2021-07-01" ] }, - "Microsoft.FileShares": { - "locations": [ - "2023-01-01-preview" - ] - }, "Microsoft.FluidRelay": { "fluidRelayServers": [ "2021-03-12-preview", @@ -19730,7 +19791,8 @@ "2023-09-06", "2023-10-15-preview", "2023-11-01", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01" ], "locations/operationresults": [ "2018-08-20-preview", 
@@ -20486,7 +20548,8 @@ }, "Microsoft.HybridContainerService": { "kubernetesVersions": [ - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "Locations": [ "2021-08-01-preview", @@ -20519,13 +20582,16 @@ "2024-01-01" ], "provisionedClusterInstances": [ - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "provisionedClusterInstances/agentPools": [ - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "provisionedClusterInstances/hybridIdentityMetadata": [ - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "provisionedClusters": [ "2021-08-01-preview", @@ -20549,7 +20615,8 @@ "2022-09-01-preview" ], "skus": [ - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ], "storageSpaces": [ "2022-05-01-preview", @@ -20558,7 +20625,8 @@ "virtualNetworks": [ "2022-05-01-preview", "2022-09-01-preview", - "2023-11-15-preview" + "2023-11-15-preview", + "2024-01-01" ] }, "Microsoft.HybridData": { @@ -20702,7 +20770,7 @@ "2016-05-01" ] }, - "microsoft.insights": { + "Microsoft.Insights": { "actionGroups": [ "2017-03-01-preview", "2017-04-01", @@ -21800,7 +21868,8 @@ "2021-10-01", "2022-05-01-preview", "2022-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2024-01-01" ], "locations": [ "2020-01-01-preview", @@ -24675,7 +24744,7 @@ "2019-10-01", "2023-03-15" ], - "assessmentprojects/privateEndpointConnections": [ + "assessmentProjects/privateEndpointConnections": [ "2019-10-01", "2023-03-15" ], @@ -25072,6 +25141,9 @@ "2021-06-03-preview", "2023-04-03" ], + "locations/operationStatuses": [ + "2023-10-01-preview" + ], "operations": [ "2021-06-01-preview", "2021-06-03-preview", @@ -26607,7 +26679,7 @@ "2023-07-01", "2023-07-01-preview" ], - "dnsZones": [ + "dnszones": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26617,7 +26689,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/A": [ + "dnszones/A": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", 
@@ -26627,7 +26699,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/AAAA": [ + "dnszones/AAAA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26655,7 +26727,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/CNAME": [ + "dnszones/CNAME": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26671,7 +26743,7 @@ "dnszones/DS": [ "2023-07-01-preview" ], - "dnsZones/MX": [ + "dnszones/MX": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26684,7 +26756,7 @@ "dnszones/NAPTR": [ "2023-07-01-preview" ], - "dnsZones/NS": [ + "dnszones/NS": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26694,7 +26766,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/PTR": [ + "dnszones/PTR": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26714,7 +26786,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/SOA": [ + "dnszones/SOA": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26724,7 +26796,7 @@ "2018-05-01", "2023-07-01-preview" ], - "dnsZones/SRV": [ + "dnszones/SRV": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -26737,7 +26809,7 @@ "dnszones/TLSA": [ "2023-07-01-preview" ], - "dnsZones/TXT": [ + "dnszones/TXT": [ "2015-05-04-preview", "2016-04-01", "2017-09-01", @@ -35686,9 +35758,6 @@ "informationProtectionPolicies": [ "2017-08-01-preview" ], - "ingestionSettings": [ - "2021-01-15-preview" - ], "integrations": [ "2023-07-01-preview" ], @@ -36860,7 +36929,8 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "overview": [ "2022-09-01-preview", @@ -42947,10 +43017,12 @@ }, "Microsoft.StandbyPool": { "Locations": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-01-preview" ], "Locations/OperationStatuses": [ - "2023-06-01-preview" + "2023-06-01-preview", + "2023-12-01-preview" ] }, "Microsoft.Storage": { 
@@ -47860,6 +47932,17 @@ "2023-09-01" ] }, + "Oracle.Database": { + "Locations": [ + "2023-09-01-preview" + ], + "Locations/OperationStatuses": [ + "2023-09-01-preview" + ], + "Operations": [ + "2023-09-01-preview" + ] + }, "PaloAltoNetworks.Cloudngfw": { "checkNameAvailability": [ "2022-08-29", From 1985742bcbc4f481b8df215c3dc7d1e09b043904 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Thu, 21 Dec 2023 12:29:40 +0100 Subject: [PATCH 164/178] [Module] Implemented workaround for fileShare role assignment (#4391) * Update to latest * Update to latest --- modules/storage/storage-account/README.md | 2 +- .../container/immutability-policy/main.json | 4 +- .../blob-service/container/main.json | 8 +- .../storage-account/blob-service/main.json | 12 +- .../storage-account/file-service/README.md | 3 +- .../storage-account/file-service/main.json | 258 ++++++++++++--- .../file-service/share/README.md | 3 +- .../file-service/share/main.bicep | 47 +-- .../file-service/share/main.json | 254 ++++++++++++--- .../modules/nested_inner_roleAssignment.json | 93 ++++++ .../share/modules/nested_roleAssignment.bicep | 70 ++++ .../storage-account/local-user/main.json | 4 +- modules/storage/storage-account/main.json | 306 ++++++++++++++---- .../management-policy/main.json | 4 +- .../storage-account/queue-service/main.json | 8 +- .../queue-service/queue/main.json | 4 +- .../storage-account/table-service/main.json | 8 +- .../table-service/table/main.json | 4 +- .../sharedScripts/Get-NestedResourceList.ps1 | 4 +- .../staticValidation/helper/helper.psm1 | 4 +- 20 files changed, 866 insertions(+), 234 deletions(-) create mode 100644 modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json create mode 100644 modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 15e4f69073..27bdc6a182 100644 
--- a/modules/storage/storage-account/README.md
+++ b/modules/storage/storage-account/README.md
@@ -25,7 +25,7 @@ This module deploys a Storage Account.
 | `Microsoft.Storage/storageAccounts/blobServices/containers` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers) |
 | `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts/blobServices/containers/immutabilityPolicies) |
 | `Microsoft.Storage/storageAccounts/fileServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices) |
-| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices/shares) |
+| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) |
 | `Microsoft.Storage/storageAccounts/localUsers` | [2022-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-05-01/storageAccounts/localUsers) |
 | `Microsoft.Storage/storageAccounts/managementPolicies` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/managementPolicies) |
 | `Microsoft.Storage/storageAccounts/queueServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/queueServices) |
diff --git a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json
index 1e1265cebb..acccffe952 100644
--- a/modules/storage/storage-account/blob-service/container/immutability-policy/main.json
+++ b/modules/storage/storage-account/blob-service/container/immutability-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11642031800707172818" + "version": "0.24.24.22086", + "templateHash": "4658218767079659572" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json index 6965e07fc0..32e4f44927 100644 --- a/modules/storage/storage-account/blob-service/container/main.json +++ b/modules/storage/storage-account/blob-service/container/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "679743391871280708" + "version": "0.24.24.22086", + "templateHash": "12877248389226548296" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -302,8 +302,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11642031800707172818" + "version": "0.24.24.22086", + "templateHash": "4658218767079659572" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/blob-service/main.json b/modules/storage/storage-account/blob-service/main.json index a9670807c1..c0f00a1339 100644 --- a/modules/storage/storage-account/blob-service/main.json +++ b/modules/storage/storage-account/blob-service/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7804367921688111066" + "version": "0.24.24.22086", + "templateHash": "15895331301993414988" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -382,8 +382,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "679743391871280708" + "version": "0.24.24.22086", + "templateHash": "12877248389226548296" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -679,8 +679,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11642031800707172818" + "version": "0.24.24.22086", + "templateHash": "4658218767079659572" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/modules/storage/storage-account/file-service/README.md b/modules/storage/storage-account/file-service/README.md index 1bef3a67d8..f62b23abcc 100644 --- a/modules/storage/storage-account/file-service/README.md +++ b/modules/storage/storage-account/file-service/README.md 
@@ -13,10 +13,9 @@ This module deploys a Storage Account File Share Service. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Storage/storageAccounts/fileServices` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices) | -| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices/shares) | +| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) | ## Parameters diff --git a/modules/storage/storage-account/file-service/main.json b/modules/storage/storage-account/file-service/main.json index fe39f789cc..62cc609f66 100644 --- a/modules/storage/storage-account/file-service/main.json +++ b/modules/storage/storage-account/file-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14917534017717518918" + "version": "0.24.24.22086", + "templateHash": "5919540891902254282" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -271,8 +271,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9132955781190739589" + "version": "0.24.24.22086", + "templateHash": "3643709768620634256" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", 
@@ -424,32 +424,6 @@ } } }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, "resources": { "storageAccount::fileService": { "existing": true, @@ -482,7 +456,7 @@ }, "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2021-09-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "properties": { "accessTier": "[parameters('accessTier')]", 
@@ -495,22 +469,214 @@ ] }, "fileShare_roleAssignments": { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "fileShareResourceId": { + "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "12925188407376905475" + } + }, + "parameters": { + "roleAssignments": { + "type": "array", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "fileShareResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the file share to assign the roles to." + } + } + }, + "variables": { + "$fxv#0": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string", + "metadata": { + "description": "Required. The scope to deploy the role assignment to." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. 
The name of the role assignment." + } + }, + "roleDefinitionId": { + "type": "string", + "metadata": { + "description": "Required. The role definition Id to assign." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "defaultValue": "2.0", + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[[parameters('scope')]", + "name": "[[parameters('name')]", + "properties": { + "roleDefinitionId": "[[parameters('roleDefinitionId')]", + "principalId": "[[parameters('principalId')]", + "description": "[[parameters('description')]", + "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "copy": { + "name": "fileShare_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "Outer" + }, + "template": "[variables('$fxv#0')]", + "parameters": { + "scope": { + "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" + }, + "name": { + "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" + }, + "roleDefinitionId": { + "value": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" + }, + "principalId": { + "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" + }, + "principalType": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" + }, + 
"description": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" + }, + "condition": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" + }, + "conditionVersion": { + "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" + }, + "delegatedManagedIdentityResourceId": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + } + } + } + } + ] + } }, "dependsOn": [ "fileShare" diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index ae421797c0..e34cc1ad9d 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md @@ -13,8 +13,7 @@ This module deploys a Storage Account File Share. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2021-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-09-01/storageAccounts/fileServices/shares) | +| `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts/fileServices/shares) | ## Parameters diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep index 554464fc4a..dff258f06b 100644 --- a/modules/storage/storage-account/file-service/share/main.bicep 
+++ b/modules/storage/storage-account/file-service/share/main.bicep 
@@ -45,31 +45,6 @@ param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -var builtInRoleNames = { - Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349') - 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') - 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1') - 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab') - 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12') - 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') - 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') - 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') - 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a') - 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb') - 
'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7') - 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314') - 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') - 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed') - 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a') - 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925') - 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3') - 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') -} - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -90,7 +65,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing } } -resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-09-01' = { +resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = { name: name parent: storageAccount::fileService properties: { 
@@ -101,19 +76,14 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-0 } } -resource fileShare_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) - properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) - principalId: roleAssignment.principalId - description: roleAssignment.?description - principalType: roleAssignment.?principalType - condition: roleAssignment.?condition - conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set - delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId +// NOTE: This is a workaround for a bug of the resource provider. Ref: https://github.com/Azure/bicep-types-az/issues/1532 +module fileShare_roleAssignments 'modules/nested_roleAssignment.bicep' = if (!empty(roleAssignments)) { + name: '${uniqueString(deployment().name)}-Share-Rbac' + params: { + fileShareResourceId: fileShare.id + roleAssignments: roleAssignments! } - scope: fileShare -}] +} @description('The name of the deployed file share.') output name string = fileShare.name @@ -123,6 +93,7 @@ output resourceId string = fileShare.id @description('The resource group of the deployed file share.') output resourceGroupName string = resourceGroup().name + // =============== // // Definitions // // =============== // 
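Review bot: The replacement `module fileShare_roleAssignments` changes the name under which each role assignment is created, and the hunk's `// NOTE:` comment does not say so. The removed resource named assignments `guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)`, while the compiled nested template in main.json (the `$fxv#0` block) uses `guid(parameters('fileShareResourceId'), …principalId, …roleDefinitionIdOrName, 'tyfa')`; the module's source, `modules/nested_roleAssignment.bicep`, lies outside this chunk. Because the wrapping deployment runs in `Incremental` mode, upgrading an existing share redeploys every entry under the new name and leaves the assignments created by the previous version in place, so permissions persist that the template no longer tracks and that removing an entry from `roleAssignments` will not clean up. I would extend the comment, e.g. `// NOTE: assignment names changed with this workaround; role assignments created by earlier module versions are not updated in place and have to be removed separately.`, and call the same out in the README.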
diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json index 09244c51ff..485ca37a88 100644 --- a/modules/storage/storage-account/file-service/share/main.json +++ b/modules/storage/storage-account/file-service/share/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9132955781190739589" + "version": "0.24.24.22086", + "templateHash": "3643709768620634256" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", 
@@ -158,32 +158,6 @@ } } }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, "resources": { "storageAccount::fileService": { "existing": true, @@ -216,7 +190,7 @@ }, "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2021-09-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "properties": { "accessTier": "[parameters('accessTier')]", 
@@ -229,22 +203,214 @@ ] }, "fileShare_roleAssignments": { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "fileShareResourceId": { + "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "12925188407376905475" + } + }, + "parameters": { + "roleAssignments": { + "type": "array", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "fileShareResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the file share to assign the roles to." + } + } + }, + "variables": { + "$fxv#0": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string", + "metadata": { + "description": "Required. The scope to deploy the role assignment to." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. 
The name of the role assignment." + } + }, + "roleDefinitionId": { + "type": "string", + "metadata": { + "description": "Required. The role definition Id to assign." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "defaultValue": "2.0", + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[[parameters('scope')]", + "name": "[[parameters('name')]", + "properties": { + "roleDefinitionId": "[[parameters('roleDefinitionId')]", + "principalId": "[[parameters('principalId')]", + "description": "[[parameters('description')]", + "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "copy": { + "name": "fileShare_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "Outer" + }, + "template": "[variables('$fxv#0')]", + "parameters": { + "scope": { + "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" + }, + "name": { + "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" + }, + "roleDefinitionId": { + "value": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" + }, + "principalId": { + "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" + }, + "principalType": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" + }, + 
"description": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" + }, + "condition": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" + }, + "conditionVersion": { + "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" + }, + "delegatedManagedIdentityResourceId": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + } + } + } + } + ] + } }, "dependsOn": [ "fileShare" diff --git a/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json b/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json new file mode 100644 index 0000000000..12470dd7d0 --- /dev/null +++ b/modules/storage/storage-account/file-service/share/modules/nested_inner_roleAssignment.json 
@@ -0,0 +1,93 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "scope": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The scope to deploy the role assignment to."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the role assignment."
+ }
+ },
+ "roleDefinitionId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role definition Id to assign."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User",
+ ""
+ ],
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\""
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "defaultValue": "2.0",
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[parameters('scope')]",
+ "name": "[parameters('name')]",
+ "properties": {
+ "roleDefinitionId": "[parameters('roleDefinitionId')]",
+ "principalId": "[parameters('principalId')]",
+ "description": "[parameters('description')]",
+ "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
+ "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]",
+ "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
+ "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]"
+ }
+ }
+ ]
+}
diff --git a/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep b/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep
new file mode 100644
index 0000000000..a557511193
--- /dev/null
+++ b/modules/storage/storage-account/file-service/share/modules/nested_roleAssignment.bicep
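Review bot: The `condition` parameter's description example, `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] ...`, is a blob-container ABAC condition, although this template is only deployed against a file share scope (the sibling nested_roleAssignment.bicep loads it via `loadJsonContent` and rewrites the scope to `/fileShares/`); a file-share attribute example, or wording that marks the example as illustrative, would avoid copy-paste of a condition that can never match at that scope. The template also carries no top-level `metadata` saying that it exists solely as the inner template of that nested deployment and that its parameter list must stay in step with the `parameters` block the bicep passes; a one-line `"metadata": { "description": "Inner template consumed by nested_roleAssignment.bicep via loadJsonContent; keep parameters in sync with its parameters block." }` at the top would document that coupling. Since `principalType` defaults to empty and is mapped to null, it is also worth stating in its description that supplying it (for example `ServicePrincipal`) is recommended when the principal was only just created, so the assignment does not fail on directory replication delay.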
@@ -0,0 +1,70 @@
+@description('Optional. Array of role assignments to create.')
+param roleAssignments array
+
+@description('Required. The resource id of the file share to assign the roles to.')
+param fileShareResourceId string
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reader and Data Access': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'Storage Account Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')
+ 'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
+ 'Storage Account Key Operator Service Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')
+ 'Storage Blob Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+ 'Storage Blob Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
+ 'Storage Blob Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
+ 'Storage Blob Delegator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')
+ 'Storage File Data SMB Share Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')
+ 'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')
+ 'Storage File Data SMB Share Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')
+ 'Storage Queue Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+ 'Storage Queue Data Message Processor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')
+ 'Storage Queue Data Message Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')
+ 'Storage Queue Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')
+ 'Storage Table Data Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+ 'Storage Table Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource fileShare_roleAssignments 'Microsoft.Resources/deployments@2021-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: '${uniqueString(deployment().name)}-Share-Rbac-${index}'
+ properties: {
+ mode: 'Incremental'
+ expressionEvaluationOptions: {
+ scope: 'Outer'
+ }
+ template: loadJsonContent('nested_inner_roleAssignment.json')
+ parameters: {
+ scope: {
+ value: replace(fileShareResourceId, '/shares/', '/fileShares/')
+ }
+ name: {
+ value: guid(fileShareResourceId, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName, 'tyfa')
+ }
+ roleDefinitionId: {
+ value: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
+ }
+ principalId: {
+ value: roleAssignment.principalId
+ }
+ principalType: {
+ value: roleAssignment.?principalType
+ }
+ description: {
+ value: roleAssignment.?description
+ }
+ condition: {
+ value: roleAssignment.?condition
+ }
+ conditionVersion: {
+ value: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ }
+ delegatedManagedIdentityResourceId: {
+ value: roleAssignment.?delegatedManagedIdentityResourceId
+ }
+ }
+ }
+}]
diff --git a/modules/storage/storage-account/local-user/main.json b/modules/storage/storage-account/local-user/main.json
index aa6273caf6..741cf04608 100644
--- a/modules/storage/storage-account/local-user/main.json
+++ b/modules/storage/storage-account/local-user/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.23.1.45101",
- "templateHash": "11792662730124549359"
+ "version": "0.24.24.22086",
+ "templateHash": "9451599245128557073"
 },
 "name": "Storage Account Local Users",
 "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.",
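Review bot: `param roleAssignments array` is documented as `Optional` but is declared with neither a default nor a nullable marker, which contradicts the description and the `roleAssignments ?? []` coalescing in the loop header; `param roleAssignments array?` (or `= []`) makes the declaration match what the loop already assumes. The assignment name now includes a `'tyfa'` salt and the scope is rewritten to `/fileShares/`, whereas the inline assignment removed from the storage-account main.json hunk on this page used `guid(resourceId(...), principalId, roleDefinitionIdOrName)` at the `/shares/` scope; an incremental redeploy will presumably not delete assignments created under the old name, so deployments being upgraded should be checked for orphaned or duplicate assignments on the share. The inline comment on the `conditionVersion` line misspells `condition`: `// Must only be set if condition is set`.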
diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 489d9444ee..d51f4396a4 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3619035184821404610" + "version": "0.24.24.22086", + "templateHash": "18392898268305996931" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", @@ -991,8 +991,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" + "version": "0.24.24.22086", + "templateHash": "11154909986774213690" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1394,8 +1394,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" + "version": "0.24.24.22086", + "templateHash": "6129461321051281170" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1562,8 +1562,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9776092818963506976" + "version": "0.24.24.22086", + "templateHash": "17367295274678732206" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", @@ -1690,8 +1690,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11792662730124549359" + "version": "0.24.24.22086", + "templateHash": "9451599245128557073" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", 
@@ -1868,8 +1868,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7804367921688111066" + "version": "0.24.24.22086", + "templateHash": "15895331301993414988" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -2245,8 +2245,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "679743391871280708" + "version": "0.24.24.22086", + "templateHash": "12877248389226548296" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -2542,8 +2542,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "11642031800707172818" + "version": "0.24.24.22086", + "templateHash": "4658218767079659572" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", @@ -2739,8 +2739,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "14917534017717518918" + "version": "0.24.24.22086", + "templateHash": "5919540891902254282" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -3005,8 +3005,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9132955781190739589" + "version": "0.24.24.22086", + "templateHash": "3643709768620634256" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", 
@@ -3158,32 +3158,6 @@ } } }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, "resources": { "storageAccount::fileService": { "existing": true, @@ -3216,7 +3190,7 @@ }, "fileShare": { "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2021-09-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "properties": { "accessTier": "[parameters('accessTier')]", 
@@ -3229,22 +3203,214 @@ ] }, "fileShare_roleAssignments": { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "condition": "[not(empty(parameters('roleAssignments')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Share-Rbac', uniqueString(deployment().name))]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "fileShareResourceId": { + "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "12925188407376905475" + } + }, + "parameters": { + "roleAssignments": { + "type": "array", + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "fileShareResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the file share to assign the roles to." + } + } + }, + "variables": { + "$fxv#0": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string", + "metadata": { + "description": "Required. The scope to deploy the role assignment to." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. 
The name of the role assignment." + } + }, + "roleDefinitionId": { + "type": "string", + "metadata": { + "description": "Required. The role definition Id to assign." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "defaultValue": "2.0", + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[[parameters('scope')]", + "name": "[[parameters('name')]", + "properties": { + "roleDefinitionId": "[[parameters('roleDefinitionId')]", + "principalId": "[[parameters('principalId')]", + "description": "[[parameters('description')]", + "principalType": "[[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + }, + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Storage Account Key Operator Service Role": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", + "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", + "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", + "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", + "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", + "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", + "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", + "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", + "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", + "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", + "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", + "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", + "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'76199698-9eea-4c19-bc75-cec21354c6b6')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "copy": { + "name": "fileShare_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "Outer" + }, + "template": "[variables('$fxv#0')]", + "parameters": { + "scope": { + "value": "[replace(parameters('fileShareResourceId'), '/shares/', '/fileShares/')]" + }, + "name": { + "value": "[guid(parameters('fileShareResourceId'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, 'tyfa')]" + }, + "roleDefinitionId": { + "value": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]" + }, + "principalId": { + "value": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]" + }, + "principalType": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]" + }, + 
"description": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]" + }, + "condition": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]" + }, + "conditionVersion": { + "value": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]" + }, + "delegatedManagedIdentityResourceId": { + "value": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + } + } + } + } + ] + } }, "dependsOn": [ "fileShare" @@ -3340,8 +3506,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13348116021204111185" + "version": "0.24.24.22086", + "templateHash": "488727166620230076" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", @@ -3574,8 +3740,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1310506738440238472" + "version": "0.24.24.22086", + "templateHash": "100286929116341954" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -3862,8 +4028,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4505205701529964174" + "version": "0.24.24.22086", + "templateHash": "4899998340898025880" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", 
@@ -4093,8 +4259,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10703796356093627612" + "version": "0.24.24.22086", + "templateHash": "12296091632007980628" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", diff --git a/modules/storage/storage-account/management-policy/main.json b/modules/storage/storage-account/management-policy/main.json index ab33a27862..e14e0b5a9e 100644 --- a/modules/storage/storage-account/management-policy/main.json +++ b/modules/storage/storage-account/management-policy/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9776092818963506976" + "version": "0.24.24.22086", + "templateHash": "17367295274678732206" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", diff --git a/modules/storage/storage-account/queue-service/main.json b/modules/storage/storage-account/queue-service/main.json index db10af66c2..5c2212b540 100644 --- a/modules/storage/storage-account/queue-service/main.json +++ b/modules/storage/storage-account/queue-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "13348116021204111185" + "version": "0.24.24.22086", + "templateHash": "488727166620230076" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", @@ -239,8 +239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1310506738440238472" + "version": "0.24.24.22086", + "templateHash": "100286929116341954" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", 
diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json index 374952345c..908d9584b7 100644 --- a/modules/storage/storage-account/queue-service/queue/main.json +++ b/modules/storage/storage-account/queue-service/queue/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "1310506738440238472" + "version": "0.24.24.22086", + "templateHash": "100286929116341954" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", diff --git a/modules/storage/storage-account/table-service/main.json b/modules/storage/storage-account/table-service/main.json index a5c64493b1..b8cf06226e 100644 --- a/modules/storage/storage-account/table-service/main.json +++ b/modules/storage/storage-account/table-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4505205701529964174" + "version": "0.24.24.22086", + "templateHash": "4899998340898025880" }, "name": "Storage Account Table Services", "description": "This module deploys a Storage Account Table Service.", @@ -236,8 +236,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10703796356093627612" + "version": "0.24.24.22086", + "templateHash": "12296091632007980628" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", diff --git a/modules/storage/storage-account/table-service/table/main.json b/modules/storage/storage-account/table-service/table/main.json index 07b25e405f..7c0d098231 100644 --- a/modules/storage/storage-account/table-service/table/main.json +++ b/modules/storage/storage-account/table-service/table/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10703796356093627612" + "version": "0.24.24.22086", + "templateHash": "12296091632007980628" }, "name": "Storage Account Table", "description": "This module deploys a Storage Account Table.", diff --git a/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 b/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 index c00d655c9c..6348a8bc8a 100644 --- a/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 +++ b/utilities/pipelines/sharedScripts/Get-NestedResourceList.ps1 @@ -42,7 +42,9 @@ function Get-NestedResourceList { $res += $resource if ($resource.type -eq 'Microsoft.Resources/deployments') { - $res += Get-NestedResourceList -TemplateFileContent $resource.properties.template + if ($resource.properties.template.GetType().BaseType.Name -eq 'Hashtable') { + $res += Get-NestedResourceList -TemplateFileContent $resource.properties.template + } } else { $res += Get-NestedResourceList -TemplateFileContent $resource } diff --git a/utilities/pipelines/staticValidation/helper/helper.psm1 b/utilities/pipelines/staticValidation/helper/helper.psm1 index c50c1e2f0e..e091c7937e 100644 --- a/utilities/pipelines/staticValidation/helper/helper.psm1 +++ b/utilities/pipelines/staticValidation/helper/helper.psm1 
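Review bot: The new guard `$resource.properties.template.GetType().BaseType.Name -eq 'Hashtable'` throws instead of skipping when `template` is `$null`, which is what a nested deployment that references a `templateLink` rather than an inline template would carry, because PowerShell cannot call a method on a null-valued expression. The comparison is also tied to the concrete runtime type: a plain `[hashtable]` reports `Object` as its base type, so only Hashtable-derived types pass (presumably the ones `ConvertFrom-Json -AsHashtable` returns on newer PowerShell versions, if that is how `TemplateFileContent` is produced), and whether the recursion happens would then depend on the PowerShell version running the pipeline. A type test covers both concerns without evaluating anything on `$null`: `if ($resource.properties.template -is [System.Collections.IDictionary]) {`. The same check is introduced twice in the helper.psm1 hunk of Remove-JSONMetadata below and would benefit from the same rewrite. Get-NestedResourceList begins outside this hunk.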
@@ -161,14 +161,14 @@ function Remove-JSONMetadata { # Case: Hashtable $resourceIdentifiers = $TemplateObject.resources.Keys for ($index = 0; $index -lt $resourceIdentifiers.Count; $index++) { - if ($TemplateObject.resources[$resourceIdentifiers[$index]].type -eq 'Microsoft.Resources/deployments') { + if ($TemplateObject.resources[$resourceIdentifiers[$index]].type -eq 'Microsoft.Resources/deployments' -and $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template.GetType().BaseType.Name -eq 'Hashtable') { $TemplateObject.resources[$resourceIdentifiers[$index]] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template } } } else { # Case: Array for ($index = 0; $index -lt $TemplateObject.resources.Count; $index++) { - if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments') { + if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments' -and $TemplateObject.resources[$index].properties.template.GetType().BaseType.Name -eq 'Hashtable') { $TemplateObject.resources[$index] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$index].properties.template } } From 3e858dc2f82af7f5fe1864d803d127a077328d76 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 21 Dec 2023 11:30:48 +0000 Subject: [PATCH 165/178] Push updated Readme file(s) --- README.md | 4 ++-- docs/wiki/The library - Module overview.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b9c189fa13..613249e900 100644 --- a/README.md +++ b/README.md 
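Review bot: Both rewritten `if` lines index the same element three times on one line (`$TemplateObject.resources[$resourceIdentifiers[$index]]` in the hashtable branch, `$TemplateObject.resources[$index]` in the array branch), and the assignment on the following line repeats it twice more, which makes the condition hard to scan for the `-and` that was added. Binding the element once reads better and keeps the logic unchanged: `$nested = $TemplateObject.resources[$resourceIdentifiers[$index]]`, then `if ($nested.type -eq 'Microsoft.Resources/deployments' -and $nested.properties.template.GetType().BaseType.Name -eq 'Hashtable') {` and `$TemplateObject.resources[$resourceIdentifiers[$index]] = Remove-JSONMetadata -TemplateObject $nested.properties.template`, with the array branch following the same shape. Remove-JSONMetadata begins outside this hunk.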
@@ -92,7 +92,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | `Microsoft.EventHub` | [namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [Event Hub Namespaces](https://github.com/Azure/ResourceModules/tree/main/modules/event-hub/namespace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthBot` | [healthBots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [Azure Health Bots](https://github.com/Azure/ResourceModules/tree/main/modules/health-bot/health-bot) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | `Microsoft.HealthcareApis` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [Healthcare API Workspaces](https://github.com/Azure/ResourceModules/tree/main/modules/healthcare-apis/workspace) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| `microsoft.insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| `Microsoft.Insights` | [actionGroups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [Action Groups](https://github.com/Azure/ResourceModules/tree/main/modules/insights/action-group) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [activityLogAlerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [Activity Log Alerts](https://github.com/Azure/ResourceModules/tree/main/modules/insights/activity-log-alert) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [components](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | 
[Application Insights](https://github.com/Azure/ResourceModules/tree/main/modules/insights/component) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [dataCollectionEndpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [Data Collection Endpoints](https://github.com/Azure/ResourceModules/tree/main/modules/insights/data-collection-endpoint) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -121,7 +121,7 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | | [ddosProtectionPlans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) | [DDoS Protection Plans](https://github.com/Azure/ResourceModules/tree/main/modules/network/ddos-protection-plan) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [dnsForwardingRulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) | [Dns Forwarding Rulesets](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-forwarding-ruleset) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [dnsResolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) | [DNS Resolvers](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-resolver) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| | [dnsZones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [Public DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| | [dnszones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [Public DNS Zones](https://github.com/Azure/ResourceModules/tree/main/modules/network/dns-zone) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [expressRouteCircuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) | [ExpressRoute Circuits](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-circuit) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [expressRouteGateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) | [Express Route 
Gateways](https://github.com/Azure/ResourceModules/tree/main/modules/network/express-route-gateway) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | | [firewallPolicies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) | [Firewall Policies](https://github.com/Azure/ResourceModules/tree/main/modules/network/firewall-policy) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index c2daac8768..ed056046e1 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -141,7 +141,7 @@ This section provides an overview of the library's feature set. | 126 | signal-r-service

web-pub-sub | [![SignalRService - WebPubSub](https://github.com/Azure/ResourceModules/workflows/SignalRService%20-%20WebPubSub/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.signalrservice.webpubsub.yml) | | | | | | | [L1:1, L2:1, L3:4] | 253 | | 127 | sql

managed-instance | [![Sql - ManagedInstances](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20ManagedInstances/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.managedinstances.yml) | | | | | | | [L1:7, L2:4, L3:4] | 373 | | 128 | sql

server | [![Sql - Servers](https://github.com/Azure/ResourceModules/workflows/Sql%20-%20Servers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.sql.servers.yml) | | | | | | | [L1:9, L2:4, L3:6] | 389 | -| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:7, L2:5, L3:7] | 524 | +| 129 | storage

storage-account | [![Storage - StorageAccounts](https://github.com/Azure/ResourceModules/workflows/Storage%20-%20StorageAccounts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | | | | | | | [L1:7, L2:5, L3:8] | 524 | | 130 | synapse

private-link-hub | [![Synapse - PrivateLinkHubs](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20PrivateLinkHubs/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.privatelinkhubs.yml) | | | | | | | [L1:1, L2:1, L3:3] | 171 | | 131 | synapse

workspace | [![Synapse - Workspaces](https://github.com/Azure/ResourceModules/workflows/Synapse%20-%20Workspaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.synapse.workspaces.yml) | | | | | | | [L1:4, L2:1, L3:6] | 377 | | 132 | virtual-machine-images

image-template | [![VirtualMachineImages - ImageTemplates](https://github.com/Azure/ResourceModules/workflows/VirtualMachineImages%20-%20ImageTemplates/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.virtualmachineimages.imagetemplates.yml) | | | | | | | [L1:1, L2:1, L3:3] | 216 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 981 | 29909 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 982 | 29909 | ## Legend From 474c70992b3ef7b0269bd794b8bf64e027ccbdde Mon Sep 17 00:00:00 2001 From: Nate Arnold Date: Fri, 22 Dec 2023 11:48:42 -0700 Subject: [PATCH 166/178] Users/arnoldna/4409 app managedenvironment (#4410) * Moved app/managedenvironment to AVM * Updated Readme --- modules/app/managed-environment/MOVED-TO-AVM.md | 1 + modules/app/managed-environment/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/app/managed-environment/MOVED-TO-AVM.md diff --git a/modules/app/managed-environment/MOVED-TO-AVM.md b/modules/app/managed-environment/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/app/managed-environment/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 770a70a9cb..2c75e23c35 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md 
@@ -1,5 +1,7 @@ # App ManagedEnvironments `[Microsoft.App/managedEnvironments]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an App Managed Environment (also known as a Container App Environment). ## Navigation From e2bd3d4a501c02d46e352889c8e29d5bcb6d49d3 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 24 Dec 2023 12:05:56 +0000 Subject: [PATCH 167/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 423 ++++++++++++++++++++++---------- 1 file changed, 295 insertions(+), 128 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 041285de63..94bf768e70 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -362,6 +362,11 @@ "2023-01-01-alpha", "2023-09-01-preview" ], + "predict": [ + "2022-09-01", + "2022-10-01", + "2023-01-01" + ], "recommendations": [ "2016-05-09-preview", "2016-07-12-preview", @@ -792,7 +797,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/diagnostics": [ "2017-03-01", @@ -810,7 +816,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/diagnostics/loggers": [ "2017-03-01", @@ -832,7 +839,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/issues/attachments": [ "2017-03-01", @@ -850,7 +858,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/issues/comments": [ "2017-03-01", 
@@ -868,7 +877,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/operations": [ "2016-07-07", @@ -888,7 +898,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/operations/policies": [ "2017-03-01", @@ -906,7 +917,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/operations/policy": [ "2016-10-10" @@ -927,7 +939,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/policies": [ "2017-03-01", @@ -945,7 +958,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/policy": [ "2016-10-10" @@ -966,17 +980,20 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/resolvers": [ "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/resolvers/policies": [ "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/schemas": [ "2017-03-01", @@ -994,7 +1011,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/tagDescriptions": [ "2017-03-01", @@ -1012,7 +1030,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/tags": [ "2017-03-01", 
@@ -1030,12 +1049,14 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apis/wikis": [ "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/apiVersionSets": [ "2019-01-01", @@ -1050,25 +1071,29 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/authorizationProviders": [ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/authorizationProviders/authorizations": [ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/authorizationProviders/authorizations/accessPolicies": [ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/authorizationServers": [ "2016-07-07", @@ -1088,7 +1113,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/backends": [ "2016-07-07", @@ -1108,7 +1134,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/caches": [ "2018-06-01-preview", @@ -1124,7 +1151,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/certificates": [ "2016-07-07", @@ -1144,7 +1172,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/contentTypes": [ "2019-12-01", 
@@ -1157,7 +1186,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/contentTypes/contentItems": [ "2019-12-01", @@ -1170,7 +1200,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/diagnostics": [ "2017-03-01", @@ -1188,7 +1219,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/diagnostics/loggers": [ "2017-03-01", @@ -1197,7 +1229,8 @@ "service/documentations": [ "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/eventGridFilters": [ "2021-01-01-preview", @@ -1221,7 +1254,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/gateways/apis": [ "2019-12-01", @@ -1235,7 +1269,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/gateways/certificateAuthorities": [ "2020-06-01-preview", @@ -1247,7 +1282,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/gateways/hostnameConfigurations": [ "2019-12-01", @@ -1261,7 +1297,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/groups": [ "2016-07-07", @@ -1281,7 +1318,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/groups/users": [ "2016-07-07", 
@@ -1301,7 +1339,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/identityProviders": [ "2016-07-07", @@ -1321,7 +1360,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/loggers": [ "2016-07-07", @@ -1341,7 +1381,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/namedValues": [ "2019-12-01", @@ -1355,7 +1396,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/notifications": [ "2017-03-01", @@ -1373,7 +1415,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/notifications/recipientEmails": [ "2017-03-01", @@ -1391,7 +1434,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/notifications/recipientUsers": [ "2017-03-01", @@ -1409,7 +1453,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/openidConnectProviders": [ "2016-07-07", @@ -1429,7 +1474,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/policies": [ "2017-03-01", 
@@ -1447,21 +1493,27 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/policyFragments": [ "2021-12-01-preview", "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" + ], + "service/policyRestrictions": [ + "2023-05-01-preview" ], "service/portalconfigs": [ "2021-12-01-preview", "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/portalRevisions": [ "2020-06-01-preview", @@ -1473,7 +1525,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/portalsettings": [ "2017-03-01", @@ -1491,7 +1544,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/privateEndpointConnections": [ "2021-04-01-preview", @@ -1500,7 +1554,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products": [ "2016-07-07", @@ -1520,11 +1575,13 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/apiLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/apis": [ "2016-07-07", @@ -1544,11 +1601,13 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/groupLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/groups": [ "2016-07-07", 
@@ -1568,7 +1627,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/policies": [ "2017-03-01", @@ -1586,7 +1646,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/policy": [ "2016-10-10" @@ -1607,12 +1668,14 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/products/wikis": [ "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/properties": [ "2016-07-07", @@ -1629,7 +1692,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/subscriptions": [ "2016-07-07", @@ -1649,7 +1713,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/tags": [ "2017-03-01", @@ -1667,19 +1732,23 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/tags/apiLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/tags/operationLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/tags/productLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/templates": [ "2017-03-01", @@ -1697,7 +1766,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/tenant": [ "2016-10-10", 
@@ -1710,7 +1780,8 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/users": [ "2016-07-07", 
@@ -1730,111 +1801,138 @@ "2022-04-01-preview", "2022-08-01", "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis/operations": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis/operations/policies": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis/policies": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis/releases": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apis/schemas": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/apiVersionSets": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/groups": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/groups/users": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/namedValues": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/notifications": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/notifications/recipientEmails": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/notifications/recipientUsers": [ "2022-09-01-preview", - "2023-03-01-preview" + 
"2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/policies": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/policyFragments": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/products": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/products/apiLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/products/groupLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/products/policies": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/schemas": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/subscriptions": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/tags": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/tags/apiLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/tags/operationLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "service/workspaces/tags/productLinks": [ "2022-09-01-preview", - "2023-03-01-preview" + "2023-03-01-preview", + "2023-05-01-preview" ], "validateServiceName": [ "2014-02-14", 
@@ -2673,6 +2771,44 @@ "2023-11-01-preview", "2023-12-01" ], + "Spring/apps/domains/operationResults": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], + "Spring/apps/domains/operationStatuses": [ + "2020-07-01", + "2020-11-01-preview", + "2021-06-01-preview", + "2021-09-01-preview", + "2022-01-01-preview", + "2022-03-01-preview", + "2022-04-01", + "2022-05-01-preview", + "2022-09-01-preview", + "2022-11-01-preview", + "2022-12-01", + "2023-01-01-preview", + "2023-03-01-preview", + "2023-05-01-preview", + "2023-07-01-preview", + "2023-09-01-preview", + "2023-11-01-preview" + ], "Spring/apps/operationResults": [ "2020-07-01", "2020-11-01-preview", @@ -8630,7 +8766,8 @@ "2022-03-02", "2022-07-02", "2023-01-02", - "2023-04-02" + "2023-04-02", + "2023-10-02" ], "diskEncryptionSets": [ "2019-07-01", @@ -12057,15 +12194,6 @@ ] }, "Microsoft.ContainerStorage": { - "locations": [ - "2023-07-01-preview" - ], - "locations/asyncoperations": [ - "2023-07-01-preview" - ], - "operations": [ - "2023-07-01-preview" - ], "pools": [ "2023-07-01-preview" ], @@ -16558,6 +16686,9 @@ "checkNameAvailability": [ "2020-07-01-preview" ], + "discoverSolutions": [ + "2020-07-01-preview" + ], "insights": [ "2020-07-01-preview" ], @@ -21878,7 +22009,8 @@ "2021-10-01", "2022-05-01-preview", "2022-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2024-01-01" ], "locations/operationStatuses": [ "2020-01-01-preview", @@ -21887,7 +22019,8 @@ "2021-10-01", "2022-05-01-preview", "2022-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2024-01-01" ], "Operations": [ "2019-09-01-privatepreview", 
@@ -21898,7 +22031,8 @@ "2021-10-01", "2022-05-01-preview", "2022-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2024-01-01" ], "registeredSubscriptions": [ "2020-01-01-preview", @@ -21907,7 +22041,8 @@ "2021-10-01", "2022-05-01-preview", "2022-10-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2024-01-01" ] }, "Microsoft.KubernetesConfiguration": { @@ -24006,10 +24141,12 @@ }, "Microsoft.ManufacturingPlatform": { "locations": [ - "2023-02-01-preview" + "2023-02-01-preview", + "2024-02-01-preview" ], - "Operations": [ - "2023-02-01-preview" + "operations": [ + "2023-02-01-preview", + "2024-02-01-preview" ] }, "Microsoft.Maps": { @@ -24021,7 +24158,8 @@ "2021-07-01-preview", "2021-12-01-preview", "2023-06-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-12-01-preview" ], "accounts/creators": [ "2020-02-01-preview", @@ -24029,7 +24167,8 @@ "2021-07-01-preview", "2021-12-01-preview", "2023-06-01", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-12-01-preview" ], "accounts/eventGridFilters": [ "2018-05-01", @@ -24043,6 +24182,9 @@ "accounts/privateAtlases": [ "2020-02-01-preview" ], + "accounts/privateEndpointConnections": [ + "2023-12-01-preview" + ], "operations": [ "2017-01-01-preview", "2018-05-01", @@ -25497,7 +25639,8 @@ "2022-11-01", "2022-11-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01" ], "netAppAccounts/backupVaults": [ "2022-11-01-preview", @@ -25668,7 +25811,8 @@ "2022-11-01", "2022-11-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01" ], "netAppAccounts/capacityPools/volumes/volumeQuotaRules": [ "2022-01-01", @@ -25678,7 +25822,8 @@ "2022-11-01", "2022-11-01-preview", "2023-05-01", - "2023-05-01-preview" + "2023-05-01-preview", + "2023-07-01" ], "netAppAccounts/snapshotPolicies": [ "2020-05-01", 
@@ -33931,7 +34076,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/extendedInformation": [ "2016-06-01", @@ -33959,7 +34105,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/privateEndpointConnections": [ "2020-02-02", @@ -35917,8 +36064,7 @@ ], "securityContacts": [ "2017-08-01-preview", - "2020-01-01-preview", - "2023-12-01-preview" + "2020-01-01-preview" ], "securitySolutions": [ "2015-06-01-preview", @@ -37476,7 +37622,8 @@ "2020-03-01", "2020-12-01-preview", "2020-12-01-privatepreview", - "2021-06-01" + "2021-06-01", + "2023-11-01-preview" ], "clusters/applications": [ "2016-03-01", @@ -37491,7 +37638,8 @@ "2020-03-01", "2020-12-01-preview", "2020-12-01-privatepreview", - "2021-06-01" + "2021-06-01", + "2023-11-01-preview" ], "clusters/applications/services": [ "2016-03-01", @@ -37506,7 +37654,8 @@ "2020-03-01", "2020-12-01-preview", "2020-12-01-privatepreview", - "2021-06-01" + "2021-06-01", + "2023-11-01-preview" ], "clusters/applicationTypes": [ "2016-03-01", @@ -37521,7 +37670,8 @@ "2020-03-01", "2020-12-01-preview", "2020-12-01-privatepreview", - "2021-06-01" + "2021-06-01", + "2023-11-01-preview" ], "clusters/applicationTypes/versions": [ "2016-03-01", @@ -37536,7 +37686,8 @@ "2020-03-01", "2020-12-01-preview", "2020-12-01-privatepreview", - "2021-06-01" + "2021-06-01", + "2023-11-01-preview" ], "locations": [ "2016-03-01", @@ -37771,7 +37922,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "managedclusters/applications": [ "2021-01-01-preview", @@ -37788,7 +37940,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "managedclusters/applications/services": [ "2021-01-01-preview", 
@@ -37805,7 +37958,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "managedclusters/applicationTypes": [ "2021-01-01-preview", @@ -37822,7 +37976,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "managedclusters/applicationTypes/versions": [ "2021-01-01-preview", @@ -37839,7 +37994,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "managedClusters/nodeTypes": [ "2020-01-01-preview", @@ -37857,7 +38013,8 @@ "2023-03-01-preview", "2023-07-01-preview", "2023-09-01-preview", - "2023-11-01-preview" + "2023-11-01-preview", + "2023-12-01-preview" ], "operations": [ "2016-03-01", @@ -38032,7 +38189,11 @@ "Microsoft.ServicesHub": { "connectors": [ "2019-08-15-preview", - "2023-04-17-preview" + "2023-04-17-preview", + "2023-10-20-preview" + ], + "connectors/connectorSpaces": [ + "2023-10-20-preview" ], "getRecommendationsContent": [ "2023-03-24-preview" @@ -38614,6 +38775,12 @@ "2023-02-01-preview", "2023-05-01-preview" ], + "locations/changeLongTermRetentionBackupAccessTierAzureAsyncOperation": [ + "2023-05-01-preview" + ], + "locations/changeLongTermRetentionBackupAccessTierOperationResults": [ + "2023-05-01-preview" + ], "locations/connectionPoliciesAzureAsyncOperation": [ "2015-05-01-preview", "2017-03-01-preview", From 28f6ae8e70542213b0236e06dcce27dc025a5cb2 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 31 Dec 2023 12:05:28 +0000 Subject: [PATCH 168/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 402 ++++++++++++++++++++++++-------- 1 file changed, 300 insertions(+), 102 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index 94bf768e70..e1668cdb19 100644 --- a/utilities/src/apiSpecsList.json 
+++ b/utilities/src/apiSpecsList.json @@ -9868,6 +9868,35 @@ "2021-01-01" ] }, + "Microsoft.ComputeSchedule": { + "Locations": [ + "2023-12-01-preview" + ], + "locations/virtualmachinescanceloperations": [ + "2023-12-01-preview" + ], + "locations/virtualmachinesexecutedeallocate": [ + "2023-12-01-preview" + ], + "locations/virtualmachinesexecutehibernate": [ + "2023-12-01-preview" + ], + "locations/virtualmachinesexecutestart": [ + "2023-12-01-preview" + ], + "locations/virtualmachinesgetoperationstatus": [ + "2023-12-01-preview" + ], + "locations/virtualmachinessubmitdeallocate": [ + "2023-12-01-preview" + ], + "locations/virtualmachinessubmithibernate": [ + "2023-12-01-preview" + ], + "locations/virtualmachinessubmitstart": [ + "2023-12-01-preview" + ] + }, "Microsoft.ConfidentialLedger": { "checkNameAvailability": [ "2020-12-01-preview", @@ -12894,6 +12923,52 @@ "2023-10-01-preview" ] }, + "Microsoft.DatabaseFleetManager": { + "fleets": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "fleets/authorizedPrincipals": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "fleets/firewallRules": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "fleets/fleetspaces": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "fleets/fleetspaces/databases": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "fleets/tiers": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "locations": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "locations/operationTypes": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "locations/operationTypes/operationResults": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "locations/routedOperationResults": [ + "2021-05-01-preview", + "2023-08-01-preview" + ], + "operations": [ + "2021-05-01-preview", + "2023-08-01-preview" + ] + }, "Microsoft.DatabaseWatcher": { "locations": [ "2023-03-01-preview", 
@@ -13954,7 +14029,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01-preview", - "2023-11-01" + "2023-11-01", + "2023-12-01" ], "backupVaults/backupInstances": [ "2021-01-01", @@ -13978,7 +14054,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01-preview", - "2023-11-01" + "2023-11-01", + "2023-12-01" ], "backupVaults/backupPolicies": [ "2021-01-01", @@ -14002,7 +14079,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01-preview", - "2023-11-01" + "2023-11-01", + "2023-12-01" ], "backupVaults/backupResourceGuardProxies": [ "2022-09-01-preview", @@ -14013,7 +14091,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01-preview", - "2023-11-01" + "2023-11-01", + "2023-12-01" ], "locations": [ "2020-01-01-alpha", @@ -14209,7 +14288,8 @@ "2023-05-01", "2023-06-01-preview", "2023-08-01-preview", - "2023-11-01" + "2023-11-01", + "2023-12-01" ] }, "Microsoft.DataReplication": { @@ -16834,7 +16914,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccountNames": [ "2014-04-01", @@ -17047,7 +17128,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/cassandraKeyspaces/tables": [ "2019-08-01", @@ -17080,7 +17162,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/cassandraKeyspaces/tables/throughputSettings": [ "2019-08-01", @@ -17113,7 +17196,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/cassandraKeyspaces/throughputSettings": [ "2019-08-01", @@ -17146,7 +17230,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/cassandraKeyspaces/views": [ "2021-07-01-preview", 
@@ -17158,7 +17243,8 @@ "2022-11-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "databaseAccounts/cassandraKeyspaces/views/throughputSettings": [ "2021-07-01-preview", @@ -17170,7 +17256,8 @@ "2022-11-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "databaseAccounts/dataTransferJobs": [ "2021-10-15-preview", @@ -17181,7 +17268,8 @@ "2022-11-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "databaseAccounts/encryptionScopes": [ "2021-03-01-preview", @@ -17217,7 +17305,8 @@ "2022-11-15-preview", "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "databaseAccounts/gremlinDatabases": [ "2019-08-01", @@ -17250,7 +17339,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/gremlinDatabases/graphs": [ "2019-08-01", @@ -17283,7 +17373,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/gremlinDatabases/graphs/throughputSettings": [ "2019-08-01", @@ -17316,7 +17407,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/gremlinDatabases/throughputSettings": [ "2019-08-01", @@ -17349,7 +17441,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbDatabases": [ "2019-08-01", @@ -17382,7 +17475,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbDatabases/collections": [ "2019-08-01", 
@@ -17415,7 +17509,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbDatabases/collections/throughputSettings": [ "2019-08-01", @@ -17448,7 +17543,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbDatabases/throughputSettings": [ "2019-08-01", @@ -17481,7 +17577,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbRoleDefinitions": [ "2021-10-15-preview", @@ -17498,7 +17595,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/mongodbUserDefinitions": [ "2021-10-15-preview", @@ -17515,7 +17613,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/notebookWorkspaces": [ "2019-08-01", @@ -17548,7 +17647,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/privateEndpointConnections": [ "2019-08-01-preview", @@ -17576,7 +17676,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/services": [ "2021-04-01-preview", @@ -17596,7 +17697,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases": [ "2019-08-01", @@ -17629,7 +17731,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/clientEncryptionKeys": [ "2021-10-15-preview", @@ -17645,7 +17748,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/containers": [ "2019-08-01", 
@@ -17678,7 +17782,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/containers/storedProcedures": [ "2019-08-01", @@ -17711,7 +17816,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/containers/throughputSettings": [ "2019-08-01", @@ -17744,7 +17850,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/containers/triggers": [ "2019-08-01", @@ -17777,7 +17884,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/containers/userDefinedFunctions": [ "2019-08-01", @@ -17810,7 +17918,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlDatabases/throughputSettings": [ "2019-08-01", @@ -17843,7 +17952,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlRoleAssignments": [ "2020-06-01-preview", @@ -17869,7 +17979,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/sqlRoleDefinitions": [ "2020-06-01-preview", @@ -17895,7 +18006,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/tables": [ "2019-08-01", @@ -17928,7 +18040,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "databaseAccounts/tables/throughputSettings": [ "2019-08-01", @@ -17961,7 +18074,8 @@ "2023-04-15", "2023-09-15", "2023-09-15-preview", - "2023-11-15" + "2023-11-15", + "2023-11-15-preview" ], "locations": [ "2014-04-01", 
@@ -18198,7 +18312,8 @@ "mongoClusters/firewallRules": [ "2023-03-01-preview", "2023-03-15-preview", - "2023-09-15-preview" + "2023-09-15-preview", + "2023-11-15-preview" ], "operationResults": [ "2014-04-01", @@ -18348,6 +18463,12 @@ "2023-09-15-preview", "2023-11-15", "2023-11-15-preview" + ], + "throughputPools": [ + "2023-11-15-preview" + ], + "throughputPools/throughputPoolAccounts": [ + "2023-11-15-preview" ] }, "Microsoft.DomainRegistration": { @@ -26225,7 +26346,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "ApplicationGatewayWebApplicationFirewallPolicies": [ "2018-12-01", @@ -26666,7 +26788,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "customIpPrefixes": [ "2020-06-01", @@ -26722,7 +26845,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "ddosProtectionPlans": [ "2018-02-01", @@ -27102,7 +27226,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCircuits/peerings": [ "2015-05-01-preview", @@ -27153,7 +27278,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCircuits/peerings/connections": [ "2018-02-01", @@ -27191,7 +27317,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCrossConnections": [ "2018-02-01", @@ -27229,7 +27356,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteCrossConnections/peerings": [ "2018-02-01", @@ -27267,7 +27395,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRouteGateways": [ "2018-08-01", @@ -27341,7 +27470,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "ExpressRoutePorts": [ "2018-07-01", 
@@ -27394,7 +27524,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "expressRoutePortsLocations": [ "2018-08-01", @@ -27589,7 +27720,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "firewallPolicies/ruleGroups": [ "2019-06-01", @@ -27612,7 +27744,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "frontdoorOperationResults": [ "2018-08-01", @@ -27862,7 +27995,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "loadBalancers/inboundNatRules": [ "2017-06-01", @@ -27906,7 +28040,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "localNetworkGateways": [ "2014-12-01-preview", @@ -29469,7 +29604,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagerConnections": [ "2021-05-01-preview", @@ -29519,7 +29655,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/networkGroups": [ "2021-02-01-preview", @@ -29534,7 +29671,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/networkGroups/staticMembers": [ "2021-05-01-preview", @@ -29548,7 +29686,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/scopeConnections": [ "2021-05-01-preview", @@ -29562,7 +29701,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/securityAdminConfigurations": [ "2021-02-01-preview", @@ -29577,7 +29717,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/securityAdminConfigurations/ruleCollections": [ "2021-02-01-preview", 
@@ -29592,7 +29733,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/securityAdminConfigurations/ruleCollections/rules": [ "2021-02-01-preview", @@ -29607,7 +29749,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkManagers/securityUserConfigurations": [ "2021-02-01-preview", @@ -29784,7 +29927,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkSecurityPerimeters": [ "2021-02-01-preview", @@ -29862,10 +30006,12 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkVirtualAppliances/networkVirtualApplianceConnections": [ - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkVirtualAppliances/virtualApplianceSites": [ "2020-05-01", @@ -29885,7 +30031,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkVirtualApplianceSkus": [ "2020-03-01", @@ -30125,7 +30272,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "networkWatchers/pingMeshes": [ "2017-09-01", @@ -30440,7 +30588,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "privateEndpoints/privateLinkServiceProxies": [ "2019-02-01", @@ -30545,7 +30694,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "publicIPAddresses": [ "2014-12-01-preview", @@ -30766,7 +30916,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "routeTables": [ "2014-12-01-preview", @@ -30882,7 +31033,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "securityPartnerProviders": [ "2020-01-01", 
@@ -30992,7 +31144,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "trafficManagerGeographicHierarchies": [ "2017-03-01", @@ -31136,7 +31289,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/hubRouteTables": [ "2020-04-01", @@ -31157,7 +31311,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/hubVirtualNetworkConnections": [ "2020-05-01", @@ -31177,7 +31332,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/ipConfigurations": [ "2020-05-01", @@ -31197,7 +31353,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/routeMaps": [ "2022-05-01", @@ -31207,7 +31364,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/routeTables": [ "2019-09-01", @@ -31232,7 +31390,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualHubs/routingIntent": [ "2021-05-01", @@ -31245,7 +31404,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualnetworkgateways": [ "2014-12-01-preview", @@ -31325,7 +31485,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualnetworks": [ "2014-12-01-preview", @@ -31486,7 +31647,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworks/taggedTrafficConsumers": [ "2014-12-01-preview", @@ -31599,7 +31761,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualNetworkTaps": [ "2018-08-01", @@ -31701,7 +31864,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "virtualWans": [ "2017-09-01", 
@@ -31828,7 +31992,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "vpnGateways/vpnConnections": [ "2018-04-01", @@ -31865,7 +32030,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "vpnServerConfigurations": [ "2019-08-01", @@ -31909,7 +32075,8 @@ "2023-02-01", "2023-04-01", "2023-05-01", - "2023-06-01" + "2023-06-01", + "2023-09-01" ], "vpnSites": [ "2017-09-01", @@ -33013,7 +33180,8 @@ "2018-10-01-preview", "2019-01-01-preview", "2020-09-01-alpha", - "2020-09-01-preview" + "2020-09-01-preview", + "2022-12-01-preview" ], "listTenantConfigurationViolations": [ "2019-01-01-preview", @@ -33866,7 +34034,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupEncryptionConfigs": [ "2020-10-01", @@ -33893,7 +34062,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupFabrics/backupProtectionIntent": [ "2017-07-01", @@ -33918,7 +34088,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupFabrics/protectionContainers": [ "2016-12-01", @@ -33946,7 +34117,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupFabrics/protectionContainers/protectedItems": [ "2016-06-01", @@ -33976,7 +34148,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupPolicies": [ "2016-06-01", @@ -34006,7 +34179,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupResourceGuardProxies": [ "2021-02-01-preview", @@ -34025,7 +34199,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/backupstorageconfig": [ "2016-12-01", 
@@ -34048,7 +34223,8 @@ "2023-01-15", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/certificates": [ "2016-06-01", @@ -34134,7 +34310,8 @@ "2023-01-01", "2023-02-01", "2023-04-01", - "2023-06-01" + "2023-06-01", + "2023-08-01" ], "vaults/replicationAlertSettings": [ "2016-08-10", @@ -36324,6 +36501,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "alertRules/actions": [ @@ -36354,7 +36532,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "alertRuleTemplates": [ "2019-01-01-preview", @@ -36414,6 +36593,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "billingStatistics": [ @@ -36453,6 +36633,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "bookmarks/relations": [ @@ -36519,6 +36700,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "contentProductPackages": [ @@ -36553,6 +36735,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "dataConnectorDefinitions": [ @@ -36600,6 +36783,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview", "2024-01-01-preview" ], @@ -36843,6 +37027,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "incidents/comments": [ @@ -36874,7 +37059,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "incidents/relations": [ "2019-01-01-preview", 
@@ -36904,7 +37090,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "incidents/tasks": [ "2022-12-01-preview", @@ -36967,6 +37154,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "MitreCoverageRecords": [ @@ -37043,6 +37231,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "operations": [ @@ -37128,6 +37317,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "settings": [ @@ -37179,6 +37369,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "threatIntelligence": [ @@ -37238,7 +37429,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "triggeredAnalyticsRuleRuns": [ "2023-02-01-preview", @@ -37281,6 +37473,7 @@ "2023-08-01-preview", "2023-09-01-preview", "2023-10-01-preview", + "2023-11-01", "2023-11-01-preview" ], "watchlists/watchlistItems": [ @@ -37311,7 +37504,8 @@ "2023-07-01-preview", "2023-08-01-preview", "2023-09-01-preview", - "2023-10-01-preview" + "2023-10-01-preview", + "2023-11-01" ], "workspaceManagerAssignments": [ "2023-03-01-preview", @@ -37372,7 +37566,8 @@ "2018-05-01" ], "serialPorts": [ - "2018-05-01" + "2018-05-01", + "2023-01-01" ] }, "Microsoft.ServiceBus": { @@ -45430,6 +45625,7 @@ "2023-06-02-preview", "2023-08-01-preview", "2023-09-01-preview", + "2023-11-01-preview", "2024-01-01" ], "locations": [ @@ -45442,6 +45638,7 @@ "2023-06-02-preview", "2023-08-01-preview", "2023-09-01-preview", + "2023-11-01-preview", "2024-01-01" ], "locations/classicaccounts": [ @@ -45479,6 +45676,7 @@ "2023-06-02-preview", "2023-08-01-preview", "2023-09-01-preview", + "2023-11-01-preview", "2024-01-01" ] }, 
From 3f018f8d05a768c18e28f00a106dcd3e6ee425eb Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Tue, 2 Jan 2024 02:52:24 +0100 Subject: [PATCH 169/178] [Fixes] Ensure that VirtualMachineImages are removed before MSIs are removed as there's otherwise a high chance for a lock (#4418) * Updated removal * Update to latest * Update to latest * Update to latest --- .../virtual-machine-images/image-template/main.json | 4 ++-- .../image-template/tests/e2e/max/dependencies.bicep | 10 ++++++++++ .../image-template/tests/e2e/max/main.test.bicep | 10 ---------- .../tests/e2e/waf-aligned/dependencies.bicep | 13 ++++++++++--- .../tests/e2e/waf-aligned/main.test.bicep | 10 ---------- .../Initialize-DeploymentRemoval.ps1 | 6 ++++-- 6 files changed, 26 insertions(+), 27 deletions(-) diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json index 735a4da338..f7c62ccb8c 100644 --- a/modules/virtual-machine-images/image-template/main.json +++ b/modules/virtual-machine-images/image-template/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "10277577540639461484" + "version": "0.24.24.22086", + "templateHash": "3206365221053341077" }, "name": "Virtual Machine Image Templates", "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep index ec4e08c2d4..3fd5595fde 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep 
@@ -18,6 +18,16 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } +// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM. +resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id) + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + var addressPrefix = '10.0.0.0/16' resource gallery 'Microsoft.Compute/galleries@2022-03-03' = { diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep index cc579a73df..363cf67ccf 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep @@ -51,16 +51,6 @@ module nestedDependencies 'dependencies.bicep' = { } } -// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM. -resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } -} - // ============== // // Test Execution // // ============== // 
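Review bot: The role assignment added to max/dependencies.bicep has no `scope:` property, so it is created at the file's target scope (presumably the test resource group) and grants the identity Managed Identity Operator over every user-assigned identity in that group rather than over itself; the waf-aligned dependencies.bicep hunk on the next line has the same shape. The comment says the grant exists only so Image Builder can attach this identity to the build VM, which should be satisfied by scoping the assignment to the identity itself with `scope: managedIdentity` inside the resource body — worth confirming against the AIB identity guidance before narrowing it. The guid seed `'ManagedIdentityContributor'` also does not describe the role the assignment actually carries (Managed Identity Operator, `f1a07417-d97a-45cb-824c-7a7467783830`); changing it to `'ManagedIdentityOperator'` would make the assignment self-describing, at the cost of a new assignment name on redeploy.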
diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep index ec4e08c2d4..d2e04163bf 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep @@ -18,6 +18,16 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } +// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM. +resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id) + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + var addressPrefix = '10.0.0.0/16' resource gallery 'Microsoft.Compute/galleries@2022-03-03' = { @@ -86,9 +96,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { @description('The principal ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id -@description('The principal ID of the created Managed Identity.') -output managedIdentityPrincipalId string = managedIdentity.properties.principalId - @description('The name of the created Managed Identity.') output managedIdentityName string = managedIdentity.name diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep index 4c43082a0b..1367e24573 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep 
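Review bot: In the second waf-aligned/dependencies.bicep hunk the `managedIdentityResourceId` output kept as context just above the removed block is still annotated `@description('The principal ID of the created Managed Identity.')`, which is the description of the output this hunk deletes, so the surviving output is now mislabeled; change it to `@description('The resource ID of the created Managed Identity.')`. The diffstat shows max/dependencies.bicep with additions only, so the now-unused `managedIdentityPrincipalId` output (its last consumer is removed in max/main.test.bicep) presumably lingers there — worth removing for symmetry with this file.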
+++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep @@ -51,16 +51,6 @@ module nestedDependencies 'dependencies.bicep' = { } } -// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM. -resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } -} - // ============== // // Test Execution // // ============== // diff --git a/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1 b/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1 index 3c2b11eeec..5939f2a474 100644 --- a/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1 @@ -76,8 +76,10 @@ function Initialize-DeploymentRemoval { 'Microsoft.Authorization/policyDefinitions' 'Microsoft.Sql/managedInstances', 'Microsoft.MachineLearningServices/workspaces', - 'Microsoft.Resources/resourceGroups', - 'Microsoft.Compute/virtualMachines' + 'Microsoft.Compute/virtualMachines', + 'Microsoft.VirtualMachineImages/imageTemplates', # Must be removed before their MSI + 'Microsoft.ManagedIdentity/userAssignedIdentities', + 'Microsoft.Resources/resourceGroups' ) Write-Verbose ('Handling resource removal with deployment names [{0}]' -f ($deploymentNames -join ', ')) -Verbose From 2f95cf6d328e6ce42a2d0a121929aee5899f74b9 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 3 Jan 2024 09:49:54 +0100 Subject: [PATCH 170/178] Added moved md (#4424) --- modules/web/serverfarm/MOVED-TO-AVM.md | 1 + modules/web/serverfarm/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/web/serverfarm/MOVED-TO-AVM.md diff --git a/modules/web/serverfarm/MOVED-TO-AVM.md b/modules/web/serverfarm/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/web/serverfarm/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index fb2b37a291..8e6283c085 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -1,5 +1,7 @@ # App Service Plans `[Microsoft.Web/serverfarms]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an App Service Plan. ## Navigation From 2630c351ef272f033161cd3e9024c295ac4ba18f Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Thu, 4 Jan 2024 02:04:35 +0100 Subject: [PATCH 171/178] Added MOVED-TO-AVM for recently migrated modules (#4429) --- modules/compute/disk-encryption-set/MOVED-TO-AVM.md | 1 + modules/compute/disk-encryption-set/README.md | 2 ++ modules/compute/gallery/MOVED-TO-AVM.md | 1 + modules/compute/gallery/README.md | 2 ++ 4 files changed, 6 insertions(+) create mode 100644 modules/compute/disk-encryption-set/MOVED-TO-AVM.md create mode 100644 modules/compute/gallery/MOVED-TO-AVM.md 
diff --git a/modules/compute/disk-encryption-set/MOVED-TO-AVM.md b/modules/compute/disk-encryption-set/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/compute/disk-encryption-set/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index 5c0be2dd82..bb9b6c10ff 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -1,5 +1,7 @@ # Disk Encryption Sets `[Microsoft.Compute/diskEncryptionSets]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Disk Encryption Set. ## Navigation diff --git a/modules/compute/gallery/MOVED-TO-AVM.md b/modules/compute/gallery/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/compute/gallery/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index b23170f00f..e4881d82aa 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md 
@@ -1,5 +1,7 @@ # Azure Compute Galleries `[Microsoft.Compute/galleries]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery). ## Navigation From 864df52bf3d7f2f49fd56f1f41373403a5dfa5a2 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Thu, 4 Jan 2024 13:36:34 +0100 Subject: [PATCH 172/178] Updated RG readme (#4431) --- modules/resources/resource-group/MOVED-TO-AVM.md | 1 + modules/resources/resource-group/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/resources/resource-group/MOVED-TO-AVM.md diff --git a/modules/resources/resource-group/MOVED-TO-AVM.md b/modules/resources/resource-group/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/resources/resource-group/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 3bd54c57d1..211775619c 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -1,5 +1,7 @@ # Resource Groups `[Microsoft.Resources/resourceGroups]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Resource Group. ## Navigation 
From cfd1a4a51024bedce0522a9efbef3ec8ae6e65c5 Mon Sep 17 00:00:00 2001 From: John Date: Thu, 4 Jan 2024 13:57:59 +0100 Subject: [PATCH 173/178] [Modules] Updates to the Azure Monitor Private Link Service (AMPLS) Module (#4392) * Added types and upgraded api version * Added tests * Uncommented code * Added documentation to accessModeSettings and added PrivateOnly value * Testing using condition * PR feedback * Removed access mode from default test * Updated readme and main.json * PR feedback * Uncommented code, added description for exclusion * Updated markdown and json * Fixed description to adhere to test * PR feedback --- modules/insights/private-link-scope/README.md | 134 +++++++++++++++++- .../insights/private-link-scope/main.bicep | 47 +++++- modules/insights/private-link-scope/main.json | 124 +++++++++++++--- .../scoped-resource/main.json | 4 +- .../tests/e2e/max/main.test.bicep | 11 ++ .../tests/e2e/waf-aligned/main.test.bicep | 11 ++ 6 files changed, 307 insertions(+), 24 deletions(-) diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 4470ffb40d..064fc8ba09 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md 
@@ -16,7 +16,7 @@ This module deploys an Azure Monitor Private Link Scope. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `microsoft.insights/privateLinkScopes` | [2019-10-17-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2019-10-17-preview/privateLinkScopes) | +| `microsoft.insights/privateLinkScopes` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2021-07-01-preview/privateLinkScopes) | | `Microsoft.Insights/privateLinkScopes/scopedResources` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-07-01-preview/privateLinkScopes/scopedResources) | | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | @@ -95,6 +95,17 @@ This instance deploys the module with most of its features enabled. // Required parameters name: 'iplsmax001' // Non-required parameters + accessModeSettings: { + exclusions: [ + { + ingestionAccessMode: 'PrivateOnly' + privateEndpointConnectionName: 'thisisatest' + queryAccessMode: 'PrivateOnly' + } + ] + ingestionAccessMode: 'Open' + queryAccessMode: 'Open' + } enableDefaultTelemetry: '' privateEndpoints: [ { 
@@ -158,6 +169,19 @@ This instance deploys the module with most of its features enabled. "value": "iplsmax001" }, // Non-required parameters + "accessModeSettings": { + "value": { + "exclusions": [ + { + "ingestionAccessMode": "PrivateOnly", + "privateEndpointConnectionName": "thisisatest", + "queryAccessMode": "PrivateOnly" + } + ], + "ingestionAccessMode": "Open", + "queryAccessMode": "Open" + } + }, "enableDefaultTelemetry": { "value": "" }, @@ -232,6 +256,17 @@ This instance deploys the module in alignment with the best-practices of the Azu // Required parameters name: 'iplswaf001' // Non-required parameters + accessModeSettings: { + exclusions: [ + { + ingestionAccessMode: 'PrivateOnly' + privateEndpointConnectionName: 'thisisatest' + queryAccessMode: 'PrivateOnly' + } + ] + ingestionAccessMode: 'Open' + queryAccessMode: 'Open' + } enableDefaultTelemetry: '' privateEndpoints: [ { @@ -278,6 +313,19 @@ This instance deploys the module in alignment with the best-practices of the Azu "value": "iplswaf001" }, // Non-required parameters + "accessModeSettings": { + "value": { + "exclusions": [ + { + "ingestionAccessMode": "PrivateOnly", + "privateEndpointConnectionName": "thisisatest", + "queryAccessMode": "PrivateOnly" + } + ], + "ingestionAccessMode": "Open", + "queryAccessMode": "Open" + } + }, "enableDefaultTelemetry": { "value": "" }, 
@@ -331,6 +379,10 @@ This instance deploys the module in alignment with the best-practices of the Azu | Parameter | Type | Description | | :-- | :-- | :-- | +| [`accessModeSettings`](#parameter-accessmodesettings) | object | Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration. + + * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured. + * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | 
@@ -346,6 +398,64 @@ Name of the private link scope. - Required: Yes - Type: string +### Parameter: `accessModeSettings` + +Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration. + + * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured. + * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode. + +- Required: No +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`ingestionAccessMode`](#parameter-accessmodesettingsingestionaccessmode) | string | Specifies the default access mode of ingestion through associated private endpoints in scope. | +| [`queryAccessMode`](#parameter-accessmodesettingsqueryaccessmode) | string | Specifies the default access mode of queries through associated private endpoints in scope. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`exclusions`](#parameter-accessmodesettingsexclusions) | array | List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning. | + +### Parameter: `accessModeSettings.ingestionAccessMode` + +Specifies the default access mode of ingestion through associated private endpoints in scope. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Open' + 'PrivateOnly' + ] + ``` + +### Parameter: `accessModeSettings.queryAccessMode` + +Specifies the default access mode of queries through associated private endpoints in scope. 
+ +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Open' + 'PrivateOnly' + ] + ``` + +### Parameter: `accessModeSettings.exclusions` + +List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning. + +- Required: No +- Type: array + ### Parameter: `enableDefaultTelemetry` Enable telemetry via a Globally Unique Identifier (GUID). @@ -741,7 +851,27 @@ Configuration details for Azure Monitor Resources. - Required: No - Type: array -- Default: `[]` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`linkedResourceId`](#parameter-scopedresourceslinkedresourceid) | string | The resource ID of the scoped Azure monitor resource. | +| [`name`](#parameter-scopedresourcesname) | string | Name of the private link scoped resource. | + +### Parameter: `scopedResources.linkedResourceId` + +The resource ID of the scoped Azure monitor resource. + +- Required: Yes +- Type: string + +### Parameter: `scopedResources.name` + +Name of the private link scoped resource. + +- Required: Yes +- Type: string ### Parameter: `tags` diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep index aff38da1dd..66fc5d5273 100644 --- a/modules/insights/private-link-scope/main.bicep +++ b/modules/insights/private-link-scope/main.bicep 
@@ -6,6 +6,12 @@ metadata owner = 'Azure/module-maintainers' @minLength(1) param name string +@description('''Optional. Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration. + + * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured. + * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode.''') +param accessModeSettings accessModeType + @description('Optional. The location of the private link scope. Should be global.') param location string = 'global' @@ -16,7 +22,7 @@ param lock lockType param roleAssignments roleAssignmentType @description('Optional. Configuration details for Azure Monitor Resources.') -param scopedResources array = [] +param scopedResources scopedResourceType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointType 
@@ -49,14 +55,19 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource privateLinkScope 'Microsoft.Insights/privateLinkScopes@2019-10-17-preview' = { +resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = { name: name location: location tags: tags - properties: {} + properties: { + accessModeSettings: accessModeSettings ?? { + ingestionAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly' + queryAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly' + } + } } -module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scopedResource, index) in scopedResources: { +module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scopedResource, index) in (scopedResources ?? []): { name: '${uniqueString(deployment().name, location)}-PvtLinkScope-ScopedRes-${index}' params: { name: scopedResource.name 
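Review bot: The fallback in `properties.accessModeSettings` keys off `empty(privateEndpoints)`, i.e. only the private endpoints this deployment creates; a private endpoint connected to the scope by another deployment (the case the `exclusions` description anticipates) would land on a scope whose default mode is `Open`, so the "PrivateOnly by default" statement in the parameter description holds only when the module deploys the endpoints itself. Either say so in the `accessModeSettings` description, e.g. `…is set as the default when this module's privateEndpoints parameter is configured; endpoints connected from other deployments inherit Open unless accessModeSettings is set explicitly.`, or reconsider whether `PrivateOnly` should be the unconditional fallback (a behaviour change for callers relying on `Open`). Minor: the two identical ternaries could be hoisted into one `var defaultAccessMode = empty(privateEndpoints) ? 'Open' : 'PrivateOnly'` so ingestion and query cannot drift apart later.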
@@ -227,3 +238,31 @@ type privateEndpointType = { @description('Optional. Enable/Disable usage telemetry for module.') enableTelemetry: bool? }[]? + +type scopedResourceType = { + @description('Required. Name of the private link scoped resource.') + name: string + + @description('Required. The resource ID of the scoped Azure monitor resource.') + linkedResourceId: string +}[]? + +type accessModeType = { + @description('Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning.') + exclusions: { + @description('Required. The private endpoint connection name associated to the private endpoint on which we want to apply the specific access mode settings.') + privateEndpointConnectionName: string + + @description('Required. Specifies the access mode of ingestion through the specified private endpoint connection in the exclusion.') + ingestionAccessMode: 'Open' | 'PrivateOnly' + + @description('Required. Specifies the access mode of queries through the specified private endpoint connection in the exclusion.') + queryAccessMode: 'Open' | 'PrivateOnly' + }[]? + + @description('Required. Specifies the default access mode of ingestion through associated private endpoints in scope.') + ingestionAccessMode: 'Open' | 'PrivateOnly' + + @description('Required. Specifies the default access mode of queries through associated private endpoints in scope.') + queryAccessMode: 'Open' | 'PrivateOnly' +}? diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index 826cdce33e..c858435d9f 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json 
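Review bot: The `@description` on `exclusions` reads "Exclusions for the current created Private endpoints can only be applied post initial provisioning", which is hard to parse and is copied verbatim into the README and main.json by the generator, so rewording it here fixes all three. Something like `Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. An exclusion for a private endpoint created in the same deployment can only be applied after the initial provisioning has completed.` states the constraint plainly; if the reason is that the connection name does not exist until the endpoint is approved, saying so would help callers, but the diff does not establish that, so confirm before adding it.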
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "3912801049685613645" + "version": "0.21.1.54444", + "templateHash": "10175644994453911680" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", 
@@ -278,6 +278,91 @@ } }, "nullable": true + }, + "scopedResourceType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the private link scoped resource." + } + }, + "linkedResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the scoped Azure monitor resource." + } + } + } + }, + "nullable": true + }, + "accessModeType": { + "type": "object", + "properties": { + "exclusions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "privateEndpointConnectionName": { + "type": "string", + "metadata": { + "description": "Required. The private endpoint connection name associated to the private endpoint on which we want to apply the specific access mode settings." + } + }, + "ingestionAccessMode": { + "type": "string", + "allowedValues": [ + "Open", + "PrivateOnly" + ], + "metadata": { + "description": "Required. Specifies the access mode of ingestion through the specified private endpoint connection in the exclusion." + } + }, + "queryAccessMode": { + "type": "string", + "allowedValues": [ + "Open", + "PrivateOnly" + ], + "metadata": { + "description": "Required. Specifies the access mode of queries through the specified private endpoint connection in the exclusion." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning." + } + }, + "ingestionAccessMode": { + "type": "string", + "allowedValues": [ + "Open", + "PrivateOnly" + ], + "metadata": { + "description": "Required. Specifies the default access mode of ingestion through associated private endpoints in scope." 
+ } + }, + "queryAccessMode": { + "type": "string", + "allowedValues": [ + "Open", + "PrivateOnly" + ], + "metadata": { + "description": "Required. Specifies the default access mode of queries through associated private endpoints in scope." + } + } + }, + "nullable": true } }, "parameters": { @@ -288,6 +373,12 @@ "description": "Required. Name of the private link scope." } }, + "accessModeSettings": { + "$ref": "#/definitions/accessModeType", + "metadata": { + "description": "Optional. Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.\n\n * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.\n * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode." + } + }, "location": { "type": "string", "defaultValue": "global", @@ -308,8 +399,7 @@ } }, "scopedResources": { - "type": "array", - "defaultValue": [], + "$ref": "#/definitions/scopedResourceType", "metadata": { "description": "Optional. Configuration details for Azure Monitor Resources." } 
@@ -362,11 +452,13 @@ }, "privateLinkScope": { "type": "microsoft.insights/privateLinkScopes", - "apiVersion": "2019-10-17-preview", + "apiVersion": "2021-07-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", - "properties": {} + "properties": { + "accessModeSettings": "[coalesce(parameters('accessModeSettings'), createObject('ingestionAccessMode', if(empty(parameters('privateEndpoints')), 'Open', 'PrivateOnly'), 'queryAccessMode', if(empty(parameters('privateEndpoints')), 'Open', 'PrivateOnly')))]" + } }, "privateLinkScope_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", @@ -407,7 +499,7 @@ "privateLinkScope_scopedResource": { "copy": { "name": "privateLinkScope_scopedResource", - "count": "[length(parameters('scopedResources'))]" + "count": "[length(coalesce(parameters('scopedResources'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -419,13 +511,13 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('scopedResources')[copyIndex()].name]" + "value": "[coalesce(parameters('scopedResources'), createArray())[copyIndex()].name]" }, "privateLinkScopeName": { "value": "[parameters('name')]" }, "linkedResourceId": { - "value": "[parameters('scopedResources')[copyIndex()].linkedResourceId]" + "value": "[coalesce(parameters('scopedResources'), createArray())[copyIndex()].linkedResourceId]" }, "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" @@ -437,8 +529,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6728675477102381760" + "version": "0.21.1.54444", + "templateHash": "3902218127334936289" }, "name": "Private Link Scope Scoped Resources", "description": "This module deploys a Private Link Scope Scoped Resource.", 
@@ -598,8 +690,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6873008238043407177" + "version": "0.21.1.54444", + "templateHash": "12070877359436548097" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1001,8 +1093,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "17578977753131828304" + "version": "0.21.1.54444", + "templateHash": "18097769811078256480" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1170,7 +1262,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('privateLinkScope', '2019-10-17-preview', 'full').location]" + "value": "[reference('privateLinkScope', '2021-07-01-preview', 'full').location]" } } } \ No newline at end of file diff --git a/modules/insights/private-link-scope/scoped-resource/main.json b/modules/insights/private-link-scope/scoped-resource/main.json index 1bb65fbf76..1f5b896ded 100644 --- a/modules/insights/private-link-scope/scoped-resource/main.json +++ b/modules/insights/private-link-scope/scoped-resource/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "6728675477102381760" + "version": "0.21.1.54444", + "templateHash": "3902218127334936289" }, "name": "Private Link Scope Scoped Resources", "description": "This module deploys a Private Link Scope Scoped Resource.", diff --git a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep index 917468f472..651acc7941 100644 --- a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep 
@@ -55,6 +55,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' + accessModeSettings: { + exclusions: [ + { + ingestionAccessMode: 'PrivateOnly' + queryAccessMode: 'PrivateOnly' + privateEndpointConnectionName: 'thisisatest' + } + ] + ingestionAccessMode: 'Open' + queryAccessMode: 'Open' + } scopedResources: [ { name: 'scoped1' diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep index 8fa06958a0..fc7a863664 100644 --- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -55,6 +55,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' + accessModeSettings: { + exclusions: [ + { + ingestionAccessMode: 'PrivateOnly' + queryAccessMode: 'PrivateOnly' + privateEndpointConnectionName: 'thisisatest' + } + ] + ingestionAccessMode: 'Open' + queryAccessMode: 'Open' + } scopedResources: [ { name: 'scoped1' From d98278d2e97354a5bec8175609a7648d722ab863 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Thu, 4 Jan 2024 12:58:34 +0000 Subject: [PATCH 174/178] Push updated Readme file(s) --- docs/wiki/The library - Module overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/wiki/The library - Module overview.md b/docs/wiki/The library - Module overview.md index ed056046e1..e6e86575c5 100644 --- a/docs/wiki/The library - Module overview.md +++ b/docs/wiki/The library - Module overview.md @@ -72,7 +72,7 @@ This section provides an overview of the library's feature set. | 57 | insights
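Review bot: In the waf-aligned test hunk, the scope-level `ingestionAccessMode: 'Open'` and `queryAccessMode: 'Open'` explicitly override the module's derived default (the compiled template earlier in this PR falls back to `PrivateOnly` for both modes whenever `privateEndpoints` is non-empty), so a test labelled WAF-aligned ends up deploying a scope that accepts ingestion and queries from public networks. Unless the intent is specifically to exercise the exclusion path, I would keep the `Open` variant in the max test only and in waf-aligned either omit `accessModeSettings` so the private-endpoint-derived default applies, or set `ingestionAccessMode: 'PrivateOnly'` and `queryAccessMode: 'PrivateOnly'` at the top level. The exclusion entry references `privateEndpointConnectionName: 'thisisatest'`; whether a private endpoint connection with that name is actually created by this test is not visible in the hunk, and an exclusion that matches nothing is inert, so it is worth confirming against the `privateEndpoints` parameters further down the file. The enclosing `module testDeployment` declaration and its `params` block start before and continue past this hunk.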

data-collection-rule | [![Insights - DataCollectionRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DataCollectionRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.datacollectionrules.yml) | | | | | | | [L1:1, L2:1, L3:6] | 129 | | 58 | insights

diagnostic-setting | [![Insights - DiagnosticSettings](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20DiagnosticSettings/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.diagnosticsettings.yml) | | | | | | | [L1:1, L2:1, L3:2] | 91 | | 59 | insights

metric-alert | [![Insights - MetricAlerts](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20MetricAlerts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.metricalerts.yml) | | | | | | | [L1:1, L2:1, L3:2] | 152 | -| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:2, L2:1, L3:3] | 181 | +| 60 | insights

private-link-scope | [![Insights - PrivateLinkScopes](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20PrivateLinkScopes/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | | | | | | | [L1:2, L2:1, L3:3] | 211 | | 61 | insights

scheduled-query-rule | [![Insights - ScheduledQueryRules](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20ScheduledQueryRules/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | | | | | | | [L1:1, L2:1, L3:2] | 136 | | 62 | insights

webtest | [![Insights - Web Tests](https://github.com/Azure/ResourceModules/workflows/Insights%20-%20Web%20Tests/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.webtests.yml) | | | | | | | [L1:1, L2:1, L3:3] | 152 | | 63 | key-vault

vault | [![KeyVault - Vaults](https://github.com/Azure/ResourceModules/workflows/KeyVault%20-%20Vaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | | | | | | | [L1:4, L2:1, L3:5] | 356 | @@ -150,7 +150,7 @@ This section provides an overview of the library's feature set. | 135 | web

serverfarm | [![Web - Serverfarms](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Serverfarms/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.serverfarms.yml) | | | | | | | [L1:1, L2:1, L3:2] | 184 | | 136 | web

site | [![Web - Sites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20Sites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.sites.yml) | | | | | | | [L1:6, L2:6, L3:5] | 455 | | 137 | web

static-site | [![Web - StaticSites](https://github.com/Azure/ResourceModules/workflows/Web%20-%20StaticSites/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.web.staticsites.yml) | | | | | | | [L1:4, L2:1, L3:3] | 284 | -| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 982 | 29909 | +| Sum | | | 0 | 0 | 1 | 0 | 0 | 2 | 982 | 29939 | ## Legend From d71cbcc8fcbfc0a73d7d61b3d24f98fa745b73f4 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Fri, 5 Jan 2024 00:07:09 +0100 Subject: [PATCH 175/178] Added MOVED-TO-AVM (#4435) --- modules/compute/proximity-placement-group/MOVED-TO-AVM.md | 1 + modules/compute/proximity-placement-group/README.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/compute/proximity-placement-group/MOVED-TO-AVM.md diff --git a/modules/compute/proximity-placement-group/MOVED-TO-AVM.md b/modules/compute/proximity-placement-group/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/compute/proximity-placement-group/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 613055ce67..89d99b10b9 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -1,5 +1,7 @@ # Proximity Placement Groups `[Microsoft.Compute/proximityPlacementGroups]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Proximity Placement Group. ## Navigation 
From f4c322e8c55eb788ff63256daf59eb633685c4ef Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Sat, 6 Jan 2024 23:14:45 +0100 Subject: [PATCH 176/178] Added MOVED-TO-AVM (#4439) --- modules/network/firewall-policy/MOVED-TO-AVM.md | 1 + modules/network/firewall-policy/README.md | 2 ++ .../front-door-web-application-firewall-policy/MOVED-TO-AVM.md | 1 + .../front-door-web-application-firewall-policy/README.md | 2 ++ modules/network/front-door/MOVED-TO-AVM.md | 1 + modules/network/front-door/README.md | 2 ++ 6 files changed, 9 insertions(+) create mode 100644 modules/network/firewall-policy/MOVED-TO-AVM.md create mode 100644 modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md create mode 100644 modules/network/front-door/MOVED-TO-AVM.md diff --git a/modules/network/firewall-policy/MOVED-TO-AVM.md b/modules/network/firewall-policy/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/firewall-policy/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index c99c673261..7edb8d41ee 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -1,5 +1,7 @@ # Firewall Policies `[Microsoft.Network/firewallPolicies]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Firewall Policy. ## Navigation 
diff --git a/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md b/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/front-door-web-application-firewall-policy/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index cf76c7f7bc..ee7773322d 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -1,5 +1,7 @@ # Front Door Web Application Firewall (WAF) Policies `[Microsoft.Network/FrontDoorWebApplicationFirewallPolicies]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a Front Door Web Application Firewall (WAF) Policy. ## Navigation diff --git a/modules/network/front-door/MOVED-TO-AVM.md b/modules/network/front-door/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/network/front-door/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). 
diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 6fd669facf..5bd96bd73c 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -1,5 +1,7 @@ # Azure Front Doors `[Microsoft.Network/frontDoors]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys an Azure Front Door. ## Navigation From 31f0e75f26ca67476afd06252638d620401f16e4 Mon Sep 17 00:00:00 2001 From: CARMLPipelinePrincipal Date: Sun, 7 Jan 2024 12:05:21 +0000 Subject: [PATCH 177/178] Push updated API Specs file --- utilities/src/apiSpecsList.json | 60 +++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 18 deletions(-) diff --git a/utilities/src/apiSpecsList.json b/utilities/src/apiSpecsList.json index e1668cdb19..f56a9ae89d 100644 --- a/utilities/src/apiSpecsList.json +++ b/utilities/src/apiSpecsList.json @@ -2258,7 +2258,8 @@ "2023-04-01-preview", "2023-05-01", "2023-05-02-preview", - "2023-08-01-preview" + "2023-08-01-preview", + "2023-11-02-preview" ] }, "Microsoft.AppAssessment": { @@ -13473,7 +13474,8 @@ "workspaces/privateEndpointConnections": [ "2021-04-01-preview", "2022-04-01-preview", - "2023-02-01" + "2023-02-01", + "2023-09-15-preview" ], "workspaces/virtualNetworkPeerings": [ "2018-04-01", @@ -22246,6 +22248,12 @@ "loadBalancers": [ "2023-10-01-preview" ], + "locations": [ + "2023-10-01-preview" + ], + "locations/operationStatuses": [ + "2019-10-01" + ], "operations": [ "2023-10-01-preview" ] @@ -32347,7 +32355,8 @@ "2017-04-01", "2020-01-01-preview", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ], "namespaces": [ "2014-09-01", 
@@ -32394,7 +32403,8 @@ "2017-04-01", "2020-01-01-preview", "2023-01-01-preview", - "2023-09-01" + "2023-09-01", + "2023-10-01-preview" ] }, "Microsoft.Nutanix": { @@ -33522,7 +33532,8 @@ "accounts/privateEndpointConnections": [ "2020-12-01-preview", "2021-07-01", - "2021-12-01" + "2021-12-01", + "2023-05-01-preview" ], "checkNameAvailability": [ "2020-12-01-preview", 
@@ -48481,67 +48492,80 @@ "Locations": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "Locations/operationStatuses": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/dataTransferAgents": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/exclusionTemplates": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/liveDataMigrations": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/metadataMigrations": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/metadataTargets": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/pathMappings": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/targets": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "migrators/verifications": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "Operations": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ], "registeredSubscriptions": [ "2022-01-01-preview", "2022-10-01-preview", - "2023-02-01-preview" + "2023-02-01-preview", + "2023-11-01-preview" ] } } From 36b627af02024591c0da7fd6d79122181c73af91 Mon Sep 17 00:00:00 2001 
From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Mon, 8 Jan 2024 14:48:11 +0100 Subject: [PATCH 178/178] replace ubuntu version (#4437) --- .github/workflows/ms.aad.domainservices.yml | 2 +- .github/workflows/ms.analysisservices.servers.yml | 2 +- .github/workflows/ms.apimanagement.service.yml | 2 +- .github/workflows/ms.app.containerapps.yml | 2 +- .github/workflows/ms.app.jobs.yml | 2 +- .github/workflows/ms.app.managedenvironments.yml | 2 +- .../workflows/ms.appconfiguration.configurationstores.yml | 2 +- .github/workflows/ms.authorization.locks.yml | 2 +- .github/workflows/ms.authorization.policyassignments.yml | 2 +- .github/workflows/ms.authorization.policydefinitions.yml | 2 +- .github/workflows/ms.authorization.policyexemptions.yml | 2 +- .../workflows/ms.authorization.policysetdefinitions.yml | 2 +- .github/workflows/ms.authorization.roleassignments.yml | 2 +- .github/workflows/ms.authorization.roledefinitions.yml | 2 +- .github/workflows/ms.automation.automationaccounts.yml | 2 +- .github/workflows/ms.batch.batchaccounts.yml | 2 +- .github/workflows/ms.cache.redis.yml | 2 +- .github/workflows/ms.cache.redisenterprise.yml | 2 +- .github/workflows/ms.cdn.profiles.yml | 2 +- .github/workflows/ms.cognitiveservices.accounts.yml | 2 +- .github/workflows/ms.compute.availabilitysets.yml | 2 +- .github/workflows/ms.compute.diskencryptionsets.yml | 2 +- .github/workflows/ms.compute.disks.yml | 2 +- .github/workflows/ms.compute.galleries.yml | 2 +- .github/workflows/ms.compute.images.yml | 2 +- .github/workflows/ms.compute.proximityplacementgroups.yml | 2 +- .github/workflows/ms.compute.sshpublickeys.yml | 2 +- .github/workflows/ms.compute.virtualmachines.yml | 2 +- .github/workflows/ms.compute.virtualmachinescalesets.yml | 2 +- .github/workflows/ms.consumption.budgets.yml | 2 +- .../workflows/ms.containerinstance.containergroups.yml | 2 +- .github/workflows/ms.containerregistry.registries.yml | 2 +- 
.github/workflows/ms.containerservice.managedclusters.yml | 2 +- .github/workflows/ms.databricks.accessconnectors.yml | 2 +- .github/workflows/ms.databricks.workspaces.yml | 2 +- .github/workflows/ms.datafactory.factories.yml | 2 +- .github/workflows/ms.dataprotection.backupvaults.yml | 2 +- .github/workflows/ms.dbformysql.flexibleservers.yml | 2 +- .github/workflows/ms.dbforpostgresql.flexibleservers.yml | 2 +- .../ms.desktopvirtualization.applicationgroups.yml | 2 +- .github/workflows/ms.desktopvirtualization.hostpools.yml | 2 +- .../workflows/ms.desktopvirtualization.scalingplans.yml | 2 +- .github/workflows/ms.desktopvirtualization.workspaces.yml | 2 +- .github/workflows/ms.devtestlab.labs.yml | 2 +- .../workflows/ms.digitaltwins.digitaltwinsinstances.yml | 2 +- .github/workflows/ms.documentdb.databaseaccounts.yml | 2 +- .github/workflows/ms.eventgrid.domains.yml | 2 +- .github/workflows/ms.eventgrid.systemtopics.yml | 2 +- .github/workflows/ms.eventgrid.topics.yml | 2 +- .github/workflows/ms.eventhub.namespaces.yml | 2 +- .github/workflows/ms.healthbot.healthbots.yml | 2 +- .github/workflows/ms.healthcareapis.workspaces.yml | 2 +- .github/workflows/ms.insights.actiongroups.yml | 2 +- .github/workflows/ms.insights.activitylogalerts.yml | 2 +- .github/workflows/ms.insights.components.yml | 2 +- .github/workflows/ms.insights.datacollectionendpoints.yml | 2 +- .github/workflows/ms.insights.datacollectionrules.yml | 2 +- .github/workflows/ms.insights.diagnosticsettings.yml | 2 +- .github/workflows/ms.insights.metricalerts.yml | 2 +- .github/workflows/ms.insights.privatelinkscopes.yml | 2 +- .github/workflows/ms.insights.scheduledqueryrules.yml | 2 +- .github/workflows/ms.insights.webtests.yml | 2 +- .github/workflows/ms.keyvault.vaults.yml | 2 +- .../workflows/ms.kubernetesconfiguration.extensions.yml | 2 +- .../ms.kubernetesconfiguration.fluxconfigurations.yml | 2 +- .github/workflows/ms.logic.workflows.yml | 2 +- 
.../workflows/ms.machinelearningservices.workspaces.yml | 2 +- .../ms.maintenance.maintenanceconfigurations.yml | 2 +- .../ms.managedidentity.userassignedidentities.yml | 2 +- .../ms.managedservices.registrationdefinitions.yml | 2 +- .github/workflows/ms.management.managementgroups.yml | 2 +- .github/workflows/ms.netapp.netappaccounts.yml | 2 +- .github/workflows/ms.network.applicationgateways.yml | 2 +- ...k.applicationgatewaywebapplicationfirewallpolicies.yml | 2 +- .../workflows/ms.network.applicationsecuritygroups.yml | 2 +- .github/workflows/ms.network.azurefirewalls.yml | 2 +- .github/workflows/ms.network.bastionhosts.yml | 2 +- .github/workflows/ms.network.connections.yml | 2 +- .github/workflows/ms.network.ddosprotectionplans.yml | 2 +- .github/workflows/ms.network.dnsforwardingrulesets.yml | 2 +- .github/workflows/ms.network.dnsresolvers.yml | 2 +- .github/workflows/ms.network.dnszones.yml | 2 +- .github/workflows/ms.network.expressroutecircuits.yml | 2 +- .github/workflows/ms.network.expressroutegateways.yml | 2 +- .github/workflows/ms.network.firewallpolicies.yml | 2 +- .github/workflows/ms.network.frontdoors.yml | 2 +- ...ms.network.frontdoorwebapplicationfirewallpolicies.yml | 2 +- .github/workflows/ms.network.ipgroups.yml | 2 +- .github/workflows/ms.network.loadbalancers.yml | 2 +- .github/workflows/ms.network.localnetworkgateways.yml | 2 +- .github/workflows/ms.network.natgateways.yml | 2 +- .github/workflows/ms.network.networkinterfaces.yml | 2 +- .github/workflows/ms.network.networkmanagers.yml | 2 +- .github/workflows/ms.network.networksecuritygroups.yml | 2 +- .github/workflows/ms.network.networkwatchers.yml | 2 +- .github/workflows/ms.network.privatednszones.yml | 2 +- .github/workflows/ms.network.privateendpoints.yml | 2 +- .github/workflows/ms.network.privatelinkservices.yml | 2 +- .github/workflows/ms.network.publicipaddresses.yml | 2 +- .github/workflows/ms.network.publicipprefixes.yml | 2 +- .github/workflows/ms.network.routetables.yml | 2 
+- .github/workflows/ms.network.serviceendpointpolicies.yml | 2 +- .github/workflows/ms.network.trafficmanagerprofiles.yml | 2 +- .github/workflows/ms.network.virtualhubs.yml | 2 +- .github/workflows/ms.network.virtualnetworkgateways.yml | 2 +- .github/workflows/ms.network.virtualnetworks.yml | 2 +- .github/workflows/ms.network.virtualwans.yml | 2 +- .github/workflows/ms.network.vpngateways.yml | 2 +- .github/workflows/ms.network.vpnsites.yml | 2 +- .github/workflows/ms.operationalinsights.workspaces.yml | 2 +- .github/workflows/ms.operationsmanagement.solutions.yml | 2 +- .github/workflows/ms.policyinsights.remediations.yml | 2 +- .github/workflows/ms.powerbidedicated.capacities.yml | 2 +- .github/workflows/ms.purview.accounts.yml | 2 +- .github/workflows/ms.recoveryservices.vaults.yml | 2 +- .github/workflows/ms.relay.namespaces.yml | 2 +- .github/workflows/ms.resourcegraph.queries.yml | 2 +- .github/workflows/ms.resources.deploymentscripts.yml | 2 +- .github/workflows/ms.resources.resourcegroups.yml | 2 +- .github/workflows/ms.resources.tags.yml | 2 +- .github/workflows/ms.search.searchservices.yml | 2 +- .github/workflows/ms.security.azuresecuritycenter.yml | 2 +- .github/workflows/ms.servicebus.namespaces.yml | 2 +- .github/workflows/ms.servicefabric.clusters.yml | 2 +- .github/workflows/ms.signalrservice.signalr.yml | 2 +- .github/workflows/ms.signalrservice.webpubsub.yml | 2 +- .github/workflows/ms.sql.managedinstances.yml | 2 +- .github/workflows/ms.sql.servers.yml | 2 +- .github/workflows/ms.storage.storageaccounts.yml | 2 +- .github/workflows/ms.synapse.privatelinkhubs.yml | 2 +- .github/workflows/ms.synapse.workspaces.yml | 2 +- .../workflows/ms.virtualmachineimages.imagetemplates.yml | 2 +- .github/workflows/ms.web.connections.yml | 2 +- .github/workflows/ms.web.hostingenvironments.yml | 2 +- .github/workflows/ms.web.serverfarms.yml | 2 +- .github/workflows/ms.web.sites.yml | 2 +- .github/workflows/ms.web.staticsites.yml | 2 +- 
.github/workflows/platform.apiSpecs.yml | 2 +- .github/workflows/platform.deployment.history.cleanup.yml | 6 +++--- .github/workflows/platform.librarycheck.psrule.yml | 2 +- .github/workflows/platform.updateReadMe.yml | 2 +- .github/workflows/platform.updateStaticTestDocs.yml | 2 +- .github/workflows/template.module.yml | 8 ++++---- docs/wiki/Solution creation.md | 2 +- 144 files changed, 149 insertions(+), 149 deletions(-) diff --git a/.github/workflows/ms.aad.domainservices.yml b/.github/workflows/ms.aad.domainservices.yml index a0c6994f44..bd4d45b92e 100644 --- a/.github/workflows/ms.aad.domainservices.yml +++ b/.github/workflows/ms.aad.domainservices.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.analysisservices.servers.yml b/.github/workflows/ms.analysisservices.servers.yml index 1b6112c79a..9ae908653d 100644 --- a/.github/workflows/ms.analysisservices.servers.yml +++ b/.github/workflows/ms.analysisservices.servers.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.apimanagement.service.yml b/.github/workflows/ms.apimanagement.service.yml index 7f2e468384..5e9a4fb392 100644 --- a/.github/workflows/ms.apimanagement.service.yml +++ b/.github/workflows/ms.apimanagement.service.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.app.containerapps.yml b/.github/workflows/ms.app.containerapps.yml index eef3ba994d..ea6366874e 100644 --- a/.github/workflows/ms.app.containerapps.yml 
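Review bot: `runs-on: ubuntu-latest` in `job_initialize_pipeline` replaces a deterministic runner image with a floating alias whose OS version and preinstalled tooling change whenever GitHub re-points the label, so these module test pipelines can start failing or behaving differently with no change in this repository. If the goal is only to move off the 20.04 image, pinning to the next explicit version, `runs-on: ubuntu-22.04`, keeps runs reproducible and makes the following migration a deliberate edit rather than a surprise; the same consideration applies to every workflow hunk in this commit. If the floating label is preferred, a one-line comment above the key such as `# intentionally unpinned: scripts must tolerate runner image upgrades` would at least record the decision for whoever debugs the next runner-side breakage. The job's `steps` list continues past the end of this hunk.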
+++ b/.github/workflows/ms.app.containerapps.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.app.jobs.yml b/.github/workflows/ms.app.jobs.yml index bde1eff318..fd08008d87 100644 --- a/.github/workflows/ms.app.jobs.yml +++ b/.github/workflows/ms.app.jobs.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.app.managedenvironments.yml b/.github/workflows/ms.app.managedenvironments.yml index 8d4b40c46f..3a0eb0ae4c 100644 --- a/.github/workflows/ms.app.managedenvironments.yml +++ b/.github/workflows/ms.app.managedenvironments.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.appconfiguration.configurationstores.yml b/.github/workflows/ms.appconfiguration.configurationstores.yml index 482c2c8701..caa07e54ef 100644 --- a/.github/workflows/ms.appconfiguration.configurationstores.yml +++ b/.github/workflows/ms.appconfiguration.configurationstores.yml @@ -48,7 +48,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.locks.yml b/.github/workflows/ms.authorization.locks.yml index c61e151638..75dff0c9ef 100644 --- a/.github/workflows/ms.authorization.locks.yml +++ b/.github/workflows/ms.authorization.locks.yml 
@@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml index e72e96b7e4..1dc4a1e38f 100644 --- a/.github/workflows/ms.authorization.policyassignments.yml +++ b/.github/workflows/ms.authorization.policyassignments.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml index c0373b819c..7ee0b7be54 100644 --- a/.github/workflows/ms.authorization.policydefinitions.yml +++ b/.github/workflows/ms.authorization.policydefinitions.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml index e71c5179fb..075ab4fe90 100644 --- a/.github/workflows/ms.authorization.policyexemptions.yml +++ b/.github/workflows/ms.authorization.policyexemptions.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.policysetdefinitions.yml b/.github/workflows/ms.authorization.policysetdefinitions.yml index 71867097ec..ccdb663b8b 100644 --- a/.github/workflows/ms.authorization.policysetdefinitions.yml +++ b/.github/workflows/ms.authorization.policysetdefinitions.yml 
@@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml index 5bce87ae6e..ba85f6368f 100644 --- a/.github/workflows/ms.authorization.roleassignments.yml +++ b/.github/workflows/ms.authorization.roleassignments.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml index b0b2d0a719..ffd351ca61 100644 --- a/.github/workflows/ms.authorization.roledefinitions.yml +++ b/.github/workflows/ms.authorization.roledefinitions.yml @@ -47,7 +47,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.automation.automationaccounts.yml b/.github/workflows/ms.automation.automationaccounts.yml index b7dd50b978..6f22922e0d 100644 --- a/.github/workflows/ms.automation.automationaccounts.yml +++ b/.github/workflows/ms.automation.automationaccounts.yml @@ -51,7 +51,7 @@ jobs: # Initialize pipeline # ########################### job_initialize_pipeline: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: 'Initialize pipeline' steps: - name: 'Checkout' diff --git a/.github/workflows/ms.batch.batchaccounts.yml b/.github/workflows/ms.batch.batchaccounts.yml index 03e1407a97..3b43c6ebff 100644 --- a/.github/workflows/ms.batch.batchaccounts.yml +++ b/.github/workflows/ms.batch.batchaccounts.yml 
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.cache.redis.yml b/.github/workflows/ms.cache.redis.yml
index 9007689102..9d61e89657 100644
--- a/.github/workflows/ms.cache.redis.yml
+++ b/.github/workflows/ms.cache.redis.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.cache.redisenterprise.yml b/.github/workflows/ms.cache.redisenterprise.yml
index f61822f658..c574fbe41e 100644
--- a/.github/workflows/ms.cache.redisenterprise.yml
+++ b/.github/workflows/ms.cache.redisenterprise.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.cdn.profiles.yml b/.github/workflows/ms.cdn.profiles.yml
index 7d7b947dec..d9e589cf98 100644
--- a/.github/workflows/ms.cdn.profiles.yml
+++ b/.github/workflows/ms.cdn.profiles.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.cognitiveservices.accounts.yml b/.github/workflows/ms.cognitiveservices.accounts.yml
index 1c701ea118..28b4e4c4cf 100644
--- a/.github/workflows/ms.cognitiveservices.accounts.yml
+++ b/.github/workflows/ms.cognitiveservices.accounts.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.availabilitysets.yml b/.github/workflows/ms.compute.availabilitysets.yml
index 46bd78d9b5..5820406b90 100644
--- a/.github/workflows/ms.compute.availabilitysets.yml
+++ b/.github/workflows/ms.compute.availabilitysets.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.diskencryptionsets.yml b/.github/workflows/ms.compute.diskencryptionsets.yml
index 61b107ac57..d15f629829 100644
--- a/.github/workflows/ms.compute.diskencryptionsets.yml
+++ b/.github/workflows/ms.compute.diskencryptionsets.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.disks.yml b/.github/workflows/ms.compute.disks.yml
index c32d9b8e25..dc28fc87a5 100644
--- a/.github/workflows/ms.compute.disks.yml
+++ b/.github/workflows/ms.compute.disks.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.galleries.yml b/.github/workflows/ms.compute.galleries.yml
index 1666408461..b20f05ebf1 100644
--- a/.github/workflows/ms.compute.galleries.yml
+++ b/.github/workflows/ms.compute.galleries.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.images.yml b/.github/workflows/ms.compute.images.yml
index b38045cea3..a846fcdb2b 100644
--- a/.github/workflows/ms.compute.images.yml
+++ b/.github/workflows/ms.compute.images.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.proximityplacementgroups.yml b/.github/workflows/ms.compute.proximityplacementgroups.yml
index f948bdf889..90732fd348 100644
--- a/.github/workflows/ms.compute.proximityplacementgroups.yml
+++ b/.github/workflows/ms.compute.proximityplacementgroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.sshpublickeys.yml b/.github/workflows/ms.compute.sshpublickeys.yml
index 3e063e68c5..da7ae084e4 100644
--- a/.github/workflows/ms.compute.sshpublickeys.yml
+++ b/.github/workflows/ms.compute.sshpublickeys.yml
@@ -46,7 +46,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.virtualmachines.yml b/.github/workflows/ms.compute.virtualmachines.yml
index f6e7889233..149bc8e025 100644
--- a/.github/workflows/ms.compute.virtualmachines.yml
+++ b/.github/workflows/ms.compute.virtualmachines.yml
@@ -50,7 +50,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.compute.virtualmachinescalesets.yml b/.github/workflows/ms.compute.virtualmachinescalesets.yml
index 1914a4b01a..35978d541e 100644
--- a/.github/workflows/ms.compute.virtualmachinescalesets.yml
+++ b/.github/workflows/ms.compute.virtualmachinescalesets.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.consumption.budgets.yml b/.github/workflows/ms.consumption.budgets.yml
index b8c4032d49..56d97b2f2f 100644
--- a/.github/workflows/ms.consumption.budgets.yml
+++ b/.github/workflows/ms.consumption.budgets.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.containerinstance.containergroups.yml b/.github/workflows/ms.containerinstance.containergroups.yml
index 4728696318..1678d17088 100644
--- a/.github/workflows/ms.containerinstance.containergroups.yml
+++ b/.github/workflows/ms.containerinstance.containergroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.containerregistry.registries.yml b/.github/workflows/ms.containerregistry.registries.yml
index 191829635a..7da11fe32b 100644
--- a/.github/workflows/ms.containerregistry.registries.yml
+++ b/.github/workflows/ms.containerregistry.registries.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.containerservice.managedclusters.yml b/.github/workflows/ms.containerservice.managedclusters.yml
index 7ab99433dd..47ada548e5 100644
--- a/.github/workflows/ms.containerservice.managedclusters.yml
+++ b/.github/workflows/ms.containerservice.managedclusters.yml
@@ -49,7 +49,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.databricks.accessconnectors.yml b/.github/workflows/ms.databricks.accessconnectors.yml
index 8a6c4d076d..d162270eb3 100644
--- a/.github/workflows/ms.databricks.accessconnectors.yml
+++ b/.github/workflows/ms.databricks.accessconnectors.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.databricks.workspaces.yml b/.github/workflows/ms.databricks.workspaces.yml
index 90e7614604..8a4267615f 100644
--- a/.github/workflows/ms.databricks.workspaces.yml
+++ b/.github/workflows/ms.databricks.workspaces.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.datafactory.factories.yml b/.github/workflows/ms.datafactory.factories.yml
index 9d59489afe..8529089198 100644
--- a/.github/workflows/ms.datafactory.factories.yml
+++ b/.github/workflows/ms.datafactory.factories.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.dataprotection.backupvaults.yml b/.github/workflows/ms.dataprotection.backupvaults.yml
index 8697537f1f..2e3b8aa66a 100644
--- a/.github/workflows/ms.dataprotection.backupvaults.yml
+++ b/.github/workflows/ms.dataprotection.backupvaults.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.dbformysql.flexibleservers.yml b/.github/workflows/ms.dbformysql.flexibleservers.yml
index 84a408e9c2..da1c483d32 100644
--- a/.github/workflows/ms.dbformysql.flexibleservers.yml
+++ b/.github/workflows/ms.dbformysql.flexibleservers.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.dbforpostgresql.flexibleservers.yml b/.github/workflows/ms.dbforpostgresql.flexibleservers.yml
index e3ee92834d..7d7da52212 100644
--- a/.github/workflows/ms.dbforpostgresql.flexibleservers.yml
+++ b/.github/workflows/ms.dbforpostgresql.flexibleservers.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.desktopvirtualization.applicationgroups.yml b/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
index 1545aef23d..6d91829dc6 100644
--- a/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
+++ b/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.desktopvirtualization.hostpools.yml b/.github/workflows/ms.desktopvirtualization.hostpools.yml
index d14ec4b8d5..54a8497dc5 100644
--- a/.github/workflows/ms.desktopvirtualization.hostpools.yml
+++ b/.github/workflows/ms.desktopvirtualization.hostpools.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.desktopvirtualization.scalingplans.yml b/.github/workflows/ms.desktopvirtualization.scalingplans.yml
index 890280846f..fef746cd4d 100644
--- a/.github/workflows/ms.desktopvirtualization.scalingplans.yml
+++ b/.github/workflows/ms.desktopvirtualization.scalingplans.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.desktopvirtualization.workspaces.yml b/.github/workflows/ms.desktopvirtualization.workspaces.yml
index 786990b0a3..9ba8618f12 100644
--- a/.github/workflows/ms.desktopvirtualization.workspaces.yml
+++ b/.github/workflows/ms.desktopvirtualization.workspaces.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.devtestlab.labs.yml b/.github/workflows/ms.devtestlab.labs.yml
index 9f84e4bdeb..ae0964c7bc 100644
--- a/.github/workflows/ms.devtestlab.labs.yml
+++ b/.github/workflows/ms.devtestlab.labs.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.digitaltwins.digitaltwinsinstances.yml b/.github/workflows/ms.digitaltwins.digitaltwinsinstances.yml
index d92c0c803f..e5f9765d53 100644
--- a/.github/workflows/ms.digitaltwins.digitaltwinsinstances.yml
+++ b/.github/workflows/ms.digitaltwins.digitaltwinsinstances.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.documentdb.databaseaccounts.yml b/.github/workflows/ms.documentdb.databaseaccounts.yml
index f97a702ba8..364dd0d04d 100644
--- a/.github/workflows/ms.documentdb.databaseaccounts.yml
+++ b/.github/workflows/ms.documentdb.databaseaccounts.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.eventgrid.domains.yml b/.github/workflows/ms.eventgrid.domains.yml
index 069b9ad36c..b979a04aff 100644
--- a/.github/workflows/ms.eventgrid.domains.yml
+++ b/.github/workflows/ms.eventgrid.domains.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml
index 7bb4cffd6a..e3bbb137a0 100644
--- a/.github/workflows/ms.eventgrid.systemtopics.yml
+++ b/.github/workflows/ms.eventgrid.systemtopics.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.eventgrid.topics.yml b/.github/workflows/ms.eventgrid.topics.yml
index 1abd156fdb..95d475a260 100644
--- a/.github/workflows/ms.eventgrid.topics.yml
+++ b/.github/workflows/ms.eventgrid.topics.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.eventhub.namespaces.yml b/.github/workflows/ms.eventhub.namespaces.yml
index 38e74b51e9..477ff4f1fd 100644
--- a/.github/workflows/ms.eventhub.namespaces.yml
+++ b/.github/workflows/ms.eventhub.namespaces.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.healthbot.healthbots.yml b/.github/workflows/ms.healthbot.healthbots.yml
index 85f6e0cdaf..5963c295e5 100644
--- a/.github/workflows/ms.healthbot.healthbots.yml
+++ b/.github/workflows/ms.healthbot.healthbots.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.healthcareapis.workspaces.yml b/.github/workflows/ms.healthcareapis.workspaces.yml
index 718ece3502..f5b0a612bf 100644
--- a/.github/workflows/ms.healthcareapis.workspaces.yml
+++ b/.github/workflows/ms.healthcareapis.workspaces.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.actiongroups.yml b/.github/workflows/ms.insights.actiongroups.yml
index 7cecc95f02..21c8a4990c 100644
--- a/.github/workflows/ms.insights.actiongroups.yml
+++ b/.github/workflows/ms.insights.actiongroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.activitylogalerts.yml b/.github/workflows/ms.insights.activitylogalerts.yml
index 51a1ce2318..66e7e92892 100644
--- a/.github/workflows/ms.insights.activitylogalerts.yml
+++ b/.github/workflows/ms.insights.activitylogalerts.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.components.yml b/.github/workflows/ms.insights.components.yml
index 3e9506f5f2..138d69ba56 100644
--- a/.github/workflows/ms.insights.components.yml
+++ b/.github/workflows/ms.insights.components.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.datacollectionendpoints.yml b/.github/workflows/ms.insights.datacollectionendpoints.yml
index f8ff6db09e..d81626ead5 100644
--- a/.github/workflows/ms.insights.datacollectionendpoints.yml
+++ b/.github/workflows/ms.insights.datacollectionendpoints.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.datacollectionrules.yml b/.github/workflows/ms.insights.datacollectionrules.yml
index 150833c295..7d14e70536 100644
--- a/.github/workflows/ms.insights.datacollectionrules.yml
+++ b/.github/workflows/ms.insights.datacollectionrules.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.diagnosticsettings.yml b/.github/workflows/ms.insights.diagnosticsettings.yml
index 219bc552fd..7e29353089 100644
--- a/.github/workflows/ms.insights.diagnosticsettings.yml
+++ b/.github/workflows/ms.insights.diagnosticsettings.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.metricalerts.yml b/.github/workflows/ms.insights.metricalerts.yml
index 304d04e326..e319b49d8f 100644
--- a/.github/workflows/ms.insights.metricalerts.yml
+++ b/.github/workflows/ms.insights.metricalerts.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.privatelinkscopes.yml b/.github/workflows/ms.insights.privatelinkscopes.yml
index 5600269a78..e878324aa8 100644
--- a/.github/workflows/ms.insights.privatelinkscopes.yml
+++ b/.github/workflows/ms.insights.privatelinkscopes.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.scheduledqueryrules.yml b/.github/workflows/ms.insights.scheduledqueryrules.yml
index f06533563c..b0fbb811b2 100644
--- a/.github/workflows/ms.insights.scheduledqueryrules.yml
+++ b/.github/workflows/ms.insights.scheduledqueryrules.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.insights.webtests.yml b/.github/workflows/ms.insights.webtests.yml
index f0badf64c6..40d3afc21c 100644
--- a/.github/workflows/ms.insights.webtests.yml
+++ b/.github/workflows/ms.insights.webtests.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.keyvault.vaults.yml b/.github/workflows/ms.keyvault.vaults.yml
index d34edcf8af..9355923fde 100644
--- a/.github/workflows/ms.keyvault.vaults.yml
+++ b/.github/workflows/ms.keyvault.vaults.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.kubernetesconfiguration.extensions.yml b/.github/workflows/ms.kubernetesconfiguration.extensions.yml
index 96d2b238ef..4d57060cdb 100644
--- a/.github/workflows/ms.kubernetesconfiguration.extensions.yml
+++ b/.github/workflows/ms.kubernetesconfiguration.extensions.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml b/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml
index e538204821..9c389c58c7 100644
--- a/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml
+++ b/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.logic.workflows.yml b/.github/workflows/ms.logic.workflows.yml
index d09183ab1a..070773d9d3 100644
--- a/.github/workflows/ms.logic.workflows.yml
+++ b/.github/workflows/ms.logic.workflows.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.machinelearningservices.workspaces.yml b/.github/workflows/ms.machinelearningservices.workspaces.yml
index 982e62084f..5de45511e9 100644
--- a/.github/workflows/ms.machinelearningservices.workspaces.yml
+++ b/.github/workflows/ms.machinelearningservices.workspaces.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.maintenance.maintenanceconfigurations.yml b/.github/workflows/ms.maintenance.maintenanceconfigurations.yml
index bcb865efd9..db907debd6 100644
--- a/.github/workflows/ms.maintenance.maintenanceconfigurations.yml
+++ b/.github/workflows/ms.maintenance.maintenanceconfigurations.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.managedidentity.userassignedidentities.yml b/.github/workflows/ms.managedidentity.userassignedidentities.yml
index f20ba0edf8..a539ecee3a 100644
--- a/.github/workflows/ms.managedidentity.userassignedidentities.yml
+++ b/.github/workflows/ms.managedidentity.userassignedidentities.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.managedservices.registrationdefinitions.yml b/.github/workflows/ms.managedservices.registrationdefinitions.yml
index b63f35ec89..cf52956c55 100644
--- a/.github/workflows/ms.managedservices.registrationdefinitions.yml
+++ b/.github/workflows/ms.managedservices.registrationdefinitions.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.management.managementgroups.yml b/.github/workflows/ms.management.managementgroups.yml
index 59b78ab4b6..4156eedef4 100644
--- a/.github/workflows/ms.management.managementgroups.yml
+++ b/.github/workflows/ms.management.managementgroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.netapp.netappaccounts.yml b/.github/workflows/ms.netapp.netappaccounts.yml
index 0ce0114907..9d17b522ec 100644
--- a/.github/workflows/ms.netapp.netappaccounts.yml
+++ b/.github/workflows/ms.netapp.netappaccounts.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.applicationgateways.yml b/.github/workflows/ms.network.applicationgateways.yml
index 5ebffcbfa2..8df7b2ca06 100644
--- a/.github/workflows/ms.network.applicationgateways.yml
+++ b/.github/workflows/ms.network.applicationgateways.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml b/.github/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml
index d81b6967d0..78c20be486 100644
--- a/.github/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml
+++ b/.github/workflows/ms.network.applicationgatewaywebapplicationfirewallpolicies.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.applicationsecuritygroups.yml b/.github/workflows/ms.network.applicationsecuritygroups.yml
index b660216ac5..59fe44a0ce 100644
--- a/.github/workflows/ms.network.applicationsecuritygroups.yml
+++ b/.github/workflows/ms.network.applicationsecuritygroups.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.azurefirewalls.yml b/.github/workflows/ms.network.azurefirewalls.yml
index d4d9dc0794..e6e498b962 100644
--- a/.github/workflows/ms.network.azurefirewalls.yml
+++ b/.github/workflows/ms.network.azurefirewalls.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.bastionhosts.yml b/.github/workflows/ms.network.bastionhosts.yml
index 583f7f716d..1b3b212c13 100644
--- a/.github/workflows/ms.network.bastionhosts.yml
+++ b/.github/workflows/ms.network.bastionhosts.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.connections.yml b/.github/workflows/ms.network.connections.yml
index 18a2b5a92c..483f1032ca 100644
--- a/.github/workflows/ms.network.connections.yml
+++ b/.github/workflows/ms.network.connections.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.ddosprotectionplans.yml b/.github/workflows/ms.network.ddosprotectionplans.yml
index 8ac944f013..e8755288c0 100644
--- a/.github/workflows/ms.network.ddosprotectionplans.yml
+++ b/.github/workflows/ms.network.ddosprotectionplans.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.dnsforwardingrulesets.yml b/.github/workflows/ms.network.dnsforwardingrulesets.yml
index 7811c594bd..4726bfaba8 100644
--- a/.github/workflows/ms.network.dnsforwardingrulesets.yml
+++ b/.github/workflows/ms.network.dnsforwardingrulesets.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.dnsresolvers.yml b/.github/workflows/ms.network.dnsresolvers.yml
index 94a01588cb..7e9ff35637 100644
--- a/.github/workflows/ms.network.dnsresolvers.yml
+++ b/.github/workflows/ms.network.dnsresolvers.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.dnszones.yml b/.github/workflows/ms.network.dnszones.yml
index 673a4c5008..86eeb8a03e 100644
--- a/.github/workflows/ms.network.dnszones.yml
+++ b/.github/workflows/ms.network.dnszones.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.expressroutecircuits.yml b/.github/workflows/ms.network.expressroutecircuits.yml
index b28e5385ec..c12b75e878 100644
--- a/.github/workflows/ms.network.expressroutecircuits.yml
+++ b/.github/workflows/ms.network.expressroutecircuits.yml
@@ -47,7 +47,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.expressroutegateways.yml b/.github/workflows/ms.network.expressroutegateways.yml
index 81e5604306..8c6e40ded2 100644
--- a/.github/workflows/ms.network.expressroutegateways.yml
+++ b/.github/workflows/ms.network.expressroutegateways.yml
@@ -48,7 +48,7 @@ jobs:
 # Initialize pipeline #
 ###########################
 job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 name: 'Initialize pipeline'
 steps:
 - name: 'Checkout'
diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml
index 7b64a673ad..08a61f0afa 100644
--- a/.github/workflows/ms.network.firewallpolicies.yml
+++ b/.github/workflows/ms.network.firewallpolicies.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.frontdoors.yml b/.github/workflows/ms.network.frontdoors.yml
index 00501d5814..2538bed6ba 100644
--- a/.github/workflows/ms.network.frontdoors.yml
+++ b/.github/workflows/ms.network.frontdoors.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml b/.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml
index effaa6dfcb..70a22fbaea 100644
--- a/.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml
+++ b/.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.ipgroups.yml b/.github/workflows/ms.network.ipgroups.yml
index b80c01dfee..d4f65e9956 100644
--- a/.github/workflows/ms.network.ipgroups.yml
+++ b/.github/workflows/ms.network.ipgroups.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.loadbalancers.yml b/.github/workflows/ms.network.loadbalancers.yml
index 8b43df88d7..e7528cf994 100644
--- a/.github/workflows/ms.network.loadbalancers.yml
+++ b/.github/workflows/ms.network.loadbalancers.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.localnetworkgateways.yml b/.github/workflows/ms.network.localnetworkgateways.yml
index 0d5a48da8b..a6df39c66c 100644
--- a/.github/workflows/ms.network.localnetworkgateways.yml
+++ b/.github/workflows/ms.network.localnetworkgateways.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.natgateways.yml b/.github/workflows/ms.network.natgateways.yml
index 7cbb0c2281..b7be305f2c 100644
--- a/.github/workflows/ms.network.natgateways.yml
+++ b/.github/workflows/ms.network.natgateways.yml
@@ -49,7 +49,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.networkinterfaces.yml b/.github/workflows/ms.network.networkinterfaces.yml
index e8b4bba214..be9d8b8aa6 100644
--- a/.github/workflows/ms.network.networkinterfaces.yml
+++ b/.github/workflows/ms.network.networkinterfaces.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.networkmanagers.yml b/.github/workflows/ms.network.networkmanagers.yml
index 3ca4f93377..e44a020bba 100644
--- a/.github/workflows/ms.network.networkmanagers.yml
+++ b/.github/workflows/ms.network.networkmanagers.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.networksecuritygroups.yml b/.github/workflows/ms.network.networksecuritygroups.yml
index 4eb4c1c09a..90cd846a3e 100644
--- a/.github/workflows/ms.network.networksecuritygroups.yml
+++ b/.github/workflows/ms.network.networksecuritygroups.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.networkwatchers.yml b/.github/workflows/ms.network.networkwatchers.yml
index 4f2d015c5e..f732b73667 100644
--- a/.github/workflows/ms.network.networkwatchers.yml
+++ b/.github/workflows/ms.network.networkwatchers.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.privatednszones.yml b/.github/workflows/ms.network.privatednszones.yml
index 67da06f595..de0a32fda7 100644
--- a/.github/workflows/ms.network.privatednszones.yml
+++ b/.github/workflows/ms.network.privatednszones.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.privateendpoints.yml b/.github/workflows/ms.network.privateendpoints.yml
index 9b02a26023..884fbba6d1 100644
--- a/.github/workflows/ms.network.privateendpoints.yml
+++ b/.github/workflows/ms.network.privateendpoints.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.privatelinkservices.yml b/.github/workflows/ms.network.privatelinkservices.yml
index e622625946..66c8b93125 100644
--- a/.github/workflows/ms.network.privatelinkservices.yml
+++ b/.github/workflows/ms.network.privatelinkservices.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.publicipaddresses.yml b/.github/workflows/ms.network.publicipaddresses.yml
index ebcb21bf2c..223e208d49 100644
--- a/.github/workflows/ms.network.publicipaddresses.yml
+++ b/.github/workflows/ms.network.publicipaddresses.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.publicipprefixes.yml b/.github/workflows/ms.network.publicipprefixes.yml
index db391eaf7d..d416b317d6 100644
--- a/.github/workflows/ms.network.publicipprefixes.yml
+++ b/.github/workflows/ms.network.publicipprefixes.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.routetables.yml b/.github/workflows/ms.network.routetables.yml
index 936accf277..176dc2b4bd 100644
--- a/.github/workflows/ms.network.routetables.yml
+++ b/.github/workflows/ms.network.routetables.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.serviceendpointpolicies.yml b/.github/workflows/ms.network.serviceendpointpolicies.yml
index 9afc417756..1a4b46d53e 100644
--- a/.github/workflows/ms.network.serviceendpointpolicies.yml
+++ b/.github/workflows/ms.network.serviceendpointpolicies.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.trafficmanagerprofiles.yml b/.github/workflows/ms.network.trafficmanagerprofiles.yml
index ef71e4bdcb..adaa8bd042 100644
--- a/.github/workflows/ms.network.trafficmanagerprofiles.yml
+++ b/.github/workflows/ms.network.trafficmanagerprofiles.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.virtualhubs.yml b/.github/workflows/ms.network.virtualhubs.yml
index aafa9a1915..147e3e356b 100644
--- a/.github/workflows/ms.network.virtualhubs.yml
+++ b/.github/workflows/ms.network.virtualhubs.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.virtualnetworkgateways.yml b/.github/workflows/ms.network.virtualnetworkgateways.yml
index 0281596767..5cc51f28a6 100644
--- a/.github/workflows/ms.network.virtualnetworkgateways.yml
+++ b/.github/workflows/ms.network.virtualnetworkgateways.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.virtualnetworks.yml b/.github/workflows/ms.network.virtualnetworks.yml
index 62613c6abd..30ff971fd2 100644
--- a/.github/workflows/ms.network.virtualnetworks.yml
+++ b/.github/workflows/ms.network.virtualnetworks.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.virtualwans.yml b/.github/workflows/ms.network.virtualwans.yml
index f46af1f821..501463fd21 100644
--- a/.github/workflows/ms.network.virtualwans.yml
+++ b/.github/workflows/ms.network.virtualwans.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.vpngateways.yml b/.github/workflows/ms.network.vpngateways.yml
index 1fbae28f09..c31f992100 100644
--- a/.github/workflows/ms.network.vpngateways.yml
+++ b/.github/workflows/ms.network.vpngateways.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.network.vpnsites.yml b/.github/workflows/ms.network.vpnsites.yml
index 3f134e4ab3..4dd09491a0 100644
--- a/.github/workflows/ms.network.vpnsites.yml
+++ b/.github/workflows/ms.network.vpnsites.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.operationalinsights.workspaces.yml b/.github/workflows/ms.operationalinsights.workspaces.yml
index 14f1dfce82..54d369e9ca 100644
--- a/.github/workflows/ms.operationalinsights.workspaces.yml
+++ b/.github/workflows/ms.operationalinsights.workspaces.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.operationsmanagement.solutions.yml b/.github/workflows/ms.operationsmanagement.solutions.yml
index ad898a5b82..c2db85b9b6 100644
--- a/.github/workflows/ms.operationsmanagement.solutions.yml
+++ b/.github/workflows/ms.operationsmanagement.solutions.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.policyinsights.remediations.yml b/.github/workflows/ms.policyinsights.remediations.yml
index 8ea4040e18..bda9ed753b 100644
--- a/.github/workflows/ms.policyinsights.remediations.yml
+++ b/.github/workflows/ms.policyinsights.remediations.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.powerbidedicated.capacities.yml b/.github/workflows/ms.powerbidedicated.capacities.yml
index c381a5dd24..e4ee8df6ce 100644
--- a/.github/workflows/ms.powerbidedicated.capacities.yml
+++ b/.github/workflows/ms.powerbidedicated.capacities.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.purview.accounts.yml b/.github/workflows/ms.purview.accounts.yml
index e70ad519bf..65fbe62b4a 100644
--- a/.github/workflows/ms.purview.accounts.yml
+++ b/.github/workflows/ms.purview.accounts.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.recoveryservices.vaults.yml b/.github/workflows/ms.recoveryservices.vaults.yml
index 40e1ff39b8..475cba7c21 100644
--- a/.github/workflows/ms.recoveryservices.vaults.yml
+++ b/.github/workflows/ms.recoveryservices.vaults.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.relay.namespaces.yml b/.github/workflows/ms.relay.namespaces.yml
index 34f3dd0720..0a4ba11917 100644
--- a/.github/workflows/ms.relay.namespaces.yml
+++ b/.github/workflows/ms.relay.namespaces.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.resourcegraph.queries.yml b/.github/workflows/ms.resourcegraph.queries.yml
index c875d7cbc7..bf066f3964 100644
--- a/.github/workflows/ms.resourcegraph.queries.yml
+++ b/.github/workflows/ms.resourcegraph.queries.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.resources.deploymentscripts.yml b/.github/workflows/ms.resources.deploymentscripts.yml
index 45ca2cf28c..6843b69946 100644
--- a/.github/workflows/ms.resources.deploymentscripts.yml
+++ b/.github/workflows/ms.resources.deploymentscripts.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.resources.resourcegroups.yml b/.github/workflows/ms.resources.resourcegroups.yml
index 996fc00bb0..70c83c06b9 100644
--- a/.github/workflows/ms.resources.resourcegroups.yml
+++ b/.github/workflows/ms.resources.resourcegroups.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.resources.tags.yml b/.github/workflows/ms.resources.tags.yml
index e7c2361a64..43dd0811ad 100644
--- a/.github/workflows/ms.resources.tags.yml
+++ b/.github/workflows/ms.resources.tags.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.search.searchservices.yml b/.github/workflows/ms.search.searchservices.yml
index ee7f27ea4a..f0fc782c0e 100644
--- a/.github/workflows/ms.search.searchservices.yml
+++ b/.github/workflows/ms.search.searchservices.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.security.azuresecuritycenter.yml b/.github/workflows/ms.security.azuresecuritycenter.yml
index a4081ca227..44514a93b1 100644
--- a/.github/workflows/ms.security.azuresecuritycenter.yml
+++ b/.github/workflows/ms.security.azuresecuritycenter.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.servicebus.namespaces.yml b/.github/workflows/ms.servicebus.namespaces.yml
index d861580ae1..fccfe41d0c 100644
--- a/.github/workflows/ms.servicebus.namespaces.yml
+++ b/.github/workflows/ms.servicebus.namespaces.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.servicefabric.clusters.yml b/.github/workflows/ms.servicefabric.clusters.yml
index 81e006a569..9a2659af47 100644
--- a/.github/workflows/ms.servicefabric.clusters.yml
+++ b/.github/workflows/ms.servicefabric.clusters.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.signalrservice.signalr.yml b/.github/workflows/ms.signalrservice.signalr.yml
index a786e71548..de64aaf921 100644
--- a/.github/workflows/ms.signalrservice.signalr.yml
+++ b/.github/workflows/ms.signalrservice.signalr.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.signalrservice.webpubsub.yml b/.github/workflows/ms.signalrservice.webpubsub.yml
index be281f1791..4ba88d808b 100644
--- a/.github/workflows/ms.signalrservice.webpubsub.yml
+++ b/.github/workflows/ms.signalrservice.webpubsub.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.sql.managedinstances.yml b/.github/workflows/ms.sql.managedinstances.yml
index afc8baa49c..871baf30c8 100644
--- a/.github/workflows/ms.sql.managedinstances.yml
+++ b/.github/workflows/ms.sql.managedinstances.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.sql.servers.yml b/.github/workflows/ms.sql.servers.yml
index 92889a0fdd..3c85198e0a 100644
--- a/.github/workflows/ms.sql.servers.yml
+++ b/.github/workflows/ms.sql.servers.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml
index 11d2688358..ef998a5985 100644
--- a/.github/workflows/ms.storage.storageaccounts.yml
+++ b/.github/workflows/ms.storage.storageaccounts.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.synapse.privatelinkhubs.yml b/.github/workflows/ms.synapse.privatelinkhubs.yml
index 3a960d63e2..9c5768321d 100644
--- a/.github/workflows/ms.synapse.privatelinkhubs.yml
+++ b/.github/workflows/ms.synapse.privatelinkhubs.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.synapse.workspaces.yml b/.github/workflows/ms.synapse.workspaces.yml
index 1736e9d265..0fc6c8fb8d 100644
--- a/.github/workflows/ms.synapse.workspaces.yml
+++ b/.github/workflows/ms.synapse.workspaces.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.virtualmachineimages.imagetemplates.yml b/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
index b06c1507a2..cd741e5231 100644
--- a/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
+++ b/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.web.connections.yml b/.github/workflows/ms.web.connections.yml
index fd788f5ba0..5de8a78be5 100644
--- a/.github/workflows/ms.web.connections.yml
+++ b/.github/workflows/ms.web.connections.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.web.hostingenvironments.yml b/.github/workflows/ms.web.hostingenvironments.yml
index 70b5a977a2..75fe7b0180 100644
--- a/.github/workflows/ms.web.hostingenvironments.yml
+++ b/.github/workflows/ms.web.hostingenvironments.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.web.serverfarms.yml b/.github/workflows/ms.web.serverfarms.yml
index da09c51d9f..63b3a041d2 100644
--- a/.github/workflows/ms.web.serverfarms.yml
+++ b/.github/workflows/ms.web.serverfarms.yml
@@ -47,7 +47,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.web.sites.yml b/.github/workflows/ms.web.sites.yml
index f27f832917..6baa282c73 100644
--- a/.github/workflows/ms.web.sites.yml
+++ b/.github/workflows/ms.web.sites.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/ms.web.staticsites.yml b/.github/workflows/ms.web.staticsites.yml
index c67da50a3f..5fb0e2ad02 100644
--- a/.github/workflows/ms.web.staticsites.yml
+++ b/.github/workflows/ms.web.staticsites.yml
@@ -48,7 +48,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/platform.apiSpecs.yml b/.github/workflows/platform.apiSpecs.yml
index 239525f3d4..2c36d8bf84 100644
--- a/.github/workflows/platform.apiSpecs.yml
+++ b/.github/workflows/platform.apiSpecs.yml
@@ -13,7 +13,7 @@ jobs:
  job_update_api_specs_file:
  name: "Update file"
  if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  steps:
  - name: "Checkout"
  uses: actions/checkout@v4
diff --git a/.github/workflows/platform.deployment.history.cleanup.yml b/.github/workflows/platform.deployment.history.cleanup.yml
index be586fce60..dcd2c68030 100644
--- a/.github/workflows/platform.deployment.history.cleanup.yml
+++ b/.github/workflows/platform.deployment.history.cleanup.yml
@@ -30,7 +30,7 @@ jobs:
  # Initialize pipeline #
  ###########################
  job_initialize_pipeline:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Initialize pipeline'
  steps:
  - name: 'Checkout'
@@ -49,7 +49,7 @@ jobs:
  # Removal #
  ###############
  job_cleanup_subscription_deployments:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Remove Subscription deployments'
  needs:
  - job_initialize_pipeline
@@ -90,7 +90,7 @@ jobs:
  azPSVersion: 'latest'
 
  job_cleanup_managementGroup_deployments:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Remove Management Group deployments'
  needs:
  - job_initialize_pipeline
diff --git a/.github/workflows/platform.librarycheck.psrule.yml b/.github/workflows/platform.librarycheck.psrule.yml
index c9ef889801..2add1905b2 100644
--- a/.github/workflows/platform.librarycheck.psrule.yml
+++ b/.github/workflows/platform.librarycheck.psrule.yml
@@ -13,7 +13,7 @@ env:
  jobs:
  psrule:
  name: 'PSRule validation'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  steps:
  # Analyze module library with PSRule
  - name: Checkout
diff --git a/.github/workflows/platform.updateReadMe.yml b/.github/workflows/platform.updateReadMe.yml
index a84c71697a..943e15c902 100644
--- a/.github/workflows/platform.updateReadMe.yml
+++ b/.github/workflows/platform.updateReadMe.yml
@@ -23,7 +23,7 @@ env:
 
  jobs:
  job_update_readme:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Update status tables'
  steps:
  - name: 'Checkout'
diff --git a/.github/workflows/platform.updateStaticTestDocs.yml b/.github/workflows/platform.updateStaticTestDocs.yml
index 27ab6caaa5..82c0474c7b 100644
--- a/.github/workflows/platform.updateStaticTestDocs.yml
+++ b/.github/workflows/platform.updateStaticTestDocs.yml
@@ -18,7 +18,7 @@ jobs:
  job_update_static_test_docs:
  name: "Update file"
  if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  steps:
  - name: "Checkout"
  uses: actions/checkout@v4
diff --git a/.github/workflows/template.module.yml b/.github/workflows/template.module.yml
index f3f5b116e8..98e6d58081 100644
--- a/.github/workflows/template.module.yml
+++ b/.github/workflows/template.module.yml
@@ -30,7 +30,7 @@ jobs:
  #########################
  job_module_static_validation: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
  name: 'Static validation'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  if: (fromJson(inputs.workflowInput)).staticValidation == 'true'
  steps:
  - name: 'Checkout'
@@ -52,7 +52,7 @@ jobs:
  #########################
  job_psrule_test: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
  name: 'PSRule validation'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  if: (fromJson(inputs.workflowInput)).staticValidation == 'true'
  strategy:
  fail-fast: false
@@ -77,7 +77,7 @@ jobs:
  #############################
  job_module_deploy_validation: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
  name: 'Deployment validation'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  if: |
  !cancelled() &&
  (fromJson(inputs.workflowInput)).deploymentValidation == 'true' &&
@@ -113,7 +113,7 @@ jobs:
  ##################
  job_publish_module: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
  name: 'Publishing'
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || fromJson(inputs.workflowInput).prerelease == 'true'
  needs:
  - job_module_deploy_validation
diff --git a/docs/wiki/Solution creation.md b/docs/wiki/Solution creation.md
index 11bb6119d3..6c8e117bbf 100644
--- a/docs/wiki/Solution creation.md
+++ b/docs/wiki/Solution creation.md
@@ -451,7 +451,7 @@ env:
 
  jobs:
  job_deploy_multi_repo_solution:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
  name: 'Deploy multi-repo solution'
  steps:
  - name: 'Checkout ResourceModules repo at the root location'